From 001e1e71899435b64d30b590afe5b1f6be2122e5 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 8 Aug 2025 18:24:53 -0400 Subject: [PATCH] Fixes for 6.15 Signed-off-by: Sasha Levin --- ...usb-scarlett2-fix-missing-null-check.patch | 43 + ...wb_history_size-value-is-a-power-of-.patch | 55 + ...p-detection-used-in-conflicting-atta.patch | 121 ++ ...ligned-memory-accesses-in-kunit-test.patch | 60 + ...config-drop-obsolete-config_net_cls_.patch | 38 + ...ontron-bl-common-fix-rts-polarity-fo.patch | 38 + ...ochip-sam9x7-add-clock-name-property.patch | 45 + ...hip-sama7d65-add-clock-name-property.patch | 45 + ...arm-dts-ti-omap-fixup-pinheader-typo.patch | 44 + ...rrectly-use-two-tuples-for-timer-add.patch | 37 + ...-gs101-add-local-timer-stop-to-cpuid.patch | 61 + ...ale-imx93-tqma9352-limit-buck2-to-60.patch | 50 + ...m-beacon-fix-hs400-usdhc-clock-speed.patch | 41 + ...n-beacon-fix-hs400-usdhc-clock-speed.patch | 41 + ...-venice-gw74xx-update-name-of-m2skt_.patch | 62 + ...sm8976-make-blsp_dma-controlled-remo.patch | 61 + ...cs615-disable-the-cti-device-of-the-.patch | 43 + ...cs615-fix-a-crash-issue-caused-by-in.patch | 74 + ...a8775p-correct-the-interrupt-for-rem.patch | 84 + ...4-dts-qcom-sc7180-expand-imem-region.patch | 53 + ...4-dts-qcom-sdm845-expand-imem-region.patch | 53 + ...ip-enable-emmc-hs200-mode-on-radxa-e.patch | 38 + ...ockchip-fix-phy-handling-for-rock-4d.patch | 63 + ...ip-fix-pinctrl-node-names-for-rk3528.patch | 135 ++ ...rm64-dts-st-fix-timer-used-for-ticks.patch | 37 + ...-am62p-j722s-fix-pinctrl-single-size.patch | 40 + ...am642-phyboard-electra-fix-pru-icssg.patch | 42 + ...cs_el0_enable-should-use-passed-task.patch | 67 + ...-pointer-assignments-for-snd_soc_acp.patch | 116 ++ ...t-channel-status-data-when-phy-is-no.patch | 56 + ...t-channel-status-data-with-firmware-.patch | 59 + ...e-reserved-memory-or-enable-buffer-p.patch | 174 +++ ...ally-allocate-struct-snd_ctl_elem_va.patch | 79 + ...-read-only-controls-to-be-deferrable.patch | 41 + ...me-holes-in-the-regmap-readable-writ.patch | 70 + ...yup-return-value-of-snd_soc_xlate_td.patch | 88 ++ ...tore-audit-logging-in-load-failure-c.patch | 117 ++ ...ock-mtip32xx-fix-usage-of-dma_map_sg.patch | 95 ++ ...hunk_sectors-for-atomic-write-limits.patch | 58 + ...vcd_dump-fix-out-of-bounds-via-dev_c.patch | 108 ++ ...ent-mask-data-status-from-le-ext-adv.patch | 105 ++ ...nc-fix-double-free-in-hci_discovery_.patch | 115 ++ ...-initialization-for-exception-bounda.patch | 48 + ...w_dissector-ctx-accesses-are-aligned.patch | 48 + ...k-netfilter-ctx-accesses-are-aligned.patch | 43 + ...disable-migration-in-nf_hook_run_bpf.patch | 98 ++ ...ock-is-held-around-bpf_prog_ksym_fin.patch | 67 + ...if-a-b-.-as-a-jump-in-cfg-computatio.patch | 51 + ...a-corruption-when-using-bpf_msg_pop_.patch | 59 + ...preload-don-t-select-usermode_driver.patch | 40 + ...fix-psock-incorrectly-pointing-to-sk.patch | 82 + ...ry-leak-in-dump_xx_nlmsg-on-realloc-.patch | 77 + ...tial-support-for-lowest-level-from-b.patch | 107 ++ ..._generic-fix-the-modem-name-of-foxco.patch | 52 + queue-6.15/caif-reduce-stack-size-again.patch | 359 +++++ ...er_pciefd-store-device-channel-index.patch | 36 + ...ssign-netdev.dev_port-based-on-devic.patch | 39 + ...-usb-fd-devices-potential-malfunctio.patch | 74 + ...ame-strrchr-expects-nul-terminated-s.patch | 90 ++ ...lk-at91-sam9x7-update-pll-clk-ranges.patch | 86 ++ ...kgen-fix-fpfd_max-frequency-for-zynq.patch | 43 + ...ard-fix-the-round-rate-handling-for-.patch | 38 + ...null-check-in-davinci_lpsc_clk_regis.patch | 45 + ...-imx95-blk-ctl-fix-synchronous-abort.patch | 86 ++ ...h-fix-missing-clk_set_rate_parent-fl.patch | 44 + ...sunxi-ng-v3s-fix-de-clock-definition.patch | 44 + ...-ap-correctly-refer-the-parent-of-os.patch | 48 + ...nregister-pll_post-only-if-registere.patch | 50 + ...armada-8k-make-both-cpu-masks-static.patch | 52 + ...icy-rwsem-before-it-may-be-possibly-.patch | 49 + ...ze-cpufreq-based-frequency-invarianc.patch | 63 + ...tate-always-use-hwp_desired_perf-in-.patch | 51 + ...es-neonbs-work-around-gcc-15-warning.patch | 56 + ...rash-when-rebind-ccp-device-for-ccp..patch | 81 + ...ix-locking-on-alloc-failure-handling.patch | 83 + ...mg-hash-fix-dma_unmap_sg-nents-value.patch | 36 + ...-secure-fix-dma_unmap_sg-nents-value.patch | 50 + ...keembay-fix-dma_unmap_sg-nents-value.patch | 63 + ...fix-memory-leak-in-krb5_test_one_prf.patch | 55 + ...vell-cesa-fix-engine-load-inaccuracy.patch | 75 + ...-enabling-vfs-in-the-absence-of-iomm.patch | 40 + ...able-zuc-256-capability-for-qat-gen5.patch | 62 + ...ma-direction-for-compression-on-gen2.patch | 93 ++ ...eq_file-position-update-in-adf_ring_.patch | 49 + ...tate-restore-for-banks-with-exceptio.patch | 85 ++ ...use-unmanaged-allocation-for-dc_data.patch | 77 + ...-ce-fix-nents-passed-to-dma_unmap_sg.patch | 44 + ...x-again-wvoid-pointer-to-enum-cast-w.patch | 39 + ...-fix-missing-check-after-dma-map-and.patch | 73 + ...faxi-add-missing-check-after-dma-map.patch | 55 + ...m-fix-up-some-const-issues-with-rece.patch | 66 + ...play-hwmgr-smu_helper-fix-order-of-m.patch | 44 + ...u-gfx10-fix-kiq-locking-in-kcq-reset.patch | 52 + ...pu-gfx9-fix-kiq-locking-in-kcq-reset.patch | 40 + ...fx9.4.3-fix-kiq-locking-in-kcq-reset.patch | 41 + ...move-nbiov7.9-replay-count-reporting.patch | 70 + ...mi-evaluate-limited-range-after-comp.patch | 50 + ...ill-in-min_prefill_lines-for-sc8180x.patch | 37 + ...-panfrost-device-variable-name-in-de.patch | 54 + ...missing-explicit-padding-in-drm_pant.patch | 60 + ...anup-fb-when-drm_gem_fb_afbc_init-fa.patch | 52 + ...2-fail-cleanly-if-missing-a-primary-.patch | 52 + ...2-fix-the-update-of-layer-port-selec.patch | 297 ++++ ...ost-backed-userspace-on-guest-backed.patch | 42 + ...rm-xe-correct-bmg-vsec-header-sizing.patch | 73 + ...-the-rev-value-for-the-dvsec-entries.patch | 59 + .../drm-xe-vf-disable-csc-support-on-vf.patch | 41 + ...flag-should-be-same-like-generic_wri.patch | 49 + ...se-after-free-in-ext4_end_io_rsv_wor.patch | 83 + ...h_new-bit-is-cleared-in-write_end-ha.patch | 76 + ...wrong-quota-mount-option-description.patch | 40 + ...-memleak-when-committing-super-block.patch | 69 + ...an-uninit-value-in-extent_info-usage.patch | 47 + ...-to-avoid-invalid-wait-context-issue.patch | 162 ++ ...d-out-of-boundary-access-in-devs.pat.patch | 60 + ...x-to-avoid-panic-in-f2fs_evict_inode.patch | 282 ++++ ...to-avoid-uaf-in-f2fs_sync_inode_meta.patch | 235 +++ ...ulate-dirty-data-during-has_not_enou.patch | 40 + ...k-upper-boundary-for-gc_no_zoned_gc_.patch | 42 + ...k-upper-boundary-for-gc_valid_thresh.patch | 42 + ...k-upper-boundary-for-value-of-gc_boo.patch | 42 + ...ger-foreground-gc-during-f2fs_map_bl.patch | 67 + ...te-upper_p-in-__get_secs_required-co.patch | 37 + ...e_time-when-forcibly-set-to-foregrou.patch | 36 + ...m-may-be-called-from-an-invalid-cont.patch | 79 + ...e-handle_type-values-when-reporting-.patch | 47 + ...ed-registered_fb-reference-in-commen.patch | 45 + ...k-fb_add_videomode-to-prevent-null-p.patch | 46 + ...i-fix-up-turbo-frequencies-selection.patch | 38 + queue-6.15/fix-dma_unmap_sg-nents-value.patch | 38 + ...orrect-reporting-of-read-buffer-size.patch | 38 + ...set-bad-inode-after-removing-name-fa.patch | 104 ++ ...low-2-more-characters-in-do_c_string.patch | 65 + ...t-fix-parameter-name-in-infofc-macro.patch | 42 + .../gfs2-minor-do_xmote-cancelation-fix.patch | 36 + queue-6.15/gfs2-no-more-self-recovery.patch | 81 + ...fs-make-splice-write-available-again.patch | 42 + ...us-make-splice-write-available-again.patch | 42 + ...utex_lock-check-in-hfsplus_free_exte.patch | 94 ++ ...handle-devm_pm_runtime_enable-errors.patch | 38 + ...ix-an-error-handling-path-in-mule_i2.patch | 47 + ...ter-svc-fix-npcm845-fifo_empty-quirk.patch | 69 + ...gative-overflow-of-nb_pkts-in-zeroco.patch | 59 + ...t-qcom-qcs615-drop-ip0-interconnects.patch | 114 ++ ...nnect-qcom-sc8180x-specify-num_nodes.patch | 68 + ...m-sc8280xp-specify-num_links-for-qnm.patch | 36 + ...io_uring-fix-breakage-in-expert-menu.patch | 47 + ...-pasid-and-ats-capabilities-in-the-c.patch | 47 + ...-geometry.aperture_end-for-v2-tables.patch | 85 ++ ...iommu-arm-smmu-disable-prr-on-sm8250.patch | 40 + ...t-wipe-out-the-page-table-nid-when-d.patch | 41 + ...-data-races-around-rt-fib6_nsiblings.patch | 121 ++ ...e-infinite-loop-in-fib6_info_uses_de.patch | 60 + ...vent-infinite-loop-in-rt6_nlmsg_size.patch | 113 ++ ...ing-check-for-alloc_ordered_workqueu.patch | 69 + ...e-reference-count-leak-in-dballocctl.patch | 45 + ...f-fix-configlist-updatelistallforall.patch | 38 + ...kcsan-test-initialize-dummy-variable.patch | 47 + ...emptirq_delay_test-use-offstack-cpu-.patch | 67 + ...fix-check-for-setting-new-vls-in-sve.patch | 40 + ...d-back-volatile-for-sizeof-constants.patch | 48 + ...andlock-fix-warning-from-kunit-tests.patch | 200 +++ ...t-unregister-boot-console-needlessly.patch | 150 ++ ...macsec-set-iff_unicast_flt-priv-flag.patch | 72 + ...w-removing-faulty-rdev-during-resync.patch | 92 ++ ...-fix-h264-separate_colour_plane-chec.patch | 47 + ...-destroy-mutex-after-freeing-the-irq.patch | 56 + ...-init-vsc-from-mei_vsc_hw_reset-on-s.patch | 49 + queue-6.15/mei-vsc-event-notifier-fixes.patch | 82 + ...e-event-callback-on-remove-and-probe.patch | 52 + .../memcg_slabinfo-fix-use-of-pg_slab.patch | 44 + ...ate-tps65214-mfd-cell-s-gpio-compati.patch | 42 + ...-the-moduleparam-prefix-length-check.patch | 61 + ...sible-integer-overflow-in-erase_xfer.patch | 41 + ...-atmel-fix-dma_mapping_error-address.patch | 38 + ...nand-atmel-set-pmecc-data-setup-time.patch | 57 + ...chip-add-missing-check-after-dma-map.patch | 61 + ...sion-fixup-params-set_4byte_addr_mod.patch | 105 ++ ...wl8k-add-missing-check-after-dma-map.patch | 39 + ...ix-null-ptr-deref-in-neigh_flush_dev.patch | 196 +++ ...p-fix-wrong-rx-drop-mib-counter-for-.patch | 61 + ...-helpers-to-annotate-data-races-arou.patch | 139 ++ ...annotate-data-races-around-dst-input.patch | 87 ++ ...nnotate-data-races-around-dst-output.patch | 87 ++ ...ix-in-out-netdev-to-pass-to-the-forw.patch | 58 + ...k-device-memory-pointer-before-usage.patch | 75 + ...read-only-port-buffer-size-in-pbmc-b.patch | 50 + ...-skb-secpath-if-xfrm-state-is-not-fo.patch | 111 ++ ...ct-conditions-for-adding-duplicating.patch | 117 ++ ...info-use-atomic64_t-for-three-counte.patch | 106 ++ ...register-console-drivers-when-target.patch | 127 ++ ...les-adjust-lockdep-assertions-handli.patch | 51 + ...les-drop-dead-code-from-fill_-_info-.patch | 92 ++ ...cct-don-t-assume-acct-name-is-null-t.patch | 50 + .../padata-fix-pd-uaf-once-and-for-all.patch | 269 ++++ ...data-remove-comment-for-reorder_work.patch | 34 + ...osition-of-reading-the-link-control-.patch | 69 + ...-epf-vntb-fix-the-incorrect-usage-of.patch | 52 + ...-epf-vntb-return-enoent-if-pci_epc_g.patch | 43 + .../pci-fix-driver_managed_dma-check.patch | 59 + ...hp-clean-up-allocated-irqs-on-unplug.patch | 229 +++ ...surprise-plug-detection-and-recovery.patch | 215 +++ ...-around-switches-with-broken-presenc.patch | 77 + ...t-fix-unexpected-completion-log-mess.patch | 41 + ...d-missed-dso__put-to-dso__load_kcore.patch | 38 + ..._pmu-avoid-shortening-hwmon-pmu-name.patch | 39 + ...nts-set-default-gh-modifier-properly.patch | 82 + ...cord-cache-build-id-of-hit-dsos-only.patch | 43 + ...emory-leaks-for-evsel-priv-in-timehi.patch | 101 ++ ...x-memory-leaks-in-perf-sched-latency.patch | 90 ++ ...d-fix-memory-leaks-in-perf-sched-map.patch | 106 ++ ...-thread-leaks-in-perf-sched-timehist.patch | 198 +++ ...ee-thread-priv-using-priv_destructor.patch | 40 + ...-make-sure-it-frees-the-usage-string.patch | 103 ++ ...use-rc_chk_equal-to-compare-pointers.patch | 38 + ...p_account-fix-leaked-file-descriptor.patch | 57 + ...x-use-after-free-in-help_unknown_cmd.patch | 99 ++ ...s-remove-libtraceevent-in-.gitignore.patch | 37 + ...-qcom-eusb2-repeater-don-t-zero-out-.patch | 160 ++ ...ix-memory-leak-in-berlin_pinctrl_bui.patch | 55 + ...naan-k230-add-null-check-in-dt-parse.patch | 54 + ...230-fix-order-of-dt-parse-and-pinctr.patch | 56 + ...-fix-memory-leak-on-krealloc-failure.patch | 55 + ...causing-mux_owner-null-with-active-m.patch | 95 ++ ...nv-tracing-move-powernv_throttle-tra.patch | 167 ++ ...printing-of-core-cpu-fields-in-cpupo.patch | 60 + ...-governor-before-using-governor-name.patch | 50 + ...vfreq-fix-a-index-typo-in-trans_stat.patch | 34 + ...-qcom-wcn-fix-bluetooth-wifi-copypas.patch | 37 + ...ap-charger-fix-null-check-for-power_.patch | 42 + ...14577-handle-null-pdata-when-config_.patch | 51 + ...ax1720x-correct-capacity-computation.patch | 71 + ...ply-qcom_pmi8998_charger-fix-wakeirq.patch | 47 + ...u-fix-null-pointer-dereference-in-ge.patch | 44 + .../powerpc-eeh-export-eeh_unfreeze_pe.patch | 39 + ...-make-eeh-driver-device-hotplug-safe.patch | 252 +++ ...dlpar-search-drc-index-from-ibm-drc-.patch | 113 ++ queue-6.15/pps-fix-poll-support.patch | 102 ++ ...e-treatment-to-check-proc_lseek-as-o.patch | 89 ++ ...delayed-execution-of-hurry-callbacks.patch | 97 ++ queue-6.15/rdma-hns-drop-gfp_nowarn.patch | 90 ++ ...ix-accessing-uninitialized-resources.patch | 67 + ...hns-fix-double-destruction-of-rsv_qp.patch | 137 ++ ...configurations-not-cleared-in-error-.patch | 49 + ...dma-hns-fix-wframe-larger-than-issue.patch | 67 + ...et-message-length-of-ack_req-from-fw.patch | 189 +++ ...-mana_ib-fix-dscp-value-in-modify-qp.patch | 38 + ...-fix-umr-modifying-of-mkey-page-size.patch | 79 + ...80211-update-skb-s-control-block-key.patch | 40 + ...hat-nreaders-and-loops-multiplicatio.patch | 74 + ...om-pas-conclude-the-rename-from-adsp.patch | 1353 +++++++++++++++++ ...oc-xlnx-disable-unsupported-features.patch | 37 + ...replace-inode_trylock-with-inode_loc.patch | 45 + ...ent-the-dispatching-of-uninitialized.patch | 55 + ...remove-ring_buffer_read_prepare_sync.patch | 216 +++ ...nclusion-of-smnpm-in-the-guest-isa-b.patch | 197 +++ ...ncorrect-maximum-clock-rate-handling.patch | 40 + ...incorrect-maximum-clock-rate-handlin.patch | 40 + ...-incorrect-maximum-clock-rate-handli.patch | 40 + ...-incorrect-maximum-clock-rate-handli.patch | 40 + ...incorrect-maximum-clock-rate-handlin.patch | 40 + ...ncorrect-maximum-clock-rate-handling.patch | 40 + ...clarify-invariant-for-miscdeviceregi.patch | 49 + .../rv-adjust-monitor-dependencies.patch | 93 ++ ...amples-mei-fix-building-on-musl-libc.patch | 75 + ...line-initialize-dl_servers-after-smp.patch | 140 ++ ...ne-less-agressive-dl_server-handling.patch | 163 ++ ...eset-extra_bw-to-max_bw-when-clearin.patch | 49 + ...l-__put_task_struct-on-rt-if-pi_bloc.patch | 97 ++ ...sched-psi-fix-psi_seq-initialization.patch | 51 + ...ize-psi_group_change-cpu_clock-usage.patch | 338 ++++ ...db-move-mnt_-constants-to-gdb-parsed.patch | 50 + ...lx-efct-fix-dma_unmap_sg-nents-value.patch | 37 + ...csi_tgt-fix-dma_unmap_sg-nents-value.patch | 48 + ...si-isci-fix-dma_unmap_sg-nents-value.patch | 37 + ...i-mpt3sas-fix-a-fw_event-memory-leak.patch | 39 + ...i-mvsas-fix-dma_unmap_sg-nents-value.patch | 46 + ...-iscsi-fix-hw-conn-removal-use-after.patch | 50 + ...shutdown-issue-start-stop-unit-appro.patch | 53 + ...e-link-recovery-when-h8-exit-fails-d.patch | 57 + ...-alsa-fix-memory-leak-in-utimer-test.patch | 37 + ...sts-bpf-fix-implementation-of-smp_mb.patch | 48 + ...-fix-signedness-bug-in-redir_partial.patch | 38 + ...x-unintentional-switch-case-fall-thr.patch | 37 + ...oints-use-suspend_stats-to-reliably-.patch | 115 ++ ...t-fix-remote-command-checking-in-req.patch | 41 + ...t-tso-enable-test-cases-based-on-hw_.patch | 141 ++ ...t-tso-fix-non-tunneled-tso6-test-cas.patch | 102 ++ ...t-tso-fix-vxlan-tunnel-flags-to-get-.patch | 100 ++ ...rno-checking-in-syscall_user_dispatc.patch | 132 ++ ...sts-landlock-fix-build-of-audit_test.patch | 42 + ...elftests-landlock-fix-readlink-check.patch | 50 + ...ink.sh-remove-esp4_offload-after-tes.patch | 62 + ...g-fix-false-failure-of-subsystem-eve.patch | 85 ++ ...hacha-correctly-skip-test-if-necessa.patch | 52 + queue-6.15/series | 371 +++++ ...use-hyphen-in-exported-variable-name.patch | 107 ++ ...cumentation-build-error-for-krealloc.patch | 53 + ...t-allow-parsing-zero-length-av-pairs.patch | 47 + ...soc-qcom-pmic_glink-fix-of-node-leak.patch | 54 + ...qmi-encoding-decoding-for-big-endian.patch | 126 ++ ...ear-err_force-register-with-err_stat.patch | 38 + ...oundwire-correct-some-property-names.patch | 48 + ...s-move-debug-statement-outside-of-er.patch | 56 + ...-restore-params-when-prepare-ports-f.patch | 43 + ...for-cfg-availability-in-stm32_spi_pr.patch | 59 + ...x-potential-memory-leak-in-fbtft_fra.patch | 39 + ...b-fix-error-code-in-board_type_ioctl.patch | 38 + ...-error-handling-paths-in-cb_gpib_pro.patch | 59 + ...gbphy-fix-up-const-issue-with-the-ma.patch | 52 + ...omisp-fix-stack-buffer-overflow-in-g.patch | 79 + ...-incorrect-null-termination-of-batte.patch | 41 + ...egative-overflow-of-budget-in-zeroco.patch | 46 + ...-tcp_measure_rcv_mss-for-ooo-packets.patch | 42 + ...queue-to-avoid-including-too-much-du.patch | 56 + ...eam-replace-team-lock-with-rtnl-lock.patch | 425 ++++++ .../tools-rv-do-not-skip-idle-in-trace.patch | 55 + ...hten-the-filename-size-in-check_if_c.patch | 68 + ...g-use-queue_rcu_work-to-free-filters.patch | 112 ++ ...e-vmalloc-for-ublk_device-s-__queues.patch | 54 + ...-atomic_long_inc_below-argument-type.patch | 66 + ...avoid-shadowing-err-in-uml_rtc_start.patch | 38 + ...arly-xhci-dbc-fix-early_ioremap-leak.patch | 56 + ...at-fix-incorrect-type-for-of_match-v.patch | 39 + ...fi-fastcharge-make-power-supply-name.patch | 110 ++ ...yoga-c630-fix-error-and-remove-paths.patch | 65 + ...idr-memory-leak-in-vduse-module-exit.patch | 50 + ...-fix-needs_teardown-flag-calculation.patch | 54 + ...lease-of-uninitialized-resources-on-.patch | 153 ++ ...ced-vfio_df_close-call-in-no-iommu-m.patch | 69 + ...oken-checks-for-vfio_device_bind_iom.patch | 380 +++++ .../vfio-pci-separate-sr-iov-vf-dev_set.patch | 58 + .../vfio-pds-fix-missing-detach_ioas-op.patch | 46 + ...ent-open_count-decrement-to-negative.patch | 49 + ...e-kthread-api-and-add-mode-selection.patch | 530 +++++++ ...heck-for-inline_sg_cnt-exceeding-pre.patch | 44 + ...og-flooding-with-target-does-not-exi.patch | 65 + ...-dispatching-of-uninitialized-payloa.patch | 49 + ...g-dst-reference-in-vrf_ip6_input_dst.patch | 65 + ..._wdt-check-record-length-in-ziirave_.patch | 42 + ...r-initialized-flag-for-deinit-ed-srn.patch | 97 ++ ...sleeping-in-atomic-in-ath11k_mac_op_.patch | 72 + ...d-accessing-uninitialized-arvif-ar-d.patch | 151 ++ ...12k-block-radio-bring-up-in-ftm-mode.patch | 68 + ...r-auth-flag-only-for-actual-associat.patch | 82 + ...double-budget-decrement-while-reapin.patch | 45 + ...endianness-handling-while-accessing-.patch | 70 + ...-ab-pointer-directly-to-ath12k_dp_tx.patch | 71 + ...-htt_tcl_metadata_ver_v1-in-ftm-mode.patch | 78 + ...x-p2p-discovery-failure-in-p2p-peer-.patch | 65 + ...d-missing-lock-in-cfg80211_check_and.patch | 85 ++ ...-error-code-in-iwl_op_mode_dvm_start.patch | 40 + ...wifi-fix-memory-leak-in-iwl_mvm_init.patch | 40 + ...wlwifi-mld-decode-eof-bit-for-ampdus.patch | 46 + ...eck-802.11-encaps-offloading-in-ieee.patch | 45 + ...ac80211-do-not-schedule-stopped-txqs.patch | 49 + ...n-t-call-fq_flow_idx-for-management-.patch | 45 + ...x-warn_on-for-monitor-mode-on-some-d.patch | 56 + ...ject-tdls-operations-when-station-is.patch | 46 + ...ite-cnt-before-copying-in-ieee80211_.patch | 47 + ...-fix-possible-oob-access-in-mt7996_t.patch | 67 + ...-fix-secondary-link-lookup-in-mt7996.patch | 39 + ...-fix-valid_links-bitmask-in-mt7996_m.patch | 46 + ...-num_sub_specs-before-looping-throug.patch | 39 + ...x-error-handling-in-usb-driver-probe.patch | 176 +++ ...l-urbs-before-clearing-tx-status-que.patch | 68 + ...x-rx-skb-size-for-aggregation-disabl.patch | 45 + ...8-fix-macid-assigned-to-tdls-station.patch | 51 + ...-null-dereference-when-rx-problemati.patch | 82 + ...fix-eht-20mhz-tx-rate-for-non-ap-sta.patch | 64 + ...xen-fix-uaf-in-dmabuf_exp_from_pages.patch | 96 ++ ...e-struct-gntdev_copy_batch-from-stac.patch | 187 +++ 372 files changed, 29357 insertions(+) create mode 100644 queue-6.15/alsa-usb-scarlett2-fix-missing-null-check.patch create mode 100644 queue-6.15/apparmor-ensure-wb_history_size-value-is-a-power-of-.patch create mode 100644 queue-6.15/apparmor-fix-loop-detection-used-in-conflicting-atta.patch create mode 100644 queue-6.15/apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch create mode 100644 queue-6.15/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch create mode 100644 queue-6.15/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch create mode 100644 queue-6.15/arm-dts-microchip-sam9x7-add-clock-name-property.patch create mode 100644 queue-6.15/arm-dts-microchip-sama7d65-add-clock-name-property.patch create mode 100644 queue-6.15/arm-dts-ti-omap-fixup-pinheader-typo.patch create mode 100644 queue-6.15/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch create mode 100644 queue-6.15/arm64-dts-exynos-gs101-add-local-timer-stop-to-cpuid.patch create mode 100644 queue-6.15/arm64-dts-freescale-imx93-tqma9352-limit-buck2-to-60.patch create mode 100644 queue-6.15/arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch create mode 100644 queue-6.15/arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch create mode 100644 queue-6.15/arm64-dts-imx8mp-venice-gw74xx-update-name-of-m2skt_.patch create mode 100644 queue-6.15/arm64-dts-qcom-msm8976-make-blsp_dma-controlled-remo.patch create mode 100644 queue-6.15/arm64-dts-qcom-qcs615-disable-the-cti-device-of-the-.patch create mode 100644 queue-6.15/arm64-dts-qcom-qcs615-fix-a-crash-issue-caused-by-in.patch create mode 100644 queue-6.15/arm64-dts-qcom-sa8775p-correct-the-interrupt-for-rem.patch create mode 100644 queue-6.15/arm64-dts-qcom-sc7180-expand-imem-region.patch create mode 100644 queue-6.15/arm64-dts-qcom-sdm845-expand-imem-region.patch create mode 100644 queue-6.15/arm64-dts-rockchip-enable-emmc-hs200-mode-on-radxa-e.patch create mode 100644 queue-6.15/arm64-dts-rockchip-fix-phy-handling-for-rock-4d.patch create mode 100644 queue-6.15/arm64-dts-rockchip-fix-pinctrl-node-names-for-rk3528.patch create mode 100644 queue-6.15/arm64-dts-st-fix-timer-used-for-ticks.patch create mode 100644 queue-6.15/arm64-dts-ti-k3-am62p-j722s-fix-pinctrl-single-size.patch create mode 100644 queue-6.15/arm64-dts-ti-k3-am642-phyboard-electra-fix-pru-icssg.patch create mode 100644 queue-6.15/arm64-gcs-task_gcs_el0_enable-should-use-passed-task.patch create mode 100644 queue-6.15/asoc-amd-acp-fix-pointer-assignments-for-snd_soc_acp.patch create mode 100644 queue-6.15/asoc-fsl_xcvr-get-channel-status-data-when-phy-is-no.patch create mode 100644 queue-6.15/asoc-fsl_xcvr-get-channel-status-data-with-firmware-.patch create mode 100644 queue-6.15/asoc-mediatek-use-reserved-memory-or-enable-buffer-p.patch create mode 100644 queue-6.15/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch create mode 100644 queue-6.15/asoc-sdca-allow-read-only-controls-to-be-deferrable.patch create mode 100644 queue-6.15/asoc-sdca-fix-some-holes-in-the-regmap-readable-writ.patch create mode 100644 queue-6.15/asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch create mode 100644 queue-6.15/audit-module-restore-audit-logging-in-load-failure-c.patch create mode 100644 queue-6.15/block-mtip32xx-fix-usage-of-dma_map_sg.patch create mode 100644 queue-6.15/block-sanitize-chunk_sectors-for-atomic-write-limits.patch create mode 100644 queue-6.15/bluetooth-hci_devcd_dump-fix-out-of-bounds-via-dev_c.patch create mode 100644 queue-6.15/bluetooth-hci_event-mask-data-status-from-le-ext-adv.patch create mode 100644 queue-6.15/bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch create mode 100644 queue-6.15/bpf-arm64-fix-fp-initialization-for-exception-bounda.patch create mode 100644 queue-6.15/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch create mode 100644 queue-6.15/bpf-check-netfilter-ctx-accesses-are-aligned.patch create mode 100644 queue-6.15/bpf-disable-migration-in-nf_hook_run_bpf.patch create mode 100644 queue-6.15/bpf-ensure-rcu-lock-is-held-around-bpf_prog_ksym_fin.patch create mode 100644 queue-6.15/bpf-handle-jset-if-a-b-.-as-a-jump-in-cfg-computatio.patch create mode 100644 queue-6.15/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch create mode 100644 queue-6.15/bpf-preload-don-t-select-usermode_driver.patch create mode 100644 queue-6.15/bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch create mode 100644 queue-6.15/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch create mode 100644 queue-6.15/btrfs-remove-partial-support-for-lowest-level-from-b.patch create mode 100644 queue-6.15/bus-mhi-host-pci_generic-fix-the-modem-name-of-foxco.patch create mode 100644 queue-6.15/caif-reduce-stack-size-again.patch create mode 100644 queue-6.15/can-kvaser_pciefd-store-device-channel-index.patch create mode 100644 queue-6.15/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch create mode 100644 queue-6.15/can-peak_usb-fix-usb-fd-devices-potential-malfunctio.patch create mode 100644 queue-6.15/ceph-parse_longname-strrchr-expects-nul-terminated-s.patch create mode 100644 queue-6.15/clk-at91-sam9x7-update-pll-clk-ranges.patch create mode 100644 queue-6.15/clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch create mode 100644 queue-6.15/clk-clocking-wizard-fix-the-round-rate-handling-for-.patch create mode 100644 queue-6.15/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch create mode 100644 queue-6.15/clk-imx95-blk-ctl-fix-synchronous-abort.patch create mode 100644 queue-6.15/clk-renesas-rzv2h-fix-missing-clk_set_rate_parent-fl.patch create mode 100644 queue-6.15/clk-sunxi-ng-v3s-fix-de-clock-definition.patch create mode 100644 queue-6.15/clk-thead-th1520-ap-correctly-refer-the-parent-of-os.patch create mode 100644 queue-6.15/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch create mode 100644 queue-6.15/cpufreq-armada-8k-make-both-cpu-masks-static.patch create mode 100644 queue-6.15/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch create mode 100644 queue-6.15/cpufreq-initialize-cpufreq-based-frequency-invarianc.patch create mode 100644 queue-6.15/cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch create mode 100644 queue-6.15/crypto-arm-aes-neonbs-work-around-gcc-15-warning.patch create mode 100644 queue-6.15/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch create mode 100644 queue-6.15/crypto-ccp-fix-locking-on-alloc-failure-handling.patch create mode 100644 queue-6.15/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.15/crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.15/crypto-keembay-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.15/crypto-krb5-fix-memory-leak-in-krb5_test_one_prf.patch create mode 100644 queue-6.15/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch create mode 100644 queue-6.15/crypto-qat-allow-enabling-vfs-in-the-absence-of-iomm.patch create mode 100644 queue-6.15/crypto-qat-disable-zuc-256-capability-for-qat-gen5.patch create mode 100644 queue-6.15/crypto-qat-fix-dma-direction-for-compression-on-gen2.patch create mode 100644 queue-6.15/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch create mode 100644 queue-6.15/crypto-qat-fix-state-restore-for-banks-with-exceptio.patch create mode 100644 queue-6.15/crypto-qat-use-unmanaged-allocation-for-dc_data.patch create mode 100644 queue-6.15/crypto-sun8i-ce-fix-nents-passed-to-dma_unmap_sg.patch create mode 100644 queue-6.15/dmaengine-mmp-fix-again-wvoid-pointer-to-enum-cast-w.patch create mode 100644 queue-6.15/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch create mode 100644 queue-6.15/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch create mode 100644 queue-6.15/drivers-misc-sram-fix-up-some-const-issues-with-rece.patch create mode 100644 queue-6.15/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch create mode 100644 queue-6.15/drm-amdgpu-gfx10-fix-kiq-locking-in-kcq-reset.patch create mode 100644 queue-6.15/drm-amdgpu-gfx9-fix-kiq-locking-in-kcq-reset.patch create mode 100644 queue-6.15/drm-amdgpu-gfx9.4.3-fix-kiq-locking-in-kcq-reset.patch create mode 100644 queue-6.15/drm-amdgpu-remove-nbiov7.9-replay-count-reporting.patch create mode 100644 queue-6.15/drm-connector-hdmi-evaluate-limited-range-after-comp.patch create mode 100644 queue-6.15/drm-msm-dpu-fill-in-min_prefill_lines-for-sc8180x.patch create mode 100644 queue-6.15/drm-panfrost-fix-panfrost-device-variable-name-in-de.patch create mode 100644 queue-6.15/drm-panthor-add-missing-explicit-padding-in-drm_pant.patch create mode 100644 queue-6.15/drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch create mode 100644 queue-6.15/drm-rockchip-vop2-fail-cleanly-if-missing-a-primary-.patch create mode 100644 queue-6.15/drm-rockchip-vop2-fix-the-update-of-layer-port-selec.patch create mode 100644 queue-6.15/drm-vmwgfx-fix-host-backed-userspace-on-guest-backed.patch create mode 100644 queue-6.15/drm-xe-correct-bmg-vsec-header-sizing.patch create mode 100644 queue-6.15/drm-xe-correct-the-rev-value-for-the-dvsec-entries.patch create mode 100644 queue-6.15/drm-xe-vf-disable-csc-support-on-vf.patch create mode 100644 queue-6.15/exfat-fdatasync-flag-should-be-same-like-generic_wri.patch create mode 100644 queue-6.15/ext4-fix-inode-use-after-free-in-ext4_end_io_rsv_wor.patch create mode 100644 queue-6.15/ext4-make-sure-bh_new-bit-is-cleared-in-write_end-ha.patch create mode 100644 queue-6.15/f2fs-doc-fix-wrong-quota-mount-option-description.patch create mode 100644 queue-6.15/f2fs-fix-bio-memleak-when-committing-super-block.patch create mode 100644 queue-6.15/f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch create mode 100644 queue-6.15/f2fs-fix-to-avoid-invalid-wait-context-issue.patch create mode 100644 queue-6.15/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch create mode 100644 queue-6.15/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch create mode 100644 queue-6.15/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch create mode 100644 queue-6.15/f2fs-fix-to-calculate-dirty-data-during-has_not_enou.patch create mode 100644 queue-6.15/f2fs-fix-to-check-upper-boundary-for-gc_no_zoned_gc_.patch create mode 100644 queue-6.15/f2fs-fix-to-check-upper-boundary-for-gc_valid_thresh.patch create mode 100644 queue-6.15/f2fs-fix-to-check-upper-boundary-for-value-of-gc_boo.patch create mode 100644 queue-6.15/f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_bl.patch create mode 100644 queue-6.15/f2fs-fix-to-update-upper_p-in-__get_secs_required-co.patch create mode 100644 queue-6.15/f2fs-turn-off-one_time-when-forcibly-set-to-foregrou.patch create mode 100644 queue-6.15/f2fs-vm_unmap_ram-may-be-called-from-an-invalid-cont.patch create mode 100644 queue-6.15/fanotify-sanitize-handle_type-values-when-reporting-.patch create mode 100644 queue-6.15/fbcon-fix-outdated-registered_fb-reference-in-commen.patch create mode 100644 queue-6.15/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch create mode 100644 queue-6.15/firmware-arm_scmi-fix-up-turbo-frequencies-selection.patch create mode 100644 queue-6.15/fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.15/fortify-fix-incorrect-reporting-of-read-buffer-size.patch create mode 100644 queue-6.15/fs-ntfs3-cancle-set-bad-inode-after-removing-name-fa.patch create mode 100644 queue-6.15/fs-orangefs-allow-2-more-characters-in-do_c_string.patch create mode 100644 queue-6.15/fs_context-fix-parameter-name-in-infofc-macro.patch create mode 100644 queue-6.15/gfs2-minor-do_xmote-cancelation-fix.patch create mode 100644 queue-6.15/gfs2-no-more-self-recovery.patch create mode 100644 queue-6.15/hfs-make-splice-write-available-again.patch create mode 100644 queue-6.15/hfsplus-make-splice-write-available-again.patch create mode 100644 queue-6.15/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch create mode 100644 queue-6.15/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch create mode 100644 queue-6.15/i2c-muxes-mule-fix-an-error-handling-path-in-mule_i2.patch create mode 100644 queue-6.15/i3c-master-svc-fix-npcm845-fifo_empty-quirk.patch create mode 100644 queue-6.15/igb-xsk-solve-negative-overflow-of-nb_pkts-in-zeroco.patch create mode 100644 queue-6.15/interconnect-qcom-qcs615-drop-ip0-interconnects.patch create mode 100644 queue-6.15/interconnect-qcom-sc8180x-specify-num_nodes.patch create mode 100644 queue-6.15/interconnect-qcom-sc8280xp-specify-num_links-for-qnm.patch create mode 100644 queue-6.15/io_uring-fix-breakage-in-expert-menu.patch create mode 100644 queue-6.15/iommu-amd-enable-pasid-and-ats-capabilities-in-the-c.patch create mode 100644 queue-6.15/iommu-amd-fix-geometry.aperture_end-for-v2-tables.patch create mode 100644 queue-6.15/iommu-arm-smmu-disable-prr-on-sm8250.patch create mode 100644 queue-6.15/iommu-vt-d-do-not-wipe-out-the-page-table-nid-when-d.patch create mode 100644 queue-6.15/ipv6-annotate-data-races-around-rt-fib6_nsiblings.patch create mode 100644 queue-6.15/ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch create mode 100644 queue-6.15/ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch create mode 100644 queue-6.15/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch create mode 100644 queue-6.15/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch create mode 100644 queue-6.15/kconfig-qconf-fix-configlist-updatelistallforall.patch create mode 100644 queue-6.15/kcsan-test-initialize-dummy-variable.patch create mode 100644 queue-6.15/kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch create mode 100644 queue-6.15/kselftest-arm64-fix-check-for-setting-new-vls-in-sve.patch create mode 100644 queue-6.15/kunit-fortify-add-back-volatile-for-sizeof-constants.patch create mode 100644 queue-6.15/landlock-fix-warning-from-kunit-tests.patch create mode 100644 queue-6.15/m68k-don-t-unregister-boot-console-needlessly.patch create mode 100644 queue-6.15/macsec-set-iff_unicast_flt-priv-flag.patch create mode 100644 queue-6.15/md-allow-removing-faulty-rdev-during-resync.patch create mode 100644 queue-6.15/media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch create mode 100644 queue-6.15/mei-vsc-destroy-mutex-after-freeing-the-irq.patch create mode 100644 queue-6.15/mei-vsc-don-t-re-init-vsc-from-mei_vsc_hw_reset-on-s.patch create mode 100644 queue-6.15/mei-vsc-event-notifier-fixes.patch create mode 100644 queue-6.15/mei-vsc-unset-the-event-callback-on-remove-and-probe.patch create mode 100644 queue-6.15/memcg_slabinfo-fix-use-of-pg_slab.patch create mode 100644 queue-6.15/mfd-tps65219-update-tps65214-mfd-cell-s-gpio-compati.patch create mode 100644 queue-6.15/module-restore-the-moduleparam-prefix-length-check.patch create mode 100644 queue-6.15/mtd-fix-possible-integer-overflow-in-erase_xfer.patch create mode 100644 queue-6.15/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch create mode 100644 queue-6.15/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch create mode 100644 queue-6.15/mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch create mode 100644 queue-6.15/mtd-spi-nor-spansion-fixup-params-set_4byte_addr_mod.patch create mode 100644 queue-6.15/mwl8k-add-missing-check-after-dma-map.patch create mode 100644 queue-6.15/neighbour-fix-null-ptr-deref-in-neigh_flush_dev.patch create mode 100644 queue-6.15/net-dsa-microchip-fix-wrong-rx-drop-mib-counter-for-.patch create mode 100644 queue-6.15/net-dst-add-four-helpers-to-annotate-data-races-arou.patch create mode 100644 queue-6.15/net-dst-annotate-data-races-around-dst-input.patch create mode 100644 queue-6.15/net-dst-annotate-data-races-around-dst-output.patch create mode 100644 queue-6.15/net-ipv6-ip6mr-fix-in-out-netdev-to-pass-to-the-forw.patch create mode 100644 queue-6.15/net-mlx5-check-device-memory-pointer-before-usage.patch create mode 100644 queue-6.15/net-mlx5e-clear-read-only-port-buffer-size-in-pbmc-b.patch create mode 100644 queue-6.15/net-mlx5e-remove-skb-secpath-if-xfrm-state-is-not-fo.patch create mode 100644 queue-6.15/net-sched-restrict-conditions-for-adding-duplicating.patch create mode 100644 queue-6.15/net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch create mode 100644 queue-6.15/netconsole-only-register-console-drivers-when-target.patch create mode 100644 queue-6.15/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch create mode 100644 queue-6.15/netfilter-nf_tables-drop-dead-code-from-fill_-_info-.patch create mode 100644 queue-6.15/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch create mode 100644 queue-6.15/padata-fix-pd-uaf-once-and-for-all.patch create mode 100644 queue-6.15/padata-remove-comment-for-reorder_work.patch create mode 100644 queue-6.15/pci-adjust-the-position-of-reading-the-link-control-.patch create mode 100644 queue-6.15/pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch create mode 100644 queue-6.15/pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch create mode 100644 queue-6.15/pci-fix-driver_managed_dma-check.patch create mode 100644 queue-6.15/pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch create mode 100644 queue-6.15/pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch create mode 100644 queue-6.15/pci-pnv_php-work-around-switches-with-broken-presenc.patch create mode 100644 queue-6.15/pci-rockchip-host-fix-unexpected-completion-log-mess.patch create mode 100644 queue-6.15/perf-dso-add-missed-dso__put-to-dso__load_kcore.patch create mode 100644 queue-6.15/perf-hwmon_pmu-avoid-shortening-hwmon-pmu-name.patch create mode 100644 queue-6.15/perf-parse-events-set-default-gh-modifier-properly.patch create mode 100644 queue-6.15/perf-record-cache-build-id-of-hit-dsos-only.patch create mode 100644 queue-6.15/perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch create mode 100644 queue-6.15/perf-sched-fix-memory-leaks-in-perf-sched-latency.patch create mode 100644 queue-6.15/perf-sched-fix-memory-leaks-in-perf-sched-map.patch create mode 100644 queue-6.15/perf-sched-fix-thread-leaks-in-perf-sched-timehist.patch create mode 100644 queue-6.15/perf-sched-free-thread-priv-using-priv_destructor.patch create mode 100644 queue-6.15/perf-sched-make-sure-it-frees-the-usage-string.patch create mode 100644 queue-6.15/perf-sched-use-rc_chk_equal-to-compare-pointers.patch create mode 100644 queue-6.15/perf-tests-bp_account-fix-leaked-file-descriptor.patch create mode 100644 queue-6.15/perf-tools-fix-use-after-free-in-help_unknown_cmd.patch create mode 100644 queue-6.15/perf-tools-remove-libtraceevent-in-.gitignore.patch create mode 100644 queue-6.15/phy-qualcomm-phy-qcom-eusb2-repeater-don-t-zero-out-.patch create mode 100644 queue-6.15/pinctrl-berlin-fix-memory-leak-in-berlin_pinctrl_bui.patch create mode 100644 queue-6.15/pinctrl-canaan-k230-add-null-check-in-dt-parse.patch create mode 100644 queue-6.15/pinctrl-canaan-k230-fix-order-of-dt-parse-and-pinctr.patch create mode 100644 queue-6.15/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch create mode 100644 queue-6.15/pinmux-fix-race-causing-mux_owner-null-with-active-m.patch create mode 100644 queue-6.15/pm-cpufreq-powernv-tracing-move-powernv_throttle-tra.patch create mode 100644 queue-6.15/pm-cpupower-fix-printing-of-core-cpu-fields-in-cpupo.patch create mode 100644 queue-6.15/pm-devfreq-check-governor-before-using-governor-name.patch create mode 100644 queue-6.15/pm-devfreq-fix-a-index-typo-in-trans_stat.patch create mode 100644 queue-6.15/power-sequencing-qcom-wcn-fix-bluetooth-wifi-copypas.patch create mode 100644 queue-6.15/power-supply-cpcap-charger-fix-null-check-for-power_.patch create mode 100644 queue-6.15/power-supply-max14577-handle-null-pdata-when-config_.patch create mode 100644 queue-6.15/power-supply-max1720x-correct-capacity-computation.patch create mode 100644 queue-6.15/power-supply-qcom_pmi8998_charger-fix-wakeirq.patch create mode 100644 queue-6.15/powercap-dtpm_cpu-fix-null-pointer-dereference-in-ge.patch create mode 100644 queue-6.15/powerpc-eeh-export-eeh_unfreeze_pe.patch create mode 100644 queue-6.15/powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch create mode 100644 queue-6.15/powerpc-pseries-dlpar-search-drc-index-from-ibm-drc-.patch create mode 100644 queue-6.15/pps-fix-poll-support.patch create mode 100644 queue-6.15/proc-use-the-same-treatment-to-check-proc_lseek-as-o.patch create mode 100644 queue-6.15/rcu-fix-delayed-execution-of-hurry-callbacks.patch create mode 100644 queue-6.15/rdma-hns-drop-gfp_nowarn.patch create mode 100644 queue-6.15/rdma-hns-fix-accessing-uninitialized-resources.patch create mode 100644 queue-6.15/rdma-hns-fix-double-destruction-of-rsv_qp.patch create mode 100644 queue-6.15/rdma-hns-fix-hw-configurations-not-cleared-in-error-.patch create mode 100644 queue-6.15/rdma-hns-fix-wframe-larger-than-issue.patch create mode 100644 queue-6.15/rdma-hns-get-message-length-of-ack_req-from-fw.patch create mode 100644 queue-6.15/rdma-mana_ib-fix-dscp-value-in-modify-qp.patch create mode 100644 queue-6.15/rdma-mlx5-fix-umr-modifying-of-mkey-page-size.patch create mode 100644 queue-6.15/reapply-wifi-mac80211-update-skb-s-control-block-key.patch create mode 100644 queue-6.15/refscale-check-that-nreaders-and-loops-multiplicatio.patch create mode 100644 queue-6.15/remoteproc-qcom-pas-conclude-the-rename-from-adsp.patch create mode 100644 queue-6.15/remoteproc-xlnx-disable-unsupported-features.patch create mode 100644 queue-6.15/revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch create mode 100644 queue-6.15/revert-vmci-prevent-the-dispatching-of-uninitialized.patch create mode 100644 queue-6.15/ring-buffer-remove-ring_buffer_read_prepare_sync.patch create mode 100644 queue-6.15/risc-v-kvm-fix-inclusion-of-smnpm-in-the-guest-isa-b.patch create mode 100644 queue-6.15/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch create mode 100644 queue-6.15/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch create mode 100644 queue-6.15/rtc-nct3018y-fix-incorrect-maximum-clock-rate-handli.patch create mode 100644 queue-6.15/rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch create mode 100644 queue-6.15/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch create mode 100644 queue-6.15/rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch create mode 100644 queue-6.15/rust-miscdevice-clarify-invariant-for-miscdeviceregi.patch create mode 100644 queue-6.15/rv-adjust-monitor-dependencies.patch create mode 100644 queue-6.15/samples-mei-fix-building-on-musl-libc.patch create mode 100644 queue-6.15/sched-deadline-initialize-dl_servers-after-smp.patch create mode 100644 queue-6.15/sched-deadline-less-agressive-dl_server-handling.patch create mode 100644 queue-6.15/sched-deadline-reset-extra_bw-to-max_bw-when-clearin.patch create mode 100644 queue-6.15/sched-do-not-call-__put_task_struct-on-rt-if-pi_bloc.patch create mode 100644 queue-6.15/sched-psi-fix-psi_seq-initialization.patch create mode 100644 queue-6.15/sched-psi-optimize-psi_group_change-cpu_clock-usage.patch create mode 100644 queue-6.15/scripts-gdb-move-mnt_-constants-to-gdb-parsed.patch create mode 100644 queue-6.15/scsi-elx-efct-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.15/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.15/scsi-isci-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.15/scsi-mpt3sas-fix-a-fw_event-memory-leak.patch create mode 100644 queue-6.15/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.15/scsi-revert-scsi-iscsi-fix-hw-conn-removal-use-after.patch create mode 100644 queue-6.15/scsi-sd-make-sd-shutdown-issue-start-stop-unit-appro.patch create mode 100644 queue-6.15/scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch create mode 100644 queue-6.15/selftests-alsa-fix-memory-leak-in-utimer-test.patch create mode 100644 queue-6.15/selftests-bpf-fix-implementation-of-smp_mb.patch create mode 100644 queue-6.15/selftests-bpf-fix-signedness-bug-in-redir_partial.patch create mode 100644 queue-6.15/selftests-bpf-fix-unintentional-switch-case-fall-thr.patch create mode 100644 queue-6.15/selftests-breakpoints-use-suspend_stats-to-reliably-.patch create mode 100644 queue-6.15/selftests-drv-net-fix-remote-command-checking-in-req.patch create mode 100644 queue-6.15/selftests-drv-net-tso-enable-test-cases-based-on-hw_.patch create mode 100644 queue-6.15/selftests-drv-net-tso-fix-non-tunneled-tso6-test-cas.patch create mode 100644 queue-6.15/selftests-drv-net-tso-fix-vxlan-tunnel-flags-to-get-.patch create mode 100644 queue-6.15/selftests-fix-errno-checking-in-syscall_user_dispatc.patch create mode 100644 queue-6.15/selftests-landlock-fix-build-of-audit_test.patch create mode 100644 queue-6.15/selftests-landlock-fix-readlink-check.patch create mode 100644 queue-6.15/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch create mode 100644 queue-6.15/selftests-tracing-fix-false-failure-of-subsystem-eve.patch create mode 100644 queue-6.15/selftests-vdso-chacha-correctly-skip-test-if-necessa.patch create mode 100644 queue-6.15/sh-do-not-use-hyphen-in-exported-variable-name.patch create mode 100644 queue-6.15/slub-fix-a-documentation-build-error-for-krealloc.patch create mode 100644 queue-6.15/smb-client-allow-parsing-zero-length-av-pairs.patch create mode 100644 queue-6.15/soc-qcom-pmic_glink-fix-of-node-leak.patch create mode 100644 queue-6.15/soc-qcom-qmi-encoding-decoding-for-big-endian.patch create mode 100644 queue-6.15/soc-tegra-cbb-clear-err_force-register-with-err_stat.patch create mode 100644 queue-6.15/soundwire-correct-some-property-names.patch create mode 100644 queue-6.15/soundwire-debugfs-move-debug-statement-outside-of-er.patch create mode 100644 queue-6.15/soundwire-stream-restore-params-when-prepare-ports-f.patch create mode 100644 queue-6.15/spi-stm32-check-for-cfg-availability-in-stm32_spi_pr.patch create mode 100644 queue-6.15/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch create mode 100644 queue-6.15/staging-gpib-fix-error-code-in-board_type_ioctl.patch create mode 100644 queue-6.15/staging-gpib-fix-error-handling-paths-in-cb_gpib_pro.patch create mode 100644 queue-6.15/staging-greybus-gbphy-fix-up-const-issue-with-the-ma.patch create mode 100644 queue-6.15/staging-media-atomisp-fix-stack-buffer-overflow-in-g.patch create mode 100644 queue-6.15/staging-nvec-fix-incorrect-null-termination-of-batte.patch create mode 100644 queue-6.15/stmmac-xsk-fix-negative-overflow-of-budget-in-zeroco.patch create mode 100644 queue-6.15/tcp-call-tcp_measure_rcv_mss-for-ooo-packets.patch create mode 100644 queue-6.15/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch create mode 100644 queue-6.15/team-replace-team-lock-with-rtnl-lock.patch create mode 100644 queue-6.15/tools-rv-do-not-skip-idle-in-trace.patch create mode 100644 queue-6.15/tools-subcmd-tighten-the-filename-size-in-check_if_c.patch create mode 100644 queue-6.15/tracing-use-queue_rcu_work-to-free-filters.patch create mode 100644 queue-6.15/ublk-use-vmalloc-for-ublk_device-s-__queues.patch create mode 100644 queue-6.15/ucount-fix-atomic_long_inc_below-argument-type.patch create mode 100644 queue-6.15/um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch create mode 100644 queue-6.15/usb-early-xhci-dbc-fix-early_ioremap-leak.patch create mode 100644 queue-6.15/usb-host-xhci-plat-fix-incorrect-type-for-of_match-v.patch create mode 100644 queue-6.15/usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch create mode 100644 queue-6.15/usb-typec-ucsi-yoga-c630-fix-error-and-remove-paths.patch create mode 100644 queue-6.15/vdpa-fix-idr-memory-leak-in-vduse-module-exit.patch create mode 100644 queue-6.15/vdpa-mlx5-fix-needs_teardown-flag-calculation.patch create mode 100644 queue-6.15/vdpa-mlx5-fix-release-of-uninitialized-resources-on-.patch create mode 100644 queue-6.15/vfio-fix-unbalanced-vfio_df_close-call-in-no-iommu-m.patch create mode 100644 queue-6.15/vfio-pci-do-vf_token-checks-for-vfio_device_bind_iom.patch create mode 100644 queue-6.15/vfio-pci-separate-sr-iov-vf-dev_set.patch create mode 100644 queue-6.15/vfio-pds-fix-missing-detach_ioas-op.patch create mode 100644 queue-6.15/vfio-prevent-open_count-decrement-to-negative.patch create mode 100644 queue-6.15/vhost-reintroduce-kthread-api-and-add-mode-selection.patch create mode 100644 queue-6.15/vhost-scsi-fix-check-for-inline_sg_cnt-exceeding-pre.patch create mode 100644 queue-6.15/vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch create mode 100644 queue-6.15/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch create mode 100644 queue-6.15/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch create mode 100644 queue-6.15/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch create mode 100644 queue-6.15/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch create mode 100644 queue-6.15/wifi-ath11k-fix-sleeping-in-atomic-in-ath11k_mac_op_.patch create mode 100644 queue-6.15/wifi-ath12k-avoid-accessing-uninitialized-arvif-ar-d.patch create mode 100644 queue-6.15/wifi-ath12k-block-radio-bring-up-in-ftm-mode.patch create mode 100644 queue-6.15/wifi-ath12k-clear-auth-flag-only-for-actual-associat.patch create mode 100644 queue-6.15/wifi-ath12k-fix-double-budget-decrement-while-reapin.patch create mode 100644 queue-6.15/wifi-ath12k-fix-endianness-handling-while-accessing-.patch create mode 100644 queue-6.15/wifi-ath12k-pass-ab-pointer-directly-to-ath12k_dp_tx.patch create mode 100644 queue-6.15/wifi-ath12k-use-htt_tcl_metadata_ver_v1-in-ftm-mode.patch create mode 100644 queue-6.15/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch create mode 100644 queue-6.15/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and.patch create mode 100644 queue-6.15/wifi-iwlwifi-fix-error-code-in-iwl_op_mode_dvm_start.patch create mode 100644 queue-6.15/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch create mode 100644 queue-6.15/wifi-iwlwifi-mld-decode-eof-bit-for-ampdus.patch create mode 100644 queue-6.15/wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch create mode 100644 queue-6.15/wifi-mac80211-do-not-schedule-stopped-txqs.patch create mode 100644 queue-6.15/wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch create mode 100644 queue-6.15/wifi-mac80211-fix-warn_on-for-monitor-mode-on-some-d.patch create mode 100644 queue-6.15/wifi-mac80211-reject-tdls-operations-when-station-is.patch create mode 100644 queue-6.15/wifi-mac80211-write-cnt-before-copying-in-ieee80211_.patch create mode 100644 queue-6.15/wifi-mt76-mt7996-fix-possible-oob-access-in-mt7996_t.patch create mode 100644 queue-6.15/wifi-mt76-mt7996-fix-secondary-link-lookup-in-mt7996.patch create mode 100644 queue-6.15/wifi-mt76-mt7996-fix-valid_links-bitmask-in-mt7996_m.patch create mode 100644 queue-6.15/wifi-nl80211-set-num_sub_specs-before-looping-throug.patch create mode 100644 queue-6.15/wifi-plfxlc-fix-error-handling-in-usb-driver-probe.patch create mode 100644 queue-6.15/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch create mode 100644 queue-6.15/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch create mode 100644 queue-6.15/wifi-rtw88-fix-macid-assigned-to-tdls-station.patch create mode 100644 queue-6.15/wifi-rtw89-avoid-null-dereference-when-rx-problemati.patch create mode 100644 queue-6.15/wifi-rtw89-fix-eht-20mhz-tx-rate-for-non-ap-sta.patch create mode 100644 queue-6.15/xen-fix-uaf-in-dmabuf_exp_from_pages.patch create mode 100644 queue-6.15/xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch diff --git a/queue-6.15/alsa-usb-scarlett2-fix-missing-null-check.patch b/queue-6.15/alsa-usb-scarlett2-fix-missing-null-check.patch new file mode 100644 index 0000000000..9cd28491ff --- /dev/null +++ b/queue-6.15/alsa-usb-scarlett2-fix-missing-null-check.patch @@ -0,0 +1,43 @@ +From 2b5cb514e5dcc054096fab73cfc8054117f6db05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Jul 2025 07:37:08 +0200 +Subject: ALSA: usb: scarlett2: Fix missing NULL check + +From: Takashi Iwai + +[ Upstream commit df485a4b2b3ee5b35c80f990beb554e38a8a5fb1 ] + +scarlett2_input_select_ctl_info() sets up the string arrays allocated +via kasprintf(), but it misses NULL checks, which may lead to NULL +dereference Oops. Let's add the proper NULL check. + +Fixes: 8eba063b5b2b ("ALSA: scarlett2: Simplify linked channel handling") +Link: https://patch.msgid.link/20250731053714.29414-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_scarlett2.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c +index 288d22e6a0b2..5d47502c2858 100644 +--- a/sound/usb/mixer_scarlett2.c ++++ b/sound/usb/mixer_scarlett2.c +@@ -3971,8 +3971,13 @@ static int scarlett2_input_select_ctl_info( + goto unlock; + + /* Loop through each input */ +- for (i = 0; i < inputs; i++) ++ for (i = 0; i < inputs; i++) { + values[i] = kasprintf(GFP_KERNEL, "Input %d", i + 1); ++ if (!values[i]) { ++ err = -ENOMEM; ++ goto unlock; ++ } ++ } + + err = snd_ctl_enum_info(uinfo, 1, i, + (const char * const *)values); +-- +2.39.5 + diff --git a/queue-6.15/apparmor-ensure-wb_history_size-value-is-a-power-of-.patch b/queue-6.15/apparmor-ensure-wb_history_size-value-is-a-power-of-.patch new file mode 100644 index 0000000000..ef09551cab --- /dev/null +++ b/queue-6.15/apparmor-ensure-wb_history_size-value-is-a-power-of-.patch @@ -0,0 +1,55 @@ +From a5ee1df505174e103c16be7f346302df4175c964 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 12:54:38 -0700 +Subject: apparmor: ensure WB_HISTORY_SIZE value is a power of 2 + +From: Ryan Lee + +[ Upstream commit 6c055e62560b958354625604293652753d82bcae ] + +WB_HISTORY_SIZE was defined to be a value not a power of 2, despite a +comment in the declaration of struct match_workbuf stating it is and a +modular arithmetic usage in the inc_wb_pos macro assuming that it is. Bump +WB_HISTORY_SIZE's value up to 32 and add a BUILD_BUG_ON_NOT_POWER_OF_2 +line to ensure that any future changes to the value of WB_HISTORY_SIZE +respect this requirement. + +Fixes: 136db994852a ("apparmor: increase left match history buffer size") + +Signed-off-by: Ryan Lee +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/include/match.h | 3 ++- + security/apparmor/match.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h +index 536ce3abd598..b45fc39fa837 100644 +--- a/security/apparmor/include/match.h ++++ b/security/apparmor/include/match.h +@@ -137,7 +137,8 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start, + + void aa_dfa_free_kref(struct kref *kref); + +-#define WB_HISTORY_SIZE 24 ++/* This needs to be a power of 2 */ ++#define WB_HISTORY_SIZE 32 + struct match_workbuf { + unsigned int count; + unsigned int pos; +diff --git a/security/apparmor/match.c b/security/apparmor/match.c +index f2d9c57f8794..1ceabde550f2 100644 +--- a/security/apparmor/match.c ++++ b/security/apparmor/match.c +@@ -681,6 +681,7 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start, + + #define inc_wb_pos(wb) \ + do { \ ++ BUILD_BUG_ON_NOT_POWER_OF_2(WB_HISTORY_SIZE); \ + wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \ + wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \ + } while (0) +-- +2.39.5 + diff --git a/queue-6.15/apparmor-fix-loop-detection-used-in-conflicting-atta.patch b/queue-6.15/apparmor-fix-loop-detection-used-in-conflicting-atta.patch new file mode 100644 index 0000000000..db63fa074a --- /dev/null +++ b/queue-6.15/apparmor-fix-loop-detection-used-in-conflicting-atta.patch @@ -0,0 +1,121 @@ +From ccf1baff368048d35c970816a365c296450cb79e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 12:54:39 -0700 +Subject: apparmor: fix loop detection used in conflicting attachment + resolution + +From: Ryan Lee + +[ Upstream commit a88db916b8c77552f49f7d9f8744095ea01a268f ] + +Conflicting attachment resolution is based on the number of states +traversed to reach an accepting state in the attachment DFA, accounting +for DFA loops traversed during the matching process. However, the loop +counting logic had multiple bugs: + + - The inc_wb_pos macro increments both position and length, but length + is supposed to saturate upon hitting buffer capacity, instead of + wrapping around. + - If no revisited state is found when traversing the history, is_loop + would still return true, as if there was a loop found the length of + the history buffer, instead of returning false and signalling that + no loop was found. As a result, the adjustment step of + aa_dfa_leftmatch would sometimes produce negative counts with loop- + free DFAs that traversed enough states. + - The iteration in the is_loop for loop is supposed to stop before + i = wb->len, so the conditional should be < instead of <=. + +This patch fixes the above bugs as well as the following nits: + - The count and size fields in struct match_workbuf were not used, + so they can be removed. + - The history buffer in match_workbuf semantically stores aa_state_t + and not unsigned ints, even if aa_state_t is currently unsigned int. + - The local variables in is_loop are counters, and thus should be + unsigned ints instead of aa_state_t's. + +Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution") + +Signed-off-by: Ryan Lee +Co-developed-by: John Johansen +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/include/match.h | 5 +---- + security/apparmor/match.c | 22 +++++++++++----------- + 2 files changed, 12 insertions(+), 15 deletions(-) + +diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h +index b45fc39fa837..27cf23b0396b 100644 +--- a/security/apparmor/include/match.h ++++ b/security/apparmor/include/match.h +@@ -140,15 +140,12 @@ void aa_dfa_free_kref(struct kref *kref); + /* This needs to be a power of 2 */ + #define WB_HISTORY_SIZE 32 + struct match_workbuf { +- unsigned int count; + unsigned int pos; + unsigned int len; +- unsigned int size; /* power of 2, same as history size */ +- unsigned int history[WB_HISTORY_SIZE]; ++ aa_state_t history[WB_HISTORY_SIZE]; + }; + #define DEFINE_MATCH_WB(N) \ + struct match_workbuf N = { \ +- .count = 0, \ + .pos = 0, \ + .len = 0, \ + } +diff --git a/security/apparmor/match.c b/security/apparmor/match.c +index 1ceabde550f2..c5a91600842a 100644 +--- a/security/apparmor/match.c ++++ b/security/apparmor/match.c +@@ -679,35 +679,35 @@ aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start, + return state; + } + +-#define inc_wb_pos(wb) \ +-do { \ ++#define inc_wb_pos(wb) \ ++do { \ + BUILD_BUG_ON_NOT_POWER_OF_2(WB_HISTORY_SIZE); \ + wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \ +- wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \ ++ wb->len = (wb->len + 1) > WB_HISTORY_SIZE ? WB_HISTORY_SIZE : \ ++ wb->len + 1; \ + } while (0) + + /* For DFAs that don't support extended tagging of states */ ++/* adjust is only set if is_loop returns true */ + static bool is_loop(struct match_workbuf *wb, aa_state_t state, + unsigned int *adjust) + { +- aa_state_t pos = wb->pos; +- aa_state_t i; ++ int pos = wb->pos; ++ int i; + + if (wb->history[pos] < state) + return false; + +- for (i = 0; i <= wb->len; i++) { ++ for (i = 0; i < wb->len; i++) { + if (wb->history[pos] == state) { + *adjust = i; + return true; + } +- if (pos == 0) +- pos = WB_HISTORY_SIZE; +- pos--; ++ /* -1 wraps to WB_HISTORY_SIZE - 1 */ ++ pos = (pos - 1) & (WB_HISTORY_SIZE - 1); + } + +- *adjust = i; +- return true; ++ return false; + } + + static aa_state_t leftmatch_fb(struct aa_dfa *dfa, aa_state_t start, +-- +2.39.5 + diff --git a/queue-6.15/apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch b/queue-6.15/apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch new file mode 100644 index 0000000000..02518d8401 --- /dev/null +++ b/queue-6.15/apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch @@ -0,0 +1,60 @@ +From 8b243528135df1884603891e5d1671f0040917ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 May 2025 17:08:22 +0200 +Subject: apparmor: Fix unaligned memory accesses in KUnit test + +From: Helge Deller + +[ Upstream commit c68804199dd9d63868497a27b5da3c3cd15356db ] + +The testcase triggers some unnecessary unaligned memory accesses on the +parisc architecture: + Kernel: unaligned access to 0x12f28e27 in policy_unpack_test_init+0x180/0x374 (iir 0x0cdc1280) + Kernel: unaligned access to 0x12f28e67 in policy_unpack_test_init+0x270/0x374 (iir 0x64dc00ce) + +Use the existing helper functions put_unaligned_le32() and +put_unaligned_le16() to avoid such warnings on architectures which +prefer aligned memory accesses. + +Signed-off-by: Helge Deller +Fixes: 98c0cc48e27e ("apparmor: fix policy_unpack_test on big endian systems") +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/policy_unpack_test.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/security/apparmor/policy_unpack_test.c b/security/apparmor/policy_unpack_test.c +index 5b2ba88ae9e2..cf18744dafe2 100644 +--- a/security/apparmor/policy_unpack_test.c ++++ b/security/apparmor/policy_unpack_test.c +@@ -9,6 +9,8 @@ + #include "include/policy.h" + #include "include/policy_unpack.h" + ++#include ++ + #define TEST_STRING_NAME "TEST_STRING" + #define TEST_STRING_DATA "testing" + #define TEST_STRING_BUF_OFFSET \ +@@ -80,7 +82,7 @@ static struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf, + *(buf + 1) = strlen(TEST_U32_NAME) + 1; + strscpy(buf + 3, TEST_U32_NAME, e->end - (void *)(buf + 3)); + *(buf + 3 + strlen(TEST_U32_NAME) + 1) = AA_U32; +- *((__le32 *)(buf + 3 + strlen(TEST_U32_NAME) + 2)) = cpu_to_le32(TEST_U32_DATA); ++ put_unaligned_le32(TEST_U32_DATA, buf + 3 + strlen(TEST_U32_NAME) + 2); + + buf = e->start + TEST_NAMED_U64_BUF_OFFSET; + *buf = AA_NAME; +@@ -103,7 +105,7 @@ static struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf, + *(buf + 1) = strlen(TEST_ARRAY_NAME) + 1; + strscpy(buf + 3, TEST_ARRAY_NAME, e->end - (void *)(buf + 3)); + *(buf + 3 + strlen(TEST_ARRAY_NAME) + 1) = AA_ARRAY; +- *((__le16 *)(buf + 3 + strlen(TEST_ARRAY_NAME) + 2)) = cpu_to_le16(TEST_ARRAY_SIZE); ++ put_unaligned_le16(TEST_ARRAY_SIZE, buf + 3 + strlen(TEST_ARRAY_NAME) + 2); + + return e; + } +-- +2.39.5 + diff --git a/queue-6.15/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch b/queue-6.15/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch new file mode 100644 index 0000000000..10d9ff2914 --- /dev/null +++ b/queue-6.15/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch @@ -0,0 +1,38 @@ +From 09829358346b60936bc1473304985aa23e2ad9fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Mar 2025 20:11:16 +0100 +Subject: arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX + +From: Johan Korsnes + +[ Upstream commit 75cd37c5f28b85979fd5a65174013010f6b78f27 ] + +This option was removed from the Kconfig in commit +8c710f75256b ("net/sched: Retire tcindex classifier") but it was not +removed from the defconfigs. + +Fixes: 8c710f75256b ("net/sched: Retire tcindex classifier") +Signed-off-by: Johan Korsnes +Reviewed-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250323191116.113482-1-johan.korsnes@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/configs/ppc6xx_defconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig +index a91a766b71a4..efa1411a52e0 100644 +--- a/arch/powerpc/configs/ppc6xx_defconfig ++++ b/arch/powerpc/configs/ppc6xx_defconfig +@@ -253,7 +253,6 @@ CONFIG_NET_SCH_DSMARK=m + CONFIG_NET_SCH_NETEM=m + CONFIG_NET_SCH_INGRESS=m + CONFIG_NET_CLS_BASIC=m +-CONFIG_NET_CLS_TCINDEX=m + CONFIG_NET_CLS_ROUTE4=m + CONFIG_NET_CLS_FW=m + CONFIG_NET_CLS_U32=m +-- +2.39.5 + diff --git a/queue-6.15/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch b/queue-6.15/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch new file mode 100644 index 0000000000..57adfa3edc --- /dev/null +++ b/queue-6.15/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch @@ -0,0 +1,38 @@ +From 148ed2570472c9673cf9060879a865556f4bda5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 14:24:41 +0200 +Subject: ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 + interface + +From: Annette Kobou + +[ Upstream commit 47ef5256124fb939d8157b13ca048c902435cf23 ] + +The polarity of the DE signal of the transceiver is active-high for +sending. Therefore rs485-rts-active-low is wrong and needs to be +removed to make RS485 transmissions work. + +Signed-off-by: Annette Kobou +Signed-off-by: Frieder Schrempf +Fixes: 1ea4b76cdfde ("ARM: dts: imx6ul-kontron-n6310: Add Kontron i.MX6UL N6310 SoM and boards") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi b/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi +index 29d2f86d5e34..f4c45e964daf 100644 +--- a/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi ++++ b/arch/arm/boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi +@@ -168,7 +168,6 @@ &uart2 { + pinctrl-0 = <&pinctrl_uart2>; + linux,rs485-enabled-at-boot-time; + rs485-rx-during-tx; +- rs485-rts-active-low; + uart-has-rtscts; + status = "okay"; + }; +-- +2.39.5 + diff --git a/queue-6.15/arm-dts-microchip-sam9x7-add-clock-name-property.patch b/queue-6.15/arm-dts-microchip-sam9x7-add-clock-name-property.patch new file mode 100644 index 0000000000..d321db001d --- /dev/null +++ b/queue-6.15/arm-dts-microchip-sam9x7-add-clock-name-property.patch @@ -0,0 +1,45 @@ +From 46ad5c772883543d4dfec2ca41e096587a604830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 09:08:42 -0700 +Subject: ARM: dts: microchip: sam9x7: Add clock name property + +From: Ryan Wanner + +[ Upstream commit 2e24723492b28ffdccb0e3e68725673e299e3823 ] + +Add clock-output-names to the xtal nodes, so the driver can correctly +register the main and slow xtal. + +This fixes the issue of the SoC clock driver not being able to find +the main xtal and slow xtal correctly causing a bad clock tree. + +Fixes: 41af45af8bc3 ("ARM: dts: at91: sam9x7: add device tree for SoC") +Signed-off-by: Ryan Wanner +Link: https://lore.kernel.org/r/036518968ac657b93e315bb550b822b59ae6f17c.1750175453.git.Ryan.Wanner@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/microchip/sam9x7.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/microchip/sam9x7.dtsi b/arch/arm/boot/dts/microchip/sam9x7.dtsi +index b217a908f525..114449e90720 100644 +--- a/arch/arm/boot/dts/microchip/sam9x7.dtsi ++++ b/arch/arm/boot/dts/microchip/sam9x7.dtsi +@@ -45,11 +45,13 @@ cpu@0 { + clocks { + slow_xtal: clock-slowxtal { + compatible = "fixed-clock"; ++ clock-output-names = "slow_xtal"; + #clock-cells = <0>; + }; + + main_xtal: clock-mainxtal { + compatible = "fixed-clock"; ++ clock-output-names = "main_xtal"; + #clock-cells = <0>; + }; + }; +-- +2.39.5 + diff --git a/queue-6.15/arm-dts-microchip-sama7d65-add-clock-name-property.patch b/queue-6.15/arm-dts-microchip-sama7d65-add-clock-name-property.patch new file mode 100644 index 0000000000..678d852d0c --- /dev/null +++ b/queue-6.15/arm-dts-microchip-sama7d65-add-clock-name-property.patch @@ -0,0 +1,45 @@ +From 3488d45b305fa9d3f4d63ece0e13721621645dbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 09:08:41 -0700 +Subject: ARM: dts: microchip: sama7d65: Add clock name property + +From: Ryan Wanner + +[ Upstream commit 0029468132ba2e00a3010865038783d9b2e6cc07 ] + +Add clock-output-names to the xtal nodes, so the driver can correctly +register the main and slow xtal. + +This fixes the issue of the SoC clock driver not being able to find +the main xtal and slow xtal correctly causing a bad clock tree. + +Fixes: 261dcfad1b59 ("ARM: dts: microchip: add sama7d65 SoC DT") +Signed-off-by: Ryan Wanner +Link: https://lore.kernel.org/r/3878ae6d0016d46f0c91bd379146d575d5d336aa.1750175453.git.Ryan.Wanner@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/microchip/sama7d65.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/microchip/sama7d65.dtsi b/arch/arm/boot/dts/microchip/sama7d65.dtsi +index b6710ccd4c36..7b1dd28a2cfa 100644 +--- a/arch/arm/boot/dts/microchip/sama7d65.dtsi ++++ b/arch/arm/boot/dts/microchip/sama7d65.dtsi +@@ -38,11 +38,13 @@ cpu0: cpu@0 { + clocks { + main_xtal: clock-mainxtal { + compatible = "fixed-clock"; ++ clock-output-names = "main_xtal"; + #clock-cells = <0>; + }; + + slow_xtal: clock-slowxtal { + compatible = "fixed-clock"; ++ clock-output-names = "slow_xtal"; + #clock-cells = <0>; + }; + }; +-- +2.39.5 + diff --git a/queue-6.15/arm-dts-ti-omap-fixup-pinheader-typo.patch b/queue-6.15/arm-dts-ti-omap-fixup-pinheader-typo.patch new file mode 100644 index 0000000000..dbbdb8202c --- /dev/null +++ b/queue-6.15/arm-dts-ti-omap-fixup-pinheader-typo.patch @@ -0,0 +1,44 @@ +From 135cd541ed779dec545d86d1c0667cd1381e6f6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 13:48:39 +0200 +Subject: arm: dts: ti: omap: Fixup pinheader typo +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Albin Törnqvist + +[ Upstream commit a3a4be32b69c99fc20a66e0de83b91f8c882bf4c ] + +This commit fixes a typo introduced in commit +ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names"). +gpio0_7 is located on the P9 header on the BBB. +This was verified with a BeagleBone Black by toggling the pin and +checking with a multimeter that it corresponds to pin 42 on the P9 +header. + +Signed-off-by: Albin Törnqvist +Link: https://lore.kernel.org/r/20250624114839.1465115-2-albin.tornqvist@codiax.se +Fixes: ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names") +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/ti/omap/am335x-boneblack.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts b/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts +index 16b567e3cb47..b4fdcf9c02b5 100644 +--- a/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts ++++ b/arch/arm/boot/dts/ti/omap/am335x-boneblack.dts +@@ -35,7 +35,7 @@ &gpio0 { + "P9_18 [spi0_d1]", + "P9_17 [spi0_cs0]", + "[mmc0_cd]", +- "P8_42A [ecappwm0]", ++ "P9_42A [ecappwm0]", + "P8_35 [lcd d12]", + "P8_33 [lcd d13]", + "P8_31 [lcd d14]", +-- +2.39.5 + diff --git a/queue-6.15/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch b/queue-6.15/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch new file mode 100644 index 0000000000..df76d42cff --- /dev/null +++ b/queue-6.15/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch @@ -0,0 +1,37 @@ +From adc4ed7212e79e926edc2e60f5441af94d2e417e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 09:19:22 +0200 +Subject: ARM: dts: vfxxx: Correctly use two tuples for timer address + +From: Krzysztof Kozlowski + +[ Upstream commit f3440dcf8b994197c968fbafe047ce27eed226e8 ] + +Address and size-cells are 1 and the ftm timer node takes two address +spaces in "reg" property, so this should be in two <> tuples. Change +has no functional impact, but original code is confusing/less readable. + +Fixes: 07513e1330a9 ("ARM: dts: vf610: Add Freescale FlexTimer Module timer node.") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/nxp/vf/vfxxx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi b/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi +index 597f20be82f1..62e555bf6a71 100644 +--- a/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi ++++ b/arch/arm/boot/dts/nxp/vf/vfxxx.dtsi +@@ -603,7 +603,7 @@ usbmisc1: usb@400b4800 { + + ftm: ftm@400b8000 { + compatible = "fsl,ftm-timer"; +- reg = <0x400b8000 0x1000 0x400b9000 0x1000>; ++ reg = <0x400b8000 0x1000>, <0x400b9000 0x1000>; + interrupts = <44 IRQ_TYPE_LEVEL_HIGH>; + clock-names = "ftm-evt", "ftm-src", + "ftm-evt-counter-en", "ftm-src-counter-en"; +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-exynos-gs101-add-local-timer-stop-to-cpuid.patch b/queue-6.15/arm64-dts-exynos-gs101-add-local-timer-stop-to-cpuid.patch new file mode 100644 index 0000000000..889add5f77 --- /dev/null +++ b/queue-6.15/arm64-dts-exynos-gs101-add-local-timer-stop-to-cpuid.patch @@ -0,0 +1,61 @@ +From 0159ff7c963207a0ac28d965b1f0ab292deb5073 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 10:34:25 +0100 +Subject: arm64: dts: exynos: gs101: Add 'local-timer-stop' to cpuidle nodes + +From: Will Deacon + +[ Upstream commit b649082312dd1a4c3989bbdb7c25eb711e9b1d94 ] + +In preparation for switching to the architected timer as the primary +clockevents device, mark the cpuidle nodes with the 'local-timer-stop' +property to indicate that an alternative clockevents device must be +used for waking up from the "c2" idle state. + +Signed-off-by: Will Deacon +[Original commit from https://android.googlesource.com/kernel/gs/+/a896fd98638047989513d05556faebd28a62b27c] +Signed-off-by: Will McVicker +Reviewed-by: Youngmin Nam +Tested-by: Youngmin Nam +Fixes: ea89fdf24fd9 ("arm64: dts: exynos: google: Add initial Google gs101 SoC support") +Signed-off-by: Peter Griffin +Reviewed-by: Peter Griffin +Tested-by: Peter Griffin +Link: https://lore.kernel.org/r/20250611-gs101-cpuidle-v2-1-4fa811ec404d@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/google/gs101.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/boot/dts/exynos/google/gs101.dtsi b/arch/arm64/boot/dts/exynos/google/gs101.dtsi +index 3de3a758f113..fd0badf24e6f 100644 +--- a/arch/arm64/boot/dts/exynos/google/gs101.dtsi ++++ b/arch/arm64/boot/dts/exynos/google/gs101.dtsi +@@ -155,6 +155,7 @@ ananke_cpu_sleep: cpu-ananke-sleep { + idle-state-name = "c2"; + compatible = "arm,idle-state"; + arm,psci-suspend-param = <0x0010000>; ++ local-timer-stop; + entry-latency-us = <70>; + exit-latency-us = <160>; + min-residency-us = <2000>; +@@ -164,6 +165,7 @@ enyo_cpu_sleep: cpu-enyo-sleep { + idle-state-name = "c2"; + compatible = "arm,idle-state"; + arm,psci-suspend-param = <0x0010000>; ++ local-timer-stop; + entry-latency-us = <150>; + exit-latency-us = <190>; + min-residency-us = <2500>; +@@ -173,6 +175,7 @@ hera_cpu_sleep: cpu-hera-sleep { + idle-state-name = "c2"; + compatible = "arm,idle-state"; + arm,psci-suspend-param = <0x0010000>; ++ local-timer-stop; + entry-latency-us = <235>; + exit-latency-us = <220>; + min-residency-us = <3500>; +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-freescale-imx93-tqma9352-limit-buck2-to-60.patch b/queue-6.15/arm64-dts-freescale-imx93-tqma9352-limit-buck2-to-60.patch new file mode 100644 index 0000000000..13f2b3e0b6 --- /dev/null +++ b/queue-6.15/arm64-dts-freescale-imx93-tqma9352-limit-buck2-to-60.patch @@ -0,0 +1,50 @@ +From 973bd4356eba72aeccb3d2b054b89e1ec4297e52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 11:41:27 +0200 +Subject: arm64: dts: freescale: imx93-tqma9352: Limit BUCK2 to 600mV + +From: Alexander Stein + +[ Upstream commit 696a4c325fad8af95da6a9d797766d1613831622 ] + +TQMa9352 is only using LPDDR4X, so the BUCK2 regulator should be fixed +at 600MV. + +Fixes: d2858e6bd36c ("arm64: dts: freescale: imx93-tqma9352: Add PMIC node") +Signed-off-by: Alexander Stein +Acked-by: Peng Fan +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi +index 2cabdae24227..09385b058664 100644 +--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: (GPL-2.0-or-later OR MIT) + /* +- * Copyright (c) 2022 TQ-Systems GmbH , ++ * Copyright (c) 2022-2025 TQ-Systems GmbH , + * D-82229 Seefeld, Germany. + * Author: Markus Niebel + */ +@@ -110,11 +110,11 @@ buck1: BUCK1 { + regulator-ramp-delay = <3125>; + }; + +- /* V_DDRQ - 1.1 LPDDR4 or 0.6 LPDDR4X */ ++ /* V_DDRQ - 0.6 V for LPDDR4X */ + buck2: BUCK2 { + regulator-name = "BUCK2"; + regulator-min-microvolt = <600000>; +- regulator-max-microvolt = <1100000>; ++ regulator-max-microvolt = <600000>; + regulator-boot-on; + regulator-always-on; + regulator-ramp-delay = <3125>; +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch b/queue-6.15/arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch new file mode 100644 index 0000000000..631b4b8694 --- /dev/null +++ b/queue-6.15/arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch @@ -0,0 +1,41 @@ +From fea305bb3497da3c04c6cca374dad4842a125f84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 16:34:45 -0500 +Subject: arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed + +From: Adam Ford + +[ Upstream commit f83f69097a302ed2a2775975ddcf12e6a5ac6ec3 ] + +The reference manual for the i.MX8MM states the clock rate in +MMC mode is 1/2 of the input clock, therefore to properly run +at HS400 rates, the input clock must be 400MHz to operate at +200MHz. Currently the clock is set to 200MHz which is half the +rate it should be, so the throughput is half of what it should be +for HS400 operation. + +Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit") +Signed-off-by: Adam Ford +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +index 9ba0cb89fa24..c0f00835e47d 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +@@ -286,6 +286,8 @@ &usdhc3 { + pinctrl-0 = <&pinctrl_usdhc3>; + pinctrl-1 = <&pinctrl_usdhc3_100mhz>; + pinctrl-2 = <&pinctrl_usdhc3_200mhz>; ++ assigned-clocks = <&clk IMX8MM_CLK_USDHC3>; ++ assigned-clock-rates = <400000000>; + bus-width = <8>; + non-removable; + status = "okay"; +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch b/queue-6.15/arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch new file mode 100644 index 0000000000..537e7e2e63 --- /dev/null +++ b/queue-6.15/arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch @@ -0,0 +1,41 @@ +From 43e575c436a038a24726f4c2e2b72f8fa9c077d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 16:34:46 -0500 +Subject: arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed + +From: Adam Ford + +[ Upstream commit e16ad6c79906bba5e2ac499492b6a5b29ab19d6c ] + +The reference manual for the i.MX8MN states the clock rate in +MMC mode is 1/2 of the input clock, therefore to properly run +at HS400 rates, the input clock must be 400MHz to operate at +200MHz. Currently the clock is set to 200MHz which is half the +rate it should be, so the throughput is half of what it should be +for HS400 operation. + +Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit") +Signed-off-by: Adam Ford +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi +index bb11590473a4..353d0c9ff35c 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi +@@ -297,6 +297,8 @@ &usdhc3 { + pinctrl-0 = <&pinctrl_usdhc3>; + pinctrl-1 = <&pinctrl_usdhc3_100mhz>; + pinctrl-2 = <&pinctrl_usdhc3_200mhz>; ++ assigned-clocks = <&clk IMX8MN_CLK_USDHC3>; ++ assigned-clock-rates = <400000000>; + bus-width = <8>; + non-removable; + status = "okay"; +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-imx8mp-venice-gw74xx-update-name-of-m2skt_.patch b/queue-6.15/arm64-dts-imx8mp-venice-gw74xx-update-name-of-m2skt_.patch new file mode 100644 index 0000000000..01a495f286 --- /dev/null +++ b/queue-6.15/arm64-dts-imx8mp-venice-gw74xx-update-name-of-m2skt_.patch @@ -0,0 +1,62 @@ +From aee34e60e9d4f0fee623eac82f4b24364666eac3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 15:51:04 -0700 +Subject: arm64: dts: imx8mp-venice-gw74xx: update name of M2SKT_WDIS2# gpio + +From: Tim Harvey + +[ Upstream commit 26a6a9cde64a890997708007d9de25809970eac9 ] + +The GW74xx D revision has added a M2SKT_WDIS2# GPIO which routes to the +W_DISABLE2# pin of the M.2 socket. Update the gpio name for consistency. + +Fixes: 6a5d95b06d93 ("arm64: dts: imx8mp-venice-gw74xx: add M2SKT_GPIO10 gpio configuration") +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts +index 568d24265ddf..12de7cf1e853 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts +@@ -301,7 +301,7 @@ &gpio2 { + &gpio3 { + gpio-line-names = + "", "", "", "", "", "", "m2_rst", "", +- "", "", "", "", "", "", "m2_gpio10", "", ++ "", "", "", "", "", "", "m2_wdis2#", "", + "", "", "", "", "", "", "", "", + "", "", "", "", "", "", "", ""; + }; +@@ -310,7 +310,7 @@ &gpio4 { + gpio-line-names = + "", "", "m2_off#", "", "", "", "", "", + "", "", "", "", "", "", "", "", +- "", "", "m2_wdis#", "", "", "", "", "", ++ "", "", "m2_wdis1#", "", "", "", "", "", + "", "", "", "", "", "", "", "rs485_en"; + }; + +@@ -811,14 +811,14 @@ pinctrl_hog: hoggrp { + MX8MP_IOMUXC_GPIO1_IO09__GPIO1_IO09 0x40000040 /* DIO0 */ + MX8MP_IOMUXC_GPIO1_IO11__GPIO1_IO11 0x40000040 /* DIO1 */ + MX8MP_IOMUXC_SAI1_RXD0__GPIO4_IO02 0x40000040 /* M2SKT_OFF# */ +- MX8MP_IOMUXC_SAI1_TXD6__GPIO4_IO18 0x40000150 /* M2SKT_WDIS# */ ++ MX8MP_IOMUXC_SAI1_TXD6__GPIO4_IO18 0x40000150 /* M2SKT_WDIS1# */ + MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06 0x40000040 /* M2SKT_PIN20 */ + MX8MP_IOMUXC_SD1_STROBE__GPIO2_IO11 0x40000040 /* M2SKT_PIN22 */ + MX8MP_IOMUXC_SD2_CLK__GPIO2_IO13 0x40000150 /* PCIE1_WDIS# */ + MX8MP_IOMUXC_SD2_CMD__GPIO2_IO14 0x40000150 /* PCIE3_WDIS# */ + MX8MP_IOMUXC_SD2_DATA3__GPIO2_IO18 0x40000150 /* PCIE2_WDIS# */ + MX8MP_IOMUXC_NAND_DATA00__GPIO3_IO06 0x40000040 /* M2SKT_RST# */ +- MX8MP_IOMUXC_NAND_DQS__GPIO3_IO14 0x40000040 /* M2SKT_GPIO10 */ ++ MX8MP_IOMUXC_NAND_DQS__GPIO3_IO14 0x40000150 /* M2KST_WDIS2# */ + MX8MP_IOMUXC_SAI3_TXD__GPIO5_IO01 0x40000104 /* UART_TERM */ + MX8MP_IOMUXC_SAI3_TXFS__GPIO4_IO31 0x40000104 /* UART_RS485 */ + MX8MP_IOMUXC_SAI3_TXC__GPIO5_IO00 0x40000104 /* UART_HALF */ +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-qcom-msm8976-make-blsp_dma-controlled-remo.patch b/queue-6.15/arm64-dts-qcom-msm8976-make-blsp_dma-controlled-remo.patch new file mode 100644 index 0000000000..9475749775 --- /dev/null +++ b/queue-6.15/arm64-dts-qcom-msm8976-make-blsp_dma-controlled-remo.patch @@ -0,0 +1,61 @@ +From 5828a457de18a84f34e5bf217afd25324a8e999e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 22:35:03 +0200 +Subject: arm64: dts: qcom: msm8976: Make blsp_dma controlled-remotely +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: André Apitzsch + +[ Upstream commit 76270a18dbdf0bb50615f1b29d2cae8d683da01e ] + +The blsp_dma controller is shared between the different subsystems, +which is why it is already initialized by the firmware. We should not +reinitialize it from Linux to avoid potential other users of the DMA +engine to misbehave. + +In mainline this can be described using the "qcom,controlled-remotely" +property. In the downstream/vendor kernel from Qualcomm there is an +opposite "qcom,managed-locally" property. This property is *not* set +for the qcom,sps-dma@7884000 and qcom,sps-dma@7ac4000 [1] so adding +"qcom,controlled-remotely" upstream matches the behavior of the +downstream/vendor kernel. + +Adding this fixes booting Longcheer L9360. + +[1]: https://git.codelinaro.org/clo/la/kernel/msm-3.10/-/blob/LA.BR.1.3.7.c26/arch/arm/boot/dts/qcom/msm8976.dtsi#L1149-1163 + +Fixes: 0484d3ce0902 ("arm64: dts: qcom: Add DTS for MSM8976 and MSM8956 SoCs") +Reviewed-by: Konrad Dybcio +Signed-off-by: André Apitzsch +Link: https://lore.kernel.org/r/20250615-bqx5plus-v2-1-72b45c84237d@apitzsch.eu +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8976.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/msm8976.dtsi b/arch/arm64/boot/dts/qcom/msm8976.dtsi +index d036f31dfdca..963996f7c927 100644 +--- a/arch/arm64/boot/dts/qcom/msm8976.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8976.dtsi +@@ -1330,6 +1330,7 @@ blsp1_dma: dma-controller@7884000 { + clock-names = "bam_clk"; + #dma-cells = <1>; + qcom,ee = <0>; ++ qcom,controlled-remotely; + }; + + blsp1_uart1: serial@78af000 { +@@ -1450,6 +1451,7 @@ blsp2_dma: dma-controller@7ac4000 { + clock-names = "bam_clk"; + #dma-cells = <1>; + qcom,ee = <0>; ++ qcom,controlled-remotely; + }; + + blsp2_uart2: serial@7af0000 { +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-qcom-qcs615-disable-the-cti-device-of-the-.patch b/queue-6.15/arm64-dts-qcom-qcs615-disable-the-cti-device-of-the-.patch new file mode 100644 index 0000000000..96d7dc741f --- /dev/null +++ b/queue-6.15/arm64-dts-qcom-qcs615-disable-the-cti-device-of-the-.patch @@ -0,0 +1,43 @@ +From 7cce8486dc52e6fa723a3524d7613047dfe2b9c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:00:03 +0800 +Subject: arm64: dts: qcom: qcs615: disable the CTI device of the camera block + +From: Jie Gan + +[ Upstream commit 1b7fc8a281cae9e3176584558a4ac551ce0f777d ] + +Disable the CTI device of the camera block to prevent potential NoC errors +during AMBA bus device matching. + +The clocks for the Qualcomm Debug Subsystem (QDSS) are managed by aoss_qmp +through a mailbox. However, the camera block resides outside the AP domain, +meaning its QDSS clock cannot be controlled via aoss_qmp. + +Fixes: bf469630552a ("arm64: dts: qcom: qcs615: Add coresight nodes") +Signed-off-by: Jie Gan +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250611030003.3801-1-jie.gan@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcs615.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/qcs615.dtsi b/arch/arm64/boot/dts/qcom/qcs615.dtsi +index e1f510e5485c..3fda88b32a71 100644 +--- a/arch/arm64/boot/dts/qcom/qcs615.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi +@@ -2428,6 +2428,9 @@ cti@6c13000 { + + clocks = <&aoss_qmp>; + clock-names = "apb_pclk"; ++ ++ /* Not all required clocks can be enabled from the OS */ ++ status = "fail"; + }; + + cti@6c20000 { +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-qcom-qcs615-fix-a-crash-issue-caused-by-in.patch b/queue-6.15/arm64-dts-qcom-qcs615-fix-a-crash-issue-caused-by-in.patch new file mode 100644 index 0000000000..1c528b6127 --- /dev/null +++ b/queue-6.15/arm64-dts-qcom-qcs615-fix-a-crash-issue-caused-by-in.patch @@ -0,0 +1,74 @@ +From 6645c9f157997bb721e634f870ca021f702a9374 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 08:50:16 +0800 +Subject: arm64: dts: qcom: qcs615: fix a crash issue caused by infinite loop + for Coresight + +From: Jie Gan + +[ Upstream commit bd4f35786d5f0798cc1f8c187a81a7c998e6c58f ] + +An infinite loop has been created by the Coresight devices. When only a +source device is enabled, the coresight_find_activated_sysfs_sink function +is recursively invoked in an attempt to locate an active sink device, +ultimately leading to a stack overflow and system crash. Therefore, disable +the replicator1 to break the infinite loop and prevent a potential stack +overflow. + +replicator1_out -> funnel_swao_in6 -> tmc_etf_swao_in -> tmc_etf_swao_out + | | +replicator1_in replicator_swao_in + | | +replicator0_out1 replicator_swao_out0 + | | +replicator0_in funnel_in1_in3 + | | +tmc_etf_out <- tmc_etf_in <- funnel_merg_out <- funnel_merg_in1 <- funnel_in1_out + +[call trace] + dump_backtrace+0x9c/0x128 + show_stack+0x20/0x38 + dump_stack_lvl+0x48/0x60 + dump_stack+0x18/0x28 + panic+0x340/0x3b0 + nmi_panic+0x94/0xa0 + panic_bad_stack+0x114/0x138 + handle_bad_stack+0x34/0xb8 + __bad_stack+0x78/0x80 + coresight_find_activated_sysfs_sink+0x28/0xa0 [coresight] + coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] + coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] + coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] + coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] + ... + coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] + coresight_enable_sysfs+0x80/0x2a0 [coresight] + +side effect after the change: +Only trace data originating from AOSS can reach the ETF_SWAO and EUD sinks. + +Fixes: bf469630552a ("arm64: dts: qcom: qcs615: Add coresight nodes") +Signed-off-by: Jie Gan +Acked-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250522005016.2148-1-jie.gan@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcs615.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/qcom/qcs615.dtsi b/arch/arm64/boot/dts/qcom/qcs615.dtsi +index 120654849043..e1f510e5485c 100644 +--- a/arch/arm64/boot/dts/qcom/qcs615.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs615.dtsi +@@ -1868,6 +1868,7 @@ replicator@604a000 { + + clocks = <&aoss_qmp>; + clock-names = "apb_pclk"; ++ status = "disabled"; + + in-ports { + port { +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-qcom-sa8775p-correct-the-interrupt-for-rem.patch b/queue-6.15/arm64-dts-qcom-sa8775p-correct-the-interrupt-for-rem.patch new file mode 100644 index 0000000000..69033ff559 --- /dev/null +++ b/queue-6.15/arm64-dts-qcom-sa8775p-correct-the-interrupt-for-rem.patch @@ -0,0 +1,84 @@ +From 169c18c9cbbb65997152d9b2a5714ade0b803a10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 10:39:33 +0800 +Subject: arm64: dts: qcom: sa8775p: Correct the interrupt for remoteproc + +From: Lijuan Gao + +[ Upstream commit 7bd7209e9cb11c8864e601d915008da088476f0c ] + +Fix the incorrect IRQ numbers for ready and handover on sa8775p. +The correct values are as follows: + +Fatal interrupt - 0 +Ready interrupt - 1 +Handover interrupt - 2 +Stop acknowledge interrupt - 3 + +Fixes: df54dcb34ff2e ("arm64: dts: qcom: sa8775p: add ADSP, CDSP and GPDSP nodes") +Signed-off-by: Lijuan Gao +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250612-correct_interrupt_for_remoteproc-v1-2-490ee6d92a1b@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sa8775p.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sa8775p.dtsi b/arch/arm64/boot/dts/qcom/sa8775p.dtsi +index 2010b7988b6c..958e4be164d8 100644 +--- a/arch/arm64/boot/dts/qcom/sa8775p.dtsi ++++ b/arch/arm64/boot/dts/qcom/sa8775p.dtsi +@@ -4663,8 +4663,8 @@ remoteproc_gpdsp0: remoteproc@20c00000 { + + interrupts-extended = <&intc GIC_SPI 768 IRQ_TYPE_EDGE_RISING>, + <&smp2p_gpdsp0_in 0 0>, +- <&smp2p_gpdsp0_in 2 0>, + <&smp2p_gpdsp0_in 1 0>, ++ <&smp2p_gpdsp0_in 2 0>, + <&smp2p_gpdsp0_in 3 0>; + interrupt-names = "wdog", "fatal", "ready", + "handover", "stop-ack"; +@@ -4706,8 +4706,8 @@ remoteproc_gpdsp1: remoteproc@21c00000 { + + interrupts-extended = <&intc GIC_SPI 624 IRQ_TYPE_EDGE_RISING>, + <&smp2p_gpdsp1_in 0 0>, +- <&smp2p_gpdsp1_in 2 0>, + <&smp2p_gpdsp1_in 1 0>, ++ <&smp2p_gpdsp1_in 2 0>, + <&smp2p_gpdsp1_in 3 0>; + interrupt-names = "wdog", "fatal", "ready", + "handover", "stop-ack"; +@@ -4847,8 +4847,8 @@ remoteproc_cdsp0: remoteproc@26300000 { + + interrupts-extended = <&intc GIC_SPI 578 IRQ_TYPE_EDGE_RISING>, + <&smp2p_cdsp0_in 0 IRQ_TYPE_EDGE_RISING>, +- <&smp2p_cdsp0_in 2 IRQ_TYPE_EDGE_RISING>, + <&smp2p_cdsp0_in 1 IRQ_TYPE_EDGE_RISING>, ++ <&smp2p_cdsp0_in 2 IRQ_TYPE_EDGE_RISING>, + <&smp2p_cdsp0_in 3 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "wdog", "fatal", "ready", + "handover", "stop-ack"; +@@ -4979,8 +4979,8 @@ remoteproc_cdsp1: remoteproc@2a300000 { + + interrupts-extended = <&intc GIC_SPI 798 IRQ_TYPE_EDGE_RISING>, + <&smp2p_cdsp1_in 0 IRQ_TYPE_EDGE_RISING>, +- <&smp2p_cdsp1_in 2 IRQ_TYPE_EDGE_RISING>, + <&smp2p_cdsp1_in 1 IRQ_TYPE_EDGE_RISING>, ++ <&smp2p_cdsp1_in 2 IRQ_TYPE_EDGE_RISING>, + <&smp2p_cdsp1_in 3 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "wdog", "fatal", "ready", + "handover", "stop-ack"; +@@ -5135,8 +5135,8 @@ remoteproc_adsp: remoteproc@30000000 { + + interrupts-extended = <&pdc 6 IRQ_TYPE_EDGE_RISING>, + <&smp2p_adsp_in 0 IRQ_TYPE_EDGE_RISING>, +- <&smp2p_adsp_in 2 IRQ_TYPE_EDGE_RISING>, + <&smp2p_adsp_in 1 IRQ_TYPE_EDGE_RISING>, ++ <&smp2p_adsp_in 2 IRQ_TYPE_EDGE_RISING>, + <&smp2p_adsp_in 3 IRQ_TYPE_EDGE_RISING>; + interrupt-names = "wdog", "fatal", "ready", "handover", + "stop-ack"; +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-qcom-sc7180-expand-imem-region.patch b/queue-6.15/arm64-dts-qcom-sc7180-expand-imem-region.patch new file mode 100644 index 0000000000..d98a9cd729 --- /dev/null +++ b/queue-6.15/arm64-dts-qcom-sc7180-expand-imem-region.patch @@ -0,0 +1,53 @@ +From a1b64150af170e2504df8144144a54776c5ec374 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 01:18:18 +0200 +Subject: arm64: dts: qcom: sc7180: Expand IMEM region + +From: Konrad Dybcio + +[ Upstream commit 965e28cad4739b11f1bc58c0a9935e025938bb1f ] + +We need more than what is currently described, expand the region to its +actual boundaries. + +Fixes: ede638c42c82 ("arm64: dts: qcom: sc7180: Add IMEM and pil info regions") +Signed-off-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250523-topic-ipa_mem_dts-v1-3-f7aa94fac1ab@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7180.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7180.dtsi b/arch/arm64/boot/dts/qcom/sc7180.dtsi +index 87c432c12a24..7dddafa901d8 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi +@@ -3523,18 +3523,18 @@ spmi_bus: spmi@c440000 { + #interrupt-cells = <4>; + }; + +- sram@146aa000 { ++ sram@14680000 { + compatible = "qcom,sc7180-imem", "syscon", "simple-mfd"; +- reg = <0 0x146aa000 0 0x2000>; ++ reg = <0 0x14680000 0 0x2e000>; + + #address-cells = <1>; + #size-cells = <1>; + +- ranges = <0 0 0x146aa000 0x2000>; ++ ranges = <0 0 0x14680000 0x2e000>; + +- pil-reloc@94c { ++ pil-reloc@2a94c { + compatible = "qcom,pil-reloc-info"; +- reg = <0x94c 0xc8>; ++ reg = <0x2a94c 0xc8>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-qcom-sdm845-expand-imem-region.patch b/queue-6.15/arm64-dts-qcom-sdm845-expand-imem-region.patch new file mode 100644 index 0000000000..53a7fc5790 --- /dev/null +++ b/queue-6.15/arm64-dts-qcom-sdm845-expand-imem-region.patch @@ -0,0 +1,53 @@ +From 858759a93d11ea0fa526e7a5dafd426dd76a7209 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 01:18:17 +0200 +Subject: arm64: dts: qcom: sdm845: Expand IMEM region + +From: Konrad Dybcio + +[ Upstream commit 81a4a7de3d4031e77b5796479ef21aefb0862807 ] + +We need more than what is currently described, expand the region to its +actual boundaries. + +Signed-off-by: Konrad Dybcio +Fixes: 948f6161c6ab ("arm64: dts: qcom: sdm845: Add IMEM and PIL info region") +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250523-topic-ipa_mem_dts-v1-2-f7aa94fac1ab@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi +index d0314cdf0b92..0e6ec2c54c24 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -5078,18 +5078,18 @@ spmi_bus: spmi@c440000 { + #interrupt-cells = <4>; + }; + +- sram@146bf000 { ++ sram@14680000 { + compatible = "qcom,sdm845-imem", "syscon", "simple-mfd"; +- reg = <0 0x146bf000 0 0x1000>; ++ reg = <0 0x14680000 0 0x40000>; + + #address-cells = <1>; + #size-cells = <1>; + +- ranges = <0 0 0x146bf000 0x1000>; ++ ranges = <0 0 0x14680000 0x40000>; + +- pil-reloc@94c { ++ pil-reloc@3f94c { + compatible = "qcom,pil-reloc-info"; +- reg = <0x94c 0xc8>; ++ reg = <0x3f94c 0xc8>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-rockchip-enable-emmc-hs200-mode-on-radxa-e.patch b/queue-6.15/arm64-dts-rockchip-enable-emmc-hs200-mode-on-radxa-e.patch new file mode 100644 index 0000000000..5e3a07c4df --- /dev/null +++ b/queue-6.15/arm64-dts-rockchip-enable-emmc-hs200-mode-on-radxa-e.patch @@ -0,0 +1,38 @@ +From 05a798266d217413082cf6200c36510f1c303772 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jun 2025 16:58:30 +0000 +Subject: arm64: dts: rockchip: Enable eMMC HS200 mode on Radxa E20C + +From: Jonas Karlman + +[ Upstream commit 6e3071f4e03997ca0e4388ca61aa06df2802dcd1 ] + +eMMC HS200 mode (1.8V I/O) is supported by the MMC host controller on +RK3528 and works with the optional on-board eMMC module on Radxa E20C. + +Be explicit about HS200 support in the device tree for Radxa E20C. + +Fixes: 3a01b5f14a8a ("arm64: dts: rockchip: Enable onboard eMMC on Radxa E20C") +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20250621165832.2226160-1-jonas@kwiboo.se +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts b/arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts +index 57a446b5cbd6..92bdb66169f2 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts +@@ -140,6 +140,7 @@ &saradc { + &sdhci { + bus-width = <8>; + cap-mmc-highspeed; ++ mmc-hs200-1_8v; + no-sd; + no-sdio; + non-removable; +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-rockchip-fix-phy-handling-for-rock-4d.patch b/queue-6.15/arm64-dts-rockchip-fix-phy-handling-for-rock-4d.patch new file mode 100644 index 0000000000..98eaec2cb9 --- /dev/null +++ b/queue-6.15/arm64-dts-rockchip-fix-phy-handling-for-rock-4d.patch @@ -0,0 +1,63 @@ +From 8fe80351ed5b0d958a1ad3c56e144193852ec2e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 19:31:59 +0200 +Subject: arm64: dts: rockchip: fix PHY handling for ROCK 4D + +From: Sebastian Reichel + +[ Upstream commit cd803da7c033e376a66793a43ee98e136bc6cc25 ] + +Old revisions of the ROCK 4D board have a dedicated crystal to +supply the RTL8211F PHY's 25MHz clock input. At least some newer +revisions instead use REFCLKO25M_GMAC0_OUT. The DT already has +this half-prepared, but there are some issues: + +1. The DT relies on auto-selecting the right PHY driver, which + requires that it works good enough to read the ID registers. + This does not work without the clock, which is handled by + the PHY driver. By updating the compatible to contain the + RTL8211F IDs, so that the operating system can choose the + right PHY driver without relying on a pre-powered PHY. + +2. Despite the name REFCLKO25M_GMAC0_OUT could also provide a + different frequency, so ensure it is explicitly set to 25 + MHz as expected by the PHY. + +3. While at it switch from deprecated "enable-gpio" to standard + "enable-gpios". + +Fixes: a0fb7eca9c09 ("arm64: dts: rockchip: Add Radxa ROCK 4D device tree") +Signed-off-by: Sebastian Reichel +Link: https://lore.kernel.org/r/20250704-rk3576-rock4d-phy-handling-fixes-v1-1-1d64130c4139@kernel.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts b/arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts +index 6756403111e7..0a93853cdf43 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts +@@ -641,14 +641,16 @@ hym8563: rtc@51 { + + &mdio0 { + rgmii_phy0: ethernet-phy@1 { +- compatible = "ethernet-phy-ieee802.3-c22"; ++ compatible = "ethernet-phy-id001c.c916"; + reg = <0x1>; + clocks = <&cru REFCLKO25M_GMAC0_OUT>; ++ assigned-clocks = <&cru REFCLKO25M_GMAC0_OUT>; ++ assigned-clock-rates = <25000000>; + pinctrl-names = "default"; + pinctrl-0 = <&rtl8211f_rst>; + reset-assert-us = <20000>; + reset-deassert-us = <100000>; +- reset-gpio = <&gpio2 RK_PB5 GPIO_ACTIVE_LOW>; ++ reset-gpios = <&gpio2 RK_PB5 GPIO_ACTIVE_LOW>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-rockchip-fix-pinctrl-node-names-for-rk3528.patch b/queue-6.15/arm64-dts-rockchip-fix-pinctrl-node-names-for-rk3528.patch new file mode 100644 index 0000000000..90c846e3db --- /dev/null +++ b/queue-6.15/arm64-dts-rockchip-fix-pinctrl-node-names-for-rk3528.patch @@ -0,0 +1,135 @@ +From 74e8338b3096c7439ae8a918b4adea23b4e842f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jun 2025 11:38:57 +0000 +Subject: arm64: dts: rockchip: Fix pinctrl node names for RK3528 + +From: Jonas Karlman + +[ Upstream commit f2792bf1c7a54ef23fb3a84286b66f427bfc4853 ] + +Following warnings can be observed with CHECK_DTBS=y for the RK3528: + + rk3528-pinctrl.dtsi:101.36-105.5: Warning (node_name_chars_strict): + /pinctrl/fephy/fephym0-led_dpx: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:108.38-112.5: Warning (node_name_chars_strict): + /pinctrl/fephy/fephym0-led_link: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:115.36-119.5: Warning (node_name_chars_strict): + /pinctrl/fephy/fephym0-led_spd: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:122.36-126.5: Warning (node_name_chars_strict): + /pinctrl/fephy/fephym1-led_dpx: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:129.38-133.5: Warning (node_name_chars_strict): + /pinctrl/fephy/fephym1-led_link: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:136.36-140.5: Warning (node_name_chars_strict): + /pinctrl/fephy/fephym1-led_spd: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:782.32-790.5: Warning (node_name_chars_strict): + /pinctrl/rgmii/rgmii-rx_bus2: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:793.32-801.5: Warning (node_name_chars_strict): + /pinctrl/rgmii/rgmii-tx_bus2: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:804.36-810.5: Warning (node_name_chars_strict): + /pinctrl/rgmii/rgmii-rgmii_clk: Character '_' not recommended in node name + rk3528-pinctrl.dtsi:813.36-823.5: Warning (node_name_chars_strict): + /pinctrl/rgmii/rgmii-rgmii_bus: Character '_' not recommended in node name + +Rename the affected nodes to fix these warnings. + +Fixes: a31fad19ae39 ("arm64: dts: rockchip: Add pinctrl and gpio nodes for RK3528") +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20250621113859.2146400-1-jonas@kwiboo.se +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + .../boot/dts/rockchip/rk3528-pinctrl.dtsi | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi b/arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi +index ea051362fb26..59b75c91bbb7 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi +@@ -98,42 +98,42 @@ eth_pins: eth-pins { + + fephy { + /omit-if-no-ref/ +- fephym0_led_dpx: fephym0-led_dpx { ++ fephym0_led_dpx: fephym0-led-dpx { + rockchip,pins = + /* fephy_led_dpx_m0 */ + <4 RK_PB5 2 &pcfg_pull_none>; + }; + + /omit-if-no-ref/ +- fephym0_led_link: fephym0-led_link { ++ fephym0_led_link: fephym0-led-link { + rockchip,pins = + /* fephy_led_link_m0 */ + <4 RK_PC0 2 &pcfg_pull_none>; + }; + + /omit-if-no-ref/ +- fephym0_led_spd: fephym0-led_spd { ++ fephym0_led_spd: fephym0-led-spd { + rockchip,pins = + /* fephy_led_spd_m0 */ + <4 RK_PB7 2 &pcfg_pull_none>; + }; + + /omit-if-no-ref/ +- fephym1_led_dpx: fephym1-led_dpx { ++ fephym1_led_dpx: fephym1-led-dpx { + rockchip,pins = + /* fephy_led_dpx_m1 */ + <2 RK_PA4 5 &pcfg_pull_none>; + }; + + /omit-if-no-ref/ +- fephym1_led_link: fephym1-led_link { ++ fephym1_led_link: fephym1-led-link { + rockchip,pins = + /* fephy_led_link_m1 */ + <2 RK_PA6 5 &pcfg_pull_none>; + }; + + /omit-if-no-ref/ +- fephym1_led_spd: fephym1-led_spd { ++ fephym1_led_spd: fephym1-led-spd { + rockchip,pins = + /* fephy_led_spd_m1 */ + <2 RK_PA5 5 &pcfg_pull_none>; +@@ -779,7 +779,7 @@ rgmii_miim: rgmii-miim { + }; + + /omit-if-no-ref/ +- rgmii_rx_bus2: rgmii-rx_bus2 { ++ rgmii_rx_bus2: rgmii-rx-bus2 { + rockchip,pins = + /* rgmii_rxd0 */ + <3 RK_PA3 2 &pcfg_pull_none>, +@@ -790,7 +790,7 @@ rgmii_rx_bus2: rgmii-rx_bus2 { + }; + + /omit-if-no-ref/ +- rgmii_tx_bus2: rgmii-tx_bus2 { ++ rgmii_tx_bus2: rgmii-tx-bus2 { + rockchip,pins = + /* rgmii_txd0 */ + <3 RK_PA1 2 &pcfg_pull_none_drv_level_2>, +@@ -801,7 +801,7 @@ rgmii_tx_bus2: rgmii-tx_bus2 { + }; + + /omit-if-no-ref/ +- rgmii_rgmii_clk: rgmii-rgmii_clk { ++ rgmii_rgmii_clk: rgmii-rgmii-clk { + rockchip,pins = + /* rgmii_rxclk */ + <3 RK_PA5 2 &pcfg_pull_none>, +@@ -810,7 +810,7 @@ rgmii_rgmii_clk: rgmii-rgmii_clk { + }; + + /omit-if-no-ref/ +- rgmii_rgmii_bus: rgmii-rgmii_bus { ++ rgmii_rgmii_bus: rgmii-rgmii-bus { + rockchip,pins = + /* rgmii_rxd2 */ + <3 RK_PA7 2 &pcfg_pull_none>, +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-st-fix-timer-used-for-ticks.patch b/queue-6.15/arm64-dts-st-fix-timer-used-for-ticks.patch new file mode 100644 index 0000000000..49d04e7e79 --- /dev/null +++ b/queue-6.15/arm64-dts-st-fix-timer-used-for-ticks.patch @@ -0,0 +1,37 @@ +From 28d155b2533e8eb72190a9c3c8cd836f0ab1740f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 15:12:39 +0200 +Subject: arm64: dts: st: fix timer used for ticks + +From: Patrick Delaunay + +[ Upstream commit 9ec406ac4b7de3e8040a503429d1a5d389bfdaf6 ] + +Remove always-on on generic ARM timer as the clock source provided by +STGEN is deactivated in low power mode, STOP1 by example. + +Fixes: 5d30d03aaf78 ("arm64: dts: st: introduce stm32mp25 SoCs family") +Signed-off-by: Patrick Delaunay +Link: https://lore.kernel.org/r/20250515151238.1.I85271ddb811a7cf73532fec90de7281cb24ce260@changeid +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/st/stm32mp251.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/st/stm32mp251.dtsi b/arch/arm64/boot/dts/st/stm32mp251.dtsi +index 87110f91e489..afe88e04875a 100644 +--- a/arch/arm64/boot/dts/st/stm32mp251.dtsi ++++ b/arch/arm64/boot/dts/st/stm32mp251.dtsi +@@ -150,7 +150,7 @@ timer { + , + , + ; +- always-on; ++ arm,no-tick-in-suspend; + }; + + soc@0 { +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-ti-k3-am62p-j722s-fix-pinctrl-single-size.patch b/queue-6.15/arm64-dts-ti-k3-am62p-j722s-fix-pinctrl-single-size.patch new file mode 100644 index 0000000000..2748dd859d --- /dev/null +++ b/queue-6.15/arm64-dts-ti-k3-am62p-j722s-fix-pinctrl-single-size.patch @@ -0,0 +1,40 @@ +From 56b3038b2ffaed457087dae121b57d10be9389b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 08:52:39 +0200 +Subject: arm64: dts: ti: k3-am62p-j722s: fix pinctrl-single size + +From: Michael Walle + +[ Upstream commit fdc8ad019ab9a2308b8cef54fbc366f482fb746f ] + +Pinmux registers ends at 0x000f42ac (including). Thus, the size argument +of the pinctrl-single node has to be 0x2b0. Fix it. + +This will fix the following error: +pinctrl-single f4000.pinctrl: mux offset out of range: 0x2ac (0x2ac) + +Fixes: 29075cc09f43 ("arm64: dts: ti: Introduce AM62P5 family of SoCs") +Signed-off-by: Michael Walle +Link: https://lore.kernel.org/r/20250618065239.1904953-1-mwalle@kernel.org +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi b/arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi +index f9b5c97518d6..8bacb04b3773 100644 +--- a/arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-am62p-j722s-common-main.dtsi +@@ -250,7 +250,7 @@ secure_proxy_sa3: mailbox@43600000 { + + main_pmx0: pinctrl@f4000 { + compatible = "pinctrl-single"; +- reg = <0x00 0xf4000 0x00 0x2ac>; ++ reg = <0x00 0xf4000 0x00 0x2b0>; + #pinctrl-cells = <1>; + pinctrl-single,register-width = <32>; + pinctrl-single,function-mask = <0xffffffff>; +-- +2.39.5 + diff --git a/queue-6.15/arm64-dts-ti-k3-am642-phyboard-electra-fix-pru-icssg.patch b/queue-6.15/arm64-dts-ti-k3-am642-phyboard-electra-fix-pru-icssg.patch new file mode 100644 index 0000000000..912b907ea4 --- /dev/null +++ b/queue-6.15/arm64-dts-ti-k3-am642-phyboard-electra-fix-pru-icssg.patch @@ -0,0 +1,42 @@ +From 53e6e010d651cf4bd3290bcd66987dd7c1f36e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 07:33:39 +0200 +Subject: arm64: dts: ti: k3-am642-phyboard-electra: Fix PRU-ICSSG Ethernet + ports + +From: Wadim Egorov + +[ Upstream commit 945e48a39c957924bc84d1a6c137da039e13855b ] + +For the ICSSG PHYs to operate correctly, a 25 MHz reference clock must +be supplied on CLKOUT0. Previously, our bootloader configured this +clock, which is why the PRU Ethernet ports appeared to work, but the +change never made it into the device tree. + +Add clock properties to make EXT_REFCLK1.CLKOUT0 output a 25MHz clock. + +Signed-off-by: Wadim Egorov +Fixes: 87adfd1ab03a ("arm64: dts: ti: am642-phyboard-electra: Add PRU-ICSSG nodes") +Link: https://lore.kernel.org/r/20250521053339.1751844-1-w.egorov@phytec.de +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts +index f63c101b7d61..129524eb5b91 100644 +--- a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts ++++ b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-rdk.dts +@@ -322,6 +322,8 @@ AM64X_IOPAD(0x0040, PIN_OUTPUT, 7) /* (U21) GPMC0_AD1.GPIO0_16 */ + &icssg0_mdio { + pinctrl-names = "default"; + pinctrl-0 = <&icssg0_mdio_pins_default &clkout0_pins_default>; ++ assigned-clocks = <&k3_clks 157 123>; ++ assigned-clock-parents = <&k3_clks 157 125>; + status = "okay"; + + icssg0_phy1: ethernet-phy@1 { +-- +2.39.5 + diff --git a/queue-6.15/arm64-gcs-task_gcs_el0_enable-should-use-passed-task.patch b/queue-6.15/arm64-gcs-task_gcs_el0_enable-should-use-passed-task.patch new file mode 100644 index 0000000000..56d96a90cb --- /dev/null +++ b/queue-6.15/arm64-gcs-task_gcs_el0_enable-should-use-passed-task.patch @@ -0,0 +1,67 @@ +From e66711626a3c4e901356438a68589edc30cbcf0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 23:37:33 -0500 +Subject: arm64/gcs: task_gcs_el0_enable() should use passed task + +From: Jeremy Linton + +[ Upstream commit cbbcfb94c55c02a8c4ce52b5da0770b5591a314c ] + +Mark Rutland noticed that the task parameter is ignored and +'current' is being used instead. Since this is usually +what its passed, it hasn't yet been causing problems but likely +will as the code gets more testing. + +But, once this is fixed, it creates a new bug in copy_thread_gcs() +since the gcs_el_mode isn't yet set for the task before its being +checked. Move gcs_alloc_thread_stack() after the new task's +gcs_el0_mode initialization to avoid this. + +Fixes: fc84bc5378a8 ("arm64/gcs: Context switch GCS state for EL0") +Signed-off-by: Jeremy Linton +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20250719043740.4548-2-jeremy.linton@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/gcs.h | 2 +- + arch/arm64/kernel/process.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/include/asm/gcs.h b/arch/arm64/include/asm/gcs.h +index f50660603ecf..5bc432234d3a 100644 +--- a/arch/arm64/include/asm/gcs.h ++++ b/arch/arm64/include/asm/gcs.h +@@ -58,7 +58,7 @@ static inline u64 gcsss2(void) + + static inline bool task_gcs_el0_enabled(struct task_struct *task) + { +- return current->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE; ++ return task->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE; + } + + void gcs_set_el0_mode(struct task_struct *task); +diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c +index 4bc70205312e..ce21682fe129 100644 +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -305,13 +305,13 @@ static int copy_thread_gcs(struct task_struct *p, + p->thread.gcs_base = 0; + p->thread.gcs_size = 0; + ++ p->thread.gcs_el0_mode = current->thread.gcs_el0_mode; ++ p->thread.gcs_el0_locked = current->thread.gcs_el0_locked; ++ + gcs = gcs_alloc_thread_stack(p, args); + if (IS_ERR_VALUE(gcs)) + return PTR_ERR((void *)gcs); + +- p->thread.gcs_el0_mode = current->thread.gcs_el0_mode; +- p->thread.gcs_el0_locked = current->thread.gcs_el0_locked; +- + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.15/asoc-amd-acp-fix-pointer-assignments-for-snd_soc_acp.patch b/queue-6.15/asoc-amd-acp-fix-pointer-assignments-for-snd_soc_acp.patch new file mode 100644 index 0000000000..6b1e0074f7 --- /dev/null +++ b/queue-6.15/asoc-amd-acp-fix-pointer-assignments-for-snd_soc_acp.patch @@ -0,0 +1,116 @@ +From 18c9d167da9803e9d316364fcc7d3cb21288236d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 17:42:32 +0530 +Subject: ASoC: amd: acp: Fix pointer assignments for snd_soc_acpi_mach + structures + +From: Venkata Prasad Potturu + +[ Upstream commit 0779c0ad2a7cc0ae1865860c9bc8732613cc56b1 ] + +This patch modifies the assignment of machine structure pointers in the +acp_pci_probe function. Previously, the machine pointers were assigned +using the address-of operator (&), which caused incompatibility issues +in type assignments. + +Additionally, the declarations of the machine arrays in amd.h have been +updated to reflect that they are indeed arrays (`[]`). The code is +further cleaned up by declaring the codec structures in +amd-acpi-mach.c as static, reflecting their intended usage. + +error: symbol 'amp_rt1019' was not declared. Should it be static? +error: symbol 'amp_max' was not declared. Should it be static? +error: symbol 'snd_soc_acpi_amd_acp_machines' was not declared. Should it be static? +error: symbol 'snd_soc_acpi_amd_rmb_acp_machines' was not declared. Should it be static? +error: symbol 'snd_soc_acpi_amd_acp63_acp_machines' was not declared. Should it be static? +error: symbol 'snd_soc_acpi_amd_acp70_acp_machines' was not declared. Should it be static? + +Fixes: 9c2c0ef64009 ("ASoC: amd: acp: Fix snd_soc_acpi_mach id's duplicate symbol error") + +Link: https://github.com/thesofproject/linux/issues/5438 +Signed-off-by: Venkata Prasad Potturu +Link: https://patch.msgid.link/20250609121251.639080-1-venkataprasad.potturu@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-pci.c | 8 ++++---- + sound/soc/amd/acp/amd-acpi-mach.c | 4 ++-- + sound/soc/amd/acp/amd.h | 8 ++++---- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/sound/soc/amd/acp/acp-pci.c b/sound/soc/amd/acp/acp-pci.c +index 0b2aa33cc426..2591b1a1c5e0 100644 +--- a/sound/soc/amd/acp/acp-pci.c ++++ b/sound/soc/amd/acp/acp-pci.c +@@ -137,26 +137,26 @@ static int acp_pci_probe(struct pci_dev *pci, const struct pci_device_id *pci_id + chip->name = "acp_asoc_renoir"; + chip->rsrc = &rn_rsrc; + chip->acp_hw_ops_init = acp31_hw_ops_init; +- chip->machines = &snd_soc_acpi_amd_acp_machines; ++ chip->machines = snd_soc_acpi_amd_acp_machines; + break; + case 0x6f: + chip->name = "acp_asoc_rembrandt"; + chip->rsrc = &rmb_rsrc; + chip->acp_hw_ops_init = acp6x_hw_ops_init; +- chip->machines = &snd_soc_acpi_amd_rmb_acp_machines; ++ chip->machines = snd_soc_acpi_amd_rmb_acp_machines; + break; + case 0x63: + chip->name = "acp_asoc_acp63"; + chip->rsrc = &acp63_rsrc; + chip->acp_hw_ops_init = acp63_hw_ops_init; +- chip->machines = &snd_soc_acpi_amd_acp63_acp_machines; ++ chip->machines = snd_soc_acpi_amd_acp63_acp_machines; + break; + case 0x70: + case 0x71: + chip->name = "acp_asoc_acp70"; + chip->rsrc = &acp70_rsrc; + chip->acp_hw_ops_init = acp70_hw_ops_init; +- chip->machines = &snd_soc_acpi_amd_acp70_acp_machines; ++ chip->machines = snd_soc_acpi_amd_acp70_acp_machines; + break; + default: + dev_err(dev, "Unsupported device revision:0x%x\n", pci->revision); +diff --git a/sound/soc/amd/acp/amd-acpi-mach.c b/sound/soc/amd/acp/amd-acpi-mach.c +index d95047d2ee94..27da2a862f1c 100644 +--- a/sound/soc/amd/acp/amd-acpi-mach.c ++++ b/sound/soc/amd/acp/amd-acpi-mach.c +@@ -8,12 +8,12 @@ + + #include + +-struct snd_soc_acpi_codecs amp_rt1019 = { ++static struct snd_soc_acpi_codecs amp_rt1019 = { + .num_codecs = 1, + .codecs = {"10EC1019"} + }; + +-struct snd_soc_acpi_codecs amp_max = { ++static struct snd_soc_acpi_codecs amp_max = { + .num_codecs = 1, + .codecs = {"MX98360A"} + }; +diff --git a/sound/soc/amd/acp/amd.h b/sound/soc/amd/acp/amd.h +index 863e74fcee43..cb8d97122f95 100644 +--- a/sound/soc/amd/acp/amd.h ++++ b/sound/soc/amd/acp/amd.h +@@ -243,10 +243,10 @@ extern struct acp_resource rmb_rsrc; + extern struct acp_resource acp63_rsrc; + extern struct acp_resource acp70_rsrc; + +-extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp_machines; +-extern struct snd_soc_acpi_mach snd_soc_acpi_amd_rmb_acp_machines; +-extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp63_acp_machines; +-extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp70_acp_machines; ++extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp_machines[]; ++extern struct snd_soc_acpi_mach snd_soc_acpi_amd_rmb_acp_machines[]; ++extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp63_acp_machines[]; ++extern struct snd_soc_acpi_mach snd_soc_acpi_amd_acp70_acp_machines[]; + + extern const struct snd_soc_dai_ops asoc_acp_cpu_dai_ops; + extern const struct snd_soc_dai_ops acp_dmic_dai_ops; +-- +2.39.5 + diff --git a/queue-6.15/asoc-fsl_xcvr-get-channel-status-data-when-phy-is-no.patch b/queue-6.15/asoc-fsl_xcvr-get-channel-status-data-when-phy-is-no.patch new file mode 100644 index 0000000000..e3436eead2 --- /dev/null +++ b/queue-6.15/asoc-fsl_xcvr-get-channel-status-data-when-phy-is-no.patch @@ -0,0 +1,56 @@ +From c257c006e5e04ea65603b2d916323c631b15fb84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:04:04 +0800 +Subject: ASoC: fsl_xcvr: get channel status data when PHY is not exists + +From: Shengjiu Wang + +[ Upstream commit ca592e20659e0304ebd8f4dabb273da4f9385848 ] + +There is no PHY for the XCVR module on i.MX93, the channel status needs +to be obtained from FSL_XCVR_RX_CS_DATA_* registers. And channel status +acknowledge (CSA) bit should be set once channel status is processed. + +Fixes: e240b9329a30 ("ASoC: fsl_xcvr: Add support for i.MX93 platform") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20250710030405.3370671-2-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_xcvr.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c +index 83aea341c1b6..5b1e5f377426 100644 +--- a/sound/soc/fsl/fsl_xcvr.c ++++ b/sound/soc/fsl/fsl_xcvr.c +@@ -1423,6 +1423,26 @@ static irqreturn_t irq0_isr(int irq, void *devid) + /* clear CS control register */ + memset_io(reg_ctrl, 0, sizeof(val)); + } ++ } else { ++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_0, ++ (u32 *)&xcvr->rx_iec958.status[0]); ++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_1, ++ (u32 *)&xcvr->rx_iec958.status[4]); ++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_2, ++ (u32 *)&xcvr->rx_iec958.status[8]); ++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_3, ++ (u32 *)&xcvr->rx_iec958.status[12]); ++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_4, ++ (u32 *)&xcvr->rx_iec958.status[16]); ++ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_5, ++ (u32 *)&xcvr->rx_iec958.status[20]); ++ for (i = 0; i < 6; i++) { ++ val = *(u32 *)(xcvr->rx_iec958.status + i * 4); ++ *(u32 *)(xcvr->rx_iec958.status + i * 4) = ++ bitrev32(val); ++ } ++ regmap_set_bits(xcvr->regmap, FSL_XCVR_RX_DPTH_CTRL, ++ FSL_XCVR_RX_DPTH_CTRL_CSA); + } + } + if (isr & FSL_XCVR_IRQ_NEW_UD) { +-- +2.39.5 + diff --git a/queue-6.15/asoc-fsl_xcvr-get-channel-status-data-with-firmware-.patch b/queue-6.15/asoc-fsl_xcvr-get-channel-status-data-with-firmware-.patch new file mode 100644 index 0000000000..3f38a82b87 --- /dev/null +++ b/queue-6.15/asoc-fsl_xcvr-get-channel-status-data-with-firmware-.patch @@ -0,0 +1,59 @@ +From e557d9739120cebf3918c98c4f3ff21867b19580 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:04:05 +0800 +Subject: ASoC: fsl_xcvr: get channel status data with firmware exists + +From: Shengjiu Wang + +[ Upstream commit 6776ecc9dd587c08a6bb334542f9f8821a091013 ] + +For the XCVR module on i.MX95, even though it only supports SPDIF, the +channel status needs to be obtained from RAM space, which is processed +by firmware. Firmware is necessary to trigger the FSL_XCVR_IRQ_NEW_CS +interrupt. + +This change also applies for the SPDIF & ARC function on i.MX8MP which +has the firmware. + +Fixes: e6a9750a346b ("ASoC: fsl_xcvr: Add suspend and resume support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20250710030405.3370671-3-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_xcvr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c +index 5b1e5f377426..f877dcb2570a 100644 +--- a/sound/soc/fsl/fsl_xcvr.c ++++ b/sound/soc/fsl/fsl_xcvr.c +@@ -1395,7 +1395,7 @@ static irqreturn_t irq0_isr(int irq, void *devid) + if (isr & FSL_XCVR_IRQ_NEW_CS) { + dev_dbg(dev, "Received new CS block\n"); + isr_clr |= FSL_XCVR_IRQ_NEW_CS; +- if (!xcvr->soc_data->spdif_only) { ++ if (xcvr->soc_data->fw_name) { + /* Data RAM is 4KiB, last two pages: 8 and 9. Select page 8. */ + regmap_update_bits(xcvr->regmap, FSL_XCVR_EXT_CTRL, + FSL_XCVR_EXT_CTRL_PAGE_MASK, +@@ -1517,6 +1517,7 @@ static const struct fsl_xcvr_soc_data fsl_xcvr_imx93_data = { + }; + + static const struct fsl_xcvr_soc_data fsl_xcvr_imx95_data = { ++ .fw_name = "imx/xcvr/xcvr-imx95.bin", + .spdif_only = true, + .use_phy = true, + .use_edma = true, +@@ -1806,7 +1807,7 @@ static int fsl_xcvr_runtime_resume(struct device *dev) + } + } + +- if (xcvr->mode == FSL_XCVR_MODE_EARC) { ++ if (xcvr->soc_data->fw_name) { + ret = fsl_xcvr_load_firmware(xcvr); + if (ret) { + dev_err(dev, "failed to load firmware.\n"); +-- +2.39.5 + diff --git a/queue-6.15/asoc-mediatek-use-reserved-memory-or-enable-buffer-p.patch b/queue-6.15/asoc-mediatek-use-reserved-memory-or-enable-buffer-p.patch new file mode 100644 index 0000000000..4fcce5c5f3 --- /dev/null +++ b/queue-6.15/asoc-mediatek-use-reserved-memory-or-enable-buffer-p.patch @@ -0,0 +1,174 @@ +From 06356ee29ea8080c0a882fdbd87b1a6464d0e116 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 15:48:57 +0800 +Subject: ASoC: mediatek: use reserved memory or enable buffer pre-allocation + +From: Chen-Yu Tsai + +[ Upstream commit ec4a10ca4a68ec97f12f4d17d7abb74db34987db ] + +In commit 32c9c06adb5b ("ASoC: mediatek: disable buffer pre-allocation") +buffer pre-allocation was disabled to accommodate newer platforms that +have a limited reserved memory region for the audio frontend. + +Turns out disabling pre-allocation across the board impacts platforms +that don't have this reserved memory region. Buffer allocation failures +have been observed on MT8173 and MT8183 based Chromebooks under low +memory conditions, which results in no audio playback for the user. + +Since some MediaTek platforms already have dedicated reserved memory +pools for the audio frontend, the plan is to enable this for all of +them. This requires device tree changes. As a fallback, reinstate the +original policy of pre-allocating audio buffers at probe time of the +reserved memory pool cannot be found or used. + +This patch covers the MT8173, MT8183, MT8186 and MT8192 platforms for +now, the reason being that existing MediaTek platform drivers that +supported reserved memory were all platforms that mainly supported +ChromeOS, and is also the set of devices that I can verify. + +Fixes: 32c9c06adb5b ("ASoC: mediatek: disable buffer pre-allocation") +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Chen-Yu Tsai +Link: https://patch.msgid.link/20250612074901.4023253-7-wenst@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 +++- + sound/soc/mediatek/common/mtk-base-afe.h | 1 + + sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 7 +++++++ + sound/soc/mediatek/mt8183/mt8183-afe-pcm.c | 7 +++++++ + sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 7 +++++++ + sound/soc/mediatek/mt8192/mt8192-afe-pcm.c | 7 +++++++ + 6 files changed, 32 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/mediatek/common/mtk-afe-platform-driver.c b/sound/soc/mediatek/common/mtk-afe-platform-driver.c +index 6b6330583941..70fd05d5ff48 100644 +--- a/sound/soc/mediatek/common/mtk-afe-platform-driver.c ++++ b/sound/soc/mediatek/common/mtk-afe-platform-driver.c +@@ -120,7 +120,9 @@ int mtk_afe_pcm_new(struct snd_soc_component *component, + struct mtk_base_afe *afe = snd_soc_component_get_drvdata(component); + + size = afe->mtk_afe_hardware->buffer_bytes_max; +- snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, 0, size); ++ snd_pcm_set_managed_buffer_all(pcm, SNDRV_DMA_TYPE_DEV, afe->dev, ++ afe->preallocate_buffers ? size : 0, ++ size); + + return 0; + } +diff --git a/sound/soc/mediatek/common/mtk-base-afe.h b/sound/soc/mediatek/common/mtk-base-afe.h +index f51578b6c50a..a406f2e3e7a8 100644 +--- a/sound/soc/mediatek/common/mtk-base-afe.h ++++ b/sound/soc/mediatek/common/mtk-base-afe.h +@@ -117,6 +117,7 @@ struct mtk_base_afe { + struct mtk_base_afe_irq *irqs; + int irqs_size; + int memif_32bit_supported; ++ bool preallocate_buffers; + + struct list_head sub_dais; + struct snd_soc_dai_driver *dai_drivers; +diff --git a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c +index 04ed0cfec174..f93d6348fdf8 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c ++++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1070,6 +1071,12 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev) + + afe->dev = &pdev->dev; + ++ ret = of_reserved_mem_device_init(&pdev->dev); ++ if (ret) { ++ dev_info(&pdev->dev, "no reserved memory found, pre-allocating buffers instead\n"); ++ afe->preallocate_buffers = true; ++ } ++ + irq_id = platform_get_irq(pdev, 0); + if (irq_id <= 0) + return irq_id < 0 ? irq_id : -ENXIO; +diff --git a/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c b/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c +index d083b4bf0f95..e7378bee8e50 100644 +--- a/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c ++++ b/sound/soc/mediatek/mt8183/mt8183-afe-pcm.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1094,6 +1095,12 @@ static int mt8183_afe_pcm_dev_probe(struct platform_device *pdev) + afe->dev = &pdev->dev; + dev = afe->dev; + ++ ret = of_reserved_mem_device_init(dev); ++ if (ret) { ++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n"); ++ afe->preallocate_buffers = true; ++ } ++ + /* initial audio related clock */ + ret = mt8183_init_clock(afe); + if (ret) { +diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c +index db7c93401bee..c73b4664e53e 100644 +--- a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c ++++ b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2835,6 +2836,12 @@ static int mt8186_afe_pcm_dev_probe(struct platform_device *pdev) + afe_priv = afe->platform_priv; + afe->dev = &pdev->dev; + ++ ret = of_reserved_mem_device_init(dev); ++ if (ret) { ++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n"); ++ afe->preallocate_buffers = true; ++ } ++ + afe->base_addr = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(afe->base_addr)) + return PTR_ERR(afe->base_addr); +diff --git a/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c b/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c +index fd6af74d7995..3d32fe46118e 100644 +--- a/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c ++++ b/sound/soc/mediatek/mt8192/mt8192-afe-pcm.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2179,6 +2180,12 @@ static int mt8192_afe_pcm_dev_probe(struct platform_device *pdev) + + afe->dev = dev; + ++ ret = of_reserved_mem_device_init(dev); ++ if (ret) { ++ dev_info(dev, "no reserved memory found, pre-allocating buffers instead\n"); ++ afe->preallocate_buffers = true; ++ } ++ + /* init audio related clock */ + ret = mt8192_init_clock(afe); + if (ret) { +-- +2.39.5 + diff --git a/queue-6.15/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch b/queue-6.15/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch new file mode 100644 index 0000000000..92077c2a2e --- /dev/null +++ b/queue-6.15/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch @@ -0,0 +1,79 @@ +From c8a5e563a81127dee022e801d1f207bb379c9351 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 11:30:53 +0200 +Subject: ASoC: ops: dynamically allocate struct snd_ctl_elem_value + +From: Arnd Bergmann + +[ Upstream commit 7e10d7242ea8a5947878880b912ffa5806520705 ] + +This structure is really too larget to be allocated on the stack: + +sound/soc/soc-ops.c:435:5: error: stack frame size (1296) exceeds limit (1280) in 'snd_soc_limit_volume' [-Werror,-Wframe-larger-than] + +Change the function to dynamically allocate it instead. + +There is probably a better way to do it since only two integer fields +inside of that structure are actually used, but this is the simplest +rework for the moment. + +Fixes: 783db6851c18 ("ASoC: ops: Enforce platform maximum on initial value") +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20250610093057.2643233-1-arnd@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-ops.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c +index 8d4dd11c9aef..a629e0eacb20 100644 +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -399,28 +399,32 @@ EXPORT_SYMBOL_GPL(snd_soc_put_volsw_sx); + static int snd_soc_clip_to_platform_max(struct snd_kcontrol *kctl) + { + struct soc_mixer_control *mc = (struct soc_mixer_control *)kctl->private_value; +- struct snd_ctl_elem_value uctl; ++ struct snd_ctl_elem_value *uctl; + int ret; + + if (!mc->platform_max) + return 0; + +- ret = kctl->get(kctl, &uctl); ++ uctl = kzalloc(sizeof(*uctl), GFP_KERNEL); ++ if (!uctl) ++ return -ENOMEM; ++ ++ ret = kctl->get(kctl, uctl); + if (ret < 0) +- return ret; ++ goto out; + +- if (uctl.value.integer.value[0] > mc->platform_max) +- uctl.value.integer.value[0] = mc->platform_max; ++ if (uctl->value.integer.value[0] > mc->platform_max) ++ uctl->value.integer.value[0] = mc->platform_max; + + if (snd_soc_volsw_is_stereo(mc) && +- uctl.value.integer.value[1] > mc->platform_max) +- uctl.value.integer.value[1] = mc->platform_max; ++ uctl->value.integer.value[1] > mc->platform_max) ++ uctl->value.integer.value[1] = mc->platform_max; + +- ret = kctl->put(kctl, &uctl); +- if (ret < 0) +- return ret; ++ ret = kctl->put(kctl, uctl); + +- return 0; ++out: ++ kfree(uctl); ++ return ret; + } + + /** +-- +2.39.5 + diff --git a/queue-6.15/asoc-sdca-allow-read-only-controls-to-be-deferrable.patch b/queue-6.15/asoc-sdca-allow-read-only-controls-to-be-deferrable.patch new file mode 100644 index 0000000000..3ae8d6cb4b --- /dev/null +++ b/queue-6.15/asoc-sdca-allow-read-only-controls-to-be-deferrable.patch @@ -0,0 +1,41 @@ +From d3ebaa75ae37c577e99623784cc03be7a2599a72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 13:41:49 +0100 +Subject: ASoC: SDCA: Allow read-only controls to be deferrable + +From: Charles Keepax + +[ Upstream commit 4eb6ad5d2080681b531db2c1764246f9a868062f ] + +The current SDCA Control parsing only checks the deferrable flag for +Read/Write and Dual Ranked controls. However, reads can defer as well as +writes so Read Only controls should also check for the deferrable flag. +Add the handling for this into find_sdca_entity_control(). + +Fixes: 42b144cb6a2d ("ASoC: SDCA: Add SDCA Control parsing") +Signed-off-by: Charles Keepax +Reviewed-by: Pierre-Louis Bossart +Link: https://patch.msgid.link/20250707124155.2596744-2-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sdca/sdca_functions.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/sdca/sdca_functions.c b/sound/soc/sdca/sdca_functions.c +index 493f390f087a..15aa57a07c73 100644 +--- a/sound/soc/sdca/sdca_functions.c ++++ b/sound/soc/sdca/sdca_functions.c +@@ -880,7 +880,8 @@ static int find_sdca_entity_control(struct device *dev, struct sdca_entity *enti + control->value = tmp; + control->has_fixed = true; + } +- ++ fallthrough; ++ case SDCA_ACCESS_MODE_RO: + control->deferrable = fwnode_property_read_bool(control_node, + "mipi-sdca-control-deferrable"); + break; +-- +2.39.5 + diff --git a/queue-6.15/asoc-sdca-fix-some-holes-in-the-regmap-readable-writ.patch b/queue-6.15/asoc-sdca-fix-some-holes-in-the-regmap-readable-writ.patch new file mode 100644 index 0000000000..83cd696b48 --- /dev/null +++ b/queue-6.15/asoc-sdca-fix-some-holes-in-the-regmap-readable-writ.patch @@ -0,0 +1,70 @@ +From 84d1454bd75f90797f35c3e561e3402d95671741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 14:54:31 +0100 +Subject: ASoC: SDCA: Fix some holes in the regmap readable/writeable helpers + +From: Charles Keepax + +[ Upstream commit 061fade7a67f6cdfe918a675270d84107abbef61 ] + +The current regmap readable/writeable helper functions always +allow the Next flag and allows any Control Number. Mask the Next +flag based on SDCA_ACCESS_MODE_DUAL which is the only Mode that +supports it. Also check that the Control Number is valid for +the given control. + +Fixes: e3f7caf74b79 ("ASoC: SDCA: Add generic regmap SDCA helpers") +Signed-off-by: Charles Keepax +Link: https://patch.msgid.link/20250718135432.1048566-2-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sdca/sdca_regmap.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/sdca/sdca_regmap.c b/sound/soc/sdca/sdca_regmap.c +index 4b78188cfceb..394058a0537c 100644 +--- a/sound/soc/sdca/sdca_regmap.c ++++ b/sound/soc/sdca/sdca_regmap.c +@@ -72,12 +72,18 @@ bool sdca_regmap_readable(struct sdca_function_data *function, unsigned int reg) + if (!control) + return false; + ++ if (!(BIT(SDW_SDCA_CTL_CNUM(reg)) & control->cn_list)) ++ return false; ++ + switch (control->mode) { + case SDCA_ACCESS_MODE_RW: + case SDCA_ACCESS_MODE_RO: +- case SDCA_ACCESS_MODE_DUAL: + case SDCA_ACCESS_MODE_RW1S: + case SDCA_ACCESS_MODE_RW1C: ++ if (SDW_SDCA_NEXT_CTL(0) & reg) ++ return false; ++ fallthrough; ++ case SDCA_ACCESS_MODE_DUAL: + /* No access to registers marked solely for device use */ + return control->layers & ~SDCA_ACCESS_LAYER_DEVICE; + default: +@@ -104,11 +110,17 @@ bool sdca_regmap_writeable(struct sdca_function_data *function, unsigned int reg + if (!control) + return false; + ++ if (!(BIT(SDW_SDCA_CTL_CNUM(reg)) & control->cn_list)) ++ return false; ++ + switch (control->mode) { + case SDCA_ACCESS_MODE_RW: +- case SDCA_ACCESS_MODE_DUAL: + case SDCA_ACCESS_MODE_RW1S: + case SDCA_ACCESS_MODE_RW1C: ++ if (SDW_SDCA_NEXT_CTL(0) & reg) ++ return false; ++ fallthrough; ++ case SDCA_ACCESS_MODE_DUAL: + /* No access to registers marked solely for device use */ + return control->layers & ~SDCA_ACCESS_LAYER_DEVICE; + default: +-- +2.39.5 + diff --git a/queue-6.15/asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch b/queue-6.15/asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch new file mode 100644 index 0000000000..6a48785650 --- /dev/null +++ b/queue-6.15/asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch @@ -0,0 +1,88 @@ +From 1a7afdd551e42af54e29042059acbadbbb07b93d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 01:59:15 +0000 +Subject: ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kuninori Morimoto + +[ Upstream commit f4c77d5af0a9cd0ee22617baa8b49d0e151fbda7 ] + +commit 7f1186a8d738661 ("ASoC: soc-dai: check return value at +snd_soc_dai_set_tdm_slot()") checks return value of +xlate_tdm_slot_mask() (A1)(A2). + + /* + * ... +(Y) * TDM mode can be disabled by passing 0 for @slots. In this case @tx_mask, + * @rx_mask and @slot_width will be ignored. + * ... + */ + int snd_soc_dai_set_tdm_slot(...) + { + ... + if (...) +(A1) ret = dai->driver->ops->xlate_tdm_slot_mask(...); + else +(A2) ret = snd_soc_xlate_tdm_slot_mask(...); + if (ret) + goto err; + ... + } + +snd_soc_xlate_tdm_slot_mask() (A2) will return -EINVAL if slots was 0 (X), +but snd_soc_dai_set_tdm_slot() allow to use it (Y). + +(A) static int snd_soc_xlate_tdm_slot_mask(...) + { + ... + if (!slots) +(X) return -EINVAL; + ... + } + +Call xlate_tdm_slot_mask() only if slots was non zero. + +Reported-by: Giedrius Trainavičius +Closes: https://lore.kernel.org/r/CAMONXLtSL7iKyvH6w=CzPTxQdBECf++hn8RKL6Y4=M_ou2YHow@mail.gmail.com +Fixes: 7f1186a8d738661 ("ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()") +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/8734cdfx59.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dai.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c +index a210089747d0..32f46a38682b 100644 +--- a/sound/soc/soc-dai.c ++++ b/sound/soc/soc-dai.c +@@ -259,13 +259,15 @@ int snd_soc_dai_set_tdm_slot(struct snd_soc_dai *dai, + &rx_mask, + }; + +- if (dai->driver->ops && +- dai->driver->ops->xlate_tdm_slot_mask) +- ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask); +- else +- ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask); +- if (ret) +- goto err; ++ if (slots) { ++ if (dai->driver->ops && ++ dai->driver->ops->xlate_tdm_slot_mask) ++ ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask); ++ else ++ ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask); ++ if (ret) ++ goto err; ++ } + + for_each_pcm_streams(stream) + snd_soc_dai_tdm_mask_set(dai, stream, *tdm_mask[stream]); +-- +2.39.5 + diff --git a/queue-6.15/audit-module-restore-audit-logging-in-load-failure-c.patch b/queue-6.15/audit-module-restore-audit-logging-in-load-failure-c.patch new file mode 100644 index 0000000000..08b79d2b38 --- /dev/null +++ b/queue-6.15/audit-module-restore-audit-logging-in-load-failure-c.patch @@ -0,0 +1,117 @@ +From 2709f60645896925e09c1472419f707f0bc970d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 15:58:00 -0400 +Subject: audit,module: restore audit logging in load failure case + +From: Richard Guy Briggs + +[ Upstream commit ae1ae11fb277f1335d6bcd4935ba0ea985af3c32 ] + +The move of the module sanity check to earlier skipped the audit logging +call in the case of failure and to a place where the previously used +context is unavailable. + +Add an audit logging call for the module loading failure case and get +the module name when possible. + +Link: https://issues.redhat.com/browse/RHEL-52839 +Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()") +Signed-off-by: Richard Guy Briggs +Reviewed-by: Petr Pavlu +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + include/linux/audit.h | 9 ++++----- + kernel/audit.h | 2 +- + kernel/auditsc.c | 2 +- + kernel/module/main.c | 6 ++++-- + 4 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/include/linux/audit.h b/include/linux/audit.h +index 0050ef288ab3..a394614ccd0b 100644 +--- a/include/linux/audit.h ++++ b/include/linux/audit.h +@@ -417,7 +417,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, + extern void __audit_log_capset(const struct cred *new, const struct cred *old); + extern void __audit_mmap_fd(int fd, int flags); + extern void __audit_openat2_how(struct open_how *how); +-extern void __audit_log_kern_module(char *name); ++extern void __audit_log_kern_module(const char *name); + extern void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar); + extern void __audit_tk_injoffset(struct timespec64 offset); + extern void __audit_ntp_log(const struct audit_ntp_data *ad); +@@ -519,7 +519,7 @@ static inline void audit_openat2_how(struct open_how *how) + __audit_openat2_how(how); + } + +-static inline void audit_log_kern_module(char *name) ++static inline void audit_log_kern_module(const char *name) + { + if (!audit_dummy_context()) + __audit_log_kern_module(name); +@@ -677,9 +677,8 @@ static inline void audit_mmap_fd(int fd, int flags) + static inline void audit_openat2_how(struct open_how *how) + { } + +-static inline void audit_log_kern_module(char *name) +-{ +-} ++static inline void audit_log_kern_module(const char *name) ++{ } + + static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar) + { } +diff --git a/kernel/audit.h b/kernel/audit.h +index 0211cb307d30..2a24d01c5fb0 100644 +--- a/kernel/audit.h ++++ b/kernel/audit.h +@@ -200,7 +200,7 @@ struct audit_context { + int argc; + } execve; + struct { +- char *name; ++ const char *name; + } module; + struct { + struct audit_ntp_data ntp_data; +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 78fd876a5473..eb98cd6fe91f 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -2864,7 +2864,7 @@ void __audit_openat2_how(struct open_how *how) + context->type = AUDIT_OPENAT2; + } + +-void __audit_log_kern_module(char *name) ++void __audit_log_kern_module(const char *name) + { + struct audit_context *context = audit_context(); + +diff --git a/kernel/module/main.c b/kernel/module/main.c +index 9d8a845d9466..05da78b6a6c1 100644 +--- a/kernel/module/main.c ++++ b/kernel/module/main.c +@@ -3298,7 +3298,7 @@ static int load_module(struct load_info *info, const char __user *uargs, + + module_allocated = true; + +- audit_log_kern_module(mod->name); ++ audit_log_kern_module(info->name); + + /* Reserve our place in the list. */ + err = add_unformed_module(mod); +@@ -3460,8 +3460,10 @@ static int load_module(struct load_info *info, const char __user *uargs, + * failures once the proper module was allocated and + * before that. + */ +- if (!module_allocated) ++ if (!module_allocated) { ++ audit_log_kern_module(info->name ? info->name : "?"); + mod_stat_bump_becoming(info, flags); ++ } + free_copy(info, flags); + return err; + } +-- +2.39.5 + diff --git a/queue-6.15/block-mtip32xx-fix-usage-of-dma_map_sg.patch b/queue-6.15/block-mtip32xx-fix-usage-of-dma_map_sg.patch new file mode 100644 index 0000000000..c9cd2dbe0a --- /dev/null +++ b/queue-6.15/block-mtip32xx-fix-usage-of-dma_map_sg.patch @@ -0,0 +1,95 @@ +From 8db6fc12f4772823091733591aa61b9ad0b92cd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 14:11:19 +0200 +Subject: block: mtip32xx: Fix usage of dma_map_sg() + +From: Thomas Fourier + +[ Upstream commit 8e1fab9cccc7b806b0cffdceabb09b310b83b553 ] + +The dma_map_sg() can fail and, in case of failure, returns 0. If it +fails, mtip_hw_submit_io() returns an error. + +The dma_unmap_sg() requires the nents parameter to be the same as the +one passed to dma_map_sg(). This patch saves the nents in +command->scatter_ents. + +Fixes: 88523a61558a ("block: Add driver for Micron RealSSD pcie flash cards") +Signed-off-by: Thomas Fourier +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20250627121123.203731-2-fourier.thomas@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/mtip32xx/mtip32xx.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c +index 0d619df03fa9..fe3a0b8377db 100644 +--- a/drivers/block/mtip32xx/mtip32xx.c ++++ b/drivers/block/mtip32xx/mtip32xx.c +@@ -2040,11 +2040,12 @@ static int mtip_hw_ioctl(struct driver_data *dd, unsigned int cmd, + * @dir Direction (read or write) + * + * return value +- * None ++ * 0 The IO completed successfully. ++ * -ENOMEM The DMA mapping failed. + */ +-static void mtip_hw_submit_io(struct driver_data *dd, struct request *rq, +- struct mtip_cmd *command, +- struct blk_mq_hw_ctx *hctx) ++static int mtip_hw_submit_io(struct driver_data *dd, struct request *rq, ++ struct mtip_cmd *command, ++ struct blk_mq_hw_ctx *hctx) + { + struct mtip_cmd_hdr *hdr = + dd->port->command_list + sizeof(struct mtip_cmd_hdr) * rq->tag; +@@ -2056,12 +2057,14 @@ static void mtip_hw_submit_io(struct driver_data *dd, struct request *rq, + unsigned int nents; + + /* Map the scatter list for DMA access */ +- nents = blk_rq_map_sg(rq, command->sg); +- nents = dma_map_sg(&dd->pdev->dev, command->sg, nents, dma_dir); ++ command->scatter_ents = blk_rq_map_sg(rq, command->sg); ++ nents = dma_map_sg(&dd->pdev->dev, command->sg, ++ command->scatter_ents, dma_dir); ++ if (!nents) ++ return -ENOMEM; + +- prefetch(&port->flags); + +- command->scatter_ents = nents; ++ prefetch(&port->flags); + + /* + * The number of retries for this command before it is +@@ -2112,11 +2115,13 @@ static void mtip_hw_submit_io(struct driver_data *dd, struct request *rq, + if (unlikely(port->flags & MTIP_PF_PAUSE_IO)) { + set_bit(rq->tag, port->cmds_to_issue); + set_bit(MTIP_PF_ISSUE_CMDS_BIT, &port->flags); +- return; ++ return 0; + } + + /* Issue the command to the hardware */ + mtip_issue_ncq_command(port, rq->tag); ++ ++ return 0; + } + + /* +@@ -3315,7 +3320,9 @@ static blk_status_t mtip_queue_rq(struct blk_mq_hw_ctx *hctx, + + blk_mq_start_request(rq); + +- mtip_hw_submit_io(dd, rq, cmd, hctx); ++ if (mtip_hw_submit_io(dd, rq, cmd, hctx)) ++ return BLK_STS_IOERR; ++ + return BLK_STS_OK; + } + +-- +2.39.5 + diff --git a/queue-6.15/block-sanitize-chunk_sectors-for-atomic-write-limits.patch b/queue-6.15/block-sanitize-chunk_sectors-for-atomic-write-limits.patch new file mode 100644 index 0000000000..7271b8ba44 --- /dev/null +++ b/queue-6.15/block-sanitize-chunk_sectors-for-atomic-write-limits.patch @@ -0,0 +1,58 @@ +From 498b3b693787a846c82d2f318eb4bff724e76496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 10:52:54 +0000 +Subject: block: sanitize chunk_sectors for atomic write limits + +From: John Garry + +[ Upstream commit 1de67e8e28fc47d71ee06ffa0185da549b378ffb ] + +Currently we just ensure that a non-zero value in chunk_sectors aligns +with any atomic write boundary, as the blk boundary functionality uses +both these values. + +However it is also improper to have atomic write unit max > chunk_sectors +(for non-zero chunk_sectors), as this would lead to splitting of atomic +write bios (which is disallowed). + +Sanitize atomic write unit max against chunk_sectors to avoid any +potential problems. + +Fixes: d00eea91deaf3 ("block: Add extra checks in blk_validate_atomic_write_limits()") +Reviewed-by: Nilay Shroff +Signed-off-by: John Garry +Reviewed-by: Martin K. Petersen +Link: https://lore.kernel.org/r/20250711105258.3135198-3-john.g.garry@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-settings.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/block/blk-settings.c b/block/blk-settings.c +index 4817e7ca03f8..d8c79e5112b4 100644 +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -186,6 +186,8 @@ static void blk_atomic_writes_update_limits(struct queue_limits *lim) + static void blk_validate_atomic_write_limits(struct queue_limits *lim) + { + unsigned int boundary_sectors; ++ unsigned int atomic_write_hw_max_sectors = ++ lim->atomic_write_hw_max >> SECTOR_SHIFT; + + if (!(lim->features & BLK_FEAT_ATOMIC_WRITES)) + goto unsupported; +@@ -207,6 +209,10 @@ static void blk_validate_atomic_write_limits(struct queue_limits *lim) + lim->atomic_write_hw_max)) + goto unsupported; + ++ if (WARN_ON_ONCE(lim->chunk_sectors && ++ atomic_write_hw_max_sectors > lim->chunk_sectors)) ++ goto unsupported; ++ + boundary_sectors = lim->atomic_write_hw_boundary >> SECTOR_SHIFT; + + if (boundary_sectors) { +-- +2.39.5 + diff --git a/queue-6.15/bluetooth-hci_devcd_dump-fix-out-of-bounds-via-dev_c.patch b/queue-6.15/bluetooth-hci_devcd_dump-fix-out-of-bounds-via-dev_c.patch new file mode 100644 index 0000000000..c4100612db --- /dev/null +++ b/queue-6.15/bluetooth-hci_devcd_dump-fix-out-of-bounds-via-dev_c.patch @@ -0,0 +1,108 @@ +From faf9b50bf55328fd79c7829600de2cdfdb81ae90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 11:10:52 -0400 +Subject: Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv + +From: Ivan Pravdin + +[ Upstream commit 7af4d7b53502286c6cf946d397ab183e76d14820 ] + +Currently both dev_coredumpv and skb_put_data in hci_devcd_dump use +hdev->dump.head. However, dev_coredumpv can free the buffer. From +dev_coredumpm_timeout documentation, which is used by dev_coredumpv: + + > Creates a new device coredump for the given device. If a previous one hasn't + > been read yet, the new coredump is discarded. The data lifetime is determined + > by the device coredump framework and when it is no longer needed the @free + > function will be called to free the data. + +If the data has not been read by the userspace yet, dev_coredumpv will +discard new buffer, freeing hdev->dump.head. This leads to +vmalloc-out-of-bounds error when skb_put_data tries to access +hdev->dump.head. + +A crash report from syzbot illustrates this: + + ================================================================== + BUG: KASAN: vmalloc-out-of-bounds in skb_put_data + include/linux/skbuff.h:2752 [inline] + BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240 + net/bluetooth/coredump.c:258 + Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844 + + CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted + 6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full) + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS + Google 02/12/2025 + Workqueue: hci0 hci_devcd_timeout + Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:408 [inline] + print_report+0xc3/0x670 mm/kasan/report.c:521 + kasan_report+0xe0/0x110 mm/kasan/report.c:634 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 + __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105 + skb_put_data include/linux/skbuff.h:2752 [inline] + hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258 + hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413 + process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:464 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + + The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping + Memory state around the buggy address: + ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + >ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ^ + ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ================================================================== + +To avoid this issue, reorder dev_coredumpv to be called after +skb_put_data that does not free the data. + +Reported-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c +Fixes: b257e02ecc46 ("HCI: coredump: Log devcd dumps into the monitor") +Tested-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com +Signed-off-by: Ivan Pravdin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/coredump.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c +index 819eacb38762..720cb79adf96 100644 +--- a/net/bluetooth/coredump.c ++++ b/net/bluetooth/coredump.c +@@ -249,15 +249,15 @@ static void hci_devcd_dump(struct hci_dev *hdev) + + size = hdev->dump.tail - hdev->dump.head; + +- /* Emit a devcoredump with the available data */ +- dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL); +- + /* Send a copy to monitor as a diagnostic packet */ + skb = bt_skb_alloc(size, GFP_ATOMIC); + if (skb) { + skb_put_data(skb, hdev->dump.head, size); + hci_recv_diag(hdev, skb); + } ++ ++ /* Emit a devcoredump with the available data */ ++ dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL); + } + + static void hci_devcd_handle_pkt_complete(struct hci_dev *hdev, +-- +2.39.5 + diff --git a/queue-6.15/bluetooth-hci_event-mask-data-status-from-le-ext-adv.patch b/queue-6.15/bluetooth-hci_event-mask-data-status-from-le-ext-adv.patch new file mode 100644 index 0000000000..fce364d564 --- /dev/null +++ b/queue-6.15/bluetooth-hci_event-mask-data-status-from-le-ext-adv.patch @@ -0,0 +1,105 @@ +From d4a2c57e6692e85894159c589d66db67a08e6800 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 16:30:23 +0100 +Subject: Bluetooth: hci_event: Mask data status from LE ext adv reports + +From: Chris Down + +[ Upstream commit 0cadf8534f2a727bc3a01e8c583b085d25963ee0 ] + +The Event_Type field in an LE Extended Advertising Report uses bits 5 +and 6 for data status (e.g. truncation or fragmentation), not the PDU +type itself. + +The ext_evt_type_to_legacy() function fails to mask these status bits +before evaluation. This causes valid advertisements with status bits set +(e.g. a truncated non-connectable advertisement, which ends up showing +as PDU type 0x40) to be misclassified as unknown and subsequently +dropped. This is okay for most checks which use bitwise AND on the +relevant event type bits, but it doesn't work for non-connectable types, +which are checked with '== LE_EXT_ADV_NON_CONN_IND' (that is, zero). + +In terms of behaviour, first the device sends a truncated report: + +> HCI Event: LE Meta Event (0x3e) plen 26 + LE Extended Advertising Report (0x0d) + Entry 0 + Event type: 0x0040 + Data status: Incomplete, data truncated, no more to come + Address type: Random (0x01) + Address: 1D:12:46:FA:F8:6E (Non-Resolvable) + SID: 0x03 + RSSI: -98 dBm (0x9e) + Data length: 0x00 + +Then, a few seconds later, it sends the subsequent complete report: + +> HCI Event: LE Meta Event (0x3e) plen 122 + LE Extended Advertising Report (0x0d) + Entry 0 + Event type: 0x0000 + Data status: Complete + Address type: Random (0x01) + Address: 1D:12:46:FA:F8:6E (Non-Resolvable) + SID: 0x03 + RSSI: -97 dBm (0x9f) + Data length: 0x60 + Service Data: Google (0xfef3) + Data[92]: ... + +These devices often send multiple truncated reports per second. + +This patch introduces a PDU type mask to ensure only the relevant bits +are evaluated, allowing for the correct translation of all valid +extended advertising packets. + +Fixes: b2cc9761f144 ("Bluetooth: Handle extended ADV PDU types") +Signed-off-by: Chris Down +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci.h | 1 + + net/bluetooth/hci_event.c | 8 ++++++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h +index f47dfb8b5be7..ebe01eb28264 100644 +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -2633,6 +2633,7 @@ struct hci_ev_le_conn_complete { + #define LE_EXT_ADV_DIRECT_IND 0x0004 + #define LE_EXT_ADV_SCAN_RSP 0x0008 + #define LE_EXT_ADV_LEGACY_PDU 0x0010 ++#define LE_EXT_ADV_DATA_STATUS_MASK 0x0060 + #define LE_EXT_ADV_EVT_TYPE_MASK 0x007f + + #define ADDR_LE_DEV_PUBLIC 0x00 +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index cf4b30ac9e0e..c1dd8d78701f 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6239,6 +6239,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data, + + static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) + { ++ u16 pdu_type = evt_type & ~LE_EXT_ADV_DATA_STATUS_MASK; ++ ++ if (!pdu_type) ++ return LE_ADV_NONCONN_IND; ++ + if (evt_type & LE_EXT_ADV_LEGACY_PDU) { + switch (evt_type) { + case LE_LEGACY_ADV_IND: +@@ -6270,8 +6275,7 @@ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) + if (evt_type & LE_EXT_ADV_SCAN_IND) + return LE_ADV_SCAN_IND; + +- if (evt_type == LE_EXT_ADV_NON_CONN_IND || +- evt_type & LE_EXT_ADV_DIRECT_IND) ++ if (evt_type & LE_EXT_ADV_DIRECT_IND) + return LE_ADV_NONCONN_IND; + + invalid: +-- +2.39.5 + diff --git a/queue-6.15/bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch b/queue-6.15/bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch new file mode 100644 index 0000000000..59b4c47555 --- /dev/null +++ b/queue-6.15/bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch @@ -0,0 +1,115 @@ +From c0f061c1caca06269db3be6ca9a664426f4f23a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 22:23:58 +0300 +Subject: Bluetooth: hci_sync: fix double free in + 'hci_discovery_filter_clear()' + +From: Arseniy Krasnov + +[ Upstream commit 2935e556850e9c94d7a00adf14d3cd7fe406ac03 ] + +Function 'hci_discovery_filter_clear()' frees 'uuids' array and then +sets it to NULL. There is a tiny chance of the following race: + +'hci_cmd_sync_work()' + + 'update_passive_scan_sync()' + + 'hci_update_passive_scan_sync()' + + 'hci_discovery_filter_clear()' + kfree(uuids); + + <-------------------------preempted--------------------------------> + 'start_service_discovery()' + + 'hci_discovery_filter_clear()' + kfree(uuids); // DOUBLE FREE + + <-------------------------preempted--------------------------------> + + uuids = NULL; + +To fix it let's add locking around 'kfree()' call and NULL pointer +assignment. Otherwise the following backtrace fires: + +[ ] ------------[ cut here ]------------ +[ ] kernel BUG at mm/slub.c:547! +[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP +[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1 +[ ] Tainted: [O]=OOT_MODULE +[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ ] pc : __slab_free+0xf8/0x348 +[ ] lr : __slab_free+0x48/0x348 +... +[ ] Call trace: +[ ] __slab_free+0xf8/0x348 +[ ] kfree+0x164/0x27c +[ ] start_service_discovery+0x1d0/0x2c0 +[ ] hci_sock_sendmsg+0x518/0x924 +[ ] __sock_sendmsg+0x54/0x60 +[ ] sock_write_iter+0x98/0xf8 +[ ] do_iter_readv_writev+0xe4/0x1c8 +[ ] vfs_writev+0x128/0x2b0 +[ ] do_writev+0xfc/0x118 +[ ] __arm64_sys_writev+0x20/0x2c +[ ] invoke_syscall+0x68/0xf0 +[ ] el0_svc_common.constprop.0+0x40/0xe0 +[ ] do_el0_svc+0x1c/0x28 +[ ] el0_svc+0x30/0xd0 +[ ] el0t_64_sync_handler+0x100/0x12c +[ ] el0t_64_sync+0x194/0x198 +[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000) +[ ] ---[ end trace 0000000000000000 ]--- + +Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled") +Signed-off-by: Arseniy Krasnov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index d22468bb4341..351a9057e70e 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -93,6 +94,7 @@ struct discovery_state { + u16 uuid_count; + u8 (*uuids)[16]; + unsigned long name_resolve_timeout; ++ spinlock_t lock; + }; + + #define SUSPEND_NOTIFIER_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */ +@@ -885,6 +887,7 @@ static inline void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, + + static inline void discovery_init(struct hci_dev *hdev) + { ++ spin_lock_init(&hdev->discovery.lock); + hdev->discovery.state = DISCOVERY_STOPPED; + INIT_LIST_HEAD(&hdev->discovery.all); + INIT_LIST_HEAD(&hdev->discovery.unknown); +@@ -899,8 +902,11 @@ static inline void hci_discovery_filter_clear(struct hci_dev *hdev) + hdev->discovery.report_invalid_rssi = true; + hdev->discovery.rssi = HCI_RSSI_INVALID; + hdev->discovery.uuid_count = 0; ++ ++ spin_lock(&hdev->discovery.lock); + kfree(hdev->discovery.uuids); + hdev->discovery.uuids = NULL; ++ spin_unlock(&hdev->discovery.lock); + } + + bool hci_discovery_active(struct hci_dev *hdev); +-- +2.39.5 + diff --git a/queue-6.15/bpf-arm64-fix-fp-initialization-for-exception-bounda.patch b/queue-6.15/bpf-arm64-fix-fp-initialization-for-exception-bounda.patch new file mode 100644 index 0000000000..bf5163e61e --- /dev/null +++ b/queue-6.15/bpf-arm64-fix-fp-initialization-for-exception-bounda.patch @@ -0,0 +1,48 @@ +From 7e5e4ca5ea75bb2de5e721a3a75284a736f73ce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 13:34:09 +0000 +Subject: bpf, arm64: Fix fp initialization for exception boundary + +From: Puranjay Mohan + +[ Upstream commit b114fcee766d5101eada1aca7bb5fd0a86c89b35 ] + +In the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF +program, find_used_callee_regs() is not called because for a program +acting as exception boundary, all callee saved registers are saved. +find_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP +being used in any of the instructions. + +For programs acting as exception boundary, ctx->fp_used remains false +even if frame pointer is used by the program and therefore, FP is not +set-up for such programs in the prologue. This can cause the kernel to +crash due to a pagefault. + +Fix it by setting ctx->fp_used = true for exception boundary programs as +fp is always saved in such programs. + +Fixes: 5d4fa9ec5643 ("bpf, arm64: Avoid blindly saving/restoring all callee-saved registers") +Signed-off-by: Puranjay Mohan +Signed-off-by: Daniel Borkmann +Acked-by: Xu Kuohai +Link: https://lore.kernel.org/bpf/20250722133410.54161-2-puranjay@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/net/bpf_jit_comp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index 634d78422adb..a85236d0afee 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -412,6 +412,7 @@ static void push_callee_regs(struct jit_ctx *ctx) + emit(A64_PUSH(A64_R(23), A64_R(24), A64_SP), ctx); + emit(A64_PUSH(A64_R(25), A64_R(26), A64_SP), ctx); + emit(A64_PUSH(A64_R(27), A64_R(28), A64_SP), ctx); ++ ctx->fp_used = true; + } else { + find_used_callee_regs(ctx); + for (i = 0; i + 1 < ctx->nr_used_callee_reg; i += 2) { +-- +2.39.5 + diff --git a/queue-6.15/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch b/queue-6.15/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch new file mode 100644 index 0000000000..10a054c327 --- /dev/null +++ b/queue-6.15/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch @@ -0,0 +1,48 @@ +From 195ede61ed4067b64d81d502b99ba816666c40d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 11:47:23 +0200 +Subject: bpf: Check flow_dissector ctx accesses are aligned + +From: Paul Chaignon + +[ Upstream commit ead3d7b2b6afa5ee7958620c4329982a7d9c2b78 ] + +flow_dissector_is_valid_access doesn't check that the context access is +aligned. As a consequence, an unaligned access within one of the exposed +field is considered valid and later rejected by +flow_dissector_convert_ctx_access when we try to convert it. + +The later rejection is problematic because it's reported as a verifier +bug with a kernel warning and doesn't point to the right instruction in +verifier logs. + +Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") +Reported-by: syzbot+ccac90e482b2a81d74aa@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=ccac90e482b2a81d74aa +Signed-off-by: Paul Chaignon +Acked-by: Yonghong Song +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/r/cc1b036be484c99be45eddf48bd78cc6f72839b1.1754039605.git.paul.chaignon@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 34f91c3aacb2..ac2cb6eba56e 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -9463,6 +9463,9 @@ static bool flow_dissector_is_valid_access(int off, int size, + if (off < 0 || off >= sizeof(struct __sk_buff)) + return false; + ++ if (off % size != 0) ++ return false; ++ + if (type == BPF_WRITE) + return false; + +-- +2.39.5 + diff --git a/queue-6.15/bpf-check-netfilter-ctx-accesses-are-aligned.patch b/queue-6.15/bpf-check-netfilter-ctx-accesses-are-aligned.patch new file mode 100644 index 0000000000..289d27531b --- /dev/null +++ b/queue-6.15/bpf-check-netfilter-ctx-accesses-are-aligned.patch @@ -0,0 +1,43 @@ +From 31ce9678a82902e282c7462aa45142e4b094ec18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 11:48:15 +0200 +Subject: bpf: Check netfilter ctx accesses are aligned + +From: Paul Chaignon + +[ Upstream commit 9e6448f7b1efb27f8d508b067ecd33ed664a4246 ] + +Similarly to the previous patch fixing the flow_dissector ctx accesses, +nf_is_valid_access also doesn't check that ctx accesses are aligned. +Contrary to flow_dissector programs, netfilter programs don't have +context conversion. The unaligned ctx accesses are therefore allowed by +the verifier. + +Fixes: fd9c663b9ad6 ("bpf: minimal support for programs hooked into netfilter framework") +Signed-off-by: Paul Chaignon +Acked-by: Yonghong Song +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/r/853ae9ed5edaa5196e8472ff0f1bb1cc24059214.1754039605.git.paul.chaignon@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_bpf_link.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c +index 25bbac8986c2..c12250e50a8b 100644 +--- a/net/netfilter/nf_bpf_link.c ++++ b/net/netfilter/nf_bpf_link.c +@@ -295,6 +295,9 @@ static bool nf_is_valid_access(int off, int size, enum bpf_access_type type, + if (off < 0 || off >= sizeof(struct bpf_nf_ctx)) + return false; + ++ if (off % size != 0) ++ return false; ++ + if (type == BPF_WRITE) + return false; + +-- +2.39.5 + diff --git a/queue-6.15/bpf-disable-migration-in-nf_hook_run_bpf.patch b/queue-6.15/bpf-disable-migration-in-nf_hook_run_bpf.patch new file mode 100644 index 0000000000..a6304a74f1 --- /dev/null +++ b/queue-6.15/bpf-disable-migration-in-nf_hook_run_bpf.patch @@ -0,0 +1,98 @@ +From 162cd233d0d46675a306aed4cffa13265d12dd17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 22:40:37 +0000 +Subject: bpf: Disable migration in nf_hook_run_bpf(). + +From: Kuniyuki Iwashima + +[ Upstream commit 17ce3e5949bc37557305ad46316f41c7875d6366 ] + +syzbot reported that the netfilter bpf prog can be called without +migration disabled in xmit path. + +Then the assertion in __bpf_prog_run() fails, triggering the splat +below. [0] + +Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf(). + +[0]: +BUG: assuming non migratable context at ./include/linux/filter.h:703 +in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session +3 locks held by sshd-session/5829: + #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline] + #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395 + #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] + #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] + #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470 + #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] + #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] + #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241 +CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 + __cant_migrate kernel/sched/core.c:8860 [inline] + __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834 + __bpf_prog_run include/linux/filter.h:703 [inline] + bpf_prog_run include/linux/filter.h:725 [inline] + nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20 + nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] + nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623 + nf_hook+0x370/0x680 include/linux/netfilter.h:272 + NF_HOOK_COND include/linux/netfilter.h:305 [inline] + ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433 + dst_output include/net/dst.h:459 [inline] + ip_local_out net/ipv4/ip_output.c:129 [inline] + __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527 + __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479 + tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline] + tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838 + __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021 + tcp_push+0x225/0x700 net/ipv4/tcp.c:759 + tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359 + tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396 + inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851 + sock_sendmsg_nosec net/socket.c:712 [inline] + __sock_sendmsg net/socket.c:727 [inline] + sock_write_iter+0x4aa/0x5b0 net/socket.c:1131 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x6c7/0x1150 fs/read_write.c:686 + ksys_write+0x1f8/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fe7d365d407 +Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff +RSP: + +Fixes: fd9c663b9ad67 ("bpf: minimal support for programs hooked into netfilter framework") +Reported-by: syzbot+40f772d37250b6d10efc@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/6879466d.a00a0220.3af5df.0022.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Martin KaFai Lau +Tested-by: syzbot+40f772d37250b6d10efc@syzkaller.appspotmail.com +Acked-by: Florian Westphal +Link: https://patch.msgid.link/20250722224041.112292-1-kuniyu@google.com +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_bpf_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c +index 06b084844700..25bbac8986c2 100644 +--- a/net/netfilter/nf_bpf_link.c ++++ b/net/netfilter/nf_bpf_link.c +@@ -17,7 +17,7 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb, + .skb = skb, + }; + +- return bpf_prog_run(prog, &ctx); ++ return bpf_prog_run_pin_on_cpu(prog, &ctx); + } + + struct bpf_nf_link { +-- +2.39.5 + diff --git a/queue-6.15/bpf-ensure-rcu-lock-is-held-around-bpf_prog_ksym_fin.patch b/queue-6.15/bpf-ensure-rcu-lock-is-held-around-bpf_prog_ksym_fin.patch new file mode 100644 index 0000000000..f1bdc219dc --- /dev/null +++ b/queue-6.15/bpf-ensure-rcu-lock-is-held-around-bpf_prog_ksym_fin.patch @@ -0,0 +1,67 @@ +From fa552c6e0ed2b77db33b1f8e204ff8dce6ed1f80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:48:10 -0700 +Subject: bpf: Ensure RCU lock is held around bpf_prog_ksym_find + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit d090326860096df9dac6f27cff76d3f8df44d4f1 ] + +Add a warning to ensure RCU lock is held around tree lookup, and then +fix one of the invocations in bpf_stack_walker. The program has an +active stack frame and won't disappear. Use the opportunity to remove +unneeded invocation of is_bpf_text_address. + +Fixes: f18b03fabaa9 ("bpf: Implement BPF exceptions") +Reviewed-by: Emil Tsalapatis +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20250703204818.925464-5-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 5 ++++- + kernel/bpf/helpers.c | 11 +++++++++-- + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index c20babbf998f..93e49b0c218b 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -778,7 +778,10 @@ bool is_bpf_text_address(unsigned long addr) + + struct bpf_prog *bpf_prog_ksym_find(unsigned long addr) + { +- struct bpf_ksym *ksym = bpf_ksym_find(addr); ++ struct bpf_ksym *ksym; ++ ++ WARN_ON_ONCE(!rcu_read_lock_held()); ++ ksym = bpf_ksym_find(addr); + + return ksym && ksym->prog ? + container_of(ksym, struct bpf_prog_aux, ksym)->prog : +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 52d02bc0abb2..3312442bc389 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -2864,9 +2864,16 @@ static bool bpf_stack_walker(void *cookie, u64 ip, u64 sp, u64 bp) + struct bpf_throw_ctx *ctx = cookie; + struct bpf_prog *prog; + +- if (!is_bpf_text_address(ip)) +- return !ctx->cnt; ++ /* ++ * The RCU read lock is held to safely traverse the latch tree, but we ++ * don't need its protection when accessing the prog, since it has an ++ * active stack frame on the current stack trace, and won't disappear. ++ */ ++ rcu_read_lock(); + prog = bpf_prog_ksym_find(ip); ++ rcu_read_unlock(); ++ if (!prog) ++ return !ctx->cnt; + ctx->cnt++; + if (bpf_is_subprog(prog)) + return true; +-- +2.39.5 + diff --git a/queue-6.15/bpf-handle-jset-if-a-b-.-as-a-jump-in-cfg-computatio.patch b/queue-6.15/bpf-handle-jset-if-a-b-.-as-a-jump-in-cfg-computatio.patch new file mode 100644 index 0000000000..301d832997 --- /dev/null +++ b/queue-6.15/bpf-handle-jset-if-a-b-.-as-a-jump-in-cfg-computatio.patch @@ -0,0 +1,51 @@ +From 39e4ae4f044c3d78d8077027f911bcf5628aae2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 10:53:30 -0700 +Subject: bpf: handle jset (if a & b ...) as a jump in CFG computation + +From: Eduard Zingerman + +[ Upstream commit 3157f7e2999616ac91f4d559a8566214f74000a5 ] + +BPF_JSET is a conditional jump and currently verifier.c:can_jump() +does not know about that. This can lead to incorrect live registers +and SCC computation. + +E.g. in the following example: + + 1: r0 = 1; + 2: r2 = 2; + 3: if r1 & 0x7 goto +1; + 4: exit; + 5: r0 = r2; + 6: exit; + +W/o this fix insn_successors(3) will return only (4), a jump to (5) +would be missed and r2 won't be marked as alive at (3). + +Fixes: 14c8552db644 ("bpf: simple DFA-based live registers analysis") +Reported-by: syzbot+a36aac327960ff474804@syzkaller.appspotmail.com +Suggested-by: Alexei Starovoitov +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20250613175331.3238739-1-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index c12dfbeb78a7..a1ecad2944a8 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -23657,6 +23657,7 @@ static bool can_jump(struct bpf_insn *insn) + case BPF_JSLT: + case BPF_JSLE: + case BPF_JCOND: ++ case BPF_JSET: + return true; + } + +-- +2.39.5 + diff --git a/queue-6.15/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch b/queue-6.15/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch new file mode 100644 index 0000000000..a064a1cd50 --- /dev/null +++ b/queue-6.15/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch @@ -0,0 +1,59 @@ +From 4b768ddad6fa41ea2aea971f0453d9fc7528b250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 10:08:52 +0800 +Subject: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls + +From: Jiayuan Chen + +[ Upstream commit 178f6a5c8cb3b6be1602de0964cd440243f493c9 ] + +When sending plaintext data, we initially calculated the corresponding +ciphertext length. However, if we later reduced the plaintext data length +via socket policy, we failed to recalculate the ciphertext length. + +This results in transmitting buffers containing uninitialized data during +ciphertext transmission. + +This causes uninitialized bytes to be appended after a complete +"Application Data" packet, leading to errors on the receiving end when +parsing TLS record. + +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Reported-by: Cong Wang +Signed-off-by: Jiayuan Chen +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Acked-by: Jakub Kicinski +Link: https://lore.kernel.org/bpf/20250609020910.397930-2-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index fc88e34b7f33..549d1ea01a72 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -872,6 +872,19 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + delta = msg->sg.size; + psock->eval = sk_psock_msg_verdict(sk, psock, msg); + delta -= msg->sg.size; ++ ++ if ((s32)delta > 0) { ++ /* It indicates that we executed bpf_msg_pop_data(), ++ * causing the plaintext data size to decrease. ++ * Therefore the encrypted data size also needs to ++ * correspondingly decrease. We only need to subtract ++ * delta to calculate the new ciphertext length since ++ * ktls does not support block encryption. ++ */ ++ struct sk_msg *enc = &ctx->open_rec->msg_encrypted; ++ ++ sk_msg_trim(sk, enc, enc->sg.size - delta); ++ } + } + if (msg->cork_bytes && msg->cork_bytes > msg->sg.size && + !enospc && !full_record) { +-- +2.39.5 + diff --git a/queue-6.15/bpf-preload-don-t-select-usermode_driver.patch b/queue-6.15/bpf-preload-don-t-select-usermode_driver.patch new file mode 100644 index 0000000000..bc5fb477c0 --- /dev/null +++ b/queue-6.15/bpf-preload-don-t-select-usermode_driver.patch @@ -0,0 +1,40 @@ +From 8f1a98cfe6458b2c9db6132c8983ee54ea8b67a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 11:04:41 +0200 +Subject: bpf/preload: Don't select USERMODE_DRIVER +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 2b03164eee20eac7ce0fe3aa4fbda7efc1e5427a ] + +The usermode driver framework is not used anymore by the BPF +preload code. + +Fixes: cb80ddc67152 ("bpf: Convert bpf_preload.ko to use light skeleton.") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Daniel Borkmann +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/bpf/20250721-remove-usermode-driver-v1-1-0d0083334382@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/bpf/preload/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/kernel/bpf/preload/Kconfig b/kernel/bpf/preload/Kconfig +index c9d45c9d6918..f9b11d01c3b5 100644 +--- a/kernel/bpf/preload/Kconfig ++++ b/kernel/bpf/preload/Kconfig +@@ -10,7 +10,6 @@ menuconfig BPF_PRELOAD + # The dependency on !COMPILE_TEST prevents it from being enabled + # in allmodconfig or allyesconfig configurations + depends on !COMPILE_TEST +- select USERMODE_DRIVER + help + This builds kernel module with several embedded BPF programs that are + pinned into BPF FS mount point as human readable files that are +-- +2.39.5 + diff --git a/queue-6.15/bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch b/queue-6.15/bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch new file mode 100644 index 0000000000..c2b9bc587c --- /dev/null +++ b/queue-6.15/bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch @@ -0,0 +1,82 @@ +From 73369a4d574815df9f666a5d7ee75a3ed8a56095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 10:59:08 +0800 +Subject: bpf, sockmap: Fix psock incorrectly pointing to sk + +From: Jiayuan Chen + +[ Upstream commit 76be5fae32febb1fdb848ba09f78c4b2c76cb337 ] + +We observed an issue from the latest selftest: sockmap_redir where +sk_psock(psock->sk) != psock in the backlog. The root cause is the special +behavior in sockmap_redir - it frequently performs map_update() and +map_delete() on the same socket. During map_update(), we create a new +psock and during map_delete(), we eventually free the psock via rcu_work +in sk_psock_drop(). However, pending workqueues might still exist and not +be processed yet. If users immediately perform another map_update(), a new +psock will be allocated for the same sk, resulting in two psocks pointing +to the same sk. + +When the pending workqueue is later triggered, it uses the old psock to +access sk for I/O operations, which is incorrect. + +Timing Diagram: + +cpu0 cpu1 + +map_update(sk): + sk->psock = psock1 + psock1->sk = sk +map_delete(sk): + rcu_work_free(psock1) + +map_update(sk): + sk->psock = psock2 + psock2->sk = sk + workqueue: + wakeup with psock1, but the sk of psock1 + doesn't belong to psock1 +rcu_handler: + clean psock1 + free(psock1) + +Previously, we used reference counting to address the concurrency issue +between backlog and sock_map_close(). This logic remains necessary as it +prevents the sk from being freed while processing the backlog. But this +patch prevents pending backlogs from using a psock after it has been +stopped. + +Note: We cannot call cancel_delayed_work_sync() in map_delete() since this +might be invoked in BPF context by BPF helper, and the function may sleep. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: Jiayuan Chen +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/bpf/20250609025908.79331-1-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 34c51eb1a14f..83c78379932e 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -656,6 +656,13 @@ static void sk_psock_backlog(struct work_struct *work) + bool ingress; + int ret; + ++ /* If sk is quickly removed from the map and then added back, the old ++ * psock should not be scheduled, because there are now two psocks ++ * pointing to the same sk. ++ */ ++ if (!sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) ++ return; ++ + /* Increment the psock refcnt to synchronize with close(fd) path in + * sock_map_close(), ensuring we wait for backlog thread completion + * before sk_socket freed. If refcnt increment fails, it indicates +-- +2.39.5 + diff --git a/queue-6.15/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch b/queue-6.15/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch new file mode 100644 index 0000000000..d5ed6e0c22 --- /dev/null +++ b/queue-6.15/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch @@ -0,0 +1,77 @@ +From 891c0cb2f5db2c7c4ee52cb10f89ab7bbaf9621f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:21:33 +0800 +Subject: bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure + +From: Yuan Chen + +[ Upstream commit 99fe8af069a9fa5b09140518b1364e35713a642e ] + +In function dump_xx_nlmsg(), when realloc() fails to allocate memory, +the original pointer to the buffer is overwritten with NULL. This causes +a memory leak because the previously allocated buffer becomes unreachable +without being freed. + +Fixes: 7900efc19214 ("tools/bpf: bpftool: improve output format for bpftool net") +Signed-off-by: Yuan Chen +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/r/20250620012133.14819-1-chenyuan_fl@163.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/net.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c +index 64f958f437b0..cfc6f944f7c3 100644 +--- a/tools/bpf/bpftool/net.c ++++ b/tools/bpf/bpftool/net.c +@@ -366,17 +366,18 @@ static int dump_link_nlmsg(void *cookie, void *msg, struct nlattr **tb) + { + struct bpf_netdev_t *netinfo = cookie; + struct ifinfomsg *ifinfo = msg; ++ struct ip_devname_ifindex *tmp; + + if (netinfo->filter_idx > 0 && netinfo->filter_idx != ifinfo->ifi_index) + return 0; + + if (netinfo->used_len == netinfo->array_len) { +- netinfo->devices = realloc(netinfo->devices, +- (netinfo->array_len + 16) * +- sizeof(struct ip_devname_ifindex)); +- if (!netinfo->devices) ++ tmp = realloc(netinfo->devices, ++ (netinfo->array_len + 16) * sizeof(struct ip_devname_ifindex)); ++ if (!tmp) + return -ENOMEM; + ++ netinfo->devices = tmp; + netinfo->array_len += 16; + } + netinfo->devices[netinfo->used_len].ifindex = ifinfo->ifi_index; +@@ -395,6 +396,7 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb) + { + struct bpf_tcinfo_t *tcinfo = cookie; + struct tcmsg *info = msg; ++ struct tc_kind_handle *tmp; + + if (tcinfo->is_qdisc) { + /* skip clsact qdisc */ +@@ -406,11 +408,12 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb) + } + + if (tcinfo->used_len == tcinfo->array_len) { +- tcinfo->handle_array = realloc(tcinfo->handle_array, ++ tmp = realloc(tcinfo->handle_array, + (tcinfo->array_len + 16) * sizeof(struct tc_kind_handle)); +- if (!tcinfo->handle_array) ++ if (!tmp) + return -ENOMEM; + ++ tcinfo->handle_array = tmp; + tcinfo->array_len += 16; + } + tcinfo->handle_array[tcinfo->used_len].handle = info->tcm_handle; +-- +2.39.5 + diff --git a/queue-6.15/btrfs-remove-partial-support-for-lowest-level-from-b.patch b/queue-6.15/btrfs-remove-partial-support-for-lowest-level-from-b.patch new file mode 100644 index 0000000000..b667673654 --- /dev/null +++ b/queue-6.15/btrfs-remove-partial-support-for-lowest-level-from-b.patch @@ -0,0 +1,107 @@ +From d7faaebed91aad477f3d6e3c1889d0cbd2c098be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 16:32:23 +0800 +Subject: btrfs: remove partial support for lowest level from + btrfs_search_forward() + +From: Sun YangKai + +[ Upstream commit 27260dd1904bb409cf84709928ba9bc5506fbe8e ] + +Commit 323ac95bce44 ("Btrfs: don't read leaf blocks containing only +checksums during truncate") changed the condition from `level == 0` to +`level == path->lowest_level`, while its original purpose was just to do +some leaf node handling (calling btrfs_item_key_to_cpu()) and skip some +code that doesn't fit leaf nodes. + +After changing the condition, the code path: + +1. Also handles the non-leaf nodes when path->lowest_level is nonzero, + which is wrong. However btrfs_search_forward() is never called with a + nonzero path->lowest_level, which makes this bug not found before. + +2. Makes the later if block with the same condition, which was originally + used to handle non-leaf node (calling btrfs_node_key_to_cpu()) when + lowest_level is not zero, dead code. + +Since btrfs_search_forward() is never called for a path with a +lowest_level different from zero, just completely remove the partial +support for a non-zero lowest_level, simplifying a bit the code, and +assert that lowest_level is zero at the start of the function. + +Suggested-by: Qu Wenruo +Fixes: 323ac95bce44 ("Btrfs: don't read leaf blocks containing only checksums during truncate") +Reviewed-by: Filipe Manana +Signed-off-by: Sun YangKai +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 18 +++++------------- + 1 file changed, 5 insertions(+), 13 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index a2e7979372cc..648531fe0900 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -4585,16 +4585,13 @@ int btrfs_del_items(struct btrfs_trans_handle *trans, struct btrfs_root *root, + + /* + * A helper function to walk down the tree starting at min_key, and looking +- * for nodes or leaves that are have a minimum transaction id. ++ * for leaves that have a minimum transaction id. + * This is used by the btree defrag code, and tree logging + * + * This does not cow, but it does stuff the starting key it finds back + * into min_key, so you can call btrfs_search_slot with cow=1 on the + * key and get a writable path. + * +- * This honors path->lowest_level to prevent descent past a given level +- * of the tree. +- * + * min_trans indicates the oldest transaction that you are interested + * in walking through. Any nodes or leaves older than min_trans are + * skipped over (without reading them). +@@ -4615,6 +4612,7 @@ int btrfs_search_forward(struct btrfs_root *root, struct btrfs_key *min_key, + int keep_locks = path->keep_locks; + + ASSERT(!path->nowait); ++ ASSERT(path->lowest_level == 0); + path->keep_locks = 1; + again: + cur = btrfs_read_lock_root_node(root); +@@ -4636,8 +4634,8 @@ int btrfs_search_forward(struct btrfs_root *root, struct btrfs_key *min_key, + goto out; + } + +- /* at the lowest level, we're done, setup the path and exit */ +- if (level == path->lowest_level) { ++ /* At level 0 we're done, setup the path and exit. */ ++ if (level == 0) { + if (slot >= nritems) + goto find_next_key; + ret = 0; +@@ -4678,12 +4676,6 @@ int btrfs_search_forward(struct btrfs_root *root, struct btrfs_key *min_key, + goto out; + } + } +- if (level == path->lowest_level) { +- ret = 0; +- /* Save our key for returning back. */ +- btrfs_node_key_to_cpu(cur, min_key, slot); +- goto out; +- } + cur = btrfs_read_node_slot(cur, slot); + if (IS_ERR(cur)) { + ret = PTR_ERR(cur); +@@ -4699,7 +4691,7 @@ int btrfs_search_forward(struct btrfs_root *root, struct btrfs_key *min_key, + out: + path->keep_locks = keep_locks; + if (ret == 0) +- btrfs_unlock_up_safe(path, path->lowest_level + 1); ++ btrfs_unlock_up_safe(path, 1); + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.15/bus-mhi-host-pci_generic-fix-the-modem-name-of-foxco.patch b/queue-6.15/bus-mhi-host-pci_generic-fix-the-modem-name-of-foxco.patch new file mode 100644 index 0000000000..05c1022121 --- /dev/null +++ b/queue-6.15/bus-mhi-host-pci_generic-fix-the-modem-name-of-foxco.patch @@ -0,0 +1,52 @@ +From ba558be2d5694d6762920f3763df6cdf524e5124 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 17:50:19 +0800 +Subject: bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640 + +From: Slark Xiao + +[ Upstream commit ae5a34264354087aef38cdd07961827482a51c5a ] + +T99W640 was mistakenly mentioned as T99W515. T99W515 is a LGA device, not +a M.2 modem device. So correct it's name to avoid name mismatch issue. + +Fixes: bf30a75e6e00 ("bus: mhi: host: Add support for Foxconn SDX72 modems") +Signed-off-by: Slark Xiao +[mani: commit message fixup] +Signed-off-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20250606095019.383992-1-slark_xiao@163.com +Signed-off-by: Sasha Levin +--- + drivers/bus/mhi/host/pci_generic.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/bus/mhi/host/pci_generic.c b/drivers/bus/mhi/host/pci_generic.c +index 059cfd77382f..cd274f4dae93 100644 +--- a/drivers/bus/mhi/host/pci_generic.c ++++ b/drivers/bus/mhi/host/pci_generic.c +@@ -593,8 +593,8 @@ static const struct mhi_pci_dev_info mhi_foxconn_dw5932e_info = { + .sideband_wake = false, + }; + +-static const struct mhi_pci_dev_info mhi_foxconn_t99w515_info = { +- .name = "foxconn-t99w515", ++static const struct mhi_pci_dev_info mhi_foxconn_t99w640_info = { ++ .name = "foxconn-t99w640", + .edl = "qcom/sdx72m/foxconn/edl.mbn", + .edl_trigger = true, + .config = &modem_foxconn_sdx72_config, +@@ -920,9 +920,9 @@ static const struct pci_device_id mhi_pci_id_table[] = { + /* DW5932e (sdx62), Non-eSIM */ + { PCI_DEVICE(PCI_VENDOR_ID_FOXCONN, 0xe0f9), + .driver_data = (kernel_ulong_t) &mhi_foxconn_dw5932e_info }, +- /* T99W515 (sdx72) */ ++ /* T99W640 (sdx72) */ + { PCI_DEVICE(PCI_VENDOR_ID_FOXCONN, 0xe118), +- .driver_data = (kernel_ulong_t) &mhi_foxconn_t99w515_info }, ++ .driver_data = (kernel_ulong_t) &mhi_foxconn_t99w640_info }, + /* DW5934e(sdx72), With eSIM */ + { PCI_DEVICE(PCI_VENDOR_ID_FOXCONN, 0xe11d), + .driver_data = (kernel_ulong_t) &mhi_foxconn_dw5934e_info }, +-- +2.39.5 + diff --git a/queue-6.15/caif-reduce-stack-size-again.patch b/queue-6.15/caif-reduce-stack-size-again.patch new file mode 100644 index 0000000000..effb6723a2 --- /dev/null +++ b/queue-6.15/caif-reduce-stack-size-again.patch @@ -0,0 +1,359 @@ +From 78577b1695b9a7f45a9b0cf67495e350ebcabe54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:22:39 +0200 +Subject: caif: reduce stack size, again + +From: Arnd Bergmann + +[ Upstream commit b630c781bcf6ff87657146661816d0d30a902139 ] + +I tried to fix the stack usage in this function a couple of years ago, +but there is still a problem with the latest gcc versions in some +configurations: + +net/caif/cfctrl.c:553:1: error: the frame size of 1296 bytes is larger than 1280 bytes [-Werror=frame-larger-than=] + +Reduce this once again, with a separate cfctrl_link_setup() function that +holds the bulk of all the local variables. It also turns out that the +param[] array that takes up a large portion of the stack is write-only +and can be left out here. + +Fixes: ce6289661b14 ("caif: reduce stack size with KASAN") +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20250620112244.3425554-1-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/caif/cfctrl.c | 294 +++++++++++++++++++++++----------------------- + 1 file changed, 144 insertions(+), 150 deletions(-) + +diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c +index 20139fa1be1f..06b604cf9d58 100644 +--- a/net/caif/cfctrl.c ++++ b/net/caif/cfctrl.c +@@ -351,17 +351,154 @@ int cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer) + return found; + } + ++static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp) ++{ ++ u8 len; ++ u8 linkid = 0; ++ enum cfctrl_srv serv; ++ enum cfctrl_srv servtype; ++ u8 endpoint; ++ u8 physlinkid; ++ u8 prio; ++ u8 tmp; ++ u8 *cp; ++ int i; ++ struct cfctrl_link_param linkparam; ++ struct cfctrl_request_info rsp, *req; ++ ++ memset(&linkparam, 0, sizeof(linkparam)); ++ ++ tmp = cfpkt_extr_head_u8(pkt); ++ ++ serv = tmp & CFCTRL_SRV_MASK; ++ linkparam.linktype = serv; ++ ++ servtype = tmp >> 4; ++ linkparam.chtype = servtype; ++ ++ tmp = cfpkt_extr_head_u8(pkt); ++ physlinkid = tmp & 0x07; ++ prio = tmp >> 3; ++ ++ linkparam.priority = prio; ++ linkparam.phyid = physlinkid; ++ endpoint = cfpkt_extr_head_u8(pkt); ++ linkparam.endpoint = endpoint & 0x03; ++ ++ switch (serv) { ++ case CFCTRL_SRV_VEI: ++ case CFCTRL_SRV_DBG: ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ break; ++ case CFCTRL_SRV_VIDEO: ++ tmp = cfpkt_extr_head_u8(pkt); ++ linkparam.u.video.connid = tmp; ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ break; ++ ++ case CFCTRL_SRV_DATAGRAM: ++ linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt); ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ break; ++ case CFCTRL_SRV_RFM: ++ /* Construct a frame, convert ++ * DatagramConnectionID ++ * to network format long and copy it out... ++ */ ++ linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt); ++ cp = (u8 *) linkparam.u.rfm.volume; ++ for (tmp = cfpkt_extr_head_u8(pkt); ++ cfpkt_more(pkt) && tmp != '\0'; ++ tmp = cfpkt_extr_head_u8(pkt)) ++ *cp++ = tmp; ++ *cp = '\0'; ++ ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ ++ break; ++ case CFCTRL_SRV_UTIL: ++ /* Construct a frame, convert ++ * DatagramConnectionID ++ * to network format long and copy it out... ++ */ ++ /* Fifosize KB */ ++ linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt); ++ /* Fifosize bufs */ ++ linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt); ++ /* name */ ++ cp = (u8 *) linkparam.u.utility.name; ++ caif_assert(sizeof(linkparam.u.utility.name) ++ >= UTILITY_NAME_LENGTH); ++ for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) { ++ tmp = cfpkt_extr_head_u8(pkt); ++ *cp++ = tmp; ++ } ++ /* Length */ ++ len = cfpkt_extr_head_u8(pkt); ++ linkparam.u.utility.paramlen = len; ++ /* Param Data */ ++ cp = linkparam.u.utility.params; ++ while (cfpkt_more(pkt) && len--) { ++ tmp = cfpkt_extr_head_u8(pkt); ++ *cp++ = tmp; ++ } ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ /* Length */ ++ len = cfpkt_extr_head_u8(pkt); ++ /* Param Data */ ++ cfpkt_extr_head(pkt, NULL, len); ++ break; ++ default: ++ pr_warn("Request setup, invalid type (%d)\n", serv); ++ return -1; ++ } ++ ++ rsp.cmd = CFCTRL_CMD_LINK_SETUP; ++ rsp.param = linkparam; ++ spin_lock_bh(&cfctrl->info_list_lock); ++ req = cfctrl_remove_req(cfctrl, &rsp); ++ ++ if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) || ++ cfpkt_erroneous(pkt)) { ++ pr_err("Invalid O/E bit or parse error " ++ "on CAIF control channel\n"); ++ cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0, ++ req ? req->client_layer : NULL); ++ } else { ++ cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid, ++ serv, physlinkid, ++ req ? req->client_layer : NULL); ++ } ++ ++ kfree(req); ++ ++ spin_unlock_bh(&cfctrl->info_list_lock); ++ ++ return 0; ++} ++ + static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + { + u8 cmdrsp; + u8 cmd; +- int ret = -1; +- u8 len; +- u8 param[255]; ++ int ret = 0; + u8 linkid = 0; + struct cfctrl *cfctrl = container_obj(layer); +- struct cfctrl_request_info rsp, *req; +- + + cmdrsp = cfpkt_extr_head_u8(pkt); + cmd = cmdrsp & CFCTRL_CMD_MASK; +@@ -374,150 +511,7 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + + switch (cmd) { + case CFCTRL_CMD_LINK_SETUP: +- { +- enum cfctrl_srv serv; +- enum cfctrl_srv servtype; +- u8 endpoint; +- u8 physlinkid; +- u8 prio; +- u8 tmp; +- u8 *cp; +- int i; +- struct cfctrl_link_param linkparam; +- memset(&linkparam, 0, sizeof(linkparam)); +- +- tmp = cfpkt_extr_head_u8(pkt); +- +- serv = tmp & CFCTRL_SRV_MASK; +- linkparam.linktype = serv; +- +- servtype = tmp >> 4; +- linkparam.chtype = servtype; +- +- tmp = cfpkt_extr_head_u8(pkt); +- physlinkid = tmp & 0x07; +- prio = tmp >> 3; +- +- linkparam.priority = prio; +- linkparam.phyid = physlinkid; +- endpoint = cfpkt_extr_head_u8(pkt); +- linkparam.endpoint = endpoint & 0x03; +- +- switch (serv) { +- case CFCTRL_SRV_VEI: +- case CFCTRL_SRV_DBG: +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- break; +- case CFCTRL_SRV_VIDEO: +- tmp = cfpkt_extr_head_u8(pkt); +- linkparam.u.video.connid = tmp; +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- break; +- +- case CFCTRL_SRV_DATAGRAM: +- linkparam.u.datagram.connid = +- cfpkt_extr_head_u32(pkt); +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- break; +- case CFCTRL_SRV_RFM: +- /* Construct a frame, convert +- * DatagramConnectionID +- * to network format long and copy it out... +- */ +- linkparam.u.rfm.connid = +- cfpkt_extr_head_u32(pkt); +- cp = (u8 *) linkparam.u.rfm.volume; +- for (tmp = cfpkt_extr_head_u8(pkt); +- cfpkt_more(pkt) && tmp != '\0'; +- tmp = cfpkt_extr_head_u8(pkt)) +- *cp++ = tmp; +- *cp = '\0'; +- +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- +- break; +- case CFCTRL_SRV_UTIL: +- /* Construct a frame, convert +- * DatagramConnectionID +- * to network format long and copy it out... +- */ +- /* Fifosize KB */ +- linkparam.u.utility.fifosize_kb = +- cfpkt_extr_head_u16(pkt); +- /* Fifosize bufs */ +- linkparam.u.utility.fifosize_bufs = +- cfpkt_extr_head_u16(pkt); +- /* name */ +- cp = (u8 *) linkparam.u.utility.name; +- caif_assert(sizeof(linkparam.u.utility.name) +- >= UTILITY_NAME_LENGTH); +- for (i = 0; +- i < UTILITY_NAME_LENGTH +- && cfpkt_more(pkt); i++) { +- tmp = cfpkt_extr_head_u8(pkt); +- *cp++ = tmp; +- } +- /* Length */ +- len = cfpkt_extr_head_u8(pkt); +- linkparam.u.utility.paramlen = len; +- /* Param Data */ +- cp = linkparam.u.utility.params; +- while (cfpkt_more(pkt) && len--) { +- tmp = cfpkt_extr_head_u8(pkt); +- *cp++ = tmp; +- } +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- /* Length */ +- len = cfpkt_extr_head_u8(pkt); +- /* Param Data */ +- cfpkt_extr_head(pkt, ¶m, len); +- break; +- default: +- pr_warn("Request setup, invalid type (%d)\n", +- serv); +- goto error; +- } +- +- rsp.cmd = cmd; +- rsp.param = linkparam; +- spin_lock_bh(&cfctrl->info_list_lock); +- req = cfctrl_remove_req(cfctrl, &rsp); +- +- if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) || +- cfpkt_erroneous(pkt)) { +- pr_err("Invalid O/E bit or parse error " +- "on CAIF control channel\n"); +- cfctrl->res.reject_rsp(cfctrl->serv.layer.up, +- 0, +- req ? req->client_layer +- : NULL); +- } else { +- cfctrl->res.linksetup_rsp(cfctrl->serv. +- layer.up, linkid, +- serv, physlinkid, +- req ? req-> +- client_layer : NULL); +- } +- +- kfree(req); +- +- spin_unlock_bh(&cfctrl->info_list_lock); +- } ++ ret = cfctrl_link_setup(cfctrl, pkt, cmdrsp); + break; + case CFCTRL_CMD_LINK_DESTROY: + linkid = cfpkt_extr_head_u8(pkt); +@@ -544,9 +538,9 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + break; + default: + pr_err("Unrecognized Control Frame\n"); ++ ret = -1; + goto error; + } +- ret = 0; + error: + cfpkt_destroy(pkt); + return ret; +-- +2.39.5 + diff --git a/queue-6.15/can-kvaser_pciefd-store-device-channel-index.patch b/queue-6.15/can-kvaser_pciefd-store-device-channel-index.patch new file mode 100644 index 0000000000..949887e168 --- /dev/null +++ b/queue-6.15/can-kvaser_pciefd-store-device-channel-index.patch @@ -0,0 +1,36 @@ +From 3405fbd956ea0f79ffca0b41fd8f1794844db94c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:32:25 +0200 +Subject: can: kvaser_pciefd: Store device channel index + +From: Jimmy Assarsson + +[ Upstream commit d54b16b40ddadb7d0a77fff48af7b319a0cd6aae ] + +Store device channel index in netdev.dev_port. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Reviewed-by: Vincent Mailhol +Signed-off-by: Jimmy Assarsson +Link: https://patch.msgid.link/20250725123230.8-6-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/kvaser_pciefd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index 0071a51ce2c1..879b3ea6e9b0 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -981,6 +981,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) + can->completed_tx_bytes = 0; + can->bec.txerr = 0; + can->bec.rxerr = 0; ++ can->can.dev->dev_port = i; + + init_completion(&can->start_comp); + init_completion(&can->flush_comp); +-- +2.39.5 + diff --git a/queue-6.15/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch b/queue-6.15/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch new file mode 100644 index 0000000000..61baea96fb --- /dev/null +++ b/queue-6.15/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch @@ -0,0 +1,39 @@ +From e64fa35c135ff07c426758a2c5e413d62c597b9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:34:44 +0200 +Subject: can: kvaser_usb: Assign netdev.dev_port based on device channel index + +From: Jimmy Assarsson + +[ Upstream commit c151b06a087a61c7a1790b75ee2f1d6edb6a8a45 ] + +Assign netdev.dev_port based on the device channel index, to indicate the +port number of the network device. +While this driver already uses netdev.dev_id for that purpose, dev_port is +more appropriate. However, retain dev_id to avoid potential regressions. + +Fixes: 3e66d0138c05 ("can: populate netdev::dev_id for udev discrimination") +Reviewed-by: Vincent Mailhol +Signed-off-by: Jimmy Assarsson +Link: https://patch.msgid.link/20250725123452.41-4-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +index dcb0bcbe0565..f73ccbc3140a 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +@@ -852,6 +852,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel) + netdev->ethtool_ops = &kvaser_usb_ethtool_ops; + SET_NETDEV_DEV(netdev, &dev->intf->dev); + netdev->dev_id = channel; ++ netdev->dev_port = channel; + + dev->nets[channel] = priv; + +-- +2.39.5 + diff --git a/queue-6.15/can-peak_usb-fix-usb-fd-devices-potential-malfunctio.patch b/queue-6.15/can-peak_usb-fix-usb-fd-devices-potential-malfunctio.patch new file mode 100644 index 0000000000..c3c2db5f66 --- /dev/null +++ b/queue-6.15/can-peak_usb-fix-usb-fd-devices-potential-malfunctio.patch @@ -0,0 +1,74 @@ +From 0700c18bb6e5ba4619cfea7279469805b679d2a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jul 2025 10:13:19 +0200 +Subject: can: peak_usb: fix USB FD devices potential malfunction + +From: Stephane Grosjean + +[ Upstream commit 788199b73b6efe4ee2ade4d7457b50bb45493488 ] + +The latest firmware versions of USB CAN FD interfaces export the EP numbers +to be used to dialog with the device via the "type" field of a response to +a vendor request structure, particularly when its value is greater than or +equal to 2. + +Correct the driver's test of this field. + +Fixes: 4f232482467a ("can: peak_usb: include support for a new MCU") +Signed-off-by: Stephane Grosjean +Link: https://patch.msgid.link/20250724081550.11694-1-stephane.grosjean@free.fr +Reviewed-by: Vincent Mailhol +[mkl: rephrase commit message] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +index 4d85b29a17b7..ebefc274b50a 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -49,7 +49,7 @@ struct __packed pcan_ufd_fw_info { + __le32 ser_no; /* S/N */ + __le32 flags; /* special functions */ + +- /* extended data when type == PCAN_USBFD_TYPE_EXT */ ++ /* extended data when type >= PCAN_USBFD_TYPE_EXT */ + u8 cmd_out_ep; /* ep for cmd */ + u8 cmd_in_ep; /* ep for replies */ + u8 data_out_ep[2]; /* ep for CANx TX */ +@@ -982,10 +982,11 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev) + dev->can.ctrlmode |= CAN_CTRLMODE_FD_NON_ISO; + } + +- /* if vendor rsp is of type 2, then it contains EP numbers to +- * use for cmds pipes. If not, then default EP should be used. ++ /* if vendor rsp type is greater than or equal to 2, then it ++ * contains EP numbers to use for cmds pipes. If not, then ++ * default EP should be used. + */ +- if (fw_info->type != cpu_to_le16(PCAN_USBFD_TYPE_EXT)) { ++ if (le16_to_cpu(fw_info->type) < PCAN_USBFD_TYPE_EXT) { + fw_info->cmd_out_ep = PCAN_USBPRO_EP_CMDOUT; + fw_info->cmd_in_ep = PCAN_USBPRO_EP_CMDIN; + } +@@ -1018,11 +1019,11 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev) + dev->can_channel_id = + le32_to_cpu(pdev->usb_if->fw_info.dev_id[dev->ctrl_idx]); + +- /* if vendor rsp is of type 2, then it contains EP numbers to +- * use for data pipes. If not, then statically defined EP are used +- * (see peak_usb_create_dev()). ++ /* if vendor rsp type is greater than or equal to 2, then it contains EP ++ * numbers to use for data pipes. If not, then statically defined EP are ++ * used (see peak_usb_create_dev()). + */ +- if (fw_info->type == cpu_to_le16(PCAN_USBFD_TYPE_EXT)) { ++ if (le16_to_cpu(fw_info->type) >= PCAN_USBFD_TYPE_EXT) { + dev->ep_msg_in = fw_info->data_in_ep; + dev->ep_msg_out = fw_info->data_out_ep[dev->ctrl_idx]; + } +-- +2.39.5 + diff --git a/queue-6.15/ceph-parse_longname-strrchr-expects-nul-terminated-s.patch b/queue-6.15/ceph-parse_longname-strrchr-expects-nul-terminated-s.patch new file mode 100644 index 0000000000..838ad8f3ed --- /dev/null +++ b/queue-6.15/ceph-parse_longname-strrchr-expects-nul-terminated-s.patch @@ -0,0 +1,90 @@ +From fa0ed5ee991cc31964420652f386dd86c34bdbf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 17:57:17 -0500 +Subject: [ceph] parse_longname(): strrchr() expects NUL-terminated string + +From: Al Viro + +[ Upstream commit 101841c38346f4ca41dc1802c867da990ffb32eb ] + +... and parse_longname() is not guaranteed that. That's the reason +why it uses kmemdup_nul() to build the argument for kstrtou64(); +the problem is, kstrtou64() is not the only thing that need it. + +Just get a NUL-terminated copy of the entire thing and be done +with that... + +Fixes: dd66df0053ef "ceph: add support for encrypted snapshot names" +Tested-by: Viacheslav Dubeyko +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/ceph/crypto.c | 31 ++++++++++++------------------- + 1 file changed, 12 insertions(+), 19 deletions(-) + +diff --git a/fs/ceph/crypto.c b/fs/ceph/crypto.c +index 3b3c4d8d401e..9c7062245880 100644 +--- a/fs/ceph/crypto.c ++++ b/fs/ceph/crypto.c +@@ -215,35 +215,31 @@ static struct inode *parse_longname(const struct inode *parent, + struct ceph_client *cl = ceph_inode_to_client(parent); + struct inode *dir = NULL; + struct ceph_vino vino = { .snap = CEPH_NOSNAP }; +- char *inode_number; +- char *name_end; +- int orig_len = *name_len; ++ char *name_end, *inode_number; + int ret = -EIO; +- ++ /* NUL-terminate */ ++ char *str __free(kfree) = kmemdup_nul(name, *name_len, GFP_KERNEL); ++ if (!str) ++ return ERR_PTR(-ENOMEM); + /* Skip initial '_' */ +- name++; +- name_end = strrchr(name, '_'); ++ str++; ++ name_end = strrchr(str, '_'); + if (!name_end) { +- doutc(cl, "failed to parse long snapshot name: %s\n", name); ++ doutc(cl, "failed to parse long snapshot name: %s\n", str); + return ERR_PTR(-EIO); + } +- *name_len = (name_end - name); ++ *name_len = (name_end - str); + if (*name_len <= 0) { + pr_err_client(cl, "failed to parse long snapshot name\n"); + return ERR_PTR(-EIO); + } + + /* Get the inode number */ +- inode_number = kmemdup_nul(name_end + 1, +- orig_len - *name_len - 2, +- GFP_KERNEL); +- if (!inode_number) +- return ERR_PTR(-ENOMEM); ++ inode_number = name_end + 1; + ret = kstrtou64(inode_number, 10, &vino.ino); + if (ret) { +- doutc(cl, "failed to parse inode number: %s\n", name); +- dir = ERR_PTR(ret); +- goto out; ++ doutc(cl, "failed to parse inode number: %s\n", str); ++ return ERR_PTR(ret); + } + + /* And finally the inode */ +@@ -254,9 +250,6 @@ static struct inode *parse_longname(const struct inode *parent, + if (IS_ERR(dir)) + doutc(cl, "can't find inode %s (%s)\n", inode_number, name); + } +- +-out: +- kfree(inode_number); + return dir; + } + +-- +2.39.5 + diff --git a/queue-6.15/clk-at91-sam9x7-update-pll-clk-ranges.patch b/queue-6.15/clk-at91-sam9x7-update-pll-clk-ranges.patch new file mode 100644 index 0000000000..0846a6020f --- /dev/null +++ b/queue-6.15/clk-at91-sam9x7-update-pll-clk-ranges.patch @@ -0,0 +1,86 @@ +From 764b543f846933b8213d54122aa82824d32652dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 15:05:12 +0530 +Subject: clk: at91: sam9x7: update pll clk ranges + +From: Varshini Rajendran + +[ Upstream commit c7f7ddbd27d55fa552a7269b7bae539adc2a3d46 ] + +Update the min, max ranges of the PLL clocks according to the latest +datasheet to be coherent in the driver. This patch solves the issues in +configuring the clocks related to peripherals with the desired frequency +within the range. + +Fixes: 33013b43e271 ("clk: at91: sam9x7: add sam9x7 pmc driver") +Suggested-by: Patrice Vilchez +Signed-off-by: Varshini Rajendran +Link: https://lore.kernel.org/r/20250714093512.29944-1-varshini.rajendran@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/sam9x7.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/clk/at91/sam9x7.c b/drivers/clk/at91/sam9x7.c +index cbb8b220f16b..ffab32b047a0 100644 +--- a/drivers/clk/at91/sam9x7.c ++++ b/drivers/clk/at91/sam9x7.c +@@ -61,44 +61,44 @@ static const struct clk_master_layout sam9x7_master_layout = { + + /* Fractional PLL core output range. */ + static const struct clk_range plla_core_outputs[] = { +- { .min = 375000000, .max = 1600000000 }, ++ { .min = 800000000, .max = 1600000000 }, + }; + + static const struct clk_range upll_core_outputs[] = { +- { .min = 600000000, .max = 1200000000 }, ++ { .min = 600000000, .max = 960000000 }, + }; + + static const struct clk_range lvdspll_core_outputs[] = { +- { .min = 400000000, .max = 800000000 }, ++ { .min = 600000000, .max = 1200000000 }, + }; + + static const struct clk_range audiopll_core_outputs[] = { +- { .min = 400000000, .max = 800000000 }, ++ { .min = 600000000, .max = 1200000000 }, + }; + + static const struct clk_range plladiv2_core_outputs[] = { +- { .min = 375000000, .max = 1600000000 }, ++ { .min = 800000000, .max = 1600000000 }, + }; + + /* Fractional PLL output range. */ + static const struct clk_range plla_outputs[] = { +- { .min = 732421, .max = 800000000 }, ++ { .min = 400000000, .max = 800000000 }, + }; + + static const struct clk_range upll_outputs[] = { +- { .min = 300000000, .max = 600000000 }, ++ { .min = 300000000, .max = 480000000 }, + }; + + static const struct clk_range lvdspll_outputs[] = { +- { .min = 10000000, .max = 800000000 }, ++ { .min = 175000000, .max = 550000000 }, + }; + + static const struct clk_range audiopll_outputs[] = { +- { .min = 10000000, .max = 800000000 }, ++ { .min = 0, .max = 300000000 }, + }; + + static const struct clk_range plladiv2_outputs[] = { +- { .min = 366210, .max = 400000000 }, ++ { .min = 200000000, .max = 400000000 }, + }; + + /* PLL characteristics. */ +-- +2.39.5 + diff --git a/queue-6.15/clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch b/queue-6.15/clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch new file mode 100644 index 0000000000..4773bcbd58 --- /dev/null +++ b/queue-6.15/clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch @@ -0,0 +1,43 @@ +From 9153438b8059f8c3d556f5f5c2cbf85f3dae4701 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 16:41:06 +0100 +Subject: clk: clk-axi-clkgen: fix fpfd_max frequency for zynq +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit ce8a9096699500e2c5bca09dde27b16edda5f636 ] + +The fpfd_max frequency should be set to 450 MHz instead of 300 MHz. +Well, it actually depends on the platform speed grade but we are being +conservative for ultrascale so let's be consistent. In a following +change we will set these limits at runtime. + +Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20250519-dev-axi-clkgen-limits-v6-1-bc4b3b61d1d4@analog.com +Reviewed-by: David Lechner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-axi-clkgen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-axi-clkgen.c b/drivers/clk/clk-axi-clkgen.c +index 934e53a96ddd..00bf799964c6 100644 +--- a/drivers/clk/clk-axi-clkgen.c ++++ b/drivers/clk/clk-axi-clkgen.c +@@ -118,7 +118,7 @@ static const struct axi_clkgen_limits axi_clkgen_zynqmp_default_limits = { + + static const struct axi_clkgen_limits axi_clkgen_zynq_default_limits = { + .fpfd_min = 10000, +- .fpfd_max = 300000, ++ .fpfd_max = 450000, + .fvco_min = 600000, + .fvco_max = 1200000, + }; +-- +2.39.5 + diff --git a/queue-6.15/clk-clocking-wizard-fix-the-round-rate-handling-for-.patch b/queue-6.15/clk-clocking-wizard-fix-the-round-rate-handling-for-.patch new file mode 100644 index 0000000000..c015269121 --- /dev/null +++ b/queue-6.15/clk-clocking-wizard-fix-the-round-rate-handling-for-.patch @@ -0,0 +1,38 @@ +From de678baff101d242d99119d8f8e006af1a6b50b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 11:11:14 +0530 +Subject: clk: clocking-wizard: Fix the round rate handling for versal + +From: Shubhrajyoti Datta + +[ Upstream commit 7f5e9ca0a424af44a708bb4727624d56f83ecffa ] + +Fix the `clk_round_rate` implementation for Versal platforms by calling +the Versal-specific divider calculation helper. The existing code used +the generic divider routine, which results in incorrect round rate. + +Fixes: 7681f64e6404 ("clk: clocking-wizard: calculate dividers fractional parts") +Signed-off-by: Shubhrajyoti Datta +Link: https://lore.kernel.org/r/20250625054114.28273-1-shubhrajyoti.datta@amd.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/xilinx/clk-xlnx-clock-wizard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/xilinx/clk-xlnx-clock-wizard.c b/drivers/clk/xilinx/clk-xlnx-clock-wizard.c +index bbf7714480e7..0295a13a811c 100644 +--- a/drivers/clk/xilinx/clk-xlnx-clock-wizard.c ++++ b/drivers/clk/xilinx/clk-xlnx-clock-wizard.c +@@ -669,7 +669,7 @@ static long clk_wzrd_ver_round_rate_all(struct clk_hw *hw, unsigned long rate, + u32 m, d, o, div, f; + int err; + +- err = clk_wzrd_get_divisors(hw, rate, *prate); ++ err = clk_wzrd_get_divisors_ver(hw, rate, *prate); + if (err) + return err; + +-- +2.39.5 + diff --git a/queue-6.15/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch b/queue-6.15/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch new file mode 100644 index 0000000000..f351a7c997 --- /dev/null +++ b/queue-6.15/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch @@ -0,0 +1,45 @@ +From 6783c0f95a8f34110481c46f54bd3cc98504cb9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 21:13:41 +0800 +Subject: clk: davinci: Add NULL check in davinci_lpsc_clk_register() + +From: Henry Martin + +[ Upstream commit 13de464f445d42738fe18c9a28bab056ba3a290a ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +davinci_lpsc_clk_register() does not check for this case, which results +in a NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue and ensuring +no resources are left allocated. + +Fixes: c6ed4d734bc7 ("clk: davinci: New driver for davinci PSC clocks") +Signed-off-by: Henry Martin +Link: https://lore.kernel.org/r/20250401131341.26800-1-bsdhenrymartin@gmail.com +Reviewed-by: David Lechner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/davinci/psc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/clk/davinci/psc.c b/drivers/clk/davinci/psc.c +index b48322176c21..f3ee9397bb0c 100644 +--- a/drivers/clk/davinci/psc.c ++++ b/drivers/clk/davinci/psc.c +@@ -277,6 +277,11 @@ davinci_lpsc_clk_register(struct device *dev, const char *name, + + lpsc->pm_domain.name = devm_kasprintf(dev, GFP_KERNEL, "%s: %s", + best_dev_name(dev), name); ++ if (!lpsc->pm_domain.name) { ++ clk_hw_unregister(&lpsc->hw); ++ kfree(lpsc); ++ return ERR_PTR(-ENOMEM); ++ } + lpsc->pm_domain.attach_dev = davinci_psc_genpd_attach_dev; + lpsc->pm_domain.detach_dev = davinci_psc_genpd_detach_dev; + lpsc->pm_domain.flags = GENPD_FLAG_PM_CLK; +-- +2.39.5 + diff --git a/queue-6.15/clk-imx95-blk-ctl-fix-synchronous-abort.patch b/queue-6.15/clk-imx95-blk-ctl-fix-synchronous-abort.patch new file mode 100644 index 0000000000..e474b2d81a --- /dev/null +++ b/queue-6.15/clk-imx95-blk-ctl-fix-synchronous-abort.patch @@ -0,0 +1,86 @@ +From 38e56d9eb394dd51aa210f4b9057a46402e516de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 10:24:38 +0800 +Subject: clk: imx95-blk-ctl: Fix synchronous abort + +From: Laurentiu Palcu + +[ Upstream commit b08217a257215ed9130fce93d35feba66b49bf0a ] + +When enabling runtime PM for clock suppliers that also belong to a power +domain, the following crash is thrown: +error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP +Workqueue: events_unbound deferred_probe_work_func +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : clk_mux_get_parent+0x60/0x90 +lr : clk_core_reparent_orphans_nolock+0x58/0xd8 + Call trace: + clk_mux_get_parent+0x60/0x90 + clk_core_reparent_orphans_nolock+0x58/0xd8 + of_clk_add_hw_provider.part.0+0x90/0x100 + of_clk_add_hw_provider+0x1c/0x38 + imx95_bc_probe+0x2e0/0x3f0 + platform_probe+0x70/0xd8 + +Enabling runtime PM without explicitly resuming the device caused +the power domain cut off after clk_register() is called. As a result, +a crash happens when the clock hardware provider is added and attempts +to access the BLK_CTL register. + +Fix this by using devm_pm_runtime_enable() instead of pm_runtime_enable() +and getting rid of the pm_runtime_disable() in the cleanup path. + +Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver") +Reviewed-by: Frank Li +Reviewed-by: Abel Vesa +Signed-off-by: Laurentiu Palcu +Signed-off-by: Peng Fan +Link: https://lore.kernel.org/r/20250707-imx95-blk-ctl-7-1-v3-2-c1b676ec13be@nxp.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx95-blk-ctl.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c +index cc2ee2be1819..86bdcd217531 100644 +--- a/drivers/clk/imx/clk-imx95-blk-ctl.c ++++ b/drivers/clk/imx/clk-imx95-blk-ctl.c +@@ -342,8 +342,10 @@ static int imx95_bc_probe(struct platform_device *pdev) + if (!clk_hw_data) + return -ENOMEM; + +- if (bc_data->rpm_enabled) +- pm_runtime_enable(&pdev->dev); ++ if (bc_data->rpm_enabled) { ++ devm_pm_runtime_enable(&pdev->dev); ++ pm_runtime_resume_and_get(&pdev->dev); ++ } + + clk_hw_data->num = bc_data->num_clks; + hws = clk_hw_data->hws; +@@ -383,8 +385,10 @@ static int imx95_bc_probe(struct platform_device *pdev) + goto cleanup; + } + +- if (pm_runtime_enabled(bc->dev)) ++ if (pm_runtime_enabled(bc->dev)) { ++ pm_runtime_put_sync(&pdev->dev); + clk_disable_unprepare(bc->clk_apb); ++ } + + return 0; + +@@ -395,9 +399,6 @@ static int imx95_bc_probe(struct platform_device *pdev) + clk_hw_unregister(hws[i]); + } + +- if (bc_data->rpm_enabled) +- pm_runtime_disable(&pdev->dev); +- + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.15/clk-renesas-rzv2h-fix-missing-clk_set_rate_parent-fl.patch b/queue-6.15/clk-renesas-rzv2h-fix-missing-clk_set_rate_parent-fl.patch new file mode 100644 index 0000000000..40ab858cae --- /dev/null +++ b/queue-6.15/clk-renesas-rzv2h-fix-missing-clk_set_rate_parent-fl.patch @@ -0,0 +1,44 @@ +From 25b69c0ebc9c657825cd5169df29b4cc31b2fa68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 15:03:41 +0100 +Subject: clk: renesas: rzv2h: Fix missing CLK_SET_RATE_PARENT flag for ddiv + clocks + +From: Lad Prabhakar + +[ Upstream commit 715676d8418062f54d746451294ccce9786c1734 ] + +Commit bc4d25fdfadf ("clk: renesas: rzv2h: Add support for dynamic +switching divider clocks") missed setting the `CLK_SET_RATE_PARENT` +flag when registering ddiv clocks. + +Without this flag, rate changes to the divider clock do not propagate +to its parent, potentially resulting in incorrect clock configurations. + +Fix this by setting `CLK_SET_RATE_PARENT` in the clock init data. + +Fixes: bc4d25fdfadfa ("clk: renesas: rzv2h: Add support for dynamic switching divider clocks") +Signed-off-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250609140341.235919-1-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/rzv2h-cpg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/renesas/rzv2h-cpg.c b/drivers/clk/renesas/rzv2h-cpg.c +index 2b9771ab2b3f..43d2e73f9601 100644 +--- a/drivers/clk/renesas/rzv2h-cpg.c ++++ b/drivers/clk/renesas/rzv2h-cpg.c +@@ -323,6 +323,7 @@ rzv2h_cpg_ddiv_clk_register(const struct cpg_core_clk *core, + init.ops = &rzv2h_ddiv_clk_divider_ops; + init.parent_names = &parent_name; + init.num_parents = 1; ++ init.flags = CLK_SET_RATE_PARENT; + + ddiv->priv = priv; + ddiv->mon = cfg_ddiv.monbit; +-- +2.39.5 + diff --git a/queue-6.15/clk-sunxi-ng-v3s-fix-de-clock-definition.patch b/queue-6.15/clk-sunxi-ng-v3s-fix-de-clock-definition.patch new file mode 100644 index 0000000000..f5df55743a --- /dev/null +++ b/queue-6.15/clk-sunxi-ng-v3s-fix-de-clock-definition.patch @@ -0,0 +1,44 @@ +From 61010e33de930db08d233a6b15e99f110c6c4e64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 17:40:07 +0200 +Subject: clk: sunxi-ng: v3s: Fix de clock definition + +From: Paul Kocialkowski + +[ Upstream commit e8ab346f9907a1a3aa2f0e5decf849925c06ae2e ] + +The de clock is marked with CLK_SET_RATE_PARENT, which is really not +necessary (as confirmed from experimentation) and significantly +restricts flexibility for other clocks using the same parent. + +In addition the source selection (parent) field is marked as using +2 bits, when it the documentation reports that it uses 3. + +Fix both issues in the de clock definition. + +Fixes: d0f11d14b0bc ("clk: sunxi-ng: add support for V3s CCU") +Signed-off-by: Paul Kocialkowski +Link: https://patch.msgid.link/20250704154008.3463257-1-paulk@sys-base.io +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c +index 579a81bb46df..7744fc632ea6 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c ++++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c +@@ -347,8 +347,7 @@ static SUNXI_CCU_GATE(dram_ohci_clk, "dram-ohci", "dram", + + static const char * const de_parents[] = { "pll-video", "pll-periph0" }; + static SUNXI_CCU_M_WITH_MUX_GATE(de_clk, "de", de_parents, +- 0x104, 0, 4, 24, 2, BIT(31), +- CLK_SET_RATE_PARENT); ++ 0x104, 0, 4, 24, 3, BIT(31), 0); + + static const char * const tcon_parents[] = { "pll-video" }; + static SUNXI_CCU_M_WITH_MUX_GATE(tcon_clk, "tcon", tcon_parents, +-- +2.39.5 + diff --git a/queue-6.15/clk-thead-th1520-ap-correctly-refer-the-parent-of-os.patch b/queue-6.15/clk-thead-th1520-ap-correctly-refer-the-parent-of-os.patch new file mode 100644 index 0000000000..08249408fa --- /dev/null +++ b/queue-6.15/clk-thead-th1520-ap-correctly-refer-the-parent-of-os.patch @@ -0,0 +1,48 @@ +From 8e42608d90c092a9deed7dc5308c351c2539bde4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 09:21:34 +0000 +Subject: clk: thead: th1520-ap: Correctly refer the parent of osc_12m + +From: Yao Zi + +[ Upstream commit d274c77ffa202b70ad01d579f33b73b4de123375 ] + +The "osc_12m" fixed factor clock refers the external oscillator by +setting clk_parent_data.fw_name to osc_24m, which is obviously wrong +since no clock-names property is allowed for compatible +thead,th1520-clk-ap. + +Refer the oscillator as parent by index instead. + +Fixes: ae81b69fd2b1 ("clk: thead: Add support for T-Head TH1520 AP_SUBSYS clocks") +Signed-off-by: Yao Zi +Reviewed-by: Drew Fustini +Signed-off-by: Drew Fustini +Signed-off-by: Sasha Levin +--- + drivers/clk/thead/clk-th1520-ap.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/thead/clk-th1520-ap.c b/drivers/clk/thead/clk-th1520-ap.c +index 4c9555fc6184..6ab89245af12 100644 +--- a/drivers/clk/thead/clk-th1520-ap.c ++++ b/drivers/clk/thead/clk-th1520-ap.c +@@ -582,7 +582,14 @@ static const struct clk_parent_data peri2sys_apb_pclk_pd[] = { + { .hw = &peri2sys_apb_pclk.common.hw } + }; + +-static CLK_FIXED_FACTOR_FW_NAME(osc12m_clk, "osc_12m", "osc_24m", 2, 1, 0); ++static struct clk_fixed_factor osc12m_clk = { ++ .div = 2, ++ .mult = 1, ++ .hw.init = CLK_HW_INIT_PARENTS_DATA("osc_12m", ++ osc_24m_clk, ++ &clk_fixed_factor_ops, ++ 0), ++}; + + static const char * const out_parents[] = { "osc_24m", "osc_12m" }; + +-- +2.39.5 + diff --git a/queue-6.15/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch b/queue-6.15/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch new file mode 100644 index 0000000000..b96b606902 --- /dev/null +++ b/queue-6.15/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch @@ -0,0 +1,50 @@ +From 993bea2d16f50b5a6c51e358faf6a58a2b27e751 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 03:36:13 -0800 +Subject: clk: xilinx: vcu: unregister pll_post only if registered correctly + +From: Rohit Visavalia + +[ Upstream commit 3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d ] + +If registration of pll_post is failed, it will be set to NULL or ERR, +unregistering same will fail with following call trace: + +Unable to handle kernel NULL pointer dereference at virtual address 008 +pc : clk_hw_unregister+0xc/0x20 +lr : clk_hw_unregister_fixed_factor+0x18/0x30 +sp : ffff800011923850 +... +Call trace: + clk_hw_unregister+0xc/0x20 + clk_hw_unregister_fixed_factor+0x18/0x30 + xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu] + xvcu_probe+0x2bc/0x53c [xlnx_vcu] + +Fixes: 4472e1849db7 ("soc: xilinx: vcu: make pll post divider explicit") +Signed-off-by: Rohit Visavalia +Link: https://lore.kernel.org/r/20250210113614.4149050-2-rohit.visavalia@amd.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/xilinx/xlnx_vcu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/xilinx/xlnx_vcu.c b/drivers/clk/xilinx/xlnx_vcu.c +index 81501b48412e..88b3fd8250c2 100644 +--- a/drivers/clk/xilinx/xlnx_vcu.c ++++ b/drivers/clk/xilinx/xlnx_vcu.c +@@ -587,8 +587,8 @@ static void xvcu_unregister_clock_provider(struct xvcu_device *xvcu) + xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_MCU]); + if (!IS_ERR_OR_NULL(hws[CLK_XVCU_ENC_CORE])) + xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_CORE]); +- +- clk_hw_unregister_fixed_factor(xvcu->pll_post); ++ if (!IS_ERR_OR_NULL(xvcu->pll_post)) ++ clk_hw_unregister_fixed_factor(xvcu->pll_post); + } + + /** +-- +2.39.5 + diff --git a/queue-6.15/cpufreq-armada-8k-make-both-cpu-masks-static.patch b/queue-6.15/cpufreq-armada-8k-make-both-cpu-masks-static.patch new file mode 100644 index 0000000000..2de2190a2a --- /dev/null +++ b/queue-6.15/cpufreq-armada-8k-make-both-cpu-masks-static.patch @@ -0,0 +1,52 @@ +From 14fc4cbc580d7b452510ec047daaf446253fca5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:14:53 +0200 +Subject: cpufreq: armada-8k: make both cpu masks static + +From: Arnd Bergmann + +[ Upstream commit b1b41bc072baf7301b1ae95fe417de09a5ad47e2 ] + +An earlier patch marked one of the two CPU masks as 'static' to reduce stack +usage, but if CONFIG_NR_CPUS is large enough, the function still produces +a warning for compile testing: + +drivers/cpufreq/armada-8k-cpufreq.c: In function 'armada_8k_cpufreq_init': +drivers/cpufreq/armada-8k-cpufreq.c:203:1: error: the frame size of 1416 bytes is larger than 1408 bytes [-Werror=frame-larger-than=] + +Normally this should be done using alloc_cpumask_var(), but since the +driver already has a static mask and the probe function is not called +concurrently, use the same trick for both. + +Fixes: 1ffec650d07f ("cpufreq: armada-8k: Avoid excessive stack usage") +Signed-off-by: Arnd Bergmann +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/armada-8k-cpufreq.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/armada-8k-cpufreq.c b/drivers/cpufreq/armada-8k-cpufreq.c +index 5a3545bd0d8d..006f4c554dd7 100644 +--- a/drivers/cpufreq/armada-8k-cpufreq.c ++++ b/drivers/cpufreq/armada-8k-cpufreq.c +@@ -132,7 +132,7 @@ static int __init armada_8k_cpufreq_init(void) + int ret = 0, opps_index = 0, cpu, nb_cpus; + struct freq_table *freq_tables; + struct device_node *node; +- static struct cpumask cpus; ++ static struct cpumask cpus, shared_cpus; + + node = of_find_matching_node_and_match(NULL, armada_8k_cpufreq_of_match, + NULL); +@@ -154,7 +154,6 @@ static int __init armada_8k_cpufreq_init(void) + * divisions of it). + */ + for_each_cpu(cpu, &cpus) { +- struct cpumask shared_cpus; + struct device *cpu_dev; + struct clk *clk; + +-- +2.39.5 + diff --git a/queue-6.15/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch b/queue-6.15/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch new file mode 100644 index 0000000000..a208ffb2e3 --- /dev/null +++ b/queue-6.15/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch @@ -0,0 +1,49 @@ +From 66ca0ccf3575b7c38233fad48844ce521a8adcfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:41:43 +0800 +Subject: cpufreq: Init policy->rwsem before it may be possibly used + +From: Lifeng Zheng + +[ Upstream commit d1378d1d7edb3a4c4935a44fe834ae135be03564 ] + +In cpufreq_policy_put_kobj(), policy->rwsem is used. But in +cpufreq_policy_alloc(), if freq_qos_add_notifier() returns an error, error +path via err_kobj_remove or err_min_qos_notifier will be reached and +cpufreq_policy_put_kobj() will be called before policy->rwsem is +initialized. Thus, the calling of init_rwsem() should be moved to where +before these two error paths can be reached. + +Fixes: 67d874c3b2c6 ("cpufreq: Register notifiers with the PM QoS framework") +Signed-off-by: Lifeng Zheng +Link: https://patch.msgid.link/20250709104145.2348017-3-zhenglifeng1@huawei.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index ea2a8d86d640..5c84d56341e2 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1323,6 +1323,8 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu) + goto err_free_real_cpus; + } + ++ init_rwsem(&policy->rwsem); ++ + freq_constraints_init(&policy->constraints); + + policy->nb_min.notifier_call = cpufreq_notifier_min; +@@ -1345,7 +1347,6 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu) + } + + INIT_LIST_HEAD(&policy->policy_list); +- init_rwsem(&policy->rwsem); + spin_lock_init(&policy->transition_lock); + init_waitqueue_head(&policy->transition_wait); + INIT_WORK(&policy->update, handle_update); +-- +2.39.5 + diff --git a/queue-6.15/cpufreq-initialize-cpufreq-based-frequency-invarianc.patch b/queue-6.15/cpufreq-initialize-cpufreq-based-frequency-invarianc.patch new file mode 100644 index 0000000000..62840e28c8 --- /dev/null +++ b/queue-6.15/cpufreq-initialize-cpufreq-based-frequency-invarianc.patch @@ -0,0 +1,63 @@ +From 79c07fc678db686bcd6df81a42c4c3c009e3a10b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:41:42 +0800 +Subject: cpufreq: Initialize cpufreq-based frequency-invariance later + +From: Lifeng Zheng + +[ Upstream commit 2a6c727387062a2ea79eb6cf5004820cb1b0afe2 ] + +The cpufreq-based invariance is enabled in cpufreq_register_driver(), +but never disabled after registration fails. Move the invariance +initialization to where all other initializations have been successfully +done to solve this problem. + +Fixes: 874f63531064 ("cpufreq: report whether cpufreq supports Frequency Invariance (FI)") +Signed-off-by: Lifeng Zheng +Link: https://patch.msgid.link/20250709104145.2348017-2-zhenglifeng1@huawei.com +[ rjw: New subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index f45ded62b0e0..ea2a8d86d640 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -3009,15 +3009,6 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) + cpufreq_driver = driver_data; + write_unlock_irqrestore(&cpufreq_driver_lock, flags); + +- /* +- * Mark support for the scheduler's frequency invariance engine for +- * drivers that implement target(), target_index() or fast_switch(). +- */ +- if (!cpufreq_driver->setpolicy) { +- static_branch_enable_cpuslocked(&cpufreq_freq_invariance); +- pr_debug("supports frequency invariance"); +- } +- + if (driver_data->setpolicy) + driver_data->flags |= CPUFREQ_CONST_LOOPS; + +@@ -3048,6 +3039,15 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) + hp_online = ret; + ret = 0; + ++ /* ++ * Mark support for the scheduler's frequency invariance engine for ++ * drivers that implement target(), target_index() or fast_switch(). ++ */ ++ if (!cpufreq_driver->setpolicy) { ++ static_branch_enable_cpuslocked(&cpufreq_freq_invariance); ++ pr_debug("supports frequency invariance"); ++ } ++ + pr_debug("driver %s up and running\n", driver_data->name); + goto out; + +-- +2.39.5 + diff --git a/queue-6.15/cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch b/queue-6.15/cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch new file mode 100644 index 0000000000..565a7dea8d --- /dev/null +++ b/queue-6.15/cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch @@ -0,0 +1,51 @@ +From f03c98109dadf4b81f8f607eabb9858257e44c29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 20:19:19 +0200 +Subject: cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode + +From: Rafael J. Wysocki + +[ Upstream commit 1cefe495cacba5fb0417da3a75a1a76e3546d176 ] + +In the passive mode, intel_cpufreq_update_pstate() sets HWP_MIN_PERF in +accordance with the target frequency to ensure delivering adequate +performance, but it sets HWP_DESIRED_PERF to 0, so the processor has no +indication that the desired performance level is actually equal to the +floor one. This may cause it to choose a performance point way above +the desired level. + +Moreover, this is inconsistent with intel_cpufreq_adjust_perf() which +actually sets HWP_DESIRED_PERF in accordance with the target performance +value. + +Address this by adjusting intel_cpufreq_update_pstate() to pass +target_pstate as both the minimum and the desired performance levels +to intel_cpufreq_hwp_update(). + +Fixes: a365ab6b9dfb ("cpufreq: intel_pstate: Implement the ->adjust_perf() callback") +Signed-off-by: Rafael J. Wysocki +Tested-by: Shashank Balaji +Link: https://patch.msgid.link/6173276.lOV4Wx5bFT@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index ba9bf06f1c77..f9205fe199b8 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -3130,8 +3130,8 @@ static int intel_cpufreq_update_pstate(struct cpufreq_policy *policy, + int max_pstate = policy->strict_target ? + target_pstate : cpu->max_perf_ratio; + +- intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate, 0, +- fast_switch); ++ intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate, ++ target_pstate, fast_switch); + } else if (target_pstate != old_pstate) { + intel_cpufreq_perf_ctl_update(cpu, target_pstate, fast_switch); + } +-- +2.39.5 + diff --git a/queue-6.15/crypto-arm-aes-neonbs-work-around-gcc-15-warning.patch b/queue-6.15/crypto-arm-aes-neonbs-work-around-gcc-15-warning.patch new file mode 100644 index 0000000000..6d6547edd8 --- /dev/null +++ b/queue-6.15/crypto-arm-aes-neonbs-work-around-gcc-15-warning.patch @@ -0,0 +1,56 @@ +From e8f36c22726162f3a90a3aec71f4571a85bd388e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 11:32:52 +0200 +Subject: crypto: arm/aes-neonbs - work around gcc-15 warning + +From: Arnd Bergmann + +[ Upstream commit d5fa96dc5590915f060fee3209143313e4f5b03b ] + +I get a very rare -Wstringop-overread warning with gcc-15 for one function +in aesbs_ctr_encrypt(): + +arch/arm/crypto/aes-neonbs-glue.c: In function 'ctr_encrypt': +arch/arm/crypto/aes-neonbs-glue.c:212:1446: error: '__builtin_memcpy' offset [17, 2147483647] is out of the bounds [0, 16] of object 'buf' with type 'u8[16]' {aka 'unsigned char[16]'} [-Werror=array-bounds=] + 212 | src = dst = memcpy(buf + sizeof(buf) - bytes, +arch/arm/crypto/aes-neonbs-glue.c: In function 'ctr_encrypt': +arch/arm/crypto/aes-neonbs-glue.c:218:17: error: 'aesbs_ctr_encrypt' reading 1 byte from a region of size 0 [-Werror=stringop-overread] + 218 | aesbs_ctr_encrypt(dst, src, ctx->rk, ctx->rounds, bytes, walk.iv); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 2 of type 'const u8[0]' {aka 'const unsigned char[]'} +arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 3 of type 'const u8[0]' {aka 'const unsigned char[]'} +arch/arm/crypto/aes-neonbs-glue.c:218:17: note: referencing argument 6 of type 'u8[0]' {aka 'unsigned char[]'} +arch/arm/crypto/aes-neonbs-glue.c:36:17: note: in a call to function 'aesbs_ctr_encrypt' + 36 | asmlinkage void aesbs_ctr_encrypt(u8 out[], u8 const in[], u8 const rk[], + +This could happen in theory if walk.nbytes is larger than INT_MAX and gets +converted to a negative local variable. + +Keep the type unsigned like the orignal nbytes to be sure there is no +integer overflow. + +Fixes: c8bf850e991a ("crypto: arm/aes-neonbs-ctr - deal with non-multiples of AES block size") +Signed-off-by: Arnd Bergmann +Acked-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/arm/crypto/aes-neonbs-glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/crypto/aes-neonbs-glue.c b/arch/arm/crypto/aes-neonbs-glue.c +index f6be80b5938b..2fad3a0c0563 100644 +--- a/arch/arm/crypto/aes-neonbs-glue.c ++++ b/arch/arm/crypto/aes-neonbs-glue.c +@@ -232,7 +232,7 @@ static int ctr_encrypt(struct skcipher_request *req) + while (walk.nbytes > 0) { + const u8 *src = walk.src.virt.addr; + u8 *dst = walk.dst.virt.addr; +- int bytes = walk.nbytes; ++ unsigned int bytes = walk.nbytes; + + if (unlikely(bytes < AES_BLOCK_SIZE)) + src = dst = memcpy(buf + sizeof(buf) - bytes, +-- +2.39.5 + diff --git a/queue-6.15/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch b/queue-6.15/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch new file mode 100644 index 0000000000..4ba59eaa14 --- /dev/null +++ b/queue-6.15/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch @@ -0,0 +1,81 @@ +From 2e7073bc05732c2da04f1d86a6ca32d82adc4a29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 14:54:18 +0800 +Subject: crypto: ccp - Fix crash when rebind ccp device for ccp.ko + +From: Mengbiao Xiong + +[ Upstream commit 181698af38d3f93381229ad89c09b5bd0496661a ] + +When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding +the ccp device causes the following crash: + +$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind +$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind + +[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 +[ 204.978026] #PF: supervisor write access in kernel mode +[ 204.979126] #PF: error_code(0x0002) - not-present page +[ 204.980226] PGD 0 P4D 0 +[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI +... +[ 204.997852] Call Trace: +[ 204.999074] +[ 205.000297] start_creating+0x9f/0x1c0 +[ 205.001533] debugfs_create_dir+0x1f/0x170 +[ 205.002769] ? srso_return_thunk+0x5/0x5f +[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] +[ 205.005241] ccp5_init+0x8b2/0x960 [ccp] +[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] +[ 205.007709] sp_init+0x5f/0x80 [ccp] +[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] +[ 205.010165] ? srso_return_thunk+0x5/0x5f +[ 205.011376] local_pci_probe+0x4f/0xb0 +[ 205.012584] pci_device_probe+0xdb/0x230 +[ 205.013810] really_probe+0xed/0x380 +[ 205.015024] __driver_probe_device+0x7e/0x160 +[ 205.016240] device_driver_attach+0x2f/0x60 +[ 205.017457] bind_store+0x7c/0xb0 +[ 205.018663] drv_attr_store+0x28/0x40 +[ 205.019868] sysfs_kf_write+0x5f/0x70 +[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 +[ 205.022267] vfs_write+0x308/0x440 +[ 205.023453] ksys_write+0x6d/0xe0 +[ 205.024616] __x64_sys_write+0x1e/0x30 +[ 205.025778] x64_sys_call+0x16ba/0x2150 +[ 205.026942] do_syscall_64+0x56/0x1e0 +[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 205.029276] RIP: 0033:0x7fbc36f10104 +[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5 + +This patch sets ccp_debugfs_dir to NULL after destroying it in +ccp5_debugfs_destroy, allowing the directory dentry to be +recreated when rebinding the ccp device. + +Tested on AMD Ryzen 7 1700X. + +Fixes: 3cdbe346ed3f ("crypto: ccp - Add debugfs entries for CCP information") +Signed-off-by: Mengbiao Xiong +Reviewed-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-debugfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/ccp/ccp-debugfs.c b/drivers/crypto/ccp/ccp-debugfs.c +index a1055554b47a..dc26bc22c91d 100644 +--- a/drivers/crypto/ccp/ccp-debugfs.c ++++ b/drivers/crypto/ccp/ccp-debugfs.c +@@ -319,5 +319,8 @@ void ccp5_debugfs_setup(struct ccp_device *ccp) + + void ccp5_debugfs_destroy(void) + { ++ mutex_lock(&ccp_debugfs_lock); + debugfs_remove_recursive(ccp_debugfs_dir); ++ ccp_debugfs_dir = NULL; ++ mutex_unlock(&ccp_debugfs_lock); + } +-- +2.39.5 + diff --git a/queue-6.15/crypto-ccp-fix-locking-on-alloc-failure-handling.patch b/queue-6.15/crypto-ccp-fix-locking-on-alloc-failure-handling.patch new file mode 100644 index 0000000000..95147d6411 --- /dev/null +++ b/queue-6.15/crypto-ccp-fix-locking-on-alloc-failure-handling.patch @@ -0,0 +1,83 @@ +From ac42db70bbdc0795ce432e824858f0e44861d591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 19:43:54 +1000 +Subject: crypto: ccp - Fix locking on alloc failure handling + +From: Alexey Kardashevskiy + +[ Upstream commit b4abeccb8d39db7d9b51cb0098d6458760b30a75 ] + +The __snp_alloc_firmware_pages() helper allocates pages in the firmware +state (alloc + rmpupdate). In case of failed rmpupdate, it tries +reclaiming pages with already changed state. This requires calling +the PSP firmware and since there is sev_cmd_mutex to guard such calls, +the helper takes a "locked" parameter so specify if the lock needs to +be held. + +Most calls happen from snp_alloc_firmware_page() which executes without +the lock. However + +commit 24512afa4336 ("crypto: ccp: Handle the legacy TMR allocation when SNP is enabled") + +switched sev_fw_alloc() from alloc_pages() (which does not call the PSP) to +__snp_alloc_firmware_pages() (which does) but did not account for the fact +that sev_fw_alloc() is called from __sev_platform_init_locked() +(via __sev_platform_init_handle_tmr()) and executes with the lock held. + +Add a "locked" parameter to __snp_alloc_firmware_pages(). +Make sev_fw_alloc() use the new parameter to prevent potential deadlock in +rmp_mark_pages_firmware() if rmpupdate() failed. + +Fixes: 24512afa4336 ("crypto: ccp: Handle the legacy TMR allocation when SNP is enabled") +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: Tom Lendacky +Reviewed-by: Pratik R. Sampat +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sev-dev.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c +index 2e87ca0e292a..4d790837af22 100644 +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -424,7 +424,7 @@ static int rmp_mark_pages_firmware(unsigned long paddr, unsigned int npages, boo + return rc; + } + +-static struct page *__snp_alloc_firmware_pages(gfp_t gfp_mask, int order) ++static struct page *__snp_alloc_firmware_pages(gfp_t gfp_mask, int order, bool locked) + { + unsigned long npages = 1ul << order, paddr; + struct sev_device *sev; +@@ -443,7 +443,7 @@ static struct page *__snp_alloc_firmware_pages(gfp_t gfp_mask, int order) + return page; + + paddr = __pa((unsigned long)page_address(page)); +- if (rmp_mark_pages_firmware(paddr, npages, false)) ++ if (rmp_mark_pages_firmware(paddr, npages, locked)) + return NULL; + + return page; +@@ -453,7 +453,7 @@ void *snp_alloc_firmware_page(gfp_t gfp_mask) + { + struct page *page; + +- page = __snp_alloc_firmware_pages(gfp_mask, 0); ++ page = __snp_alloc_firmware_pages(gfp_mask, 0, false); + + return page ? page_address(page) : NULL; + } +@@ -488,7 +488,7 @@ static void *sev_fw_alloc(unsigned long len) + { + struct page *page; + +- page = __snp_alloc_firmware_pages(GFP_KERNEL, get_order(len)); ++ page = __snp_alloc_firmware_pages(GFP_KERNEL, get_order(len), true); + if (!page) + return NULL; + +-- +2.39.5 + diff --git a/queue-6.15/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch b/queue-6.15/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..a84d733359 --- /dev/null +++ b/queue-6.15/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,36 @@ +From ec3fc7ebfb62a26f13be5ddd86615a26d3c6f4dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 11:16:22 +0200 +Subject: crypto: img-hash - Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 34b283636181ce02c52633551f594fec9876bec7 ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator") +Signed-off-by: Thomas Fourier +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/img-hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c +index 1dc2378aa88b..503bc1c9e3f3 100644 +--- a/drivers/crypto/img-hash.c ++++ b/drivers/crypto/img-hash.c +@@ -436,7 +436,7 @@ static int img_hash_write_via_dma_stop(struct img_hash_dev *hdev) + struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req); + + if (ctx->flags & DRIVER_FLAGS_SG) +- dma_unmap_sg(hdev->dev, ctx->sg, ctx->dma_ct, DMA_TO_DEVICE); ++ dma_unmap_sg(hdev->dev, ctx->sg, 1, DMA_TO_DEVICE); + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.15/crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch b/queue-6.15/crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..f37cc26632 --- /dev/null +++ b/queue-6.15/crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,50 @@ +From f9cb51010f86449298094d2db532b2dc45ed312b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:29:26 +0200 +Subject: crypto: inside-secure - Fix `dma_unmap_sg()` nents value + +From: Thomas Fourier + +[ Upstream commit cb7fa6b6fc71e0c801e271aa498e2f19e6df2931 ] + +The `dma_unmap_sg()` functions should be called with the same nents as the +`dma_map_sg()`, not the value the map function returned. + +Fixes: c957f8b3e2e5 ("crypto: inside-secure - avoid unmapping DMA memory that was not mapped") +Signed-off-by: Thomas Fourier +Reviewed-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/inside-secure/safexcel_hash.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c +index f44c08f5f5ec..af4b978189e5 100644 +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -249,7 +249,9 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv, + safexcel_complete(priv, ring); + + if (sreq->nents) { +- dma_unmap_sg(priv->dev, areq->src, sreq->nents, DMA_TO_DEVICE); ++ dma_unmap_sg(priv->dev, areq->src, ++ sg_nents_for_len(areq->src, areq->nbytes), ++ DMA_TO_DEVICE); + sreq->nents = 0; + } + +@@ -497,7 +499,9 @@ static int safexcel_ahash_send_req(struct crypto_async_request *async, int ring, + DMA_FROM_DEVICE); + unmap_sg: + if (req->nents) { +- dma_unmap_sg(priv->dev, areq->src, req->nents, DMA_TO_DEVICE); ++ dma_unmap_sg(priv->dev, areq->src, ++ sg_nents_for_len(areq->src, areq->nbytes), ++ DMA_TO_DEVICE); + req->nents = 0; + } + cdesc_rollback: +-- +2.39.5 + diff --git a/queue-6.15/crypto-keembay-fix-dma_unmap_sg-nents-value.patch b/queue-6.15/crypto-keembay-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..5dbed0b440 --- /dev/null +++ b/queue-6.15/crypto-keembay-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,63 @@ +From 5ede1e8972e6199f7508ecbc934cd350ad3a0cf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 10:57:06 +0200 +Subject: crypto: keembay - Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 01951a7dc5ac1a37e5fb7d86ea7eb2dfbf96e8b6 ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 472b04444cd3 ("crypto: keembay - Add Keem Bay OCS HCU driver") +Signed-off-by: Thomas Fourier +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c b/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c +index 95dc8979918d..8f9e21ced0fe 100644 +--- a/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c ++++ b/drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c +@@ -68,6 +68,7 @@ struct ocs_hcu_ctx { + * @sg_data_total: Total data in the SG list at any time. + * @sg_data_offset: Offset into the data of the current individual SG node. + * @sg_dma_nents: Number of sg entries mapped in dma_list. ++ * @nents: Number of entries in the scatterlist. + */ + struct ocs_hcu_rctx { + struct ocs_hcu_dev *hcu_dev; +@@ -91,6 +92,7 @@ struct ocs_hcu_rctx { + unsigned int sg_data_total; + unsigned int sg_data_offset; + unsigned int sg_dma_nents; ++ unsigned int nents; + }; + + /** +@@ -199,7 +201,7 @@ static void kmb_ocs_hcu_dma_cleanup(struct ahash_request *req, + + /* Unmap req->src (if mapped). */ + if (rctx->sg_dma_nents) { +- dma_unmap_sg(dev, req->src, rctx->sg_dma_nents, DMA_TO_DEVICE); ++ dma_unmap_sg(dev, req->src, rctx->nents, DMA_TO_DEVICE); + rctx->sg_dma_nents = 0; + } + +@@ -260,6 +262,10 @@ static int kmb_ocs_dma_prepare(struct ahash_request *req) + rc = -ENOMEM; + goto cleanup; + } ++ ++ /* Save the value of nents to pass to dma_unmap_sg. */ ++ rctx->nents = nents; ++ + /* + * The value returned by dma_map_sg() can be < nents; so update + * nents accordingly. +-- +2.39.5 + diff --git a/queue-6.15/crypto-krb5-fix-memory-leak-in-krb5_test_one_prf.patch b/queue-6.15/crypto-krb5-fix-memory-leak-in-krb5_test_one_prf.patch new file mode 100644 index 0000000000..82743f8b82 --- /dev/null +++ b/queue-6.15/crypto-krb5-fix-memory-leak-in-krb5_test_one_prf.patch @@ -0,0 +1,55 @@ +From 2bb8a2414bf2bc1e1d4a8ab746e6f74f0613608a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 00:11:40 -0700 +Subject: crypto: krb5 - Fix memory leak in krb5_test_one_prf() + +From: Eric Biggers + +[ Upstream commit b19f1ab8d5bf417e00d5855c62e061fb449b13c5 ] + +Fix a leak reported by kmemleak: + + unreferenced object 0xffff8880093bf7a0 (size 32): + comm "swapper/0", pid 1, jiffies 4294877529 + hex dump (first 32 bytes): + 9d 18 86 16 f6 38 52 fe 86 91 5b b8 40 b4 a8 86 .....8R...[.@... + ff 3e 6b b0 f8 19 b4 9b 89 33 93 d3 93 85 42 95 .>k......3....B. + backtrace (crc 8ba12f3b): + kmemleak_alloc+0x8d/0xa0 + __kmalloc_noprof+0x3cd/0x4d0 + prep_buf+0x36/0x70 + load_buf+0x10d/0x1c0 + krb5_test_one_prf+0x1e1/0x3c0 + krb5_selftest.cold+0x7c/0x54c + crypto_krb5_init+0xd/0x20 + do_one_initcall+0xa5/0x230 + do_initcalls+0x213/0x250 + kernel_init_freeable+0x220/0x260 + kernel_init+0x1d/0x170 + ret_from_fork+0x301/0x410 + ret_from_fork_asm+0x1a/0x30 + +Fixes: fc0cf10c04f4 ("crypto/krb5: Implement crypto self-testing") +Signed-off-by: Eric Biggers +Acked-by: David Howells +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/krb5/selftest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/krb5/selftest.c b/crypto/krb5/selftest.c +index 2a81a6315a0d..4519c572d37e 100644 +--- a/crypto/krb5/selftest.c ++++ b/crypto/krb5/selftest.c +@@ -152,6 +152,7 @@ static int krb5_test_one_prf(const struct krb5_prf_test *test) + + out: + clear_buf(&result); ++ clear_buf(&prf); + clear_buf(&octet); + clear_buf(&key); + return ret; +-- +2.39.5 + diff --git a/queue-6.15/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch b/queue-6.15/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch new file mode 100644 index 0000000000..dd43c0e65d --- /dev/null +++ b/queue-6.15/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch @@ -0,0 +1,75 @@ +From ef7bef0791c7a11176cabc3e33a34b65b955acb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 20:41:28 +0800 +Subject: crypto: marvell/cesa - Fix engine load inaccuracy + +From: Herbert Xu + +[ Upstream commit 442134ab30e75b7229c4bfc1ac5641d245cffe27 ] + +If an error occurs during queueing the engine load will never be +decremented. Fix this by moving the engine load adjustment into +the cleanup function. + +Fixes: bf8f91e71192 ("crypto: marvell - Add load balancing between engines") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/cipher.c | 4 +++- + drivers/crypto/marvell/cesa/hash.c | 5 +++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c +index 48c5c8ea8c43..3fe0fd9226cf 100644 +--- a/drivers/crypto/marvell/cesa/cipher.c ++++ b/drivers/crypto/marvell/cesa/cipher.c +@@ -75,9 +75,12 @@ mv_cesa_skcipher_dma_cleanup(struct skcipher_request *req) + static inline void mv_cesa_skcipher_cleanup(struct skcipher_request *req) + { + struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req); ++ struct mv_cesa_engine *engine = creq->base.engine; + + if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) + mv_cesa_skcipher_dma_cleanup(req); ++ ++ atomic_sub(req->cryptlen, &engine->load); + } + + static void mv_cesa_skcipher_std_step(struct skcipher_request *req) +@@ -212,7 +215,6 @@ mv_cesa_skcipher_complete(struct crypto_async_request *req) + struct mv_cesa_engine *engine = creq->base.engine; + unsigned int ivsize; + +- atomic_sub(skreq->cryptlen, &engine->load); + ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(skreq)); + + if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) { +diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c +index 6815eddc9068..e339ce7ad533 100644 +--- a/drivers/crypto/marvell/cesa/hash.c ++++ b/drivers/crypto/marvell/cesa/hash.c +@@ -110,9 +110,12 @@ static inline void mv_cesa_ahash_dma_cleanup(struct ahash_request *req) + static inline void mv_cesa_ahash_cleanup(struct ahash_request *req) + { + struct mv_cesa_ahash_req *creq = ahash_request_ctx(req); ++ struct mv_cesa_engine *engine = creq->base.engine; + + if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) + mv_cesa_ahash_dma_cleanup(req); ++ ++ atomic_sub(req->nbytes, &engine->load); + } + + static void mv_cesa_ahash_last_cleanup(struct ahash_request *req) +@@ -395,8 +398,6 @@ static void mv_cesa_ahash_complete(struct crypto_async_request *req) + } + } + } +- +- atomic_sub(ahashreq->nbytes, &engine->load); + } + + static void mv_cesa_ahash_prepare(struct crypto_async_request *req, +-- +2.39.5 + diff --git a/queue-6.15/crypto-qat-allow-enabling-vfs-in-the-absence-of-iomm.patch b/queue-6.15/crypto-qat-allow-enabling-vfs-in-the-absence-of-iomm.patch new file mode 100644 index 0000000000..58408063df --- /dev/null +++ b/queue-6.15/crypto-qat-allow-enabling-vfs-in-the-absence-of-iomm.patch @@ -0,0 +1,40 @@ +From 2b5812b93e13c92d7cd0f7ad0463b18a7d66cf8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 09:23:43 +0100 +Subject: crypto: qat - allow enabling VFs in the absence of IOMMU + +From: Ahsan Atta + +[ Upstream commit 53669ff591d4deb2d80eed4c07593ad0c0b45899 ] + +The commit ca88a2bdd4dd ("crypto: qat - allow disabling SR-IOV VFs") +introduced an unnecessary change that prevented enabling SR-IOV when +IOMMU is disabled. In certain scenarios, it is desirable to enable +SR-IOV even in the absence of IOMMU. Thus, restoring the previous +functionality to allow VFs to be enumerated in the absence of IOMMU. + +Fixes: ca88a2bdd4dd ("crypto: qat - allow disabling SR-IOV VFs") +Signed-off-by: Ahsan Atta +Reviewed-by: Giovanni Cabiddu +Reviewed-by: Michal Witwicki +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_common/adf_sriov.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_sriov.c b/drivers/crypto/intel/qat/qat_common/adf_sriov.c +index c75d0b6cb0ad..31d1ef0cb1f5 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_sriov.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_sriov.c +@@ -155,7 +155,6 @@ static int adf_do_enable_sriov(struct adf_accel_dev *accel_dev) + if (!device_iommu_mapped(&GET_DEV(accel_dev))) { + dev_warn(&GET_DEV(accel_dev), + "IOMMU should be enabled for SR-IOV to work correctly\n"); +- return -EINVAL; + } + + if (adf_dev_started(accel_dev)) { +-- +2.39.5 + diff --git a/queue-6.15/crypto-qat-disable-zuc-256-capability-for-qat-gen5.patch b/queue-6.15/crypto-qat-disable-zuc-256-capability-for-qat-gen5.patch new file mode 100644 index 0000000000..797d400f69 --- /dev/null +++ b/queue-6.15/crypto-qat-disable-zuc-256-capability-for-qat-gen5.patch @@ -0,0 +1,62 @@ +From 1213edb0b73ab0315710894ea21e9f43794131d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 10:20:49 +0100 +Subject: crypto: qat - disable ZUC-256 capability for QAT GEN5 + +From: Bairavi Alagappan + +[ Upstream commit d956692c7dd523b331d4556ee03def8dd02609dc ] + +The ZUC-256 EEA (encryption) and EIA (integrity) algorithms are not +supported on QAT GEN5 devices, as their current implementation does not +align with the NIST specification. Earlier versions of the ZUC-256 +specification used a different initialization scheme, which has since +been revised to comply with the 5G specification. + +Due to this misalignment with the updated specification, remove support +for ZUC-256 EEA and EIA for QAT GEN5 by masking out the ZUC-256 +capability. + +Fixes: fcf60f4bcf549 ("crypto: qat - add support for 420xx devices") +Signed-off-by: Bairavi Alagappan +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c +index 4feeef83f7a3..3549167a9557 100644 +--- a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c ++++ b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c +@@ -193,7 +193,6 @@ static u32 get_accel_cap(struct adf_accel_dev *accel_dev) + ICP_ACCEL_CAPABILITIES_SM4 | + ICP_ACCEL_CAPABILITIES_AES_V2 | + ICP_ACCEL_CAPABILITIES_ZUC | +- ICP_ACCEL_CAPABILITIES_ZUC_256 | + ICP_ACCEL_CAPABILITIES_WIRELESS_CRYPTO_EXT | + ICP_ACCEL_CAPABILITIES_EXT_ALGCHAIN; + +@@ -225,17 +224,11 @@ static u32 get_accel_cap(struct adf_accel_dev *accel_dev) + + if (fusectl1 & ICP_ACCEL_GEN4_MASK_WCP_WAT_SLICE) { + capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC; +- capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC_256; + capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_WIRELESS_CRYPTO_EXT; + } + +- if (fusectl1 & ICP_ACCEL_GEN4_MASK_EIA3_SLICE) { ++ if (fusectl1 & ICP_ACCEL_GEN4_MASK_EIA3_SLICE) + capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC; +- capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC_256; +- } +- +- if (fusectl1 & ICP_ACCEL_GEN4_MASK_ZUC_256_SLICE) +- capabilities_sym &= ~ICP_ACCEL_CAPABILITIES_ZUC_256; + + capabilities_asym = ICP_ACCEL_CAPABILITIES_CRYPTO_ASYMMETRIC | + ICP_ACCEL_CAPABILITIES_SM2 | +-- +2.39.5 + diff --git a/queue-6.15/crypto-qat-fix-dma-direction-for-compression-on-gen2.patch b/queue-6.15/crypto-qat-fix-dma-direction-for-compression-on-gen2.patch new file mode 100644 index 0000000000..4f6ca04453 --- /dev/null +++ b/queue-6.15/crypto-qat-fix-dma-direction-for-compression-on-gen2.patch @@ -0,0 +1,93 @@ +From 68195ae953bbfccfc45ad0552af7e01e85f1a572 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 08:07:49 +0100 +Subject: crypto: qat - fix DMA direction for compression on GEN2 devices + +From: Giovanni Cabiddu + +[ Upstream commit d41d75fe1b751ee6b347bf1cb1cfe9accc4fcb12 ] + +QAT devices perform an additional integrity check during compression by +decompressing the output. Starting from QAT GEN4, this verification is +done in-line by the hardware. However, on GEN2 devices, the hardware +reads back the compressed output from the destination buffer and performs +a decompression operation using it as the source. + +In the current QAT driver, destination buffers are always marked as +write-only. This is incorrect for QAT GEN2 compression, where the buffer +is also read during verification. Since commit 6f5dc7658094 +("iommu/vt-d: Restore WO permissions on second-level paging entries"), +merged in v6.16-rc1, write-only permissions are strictly enforced, leading +to DMAR errors when using QAT GEN2 devices for compression, if VT-d is +enabled. + +Mark the destination buffers as DMA_BIDIRECTIONAL. This ensures +compatibility with GEN2 devices, even though it is not required for +QAT GEN4 and later. + +Signed-off-by: Giovanni Cabiddu +Fixes: cf5bb835b7c8 ("crypto: qat - fix DMA transfer direction") +Reviewed-by: Ahsan Atta +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_common/qat_bl.c | 6 +++--- + drivers/crypto/intel/qat/qat_common/qat_compression.c | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/crypto/intel/qat/qat_common/qat_bl.c b/drivers/crypto/intel/qat/qat_common/qat_bl.c +index 5e4dad4693ca..9b2338f58d97 100644 +--- a/drivers/crypto/intel/qat/qat_common/qat_bl.c ++++ b/drivers/crypto/intel/qat/qat_common/qat_bl.c +@@ -38,7 +38,7 @@ void qat_bl_free_bufl(struct adf_accel_dev *accel_dev, + for (i = 0; i < blout->num_mapped_bufs; i++) { + dma_unmap_single(dev, blout->buffers[i].addr, + blout->buffers[i].len, +- DMA_FROM_DEVICE); ++ DMA_BIDIRECTIONAL); + } + dma_unmap_single(dev, blpout, sz_out, DMA_TO_DEVICE); + +@@ -162,7 +162,7 @@ static int __qat_bl_sgl_to_bufl(struct adf_accel_dev *accel_dev, + } + buffers[y].addr = dma_map_single(dev, sg_virt(sg) + left, + sg->length - left, +- DMA_FROM_DEVICE); ++ DMA_BIDIRECTIONAL); + if (unlikely(dma_mapping_error(dev, buffers[y].addr))) + goto err_out; + buffers[y].len = sg->length; +@@ -204,7 +204,7 @@ static int __qat_bl_sgl_to_bufl(struct adf_accel_dev *accel_dev, + if (!dma_mapping_error(dev, buflout->buffers[i].addr)) + dma_unmap_single(dev, buflout->buffers[i].addr, + buflout->buffers[i].len, +- DMA_FROM_DEVICE); ++ DMA_BIDIRECTIONAL); + } + + if (!buf->sgl_dst_valid) +diff --git a/drivers/crypto/intel/qat/qat_common/qat_compression.c b/drivers/crypto/intel/qat/qat_common/qat_compression.c +index 2c3aa89b316a..cf94ba3011d5 100644 +--- a/drivers/crypto/intel/qat/qat_common/qat_compression.c ++++ b/drivers/crypto/intel/qat/qat_common/qat_compression.c +@@ -205,7 +205,7 @@ static int qat_compression_alloc_dc_data(struct adf_accel_dev *accel_dev) + if (!obuff) + goto err; + +- obuff_p = dma_map_single(dev, obuff, ovf_buff_sz, DMA_FROM_DEVICE); ++ obuff_p = dma_map_single(dev, obuff, ovf_buff_sz, DMA_BIDIRECTIONAL); + if (unlikely(dma_mapping_error(dev, obuff_p))) + goto err; + +@@ -233,7 +233,7 @@ static void qat_free_dc_data(struct adf_accel_dev *accel_dev) + return; + + dma_unmap_single(dev, dc_data->ovf_buff_p, dc_data->ovf_buff_sz, +- DMA_FROM_DEVICE); ++ DMA_BIDIRECTIONAL); + kfree_sensitive(dc_data->ovf_buff); + kfree(dc_data); + accel_dev->dc_data = NULL; +-- +2.39.5 + diff --git a/queue-6.15/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch b/queue-6.15/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch new file mode 100644 index 0000000000..0ef5c41edb --- /dev/null +++ b/queue-6.15/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch @@ -0,0 +1,49 @@ +From 68a5a407a3af9452813bb4205b08b45fa0b1b9d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 08:10:29 +0100 +Subject: crypto: qat - fix seq_file position update in adf_ring_next() + +From: Giovanni Cabiddu + +[ Upstream commit 6908c5f4f066a0412c3d9a6f543a09fa7d87824b ] + +The `adf_ring_next()` function in the QAT debug transport interface +fails to correctly update the position index when reaching the end of +the ring elements. This triggers the following kernel warning when +reading ring files, such as +/sys/kernel/debug/qat_c6xx_/transport/bank_00/ring_00: + + [27725.022965] seq_file: buggy .next function adf_ring_next [intel_qat] did not update position index + +Ensure that the `*pos` index is incremented before returning NULL when +after the last element in the ring is found, satisfying the seq_file API +requirements and preventing the warning. + +Fixes: a672a9dc872e ("crypto: qat - Intel(R) QAT transport code") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Ahsan Atta +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_common/adf_transport_debug.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c b/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c +index e2dd568b87b5..621b5d3dfcef 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_transport_debug.c +@@ -31,8 +31,10 @@ static void *adf_ring_next(struct seq_file *sfile, void *v, loff_t *pos) + struct adf_etr_ring_data *ring = sfile->private; + + if (*pos >= (ADF_SIZE_TO_RING_SIZE_IN_BYTES(ring->ring_size) / +- ADF_MSG_SIZE_TO_BYTES(ring->msg_size))) ++ ADF_MSG_SIZE_TO_BYTES(ring->msg_size))) { ++ (*pos)++; + return NULL; ++ } + + return ring->base_addr + + (ADF_MSG_SIZE_TO_BYTES(ring->msg_size) * (*pos)++); +-- +2.39.5 + diff --git a/queue-6.15/crypto-qat-fix-state-restore-for-banks-with-exceptio.patch b/queue-6.15/crypto-qat-fix-state-restore-for-banks-with-exceptio.patch new file mode 100644 index 0000000000..286f3db4ea --- /dev/null +++ b/queue-6.15/crypto-qat-fix-state-restore-for-banks-with-exceptio.patch @@ -0,0 +1,85 @@ +From fb67bea60827c644aecead533a09e04b92ed2f2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 16:59:56 +0100 +Subject: crypto: qat - fix state restore for banks with exceptions + +From: Svyatoslav Pankratov + +[ Upstream commit 254923ca8715f623704378266815b6d14eb26194 ] + +Change the logic in the restore function to properly handle bank +exceptions. + +The check for exceptions in the saved state should be performed before +conducting any other ringstat register checks. +If a bank was saved with an exception, the ringstat will have the +appropriate rp_halt/rp_exception bits set, causing the driver to exit +the restore process with an error. Instead, the restore routine should +first check the ringexpstat register, and if any exception was raised, +it should stop further checks and return without any error. In other +words, if a ring pair is in an exception state at the source, it should +be restored the same way at the destination but without raising an error. + +Even though this approach might lead to losing the exception state +during migration, the driver will log the exception from the saved state +during the restore process. + +Signed-off-by: Svyatoslav Pankratov +Fixes: bbfdde7d195f ("crypto: qat - add bank save and restore flows") +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../intel/qat/qat_common/adf_gen4_hw_data.c | 29 ++++++++++++++----- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.c b/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.c +index 099949a2421c..b661736d9ae1 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.c +@@ -579,6 +579,28 @@ static int bank_state_restore(struct adf_hw_csr_ops *ops, void __iomem *base, + ops->write_csr_int_srcsel_w_val(base, bank, state->iaintflagsrcsel0); + ops->write_csr_exp_int_en(base, bank, state->ringexpintenable); + ops->write_csr_int_col_ctl(base, bank, state->iaintcolctl); ++ ++ /* ++ * Verify whether any exceptions were raised during the bank save process. ++ * If exceptions occurred, the status and exception registers cannot ++ * be directly restored. Consequently, further restoration is not ++ * feasible, and the current state of the ring should be maintained. ++ */ ++ val = state->ringexpstat; ++ if (val) { ++ pr_info("QAT: Bank %u state not fully restored due to exception in saved state (%#x)\n", ++ bank, val); ++ return 0; ++ } ++ ++ /* Ensure that the restoration process completed without exceptions */ ++ tmp_val = ops->read_csr_exp_stat(base, bank); ++ if (tmp_val) { ++ pr_err("QAT: Bank %u restored with exception: %#x\n", ++ bank, tmp_val); ++ return -EFAULT; ++ } ++ + ops->write_csr_ring_srv_arb_en(base, bank, state->ringsrvarben); + + /* Check that all ring statuses match the saved state. */ +@@ -612,13 +634,6 @@ static int bank_state_restore(struct adf_hw_csr_ops *ops, void __iomem *base, + if (ret) + return ret; + +- tmp_val = ops->read_csr_exp_stat(base, bank); +- val = state->ringexpstat; +- if (tmp_val && !val) { +- pr_err("QAT: Bank was restored with exception: 0x%x\n", val); +- return -EINVAL; +- } +- + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.15/crypto-qat-use-unmanaged-allocation-for-dc_data.patch b/queue-6.15/crypto-qat-use-unmanaged-allocation-for-dc_data.patch new file mode 100644 index 0000000000..93fb9e0f8b --- /dev/null +++ b/queue-6.15/crypto-qat-use-unmanaged-allocation-for-dc_data.patch @@ -0,0 +1,77 @@ +From 4fcd20d2626188a33fefe87b056bb9b1729b4739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 09:21:41 +0100 +Subject: crypto: qat - use unmanaged allocation for dc_data + +From: Suman Kumar Chakraborty + +[ Upstream commit 4cc871ad0173e8bc22f80e3609e34d546d30ef1a ] + +The dc_data structure holds data required for handling compression +operations, such as overflow buffers. In this context, the use of +managed memory allocation APIs (devm_kzalloc() and devm_kfree()) +is not necessary, as these data structures are freed and +re-allocated when a device is restarted in adf_dev_down() and +adf_dev_up(). + +Additionally, managed APIs automatically handle memory cleanup when the +device is detached, which can lead to conflicts with manual cleanup +processes. Specifically, if a device driver invokes the adf_dev_down() +function as part of the cleanup registered with +devm_add_action_or_reset(), it may attempt to free memory that is also +managed by the device's resource management system, potentially leading +to a double-free. + +This might result in a warning similar to the following when unloading +the device specific driver, for example qat_6xxx.ko: + + qat_free_dc_data+0x4f/0x60 [intel_qat] + qat_compression_event_handler+0x3d/0x1d0 [intel_qat] + adf_dev_shutdown+0x6d/0x1a0 [intel_qat] + adf_dev_down+0x32/0x50 [intel_qat] + devres_release_all+0xb8/0x110 + device_unbind_cleanup+0xe/0x70 + device_release_driver_internal+0x1c1/0x200 + driver_detach+0x48/0x90 + bus_remove_driver+0x74/0xf0 + pci_unregister_driver+0x2e/0xb0 + +Use unmanaged memory allocation APIs (kzalloc_node() and kfree()) for +the dc_data structure. This ensures that memory is explicitly allocated +and freed under the control of the driver code, preventing manual +deallocation from interfering with automatic cleanup. + +Fixes: 1198ae56c9a5 ("crypto: qat - expose deflate through acomp api for QAT GEN2") +Signed-off-by: Suman Kumar Chakraborty +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_common/qat_compression.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/intel/qat/qat_common/qat_compression.c b/drivers/crypto/intel/qat/qat_common/qat_compression.c +index 7842a9f22178..2c3aa89b316a 100644 +--- a/drivers/crypto/intel/qat/qat_common/qat_compression.c ++++ b/drivers/crypto/intel/qat/qat_common/qat_compression.c +@@ -197,7 +197,7 @@ static int qat_compression_alloc_dc_data(struct adf_accel_dev *accel_dev) + struct adf_dc_data *dc_data = NULL; + u8 *obuff = NULL; + +- dc_data = devm_kzalloc(dev, sizeof(*dc_data), GFP_KERNEL); ++ dc_data = kzalloc_node(sizeof(*dc_data), GFP_KERNEL, dev_to_node(dev)); + if (!dc_data) + goto err; + +@@ -235,7 +235,7 @@ static void qat_free_dc_data(struct adf_accel_dev *accel_dev) + dma_unmap_single(dev, dc_data->ovf_buff_p, dc_data->ovf_buff_sz, + DMA_FROM_DEVICE); + kfree_sensitive(dc_data->ovf_buff); +- devm_kfree(dev, dc_data); ++ kfree(dc_data); + accel_dev->dc_data = NULL; + } + +-- +2.39.5 + diff --git a/queue-6.15/crypto-sun8i-ce-fix-nents-passed-to-dma_unmap_sg.patch b/queue-6.15/crypto-sun8i-ce-fix-nents-passed-to-dma_unmap_sg.patch new file mode 100644 index 0000000000..6fc326801d --- /dev/null +++ b/queue-6.15/crypto-sun8i-ce-fix-nents-passed-to-dma_unmap_sg.patch @@ -0,0 +1,44 @@ +From 6d413c3ccc78a0ff25b725d8562adc079d67f6b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 18:13:48 +0300 +Subject: crypto: sun8i-ce - fix nents passed to dma_unmap_sg() + +From: Ovidiu Panait + +[ Upstream commit b6cd3cfb5afe49952f8f6be947aeeca9ba0faebb ] + +In sun8i_ce_cipher_unprepare(), dma_unmap_sg() is incorrectly called with +the number of entries returned by dma_map_sg(), rather than using the +original number of entries passed when mapping the scatterlist. + +To fix this, stash the original number of entries passed to dma_map_sg() +in the request context. + +Fixes: 0605fa0f7826 ("crypto: sun8i-ce - split into prepare/run/unprepare") +Signed-off-by: Ovidiu Panait +Acked-by: Corentin LABBE +Tested-by: Corentin LABBE +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c +index 05f67661553c..63e66a85477e 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c +@@ -265,8 +265,8 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req + } + + chan->timeout = areq->cryptlen; +- rctx->nr_sgs = nr_sgs; +- rctx->nr_sgd = nr_sgd; ++ rctx->nr_sgs = ns; ++ rctx->nr_sgd = nd; + return 0; + + theend_sgs: +-- +2.39.5 + diff --git a/queue-6.15/dmaengine-mmp-fix-again-wvoid-pointer-to-enum-cast-w.patch b/queue-6.15/dmaengine-mmp-fix-again-wvoid-pointer-to-enum-cast-w.patch new file mode 100644 index 0000000000..4645fcc201 --- /dev/null +++ b/queue-6.15/dmaengine-mmp-fix-again-wvoid-pointer-to-enum-cast-w.patch @@ -0,0 +1,39 @@ +From 7e0a9c02506911dce8b4bf874bdaecd52dd65db6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 May 2025 21:26:05 +0200 +Subject: dmaengine: mmp: Fix again Wvoid-pointer-to-enum-cast warning + +From: Krzysztof Kozlowski + +[ Upstream commit a0b1589b62e2fcfb112996e0f4d5593bd2edf069 ] + +This was fixed and re-introduced. 'type' is an enum, thus cast of +pointer on 64-bit compile test with W=1 causes: + + mmp_tdma.c:644:9: error: cast to smaller integer type 'enum mmp_tdma_type' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast] + +Fixes: a67ba97dfb30 ("dmaengine: Use device_get_match_data()") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250525-dma-fixes-v1-5-89d06dac9bcb@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_tdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/mmp_tdma.c b/drivers/dma/mmp_tdma.c +index c8dc504510f1..b7fb843c67a6 100644 +--- a/drivers/dma/mmp_tdma.c ++++ b/drivers/dma/mmp_tdma.c +@@ -641,7 +641,7 @@ static int mmp_tdma_probe(struct platform_device *pdev) + int chan_num = TDMA_CHANNEL_NUM; + struct gen_pool *pool = NULL; + +- type = (enum mmp_tdma_type)device_get_match_data(&pdev->dev); ++ type = (kernel_ulong_t)device_get_match_data(&pdev->dev); + + /* always have couple channels */ + tdev = devm_kzalloc(&pdev->dev, sizeof(*tdev), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.15/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch b/queue-6.15/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch new file mode 100644 index 0000000000..b96e4c0e5b --- /dev/null +++ b/queue-6.15/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch @@ -0,0 +1,73 @@ +From d0d2247897f851f6bd007a4185f3bf2da9bbf368 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 14:37:52 +0200 +Subject: dmaengine: mv_xor: Fix missing check after DMA map and missing unmap + +From: Thomas Fourier + +[ Upstream commit 60095aca6b471b7b7a79c80b7395f7e4e414b479 ] + +The DMA map functions can fail and should be tested for errors. + +In case of error, unmap the already mapped regions. + +Fixes: 22843545b200 ("dma: mv_xor: Add support for DMA_INTERRUPT") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250701123753.46935-2-fourier.thomas@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mv_xor.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c +index fa6e4646fdc2..1fdcb0f5c9e7 100644 +--- a/drivers/dma/mv_xor.c ++++ b/drivers/dma/mv_xor.c +@@ -1061,8 +1061,16 @@ mv_xor_channel_add(struct mv_xor_device *xordev, + */ + mv_chan->dummy_src_addr = dma_map_single(dma_dev->dev, + mv_chan->dummy_src, MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE); ++ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_src_addr)) ++ return ERR_PTR(-ENOMEM); ++ + mv_chan->dummy_dst_addr = dma_map_single(dma_dev->dev, + mv_chan->dummy_dst, MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE); ++ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_dst_addr)) { ++ ret = -ENOMEM; ++ goto err_unmap_src; ++ } ++ + + /* allocate coherent memory for hardware descriptors + * note: writecombine gives slightly better performance, but +@@ -1071,8 +1079,10 @@ mv_xor_channel_add(struct mv_xor_device *xordev, + mv_chan->dma_desc_pool_virt = + dma_alloc_wc(&pdev->dev, MV_XOR_POOL_SIZE, &mv_chan->dma_desc_pool, + GFP_KERNEL); +- if (!mv_chan->dma_desc_pool_virt) +- return ERR_PTR(-ENOMEM); ++ if (!mv_chan->dma_desc_pool_virt) { ++ ret = -ENOMEM; ++ goto err_unmap_dst; ++ } + + /* discover transaction capabilities from the platform data */ + dma_dev->cap_mask = cap_mask; +@@ -1155,6 +1165,13 @@ mv_xor_channel_add(struct mv_xor_device *xordev, + err_free_dma: + dma_free_coherent(&pdev->dev, MV_XOR_POOL_SIZE, + mv_chan->dma_desc_pool_virt, mv_chan->dma_desc_pool); ++err_unmap_dst: ++ dma_unmap_single(dma_dev->dev, mv_chan->dummy_dst_addr, ++ MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE); ++err_unmap_src: ++ dma_unmap_single(dma_dev->dev, mv_chan->dummy_src_addr, ++ MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE); ++ + return ERR_PTR(ret); + } + +-- +2.39.5 + diff --git a/queue-6.15/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch b/queue-6.15/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..852859839f --- /dev/null +++ b/queue-6.15/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch @@ -0,0 +1,55 @@ +From 294a170a3a18aadc32078f179e9c34a91a6b8346 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:57:16 +0200 +Subject: dmaengine: nbpfaxi: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit c6ee78fc8f3e653bec427cfd06fec7877ee782bd ] + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, unmap and return an error. + +Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250707075752.28674-2-fourier.thomas@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/nbpfaxi.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/dma/nbpfaxi.c b/drivers/dma/nbpfaxi.c +index 7a2488a0d6a3..765462303de0 100644 +--- a/drivers/dma/nbpfaxi.c ++++ b/drivers/dma/nbpfaxi.c +@@ -711,6 +711,9 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan) + list_add_tail(&ldesc->node, &lhead); + ldesc->hwdesc_dma_addr = dma_map_single(dchan->device->dev, + hwdesc, sizeof(*hwdesc), DMA_TO_DEVICE); ++ if (dma_mapping_error(dchan->device->dev, ++ ldesc->hwdesc_dma_addr)) ++ goto unmap_error; + + dev_dbg(dev, "%s(): mapped 0x%p to %pad\n", __func__, + hwdesc, &ldesc->hwdesc_dma_addr); +@@ -737,6 +740,16 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan) + spin_unlock_irq(&chan->lock); + + return ARRAY_SIZE(dpage->desc); ++ ++unmap_error: ++ while (i--) { ++ ldesc--; hwdesc--; ++ ++ dma_unmap_single(dchan->device->dev, ldesc->hwdesc_dma_addr, ++ sizeof(hwdesc), DMA_TO_DEVICE); ++ } ++ ++ return -ENOMEM; + } + + static void nbpf_desc_put(struct nbpf_desc *desc) +-- +2.39.5 + diff --git a/queue-6.15/drivers-misc-sram-fix-up-some-const-issues-with-rece.patch b/queue-6.15/drivers-misc-sram-fix-up-some-const-issues-with-rece.patch new file mode 100644 index 0000000000..eeebb423ca --- /dev/null +++ b/queue-6.15/drivers-misc-sram-fix-up-some-const-issues-with-rece.patch @@ -0,0 +1,66 @@ +From 83a72ebaa75eeb1211b48404edfa1788fc9cc3f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 16:16:26 +0200 +Subject: drivers: misc: sram: fix up some const issues with recent attribute + changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kroah-Hartman + +[ Upstream commit bf7b4a0e25569ce39c6749afe363aefe5723d326 ] + +The binary attribute const changes recently for the sram driver were +made in a way that hid the fact that we would be casting a const pointer +to a non-const one. So explicitly make the cast so that it is obvious +and preserve the const pointer in the sram_reserve_cmp() function. + +Cc: Arnd Bergmann +Cc: Thomas Weißschuh +Fixes: c3b8c358c4f3 ("misc: sram: constify 'struct bin_attribute'") +Link: https://lore.kernel.org/r/2025052125-squid-sandstorm-a418@gregkh +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/sram.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c +index e5069882457e..c69644be4176 100644 +--- a/drivers/misc/sram.c ++++ b/drivers/misc/sram.c +@@ -28,7 +28,8 @@ static ssize_t sram_read(struct file *filp, struct kobject *kobj, + { + struct sram_partition *part; + +- part = container_of(attr, struct sram_partition, battr); ++ /* Cast away the const as the attribute is part of a larger structure */ ++ part = (struct sram_partition *)container_of(attr, struct sram_partition, battr); + + mutex_lock(&part->lock); + memcpy_fromio(buf, part->base + pos, count); +@@ -43,7 +44,8 @@ static ssize_t sram_write(struct file *filp, struct kobject *kobj, + { + struct sram_partition *part; + +- part = container_of(attr, struct sram_partition, battr); ++ /* Cast away the const as the attribute is part of a larger structure */ ++ part = (struct sram_partition *)container_of(attr, struct sram_partition, battr); + + mutex_lock(&part->lock); + memcpy_toio(part->base + pos, buf, count); +@@ -164,8 +166,8 @@ static void sram_free_partitions(struct sram_dev *sram) + static int sram_reserve_cmp(void *priv, const struct list_head *a, + const struct list_head *b) + { +- struct sram_reserve *ra = list_entry(a, struct sram_reserve, list); +- struct sram_reserve *rb = list_entry(b, struct sram_reserve, list); ++ const struct sram_reserve *ra = list_entry(a, struct sram_reserve, list); ++ const struct sram_reserve *rb = list_entry(b, struct sram_reserve, list); + + return ra->start - rb->start; + } +-- +2.39.5 + diff --git a/queue-6.15/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch b/queue-6.15/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch new file mode 100644 index 0000000000..553df6f2b7 --- /dev/null +++ b/queue-6.15/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch @@ -0,0 +1,44 @@ +From b2b59d50024edc03b451b76aefb1312b5c211836 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 23:26:17 +0300 +Subject: drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value + +From: Fedor Pchelkin + +[ Upstream commit a54e4639c4ef37a0241bac7d2a77f2e6ffb57099 ] + +There is a small typo in phm_wait_on_indirect_register(). + +Swap mask and value arguments provided to phm_wait_on_register() so that +they satisfy the function signature and actual usage scheme. + +Found by Linux Verification Center (linuxtesting.org) with Svace static +analysis tool. + +In practice this doesn't fix any issues because the only place this +function is used uses the same value for the value and mask. + +Fixes: 3bace3591493 ("drm/amd/powerplay: add hardware manager sub-component") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c +index 79a566f3564a..c305ea4ec17d 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c +@@ -149,7 +149,7 @@ int phm_wait_on_indirect_register(struct pp_hwmgr *hwmgr, + } + + cgs_write_register(hwmgr->device, indirect_port, index); +- return phm_wait_on_register(hwmgr, indirect_port + 1, mask, value); ++ return phm_wait_on_register(hwmgr, indirect_port + 1, value, mask); + } + + int phm_wait_for_register_unequal(struct pp_hwmgr *hwmgr, +-- +2.39.5 + diff --git a/queue-6.15/drm-amdgpu-gfx10-fix-kiq-locking-in-kcq-reset.patch b/queue-6.15/drm-amdgpu-gfx10-fix-kiq-locking-in-kcq-reset.patch new file mode 100644 index 0000000000..53d5463b80 --- /dev/null +++ b/queue-6.15/drm-amdgpu-gfx10-fix-kiq-locking-in-kcq-reset.patch @@ -0,0 +1,52 @@ +From 25af2784e8c1fe3a0f107678f8bdb84a4a1d51e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:56:35 -0400 +Subject: drm/amdgpu/gfx10: fix kiq locking in KCQ reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit a4b2ba8f631d3e44b30b9b46ee290fbfe608b7d0 ] + +The ring test needs to be inside the lock. + +Fixes: 097af47d3cfb ("drm/amdgpu/gfx10: wait for reset done before remap") +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: Jiadong Zhu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +index 2144d124c910..cd4605362a93 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -9567,9 +9567,8 @@ static int gfx_v10_0_reset_kcq(struct amdgpu_ring *ring, + kiq->pmf->kiq_unmap_queues(kiq_ring, ring, RESET_QUEUES, + 0, 0); + amdgpu_ring_commit(kiq_ring); +- spin_unlock_irqrestore(&kiq->ring_lock, flags); +- + r = amdgpu_ring_test_ring(kiq_ring); ++ spin_unlock_irqrestore(&kiq->ring_lock, flags); + if (r) + return r; + +@@ -9605,9 +9604,8 @@ static int gfx_v10_0_reset_kcq(struct amdgpu_ring *ring, + } + kiq->pmf->kiq_map_queues(kiq_ring, ring); + amdgpu_ring_commit(kiq_ring); +- spin_unlock_irqrestore(&kiq->ring_lock, flags); +- + r = amdgpu_ring_test_ring(kiq_ring); ++ spin_unlock_irqrestore(&kiq->ring_lock, flags); + if (r) + return r; + +-- +2.39.5 + diff --git a/queue-6.15/drm-amdgpu-gfx9-fix-kiq-locking-in-kcq-reset.patch b/queue-6.15/drm-amdgpu-gfx9-fix-kiq-locking-in-kcq-reset.patch new file mode 100644 index 0000000000..a5e60c0300 --- /dev/null +++ b/queue-6.15/drm-amdgpu-gfx9-fix-kiq-locking-in-kcq-reset.patch @@ -0,0 +1,40 @@ +From e22da16b643b168f550c8d8bec279b6c6776d6b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:38:27 -0400 +Subject: drm/amdgpu/gfx9: fix kiq locking in KCQ reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 730ea5074dac1b105717316be5d9c18b09829385 ] + +The ring test needs to be inside the lock. + +Fixes: fdbd69486b46 ("drm/amdgpu/gfx9: wait for reset done before remap") +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: Jiadong Zhu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index d725e2e230a3..59ea6e88bd9e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -7299,8 +7299,8 @@ static int gfx_v9_0_reset_kcq(struct amdgpu_ring *ring, + } + kiq->pmf->kiq_map_queues(kiq_ring, ring); + amdgpu_ring_commit(kiq_ring); +- spin_unlock_irqrestore(&kiq->ring_lock, flags); + r = amdgpu_ring_test_ring(kiq_ring); ++ spin_unlock_irqrestore(&kiq->ring_lock, flags); + if (r) { + DRM_ERROR("fail to remap queue\n"); + return r; +-- +2.39.5 + diff --git a/queue-6.15/drm-amdgpu-gfx9.4.3-fix-kiq-locking-in-kcq-reset.patch b/queue-6.15/drm-amdgpu-gfx9.4.3-fix-kiq-locking-in-kcq-reset.patch new file mode 100644 index 0000000000..6739dac0ab --- /dev/null +++ b/queue-6.15/drm-amdgpu-gfx9.4.3-fix-kiq-locking-in-kcq-reset.patch @@ -0,0 +1,41 @@ +From e2b897ede9b4b27fe6573f22646db2e1abddcbf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:42:23 -0400 +Subject: drm/amdgpu/gfx9.4.3: fix kiq locking in KCQ reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 08f116c59310728ea8b7e9dc3086569006c861cf ] + +The ring test needs to be inside the lock. + +Fixes: 4c953e53cc34 ("drm/amdgpu/gfx_9.4.3: wait for reset done before remap") +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: Jiadong Zhu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c +index 53fbf6ca7cdb..c386b2f4cbcc 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c +@@ -3572,9 +3572,8 @@ static int gfx_v9_4_3_reset_kcq(struct amdgpu_ring *ring, + } + kiq->pmf->kiq_map_queues(kiq_ring, ring); + amdgpu_ring_commit(kiq_ring); +- spin_unlock_irqrestore(&kiq->ring_lock, flags); +- + r = amdgpu_ring_test_ring(kiq_ring); ++ spin_unlock_irqrestore(&kiq->ring_lock, flags); + if (r) { + dev_err(adev->dev, "fail to remap queue\n"); + return r; +-- +2.39.5 + diff --git a/queue-6.15/drm-amdgpu-remove-nbiov7.9-replay-count-reporting.patch b/queue-6.15/drm-amdgpu-remove-nbiov7.9-replay-count-reporting.patch new file mode 100644 index 0000000000..9d24138f9c --- /dev/null +++ b/queue-6.15/drm-amdgpu-remove-nbiov7.9-replay-count-reporting.patch @@ -0,0 +1,70 @@ +From 9f821102dfd822c1015889788673b5c723ed65c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 13:29:11 +0530 +Subject: drm/amdgpu: Remove nbiov7.9 replay count reporting + +From: Lijo Lazar + +[ Upstream commit 0f566f0e9c614aa3d95082246f5b8c9e8a09c8b3 ] + +Direct pcie replay count reporting is not available on nbio v7.9. +Reporting is done through firmware. + +Signed-off-by: Lijo Lazar +Acked-by: Mangesh Gadre +Reviewed-by: Asad Kamal +Fixes: 50709d18f4a6 ("drm/amdgpu: Add pci replay count to nbio v7.9") +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c b/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c +index f23cb79110d6..3a78d035e128 100644 +--- a/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c ++++ b/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c +@@ -31,9 +31,6 @@ + + #define NPS_MODE_MASK 0x000000FFL + +-/* Core 0 Port 0 counter */ +-#define smnPCIEP_NAK_COUNTER 0x1A340218 +- + static void nbio_v7_9_remap_hdp_registers(struct amdgpu_device *adev) + { + WREG32_SOC15(NBIO, 0, regBIF_BX0_REMAP_HDP_MEM_FLUSH_CNTL, +@@ -463,22 +460,6 @@ static void nbio_v7_9_init_registers(struct amdgpu_device *adev) + } + } + +-static u64 nbio_v7_9_get_pcie_replay_count(struct amdgpu_device *adev) +-{ +- u32 val, nak_r, nak_g; +- +- if (adev->flags & AMD_IS_APU) +- return 0; +- +- /* Get the number of NAKs received and generated */ +- val = RREG32_PCIE(smnPCIEP_NAK_COUNTER); +- nak_r = val & 0xFFFF; +- nak_g = val >> 16; +- +- /* Add the total number of NAKs, i.e the number of replays */ +- return (nak_r + nak_g); +-} +- + #define MMIO_REG_HOLE_OFFSET 0x1A000 + + static void nbio_v7_9_set_reg_remap(struct amdgpu_device *adev) +@@ -520,7 +501,6 @@ const struct amdgpu_nbio_funcs nbio_v7_9_funcs = { + .get_memory_partition_mode = nbio_v7_9_get_memory_partition_mode, + .is_nps_switch_requested = nbio_v7_9_is_nps_switch_requested, + .init_registers = nbio_v7_9_init_registers, +- .get_pcie_replay_count = nbio_v7_9_get_pcie_replay_count, + .set_reg_remap = nbio_v7_9_set_reg_remap, + }; + +-- +2.39.5 + diff --git a/queue-6.15/drm-connector-hdmi-evaluate-limited-range-after-comp.patch b/queue-6.15/drm-connector-hdmi-evaluate-limited-range-after-comp.patch new file mode 100644 index 0000000000..e6ca05feb3 --- /dev/null +++ b/queue-6.15/drm-connector-hdmi-evaluate-limited-range-after-comp.patch @@ -0,0 +1,50 @@ +From 1aca361e5d8ed5a884d6aa6f3dae9673a8a4ad28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 15:11:09 +0300 +Subject: drm/connector: hdmi: Evaluate limited range after computing format + +From: Cristian Ciocaltea + +[ Upstream commit 21f627139652dd8329a88e281df6600f3866d238 ] + +Evaluating the requirement to use a limited RGB quantization range +involves a verification of the output format, among others, but this is +currently performed before actually computing the format, hence relying +on the old connector state. + +Move the call to hdmi_is_limited_range() after hdmi_compute_config() to +ensure the verification is done on the updated output format. + +Fixes: 027d43590649 ("drm/connector: hdmi: Add RGB Quantization Range to the connector state") +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Cristian Ciocaltea +Acked-by: Maxime Ripard +Link: https://lore.kernel.org/r/20250527-hdmi-conn-yuv-v5-1-74c9c4a8ac0c@collabora.com +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/display/drm_hdmi_state_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/display/drm_hdmi_state_helper.c b/drivers/gpu/drm/display/drm_hdmi_state_helper.c +index c205f37da1e1..6bc96d5d1ab9 100644 +--- a/drivers/gpu/drm/display/drm_hdmi_state_helper.c ++++ b/drivers/gpu/drm/display/drm_hdmi_state_helper.c +@@ -506,12 +506,12 @@ int drm_atomic_helper_connector_hdmi_check(struct drm_connector *connector, + if (!new_conn_state->crtc || !new_conn_state->best_encoder) + return 0; + +- new_conn_state->hdmi.is_limited_range = hdmi_is_limited_range(connector, new_conn_state); +- + ret = hdmi_compute_config(connector, new_conn_state, mode); + if (ret) + return ret; + ++ new_conn_state->hdmi.is_limited_range = hdmi_is_limited_range(connector, new_conn_state); ++ + ret = hdmi_generate_infoframes(connector, new_conn_state); + if (ret) + return ret; +-- +2.39.5 + diff --git a/queue-6.15/drm-msm-dpu-fill-in-min_prefill_lines-for-sc8180x.patch b/queue-6.15/drm-msm-dpu-fill-in-min_prefill_lines-for-sc8180x.patch new file mode 100644 index 0000000000..89768e3119 --- /dev/null +++ b/queue-6.15/drm-msm-dpu-fill-in-min_prefill_lines-for-sc8180x.patch @@ -0,0 +1,37 @@ +From 63283beb457e182c5a08a26b542fbaa663488c75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 14:50:03 +0200 +Subject: drm/msm/dpu: Fill in min_prefill_lines for SC8180X + +From: Konrad Dybcio + +[ Upstream commit 5136acc40afc0261802e5cb01b04f871bf6d876b ] + +Based on the downstream release, predictably same value as for SM8150. + +Signed-off-by: Konrad Dybcio +Fixes: f3af2d6ee9ab ("drm/msm/dpu: Add SC8180x to hw catalog") +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/657794/ +Link: https://lore.kernel.org/r/20250610-topic-dpu_8180_mpl-v1-1-f480cd22f11c@oss.qualcomm.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h +index e736eb73a7e6..49aed344d346 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h +@@ -383,6 +383,7 @@ static const struct dpu_perf_cfg sc8180x_perf_data = { + .min_core_ib = 2400000, + .min_llcc_ib = 800000, + .min_dram_ib = 800000, ++ .min_prefill_lines = 24, + .danger_lut_tbl = {0xf, 0xffff, 0x0}, + .safe_lut_tbl = {0xfff0, 0xf000, 0xffff}, + .qos_lut_tbl = { +-- +2.39.5 + diff --git a/queue-6.15/drm-panfrost-fix-panfrost-device-variable-name-in-de.patch b/queue-6.15/drm-panfrost-fix-panfrost-device-variable-name-in-de.patch new file mode 100644 index 0000000000..6f0245be75 --- /dev/null +++ b/queue-6.15/drm-panfrost-fix-panfrost-device-variable-name-in-de.patch @@ -0,0 +1,54 @@ +From 06a8fbd6c5a1ecee8504e15c11d3665a67cdea3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 18:44:02 +0100 +Subject: drm/panfrost: Fix panfrost device variable name in devfreq +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Adrián Larumbe + +[ Upstream commit 6048f5587614bb4919c54966913452c1a0a43138 ] + +Commit 64111a0e22a9 ("drm/panfrost: Fix incorrect updating of current +device frequency") was a Panfrost port of a similar fix in Panthor. + +Fix the Panfrost device pointer variable name so that it follows +Panfrost naming conventions. + +Signed-off-by: Adrián Larumbe +Fixes: 64111a0e22a9 ("drm/panfrost: Fix incorrect updating of current device frequency") +Reviewed-by: Boris Brezillon +Reviewed-by: Steven Price +Signed-off-by: Steven Price +Link: https://lore.kernel.org/r/20250520174634.353267-6-adrian.larumbe@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/panfrost_devfreq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_devfreq.c b/drivers/gpu/drm/panfrost/panfrost_devfreq.c +index 3385fd3ef41a..5d0dce10336b 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_devfreq.c ++++ b/drivers/gpu/drm/panfrost/panfrost_devfreq.c +@@ -29,7 +29,7 @@ static void panfrost_devfreq_update_utilization(struct panfrost_devfreq *pfdevfr + static int panfrost_devfreq_target(struct device *dev, unsigned long *freq, + u32 flags) + { +- struct panfrost_device *ptdev = dev_get_drvdata(dev); ++ struct panfrost_device *pfdev = dev_get_drvdata(dev); + struct dev_pm_opp *opp; + int err; + +@@ -40,7 +40,7 @@ static int panfrost_devfreq_target(struct device *dev, unsigned long *freq, + + err = dev_pm_opp_set_rate(dev, *freq); + if (!err) +- ptdev->pfdevfreq.current_frequency = *freq; ++ pfdev->pfdevfreq.current_frequency = *freq; + + return err; + } +-- +2.39.5 + diff --git a/queue-6.15/drm-panthor-add-missing-explicit-padding-in-drm_pant.patch b/queue-6.15/drm-panthor-add-missing-explicit-padding-in-drm_pant.patch new file mode 100644 index 0000000000..ce61811c83 --- /dev/null +++ b/queue-6.15/drm-panthor-add-missing-explicit-padding-in-drm_pant.patch @@ -0,0 +1,60 @@ +From b3830c39f4631819893bab12a753a5bfbf291c8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 10:09:31 +0200 +Subject: drm/panthor: Add missing explicit padding in drm_panthor_gpu_info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Boris Brezillon + +[ Upstream commit 95cbab48782bf62e4093837dc15ac6133902c12f ] + +drm_panthor_gpu_info::shader_present is currently automatically offset +by 4 byte to meet Arm's 32-bit/64-bit field alignment rules, but those +constraints don't stand on 32-bit x86 and cause a mismatch when running +an x86 binary in a user emulated environment like FEX. It's also +generally agreed that uAPIs should explicitly pad their struct fields, +which we originally intended to do, but a mistake slipped through during +the submission process, leading drm_panthor_gpu_info::shader_present to +be misaligned. + +This uAPI change doesn't break any of the existing users of panthor +which are either arm32 or arm64 where the 64-bit alignment of +u64 fields is already enforced a the compiler level. + +Changes in v2: +- Rename the garbage field into pad0 and adjust the comment accordingly +- Add Liviu's A-b + +Changes in v3: +- Add R-bs + +Fixes: 0f25e493a246 ("drm/panthor: Add uAPI") +Acked-by: Liviu Dudau +Reviewed-by: Adrián Larumbe +Reviewed-by: Steven Price +Link: https://lore.kernel.org/r/20250606080932.4140010-2-boris.brezillon@collabora.com +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +--- + include/uapi/drm/panthor_drm.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/include/uapi/drm/panthor_drm.h b/include/uapi/drm/panthor_drm.h +index 97e2c4510e69..dbb907eae443 100644 +--- a/include/uapi/drm/panthor_drm.h ++++ b/include/uapi/drm/panthor_drm.h +@@ -293,6 +293,9 @@ struct drm_panthor_gpu_info { + /** @as_present: Bitmask encoding the number of address-space exposed by the MMU. */ + __u32 as_present; + ++ /** @pad0: MBZ. */ ++ __u32 pad0; ++ + /** @shader_present: Bitmask encoding the shader cores exposed by the GPU. */ + __u64 shader_present; + +-- +2.39.5 + diff --git a/queue-6.15/drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch b/queue-6.15/drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch new file mode 100644 index 0000000000..721bdec6ac --- /dev/null +++ b/queue-6.15/drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch @@ -0,0 +1,52 @@ +From 4076b68c9bb64172af7fde2df43b743e97056f6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 11:15:59 +0800 +Subject: drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed + +From: Andy Yan + +[ Upstream commit 099593a28138b48feea5be8ce700e5bc4565e31d ] + +In the function drm_gem_fb_init_with_funcs, the framebuffer (fb) +and its corresponding object ID have already been registered. + +So we need to cleanup the drm framebuffer if the subsequent +execution of drm_gem_fb_afbc_init fails. + +Directly call drm_framebuffer_put to ensure that all fb related +resources are cleanup. + +Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc") +Signed-off-by: Andy Yan +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250509031607.2542187-1-andyshrk@163.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c +index dcc1f07632c3..5829ee061c61 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c +@@ -52,16 +52,9 @@ rockchip_fb_create(struct drm_device *dev, struct drm_file *file, + } + + if (drm_is_afbc(mode_cmd->modifier[0])) { +- int ret, i; +- + ret = drm_gem_fb_afbc_init(dev, mode_cmd, afbc_fb); + if (ret) { +- struct drm_gem_object **obj = afbc_fb->base.obj; +- +- for (i = 0; i < info->num_planes; ++i) +- drm_gem_object_put(obj[i]); +- +- kfree(afbc_fb); ++ drm_framebuffer_put(&afbc_fb->base); + return ERR_PTR(ret); + } + } +-- +2.39.5 + diff --git a/queue-6.15/drm-rockchip-vop2-fail-cleanly-if-missing-a-primary-.patch b/queue-6.15/drm-rockchip-vop2-fail-cleanly-if-missing-a-primary-.patch new file mode 100644 index 0000000000..0e8d225a75 --- /dev/null +++ b/queue-6.15/drm-rockchip-vop2-fail-cleanly-if-missing-a-primary-.patch @@ -0,0 +1,52 @@ +From 017d22dd32b4f023c0739362ab7717ddd579e629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 23:27:48 +0200 +Subject: drm/rockchip: vop2: fail cleanly if missing a primary plane for a + video-port + +From: Heiko Stuebner + +[ Upstream commit f9f68bf1d0efeadb6c427c9dbb30f307a7def19b ] + +Each window of a vop2 is usable by a specific set of video ports, so while +binding the vop2, we look through the list of available windows trying to +find one designated as primary-plane and usable by that specific port. + +The code later wants to use drm_crtc_init_with_planes with that found +primary plane, but nothing has checked so far if a primary plane was +actually found. + +For whatever reason, the rk3576 vp2 does not have a usable primary window +(if vp0 is also in use) which brought the issue to light and ended in a +null-pointer dereference further down. + +As we expect a primary-plane to exist for a video-port, add a check at +the end of the window-iteration and fail probing if none was found. + +Fixes: 604be85547ce ("drm/rockchip: Add VOP2 driver") +Reviewed-by: Andy Yan +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250610212748.1062375-1-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +index d0f5fea15e21..6b37ce3ee60b 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +@@ -2422,6 +2422,10 @@ static int vop2_create_crtcs(struct vop2 *vop2) + break; + } + } ++ ++ if (!vp->primary_plane) ++ return dev_err_probe(drm->dev, -ENOENT, ++ "no primary plane for vp %d\n", i); + } + + /* Register all unused window as overlay plane */ +-- +2.39.5 + diff --git a/queue-6.15/drm-rockchip-vop2-fix-the-update-of-layer-port-selec.patch b/queue-6.15/drm-rockchip-vop2-fix-the-update-of-layer-port-selec.patch new file mode 100644 index 0000000000..bde86a0764 --- /dev/null +++ b/queue-6.15/drm-rockchip-vop2-fix-the-update-of-layer-port-selec.patch @@ -0,0 +1,297 @@ +From 9e1f9cd0baa5d0c079c11837ddf6ab21c306f9ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 18:21:54 +0800 +Subject: drm/rockchip: vop2: Fix the update of LAYER/PORT select registers + when there are multi display output on rk3588/rk3568 + +From: Andy Yan + +[ Upstream commit 3e89a8c6835476aa782da80585dee9ddae651eea ] + +The all video ports of rk3568/rk3588 share the same OVL_LAYER_SEL +and OVL_PORT_SEL registers, and the configuration of these two registers +can be set to take effect when the vsync signal arrives at a certain Video +Port. + +If two threads for two display output choose to update these two registers +simultaneously to meet their own plane adjustment requirements(change plane +zpos or switch plane from one crtc to another), then no matter which Video +Port'svsync signal we choose to follow for these two registers, the display +output of the other Video Port will be abnormal. +This is because the configuration of this Video Port does not take +effect at the right time (its configuration should take effect when its +VSYNC signal arrives). + +In order to solve this problem, when performing plane migration or +change the zpos of planes, there are two things to be observed and +followed: + +1. When a plane is migrated from one VP to another, the configuration of + the layer can only take effect after the Port mux configuration is + enabled. + +2. When change the zpos of planes, we must ensure that the change for + the previous VP takes effect before we proceed to change the next VP. + Otherwise, the new configuration might overwrite the previous one for + the previous VP, or it could lead to the configuration of the previous + VP being take effect along with the VSYNC of the new VP. + +This issue only occurs in scenarios where multi-display output is enabled. + +Fixes: c5996e4ab109 ("drm/rockchip: vop2: Make overlay layer select register configuration take effect by vsync") +Signed-off-by: Andy Yan +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250421102156.424480-1-andyshrk@163.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 25 ++---- + drivers/gpu/drm/rockchip/rockchip_drm_vop2.h | 33 ++++++++ + drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 89 ++++++++++++++++++-- + 3 files changed, 122 insertions(+), 25 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +index 6b37ce3ee60b..186f6452a7d3 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +@@ -146,25 +146,6 @@ static void vop2_unlock(struct vop2 *vop2) + mutex_unlock(&vop2->vop2_lock); + } + +-/* +- * Note: +- * The write mask function is documented but missing on rk3566/8, writes +- * to these bits have no effect. For newer soc(rk3588 and following) the +- * write mask is needed for register writes. +- * +- * GLB_CFG_DONE_EN has no write mask bit. +- * +- */ +-static void vop2_cfg_done(struct vop2_video_port *vp) +-{ +- struct vop2 *vop2 = vp->vop2; +- u32 val = RK3568_REG_CFG_DONE__GLB_CFG_DONE_EN; +- +- val |= BIT(vp->id) | (BIT(vp->id) << 16); +- +- regmap_set_bits(vop2->map, RK3568_REG_CFG_DONE, val); +-} +- + static void vop2_win_disable(struct vop2_win *win) + { + vop2_win_write(win, VOP2_WIN_ENABLE, 0); +@@ -854,6 +835,11 @@ static void vop2_enable(struct vop2 *vop2) + if (vop2->version == VOP_VERSION_RK3588) + rk3588_vop2_power_domain_enable_all(vop2); + ++ if (vop2->version <= VOP_VERSION_RK3588) { ++ vop2->old_layer_sel = vop2_readl(vop2, RK3568_OVL_LAYER_SEL); ++ vop2->old_port_sel = vop2_readl(vop2, RK3568_OVL_PORT_SEL); ++ } ++ + vop2_writel(vop2, RK3568_REG_CFG_DONE, RK3568_REG_CFG_DONE__GLB_CFG_DONE_EN); + + /* +@@ -2728,6 +2714,7 @@ static int vop2_bind(struct device *dev, struct device *master, void *data) + return dev_err_probe(drm->dev, vop2->irq, "cannot find irq for vop2\n"); + + mutex_init(&vop2->vop2_lock); ++ mutex_init(&vop2->ovl_lock); + + ret = devm_request_irq(dev, vop2->irq, vop2_isr, IRQF_SHARED, dev_name(dev), vop2); + if (ret) +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.h b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.h +index fc3ecb9fcd95..fa5c56f16047 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.h ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.h +@@ -334,6 +334,19 @@ struct vop2 { + /* optional internal rgb encoder */ + struct rockchip_rgb *rgb; + ++ /* ++ * Used to record layer selection configuration on rk356x/rk3588 ++ * as register RK3568_OVL_LAYER_SEL and RK3568_OVL_PORT_SEL are ++ * shared for all the Video Ports. ++ */ ++ u32 old_layer_sel; ++ u32 old_port_sel; ++ /* ++ * Ensure that the updates to these two registers(RKK3568_OVL_LAYER_SEL/RK3568_OVL_PORT_SEL) ++ * take effect in sequence. ++ */ ++ struct mutex ovl_lock; ++ + /* must be put at the end of the struct */ + struct vop2_win win[]; + }; +@@ -727,6 +740,7 @@ enum dst_factor_mode { + #define RK3588_OVL_PORT_SEL__CLUSTER2 GENMASK(21, 20) + #define RK3568_OVL_PORT_SEL__CLUSTER1 GENMASK(19, 18) + #define RK3568_OVL_PORT_SEL__CLUSTER0 GENMASK(17, 16) ++#define RK3588_OVL_PORT_SET__PORT3_MUX GENMASK(15, 12) + #define RK3568_OVL_PORT_SET__PORT2_MUX GENMASK(11, 8) + #define RK3568_OVL_PORT_SET__PORT1_MUX GENMASK(7, 4) + #define RK3568_OVL_PORT_SET__PORT0_MUX GENMASK(3, 0) +@@ -831,4 +845,23 @@ static inline struct vop2_win *to_vop2_win(struct drm_plane *p) + return container_of(p, struct vop2_win, base); + } + ++/* ++ * Note: ++ * The write mask function is documented but missing on rk3566/8, writes ++ * to these bits have no effect. For newer soc(rk3588 and following) the ++ * write mask is needed for register writes. ++ * ++ * GLB_CFG_DONE_EN has no write mask bit. ++ * ++ */ ++static inline void vop2_cfg_done(struct vop2_video_port *vp) ++{ ++ struct vop2 *vop2 = vp->vop2; ++ u32 val = RK3568_REG_CFG_DONE__GLB_CFG_DONE_EN; ++ ++ val |= BIT(vp->id) | (BIT(vp->id) << 16); ++ ++ regmap_set_bits(vop2->map, RK3568_REG_CFG_DONE, val); ++} ++ + #endif /* _ROCKCHIP_DRM_VOP2_H */ +diff --git a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c +index 32c4ed685739..45c5e3987813 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c ++++ b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c +@@ -2052,12 +2052,55 @@ static void vop2_setup_alpha(struct vop2_video_port *vp) + } + } + ++static u32 rk3568_vop2_read_port_mux(struct vop2 *vop2) ++{ ++ return vop2_readl(vop2, RK3568_OVL_PORT_SEL); ++} ++ ++static void rk3568_vop2_wait_for_port_mux_done(struct vop2 *vop2) ++{ ++ u32 port_mux_sel; ++ int ret; ++ ++ /* ++ * Spin until the previous port_mux figuration is done. ++ */ ++ ret = readx_poll_timeout_atomic(rk3568_vop2_read_port_mux, vop2, port_mux_sel, ++ port_mux_sel == vop2->old_port_sel, 0, 50 * 1000); ++ if (ret) ++ DRM_DEV_ERROR(vop2->dev, "wait port_mux done timeout: 0x%x--0x%x\n", ++ port_mux_sel, vop2->old_port_sel); ++} ++ ++static u32 rk3568_vop2_read_layer_cfg(struct vop2 *vop2) ++{ ++ return vop2_readl(vop2, RK3568_OVL_LAYER_SEL); ++} ++ ++static void rk3568_vop2_wait_for_layer_cfg_done(struct vop2 *vop2, u32 cfg) ++{ ++ u32 atv_layer_cfg; ++ int ret; ++ ++ /* ++ * Spin until the previous layer configuration is done. ++ */ ++ ret = readx_poll_timeout_atomic(rk3568_vop2_read_layer_cfg, vop2, atv_layer_cfg, ++ atv_layer_cfg == cfg, 0, 50 * 1000); ++ if (ret) ++ DRM_DEV_ERROR(vop2->dev, "wait layer cfg done timeout: 0x%x--0x%x\n", ++ atv_layer_cfg, cfg); ++} ++ + static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp) + { + struct vop2 *vop2 = vp->vop2; + struct drm_plane *plane; + u32 layer_sel = 0; + u32 port_sel; ++ u32 old_layer_sel = 0; ++ u32 atv_layer_sel = 0; ++ u32 old_port_sel = 0; + u8 layer_id; + u8 old_layer_id; + u8 layer_sel_id; +@@ -2069,19 +2112,18 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp) + struct vop2_video_port *vp2 = &vop2->vps[2]; + struct rockchip_crtc_state *vcstate = to_rockchip_crtc_state(vp->crtc.state); + ++ mutex_lock(&vop2->ovl_lock); + ovl_ctrl = vop2_readl(vop2, RK3568_OVL_CTRL); + ovl_ctrl &= ~RK3568_OVL_CTRL__LAYERSEL_REGDONE_IMD; + ovl_ctrl &= ~RK3568_OVL_CTRL__LAYERSEL_REGDONE_SEL; +- ovl_ctrl |= FIELD_PREP(RK3568_OVL_CTRL__LAYERSEL_REGDONE_SEL, vp->id); + + if (vcstate->yuv_overlay) + ovl_ctrl |= RK3568_OVL_CTRL__YUV_MODE(vp->id); + else + ovl_ctrl &= ~RK3568_OVL_CTRL__YUV_MODE(vp->id); + +- vop2_writel(vop2, RK3568_OVL_CTRL, ovl_ctrl); +- +- port_sel = vop2_readl(vop2, RK3568_OVL_PORT_SEL); ++ old_port_sel = vop2->old_port_sel; ++ port_sel = old_port_sel; + port_sel &= RK3568_OVL_PORT_SEL__SEL_PORT; + + if (vp0->nlayers) +@@ -2102,7 +2144,13 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp) + else + port_sel |= FIELD_PREP(RK3568_OVL_PORT_SET__PORT2_MUX, 8); + +- layer_sel = vop2_readl(vop2, RK3568_OVL_LAYER_SEL); ++ /* Fixed value for rk3588 */ ++ if (vop2->version == VOP_VERSION_RK3588) ++ port_sel |= FIELD_PREP(RK3588_OVL_PORT_SET__PORT3_MUX, 7); ++ ++ atv_layer_sel = vop2_readl(vop2, RK3568_OVL_LAYER_SEL); ++ old_layer_sel = vop2->old_layer_sel; ++ layer_sel = old_layer_sel; + + ofs = 0; + for (i = 0; i < vp->id; i++) +@@ -2186,8 +2234,37 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp) + old_win->data->layer_sel_id[vp->id]); + } + ++ vop2->old_layer_sel = layer_sel; ++ vop2->old_port_sel = port_sel; ++ /* ++ * As the RK3568_OVL_LAYER_SEL and RK3568_OVL_PORT_SEL are shared by all Video Ports, ++ * and the configuration take effect by one Video Port's vsync. ++ * When performing layer migration or change the zpos of layers, there are two things ++ * to be observed and followed: ++ * 1. When a layer is migrated from one VP to another, the configuration of the layer ++ * can only take effect after the Port mux configuration is enabled. ++ * ++ * 2. When we change the zpos of layers, we must ensure that the change for the previous ++ * VP takes effect before we proceed to change the next VP. Otherwise, the new ++ * configuration might overwrite the previous one for the previous VP, or it could ++ * lead to the configuration of the previous VP being take effect along with the VSYNC ++ * of the new VP. ++ */ ++ if (layer_sel != old_layer_sel || port_sel != old_port_sel) ++ ovl_ctrl |= FIELD_PREP(RK3568_OVL_CTRL__LAYERSEL_REGDONE_SEL, vp->id); ++ vop2_writel(vop2, RK3568_OVL_CTRL, ovl_ctrl); ++ ++ if (port_sel != old_port_sel) { ++ vop2_writel(vop2, RK3568_OVL_PORT_SEL, port_sel); ++ vop2_cfg_done(vp); ++ rk3568_vop2_wait_for_port_mux_done(vop2); ++ } ++ ++ if (layer_sel != old_layer_sel && atv_layer_sel != old_layer_sel) ++ rk3568_vop2_wait_for_layer_cfg_done(vop2, vop2->old_layer_sel); ++ + vop2_writel(vop2, RK3568_OVL_LAYER_SEL, layer_sel); +- vop2_writel(vop2, RK3568_OVL_PORT_SEL, port_sel); ++ mutex_unlock(&vop2->ovl_lock); + } + + static void rk3568_vop2_setup_dly_for_windows(struct vop2_video_port *vp) +-- +2.39.5 + diff --git a/queue-6.15/drm-vmwgfx-fix-host-backed-userspace-on-guest-backed.patch b/queue-6.15/drm-vmwgfx-fix-host-backed-userspace-on-guest-backed.patch new file mode 100644 index 0000000000..f7f275eead --- /dev/null +++ b/queue-6.15/drm-vmwgfx-fix-host-backed-userspace-on-guest-backed.patch @@ -0,0 +1,42 @@ +From 491dd2b49ecc717c8618cff33a093e165666363c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 15:34:27 -0500 +Subject: drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel + +From: Ian Forbes + +[ Upstream commit 7872997c048e989c7689c2995d230fdca7798000 ] + +Running 3D applications with SVGA_FORCE_HOST_BACKED=1 or using an +ancient version of mesa was broken because the buffer was pinned in +VMW_BO_DOMAIN_SYS and could not be moved to VMW_BO_DOMAIN_MOB during +validation. + +The compat_shader buffer should not pinned. + +Fixes: 668b206601c5 ("drm/vmwgfx: Stop using raw ttm_buffer_object's") +Signed-off-by: Ian Forbes +Reviewed-by: Maaz Mombasawala +Signed-off-by: Zack Rusin +Link: https://lore.kernel.org/r/20250429203427.1742331-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c +index 7fb1c88bcc47..69dfe69ce0f8 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c +@@ -896,7 +896,7 @@ int vmw_compat_shader_add(struct vmw_private *dev_priv, + .busy_domain = VMW_BO_DOMAIN_SYS, + .bo_type = ttm_bo_type_device, + .size = size, +- .pin = true, ++ .pin = false, + .keep_resv = true, + }; + +-- +2.39.5 + diff --git a/queue-6.15/drm-xe-correct-bmg-vsec-header-sizing.patch b/queue-6.15/drm-xe-correct-bmg-vsec-header-sizing.patch new file mode 100644 index 0000000000..6e1f7700e5 --- /dev/null +++ b/queue-6.15/drm-xe-correct-bmg-vsec-header-sizing.patch @@ -0,0 +1,73 @@ +From 913ec27308992aa9d810bc44ae384d39764ed591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jul 2025 13:29:33 -0400 +Subject: drm/xe: Correct BMG VSEC header sizing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael J. Ruhl + +[ Upstream commit 5b27388171a18cf6842c700520086ec50194e858 ] + +The intel_vsec_header information for the crashlog feature is +incorrect. + +Update the VSEC header with correct sizing and count. + +Since the crashlog entries are "merged" (num_entries = 2), the +separate capabilities entries must be merged as well. + +Fixes: 0c45e76fcc62 ("drm/xe/vsec: Support BMG devices") +Acked-by: Rodrigo Vivi +Signed-off-by: Michael J. Ruhl +Reviewed-by: David E. Box +Link: https://lore.kernel.org/r/20250713172943.7335-4-michael.j.ruhl@intel.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_vsec.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_vsec.c b/drivers/gpu/drm/xe/xe_vsec.c +index 1bf7e709e110..56930ad42962 100644 +--- a/drivers/gpu/drm/xe/xe_vsec.c ++++ b/drivers/gpu/drm/xe/xe_vsec.c +@@ -33,30 +33,19 @@ static struct intel_vsec_header bmg_telemetry = { + .offset = BMG_DISCOVERY_OFFSET, + }; + +-static struct intel_vsec_header bmg_punit_crashlog = { ++static struct intel_vsec_header bmg_crashlog = { + .rev = 1, + .length = 0x10, + .id = VSEC_ID_CRASHLOG, +- .num_entries = 1, +- .entry_size = 4, ++ .num_entries = 2, ++ .entry_size = 6, + .tbir = 0, + .offset = BMG_DISCOVERY_OFFSET + 0x60, + }; + +-static struct intel_vsec_header bmg_oobmsm_crashlog = { +- .rev = 1, +- .length = 0x10, +- .id = VSEC_ID_CRASHLOG, +- .num_entries = 1, +- .entry_size = 4, +- .tbir = 0, +- .offset = BMG_DISCOVERY_OFFSET + 0x78, +-}; +- + static struct intel_vsec_header *bmg_capabilities[] = { + &bmg_telemetry, +- &bmg_punit_crashlog, +- &bmg_oobmsm_crashlog, ++ &bmg_crashlog, + NULL + }; + +-- +2.39.5 + diff --git a/queue-6.15/drm-xe-correct-the-rev-value-for-the-dvsec-entries.patch b/queue-6.15/drm-xe-correct-the-rev-value-for-the-dvsec-entries.patch new file mode 100644 index 0000000000..639d59b85d --- /dev/null +++ b/queue-6.15/drm-xe-correct-the-rev-value-for-the-dvsec-entries.patch @@ -0,0 +1,59 @@ +From 38b438d8a13093e707e8bea9310d16248f0f2bf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jul 2025 13:29:32 -0400 +Subject: drm/xe: Correct the rev value for the DVSEC entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael J. Ruhl + +[ Upstream commit 0ba9e9cf76f2487654bc9bca38218780fa53030e ] + +By definition, the Designated Vendor Specific Extended Capability +(DVSEC) revision should be 1. + +Add the rev value to be correct. + +Fixes: 0c45e76fcc62 ("drm/xe/vsec: Support BMG devices") +Signed-off-by: Michael J. Ruhl +Reviewed-by: David E. Box +Link: https://lore.kernel.org/r/20250713172943.7335-3-michael.j.ruhl@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_vsec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/xe/xe_vsec.c b/drivers/gpu/drm/xe/xe_vsec.c +index b378848d3b7b..1bf7e709e110 100644 +--- a/drivers/gpu/drm/xe/xe_vsec.c ++++ b/drivers/gpu/drm/xe/xe_vsec.c +@@ -24,6 +24,7 @@ + #define BMG_DEVICE_ID 0xE2F8 + + static struct intel_vsec_header bmg_telemetry = { ++ .rev = 1, + .length = 0x10, + .id = VSEC_ID_TELEMETRY, + .num_entries = 2, +@@ -33,6 +34,7 @@ static struct intel_vsec_header bmg_telemetry = { + }; + + static struct intel_vsec_header bmg_punit_crashlog = { ++ .rev = 1, + .length = 0x10, + .id = VSEC_ID_CRASHLOG, + .num_entries = 1, +@@ -42,6 +44,7 @@ static struct intel_vsec_header bmg_punit_crashlog = { + }; + + static struct intel_vsec_header bmg_oobmsm_crashlog = { ++ .rev = 1, + .length = 0x10, + .id = VSEC_ID_CRASHLOG, + .num_entries = 1, +-- +2.39.5 + diff --git a/queue-6.15/drm-xe-vf-disable-csc-support-on-vf.patch b/queue-6.15/drm-xe-vf-disable-csc-support-on-vf.patch new file mode 100644 index 0000000000..823110ef58 --- /dev/null +++ b/queue-6.15/drm-xe-vf-disable-csc-support-on-vf.patch @@ -0,0 +1,41 @@ +From 40b976751fbd4e5e43990956b1d33402a33248e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jul 2025 14:34:37 +0200 +Subject: drm/xe/vf: Disable CSC support on VF + +From: Lukasz Laguna + +[ Upstream commit f62408efc8669b82541295a4611494c8c8c52684 ] + +CSC is not accessible by VF drivers, so disable its support flag on VF +to prevent further initialization attempts. + +Fixes: e02cea83d32d ("drm/xe/gsc: add Battlemage support") +Signed-off-by: Lukasz Laguna +Cc: Alexander Usyskin +Cc: Michal Wajdeczko +Reviewed-by: Michal Wajdeczko +Signed-off-by: Michal Wajdeczko +Link: https://lore.kernel.org/r/20250729123437.5933-1-lukasz.laguna@intel.com +(cherry picked from commit 552dbba1caaf0cb40ce961806d757615e26ec668) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c +index f3123914b1ab..258c9616de19 100644 +--- a/drivers/gpu/drm/xe/xe_device.c ++++ b/drivers/gpu/drm/xe/xe_device.c +@@ -678,6 +678,7 @@ static void sriov_update_device_info(struct xe_device *xe) + /* disable features that are not available/applicable to VFs */ + if (IS_SRIOV_VF(xe)) { + xe->info.probe_display = 0; ++ xe->info.has_heci_cscfi = 0; + xe->info.has_heci_gscfi = 0; + xe->info.skip_guc_pc = 1; + xe->info.skip_pcode = 1; +-- +2.39.5 + diff --git a/queue-6.15/exfat-fdatasync-flag-should-be-same-like-generic_wri.patch b/queue-6.15/exfat-fdatasync-flag-should-be-same-like-generic_wri.patch new file mode 100644 index 0000000000..711296d2b6 --- /dev/null +++ b/queue-6.15/exfat-fdatasync-flag-should-be-same-like-generic_wri.patch @@ -0,0 +1,49 @@ +From a69fc996fa6245f73e2d419f85e7bd72f23ebf75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 09:33:31 +0800 +Subject: exfat: fdatasync flag should be same like generic_write_sync() + +From: Zhengxu Zhang + +[ Upstream commit 2f2d42a17b5a6711378d39df74f1f69a831c5d4e ] + +Test: androbench by default setting, use 64GB sdcard. + the random write speed: + without this patch 3.5MB/s + with this patch 7MB/s + +After patch "11a347fb6cef", the random write speed decreased significantly. +the .write_iter() interface had been modified, and check the differences +with generic_file_write_iter(), when calling generic_write_sync() and +exfat_file_write_iter() to call vfs_fsync_range(), the fdatasync flag is +wrong, and make not use the fdatasync mode, and make random write speed +decreased. So use generic_write_sync() instead of vfs_fsync_range(). + +Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength") +Signed-off-by: Zhengxu Zhang +Acked-by: Yuezhang Mo +Signed-off-by: Namjae Jeon +Signed-off-by: Sasha Levin +--- + fs/exfat/file.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/exfat/file.c b/fs/exfat/file.c +index 841a5b18e3df..7ac5126aa4f1 100644 +--- a/fs/exfat/file.c ++++ b/fs/exfat/file.c +@@ -623,9 +623,8 @@ static ssize_t exfat_file_write_iter(struct kiocb *iocb, struct iov_iter *iter) + if (pos > valid_size) + pos = valid_size; + +- if (iocb_is_dsync(iocb) && iocb->ki_pos > pos) { +- ssize_t err = vfs_fsync_range(file, pos, iocb->ki_pos - 1, +- iocb->ki_flags & IOCB_SYNC); ++ if (iocb->ki_pos > pos) { ++ ssize_t err = generic_write_sync(iocb, iocb->ki_pos - pos); + if (err < 0) + return err; + } +-- +2.39.5 + diff --git a/queue-6.15/ext4-fix-inode-use-after-free-in-ext4_end_io_rsv_wor.patch b/queue-6.15/ext4-fix-inode-use-after-free-in-ext4_end_io_rsv_wor.patch new file mode 100644 index 0000000000..58a962990b --- /dev/null +++ b/queue-6.15/ext4-fix-inode-use-after-free-in-ext4_end_io_rsv_wor.patch @@ -0,0 +1,83 @@ +From 1f921e126fe5f6efc74ca33b373d27dd71710e3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 19:15:04 +0800 +Subject: ext4: fix inode use after free in ext4_end_io_rsv_work() + +From: Baokun Li + +[ Upstream commit c678bdc998754589cea2e6afab9401d7d8312ac4 ] + +In ext4_io_end_defer_completion(), check if io_end->list_vec is empty to +avoid adding an io_end that requires no conversion to the +i_rsv_conversion_list, which in turn prevents starting an unnecessary +worker. An ext4_emergency_state() check is also added to avoid attempting +to abort the journal in an emergency state. + +Additionally, ext4_put_io_end_defer() is refactored to call +ext4_io_end_defer_completion() directly instead of being open-coded. +This also prevents starting an unnecessary worker when EXT4_IO_END_FAILED +is set but data_err=abort is not enabled. + +This ensures that the check in ext4_put_io_end_defer() is consistent with +the check in ext4_end_bio(). Otherwise, we might add an io_end to the +i_rsv_conversion_list and then call ext4_finish_bio(), after which the +inode could be freed before ext4_end_io_rsv_work() is called, triggering +a use-after-free issue. + +Fixes: ce51afb8cc5e ("ext4: abort journal on data writeback failure if in data_err=abort mode") +Signed-off-by: Baokun Li +Reviewed-by: Zhang Yi +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20250708111504.3208660-1-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/page-io.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c +index 179e54f3a3b6..3d8b0f6d2dea 100644 +--- a/fs/ext4/page-io.c ++++ b/fs/ext4/page-io.c +@@ -236,10 +236,12 @@ static void dump_completed_IO(struct inode *inode, struct list_head *head) + + static bool ext4_io_end_defer_completion(ext4_io_end_t *io_end) + { +- if (io_end->flag & EXT4_IO_END_UNWRITTEN) ++ if (io_end->flag & EXT4_IO_END_UNWRITTEN && ++ !list_empty(&io_end->list_vec)) + return true; + if (test_opt(io_end->inode->i_sb, DATA_ERR_ABORT) && +- io_end->flag & EXT4_IO_END_FAILED) ++ io_end->flag & EXT4_IO_END_FAILED && ++ !ext4_emergency_state(io_end->inode->i_sb)) + return true; + return false; + } +@@ -256,6 +258,7 @@ static void ext4_add_complete_io(ext4_io_end_t *io_end) + WARN_ON(!(io_end->flag & EXT4_IO_END_DEFER_COMPLETION)); + WARN_ON(io_end->flag & EXT4_IO_END_UNWRITTEN && + !io_end->handle && sbi->s_journal); ++ WARN_ON(!io_end->bio); + + spin_lock_irqsave(&ei->i_completed_io_lock, flags); + wq = sbi->rsv_conversion_wq; +@@ -318,12 +321,9 @@ ext4_io_end_t *ext4_init_io_end(struct inode *inode, gfp_t flags) + void ext4_put_io_end_defer(ext4_io_end_t *io_end) + { + if (refcount_dec_and_test(&io_end->count)) { +- if (io_end->flag & EXT4_IO_END_FAILED || +- (io_end->flag & EXT4_IO_END_UNWRITTEN && +- !list_empty(&io_end->list_vec))) { +- ext4_add_complete_io(io_end); +- return; +- } ++ if (ext4_io_end_defer_completion(io_end)) ++ return ext4_add_complete_io(io_end); ++ + ext4_release_io_end(io_end); + } + } +-- +2.39.5 + diff --git a/queue-6.15/ext4-make-sure-bh_new-bit-is-cleared-in-write_end-ha.patch b/queue-6.15/ext4-make-sure-bh_new-bit-is-cleared-in-write_end-ha.patch new file mode 100644 index 0000000000..7d5d713bbd --- /dev/null +++ b/queue-6.15/ext4-make-sure-bh_new-bit-is-cleared-in-write_end-ha.patch @@ -0,0 +1,76 @@ +From ff2ffdee78196b95c649421662998e64d9948f5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 10:48:32 +0200 +Subject: ext4: Make sure BH_New bit is cleared in ->write_end handler + +From: Jan Kara + +[ Upstream commit 91b8ca8b26729b729dda8a4eddb9aceaea706f37 ] + +Currently we clear BH_New bit in case of error and also in the standard +ext4_write_end() handler (in block_commit_write()). However +ext4_journalled_write_end() misses this clearing and thus we are leaving +stale BH_New bits behind. Generally ext4_block_write_begin() clears +these bits before any harm can be done but in case blocksize < pagesize +and we hit some error when processing a page with these stale bits, +we'll try to zero buffers with these stale BH_New bits and jbd2 will +complain (as buffers were not prepared for writing in this transaction). +Fix the problem by clearing BH_New bits in ext4_journalled_write_end() +and WARN if ext4_block_write_begin() sees stale BH_New bits. + +Reported-by: Baolin Liu +Reported-by: Zhi Long +Fixes: 3910b513fcdf ("ext4: persist the new uptodate buffers in ext4_journalled_zero_new_buffers") +Signed-off-by: Jan Kara +Link: https://patch.msgid.link/20250709084831.23876-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 2 ++ + fs/ext4/inode.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index e5e6bf0d338b..f27d9da53fb7 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -611,6 +611,7 @@ static int ext4_convert_inline_data_to_extent(struct address_space *mapping, + } else + ret = ext4_block_write_begin(handle, folio, from, to, + ext4_get_block); ++ clear_buffer_new(folio_buffers(folio)); + + if (!ret && ext4_should_journal_data(inode)) { + ret = ext4_walk_page_buffers(handle, inode, +@@ -890,6 +891,7 @@ static int ext4_da_convert_inline_data_to_extent(struct address_space *mapping, + return ret; + } + ++ clear_buffer_new(folio_buffers(folio)); + folio_mark_dirty(folio); + folio_mark_uptodate(folio); + ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 7fcdc01a0220..46bfb39f6108 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1065,7 +1065,7 @@ int ext4_block_write_begin(handle_t *handle, struct folio *folio, + } + continue; + } +- if (buffer_new(bh)) ++ if (WARN_ON_ONCE(buffer_new(bh))) + clear_buffer_new(bh); + if (!buffer_mapped(bh)) { + WARN_ON(bh->b_size != blocksize); +@@ -1282,6 +1282,7 @@ static int write_end_fn(handle_t *handle, struct inode *inode, + ret = ext4_dirty_journalled_data(handle, bh); + clear_buffer_meta(bh); + clear_buffer_prio(bh); ++ clear_buffer_new(bh); + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.15/f2fs-doc-fix-wrong-quota-mount-option-description.patch b/queue-6.15/f2fs-doc-fix-wrong-quota-mount-option-description.patch new file mode 100644 index 0000000000..7aa09f464c --- /dev/null +++ b/queue-6.15/f2fs-doc-fix-wrong-quota-mount-option-description.patch @@ -0,0 +1,40 @@ +From 13f91b763c1ec503b07c460a89e7082a16d9a013 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 14:49:25 +0800 +Subject: f2fs: doc: fix wrong quota mount option description + +From: Chao Yu + +[ Upstream commit 81b6ecca2f15922e8d653dc037df5871e754be6e ] + +We should use "{usr,grp,prj}jquota=" to disable journaled quota, +rather than using off{usr,grp,prj}jquota. + +Fixes: 4b2414d04e99 ("f2fs: support journalled quota") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/f2fs.rst | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/filesystems/f2fs.rst b/Documentation/filesystems/f2fs.rst +index e15c4275862a..edfd30b198f7 100644 +--- a/Documentation/filesystems/f2fs.rst ++++ b/Documentation/filesystems/f2fs.rst +@@ -236,9 +236,9 @@ usrjquota= Appoint specified file and type during mount, so that quota + grpjquota= information can be properly updated during recovery flow, + prjjquota= : must be in root directory; + jqfmt= : [vfsold,vfsv0,vfsv1]. +-offusrjquota Turn off user journalled quota. +-offgrpjquota Turn off group journalled quota. +-offprjjquota Turn off project journalled quota. ++usrjquota= Turn off user journalled quota. ++grpjquota= Turn off group journalled quota. ++prjjquota= Turn off project journalled quota. + quota Enable plain user disk quota accounting. + noquota Disable all plain disk quota option. + alloc_mode=%s Adjust block allocation policy, which supports "reuse" +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-bio-memleak-when-committing-super-block.patch b/queue-6.15/f2fs-fix-bio-memleak-when-committing-super-block.patch new file mode 100644 index 0000000000..507870d2de --- /dev/null +++ b/queue-6.15/f2fs-fix-bio-memleak-when-committing-super-block.patch @@ -0,0 +1,69 @@ +From 46e1f3a99e250b5f01209c4a06627342ae163fbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jun 2025 14:41:16 +0800 +Subject: f2fs: fix bio memleak when committing super block + +From: Sheng Yong + +[ Upstream commit 554d9b7242a73d701ce121ac81bb578a3fca538e ] + +When committing new super block, bio is allocated but not freed, and +kmemleak complains: + + unreferenced object 0xffff88801d185600 (size 192): + comm "kworker/3:2", pid 128, jiffies 4298624992 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 80 67 c3 00 81 88 ff ff .........g...... + 01 08 06 00 00 00 00 00 00 00 00 00 01 00 00 00 ................ + backtrace (crc 650ecdb1): + kmem_cache_alloc_noprof+0x3a9/0x460 + mempool_alloc_noprof+0x12f/0x310 + bio_alloc_bioset+0x1e2/0x7e0 + __f2fs_commit_super+0xe0/0x370 + f2fs_commit_super+0x4ed/0x8c0 + f2fs_record_error_work+0xc7/0x190 + process_one_work+0x7db/0x1970 + worker_thread+0x518/0xea0 + kthread+0x359/0x690 + ret_from_fork+0x34/0x70 + ret_from_fork_asm+0x1a/0x30 + +The issue can be reproduced by: + + mount /dev/vda /mnt + i=0 + while :; do + echo '[h]abc' > /sys/fs/f2fs/vda/extension_list + echo '[h]!abc' > /sys/fs/f2fs/vda/extension_list + echo scan > /sys/kernel/debug/kmemleak + dmesg | grep "new suspected memory leaks" + [ $? -eq 0 ] && break + i=$((i + 1)) + echo "$i" + done + umount /mnt + +Fixes: 5bcde4557862 ("f2fs: get rid of buffer_head use") +Signed-off-by: Sheng Yong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 86dd30eb50b1..f3d0495f3a5f 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -3446,6 +3446,7 @@ static int __f2fs_commit_super(struct f2fs_sb_info *sbi, struct folio *folio, + f2fs_bug_on(sbi, 1); + + ret = submit_bio_wait(bio); ++ bio_put(bio); + folio_end_writeback(folio); + + return ret; +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch b/queue-6.15/f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch new file mode 100644 index 0000000000..4a0c25c134 --- /dev/null +++ b/queue-6.15/f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch @@ -0,0 +1,47 @@ +From 625b6e39285f30c03e68291b18ac7895c0e09846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 16:35:37 +0530 +Subject: f2fs: fix KMSAN uninit-value in extent_info usage + +From: Abinash Singh + +[ Upstream commit 154467f4ad033473e5c903a03e7b9bca7df9a0fa ] + +KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` + and `__is_back_mergeable()` via the read extent tree path. + +The root cause is that `get_read_extent_info()` only initializes three +fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the +remaining fields uninitialized. This leads to undefined behavior +when those fields are accessed later, especially during +extent merging. + +Fix it by zero-initializing the `extent_info` struct before population. + +Reported-by: syzbot+b8c1d60e95df65e827d4@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b8c1d60e95df65e827d4 +Fixes: 94afd6d6e525 ("f2fs: extent cache: support unaligned extent") +Reviewed-by: Chao Yu +Signed-off-by: Abinash Singh +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/extent_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c +index 347b3b647834..c4d79ab0ae91 100644 +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -414,7 +414,7 @@ void f2fs_init_read_extent_tree(struct inode *inode, struct page *ipage) + struct f2fs_extent *i_ext = &F2FS_INODE(ipage)->i_ext; + struct extent_tree *et; + struct extent_node *en; +- struct extent_info ei; ++ struct extent_info ei = {0}; + + if (!__may_extent_tree(inode, EX_READ)) { + /* drop largest read extent */ +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-avoid-invalid-wait-context-issue.patch b/queue-6.15/f2fs-fix-to-avoid-invalid-wait-context-issue.patch new file mode 100644 index 0000000000..57ac793e32 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-avoid-invalid-wait-context-issue.patch @@ -0,0 +1,162 @@ +From 3e78a917617323b09afa2a53d3eed0400f222c75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 16:42:18 +0800 +Subject: f2fs: fix to avoid invalid wait context issue + +From: Chao Yu + +[ Upstream commit 90d5c9ba3ed91950f1546bf123a7a57cd958b452 ] + +============================= +[ BUG: Invalid wait context ] +6.13.0-rc1 #84 Tainted: G O +----------------------------- +cat/56160 is trying to lock: +ffff888105c86648 (&cprc->stat_lock){+.+.}-{3:3}, at: update_general_status+0x32a/0x8c0 [f2fs] +other info that might help us debug this: +context-{5:5} +2 locks held by cat/56160: + #0: ffff88810a002a98 (&p->lock){+.+.}-{4:4}, at: seq_read_iter+0x56/0x4c0 + #1: ffffffffa0462638 (f2fs_stat_lock){....}-{2:2}, at: stat_show+0x29/0x1020 [f2fs] +stack backtrace: +CPU: 0 UID: 0 PID: 56160 Comm: cat Tainted: G O 6.13.0-rc1 #84 +Tainted: [O]=OOT_MODULE +Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +Call Trace: + + dump_stack_lvl+0x88/0xd0 + dump_stack+0x14/0x20 + __lock_acquire+0x8d4/0xbb0 + lock_acquire+0xd6/0x300 + _raw_spin_lock+0x38/0x50 + update_general_status+0x32a/0x8c0 [f2fs] + stat_show+0x50/0x1020 [f2fs] + seq_read_iter+0x116/0x4c0 + seq_read+0xfa/0x130 + full_proxy_read+0x66/0x90 + vfs_read+0xc4/0x350 + ksys_read+0x74/0xf0 + __x64_sys_read+0x1d/0x20 + x64_sys_call+0x17d9/0x1b80 + do_syscall_64+0x68/0x130 + entry_SYSCALL_64_after_hwframe+0x67/0x6f +RIP: 0033:0x7f2ca53147e2 + +- seq_read + - stat_show + - raw_spin_lock_irqsave(&f2fs_stat_lock, flags) + : f2fs_stat_lock is raw_spinlock_t type variable + - update_general_status + - spin_lock(&sbi->cprc_info.stat_lock); + : stat_lock is spinlock_t type variable + +The root cause is the lock order is incorrect [1], we should not acquire +spinlock_t lock after raw_spinlock_t lock, as if CONFIG_PREEMPT_LOCK is +on, spinlock_t is implemented based on rtmutex, which can sleep after +holding the lock. + +To fix this issue, let's use change f2fs_stat_lock lock type from +raw_spinlock_t to spinlock_t, it's safe due to: +- we don't need to use raw version of spinlock as the path is not +performance sensitive. +- we don't need to use irqsave version of spinlock as it won't be +used in irq context. + +Quoted from [1]: + +"Extend lockdep to validate lock wait-type context. + +The current wait-types are: + + LD_WAIT_FREE, /* wait free, rcu etc.. */ + LD_WAIT_SPIN, /* spin loops, raw_spinlock_t etc.. */ + LD_WAIT_CONFIG, /* CONFIG_PREEMPT_LOCK, spinlock_t etc.. */ + LD_WAIT_SLEEP, /* sleeping locks, mutex_t etc.. */ + +Where lockdep validates that the current lock (the one being acquired) +fits in the current wait-context (as generated by the held stack). + +This ensures that there is no attempt to acquire mutexes while holding +spinlocks, to acquire spinlocks while holding raw_spinlocks and so on. In +other words, its a more fancy might_sleep()." + +[1] https://lore.kernel.org/all/20200321113242.427089655@linutronix.de + +Fixes: 98237fcda4a2 ("f2fs: use spin_lock to avoid hang") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/debug.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c +index 16c2dfb4f595..3417e7e550b2 100644 +--- a/fs/f2fs/debug.c ++++ b/fs/f2fs/debug.c +@@ -21,7 +21,7 @@ + #include "gc.h" + + static LIST_HEAD(f2fs_stat_list); +-static DEFINE_RAW_SPINLOCK(f2fs_stat_lock); ++static DEFINE_SPINLOCK(f2fs_stat_lock); + #ifdef CONFIG_DEBUG_FS + static struct dentry *f2fs_debugfs_root; + #endif +@@ -439,9 +439,8 @@ static int stat_show(struct seq_file *s, void *v) + { + struct f2fs_stat_info *si; + int i = 0, j = 0; +- unsigned long flags; + +- raw_spin_lock_irqsave(&f2fs_stat_lock, flags); ++ spin_lock(&f2fs_stat_lock); + list_for_each_entry(si, &f2fs_stat_list, stat_list) { + struct f2fs_sb_info *sbi = si->sbi; + +@@ -753,7 +752,7 @@ static int stat_show(struct seq_file *s, void *v) + seq_printf(s, " - paged : %llu KB\n", + si->page_mem >> 10); + } +- raw_spin_unlock_irqrestore(&f2fs_stat_lock, flags); ++ spin_unlock(&f2fs_stat_lock); + return 0; + } + +@@ -765,7 +764,6 @@ int f2fs_build_stats(struct f2fs_sb_info *sbi) + struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); + struct f2fs_stat_info *si; + struct f2fs_dev_stats *dev_stats; +- unsigned long flags; + int i; + + si = f2fs_kzalloc(sbi, sizeof(struct f2fs_stat_info), GFP_KERNEL); +@@ -817,9 +815,9 @@ int f2fs_build_stats(struct f2fs_sb_info *sbi) + + atomic_set(&sbi->max_aw_cnt, 0); + +- raw_spin_lock_irqsave(&f2fs_stat_lock, flags); ++ spin_lock(&f2fs_stat_lock); + list_add_tail(&si->stat_list, &f2fs_stat_list); +- raw_spin_unlock_irqrestore(&f2fs_stat_lock, flags); ++ spin_unlock(&f2fs_stat_lock); + + return 0; + } +@@ -827,11 +825,10 @@ int f2fs_build_stats(struct f2fs_sb_info *sbi) + void f2fs_destroy_stats(struct f2fs_sb_info *sbi) + { + struct f2fs_stat_info *si = F2FS_STAT(sbi); +- unsigned long flags; + +- raw_spin_lock_irqsave(&f2fs_stat_lock, flags); ++ spin_lock(&f2fs_stat_lock); + list_del(&si->stat_list); +- raw_spin_unlock_irqrestore(&f2fs_stat_lock, flags); ++ spin_unlock(&f2fs_stat_lock); + + kfree(si->dev_stats); + kfree(si); +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch b/queue-6.15/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch new file mode 100644 index 0000000000..858fc0f576 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch @@ -0,0 +1,60 @@ +From b7f53a87e4f210ce052f197365e126438f902248 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 15:14:50 +0800 +Subject: f2fs: fix to avoid out-of-boundary access in devs.path + +From: Chao Yu + +[ Upstream commit 5661998536af52848cc4d52a377e90368196edea ] + +- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123 +- truncate -s $((1024*1024*1024)) \ + /mnt/f2fs/012345678901234567890123456789012345678901234567890123 +- touch /mnt/f2fs/file +- truncate -s $((1024*1024*1024)) /mnt/f2fs/file +- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ + -c /mnt/f2fs/file +- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ + /mnt/f2fs/loop + +[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff +[16937.192268] F2FS-fs (loop0): Failed to find devices + +If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may +not end up w/ null character due to path array is fully filled, So +accidently, fields locate after path[] may be treated as part of +device path, result in parsing wrong device path. + +struct f2fs_dev_info { +... + char path[MAX_PATH_LEN]; +... +}; + +Let's add one byte space for sbi->devs.path[] to store null +character of device path string. + +Fixes: 3c62be17d4f5 ("f2fs: support multiple devices") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 34e4ae2a5f5b..8a8d15c219dc 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1273,7 +1273,7 @@ struct f2fs_bio_info { + struct f2fs_dev_info { + struct file *bdev_file; + struct block_device *bdev; +- char path[MAX_PATH_LEN]; ++ char path[MAX_PATH_LEN + 1]; + unsigned int total_segments; + block_t start_blk; + block_t end_blk; +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch b/queue-6.15/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch new file mode 100644 index 0000000000..b8b9659b27 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch @@ -0,0 +1,282 @@ +From 62bb69ff48927dfc46844de02518cde9b5e563b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 17:56:57 +0800 +Subject: f2fs: fix to avoid panic in f2fs_evict_inode + +From: Chao Yu + +[ Upstream commit a509a55f8eecc8970b3980c6f06886bbff0e2f68 ] + +As syzbot [1] reported as below: + +R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450 +R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 + +---[ end trace 0000000000000000 ]--- +================================================================== +BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 +Read of size 8 at addr ffff88812d962278 by task syz-executor/564 + +CPU: 1 PID: 564 Comm: syz-executor Tainted: G W 6.1.129-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +Call Trace: + + __dump_stack+0x21/0x24 lib/dump_stack.c:88 + dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106 + print_address_description+0x71/0x210 mm/kasan/report.c:316 + print_report+0x4a/0x60 mm/kasan/report.c:427 + kasan_report+0x122/0x150 mm/kasan/report.c:531 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351 + __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 + __list_del_entry include/linux/list.h:134 [inline] + list_del_init include/linux/list.h:206 [inline] + f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531 + f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585 + f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703 + f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731 + write_inode fs/fs-writeback.c:1460 [inline] + __writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677 + writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733 + sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789 + f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159 + block_operations fs/f2fs/checkpoint.c:1269 [inline] + f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658 + kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668 + deactivate_locked_super+0x98/0x100 fs/super.c:332 + deactivate_super+0xaf/0xe0 fs/super.c:363 + cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186 + __cleanup_mnt+0x19/0x20 fs/namespace.c:1193 + task_work_run+0x1c6/0x230 kernel/task_work.c:203 + exit_task_work include/linux/task_work.h:39 [inline] + do_exit+0x9fb/0x2410 kernel/exit.c:871 + do_group_exit+0x210/0x2d0 kernel/exit.c:1021 + __do_sys_exit_group kernel/exit.c:1032 [inline] + __se_sys_exit_group kernel/exit.c:1030 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030 + x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 +RIP: 0033:0x7f28b1b8e169 +Code: Unable to access opcode bytes at 0x7f28b1b8e13f. +RSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 +RBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360 +R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360 +R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 + + +Allocated by task 569: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 + kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505 + __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737 + slab_alloc_node mm/slub.c:3398 [inline] + slab_alloc mm/slub.c:3406 [inline] + __kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429 + alloc_inode_sb include/linux/fs.h:3245 [inline] + f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419 + alloc_inode fs/inode.c:261 [inline] + iget_locked+0x186/0x880 fs/inode.c:1373 + f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483 + f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487 + __lookup_slow+0x2a3/0x3d0 fs/namei.c:1690 + lookup_slow+0x57/0x70 fs/namei.c:1707 + walk_component+0x2e6/0x410 fs/namei.c:1998 + lookup_last fs/namei.c:2455 [inline] + path_lookupat+0x180/0x490 fs/namei.c:2479 + filename_lookup+0x1f0/0x500 fs/namei.c:2508 + vfs_statx+0x10b/0x660 fs/stat.c:229 + vfs_fstatat fs/stat.c:267 [inline] + vfs_lstat include/linux/fs.h:3424 [inline] + __do_sys_newlstat fs/stat.c:423 [inline] + __se_sys_newlstat+0xd5/0x350 fs/stat.c:417 + __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417 + x64_sys_call+0x393/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 + +Freed by task 13: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 + kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516 + ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:236 + __kasan_slab_free+0x11/0x20 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1724 [inline] + slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1750 + slab_free mm/slub.c:3661 [inline] + kmem_cache_free+0x12d/0x2a0 mm/slub.c:3683 + f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1562 + i_callback+0x4c/0x70 fs/inode.c:250 + rcu_do_batch+0x503/0xb80 kernel/rcu/tree.c:2297 + rcu_core+0x5a2/0xe70 kernel/rcu/tree.c:2557 + rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574 + handle_softirqs+0x178/0x500 kernel/softirq.c:578 + run_ksoftirqd+0x28/0x30 kernel/softirq.c:945 + smpboot_thread_fn+0x45a/0x8c0 kernel/smpboot.c:164 + kthread+0x270/0x310 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + +Last potentially related work creation: + kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486 + kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496 + call_rcu+0xd4/0xf70 kernel/rcu/tree.c:2845 + destroy_inode fs/inode.c:316 [inline] + evict+0x7da/0x870 fs/inode.c:720 + iput_final fs/inode.c:1834 [inline] + iput+0x62b/0x830 fs/inode.c:1860 + do_unlinkat+0x356/0x540 fs/namei.c:4397 + __do_sys_unlink fs/namei.c:4438 [inline] + __se_sys_unlink fs/namei.c:4436 [inline] + __x64_sys_unlink+0x49/0x50 fs/namei.c:4436 + x64_sys_call+0x958/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 + +The buggy address belongs to the object at ffff88812d961f20 + which belongs to the cache f2fs_inode_cache of size 1200 +The buggy address is located 856 bytes inside of + 1200-byte region [ffff88812d961f20, ffff88812d9623d0) + +The buggy address belongs to the physical page: +page:ffffea0004b65800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d960 +head:ffffea0004b65800 order:2 compound_mapcount:0 compound_pincount:0 +flags: 0x4000000000010200(slab|head|zone=1) +raw: 4000000000010200 0000000000000000 dead000000000122 ffff88810a94c500 +raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 2, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 569, tgid 568 (syz.2.16), ts 55943246141, free_ts 0 + set_page_owner include/linux/page_owner.h:31 [inline] + post_alloc_hook+0x1d0/0x1f0 mm/page_alloc.c:2532 + prep_new_page mm/page_alloc.c:2539 [inline] + get_page_from_freelist+0x2e63/0x2ef0 mm/page_alloc.c:4328 + __alloc_pages+0x235/0x4b0 mm/page_alloc.c:5605 + alloc_slab_page include/linux/gfp.h:-1 [inline] + allocate_slab mm/slub.c:1939 [inline] + new_slab+0xec/0x4b0 mm/slub.c:1992 + ___slab_alloc+0x6f6/0xb50 mm/slub.c:3180 + __slab_alloc+0x5e/0xa0 mm/slub.c:3279 + slab_alloc_node mm/slub.c:3364 [inline] + slab_alloc mm/slub.c:3406 [inline] + __kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc_lru+0x13f/0x220 mm/slub.c:3429 + alloc_inode_sb include/linux/fs.h:3245 [inline] + f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419 + alloc_inode fs/inode.c:261 [inline] + iget_locked+0x186/0x880 fs/inode.c:1373 + f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483 + f2fs_fill_super+0x3ad7/0x6bb0 fs/f2fs/super.c:4293 + mount_bdev+0x2ae/0x3e0 fs/super.c:1443 + f2fs_mount+0x34/0x40 fs/f2fs/super.c:4642 + legacy_get_tree+0xea/0x190 fs/fs_context.c:632 + vfs_get_tree+0x89/0x260 fs/super.c:1573 + do_new_mount+0x25a/0xa20 fs/namespace.c:3056 +page_owner free stack trace missing + +Memory state around the buggy address: + ffff88812d962100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88812d962180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88812d962200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88812d962280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88812d962300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +[1] https://syzkaller.appspot.com/x/report.txt?x=13448368580000 + +This bug can be reproduced w/ the reproducer [2], once we enable +CONFIG_F2FS_CHECK_FS config, the reproducer will trigger panic as below, +so the direct reason of this bug is the same as the one below patch [3] +fixed. + +kernel BUG at fs/f2fs/inode.c:857! +RIP: 0010:f2fs_evict_inode+0x1204/0x1a20 +Call Trace: + + evict+0x32a/0x7a0 + do_unlinkat+0x37b/0x5b0 + __x64_sys_unlink+0xad/0x100 + do_syscall_64+0x5a/0xb0 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +RIP: 0010:f2fs_evict_inode+0x1204/0x1a20 + +[2] https://syzkaller.appspot.com/x/repro.c?x=17495ccc580000 +[3] https://lore.kernel.org/linux-f2fs-devel/20250702120321.1080759-1-chao@kernel.org + +Tracepoints before panic: + +f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file1 +f2fs_unlink_exit: dev = (7,0), ino = 7, ret = 0 +f2fs_evict_inode: dev = (7,0), ino = 7, pino = 3, i_mode = 0x81ed, i_size = 10, i_nlink = 0, i_blocks = 0, i_advise = 0x0 +f2fs_truncate_node: dev = (7,0), ino = 7, nid = 8, block_address = 0x3c05 + +f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file3 +f2fs_unlink_exit: dev = (7,0), ino = 8, ret = 0 +f2fs_evict_inode: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 9000, i_nlink = 0, i_blocks = 24, i_advise = 0x4 +f2fs_truncate: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 0, i_nlink = 0, i_blocks = 24, i_advise = 0x4 +f2fs_truncate_blocks_enter: dev = (7,0), ino = 8, i_size = 0, i_blocks = 24, start file offset = 0 +f2fs_truncate_blocks_exit: dev = (7,0), ino = 8, ret = -2 + +The root cause is: in the fuzzed image, dnode #8 belongs to inode #7, +after inode #7 eviction, dnode #8 was dropped. + +However there is dirent that has ino #8, so, once we unlink file3, in +f2fs_evict_inode(), both f2fs_truncate() and f2fs_update_inode_page() +will fail due to we can not load node #8, result in we missed to call +f2fs_inode_synced() to clear inode dirty status. + +Let's fix this by calling f2fs_inode_synced() in error path of +f2fs_evict_inode(). + +PS: As I verified, the reproducer [2] can trigger this bug in v6.1.129, +but it failed in v6.16-rc4, this is because the testcase will stop due to +other corruption has been detected by f2fs: + +F2FS-fs (loop0): inconsistent node block, node_type:2, nid:8, node_footer[nid:8,ino:8,ofs:0,cpver:5013063228981249506,blkaddr:15366] +F2FS-fs (loop0): f2fs_lookup: inode (ino=9) has zero i_nlink + +Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing") +Closes: https://syzkaller.appspot.com/x/report.txt?x=13448368580000 +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index b9a1e428b23f..f3c5e6e7579b 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -934,6 +934,19 @@ void f2fs_evict_inode(struct inode *inode) + f2fs_update_inode_page(inode); + if (dquot_initialize_needed(inode)) + set_sbi_flag(sbi, SBI_QUOTA_NEED_REPAIR); ++ ++ /* ++ * If both f2fs_truncate() and f2fs_update_inode_page() failed ++ * due to fuzzed corrupted inode, call f2fs_inode_synced() to ++ * avoid triggering later f2fs_bug_on(). ++ */ ++ if (is_inode_flag_set(inode, FI_DIRTY_INODE)) { ++ f2fs_warn(sbi, ++ "f2fs_evict_inode: inode is dirty, ino:%lu", ++ inode->i_ino); ++ f2fs_inode_synced(inode); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ } + } + if (freeze_protected) + sb_end_intwrite(inode->i_sb); +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch b/queue-6.15/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch new file mode 100644 index 0000000000..e1904ef221 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch @@ -0,0 +1,235 @@ +From 67e943a947a626f584405b28fc8f5a87a39d1528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 17:53:39 +0800 +Subject: f2fs: fix to avoid UAF in f2fs_sync_inode_meta() + +From: Chao Yu + +[ Upstream commit 7c30d79930132466f5be7d0b57add14d1a016bda ] + +syzbot reported an UAF issue as below: [1] [2] + +[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000 + +================================================================== +BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 +Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8 + +CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +Workqueue: writeback wb_workfn (flush-7:0) +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:316 [inline] + print_report+0x158/0x4e0 mm/kasan/report.c:427 + kasan_report+0x13c/0x170 mm/kasan/report.c:531 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351 + __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 + __list_del_entry include/linux/list.h:134 [inline] + list_del_init include/linux/list.h:206 [inline] + f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553 + f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588 + f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706 + f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734 + write_inode fs/fs-writeback.c:1460 [inline] + __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677 + writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903 + __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974 + wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081 + wb_check_background_flush fs/fs-writeback.c:2151 [inline] + wb_do_writeback fs/fs-writeback.c:2239 [inline] + wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266 + process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299 + worker_thread+0xa60/0x1260 kernel/workqueue.c:2446 + kthread+0x26d/0x300 kernel/kthread.c:386 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + + +Allocated by task 298: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 + kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 + __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333 + kasan_slab_alloc include/linux/kasan.h:202 [inline] + slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768 + slab_alloc_node mm/slub.c:3421 [inline] + slab_alloc mm/slub.c:3431 [inline] + __kmem_cache_alloc_lru mm/slub.c:3438 [inline] + kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454 + alloc_inode_sb include/linux/fs.h:3255 [inline] + f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437 + alloc_inode fs/inode.c:261 [inline] + iget_locked+0x18c/0x7e0 fs/inode.c:1373 + f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486 + f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484 + __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689 + lookup_slow+0x5a/0x80 fs/namei.c:1706 + walk_component+0x2e7/0x410 fs/namei.c:1997 + lookup_last fs/namei.c:2454 [inline] + path_lookupat+0x16d/0x450 fs/namei.c:2478 + filename_lookup+0x251/0x600 fs/namei.c:2507 + vfs_statx+0x107/0x4b0 fs/stat.c:229 + vfs_fstatat fs/stat.c:267 [inline] + vfs_lstat include/linux/fs.h:3434 [inline] + __do_sys_newlstat fs/stat.c:423 [inline] + __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417 + __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417 + x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 + +Freed by task 0: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516 + ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241 + __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 + kasan_slab_free include/linux/kasan.h:178 [inline] + slab_free_hook mm/slub.c:1745 [inline] + slab_free_freelist_hook mm/slub.c:1771 [inline] + slab_free mm/slub.c:3686 [inline] + kmem_cache_free+0x291/0x560 mm/slub.c:3711 + f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1584 + i_callback+0x4b/0x70 fs/inode.c:250 + rcu_do_batch+0x552/0xbe0 kernel/rcu/tree.c:2297 + rcu_core+0x502/0xf40 kernel/rcu/tree.c:2557 + rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574 + handle_softirqs+0x1db/0x650 kernel/softirq.c:624 + __do_softirq kernel/softirq.c:662 [inline] + invoke_softirq kernel/softirq.c:479 [inline] + __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711 + irq_exit_rcu+0x9/0x10 kernel/softirq.c:723 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline] + sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118 + asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691 + +Last potentially related work creation: + kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486 + kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496 + __call_rcu_common kernel/rcu/tree.c:2807 [inline] + call_rcu+0xdc/0x10f0 kernel/rcu/tree.c:2926 + destroy_inode fs/inode.c:316 [inline] + evict+0x87d/0x930 fs/inode.c:720 + iput_final fs/inode.c:1834 [inline] + iput+0x616/0x690 fs/inode.c:1860 + do_unlinkat+0x4e1/0x920 fs/namei.c:4396 + __do_sys_unlink fs/namei.c:4437 [inline] + __se_sys_unlink fs/namei.c:4435 [inline] + __x64_sys_unlink+0x49/0x50 fs/namei.c:4435 + x64_sys_call+0x289/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 + +The buggy address belongs to the object at ffff888100567a10 + which belongs to the cache f2fs_inode_cache of size 1360 +The buggy address is located 952 bytes inside of + 1360-byte region [ffff888100567a10, ffff888100567f60) + +The buggy address belongs to the physical page: +page:ffffea0004015800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100560 +head:ffffea0004015800 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x4000000000010200(slab|head|zone=1) +raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c4d80 +raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor330), ts 26489303743, free_ts 0 + set_page_owner include/linux/page_owner.h:33 [inline] + post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637 + prep_new_page+0x1b/0x110 mm/page_alloc.c:2644 + get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539 + __alloc_pages+0x234/0x610 mm/page_alloc.c:5837 + alloc_slab_page+0x6c/0xf0 include/linux/gfp.h:-1 + allocate_slab mm/slub.c:1962 [inline] + new_slab+0x90/0x3e0 mm/slub.c:2015 + ___slab_alloc+0x6f9/0xb80 mm/slub.c:3203 + __slab_alloc+0x5d/0xa0 mm/slub.c:3302 + slab_alloc_node mm/slub.c:3387 [inline] + slab_alloc mm/slub.c:3431 [inline] + __kmem_cache_alloc_lru mm/slub.c:3438 [inline] + kmem_cache_alloc_lru+0x149/0x270 mm/slub.c:3454 + alloc_inode_sb include/linux/fs.h:3255 [inline] + f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437 + alloc_inode fs/inode.c:261 [inline] + iget_locked+0x18c/0x7e0 fs/inode.c:1373 + f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486 + f2fs_fill_super+0x5360/0x6dc0 fs/f2fs/super.c:4488 + mount_bdev+0x282/0x3b0 fs/super.c:1445 + f2fs_mount+0x34/0x40 fs/f2fs/super.c:4743 + legacy_get_tree+0xf1/0x190 fs/fs_context.c:632 +page_owner free stack trace missing + +Memory state around the buggy address: + ffff888100567c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888100567d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888100567d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888100567e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888100567e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +[2] https://syzkaller.appspot.com/text?tag=CrashLog&x=13654c60580000 + +[ 24.675720][ T28] audit: type=1400 audit(1745327318.732:72): avc: denied { write } for pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 +[ 24.705426][ T296] ------------[ cut here ]------------ +[ 24.706608][ T28] audit: type=1400 audit(1745327318.732:73): avc: denied { remove_name } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 +[ 24.711550][ T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540 +[ 24.734141][ T28] audit: type=1400 audit(1745327318.732:74): avc: denied { rename } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 +[ 24.742969][ T296] Modules linked in: +[ 24.765201][ T28] audit: type=1400 audit(1745327318.732:75): avc: denied { add_name } for pid=298 comm="syz-executor399" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 +[ 24.768847][ T296] CPU: 0 PID: 296 Comm: syz-executor399 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0 +[ 24.799506][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +[ 24.809401][ T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540 +[ 24.815018][ T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61 +[ 24.834584][ T296] RSP: 0018:ffffc90000db7a40 EFLAGS: 00010293 +[ 24.840465][ T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888110948000 +[ 24.848291][ T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 +[ 24.856064][ T296] RBP: ffffc90000db7bb0 R08: ffffffff822ac6a8 R09: ffffed10200b005d +[ 24.864073][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100580000 +[ 24.871812][ T296] R13: dffffc0000000000 R14: ffff88810fef4078 R15: 1ffff920001b6f5c + +The root cause is w/ a fuzzed image, f2fs may missed to clear FI_DIRTY_INODE +flag for target inode, after f2fs_evict_inode(), the inode is still linked in +sbi->inode_list[DIRTY_META] global list, once it triggers checkpoint, +f2fs_sync_inode_meta() may access the released inode. + +In f2fs_evict_inode(), let's always call f2fs_inode_synced() to clear +FI_DIRTY_INODE flag and drop inode from global dirty list to avoid this +UAF issue. + +Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing") +Closes: https://syzkaller.appspot.com/bug?extid=849174b2efaf0d8be6ba +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index f5991e8751b9..b9a1e428b23f 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -950,8 +950,12 @@ void f2fs_evict_inode(struct inode *inode) + if (likely(!f2fs_cp_error(sbi) && + !is_sbi_flag_set(sbi, SBI_CP_DISABLED))) + f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE)); +- else +- f2fs_inode_synced(inode); ++ ++ /* ++ * anyway, it needs to remove the inode from sbi->inode_list[DIRTY_META] ++ * list to avoid UAF in f2fs_sync_inode_meta() during checkpoint. ++ */ ++ f2fs_inode_synced(inode); + + /* for the case f2fs_new_inode() was failed, .i_ino is zero, skip it */ + if (inode->i_ino) +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-calculate-dirty-data-during-has_not_enou.patch b/queue-6.15/f2fs-fix-to-calculate-dirty-data-during-has_not_enou.patch new file mode 100644 index 0000000000..a3b8015476 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-calculate-dirty-data-during-has_not_enou.patch @@ -0,0 +1,40 @@ +From bec9217ee24023fd8b20b1437f92a36a58a82aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jul 2025 16:01:43 +0800 +Subject: f2fs: fix to calculate dirty data during has_not_enough_free_secs() + +From: Chao Yu + +[ Upstream commit e194e140ab7de2ce2782e64b9e086a43ca6ff4f2 ] + +In lfs mode, dirty data needs OPU, we'd better calculate lower_p and +upper_p w/ them during has_not_enough_free_secs(), otherwise we may +encounter out-of-space issue due to we missed to reclaim enough +free section w/ foreground gc. + +Fixes: 36abef4e796d ("f2fs: introduce mode=lfs mount option") +Cc: Daeho Jeong +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 4c3a0d54be7e..4e0a56f10780 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -623,8 +623,7 @@ static inline void __get_secs_required(struct f2fs_sb_info *sbi, + unsigned int dent_blocks = total_dent_blocks % CAP_BLKS_PER_SEC(sbi); + unsigned int data_blocks = 0; + +- if (f2fs_lfs_mode(sbi) && +- unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) { ++ if (f2fs_lfs_mode(sbi)) { + total_data_blocks = get_pages(sbi, F2FS_DIRTY_DATA); + data_secs = total_data_blocks / CAP_BLKS_PER_SEC(sbi); + data_blocks = total_data_blocks % CAP_BLKS_PER_SEC(sbi); +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-check-upper-boundary-for-gc_no_zoned_gc_.patch b/queue-6.15/f2fs-fix-to-check-upper-boundary-for-gc_no_zoned_gc_.patch new file mode 100644 index 0000000000..731c80dd67 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-check-upper-boundary-for-gc_no_zoned_gc_.patch @@ -0,0 +1,42 @@ +From 123134b8541be21c736c44c84d4b0b83c08fd535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 10:38:18 +0800 +Subject: f2fs: fix to check upper boundary for gc_no_zoned_gc_percent + +From: Chao Yu + +[ Upstream commit a919ae794ad2dc6d04b3eea2f9bc86332c1630cc ] + +This patch adds missing upper boundary check while setting +gc_no_zoned_gc_percent via sysfs. + +Fixes: 9a481a1c16f4 ("f2fs: create gc_no_zoned_gc_percent and gc_boost_zoned_gc_percent") +Cc: Daeho Jeong +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index db5418f72ff8..05e5d8316c70 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -621,6 +621,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a, + return count; + } + ++ if (!strcmp(a->attr.name, "gc_no_zoned_gc_percent")) { ++ if (t > 100) ++ return -EINVAL; ++ *ui = (unsigned int)t; ++ return count; ++ } ++ + if (!strcmp(a->attr.name, "gc_boost_zoned_gc_percent")) { + if (t > 100) + return -EINVAL; +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-check-upper-boundary-for-gc_valid_thresh.patch b/queue-6.15/f2fs-fix-to-check-upper-boundary-for-gc_valid_thresh.patch new file mode 100644 index 0000000000..20eca55162 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-check-upper-boundary-for-gc_valid_thresh.patch @@ -0,0 +1,42 @@ +From 346eec284b58a2ae994114c9a21d5846451f640c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 10:38:17 +0800 +Subject: f2fs: fix to check upper boundary for gc_valid_thresh_ratio + +From: Chao Yu + +[ Upstream commit 7a96d1d73ce9de5041e891a623b722f900651561 ] + +This patch adds missing upper boundary check while setting +gc_valid_thresh_ratio via sysfs. + +Fixes: e791d00bd06c ("f2fs: add valid block ratio not to do excessive GC for one time GC") +Cc: Daeho Jeong +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 932df15df328..db5418f72ff8 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -628,6 +628,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a, + return count; + } + ++ if (!strcmp(a->attr.name, "gc_valid_thresh_ratio")) { ++ if (t > 100) ++ return -EINVAL; ++ *ui = (unsigned int)t; ++ return count; ++ } ++ + #ifdef CONFIG_F2FS_IOSTAT + if (!strcmp(a->attr.name, "iostat_enable")) { + sbi->iostat_enable = !!t; +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-check-upper-boundary-for-value-of-gc_boo.patch b/queue-6.15/f2fs-fix-to-check-upper-boundary-for-value-of-gc_boo.patch new file mode 100644 index 0000000000..8643ff0c11 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-check-upper-boundary-for-value-of-gc_boo.patch @@ -0,0 +1,42 @@ +From 8268208ca4347ff5c0ef32fca265b562c44333e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 09:14:07 +0900 +Subject: f2fs: fix to check upper boundary for value of + gc_boost_zoned_gc_percent + +From: yohan.joung + +[ Upstream commit 10dcaa56ef93f2a45e4c3fec27d8e1594edad110 ] + +to check the upper boundary when setting gc_boost_zoned_gc_percent + +Fixes: 9a481a1c16f4 ("f2fs: create gc_no_zoned_gc_percent and gc_boost_zoned_gc_percent") +Signed-off-by: yohan.joung +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index c69161366467..932df15df328 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -621,6 +621,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a, + return count; + } + ++ if (!strcmp(a->attr.name, "gc_boost_zoned_gc_percent")) { ++ if (t > 100) ++ return -EINVAL; ++ *ui = (unsigned int)t; ++ return count; ++ } ++ + #ifdef CONFIG_F2FS_IOSTAT + if (!strcmp(a->attr.name, "iostat_enable")) { + sbi->iostat_enable = !!t; +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_bl.patch b/queue-6.15/f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_bl.patch new file mode 100644 index 0000000000..08e1548bf0 --- /dev/null +++ b/queue-6.15/f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_bl.patch @@ -0,0 +1,67 @@ +From 696dc0ee9e7e041013e9076b5d82384da711ed70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jul 2025 16:01:44 +0800 +Subject: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs + mode + +From: Chao Yu + +[ Upstream commit 1005a3ca28e90c7a64fa43023f866b960a60f791 ] + +w/ "mode=lfs" mount option, generic/299 will cause system panic as below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/segment.c:2835! +Call Trace: + + f2fs_allocate_data_block+0x6f4/0xc50 + f2fs_map_blocks+0x970/0x1550 + f2fs_iomap_begin+0xb2/0x1e0 + iomap_iter+0x1d6/0x430 + __iomap_dio_rw+0x208/0x9a0 + f2fs_file_write_iter+0x6b3/0xfa0 + aio_write+0x15d/0x2e0 + io_submit_one+0x55e/0xab0 + __x64_sys_io_submit+0xa5/0x230 + do_syscall_64+0x84/0x2f0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0010:new_curseg+0x70f/0x720 + +The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may +trigger foreground gc only if it allocates any physical block, it will be +a little bit later when there is multiple threads writing data w/ +aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so +f2fs_map_blocks() does block allocations aggressively. + +In order to fix this issue, let's give a chance to trigger foreground +gc in prior to block allocation in f2fs_map_blocks(). + +Fixes: 36abef4e796d ("f2fs: introduce mode=lfs mount option") +Cc: Daeho Jeong +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 84d45e58a5ff..80eb44dfe0f1 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -1572,8 +1572,11 @@ int f2fs_map_blocks(struct inode *inode, struct f2fs_map_blocks *map, int flag) + end = pgofs + maxblocks; + + next_dnode: +- if (map->m_may_create) ++ if (map->m_may_create) { ++ if (f2fs_lfs_mode(sbi)) ++ f2fs_balance_fs(sbi, true); + f2fs_map_lock(sbi, flag); ++ } + + /* When reading holes, we need its node page */ + set_new_dnode(&dn, inode, NULL, NULL, 0); +-- +2.39.5 + diff --git a/queue-6.15/f2fs-fix-to-update-upper_p-in-__get_secs_required-co.patch b/queue-6.15/f2fs-fix-to-update-upper_p-in-__get_secs_required-co.patch new file mode 100644 index 0000000000..1ab86aecbe --- /dev/null +++ b/queue-6.15/f2fs-fix-to-update-upper_p-in-__get_secs_required-co.patch @@ -0,0 +1,37 @@ +From e5f19d122266f76a6439929969954f761f880bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jul 2025 16:01:42 +0800 +Subject: f2fs: fix to update upper_p in __get_secs_required() correctly + +From: Chao Yu + +[ Upstream commit 6840faddb65683b4e7bd8196f177b038a1e19faf ] + +Commit 1acd73edbbfe ("f2fs: fix to account dirty data in __get_secs_required()") +missed to calculate upper_p w/ data_secs, fix it. + +Fixes: 1acd73edbbfe ("f2fs: fix to account dirty data in __get_secs_required()") +Cc: Daeho Jeong +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 503f6df690bf..4c3a0d54be7e 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -633,7 +633,7 @@ static inline void __get_secs_required(struct f2fs_sb_info *sbi, + if (lower_p) + *lower_p = node_secs + dent_secs + data_secs; + if (upper_p) +- *upper_p = node_secs + dent_secs + ++ *upper_p = node_secs + dent_secs + data_secs + + (node_blocks ? 1 : 0) + (dent_blocks ? 1 : 0) + + (data_blocks ? 1 : 0); + if (curseg_p) +-- +2.39.5 + diff --git a/queue-6.15/f2fs-turn-off-one_time-when-forcibly-set-to-foregrou.patch b/queue-6.15/f2fs-turn-off-one_time-when-forcibly-set-to-foregrou.patch new file mode 100644 index 0000000000..2b15013850 --- /dev/null +++ b/queue-6.15/f2fs-turn-off-one_time-when-forcibly-set-to-foregrou.patch @@ -0,0 +1,36 @@ +From 9803cf648fe461fd667c5e35b8fe50cfae30f6c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 11:49:04 -0700 +Subject: f2fs: turn off one_time when forcibly set to foreground GC + +From: Daeho Jeong + +[ Upstream commit 8142daf8a53806689186ee255cc02f89af7f8890 ] + +one_time mode is only for background GC. So, we need to set it back to +false when foreground GC is enforced. + +Fixes: 9748c2ddea4a ("f2fs: do FG_GC when GC boosting is required for zoned devices") +Signed-off-by: Daeho Jeong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/gc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 8b5a55b72264..67f04d140e0f 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1893,6 +1893,7 @@ int f2fs_gc(struct f2fs_sb_info *sbi, struct f2fs_gc_control *gc_control) + /* Let's run FG_GC, if we don't have enough space. */ + if (has_not_enough_free_secs(sbi, 0, 0)) { + gc_type = FG_GC; ++ gc_control->one_time = false; + + /* + * For example, if there are many prefree_segments below given +-- +2.39.5 + diff --git a/queue-6.15/f2fs-vm_unmap_ram-may-be-called-from-an-invalid-cont.patch b/queue-6.15/f2fs-vm_unmap_ram-may-be-called-from-an-invalid-cont.patch new file mode 100644 index 0000000000..eeee9486ca --- /dev/null +++ b/queue-6.15/f2fs-vm_unmap_ram-may-be-called-from-an-invalid-cont.patch @@ -0,0 +1,79 @@ +From 8009ec2592e6f650ccbc25d10d58b90c58eb4564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jul 2025 17:31:15 +0200 +Subject: f2fs: vm_unmap_ram() may be called from an invalid context + +From: Jan Prusakowski + +[ Upstream commit 08a7efc5b02a0620ae16aa9584060e980a69cb55 ] + +When testing F2FS with xfstests using UFS backed virtual disks the +kernel complains sometimes that f2fs_release_decomp_mem() calls +vm_unmap_ram() from an invalid context. Example trace from +f2fs/007 test: + +f2fs/007 5s ... [12:59:38][ 8.902525] run fstests f2fs/007 +[ 11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978 +[ 11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd +[ 11.475357] preempt_count: 1, expected: 0 +[ 11.476970] RCU nest depth: 0, expected: 0 +[ 11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G W 6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none) +[ 11.478535] Tainted: [W]=WARN +[ 11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 11.478537] Call Trace: +[ 11.478543] +[ 11.478545] dump_stack_lvl+0x4e/0x70 +[ 11.478554] __might_resched.cold+0xaf/0xbe +[ 11.478557] vm_unmap_ram+0x21/0xb0 +[ 11.478560] f2fs_release_decomp_mem+0x59/0x80 +[ 11.478563] f2fs_free_dic+0x18/0x1a0 +[ 11.478565] f2fs_finish_read_bio+0xd7/0x290 +[ 11.478570] blk_update_request+0xec/0x3b0 +[ 11.478574] ? sbitmap_queue_clear+0x3b/0x60 +[ 11.478576] scsi_end_request+0x27/0x1a0 +[ 11.478582] scsi_io_completion+0x40/0x300 +[ 11.478583] ufshcd_mcq_poll_cqe_lock+0xa3/0xe0 +[ 11.478588] ufshcd_sl_intr+0x194/0x1f0 +[ 11.478592] ufshcd_threaded_intr+0x68/0xb0 +[ 11.478594] ? __pfx_irq_thread_fn+0x10/0x10 +[ 11.478599] irq_thread_fn+0x20/0x60 +[ 11.478602] ? __pfx_irq_thread_fn+0x10/0x10 +[ 11.478603] irq_thread+0xb9/0x180 +[ 11.478605] ? __pfx_irq_thread_dtor+0x10/0x10 +[ 11.478607] ? __pfx_irq_thread+0x10/0x10 +[ 11.478609] kthread+0x10a/0x230 +[ 11.478614] ? __pfx_kthread+0x10/0x10 +[ 11.478615] ret_from_fork+0x7e/0xd0 +[ 11.478619] ? __pfx_kthread+0x10/0x10 +[ 11.478621] ret_from_fork_asm+0x1a/0x30 +[ 11.478623] + +This patch modifies in_task() check inside f2fs_read_end_io() to also +check if interrupts are disabled. This ensures that pages are unmapped +asynchronously in an interrupt handler. + +Fixes: bff139b49d9f ("f2fs: handle decompress only post processing in softirq") +Signed-off-by: Jan Prusakowski +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index b0b8748ae287..84d45e58a5ff 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -282,7 +282,7 @@ static void f2fs_read_end_io(struct bio *bio) + { + struct f2fs_sb_info *sbi = F2FS_P_SB(bio_first_page_all(bio)); + struct bio_post_read_ctx *ctx; +- bool intask = in_task(); ++ bool intask = in_task() && !irqs_disabled(); + + iostat_update_and_unbind_ctx(bio); + ctx = bio->bi_private; +-- +2.39.5 + diff --git a/queue-6.15/fanotify-sanitize-handle_type-values-when-reporting-.patch b/queue-6.15/fanotify-sanitize-handle_type-values-when-reporting-.patch new file mode 100644 index 0000000000..03f024cc99 --- /dev/null +++ b/queue-6.15/fanotify-sanitize-handle_type-values-when-reporting-.patch @@ -0,0 +1,47 @@ +From 523264904963467c3b6b944f407a7234edabf67a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 12:48:35 +0200 +Subject: fanotify: sanitize handle_type values when reporting fid + +From: Amir Goldstein + +[ Upstream commit 8631e01c2c5d1fe6705bcc0d733a0b7a17d3daac ] + +Unlike file_handle, type and len of struct fanotify_fh are u8. +Traditionally, filesystem return handle_type < 0xff, but there +is no enforecement for that in vfs. + +Add a sanity check in fanotify to avoid truncating handle_type +if its value is > 0xff. + +Fixes: 7cdafe6cc4a6 ("exportfs: check for error return value from exportfs_encode_*()") +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Link: https://patch.msgid.link/20250627104835.184495-1-amir73il@gmail.com +Signed-off-by: Sasha Levin +--- + fs/notify/fanotify/fanotify.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c +index 6d386080faf2..7834eadf40a7 100644 +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -454,7 +454,13 @@ static int fanotify_encode_fh(struct fanotify_fh *fh, struct inode *inode, + dwords = fh_len >> 2; + type = exportfs_encode_fid(inode, buf, &dwords); + err = -EINVAL; +- if (type <= 0 || type == FILEID_INVALID || fh_len != dwords << 2) ++ /* ++ * Unlike file_handle, type and len of struct fanotify_fh are u8. ++ * Traditionally, filesystem return handle_type < 0xff, but there ++ * is no enforecement for that in vfs. ++ */ ++ BUILD_BUG_ON(MAX_HANDLE_SZ > 0xff || FILEID_INVALID > 0xff); ++ if (type <= 0 || type >= FILEID_INVALID || fh_len != dwords << 2) + goto out_err; + + fh->type = type; +-- +2.39.5 + diff --git a/queue-6.15/fbcon-fix-outdated-registered_fb-reference-in-commen.patch b/queue-6.15/fbcon-fix-outdated-registered_fb-reference-in-commen.patch new file mode 100644 index 0000000000..8f7419af4e --- /dev/null +++ b/queue-6.15/fbcon-fix-outdated-registered_fb-reference-in-commen.patch @@ -0,0 +1,45 @@ +From 8991014eb656032aa4b5a2916a51ea2b91842353 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:34:38 +0800 +Subject: fbcon: Fix outdated registered_fb reference in comment + +From: Shixiong Ou + +[ Upstream commit 0f168e7be696a17487e83d1d47e5a408a181080f ] + +The variable was renamed to fbcon_registered_fb, but this comment was +not updated along with the change. Correct it to avoid confusion. + +Signed-off-by: Shixiong Ou +Fixes: efc3acbc105a ("fbcon: Maintain a private array of fb_info") +[sima: Add Fixes: line.] +Signed-off-by: Simona Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20250709103438.572309-1-oushixiong1025@163.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcon.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c +index 2df48037688d..2b2d36c021ba 100644 +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -952,13 +952,13 @@ static const char *fbcon_startup(void) + int rows, cols; + + /* +- * If num_registered_fb is zero, this is a call for the dummy part. ++ * If fbcon_num_registered_fb is zero, this is a call for the dummy part. + * The frame buffer devices weren't initialized yet. + */ + if (!fbcon_num_registered_fb || info_idx == -1) + return display_desc; + /* +- * Instead of blindly using registered_fb[0], we use info_idx, set by ++ * Instead of blindly using fbcon_registered_fb[0], we use info_idx, set by + * fbcon_fb_registered(); + */ + info = fbcon_registered_fb[info_idx]; +-- +2.39.5 + diff --git a/queue-6.15/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch b/queue-6.15/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch new file mode 100644 index 0000000000..42cbe51d5f --- /dev/null +++ b/queue-6.15/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch @@ -0,0 +1,46 @@ +From ec4660132b788dd313269bce55decf837f6974d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 22:25:34 -0500 +Subject: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref + +From: Chenyuan Yang + +[ Upstream commit da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 ] + +fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot +allocate a struct fb_modelist. If that happens, the modelist stays empty but +the driver continues to register. Add a check for its return value to prevent +poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev: +Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var"). + +Fixes: 1b6c79361ba5 ("video: imxfb: Add DT support") +Signed-off-by: Chenyuan Yang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index f30da32cdaed..a077bf346bdf 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -996,8 +996,13 @@ static int imxfb_probe(struct platform_device *pdev) + info->fix.smem_start = fbi->map_dma; + + INIT_LIST_HEAD(&info->modelist); +- for (i = 0; i < fbi->num_modes; i++) +- fb_add_videomode(&fbi->mode[i].mode, &info->modelist); ++ for (i = 0; i < fbi->num_modes; i++) { ++ ret = fb_add_videomode(&fbi->mode[i].mode, &info->modelist); ++ if (ret) { ++ dev_err(&pdev->dev, "Failed to add videomode\n"); ++ goto failed_cmap; ++ } ++ } + + /* + * This makes sure that our colour bitfield +-- +2.39.5 + diff --git a/queue-6.15/firmware-arm_scmi-fix-up-turbo-frequencies-selection.patch b/queue-6.15/firmware-arm_scmi-fix-up-turbo-frequencies-selection.patch new file mode 100644 index 0000000000..c7aa3d6a4a --- /dev/null +++ b/queue-6.15/firmware-arm_scmi-fix-up-turbo-frequencies-selection.patch @@ -0,0 +1,38 @@ +From e5b78c73565b3cd16c44f85171cb9efe05bf6499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 03:17:19 +0530 +Subject: firmware: arm_scmi: Fix up turbo frequencies selection + +From: Sibi Sankar + +[ Upstream commit ad28fc31dd702871764e9294d4f2314ad78d24a9 ] + +Sustained frequency when greater than or equal to 4Ghz on 64-bit devices +currently result in marking all frequencies as turbo. Address the turbo +frequency selection bug by fixing the truncation. + +Fixes: a897575e79d7 ("firmware: arm_scmi: Add support for marking certain frequencies as turbo") +Signed-off-by: Sibi Sankar +Message-Id: <20250514214719.203607-1-quic_sibis@quicinc.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/perf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_scmi/perf.c b/drivers/firmware/arm_scmi/perf.c +index c7e5a34b254b..683fd9b85c5c 100644 +--- a/drivers/firmware/arm_scmi/perf.c ++++ b/drivers/firmware/arm_scmi/perf.c +@@ -892,7 +892,7 @@ static int scmi_dvfs_device_opps_add(const struct scmi_protocol_handle *ph, + freq = dom->opp[idx].indicative_freq * dom->mult_factor; + + /* All OPPs above the sustained frequency are treated as turbo */ +- data.turbo = freq > dom->sustained_freq_khz * 1000; ++ data.turbo = freq > dom->sustained_freq_khz * 1000UL; + + data.level = dom->opp[idx].perf; + data.freq = freq; +-- +2.39.5 + diff --git a/queue-6.15/fix-dma_unmap_sg-nents-value.patch b/queue-6.15/fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..f5940a0bdf --- /dev/null +++ b/queue-6.15/fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,38 @@ +From 13db0a85651de2348d6e9ee47afbd60a230a1a06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 11:23:46 +0200 +Subject: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 1db50f7b7a793670adcf062df9ff27798829d963 ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: ed10435d3583 ("RDMA/erdma: Implement hierarchical MTT") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20250630092346.81017-2-fourier.thomas@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/erdma/erdma_verbs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c +index af36a8d2df22..ec0ad4086066 100644 +--- a/drivers/infiniband/hw/erdma/erdma_verbs.c ++++ b/drivers/infiniband/hw/erdma/erdma_verbs.c +@@ -629,7 +629,8 @@ static struct erdma_mtt *erdma_create_cont_mtt(struct erdma_dev *dev, + static void erdma_destroy_mtt_buf_sg(struct erdma_dev *dev, + struct erdma_mtt *mtt) + { +- dma_unmap_sg(&dev->pdev->dev, mtt->sglist, mtt->nsg, DMA_TO_DEVICE); ++ dma_unmap_sg(&dev->pdev->dev, mtt->sglist, ++ DIV_ROUND_UP(mtt->size, PAGE_SIZE), DMA_TO_DEVICE); + vfree(mtt->sglist); + } + +-- +2.39.5 + diff --git a/queue-6.15/fortify-fix-incorrect-reporting-of-read-buffer-size.patch b/queue-6.15/fortify-fix-incorrect-reporting-of-read-buffer-size.patch new file mode 100644 index 0000000000..ae82753a9c --- /dev/null +++ b/queue-6.15/fortify-fix-incorrect-reporting-of-read-buffer-size.patch @@ -0,0 +1,38 @@ +From 7a922c223289442ad0f1d1521e68c25864b63074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jul 2025 16:18:25 -0700 +Subject: fortify: Fix incorrect reporting of read buffer size + +From: Kees Cook + +[ Upstream commit 94fd44648dae2a5b6149a41faa0b07928c3e1963 ] + +When FORTIFY_SOURCE reports about a run-time buffer overread, the wrong +buffer size was being shown in the error message. (The bounds checking +was correct.) + +Fixes: 3d965b33e40d ("fortify: Improve buffer overflow reporting") +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20250729231817.work.023-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + include/linux/fortify-string.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h +index e4ce1cae03bf..b3b53f8c1b28 100644 +--- a/include/linux/fortify-string.h ++++ b/include/linux/fortify-string.h +@@ -596,7 +596,7 @@ __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size, + if (p_size != SIZE_MAX && p_size < size) + fortify_panic(func, FORTIFY_WRITE, p_size, size, true); + else if (q_size != SIZE_MAX && q_size < size) +- fortify_panic(func, FORTIFY_READ, p_size, size, true); ++ fortify_panic(func, FORTIFY_READ, q_size, size, true); + + /* + * Warn when writing beyond destination field size. +-- +2.39.5 + diff --git a/queue-6.15/fs-ntfs3-cancle-set-bad-inode-after-removing-name-fa.patch b/queue-6.15/fs-ntfs3-cancle-set-bad-inode-after-removing-name-fa.patch new file mode 100644 index 0000000000..176da7861c --- /dev/null +++ b/queue-6.15/fs-ntfs3-cancle-set-bad-inode-after-removing-name-fa.patch @@ -0,0 +1,104 @@ +From 3fcd7358aa54e658dae9e105cb11b241710d7936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 15:31:57 +0800 +Subject: fs/ntfs3: cancle set bad inode after removing name fails + +From: Edward Adam Davis + +[ Upstream commit d99208b91933fd2a58ed9ed321af07dacd06ddc3 ] + +The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link. +When renaming, the file0's inode is marked as a bad inode because the file +name cannot be deleted. + +The underlying bug is that make_bad_inode() is called on a live inode. +In some cases it's "icache lookup finds a normal inode, d_splice_alias() +is called to attach it to dentry, while another thread decides to call +make_bad_inode() on it - that would evict it from icache, but we'd already +found it there earlier". +In some it's outright "we have an inode attached to dentry - that's how we +got it in the first place; let's call make_bad_inode() on it just for shits +and giggles". + +Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations") +Reported-by: syzbot+1aa90f0eb1fc3e77d969@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1aa90f0eb1fc3e77d969 +Signed-off-by: Edward Adam Davis +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/frecord.c | 7 +++---- + fs/ntfs3/namei.c | 10 +++------- + fs/ntfs3/ntfs_fs.h | 3 +-- + 3 files changed, 7 insertions(+), 13 deletions(-) + +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index b7a83200f2cc..83593ecbe57e 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -3003,8 +3003,7 @@ int ni_add_name(struct ntfs_inode *dir_ni, struct ntfs_inode *ni, + * ni_rename - Remove one name and insert new name. + */ + int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni, +- struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de, +- bool *is_bad) ++ struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de) + { + int err; + struct NTFS_DE *de2 = NULL; +@@ -3027,8 +3026,8 @@ int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni, + err = ni_add_name(new_dir_ni, ni, new_de); + if (!err) { + err = ni_remove_name(dir_ni, ni, de, &de2, &undo); +- if (err && ni_remove_name(new_dir_ni, ni, new_de, &de2, &undo)) +- *is_bad = true; ++ WARN_ON(err && ni_remove_name(new_dir_ni, ni, new_de, &de2, ++ &undo)); + } + + /* +diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c +index 652735a0b0c4..fec451381a88 100644 +--- a/fs/ntfs3/namei.c ++++ b/fs/ntfs3/namei.c +@@ -244,7 +244,7 @@ static int ntfs_rename(struct mnt_idmap *idmap, struct inode *dir, + struct ntfs_inode *ni = ntfs_i(inode); + struct inode *new_inode = d_inode(new_dentry); + struct NTFS_DE *de, *new_de; +- bool is_same, is_bad; ++ bool is_same; + /* + * de - memory of PATH_MAX bytes: + * [0-1024) - original name (dentry->d_name) +@@ -313,12 +313,8 @@ static int ntfs_rename(struct mnt_idmap *idmap, struct inode *dir, + if (dir_ni != new_dir_ni) + ni_lock_dir2(new_dir_ni); + +- is_bad = false; +- err = ni_rename(dir_ni, new_dir_ni, ni, de, new_de, &is_bad); +- if (is_bad) { +- /* Restore after failed rename failed too. */ +- _ntfs_bad_inode(inode); +- } else if (!err) { ++ err = ni_rename(dir_ni, new_dir_ni, ni, de, new_de); ++ if (!err) { + simple_rename_timestamp(dir, dentry, new_dir, new_dentry); + mark_inode_dirty(inode); + mark_inode_dirty(dir); +diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h +index d628977e2556..a79cf4a63b25 100644 +--- a/fs/ntfs3/ntfs_fs.h ++++ b/fs/ntfs3/ntfs_fs.h +@@ -581,8 +581,7 @@ int ni_add_name(struct ntfs_inode *dir_ni, struct ntfs_inode *ni, + struct NTFS_DE *de); + + int ni_rename(struct ntfs_inode *dir_ni, struct ntfs_inode *new_dir_ni, +- struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de, +- bool *is_bad); ++ struct ntfs_inode *ni, struct NTFS_DE *de, struct NTFS_DE *new_de); + + bool ni_is_dirty(struct inode *inode); + int ni_set_compress(struct inode *inode, bool compr); +-- +2.39.5 + diff --git a/queue-6.15/fs-orangefs-allow-2-more-characters-in-do_c_string.patch b/queue-6.15/fs-orangefs-allow-2-more-characters-in-do_c_string.patch new file mode 100644 index 0000000000..a753277e8f --- /dev/null +++ b/queue-6.15/fs-orangefs-allow-2-more-characters-in-do_c_string.patch @@ -0,0 +1,65 @@ +From f38b1dc15781df1d29ca29685efb6bee7f357f47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jul 2025 09:19:10 -0500 +Subject: fs/orangefs: Allow 2 more characters in do_c_string() + +From: Dan Carpenter + +[ Upstream commit 2138e89cb066b40386b1d9ddd61253347d356474 ] + +The do_k_string() and do_c_string() functions do essentially the same +thing which is they add a string and a comma onto the end of an existing +string. At the end, the caller will overwrite the last comma with a +newline. Later, in orangefs_kernel_debug_init(), we add a newline to +the string. + +The change to do_k_string() is just cosmetic. I moved the "- 1" to +the other side of the comparison and made it "+ 1". This has no +effect on runtime, I just wanted the functions to match each other +and the rest of the file. + +However in do_c_string(), I removed the "- 2" which allows us to print +two extra characters. I noticed this issue while reviewing the code +and I doubt affects anything in real life. My guess is that this was +double counting the comma and the newline. The "+ 1" accounts for +the newline, and the caller will delete the final comma which ensures +there is enough space for the newline. + +Removing the "- 2" lets us print 2 more characters, but mainly it makes +the code more consistent and understandable for reviewers. + +Fixes: 44f4641073f1 ("orangefs: clean up debugfs globals") +Signed-off-by: Dan Carpenter +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index f7095c91660c..e8e3badbc2ec 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -769,8 +769,8 @@ static void do_k_string(void *k_mask, int index) + + if (*mask & s_kmod_keyword_mask_map[index].mask_val) { + if ((strlen(kernel_debug_string) + +- strlen(s_kmod_keyword_mask_map[index].keyword)) +- < ORANGEFS_MAX_DEBUG_STRING_LEN - 1) { ++ strlen(s_kmod_keyword_mask_map[index].keyword) + 1) ++ < ORANGEFS_MAX_DEBUG_STRING_LEN) { + strcat(kernel_debug_string, + s_kmod_keyword_mask_map[index].keyword); + strcat(kernel_debug_string, ","); +@@ -797,7 +797,7 @@ static void do_c_string(void *c_mask, int index) + (mask->mask2 & cdm_array[index].mask2)) { + if ((strlen(client_debug_string) + + strlen(cdm_array[index].keyword) + 1) +- < ORANGEFS_MAX_DEBUG_STRING_LEN - 2) { ++ < ORANGEFS_MAX_DEBUG_STRING_LEN) { + strcat(client_debug_string, + cdm_array[index].keyword); + strcat(client_debug_string, ","); +-- +2.39.5 + diff --git a/queue-6.15/fs_context-fix-parameter-name-in-infofc-macro.patch b/queue-6.15/fs_context-fix-parameter-name-in-infofc-macro.patch new file mode 100644 index 0000000000..f10896f1ef --- /dev/null +++ b/queue-6.15/fs_context-fix-parameter-name-in-infofc-macro.patch @@ -0,0 +1,42 @@ +From 4bd920dd835490021789ff603093151c1cdbb122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 01:09:27 +0200 +Subject: fs_context: fix parameter name in infofc() macro +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: RubenKelevra + +[ Upstream commit ffaf1bf3737f706e4e9be876de4bc3c8fc578091 ] + +The macro takes a parameter called "p" but references "fc" internally. +This happens to compile as long as callers pass a variable named fc, +but breaks otherwise. Rename the first parameter to “fc” to match the +usage and to be consistent with warnfc() / errorfc(). + +Fixes: a3ff937b33d9 ("prefix-handling analogues of errorf() and friends") +Signed-off-by: RubenKelevra +Link: https://lore.kernel.org/20250617230927.1790401-1-rubenkelevra@gmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + include/linux/fs_context.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h +index a19e4bd32e4d..7773eb870039 100644 +--- a/include/linux/fs_context.h ++++ b/include/linux/fs_context.h +@@ -200,7 +200,7 @@ void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt, + */ + #define infof(fc, fmt, ...) __logfc(fc, 'i', fmt, ## __VA_ARGS__) + #define info_plog(p, fmt, ...) __plog(p, 'i', fmt, ## __VA_ARGS__) +-#define infofc(p, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__) ++#define infofc(fc, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__) + + /** + * warnf - Store supplementary warning message +-- +2.39.5 + diff --git a/queue-6.15/gfs2-minor-do_xmote-cancelation-fix.patch b/queue-6.15/gfs2-minor-do_xmote-cancelation-fix.patch new file mode 100644 index 0000000000..a769b3895d --- /dev/null +++ b/queue-6.15/gfs2-minor-do_xmote-cancelation-fix.patch @@ -0,0 +1,36 @@ +From 9899047e3e853952b89aa11f3d1ec6e577888608 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 21:21:27 +0200 +Subject: gfs2: Minor do_xmote cancelation fix + +From: Andreas Gruenbacher + +[ Upstream commit 75bb2ddea9640b663e4b2eaa06e15196f6f11a95 ] + +Commit 6cb3b1c2df87 changed how finish_xmote() clears the GLF_LOCK flag, +but it failed to adjust the equivalent code in do_xmote(). Fix that. + +Fixes: 6cb3b1c2df87 ("gfs2: Fix additional unlikely request cancelation race") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index ba25b884169e..ea96113edbe3 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -802,7 +802,8 @@ __acquires(&gl->gl_lockref.lock) + * We skip telling dlm to do the locking, so we won't get a + * reply that would otherwise clear GLF_LOCK. So we clear it here. + */ +- clear_bit(GLF_LOCK, &gl->gl_flags); ++ if (!test_bit(GLF_CANCELING, &gl->gl_flags)) ++ clear_bit(GLF_LOCK, &gl->gl_flags); + clear_bit(GLF_DEMOTE_IN_PROGRESS, &gl->gl_flags); + gfs2_glock_queue_work(gl, GL_GLOCK_DFT_HOLD); + return; +-- +2.39.5 + diff --git a/queue-6.15/gfs2-no-more-self-recovery.patch b/queue-6.15/gfs2-no-more-self-recovery.patch new file mode 100644 index 0000000000..6d1c5e06fe --- /dev/null +++ b/queue-6.15/gfs2-no-more-self-recovery.patch @@ -0,0 +1,81 @@ +From 21e0a1b6c8cfb467948efb929ec404e2dc5349ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 23:30:32 +0200 +Subject: gfs2: No more self recovery + +From: Andreas Gruenbacher + +[ Upstream commit deb016c1669002e48c431d6fd32ea1c20ef41756 ] + +When a node withdraws and it turns out that it is the only node that has +the filesystem mounted, gfs2 currently tries to replay the local journal +to bring the filesystem back into a consistent state. Not only is that +a very bad idea, it has also never worked because gfs2_recover_func() +will refuse to do anything during a withdraw. + +However, before even getting to this point, gfs2_recover_func() +dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before +commit 04133b607a78 ("gfs2: Prevent double iput for journal on error") +and is a NULL pointer dereference since then. + +Simply get rid of self recovery to fix that. + +Fixes: 601ef0d52e96 ("gfs2: Force withdraw to replay journals and wait for it to finish") +Reported-by: Chunjie Zhu +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/util.c | 31 +++++++++++-------------------- + 1 file changed, 11 insertions(+), 20 deletions(-) + +diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c +index 13be8d1d228b..ee198a261d4f 100644 +--- a/fs/gfs2/util.c ++++ b/fs/gfs2/util.c +@@ -232,32 +232,23 @@ static void signal_our_withdraw(struct gfs2_sbd *sdp) + */ + ret = gfs2_glock_nq(&sdp->sd_live_gh); + ++ gfs2_glock_put(live_gl); /* drop extra reference we acquired */ ++ clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags); ++ + /* + * If we actually got the "live" lock in EX mode, there are no other +- * nodes available to replay our journal. So we try to replay it +- * ourselves. We hold the "live" glock to prevent other mounters +- * during recovery, then just dequeue it and reacquire it in our +- * normal SH mode. Just in case the problem that caused us to +- * withdraw prevents us from recovering our journal (e.g. io errors +- * and such) we still check if the journal is clean before proceeding +- * but we may wait forever until another mounter does the recovery. ++ * nodes available to replay our journal. + */ + if (ret == 0) { +- fs_warn(sdp, "No other mounters found. Trying to recover our " +- "own journal jid %d.\n", sdp->sd_lockstruct.ls_jid); +- if (gfs2_recover_journal(sdp->sd_jdesc, 1)) +- fs_warn(sdp, "Unable to recover our journal jid %d.\n", +- sdp->sd_lockstruct.ls_jid); +- gfs2_glock_dq_wait(&sdp->sd_live_gh); +- gfs2_holder_reinit(LM_ST_SHARED, +- LM_FLAG_NOEXP | GL_EXACT | GL_NOPID, +- &sdp->sd_live_gh); +- gfs2_glock_nq(&sdp->sd_live_gh); ++ fs_warn(sdp, "No other mounters found.\n"); ++ /* ++ * We are about to release the lockspace. By keeping live_gl ++ * locked here, we ensure that the next mounter coming along ++ * will be a "first" mounter which will perform recovery. ++ */ ++ goto skip_recovery; + } + +- gfs2_glock_put(live_gl); /* drop extra reference we acquired */ +- clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags); +- + /* + * At this point our journal is evicted, so we need to get a new inode + * for it. Once done, we need to call gfs2_find_jhead which +-- +2.39.5 + diff --git a/queue-6.15/hfs-make-splice-write-available-again.patch b/queue-6.15/hfs-make-splice-write-available-again.patch new file mode 100644 index 0000000000..1a7891bedc --- /dev/null +++ b/queue-6.15/hfs-make-splice-write-available-again.patch @@ -0,0 +1,42 @@ +From 4fe06028f42ab0fa3efd1cd780c88193f3e306c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 08:00:32 -0600 +Subject: hfs: make splice write available again + +From: Yangtao Li + +[ Upstream commit 4c831f30475a222046ded25560c3810117a6cff6 ] + +Since 5.10, splice() or sendfile() return EINVAL. This was +caused by commit 36e2c7421f02 ("fs: don't allow splice read/write +without explicit ops"). + +This patch initializes the splice_write field in file_operations, like +most file systems do, to restore the functionality. + +Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops") +Signed-off-by: Yangtao Li +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250529140033.2296791-2-frank.li@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c +index a81ce7a740b9..451115360f73 100644 +--- a/fs/hfs/inode.c ++++ b/fs/hfs/inode.c +@@ -692,6 +692,7 @@ static const struct file_operations hfs_file_operations = { + .write_iter = generic_file_write_iter, + .mmap = generic_file_mmap, + .splice_read = filemap_splice_read, ++ .splice_write = iter_file_splice_write, + .fsync = hfs_file_fsync, + .open = hfs_file_open, + .release = hfs_file_release, +-- +2.39.5 + diff --git a/queue-6.15/hfsplus-make-splice-write-available-again.patch b/queue-6.15/hfsplus-make-splice-write-available-again.patch new file mode 100644 index 0000000000..f454a2d851 --- /dev/null +++ b/queue-6.15/hfsplus-make-splice-write-available-again.patch @@ -0,0 +1,42 @@ +From fba2aa153d49fe3ce788a7127820bdef63b49f58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 08:00:31 -0600 +Subject: hfsplus: make splice write available again + +From: Yangtao Li + +[ Upstream commit 2eafb669da0bf71fac0838bff13594970674e2b4 ] + +Since 5.10, splice() or sendfile() return EINVAL. This was +caused by commit 36e2c7421f02 ("fs: don't allow splice read/write +without explicit ops"). + +This patch initializes the splice_write field in file_operations, like +most file systems do, to restore the functionality. + +Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops") +Signed-off-by: Yangtao Li +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250529140033.2296791-1-frank.li@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/inode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c +index f331e9574217..c85b5802ec0f 100644 +--- a/fs/hfsplus/inode.c ++++ b/fs/hfsplus/inode.c +@@ -368,6 +368,7 @@ static const struct file_operations hfsplus_file_operations = { + .write_iter = generic_file_write_iter, + .mmap = generic_file_mmap, + .splice_read = filemap_splice_read, ++ .splice_write = iter_file_splice_write, + .fsync = hfsplus_file_fsync, + .open = hfsplus_file_open, + .release = hfsplus_file_release, +-- +2.39.5 + diff --git a/queue-6.15/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch b/queue-6.15/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch new file mode 100644 index 0000000000..5c66ce429a --- /dev/null +++ b/queue-6.15/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch @@ -0,0 +1,94 @@ +From 542cf10e28db930c122402c54740b1f99c37cfac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 00:18:06 -0600 +Subject: hfsplus: remove mutex_lock check in hfsplus_free_extents + +From: Yangtao Li + +[ Upstream commit fcb96956c921f1aae7e7b477f2435c56f77a31b4 ] + +Syzbot reported an issue in hfsplus filesystem: + +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 + hfsplus_free_extents+0x700/0xad0 +Call Trace: + +hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606 +hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56 +cont_expand_zero fs/buffer.c:2383 [inline] +cont_write_begin+0x2cf/0x860 fs/buffer.c:2446 +hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52 +generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347 +hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263 +notify_change+0xe38/0x10f0 fs/attr.c:420 +do_truncate+0x1fb/0x2e0 fs/open.c:65 +do_sys_ftruncate+0x2eb/0x380 fs/open.c:193 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock +on file truncation") unlock extree before hfsplus_free_extents(), +and add check wheather extree is locked in hfsplus_free_extents(). + +However, when operations such as hfsplus_file_release, +hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed +concurrently in different files, it is very likely to trigger the +WARN_ON, which will lead syzbot and xfstest to consider it as an +abnormality. + +The comment above this warning also describes one of the easy +triggering situations, which can easily trigger and cause +xfstest&syzbot to report errors. + +[task A] [task B] +->hfsplus_file_release + ->hfsplus_file_truncate + ->hfs_find_init + ->mutex_lock + ->mutex_unlock + ->hfsplus_write_begin + ->hfsplus_get_block + ->hfsplus_file_extend + ->hfsplus_ext_read_extent + ->hfs_find_init + ->mutex_lock + ->hfsplus_free_extents + WARN_ON(mutex_is_locked) !!! + +Several threads could try to lock the shared extents tree. +And warning can be triggered in one thread when another thread +has locked the tree. This is the wrong behavior of the code and +we need to remove the warning. + +Fixes: 31651c607151f ("hfsplus: avoid deadlock on file truncation") +Reported-by: syzbot+8c0bc9f818702ff75b76@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/00000000000057fa4605ef101c4c@google.com/ +Signed-off-by: Yangtao Li +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250529061807.2213498-1-frank.li@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/extents.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c +index a6d61685ae79..b1699b3c246a 100644 +--- a/fs/hfsplus/extents.c ++++ b/fs/hfsplus/extents.c +@@ -342,9 +342,6 @@ static int hfsplus_free_extents(struct super_block *sb, + int i; + int err = 0; + +- /* Mapping the allocation file may lock the extent tree */ +- WARN_ON(mutex_is_locked(&HFSPLUS_SB(sb)->ext_tree->tree_lock)); +- + hfsplus_dump_extent(extent); + for (i = 0; i < 8; extent++, i++) { + count = be32_to_cpu(extent->block_count); +-- +2.39.5 + diff --git a/queue-6.15/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch b/queue-6.15/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch new file mode 100644 index 0000000000..c8787a5334 --- /dev/null +++ b/queue-6.15/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch @@ -0,0 +1,38 @@ +From eab6e043ddf6af0c6e1cd081964936e6ba790e76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jun 2025 20:31:41 +0300 +Subject: hwrng: mtk - handle devm_pm_runtime_enable errors + +From: Ovidiu Panait + +[ Upstream commit 522a242a18adc5c63a24836715dbeec4dc3faee1 ] + +Although unlikely, devm_pm_runtime_enable() call might fail, so handle +the return value. + +Fixes: 78cb66caa6ab ("hwrng: mtk - Use devm_pm_runtime_enable") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/mtk-rng.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c +index 1e3048f2bb38..6c4e40d0365f 100644 +--- a/drivers/char/hw_random/mtk-rng.c ++++ b/drivers/char/hw_random/mtk-rng.c +@@ -142,7 +142,9 @@ static int mtk_rng_probe(struct platform_device *pdev) + dev_set_drvdata(&pdev->dev, priv); + pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT); + pm_runtime_use_autosuspend(&pdev->dev); +- devm_pm_runtime_enable(&pdev->dev); ++ ret = devm_pm_runtime_enable(&pdev->dev); ++ if (ret) ++ return ret; + + dev_info(&pdev->dev, "registered RNG driver\n"); + +-- +2.39.5 + diff --git a/queue-6.15/i2c-muxes-mule-fix-an-error-handling-path-in-mule_i2.patch b/queue-6.15/i2c-muxes-mule-fix-an-error-handling-path-in-mule_i2.patch new file mode 100644 index 0000000000..9d3a2eefc2 --- /dev/null +++ b/queue-6.15/i2c-muxes-mule-fix-an-error-handling-path-in-mule_i2.patch @@ -0,0 +1,47 @@ +From b0a4029a27cd47b54c9c7dbe8ab2b439bc33a51b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jul 2025 21:38:02 +0200 +Subject: i2c: muxes: mule: Fix an error handling path in mule_i2c_mux_probe() + +From: Christophe JAILLET + +[ Upstream commit 33ac5155891cab165c93b51b0e22e153eacc2ee7 ] + +If an error occurs in the loop that creates the device adapters, then a +reference to 'dev' still needs to be released. + +Use for_each_child_of_node_scoped() to both fix the issue and save one line +of code. + +Fixes: d0f8e97866bf ("i2c: muxes: add support for tsd,mule-i2c multiplexer") +Signed-off-by: Christophe JAILLET +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/muxes/i2c-mux-mule.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/i2c/muxes/i2c-mux-mule.c b/drivers/i2c/muxes/i2c-mux-mule.c +index 284ff4afeeac..d3b32b794172 100644 +--- a/drivers/i2c/muxes/i2c-mux-mule.c ++++ b/drivers/i2c/muxes/i2c-mux-mule.c +@@ -47,7 +47,6 @@ static int mule_i2c_mux_probe(struct platform_device *pdev) + struct mule_i2c_reg_mux *priv; + struct i2c_client *client; + struct i2c_mux_core *muxc; +- struct device_node *dev; + unsigned int readback; + int ndev, ret; + bool old_fw; +@@ -95,7 +94,7 @@ static int mule_i2c_mux_probe(struct platform_device *pdev) + "Failed to register mux remove\n"); + + /* Create device adapters */ +- for_each_child_of_node(mux_dev->of_node, dev) { ++ for_each_child_of_node_scoped(mux_dev->of_node, dev) { + u32 reg; + + ret = of_property_read_u32(dev, "reg", ®); +-- +2.39.5 + diff --git a/queue-6.15/i3c-master-svc-fix-npcm845-fifo_empty-quirk.patch b/queue-6.15/i3c-master-svc-fix-npcm845-fifo_empty-quirk.patch new file mode 100644 index 0000000000..4baa5ce126 --- /dev/null +++ b/queue-6.15/i3c-master-svc-fix-npcm845-fifo_empty-quirk.patch @@ -0,0 +1,69 @@ +From d5ce46a18deb881c937af2abcff1b348e4a0a2d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jul 2025 08:37:19 +0800 +Subject: i3c: master: svc: Fix npcm845 FIFO_EMPTY quirk + +From: Stanley Chu + +[ Upstream commit bc4a09d8e79cadccdd505f47b01903a80bc666e7 ] + +In a private write transfer, the driver pre-fills the FIFO to work around +the FIFO_EMPTY quirk. However, if an IBIWON event occurs, the hardware +emits a NACK and the driver initiates a retry. During the retry, driver +attempts to pre-fill the FIFO again if there is remaining data, but since +the FIFO is already full, this leads to data loss. + +Check available space in FIFO to prevent overflow. + +Fixes: 4008a74e0f9b ("i3c: master: svc: Fix npcm845 FIFO empty issue") +Signed-off-by: Stanley Chu +Link: https://lore.kernel.org/r/20250730003719.1825593-1-yschu@nuvoton.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/svc-i3c-master.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c +index 85e16de208d3..01295eb80806 100644 +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -104,6 +104,7 @@ + #define SVC_I3C_MDATACTRL_TXTRIG_FIFO_NOT_FULL GENMASK(5, 4) + #define SVC_I3C_MDATACTRL_RXTRIG_FIFO_NOT_EMPTY 0 + #define SVC_I3C_MDATACTRL_RXCOUNT(x) FIELD_GET(GENMASK(28, 24), (x)) ++#define SVC_I3C_MDATACTRL_TXCOUNT(x) FIELD_GET(GENMASK(20, 16), (x)) + #define SVC_I3C_MDATACTRL_TXFULL BIT(30) + #define SVC_I3C_MDATACTRL_RXEMPTY BIT(31) + +@@ -1308,14 +1309,19 @@ static int svc_i3c_master_xfer(struct svc_i3c_master *master, + * FIFO start filling as soon as possible after EmitStartAddr. + */ + if (svc_has_quirk(master, SVC_I3C_QUIRK_FIFO_EMPTY) && !rnw && xfer_len) { +- u32 end = xfer_len > SVC_I3C_FIFO_SIZE ? 0 : SVC_I3C_MWDATAB_END; +- u32 len = min_t(u32, xfer_len, SVC_I3C_FIFO_SIZE); +- +- writesb(master->regs + SVC_I3C_MWDATAB1, out, len - 1); +- /* Mark END bit if this is the last byte */ +- writel(out[len - 1] | end, master->regs + SVC_I3C_MWDATAB); +- xfer_len -= len; +- out += len; ++ u32 space, end, len; ++ ++ reg = readl(master->regs + SVC_I3C_MDATACTRL); ++ space = SVC_I3C_FIFO_SIZE - SVC_I3C_MDATACTRL_TXCOUNT(reg); ++ if (space) { ++ end = xfer_len > space ? 0 : SVC_I3C_MWDATAB_END; ++ len = min_t(u32, xfer_len, space); ++ writesb(master->regs + SVC_I3C_MWDATAB1, out, len - 1); ++ /* Mark END bit if this is the last byte */ ++ writel(out[len - 1] | end, master->regs + SVC_I3C_MWDATAB); ++ xfer_len -= len; ++ out += len; ++ } + } + + ret = readl_poll_timeout(master->regs + SVC_I3C_MSTATUS, reg, +-- +2.39.5 + diff --git a/queue-6.15/igb-xsk-solve-negative-overflow-of-nb_pkts-in-zeroco.patch b/queue-6.15/igb-xsk-solve-negative-overflow-of-nb_pkts-in-zeroco.patch new file mode 100644 index 0000000000..87a94251a6 --- /dev/null +++ b/queue-6.15/igb-xsk-solve-negative-overflow-of-nb_pkts-in-zeroco.patch @@ -0,0 +1,59 @@ +From 433d5acf1c3225f9d2941499a9dc51e852ed6c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 22:23:27 +0800 +Subject: igb: xsk: solve negative overflow of nb_pkts in zerocopy mode + +From: Jason Xing + +[ Upstream commit 3b7c13dfdcc26a78756cc17a23cdf4310c5a24a9 ] + +There is no break time in the while() loop, so every time at the end of +igb_xmit_zc(), negative overflow of nb_pkts will occur, which renders +the return value always false. But theoretically, the result should be +set after calling xsk_tx_peek_release_desc_batch(). We can take +i40e_xmit_zc() as a good example. + +Returning false means we're not done with transmission and we need one +more poll, which is exactly what igb_xmit_zc() always did before this +patch. After this patch, the return value depends on the nb_pkts value. +Two cases might happen then: +1. if (nb_pkts < budget), it means we process all the possible data, so + return true and no more necessary poll will be triggered because of + this. +2. if (nb_pkts == budget), it means we might have more data, so return + false to let another poll run again. + +Fixes: f8e284a02afc ("igb: Add AF_XDP zero-copy Tx support") +Signed-off-by: Jason Xing +Reviewed-by: Aleksandr Loktionov +Link: https://patch.msgid.link/20250723142327.85187-3-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_xsk.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_xsk.c b/drivers/net/ethernet/intel/igb/igb_xsk.c +index 157d43787fa0..02935d4e1140 100644 +--- a/drivers/net/ethernet/intel/igb/igb_xsk.c ++++ b/drivers/net/ethernet/intel/igb/igb_xsk.c +@@ -481,7 +481,7 @@ bool igb_xmit_zc(struct igb_ring *tx_ring, struct xsk_buff_pool *xsk_pool) + if (!nb_pkts) + return true; + +- while (nb_pkts-- > 0) { ++ for (; i < nb_pkts; i++) { + dma = xsk_buff_raw_get_dma(xsk_pool, descs[i].addr); + xsk_buff_raw_dma_sync_for_device(xsk_pool, dma, descs[i].len); + +@@ -511,7 +511,6 @@ bool igb_xmit_zc(struct igb_ring *tx_ring, struct xsk_buff_pool *xsk_pool) + + total_bytes += descs[i].len; + +- i++; + tx_ring->next_to_use++; + tx_buffer_info->next_to_watch = tx_desc; + if (tx_ring->next_to_use == tx_ring->count) +-- +2.39.5 + diff --git a/queue-6.15/interconnect-qcom-qcs615-drop-ip0-interconnects.patch b/queue-6.15/interconnect-qcom-qcs615-drop-ip0-interconnects.patch new file mode 100644 index 0000000000..aee4f25321 --- /dev/null +++ b/queue-6.15/interconnect-qcom-qcs615-drop-ip0-interconnects.patch @@ -0,0 +1,114 @@ +From 099d294952be69e95803b8c09d2e1816a3faeaff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 21:37:56 +0200 +Subject: interconnect: qcom: qcs615: Drop IP0 interconnects + +From: Konrad Dybcio + +[ Upstream commit cbabc73e85be9e706a5051c9416de4a8d391cf57 ] + +In the same spirit as e.g. Commit b136d257ee0b ("interconnect: qcom: +sc8280xp: Drop IP0 interconnects"), drop the resources that should be +taken care of through the clk-rpmh driver. + +Fixes: 77d79677b04b ("interconnect: qcom: add QCS615 interconnect provider driver") +Signed-off-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250627-topic-qcs615_icc_ipa-v1-2-dc47596cde69@oss.qualcomm.com +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/qcom/qcs615.c | 42 ------------------------------ + 1 file changed, 42 deletions(-) + +diff --git a/drivers/interconnect/qcom/qcs615.c b/drivers/interconnect/qcom/qcs615.c +index 7e59e91ce886..0549cfcbac64 100644 +--- a/drivers/interconnect/qcom/qcs615.c ++++ b/drivers/interconnect/qcom/qcs615.c +@@ -342,15 +342,6 @@ static struct qcom_icc_node qnm_snoc_sf = { + .links = { QCS615_SLAVE_LLCC }, + }; + +-static struct qcom_icc_node ipa_core_master = { +- .name = "ipa_core_master", +- .id = QCS615_MASTER_IPA_CORE, +- .channels = 1, +- .buswidth = 8, +- .num_links = 1, +- .links = { QCS615_SLAVE_IPA_CORE }, +-}; +- + static struct qcom_icc_node llcc_mc = { + .name = "llcc_mc", + .id = QCS615_MASTER_LLCC, +@@ -942,14 +933,6 @@ static struct qcom_icc_node srvc_gemnoc = { + .num_links = 0, + }; + +-static struct qcom_icc_node ipa_core_slave = { +- .name = "ipa_core_slave", +- .id = QCS615_SLAVE_IPA_CORE, +- .channels = 1, +- .buswidth = 8, +- .num_links = 0, +-}; +- + static struct qcom_icc_node ebi = { + .name = "ebi", + .id = QCS615_SLAVE_EBI1, +@@ -1113,12 +1096,6 @@ static struct qcom_icc_bcm bcm_cn1 = { + &qhs_sdc1, &qhs_sdc2 }, + }; + +-static struct qcom_icc_bcm bcm_ip0 = { +- .name = "IP0", +- .num_nodes = 1, +- .nodes = { &ipa_core_slave }, +-}; +- + static struct qcom_icc_bcm bcm_mc0 = { + .name = "MC0", + .keepalive = true, +@@ -1260,7 +1237,6 @@ static struct qcom_icc_bcm * const aggre1_noc_bcms[] = { + &bcm_qup0, + &bcm_sn3, + &bcm_sn14, +- &bcm_ip0, + }; + + static struct qcom_icc_node * const aggre1_noc_nodes[] = { +@@ -1411,22 +1387,6 @@ static const struct qcom_icc_desc qcs615_gem_noc = { + .num_bcms = ARRAY_SIZE(gem_noc_bcms), + }; + +-static struct qcom_icc_bcm * const ipa_virt_bcms[] = { +- &bcm_ip0, +-}; +- +-static struct qcom_icc_node * const ipa_virt_nodes[] = { +- [MASTER_IPA_CORE] = &ipa_core_master, +- [SLAVE_IPA_CORE] = &ipa_core_slave, +-}; +- +-static const struct qcom_icc_desc qcs615_ipa_virt = { +- .nodes = ipa_virt_nodes, +- .num_nodes = ARRAY_SIZE(ipa_virt_nodes), +- .bcms = ipa_virt_bcms, +- .num_bcms = ARRAY_SIZE(ipa_virt_bcms), +-}; +- + static struct qcom_icc_bcm * const mc_virt_bcms[] = { + &bcm_acv, + &bcm_mc0, +@@ -1525,8 +1485,6 @@ static const struct of_device_id qnoc_of_match[] = { + .data = &qcs615_dc_noc}, + { .compatible = "qcom,qcs615-gem-noc", + .data = &qcs615_gem_noc}, +- { .compatible = "qcom,qcs615-ipa-virt", +- .data = &qcs615_ipa_virt}, + { .compatible = "qcom,qcs615-mc-virt", + .data = &qcs615_mc_virt}, + { .compatible = "qcom,qcs615-mmss-noc", +-- +2.39.5 + diff --git a/queue-6.15/interconnect-qcom-sc8180x-specify-num_nodes.patch b/queue-6.15/interconnect-qcom-sc8180x-specify-num_nodes.patch new file mode 100644 index 0000000000..83779e9f9d --- /dev/null +++ b/queue-6.15/interconnect-qcom-sc8180x-specify-num_nodes.patch @@ -0,0 +1,68 @@ +From 552cd00cec4731b2d7d20df808a91024d3bf2e31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 19:35:14 +0300 +Subject: interconnect: qcom: sc8180x: specify num_nodes + +From: Dmitry Baryshkov + +[ Upstream commit 7e0b59496a02d25828612721e846ea4b717a97b9 ] + +Specify .num_nodes for several BCMs which missed this declaration. + +Fixes: 04548d4e2798 ("interconnect: qcom: sc8180x: Reformat node and bcm definitions") +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250704-rework-icc-v2-2-875fac996ef5@oss.qualcomm.com +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/qcom/sc8180x.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/interconnect/qcom/sc8180x.c b/drivers/interconnect/qcom/sc8180x.c +index a741badaa966..4dd1d2f2e821 100644 +--- a/drivers/interconnect/qcom/sc8180x.c ++++ b/drivers/interconnect/qcom/sc8180x.c +@@ -1492,34 +1492,40 @@ static struct qcom_icc_bcm bcm_sh3 = { + + static struct qcom_icc_bcm bcm_sn0 = { + .name = "SN0", ++ .num_nodes = 1, + .nodes = { &slv_qns_gemnoc_sf } + }; + + static struct qcom_icc_bcm bcm_sn1 = { + .name = "SN1", ++ .num_nodes = 1, + .nodes = { &slv_qxs_imem } + }; + + static struct qcom_icc_bcm bcm_sn2 = { + .name = "SN2", + .keepalive = true, ++ .num_nodes = 1, + .nodes = { &slv_qns_gemnoc_gc } + }; + + static struct qcom_icc_bcm bcm_co2 = { + .name = "CO2", ++ .num_nodes = 1, + .nodes = { &mas_qnm_npu } + }; + + static struct qcom_icc_bcm bcm_sn3 = { + .name = "SN3", + .keepalive = true, ++ .num_nodes = 2, + .nodes = { &slv_srvc_aggre1_noc, + &slv_qns_cnoc } + }; + + static struct qcom_icc_bcm bcm_sn4 = { + .name = "SN4", ++ .num_nodes = 1, + .nodes = { &slv_qxs_pimem } + }; + +-- +2.39.5 + diff --git a/queue-6.15/interconnect-qcom-sc8280xp-specify-num_links-for-qnm.patch b/queue-6.15/interconnect-qcom-sc8280xp-specify-num_links-for-qnm.patch new file mode 100644 index 0000000000..2504d7bac0 --- /dev/null +++ b/queue-6.15/interconnect-qcom-sc8280xp-specify-num_links-for-qnm.patch @@ -0,0 +1,36 @@ +From 004bcc87309272e7cacb0f4a4f647fa303f1f91b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 19:35:13 +0300 +Subject: interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg + +From: Dmitry Baryshkov + +[ Upstream commit 02ee375506dceb7d32007821a2bff31504d64b99 ] + +The qnm_a1noc_cfg declaration didn't include .num_links definition, fix +it. + +Fixes: f29dabda7917 ("interconnect: qcom: Add SC8280XP interconnect provider") +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250704-rework-icc-v2-1-875fac996ef5@oss.qualcomm.com +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/qcom/sc8280xp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/interconnect/qcom/sc8280xp.c b/drivers/interconnect/qcom/sc8280xp.c +index 0270f6c64481..c646cdf8a19b 100644 +--- a/drivers/interconnect/qcom/sc8280xp.c ++++ b/drivers/interconnect/qcom/sc8280xp.c +@@ -48,6 +48,7 @@ static struct qcom_icc_node qnm_a1noc_cfg = { + .id = SC8280XP_MASTER_A1NOC_CFG, + .channels = 1, + .buswidth = 4, ++ .num_links = 1, + .links = { SC8280XP_SLAVE_SERVICE_A1NOC }, + }; + +-- +2.39.5 + diff --git a/queue-6.15/io_uring-fix-breakage-in-expert-menu.patch b/queue-6.15/io_uring-fix-breakage-in-expert-menu.patch new file mode 100644 index 0000000000..c48acb297b --- /dev/null +++ b/queue-6.15/io_uring-fix-breakage-in-expert-menu.patch @@ -0,0 +1,47 @@ +From b6962ecb09bca7b49044a3f2d8dc71ee0c9f0d34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jul 2025 18:04:56 -0700 +Subject: io_uring: fix breakage in EXPERT menu + +From: Randy Dunlap + +[ Upstream commit d1fbe1ebf4a12cabd7945335d5e47718cb2bef99 ] + +Add a dependency for IO_URING for the GCOV_PROFILE_URING symbol. + +Without this patch the EXPERT config menu ends with +"Enable IO uring support" and the menu prompts for +GCOV_PROFILE_URING and IO_URING_MOCK_FILE are not subordinate to it. +This causes all of the EXPERT Kconfig options that follow +GCOV_PROFILE_URING to be display in the "upper" menu (General setup), +just following the EXPERT menu. + +Fixes: 1802656ef890 ("io_uring: add GCOV_PROFILE_URING Kconfig option") +Signed-off-by: Randy Dunlap +Cc: Jens Axboe +Cc: Andrew Morton +Cc: Masahiro Yamada +Cc: io-uring@vger.kernel.org +Link: https://lore.kernel.org/r/20250720010456.2945344-1-rdunlap@infradead.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + init/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init/Kconfig b/init/Kconfig +index bf3a920064be..b2367239ac9d 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1761,7 +1761,7 @@ config IO_URING + + config GCOV_PROFILE_URING + bool "Enable GCOV profiling on the io_uring subsystem" +- depends on GCOV_KERNEL ++ depends on IO_URING && GCOV_KERNEL + help + Enable GCOV profiling on the io_uring subsystem, to facilitate + code coverage testing. +-- +2.39.5 + diff --git a/queue-6.15/iommu-amd-enable-pasid-and-ats-capabilities-in-the-c.patch b/queue-6.15/iommu-amd-enable-pasid-and-ats-capabilities-in-the-c.patch new file mode 100644 index 0000000000..308aa05635 --- /dev/null +++ b/queue-6.15/iommu-amd-enable-pasid-and-ats-capabilities-in-the-c.patch @@ -0,0 +1,47 @@ +From 3ca9146579816ad4f7a36f041e910caf0776ae66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 08:54:33 -0700 +Subject: iommu/amd: Enable PASID and ATS capabilities in the correct order + +From: Easwar Hariharan + +[ Upstream commit c694bc8b612ddd0dd70e122a00f39cb1e2e6927f ] + +Per the PCIe spec, behavior of the PASID capability is undefined if the +value of the PASID Enable bit changes while the Enable bit of the +function's ATS control register is Set. Unfortunately, +pdev_enable_caps() does exactly that by ordering enabling ATS for the +device before enabling PASID. + +Cc: Suravee Suthikulpanit +Cc: Vasant Hegde +Cc: Jason Gunthorpe +Cc: Jerry Snitselaar +Fixes: eda8c2860ab679 ("iommu/amd: Enable device ATS/PASID/PRI capabilities independently") +Signed-off-by: Easwar Hariharan +Reviewed-by: Vasant Hegde +Reviewed-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/20250703155433.6221-1-eahariha@linux.microsoft.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index 31f8d208dedb..cef1d2400d47 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -634,8 +634,8 @@ static inline void pdev_disable_cap_pasid(struct pci_dev *pdev) + + static void pdev_enable_caps(struct pci_dev *pdev) + { +- pdev_enable_cap_ats(pdev); + pdev_enable_cap_pasid(pdev); ++ pdev_enable_cap_ats(pdev); + pdev_enable_cap_pri(pdev); + } + +-- +2.39.5 + diff --git a/queue-6.15/iommu-amd-fix-geometry.aperture_end-for-v2-tables.patch b/queue-6.15/iommu-amd-fix-geometry.aperture_end-for-v2-tables.patch new file mode 100644 index 0000000000..7041ff8136 --- /dev/null +++ b/queue-6.15/iommu-amd-fix-geometry.aperture_end-for-v2-tables.patch @@ -0,0 +1,85 @@ +From 311002cb0a4fd7719a8fabcf73dbc57432a05dee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 20:58:05 -0300 +Subject: iommu/amd: Fix geometry.aperture_end for V2 tables + +From: Jason Gunthorpe + +[ Upstream commit 8637afa79cfa6123f602408cfafe8c9a73620ff1 ] + +The AMD IOMMU documentation seems pretty clear that the V2 table follows +the normal CPU expectation of sign extension. This is shown in + + Figure 25: AMD64 Long Mode 4-Kbyte Page Address Translation + +Where bits Sign-Extend [63:57] == [56]. This is typical for x86 which +would have three regions in the page table: lower, non-canonical, upper. + +The manual describes that the V1 table does not sign extend in section +2.2.4 Sharing AMD64 Processor and IOMMU Page Tables GPA-to-SPA + +Further, Vasant has checked this and indicates the HW has an addtional +behavior that the manual does not yet describe. The AMDv2 table does not +have the sign extended behavior when attached to PASID 0, which may +explain why this has gone unnoticed. + +The iommu domain geometry does not directly support sign extended page +tables. The driver should report only one of the lower/upper spaces. Solve +this by removing the top VA bit from the geometry to use only the lower +space. + +This will also make the iommu_domain work consistently on all PASID 0 and +PASID != 1. + +Adjust dma_max_address() to remove the top VA bit. It now returns: + +5 Level: + Before 0x1ffffffffffffff + After 0x0ffffffffffffff +4 Level: + Before 0xffffffffffff + After 0x7fffffffffff + +Fixes: 11c439a19466 ("iommu/amd/pgtbl_v2: Fix domain max address") +Link: https://lore.kernel.org/all/8858d4d6-d360-4ef0-935c-bfd13ea54f42@amd.com/ +Signed-off-by: Jason Gunthorpe +Reviewed-by: Vasant Hegde +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/0-v2-0615cc99b88a+1ce-amdv2_geo_jgg@nvidia.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index cef1d2400d47..aafe94568e44 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -2526,8 +2526,21 @@ static inline u64 dma_max_address(enum protection_domain_mode pgtable) + if (pgtable == PD_MODE_V1) + return ~0ULL; + +- /* V2 with 4/5 level page table */ +- return ((1ULL << PM_LEVEL_SHIFT(amd_iommu_gpt_level)) - 1); ++ /* ++ * V2 with 4/5 level page table. Note that "2.2.6.5 AMD64 4-Kbyte Page ++ * Translation" shows that the V2 table sign extends the top of the ++ * address space creating a reserved region in the middle of the ++ * translation, just like the CPU does. Further Vasant says the docs are ++ * incomplete and this only applies to non-zero PASIDs. If the AMDv2 ++ * page table is assigned to the 0 PASID then there is no sign extension ++ * check. ++ * ++ * Since the IOMMU must have a fixed geometry, and the core code does ++ * not understand sign extended addressing, we have to chop off the high ++ * bit to get consistent behavior with attachments of the domain to any ++ * PASID. ++ */ ++ return ((1ULL << (PM_LEVEL_SHIFT(amd_iommu_gpt_level) - 1)) - 1); + } + + static bool amd_iommu_hd_support(struct amd_iommu *iommu) +-- +2.39.5 + diff --git a/queue-6.15/iommu-arm-smmu-disable-prr-on-sm8250.patch b/queue-6.15/iommu-arm-smmu-disable-prr-on-sm8250.patch new file mode 100644 index 0000000000..7fc0b1ff8d --- /dev/null +++ b/queue-6.15/iommu-arm-smmu-disable-prr-on-sm8250.patch @@ -0,0 +1,40 @@ +From c5630d581c1a99404c343c66ca9de6751dfd57d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jul 2025 19:08:33 +0300 +Subject: iommu/arm-smmu: disable PRR on SM8250 + +From: Dmitry Baryshkov + +[ Upstream commit b9bb7e814cd0c3633791327a96749a1f9b7f3ef4 ] + +On SM8250 / QRB5165-RB5 using PRR bits resets the device, most likely +because of the hyp limitations. Disable PRR support on that platform. + +Fixes: 7f2ef1bfc758 ("iommu/arm-smmu: Add support for PRR bit setup") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Akhil P Oommen +Reviewed-by: Rob Clark +Link: https://lore.kernel.org/r/20250705-iommu-fix-prr-v2-1-406fecc37cf8@oss.qualcomm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +index 59d02687280e..4f4c9e376fc4 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +@@ -342,7 +342,8 @@ static int qcom_adreno_smmu_init_context(struct arm_smmu_domain *smmu_domain, + priv->set_prr_addr = NULL; + + if (of_device_is_compatible(np, "qcom,smmu-500") && +- of_device_is_compatible(np, "qcom,adreno-smmu")) { ++ !of_device_is_compatible(np, "qcom,sm8250-smmu-500") && ++ of_device_is_compatible(np, "qcom,adreno-smmu")) { + priv->set_prr_bit = qcom_adreno_smmu_set_prr_bit; + priv->set_prr_addr = qcom_adreno_smmu_set_prr_addr; + } +-- +2.39.5 + diff --git a/queue-6.15/iommu-vt-d-do-not-wipe-out-the-page-table-nid-when-d.patch b/queue-6.15/iommu-vt-d-do-not-wipe-out-the-page-table-nid-when-d.patch new file mode 100644 index 0000000000..484558242d --- /dev/null +++ b/queue-6.15/iommu-vt-d-do-not-wipe-out-the-page-table-nid-when-d.patch @@ -0,0 +1,41 @@ +From 467fa85093d6443755a60f3805f189de3a50a166 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 12:50:22 +0800 +Subject: iommu/vt-d: Do not wipe out the page table NID when devices detach + +From: Jason Gunthorpe + +[ Upstream commit 5c3687d5789cfff8d285a2c76bceb47f145bf01f ] + +The NID is used to control which NUMA node memory for the page table is +allocated it from. It should be a permanent property of the page table +when it was allocated and not change during attach/detach of devices. + +Reviewed-by: Wei Wang +Reviewed-by: Kevin Tian +Signed-off-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/3-v3-dbbe6f7e7ae3+124ffe-vtd_prep_jgg@nvidia.com +Signed-off-by: Lu Baolu +Fixes: 7c204426b818 ("iommu/vt-d: Add domain_alloc_paging support") +Link: https://lore.kernel.org/r/20250714045028.958850-6-baolu.lu@linux.intel.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/iommu.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c +index ff07ee2940f5..024fb7c36d88 100644 +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -1440,7 +1440,6 @@ void domain_detach_iommu(struct dmar_domain *domain, struct intel_iommu *iommu) + if (--info->refcnt == 0) { + clear_bit(info->did, iommu->domain_ids); + xa_erase(&domain->iommu_array, iommu->seq_id); +- domain->nid = NUMA_NO_NODE; + kfree(info); + } + spin_unlock(&iommu->lock); +-- +2.39.5 + diff --git a/queue-6.15/ipv6-annotate-data-races-around-rt-fib6_nsiblings.patch b/queue-6.15/ipv6-annotate-data-races-around-rt-fib6_nsiblings.patch new file mode 100644 index 0000000000..d1c00d9dca --- /dev/null +++ b/queue-6.15/ipv6-annotate-data-races-around-rt-fib6_nsiblings.patch @@ -0,0 +1,121 @@ +From 7c780e6dd21401e8feb2dd136330e99405d57637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:07:25 +0000 +Subject: ipv6: annotate data-races around rt->fib6_nsiblings + +From: Eric Dumazet + +[ Upstream commit 31d7d67ba1274f42494256d52e86da80ed09f3cb ] + +rt->fib6_nsiblings can be read locklessly, add corresponding +READ_ONCE() and WRITE_ONCE() annotations. + +Fixes: 66f5d6ce53e6 ("ipv6: replace rwlock with rcu and spinlock in fib6_table") +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250725140725.3626540-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 20 +++++++++++++------- + net/ipv6/route.c | 5 +++-- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index d7cf38f91c5b..3ac7e15d8d23 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -433,15 +433,17 @@ struct fib6_dump_arg { + static int fib6_rt_dump(struct fib6_info *rt, struct fib6_dump_arg *arg) + { + enum fib_event_type fib_event = FIB_EVENT_ENTRY_REPLACE; ++ unsigned int nsiblings; + int err; + + if (!rt || rt == arg->net->ipv6.fib6_null_entry) + return 0; + +- if (rt->fib6_nsiblings) ++ nsiblings = READ_ONCE(rt->fib6_nsiblings); ++ if (nsiblings) + err = call_fib6_multipath_entry_notifier(arg->nb, fib_event, + rt, +- rt->fib6_nsiblings, ++ nsiblings, + arg->extack); + else + err = call_fib6_entry_notifier(arg->nb, fib_event, rt, +@@ -1119,7 +1121,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + + if (rt6_duplicate_nexthop(iter, rt)) { + if (rt->fib6_nsiblings) +- rt->fib6_nsiblings = 0; ++ WRITE_ONCE(rt->fib6_nsiblings, 0); + if (!(iter->fib6_flags & RTF_EXPIRES)) + return -EEXIST; + if (!(rt->fib6_flags & RTF_EXPIRES)) { +@@ -1148,7 +1150,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + */ + if (rt_can_ecmp && + rt6_qualify_for_ecmp(iter)) +- rt->fib6_nsiblings++; ++ WRITE_ONCE(rt->fib6_nsiblings, ++ rt->fib6_nsiblings + 1); + } + + if (iter->fib6_metric > rt->fib6_metric) +@@ -1198,7 +1201,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + fib6_nsiblings = 0; + list_for_each_entry_safe(sibling, temp_sibling, + &rt->fib6_siblings, fib6_siblings) { +- sibling->fib6_nsiblings++; ++ WRITE_ONCE(sibling->fib6_nsiblings, ++ sibling->fib6_nsiblings + 1); + BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings); + fib6_nsiblings++; + } +@@ -1243,7 +1247,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + list_for_each_entry_safe(sibling, next_sibling, + &rt->fib6_siblings, + fib6_siblings) +- sibling->fib6_nsiblings--; ++ WRITE_ONCE(sibling->fib6_nsiblings, ++ sibling->fib6_nsiblings - 1); + WRITE_ONCE(rt->fib6_nsiblings, 0); + list_del_rcu(&rt->fib6_siblings); + rt6_multipath_rebalance(next_sibling); +@@ -1961,7 +1966,8 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn, + notify_del = true; + list_for_each_entry_safe(sibling, next_sibling, + &rt->fib6_siblings, fib6_siblings) +- sibling->fib6_nsiblings--; ++ WRITE_ONCE(sibling->fib6_nsiblings, ++ sibling->fib6_nsiblings - 1); + WRITE_ONCE(rt->fib6_nsiblings, 0); + list_del_rcu(&rt->fib6_siblings); + rt6_multipath_rebalance(next_sibling); +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 506afe11fe3c..aa1341fc9933 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5249,7 +5249,8 @@ static void ip6_route_mpath_notify(struct fib6_info *rt, + */ + rcu_read_lock(); + +- if ((nlflags & NLM_F_APPEND) && rt_last && rt_last->fib6_nsiblings) { ++ if ((nlflags & NLM_F_APPEND) && rt_last && ++ READ_ONCE(rt_last->fib6_nsiblings)) { + rt = list_first_or_null_rcu(&rt_last->fib6_siblings, + struct fib6_info, + fib6_siblings); +@@ -5782,7 +5783,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb, + if (dst->lwtstate && + lwtunnel_fill_encap(skb, dst->lwtstate, RTA_ENCAP, RTA_ENCAP_TYPE) < 0) + goto nla_put_failure; +- } else if (rt->fib6_nsiblings) { ++ } else if (READ_ONCE(rt->fib6_nsiblings)) { + struct fib6_info *sibling; + struct nlattr *mp; + +-- +2.39.5 + diff --git a/queue-6.15/ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch b/queue-6.15/ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch new file mode 100644 index 0000000000..667e381bc8 --- /dev/null +++ b/queue-6.15/ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch @@ -0,0 +1,60 @@ +From ced9f742e5ee16cee2afb83b5365172ee1fca39f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:07:24 +0000 +Subject: ipv6: fix possible infinite loop in fib6_info_uses_dev() + +From: Eric Dumazet + +[ Upstream commit f8d8ce1b515a0a6af72b30502670a406cfb75073 ] + +fib6_info_uses_dev() seems to rely on RCU without an explicit +protection. + +Like the prior fix in rt6_nlmsg_size(), +we need to make sure fib6_del_route() or fib6_add_rt2node() +have not removed the anchor from the list, or we risk an infinite loop. + +Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn") +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250725140725.3626540-4-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index ebb4abd5e69e..506afe11fe3c 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5884,16 +5884,21 @@ static bool fib6_info_uses_dev(const struct fib6_info *f6i, + if (f6i->fib6_nh->fib_nh_dev == dev) + return true; + +- if (f6i->fib6_nsiblings) { +- struct fib6_info *sibling, *next_sibling; ++ if (READ_ONCE(f6i->fib6_nsiblings)) { ++ const struct fib6_info *sibling; + +- list_for_each_entry_safe(sibling, next_sibling, +- &f6i->fib6_siblings, fib6_siblings) { +- if (sibling->fib6_nh->fib_nh_dev == dev) ++ rcu_read_lock(); ++ list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, ++ fib6_siblings) { ++ if (sibling->fib6_nh->fib_nh_dev == dev) { ++ rcu_read_unlock(); + return true; ++ } ++ if (!READ_ONCE(f6i->fib6_nsiblings)) ++ break; + } ++ rcu_read_unlock(); + } +- + return false; + } + +-- +2.39.5 + diff --git a/queue-6.15/ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch b/queue-6.15/ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch new file mode 100644 index 0000000000..eabcfcbb91 --- /dev/null +++ b/queue-6.15/ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch @@ -0,0 +1,113 @@ +From e1c7434c9f3e6d6d3b9e1df99715b94eec513fa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:07:23 +0000 +Subject: ipv6: prevent infinite loop in rt6_nlmsg_size() + +From: Eric Dumazet + +[ Upstream commit 54e6fe9dd3b0e7c481c2228782c9494d653546da ] + +While testing prior patch, I was able to trigger +an infinite loop in rt6_nlmsg_size() in the following place: + +list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, + fib6_siblings) { + rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); +} + +This is because fib6_del_route() and fib6_add_rt2node() +uses list_del_rcu(), which can confuse rcu readers, +because they might no longer see the head of the list. + +Restart the loop if f6i->fib6_nsiblings is zero. + +Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn") +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250725140725.3626540-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 4 ++-- + net/ipv6/route.c | 34 ++++++++++++++++++---------------- + 2 files changed, 20 insertions(+), 18 deletions(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index bf727149fdec..d7cf38f91c5b 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1244,7 +1244,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + &rt->fib6_siblings, + fib6_siblings) + sibling->fib6_nsiblings--; +- rt->fib6_nsiblings = 0; ++ WRITE_ONCE(rt->fib6_nsiblings, 0); + list_del_rcu(&rt->fib6_siblings); + rt6_multipath_rebalance(next_sibling); + return err; +@@ -1962,7 +1962,7 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn, + list_for_each_entry_safe(sibling, next_sibling, + &rt->fib6_siblings, fib6_siblings) + sibling->fib6_nsiblings--; +- rt->fib6_nsiblings = 0; ++ WRITE_ONCE(rt->fib6_nsiblings, 0); + list_del_rcu(&rt->fib6_siblings); + rt6_multipath_rebalance(next_sibling); + } +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 96f1621e2381..ebb4abd5e69e 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5596,32 +5596,34 @@ static int rt6_nh_nlmsg_size(struct fib6_nh *nh, void *arg) + + static size_t rt6_nlmsg_size(struct fib6_info *f6i) + { ++ struct fib6_info *sibling; ++ struct fib6_nh *nh; + int nexthop_len; + + if (f6i->nh) { + nexthop_len = nla_total_size(4); /* RTA_NH_ID */ + nexthop_for_each_fib6_nh(f6i->nh, rt6_nh_nlmsg_size, + &nexthop_len); +- } else { +- struct fib6_nh *nh = f6i->fib6_nh; +- struct fib6_info *sibling; +- +- nexthop_len = 0; +- if (f6i->fib6_nsiblings) { +- rt6_nh_nlmsg_size(nh, &nexthop_len); +- +- rcu_read_lock(); ++ goto common; ++ } + +- list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, +- fib6_siblings) { +- rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); +- } ++ rcu_read_lock(); ++retry: ++ nh = f6i->fib6_nh; ++ nexthop_len = 0; ++ if (READ_ONCE(f6i->fib6_nsiblings)) { ++ rt6_nh_nlmsg_size(nh, &nexthop_len); + +- rcu_read_unlock(); ++ list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, ++ fib6_siblings) { ++ rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); ++ if (!READ_ONCE(f6i->fib6_nsiblings)) ++ goto retry; + } +- nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws); + } +- ++ rcu_read_unlock(); ++ nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws); ++common: + return NLMSG_ALIGN(sizeof(struct rtmsg)) + + nla_total_size(16) /* RTA_SRC */ + + nla_total_size(16) /* RTA_DST */ +-- +2.39.5 + diff --git a/queue-6.15/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch b/queue-6.15/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch new file mode 100644 index 0000000000..92900d4ca2 --- /dev/null +++ b/queue-6.15/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch @@ -0,0 +1,69 @@ +From c7079f2e816ef9a539d30218beee49a1ebddbf5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 09:48:48 +0800 +Subject: iwlwifi: Add missing check for alloc_ordered_workqueue + +From: Jiasheng Jiang + +[ Upstream commit 90a0d9f339960448a3acc1437a46730f975efd6a ] + +Add check for the return value of alloc_ordered_workqueue since it may +return NULL pointer. + +Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers") +Signed-off-by: Jiasheng Jiang +Link: https://patch.msgid.link/20230110014848.28226-1-jiasheng@iscas.ac.cn +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c +index a7f9e244c097..cd20958fb91a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c +@@ -1048,9 +1048,11 @@ static void iwl_bg_restart(struct work_struct *data) + * + *****************************************************************************/ + +-static void iwl_setup_deferred_work(struct iwl_priv *priv) ++static int iwl_setup_deferred_work(struct iwl_priv *priv) + { + priv->workqueue = alloc_ordered_workqueue(DRV_NAME, 0); ++ if (!priv->workqueue) ++ return -ENOMEM; + + INIT_WORK(&priv->restart, iwl_bg_restart); + INIT_WORK(&priv->beacon_update, iwl_bg_beacon_update); +@@ -1067,6 +1069,8 @@ static void iwl_setup_deferred_work(struct iwl_priv *priv) + timer_setup(&priv->statistics_periodic, iwl_bg_statistics_periodic, 0); + + timer_setup(&priv->ucode_trace, iwl_bg_ucode_trace, 0); ++ ++ return 0; + } + + void iwl_cancel_deferred_work(struct iwl_priv *priv) +@@ -1464,7 +1468,9 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans, + /******************** + * 6. Setup services + ********************/ +- iwl_setup_deferred_work(priv); ++ if (iwl_setup_deferred_work(priv)) ++ goto out_uninit_drv; ++ + iwl_setup_rx_handlers(priv); + + iwl_power_initialize(priv); +@@ -1503,6 +1509,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans, + iwl_cancel_deferred_work(priv); + destroy_workqueue(priv->workqueue); + priv->workqueue = NULL; ++out_uninit_drv: + iwl_uninit_drv(priv); + out_free_eeprom_blob: + kfree(priv->eeprom_blob); +-- +2.39.5 + diff --git a/queue-6.15/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch b/queue-6.15/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch new file mode 100644 index 0000000000..49cfe14dde --- /dev/null +++ b/queue-6.15/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch @@ -0,0 +1,45 @@ +From a2957f8f2223ef20f9e5d1c16acafb7c93e1d1b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jul 2025 01:22:14 +0000 +Subject: jfs: fix metapage reference count leak in dbAllocCtl + +From: Zheng Yu + +[ Upstream commit 856db37592021e9155384094e331e2d4589f28b1 ] + +In dbAllocCtl(), read_metapage() increases the reference count of the +metapage. However, when dp->tree.budmin < 0, the function returns -EIO +without calling release_metapage() to decrease the reference count, +leading to a memory leak. + +Add release_metapage(mp) before the error return to properly manage +the metapage reference count and prevent the leak. + +Fixes: a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ("jfs: fix shift-out-of-bounds in dbSplit") + +Signed-off-by: Zheng Yu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 35e063c9f3a4..5a877261c3fe 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1809,8 +1809,10 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results) + return -EIO; + dp = (struct dmap *) mp->data; + +- if (dp->tree.budmin < 0) ++ if (dp->tree.budmin < 0) { ++ release_metapage(mp); + return -EIO; ++ } + + /* try to allocate the blocks. + */ +-- +2.39.5 + diff --git a/queue-6.15/kconfig-qconf-fix-configlist-updatelistallforall.patch b/queue-6.15/kconfig-qconf-fix-configlist-updatelistallforall.patch new file mode 100644 index 0000000000..a6aad9f05b --- /dev/null +++ b/queue-6.15/kconfig-qconf-fix-configlist-updatelistallforall.patch @@ -0,0 +1,38 @@ +From 4df3c2b3e460452275cfdbdca5d2bc9c02773294 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 03:48:56 +0900 +Subject: kconfig: qconf: fix ConfigList::updateListAllforAll() + +From: Masahiro Yamada + +[ Upstream commit 721bfe583c52ba1ea74b3736a31a9dcfe6dd6d95 ] + +ConfigList::updateListForAll() and ConfigList::updateListAllforAll() +are identical. + +Commit f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All) +to ConfigList class") was a misconversion. + +Fixes: f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All) to ConfigList class") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/qconf.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc +index eaa465b0ccf9..49607555d343 100644 +--- a/scripts/kconfig/qconf.cc ++++ b/scripts/kconfig/qconf.cc +@@ -478,7 +478,7 @@ void ConfigList::updateListAllForAll() + while (it.hasNext()) { + ConfigList *list = it.next(); + +- list->updateList(); ++ list->updateListAll(); + } + } + +-- +2.39.5 + diff --git a/queue-6.15/kcsan-test-initialize-dummy-variable.patch b/queue-6.15/kcsan-test-initialize-dummy-variable.patch new file mode 100644 index 0000000000..b3f0dfcd4e --- /dev/null +++ b/queue-6.15/kcsan-test-initialize-dummy-variable.patch @@ -0,0 +1,47 @@ +From 07476506fe28c0399074cc0810fe8b52cfdefef5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 20:19:17 +0200 +Subject: kcsan: test: Initialize dummy variable + +From: Marco Elver + +[ Upstream commit 9872916ad1a1a5e7d089e05166c85dbd65e5b0e8 ] + +Newer compiler versions rightfully point out: + + kernel/kcsan/kcsan_test.c:591:41: error: variable 'dummy' is + uninitialized when passed as a const pointer argument here + [-Werror,-Wuninitialized-const-pointer] + 591 | KCSAN_EXPECT_READ_BARRIER(atomic_read(&dummy), false); + | ^~~~~ + 1 error generated. + +Although this particular test does not care about the value stored in +the dummy atomic variable, let's silence the warning. + +Link: https://lkml.kernel.org/r/CA+G9fYu8JY=k-r0hnBRSkQQrFJ1Bz+ShdXNwC1TNeMt0eXaxeA@mail.gmail.com +Fixes: 8bc32b348178 ("kcsan: test: Add test cases for memory barrier instrumentation") +Reported-by: Linux Kernel Functional Testing +Reviewed-by: Alexander Potapenko +Signed-off-by: Marco Elver +Signed-off-by: Sasha Levin +--- + kernel/kcsan/kcsan_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/kcsan/kcsan_test.c b/kernel/kcsan/kcsan_test.c +index 6ce73cceaf53..1305bc0e2479 100644 +--- a/kernel/kcsan/kcsan_test.c ++++ b/kernel/kcsan/kcsan_test.c +@@ -533,7 +533,7 @@ static void test_barrier_nothreads(struct kunit *test) + struct kcsan_scoped_access *reorder_access = NULL; + #endif + arch_spinlock_t arch_spinlock = __ARCH_SPIN_LOCK_UNLOCKED; +- atomic_t dummy; ++ atomic_t dummy = ATOMIC_INIT(0); + + KCSAN_TEST_REQUIRES(test, reorder_access != NULL); + KCSAN_TEST_REQUIRES(test, IS_ENABLED(CONFIG_SMP)); +-- +2.39.5 + diff --git a/queue-6.15/kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch b/queue-6.15/kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch new file mode 100644 index 0000000000..66cadecae0 --- /dev/null +++ b/queue-6.15/kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch @@ -0,0 +1,67 @@ +From 50322140088b3c3c0a1a47b033aec5765c7da802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:12:12 +0200 +Subject: kernel: trace: preemptirq_delay_test: use offstack cpu mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit adc353c0bfb243ebfd29b6222fa3bf149169a6de ] + +A CPU mask on the stack is broken for large values of CONFIG_NR_CPUS: + +kernel/trace/preemptirq_delay_test.c: In function ‘preemptirq_delay_run’: +kernel/trace/preemptirq_delay_test.c:143:1: error: the frame size of 8512 bytes is larger than 1536 bytes [-Werror=frame-larger-than=] + +Fall back to dynamic allocation here. + +Cc: Masami Hiramatsu +Cc: Song Chen +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20250620111215.3365305-1-arnd@kernel.org +Fixes: 4b9091e1c194 ("kernel: trace: preemptirq_delay_test: add cpu affinity") +Signed-off-by: Arnd Bergmann +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/preemptirq_delay_test.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/preemptirq_delay_test.c b/kernel/trace/preemptirq_delay_test.c +index 314ffc143039..acb0c971a408 100644 +--- a/kernel/trace/preemptirq_delay_test.c ++++ b/kernel/trace/preemptirq_delay_test.c +@@ -117,12 +117,15 @@ static int preemptirq_delay_run(void *data) + { + int i; + int s = MIN(burst_size, NR_TEST_FUNCS); +- struct cpumask cpu_mask; ++ cpumask_var_t cpu_mask; ++ ++ if (!alloc_cpumask_var(&cpu_mask, GFP_KERNEL)) ++ return -ENOMEM; + + if (cpu_affinity > -1) { +- cpumask_clear(&cpu_mask); +- cpumask_set_cpu(cpu_affinity, &cpu_mask); +- if (set_cpus_allowed_ptr(current, &cpu_mask)) ++ cpumask_clear(cpu_mask); ++ cpumask_set_cpu(cpu_affinity, cpu_mask); ++ if (set_cpus_allowed_ptr(current, cpu_mask)) + pr_err("cpu_affinity:%d, failed\n", cpu_affinity); + } + +@@ -139,6 +142,8 @@ static int preemptirq_delay_run(void *data) + + __set_current_state(TASK_RUNNING); + ++ free_cpumask_var(cpu_mask); ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.15/kselftest-arm64-fix-check-for-setting-new-vls-in-sve.patch b/queue-6.15/kselftest-arm64-fix-check-for-setting-new-vls-in-sve.patch new file mode 100644 index 0000000000..cbba7b9727 --- /dev/null +++ b/queue-6.15/kselftest-arm64-fix-check-for-setting-new-vls-in-sve.patch @@ -0,0 +1,40 @@ +From 7a17efc129eb249a03e07b276a123951074101ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 16:25:31 +0100 +Subject: kselftest/arm64: Fix check for setting new VLs in sve-ptrace + +From: Mark Brown + +[ Upstream commit 867446f090589626497638f70b10be5e61a0b925 ] + +The check that the new vector length we set was the expected one was typoed +to an assignment statement which for some reason the compilers didn't spot, +most likely due to the macros involved. + +Fixes: a1d7111257cd ("selftests: arm64: More comprehensively test the SVE ptrace interface") +Acked-by: Mark Rutland +Acked-by: Dev Jain +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20250609-kselftest-arm64-ssve-fixups-v2-1-998fcfa6f240@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/arm64/fp/sve-ptrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/arm64/fp/sve-ptrace.c b/tools/testing/selftests/arm64/fp/sve-ptrace.c +index 577b6e05e860..c499d5789dd5 100644 +--- a/tools/testing/selftests/arm64/fp/sve-ptrace.c ++++ b/tools/testing/selftests/arm64/fp/sve-ptrace.c +@@ -253,7 +253,7 @@ static void ptrace_set_get_vl(pid_t child, const struct vec_type *type, + return; + } + +- ksft_test_result(new_sve->vl = prctl_vl, "Set %s VL %u\n", ++ ksft_test_result(new_sve->vl == prctl_vl, "Set %s VL %u\n", + type->name, vl); + + free(new_sve); +-- +2.39.5 + diff --git a/queue-6.15/kunit-fortify-add-back-volatile-for-sizeof-constants.patch b/queue-6.15/kunit-fortify-add-back-volatile-for-sizeof-constants.patch new file mode 100644 index 0000000000..196a7c782f --- /dev/null +++ b/queue-6.15/kunit-fortify-add-back-volatile-for-sizeof-constants.patch @@ -0,0 +1,48 @@ +From 439b08adeb967eee10982e68606a72a101a5aec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jun 2025 16:40:38 -0700 +Subject: kunit/fortify: Add back "volatile" for sizeof() constants +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 10299c07c94aa0997fa43523b53301e713a6415d ] + +It seems the Clang can see through OPTIMIZER_HIDE_VAR when the constant +is coming from sizeof. Adding "volatile" back to these variables solves +this false positive without reintroducing the issues that originally led +to switching to OPTIMIZER_HIDE_VAR in the first place[1]. + +Reported-by: Nathan Chancellor +Closes: https://github.com/ClangBuiltLinux/linux/issues/2075 [1] +Cc: Jannik Glückert +Suggested-by: Nathan Chancellor +Fixes: 6ee149f61bcc ("kunit/fortify: Replace "volatile" with OPTIMIZER_HIDE_VAR()") +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20250628234034.work.800-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + lib/tests/fortify_kunit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/tests/fortify_kunit.c b/lib/tests/fortify_kunit.c +index 29ffc62a71e3..fc9c76f026d6 100644 +--- a/lib/tests/fortify_kunit.c ++++ b/lib/tests/fortify_kunit.c +@@ -1003,8 +1003,8 @@ static void fortify_test_memcmp(struct kunit *test) + { + char one[] = "My mind is going ..."; + char two[] = "My mind is going ... I can feel it."; +- size_t one_len = sizeof(one) - 1; +- size_t two_len = sizeof(two) - 1; ++ volatile size_t one_len = sizeof(one) - 1; ++ volatile size_t two_len = sizeof(two) - 1; + + OPTIMIZER_HIDE_VAR(one_len); + OPTIMIZER_HIDE_VAR(two_len); +-- +2.39.5 + diff --git a/queue-6.15/landlock-fix-warning-from-kunit-tests.patch b/queue-6.15/landlock-fix-warning-from-kunit-tests.patch new file mode 100644 index 0000000000..bde7cf7bd8 --- /dev/null +++ b/queue-6.15/landlock-fix-warning-from-kunit-tests.patch @@ -0,0 +1,200 @@ +From 003ded9fb8a7dac7218ab6819a04c4f66f966f82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 17:09:36 +0100 +Subject: landlock: Fix warning from KUnit tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tingmao Wang + +[ Upstream commit e0a69cf2c03e61bd8069becb97f66c173d0d1fa1 ] + +get_id_range() expects a positive value as first argument but +get_random_u8() can return 0. Fix this by clamping it. + +Validated by running the test in a for loop for 1000 times. + +Note that MAX() is wrong as it is only supposed to be used for +constants, but max() is good here. + + [..] ok 9 test_range2_rand1 + [..] ok 10 test_range2_rand2 + [..] ok 11 test_range2_rand15 + [..] ------------[ cut here ]------------ + [..] WARNING: CPU: 6 PID: 104 at security/landlock/id.c:99 test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1)) + [..] Modules linked in: + [..] CPU: 6 UID: 0 PID: 104 Comm: kunit_try_catch Tainted: G N 6.16.0-rc1-dev-00001-g314a2f98b65f #1 PREEMPT(undef) + [..] Tainted: [N]=TEST + [..] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + [..] RIP: 0010:test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1)) + [..] Code: 49 c7 c0 10 70 30 82 4c 89 ff 48 c7 c6 a0 63 1e 83 49 c7 45 a0 e0 63 1e 83 e8 3f 95 17 00 e9 1f ff ff ff 0f 0b e9 df fd ff ff <0f> 0b ba 01 00 00 00 e9 68 fe ff ff 49 89 45 a8 49 8d 4d a0 45 31 + + [..] RSP: 0000:ffff888104eb7c78 EFLAGS: 00010246 + [..] RAX: 0000000000000000 RBX: 000000000870822c RCX: 0000000000000000 + ^^^^^^^^^^^^^^^^ + [..] + [..] Call Trace: + [..] + [..] ---[ end trace 0000000000000000 ]--- + [..] ok 12 test_range2_rand16 + [..] # landlock_id: pass:12 fail:0 skip:0 total:12 + [..] # Totals: pass:12 fail:0 skip:0 total:12 + [..] ok 1 landlock_id + +Fixes: d9d2a68ed44b ("landlock: Add unique ID generator") +Signed-off-by: Tingmao Wang +Link: https://lore.kernel.org/r/73e28efc5b8cc394608b99d5bc2596ca917d7c4a.1750003733.git.m@maowtm.org +[mic: Minor cosmetic improvements] +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + security/landlock/id.c | 69 +++++++++++++++++++++++++----------------- + 1 file changed, 42 insertions(+), 27 deletions(-) + +diff --git a/security/landlock/id.c b/security/landlock/id.c +index 56f7cc0fc744..838c3ed7bb82 100644 +--- a/security/landlock/id.c ++++ b/security/landlock/id.c +@@ -119,6 +119,12 @@ static u64 get_id_range(size_t number_of_ids, atomic64_t *const counter, + + #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST + ++static u8 get_random_u8_positive(void) ++{ ++ /* max() evaluates its arguments once. */ ++ return max(1, get_random_u8()); ++} ++ + static void test_range1_rand0(struct kunit *const test) + { + atomic64_t counter; +@@ -127,9 +133,10 @@ static void test_range1_rand0(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 0), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 1); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 1); + } + + static void test_range1_rand1(struct kunit *const test) +@@ -140,9 +147,10 @@ static void test_range1_rand1(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 1), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 2); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 2); + } + + static void test_range1_rand15(struct kunit *const test) +@@ -153,9 +161,10 @@ static void test_range1_rand15(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 15), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 16); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 16); + } + + static void test_range1_rand16(struct kunit *const test) +@@ -166,9 +175,10 @@ static void test_range1_rand16(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 16), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 1); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 1); + } + + static void test_range2_rand0(struct kunit *const test) +@@ -179,9 +189,10 @@ static void test_range2_rand0(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 0), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 2); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 2); + } + + static void test_range2_rand1(struct kunit *const test) +@@ -192,9 +203,10 @@ static void test_range2_rand1(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 1), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 3); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 3); + } + + static void test_range2_rand2(struct kunit *const test) +@@ -205,9 +217,10 @@ static void test_range2_rand2(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 2), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 4); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 4); + } + + static void test_range2_rand15(struct kunit *const test) +@@ -218,9 +231,10 @@ static void test_range2_rand15(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 15), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 17); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 17); + } + + static void test_range2_rand16(struct kunit *const test) +@@ -231,9 +245,10 @@ static void test_range2_rand16(struct kunit *const test) + init = get_random_u32(); + atomic64_set(&counter, init); + KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 16), init); +- KUNIT_EXPECT_EQ( +- test, get_id_range(get_random_u8(), &counter, get_random_u8()), +- init + 2); ++ KUNIT_EXPECT_EQ(test, ++ get_id_range(get_random_u8_positive(), &counter, ++ get_random_u8()), ++ init + 2); + } + + #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ +-- +2.39.5 + diff --git a/queue-6.15/m68k-don-t-unregister-boot-console-needlessly.patch b/queue-6.15/m68k-don-t-unregister-boot-console-needlessly.patch new file mode 100644 index 0000000000..bf4dccbf01 --- /dev/null +++ b/queue-6.15/m68k-don-t-unregister-boot-console-needlessly.patch @@ -0,0 +1,150 @@ +From 4e3a467c4d0088505f2f65a431ddecf4f2aaeb6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:26:44 +1100 +Subject: m68k: Don't unregister boot console needlessly + +From: Finn Thain + +[ Upstream commit 83f672a7f69ec38b1bbb27221e342937f68c11c7 ] + +When MACH_IS_MVME147, the boot console calls mvme147_scc_write() to +generate console output. That will continue to work even after +debug_cons_nputs() becomes unavailable so there's no need to +unregister the boot console. + +Take the opportunity to remove a repeated MACH_IS_* test. Use the +actual .write method (instead of a wrapper) and test that pointer +instead. This means adding an unused parameter to debug_cons_nputs() for +consistency with the struct console API. + +early_printk.c is only built when CONFIG_EARLY_PRINTK=y. As of late, +head.S is only built when CONFIG_MMU_MOTOROLA=y. So let the former symbol +depend on the latter, to obviate some ifdef conditionals. + +Cc: Daniel Palmer +Fixes: 077b33b9e283 ("m68k: mvme147: Reinstate early console") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/d1d4328e5aa9a87bd8352529ce62b767731c0530.1743467205.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/Kconfig.debug | 2 +- + arch/m68k/kernel/early_printk.c | 42 +++++++++++---------------------- + arch/m68k/kernel/head.S | 8 +++---- + 3 files changed, 19 insertions(+), 33 deletions(-) + +diff --git a/arch/m68k/Kconfig.debug b/arch/m68k/Kconfig.debug +index 30638a6e8edc..d036f903864c 100644 +--- a/arch/m68k/Kconfig.debug ++++ b/arch/m68k/Kconfig.debug +@@ -10,7 +10,7 @@ config BOOTPARAM_STRING + + config EARLY_PRINTK + bool "Early printk" +- depends on !(SUN3 || M68000 || COLDFIRE) ++ depends on MMU_MOTOROLA + help + Write kernel log output directly to a serial port. + Where implemented, output goes to the framebuffer as well. +diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c +index f11ef9f1f56f..521cbb8a150c 100644 +--- a/arch/m68k/kernel/early_printk.c ++++ b/arch/m68k/kernel/early_printk.c +@@ -16,25 +16,10 @@ + #include "../mvme147/mvme147.h" + #include "../mvme16x/mvme16x.h" + +-asmlinkage void __init debug_cons_nputs(const char *s, unsigned n); +- +-static void __ref debug_cons_write(struct console *c, +- const char *s, unsigned n) +-{ +-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \ +- defined(CONFIG_COLDFIRE)) +- if (MACH_IS_MVME147) +- mvme147_scc_write(c, s, n); +- else if (MACH_IS_MVME16x) +- mvme16x_cons_write(c, s, n); +- else +- debug_cons_nputs(s, n); +-#endif +-} ++asmlinkage void __init debug_cons_nputs(struct console *c, const char *s, unsigned int n); + + static struct console early_console_instance = { + .name = "debug", +- .write = debug_cons_write, + .flags = CON_PRINTBUFFER | CON_BOOT, + .index = -1 + }; +@@ -44,6 +29,12 @@ static int __init setup_early_printk(char *buf) + if (early_console || buf) + return 0; + ++ if (MACH_IS_MVME147) ++ early_console_instance.write = mvme147_scc_write; ++ else if (MACH_IS_MVME16x) ++ early_console_instance.write = mvme16x_cons_write; ++ else ++ early_console_instance.write = debug_cons_nputs; + early_console = &early_console_instance; + register_console(early_console); + +@@ -51,20 +42,15 @@ static int __init setup_early_printk(char *buf) + } + early_param("earlyprintk", setup_early_printk); + +-/* +- * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be called +- * after init sections are discarded (for platforms that use it). +- */ +-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \ +- defined(CONFIG_COLDFIRE)) +- + static int __init unregister_early_console(void) + { +- if (!early_console || MACH_IS_MVME16x) +- return 0; ++ /* ++ * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be ++ * called after init sections are discarded (for platforms that use it). ++ */ ++ if (early_console && early_console->write == debug_cons_nputs) ++ return unregister_console(early_console); + +- return unregister_console(early_console); ++ return 0; + } + late_initcall(unregister_early_console); +- +-#endif +diff --git a/arch/m68k/kernel/head.S b/arch/m68k/kernel/head.S +index 852255cf60de..ba22bc2f3d6d 100644 +--- a/arch/m68k/kernel/head.S ++++ b/arch/m68k/kernel/head.S +@@ -3263,8 +3263,8 @@ func_return putn + * turns around and calls the internal routines. This routine + * is used by the boot console. + * +- * The calling parameters are: +- * void debug_cons_nputs(const char *str, unsigned length) ++ * The function signature is - ++ * void debug_cons_nputs(struct console *c, const char *s, unsigned int n) + * + * This routine does NOT understand variable arguments only + * simple strings! +@@ -3273,8 +3273,8 @@ ENTRY(debug_cons_nputs) + moveml %d0/%d1/%a0,%sp@- + movew %sr,%sp@- + ori #0x0700,%sr +- movel %sp@(18),%a0 /* fetch parameter */ +- movel %sp@(22),%d1 /* fetch parameter */ ++ movel %sp@(22),%a0 /* char *s */ ++ movel %sp@(26),%d1 /* unsigned int n */ + jra 2f + 1: + #ifdef CONSOLE_DEBUG +-- +2.39.5 + diff --git a/queue-6.15/macsec-set-iff_unicast_flt-priv-flag.patch b/queue-6.15/macsec-set-iff_unicast_flt-priv-flag.patch new file mode 100644 index 0000000000..06d36d7ed7 --- /dev/null +++ b/queue-6.15/macsec-set-iff_unicast_flt-priv-flag.patch @@ -0,0 +1,72 @@ +From a28ae65fbfdc8b5a4c1aef9c538fc161c384d57a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 15:47:14 -0700 +Subject: macsec: set IFF_UNICAST_FLT priv flag + +From: Stanislav Fomichev + +[ Upstream commit 0349659fd72f662c054ff20d432559bfaa228ce4 ] + +Cosmin reports the following locking issue: + + # BUG: sleeping function called from invalid context at + kernel/locking/mutex.c:275 + # dump_stack_lvl+0x4f/0x60 + # __might_resched+0xeb/0x140 + # mutex_lock+0x1a/0x40 + # dev_set_promiscuity+0x26/0x90 + # __dev_set_promiscuity+0x85/0x170 + # __dev_set_rx_mode+0x69/0xa0 + # dev_uc_add+0x6d/0x80 + # vlan_dev_open+0x5f/0x120 [8021q] + # __dev_open+0x10c/0x2a0 + # __dev_change_flags+0x1a4/0x210 + # netif_change_flags+0x22/0x60 + # do_setlink.isra.0+0xdb0/0x10f0 + # rtnl_newlink+0x797/0xb00 + # rtnetlink_rcv_msg+0x1cb/0x3f0 + # netlink_rcv_skb+0x53/0x100 + # netlink_unicast+0x273/0x3b0 + # netlink_sendmsg+0x1f2/0x430 + +Which is similar to recent syzkaller reports in [0] and [1] and triggers +because macsec does not advertise IFF_UNICAST_FLT although it has proper +ndo_set_rx_mode callback that takes care of pushing uc/mc addresses +down to the real device. + +In general, dev_uc_add call path is problematic for stacking +non-IFF_UNICAST_FLT because we might grab netdev instance lock under +addr_list_lock spinlock, so this is not a systemic fix. + +0: https://lore.kernel.org/netdev/686d55b4.050a0220.1ffab7.0014.GAE@google.com +1: https://lore.kernel.org/netdev/68712acf.a00a0220.26a83e.0051.GAE@google.com/ +Reviewed-by: Simon Horman +Tested-by: Simon Horman +Link: https://lore.kernel.org/netdev/2aff4342b0f5b1539c02ffd8df4c7e58dd9746e7.camel@nvidia.com +Fixes: 7e4d784f5810 ("net: hold netdev instance lock during rtnetlink operations") +Reported-by: Cosmin Ratiu +Tested-by: Cosmin Ratiu +Signed-off-by: Stanislav Fomichev +Link: https://patch.msgid.link/20250723224715.1341121-1-sdf@fomichev.me +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 7edbe76b5455..4c75d1fea552 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3868,7 +3868,7 @@ static void macsec_setup(struct net_device *dev) + ether_setup(dev); + dev->min_mtu = 0; + dev->max_mtu = ETH_MAX_MTU; +- dev->priv_flags |= IFF_NO_QUEUE; ++ dev->priv_flags |= IFF_NO_QUEUE | IFF_UNICAST_FLT; + dev->netdev_ops = &macsec_netdev_ops; + dev->needs_free_netdev = true; + dev->priv_destructor = macsec_free_netdev; +-- +2.39.5 + diff --git a/queue-6.15/md-allow-removing-faulty-rdev-during-resync.patch b/queue-6.15/md-allow-removing-faulty-rdev-during-resync.patch new file mode 100644 index 0000000000..f628e81bc3 --- /dev/null +++ b/queue-6.15/md-allow-removing-faulty-rdev-during-resync.patch @@ -0,0 +1,92 @@ +From 836a6b11a3c78081f5cf6ec5b583dfbeef0f2ad4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 15:54:12 +0800 +Subject: md: allow removing faulty rdev during resync + +From: Zheng Qixing + +[ Upstream commit c0ffeb648000acdc932da7a9d33fd65e9263c54c ] + +During RAID resync, faulty rdev cannot be removed and will result in +"Device or resource busy" error when attempting hot removal. + +Reproduction steps: + mdadm -Cv /dev/md0 -l1 -n3 -e1.2 /dev/sd{b..d} + mdadm /dev/md0 -f /dev/sdb + mdadm /dev/md0 -r /dev/sdb + -> mdadm: hot remove failed for /dev/sdb: Device or resource busy + +After commit 4b10a3bc67c1 ("md: ensure resync is prioritized over +recovery"), when a device becomes faulty during resync, the +md_choose_sync_action() function returns early without calling +remove_and_add_spares(), preventing faulty device removal. + +This patch extracts a helper function remove_spares() to support +removing faulty devices during RAID resync operations. + +Fixes: 4b10a3bc67c1 ("md: ensure resync is prioritized over recovery") +Signed-off-by: Zheng Qixing +Reviewed-by: Li Nan +Link: https://lore.kernel.org/linux-raid/20250707075412.150301-1-zhengqixing@huaweicloud.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 9daa78c5fe33..0de87d451a47 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -9380,17 +9380,11 @@ static bool md_spares_need_change(struct mddev *mddev) + return false; + } + +-static int remove_and_add_spares(struct mddev *mddev, +- struct md_rdev *this) ++static int remove_spares(struct mddev *mddev, struct md_rdev *this) + { + struct md_rdev *rdev; +- int spares = 0; + int removed = 0; + +- if (this && test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) +- /* Mustn't remove devices when resync thread is running */ +- return 0; +- + rdev_for_each(rdev, mddev) { + if ((this == NULL || rdev == this) && rdev_removeable(rdev) && + !mddev->pers->hot_remove_disk(mddev, rdev)) { +@@ -9404,6 +9398,21 @@ static int remove_and_add_spares(struct mddev *mddev, + if (removed && mddev->kobj.sd) + sysfs_notify_dirent_safe(mddev->sysfs_degraded); + ++ return removed; ++} ++ ++static int remove_and_add_spares(struct mddev *mddev, ++ struct md_rdev *this) ++{ ++ struct md_rdev *rdev; ++ int spares = 0; ++ int removed = 0; ++ ++ if (this && test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) ++ /* Mustn't remove devices when resync thread is running */ ++ return 0; ++ ++ removed = remove_spares(mddev, this); + if (this && removed) + goto no_add; + +@@ -9446,6 +9455,7 @@ static bool md_choose_sync_action(struct mddev *mddev, int *spares) + + /* Check if resync is in progress. */ + if (mddev->recovery_cp < MaxSector) { ++ remove_spares(mddev, NULL); + set_bit(MD_RECOVERY_SYNC, &mddev->recovery); + clear_bit(MD_RECOVERY_RECOVER, &mddev->recovery); + return true; +-- +2.39.5 + diff --git a/queue-6.15/media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch b/queue-6.15/media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch new file mode 100644 index 0000000000..f823af77c5 --- /dev/null +++ b/queue-6.15/media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch @@ -0,0 +1,47 @@ +From 652d28d7b0f281891c759f41bc1286738a98f86a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 14:38:48 +0000 +Subject: media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check + +From: James Cowgill + +[ Upstream commit 803b9eabc649c778986449eb0596e5ffeb7a8aed ] + +The `separate_colour_plane_flag` element is only present in the SPS if +`chroma_format_idc == 3`, so the corresponding flag should be disabled +whenever that is not the case and not just on profiles where +`chroma_format_idc` is not present. + +Fixes: b32e48503df0 ("media: controls: Validate H264 stateless controls") +Signed-off-by: James Cowgill +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c +index 90d25329661e..b45809a82f9a 100644 +--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c +@@ -968,12 +968,12 @@ static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx, + + p_h264_sps->flags &= + ~V4L2_H264_SPS_FLAG_QPPRIME_Y_ZERO_TRANSFORM_BYPASS; +- +- if (p_h264_sps->chroma_format_idc < 3) +- p_h264_sps->flags &= +- ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE; + } + ++ if (p_h264_sps->chroma_format_idc < 3) ++ p_h264_sps->flags &= ++ ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE; ++ + if (p_h264_sps->flags & V4L2_H264_SPS_FLAG_FRAME_MBS_ONLY) + p_h264_sps->flags &= + ~V4L2_H264_SPS_FLAG_MB_ADAPTIVE_FRAME_FIELD; +-- +2.39.5 + diff --git a/queue-6.15/mei-vsc-destroy-mutex-after-freeing-the-irq.patch b/queue-6.15/mei-vsc-destroy-mutex-after-freeing-the-irq.patch new file mode 100644 index 0000000000..186550b086 --- /dev/null +++ b/queue-6.15/mei-vsc-destroy-mutex-after-freeing-the-irq.patch @@ -0,0 +1,56 @@ +From d09b45c516bcaead8f5efb96f1f3c7d438735ec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 10:50:47 +0200 +Subject: mei: vsc: Destroy mutex after freeing the IRQ + +From: Hans de Goede + +[ Upstream commit 35b7f3525fe0a7283de7116e3c75ee3ccb3b14c9 ] + +The event_notify callback which runs from vsc_tp_thread_isr may call +vsc_tp_xfer() which locks the mutex. So the ISR depends on the mutex. + +Move the mutex_destroy() call to after free_irq() to ensure that the ISR +is not running while the mutex is destroyed. + +Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20250623085052.12347-6-hansg@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mei/vsc-tp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c +index 267d0de5fade..66b41b86ea7d 100644 +--- a/drivers/misc/mei/vsc-tp.c ++++ b/drivers/misc/mei/vsc-tp.c +@@ -552,10 +552,10 @@ static int vsc_tp_probe(struct spi_device *spi) + return 0; + + err_destroy_lock: +- mutex_destroy(&tp->mutex); +- + free_irq(spi->irq, tp); + ++ mutex_destroy(&tp->mutex); ++ + return ret; + } + +@@ -565,9 +565,9 @@ static void vsc_tp_remove(struct spi_device *spi) + + platform_device_unregister(tp->pdev); + +- mutex_destroy(&tp->mutex); +- + free_irq(spi->irq, tp); ++ ++ mutex_destroy(&tp->mutex); + } + + static void vsc_tp_shutdown(struct spi_device *spi) +-- +2.39.5 + diff --git a/queue-6.15/mei-vsc-don-t-re-init-vsc-from-mei_vsc_hw_reset-on-s.patch b/queue-6.15/mei-vsc-don-t-re-init-vsc-from-mei_vsc_hw_reset-on-s.patch new file mode 100644 index 0000000000..1b65333422 --- /dev/null +++ b/queue-6.15/mei-vsc-don-t-re-init-vsc-from-mei_vsc_hw_reset-on-s.patch @@ -0,0 +1,49 @@ +From 02da5372e2d5e01444fc7f65dd7ba704af764c59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 10:50:44 +0200 +Subject: mei: vsc: Don't re-init VSC from mei_vsc_hw_reset() on stop + +From: Hans de Goede + +[ Upstream commit 880af854d6343b796f05b9a8b52b68a88535625b ] + +mei_vsc_hw_reset() gets called from mei_start() and mei_stop() in +the latter case we do not need to re-init the VSC by calling vsc_tp_init(). + +mei_stop() only happens on shutdown and driver unbind. On shutdown we +don't need to load + boot the firmware and if the driver later is +bound to the device again then mei_start() will do another reset. + +The intr_enable flag is true when called from mei_start() and false on +mei_stop(). Skip vsc_tp_init() when intr_enable is false. + +This avoids unnecessarily uploading the firmware, which takes 11 seconds. +This change reduces the poweroff/reboot time by 11 seconds. + +Fixes: 386a766c4169 ("mei: Add MEI hardware support for IVSC device") +Signed-off-by: Hans de Goede +Reviewed-by: Alexander Usyskin +Link: https://lore.kernel.org/r/20250623085052.12347-3-hansg@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mei/platform-vsc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/misc/mei/platform-vsc.c b/drivers/misc/mei/platform-vsc.c +index 435760b1e86f..1ac85f0251c5 100644 +--- a/drivers/misc/mei/platform-vsc.c ++++ b/drivers/misc/mei/platform-vsc.c +@@ -256,6 +256,9 @@ static int mei_vsc_hw_reset(struct mei_device *mei_dev, bool intr_enable) + + vsc_tp_reset(hw->tp); + ++ if (!intr_enable) ++ return 0; ++ + return vsc_tp_init(hw->tp, mei_dev->dev); + } + +-- +2.39.5 + diff --git a/queue-6.15/mei-vsc-event-notifier-fixes.patch b/queue-6.15/mei-vsc-event-notifier-fixes.patch new file mode 100644 index 0000000000..bf71aceb04 --- /dev/null +++ b/queue-6.15/mei-vsc-event-notifier-fixes.patch @@ -0,0 +1,82 @@ +From 08a5d73e74bbf2578cee310aed267a233938b89d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 10:50:48 +0200 +Subject: mei: vsc: Event notifier fixes + +From: Hans de Goede + +[ Upstream commit 18f14b2e7f73c7ec272d833d570b632286467c7d ] + +vsc_tp_register_event_cb() can race with vsc_tp_thread_isr(), add a mutex +to protect against this. + +Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20250623085052.12347-7-hansg@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mei/vsc-tp.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c +index 66b41b86ea7d..97df3077175d 100644 +--- a/drivers/misc/mei/vsc-tp.c ++++ b/drivers/misc/mei/vsc-tp.c +@@ -79,9 +79,8 @@ struct vsc_tp { + + vsc_tp_event_cb_t event_notify; + void *event_notify_context; +- +- /* used to protect command download */ +- struct mutex mutex; ++ struct mutex event_notify_mutex; /* protects event_notify + context */ ++ struct mutex mutex; /* protects command download */ + }; + + /* GPIO resources */ +@@ -113,6 +112,8 @@ static irqreturn_t vsc_tp_thread_isr(int irq, void *data) + { + struct vsc_tp *tp = data; + ++ guard(mutex)(&tp->event_notify_mutex); ++ + if (tp->event_notify) + tp->event_notify(tp->event_notify_context); + +@@ -399,6 +400,8 @@ EXPORT_SYMBOL_NS_GPL(vsc_tp_need_read, "VSC_TP"); + int vsc_tp_register_event_cb(struct vsc_tp *tp, vsc_tp_event_cb_t event_cb, + void *context) + { ++ guard(mutex)(&tp->event_notify_mutex); ++ + tp->event_notify = event_cb; + tp->event_notify_context = context; + +@@ -530,6 +533,7 @@ static int vsc_tp_probe(struct spi_device *spi) + return ret; + + mutex_init(&tp->mutex); ++ mutex_init(&tp->event_notify_mutex); + + /* only one child acpi device */ + ret = acpi_dev_for_each_child(ACPI_COMPANION(dev), +@@ -554,6 +558,7 @@ static int vsc_tp_probe(struct spi_device *spi) + err_destroy_lock: + free_irq(spi->irq, tp); + ++ mutex_destroy(&tp->event_notify_mutex); + mutex_destroy(&tp->mutex); + + return ret; +@@ -567,6 +572,7 @@ static void vsc_tp_remove(struct spi_device *spi) + + free_irq(spi->irq, tp); + ++ mutex_destroy(&tp->event_notify_mutex); + mutex_destroy(&tp->mutex); + } + +-- +2.39.5 + diff --git a/queue-6.15/mei-vsc-unset-the-event-callback-on-remove-and-probe.patch b/queue-6.15/mei-vsc-unset-the-event-callback-on-remove-and-probe.patch new file mode 100644 index 0000000000..1d594fc718 --- /dev/null +++ b/queue-6.15/mei-vsc-unset-the-event-callback-on-remove-and-probe.patch @@ -0,0 +1,52 @@ +From 97d279591c6b52c42b202f34c7f8eba2d7c74ce7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 10:50:49 +0200 +Subject: mei: vsc: Unset the event callback on remove and probe errors + +From: Hans de Goede + +[ Upstream commit 6175c6974095f8ca7e5f8d593171512f3e5bd453 ] + +Make mei_vsc_remove() properly unset the callback to avoid a dead callback +sticking around after probe errors or unbinding of the platform driver. + +Fixes: 386a766c4169 ("mei: Add MEI hardware support for IVSC device") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20250623085052.12347-8-hansg@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mei/platform-vsc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/misc/mei/platform-vsc.c b/drivers/misc/mei/platform-vsc.c +index 1ac85f0251c5..b2b5a20ae3fa 100644 +--- a/drivers/misc/mei/platform-vsc.c ++++ b/drivers/misc/mei/platform-vsc.c +@@ -380,6 +380,8 @@ static int mei_vsc_probe(struct platform_device *pdev) + err_cancel: + mei_cancel_work(mei_dev); + ++ vsc_tp_register_event_cb(tp, NULL, NULL); ++ + mei_disable_interrupts(mei_dev); + + return ret; +@@ -388,11 +390,14 @@ static int mei_vsc_probe(struct platform_device *pdev) + static void mei_vsc_remove(struct platform_device *pdev) + { + struct mei_device *mei_dev = platform_get_drvdata(pdev); ++ struct mei_vsc_hw *hw = mei_dev_to_vsc_hw(mei_dev); + + pm_runtime_disable(mei_dev->dev); + + mei_stop(mei_dev); + ++ vsc_tp_register_event_cb(hw->tp, NULL, NULL); ++ + mei_disable_interrupts(mei_dev); + + mei_deregister(mei_dev); +-- +2.39.5 + diff --git a/queue-6.15/memcg_slabinfo-fix-use-of-pg_slab.patch b/queue-6.15/memcg_slabinfo-fix-use-of-pg_slab.patch new file mode 100644 index 0000000000..c1d7e73aa3 --- /dev/null +++ b/queue-6.15/memcg_slabinfo-fix-use-of-pg_slab.patch @@ -0,0 +1,44 @@ +From f7e5672d8809315e0662d6fa966d5b1ee5ff4b17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 16:59:13 +0100 +Subject: memcg_slabinfo: Fix use of PG_slab + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 7f770e94d7936e8e35d4b4d5fa4618301b03ea33 ] + +Check PGTY_slab instead of PG_slab. + +Fixes: 4ffca5a96678 (mm: support only one page_type per page) +Signed-off-by: Matthew Wilcox (Oracle) +Tested-by: Roman Gushchin +Reviewed-by: Roman Gushchin +Reviewed-by: Harry Yoo +Link: https://patch.msgid.link/20250611155916.2579160-11-willy@infradead.org +Signed-off-by: Vlastimil Babka +Signed-off-by: Sasha Levin +--- + tools/cgroup/memcg_slabinfo.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/cgroup/memcg_slabinfo.py b/tools/cgroup/memcg_slabinfo.py +index 270c28a0d098..6bf4bde77903 100644 +--- a/tools/cgroup/memcg_slabinfo.py ++++ b/tools/cgroup/memcg_slabinfo.py +@@ -146,11 +146,11 @@ def detect_kernel_config(): + + + def for_each_slab(prog): +- PGSlab = ~prog.constant('PG_slab') ++ slabtype = prog.constant('PGTY_slab') + + for page in for_each_page(prog): + try: +- if page.page_type.value_() == PGSlab: ++ if (page.page_type.value_() >> 24) == slabtype: + yield cast('struct slab *', page) + except FaultError: + pass +-- +2.39.5 + diff --git a/queue-6.15/mfd-tps65219-update-tps65214-mfd-cell-s-gpio-compati.patch b/queue-6.15/mfd-tps65219-update-tps65214-mfd-cell-s-gpio-compati.patch new file mode 100644 index 0000000000..b12185d7b7 --- /dev/null +++ b/queue-6.15/mfd-tps65219-update-tps65214-mfd-cell-s-gpio-compati.patch @@ -0,0 +1,42 @@ +From 3c763cd558d542924bf1eee8a7c837a254a9aad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 14:04:54 -0500 +Subject: mfd: tps65219: Update TPS65214 MFD cell's GPIO compatible string + +From: Shree Ramamoorthy + +[ Upstream commit 6f27d26e363a41fc651be852094823ce47a43243 ] + +This patch reflects the change made to move TPS65215 from 1 GPO and 1 GPIO +to 2 GPOs and 1 GPIO. TPS65215 and TPS65219 both have 2 GPOs and 1 GPIO. +TPS65214 has 1 GPO and 1 GPIO. TPS65215 will reuse the TPS65219 GPIO +compatible string. + +TPS65214 TRM: https://www.ti.com/lit/pdf/slvud30 +TPS65215 TRM: https://www.ti.com/lit/pdf/slvucw5/ + +Fixes: 7947219ab1a2 ("mfd: tps65219: Add support for TI TPS65214 PMIC") +Signed-off-by: Shree Ramamoorthy +Link: https://lore.kernel.org/r/20250527190455.169772-2-s-ramamoorthy@ti.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/tps65219.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/tps65219.c b/drivers/mfd/tps65219.c +index fd390600fbf0..297511025dd4 100644 +--- a/drivers/mfd/tps65219.c ++++ b/drivers/mfd/tps65219.c +@@ -190,7 +190,7 @@ static const struct resource tps65219_regulator_resources[] = { + + static const struct mfd_cell tps65214_cells[] = { + MFD_CELL_RES("tps65214-regulator", tps65214_regulator_resources), +- MFD_CELL_NAME("tps65215-gpio"), ++ MFD_CELL_NAME("tps65214-gpio"), + }; + + static const struct mfd_cell tps65215_cells[] = { +-- +2.39.5 + diff --git a/queue-6.15/module-restore-the-moduleparam-prefix-length-check.patch b/queue-6.15/module-restore-the-moduleparam-prefix-length-check.patch new file mode 100644 index 0000000000..6b9d2ab02f --- /dev/null +++ b/queue-6.15/module-restore-the-moduleparam-prefix-length-check.patch @@ -0,0 +1,61 @@ +From 0d9077748b867b4923c957e9536a086d6bab53a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 16:32:34 +0200 +Subject: module: Restore the moduleparam prefix length check + +From: Petr Pavlu + +[ Upstream commit bdc877ba6b7ff1b6d2ebeff11e63da4a50a54854 ] + +The moduleparam code allows modules to provide their own definition of +MODULE_PARAM_PREFIX, instead of using the default KBUILD_MODNAME ".". + +Commit 730b69d22525 ("module: check kernel param length at compile time, +not runtime") added a check to ensure the prefix doesn't exceed +MODULE_NAME_LEN, as this is what param_sysfs_builtin() expects. + +Later, commit 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking +for sysfs perms.") removed this check, but there is no indication this was +intentional. + +Since the check is still useful for param_sysfs_builtin() to function +properly, reintroduce it in __module_param_call(), but in a modernized form +using static_assert(). + +While here, clean up the __module_param_call() comments. In particular, +remove the comment "Default value instead of permissions?", which comes +from commit 9774a1f54f17 ("[PATCH] Compile-time check re world-writeable +module params"). This comment was related to the test variable +__param_perm_check_##name, which was removed in the previously mentioned +commit 58f86cc89c33. + +Fixes: 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking for sysfs perms.") +Signed-off-by: Petr Pavlu +Reviewed-by: Daniel Gomez +Link: https://lore.kernel.org/r/20250630143535.267745-4-petr.pavlu@suse.com +Signed-off-by: Daniel Gomez +Signed-off-by: Sasha Levin +--- + include/linux/moduleparam.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h +index bfb85fd13e1f..110e9d09de24 100644 +--- a/include/linux/moduleparam.h ++++ b/include/linux/moduleparam.h +@@ -282,10 +282,9 @@ struct kparam_array + #define __moduleparam_const const + #endif + +-/* This is the fundamental function for registering boot/module +- parameters. */ ++/* This is the fundamental function for registering boot/module parameters. */ + #define __module_param_call(prefix, name, ops, arg, perm, level, flags) \ +- /* Default value instead of permissions? */ \ ++ static_assert(sizeof(""prefix) - 1 <= MAX_PARAM_PREFIX_LEN); \ + static const char __param_str_##name[] = prefix #name; \ + static struct kernel_param __moduleparam_const __param_##name \ + __used __section("__param") \ +-- +2.39.5 + diff --git a/queue-6.15/mtd-fix-possible-integer-overflow-in-erase_xfer.patch b/queue-6.15/mtd-fix-possible-integer-overflow-in-erase_xfer.patch new file mode 100644 index 0000000000..d43302ff7d --- /dev/null +++ b/queue-6.15/mtd-fix-possible-integer-overflow-in-erase_xfer.patch @@ -0,0 +1,41 @@ +From 9582b7d2c82a41e1283e53418364917182b25cd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 17:53:13 +0300 +Subject: mtd: fix possible integer overflow in erase_xfer() + +From: Ivan Stepchenko + +[ Upstream commit 9358bdb9f9f54d94ceafc650deffefd737d19fdd ] + +The expression '1 << EraseUnitSize' is evaluated in int, which causes +a negative result when shifting by 31 - the upper bound of the valid +range [10, 31], enforced by scan_header(). This leads to incorrect +extension when storing the result in 'erase->len' (uint64_t), producing +a large unexpected value. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ivan Stepchenko +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/ftl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c +index 8c22064ead38..f2bd1984609c 100644 +--- a/drivers/mtd/ftl.c ++++ b/drivers/mtd/ftl.c +@@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part, + return -ENOMEM; + + erase->addr = xfer->Offset; +- erase->len = 1 << part->header.EraseUnitSize; ++ erase->len = 1ULL << part->header.EraseUnitSize; + + ret = mtd_erase(part->mbd.mtd, erase); + if (!ret) { +-- +2.39.5 + diff --git a/queue-6.15/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch b/queue-6.15/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch new file mode 100644 index 0000000000..9134bb6a98 --- /dev/null +++ b/queue-6.15/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch @@ -0,0 +1,38 @@ +From 9b27cba414fa05f404ee1e8a39c0c24680ff157d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 08:45:11 +0200 +Subject: mtd: rawnand: atmel: Fix dma_mapping_error() address + +From: Thomas Fourier + +[ Upstream commit e1e6b933c56b1e9fda93caa0b8bae39f3f421e5c ] + +It seems like what was intended is to test if the dma_map of the +previous line failed but the wrong dma address was passed. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Signed-off-by: Thomas Fourier +Rule: add +Link: https://lore.kernel.org/stable/20250702064515.18145-2-fourier.thomas%40gmail.com +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c +index dedcca87defc..84ab4a83cbd6 100644 +--- a/drivers/mtd/nand/raw/atmel/nand-controller.c ++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c +@@ -373,7 +373,7 @@ static int atmel_nand_dma_transfer(struct atmel_nand_controller *nc, + dma_cookie_t cookie; + + buf_dma = dma_map_single(nc->dev, buf, len, dir); +- if (dma_mapping_error(nc->dev, dev_dma)) { ++ if (dma_mapping_error(nc->dev, buf_dma)) { + dev_err(nc->dev, + "Failed to prepare a buffer for DMA access\n"); + goto err; +-- +2.39.5 + diff --git a/queue-6.15/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch b/queue-6.15/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch new file mode 100644 index 0000000000..7acaf2264e --- /dev/null +++ b/queue-6.15/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch @@ -0,0 +1,57 @@ +From 986befd55c8b3be1013742518ba7eb66326a8276 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 16:13:40 +0530 +Subject: mtd: rawnand: atmel: set pmecc data setup time + +From: Balamanikandan Gunasundar + +[ Upstream commit f552a7c7e0a14215cb8a6fd89e60fa3932a74786 ] + +Setup the pmecc data setup time as 3 clock cycles for 133MHz as recommended +by the datasheet. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Reported-by: Zixun LI +Closes: https://lore.kernel.org/all/c015bb20-6a57-4f63-8102-34b3d83e0f5b@microchip.com +Suggested-by: Ada Couprie Diaz +Signed-off-by: Balamanikandan Gunasundar +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/atmel/pmecc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/mtd/nand/raw/atmel/pmecc.c b/drivers/mtd/nand/raw/atmel/pmecc.c +index 3c7dee1be21d..0b402823b619 100644 +--- a/drivers/mtd/nand/raw/atmel/pmecc.c ++++ b/drivers/mtd/nand/raw/atmel/pmecc.c +@@ -143,6 +143,7 @@ struct atmel_pmecc_caps { + int nstrengths; + int el_offset; + bool correct_erased_chunks; ++ bool clk_ctrl; + }; + + struct atmel_pmecc { +@@ -843,6 +844,10 @@ static struct atmel_pmecc *atmel_pmecc_create(struct platform_device *pdev, + if (IS_ERR(pmecc->regs.errloc)) + return ERR_CAST(pmecc->regs.errloc); + ++ /* pmecc data setup time */ ++ if (caps->clk_ctrl) ++ writel(PMECC_CLK_133MHZ, pmecc->regs.base + ATMEL_PMECC_CLK); ++ + /* Disable all interrupts before registering the PMECC handler. */ + writel(0xffffffff, pmecc->regs.base + ATMEL_PMECC_IDR); + atmel_pmecc_reset(pmecc); +@@ -896,6 +901,7 @@ static struct atmel_pmecc_caps at91sam9g45_caps = { + .strengths = atmel_pmecc_strengths, + .nstrengths = 5, + .el_offset = 0x8c, ++ .clk_ctrl = true, + }; + + static struct atmel_pmecc_caps sama5d4_caps = { +-- +2.39.5 + diff --git a/queue-6.15/mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch b/queue-6.15/mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..e91d83059a --- /dev/null +++ b/queue-6.15/mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch @@ -0,0 +1,61 @@ +From b602fd647caa0620d8fd40cb92a2da4348acfb22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:15:50 +0200 +Subject: mtd: rawnand: rockchip: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit 3b36f86dc47261828f96f826077131a35dd825fd ] + +The DMA map functions can fail and should be tested for errors. + +Fixes: 058e0e847d54 ("mtd: rawnand: rockchip: NFC driver for RK3308, RK2928 and others") +Signed-off-by: Thomas Fourier +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/mtd/nand/raw/rockchip-nand-controller.c b/drivers/mtd/nand/raw/rockchip-nand-controller.c +index 63e7b9e39a5a..c5d7cd8a6cab 100644 +--- a/drivers/mtd/nand/raw/rockchip-nand-controller.c ++++ b/drivers/mtd/nand/raw/rockchip-nand-controller.c +@@ -656,9 +656,16 @@ static int rk_nfc_write_page_hwecc(struct nand_chip *chip, const u8 *buf, + + dma_data = dma_map_single(nfc->dev, (void *)nfc->page_buf, + mtd->writesize, DMA_TO_DEVICE); ++ if (dma_mapping_error(nfc->dev, dma_data)) ++ return -ENOMEM; ++ + dma_oob = dma_map_single(nfc->dev, nfc->oob_buf, + ecc->steps * oob_step, + DMA_TO_DEVICE); ++ if (dma_mapping_error(nfc->dev, dma_oob)) { ++ dma_unmap_single(nfc->dev, dma_data, mtd->writesize, DMA_TO_DEVICE); ++ return -ENOMEM; ++ } + + reinit_completion(&nfc->done); + writel(INT_DMA, nfc->regs + nfc->cfg->int_en_off); +@@ -772,9 +779,17 @@ static int rk_nfc_read_page_hwecc(struct nand_chip *chip, u8 *buf, int oob_on, + dma_data = dma_map_single(nfc->dev, nfc->page_buf, + mtd->writesize, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(nfc->dev, dma_data)) ++ return -ENOMEM; ++ + dma_oob = dma_map_single(nfc->dev, nfc->oob_buf, + ecc->steps * oob_step, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(nfc->dev, dma_oob)) { ++ dma_unmap_single(nfc->dev, dma_data, mtd->writesize, ++ DMA_FROM_DEVICE); ++ return -ENOMEM; ++ } + + /* + * The first blocks (4, 8 or 16 depending on the device) +-- +2.39.5 + diff --git a/queue-6.15/mtd-spi-nor-spansion-fixup-params-set_4byte_addr_mod.patch b/queue-6.15/mtd-spi-nor-spansion-fixup-params-set_4byte_addr_mod.patch new file mode 100644 index 0000000000..08343b5333 --- /dev/null +++ b/queue-6.15/mtd-spi-nor-spansion-fixup-params-set_4byte_addr_mod.patch @@ -0,0 +1,105 @@ +From 493f9b752665639bc859a1c9f7d67e4c9117c1eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 16:44:27 +0900 +Subject: mtd: spi-nor: spansion: Fixup params->set_4byte_addr_mode for SEMPER + +From: Takahiro Kuwano + +[ Upstream commit a45ab839f52f3f00ac3dae18a50e902efd216de2 ] + +Infineon SEMPER flash family does not support E9h opcode as Exit 4-byte +mode (EX4B). Therefore, params->set_4byte_addr_mode is not determined by +BFPT parse. Fixup it up by introducing vendor specific EX4B opcode (B8h) +and function. + +Fixes: c87c9b11c53ce ("mtd: spi-nor: spansion: Determine current address mode") +Signed-off-by: Takahiro Kuwano +Acked-by: Tudor Ambarus +Acked-by: Pratyush Yadav +Signed-off-by: Pratyush Yadav +Link: https://lore.kernel.org/r/20250612074427.22263-1-Takahiro.Kuwano@infineon.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/spansion.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/drivers/mtd/spi-nor/spansion.c b/drivers/mtd/spi-nor/spansion.c +index bf08dbf5e742..b9f156c0f8bc 100644 +--- a/drivers/mtd/spi-nor/spansion.c ++++ b/drivers/mtd/spi-nor/spansion.c +@@ -17,6 +17,7 @@ + + #define SPINOR_OP_CLSR 0x30 /* Clear status register 1 */ + #define SPINOR_OP_CLPEF 0x82 /* Clear program/erase failure flags */ ++#define SPINOR_OP_CYPRESS_EX4B 0xB8 /* Exit 4-byte address mode */ + #define SPINOR_OP_CYPRESS_DIE_ERASE 0x61 /* Chip (die) erase */ + #define SPINOR_OP_RD_ANY_REG 0x65 /* Read any register */ + #define SPINOR_OP_WR_ANY_REG 0x71 /* Write any register */ +@@ -58,6 +59,13 @@ + SPI_MEM_OP_DUMMY(ndummy, 0), \ + SPI_MEM_OP_DATA_IN(1, buf, 0)) + ++#define CYPRESS_NOR_EN4B_EX4B_OP(enable) \ ++ SPI_MEM_OP(SPI_MEM_OP_CMD(enable ? SPINOR_OP_EN4B : \ ++ SPINOR_OP_CYPRESS_EX4B, 0), \ ++ SPI_MEM_OP_NO_ADDR, \ ++ SPI_MEM_OP_NO_DUMMY, \ ++ SPI_MEM_OP_NO_DATA) ++ + #define SPANSION_OP(opcode) \ + SPI_MEM_OP(SPI_MEM_OP_CMD(opcode, 0), \ + SPI_MEM_OP_NO_ADDR, \ +@@ -356,6 +364,20 @@ static int cypress_nor_quad_enable_volatile(struct spi_nor *nor) + return 0; + } + ++static int cypress_nor_set_4byte_addr_mode(struct spi_nor *nor, bool enable) ++{ ++ int ret; ++ struct spi_mem_op op = CYPRESS_NOR_EN4B_EX4B_OP(enable); ++ ++ spi_nor_spimem_setup_op(nor, &op, nor->reg_proto); ++ ++ ret = spi_mem_exec_op(nor->spimem, &op); ++ if (ret) ++ dev_dbg(nor->dev, "error %d setting 4-byte mode\n", ret); ++ ++ return ret; ++} ++ + /** + * cypress_nor_determine_addr_mode_by_sr1() - Determine current address mode + * (3 or 4-byte) by querying status +@@ -526,6 +548,9 @@ s25fs256t_post_bfpt_fixup(struct spi_nor *nor, + struct spi_mem_op op; + int ret; + ++ /* Assign 4-byte address mode method that is not determined in BFPT */ ++ nor->params->set_4byte_addr_mode = cypress_nor_set_4byte_addr_mode; ++ + ret = cypress_nor_set_addr_mode_nbytes(nor); + if (ret) + return ret; +@@ -591,6 +616,9 @@ s25hx_t_post_bfpt_fixup(struct spi_nor *nor, + { + int ret; + ++ /* Assign 4-byte address mode method that is not determined in BFPT */ ++ nor->params->set_4byte_addr_mode = cypress_nor_set_4byte_addr_mode; ++ + ret = cypress_nor_set_addr_mode_nbytes(nor); + if (ret) + return ret; +@@ -718,6 +746,9 @@ static int s28hx_t_post_bfpt_fixup(struct spi_nor *nor, + const struct sfdp_parameter_header *bfpt_header, + const struct sfdp_bfpt *bfpt) + { ++ /* Assign 4-byte address mode method that is not determined in BFPT */ ++ nor->params->set_4byte_addr_mode = cypress_nor_set_4byte_addr_mode; ++ + return cypress_nor_set_addr_mode_nbytes(nor); + } + +-- +2.39.5 + diff --git a/queue-6.15/mwl8k-add-missing-check-after-dma-map.patch b/queue-6.15/mwl8k-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..595db3478d --- /dev/null +++ b/queue-6.15/mwl8k-add-missing-check-after-dma-map.patch @@ -0,0 +1,39 @@ +From bb8f6dd42b1a8923553fdf2c757609cc9bc41fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 13:13:34 +0200 +Subject: mwl8k: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit 50459501b9a212dbe7a673727589ee105a8a9954 ] + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, unmap and return an error. + +Fixes: 788838ebe8a4 ("mwl8k: use pci_unmap_addr{,set}() to keep track of unmap addresses on rx") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20250709111339.25360-2-fourier.thomas@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwl8k.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c +index bab9ef37a1ab..8bcb1d0dd618 100644 +--- a/drivers/net/wireless/marvell/mwl8k.c ++++ b/drivers/net/wireless/marvell/mwl8k.c +@@ -1227,6 +1227,10 @@ static int rxq_refill(struct ieee80211_hw *hw, int index, int limit) + + addr = dma_map_single(&priv->pdev->dev, skb->data, + MWL8K_RX_MAXSZ, DMA_FROM_DEVICE); ++ if (dma_mapping_error(&priv->pdev->dev, addr)) { ++ kfree_skb(skb); ++ break; ++ } + + rxq->rxd_count++; + rx = rxq->tail++; +-- +2.39.5 + diff --git a/queue-6.15/neighbour-fix-null-ptr-deref-in-neigh_flush_dev.patch b/queue-6.15/neighbour-fix-null-ptr-deref-in-neigh_flush_dev.patch new file mode 100644 index 0000000000..2c365a3fbe --- /dev/null +++ b/queue-6.15/neighbour-fix-null-ptr-deref-in-neigh_flush_dev.patch @@ -0,0 +1,196 @@ +From 91701885171026452af7c1b9831e449a9ce89fbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 19:53:59 +0000 +Subject: neighbour: Fix null-ptr-deref in neigh_flush_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 1bbb76a899486827394530916f01214d049931b3 ] + +kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0] + +The cited commit introduced per-netdev neighbour list and converted +neigh_flush_dev() to use it instead of the global hash table. + +One thing we missed is that neigh_table_clear() calls neigh_ifdown() +with NULL dev. + +Let's restore the hash table iteration. + +Note that IPv6 module is no longer unloadable, so neigh_table_clear() +is called only when IPv6 fails to initialise, which is unlikely to +happen. + +[0]: +IPv6: Attempt to unregister permanent protocol 136 +IPv6: Attempt to unregister permanent protocol 17 +Oops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07] +CPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.12.0-rc6-01246-gf7f52738637f #1 +Tainted: [T]=RANDSTRUCT +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570 +Code: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f +RSP: 0000:ffff88810026f408 EFLAGS: 00010206 +RAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640 +RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000 +FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __neigh_ifdown.llvm.6395807810224103582+0x44/0x390 + neigh_table_clear+0xb1/0x268 + ndisc_cleanup+0x21/0x38 [ipv6] + init_module+0x2f5/0x468 [ipv6] + do_one_initcall+0x1ba/0x628 + do_init_module+0x21a/0x530 + load_module+0x2550/0x2ea0 + __se_sys_finit_module+0x3d2/0x620 + __x64_sys_finit_module+0x76/0x88 + x64_sys_call+0x7ff/0xde8 + do_syscall_64+0xfb/0x1e8 + entry_SYSCALL_64_after_hwframe+0x67/0x6f +RIP: 0033:0x7f575d6f2719 +Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48 +RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719 +RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004 +RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00 +R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000 +R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270 + +Modules linked in: ipv6(+) + +Fixes: f7f52738637f4 ("neighbour: Create netdev->neighbour association") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202507200931.7a89ecd8-lkp@intel.com +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250723195443.448163-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 88 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 61 insertions(+), 27 deletions(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index a07249b59ae1..559841334f1a 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -368,6 +368,43 @@ static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net, + } + } + ++static void neigh_flush_one(struct neighbour *n) ++{ ++ hlist_del_rcu(&n->hash); ++ hlist_del_rcu(&n->dev_list); ++ ++ write_lock(&n->lock); ++ ++ neigh_del_timer(n); ++ neigh_mark_dead(n); ++ ++ if (refcount_read(&n->refcnt) != 1) { ++ /* The most unpleasant situation. ++ * We must destroy neighbour entry, ++ * but someone still uses it. ++ * ++ * The destroy will be delayed until ++ * the last user releases us, but ++ * we must kill timers etc. and move ++ * it to safe state. ++ */ ++ __skb_queue_purge(&n->arp_queue); ++ n->arp_queue_len_bytes = 0; ++ WRITE_ONCE(n->output, neigh_blackhole); ++ ++ if (n->nud_state & NUD_VALID) ++ n->nud_state = NUD_NOARP; ++ else ++ n->nud_state = NUD_NONE; ++ ++ neigh_dbg(2, "neigh %p is stray\n", n); ++ } ++ ++ write_unlock(&n->lock); ++ ++ neigh_cleanup_and_release(n); ++} ++ + static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev, + bool skip_perm) + { +@@ -381,32 +418,24 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev, + if (skip_perm && n->nud_state & NUD_PERMANENT) + continue; + +- hlist_del_rcu(&n->hash); +- hlist_del_rcu(&n->dev_list); +- write_lock(&n->lock); +- neigh_del_timer(n); +- neigh_mark_dead(n); +- if (refcount_read(&n->refcnt) != 1) { +- /* The most unpleasant situation. +- * We must destroy neighbour entry, +- * but someone still uses it. +- * +- * The destroy will be delayed until +- * the last user releases us, but +- * we must kill timers etc. and move +- * it to safe state. +- */ +- __skb_queue_purge(&n->arp_queue); +- n->arp_queue_len_bytes = 0; +- WRITE_ONCE(n->output, neigh_blackhole); +- if (n->nud_state & NUD_VALID) +- n->nud_state = NUD_NOARP; +- else +- n->nud_state = NUD_NONE; +- neigh_dbg(2, "neigh %p is stray\n", n); +- } +- write_unlock(&n->lock); +- neigh_cleanup_and_release(n); ++ neigh_flush_one(n); ++ } ++} ++ ++static void neigh_flush_table(struct neigh_table *tbl) ++{ ++ struct neigh_hash_table *nht; ++ int i; ++ ++ nht = rcu_dereference_protected(tbl->nht, ++ lockdep_is_held(&tbl->lock)); ++ ++ for (i = 0; i < (1 << nht->hash_shift); i++) { ++ struct hlist_node *tmp; ++ struct neighbour *n; ++ ++ neigh_for_each_in_bucket_safe(n, tmp, &nht->hash_heads[i]) ++ neigh_flush_one(n); + } + } + +@@ -422,7 +451,12 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev, + bool skip_perm) + { + write_lock_bh(&tbl->lock); +- neigh_flush_dev(tbl, dev, skip_perm); ++ if (likely(dev)) { ++ neigh_flush_dev(tbl, dev, skip_perm); ++ } else { ++ DEBUG_NET_WARN_ON_ONCE(skip_perm); ++ neigh_flush_table(tbl); ++ } + pneigh_ifdown_and_unlock(tbl, dev); + pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL, + tbl->family); +-- +2.39.5 + diff --git a/queue-6.15/net-dsa-microchip-fix-wrong-rx-drop-mib-counter-for-.patch b/queue-6.15/net-dsa-microchip-fix-wrong-rx-drop-mib-counter-for-.patch new file mode 100644 index 0000000000..7f7a49cdcd --- /dev/null +++ b/queue-6.15/net-dsa-microchip-fix-wrong-rx-drop-mib-counter-for-.patch @@ -0,0 +1,61 @@ +From 859bc2e84320f3af10342d05453d68a82ffefd1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 20:04:03 -0700 +Subject: net: dsa: microchip: Fix wrong rx drop MIB counter for KSZ8863 + +From: Tristram Ha + +[ Upstream commit 165a7f5db919ab68a45ae755cceb751e067273ef ] + +When KSZ8863 support was first added to KSZ driver the RX drop MIB +counter was somehow defined as 0x105. The TX drop MIB counter +starts at 0x100 for port 1, 0x101 for port 2, and 0x102 for port 3, so +the RX drop MIB counter should start at 0x103 for port 1, 0x104 for +port 2, and 0x105 for port 3. + +There are 5 ports for KSZ8895, so its RX drop MIB counter starts at +0x105. + +Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips") +Signed-off-by: Tristram Ha +Reviewed-by: Oleksij Rempel +Link: https://patch.msgid.link/20250723030403.56878-1-Tristram.Ha@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8.c | 3 +++ + drivers/net/dsa/microchip/ksz8_reg.h | 4 +++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/microchip/ksz8.c b/drivers/net/dsa/microchip/ksz8.c +index be433b4e2b1c..8f55be89f8bf 100644 +--- a/drivers/net/dsa/microchip/ksz8.c ++++ b/drivers/net/dsa/microchip/ksz8.c +@@ -371,6 +371,9 @@ static void ksz8863_r_mib_pkt(struct ksz_device *dev, int port, u16 addr, + addr -= dev->info->reg_mib_cnt; + ctrl_addr = addr ? KSZ8863_MIB_PACKET_DROPPED_TX_0 : + KSZ8863_MIB_PACKET_DROPPED_RX_0; ++ if (ksz_is_8895_family(dev) && ++ ctrl_addr == KSZ8863_MIB_PACKET_DROPPED_RX_0) ++ ctrl_addr = KSZ8895_MIB_PACKET_DROPPED_RX_0; + ctrl_addr += port; + ctrl_addr |= IND_ACC_TABLE(TABLE_MIB | TABLE_READ); + +diff --git a/drivers/net/dsa/microchip/ksz8_reg.h b/drivers/net/dsa/microchip/ksz8_reg.h +index 329688603a58..da80e659c648 100644 +--- a/drivers/net/dsa/microchip/ksz8_reg.h ++++ b/drivers/net/dsa/microchip/ksz8_reg.h +@@ -784,7 +784,9 @@ + #define KSZ8795_MIB_TOTAL_TX_1 0x105 + + #define KSZ8863_MIB_PACKET_DROPPED_TX_0 0x100 +-#define KSZ8863_MIB_PACKET_DROPPED_RX_0 0x105 ++#define KSZ8863_MIB_PACKET_DROPPED_RX_0 0x103 ++ ++#define KSZ8895_MIB_PACKET_DROPPED_RX_0 0x105 + + #define MIB_PACKET_DROPPED 0x0000FFFF + +-- +2.39.5 + diff --git a/queue-6.15/net-dst-add-four-helpers-to-annotate-data-races-arou.patch b/queue-6.15/net-dst-add-four-helpers-to-annotate-data-races-arou.patch new file mode 100644 index 0000000000..ee13f520ba --- /dev/null +++ b/queue-6.15/net-dst-add-four-helpers-to-annotate-data-races-arou.patch @@ -0,0 +1,139 @@ +From 5f011154ea735c1ff2304c5a765d24b702c94f3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 12:19:30 +0000 +Subject: net: dst: add four helpers to annotate data-races around dst->dev + +From: Eric Dumazet + +[ Upstream commit 88fe14253e181878c2ddb51a298ae8c468a63010 ] + +dst->dev is read locklessly in many contexts, +and written in dst_dev_put(). + +Fixing all the races is going to need many changes. + +We probably will have to add full RCU protection. + +Add three helpers to ease this painful process. + +static inline struct net_device *dst_dev(const struct dst_entry *dst) +{ + return READ_ONCE(dst->dev); +} + +static inline struct net_device *skb_dst_dev(const struct sk_buff *skb) +{ + return dst_dev(skb_dst(skb)); +} + +static inline struct net *skb_dst_dev_net(const struct sk_buff *skb) +{ + return dev_net(skb_dst_dev(skb)); +} + +static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb) +{ + return dev_net_rcu(skb_dst_dev(skb)); +} + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250630121934.3399505-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/dst.h | 20 ++++++++++++++++++++ + net/core/dst.c | 4 ++-- + net/core/sock.c | 8 ++++---- + 3 files changed, 26 insertions(+), 6 deletions(-) + +diff --git a/include/net/dst.h b/include/net/dst.h +index 2caf85e2ce86..32dafbab4cd0 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -561,6 +561,26 @@ static inline void skb_dst_update_pmtu_no_confirm(struct sk_buff *skb, u32 mtu) + dst->ops->update_pmtu(dst, NULL, skb, mtu, false); + } + ++static inline struct net_device *dst_dev(const struct dst_entry *dst) ++{ ++ return READ_ONCE(dst->dev); ++} ++ ++static inline struct net_device *skb_dst_dev(const struct sk_buff *skb) ++{ ++ return dst_dev(skb_dst(skb)); ++} ++ ++static inline struct net *skb_dst_dev_net(const struct sk_buff *skb) ++{ ++ return dev_net(skb_dst_dev(skb)); ++} ++ ++static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb) ++{ ++ return dev_net_rcu(skb_dst_dev(skb)); ++} ++ + struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie); + void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk, + struct sk_buff *skb, u32 mtu, bool confirm_neigh); +diff --git a/net/core/dst.c b/net/core/dst.c +index e483daf17666..b3a12c7c08af 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -150,7 +150,7 @@ void dst_dev_put(struct dst_entry *dst) + dst->ops->ifdown(dst, dev); + WRITE_ONCE(dst->input, dst_discard); + WRITE_ONCE(dst->output, dst_discard_out); +- dst->dev = blackhole_netdev; ++ WRITE_ONCE(dst->dev, blackhole_netdev); + netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker, + GFP_ATOMIC); + } +@@ -263,7 +263,7 @@ unsigned int dst_blackhole_mtu(const struct dst_entry *dst) + { + unsigned int mtu = dst_metric_raw(dst, RTAX_MTU); + +- return mtu ? : dst->dev->mtu; ++ return mtu ? : dst_dev(dst)->mtu; + } + EXPORT_SYMBOL_GPL(dst_blackhole_mtu); + +diff --git a/net/core/sock.c b/net/core/sock.c +index 3e8c548cb1f8..bcd0d6c757ce 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2557,8 +2557,8 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst) + !ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr)); + #endif + /* pairs with the WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */ +- max_size = is_ipv6 ? READ_ONCE(dst->dev->gso_max_size) : +- READ_ONCE(dst->dev->gso_ipv4_max_size); ++ max_size = is_ipv6 ? READ_ONCE(dst_dev(dst)->gso_max_size) : ++ READ_ONCE(dst_dev(dst)->gso_ipv4_max_size); + if (max_size > GSO_LEGACY_MAX_SIZE && !sk_is_tcp(sk)) + max_size = GSO_LEGACY_MAX_SIZE; + +@@ -2569,7 +2569,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + { + u32 max_segs = 1; + +- sk->sk_route_caps = dst->dev->features; ++ sk->sk_route_caps = dst_dev(dst)->features; + if (sk_is_tcp(sk)) { + struct inet_connection_sock *icsk = inet_csk(sk); + +@@ -2587,7 +2587,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM; + sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst); + /* pairs with the WRITE_ONCE() in netif_set_gso_max_segs() */ +- max_segs = max_t(u32, READ_ONCE(dst->dev->gso_max_segs), 1); ++ max_segs = max_t(u32, READ_ONCE(dst_dev(dst)->gso_max_segs), 1); + } + } + sk->sk_gso_max_segs = max_segs; +-- +2.39.5 + diff --git a/queue-6.15/net-dst-annotate-data-races-around-dst-input.patch b/queue-6.15/net-dst-annotate-data-races-around-dst-input.patch new file mode 100644 index 0000000000..a8fb7d891f --- /dev/null +++ b/queue-6.15/net-dst-annotate-data-races-around-dst-input.patch @@ -0,0 +1,87 @@ +From 9dc4c786046a951b67468c43df2ae2e00d046ca3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 12:19:28 +0000 +Subject: net: dst: annotate data-races around dst->input + +From: Eric Dumazet + +[ Upstream commit f1c5fd34891a1c242885f48c2e4dc52df180f311 ] + +dst_dev_put() can overwrite dst->input while other +cpus might read this field (for instance from dst_input()) + +Add READ_ONCE()/WRITE_ONCE() annotations to suppress +potential issues. + +We will likely need full RCU protection later. + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250630121934.3399505-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/dst.h | 2 +- + include/net/lwtunnel.h | 4 ++-- + net/core/dst.c | 2 +- + net/ipv4/route.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/net/dst.h b/include/net/dst.h +index 78c78cdce0e9..65d81116d6bf 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -466,7 +466,7 @@ INDIRECT_CALLABLE_DECLARE(int ip_local_deliver(struct sk_buff *)); + /* Input packet from network to transport. */ + static inline int dst_input(struct sk_buff *skb) + { +- return INDIRECT_CALL_INET(skb_dst(skb)->input, ++ return INDIRECT_CALL_INET(READ_ONCE(skb_dst(skb)->input), + ip6_input, ip_local_deliver, skb); + } + +diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h +index 39cd50300a18..a8cf7036c5e6 100644 +--- a/include/net/lwtunnel.h ++++ b/include/net/lwtunnel.h +@@ -144,8 +144,8 @@ static inline void lwtunnel_set_redirect(struct dst_entry *dst) + dst->output = lwtunnel_output; + } + if (lwtunnel_input_redirect(dst->lwtstate)) { +- dst->lwtstate->orig_input = dst->input; +- dst->input = lwtunnel_input; ++ dst->lwtstate->orig_input = READ_ONCE(dst->input); ++ WRITE_ONCE(dst->input, lwtunnel_input); + } + } + #else +diff --git a/net/core/dst.c b/net/core/dst.c +index 795ca07e28a4..b46f7722a1b6 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -148,7 +148,7 @@ void dst_dev_put(struct dst_entry *dst) + dst->obsolete = DST_OBSOLETE_DEAD; + if (dst->ops->ifdown) + dst->ops->ifdown(dst, dev); +- dst->input = dst_discard; ++ WRITE_ONCE(dst->input, dst_discard); + dst->output = dst_discard_out; + dst->dev = blackhole_netdev; + netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker, +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 5d7c7efea66c..3db3840cefee 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1684,7 +1684,7 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt) + else if (rt->rt_gw_family == AF_INET6) + new_rt->rt_gw6 = rt->rt_gw6; + +- new_rt->dst.input = rt->dst.input; ++ new_rt->dst.input = READ_ONCE(rt->dst.input); + new_rt->dst.output = rt->dst.output; + new_rt->dst.error = rt->dst.error; + new_rt->dst.lastuse = jiffies; +-- +2.39.5 + diff --git a/queue-6.15/net-dst-annotate-data-races-around-dst-output.patch b/queue-6.15/net-dst-annotate-data-races-around-dst-output.patch new file mode 100644 index 0000000000..c63db48a0a --- /dev/null +++ b/queue-6.15/net-dst-annotate-data-races-around-dst-output.patch @@ -0,0 +1,87 @@ +From bed451ce06b91a4ff92abfdad93ad2a1e454b826 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 12:19:29 +0000 +Subject: net: dst: annotate data-races around dst->output + +From: Eric Dumazet + +[ Upstream commit 2dce8c52a98995c4719def6f88629ab1581c0b82 ] + +dst_dev_put() can overwrite dst->output while other +cpus might read this field (for instance from dst_output()) + +Add READ_ONCE()/WRITE_ONCE() annotations to suppress +potential issues. + +We will likely need RCU protection in the future. + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250630121934.3399505-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/dst.h | 2 +- + include/net/lwtunnel.h | 4 ++-- + net/core/dst.c | 2 +- + net/ipv4/route.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/net/dst.h b/include/net/dst.h +index 65d81116d6bf..2caf85e2ce86 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -456,7 +456,7 @@ INDIRECT_CALLABLE_DECLARE(int ip_output(struct net *, struct sock *, + /* Output packet to network from transport. */ + static inline int dst_output(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- return INDIRECT_CALL_INET(skb_dst(skb)->output, ++ return INDIRECT_CALL_INET(READ_ONCE(skb_dst(skb)->output), + ip6_output, ip_output, + net, sk, skb); + } +diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h +index a8cf7036c5e6..eabe80d52a6c 100644 +--- a/include/net/lwtunnel.h ++++ b/include/net/lwtunnel.h +@@ -140,8 +140,8 @@ int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, + static inline void lwtunnel_set_redirect(struct dst_entry *dst) + { + if (lwtunnel_output_redirect(dst->lwtstate)) { +- dst->lwtstate->orig_output = dst->output; +- dst->output = lwtunnel_output; ++ dst->lwtstate->orig_output = READ_ONCE(dst->output); ++ WRITE_ONCE(dst->output, lwtunnel_output); + } + if (lwtunnel_input_redirect(dst->lwtstate)) { + dst->lwtstate->orig_input = READ_ONCE(dst->input); +diff --git a/net/core/dst.c b/net/core/dst.c +index b46f7722a1b6..e483daf17666 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -149,7 +149,7 @@ void dst_dev_put(struct dst_entry *dst) + if (dst->ops->ifdown) + dst->ops->ifdown(dst, dev); + WRITE_ONCE(dst->input, dst_discard); +- dst->output = dst_discard_out; ++ WRITE_ONCE(dst->output, dst_discard_out); + dst->dev = blackhole_netdev; + netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker, + GFP_ATOMIC); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 3db3840cefee..e686f088bc67 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1685,7 +1685,7 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt) + new_rt->rt_gw6 = rt->rt_gw6; + + new_rt->dst.input = READ_ONCE(rt->dst.input); +- new_rt->dst.output = rt->dst.output; ++ new_rt->dst.output = READ_ONCE(rt->dst.output); + new_rt->dst.error = rt->dst.error; + new_rt->dst.lastuse = jiffies; + new_rt->dst.lwtstate = lwtstate_get(rt->dst.lwtstate); +-- +2.39.5 + diff --git a/queue-6.15/net-ipv6-ip6mr-fix-in-out-netdev-to-pass-to-the-forw.patch b/queue-6.15/net-ipv6-ip6mr-fix-in-out-netdev-to-pass-to-the-forw.patch new file mode 100644 index 0000000000..a019ea5b29 --- /dev/null +++ b/queue-6.15/net-ipv6-ip6mr-fix-in-out-netdev-to-pass-to-the-forw.patch @@ -0,0 +1,58 @@ +From 047e27ac2e3508217764d7e092b8bc13e22bee02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 00:44:15 +0200 +Subject: net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain + +From: Petr Machata + +[ Upstream commit 3365afd3abda5f6a54f4a822dad5c9314e94c3fc ] + +The netfilter hook is invoked with skb->dev for input netdevice, and +vif_dev for output netdevice. However at the point of invocation, skb->dev +is already set to vif_dev, and MR-forwarded packets are reported with +in=out: + + # ip6tables -A FORWARD -j LOG --log-prefix '[forw]' + # cd tools/testing/selftests/net/forwarding + # ./router_multicast.sh + # dmesg | fgrep '[forw]' + [ 1670.248245] [forw]IN=v5 OUT=v5 [...] + +For reference, IPv4 MR code shows in and out as appropriate. +Fix by caching skb->dev and using the updated value for output netdev. + +Fixes: 7bc570c8b4f7 ("[IPV6] MROUTE: Support multicast forwarding.") +Signed-off-by: Petr Machata +Reviewed-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/3141ae8386fbe13fef4b793faa75e6bae58d798a.1750113335.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6mr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 3276cde5ebd7..63c90dae6cbf 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -2039,6 +2039,7 @@ static int ip6mr_forward2(struct net *net, struct mr_table *mrt, + struct sk_buff *skb, int vifi) + { + struct vif_device *vif = &mrt->vif_table[vifi]; ++ struct net_device *indev = skb->dev; + struct net_device *vif_dev; + struct ipv6hdr *ipv6h; + struct dst_entry *dst; +@@ -2101,7 +2102,7 @@ static int ip6mr_forward2(struct net *net, struct mr_table *mrt, + IP6CB(skb)->flags |= IP6SKB_FORWARDED; + + return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, +- net, NULL, skb, skb->dev, vif_dev, ++ net, NULL, skb, indev, skb->dev, + ip6mr_forward2_finish); + + out_free: +-- +2.39.5 + diff --git a/queue-6.15/net-mlx5-check-device-memory-pointer-before-usage.patch b/queue-6.15/net-mlx5-check-device-memory-pointer-before-usage.patch new file mode 100644 index 0000000000..86b4d5b932 --- /dev/null +++ b/queue-6.15/net-mlx5-check-device-memory-pointer-before-usage.patch @@ -0,0 +1,75 @@ +From 7d2a36b34c7e5cb55d1476abf0767e1e241e95b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 15:08:12 +0300 +Subject: net/mlx5: Check device memory pointer before usage + +From: Stav Aviram + +[ Upstream commit 70f238c902b8c0461ae6fbb8d1a0bbddc4350eea ] + +Add a NULL check before accessing device memory to prevent a crash if +dev->dm allocation in mlx5_init_once() fails. + +Fixes: c9b9dcb430b3 ("net/mlx5: Move device memory management to mlx5_core") +Signed-off-by: Stav Aviram +Link: https://patch.msgid.link/c88711327f4d74d5cebc730dc629607e989ca187.1751370035.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/dm.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 ++-- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 --- + 3 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/dm.c b/drivers/infiniband/hw/mlx5/dm.c +index b4c97fb62abf..9ded2b7c1e31 100644 +--- a/drivers/infiniband/hw/mlx5/dm.c ++++ b/drivers/infiniband/hw/mlx5/dm.c +@@ -282,7 +282,7 @@ static struct ib_dm *handle_alloc_dm_memic(struct ib_ucontext *ctx, + int err; + u64 address; + +- if (!MLX5_CAP_DEV_MEM(dm_db->dev, memic)) ++ if (!dm_db || !MLX5_CAP_DEV_MEM(dm_db->dev, memic)) + return ERR_PTR(-EOPNOTSUPP); + + dm = kzalloc(sizeof(*dm), GFP_KERNEL); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c +index 7c5516b0a844..8115071c34a4 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c +@@ -30,7 +30,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev) + + dm = kzalloc(sizeof(*dm), GFP_KERNEL); + if (!dm) +- return ERR_PTR(-ENOMEM); ++ return NULL; + + spin_lock_init(&dm->lock); + +@@ -96,7 +96,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev) + err_steering: + kfree(dm); + +- return ERR_PTR(-ENOMEM); ++ return NULL; + } + + void mlx5_dm_cleanup(struct mlx5_core_dev *dev) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 9c1504d29d34..e7bcd0f0a709 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1102,9 +1102,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev) + } + + dev->dm = mlx5_dm_create(dev); +- if (IS_ERR(dev->dm)) +- mlx5_core_warn(dev, "Failed to init device memory %ld\n", PTR_ERR(dev->dm)); +- + dev->tracer = mlx5_fw_tracer_create(dev); + dev->hv_vhca = mlx5_hv_vhca_create(dev); + dev->rsc_dump = mlx5_rsc_dump_create(dev); +-- +2.39.5 + diff --git a/queue-6.15/net-mlx5e-clear-read-only-port-buffer-size-in-pbmc-b.patch b/queue-6.15/net-mlx5e-clear-read-only-port-buffer-size-in-pbmc-b.patch new file mode 100644 index 0000000000..ce8db899e2 --- /dev/null +++ b/queue-6.15/net-mlx5e-clear-read-only-port-buffer-size-in-pbmc-b.patch @@ -0,0 +1,50 @@ +From ebca52b1fc7dc66fad818be74d5127d9c763c113 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 10:44:30 +0300 +Subject: net/mlx5e: Clear Read-Only port buffer size in PBMC before update + +From: Alexei Lazar + +[ Upstream commit fd4b97246a23c1149479b88490946bcfbd28de63 ] + +When updating the PBMC register, we read its current value, +modify desired fields, then write it back. + +The port_buffer_size field within PBMC is Read-Only (RO). +If this RO field contains a non-zero value when read, +attempting to write it back will cause the entire PBMC +register update to fail. + +This commit ensures port_buffer_size is explicitly cleared +to zero after reading the PBMC register but before writing +back the modified value. +This allows updates to other fields in the PBMC register to succeed. + +Fixes: 0696d60853d5 ("net/mlx5e: Receive buffer configuration") +Signed-off-by: Alexei Lazar +Reviewed-by: Yael Chemla +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1753256672-337784-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c +index 8e25f4ef5ccc..5ae787656a7c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.c +@@ -331,6 +331,9 @@ static int port_set_buffer(struct mlx5e_priv *priv, + if (err) + goto out; + ++ /* RO bits should be set to 0 on write */ ++ MLX5_SET(pbmc_reg, in, port_buffer_size, 0); ++ + err = mlx5e_port_set_pbmc(mdev, in); + out: + kfree(in); +-- +2.39.5 + diff --git a/queue-6.15/net-mlx5e-remove-skb-secpath-if-xfrm-state-is-not-fo.patch b/queue-6.15/net-mlx5e-remove-skb-secpath-if-xfrm-state-is-not-fo.patch new file mode 100644 index 0000000000..d2eead9f01 --- /dev/null +++ b/queue-6.15/net-mlx5e-remove-skb-secpath-if-xfrm-state-is-not-fo.patch @@ -0,0 +1,111 @@ +From 11d65e9032f9a12e1607b6ef351ee9ef7e71099c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 10:44:31 +0300 +Subject: net/mlx5e: Remove skb secpath if xfrm state is not found + +From: Jianbo Liu + +[ Upstream commit 6d19c44b5c6dd72f9a357d0399604ec16a77de3c ] + +Hardware returns a unique identifier for a decrypted packet's xfrm +state, this state is looked up in an xarray. However, the state might +have been freed by the time of this lookup. + +Currently, if the state is not found, only a counter is incremented. +The secpath (sp) extension on the skb is not removed, resulting in +sp->len becoming 0. + +Subsequently, functions like __xfrm_policy_check() attempt to access +fields such as xfrm_input_state(skb)->xso.type (which dereferences +sp->xvec[sp->len - 1]) without first validating sp->len. This leads to +a crash when dereferencing an invalid state pointer. + +This patch prevents the crash by explicitly removing the secpath +extension from the skb if the xfrm state is not found after hardware +decryption. This ensures downstream functions do not operate on a +zero-length secpath. + + BUG: unable to handle page fault for address: ffffffff000002c8 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 282e067 P4D 282e067 PUD 0 + Oops: Oops: 0000 [#1] SMP + CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:__xfrm_policy_check+0x61a/0xa30 + Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 <0f> b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa + RSP: 0018:ffff88885fb04918 EFLAGS: 00010297 + RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000 + RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000 + RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353 + R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8 + R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00 + FS: 0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + ? try_to_wake_up+0x108/0x4c0 + ? udp4_lib_lookup2+0xbe/0x150 + ? udp_lib_lport_inuse+0x100/0x100 + ? __udp4_lib_lookup+0x2b0/0x410 + __xfrm_policy_check2.constprop.0+0x11e/0x130 + udp_queue_rcv_one_skb+0x1d/0x530 + udp_unicast_rcv_skb+0x76/0x90 + __udp4_lib_rcv+0xa64/0xe90 + ip_protocol_deliver_rcu+0x20/0x130 + ip_local_deliver_finish+0x75/0xa0 + ip_local_deliver+0xc1/0xd0 + ? ip_protocol_deliver_rcu+0x130/0x130 + ip_sublist_rcv+0x1f9/0x240 + ? ip_rcv_finish_core+0x430/0x430 + ip_list_rcv+0xfc/0x130 + __netif_receive_skb_list_core+0x181/0x1e0 + netif_receive_skb_list_internal+0x200/0x360 + ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core] + gro_receive_skb+0xfd/0x210 + mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core] + mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core] + ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core] + mlx5e_napi_poll+0x114/0xab0 [mlx5_core] + __napi_poll+0x25/0x170 + net_rx_action+0x32d/0x3a0 + ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core] + ? notifier_call_chain+0x33/0xa0 + handle_softirqs+0xda/0x250 + irq_exit_rcu+0x6d/0xc0 + common_interrupt+0x81/0xa0 + + +Fixes: b2ac7541e377 ("net/mlx5e: IPsec: Add Connect-X IPsec Rx data path offload") +Signed-off-by: Jianbo Liu +Reviewed-by: Dragos Tatulea +Reviewed-by: Yael Chemla +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1753256672-337784-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c +index 727fa7c18523..6056106edcc6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c +@@ -327,6 +327,10 @@ void mlx5e_ipsec_offload_handle_rx_skb(struct net_device *netdev, + if (unlikely(!sa_entry)) { + rcu_read_unlock(); + atomic64_inc(&ipsec->sw_stats.ipsec_rx_drop_sadb_miss); ++ /* Clear secpath to prevent invalid dereference ++ * in downstream XFRM policy checks. ++ */ ++ secpath_reset(skb); + return; + } + xfrm_state_hold(sa_entry->x); +-- +2.39.5 + diff --git a/queue-6.15/net-sched-restrict-conditions-for-adding-duplicating.patch b/queue-6.15/net-sched-restrict-conditions-for-adding-duplicating.patch new file mode 100644 index 0000000000..d95d00dcd4 --- /dev/null +++ b/queue-6.15/net-sched-restrict-conditions-for-adding-duplicating.patch @@ -0,0 +1,117 @@ +From cf43634148b85c9e80968e29a1907f6181c71019 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 16:43:26 +0000 +Subject: net/sched: Restrict conditions for adding duplicating netems to qdisc + tree + +From: William Liu + +[ Upstream commit ec8e0e3d7adef940cdf9475e2352c0680189d14e ] + +netem_enqueue's duplication prevention logic breaks when a netem +resides in a qdisc tree with other netems - this can lead to a +soft lockup and OOM loop in netem_dequeue, as seen in [1]. +Ensure that a duplicating netem cannot exist in a tree with other +netems. + +Previous approaches suggested in discussions in chronological order: + +1) Track duplication status or ttl in the sk_buff struct. Considered +too specific a use case to extend such a struct, though this would +be a resilient fix and address other previous and potential future +DOS bugs like the one described in loopy fun [2]. + +2) Restrict netem_enqueue recursion depth like in act_mirred with a +per cpu variable. However, netem_dequeue can call enqueue on its +child, and the depth restriction could be bypassed if the child is a +netem. + +3) Use the same approach as in 2, but add metadata in netem_skb_cb +to handle the netem_dequeue case and track a packet's involvement +in duplication. This is an overly complex approach, and Jamal +notes that the skb cb can be overwritten to circumvent this +safeguard. + +4) Prevent the addition of a netem to a qdisc tree if its ancestral +path contains a netem. However, filters and actions can cause a +packet to change paths when re-enqueued to the root from netem +duplication, leading us to the current solution: prevent a +duplicating netem from inhabiting the same tree as other netems. + +[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/ +[2] https://lwn.net/Articles/719297/ + +Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication") +Reported-by: William Liu +Reported-by: Savino Dicanosa +Signed-off-by: William Liu +Signed-off-by: Savino Dicanosa +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20250708164141.875402-1-will@willsroot.io +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_netem.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index fdd79d3ccd8c..eafc316ae319 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -973,6 +973,41 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla, + return 0; + } + ++static const struct Qdisc_class_ops netem_class_ops; ++ ++static int check_netem_in_tree(struct Qdisc *sch, bool duplicates, ++ struct netlink_ext_ack *extack) ++{ ++ struct Qdisc *root, *q; ++ unsigned int i; ++ ++ root = qdisc_root_sleeping(sch); ++ ++ if (sch != root && root->ops->cl_ops == &netem_class_ops) { ++ if (duplicates || ++ ((struct netem_sched_data *)qdisc_priv(root))->duplicate) ++ goto err; ++ } ++ ++ if (!qdisc_dev(root)) ++ return 0; ++ ++ hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) { ++ if (sch != q && q->ops->cl_ops == &netem_class_ops) { ++ if (duplicates || ++ ((struct netem_sched_data *)qdisc_priv(q))->duplicate) ++ goto err; ++ } ++ } ++ ++ return 0; ++ ++err: ++ NL_SET_ERR_MSG(extack, ++ "netem: cannot mix duplicating netems with other netems in tree"); ++ return -EINVAL; ++} ++ + /* Parse netlink message to set options */ + static int netem_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) +@@ -1031,6 +1066,11 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + q->gap = qopt->gap; + q->counter = 0; + q->loss = qopt->loss; ++ ++ ret = check_netem_in_tree(sch, qopt->duplicate, extack); ++ if (ret) ++ goto unlock; ++ + q->duplicate = qopt->duplicate; + + /* for compatibility with earlier versions. +-- +2.39.5 + diff --git a/queue-6.15/net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch b/queue-6.15/net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch new file mode 100644 index 0000000000..a466ef1d03 --- /dev/null +++ b/queue-6.15/net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch @@ -0,0 +1,106 @@ +From bca22fdc334e0582b8e04785811a9f2cb77311c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 09:01:57 +0000 +Subject: net_sched: act_ctinfo: use atomic64_t for three counters + +From: Eric Dumazet + +[ Upstream commit d300335b4e18672913dd792ff9f49e6cccf41d26 ] + +Commit 21c167aa0ba9 ("net/sched: act_ctinfo: use percpu stats") +missed that stats_dscp_set, stats_dscp_error and stats_cpmark_set +might be written (and read) locklessly. + +Use atomic64_t for these three fields, I doubt act_ctinfo is used +heavily on big SMP hosts anyway. + +Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action") +Signed-off-by: Eric Dumazet +Cc: Pedro Tammela +Link: https://patch.msgid.link/20250709090204.797558-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tc_act/tc_ctinfo.h | 6 +++--- + net/sched/act_ctinfo.c | 19 +++++++++++-------- + 2 files changed, 14 insertions(+), 11 deletions(-) + +diff --git a/include/net/tc_act/tc_ctinfo.h b/include/net/tc_act/tc_ctinfo.h +index f071c1d70a25..a04bcac7adf4 100644 +--- a/include/net/tc_act/tc_ctinfo.h ++++ b/include/net/tc_act/tc_ctinfo.h +@@ -18,9 +18,9 @@ struct tcf_ctinfo_params { + struct tcf_ctinfo { + struct tc_action common; + struct tcf_ctinfo_params __rcu *params; +- u64 stats_dscp_set; +- u64 stats_dscp_error; +- u64 stats_cpmark_set; ++ atomic64_t stats_dscp_set; ++ atomic64_t stats_dscp_error; ++ atomic64_t stats_cpmark_set; + }; + + enum { +diff --git a/net/sched/act_ctinfo.c b/net/sched/act_ctinfo.c +index 5b1241ddc758..93ab3bcd6d31 100644 +--- a/net/sched/act_ctinfo.c ++++ b/net/sched/act_ctinfo.c +@@ -44,9 +44,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca, + ipv4_change_dsfield(ip_hdr(skb), + INET_ECN_MASK, + newdscp); +- ca->stats_dscp_set++; ++ atomic64_inc(&ca->stats_dscp_set); + } else { +- ca->stats_dscp_error++; ++ atomic64_inc(&ca->stats_dscp_error); + } + } + break; +@@ -57,9 +57,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca, + ipv6_change_dsfield(ipv6_hdr(skb), + INET_ECN_MASK, + newdscp); +- ca->stats_dscp_set++; ++ atomic64_inc(&ca->stats_dscp_set); + } else { +- ca->stats_dscp_error++; ++ atomic64_inc(&ca->stats_dscp_error); + } + } + break; +@@ -72,7 +72,7 @@ static void tcf_ctinfo_cpmark_set(struct nf_conn *ct, struct tcf_ctinfo *ca, + struct tcf_ctinfo_params *cp, + struct sk_buff *skb) + { +- ca->stats_cpmark_set++; ++ atomic64_inc(&ca->stats_cpmark_set); + skb->mark = READ_ONCE(ct->mark) & cp->cpmarkmask; + } + +@@ -323,15 +323,18 @@ static int tcf_ctinfo_dump(struct sk_buff *skb, struct tc_action *a, + } + + if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_SET, +- ci->stats_dscp_set, TCA_CTINFO_PAD)) ++ atomic64_read(&ci->stats_dscp_set), ++ TCA_CTINFO_PAD)) + goto nla_put_failure; + + if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_ERROR, +- ci->stats_dscp_error, TCA_CTINFO_PAD)) ++ atomic64_read(&ci->stats_dscp_error), ++ TCA_CTINFO_PAD)) + goto nla_put_failure; + + if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_CPMARK_SET, +- ci->stats_cpmark_set, TCA_CTINFO_PAD)) ++ atomic64_read(&ci->stats_cpmark_set), ++ TCA_CTINFO_PAD)) + goto nla_put_failure; + + spin_unlock_bh(&ci->tcf_lock); +-- +2.39.5 + diff --git a/queue-6.15/netconsole-only-register-console-drivers-when-target.patch b/queue-6.15/netconsole-only-register-console-drivers-when-target.patch new file mode 100644 index 0000000000..c527ccf871 --- /dev/null +++ b/queue-6.15/netconsole-only-register-console-drivers-when-target.patch @@ -0,0 +1,127 @@ +From 939d609256d315ae0c36a1d8ca8e387075f048cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 02:46:26 -0700 +Subject: netconsole: Only register console drivers when targets are configured + +From: Breno Leitao + +[ Upstream commit bc0cb64db1c765a81f69997d5a28f539e1731bc0 ] + +The netconsole driver currently registers the basic console driver +unconditionally during initialization, even when only extended targets +are configured. This results in unnecessary console registration and +performance overhead, as the write_msg() callback is invoked for every +log message only to return early when no matching targets are found. + +Optimize the driver by conditionally registering console drivers based +on the actual target configuration. The basic console driver is now +registered only when non-extended targets exist, same as the extended +console. The implementation also handles dynamic target creation through +the configfs interface. + +This change eliminates unnecessary console driver registrations, +redundant write_msg() callbacks for unused console types, and associated +lock contention and target list iterations. The optimization is +particularly beneficial for systems using only the most common extended +console type. + +Fixes: e2f15f9a79201 ("netconsole: implement extended console support") +Signed-off-by: Breno Leitao +Link: https://patch.msgid.link/20250609-netcons_ext-v3-1-5336fa670326@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netconsole.c | 30 ++++++++++++++++++++++-------- + 1 file changed, 22 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c +index 176935a8645f..a35b1fd4337b 100644 +--- a/drivers/net/netconsole.c ++++ b/drivers/net/netconsole.c +@@ -86,10 +86,10 @@ static DEFINE_SPINLOCK(target_list_lock); + static DEFINE_MUTEX(target_cleanup_list_lock); + + /* +- * Console driver for extended netconsoles. Registered on the first use to +- * avoid unnecessarily enabling ext message formatting. ++ * Console driver for netconsoles. Register only consoles that have ++ * an associated target of the same type. + */ +-static struct console netconsole_ext; ++static struct console netconsole_ext, netconsole; + + struct netconsole_target_stats { + u64_stats_t xmit_drop_count; +@@ -97,6 +97,11 @@ struct netconsole_target_stats { + struct u64_stats_sync syncp; + }; + ++enum console_type { ++ CONS_BASIC = BIT(0), ++ CONS_EXTENDED = BIT(1), ++}; ++ + /* Features enabled in sysdata. Contrary to userdata, this data is populated by + * the kernel. The fields are designed as bitwise flags, allowing multiple + * features to be set in sysdata_fields. +@@ -491,6 +496,12 @@ static ssize_t enabled_store(struct config_item *item, + if (nt->extended && !console_is_registered(&netconsole_ext)) + register_console(&netconsole_ext); + ++ /* User might be enabling the basic format target for the very ++ * first time, make sure the console is registered. ++ */ ++ if (!nt->extended && !console_is_registered(&netconsole)) ++ register_console(&netconsole); ++ + /* + * Skip netpoll_parse_options() -- all the attributes are + * already configured via configfs. Just print them out. +@@ -1690,8 +1701,8 @@ static int __init init_netconsole(void) + { + int err; + struct netconsole_target *nt, *tmp; ++ u32 console_type_needed = 0; + unsigned int count = 0; +- bool extended = false; + unsigned long flags; + char *target_config; + char *input = config; +@@ -1707,9 +1718,10 @@ static int __init init_netconsole(void) + } + /* Dump existing printks when we register */ + if (nt->extended) { +- extended = true; ++ console_type_needed |= CONS_EXTENDED; + netconsole_ext.flags |= CON_PRINTBUFFER; + } else { ++ console_type_needed |= CONS_BASIC; + netconsole.flags |= CON_PRINTBUFFER; + } + +@@ -1728,9 +1740,10 @@ static int __init init_netconsole(void) + if (err) + goto undonotifier; + +- if (extended) ++ if (console_type_needed & CONS_EXTENDED) + register_console(&netconsole_ext); +- register_console(&netconsole); ++ if (console_type_needed & CONS_BASIC) ++ register_console(&netconsole); + pr_info("network logging started\n"); + + return err; +@@ -1760,7 +1773,8 @@ static void __exit cleanup_netconsole(void) + + if (console_is_registered(&netconsole_ext)) + unregister_console(&netconsole_ext); +- unregister_console(&netconsole); ++ if (console_is_registered(&netconsole)) ++ unregister_console(&netconsole); + dynamic_netconsole_exit(); + unregister_netdevice_notifier(&netconsole_netdev_notifier); + +-- +2.39.5 + diff --git a/queue-6.15/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch b/queue-6.15/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch new file mode 100644 index 0000000000..64d0f35441 --- /dev/null +++ b/queue-6.15/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch @@ -0,0 +1,51 @@ +From ae0c9b9f6bab26ec438618b0a181ca9c57815551 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 14:12:15 +0300 +Subject: netfilter: nf_tables: adjust lockdep assertions handling + +From: Fedor Pchelkin + +[ Upstream commit 8df1b40de76979bb8e975201d07b71103d5de820 ] + +It's needed to check the return value of lockdep_commit_lock_is_held(), +otherwise there's no point in this assertion as it doesn't print any +debug information on itself. + +Found by Linux Verification Center (linuxtesting.org) with Svace static +analysis tool. + +Fixes: b04df3da1b5c ("netfilter: nf_tables: do not defer rule destruction via call_rcu") +Reported-by: Alexey Khoroshilov +Signed-off-by: Fedor Pchelkin +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 3eb000ae2f27..843f2c3ce73c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3981,7 +3981,7 @@ void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) + /* can only be used if rule is no longer visible to dumps */ + static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) + { +- lockdep_commit_lock_is_held(ctx->net); ++ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net)); + + nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); + nf_tables_rule_destroy(ctx, rule); +@@ -5770,7 +5770,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding, + enum nft_trans_phase phase) + { +- lockdep_commit_lock_is_held(ctx->net); ++ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net)); + + switch (phase) { + case NFT_TRANS_PREPARE_ERROR: +-- +2.39.5 + diff --git a/queue-6.15/netfilter-nf_tables-drop-dead-code-from-fill_-_info-.patch b/queue-6.15/netfilter-nf_tables-drop-dead-code-from-fill_-_info-.patch new file mode 100644 index 0000000000..446b2155ba --- /dev/null +++ b/queue-6.15/netfilter-nf_tables-drop-dead-code-from-fill_-_info-.patch @@ -0,0 +1,92 @@ +From 6732fe599a37831d8bcb7b45b3b3c46b644f21d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 15:37:02 +0200 +Subject: netfilter: nf_tables: Drop dead code from fill_*_info routines + +From: Phil Sutter + +[ Upstream commit 8080357a8c6cf4905bbd8969412c19d34be3395e ] + +This practically reverts commit 28339b21a365 ("netfilter: nf_tables: do +not send complete notification of deletions"): The feature was never +effective, due to prior modification of 'event' variable the conditional +early return never happened. + +User space also relies upon the current behaviour, so better reintroduce +the shortened deletion notifications once it is fixed. + +Fixes: 28339b21a365 ("netfilter: nf_tables: do not send complete notification of deletions") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 25 ------------------------- + 1 file changed, 25 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index a133e1c175ce..3eb000ae2f27 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1130,11 +1130,6 @@ static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, + NFTA_TABLE_PAD)) + goto nla_put_failure; + +- if (event == NFT_MSG_DELTABLE) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (nla_put_be32(skb, NFTA_TABLE_FLAGS, + htonl(table->flags & NFT_TABLE_F_MASK))) + goto nla_put_failure; +@@ -1993,11 +1988,6 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, + NFTA_CHAIN_PAD)) + goto nla_put_failure; + +- if (event == NFT_MSG_DELCHAIN && !hook_list) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (nft_is_base_chain(chain)) { + const struct nft_base_chain *basechain = nft_base_chain(chain); + struct nft_stats __percpu *stats; +@@ -4788,11 +4778,6 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, + NFTA_SET_PAD)) + goto nla_put_failure; + +- if (event == NFT_MSG_DELSET) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (set->flags != 0) + if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) + goto nla_put_failure; +@@ -8276,11 +8261,6 @@ static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, + NFTA_OBJ_PAD)) + goto nla_put_failure; + +- if (event == NFT_MSG_DELOBJ) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || + nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || + nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset)) +@@ -9298,11 +9278,6 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, + NFTA_FLOWTABLE_PAD)) + goto nla_put_failure; + +- if (event == NFT_MSG_DELFLOWTABLE && !hook_list) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || + nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) + goto nla_put_failure; +-- +2.39.5 + diff --git a/queue-6.15/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch b/queue-6.15/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch new file mode 100644 index 0000000000..e82dce6960 --- /dev/null +++ b/queue-6.15/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch @@ -0,0 +1,50 @@ +From 057efd5a56fdb21d0230697a659d547f475f0665 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 13:27:13 +0200 +Subject: netfilter: xt_nfacct: don't assume acct name is null-terminated + +From: Florian Westphal + +[ Upstream commit bf58e667af7d96c8eb9411f926a0a0955f41ce21 ] + +BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721 +Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851 +[..] + string+0x231/0x2b0 lib/vsprintf.c:721 + vsnprintf+0x739/0xf00 lib/vsprintf.c:2874 + [..] + nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41 + xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523 + +nfnl_acct_find_get() handles non-null input, but the error +printk relied on its presence. + +Reported-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=4ff165b9251e4d295690 +Tested-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com +Fixes: ceb98d03eac5 ("netfilter: xtables: add nfacct match to support extended accounting") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_nfacct.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c +index 7c6bf1c16813..0ca1cdfc4095 100644 +--- a/net/netfilter/xt_nfacct.c ++++ b/net/netfilter/xt_nfacct.c +@@ -38,8 +38,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par) + + nfacct = nfnl_acct_find_get(par->net, info->name); + if (nfacct == NULL) { +- pr_info_ratelimited("accounting object `%s' does not exists\n", +- info->name); ++ pr_info_ratelimited("accounting object `%.*s' does not exist\n", ++ NFACCT_NAME_MAX, info->name); + return -ENOENT; + } + info->nfacct = nfacct; +-- +2.39.5 + diff --git a/queue-6.15/padata-fix-pd-uaf-once-and-for-all.patch b/queue-6.15/padata-fix-pd-uaf-once-and-for-all.patch new file mode 100644 index 0000000000..0414fedc62 --- /dev/null +++ b/queue-6.15/padata-fix-pd-uaf-once-and-for-all.patch @@ -0,0 +1,269 @@ +From 70cf8e5c88311e1593d54c9c82f84c5c3eb9cb93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 May 2025 20:32:20 +0800 +Subject: padata: Fix pd UAF once and for all + +From: Herbert Xu + +[ Upstream commit 71203f68c7749609d7fc8ae6ad054bdedeb24f91 ] + +There is a race condition/UAF in padata_reorder that goes back +to the initial commit. A reference count is taken at the start +of the process in padata_do_parallel, and released at the end in +padata_serial_worker. + +This reference count is (and only is) required for padata_replace +to function correctly. If padata_replace is never called then +there is no issue. + +In the function padata_reorder which serves as the core of padata, +as soon as padata is added to queue->serial.list, and the associated +spin lock released, that padata may be processed and the reference +count on pd would go away. + +Fix this by getting the next padata before the squeue->serial lock +is released. + +In order to make this possible, simplify padata_reorder by only +calling it once the next padata arrives. + +Fixes: 16295bec6398 ("padata: Generic parallelization/serialization interface") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + include/linux/padata.h | 3 - + kernel/padata.c | 132 ++++++++++++----------------------------- + 2 files changed, 37 insertions(+), 98 deletions(-) + +diff --git a/include/linux/padata.h b/include/linux/padata.h +index 0146daf34430..b486c7359de2 100644 +--- a/include/linux/padata.h ++++ b/include/linux/padata.h +@@ -91,7 +91,6 @@ struct padata_cpumask { + * @cpu: Next CPU to be processed. + * @cpumask: The cpumasks in use for parallel and serial workers. + * @reorder_work: work struct for reordering. +- * @lock: Reorder lock. + */ + struct parallel_data { + struct padata_shell *ps; +@@ -102,8 +101,6 @@ struct parallel_data { + unsigned int processed; + int cpu; + struct padata_cpumask cpumask; +- struct work_struct reorder_work; +- spinlock_t ____cacheline_aligned lock; + }; + + /** +diff --git a/kernel/padata.c b/kernel/padata.c +index 7eee94166357..25cd3406477a 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -261,20 +261,17 @@ EXPORT_SYMBOL(padata_do_parallel); + * be parallel processed by another cpu and is not yet present in + * the cpu's reorder queue. + */ +-static struct padata_priv *padata_find_next(struct parallel_data *pd, +- bool remove_object) ++static struct padata_priv *padata_find_next(struct parallel_data *pd, int cpu, ++ unsigned int processed) + { + struct padata_priv *padata; + struct padata_list *reorder; +- int cpu = pd->cpu; + + reorder = per_cpu_ptr(pd->reorder_list, cpu); + + spin_lock(&reorder->lock); +- if (list_empty(&reorder->list)) { +- spin_unlock(&reorder->lock); +- return NULL; +- } ++ if (list_empty(&reorder->list)) ++ goto notfound; + + padata = list_entry(reorder->list.next, struct padata_priv, list); + +@@ -282,97 +279,52 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd, + * Checks the rare case where two or more parallel jobs have hashed to + * the same CPU and one of the later ones finishes first. + */ +- if (padata->seq_nr != pd->processed) { +- spin_unlock(&reorder->lock); +- return NULL; +- } +- +- if (remove_object) { +- list_del_init(&padata->list); +- ++pd->processed; +- pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); +- } ++ if (padata->seq_nr != processed) ++ goto notfound; + ++ list_del_init(&padata->list); + spin_unlock(&reorder->lock); + return padata; ++ ++notfound: ++ pd->processed = processed; ++ pd->cpu = cpu; ++ spin_unlock(&reorder->lock); ++ return NULL; + } + +-static void padata_reorder(struct parallel_data *pd) ++static void padata_reorder(struct padata_priv *padata) + { ++ struct parallel_data *pd = padata->pd; + struct padata_instance *pinst = pd->ps->pinst; +- int cb_cpu; +- struct padata_priv *padata; +- struct padata_serial_queue *squeue; +- struct padata_list *reorder; ++ unsigned int processed; ++ int cpu; + +- /* +- * We need to ensure that only one cpu can work on dequeueing of +- * the reorder queue the time. Calculating in which percpu reorder +- * queue the next object will arrive takes some time. A spinlock +- * would be highly contended. Also it is not clear in which order +- * the objects arrive to the reorder queues. So a cpu could wait to +- * get the lock just to notice that there is nothing to do at the +- * moment. Therefore we use a trylock and let the holder of the lock +- * care for all the objects enqueued during the holdtime of the lock. +- */ +- if (!spin_trylock_bh(&pd->lock)) +- return; ++ processed = pd->processed; ++ cpu = pd->cpu; + +- while (1) { +- padata = padata_find_next(pd, true); ++ do { ++ struct padata_serial_queue *squeue; ++ int cb_cpu; + +- /* +- * If the next object that needs serialization is parallel +- * processed by another cpu and is still on it's way to the +- * cpu's reorder queue, nothing to do for now. +- */ +- if (!padata) +- break; ++ cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); ++ processed++; + + cb_cpu = padata->cb_cpu; + squeue = per_cpu_ptr(pd->squeue, cb_cpu); + + spin_lock(&squeue->serial.lock); + list_add_tail(&padata->list, &squeue->serial.list); +- spin_unlock(&squeue->serial.lock); +- + queue_work_on(cb_cpu, pinst->serial_wq, &squeue->work); +- } + +- spin_unlock_bh(&pd->lock); +- +- /* +- * The next object that needs serialization might have arrived to +- * the reorder queues in the meantime. +- * +- * Ensure reorder queue is read after pd->lock is dropped so we see +- * new objects from another task in padata_do_serial. Pairs with +- * smp_mb in padata_do_serial. +- */ +- smp_mb(); +- +- reorder = per_cpu_ptr(pd->reorder_list, pd->cpu); +- if (!list_empty(&reorder->list) && padata_find_next(pd, false)) { + /* +- * Other context(eg. the padata_serial_worker) can finish the request. +- * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish. ++ * If the next object that needs serialization is parallel ++ * processed by another cpu and is still on it's way to the ++ * cpu's reorder queue, end the loop. + */ +- padata_get_pd(pd); +- if (!queue_work(pinst->serial_wq, &pd->reorder_work)) +- padata_put_pd(pd); +- } +-} +- +-static void invoke_padata_reorder(struct work_struct *work) +-{ +- struct parallel_data *pd; +- +- local_bh_disable(); +- pd = container_of(work, struct parallel_data, reorder_work); +- padata_reorder(pd); +- local_bh_enable(); +- /* Pairs with putting the reorder_work in the serial_wq */ +- padata_put_pd(pd); ++ padata = padata_find_next(pd, cpu, processed); ++ spin_unlock(&squeue->serial.lock); ++ } while (padata); + } + + static void padata_serial_worker(struct work_struct *serial_work) +@@ -423,6 +375,7 @@ void padata_do_serial(struct padata_priv *padata) + struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu); + struct padata_priv *cur; + struct list_head *pos; ++ bool gotit = true; + + spin_lock(&reorder->lock); + /* Sort in ascending order of sequence number. */ +@@ -432,17 +385,14 @@ void padata_do_serial(struct padata_priv *padata) + if ((signed int)(cur->seq_nr - padata->seq_nr) < 0) + break; + } +- list_add(&padata->list, pos); ++ if (padata->seq_nr != pd->processed) { ++ gotit = false; ++ list_add(&padata->list, pos); ++ } + spin_unlock(&reorder->lock); + +- /* +- * Ensure the addition to the reorder list is ordered correctly +- * with the trylock of pd->lock in padata_reorder. Pairs with smp_mb +- * in padata_reorder. +- */ +- smp_mb(); +- +- padata_reorder(pd); ++ if (gotit) ++ padata_reorder(padata); + } + EXPORT_SYMBOL(padata_do_serial); + +@@ -632,9 +582,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps) + padata_init_squeues(pd); + pd->seq_nr = -1; + refcount_set(&pd->refcnt, 1); +- spin_lock_init(&pd->lock); + pd->cpu = cpumask_first(pd->cpumask.pcpu); +- INIT_WORK(&pd->reorder_work, invoke_padata_reorder); + + return pd; + +@@ -1144,12 +1092,6 @@ void padata_free_shell(struct padata_shell *ps) + if (!ps) + return; + +- /* +- * Wait for all _do_serial calls to finish to avoid touching +- * freed pd's and ps's. +- */ +- synchronize_rcu(); +- + mutex_lock(&ps->pinst->lock); + list_del(&ps->list); + pd = rcu_dereference_protected(ps->pd, 1); +-- +2.39.5 + diff --git a/queue-6.15/padata-remove-comment-for-reorder_work.patch b/queue-6.15/padata-remove-comment-for-reorder_work.patch new file mode 100644 index 0000000000..d2a1cbec8b --- /dev/null +++ b/queue-6.15/padata-remove-comment-for-reorder_work.patch @@ -0,0 +1,34 @@ +From 8f41d1b54356df3ab7c4d7b0771d808b5173e694 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 16:38:49 +0800 +Subject: padata: Remove comment for reorder_work + +From: Herbert Xu + +[ Upstream commit 82a0302e7167d0b7c6cde56613db3748f8dd806d ] + +Remove comment for reorder_work which no longer exists. + +Reported-by: Stephen Rothwell +Fixes: 71203f68c774 ("padata: Fix pd UAF once and for all") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + include/linux/padata.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/include/linux/padata.h b/include/linux/padata.h +index b486c7359de2..765f2778e264 100644 +--- a/include/linux/padata.h ++++ b/include/linux/padata.h +@@ -90,7 +90,6 @@ struct padata_cpumask { + * @processed: Number of already processed objects. + * @cpu: Next CPU to be processed. + * @cpumask: The cpumasks in use for parallel and serial workers. +- * @reorder_work: work struct for reordering. + */ + struct parallel_data { + struct padata_shell *ps; +-- +2.39.5 + diff --git a/queue-6.15/pci-adjust-the-position-of-reading-the-link-control-.patch b/queue-6.15/pci-adjust-the-position-of-reading-the-link-control-.patch new file mode 100644 index 0000000000..f40e5adba0 --- /dev/null +++ b/queue-6.15/pci-adjust-the-position-of-reading-the-link-control-.patch @@ -0,0 +1,69 @@ +From 0040806d4b8aa03873eea691c9d215753d184a80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 13:51:55 +0800 +Subject: PCI: Adjust the position of reading the Link Control 2 register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiwei Sun + +[ Upstream commit b85af48de3ece4e5bbdb2248a5360a409991cf67 ] + +In a89c82249c37 ("PCI: Work around PCIe link training failures"), if the +speed limit is set to 2.5 GT/s and the retraining is successful, an attempt +will be made to lift the speed limit. One condition for lifting the speed +limit is to check whether the link speed field of the Link Control 2 +register is PCI_EXP_LNKCTL2_TLS_2_5GT. + +However, since de9a6c8d5dbf ("PCI/bwctrl: Add pcie_set_target_speed() to +set PCIe Link Speed"), the `lnkctl2` local variable does not undergo any +changes during the speed limit setting and retraining process. As a result, +the code intended to lift the speed limit is not executed. + +To address this issue, adjust the position of the Link Control 2 register +read operation in the code and place it before its use. + +Fixes: de9a6c8d5dbf ("PCI/bwctrl: Add pcie_set_target_speed() to set PCIe Link Speed") +Suggested-by: Maciej W. Rozycki +Suggested-by: Ilpo Järvinen +Signed-off-by: Jiwei Sun +Signed-off-by: Bjorn Helgaas +Link: https://patch.msgid.link/20250123055155.22648-3-sjiwei@163.com +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index d0f7b749b9a6..6e29f2b39dce 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -109,13 +109,13 @@ int pcie_failed_link_retrain(struct pci_dev *dev) + !pcie_cap_has_lnkctl2(dev) || !dev->link_active_reporting) + return ret; + +- pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &lnkctl2); + pcie_capability_read_word(dev, PCI_EXP_LNKSTA, &lnksta); + if (!(lnksta & PCI_EXP_LNKSTA_DLLLA) && pcie_lbms_seen(dev, lnksta)) { +- u16 oldlnkctl2 = lnkctl2; ++ u16 oldlnkctl2; + + pci_info(dev, "broken device, retraining non-functional downstream link at 2.5GT/s\n"); + ++ pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &oldlnkctl2); + ret = pcie_set_target_speed(dev, PCIE_SPEED_2_5GT, false); + if (ret) { + pci_info(dev, "retraining failed\n"); +@@ -127,6 +127,8 @@ int pcie_failed_link_retrain(struct pci_dev *dev) + pcie_capability_read_word(dev, PCI_EXP_LNKSTA, &lnksta); + } + ++ pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &lnkctl2); ++ + if ((lnksta & PCI_EXP_LNKSTA_DLLLA) && + (lnkctl2 & PCI_EXP_LNKCTL2_TLS) == PCI_EXP_LNKCTL2_TLS_2_5GT && + pci_match_id(ids, dev)) { +-- +2.39.5 + diff --git a/queue-6.15/pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch b/queue-6.15/pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch new file mode 100644 index 0000000000..bffd870a5b --- /dev/null +++ b/queue-6.15/pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch @@ -0,0 +1,52 @@ +From bc9e1a5baed70dba2941d2c69e4f2f7959ae09fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:20:22 +0530 +Subject: PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem + attribute + +From: Manivannan Sadhasivam + +[ Upstream commit 61ae7f8694fb4b57a8c02a1a8d2b601806afc999 ] + +__iomem attribute is supposed to be used only with variables holding the +MMIO pointer. But here, 'mw_addr' variable is just holding a 'void *' +returned by pci_epf_alloc_space(). So annotating it with __iomem is clearly +wrong. Hence, drop the attribute. + +This also fixes the below sparse warning: + + drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: warning: incorrect type in assignment (different address spaces) + drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: expected void [noderef] __iomem *mw_addr + drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: got void * + drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: warning: incorrect type in assignment (different address spaces) + drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: expected unsigned int [usertype] *epf_db + drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: got void [noderef] __iomem *mw_addr + drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: warning: incorrect type in argument 2 (different address spaces) + drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: expected void *addr + drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: got void [noderef] __iomem *mw_addr + +Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP") +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20250709125022.22524-1-mani@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c +index 3cddfdd04029..62d09a528e68 100644 +--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c ++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c +@@ -530,7 +530,7 @@ static int epf_ntb_db_bar_init(struct epf_ntb *ntb) + struct device *dev = &ntb->epf->dev; + int ret; + struct pci_epf_bar *epf_bar; +- void __iomem *mw_addr; ++ void *mw_addr; + enum pci_barno barno; + size_t size = sizeof(u32) * ntb->db_count; + +-- +2.39.5 + diff --git a/queue-6.15/pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch b/queue-6.15/pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch new file mode 100644 index 0000000000..c5ae1aafc7 --- /dev/null +++ b/queue-6.15/pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch @@ -0,0 +1,43 @@ +From 6010ae47f643cc5d9250dc0111204dc8d4f90f5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 19:03:38 +0200 +Subject: PCI: endpoint: pci-epf-vntb: Return -ENOENT if + pci_epc_get_next_free_bar() fails + +From: Jerome Brunet + +[ Upstream commit 7ea488cce73263231662e426639dd3e836537068 ] + +According the function documentation of epf_ntb_init_epc_bar(), the +function should return an error code on error. However, it returns -1 when +no BAR is available i.e., when pci_epc_get_next_free_bar() fails. + +Return -ENOENT instead. + +Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP") +Signed-off-by: Jerome Brunet +[mani: changed err code to -ENOENT] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20250603-pci-vntb-bar-mapping-v2-1-fc685a22ad28@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c +index 874cb097b093..3cddfdd04029 100644 +--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c ++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c +@@ -700,7 +700,7 @@ static int epf_ntb_init_epc_bar(struct epf_ntb *ntb) + barno = pci_epc_get_next_free_bar(epc_features, barno); + if (barno < 0) { + dev_err(dev, "Fail to get NTB function BAR\n"); +- return barno; ++ return -ENOENT; + } + ntb->epf_ntb_bar[bar] = barno; + } +-- +2.39.5 + diff --git a/queue-6.15/pci-fix-driver_managed_dma-check.patch b/queue-6.15/pci-fix-driver_managed_dma-check.patch new file mode 100644 index 0000000000..443aa41fa2 --- /dev/null +++ b/queue-6.15/pci-fix-driver_managed_dma-check.patch @@ -0,0 +1,59 @@ +From dbb9695f7b55858b6c60e3633db7feebed5910c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 14:39:29 +0100 +Subject: PCI: Fix driver_managed_dma check + +From: Robin Murphy + +[ Upstream commit 78447d4545b2ea76ee04f4e46d473639483158b2 ] + +Since it's not currently safe to take device_lock() in the IOMMU probe +path, that can race against really_probe() setting dev->driver before +attempting to bind. The race itself isn't so bad, since we're only +concerned with dereferencing dev->driver itself anyway, but sadly my +attempt to implement the check with minimal churn leads to a kind of +Time-of-Check to Time-of-Use (TOCTOU) issue, where dev->driver becomes +valid after to_pci_driver(NULL) is already computed, and thus the check +fails to work as intended. + +Will and I both hit this with the platform bus, but the pattern here is +the same, so fix it for correctness too. + +Fixes: bcb81ac6ae3c ("iommu: Get DT/ACPI parsing into the proper probe path") +Reported-by: Will McVicker +Signed-off-by: Robin Murphy +Signed-off-by: Bjorn Helgaas +Reviewed-by: Will McVicker +Link: https://patch.msgid.link/20250425133929.646493-4-robin.murphy@arm.com +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-driver.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c +index c8bd71a739f7..66e3bea7dc1a 100644 +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -1634,7 +1634,7 @@ static int pci_bus_num_vf(struct device *dev) + */ + static int pci_dma_configure(struct device *dev) + { +- struct pci_driver *driver = to_pci_driver(dev->driver); ++ const struct device_driver *drv = READ_ONCE(dev->driver); + struct device *bridge; + int ret = 0; + +@@ -1651,8 +1651,8 @@ static int pci_dma_configure(struct device *dev) + + pci_put_host_bridge_device(bridge); + +- /* @driver may not be valid when we're called from the IOMMU layer */ +- if (!ret && dev->driver && !driver->driver_managed_dma) { ++ /* @drv may not be valid when we're called from the IOMMU layer */ ++ if (!ret && drv && !to_pci_driver(drv)->driver_managed_dma) { + ret = iommu_device_use_default_domain(dev); + if (ret) + arch_teardown_dma_ops(dev); +-- +2.39.5 + diff --git a/queue-6.15/pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch b/queue-6.15/pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch new file mode 100644 index 0000000000..9f10d6457e --- /dev/null +++ b/queue-6.15/pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch @@ -0,0 +1,229 @@ +From 78d48283baa4ae5a68e76d2478bbadc5bd1173a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:36:07 -0500 +Subject: PCI: pnv_php: Clean up allocated IRQs on unplug + +From: Timothy Pearson + +[ Upstream commit 4668619092554e1b95c9a5ac2941ca47ba6d548a ] + +When the root of a nested PCIe bridge configuration is unplugged, the +pnv_php driver leaked the allocated IRQ resources for the child bridges' +hotplug event notifications, resulting in a panic. + +Fix this by walking all child buses and deallocating all its IRQ resources +before calling pci_hp_remove_devices(). + +Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so +that it is only destroyed in pnv_php_free_slot(), instead of +pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will +now be called by workers triggered by hot unplug interrupts, so the +workqueue needs to stay allocated. + +The abridged kernel panic that occurs without this patch is as follows: + + WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c + CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2 + Call Trace: + msi_device_data_release+0x34/0x9c (unreliable) + release_nodes+0x64/0x13c + devres_release_all+0xc0/0x140 + device_del+0x2d4/0x46c + pci_destroy_dev+0x5c/0x194 + pci_hp_remove_devices+0x90/0x128 + pci_hp_remove_devices+0x44/0x128 + pnv_php_disable_slot+0x54/0xd4 + power_write_file+0xf8/0x18c + pci_slot_attr_store+0x40/0x5c + sysfs_kf_write+0x64/0x78 + kernfs_fop_write_iter+0x1b0/0x290 + vfs_write+0x3bc/0x50c + ksys_write+0x84/0x140 + system_call_exception+0x124/0x230 + system_call_vectored_common+0x15c/0x2ec + +Signed-off-by: Shawn Anastasio +Signed-off-by: Timothy Pearson +[bhelgaas: tidy comments] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/2013845045.1359852.1752615367790.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pnv_php.c | 96 ++++++++++++++++++++++++++++------- + 1 file changed, 77 insertions(+), 19 deletions(-) + +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index 573a41869c15..1304329ca6f7 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -3,6 +3,7 @@ + * PCI Hotplug Driver for PowerPC PowerNV platform. + * + * Copyright Gavin Shan, IBM Corporation 2016. ++ * Copyright (C) 2025 Raptor Engineering, LLC + */ + + #include +@@ -36,8 +37,10 @@ static void pnv_php_register(struct device_node *dn); + static void pnv_php_unregister_one(struct device_node *dn); + static void pnv_php_unregister(struct device_node *dn); + ++static void pnv_php_enable_irq(struct pnv_php_slot *php_slot); ++ + static void pnv_php_disable_irq(struct pnv_php_slot *php_slot, +- bool disable_device) ++ bool disable_device, bool disable_msi) + { + struct pci_dev *pdev = php_slot->pdev; + u16 ctrl; +@@ -53,19 +56,15 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot, + php_slot->irq = 0; + } + +- if (php_slot->wq) { +- destroy_workqueue(php_slot->wq); +- php_slot->wq = NULL; +- } +- +- if (disable_device) { ++ if (disable_device || disable_msi) { + if (pdev->msix_enabled) + pci_disable_msix(pdev); + else if (pdev->msi_enabled) + pci_disable_msi(pdev); ++ } + ++ if (disable_device) + pci_disable_device(pdev); +- } + } + + static void pnv_php_free_slot(struct kref *kref) +@@ -74,7 +73,8 @@ static void pnv_php_free_slot(struct kref *kref) + struct pnv_php_slot, kref); + + WARN_ON(!list_empty(&php_slot->children)); +- pnv_php_disable_irq(php_slot, false); ++ pnv_php_disable_irq(php_slot, false, false); ++ destroy_workqueue(php_slot->wq); + kfree(php_slot->name); + kfree(php_slot); + } +@@ -561,8 +561,58 @@ static int pnv_php_reset_slot(struct hotplug_slot *slot, bool probe) + static int pnv_php_enable_slot(struct hotplug_slot *slot) + { + struct pnv_php_slot *php_slot = to_pnv_php_slot(slot); ++ u32 prop32; ++ int ret; ++ ++ ret = pnv_php_enable(php_slot, true); ++ if (ret) ++ return ret; ++ ++ /* (Re-)enable interrupt if the slot supports surprise hotplug */ ++ ret = of_property_read_u32(php_slot->dn, "ibm,slot-surprise-pluggable", ++ &prop32); ++ if (!ret && prop32) ++ pnv_php_enable_irq(php_slot); + +- return pnv_php_enable(php_slot, true); ++ return 0; ++} ++ ++/* ++ * Disable any hotplug interrupts for all slots on the provided bus, as well as ++ * all downstream slots in preparation for a hot unplug. ++ */ ++static int pnv_php_disable_all_irqs(struct pci_bus *bus) ++{ ++ struct pci_bus *child_bus; ++ struct pci_slot *slot; ++ ++ /* First go down child buses */ ++ list_for_each_entry(child_bus, &bus->children, node) ++ pnv_php_disable_all_irqs(child_bus); ++ ++ /* Disable IRQs for all pnv_php slots on this bus */ ++ list_for_each_entry(slot, &bus->slots, list) { ++ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot->hotplug); ++ ++ pnv_php_disable_irq(php_slot, false, true); ++ } ++ ++ return 0; ++} ++ ++/* ++ * Disable any hotplug interrupts for all downstream slots on the provided ++ * bus in preparation for a hot unplug. ++ */ ++static int pnv_php_disable_all_downstream_irqs(struct pci_bus *bus) ++{ ++ struct pci_bus *child_bus; ++ ++ /* Go down child buses, recursively deactivating their IRQs */ ++ list_for_each_entry(child_bus, &bus->children, node) ++ pnv_php_disable_all_irqs(child_bus); ++ ++ return 0; + } + + static int pnv_php_disable_slot(struct hotplug_slot *slot) +@@ -579,6 +629,13 @@ static int pnv_php_disable_slot(struct hotplug_slot *slot) + php_slot->state != PNV_PHP_STATE_REGISTERED) + return 0; + ++ /* ++ * Free all IRQ resources from all child slots before remove. ++ * Note that we do not disable the root slot IRQ here as that ++ * would also deactivate the slot hot (re)plug interrupt! ++ */ ++ pnv_php_disable_all_downstream_irqs(php_slot->bus); ++ + /* Remove all devices behind the slot */ + pci_lock_rescan_remove(); + pci_hp_remove_devices(php_slot->bus); +@@ -647,6 +704,15 @@ static struct pnv_php_slot *pnv_php_alloc_slot(struct device_node *dn) + return NULL; + } + ++ /* Allocate workqueue for this slot's interrupt handling */ ++ php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name); ++ if (!php_slot->wq) { ++ SLOT_WARN(php_slot, "Cannot alloc workqueue\n"); ++ kfree(php_slot->name); ++ kfree(php_slot); ++ return NULL; ++ } ++ + if (dn->child && PCI_DN(dn->child)) + php_slot->slot_no = PCI_SLOT(PCI_DN(dn->child)->devfn); + else +@@ -843,14 +909,6 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq) + u16 sts, ctrl; + int ret; + +- /* Allocate workqueue */ +- php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name); +- if (!php_slot->wq) { +- SLOT_WARN(php_slot, "Cannot alloc workqueue\n"); +- pnv_php_disable_irq(php_slot, true); +- return; +- } +- + /* Check PDC (Presence Detection Change) is broken or not */ + ret = of_property_read_u32(php_slot->dn, "ibm,slot-broken-pdc", + &broken_pdc); +@@ -869,7 +927,7 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq) + ret = request_irq(irq, pnv_php_interrupt, IRQF_SHARED, + php_slot->name, php_slot); + if (ret) { +- pnv_php_disable_irq(php_slot, true); ++ pnv_php_disable_irq(php_slot, true, true); + SLOT_WARN(php_slot, "Error %d enabling IRQ %d\n", ret, irq); + return; + } +-- +2.39.5 + diff --git a/queue-6.15/pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch b/queue-6.15/pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch new file mode 100644 index 0000000000..0d85ee73f4 --- /dev/null +++ b/queue-6.15/pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch @@ -0,0 +1,215 @@ +From c4aa0e91d1c53537381071503d38f4e300160751 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:39:06 -0500 +Subject: PCI: pnv_php: Fix surprise plug detection and recovery + +From: Timothy Pearson + +[ Upstream commit a2a2a6fc2469524caa713036297c542746d148dc ] + +The existing PowerNV hotplug code did not handle surprise plug events +correctly, leading to a complete failure of the hotplug system after device +removal and a required reboot to detect new devices. + +This comes down to two issues: + + 1) When a device is surprise removed, often the bridge upstream + port will cause a PE freeze on the PHB. If this freeze is not + cleared, the MSI interrupts from the bridge hotplug notification + logic will not be received by the kernel, stalling all plug events + on all slots associated with the PE. + + 2) When a device is removed from a slot, regardless of surprise or + programmatic removal, the associated PHB/PE ls left frozen. + If this freeze is not cleared via a fundamental reset, skiboot + is unable to clear the freeze and cannot retrain / rescan the + slot. This also requires a reboot to clear the freeze and redetect + the device in the slot. + +Issue the appropriate unfreeze and rescan commands on hotplug events, +and don't oops on hotplug if pci_bus_to_OF_node() returns NULL. + +Signed-off-by: Timothy Pearson +[bhelgaas: tidy comments] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/171044224.1359864.1752615546988.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci-hotplug.c | 3 + + drivers/pci/hotplug/pnv_php.c | 110 +++++++++++++++++++++++++++++- + 2 files changed, 110 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/pci-hotplug.c b/arch/powerpc/kernel/pci-hotplug.c +index 9ea74973d78d..6f444d0822d8 100644 +--- a/arch/powerpc/kernel/pci-hotplug.c ++++ b/arch/powerpc/kernel/pci-hotplug.c +@@ -141,6 +141,9 @@ void pci_hp_add_devices(struct pci_bus *bus) + struct pci_controller *phb; + struct device_node *dn = pci_bus_to_OF_node(bus); + ++ if (!dn) ++ return; ++ + phb = pci_bus_to_host(bus); + + mode = PCI_PROBE_NORMAL; +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index 5476c9e7760d..4f85e7fe29ec 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -4,12 +4,14 @@ + * + * Copyright Gavin Shan, IBM Corporation 2016. + * Copyright (C) 2025 Raptor Engineering, LLC ++ * Copyright (C) 2025 Raptor Computing Systems, LLC + */ + + #include + #include + #include + #include ++#include + #include + #include + +@@ -469,6 +471,61 @@ static int pnv_php_set_attention_state(struct hotplug_slot *slot, u8 state) + return 0; + } + ++static int pnv_php_activate_slot(struct pnv_php_slot *php_slot, ++ struct hotplug_slot *slot) ++{ ++ int ret, i; ++ ++ /* ++ * Issue initial slot activation command to firmware ++ * ++ * Firmware will power slot on, attempt to train the link, and ++ * discover any downstream devices. If this process fails, firmware ++ * will return an error code and an invalid device tree. Failure ++ * can be caused for multiple reasons, including a faulty ++ * downstream device, poor connection to the downstream device, or ++ * a previously latched PHB fence. On failure, issue fundamental ++ * reset up to three times before aborting. ++ */ ++ ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON); ++ if (ret) { ++ SLOT_WARN( ++ php_slot, ++ "PCI slot activation failed with error code %d, possible frozen PHB", ++ ret); ++ SLOT_WARN( ++ php_slot, ++ "Attempting complete PHB reset before retrying slot activation\n"); ++ for (i = 0; i < 3; i++) { ++ /* ++ * Slot activation failed, PHB may be fenced from a ++ * prior device failure. ++ * ++ * Use the OPAL fundamental reset call to both try a ++ * device reset and clear any potentially active PHB ++ * fence / freeze. ++ */ ++ SLOT_WARN(php_slot, "Try %d...\n", i + 1); ++ pci_set_pcie_reset_state(php_slot->pdev, ++ pcie_warm_reset); ++ msleep(250); ++ pci_set_pcie_reset_state(php_slot->pdev, ++ pcie_deassert_reset); ++ ++ ret = pnv_php_set_slot_power_state( ++ slot, OPAL_PCI_SLOT_POWER_ON); ++ if (!ret) ++ break; ++ } ++ ++ if (i >= 3) ++ SLOT_WARN(php_slot, ++ "Failed to bring slot online, aborting!\n"); ++ } ++ ++ return ret; ++} ++ + static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan) + { + struct hotplug_slot *slot = &php_slot->slot; +@@ -531,7 +588,7 @@ static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan) + goto scan; + + /* Power is off, turn it on and then scan the slot */ +- ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON); ++ ret = pnv_php_activate_slot(php_slot, slot); + if (ret) + return ret; + +@@ -838,16 +895,63 @@ static int pnv_php_enable_msix(struct pnv_php_slot *php_slot) + return entry.vector; + } + ++static void ++pnv_php_detect_clear_suprise_removal_freeze(struct pnv_php_slot *php_slot) ++{ ++ struct pci_dev *pdev = php_slot->pdev; ++ struct eeh_dev *edev; ++ struct eeh_pe *pe; ++ int i, rc; ++ ++ /* ++ * When a device is surprise removed from a downstream bridge slot, ++ * the upstream bridge port can still end up frozen due to related EEH ++ * events, which will in turn block the MSI interrupts for slot hotplug ++ * detection. ++ * ++ * Detect and thaw any frozen upstream PE after slot deactivation. ++ */ ++ edev = pci_dev_to_eeh_dev(pdev); ++ pe = edev ? edev->pe : NULL; ++ rc = eeh_pe_get_state(pe); ++ if ((rc == -ENODEV) || (rc == -ENOENT)) { ++ SLOT_WARN( ++ php_slot, ++ "Upstream bridge PE state unknown, hotplug detect may fail\n"); ++ } else { ++ if (pe->state & EEH_PE_ISOLATED) { ++ SLOT_WARN( ++ php_slot, ++ "Upstream bridge PE %02x frozen, thawing...\n", ++ pe->addr); ++ for (i = 0; i < 3; i++) ++ if (!eeh_unfreeze_pe(pe)) ++ break; ++ if (i >= 3) ++ SLOT_WARN( ++ php_slot, ++ "Unable to thaw PE %02x, hotplug detect will fail!\n", ++ pe->addr); ++ else ++ SLOT_WARN(php_slot, ++ "PE %02x thawed successfully\n", ++ pe->addr); ++ } ++ } ++} ++ + static void pnv_php_event_handler(struct work_struct *work) + { + struct pnv_php_event *event = + container_of(work, struct pnv_php_event, work); + struct pnv_php_slot *php_slot = event->php_slot; + +- if (event->added) ++ if (event->added) { + pnv_php_enable_slot(&php_slot->slot); +- else ++ } else { + pnv_php_disable_slot(&php_slot->slot); ++ pnv_php_detect_clear_suprise_removal_freeze(php_slot); ++ } + + kfree(event); + } +-- +2.39.5 + diff --git a/queue-6.15/pci-pnv_php-work-around-switches-with-broken-presenc.patch b/queue-6.15/pci-pnv_php-work-around-switches-with-broken-presenc.patch new file mode 100644 index 0000000000..5257c489dd --- /dev/null +++ b/queue-6.15/pci-pnv_php-work-around-switches-with-broken-presenc.patch @@ -0,0 +1,77 @@ +From 226714b0bef049953b20f9d2fbb9f84385429cb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:36:55 -0500 +Subject: PCI: pnv_php: Work around switches with broken presence detection + +From: Timothy Pearson + +[ Upstream commit 80f9fc2362797538ebd4fd70a1dfa838cc2c2cdb ] + +The Microsemi Switchtec PM8533 PFX 48xG3 [11f8:8533] PCIe switch system +was observed to incorrectly assert the Presence Detect Set bit in its +capabilities when tested on a Raptor Computing Systems Blackbird system, +resulting in the hot insert path never attempting a rescan of the bus +and any downstream devices not being re-detected. + +Work around this by additionally checking whether the PCIe data link is +active or not when performing presence detection on downstream switches' +ports, similar to the pciehp_hpc.c driver. + +Signed-off-by: Shawn Anastasio +Signed-off-by: Timothy Pearson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/505981576.1359853.1752615415117.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pnv_php.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index 1304329ca6f7..5476c9e7760d 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -391,6 +391,20 @@ static int pnv_php_get_power_state(struct hotplug_slot *slot, u8 *state) + return 0; + } + ++static int pcie_check_link_active(struct pci_dev *pdev) ++{ ++ u16 lnk_status; ++ int ret; ++ ++ ret = pcie_capability_read_word(pdev, PCI_EXP_LNKSTA, &lnk_status); ++ if (ret == PCIBIOS_DEVICE_NOT_FOUND || PCI_POSSIBLE_ERROR(lnk_status)) ++ return -ENODEV; ++ ++ ret = !!(lnk_status & PCI_EXP_LNKSTA_DLLLA); ++ ++ return ret; ++} ++ + static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state) + { + struct pnv_php_slot *php_slot = to_pnv_php_slot(slot); +@@ -403,6 +417,19 @@ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state) + */ + ret = pnv_pci_get_presence_state(php_slot->id, &presence); + if (ret >= 0) { ++ if (pci_pcie_type(php_slot->pdev) == PCI_EXP_TYPE_DOWNSTREAM && ++ presence == OPAL_PCI_SLOT_EMPTY) { ++ /* ++ * Similar to pciehp_hpc, check whether the Link Active ++ * bit is set to account for broken downstream bridges ++ * that don't properly assert Presence Detect State, as ++ * was observed on the Microsemi Switchtec PM8533 PFX ++ * [11f8:8533]. ++ */ ++ if (pcie_check_link_active(php_slot->pdev) > 0) ++ presence = OPAL_PCI_SLOT_PRESENT; ++ } ++ + *state = presence; + ret = 0; + } else { +-- +2.39.5 + diff --git a/queue-6.15/pci-rockchip-host-fix-unexpected-completion-log-mess.patch b/queue-6.15/pci-rockchip-host-fix-unexpected-completion-log-mess.patch new file mode 100644 index 0000000000..f227107e9a --- /dev/null +++ b/queue-6.15/pci-rockchip-host-fix-unexpected-completion-log-mess.patch @@ -0,0 +1,41 @@ +From 0adcdaf333cbc5e88c8d8dcd5bc53e5fd27a84ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jun 2025 00:01:59 +0800 +Subject: PCI: rockchip-host: Fix "Unexpected Completion" log message + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit fcc5f586c4edbcc10de23fb9b8c0972a84e945cd ] + +Fix the debug message for the PCIE_CORE_INT_UCR interrupt to clearly +indicate "Unexpected Completion" instead of a duplicate "malformed TLP" +message. + +Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support") +Signed-off-by: Hans Zhang <18255117159@163.com> +[mani: added fixes tag] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Manivannan Sadhasivam +Acked-by: Shawn Lin +Link: https://patch.msgid.link/20250607160201.807043-2-18255117159@163.com +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-rockchip-host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pcie-rockchip-host.c b/drivers/pci/controller/pcie-rockchip-host.c +index 6a46be17aa91..2804980bab86 100644 +--- a/drivers/pci/controller/pcie-rockchip-host.c ++++ b/drivers/pci/controller/pcie-rockchip-host.c +@@ -439,7 +439,7 @@ static irqreturn_t rockchip_pcie_subsys_irq_handler(int irq, void *arg) + dev_dbg(dev, "malformed TLP received from the link\n"); + + if (sub_reg & PCIE_CORE_INT_UCR) +- dev_dbg(dev, "malformed TLP received from the link\n"); ++ dev_dbg(dev, "Unexpected Completion received from the link\n"); + + if (sub_reg & PCIE_CORE_INT_FCE) + dev_dbg(dev, "an error was observed in the flow control advertisements from the other side\n"); +-- +2.39.5 + diff --git a/queue-6.15/perf-dso-add-missed-dso__put-to-dso__load_kcore.patch b/queue-6.15/perf-dso-add-missed-dso__put-to-dso__load_kcore.patch new file mode 100644 index 0000000000..e22f71f756 --- /dev/null +++ b/queue-6.15/perf-dso-add-missed-dso__put-to-dso__load_kcore.patch @@ -0,0 +1,38 @@ +From 587a9b118231d4aaaa09c07000148b17335a019e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 12:03:21 -0700 +Subject: perf dso: Add missed dso__put to dso__load_kcore + +From: Ian Rogers + +[ Upstream commit 63a088e999de3f431f87d9a367933da894ddb613 ] + +The kcore loading creates a set of list nodes that have reference +counted references to maps of the kcore. The list node freeing in the +success path wasn't releasing the maps, add the missing puts. It is +unclear why this leak was being missed by leak sanitizer. + +Fixes: 83720209961f ("perf map: Move map list node into symbol") +Signed-off-by: Ian Rogers +Link: https://lore.kernel.org/r/20250624190326.2038704-2-irogers@google.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c +index 11540219481b..9c9e28bbb245 100644 +--- a/tools/perf/util/symbol.c ++++ b/tools/perf/util/symbol.c +@@ -1414,6 +1414,7 @@ static int dso__load_kcore(struct dso *dso, struct map *map, + goto out_err; + } + } ++ map__zput(new_node->map); + free(new_node); + } + +-- +2.39.5 + diff --git a/queue-6.15/perf-hwmon_pmu-avoid-shortening-hwmon-pmu-name.patch b/queue-6.15/perf-hwmon_pmu-avoid-shortening-hwmon-pmu-name.patch new file mode 100644 index 0000000000..01a9cc91d5 --- /dev/null +++ b/queue-6.15/perf-hwmon_pmu-avoid-shortening-hwmon-pmu-name.patch @@ -0,0 +1,39 @@ +From a73514c6725c403efb0a891b547e8bd57c68d089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:51:14 -0700 +Subject: perf hwmon_pmu: Avoid shortening hwmon PMU name + +From: Ian Rogers + +[ Upstream commit 28f5aa8184c9c9b8eab35fa3884c416fe75e88e4 ] + +Long names like ucsi_source_psy_USBC000:001 when prefixed with hwmon_ +exceed the buffer size and the last digit is lost. This causes +confusion with similar names like ucsi_source_psy_USBC000:002. Extend +the buffer size to avoid this. + +Fixes: 53cc0b351ec9 ("perf hwmon_pmu: Add a tool PMU exposing events from hwmon in sysfs") +Signed-off-by: Ian Rogers +Link: https://lore.kernel.org/r/20250710235126.1086011-2-irogers@google.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/hwmon_pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/hwmon_pmu.c b/tools/perf/util/hwmon_pmu.c +index 3cce77fc8004..cf7156c7e3bc 100644 +--- a/tools/perf/util/hwmon_pmu.c ++++ b/tools/perf/util/hwmon_pmu.c +@@ -344,7 +344,7 @@ static int hwmon_pmu__read_events(struct hwmon_pmu *pmu) + + struct perf_pmu *hwmon_pmu__new(struct list_head *pmus, int hwmon_dir, const char *sysfs_name, const char *name) + { +- char buf[32]; ++ char buf[64]; + struct hwmon_pmu *hwm; + + hwm = zalloc(sizeof(*hwm)); +-- +2.39.5 + diff --git a/queue-6.15/perf-parse-events-set-default-gh-modifier-properly.patch b/queue-6.15/perf-parse-events-set-default-gh-modifier-properly.patch new file mode 100644 index 0000000000..fb0a108fde --- /dev/null +++ b/queue-6.15/perf-parse-events-set-default-gh-modifier-properly.patch @@ -0,0 +1,82 @@ +From 48ebdf37e0b318478cfefea0ade169bc7f82dfa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 15:54:31 -0700 +Subject: perf parse-events: Set default GH modifier properly + +From: Namhyung Kim + +[ Upstream commit dcbe6e51a0bb80a40f9a8c87750c291c2364573d ] + +Commit 7b100989b4f6bce7 ("perf evlist: Remove __evlist__add_default") +changed to use "cycles:P" as a default event. But the problem is it +cannot set other default modifiers correctly. + +perf kvm needs to set attr.exclude_host by default but it didn't work +because of the logic in the parse_events__modifier_list(). Also the +exclude_GH_default was applied only if ":u" modifier was specified - +which is strange. Move it out after handling the ":GH" and check +perf_host and perf_guest properly. + +Before: + $ ./perf kvm record -vv true |& grep exclude + (nothing) + +But specifying an event (without a modifier) works: + + $ ./perf kvm record -vv -e cycles true |& grep exclude + exclude_host 1 + +After: +It now works for the both cases: + + $ ./perf kvm record -vv true |& grep exclude + exclude_host 1 + + $ ./perf kvm record -vv -e cycles true |& grep exclude + exclude_host 1 + +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250606225431.2109754-1-namhyung@kernel.org +Fixes: 35c8d21371e9b342 ("perf tools: Don't set attr.exclude_guest by default") +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/parse-events.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index 5152fd5a6ead..7ed3c3cadd6a 100644 +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -1733,13 +1733,11 @@ static int parse_events__modifier_list(struct parse_events_state *parse_state, + int eH = group ? evsel->core.attr.exclude_host : 0; + int eG = group ? evsel->core.attr.exclude_guest : 0; + int exclude = eu | ek | eh; +- int exclude_GH = group ? evsel->exclude_GH : 0; ++ int exclude_GH = eG | eH; + + if (mod.user) { + if (!exclude) + exclude = eu = ek = eh = 1; +- if (!exclude_GH && !perf_guest && exclude_GH_default) +- eG = 1; + eu = 0; + } + if (mod.kernel) { +@@ -1762,6 +1760,13 @@ static int parse_events__modifier_list(struct parse_events_state *parse_state, + exclude_GH = eG = eH = 1; + eH = 0; + } ++ if (!exclude_GH && exclude_GH_default) { ++ if (perf_host) ++ eG = 1; ++ else if (perf_guest) ++ eH = 1; ++ } ++ + evsel->core.attr.exclude_user = eu; + evsel->core.attr.exclude_kernel = ek; + evsel->core.attr.exclude_hv = eh; +-- +2.39.5 + diff --git a/queue-6.15/perf-record-cache-build-id-of-hit-dsos-only.patch b/queue-6.15/perf-record-cache-build-id-of-hit-dsos-only.patch new file mode 100644 index 0000000000..425dc3ed0b --- /dev/null +++ b/queue-6.15/perf-record-cache-build-id-of-hit-dsos-only.patch @@ -0,0 +1,43 @@ +From d9757e5e6bc0c748c3eefcb407c01e31c73c2dd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Jul 2025 00:03:30 -0700 +Subject: perf record: Cache build-ID of hit DSOs only + +From: Namhyung Kim + +[ Upstream commit 6235ce77749f45cac27f630337e2fdf04e8a6c73 ] + +It post-processes samples to find which DSO has samples. Based on that +info, it can save used DSOs in the build-ID cache directory. But for +some reason, it saves all DSOs without checking the hit mark. Skipping +unused DSOs can give some speedup especially with --buildid-mmap being +default. + +On my idle machine, `time perf record -a sleep 1` goes down from 3 sec +to 1.5 sec with this change. + +Fixes: e29386c8f7d71fa5 ("perf record: Add --buildid-mmap option to enable PERF_RECORD_MMAP2's build id") +Reviewed-by: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/r/20250731070330.57116-1-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/build-id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c +index e763e8d99a43..ee00313d5d7e 100644 +--- a/tools/perf/util/build-id.c ++++ b/tools/perf/util/build-id.c +@@ -864,7 +864,7 @@ static int dso__cache_build_id(struct dso *dso, struct machine *machine, + char *allocated_name = NULL; + int ret = 0; + +- if (!dso__has_build_id(dso)) ++ if (!dso__has_build_id(dso) || !dso__hit(dso)) + return 0; + + if (dso__is_kcore(dso)) { +-- +2.39.5 + diff --git a/queue-6.15/perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch b/queue-6.15/perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch new file mode 100644 index 0000000000..d465889873 --- /dev/null +++ b/queue-6.15/perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch @@ -0,0 +1,101 @@ +From a971eb75fc9c399ec21fc35ea78e7f63d2de4927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:49:39 -0700 +Subject: perf sched: Fix memory leaks for evsel->priv in timehist + +From: Namhyung Kim + +[ Upstream commit 117e5c33b1c44037af016d77ce6c0b086d55535f ] + +It uses evsel->priv to save per-cpu timing information. It should be +freed when the evsel is released. + +Add the priv destructor for evsel same as thread to handle that. + +Fixes: 49394a2a24c78ce0 ("perf sched timehist: Introduce timehist command") +Reviewed-by: Ian Rogers +Tested-by: Ian Rogers +Link: https://lore.kernel.org/r/20250703014942.1369397-6-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 12 ++++++++++++ + tools/perf/util/evsel.c | 11 +++++++++++ + tools/perf/util/evsel.h | 2 ++ + 3 files changed, 25 insertions(+) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 83b5a85a91b7..a6eb0462dd5b 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -2020,6 +2020,16 @@ static u64 evsel__get_time(struct evsel *evsel, u32 cpu) + return r->last_time[cpu]; + } + ++static void timehist__evsel_priv_destructor(void *priv) ++{ ++ struct evsel_runtime *r = priv; ++ ++ if (r) { ++ free(r->last_time); ++ free(r); ++ } ++} ++ + static int comm_width = 30; + + static char *timehist_get_commstr(struct thread *thread) +@@ -3314,6 +3324,8 @@ static int perf_sched__timehist(struct perf_sched *sched) + + setup_pager(); + ++ evsel__set_priv_destructor(timehist__evsel_priv_destructor); ++ + /* prefer sched_waking if it is captured */ + if (evlist__find_tracepoint_by_name(session->evlist, "sched:sched_waking")) + handlers[1].handler = timehist_sched_wakeup_ignore; +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index 3c030da2e477..08fd9b9afcf8 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1652,6 +1652,15 @@ static void evsel__free_config_terms(struct evsel *evsel) + free_config_terms(&evsel->config_terms); + } + ++static void (*evsel__priv_destructor)(void *priv); ++ ++void evsel__set_priv_destructor(void (*destructor)(void *priv)) ++{ ++ assert(evsel__priv_destructor == NULL); ++ ++ evsel__priv_destructor = destructor; ++} ++ + void evsel__exit(struct evsel *evsel) + { + assert(list_empty(&evsel->core.node)); +@@ -1680,6 +1689,8 @@ void evsel__exit(struct evsel *evsel) + hashmap__free(evsel->per_pkg_mask); + evsel->per_pkg_mask = NULL; + zfree(&evsel->metric_events); ++ if (evsel__priv_destructor) ++ evsel__priv_destructor(evsel->priv); + perf_evsel__object.fini(evsel); + if (evsel__tool_event(evsel) == TOOL_PMU__EVENT_SYSTEM_TIME || + evsel__tool_event(evsel) == TOOL_PMU__EVENT_USER_TIME) +diff --git a/tools/perf/util/evsel.h b/tools/perf/util/evsel.h +index aae431d63d64..b7f8b29f30ea 100644 +--- a/tools/perf/util/evsel.h ++++ b/tools/perf/util/evsel.h +@@ -270,6 +270,8 @@ void evsel__init(struct evsel *evsel, struct perf_event_attr *attr, int idx); + void evsel__exit(struct evsel *evsel); + void evsel__delete(struct evsel *evsel); + ++void evsel__set_priv_destructor(void (*destructor)(void *priv)); ++ + struct callchain_param; + + void evsel__config(struct evsel *evsel, struct record_opts *opts, +-- +2.39.5 + diff --git a/queue-6.15/perf-sched-fix-memory-leaks-in-perf-sched-latency.patch b/queue-6.15/perf-sched-fix-memory-leaks-in-perf-sched-latency.patch new file mode 100644 index 0000000000..8621ae9f14 --- /dev/null +++ b/queue-6.15/perf-sched-fix-memory-leaks-in-perf-sched-latency.patch @@ -0,0 +1,90 @@ +From 71b5346b6b4e67a86be68fbbcd7d3d3841271957 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:49:41 -0700 +Subject: perf sched: Fix memory leaks in 'perf sched latency' + +From: Namhyung Kim + +[ Upstream commit e68b1c0098b959cb88afce5c93dd6a9324e6da78 ] + +The work_atoms should be freed after use. Add free_work_atoms() to +make sure to release all. It should use list_splice_init() when merging +atoms to prevent accessing invalid pointers. + +Fixes: b1ffe8f3e0c96f552 ("perf sched: Finish latency => atom rename and misc cleanups") +Reviewed-by: Ian Rogers +Tested-by: Ian Rogers +Link: https://lore.kernel.org/r/20250703014942.1369397-8-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 087d4eaba5f7..4bbebd6ef2e4 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -1111,6 +1111,21 @@ add_sched_in_event(struct work_atoms *atoms, u64 timestamp) + atoms->nb_atoms++; + } + ++static void free_work_atoms(struct work_atoms *atoms) ++{ ++ struct work_atom *atom, *tmp; ++ ++ if (atoms == NULL) ++ return; ++ ++ list_for_each_entry_safe(atom, tmp, &atoms->work_list, list) { ++ list_del(&atom->list); ++ free(atom); ++ } ++ thread__zput(atoms->thread); ++ free(atoms); ++} ++ + static int latency_switch_event(struct perf_sched *sched, + struct evsel *evsel, + struct perf_sample *sample, +@@ -3426,13 +3441,13 @@ static void __merge_work_atoms(struct rb_root_cached *root, struct work_atoms *d + this->total_runtime += data->total_runtime; + this->nb_atoms += data->nb_atoms; + this->total_lat += data->total_lat; +- list_splice(&data->work_list, &this->work_list); ++ list_splice_init(&data->work_list, &this->work_list); + if (this->max_lat < data->max_lat) { + this->max_lat = data->max_lat; + this->max_lat_start = data->max_lat_start; + this->max_lat_end = data->max_lat_end; + } +- zfree(&data); ++ free_work_atoms(data); + return; + } + } +@@ -3511,7 +3526,6 @@ static int perf_sched__lat(struct perf_sched *sched) + work_list = rb_entry(next, struct work_atoms, node); + output_lat_thread(sched, work_list); + next = rb_next(next); +- thread__zput(work_list->thread); + } + + printf(" -----------------------------------------------------------------------------------------------------------------\n"); +@@ -3525,6 +3539,13 @@ static int perf_sched__lat(struct perf_sched *sched) + + rc = 0; + ++ while ((next = rb_first_cached(&sched->sorted_atom_root))) { ++ struct work_atoms *data; ++ ++ data = rb_entry(next, struct work_atoms, node); ++ rb_erase_cached(next, &sched->sorted_atom_root); ++ free_work_atoms(data); ++ } + out_free_cpus_switch_event: + free_cpus_switch_event(sched); + return rc; +-- +2.39.5 + diff --git a/queue-6.15/perf-sched-fix-memory-leaks-in-perf-sched-map.patch b/queue-6.15/perf-sched-fix-memory-leaks-in-perf-sched-map.patch new file mode 100644 index 0000000000..d2e0b9ef58 --- /dev/null +++ b/queue-6.15/perf-sched-fix-memory-leaks-in-perf-sched-map.patch @@ -0,0 +1,106 @@ +From cce253ac946dcf4d0fc11676b9699bab2d7b2f5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:49:37 -0700 +Subject: perf sched: Fix memory leaks in 'perf sched map' + +From: Namhyung Kim + +[ Upstream commit dc3a80c98884d86389b3b572c50ccc7f502cd41b ] + +It maintains per-cpu pointers for the current thread but it doesn't +release the refcounts. + +Fixes: 5e895278697c014e ("perf sched: Move curr_thread initialization to perf_sched__map()") +Reviewed-by: Ian Rogers +Tested-by: Ian Rogers +Link: https://lore.kernel.org/r/20250703014942.1369397-4-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index fa4052e04020..b73989fb6ace 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -1634,6 +1634,7 @@ static int map_switch_event(struct perf_sched *sched, struct evsel *evsel, + const char *color = PERF_COLOR_NORMAL; + char stimestamp[32]; + const char *str; ++ int ret = -1; + + BUG_ON(this_cpu.cpu >= MAX_CPUS || this_cpu.cpu < 0); + +@@ -1664,17 +1665,20 @@ static int map_switch_event(struct perf_sched *sched, struct evsel *evsel, + sched_in = map__findnew_thread(sched, machine, -1, next_pid); + sched_out = map__findnew_thread(sched, machine, -1, prev_pid); + if (sched_in == NULL || sched_out == NULL) +- return -1; ++ goto out; + + tr = thread__get_runtime(sched_in); +- if (tr == NULL) { +- thread__put(sched_in); +- return -1; +- } ++ if (tr == NULL) ++ goto out; ++ ++ thread__put(sched->curr_thread[this_cpu.cpu]); ++ thread__put(sched->curr_out_thread[this_cpu.cpu]); + + sched->curr_thread[this_cpu.cpu] = thread__get(sched_in); + sched->curr_out_thread[this_cpu.cpu] = thread__get(sched_out); + ++ ret = 0; ++ + str = thread__comm_str(sched_in); + new_shortname = 0; + if (!tr->shortname[0]) { +@@ -1769,12 +1773,10 @@ static int map_switch_event(struct perf_sched *sched, struct evsel *evsel, + color_fprintf(stdout, color, "\n"); + + out: +- if (sched->map.task_name) +- thread__put(sched_out); +- ++ thread__put(sched_out); + thread__put(sched_in); + +- return 0; ++ return ret; + } + + static int process_sched_switch_event(const struct perf_tool *tool, +@@ -3556,10 +3558,10 @@ static int perf_sched__map(struct perf_sched *sched) + + sched->curr_out_thread = calloc(MAX_CPUS, sizeof(*(sched->curr_out_thread))); + if (!sched->curr_out_thread) +- return rc; ++ goto out_free_curr_thread; + + if (setup_cpus_switch_event(sched)) +- goto out_free_curr_thread; ++ goto out_free_curr_out_thread; + + if (setup_map_cpus(sched)) + goto out_free_cpus_switch_event; +@@ -3590,7 +3592,14 @@ static int perf_sched__map(struct perf_sched *sched) + out_free_cpus_switch_event: + free_cpus_switch_event(sched); + ++out_free_curr_out_thread: ++ for (int i = 0; i < MAX_CPUS; i++) ++ thread__put(sched->curr_out_thread[i]); ++ zfree(&sched->curr_out_thread); ++ + out_free_curr_thread: ++ for (int i = 0; i < MAX_CPUS; i++) ++ thread__put(sched->curr_thread[i]); + zfree(&sched->curr_thread); + return rc; + } +-- +2.39.5 + diff --git a/queue-6.15/perf-sched-fix-thread-leaks-in-perf-sched-timehist.patch b/queue-6.15/perf-sched-fix-thread-leaks-in-perf-sched-timehist.patch new file mode 100644 index 0000000000..cf845eb81e --- /dev/null +++ b/queue-6.15/perf-sched-fix-thread-leaks-in-perf-sched-timehist.patch @@ -0,0 +1,198 @@ +From 41b4a1a4606221b7ef98979d65712e26d442611a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:49:38 -0700 +Subject: perf sched: Fix thread leaks in 'perf sched timehist' + +From: Namhyung Kim + +[ Upstream commit e2eb59260c4f6bac403491d0112891766b8650d1 ] + +Add missing thread__put() after machine__findnew_thread() or +timehist_get_thread(). Also idle threads' last_thread should be +refcounted properly. + +Fixes: 699b5b920db04a6f ("perf sched timehist: Save callchain when entering idle") +Reviewed-by: Ian Rogers +Tested-by: Ian Rogers +Link: https://lore.kernel.org/r/20250703014942.1369397-5-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 48 +++++++++++++++++++++++++++++--------- + 1 file changed, 37 insertions(+), 11 deletions(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index b73989fb6ace..83b5a85a91b7 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -2313,8 +2313,10 @@ static void save_task_callchain(struct perf_sched *sched, + return; + } + +- if (!sched->show_callchain || sample->callchain == NULL) ++ if (!sched->show_callchain || sample->callchain == NULL) { ++ thread__put(thread); + return; ++ } + + cursor = get_tls_callchain_cursor(); + +@@ -2323,10 +2325,12 @@ static void save_task_callchain(struct perf_sched *sched, + if (verbose > 0) + pr_err("Failed to resolve callchain. Skipping\n"); + ++ thread__put(thread); + return; + } + + callchain_cursor_commit(cursor); ++ thread__put(thread); + + while (true) { + struct callchain_cursor_node *node; +@@ -2403,8 +2407,17 @@ static void free_idle_threads(void) + return; + + for (i = 0; i < idle_max_cpu; ++i) { +- if ((idle_threads[i])) +- thread__delete(idle_threads[i]); ++ struct thread *idle = idle_threads[i]; ++ ++ if (idle) { ++ struct idle_thread_runtime *itr; ++ ++ itr = thread__priv(idle); ++ if (itr) ++ thread__put(itr->last_thread); ++ ++ thread__delete(idle); ++ } + } + + free(idle_threads); +@@ -2441,7 +2454,7 @@ static struct thread *get_idle_thread(int cpu) + } + } + +- return idle_threads[cpu]; ++ return thread__get(idle_threads[cpu]); + } + + static void save_idle_callchain(struct perf_sched *sched, +@@ -2496,7 +2509,8 @@ static struct thread *timehist_get_thread(struct perf_sched *sched, + if (itr == NULL) + return NULL; + +- itr->last_thread = thread; ++ thread__put(itr->last_thread); ++ itr->last_thread = thread__get(thread); + + /* copy task callchain when entering to idle */ + if (evsel__intval(evsel, sample, "next_pid") == 0) +@@ -2567,6 +2581,7 @@ static void timehist_print_wakeup_event(struct perf_sched *sched, + /* show wakeup unless both awakee and awaker are filtered */ + if (timehist_skip_sample(sched, thread, evsel, sample) && + timehist_skip_sample(sched, awakened, evsel, sample)) { ++ thread__put(thread); + return; + } + +@@ -2583,6 +2598,8 @@ static void timehist_print_wakeup_event(struct perf_sched *sched, + printf("awakened: %s", timehist_get_commstr(awakened)); + + printf("\n"); ++ ++ thread__put(thread); + } + + static int timehist_sched_wakeup_ignore(const struct perf_tool *tool __maybe_unused, +@@ -2611,8 +2628,10 @@ static int timehist_sched_wakeup_event(const struct perf_tool *tool, + return -1; + + tr = thread__get_runtime(thread); +- if (tr == NULL) ++ if (tr == NULL) { ++ thread__put(thread); + return -1; ++ } + + if (tr->ready_to_run == 0) + tr->ready_to_run = sample->time; +@@ -2622,6 +2641,7 @@ static int timehist_sched_wakeup_event(const struct perf_tool *tool, + !perf_time__skip_sample(&sched->ptime, sample->time)) + timehist_print_wakeup_event(sched, evsel, sample, machine, thread); + ++ thread__put(thread); + return 0; + } + +@@ -2649,6 +2669,7 @@ static void timehist_print_migration_event(struct perf_sched *sched, + + if (timehist_skip_sample(sched, thread, evsel, sample) && + timehist_skip_sample(sched, migrated, evsel, sample)) { ++ thread__put(thread); + return; + } + +@@ -2676,6 +2697,7 @@ static void timehist_print_migration_event(struct perf_sched *sched, + printf(" cpu %d => %d", ocpu, dcpu); + + printf("\n"); ++ thread__put(thread); + } + + static int timehist_migrate_task_event(const struct perf_tool *tool, +@@ -2695,8 +2717,10 @@ static int timehist_migrate_task_event(const struct perf_tool *tool, + return -1; + + tr = thread__get_runtime(thread); +- if (tr == NULL) ++ if (tr == NULL) { ++ thread__put(thread); + return -1; ++ } + + tr->migrations++; + tr->migrated = sample->time; +@@ -2706,6 +2730,7 @@ static int timehist_migrate_task_event(const struct perf_tool *tool, + timehist_print_migration_event(sched, evsel, sample, + machine, thread); + } ++ thread__put(thread); + + return 0; + } +@@ -2728,10 +2753,10 @@ static void timehist_update_task_prio(struct evsel *evsel, + return; + + tr = thread__get_runtime(thread); +- if (tr == NULL) +- return; ++ if (tr != NULL) ++ tr->prio = next_prio; + +- tr->prio = next_prio; ++ thread__put(thread); + } + + static int timehist_sched_change_event(const struct perf_tool *tool, +@@ -2743,7 +2768,7 @@ static int timehist_sched_change_event(const struct perf_tool *tool, + struct perf_sched *sched = container_of(tool, struct perf_sched, tool); + struct perf_time_interval *ptime = &sched->ptime; + struct addr_location al; +- struct thread *thread; ++ struct thread *thread = NULL; + struct thread_runtime *tr = NULL; + u64 tprev, t = sample->time; + int rc = 0; +@@ -2867,6 +2892,7 @@ static int timehist_sched_change_event(const struct perf_tool *tool, + + evsel__save_time(evsel, sample->time, sample->cpu); + ++ thread__put(thread); + addr_location__exit(&al); + return rc; + } +-- +2.39.5 + diff --git a/queue-6.15/perf-sched-free-thread-priv-using-priv_destructor.patch b/queue-6.15/perf-sched-free-thread-priv-using-priv_destructor.patch new file mode 100644 index 0000000000..095cbdb24d --- /dev/null +++ b/queue-6.15/perf-sched-free-thread-priv-using-priv_destructor.patch @@ -0,0 +1,40 @@ +From 36e1f9a0e4bca73bdb4de891f02a052af74d693a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:49:36 -0700 +Subject: perf sched: Free thread->priv using priv_destructor + +From: Namhyung Kim + +[ Upstream commit aa9fdd106bab8c478d37eba5703c0950ad5c0d4f ] + +In many perf sched subcommand saves priv data structure in the thread +but it forgot to free them. As it's an opaque type with 'void *', it +needs to register that knows how to free the data. In this case, just +regular 'free()' is fine. + +Fixes: 04cb4fc4d40a5bf1 ("perf thread: Allow tools to register a thread->priv destructor") +Reviewed-by: Ian Rogers +Tested-by: Ian Rogers +Link: https://lore.kernel.org/r/20250703014942.1369397-3-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index b7bbfad0ed60..fa4052e04020 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -3898,6 +3898,8 @@ int cmd_sched(int argc, const char **argv) + if (!argc) + usage_with_options(sched_usage, sched_options); + ++ thread__set_priv_destructor(free); ++ + /* + * Aliased to 'perf script' for now: + */ +-- +2.39.5 + diff --git a/queue-6.15/perf-sched-make-sure-it-frees-the-usage-string.patch b/queue-6.15/perf-sched-make-sure-it-frees-the-usage-string.patch new file mode 100644 index 0000000000..1c2e256b92 --- /dev/null +++ b/queue-6.15/perf-sched-make-sure-it-frees-the-usage-string.patch @@ -0,0 +1,103 @@ +From f44cb4fa971807dd98068cdd888bcbbe60b83095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:49:35 -0700 +Subject: perf sched: Make sure it frees the usage string + +From: Namhyung Kim + +[ Upstream commit 10d9b89203765fb776512742c13af8dd92821842 ] + +The parse_options_subcommand() allocates the usage string based on the +given subcommands. So it should reach the end of the function to free +the string to prevent memory leaks. + +Fixes: 1a5efc9e13f357ab ("libsubcmd: Don't free the usage string") +Reviewed-by: Ian Rogers +Tested-by: Ian Rogers +Link: https://lore.kernel.org/r/20250703014942.1369397-2-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 26ece6e9bfd1..b7bbfad0ed60 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -3902,9 +3902,9 @@ int cmd_sched(int argc, const char **argv) + * Aliased to 'perf script' for now: + */ + if (!strcmp(argv[0], "script")) { +- return cmd_script(argc, argv); ++ ret = cmd_script(argc, argv); + } else if (strlen(argv[0]) > 2 && strstarts("record", argv[0])) { +- return __cmd_record(argc, argv); ++ ret = __cmd_record(argc, argv); + } else if (strlen(argv[0]) > 2 && strstarts("latency", argv[0])) { + sched.tp_handler = &lat_ops; + if (argc > 1) { +@@ -3913,7 +3913,7 @@ int cmd_sched(int argc, const char **argv) + usage_with_options(latency_usage, latency_options); + } + setup_sorting(&sched, latency_options, latency_usage); +- return perf_sched__lat(&sched); ++ ret = perf_sched__lat(&sched); + } else if (!strcmp(argv[0], "map")) { + if (argc) { + argc = parse_options(argc, argv, map_options, map_usage, 0); +@@ -3924,13 +3924,14 @@ int cmd_sched(int argc, const char **argv) + sched.map.task_names = strlist__new(sched.map.task_name, NULL); + if (sched.map.task_names == NULL) { + fprintf(stderr, "Failed to parse task names\n"); +- return -1; ++ ret = -1; ++ goto out; + } + } + } + sched.tp_handler = &map_ops; + setup_sorting(&sched, latency_options, latency_usage); +- return perf_sched__map(&sched); ++ ret = perf_sched__map(&sched); + } else if (strlen(argv[0]) > 2 && strstarts("replay", argv[0])) { + sched.tp_handler = &replay_ops; + if (argc) { +@@ -3938,7 +3939,7 @@ int cmd_sched(int argc, const char **argv) + if (argc) + usage_with_options(replay_usage, replay_options); + } +- return perf_sched__replay(&sched); ++ ret = perf_sched__replay(&sched); + } else if (!strcmp(argv[0], "timehist")) { + if (argc) { + argc = parse_options(argc, argv, timehist_options, +@@ -3954,19 +3955,19 @@ int cmd_sched(int argc, const char **argv) + parse_options_usage(NULL, timehist_options, "w", true); + if (sched.show_next) + parse_options_usage(NULL, timehist_options, "n", true); +- return -EINVAL; ++ ret = -EINVAL; ++ goto out; + } + ret = symbol__validate_sym_arguments(); +- if (ret) +- return ret; +- +- return perf_sched__timehist(&sched); ++ if (!ret) ++ ret = perf_sched__timehist(&sched); + } else { + usage_with_options(sched_usage, sched_options); + } + ++out: + /* free usage string allocated by parse_options_subcommand */ + free((void *)sched_usage[0]); + +- return 0; ++ return ret; + } +-- +2.39.5 + diff --git a/queue-6.15/perf-sched-use-rc_chk_equal-to-compare-pointers.patch b/queue-6.15/perf-sched-use-rc_chk_equal-to-compare-pointers.patch new file mode 100644 index 0000000000..0b6df78862 --- /dev/null +++ b/queue-6.15/perf-sched-use-rc_chk_equal-to-compare-pointers.patch @@ -0,0 +1,38 @@ +From f6ad116988243f7f0f685b82984741f12a78d62c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:49:40 -0700 +Subject: perf sched: Use RC_CHK_EQUAL() to compare pointers + +From: Namhyung Kim + +[ Upstream commit 7a4002ec9e0fced907179da94f67c3082d7b4162 ] + +So that it can check two pointers to the same object properly when +REFCNT_CHECKING is on. + +Fixes: 78c32f4cb12f9430 ("libperf rc_check: Add RC_CHK_EQUAL") +Reviewed-by: Ian Rogers +Tested-by: Ian Rogers +Link: https://lore.kernel.org/r/20250703014942.1369397-7-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index a6eb0462dd5b..087d4eaba5f7 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -994,7 +994,7 @@ thread_atoms_search(struct rb_root_cached *root, struct thread *thread, + else if (cmp < 0) + node = node->rb_right; + else { +- BUG_ON(thread != atoms->thread); ++ BUG_ON(!RC_CHK_EQUAL(thread, atoms->thread)); + return atoms; + } + } +-- +2.39.5 + diff --git a/queue-6.15/perf-tests-bp_account-fix-leaked-file-descriptor.patch b/queue-6.15/perf-tests-bp_account-fix-leaked-file-descriptor.patch new file mode 100644 index 0000000000..876d9cd716 --- /dev/null +++ b/queue-6.15/perf-tests-bp_account-fix-leaked-file-descriptor.patch @@ -0,0 +1,57 @@ +From 891d03e982e8b12f9e81ab9ba0ee7c9b4c4afa58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 12:10:15 +0100 +Subject: perf tests bp_account: Fix leaked file descriptor + +From: Leo Yan + +[ Upstream commit 4a6cdecaa1497f1fbbd1d5307a225b6ca5a62a90 ] + +Since the commit e9846f5ead26 ("perf test: In forked mode add check that +fds aren't leaked"), the test "Breakpoint accounting" reports the error: + + # perf test -vvv "Breakpoint accounting" + 20: Breakpoint accounting: + --- start --- + test child forked, pid 373 + failed opening event 0 + failed opening event 0 + watchpoints count 4, breakpoints count 6, has_ioctl 1, share 0 + wp 0 created + wp 1 created + wp 2 created + wp 3 created + wp 0 modified to bp + wp max created + ---- end(0) ---- + Leak of file descriptor 7 that opened: 'anon_inode:[perf_event]' + +A watchpoint's file descriptor was not properly released. This patch +fixes the leak. + +Fixes: 032db28e5fa3 ("perf tests: Add breakpoint accounting/modify test") +Reported-by: Aishwarya TCV +Signed-off-by: Leo Yan +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250711-perf_fix_breakpoint_accounting-v1-1-b314393023f9@arm.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/tests/bp_account.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/bp_account.c b/tools/perf/tests/bp_account.c +index 4cb7d486b5c1..047433c977bc 100644 +--- a/tools/perf/tests/bp_account.c ++++ b/tools/perf/tests/bp_account.c +@@ -104,6 +104,7 @@ static int bp_accounting(int wp_cnt, int share) + fd_wp = wp_event((void *)&the_var, &attr_new); + TEST_ASSERT_VAL("failed to create max wp\n", fd_wp != -1); + pr_debug("wp max created\n"); ++ close(fd_wp); + } + + for (i = 0; i < wp_cnt; i++) +-- +2.39.5 + diff --git a/queue-6.15/perf-tools-fix-use-after-free-in-help_unknown_cmd.patch b/queue-6.15/perf-tools-fix-use-after-free-in-help_unknown_cmd.patch new file mode 100644 index 0000000000..0dae378a04 --- /dev/null +++ b/queue-6.15/perf-tools-fix-use-after-free-in-help_unknown_cmd.patch @@ -0,0 +1,99 @@ +From 45a8b66425dcd02a52934db8d6863fee61a1a9e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 13:10:27 -0700 +Subject: perf tools: Fix use-after-free in help_unknown_cmd() + +From: Namhyung Kim + +[ Upstream commit 1fdf938168c4d26fa279d4f204768690d1f9c4ae ] + +Currently perf aborts when it finds an invalid command. I guess it +depends on the environment as I have some custom commands in the path. + + $ perf bad-command + perf: 'bad-command' is not a perf-command. See 'perf --help'. + Aborted (core dumped) + +It's because the exclude_cmds() in libsubcmd has a use-after-free when +it removes some entries. After copying one to another entry, it keeps +the pointer in the both position. And the next copy operation will free +the later one but it's the same entry in the previous one. + +For example, let's say cmds = { A, B, C, D, E } and excludes = { B, E }. + + ci cj ei cmds-name excludes + -----------+-------------------- + 0 0 0 | A B : cmp < 0, ci == cj + 1 1 0 | B B : cmp == 0 + 2 1 1 | C E : cmp < 0, ci != cj + +At this point, it frees cmds->names[1] and cmds->names[1] is assigned to +cmds->names[2]. + + 3 2 1 | D E : cmp < 0, ci != cj + +Now it frees cmds->names[2] but it's the same as cmds->names[1]. So +accessing cmds->names[1] will be invalid. + +This makes the subcmd tests succeed. + + $ perf test subcmd + 69: libsubcmd help tests : + 69.1: Load subcmd names : Ok + 69.2: Uniquify subcmd names : Ok + 69.3: Exclude duplicate subcmd names : Ok + +Fixes: 4b96679170c6 ("libsubcmd: Avoid SEGV/use-after-free when commands aren't excluded") +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250701201027.1171561-3-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/lib/subcmd/help.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/tools/lib/subcmd/help.c b/tools/lib/subcmd/help.c +index 8561b0f01a24..9ef569492560 100644 +--- a/tools/lib/subcmd/help.c ++++ b/tools/lib/subcmd/help.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include "subcmd-util.h" + #include "help.h" + #include "exec-cmd.h" +@@ -82,10 +83,11 @@ void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes) + ci++; + cj++; + } else { +- zfree(&cmds->names[cj]); +- cmds->names[cj++] = cmds->names[ci++]; ++ cmds->names[cj++] = cmds->names[ci]; ++ cmds->names[ci++] = NULL; + } + } else if (cmp == 0) { ++ zfree(&cmds->names[ci]); + ci++; + ei++; + } else if (cmp > 0) { +@@ -94,12 +96,12 @@ void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes) + } + if (ci != cj) { + while (ci < cmds->cnt) { +- zfree(&cmds->names[cj]); +- cmds->names[cj++] = cmds->names[ci++]; ++ cmds->names[cj++] = cmds->names[ci]; ++ cmds->names[ci++] = NULL; + } + } + for (ci = cj; ci < cmds->cnt; ci++) +- zfree(&cmds->names[ci]); ++ assert(cmds->names[ci] == NULL); + cmds->cnt = cj; + } + +-- +2.39.5 + diff --git a/queue-6.15/perf-tools-remove-libtraceevent-in-.gitignore.patch b/queue-6.15/perf-tools-remove-libtraceevent-in-.gitignore.patch new file mode 100644 index 0000000000..51faeda534 --- /dev/null +++ b/queue-6.15/perf-tools-remove-libtraceevent-in-.gitignore.patch @@ -0,0 +1,37 @@ +From f50771891d84c7b5d976a2ff7598f3ea7868cfe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Jul 2025 19:15:32 +0800 +Subject: perf tools: Remove libtraceevent in .gitignore + +From: Chen Pei + +[ Upstream commit af470fb532fc803c4c582d15b4bd394682a77a15 ] + +The libtraceevent has been removed from the source tree, and .gitignore +needs to be updated as well. + +Fixes: 4171925aa9f3f7bf ("tools lib traceevent: Remove libtraceevent") +Signed-off-by: Chen Pei +Link: https://lore.kernel.org/r/20250726111532.8031-1-cp0613@linux.alibaba.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/.gitignore | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tools/perf/.gitignore b/tools/perf/.gitignore +index 5aaf73df6700..b64302a76144 100644 +--- a/tools/perf/.gitignore ++++ b/tools/perf/.gitignore +@@ -48,8 +48,6 @@ libbpf/ + libperf/ + libsubcmd/ + libsymbol/ +-libtraceevent/ +-libtraceevent_plugins/ + fixdep + Documentation/doc.dep + python_ext_build/ +-- +2.39.5 + diff --git a/queue-6.15/phy-qualcomm-phy-qcom-eusb2-repeater-don-t-zero-out-.patch b/queue-6.15/phy-qualcomm-phy-qcom-eusb2-repeater-don-t-zero-out-.patch new file mode 100644 index 0000000000..c176f915b6 --- /dev/null +++ b/queue-6.15/phy-qualcomm-phy-qcom-eusb2-repeater-don-t-zero-out-.patch @@ -0,0 +1,160 @@ +From f0069f37bf3118789b5644a13fb4f90735ef7245 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 10:26:36 +0200 +Subject: phy: qualcomm: phy-qcom-eusb2-repeater: Don't zero-out registers + +From: Luca Weiss + +[ Upstream commit 31bc94de76026c527f82c238f414539a14f0f3e6 ] + +Zeroing out registers does not happen in the downstream kernel, and will +"tune" the repeater in surely unexpected ways since most registers don't +have a reset value of 0x0. + +Stop doing that and instead just set the registers that are in the init +sequence (though long term I don't think there's actually PMIC-specific +init sequences, there's board specific tuning, but that's a story for +another day). + +Fixes: 99a517a582fc ("phy: qualcomm: phy-qcom-eusb2-repeater: Zero out untouched tuning regs") +Reviewed-by: Konrad Dybcio +Reviewed-by: Neil Armstrong +Signed-off-by: Luca Weiss +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20250617-eusb2-repeater-tuning-v2-2-ed6c484f18ee@fairphone.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + .../phy/qualcomm/phy-qcom-eusb2-repeater.c | 87 +++++++------------ + 1 file changed, 32 insertions(+), 55 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c +index 6bd1b3c75c77..d7493c2294ef 100644 +--- a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c ++++ b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c +@@ -37,32 +37,13 @@ + #define EUSB2_TUNE_EUSB_EQU 0x5A + #define EUSB2_TUNE_EUSB_HS_COMP_CUR 0x5B + +-enum eusb2_reg_layout { +- TUNE_EUSB_HS_COMP_CUR, +- TUNE_EUSB_EQU, +- TUNE_EUSB_SLEW, +- TUNE_USB2_HS_COMP_CUR, +- TUNE_USB2_PREEM, +- TUNE_USB2_EQU, +- TUNE_USB2_SLEW, +- TUNE_SQUELCH_U, +- TUNE_HSDISC, +- TUNE_RES_FSDIF, +- TUNE_IUSB2, +- TUNE_USB2_CROSSOVER, +- NUM_TUNE_FIELDS, +- +- FORCE_VAL_5 = NUM_TUNE_FIELDS, +- FORCE_EN_5, +- +- EN_CTL1, +- +- RPTR_STATUS, +- LAYOUT_SIZE, ++struct eusb2_repeater_init_tbl_reg { ++ unsigned int reg; ++ unsigned int value; + }; + + struct eusb2_repeater_cfg { +- const u32 *init_tbl; ++ const struct eusb2_repeater_init_tbl_reg *init_tbl; + int init_tbl_num; + const char * const *vreg_list; + int num_vregs; +@@ -82,16 +63,16 @@ static const char * const pm8550b_vreg_l[] = { + "vdd18", "vdd3", + }; + +-static const u32 pm8550b_init_tbl[NUM_TUNE_FIELDS] = { +- [TUNE_IUSB2] = 0x8, +- [TUNE_SQUELCH_U] = 0x3, +- [TUNE_USB2_PREEM] = 0x5, ++static const struct eusb2_repeater_init_tbl_reg pm8550b_init_tbl[] = { ++ { EUSB2_TUNE_IUSB2, 0x8 }, ++ { EUSB2_TUNE_SQUELCH_U, 0x3 }, ++ { EUSB2_TUNE_USB2_PREEM, 0x5 }, + }; + +-static const u32 smb2360_init_tbl[NUM_TUNE_FIELDS] = { +- [TUNE_IUSB2] = 0x5, +- [TUNE_SQUELCH_U] = 0x3, +- [TUNE_USB2_PREEM] = 0x2, ++static const struct eusb2_repeater_init_tbl_reg smb2360_init_tbl[] = { ++ { EUSB2_TUNE_IUSB2, 0x5 }, ++ { EUSB2_TUNE_SQUELCH_U, 0x3 }, ++ { EUSB2_TUNE_USB2_PREEM, 0x2 }, + }; + + static const struct eusb2_repeater_cfg pm8550b_eusb2_cfg = { +@@ -129,17 +110,10 @@ static int eusb2_repeater_init(struct phy *phy) + struct eusb2_repeater *rptr = phy_get_drvdata(phy); + struct device_node *np = rptr->dev->of_node; + struct regmap *regmap = rptr->regmap; +- const u32 *init_tbl = rptr->cfg->init_tbl; +- u8 tune_usb2_preem = init_tbl[TUNE_USB2_PREEM]; +- u8 tune_hsdisc = init_tbl[TUNE_HSDISC]; +- u8 tune_iusb2 = init_tbl[TUNE_IUSB2]; + u32 base = rptr->base; +- u32 val; ++ u32 poll_val; + int ret; +- +- of_property_read_u8(np, "qcom,tune-usb2-amplitude", &tune_iusb2); +- of_property_read_u8(np, "qcom,tune-usb2-disc-thres", &tune_hsdisc); +- of_property_read_u8(np, "qcom,tune-usb2-preem", &tune_usb2_preem); ++ u8 val; + + ret = regulator_bulk_enable(rptr->cfg->num_vregs, rptr->vregs); + if (ret) +@@ -147,21 +121,24 @@ static int eusb2_repeater_init(struct phy *phy) + + regmap_write(regmap, base + EUSB2_EN_CTL1, EUSB2_RPTR_EN); + +- regmap_write(regmap, base + EUSB2_TUNE_EUSB_HS_COMP_CUR, init_tbl[TUNE_EUSB_HS_COMP_CUR]); +- regmap_write(regmap, base + EUSB2_TUNE_EUSB_EQU, init_tbl[TUNE_EUSB_EQU]); +- regmap_write(regmap, base + EUSB2_TUNE_EUSB_SLEW, init_tbl[TUNE_EUSB_SLEW]); +- regmap_write(regmap, base + EUSB2_TUNE_USB2_HS_COMP_CUR, init_tbl[TUNE_USB2_HS_COMP_CUR]); +- regmap_write(regmap, base + EUSB2_TUNE_USB2_EQU, init_tbl[TUNE_USB2_EQU]); +- regmap_write(regmap, base + EUSB2_TUNE_USB2_SLEW, init_tbl[TUNE_USB2_SLEW]); +- regmap_write(regmap, base + EUSB2_TUNE_SQUELCH_U, init_tbl[TUNE_SQUELCH_U]); +- regmap_write(regmap, base + EUSB2_TUNE_RES_FSDIF, init_tbl[TUNE_RES_FSDIF]); +- regmap_write(regmap, base + EUSB2_TUNE_USB2_CROSSOVER, init_tbl[TUNE_USB2_CROSSOVER]); +- +- regmap_write(regmap, base + EUSB2_TUNE_USB2_PREEM, tune_usb2_preem); +- regmap_write(regmap, base + EUSB2_TUNE_HSDISC, tune_hsdisc); +- regmap_write(regmap, base + EUSB2_TUNE_IUSB2, tune_iusb2); +- +- ret = regmap_read_poll_timeout(regmap, base + EUSB2_RPTR_STATUS, val, val & RPTR_OK, 10, 5); ++ /* Write registers from init table */ ++ for (int i = 0; i < rptr->cfg->init_tbl_num; i++) ++ regmap_write(regmap, base + rptr->cfg->init_tbl[i].reg, ++ rptr->cfg->init_tbl[i].value); ++ ++ /* Override registers from devicetree values */ ++ if (!of_property_read_u8(np, "qcom,tune-usb2-amplitude", &val)) ++ regmap_write(regmap, base + EUSB2_TUNE_USB2_PREEM, val); ++ ++ if (!of_property_read_u8(np, "qcom,tune-usb2-disc-thres", &val)) ++ regmap_write(regmap, base + EUSB2_TUNE_HSDISC, val); ++ ++ if (!of_property_read_u8(np, "qcom,tune-usb2-preem", &val)) ++ regmap_write(regmap, base + EUSB2_TUNE_IUSB2, val); ++ ++ /* Wait for status OK */ ++ ret = regmap_read_poll_timeout(regmap, base + EUSB2_RPTR_STATUS, poll_val, ++ poll_val & RPTR_OK, 10, 5); + if (ret) + dev_err(rptr->dev, "initialization timed-out\n"); + +-- +2.39.5 + diff --git a/queue-6.15/pinctrl-berlin-fix-memory-leak-in-berlin_pinctrl_bui.patch b/queue-6.15/pinctrl-berlin-fix-memory-leak-in-berlin_pinctrl_bui.patch new file mode 100644 index 0000000000..e1b7b00b6e --- /dev/null +++ b/queue-6.15/pinctrl-berlin-fix-memory-leak-in-berlin_pinctrl_bui.patch @@ -0,0 +1,55 @@ +From 7e950d6a550aa3c29f5155e4d36c55f3426c36c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:53:43 +0800 +Subject: pinctrl: berlin: fix memory leak in berlin_pinctrl_build_state() + +From: Yuan Chen + +[ Upstream commit 8f6f303551100291bf2c1e1ccc66b758fffb1168 ] + +In the original implementation, krealloc() failure handling incorrectly +assigned the original memory pointer to NULL after kfree(), causing a +memory leak when reallocation failed. + +Fixes: de845036f997 ("pinctrl: berlin: fix error return code of berlin_pinctrl_build_state()") +Signed-off-by: Yuan Chen +Link: https://lore.kernel.org/20250620015343.21494-1-chenyuan_fl@163.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/berlin/berlin.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/berlin/berlin.c b/drivers/pinctrl/berlin/berlin.c +index c372a2a24be4..9dc2da8056b7 100644 +--- a/drivers/pinctrl/berlin/berlin.c ++++ b/drivers/pinctrl/berlin/berlin.c +@@ -204,6 +204,7 @@ static int berlin_pinctrl_build_state(struct platform_device *pdev) + const struct berlin_desc_group *desc_group; + const struct berlin_desc_function *desc_function; + int i, max_functions = 0; ++ struct pinfunction *new_functions; + + pctrl->nfunctions = 0; + +@@ -229,12 +230,15 @@ static int berlin_pinctrl_build_state(struct platform_device *pdev) + } + } + +- pctrl->functions = krealloc(pctrl->functions, ++ new_functions = krealloc(pctrl->functions, + pctrl->nfunctions * sizeof(*pctrl->functions), + GFP_KERNEL); +- if (!pctrl->functions) ++ if (!new_functions) { ++ kfree(pctrl->functions); + return -ENOMEM; ++ } + ++ pctrl->functions = new_functions; + /* map functions to theirs groups */ + for (i = 0; i < pctrl->desc->ngroups; i++) { + desc_group = pctrl->desc->groups + i; +-- +2.39.5 + diff --git a/queue-6.15/pinctrl-canaan-k230-add-null-check-in-dt-parse.patch b/queue-6.15/pinctrl-canaan-k230-add-null-check-in-dt-parse.patch new file mode 100644 index 0000000000..c8f8eae605 --- /dev/null +++ b/queue-6.15/pinctrl-canaan-k230-add-null-check-in-dt-parse.patch @@ -0,0 +1,54 @@ +From e11660babe6c8776cfb1ed06f97566fbfda89943 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 00:11:13 +0800 +Subject: pinctrl: canaan: k230: add NULL check in DT parse + +From: Ze Huang + +[ Upstream commit 65bd0be486390fc12a84eafaad78758c5e5a55e6 ] + +Add a NULL check for the return value of of_get_property() when +retrieving the "pinmux" property in the group parser. This avoids +a potential NULL pointer dereference if the property is missing +from the device tree node. + +Also fix a typo ("sintenel") in the device ID match table comment, +correcting it to "sentinel". + +Fixes: 545887eab6f6 ("pinctrl: canaan: Add support for k230 SoC") +Reported-by: Yao Zi +Signed-off-by: Ze Huang +Link: https://lore.kernel.org/20250624-k230-return-check-v1-1-6b4fc5ba0c41@whut.edu.cn +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-k230.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c +index a9b4627b46b0..4976308e6237 100644 +--- a/drivers/pinctrl/pinctrl-k230.c ++++ b/drivers/pinctrl/pinctrl-k230.c +@@ -477,6 +477,10 @@ static int k230_pinctrl_parse_groups(struct device_node *np, + grp->name = np->name; + + list = of_get_property(np, "pinmux", &size); ++ if (!list) { ++ dev_err(dev, "failed to get pinmux property\n"); ++ return -EINVAL; ++ } + size /= sizeof(*list); + + grp->num_pins = size; +@@ -623,7 +627,7 @@ static int k230_pinctrl_probe(struct platform_device *pdev) + + static const struct of_device_id k230_dt_ids[] = { + { .compatible = "canaan,k230-pinctrl", }, +- { /* sintenel */ } ++ { /* sentinel */ } + }; + MODULE_DEVICE_TABLE(of, k230_dt_ids); + +-- +2.39.5 + diff --git a/queue-6.15/pinctrl-canaan-k230-fix-order-of-dt-parse-and-pinctr.patch b/queue-6.15/pinctrl-canaan-k230-fix-order-of-dt-parse-and-pinctr.patch new file mode 100644 index 0000000000..3997b49f1e --- /dev/null +++ b/queue-6.15/pinctrl-canaan-k230-fix-order-of-dt-parse-and-pinctr.patch @@ -0,0 +1,56 @@ +From 171d20aafe91eedcf0e6f6e2d75333ed285caba4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 00:11:14 +0800 +Subject: pinctrl: canaan: k230: Fix order of DT parse and pinctrl register + +From: Ze Huang + +[ Upstream commit d94a32ac688f953dc9a9f12b5b4139ecad841bbb ] + +Move DT parse before pinctrl register. This ensures that device tree +parsing is done before calling devm_pinctrl_register() to prevent using +uninitialized pin resources. + +Fixes: 545887eab6f6 ("pinctrl: canaan: Add support for k230 SoC") +Reported-by: Yao Zi +Signed-off-by: Ze Huang +Link: https://lore.kernel.org/20250624-k230-return-check-v1-2-6b4fc5ba0c41@whut.edu.cn +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-k230.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c +index 4976308e6237..d716f23d837f 100644 +--- a/drivers/pinctrl/pinctrl-k230.c ++++ b/drivers/pinctrl/pinctrl-k230.c +@@ -590,6 +590,7 @@ static int k230_pinctrl_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct k230_pinctrl *info; + struct pinctrl_desc *pctl; ++ int ret; + + info = devm_kzalloc(dev, sizeof(*info), GFP_KERNEL); + if (!info) +@@ -615,13 +616,15 @@ static int k230_pinctrl_probe(struct platform_device *pdev) + return dev_err_probe(dev, PTR_ERR(info->regmap_base), + "failed to init regmap\n"); + ++ ret = k230_pinctrl_parse_dt(pdev, info); ++ if (ret) ++ return ret; ++ + info->pctl_dev = devm_pinctrl_register(dev, pctl, info); + if (IS_ERR(info->pctl_dev)) + return dev_err_probe(dev, PTR_ERR(info->pctl_dev), + "devm_pinctrl_register failed\n"); + +- k230_pinctrl_parse_dt(pdev, info); +- + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.15/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch b/queue-6.15/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch new file mode 100644 index 0000000000..7c0e57413c --- /dev/null +++ b/queue-6.15/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch @@ -0,0 +1,55 @@ +From afce09f91887ab0df125f67fe0cebc8fe578817a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:27:08 +0800 +Subject: pinctrl: sunxi: Fix memory leak on krealloc failure + +From: Yuan Chen + +[ Upstream commit e3507c56cbb208d4f160942748c527ef6a528ba1 ] + +In sunxi_pctrl_dt_node_to_map(), when krealloc() fails to resize +the pinctrl_map array, the function returns -ENOMEM directly +without freeing the previously allocated *map buffer. This results +in a memory leak of the original kmalloc_array allocation. + +Fixes: e11dee2e98f8 ("pinctrl: sunxi: Deal with configless pins") +Signed-off-by: Yuan Chen +Link: https://lore.kernel.org/20250620012708.16709-1-chenyuan_fl@163.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c +index f1c5a991cf7b..ada2ec62916f 100644 +--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c +@@ -408,6 +408,7 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev, + const char *function, *pin_prop; + const char *group; + int ret, npins, nmaps, configlen = 0, i = 0; ++ struct pinctrl_map *new_map; + + *map = NULL; + *num_maps = 0; +@@ -482,9 +483,13 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev, + * We know have the number of maps we need, we can resize our + * map array + */ +- *map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL); +- if (!*map) +- return -ENOMEM; ++ new_map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL); ++ if (!new_map) { ++ ret = -ENOMEM; ++ goto err_free_map; ++ } ++ ++ *map = new_map; + + return 0; + +-- +2.39.5 + diff --git a/queue-6.15/pinmux-fix-race-causing-mux_owner-null-with-active-m.patch b/queue-6.15/pinmux-fix-race-causing-mux_owner-null-with-active-m.patch new file mode 100644 index 0000000000..f0b7386275 --- /dev/null +++ b/queue-6.15/pinmux-fix-race-causing-mux_owner-null-with-active-m.patch @@ -0,0 +1,95 @@ +From 5c17633e65a91a338337b246f3f9305af3157801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 13:28:38 +0530 +Subject: pinmux: fix race causing mux_owner NULL with active mux_usecount + +From: Mukesh Ojha + +[ Upstream commit 0b075c011032f88d1cfde3b45d6dcf08b44140eb ] + +commit 5a3e85c3c397 ("pinmux: Use sequential access to access +desc->pinmux data") tried to address the issue when two client of the +same gpio calls pinctrl_select_state() for the same functionality, was +resulting in NULL pointer issue while accessing desc->mux_owner. +However, issue was not completely fixed due to the way it was handled +and it can still result in the same NULL pointer. + +The issue occurs due to the following interleaving: + + cpu0 (process A) cpu1 (process B) + + pin_request() { pin_free() { + + mutex_lock() + desc->mux_usecount--; //becomes 0 + .. + mutex_unlock() + + mutex_lock(desc->mux) + desc->mux_usecount++; // becomes 1 + desc->mux_owner = owner; + mutex_unlock(desc->mux) + + mutex_lock(desc->mux) + desc->mux_owner = NULL; + mutex_unlock(desc->mux) + +This sequence leads to a state where the pin appears to be in use +(`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can +cause NULL pointer on next pin_request on the same pin. + +Ensure that updates to mux_usecount and mux_owner are performed +atomically under the same lock. Only clear mux_owner when mux_usecount +reaches zero and no new owner has been assigned. + +Fixes: 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") +Signed-off-by: Mukesh Ojha +Link: https://lore.kernel.org/20250708-pinmux-race-fix-v2-1-8ae9e8a0d1a1@oss.qualcomm.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinmux.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +diff --git a/drivers/pinctrl/pinmux.c b/drivers/pinctrl/pinmux.c +index 0743190da59e..2c31e7f2a27a 100644 +--- a/drivers/pinctrl/pinmux.c ++++ b/drivers/pinctrl/pinmux.c +@@ -236,18 +236,7 @@ static const char *pin_free(struct pinctrl_dev *pctldev, int pin, + if (desc->mux_usecount) + return NULL; + } +- } +- +- /* +- * If there is no kind of request function for the pin we just assume +- * we got it by default and proceed. +- */ +- if (gpio_range && ops->gpio_disable_free) +- ops->gpio_disable_free(pctldev, gpio_range, pin); +- else if (ops->free) +- ops->free(pctldev, pin); + +- scoped_guard(mutex, &desc->mux_lock) { + if (gpio_range) { + owner = desc->gpio_owner; + desc->gpio_owner = NULL; +@@ -258,6 +247,15 @@ static const char *pin_free(struct pinctrl_dev *pctldev, int pin, + } + } + ++ /* ++ * If there is no kind of request function for the pin we just assume ++ * we got it by default and proceed. ++ */ ++ if (gpio_range && ops->gpio_disable_free) ++ ops->gpio_disable_free(pctldev, gpio_range, pin); ++ else if (ops->free) ++ ops->free(pctldev, pin); ++ + module_put(pctldev->owner); + + return owner; +-- +2.39.5 + diff --git a/queue-6.15/pm-cpufreq-powernv-tracing-move-powernv_throttle-tra.patch b/queue-6.15/pm-cpufreq-powernv-tracing-move-powernv_throttle-tra.patch new file mode 100644 index 0000000000..61dfe621f2 --- /dev/null +++ b/queue-6.15/pm-cpufreq-powernv-tracing-move-powernv_throttle-tra.patch @@ -0,0 +1,167 @@ +From 6c05cd07fa814bf2ee16367d1e5b6800c07c5f7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 10:53:11 -0400 +Subject: PM: cpufreq: powernv/tracing: Move powernv_throttle trace event + +From: Steven Rostedt + +[ Upstream commit 647fe16b46999258ce1aec41f4bdeabb4f0cc8e7 ] + +As the trace event powernv_throttle is only used by the powernv code, move +it to a separate include file and have that code directly enable it. + +Trace events can take up around 5K of memory when they are defined +regardless if they are used or not. It wastes memory to have them defined +in configurations where the tracepoint is not used. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Madhavan Srinivasan +Cc: Michael Ellerman +Link: https://lore.kernel.org/20250612145407.906308844@goodmis.org +Fixes: 0306e481d479a ("cpufreq: powernv/tracing: Add powernv_throttle tracepoint") +Acked-by: Viresh Kumar +Acked-by: Rafael J. Wysocki +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/Makefile | 1 + + drivers/cpufreq/powernv-cpufreq.c | 4 ++- + drivers/cpufreq/powernv-trace.h | 44 +++++++++++++++++++++++++++++++ + include/trace/events/power.h | 22 ---------------- + kernel/trace/power-traces.c | 1 - + 5 files changed, 48 insertions(+), 24 deletions(-) + create mode 100644 drivers/cpufreq/powernv-trace.h + +diff --git a/drivers/cpufreq/Makefile b/drivers/cpufreq/Makefile +index 22ab45209f9b..246f58b496da 100644 +--- a/drivers/cpufreq/Makefile ++++ b/drivers/cpufreq/Makefile +@@ -20,6 +20,7 @@ obj-$(CONFIG_CPUFREQ_VIRT) += virtual-cpufreq.o + + # Traces + CFLAGS_amd-pstate-trace.o := -I$(src) ++CFLAGS_powernv-cpufreq.o := -I$(src) + amd_pstate-y := amd-pstate.o amd-pstate-trace.o + + ################################################################################## +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index afe5abf89d33..b7c3251e7e87 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -21,7 +21,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -30,6 +29,9 @@ + #include + #include + ++#define CREATE_TRACE_POINTS ++#include "powernv-trace.h" ++ + #define POWERNV_MAX_PSTATES_ORDER 8 + #define POWERNV_MAX_PSTATES (1UL << (POWERNV_MAX_PSTATES_ORDER)) + #define PMSR_PSAFE_ENABLE (1UL << 30) +diff --git a/drivers/cpufreq/powernv-trace.h b/drivers/cpufreq/powernv-trace.h +new file mode 100644 +index 000000000000..8cadb7c9427b +--- /dev/null ++++ b/drivers/cpufreq/powernv-trace.h +@@ -0,0 +1,44 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++#if !defined(_POWERNV_TRACE_H) || defined(TRACE_HEADER_MULTI_READ) ++#define _POWERNV_TRACE_H ++ ++#include ++#include ++#include ++ ++#undef TRACE_SYSTEM ++#define TRACE_SYSTEM power ++ ++TRACE_EVENT(powernv_throttle, ++ ++ TP_PROTO(int chip_id, const char *reason, int pmax), ++ ++ TP_ARGS(chip_id, reason, pmax), ++ ++ TP_STRUCT__entry( ++ __field(int, chip_id) ++ __string(reason, reason) ++ __field(int, pmax) ++ ), ++ ++ TP_fast_assign( ++ __entry->chip_id = chip_id; ++ __assign_str(reason); ++ __entry->pmax = pmax; ++ ), ++ ++ TP_printk("Chip %d Pmax %d %s", __entry->chip_id, ++ __entry->pmax, __get_str(reason)) ++); ++ ++#endif /* _POWERNV_TRACE_H */ ++ ++/* This part must be outside protection */ ++#undef TRACE_INCLUDE_PATH ++#define TRACE_INCLUDE_PATH . ++ ++#undef TRACE_INCLUDE_FILE ++#define TRACE_INCLUDE_FILE powernv-trace ++ ++#include +diff --git a/include/trace/events/power.h b/include/trace/events/power.h +index 9253e83b9bb4..ff0974e9be9a 100644 +--- a/include/trace/events/power.h ++++ b/include/trace/events/power.h +@@ -99,28 +99,6 @@ DEFINE_EVENT(psci_domain_idle, psci_domain_idle_exit, + TP_ARGS(cpu_id, state, s2idle) + ); + +-TRACE_EVENT(powernv_throttle, +- +- TP_PROTO(int chip_id, const char *reason, int pmax), +- +- TP_ARGS(chip_id, reason, pmax), +- +- TP_STRUCT__entry( +- __field(int, chip_id) +- __string(reason, reason) +- __field(int, pmax) +- ), +- +- TP_fast_assign( +- __entry->chip_id = chip_id; +- __assign_str(reason); +- __entry->pmax = pmax; +- ), +- +- TP_printk("Chip %d Pmax %d %s", __entry->chip_id, +- __entry->pmax, __get_str(reason)) +-); +- + TRACE_EVENT(pstate_sample, + + TP_PROTO(u32 core_busy, +diff --git a/kernel/trace/power-traces.c b/kernel/trace/power-traces.c +index 21bb161c2316..f2fe33573e54 100644 +--- a/kernel/trace/power-traces.c ++++ b/kernel/trace/power-traces.c +@@ -17,5 +17,4 @@ + EXPORT_TRACEPOINT_SYMBOL_GPL(suspend_resume); + EXPORT_TRACEPOINT_SYMBOL_GPL(cpu_idle); + EXPORT_TRACEPOINT_SYMBOL_GPL(cpu_frequency); +-EXPORT_TRACEPOINT_SYMBOL_GPL(powernv_throttle); + +-- +2.39.5 + diff --git a/queue-6.15/pm-cpupower-fix-printing-of-core-cpu-fields-in-cpupo.patch b/queue-6.15/pm-cpupower-fix-printing-of-core-cpu-fields-in-cpupo.patch new file mode 100644 index 0000000000..c099103652 --- /dev/null +++ b/queue-6.15/pm-cpupower-fix-printing-of-core-cpu-fields-in-cpupo.patch @@ -0,0 +1,60 @@ +From 5cffc5247f79054e3e4878993ac789cb45c47b72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 17:53:55 +0530 +Subject: pm: cpupower: Fix printing of CORE, CPU fields in cpupower-monitor + +From: Gautham R. Shenoy + +[ Upstream commit 14a3318b4ac8ae0ca2e1132a89de167e1030fbdb ] + +After the commit 0014f65e3df0 ("pm: cpupower: remove hard-coded +topology depth values"), "cpupower monitor" output ceased to print the +CORE and the CPU fields on a multi-socket platform. + +The reason for this is that the patch changed the behaviour to break +out of the switch-case after printing the PKG details, while prior to +the patch, the CORE and the CPU details would also get printed since +the "if" condition check would pass for any level whose topology depth +was lesser than that of a package. + +Fix this ensuring all the details below a desired topology depth are +printed in the cpupower monitor output. + +Link: https://lore.kernel.org/r/20250612122355.19629-3-gautham.shenoy@amd.com +Fixes: 0014f65e3df0 ("pm: cpupower: remove hard-coded topology depth values") +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c b/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c +index ad493157f826..e8b3841d5c0f 100644 +--- a/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/cpupower-monitor.c +@@ -121,10 +121,8 @@ void print_header(int topology_depth) + switch (topology_depth) { + case TOPOLOGY_DEPTH_PKG: + printf(" PKG|"); +- break; + case TOPOLOGY_DEPTH_CORE: + printf("CORE|"); +- break; + case TOPOLOGY_DEPTH_CPU: + printf(" CPU|"); + break; +@@ -167,10 +165,8 @@ void print_results(int topology_depth, int cpu) + switch (topology_depth) { + case TOPOLOGY_DEPTH_PKG: + printf("%4d|", cpu_top.core_info[cpu].pkg); +- break; + case TOPOLOGY_DEPTH_CORE: + printf("%4d|", cpu_top.core_info[cpu].core); +- break; + case TOPOLOGY_DEPTH_CPU: + printf("%4d|", cpu_top.core_info[cpu].cpu); + break; +-- +2.39.5 + diff --git a/queue-6.15/pm-devfreq-check-governor-before-using-governor-name.patch b/queue-6.15/pm-devfreq-check-governor-before-using-governor-name.patch new file mode 100644 index 0000000000..62097b17e6 --- /dev/null +++ b/queue-6.15/pm-devfreq-check-governor-before-using-governor-name.patch @@ -0,0 +1,50 @@ +From 2ef441566dc73c6271b24ccee13c8f3f1d63e0c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 11:00:20 +0800 +Subject: PM / devfreq: Check governor before using governor->name + +From: Lifeng Zheng + +[ Upstream commit bab7834c03820eb11269bc48f07c3800192460d2 ] + +Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from +struct devfreq") removes governor_name and uses governor->name to replace +it. But devfreq->governor may be NULL and directly using +devfreq->governor->name may cause null pointer exception. Move the check of +governor to before using governor->name. + +Fixes: 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq") +Signed-off-by: Lifeng Zheng +Link: https://lore.kernel.org/lkml/20250421030020.3108405-5-zhenglifeng1@huawei.com/ +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index 98657d3b9435..713e6e52cca1 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -1382,15 +1382,11 @@ int devfreq_remove_governor(struct devfreq_governor *governor) + int ret; + struct device *dev = devfreq->dev.parent; + ++ if (!devfreq->governor) ++ continue; ++ + if (!strncmp(devfreq->governor->name, governor->name, + DEVFREQ_NAME_LEN)) { +- /* we should have a devfreq governor! */ +- if (!devfreq->governor) { +- dev_warn(dev, "%s: Governor %s NOT present\n", +- __func__, governor->name); +- continue; +- /* Fall through */ +- } + ret = devfreq->governor->event_handler(devfreq, + DEVFREQ_GOV_STOP, NULL); + if (ret) { +-- +2.39.5 + diff --git a/queue-6.15/pm-devfreq-fix-a-index-typo-in-trans_stat.patch b/queue-6.15/pm-devfreq-fix-a-index-typo-in-trans_stat.patch new file mode 100644 index 0000000000..136a136c1e --- /dev/null +++ b/queue-6.15/pm-devfreq-fix-a-index-typo-in-trans_stat.patch @@ -0,0 +1,34 @@ +From 17c75b592f07a52a8010d7f15b19e75232f14a56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 16:13:50 -1000 +Subject: PM / devfreq: Fix a index typo in trans_stat + +From: Chanwoo Choi + +[ Upstream commit 78c5845fbbf6aaeb9959c5fbaee5cc53ef5f38c2 ] + +Fixes: 4920ee6dcfaf ("PM / devfreq: Convert to use sysfs_emit_at() API") +Signed-off-by: pls +Link: https://patchwork.kernel.org/project/linux-pm/patch/20250515143100.17849-1-chanwoo@kernel.org/ +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index 713e6e52cca1..0d9f3d3282ec 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -1739,7 +1739,7 @@ static ssize_t trans_stat_show(struct device *dev, + for (i = 0; i < max_state; i++) { + if (len >= PAGE_SIZE - 1) + break; +- if (df->freq_table[2] == df->previous_freq) ++ if (df->freq_table[i] == df->previous_freq) + len += sysfs_emit_at(buf, len, "*"); + else + len += sysfs_emit_at(buf, len, " "); +-- +2.39.5 + diff --git a/queue-6.15/power-sequencing-qcom-wcn-fix-bluetooth-wifi-copypas.patch b/queue-6.15/power-sequencing-qcom-wcn-fix-bluetooth-wifi-copypas.patch new file mode 100644 index 0000000000..7fb827315b --- /dev/null +++ b/queue-6.15/power-sequencing-qcom-wcn-fix-bluetooth-wifi-copypas.patch @@ -0,0 +1,37 @@ +From e2b307e276a436eb294642f2894ce7c9690beb5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 17:55:43 +0200 +Subject: power: sequencing: qcom-wcn: fix bluetooth-wifi copypasta for WCN6855 + +From: Konrad Dybcio + +[ Upstream commit 07d59dec6795428983a840de85aa02febaf7e01b ] + +Prevent a name conflict (which is surprisingly not caught by the +framework). + +Fixes: bd4c8bafcf50 ("power: sequencing: qcom-wcn: improve support for wcn6855") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250625-topic-wcn6855_pwrseq-v1-1-cfb96d599ff8@oss.qualcomm.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/power/sequencing/pwrseq-qcom-wcn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/sequencing/pwrseq-qcom-wcn.c b/drivers/power/sequencing/pwrseq-qcom-wcn.c +index e8f5030f2639..7d8d6b340749 100644 +--- a/drivers/power/sequencing/pwrseq-qcom-wcn.c ++++ b/drivers/power/sequencing/pwrseq-qcom-wcn.c +@@ -155,7 +155,7 @@ static const struct pwrseq_unit_data pwrseq_qcom_wcn_bt_unit_data = { + }; + + static const struct pwrseq_unit_data pwrseq_qcom_wcn6855_bt_unit_data = { +- .name = "wlan-enable", ++ .name = "bluetooth-enable", + .deps = pwrseq_qcom_wcn6855_unit_deps, + .enable = pwrseq_qcom_wcn_bt_enable, + .disable = pwrseq_qcom_wcn_bt_disable, +-- +2.39.5 + diff --git a/queue-6.15/power-supply-cpcap-charger-fix-null-check-for-power_.patch b/queue-6.15/power-supply-cpcap-charger-fix-null-check-for-power_.patch new file mode 100644 index 0000000000..72558a8b80 --- /dev/null +++ b/queue-6.15/power-supply-cpcap-charger-fix-null-check-for-power_.patch @@ -0,0 +1,42 @@ +From c34fe5b09f7fbcfc4b0bbd3dd88dca2e6a382781 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 10:47:41 +0800 +Subject: power: supply: cpcap-charger: Fix null check for + power_supply_get_by_name + +From: Charles Han + +[ Upstream commit d9fa3aae08f99493e67fb79413c0e95d30fca5e9 ] + +In the cpcap_usb_detect() function, the power_supply_get_by_name() +function may return `NULL` instead of an error pointer. +To prevent potential null pointer dereferences, Added a null check. + +Fixes: eab4e6d953c1 ("power: supply: cpcap-charger: get the battery inserted infomation from cpcap-battery") +Signed-off-by: Charles Han +Link: https://lore.kernel.org/r/20250519024741.5846-1-hanchunchao@inspur.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/cpcap-charger.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/supply/cpcap-charger.c b/drivers/power/supply/cpcap-charger.c +index 13300dc60baf..d0c3008db534 100644 +--- a/drivers/power/supply/cpcap-charger.c ++++ b/drivers/power/supply/cpcap-charger.c +@@ -689,9 +689,8 @@ static void cpcap_usb_detect(struct work_struct *work) + struct power_supply *battery; + + battery = power_supply_get_by_name("battery"); +- if (IS_ERR_OR_NULL(battery)) { +- dev_err(ddata->dev, "battery power_supply not available %li\n", +- PTR_ERR(battery)); ++ if (!battery) { ++ dev_err(ddata->dev, "battery power_supply not available\n"); + return; + } + +-- +2.39.5 + diff --git a/queue-6.15/power-supply-max14577-handle-null-pdata-when-config_.patch b/queue-6.15/power-supply-max14577-handle-null-pdata-when-config_.patch new file mode 100644 index 0000000000..cd0a7af552 --- /dev/null +++ b/queue-6.15/power-supply-max14577-handle-null-pdata-when-config_.patch @@ -0,0 +1,51 @@ +From 2329b7023af518e8f70644c450d4ef9b6616430b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 14:16:01 +0800 +Subject: power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set + +From: Charles Han + +[ Upstream commit 2937f5d2e24eefef8cb126244caec7fe3307f724 ] + +When the kernel is not configured CONFIG_OF, the max14577_charger_dt_init +function returns NULL. Fix the max14577_charger_probe functionby returning +-ENODATA instead of potentially passing a NULL pointer to PTR_ERR. + +This fixes the below smatch warning: +max14577_charger_probe() warn: passing zero to 'PTR_ERR' + +Fixes: e30110e9c96f ("charger: max14577: Configure battery-dependent settings from DTS and sysfs") +Signed-off-by: Charles Han +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250519061601.8755-1-hanchunchao@inspur.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max14577_charger.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/max14577_charger.c b/drivers/power/supply/max14577_charger.c +index 1cef2f860b5f..63077d38ea30 100644 +--- a/drivers/power/supply/max14577_charger.c ++++ b/drivers/power/supply/max14577_charger.c +@@ -501,7 +501,7 @@ static struct max14577_charger_platform_data *max14577_charger_dt_init( + static struct max14577_charger_platform_data *max14577_charger_dt_init( + struct platform_device *pdev) + { +- return NULL; ++ return ERR_PTR(-ENODATA); + } + #endif /* CONFIG_OF */ + +@@ -572,7 +572,7 @@ static int max14577_charger_probe(struct platform_device *pdev) + chg->max14577 = max14577; + + chg->pdata = max14577_charger_dt_init(pdev); +- if (IS_ERR_OR_NULL(chg->pdata)) ++ if (IS_ERR(chg->pdata)) + return PTR_ERR(chg->pdata); + + ret = max14577_charger_reg_init(chg); +-- +2.39.5 + diff --git a/queue-6.15/power-supply-max1720x-correct-capacity-computation.patch b/queue-6.15/power-supply-max1720x-correct-capacity-computation.patch new file mode 100644 index 0000000000..46c6115fc5 --- /dev/null +++ b/queue-6.15/power-supply-max1720x-correct-capacity-computation.patch @@ -0,0 +1,71 @@ +From 2d6ad4ff82cf2ac1192d7d8fca921a82da1b4e71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 14:51:44 +0200 +Subject: power: supply: max1720x correct capacity computation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Antoine + +[ Upstream commit 58ae036172b5f051a19a32eba94a3e5eb37bf47e ] + +From the datasheet of the MAX17201/17205, the LSB should be "5.0μVh/RSENSE". +The current computation sets it at 0.5mAh=5.0μVh/10mOhm, which does not take +into account the value of rsense (which is in 10µV steps) which can be +different from 10mOhm. + +Change the computation to fit the specs. + +Fixes: 479b6d04964b ("power: supply: add support for MAX1720x standalone fuel gauge") +Signed-off-by: Thomas Antoine +Link: https://lore.kernel.org/r/20250523-b4-gs101_max77759_fg-v4-1-b49904e35a34@uclouvain.be +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max1720x_battery.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/power/supply/max1720x_battery.c b/drivers/power/supply/max1720x_battery.c +index ea3912fd1de8..68b5314ecf3a 100644 +--- a/drivers/power/supply/max1720x_battery.c ++++ b/drivers/power/supply/max1720x_battery.c +@@ -288,9 +288,10 @@ static int max172xx_voltage_to_ps(unsigned int reg) + return reg * 1250; /* in uV */ + } + +-static int max172xx_capacity_to_ps(unsigned int reg) ++static int max172xx_capacity_to_ps(unsigned int reg, ++ struct max1720x_device_info *info) + { +- return reg * 500; /* in uAh */ ++ return reg * (500000 / info->rsense); /* in uAh */ + } + + /* +@@ -394,11 +395,11 @@ static int max1720x_battery_get_property(struct power_supply *psy, + break; + case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: + ret = regmap_read(info->regmap, MAX172XX_DESIGN_CAP, ®_val); +- val->intval = max172xx_capacity_to_ps(reg_val); ++ val->intval = max172xx_capacity_to_ps(reg_val, info); + break; + case POWER_SUPPLY_PROP_CHARGE_AVG: + ret = regmap_read(info->regmap, MAX172XX_REPCAP, ®_val); +- val->intval = max172xx_capacity_to_ps(reg_val); ++ val->intval = max172xx_capacity_to_ps(reg_val, info); + break; + case POWER_SUPPLY_PROP_TIME_TO_EMPTY_AVG: + ret = regmap_read(info->regmap, MAX172XX_TTE, ®_val); +@@ -422,7 +423,7 @@ static int max1720x_battery_get_property(struct power_supply *psy, + break; + case POWER_SUPPLY_PROP_CHARGE_FULL: + ret = regmap_read(info->regmap, MAX172XX_FULL_CAP, ®_val); +- val->intval = max172xx_capacity_to_ps(reg_val); ++ val->intval = max172xx_capacity_to_ps(reg_val, info); + break; + case POWER_SUPPLY_PROP_MODEL_NAME: + ret = regmap_read(info->regmap, MAX172XX_DEV_NAME, ®_val); +-- +2.39.5 + diff --git a/queue-6.15/power-supply-qcom_pmi8998_charger-fix-wakeirq.patch b/queue-6.15/power-supply-qcom_pmi8998_charger-fix-wakeirq.patch new file mode 100644 index 0000000000..ba6dc70e74 --- /dev/null +++ b/queue-6.15/power-supply-qcom_pmi8998_charger-fix-wakeirq.patch @@ -0,0 +1,47 @@ +From abe9f624bd29a1a9d1e6d4b577b551ee1bf42cbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 16:55:11 +0200 +Subject: power: supply: qcom_pmi8998_charger: fix wakeirq + +From: Casey Connolly + +[ Upstream commit 6c5393771c50fac30f08dfb6d2f65f4f2cfeb8c7 ] + +Unloading and reloading the driver (e.g. when built as a module) +currently leads to errors trying to enable wake IRQ since it's already +enabled. + +Use devm to manage this for us so it correctly gets disabled when +removing the driver. + +Additionally, call device_init_wakeup() so that charger attach/remove +will trigger a wakeup by default. + +Fixes: 8648aeb5d7b7 ("power: supply: add Qualcomm PMI8998 SMB2 Charger driver") +Signed-off-by: Casey Connolly +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250619-smb2-smb5-support-v1-3-ac5dec51b6e1@linaro.org +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/qcom_pmi8998_charger.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/qcom_pmi8998_charger.c b/drivers/power/supply/qcom_pmi8998_charger.c +index 74a8d8ed8d9f..8b641b822f52 100644 +--- a/drivers/power/supply/qcom_pmi8998_charger.c ++++ b/drivers/power/supply/qcom_pmi8998_charger.c +@@ -1016,7 +1016,9 @@ static int smb2_probe(struct platform_device *pdev) + if (rc < 0) + return rc; + +- rc = dev_pm_set_wake_irq(chip->dev, chip->cable_irq); ++ devm_device_init_wakeup(chip->dev); ++ ++ rc = devm_pm_set_wake_irq(chip->dev, chip->cable_irq); + if (rc < 0) + return dev_err_probe(chip->dev, rc, "Couldn't set wake irq\n"); + +-- +2.39.5 + diff --git a/queue-6.15/powercap-dtpm_cpu-fix-null-pointer-dereference-in-ge.patch b/queue-6.15/powercap-dtpm_cpu-fix-null-pointer-dereference-in-ge.patch new file mode 100644 index 0000000000..c153c4acef --- /dev/null +++ b/queue-6.15/powercap-dtpm_cpu-fix-null-pointer-dereference-in-ge.patch @@ -0,0 +1,44 @@ +From aefa17e70938f48b91d38ad0eff31fc1e642b5eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 01:13:55 +0300 +Subject: powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() + +From: Sivan Zohar-Kotzer + +[ Upstream commit 46dc57406887dd02565cb264224194a6776d882b ] + +The get_pd_power_uw() function can crash with a NULL pointer dereference +when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible +during runtime, causing get_cpu_device() to return NULL, which propagates +through em_cpu_get() and leads to a crash when em_span_cpus() dereferences +the NULL pointer. + +Add a NULL check after em_cpu_get() and return 0 if unavailable, +matching the existing fallback behavior in __dtpm_cpu_setup(). + +Fixes: eb82bace8931 ("powercap/drivers/dtpm: Scale the power with the load") +Signed-off-by: Sivan Zohar-Kotzer +Link: https://patch.msgid.link/20250701221355.96916-1-sivany32@gmail.com +[ rjw: Drop an excess empty code line ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/dtpm_cpu.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/powercap/dtpm_cpu.c b/drivers/powercap/dtpm_cpu.c +index 6b6f51b21550..99390ec1481f 100644 +--- a/drivers/powercap/dtpm_cpu.c ++++ b/drivers/powercap/dtpm_cpu.c +@@ -96,6 +96,8 @@ static u64 get_pd_power_uw(struct dtpm *dtpm) + int i; + + pd = em_cpu_get(dtpm_cpu->cpu); ++ if (!pd) ++ return 0; + + pd_mask = em_span_cpus(pd); + +-- +2.39.5 + diff --git a/queue-6.15/powerpc-eeh-export-eeh_unfreeze_pe.patch b/queue-6.15/powerpc-eeh-export-eeh_unfreeze_pe.patch new file mode 100644 index 0000000000..9ee0e0f983 --- /dev/null +++ b/queue-6.15/powerpc-eeh-export-eeh_unfreeze_pe.patch @@ -0,0 +1,39 @@ +From 358f32c46cd4158ba60a3d7c6c54242293d85248 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:37:34 -0500 +Subject: powerpc/eeh: Export eeh_unfreeze_pe() + +From: Timothy Pearson + +[ Upstream commit e82b34eed04b0ddcff4548b62633467235672fd3 ] + +The PowerNV hotplug driver needs to be able to clear any frozen PE(s) +on the PHB after suprise removal of a downstream device. + +Export the eeh_unfreeze_pe() symbol to allow implementation of this +functionality in the php_nv module. + +Signed-off-by: Timothy Pearson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/1778535414.1359858.1752615454618.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index ca7f7bb2b478..2b5f3323e107 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -1139,6 +1139,7 @@ int eeh_unfreeze_pe(struct eeh_pe *pe) + + return ret; + } ++EXPORT_SYMBOL_GPL(eeh_unfreeze_pe); + + + static struct pci_device_id eeh_reset_ids[] = { +-- +2.39.5 + diff --git a/queue-6.15/powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch b/queue-6.15/powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch new file mode 100644 index 0000000000..f919f06034 --- /dev/null +++ b/queue-6.15/powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch @@ -0,0 +1,252 @@ +From 1b7b91ab11357236cad68e499081df7fca6f19c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:38:23 -0500 +Subject: powerpc/eeh: Make EEH driver device hotplug safe + +From: Timothy Pearson + +[ Upstream commit 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 ] + +Multiple race conditions existed between the PCIe hotplug driver and the +EEH driver, leading to a variety of kernel oopses of the same general +nature: + + + + + + + + +A second class of oops is also seen when the underlying bus disappears +during device recovery. + +Refactor the EEH module to be PCI rescan and remove safe. Also clean +up a few minor formatting / readability issues. + +Signed-off-by: Timothy Pearson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/1334208367.1359861.1752615503144.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_driver.c | 48 +++++++++++++++++++++----------- + arch/powerpc/kernel/eeh_pe.c | 10 ++++--- + 2 files changed, 38 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index 7efe04c68f0f..dd50de91c438 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -257,13 +257,12 @@ static void eeh_pe_report_edev(struct eeh_dev *edev, eeh_report_fn fn, + struct pci_driver *driver; + enum pci_ers_result new_result; + +- pci_lock_rescan_remove(); + pdev = edev->pdev; + if (pdev) + get_device(&pdev->dev); +- pci_unlock_rescan_remove(); + if (!pdev) { + eeh_edev_info(edev, "no device"); ++ *result = PCI_ERS_RESULT_DISCONNECT; + return; + } + device_lock(&pdev->dev); +@@ -304,8 +303,9 @@ static void eeh_pe_report(const char *name, struct eeh_pe *root, + struct eeh_dev *edev, *tmp; + + pr_info("EEH: Beginning: '%s'\n", name); +- eeh_for_each_pe(root, pe) eeh_pe_for_each_dev(pe, edev, tmp) +- eeh_pe_report_edev(edev, fn, result); ++ eeh_for_each_pe(root, pe) ++ eeh_pe_for_each_dev(pe, edev, tmp) ++ eeh_pe_report_edev(edev, fn, result); + if (result) + pr_info("EEH: Finished:'%s' with aggregate recovery state:'%s'\n", + name, pci_ers_result_name(*result)); +@@ -383,6 +383,8 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata) + if (!edev) + return; + ++ pci_lock_rescan_remove(); ++ + /* + * The content in the config space isn't saved because + * the blocked config space on some adapters. We have +@@ -393,14 +395,19 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata) + if (list_is_last(&edev->entry, &edev->pe->edevs)) + eeh_pe_restore_bars(edev->pe); + ++ pci_unlock_rescan_remove(); + return; + } + + pdev = eeh_dev_to_pci_dev(edev); +- if (!pdev) ++ if (!pdev) { ++ pci_unlock_rescan_remove(); + return; ++ } + + pci_restore_state(pdev); ++ ++ pci_unlock_rescan_remove(); + } + + /** +@@ -647,9 +654,7 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus, + if (any_passed || driver_eeh_aware || (pe->type & EEH_PE_VF)) { + eeh_pe_dev_traverse(pe, eeh_rmv_device, rmv_data); + } else { +- pci_lock_rescan_remove(); + pci_hp_remove_devices(bus); +- pci_unlock_rescan_remove(); + } + + /* +@@ -665,8 +670,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus, + if (rc) + return rc; + +- pci_lock_rescan_remove(); +- + /* Restore PE */ + eeh_ops->configure_bridge(pe); + eeh_pe_restore_bars(pe); +@@ -674,7 +677,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus, + /* Clear frozen state */ + rc = eeh_clear_pe_frozen_state(pe, false); + if (rc) { +- pci_unlock_rescan_remove(); + return rc; + } + +@@ -709,7 +711,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus, + pe->tstamp = tstamp; + pe->freeze_count = cnt; + +- pci_unlock_rescan_remove(); + return 0; + } + +@@ -843,10 +844,13 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + {LIST_HEAD_INIT(rmv_data.removed_vf_list), 0}; + int devices = 0; + ++ pci_lock_rescan_remove(); ++ + bus = eeh_pe_bus_get(pe); + if (!bus) { + pr_err("%s: Cannot find PCI bus for PHB#%x-PE#%x\n", + __func__, pe->phb->global_number, pe->addr); ++ pci_unlock_rescan_remove(); + return; + } + +@@ -1094,10 +1098,15 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true); + eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED); + +- pci_lock_rescan_remove(); +- pci_hp_remove_devices(bus); +- pci_unlock_rescan_remove(); ++ bus = eeh_pe_bus_get(pe); ++ if (bus) ++ pci_hp_remove_devices(bus); ++ else ++ pr_err("%s: PCI bus for PHB#%x-PE#%x disappeared\n", ++ __func__, pe->phb->global_number, pe->addr); ++ + /* The passed PE should no longer be used */ ++ pci_unlock_rescan_remove(); + return; + } + +@@ -1114,6 +1123,8 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + eeh_clear_slot_attention(edev->pdev); + + eeh_pe_state_clear(pe, EEH_PE_RECOVERING, true); ++ ++ pci_unlock_rescan_remove(); + } + + /** +@@ -1132,6 +1143,7 @@ void eeh_handle_special_event(void) + unsigned long flags; + int rc; + ++ pci_lock_rescan_remove(); + + do { + rc = eeh_ops->next_error(&pe); +@@ -1171,10 +1183,12 @@ void eeh_handle_special_event(void) + + break; + case EEH_NEXT_ERR_NONE: ++ pci_unlock_rescan_remove(); + return; + default: + pr_warn("%s: Invalid value %d from next_error()\n", + __func__, rc); ++ pci_unlock_rescan_remove(); + return; + } + +@@ -1186,7 +1200,9 @@ void eeh_handle_special_event(void) + if (rc == EEH_NEXT_ERR_FROZEN_PE || + rc == EEH_NEXT_ERR_FENCED_PHB) { + eeh_pe_state_mark(pe, EEH_PE_RECOVERING); ++ pci_unlock_rescan_remove(); + eeh_handle_normal_event(pe); ++ pci_lock_rescan_remove(); + } else { + eeh_for_each_pe(pe, tmp_pe) + eeh_pe_for_each_dev(tmp_pe, edev, tmp_edev) +@@ -1199,7 +1215,6 @@ void eeh_handle_special_event(void) + eeh_report_failure, NULL); + eeh_set_channel_state(pe, pci_channel_io_perm_failure); + +- pci_lock_rescan_remove(); + list_for_each_entry(hose, &hose_list, list_node) { + phb_pe = eeh_phb_pe_get(hose); + if (!phb_pe || +@@ -1218,7 +1233,6 @@ void eeh_handle_special_event(void) + } + pci_hp_remove_devices(bus); + } +- pci_unlock_rescan_remove(); + } + + /* +@@ -1228,4 +1242,6 @@ void eeh_handle_special_event(void) + if (rc == EEH_NEXT_ERR_DEAD_IOC) + break; + } while (rc != EEH_NEXT_ERR_NONE); ++ ++ pci_unlock_rescan_remove(); + } +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c +index d283d281d28e..e740101fadf3 100644 +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -671,10 +671,12 @@ static void eeh_bridge_check_link(struct eeh_dev *edev) + eeh_ops->write_config(edev, cap + PCI_EXP_LNKCTL, 2, val); + + /* Check link */ +- if (!edev->pdev->link_active_reporting) { +- eeh_edev_dbg(edev, "No link reporting capability\n"); +- msleep(1000); +- return; ++ if (edev->pdev) { ++ if (!edev->pdev->link_active_reporting) { ++ eeh_edev_dbg(edev, "No link reporting capability\n"); ++ msleep(1000); ++ return; ++ } + } + + /* Wait the link is up until timeout (5s) */ +-- +2.39.5 + diff --git a/queue-6.15/powerpc-pseries-dlpar-search-drc-index-from-ibm-drc-.patch b/queue-6.15/powerpc-pseries-dlpar-search-drc-index-from-ibm-drc-.patch new file mode 100644 index 0000000000..9d8a079224 --- /dev/null +++ b/queue-6.15/powerpc-pseries-dlpar-search-drc-index-from-ibm-drc-.patch @@ -0,0 +1,113 @@ +From 340dd1366bfbd0e3277cdd55e4b3199c602bd32e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 May 2025 16:50:02 -0700 +Subject: powerpc/pseries/dlpar: Search DRC index from ibm,drc-indexes for IO + add +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haren Myneni + +[ Upstream commit 41a1452759a8b1121df9cf7310acf31d766ba70b ] + +IO hotplug add event is handled in the user space with drmgr tool. +After the device is enabled, the user space uses /sys/kernel/dlpar +interface with “dt add index ” to update the device tree. +The kernel interface (dlpar_hp_dt_add()) finds the parent node for +the specified ‘drc_index’ from ibm,drc-info property. The recent FW +provides this property from 2017 onwards. But KVM guest code in +some releases is still using the older SLOF firmware which has +ibm,drc-indexes property instead of ibm,drc-info. + +If the ibm,drc-info is not available, this patch adds changes to +search ‘drc_index’ from the indexes array in ibm,drc-indexes +property to support old FW. + +Fixes: 02b98ff44a57 ("powerpc/pseries/dlpar: Add device tree nodes for DLPAR IO add") +Reported-by: Kowshik Jois +Signed-off-by: Haren Myneni +Tested-by: Amit Machhiwal +Reviewed-by: Tyrel Datwyler +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250531235002.239213-1-haren@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/dlpar.c | 52 +++++++++++++++++++++++++- + 1 file changed, 50 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c +index 213aa26dc8b3..979487da6522 100644 +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -404,6 +404,45 @@ get_device_node_with_drc_info(u32 index) + return NULL; + } + ++static struct device_node * ++get_device_node_with_drc_indexes(u32 drc_index) ++{ ++ struct device_node *np = NULL; ++ u32 nr_indexes, index; ++ int i, rc; ++ ++ for_each_node_with_property(np, "ibm,drc-indexes") { ++ /* ++ * First element in the array is the total number of ++ * DRC indexes returned. ++ */ ++ rc = of_property_read_u32_index(np, "ibm,drc-indexes", ++ 0, &nr_indexes); ++ if (rc) ++ goto out_put_np; ++ ++ /* ++ * Retrieve DRC index from the list and return the ++ * device node if matched with the specified index. ++ */ ++ for (i = 0; i < nr_indexes; i++) { ++ rc = of_property_read_u32_index(np, "ibm,drc-indexes", ++ i+1, &index); ++ if (rc) ++ goto out_put_np; ++ ++ if (drc_index == index) ++ return np; ++ } ++ } ++ ++ return NULL; ++ ++out_put_np: ++ of_node_put(np); ++ return NULL; ++} ++ + static int dlpar_hp_dt_add(u32 index) + { + struct device_node *np, *nodes; +@@ -423,10 +462,19 @@ static int dlpar_hp_dt_add(u32 index) + goto out; + } + ++ /* ++ * Recent FW provides ibm,drc-info property. So search ++ * for the user specified DRC index from ibm,drc-info ++ * property. If this property is not available, search ++ * in the indexes array from ibm,drc-indexes property. ++ */ + np = get_device_node_with_drc_info(index); + +- if (!np) +- return -EIO; ++ if (!np) { ++ np = get_device_node_with_drc_indexes(index); ++ if (!np) ++ return -EIO; ++ } + + /* Next, configure the connector. */ + nodes = dlpar_configure_connector(cpu_to_be32(index), np); +-- +2.39.5 + diff --git a/queue-6.15/pps-fix-poll-support.patch b/queue-6.15/pps-fix-poll-support.patch new file mode 100644 index 0000000000..e94b94f72b --- /dev/null +++ b/queue-6.15/pps-fix-poll-support.patch @@ -0,0 +1,102 @@ +From 4e345cd08e0af4eeae537783b01511de4c8dbc69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 12:57:50 +0200 +Subject: pps: fix poll support + +From: Denis OSTERLAND-HEIM + +[ Upstream commit 12c409aa1ec2592280a2ddcc66ff8f3c7f7bb171 ] + +Because pps_cdev_poll() returns unconditionally EPOLLIN, +a user space program that calls select/poll get always an immediate data +ready-to-read response. As a result the intended use to wait until next +data becomes ready does not work. + +User space snippet: + + struct pollfd pollfd = { + .fd = open("/dev/pps0", O_RDONLY), + .events = POLLIN|POLLERR, + .revents = 0 }; + while(1) { + poll(&pollfd, 1, 2000/*ms*/); // returns immediate, but should wait + if(revents & EPOLLIN) { // always true + struct pps_fdata fdata; + memset(&fdata, 0, sizeof(memdata)); + ioctl(PPS_FETCH, &fdata); // currently fetches data at max speed + } + } + +Lets remember the last fetch event counter and compare this value +in pps_cdev_poll() with most recent event counter +and return 0 if they are equal. + +Signed-off-by: Denis OSTERLAND-HEIM +Co-developed-by: Rodolfo Giometti +Signed-off-by: Rodolfo Giometti +Fixes: eae9d2ba0cfc ("LinuxPPS: core support") +Link: https://lore.kernel.org/all/f6bed779-6d59-4f0f-8a59-b6312bd83b4e@enneenne.com/ +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/c3c50ad1eb19ef553eca8a57c17f4c006413ab70.camel@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/pps/pps.c | 11 +++++++++-- + include/linux/pps_kernel.h | 1 + + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c +index 6a02245ea35f..9463232af8d2 100644 +--- a/drivers/pps/pps.c ++++ b/drivers/pps/pps.c +@@ -41,6 +41,9 @@ static __poll_t pps_cdev_poll(struct file *file, poll_table *wait) + + poll_wait(file, &pps->queue, wait); + ++ if (pps->last_fetched_ev == pps->last_ev) ++ return 0; ++ + return EPOLLIN | EPOLLRDNORM; + } + +@@ -186,9 +189,11 @@ static long pps_cdev_ioctl(struct file *file, + if (err) + return err; + +- /* Return the fetched timestamp */ ++ /* Return the fetched timestamp and save last fetched event */ + spin_lock_irq(&pps->lock); + ++ pps->last_fetched_ev = pps->last_ev; ++ + fdata.info.assert_sequence = pps->assert_sequence; + fdata.info.clear_sequence = pps->clear_sequence; + fdata.info.assert_tu = pps->assert_tu; +@@ -272,9 +277,11 @@ static long pps_cdev_compat_ioctl(struct file *file, + if (err) + return err; + +- /* Return the fetched timestamp */ ++ /* Return the fetched timestamp and save last fetched event */ + spin_lock_irq(&pps->lock); + ++ pps->last_fetched_ev = pps->last_ev; ++ + compat.info.assert_sequence = pps->assert_sequence; + compat.info.clear_sequence = pps->clear_sequence; + compat.info.current_mode = pps->current_mode; +diff --git a/include/linux/pps_kernel.h b/include/linux/pps_kernel.h +index c7abce28ed29..aab0aebb529e 100644 +--- a/include/linux/pps_kernel.h ++++ b/include/linux/pps_kernel.h +@@ -52,6 +52,7 @@ struct pps_device { + int current_mode; /* PPS mode at event time */ + + unsigned int last_ev; /* last PPS event id */ ++ unsigned int last_fetched_ev; /* last fetched PPS event id */ + wait_queue_head_t queue; /* PPS event queue */ + + unsigned int id; /* PPS source unique ID */ +-- +2.39.5 + diff --git a/queue-6.15/proc-use-the-same-treatment-to-check-proc_lseek-as-o.patch b/queue-6.15/proc-use-the-same-treatment-to-check-proc_lseek-as-o.patch new file mode 100644 index 0000000000..057d17baa1 --- /dev/null +++ b/queue-6.15/proc-use-the-same-treatment-to-check-proc_lseek-as-o.patch @@ -0,0 +1,89 @@ +From b97f291cce2a5968e818a689fb75533c643a9a6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jun 2025 10:13:53 +0800 +Subject: proc: use the same treatment to check proc_lseek as ones for + proc_read_iter et.al + +From: wangzijie + +[ Upstream commit ff7ec8dc1b646296f8d94c39339e8d3833d16c05 ] + +Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. +It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in +proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same +manner. + +Link: https://lkml.kernel.org/r/20250607021353.1127963-1-wangzijie1@honor.com +Fixes: 3f61631d47f1 ("take care to handle NULL ->proc_lseek()") +Signed-off-by: wangzijie +Reviewed-by: Alexey Dobriyan +Cc: Alexei Starovoitov +Cc: Al Viro +Cc: "Edgecombe, Rick P" +Cc: Kirill A. Shuemov +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/proc/generic.c | 2 ++ + fs/proc/inode.c | 2 +- + fs/proc/internal.h | 5 +++++ + include/linux/proc_fs.h | 1 + + 4 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/proc/generic.c b/fs/proc/generic.c +index a3e22803cddf..e0e50914ab25 100644 +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -569,6 +569,8 @@ static void pde_set_flags(struct proc_dir_entry *pde) + if (pde->proc_ops->proc_compat_ioctl) + pde->flags |= PROC_ENTRY_proc_compat_ioctl; + #endif ++ if (pde->proc_ops->proc_lseek) ++ pde->flags |= PROC_ENTRY_proc_lseek; + } + + struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, +diff --git a/fs/proc/inode.c b/fs/proc/inode.c +index 3604b616311c..129490151be1 100644 +--- a/fs/proc/inode.c ++++ b/fs/proc/inode.c +@@ -473,7 +473,7 @@ static int proc_reg_open(struct inode *inode, struct file *file) + typeof_member(struct proc_ops, proc_open) open; + struct pde_opener *pdeo; + +- if (!pde->proc_ops->proc_lseek) ++ if (!pde_has_proc_lseek(pde)) + file->f_mode &= ~FMODE_LSEEK; + + if (pde_is_permanent(pde)) { +diff --git a/fs/proc/internal.h b/fs/proc/internal.h +index 96122e91c645..3d48ffe72583 100644 +--- a/fs/proc/internal.h ++++ b/fs/proc/internal.h +@@ -99,6 +99,11 @@ static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde) + #endif + } + ++static inline bool pde_has_proc_lseek(const struct proc_dir_entry *pde) ++{ ++ return pde->flags & PROC_ENTRY_proc_lseek; ++} ++ + extern struct kmem_cache *proc_dir_entry_cache; + void pde_free(struct proc_dir_entry *pde); + +diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h +index ea62201c74c4..703d0c76cc9a 100644 +--- a/include/linux/proc_fs.h ++++ b/include/linux/proc_fs.h +@@ -27,6 +27,7 @@ enum { + + PROC_ENTRY_proc_read_iter = 1U << 1, + PROC_ENTRY_proc_compat_ioctl = 1U << 2, ++ PROC_ENTRY_proc_lseek = 1U << 3, + }; + + struct proc_ops { +-- +2.39.5 + diff --git a/queue-6.15/rcu-fix-delayed-execution-of-hurry-callbacks.patch b/queue-6.15/rcu-fix-delayed-execution-of-hurry-callbacks.patch new file mode 100644 index 0000000000..17297317a4 --- /dev/null +++ b/queue-6.15/rcu-fix-delayed-execution-of-hurry-callbacks.patch @@ -0,0 +1,97 @@ +From 91e0a03ab95fd4e53357199f9ce7234f2580338b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 13:53:38 +0800 +Subject: rcu: Fix delayed execution of hurry callbacks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tze-nan Wu + +[ Upstream commit 463d46044f04013306a4893242f65788b8a16b2e ] + +We observed a regression in our customer’s environment after enabling +CONFIG_LAZY_RCU. In the Android Update Engine scenario, where ioctl() is +used heavily, we found that callbacks queued via call_rcu_hurry (such as +percpu_ref_switch_to_atomic_rcu) can sometimes be delayed by up to 5 +seconds before execution. This occurs because the new grace period does +not start immediately after the previous one completes. + +The root cause is that the wake_nocb_gp_defer() function now checks +"rdp->nocb_defer_wakeup" instead of "rdp_gp->nocb_defer_wakeup". On CPUs +that are not rcuog, "rdp->nocb_defer_wakeup" may always be +RCU_NOCB_WAKE_NOT. This can cause "rdp_gp->nocb_defer_wakeup" to be +downgraded and the "rdp_gp->nocb_timer" to be postponed by up to 10 +seconds, delaying the execution of hurry RCU callbacks. + +The trace log of one scenario we encountered is as follow: + // previous GP ends at this point + rcu_preempt [000] d..1. 137.240210: rcu_grace_period: rcu_preempt 8369 end + rcu_preempt [000] ..... 137.240212: rcu_grace_period: rcu_preempt 8372 reqwait + // call_rcu_hurry enqueues "percpu_ref_switch_to_atomic_rcu", the callback waited on by UpdateEngine + update_engine [002] d..1. 137.301593: __call_rcu_common: wyy: unlikely p_ref = 00000000********. lazy = 0 + // FirstQ on cpu 2 rdp_gp->nocb_timer is set to fire after 1 jiffy (4ms) + // and the rdp_gp->nocb_defer_wakeup is set to RCU_NOCB_WAKE + update_engine [002] d..2. 137.301595: rcu_nocb_wake: rcu_preempt 2 FirstQ on cpu2 with rdp_gp (cpu0). + // FirstBQ event on cpu2 during the 1 jiffy, make the timer postpond 10 seconds later. + // also, the rdp_gp->nocb_defer_wakeup is overwrite to RCU_NOCB_WAKE_LAZY + update_engine [002] d..1. 137.301601: rcu_nocb_wake: rcu_preempt 2 WakeEmptyIsDeferred + ... + ... + ... + // before the 10 seconds timeout, cpu0 received another call_rcu_hurry + // reset the timer to jiffies+1 and set the waketype = RCU_NOCB_WAKE. + kworker/u32:0 [000] d..2. 142.557564: rcu_nocb_wake: rcu_preempt 0 FirstQ + kworker/u32:0 [000] d..1. 142.557576: rcu_nocb_wake: rcu_preempt 0 WakeEmptyIsDeferred + kworker/u32:0 [000] d..1. 142.558296: rcu_nocb_wake: rcu_preempt 0 WakeNot + kworker/u32:0 [000] d..1. 142.558562: rcu_nocb_wake: rcu_preempt 0 WakeNot + // idle(do_nocb_deferred_wakeup) wake rcuog due to waketype == RCU_NOCB_WAKE + [000] d..1. 142.558786: rcu_nocb_wake: rcu_preempt 0 DoWake + [000] dN.1. 142.558839: rcu_nocb_wake: rcu_preempt 0 DeferredWake + rcuog/0 [000] ..... 142.558871: rcu_nocb_wake: rcu_preempt 0 EndSleep + rcuog/0 [000] ..... 142.558877: rcu_nocb_wake: rcu_preempt 0 Check + // finally rcuog request a new GP at this point (5 seconds after the FirstQ event) + rcuog/0 [000] d..2. 142.558886: rcu_grace_period: rcu_preempt 8372 newreq + rcu_preempt [001] d..1. 142.559458: rcu_grace_period: rcu_preempt 8373 start + ... + rcu_preempt [000] d..1. 142.564258: rcu_grace_period: rcu_preempt 8373 end + rcuop/2 [000] D..1. 142.566337: rcu_batch_start: rcu_preempt CBs=219 bl=10 + // the hurry CB is invoked at this point + rcuop/2 [000] b.... 142.566352: blk_queue_usage_counter_release: wyy: wakeup. p_ref = 00000000********. + +This patch changes the condition to check "rdp_gp->nocb_defer_wakeup" in +the lazy path. This prevents an already scheduled "rdp_gp->nocb_timer" +from being postponed and avoids overwriting "rdp_gp->nocb_defer_wakeup" +when it is not RCU_NOCB_WAKE_NOT. + +Fixes: 3cb278e73be5 ("rcu: Make call_rcu() lazy to save power") +Co-developed-by: Cheng-jui Wang +Signed-off-by: Cheng-jui Wang +Co-developed-by: Lorry.Luo@mediatek.com +Signed-off-by: Lorry.Luo@mediatek.com +Tested-by: weiyangyang@vivo.com +Signed-off-by: weiyangyang@vivo.com +Signed-off-by: Tze-nan Wu +Reviewed-by: Frederic Weisbecker +Signed-off-by: Neeraj Upadhyay (AMD) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_nocb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h +index fa269d34167a..6b3118a4dde3 100644 +--- a/kernel/rcu/tree_nocb.h ++++ b/kernel/rcu/tree_nocb.h +@@ -276,7 +276,7 @@ static void wake_nocb_gp_defer(struct rcu_data *rdp, int waketype, + * callback storms, no need to wake up too early. + */ + if (waketype == RCU_NOCB_WAKE_LAZY && +- rdp->nocb_defer_wakeup == RCU_NOCB_WAKE_NOT) { ++ rdp_gp->nocb_defer_wakeup == RCU_NOCB_WAKE_NOT) { + mod_timer(&rdp_gp->nocb_timer, jiffies + rcu_get_jiffies_lazy_flush()); + WRITE_ONCE(rdp_gp->nocb_defer_wakeup, waketype); + } else if (waketype == RCU_NOCB_WAKE_BYPASS) { +-- +2.39.5 + diff --git a/queue-6.15/rdma-hns-drop-gfp_nowarn.patch b/queue-6.15/rdma-hns-drop-gfp_nowarn.patch new file mode 100644 index 0000000000..0991334fe7 --- /dev/null +++ b/queue-6.15/rdma-hns-drop-gfp_nowarn.patch @@ -0,0 +1,90 @@ +From 8e7e745270e7f51dd4abb93916b46178fba868ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 19:39:04 +0800 +Subject: RDMA/hns: Drop GFP_NOWARN + +From: Junxian Huang + +[ Upstream commit 5338abb299f0cd764edf78a7e71a0b746af35030 ] + +GFP_NOWARN silences all warnings on dma_alloc_coherent() failure, +which might otherwise help with troubleshooting. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250703113905.3597124-6-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 18 +++++------------- + 1 file changed, 5 insertions(+), 13 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index ca0798224e56..3d479c63b117 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -249,15 +249,12 @@ int hns_roce_calc_hem_mhop(struct hns_roce_dev *hr_dev, + } + + static struct hns_roce_hem *hns_roce_alloc_hem(struct hns_roce_dev *hr_dev, +- unsigned long hem_alloc_size, +- gfp_t gfp_mask) ++ unsigned long hem_alloc_size) + { + struct hns_roce_hem *hem; + int order; + void *buf; + +- WARN_ON(gfp_mask & __GFP_HIGHMEM); +- + order = get_order(hem_alloc_size); + if (PAGE_SIZE << order != hem_alloc_size) { + dev_err(hr_dev->dev, "invalid hem_alloc_size: %lu!\n", +@@ -265,13 +262,12 @@ static struct hns_roce_hem *hns_roce_alloc_hem(struct hns_roce_dev *hr_dev, + return NULL; + } + +- hem = kmalloc(sizeof(*hem), +- gfp_mask & ~(__GFP_HIGHMEM | __GFP_NOWARN)); ++ hem = kmalloc(sizeof(*hem), GFP_KERNEL); + if (!hem) + return NULL; + + buf = dma_alloc_coherent(hr_dev->dev, hem_alloc_size, +- &hem->dma, gfp_mask); ++ &hem->dma, GFP_KERNEL); + if (!buf) + goto fail; + +@@ -378,7 +374,6 @@ static int alloc_mhop_hem(struct hns_roce_dev *hr_dev, + { + u32 bt_size = mhop->bt_chunk_size; + struct device *dev = hr_dev->dev; +- gfp_t flag; + u64 bt_ba; + u32 size; + int ret; +@@ -417,8 +412,7 @@ static int alloc_mhop_hem(struct hns_roce_dev *hr_dev, + * alloc bt space chunk for MTT/CQE. + */ + size = table->type < HEM_TYPE_MTT ? mhop->buf_chunk_size : bt_size; +- flag = GFP_KERNEL | __GFP_NOWARN; +- table->hem[index->buf] = hns_roce_alloc_hem(hr_dev, size, flag); ++ table->hem[index->buf] = hns_roce_alloc_hem(hr_dev, size); + if (!table->hem[index->buf]) { + ret = -ENOMEM; + goto err_alloc_hem; +@@ -546,9 +540,7 @@ int hns_roce_table_get(struct hns_roce_dev *hr_dev, + goto out; + } + +- table->hem[i] = hns_roce_alloc_hem(hr_dev, +- table->table_chunk_size, +- GFP_KERNEL | __GFP_NOWARN); ++ table->hem[i] = hns_roce_alloc_hem(hr_dev, table->table_chunk_size); + if (!table->hem[i]) { + ret = -ENOMEM; + goto out; +-- +2.39.5 + diff --git a/queue-6.15/rdma-hns-fix-accessing-uninitialized-resources.patch b/queue-6.15/rdma-hns-fix-accessing-uninitialized-resources.patch new file mode 100644 index 0000000000..2aca658331 --- /dev/null +++ b/queue-6.15/rdma-hns-fix-accessing-uninitialized-resources.patch @@ -0,0 +1,67 @@ +From 0623d2080ae27c0b63648862c295cd88a31d5975 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 19:39:03 +0800 +Subject: RDMA/hns: Fix accessing uninitialized resources + +From: Junxian Huang + +[ Upstream commit 278c18a4a78a9a6bf529ef45ccde512a5686ea9d ] + +hr_dev->pgdir_list and hr_dev->pgdir_mutex won't be initialized if +CQ/QP record db are not enabled, but they are also needed when using +SRQ with SRQ record db enabled. Simplified the logic by always +initailizing the reosurces. + +Fixes: c9813b0b9992 ("RDMA/hns: Support SRQ record doorbell") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250703113905.3597124-5-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_main.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index 623610b3e2ec..11fa64044a8d 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -947,10 +947,7 @@ static int hns_roce_init_hem(struct hns_roce_dev *hr_dev) + static void hns_roce_teardown_hca(struct hns_roce_dev *hr_dev) + { + hns_roce_cleanup_bitmap(hr_dev); +- +- if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB || +- hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB) +- mutex_destroy(&hr_dev->pgdir_mutex); ++ mutex_destroy(&hr_dev->pgdir_mutex); + } + + /** +@@ -968,11 +965,8 @@ static int hns_roce_setup_hca(struct hns_roce_dev *hr_dev) + INIT_LIST_HEAD(&hr_dev->qp_list); + spin_lock_init(&hr_dev->qp_list_lock); + +- if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB || +- hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB) { +- INIT_LIST_HEAD(&hr_dev->pgdir_list); +- mutex_init(&hr_dev->pgdir_mutex); +- } ++ INIT_LIST_HEAD(&hr_dev->pgdir_list); ++ mutex_init(&hr_dev->pgdir_mutex); + + hns_roce_init_uar_table(hr_dev); + +@@ -1004,9 +998,7 @@ static int hns_roce_setup_hca(struct hns_roce_dev *hr_dev) + + err_uar_table_free: + ida_destroy(&hr_dev->uar_ida.ida); +- if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB || +- hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB) +- mutex_destroy(&hr_dev->pgdir_mutex); ++ mutex_destroy(&hr_dev->pgdir_mutex); + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.15/rdma-hns-fix-double-destruction-of-rsv_qp.patch b/queue-6.15/rdma-hns-fix-double-destruction-of-rsv_qp.patch new file mode 100644 index 0000000000..b8115b7b7c --- /dev/null +++ b/queue-6.15/rdma-hns-fix-double-destruction-of-rsv_qp.patch @@ -0,0 +1,137 @@ +From 291a8280cfef66ab95bedbaa9b6bc0fba28efe79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 19:39:00 +0800 +Subject: RDMA/hns: Fix double destruction of rsv_qp + +From: wenglianfa + +[ Upstream commit c6957b95ecc5b63c5a4bb4ecc28af326cf8f6dc8 ] + +rsv_qp may be double destroyed in error flow, first in free_mr_init(), +and then in hns_roce_exit(). Fix it by moving the free_mr_init() call +into hns_roce_v2_init(). + +list_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100) +WARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240 +... +Call trace: + __list_del_entry_valid+0x148/0x240 + hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2] + hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2] + hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2] + free_mr_exit+0x6c/0x120 [hns_roce_hw_v2] + hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2] + hns_roce_exit+0x118/0x350 [hns_roce_hw_v2] + __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2] + hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2] + hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2] + hclge_notify_roce_client+0x6c/0x160 [hclge] + hclge_reset_rebuild+0x150/0x5c0 [hclge] + hclge_reset+0x10c/0x140 [hclge] + hclge_reset_subtask+0x80/0x104 [hclge] + hclge_reset_service_task+0x168/0x3ac [hclge] + hclge_service_task+0x50/0x100 [hclge] + process_one_work+0x250/0x9a0 + worker_thread+0x324/0x990 + kthread+0x190/0x210 + ret_from_fork+0x10/0x18 + +Fixes: fd8489294dd2 ("RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08") +Signed-off-by: wenglianfa +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250703113905.3597124-2-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 25 +++++++++++----------- + drivers/infiniband/hw/hns/hns_roce_main.c | 6 +++--- + 2 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index bbf6e1983704..126990bf74b4 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -2971,14 +2971,22 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev) + { + int ret; + ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) { ++ ret = free_mr_init(hr_dev); ++ if (ret) { ++ dev_err(hr_dev->dev, "failed to init free mr!\n"); ++ return ret; ++ } ++ } ++ + /* The hns ROCEE requires the extdb info to be cleared before using */ + ret = hns_roce_clear_extdb_list_info(hr_dev); + if (ret) +- return ret; ++ goto err_clear_extdb_failed; + + ret = get_hem_table(hr_dev); + if (ret) +- return ret; ++ goto err_clear_extdb_failed; + + if (hr_dev->is_vf) + return 0; +@@ -2993,6 +3001,9 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev) + + err_llm_init_failed: + put_hem_table(hr_dev); ++err_clear_extdb_failed: ++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) ++ free_mr_exit(hr_dev); + + return ret; + } +@@ -7027,21 +7038,11 @@ static int __hns_roce_hw_v2_init_instance(struct hnae3_handle *handle) + goto error_failed_roce_init; + } + +- if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) { +- ret = free_mr_init(hr_dev); +- if (ret) { +- dev_err(hr_dev->dev, "failed to init free mr!\n"); +- goto error_failed_free_mr_init; +- } +- } + + handle->priv = hr_dev; + + return 0; + +-error_failed_free_mr_init: +- hns_roce_exit(hr_dev); +- + error_failed_roce_init: + kfree(hr_dev->priv); + +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index e7a497cc125c..623610b3e2ec 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -965,6 +965,9 @@ static int hns_roce_setup_hca(struct hns_roce_dev *hr_dev) + + spin_lock_init(&hr_dev->sm_lock); + ++ INIT_LIST_HEAD(&hr_dev->qp_list); ++ spin_lock_init(&hr_dev->qp_list_lock); ++ + if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_CQ_RECORD_DB || + hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_RECORD_DB) { + INIT_LIST_HEAD(&hr_dev->pgdir_list); +@@ -1132,9 +1135,6 @@ int hns_roce_init(struct hns_roce_dev *hr_dev) + } + } + +- INIT_LIST_HEAD(&hr_dev->qp_list); +- spin_lock_init(&hr_dev->qp_list_lock); +- + ret = hns_roce_register_device(hr_dev); + if (ret) + goto error_failed_register_device; +-- +2.39.5 + diff --git a/queue-6.15/rdma-hns-fix-hw-configurations-not-cleared-in-error-.patch b/queue-6.15/rdma-hns-fix-hw-configurations-not-cleared-in-error-.patch new file mode 100644 index 0000000000..11f81e25d5 --- /dev/null +++ b/queue-6.15/rdma-hns-fix-hw-configurations-not-cleared-in-error-.patch @@ -0,0 +1,49 @@ +From a7e05d8db6b20b7aa177d021d0783948d4f8484a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 19:39:01 +0800 +Subject: RDMA/hns: Fix HW configurations not cleared in error flow + +From: wenglianfa + +[ Upstream commit 998b41cb20b02c4e28ac558e4e7f8609d659ec05 ] + +hns_roce_clear_extdb_list_info() will eventually do some HW +configurations through FW, and they need to be cleared by +calling hns_roce_function_clear() when the initialization +fails. + +Fixes: 7e78dd816e45 ("RDMA/hns: Clear extended doorbell info before using") +Signed-off-by: wenglianfa +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250703113905.3597124-3-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 126990bf74b4..217c252fc722 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -2986,7 +2986,7 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev) + + ret = get_hem_table(hr_dev); + if (ret) +- goto err_clear_extdb_failed; ++ goto err_get_hem_table_failed; + + if (hr_dev->is_vf) + return 0; +@@ -3001,6 +3001,8 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev) + + err_llm_init_failed: + put_hem_table(hr_dev); ++err_get_hem_table_failed: ++ hns_roce_function_clear(hr_dev); + err_clear_extdb_failed: + if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) + free_mr_exit(hr_dev); +-- +2.39.5 + diff --git a/queue-6.15/rdma-hns-fix-wframe-larger-than-issue.patch b/queue-6.15/rdma-hns-fix-wframe-larger-than-issue.patch new file mode 100644 index 0000000000..9b7dd8b76d --- /dev/null +++ b/queue-6.15/rdma-hns-fix-wframe-larger-than-issue.patch @@ -0,0 +1,67 @@ +From 34541cc83f40d19e5e6925032e7669b0a81ede86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 19:39:05 +0800 +Subject: RDMA/hns: Fix -Wframe-larger-than issue + +From: Junxian Huang + +[ Upstream commit 79d56805c5068f2bc81518043e043c3dedd1c82a ] + +Fix -Wframe-larger-than issue by allocating memory for qpc struct +with kzalloc() instead of using stack memory. + +Fixes: 606bf89e98ef ("RDMA/hns: Refactor for hns_roce_v2_modify_qp function") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506240032.CSgIyFct-lkp@intel.com/ +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250703113905.3597124-7-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 1c55ed69b560..07d93cf4557e 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -5371,11 +5371,10 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp, + { + struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device); + struct hns_roce_qp *hr_qp = to_hr_qp(ibqp); +- struct hns_roce_v2_qp_context ctx[2]; +- struct hns_roce_v2_qp_context *context = ctx; +- struct hns_roce_v2_qp_context *qpc_mask = ctx + 1; ++ struct hns_roce_v2_qp_context *context; ++ struct hns_roce_v2_qp_context *qpc_mask; + struct ib_device *ibdev = &hr_dev->ib_dev; +- int ret; ++ int ret = -ENOMEM; + + if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS) + return -EOPNOTSUPP; +@@ -5386,7 +5385,11 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp, + * we should set all bits of the relevant fields in context mask to + * 0 at the same time, else set them to 0x1. + */ +- memset(context, 0, hr_dev->caps.qpc_sz); ++ context = kvzalloc(sizeof(*context), GFP_KERNEL); ++ qpc_mask = kvzalloc(sizeof(*qpc_mask), GFP_KERNEL); ++ if (!context || !qpc_mask) ++ goto out; ++ + memset(qpc_mask, 0xff, hr_dev->caps.qpc_sz); + + ret = hns_roce_v2_set_abs_fields(ibqp, attr, attr_mask, cur_state, +@@ -5428,6 +5431,8 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp, + clear_qp(hr_qp); + + out: ++ kvfree(qpc_mask); ++ kvfree(context); + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.15/rdma-hns-get-message-length-of-ack_req-from-fw.patch b/queue-6.15/rdma-hns-get-message-length-of-ack_req-from-fw.patch new file mode 100644 index 0000000000..c4d7149b8c --- /dev/null +++ b/queue-6.15/rdma-hns-get-message-length-of-ack_req-from-fw.patch @@ -0,0 +1,189 @@ +From e21da117227351605b50b9bb88b0adf2882aff48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 19:39:02 +0800 +Subject: RDMA/hns: Get message length of ack_req from FW + +From: Junxian Huang + +[ Upstream commit 2c2ec0106c0f1f12d4eefd11de318ac47557a750 ] + +ACK_REQ_FREQ indicates the number of packets (after MTU fragmentation) +HW sends before setting an ACK request. When MTU is greater than or +equal to 1024, the current ACK_REQ_FREQ value causes HW to request an +ACK for every MTU fragment. The processing of a large number of ACKs +severely impacts HW performance when sending large size payloads. + +Get message length of ack_req from FW so that we can adjust this +parameter according to different situations. There are several +constraints for ACK_REQ_FREQ: + +1. mtu * (2 ^ ACK_REQ_FREQ) should not be too large, otherwise it may + cause some unexpected retries when sending large payload. + +2. ACK_REQ_FREQ should be larger than or equal to LP_PKTN_INI. + +3. ACK_REQ_FREQ must be equal to LP_PKTN_INI when using LDCP + or HC3 congestion control algorithm. + +Fixes: 56518a603fd2 ("RDMA/hns: Modify the value of long message loopback slice") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250703113905.3597124-4-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_device.h | 1 + + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 45 ++++++++++++++++----- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 8 +++- + 3 files changed, 43 insertions(+), 11 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h +index 560a1d9de408..cbe73d9ad525 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_device.h ++++ b/drivers/infiniband/hw/hns/hns_roce_device.h +@@ -856,6 +856,7 @@ struct hns_roce_caps { + u16 default_ceq_arm_st; + u8 cong_cap; + enum hns_roce_cong_type default_cong_type; ++ u32 max_ack_req_msg_len; + }; + + enum hns_roce_device_state { +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 217c252fc722..1c55ed69b560 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -2181,31 +2181,36 @@ static void apply_func_caps(struct hns_roce_dev *hr_dev) + + static int hns_roce_query_caps(struct hns_roce_dev *hr_dev) + { +- struct hns_roce_cmq_desc desc[HNS_ROCE_QUERY_PF_CAPS_CMD_NUM]; ++ struct hns_roce_cmq_desc desc[HNS_ROCE_QUERY_PF_CAPS_CMD_NUM] = {}; + struct hns_roce_caps *caps = &hr_dev->caps; + struct hns_roce_query_pf_caps_a *resp_a; + struct hns_roce_query_pf_caps_b *resp_b; + struct hns_roce_query_pf_caps_c *resp_c; + struct hns_roce_query_pf_caps_d *resp_d; + struct hns_roce_query_pf_caps_e *resp_e; ++ struct hns_roce_query_pf_caps_f *resp_f; + enum hns_roce_opcode_type cmd; + int ctx_hop_num; + int pbl_hop_num; ++ int cmd_num; + int ret; + int i; + + cmd = hr_dev->is_vf ? HNS_ROCE_OPC_QUERY_VF_CAPS_NUM : + HNS_ROCE_OPC_QUERY_PF_CAPS_NUM; ++ cmd_num = hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08 ? ++ HNS_ROCE_QUERY_PF_CAPS_CMD_NUM_HIP08 : ++ HNS_ROCE_QUERY_PF_CAPS_CMD_NUM; + +- for (i = 0; i < HNS_ROCE_QUERY_PF_CAPS_CMD_NUM; i++) { ++ for (i = 0; i < cmd_num - 1; i++) { + hns_roce_cmq_setup_basic_desc(&desc[i], cmd, true); +- if (i < (HNS_ROCE_QUERY_PF_CAPS_CMD_NUM - 1)) +- desc[i].flag |= cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT); +- else +- desc[i].flag &= ~cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT); ++ desc[i].flag |= cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT); + } + +- ret = hns_roce_cmq_send(hr_dev, desc, HNS_ROCE_QUERY_PF_CAPS_CMD_NUM); ++ hns_roce_cmq_setup_basic_desc(&desc[cmd_num - 1], cmd, true); ++ desc[cmd_num - 1].flag &= ~cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT); ++ ++ ret = hns_roce_cmq_send(hr_dev, desc, cmd_num); + if (ret) + return ret; + +@@ -2214,6 +2219,7 @@ static int hns_roce_query_caps(struct hns_roce_dev *hr_dev) + resp_c = (struct hns_roce_query_pf_caps_c *)desc[2].data; + resp_d = (struct hns_roce_query_pf_caps_d *)desc[3].data; + resp_e = (struct hns_roce_query_pf_caps_e *)desc[4].data; ++ resp_f = (struct hns_roce_query_pf_caps_f *)desc[5].data; + + caps->local_ca_ack_delay = resp_a->local_ca_ack_delay; + caps->max_sq_sg = le16_to_cpu(resp_a->max_sq_sg); +@@ -2278,6 +2284,8 @@ static int hns_roce_query_caps(struct hns_roce_dev *hr_dev) + caps->reserved_srqs = hr_reg_read(resp_e, PF_CAPS_E_RSV_SRQS); + caps->reserved_lkey = hr_reg_read(resp_e, PF_CAPS_E_RSV_LKEYS); + ++ caps->max_ack_req_msg_len = le32_to_cpu(resp_f->max_ack_req_msg_len); ++ + caps->qpc_hop_num = ctx_hop_num; + caps->sccc_hop_num = ctx_hop_num; + caps->srqc_hop_num = ctx_hop_num; +@@ -4559,7 +4567,9 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp, + dma_addr_t trrl_ba; + dma_addr_t irrl_ba; + enum ib_mtu ib_mtu; ++ u8 ack_req_freq; + const u8 *smac; ++ int lp_msg_len; + u8 lp_pktn_ini; + u64 *mtts; + u8 *dmac; +@@ -4642,7 +4652,8 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp, + return -EINVAL; + #define MIN_LP_MSG_LEN 1024 + /* mtu * (2 ^ lp_pktn_ini) should be in the range of 1024 to mtu */ +- lp_pktn_ini = ilog2(max(mtu, MIN_LP_MSG_LEN) / mtu); ++ lp_msg_len = max(mtu, MIN_LP_MSG_LEN); ++ lp_pktn_ini = ilog2(lp_msg_len / mtu); + + if (attr_mask & IB_QP_PATH_MTU) { + hr_reg_write(context, QPC_MTU, ib_mtu); +@@ -4652,8 +4663,22 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp, + hr_reg_write(context, QPC_LP_PKTN_INI, lp_pktn_ini); + hr_reg_clear(qpc_mask, QPC_LP_PKTN_INI); + +- /* ACK_REQ_FREQ should be larger than or equal to LP_PKTN_INI */ +- hr_reg_write(context, QPC_ACK_REQ_FREQ, lp_pktn_ini); ++ /* ++ * There are several constraints for ACK_REQ_FREQ: ++ * 1. mtu * (2 ^ ACK_REQ_FREQ) should not be too large, otherwise ++ * it may cause some unexpected retries when sending large ++ * payload. ++ * 2. ACK_REQ_FREQ should be larger than or equal to LP_PKTN_INI. ++ * 3. ACK_REQ_FREQ must be equal to LP_PKTN_INI when using LDCP ++ * or HC3 congestion control algorithm. ++ */ ++ if (hr_qp->cong_type == CONG_TYPE_LDCP || ++ hr_qp->cong_type == CONG_TYPE_HC3 || ++ hr_dev->caps.max_ack_req_msg_len < lp_msg_len) ++ ack_req_freq = lp_pktn_ini; ++ else ++ ack_req_freq = ilog2(hr_dev->caps.max_ack_req_msg_len / mtu); ++ hr_reg_write(context, QPC_ACK_REQ_FREQ, ack_req_freq); + hr_reg_clear(qpc_mask, QPC_ACK_REQ_FREQ); + + hr_reg_clear(qpc_mask, QPC_RX_REQ_PSN_ERR); +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index bc7466830eaf..1c2660305d27 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -1168,7 +1168,8 @@ struct hns_roce_cfg_gmv_tb_b { + #define GMV_TB_B_SMAC_H GMV_TB_B_FIELD_LOC(47, 32) + #define GMV_TB_B_SGID_IDX GMV_TB_B_FIELD_LOC(71, 64) + +-#define HNS_ROCE_QUERY_PF_CAPS_CMD_NUM 5 ++#define HNS_ROCE_QUERY_PF_CAPS_CMD_NUM_HIP08 5 ++#define HNS_ROCE_QUERY_PF_CAPS_CMD_NUM 6 + struct hns_roce_query_pf_caps_a { + u8 number_ports; + u8 local_ca_ack_delay; +@@ -1280,6 +1281,11 @@ struct hns_roce_query_pf_caps_e { + __le16 aeq_period; + }; + ++struct hns_roce_query_pf_caps_f { ++ __le32 max_ack_req_msg_len; ++ __le32 rsv[5]; ++}; ++ + #define PF_CAPS_E_FIELD_LOC(h, l) \ + FIELD_LOC(struct hns_roce_query_pf_caps_e, h, l) + +-- +2.39.5 + diff --git a/queue-6.15/rdma-mana_ib-fix-dscp-value-in-modify-qp.patch b/queue-6.15/rdma-mana_ib-fix-dscp-value-in-modify-qp.patch new file mode 100644 index 0000000000..32cdbf366d --- /dev/null +++ b/queue-6.15/rdma-mana_ib-fix-dscp-value-in-modify-qp.patch @@ -0,0 +1,38 @@ +From 833dbd57c5cb6946636660478c30f3d9cec82084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 03:24:45 -0700 +Subject: RDMA/mana_ib: Fix DSCP value in modify QP + +From: Shiraz Saleem + +[ Upstream commit 62de0e67328e9503459a24b9343c3358937cdeef ] + +Convert the traffic_class in GRH to a DSCP value as required by the HW. + +Fixes: e095405b45bb ("RDMA/mana_ib: Modify QP state") +Signed-off-by: Shiraz Saleem +Signed-off-by: Konstantin Taranov +Link: https://patch.msgid.link/1752143085-4169-1-git-send-email-kotaranov@linux.microsoft.com +Reviewed-by: Long Li +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mana/qp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c +index c928af58f38b..456d78c6fcb8 100644 +--- a/drivers/infiniband/hw/mana/qp.c ++++ b/drivers/infiniband/hw/mana/qp.c +@@ -773,7 +773,7 @@ static int mana_ib_gd_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + req.ah_attr.dest_port = ROCE_V2_UDP_DPORT; + req.ah_attr.src_port = rdma_get_udp_sport(attr->ah_attr.grh.flow_label, + ibqp->qp_num, attr->dest_qp_num); +- req.ah_attr.traffic_class = attr->ah_attr.grh.traffic_class; ++ req.ah_attr.traffic_class = attr->ah_attr.grh.traffic_class >> 2; + req.ah_attr.hop_limit = attr->ah_attr.grh.hop_limit; + } + +-- +2.39.5 + diff --git a/queue-6.15/rdma-mlx5-fix-umr-modifying-of-mkey-page-size.patch b/queue-6.15/rdma-mlx5-fix-umr-modifying-of-mkey-page-size.patch new file mode 100644 index 0000000000..f87d3a4d8e --- /dev/null +++ b/queue-6.15/rdma-mlx5-fix-umr-modifying-of-mkey-page-size.patch @@ -0,0 +1,79 @@ +From a5e462028d88f011e163e74bf2bf0109698ffc5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 09:42:09 +0300 +Subject: RDMA/mlx5: Fix UMR modifying of mkey page size + +From: Edward Srouji + +[ Upstream commit c4f96972c3c206ac8f6770b5ecd5320b561d0058 ] + +When changing the page size on an mkey, the driver needs to set the +appropriate bits in the mkey mask to indicate which fields are being +modified. +The 6th bit of a page size in mlx5 driver is considered an extension, +and this bit has a dedicated capability and mask bits. + +Previously, the driver was not setting this mask in the mkey mask when +performing page size changes, regardless of its hardware support, +potentially leading to an incorrect page size updates. + +This fixes the issue by setting the relevant bit in the mkey mask when +performing page size changes on an mkey and the 6th bit of this field is +supported by the hardware. + +Fixes: cef7dde8836a ("net/mlx5: Expand mkey page size to support 6 bits") +Signed-off-by: Edward Srouji +Reviewed-by: Michael Guralnik +Link: https://patch.msgid.link/9f43a9c73bf2db6085a99dc836f7137e76579f09.1751979184.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/umr.c | 6 ++++-- + include/linux/mlx5/device.h | 1 + + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/umr.c b/drivers/infiniband/hw/mlx5/umr.c +index 793f3c5c4d01..80c665d15218 100644 +--- a/drivers/infiniband/hw/mlx5/umr.c ++++ b/drivers/infiniband/hw/mlx5/umr.c +@@ -32,13 +32,15 @@ static __be64 get_umr_disable_mr_mask(void) + return cpu_to_be64(result); + } + +-static __be64 get_umr_update_translation_mask(void) ++static __be64 get_umr_update_translation_mask(struct mlx5_ib_dev *dev) + { + u64 result; + + result = MLX5_MKEY_MASK_LEN | + MLX5_MKEY_MASK_PAGE_SIZE | + MLX5_MKEY_MASK_START_ADDR; ++ if (MLX5_CAP_GEN_2(dev->mdev, umr_log_entity_size_5)) ++ result |= MLX5_MKEY_MASK_PAGE_SIZE_5; + + return cpu_to_be64(result); + } +@@ -654,7 +656,7 @@ static void mlx5r_umr_final_update_xlt(struct mlx5_ib_dev *dev, + flags & MLX5_IB_UPD_XLT_ENABLE || flags & MLX5_IB_UPD_XLT_ADDR; + + if (update_translation) { +- wqe->ctrl_seg.mkey_mask |= get_umr_update_translation_mask(); ++ wqe->ctrl_seg.mkey_mask |= get_umr_update_translation_mask(dev); + if (!mr->ibmr.length) + MLX5_SET(mkc, &wqe->mkey_seg, length64, 1); + } +diff --git a/include/linux/mlx5/device.h b/include/linux/mlx5/device.h +index 6822cfa5f4ad..9d2467f982ad 100644 +--- a/include/linux/mlx5/device.h ++++ b/include/linux/mlx5/device.h +@@ -280,6 +280,7 @@ enum { + MLX5_MKEY_MASK_SMALL_FENCE = 1ull << 23, + MLX5_MKEY_MASK_RELAXED_ORDERING_WRITE = 1ull << 25, + MLX5_MKEY_MASK_FREE = 1ull << 29, ++ MLX5_MKEY_MASK_PAGE_SIZE_5 = 1ull << 42, + MLX5_MKEY_MASK_RELAXED_ORDERING_READ = 1ull << 47, + }; + +-- +2.39.5 + diff --git a/queue-6.15/reapply-wifi-mac80211-update-skb-s-control-block-key.patch b/queue-6.15/reapply-wifi-mac80211-update-skb-s-control-block-key.patch new file mode 100644 index 0000000000..8d5fcc5be0 --- /dev/null +++ b/queue-6.15/reapply-wifi-mac80211-update-skb-s-control-block-key.patch @@ -0,0 +1,40 @@ +From 4c57c711efda0e9598c28ea672fa898480811a86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 17:45:29 +0200 +Subject: Reapply "wifi: mac80211: Update skb's control block key in + ieee80211_tx_dequeue()" + +From: Remi Pommarel + +[ Upstream commit 754fe848b3b297fc85ec24cd959bad22b6df8cb8 ] + +This reverts commit 0937cb5f345c ("Revert "wifi: mac80211: Update +skb's control block key in ieee80211_tx_dequeue()""). + +This commit broke TX with 802.11 encapsulation HW offloading, now that +this is fixed, reapply it. + +Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue") +Signed-off-by: Remi Pommarel +Link: https://patch.msgid.link/66b8fc39fb0194fa06c9ca7eeb6ffe0118dcb3ec.1752765971.git.repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 7799455b0403..506523803cc0 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3894,6 +3894,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, + * The key can be removed while the packet was queued, so need to call + * this here to get the current key. + */ ++ info->control.hw_key = NULL; + r = ieee80211_tx_h_select_key(&tx); + if (r != TX_CONTINUE) { + ieee80211_free_txskb(&local->hw, skb); +-- +2.39.5 + diff --git a/queue-6.15/refscale-check-that-nreaders-and-loops-multiplicatio.patch b/queue-6.15/refscale-check-that-nreaders-and-loops-multiplicatio.patch new file mode 100644 index 0000000000..afc0e2e2f1 --- /dev/null +++ b/queue-6.15/refscale-check-that-nreaders-and-loops-multiplicatio.patch @@ -0,0 +1,74 @@ +From 1b1298c772985dafcda1351b178850ebd0cf37a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jun 2025 23:12:12 +0000 +Subject: refscale: Check that nreaders and loops multiplication doesn't + overflow + +From: Artem Sadovnikov + +[ Upstream commit 005b6187705bc9723518ce19c5cb911fc1f7ef07 ] + +The nreaders and loops variables are exposed as module parameters, which, +in certain combinations, can lead to multiplication overflow. + +Besides, loops parameter is defined as long, while through the code is +used as int, which can cause truncation on 64-bit kernels and possible +zeroes where they shouldn't appear. + +Since code uses result of multiplication as int anyway, it only makes sense +to replace loops with int. Multiplication overflow check is also added +due to possible multiplication between two very big numbers. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 653ed64b01dc ("refperf: Add a test to measure performance of read-side synchronization") +Signed-off-by: Artem Sadovnikov +Signed-off-by: Neeraj Upadhyay (AMD) +Signed-off-by: Sasha Levin +--- + kernel/rcu/refscale.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/kernel/rcu/refscale.c b/kernel/rcu/refscale.c +index f11a7c2af778..ab7fcdc94cc0 100644 +--- a/kernel/rcu/refscale.c ++++ b/kernel/rcu/refscale.c +@@ -85,7 +85,7 @@ torture_param(int, holdoff, IS_BUILTIN(CONFIG_RCU_REF_SCALE_TEST) ? 10 : 0, + // Number of typesafe_lookup structures, that is, the degree of concurrency. + torture_param(long, lookup_instances, 0, "Number of typesafe_lookup structures."); + // Number of loops per experiment, all readers execute operations concurrently. +-torture_param(long, loops, 10000, "Number of loops per experiment."); ++torture_param(int, loops, 10000, "Number of loops per experiment."); + // Number of readers, with -1 defaulting to about 75% of the CPUs. + torture_param(int, nreaders, -1, "Number of readers, -1 for 75% of CPUs."); + // Number of runs. +@@ -1140,7 +1140,7 @@ static void + ref_scale_print_module_parms(const struct ref_scale_ops *cur_ops, const char *tag) + { + pr_alert("%s" SCALE_FLAG +- "--- %s: verbose=%d verbose_batched=%d shutdown=%d holdoff=%d lookup_instances=%ld loops=%ld nreaders=%d nruns=%d readdelay=%d\n", scale_type, tag, ++ "--- %s: verbose=%d verbose_batched=%d shutdown=%d holdoff=%d lookup_instances=%ld loops=%d nreaders=%d nruns=%d readdelay=%d\n", scale_type, tag, + verbose, verbose_batched, shutdown, holdoff, lookup_instances, loops, nreaders, nruns, readdelay); + } + +@@ -1238,12 +1238,16 @@ ref_scale_init(void) + // Reader tasks (default to ~75% of online CPUs). + if (nreaders < 0) + nreaders = (num_online_cpus() >> 1) + (num_online_cpus() >> 2); +- if (WARN_ONCE(loops <= 0, "%s: loops = %ld, adjusted to 1\n", __func__, loops)) ++ if (WARN_ONCE(loops <= 0, "%s: loops = %d, adjusted to 1\n", __func__, loops)) + loops = 1; + if (WARN_ONCE(nreaders <= 0, "%s: nreaders = %d, adjusted to 1\n", __func__, nreaders)) + nreaders = 1; + if (WARN_ONCE(nruns <= 0, "%s: nruns = %d, adjusted to 1\n", __func__, nruns)) + nruns = 1; ++ if (WARN_ONCE(loops > INT_MAX / nreaders, ++ "%s: nreaders * loops will overflow, adjusted loops to %d", ++ __func__, INT_MAX / nreaders)) ++ loops = INT_MAX / nreaders; + reader_tasks = kcalloc(nreaders, sizeof(reader_tasks[0]), + GFP_KERNEL); + if (!reader_tasks) { +-- +2.39.5 + diff --git a/queue-6.15/remoteproc-qcom-pas-conclude-the-rename-from-adsp.patch b/queue-6.15/remoteproc-qcom-pas-conclude-the-rename-from-adsp.patch new file mode 100644 index 0000000000..7c81347d8e --- /dev/null +++ b/queue-6.15/remoteproc-qcom-pas-conclude-the-rename-from-adsp.patch @@ -0,0 +1,1353 @@ +From 9a6f2096ce6b8b9171cb3ae2c6942a4baf7b9ac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jun 2025 17:17:47 -0500 +Subject: remoteproc: qcom: pas: Conclude the rename from adsp + +From: Bjorn Andersson + +[ Upstream commit 2c0c883f895f16fd9d367ec2e64bccab907d8d87 ] + +The change that renamed the driver from "adsp" to "pas" didn't change +any of the implementation. The result is an aesthetic eyesore, and +confusing to many. + +Conclude the rename of the driver, by updating function, structures and +variable names to match what the driver actually is. The "Hexagon v5" is +also dropped from the name and Kconfig, as this isn't correct either. + +No functional change. + +Fixes: 9e004f97161d ("remoteproc: qcom: Rename Hexagon v5 PAS driver") +Signed-off-by: Bjorn Andersson +Reviewed-by: Wasim Nazir +Link: https://lore.kernel.org/r/20250605-pas-rename-v2-1-f1c89e49e691@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/Kconfig | 11 +- + drivers/remoteproc/qcom_q6v5_pas.c | 621 ++++++++++++++--------------- + 2 files changed, 313 insertions(+), 319 deletions(-) + +diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig +index 83962a114dc9..48a0d3a69ed0 100644 +--- a/drivers/remoteproc/Kconfig ++++ b/drivers/remoteproc/Kconfig +@@ -214,7 +214,7 @@ config QCOM_Q6V5_MSS + handled by QCOM_Q6V5_PAS driver. + + config QCOM_Q6V5_PAS +- tristate "Qualcomm Hexagon v5 Peripheral Authentication Service support" ++ tristate "Qualcomm Peripheral Authentication Service support" + depends on OF && ARCH_QCOM + depends on QCOM_SMEM + depends on RPMSG_QCOM_SMD || RPMSG_QCOM_SMD=n +@@ -229,11 +229,10 @@ config QCOM_Q6V5_PAS + select QCOM_RPROC_COMMON + select QCOM_SCM + help +- Say y here to support the TrustZone based Peripheral Image Loader +- for the Qualcomm Hexagon v5 based remote processors. This is commonly +- used to control subsystems such as ADSP (Audio DSP), +- CDSP (Compute DSP), MPSS (Modem Peripheral SubSystem), and +- SLPI (Sensor Low Power Island). ++ Say y here to support the TrustZone based Peripheral Image Loader for ++ the Qualcomm remote processors. This is commonly used to control ++ subsystems such as ADSP (Audio DSP), CDSP (Compute DSP), MPSS (Modem ++ Peripheral SubSystem), and SLPI (Sensor Low Power Island). + + config QCOM_Q6V5_WCSS + tristate "Qualcomm Hexagon based WCSS Peripheral Image Loader" +diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c +index b306f223127c..02e29171cbbe 100644 +--- a/drivers/remoteproc/qcom_q6v5_pas.c ++++ b/drivers/remoteproc/qcom_q6v5_pas.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Qualcomm ADSP/SLPI Peripheral Image Loader for MSM8974 and MSM8996 ++ * Qualcomm Peripheral Authentication Service remoteproc driver + * + * Copyright (C) 2016 Linaro Ltd + * Copyright (C) 2014 Sony Mobile Communications AB +@@ -31,11 +31,11 @@ + #include "qcom_q6v5.h" + #include "remoteproc_internal.h" + +-#define ADSP_DECRYPT_SHUTDOWN_DELAY_MS 100 ++#define QCOM_PAS_DECRYPT_SHUTDOWN_DELAY_MS 100 + + #define MAX_ASSIGN_COUNT 3 + +-struct adsp_data { ++struct qcom_pas_data { + int crash_reason_smem; + const char *firmware_name; + const char *dtb_firmware_name; +@@ -60,7 +60,7 @@ struct adsp_data { + int region_assign_vmid; + }; + +-struct qcom_adsp { ++struct qcom_pas { + struct device *dev; + struct rproc *rproc; + +@@ -119,36 +119,37 @@ struct qcom_adsp { + struct qcom_scm_pas_metadata dtb_pas_metadata; + }; + +-static void adsp_segment_dump(struct rproc *rproc, struct rproc_dump_segment *segment, +- void *dest, size_t offset, size_t size) ++static void qcom_pas_segment_dump(struct rproc *rproc, ++ struct rproc_dump_segment *segment, ++ void *dest, size_t offset, size_t size) + { +- struct qcom_adsp *adsp = rproc->priv; ++ struct qcom_pas *pas = rproc->priv; + int total_offset; + +- total_offset = segment->da + segment->offset + offset - adsp->mem_phys; +- if (total_offset < 0 || total_offset + size > adsp->mem_size) { +- dev_err(adsp->dev, ++ total_offset = segment->da + segment->offset + offset - pas->mem_phys; ++ if (total_offset < 0 || total_offset + size > pas->mem_size) { ++ dev_err(pas->dev, + "invalid copy request for segment %pad with offset %zu and size %zu)\n", + &segment->da, offset, size); + memset(dest, 0xff, size); + return; + } + +- memcpy_fromio(dest, adsp->mem_region + total_offset, size); ++ memcpy_fromio(dest, pas->mem_region + total_offset, size); + } + +-static void adsp_minidump(struct rproc *rproc) ++static void qcom_pas_minidump(struct rproc *rproc) + { +- struct qcom_adsp *adsp = rproc->priv; ++ struct qcom_pas *pas = rproc->priv; + + if (rproc->dump_conf == RPROC_COREDUMP_DISABLED) + return; + +- qcom_minidump(rproc, adsp->minidump_id, adsp_segment_dump); ++ qcom_minidump(rproc, pas->minidump_id, qcom_pas_segment_dump); + } + +-static int adsp_pds_enable(struct qcom_adsp *adsp, struct device **pds, +- size_t pd_count) ++static int qcom_pas_pds_enable(struct qcom_pas *pas, struct device **pds, ++ size_t pd_count) + { + int ret; + int i; +@@ -174,8 +175,8 @@ static int adsp_pds_enable(struct qcom_adsp *adsp, struct device **pds, + return ret; + }; + +-static void adsp_pds_disable(struct qcom_adsp *adsp, struct device **pds, +- size_t pd_count) ++static void qcom_pas_pds_disable(struct qcom_pas *pas, struct device **pds, ++ size_t pd_count) + { + int i; + +@@ -185,65 +186,65 @@ static void adsp_pds_disable(struct qcom_adsp *adsp, struct device **pds, + } + } + +-static int adsp_shutdown_poll_decrypt(struct qcom_adsp *adsp) ++static int qcom_pas_shutdown_poll_decrypt(struct qcom_pas *pas) + { + unsigned int retry_num = 50; + int ret; + + do { +- msleep(ADSP_DECRYPT_SHUTDOWN_DELAY_MS); +- ret = qcom_scm_pas_shutdown(adsp->pas_id); ++ msleep(QCOM_PAS_DECRYPT_SHUTDOWN_DELAY_MS); ++ ret = qcom_scm_pas_shutdown(pas->pas_id); + } while (ret == -EINVAL && --retry_num); + + return ret; + } + +-static int adsp_unprepare(struct rproc *rproc) ++static int qcom_pas_unprepare(struct rproc *rproc) + { +- struct qcom_adsp *adsp = rproc->priv; ++ struct qcom_pas *pas = rproc->priv; + + /* +- * adsp_load() did pass pas_metadata to the SCM driver for storing ++ * qcom_pas_load() did pass pas_metadata to the SCM driver for storing + * metadata context. It might have been released already if + * auth_and_reset() was successful, but in other cases clean it up + * here. + */ +- qcom_scm_pas_metadata_release(&adsp->pas_metadata); +- if (adsp->dtb_pas_id) +- qcom_scm_pas_metadata_release(&adsp->dtb_pas_metadata); ++ qcom_scm_pas_metadata_release(&pas->pas_metadata); ++ if (pas->dtb_pas_id) ++ qcom_scm_pas_metadata_release(&pas->dtb_pas_metadata); + + return 0; + } + +-static int adsp_load(struct rproc *rproc, const struct firmware *fw) ++static int qcom_pas_load(struct rproc *rproc, const struct firmware *fw) + { +- struct qcom_adsp *adsp = rproc->priv; ++ struct qcom_pas *pas = rproc->priv; + int ret; + +- /* Store firmware handle to be used in adsp_start() */ +- adsp->firmware = fw; ++ /* Store firmware handle to be used in qcom_pas_start() */ ++ pas->firmware = fw; + +- if (adsp->lite_pas_id) +- ret = qcom_scm_pas_shutdown(adsp->lite_pas_id); ++ if (pas->lite_pas_id) ++ ret = qcom_scm_pas_shutdown(pas->lite_pas_id); + +- if (adsp->dtb_pas_id) { +- ret = request_firmware(&adsp->dtb_firmware, adsp->dtb_firmware_name, adsp->dev); ++ if (pas->dtb_pas_id) { ++ ret = request_firmware(&pas->dtb_firmware, pas->dtb_firmware_name, pas->dev); + if (ret) { +- dev_err(adsp->dev, "request_firmware failed for %s: %d\n", +- adsp->dtb_firmware_name, ret); ++ dev_err(pas->dev, "request_firmware failed for %s: %d\n", ++ pas->dtb_firmware_name, ret); + return ret; + } + +- ret = qcom_mdt_pas_init(adsp->dev, adsp->dtb_firmware, adsp->dtb_firmware_name, +- adsp->dtb_pas_id, adsp->dtb_mem_phys, +- &adsp->dtb_pas_metadata); ++ ret = qcom_mdt_pas_init(pas->dev, pas->dtb_firmware, pas->dtb_firmware_name, ++ pas->dtb_pas_id, pas->dtb_mem_phys, ++ &pas->dtb_pas_metadata); + if (ret) + goto release_dtb_firmware; + +- ret = qcom_mdt_load_no_init(adsp->dev, adsp->dtb_firmware, adsp->dtb_firmware_name, +- adsp->dtb_pas_id, adsp->dtb_mem_region, +- adsp->dtb_mem_phys, adsp->dtb_mem_size, +- &adsp->dtb_mem_reloc); ++ ret = qcom_mdt_load_no_init(pas->dev, pas->dtb_firmware, pas->dtb_firmware_name, ++ pas->dtb_pas_id, pas->dtb_mem_region, ++ pas->dtb_mem_phys, pas->dtb_mem_size, ++ &pas->dtb_mem_reloc); + if (ret) + goto release_dtb_metadata; + } +@@ -251,248 +252,246 @@ static int adsp_load(struct rproc *rproc, const struct firmware *fw) + return 0; + + release_dtb_metadata: +- qcom_scm_pas_metadata_release(&adsp->dtb_pas_metadata); ++ qcom_scm_pas_metadata_release(&pas->dtb_pas_metadata); + + release_dtb_firmware: +- release_firmware(adsp->dtb_firmware); ++ release_firmware(pas->dtb_firmware); + + return ret; + } + +-static int adsp_start(struct rproc *rproc) ++static int qcom_pas_start(struct rproc *rproc) + { +- struct qcom_adsp *adsp = rproc->priv; ++ struct qcom_pas *pas = rproc->priv; + int ret; + +- ret = qcom_q6v5_prepare(&adsp->q6v5); ++ ret = qcom_q6v5_prepare(&pas->q6v5); + if (ret) + return ret; + +- ret = adsp_pds_enable(adsp, adsp->proxy_pds, adsp->proxy_pd_count); ++ ret = qcom_pas_pds_enable(pas, pas->proxy_pds, pas->proxy_pd_count); + if (ret < 0) + goto disable_irqs; + +- ret = clk_prepare_enable(adsp->xo); ++ ret = clk_prepare_enable(pas->xo); + if (ret) + goto disable_proxy_pds; + +- ret = clk_prepare_enable(adsp->aggre2_clk); ++ ret = clk_prepare_enable(pas->aggre2_clk); + if (ret) + goto disable_xo_clk; + +- if (adsp->cx_supply) { +- ret = regulator_enable(adsp->cx_supply); ++ if (pas->cx_supply) { ++ ret = regulator_enable(pas->cx_supply); + if (ret) + goto disable_aggre2_clk; + } + +- if (adsp->px_supply) { +- ret = regulator_enable(adsp->px_supply); ++ if (pas->px_supply) { ++ ret = regulator_enable(pas->px_supply); + if (ret) + goto disable_cx_supply; + } + +- if (adsp->dtb_pas_id) { +- ret = qcom_scm_pas_auth_and_reset(adsp->dtb_pas_id); ++ if (pas->dtb_pas_id) { ++ ret = qcom_scm_pas_auth_and_reset(pas->dtb_pas_id); + if (ret) { +- dev_err(adsp->dev, ++ dev_err(pas->dev, + "failed to authenticate dtb image and release reset\n"); + goto disable_px_supply; + } + } + +- ret = qcom_mdt_pas_init(adsp->dev, adsp->firmware, rproc->firmware, adsp->pas_id, +- adsp->mem_phys, &adsp->pas_metadata); ++ ret = qcom_mdt_pas_init(pas->dev, pas->firmware, rproc->firmware, pas->pas_id, ++ pas->mem_phys, &pas->pas_metadata); + if (ret) + goto disable_px_supply; + +- ret = qcom_mdt_load_no_init(adsp->dev, adsp->firmware, rproc->firmware, adsp->pas_id, +- adsp->mem_region, adsp->mem_phys, adsp->mem_size, +- &adsp->mem_reloc); ++ ret = qcom_mdt_load_no_init(pas->dev, pas->firmware, rproc->firmware, pas->pas_id, ++ pas->mem_region, pas->mem_phys, pas->mem_size, ++ &pas->mem_reloc); + if (ret) + goto release_pas_metadata; + +- qcom_pil_info_store(adsp->info_name, adsp->mem_phys, adsp->mem_size); ++ qcom_pil_info_store(pas->info_name, pas->mem_phys, pas->mem_size); + +- ret = qcom_scm_pas_auth_and_reset(adsp->pas_id); ++ ret = qcom_scm_pas_auth_and_reset(pas->pas_id); + if (ret) { +- dev_err(adsp->dev, ++ dev_err(pas->dev, + "failed to authenticate image and release reset\n"); + goto release_pas_metadata; + } + +- ret = qcom_q6v5_wait_for_start(&adsp->q6v5, msecs_to_jiffies(5000)); ++ ret = qcom_q6v5_wait_for_start(&pas->q6v5, msecs_to_jiffies(5000)); + if (ret == -ETIMEDOUT) { +- dev_err(adsp->dev, "start timed out\n"); +- qcom_scm_pas_shutdown(adsp->pas_id); ++ dev_err(pas->dev, "start timed out\n"); ++ qcom_scm_pas_shutdown(pas->pas_id); + goto release_pas_metadata; + } + +- qcom_scm_pas_metadata_release(&adsp->pas_metadata); +- if (adsp->dtb_pas_id) +- qcom_scm_pas_metadata_release(&adsp->dtb_pas_metadata); ++ qcom_scm_pas_metadata_release(&pas->pas_metadata); ++ if (pas->dtb_pas_id) ++ qcom_scm_pas_metadata_release(&pas->dtb_pas_metadata); + +- /* Remove pointer to the loaded firmware, only valid in adsp_load() & adsp_start() */ +- adsp->firmware = NULL; ++ /* firmware is used to pass reference from qcom_pas_start(), drop it now */ ++ pas->firmware = NULL; + + return 0; + + release_pas_metadata: +- qcom_scm_pas_metadata_release(&adsp->pas_metadata); +- if (adsp->dtb_pas_id) +- qcom_scm_pas_metadata_release(&adsp->dtb_pas_metadata); ++ qcom_scm_pas_metadata_release(&pas->pas_metadata); ++ if (pas->dtb_pas_id) ++ qcom_scm_pas_metadata_release(&pas->dtb_pas_metadata); + disable_px_supply: +- if (adsp->px_supply) +- regulator_disable(adsp->px_supply); ++ if (pas->px_supply) ++ regulator_disable(pas->px_supply); + disable_cx_supply: +- if (adsp->cx_supply) +- regulator_disable(adsp->cx_supply); ++ if (pas->cx_supply) ++ regulator_disable(pas->cx_supply); + disable_aggre2_clk: +- clk_disable_unprepare(adsp->aggre2_clk); ++ clk_disable_unprepare(pas->aggre2_clk); + disable_xo_clk: +- clk_disable_unprepare(adsp->xo); ++ clk_disable_unprepare(pas->xo); + disable_proxy_pds: +- adsp_pds_disable(adsp, adsp->proxy_pds, adsp->proxy_pd_count); ++ qcom_pas_pds_disable(pas, pas->proxy_pds, pas->proxy_pd_count); + disable_irqs: +- qcom_q6v5_unprepare(&adsp->q6v5); ++ qcom_q6v5_unprepare(&pas->q6v5); + +- /* Remove pointer to the loaded firmware, only valid in adsp_load() & adsp_start() */ +- adsp->firmware = NULL; ++ /* firmware is used to pass reference from qcom_pas_start(), drop it now */ ++ pas->firmware = NULL; + + return ret; + } + + static void qcom_pas_handover(struct qcom_q6v5 *q6v5) + { +- struct qcom_adsp *adsp = container_of(q6v5, struct qcom_adsp, q6v5); +- +- if (adsp->px_supply) +- regulator_disable(adsp->px_supply); +- if (adsp->cx_supply) +- regulator_disable(adsp->cx_supply); +- clk_disable_unprepare(adsp->aggre2_clk); +- clk_disable_unprepare(adsp->xo); +- adsp_pds_disable(adsp, adsp->proxy_pds, adsp->proxy_pd_count); ++ struct qcom_pas *pas = container_of(q6v5, struct qcom_pas, q6v5); ++ ++ if (pas->px_supply) ++ regulator_disable(pas->px_supply); ++ if (pas->cx_supply) ++ regulator_disable(pas->cx_supply); ++ clk_disable_unprepare(pas->aggre2_clk); ++ clk_disable_unprepare(pas->xo); ++ qcom_pas_pds_disable(pas, pas->proxy_pds, pas->proxy_pd_count); + } + +-static int adsp_stop(struct rproc *rproc) ++static int qcom_pas_stop(struct rproc *rproc) + { +- struct qcom_adsp *adsp = rproc->priv; ++ struct qcom_pas *pas = rproc->priv; + int handover; + int ret; + +- ret = qcom_q6v5_request_stop(&adsp->q6v5, adsp->sysmon); ++ ret = qcom_q6v5_request_stop(&pas->q6v5, pas->sysmon); + if (ret == -ETIMEDOUT) +- dev_err(adsp->dev, "timed out on wait\n"); ++ dev_err(pas->dev, "timed out on wait\n"); + +- ret = qcom_scm_pas_shutdown(adsp->pas_id); +- if (ret && adsp->decrypt_shutdown) +- ret = adsp_shutdown_poll_decrypt(adsp); ++ ret = qcom_scm_pas_shutdown(pas->pas_id); ++ if (ret && pas->decrypt_shutdown) ++ ret = qcom_pas_shutdown_poll_decrypt(pas); + + if (ret) +- dev_err(adsp->dev, "failed to shutdown: %d\n", ret); ++ dev_err(pas->dev, "failed to shutdown: %d\n", ret); + +- if (adsp->dtb_pas_id) { +- ret = qcom_scm_pas_shutdown(adsp->dtb_pas_id); ++ if (pas->dtb_pas_id) { ++ ret = qcom_scm_pas_shutdown(pas->dtb_pas_id); + if (ret) +- dev_err(adsp->dev, "failed to shutdown dtb: %d\n", ret); ++ dev_err(pas->dev, "failed to shutdown dtb: %d\n", ret); + } + +- handover = qcom_q6v5_unprepare(&adsp->q6v5); ++ handover = qcom_q6v5_unprepare(&pas->q6v5); + if (handover) +- qcom_pas_handover(&adsp->q6v5); ++ qcom_pas_handover(&pas->q6v5); + +- if (adsp->smem_host_id) +- ret = qcom_smem_bust_hwspin_lock_by_host(adsp->smem_host_id); ++ if (pas->smem_host_id) ++ ret = qcom_smem_bust_hwspin_lock_by_host(pas->smem_host_id); + + return ret; + } + +-static void *adsp_da_to_va(struct rproc *rproc, u64 da, size_t len, bool *is_iomem) ++static void *qcom_pas_da_to_va(struct rproc *rproc, u64 da, size_t len, bool *is_iomem) + { +- struct qcom_adsp *adsp = rproc->priv; ++ struct qcom_pas *pas = rproc->priv; + int offset; + +- offset = da - adsp->mem_reloc; +- if (offset < 0 || offset + len > adsp->mem_size) ++ offset = da - pas->mem_reloc; ++ if (offset < 0 || offset + len > pas->mem_size) + return NULL; + + if (is_iomem) + *is_iomem = true; + +- return adsp->mem_region + offset; ++ return pas->mem_region + offset; + } + +-static unsigned long adsp_panic(struct rproc *rproc) ++static unsigned long qcom_pas_panic(struct rproc *rproc) + { +- struct qcom_adsp *adsp = rproc->priv; ++ struct qcom_pas *pas = rproc->priv; + +- return qcom_q6v5_panic(&adsp->q6v5); ++ return qcom_q6v5_panic(&pas->q6v5); + } + +-static const struct rproc_ops adsp_ops = { +- .unprepare = adsp_unprepare, +- .start = adsp_start, +- .stop = adsp_stop, +- .da_to_va = adsp_da_to_va, ++static const struct rproc_ops qcom_pas_ops = { ++ .unprepare = qcom_pas_unprepare, ++ .start = qcom_pas_start, ++ .stop = qcom_pas_stop, ++ .da_to_va = qcom_pas_da_to_va, + .parse_fw = qcom_register_dump_segments, +- .load = adsp_load, +- .panic = adsp_panic, ++ .load = qcom_pas_load, ++ .panic = qcom_pas_panic, + }; + +-static const struct rproc_ops adsp_minidump_ops = { +- .unprepare = adsp_unprepare, +- .start = adsp_start, +- .stop = adsp_stop, +- .da_to_va = adsp_da_to_va, ++static const struct rproc_ops qcom_pas_minidump_ops = { ++ .unprepare = qcom_pas_unprepare, ++ .start = qcom_pas_start, ++ .stop = qcom_pas_stop, ++ .da_to_va = qcom_pas_da_to_va, + .parse_fw = qcom_register_dump_segments, +- .load = adsp_load, +- .panic = adsp_panic, +- .coredump = adsp_minidump, ++ .load = qcom_pas_load, ++ .panic = qcom_pas_panic, ++ .coredump = qcom_pas_minidump, + }; + +-static int adsp_init_clock(struct qcom_adsp *adsp) ++static int qcom_pas_init_clock(struct qcom_pas *pas) + { +- adsp->xo = devm_clk_get(adsp->dev, "xo"); +- if (IS_ERR(adsp->xo)) +- return dev_err_probe(adsp->dev, PTR_ERR(adsp->xo), ++ pas->xo = devm_clk_get(pas->dev, "xo"); ++ if (IS_ERR(pas->xo)) ++ return dev_err_probe(pas->dev, PTR_ERR(pas->xo), + "failed to get xo clock"); + +- +- adsp->aggre2_clk = devm_clk_get_optional(adsp->dev, "aggre2"); +- if (IS_ERR(adsp->aggre2_clk)) +- return dev_err_probe(adsp->dev, PTR_ERR(adsp->aggre2_clk), ++ pas->aggre2_clk = devm_clk_get_optional(pas->dev, "aggre2"); ++ if (IS_ERR(pas->aggre2_clk)) ++ return dev_err_probe(pas->dev, PTR_ERR(pas->aggre2_clk), + "failed to get aggre2 clock"); + + return 0; + } + +-static int adsp_init_regulator(struct qcom_adsp *adsp) ++static int qcom_pas_init_regulator(struct qcom_pas *pas) + { +- adsp->cx_supply = devm_regulator_get_optional(adsp->dev, "cx"); +- if (IS_ERR(adsp->cx_supply)) { +- if (PTR_ERR(adsp->cx_supply) == -ENODEV) +- adsp->cx_supply = NULL; ++ pas->cx_supply = devm_regulator_get_optional(pas->dev, "cx"); ++ if (IS_ERR(pas->cx_supply)) { ++ if (PTR_ERR(pas->cx_supply) == -ENODEV) ++ pas->cx_supply = NULL; + else +- return PTR_ERR(adsp->cx_supply); ++ return PTR_ERR(pas->cx_supply); + } + +- if (adsp->cx_supply) +- regulator_set_load(adsp->cx_supply, 100000); ++ if (pas->cx_supply) ++ regulator_set_load(pas->cx_supply, 100000); + +- adsp->px_supply = devm_regulator_get_optional(adsp->dev, "px"); +- if (IS_ERR(adsp->px_supply)) { +- if (PTR_ERR(adsp->px_supply) == -ENODEV) +- adsp->px_supply = NULL; ++ pas->px_supply = devm_regulator_get_optional(pas->dev, "px"); ++ if (IS_ERR(pas->px_supply)) { ++ if (PTR_ERR(pas->px_supply) == -ENODEV) ++ pas->px_supply = NULL; + else +- return PTR_ERR(adsp->px_supply); ++ return PTR_ERR(pas->px_supply); + } + + return 0; + } + +-static int adsp_pds_attach(struct device *dev, struct device **devs, +- char **pd_names) ++static int qcom_pas_pds_attach(struct device *dev, struct device **devs, char **pd_names) + { + size_t num_pds = 0; + int ret; +@@ -528,10 +527,9 @@ static int adsp_pds_attach(struct device *dev, struct device **devs, + return ret; + }; + +-static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds, +- size_t pd_count) ++static void qcom_pas_pds_detach(struct qcom_pas *pas, struct device **pds, size_t pd_count) + { +- struct device *dev = adsp->dev; ++ struct device *dev = pas->dev; + int i; + + /* Handle single power domain */ +@@ -544,62 +542,62 @@ static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds, + dev_pm_domain_detach(pds[i], false); + } + +-static int adsp_alloc_memory_region(struct qcom_adsp *adsp) ++static int qcom_pas_alloc_memory_region(struct qcom_pas *pas) + { + struct reserved_mem *rmem; + struct device_node *node; + +- node = of_parse_phandle(adsp->dev->of_node, "memory-region", 0); ++ node = of_parse_phandle(pas->dev->of_node, "memory-region", 0); + if (!node) { +- dev_err(adsp->dev, "no memory-region specified\n"); ++ dev_err(pas->dev, "no memory-region specified\n"); + return -EINVAL; + } + + rmem = of_reserved_mem_lookup(node); + of_node_put(node); + if (!rmem) { +- dev_err(adsp->dev, "unable to resolve memory-region\n"); ++ dev_err(pas->dev, "unable to resolve memory-region\n"); + return -EINVAL; + } + +- adsp->mem_phys = adsp->mem_reloc = rmem->base; +- adsp->mem_size = rmem->size; +- adsp->mem_region = devm_ioremap_wc(adsp->dev, adsp->mem_phys, adsp->mem_size); +- if (!adsp->mem_region) { +- dev_err(adsp->dev, "unable to map memory region: %pa+%zx\n", +- &rmem->base, adsp->mem_size); ++ pas->mem_phys = pas->mem_reloc = rmem->base; ++ pas->mem_size = rmem->size; ++ pas->mem_region = devm_ioremap_wc(pas->dev, pas->mem_phys, pas->mem_size); ++ if (!pas->mem_region) { ++ dev_err(pas->dev, "unable to map memory region: %pa+%zx\n", ++ &rmem->base, pas->mem_size); + return -EBUSY; + } + +- if (!adsp->dtb_pas_id) ++ if (!pas->dtb_pas_id) + return 0; + +- node = of_parse_phandle(adsp->dev->of_node, "memory-region", 1); ++ node = of_parse_phandle(pas->dev->of_node, "memory-region", 1); + if (!node) { +- dev_err(adsp->dev, "no dtb memory-region specified\n"); ++ dev_err(pas->dev, "no dtb memory-region specified\n"); + return -EINVAL; + } + + rmem = of_reserved_mem_lookup(node); + of_node_put(node); + if (!rmem) { +- dev_err(adsp->dev, "unable to resolve dtb memory-region\n"); ++ dev_err(pas->dev, "unable to resolve dtb memory-region\n"); + return -EINVAL; + } + +- adsp->dtb_mem_phys = adsp->dtb_mem_reloc = rmem->base; +- adsp->dtb_mem_size = rmem->size; +- adsp->dtb_mem_region = devm_ioremap_wc(adsp->dev, adsp->dtb_mem_phys, adsp->dtb_mem_size); +- if (!adsp->dtb_mem_region) { +- dev_err(adsp->dev, "unable to map dtb memory region: %pa+%zx\n", +- &rmem->base, adsp->dtb_mem_size); ++ pas->dtb_mem_phys = pas->dtb_mem_reloc = rmem->base; ++ pas->dtb_mem_size = rmem->size; ++ pas->dtb_mem_region = devm_ioremap_wc(pas->dev, pas->dtb_mem_phys, pas->dtb_mem_size); ++ if (!pas->dtb_mem_region) { ++ dev_err(pas->dev, "unable to map dtb memory region: %pa+%zx\n", ++ &rmem->base, pas->dtb_mem_size); + return -EBUSY; + } + + return 0; + } + +-static int adsp_assign_memory_region(struct qcom_adsp *adsp) ++static int qcom_pas_assign_memory_region(struct qcom_pas *pas) + { + struct qcom_scm_vmperm perm[MAX_ASSIGN_COUNT]; + struct device_node *node; +@@ -607,45 +605,45 @@ static int adsp_assign_memory_region(struct qcom_adsp *adsp) + int offset; + int ret; + +- if (!adsp->region_assign_idx) ++ if (!pas->region_assign_idx) + return 0; + +- for (offset = 0; offset < adsp->region_assign_count; ++offset) { ++ for (offset = 0; offset < pas->region_assign_count; ++offset) { + struct reserved_mem *rmem = NULL; + +- node = of_parse_phandle(adsp->dev->of_node, "memory-region", +- adsp->region_assign_idx + offset); ++ node = of_parse_phandle(pas->dev->of_node, "memory-region", ++ pas->region_assign_idx + offset); + if (node) + rmem = of_reserved_mem_lookup(node); + of_node_put(node); + if (!rmem) { +- dev_err(adsp->dev, "unable to resolve shareable memory-region index %d\n", ++ dev_err(pas->dev, "unable to resolve shareable memory-region index %d\n", + offset); + return -EINVAL; + } + +- if (adsp->region_assign_shared) { ++ if (pas->region_assign_shared) { + perm[0].vmid = QCOM_SCM_VMID_HLOS; + perm[0].perm = QCOM_SCM_PERM_RW; +- perm[1].vmid = adsp->region_assign_vmid; ++ perm[1].vmid = pas->region_assign_vmid; + perm[1].perm = QCOM_SCM_PERM_RW; + perm_size = 2; + } else { +- perm[0].vmid = adsp->region_assign_vmid; ++ perm[0].vmid = pas->region_assign_vmid; + perm[0].perm = QCOM_SCM_PERM_RW; + perm_size = 1; + } + +- adsp->region_assign_phys[offset] = rmem->base; +- adsp->region_assign_size[offset] = rmem->size; +- adsp->region_assign_owners[offset] = BIT(QCOM_SCM_VMID_HLOS); ++ pas->region_assign_phys[offset] = rmem->base; ++ pas->region_assign_size[offset] = rmem->size; ++ pas->region_assign_owners[offset] = BIT(QCOM_SCM_VMID_HLOS); + +- ret = qcom_scm_assign_mem(adsp->region_assign_phys[offset], +- adsp->region_assign_size[offset], +- &adsp->region_assign_owners[offset], ++ ret = qcom_scm_assign_mem(pas->region_assign_phys[offset], ++ pas->region_assign_size[offset], ++ &pas->region_assign_owners[offset], + perm, perm_size); + if (ret < 0) { +- dev_err(adsp->dev, "assign memory %d failed\n", offset); ++ dev_err(pas->dev, "assign memory %d failed\n", offset); + return ret; + } + } +@@ -653,35 +651,35 @@ static int adsp_assign_memory_region(struct qcom_adsp *adsp) + return 0; + } + +-static void adsp_unassign_memory_region(struct qcom_adsp *adsp) ++static void qcom_pas_unassign_memory_region(struct qcom_pas *pas) + { + struct qcom_scm_vmperm perm; + int offset; + int ret; + +- if (!adsp->region_assign_idx || adsp->region_assign_shared) ++ if (!pas->region_assign_idx || pas->region_assign_shared) + return; + +- for (offset = 0; offset < adsp->region_assign_count; ++offset) { ++ for (offset = 0; offset < pas->region_assign_count; ++offset) { + perm.vmid = QCOM_SCM_VMID_HLOS; + perm.perm = QCOM_SCM_PERM_RW; + +- ret = qcom_scm_assign_mem(adsp->region_assign_phys[offset], +- adsp->region_assign_size[offset], +- &adsp->region_assign_owners[offset], ++ ret = qcom_scm_assign_mem(pas->region_assign_phys[offset], ++ pas->region_assign_size[offset], ++ &pas->region_assign_owners[offset], + &perm, 1); + if (ret < 0) +- dev_err(adsp->dev, "unassign memory %d failed\n", offset); ++ dev_err(pas->dev, "unassign memory %d failed\n", offset); + } + } + +-static int adsp_probe(struct platform_device *pdev) ++static int qcom_pas_probe(struct platform_device *pdev) + { +- const struct adsp_data *desc; +- struct qcom_adsp *adsp; ++ const struct qcom_pas_data *desc; ++ struct qcom_pas *pas; + struct rproc *rproc; + const char *fw_name, *dtb_fw_name = NULL; +- const struct rproc_ops *ops = &adsp_ops; ++ const struct rproc_ops *ops = &qcom_pas_ops; + int ret; + + desc = of_device_get_match_data(&pdev->dev); +@@ -706,9 +704,9 @@ static int adsp_probe(struct platform_device *pdev) + } + + if (desc->minidump_id) +- ops = &adsp_minidump_ops; ++ ops = &qcom_pas_minidump_ops; + +- rproc = devm_rproc_alloc(&pdev->dev, desc->sysmon_name, ops, fw_name, sizeof(*adsp)); ++ rproc = devm_rproc_alloc(&pdev->dev, desc->sysmon_name, ops, fw_name, sizeof(*pas)); + + if (!rproc) { + dev_err(&pdev->dev, "unable to allocate remoteproc\n"); +@@ -718,68 +716,65 @@ static int adsp_probe(struct platform_device *pdev) + rproc->auto_boot = desc->auto_boot; + rproc_coredump_set_elf_info(rproc, ELFCLASS32, EM_NONE); + +- adsp = rproc->priv; +- adsp->dev = &pdev->dev; +- adsp->rproc = rproc; +- adsp->minidump_id = desc->minidump_id; +- adsp->pas_id = desc->pas_id; +- adsp->lite_pas_id = desc->lite_pas_id; +- adsp->info_name = desc->sysmon_name; +- adsp->smem_host_id = desc->smem_host_id; +- adsp->decrypt_shutdown = desc->decrypt_shutdown; +- adsp->region_assign_idx = desc->region_assign_idx; +- adsp->region_assign_count = min_t(int, MAX_ASSIGN_COUNT, desc->region_assign_count); +- adsp->region_assign_vmid = desc->region_assign_vmid; +- adsp->region_assign_shared = desc->region_assign_shared; ++ pas = rproc->priv; ++ pas->dev = &pdev->dev; ++ pas->rproc = rproc; ++ pas->minidump_id = desc->minidump_id; ++ pas->pas_id = desc->pas_id; ++ pas->lite_pas_id = desc->lite_pas_id; ++ pas->info_name = desc->sysmon_name; ++ pas->smem_host_id = desc->smem_host_id; ++ pas->decrypt_shutdown = desc->decrypt_shutdown; ++ pas->region_assign_idx = desc->region_assign_idx; ++ pas->region_assign_count = min_t(int, MAX_ASSIGN_COUNT, desc->region_assign_count); ++ pas->region_assign_vmid = desc->region_assign_vmid; ++ pas->region_assign_shared = desc->region_assign_shared; + if (dtb_fw_name) { +- adsp->dtb_firmware_name = dtb_fw_name; +- adsp->dtb_pas_id = desc->dtb_pas_id; ++ pas->dtb_firmware_name = dtb_fw_name; ++ pas->dtb_pas_id = desc->dtb_pas_id; + } +- platform_set_drvdata(pdev, adsp); ++ platform_set_drvdata(pdev, pas); + +- ret = device_init_wakeup(adsp->dev, true); ++ ret = device_init_wakeup(pas->dev, true); + if (ret) + goto free_rproc; + +- ret = adsp_alloc_memory_region(adsp); ++ ret = qcom_pas_alloc_memory_region(pas); + if (ret) + goto free_rproc; + +- ret = adsp_assign_memory_region(adsp); ++ ret = qcom_pas_assign_memory_region(pas); + if (ret) + goto free_rproc; + +- ret = adsp_init_clock(adsp); ++ ret = qcom_pas_init_clock(pas); + if (ret) + goto unassign_mem; + +- ret = adsp_init_regulator(adsp); ++ ret = qcom_pas_init_regulator(pas); + if (ret) + goto unassign_mem; + +- ret = adsp_pds_attach(&pdev->dev, adsp->proxy_pds, +- desc->proxy_pd_names); ++ ret = qcom_pas_pds_attach(&pdev->dev, pas->proxy_pds, desc->proxy_pd_names); + if (ret < 0) + goto unassign_mem; +- adsp->proxy_pd_count = ret; ++ pas->proxy_pd_count = ret; + +- ret = qcom_q6v5_init(&adsp->q6v5, pdev, rproc, desc->crash_reason_smem, desc->load_state, +- qcom_pas_handover); ++ ret = qcom_q6v5_init(&pas->q6v5, pdev, rproc, desc->crash_reason_smem, ++ desc->load_state, qcom_pas_handover); + if (ret) + goto detach_proxy_pds; + +- qcom_add_glink_subdev(rproc, &adsp->glink_subdev, desc->ssr_name); +- qcom_add_smd_subdev(rproc, &adsp->smd_subdev); +- qcom_add_pdm_subdev(rproc, &adsp->pdm_subdev); +- adsp->sysmon = qcom_add_sysmon_subdev(rproc, +- desc->sysmon_name, +- desc->ssctl_id); +- if (IS_ERR(adsp->sysmon)) { +- ret = PTR_ERR(adsp->sysmon); ++ qcom_add_glink_subdev(rproc, &pas->glink_subdev, desc->ssr_name); ++ qcom_add_smd_subdev(rproc, &pas->smd_subdev); ++ qcom_add_pdm_subdev(rproc, &pas->pdm_subdev); ++ pas->sysmon = qcom_add_sysmon_subdev(rproc, desc->sysmon_name, desc->ssctl_id); ++ if (IS_ERR(pas->sysmon)) { ++ ret = PTR_ERR(pas->sysmon); + goto deinit_remove_pdm_smd_glink; + } + +- qcom_add_ssr_subdev(rproc, &adsp->ssr_subdev, desc->ssr_name); ++ qcom_add_ssr_subdev(rproc, &pas->ssr_subdev, desc->ssr_name); + ret = rproc_add(rproc); + if (ret) + goto remove_ssr_sysmon; +@@ -787,41 +782,41 @@ static int adsp_probe(struct platform_device *pdev) + return 0; + + remove_ssr_sysmon: +- qcom_remove_ssr_subdev(rproc, &adsp->ssr_subdev); +- qcom_remove_sysmon_subdev(adsp->sysmon); ++ qcom_remove_ssr_subdev(rproc, &pas->ssr_subdev); ++ qcom_remove_sysmon_subdev(pas->sysmon); + deinit_remove_pdm_smd_glink: +- qcom_remove_pdm_subdev(rproc, &adsp->pdm_subdev); +- qcom_remove_smd_subdev(rproc, &adsp->smd_subdev); +- qcom_remove_glink_subdev(rproc, &adsp->glink_subdev); +- qcom_q6v5_deinit(&adsp->q6v5); ++ qcom_remove_pdm_subdev(rproc, &pas->pdm_subdev); ++ qcom_remove_smd_subdev(rproc, &pas->smd_subdev); ++ qcom_remove_glink_subdev(rproc, &pas->glink_subdev); ++ qcom_q6v5_deinit(&pas->q6v5); + detach_proxy_pds: +- adsp_pds_detach(adsp, adsp->proxy_pds, adsp->proxy_pd_count); ++ qcom_pas_pds_detach(pas, pas->proxy_pds, pas->proxy_pd_count); + unassign_mem: +- adsp_unassign_memory_region(adsp); ++ qcom_pas_unassign_memory_region(pas); + free_rproc: +- device_init_wakeup(adsp->dev, false); ++ device_init_wakeup(pas->dev, false); + + return ret; + } + +-static void adsp_remove(struct platform_device *pdev) ++static void qcom_pas_remove(struct platform_device *pdev) + { +- struct qcom_adsp *adsp = platform_get_drvdata(pdev); +- +- rproc_del(adsp->rproc); +- +- qcom_q6v5_deinit(&adsp->q6v5); +- adsp_unassign_memory_region(adsp); +- qcom_remove_glink_subdev(adsp->rproc, &adsp->glink_subdev); +- qcom_remove_sysmon_subdev(adsp->sysmon); +- qcom_remove_smd_subdev(adsp->rproc, &adsp->smd_subdev); +- qcom_remove_pdm_subdev(adsp->rproc, &adsp->pdm_subdev); +- qcom_remove_ssr_subdev(adsp->rproc, &adsp->ssr_subdev); +- adsp_pds_detach(adsp, adsp->proxy_pds, adsp->proxy_pd_count); +- device_init_wakeup(adsp->dev, false); ++ struct qcom_pas *pas = platform_get_drvdata(pdev); ++ ++ rproc_del(pas->rproc); ++ ++ qcom_q6v5_deinit(&pas->q6v5); ++ qcom_pas_unassign_memory_region(pas); ++ qcom_remove_glink_subdev(pas->rproc, &pas->glink_subdev); ++ qcom_remove_sysmon_subdev(pas->sysmon); ++ qcom_remove_smd_subdev(pas->rproc, &pas->smd_subdev); ++ qcom_remove_pdm_subdev(pas->rproc, &pas->pdm_subdev); ++ qcom_remove_ssr_subdev(pas->rproc, &pas->ssr_subdev); ++ qcom_pas_pds_detach(pas, pas->proxy_pds, pas->proxy_pd_count); ++ device_init_wakeup(pas->dev, false); + } + +-static const struct adsp_data adsp_resource_init = { ++static const struct qcom_pas_data adsp_resource_init = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .pas_id = 1, +@@ -831,7 +826,7 @@ static const struct adsp_data adsp_resource_init = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data sa8775p_adsp_resource = { ++static const struct qcom_pas_data sa8775p_adsp_resource = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mbn", + .pas_id = 1, +@@ -848,7 +843,7 @@ static const struct adsp_data sa8775p_adsp_resource = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data sdm845_adsp_resource_init = { ++static const struct qcom_pas_data sdm845_adsp_resource_init = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .pas_id = 1, +@@ -859,7 +854,7 @@ static const struct adsp_data sdm845_adsp_resource_init = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data sm6350_adsp_resource = { ++static const struct qcom_pas_data sm6350_adsp_resource = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .pas_id = 1, +@@ -875,7 +870,7 @@ static const struct adsp_data sm6350_adsp_resource = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data sm6375_mpss_resource = { ++static const struct qcom_pas_data sm6375_mpss_resource = { + .crash_reason_smem = 421, + .firmware_name = "modem.mdt", + .pas_id = 4, +@@ -890,7 +885,7 @@ static const struct adsp_data sm6375_mpss_resource = { + .ssctl_id = 0x12, + }; + +-static const struct adsp_data sm8150_adsp_resource = { ++static const struct qcom_pas_data sm8150_adsp_resource = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .pas_id = 1, +@@ -905,7 +900,7 @@ static const struct adsp_data sm8150_adsp_resource = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data sm8250_adsp_resource = { ++static const struct qcom_pas_data sm8250_adsp_resource = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .pas_id = 1, +@@ -922,7 +917,7 @@ static const struct adsp_data sm8250_adsp_resource = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data sm8350_adsp_resource = { ++static const struct qcom_pas_data sm8350_adsp_resource = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .pas_id = 1, +@@ -938,7 +933,7 @@ static const struct adsp_data sm8350_adsp_resource = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data msm8996_adsp_resource = { ++static const struct qcom_pas_data msm8996_adsp_resource = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .pas_id = 1, +@@ -952,7 +947,7 @@ static const struct adsp_data msm8996_adsp_resource = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data cdsp_resource_init = { ++static const struct qcom_pas_data cdsp_resource_init = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .pas_id = 18, +@@ -962,7 +957,7 @@ static const struct adsp_data cdsp_resource_init = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sa8775p_cdsp0_resource = { ++static const struct qcom_pas_data sa8775p_cdsp0_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp0.mbn", + .pas_id = 18, +@@ -980,7 +975,7 @@ static const struct adsp_data sa8775p_cdsp0_resource = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sa8775p_cdsp1_resource = { ++static const struct qcom_pas_data sa8775p_cdsp1_resource = { + .crash_reason_smem = 633, + .firmware_name = "cdsp1.mbn", + .pas_id = 30, +@@ -998,7 +993,7 @@ static const struct adsp_data sa8775p_cdsp1_resource = { + .ssctl_id = 0x20, + }; + +-static const struct adsp_data sdm845_cdsp_resource_init = { ++static const struct qcom_pas_data sdm845_cdsp_resource_init = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .pas_id = 18, +@@ -1009,7 +1004,7 @@ static const struct adsp_data sdm845_cdsp_resource_init = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sm6350_cdsp_resource = { ++static const struct qcom_pas_data sm6350_cdsp_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .pas_id = 18, +@@ -1025,7 +1020,7 @@ static const struct adsp_data sm6350_cdsp_resource = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sm8150_cdsp_resource = { ++static const struct qcom_pas_data sm8150_cdsp_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .pas_id = 18, +@@ -1040,7 +1035,7 @@ static const struct adsp_data sm8150_cdsp_resource = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sm8250_cdsp_resource = { ++static const struct qcom_pas_data sm8250_cdsp_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .pas_id = 18, +@@ -1055,7 +1050,7 @@ static const struct adsp_data sm8250_cdsp_resource = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sc8280xp_nsp0_resource = { ++static const struct qcom_pas_data sc8280xp_nsp0_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .pas_id = 18, +@@ -1069,7 +1064,7 @@ static const struct adsp_data sc8280xp_nsp0_resource = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sc8280xp_nsp1_resource = { ++static const struct qcom_pas_data sc8280xp_nsp1_resource = { + .crash_reason_smem = 633, + .firmware_name = "cdsp.mdt", + .pas_id = 30, +@@ -1083,7 +1078,7 @@ static const struct adsp_data sc8280xp_nsp1_resource = { + .ssctl_id = 0x20, + }; + +-static const struct adsp_data x1e80100_adsp_resource = { ++static const struct qcom_pas_data x1e80100_adsp_resource = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .dtb_firmware_name = "adsp_dtb.mdt", +@@ -1103,7 +1098,7 @@ static const struct adsp_data x1e80100_adsp_resource = { + .ssctl_id = 0x14, + }; + +-static const struct adsp_data x1e80100_cdsp_resource = { ++static const struct qcom_pas_data x1e80100_cdsp_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .dtb_firmware_name = "cdsp_dtb.mdt", +@@ -1123,7 +1118,7 @@ static const struct adsp_data x1e80100_cdsp_resource = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sm8350_cdsp_resource = { ++static const struct qcom_pas_data sm8350_cdsp_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .pas_id = 18, +@@ -1140,7 +1135,7 @@ static const struct adsp_data sm8350_cdsp_resource = { + .ssctl_id = 0x17, + }; + +-static const struct adsp_data sa8775p_gpdsp0_resource = { ++static const struct qcom_pas_data sa8775p_gpdsp0_resource = { + .crash_reason_smem = 640, + .firmware_name = "gpdsp0.mbn", + .pas_id = 39, +@@ -1157,7 +1152,7 @@ static const struct adsp_data sa8775p_gpdsp0_resource = { + .ssctl_id = 0x21, + }; + +-static const struct adsp_data sa8775p_gpdsp1_resource = { ++static const struct qcom_pas_data sa8775p_gpdsp1_resource = { + .crash_reason_smem = 641, + .firmware_name = "gpdsp1.mbn", + .pas_id = 40, +@@ -1174,7 +1169,7 @@ static const struct adsp_data sa8775p_gpdsp1_resource = { + .ssctl_id = 0x22, + }; + +-static const struct adsp_data mpss_resource_init = { ++static const struct qcom_pas_data mpss_resource_init = { + .crash_reason_smem = 421, + .firmware_name = "modem.mdt", + .pas_id = 4, +@@ -1191,7 +1186,7 @@ static const struct adsp_data mpss_resource_init = { + .ssctl_id = 0x12, + }; + +-static const struct adsp_data sc8180x_mpss_resource = { ++static const struct qcom_pas_data sc8180x_mpss_resource = { + .crash_reason_smem = 421, + .firmware_name = "modem.mdt", + .pas_id = 4, +@@ -1206,7 +1201,7 @@ static const struct adsp_data sc8180x_mpss_resource = { + .ssctl_id = 0x12, + }; + +-static const struct adsp_data msm8996_slpi_resource_init = { ++static const struct qcom_pas_data msm8996_slpi_resource_init = { + .crash_reason_smem = 424, + .firmware_name = "slpi.mdt", + .pas_id = 12, +@@ -1220,7 +1215,7 @@ static const struct adsp_data msm8996_slpi_resource_init = { + .ssctl_id = 0x16, + }; + +-static const struct adsp_data sdm845_slpi_resource_init = { ++static const struct qcom_pas_data sdm845_slpi_resource_init = { + .crash_reason_smem = 424, + .firmware_name = "slpi.mdt", + .pas_id = 12, +@@ -1236,7 +1231,7 @@ static const struct adsp_data sdm845_slpi_resource_init = { + .ssctl_id = 0x16, + }; + +-static const struct adsp_data wcss_resource_init = { ++static const struct qcom_pas_data wcss_resource_init = { + .crash_reason_smem = 421, + .firmware_name = "wcnss.mdt", + .pas_id = 6, +@@ -1246,7 +1241,7 @@ static const struct adsp_data wcss_resource_init = { + .ssctl_id = 0x12, + }; + +-static const struct adsp_data sdx55_mpss_resource = { ++static const struct qcom_pas_data sdx55_mpss_resource = { + .crash_reason_smem = 421, + .firmware_name = "modem.mdt", + .pas_id = 4, +@@ -1261,7 +1256,7 @@ static const struct adsp_data sdx55_mpss_resource = { + .ssctl_id = 0x22, + }; + +-static const struct adsp_data sm8450_mpss_resource = { ++static const struct qcom_pas_data sm8450_mpss_resource = { + .crash_reason_smem = 421, + .firmware_name = "modem.mdt", + .pas_id = 4, +@@ -1279,7 +1274,7 @@ static const struct adsp_data sm8450_mpss_resource = { + .ssctl_id = 0x12, + }; + +-static const struct adsp_data sm8550_adsp_resource = { ++static const struct qcom_pas_data sm8550_adsp_resource = { + .crash_reason_smem = 423, + .firmware_name = "adsp.mdt", + .dtb_firmware_name = "adsp_dtb.mdt", +@@ -1299,7 +1294,7 @@ static const struct adsp_data sm8550_adsp_resource = { + .smem_host_id = 2, + }; + +-static const struct adsp_data sm8550_cdsp_resource = { ++static const struct qcom_pas_data sm8550_cdsp_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .dtb_firmware_name = "cdsp_dtb.mdt", +@@ -1320,7 +1315,7 @@ static const struct adsp_data sm8550_cdsp_resource = { + .smem_host_id = 5, + }; + +-static const struct adsp_data sm8550_mpss_resource = { ++static const struct qcom_pas_data sm8550_mpss_resource = { + .crash_reason_smem = 421, + .firmware_name = "modem.mdt", + .dtb_firmware_name = "modem_dtb.mdt", +@@ -1344,7 +1339,7 @@ static const struct adsp_data sm8550_mpss_resource = { + .region_assign_vmid = QCOM_SCM_VMID_MSS_MSA, + }; + +-static const struct adsp_data sc7280_wpss_resource = { ++static const struct qcom_pas_data sc7280_wpss_resource = { + .crash_reason_smem = 626, + .firmware_name = "wpss.mdt", + .pas_id = 6, +@@ -1361,7 +1356,7 @@ static const struct adsp_data sc7280_wpss_resource = { + .ssctl_id = 0x19, + }; + +-static const struct adsp_data sm8650_cdsp_resource = { ++static const struct qcom_pas_data sm8650_cdsp_resource = { + .crash_reason_smem = 601, + .firmware_name = "cdsp.mdt", + .dtb_firmware_name = "cdsp_dtb.mdt", +@@ -1386,7 +1381,7 @@ static const struct adsp_data sm8650_cdsp_resource = { + .region_assign_vmid = QCOM_SCM_VMID_CDSP, + }; + +-static const struct adsp_data sm8650_mpss_resource = { ++static const struct qcom_pas_data sm8650_mpss_resource = { + .crash_reason_smem = 421, + .firmware_name = "modem.mdt", + .dtb_firmware_name = "modem_dtb.mdt", +@@ -1410,7 +1405,7 @@ static const struct adsp_data sm8650_mpss_resource = { + .region_assign_vmid = QCOM_SCM_VMID_MSS_MSA, + }; + +-static const struct adsp_data sm8750_mpss_resource = { ++static const struct qcom_pas_data sm8750_mpss_resource = { + .crash_reason_smem = 421, + .firmware_name = "modem.mdt", + .dtb_firmware_name = "modem_dtb.mdt", +@@ -1434,7 +1429,7 @@ static const struct adsp_data sm8750_mpss_resource = { + .region_assign_vmid = QCOM_SCM_VMID_MSS_MSA, + }; + +-static const struct of_device_id adsp_of_match[] = { ++static const struct of_device_id qcom_pas_of_match[] = { + { .compatible = "qcom,msm8226-adsp-pil", .data = &msm8996_adsp_resource}, + { .compatible = "qcom,msm8953-adsp-pil", .data = &msm8996_adsp_resource}, + { .compatible = "qcom,msm8974-adsp-pil", .data = &adsp_resource_init}, +@@ -1504,17 +1499,17 @@ static const struct of_device_id adsp_of_match[] = { + { .compatible = "qcom,x1e80100-cdsp-pas", .data = &x1e80100_cdsp_resource}, + { }, + }; +-MODULE_DEVICE_TABLE(of, adsp_of_match); ++MODULE_DEVICE_TABLE(of, qcom_pas_of_match); + +-static struct platform_driver adsp_driver = { +- .probe = adsp_probe, +- .remove = adsp_remove, ++static struct platform_driver qcom_pas_driver = { ++ .probe = qcom_pas_probe, ++ .remove = qcom_pas_remove, + .driver = { + .name = "qcom_q6v5_pas", +- .of_match_table = adsp_of_match, ++ .of_match_table = qcom_pas_of_match, + }, + }; + +-module_platform_driver(adsp_driver); +-MODULE_DESCRIPTION("Qualcomm Hexagon v5 Peripheral Authentication Service driver"); ++module_platform_driver(qcom_pas_driver); ++MODULE_DESCRIPTION("Qualcomm Peripheral Authentication Service remoteproc driver"); + MODULE_LICENSE("GPL v2"); +-- +2.39.5 + diff --git a/queue-6.15/remoteproc-xlnx-disable-unsupported-features.patch b/queue-6.15/remoteproc-xlnx-disable-unsupported-features.patch new file mode 100644 index 0000000000..7c75ab3ada --- /dev/null +++ b/queue-6.15/remoteproc-xlnx-disable-unsupported-features.patch @@ -0,0 +1,37 @@ +From ac99ee52bf07c35600137ba550de110064dc565d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 14:30:47 -0700 +Subject: remoteproc: xlnx: Disable unsupported features + +From: Tanmay Shah + +[ Upstream commit 699cdd706290208d47bd858a188b030df2e90357 ] + +AMD-Xilinx platform driver does not support iommu or recovery mechanism +yet. Disable both features in platform driver. + +Signed-off-by: Tanmay Shah +Link: https://lore.kernel.org/r/20250716213048.2316424-2-tanmay.shah@amd.com +Fixes: 6b291e8020a8 ("drivers: remoteproc: Add Xilinx r5 remoteproc driver") +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/xlnx_r5_remoteproc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/remoteproc/xlnx_r5_remoteproc.c b/drivers/remoteproc/xlnx_r5_remoteproc.c +index 5aeedeaf3c41..c165422d0651 100644 +--- a/drivers/remoteproc/xlnx_r5_remoteproc.c ++++ b/drivers/remoteproc/xlnx_r5_remoteproc.c +@@ -906,6 +906,8 @@ static struct zynqmp_r5_core *zynqmp_r5_add_rproc_core(struct device *cdev) + + rproc_coredump_set_elf_info(r5_rproc, ELFCLASS32, EM_ARM); + ++ r5_rproc->recovery_disabled = true; ++ r5_rproc->has_iommu = false; + r5_rproc->auto_boot = false; + r5_core = r5_rproc->priv; + r5_core->dev = cdev; +-- +2.39.5 + diff --git a/queue-6.15/revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch b/queue-6.15/revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch new file mode 100644 index 0000000000..b35316bbb1 --- /dev/null +++ b/queue-6.15/revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch @@ -0,0 +1,45 @@ +From 14266ae307381083b652260c40d6304b7fd715b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 15:11:32 +0200 +Subject: Revert "fs/ntfs3: Replace inode_trylock with inode_lock" + +From: Konstantin Komarov + +[ Upstream commit a49f0abd8959048af18c6c690b065eb0d65b2d21 ] + +This reverts commit 69505fe98f198ee813898cbcaf6770949636430b. + +Initially, conditional lock acquisition was removed to fix an xfstest bug +that was observed during internal testing. The deadlock reported by syzbot +is resolved by reintroducing conditional acquisition. The xfstest bug no +longer occurs on kernel version 6.16-rc1 during internal testing. I +assume that changes in other modules may have contributed to this. + +Fixes: 69505fe98f19 ("fs/ntfs3: Replace inode_trylock with inode_lock") +Reported-by: syzbot+a91fcdbd2698f99db8f4@syzkaller.appspotmail.com +Suggested-by: Lorenzo Stoakes +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/file.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c +index 9b6a3f8d2e7c..fbecda79fa84 100644 +--- a/fs/ntfs3/file.c ++++ b/fs/ntfs3/file.c +@@ -394,7 +394,10 @@ static int ntfs_file_mmap(struct file *file, struct vm_area_struct *vma) + } + + if (ni->i_valid < to) { +- inode_lock(inode); ++ if (!inode_trylock(inode)) { ++ err = -EAGAIN; ++ goto out; ++ } + err = ntfs_extend_initialized_size(file, ni, + ni->i_valid, to); + inode_unlock(inode); +-- +2.39.5 + diff --git a/queue-6.15/revert-vmci-prevent-the-dispatching-of-uninitialized.patch b/queue-6.15/revert-vmci-prevent-the-dispatching-of-uninitialized.patch new file mode 100644 index 0000000000..b3878852c5 --- /dev/null +++ b/queue-6.15/revert-vmci-prevent-the-dispatching-of-uninitialized.patch @@ -0,0 +1,55 @@ +From a2d83d2da4ea90a69ec11644b6e6291c3a8a5375 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 10:30:09 +0200 +Subject: Revert "vmci: Prevent the dispatching of uninitialized payloads" + +From: Greg Kroah-Hartman + +[ Upstream commit 8f5d9bed6122b8d96508436e5ad2498bb797eb6b ] + +This reverts commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031. + +While the code "looks" correct, the compiler has no way to know that +doing "fun" pointer math like this really isn't a write off the end of +the structure as there is no hint anywhere that the structure has data +at the end of it. + +This causes the following build warning: + +In function 'fortify_memset_chk', + inlined from 'ctx_fire_notification.isra' at drivers/misc/vmw_vmci/vmci_context.c:254:3: +include/linux/fortify-string.h:480:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] + 480 | __write_overflow_field(p_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +So revert it for now and it can come back in the future in a "sane" way +that either correctly makes the structure know that there is trailing +data, OR just the payload structure is properly referenced and zeroed +out. + +Fixes: bfb4cf9fb97e ("vmci: Prevent the dispatching of uninitialized payloads") +Cc: Stephen Rothwell +Cc: Lizhi Xu +Link: https://lore.kernel.org/r/20250703171021.0aee1482@canb.auug.org.au +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_context.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c +index d566103caa27..f22b44827e92 100644 +--- a/drivers/misc/vmw_vmci/vmci_context.c ++++ b/drivers/misc/vmw_vmci/vmci_context.c +@@ -251,8 +251,6 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags) + ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID, + VMCI_CONTEXT_RESOURCE_ID); + ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr); +- memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0, +- ev.msg.hdr.payload_size); + ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED; + ev.payload.context_id = context_id; + +-- +2.39.5 + diff --git a/queue-6.15/ring-buffer-remove-ring_buffer_read_prepare_sync.patch b/queue-6.15/ring-buffer-remove-ring_buffer_read_prepare_sync.patch new file mode 100644 index 0000000000..dbfb0e747c --- /dev/null +++ b/queue-6.15/ring-buffer-remove-ring_buffer_read_prepare_sync.patch @@ -0,0 +1,216 @@ +From 48804678cc077c74e8e793b5873057ccaedc3d44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 18:04:40 -0400 +Subject: ring-buffer: Remove ring_buffer_read_prepare_sync() + +From: Steven Rostedt + +[ Upstream commit 119a5d573622ae90ba730d18acfae9bb75d77b9a ] + +When the ring buffer was first introduced, reading the non-consuming +"trace" file required disabling the writing of the ring buffer. To make +sure the writing was fully disabled before iterating the buffer with a +non-consuming read, it would set the disable flag of the buffer and then +call an RCU synchronization to make sure all the buffers were +synchronized. + +The function ring_buffer_read_start() originally would initialize the +iterator and call an RCU synchronization, but this was for each individual +per CPU buffer where this would get called many times on a machine with +many CPUs before the trace file could be read. The commit 72c9ddfd4c5bf +("ring-buffer: Make non-consuming read less expensive with lots of cpus.") +separated ring_buffer_read_start into ring_buffer_read_prepare(), +ring_buffer_read_sync() and then ring_buffer_read_start() to allow each of +the per CPU buffers to be prepared, call the read_buffer_read_sync() once, +and then the ring_buffer_read_start() for each of the CPUs which made +things much faster. + +The commit 1039221cc278 ("ring-buffer: Do not disable recording when there +is an iterator") removed the requirement of disabling the recording of the +ring buffer in order to iterate it, but it did not remove the +synchronization that was happening that was required to wait for all the +buffers to have no more writers. It's now OK for the buffers to have +writers and no synchronization is needed. + +Remove the synchronization and put back the interface for the ring buffer +iterator back before commit 72c9ddfd4c5bf was applied. + +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20250630180440.3eabb514@batman.local.home +Reported-by: David Howells +Fixes: 1039221cc278 ("ring-buffer: Do not disable recording when there is an iterator") +Tested-by: David Howells +Reviewed-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + include/linux/ring_buffer.h | 4 +-- + kernel/trace/ring_buffer.c | 63 ++++++------------------------------- + kernel/trace/trace.c | 14 +++------ + kernel/trace/trace_kdb.c | 8 ++--- + 4 files changed, 18 insertions(+), 71 deletions(-) + +diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h +index 56e27263acf8..00e232f3c2e8 100644 +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -152,9 +152,7 @@ ring_buffer_consume(struct trace_buffer *buffer, int cpu, u64 *ts, + unsigned long *lost_events); + + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags); +-void ring_buffer_read_prepare_sync(void); +-void ring_buffer_read_start(struct ring_buffer_iter *iter); ++ring_buffer_read_start(struct trace_buffer *buffer, int cpu, gfp_t flags); + void ring_buffer_read_finish(struct ring_buffer_iter *iter); + + struct ring_buffer_event * +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 67707ff28fc5..f84210ee691e 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -5835,24 +5835,20 @@ ring_buffer_consume(struct trace_buffer *buffer, int cpu, u64 *ts, + EXPORT_SYMBOL_GPL(ring_buffer_consume); + + /** +- * ring_buffer_read_prepare - Prepare for a non consuming read of the buffer ++ * ring_buffer_read_start - start a non consuming read of the buffer + * @buffer: The ring buffer to read from + * @cpu: The cpu buffer to iterate over + * @flags: gfp flags to use for memory allocation + * +- * This performs the initial preparations necessary to iterate +- * through the buffer. Memory is allocated, buffer resizing +- * is disabled, and the iterator pointer is returned to the caller. +- * +- * After a sequence of ring_buffer_read_prepare calls, the user is +- * expected to make at least one call to ring_buffer_read_prepare_sync. +- * Afterwards, ring_buffer_read_start is invoked to get things going +- * for real. ++ * This creates an iterator to allow non-consuming iteration through ++ * the buffer. If the buffer is disabled for writing, it will produce ++ * the same information each time, but if the buffer is still writing ++ * then the first hit of a write will cause the iteration to stop. + * +- * This overall must be paired with ring_buffer_read_finish. ++ * Must be paired with ring_buffer_read_finish. + */ + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags) ++ring_buffer_read_start(struct trace_buffer *buffer, int cpu, gfp_t flags) + { + struct ring_buffer_per_cpu *cpu_buffer; + struct ring_buffer_iter *iter; +@@ -5878,51 +5874,12 @@ ring_buffer_read_prepare(struct trace_buffer *buffer, int cpu, gfp_t flags) + + atomic_inc(&cpu_buffer->resize_disabled); + +- return iter; +-} +-EXPORT_SYMBOL_GPL(ring_buffer_read_prepare); +- +-/** +- * ring_buffer_read_prepare_sync - Synchronize a set of prepare calls +- * +- * All previously invoked ring_buffer_read_prepare calls to prepare +- * iterators will be synchronized. Afterwards, read_buffer_read_start +- * calls on those iterators are allowed. +- */ +-void +-ring_buffer_read_prepare_sync(void) +-{ +- synchronize_rcu(); +-} +-EXPORT_SYMBOL_GPL(ring_buffer_read_prepare_sync); +- +-/** +- * ring_buffer_read_start - start a non consuming read of the buffer +- * @iter: The iterator returned by ring_buffer_read_prepare +- * +- * This finalizes the startup of an iteration through the buffer. +- * The iterator comes from a call to ring_buffer_read_prepare and +- * an intervening ring_buffer_read_prepare_sync must have been +- * performed. +- * +- * Must be paired with ring_buffer_read_finish. +- */ +-void +-ring_buffer_read_start(struct ring_buffer_iter *iter) +-{ +- struct ring_buffer_per_cpu *cpu_buffer; +- unsigned long flags; +- +- if (!iter) +- return; +- +- cpu_buffer = iter->cpu_buffer; +- +- raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); ++ guard(raw_spinlock_irqsave)(&cpu_buffer->reader_lock); + arch_spin_lock(&cpu_buffer->lock); + rb_iter_reset(iter); + arch_spin_unlock(&cpu_buffer->lock); +- raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); ++ ++ return iter; + } + EXPORT_SYMBOL_GPL(ring_buffer_read_start); + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 14e1e1ed5505..db3fd111b10a 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -4640,21 +4640,15 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + if (iter->cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->array_buffer->buffer, +- cpu, GFP_KERNEL); +- } +- ring_buffer_read_prepare_sync(); +- for_each_tracing_cpu(cpu) { +- ring_buffer_read_start(iter->buffer_iter[cpu]); ++ ring_buffer_read_start(iter->array_buffer->buffer, ++ cpu, GFP_KERNEL); + tracing_iter_reset(iter, cpu); + } + } else { + cpu = iter->cpu_file; + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->array_buffer->buffer, +- cpu, GFP_KERNEL); +- ring_buffer_read_prepare_sync(); +- ring_buffer_read_start(iter->buffer_iter[cpu]); ++ ring_buffer_read_start(iter->array_buffer->buffer, ++ cpu, GFP_KERNEL); + tracing_iter_reset(iter, cpu); + } + +diff --git a/kernel/trace/trace_kdb.c b/kernel/trace/trace_kdb.c +index 1e72d20b3c2f..1981d00e1f5d 100644 +--- a/kernel/trace/trace_kdb.c ++++ b/kernel/trace/trace_kdb.c +@@ -43,17 +43,15 @@ static void ftrace_dump_buf(int skip_entries, long cpu_file) + if (cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter.buffer_iter[cpu] = +- ring_buffer_read_prepare(iter.array_buffer->buffer, +- cpu, GFP_ATOMIC); +- ring_buffer_read_start(iter.buffer_iter[cpu]); ++ ring_buffer_read_start(iter.array_buffer->buffer, ++ cpu, GFP_ATOMIC); + tracing_iter_reset(&iter, cpu); + } + } else { + iter.cpu_file = cpu_file; + iter.buffer_iter[cpu_file] = +- ring_buffer_read_prepare(iter.array_buffer->buffer, ++ ring_buffer_read_start(iter.array_buffer->buffer, + cpu_file, GFP_ATOMIC); +- ring_buffer_read_start(iter.buffer_iter[cpu_file]); + tracing_iter_reset(&iter, cpu_file); + } + +-- +2.39.5 + diff --git a/queue-6.15/risc-v-kvm-fix-inclusion-of-smnpm-in-the-guest-isa-b.patch b/queue-6.15/risc-v-kvm-fix-inclusion-of-smnpm-in-the-guest-isa-b.patch new file mode 100644 index 0000000000..8e1033dbba --- /dev/null +++ b/queue-6.15/risc-v-kvm-fix-inclusion-of-smnpm-in-the-guest-isa-b.patch @@ -0,0 +1,197 @@ +From e83edcbc61968aee945a7911618c737ea143cf12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 16:46:58 -0800 +Subject: RISC-V: KVM: Fix inclusion of Smnpm in the guest ISA bitmap + +From: Samuel Holland + +[ Upstream commit 7826c8f37220daabf90c09fcd9a835d6763f1372 ] + +The Smnpm extension requires special handling because the guest ISA +extension maps to a different extension (Ssnpm) on the host side. +commit 1851e7836212 ("RISC-V: KVM: Allow Smnpm and Ssnpm extensions for +guests") missed that the vcpu->arch.isa bit is based only on the host +extension, so currently both KVM_RISCV_ISA_EXT_{SMNPM,SSNPM} map to +vcpu->arch.isa[RISCV_ISA_EXT_SSNPM]. This does not cause any problems +for the guest, because both extensions are force-enabled anyway when the +host supports Ssnpm, but prevents checking for (guest) Smnpm in the SBI +FWFT logic. + +Redefine kvm_isa_ext_arr to look up the guest extension, since only the +guest -> host mapping is unambiguous. Factor out the logic for checking +for host support of an extension, so this special case only needs to be +handled in one place, and be explicit about which variables hold a host +vs a guest ISA extension. + +Fixes: 1851e7836212 ("RISC-V: KVM: Allow Smnpm and Ssnpm extensions for guests") +Signed-off-by: Samuel Holland +Reviewed-by: Anup Patel +Link: https://lore.kernel.org/r/20250111004702.2813013-2-samuel.holland@sifive.com +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/kvm/vcpu_onereg.c | 83 +++++++++++++++++++++++------------- + 1 file changed, 53 insertions(+), 30 deletions(-) + +diff --git a/arch/riscv/kvm/vcpu_onereg.c b/arch/riscv/kvm/vcpu_onereg.c +index 2e1b646f0d61..cce6a38ea54f 100644 +--- a/arch/riscv/kvm/vcpu_onereg.c ++++ b/arch/riscv/kvm/vcpu_onereg.c +@@ -23,7 +23,7 @@ + #define KVM_ISA_EXT_ARR(ext) \ + [KVM_RISCV_ISA_EXT_##ext] = RISCV_ISA_EXT_##ext + +-/* Mapping between KVM ISA Extension ID & Host ISA extension ID */ ++/* Mapping between KVM ISA Extension ID & guest ISA extension ID */ + static const unsigned long kvm_isa_ext_arr[] = { + /* Single letter extensions (alphabetically sorted) */ + [KVM_RISCV_ISA_EXT_A] = RISCV_ISA_EXT_a, +@@ -35,7 +35,7 @@ static const unsigned long kvm_isa_ext_arr[] = { + [KVM_RISCV_ISA_EXT_M] = RISCV_ISA_EXT_m, + [KVM_RISCV_ISA_EXT_V] = RISCV_ISA_EXT_v, + /* Multi letter extensions (alphabetically sorted) */ +- [KVM_RISCV_ISA_EXT_SMNPM] = RISCV_ISA_EXT_SSNPM, ++ KVM_ISA_EXT_ARR(SMNPM), + KVM_ISA_EXT_ARR(SMSTATEEN), + KVM_ISA_EXT_ARR(SSAIA), + KVM_ISA_EXT_ARR(SSCOFPMF), +@@ -112,6 +112,36 @@ static unsigned long kvm_riscv_vcpu_base2isa_ext(unsigned long base_ext) + return KVM_RISCV_ISA_EXT_MAX; + } + ++static int kvm_riscv_vcpu_isa_check_host(unsigned long kvm_ext, unsigned long *guest_ext) ++{ ++ unsigned long host_ext; ++ ++ if (kvm_ext >= KVM_RISCV_ISA_EXT_MAX || ++ kvm_ext >= ARRAY_SIZE(kvm_isa_ext_arr)) ++ return -ENOENT; ++ ++ *guest_ext = kvm_isa_ext_arr[kvm_ext]; ++ switch (*guest_ext) { ++ case RISCV_ISA_EXT_SMNPM: ++ /* ++ * Pointer masking effective in (H)S-mode is provided by the ++ * Smnpm extension, so that extension is reported to the guest, ++ * even though the CSR bits for configuring VS-mode pointer ++ * masking on the host side are part of the Ssnpm extension. ++ */ ++ host_ext = RISCV_ISA_EXT_SSNPM; ++ break; ++ default: ++ host_ext = *guest_ext; ++ break; ++ } ++ ++ if (!__riscv_isa_extension_available(NULL, host_ext)) ++ return -ENOENT; ++ ++ return 0; ++} ++ + static bool kvm_riscv_vcpu_isa_enable_allowed(unsigned long ext) + { + switch (ext) { +@@ -219,13 +249,13 @@ static bool kvm_riscv_vcpu_isa_disable_allowed(unsigned long ext) + + void kvm_riscv_vcpu_setup_isa(struct kvm_vcpu *vcpu) + { +- unsigned long host_isa, i; ++ unsigned long guest_ext, i; + + for (i = 0; i < ARRAY_SIZE(kvm_isa_ext_arr); i++) { +- host_isa = kvm_isa_ext_arr[i]; +- if (__riscv_isa_extension_available(NULL, host_isa) && +- kvm_riscv_vcpu_isa_enable_allowed(i)) +- set_bit(host_isa, vcpu->arch.isa); ++ if (kvm_riscv_vcpu_isa_check_host(i, &guest_ext)) ++ continue; ++ if (kvm_riscv_vcpu_isa_enable_allowed(i)) ++ set_bit(guest_ext, vcpu->arch.isa); + } + } + +@@ -607,18 +637,15 @@ static int riscv_vcpu_get_isa_ext_single(struct kvm_vcpu *vcpu, + unsigned long reg_num, + unsigned long *reg_val) + { +- unsigned long host_isa_ext; +- +- if (reg_num >= KVM_RISCV_ISA_EXT_MAX || +- reg_num >= ARRAY_SIZE(kvm_isa_ext_arr)) +- return -ENOENT; ++ unsigned long guest_ext; ++ int ret; + +- host_isa_ext = kvm_isa_ext_arr[reg_num]; +- if (!__riscv_isa_extension_available(NULL, host_isa_ext)) +- return -ENOENT; ++ ret = kvm_riscv_vcpu_isa_check_host(reg_num, &guest_ext); ++ if (ret) ++ return ret; + + *reg_val = 0; +- if (__riscv_isa_extension_available(vcpu->arch.isa, host_isa_ext)) ++ if (__riscv_isa_extension_available(vcpu->arch.isa, guest_ext)) + *reg_val = 1; /* Mark the given extension as available */ + + return 0; +@@ -628,17 +655,14 @@ static int riscv_vcpu_set_isa_ext_single(struct kvm_vcpu *vcpu, + unsigned long reg_num, + unsigned long reg_val) + { +- unsigned long host_isa_ext; +- +- if (reg_num >= KVM_RISCV_ISA_EXT_MAX || +- reg_num >= ARRAY_SIZE(kvm_isa_ext_arr)) +- return -ENOENT; ++ unsigned long guest_ext; ++ int ret; + +- host_isa_ext = kvm_isa_ext_arr[reg_num]; +- if (!__riscv_isa_extension_available(NULL, host_isa_ext)) +- return -ENOENT; ++ ret = kvm_riscv_vcpu_isa_check_host(reg_num, &guest_ext); ++ if (ret) ++ return ret; + +- if (reg_val == test_bit(host_isa_ext, vcpu->arch.isa)) ++ if (reg_val == test_bit(guest_ext, vcpu->arch.isa)) + return 0; + + if (!vcpu->arch.ran_atleast_once) { +@@ -648,10 +672,10 @@ static int riscv_vcpu_set_isa_ext_single(struct kvm_vcpu *vcpu, + */ + if (reg_val == 1 && + kvm_riscv_vcpu_isa_enable_allowed(reg_num)) +- set_bit(host_isa_ext, vcpu->arch.isa); ++ set_bit(guest_ext, vcpu->arch.isa); + else if (!reg_val && + kvm_riscv_vcpu_isa_disable_allowed(reg_num)) +- clear_bit(host_isa_ext, vcpu->arch.isa); ++ clear_bit(guest_ext, vcpu->arch.isa); + else + return -EINVAL; + kvm_riscv_vcpu_fp_reset(vcpu); +@@ -1009,16 +1033,15 @@ static int copy_fp_d_reg_indices(const struct kvm_vcpu *vcpu, + static int copy_isa_ext_reg_indices(const struct kvm_vcpu *vcpu, + u64 __user *uindices) + { ++ unsigned long guest_ext; + unsigned int n = 0; +- unsigned long isa_ext; + + for (int i = 0; i < KVM_RISCV_ISA_EXT_MAX; i++) { + u64 size = IS_ENABLED(CONFIG_32BIT) ? + KVM_REG_SIZE_U32 : KVM_REG_SIZE_U64; + u64 reg = KVM_REG_RISCV | size | KVM_REG_RISCV_ISA_EXT | i; + +- isa_ext = kvm_isa_ext_arr[i]; +- if (!__riscv_isa_extension_available(NULL, isa_ext)) ++ if (kvm_riscv_vcpu_isa_check_host(i, &guest_ext)) + continue; + + if (uindices) { +-- +2.39.5 + diff --git a/queue-6.15/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch b/queue-6.15/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch new file mode 100644 index 0000000000..a1819d8e9e --- /dev/null +++ b/queue-6.15/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch @@ -0,0 +1,40 @@ +From 4df424a67f9eb952d57d6efa9578dea35b77ad66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:21 -0400 +Subject: rtc: ds1307: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit cf6eb547a24af7ad7bbd2abe9c5327f956bbeae8 ] + +When ds3231_clk_sqw_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: 6c6ff145b3346 ("rtc: ds1307: add clock provider support for DS3231") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-1-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index 5efbe69bf5ca..c8a666de9cbe 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -1466,7 +1466,7 @@ static long ds3231_clk_sqw_round_rate(struct clk_hw *hw, unsigned long rate, + return ds3231_clk_sqw_rates[i]; + } + +- return 0; ++ return ds3231_clk_sqw_rates[ARRAY_SIZE(ds3231_clk_sqw_rates) - 1]; + } + + static int ds3231_clk_sqw_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-6.15/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch b/queue-6.15/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch new file mode 100644 index 0000000000..4b9c05ae76 --- /dev/null +++ b/queue-6.15/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch @@ -0,0 +1,40 @@ +From c25488706d4f17dec998b35a5b820e9dc9e428af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:22 -0400 +Subject: rtc: hym8563: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit d0a518eb0a692a2ab8357e844970660c5ea37720 ] + +When hym8563_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: dcaf038493525 ("rtc: add hym8563 rtc-driver") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-2-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-hym8563.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c +index 63f11ea3589d..759dc2ad6e3b 100644 +--- a/drivers/rtc/rtc-hym8563.c ++++ b/drivers/rtc/rtc-hym8563.c +@@ -294,7 +294,7 @@ static long hym8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int hym8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-6.15/rtc-nct3018y-fix-incorrect-maximum-clock-rate-handli.patch b/queue-6.15/rtc-nct3018y-fix-incorrect-maximum-clock-rate-handli.patch new file mode 100644 index 0000000000..55886b50bc --- /dev/null +++ b/queue-6.15/rtc-nct3018y-fix-incorrect-maximum-clock-rate-handli.patch @@ -0,0 +1,40 @@ +From fffcc23ff44aeca9a89a00a2153dba41a026ab8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:23 -0400 +Subject: rtc: nct3018y: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit 437c59e4b222cd697b4cf95995d933e7d583c5f1 ] + +When nct3018y_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: 5adbaed16cc63 ("rtc: Add NCT3018Y real time clock driver") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-3-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-nct3018y.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-nct3018y.c b/drivers/rtc/rtc-nct3018y.c +index 76c5f464b2da..cea05fca0bcc 100644 +--- a/drivers/rtc/rtc-nct3018y.c ++++ b/drivers/rtc/rtc-nct3018y.c +@@ -376,7 +376,7 @@ static long nct3018y_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int nct3018y_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-6.15/rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch b/queue-6.15/rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch new file mode 100644 index 0000000000..bb25ec0852 --- /dev/null +++ b/queue-6.15/rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch @@ -0,0 +1,40 @@ +From 869949d7891fe819ba885060cb80f59020ba576d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:24 -0400 +Subject: rtc: pcf85063: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit 186ae1869880e58bb3f142d222abdb35ecb4df0f ] + +When pcf85063_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: 8c229ab6048b7 ("rtc: pcf85063: Add pcf85063 clkout control to common clock framework") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-4-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf85063.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c +index 4fa5c4ecdd5a..b26c9bfad5d9 100644 +--- a/drivers/rtc/rtc-pcf85063.c ++++ b/drivers/rtc/rtc-pcf85063.c +@@ -410,7 +410,7 @@ static long pcf85063_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int pcf85063_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-6.15/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch b/queue-6.15/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch new file mode 100644 index 0000000000..96b7ce046a --- /dev/null +++ b/queue-6.15/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch @@ -0,0 +1,40 @@ +From a1015d2447cdc1a9cd6bae1cd0c5cdf6c3504c26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:25 -0400 +Subject: rtc: pcf8563: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit 906726a5efeefe0ef0103ccff5312a09080c04ae ] + +When pcf8563_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: a39a6405d5f94 ("rtc: pcf8563: add CLKOUT to common clock framework") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-5-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf8563.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-pcf8563.c b/drivers/rtc/rtc-pcf8563.c +index 5a084d426e58..e79da8901544 100644 +--- a/drivers/rtc/rtc-pcf8563.c ++++ b/drivers/rtc/rtc-pcf8563.c +@@ -339,7 +339,7 @@ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int pcf8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-6.15/rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch b/queue-6.15/rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch new file mode 100644 index 0000000000..fdb04ab1a6 --- /dev/null +++ b/queue-6.15/rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch @@ -0,0 +1,40 @@ +From 0094f96bd7e12aa7daf08338a29836198051d75d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:26 -0400 +Subject: rtc: rv3028: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit b574acb3cf7591d2513a9f29f8c2021ad55fb881 ] + +When rv3028_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: f583c341a515f ("rtc: rv3028: add clkout support") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-6-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-rv3028.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-rv3028.c b/drivers/rtc/rtc-rv3028.c +index 868d1b1eb0f4..278841c2e47e 100644 +--- a/drivers/rtc/rtc-rv3028.c ++++ b/drivers/rtc/rtc-rv3028.c +@@ -740,7 +740,7 @@ static long rv3028_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int rv3028_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-6.15/rust-miscdevice-clarify-invariant-for-miscdeviceregi.patch b/queue-6.15/rust-miscdevice-clarify-invariant-for-miscdeviceregi.patch new file mode 100644 index 0000000000..a15bdd5996 --- /dev/null +++ b/queue-6.15/rust-miscdevice-clarify-invariant-for-miscdeviceregi.patch @@ -0,0 +1,49 @@ +From c69c97057dd51fb90a77bc3a0aef879d1e2a3458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 16:15:20 +0530 +Subject: rust: miscdevice: clarify invariant for `MiscDeviceRegistration` + +From: Shankari Anand + +[ Upstream commit b9ff1c2a26fa31216be18e9b14c419ff8fe39e72 ] + +Reword and expand the invariant documentation for `MiscDeviceRegistration` +to clarify what it means for the inner device to be "registered". +It expands to explain: +- `inner` points to a `miscdevice` registered via `misc_register`. +- This registration stays valid for the entire lifetime of the object. +- Deregistration is guaranteed on `Drop`, via `misc_deregister`. + +Reported-by: Benno Lossin +Closes: https://github.com/Rust-for-Linux/linux/issues/1168 +Fixes: f893691e7426 ("rust: miscdevice: add base miscdevice abstraction") +Signed-off-by: Shankari Anand +Link: https://lore.kernel.org/r/20250626104520.563036-1-shankari.ak0208@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + rust/kernel/miscdevice.rs | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/rust/kernel/miscdevice.rs b/rust/kernel/miscdevice.rs +index 15d10e5c1db7..188ae10d3319 100644 +--- a/rust/kernel/miscdevice.rs ++++ b/rust/kernel/miscdevice.rs +@@ -44,7 +44,13 @@ pub const fn into_raw(self) -> bindings::miscdevice { + /// + /// # Invariants + /// +-/// `inner` is a registered misc device. ++/// - `inner` contains a `struct miscdevice` that is registered using ++/// `misc_register()`. ++/// - This registration remains valid for the entire lifetime of the ++/// [`MiscDeviceRegistration`] instance. ++/// - Deregistration occurs exactly once in [`Drop`] via `misc_deregister()`. ++/// - `inner` wraps a valid, pinned `miscdevice` created using ++/// [`MiscDeviceOptions::into_raw`]. + #[repr(transparent)] + #[pin_data(PinnedDrop)] + pub struct MiscDeviceRegistration { +-- +2.39.5 + diff --git a/queue-6.15/rv-adjust-monitor-dependencies.patch b/queue-6.15/rv-adjust-monitor-dependencies.patch new file mode 100644 index 0000000000..a1fee30a35 --- /dev/null +++ b/queue-6.15/rv-adjust-monitor-dependencies.patch @@ -0,0 +1,93 @@ +From 58e793a2a427e1d5eb2cea25e2bb832dc1797af8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 15:50:16 +0200 +Subject: rv: Adjust monitor dependencies + +From: Gabriele Monaco + +[ Upstream commit 79de661707a4a2dc695fd3e00529a14b4f5ec50d ] + +RV monitors relying on the preemptirqs tracepoints are set as dependent +on PREEMPT_TRACER and IRQSOFF_TRACER. In fact, those configurations do +enable the tracepoints but are not the minimal configurations enabling +them, which are TRACE_PREEMPT_TOGGLE and TRACE_IRQFLAGS (not selectable +manually). + +Set TRACE_PREEMPT_TOGGLE and TRACE_IRQFLAGS as dependencies for +monitors. + +Cc: Masami Hiramatsu +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Tomas Glozar +Cc: Juri Lelli +Cc: Clark Williams +Cc: John Kacur +Link: https://lore.kernel.org/20250728135022.255578-5-gmonaco@redhat.com +Fixes: fbe6c09b7eb4 ("rv: Add scpd, snep and sncid per-cpu monitors") +Acked-by: Nam Cao +Signed-off-by: Gabriele Monaco +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/rv/monitors/scpd/Kconfig | 2 +- + kernel/trace/rv/monitors/sncid/Kconfig | 2 +- + kernel/trace/rv/monitors/snep/Kconfig | 2 +- + kernel/trace/rv/monitors/wip/Kconfig | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/rv/monitors/scpd/Kconfig b/kernel/trace/rv/monitors/scpd/Kconfig +index b9114fbf680f..682d0416188b 100644 +--- a/kernel/trace/rv/monitors/scpd/Kconfig ++++ b/kernel/trace/rv/monitors/scpd/Kconfig +@@ -2,7 +2,7 @@ + # + config RV_MON_SCPD + depends on RV +- depends on PREEMPT_TRACER ++ depends on TRACE_PREEMPT_TOGGLE + depends on RV_MON_SCHED + default y + select DA_MON_EVENTS_IMPLICIT +diff --git a/kernel/trace/rv/monitors/sncid/Kconfig b/kernel/trace/rv/monitors/sncid/Kconfig +index 76bcfef4fd10..3a5639feaaaf 100644 +--- a/kernel/trace/rv/monitors/sncid/Kconfig ++++ b/kernel/trace/rv/monitors/sncid/Kconfig +@@ -2,7 +2,7 @@ + # + config RV_MON_SNCID + depends on RV +- depends on IRQSOFF_TRACER ++ depends on TRACE_IRQFLAGS + depends on RV_MON_SCHED + default y + select DA_MON_EVENTS_IMPLICIT +diff --git a/kernel/trace/rv/monitors/snep/Kconfig b/kernel/trace/rv/monitors/snep/Kconfig +index 77527f971232..7dd54f434ff7 100644 +--- a/kernel/trace/rv/monitors/snep/Kconfig ++++ b/kernel/trace/rv/monitors/snep/Kconfig +@@ -2,7 +2,7 @@ + # + config RV_MON_SNEP + depends on RV +- depends on PREEMPT_TRACER ++ depends on TRACE_PREEMPT_TOGGLE + depends on RV_MON_SCHED + default y + select DA_MON_EVENTS_IMPLICIT +diff --git a/kernel/trace/rv/monitors/wip/Kconfig b/kernel/trace/rv/monitors/wip/Kconfig +index e464b9294865..87a26195792b 100644 +--- a/kernel/trace/rv/monitors/wip/Kconfig ++++ b/kernel/trace/rv/monitors/wip/Kconfig +@@ -2,7 +2,7 @@ + # + config RV_MON_WIP + depends on RV +- depends on PREEMPT_TRACER ++ depends on TRACE_PREEMPT_TOGGLE + select DA_MON_EVENTS_IMPLICIT + bool "wip monitor" + help +-- +2.39.5 + diff --git a/queue-6.15/samples-mei-fix-building-on-musl-libc.patch b/queue-6.15/samples-mei-fix-building-on-musl-libc.patch new file mode 100644 index 0000000000..eb2d493fef --- /dev/null +++ b/queue-6.15/samples-mei-fix-building-on-musl-libc.patch @@ -0,0 +1,75 @@ +From ca2e0e6eb8b880eda059e0b5a1f9fe2c0b963bf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 19:29:55 +0530 +Subject: samples: mei: Fix building on musl libc + +From: Brahmajit Das + +[ Upstream commit 239df3e4b4752524e7c0fb3417c218d8063654b4 ] + +The header bits/wordsize.h is glibc specific and on building on musl +with allyesconfig results in + +samples/mei/mei-amt-version.c:77:10: fatal error: bits/wordsize.h: No such file or directory + 77 | #include + | ^~~~~~~~~~~~~~~~~ + +mei-amt-version.c build file without bits/wordsize.h on musl and glibc. + +However on musl we get the follwing error without sys/time.h + +samples/mei/mei-amt-version.c: In function 'mei_recv_msg': +samples/mei/mei-amt-version.c:159:24: error: storage size of 'tv' isn't known + 159 | struct timeval tv; + | ^~ +samples/mei/mei-amt-version.c:160:9: error: unknown type name 'fd_set' + 160 | fd_set set; + | ^~~~~~ +samples/mei/mei-amt-version.c:168:9: error: implicit declaration of function 'FD_ZERO' [-Wimplicit-function-declaration] + 168 | FD_ZERO(&set); + | ^~~~~~~ +samples/mei/mei-amt-version.c:169:9: error: implicit declaration of function 'FD_SET'; did you mean 'L_SET'? [-Wimplicit-function-declaration] + 169 | FD_SET(me->fd, &set); + | ^~~~~~ + | L_SET +samples/mei/mei-amt-version.c:170:14: error: implicit declaration of function 'select' [-Wimplicit-function-declaration] + 170 | rc = select(me->fd + 1, &set, NULL, NULL, &tv); + | ^~~~~~ +samples/mei/mei-amt-version.c:171:23: error: implicit declaration of function 'FD_ISSET' [-Wimplicit-function-declaration] + 171 | if (rc > 0 && FD_ISSET(me->fd, &set)) { + | ^~~~~~~~ +samples/mei/mei-amt-version.c:159:24: warning: unused variable 'tv' [-Wunused-variable] + 159 | struct timeval tv; + | ^~ + +Hence the the file has been included. + +Fixes: c52827cc4ddf ("staging/mei: add mei user space example") +Signed-off-by: Brahmajit Das +Link: https://lore.kernel.org/r/20250702135955.24955-1-listout@listout.xyz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + samples/mei/mei-amt-version.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/mei/mei-amt-version.c b/samples/mei/mei-amt-version.c +index 867debd3b912..1d7254bcb44c 100644 +--- a/samples/mei/mei-amt-version.c ++++ b/samples/mei/mei-amt-version.c +@@ -69,11 +69,11 @@ + #include + #include + #include ++#include + #include + #include + #include + #include +-#include + #include + + /***************************************************************************** +-- +2.39.5 + diff --git a/queue-6.15/sched-deadline-initialize-dl_servers-after-smp.patch b/queue-6.15/sched-deadline-initialize-dl_servers-after-smp.patch new file mode 100644 index 0000000000..67b52d2e61 --- /dev/null +++ b/queue-6.15/sched-deadline-initialize-dl_servers-after-smp.patch @@ -0,0 +1,140 @@ +From 3444b7294c4455310b55a9f0b60d3de6480c71cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 13:51:14 +0200 +Subject: sched/deadline: Initialize dl_servers after SMP + +From: Juri Lelli + +[ Upstream commit 9f239df55546ee1d28f0976130136ffd1cad0fd7 ] + +dl-servers are currently initialized too early at boot when CPUs are not +fully up (only boot CPU is). This results in miscalculation of per +runqueue DEADLINE variables like extra_bw (which needs a stable CPU +count). + +Move initialization of dl-servers later on after SMP has been +initialized and CPUs are all online, so that CPU count is stable and +DEADLINE variables can be computed correctly. + +Fixes: d741f297bceaf ("sched/fair: Fair server interface") +Reported-by: Marcel Ziswiler +Signed-off-by: Juri Lelli +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Waiman Long +Tested-by: Marcel Ziswiler # nuc & rock5b +Link: https://lore.kernel.org/r/20250627115118.438797-2-juri.lelli@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 ++ + kernel/sched/deadline.c | 48 +++++++++++++++++++++++++---------------- + kernel/sched/sched.h | 1 + + 3 files changed, 33 insertions(+), 18 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 7d5f51e2f761..333743f143aa 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -8501,6 +8501,8 @@ void __init sched_init_smp(void) + init_sched_rt_class(); + init_sched_dl_class(); + ++ sched_init_dl_servers(); ++ + sched_smp_initialized = true; + } + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 094134c9b135..ef5b5c045769 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -824,6 +824,8 @@ static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se) + struct dl_rq *dl_rq = dl_rq_of_se(dl_se); + struct rq *rq = rq_of_dl_rq(dl_rq); + ++ update_rq_clock(rq); ++ + WARN_ON(is_dl_boosted(dl_se)); + WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline)); + +@@ -1652,23 +1654,7 @@ void dl_server_start(struct sched_dl_entity *dl_se) + { + struct rq *rq = dl_se->rq; + +- /* +- * XXX: the apply do not work fine at the init phase for the +- * fair server because things are not yet set. We need to improve +- * this before getting generic. +- */ +- if (!dl_server(dl_se)) { +- u64 runtime = 50 * NSEC_PER_MSEC; +- u64 period = 1000 * NSEC_PER_MSEC; +- +- dl_server_apply_params(dl_se, runtime, period, 1); +- +- dl_se->dl_server = 1; +- dl_se->dl_defer = 1; +- setup_new_dl_entity(dl_se); +- } +- +- if (!dl_se->dl_runtime || dl_se->dl_server_active) ++ if (!dl_server(dl_se) || dl_se->dl_server_active) + return; + + dl_se->dl_server_active = 1; +@@ -1679,7 +1665,7 @@ void dl_server_start(struct sched_dl_entity *dl_se) + + void dl_server_stop(struct sched_dl_entity *dl_se) + { +- if (!dl_se->dl_runtime) ++ if (!dl_server(dl_se) || !dl_server_active(dl_se)) + return; + + dequeue_dl_entity(dl_se, DEQUEUE_SLEEP); +@@ -1712,6 +1698,32 @@ void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq, + dl_se->server_pick_task = pick_task; + } + ++void sched_init_dl_servers(void) ++{ ++ int cpu; ++ struct rq *rq; ++ struct sched_dl_entity *dl_se; ++ ++ for_each_online_cpu(cpu) { ++ u64 runtime = 50 * NSEC_PER_MSEC; ++ u64 period = 1000 * NSEC_PER_MSEC; ++ ++ rq = cpu_rq(cpu); ++ ++ guard(rq_lock_irq)(rq); ++ ++ dl_se = &rq->fair_server; ++ ++ WARN_ON(dl_server(dl_se)); ++ ++ dl_server_apply_params(dl_se, runtime, period, 1); ++ ++ dl_se->dl_server = 1; ++ dl_se->dl_defer = 1; ++ setup_new_dl_entity(dl_se); ++ } ++} ++ + void __dl_server_attach_root(struct sched_dl_entity *dl_se, struct rq *rq) + { + u64 new_bw = dl_se->dl_bw; +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index d6f82833f652..063f29a228ad 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -384,6 +384,7 @@ extern void dl_server_stop(struct sched_dl_entity *dl_se); + extern void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq, + dl_server_has_tasks_f has_tasks, + dl_server_pick_f pick_task); ++extern void sched_init_dl_servers(void); + + extern void dl_server_update_idle_time(struct rq *rq, + struct task_struct *p); +-- +2.39.5 + diff --git a/queue-6.15/sched-deadline-less-agressive-dl_server-handling.patch b/queue-6.15/sched-deadline-less-agressive-dl_server-handling.patch new file mode 100644 index 0000000000..0441721fab --- /dev/null +++ b/queue-6.15/sched-deadline-less-agressive-dl_server-handling.patch @@ -0,0 +1,163 @@ +From c0a825f92d92fdccff156fd030efa068df138577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 11:19:30 +0200 +Subject: sched/deadline: Less agressive dl_server handling + +From: Peter Zijlstra + +[ Upstream commit cccb45d7c4295bbfeba616582d0249f2d21e6df5 ] + +Chris reported that commit 5f6bd380c7bd ("sched/rt: Remove default +bandwidth control") caused a significant dip in his favourite +benchmark of the day. Simply disabling dl_server cured things. + +His workload hammers the 0->1, 1->0 transitions, and the +dl_server_{start,stop}() overhead kills it -- fairly obviously a bad +idea in hind sight and all that. + +Change things around to only disable the dl_server when there has not +been a fair task around for a whole period. Since the default period +is 1 second, this ensures the benchmark never trips this, overhead +gone. + +Fixes: 557a6bfc662c ("sched/fair: Add trivial fair server") +Reported-by: Chris Mason +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Juri Lelli +Acked-by: Juri Lelli +Link: https://lkml.kernel.org/r/20250702121158.465086194@infradead.org +Signed-off-by: Sasha Levin +--- + include/linux/sched.h | 1 + + kernel/sched/deadline.c | 25 ++++++++++++++++++++++--- + kernel/sched/fair.c | 9 --------- + 3 files changed, 23 insertions(+), 12 deletions(-) + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index f96ac1982893..1f92572b20c0 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -702,6 +702,7 @@ struct sched_dl_entity { + unsigned int dl_defer : 1; + unsigned int dl_defer_armed : 1; + unsigned int dl_defer_running : 1; ++ unsigned int dl_server_idle : 1; + + /* + * Bandwidth enforcement timer. Each -deadline task has its +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 89019a140826..094134c9b135 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1215,6 +1215,8 @@ static void __push_dl_task(struct rq *rq, struct rq_flags *rf) + /* a defer timer will not be reset if the runtime consumed was < dl_server_min_res */ + static const u64 dl_server_min_res = 1 * NSEC_PER_MSEC; + ++static bool dl_server_stopped(struct sched_dl_entity *dl_se); ++ + static enum hrtimer_restart dl_server_timer(struct hrtimer *timer, struct sched_dl_entity *dl_se) + { + struct rq *rq = rq_of_dl_se(dl_se); +@@ -1234,6 +1236,7 @@ static enum hrtimer_restart dl_server_timer(struct hrtimer *timer, struct sched_ + + if (!dl_se->server_has_tasks(dl_se)) { + replenish_dl_entity(dl_se); ++ dl_server_stopped(dl_se); + return HRTIMER_NORESTART; + } + +@@ -1639,8 +1642,10 @@ void dl_server_update_idle_time(struct rq *rq, struct task_struct *p) + void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec) + { + /* 0 runtime = fair server disabled */ +- if (dl_se->dl_runtime) ++ if (dl_se->dl_runtime) { ++ dl_se->dl_server_idle = 0; + update_curr_dl_se(dl_se->rq, dl_se, delta_exec); ++ } + } + + void dl_server_start(struct sched_dl_entity *dl_se) +@@ -1663,7 +1668,7 @@ void dl_server_start(struct sched_dl_entity *dl_se) + setup_new_dl_entity(dl_se); + } + +- if (!dl_se->dl_runtime) ++ if (!dl_se->dl_runtime || dl_se->dl_server_active) + return; + + dl_se->dl_server_active = 1; +@@ -1684,6 +1689,20 @@ void dl_server_stop(struct sched_dl_entity *dl_se) + dl_se->dl_server_active = 0; + } + ++static bool dl_server_stopped(struct sched_dl_entity *dl_se) ++{ ++ if (!dl_se->dl_server_active) ++ return false; ++ ++ if (dl_se->dl_server_idle) { ++ dl_server_stop(dl_se); ++ return true; ++ } ++ ++ dl_se->dl_server_idle = 1; ++ return false; ++} ++ + void dl_server_init(struct sched_dl_entity *dl_se, struct rq *rq, + dl_server_has_tasks_f has_tasks, + dl_server_pick_f pick_task) +@@ -2435,7 +2454,7 @@ static struct task_struct *__pick_task_dl(struct rq *rq) + if (dl_server(dl_se)) { + p = dl_se->server_pick_task(dl_se); + if (!p) { +- if (dl_server_active(dl_se)) { ++ if (!dl_server_stopped(dl_se)) { + dl_se->dl_yielded = 1; + update_curr_dl_se(rq, dl_se, 0); + } +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 138d9f4658d5..9746eff2eff7 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -5886,7 +5886,6 @@ static bool throttle_cfs_rq(struct cfs_rq *cfs_rq) + struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(cfs_rq->tg); + struct sched_entity *se; + long queued_delta, runnable_delta, idle_delta, dequeue = 1; +- long rq_h_nr_queued = rq->cfs.h_nr_queued; + + raw_spin_lock(&cfs_b->lock); + /* This will start the period timer if necessary */ +@@ -5970,10 +5969,6 @@ static bool throttle_cfs_rq(struct cfs_rq *cfs_rq) + + /* At this point se is NULL and we are at root level*/ + sub_nr_running(rq, queued_delta); +- +- /* Stop the fair server if throttling resulted in no runnable tasks */ +- if (rq_h_nr_queued && !rq->cfs.h_nr_queued) +- dl_server_stop(&rq->fair_server); + done: + /* + * Note: distribution will already see us throttled via the +@@ -7067,7 +7062,6 @@ static void set_next_buddy(struct sched_entity *se); + static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags) + { + bool was_sched_idle = sched_idle_rq(rq); +- int rq_h_nr_queued = rq->cfs.h_nr_queued; + bool task_sleep = flags & DEQUEUE_SLEEP; + bool task_delayed = flags & DEQUEUE_DELAYED; + struct task_struct *p = NULL; +@@ -7151,9 +7145,6 @@ static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags) + + sub_nr_running(rq, h_nr_queued); + +- if (rq_h_nr_queued && !rq->cfs.h_nr_queued) +- dl_server_stop(&rq->fair_server); +- + /* balance early to pull high priority tasks */ + if (unlikely(!was_sched_idle && sched_idle_rq(rq))) + rq->next_balance = jiffies; +-- +2.39.5 + diff --git a/queue-6.15/sched-deadline-reset-extra_bw-to-max_bw-when-clearin.patch b/queue-6.15/sched-deadline-reset-extra_bw-to-max_bw-when-clearin.patch new file mode 100644 index 0000000000..4f17121029 --- /dev/null +++ b/queue-6.15/sched-deadline-reset-extra_bw-to-max_bw-when-clearin.patch @@ -0,0 +1,49 @@ +From b72d296cd0f7287f3cf6e49ad4e62654067adaa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 13:51:15 +0200 +Subject: sched/deadline: Reset extra_bw to max_bw when clearing root domains + +From: Juri Lelli + +[ Upstream commit fcc9276c4d331cd1fe9319d793e80b02e09727f5 ] + +dl_clear_root_domain() doesn't take into account the fact that per-rq +extra_bw variables retain values computed before root domain changes, +resulting in broken accounting. + +Fix it by resetting extra_bw to max_bw before restoring back dl-servers +contributions. + +Fixes: 2ff899e351643 ("sched/deadline: Rebuild root domain accounting after every update") +Reported-by: Marcel Ziswiler +Signed-off-by: Juri Lelli +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Marcel Ziswiler # nuc & rock5b +Link: https://lore.kernel.org/r/20250627115118.438797-3-juri.lelli@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index ef5b5c045769..135580a41e14 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -3007,7 +3007,14 @@ void dl_clear_root_domain(struct root_domain *rd) + int i; + + guard(raw_spinlock_irqsave)(&rd->dl_bw.lock); ++ ++ /* ++ * Reset total_bw to zero and extra_bw to max_bw so that next ++ * loop will add dl-servers contributions back properly, ++ */ + rd->dl_bw.total_bw = 0; ++ for_each_cpu(i, rd->span) ++ cpu_rq(i)->dl.extra_bw = cpu_rq(i)->dl.max_bw; + + /* + * dl_servers are not tasks. Since dl_add_task_root_domain ignores +-- +2.39.5 + diff --git a/queue-6.15/sched-do-not-call-__put_task_struct-on-rt-if-pi_bloc.patch b/queue-6.15/sched-do-not-call-__put_task_struct-on-rt-if-pi_bloc.patch new file mode 100644 index 0000000000..c1080eebcc --- /dev/null +++ b/queue-6.15/sched-do-not-call-__put_task_struct-on-rt-if-pi_bloc.patch @@ -0,0 +1,97 @@ +From 93130f0272c72e9b1e0d5290be208f036fcadcf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 11:03:59 -0300 +Subject: sched: Do not call __put_task_struct() on rt if pi_blocked_on is set + +From: Luis Claudio R. Goncalves + +[ Upstream commit 8671bad873ebeb082afcf7b4501395c374da6023 ] + +With PREEMPT_RT enabled, some of the calls to put_task_struct() coming +from rt_mutex_adjust_prio_chain() could happen in preemptible context and +with a mutex enqueued. That could lead to this sequence: + + rt_mutex_adjust_prio_chain() + put_task_struct() + __put_task_struct() + sched_ext_free() + spin_lock_irqsave() + rtlock_lock() ---> TRIGGERS + lockdep_assert(!current->pi_blocked_on); + +This is not a SCHED_EXT bug. The first cleanup function called by +__put_task_struct() is sched_ext_free() and it happens to take a +(RT) spin_lock, which in the scenario described above, would trigger +the lockdep assertion of "!current->pi_blocked_on". + +Crystal Wood was able to identify the problem as __put_task_struct() +being called during rt_mutex_adjust_prio_chain(), in the context of +a process with a mutex enqueued. + +Instead of adding more complex conditions to decide when to directly +call __put_task_struct() and when to defer the call, unconditionally +resort to the deferred call on PREEMPT_RT to simplify the code. + +Fixes: 893cdaaa3977 ("sched: avoid false lockdep splat in put_task_struct()") +Suggested-by: Crystal Wood +Signed-off-by: Luis Claudio R. Goncalves +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Wander Lairson Costa +Reviewed-by: Valentin Schneider +Reviewed-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/aGvTz5VaPFyj0pBV@uudg.org +Signed-off-by: Sasha Levin +--- + include/linux/sched/task.h | 27 ++++++++++----------------- + 1 file changed, 10 insertions(+), 17 deletions(-) + +diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h +index ca1db4b92c32..58ce71715268 100644 +--- a/include/linux/sched/task.h ++++ b/include/linux/sched/task.h +@@ -135,24 +135,17 @@ static inline void put_task_struct(struct task_struct *t) + return; + + /* +- * In !RT, it is always safe to call __put_task_struct(). +- * Under RT, we can only call it in preemptible context. +- */ +- if (!IS_ENABLED(CONFIG_PREEMPT_RT) || preemptible()) { +- static DEFINE_WAIT_OVERRIDE_MAP(put_task_map, LD_WAIT_SLEEP); +- +- lock_map_acquire_try(&put_task_map); +- __put_task_struct(t); +- lock_map_release(&put_task_map); +- return; +- } +- +- /* +- * under PREEMPT_RT, we can't call put_task_struct ++ * Under PREEMPT_RT, we can't call __put_task_struct + * in atomic context because it will indirectly +- * acquire sleeping locks. ++ * acquire sleeping locks. The same is true if the ++ * current process has a mutex enqueued (blocked on ++ * a PI chain). ++ * ++ * In !RT, it is always safe to call __put_task_struct(). ++ * Though, in order to simplify the code, resort to the ++ * deferred call too. + * +- * call_rcu() will schedule delayed_put_task_struct_rcu() ++ * call_rcu() will schedule __put_task_struct_rcu_cb() + * to be called in process context. + * + * __put_task_struct() is called when +@@ -165,7 +158,7 @@ static inline void put_task_struct(struct task_struct *t) + * + * delayed_free_task() also uses ->rcu, but it is only called + * when it fails to fork a process. Therefore, there is no +- * way it can conflict with put_task_struct(). ++ * way it can conflict with __put_task_struct(). + */ + call_rcu(&t->rcu, __put_task_struct_rcu_cb); + } +-- +2.39.5 + diff --git a/queue-6.15/sched-psi-fix-psi_seq-initialization.patch b/queue-6.15/sched-psi-fix-psi_seq-initialization.patch new file mode 100644 index 0000000000..1ae9c42691 --- /dev/null +++ b/queue-6.15/sched-psi-fix-psi_seq-initialization.patch @@ -0,0 +1,51 @@ +From f6672eca355da604b803bc6f3001735ae6b5aa0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 15:11:14 -0400 +Subject: sched/psi: Fix psi_seq initialization + +From: Peter Zijlstra + +[ Upstream commit 99b773d720aeea1ef2170dce5fcfa80649e26b78 ] + +With the seqcount moved out of the group into a global psi_seq, +re-initializing the seqcount on group creation is causing seqcount +corruption. + +Fixes: 570c8efd5eb7 ("sched/psi: Optimize psi_group_change() cpu_clock() usage") +Reported-by: Chris Mason +Suggested-by: Beata Michalska +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sched/psi.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index c62f4316a2b9..e0ad56b26171 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -172,7 +172,7 @@ struct psi_group psi_system = { + .pcpu = &system_group_pcpu, + }; + +-static DEFINE_PER_CPU(seqcount_t, psi_seq); ++static DEFINE_PER_CPU(seqcount_t, psi_seq) = SEQCNT_ZERO(psi_seq); + + static inline void psi_write_begin(int cpu) + { +@@ -200,11 +200,7 @@ static void poll_timer_fn(struct timer_list *t); + + static void group_init(struct psi_group *group) + { +- int cpu; +- + group->enabled = true; +- for_each_possible_cpu(cpu) +- seqcount_init(per_cpu_ptr(&psi_seq, cpu)); + group->avg_last_update = sched_clock(); + group->avg_next_update = group->avg_last_update + psi_period; + mutex_init(&group->avgs_lock); +-- +2.39.5 + diff --git a/queue-6.15/sched-psi-optimize-psi_group_change-cpu_clock-usage.patch b/queue-6.15/sched-psi-optimize-psi_group_change-cpu_clock-usage.patch new file mode 100644 index 0000000000..8e1b7f10a0 --- /dev/null +++ b/queue-6.15/sched-psi-optimize-psi_group_change-cpu_clock-usage.patch @@ -0,0 +1,338 @@ +From 00ed740d644159a152d38efbf67fe1187e8512b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 17:28:00 +0200 +Subject: sched/psi: Optimize psi_group_change() cpu_clock() usage + +From: Peter Zijlstra + +[ Upstream commit 570c8efd5eb79c3725ba439ce105ed1bedc5acd9 ] + +Dietmar reported that commit 3840cbe24cf0 ("sched: psi: fix bogus +pressure spikes from aggregation race") caused a regression for him on +a high context switch rate benchmark (schbench) due to the now +repeating cpu_clock() calls. + +In particular the problem is that get_recent_times() will extrapolate +the current state to 'now'. But if an update uses a timestamp from +before the start of the update, it is possible to get two reads +with inconsistent results. It is effectively back-dating an update. + +(note that this all hard-relies on the clock being synchronized across +CPUs -- if this is not the case, all bets are off). + +Combine this problem with the fact that there are per-group-per-cpu +seqcounts, the commit in question pushed the clock read into the group +iteration, causing tree-depth cpu_clock() calls. On architectures +where cpu_clock() has appreciable overhead, this hurts. + +Instead move to a per-cpu seqcount, which allows us to have a single +clock read for all group updates, increasing internal consistency and +lowering update overhead. This comes at the cost of a longer update +side (proportional to the tree depth) which can cause the read side to +retry more often. + +Fixes: 3840cbe24cf0 ("sched: psi: fix bogus pressure spikes from aggregation race") +Reported-by: Dietmar Eggemann +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Johannes Weiner +Tested-by: Dietmar Eggemann , +Link: https://lkml.kernel.org/20250522084844.GC31726@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + include/linux/psi_types.h | 6 +- + kernel/sched/psi.c | 121 +++++++++++++++++++++----------------- + 2 files changed, 68 insertions(+), 59 deletions(-) + +diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h +index f1fd3a8044e0..dd10c22299ab 100644 +--- a/include/linux/psi_types.h ++++ b/include/linux/psi_types.h +@@ -84,11 +84,9 @@ enum psi_aggregators { + struct psi_group_cpu { + /* 1st cacheline updated by the scheduler */ + +- /* Aggregator needs to know of concurrent changes */ +- seqcount_t seq ____cacheline_aligned_in_smp; +- + /* States of the tasks belonging to this group */ +- unsigned int tasks[NR_PSI_TASK_COUNTS]; ++ unsigned int tasks[NR_PSI_TASK_COUNTS] ++ ____cacheline_aligned_in_smp; + + /* Aggregate pressure state derived from the tasks */ + u32 state_mask; +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index 1396674fa722..c62f4316a2b9 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -172,6 +172,28 @@ struct psi_group psi_system = { + .pcpu = &system_group_pcpu, + }; + ++static DEFINE_PER_CPU(seqcount_t, psi_seq); ++ ++static inline void psi_write_begin(int cpu) ++{ ++ write_seqcount_begin(per_cpu_ptr(&psi_seq, cpu)); ++} ++ ++static inline void psi_write_end(int cpu) ++{ ++ write_seqcount_end(per_cpu_ptr(&psi_seq, cpu)); ++} ++ ++static inline u32 psi_read_begin(int cpu) ++{ ++ return read_seqcount_begin(per_cpu_ptr(&psi_seq, cpu)); ++} ++ ++static inline bool psi_read_retry(int cpu, u32 seq) ++{ ++ return read_seqcount_retry(per_cpu_ptr(&psi_seq, cpu), seq); ++} ++ + static void psi_avgs_work(struct work_struct *work); + + static void poll_timer_fn(struct timer_list *t); +@@ -182,7 +204,7 @@ static void group_init(struct psi_group *group) + + group->enabled = true; + for_each_possible_cpu(cpu) +- seqcount_init(&per_cpu_ptr(group->pcpu, cpu)->seq); ++ seqcount_init(per_cpu_ptr(&psi_seq, cpu)); + group->avg_last_update = sched_clock(); + group->avg_next_update = group->avg_last_update + psi_period; + mutex_init(&group->avgs_lock); +@@ -262,14 +284,14 @@ static void get_recent_times(struct psi_group *group, int cpu, + + /* Snapshot a coherent view of the CPU state */ + do { +- seq = read_seqcount_begin(&groupc->seq); ++ seq = psi_read_begin(cpu); + now = cpu_clock(cpu); + memcpy(times, groupc->times, sizeof(groupc->times)); + state_mask = groupc->state_mask; + state_start = groupc->state_start; + if (cpu == current_cpu) + memcpy(tasks, groupc->tasks, sizeof(groupc->tasks)); +- } while (read_seqcount_retry(&groupc->seq, seq)); ++ } while (psi_read_retry(cpu, seq)); + + /* Calculate state time deltas against the previous snapshot */ + for (s = 0; s < NR_PSI_STATES; s++) { +@@ -768,30 +790,20 @@ static void record_times(struct psi_group_cpu *groupc, u64 now) + groupc->times[PSI_NONIDLE] += delta; + } + ++#define for_each_group(iter, group) \ ++ for (typeof(group) iter = group; iter; iter = iter->parent) ++ + static void psi_group_change(struct psi_group *group, int cpu, + unsigned int clear, unsigned int set, +- bool wake_clock) ++ u64 now, bool wake_clock) + { + struct psi_group_cpu *groupc; + unsigned int t, m; + u32 state_mask; +- u64 now; + + lockdep_assert_rq_held(cpu_rq(cpu)); + groupc = per_cpu_ptr(group->pcpu, cpu); + +- /* +- * First we update the task counts according to the state +- * change requested through the @clear and @set bits. +- * +- * Then if the cgroup PSI stats accounting enabled, we +- * assess the aggregate resource states this CPU's tasks +- * have been in since the last change, and account any +- * SOME and FULL time these may have resulted in. +- */ +- write_seqcount_begin(&groupc->seq); +- now = cpu_clock(cpu); +- + /* + * Start with TSK_ONCPU, which doesn't have a corresponding + * task count - it's just a boolean flag directly encoded in +@@ -843,7 +855,6 @@ static void psi_group_change(struct psi_group *group, int cpu, + + groupc->state_mask = state_mask; + +- write_seqcount_end(&groupc->seq); + return; + } + +@@ -864,8 +875,6 @@ static void psi_group_change(struct psi_group *group, int cpu, + + groupc->state_mask = state_mask; + +- write_seqcount_end(&groupc->seq); +- + if (state_mask & group->rtpoll_states) + psi_schedule_rtpoll_work(group, 1, false); + +@@ -900,24 +909,29 @@ static void psi_flags_change(struct task_struct *task, int clear, int set) + void psi_task_change(struct task_struct *task, int clear, int set) + { + int cpu = task_cpu(task); +- struct psi_group *group; ++ u64 now; + + if (!task->pid) + return; + + psi_flags_change(task, clear, set); + +- group = task_psi_group(task); +- do { +- psi_group_change(group, cpu, clear, set, true); +- } while ((group = group->parent)); ++ psi_write_begin(cpu); ++ now = cpu_clock(cpu); ++ for_each_group(group, task_psi_group(task)) ++ psi_group_change(group, cpu, clear, set, now, true); ++ psi_write_end(cpu); + } + + void psi_task_switch(struct task_struct *prev, struct task_struct *next, + bool sleep) + { +- struct psi_group *group, *common = NULL; ++ struct psi_group *common = NULL; + int cpu = task_cpu(prev); ++ u64 now; ++ ++ psi_write_begin(cpu); ++ now = cpu_clock(cpu); + + if (next->pid) { + psi_flags_change(next, 0, TSK_ONCPU); +@@ -926,16 +940,15 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, + * ancestors with @prev, those will already have @prev's + * TSK_ONCPU bit set, and we can stop the iteration there. + */ +- group = task_psi_group(next); +- do { +- if (per_cpu_ptr(group->pcpu, cpu)->state_mask & +- PSI_ONCPU) { ++ for_each_group(group, task_psi_group(next)) { ++ struct psi_group_cpu *groupc = per_cpu_ptr(group->pcpu, cpu); ++ ++ if (groupc->state_mask & PSI_ONCPU) { + common = group; + break; + } +- +- psi_group_change(group, cpu, 0, TSK_ONCPU, true); +- } while ((group = group->parent)); ++ psi_group_change(group, cpu, 0, TSK_ONCPU, now, true); ++ } + } + + if (prev->pid) { +@@ -968,12 +981,11 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, + + psi_flags_change(prev, clear, set); + +- group = task_psi_group(prev); +- do { ++ for_each_group(group, task_psi_group(prev)) { + if (group == common) + break; +- psi_group_change(group, cpu, clear, set, wake_clock); +- } while ((group = group->parent)); ++ psi_group_change(group, cpu, clear, set, now, wake_clock); ++ } + + /* + * TSK_ONCPU is handled up to the common ancestor. If there are +@@ -983,20 +995,21 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, + */ + if ((prev->psi_flags ^ next->psi_flags) & ~TSK_ONCPU) { + clear &= ~TSK_ONCPU; +- for (; group; group = group->parent) +- psi_group_change(group, cpu, clear, set, wake_clock); ++ for_each_group(group, common) ++ psi_group_change(group, cpu, clear, set, now, wake_clock); + } + } ++ psi_write_end(cpu); + } + + #ifdef CONFIG_IRQ_TIME_ACCOUNTING + void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_struct *prev) + { + int cpu = task_cpu(curr); +- struct psi_group *group; + struct psi_group_cpu *groupc; + s64 delta; + u64 irq; ++ u64 now; + + if (static_branch_likely(&psi_disabled) || !irqtime_enabled()) + return; +@@ -1005,8 +1018,7 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st + return; + + lockdep_assert_rq_held(rq); +- group = task_psi_group(curr); +- if (prev && task_psi_group(prev) == group) ++ if (prev && task_psi_group(prev) == task_psi_group(curr)) + return; + + irq = irq_time_read(cpu); +@@ -1015,25 +1027,22 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st + return; + rq->psi_irq_time = irq; + +- do { +- u64 now; ++ psi_write_begin(cpu); ++ now = cpu_clock(cpu); + ++ for_each_group(group, task_psi_group(curr)) { + if (!group->enabled) + continue; + + groupc = per_cpu_ptr(group->pcpu, cpu); + +- write_seqcount_begin(&groupc->seq); +- now = cpu_clock(cpu); +- + record_times(groupc, now); + groupc->times[PSI_IRQ_FULL] += delta; + +- write_seqcount_end(&groupc->seq); +- + if (group->rtpoll_states & (1 << PSI_IRQ_FULL)) + psi_schedule_rtpoll_work(group, 1, false); +- } while ((group = group->parent)); ++ } ++ psi_write_end(cpu); + } + #endif + +@@ -1221,12 +1230,14 @@ void psi_cgroup_restart(struct psi_group *group) + return; + + for_each_possible_cpu(cpu) { +- struct rq *rq = cpu_rq(cpu); +- struct rq_flags rf; ++ u64 now; + +- rq_lock_irq(rq, &rf); +- psi_group_change(group, cpu, 0, 0, true); +- rq_unlock_irq(rq, &rf); ++ guard(rq_lock_irq)(cpu_rq(cpu)); ++ ++ psi_write_begin(cpu); ++ now = cpu_clock(cpu); ++ psi_group_change(group, cpu, 0, 0, now, true); ++ psi_write_end(cpu); + } + } + #endif /* CONFIG_CGROUPS */ +-- +2.39.5 + diff --git a/queue-6.15/scripts-gdb-move-mnt_-constants-to-gdb-parsed.patch b/queue-6.15/scripts-gdb-move-mnt_-constants-to-gdb-parsed.patch new file mode 100644 index 0000000000..a65ef94b3c --- /dev/null +++ b/queue-6.15/scripts-gdb-move-mnt_-constants-to-gdb-parsed.patch @@ -0,0 +1,50 @@ +From 9f873630cfc541f550d313022ba3a63635959f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 15:46:02 +0200 +Subject: scripts: gdb: move MNT_* constants to gdb-parsed + +From: Johannes Berg + +[ Upstream commit 41a7f737685eed2700654720d3faaffdf0132135 ] + +Since these are now no longer defines, but in an enum. + +Link: https://lkml.kernel.org/r/20250618134629.25700-2-johannes@sipsolutions.net +Fixes: 101f2bbab541 ("fs: convert mount flags to enum") +Reviewed-by: Benjamin Berg +Signed-off-by: Johannes Berg +Cc: Jan Kiszka +Cc: Kieran Bingham +Cc: Stephen Brennan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + scripts/gdb/linux/constants.py.in | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/scripts/gdb/linux/constants.py.in b/scripts/gdb/linux/constants.py.in +index f795302ddfa8..c3886739a028 100644 +--- a/scripts/gdb/linux/constants.py.in ++++ b/scripts/gdb/linux/constants.py.in +@@ -74,12 +74,12 @@ if IS_BUILTIN(CONFIG_MODULES): + LX_GDBPARSED(MOD_RO_AFTER_INIT) + + /* linux/mount.h */ +-LX_VALUE(MNT_NOSUID) +-LX_VALUE(MNT_NODEV) +-LX_VALUE(MNT_NOEXEC) +-LX_VALUE(MNT_NOATIME) +-LX_VALUE(MNT_NODIRATIME) +-LX_VALUE(MNT_RELATIME) ++LX_GDBPARSED(MNT_NOSUID) ++LX_GDBPARSED(MNT_NODEV) ++LX_GDBPARSED(MNT_NOEXEC) ++LX_GDBPARSED(MNT_NOATIME) ++LX_GDBPARSED(MNT_NODIRATIME) ++LX_GDBPARSED(MNT_RELATIME) + + /* linux/threads.h */ + LX_VALUE(NR_CPUS) +-- +2.39.5 + diff --git a/queue-6.15/scsi-elx-efct-fix-dma_unmap_sg-nents-value.patch b/queue-6.15/scsi-elx-efct-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..3e983efb37 --- /dev/null +++ b/queue-6.15/scsi-elx-efct-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,37 @@ +From 3625e27e145792f4f35beab17bc9c14d5fc70ad2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 13:41:13 +0200 +Subject: scsi: elx: efct: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 3a988d0b65d7d1713ce7596eae288a293f3b938e ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 692e5d73a811 ("scsi: elx: efct: LIO backend interface routines") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250627114117.188480-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/elx/efct/efct_lio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/elx/efct/efct_lio.c b/drivers/scsi/elx/efct/efct_lio.c +index 9ac69356b13e..bd3d489e56ae 100644 +--- a/drivers/scsi/elx/efct/efct_lio.c ++++ b/drivers/scsi/elx/efct/efct_lio.c +@@ -382,7 +382,7 @@ efct_lio_sg_unmap(struct efct_io *io) + return; + + dma_unmap_sg(&io->efct->pci->dev, cmd->t_data_sg, +- ocp->seg_map_cnt, cmd->data_direction); ++ cmd->t_data_nents, cmd->data_direction); + ocp->seg_map_cnt = 0; + } + +-- +2.39.5 + diff --git a/queue-6.15/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch b/queue-6.15/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..8c4e7419da --- /dev/null +++ b/queue-6.15/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,48 @@ +From cd780bdf806a54babcbd7e375c77abe656094181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 13:18:02 +0200 +Subject: scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 023a293b9cd0bb86a9b50cd7688a3d9d266826db ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 88a678bbc34c ("ibmvscsis: Initial commit of IBM VSCSI Tgt Driver") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250630111803.94389-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/ibmvscsi_tgt/libsrp.c b/drivers/scsi/ibmvscsi_tgt/libsrp.c +index 8a0e28aec928..0ecad398ed3d 100644 +--- a/drivers/scsi/ibmvscsi_tgt/libsrp.c ++++ b/drivers/scsi/ibmvscsi_tgt/libsrp.c +@@ -184,7 +184,8 @@ static int srp_direct_data(struct ibmvscsis_cmd *cmd, struct srp_direct_buf *md, + err = rdma_io(cmd, sg, nsg, md, 1, dir, len); + + if (dma_map) +- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL); ++ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents, ++ DMA_BIDIRECTIONAL); + + return err; + } +@@ -256,7 +257,8 @@ static int srp_indirect_data(struct ibmvscsis_cmd *cmd, struct srp_cmd *srp_cmd, + err = rdma_io(cmd, sg, nsg, md, nmd, dir, len); + + if (dma_map) +- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL); ++ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents, ++ DMA_BIDIRECTIONAL); + + free_mem: + if (token && dma_map) { +-- +2.39.5 + diff --git a/queue-6.15/scsi-isci-fix-dma_unmap_sg-nents-value.patch b/queue-6.15/scsi-isci-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..e3942ca6d0 --- /dev/null +++ b/queue-6.15/scsi-isci-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,37 @@ +From 4a9854b8e711bd64367f59312e00ff8d072c7748 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 16:24:47 +0200 +Subject: scsi: isci: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 063bec4444d54e5f35d11949c5c90eaa1ff84c11 ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: ddcc7e347a89 ("isci: fix dma_unmap_sg usage") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250627142451.241713-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/isci/request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c +index 355a0bc0828e..bb89a2e33eb4 100644 +--- a/drivers/scsi/isci/request.c ++++ b/drivers/scsi/isci/request.c +@@ -2904,7 +2904,7 @@ static void isci_request_io_request_complete(struct isci_host *ihost, + task->total_xfer_len, task->data_dir); + else /* unmap the sgl dma addresses */ + dma_unmap_sg(&ihost->pdev->dev, task->scatter, +- request->num_sg_entries, task->data_dir); ++ task->num_scatter, task->data_dir); + break; + case SAS_PROTOCOL_SMP: { + struct scatterlist *sg = &task->smp_task.smp_req; +-- +2.39.5 + diff --git a/queue-6.15/scsi-mpt3sas-fix-a-fw_event-memory-leak.patch b/queue-6.15/scsi-mpt3sas-fix-a-fw_event-memory-leak.patch new file mode 100644 index 0000000000..86450a95bb --- /dev/null +++ b/queue-6.15/scsi-mpt3sas-fix-a-fw_event-memory-leak.patch @@ -0,0 +1,39 @@ +From 60165142f61a300b06eaab76ae00cf228124bf91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 17:30:18 +0200 +Subject: scsi: mpt3sas: Fix a fw_event memory leak + +From: Tomas Henzl + +[ Upstream commit 3e90b38781e3bdd651edaf789585687611638862 ] + +In _mpt3sas_fw_work() the fw_event reference is removed, it should also +be freed in all cases. + +Fixes: 4318c7347847 ("scsi: mpt3sas: Handle NVMe PCIe device related events generated from firmware.") +Signed-off-by: Tomas Henzl +Link: https://lore.kernel.org/r/20250723153018.50518-1-thenzl@redhat.com +Acked-by: Sathya Prakash Veerichetty +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index 508861e88d9f..0f900ddb3047 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -10790,8 +10790,7 @@ _mpt3sas_fw_work(struct MPT3SAS_ADAPTER *ioc, struct fw_event_work *fw_event) + break; + case MPI2_EVENT_PCIE_TOPOLOGY_CHANGE_LIST: + _scsih_pcie_topology_change_event(ioc, fw_event); +- ioc->current_event = NULL; +- return; ++ break; + } + out: + fw_event_work_put(fw_event); +-- +2.39.5 + diff --git a/queue-6.15/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch b/queue-6.15/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..97fcd7661d --- /dev/null +++ b/queue-6.15/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,46 @@ +From 731b4f01e0c8b613d4cac13abd27faa5a1296d08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 15:48:18 +0200 +Subject: scsi: mvsas: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 0141618727bc929fe868153d21797f10ce5bef3f ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: b5762948263d ("[SCSI] mvsas: Add Marvell 6440 SAS/SATA driver") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250627134822.234813-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mvsas/mv_sas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c +index 52ac10226cb0..3f12096528b1 100644 +--- a/drivers/scsi/mvsas/mv_sas.c ++++ b/drivers/scsi/mvsas/mv_sas.c +@@ -818,7 +818,7 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf + dev_printk(KERN_ERR, mvi->dev, "mvsas prep failed[%d]!\n", rc); + if (!sas_protocol_ata(task->task_proto)) + if (n_elem) +- dma_unmap_sg(mvi->dev, task->scatter, n_elem, ++ dma_unmap_sg(mvi->dev, task->scatter, task->num_scatter, + task->data_dir); + prep_out: + return rc; +@@ -864,7 +864,7 @@ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task, + if (!sas_protocol_ata(task->task_proto)) + if (slot->n_elem) + dma_unmap_sg(mvi->dev, task->scatter, +- slot->n_elem, task->data_dir); ++ task->num_scatter, task->data_dir); + + switch (task->task_proto) { + case SAS_PROTOCOL_SMP: +-- +2.39.5 + diff --git a/queue-6.15/scsi-revert-scsi-iscsi-fix-hw-conn-removal-use-after.patch b/queue-6.15/scsi-revert-scsi-iscsi-fix-hw-conn-removal-use-after.patch new file mode 100644 index 0000000000..e5b359f541 --- /dev/null +++ b/queue-6.15/scsi-revert-scsi-iscsi-fix-hw-conn-removal-use-after.patch @@ -0,0 +1,50 @@ +From 9995ef16fc673ad334cbeda14c58121bc693fa5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 15:39:26 +0800 +Subject: scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" + +From: Li Lingfeng + +[ Upstream commit 7bdc68921481c19cd8c85ddf805a834211c19e61 ] + +This reverts commit c577ab7ba5f3bf9062db8a58b6e89d4fe370447e. + +The invocation of iscsi_put_conn() in iscsi_iter_destory_conn_fn() is +used to free the initial reference counter of iscsi_cls_conn. For +non-qla4xxx cases, the ->destroy_conn() callback (e.g., +iscsi_conn_teardown) will call iscsi_remove_conn() and iscsi_put_conn() +to remove the connection from the children list of session and free the +connection at last. However for qla4xxx, it is not the case. The +->destroy_conn() callback of qla4xxx will keep the connection in the +session conn_list and doesn't use iscsi_put_conn() to free the initial +reference counter. Therefore, it seems necessary to keep the +iscsi_put_conn() in the iscsi_iter_destroy_conn_fn(), otherwise, there +will be memory leak problem. + +Link: https://lore.kernel.org/all/88334658-072b-4b90-a949-9c74ef93cfd1@huawei.com/ +Fixes: c577ab7ba5f3 ("scsi: iscsi: Fix HW conn removal use after free") +Signed-off-by: Li Lingfeng +Link: https://lore.kernel.org/r/20250715073926.3529456-1-lilingfeng3@huawei.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index c75a806496d6..743b4c792ceb 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2143,6 +2143,8 @@ static int iscsi_iter_destroy_conn_fn(struct device *dev, void *data) + return 0; + + iscsi_remove_conn(iscsi_dev_to_conn(dev)); ++ iscsi_put_conn(iscsi_dev_to_conn(dev)); ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.15/scsi-sd-make-sd-shutdown-issue-start-stop-unit-appro.patch b/queue-6.15/scsi-sd-make-sd-shutdown-issue-start-stop-unit-appro.patch new file mode 100644 index 0000000000..a05d320566 --- /dev/null +++ b/queue-6.15/scsi-sd-make-sd-shutdown-issue-start-stop-unit-appro.patch @@ -0,0 +1,53 @@ +From eeec23e246843b5831b8c602d6f41e7c1e01cbc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jul 2025 21:45:20 +0000 +Subject: scsi: sd: Make sd shutdown issue START STOP UNIT appropriately + +From: Salomon Dushimirimana + +[ Upstream commit 8e48727c26c4d839ff9b4b73d1cae486bea7fe19 ] + +Commit aa3998dbeb3a ("ata: libata-scsi: Disable scsi device +manage_system_start_stop") enabled libata EH to manage device power mode +trasitions for system suspend/resume and removed the flag from +ata_scsi_dev_config. However, since the sd_shutdown() function still +relies on the manage_system_start_stop flag, a spin-down command is not +issued to the disk with command "echo 1 > /sys/block/sdb/device/delete" + +sd_shutdown() can be called for both system/runtime start stop +operations, so utilize the manage_run_time_start_stop flag set in the +ata_scsi_dev_config and issue a spin-down command during disk removal +when the system is running. This is in addition to when the system is +powering off and manage_shutdown flag is set. The +manage_system_start_stop flag will still be used for drivers that still +set the flag. + +Fixes: aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop") +Signed-off-by: Salomon Dushimirimana +Link: https://lore.kernel.org/r/20250724214520.112927-1-salomondush@google.com +Tested-by: Damien Le Moal +Reviewed-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 89d5c4b17bc4..2f64caa3b253 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -4173,7 +4173,9 @@ static void sd_shutdown(struct device *dev) + if ((system_state != SYSTEM_RESTART && + sdkp->device->manage_system_start_stop) || + (system_state == SYSTEM_POWER_OFF && +- sdkp->device->manage_shutdown)) { ++ sdkp->device->manage_shutdown) || ++ (system_state == SYSTEM_RUNNING && ++ sdkp->device->manage_runtime_start_stop)) { + sd_printk(KERN_NOTICE, sdkp, "Stopping disk\n"); + sd_start_stop_device(sdkp, 0); + } +-- +2.39.5 + diff --git a/queue-6.15/scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch b/queue-6.15/scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch new file mode 100644 index 0000000000..e500b24d21 --- /dev/null +++ b/queue-6.15/scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch @@ -0,0 +1,57 @@ +From 77f25f9cfeb0fce4ac3077ce089d68273386bfcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 17:12:13 +0900 +Subject: scsi: ufs: core: Use link recovery when h8 exit fails during runtime + resume + +From: Seunghui Lee + +[ Upstream commit 35dabf4503b94a697bababe94678a8bc989c3223 ] + +If the h8 exit fails during runtime resume process, the runtime thread +enters runtime suspend immediately and the error handler operates at the +same time. It becomes stuck and cannot be recovered through the error +handler. To fix this, use link recovery instead of the error handler. + +Fixes: 4db7a2360597 ("scsi: ufs: Fix concurrency of error handler and other error recovery paths") +Signed-off-by: Seunghui Lee +Link: https://lore.kernel.org/r/20250717081213.6811-1-sh043.lee@samsung.com +Reviewed-by: Bean Huo +Acked-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index e7e6bbc04d21..db2a2760c0d6 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -4322,7 +4322,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + hba->uic_async_done = NULL; + if (reenable_intr) + ufshcd_enable_intr(hba, UIC_COMMAND_COMPL); +- if (ret) { ++ if (ret && !hba->pm_op_in_progress) { + ufshcd_set_link_broken(hba); + ufshcd_schedule_eh_work(hba); + } +@@ -4330,6 +4330,14 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + spin_unlock_irqrestore(hba->host->host_lock, flags); + mutex_unlock(&hba->uic_cmd_mutex); + ++ /* ++ * If the h8 exit fails during the runtime resume process, it becomes ++ * stuck and cannot be recovered through the error handler. To fix ++ * this, use link recovery instead of the error handler. ++ */ ++ if (ret && hba->pm_op_in_progress) ++ ret = ufshcd_link_recovery(hba); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.15/selftests-alsa-fix-memory-leak-in-utimer-test.patch b/queue-6.15/selftests-alsa-fix-memory-leak-in-utimer-test.patch new file mode 100644 index 0000000000..3b3490d586 --- /dev/null +++ b/queue-6.15/selftests-alsa-fix-memory-leak-in-utimer-test.patch @@ -0,0 +1,37 @@ +From 13690fe3376657e60cbde50a97f607c27d40780a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Jul 2025 18:02:22 +0800 +Subject: selftests: ALSA: fix memory leak in utimer test + +From: WangYuli + +[ Upstream commit 6260da046819b7bda828bacae148fc8856fdebd7 ] + +Free the malloc'd buffer in TEST_F(timer_f, utimer) to prevent +memory leak. + +Fixes: 1026392d10af ("selftests: ALSA: Cover userspace-driven timers with test") +Reported-by: Jun Zhan +Signed-off-by: WangYuli +Link: https://patch.msgid.link/DE4D931FCF54F3DB+20250731100222.65748-1-wangyuli@uniontech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/alsa/utimer-test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/alsa/utimer-test.c b/tools/testing/selftests/alsa/utimer-test.c +index 32ee3ce57721..37964f311a33 100644 +--- a/tools/testing/selftests/alsa/utimer-test.c ++++ b/tools/testing/selftests/alsa/utimer-test.c +@@ -135,6 +135,7 @@ TEST_F(timer_f, utimer) { + pthread_join(ticking_thread, NULL); + ASSERT_EQ(total_ticks, TICKS_COUNT); + pclose(rfp); ++ free(buf); + } + + TEST(wrong_timers_test) { +-- +2.39.5 + diff --git a/queue-6.15/selftests-bpf-fix-implementation-of-smp_mb.patch b/queue-6.15/selftests-bpf-fix-implementation-of-smp_mb.patch new file mode 100644 index 0000000000..ef27b818c2 --- /dev/null +++ b/queue-6.15/selftests-bpf-fix-implementation-of-smp_mb.patch @@ -0,0 +1,48 @@ +From 28b75439ab6252f7d9da884247b088d72ad4ad86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 17:54:33 +0000 +Subject: selftests/bpf: fix implementation of smp_mb() + +From: Puranjay Mohan + +[ Upstream commit 0769857a07b4451a1dc1c3ad1f1c86a6f4ce136a ] + +As BPF doesn't include any barrier instructions, smp_mb() is implemented +by doing a dummy value returning atomic operation. Such an operation +acts a full barrier as enforced by LKMM and also by the work in progress +BPF memory model. + +If the returned value is not used, clang[1] can optimize the value +returning atomic instruction in to a normal atomic instruction which +provides no ordering guarantees. + +Mark the variable as volatile so the above optimization is never +performed and smp_mb() works as expected. + +[1] https://godbolt.org/z/qzze7bG6z + +Fixes: 88d706ba7cc5 ("selftests/bpf: Introduce arena spin lock") +Signed-off-by: Puranjay Mohan +Link: https://lore.kernel.org/r/20250710175434.18829-2-puranjay@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/bpf_atomic.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/bpf_atomic.h b/tools/testing/selftests/bpf/bpf_atomic.h +index a9674e544322..c550e5711967 100644 +--- a/tools/testing/selftests/bpf/bpf_atomic.h ++++ b/tools/testing/selftests/bpf/bpf_atomic.h +@@ -61,7 +61,7 @@ extern bool CONFIG_X86_64 __kconfig __weak; + + #define smp_mb() \ + ({ \ +- unsigned long __val; \ ++ volatile unsigned long __val; \ + __sync_fetch_and_add(&__val, 0); \ + }) + +-- +2.39.5 + diff --git a/queue-6.15/selftests-bpf-fix-signedness-bug-in-redir_partial.patch b/queue-6.15/selftests-bpf-fix-signedness-bug-in-redir_partial.patch new file mode 100644 index 0000000000..930d17c20e --- /dev/null +++ b/queue-6.15/selftests-bpf-fix-signedness-bug-in-redir_partial.patch @@ -0,0 +1,38 @@ +From 417a7db0cdd3da83f8e2eb0c668dee07cd181e65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 16:42:08 +0800 +Subject: selftests/bpf: fix signedness bug in redir_partial() + +From: Fushuai Wang + +[ Upstream commit 6a4bd31f680a1d1cf06492fe6dc4f08da09769e6 ] + +When xsend() returns -1 (error), the check 'n < sizeof(buf)' incorrectly +treats it as success due to unsigned promotion. Explicitly check for -1 +first. + +Fixes: a4b7193d8efd ("selftests/bpf: Add sockmap test for redirecting partial skb data") +Signed-off-by: Fushuai Wang +Link: https://lore.kernel.org/r/20250612084208.27722-1-wangfushuai@baidu.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c b/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c +index 4ee1148d22be..1cfed83156b0 100644 +--- a/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c ++++ b/tools/testing/selftests/bpf/prog_tests/sockmap_listen.c +@@ -924,6 +924,8 @@ static void redir_partial(int family, int sotype, int sock_map, int parser_map) + goto close; + + n = xsend(c1, buf, sizeof(buf), 0); ++ if (n == -1) ++ goto close; + if (n < sizeof(buf)) + FAIL("incomplete write"); + +-- +2.39.5 + diff --git a/queue-6.15/selftests-bpf-fix-unintentional-switch-case-fall-thr.patch b/queue-6.15/selftests-bpf-fix-unintentional-switch-case-fall-thr.patch new file mode 100644 index 0000000000..0fa89ea915 --- /dev/null +++ b/queue-6.15/selftests-bpf-fix-unintentional-switch-case-fall-thr.patch @@ -0,0 +1,37 @@ +From afb1697a76b27eb40628d5e8c3c09862f13db180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 13:15:36 +0100 +Subject: selftests/bpf: Fix unintentional switch case fall through + +From: Mykyta Yatsenko + +[ Upstream commit 66ab68c9de89672366fdc474f4f185bb58cecf2d ] + +Break from switch expression after parsing -n CLI argument in veristat, +instead of falling through and enabling comparison mode. + +Fixes: a5c57f81eb2b ("veristat: add ability to set BPF_F_TEST_SANITY_STRICT flag with -r flag") +Signed-off-by: Mykyta Yatsenko +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20250617121536.1320074-1-mykyta.yatsenko5@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/veristat.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/veristat.c b/tools/testing/selftests/bpf/veristat.c +index a18972ffdeb6..2ff2c064f045 100644 +--- a/tools/testing/selftests/bpf/veristat.c ++++ b/tools/testing/selftests/bpf/veristat.c +@@ -344,6 +344,7 @@ static error_t parse_arg(int key, char *arg, struct argp_state *state) + fprintf(stderr, "invalid top N specifier: %s\n", arg); + argp_usage(state); + } ++ break; + case 'C': + env.comparison_mode = true; + break; +-- +2.39.5 + diff --git a/queue-6.15/selftests-breakpoints-use-suspend_stats-to-reliably-.patch b/queue-6.15/selftests-breakpoints-use-suspend_stats-to-reliably-.patch new file mode 100644 index 0000000000..e17b6754d4 --- /dev/null +++ b/queue-6.15/selftests-breakpoints-use-suspend_stats-to-reliably-.patch @@ -0,0 +1,115 @@ +From 7055fe6a81a9051eb9a3a1b3a42e8e2b2a6e2aa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 12:16:26 -0700 +Subject: selftests: breakpoints: use suspend_stats to reliably check suspend + success + +From: Moon Hee Lee + +[ Upstream commit 07b7c2b4eca3f83ce9cd5ee3fa1c7c001d721c69 ] + +The step_after_suspend_test verifies that the system successfully +suspended and resumed by setting a timerfd and checking whether the +timer fully expired. However, this method is unreliable due to timing +races. + +In practice, the system may take time to enter suspend, during which the +timer may expire just before or during the transition. As a result, +the remaining time after resume may show non-zero nanoseconds, even if +suspend/resume completed successfully. This leads to false test failures. + +Replace the timer-based check with a read from +/sys/power/suspend_stats/success. This counter is incremented only +after a full suspend/resume cycle, providing a reliable and race-free +indicator. + +Also remove the unused file descriptor for /sys/power/state, which +remained after switching to a system() call to trigger suspend [1]. + +[1] https://lore.kernel.org/all/20240930224025.2858767-1-yifei.l.liu@oracle.com/ + +Link: https://lore.kernel.org/r/20250626191626.36794-1-moonhee.lee.ca@gmail.com +Fixes: c66be905cda2 ("selftests: breakpoints: use remaining time to check if suspend succeed") +Signed-off-by: Moon Hee Lee +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../breakpoints/step_after_suspend_test.c | 41 ++++++++++++++----- + 1 file changed, 31 insertions(+), 10 deletions(-) + +diff --git a/tools/testing/selftests/breakpoints/step_after_suspend_test.c b/tools/testing/selftests/breakpoints/step_after_suspend_test.c +index 8d275f03e977..8d233ac95696 100644 +--- a/tools/testing/selftests/breakpoints/step_after_suspend_test.c ++++ b/tools/testing/selftests/breakpoints/step_after_suspend_test.c +@@ -127,22 +127,42 @@ int run_test(int cpu) + return KSFT_PASS; + } + ++/* ++ * Reads the suspend success count from sysfs. ++ * Returns the count on success or exits on failure. ++ */ ++static int get_suspend_success_count_or_fail(void) ++{ ++ FILE *fp; ++ int val; ++ ++ fp = fopen("/sys/power/suspend_stats/success", "r"); ++ if (!fp) ++ ksft_exit_fail_msg( ++ "Failed to open suspend_stats/success: %s\n", ++ strerror(errno)); ++ ++ if (fscanf(fp, "%d", &val) != 1) { ++ fclose(fp); ++ ksft_exit_fail_msg( ++ "Failed to read suspend success count\n"); ++ } ++ ++ fclose(fp); ++ return val; ++} ++ + void suspend(void) + { +- int power_state_fd; + int timerfd; + int err; ++ int count_before; ++ int count_after; + struct itimerspec spec = {}; + + if (getuid() != 0) + ksft_exit_skip("Please run the test as root - Exiting.\n"); + +- power_state_fd = open("/sys/power/state", O_RDWR); +- if (power_state_fd < 0) +- ksft_exit_fail_msg( +- "open(\"/sys/power/state\") failed %s)\n", +- strerror(errno)); +- + timerfd = timerfd_create(CLOCK_BOOTTIME_ALARM, 0); + if (timerfd < 0) + ksft_exit_fail_msg("timerfd_create() failed\n"); +@@ -152,14 +172,15 @@ void suspend(void) + if (err < 0) + ksft_exit_fail_msg("timerfd_settime() failed\n"); + ++ count_before = get_suspend_success_count_or_fail(); ++ + system("(echo mem > /sys/power/state) 2> /dev/null"); + +- timerfd_gettime(timerfd, &spec); +- if (spec.it_value.tv_sec != 0 || spec.it_value.tv_nsec != 0) ++ count_after = get_suspend_success_count_or_fail(); ++ if (count_after <= count_before) + ksft_exit_fail_msg("Failed to enter Suspend state\n"); + + close(timerfd); +- close(power_state_fd); + } + + int main(int argc, char **argv) +-- +2.39.5 + diff --git a/queue-6.15/selftests-drv-net-fix-remote-command-checking-in-req.patch b/queue-6.15/selftests-drv-net-fix-remote-command-checking-in-req.patch new file mode 100644 index 0000000000..747597750b --- /dev/null +++ b/queue-6.15/selftests-drv-net-fix-remote-command-checking-in-req.patch @@ -0,0 +1,41 @@ +From e6ac4727ee75e03fd2a9935989388f6984a5ccb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 16:54:53 +0300 +Subject: selftests: drv-net: Fix remote command checking in require_cmd() + +From: Gal Pressman + +[ Upstream commit b4d52c698210ae1a3ceb487b189701bc70551a48 ] + +The require_cmd() method was checking for command availability locally +even when remote=True was specified, due to a missing host parameter. + +Fix by passing host=self.remote when checking remote command +availability, ensuring commands are verified on the correct host. + +Fixes: f1e68a1a4a40 ("selftests: drv-net: add require_XYZ() helpers for validating env") +Reviewed-by: Nimrod Oren +Signed-off-by: Gal Pressman +Link: https://patch.msgid.link/20250723135454.649342-2-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/lib/py/env.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/drivers/net/lib/py/env.py b/tools/testing/selftests/drivers/net/lib/py/env.py +index ad5ff645183a..98bfc1e9e9ca 100644 +--- a/tools/testing/selftests/drivers/net/lib/py/env.py ++++ b/tools/testing/selftests/drivers/net/lib/py/env.py +@@ -259,7 +259,7 @@ class NetDrvEpEnv(NetDrvEnvBase): + if not self._require_cmd(comm, "local"): + raise KsftSkipEx("Test requires command: " + comm) + if remote: +- if not self._require_cmd(comm, "remote"): ++ if not self._require_cmd(comm, "remote", host=self.remote): + raise KsftSkipEx("Test requires (remote) command: " + comm) + + def wait_hw_stats_settle(self): +-- +2.39.5 + diff --git a/queue-6.15/selftests-drv-net-tso-enable-test-cases-based-on-hw_.patch b/queue-6.15/selftests-drv-net-tso-enable-test-cases-based-on-hw_.patch new file mode 100644 index 0000000000..c44b5cd4f1 --- /dev/null +++ b/queue-6.15/selftests-drv-net-tso-enable-test-cases-based-on-hw_.patch @@ -0,0 +1,141 @@ +From 9696089f93588eae541cb4012ebb14fc4737032a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 11:47:36 -0700 +Subject: selftests: drv-net: tso: enable test cases based on hw_features + +From: Daniel Zahka + +[ Upstream commit 266b835e5e84a0f8fec7fd988ee81925890e8d89 ] + +tso.py uses the active features at the time of test execution +as the set of available gso features to test. This means if a gso +feature is supported but toggled off at test start, the test will be +skipped with a "Device does not support {feature}" message. + +Instead, we can enumerate the set of toggleable features by capturing +the driver's hw_features bitmap. To avoid configuration side-effects +from running the test, we also snapshot the wanted_features flag set +before making any feature changes, and then attempt to restore the +same set of wanted_features before test exit. + +Fixes: 0d0f4174f6c8 ("selftests: drv-net: add a simple TSO test") +Signed-off-by: Daniel Zahka +Link: https://patch.msgid.link/20250723184740.4075410-2-daniel.zahka@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/hw/tso.py | 52 ++++++++++++++----- + 1 file changed, 40 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/hw/tso.py b/tools/testing/selftests/drivers/net/hw/tso.py +index 3370827409aa..f8386e3d88cd 100755 +--- a/tools/testing/selftests/drivers/net/hw/tso.py ++++ b/tools/testing/selftests/drivers/net/hw/tso.py +@@ -119,15 +119,30 @@ def build_tunnel(cfg, outer_ipver, tun_info): + return remote_v4, remote_v6 + + ++def restore_wanted_features(cfg): ++ features_cmd = "" ++ for feature in cfg.hw_features: ++ setting = "on" if feature in cfg.wanted_features else "off" ++ features_cmd += f" {feature} {setting}" ++ try: ++ ethtool(f"-K {cfg.ifname} {features_cmd}") ++ except Exception as e: ++ ksft_pr(f"WARNING: failure restoring wanted features: {e}") ++ ++ + def test_builder(name, cfg, outer_ipver, feature, tun=None, inner_ipver=None): + """Construct specific tests from the common template.""" + def f(cfg): + cfg.require_ipver(outer_ipver) ++ defer(restore_wanted_features, cfg) + + if not cfg.have_stat_super_count and \ + not cfg.have_stat_wire_count: + raise KsftSkipEx(f"Device does not support LSO queue stats") + ++ if feature not in cfg.hw_features: ++ raise KsftSkipEx(f"Device does not support {feature}") ++ + ipver = outer_ipver + if tun: + remote_v4, remote_v6 = build_tunnel(cfg, ipver, tun) +@@ -138,12 +153,12 @@ def test_builder(name, cfg, outer_ipver, feature, tun=None, inner_ipver=None): + + tun_partial = tun and tun[1] + # Tunnel which can silently fall back to gso-partial +- has_gso_partial = tun and 'tx-gso-partial' in cfg.features ++ has_gso_partial = tun and 'tx-gso-partial' in cfg.hw_features + + # For TSO4 via partial we need mangleid + if ipver == "4" and feature in cfg.partial_features: + ksft_pr("Testing with mangleid enabled") +- if 'tx-tcp-mangleid-segmentation' not in cfg.features: ++ if 'tx-tcp-mangleid-segmentation' not in cfg.hw_features: + ethtool(f"-K {cfg.ifname} tx-tcp-mangleid-segmentation on") + defer(ethtool, f"-K {cfg.ifname} tx-tcp-mangleid-segmentation off") + +@@ -161,11 +176,8 @@ def test_builder(name, cfg, outer_ipver, feature, tun=None, inner_ipver=None): + should_lso=tun_partial) + + # Full feature enabled. +- if feature in cfg.features: +- ethtool(f"-K {cfg.ifname} {feature} on") +- run_one_stream(cfg, ipver, remote_v4, remote_v6, should_lso=True) +- else: +- raise KsftXfailEx(f"Device does not support {feature}") ++ ethtool(f"-K {cfg.ifname} {feature} on") ++ run_one_stream(cfg, ipver, remote_v4, remote_v6, should_lso=True) + + f.__name__ = name + ((outer_ipver + "_") if tun else "") + "ipv" + inner_ipver + return f +@@ -176,23 +188,39 @@ def query_nic_features(cfg) -> None: + cfg.have_stat_super_count = False + cfg.have_stat_wire_count = False + +- cfg.features = set() + features = cfg.ethnl.features_get({"header": {"dev-index": cfg.ifindex}}) +- for f in features["active"]["bits"]["bit"]: +- cfg.features.add(f["name"]) ++ ++ cfg.wanted_features = set() ++ for f in features["wanted"]["bits"]["bit"]: ++ cfg.wanted_features.add(f["name"]) ++ ++ cfg.hw_features = set() ++ hw_all_features_cmd = "" ++ for f in features["hw"]["bits"]["bit"]: ++ if f.get("value", False): ++ feature = f["name"] ++ cfg.hw_features.add(feature) ++ hw_all_features_cmd += f" {feature} on" ++ try: ++ ethtool(f"-K {cfg.ifname} {hw_all_features_cmd}") ++ except Exception as e: ++ ksft_pr(f"WARNING: failure enabling all hw features: {e}") ++ ksft_pr("partial gso feature detection may be impacted") + + # Check which features are supported via GSO partial + cfg.partial_features = set() +- if 'tx-gso-partial' in cfg.features: ++ if 'tx-gso-partial' in cfg.hw_features: + ethtool(f"-K {cfg.ifname} tx-gso-partial off") + + no_partial = set() + features = cfg.ethnl.features_get({"header": {"dev-index": cfg.ifindex}}) + for f in features["active"]["bits"]["bit"]: + no_partial.add(f["name"]) +- cfg.partial_features = cfg.features - no_partial ++ cfg.partial_features = cfg.hw_features - no_partial + ethtool(f"-K {cfg.ifname} tx-gso-partial on") + ++ restore_wanted_features(cfg) ++ + stats = cfg.netnl.qstats_get({"ifindex": cfg.ifindex}, dump=True) + if stats: + if 'tx-hw-gso-packets' in stats[0]: +-- +2.39.5 + diff --git a/queue-6.15/selftests-drv-net-tso-fix-non-tunneled-tso6-test-cas.patch b/queue-6.15/selftests-drv-net-tso-fix-non-tunneled-tso6-test-cas.patch new file mode 100644 index 0000000000..7c5077ecc4 --- /dev/null +++ b/queue-6.15/selftests-drv-net-tso-fix-non-tunneled-tso6-test-cas.patch @@ -0,0 +1,102 @@ +From 148636dd3064874aa1d53563f355aa1fbffe80ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 11:47:38 -0700 +Subject: selftests: drv-net: tso: fix non-tunneled tso6 test case name + +From: Daniel Zahka + +[ Upstream commit b25b44cd178cc54277f2dc0ff3b3d5a37ae4b26b ] + +The non-tunneled tso6 test case was showing up as: +ok 8 tso.ipv4 + +This is because of the way test_builder() uses the inner_ipver arg in +test naming, and how test_info is iterated over in main(). Given that +some tunnels not supported yet, e.g. ipip or sit, only support ipv4 or +ipv6 as the inner network protocol, I think the best fix here is to +call test_builder() in separate branches for tunneled and non-tunneled +tests, and to make supported inner l3 types an explicit attribute of +tunnel test cases. + + # Detected qstat for LSO wire-packets + TAP version 13 + 1..14 + ok 1 tso.ipv4 + # Testing with mangleid enabled + ok 2 tso.vxlan4_ipv4 + ok 3 tso.vxlan4_ipv6 + # Testing with mangleid enabled + ok 4 tso.vxlan_csum4_ipv4 + ok 5 tso.vxlan_csum4_ipv6 + # Testing with mangleid enabled + ok 6 tso.gre4_ipv4 + ok 7 tso.gre4_ipv6 + ok 8 tso.ipv6 + # Testing with mangleid enabled + ok 9 tso.vxlan6_ipv4 + ok 10 tso.vxlan6_ipv6 + # Testing with mangleid enabled + ok 11 tso.vxlan_csum6_ipv4 + ok 12 tso.vxlan_csum6_ipv6 + # Testing with mangleid enabled + ok 13 tso.gre6_ipv4 + ok 14 tso.gre6_ipv6 + # Totals: pass:14 fail:0 xfail:0 xpass:0 skip:0 error:0 + +Fixes: 0d0f4174f6c8 ("selftests: drv-net: add a simple TSO test") +Signed-off-by: Daniel Zahka +Link: https://patch.msgid.link/20250723184740.4075410-4-daniel.zahka@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/hw/tso.py | 26 ++++++++++--------- + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/hw/tso.py b/tools/testing/selftests/drivers/net/hw/tso.py +index 6461a83b3d0e..5fddb5056a20 100755 +--- a/tools/testing/selftests/drivers/net/hw/tso.py ++++ b/tools/testing/selftests/drivers/net/hw/tso.py +@@ -227,14 +227,14 @@ def main() -> None: + query_nic_features(cfg) + + test_info = ( +- # name, v4/v6 ethtool_feature tun:(type, args) +- ("", "4", "tx-tcp-segmentation", None), +- ("", "6", "tx-tcp6-segmentation", None), +- ("vxlan", "4", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 noudpcsum")), +- ("vxlan", "6", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 udp6zerocsumtx udp6zerocsumrx")), +- ("vxlan_csum", "", "tx-udp_tnl-csum-segmentation", ("vxlan", "id 100 dstport 4789 udpcsum")), +- ("gre", "4", "tx-gre-segmentation", ("gre", "")), +- ("gre", "6", "tx-gre-segmentation", ("ip6gre", "")), ++ # name, v4/v6 ethtool_feature tun:(type, args, inner ip versions) ++ ("", "4", "tx-tcp-segmentation", None), ++ ("", "6", "tx-tcp6-segmentation", None), ++ ("vxlan", "4", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 noudpcsum", ("4", "6"))), ++ ("vxlan", "6", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 udp6zerocsumtx udp6zerocsumrx", ("4", "6"))), ++ ("vxlan_csum", "", "tx-udp_tnl-csum-segmentation", ("vxlan", "id 100 dstport 4789 udpcsum", ("4", "6"))), ++ ("gre", "4", "tx-gre-segmentation", ("gre", "", ("4", "6"))), ++ ("gre", "6", "tx-gre-segmentation", ("ip6gre","", ("4", "6"))), + ) + + cases = [] +@@ -244,11 +244,13 @@ def main() -> None: + if info[1] and outer_ipver != info[1]: + continue + +- cases.append(test_builder(info[0], cfg, outer_ipver, info[2], +- tun=info[3], inner_ipver="4")) + if info[3]: +- cases.append(test_builder(info[0], cfg, outer_ipver, info[2], +- tun=info[3], inner_ipver="6")) ++ cases += [ ++ test_builder(info[0], cfg, outer_ipver, info[2], info[3], inner_ipver) ++ for inner_ipver in info[3][2] ++ ] ++ else: ++ cases.append(test_builder(info[0], cfg, outer_ipver, info[2], None, outer_ipver)) + + ksft_run(cases=cases, args=(cfg, )) + ksft_exit() +-- +2.39.5 + diff --git a/queue-6.15/selftests-drv-net-tso-fix-vxlan-tunnel-flags-to-get-.patch b/queue-6.15/selftests-drv-net-tso-fix-vxlan-tunnel-flags-to-get-.patch new file mode 100644 index 0000000000..93199274be --- /dev/null +++ b/queue-6.15/selftests-drv-net-tso-fix-vxlan-tunnel-flags-to-get-.patch @@ -0,0 +1,100 @@ +From 73fb58cfb3517534259a4f053178a3ba5035fb59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 11:47:37 -0700 +Subject: selftests: drv-net: tso: fix vxlan tunnel flags to get correct + gso_type + +From: Daniel Zahka + +[ Upstream commit 2cfbcc5d8af9199823151c21f740e476b223dd2e ] + +When vxlan is used with ipv6 as the outer network header, the correct +ip link parameters for acheiving the SKB_GSO_UDP_TUNNEL gso type is +"udp6zerocsumtx udp6zerocsumrx". Otherwise the gso type will be +SKB_GSO_UDP_TUNNEL_CSUM. + +This bug was the reason for the second of the three possible +invocations of run_one_stream() invocations, so that can be deleted as +well. We only need to test with the feature off and on. + +Fixes: 0d0f4174f6c8 ("selftests: drv-net: add a simple TSO test") +Signed-off-by: Daniel Zahka +Link: https://patch.msgid.link/20250723184740.4075410-3-daniel.zahka@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/hw/tso.py | 37 +++++++------------ + 1 file changed, 13 insertions(+), 24 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/hw/tso.py b/tools/testing/selftests/drivers/net/hw/tso.py +index f8386e3d88cd..6461a83b3d0e 100755 +--- a/tools/testing/selftests/drivers/net/hw/tso.py ++++ b/tools/testing/selftests/drivers/net/hw/tso.py +@@ -102,7 +102,7 @@ def build_tunnel(cfg, outer_ipver, tun_info): + remote_addr = cfg.remote_addr_v[outer_ipver] + + tun_type = tun_info[0] +- tun_arg = tun_info[2] ++ tun_arg = tun_info[1] + ip(f"link add {tun_type}-ksft type {tun_type} {tun_arg} local {local_addr} remote {remote_addr} dev {cfg.ifname}") + defer(ip, f"link del {tun_type}-ksft") + ip(f"link set dev {tun_type}-ksft up") +@@ -151,29 +151,17 @@ def test_builder(name, cfg, outer_ipver, feature, tun=None, inner_ipver=None): + remote_v4 = cfg.remote_addr_v["4"] + remote_v6 = cfg.remote_addr_v["6"] + +- tun_partial = tun and tun[1] +- # Tunnel which can silently fall back to gso-partial +- has_gso_partial = tun and 'tx-gso-partial' in cfg.hw_features +- +- # For TSO4 via partial we need mangleid +- if ipver == "4" and feature in cfg.partial_features: +- ksft_pr("Testing with mangleid enabled") +- if 'tx-tcp-mangleid-segmentation' not in cfg.hw_features: +- ethtool(f"-K {cfg.ifname} tx-tcp-mangleid-segmentation on") +- defer(ethtool, f"-K {cfg.ifname} tx-tcp-mangleid-segmentation off") +- + # First test without the feature enabled. + ethtool(f"-K {cfg.ifname} {feature} off") +- if has_gso_partial: +- ethtool(f"-K {cfg.ifname} tx-gso-partial off") + run_one_stream(cfg, ipver, remote_v4, remote_v6, should_lso=False) + +- # Now test with the feature enabled. +- # For compatible tunnels only - just GSO partial, not specific feature. +- if has_gso_partial: ++ ethtool(f"-K {cfg.ifname} tx-gso-partial off") ++ ethtool(f"-K {cfg.ifname} tx-tcp-mangleid-segmentation off") ++ if feature in cfg.partial_features: + ethtool(f"-K {cfg.ifname} tx-gso-partial on") +- run_one_stream(cfg, ipver, remote_v4, remote_v6, +- should_lso=tun_partial) ++ if ipver == "4": ++ ksft_pr("Testing with mangleid enabled") ++ ethtool(f"-K {cfg.ifname} tx-tcp-mangleid-segmentation on") + + # Full feature enabled. + ethtool(f"-K {cfg.ifname} {feature} on") +@@ -239,13 +227,14 @@ def main() -> None: + query_nic_features(cfg) + + test_info = ( +- # name, v4/v6 ethtool_feature tun:(type, partial, args) ++ # name, v4/v6 ethtool_feature tun:(type, args) + ("", "4", "tx-tcp-segmentation", None), + ("", "6", "tx-tcp6-segmentation", None), +- ("vxlan", "", "tx-udp_tnl-segmentation", ("vxlan", True, "id 100 dstport 4789 noudpcsum")), +- ("vxlan_csum", "", "tx-udp_tnl-csum-segmentation", ("vxlan", False, "id 100 dstport 4789 udpcsum")), +- ("gre", "4", "tx-gre-segmentation", ("gre", False, "")), +- ("gre", "6", "tx-gre-segmentation", ("ip6gre", False, "")), ++ ("vxlan", "4", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 noudpcsum")), ++ ("vxlan", "6", "tx-udp_tnl-segmentation", ("vxlan", "id 100 dstport 4789 udp6zerocsumtx udp6zerocsumrx")), ++ ("vxlan_csum", "", "tx-udp_tnl-csum-segmentation", ("vxlan", "id 100 dstport 4789 udpcsum")), ++ ("gre", "4", "tx-gre-segmentation", ("gre", "")), ++ ("gre", "6", "tx-gre-segmentation", ("ip6gre", "")), + ) + + cases = [] +-- +2.39.5 + diff --git a/queue-6.15/selftests-fix-errno-checking-in-syscall_user_dispatc.patch b/queue-6.15/selftests-fix-errno-checking-in-syscall_user_dispatc.patch new file mode 100644 index 0000000000..c5b2f76a50 --- /dev/null +++ b/queue-6.15/selftests-fix-errno-checking-in-syscall_user_dispatc.patch @@ -0,0 +1,132 @@ +From ca8ea1aa1fa3e63a2ecbfe2f95b4e0d0b8bcd29a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 17:04:28 +0200 +Subject: selftests: Fix errno checking in syscall_user_dispatch test + +From: Dmitry Vyukov + +[ Upstream commit b89732c8c8357487185f260a723a060b3476144e ] + +Successful syscalls don't change errno, so checking errno is wrong +to ensure that a syscall has failed. For example for the following +sequence: + + prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0); + EXPECT_EQ(EINVAL, errno); + prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel); + EXPECT_EQ(EINVAL, errno); + +only the first syscall may fail and set errno, but the second may succeed +and keep errno intact, and the check will falsely pass. +Or if errno happened to be EINVAL before, even the first check may falsely +pass. + +Also use EXPECT/ASSERT consistently. Currently there is an inconsistent mix +without obvious reasons for usage of one or another. + +Fixes: 179ef035992e ("selftests: Add kselftest for syscall user dispatch") +Signed-off-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/af6a04dbfef9af8570f5bab43e3ef1416b62699a.1747839857.git.dvyukov@google.com +Signed-off-by: Sasha Levin +--- + .../syscall_user_dispatch/sud_test.c | 50 +++++++++---------- + 1 file changed, 25 insertions(+), 25 deletions(-) + +diff --git a/tools/testing/selftests/syscall_user_dispatch/sud_test.c b/tools/testing/selftests/syscall_user_dispatch/sud_test.c +index d975a6767329..48cf01aeec3e 100644 +--- a/tools/testing/selftests/syscall_user_dispatch/sud_test.c ++++ b/tools/testing/selftests/syscall_user_dispatch/sud_test.c +@@ -79,6 +79,21 @@ TEST_SIGNAL(dispatch_trigger_sigsys, SIGSYS) + } + } + ++static void prctl_valid(struct __test_metadata *_metadata, ++ unsigned long op, unsigned long off, ++ unsigned long size, void *sel) ++{ ++ EXPECT_EQ(0, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel)); ++} ++ ++static void prctl_invalid(struct __test_metadata *_metadata, ++ unsigned long op, unsigned long off, ++ unsigned long size, void *sel, int err) ++{ ++ EXPECT_EQ(-1, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel)); ++ EXPECT_EQ(err, errno); ++} ++ + TEST(bad_prctl_param) + { + char sel = SYSCALL_DISPATCH_FILTER_ALLOW; +@@ -86,57 +101,42 @@ TEST(bad_prctl_param) + + /* Invalid op */ + op = -1; +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0, 0, &sel); +- ASSERT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0, 0, &sel, EINVAL); + + /* PR_SYS_DISPATCH_OFF */ + op = PR_SYS_DISPATCH_OFF; + + /* offset != 0 */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, 0); +- EXPECT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0x1, 0x0, 0, EINVAL); + + /* len != 0 */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0); +- EXPECT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0x0, 0xff, 0, EINVAL); + + /* sel != NULL */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel); +- EXPECT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0x0, 0x0, &sel, EINVAL); + + /* Valid parameter */ +- errno = 0; +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, 0x0); +- EXPECT_EQ(0, errno); ++ prctl_valid(_metadata, op, 0x0, 0x0, 0x0); + + /* PR_SYS_DISPATCH_ON */ + op = PR_SYS_DISPATCH_ON; + + /* Dispatcher region is bad (offset > 0 && len == 0) */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, &sel); +- EXPECT_EQ(EINVAL, errno); +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, -1L, 0x0, &sel); +- EXPECT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0x1, 0x0, &sel, EINVAL); ++ prctl_invalid(_metadata, op, -1L, 0x0, &sel, EINVAL); + + /* Invalid selector */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x1, (void *) -1); +- ASSERT_EQ(EFAULT, errno); ++ prctl_invalid(_metadata, op, 0x0, 0x1, (void *) -1, EFAULT); + + /* + * Dispatcher range overflows unsigned long + */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, 1, -1L, &sel); +- ASSERT_EQ(EINVAL, errno) { +- TH_LOG("Should reject bad syscall range"); +- } ++ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, 1, -1L, &sel, EINVAL); + + /* + * Allowed range overflows usigned long + */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel); +- ASSERT_EQ(EINVAL, errno) { +- TH_LOG("Should reject bad syscall range"); +- } ++ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel, EINVAL); + } + + /* +-- +2.39.5 + diff --git a/queue-6.15/selftests-landlock-fix-build-of-audit_test.patch b/queue-6.15/selftests-landlock-fix-build-of-audit_test.patch new file mode 100644 index 0000000000..faa0700068 --- /dev/null +++ b/queue-6.15/selftests-landlock-fix-build-of-audit_test.patch @@ -0,0 +1,42 @@ +From 31fa9646450a86415323211a605f65674c947fd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jun 2025 14:44:16 -0700 +Subject: selftests/landlock: Fix build of audit_test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Song Liu + +[ Upstream commit dc58130bc38f09b162aa3b216f8b8f1e0a56127b ] + +We are hitting build error on CentOS 9: + +audit_test.c:232:40: error: ‘O_CLOEXEC’ undeclared (...) + +Fix this by including fcntl.h. + +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20250605214416.1885878-1-song@kernel.org +Fixes: 6b4566400a29 ("selftests/landlock: Add PID tests for audit records") +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/landlock/audit_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/landlock/audit_test.c b/tools/testing/selftests/landlock/audit_test.c +index cfc571afd0eb..46d02d49835a 100644 +--- a/tools/testing/selftests/landlock/audit_test.c ++++ b/tools/testing/selftests/landlock/audit_test.c +@@ -7,6 +7,7 @@ + + #define _GNU_SOURCE + #include ++#include + #include + #include + #include +-- +2.39.5 + diff --git a/queue-6.15/selftests-landlock-fix-readlink-check.patch b/queue-6.15/selftests-landlock-fix-readlink-check.patch new file mode 100644 index 0000000000..5c67633ec9 --- /dev/null +++ b/queue-6.15/selftests-landlock-fix-readlink-check.patch @@ -0,0 +1,50 @@ +From 512405e1fc7013180add9057d1002903ede806c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 16:44:25 +0200 +Subject: selftests/landlock: Fix readlink check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +[ Upstream commit 94a7ce26428d3a7ceb46c503ed726160578b9fcc ] + +The audit_init_filter_exe() helper incorrectly checks the readlink(2) +error because an unsigned integer is used to store the result. Use a +signed integer for this check. + +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/aDbFwyZ_fM-IO7sC@stanley.mountain +Fixes: 6a500b22971c ("selftests/landlock: Add tests for audit flags and domain IDs") +Reviewed-by: Günther Noack +Link: https://lore.kernel.org/r/20250528144426.1709063-1-mic@digikod.net +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/landlock/audit.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/landlock/audit.h b/tools/testing/selftests/landlock/audit.h +index 18a6014920b5..b16986aa6442 100644 +--- a/tools/testing/selftests/landlock/audit.h ++++ b/tools/testing/selftests/landlock/audit.h +@@ -403,11 +403,12 @@ static int audit_init_filter_exe(struct audit_filter *filter, const char *path) + /* It is assume that there is not already filtering rules. */ + filter->record_type = AUDIT_EXE; + if (!path) { +- filter->exe_len = readlink("/proc/self/exe", filter->exe, +- sizeof(filter->exe) - 1); +- if (filter->exe_len < 0) ++ int ret = readlink("/proc/self/exe", filter->exe, ++ sizeof(filter->exe) - 1); ++ if (ret < 0) + return -errno; + ++ filter->exe_len = ret; + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.15/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch b/queue-6.15/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch new file mode 100644 index 0000000000..789b412194 --- /dev/null +++ b/queue-6.15/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch @@ -0,0 +1,62 @@ +From 96608aa37e9c228c950be7afdacdb6fceaaa9684 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 11:50:28 +0800 +Subject: selftests: rtnetlink.sh: remove esp4_offload after test + +From: Xiumei Mu + +[ Upstream commit 5b32321fdaf3fd1a92ec726af18765e225b0ee2b ] + +The esp4_offload module, loaded during IPsec offload tests, should +be reset to its default settings after testing. +Otherwise, leaving it enabled could unintentionally affect subsequence +test cases by keeping offload active. + +Without this fix: +$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload; +PASS: ipsec_offload +esp4_offload 12288 0 +esp4 32768 1 esp4_offload + +With this fix: +$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload; +PASS: ipsec_offload + +Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test") +Signed-off-by: Xiumei Mu +Reviewed-by: Shannon Nelson +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/6d3a1d777c4de4eb0ca94ced9e77be8d48c5b12f.1753415428.git.xmu@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/rtnetlink.sh | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh +index 2e8243a65b50..d2298da320a6 100755 +--- a/tools/testing/selftests/net/rtnetlink.sh ++++ b/tools/testing/selftests/net/rtnetlink.sh +@@ -673,6 +673,11 @@ kci_test_ipsec_offload() + sysfsf=$sysfsd/ipsec + sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/ + probed=false ++ esp4_offload_probed_default=false ++ ++ if lsmod | grep -q esp4_offload; then ++ esp4_offload_probed_default=true ++ fi + + if ! mount | grep -q debugfs; then + mount -t debugfs none /sys/kernel/debug/ &> /dev/null +@@ -766,6 +771,7 @@ EOF + fi + + # clean up any leftovers ++ ! "$esp4_offload_probed_default" && lsmod | grep -q esp4_offload && rmmod esp4_offload + echo 0 > /sys/bus/netdevsim/del_device + $probed && rmmod netdevsim + +-- +2.39.5 + diff --git a/queue-6.15/selftests-tracing-fix-false-failure-of-subsystem-eve.patch b/queue-6.15/selftests-tracing-fix-false-failure-of-subsystem-eve.patch new file mode 100644 index 0000000000..fa712a9af0 --- /dev/null +++ b/queue-6.15/selftests-tracing-fix-false-failure-of-subsystem-eve.patch @@ -0,0 +1,85 @@ +From cbf8c9952c470657e0b8359e93088e9b7d94c7dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 13:42:12 -0400 +Subject: selftests/tracing: Fix false failure of subsystem event test + +From: Steven Rostedt + +[ Upstream commit 213879061a9c60200ba971330dbefec6df3b4a30 ] + +The subsystem event test enables all "sched" events and makes sure there's +at least 3 different events in the output. It used to cat the entire trace +file to | wc -l, but on slow machines, that could last a very long time. +To solve that, it was changed to just read the first 100 lines of the +trace file. This can cause false failures as some events repeat so often, +that the 100 lines that are examined could possibly be of only one event. + +Instead, create an awk script that looks for 3 different events and will +exit out after it finds them. This will find the 3 events the test looks +for (eventually if it works), and still exit out after the test is +satisfied and not cause slower machines to run forever. + +Link: https://lore.kernel.org/r/20250721134212.53c3e140@batman.local.home +Reported-by: Tengda Wu +Closes: https://lore.kernel.org/all/20250710130134.591066-1-wutengda@huaweicloud.com/ +Fixes: 1a4ea83a6e67 ("selftests/ftrace: Limit length in subsystem-enable tests") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/event/subsystem-enable.tc | 28 +++++++++++++++++-- + 1 file changed, 26 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc +index b7c8f29c09a9..65916bb55dfb 100644 +--- a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc ++++ b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc +@@ -14,11 +14,35 @@ fail() { #msg + exit_fail + } + ++# As reading trace can last forever, simply look for 3 different ++# events then exit out of reading the file. If there's not 3 different ++# events, then the test has failed. ++check_unique() { ++ cat trace | grep -v '^#' | awk ' ++ BEGIN { cnt = 0; } ++ { ++ for (i = 0; i < cnt; i++) { ++ if (event[i] == $5) { ++ break; ++ } ++ } ++ if (i == cnt) { ++ event[cnt++] = $5; ++ if (cnt > 2) { ++ exit; ++ } ++ } ++ } ++ END { ++ printf "%d", cnt; ++ }' ++} ++ + echo 'sched:*' > set_event + + yield + +-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` ++count=`check_unique` + if [ $count -lt 3 ]; then + fail "at least fork, exec and exit events should be recorded" + fi +@@ -29,7 +53,7 @@ echo 1 > events/sched/enable + + yield + +-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` ++count=`check_unique` + if [ $count -lt 3 ]; then + fail "at least fork, exec and exit events should be recorded" + fi +-- +2.39.5 + diff --git a/queue-6.15/selftests-vdso-chacha-correctly-skip-test-if-necessa.patch b/queue-6.15/selftests-vdso-chacha-correctly-skip-test-if-necessa.patch new file mode 100644 index 0000000000..22f4792cff --- /dev/null +++ b/queue-6.15/selftests-vdso-chacha-correctly-skip-test-if-necessa.patch @@ -0,0 +1,52 @@ +From 21c0215d9880f91ee84e9e5fdb5794ae797c3b5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 12:33:51 +0200 +Subject: selftests: vDSO: chacha: Correctly skip test if necessary +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 2c0a4428f5d6005ff0db12057cc35273593fc040 ] + +According to kselftest.h ksft_exit_skip() is not meant to be called when +a plan has already been printed. + +Use the recommended function ksft_test_result_skip(). + +This fixes a bug, where the TAP output would be invalid when skipping: + + TAP version 13 + 1..1 + ok 2 # SKIP Not implemented on architecture + +The SKIP line should start with "ok 1" as the plan only contains one test. + +Fixes: 3b5992eaf730 ("selftests: vDSO: unconditionally build chacha test") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Thomas Gleixner +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/all/20250611-selftests-vdso-fixes-v3-1-e62e37a6bcf5@linutronix.de +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/vdso_test_chacha.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/vDSO/vdso_test_chacha.c b/tools/testing/selftests/vDSO/vdso_test_chacha.c +index 8757f738b0b1..0aad682b12c8 100644 +--- a/tools/testing/selftests/vDSO/vdso_test_chacha.c ++++ b/tools/testing/selftests/vDSO/vdso_test_chacha.c +@@ -76,7 +76,8 @@ static void reference_chacha20_blocks(uint8_t *dst_bytes, const uint32_t *key, u + + void __weak __arch_chacha20_blocks_nostack(uint8_t *dst_bytes, const uint32_t *key, uint32_t *counter, size_t nblocks) + { +- ksft_exit_skip("Not implemented on architecture\n"); ++ ksft_test_result_skip("Not implemented on architecture\n"); ++ ksft_finished(); + } + + int main(int argc, char *argv[]) +-- +2.39.5 + diff --git a/queue-6.15/series b/queue-6.15/series index 9d2b6ebcc8..9a2f6046f8 100644 --- a/queue-6.15/series +++ b/queue-6.15/series @@ -6,3 +6,374 @@ alsa-hda-cs35l56-workaround-bad-dev-index-on-lenovo-.patch alsa-hda-realtek-support-mute-led-for-yoga-with-alc2.patch asoc-intel-fix-snd_soc_sof-dependencies.patch asoc-amd-yc-add-dmi-quirk-for-asus-m6501rm.patch +audit-module-restore-audit-logging-in-load-failure-c.patch +ceph-parse_longname-strrchr-expects-nul-terminated-s.patch +fs_context-fix-parameter-name-in-infofc-macro.patch +selftests-landlock-fix-readlink-check.patch +selftests-landlock-fix-build-of-audit_test.patch +fs-ntfs3-cancle-set-bad-inode-after-removing-name-fa.patch +landlock-fix-warning-from-kunit-tests.patch +ublk-use-vmalloc-for-ublk_device-s-__queues.patch +hfsplus-make-splice-write-available-again.patch +hfs-make-splice-write-available-again.patch +hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch +revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch +block-mtip32xx-fix-usage-of-dma_map_sg.patch +gfs2-minor-do_xmote-cancelation-fix.patch +md-allow-removing-faulty-rdev-during-resync.patch +kunit-fortify-add-back-volatile-for-sizeof-constants.patch +gfs2-no-more-self-recovery.patch +block-sanitize-chunk_sectors-for-atomic-write-limits.patch +io_uring-fix-breakage-in-expert-menu.patch +btrfs-remove-partial-support-for-lowest-level-from-b.patch +asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch +asoc-amd-acp-fix-pointer-assignments-for-snd_soc_acp.patch +asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch +asoc-mediatek-use-reserved-memory-or-enable-buffer-p.patch +arm64-dts-freescale-imx93-tqma9352-limit-buck2-to-60.patch +selftests-fix-errno-checking-in-syscall_user_dispatc.patch +soc-qcom-qmi-encoding-decoding-for-big-endian.patch +arm64-dts-qcom-qcs615-fix-a-crash-issue-caused-by-in.patch +arm64-dts-qcom-sdm845-expand-imem-region.patch +arm64-dts-qcom-sc7180-expand-imem-region.patch +arm64-dts-qcom-qcs615-disable-the-cti-device-of-the-.patch +arm64-dts-exynos-gs101-add-local-timer-stop-to-cpuid.patch +arm64-dts-qcom-sa8775p-correct-the-interrupt-for-rem.patch +arm64-dts-qcom-msm8976-make-blsp_dma-controlled-remo.patch +pm-cpupower-fix-printing-of-core-cpu-fields-in-cpupo.patch +arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch +usb-host-xhci-plat-fix-incorrect-type-for-of_match-v.patch +usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch +arm64-dts-ti-k3-am642-phyboard-electra-fix-pru-icssg.patch +arm64-dts-ti-k3-am62p-j722s-fix-pinctrl-single-size.patch +arm-dts-microchip-sama7d65-add-clock-name-property.patch +arm-dts-microchip-sam9x7-add-clock-name-property.patch +cpufreq-armada-8k-make-both-cpu-masks-static.patch +firmware-arm_scmi-fix-up-turbo-frequencies-selection.patch +usb-typec-ucsi-yoga-c630-fix-error-and-remove-paths.patch +mei-vsc-don-t-re-init-vsc-from-mei_vsc_hw_reset-on-s.patch +mei-vsc-destroy-mutex-after-freeing-the-irq.patch +mei-vsc-event-notifier-fixes.patch +mei-vsc-unset-the-event-callback-on-remove-and-probe.patch +spi-stm32-check-for-cfg-availability-in-stm32_spi_pr.patch +drivers-misc-sram-fix-up-some-const-issues-with-rece.patch +power-sequencing-qcom-wcn-fix-bluetooth-wifi-copypas.patch +arm64-dts-rockchip-enable-emmc-hs200-mode-on-radxa-e.patch +staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch +rust-miscdevice-clarify-invariant-for-miscdeviceregi.patch +vmci-prevent-the-dispatching-of-uninitialized-payloa.patch +pps-fix-poll-support.patch +arm64-dts-imx8mp-venice-gw74xx-update-name-of-m2skt_.patch +selftests-vdso-chacha-correctly-skip-test-if-necessa.patch +revert-vmci-prevent-the-dispatching-of-uninitialized.patch +powercap-dtpm_cpu-fix-null-pointer-dereference-in-ge.patch +usb-early-xhci-dbc-fix-early_ioremap-leak.patch +arm-dts-ti-omap-fixup-pinheader-typo.patch +staging-gpib-fix-error-code-in-board_type_ioctl.patch +staging-gpib-fix-error-handling-paths-in-cb_gpib_pro.patch +soc-tegra-cbb-clear-err_force-register-with-err_stat.patch +arm64-dts-rockchip-fix-phy-handling-for-rock-4d.patch +arm64-dts-st-fix-timer-used-for-ticks.patch +selftests-breakpoints-use-suspend_stats-to-reliably-.patch +arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch +arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch +arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch +arm64-dts-rockchip-fix-pinctrl-node-names-for-rk3528.patch +pm-devfreq-check-governor-before-using-governor-name.patch +pm-devfreq-fix-a-index-typo-in-trans_stat.patch +cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch +cpufreq-initialize-cpufreq-based-frequency-invarianc.patch +cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch +asoc-sdca-allow-read-only-controls-to-be-deferrable.patch +staging-greybus-gbphy-fix-up-const-issue-with-the-ma.patch +samples-mei-fix-building-on-musl-libc.patch +soc-qcom-pmic_glink-fix-of-node-leak.patch +interconnect-qcom-sc8280xp-specify-num_links-for-qnm.patch +interconnect-qcom-sc8180x-specify-num_nodes.patch +interconnect-qcom-qcs615-drop-ip0-interconnects.patch +bus-mhi-host-pci_generic-fix-the-modem-name-of-foxco.patch +drm-xe-correct-the-rev-value-for-the-dvsec-entries.patch +drm-xe-correct-bmg-vsec-header-sizing.patch +staging-nvec-fix-incorrect-null-termination-of-batte.patch +selftests-tracing-fix-false-failure-of-subsystem-eve.patch +drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch +drm-connector-hdmi-evaluate-limited-range-after-comp.patch +drm-panfrost-fix-panfrost-device-variable-name-in-de.patch +drm-panthor-add-missing-explicit-padding-in-drm_pant.patch +wifi-rtw89-fix-eht-20mhz-tx-rate-for-non-ap-sta.patch +bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch +netconsole-only-register-console-drivers-when-target.patch +bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch +selftests-bpf-fix-signedness-bug-in-redir_partial.patch +bpf-handle-jset-if-a-b-.-as-a-jump-in-cfg-computatio.patch +selftests-bpf-fix-unintentional-switch-case-fall-thr.patch +net-ipv6-ip6mr-fix-in-out-netdev-to-pass-to-the-forw.patch +drm-vmwgfx-fix-host-backed-userspace-on-guest-backed.patch +slub-fix-a-documentation-build-error-for-krealloc.patch +drm-amdgpu-remove-nbiov7.9-replay-count-reporting.patch +bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch +powerpc-pseries-dlpar-search-drc-index-from-ibm-drc-.patch +wifi-ath12k-avoid-accessing-uninitialized-arvif-ar-d.patch +wifi-ath12k-fix-double-budget-decrement-while-reapin.patch +wifi-ath12k-pass-ab-pointer-directly-to-ath12k_dp_tx.patch +caif-reduce-stack-size-again.patch +wifi-rtw89-avoid-null-dereference-when-rx-problemati.patch +wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch +wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch +iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch +team-replace-team-lock-with-rtnl-lock.patch +wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch +wifi-ath12k-clear-auth-flag-only-for-actual-associat.patch +tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch +net-mlx5-check-device-memory-pointer-before-usage.patch +net-dst-annotate-data-races-around-dst-input.patch +net-dst-annotate-data-races-around-dst-output.patch +net-dst-add-four-helpers-to-annotate-data-races-arou.patch +wifi-iwlwifi-fix-error-code-in-iwl_op_mode_dvm_start.patch +kselftest-arm64-fix-check-for-setting-new-vls-in-sve.patch +bpf-ensure-rcu-lock-is-held-around-bpf_prog_ksym_fin.patch +drm-msm-dpu-fill-in-min_prefill_lines-for-sc8180x.patch +m68k-don-t-unregister-boot-console-needlessly.patch +refscale-check-that-nreaders-and-loops-multiplicatio.patch +wifi-mt76-mt7996-fix-secondary-link-lookup-in-mt7996.patch +wifi-mt76-mt7996-fix-possible-oob-access-in-mt7996_t.patch +wifi-mt76-mt7996-fix-valid_links-bitmask-in-mt7996_m.patch +drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch +wifi-ath12k-block-radio-bring-up-in-ftm-mode.patch +drm-rockchip-vop2-fail-cleanly-if-missing-a-primary-.patch +drm-rockchip-vop2-fix-the-update-of-layer-port-selec.patch +sched-psi-optimize-psi_group_change-cpu_clock-usage.patch +sched-deadline-less-agressive-dl_server-handling.patch +fbcon-fix-outdated-registered_fb-reference-in-commen.patch +netfilter-nf_tables-drop-dead-code-from-fill_-_info-.patch +netfilter-nf_tables-adjust-lockdep-assertions-handli.patch +arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch +um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch +iommu-amd-enable-pasid-and-ats-capabilities-in-the-c.patch +net-sched-restrict-conditions-for-adding-duplicating.patch +net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch +rdma-mlx5-fix-umr-modifying-of-mkey-page-size.patch +xen-fix-uaf-in-dmabuf_exp_from_pages.patch +sched-deadline-initialize-dl_servers-after-smp.patch +sched-deadline-reset-extra_bw-to-max_bw-when-clearin.patch +iommu-vt-d-do-not-wipe-out-the-page-table-nid-when-d.patch +iommu-arm-smmu-disable-prr-on-sm8250.patch +xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch +sched-do-not-call-__put_task_struct-on-rt-if-pi_bloc.patch +tcp-call-tcp_measure_rcv_mss-for-ooo-packets.patch +wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch +wifi-rtw88-fix-macid-assigned-to-tdls-station.patch +mwl8k-add-missing-check-after-dma-map.patch +wifi-ath12k-use-htt_tcl_metadata_ver_v1-in-ftm-mode.patch +wifi-ath11k-fix-sleeping-in-atomic-in-ath11k_mac_op_.patch +drm-amdgpu-gfx9-fix-kiq-locking-in-kcq-reset.patch +drm-amdgpu-gfx9.4.3-fix-kiq-locking-in-kcq-reset.patch +drm-amdgpu-gfx10-fix-kiq-locking-in-kcq-reset.patch +selftests-bpf-fix-implementation-of-smp_mb.patch +iommu-amd-fix-geometry.aperture_end-for-v2-tables.patch +rcu-fix-delayed-execution-of-hurry-callbacks.patch +wifi-mac80211-reject-tdls-operations-when-station-is.patch +wifi-plfxlc-fix-error-handling-in-usb-driver-probe.patch +wifi-cfg80211-add-missing-lock-in-cfg80211_check_and.patch +wifi-mac80211-do-not-schedule-stopped-txqs.patch +wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch +wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch +reapply-wifi-mac80211-update-skb-s-control-block-key.patch +wifi-ath12k-fix-endianness-handling-while-accessing-.patch +wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch +pm-cpufreq-powernv-tracing-move-powernv_throttle-tra.patch +wifi-mac80211-write-cnt-before-copying-in-ieee80211_.patch +wifi-nl80211-set-num_sub_specs-before-looping-throug.patch +ring-buffer-remove-ring_buffer_read_prepare_sync.patch +kcsan-test-initialize-dummy-variable.patch +memcg_slabinfo-fix-use-of-pg_slab.patch +wifi-mac80211-fix-warn_on-for-monitor-mode-on-some-d.patch +arm64-gcs-task_gcs_el0_enable-should-use-passed-task.patch +wifi-iwlwifi-mld-decode-eof-bit-for-ampdus.patch +bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch +bluetooth-hci_devcd_dump-fix-out-of-bounds-via-dev_c.patch +bluetooth-hci_event-mask-data-status-from-le-ext-adv.patch +bpf-disable-migration-in-nf_hook_run_bpf.patch +tools-rv-do-not-skip-idle-in-trace.patch +selftests-drv-net-fix-remote-command-checking-in-req.patch +selftests-drv-net-tso-enable-test-cases-based-on-hw_.patch +selftests-drv-net-tso-fix-vxlan-tunnel-flags-to-get-.patch +selftests-drv-net-tso-fix-non-tunneled-tso6-test-cas.patch +can-peak_usb-fix-usb-fd-devices-potential-malfunctio.patch +can-kvaser_pciefd-store-device-channel-index.patch +can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch +netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch +net-mlx5e-clear-read-only-port-buffer-size-in-pbmc-b.patch +net-mlx5e-remove-skb-secpath-if-xfrm-state-is-not-fo.patch +macsec-set-iff_unicast_flt-priv-flag.patch +net-dsa-microchip-fix-wrong-rx-drop-mib-counter-for-.patch +neighbour-fix-null-ptr-deref-in-neigh_flush_dev.patch +stmmac-xsk-fix-negative-overflow-of-budget-in-zeroco.patch +igb-xsk-solve-negative-overflow-of-nb_pkts-in-zeroco.patch +selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch +vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch +ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch +ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch +ipv6-annotate-data-races-around-rt-fib6_nsiblings.patch +bpf-preload-don-t-select-usermode_driver.patch +bpf-arm64-fix-fp-initialization-for-exception-bounda.patch +risc-v-kvm-fix-inclusion-of-smnpm-in-the-guest-isa-b.patch +rv-adjust-monitor-dependencies.patch +staging-media-atomisp-fix-stack-buffer-overflow-in-g.patch +fortify-fix-incorrect-reporting-of-read-buffer-size.patch +remoteproc-qcom-pas-conclude-the-rename-from-adsp.patch +pci-rockchip-host-fix-unexpected-completion-log-mess.patch +clk-renesas-rzv2h-fix-missing-clk_set_rate_parent-fl.patch +crypto-sun8i-ce-fix-nents-passed-to-dma_unmap_sg.patch +crypto-qat-use-unmanaged-allocation-for-dc_data.patch +crypto-marvell-cesa-fix-engine-load-inaccuracy.patch +padata-fix-pd-uaf-once-and-for-all.patch +crypto-qat-allow-enabling-vfs-in-the-absence-of-iomm.patch +crypto-qat-fix-state-restore-for-banks-with-exceptio.patch +mtd-fix-possible-integer-overflow-in-erase_xfer.patch +clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch +media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch +perf-parse-events-set-default-gh-modifier-properly.patch +clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch +power-supply-cpcap-charger-fix-null-check-for-power_.patch +power-supply-max14577-handle-null-pdata-when-config_.patch +power-supply-qcom_pmi8998_charger-fix-wakeirq.patch +power-supply-max1720x-correct-capacity-computation.patch +crypto-arm-aes-neonbs-work-around-gcc-15-warning.patch +pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch +pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch +pinctrl-berlin-fix-memory-leak-in-berlin_pinctrl_bui.patch +pinctrl-canaan-k230-add-null-check-in-dt-parse.patch +pinctrl-canaan-k230-fix-order-of-dt-parse-and-pinctr.patch +pci-adjust-the-position-of-reading-the-link-control-.patch +soundwire-correct-some-property-names.patch +dmaengine-mmp-fix-again-wvoid-pointer-to-enum-cast-w.patch +soundwire-debugfs-move-debug-statement-outside-of-er.patch +phy-qualcomm-phy-qcom-eusb2-repeater-don-t-zero-out-.patch +fanotify-sanitize-handle_type-values-when-reporting-.patch +clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch +fix-dma_unmap_sg-nents-value.patch +perf-tools-fix-use-after-free-in-help_unknown_cmd.patch +perf-dso-add-missed-dso__put-to-dso__load_kcore.patch +mtd-spi-nor-spansion-fixup-params-set_4byte_addr_mod.patch +perf-sched-make-sure-it-frees-the-usage-string.patch +perf-sched-free-thread-priv-using-priv_destructor.patch +perf-sched-fix-memory-leaks-in-perf-sched-map.patch +perf-sched-fix-thread-leaks-in-perf-sched-timehist.patch +perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch +perf-sched-use-rc_chk_equal-to-compare-pointers.patch +perf-sched-fix-memory-leaks-in-perf-sched-latency.patch +rdma-hns-fix-double-destruction-of-rsv_qp.patch +rdma-hns-fix-hw-configurations-not-cleared-in-error-.patch +crypto-ccp-fix-locking-on-alloc-failure-handling.patch +crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch +crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch +rdma-hns-get-message-length-of-ack_req-from-fw.patch +rdma-hns-fix-accessing-uninitialized-resources.patch +rdma-hns-drop-gfp_nowarn.patch +rdma-hns-fix-wframe-larger-than-issue.patch +tracing-use-queue_rcu_work-to-free-filters.patch +kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch +proc-use-the-same-treatment-to-check-proc_lseek-as-o.patch +pinmux-fix-race-causing-mux_owner-null-with-active-m.patch +perf-tests-bp_account-fix-leaked-file-descriptor.patch +perf-hwmon_pmu-avoid-shortening-hwmon-pmu-name.patch +rdma-mana_ib-fix-dscp-value-in-modify-qp.patch +clk-thead-th1520-ap-correctly-refer-the-parent-of-os.patch +clk-sunxi-ng-v3s-fix-de-clock-definition.patch +scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch +scsi-elx-efct-fix-dma_unmap_sg-nents-value.patch +scsi-mvsas-fix-dma_unmap_sg-nents-value.patch +scsi-isci-fix-dma_unmap_sg-nents-value.patch +pci-fix-driver_managed_dma-check.patch +watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch +ext4-fix-inode-use-after-free-in-ext4_end_io_rsv_wor.patch +ext4-make-sure-bh_new-bit-is-cleared-in-write_end-ha.patch +clk-at91-sam9x7-update-pll-clk-ranges.patch +hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch +crypto-keembay-fix-dma_unmap_sg-nents-value.patch +crypto-img-hash-fix-dma_unmap_sg-nents-value.patch +crypto-qat-disable-zuc-256-capability-for-qat-gen5.patch +crypto-krb5-fix-memory-leak-in-krb5_test_one_prf.patch +soundwire-stream-restore-params-when-prepare-ports-f.patch +pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch +clk-imx95-blk-ctl-fix-synchronous-abort.patch +remoteproc-xlnx-disable-unsupported-features.patch +fs-orangefs-allow-2-more-characters-in-do_c_string.patch +tools-subcmd-tighten-the-filename-size-in-check_if_c.patch +dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch +dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch +mfd-tps65219-update-tps65214-mfd-cell-s-gpio-compati.patch +asoc-sdca-fix-some-holes-in-the-regmap-readable-writ.patch +asoc-fsl_xcvr-get-channel-status-data-when-phy-is-no.patch +asoc-fsl_xcvr-get-channel-status-data-with-firmware-.patch +sh-do-not-use-hyphen-in-exported-variable-name.patch +perf-tools-remove-libtraceevent-in-.gitignore.patch +clk-clocking-wizard-fix-the-round-rate-handling-for-.patch +crypto-qat-fix-dma-direction-for-compression-on-gen2.patch +crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch +fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch +smb-client-allow-parsing-zero-length-av-pairs.patch +jfs-fix-metapage-reference-count-leak-in-dballocctl.patch +mtd-rawnand-atmel-fix-dma_mapping_error-address.patch +mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch +mtd-rawnand-atmel-set-pmecc-data-setup-time.patch +drm-xe-vf-disable-csc-support-on-vf.patch +selftests-alsa-fix-memory-leak-in-utimer-test.patch +alsa-usb-scarlett2-fix-missing-null-check.patch +perf-record-cache-build-id-of-hit-dsos-only.patch +vdpa-mlx5-fix-needs_teardown-flag-calculation.patch +vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch +vhost-scsi-fix-check-for-inline_sg_cnt-exceeding-pre.patch +vdpa-mlx5-fix-release-of-uninitialized-resources-on-.patch +vdpa-fix-idr-memory-leak-in-vduse-module-exit.patch +vhost-reintroduce-kthread-api-and-add-mode-selection.patch +bpf-check-flow_dissector-ctx-accesses-are-aligned.patch +bpf-check-netfilter-ctx-accesses-are-aligned.patch +apparmor-ensure-wb_history_size-value-is-a-power-of-.patch +apparmor-fix-loop-detection-used-in-conflicting-atta.patch +scripts-gdb-move-mnt_-constants-to-gdb-parsed.patch +apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch +i3c-master-svc-fix-npcm845-fifo_empty-quirk.patch +module-restore-the-moduleparam-prefix-length-check.patch +ucount-fix-atomic_long_inc_below-argument-type.patch +rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch +rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch +rtc-nct3018y-fix-incorrect-maximum-clock-rate-handli.patch +rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch +rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch +rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch +f2fs-turn-off-one_time-when-forcibly-set-to-foregrou.patch +f2fs-fix-bio-memleak-when-committing-super-block.patch +f2fs-fix-to-avoid-invalid-wait-context-issue.patch +f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch +f2fs-fix-to-check-upper-boundary-for-value-of-gc_boo.patch +f2fs-fix-to-check-upper-boundary-for-gc_valid_thresh.patch +f2fs-fix-to-check-upper-boundary-for-gc_no_zoned_gc_.patch +f2fs-doc-fix-wrong-quota-mount-option-description.patch +f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch +f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch +f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch +f2fs-vm_unmap_ram-may-be-called-from-an-invalid-cont.patch +f2fs-fix-to-update-upper_p-in-__get_secs_required-co.patch +f2fs-fix-to-calculate-dirty-data-during-has_not_enou.patch +f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_bl.patch +exfat-fdatasync-flag-should-be-same-like-generic_wri.patch +i2c-muxes-mule-fix-an-error-handling-path-in-mule_i2.patch +vfio-fix-unbalanced-vfio_df_close-call-in-no-iommu-m.patch +vfio-prevent-open_count-decrement-to-negative.patch +vfio-pds-fix-missing-detach_ioas-op.patch +vfio-pci-separate-sr-iov-vf-dev_set.patch +scsi-mpt3sas-fix-a-fw_event-memory-leak.patch +scsi-revert-scsi-iscsi-fix-hw-conn-removal-use-after.patch +scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch +scsi-sd-make-sd-shutdown-issue-start-stop-unit-appro.patch +kconfig-qconf-fix-configlist-updatelistallforall.patch +vfio-pci-do-vf_token-checks-for-vfio_device_bind_iom.patch +sched-psi-fix-psi_seq-initialization.patch +padata-remove-comment-for-reorder_work.patch +pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch +pci-pnv_php-work-around-switches-with-broken-presenc.patch +powerpc-eeh-export-eeh_unfreeze_pe.patch +powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch +pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch diff --git a/queue-6.15/sh-do-not-use-hyphen-in-exported-variable-name.patch b/queue-6.15/sh-do-not-use-hyphen-in-exported-variable-name.patch new file mode 100644 index 0000000000..784e3922ba --- /dev/null +++ b/queue-6.15/sh-do-not-use-hyphen-in-exported-variable-name.patch @@ -0,0 +1,107 @@ +From 1d6e7b1c40240fb03245bbcb9cf56bc74e04179f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 16:47:32 +0200 +Subject: sh: Do not use hyphen in exported variable name + +From: Ben Hutchings + +[ Upstream commit c32969d0362a790fbc6117e0b6a737a7e510b843 ] + +arch/sh/Makefile defines and exports ld-bfd to be used by +arch/sh/boot/compressed/Makefile and arch/sh/boot/romimage/Makefile. +However some shells, including dash, will not pass through environment +variables whose name includes a hyphen. Usually GNU make does not use +a shell to recurse, but if e.g. $(srctree) contains '~' it will use a +shell here. + +Other instances of this problem were previously fixed by commits +2bfbe7881ee0 "kbuild: Do not use hyphen in exported variable name" +and 82977af93a0d "sh: rename suffix-y to suffix_y". + +Rename the variable to ld_bfd. + +References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0 +Fixes: 7b022d07a0fd ("sh: Tidy up the ldscript output format specifier.") +Signed-off-by: Ben Hutchings +Reviewed-by: John Paul Adrian Glaubitz +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/Makefile | 10 +++++----- + arch/sh/boot/compressed/Makefile | 4 ++-- + arch/sh/boot/romimage/Makefile | 4 ++-- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/arch/sh/Makefile b/arch/sh/Makefile +index cab2f9c011a8..7b420424b6d7 100644 +--- a/arch/sh/Makefile ++++ b/arch/sh/Makefile +@@ -103,16 +103,16 @@ UTS_MACHINE := sh + LDFLAGS_vmlinux += -e _stext + + ifdef CONFIG_CPU_LITTLE_ENDIAN +-ld-bfd := elf32-sh-linux +-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd) ++ld_bfd := elf32-sh-linux ++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd) + KBUILD_LDFLAGS += -EL + else +-ld-bfd := elf32-shbig-linux +-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd) ++ld_bfd := elf32-shbig-linux ++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd) + KBUILD_LDFLAGS += -EB + endif + +-export ld-bfd ++export ld_bfd + + # Mach groups + machdir-$(CONFIG_SOLUTION_ENGINE) += mach-se +diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile +index 8bc319ff54bf..58df491778b2 100644 +--- a/arch/sh/boot/compressed/Makefile ++++ b/arch/sh/boot/compressed/Makefile +@@ -27,7 +27,7 @@ endif + + ccflags-remove-$(CONFIG_MCOUNT) += -pg + +-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \ ++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \ + -T $(obj)/../../kernel/vmlinux.lds + + KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING +@@ -51,7 +51,7 @@ $(obj)/vmlinux.bin.lzo: $(obj)/vmlinux.bin FORCE + + OBJCOPYFLAGS += -R .empty_zero_page + +-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T ++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T + + $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix_y) FORCE + $(call if_changed,ld) +diff --git a/arch/sh/boot/romimage/Makefile b/arch/sh/boot/romimage/Makefile +index c7c8be58400c..17b03df0a8de 100644 +--- a/arch/sh/boot/romimage/Makefile ++++ b/arch/sh/boot/romimage/Makefile +@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) := $(obj)/mmcif-sh7724.o + load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y) + obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y) + +-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \ ++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \ + -T $(obj)/../../kernel/vmlinux.lds + + $(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE +@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page + $(obj)/zeropage.bin: vmlinux FORCE + $(call if_changed,objcopy) + +-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T ++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T + + $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE + $(call if_changed,ld) +-- +2.39.5 + diff --git a/queue-6.15/slub-fix-a-documentation-build-error-for-krealloc.patch b/queue-6.15/slub-fix-a-documentation-build-error-for-krealloc.patch new file mode 100644 index 0000000000..b1e8218d0a --- /dev/null +++ b/queue-6.15/slub-fix-a-documentation-build-error-for-krealloc.patch @@ -0,0 +1,53 @@ +From 047ebf8f819bf134634e4db381ea5d5d0219942f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 16:59:08 +0100 +Subject: slub: Fix a documentation build error for krealloc() + +From: Jonathan Corbet + +[ Upstream commit e8a45f198e3ae2434108f815bc28f37f6fe6742b ] + +The kerneldoc comment for krealloc() contains an unmarked literal block, +leading to these warnings in the docs build: + + ./mm/slub.c:4936: WARNING: Block quote ends without a blank line; unexpected unindent. [docutils] + ./mm/slub.c:4936: ERROR: Undefined substitution referenced: "--------". [docutils] + +Mark up and indent the block properly to bring a bit of peace to our build +logs. + +Fixes: 489a744e5fb1 (mm: krealloc: clarify valid usage of __GFP_ZERO) +Signed-off-by: Jonathan Corbet +Signed-off-by: Matthew Wilcox (Oracle) +Link: https://patch.msgid.link/20250611155916.2579160-6-willy@infradead.org +Signed-off-by: Vlastimil Babka +Signed-off-by: Sasha Levin +--- + mm/slub.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/mm/slub.c b/mm/slub.c +index be8b09e09d30..5c73b956615f 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -4929,12 +4929,12 @@ __do_krealloc(const void *p, size_t new_size, gfp_t flags) + * When slub_debug_orig_size() is off, krealloc() only knows about the bucket + * size of an allocation (but not the exact size it was allocated with) and + * hence implements the following semantics for shrinking and growing buffers +- * with __GFP_ZERO. ++ * with __GFP_ZERO:: + * +- * new bucket +- * 0 size size +- * |--------|----------------| +- * | keep | zero | ++ * new bucket ++ * 0 size size ++ * |--------|----------------| ++ * | keep | zero | + * + * Otherwise, the original allocation size 'orig_size' could be used to + * precisely clear the requested size, and the new size will also be stored +-- +2.39.5 + diff --git a/queue-6.15/smb-client-allow-parsing-zero-length-av-pairs.patch b/queue-6.15/smb-client-allow-parsing-zero-length-av-pairs.patch new file mode 100644 index 0000000000..5ed887bdb6 --- /dev/null +++ b/queue-6.15/smb-client-allow-parsing-zero-length-av-pairs.patch @@ -0,0 +1,47 @@ +From 15d1db7a37ccaa92acb3f6c50909196f0165c99a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 00:04:43 -0300 +Subject: smb: client: allow parsing zero-length AV pairs + +From: Paulo Alcantara + +[ Upstream commit be77ab6b9fbe348daf3c2d3ee40f23ca5110a339 ] + +Zero-length AV pairs should be considered as valid target infos. +Don't skip the next AV pairs that follow them. + +Cc: linux-cifs@vger.kernel.org +Cc: David Howells +Fixes: 0e8ae9b953bc ("smb: client: parse av pair type 4 in CHALLENGE_MESSAGE") +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsencrypt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/cifsencrypt.c b/fs/smb/client/cifsencrypt.c +index 35892df7335c..6be850d2a346 100644 +--- a/fs/smb/client/cifsencrypt.c ++++ b/fs/smb/client/cifsencrypt.c +@@ -343,7 +343,7 @@ static struct ntlmssp2_name *find_next_av(struct cifs_ses *ses, + len = AV_LEN(av); + if (AV_TYPE(av) == NTLMSSP_AV_EOL) + return NULL; +- if (!len || (u8 *)av + sizeof(*av) + len > end) ++ if ((u8 *)av + sizeof(*av) + len > end) + return NULL; + return av; + } +@@ -363,7 +363,7 @@ static int find_av_name(struct cifs_ses *ses, u16 type, char **name, u16 maxlen) + + av_for_each_entry(ses, av) { + len = AV_LEN(av); +- if (AV_TYPE(av) != type) ++ if (AV_TYPE(av) != type || !len) + continue; + if (!IS_ALIGNED(len, sizeof(__le16))) { + cifs_dbg(VFS | ONCE, "%s: bad length(%u) for type %u\n", +-- +2.39.5 + diff --git a/queue-6.15/soc-qcom-pmic_glink-fix-of-node-leak.patch b/queue-6.15/soc-qcom-pmic_glink-fix-of-node-leak.patch new file mode 100644 index 0000000000..0ff1ce3793 --- /dev/null +++ b/queue-6.15/soc-qcom-pmic_glink-fix-of-node-leak.patch @@ -0,0 +1,54 @@ +From 1c9af1e408bffa7dae97ccbf8523bcb22b401ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 10:57:17 +0200 +Subject: soc: qcom: pmic_glink: fix OF node leak + +From: Johan Hovold + +[ Upstream commit 65702c3d293e45d3cac5e4e175296a9c90404326 ] + +Make sure to drop the OF node reference taken when registering the +auxiliary devices when the devices are later released. + +Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver") +Cc: Bjorn Andersson +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250708085717.15922-1-johan@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/pmic_glink.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c +index cde19cdfd3c7..e57b47c17c3c 100644 +--- a/drivers/soc/qcom/pmic_glink.c ++++ b/drivers/soc/qcom/pmic_glink.c +@@ -167,7 +167,10 @@ static int pmic_glink_rpmsg_callback(struct rpmsg_device *rpdev, void *data, + return 0; + } + +-static void pmic_glink_aux_release(struct device *dev) {} ++static void pmic_glink_aux_release(struct device *dev) ++{ ++ of_node_put(dev->of_node); ++} + + static int pmic_glink_add_aux_device(struct pmic_glink *pg, + struct auxiliary_device *aux, +@@ -181,8 +184,10 @@ static int pmic_glink_add_aux_device(struct pmic_glink *pg, + aux->dev.release = pmic_glink_aux_release; + device_set_of_node_from_dev(&aux->dev, parent); + ret = auxiliary_device_init(aux); +- if (ret) ++ if (ret) { ++ of_node_put(aux->dev.of_node); + return ret; ++ } + + ret = auxiliary_device_add(aux); + if (ret) +-- +2.39.5 + diff --git a/queue-6.15/soc-qcom-qmi-encoding-decoding-for-big-endian.patch b/queue-6.15/soc-qcom-qmi-encoding-decoding-for-big-endian.patch new file mode 100644 index 0000000000..5fd8cba4ac --- /dev/null +++ b/queue-6.15/soc-qcom-qmi-encoding-decoding-for-big-endian.patch @@ -0,0 +1,126 @@ +From 60bcedae71afca9e6052e197a5f279ee8a87fdf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 16:35:29 +0200 +Subject: soc: qcom: QMI encoding/decoding for big endian + +From: Alexander Wilhelm + +[ Upstream commit 3ced38da5f7de4c260f9eaa86fc805827953243a ] + +The QMI_DATA_LEN type may have different sizes. Taking the element's +address of that type and interpret it as a smaller sized ones works fine +for little endian platforms but not for big endian ones. Instead use +temporary variables of smaller sized types and cast them correctly to +support big endian platforms. + +Signed-off-by: Alexander Wilhelm +Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder") +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250522143530.3623809-2-alexander.wilhelm@westermo.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/qmi_encdec.c | 46 +++++++++++++++++++++++++++++------ + 1 file changed, 38 insertions(+), 8 deletions(-) + +diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c +index bb09eff85cff..dafe0a4c202e 100644 +--- a/drivers/soc/qcom/qmi_encdec.c ++++ b/drivers/soc/qcom/qmi_encdec.c +@@ -304,6 +304,8 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf, + const void *buf_src; + int encode_tlv = 0; + int rc; ++ u8 val8; ++ u16 val16; + + if (!ei_array) + return 0; +@@ -338,7 +340,6 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf, + break; + + case QMI_DATA_LEN: +- memcpy(&data_len_value, buf_src, temp_ei->elem_size); + data_len_sz = temp_ei->elem_size == sizeof(u8) ? + sizeof(u8) : sizeof(u16); + /* Check to avoid out of range buffer access */ +@@ -348,8 +349,17 @@ static int qmi_encode(const struct qmi_elem_info *ei_array, void *out_buf, + __func__); + return -ETOOSMALL; + } +- rc = qmi_encode_basic_elem(buf_dst, &data_len_value, +- 1, data_len_sz); ++ if (data_len_sz == sizeof(u8)) { ++ val8 = *(u8 *)buf_src; ++ data_len_value = (u32)val8; ++ rc = qmi_encode_basic_elem(buf_dst, &val8, ++ 1, data_len_sz); ++ } else { ++ val16 = *(u16 *)buf_src; ++ data_len_value = (u32)le16_to_cpu(val16); ++ rc = qmi_encode_basic_elem(buf_dst, &val16, ++ 1, data_len_sz); ++ } + UPDATE_ENCODE_VARIABLES(temp_ei, buf_dst, + encoded_bytes, tlv_len, + encode_tlv, rc); +@@ -523,14 +533,23 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array, + u32 string_len = 0; + u32 string_len_sz = 0; + const struct qmi_elem_info *temp_ei = ei_array; ++ u8 val8; ++ u16 val16; + + if (dec_level == 1) { + string_len = tlv_len; + } else { + string_len_sz = temp_ei->elem_len <= U8_MAX ? + sizeof(u8) : sizeof(u16); +- rc = qmi_decode_basic_elem(&string_len, buf_src, +- 1, string_len_sz); ++ if (string_len_sz == sizeof(u8)) { ++ rc = qmi_decode_basic_elem(&val8, buf_src, ++ 1, string_len_sz); ++ string_len = (u32)val8; ++ } else { ++ rc = qmi_decode_basic_elem(&val16, buf_src, ++ 1, string_len_sz); ++ string_len = (u32)val16; ++ } + decoded_bytes += rc; + } + +@@ -604,6 +623,9 @@ static int qmi_decode(const struct qmi_elem_info *ei_array, void *out_c_struct, + u32 decoded_bytes = 0; + const void *buf_src = in_buf; + int rc; ++ u8 val8; ++ u16 val16; ++ u32 val32; + + while (decoded_bytes < in_buf_len) { + if (dec_level >= 2 && temp_ei->data_type == QMI_EOTI) +@@ -642,9 +664,17 @@ static int qmi_decode(const struct qmi_elem_info *ei_array, void *out_c_struct, + if (temp_ei->data_type == QMI_DATA_LEN) { + data_len_sz = temp_ei->elem_size == sizeof(u8) ? + sizeof(u8) : sizeof(u16); +- rc = qmi_decode_basic_elem(&data_len_value, buf_src, +- 1, data_len_sz); +- memcpy(buf_dst, &data_len_value, sizeof(u32)); ++ if (data_len_sz == sizeof(u8)) { ++ rc = qmi_decode_basic_elem(&val8, buf_src, ++ 1, data_len_sz); ++ data_len_value = (u32)val8; ++ } else { ++ rc = qmi_decode_basic_elem(&val16, buf_src, ++ 1, data_len_sz); ++ data_len_value = (u32)val16; ++ } ++ val32 = cpu_to_le32(data_len_value); ++ memcpy(buf_dst, &val32, sizeof(u32)); + temp_ei = temp_ei + 1; + buf_dst = out_c_struct + temp_ei->offset; + tlv_len -= data_len_sz; +-- +2.39.5 + diff --git a/queue-6.15/soc-tegra-cbb-clear-err_force-register-with-err_stat.patch b/queue-6.15/soc-tegra-cbb-clear-err_force-register-with-err_stat.patch new file mode 100644 index 0000000000..33b7da55cd --- /dev/null +++ b/queue-6.15/soc-tegra-cbb-clear-err_force-register-with-err_stat.patch @@ -0,0 +1,38 @@ +From ea53f43e115b9cfa77489793104793d640e6613a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 16:08:22 +0530 +Subject: soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS + +From: Sumit Gupta + +[ Upstream commit a0647bca8966db04b79af72851ebd04224a4da40 ] + +When error is injected with the ERR_FORCE register, then this register +is not auto cleared on clearing the ERR_STATUS register. This causes +repeated interrupts on error injection. To fix, set the ERR_FORCE to +zero along with clearing the ERR_STATUS register after handling error. + +Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0") +Signed-off-by: Sumit Gupta +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/cbb/tegra234-cbb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/soc/tegra/cbb/tegra234-cbb.c b/drivers/soc/tegra/cbb/tegra234-cbb.c +index c74629af9bb5..1da31ead2b5e 100644 +--- a/drivers/soc/tegra/cbb/tegra234-cbb.c ++++ b/drivers/soc/tegra/cbb/tegra234-cbb.c +@@ -185,6 +185,8 @@ static void tegra234_cbb_error_clear(struct tegra_cbb *cbb) + { + struct tegra234_cbb *priv = to_tegra234_cbb(cbb); + ++ writel(0, priv->mon + FABRIC_MN_MASTER_ERR_FORCE_0); ++ + writel(0x3f, priv->mon + FABRIC_MN_MASTER_ERR_STATUS_0); + dsb(sy); + } +-- +2.39.5 + diff --git a/queue-6.15/soundwire-correct-some-property-names.patch b/queue-6.15/soundwire-correct-some-property-names.patch new file mode 100644 index 0000000000..51556b3817 --- /dev/null +++ b/queue-6.15/soundwire-correct-some-property-names.patch @@ -0,0 +1,48 @@ +From b40e5d237e3e5258f4fd29737823fbae559e1530 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 13:55:07 +0100 +Subject: soundwire: Correct some property names + +From: Charles Keepax + +[ Upstream commit ae6a0f5b8a5b0ca2e4bf1c0380267ad83aca8401 ] + +The DisCo properties should be mipi-sdw-paging-supported and +mipi-sdw-bank-delay-supported, with an 'ed' on the end. Correct the +property names used in sdw_slave_read_prop(). + +The internal flag bank_delay_support is currently unimplemented, so that +being read wrong does not currently affect anything. The two existing +users for this helper and the paging_support flag rt1320-sdw.c and +rt721-sdca-sdw.c both manually set the flag in their slave properties, +thus are not affected by this bug either. + +Fixes: 56d4fe31af77 ("soundwire: Add MIPI DisCo property helpers") +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20250624125507.2866346-1-ckeepax@opensource.cirrus.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/mipi_disco.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soundwire/mipi_disco.c b/drivers/soundwire/mipi_disco.c +index 65afb28ef8fa..c69b78cd0b62 100644 +--- a/drivers/soundwire/mipi_disco.c ++++ b/drivers/soundwire/mipi_disco.c +@@ -451,10 +451,10 @@ int sdw_slave_read_prop(struct sdw_slave *slave) + "mipi-sdw-highPHY-capable"); + + prop->paging_support = mipi_device_property_read_bool(dev, +- "mipi-sdw-paging-support"); ++ "mipi-sdw-paging-supported"); + + prop->bank_delay_support = mipi_device_property_read_bool(dev, +- "mipi-sdw-bank-delay-support"); ++ "mipi-sdw-bank-delay-supported"); + + device_property_read_u32(dev, + "mipi-sdw-port15-read-behavior", &prop->p15_behave); +-- +2.39.5 + diff --git a/queue-6.15/soundwire-debugfs-move-debug-statement-outside-of-er.patch b/queue-6.15/soundwire-debugfs-move-debug-statement-outside-of-er.patch new file mode 100644 index 0000000000..f85a1d0dac --- /dev/null +++ b/queue-6.15/soundwire-debugfs-move-debug-statement-outside-of-er.patch @@ -0,0 +1,56 @@ +From 91a15e2904c92eb3ef4fe31c26e86fed2dbabef8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 18:33:14 -0300 +Subject: soundwire: debugfs: move debug statement outside of error handling + +From: Rodrigo Gobbi + +[ Upstream commit 06f77ff9d852c9f2764659ea81489364d8a69a9c ] + +The start_t and finish_t variables are not properly initialized +if errors happens over request_firmware actions. +This was also detected by smatch: + +drivers/soundwire/debugfs.c:301 cmd_go() error: uninitialized symbol 'finish_t'. +drivers/soundwire/debugfs.c:301 cmd_go() error: uninitialized symbol 'start_t'. + +Move the debug statement outside of firmware error handling. + +Signed-off-by: Rodrigo Gobbi +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-sound/0db6d0bf-7bac-43a7-b624-a00d3d2bf829@stanley.mountain/ +Fixes: bb5cb09eedce ("soundwire: debugfs: add interface for BPT/BRA transfers") +Link: https://lore.kernel.org/r/20250626213628.9575-1-rodrigo.gobbi.7@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/soundwire/debugfs.c b/drivers/soundwire/debugfs.c +index 3099ea074f10..230a51489486 100644 +--- a/drivers/soundwire/debugfs.c ++++ b/drivers/soundwire/debugfs.c +@@ -291,6 +291,9 @@ static int cmd_go(void *data, u64 value) + + finish_t = ktime_get(); + ++ dev_dbg(&slave->dev, "command completed, num_byte %zu status %d, time %lld ms\n", ++ num_bytes, ret, div_u64(finish_t - start_t, NSEC_PER_MSEC)); ++ + out: + if (fw) + release_firmware(fw); +@@ -298,9 +301,6 @@ static int cmd_go(void *data, u64 value) + pm_runtime_mark_last_busy(&slave->dev); + pm_runtime_put(&slave->dev); + +- dev_dbg(&slave->dev, "command completed, num_byte %zu status %d, time %lld ms\n", +- num_bytes, ret, div_u64(finish_t - start_t, NSEC_PER_MSEC)); +- + return ret; + } + DEFINE_DEBUGFS_ATTRIBUTE(cmd_go_fops, NULL, +-- +2.39.5 + diff --git a/queue-6.15/soundwire-stream-restore-params-when-prepare-ports-f.patch b/queue-6.15/soundwire-stream-restore-params-when-prepare-ports-f.patch new file mode 100644 index 0000000000..3d0750f65b --- /dev/null +++ b/queue-6.15/soundwire-stream-restore-params-when-prepare-ports-f.patch @@ -0,0 +1,43 @@ +From 4441ddf5212a3b17db879826d014b290644684d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 14:09:52 +0800 +Subject: soundwire: stream: restore params when prepare ports fail +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bard Liao + +[ Upstream commit dba7d9dbfdc4389361ff3a910e767d3cfca22587 ] + +The bus->params should be restored if the stream is failed to prepare. +The issue exists since beginning. The Fixes tag just indicates the +first commit that the commit can be applied to. + +Fixes: 17ed5bef49f4 ("soundwire: add missing newlines in dynamic debug logs") +Signed-off-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Reviewed-by: Ranjani Sridharan +Link: https://lore.kernel.org/r/20250626060952.405996-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c +index a4bea742b5d9..38c9dbd35606 100644 +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -1510,7 +1510,7 @@ static int _sdw_prepare_stream(struct sdw_stream_runtime *stream, + if (ret < 0) { + dev_err(bus->dev, "Prepare port(s) failed ret = %d\n", + ret); +- return ret; ++ goto restore_params; + } + } + +-- +2.39.5 + diff --git a/queue-6.15/spi-stm32-check-for-cfg-availability-in-stm32_spi_pr.patch b/queue-6.15/spi-stm32-check-for-cfg-availability-in-stm32_spi_pr.patch new file mode 100644 index 0000000000..5e063b74e3 --- /dev/null +++ b/queue-6.15/spi-stm32-check-for-cfg-availability-in-stm32_spi_pr.patch @@ -0,0 +1,59 @@ +From 0cea3d55f7d3e46357f092df68ee1ceb3c397f75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 11:21:03 +0200 +Subject: spi: stm32: Check for cfg availability in stm32_spi_probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Le Goffic + +[ Upstream commit 21f1c800f6620e43f31dfd76709dbac8ebaa5a16 ] + +The stm32_spi_probe function now includes a check to ensure that the +pointer returned by of_device_get_match_data is not NULL before +accessing its members. This resolves a warning where a potential NULL +pointer dereference could occur when accessing cfg->has_device_mode. + +Before accessing the 'has_device_mode' member, we verify that 'cfg' is +not NULL. If 'cfg' is NULL, an error message is logged. + +This change ensures that the driver does not attempt to access +configuration data if it is not available, thus preventing a potential +system crash due to a NULL pointer dereference. + +Signed-off-by: Clément Le Goffic +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202310191831.MLwx1c6x-lkp@intel.com/ +Fixes: fee681646fc8 ("spi: stm32: disable device mode with st,stm32f4-spi compatible") +Link: https://patch.msgid.link/20250616-spi-upstream-v1-2-7e8593f3f75d@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index da3517d7102d..dc22b98bdbcc 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -2069,9 +2069,15 @@ static int stm32_spi_probe(struct platform_device *pdev) + struct resource *res; + struct reset_control *rst; + struct device_node *np = pdev->dev.of_node; ++ const struct stm32_spi_cfg *cfg; + bool device_mode; + int ret; +- const struct stm32_spi_cfg *cfg = of_device_get_match_data(&pdev->dev); ++ ++ cfg = of_device_get_match_data(&pdev->dev); ++ if (!cfg) { ++ dev_err(&pdev->dev, "Failed to get match data for platform\n"); ++ return -ENODEV; ++ } + + device_mode = of_property_read_bool(np, "spi-slave"); + if (!cfg->has_device_mode && device_mode) { +-- +2.39.5 + diff --git a/queue-6.15/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch b/queue-6.15/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch new file mode 100644 index 0000000000..fc9ebee65e --- /dev/null +++ b/queue-6.15/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch @@ -0,0 +1,39 @@ +From 8006852aff37df5d9fa6085b1b097e5e71c8d709 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 22:54:10 +0530 +Subject: staging: fbtft: fix potential memory leak in + fbtft_framebuffer_alloc() + +From: Abdun Nihaal + +[ Upstream commit eb2cb7dab60f9be0b435ac4a674255429a36d72c ] + +In the error paths after fb_info structure is successfully allocated, +the memory allocated in fb_deferred_io_init() for info->pagerefs is not +freed. Fix that by adding the cleanup function on the error path. + +Fixes: c296d5f9957c ("staging: fbtft: core support") +Signed-off-by: Abdun Nihaal +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20250626172412.18355-1-abdun.nihaal@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/fbtft/fbtft-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c +index da9c64152a60..39bced400065 100644 +--- a/drivers/staging/fbtft/fbtft-core.c ++++ b/drivers/staging/fbtft/fbtft-core.c +@@ -692,6 +692,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display, + return info; + + release_framebuf: ++ fb_deferred_io_cleanup(info); + framebuffer_release(info); + + alloc_fail: +-- +2.39.5 + diff --git a/queue-6.15/staging-gpib-fix-error-code-in-board_type_ioctl.patch b/queue-6.15/staging-gpib-fix-error-code-in-board_type_ioctl.patch new file mode 100644 index 0000000000..8bd10321f7 --- /dev/null +++ b/queue-6.15/staging-gpib-fix-error-code-in-board_type_ioctl.patch @@ -0,0 +1,38 @@ +From ad953f0ddf94f1c7f2b2d1c3b112ef52d2276ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 23:46:20 -0700 +Subject: staging: gpib: Fix error code in board_type_ioctl() + +From: Harshit Mogalapalli + +[ Upstream commit aa07b790d79226f9bd0731d2c065db2823867cc5 ] + +When copy_from_user() fails it return number of bytes it wasn't able to +copy. So the correct return value when copy_from_user() fails is +-EFAULT. + +Fixes: 9dde4559e939 ("staging: gpib: Add GPIB common core driver") +Signed-off-by: Harshit Mogalapalli +Link: https://lore.kernel.org/r/20250703064633.1955893-1-harshit.m.mogalapalli@oracle.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/gpib/common/gpib_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/gpib/common/gpib_os.c b/drivers/staging/gpib/common/gpib_os.c +index 8456b97290b8..01a9099a6c16 100644 +--- a/drivers/staging/gpib/common/gpib_os.c ++++ b/drivers/staging/gpib/common/gpib_os.c +@@ -819,7 +819,7 @@ static int board_type_ioctl(gpib_file_private_t *file_priv, struct gpib_board *b + + retval = copy_from_user(&cmd, (void __user *)arg, sizeof(board_type_ioctl_t)); + if (retval) +- return retval; ++ return -EFAULT; + + for (list_ptr = registered_drivers.next; list_ptr != ®istered_drivers; + list_ptr = list_ptr->next) { +-- +2.39.5 + diff --git a/queue-6.15/staging-gpib-fix-error-handling-paths-in-cb_gpib_pro.patch b/queue-6.15/staging-gpib-fix-error-handling-paths-in-cb_gpib_pro.patch new file mode 100644 index 0000000000..05b8c7b185 --- /dev/null +++ b/queue-6.15/staging-gpib-fix-error-handling-paths-in-cb_gpib_pro.patch @@ -0,0 +1,59 @@ +From aa1b896a8f8603bfddc3e37435556a0f381d513c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jul 2025 11:52:33 +0200 +Subject: staging: gpib: Fix error handling paths in cb_gpib_probe() + +From: Christophe JAILLET + +[ Upstream commit 1b0ee85ee7967a4d7a68080c3f6a66af69e4e0b4 ] + +If cb_gpib_config() fails, 'info' needs to be freed, as already done in the +remove function. + +While at it, remove a pointless comment related to gpib_attach(). + +Fixes: e9dc69956d4d ("staging: gpib: Add Computer Boards GPIB driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/bf89d6f2f8b8c680720d02061fc4ebdd805deca8.1751709098.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/gpib/cb7210/cb7210.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/gpib/cb7210/cb7210.c b/drivers/staging/gpib/cb7210/cb7210.c +index 6b22a33a8c4f..e6465331ffd0 100644 +--- a/drivers/staging/gpib/cb7210/cb7210.c ++++ b/drivers/staging/gpib/cb7210/cb7210.c +@@ -1183,8 +1183,7 @@ struct local_info { + static int cb_gpib_probe(struct pcmcia_device *link) + { + struct local_info *info; +- +-// int ret, i; ++ int ret; + + /* Allocate space for private device-specific data */ + info = kzalloc(sizeof(*info), GFP_KERNEL); +@@ -1210,8 +1209,16 @@ static int cb_gpib_probe(struct pcmcia_device *link) + + /* Register with Card Services */ + curr_dev = link; +- return cb_gpib_config(link); +-} /* gpib_attach */ ++ ret = cb_gpib_config(link); ++ if (ret) ++ goto free_info; ++ ++ return 0; ++ ++free_info: ++ kfree(info); ++ return ret; ++} + + /* + * This deletes a driver "instance". The device is de-registered +-- +2.39.5 + diff --git a/queue-6.15/staging-greybus-gbphy-fix-up-const-issue-with-the-ma.patch b/queue-6.15/staging-greybus-gbphy-fix-up-const-issue-with-the-ma.patch new file mode 100644 index 0000000000..6d636f96af --- /dev/null +++ b/queue-6.15/staging-greybus-gbphy-fix-up-const-issue-with-the-ma.patch @@ -0,0 +1,52 @@ +From a67b9224af939b83ff557c9193a92dc71cb921c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 13:06:16 +0200 +Subject: staging: greybus: gbphy: fix up const issue with the match callback + +From: Greg Kroah-Hartman + +[ Upstream commit ce32eff1cf3ae8ac2596171dd0af1657634c83eb ] + +gbphy_dev_match_id() should be taking a const pointer, as the pointer +passed to it from the container_of() call was const to start with (it +was accidentally cast away with the call.) Fix this all up by correctly +marking the pointer types. + +Cc: Alex Elder +Cc: greybus-dev@lists.linaro.org +Fixes: d69d80484598 ("driver core: have match() callback in struct bus_type take a const *") +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/2025070115-reoccupy-showy-e2ad@gregkh +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/greybus/gbphy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/greybus/gbphy.c b/drivers/staging/greybus/gbphy.c +index 6adcad286633..60cf09a302a7 100644 +--- a/drivers/staging/greybus/gbphy.c ++++ b/drivers/staging/greybus/gbphy.c +@@ -102,8 +102,8 @@ static int gbphy_dev_uevent(const struct device *dev, struct kobj_uevent_env *en + } + + static const struct gbphy_device_id * +-gbphy_dev_match_id(struct gbphy_device *gbphy_dev, +- struct gbphy_driver *gbphy_drv) ++gbphy_dev_match_id(const struct gbphy_device *gbphy_dev, ++ const struct gbphy_driver *gbphy_drv) + { + const struct gbphy_device_id *id = gbphy_drv->id_table; + +@@ -119,7 +119,7 @@ gbphy_dev_match_id(struct gbphy_device *gbphy_dev, + + static int gbphy_dev_match(struct device *dev, const struct device_driver *drv) + { +- struct gbphy_driver *gbphy_drv = to_gbphy_driver(drv); ++ const struct gbphy_driver *gbphy_drv = to_gbphy_driver(drv); + struct gbphy_device *gbphy_dev = to_gbphy_dev(dev); + const struct gbphy_device_id *id; + +-- +2.39.5 + diff --git a/queue-6.15/staging-media-atomisp-fix-stack-buffer-overflow-in-g.patch b/queue-6.15/staging-media-atomisp-fix-stack-buffer-overflow-in-g.patch new file mode 100644 index 0000000000..edf89fa89a --- /dev/null +++ b/queue-6.15/staging-media-atomisp-fix-stack-buffer-overflow-in-g.patch @@ -0,0 +1,79 @@ +From f7168faa02d97256794e75e3a98cb67bf76d9b53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jul 2025 01:08:05 -0700 +Subject: staging: media: atomisp: Fix stack buffer overflow in + gmin_get_var_int() + +From: Kees Cook + +[ Upstream commit ee4cf798202d285dcbe85e4467a094c44f5ed8e6 ] + +When gmin_get_config_var() calls efi.get_variable() and the EFI variable +is larger than the expected buffer size, two behaviors combine to create +a stack buffer overflow: + +1. gmin_get_config_var() does not return the proper error code when + efi.get_variable() fails. It returns the stale 'ret' value from + earlier operations instead of indicating the EFI failure. + +2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates + *out_len to the required buffer size but writes no data to the output + buffer. However, due to bug #1, gmin_get_var_int() believes the call + succeeded. + +The caller gmin_get_var_int() then performs: +- Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack +- Calls gmin_get_config_var(dev, is_gmin, var, val, &len) with len=64 +- If EFI variable is >64 bytes, efi.get_variable() sets len=required_size +- Due to bug #1, thinks call succeeded with len=required_size +- Executes val[len] = 0, writing past end of 65-byte stack buffer + +This creates a stack buffer overflow when EFI variables are larger than +64 bytes. Since EFI variables can be controlled by firmware or system +configuration, this could potentially be exploited for code execution. + +Fix the bug by returning proper error codes from gmin_get_config_var() +based on EFI status instead of stale 'ret' value. + +The gmin_get_var_int() function is called during device initialization +for camera sensor configuration on Intel Bay Trail and Cherry Trail +platforms using the atomisp camera stack. + +Reported-by: zepta +Closes: https://lore.kernel.org/all/CAPBS6KoQyM7FMdPwOuXteXsOe44X4H3F8Fw+y_qWq6E+OdmxQA@mail.gmail.com +Fixes: 38d4f74bc148 ("media: atomisp_gmin_platform: stop abusing efivar API") +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20250724080756.work.741-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + .../staging/media/atomisp/pci/atomisp_gmin_platform.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c +index e176483df301..b86494faa63a 100644 +--- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c +@@ -1358,14 +1358,15 @@ static int gmin_get_config_var(struct device *maindev, + if (efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) + status = efi.get_variable(var16, &GMIN_CFG_VAR_EFI_GUID, NULL, + (unsigned long *)out_len, out); +- if (status == EFI_SUCCESS) ++ if (status == EFI_SUCCESS) { + dev_info(maindev, "found EFI entry for '%s'\n", var8); +- else if (is_gmin) ++ return 0; ++ } ++ if (is_gmin) + dev_info(maindev, "Failed to find EFI gmin variable %s\n", var8); + else + dev_info(maindev, "Failed to find EFI variable %s\n", var8); +- +- return ret; ++ return -ENOENT; + } + + int gmin_get_var_int(struct device *dev, bool is_gmin, const char *var, int def) +-- +2.39.5 + diff --git a/queue-6.15/staging-nvec-fix-incorrect-null-termination-of-batte.patch b/queue-6.15/staging-nvec-fix-incorrect-null-termination-of-batte.patch new file mode 100644 index 0000000000..bfa27dd7c7 --- /dev/null +++ b/queue-6.15/staging-nvec-fix-incorrect-null-termination-of-batte.patch @@ -0,0 +1,41 @@ +From 272343b9d37c47c4157cd6e7e612e109fde5b595 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jul 2025 01:07:42 -0700 +Subject: staging: nvec: Fix incorrect null termination of battery manufacturer + +From: Alok Tiwari + +[ Upstream commit a8934352ba01081c51d2df428e9d540aae0e88b5 ] + +The battery manufacturer string was incorrectly null terminated using +bat_model instead of bat_manu. This could result in an unintended +write to the wrong field and potentially incorrect behavior. + +fixe the issue by correctly null terminating the bat_manu string. + +Fixes: 32890b983086 ("Staging: initial version of the nvec driver") +Signed-off-by: Alok Tiwari +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20250719080755.3954373-1-alok.a.tiwari@oracle.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/nvec/nvec_power.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/nvec/nvec_power.c b/drivers/staging/nvec/nvec_power.c +index e0e67a3eb722..2faab9fdedef 100644 +--- a/drivers/staging/nvec/nvec_power.c ++++ b/drivers/staging/nvec/nvec_power.c +@@ -194,7 +194,7 @@ static int nvec_power_bat_notifier(struct notifier_block *nb, + break; + case MANUFACTURER: + memcpy(power->bat_manu, &res->plc, res->length - 2); +- power->bat_model[res->length - 2] = '\0'; ++ power->bat_manu[res->length - 2] = '\0'; + break; + case MODEL: + memcpy(power->bat_model, &res->plc, res->length - 2); +-- +2.39.5 + diff --git a/queue-6.15/stmmac-xsk-fix-negative-overflow-of-budget-in-zeroco.patch b/queue-6.15/stmmac-xsk-fix-negative-overflow-of-budget-in-zeroco.patch new file mode 100644 index 0000000000..7525b1cb8b --- /dev/null +++ b/queue-6.15/stmmac-xsk-fix-negative-overflow-of-budget-in-zeroco.patch @@ -0,0 +1,46 @@ +From 3c9c54428e18f186d99ea4234ca07664f947edc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 22:23:26 +0800 +Subject: stmmac: xsk: fix negative overflow of budget in zerocopy mode + +From: Jason Xing + +[ Upstream commit 2764ab51d5f0e8c7d3b7043af426b1883e3bde1d ] + +A negative overflow can happen when the budget number of descs are +consumed. as long as the budget is decreased to zero, it will again go +into while (budget-- > 0) statement and get decreased by one, so the +overflow issue can happen. It will lead to returning true whereas the +expected value should be false. + +In this case where all the budget is used up, it means zc function +should return false to let the poll run again because normally we +might have more data to process. Without this patch, zc function would +return true instead. + +Fixes: 132c32ee5bc0 ("net: stmmac: Add TX via XDP zero-copy socket") +Signed-off-by: Jason Xing +Reviewed-by: Aleksandr Loktionov +Link: https://patch.msgid.link/20250723142327.85187-2-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 1d716cee0cb1..77f800df6f37 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2585,7 +2585,7 @@ static bool stmmac_xdp_xmit_zc(struct stmmac_priv *priv, u32 queue, u32 budget) + + budget = min(budget, stmmac_tx_avail(priv, queue)); + +- while (budget-- > 0) { ++ for (; budget > 0; budget--) { + struct stmmac_metadata_request meta_req; + struct xsk_tx_metadata *meta = NULL; + dma_addr_t dma_addr; +-- +2.39.5 + diff --git a/queue-6.15/tcp-call-tcp_measure_rcv_mss-for-ooo-packets.patch b/queue-6.15/tcp-call-tcp_measure_rcv_mss-for-ooo-packets.patch new file mode 100644 index 0000000000..1a301bd07b --- /dev/null +++ b/queue-6.15/tcp-call-tcp_measure_rcv_mss-for-ooo-packets.patch @@ -0,0 +1,42 @@ +From edd665633dd275424313790ef7759965bc56c52b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 11:40:02 +0000 +Subject: tcp: call tcp_measure_rcv_mss() for ooo packets + +From: Eric Dumazet + +[ Upstream commit 38d7e444336567bae1c7b21fc18b7ceaaa5643a0 ] + +tcp_measure_rcv_mss() is used to update icsk->icsk_ack.rcv_mss +(tcpi_rcv_mss in tcp_info) and tp->scaling_ratio. + +Calling it from tcp_data_queue_ofo() makes sure these +fields are updated, and permits a better tuning +of sk->sk_rcvbuf, in the case a new flow receives many ooo +packets. + +Fixes: dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale") +Signed-off-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250711114006.480026-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index e75ee9023674..ca24c2ea359b 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5056,6 +5056,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb) + return; + } + ++ tcp_measure_rcv_mss(sk, skb); + /* Disable header prediction. */ + tp->pred_flags = 0; + inet_csk_schedule_ack(sk); +-- +2.39.5 + diff --git a/queue-6.15/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch b/queue-6.15/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch new file mode 100644 index 0000000000..6263ab30f9 --- /dev/null +++ b/queue-6.15/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch @@ -0,0 +1,56 @@ +From 118cf9fb40af73ce262da990769a71f61edaa971 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 12:34:19 +0000 +Subject: tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range + +From: xin.guo + +[ Upstream commit a041f70e573e185d5d5fdbba53f0db2fbe7257ad ] + +If the new coming segment covers more than one skbs in the ofo queue, +and which seq is equal to rcv_nxt, then the sequence range +that is duplicated will be sent as DUP SACK, the detail as below, +in step6, the {501,2001} range is clearly including too much +DUP SACK range, in violation of RFC 2883 rules. + +1. client > server: Flags [.], seq 501:1001, ack 1325288529, win 20000, length 500 +2. server > client: Flags [.], ack 1, [nop,nop,sack 1 {501:1001}], length 0 +3. client > server: Flags [.], seq 1501:2001, ack 1325288529, win 20000, length 500 +4. server > client: Flags [.], ack 1, [nop,nop,sack 2 {1501:2001} {501:1001}], length 0 +5. client > server: Flags [.], seq 1:2001, ack 1325288529, win 20000, length 2000 +6. server > client: Flags [.], ack 2001, [nop,nop,sack 1 {501:2001}], length 0 + +After this fix, the final ACK is as below: + +6. server > client: Flags [.], ack 2001, options [nop,nop,sack 1 {501:1001}], length 0 + +[edumazet] added a new packetdrill test in the following patch. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: xin.guo +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250626123420.1933835-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index bce2a111cc9e..e75ee9023674 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4986,8 +4986,9 @@ static void tcp_ofo_queue(struct sock *sk) + + if (before(TCP_SKB_CB(skb)->seq, dsack_high)) { + __u32 dsack = dsack_high; ++ + if (before(TCP_SKB_CB(skb)->end_seq, dsack_high)) +- dsack_high = TCP_SKB_CB(skb)->end_seq; ++ dsack = TCP_SKB_CB(skb)->end_seq; + tcp_dsack_extend(sk, TCP_SKB_CB(skb)->seq, dsack); + } + p = rb_next(p); +-- +2.39.5 + diff --git a/queue-6.15/team-replace-team-lock-with-rtnl-lock.patch b/queue-6.15/team-replace-team-lock-with-rtnl-lock.patch new file mode 100644 index 0000000000..dc952837f1 --- /dev/null +++ b/queue-6.15/team-replace-team-lock-with-rtnl-lock.patch @@ -0,0 +1,425 @@ +From cfa96566614b6a55a8a5e0f4680c6afe2d436c81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 08:31:47 -0700 +Subject: team: replace team lock with rtnl lock + +From: Stanislav Fomichev + +[ Upstream commit bfb4fb77f9a8ce33ce357224569eae5564eec573 ] + +syszbot reports various ordering issues for lower instance locks and +team lock. Switch to using rtnl lock for protecting team device, +similar to bonding. Based on the patch by Tetsuo Handa. + +Cc: Jiri Pirko +Cc: Tetsuo Handa +Reported-by: syzbot+705c61d60b091ef42c04@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=705c61d60b091ef42c04 +Reported-by: syzbot+71fd22ae4b81631e22fd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=71fd22ae4b81631e22fd +Fixes: 6b1d3c5f675c ("team: grab team lock during team_change_rx_flags") +Link: https://lkml.kernel.org/r/ZoZ2RH9BcahEB9Sb@nanopsycho.orion +Signed-off-by: Stanislav Fomichev +Link: https://patch.msgid.link/20250623153147.3413631-1-sdf@fomichev.me +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/team/team_core.c | 96 +++++++++++------------ + drivers/net/team/team_mode_activebackup.c | 3 +- + drivers/net/team/team_mode_loadbalance.c | 13 ++- + include/linux/if_team.h | 3 - + 4 files changed, 50 insertions(+), 65 deletions(-) + +diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c +index b75ceb90359f..94fc7eec4fca 100644 +--- a/drivers/net/team/team_core.c ++++ b/drivers/net/team/team_core.c +@@ -933,7 +933,7 @@ static bool team_port_find(const struct team *team, + * Enable/disable port by adding to enabled port hashlist and setting + * port->index (Might be racy so reader could see incorrect ifindex when + * processing a flying packet, but that is not a problem). Write guarded +- * by team->lock. ++ * by RTNL. + */ + static void team_port_enable(struct team *team, + struct team_port *port) +@@ -1660,8 +1660,6 @@ static int team_init(struct net_device *dev) + goto err_options_register; + netif_carrier_off(dev); + +- lockdep_register_key(&team->team_lock_key); +- __mutex_init(&team->lock, "team->team_lock_key", &team->team_lock_key); + netdev_lockdep_set_classes(dev); + + return 0; +@@ -1682,7 +1680,8 @@ static void team_uninit(struct net_device *dev) + struct team_port *port; + struct team_port *tmp; + +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + list_for_each_entry_safe(port, tmp, &team->port_list, list) + team_port_del(team, port->dev); + +@@ -1691,9 +1690,7 @@ static void team_uninit(struct net_device *dev) + team_mcast_rejoin_fini(team); + team_notify_peers_fini(team); + team_queue_override_fini(team); +- mutex_unlock(&team->lock); + netdev_change_features(dev); +- lockdep_unregister_key(&team->team_lock_key); + } + + static void team_destructor(struct net_device *dev) +@@ -1778,7 +1775,8 @@ static void team_change_rx_flags(struct net_device *dev, int change) + struct team_port *port; + int inc; + +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + list_for_each_entry(port, &team->port_list, list) { + if (change & IFF_PROMISC) { + inc = dev->flags & IFF_PROMISC ? 1 : -1; +@@ -1789,7 +1787,6 @@ static void team_change_rx_flags(struct net_device *dev, int change) + dev_set_allmulti(port->dev, inc); + } + } +- mutex_unlock(&team->lock); + } + + static void team_set_rx_mode(struct net_device *dev) +@@ -1811,14 +1808,14 @@ static int team_set_mac_address(struct net_device *dev, void *p) + struct team *team = netdev_priv(dev); + struct team_port *port; + ++ ASSERT_RTNL(); ++ + if (dev->type == ARPHRD_ETHER && !is_valid_ether_addr(addr->sa_data)) + return -EADDRNOTAVAIL; + dev_addr_set(dev, addr->sa_data); +- mutex_lock(&team->lock); + list_for_each_entry(port, &team->port_list, list) + if (team->ops.port_change_dev_addr) + team->ops.port_change_dev_addr(team, port); +- mutex_unlock(&team->lock); + return 0; + } + +@@ -1828,11 +1825,8 @@ static int team_change_mtu(struct net_device *dev, int new_mtu) + struct team_port *port; + int err; + +- /* +- * Alhough this is reader, it's guarded by team lock. It's not possible +- * to traverse list in reverse under rcu_read_lock +- */ +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + team->port_mtu_change_allowed = true; + list_for_each_entry(port, &team->port_list, list) { + err = dev_set_mtu(port->dev, new_mtu); +@@ -1843,7 +1837,6 @@ static int team_change_mtu(struct net_device *dev, int new_mtu) + } + } + team->port_mtu_change_allowed = false; +- mutex_unlock(&team->lock); + + WRITE_ONCE(dev->mtu, new_mtu); + +@@ -1853,7 +1846,6 @@ static int team_change_mtu(struct net_device *dev, int new_mtu) + list_for_each_entry_continue_reverse(port, &team->port_list, list) + dev_set_mtu(port->dev, dev->mtu); + team->port_mtu_change_allowed = false; +- mutex_unlock(&team->lock); + + return err; + } +@@ -1903,24 +1895,19 @@ static int team_vlan_rx_add_vid(struct net_device *dev, __be16 proto, u16 vid) + struct team_port *port; + int err; + +- /* +- * Alhough this is reader, it's guarded by team lock. It's not possible +- * to traverse list in reverse under rcu_read_lock +- */ +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + list_for_each_entry(port, &team->port_list, list) { + err = vlan_vid_add(port->dev, proto, vid); + if (err) + goto unwind; + } +- mutex_unlock(&team->lock); + + return 0; + + unwind: + list_for_each_entry_continue_reverse(port, &team->port_list, list) + vlan_vid_del(port->dev, proto, vid); +- mutex_unlock(&team->lock); + + return err; + } +@@ -1930,10 +1917,10 @@ static int team_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid) + struct team *team = netdev_priv(dev); + struct team_port *port; + +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + list_for_each_entry(port, &team->port_list, list) + vlan_vid_del(port->dev, proto, vid); +- mutex_unlock(&team->lock); + + return 0; + } +@@ -1955,9 +1942,9 @@ static void team_netpoll_cleanup(struct net_device *dev) + { + struct team *team = netdev_priv(dev); + +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + __team_netpoll_cleanup(team); +- mutex_unlock(&team->lock); + } + + static int team_netpoll_setup(struct net_device *dev) +@@ -1966,7 +1953,8 @@ static int team_netpoll_setup(struct net_device *dev) + struct team_port *port; + int err = 0; + +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + list_for_each_entry(port, &team->port_list, list) { + err = __team_port_enable_netpoll(port); + if (err) { +@@ -1974,7 +1962,6 @@ static int team_netpoll_setup(struct net_device *dev) + break; + } + } +- mutex_unlock(&team->lock); + return err; + } + #endif +@@ -1985,9 +1972,9 @@ static int team_add_slave(struct net_device *dev, struct net_device *port_dev, + struct team *team = netdev_priv(dev); + int err; + +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + err = team_port_add(team, port_dev, extack); +- mutex_unlock(&team->lock); + + if (!err) + netdev_change_features(dev); +@@ -2000,18 +1987,13 @@ static int team_del_slave(struct net_device *dev, struct net_device *port_dev) + struct team *team = netdev_priv(dev); + int err; + +- mutex_lock(&team->lock); ++ ASSERT_RTNL(); ++ + err = team_port_del(team, port_dev); +- mutex_unlock(&team->lock); + + if (err) + return err; + +- if (netif_is_team_master(port_dev)) { +- lockdep_unregister_key(&team->team_lock_key); +- lockdep_register_key(&team->team_lock_key); +- lockdep_set_class(&team->lock, &team->team_lock_key); +- } + netdev_change_features(dev); + + return err; +@@ -2304,9 +2286,10 @@ int team_nl_noop_doit(struct sk_buff *skb, struct genl_info *info) + static struct team *team_nl_team_get(struct genl_info *info) + { + struct net *net = genl_info_net(info); +- int ifindex; + struct net_device *dev; +- struct team *team; ++ int ifindex; ++ ++ ASSERT_RTNL(); + + if (!info->attrs[TEAM_ATTR_TEAM_IFINDEX]) + return NULL; +@@ -2318,14 +2301,11 @@ static struct team *team_nl_team_get(struct genl_info *info) + return NULL; + } + +- team = netdev_priv(dev); +- mutex_lock(&team->lock); +- return team; ++ return netdev_priv(dev); + } + + static void team_nl_team_put(struct team *team) + { +- mutex_unlock(&team->lock); + dev_put(team->dev); + } + +@@ -2515,9 +2495,13 @@ int team_nl_options_get_doit(struct sk_buff *skb, struct genl_info *info) + int err; + LIST_HEAD(sel_opt_inst_list); + ++ rtnl_lock(); ++ + team = team_nl_team_get(info); +- if (!team) +- return -EINVAL; ++ if (!team) { ++ err = -EINVAL; ++ goto rtnl_unlock; ++ } + + list_for_each_entry(opt_inst, &team->option_inst_list, list) + list_add_tail(&opt_inst->tmp_list, &sel_opt_inst_list); +@@ -2527,6 +2511,9 @@ int team_nl_options_get_doit(struct sk_buff *skb, struct genl_info *info) + + team_nl_team_put(team); + ++rtnl_unlock: ++ rtnl_unlock(); ++ + return err; + } + +@@ -2805,15 +2792,22 @@ int team_nl_port_list_get_doit(struct sk_buff *skb, + struct team *team; + int err; + ++ rtnl_lock(); ++ + team = team_nl_team_get(info); +- if (!team) +- return -EINVAL; ++ if (!team) { ++ err = -EINVAL; ++ goto rtnl_unlock; ++ } + + err = team_nl_send_port_list_get(team, info->snd_portid, info->snd_seq, + NLM_F_ACK, team_nl_send_unicast, NULL); + + team_nl_team_put(team); + ++rtnl_unlock: ++ rtnl_unlock(); ++ + return err; + } + +@@ -2961,11 +2955,9 @@ static void __team_port_change_port_removed(struct team_port *port) + + static void team_port_change_check(struct team_port *port, bool linkup) + { +- struct team *team = port->team; ++ ASSERT_RTNL(); + +- mutex_lock(&team->lock); + __team_port_change_check(port, linkup); +- mutex_unlock(&team->lock); + } + + +diff --git a/drivers/net/team/team_mode_activebackup.c b/drivers/net/team/team_mode_activebackup.c +index e0f599e2a51d..1c3336c7a1b2 100644 +--- a/drivers/net/team/team_mode_activebackup.c ++++ b/drivers/net/team/team_mode_activebackup.c +@@ -67,8 +67,7 @@ static void ab_active_port_get(struct team *team, struct team_gsetter_ctx *ctx) + { + struct team_port *active_port; + +- active_port = rcu_dereference_protected(ab_priv(team)->active_port, +- lockdep_is_held(&team->lock)); ++ active_port = rtnl_dereference(ab_priv(team)->active_port); + if (active_port) + ctx->data.u32_val = active_port->dev->ifindex; + else +diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c +index 00f8989c29c0..b14538bde2f8 100644 +--- a/drivers/net/team/team_mode_loadbalance.c ++++ b/drivers/net/team/team_mode_loadbalance.c +@@ -301,8 +301,7 @@ static int lb_bpf_func_set(struct team *team, struct team_gsetter_ctx *ctx) + if (lb_priv->ex->orig_fprog) { + /* Clear old filter data */ + __fprog_destroy(lb_priv->ex->orig_fprog); +- orig_fp = rcu_dereference_protected(lb_priv->fp, +- lockdep_is_held(&team->lock)); ++ orig_fp = rtnl_dereference(lb_priv->fp); + } + + rcu_assign_pointer(lb_priv->fp, fp); +@@ -324,8 +323,7 @@ static void lb_bpf_func_free(struct team *team) + return; + + __fprog_destroy(lb_priv->ex->orig_fprog); +- fp = rcu_dereference_protected(lb_priv->fp, +- lockdep_is_held(&team->lock)); ++ fp = rtnl_dereference(lb_priv->fp); + bpf_prog_destroy(fp); + } + +@@ -335,8 +333,7 @@ static void lb_tx_method_get(struct team *team, struct team_gsetter_ctx *ctx) + lb_select_tx_port_func_t *func; + char *name; + +- func = rcu_dereference_protected(lb_priv->select_tx_port_func, +- lockdep_is_held(&team->lock)); ++ func = rtnl_dereference(lb_priv->select_tx_port_func); + name = lb_select_tx_port_get_name(func); + BUG_ON(!name); + ctx->data.str_val = name; +@@ -478,7 +475,7 @@ static void lb_stats_refresh(struct work_struct *work) + team = lb_priv_ex->team; + lb_priv = get_lb_priv(team); + +- if (!mutex_trylock(&team->lock)) { ++ if (!rtnl_trylock()) { + schedule_delayed_work(&lb_priv_ex->stats.refresh_dw, 0); + return; + } +@@ -515,7 +512,7 @@ static void lb_stats_refresh(struct work_struct *work) + schedule_delayed_work(&lb_priv_ex->stats.refresh_dw, + (lb_priv_ex->stats.refresh_interval * HZ) / 10); + +- mutex_unlock(&team->lock); ++ rtnl_unlock(); + } + + static void lb_stats_refresh_interval_get(struct team *team, +diff --git a/include/linux/if_team.h b/include/linux/if_team.h +index cdc684e04a2f..ce97d891cf72 100644 +--- a/include/linux/if_team.h ++++ b/include/linux/if_team.h +@@ -191,8 +191,6 @@ struct team { + + const struct header_ops *header_ops_cache; + +- struct mutex lock; /* used for overall locking, e.g. port lists write */ +- + /* + * List of enabled ports and their count + */ +@@ -223,7 +221,6 @@ struct team { + atomic_t count_pending; + struct delayed_work dw; + } mcast_rejoin; +- struct lock_class_key team_lock_key; + long mode_priv[TEAM_MODE_PRIV_LONGS]; + }; + +-- +2.39.5 + diff --git a/queue-6.15/tools-rv-do-not-skip-idle-in-trace.patch b/queue-6.15/tools-rv-do-not-skip-idle-in-trace.patch new file mode 100644 index 0000000000..e63c94f9e8 --- /dev/null +++ b/queue-6.15/tools-rv-do-not-skip-idle-in-trace.patch @@ -0,0 +1,55 @@ +From 989cc08b11756d7192faae3e6701773c6d34d319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 18:12:36 +0200 +Subject: tools/rv: Do not skip idle in trace + +From: Gabriele Monaco + +[ Upstream commit f60227f3448911b682c45041c3fbd94f6d3b15a2 ] + +Currently, the userspace RV tool skips trace events triggered by the RV +tool itself, this can be changed by passing the parameter -s, which sets +the variable config_my_pid to 0 (instead of the tool's PID). +This has the side effect of skipping events generated by idle (PID 0). + +Set config_my_pid to -1 (an invalid pid) to avoid skipping idle. + +Cc: Nam Cao +Cc: Tomas Glozar +Cc: Juri Lelli +Cc: Clark Williams +Cc: John Kacur +Link: https://lore.kernel.org/20250723161240.194860-2-gmonaco@redhat.com +Fixes: 6d60f89691fc ("tools/rv: Add in-kernel monitor interface") +Signed-off-by: Gabriele Monaco +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + tools/verification/rv/src/in_kernel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/verification/rv/src/in_kernel.c b/tools/verification/rv/src/in_kernel.c +index c0dcee795c0d..4bb746ea6e17 100644 +--- a/tools/verification/rv/src/in_kernel.c ++++ b/tools/verification/rv/src/in_kernel.c +@@ -431,7 +431,7 @@ ikm_event_handler(struct trace_seq *s, struct tep_record *record, + + if (config_has_id && (config_my_pid == id)) + return 0; +- else if (config_my_pid && (config_my_pid == pid)) ++ else if (config_my_pid == pid) + return 0; + + tep_print_event(trace_event->tep, s, record, "%16s-%-8d [%.3d] ", +@@ -734,7 +734,7 @@ static int parse_arguments(char *monitor_name, int argc, char **argv) + config_reactor = optarg; + break; + case 's': +- config_my_pid = 0; ++ config_my_pid = -1; + break; + case 't': + config_trace = 1; +-- +2.39.5 + diff --git a/queue-6.15/tools-subcmd-tighten-the-filename-size-in-check_if_c.patch b/queue-6.15/tools-subcmd-tighten-the-filename-size-in-check_if_c.patch new file mode 100644 index 0000000000..e8847d3465 --- /dev/null +++ b/queue-6.15/tools-subcmd-tighten-the-filename-size-in-check_if_c.patch @@ -0,0 +1,68 @@ +From f4f5b027b001b6c9f6877a5b5dfb137e9f97d972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 08:08:53 -0700 +Subject: tools subcmd: Tighten the filename size in check_if_command_finished + +From: Ian Rogers + +[ Upstream commit 478272d1cdd9959a6d638e9d81f70642f04290c9 ] + +FILENAME_MAX is often PATH_MAX (4kb), far more than needed for the +/proc path. Make the buffer size sufficient for the maximum integer +plus "/proc/" and "/status" with a '\0' terminator. + +Fixes: 5ce42b5de461 ("tools subcmd: Add non-waitpid check_if_command_finished()") +Signed-off-by: Ian Rogers +Link: https://lore.kernel.org/r/20250717150855.1032526-1-irogers@google.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/lib/subcmd/run-command.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/subcmd/run-command.c b/tools/lib/subcmd/run-command.c +index 0a764c25c384..b7510f83209a 100644 +--- a/tools/lib/subcmd/run-command.c ++++ b/tools/lib/subcmd/run-command.c +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -216,10 +217,20 @@ static int wait_or_whine(struct child_process *cmd, bool block) + return result; + } + ++/* ++ * Conservative estimate of number of characaters needed to hold an a decoded ++ * integer, assume each 3 bits needs a character byte and plus a possible sign ++ * character. ++ */ ++#ifndef is_signed_type ++#define is_signed_type(type) (((type)(-1)) < (type)1) ++#endif ++#define MAX_STRLEN_TYPE(type) (sizeof(type) * 8 / 3 + (is_signed_type(type) ? 1 : 0)) ++ + int check_if_command_finished(struct child_process *cmd) + { + #ifdef __linux__ +- char filename[FILENAME_MAX + 12]; ++ char filename[6 + MAX_STRLEN_TYPE(typeof(cmd->pid)) + 7 + 1]; + char status_line[256]; + FILE *status_file; + +@@ -227,7 +238,7 @@ int check_if_command_finished(struct child_process *cmd) + * Check by reading /proc//status as calling waitpid causes + * stdout/stderr to be closed and data lost. + */ +- sprintf(filename, "/proc/%d/status", cmd->pid); ++ sprintf(filename, "/proc/%u/status", cmd->pid); + status_file = fopen(filename, "r"); + if (status_file == NULL) { + /* Open failed assume finish_command was called. */ +-- +2.39.5 + diff --git a/queue-6.15/tracing-use-queue_rcu_work-to-free-filters.patch b/queue-6.15/tracing-use-queue_rcu_work-to-free-filters.patch new file mode 100644 index 0000000000..099f096b08 --- /dev/null +++ b/queue-6.15/tracing-use-queue_rcu_work-to-free-filters.patch @@ -0,0 +1,112 @@ +From 1a7e69cedb90897591d11b890ae34194936ef4f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 13:17:32 -0400 +Subject: tracing: Use queue_rcu_work() to free filters + +From: Steven Rostedt + +[ Upstream commit 3aceaa539cfe3a2e62bd92e6697d9fae1c20c0be ] + +Freeing of filters requires to wait for both an RCU grace period as well as +a RCU task trace wait period after they have been detached from their +lists. The trace task period can be quite large so the freeing of the +filters was moved to use the call_rcu*() routines. The problem with that is +that the callback functions of call_rcu*() is done from a soft irq and can +cause latencies if the callback takes a bit of time. + +The filters are freed per event in a system and the syscalls system +contains an event per system call, which can be over 700 events. Freeing 700 +filters in a bottom half is undesirable. + +Instead, move the freeing to use queue_rcu_work() which is done in task +context. + +Link: https://lore.kernel.org/all/9a2f0cd0-1561-4206-8966-f93ccd25927f@paulmck-laptop/ + +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20250609131732.04fd303b@gandalf.local.home +Fixes: a9d0aab5eb33 ("tracing: Fix regression of filter waiting a long time on RCU synchronization") +Suggested-by: "Paul E. McKenney" +Reviewed-by: Paul E. McKenney +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_filter.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c +index cca676f651b1..8fc5323a2ed3 100644 +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -1342,13 +1342,14 @@ struct filter_list { + + struct filter_head { + struct list_head list; +- struct rcu_head rcu; ++ union { ++ struct rcu_head rcu; ++ struct rcu_work rwork; ++ }; + }; + +- +-static void free_filter_list(struct rcu_head *rhp) ++static void free_filter_list(struct filter_head *filter_list) + { +- struct filter_head *filter_list = container_of(rhp, struct filter_head, rcu); + struct filter_list *filter_item, *tmp; + + list_for_each_entry_safe(filter_item, tmp, &filter_list->list, list) { +@@ -1359,9 +1360,20 @@ static void free_filter_list(struct rcu_head *rhp) + kfree(filter_list); + } + ++static void free_filter_list_work(struct work_struct *work) ++{ ++ struct filter_head *filter_list; ++ ++ filter_list = container_of(to_rcu_work(work), struct filter_head, rwork); ++ free_filter_list(filter_list); ++} ++ + static void free_filter_list_tasks(struct rcu_head *rhp) + { +- call_rcu(rhp, free_filter_list); ++ struct filter_head *filter_list = container_of(rhp, struct filter_head, rcu); ++ ++ INIT_RCU_WORK(&filter_list->rwork, free_filter_list_work); ++ queue_rcu_work(system_wq, &filter_list->rwork); + } + + /* +@@ -1458,7 +1470,7 @@ static void filter_free_subsystem_filters(struct trace_subsystem_dir *dir, + tracepoint_synchronize_unregister(); + + if (head) +- free_filter_list(&head->rcu); ++ free_filter_list(head); + + list_for_each_entry(file, &tr->events, list) { + if (file->system != dir || !file->filter) +@@ -2303,7 +2315,7 @@ static int process_system_preds(struct trace_subsystem_dir *dir, + return 0; + fail: + /* No call succeeded */ +- free_filter_list(&filter_list->rcu); ++ free_filter_list(filter_list); + parse_error(pe, FILT_ERR_BAD_SUBSYS_FILTER, 0); + return -EINVAL; + fail_mem: +@@ -2313,7 +2325,7 @@ static int process_system_preds(struct trace_subsystem_dir *dir, + if (!fail) + delay_free_filter(filter_list); + else +- free_filter_list(&filter_list->rcu); ++ free_filter_list(filter_list); + + return -ENOMEM; + } +-- +2.39.5 + diff --git a/queue-6.15/ublk-use-vmalloc-for-ublk_device-s-__queues.patch b/queue-6.15/ublk-use-vmalloc-for-ublk_device-s-__queues.patch new file mode 100644 index 0000000000..bda2a560d7 --- /dev/null +++ b/queue-6.15/ublk-use-vmalloc-for-ublk_device-s-__queues.patch @@ -0,0 +1,54 @@ +From 5c59d3d45d073482cc2e5bf515d2838965b1257b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:09:55 -0600 +Subject: ublk: use vmalloc for ublk_device's __queues + +From: Caleb Sander Mateos + +[ Upstream commit c2f48453b7806d41f5a3270f206a5cd5640ed207 ] + +struct ublk_device's __queues points to an allocation with up to +UBLK_MAX_NR_QUEUES (4096) queues, each of which have: +- struct ublk_queue (48 bytes) +- Tail array of up to UBLK_MAX_QUEUE_DEPTH (4096) struct ublk_io's, + 32 bytes each +This means the full allocation can exceed 512 MB, which may well be +impossible to service with contiguous physical pages. Switch to +kvcalloc() and kvfree(), since there is no need for physically +contiguous memory. + +Signed-off-by: Caleb Sander Mateos +Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20250620151008.3976463-2-csander@purestorage.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index 0e017eae97fb..066231e66f03 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -2373,7 +2373,7 @@ static void ublk_deinit_queues(struct ublk_device *ub) + + for (i = 0; i < nr_queues; i++) + ublk_deinit_queue(ub, i); +- kfree(ub->__queues); ++ kvfree(ub->__queues); + } + + static int ublk_init_queues(struct ublk_device *ub) +@@ -2384,7 +2384,7 @@ static int ublk_init_queues(struct ublk_device *ub) + int i, ret = -ENOMEM; + + ub->queue_size = ubq_size; +- ub->__queues = kcalloc(nr_queues, ubq_size, GFP_KERNEL); ++ ub->__queues = kvcalloc(nr_queues, ubq_size, GFP_KERNEL); + if (!ub->__queues) + return ret; + +-- +2.39.5 + diff --git a/queue-6.15/ucount-fix-atomic_long_inc_below-argument-type.patch b/queue-6.15/ucount-fix-atomic_long_inc_below-argument-type.patch new file mode 100644 index 0000000000..966a0ce29e --- /dev/null +++ b/queue-6.15/ucount-fix-atomic_long_inc_below-argument-type.patch @@ -0,0 +1,66 @@ +From 45b6f2491b07c572bed2624a77f5387f6f173746 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 19:45:57 +0200 +Subject: ucount: fix atomic_long_inc_below() argument type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uros Bizjak + +[ Upstream commit f8cd9193b62e92ad25def5370ca8ea2bc7585381 ] + +The type of u argument of atomic_long_inc_below() should be long to avoid +unwanted truncation to int. + +The patch fixes the wrong argument type of an internal function to +prevent unwanted argument truncation. It fixes an internal locking +primitive; it should not have any direct effect on userspace. + +Mark said + +: AFAICT there's no problem in practice because atomic_long_inc_below() +: is only used by inc_ucount(), and it looks like the value is +: constrained between 0 and INT_MAX. +: +: In inc_ucount() the limit value is taken from +: user_namespace::ucount_max[], and AFAICT that's only written by +: sysctls, to the table setup by setup_userns_sysctls(), where +: UCOUNT_ENTRY() limits the value between 0 and INT_MAX. +: +: This is certainly a cleanup, but there might be no functional issue in +: practice as above. + +Link: https://lkml.kernel.org/r/20250721174610.28361-1-ubizjak@gmail.com +Fixes: f9c82a4ea89c ("Increase size of ucounts to atomic_long_t") +Signed-off-by: Uros Bizjak +Reviewed-by: "Eric W. Biederman" +Cc: Sebastian Andrzej Siewior +Cc: "Paul E. McKenney" +Cc: Alexey Gladkov +Cc: Roman Gushchin +Cc: MengEn Sun +Cc: "Thomas Weißschuh" +Cc: Mark Rutland +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/ucount.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/ucount.c b/kernel/ucount.c +index 8686e329b8f2..f629db485a07 100644 +--- a/kernel/ucount.c ++++ b/kernel/ucount.c +@@ -199,7 +199,7 @@ void put_ucounts(struct ucounts *ucounts) + } + } + +-static inline bool atomic_long_inc_below(atomic_long_t *v, int u) ++static inline bool atomic_long_inc_below(atomic_long_t *v, long u) + { + long c, old; + c = atomic_long_read(v); +-- +2.39.5 + diff --git a/queue-6.15/um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch b/queue-6.15/um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch new file mode 100644 index 0000000000..99c92e52d8 --- /dev/null +++ b/queue-6.15/um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch @@ -0,0 +1,38 @@ +From 6f1f014beacacac0947a7a25243d837b7d32a0e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 17:04:03 +0800 +Subject: um: rtc: Avoid shadowing err in uml_rtc_start() + +From: Tiwei Bie + +[ Upstream commit 4c916e3b224a02019b3cc3983a15f32bfd9a22df ] + +Remove the declaration of 'err' inside the 'if (timetravel)' block, +as it would otherwise be unavailable outside that block, potentially +leading to uml_rtc_start() returning an uninitialized value. + +Fixes: dde8b58d5127 ("um: add a pseudo RTC") +Signed-off-by: Tiwei Bie +Link: https://patch.msgid.link/20250708090403.1067440-5-tiwei.bie@linux.dev +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/rtc_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/drivers/rtc_user.c b/arch/um/drivers/rtc_user.c +index 51e79f3148cd..67912fcf7b28 100644 +--- a/arch/um/drivers/rtc_user.c ++++ b/arch/um/drivers/rtc_user.c +@@ -28,7 +28,7 @@ int uml_rtc_start(bool timetravel) + int err; + + if (timetravel) { +- int err = os_pipe(uml_rtc_irq_fds, 1, 1); ++ err = os_pipe(uml_rtc_irq_fds, 1, 1); + if (err) + goto fail; + } else { +-- +2.39.5 + diff --git a/queue-6.15/usb-early-xhci-dbc-fix-early_ioremap-leak.patch b/queue-6.15/usb-early-xhci-dbc-fix-early_ioremap-leak.patch new file mode 100644 index 0000000000..85bd4b0421 --- /dev/null +++ b/queue-6.15/usb-early-xhci-dbc-fix-early_ioremap-leak.patch @@ -0,0 +1,56 @@ +From 6acf78d08b888b3db4f6cb9c825d27532c08a43a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 14:47:47 -0700 +Subject: usb: early: xhci-dbc: Fix early_ioremap leak + +From: Lucas De Marchi + +[ Upstream commit 2b7eec2ec3015f52fc74cf45d0408925e984ecd1 ] + +Using the kernel param earlyprintk=xdbc,keep without proper hardware +setup leads to this: + + [ ] xhci_dbc:early_xdbc_parse_parameter: dbgp_num: 0 + ... + [ ] xhci_dbc:early_xdbc_setup_hardware: failed to setup the connection to host + ... + [ ] calling kmemleak_late_init+0x0/0xa0 @ 1 + [ ] kmemleak: Kernel memory leak detector initialized (mem pool available: 14919) + [ ] kmemleak: Automatic memory scanning thread started + [ ] initcall kmemleak_late_init+0x0/0xa0 returned 0 after 417 usecs + [ ] calling check_early_ioremap_leak+0x0/0x70 @ 1 + [ ] ------------[ cut here ]------------ + [ ] Debug warning: early ioremap leak of 1 areas detected. + please boot with early_ioremap_debug and report the dmesg. + [ ] WARNING: CPU: 11 PID: 1 at mm/early_ioremap.c:90 check_early_ioremap_leak+0x4e/0x70 + +When early_xdbc_setup_hardware() fails, make sure to call +early_iounmap() since xdbc_init() won't handle it. + +Signed-off-by: Lucas De Marchi +Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability") +Link: https://lore.kernel.org/r/20250627-xdbc-v1-1-43cc8c317b1b@intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/early/xhci-dbc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c +index 341408410ed9..41118bba9197 100644 +--- a/drivers/usb/early/xhci-dbc.c ++++ b/drivers/usb/early/xhci-dbc.c +@@ -681,6 +681,10 @@ int __init early_xdbc_setup_hardware(void) + + xdbc.table_base = NULL; + xdbc.out_buf = NULL; ++ ++ early_iounmap(xdbc.xhci_base, xdbc.xhci_length); ++ xdbc.xhci_base = NULL; ++ xdbc.xhci_length = 0; + } + + return ret; +-- +2.39.5 + diff --git a/queue-6.15/usb-host-xhci-plat-fix-incorrect-type-for-of_match-v.patch b/queue-6.15/usb-host-xhci-plat-fix-incorrect-type-for-of_match-v.patch new file mode 100644 index 0000000000..784ffd198b --- /dev/null +++ b/queue-6.15/usb-host-xhci-plat-fix-incorrect-type-for-of_match-v.patch @@ -0,0 +1,39 @@ +From 4688fa80ed5441a2ea8797bd4a94b5e4735f3a4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 01:57:47 -0400 +Subject: usb: host: xhci-plat: fix incorrect type for of_match variable in + xhci_plat_probe() + +From: Seungjin Bae + +[ Upstream commit d9e496a9fb4021a9e6b11e7ba221a41a2597ac27 ] + +The variable `of_match` was incorrectly declared as a `bool`. +It is assigned the return value of of_match_device(), which is a pointer of +type `const struct of_device_id *`. + +Fixes: 16b7e0cccb243 ("USB: xhci-plat: fix legacy PHY double init") +Signed-off-by: Seungjin Bae +Link: https://lore.kernel.org/r/20250619055746.176112-2-eeodqql09@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-plat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 619481dec8e8..87f173392a01 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -152,7 +152,7 @@ int xhci_plat_probe(struct platform_device *pdev, struct device *sysdev, const s + int ret; + int irq; + struct xhci_plat_priv *priv = NULL; +- bool of_match; ++ const struct of_device_id *of_match; + + if (usb_disabled()) + return -ENODEV; +-- +2.39.5 + diff --git a/queue-6.15/usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch b/queue-6.15/usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch new file mode 100644 index 0000000000..37c4e6aff5 --- /dev/null +++ b/queue-6.15/usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch @@ -0,0 +1,110 @@ +From 316cc0527e2f5784e587f0c828bd481e61ba0fb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 18:26:17 +0000 +Subject: usb: misc: apple-mfi-fastcharge: Make power supply names unique + +From: Charalampos Mitrodimas + +[ Upstream commit 43007b89fb2de746443fbbb84aedd1089afdf582 ] + +When multiple Apple devices are connected concurrently, the +apple-mfi-fastcharge driver fails to probe the subsequent devices with +the following error: + + sysfs: cannot create duplicate filename '/class/power_supply/apple_mfi_fastcharge' + apple-mfi-fastcharge 5-2.4.3.3: probe of 5-2.4.3.3 failed with error -17 + +This happens because the driver uses a fixed power supply name +("apple_mfi_fastcharge") for all devices, causing a sysfs name +conflict when a second device is connected. + +Fix this by generating unique names using the USB bus and device +number (e.g., "apple_mfi_fastcharge_5-12"). This ensures each +connected device gets a unique power supply entry in sysfs. + +The change requires storing a copy of the power_supply_desc structure +in the per-device mfi_device struct, since the name pointer needs to +remain valid for the lifetime of the power supply registration. + +Fixes: 249fa8217b84 ("USB: Add driver to control USB fast charge for iOS devices") +Signed-off-by: Charalampos Mitrodimas +Link: https://lore.kernel.org/r/20250602-apple-mfi-fastcharge-duplicate-sysfs-v1-1-5d84de34fac6@posteo.net +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/apple-mfi-fastcharge.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/misc/apple-mfi-fastcharge.c b/drivers/usb/misc/apple-mfi-fastcharge.c +index ac8695195c13..8e852f4b8262 100644 +--- a/drivers/usb/misc/apple-mfi-fastcharge.c ++++ b/drivers/usb/misc/apple-mfi-fastcharge.c +@@ -44,6 +44,7 @@ MODULE_DEVICE_TABLE(usb, mfi_fc_id_table); + struct mfi_device { + struct usb_device *udev; + struct power_supply *battery; ++ struct power_supply_desc battery_desc; + int charge_type; + }; + +@@ -178,6 +179,7 @@ static int mfi_fc_probe(struct usb_device *udev) + { + struct power_supply_config battery_cfg = {}; + struct mfi_device *mfi = NULL; ++ char *battery_name; + int err; + + if (!mfi_fc_match(udev)) +@@ -187,23 +189,38 @@ static int mfi_fc_probe(struct usb_device *udev) + if (!mfi) + return -ENOMEM; + ++ battery_name = kasprintf(GFP_KERNEL, "apple_mfi_fastcharge_%d-%d", ++ udev->bus->busnum, udev->devnum); ++ if (!battery_name) { ++ err = -ENOMEM; ++ goto err_free_mfi; ++ } ++ ++ mfi->battery_desc = apple_mfi_fc_desc; ++ mfi->battery_desc.name = battery_name; ++ + battery_cfg.drv_data = mfi; + + mfi->charge_type = POWER_SUPPLY_CHARGE_TYPE_TRICKLE; + mfi->battery = power_supply_register(&udev->dev, +- &apple_mfi_fc_desc, ++ &mfi->battery_desc, + &battery_cfg); + if (IS_ERR(mfi->battery)) { + dev_err(&udev->dev, "Can't register battery\n"); + err = PTR_ERR(mfi->battery); +- kfree(mfi); +- return err; ++ goto err_free_name; + } + + mfi->udev = usb_get_dev(udev); + dev_set_drvdata(&udev->dev, mfi); + + return 0; ++ ++err_free_name: ++ kfree(battery_name); ++err_free_mfi: ++ kfree(mfi); ++ return err; + } + + static void mfi_fc_disconnect(struct usb_device *udev) +@@ -213,6 +230,7 @@ static void mfi_fc_disconnect(struct usb_device *udev) + mfi = dev_get_drvdata(&udev->dev); + if (mfi->battery) + power_supply_unregister(mfi->battery); ++ kfree(mfi->battery_desc.name); + dev_set_drvdata(&udev->dev, NULL); + usb_put_dev(mfi->udev); + kfree(mfi); +-- +2.39.5 + diff --git a/queue-6.15/usb-typec-ucsi-yoga-c630-fix-error-and-remove-paths.patch b/queue-6.15/usb-typec-ucsi-yoga-c630-fix-error-and-remove-paths.patch new file mode 100644 index 0000000000..74fcffbfcf --- /dev/null +++ b/queue-6.15/usb-typec-ucsi-yoga-c630-fix-error-and-remove-paths.patch @@ -0,0 +1,65 @@ +From 89f5787770a104dc6808eb59cd8586086220844b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jun 2025 21:12:56 +0300 +Subject: usb: typec: ucsi: yoga-c630: fix error and remove paths + +From: Dmitry Baryshkov + +[ Upstream commit 168c3896f32e78e7b87f6aa9e85af36e47a9f96c ] + +Fix memory leak and call ucsi_destroy() from the driver's remove +function and probe's error path in order to remove debugfs files and +free the memory. Also call yoga_c630_ec_unregister_notify() in the +probe's error path. + +Fixes: 2ea6d07efe53 ("usb: typec: ucsi: add Lenovo Yoga C630 glue driver") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250621-c630-ucsi-v1-1-a86de5e11361@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/ucsi/ucsi_yoga_c630.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/typec/ucsi/ucsi_yoga_c630.c b/drivers/usb/typec/ucsi/ucsi_yoga_c630.c +index d33e3f2dd1d8..47e8dd5b255b 100644 +--- a/drivers/usb/typec/ucsi/ucsi_yoga_c630.c ++++ b/drivers/usb/typec/ucsi/ucsi_yoga_c630.c +@@ -133,17 +133,30 @@ static int yoga_c630_ucsi_probe(struct auxiliary_device *adev, + + ret = yoga_c630_ec_register_notify(ec, &uec->nb); + if (ret) +- return ret; ++ goto err_destroy; ++ ++ ret = ucsi_register(uec->ucsi); ++ if (ret) ++ goto err_unregister; ++ ++ return 0; + +- return ucsi_register(uec->ucsi); ++err_unregister: ++ yoga_c630_ec_unregister_notify(uec->ec, &uec->nb); ++ ++err_destroy: ++ ucsi_destroy(uec->ucsi); ++ ++ return ret; + } + + static void yoga_c630_ucsi_remove(struct auxiliary_device *adev) + { + struct yoga_c630_ucsi *uec = auxiliary_get_drvdata(adev); + +- yoga_c630_ec_unregister_notify(uec->ec, &uec->nb); + ucsi_unregister(uec->ucsi); ++ yoga_c630_ec_unregister_notify(uec->ec, &uec->nb); ++ ucsi_destroy(uec->ucsi); + } + + static const struct auxiliary_device_id yoga_c630_ucsi_id_table[] = { +-- +2.39.5 + diff --git a/queue-6.15/vdpa-fix-idr-memory-leak-in-vduse-module-exit.patch b/queue-6.15/vdpa-fix-idr-memory-leak-in-vduse-module-exit.patch new file mode 100644 index 0000000000..5f42dcfae5 --- /dev/null +++ b/queue-6.15/vdpa-fix-idr-memory-leak-in-vduse-module-exit.patch @@ -0,0 +1,50 @@ +From 04bc8e9013cb269e191bb7407697881d60e134f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 14:53:35 +0200 +Subject: vdpa: Fix IDR memory leak in VDUSE module exit + +From: Anders Roxell + +[ Upstream commit d9ea58b5dc6b4b50fbb6a10c73f840e8b10442b7 ] + +Add missing idr_destroy() call in vduse_exit() to properly free the +vduse_idr radix tree nodes. Without this, module load/unload cycles leak +576-byte radix tree node allocations, detectable by kmemleak as: + +unreferenced object (size 576): + backtrace: + [] radix_tree_node_alloc+0xa0/0xf0 + [] idr_get_free+0x128/0x280 + +The vduse_idr is initialized via DEFINE_IDR() at line 136 and used throughout +the VDUSE (vDPA Device in Userspace) driver for device ID management. The fix +follows the documented pattern in lib/idr.c and matches the cleanup approach +used by other drivers. + +This leak was discovered through comprehensive module testing with cumulative +kmemleak detection across 10 load/unload iterations per module. + +Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") +Signed-off-by: Anders Roxell +Message-Id: <20250704125335.1084649-1-anders.roxell@linaro.org> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa_user/vduse_dev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c +index 6a9a37351310..04620bb77203 100644 +--- a/drivers/vdpa/vdpa_user/vduse_dev.c ++++ b/drivers/vdpa/vdpa_user/vduse_dev.c +@@ -2216,6 +2216,7 @@ static void vduse_exit(void) + cdev_del(&vduse_ctrl_cdev); + unregister_chrdev_region(vduse_major, VDUSE_DEV_MAX); + class_unregister(&vduse_class); ++ idr_destroy(&vduse_idr); + } + module_exit(vduse_exit); + +-- +2.39.5 + diff --git a/queue-6.15/vdpa-mlx5-fix-needs_teardown-flag-calculation.patch b/queue-6.15/vdpa-mlx5-fix-needs_teardown-flag-calculation.patch new file mode 100644 index 0000000000..99d205764f --- /dev/null +++ b/queue-6.15/vdpa-mlx5-fix-needs_teardown-flag-calculation.patch @@ -0,0 +1,54 @@ +From 232d42dd0de4e618e052d2f33782e2dfd8cb370a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 21:48:01 +0300 +Subject: vdpa/mlx5: Fix needs_teardown flag calculation + +From: Dragos Tatulea + +[ Upstream commit 6f0f3d7fc4e05797b801ded4910a64d16db230e9 ] + +needs_teardown is a device flag that indicates when virtual queues need +to be recreated. This happens for certain configuration changes: queue +size and some specific features. + +Currently, the needs_teardown state can be incorrectly reset by +subsequent .set_vq_num() calls. For example, for 1 rx VQ with size 512 +and 1 tx VQ with size 256: + +.set_vq_num(0, 512) -> sets needs_teardown to true (rx queue has a + non-default size) +.set_vq_num(1, 256) -> sets needs_teardown to false (tx queue has a + default size) + +This change takes into account the previous value of the needs_teardown +flag when re-calculating it during VQ size configuration. + +Fixes: 0fe963d6fc16 ("vdpa/mlx5: Re-create HW VQs under certain conditions") +Signed-off-by: Dragos Tatulea +Reviewed-by: Shahar Shitrit +Reviewed-by: Si-Wei Liu +Tested-by: Si-Wei Liu +Message-Id: <20250604184802.2625300-1-dtatulea@nvidia.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index cccc49a08a1a..efb5fa694f1e 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -2491,7 +2491,7 @@ static void mlx5_vdpa_set_vq_num(struct vdpa_device *vdev, u16 idx, u32 num) + } + + mvq = &ndev->vqs[idx]; +- ndev->needs_teardown = num != mvq->num_ent; ++ ndev->needs_teardown |= num != mvq->num_ent; + mvq->num_ent = num; + } + +-- +2.39.5 + diff --git a/queue-6.15/vdpa-mlx5-fix-release-of-uninitialized-resources-on-.patch b/queue-6.15/vdpa-mlx5-fix-release-of-uninitialized-resources-on-.patch new file mode 100644 index 0000000000..f5c8b9aebb --- /dev/null +++ b/queue-6.15/vdpa-mlx5-fix-release-of-uninitialized-resources-on-.patch @@ -0,0 +1,153 @@ +From 5468a2736087ded7ae7d912ee60d9cb441cf9437 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 12:04:24 +0000 +Subject: vdpa/mlx5: Fix release of uninitialized resources on error path + +From: Dragos Tatulea + +[ Upstream commit cc51a66815999afb7e9cd845968de4fdf07567b7 ] + +The commit in the fixes tag made sure that mlx5_vdpa_free() +is the single entrypoint for removing the vdpa device resources +added in mlx5_vdpa_dev_add(), even in the cleanup path of +mlx5_vdpa_dev_add(). + +This means that all functions from mlx5_vdpa_free() should be able to +handle uninitialized resources. This was not the case though: +mlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx() +were not able to do so. This caused the splat below when adding +a vdpa device without a MAC address. + +This patch fixes these remaining issues: + +- Makes mlx5_vdpa_destroy_mr_resources() return early if called on + uninitialized resources. + +- Moves mlx5_cmd_init_async_ctx() early on during device addition + because it can't fail. This means that mlx5_cmd_cleanup_async_ctx() + also can't fail. To mirror this, move the call site of + mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free(). + +An additional comment was added in mlx5_vdpa_free() to document +the expectations of functions called from this context. + +Splat: + + mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned? + ------------[ cut here ]------------ + WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0 + [...] + Call Trace: + + ? __try_to_del_timer_sync+0x61/0x90 + ? __timer_delete_sync+0x2b/0x40 + mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa] + mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa] + vdpa_release_dev+0x1e/0x50 [vdpa] + device_release+0x31/0x90 + kobject_cleanup+0x37/0x130 + mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa] + vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa] + genl_family_rcv_msg_doit+0xd8/0x130 + genl_family_rcv_msg+0x14b/0x220 + ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa] + genl_rcv_msg+0x47/0xa0 + ? __pfx_genl_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x53/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x27b/0x3b0 + netlink_sendmsg+0x1f7/0x430 + __sys_sendto+0x1fa/0x210 + ? ___pte_offset_map+0x17/0x160 + ? next_uptodate_folio+0x85/0x2b0 + ? percpu_counter_add_batch+0x51/0x90 + ? filemap_map_pages+0x515/0x660 + __x64_sys_sendto+0x20/0x30 + do_syscall_64+0x7b/0x2c0 + ? do_read_fault+0x108/0x220 + ? do_pte_missing+0x14a/0x3e0 + ? __handle_mm_fault+0x321/0x730 + ? count_memcg_events+0x13f/0x180 + ? handle_mm_fault+0x1fb/0x2d0 + ? do_user_addr_fault+0x20c/0x700 + ? syscall_exit_work+0x104/0x140 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f0c25b0feca + [...] + ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Dragos Tatulea +Fixes: 83e445e64f48 ("vdpa/mlx5: Fix error path during device add") +Reported-by: Wenli Quan +Closes: https://lore.kernel.org/virtualization/CADZSLS0r78HhZAStBaN1evCSoPqRJU95Lt8AqZNJ6+wwYQ6vPQ@mail.gmail.com/ +Reviewed-by: Tariq Toukan +Reviewed-by: Cosmin Ratiu +Message-Id: <20250708120424.2363354-2-dtatulea@nvidia.com> +Tested-by: Wenli Quan +Acked-by: Jason Wang +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/core/mr.c | 3 +++ + drivers/vdpa/mlx5/net/mlx5_vnet.c | 10 ++++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/vdpa/mlx5/core/mr.c b/drivers/vdpa/mlx5/core/mr.c +index 61424342c096..c7a20278bc3c 100644 +--- a/drivers/vdpa/mlx5/core/mr.c ++++ b/drivers/vdpa/mlx5/core/mr.c +@@ -908,6 +908,9 @@ void mlx5_vdpa_destroy_mr_resources(struct mlx5_vdpa_dev *mvdev) + { + struct mlx5_vdpa_mr_resources *mres = &mvdev->mres; + ++ if (!mres->wq_gc) ++ return; ++ + atomic_set(&mres->shutdown, 1); + + flush_delayed_work(&mres->gc_dwork_ent); +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index efb5fa694f1e..0ed2fc28e1ce 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -3432,15 +3432,17 @@ static void mlx5_vdpa_free(struct vdpa_device *vdev) + + ndev = to_mlx5_vdpa_ndev(mvdev); + ++ /* Functions called here should be able to work with ++ * uninitialized resources. ++ */ + free_fixed_resources(ndev); + mlx5_vdpa_clean_mrs(mvdev); + mlx5_vdpa_destroy_mr_resources(&ndev->mvdev); +- mlx5_cmd_cleanup_async_ctx(&mvdev->async_ctx); +- + if (!is_zero_ether_addr(ndev->config.mac)) { + pfmdev = pci_get_drvdata(pci_physfn(mvdev->mdev->pdev)); + mlx5_mpfs_del_mac(pfmdev, ndev->config.mac); + } ++ mlx5_cmd_cleanup_async_ctx(&mvdev->async_ctx); + mlx5_vdpa_free_resources(&ndev->mvdev); + free_irqs(ndev); + kfree(ndev->event_cbs); +@@ -3888,6 +3890,8 @@ static int mlx5_vdpa_dev_add(struct vdpa_mgmt_dev *v_mdev, const char *name, + mvdev->actual_features = + (device_features & BIT_ULL(VIRTIO_F_VERSION_1)); + ++ mlx5_cmd_init_async_ctx(mdev, &mvdev->async_ctx); ++ + ndev->vqs = kcalloc(max_vqs, sizeof(*ndev->vqs), GFP_KERNEL); + ndev->event_cbs = kcalloc(max_vqs + 1, sizeof(*ndev->event_cbs), GFP_KERNEL); + if (!ndev->vqs || !ndev->event_cbs) { +@@ -3960,8 +3964,6 @@ static int mlx5_vdpa_dev_add(struct vdpa_mgmt_dev *v_mdev, const char *name, + ndev->rqt_size = 1; + } + +- mlx5_cmd_init_async_ctx(mdev, &mvdev->async_ctx); +- + ndev->mvdev.mlx_features = device_features; + mvdev->vdev.dma_dev = &mdev->pdev->dev; + err = mlx5_vdpa_alloc_resources(&ndev->mvdev); +-- +2.39.5 + diff --git a/queue-6.15/vfio-fix-unbalanced-vfio_df_close-call-in-no-iommu-m.patch b/queue-6.15/vfio-fix-unbalanced-vfio_df_close-call-in-no-iommu-m.patch new file mode 100644 index 0000000000..d855709f03 --- /dev/null +++ b/queue-6.15/vfio-fix-unbalanced-vfio_df_close-call-in-no-iommu-m.patch @@ -0,0 +1,69 @@ +From fe37ec7b02b67d62794ffd0e5fb343e9286b54e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 16:46:17 -0700 +Subject: vfio: Fix unbalanced vfio_df_close call in no-iommu mode + +From: Jacob Pan + +[ Upstream commit b25e271b377999191b12f0afbe1861edcf57e3fe ] + +For devices with no-iommu enabled in IOMMUFD VFIO compat mode, the group open +path skips vfio_df_open(), leaving open_count at 0. This causes a warning in +vfio_assert_device_open(device) when vfio_df_close() is called during group +close. + +The correct behavior is to skip only the IOMMUFD bind in the device open path +for no-iommu devices. Commit 6086efe73498 omitted vfio_df_open(), which was +too broad. This patch restores the previous behavior, ensuring +the vfio_df_open is called in the group open path. + +Fixes: 6086efe73498 ("vfio-iommufd: Move noiommu compat validation out of vfio_iommufd_bind()") +Suggested-by: Alex Williamson +Suggested-by: Jason Gunthorpe +Signed-off-by: Jacob Pan +Reviewed-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/20250618234618.1910456-1-jacob.pan@linux.microsoft.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/group.c | 7 +++---- + drivers/vfio/iommufd.c | 4 ++++ + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c +index c321d442f0da..c376a6279de0 100644 +--- a/drivers/vfio/group.c ++++ b/drivers/vfio/group.c +@@ -192,11 +192,10 @@ static int vfio_df_group_open(struct vfio_device_file *df) + * implies they expected translation to exist + */ + if (!capable(CAP_SYS_RAWIO) || +- vfio_iommufd_device_has_compat_ioas(device, df->iommufd)) ++ vfio_iommufd_device_has_compat_ioas(device, df->iommufd)) { + ret = -EPERM; +- else +- ret = 0; +- goto out_put_kvm; ++ goto out_put_kvm; ++ } + } + + ret = vfio_df_open(df); +diff --git a/drivers/vfio/iommufd.c b/drivers/vfio/iommufd.c +index c8c3a2d53f86..a38d262c6028 100644 +--- a/drivers/vfio/iommufd.c ++++ b/drivers/vfio/iommufd.c +@@ -25,6 +25,10 @@ int vfio_df_iommufd_bind(struct vfio_device_file *df) + + lockdep_assert_held(&vdev->dev_set->lock); + ++ /* Returns 0 to permit device opening under noiommu mode */ ++ if (vfio_device_is_noiommu(vdev)) ++ return 0; ++ + return vdev->ops->bind_iommufd(vdev, ictx, &df->devid); + } + +-- +2.39.5 + diff --git a/queue-6.15/vfio-pci-do-vf_token-checks-for-vfio_device_bind_iom.patch b/queue-6.15/vfio-pci-do-vf_token-checks-for-vfio_device_bind_iom.patch new file mode 100644 index 0000000000..87e201e120 --- /dev/null +++ b/queue-6.15/vfio-pci-do-vf_token-checks-for-vfio_device_bind_iom.patch @@ -0,0 +1,380 @@ +From 9e894f852c022f5a3a512c8fc28eac64c26bb786 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 13:08:25 -0300 +Subject: vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD + +From: Jason Gunthorpe + +[ Upstream commit 86624ba3b522b6512def25534341da93356c8da4 ] + +This was missed during the initial implementation. The VFIO PCI encodes +the vf_token inside the device name when opening the device from the group +FD, something like: + + "0000:04:10.0 vf_token=bd8d9d2b-5a5f-4f5a-a211-f591514ba1f3" + +This is used to control access to a VF unless there is co-ordination with +the owner of the PF. + +Since we no longer have a device name in the cdev path, pass the token +directly through VFIO_DEVICE_BIND_IOMMUFD using an optional field +indicated by VFIO_DEVICE_BIND_FLAG_TOKEN. + +Fixes: 5fcc26969a16 ("vfio: Add VFIO_DEVICE_BIND_IOMMUFD") +Tested-by: Shameer Kolothum +Reviewed-by: Yi Liu +Signed-off-by: Jason Gunthorpe +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/0-v3-bdd8716e85fe+3978a-vfio_token_jgg@nvidia.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/device_cdev.c | 38 +++++++++++++++++-- + .../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 1 + + drivers/vfio/pci/mlx5/main.c | 1 + + drivers/vfio/pci/nvgrace-gpu/main.c | 2 + + drivers/vfio/pci/pds/vfio_dev.c | 1 + + drivers/vfio/pci/qat/main.c | 1 + + drivers/vfio/pci/vfio_pci.c | 1 + + drivers/vfio/pci/vfio_pci_core.c | 22 +++++++---- + drivers/vfio/pci/virtio/main.c | 3 ++ + include/linux/vfio.h | 4 ++ + include/linux/vfio_pci_core.h | 2 + + include/uapi/linux/vfio.h | 12 +++++- + 12 files changed, 76 insertions(+), 12 deletions(-) + +diff --git a/drivers/vfio/device_cdev.c b/drivers/vfio/device_cdev.c +index 281a8dc3ed49..480cac3a0c27 100644 +--- a/drivers/vfio/device_cdev.c ++++ b/drivers/vfio/device_cdev.c +@@ -60,22 +60,50 @@ static void vfio_df_get_kvm_safe(struct vfio_device_file *df) + spin_unlock(&df->kvm_ref_lock); + } + ++static int vfio_df_check_token(struct vfio_device *device, ++ const struct vfio_device_bind_iommufd *bind) ++{ ++ uuid_t uuid; ++ ++ if (!device->ops->match_token_uuid) { ++ if (bind->flags & VFIO_DEVICE_BIND_FLAG_TOKEN) ++ return -EINVAL; ++ return 0; ++ } ++ ++ if (!(bind->flags & VFIO_DEVICE_BIND_FLAG_TOKEN)) ++ return device->ops->match_token_uuid(device, NULL); ++ ++ if (copy_from_user(&uuid, u64_to_user_ptr(bind->token_uuid_ptr), ++ sizeof(uuid))) ++ return -EFAULT; ++ return device->ops->match_token_uuid(device, &uuid); ++} ++ + long vfio_df_ioctl_bind_iommufd(struct vfio_device_file *df, + struct vfio_device_bind_iommufd __user *arg) + { ++ const u32 VALID_FLAGS = VFIO_DEVICE_BIND_FLAG_TOKEN; + struct vfio_device *device = df->device; + struct vfio_device_bind_iommufd bind; + unsigned long minsz; ++ u32 user_size; + int ret; + + static_assert(__same_type(arg->out_devid, df->devid)); + + minsz = offsetofend(struct vfio_device_bind_iommufd, out_devid); + +- if (copy_from_user(&bind, arg, minsz)) +- return -EFAULT; ++ ret = get_user(user_size, &arg->argsz); ++ if (ret) ++ return ret; ++ if (user_size < minsz) ++ return -EINVAL; ++ ret = copy_struct_from_user(&bind, minsz, arg, user_size); ++ if (ret) ++ return ret; + +- if (bind.argsz < minsz || bind.flags || bind.iommufd < 0) ++ if (bind.iommufd < 0 || bind.flags & ~VALID_FLAGS) + return -EINVAL; + + /* BIND_IOMMUFD only allowed for cdev fds */ +@@ -93,6 +121,10 @@ long vfio_df_ioctl_bind_iommufd(struct vfio_device_file *df, + goto out_unlock; + } + ++ ret = vfio_df_check_token(device, &bind); ++ if (ret) ++ goto out_unlock; ++ + df->iommufd = iommufd_ctx_from_fd(bind.iommufd); + if (IS_ERR(df->iommufd)) { + ret = PTR_ERR(df->iommufd); +diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +index d12a350440d3..36b60e293204 100644 +--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c ++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +@@ -1580,6 +1580,7 @@ static const struct vfio_device_ops hisi_acc_vfio_pci_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +diff --git a/drivers/vfio/pci/mlx5/main.c b/drivers/vfio/pci/mlx5/main.c +index 709543e7eb04..d83249aea275 100644 +--- a/drivers/vfio/pci/mlx5/main.c ++++ b/drivers/vfio/pci/mlx5/main.c +@@ -1387,6 +1387,7 @@ static const struct vfio_device_ops mlx5vf_pci_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +diff --git a/drivers/vfio/pci/nvgrace-gpu/main.c b/drivers/vfio/pci/nvgrace-gpu/main.c +index e5ac39c4cc6b..d95761dcdd58 100644 +--- a/drivers/vfio/pci/nvgrace-gpu/main.c ++++ b/drivers/vfio/pci/nvgrace-gpu/main.c +@@ -696,6 +696,7 @@ static const struct vfio_device_ops nvgrace_gpu_pci_ops = { + .mmap = nvgrace_gpu_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +@@ -715,6 +716,7 @@ static const struct vfio_device_ops nvgrace_gpu_pci_core_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +diff --git a/drivers/vfio/pci/pds/vfio_dev.c b/drivers/vfio/pci/pds/vfio_dev.c +index f6e0253a8a14..f3ccb0008f67 100644 +--- a/drivers/vfio/pci/pds/vfio_dev.c ++++ b/drivers/vfio/pci/pds/vfio_dev.c +@@ -201,6 +201,7 @@ static const struct vfio_device_ops pds_vfio_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +diff --git a/drivers/vfio/pci/qat/main.c b/drivers/vfio/pci/qat/main.c +index 845ed15b6771..5cce6b0b8d2f 100644 +--- a/drivers/vfio/pci/qat/main.c ++++ b/drivers/vfio/pci/qat/main.c +@@ -614,6 +614,7 @@ static const struct vfio_device_ops qat_vf_pci_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 5ba39f7623bb..ac10f14417f2 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -138,6 +138,7 @@ static const struct vfio_device_ops vfio_pci_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c +index 261a6dc5a5fc..fad410cf91bc 100644 +--- a/drivers/vfio/pci/vfio_pci_core.c ++++ b/drivers/vfio/pci/vfio_pci_core.c +@@ -1821,9 +1821,13 @@ void vfio_pci_core_request(struct vfio_device *core_vdev, unsigned int count) + } + EXPORT_SYMBOL_GPL(vfio_pci_core_request); + +-static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, +- bool vf_token, uuid_t *uuid) ++int vfio_pci_core_match_token_uuid(struct vfio_device *core_vdev, ++ const uuid_t *uuid) ++ + { ++ struct vfio_pci_core_device *vdev = ++ container_of(core_vdev, struct vfio_pci_core_device, vdev); ++ + /* + * There's always some degree of trust or collaboration between SR-IOV + * PF and VFs, even if just that the PF hosts the SR-IOV capability and +@@ -1854,7 +1858,7 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, + bool match; + + if (!pf_vdev) { +- if (!vf_token) ++ if (!uuid) + return 0; /* PF is not vfio-pci, no VF token */ + + pci_info_ratelimited(vdev->pdev, +@@ -1862,7 +1866,7 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, + return -EINVAL; + } + +- if (!vf_token) { ++ if (!uuid) { + pci_info_ratelimited(vdev->pdev, + "VF token required to access device\n"); + return -EACCES; +@@ -1880,7 +1884,7 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, + } else if (vdev->vf_token) { + mutex_lock(&vdev->vf_token->lock); + if (vdev->vf_token->users) { +- if (!vf_token) { ++ if (!uuid) { + mutex_unlock(&vdev->vf_token->lock); + pci_info_ratelimited(vdev->pdev, + "VF token required to access device\n"); +@@ -1893,12 +1897,12 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, + "Incorrect VF token provided for device\n"); + return -EACCES; + } +- } else if (vf_token) { ++ } else if (uuid) { + uuid_copy(&vdev->vf_token->uuid, uuid); + } + + mutex_unlock(&vdev->vf_token->lock); +- } else if (vf_token) { ++ } else if (uuid) { + pci_info_ratelimited(vdev->pdev, + "VF token incorrectly provided, not a PF or VF\n"); + return -EINVAL; +@@ -1906,6 +1910,7 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, + + return 0; + } ++EXPORT_SYMBOL_GPL(vfio_pci_core_match_token_uuid); + + #define VF_TOKEN_ARG "vf_token=" + +@@ -1952,7 +1957,8 @@ int vfio_pci_core_match(struct vfio_device *core_vdev, char *buf) + } + } + +- ret = vfio_pci_validate_vf_token(vdev, vf_token, &uuid); ++ ret = core_vdev->ops->match_token_uuid(core_vdev, ++ vf_token ? &uuid : NULL); + if (ret) + return ret; + +diff --git a/drivers/vfio/pci/virtio/main.c b/drivers/vfio/pci/virtio/main.c +index 515fe1b9f94d..8084f3e36a9f 100644 +--- a/drivers/vfio/pci/virtio/main.c ++++ b/drivers/vfio/pci/virtio/main.c +@@ -94,6 +94,7 @@ static const struct vfio_device_ops virtiovf_vfio_pci_lm_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +@@ -114,6 +115,7 @@ static const struct vfio_device_ops virtiovf_vfio_pci_tran_lm_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +@@ -134,6 +136,7 @@ static const struct vfio_device_ops virtiovf_vfio_pci_ops = { + .mmap = vfio_pci_core_mmap, + .request = vfio_pci_core_request, + .match = vfio_pci_core_match, ++ .match_token_uuid = vfio_pci_core_match_token_uuid, + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, +diff --git a/include/linux/vfio.h b/include/linux/vfio.h +index 707b00772ce1..eb563f538dee 100644 +--- a/include/linux/vfio.h ++++ b/include/linux/vfio.h +@@ -105,6 +105,9 @@ struct vfio_device { + * @match: Optional device name match callback (return: 0 for no-match, >0 for + * match, -errno for abort (ex. match with insufficient or incorrect + * additional args) ++ * @match_token_uuid: Optional device token match/validation. Return 0 ++ * if the uuid is valid for the device, -errno otherwise. uuid is NULL ++ * if none was provided. + * @dma_unmap: Called when userspace unmaps IOVA from the container + * this device is attached to. + * @device_feature: Optional, fill in the VFIO_DEVICE_FEATURE ioctl +@@ -132,6 +135,7 @@ struct vfio_device_ops { + int (*mmap)(struct vfio_device *vdev, struct vm_area_struct *vma); + void (*request)(struct vfio_device *vdev, unsigned int count); + int (*match)(struct vfio_device *vdev, char *buf); ++ int (*match_token_uuid)(struct vfio_device *vdev, const uuid_t *uuid); + void (*dma_unmap)(struct vfio_device *vdev, u64 iova, u64 length); + int (*device_feature)(struct vfio_device *device, u32 flags, + void __user *arg, size_t argsz); +diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h +index fbb472dd99b3..f541044e42a2 100644 +--- a/include/linux/vfio_pci_core.h ++++ b/include/linux/vfio_pci_core.h +@@ -122,6 +122,8 @@ ssize_t vfio_pci_core_write(struct vfio_device *core_vdev, const char __user *bu + int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma); + void vfio_pci_core_request(struct vfio_device *core_vdev, unsigned int count); + int vfio_pci_core_match(struct vfio_device *core_vdev, char *buf); ++int vfio_pci_core_match_token_uuid(struct vfio_device *core_vdev, ++ const uuid_t *uuid); + int vfio_pci_core_enable(struct vfio_pci_core_device *vdev); + void vfio_pci_core_disable(struct vfio_pci_core_device *vdev); + void vfio_pci_core_finish_enable(struct vfio_pci_core_device *vdev); +diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h +index 5764f315137f..75100bf009ba 100644 +--- a/include/uapi/linux/vfio.h ++++ b/include/uapi/linux/vfio.h +@@ -905,10 +905,12 @@ struct vfio_device_feature { + * VFIO_DEVICE_BIND_IOMMUFD - _IOR(VFIO_TYPE, VFIO_BASE + 18, + * struct vfio_device_bind_iommufd) + * @argsz: User filled size of this data. +- * @flags: Must be 0. ++ * @flags: Must be 0 or a bit flags of VFIO_DEVICE_BIND_* + * @iommufd: iommufd to bind. + * @out_devid: The device id generated by this bind. devid is a handle for + * this device/iommufd bond and can be used in IOMMUFD commands. ++ * @token_uuid_ptr: Valid if VFIO_DEVICE_BIND_FLAG_TOKEN. Points to a 16 byte ++ * UUID in the same format as VFIO_DEVICE_FEATURE_PCI_VF_TOKEN. + * + * Bind a vfio_device to the specified iommufd. + * +@@ -917,13 +919,21 @@ struct vfio_device_feature { + * + * Unbind is automatically conducted when device fd is closed. + * ++ * A token is sometimes required to open the device, unless this is known to be ++ * needed VFIO_DEVICE_BIND_FLAG_TOKEN should not be set and token_uuid_ptr is ++ * ignored. The only case today is a PF/VF relationship where the VF bind must ++ * be provided the same token as VFIO_DEVICE_FEATURE_PCI_VF_TOKEN provided to ++ * the PF. ++ * + * Return: 0 on success, -errno on failure. + */ + struct vfio_device_bind_iommufd { + __u32 argsz; + __u32 flags; ++#define VFIO_DEVICE_BIND_FLAG_TOKEN (1 << 0) + __s32 iommufd; + __u32 out_devid; ++ __aligned_u64 token_uuid_ptr; + }; + + #define VFIO_DEVICE_BIND_IOMMUFD _IO(VFIO_TYPE, VFIO_BASE + 18) +-- +2.39.5 + diff --git a/queue-6.15/vfio-pci-separate-sr-iov-vf-dev_set.patch b/queue-6.15/vfio-pci-separate-sr-iov-vf-dev_set.patch new file mode 100644 index 0000000000..0350cebf48 --- /dev/null +++ b/queue-6.15/vfio-pci-separate-sr-iov-vf-dev_set.patch @@ -0,0 +1,58 @@ +From f6a39ca8bcee889947303463f91f1291d973da7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 16:56:18 -0600 +Subject: vfio/pci: Separate SR-IOV VF dev_set + +From: Alex Williamson + +[ Upstream commit e908f58b6beb337cbe4481d52c3f5c78167b1aab ] + +In the below noted Fixes commit we introduced a reflck mutex to allow +better scaling between devices for open and close. The reflck was +based on the hot reset granularity, device level for root bus devices +which cannot support hot reset or bus/slot reset otherwise. Overlooked +in this were SR-IOV VFs, where there's also no bus reset option, but +the default for a non-root-bus, non-slot-based device is bus level +reflck granularity. + +The reflck mutex has since become the dev_set mutex (via commit +2cd8b14aaa66 ("vfio/pci: Move to the device set infrastructure")) and +is our defacto serialization for various operations and ioctls. It +still seems to be the case though that sets of vfio-pci devices really +only need serialization relative to hot resets affecting the entire +set, which is not relevant to SR-IOV VFs. As described in the Closes +link below, this serialization contributes to startup latency when +multiple VFs sharing the same "bus" are opened concurrently. + +Mark the device itself as the basis of the dev_set for SR-IOV VFs. + +Reported-by: Aaron Lewis +Closes: https://lore.kernel.org/all/20250626180424.632628-1-aaronlewis@google.com +Tested-by: Aaron Lewis +Fixes: e309df5b0c9e ("vfio/pci: Parallelize device open and release") +Reviewed-by: Yi Liu +Reviewed-by: Kevin Tian +Reviewed-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/20250626225623.1180952-1-alex.williamson@redhat.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c +index 6328c3a05bcd..261a6dc5a5fc 100644 +--- a/drivers/vfio/pci/vfio_pci_core.c ++++ b/drivers/vfio/pci/vfio_pci_core.c +@@ -2149,7 +2149,7 @@ int vfio_pci_core_register_device(struct vfio_pci_core_device *vdev) + return -EBUSY; + } + +- if (pci_is_root_bus(pdev->bus)) { ++ if (pci_is_root_bus(pdev->bus) || pdev->is_virtfn) { + ret = vfio_assign_device_set(&vdev->vdev, vdev); + } else if (!pci_probe_reset_slot(pdev->slot)) { + ret = vfio_assign_device_set(&vdev->vdev, pdev->slot); +-- +2.39.5 + diff --git a/queue-6.15/vfio-pds-fix-missing-detach_ioas-op.patch b/queue-6.15/vfio-pds-fix-missing-detach_ioas-op.patch new file mode 100644 index 0000000000..76f916cb9e --- /dev/null +++ b/queue-6.15/vfio-pds-fix-missing-detach_ioas-op.patch @@ -0,0 +1,46 @@ +From 7792cf74cac6470998de5c1759bcc6237d0a477e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 09:37:44 -0700 +Subject: vfio/pds: Fix missing detach_ioas op + +From: Brett Creeley + +[ Upstream commit fe24d5bc635e103a517ec201c3cb571eeab8be2f ] + +When CONFIG_IOMMUFD is enabled and a device is bound to the pds_vfio_pci +driver, the following WARN_ON() trace is seen and probe fails: + +WARNING: CPU: 0 PID: 5040 at drivers/vfio/vfio_main.c:317 __vfio_register_dev+0x130/0x140 [vfio] +<...> +pds_vfio_pci 0000:08:00.1: probe with driver pds_vfio_pci failed with error -22 + +This is because the driver's vfio_device_ops.detach_ioas isn't set. + +Fix this by using the generic vfio_iommufd_physical_detach_ioas +function. + +Fixes: 38fe3975b4c2 ("vfio/pds: Initial support for pds VFIO driver") +Signed-off-by: Brett Creeley +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20250702163744.69767-1-brett.creeley@amd.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/pds/vfio_dev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vfio/pci/pds/vfio_dev.c b/drivers/vfio/pci/pds/vfio_dev.c +index 76a80ae7087b..f6e0253a8a14 100644 +--- a/drivers/vfio/pci/pds/vfio_dev.c ++++ b/drivers/vfio/pci/pds/vfio_dev.c +@@ -204,6 +204,7 @@ static const struct vfio_device_ops pds_vfio_ops = { + .bind_iommufd = vfio_iommufd_physical_bind, + .unbind_iommufd = vfio_iommufd_physical_unbind, + .attach_ioas = vfio_iommufd_physical_attach_ioas, ++ .detach_ioas = vfio_iommufd_physical_detach_ioas, + }; + + const struct vfio_device_ops *pds_vfio_ops_info(void) +-- +2.39.5 + diff --git a/queue-6.15/vfio-prevent-open_count-decrement-to-negative.patch b/queue-6.15/vfio-prevent-open_count-decrement-to-negative.patch new file mode 100644 index 0000000000..c43712270a --- /dev/null +++ b/queue-6.15/vfio-prevent-open_count-decrement-to-negative.patch @@ -0,0 +1,49 @@ +From f91f1e26afa988b60058d21af283a47baba6779e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 16:46:18 -0700 +Subject: vfio: Prevent open_count decrement to negative + +From: Jacob Pan + +[ Upstream commit 982ddd59ed97dc7e63efd97ed50273ffb817bd41 ] + +When vfio_df_close() is called with open_count=0, it triggers a warning in +vfio_assert_device_open() but still decrements open_count to -1. This allows +a subsequent open to incorrectly pass the open_count == 0 check, leading to +unintended behavior, such as setting df->access_granted = true. + +For example, running an IOMMUFD compat no-IOMMU device with VFIO tests +(https://github.com/awilliam/tests/blob/master/vfio-noiommu-pci-device-open.c) +results in a warning and a failed VFIO_GROUP_GET_DEVICE_FD ioctl on the first +run, but the second run succeeds incorrectly. + +Add checks to avoid decrementing open_count below zero. + +Fixes: 05f37e1c03b6 ("vfio: Pass struct vfio_device_file * to vfio_device_open/close()") +Reviewed-by: Jason Gunthorpe +Reviewed-by: Yi Liu +Signed-off-by: Jacob Pan +Link: https://lore.kernel.org/r/20250618234618.1910456-2-jacob.pan@linux.microsoft.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_main.c b/drivers/vfio/vfio_main.c +index 1fd261efc582..5046cae05222 100644 +--- a/drivers/vfio/vfio_main.c ++++ b/drivers/vfio/vfio_main.c +@@ -583,7 +583,8 @@ void vfio_df_close(struct vfio_device_file *df) + + lockdep_assert_held(&device->dev_set->lock); + +- vfio_assert_device_open(device); ++ if (!vfio_assert_device_open(device)) ++ return; + if (device->open_count == 1) + vfio_df_device_last_close(df); + device->open_count--; +-- +2.39.5 + diff --git a/queue-6.15/vhost-reintroduce-kthread-api-and-add-mode-selection.patch b/queue-6.15/vhost-reintroduce-kthread-api-and-add-mode-selection.patch new file mode 100644 index 0000000000..5c1c8fbbfb --- /dev/null +++ b/queue-6.15/vhost-reintroduce-kthread-api-and-add-mode-selection.patch @@ -0,0 +1,530 @@ +From 45f31e9d5458541ee7a5f9b127bf7e866b9fd309 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 15:12:32 +0800 +Subject: vhost: Reintroduce kthread API and add mode selection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cindy Lu + +[ Upstream commit 7d9896e9f6d02d8aa85e63f736871f96c59a5263 ] + +Since commit 6e890c5d5021 ("vhost: use vhost_tasks for worker threads"), +the vhost uses vhost_task and operates as a child of the +owner thread. This is required for correct CPU usage accounting, +especially when using containers. + +However, this change has caused confusion for some legacy +userspace applications, and we didn't notice until it's too late. + +Unfortunately, it's too late to revert - we now have userspace +depending both on old and new behaviour :( + +To address the issue, reintroduce kthread mode for vhost workers and +provide a configuration to select between kthread and task worker. + +- Add 'fork_owner' parameter to vhost_dev to let users select kthread + or task mode. Default mode is task mode(VHOST_FORK_OWNER_TASK). + +- Reintroduce kthread mode support: + * Bring back the original vhost_worker() implementation, + and renamed to vhost_run_work_kthread_list(). + * Add cgroup support for the kthread + * Introduce struct vhost_worker_ops: + - Encapsulates create / stop / wake‑up callbacks. + - vhost_worker_create() selects the proper ops according to + inherit_owner. + +- Userspace configuration interface: + * New IOCTLs: + - VHOST_SET_FORK_FROM_OWNER lets userspace select task mode + (VHOST_FORK_OWNER_TASK) or kthread mode (VHOST_FORK_OWNER_KTHREAD) + - VHOST_GET_FORK_FROM_OWNER reads the current worker mode + * Expose module parameter 'fork_from_owner_default' to allow system + administrators to configure the default mode for vhost workers + * Kconfig option CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL controls whether + these IOCTLs and the parameter are available + +- The VHOST_NEW_WORKER functionality requires fork_owner to be set + to true, with validation added to ensure proper configuration + +This partially reverts or improves upon: + commit 6e890c5d5021 ("vhost: use vhost_tasks for worker threads") + commit 1cdaafa1b8b4 ("vhost: replace single worker pointer with xarray") + +Fixes: 6e890c5d5021 ("vhost: use vhost_tasks for worker threads"), +Signed-off-by: Cindy Lu +Message-Id: <20250714071333.59794-2-lulu@redhat.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Tested-by: Lei Yang +Signed-off-by: Sasha Levin +--- + drivers/vhost/Kconfig | 18 +++ + drivers/vhost/vhost.c | 244 ++++++++++++++++++++++++++++++++++--- + drivers/vhost/vhost.h | 22 ++++ + include/uapi/linux/vhost.h | 29 +++++ + 4 files changed, 295 insertions(+), 18 deletions(-) + +diff --git a/drivers/vhost/Kconfig b/drivers/vhost/Kconfig +index 020d4fbb947c..bc0f38574497 100644 +--- a/drivers/vhost/Kconfig ++++ b/drivers/vhost/Kconfig +@@ -95,4 +95,22 @@ config VHOST_CROSS_ENDIAN_LEGACY + + If unsure, say "N". + ++config VHOST_ENABLE_FORK_OWNER_CONTROL ++ bool "Enable VHOST_ENABLE_FORK_OWNER_CONTROL" ++ default y ++ help ++ This option enables two IOCTLs: VHOST_SET_FORK_FROM_OWNER and ++ VHOST_GET_FORK_FROM_OWNER. These allow userspace applications ++ to modify the vhost worker mode for vhost devices. ++ ++ Also expose module parameter 'fork_from_owner_default' to allow users ++ to configure the default mode for vhost workers. ++ ++ By default, `VHOST_ENABLE_FORK_OWNER_CONTROL` is set to `y`, ++ users can change the worker thread mode as needed. ++ If this config is disabled (n),the related IOCTLs and parameters will ++ be unavailable. ++ ++ If unsure, say "Y". ++ + endif +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 63612faeab72..79b0b7cd2860 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -41,6 +42,13 @@ static int max_iotlb_entries = 2048; + module_param(max_iotlb_entries, int, 0444); + MODULE_PARM_DESC(max_iotlb_entries, + "Maximum number of iotlb entries. (default: 2048)"); ++static bool fork_from_owner_default = VHOST_FORK_OWNER_TASK; ++ ++#ifdef CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL ++module_param(fork_from_owner_default, bool, 0444); ++MODULE_PARM_DESC(fork_from_owner_default, ++ "Set task mode as the default(default: Y)"); ++#endif + + enum { + VHOST_MEMORY_F_LOG = 0x1, +@@ -242,7 +250,7 @@ static void vhost_worker_queue(struct vhost_worker *worker, + * test_and_set_bit() implies a memory barrier. + */ + llist_add(&work->node, &worker->work_list); +- vhost_task_wake(worker->vtsk); ++ worker->ops->wakeup(worker); + } + } + +@@ -388,6 +396,44 @@ static void vhost_vq_reset(struct vhost_dev *dev, + __vhost_vq_meta_reset(vq); + } + ++static int vhost_run_work_kthread_list(void *data) ++{ ++ struct vhost_worker *worker = data; ++ struct vhost_work *work, *work_next; ++ struct vhost_dev *dev = worker->dev; ++ struct llist_node *node; ++ ++ kthread_use_mm(dev->mm); ++ ++ for (;;) { ++ /* mb paired w/ kthread_stop */ ++ set_current_state(TASK_INTERRUPTIBLE); ++ ++ if (kthread_should_stop()) { ++ __set_current_state(TASK_RUNNING); ++ break; ++ } ++ node = llist_del_all(&worker->work_list); ++ if (!node) ++ schedule(); ++ ++ node = llist_reverse_order(node); ++ /* make sure flag is seen after deletion */ ++ smp_wmb(); ++ llist_for_each_entry_safe(work, work_next, node, node) { ++ clear_bit(VHOST_WORK_QUEUED, &work->flags); ++ __set_current_state(TASK_RUNNING); ++ kcov_remote_start_common(worker->kcov_handle); ++ work->fn(work); ++ kcov_remote_stop(); ++ cond_resched(); ++ } ++ } ++ kthread_unuse_mm(dev->mm); ++ ++ return 0; ++} ++ + static bool vhost_run_work_list(void *data) + { + struct vhost_worker *worker = data; +@@ -552,6 +598,7 @@ void vhost_dev_init(struct vhost_dev *dev, + dev->byte_weight = byte_weight; + dev->use_worker = use_worker; + dev->msg_handler = msg_handler; ++ dev->fork_owner = fork_from_owner_default; + init_waitqueue_head(&dev->wait); + INIT_LIST_HEAD(&dev->read_list); + INIT_LIST_HEAD(&dev->pending_list); +@@ -581,6 +628,46 @@ long vhost_dev_check_owner(struct vhost_dev *dev) + } + EXPORT_SYMBOL_GPL(vhost_dev_check_owner); + ++struct vhost_attach_cgroups_struct { ++ struct vhost_work work; ++ struct task_struct *owner; ++ int ret; ++}; ++ ++static void vhost_attach_cgroups_work(struct vhost_work *work) ++{ ++ struct vhost_attach_cgroups_struct *s; ++ ++ s = container_of(work, struct vhost_attach_cgroups_struct, work); ++ s->ret = cgroup_attach_task_all(s->owner, current); ++} ++ ++static int vhost_attach_task_to_cgroups(struct vhost_worker *worker) ++{ ++ struct vhost_attach_cgroups_struct attach; ++ int saved_cnt; ++ ++ attach.owner = current; ++ ++ vhost_work_init(&attach.work, vhost_attach_cgroups_work); ++ vhost_worker_queue(worker, &attach.work); ++ ++ mutex_lock(&worker->mutex); ++ ++ /* ++ * Bypass attachment_cnt check in __vhost_worker_flush: ++ * Temporarily change it to INT_MAX to bypass the check ++ */ ++ saved_cnt = worker->attachment_cnt; ++ worker->attachment_cnt = INT_MAX; ++ __vhost_worker_flush(worker); ++ worker->attachment_cnt = saved_cnt; ++ ++ mutex_unlock(&worker->mutex); ++ ++ return attach.ret; ++} ++ + /* Caller should have device mutex */ + bool vhost_dev_has_owner(struct vhost_dev *dev) + { +@@ -626,7 +713,7 @@ static void vhost_worker_destroy(struct vhost_dev *dev, + + WARN_ON(!llist_empty(&worker->work_list)); + xa_erase(&dev->worker_xa, worker->id); +- vhost_task_stop(worker->vtsk); ++ worker->ops->stop(worker); + kfree(worker); + } + +@@ -649,42 +736,115 @@ static void vhost_workers_free(struct vhost_dev *dev) + xa_destroy(&dev->worker_xa); + } + ++static void vhost_task_wakeup(struct vhost_worker *worker) ++{ ++ return vhost_task_wake(worker->vtsk); ++} ++ ++static void vhost_kthread_wakeup(struct vhost_worker *worker) ++{ ++ wake_up_process(worker->kthread_task); ++} ++ ++static void vhost_task_do_stop(struct vhost_worker *worker) ++{ ++ return vhost_task_stop(worker->vtsk); ++} ++ ++static void vhost_kthread_do_stop(struct vhost_worker *worker) ++{ ++ kthread_stop(worker->kthread_task); ++} ++ ++static int vhost_task_worker_create(struct vhost_worker *worker, ++ struct vhost_dev *dev, const char *name) ++{ ++ struct vhost_task *vtsk; ++ u32 id; ++ int ret; ++ ++ vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed, ++ worker, name); ++ if (IS_ERR(vtsk)) ++ return PTR_ERR(vtsk); ++ ++ worker->vtsk = vtsk; ++ vhost_task_start(vtsk); ++ ret = xa_alloc(&dev->worker_xa, &id, worker, xa_limit_32b, GFP_KERNEL); ++ if (ret < 0) { ++ vhost_task_do_stop(worker); ++ return ret; ++ } ++ worker->id = id; ++ return 0; ++} ++ ++static int vhost_kthread_worker_create(struct vhost_worker *worker, ++ struct vhost_dev *dev, const char *name) ++{ ++ struct task_struct *task; ++ u32 id; ++ int ret; ++ ++ task = kthread_create(vhost_run_work_kthread_list, worker, "%s", name); ++ if (IS_ERR(task)) ++ return PTR_ERR(task); ++ ++ worker->kthread_task = task; ++ wake_up_process(task); ++ ret = xa_alloc(&dev->worker_xa, &id, worker, xa_limit_32b, GFP_KERNEL); ++ if (ret < 0) ++ goto stop_worker; ++ ++ ret = vhost_attach_task_to_cgroups(worker); ++ if (ret) ++ goto stop_worker; ++ ++ worker->id = id; ++ return 0; ++ ++stop_worker: ++ vhost_kthread_do_stop(worker); ++ return ret; ++} ++ ++static const struct vhost_worker_ops kthread_ops = { ++ .create = vhost_kthread_worker_create, ++ .stop = vhost_kthread_do_stop, ++ .wakeup = vhost_kthread_wakeup, ++}; ++ ++static const struct vhost_worker_ops vhost_task_ops = { ++ .create = vhost_task_worker_create, ++ .stop = vhost_task_do_stop, ++ .wakeup = vhost_task_wakeup, ++}; ++ + static struct vhost_worker *vhost_worker_create(struct vhost_dev *dev) + { + struct vhost_worker *worker; +- struct vhost_task *vtsk; + char name[TASK_COMM_LEN]; + int ret; +- u32 id; ++ const struct vhost_worker_ops *ops = dev->fork_owner ? &vhost_task_ops : ++ &kthread_ops; + + worker = kzalloc(sizeof(*worker), GFP_KERNEL_ACCOUNT); + if (!worker) + return NULL; + + worker->dev = dev; ++ worker->ops = ops; + snprintf(name, sizeof(name), "vhost-%d", current->pid); + +- vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed, +- worker, name); +- if (IS_ERR(vtsk)) +- goto free_worker; +- + mutex_init(&worker->mutex); + init_llist_head(&worker->work_list); + worker->kcov_handle = kcov_common_handle(); +- worker->vtsk = vtsk; +- +- vhost_task_start(vtsk); +- +- ret = xa_alloc(&dev->worker_xa, &id, worker, xa_limit_32b, GFP_KERNEL); ++ ret = ops->create(worker, dev, name); + if (ret < 0) +- goto stop_worker; +- worker->id = id; ++ goto free_worker; + + return worker; + +-stop_worker: +- vhost_task_stop(vtsk); + free_worker: + kfree(worker); + return NULL; +@@ -865,6 +1025,14 @@ long vhost_worker_ioctl(struct vhost_dev *dev, unsigned int ioctl, + switch (ioctl) { + /* dev worker ioctls */ + case VHOST_NEW_WORKER: ++ /* ++ * vhost_tasks will account for worker threads under the parent's ++ * NPROC value but kthreads do not. To avoid userspace overflowing ++ * the system with worker threads fork_owner must be true. ++ */ ++ if (!dev->fork_owner) ++ return -EFAULT; ++ + ret = vhost_new_worker(dev, &state); + if (!ret && copy_to_user(argp, &state, sizeof(state))) + ret = -EFAULT; +@@ -982,6 +1150,7 @@ void vhost_dev_reset_owner(struct vhost_dev *dev, struct vhost_iotlb *umem) + + vhost_dev_cleanup(dev); + ++ dev->fork_owner = fork_from_owner_default; + dev->umem = umem; + /* We don't need VQ locks below since vhost_dev_cleanup makes sure + * VQs aren't running. +@@ -2135,6 +2304,45 @@ long vhost_dev_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp) + goto done; + } + ++#ifdef CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL ++ if (ioctl == VHOST_SET_FORK_FROM_OWNER) { ++ /* Only allow modification before owner is set */ ++ if (vhost_dev_has_owner(d)) { ++ r = -EBUSY; ++ goto done; ++ } ++ u8 fork_owner_val; ++ ++ if (get_user(fork_owner_val, (u8 __user *)argp)) { ++ r = -EFAULT; ++ goto done; ++ } ++ if (fork_owner_val != VHOST_FORK_OWNER_TASK && ++ fork_owner_val != VHOST_FORK_OWNER_KTHREAD) { ++ r = -EINVAL; ++ goto done; ++ } ++ d->fork_owner = !!fork_owner_val; ++ r = 0; ++ goto done; ++ } ++ if (ioctl == VHOST_GET_FORK_FROM_OWNER) { ++ u8 fork_owner_val = d->fork_owner; ++ ++ if (fork_owner_val != VHOST_FORK_OWNER_TASK && ++ fork_owner_val != VHOST_FORK_OWNER_KTHREAD) { ++ r = -EINVAL; ++ goto done; ++ } ++ if (put_user(fork_owner_val, (u8 __user *)argp)) { ++ r = -EFAULT; ++ goto done; ++ } ++ r = 0; ++ goto done; ++ } ++#endif ++ + /* You must be the owner to do anything else */ + r = vhost_dev_check_owner(d); + if (r) +diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h +index bb75a292d50c..ab704d84fb34 100644 +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -26,7 +26,18 @@ struct vhost_work { + unsigned long flags; + }; + ++struct vhost_worker; ++struct vhost_dev; ++ ++struct vhost_worker_ops { ++ int (*create)(struct vhost_worker *worker, struct vhost_dev *dev, ++ const char *name); ++ void (*stop)(struct vhost_worker *worker); ++ void (*wakeup)(struct vhost_worker *worker); ++}; ++ + struct vhost_worker { ++ struct task_struct *kthread_task; + struct vhost_task *vtsk; + struct vhost_dev *dev; + /* Used to serialize device wide flushing with worker swapping. */ +@@ -36,6 +47,7 @@ struct vhost_worker { + u32 id; + int attachment_cnt; + bool killed; ++ const struct vhost_worker_ops *ops; + }; + + /* Poll a file (eventfd or socket) */ +@@ -176,6 +188,16 @@ struct vhost_dev { + int byte_weight; + struct xarray worker_xa; + bool use_worker; ++ /* ++ * If fork_owner is true we use vhost_tasks to create ++ * the worker so all settings/limits like cgroups, NPROC, ++ * scheduler, etc are inherited from the owner. If false, ++ * we use kthreads and only attach to the same cgroups ++ * as the owner for compat with older kernels. ++ * here we use true as default value. ++ * The default value is set by fork_from_owner_default ++ */ ++ bool fork_owner; + int (*msg_handler)(struct vhost_dev *dev, u32 asid, + struct vhost_iotlb_msg *msg); + }; +diff --git a/include/uapi/linux/vhost.h b/include/uapi/linux/vhost.h +index d4b3e2ae1314..e72f2655459e 100644 +--- a/include/uapi/linux/vhost.h ++++ b/include/uapi/linux/vhost.h +@@ -235,4 +235,33 @@ + */ + #define VHOST_VDPA_GET_VRING_SIZE _IOWR(VHOST_VIRTIO, 0x82, \ + struct vhost_vring_state) ++ ++/* fork_owner values for vhost */ ++#define VHOST_FORK_OWNER_KTHREAD 0 ++#define VHOST_FORK_OWNER_TASK 1 ++ ++/** ++ * VHOST_SET_FORK_FROM_OWNER - Set the fork_owner flag for the vhost device, ++ * This ioctl must called before VHOST_SET_OWNER. ++ * Only available when CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL=y ++ * ++ * @param fork_owner: An 8-bit value that determines the vhost thread mode ++ * ++ * When fork_owner is set to VHOST_FORK_OWNER_TASK(default value): ++ * - Vhost will create vhost worker as tasks forked from the owner, ++ * inheriting all of the owner's attributes. ++ * ++ * When fork_owner is set to VHOST_FORK_OWNER_KTHREAD: ++ * - Vhost will create vhost workers as kernel threads. ++ */ ++#define VHOST_SET_FORK_FROM_OWNER _IOW(VHOST_VIRTIO, 0x83, __u8) ++ ++/** ++ * VHOST_GET_FORK_OWNER - Get the current fork_owner flag for the vhost device. ++ * Only available when CONFIG_VHOST_ENABLE_FORK_OWNER_CONTROL=y ++ * ++ * @return: An 8-bit value indicating the current thread mode. ++ */ ++#define VHOST_GET_FORK_FROM_OWNER _IOR(VHOST_VIRTIO, 0x84, __u8) ++ + #endif +-- +2.39.5 + diff --git a/queue-6.15/vhost-scsi-fix-check-for-inline_sg_cnt-exceeding-pre.patch b/queue-6.15/vhost-scsi-fix-check-for-inline_sg_cnt-exceeding-pre.patch new file mode 100644 index 0000000000..5cbd9299cb --- /dev/null +++ b/queue-6.15/vhost-scsi-fix-check-for-inline_sg_cnt-exceeding-pre.patch @@ -0,0 +1,44 @@ +From 1e095cc0dfee3d411290559ddf5c2415946b98ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jun 2025 11:33:53 -0700 +Subject: vhost-scsi: Fix check for inline_sg_cnt exceeding preallocated limit + +From: Alok Tiwari + +[ Upstream commit 400cad513c78f9af72c5a20f3611c1f1dc71d465 ] + +The condition comparing ret to VHOST_SCSI_PREALLOC_SGLS was incorrect, +as ret holds the result of kstrtouint() (typically 0 on success), +not the parsed value. Update the check to use cnt, which contains the +actual user-provided value. + +prevents silently accepting values exceeding the maximum inline_sg_cnt. + +Fixes: bca939d5bcd0 ("vhost-scsi: Dynamically allocate scatterlists") +Signed-off-by: Alok Tiwari +Reviewed-by: Mike Christie +Reviewed-by: Stefan Hajnoczi +Message-Id: <20250628183405.3979538-1-alok.a.tiwari@oracle.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vhost/scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index 5b112de79f27..d3b8355f7953 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -71,7 +71,7 @@ static int vhost_scsi_set_inline_sg_cnt(const char *buf, + if (ret) + return ret; + +- if (ret > VHOST_SCSI_PREALLOC_SGLS) { ++ if (cnt > VHOST_SCSI_PREALLOC_SGLS) { + pr_err("Max inline_sg_cnt is %u\n", VHOST_SCSI_PREALLOC_SGLS); + return -EINVAL; + } +-- +2.39.5 + diff --git a/queue-6.15/vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch b/queue-6.15/vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch new file mode 100644 index 0000000000..6ed2ba986a --- /dev/null +++ b/queue-6.15/vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch @@ -0,0 +1,65 @@ +From 07ea858fdf857bb12f1a4b48385e0e0c90c2cb15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 16:01:13 -0500 +Subject: vhost-scsi: Fix log flooding with target does not exist errors + +From: Mike Christie + +[ Upstream commit 69cd720a8a5e9ef0f05ce5dd8c9ea6e018245c82 ] + +As part of the normal initiator side scanning the guest's scsi layer +will loop over all possible targets and send an inquiry. Since the +max number of targets for virtio-scsi is 256, this can result in 255 +error messages about targets not existing if you only have a single +target. When there's more than 1 vhost-scsi device each with a single +target, then you get N * 255 log messages. + +It looks like the log message was added by accident in: + +commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from +control queue handler") + +when we added common helpers. Then in: + +commit 09d7583294aa ("vhost/scsi: Use common handling code in request +queue handler") + +we converted the scsi command processing path to use the new +helpers so we started to see the extra log messages during scanning. + +The patches were just making some code common but added the vq_err +call and I'm guessing the patch author forgot to enable the vq_err +call (vq_err is implemented by pr_debug which defaults to off). So +this patch removes the call since it's expected to hit this path +during device discovery. + +Fixes: 09d7583294aa ("vhost/scsi: Use common handling code in request queue handler") +Signed-off-by: Mike Christie +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Stefano Garzarella +Message-Id: <20250611210113.10912-1-michael.christie@oracle.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/scsi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index 26bcf3a7f70c..5b112de79f27 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -1148,10 +1148,8 @@ vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc, + /* validated at handler entry */ + vs_tpg = vhost_vq_get_backend(vq); + tpg = READ_ONCE(vs_tpg[*vc->target]); +- if (unlikely(!tpg)) { +- vq_err(vq, "Target 0x%x does not exist\n", *vc->target); ++ if (unlikely(!tpg)) + goto out; +- } + } + + if (tpgp) +-- +2.39.5 + diff --git a/queue-6.15/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch b/queue-6.15/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch new file mode 100644 index 0000000000..f0c7eb627b --- /dev/null +++ b/queue-6.15/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch @@ -0,0 +1,49 @@ +From b42a5c1f1c6b00b7c4df81d35a6f9caf9115ad05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 13:52:14 +0800 +Subject: vmci: Prevent the dispatching of uninitialized payloads + +From: Lizhi Xu + +[ Upstream commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031 ] + +The reproducer executes the host's unlocked_ioctl call in two different +tasks. When init_context fails, the struct vmci_event_ctx is not fully +initialized when executing vmci_datagram_dispatch() to send events to all +vm contexts. This affects the datagram taken from the datagram queue of +its context by another task, because the datagram payload is not initialized +according to the size payload_size, which causes the kernel data to leak +to the user space. + +Before dispatching the datagram, and before setting the payload content, +explicitly set the payload content to 0 to avoid data leakage caused by +incomplete payload initialization. + +Fixes: 28d6692cd8fb ("VMCI: context implementation.") +Reported-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9b9124ae9b12d5af5d95 +Tested-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com +Signed-off-by: Lizhi Xu +Link: https://lore.kernel.org/r/20250627055214.2967129-1-lizhi.xu@windriver.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_context.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c +index f22b44827e92..d566103caa27 100644 +--- a/drivers/misc/vmw_vmci/vmci_context.c ++++ b/drivers/misc/vmw_vmci/vmci_context.c +@@ -251,6 +251,8 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags) + ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID, + VMCI_CONTEXT_RESOURCE_ID); + ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr); ++ memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0, ++ ev.msg.hdr.payload_size); + ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED; + ev.payload.context_id = context_id; + +-- +2.39.5 + diff --git a/queue-6.15/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch b/queue-6.15/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch new file mode 100644 index 0000000000..dcc7ea3fef --- /dev/null +++ b/queue-6.15/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch @@ -0,0 +1,65 @@ +From 23a6788e39918218c69f6d0cadb84c7856b685bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 09:00:43 -0700 +Subject: vrf: Drop existing dst reference in vrf_ip6_input_dst + +From: Stanislav Fomichev + +[ Upstream commit f388f807eca1de9e6e70f9ffb1a573c3811c4215 ] + +Commit ff3fbcdd4724 ("selftests: tc: Add generic erspan_opts matching support +for tc-flower") started triggering the following kmemleak warning: + +unreferenced object 0xffff888015fb0e00 (size 512): + comm "softirq", pid 0, jiffies 4294679065 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 40 d2 85 9e ff ff ff ff ........@....... + 41 69 59 9d ff ff ff ff 00 00 00 00 00 00 00 00 AiY............. + backtrace (crc 30b71e8b): + __kmalloc_noprof+0x359/0x460 + metadata_dst_alloc+0x28/0x490 + erspan_rcv+0x4f1/0x1160 [ip_gre] + gre_rcv+0x217/0x240 [ip_gre] + gre_rcv+0x1b8/0x400 [gre] + ip_protocol_deliver_rcu+0x31d/0x3a0 + ip_local_deliver_finish+0x37d/0x620 + ip_local_deliver+0x174/0x460 + ip_rcv+0x52b/0x6b0 + __netif_receive_skb_one_core+0x149/0x1a0 + process_backlog+0x3c8/0x1390 + __napi_poll.constprop.0+0xa1/0x390 + net_rx_action+0x59b/0xe00 + handle_softirqs+0x22b/0x630 + do_softirq+0xb1/0xf0 + __local_bh_enable_ip+0x115/0x150 + +vrf_ip6_input_dst unconditionally sets skb dst entry, add a call to +skb_dst_drop to drop any existing entry. + +Cc: David Ahern +Reviewed-by: Ido Schimmel +Fixes: 9ff74384600a ("net: vrf: Handle ipv6 multicast and link-local addresses") +Signed-off-by: Stanislav Fomichev +Link: https://patch.msgid.link/20250725160043.350725-1-sdf@fomichev.me +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vrf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index 7168b33adadb..8b12b3ae580d 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -1304,6 +1304,8 @@ static void vrf_ip6_input_dst(struct sk_buff *skb, struct net_device *vrf_dev, + struct net *net = dev_net(vrf_dev); + struct rt6_info *rt6; + ++ skb_dst_drop(skb); ++ + rt6 = vrf_ip6_route_lookup(net, vrf_dev, &fl6, ifindex, skb, + RT6_LOOKUP_F_HAS_SADDR | RT6_LOOKUP_F_IFACE); + if (unlikely(!rt6)) +-- +2.39.5 + diff --git a/queue-6.15/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch b/queue-6.15/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch new file mode 100644 index 0000000000..b726e2956f --- /dev/null +++ b/queue-6.15/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch @@ -0,0 +1,42 @@ +From ec1d81a5a876c75f5411de8f958ca707b00d3d41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 23:22:19 +0300 +Subject: watchdog: ziirave_wdt: check record length in ziirave_firm_verify() + +From: Dan Carpenter + +[ Upstream commit 8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 ] + +The "rec->len" value comes from the firmware. We generally do +trust firmware, but it's always better to double check. If +the length value is too large it would lead to memory corruption +when we set "data[i] = ret;" + +Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.") +Signed-off-by: Dan Carpenter +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/ziirave_wdt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c +index fcc1ba02e75b..5c6e3fa001d8 100644 +--- a/drivers/watchdog/ziirave_wdt.c ++++ b/drivers/watchdog/ziirave_wdt.c +@@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd, + const u16 len = be16_to_cpu(rec->len); + const u32 addr = be32_to_cpu(rec->addr); + ++ if (len > sizeof(data)) ++ return -EINVAL; ++ + if (ziirave_firm_addr_readonly(addr)) + continue; + +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch b/queue-6.15/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch new file mode 100644 index 0000000000..c2fe4e9330 --- /dev/null +++ b/queue-6.15/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch @@ -0,0 +1,97 @@ +From 7796b5a24a8fe6f2cd215ab56c022b7013d43c6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 17:45:06 +0900 +Subject: wifi: ath11k: clear initialized flag for deinit-ed srng lists + +From: Sergey Senozhatsky + +[ Upstream commit a5b46aa7cf5f05c213316a018e49a8e086efd98e ] + +In a number of cases we see kernel panics on resume due +to ath11k kernel page fault, which happens under the +following circumstances: + +1) First ath11k_hal_dump_srng_stats() call + + Last interrupt received for each group: + ath11k_pci 0000:01:00.0: group_id 0 22511ms before + ath11k_pci 0000:01:00.0: group_id 1 14440788ms before + [..] + ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. + ath11k_pci 0000:01:00.0: Service connect timeout + ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 + ath11k_pci 0000:01:00.0: failed to start core: -110 + ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM + ath11k_pci 0000:01:00.0: already resetting count 2 + ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 + ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 + ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery + [..] + +2) At this point reconfiguration fails (we have 2 resets) and + ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() + which destroys srng lists. However, it does not reset per-list + ->initialized flag. + +3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized + flag and attempts to dump srng stats: + + Last interrupt received for each group: + ath11k_pci 0000:01:00.0: group_id 0 66785ms before + ath11k_pci 0000:01:00.0: group_id 1 14485062ms before + ath11k_pci 0000:01:00.0: group_id 2 14485062ms before + ath11k_pci 0000:01:00.0: group_id 3 14485062ms before + ath11k_pci 0000:01:00.0: group_id 4 14780845ms before + ath11k_pci 0000:01:00.0: group_id 5 14780845ms before + ath11k_pci 0000:01:00.0: group_id 6 14485062ms before + ath11k_pci 0000:01:00.0: group_id 7 66814ms before + ath11k_pci 0000:01:00.0: group_id 8 68997ms before + ath11k_pci 0000:01:00.0: group_id 9 67588ms before + ath11k_pci 0000:01:00.0: group_id 10 69511ms before + BUG: unable to handle page fault for address: ffffa007404eb010 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] + Call Trace: + + ? __die_body+0xae/0xb0 + ? page_fault_oops+0x381/0x3e0 + ? exc_page_fault+0x69/0xa0 + ? asm_exc_page_fault+0x22/0x30 + ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] + ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] + worker_thread+0x389/0x930 + kthread+0x149/0x170 + +Clear per-list ->initialized flag in ath11k_hal_srng_deinit(). + +Signed-off-by: Sergey Senozhatsky +Reviewed-by: Baochen Qiang +Fixes: 5118935b1bc2 ("ath11k: dump SRNG stats during FW assert") +Link: https://patch.msgid.link/20250612084551.702803-1-senozhatsky@chromium.org +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/hal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c +index 8cb1505a5a0c..cab11a35f911 100644 +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -1346,6 +1346,10 @@ EXPORT_SYMBOL(ath11k_hal_srng_init); + void ath11k_hal_srng_deinit(struct ath11k_base *ab) + { + struct ath11k_hal *hal = &ab->hal; ++ int i; ++ ++ for (i = 0; i < HAL_SRNG_RING_ID_MAX; i++) ++ ab->hal.srng_list[i].initialized = 0; + + ath11k_hal_unregister_srng_key(ab); + ath11k_hal_free_cont_rdp(ab); +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath11k-fix-sleeping-in-atomic-in-ath11k_mac_op_.patch b/queue-6.15/wifi-ath11k-fix-sleeping-in-atomic-in-ath11k_mac_op_.patch new file mode 100644 index 0000000000..23b846d3b3 --- /dev/null +++ b/queue-6.15/wifi-ath11k-fix-sleeping-in-atomic-in-ath11k_mac_op_.patch @@ -0,0 +1,72 @@ +From e26dffe2020f3657aa99528e7a39dd25dd9b418d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 10:25:28 +0800 +Subject: wifi: ath11k: fix sleeping-in-atomic in + ath11k_mac_op_set_bitrate_mask() + +From: Baochen Qiang + +[ Upstream commit 65c12b104cb942d588a1a093acc4537fb3d3b129 ] + +ath11k_mac_disable_peer_fixed_rate() is passed as the iterator to +ieee80211_iterate_stations_atomic(). Note in this case the iterator is +required to be atomic, however ath11k_mac_disable_peer_fixed_rate() does +not follow it as it might sleep. Consequently below warning is seen: + +BUG: sleeping function called from invalid context at wmi.c:304 +Call Trace: + + dump_stack_lvl + __might_resched.cold + ath11k_wmi_cmd_send + ath11k_wmi_set_peer_param + ath11k_mac_disable_peer_fixed_rate + ieee80211_iterate_stations_atomic + ath11k_mac_op_set_bitrate_mask.cold + +Change to ieee80211_iterate_stations_mtx() to fix this issue. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20250603-ath11k-use-non-atomic-iterator-v1-1-d75762068d56@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 4763b271309a..9514e95d5020 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -8734,9 +8734,9 @@ ath11k_mac_op_set_bitrate_mask(struct ieee80211_hw *hw, + arvif->vdev_id, ret); + return ret; + } +- ieee80211_iterate_stations_atomic(ar->hw, +- ath11k_mac_disable_peer_fixed_rate, +- arvif); ++ ieee80211_iterate_stations_mtx(ar->hw, ++ ath11k_mac_disable_peer_fixed_rate, ++ arvif); + } else if (ath11k_mac_bitrate_mask_get_single_nss(ar, arvif, band, mask, + &single_nss)) { + rate = WMI_FIXED_RATE_NONE; +@@ -8803,9 +8803,9 @@ ath11k_mac_op_set_bitrate_mask(struct ieee80211_hw *hw, + } + + mutex_lock(&ar->conf_mutex); +- ieee80211_iterate_stations_atomic(ar->hw, +- ath11k_mac_disable_peer_fixed_rate, +- arvif); ++ ieee80211_iterate_stations_mtx(ar->hw, ++ ath11k_mac_disable_peer_fixed_rate, ++ arvif); + + arvif->bitrate_mask = *mask; + ieee80211_iterate_stations_atomic(ar->hw, +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath12k-avoid-accessing-uninitialized-arvif-ar-d.patch b/queue-6.15/wifi-ath12k-avoid-accessing-uninitialized-arvif-ar-d.patch new file mode 100644 index 0000000000..b20dc0efbe --- /dev/null +++ b/queue-6.15/wifi-ath12k-avoid-accessing-uninitialized-arvif-ar-d.patch @@ -0,0 +1,151 @@ +From 07d59d27c783eef75d2ceb615116a208cbea917a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 00:26:35 +0530 +Subject: wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon + miss + +From: Rameshkumar Sundaram + +[ Upstream commit 36670b67de18f1e5d34900c5d2ac60a8970c293c ] + +During beacon miss handling, ath12k driver iterates over active virtual +interfaces (vifs) and attempts to access the radio object (ar) via +arvif->deflink->ar. + +However, after commit aa80f12f3bed ("wifi: ath12k: defer vdev creation for +MLO"), arvif is linked to a radio only after vdev creation, typically when +a channel is assigned or a scan is requested. +For P2P capable devices, a default P2P interface is created by +wpa_supplicant along with regular station interfaces, these serve as dummy +interfaces for P2P-capable stations, lack an associated netdev and initiate +frequent scans to discover neighbor p2p devices. When a scan is initiated +on such P2P vifs, driver selects destination radio (ar) based on scan +frequency, creates a scan vdev, and attaches arvif to the radio. Once the +scan completes or is aborted, the scan vdev is deleted, detaching arvif +from the radio and leaving arvif->ar uninitialized. + +While handling beacon miss for station interfaces, P2P interface is also +encountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter() +tries to dereference the uninitialized arvif->deflink->ar. + +Fix this by verifying that vdev is created for the arvif before accessing +its ar during beacon miss handling and similar vif iterator callbacks. + +========================================================================== + wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + + CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full) + RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k] + Call Trace: + __iterate_interfaces+0x11a/0x410 [mac80211] + ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211] + ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k] + ath12k_roam_event+0x393/0x560 [ath12k] + ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k] + ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k] + ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k] + ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k] + ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k] + ath12k_pci_ce_workqueue+0x69/0x120 [ath12k] + process_one_work+0xe3a/0x1430 + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Fixes: aa80f12f3bed ("wifi: ath12k: defer vdev creation for MLO") +Signed-off-by: Rameshkumar Sundaram +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250618185635.750470-1-rameshkumar.sundaram@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 15 +++++++++------ + drivers/net/wireless/ath/ath12k/p2p.c | 3 ++- + 2 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index d1d3c9f34372..7333ca58d541 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -685,6 +685,9 @@ static void ath12k_get_arvif_iter(void *data, u8 *mac, + if (WARN_ON(!arvif)) + continue; + ++ if (!arvif->is_created) ++ continue; ++ + if (arvif->vdev_id == arvif_iter->vdev_id && + arvif->ar == arvif_iter->ar) { + arvif_iter->arvif = arvif; +@@ -1844,7 +1847,7 @@ static void ath12k_mac_handle_beacon_iter(void *data, u8 *mac, + struct ath12k_vif *ahvif = ath12k_vif_to_ahvif(vif); + struct ath12k_link_vif *arvif = &ahvif->deflink; + +- if (vif->type != NL80211_IFTYPE_STATION) ++ if (vif->type != NL80211_IFTYPE_STATION || !arvif->is_created) + return; + + if (!ether_addr_equal(mgmt->bssid, vif->bss_conf.bssid)) +@@ -1867,16 +1870,16 @@ static void ath12k_mac_handle_beacon_miss_iter(void *data, u8 *mac, + u32 *vdev_id = data; + struct ath12k_vif *ahvif = ath12k_vif_to_ahvif(vif); + struct ath12k_link_vif *arvif = &ahvif->deflink; +- struct ath12k *ar = arvif->ar; +- struct ieee80211_hw *hw = ath12k_ar_to_hw(ar); ++ struct ieee80211_hw *hw; + +- if (arvif->vdev_id != *vdev_id) ++ if (!arvif->is_created || arvif->vdev_id != *vdev_id) + return; + + if (!arvif->is_up) + return; + + ieee80211_beacon_loss(vif); ++ hw = ath12k_ar_to_hw(arvif->ar); + + /* Firmware doesn't report beacon loss events repeatedly. If AP probe + * (done by mac80211) succeeds but beacons do not resume then it +@@ -9165,7 +9168,7 @@ ath12k_mac_change_chanctx_cnt_iter(void *data, u8 *mac, + if (WARN_ON(!arvif)) + continue; + +- if (arvif->ar != arg->ar) ++ if (!arvif->is_created || arvif->ar != arg->ar) + continue; + + link_conf = wiphy_dereference(ahvif->ah->hw->wiphy, +@@ -9200,7 +9203,7 @@ ath12k_mac_change_chanctx_fill_iter(void *data, u8 *mac, + if (WARN_ON(!arvif)) + continue; + +- if (arvif->ar != arg->ar) ++ if (!arvif->is_created || arvif->ar != arg->ar) + continue; + + link_conf = wiphy_dereference(ahvif->ah->hw->wiphy, +diff --git a/drivers/net/wireless/ath/ath12k/p2p.c b/drivers/net/wireless/ath/ath12k/p2p.c +index 84cccf7d91e7..59589748f1a8 100644 +--- a/drivers/net/wireless/ath/ath12k/p2p.c ++++ b/drivers/net/wireless/ath/ath12k/p2p.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: BSD-3-Clause-Clear + /* + * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. + */ + + #include +@@ -124,7 +125,7 @@ static void ath12k_p2p_noa_update_vdev_iter(void *data, u8 *mac, + + WARN_ON(!rcu_read_lock_any_held()); + arvif = &ahvif->deflink; +- if (arvif->ar != arg->ar || arvif->vdev_id != arg->vdev_id) ++ if (!arvif->is_created || arvif->ar != arg->ar || arvif->vdev_id != arg->vdev_id) + return; + + ath12k_p2p_noa_update(arvif, arg->noa); +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath12k-block-radio-bring-up-in-ftm-mode.patch b/queue-6.15/wifi-ath12k-block-radio-bring-up-in-ftm-mode.patch new file mode 100644 index 0000000000..f5bd491cc0 --- /dev/null +++ b/queue-6.15/wifi-ath12k-block-radio-bring-up-in-ftm-mode.patch @@ -0,0 +1,68 @@ +From 039e7c446a87d036dc82bf1ba0917b9de5a62c35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 08:45:02 +0530 +Subject: wifi: ath12k: Block radio bring-up in FTM mode + +From: Aaradhana Sahu + +[ Upstream commit 80570587e418f361e7ce3f9200477f728b38c94b ] + +Ensure that all radios remain down when the driver operates in Factory +Test Mode (FTM). Reject any userspace attempts to bring up an +interface in this mode. + +Currently, the driver allows userspace to bring up the interface even +though it operates in FTM mode, which violates FTM constraints and +leads to FTM command failures. + +Hence, block the radio start when the driver is in FTM mode. Also, +remove ath12k_ftm_mode check from ath12k_drain_tx() because FTM mode +check is already handled in the caller function +(ath12k_mac_op_start()). + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Fixes: 3bc374cbc49e ("wifi: ath12k: add factory test mode support") +Signed-off-by: Aaradhana Sahu +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250630031502.8902-1-aaradhana.sahu@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index ccc27863f333..029376c57496 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -7689,14 +7689,9 @@ static int ath12k_mac_start(struct ath12k *ar) + + static void ath12k_drain_tx(struct ath12k_hw *ah) + { +- struct ath12k *ar = ah->radio; ++ struct ath12k *ar; + int i; + +- if (ath12k_ftm_mode) { +- ath12k_err(ar->ab, "fail to start mac operations in ftm mode\n"); +- return; +- } +- + lockdep_assert_wiphy(ah->hw->wiphy); + + for_each_ar(ah, ar, i) +@@ -7709,6 +7704,9 @@ static int ath12k_mac_op_start(struct ieee80211_hw *hw) + struct ath12k *ar; + int ret, i; + ++ if (ath12k_ftm_mode) ++ return -EPERM; ++ + lockdep_assert_wiphy(hw->wiphy); + + ath12k_drain_tx(ah); +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath12k-clear-auth-flag-only-for-actual-associat.patch b/queue-6.15/wifi-ath12k-clear-auth-flag-only-for-actual-associat.patch new file mode 100644 index 0000000000..0c2e332322 --- /dev/null +++ b/queue-6.15/wifi-ath12k-clear-auth-flag-only-for-actual-associat.patch @@ -0,0 +1,82 @@ +From 76229f36671d6b88965250301e859f8a6c82652d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jun 2025 20:26:51 +0530 +Subject: wifi: ath12k: Clear auth flag only for actual association in security + mode + +From: Thiraviyam Mariyappan + +[ Upstream commit c27bb624b3d789a337df3bbcc020a575680555cc ] + +When setting a new bitrate, WMI peer association command is sent from +the host without the peer authentication bit set in peer_flags for +security mode, which causes ping failure. + +The firmware handles peer_flags when the client is associating, as the +peer authentication bit in peer_flags is set after the key exchange. +When the WMI peer association command is sent from the host to update +the new bitrate for an associated STA, the firmware expects the WMI +peer authentication bit to be set in peer_flags. + +Fix this issue by ensuring that the WMI peer auth bit is set in +peer_flags in WMI peer association command when updating the new +bitrate. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: Thiraviyam Mariyappan +Signed-off-by: Ramasamy Kaliappan +Link: https://patch.msgid.link/20250608145651.1735236-1-ramasamy.kaliappan@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 4 ++++ + drivers/net/wireless/ath/ath12k/wmi.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index 7333ca58d541..ccc27863f333 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -3315,6 +3315,7 @@ static void ath12k_bss_assoc(struct ath12k *ar, + + rcu_read_unlock(); + ++ peer_arg->is_assoc = true; + ret = ath12k_wmi_send_peer_assoc_cmd(ar, peer_arg); + if (ret) { + ath12k_warn(ar->ab, "failed to run peer assoc for %pM vdev %i: %d\n", +@@ -5087,6 +5088,8 @@ static int ath12k_mac_station_assoc(struct ath12k *ar, + "invalid peer NSS %d\n", peer_arg->peer_nss); + return -EINVAL; + } ++ ++ peer_arg->is_assoc = true; + ret = ath12k_wmi_send_peer_assoc_cmd(ar, peer_arg); + if (ret) { + ath12k_warn(ar->ab, "failed to run peer assoc for STA %pM vdev %i: %d\n", +@@ -5333,6 +5336,7 @@ static void ath12k_sta_rc_update_wk(struct wiphy *wiphy, struct wiphy_work *wk) + ath12k_peer_assoc_prepare(ar, arvif, arsta, + peer_arg, true); + ++ peer_arg->is_assoc = false; + err = ath12k_wmi_send_peer_assoc_cmd(ar, peer_arg); + if (err) + ath12k_warn(ar->ab, "failed to run peer assoc for STA %pM vdev %i: %d\n", +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index a44fc9106634..f021498e5278 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -2136,7 +2136,7 @@ static void ath12k_wmi_copy_peer_flags(struct wmi_peer_assoc_complete_cmd *cmd, + cmd->peer_flags |= cpu_to_le32(WMI_PEER_AUTH); + if (arg->need_ptk_4_way) { + cmd->peer_flags |= cpu_to_le32(WMI_PEER_NEED_PTK_4_WAY); +- if (!hw_crypto_disabled) ++ if (!hw_crypto_disabled && arg->is_assoc) + cmd->peer_flags &= cpu_to_le32(~WMI_PEER_AUTH); + } + if (arg->need_gtk_2_way) +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath12k-fix-double-budget-decrement-while-reapin.patch b/queue-6.15/wifi-ath12k-fix-double-budget-decrement-while-reapin.patch new file mode 100644 index 0000000000..0c2968b25c --- /dev/null +++ b/queue-6.15/wifi-ath12k-fix-double-budget-decrement-while-reapin.patch @@ -0,0 +1,45 @@ +From 4524037a9db152a399eacc3cf689a07dea94a3e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 16:05:42 +0530 +Subject: wifi: ath12k: Fix double budget decrement while reaping monitor ring + +From: P Praneesh + +[ Upstream commit 54c350055b1da2767f18a49c11e4fcc42cf33ff8 ] + +Currently, the budget for monitor ring is reduced during each ring entry +reaping and again when the end reason is HAL_MON_END_OF_PPDU, leading to +inefficient budget use. The below mentioned commit intended to decrement +the budget only for HAL_MON_END_OF_PPDU but did not remove the other +decrement. Fix this by eliminating the budget decrement for each ring entry +reaping, ensuring the driver always reaps one full PPDU worth of entries +from the monitor destination ring. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Fixes: 394a3fa7c538 ("wifi: ath12k: Optimize NAPI budget by adjusting PPDU processing") +Signed-off-by: P Praneesh +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250603103542.1164713-1-praneesh.p@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_mon.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c +index 826c9723a7a6..340a7b3474b1 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_mon.c ++++ b/drivers/net/wireless/ath/ath12k/dp_mon.c +@@ -3528,7 +3528,6 @@ int ath12k_dp_mon_srng_process(struct ath12k *ar, int *budget, + ath12k_hal_srng_access_begin(ab, srng); + + while (likely(*budget)) { +- *budget -= 1; + mon_dst_desc = ath12k_hal_srng_dst_peek(ab, srng); + if (unlikely(!mon_dst_desc)) + break; +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath12k-fix-endianness-handling-while-accessing-.patch b/queue-6.15/wifi-ath12k-fix-endianness-handling-while-accessing-.patch new file mode 100644 index 0000000000..102aded05e --- /dev/null +++ b/queue-6.15/wifi-ath12k-fix-endianness-handling-while-accessing-.patch @@ -0,0 +1,70 @@ +From 242c7534ba64376a0614e6693b5edc2ae37ecbac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 23:05:38 +0530 +Subject: wifi: ath12k: fix endianness handling while accessing wmi service bit + +From: Tamizh Chelvam Raja + +[ Upstream commit 8f1a078842d4af4877fb686f3907788024d0d1b7 ] + +Currently there is no endian conversion in ath12k_wmi_tlv_services_parser() +so the service bit parsing will be incorrect on a big endian platform and +to fix this by using appropriate endian conversion. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00217-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Fixes: 342527f35338 ("wifi: ath12k: Add support to parse new WMI event for 6 GHz regulatory") +Signed-off-by: Tamizh Chelvam Raja +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250717173539.2523396-2-tamizh.raja@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index f021498e5278..9ebe4b573f7e 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -6829,7 +6829,7 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab, + void *data) + { + const struct wmi_service_available_event *ev; +- u32 *wmi_ext2_service_bitmap; ++ __le32 *wmi_ext2_service_bitmap; + int i, j; + u16 expected_len; + +@@ -6861,12 +6861,12 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab, + ev->wmi_service_segment_bitmap[3]); + break; + case WMI_TAG_ARRAY_UINT32: +- wmi_ext2_service_bitmap = (u32 *)ptr; ++ wmi_ext2_service_bitmap = (__le32 *)ptr; + for (i = 0, j = WMI_MAX_EXT_SERVICE; + i < WMI_SERVICE_SEGMENT_BM_SIZE32 && j < WMI_MAX_EXT2_SERVICE; + i++) { + do { +- if (wmi_ext2_service_bitmap[i] & ++ if (__le32_to_cpu(wmi_ext2_service_bitmap[i]) & + BIT(j % WMI_AVAIL_SERVICE_BITS_IN_SIZE32)) + set_bit(j, ab->wmi_ab.svc_map); + } while (++j % WMI_AVAIL_SERVICE_BITS_IN_SIZE32); +@@ -6874,8 +6874,10 @@ static int ath12k_wmi_tlv_services_parser(struct ath12k_base *ab, + + ath12k_dbg(ab, ATH12K_DBG_WMI, + "wmi_ext2_service_bitmap 0x%04x 0x%04x 0x%04x 0x%04x", +- wmi_ext2_service_bitmap[0], wmi_ext2_service_bitmap[1], +- wmi_ext2_service_bitmap[2], wmi_ext2_service_bitmap[3]); ++ __le32_to_cpu(wmi_ext2_service_bitmap[0]), ++ __le32_to_cpu(wmi_ext2_service_bitmap[1]), ++ __le32_to_cpu(wmi_ext2_service_bitmap[2]), ++ __le32_to_cpu(wmi_ext2_service_bitmap[3])); + break; + } + return 0; +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath12k-pass-ab-pointer-directly-to-ath12k_dp_tx.patch b/queue-6.15/wifi-ath12k-pass-ab-pointer-directly-to-ath12k_dp_tx.patch new file mode 100644 index 0000000000..7a77d22f33 --- /dev/null +++ b/queue-6.15/wifi-ath12k-pass-ab-pointer-directly-to-ath12k_dp_tx.patch @@ -0,0 +1,71 @@ +From e1f1fcbbc8c56e938730abc64ce33ab7b833cd6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 10:19:36 +0530 +Subject: wifi: ath12k: Pass ab pointer directly to + ath12k_dp_tx_get_encap_type() + +From: Tamizh Chelvam Raja + +[ Upstream commit 05062834350f0bf7ad1abcebc2807220e90220eb ] + +In ath12k_dp_tx_get_encap_type(), the arvif parameter is only used to +retrieve the ab pointer. In vdev delete sequence the arvif->ar could +become NULL and that would trigger kernel panic. +Since the caller ath12k_dp_tx() already has a valid ab pointer, pass it +directly to avoid panic and unnecessary dereferencing. + +PC points to "ath12k_dp_tx+0x228/0x988 [ath12k]" +LR points to "ath12k_dp_tx+0xc8/0x988 [ath12k]". +The Backtrace obtained is as follows: +ath12k_dp_tx+0x228/0x988 [ath12k] +ath12k_mac_tx_check_max_limit+0x608/0x920 [ath12k] +ieee80211_process_measurement_req+0x320/0x348 [mac80211] +ieee80211_tx_dequeue+0x9ac/0x1518 [mac80211] +ieee80211_tx_dequeue+0xb14/0x1518 [mac80211] +ieee80211_tx_prepare_skb+0x224/0x254 [mac80211] +ieee80211_xmit+0xec/0x100 [mac80211] +__ieee80211_subif_start_xmit+0xc50/0xf40 [mac80211] +ieee80211_subif_start_xmit+0x2e8/0x308 [mac80211] +netdev_start_xmit+0x150/0x18c +dev_hard_start_xmit+0x74/0xc0 + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 + +Fixes: e93bbd65547e ("wifi: ath12k: fix packets are sent in native wifi mode while we set raw mode") +Signed-off-by: Tamizh Chelvam Raja +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250606044936.3989400-1-tamizh.raja@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_tx.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_tx.c b/drivers/net/wireless/ath/ath12k/dp_tx.c +index f82d2c58eff3..faf58e91d3eb 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_tx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_tx.c +@@ -12,10 +12,9 @@ + #include "mac.h" + + static enum hal_tcl_encap_type +-ath12k_dp_tx_get_encap_type(struct ath12k_link_vif *arvif, struct sk_buff *skb) ++ath12k_dp_tx_get_encap_type(struct ath12k_base *ab, struct sk_buff *skb) + { + struct ieee80211_tx_info *tx_info = IEEE80211_SKB_CB(skb); +- struct ath12k_base *ab = arvif->ar->ab; + + if (test_bit(ATH12K_FLAG_RAW_MODE, &ab->dev_flags)) + return HAL_TCL_ENCAP_TYPE_RAW; +@@ -302,7 +301,7 @@ int ath12k_dp_tx(struct ath12k *ar, struct ath12k_link_vif *arvif, + u32_encode_bits(mcbc_gsn, HTT_TCL_META_DATA_GLOBAL_SEQ_NUM); + } + +- ti.encap_type = ath12k_dp_tx_get_encap_type(arvif, skb); ++ ti.encap_type = ath12k_dp_tx_get_encap_type(ab, skb); + ti.addr_search_flags = arvif->hal_addr_search_flags; + ti.search_type = arvif->search_type; + ti.type = HAL_TCL_DESC_TYPE_BUFFER; +-- +2.39.5 + diff --git a/queue-6.15/wifi-ath12k-use-htt_tcl_metadata_ver_v1-in-ftm-mode.patch b/queue-6.15/wifi-ath12k-use-htt_tcl_metadata_ver_v1-in-ftm-mode.patch new file mode 100644 index 0000000000..629cb6e2d4 --- /dev/null +++ b/queue-6.15/wifi-ath12k-use-htt_tcl_metadata_ver_v1-in-ftm-mode.patch @@ -0,0 +1,78 @@ +From b5b6af68120e45142c9f0e8e367835d94240d678 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 09:24:20 +0530 +Subject: wifi: ath12k: Use HTT_TCL_METADATA_VER_V1 in FTM mode + +From: Aaradhana Sahu + +[ Upstream commit 66b3ebc77d23d6574a965bdbfe41de8aeb7f384e ] + +Currently host sends HTT_TCL_METADATA_VER_V2 to the firmware +regardless of the operating mode (Mission or FTM). + +Firmware expects additional software information (like peer ID, vdev +ID, and link ID) in Tx packets when HTT_TCL_METADATA_VER_V2 is set. +However, in FTM (Factory Test Mode) mode, no vdev is created on the +host side (this is expected). As a result, the firmware fails to find +the expected vdev during packet processing and ends up dropping +packets. + +To fix this, send HTT_TCL_METADATA_VER_V1 in FTM mode because FTM +mode doesn't support HTT_TCL_METADATA_VER_V2. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1 + +Fixes: 5d964966bd3f ("wifi: ath12k: Update HTT_TCL_METADATA version and bit mask definitions") +Signed-off-by: Aaradhana Sahu +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250711035420.1509029-1-aaradhana.sahu@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp.h | 1 + + drivers/net/wireless/ath/ath12k/dp_tx.c | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/dp.h b/drivers/net/wireless/ath/ath12k/dp.h +index e8dbba0c3bb7..4003e81df535 100644 +--- a/drivers/net/wireless/ath/ath12k/dp.h ++++ b/drivers/net/wireless/ath/ath12k/dp.h +@@ -425,6 +425,7 @@ enum htt_h2t_msg_type { + }; + + #define HTT_VER_REQ_INFO_MSG_ID GENMASK(7, 0) ++#define HTT_OPTION_TCL_METADATA_VER_V1 1 + #define HTT_OPTION_TCL_METADATA_VER_V2 2 + #define HTT_OPTION_TAG GENMASK(7, 0) + #define HTT_OPTION_LEN GENMASK(15, 8) +diff --git a/drivers/net/wireless/ath/ath12k/dp_tx.c b/drivers/net/wireless/ath/ath12k/dp_tx.c +index faf58e91d3eb..5e741b221d87 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_tx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_tx.c +@@ -1107,6 +1107,7 @@ int ath12k_dp_tx_htt_h2t_ver_req_msg(struct ath12k_base *ab) + struct sk_buff *skb; + struct htt_ver_req_cmd *cmd; + int len = sizeof(*cmd); ++ u32 metadata_version; + int ret; + + init_completion(&dp->htt_tgt_version_received); +@@ -1119,12 +1120,14 @@ int ath12k_dp_tx_htt_h2t_ver_req_msg(struct ath12k_base *ab) + cmd = (struct htt_ver_req_cmd *)skb->data; + cmd->ver_reg_info = le32_encode_bits(HTT_H2T_MSG_TYPE_VERSION_REQ, + HTT_OPTION_TAG); ++ metadata_version = ath12k_ftm_mode ? HTT_OPTION_TCL_METADATA_VER_V1 : ++ HTT_OPTION_TCL_METADATA_VER_V2; + + cmd->tcl_metadata_version = le32_encode_bits(HTT_TAG_TCL_METADATA_VERSION, + HTT_OPTION_TAG) | + le32_encode_bits(HTT_TCL_METADATA_VER_SZ, + HTT_OPTION_LEN) | +- le32_encode_bits(HTT_OPTION_TCL_METADATA_VER_V2, ++ le32_encode_bits(metadata_version, + HTT_OPTION_VALUE); + + ret = ath12k_htc_send(&ab->htc, dp->eid, skb); +-- +2.39.5 + diff --git a/queue-6.15/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch b/queue-6.15/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch new file mode 100644 index 0000000000..421370ed03 --- /dev/null +++ b/queue-6.15/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch @@ -0,0 +1,65 @@ +From adcb5d9de6c5f1fb2f9277687267c565e2a14413 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 10:37:02 +0530 +Subject: wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing + P2P IE + +From: Gokul Sivakumar + +[ Upstream commit 579bf8037b70b644a674c126a32bbb2212cf5c21 ] + +After commit bd99a3013bdc ("brcmfmac: move configuration of probe request +IEs"), the probe request MGMT IE addition operation brcmf_vif_set_mgmt_ie() +got moved from the brcmf_p2p_scan_prep() to the brcmf_cfg80211_scan(). + +Because of this, as part of the scan request handler for the P2P Discovery, +vif struct used for adding the Probe Request P2P IE in firmware got changed +from the P2PAPI_BSSCFG_DEVICE vif to P2PAPI_BSSCFG_PRIMARY vif incorrectly. +So the firmware stopped adding P2P IE to the outgoing P2P Discovery probe +requests frames and the other P2P peers were unable to discover this device +causing a regression on the P2P feature. + +To fix this, while setting the P2P IE in firmware, properly use the vif of +the P2P discovery wdev on which the driver received the P2P scan request. +This is done by not changing the vif pointer, until brcmf_vif_set_mgmt_ie() +is completed. + +Fixes: bd99a3013bdc ("brcmfmac: move configuration of probe request IEs") +Signed-off-by: Gokul Sivakumar +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20250626050706.7271-1-gokulkumar.sivakumar@infineon.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index 4b70845e1a26..075b99478e65 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -1545,10 +1545,6 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request) + return -EAGAIN; + } + +- /* If scan req comes for p2p0, send it over primary I/F */ +- if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif) +- vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif; +- + brcmf_dbg(SCAN, "START ESCAN\n"); + + cfg->scan_request = request; +@@ -1564,6 +1560,10 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request) + if (err) + goto scan_out; + ++ /* If scan req comes for p2p0, send it over primary I/F */ ++ if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif) ++ vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif; ++ + err = brcmf_do_escan(vif->ifp, request); + if (err) + goto scan_out; +-- +2.39.5 + diff --git a/queue-6.15/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and.patch b/queue-6.15/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and.patch new file mode 100644 index 0000000000..36a1c8605b --- /dev/null +++ b/queue-6.15/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and.patch @@ -0,0 +1,85 @@ +From 93653659c022dc5fe348d22714c07c430a62706b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 18:25:45 +0200 +Subject: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() + +From: Alexander Wetzel + +[ Upstream commit 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 ] + +Callers of wdev_chandef() must hold the wiphy mutex. + +But the worker cfg80211_propagate_cac_done_wk() never takes the lock. +Which triggers the warning below with the mesh_peer_connected_dfs +test from hostapd and not (yet) released mac80211 code changes: + +WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 +Modules linked in: +CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf +Workqueue: cfg80211 cfg80211_propagate_cac_done_wk +Stack: + 00000000 00000001 ffffff00 6093267c + 00000000 6002ec30 6d577c50 60037608 + 00000000 67e8d108 6063717b 00000000 +Call Trace: + [<6002ec30>] ? _printk+0x0/0x98 + [<6003c2b3>] show_stack+0x10e/0x11a + [<6002ec30>] ? _printk+0x0/0x98 + [<60037608>] dump_stack_lvl+0x71/0xb8 + [<6063717b>] ? wdev_chandef+0x60/0x165 + [<6003766d>] dump_stack+0x1e/0x20 + [<6005d1b7>] __warn+0x101/0x20f + [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d + [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec + [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 + [<600b11a2>] ? mark_held_locks+0x5a/0x6e + [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d + [<60052e53>] ? unblock_signals+0x3a/0xe7 + [<60052f2d>] ? um_set_signals+0x2d/0x43 + [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 + [<607508b2>] ? lock_is_held_type+0x207/0x21f + [<6063717b>] wdev_chandef+0x60/0x165 + [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f + [<60052f00>] ? um_set_signals+0x0/0x43 + [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a + [<6007e460>] process_scheduled_works+0x3bc/0x60e + [<6007d0ec>] ? move_linked_works+0x4d/0x81 + [<6007d120>] ? assign_work+0x0/0xaa + [<6007f81f>] worker_thread+0x220/0x2dc + [<600786ef>] ? set_pf_worker+0x0/0x57 + [<60087c96>] ? to_kthread+0x0/0x43 + [<6008ab3c>] kthread+0x2d3/0x2e2 + [<6007f5ff>] ? worker_thread+0x0/0x2dc + [<6006c05b>] ? calculate_sigpending+0x0/0x56 + [<6003b37d>] new_thread_handler+0x4a/0x64 +irq event stamp: 614611 +hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf +hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf +softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 +softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985 + +Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC") +Signed-off-by: Alexander Wetzel +Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index c1752b31734f..92e04370fa63 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -4229,6 +4229,8 @@ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev) + struct wireless_dev *wdev; + unsigned int link_id; + ++ guard(wiphy)(&rdev->wiphy); ++ + /* If we finished CAC or received radar, we should end any + * CAC running on the same channels. + * the check !cfg80211_chandef_dfs_usable contain 2 options: +-- +2.39.5 + diff --git a/queue-6.15/wifi-iwlwifi-fix-error-code-in-iwl_op_mode_dvm_start.patch b/queue-6.15/wifi-iwlwifi-fix-error-code-in-iwl_op_mode_dvm_start.patch new file mode 100644 index 0000000000..21fc9006ab --- /dev/null +++ b/queue-6.15/wifi-iwlwifi-fix-error-code-in-iwl_op_mode_dvm_start.patch @@ -0,0 +1,40 @@ +From 817bd6d63fdbe302899de0f432f8f855713cb66e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 13:08:42 -0500 +Subject: wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() + +From: Dan Carpenter + +[ Upstream commit cf80c02a9fdb6c5bc8508beb6a0f6a1294fc32f6 ] + +Preserve the error code if iwl_setup_deferred_work() fails. The current +code returns ERR_PTR(0) (which is NULL) on this path. I believe the +missing error code potentially leads to a use after free involving +debugfs. + +Fixes: 90a0d9f33996 ("iwlwifi: Add missing check for alloc_ordered_workqueue") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/a7a1cd2c-ce01-461a-9afd-dbe535f8df01@sabinyo.mountain +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c +index cd20958fb91a..59c13c40bb83 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c +@@ -1468,7 +1468,8 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans, + /******************** + * 6. Setup services + ********************/ +- if (iwl_setup_deferred_work(priv)) ++ err = iwl_setup_deferred_work(priv); ++ if (err) + goto out_uninit_drv; + + iwl_setup_rx_handlers(priv); +-- +2.39.5 + diff --git a/queue-6.15/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch b/queue-6.15/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch new file mode 100644 index 0000000000..399b7a995e --- /dev/null +++ b/queue-6.15/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch @@ -0,0 +1,40 @@ +From f24254486a22cae2f15807609e911466113a1c41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 11:52:13 +0800 +Subject: wifi: iwlwifi: Fix memory leak in iwl_mvm_init() + +From: Xiu Jianfeng + +[ Upstream commit ed2e916c890944633d6826dce267579334f63ea5 ] + +When iwl_opmode_register() fails, it does not unregster rate control, +which will cause a memory leak issue, this patch fixes it. + +Fixes: 9f66a397c877 ("iwlwifi: mvm: rs: add ops for the new rate scaling in the FW") +Signed-off-by: Xiu Jianfeng +Link: https://patch.msgid.link/20221109035213.570-1-xiujianfeng@huawei.com +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +index 76603ef02704..15617cad967f 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +@@ -61,8 +61,10 @@ static int __init iwl_mvm_init(void) + } + + ret = iwl_opmode_register("iwlmvm", &iwl_mvm_ops); +- if (ret) ++ if (ret) { + pr_err("Unable to register MVM op_mode: %d\n", ret); ++ iwl_mvm_rate_control_unregister(); ++ } + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.15/wifi-iwlwifi-mld-decode-eof-bit-for-ampdus.patch b/queue-6.15/wifi-iwlwifi-mld-decode-eof-bit-for-ampdus.patch new file mode 100644 index 0000000000..4e423cfa73 --- /dev/null +++ b/queue-6.15/wifi-iwlwifi-mld-decode-eof-bit-for-ampdus.patch @@ -0,0 +1,46 @@ +From 7c6a3cdd9ea9b9feddbe3e2baa86fc4fd7e9405c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 09:45:11 +0300 +Subject: wifi: iwlwifi: mld: decode EOF bit for AMPDUs + +From: Benjamin Berg + +[ Upstream commit bc404dfddbf6817cae9b170c34556dc72ea975e5 ] + +Only the EOF bit handling for single frames was ported to the MLD +driver. The code to handle AMPDUs correctly was forgotten. Add it back +so that the bit is reported in the radiotap headers again. + +Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver") +Signed-off-by: Benjamin Berg +Reviewed-by: Daniel Gabay +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250723094230.195be86372d5.I4db4abf348f7b6dfc75f869770dd77655a204bc7@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mld/rx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mld/rx.c b/drivers/net/wireless/intel/iwlwifi/mld/rx.c +index c4f189bcece2..5a206a663470 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mld/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mld/rx.c +@@ -1039,6 +1039,15 @@ static void iwl_mld_rx_eht(struct iwl_mld *mld, struct sk_buff *skb, + rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT; + } + ++ /* update aggregation data for monitor sake on default queue */ ++ if (!queue && (phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD) && ++ (phy_info & IWL_RX_MPDU_PHY_AMPDU) && phy_data->first_subframe) { ++ rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT_KNOWN; ++ if (phy_data->data0 & ++ cpu_to_le32(IWL_RX_PHY_DATA0_EHT_DELIM_EOF)) ++ rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT; ++ } ++ + if (phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD) + iwl_mld_decode_eht_phy_data(mld, phy_data, rx_status, eht, usig); + +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch b/queue-6.15/wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch new file mode 100644 index 0000000000..5c3a057fcc --- /dev/null +++ b/queue-6.15/wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch @@ -0,0 +1,45 @@ +From 27fced0983afa80bd7979487783c0380e7c3d02f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 17:45:28 +0200 +Subject: wifi: mac80211: Check 802.11 encaps offloading in + ieee80211_tx_h_select_key() + +From: Remi Pommarel + +[ Upstream commit 4037c468d1b3c508d69e6df0ef47fdee3d440e39 ] + +With 802.11 encapsulation offloading, ieee80211_tx_h_select_key() is +called on 802.3 frames. In that case do not try to use skb data as +valid 802.11 headers. + +Reported-by: Bert Karwatzki +Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de +Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue") +Signed-off-by: Remi Pommarel +Link: https://patch.msgid.link/1af4b5b903a5fca5ebe67333d5854f93b2be5abe.1752765971.git.repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 10e5fb294709..7799455b0403 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -622,6 +622,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx) + else + tx->key = NULL; + ++ if (info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) { ++ if (tx->key && tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE) ++ info->control.hw_key = &tx->key->conf; ++ return TX_CONTINUE; ++ } ++ + if (tx->key) { + bool skip_hw = false; + +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-do-not-schedule-stopped-txqs.patch b/queue-6.15/wifi-mac80211-do-not-schedule-stopped-txqs.patch new file mode 100644 index 0000000000..a9ee43b8ad --- /dev/null +++ b/queue-6.15/wifi-mac80211-do-not-schedule-stopped-txqs.patch @@ -0,0 +1,49 @@ +From 6e8ccb04138fd09cb1b482de081a5ef6ce07c420 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 18:25:46 +0200 +Subject: wifi: mac80211: Do not schedule stopped TXQs + +From: Alexander Wetzel + +[ Upstream commit 11e3e22fa533f5d7cf04e32343b05a27eda3c7a5 ] + +Ignore TXQs with the flag IEEE80211_TXQ_STOP when scheduling a queue. + +The flag is only set after all fragments have been dequeued and won't +allow dequeueing other frames as long as the flag is set. + +For drivers using ieee80211_txq_schedule_start() this prevents an +loop trying to push the queued frames while IEEE80211_TXQ_STOP is set: + +After setting IEEE80211_TXQ_STOP the driver will call +ieee80211_return_txq(). Which calls __ieee80211_schedule_txq(), detects +that there sill are frames in the queue and immediately restarts the +stopped TXQ. Which can't dequeue any frame and thus starts over the loop. + +Signed-off-by: Alexander Wetzel +Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation") +Link: https://patch.msgid.link/20250717162547.94582-2-Alexander@wetzel-home.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 695db38ccfb4..fd21a18a028d 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -4109,7 +4109,9 @@ void __ieee80211_schedule_txq(struct ieee80211_hw *hw, + + spin_lock_bh(&local->active_txq_lock[txq->ac]); + +- has_queue = force || txq_has_queue(txq); ++ has_queue = force || ++ (!test_bit(IEEE80211_TXQ_STOP, &txqi->flags) && ++ txq_has_queue(txq)); + if (list_empty(&txqi->schedule_order) && + (has_queue || ieee80211_txq_keep_active(txqi))) { + /* If airtime accounting is active, always enqueue STAs at the +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch b/queue-6.15/wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch new file mode 100644 index 0000000000..5f2cf49022 --- /dev/null +++ b/queue-6.15/wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch @@ -0,0 +1,45 @@ +From 66d82bfed2b0635e0cd89a923effd455a406c92c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 18:25:47 +0200 +Subject: wifi: mac80211: Don't call fq_flow_idx() for management frames + +From: Alexander Wetzel + +[ Upstream commit cb3bb3d88dfcd177a1050c0a009a3ee147b2e5b9 ] + +skb_get_hash() can only be used when the skb is linked to a netdev +device. + +Signed-off-by: Alexander Wetzel +Fixes: 73bc9e0af594 ("mac80211: don't apply flow control on management frames") +Link: https://patch.msgid.link/20250717162547.94582-3-Alexander@wetzel-home.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index fd21a18a028d..10e5fb294709 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1438,7 +1438,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local, + { + struct fq *fq = &local->fq; + struct fq_tin *tin = &txqi->tin; +- u32 flow_idx = fq_flow_idx(fq, skb); ++ u32 flow_idx; + + ieee80211_set_skb_enqueue_time(skb); + +@@ -1454,6 +1454,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local, + IEEE80211_TX_INTCFL_NEED_TXPROCESSING; + __skb_queue_tail(&txqi->frags, skb); + } else { ++ flow_idx = fq_flow_idx(fq, skb); + fq_tin_enqueue(fq, tin, flow_idx, skb, + fq_skb_free_func); + } +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-fix-warn_on-for-monitor-mode-on-some-d.patch b/queue-6.15/wifi-mac80211-fix-warn_on-for-monitor-mode-on-some-d.patch new file mode 100644 index 0000000000..f9363edc64 --- /dev/null +++ b/queue-6.15/wifi-mac80211-fix-warn_on-for-monitor-mode-on-some-d.patch @@ -0,0 +1,56 @@ +From d5b185ebd87fbf980499e69986c51dbb3d7ba6e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 09:14:19 +0200 +Subject: wifi: mac80211: fix WARN_ON for monitor mode on some devices + +From: Johannes Berg + +[ Upstream commit c57e5b9819dfd16d709bcd6cb633301ed0829a66 ] + +On devices without WANT_MONITOR_VIF (and probably without +channel context support) we get a WARN_ON for changing the +per-link setting of a monitor interface. + +Since we already skip AP_VLAN interfaces and MONITOR with +WANT_MONITOR_VIF and/or NO_VIRTUAL_MONITOR should update +the settings, catch this in the link change code instead +of the warning. + +Reported-by: Martin Kaistra +Link: https://lore.kernel.org/r/a9de62a0-28f1-4981-84df-253489da74ed@linutronix.de/ +Fixes: c4382d5ca1af ("wifi: mac80211: update the right link for tx power") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 6b6de43d9420..1bad353d8a77 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -407,9 +407,20 @@ void ieee80211_link_info_change_notify(struct ieee80211_sub_if_data *sdata, + + WARN_ON_ONCE(changed & BSS_CHANGED_VIF_CFG_FLAGS); + +- if (!changed || sdata->vif.type == NL80211_IFTYPE_AP_VLAN) ++ if (!changed) + return; + ++ switch (sdata->vif.type) { ++ case NL80211_IFTYPE_AP_VLAN: ++ return; ++ case NL80211_IFTYPE_MONITOR: ++ if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) ++ return; ++ break; ++ default: ++ break; ++ } ++ + if (!check_sdata_in_driver(sdata)) + return; + +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-reject-tdls-operations-when-station-is.patch b/queue-6.15/wifi-mac80211-reject-tdls-operations-when-station-is.patch new file mode 100644 index 0000000000..f658da7dc6 --- /dev/null +++ b/queue-6.15/wifi-mac80211-reject-tdls-operations-when-station-is.patch @@ -0,0 +1,46 @@ +From 7a2200ead0bef46023da58f1b6b6ea772e0c8ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:09:05 -0700 +Subject: wifi: mac80211: reject TDLS operations when station is not associated + +From: Moon Hee Lee + +[ Upstream commit 16ecdab5446f15a61ec88eb0d23d25d009821db0 ] + +syzbot triggered a WARN in ieee80211_tdls_oper() by sending +NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT, +before association completed and without prior TDLS setup. + +This left internal state like sdata->u.mgd.tdls_peer uninitialized, +leading to a WARN_ON() in code paths that assumed it was valid. + +Reject the operation early if not in station mode or not associated. + +Reported-by: syzbot+f73f203f8c9b19037380@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f73f203f8c9b19037380 +Fixes: 81dd2b882241 ("mac80211: move TDLS data to mgd private part") +Tested-by: syzbot+f73f203f8c9b19037380@syzkaller.appspotmail.com +Signed-off-by: Moon Hee Lee +Link: https://patch.msgid.link/20250715230904.661092-2-moonhee.lee.ca@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tdls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c +index 2f92e7c7f203..49c92c5d3909 100644 +--- a/net/mac80211/tdls.c ++++ b/net/mac80211/tdls.c +@@ -1422,7 +1422,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev, + if (!(wiphy->flags & WIPHY_FLAG_SUPPORTS_TDLS)) + return -EOPNOTSUPP; + +- if (sdata->vif.type != NL80211_IFTYPE_STATION) ++ if (sdata->vif.type != NL80211_IFTYPE_STATION || !sdata->vif.cfg.assoc) + return -EINVAL; + + switch (oper) { +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-write-cnt-before-copying-in-ieee80211_.patch b/queue-6.15/wifi-mac80211-write-cnt-before-copying-in-ieee80211_.patch new file mode 100644 index 0000000000..bd473c2209 --- /dev/null +++ b/queue-6.15/wifi-mac80211-write-cnt-before-copying-in-ieee80211_.patch @@ -0,0 +1,47 @@ +From c6d973fa2c2519212564c8ec49c95d2daf01e327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 11:25:22 -0700 +Subject: wifi: mac80211: Write cnt before copying in + ieee80211_copy_rnr_beacon() + +From: Kees Cook + +[ Upstream commit a37192c432adaec9e8ef29e4ddb319ea2f443aa6 ] + +While I caught the need for setting cnt early in nl80211_parse_rnr_elems() +in the original annotation of struct cfg80211_rnr_elems with __counted_by, +I missed a similar pattern in ieee80211_copy_rnr_beacon(). Fix this by +moving the cnt assignment to before the loop. + +Fixes: 7b6d7087031b ("wifi: cfg80211: Annotate struct cfg80211_rnr_elems with __counted_by") +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. Silva +Link: https://patch.msgid.link/20250721182521.work.540-kees@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 4a8d9c3ea480..d9f96a962fa6 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1109,13 +1109,13 @@ ieee80211_copy_rnr_beacon(u8 *pos, struct cfg80211_rnr_elems *dst, + { + int i, offset = 0; + ++ dst->cnt = src->cnt; + for (i = 0; i < src->cnt; i++) { + memcpy(pos + offset, src->elem[i].data, src->elem[i].len); + dst->elem[i].len = src->elem[i].len; + dst->elem[i].data = pos + offset; + offset += dst->elem[i].len; + } +- dst->cnt = src->cnt; + + return offset; + } +-- +2.39.5 + diff --git a/queue-6.15/wifi-mt76-mt7996-fix-possible-oob-access-in-mt7996_t.patch b/queue-6.15/wifi-mt76-mt7996-fix-possible-oob-access-in-mt7996_t.patch new file mode 100644 index 0000000000..f938e854a5 --- /dev/null +++ b/queue-6.15/wifi-mt76-mt7996-fix-possible-oob-access-in-mt7996_t.patch @@ -0,0 +1,67 @@ +From 8f4896527bc642a685de7a6c1b98f1cc0e34239c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 15:08:10 +0200 +Subject: wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx() + +From: Lorenzo Bianconi + +[ Upstream commit 64cbf0d7ce9afe20666da90ec6ecaec6ba5ac64b ] + +Fis possible Out-Of-Boundary access in mt7996_tx routine if link_id is +set to IEEE80211_LINK_UNSPECIFIED + +Fixes: 3ce8acb86b661 ("wifi: mt76: mt7996: Update mt7996_tx to MLO support") +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20250704-mt7996-mlo-fixes-v1-6-356456c73f43@kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7996/main.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +index 5584bea9e2a3..631ad0f9ff93 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +@@ -1216,10 +1216,17 @@ static void mt7996_tx(struct ieee80211_hw *hw, + + if (vif) { + struct mt7996_vif *mvif = (void *)vif->drv_priv; +- struct mt76_vif_link *mlink; ++ struct mt76_vif_link *mlink = &mvif->deflink.mt76; + +- mlink = rcu_dereference(mvif->mt76.link[link_id]); +- if (mlink && mlink->wcid) ++ if (link_id < IEEE80211_LINK_UNSPECIFIED) ++ mlink = rcu_dereference(mvif->mt76.link[link_id]); ++ ++ if (!mlink) { ++ ieee80211_free_txskb(hw, skb); ++ goto unlock; ++ } ++ ++ if (mlink->wcid) + wcid = mlink->wcid; + + if (mvif->mt76.roc_phy && +@@ -1228,7 +1235,7 @@ static void mt7996_tx(struct ieee80211_hw *hw, + if (mphy->roc_link) + wcid = mphy->roc_link->wcid; + } else { +- mphy = mt76_vif_link_phy(&mvif->deflink.mt76); ++ mphy = mt76_vif_link_phy(mlink); + } + } + +@@ -1237,7 +1244,7 @@ static void mt7996_tx(struct ieee80211_hw *hw, + goto unlock; + } + +- if (control->sta) { ++ if (control->sta && link_id < IEEE80211_LINK_UNSPECIFIED) { + struct mt7996_sta *msta = (void *)control->sta->drv_priv; + struct mt7996_sta_link *msta_link; + +-- +2.39.5 + diff --git a/queue-6.15/wifi-mt76-mt7996-fix-secondary-link-lookup-in-mt7996.patch b/queue-6.15/wifi-mt76-mt7996-fix-secondary-link-lookup-in-mt7996.patch new file mode 100644 index 0000000000..71cd8ac48f --- /dev/null +++ b/queue-6.15/wifi-mt76-mt7996-fix-secondary-link-lookup-in-mt7996.patch @@ -0,0 +1,39 @@ +From 7a4f9fabb9ef10aabeab4f2ff66b9a3dc1062036 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 15:08:06 +0200 +Subject: wifi: mt76: mt7996: Fix secondary link lookup in + mt7996_mcu_sta_mld_setup_tlv() + +From: Lorenzo Bianconi + +[ Upstream commit e8d7eef07199887161cd6f3c062406628781f8b6 ] + +Use proper link_id value for secondary link lookup in +mt7996_mcu_sta_mld_setup_tlv routine. + +Fixes: 00cef41d9d8f5 ("wifi: mt76: mt7996: Add mt7996_mcu_sta_mld_setup_tlv() and mt7996_mcu_sta_eht_mld_tlv()") +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20250704-mt7996-mlo-fixes-v1-2-356456c73f43@kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +index 63dc6df20c3e..ce6e33d39d22 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -2307,8 +2307,7 @@ mt7996_mcu_sta_mld_setup_tlv(struct mt7996_dev *dev, struct sk_buff *skb, + + if (nlinks > 1) { + link_id = __ffs(links & ~BIT(msta->deflink_id)); +- msta_link = mt76_dereference(msta->link[msta->deflink_id], +- &dev->mt76); ++ msta_link = mt76_dereference(msta->link[link_id], &dev->mt76); + if (!msta_link) + return; + } +-- +2.39.5 + diff --git a/queue-6.15/wifi-mt76-mt7996-fix-valid_links-bitmask-in-mt7996_m.patch b/queue-6.15/wifi-mt76-mt7996-fix-valid_links-bitmask-in-mt7996_m.patch new file mode 100644 index 0000000000..98d2ba1eab --- /dev/null +++ b/queue-6.15/wifi-mt76-mt7996-fix-valid_links-bitmask-in-mt7996_m.patch @@ -0,0 +1,46 @@ +From f3af75ed40ad671b217e3202174d73d855b1340a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 15:08:11 +0200 +Subject: wifi: mt76: mt7996: Fix valid_links bitmask in + mt7996_mac_sta_{add,remove} + +From: Lorenzo Bianconi + +[ Upstream commit a59650a2270190905fdab79431140371feb35251 ] + +sta->valid_links bitmask can be set even for non-MLO client. + +Fixes: dd82a9e02c054 ("wifi: mt76: mt7996: Rely on mt7996_sta_link in sta_add/sta_remove callbacks") +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20250704-mt7996-mlo-fixes-v1-7-356456c73f43@kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +index 631ad0f9ff93..45ef0f309135 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c +@@ -1061,7 +1061,7 @@ mt7996_mac_sta_add(struct mt76_phy *mphy, struct ieee80211_vif *vif, + struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76); + struct mt7996_sta *msta = (struct mt7996_sta *)sta->drv_priv; + struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv; +- unsigned long links = sta->mlo ? sta->valid_links : BIT(0); ++ unsigned long links = sta->valid_links ? sta->valid_links : BIT(0); + int err; + + mutex_lock(&mdev->mutex); +@@ -1155,7 +1155,7 @@ mt7996_mac_sta_remove(struct mt76_phy *mphy, struct ieee80211_vif *vif, + { + struct mt76_dev *mdev = mphy->dev; + struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76); +- unsigned long links = sta->mlo ? sta->valid_links : BIT(0); ++ unsigned long links = sta->valid_links ? sta->valid_links : BIT(0); + + mutex_lock(&mdev->mutex); + +-- +2.39.5 + diff --git a/queue-6.15/wifi-nl80211-set-num_sub_specs-before-looping-throug.patch b/queue-6.15/wifi-nl80211-set-num_sub_specs-before-looping-throug.patch new file mode 100644 index 0000000000..eb633fc4c9 --- /dev/null +++ b/queue-6.15/wifi-nl80211-set-num_sub_specs-before-looping-throug.patch @@ -0,0 +1,39 @@ +From 0af6b8b6406482cafb541a7af7af492d6d1a8fa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 11:31:29 -0700 +Subject: wifi: nl80211: Set num_sub_specs before looping through sub_specs + +From: Kees Cook + +[ Upstream commit 2ed9a9fc9976262109d04f1a3c75c46de8ce4f22 ] + +The processing of the struct cfg80211_sar_specs::sub_specs flexible +array requires its counter, num_sub_specs, to be assigned before the +loop in nl80211_set_sar_specs(). Leave the final assignment after the +loop in place in case fewer ended up in the array. + +Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate") +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. Silva +Link: https://patch.msgid.link/20250721183125.work.183-kees@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 0c7e8389bc49..5b348aefd77d 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -16892,6 +16892,7 @@ static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info) + if (!sar_spec) + return -ENOMEM; + ++ sar_spec->num_sub_specs = specs; + sar_spec->type = type; + specs = 0; + nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) { +-- +2.39.5 + diff --git a/queue-6.15/wifi-plfxlc-fix-error-handling-in-usb-driver-probe.patch b/queue-6.15/wifi-plfxlc-fix-error-handling-in-usb-driver-probe.patch new file mode 100644 index 0000000000..f938f24da2 --- /dev/null +++ b/queue-6.15/wifi-plfxlc-fix-error-handling-in-usb-driver-probe.patch @@ -0,0 +1,176 @@ +From 4c182cb049ae821b73e6f3a868c2433225c11793 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 21:52:26 +0300 +Subject: wifi: plfxlc: Fix error handling in usb driver probe + +From: Murad Masimov + +[ Upstream commit 3fe79a25c3cd54d25d30bc235c0c57f8a123d9d5 ] + +If probe fails before ieee80211_register_hw() is successfully done, +ieee80211_unregister_hw() will be called anyway. This may lead to various +bugs as the implementation of ieee80211_unregister_hw() assumes that +ieee80211_register_hw() has been called. + +Divide error handling section into relevant subsections, so that +ieee80211_unregister_hw() is called only when it is appropriate. Correct +the order of the calls: ieee80211_unregister_hw() should go before +plfxlc_mac_release(). Also move ieee80211_free_hw() to plfxlc_mac_release() +as it supposed to be the opposite to plfxlc_mac_alloc_hw() that calls +ieee80211_alloc_hw(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 68d57a07bfe5 ("wireless: add plfxlc driver for pureLiFi X, XL, XC devices") +Signed-off-by: Murad Masimov +Link: https://patch.msgid.link/20250321185226.71-3-m.masimov@mt-integration.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/purelifi/plfxlc/mac.c | 11 ++++---- + drivers/net/wireless/purelifi/plfxlc/mac.h | 2 +- + drivers/net/wireless/purelifi/plfxlc/usb.c | 29 +++++++++++----------- + 3 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/wireless/purelifi/plfxlc/mac.c b/drivers/net/wireless/purelifi/plfxlc/mac.c +index 82d1bf7edba2..a7f5d287e369 100644 +--- a/drivers/net/wireless/purelifi/plfxlc/mac.c ++++ b/drivers/net/wireless/purelifi/plfxlc/mac.c +@@ -99,11 +99,6 @@ int plfxlc_mac_init_hw(struct ieee80211_hw *hw) + return r; + } + +-void plfxlc_mac_release(struct plfxlc_mac *mac) +-{ +- plfxlc_chip_release(&mac->chip); +-} +- + int plfxlc_op_start(struct ieee80211_hw *hw) + { + plfxlc_hw_mac(hw)->chip.usb.initialized = 1; +@@ -755,3 +750,9 @@ struct ieee80211_hw *plfxlc_mac_alloc_hw(struct usb_interface *intf) + SET_IEEE80211_DEV(hw, &intf->dev); + return hw; + } ++ ++void plfxlc_mac_release_hw(struct ieee80211_hw *hw) ++{ ++ plfxlc_chip_release(&plfxlc_hw_mac(hw)->chip); ++ ieee80211_free_hw(hw); ++} +diff --git a/drivers/net/wireless/purelifi/plfxlc/mac.h b/drivers/net/wireless/purelifi/plfxlc/mac.h +index 9384acddcf26..56da502999c1 100644 +--- a/drivers/net/wireless/purelifi/plfxlc/mac.h ++++ b/drivers/net/wireless/purelifi/plfxlc/mac.h +@@ -168,7 +168,7 @@ static inline u8 *plfxlc_mac_get_perm_addr(struct plfxlc_mac *mac) + } + + struct ieee80211_hw *plfxlc_mac_alloc_hw(struct usb_interface *intf); +-void plfxlc_mac_release(struct plfxlc_mac *mac); ++void plfxlc_mac_release_hw(struct ieee80211_hw *hw); + + int plfxlc_mac_preinit_hw(struct ieee80211_hw *hw, const u8 *hw_address); + int plfxlc_mac_init_hw(struct ieee80211_hw *hw); +diff --git a/drivers/net/wireless/purelifi/plfxlc/usb.c b/drivers/net/wireless/purelifi/plfxlc/usb.c +index c2a1234b59db..0817506021c3 100644 +--- a/drivers/net/wireless/purelifi/plfxlc/usb.c ++++ b/drivers/net/wireless/purelifi/plfxlc/usb.c +@@ -604,7 +604,7 @@ static int probe(struct usb_interface *intf, + r = plfxlc_upload_mac_and_serial(intf, hw_address, serial_number); + if (r) { + dev_err(&intf->dev, "MAC and Serial upload failed (%d)\n", r); +- goto error; ++ goto error_free_hw; + } + + chip->unit_type = STA; +@@ -613,13 +613,13 @@ static int probe(struct usb_interface *intf, + r = plfxlc_mac_preinit_hw(hw, hw_address); + if (r) { + dev_err(&intf->dev, "Init mac failed (%d)\n", r); +- goto error; ++ goto error_free_hw; + } + + r = ieee80211_register_hw(hw); + if (r) { + dev_err(&intf->dev, "Register device failed (%d)\n", r); +- goto error; ++ goto error_free_hw; + } + + if ((le16_to_cpu(interface_to_usbdev(intf)->descriptor.idVendor) == +@@ -632,7 +632,7 @@ static int probe(struct usb_interface *intf, + } + if (r != 0) { + dev_err(&intf->dev, "FPGA download failed (%d)\n", r); +- goto error; ++ goto error_unreg_hw; + } + + tx->mac_fifo_full = 0; +@@ -642,21 +642,21 @@ static int probe(struct usb_interface *intf, + r = plfxlc_usb_init_hw(usb); + if (r < 0) { + dev_err(&intf->dev, "usb_init_hw failed (%d)\n", r); +- goto error; ++ goto error_unreg_hw; + } + + msleep(PLF_MSLEEP_TIME); + r = plfxlc_chip_switch_radio(chip, PLFXLC_RADIO_ON); + if (r < 0) { + dev_dbg(&intf->dev, "chip_switch_radio_on failed (%d)\n", r); +- goto error; ++ goto error_unreg_hw; + } + + msleep(PLF_MSLEEP_TIME); + r = plfxlc_chip_set_rate(chip, 8); + if (r < 0) { + dev_dbg(&intf->dev, "chip_set_rate failed (%d)\n", r); +- goto error; ++ goto error_unreg_hw; + } + + msleep(PLF_MSLEEP_TIME); +@@ -664,7 +664,7 @@ static int probe(struct usb_interface *intf, + hw_address, ETH_ALEN, USB_REQ_MAC_WR); + if (r < 0) { + dev_dbg(&intf->dev, "MAC_WR failure (%d)\n", r); +- goto error; ++ goto error_unreg_hw; + } + + plfxlc_chip_enable_rxtx(chip); +@@ -691,12 +691,12 @@ static int probe(struct usb_interface *intf, + plfxlc_mac_init_hw(hw); + usb->initialized = true; + return 0; ++ ++error_unreg_hw: ++ ieee80211_unregister_hw(hw); ++error_free_hw: ++ plfxlc_mac_release_hw(hw); + error: +- if (hw) { +- plfxlc_mac_release(plfxlc_hw_mac(hw)); +- ieee80211_unregister_hw(hw); +- ieee80211_free_hw(hw); +- } + dev_err(&intf->dev, "pureLifi:Device error"); + return r; + } +@@ -730,8 +730,7 @@ static void disconnect(struct usb_interface *intf) + */ + usb_reset_device(interface_to_usbdev(intf)); + +- plfxlc_mac_release(mac); +- ieee80211_free_hw(hw); ++ plfxlc_mac_release_hw(hw); + } + + static void plfxlc_usb_resume(struct plfxlc_usb *usb) +-- +2.39.5 + diff --git a/queue-6.15/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch b/queue-6.15/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch new file mode 100644 index 0000000000..dea837c91d --- /dev/null +++ b/queue-6.15/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch @@ -0,0 +1,68 @@ +From 4435d2420911c1d82657024bbbec2eb9739e5fa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 16:56:34 +0300 +Subject: wifi: rtl818x: Kill URBs before clearing tx status queue + +From: Daniil Dulov + +[ Upstream commit 16d8fd74dbfca0ea58645cd2fca13be10cae3cdd ] + +In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing +b_tx_status.queue. This change prevents callbacks from using already freed +skb due to anchor was not killed before freeing such skb. + + BUG: kernel NULL pointer dereference, address: 0000000000000080 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 + RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211] + Call Trace: + + rtl8187_tx_cb+0x116/0x150 [rtl8187] + __usb_hcd_giveback_urb+0x9d/0x120 + usb_giveback_urb_bh+0xbb/0x140 + process_one_work+0x19b/0x3c0 + bh_worker+0x1a7/0x210 + tasklet_action+0x10/0x30 + handle_softirqs+0xf0/0x340 + __irq_exit_rcu+0xcd/0xf0 + common_interrupt+0x85/0xa0 + + +Tested on RTL8187BvE device. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: c1db52b9d27e ("rtl8187: Use usb anchor facilities to manage urbs") +Signed-off-by: Daniil Dulov +Reviewed-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250617135634.21760-1-d.dulov@aladdin.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +index 220ac5bdf279..8a57d6c72335 100644 +--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c ++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +@@ -1041,10 +1041,11 @@ static void rtl8187_stop(struct ieee80211_hw *dev, bool suspend) + rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF); + rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL); + ++ usb_kill_anchored_urbs(&priv->anchored); ++ + while ((skb = skb_dequeue(&priv->b_tx_status.queue))) + dev_kfree_skb_any(skb); + +- usb_kill_anchored_urbs(&priv->anchored); + mutex_unlock(&priv->conf_mutex); + + if (!priv->is_rtl8187b) +-- +2.39.5 + diff --git a/queue-6.15/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch b/queue-6.15/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch new file mode 100644 index 0000000000..2bdb5a1cc1 --- /dev/null +++ b/queue-6.15/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch @@ -0,0 +1,45 @@ +From ce6f288815ee005e273f4a178fee25e83510520c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 14:15:22 +0200 +Subject: wifi: rtl8xxxu: Fix RX skb size for aggregation disabled + +From: Martin Kaistra + +[ Upstream commit d76a1abcf57734d2bcd4a7ec051617edd4513d7f ] + +Commit 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for +phystats") increased the skb size when aggregation is enabled but decreased +it for the aggregation disabled case. + +As a result, if a frame near the maximum size is received, +rtl8xxxu_rx_complete() is called with status -EOVERFLOW and then the +driver starts to malfunction and no further communication is possible. + +Restore the skb size in the aggregation disabled case. + +Fixes: 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for phystats") +Signed-off-by: Martin Kaistra +Reviewed-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250709121522.1992366-1-martin.kaistra@linutronix.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/core.c b/drivers/net/wireless/realtek/rtl8xxxu/core.c +index 569856ca677f..c6f69d87c38d 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c +@@ -6617,7 +6617,7 @@ static int rtl8xxxu_submit_rx_urb(struct rtl8xxxu_priv *priv, + skb_size = fops->rx_agg_buf_size; + skb_size += (rx_desc_sz + sizeof(struct rtl8723au_phy_stats)); + } else { +- skb_size = IEEE80211_MAX_FRAME_LEN; ++ skb_size = IEEE80211_MAX_FRAME_LEN + rx_desc_sz; + } + + skb = __netdev_alloc_skb(NULL, skb_size, GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.15/wifi-rtw88-fix-macid-assigned-to-tdls-station.patch b/queue-6.15/wifi-rtw88-fix-macid-assigned-to-tdls-station.patch new file mode 100644 index 0000000000..91b1b53337 --- /dev/null +++ b/queue-6.15/wifi-rtw88-fix-macid-assigned-to-tdls-station.patch @@ -0,0 +1,51 @@ +From 76d0a277cf1e91a4b8c436de6569d17a64181aa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jul 2025 22:27:32 +0300 +Subject: wifi: rtw88: Fix macid assigned to TDLS station + +From: Bitterblue Smith + +[ Upstream commit 526b000991b557c40ea53e64ba24bb9e0fff0071 ] + +When working in station mode, TDLS peers are assigned macid 0, even +though 0 was already assigned to the AP. This causes the connection +with the AP to stop working after the TDLS connection is torn down. + +Assign the next available macid to TDLS peers, same as client stations +in AP mode. + +Fixes: 902cb7b11f9a ("wifi: rtw88: assign mac_id for vif/sta and update to TX desc") +Signed-off-by: Bitterblue Smith +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/58648c09-8553-4bcc-a977-9dc9afd63780@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index bc2c1a5a30b3..c589727c525e 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -349,7 +349,7 @@ int rtw_sta_add(struct rtw_dev *rtwdev, struct ieee80211_sta *sta, + struct rtw_vif *rtwvif = (struct rtw_vif *)vif->drv_priv; + int i; + +- if (vif->type == NL80211_IFTYPE_STATION) { ++ if (vif->type == NL80211_IFTYPE_STATION && !sta->tdls) { + si->mac_id = rtwvif->mac_id; + } else { + si->mac_id = rtw_acquire_macid(rtwdev); +@@ -386,7 +386,7 @@ void rtw_sta_remove(struct rtw_dev *rtwdev, struct ieee80211_sta *sta, + + cancel_work_sync(&si->rc_work); + +- if (vif->type != NL80211_IFTYPE_STATION) ++ if (vif->type != NL80211_IFTYPE_STATION || sta->tdls) + rtw_release_macid(rtwdev, si->mac_id); + if (fw_exist) + rtw_fw_media_status_report(rtwdev, si->mac_id, false); +-- +2.39.5 + diff --git a/queue-6.15/wifi-rtw89-avoid-null-dereference-when-rx-problemati.patch b/queue-6.15/wifi-rtw89-avoid-null-dereference-when-rx-problemati.patch new file mode 100644 index 0000000000..730ee6801a --- /dev/null +++ b/queue-6.15/wifi-rtw89-avoid-null-dereference-when-rx-problemati.patch @@ -0,0 +1,82 @@ +From f3fde4fe9938641a44341872a146434cfba30504 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 20:46:47 +0800 +Subject: wifi: rtw89: avoid NULL dereference when RX problematic packet on + unsupported 6 GHz band + +From: Zong-Zhe Yang + +[ Upstream commit 7e04f01bb94fe61c73cc59f0495c3b6c16a83231 ] + +With a quite rare chance, RX report might be problematic to make SW think +a packet is received on 6 GHz band even if the chip does not support 6 GHz +band actually. Since SW won't initialize stuffs for unsupported bands, NULL +dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() -> +rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it. + +The following is a crash log for this case. + + BUG: kernel NULL pointer dereference, address: 0000000000000032 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4) + Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024 + RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core] + Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11 + 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45 + 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85 + RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246 + RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011 + RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6 + RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000 + R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4 + R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000 + FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0 + PKRU: 55555554 + Call Trace: + + ? __die_body+0x68/0xb0 + ? page_fault_oops+0x379/0x3e0 + ? exc_page_fault+0x4f/0xa0 + ? asm_exc_page_fault+0x22/0x30 + ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] + ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)] + __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)] + ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] + ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] + ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)] + rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)] + rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)] + +Fixes: c6aa9a9c4725 ("wifi: rtw89: add RNR support for 6 GHz scan") +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250618124649.11436-5-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c +index cc9b014457ac..69546a039494 100644 +--- a/drivers/net/wireless/realtek/rtw89/core.c ++++ b/drivers/net/wireless/realtek/rtw89/core.c +@@ -2110,6 +2110,11 @@ static void rtw89_core_cancel_6ghz_probe_tx(struct rtw89_dev *rtwdev, + if (rx_status->band != NL80211_BAND_6GHZ) + return; + ++ if (unlikely(!(rtwdev->chip->support_bands & BIT(NL80211_BAND_6GHZ)))) { ++ rtw89_debug(rtwdev, RTW89_DBG_UNEXP, "invalid rx on unsupported 6 GHz\n"); ++ return; ++ } ++ + ssid_ie = cfg80211_find_ie(WLAN_EID_SSID, ies, skb->len); + + list_for_each_entry(info, &pkt_list[NL80211_BAND_6GHZ], list) { +-- +2.39.5 + diff --git a/queue-6.15/wifi-rtw89-fix-eht-20mhz-tx-rate-for-non-ap-sta.patch b/queue-6.15/wifi-rtw89-fix-eht-20mhz-tx-rate-for-non-ap-sta.patch new file mode 100644 index 0000000000..04eb4c5ba1 --- /dev/null +++ b/queue-6.15/wifi-rtw89-fix-eht-20mhz-tx-rate-for-non-ap-sta.patch @@ -0,0 +1,64 @@ +From 11f614d9c4fdf0ebc190d92dcec1be6443432fb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jun 2025 19:42:07 +0800 +Subject: wifi: rtw89: fix EHT 20MHz TX rate for non-AP STA + +From: Kuan-Chung Chen + +[ Upstream commit fe30a8ae853bade282fce63e740b5f34bdc55f6e ] + +The 4-octet EHT MCS/NSS subfield is only used for 20 MHz-only +non-AP STA. Correct the interpretation of this subfield to +prevent improper rate limitations. + +Fixes: f1dfcee2eae9 ("wifi: rtw89: Correct EHT TX rate on 20MHz connection") +Signed-off-by: Kuan-Chung Chen +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250605114207.12381-6-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/phy.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c +index f4eee642e5ce..4bdc6d9da625 100644 +--- a/drivers/net/wireless/realtek/rtw89/phy.c ++++ b/drivers/net/wireless/realtek/rtw89/phy.c +@@ -119,10 +119,12 @@ static u64 get_eht_mcs_ra_mask(u8 *max_nss, u8 start_mcs, u8 n_nss) + return mask; + } + +-static u64 get_eht_ra_mask(struct ieee80211_link_sta *link_sta) ++static u64 get_eht_ra_mask(struct rtw89_vif_link *rtwvif_link, ++ struct ieee80211_link_sta *link_sta) + { +- struct ieee80211_sta_eht_cap *eht_cap = &link_sta->eht_cap; ++ struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs_nss_20mhz; ++ struct ieee80211_sta_eht_cap *eht_cap = &link_sta->eht_cap; + struct ieee80211_eht_mcs_nss_supp_bw *mcs_nss; + u8 *he_phy_cap = link_sta->he_cap.he_cap_elem.phy_cap_info; + +@@ -136,8 +138,8 @@ static u64 get_eht_ra_mask(struct ieee80211_link_sta *link_sta) + /* MCS 9, 11, 13 */ + return get_eht_mcs_ra_mask(mcs_nss->rx_tx_max_nss, 9, 3); + case IEEE80211_STA_RX_BW_20: +- if (!(he_phy_cap[0] & +- IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL)) { ++ if (vif->type == NL80211_IFTYPE_AP && ++ !(he_phy_cap[0] & IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL)) { + mcs_nss_20mhz = &eht_cap->eht_mcs_nss_supp.only_20mhz; + /* MCS 7, 9, 11, 13 */ + return get_eht_mcs_ra_mask(mcs_nss_20mhz->rx_tx_max_nss, 7, 4); +@@ -332,7 +334,7 @@ static void rtw89_phy_ra_sta_update(struct rtw89_dev *rtwdev, + /* Set the ra mask from sta's capability */ + if (link_sta->eht_cap.has_eht) { + mode |= RTW89_RA_MODE_EHT; +- ra_mask |= get_eht_ra_mask(link_sta); ++ ra_mask |= get_eht_ra_mask(rtwvif_link, link_sta); + + if (rtwdev->hal.no_mcs_12_13) + high_rate_masks = rtw89_ra_mask_eht_mcs0_11; +-- +2.39.5 + diff --git a/queue-6.15/xen-fix-uaf-in-dmabuf_exp_from_pages.patch b/queue-6.15/xen-fix-uaf-in-dmabuf_exp_from_pages.patch new file mode 100644 index 0000000000..f87cd83e37 --- /dev/null +++ b/queue-6.15/xen-fix-uaf-in-dmabuf_exp_from_pages.patch @@ -0,0 +1,96 @@ +From 8c5a56b348c771ad5cf8e7594509c97ad2c15643 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jul 2025 06:09:16 +0100 +Subject: xen: fix UAF in dmabuf_exp_from_pages() + +From: Al Viro + +[ Upstream commit 532c8b51b3a8676cbf533a291f8156774f30ea87 ] + +[dma_buf_fd() fixes; no preferences regarding the tree it goes through - +up to xen folks] + +As soon as we'd inserted a file reference into descriptor table, another +thread could close it. That's fine for the case when all we are doing is +returning that descriptor to userland (it's a race, but it's a userland +race and there's nothing the kernel can do about it). However, if we +follow fd_install() with any kind of access to objects that would be +destroyed on close (be it the struct file itself or anything destroyed +by its ->release()), we have a UAF. + +dma_buf_fd() is a combination of reserving a descriptor and fd_install(). +gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the +objects destroyed on close - starting with gntdev_dmabuf itself. + +Fix that by doing reserving descriptor before anything else and do +fd_install() only when everything had been set up. + +Fixes: a240d6e42e28 ("xen/gntdev: Implement dma-buf export functionality") +Signed-off-by: Al Viro +Acked-by: Juergen Gross +Message-ID: <20250712050916.GY1880847@ZenIV> +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/gntdev-dmabuf.c | 28 ++++++++++------------------ + 1 file changed, 10 insertions(+), 18 deletions(-) + +diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c +index 5453d86324f6..82855105ab85 100644 +--- a/drivers/xen/gntdev-dmabuf.c ++++ b/drivers/xen/gntdev-dmabuf.c +@@ -357,8 +357,11 @@ struct gntdev_dmabuf_export_args { + static int dmabuf_exp_from_pages(struct gntdev_dmabuf_export_args *args) + { + DEFINE_DMA_BUF_EXPORT_INFO(exp_info); +- struct gntdev_dmabuf *gntdev_dmabuf; +- int ret; ++ struct gntdev_dmabuf *gntdev_dmabuf __free(kfree) = NULL; ++ CLASS(get_unused_fd, ret)(O_CLOEXEC); ++ ++ if (ret < 0) ++ return ret; + + gntdev_dmabuf = kzalloc(sizeof(*gntdev_dmabuf), GFP_KERNEL); + if (!gntdev_dmabuf) +@@ -383,32 +386,21 @@ static int dmabuf_exp_from_pages(struct gntdev_dmabuf_export_args *args) + exp_info.priv = gntdev_dmabuf; + + gntdev_dmabuf->dmabuf = dma_buf_export(&exp_info); +- if (IS_ERR(gntdev_dmabuf->dmabuf)) { +- ret = PTR_ERR(gntdev_dmabuf->dmabuf); +- gntdev_dmabuf->dmabuf = NULL; +- goto fail; +- } +- +- ret = dma_buf_fd(gntdev_dmabuf->dmabuf, O_CLOEXEC); +- if (ret < 0) +- goto fail; ++ if (IS_ERR(gntdev_dmabuf->dmabuf)) ++ return PTR_ERR(gntdev_dmabuf->dmabuf); + + gntdev_dmabuf->fd = ret; + args->fd = ret; + + pr_debug("Exporting DMA buffer with fd %d\n", ret); + ++ get_file(gntdev_dmabuf->priv->filp); + mutex_lock(&args->dmabuf_priv->lock); + list_add(&gntdev_dmabuf->next, &args->dmabuf_priv->exp_list); + mutex_unlock(&args->dmabuf_priv->lock); +- get_file(gntdev_dmabuf->priv->filp); +- return 0; + +-fail: +- if (gntdev_dmabuf->dmabuf) +- dma_buf_put(gntdev_dmabuf->dmabuf); +- kfree(gntdev_dmabuf); +- return ret; ++ fd_install(take_fd(ret), no_free_ptr(gntdev_dmabuf)->dmabuf->file); ++ return 0; + } + + static struct gntdev_grant_map * +-- +2.39.5 + diff --git a/queue-6.15/xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch b/queue-6.15/xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch new file mode 100644 index 0000000000..f924d8d095 --- /dev/null +++ b/queue-6.15/xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch @@ -0,0 +1,187 @@ +From 1ec1bc0e08f26d4fae168f2a41ca8166de8e69a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 09:32:59 +0200 +Subject: xen/gntdev: remove struct gntdev_copy_batch from stack + +From: Juergen Gross + +[ Upstream commit 70045cf6593cbf0740956ea9b7b4269142c6ee38 ] + +When compiling the kernel with LLVM, the following warning was issued: + + drivers/xen/gntdev.c:991: warning: stack frame size (1160) exceeds + limit (1024) in function 'gntdev_ioctl' + +The main reason is struct gntdev_copy_batch which is located on the +stack and has a size of nearly 1kb. + +For performance reasons it shouldn't by just dynamically allocated +instead, so allocate a new instance when needed and instead of freeing +it put it into a list of free structs anchored in struct gntdev_priv. + +Fixes: a4cdb556cae0 ("xen/gntdev: add ioctl for grant copy") +Reported-by: Abinash Singh +Reviewed-by: Stefano Stabellini +Signed-off-by: Juergen Gross +Message-ID: <20250703073259.17356-1-jgross@suse.com> +Signed-off-by: Sasha Levin +--- + drivers/xen/gntdev-common.h | 4 +++ + drivers/xen/gntdev.c | 71 ++++++++++++++++++++++++++----------- + 2 files changed, 54 insertions(+), 21 deletions(-) + +diff --git a/drivers/xen/gntdev-common.h b/drivers/xen/gntdev-common.h +index 9c286b2a1900..ac8ce3179ba2 100644 +--- a/drivers/xen/gntdev-common.h ++++ b/drivers/xen/gntdev-common.h +@@ -26,6 +26,10 @@ struct gntdev_priv { + /* lock protects maps and freeable_maps. */ + struct mutex lock; + ++ /* Free instances of struct gntdev_copy_batch. */ ++ struct gntdev_copy_batch *batch; ++ struct mutex batch_lock; ++ + #ifdef CONFIG_XEN_GRANT_DMA_ALLOC + /* Device for which DMA memory is allocated. */ + struct device *dma_dev; +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c +index 61faea1f0663..1f2160765618 100644 +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -56,6 +56,18 @@ MODULE_AUTHOR("Derek G. Murray , " + "Gerd Hoffmann "); + MODULE_DESCRIPTION("User-space granted page access driver"); + ++#define GNTDEV_COPY_BATCH 16 ++ ++struct gntdev_copy_batch { ++ struct gnttab_copy ops[GNTDEV_COPY_BATCH]; ++ struct page *pages[GNTDEV_COPY_BATCH]; ++ s16 __user *status[GNTDEV_COPY_BATCH]; ++ unsigned int nr_ops; ++ unsigned int nr_pages; ++ bool writeable; ++ struct gntdev_copy_batch *next; ++}; ++ + static unsigned int limit = 64*1024; + module_param(limit, uint, 0644); + MODULE_PARM_DESC(limit, +@@ -584,6 +596,8 @@ static int gntdev_open(struct inode *inode, struct file *flip) + INIT_LIST_HEAD(&priv->maps); + mutex_init(&priv->lock); + ++ mutex_init(&priv->batch_lock); ++ + #ifdef CONFIG_XEN_GNTDEV_DMABUF + priv->dmabuf_priv = gntdev_dmabuf_init(flip); + if (IS_ERR(priv->dmabuf_priv)) { +@@ -608,6 +622,7 @@ static int gntdev_release(struct inode *inode, struct file *flip) + { + struct gntdev_priv *priv = flip->private_data; + struct gntdev_grant_map *map; ++ struct gntdev_copy_batch *batch; + + pr_debug("priv %p\n", priv); + +@@ -620,6 +635,14 @@ static int gntdev_release(struct inode *inode, struct file *flip) + } + mutex_unlock(&priv->lock); + ++ mutex_lock(&priv->batch_lock); ++ while (priv->batch) { ++ batch = priv->batch; ++ priv->batch = batch->next; ++ kfree(batch); ++ } ++ mutex_unlock(&priv->batch_lock); ++ + #ifdef CONFIG_XEN_GNTDEV_DMABUF + gntdev_dmabuf_fini(priv->dmabuf_priv); + #endif +@@ -785,17 +808,6 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u) + return rc; + } + +-#define GNTDEV_COPY_BATCH 16 +- +-struct gntdev_copy_batch { +- struct gnttab_copy ops[GNTDEV_COPY_BATCH]; +- struct page *pages[GNTDEV_COPY_BATCH]; +- s16 __user *status[GNTDEV_COPY_BATCH]; +- unsigned int nr_ops; +- unsigned int nr_pages; +- bool writeable; +-}; +- + static int gntdev_get_page(struct gntdev_copy_batch *batch, void __user *virt, + unsigned long *gfn) + { +@@ -953,36 +965,53 @@ static int gntdev_grant_copy_seg(struct gntdev_copy_batch *batch, + static long gntdev_ioctl_grant_copy(struct gntdev_priv *priv, void __user *u) + { + struct ioctl_gntdev_grant_copy copy; +- struct gntdev_copy_batch batch; ++ struct gntdev_copy_batch *batch; + unsigned int i; + int ret = 0; + + if (copy_from_user(©, u, sizeof(copy))) + return -EFAULT; + +- batch.nr_ops = 0; +- batch.nr_pages = 0; ++ mutex_lock(&priv->batch_lock); ++ if (!priv->batch) { ++ batch = kmalloc(sizeof(*batch), GFP_KERNEL); ++ } else { ++ batch = priv->batch; ++ priv->batch = batch->next; ++ } ++ mutex_unlock(&priv->batch_lock); ++ if (!batch) ++ return -ENOMEM; ++ ++ batch->nr_ops = 0; ++ batch->nr_pages = 0; + + for (i = 0; i < copy.count; i++) { + struct gntdev_grant_copy_segment seg; + + if (copy_from_user(&seg, ©.segments[i], sizeof(seg))) { + ret = -EFAULT; ++ gntdev_put_pages(batch); + goto out; + } + +- ret = gntdev_grant_copy_seg(&batch, &seg, ©.segments[i].status); +- if (ret < 0) ++ ret = gntdev_grant_copy_seg(batch, &seg, ©.segments[i].status); ++ if (ret < 0) { ++ gntdev_put_pages(batch); + goto out; ++ } + + cond_resched(); + } +- if (batch.nr_ops) +- ret = gntdev_copy(&batch); +- return ret; ++ if (batch->nr_ops) ++ ret = gntdev_copy(batch); ++ ++ out: ++ mutex_lock(&priv->batch_lock); ++ batch->next = priv->batch; ++ priv->batch = batch; ++ mutex_unlock(&priv->batch_lock); + +- out: +- gntdev_put_pages(&batch); + return ret; + } + +-- +2.39.5 + -- 2.47.2