From df03806c7f78413af29e240a0fbf426ef1c4f1ef Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 8 Aug 2025 18:24:56 -0400 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...wb_history_size-value-is-a-power-of-.patch | 55 +++ ...ligned-memory-accesses-in-kunit-test.patch | 60 +++ ...config-drop-obsolete-config_net_cls_.patch | 38 ++ ...ontron-bl-common-fix-rts-polarity-fo.patch | 38 ++ ...arm-dts-ti-omap-fixup-pinheader-typo.patch | 44 +++ ...rrectly-use-two-tuples-for-timer-add.patch | 37 ++ ...m-beacon-fix-hs400-usdhc-clock-speed.patch | 41 ++ ...n-beacon-fix-hs400-usdhc-clock-speed.patch | 41 ++ ...ally-allocate-struct-snd_ctl_elem_va.patch | 79 ++++ ...yup-return-value-of-snd_soc_xlate_td.patch | 88 +++++ ...w_dissector-ctx-accesses-are-aligned.patch | 48 +++ ...a-corruption-when-using-bpf_msg_pop_.patch | 59 +++ ...fix-psock-incorrectly-pointing-to-sk.patch | 82 ++++ ...ry-leak-in-dump_xx_nlmsg-on-realloc-.patch | 77 ++++ queue-5.15/caif-reduce-stack-size-again.patch | 359 ++++++++++++++++++ ...er_pciefd-store-device-channel-index.patch | 36 ++ ...ssign-netdev.dev_port-based-on-devic.patch | 39 ++ ...kgen-fix-fpfd_max-frequency-for-zynq.patch | 43 +++ ...null-check-in-davinci_lpsc_clk_regis.patch | 45 +++ ...sunxi-ng-v3s-fix-de-clock-definition.patch | 44 +++ ...nregister-pll_post-only-if-registere.patch | 50 +++ ...icy-rwsem-before-it-may-be-possibly-.patch | 49 +++ ...ze-cpufreq-based-frequency-invarianc.patch | 63 +++ ...tate-always-use-hwp_desired_perf-in-.patch | 51 +++ ...rash-when-rebind-ccp-device-for-ccp..patch | 81 ++++ ...mg-hash-fix-dma_unmap_sg-nents-value.patch | 36 ++ ...-secure-fix-dma_unmap_sg-nents-value.patch | 50 +++ ...keembay-fix-dma_unmap_sg-nents-value.patch | 63 +++ ...vell-cesa-fix-engine-load-inaccuracy.patch | 75 ++++ ...eq_file-position-update-in-adf_ring_.patch | 49 +++ ...-fix-missing-check-after-dma-map-and.patch | 73 ++++ ...faxi-add-missing-check-after-dma-map.patch | 55 +++ ...play-hwmgr-smu_helper-fix-order-of-m.patch | 44 +++ ...anup-fb-when-drm_gem_fb_afbc_init-fa.patch | 52 +++ ...wrong-quota-mount-option-description.patch | 40 ++ ...an-uninit-value-in-extent_info-usage.patch | 47 +++ ...d-out-of-boundary-access-in-devs.pat.patch | 60 +++ ...x-to-avoid-panic-in-f2fs_evict_inode.patch | 282 ++++++++++++++ ...to-avoid-uaf-in-f2fs_sync_inode_meta.patch | 235 ++++++++++++ ...k-fb_add_videomode-to-prevent-null-p.patch | 46 +++ ...low-2-more-characters-in-do_c_string.patch | 65 ++++ ...t-fix-parameter-name-in-infofc-macro.patch | 42 ++ ...utex_lock-check-in-hfsplus_free_exte.patch | 94 +++++ ...handle-devm_pm_runtime_enable-errors.patch | 38 ++ ...ing-check-for-alloc_ordered_workqueu.patch | 69 ++++ ...e-reference-count-leak-in-dballocctl.patch | 45 +++ ...f-fix-configlist-updatelistallforall.patch | 38 ++ ...emptirq_delay_test-use-offstack-cpu-.patch | 67 ++++ ...t-unregister-boot-console-needlessly.patch | 150 ++++++++ ...-fix-h264-separate_colour_plane-chec.patch | 47 +++ ...-the-moduleparam-prefix-length-check.patch | 61 +++ ...sible-integer-overflow-in-erase_xfer.patch | 41 ++ ...-atmel-fix-dma_mapping_error-address.patch | 38 ++ ...nand-atmel-set-pmecc-data-setup-time.patch | 57 +++ ...chip-add-missing-check-after-dma-map.patch | 61 +++ ...wl8k-add-missing-check-after-dma-map.patch | 39 ++ ...k-device-memory-pointer-before-usage.patch | 75 ++++ ...ct-conditions-for-adding-duplicating.patch | 117 ++++++ ...info-use-atomic64_t-for-three-counte.patch | 106 ++++++ ...les-adjust-lockdep-assertions-handli.patch | 51 +++ ...cct-don-t-assume-acct-name-is-null-t.patch | 50 +++ ...-epf-vntb-fix-the-incorrect-usage-of.patch | 52 +++ ...-epf-vntb-return-enoent-if-pci_epc_g.patch | 43 +++ ...hp-clean-up-allocated-irqs-on-unplug.patch | 229 +++++++++++ ...surprise-plug-detection-and-recovery.patch | 214 +++++++++++ ...-around-switches-with-broken-presenc.patch | 77 ++++ ...t-fix-unexpected-completion-log-mess.patch | 41 ++ ...emory-leaks-for-evsel-priv-in-timehi.patch | 101 +++++ ...p_account-fix-leaked-file-descriptor.patch | 57 +++ ...-fix-memory-leak-on-krealloc-failure.patch | 55 +++ ...-governor-before-using-governor-name.patch | 50 +++ ...ap-charger-fix-null-check-for-power_.patch | 42 ++ ...14577-handle-null-pdata-when-config_.patch | 51 +++ .../powerpc-eeh-export-eeh_unfreeze_pe.patch | 39 ++ ...-make-eeh-driver-device-hotplug-safe.patch | 252 ++++++++++++ ...eh-rely-on-dev-link_active_reporting.patch | 39 ++ queue-5.15/pps-fix-poll-support.patch | 102 +++++ ...dma-hns-fix-wframe-larger-than-issue.patch | 67 ++++ ...80211-update-skb-s-control-block-key.patch | 40 ++ ...replace-inode_trylock-with-inode_loc.patch | 45 +++ ...ent-the-dispatching-of-uninitialized.patch | 55 +++ ...ncorrect-maximum-clock-rate-handling.patch | 40 ++ ...incorrect-maximum-clock-rate-handlin.patch | 40 ++ ...-incorrect-maximum-clock-rate-handli.patch | 40 ++ ...incorrect-maximum-clock-rate-handlin.patch | 40 ++ ...ncorrect-maximum-clock-rate-handling.patch | 40 ++ ...amples-mei-fix-building-on-musl-libc.patch | 75 ++++ ...csi_tgt-fix-dma_unmap_sg-nents-value.patch | 48 +++ ...si-isci-fix-dma_unmap_sg-nents-value.patch | 37 ++ ...i-mpt3sas-fix-a-fw_event-memory-leak.patch | 39 ++ ...i-mvsas-fix-dma_unmap_sg-nents-value.patch | 46 +++ ...e-link-recovery-when-h8-exit-fails-d.patch | 57 +++ ...rno-checking-in-syscall_user_dispatc.patch | 132 +++++++ ...ink.sh-remove-esp4_offload-after-tes.patch | 62 +++ ...g-fix-false-failure-of-subsystem-eve.patch | 85 +++++ queue-5.15/series | 116 ++++++ ...use-hyphen-in-exported-variable-name.patch | 107 ++++++ ...-restore-params-when-prepare-ports-f.patch | 43 +++ ...x-potential-memory-leak-in-fbtft_fra.patch | 39 ++ ...-incorrect-null-termination-of-batte.patch | 41 ++ ...queue-to-avoid-including-too-much-du.patch | 56 +++ ...-atomic_long_inc_below-argument-type.patch | 66 ++++ ...avoid-shadowing-err-in-uml_rtc_start.patch | 38 ++ ...arly-xhci-dbc-fix-early_ioremap-leak.patch | 56 +++ ...fi-fastcharge-make-power-supply-name.patch | 110 ++++++ ...og-flooding-with-target-does-not-exi.patch | 65 ++++ ...-dispatching-of-uninitialized-payloa.patch | 49 +++ ...g-dst-reference-in-vrf_ip6_input_dst.patch | 65 ++++ ..._wdt-check-record-length-in-ziirave_.patch | 42 ++ ...r-initialized-flag-for-deinit-ed-srn.patch | 97 +++++ ...x-p2p-discovery-failure-in-p2p-peer-.patch | 65 ++++ ...wifi-fix-memory-leak-in-iwl_mvm_init.patch | 40 ++ ...eck-802.11-encaps-offloading-in-ieee.patch | 45 +++ ...n-t-call-fq_flow_idx-for-management-.patch | 45 +++ ...l-urbs-before-clearing-tx-status-que.patch | 68 ++++ ...x-rx-skb-size-for-aggregation-disabl.patch | 45 +++ ...e-struct-gntdev_copy_batch-from-stac.patch | 187 +++++++++ 117 files changed, 8122 insertions(+) create mode 100644 queue-5.15/apparmor-ensure-wb_history_size-value-is-a-power-of-.patch create mode 100644 queue-5.15/apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch create mode 100644 queue-5.15/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch create mode 100644 queue-5.15/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch create mode 100644 queue-5.15/arm-dts-ti-omap-fixup-pinheader-typo.patch create mode 100644 queue-5.15/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch create mode 100644 queue-5.15/arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch create mode 100644 queue-5.15/arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch create mode 100644 queue-5.15/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch create mode 100644 queue-5.15/asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch create mode 100644 queue-5.15/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch create mode 100644 queue-5.15/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch create mode 100644 queue-5.15/bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch create mode 100644 queue-5.15/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch create mode 100644 queue-5.15/caif-reduce-stack-size-again.patch create mode 100644 queue-5.15/can-kvaser_pciefd-store-device-channel-index.patch create mode 100644 queue-5.15/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch create mode 100644 queue-5.15/clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch create mode 100644 queue-5.15/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch create mode 100644 queue-5.15/clk-sunxi-ng-v3s-fix-de-clock-definition.patch create mode 100644 queue-5.15/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch create mode 100644 queue-5.15/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch create mode 100644 queue-5.15/cpufreq-initialize-cpufreq-based-frequency-invarianc.patch create mode 100644 queue-5.15/cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch create mode 100644 queue-5.15/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch create mode 100644 queue-5.15/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-5.15/crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-5.15/crypto-keembay-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-5.15/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch create mode 100644 queue-5.15/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch create mode 100644 queue-5.15/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch create mode 100644 queue-5.15/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch create mode 100644 queue-5.15/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch create mode 100644 queue-5.15/drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch create mode 100644 queue-5.15/f2fs-doc-fix-wrong-quota-mount-option-description.patch create mode 100644 queue-5.15/f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch create mode 100644 queue-5.15/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch create mode 100644 queue-5.15/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch create mode 100644 queue-5.15/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch create mode 100644 queue-5.15/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch create mode 100644 queue-5.15/fs-orangefs-allow-2-more-characters-in-do_c_string.patch create mode 100644 queue-5.15/fs_context-fix-parameter-name-in-infofc-macro.patch create mode 100644 queue-5.15/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch create mode 100644 queue-5.15/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch create mode 100644 queue-5.15/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch create mode 100644 queue-5.15/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch create mode 100644 queue-5.15/kconfig-qconf-fix-configlist-updatelistallforall.patch create mode 100644 queue-5.15/kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch create mode 100644 queue-5.15/m68k-don-t-unregister-boot-console-needlessly.patch create mode 100644 queue-5.15/media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch create mode 100644 queue-5.15/module-restore-the-moduleparam-prefix-length-check.patch create mode 100644 queue-5.15/mtd-fix-possible-integer-overflow-in-erase_xfer.patch create mode 100644 queue-5.15/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch create mode 100644 queue-5.15/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch create mode 100644 queue-5.15/mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch create mode 100644 queue-5.15/mwl8k-add-missing-check-after-dma-map.patch create mode 100644 queue-5.15/net-mlx5-check-device-memory-pointer-before-usage.patch create mode 100644 queue-5.15/net-sched-restrict-conditions-for-adding-duplicating.patch create mode 100644 queue-5.15/net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch create mode 100644 queue-5.15/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch create mode 100644 queue-5.15/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch create mode 100644 queue-5.15/pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch create mode 100644 queue-5.15/pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch create mode 100644 queue-5.15/pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch create mode 100644 queue-5.15/pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch create mode 100644 queue-5.15/pci-pnv_php-work-around-switches-with-broken-presenc.patch create mode 100644 queue-5.15/pci-rockchip-host-fix-unexpected-completion-log-mess.patch create mode 100644 queue-5.15/perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch create mode 100644 queue-5.15/perf-tests-bp_account-fix-leaked-file-descriptor.patch create mode 100644 queue-5.15/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch create mode 100644 queue-5.15/pm-devfreq-check-governor-before-using-governor-name.patch create mode 100644 queue-5.15/power-supply-cpcap-charger-fix-null-check-for-power_.patch create mode 100644 queue-5.15/power-supply-max14577-handle-null-pdata-when-config_.patch create mode 100644 queue-5.15/powerpc-eeh-export-eeh_unfreeze_pe.patch create mode 100644 queue-5.15/powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch create mode 100644 queue-5.15/powerpc-eeh-rely-on-dev-link_active_reporting.patch create mode 100644 queue-5.15/pps-fix-poll-support.patch create mode 100644 queue-5.15/rdma-hns-fix-wframe-larger-than-issue.patch create mode 100644 queue-5.15/reapply-wifi-mac80211-update-skb-s-control-block-key.patch create mode 100644 queue-5.15/revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch create mode 100644 queue-5.15/revert-vmci-prevent-the-dispatching-of-uninitialized.patch create mode 100644 queue-5.15/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch create mode 100644 queue-5.15/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch create mode 100644 queue-5.15/rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch create mode 100644 queue-5.15/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch create mode 100644 queue-5.15/rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch create mode 100644 queue-5.15/samples-mei-fix-building-on-musl-libc.patch create mode 100644 queue-5.15/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-5.15/scsi-isci-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-5.15/scsi-mpt3sas-fix-a-fw_event-memory-leak.patch create mode 100644 queue-5.15/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-5.15/scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch create mode 100644 queue-5.15/selftests-fix-errno-checking-in-syscall_user_dispatc.patch create mode 100644 queue-5.15/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch create mode 100644 queue-5.15/selftests-tracing-fix-false-failure-of-subsystem-eve.patch create mode 100644 queue-5.15/sh-do-not-use-hyphen-in-exported-variable-name.patch create mode 100644 queue-5.15/soundwire-stream-restore-params-when-prepare-ports-f.patch create mode 100644 queue-5.15/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch create mode 100644 queue-5.15/staging-nvec-fix-incorrect-null-termination-of-batte.patch create mode 100644 queue-5.15/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch create mode 100644 queue-5.15/ucount-fix-atomic_long_inc_below-argument-type.patch create mode 100644 queue-5.15/um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch create mode 100644 queue-5.15/usb-early-xhci-dbc-fix-early_ioremap-leak.patch create mode 100644 queue-5.15/usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch create mode 100644 queue-5.15/vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch create mode 100644 queue-5.15/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch create mode 100644 queue-5.15/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch create mode 100644 queue-5.15/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch create mode 100644 queue-5.15/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch create mode 100644 queue-5.15/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch create mode 100644 queue-5.15/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch create mode 100644 queue-5.15/wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch create mode 100644 queue-5.15/wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch create mode 100644 queue-5.15/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch create mode 100644 queue-5.15/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch create mode 100644 queue-5.15/xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch diff --git a/queue-5.15/apparmor-ensure-wb_history_size-value-is-a-power-of-.patch b/queue-5.15/apparmor-ensure-wb_history_size-value-is-a-power-of-.patch new file mode 100644 index 0000000000..eb0b6ebc05 --- /dev/null +++ b/queue-5.15/apparmor-ensure-wb_history_size-value-is-a-power-of-.patch @@ -0,0 +1,55 @@ +From 0fb2076e5211f95e87975efc89f496330f1d3b25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 12:54:38 -0700 +Subject: apparmor: ensure WB_HISTORY_SIZE value is a power of 2 + +From: Ryan Lee + +[ Upstream commit 6c055e62560b958354625604293652753d82bcae ] + +WB_HISTORY_SIZE was defined to be a value not a power of 2, despite a +comment in the declaration of struct match_workbuf stating it is and a +modular arithmetic usage in the inc_wb_pos macro assuming that it is. Bump +WB_HISTORY_SIZE's value up to 32 and add a BUILD_BUG_ON_NOT_POWER_OF_2 +line to ensure that any future changes to the value of WB_HISTORY_SIZE +respect this requirement. + +Fixes: 136db994852a ("apparmor: increase left match history buffer size") + +Signed-off-by: Ryan Lee +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/include/match.h | 3 ++- + security/apparmor/match.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h +index 884489590588..29306ec87fd1 100644 +--- a/security/apparmor/include/match.h ++++ b/security/apparmor/include/match.h +@@ -141,7 +141,8 @@ unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start, + + void aa_dfa_free_kref(struct kref *kref); + +-#define WB_HISTORY_SIZE 24 ++/* This needs to be a power of 2 */ ++#define WB_HISTORY_SIZE 32 + struct match_workbuf { + unsigned int count; + unsigned int pos; +diff --git a/security/apparmor/match.c b/security/apparmor/match.c +index 3e9e1eaf990e..0e683ee323e3 100644 +--- a/security/apparmor/match.c ++++ b/security/apparmor/match.c +@@ -672,6 +672,7 @@ unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start, + + #define inc_wb_pos(wb) \ + do { \ ++ BUILD_BUG_ON_NOT_POWER_OF_2(WB_HISTORY_SIZE); \ + wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \ + wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \ + } while (0) +-- +2.39.5 + diff --git a/queue-5.15/apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch b/queue-5.15/apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch new file mode 100644 index 0000000000..e8a6454a56 --- /dev/null +++ b/queue-5.15/apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch @@ -0,0 +1,60 @@ +From 16c571cb29f3df48742f9a22378c1baae59a7098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 May 2025 17:08:22 +0200 +Subject: apparmor: Fix unaligned memory accesses in KUnit test + +From: Helge Deller + +[ Upstream commit c68804199dd9d63868497a27b5da3c3cd15356db ] + +The testcase triggers some unnecessary unaligned memory accesses on the +parisc architecture: + Kernel: unaligned access to 0x12f28e27 in policy_unpack_test_init+0x180/0x374 (iir 0x0cdc1280) + Kernel: unaligned access to 0x12f28e67 in policy_unpack_test_init+0x270/0x374 (iir 0x64dc00ce) + +Use the existing helper functions put_unaligned_le32() and +put_unaligned_le16() to avoid such warnings on architectures which +prefer aligned memory accesses. + +Signed-off-by: Helge Deller +Fixes: 98c0cc48e27e ("apparmor: fix policy_unpack_test on big endian systems") +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/policy_unpack_test.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/security/apparmor/policy_unpack_test.c b/security/apparmor/policy_unpack_test.c +index 128baa08a989..50fdc390ad2d 100644 +--- a/security/apparmor/policy_unpack_test.c ++++ b/security/apparmor/policy_unpack_test.c +@@ -8,6 +8,8 @@ + #include "include/policy.h" + #include "include/policy_unpack.h" + ++#include ++ + #define TEST_STRING_NAME "TEST_STRING" + #define TEST_STRING_DATA "testing" + #define TEST_STRING_BUF_OFFSET \ +@@ -78,7 +80,7 @@ struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf, + *(buf + 1) = strlen(TEST_U32_NAME) + 1; + strcpy(buf + 3, TEST_U32_NAME); + *(buf + 3 + strlen(TEST_U32_NAME) + 1) = AA_U32; +- *((__le32 *)(buf + 3 + strlen(TEST_U32_NAME) + 2)) = cpu_to_le32(TEST_U32_DATA); ++ put_unaligned_le32(TEST_U32_DATA, buf + 3 + strlen(TEST_U32_NAME) + 2); + + buf = e->start + TEST_NAMED_U64_BUF_OFFSET; + *buf = AA_NAME; +@@ -101,7 +103,7 @@ struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf, + *(buf + 1) = strlen(TEST_ARRAY_NAME) + 1; + strcpy(buf + 3, TEST_ARRAY_NAME); + *(buf + 3 + strlen(TEST_ARRAY_NAME) + 1) = AA_ARRAY; +- *((__le16 *)(buf + 3 + strlen(TEST_ARRAY_NAME) + 2)) = cpu_to_le16(TEST_ARRAY_SIZE); ++ put_unaligned_le16(TEST_ARRAY_SIZE, buf + 3 + strlen(TEST_ARRAY_NAME) + 2); + + return e; + } +-- +2.39.5 + diff --git a/queue-5.15/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch b/queue-5.15/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch new file mode 100644 index 0000000000..09ab4f0ac2 --- /dev/null +++ b/queue-5.15/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch @@ -0,0 +1,38 @@ +From f93e58c006dc50a0f2d05a92c9d9c6713515919e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Mar 2025 20:11:16 +0100 +Subject: arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX + +From: Johan Korsnes + +[ Upstream commit 75cd37c5f28b85979fd5a65174013010f6b78f27 ] + +This option was removed from the Kconfig in commit +8c710f75256b ("net/sched: Retire tcindex classifier") but it was not +removed from the defconfigs. + +Fixes: 8c710f75256b ("net/sched: Retire tcindex classifier") +Signed-off-by: Johan Korsnes +Reviewed-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250323191116.113482-1-johan.korsnes@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/configs/ppc6xx_defconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig +index 7f7e7add44e7..cdaf8469d484 100644 +--- a/arch/powerpc/configs/ppc6xx_defconfig ++++ b/arch/powerpc/configs/ppc6xx_defconfig +@@ -263,7 +263,6 @@ CONFIG_NET_SCH_DSMARK=m + CONFIG_NET_SCH_NETEM=m + CONFIG_NET_SCH_INGRESS=m + CONFIG_NET_CLS_BASIC=m +-CONFIG_NET_CLS_TCINDEX=m + CONFIG_NET_CLS_ROUTE4=m + CONFIG_NET_CLS_FW=m + CONFIG_NET_CLS_U32=m +-- +2.39.5 + diff --git a/queue-5.15/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch b/queue-5.15/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch new file mode 100644 index 0000000000..ca53e21bee --- /dev/null +++ b/queue-5.15/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch @@ -0,0 +1,38 @@ +From df3fe069e46c8989e37a911e49ea757ca5339829 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 14:24:41 +0200 +Subject: ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 + interface + +From: Annette Kobou + +[ Upstream commit 47ef5256124fb939d8157b13ca048c902435cf23 ] + +The polarity of the DE signal of the transceiver is active-high for +sending. Therefore rs485-rts-active-low is wrong and needs to be +removed to make RS485 transmissions work. + +Signed-off-by: Annette Kobou +Signed-off-by: Frieder Schrempf +Fixes: 1ea4b76cdfde ("ARM: dts: imx6ul-kontron-n6310: Add Kontron i.MX6UL N6310 SoM and boards") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi b/arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi +index 770f59b23102..44477206ba0f 100644 +--- a/arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi ++++ b/arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi +@@ -170,7 +170,6 @@ &uart2 { + pinctrl-0 = <&pinctrl_uart2>; + linux,rs485-enabled-at-boot-time; + rs485-rx-during-tx; +- rs485-rts-active-low; + uart-has-rtscts; + status = "okay"; + }; +-- +2.39.5 + diff --git a/queue-5.15/arm-dts-ti-omap-fixup-pinheader-typo.patch b/queue-5.15/arm-dts-ti-omap-fixup-pinheader-typo.patch new file mode 100644 index 0000000000..974565d699 --- /dev/null +++ b/queue-5.15/arm-dts-ti-omap-fixup-pinheader-typo.patch @@ -0,0 +1,44 @@ +From c1c889052cc864ebfcdceb413fa69f3e1410c9f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 13:48:39 +0200 +Subject: arm: dts: ti: omap: Fixup pinheader typo +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Albin Törnqvist + +[ Upstream commit a3a4be32b69c99fc20a66e0de83b91f8c882bf4c ] + +This commit fixes a typo introduced in commit +ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names"). +gpio0_7 is located on the P9 header on the BBB. +This was verified with a BeagleBone Black by toggling the pin and +checking with a multimeter that it corresponds to pin 42 on the P9 +header. + +Signed-off-by: Albin Törnqvist +Link: https://lore.kernel.org/r/20250624114839.1465115-2-albin.tornqvist@codiax.se +Fixes: ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names") +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am335x-boneblack.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts +index 9312197316f0..db1bf9452e57 100644 +--- a/arch/arm/boot/dts/am335x-boneblack.dts ++++ b/arch/arm/boot/dts/am335x-boneblack.dts +@@ -34,7 +34,7 @@ &gpio0 { + "P9_18 [spi0_d1]", + "P9_17 [spi0_cs0]", + "[mmc0_cd]", +- "P8_42A [ecappwm0]", ++ "P9_42A [ecappwm0]", + "P8_35 [lcd d12]", + "P8_33 [lcd d13]", + "P8_31 [lcd d14]", +-- +2.39.5 + diff --git a/queue-5.15/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch b/queue-5.15/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch new file mode 100644 index 0000000000..9cf5de2708 --- /dev/null +++ b/queue-5.15/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch @@ -0,0 +1,37 @@ +From 5f404d21ae010bbeb0e2edcefcb571a8a65e3768 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 09:19:22 +0200 +Subject: ARM: dts: vfxxx: Correctly use two tuples for timer address + +From: Krzysztof Kozlowski + +[ Upstream commit f3440dcf8b994197c968fbafe047ce27eed226e8 ] + +Address and size-cells are 1 and the ftm timer node takes two address +spaces in "reg" property, so this should be in two <> tuples. Change +has no functional impact, but original code is confusing/less readable. + +Fixes: 07513e1330a9 ("ARM: dts: vf610: Add Freescale FlexTimer Module timer node.") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/vfxxx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/vfxxx.dtsi b/arch/arm/boot/dts/vfxxx.dtsi +index d53f9c9db8bf..eb7973fb4713 100644 +--- a/arch/arm/boot/dts/vfxxx.dtsi ++++ b/arch/arm/boot/dts/vfxxx.dtsi +@@ -617,7 +617,7 @@ usbmisc1: usb@400b4800 { + + ftm: ftm@400b8000 { + compatible = "fsl,ftm-timer"; +- reg = <0x400b8000 0x1000 0x400b9000 0x1000>; ++ reg = <0x400b8000 0x1000>, <0x400b9000 0x1000>; + interrupts = <44 IRQ_TYPE_LEVEL_HIGH>; + clock-names = "ftm-evt", "ftm-src", + "ftm-evt-counter-en", "ftm-src-counter-en"; +-- +2.39.5 + diff --git a/queue-5.15/arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch b/queue-5.15/arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch new file mode 100644 index 0000000000..36e5030b07 --- /dev/null +++ b/queue-5.15/arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch @@ -0,0 +1,41 @@ +From d87b489d92c92362130c211297f2b2636c26b35f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 16:34:45 -0500 +Subject: arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed + +From: Adam Ford + +[ Upstream commit f83f69097a302ed2a2775975ddcf12e6a5ac6ec3 ] + +The reference manual for the i.MX8MM states the clock rate in +MMC mode is 1/2 of the input clock, therefore to properly run +at HS400 rates, the input clock must be 400MHz to operate at +200MHz. Currently the clock is set to 200MHz which is half the +rate it should be, so the throughput is half of what it should be +for HS400 operation. + +Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit") +Signed-off-by: Adam Ford +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +index 7ed267bf9b8f..c4b97cbb55d6 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +@@ -285,6 +285,8 @@ &usdhc3 { + pinctrl-0 = <&pinctrl_usdhc3>; + pinctrl-1 = <&pinctrl_usdhc3_100mhz>; + pinctrl-2 = <&pinctrl_usdhc3_200mhz>; ++ assigned-clocks = <&clk IMX8MM_CLK_USDHC3>; ++ assigned-clock-rates = <400000000>; + bus-width = <8>; + non-removable; + status = "okay"; +-- +2.39.5 + diff --git a/queue-5.15/arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch b/queue-5.15/arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch new file mode 100644 index 0000000000..ba8330c35f --- /dev/null +++ b/queue-5.15/arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch @@ -0,0 +1,41 @@ +From e8f8eaef2eda341097208d3037a554cf8e60c461 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 16:34:46 -0500 +Subject: arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed + +From: Adam Ford + +[ Upstream commit e16ad6c79906bba5e2ac499492b6a5b29ab19d6c ] + +The reference manual for the i.MX8MN states the clock rate in +MMC mode is 1/2 of the input clock, therefore to properly run +at HS400 rates, the input clock must be 400MHz to operate at +200MHz. Currently the clock is set to 200MHz which is half the +rate it should be, so the throughput is half of what it should be +for HS400 operation. + +Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit") +Signed-off-by: Adam Ford +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi +index 4c339b06c87e..d197319e3b58 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi +@@ -296,6 +296,8 @@ &usdhc3 { + pinctrl-0 = <&pinctrl_usdhc3>; + pinctrl-1 = <&pinctrl_usdhc3_100mhz>; + pinctrl-2 = <&pinctrl_usdhc3_200mhz>; ++ assigned-clocks = <&clk IMX8MN_CLK_USDHC3>; ++ assigned-clock-rates = <400000000>; + bus-width = <8>; + non-removable; + status = "okay"; +-- +2.39.5 + diff --git a/queue-5.15/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch b/queue-5.15/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch new file mode 100644 index 0000000000..7940bd0a2d --- /dev/null +++ b/queue-5.15/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch @@ -0,0 +1,79 @@ +From 2929e40d5f510a13c50aeab753ad476b7015cbc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 11:30:53 +0200 +Subject: ASoC: ops: dynamically allocate struct snd_ctl_elem_value + +From: Arnd Bergmann + +[ Upstream commit 7e10d7242ea8a5947878880b912ffa5806520705 ] + +This structure is really too larget to be allocated on the stack: + +sound/soc/soc-ops.c:435:5: error: stack frame size (1296) exceeds limit (1280) in 'snd_soc_limit_volume' [-Werror,-Wframe-larger-than] + +Change the function to dynamically allocate it instead. + +There is probably a better way to do it since only two integer fields +inside of that structure are actually used, but this is the simplest +rework for the moment. + +Fixes: 783db6851c18 ("ASoC: ops: Enforce platform maximum on initial value") +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20250610093057.2643233-1-arnd@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-ops.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c +index 9eb4181c6697..7cb3a3f9d3ae 100644 +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -624,28 +624,32 @@ EXPORT_SYMBOL_GPL(snd_soc_get_volsw_range); + static int snd_soc_clip_to_platform_max(struct snd_kcontrol *kctl) + { + struct soc_mixer_control *mc = (struct soc_mixer_control *)kctl->private_value; +- struct snd_ctl_elem_value uctl; ++ struct snd_ctl_elem_value *uctl; + int ret; + + if (!mc->platform_max) + return 0; + +- ret = kctl->get(kctl, &uctl); ++ uctl = kzalloc(sizeof(*uctl), GFP_KERNEL); ++ if (!uctl) ++ return -ENOMEM; ++ ++ ret = kctl->get(kctl, uctl); + if (ret < 0) +- return ret; ++ goto out; + +- if (uctl.value.integer.value[0] > mc->platform_max) +- uctl.value.integer.value[0] = mc->platform_max; ++ if (uctl->value.integer.value[0] > mc->platform_max) ++ uctl->value.integer.value[0] = mc->platform_max; + + if (snd_soc_volsw_is_stereo(mc) && +- uctl.value.integer.value[1] > mc->platform_max) +- uctl.value.integer.value[1] = mc->platform_max; ++ uctl->value.integer.value[1] > mc->platform_max) ++ uctl->value.integer.value[1] = mc->platform_max; + +- ret = kctl->put(kctl, &uctl); +- if (ret < 0) +- return ret; ++ ret = kctl->put(kctl, uctl); + +- return 0; ++out: ++ kfree(uctl); ++ return ret; + } + + /** +-- +2.39.5 + diff --git a/queue-5.15/asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch b/queue-5.15/asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch new file mode 100644 index 0000000000..df7ebe028f --- /dev/null +++ b/queue-5.15/asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch @@ -0,0 +1,88 @@ +From 92a3bd05a17328acb777cfe823a918d2bc0d31b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 01:59:15 +0000 +Subject: ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kuninori Morimoto + +[ Upstream commit f4c77d5af0a9cd0ee22617baa8b49d0e151fbda7 ] + +commit 7f1186a8d738661 ("ASoC: soc-dai: check return value at +snd_soc_dai_set_tdm_slot()") checks return value of +xlate_tdm_slot_mask() (A1)(A2). + + /* + * ... +(Y) * TDM mode can be disabled by passing 0 for @slots. In this case @tx_mask, + * @rx_mask and @slot_width will be ignored. + * ... + */ + int snd_soc_dai_set_tdm_slot(...) + { + ... + if (...) +(A1) ret = dai->driver->ops->xlate_tdm_slot_mask(...); + else +(A2) ret = snd_soc_xlate_tdm_slot_mask(...); + if (ret) + goto err; + ... + } + +snd_soc_xlate_tdm_slot_mask() (A2) will return -EINVAL if slots was 0 (X), +but snd_soc_dai_set_tdm_slot() allow to use it (Y). + +(A) static int snd_soc_xlate_tdm_slot_mask(...) + { + ... + if (!slots) +(X) return -EINVAL; + ... + } + +Call xlate_tdm_slot_mask() only if slots was non zero. + +Reported-by: Giedrius Trainavičius +Closes: https://lore.kernel.org/r/CAMONXLtSL7iKyvH6w=CzPTxQdBECf++hn8RKL6Y4=M_ou2YHow@mail.gmail.com +Fixes: 7f1186a8d738661 ("ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()") +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/8734cdfx59.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dai.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c +index 05a9404544de..8165f5537043 100644 +--- a/sound/soc/soc-dai.c ++++ b/sound/soc/soc-dai.c +@@ -269,13 +269,15 @@ int snd_soc_dai_set_tdm_slot(struct snd_soc_dai *dai, + { + int ret = -ENOTSUPP; + +- if (dai->driver->ops && +- dai->driver->ops->xlate_tdm_slot_mask) +- ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask); +- else +- ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask); +- if (ret) +- goto err; ++ if (slots) { ++ if (dai->driver->ops && ++ dai->driver->ops->xlate_tdm_slot_mask) ++ ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask); ++ else ++ ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask); ++ if (ret) ++ goto err; ++ } + + dai->tx_mask = tx_mask; + dai->rx_mask = rx_mask; +-- +2.39.5 + diff --git a/queue-5.15/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch b/queue-5.15/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch new file mode 100644 index 0000000000..686f44f257 --- /dev/null +++ b/queue-5.15/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch @@ -0,0 +1,48 @@ +From 4fe279617a2e0ba1bbdb08159c5537f711db4c57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 11:47:23 +0200 +Subject: bpf: Check flow_dissector ctx accesses are aligned + +From: Paul Chaignon + +[ Upstream commit ead3d7b2b6afa5ee7958620c4329982a7d9c2b78 ] + +flow_dissector_is_valid_access doesn't check that the context access is +aligned. As a consequence, an unaligned access within one of the exposed +field is considered valid and later rejected by +flow_dissector_convert_ctx_access when we try to convert it. + +The later rejection is problematic because it's reported as a verifier +bug with a kernel warning and doesn't point to the right instruction in +verifier logs. + +Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") +Reported-by: syzbot+ccac90e482b2a81d74aa@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=ccac90e482b2a81d74aa +Signed-off-by: Paul Chaignon +Acked-by: Yonghong Song +Acked-by: Eduard Zingerman +Link: https://lore.kernel.org/r/cc1b036be484c99be45eddf48bd78cc6f72839b1.1754039605.git.paul.chaignon@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 169d9ba4e7a0..f346f19cf468 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -8764,6 +8764,9 @@ static bool flow_dissector_is_valid_access(int off, int size, + if (off < 0 || off >= sizeof(struct __sk_buff)) + return false; + ++ if (off % size != 0) ++ return false; ++ + if (type == BPF_WRITE) + return false; + +-- +2.39.5 + diff --git a/queue-5.15/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch b/queue-5.15/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch new file mode 100644 index 0000000000..0ba4f23936 --- /dev/null +++ b/queue-5.15/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch @@ -0,0 +1,59 @@ +From 1b90224fac7a7963fd4c2ec1884ff48da345c330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 10:08:52 +0800 +Subject: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls + +From: Jiayuan Chen + +[ Upstream commit 178f6a5c8cb3b6be1602de0964cd440243f493c9 ] + +When sending plaintext data, we initially calculated the corresponding +ciphertext length. However, if we later reduced the plaintext data length +via socket policy, we failed to recalculate the ciphertext length. + +This results in transmitting buffers containing uninitialized data during +ciphertext transmission. + +This causes uninitialized bytes to be appended after a complete +"Application Data" packet, leading to errors on the receiving end when +parsing TLS record. + +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Reported-by: Cong Wang +Signed-off-by: Jiayuan Chen +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Acked-by: Jakub Kicinski +Link: https://lore.kernel.org/bpf/20250609020910.397930-2-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 6648008f5da7..6b0fd0e5fc88 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -857,6 +857,19 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + delta = msg->sg.size; + psock->eval = sk_psock_msg_verdict(sk, psock, msg); + delta -= msg->sg.size; ++ ++ if ((s32)delta > 0) { ++ /* It indicates that we executed bpf_msg_pop_data(), ++ * causing the plaintext data size to decrease. ++ * Therefore the encrypted data size also needs to ++ * correspondingly decrease. We only need to subtract ++ * delta to calculate the new ciphertext length since ++ * ktls does not support block encryption. ++ */ ++ struct sk_msg *enc = &ctx->open_rec->msg_encrypted; ++ ++ sk_msg_trim(sk, enc, enc->sg.size - delta); ++ } + } + if (msg->cork_bytes && msg->cork_bytes > msg->sg.size && + !enospc && !full_record) { +-- +2.39.5 + diff --git a/queue-5.15/bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch b/queue-5.15/bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch new file mode 100644 index 0000000000..521611ec31 --- /dev/null +++ b/queue-5.15/bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch @@ -0,0 +1,82 @@ +From 54d6733c4fed60a6c0f1ef2863a12099a0e115b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 10:59:08 +0800 +Subject: bpf, sockmap: Fix psock incorrectly pointing to sk + +From: Jiayuan Chen + +[ Upstream commit 76be5fae32febb1fdb848ba09f78c4b2c76cb337 ] + +We observed an issue from the latest selftest: sockmap_redir where +sk_psock(psock->sk) != psock in the backlog. The root cause is the special +behavior in sockmap_redir - it frequently performs map_update() and +map_delete() on the same socket. During map_update(), we create a new +psock and during map_delete(), we eventually free the psock via rcu_work +in sk_psock_drop(). However, pending workqueues might still exist and not +be processed yet. If users immediately perform another map_update(), a new +psock will be allocated for the same sk, resulting in two psocks pointing +to the same sk. + +When the pending workqueue is later triggered, it uses the old psock to +access sk for I/O operations, which is incorrect. + +Timing Diagram: + +cpu0 cpu1 + +map_update(sk): + sk->psock = psock1 + psock1->sk = sk +map_delete(sk): + rcu_work_free(psock1) + +map_update(sk): + sk->psock = psock2 + psock2->sk = sk + workqueue: + wakeup with psock1, but the sk of psock1 + doesn't belong to psock1 +rcu_handler: + clean psock1 + free(psock1) + +Previously, we used reference counting to address the concurrency issue +between backlog and sock_map_close(). This logic remains necessary as it +prevents the sk from being freed while processing the backlog. But this +patch prevents pending backlogs from using a psock after it has been +stopped. + +Note: We cannot call cancel_delayed_work_sync() in map_delete() since this +might be invoked in BPF context by BPF helper, and the function may sleep. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: Jiayuan Chen +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/bpf/20250609025908.79331-1-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 1d7cf920bf4e..68e5fd7aa128 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -648,6 +648,13 @@ static void sk_psock_backlog(struct work_struct *work) + bool ingress; + int ret; + ++ /* If sk is quickly removed from the map and then added back, the old ++ * psock should not be scheduled, because there are now two psocks ++ * pointing to the same sk. ++ */ ++ if (!sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) ++ return; ++ + /* Increment the psock refcnt to synchronize with close(fd) path in + * sock_map_close(), ensuring we wait for backlog thread completion + * before sk_socket freed. If refcnt increment fails, it indicates +-- +2.39.5 + diff --git a/queue-5.15/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch b/queue-5.15/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch new file mode 100644 index 0000000000..3408f84420 --- /dev/null +++ b/queue-5.15/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch @@ -0,0 +1,77 @@ +From fb090b26afb166692d63978e7664d547971e1963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:21:33 +0800 +Subject: bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure + +From: Yuan Chen + +[ Upstream commit 99fe8af069a9fa5b09140518b1364e35713a642e ] + +In function dump_xx_nlmsg(), when realloc() fails to allocate memory, +the original pointer to the buffer is overwritten with NULL. This causes +a memory leak because the previously allocated buffer becomes unreachable +without being freed. + +Fixes: 7900efc19214 ("tools/bpf: bpftool: improve output format for bpftool net") +Signed-off-by: Yuan Chen +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/r/20250620012133.14819-1-chenyuan_fl@163.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/net.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c +index 649053704bd7..18e5e5faa2aa 100644 +--- a/tools/bpf/bpftool/net.c ++++ b/tools/bpf/bpftool/net.c +@@ -353,17 +353,18 @@ static int dump_link_nlmsg(void *cookie, void *msg, struct nlattr **tb) + { + struct bpf_netdev_t *netinfo = cookie; + struct ifinfomsg *ifinfo = msg; ++ struct ip_devname_ifindex *tmp; + + if (netinfo->filter_idx > 0 && netinfo->filter_idx != ifinfo->ifi_index) + return 0; + + if (netinfo->used_len == netinfo->array_len) { +- netinfo->devices = realloc(netinfo->devices, +- (netinfo->array_len + 16) * +- sizeof(struct ip_devname_ifindex)); +- if (!netinfo->devices) ++ tmp = realloc(netinfo->devices, ++ (netinfo->array_len + 16) * sizeof(struct ip_devname_ifindex)); ++ if (!tmp) + return -ENOMEM; + ++ netinfo->devices = tmp; + netinfo->array_len += 16; + } + netinfo->devices[netinfo->used_len].ifindex = ifinfo->ifi_index; +@@ -382,6 +383,7 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb) + { + struct bpf_tcinfo_t *tcinfo = cookie; + struct tcmsg *info = msg; ++ struct tc_kind_handle *tmp; + + if (tcinfo->is_qdisc) { + /* skip clsact qdisc */ +@@ -393,11 +395,12 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb) + } + + if (tcinfo->used_len == tcinfo->array_len) { +- tcinfo->handle_array = realloc(tcinfo->handle_array, ++ tmp = realloc(tcinfo->handle_array, + (tcinfo->array_len + 16) * sizeof(struct tc_kind_handle)); +- if (!tcinfo->handle_array) ++ if (!tmp) + return -ENOMEM; + ++ tcinfo->handle_array = tmp; + tcinfo->array_len += 16; + } + tcinfo->handle_array[tcinfo->used_len].handle = info->tcm_handle; +-- +2.39.5 + diff --git a/queue-5.15/caif-reduce-stack-size-again.patch b/queue-5.15/caif-reduce-stack-size-again.patch new file mode 100644 index 0000000000..1535e6b8e4 --- /dev/null +++ b/queue-5.15/caif-reduce-stack-size-again.patch @@ -0,0 +1,359 @@ +From 4d379bac8daeb8dae82d3d31e473ffa4ad561453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:22:39 +0200 +Subject: caif: reduce stack size, again + +From: Arnd Bergmann + +[ Upstream commit b630c781bcf6ff87657146661816d0d30a902139 ] + +I tried to fix the stack usage in this function a couple of years ago, +but there is still a problem with the latest gcc versions in some +configurations: + +net/caif/cfctrl.c:553:1: error: the frame size of 1296 bytes is larger than 1280 bytes [-Werror=frame-larger-than=] + +Reduce this once again, with a separate cfctrl_link_setup() function that +holds the bulk of all the local variables. It also turns out that the +param[] array that takes up a large portion of the stack is write-only +and can be left out here. + +Fixes: ce6289661b14 ("caif: reduce stack size with KASAN") +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20250620112244.3425554-1-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/caif/cfctrl.c | 294 +++++++++++++++++++++++----------------------- + 1 file changed, 144 insertions(+), 150 deletions(-) + +diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c +index d8cb4b2a076b..3eec293ab22f 100644 +--- a/net/caif/cfctrl.c ++++ b/net/caif/cfctrl.c +@@ -351,17 +351,154 @@ int cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer) + return found; + } + ++static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp) ++{ ++ u8 len; ++ u8 linkid = 0; ++ enum cfctrl_srv serv; ++ enum cfctrl_srv servtype; ++ u8 endpoint; ++ u8 physlinkid; ++ u8 prio; ++ u8 tmp; ++ u8 *cp; ++ int i; ++ struct cfctrl_link_param linkparam; ++ struct cfctrl_request_info rsp, *req; ++ ++ memset(&linkparam, 0, sizeof(linkparam)); ++ ++ tmp = cfpkt_extr_head_u8(pkt); ++ ++ serv = tmp & CFCTRL_SRV_MASK; ++ linkparam.linktype = serv; ++ ++ servtype = tmp >> 4; ++ linkparam.chtype = servtype; ++ ++ tmp = cfpkt_extr_head_u8(pkt); ++ physlinkid = tmp & 0x07; ++ prio = tmp >> 3; ++ ++ linkparam.priority = prio; ++ linkparam.phyid = physlinkid; ++ endpoint = cfpkt_extr_head_u8(pkt); ++ linkparam.endpoint = endpoint & 0x03; ++ ++ switch (serv) { ++ case CFCTRL_SRV_VEI: ++ case CFCTRL_SRV_DBG: ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ break; ++ case CFCTRL_SRV_VIDEO: ++ tmp = cfpkt_extr_head_u8(pkt); ++ linkparam.u.video.connid = tmp; ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ break; ++ ++ case CFCTRL_SRV_DATAGRAM: ++ linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt); ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ break; ++ case CFCTRL_SRV_RFM: ++ /* Construct a frame, convert ++ * DatagramConnectionID ++ * to network format long and copy it out... ++ */ ++ linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt); ++ cp = (u8 *) linkparam.u.rfm.volume; ++ for (tmp = cfpkt_extr_head_u8(pkt); ++ cfpkt_more(pkt) && tmp != '\0'; ++ tmp = cfpkt_extr_head_u8(pkt)) ++ *cp++ = tmp; ++ *cp = '\0'; ++ ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ ++ break; ++ case CFCTRL_SRV_UTIL: ++ /* Construct a frame, convert ++ * DatagramConnectionID ++ * to network format long and copy it out... ++ */ ++ /* Fifosize KB */ ++ linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt); ++ /* Fifosize bufs */ ++ linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt); ++ /* name */ ++ cp = (u8 *) linkparam.u.utility.name; ++ caif_assert(sizeof(linkparam.u.utility.name) ++ >= UTILITY_NAME_LENGTH); ++ for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) { ++ tmp = cfpkt_extr_head_u8(pkt); ++ *cp++ = tmp; ++ } ++ /* Length */ ++ len = cfpkt_extr_head_u8(pkt); ++ linkparam.u.utility.paramlen = len; ++ /* Param Data */ ++ cp = linkparam.u.utility.params; ++ while (cfpkt_more(pkt) && len--) { ++ tmp = cfpkt_extr_head_u8(pkt); ++ *cp++ = tmp; ++ } ++ if (CFCTRL_ERR_BIT & cmdrsp) ++ break; ++ /* Link ID */ ++ linkid = cfpkt_extr_head_u8(pkt); ++ /* Length */ ++ len = cfpkt_extr_head_u8(pkt); ++ /* Param Data */ ++ cfpkt_extr_head(pkt, NULL, len); ++ break; ++ default: ++ pr_warn("Request setup, invalid type (%d)\n", serv); ++ return -1; ++ } ++ ++ rsp.cmd = CFCTRL_CMD_LINK_SETUP; ++ rsp.param = linkparam; ++ spin_lock_bh(&cfctrl->info_list_lock); ++ req = cfctrl_remove_req(cfctrl, &rsp); ++ ++ if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) || ++ cfpkt_erroneous(pkt)) { ++ pr_err("Invalid O/E bit or parse error " ++ "on CAIF control channel\n"); ++ cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0, ++ req ? req->client_layer : NULL); ++ } else { ++ cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid, ++ serv, physlinkid, ++ req ? req->client_layer : NULL); ++ } ++ ++ kfree(req); ++ ++ spin_unlock_bh(&cfctrl->info_list_lock); ++ ++ return 0; ++} ++ + static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + { + u8 cmdrsp; + u8 cmd; +- int ret = -1; +- u8 len; +- u8 param[255]; ++ int ret = 0; + u8 linkid = 0; + struct cfctrl *cfctrl = container_obj(layer); +- struct cfctrl_request_info rsp, *req; +- + + cmdrsp = cfpkt_extr_head_u8(pkt); + cmd = cmdrsp & CFCTRL_CMD_MASK; +@@ -374,150 +511,7 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + + switch (cmd) { + case CFCTRL_CMD_LINK_SETUP: +- { +- enum cfctrl_srv serv; +- enum cfctrl_srv servtype; +- u8 endpoint; +- u8 physlinkid; +- u8 prio; +- u8 tmp; +- u8 *cp; +- int i; +- struct cfctrl_link_param linkparam; +- memset(&linkparam, 0, sizeof(linkparam)); +- +- tmp = cfpkt_extr_head_u8(pkt); +- +- serv = tmp & CFCTRL_SRV_MASK; +- linkparam.linktype = serv; +- +- servtype = tmp >> 4; +- linkparam.chtype = servtype; +- +- tmp = cfpkt_extr_head_u8(pkt); +- physlinkid = tmp & 0x07; +- prio = tmp >> 3; +- +- linkparam.priority = prio; +- linkparam.phyid = physlinkid; +- endpoint = cfpkt_extr_head_u8(pkt); +- linkparam.endpoint = endpoint & 0x03; +- +- switch (serv) { +- case CFCTRL_SRV_VEI: +- case CFCTRL_SRV_DBG: +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- break; +- case CFCTRL_SRV_VIDEO: +- tmp = cfpkt_extr_head_u8(pkt); +- linkparam.u.video.connid = tmp; +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- break; +- +- case CFCTRL_SRV_DATAGRAM: +- linkparam.u.datagram.connid = +- cfpkt_extr_head_u32(pkt); +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- break; +- case CFCTRL_SRV_RFM: +- /* Construct a frame, convert +- * DatagramConnectionID +- * to network format long and copy it out... +- */ +- linkparam.u.rfm.connid = +- cfpkt_extr_head_u32(pkt); +- cp = (u8 *) linkparam.u.rfm.volume; +- for (tmp = cfpkt_extr_head_u8(pkt); +- cfpkt_more(pkt) && tmp != '\0'; +- tmp = cfpkt_extr_head_u8(pkt)) +- *cp++ = tmp; +- *cp = '\0'; +- +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- +- break; +- case CFCTRL_SRV_UTIL: +- /* Construct a frame, convert +- * DatagramConnectionID +- * to network format long and copy it out... +- */ +- /* Fifosize KB */ +- linkparam.u.utility.fifosize_kb = +- cfpkt_extr_head_u16(pkt); +- /* Fifosize bufs */ +- linkparam.u.utility.fifosize_bufs = +- cfpkt_extr_head_u16(pkt); +- /* name */ +- cp = (u8 *) linkparam.u.utility.name; +- caif_assert(sizeof(linkparam.u.utility.name) +- >= UTILITY_NAME_LENGTH); +- for (i = 0; +- i < UTILITY_NAME_LENGTH +- && cfpkt_more(pkt); i++) { +- tmp = cfpkt_extr_head_u8(pkt); +- *cp++ = tmp; +- } +- /* Length */ +- len = cfpkt_extr_head_u8(pkt); +- linkparam.u.utility.paramlen = len; +- /* Param Data */ +- cp = linkparam.u.utility.params; +- while (cfpkt_more(pkt) && len--) { +- tmp = cfpkt_extr_head_u8(pkt); +- *cp++ = tmp; +- } +- if (CFCTRL_ERR_BIT & cmdrsp) +- break; +- /* Link ID */ +- linkid = cfpkt_extr_head_u8(pkt); +- /* Length */ +- len = cfpkt_extr_head_u8(pkt); +- /* Param Data */ +- cfpkt_extr_head(pkt, ¶m, len); +- break; +- default: +- pr_warn("Request setup, invalid type (%d)\n", +- serv); +- goto error; +- } +- +- rsp.cmd = cmd; +- rsp.param = linkparam; +- spin_lock_bh(&cfctrl->info_list_lock); +- req = cfctrl_remove_req(cfctrl, &rsp); +- +- if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) || +- cfpkt_erroneous(pkt)) { +- pr_err("Invalid O/E bit or parse error " +- "on CAIF control channel\n"); +- cfctrl->res.reject_rsp(cfctrl->serv.layer.up, +- 0, +- req ? req->client_layer +- : NULL); +- } else { +- cfctrl->res.linksetup_rsp(cfctrl->serv. +- layer.up, linkid, +- serv, physlinkid, +- req ? req-> +- client_layer : NULL); +- } +- +- kfree(req); +- +- spin_unlock_bh(&cfctrl->info_list_lock); +- } ++ ret = cfctrl_link_setup(cfctrl, pkt, cmdrsp); + break; + case CFCTRL_CMD_LINK_DESTROY: + linkid = cfpkt_extr_head_u8(pkt); +@@ -544,9 +538,9 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt) + break; + default: + pr_err("Unrecognized Control Frame\n"); ++ ret = -1; + goto error; + } +- ret = 0; + error: + cfpkt_destroy(pkt); + return ret; +-- +2.39.5 + diff --git a/queue-5.15/can-kvaser_pciefd-store-device-channel-index.patch b/queue-5.15/can-kvaser_pciefd-store-device-channel-index.patch new file mode 100644 index 0000000000..71ac02a8e5 --- /dev/null +++ b/queue-5.15/can-kvaser_pciefd-store-device-channel-index.patch @@ -0,0 +1,36 @@ +From 9f863a0eb822f4bb0d1a1c7e54eb75946f110235 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:32:25 +0200 +Subject: can: kvaser_pciefd: Store device channel index + +From: Jimmy Assarsson + +[ Upstream commit d54b16b40ddadb7d0a77fff48af7b319a0cd6aae ] + +Store device channel index in netdev.dev_port. + +Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") +Reviewed-by: Vincent Mailhol +Signed-off-by: Jimmy Assarsson +Link: https://patch.msgid.link/20250725123230.8-6-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/kvaser_pciefd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c +index 26bc8c7ad75b..23c6632319a1 100644 +--- a/drivers/net/can/kvaser_pciefd.c ++++ b/drivers/net/can/kvaser_pciefd.c +@@ -955,6 +955,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) + can->err_rep_cnt = 0; + can->bec.txerr = 0; + can->bec.rxerr = 0; ++ can->can.dev->dev_port = i; + + init_completion(&can->start_comp); + init_completion(&can->flush_comp); +-- +2.39.5 + diff --git a/queue-5.15/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch b/queue-5.15/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch new file mode 100644 index 0000000000..ca9524af1e --- /dev/null +++ b/queue-5.15/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch @@ -0,0 +1,39 @@ +From 0938b88dece1fc72bf39837bc94a49d7d3a79ac5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:34:44 +0200 +Subject: can: kvaser_usb: Assign netdev.dev_port based on device channel index + +From: Jimmy Assarsson + +[ Upstream commit c151b06a087a61c7a1790b75ee2f1d6edb6a8a45 ] + +Assign netdev.dev_port based on the device channel index, to indicate the +port number of the network device. +While this driver already uses netdev.dev_id for that purpose, dev_port is +more appropriate. However, retain dev_id to avoid potential regressions. + +Fixes: 3e66d0138c05 ("can: populate netdev::dev_id for udev discrimination") +Reviewed-by: Vincent Mailhol +Signed-off-by: Jimmy Assarsson +Link: https://patch.msgid.link/20250725123452.41-4-extja@kvaser.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +index f6cb5ba61ac9..d5f119f607ef 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +@@ -838,6 +838,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel) + + SET_NETDEV_DEV(netdev, &dev->intf->dev); + netdev->dev_id = channel; ++ netdev->dev_port = channel; + + dev->nets[channel] = priv; + +-- +2.39.5 + diff --git a/queue-5.15/clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch b/queue-5.15/clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch new file mode 100644 index 0000000000..87d61c8c5e --- /dev/null +++ b/queue-5.15/clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch @@ -0,0 +1,43 @@ +From 7c9757e2b346d8b6a80963d773c9457ca6f961f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 16:41:06 +0100 +Subject: clk: clk-axi-clkgen: fix fpfd_max frequency for zynq +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit ce8a9096699500e2c5bca09dde27b16edda5f636 ] + +The fpfd_max frequency should be set to 450 MHz instead of 300 MHz. +Well, it actually depends on the platform speed grade but we are being +conservative for ultrascale so let's be consistent. In a following +change we will set these limits at runtime. + +Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20250519-dev-axi-clkgen-limits-v6-1-bc4b3b61d1d4@analog.com +Reviewed-by: David Lechner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-axi-clkgen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-axi-clkgen.c b/drivers/clk/clk-axi-clkgen.c +index bb5cd9d38993..df9a4c778351 100644 +--- a/drivers/clk/clk-axi-clkgen.c ++++ b/drivers/clk/clk-axi-clkgen.c +@@ -118,7 +118,7 @@ static const struct axi_clkgen_limits axi_clkgen_zynqmp_default_limits = { + + static const struct axi_clkgen_limits axi_clkgen_zynq_default_limits = { + .fpfd_min = 10000, +- .fpfd_max = 300000, ++ .fpfd_max = 450000, + .fvco_min = 600000, + .fvco_max = 1200000, + }; +-- +2.39.5 + diff --git a/queue-5.15/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch b/queue-5.15/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch new file mode 100644 index 0000000000..b082a28f4d --- /dev/null +++ b/queue-5.15/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch @@ -0,0 +1,45 @@ +From e0018b8df337fa80761eef77a9394b0ba3c0be1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 21:13:41 +0800 +Subject: clk: davinci: Add NULL check in davinci_lpsc_clk_register() + +From: Henry Martin + +[ Upstream commit 13de464f445d42738fe18c9a28bab056ba3a290a ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +davinci_lpsc_clk_register() does not check for this case, which results +in a NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue and ensuring +no resources are left allocated. + +Fixes: c6ed4d734bc7 ("clk: davinci: New driver for davinci PSC clocks") +Signed-off-by: Henry Martin +Link: https://lore.kernel.org/r/20250401131341.26800-1-bsdhenrymartin@gmail.com +Reviewed-by: David Lechner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/davinci/psc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/clk/davinci/psc.c b/drivers/clk/davinci/psc.c +index 7387e7f6276e..4e1abfc1e564 100644 +--- a/drivers/clk/davinci/psc.c ++++ b/drivers/clk/davinci/psc.c +@@ -278,6 +278,11 @@ davinci_lpsc_clk_register(struct device *dev, const char *name, + + lpsc->pm_domain.name = devm_kasprintf(dev, GFP_KERNEL, "%s: %s", + best_dev_name(dev), name); ++ if (!lpsc->pm_domain.name) { ++ clk_hw_unregister(&lpsc->hw); ++ kfree(lpsc); ++ return ERR_PTR(-ENOMEM); ++ } + lpsc->pm_domain.attach_dev = davinci_psc_genpd_attach_dev; + lpsc->pm_domain.detach_dev = davinci_psc_genpd_detach_dev; + lpsc->pm_domain.flags = GENPD_FLAG_PM_CLK; +-- +2.39.5 + diff --git a/queue-5.15/clk-sunxi-ng-v3s-fix-de-clock-definition.patch b/queue-5.15/clk-sunxi-ng-v3s-fix-de-clock-definition.patch new file mode 100644 index 0000000000..1422429b7d --- /dev/null +++ b/queue-5.15/clk-sunxi-ng-v3s-fix-de-clock-definition.patch @@ -0,0 +1,44 @@ +From 9d80adf0c2564fb0da6754a18cbb2240e72477dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 17:40:07 +0200 +Subject: clk: sunxi-ng: v3s: Fix de clock definition + +From: Paul Kocialkowski + +[ Upstream commit e8ab346f9907a1a3aa2f0e5decf849925c06ae2e ] + +The de clock is marked with CLK_SET_RATE_PARENT, which is really not +necessary (as confirmed from experimentation) and significantly +restricts flexibility for other clocks using the same parent. + +In addition the source selection (parent) field is marked as using +2 bits, when it the documentation reports that it uses 3. + +Fix both issues in the de clock definition. + +Fixes: d0f11d14b0bc ("clk: sunxi-ng: add support for V3s CCU") +Signed-off-by: Paul Kocialkowski +Link: https://patch.msgid.link/20250704154008.3463257-1-paulk@sys-base.io +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c +index ce150f83ab54..2501de774874 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c ++++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c +@@ -345,8 +345,7 @@ static SUNXI_CCU_GATE(dram_ohci_clk, "dram-ohci", "dram", + + static const char * const de_parents[] = { "pll-video", "pll-periph0" }; + static SUNXI_CCU_M_WITH_MUX_GATE(de_clk, "de", de_parents, +- 0x104, 0, 4, 24, 2, BIT(31), +- CLK_SET_RATE_PARENT); ++ 0x104, 0, 4, 24, 3, BIT(31), 0); + + static const char * const tcon_parents[] = { "pll-video" }; + static SUNXI_CCU_M_WITH_MUX_GATE(tcon_clk, "tcon", tcon_parents, +-- +2.39.5 + diff --git a/queue-5.15/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch b/queue-5.15/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch new file mode 100644 index 0000000000..df57585b74 --- /dev/null +++ b/queue-5.15/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch @@ -0,0 +1,50 @@ +From 6f1bb230ab6e07e1f307eea9e13c8e219d76f172 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 03:36:13 -0800 +Subject: clk: xilinx: vcu: unregister pll_post only if registered correctly + +From: Rohit Visavalia + +[ Upstream commit 3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d ] + +If registration of pll_post is failed, it will be set to NULL or ERR, +unregistering same will fail with following call trace: + +Unable to handle kernel NULL pointer dereference at virtual address 008 +pc : clk_hw_unregister+0xc/0x20 +lr : clk_hw_unregister_fixed_factor+0x18/0x30 +sp : ffff800011923850 +... +Call trace: + clk_hw_unregister+0xc/0x20 + clk_hw_unregister_fixed_factor+0x18/0x30 + xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu] + xvcu_probe+0x2bc/0x53c [xlnx_vcu] + +Fixes: 4472e1849db7 ("soc: xilinx: vcu: make pll post divider explicit") +Signed-off-by: Rohit Visavalia +Link: https://lore.kernel.org/r/20250210113614.4149050-2-rohit.visavalia@amd.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/xilinx/xlnx_vcu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/xilinx/xlnx_vcu.c b/drivers/clk/xilinx/xlnx_vcu.c +index d66b1315114e..292d50ba0112 100644 +--- a/drivers/clk/xilinx/xlnx_vcu.c ++++ b/drivers/clk/xilinx/xlnx_vcu.c +@@ -587,8 +587,8 @@ static void xvcu_unregister_clock_provider(struct xvcu_device *xvcu) + xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_MCU]); + if (!IS_ERR_OR_NULL(hws[CLK_XVCU_ENC_CORE])) + xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_CORE]); +- +- clk_hw_unregister_fixed_factor(xvcu->pll_post); ++ if (!IS_ERR_OR_NULL(xvcu->pll_post)) ++ clk_hw_unregister_fixed_factor(xvcu->pll_post); + } + + /** +-- +2.39.5 + diff --git a/queue-5.15/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch b/queue-5.15/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch new file mode 100644 index 0000000000..9273393630 --- /dev/null +++ b/queue-5.15/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch @@ -0,0 +1,49 @@ +From 9648caa3d351a8c54cc2140223bbf3594e709b71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:41:43 +0800 +Subject: cpufreq: Init policy->rwsem before it may be possibly used + +From: Lifeng Zheng + +[ Upstream commit d1378d1d7edb3a4c4935a44fe834ae135be03564 ] + +In cpufreq_policy_put_kobj(), policy->rwsem is used. But in +cpufreq_policy_alloc(), if freq_qos_add_notifier() returns an error, error +path via err_kobj_remove or err_min_qos_notifier will be reached and +cpufreq_policy_put_kobj() will be called before policy->rwsem is +initialized. Thus, the calling of init_rwsem() should be moved to where +before these two error paths can be reached. + +Fixes: 67d874c3b2c6 ("cpufreq: Register notifiers with the PM QoS framework") +Signed-off-by: Lifeng Zheng +Link: https://patch.msgid.link/20250709104145.2348017-3-zhenglifeng1@huawei.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 7d7158fa70c5..33c080e08623 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1228,6 +1228,8 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu) + goto err_free_real_cpus; + } + ++ init_rwsem(&policy->rwsem); ++ + freq_constraints_init(&policy->constraints); + + policy->nb_min.notifier_call = cpufreq_notifier_min; +@@ -1250,7 +1252,6 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu) + } + + INIT_LIST_HEAD(&policy->policy_list); +- init_rwsem(&policy->rwsem); + spin_lock_init(&policy->transition_lock); + init_waitqueue_head(&policy->transition_wait); + INIT_WORK(&policy->update, handle_update); +-- +2.39.5 + diff --git a/queue-5.15/cpufreq-initialize-cpufreq-based-frequency-invarianc.patch b/queue-5.15/cpufreq-initialize-cpufreq-based-frequency-invarianc.patch new file mode 100644 index 0000000000..73577163f7 --- /dev/null +++ b/queue-5.15/cpufreq-initialize-cpufreq-based-frequency-invarianc.patch @@ -0,0 +1,63 @@ +From 8dc631f916fc8d75986f42bf04888d79310c1683 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:41:42 +0800 +Subject: cpufreq: Initialize cpufreq-based frequency-invariance later + +From: Lifeng Zheng + +[ Upstream commit 2a6c727387062a2ea79eb6cf5004820cb1b0afe2 ] + +The cpufreq-based invariance is enabled in cpufreq_register_driver(), +but never disabled after registration fails. Move the invariance +initialization to where all other initializations have been successfully +done to solve this problem. + +Fixes: 874f63531064 ("cpufreq: report whether cpufreq supports Frequency Invariance (FI)") +Signed-off-by: Lifeng Zheng +Link: https://patch.msgid.link/20250709104145.2348017-2-zhenglifeng1@huawei.com +[ rjw: New subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index bbb0cbb2eb8c..7d7158fa70c5 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2841,15 +2841,6 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) + cpufreq_driver = driver_data; + write_unlock_irqrestore(&cpufreq_driver_lock, flags); + +- /* +- * Mark support for the scheduler's frequency invariance engine for +- * drivers that implement target(), target_index() or fast_switch(). +- */ +- if (!cpufreq_driver->setpolicy) { +- static_branch_enable_cpuslocked(&cpufreq_freq_invariance); +- pr_debug("supports frequency invariance"); +- } +- + if (driver_data->setpolicy) + driver_data->flags |= CPUFREQ_CONST_LOOPS; + +@@ -2880,6 +2871,15 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) + hp_online = ret; + ret = 0; + ++ /* ++ * Mark support for the scheduler's frequency invariance engine for ++ * drivers that implement target(), target_index() or fast_switch(). ++ */ ++ if (!cpufreq_driver->setpolicy) { ++ static_branch_enable_cpuslocked(&cpufreq_freq_invariance); ++ pr_debug("supports frequency invariance"); ++ } ++ + pr_debug("driver %s up and running\n", driver_data->name); + goto out; + +-- +2.39.5 + diff --git a/queue-5.15/cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch b/queue-5.15/cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch new file mode 100644 index 0000000000..3505b0ffaa --- /dev/null +++ b/queue-5.15/cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch @@ -0,0 +1,51 @@ +From a4c4b380c938533d7e31c725e2927e61184911f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 20:19:19 +0200 +Subject: cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode + +From: Rafael J. Wysocki + +[ Upstream commit 1cefe495cacba5fb0417da3a75a1a76e3546d176 ] + +In the passive mode, intel_cpufreq_update_pstate() sets HWP_MIN_PERF in +accordance with the target frequency to ensure delivering adequate +performance, but it sets HWP_DESIRED_PERF to 0, so the processor has no +indication that the desired performance level is actually equal to the +floor one. This may cause it to choose a performance point way above +the desired level. + +Moreover, this is inconsistent with intel_cpufreq_adjust_perf() which +actually sets HWP_DESIRED_PERF in accordance with the target performance +value. + +Address this by adjusting intel_cpufreq_update_pstate() to pass +target_pstate as both the minimum and the desired performance levels +to intel_cpufreq_hwp_update(). + +Fixes: a365ab6b9dfb ("cpufreq: intel_pstate: Implement the ->adjust_perf() callback") +Signed-off-by: Rafael J. Wysocki +Tested-by: Shashank Balaji +Link: https://patch.msgid.link/6173276.lOV4Wx5bFT@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 4de71e772f51..9d7a4ef21077 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -2703,8 +2703,8 @@ static int intel_cpufreq_update_pstate(struct cpufreq_policy *policy, + int max_pstate = policy->strict_target ? + target_pstate : cpu->max_perf_ratio; + +- intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate, 0, +- fast_switch); ++ intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate, ++ target_pstate, fast_switch); + } else if (target_pstate != old_pstate) { + intel_cpufreq_perf_ctl_update(cpu, target_pstate, fast_switch); + } +-- +2.39.5 + diff --git a/queue-5.15/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch b/queue-5.15/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch new file mode 100644 index 0000000000..79fcd745d3 --- /dev/null +++ b/queue-5.15/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch @@ -0,0 +1,81 @@ +From 06925f578a522d75b8c746c6940a5d704cc61864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 14:54:18 +0800 +Subject: crypto: ccp - Fix crash when rebind ccp device for ccp.ko + +From: Mengbiao Xiong + +[ Upstream commit 181698af38d3f93381229ad89c09b5bd0496661a ] + +When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding +the ccp device causes the following crash: + +$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind +$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind + +[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 +[ 204.978026] #PF: supervisor write access in kernel mode +[ 204.979126] #PF: error_code(0x0002) - not-present page +[ 204.980226] PGD 0 P4D 0 +[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI +... +[ 204.997852] Call Trace: +[ 204.999074] +[ 205.000297] start_creating+0x9f/0x1c0 +[ 205.001533] debugfs_create_dir+0x1f/0x170 +[ 205.002769] ? srso_return_thunk+0x5/0x5f +[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] +[ 205.005241] ccp5_init+0x8b2/0x960 [ccp] +[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] +[ 205.007709] sp_init+0x5f/0x80 [ccp] +[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] +[ 205.010165] ? srso_return_thunk+0x5/0x5f +[ 205.011376] local_pci_probe+0x4f/0xb0 +[ 205.012584] pci_device_probe+0xdb/0x230 +[ 205.013810] really_probe+0xed/0x380 +[ 205.015024] __driver_probe_device+0x7e/0x160 +[ 205.016240] device_driver_attach+0x2f/0x60 +[ 205.017457] bind_store+0x7c/0xb0 +[ 205.018663] drv_attr_store+0x28/0x40 +[ 205.019868] sysfs_kf_write+0x5f/0x70 +[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 +[ 205.022267] vfs_write+0x308/0x440 +[ 205.023453] ksys_write+0x6d/0xe0 +[ 205.024616] __x64_sys_write+0x1e/0x30 +[ 205.025778] x64_sys_call+0x16ba/0x2150 +[ 205.026942] do_syscall_64+0x56/0x1e0 +[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 205.029276] RIP: 0033:0x7fbc36f10104 +[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5 + +This patch sets ccp_debugfs_dir to NULL after destroying it in +ccp5_debugfs_destroy, allowing the directory dentry to be +recreated when rebinding the ccp device. + +Tested on AMD Ryzen 7 1700X. + +Fixes: 3cdbe346ed3f ("crypto: ccp - Add debugfs entries for CCP information") +Signed-off-by: Mengbiao Xiong +Reviewed-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-debugfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/ccp/ccp-debugfs.c b/drivers/crypto/ccp/ccp-debugfs.c +index a1055554b47a..dc26bc22c91d 100644 +--- a/drivers/crypto/ccp/ccp-debugfs.c ++++ b/drivers/crypto/ccp/ccp-debugfs.c +@@ -319,5 +319,8 @@ void ccp5_debugfs_setup(struct ccp_device *ccp) + + void ccp5_debugfs_destroy(void) + { ++ mutex_lock(&ccp_debugfs_lock); + debugfs_remove_recursive(ccp_debugfs_dir); ++ ccp_debugfs_dir = NULL; ++ mutex_unlock(&ccp_debugfs_lock); + } +-- +2.39.5 + diff --git a/queue-5.15/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch b/queue-5.15/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..b62a583d67 --- /dev/null +++ b/queue-5.15/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,36 @@ +From 66d2c61851912475bf73ed29ae6e417c29b54300 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 11:16:22 +0200 +Subject: crypto: img-hash - Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 34b283636181ce02c52633551f594fec9876bec7 ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator") +Signed-off-by: Thomas Fourier +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/img-hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c +index 34b41cbcfa8d..28b75632d1d1 100644 +--- a/drivers/crypto/img-hash.c ++++ b/drivers/crypto/img-hash.c +@@ -436,7 +436,7 @@ static int img_hash_write_via_dma_stop(struct img_hash_dev *hdev) + struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req); + + if (ctx->flags & DRIVER_FLAGS_SG) +- dma_unmap_sg(hdev->dev, ctx->sg, ctx->dma_ct, DMA_TO_DEVICE); ++ dma_unmap_sg(hdev->dev, ctx->sg, 1, DMA_TO_DEVICE); + + return 0; + } +-- +2.39.5 + diff --git a/queue-5.15/crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch b/queue-5.15/crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..4391d1c91b --- /dev/null +++ b/queue-5.15/crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,50 @@ +From 9a178a9d569d11e1f721a6a0426b928b00fb9682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:29:26 +0200 +Subject: crypto: inside-secure - Fix `dma_unmap_sg()` nents value + +From: Thomas Fourier + +[ Upstream commit cb7fa6b6fc71e0c801e271aa498e2f19e6df2931 ] + +The `dma_unmap_sg()` functions should be called with the same nents as the +`dma_map_sg()`, not the value the map function returned. + +Fixes: c957f8b3e2e5 ("crypto: inside-secure - avoid unmapping DMA memory that was not mapped") +Signed-off-by: Thomas Fourier +Reviewed-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/inside-secure/safexcel_hash.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c +index 2124416742f8..de0a093d8f50 100644 +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -249,7 +249,9 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv, + safexcel_complete(priv, ring); + + if (sreq->nents) { +- dma_unmap_sg(priv->dev, areq->src, sreq->nents, DMA_TO_DEVICE); ++ dma_unmap_sg(priv->dev, areq->src, ++ sg_nents_for_len(areq->src, areq->nbytes), ++ DMA_TO_DEVICE); + sreq->nents = 0; + } + +@@ -497,7 +499,9 @@ static int safexcel_ahash_send_req(struct crypto_async_request *async, int ring, + DMA_FROM_DEVICE); + unmap_sg: + if (req->nents) { +- dma_unmap_sg(priv->dev, areq->src, req->nents, DMA_TO_DEVICE); ++ dma_unmap_sg(priv->dev, areq->src, ++ sg_nents_for_len(areq->src, areq->nbytes), ++ DMA_TO_DEVICE); + req->nents = 0; + } + cdesc_rollback: +-- +2.39.5 + diff --git a/queue-5.15/crypto-keembay-fix-dma_unmap_sg-nents-value.patch b/queue-5.15/crypto-keembay-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..056aef745f --- /dev/null +++ b/queue-5.15/crypto-keembay-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,63 @@ +From c594cdd93bda512097509328f1a9fa12c6305d2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 10:57:06 +0200 +Subject: crypto: keembay - Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 01951a7dc5ac1a37e5fb7d86ea7eb2dfbf96e8b6 ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 472b04444cd3 ("crypto: keembay - Add Keem Bay OCS HCU driver") +Signed-off-by: Thomas Fourier +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/keembay/keembay-ocs-hcu-core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/keembay/keembay-ocs-hcu-core.c b/drivers/crypto/keembay/keembay-ocs-hcu-core.c +index 0379dbf32a4c..6b46c37f00ae 100644 +--- a/drivers/crypto/keembay/keembay-ocs-hcu-core.c ++++ b/drivers/crypto/keembay/keembay-ocs-hcu-core.c +@@ -68,6 +68,7 @@ struct ocs_hcu_ctx { + * @sg_data_total: Total data in the SG list at any time. + * @sg_data_offset: Offset into the data of the current individual SG node. + * @sg_dma_nents: Number of sg entries mapped in dma_list. ++ * @nents: Number of entries in the scatterlist. + */ + struct ocs_hcu_rctx { + struct ocs_hcu_dev *hcu_dev; +@@ -91,6 +92,7 @@ struct ocs_hcu_rctx { + unsigned int sg_data_total; + unsigned int sg_data_offset; + unsigned int sg_dma_nents; ++ unsigned int nents; + }; + + /** +@@ -199,7 +201,7 @@ static void kmb_ocs_hcu_dma_cleanup(struct ahash_request *req, + + /* Unmap req->src (if mapped). */ + if (rctx->sg_dma_nents) { +- dma_unmap_sg(dev, req->src, rctx->sg_dma_nents, DMA_TO_DEVICE); ++ dma_unmap_sg(dev, req->src, rctx->nents, DMA_TO_DEVICE); + rctx->sg_dma_nents = 0; + } + +@@ -260,6 +262,10 @@ static int kmb_ocs_dma_prepare(struct ahash_request *req) + rc = -ENOMEM; + goto cleanup; + } ++ ++ /* Save the value of nents to pass to dma_unmap_sg. */ ++ rctx->nents = nents; ++ + /* + * The value returned by dma_map_sg() can be < nents; so update + * nents accordingly. +-- +2.39.5 + diff --git a/queue-5.15/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch b/queue-5.15/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch new file mode 100644 index 0000000000..7ed7237909 --- /dev/null +++ b/queue-5.15/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch @@ -0,0 +1,75 @@ +From 7d68702a6b48f026b75c26187eeb71e6b14d1496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 20:41:28 +0800 +Subject: crypto: marvell/cesa - Fix engine load inaccuracy + +From: Herbert Xu + +[ Upstream commit 442134ab30e75b7229c4bfc1ac5641d245cffe27 ] + +If an error occurs during queueing the engine load will never be +decremented. Fix this by moving the engine load adjustment into +the cleanup function. + +Fixes: bf8f91e71192 ("crypto: marvell - Add load balancing between engines") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/cipher.c | 4 +++- + drivers/crypto/marvell/cesa/hash.c | 5 +++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c +index 3876e3ce822f..eabed9d977df 100644 +--- a/drivers/crypto/marvell/cesa/cipher.c ++++ b/drivers/crypto/marvell/cesa/cipher.c +@@ -75,9 +75,12 @@ mv_cesa_skcipher_dma_cleanup(struct skcipher_request *req) + static inline void mv_cesa_skcipher_cleanup(struct skcipher_request *req) + { + struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req); ++ struct mv_cesa_engine *engine = creq->base.engine; + + if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) + mv_cesa_skcipher_dma_cleanup(req); ++ ++ atomic_sub(req->cryptlen, &engine->load); + } + + static void mv_cesa_skcipher_std_step(struct skcipher_request *req) +@@ -212,7 +215,6 @@ mv_cesa_skcipher_complete(struct crypto_async_request *req) + struct mv_cesa_engine *engine = creq->base.engine; + unsigned int ivsize; + +- atomic_sub(skreq->cryptlen, &engine->load); + ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(skreq)); + + if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) { +diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c +index 72b0f863dee0..66ebe26e59cb 100644 +--- a/drivers/crypto/marvell/cesa/hash.c ++++ b/drivers/crypto/marvell/cesa/hash.c +@@ -110,9 +110,12 @@ static inline void mv_cesa_ahash_dma_cleanup(struct ahash_request *req) + static inline void mv_cesa_ahash_cleanup(struct ahash_request *req) + { + struct mv_cesa_ahash_req *creq = ahash_request_ctx(req); ++ struct mv_cesa_engine *engine = creq->base.engine; + + if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) + mv_cesa_ahash_dma_cleanup(req); ++ ++ atomic_sub(req->nbytes, &engine->load); + } + + static void mv_cesa_ahash_last_cleanup(struct ahash_request *req) +@@ -395,8 +398,6 @@ static void mv_cesa_ahash_complete(struct crypto_async_request *req) + } + } + } +- +- atomic_sub(ahashreq->nbytes, &engine->load); + } + + static void mv_cesa_ahash_prepare(struct crypto_async_request *req, +-- +2.39.5 + diff --git a/queue-5.15/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch b/queue-5.15/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch new file mode 100644 index 0000000000..c4a0679c32 --- /dev/null +++ b/queue-5.15/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch @@ -0,0 +1,49 @@ +From f6a3146f60af823d3efb824f1a9127df0ce8f213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 08:10:29 +0100 +Subject: crypto: qat - fix seq_file position update in adf_ring_next() + +From: Giovanni Cabiddu + +[ Upstream commit 6908c5f4f066a0412c3d9a6f543a09fa7d87824b ] + +The `adf_ring_next()` function in the QAT debug transport interface +fails to correctly update the position index when reaching the end of +the ring elements. This triggers the following kernel warning when +reading ring files, such as +/sys/kernel/debug/qat_c6xx_/transport/bank_00/ring_00: + + [27725.022965] seq_file: buggy .next function adf_ring_next [intel_qat] did not update position index + +Ensure that the `*pos` index is incremented before returning NULL when +after the last element in the ring is found, satisfying the seq_file API +requirements and preventing the warning. + +Fixes: a672a9dc872e ("crypto: qat - Intel(R) QAT transport code") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Ahsan Atta +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_transport_debug.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_transport_debug.c b/drivers/crypto/qat/qat_common/adf_transport_debug.c +index 006867f410bd..494ddab81df7 100644 +--- a/drivers/crypto/qat/qat_common/adf_transport_debug.c ++++ b/drivers/crypto/qat/qat_common/adf_transport_debug.c +@@ -31,8 +31,10 @@ static void *adf_ring_next(struct seq_file *sfile, void *v, loff_t *pos) + struct adf_etr_ring_data *ring = sfile->private; + + if (*pos >= (ADF_SIZE_TO_RING_SIZE_IN_BYTES(ring->ring_size) / +- ADF_MSG_SIZE_TO_BYTES(ring->msg_size))) ++ ADF_MSG_SIZE_TO_BYTES(ring->msg_size))) { ++ (*pos)++; + return NULL; ++ } + + return ring->base_addr + + (ADF_MSG_SIZE_TO_BYTES(ring->msg_size) * (*pos)++); +-- +2.39.5 + diff --git a/queue-5.15/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch b/queue-5.15/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch new file mode 100644 index 0000000000..8ad018619b --- /dev/null +++ b/queue-5.15/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch @@ -0,0 +1,73 @@ +From 0cfcd32ec91398fd892a19cdbae5c11638638c64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 14:37:52 +0200 +Subject: dmaengine: mv_xor: Fix missing check after DMA map and missing unmap + +From: Thomas Fourier + +[ Upstream commit 60095aca6b471b7b7a79c80b7395f7e4e414b479 ] + +The DMA map functions can fail and should be tested for errors. + +In case of error, unmap the already mapped regions. + +Fixes: 22843545b200 ("dma: mv_xor: Add support for DMA_INTERRUPT") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250701123753.46935-2-fourier.thomas@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mv_xor.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c +index ea48661e87ea..ca0ba1d46283 100644 +--- a/drivers/dma/mv_xor.c ++++ b/drivers/dma/mv_xor.c +@@ -1061,8 +1061,16 @@ mv_xor_channel_add(struct mv_xor_device *xordev, + */ + mv_chan->dummy_src_addr = dma_map_single(dma_dev->dev, + mv_chan->dummy_src, MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE); ++ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_src_addr)) ++ return ERR_PTR(-ENOMEM); ++ + mv_chan->dummy_dst_addr = dma_map_single(dma_dev->dev, + mv_chan->dummy_dst, MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE); ++ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_dst_addr)) { ++ ret = -ENOMEM; ++ goto err_unmap_src; ++ } ++ + + /* allocate coherent memory for hardware descriptors + * note: writecombine gives slightly better performance, but +@@ -1071,8 +1079,10 @@ mv_xor_channel_add(struct mv_xor_device *xordev, + mv_chan->dma_desc_pool_virt = + dma_alloc_wc(&pdev->dev, MV_XOR_POOL_SIZE, &mv_chan->dma_desc_pool, + GFP_KERNEL); +- if (!mv_chan->dma_desc_pool_virt) +- return ERR_PTR(-ENOMEM); ++ if (!mv_chan->dma_desc_pool_virt) { ++ ret = -ENOMEM; ++ goto err_unmap_dst; ++ } + + /* discover transaction capabilites from the platform data */ + dma_dev->cap_mask = cap_mask; +@@ -1155,6 +1165,13 @@ mv_xor_channel_add(struct mv_xor_device *xordev, + err_free_dma: + dma_free_coherent(&pdev->dev, MV_XOR_POOL_SIZE, + mv_chan->dma_desc_pool_virt, mv_chan->dma_desc_pool); ++err_unmap_dst: ++ dma_unmap_single(dma_dev->dev, mv_chan->dummy_dst_addr, ++ MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE); ++err_unmap_src: ++ dma_unmap_single(dma_dev->dev, mv_chan->dummy_src_addr, ++ MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE); ++ + return ERR_PTR(ret); + } + +-- +2.39.5 + diff --git a/queue-5.15/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch b/queue-5.15/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..a611266fca --- /dev/null +++ b/queue-5.15/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch @@ -0,0 +1,55 @@ +From 8c8e1be3c0404d6f0b5f7ee2889cdb928d0b7e13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:57:16 +0200 +Subject: dmaengine: nbpfaxi: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit c6ee78fc8f3e653bec427cfd06fec7877ee782bd ] + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, unmap and return an error. + +Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250707075752.28674-2-fourier.thomas@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/nbpfaxi.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/dma/nbpfaxi.c b/drivers/dma/nbpfaxi.c +index bbedf57e3612..94e7e3290691 100644 +--- a/drivers/dma/nbpfaxi.c ++++ b/drivers/dma/nbpfaxi.c +@@ -712,6 +712,9 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan) + list_add_tail(&ldesc->node, &lhead); + ldesc->hwdesc_dma_addr = dma_map_single(dchan->device->dev, + hwdesc, sizeof(*hwdesc), DMA_TO_DEVICE); ++ if (dma_mapping_error(dchan->device->dev, ++ ldesc->hwdesc_dma_addr)) ++ goto unmap_error; + + dev_dbg(dev, "%s(): mapped 0x%p to %pad\n", __func__, + hwdesc, &ldesc->hwdesc_dma_addr); +@@ -738,6 +741,16 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan) + spin_unlock_irq(&chan->lock); + + return ARRAY_SIZE(dpage->desc); ++ ++unmap_error: ++ while (i--) { ++ ldesc--; hwdesc--; ++ ++ dma_unmap_single(dchan->device->dev, ldesc->hwdesc_dma_addr, ++ sizeof(hwdesc), DMA_TO_DEVICE); ++ } ++ ++ return -ENOMEM; + } + + static void nbpf_desc_put(struct nbpf_desc *desc) +-- +2.39.5 + diff --git a/queue-5.15/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch b/queue-5.15/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch new file mode 100644 index 0000000000..c3959b1d6b --- /dev/null +++ b/queue-5.15/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch @@ -0,0 +1,44 @@ +From 1f11326e3aff9218aca5291fe7ef9d3d8bc5330d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 23:26:17 +0300 +Subject: drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value + +From: Fedor Pchelkin + +[ Upstream commit a54e4639c4ef37a0241bac7d2a77f2e6ffb57099 ] + +There is a small typo in phm_wait_on_indirect_register(). + +Swap mask and value arguments provided to phm_wait_on_register() so that +they satisfy the function signature and actual usage scheme. + +Found by Linux Verification Center (linuxtesting.org) with Svace static +analysis tool. + +In practice this doesn't fix any issues because the only place this +function is used uses the same value for the value and mask. + +Fixes: 3bace3591493 ("drm/amd/powerplay: add hardware manager sub-component") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c +index bfe80ac0ad8c..fa2a91d16615 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c +@@ -149,7 +149,7 @@ int phm_wait_on_indirect_register(struct pp_hwmgr *hwmgr, + } + + cgs_write_register(hwmgr->device, indirect_port, index); +- return phm_wait_on_register(hwmgr, indirect_port + 1, mask, value); ++ return phm_wait_on_register(hwmgr, indirect_port + 1, value, mask); + } + + int phm_wait_for_register_unequal(struct pp_hwmgr *hwmgr, +-- +2.39.5 + diff --git a/queue-5.15/drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch b/queue-5.15/drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch new file mode 100644 index 0000000000..5963154d60 --- /dev/null +++ b/queue-5.15/drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch @@ -0,0 +1,52 @@ +From d36d72cd7a67a5f55eaad9202e4ad9d37552b83b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 11:15:59 +0800 +Subject: drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed + +From: Andy Yan + +[ Upstream commit 099593a28138b48feea5be8ce700e5bc4565e31d ] + +In the function drm_gem_fb_init_with_funcs, the framebuffer (fb) +and its corresponding object ID have already been registered. + +So we need to cleanup the drm framebuffer if the subsequent +execution of drm_gem_fb_afbc_init fails. + +Directly call drm_framebuffer_put to ensure that all fb related +resources are cleanup. + +Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc") +Signed-off-by: Andy Yan +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250509031607.2542187-1-andyshrk@163.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c +index 3aa37e177667..b386c17e8668 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c +@@ -81,16 +81,9 @@ rockchip_fb_create(struct drm_device *dev, struct drm_file *file, + } + + if (drm_is_afbc(mode_cmd->modifier[0])) { +- int ret, i; +- + ret = drm_gem_fb_afbc_init(dev, mode_cmd, afbc_fb); + if (ret) { +- struct drm_gem_object **obj = afbc_fb->base.obj; +- +- for (i = 0; i < info->num_planes; ++i) +- drm_gem_object_put(obj[i]); +- +- kfree(afbc_fb); ++ drm_framebuffer_put(&afbc_fb->base); + return ERR_PTR(ret); + } + } +-- +2.39.5 + diff --git a/queue-5.15/f2fs-doc-fix-wrong-quota-mount-option-description.patch b/queue-5.15/f2fs-doc-fix-wrong-quota-mount-option-description.patch new file mode 100644 index 0000000000..e1495cf072 --- /dev/null +++ b/queue-5.15/f2fs-doc-fix-wrong-quota-mount-option-description.patch @@ -0,0 +1,40 @@ +From d81166aff81d2db773ad28f9e3742236ac480f18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 14:49:25 +0800 +Subject: f2fs: doc: fix wrong quota mount option description + +From: Chao Yu + +[ Upstream commit 81b6ecca2f15922e8d653dc037df5871e754be6e ] + +We should use "{usr,grp,prj}jquota=" to disable journaled quota, +rather than using off{usr,grp,prj}jquota. + +Fixes: 4b2414d04e99 ("f2fs: support journalled quota") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/f2fs.rst | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/filesystems/f2fs.rst b/Documentation/filesystems/f2fs.rst +index 7fe50b0bccde..f3e9ba8d6892 100644 +--- a/Documentation/filesystems/f2fs.rst ++++ b/Documentation/filesystems/f2fs.rst +@@ -211,9 +211,9 @@ usrjquota= Appoint specified file and type during mount, so that quota + grpjquota= information can be properly updated during recovery flow, + prjjquota= : must be in root directory; + jqfmt= : [vfsold,vfsv0,vfsv1]. +-offusrjquota Turn off user journalled quota. +-offgrpjquota Turn off group journalled quota. +-offprjjquota Turn off project journalled quota. ++usrjquota= Turn off user journalled quota. ++grpjquota= Turn off group journalled quota. ++prjjquota= Turn off project journalled quota. + quota Enable plain user disk quota accounting. + noquota Disable all plain disk quota option. + whint_mode=%s Control which write hints are passed down to block +-- +2.39.5 + diff --git a/queue-5.15/f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch b/queue-5.15/f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch new file mode 100644 index 0000000000..1f9ecc8539 --- /dev/null +++ b/queue-5.15/f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch @@ -0,0 +1,47 @@ +From 0f225e964c4bfccf4a824a7a383c6e1850f34881 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 16:35:37 +0530 +Subject: f2fs: fix KMSAN uninit-value in extent_info usage + +From: Abinash Singh + +[ Upstream commit 154467f4ad033473e5c903a03e7b9bca7df9a0fa ] + +KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` + and `__is_back_mergeable()` via the read extent tree path. + +The root cause is that `get_read_extent_info()` only initializes three +fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the +remaining fields uninitialized. This leads to undefined behavior +when those fields are accessed later, especially during +extent merging. + +Fix it by zero-initializing the `extent_info` struct before population. + +Reported-by: syzbot+b8c1d60e95df65e827d4@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b8c1d60e95df65e827d4 +Fixes: 94afd6d6e525 ("f2fs: extent cache: support unaligned extent") +Reviewed-by: Chao Yu +Signed-off-by: Abinash Singh +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/extent_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c +index 30b8924d1493..5808791efd98 100644 +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -365,7 +365,7 @@ static void __f2fs_init_extent_tree(struct inode *inode, struct page *ipage) + struct f2fs_extent *i_ext = ipage ? &F2FS_INODE(ipage)->i_ext : NULL; + struct extent_tree *et; + struct extent_node *en; +- struct extent_info ei; ++ struct extent_info ei = {0}; + + if (!f2fs_may_extent_tree(inode)) { + /* drop largest extent */ +-- +2.39.5 + diff --git a/queue-5.15/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch b/queue-5.15/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch new file mode 100644 index 0000000000..63619a00f4 --- /dev/null +++ b/queue-5.15/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch @@ -0,0 +1,60 @@ +From a00fcda6c8fafb4018b70243708be3a8f8f176bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 15:14:50 +0800 +Subject: f2fs: fix to avoid out-of-boundary access in devs.path + +From: Chao Yu + +[ Upstream commit 5661998536af52848cc4d52a377e90368196edea ] + +- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123 +- truncate -s $((1024*1024*1024)) \ + /mnt/f2fs/012345678901234567890123456789012345678901234567890123 +- touch /mnt/f2fs/file +- truncate -s $((1024*1024*1024)) /mnt/f2fs/file +- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ + -c /mnt/f2fs/file +- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ + /mnt/f2fs/loop + +[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff +[16937.192268] F2FS-fs (loop0): Failed to find devices + +If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may +not end up w/ null character due to path array is fully filled, So +accidently, fields locate after path[] may be treated as part of +device path, result in parsing wrong device path. + +struct f2fs_dev_info { +... + char path[MAX_PATH_LEN]; +... +}; + +Let's add one byte space for sbi->devs.path[] to store null +character of device path string. + +Fixes: 3c62be17d4f5 ("f2fs: support multiple devices") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 28db323dd400..5475d017ad1e 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1209,7 +1209,7 @@ struct f2fs_bio_info { + #define RDEV(i) (raw_super->devs[i]) + struct f2fs_dev_info { + struct block_device *bdev; +- char path[MAX_PATH_LEN]; ++ char path[MAX_PATH_LEN + 1]; + unsigned int total_segments; + block_t start_blk; + block_t end_blk; +-- +2.39.5 + diff --git a/queue-5.15/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch b/queue-5.15/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch new file mode 100644 index 0000000000..e709dfdb43 --- /dev/null +++ b/queue-5.15/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch @@ -0,0 +1,282 @@ +From 0a3c8de03389bb2ea8ae1bd6f21aeb4d69396d39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 17:56:57 +0800 +Subject: f2fs: fix to avoid panic in f2fs_evict_inode + +From: Chao Yu + +[ Upstream commit a509a55f8eecc8970b3980c6f06886bbff0e2f68 ] + +As syzbot [1] reported as below: + +R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450 +R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 + +---[ end trace 0000000000000000 ]--- +================================================================== +BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 +Read of size 8 at addr ffff88812d962278 by task syz-executor/564 + +CPU: 1 PID: 564 Comm: syz-executor Tainted: G W 6.1.129-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +Call Trace: + + __dump_stack+0x21/0x24 lib/dump_stack.c:88 + dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106 + print_address_description+0x71/0x210 mm/kasan/report.c:316 + print_report+0x4a/0x60 mm/kasan/report.c:427 + kasan_report+0x122/0x150 mm/kasan/report.c:531 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351 + __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 + __list_del_entry include/linux/list.h:134 [inline] + list_del_init include/linux/list.h:206 [inline] + f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531 + f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585 + f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703 + f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731 + write_inode fs/fs-writeback.c:1460 [inline] + __writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677 + writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733 + sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789 + f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159 + block_operations fs/f2fs/checkpoint.c:1269 [inline] + f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658 + kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668 + deactivate_locked_super+0x98/0x100 fs/super.c:332 + deactivate_super+0xaf/0xe0 fs/super.c:363 + cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186 + __cleanup_mnt+0x19/0x20 fs/namespace.c:1193 + task_work_run+0x1c6/0x230 kernel/task_work.c:203 + exit_task_work include/linux/task_work.h:39 [inline] + do_exit+0x9fb/0x2410 kernel/exit.c:871 + do_group_exit+0x210/0x2d0 kernel/exit.c:1021 + __do_sys_exit_group kernel/exit.c:1032 [inline] + __se_sys_exit_group kernel/exit.c:1030 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030 + x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 +RIP: 0033:0x7f28b1b8e169 +Code: Unable to access opcode bytes at 0x7f28b1b8e13f. +RSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 +RBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360 +R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360 +R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 + + +Allocated by task 569: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 + kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505 + __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:201 [inline] + slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737 + slab_alloc_node mm/slub.c:3398 [inline] + slab_alloc mm/slub.c:3406 [inline] + __kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429 + alloc_inode_sb include/linux/fs.h:3245 [inline] + f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419 + alloc_inode fs/inode.c:261 [inline] + iget_locked+0x186/0x880 fs/inode.c:1373 + f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483 + f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487 + __lookup_slow+0x2a3/0x3d0 fs/namei.c:1690 + lookup_slow+0x57/0x70 fs/namei.c:1707 + walk_component+0x2e6/0x410 fs/namei.c:1998 + lookup_last fs/namei.c:2455 [inline] + path_lookupat+0x180/0x490 fs/namei.c:2479 + filename_lookup+0x1f0/0x500 fs/namei.c:2508 + vfs_statx+0x10b/0x660 fs/stat.c:229 + vfs_fstatat fs/stat.c:267 [inline] + vfs_lstat include/linux/fs.h:3424 [inline] + __do_sys_newlstat fs/stat.c:423 [inline] + __se_sys_newlstat+0xd5/0x350 fs/stat.c:417 + __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417 + x64_sys_call+0x393/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 + +Freed by task 13: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 + kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516 + ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:236 + __kasan_slab_free+0x11/0x20 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1724 [inline] + slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1750 + slab_free mm/slub.c:3661 [inline] + kmem_cache_free+0x12d/0x2a0 mm/slub.c:3683 + f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1562 + i_callback+0x4c/0x70 fs/inode.c:250 + rcu_do_batch+0x503/0xb80 kernel/rcu/tree.c:2297 + rcu_core+0x5a2/0xe70 kernel/rcu/tree.c:2557 + rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574 + handle_softirqs+0x178/0x500 kernel/softirq.c:578 + run_ksoftirqd+0x28/0x30 kernel/softirq.c:945 + smpboot_thread_fn+0x45a/0x8c0 kernel/smpboot.c:164 + kthread+0x270/0x310 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + +Last potentially related work creation: + kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486 + kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496 + call_rcu+0xd4/0xf70 kernel/rcu/tree.c:2845 + destroy_inode fs/inode.c:316 [inline] + evict+0x7da/0x870 fs/inode.c:720 + iput_final fs/inode.c:1834 [inline] + iput+0x62b/0x830 fs/inode.c:1860 + do_unlinkat+0x356/0x540 fs/namei.c:4397 + __do_sys_unlink fs/namei.c:4438 [inline] + __se_sys_unlink fs/namei.c:4436 [inline] + __x64_sys_unlink+0x49/0x50 fs/namei.c:4436 + x64_sys_call+0x958/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 + +The buggy address belongs to the object at ffff88812d961f20 + which belongs to the cache f2fs_inode_cache of size 1200 +The buggy address is located 856 bytes inside of + 1200-byte region [ffff88812d961f20, ffff88812d9623d0) + +The buggy address belongs to the physical page: +page:ffffea0004b65800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d960 +head:ffffea0004b65800 order:2 compound_mapcount:0 compound_pincount:0 +flags: 0x4000000000010200(slab|head|zone=1) +raw: 4000000000010200 0000000000000000 dead000000000122 ffff88810a94c500 +raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 2, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 569, tgid 568 (syz.2.16), ts 55943246141, free_ts 0 + set_page_owner include/linux/page_owner.h:31 [inline] + post_alloc_hook+0x1d0/0x1f0 mm/page_alloc.c:2532 + prep_new_page mm/page_alloc.c:2539 [inline] + get_page_from_freelist+0x2e63/0x2ef0 mm/page_alloc.c:4328 + __alloc_pages+0x235/0x4b0 mm/page_alloc.c:5605 + alloc_slab_page include/linux/gfp.h:-1 [inline] + allocate_slab mm/slub.c:1939 [inline] + new_slab+0xec/0x4b0 mm/slub.c:1992 + ___slab_alloc+0x6f6/0xb50 mm/slub.c:3180 + __slab_alloc+0x5e/0xa0 mm/slub.c:3279 + slab_alloc_node mm/slub.c:3364 [inline] + slab_alloc mm/slub.c:3406 [inline] + __kmem_cache_alloc_lru mm/slub.c:3413 [inline] + kmem_cache_alloc_lru+0x13f/0x220 mm/slub.c:3429 + alloc_inode_sb include/linux/fs.h:3245 [inline] + f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419 + alloc_inode fs/inode.c:261 [inline] + iget_locked+0x186/0x880 fs/inode.c:1373 + f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483 + f2fs_fill_super+0x3ad7/0x6bb0 fs/f2fs/super.c:4293 + mount_bdev+0x2ae/0x3e0 fs/super.c:1443 + f2fs_mount+0x34/0x40 fs/f2fs/super.c:4642 + legacy_get_tree+0xea/0x190 fs/fs_context.c:632 + vfs_get_tree+0x89/0x260 fs/super.c:1573 + do_new_mount+0x25a/0xa20 fs/namespace.c:3056 +page_owner free stack trace missing + +Memory state around the buggy address: + ffff88812d962100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88812d962180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88812d962200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88812d962280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88812d962300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +[1] https://syzkaller.appspot.com/x/report.txt?x=13448368580000 + +This bug can be reproduced w/ the reproducer [2], once we enable +CONFIG_F2FS_CHECK_FS config, the reproducer will trigger panic as below, +so the direct reason of this bug is the same as the one below patch [3] +fixed. + +kernel BUG at fs/f2fs/inode.c:857! +RIP: 0010:f2fs_evict_inode+0x1204/0x1a20 +Call Trace: + + evict+0x32a/0x7a0 + do_unlinkat+0x37b/0x5b0 + __x64_sys_unlink+0xad/0x100 + do_syscall_64+0x5a/0xb0 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +RIP: 0010:f2fs_evict_inode+0x1204/0x1a20 + +[2] https://syzkaller.appspot.com/x/repro.c?x=17495ccc580000 +[3] https://lore.kernel.org/linux-f2fs-devel/20250702120321.1080759-1-chao@kernel.org + +Tracepoints before panic: + +f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file1 +f2fs_unlink_exit: dev = (7,0), ino = 7, ret = 0 +f2fs_evict_inode: dev = (7,0), ino = 7, pino = 3, i_mode = 0x81ed, i_size = 10, i_nlink = 0, i_blocks = 0, i_advise = 0x0 +f2fs_truncate_node: dev = (7,0), ino = 7, nid = 8, block_address = 0x3c05 + +f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file3 +f2fs_unlink_exit: dev = (7,0), ino = 8, ret = 0 +f2fs_evict_inode: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 9000, i_nlink = 0, i_blocks = 24, i_advise = 0x4 +f2fs_truncate: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 0, i_nlink = 0, i_blocks = 24, i_advise = 0x4 +f2fs_truncate_blocks_enter: dev = (7,0), ino = 8, i_size = 0, i_blocks = 24, start file offset = 0 +f2fs_truncate_blocks_exit: dev = (7,0), ino = 8, ret = -2 + +The root cause is: in the fuzzed image, dnode #8 belongs to inode #7, +after inode #7 eviction, dnode #8 was dropped. + +However there is dirent that has ino #8, so, once we unlink file3, in +f2fs_evict_inode(), both f2fs_truncate() and f2fs_update_inode_page() +will fail due to we can not load node #8, result in we missed to call +f2fs_inode_synced() to clear inode dirty status. + +Let's fix this by calling f2fs_inode_synced() in error path of +f2fs_evict_inode(). + +PS: As I verified, the reproducer [2] can trigger this bug in v6.1.129, +but it failed in v6.16-rc4, this is because the testcase will stop due to +other corruption has been detected by f2fs: + +F2FS-fs (loop0): inconsistent node block, node_type:2, nid:8, node_footer[nid:8,ino:8,ofs:0,cpver:5013063228981249506,blkaddr:15366] +F2FS-fs (loop0): f2fs_lookup: inode (ino=9) has zero i_nlink + +Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing") +Closes: https://syzkaller.appspot.com/x/report.txt?x=13448368580000 +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 35760080803f..dc34a999996e 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -826,6 +826,19 @@ void f2fs_evict_inode(struct inode *inode) + f2fs_update_inode_page(inode); + if (dquot_initialize_needed(inode)) + set_sbi_flag(sbi, SBI_QUOTA_NEED_REPAIR); ++ ++ /* ++ * If both f2fs_truncate() and f2fs_update_inode_page() failed ++ * due to fuzzed corrupted inode, call f2fs_inode_synced() to ++ * avoid triggering later f2fs_bug_on(). ++ */ ++ if (is_inode_flag_set(inode, FI_DIRTY_INODE)) { ++ f2fs_warn(sbi, ++ "f2fs_evict_inode: inode is dirty, ino:%lu", ++ inode->i_ino); ++ f2fs_inode_synced(inode); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ } + } + if (!is_sbi_flag_set(sbi, SBI_IS_FREEZING)) + sb_end_intwrite(inode->i_sb); +-- +2.39.5 + diff --git a/queue-5.15/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch b/queue-5.15/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch new file mode 100644 index 0000000000..0eaa51554b --- /dev/null +++ b/queue-5.15/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch @@ -0,0 +1,235 @@ +From 1d325fd92dbff129b11cff63890a46738adb7185 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 17:53:39 +0800 +Subject: f2fs: fix to avoid UAF in f2fs_sync_inode_meta() + +From: Chao Yu + +[ Upstream commit 7c30d79930132466f5be7d0b57add14d1a016bda ] + +syzbot reported an UAF issue as below: [1] [2] + +[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000 + +================================================================== +BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 +Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8 + +CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +Workqueue: writeback wb_workfn (flush-7:0) +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:316 [inline] + print_report+0x158/0x4e0 mm/kasan/report.c:427 + kasan_report+0x13c/0x170 mm/kasan/report.c:531 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351 + __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 + __list_del_entry include/linux/list.h:134 [inline] + list_del_init include/linux/list.h:206 [inline] + f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553 + f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588 + f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706 + f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734 + write_inode fs/fs-writeback.c:1460 [inline] + __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677 + writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903 + __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974 + wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081 + wb_check_background_flush fs/fs-writeback.c:2151 [inline] + wb_do_writeback fs/fs-writeback.c:2239 [inline] + wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266 + process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299 + worker_thread+0xa60/0x1260 kernel/workqueue.c:2446 + kthread+0x26d/0x300 kernel/kthread.c:386 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + + +Allocated by task 298: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 + kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 + __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333 + kasan_slab_alloc include/linux/kasan.h:202 [inline] + slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768 + slab_alloc_node mm/slub.c:3421 [inline] + slab_alloc mm/slub.c:3431 [inline] + __kmem_cache_alloc_lru mm/slub.c:3438 [inline] + kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454 + alloc_inode_sb include/linux/fs.h:3255 [inline] + f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437 + alloc_inode fs/inode.c:261 [inline] + iget_locked+0x18c/0x7e0 fs/inode.c:1373 + f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486 + f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484 + __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689 + lookup_slow+0x5a/0x80 fs/namei.c:1706 + walk_component+0x2e7/0x410 fs/namei.c:1997 + lookup_last fs/namei.c:2454 [inline] + path_lookupat+0x16d/0x450 fs/namei.c:2478 + filename_lookup+0x251/0x600 fs/namei.c:2507 + vfs_statx+0x107/0x4b0 fs/stat.c:229 + vfs_fstatat fs/stat.c:267 [inline] + vfs_lstat include/linux/fs.h:3434 [inline] + __do_sys_newlstat fs/stat.c:423 [inline] + __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417 + __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417 + x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 + +Freed by task 0: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516 + ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241 + __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 + kasan_slab_free include/linux/kasan.h:178 [inline] + slab_free_hook mm/slub.c:1745 [inline] + slab_free_freelist_hook mm/slub.c:1771 [inline] + slab_free mm/slub.c:3686 [inline] + kmem_cache_free+0x291/0x560 mm/slub.c:3711 + f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1584 + i_callback+0x4b/0x70 fs/inode.c:250 + rcu_do_batch+0x552/0xbe0 kernel/rcu/tree.c:2297 + rcu_core+0x502/0xf40 kernel/rcu/tree.c:2557 + rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574 + handle_softirqs+0x1db/0x650 kernel/softirq.c:624 + __do_softirq kernel/softirq.c:662 [inline] + invoke_softirq kernel/softirq.c:479 [inline] + __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711 + irq_exit_rcu+0x9/0x10 kernel/softirq.c:723 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline] + sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118 + asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691 + +Last potentially related work creation: + kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486 + kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496 + __call_rcu_common kernel/rcu/tree.c:2807 [inline] + call_rcu+0xdc/0x10f0 kernel/rcu/tree.c:2926 + destroy_inode fs/inode.c:316 [inline] + evict+0x87d/0x930 fs/inode.c:720 + iput_final fs/inode.c:1834 [inline] + iput+0x616/0x690 fs/inode.c:1860 + do_unlinkat+0x4e1/0x920 fs/namei.c:4396 + __do_sys_unlink fs/namei.c:4437 [inline] + __se_sys_unlink fs/namei.c:4435 [inline] + __x64_sys_unlink+0x49/0x50 fs/namei.c:4435 + x64_sys_call+0x289/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x68/0xd2 + +The buggy address belongs to the object at ffff888100567a10 + which belongs to the cache f2fs_inode_cache of size 1360 +The buggy address is located 952 bytes inside of + 1360-byte region [ffff888100567a10, ffff888100567f60) + +The buggy address belongs to the physical page: +page:ffffea0004015800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100560 +head:ffffea0004015800 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x4000000000010200(slab|head|zone=1) +raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c4d80 +raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor330), ts 26489303743, free_ts 0 + set_page_owner include/linux/page_owner.h:33 [inline] + post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637 + prep_new_page+0x1b/0x110 mm/page_alloc.c:2644 + get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539 + __alloc_pages+0x234/0x610 mm/page_alloc.c:5837 + alloc_slab_page+0x6c/0xf0 include/linux/gfp.h:-1 + allocate_slab mm/slub.c:1962 [inline] + new_slab+0x90/0x3e0 mm/slub.c:2015 + ___slab_alloc+0x6f9/0xb80 mm/slub.c:3203 + __slab_alloc+0x5d/0xa0 mm/slub.c:3302 + slab_alloc_node mm/slub.c:3387 [inline] + slab_alloc mm/slub.c:3431 [inline] + __kmem_cache_alloc_lru mm/slub.c:3438 [inline] + kmem_cache_alloc_lru+0x149/0x270 mm/slub.c:3454 + alloc_inode_sb include/linux/fs.h:3255 [inline] + f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437 + alloc_inode fs/inode.c:261 [inline] + iget_locked+0x18c/0x7e0 fs/inode.c:1373 + f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486 + f2fs_fill_super+0x5360/0x6dc0 fs/f2fs/super.c:4488 + mount_bdev+0x282/0x3b0 fs/super.c:1445 + f2fs_mount+0x34/0x40 fs/f2fs/super.c:4743 + legacy_get_tree+0xf1/0x190 fs/fs_context.c:632 +page_owner free stack trace missing + +Memory state around the buggy address: + ffff888100567c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888100567d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888100567d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888100567e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888100567e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +[2] https://syzkaller.appspot.com/text?tag=CrashLog&x=13654c60580000 + +[ 24.675720][ T28] audit: type=1400 audit(1745327318.732:72): avc: denied { write } for pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 +[ 24.705426][ T296] ------------[ cut here ]------------ +[ 24.706608][ T28] audit: type=1400 audit(1745327318.732:73): avc: denied { remove_name } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 +[ 24.711550][ T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540 +[ 24.734141][ T28] audit: type=1400 audit(1745327318.732:74): avc: denied { rename } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 +[ 24.742969][ T296] Modules linked in: +[ 24.765201][ T28] audit: type=1400 audit(1745327318.732:75): avc: denied { add_name } for pid=298 comm="syz-executor399" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 +[ 24.768847][ T296] CPU: 0 PID: 296 Comm: syz-executor399 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0 +[ 24.799506][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +[ 24.809401][ T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540 +[ 24.815018][ T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61 +[ 24.834584][ T296] RSP: 0018:ffffc90000db7a40 EFLAGS: 00010293 +[ 24.840465][ T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888110948000 +[ 24.848291][ T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 +[ 24.856064][ T296] RBP: ffffc90000db7bb0 R08: ffffffff822ac6a8 R09: ffffed10200b005d +[ 24.864073][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100580000 +[ 24.871812][ T296] R13: dffffc0000000000 R14: ffff88810fef4078 R15: 1ffff920001b6f5c + +The root cause is w/ a fuzzed image, f2fs may missed to clear FI_DIRTY_INODE +flag for target inode, after f2fs_evict_inode(), the inode is still linked in +sbi->inode_list[DIRTY_META] global list, once it triggers checkpoint, +f2fs_sync_inode_meta() may access the released inode. + +In f2fs_evict_inode(), let's always call f2fs_inode_synced() to clear +FI_DIRTY_INODE flag and drop inode from global dirty list to avoid this +UAF issue. + +Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing") +Closes: https://syzkaller.appspot.com/bug?extid=849174b2efaf0d8be6ba +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 558f478d037d..35760080803f 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -842,8 +842,12 @@ void f2fs_evict_inode(struct inode *inode) + if (likely(!f2fs_cp_error(sbi) && + !is_sbi_flag_set(sbi, SBI_CP_DISABLED))) + f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE)); +- else +- f2fs_inode_synced(inode); ++ ++ /* ++ * anyway, it needs to remove the inode from sbi->inode_list[DIRTY_META] ++ * list to avoid UAF in f2fs_sync_inode_meta() during checkpoint. ++ */ ++ f2fs_inode_synced(inode); + + /* for the case f2fs_new_inode() was failed, .i_ino is zero, skip it */ + if (inode->i_ino) +-- +2.39.5 + diff --git a/queue-5.15/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch b/queue-5.15/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch new file mode 100644 index 0000000000..1cac62db33 --- /dev/null +++ b/queue-5.15/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch @@ -0,0 +1,46 @@ +From 58910e2cd89885ef2f0e8e79168ec80761784e59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 22:25:34 -0500 +Subject: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref + +From: Chenyuan Yang + +[ Upstream commit da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 ] + +fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot +allocate a struct fb_modelist. If that happens, the modelist stays empty but +the driver continues to register. Add a check for its return value to prevent +poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev: +Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var"). + +Fixes: 1b6c79361ba5 ("video: imxfb: Add DT support") +Signed-off-by: Chenyuan Yang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index cd376a9bfe1b..f9af2b1a91ab 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -1007,8 +1007,13 @@ static int imxfb_probe(struct platform_device *pdev) + + + INIT_LIST_HEAD(&info->modelist); +- for (i = 0; i < fbi->num_modes; i++) +- fb_add_videomode(&fbi->mode[i].mode, &info->modelist); ++ for (i = 0; i < fbi->num_modes; i++) { ++ ret = fb_add_videomode(&fbi->mode[i].mode, &info->modelist); ++ if (ret) { ++ dev_err(&pdev->dev, "Failed to add videomode\n"); ++ goto failed_cmap; ++ } ++ } + + /* + * This makes sure that our colour bitfield +-- +2.39.5 + diff --git a/queue-5.15/fs-orangefs-allow-2-more-characters-in-do_c_string.patch b/queue-5.15/fs-orangefs-allow-2-more-characters-in-do_c_string.patch new file mode 100644 index 0000000000..49f4417547 --- /dev/null +++ b/queue-5.15/fs-orangefs-allow-2-more-characters-in-do_c_string.patch @@ -0,0 +1,65 @@ +From e9c129476548baaccb299f07c036cba0ed8aa2b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jul 2025 09:19:10 -0500 +Subject: fs/orangefs: Allow 2 more characters in do_c_string() + +From: Dan Carpenter + +[ Upstream commit 2138e89cb066b40386b1d9ddd61253347d356474 ] + +The do_k_string() and do_c_string() functions do essentially the same +thing which is they add a string and a comma onto the end of an existing +string. At the end, the caller will overwrite the last comma with a +newline. Later, in orangefs_kernel_debug_init(), we add a newline to +the string. + +The change to do_k_string() is just cosmetic. I moved the "- 1" to +the other side of the comparison and made it "+ 1". This has no +effect on runtime, I just wanted the functions to match each other +and the rest of the file. + +However in do_c_string(), I removed the "- 2" which allows us to print +two extra characters. I noticed this issue while reviewing the code +and I doubt affects anything in real life. My guess is that this was +double counting the comma and the newline. The "+ 1" accounts for +the newline, and the caller will delete the final comma which ensures +there is enough space for the newline. + +Removing the "- 2" lets us print 2 more characters, but mainly it makes +the code more consistent and understandable for reviewers. + +Fixes: 44f4641073f1 ("orangefs: clean up debugfs globals") +Signed-off-by: Dan Carpenter +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index fa41db088488..b57140ebfad0 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -728,8 +728,8 @@ static void do_k_string(void *k_mask, int index) + + if (*mask & s_kmod_keyword_mask_map[index].mask_val) { + if ((strlen(kernel_debug_string) + +- strlen(s_kmod_keyword_mask_map[index].keyword)) +- < ORANGEFS_MAX_DEBUG_STRING_LEN - 1) { ++ strlen(s_kmod_keyword_mask_map[index].keyword) + 1) ++ < ORANGEFS_MAX_DEBUG_STRING_LEN) { + strcat(kernel_debug_string, + s_kmod_keyword_mask_map[index].keyword); + strcat(kernel_debug_string, ","); +@@ -756,7 +756,7 @@ static void do_c_string(void *c_mask, int index) + (mask->mask2 & cdm_array[index].mask2)) { + if ((strlen(client_debug_string) + + strlen(cdm_array[index].keyword) + 1) +- < ORANGEFS_MAX_DEBUG_STRING_LEN - 2) { ++ < ORANGEFS_MAX_DEBUG_STRING_LEN) { + strcat(client_debug_string, + cdm_array[index].keyword); + strcat(client_debug_string, ","); +-- +2.39.5 + diff --git a/queue-5.15/fs_context-fix-parameter-name-in-infofc-macro.patch b/queue-5.15/fs_context-fix-parameter-name-in-infofc-macro.patch new file mode 100644 index 0000000000..9c7e39f738 --- /dev/null +++ b/queue-5.15/fs_context-fix-parameter-name-in-infofc-macro.patch @@ -0,0 +1,42 @@ +From 52a8fb7072eaa728aaddf3e409f209f4341c0994 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 01:09:27 +0200 +Subject: fs_context: fix parameter name in infofc() macro +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: RubenKelevra + +[ Upstream commit ffaf1bf3737f706e4e9be876de4bc3c8fc578091 ] + +The macro takes a parameter called "p" but references "fc" internally. +This happens to compile as long as callers pass a variable named fc, +but breaks otherwise. Rename the first parameter to “fc” to match the +usage and to be consistent with warnfc() / errorfc(). + +Fixes: a3ff937b33d9 ("prefix-handling analogues of errorf() and friends") +Signed-off-by: RubenKelevra +Link: https://lore.kernel.org/20250617230927.1790401-1-rubenkelevra@gmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + include/linux/fs_context.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h +index 13fa6f3df8e4..c861b2c894ba 100644 +--- a/include/linux/fs_context.h ++++ b/include/linux/fs_context.h +@@ -209,7 +209,7 @@ void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt, + */ + #define infof(fc, fmt, ...) __logfc(fc, 'i', fmt, ## __VA_ARGS__) + #define info_plog(p, fmt, ...) __plog(p, 'i', fmt, ## __VA_ARGS__) +-#define infofc(p, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__) ++#define infofc(fc, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__) + + /** + * warnf - Store supplementary warning message +-- +2.39.5 + diff --git a/queue-5.15/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch b/queue-5.15/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch new file mode 100644 index 0000000000..4849c38c4d --- /dev/null +++ b/queue-5.15/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch @@ -0,0 +1,94 @@ +From 2bd7020c3586b7304635fd45ff7a7d443d484efe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 00:18:06 -0600 +Subject: hfsplus: remove mutex_lock check in hfsplus_free_extents + +From: Yangtao Li + +[ Upstream commit fcb96956c921f1aae7e7b477f2435c56f77a31b4 ] + +Syzbot reported an issue in hfsplus filesystem: + +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 + hfsplus_free_extents+0x700/0xad0 +Call Trace: + +hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606 +hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56 +cont_expand_zero fs/buffer.c:2383 [inline] +cont_write_begin+0x2cf/0x860 fs/buffer.c:2446 +hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52 +generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347 +hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263 +notify_change+0xe38/0x10f0 fs/attr.c:420 +do_truncate+0x1fb/0x2e0 fs/open.c:65 +do_sys_ftruncate+0x2eb/0x380 fs/open.c:193 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock +on file truncation") unlock extree before hfsplus_free_extents(), +and add check wheather extree is locked in hfsplus_free_extents(). + +However, when operations such as hfsplus_file_release, +hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed +concurrently in different files, it is very likely to trigger the +WARN_ON, which will lead syzbot and xfstest to consider it as an +abnormality. + +The comment above this warning also describes one of the easy +triggering situations, which can easily trigger and cause +xfstest&syzbot to report errors. + +[task A] [task B] +->hfsplus_file_release + ->hfsplus_file_truncate + ->hfs_find_init + ->mutex_lock + ->mutex_unlock + ->hfsplus_write_begin + ->hfsplus_get_block + ->hfsplus_file_extend + ->hfsplus_ext_read_extent + ->hfs_find_init + ->mutex_lock + ->hfsplus_free_extents + WARN_ON(mutex_is_locked) !!! + +Several threads could try to lock the shared extents tree. +And warning can be triggered in one thread when another thread +has locked the tree. This is the wrong behavior of the code and +we need to remove the warning. + +Fixes: 31651c607151f ("hfsplus: avoid deadlock on file truncation") +Reported-by: syzbot+8c0bc9f818702ff75b76@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/00000000000057fa4605ef101c4c@google.com/ +Signed-off-by: Yangtao Li +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250529061807.2213498-1-frank.li@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/extents.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c +index c95a2f0ed4a7..fad1c250f150 100644 +--- a/fs/hfsplus/extents.c ++++ b/fs/hfsplus/extents.c +@@ -342,9 +342,6 @@ static int hfsplus_free_extents(struct super_block *sb, + int i; + int err = 0; + +- /* Mapping the allocation file may lock the extent tree */ +- WARN_ON(mutex_is_locked(&HFSPLUS_SB(sb)->ext_tree->tree_lock)); +- + hfsplus_dump_extent(extent); + for (i = 0; i < 8; extent++, i++) { + count = be32_to_cpu(extent->block_count); +-- +2.39.5 + diff --git a/queue-5.15/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch b/queue-5.15/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch new file mode 100644 index 0000000000..6f3727384d --- /dev/null +++ b/queue-5.15/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch @@ -0,0 +1,38 @@ +From e81b72ee9205b5077bcfea3e94ff05f3a99e6399 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jun 2025 20:31:41 +0300 +Subject: hwrng: mtk - handle devm_pm_runtime_enable errors + +From: Ovidiu Panait + +[ Upstream commit 522a242a18adc5c63a24836715dbeec4dc3faee1 ] + +Although unlikely, devm_pm_runtime_enable() call might fail, so handle +the return value. + +Fixes: 78cb66caa6ab ("hwrng: mtk - Use devm_pm_runtime_enable") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/mtk-rng.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c +index 3e00506543b6..72269d0f2a4e 100644 +--- a/drivers/char/hw_random/mtk-rng.c ++++ b/drivers/char/hw_random/mtk-rng.c +@@ -142,7 +142,9 @@ static int mtk_rng_probe(struct platform_device *pdev) + dev_set_drvdata(&pdev->dev, priv); + pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT); + pm_runtime_use_autosuspend(&pdev->dev); +- devm_pm_runtime_enable(&pdev->dev); ++ ret = devm_pm_runtime_enable(&pdev->dev); ++ if (ret) ++ return ret; + + dev_info(&pdev->dev, "registered RNG driver\n"); + +-- +2.39.5 + diff --git a/queue-5.15/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch b/queue-5.15/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch new file mode 100644 index 0000000000..553bbd9b6e --- /dev/null +++ b/queue-5.15/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch @@ -0,0 +1,69 @@ +From 61060fe99e1a0649fb48e999f3fa0b9fdcfd10d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 09:48:48 +0800 +Subject: iwlwifi: Add missing check for alloc_ordered_workqueue + +From: Jiasheng Jiang + +[ Upstream commit 90a0d9f339960448a3acc1437a46730f975efd6a ] + +Add check for the return value of alloc_ordered_workqueue since it may +return NULL pointer. + +Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers") +Signed-off-by: Jiasheng Jiang +Link: https://patch.msgid.link/20230110014848.28226-1-jiasheng@iscas.ac.cn +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c +index 69d1aae96bbb..0ff9b0a1bd18 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c +@@ -1053,9 +1053,11 @@ static void iwl_bg_restart(struct work_struct *data) + * + *****************************************************************************/ + +-static void iwl_setup_deferred_work(struct iwl_priv *priv) ++static int iwl_setup_deferred_work(struct iwl_priv *priv) + { + priv->workqueue = alloc_ordered_workqueue(DRV_NAME, 0); ++ if (!priv->workqueue) ++ return -ENOMEM; + + INIT_WORK(&priv->restart, iwl_bg_restart); + INIT_WORK(&priv->beacon_update, iwl_bg_beacon_update); +@@ -1072,6 +1074,8 @@ static void iwl_setup_deferred_work(struct iwl_priv *priv) + timer_setup(&priv->statistics_periodic, iwl_bg_statistics_periodic, 0); + + timer_setup(&priv->ucode_trace, iwl_bg_ucode_trace, 0); ++ ++ return 0; + } + + void iwl_cancel_deferred_work(struct iwl_priv *priv) +@@ -1461,7 +1465,9 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans, + /******************** + * 6. Setup services + ********************/ +- iwl_setup_deferred_work(priv); ++ if (iwl_setup_deferred_work(priv)) ++ goto out_uninit_drv; ++ + iwl_setup_rx_handlers(priv); + + iwl_power_initialize(priv); +@@ -1499,6 +1505,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans, + iwl_cancel_deferred_work(priv); + destroy_workqueue(priv->workqueue); + priv->workqueue = NULL; ++out_uninit_drv: + iwl_uninit_drv(priv); + out_free_eeprom_blob: + kfree(priv->eeprom_blob); +-- +2.39.5 + diff --git a/queue-5.15/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch b/queue-5.15/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch new file mode 100644 index 0000000000..bbd3d4f7d0 --- /dev/null +++ b/queue-5.15/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch @@ -0,0 +1,45 @@ +From 62f56c3314c6f33f685058f92ad8af75e1bfc49a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jul 2025 01:22:14 +0000 +Subject: jfs: fix metapage reference count leak in dbAllocCtl + +From: Zheng Yu + +[ Upstream commit 856db37592021e9155384094e331e2d4589f28b1 ] + +In dbAllocCtl(), read_metapage() increases the reference count of the +metapage. However, when dp->tree.budmin < 0, the function returns -EIO +without calling release_metapage() to decrease the reference count, +leading to a memory leak. + +Add release_metapage(mp) before the error return to properly manage +the metapage reference count and prevent the leak. + +Fixes: a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ("jfs: fix shift-out-of-bounds in dbSplit") + +Signed-off-by: Zheng Yu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index cfb81bf5881e..c2d4349cd959 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1877,8 +1877,10 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results) + return -EIO; + dp = (struct dmap *) mp->data; + +- if (dp->tree.budmin < 0) ++ if (dp->tree.budmin < 0) { ++ release_metapage(mp); + return -EIO; ++ } + + /* try to allocate the blocks. + */ +-- +2.39.5 + diff --git a/queue-5.15/kconfig-qconf-fix-configlist-updatelistallforall.patch b/queue-5.15/kconfig-qconf-fix-configlist-updatelistallforall.patch new file mode 100644 index 0000000000..3bcd8f5595 --- /dev/null +++ b/queue-5.15/kconfig-qconf-fix-configlist-updatelistallforall.patch @@ -0,0 +1,38 @@ +From bf3fe75da29224af2d2202abd12e0f9a3f9a6346 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 03:48:56 +0900 +Subject: kconfig: qconf: fix ConfigList::updateListAllforAll() + +From: Masahiro Yamada + +[ Upstream commit 721bfe583c52ba1ea74b3736a31a9dcfe6dd6d95 ] + +ConfigList::updateListForAll() and ConfigList::updateListAllforAll() +are identical. + +Commit f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All) +to ConfigList class") was a misconversion. + +Fixes: f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All) to ConfigList class") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/qconf.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc +index 61b679f6c2f2..c31dead186cc 100644 +--- a/scripts/kconfig/qconf.cc ++++ b/scripts/kconfig/qconf.cc +@@ -478,7 +478,7 @@ void ConfigList::updateListAllForAll() + while (it.hasNext()) { + ConfigList *list = it.next(); + +- list->updateList(); ++ list->updateListAll(); + } + } + +-- +2.39.5 + diff --git a/queue-5.15/kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch b/queue-5.15/kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch new file mode 100644 index 0000000000..a681d65e4a --- /dev/null +++ b/queue-5.15/kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch @@ -0,0 +1,67 @@ +From 235d4dda6e9709c9138fb14b5f2005b02d47e722 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:12:12 +0200 +Subject: kernel: trace: preemptirq_delay_test: use offstack cpu mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit adc353c0bfb243ebfd29b6222fa3bf149169a6de ] + +A CPU mask on the stack is broken for large values of CONFIG_NR_CPUS: + +kernel/trace/preemptirq_delay_test.c: In function ‘preemptirq_delay_run’: +kernel/trace/preemptirq_delay_test.c:143:1: error: the frame size of 8512 bytes is larger than 1536 bytes [-Werror=frame-larger-than=] + +Fall back to dynamic allocation here. + +Cc: Masami Hiramatsu +Cc: Song Chen +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20250620111215.3365305-1-arnd@kernel.org +Fixes: 4b9091e1c194 ("kernel: trace: preemptirq_delay_test: add cpu affinity") +Signed-off-by: Arnd Bergmann +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/preemptirq_delay_test.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/preemptirq_delay_test.c b/kernel/trace/preemptirq_delay_test.c +index cb0871fbdb07..8af92dbe98f0 100644 +--- a/kernel/trace/preemptirq_delay_test.c ++++ b/kernel/trace/preemptirq_delay_test.c +@@ -119,12 +119,15 @@ static int preemptirq_delay_run(void *data) + { + int i; + int s = MIN(burst_size, NR_TEST_FUNCS); +- struct cpumask cpu_mask; ++ cpumask_var_t cpu_mask; ++ ++ if (!alloc_cpumask_var(&cpu_mask, GFP_KERNEL)) ++ return -ENOMEM; + + if (cpu_affinity > -1) { +- cpumask_clear(&cpu_mask); +- cpumask_set_cpu(cpu_affinity, &cpu_mask); +- if (set_cpus_allowed_ptr(current, &cpu_mask)) ++ cpumask_clear(cpu_mask); ++ cpumask_set_cpu(cpu_affinity, cpu_mask); ++ if (set_cpus_allowed_ptr(current, cpu_mask)) + pr_err("cpu_affinity:%d, failed\n", cpu_affinity); + } + +@@ -141,6 +144,8 @@ static int preemptirq_delay_run(void *data) + + __set_current_state(TASK_RUNNING); + ++ free_cpumask_var(cpu_mask); ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-5.15/m68k-don-t-unregister-boot-console-needlessly.patch b/queue-5.15/m68k-don-t-unregister-boot-console-needlessly.patch new file mode 100644 index 0000000000..b26d6e793b --- /dev/null +++ b/queue-5.15/m68k-don-t-unregister-boot-console-needlessly.patch @@ -0,0 +1,150 @@ +From 9778dfa5c2855faf3fa4fd44fa017023be084195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:26:44 +1100 +Subject: m68k: Don't unregister boot console needlessly + +From: Finn Thain + +[ Upstream commit 83f672a7f69ec38b1bbb27221e342937f68c11c7 ] + +When MACH_IS_MVME147, the boot console calls mvme147_scc_write() to +generate console output. That will continue to work even after +debug_cons_nputs() becomes unavailable so there's no need to +unregister the boot console. + +Take the opportunity to remove a repeated MACH_IS_* test. Use the +actual .write method (instead of a wrapper) and test that pointer +instead. This means adding an unused parameter to debug_cons_nputs() for +consistency with the struct console API. + +early_printk.c is only built when CONFIG_EARLY_PRINTK=y. As of late, +head.S is only built when CONFIG_MMU_MOTOROLA=y. So let the former symbol +depend on the latter, to obviate some ifdef conditionals. + +Cc: Daniel Palmer +Fixes: 077b33b9e283 ("m68k: mvme147: Reinstate early console") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/d1d4328e5aa9a87bd8352529ce62b767731c0530.1743467205.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/Kconfig.debug | 2 +- + arch/m68k/kernel/early_printk.c | 42 +++++++++++---------------------- + arch/m68k/kernel/head.S | 8 +++---- + 3 files changed, 19 insertions(+), 33 deletions(-) + +diff --git a/arch/m68k/Kconfig.debug b/arch/m68k/Kconfig.debug +index 11b306bdd788..5a3713170a61 100644 +--- a/arch/m68k/Kconfig.debug ++++ b/arch/m68k/Kconfig.debug +@@ -10,7 +10,7 @@ config BOOTPARAM_STRING + + config EARLY_PRINTK + bool "Early printk" +- depends on !(SUN3 || M68000 || COLDFIRE) ++ depends on MMU_MOTOROLA + help + Write kernel log output directly to a serial port. + Where implemented, output goes to the framebuffer as well. +diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c +index f11ef9f1f56f..521cbb8a150c 100644 +--- a/arch/m68k/kernel/early_printk.c ++++ b/arch/m68k/kernel/early_printk.c +@@ -16,25 +16,10 @@ + #include "../mvme147/mvme147.h" + #include "../mvme16x/mvme16x.h" + +-asmlinkage void __init debug_cons_nputs(const char *s, unsigned n); +- +-static void __ref debug_cons_write(struct console *c, +- const char *s, unsigned n) +-{ +-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \ +- defined(CONFIG_COLDFIRE)) +- if (MACH_IS_MVME147) +- mvme147_scc_write(c, s, n); +- else if (MACH_IS_MVME16x) +- mvme16x_cons_write(c, s, n); +- else +- debug_cons_nputs(s, n); +-#endif +-} ++asmlinkage void __init debug_cons_nputs(struct console *c, const char *s, unsigned int n); + + static struct console early_console_instance = { + .name = "debug", +- .write = debug_cons_write, + .flags = CON_PRINTBUFFER | CON_BOOT, + .index = -1 + }; +@@ -44,6 +29,12 @@ static int __init setup_early_printk(char *buf) + if (early_console || buf) + return 0; + ++ if (MACH_IS_MVME147) ++ early_console_instance.write = mvme147_scc_write; ++ else if (MACH_IS_MVME16x) ++ early_console_instance.write = mvme16x_cons_write; ++ else ++ early_console_instance.write = debug_cons_nputs; + early_console = &early_console_instance; + register_console(early_console); + +@@ -51,20 +42,15 @@ static int __init setup_early_printk(char *buf) + } + early_param("earlyprintk", setup_early_printk); + +-/* +- * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be called +- * after init sections are discarded (for platforms that use it). +- */ +-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \ +- defined(CONFIG_COLDFIRE)) +- + static int __init unregister_early_console(void) + { +- if (!early_console || MACH_IS_MVME16x) +- return 0; ++ /* ++ * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be ++ * called after init sections are discarded (for platforms that use it). ++ */ ++ if (early_console && early_console->write == debug_cons_nputs) ++ return unregister_console(early_console); + +- return unregister_console(early_console); ++ return 0; + } + late_initcall(unregister_early_console); +- +-#endif +diff --git a/arch/m68k/kernel/head.S b/arch/m68k/kernel/head.S +index 493c95db0e51..2d40e0f34de5 100644 +--- a/arch/m68k/kernel/head.S ++++ b/arch/m68k/kernel/head.S +@@ -3242,8 +3242,8 @@ func_return putn + * turns around and calls the internal routines. This routine + * is used by the boot console. + * +- * The calling parameters are: +- * void debug_cons_nputs(const char *str, unsigned length) ++ * The function signature is - ++ * void debug_cons_nputs(struct console *c, const char *s, unsigned int n) + * + * This routine does NOT understand variable arguments only + * simple strings! +@@ -3252,8 +3252,8 @@ ENTRY(debug_cons_nputs) + moveml %d0/%d1/%a0,%sp@- + movew %sr,%sp@- + ori #0x0700,%sr +- movel %sp@(18),%a0 /* fetch parameter */ +- movel %sp@(22),%d1 /* fetch parameter */ ++ movel %sp@(22),%a0 /* char *s */ ++ movel %sp@(26),%d1 /* unsigned int n */ + jra 2f + 1: + #ifdef CONSOLE_DEBUG +-- +2.39.5 + diff --git a/queue-5.15/media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch b/queue-5.15/media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch new file mode 100644 index 0000000000..b23c99db37 --- /dev/null +++ b/queue-5.15/media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch @@ -0,0 +1,47 @@ +From 505afbd2b8d696a0b9a0f93c8eaf33bf14632431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 14:38:48 +0000 +Subject: media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check + +From: James Cowgill + +[ Upstream commit 803b9eabc649c778986449eb0596e5ffeb7a8aed ] + +The `separate_colour_plane_flag` element is only present in the SPS if +`chroma_format_idc == 3`, so the corresponding flag should be disabled +whenever that is not the case and not just on profiles where +`chroma_format_idc` is not present. + +Fixes: b32e48503df0 ("media: controls: Validate H264 stateless controls") +Signed-off-by: James Cowgill +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c +index 3798a57bbbd4..19e769420b9b 100644 +--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c +@@ -431,12 +431,12 @@ static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx, + + p_h264_sps->flags &= + ~V4L2_H264_SPS_FLAG_QPPRIME_Y_ZERO_TRANSFORM_BYPASS; +- +- if (p_h264_sps->chroma_format_idc < 3) +- p_h264_sps->flags &= +- ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE; + } + ++ if (p_h264_sps->chroma_format_idc < 3) ++ p_h264_sps->flags &= ++ ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE; ++ + if (p_h264_sps->flags & V4L2_H264_SPS_FLAG_FRAME_MBS_ONLY) + p_h264_sps->flags &= + ~V4L2_H264_SPS_FLAG_MB_ADAPTIVE_FRAME_FIELD; +-- +2.39.5 + diff --git a/queue-5.15/module-restore-the-moduleparam-prefix-length-check.patch b/queue-5.15/module-restore-the-moduleparam-prefix-length-check.patch new file mode 100644 index 0000000000..3c66d86d78 --- /dev/null +++ b/queue-5.15/module-restore-the-moduleparam-prefix-length-check.patch @@ -0,0 +1,61 @@ +From 4239941092443d74a847846d6ac591e7f039d2d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 16:32:34 +0200 +Subject: module: Restore the moduleparam prefix length check + +From: Petr Pavlu + +[ Upstream commit bdc877ba6b7ff1b6d2ebeff11e63da4a50a54854 ] + +The moduleparam code allows modules to provide their own definition of +MODULE_PARAM_PREFIX, instead of using the default KBUILD_MODNAME ".". + +Commit 730b69d22525 ("module: check kernel param length at compile time, +not runtime") added a check to ensure the prefix doesn't exceed +MODULE_NAME_LEN, as this is what param_sysfs_builtin() expects. + +Later, commit 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking +for sysfs perms.") removed this check, but there is no indication this was +intentional. + +Since the check is still useful for param_sysfs_builtin() to function +properly, reintroduce it in __module_param_call(), but in a modernized form +using static_assert(). + +While here, clean up the __module_param_call() comments. In particular, +remove the comment "Default value instead of permissions?", which comes +from commit 9774a1f54f17 ("[PATCH] Compile-time check re world-writeable +module params"). This comment was related to the test variable +__param_perm_check_##name, which was removed in the previously mentioned +commit 58f86cc89c33. + +Fixes: 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking for sysfs perms.") +Signed-off-by: Petr Pavlu +Reviewed-by: Daniel Gomez +Link: https://lore.kernel.org/r/20250630143535.267745-4-petr.pavlu@suse.com +Signed-off-by: Daniel Gomez +Signed-off-by: Sasha Levin +--- + include/linux/moduleparam.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h +index 962cd41a2cb5..061e19c94a6b 100644 +--- a/include/linux/moduleparam.h ++++ b/include/linux/moduleparam.h +@@ -282,10 +282,9 @@ struct kparam_array + #define __moduleparam_const const + #endif + +-/* This is the fundamental function for registering boot/module +- parameters. */ ++/* This is the fundamental function for registering boot/module parameters. */ + #define __module_param_call(prefix, name, ops, arg, perm, level, flags) \ +- /* Default value instead of permissions? */ \ ++ static_assert(sizeof(""prefix) - 1 <= MAX_PARAM_PREFIX_LEN); \ + static const char __param_str_##name[] = prefix #name; \ + static struct kernel_param __moduleparam_const __param_##name \ + __used __section("__param") \ +-- +2.39.5 + diff --git a/queue-5.15/mtd-fix-possible-integer-overflow-in-erase_xfer.patch b/queue-5.15/mtd-fix-possible-integer-overflow-in-erase_xfer.patch new file mode 100644 index 0000000000..a172c79b27 --- /dev/null +++ b/queue-5.15/mtd-fix-possible-integer-overflow-in-erase_xfer.patch @@ -0,0 +1,41 @@ +From d24be01792cc1bb31cd74b0a12f5cab21a292ce4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 17:53:13 +0300 +Subject: mtd: fix possible integer overflow in erase_xfer() + +From: Ivan Stepchenko + +[ Upstream commit 9358bdb9f9f54d94ceafc650deffefd737d19fdd ] + +The expression '1 << EraseUnitSize' is evaluated in int, which causes +a negative result when shifting by 31 - the upper bound of the valid +range [10, 31], enforced by scan_header(). This leads to incorrect +extension when storing the result in 'erase->len' (uint64_t), producing +a large unexpected value. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ivan Stepchenko +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/ftl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c +index f655d2905270..243d7faa128a 100644 +--- a/drivers/mtd/ftl.c ++++ b/drivers/mtd/ftl.c +@@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part, + return -ENOMEM; + + erase->addr = xfer->Offset; +- erase->len = 1 << part->header.EraseUnitSize; ++ erase->len = 1ULL << part->header.EraseUnitSize; + + ret = mtd_erase(part->mbd.mtd, erase); + if (!ret) { +-- +2.39.5 + diff --git a/queue-5.15/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch b/queue-5.15/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch new file mode 100644 index 0000000000..1c6165f7ca --- /dev/null +++ b/queue-5.15/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch @@ -0,0 +1,38 @@ +From 29509605b06aac0cc7d05f6bad930c7da5002f92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 08:45:11 +0200 +Subject: mtd: rawnand: atmel: Fix dma_mapping_error() address + +From: Thomas Fourier + +[ Upstream commit e1e6b933c56b1e9fda93caa0b8bae39f3f421e5c ] + +It seems like what was intended is to test if the dma_map of the +previous line failed but the wrong dma address was passed. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Signed-off-by: Thomas Fourier +Rule: add +Link: https://lore.kernel.org/stable/20250702064515.18145-2-fourier.thomas%40gmail.com +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c +index 73956a9f5449..060e2c11b8e0 100644 +--- a/drivers/mtd/nand/raw/atmel/nand-controller.c ++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c +@@ -373,7 +373,7 @@ static int atmel_nand_dma_transfer(struct atmel_nand_controller *nc, + dma_cookie_t cookie; + + buf_dma = dma_map_single(nc->dev, buf, len, dir); +- if (dma_mapping_error(nc->dev, dev_dma)) { ++ if (dma_mapping_error(nc->dev, buf_dma)) { + dev_err(nc->dev, + "Failed to prepare a buffer for DMA access\n"); + goto err; +-- +2.39.5 + diff --git a/queue-5.15/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch b/queue-5.15/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch new file mode 100644 index 0000000000..64a5c51d18 --- /dev/null +++ b/queue-5.15/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch @@ -0,0 +1,57 @@ +From 3fb784f824edb73572c1cff0eb06244697d8afe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 16:13:40 +0530 +Subject: mtd: rawnand: atmel: set pmecc data setup time + +From: Balamanikandan Gunasundar + +[ Upstream commit f552a7c7e0a14215cb8a6fd89e60fa3932a74786 ] + +Setup the pmecc data setup time as 3 clock cycles for 133MHz as recommended +by the datasheet. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Reported-by: Zixun LI +Closes: https://lore.kernel.org/all/c015bb20-6a57-4f63-8102-34b3d83e0f5b@microchip.com +Suggested-by: Ada Couprie Diaz +Signed-off-by: Balamanikandan Gunasundar +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/atmel/pmecc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/mtd/nand/raw/atmel/pmecc.c b/drivers/mtd/nand/raw/atmel/pmecc.c +index d1ed5878b3b1..28ed65dd3d43 100644 +--- a/drivers/mtd/nand/raw/atmel/pmecc.c ++++ b/drivers/mtd/nand/raw/atmel/pmecc.c +@@ -143,6 +143,7 @@ struct atmel_pmecc_caps { + int nstrengths; + int el_offset; + bool correct_erased_chunks; ++ bool clk_ctrl; + }; + + struct atmel_pmecc { +@@ -846,6 +847,10 @@ static struct atmel_pmecc *atmel_pmecc_create(struct platform_device *pdev, + if (IS_ERR(pmecc->regs.errloc)) + return ERR_CAST(pmecc->regs.errloc); + ++ /* pmecc data setup time */ ++ if (caps->clk_ctrl) ++ writel(PMECC_CLK_133MHZ, pmecc->regs.base + ATMEL_PMECC_CLK); ++ + /* Disable all interrupts before registering the PMECC handler. */ + writel(0xffffffff, pmecc->regs.base + ATMEL_PMECC_IDR); + atmel_pmecc_reset(pmecc); +@@ -899,6 +904,7 @@ static struct atmel_pmecc_caps at91sam9g45_caps = { + .strengths = atmel_pmecc_strengths, + .nstrengths = 5, + .el_offset = 0x8c, ++ .clk_ctrl = true, + }; + + static struct atmel_pmecc_caps sama5d4_caps = { +-- +2.39.5 + diff --git a/queue-5.15/mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch b/queue-5.15/mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..601a6b25c7 --- /dev/null +++ b/queue-5.15/mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch @@ -0,0 +1,61 @@ +From 4d6d99418f0e553e4298bf44af0203ac80204741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:15:50 +0200 +Subject: mtd: rawnand: rockchip: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit 3b36f86dc47261828f96f826077131a35dd825fd ] + +The DMA map functions can fail and should be tested for errors. + +Fixes: 058e0e847d54 ("mtd: rawnand: rockchip: NFC driver for RK3308, RK2928 and others") +Signed-off-by: Thomas Fourier +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/mtd/nand/raw/rockchip-nand-controller.c b/drivers/mtd/nand/raw/rockchip-nand-controller.c +index f45c85a1a5a3..76721a3b3e33 100644 +--- a/drivers/mtd/nand/raw/rockchip-nand-controller.c ++++ b/drivers/mtd/nand/raw/rockchip-nand-controller.c +@@ -657,9 +657,16 @@ static int rk_nfc_write_page_hwecc(struct nand_chip *chip, const u8 *buf, + + dma_data = dma_map_single(nfc->dev, (void *)nfc->page_buf, + mtd->writesize, DMA_TO_DEVICE); ++ if (dma_mapping_error(nfc->dev, dma_data)) ++ return -ENOMEM; ++ + dma_oob = dma_map_single(nfc->dev, nfc->oob_buf, + ecc->steps * oob_step, + DMA_TO_DEVICE); ++ if (dma_mapping_error(nfc->dev, dma_oob)) { ++ dma_unmap_single(nfc->dev, dma_data, mtd->writesize, DMA_TO_DEVICE); ++ return -ENOMEM; ++ } + + reinit_completion(&nfc->done); + writel(INT_DMA, nfc->regs + nfc->cfg->int_en_off); +@@ -773,9 +780,17 @@ static int rk_nfc_read_page_hwecc(struct nand_chip *chip, u8 *buf, int oob_on, + dma_data = dma_map_single(nfc->dev, nfc->page_buf, + mtd->writesize, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(nfc->dev, dma_data)) ++ return -ENOMEM; ++ + dma_oob = dma_map_single(nfc->dev, nfc->oob_buf, + ecc->steps * oob_step, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(nfc->dev, dma_oob)) { ++ dma_unmap_single(nfc->dev, dma_data, mtd->writesize, ++ DMA_FROM_DEVICE); ++ return -ENOMEM; ++ } + + /* + * The first blocks (4, 8 or 16 depending on the device) +-- +2.39.5 + diff --git a/queue-5.15/mwl8k-add-missing-check-after-dma-map.patch b/queue-5.15/mwl8k-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..2936985d9d --- /dev/null +++ b/queue-5.15/mwl8k-add-missing-check-after-dma-map.patch @@ -0,0 +1,39 @@ +From 0ee9db5f708c47540bc7d25d14a4bb85d5c03170 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 13:13:34 +0200 +Subject: mwl8k: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit 50459501b9a212dbe7a673727589ee105a8a9954 ] + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, unmap and return an error. + +Fixes: 788838ebe8a4 ("mwl8k: use pci_unmap_addr{,set}() to keep track of unmap addresses on rx") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20250709111339.25360-2-fourier.thomas@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwl8k.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c +index ad9678186c58..6cef5a0d6a6e 100644 +--- a/drivers/net/wireless/marvell/mwl8k.c ++++ b/drivers/net/wireless/marvell/mwl8k.c +@@ -1222,6 +1222,10 @@ static int rxq_refill(struct ieee80211_hw *hw, int index, int limit) + + addr = dma_map_single(&priv->pdev->dev, skb->data, + MWL8K_RX_MAXSZ, DMA_FROM_DEVICE); ++ if (dma_mapping_error(&priv->pdev->dev, addr)) { ++ kfree_skb(skb); ++ break; ++ } + + rxq->rxd_count++; + rx = rxq->tail++; +-- +2.39.5 + diff --git a/queue-5.15/net-mlx5-check-device-memory-pointer-before-usage.patch b/queue-5.15/net-mlx5-check-device-memory-pointer-before-usage.patch new file mode 100644 index 0000000000..0c351295aa --- /dev/null +++ b/queue-5.15/net-mlx5-check-device-memory-pointer-before-usage.patch @@ -0,0 +1,75 @@ +From cacef1c35bfe1585398f29e4fa714d414ffdeaf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 15:08:12 +0300 +Subject: net/mlx5: Check device memory pointer before usage + +From: Stav Aviram + +[ Upstream commit 70f238c902b8c0461ae6fbb8d1a0bbddc4350eea ] + +Add a NULL check before accessing device memory to prevent a crash if +dev->dm allocation in mlx5_init_once() fails. + +Fixes: c9b9dcb430b3 ("net/mlx5: Move device memory management to mlx5_core") +Signed-off-by: Stav Aviram +Link: https://patch.msgid.link/c88711327f4d74d5cebc730dc629607e989ca187.1751370035.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/dm.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 ++-- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 --- + 3 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/dm.c b/drivers/infiniband/hw/mlx5/dm.c +index 001d766cf291..a85f9f08877e 100644 +--- a/drivers/infiniband/hw/mlx5/dm.c ++++ b/drivers/infiniband/hw/mlx5/dm.c +@@ -282,7 +282,7 @@ static struct ib_dm *handle_alloc_dm_memic(struct ib_ucontext *ctx, + int err; + u64 address; + +- if (!MLX5_CAP_DEV_MEM(dm_db->dev, memic)) ++ if (!dm_db || !MLX5_CAP_DEV_MEM(dm_db->dev, memic)) + return ERR_PTR(-EOPNOTSUPP); + + dm = kzalloc(sizeof(*dm), GFP_KERNEL); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c +index 3d5e57ff558c..15ee84a2a470 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c +@@ -25,7 +25,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev) + + dm = kzalloc(sizeof(*dm), GFP_KERNEL); + if (!dm) +- return ERR_PTR(-ENOMEM); ++ return NULL; + + spin_lock_init(&dm->lock); + +@@ -61,7 +61,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev) + err_steering: + kfree(dm); + +- return ERR_PTR(-ENOMEM); ++ return NULL; + } + + void mlx5_dm_cleanup(struct mlx5_core_dev *dev) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 13eceb601634..b3627163a292 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -901,9 +901,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev) + } + + dev->dm = mlx5_dm_create(dev); +- if (IS_ERR(dev->dm)) +- mlx5_core_warn(dev, "Failed to init device memory %ld\n", PTR_ERR(dev->dm)); +- + dev->tracer = mlx5_fw_tracer_create(dev); + dev->hv_vhca = mlx5_hv_vhca_create(dev); + dev->rsc_dump = mlx5_rsc_dump_create(dev); +-- +2.39.5 + diff --git a/queue-5.15/net-sched-restrict-conditions-for-adding-duplicating.patch b/queue-5.15/net-sched-restrict-conditions-for-adding-duplicating.patch new file mode 100644 index 0000000000..f33004ccfe --- /dev/null +++ b/queue-5.15/net-sched-restrict-conditions-for-adding-duplicating.patch @@ -0,0 +1,117 @@ +From 011ef6a73b05b19736cfe6fb4f7a8e8c482d1a5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 16:43:26 +0000 +Subject: net/sched: Restrict conditions for adding duplicating netems to qdisc + tree + +From: William Liu + +[ Upstream commit ec8e0e3d7adef940cdf9475e2352c0680189d14e ] + +netem_enqueue's duplication prevention logic breaks when a netem +resides in a qdisc tree with other netems - this can lead to a +soft lockup and OOM loop in netem_dequeue, as seen in [1]. +Ensure that a duplicating netem cannot exist in a tree with other +netems. + +Previous approaches suggested in discussions in chronological order: + +1) Track duplication status or ttl in the sk_buff struct. Considered +too specific a use case to extend such a struct, though this would +be a resilient fix and address other previous and potential future +DOS bugs like the one described in loopy fun [2]. + +2) Restrict netem_enqueue recursion depth like in act_mirred with a +per cpu variable. However, netem_dequeue can call enqueue on its +child, and the depth restriction could be bypassed if the child is a +netem. + +3) Use the same approach as in 2, but add metadata in netem_skb_cb +to handle the netem_dequeue case and track a packet's involvement +in duplication. This is an overly complex approach, and Jamal +notes that the skb cb can be overwritten to circumvent this +safeguard. + +4) Prevent the addition of a netem to a qdisc tree if its ancestral +path contains a netem. However, filters and actions can cause a +packet to change paths when re-enqueued to the root from netem +duplication, leading us to the current solution: prevent a +duplicating netem from inhabiting the same tree as other netems. + +[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/ +[2] https://lwn.net/Articles/719297/ + +Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication") +Reported-by: William Liu +Reported-by: Savino Dicanosa +Signed-off-by: William Liu +Signed-off-by: Savino Dicanosa +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20250708164141.875402-1-will@willsroot.io +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_netem.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 22f5d9421f6a..951156d7e548 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -962,6 +962,41 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla, + return 0; + } + ++static const struct Qdisc_class_ops netem_class_ops; ++ ++static int check_netem_in_tree(struct Qdisc *sch, bool duplicates, ++ struct netlink_ext_ack *extack) ++{ ++ struct Qdisc *root, *q; ++ unsigned int i; ++ ++ root = qdisc_root_sleeping(sch); ++ ++ if (sch != root && root->ops->cl_ops == &netem_class_ops) { ++ if (duplicates || ++ ((struct netem_sched_data *)qdisc_priv(root))->duplicate) ++ goto err; ++ } ++ ++ if (!qdisc_dev(root)) ++ return 0; ++ ++ hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) { ++ if (sch != q && q->ops->cl_ops == &netem_class_ops) { ++ if (duplicates || ++ ((struct netem_sched_data *)qdisc_priv(q))->duplicate) ++ goto err; ++ } ++ } ++ ++ return 0; ++ ++err: ++ NL_SET_ERR_MSG(extack, ++ "netem: cannot mix duplicating netems with other netems in tree"); ++ return -EINVAL; ++} ++ + /* Parse netlink message to set options */ + static int netem_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) +@@ -1023,6 +1058,11 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt, + q->gap = qopt->gap; + q->counter = 0; + q->loss = qopt->loss; ++ ++ ret = check_netem_in_tree(sch, qopt->duplicate, extack); ++ if (ret) ++ goto unlock; ++ + q->duplicate = qopt->duplicate; + + /* for compatibility with earlier versions. +-- +2.39.5 + diff --git a/queue-5.15/net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch b/queue-5.15/net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch new file mode 100644 index 0000000000..1cfd236c68 --- /dev/null +++ b/queue-5.15/net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch @@ -0,0 +1,106 @@ +From f9e72ede2cb7a379e59b19c10d1d117a49646ac4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 09:01:57 +0000 +Subject: net_sched: act_ctinfo: use atomic64_t for three counters + +From: Eric Dumazet + +[ Upstream commit d300335b4e18672913dd792ff9f49e6cccf41d26 ] + +Commit 21c167aa0ba9 ("net/sched: act_ctinfo: use percpu stats") +missed that stats_dscp_set, stats_dscp_error and stats_cpmark_set +might be written (and read) locklessly. + +Use atomic64_t for these three fields, I doubt act_ctinfo is used +heavily on big SMP hosts anyway. + +Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action") +Signed-off-by: Eric Dumazet +Cc: Pedro Tammela +Link: https://patch.msgid.link/20250709090204.797558-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tc_act/tc_ctinfo.h | 6 +++--- + net/sched/act_ctinfo.c | 19 +++++++++++-------- + 2 files changed, 14 insertions(+), 11 deletions(-) + +diff --git a/include/net/tc_act/tc_ctinfo.h b/include/net/tc_act/tc_ctinfo.h +index f071c1d70a25..a04bcac7adf4 100644 +--- a/include/net/tc_act/tc_ctinfo.h ++++ b/include/net/tc_act/tc_ctinfo.h +@@ -18,9 +18,9 @@ struct tcf_ctinfo_params { + struct tcf_ctinfo { + struct tc_action common; + struct tcf_ctinfo_params __rcu *params; +- u64 stats_dscp_set; +- u64 stats_dscp_error; +- u64 stats_cpmark_set; ++ atomic64_t stats_dscp_set; ++ atomic64_t stats_dscp_error; ++ atomic64_t stats_cpmark_set; + }; + + enum { +diff --git a/net/sched/act_ctinfo.c b/net/sched/act_ctinfo.c +index 56e0a5eb6494..ddacd4fa442c 100644 +--- a/net/sched/act_ctinfo.c ++++ b/net/sched/act_ctinfo.c +@@ -44,9 +44,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca, + ipv4_change_dsfield(ip_hdr(skb), + INET_ECN_MASK, + newdscp); +- ca->stats_dscp_set++; ++ atomic64_inc(&ca->stats_dscp_set); + } else { +- ca->stats_dscp_error++; ++ atomic64_inc(&ca->stats_dscp_error); + } + } + break; +@@ -57,9 +57,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca, + ipv6_change_dsfield(ipv6_hdr(skb), + INET_ECN_MASK, + newdscp); +- ca->stats_dscp_set++; ++ atomic64_inc(&ca->stats_dscp_set); + } else { +- ca->stats_dscp_error++; ++ atomic64_inc(&ca->stats_dscp_error); + } + } + break; +@@ -72,7 +72,7 @@ static void tcf_ctinfo_cpmark_set(struct nf_conn *ct, struct tcf_ctinfo *ca, + struct tcf_ctinfo_params *cp, + struct sk_buff *skb) + { +- ca->stats_cpmark_set++; ++ atomic64_inc(&ca->stats_cpmark_set); + skb->mark = READ_ONCE(ct->mark) & cp->cpmarkmask; + } + +@@ -322,15 +322,18 @@ static int tcf_ctinfo_dump(struct sk_buff *skb, struct tc_action *a, + } + + if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_SET, +- ci->stats_dscp_set, TCA_CTINFO_PAD)) ++ atomic64_read(&ci->stats_dscp_set), ++ TCA_CTINFO_PAD)) + goto nla_put_failure; + + if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_ERROR, +- ci->stats_dscp_error, TCA_CTINFO_PAD)) ++ atomic64_read(&ci->stats_dscp_error), ++ TCA_CTINFO_PAD)) + goto nla_put_failure; + + if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_CPMARK_SET, +- ci->stats_cpmark_set, TCA_CTINFO_PAD)) ++ atomic64_read(&ci->stats_cpmark_set), ++ TCA_CTINFO_PAD)) + goto nla_put_failure; + + spin_unlock_bh(&ci->tcf_lock); +-- +2.39.5 + diff --git a/queue-5.15/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch b/queue-5.15/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch new file mode 100644 index 0000000000..cf63d7dfee --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch @@ -0,0 +1,51 @@ +From 3d3fa07e70f9cdc0997166b73ccc7a42e7731dc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 14:12:15 +0300 +Subject: netfilter: nf_tables: adjust lockdep assertions handling + +From: Fedor Pchelkin + +[ Upstream commit 8df1b40de76979bb8e975201d07b71103d5de820 ] + +It's needed to check the return value of lockdep_commit_lock_is_held(), +otherwise there's no point in this assertion as it doesn't print any +debug information on itself. + +Found by Linux Verification Center (linuxtesting.org) with Svace static +analysis tool. + +Fixes: b04df3da1b5c ("netfilter: nf_tables: do not defer rule destruction via call_rcu") +Reported-by: Alexey Khoroshilov +Signed-off-by: Fedor Pchelkin +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index a1f60f275814..33d03340d9fc 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3443,7 +3443,7 @@ void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) + /* can only be used if rule is no longer visible to dumps */ + static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) + { +- lockdep_commit_lock_is_held(ctx->net); ++ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net)); + + nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); + nf_tables_rule_destroy(ctx, rule); +@@ -5180,7 +5180,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding, + enum nft_trans_phase phase) + { +- lockdep_commit_lock_is_held(ctx->net); ++ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net)); + + switch (phase) { + case NFT_TRANS_PREPARE_ERROR: +-- +2.39.5 + diff --git a/queue-5.15/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch b/queue-5.15/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch new file mode 100644 index 0000000000..bf139a199a --- /dev/null +++ b/queue-5.15/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch @@ -0,0 +1,50 @@ +From d02a78fca2dfd390168b710f360bed44b37425a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 13:27:13 +0200 +Subject: netfilter: xt_nfacct: don't assume acct name is null-terminated + +From: Florian Westphal + +[ Upstream commit bf58e667af7d96c8eb9411f926a0a0955f41ce21 ] + +BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721 +Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851 +[..] + string+0x231/0x2b0 lib/vsprintf.c:721 + vsnprintf+0x739/0xf00 lib/vsprintf.c:2874 + [..] + nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41 + xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523 + +nfnl_acct_find_get() handles non-null input, but the error +printk relied on its presence. + +Reported-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=4ff165b9251e4d295690 +Tested-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com +Fixes: ceb98d03eac5 ("netfilter: xtables: add nfacct match to support extended accounting") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_nfacct.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c +index 7c6bf1c16813..0ca1cdfc4095 100644 +--- a/net/netfilter/xt_nfacct.c ++++ b/net/netfilter/xt_nfacct.c +@@ -38,8 +38,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par) + + nfacct = nfnl_acct_find_get(par->net, info->name); + if (nfacct == NULL) { +- pr_info_ratelimited("accounting object `%s' does not exists\n", +- info->name); ++ pr_info_ratelimited("accounting object `%.*s' does not exist\n", ++ NFACCT_NAME_MAX, info->name); + return -ENOENT; + } + info->nfacct = nfacct; +-- +2.39.5 + diff --git a/queue-5.15/pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch b/queue-5.15/pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch new file mode 100644 index 0000000000..27fc11e592 --- /dev/null +++ b/queue-5.15/pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch @@ -0,0 +1,52 @@ +From 9fcbc0442d3424c7ea54a004e6846317819784e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:20:22 +0530 +Subject: PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem + attribute + +From: Manivannan Sadhasivam + +[ Upstream commit 61ae7f8694fb4b57a8c02a1a8d2b601806afc999 ] + +__iomem attribute is supposed to be used only with variables holding the +MMIO pointer. But here, 'mw_addr' variable is just holding a 'void *' +returned by pci_epf_alloc_space(). So annotating it with __iomem is clearly +wrong. Hence, drop the attribute. + +This also fixes the below sparse warning: + + drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: warning: incorrect type in assignment (different address spaces) + drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: expected void [noderef] __iomem *mw_addr + drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: got void * + drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: warning: incorrect type in assignment (different address spaces) + drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: expected unsigned int [usertype] *epf_db + drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: got void [noderef] __iomem *mw_addr + drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: warning: incorrect type in argument 2 (different address spaces) + drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: expected void *addr + drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: got void [noderef] __iomem *mw_addr + +Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP") +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20250709125022.22524-1-mani@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c +index 5cc0d2014ed8..45530bca50fb 100644 +--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c ++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c +@@ -520,7 +520,7 @@ static int epf_ntb_db_bar_init(struct epf_ntb *ntb) + struct device *dev = &ntb->epf->dev; + int ret; + struct pci_epf_bar *epf_bar; +- void __iomem *mw_addr; ++ void *mw_addr; + enum pci_barno barno; + size_t size = 4 * ntb->db_count; + +-- +2.39.5 + diff --git a/queue-5.15/pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch b/queue-5.15/pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch new file mode 100644 index 0000000000..b15c87d3ea --- /dev/null +++ b/queue-5.15/pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch @@ -0,0 +1,43 @@ +From be56f671989ad84b18099b7058349784d210c9b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 19:03:38 +0200 +Subject: PCI: endpoint: pci-epf-vntb: Return -ENOENT if + pci_epc_get_next_free_bar() fails + +From: Jerome Brunet + +[ Upstream commit 7ea488cce73263231662e426639dd3e836537068 ] + +According the function documentation of epf_ntb_init_epc_bar(), the +function should return an error code on error. However, it returns -1 when +no BAR is available i.e., when pci_epc_get_next_free_bar() fails. + +Return -ENOENT instead. + +Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP") +Signed-off-by: Jerome Brunet +[mani: changed err code to -ENOENT] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20250603-pci-vntb-bar-mapping-v2-1-fc685a22ad28@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c +index fb926b300c95..5cc0d2014ed8 100644 +--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c ++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c +@@ -686,7 +686,7 @@ static int epf_ntb_init_epc_bar(struct epf_ntb *ntb) + barno = pci_epc_get_next_free_bar(epc_features, barno); + if (barno < 0) { + dev_err(dev, "Fail to get NTB function BAR\n"); +- return barno; ++ return -ENOENT; + } + ntb->epf_ntb_bar[bar] = barno; + } +-- +2.39.5 + diff --git a/queue-5.15/pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch b/queue-5.15/pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch new file mode 100644 index 0000000000..e95909e9bd --- /dev/null +++ b/queue-5.15/pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch @@ -0,0 +1,229 @@ +From 65e788e604684ed3dba277357ca3fa6a0d9ddb0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:36:07 -0500 +Subject: PCI: pnv_php: Clean up allocated IRQs on unplug + +From: Timothy Pearson + +[ Upstream commit 4668619092554e1b95c9a5ac2941ca47ba6d548a ] + +When the root of a nested PCIe bridge configuration is unplugged, the +pnv_php driver leaked the allocated IRQ resources for the child bridges' +hotplug event notifications, resulting in a panic. + +Fix this by walking all child buses and deallocating all its IRQ resources +before calling pci_hp_remove_devices(). + +Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so +that it is only destroyed in pnv_php_free_slot(), instead of +pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will +now be called by workers triggered by hot unplug interrupts, so the +workqueue needs to stay allocated. + +The abridged kernel panic that occurs without this patch is as follows: + + WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c + CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2 + Call Trace: + msi_device_data_release+0x34/0x9c (unreliable) + release_nodes+0x64/0x13c + devres_release_all+0xc0/0x140 + device_del+0x2d4/0x46c + pci_destroy_dev+0x5c/0x194 + pci_hp_remove_devices+0x90/0x128 + pci_hp_remove_devices+0x44/0x128 + pnv_php_disable_slot+0x54/0xd4 + power_write_file+0xf8/0x18c + pci_slot_attr_store+0x40/0x5c + sysfs_kf_write+0x64/0x78 + kernfs_fop_write_iter+0x1b0/0x290 + vfs_write+0x3bc/0x50c + ksys_write+0x84/0x140 + system_call_exception+0x124/0x230 + system_call_vectored_common+0x15c/0x2ec + +Signed-off-by: Shawn Anastasio +Signed-off-by: Timothy Pearson +[bhelgaas: tidy comments] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/2013845045.1359852.1752615367790.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pnv_php.c | 96 ++++++++++++++++++++++++++++------- + 1 file changed, 77 insertions(+), 19 deletions(-) + +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index e233f8402e8c..c1c1d30bd86b 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -3,6 +3,7 @@ + * PCI Hotplug Driver for PowerPC PowerNV platform. + * + * Copyright Gavin Shan, IBM Corporation 2016. ++ * Copyright (C) 2025 Raptor Engineering, LLC + */ + + #include +@@ -34,8 +35,10 @@ static void pnv_php_register(struct device_node *dn); + static void pnv_php_unregister_one(struct device_node *dn); + static void pnv_php_unregister(struct device_node *dn); + ++static void pnv_php_enable_irq(struct pnv_php_slot *php_slot); ++ + static void pnv_php_disable_irq(struct pnv_php_slot *php_slot, +- bool disable_device) ++ bool disable_device, bool disable_msi) + { + struct pci_dev *pdev = php_slot->pdev; + u16 ctrl; +@@ -51,19 +54,15 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot, + php_slot->irq = 0; + } + +- if (php_slot->wq) { +- destroy_workqueue(php_slot->wq); +- php_slot->wq = NULL; +- } +- +- if (disable_device) { ++ if (disable_device || disable_msi) { + if (pdev->msix_enabled) + pci_disable_msix(pdev); + else if (pdev->msi_enabled) + pci_disable_msi(pdev); ++ } + ++ if (disable_device) + pci_disable_device(pdev); +- } + } + + static void pnv_php_free_slot(struct kref *kref) +@@ -72,7 +71,8 @@ static void pnv_php_free_slot(struct kref *kref) + struct pnv_php_slot, kref); + + WARN_ON(!list_empty(&php_slot->children)); +- pnv_php_disable_irq(php_slot, false); ++ pnv_php_disable_irq(php_slot, false, false); ++ destroy_workqueue(php_slot->wq); + kfree(php_slot->name); + kfree(php_slot); + } +@@ -559,8 +559,58 @@ static int pnv_php_reset_slot(struct hotplug_slot *slot, bool probe) + static int pnv_php_enable_slot(struct hotplug_slot *slot) + { + struct pnv_php_slot *php_slot = to_pnv_php_slot(slot); ++ u32 prop32; ++ int ret; ++ ++ ret = pnv_php_enable(php_slot, true); ++ if (ret) ++ return ret; ++ ++ /* (Re-)enable interrupt if the slot supports surprise hotplug */ ++ ret = of_property_read_u32(php_slot->dn, "ibm,slot-surprise-pluggable", ++ &prop32); ++ if (!ret && prop32) ++ pnv_php_enable_irq(php_slot); + +- return pnv_php_enable(php_slot, true); ++ return 0; ++} ++ ++/* ++ * Disable any hotplug interrupts for all slots on the provided bus, as well as ++ * all downstream slots in preparation for a hot unplug. ++ */ ++static int pnv_php_disable_all_irqs(struct pci_bus *bus) ++{ ++ struct pci_bus *child_bus; ++ struct pci_slot *slot; ++ ++ /* First go down child buses */ ++ list_for_each_entry(child_bus, &bus->children, node) ++ pnv_php_disable_all_irqs(child_bus); ++ ++ /* Disable IRQs for all pnv_php slots on this bus */ ++ list_for_each_entry(slot, &bus->slots, list) { ++ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot->hotplug); ++ ++ pnv_php_disable_irq(php_slot, false, true); ++ } ++ ++ return 0; ++} ++ ++/* ++ * Disable any hotplug interrupts for all downstream slots on the provided ++ * bus in preparation for a hot unplug. ++ */ ++static int pnv_php_disable_all_downstream_irqs(struct pci_bus *bus) ++{ ++ struct pci_bus *child_bus; ++ ++ /* Go down child buses, recursively deactivating their IRQs */ ++ list_for_each_entry(child_bus, &bus->children, node) ++ pnv_php_disable_all_irqs(child_bus); ++ ++ return 0; + } + + static int pnv_php_disable_slot(struct hotplug_slot *slot) +@@ -577,6 +627,13 @@ static int pnv_php_disable_slot(struct hotplug_slot *slot) + php_slot->state != PNV_PHP_STATE_REGISTERED) + return 0; + ++ /* ++ * Free all IRQ resources from all child slots before remove. ++ * Note that we do not disable the root slot IRQ here as that ++ * would also deactivate the slot hot (re)plug interrupt! ++ */ ++ pnv_php_disable_all_downstream_irqs(php_slot->bus); ++ + /* Remove all devices behind the slot */ + pci_lock_rescan_remove(); + pci_hp_remove_devices(php_slot->bus); +@@ -645,6 +702,15 @@ static struct pnv_php_slot *pnv_php_alloc_slot(struct device_node *dn) + return NULL; + } + ++ /* Allocate workqueue for this slot's interrupt handling */ ++ php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name); ++ if (!php_slot->wq) { ++ SLOT_WARN(php_slot, "Cannot alloc workqueue\n"); ++ kfree(php_slot->name); ++ kfree(php_slot); ++ return NULL; ++ } ++ + if (dn->child && PCI_DN(dn->child)) + php_slot->slot_no = PCI_SLOT(PCI_DN(dn->child)->devfn); + else +@@ -841,14 +907,6 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq) + u16 sts, ctrl; + int ret; + +- /* Allocate workqueue */ +- php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name); +- if (!php_slot->wq) { +- SLOT_WARN(php_slot, "Cannot alloc workqueue\n"); +- pnv_php_disable_irq(php_slot, true); +- return; +- } +- + /* Check PDC (Presence Detection Change) is broken or not */ + ret = of_property_read_u32(php_slot->dn, "ibm,slot-broken-pdc", + &broken_pdc); +@@ -867,7 +925,7 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq) + ret = request_irq(irq, pnv_php_interrupt, IRQF_SHARED, + php_slot->name, php_slot); + if (ret) { +- pnv_php_disable_irq(php_slot, true); ++ pnv_php_disable_irq(php_slot, true, true); + SLOT_WARN(php_slot, "Error %d enabling IRQ %d\n", ret, irq); + return; + } +-- +2.39.5 + diff --git a/queue-5.15/pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch b/queue-5.15/pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch new file mode 100644 index 0000000000..2623009d60 --- /dev/null +++ b/queue-5.15/pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch @@ -0,0 +1,214 @@ +From 44ed980cdaca1fc5c6c36396cf2d155b15afa302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:39:06 -0500 +Subject: PCI: pnv_php: Fix surprise plug detection and recovery + +From: Timothy Pearson + +[ Upstream commit a2a2a6fc2469524caa713036297c542746d148dc ] + +The existing PowerNV hotplug code did not handle surprise plug events +correctly, leading to a complete failure of the hotplug system after device +removal and a required reboot to detect new devices. + +This comes down to two issues: + + 1) When a device is surprise removed, often the bridge upstream + port will cause a PE freeze on the PHB. If this freeze is not + cleared, the MSI interrupts from the bridge hotplug notification + logic will not be received by the kernel, stalling all plug events + on all slots associated with the PE. + + 2) When a device is removed from a slot, regardless of surprise or + programmatic removal, the associated PHB/PE ls left frozen. + If this freeze is not cleared via a fundamental reset, skiboot + is unable to clear the freeze and cannot retrain / rescan the + slot. This also requires a reboot to clear the freeze and redetect + the device in the slot. + +Issue the appropriate unfreeze and rescan commands on hotplug events, +and don't oops on hotplug if pci_bus_to_OF_node() returns NULL. + +Signed-off-by: Timothy Pearson +[bhelgaas: tidy comments] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/171044224.1359864.1752615546988.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci-hotplug.c | 3 + + drivers/pci/hotplug/pnv_php.c | 110 +++++++++++++++++++++++++++++- + 2 files changed, 110 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/pci-hotplug.c b/arch/powerpc/kernel/pci-hotplug.c +index 2fc12198ec07..62de678f9f50 100644 +--- a/arch/powerpc/kernel/pci-hotplug.c ++++ b/arch/powerpc/kernel/pci-hotplug.c +@@ -110,6 +110,9 @@ void pci_hp_add_devices(struct pci_bus *bus) + struct pci_controller *phb; + struct device_node *dn = pci_bus_to_OF_node(bus); + ++ if (!dn) ++ return; ++ + phb = pci_bus_to_host(bus); + + mode = PCI_PROBE_NORMAL; +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index f99987f26ff0..9ff979678644 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -4,11 +4,13 @@ + * + * Copyright Gavin Shan, IBM Corporation 2016. + * Copyright (C) 2025 Raptor Engineering, LLC ++ * Copyright (C) 2025 Raptor Computing Systems, LLC + */ + + #include + #include + #include ++#include + #include + + #include +@@ -467,6 +469,61 @@ static int pnv_php_set_attention_state(struct hotplug_slot *slot, u8 state) + return 0; + } + ++static int pnv_php_activate_slot(struct pnv_php_slot *php_slot, ++ struct hotplug_slot *slot) ++{ ++ int ret, i; ++ ++ /* ++ * Issue initial slot activation command to firmware ++ * ++ * Firmware will power slot on, attempt to train the link, and ++ * discover any downstream devices. If this process fails, firmware ++ * will return an error code and an invalid device tree. Failure ++ * can be caused for multiple reasons, including a faulty ++ * downstream device, poor connection to the downstream device, or ++ * a previously latched PHB fence. On failure, issue fundamental ++ * reset up to three times before aborting. ++ */ ++ ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON); ++ if (ret) { ++ SLOT_WARN( ++ php_slot, ++ "PCI slot activation failed with error code %d, possible frozen PHB", ++ ret); ++ SLOT_WARN( ++ php_slot, ++ "Attempting complete PHB reset before retrying slot activation\n"); ++ for (i = 0; i < 3; i++) { ++ /* ++ * Slot activation failed, PHB may be fenced from a ++ * prior device failure. ++ * ++ * Use the OPAL fundamental reset call to both try a ++ * device reset and clear any potentially active PHB ++ * fence / freeze. ++ */ ++ SLOT_WARN(php_slot, "Try %d...\n", i + 1); ++ pci_set_pcie_reset_state(php_slot->pdev, ++ pcie_warm_reset); ++ msleep(250); ++ pci_set_pcie_reset_state(php_slot->pdev, ++ pcie_deassert_reset); ++ ++ ret = pnv_php_set_slot_power_state( ++ slot, OPAL_PCI_SLOT_POWER_ON); ++ if (!ret) ++ break; ++ } ++ ++ if (i >= 3) ++ SLOT_WARN(php_slot, ++ "Failed to bring slot online, aborting!\n"); ++ } ++ ++ return ret; ++} ++ + static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan) + { + struct hotplug_slot *slot = &php_slot->slot; +@@ -529,7 +586,7 @@ static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan) + goto scan; + + /* Power is off, turn it on and then scan the slot */ +- ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON); ++ ret = pnv_php_activate_slot(php_slot, slot); + if (ret) + return ret; + +@@ -836,16 +893,63 @@ static int pnv_php_enable_msix(struct pnv_php_slot *php_slot) + return entry.vector; + } + ++static void ++pnv_php_detect_clear_suprise_removal_freeze(struct pnv_php_slot *php_slot) ++{ ++ struct pci_dev *pdev = php_slot->pdev; ++ struct eeh_dev *edev; ++ struct eeh_pe *pe; ++ int i, rc; ++ ++ /* ++ * When a device is surprise removed from a downstream bridge slot, ++ * the upstream bridge port can still end up frozen due to related EEH ++ * events, which will in turn block the MSI interrupts for slot hotplug ++ * detection. ++ * ++ * Detect and thaw any frozen upstream PE after slot deactivation. ++ */ ++ edev = pci_dev_to_eeh_dev(pdev); ++ pe = edev ? edev->pe : NULL; ++ rc = eeh_pe_get_state(pe); ++ if ((rc == -ENODEV) || (rc == -ENOENT)) { ++ SLOT_WARN( ++ php_slot, ++ "Upstream bridge PE state unknown, hotplug detect may fail\n"); ++ } else { ++ if (pe->state & EEH_PE_ISOLATED) { ++ SLOT_WARN( ++ php_slot, ++ "Upstream bridge PE %02x frozen, thawing...\n", ++ pe->addr); ++ for (i = 0; i < 3; i++) ++ if (!eeh_unfreeze_pe(pe)) ++ break; ++ if (i >= 3) ++ SLOT_WARN( ++ php_slot, ++ "Unable to thaw PE %02x, hotplug detect will fail!\n", ++ pe->addr); ++ else ++ SLOT_WARN(php_slot, ++ "PE %02x thawed successfully\n", ++ pe->addr); ++ } ++ } ++} ++ + static void pnv_php_event_handler(struct work_struct *work) + { + struct pnv_php_event *event = + container_of(work, struct pnv_php_event, work); + struct pnv_php_slot *php_slot = event->php_slot; + +- if (event->added) ++ if (event->added) { + pnv_php_enable_slot(&php_slot->slot); +- else ++ } else { + pnv_php_disable_slot(&php_slot->slot); ++ pnv_php_detect_clear_suprise_removal_freeze(php_slot); ++ } + + kfree(event); + } +-- +2.39.5 + diff --git a/queue-5.15/pci-pnv_php-work-around-switches-with-broken-presenc.patch b/queue-5.15/pci-pnv_php-work-around-switches-with-broken-presenc.patch new file mode 100644 index 0000000000..889fad0d24 --- /dev/null +++ b/queue-5.15/pci-pnv_php-work-around-switches-with-broken-presenc.patch @@ -0,0 +1,77 @@ +From 0455c22893213533b22d0c380bbbdc8bcc6acd5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:36:55 -0500 +Subject: PCI: pnv_php: Work around switches with broken presence detection + +From: Timothy Pearson + +[ Upstream commit 80f9fc2362797538ebd4fd70a1dfa838cc2c2cdb ] + +The Microsemi Switchtec PM8533 PFX 48xG3 [11f8:8533] PCIe switch system +was observed to incorrectly assert the Presence Detect Set bit in its +capabilities when tested on a Raptor Computing Systems Blackbird system, +resulting in the hot insert path never attempting a rescan of the bus +and any downstream devices not being re-detected. + +Work around this by additionally checking whether the PCIe data link is +active or not when performing presence detection on downstream switches' +ports, similar to the pciehp_hpc.c driver. + +Signed-off-by: Shawn Anastasio +Signed-off-by: Timothy Pearson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/505981576.1359853.1752615415117.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pnv_php.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index c1c1d30bd86b..f99987f26ff0 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -389,6 +389,20 @@ static int pnv_php_get_power_state(struct hotplug_slot *slot, u8 *state) + return 0; + } + ++static int pcie_check_link_active(struct pci_dev *pdev) ++{ ++ u16 lnk_status; ++ int ret; ++ ++ ret = pcie_capability_read_word(pdev, PCI_EXP_LNKSTA, &lnk_status); ++ if (ret == PCIBIOS_DEVICE_NOT_FOUND || PCI_POSSIBLE_ERROR(lnk_status)) ++ return -ENODEV; ++ ++ ret = !!(lnk_status & PCI_EXP_LNKSTA_DLLLA); ++ ++ return ret; ++} ++ + static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state) + { + struct pnv_php_slot *php_slot = to_pnv_php_slot(slot); +@@ -401,6 +415,19 @@ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state) + */ + ret = pnv_pci_get_presence_state(php_slot->id, &presence); + if (ret >= 0) { ++ if (pci_pcie_type(php_slot->pdev) == PCI_EXP_TYPE_DOWNSTREAM && ++ presence == OPAL_PCI_SLOT_EMPTY) { ++ /* ++ * Similar to pciehp_hpc, check whether the Link Active ++ * bit is set to account for broken downstream bridges ++ * that don't properly assert Presence Detect State, as ++ * was observed on the Microsemi Switchtec PM8533 PFX ++ * [11f8:8533]. ++ */ ++ if (pcie_check_link_active(php_slot->pdev) > 0) ++ presence = OPAL_PCI_SLOT_PRESENT; ++ } ++ + *state = presence; + ret = 0; + } else { +-- +2.39.5 + diff --git a/queue-5.15/pci-rockchip-host-fix-unexpected-completion-log-mess.patch b/queue-5.15/pci-rockchip-host-fix-unexpected-completion-log-mess.patch new file mode 100644 index 0000000000..63feef5d82 --- /dev/null +++ b/queue-5.15/pci-rockchip-host-fix-unexpected-completion-log-mess.patch @@ -0,0 +1,41 @@ +From c3f1338cb78d11ecf6129c5dd9e70aece5f5f545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jun 2025 00:01:59 +0800 +Subject: PCI: rockchip-host: Fix "Unexpected Completion" log message + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit fcc5f586c4edbcc10de23fb9b8c0972a84e945cd ] + +Fix the debug message for the PCIE_CORE_INT_UCR interrupt to clearly +indicate "Unexpected Completion" instead of a duplicate "malformed TLP" +message. + +Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support") +Signed-off-by: Hans Zhang <18255117159@163.com> +[mani: added fixes tag] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Manivannan Sadhasivam +Acked-by: Shawn Lin +Link: https://patch.msgid.link/20250607160201.807043-2-18255117159@163.com +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-rockchip-host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pcie-rockchip-host.c b/drivers/pci/controller/pcie-rockchip-host.c +index c52316d0bfd2..9e9e90e7c0fe 100644 +--- a/drivers/pci/controller/pcie-rockchip-host.c ++++ b/drivers/pci/controller/pcie-rockchip-host.c +@@ -441,7 +441,7 @@ static irqreturn_t rockchip_pcie_subsys_irq_handler(int irq, void *arg) + dev_dbg(dev, "malformed TLP received from the link\n"); + + if (sub_reg & PCIE_CORE_INT_UCR) +- dev_dbg(dev, "malformed TLP received from the link\n"); ++ dev_dbg(dev, "Unexpected Completion received from the link\n"); + + if (sub_reg & PCIE_CORE_INT_FCE) + dev_dbg(dev, "an error was observed in the flow control advertisements from the other side\n"); +-- +2.39.5 + diff --git a/queue-5.15/perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch b/queue-5.15/perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch new file mode 100644 index 0000000000..d09ee137d4 --- /dev/null +++ b/queue-5.15/perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch @@ -0,0 +1,101 @@ +From 655cb3f1fa7dfda1e46e55e69a6236c111ab2f07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:49:39 -0700 +Subject: perf sched: Fix memory leaks for evsel->priv in timehist + +From: Namhyung Kim + +[ Upstream commit 117e5c33b1c44037af016d77ce6c0b086d55535f ] + +It uses evsel->priv to save per-cpu timing information. It should be +freed when the evsel is released. + +Add the priv destructor for evsel same as thread to handle that. + +Fixes: 49394a2a24c78ce0 ("perf sched timehist: Introduce timehist command") +Reviewed-by: Ian Rogers +Tested-by: Ian Rogers +Link: https://lore.kernel.org/r/20250703014942.1369397-6-namhyung@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 12 ++++++++++++ + tools/perf/util/evsel.c | 11 +++++++++++ + tools/perf/util/evsel.h | 2 ++ + 3 files changed, 25 insertions(+) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 19e96141e7b4..95a549fdabe0 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -1902,6 +1902,16 @@ static u64 evsel__get_time(struct evsel *evsel, u32 cpu) + return r->last_time[cpu]; + } + ++static void timehist__evsel_priv_destructor(void *priv) ++{ ++ struct evsel_runtime *r = priv; ++ ++ if (r) { ++ free(r->last_time); ++ free(r); ++ } ++} ++ + static int comm_width = 30; + + static char *timehist_get_commstr(struct thread *thread) +@@ -3039,6 +3049,8 @@ static int perf_sched__timehist(struct perf_sched *sched) + + setup_pager(); + ++ evsel__set_priv_destructor(timehist__evsel_priv_destructor); ++ + /* prefer sched_waking if it is captured */ + if (evlist__find_tracepoint_by_name(session->evlist, "sched:sched_waking")) + handlers[1].handler = timehist_sched_wakeup_ignore; +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index c19a583ca9f6..f14c83e6829a 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1416,6 +1416,15 @@ static void evsel__free_config_terms(struct evsel *evsel) + free_config_terms(&evsel->config_terms); + } + ++static void (*evsel__priv_destructor)(void *priv); ++ ++void evsel__set_priv_destructor(void (*destructor)(void *priv)) ++{ ++ assert(evsel__priv_destructor == NULL); ++ ++ evsel__priv_destructor = destructor; ++} ++ + void evsel__exit(struct evsel *evsel) + { + assert(list_empty(&evsel->core.node)); +@@ -1436,6 +1445,8 @@ void evsel__exit(struct evsel *evsel) + hashmap__free(evsel->per_pkg_mask); + evsel->per_pkg_mask = NULL; + zfree(&evsel->metric_events); ++ if (evsel__priv_destructor) ++ evsel__priv_destructor(evsel->priv); + perf_evsel__object.fini(evsel); + } + +diff --git a/tools/perf/util/evsel.h b/tools/perf/util/evsel.h +index 0492cafac443..d39d8aab3769 100644 +--- a/tools/perf/util/evsel.h ++++ b/tools/perf/util/evsel.h +@@ -231,6 +231,8 @@ void evsel__init(struct evsel *evsel, struct perf_event_attr *attr, int idx); + void evsel__exit(struct evsel *evsel); + void evsel__delete(struct evsel *evsel); + ++void evsel__set_priv_destructor(void (*destructor)(void *priv)); ++ + struct callchain_param; + + void evsel__config(struct evsel *evsel, struct record_opts *opts, +-- +2.39.5 + diff --git a/queue-5.15/perf-tests-bp_account-fix-leaked-file-descriptor.patch b/queue-5.15/perf-tests-bp_account-fix-leaked-file-descriptor.patch new file mode 100644 index 0000000000..5643cd950a --- /dev/null +++ b/queue-5.15/perf-tests-bp_account-fix-leaked-file-descriptor.patch @@ -0,0 +1,57 @@ +From 4a6ce833a5853b8ca23957a591414a0809ce6557 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 12:10:15 +0100 +Subject: perf tests bp_account: Fix leaked file descriptor + +From: Leo Yan + +[ Upstream commit 4a6cdecaa1497f1fbbd1d5307a225b6ca5a62a90 ] + +Since the commit e9846f5ead26 ("perf test: In forked mode add check that +fds aren't leaked"), the test "Breakpoint accounting" reports the error: + + # perf test -vvv "Breakpoint accounting" + 20: Breakpoint accounting: + --- start --- + test child forked, pid 373 + failed opening event 0 + failed opening event 0 + watchpoints count 4, breakpoints count 6, has_ioctl 1, share 0 + wp 0 created + wp 1 created + wp 2 created + wp 3 created + wp 0 modified to bp + wp max created + ---- end(0) ---- + Leak of file descriptor 7 that opened: 'anon_inode:[perf_event]' + +A watchpoint's file descriptor was not properly released. This patch +fixes the leak. + +Fixes: 032db28e5fa3 ("perf tests: Add breakpoint accounting/modify test") +Reported-by: Aishwarya TCV +Signed-off-by: Leo Yan +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250711-perf_fix_breakpoint_accounting-v1-1-b314393023f9@arm.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/tests/bp_account.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/bp_account.c b/tools/perf/tests/bp_account.c +index 489b50604cf2..ac39f4947fd8 100644 +--- a/tools/perf/tests/bp_account.c ++++ b/tools/perf/tests/bp_account.c +@@ -89,6 +89,7 @@ static int bp_accounting(int wp_cnt, int share) + fd_wp = wp_event((void *)&the_var, &attr_new); + TEST_ASSERT_VAL("failed to create max wp\n", fd_wp != -1); + pr_debug("wp max created\n"); ++ close(fd_wp); + } + + for (i = 0; i < wp_cnt; i++) +-- +2.39.5 + diff --git a/queue-5.15/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch b/queue-5.15/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch new file mode 100644 index 0000000000..cca3845bd7 --- /dev/null +++ b/queue-5.15/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch @@ -0,0 +1,55 @@ +From a0ebec824f21e9178742cde2cd8cb821719ee10e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:27:08 +0800 +Subject: pinctrl: sunxi: Fix memory leak on krealloc failure + +From: Yuan Chen + +[ Upstream commit e3507c56cbb208d4f160942748c527ef6a528ba1 ] + +In sunxi_pctrl_dt_node_to_map(), when krealloc() fails to resize +the pinctrl_map array, the function returns -ENOMEM directly +without freeing the previously allocated *map buffer. This results +in a memory leak of the original kmalloc_array allocation. + +Fixes: e11dee2e98f8 ("pinctrl: sunxi: Deal with configless pins") +Signed-off-by: Yuan Chen +Link: https://lore.kernel.org/20250620012708.16709-1-chenyuan_fl@163.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c +index 30ca0fe5c31a..afe41ea0ff1e 100644 +--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c +@@ -335,6 +335,7 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev, + const char *function, *pin_prop; + const char *group; + int ret, npins, nmaps, configlen = 0, i = 0; ++ struct pinctrl_map *new_map; + + *map = NULL; + *num_maps = 0; +@@ -409,9 +410,13 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev, + * We know have the number of maps we need, we can resize our + * map array + */ +- *map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL); +- if (!*map) +- return -ENOMEM; ++ new_map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL); ++ if (!new_map) { ++ ret = -ENOMEM; ++ goto err_free_map; ++ } ++ ++ *map = new_map; + + return 0; + +-- +2.39.5 + diff --git a/queue-5.15/pm-devfreq-check-governor-before-using-governor-name.patch b/queue-5.15/pm-devfreq-check-governor-before-using-governor-name.patch new file mode 100644 index 0000000000..c0bc234353 --- /dev/null +++ b/queue-5.15/pm-devfreq-check-governor-before-using-governor-name.patch @@ -0,0 +1,50 @@ +From 80559de5106b33c0a6825e59c7b6c8483f3efe99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 11:00:20 +0800 +Subject: PM / devfreq: Check governor before using governor->name + +From: Lifeng Zheng + +[ Upstream commit bab7834c03820eb11269bc48f07c3800192460d2 ] + +Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from +struct devfreq") removes governor_name and uses governor->name to replace +it. But devfreq->governor may be NULL and directly using +devfreq->governor->name may cause null pointer exception. Move the check of +governor to before using governor->name. + +Fixes: 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq") +Signed-off-by: Lifeng Zheng +Link: https://lore.kernel.org/lkml/20250421030020.3108405-5-zhenglifeng1@huawei.com/ +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index 237362316edb..02f86879a5be 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -1347,15 +1347,11 @@ int devfreq_remove_governor(struct devfreq_governor *governor) + int ret; + struct device *dev = devfreq->dev.parent; + ++ if (!devfreq->governor) ++ continue; ++ + if (!strncmp(devfreq->governor->name, governor->name, + DEVFREQ_NAME_LEN)) { +- /* we should have a devfreq governor! */ +- if (!devfreq->governor) { +- dev_warn(dev, "%s: Governor %s NOT present\n", +- __func__, governor->name); +- continue; +- /* Fall through */ +- } + ret = devfreq->governor->event_handler(devfreq, + DEVFREQ_GOV_STOP, NULL); + if (ret) { +-- +2.39.5 + diff --git a/queue-5.15/power-supply-cpcap-charger-fix-null-check-for-power_.patch b/queue-5.15/power-supply-cpcap-charger-fix-null-check-for-power_.patch new file mode 100644 index 0000000000..95000f7187 --- /dev/null +++ b/queue-5.15/power-supply-cpcap-charger-fix-null-check-for-power_.patch @@ -0,0 +1,42 @@ +From 4a9dd1e939c223e3703f9b62605d642b7d4c2621 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 10:47:41 +0800 +Subject: power: supply: cpcap-charger: Fix null check for + power_supply_get_by_name + +From: Charles Han + +[ Upstream commit d9fa3aae08f99493e67fb79413c0e95d30fca5e9 ] + +In the cpcap_usb_detect() function, the power_supply_get_by_name() +function may return `NULL` instead of an error pointer. +To prevent potential null pointer dereferences, Added a null check. + +Fixes: eab4e6d953c1 ("power: supply: cpcap-charger: get the battery inserted infomation from cpcap-battery") +Signed-off-by: Charles Han +Link: https://lore.kernel.org/r/20250519024741.5846-1-hanchunchao@inspur.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/cpcap-charger.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/supply/cpcap-charger.c b/drivers/power/supply/cpcap-charger.c +index 60e0ce105a29..5c9e3784ed47 100644 +--- a/drivers/power/supply/cpcap-charger.c ++++ b/drivers/power/supply/cpcap-charger.c +@@ -689,9 +689,8 @@ static void cpcap_usb_detect(struct work_struct *work) + struct power_supply *battery; + + battery = power_supply_get_by_name("battery"); +- if (IS_ERR_OR_NULL(battery)) { +- dev_err(ddata->dev, "battery power_supply not available %li\n", +- PTR_ERR(battery)); ++ if (!battery) { ++ dev_err(ddata->dev, "battery power_supply not available\n"); + return; + } + +-- +2.39.5 + diff --git a/queue-5.15/power-supply-max14577-handle-null-pdata-when-config_.patch b/queue-5.15/power-supply-max14577-handle-null-pdata-when-config_.patch new file mode 100644 index 0000000000..966827b7e1 --- /dev/null +++ b/queue-5.15/power-supply-max14577-handle-null-pdata-when-config_.patch @@ -0,0 +1,51 @@ +From 5393a6c25d60dc6b1cf1408f1692b4562391915c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 14:16:01 +0800 +Subject: power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set + +From: Charles Han + +[ Upstream commit 2937f5d2e24eefef8cb126244caec7fe3307f724 ] + +When the kernel is not configured CONFIG_OF, the max14577_charger_dt_init +function returns NULL. Fix the max14577_charger_probe functionby returning +-ENODATA instead of potentially passing a NULL pointer to PTR_ERR. + +This fixes the below smatch warning: +max14577_charger_probe() warn: passing zero to 'PTR_ERR' + +Fixes: e30110e9c96f ("charger: max14577: Configure battery-dependent settings from DTS and sysfs") +Signed-off-by: Charles Han +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250519061601.8755-1-hanchunchao@inspur.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max14577_charger.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/max14577_charger.c b/drivers/power/supply/max14577_charger.c +index f244cd902eb9..e4461caecea3 100644 +--- a/drivers/power/supply/max14577_charger.c ++++ b/drivers/power/supply/max14577_charger.c +@@ -501,7 +501,7 @@ static struct max14577_charger_platform_data *max14577_charger_dt_init( + static struct max14577_charger_platform_data *max14577_charger_dt_init( + struct platform_device *pdev) + { +- return NULL; ++ return ERR_PTR(-ENODATA); + } + #endif /* CONFIG_OF */ + +@@ -572,7 +572,7 @@ static int max14577_charger_probe(struct platform_device *pdev) + chg->max14577 = max14577; + + chg->pdata = max14577_charger_dt_init(pdev); +- if (IS_ERR_OR_NULL(chg->pdata)) ++ if (IS_ERR(chg->pdata)) + return PTR_ERR(chg->pdata); + + ret = max14577_charger_reg_init(chg); +-- +2.39.5 + diff --git a/queue-5.15/powerpc-eeh-export-eeh_unfreeze_pe.patch b/queue-5.15/powerpc-eeh-export-eeh_unfreeze_pe.patch new file mode 100644 index 0000000000..3431c2514a --- /dev/null +++ b/queue-5.15/powerpc-eeh-export-eeh_unfreeze_pe.patch @@ -0,0 +1,39 @@ +From d0310782f72082d3c1a26b61dcc3c74d5f76fab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:37:34 -0500 +Subject: powerpc/eeh: Export eeh_unfreeze_pe() + +From: Timothy Pearson + +[ Upstream commit e82b34eed04b0ddcff4548b62633467235672fd3 ] + +The PowerNV hotplug driver needs to be able to clear any frozen PE(s) +on the PHB after suprise removal of a downstream device. + +Export the eeh_unfreeze_pe() symbol to allow implementation of this +functionality in the php_nv module. + +Signed-off-by: Timothy Pearson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/1778535414.1359858.1752615454618.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index 209d1a61eb94..3f68da6c75a2 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -1119,6 +1119,7 @@ int eeh_unfreeze_pe(struct eeh_pe *pe) + + return ret; + } ++EXPORT_SYMBOL_GPL(eeh_unfreeze_pe); + + + static struct pci_device_id eeh_reset_ids[] = { +-- +2.39.5 + diff --git a/queue-5.15/powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch b/queue-5.15/powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch new file mode 100644 index 0000000000..2828d55388 --- /dev/null +++ b/queue-5.15/powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch @@ -0,0 +1,252 @@ +From 59b1611863daf82c97b9ef4e178eff2190aac814 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:38:23 -0500 +Subject: powerpc/eeh: Make EEH driver device hotplug safe + +From: Timothy Pearson + +[ Upstream commit 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 ] + +Multiple race conditions existed between the PCIe hotplug driver and the +EEH driver, leading to a variety of kernel oopses of the same general +nature: + + + + + + + + +A second class of oops is also seen when the underlying bus disappears +during device recovery. + +Refactor the EEH module to be PCI rescan and remove safe. Also clean +up a few minor formatting / readability issues. + +Signed-off-by: Timothy Pearson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/1334208367.1359861.1752615503144.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_driver.c | 48 +++++++++++++++++++++----------- + arch/powerpc/kernel/eeh_pe.c | 10 ++++--- + 2 files changed, 38 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index 665d847ef9b5..ed5be1bff60c 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -258,13 +258,12 @@ static void eeh_pe_report_edev(struct eeh_dev *edev, eeh_report_fn fn, + struct pci_driver *driver; + enum pci_ers_result new_result; + +- pci_lock_rescan_remove(); + pdev = edev->pdev; + if (pdev) + get_device(&pdev->dev); +- pci_unlock_rescan_remove(); + if (!pdev) { + eeh_edev_info(edev, "no device"); ++ *result = PCI_ERS_RESULT_DISCONNECT; + return; + } + device_lock(&pdev->dev); +@@ -305,8 +304,9 @@ static void eeh_pe_report(const char *name, struct eeh_pe *root, + struct eeh_dev *edev, *tmp; + + pr_info("EEH: Beginning: '%s'\n", name); +- eeh_for_each_pe(root, pe) eeh_pe_for_each_dev(pe, edev, tmp) +- eeh_pe_report_edev(edev, fn, result); ++ eeh_for_each_pe(root, pe) ++ eeh_pe_for_each_dev(pe, edev, tmp) ++ eeh_pe_report_edev(edev, fn, result); + if (result) + pr_info("EEH: Finished:'%s' with aggregate recovery state:'%s'\n", + name, pci_ers_result_name(*result)); +@@ -384,6 +384,8 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata) + if (!edev) + return; + ++ pci_lock_rescan_remove(); ++ + /* + * The content in the config space isn't saved because + * the blocked config space on some adapters. We have +@@ -394,14 +396,19 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata) + if (list_is_last(&edev->entry, &edev->pe->edevs)) + eeh_pe_restore_bars(edev->pe); + ++ pci_unlock_rescan_remove(); + return; + } + + pdev = eeh_dev_to_pci_dev(edev); +- if (!pdev) ++ if (!pdev) { ++ pci_unlock_rescan_remove(); + return; ++ } + + pci_restore_state(pdev); ++ ++ pci_unlock_rescan_remove(); + } + + /** +@@ -648,9 +655,7 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus, + if (any_passed || driver_eeh_aware || (pe->type & EEH_PE_VF)) { + eeh_pe_dev_traverse(pe, eeh_rmv_device, rmv_data); + } else { +- pci_lock_rescan_remove(); + pci_hp_remove_devices(bus); +- pci_unlock_rescan_remove(); + } + + /* +@@ -666,8 +671,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus, + if (rc) + return rc; + +- pci_lock_rescan_remove(); +- + /* Restore PE */ + eeh_ops->configure_bridge(pe); + eeh_pe_restore_bars(pe); +@@ -675,7 +678,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus, + /* Clear frozen state */ + rc = eeh_clear_pe_frozen_state(pe, false); + if (rc) { +- pci_unlock_rescan_remove(); + return rc; + } + +@@ -710,7 +712,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus, + pe->tstamp = tstamp; + pe->freeze_count = cnt; + +- pci_unlock_rescan_remove(); + return 0; + } + +@@ -844,10 +845,13 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + {LIST_HEAD_INIT(rmv_data.removed_vf_list), 0}; + int devices = 0; + ++ pci_lock_rescan_remove(); ++ + bus = eeh_pe_bus_get(pe); + if (!bus) { + pr_err("%s: Cannot find PCI bus for PHB#%x-PE#%x\n", + __func__, pe->phb->global_number, pe->addr); ++ pci_unlock_rescan_remove(); + return; + } + +@@ -1089,10 +1093,15 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true); + eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED); + +- pci_lock_rescan_remove(); +- pci_hp_remove_devices(bus); +- pci_unlock_rescan_remove(); ++ bus = eeh_pe_bus_get(pe); ++ if (bus) ++ pci_hp_remove_devices(bus); ++ else ++ pr_err("%s: PCI bus for PHB#%x-PE#%x disappeared\n", ++ __func__, pe->phb->global_number, pe->addr); ++ + /* The passed PE should no longer be used */ ++ pci_unlock_rescan_remove(); + return; + } + +@@ -1109,6 +1118,8 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + eeh_clear_slot_attention(edev->pdev); + + eeh_pe_state_clear(pe, EEH_PE_RECOVERING, true); ++ ++ pci_unlock_rescan_remove(); + } + + /** +@@ -1127,6 +1138,7 @@ void eeh_handle_special_event(void) + unsigned long flags; + int rc; + ++ pci_lock_rescan_remove(); + + do { + rc = eeh_ops->next_error(&pe); +@@ -1166,10 +1178,12 @@ void eeh_handle_special_event(void) + + break; + case EEH_NEXT_ERR_NONE: ++ pci_unlock_rescan_remove(); + return; + default: + pr_warn("%s: Invalid value %d from next_error()\n", + __func__, rc); ++ pci_unlock_rescan_remove(); + return; + } + +@@ -1181,7 +1195,9 @@ void eeh_handle_special_event(void) + if (rc == EEH_NEXT_ERR_FROZEN_PE || + rc == EEH_NEXT_ERR_FENCED_PHB) { + eeh_pe_state_mark(pe, EEH_PE_RECOVERING); ++ pci_unlock_rescan_remove(); + eeh_handle_normal_event(pe); ++ pci_lock_rescan_remove(); + } else { + eeh_for_each_pe(pe, tmp_pe) + eeh_pe_for_each_dev(tmp_pe, edev, tmp_edev) +@@ -1194,7 +1210,6 @@ void eeh_handle_special_event(void) + eeh_report_failure, NULL); + eeh_set_channel_state(pe, pci_channel_io_perm_failure); + +- pci_lock_rescan_remove(); + list_for_each_entry(hose, &hose_list, list_node) { + phb_pe = eeh_phb_pe_get(hose); + if (!phb_pe || +@@ -1213,7 +1228,6 @@ void eeh_handle_special_event(void) + } + pci_hp_remove_devices(bus); + } +- pci_unlock_rescan_remove(); + } + + /* +@@ -1223,4 +1237,6 @@ void eeh_handle_special_event(void) + if (rc == EEH_NEXT_ERR_DEAD_IOC) + break; + } while (rc != EEH_NEXT_ERR_NONE); ++ ++ pci_unlock_rescan_remove(); + } +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c +index 3f55e372f259..fea58e9546f9 100644 +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -670,10 +670,12 @@ static void eeh_bridge_check_link(struct eeh_dev *edev) + eeh_ops->write_config(edev, cap + PCI_EXP_LNKCTL, 2, val); + + /* Check link */ +- if (!edev->pdev->link_active_reporting) { +- eeh_edev_dbg(edev, "No link reporting capability\n"); +- msleep(1000); +- return; ++ if (edev->pdev) { ++ if (!edev->pdev->link_active_reporting) { ++ eeh_edev_dbg(edev, "No link reporting capability\n"); ++ msleep(1000); ++ return; ++ } + } + + /* Wait the link is up until timeout (5s) */ +-- +2.39.5 + diff --git a/queue-5.15/powerpc-eeh-rely-on-dev-link_active_reporting.patch b/queue-5.15/powerpc-eeh-rely-on-dev-link_active_reporting.patch new file mode 100644 index 0000000000..86de38924b --- /dev/null +++ b/queue-5.15/powerpc-eeh-rely-on-dev-link_active_reporting.patch @@ -0,0 +1,39 @@ +From 9b956611078d8a715ac97ee63fe113610ac381d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Jun 2023 18:19:32 +0100 +Subject: powerpc/eeh: Rely on dev->link_active_reporting + +From: Maciej W. Rozycki + +[ Upstream commit 1541a21305ceb10fcf3f7cbb23f3e1a00bbf1789 ] + +Use dev->link_active_reporting to determine whether Data Link Layer Link +Active Reporting is available rather than re-retrieving the capability. + +Link: https://lore.kernel.org/r/alpine.DEB.2.21.2305310124100.59226@angie.orcam.me.uk +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_pe.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c +index a856d9ba42d2..3f55e372f259 100644 +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -670,9 +670,8 @@ static void eeh_bridge_check_link(struct eeh_dev *edev) + eeh_ops->write_config(edev, cap + PCI_EXP_LNKCTL, 2, val); + + /* Check link */ +- eeh_ops->read_config(edev, cap + PCI_EXP_LNKCAP, 4, &val); +- if (!(val & PCI_EXP_LNKCAP_DLLLARC)) { +- eeh_edev_dbg(edev, "No link reporting capability (0x%08x) \n", val); ++ if (!edev->pdev->link_active_reporting) { ++ eeh_edev_dbg(edev, "No link reporting capability\n"); + msleep(1000); + return; + } +-- +2.39.5 + diff --git a/queue-5.15/pps-fix-poll-support.patch b/queue-5.15/pps-fix-poll-support.patch new file mode 100644 index 0000000000..14a24215e1 --- /dev/null +++ b/queue-5.15/pps-fix-poll-support.patch @@ -0,0 +1,102 @@ +From c1e0bb4865b44e09fa9d33287e960a7498570b3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 12:57:50 +0200 +Subject: pps: fix poll support + +From: Denis OSTERLAND-HEIM + +[ Upstream commit 12c409aa1ec2592280a2ddcc66ff8f3c7f7bb171 ] + +Because pps_cdev_poll() returns unconditionally EPOLLIN, +a user space program that calls select/poll get always an immediate data +ready-to-read response. As a result the intended use to wait until next +data becomes ready does not work. + +User space snippet: + + struct pollfd pollfd = { + .fd = open("/dev/pps0", O_RDONLY), + .events = POLLIN|POLLERR, + .revents = 0 }; + while(1) { + poll(&pollfd, 1, 2000/*ms*/); // returns immediate, but should wait + if(revents & EPOLLIN) { // always true + struct pps_fdata fdata; + memset(&fdata, 0, sizeof(memdata)); + ioctl(PPS_FETCH, &fdata); // currently fetches data at max speed + } + } + +Lets remember the last fetch event counter and compare this value +in pps_cdev_poll() with most recent event counter +and return 0 if they are equal. + +Signed-off-by: Denis OSTERLAND-HEIM +Co-developed-by: Rodolfo Giometti +Signed-off-by: Rodolfo Giometti +Fixes: eae9d2ba0cfc ("LinuxPPS: core support") +Link: https://lore.kernel.org/all/f6bed779-6d59-4f0f-8a59-b6312bd83b4e@enneenne.com/ +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/c3c50ad1eb19ef553eca8a57c17f4c006413ab70.camel@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/pps/pps.c | 11 +++++++++-- + include/linux/pps_kernel.h | 1 + + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c +index 2d008e0d116a..ea966fc67d28 100644 +--- a/drivers/pps/pps.c ++++ b/drivers/pps/pps.c +@@ -41,6 +41,9 @@ static __poll_t pps_cdev_poll(struct file *file, poll_table *wait) + + poll_wait(file, &pps->queue, wait); + ++ if (pps->last_fetched_ev == pps->last_ev) ++ return 0; ++ + return EPOLLIN | EPOLLRDNORM; + } + +@@ -186,9 +189,11 @@ static long pps_cdev_ioctl(struct file *file, + if (err) + return err; + +- /* Return the fetched timestamp */ ++ /* Return the fetched timestamp and save last fetched event */ + spin_lock_irq(&pps->lock); + ++ pps->last_fetched_ev = pps->last_ev; ++ + fdata.info.assert_sequence = pps->assert_sequence; + fdata.info.clear_sequence = pps->clear_sequence; + fdata.info.assert_tu = pps->assert_tu; +@@ -272,9 +277,11 @@ static long pps_cdev_compat_ioctl(struct file *file, + if (err) + return err; + +- /* Return the fetched timestamp */ ++ /* Return the fetched timestamp and save last fetched event */ + spin_lock_irq(&pps->lock); + ++ pps->last_fetched_ev = pps->last_ev; ++ + compat.info.assert_sequence = pps->assert_sequence; + compat.info.clear_sequence = pps->clear_sequence; + compat.info.current_mode = pps->current_mode; +diff --git a/include/linux/pps_kernel.h b/include/linux/pps_kernel.h +index c7abce28ed29..aab0aebb529e 100644 +--- a/include/linux/pps_kernel.h ++++ b/include/linux/pps_kernel.h +@@ -52,6 +52,7 @@ struct pps_device { + int current_mode; /* PPS mode at event time */ + + unsigned int last_ev; /* last PPS event id */ ++ unsigned int last_fetched_ev; /* last fetched PPS event id */ + wait_queue_head_t queue; /* PPS event queue */ + + unsigned int id; /* PPS source unique ID */ +-- +2.39.5 + diff --git a/queue-5.15/rdma-hns-fix-wframe-larger-than-issue.patch b/queue-5.15/rdma-hns-fix-wframe-larger-than-issue.patch new file mode 100644 index 0000000000..39ad8b8ff8 --- /dev/null +++ b/queue-5.15/rdma-hns-fix-wframe-larger-than-issue.patch @@ -0,0 +1,67 @@ +From 6e87e30c8e9f0da3652895c276e7fa1348a3d4f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 19:39:05 +0800 +Subject: RDMA/hns: Fix -Wframe-larger-than issue + +From: Junxian Huang + +[ Upstream commit 79d56805c5068f2bc81518043e043c3dedd1c82a ] + +Fix -Wframe-larger-than issue by allocating memory for qpc struct +with kzalloc() instead of using stack memory. + +Fixes: 606bf89e98ef ("RDMA/hns: Refactor for hns_roce_v2_modify_qp function") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506240032.CSgIyFct-lkp@intel.com/ +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250703113905.3597124-7-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index e10fe47d45c1..74f48e201031 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -5008,11 +5008,10 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp, + { + struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device); + struct hns_roce_qp *hr_qp = to_hr_qp(ibqp); +- struct hns_roce_v2_qp_context ctx[2]; +- struct hns_roce_v2_qp_context *context = ctx; +- struct hns_roce_v2_qp_context *qpc_mask = ctx + 1; ++ struct hns_roce_v2_qp_context *context; ++ struct hns_roce_v2_qp_context *qpc_mask; + struct ib_device *ibdev = &hr_dev->ib_dev; +- int ret; ++ int ret = -ENOMEM; + + if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS) + return -EOPNOTSUPP; +@@ -5023,7 +5022,11 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp, + * we should set all bits of the relevant fields in context mask to + * 0 at the same time, else set them to 0x1. + */ +- memset(context, 0, hr_dev->caps.qpc_sz); ++ context = kvzalloc(sizeof(*context), GFP_KERNEL); ++ qpc_mask = kvzalloc(sizeof(*qpc_mask), GFP_KERNEL); ++ if (!context || !qpc_mask) ++ goto out; ++ + memset(qpc_mask, 0xff, hr_dev->caps.qpc_sz); + + ret = hns_roce_v2_set_abs_fields(ibqp, attr, attr_mask, cur_state, +@@ -5065,6 +5068,8 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp, + clear_qp(hr_qp); + + out: ++ kvfree(qpc_mask); ++ kvfree(context); + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.15/reapply-wifi-mac80211-update-skb-s-control-block-key.patch b/queue-5.15/reapply-wifi-mac80211-update-skb-s-control-block-key.patch new file mode 100644 index 0000000000..8d6ce25d9c --- /dev/null +++ b/queue-5.15/reapply-wifi-mac80211-update-skb-s-control-block-key.patch @@ -0,0 +1,40 @@ +From 50f8dbb1d8463bc1ec5b1f410afd21aa7a870742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 17:45:29 +0200 +Subject: Reapply "wifi: mac80211: Update skb's control block key in + ieee80211_tx_dequeue()" + +From: Remi Pommarel + +[ Upstream commit 754fe848b3b297fc85ec24cd959bad22b6df8cb8 ] + +This reverts commit 0937cb5f345c ("Revert "wifi: mac80211: Update +skb's control block key in ieee80211_tx_dequeue()""). + +This commit broke TX with 802.11 encapsulation HW offloading, now that +this is fixed, reapply it. + +Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue") +Signed-off-by: Remi Pommarel +Link: https://patch.msgid.link/66b8fc39fb0194fa06c9ca7eeb6ffe0118dcb3ec.1752765971.git.repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 4ab891c8416d..a5be5fe5c6b4 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3711,6 +3711,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, + * The key can be removed while the packet was queued, so need to call + * this here to get the current key. + */ ++ info->control.hw_key = NULL; + r = ieee80211_tx_h_select_key(&tx); + if (r != TX_CONTINUE) { + ieee80211_free_txskb(&local->hw, skb); +-- +2.39.5 + diff --git a/queue-5.15/revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch b/queue-5.15/revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch new file mode 100644 index 0000000000..5db1731c7c --- /dev/null +++ b/queue-5.15/revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch @@ -0,0 +1,45 @@ +From 223cf94ce6affb307eb524461e2cdf2c60bc3efd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 15:11:32 +0200 +Subject: Revert "fs/ntfs3: Replace inode_trylock with inode_lock" + +From: Konstantin Komarov + +[ Upstream commit a49f0abd8959048af18c6c690b065eb0d65b2d21 ] + +This reverts commit 69505fe98f198ee813898cbcaf6770949636430b. + +Initially, conditional lock acquisition was removed to fix an xfstest bug +that was observed during internal testing. The deadlock reported by syzbot +is resolved by reintroducing conditional acquisition. The xfstest bug no +longer occurs on kernel version 6.16-rc1 during internal testing. I +assume that changes in other modules may have contributed to this. + +Fixes: 69505fe98f19 ("fs/ntfs3: Replace inode_trylock with inode_lock") +Reported-by: syzbot+a91fcdbd2698f99db8f4@syzkaller.appspotmail.com +Suggested-by: Lorenzo Stoakes +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/file.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c +index 74cf9c51e322..ffb31420085f 100644 +--- a/fs/ntfs3/file.c ++++ b/fs/ntfs3/file.c +@@ -398,7 +398,10 @@ static int ntfs_file_mmap(struct file *file, struct vm_area_struct *vma) + } + + if (ni->i_valid < to) { +- inode_lock(inode); ++ if (!inode_trylock(inode)) { ++ err = -EAGAIN; ++ goto out; ++ } + err = ntfs_extend_initialized_size(file, ni, + ni->i_valid, to); + inode_unlock(inode); +-- +2.39.5 + diff --git a/queue-5.15/revert-vmci-prevent-the-dispatching-of-uninitialized.patch b/queue-5.15/revert-vmci-prevent-the-dispatching-of-uninitialized.patch new file mode 100644 index 0000000000..97c9f2336b --- /dev/null +++ b/queue-5.15/revert-vmci-prevent-the-dispatching-of-uninitialized.patch @@ -0,0 +1,55 @@ +From 2e605e5c21374b32b1136671abc50ccb9a053ea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 10:30:09 +0200 +Subject: Revert "vmci: Prevent the dispatching of uninitialized payloads" + +From: Greg Kroah-Hartman + +[ Upstream commit 8f5d9bed6122b8d96508436e5ad2498bb797eb6b ] + +This reverts commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031. + +While the code "looks" correct, the compiler has no way to know that +doing "fun" pointer math like this really isn't a write off the end of +the structure as there is no hint anywhere that the structure has data +at the end of it. + +This causes the following build warning: + +In function 'fortify_memset_chk', + inlined from 'ctx_fire_notification.isra' at drivers/misc/vmw_vmci/vmci_context.c:254:3: +include/linux/fortify-string.h:480:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] + 480 | __write_overflow_field(p_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +So revert it for now and it can come back in the future in a "sane" way +that either correctly makes the structure know that there is trailing +data, OR just the payload structure is properly referenced and zeroed +out. + +Fixes: bfb4cf9fb97e ("vmci: Prevent the dispatching of uninitialized payloads") +Cc: Stephen Rothwell +Cc: Lizhi Xu +Link: https://lore.kernel.org/r/20250703171021.0aee1482@canb.auug.org.au +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_context.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c +index a8df60b9301c..c0b5e339d5a1 100644 +--- a/drivers/misc/vmw_vmci/vmci_context.c ++++ b/drivers/misc/vmw_vmci/vmci_context.c +@@ -251,8 +251,6 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags) + ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID, + VMCI_CONTEXT_RESOURCE_ID); + ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr); +- memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0, +- ev.msg.hdr.payload_size); + ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED; + ev.payload.context_id = context_id; + +-- +2.39.5 + diff --git a/queue-5.15/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch b/queue-5.15/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch new file mode 100644 index 0000000000..8fbc97a9e2 --- /dev/null +++ b/queue-5.15/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch @@ -0,0 +1,40 @@ +From fcaf30676ee04ce430945342ceeae28c3157ade4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:21 -0400 +Subject: rtc: ds1307: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit cf6eb547a24af7ad7bbd2abe9c5327f956bbeae8 ] + +When ds3231_clk_sqw_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: 6c6ff145b3346 ("rtc: ds1307: add clock provider support for DS3231") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-1-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index d5a7a377e4a6..1e621080f666 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -1461,7 +1461,7 @@ static long ds3231_clk_sqw_round_rate(struct clk_hw *hw, unsigned long rate, + return ds3231_clk_sqw_rates[i]; + } + +- return 0; ++ return ds3231_clk_sqw_rates[ARRAY_SIZE(ds3231_clk_sqw_rates) - 1]; + } + + static int ds3231_clk_sqw_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-5.15/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch b/queue-5.15/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch new file mode 100644 index 0000000000..09f4216bf7 --- /dev/null +++ b/queue-5.15/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch @@ -0,0 +1,40 @@ +From 203845a01ff0442d8ef90f6cd57d3f48cbfda6f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:22 -0400 +Subject: rtc: hym8563: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit d0a518eb0a692a2ab8357e844970660c5ea37720 ] + +When hym8563_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: dcaf038493525 ("rtc: add hym8563 rtc-driver") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-2-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-hym8563.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c +index 0751cae27285..93fd182d440b 100644 +--- a/drivers/rtc/rtc-hym8563.c ++++ b/drivers/rtc/rtc-hym8563.c +@@ -312,7 +312,7 @@ static long hym8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int hym8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-5.15/rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch b/queue-5.15/rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch new file mode 100644 index 0000000000..1190bf81fe --- /dev/null +++ b/queue-5.15/rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch @@ -0,0 +1,40 @@ +From fb288d1ad5e24ba1259e2c986f2cdbbe28fc1b1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:24 -0400 +Subject: rtc: pcf85063: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit 186ae1869880e58bb3f142d222abdb35ecb4df0f ] + +When pcf85063_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: 8c229ab6048b7 ("rtc: pcf85063: Add pcf85063 clkout control to common clock framework") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-4-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf85063.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c +index 89e080798e03..b286e3078025 100644 +--- a/drivers/rtc/rtc-pcf85063.c ++++ b/drivers/rtc/rtc-pcf85063.c +@@ -407,7 +407,7 @@ static long pcf85063_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int pcf85063_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-5.15/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch b/queue-5.15/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch new file mode 100644 index 0000000000..566c67a0f4 --- /dev/null +++ b/queue-5.15/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch @@ -0,0 +1,40 @@ +From ffb859f184f87763a0b2057d94bf45b092c02049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:25 -0400 +Subject: rtc: pcf8563: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit 906726a5efeefe0ef0103ccff5312a09080c04ae ] + +When pcf8563_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: a39a6405d5f94 ("rtc: pcf8563: add CLKOUT to common clock framework") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-5-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf8563.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-pcf8563.c b/drivers/rtc/rtc-pcf8563.c +index c8bddfb94129..7d47d1f4802a 100644 +--- a/drivers/rtc/rtc-pcf8563.c ++++ b/drivers/rtc/rtc-pcf8563.c +@@ -399,7 +399,7 @@ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int pcf8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-5.15/rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch b/queue-5.15/rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch new file mode 100644 index 0000000000..90b9ab21d4 --- /dev/null +++ b/queue-5.15/rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch @@ -0,0 +1,40 @@ +From 0bf8fd6a592798063501b8a7e3f5562e05207f38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 11:20:26 -0400 +Subject: rtc: rv3028: fix incorrect maximum clock rate handling + +From: Brian Masney + +[ Upstream commit b574acb3cf7591d2513a9f29f8c2021ad55fb881 ] + +When rv3028_clkout_round_rate() is called with a requested rate higher +than the highest supported rate, it currently returns 0, which disables +the clock. According to the clk API, round_rate() should instead return +the highest supported rate. Update the function to return the maximum +supported rate in this case. + +Fixes: f583c341a515f ("rtc: rv3028: add clkout support") +Signed-off-by: Brian Masney +Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-6-33140bb2278e@redhat.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-rv3028.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-rv3028.c b/drivers/rtc/rtc-rv3028.c +index 12c807306893..fdcca4bf1ce2 100644 +--- a/drivers/rtc/rtc-rv3028.c ++++ b/drivers/rtc/rtc-rv3028.c +@@ -669,7 +669,7 @@ static long rv3028_clkout_round_rate(struct clk_hw *hw, unsigned long rate, + if (clkout_rates[i] <= rate) + return clkout_rates[i]; + +- return 0; ++ return clkout_rates[0]; + } + + static int rv3028_clkout_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-5.15/samples-mei-fix-building-on-musl-libc.patch b/queue-5.15/samples-mei-fix-building-on-musl-libc.patch new file mode 100644 index 0000000000..cd592f010d --- /dev/null +++ b/queue-5.15/samples-mei-fix-building-on-musl-libc.patch @@ -0,0 +1,75 @@ +From 9a49d94057923817bbe5e5254efa1e920c623b6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 19:29:55 +0530 +Subject: samples: mei: Fix building on musl libc + +From: Brahmajit Das + +[ Upstream commit 239df3e4b4752524e7c0fb3417c218d8063654b4 ] + +The header bits/wordsize.h is glibc specific and on building on musl +with allyesconfig results in + +samples/mei/mei-amt-version.c:77:10: fatal error: bits/wordsize.h: No such file or directory + 77 | #include + | ^~~~~~~~~~~~~~~~~ + +mei-amt-version.c build file without bits/wordsize.h on musl and glibc. + +However on musl we get the follwing error without sys/time.h + +samples/mei/mei-amt-version.c: In function 'mei_recv_msg': +samples/mei/mei-amt-version.c:159:24: error: storage size of 'tv' isn't known + 159 | struct timeval tv; + | ^~ +samples/mei/mei-amt-version.c:160:9: error: unknown type name 'fd_set' + 160 | fd_set set; + | ^~~~~~ +samples/mei/mei-amt-version.c:168:9: error: implicit declaration of function 'FD_ZERO' [-Wimplicit-function-declaration] + 168 | FD_ZERO(&set); + | ^~~~~~~ +samples/mei/mei-amt-version.c:169:9: error: implicit declaration of function 'FD_SET'; did you mean 'L_SET'? [-Wimplicit-function-declaration] + 169 | FD_SET(me->fd, &set); + | ^~~~~~ + | L_SET +samples/mei/mei-amt-version.c:170:14: error: implicit declaration of function 'select' [-Wimplicit-function-declaration] + 170 | rc = select(me->fd + 1, &set, NULL, NULL, &tv); + | ^~~~~~ +samples/mei/mei-amt-version.c:171:23: error: implicit declaration of function 'FD_ISSET' [-Wimplicit-function-declaration] + 171 | if (rc > 0 && FD_ISSET(me->fd, &set)) { + | ^~~~~~~~ +samples/mei/mei-amt-version.c:159:24: warning: unused variable 'tv' [-Wunused-variable] + 159 | struct timeval tv; + | ^~ + +Hence the the file has been included. + +Fixes: c52827cc4ddf ("staging/mei: add mei user space example") +Signed-off-by: Brahmajit Das +Link: https://lore.kernel.org/r/20250702135955.24955-1-listout@listout.xyz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + samples/mei/mei-amt-version.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/mei/mei-amt-version.c b/samples/mei/mei-amt-version.c +index 867debd3b912..1d7254bcb44c 100644 +--- a/samples/mei/mei-amt-version.c ++++ b/samples/mei/mei-amt-version.c +@@ -69,11 +69,11 @@ + #include + #include + #include ++#include + #include + #include + #include + #include +-#include + #include + + /***************************************************************************** +-- +2.39.5 + diff --git a/queue-5.15/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch b/queue-5.15/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..ce71a7d7dc --- /dev/null +++ b/queue-5.15/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,48 @@ +From 88ea6982154fbabf9b4e44de777700d3cabc52e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 13:18:02 +0200 +Subject: scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 023a293b9cd0bb86a9b50cd7688a3d9d266826db ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 88a678bbc34c ("ibmvscsis: Initial commit of IBM VSCSI Tgt Driver") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250630111803.94389-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/ibmvscsi_tgt/libsrp.c b/drivers/scsi/ibmvscsi_tgt/libsrp.c +index 8a0e28aec928..0ecad398ed3d 100644 +--- a/drivers/scsi/ibmvscsi_tgt/libsrp.c ++++ b/drivers/scsi/ibmvscsi_tgt/libsrp.c +@@ -184,7 +184,8 @@ static int srp_direct_data(struct ibmvscsis_cmd *cmd, struct srp_direct_buf *md, + err = rdma_io(cmd, sg, nsg, md, 1, dir, len); + + if (dma_map) +- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL); ++ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents, ++ DMA_BIDIRECTIONAL); + + return err; + } +@@ -256,7 +257,8 @@ static int srp_indirect_data(struct ibmvscsis_cmd *cmd, struct srp_cmd *srp_cmd, + err = rdma_io(cmd, sg, nsg, md, nmd, dir, len); + + if (dma_map) +- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL); ++ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents, ++ DMA_BIDIRECTIONAL); + + free_mem: + if (token && dma_map) { +-- +2.39.5 + diff --git a/queue-5.15/scsi-isci-fix-dma_unmap_sg-nents-value.patch b/queue-5.15/scsi-isci-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..4af1d18cf8 --- /dev/null +++ b/queue-5.15/scsi-isci-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,37 @@ +From 78dcef3ddb23f756fb4bbddba61faefaa447e756 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 16:24:47 +0200 +Subject: scsi: isci: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 063bec4444d54e5f35d11949c5c90eaa1ff84c11 ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: ddcc7e347a89 ("isci: fix dma_unmap_sg usage") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250627142451.241713-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/isci/request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c +index 6ef40993906a..b37ab6fa3d0e 100644 +--- a/drivers/scsi/isci/request.c ++++ b/drivers/scsi/isci/request.c +@@ -2906,7 +2906,7 @@ static void isci_request_io_request_complete(struct isci_host *ihost, + task->total_xfer_len, task->data_dir); + else /* unmap the sgl dma addresses */ + dma_unmap_sg(&ihost->pdev->dev, task->scatter, +- request->num_sg_entries, task->data_dir); ++ task->num_scatter, task->data_dir); + break; + case SAS_PROTOCOL_SMP: { + struct scatterlist *sg = &task->smp_task.smp_req; +-- +2.39.5 + diff --git a/queue-5.15/scsi-mpt3sas-fix-a-fw_event-memory-leak.patch b/queue-5.15/scsi-mpt3sas-fix-a-fw_event-memory-leak.patch new file mode 100644 index 0000000000..5545f7d553 --- /dev/null +++ b/queue-5.15/scsi-mpt3sas-fix-a-fw_event-memory-leak.patch @@ -0,0 +1,39 @@ +From 444d8fb78f22e1964fac68d08eb268ed25c7c4d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 17:30:18 +0200 +Subject: scsi: mpt3sas: Fix a fw_event memory leak + +From: Tomas Henzl + +[ Upstream commit 3e90b38781e3bdd651edaf789585687611638862 ] + +In _mpt3sas_fw_work() the fw_event reference is removed, it should also +be freed in all cases. + +Fixes: 4318c7347847 ("scsi: mpt3sas: Handle NVMe PCIe device related events generated from firmware.") +Signed-off-by: Tomas Henzl +Link: https://lore.kernel.org/r/20250723153018.50518-1-thenzl@redhat.com +Acked-by: Sathya Prakash Veerichetty +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index bbef78608a67..055929021818 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -10806,8 +10806,7 @@ _mpt3sas_fw_work(struct MPT3SAS_ADAPTER *ioc, struct fw_event_work *fw_event) + break; + case MPI2_EVENT_PCIE_TOPOLOGY_CHANGE_LIST: + _scsih_pcie_topology_change_event(ioc, fw_event); +- ioc->current_event = NULL; +- return; ++ break; + } + out: + fw_event_work_put(fw_event); +-- +2.39.5 + diff --git a/queue-5.15/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch b/queue-5.15/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..b6aff15d1b --- /dev/null +++ b/queue-5.15/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,46 @@ +From 3ff27663753231ecb7872d5015d2a3eb422781ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 15:48:18 +0200 +Subject: scsi: mvsas: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +[ Upstream commit 0141618727bc929fe868153d21797f10ce5bef3f ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: b5762948263d ("[SCSI] mvsas: Add Marvell 6440 SAS/SATA driver") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250627134822.234813-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mvsas/mv_sas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c +index 04d3710c683f..efd11fabff93 100644 +--- a/drivers/scsi/mvsas/mv_sas.c ++++ b/drivers/scsi/mvsas/mv_sas.c +@@ -829,7 +829,7 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf + dev_printk(KERN_ERR, mvi->dev, "mvsas prep failed[%d]!\n", rc); + if (!sas_protocol_ata(task->task_proto)) + if (n_elem) +- dma_unmap_sg(mvi->dev, task->scatter, n_elem, ++ dma_unmap_sg(mvi->dev, task->scatter, task->num_scatter, + task->data_dir); + prep_out: + return rc; +@@ -880,7 +880,7 @@ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task, + if (!sas_protocol_ata(task->task_proto)) + if (slot->n_elem) + dma_unmap_sg(mvi->dev, task->scatter, +- slot->n_elem, task->data_dir); ++ task->num_scatter, task->data_dir); + + switch (task->task_proto) { + case SAS_PROTOCOL_SMP: +-- +2.39.5 + diff --git a/queue-5.15/scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch b/queue-5.15/scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch new file mode 100644 index 0000000000..a33c7fcc4c --- /dev/null +++ b/queue-5.15/scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch @@ -0,0 +1,57 @@ +From c593d6d5a507c84e21a67e87b3de2e01d659ae86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 17:12:13 +0900 +Subject: scsi: ufs: core: Use link recovery when h8 exit fails during runtime + resume + +From: Seunghui Lee + +[ Upstream commit 35dabf4503b94a697bababe94678a8bc989c3223 ] + +If the h8 exit fails during runtime resume process, the runtime thread +enters runtime suspend immediately and the error handler operates at the +same time. It becomes stuck and cannot be recovered through the error +handler. To fix this, use link recovery instead of the error handler. + +Fixes: 4db7a2360597 ("scsi: ufs: Fix concurrency of error handler and other error recovery paths") +Signed-off-by: Seunghui Lee +Link: https://lore.kernel.org/r/20250717081213.6811-1-sh043.lee@samsung.com +Reviewed-by: Bean Huo +Acked-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 2b78cc96ccef..3d2b6ee50e2c 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4013,7 +4013,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + hba->uic_async_done = NULL; + if (reenable_intr) + ufshcd_enable_intr(hba, UIC_COMMAND_COMPL); +- if (ret) { ++ if (ret && !hba->pm_op_in_progress) { + ufshcd_set_link_broken(hba); + ufshcd_schedule_eh_work(hba); + } +@@ -4021,6 +4021,14 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + spin_unlock_irqrestore(hba->host->host_lock, flags); + mutex_unlock(&hba->uic_cmd_mutex); + ++ /* ++ * If the h8 exit fails during the runtime resume process, it becomes ++ * stuck and cannot be recovered through the error handler. To fix ++ * this, use link recovery instead of the error handler. ++ */ ++ if (ret && hba->pm_op_in_progress) ++ ret = ufshcd_link_recovery(hba); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.15/selftests-fix-errno-checking-in-syscall_user_dispatc.patch b/queue-5.15/selftests-fix-errno-checking-in-syscall_user_dispatc.patch new file mode 100644 index 0000000000..cf972610ea --- /dev/null +++ b/queue-5.15/selftests-fix-errno-checking-in-syscall_user_dispatc.patch @@ -0,0 +1,132 @@ +From f374c8c511d2d554e4eb5d0b9bdc87b79f672e73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 17:04:28 +0200 +Subject: selftests: Fix errno checking in syscall_user_dispatch test + +From: Dmitry Vyukov + +[ Upstream commit b89732c8c8357487185f260a723a060b3476144e ] + +Successful syscalls don't change errno, so checking errno is wrong +to ensure that a syscall has failed. For example for the following +sequence: + + prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0); + EXPECT_EQ(EINVAL, errno); + prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel); + EXPECT_EQ(EINVAL, errno); + +only the first syscall may fail and set errno, but the second may succeed +and keep errno intact, and the check will falsely pass. +Or if errno happened to be EINVAL before, even the first check may falsely +pass. + +Also use EXPECT/ASSERT consistently. Currently there is an inconsistent mix +without obvious reasons for usage of one or another. + +Fixes: 179ef035992e ("selftests: Add kselftest for syscall user dispatch") +Signed-off-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/af6a04dbfef9af8570f5bab43e3ef1416b62699a.1747839857.git.dvyukov@google.com +Signed-off-by: Sasha Levin +--- + .../syscall_user_dispatch/sud_test.c | 50 +++++++++---------- + 1 file changed, 25 insertions(+), 25 deletions(-) + +diff --git a/tools/testing/selftests/syscall_user_dispatch/sud_test.c b/tools/testing/selftests/syscall_user_dispatch/sud_test.c +index d975a6767329..48cf01aeec3e 100644 +--- a/tools/testing/selftests/syscall_user_dispatch/sud_test.c ++++ b/tools/testing/selftests/syscall_user_dispatch/sud_test.c +@@ -79,6 +79,21 @@ TEST_SIGNAL(dispatch_trigger_sigsys, SIGSYS) + } + } + ++static void prctl_valid(struct __test_metadata *_metadata, ++ unsigned long op, unsigned long off, ++ unsigned long size, void *sel) ++{ ++ EXPECT_EQ(0, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel)); ++} ++ ++static void prctl_invalid(struct __test_metadata *_metadata, ++ unsigned long op, unsigned long off, ++ unsigned long size, void *sel, int err) ++{ ++ EXPECT_EQ(-1, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel)); ++ EXPECT_EQ(err, errno); ++} ++ + TEST(bad_prctl_param) + { + char sel = SYSCALL_DISPATCH_FILTER_ALLOW; +@@ -86,57 +101,42 @@ TEST(bad_prctl_param) + + /* Invalid op */ + op = -1; +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0, 0, &sel); +- ASSERT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0, 0, &sel, EINVAL); + + /* PR_SYS_DISPATCH_OFF */ + op = PR_SYS_DISPATCH_OFF; + + /* offset != 0 */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, 0); +- EXPECT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0x1, 0x0, 0, EINVAL); + + /* len != 0 */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0); +- EXPECT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0x0, 0xff, 0, EINVAL); + + /* sel != NULL */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel); +- EXPECT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0x0, 0x0, &sel, EINVAL); + + /* Valid parameter */ +- errno = 0; +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, 0x0); +- EXPECT_EQ(0, errno); ++ prctl_valid(_metadata, op, 0x0, 0x0, 0x0); + + /* PR_SYS_DISPATCH_ON */ + op = PR_SYS_DISPATCH_ON; + + /* Dispatcher region is bad (offset > 0 && len == 0) */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, &sel); +- EXPECT_EQ(EINVAL, errno); +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, -1L, 0x0, &sel); +- EXPECT_EQ(EINVAL, errno); ++ prctl_invalid(_metadata, op, 0x1, 0x0, &sel, EINVAL); ++ prctl_invalid(_metadata, op, -1L, 0x0, &sel, EINVAL); + + /* Invalid selector */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x1, (void *) -1); +- ASSERT_EQ(EFAULT, errno); ++ prctl_invalid(_metadata, op, 0x0, 0x1, (void *) -1, EFAULT); + + /* + * Dispatcher range overflows unsigned long + */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, 1, -1L, &sel); +- ASSERT_EQ(EINVAL, errno) { +- TH_LOG("Should reject bad syscall range"); +- } ++ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, 1, -1L, &sel, EINVAL); + + /* + * Allowed range overflows usigned long + */ +- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel); +- ASSERT_EQ(EINVAL, errno) { +- TH_LOG("Should reject bad syscall range"); +- } ++ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel, EINVAL); + } + + /* +-- +2.39.5 + diff --git a/queue-5.15/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch b/queue-5.15/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch new file mode 100644 index 0000000000..5bc03040d6 --- /dev/null +++ b/queue-5.15/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch @@ -0,0 +1,62 @@ +From 795eea35c1861e3010f7dfc340af27e096cd9f31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 11:50:28 +0800 +Subject: selftests: rtnetlink.sh: remove esp4_offload after test + +From: Xiumei Mu + +[ Upstream commit 5b32321fdaf3fd1a92ec726af18765e225b0ee2b ] + +The esp4_offload module, loaded during IPsec offload tests, should +be reset to its default settings after testing. +Otherwise, leaving it enabled could unintentionally affect subsequence +test cases by keeping offload active. + +Without this fix: +$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload; +PASS: ipsec_offload +esp4_offload 12288 0 +esp4 32768 1 esp4_offload + +With this fix: +$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload; +PASS: ipsec_offload + +Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test") +Signed-off-by: Xiumei Mu +Reviewed-by: Shannon Nelson +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/6d3a1d777c4de4eb0ca94ced9e77be8d48c5b12f.1753415428.git.xmu@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/rtnetlink.sh | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh +index a3597b3e579f..0a6212a96415 100755 +--- a/tools/testing/selftests/net/rtnetlink.sh ++++ b/tools/testing/selftests/net/rtnetlink.sh +@@ -746,6 +746,11 @@ kci_test_ipsec_offload() + sysfsf=$sysfsd/ipsec + sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/ + probed=false ++ esp4_offload_probed_default=false ++ ++ if lsmod | grep -q esp4_offload; then ++ esp4_offload_probed_default=true ++ fi + + # setup netdevsim since dummydev doesn't have offload support + if [ ! -w /sys/bus/netdevsim/new_device ] ; then +@@ -835,6 +840,7 @@ EOF + fi + + # clean up any leftovers ++ ! "$esp4_offload_probed_default" && lsmod | grep -q esp4_offload && rmmod esp4_offload + echo 0 > /sys/bus/netdevsim/del_device + $probed && rmmod netdevsim + +-- +2.39.5 + diff --git a/queue-5.15/selftests-tracing-fix-false-failure-of-subsystem-eve.patch b/queue-5.15/selftests-tracing-fix-false-failure-of-subsystem-eve.patch new file mode 100644 index 0000000000..f6f4e3f89c --- /dev/null +++ b/queue-5.15/selftests-tracing-fix-false-failure-of-subsystem-eve.patch @@ -0,0 +1,85 @@ +From 0ebcd4aa75ac44eb9bfe7d9a16686882e0b5ad93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 13:42:12 -0400 +Subject: selftests/tracing: Fix false failure of subsystem event test + +From: Steven Rostedt + +[ Upstream commit 213879061a9c60200ba971330dbefec6df3b4a30 ] + +The subsystem event test enables all "sched" events and makes sure there's +at least 3 different events in the output. It used to cat the entire trace +file to | wc -l, but on slow machines, that could last a very long time. +To solve that, it was changed to just read the first 100 lines of the +trace file. This can cause false failures as some events repeat so often, +that the 100 lines that are examined could possibly be of only one event. + +Instead, create an awk script that looks for 3 different events and will +exit out after it finds them. This will find the 3 events the test looks +for (eventually if it works), and still exit out after the test is +satisfied and not cause slower machines to run forever. + +Link: https://lore.kernel.org/r/20250721134212.53c3e140@batman.local.home +Reported-by: Tengda Wu +Closes: https://lore.kernel.org/all/20250710130134.591066-1-wutengda@huaweicloud.com/ +Fixes: 1a4ea83a6e67 ("selftests/ftrace: Limit length in subsystem-enable tests") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/event/subsystem-enable.tc | 28 +++++++++++++++++-- + 1 file changed, 26 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc +index b7c8f29c09a9..65916bb55dfb 100644 +--- a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc ++++ b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc +@@ -14,11 +14,35 @@ fail() { #msg + exit_fail + } + ++# As reading trace can last forever, simply look for 3 different ++# events then exit out of reading the file. If there's not 3 different ++# events, then the test has failed. ++check_unique() { ++ cat trace | grep -v '^#' | awk ' ++ BEGIN { cnt = 0; } ++ { ++ for (i = 0; i < cnt; i++) { ++ if (event[i] == $5) { ++ break; ++ } ++ } ++ if (i == cnt) { ++ event[cnt++] = $5; ++ if (cnt > 2) { ++ exit; ++ } ++ } ++ } ++ END { ++ printf "%d", cnt; ++ }' ++} ++ + echo 'sched:*' > set_event + + yield + +-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` ++count=`check_unique` + if [ $count -lt 3 ]; then + fail "at least fork, exec and exit events should be recorded" + fi +@@ -29,7 +53,7 @@ echo 1 > events/sched/enable + + yield + +-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` ++count=`check_unique` + if [ $count -lt 3 ]; then + fail "at least fork, exec and exit events should be recorded" + fi +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index 36e2bdf194..750074b259 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -108,3 +108,119 @@ usb-chipidea-add-usb-phy-event.patch usb-phy-mxs-disconnect-line-when-usb-charger-is-atta.patch ethernet-intel-fix-building-with-large-nr_cpus.patch asoc-intel-fix-snd_soc_sof-dependencies.patch +fs_context-fix-parameter-name-in-infofc-macro.patch +hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch +revert-fs-ntfs3-replace-inode_trylock-with-inode_loc.patch +asoc-soc-dai-tidyup-return-value-of-snd_soc_xlate_td.patch +asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch +selftests-fix-errno-checking-in-syscall_user_dispatc.patch +arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch +usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch +staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch +vmci-prevent-the-dispatching-of-uninitialized-payloa.patch +pps-fix-poll-support.patch +revert-vmci-prevent-the-dispatching-of-uninitialized.patch +usb-early-xhci-dbc-fix-early_ioremap-leak.patch +arm-dts-ti-omap-fixup-pinheader-typo.patch +arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch +arm64-dts-imx8mm-beacon-fix-hs400-usdhc-clock-speed.patch +arm64-dts-imx8mn-beacon-fix-hs400-usdhc-clock-speed.patch +pm-devfreq-check-governor-before-using-governor-name.patch +cpufreq-intel_pstate-always-use-hwp_desired_perf-in-.patch +cpufreq-initialize-cpufreq-based-frequency-invarianc.patch +cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch +samples-mei-fix-building-on-musl-libc.patch +staging-nvec-fix-incorrect-null-termination-of-batte.patch +selftests-tracing-fix-false-failure-of-subsystem-eve.patch +drm-rockchip-cleanup-fb-when-drm_gem_fb_afbc_init-fa.patch +bpf-sockmap-fix-psock-incorrectly-pointing-to-sk.patch +bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch +bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch +caif-reduce-stack-size-again.patch +wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch +wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch +iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch +wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch +tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch +net-mlx5-check-device-memory-pointer-before-usage.patch +m68k-don-t-unregister-boot-console-needlessly.patch +drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch +netfilter-nf_tables-adjust-lockdep-assertions-handli.patch +arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch +um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch +net-sched-restrict-conditions-for-adding-duplicating.patch +net_sched-act_ctinfo-use-atomic64_t-for-three-counte.patch +xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch +wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch +mwl8k-add-missing-check-after-dma-map.patch +wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch +wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch +reapply-wifi-mac80211-update-skb-s-control-block-key.patch +wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch +can-kvaser_pciefd-store-device-channel-index.patch +can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch +netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch +selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch +vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch +pci-rockchip-host-fix-unexpected-completion-log-mess.patch +crypto-marvell-cesa-fix-engine-load-inaccuracy.patch +mtd-fix-possible-integer-overflow-in-erase_xfer.patch +clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch +media-v4l2-ctrls-fix-h264-separate_colour_plane-chec.patch +clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch +power-supply-cpcap-charger-fix-null-check-for-power_.patch +power-supply-max14577-handle-null-pdata-when-config_.patch +pci-endpoint-pci-epf-vntb-return-enoent-if-pci_epc_g.patch +pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch +clk-clk-axi-clkgen-fix-fpfd_max-frequency-for-zynq.patch +perf-sched-fix-memory-leaks-for-evsel-priv-in-timehi.patch +crypto-inside-secure-fix-dma_unmap_sg-nents-value.patch +crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch +rdma-hns-fix-wframe-larger-than-issue.patch +kernel-trace-preemptirq_delay_test-use-offstack-cpu-.patch +perf-tests-bp_account-fix-leaked-file-descriptor.patch +clk-sunxi-ng-v3s-fix-de-clock-definition.patch +scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch +scsi-mvsas-fix-dma_unmap_sg-nents-value.patch +scsi-isci-fix-dma_unmap_sg-nents-value.patch +watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch +hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch +crypto-keembay-fix-dma_unmap_sg-nents-value.patch +crypto-img-hash-fix-dma_unmap_sg-nents-value.patch +soundwire-stream-restore-params-when-prepare-ports-f.patch +pci-endpoint-pci-epf-vntb-fix-the-incorrect-usage-of.patch +fs-orangefs-allow-2-more-characters-in-do_c_string.patch +dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch +dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch +sh-do-not-use-hyphen-in-exported-variable-name.patch +crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch +fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch +jfs-fix-metapage-reference-count-leak-in-dballocctl.patch +mtd-rawnand-atmel-fix-dma_mapping_error-address.patch +mtd-rawnand-rockchip-add-missing-check-after-dma-map.patch +mtd-rawnand-atmel-set-pmecc-data-setup-time.patch +vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch +bpf-check-flow_dissector-ctx-accesses-are-aligned.patch +apparmor-ensure-wb_history_size-value-is-a-power-of-.patch +apparmor-fix-unaligned-memory-accesses-in-kunit-test.patch +module-restore-the-moduleparam-prefix-length-check.patch +ucount-fix-atomic_long_inc_below-argument-type.patch +rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch +rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch +rtc-pcf85063-fix-incorrect-maximum-clock-rate-handli.patch +rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch +rtc-rv3028-fix-incorrect-maximum-clock-rate-handling.patch +f2fs-fix-kmsan-uninit-value-in-extent_info-usage.patch +f2fs-doc-fix-wrong-quota-mount-option-description.patch +f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch +f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch +f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch +scsi-mpt3sas-fix-a-fw_event-memory-leak.patch +scsi-ufs-core-use-link-recovery-when-h8-exit-fails-d.patch +kconfig-qconf-fix-configlist-updatelistallforall.patch +pci-pnv_php-clean-up-allocated-irqs-on-unplug.patch +pci-pnv_php-work-around-switches-with-broken-presenc.patch +powerpc-eeh-export-eeh_unfreeze_pe.patch +powerpc-eeh-rely-on-dev-link_active_reporting.patch +powerpc-eeh-make-eeh-driver-device-hotplug-safe.patch +pci-pnv_php-fix-surprise-plug-detection-and-recovery.patch diff --git a/queue-5.15/sh-do-not-use-hyphen-in-exported-variable-name.patch b/queue-5.15/sh-do-not-use-hyphen-in-exported-variable-name.patch new file mode 100644 index 0000000000..746a578cd7 --- /dev/null +++ b/queue-5.15/sh-do-not-use-hyphen-in-exported-variable-name.patch @@ -0,0 +1,107 @@ +From cb2b8d9d31b75ae2d9095beac39b1e4565448509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 16:47:32 +0200 +Subject: sh: Do not use hyphen in exported variable name + +From: Ben Hutchings + +[ Upstream commit c32969d0362a790fbc6117e0b6a737a7e510b843 ] + +arch/sh/Makefile defines and exports ld-bfd to be used by +arch/sh/boot/compressed/Makefile and arch/sh/boot/romimage/Makefile. +However some shells, including dash, will not pass through environment +variables whose name includes a hyphen. Usually GNU make does not use +a shell to recurse, but if e.g. $(srctree) contains '~' it will use a +shell here. + +Other instances of this problem were previously fixed by commits +2bfbe7881ee0 "kbuild: Do not use hyphen in exported variable name" +and 82977af93a0d "sh: rename suffix-y to suffix_y". + +Rename the variable to ld_bfd. + +References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0 +Fixes: 7b022d07a0fd ("sh: Tidy up the ldscript output format specifier.") +Signed-off-by: Ben Hutchings +Reviewed-by: John Paul Adrian Glaubitz +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/Makefile | 10 +++++----- + arch/sh/boot/compressed/Makefile | 4 ++-- + arch/sh/boot/romimage/Makefile | 4 ++-- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/arch/sh/Makefile b/arch/sh/Makefile +index 88ddb6f1c75b..ab9b78125544 100644 +--- a/arch/sh/Makefile ++++ b/arch/sh/Makefile +@@ -103,16 +103,16 @@ UTS_MACHINE := sh + LDFLAGS_vmlinux += -e _stext + + ifdef CONFIG_CPU_LITTLE_ENDIAN +-ld-bfd := elf32-sh-linux +-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd) ++ld_bfd := elf32-sh-linux ++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd) + KBUILD_LDFLAGS += -EL + else +-ld-bfd := elf32-shbig-linux +-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd) ++ld_bfd := elf32-shbig-linux ++LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd) + KBUILD_LDFLAGS += -EB + endif + +-export ld-bfd ++export ld_bfd + + head-y := arch/sh/kernel/head_32.o + +diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile +index 589d2d8a573d..d4baaaace17f 100644 +--- a/arch/sh/boot/compressed/Makefile ++++ b/arch/sh/boot/compressed/Makefile +@@ -30,7 +30,7 @@ endif + + ccflags-remove-$(CONFIG_MCOUNT) += -pg + +-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \ ++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \ + -T $(obj)/../../kernel/vmlinux.lds + + # +@@ -68,7 +68,7 @@ $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE + + OBJCOPYFLAGS += -R .empty_zero_page + +-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T ++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T + + $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix-y) FORCE + $(call if_changed,ld) +diff --git a/arch/sh/boot/romimage/Makefile b/arch/sh/boot/romimage/Makefile +index c7c8be58400c..17b03df0a8de 100644 +--- a/arch/sh/boot/romimage/Makefile ++++ b/arch/sh/boot/romimage/Makefile +@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) := $(obj)/mmcif-sh7724.o + load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y) + obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y) + +-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \ ++LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \ + -T $(obj)/../../kernel/vmlinux.lds + + $(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE +@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page + $(obj)/zeropage.bin: vmlinux FORCE + $(call if_changed,objcopy) + +-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T ++LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T + + $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE + $(call if_changed,ld) +-- +2.39.5 + diff --git a/queue-5.15/soundwire-stream-restore-params-when-prepare-ports-f.patch b/queue-5.15/soundwire-stream-restore-params-when-prepare-ports-f.patch new file mode 100644 index 0000000000..6e863a6f32 --- /dev/null +++ b/queue-5.15/soundwire-stream-restore-params-when-prepare-ports-f.patch @@ -0,0 +1,43 @@ +From b2db2ebb354e5050d318c5d2a996a9cc99f5066f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 14:09:52 +0800 +Subject: soundwire: stream: restore params when prepare ports fail +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bard Liao + +[ Upstream commit dba7d9dbfdc4389361ff3a910e767d3cfca22587 ] + +The bus->params should be restored if the stream is failed to prepare. +The issue exists since beginning. The Fixes tag just indicates the +first commit that the commit can be applied to. + +Fixes: 17ed5bef49f4 ("soundwire: add missing newlines in dynamic debug logs") +Signed-off-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Reviewed-by: Ranjani Sridharan +Link: https://lore.kernel.org/r/20250626060952.405996-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c +index 8f9f4ee7860c..1b62cdadb089 100644 +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -1575,7 +1575,7 @@ static int _sdw_prepare_stream(struct sdw_stream_runtime *stream, + if (ret < 0) { + dev_err(bus->dev, "Prepare port(s) failed ret = %d\n", + ret); +- return ret; ++ goto restore_params; + } + } + +-- +2.39.5 + diff --git a/queue-5.15/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch b/queue-5.15/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch new file mode 100644 index 0000000000..41df69ac69 --- /dev/null +++ b/queue-5.15/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch @@ -0,0 +1,39 @@ +From 93a597a0c7cf19d94f02893e4212b7023b83f4ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 22:54:10 +0530 +Subject: staging: fbtft: fix potential memory leak in + fbtft_framebuffer_alloc() + +From: Abdun Nihaal + +[ Upstream commit eb2cb7dab60f9be0b435ac4a674255429a36d72c ] + +In the error paths after fb_info structure is successfully allocated, +the memory allocated in fb_deferred_io_init() for info->pagerefs is not +freed. Fix that by adding the cleanup function on the error path. + +Fixes: c296d5f9957c ("staging: fbtft: core support") +Signed-off-by: Abdun Nihaal +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20250626172412.18355-1-abdun.nihaal@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/fbtft/fbtft-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c +index 810ed1fca10b..54620ae6919b 100644 +--- a/drivers/staging/fbtft/fbtft-core.c ++++ b/drivers/staging/fbtft/fbtft-core.c +@@ -747,6 +747,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display, + return info; + + release_framebuf: ++ fb_deferred_io_cleanup(info); + framebuffer_release(info); + + alloc_fail: +-- +2.39.5 + diff --git a/queue-5.15/staging-nvec-fix-incorrect-null-termination-of-batte.patch b/queue-5.15/staging-nvec-fix-incorrect-null-termination-of-batte.patch new file mode 100644 index 0000000000..66c538cf01 --- /dev/null +++ b/queue-5.15/staging-nvec-fix-incorrect-null-termination-of-batte.patch @@ -0,0 +1,41 @@ +From 47f1e49c1198315e98dcb7e03ef9b62ec79880c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jul 2025 01:07:42 -0700 +Subject: staging: nvec: Fix incorrect null termination of battery manufacturer + +From: Alok Tiwari + +[ Upstream commit a8934352ba01081c51d2df428e9d540aae0e88b5 ] + +The battery manufacturer string was incorrectly null terminated using +bat_model instead of bat_manu. This could result in an unintended +write to the wrong field and potentially incorrect behavior. + +fixe the issue by correctly null terminating the bat_manu string. + +Fixes: 32890b983086 ("Staging: initial version of the nvec driver") +Signed-off-by: Alok Tiwari +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20250719080755.3954373-1-alok.a.tiwari@oracle.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/nvec/nvec_power.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/nvec/nvec_power.c b/drivers/staging/nvec/nvec_power.c +index b1ef196e1cfe..622d99ea9555 100644 +--- a/drivers/staging/nvec/nvec_power.c ++++ b/drivers/staging/nvec/nvec_power.c +@@ -194,7 +194,7 @@ static int nvec_power_bat_notifier(struct notifier_block *nb, + break; + case MANUFACTURER: + memcpy(power->bat_manu, &res->plc, res->length - 2); +- power->bat_model[res->length - 2] = '\0'; ++ power->bat_manu[res->length - 2] = '\0'; + break; + case MODEL: + memcpy(power->bat_model, &res->plc, res->length - 2); +-- +2.39.5 + diff --git a/queue-5.15/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch b/queue-5.15/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch new file mode 100644 index 0000000000..4718844875 --- /dev/null +++ b/queue-5.15/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch @@ -0,0 +1,56 @@ +From ae754650c3fd2f8b662b3bffa252b7be8d08e911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 12:34:19 +0000 +Subject: tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range + +From: xin.guo + +[ Upstream commit a041f70e573e185d5d5fdbba53f0db2fbe7257ad ] + +If the new coming segment covers more than one skbs in the ofo queue, +and which seq is equal to rcv_nxt, then the sequence range +that is duplicated will be sent as DUP SACK, the detail as below, +in step6, the {501,2001} range is clearly including too much +DUP SACK range, in violation of RFC 2883 rules. + +1. client > server: Flags [.], seq 501:1001, ack 1325288529, win 20000, length 500 +2. server > client: Flags [.], ack 1, [nop,nop,sack 1 {501:1001}], length 0 +3. client > server: Flags [.], seq 1501:2001, ack 1325288529, win 20000, length 500 +4. server > client: Flags [.], ack 1, [nop,nop,sack 2 {1501:2001} {501:1001}], length 0 +5. client > server: Flags [.], seq 1:2001, ack 1325288529, win 20000, length 2000 +6. server > client: Flags [.], ack 2001, [nop,nop,sack 1 {501:2001}], length 0 + +After this fix, the final ACK is as below: + +6. server > client: Flags [.], ack 2001, options [nop,nop,sack 1 {501:1001}], length 0 + +[edumazet] added a new packetdrill test in the following patch. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: xin.guo +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250626123420.1933835-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 10f39b2762a7..fea019cc92d3 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4826,8 +4826,9 @@ static void tcp_ofo_queue(struct sock *sk) + + if (before(TCP_SKB_CB(skb)->seq, dsack_high)) { + __u32 dsack = dsack_high; ++ + if (before(TCP_SKB_CB(skb)->end_seq, dsack_high)) +- dsack_high = TCP_SKB_CB(skb)->end_seq; ++ dsack = TCP_SKB_CB(skb)->end_seq; + tcp_dsack_extend(sk, TCP_SKB_CB(skb)->seq, dsack); + } + p = rb_next(p); +-- +2.39.5 + diff --git a/queue-5.15/ucount-fix-atomic_long_inc_below-argument-type.patch b/queue-5.15/ucount-fix-atomic_long_inc_below-argument-type.patch new file mode 100644 index 0000000000..d9ccc0f9e7 --- /dev/null +++ b/queue-5.15/ucount-fix-atomic_long_inc_below-argument-type.patch @@ -0,0 +1,66 @@ +From 2a699186328f0ac70eabbe9916518c97a01a07e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 19:45:57 +0200 +Subject: ucount: fix atomic_long_inc_below() argument type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uros Bizjak + +[ Upstream commit f8cd9193b62e92ad25def5370ca8ea2bc7585381 ] + +The type of u argument of atomic_long_inc_below() should be long to avoid +unwanted truncation to int. + +The patch fixes the wrong argument type of an internal function to +prevent unwanted argument truncation. It fixes an internal locking +primitive; it should not have any direct effect on userspace. + +Mark said + +: AFAICT there's no problem in practice because atomic_long_inc_below() +: is only used by inc_ucount(), and it looks like the value is +: constrained between 0 and INT_MAX. +: +: In inc_ucount() the limit value is taken from +: user_namespace::ucount_max[], and AFAICT that's only written by +: sysctls, to the table setup by setup_userns_sysctls(), where +: UCOUNT_ENTRY() limits the value between 0 and INT_MAX. +: +: This is certainly a cleanup, but there might be no functional issue in +: practice as above. + +Link: https://lkml.kernel.org/r/20250721174610.28361-1-ubizjak@gmail.com +Fixes: f9c82a4ea89c ("Increase size of ucounts to atomic_long_t") +Signed-off-by: Uros Bizjak +Reviewed-by: "Eric W. Biederman" +Cc: Sebastian Andrzej Siewior +Cc: "Paul E. McKenney" +Cc: Alexey Gladkov +Cc: Roman Gushchin +Cc: MengEn Sun +Cc: "Thomas Weißschuh" +Cc: Mark Rutland +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/ucount.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/ucount.c b/kernel/ucount.c +index 85d7c19b0b80..8c21398f7b4f 100644 +--- a/kernel/ucount.c ++++ b/kernel/ucount.c +@@ -210,7 +210,7 @@ void put_ucounts(struct ucounts *ucounts) + } + } + +-static inline bool atomic_long_inc_below(atomic_long_t *v, int u) ++static inline bool atomic_long_inc_below(atomic_long_t *v, long u) + { + long c, old; + c = atomic_long_read(v); +-- +2.39.5 + diff --git a/queue-5.15/um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch b/queue-5.15/um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch new file mode 100644 index 0000000000..fe22f5af9a --- /dev/null +++ b/queue-5.15/um-rtc-avoid-shadowing-err-in-uml_rtc_start.patch @@ -0,0 +1,38 @@ +From fc7fd8ecc16d0489ed2a63b7d9386e0c405cc134 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 17:04:03 +0800 +Subject: um: rtc: Avoid shadowing err in uml_rtc_start() + +From: Tiwei Bie + +[ Upstream commit 4c916e3b224a02019b3cc3983a15f32bfd9a22df ] + +Remove the declaration of 'err' inside the 'if (timetravel)' block, +as it would otherwise be unavailable outside that block, potentially +leading to uml_rtc_start() returning an uninitialized value. + +Fixes: dde8b58d5127 ("um: add a pseudo RTC") +Signed-off-by: Tiwei Bie +Link: https://patch.msgid.link/20250708090403.1067440-5-tiwei.bie@linux.dev +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/rtc_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/drivers/rtc_user.c b/arch/um/drivers/rtc_user.c +index 7c3cec4c68cf..006a5a164ea9 100644 +--- a/arch/um/drivers/rtc_user.c ++++ b/arch/um/drivers/rtc_user.c +@@ -28,7 +28,7 @@ int uml_rtc_start(bool timetravel) + int err; + + if (timetravel) { +- int err = os_pipe(uml_rtc_irq_fds, 1, 1); ++ err = os_pipe(uml_rtc_irq_fds, 1, 1); + if (err) + goto fail; + } else { +-- +2.39.5 + diff --git a/queue-5.15/usb-early-xhci-dbc-fix-early_ioremap-leak.patch b/queue-5.15/usb-early-xhci-dbc-fix-early_ioremap-leak.patch new file mode 100644 index 0000000000..e7b6689266 --- /dev/null +++ b/queue-5.15/usb-early-xhci-dbc-fix-early_ioremap-leak.patch @@ -0,0 +1,56 @@ +From 74aa959f8820afa6695be59a96102b62b61a13cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 14:47:47 -0700 +Subject: usb: early: xhci-dbc: Fix early_ioremap leak + +From: Lucas De Marchi + +[ Upstream commit 2b7eec2ec3015f52fc74cf45d0408925e984ecd1 ] + +Using the kernel param earlyprintk=xdbc,keep without proper hardware +setup leads to this: + + [ ] xhci_dbc:early_xdbc_parse_parameter: dbgp_num: 0 + ... + [ ] xhci_dbc:early_xdbc_setup_hardware: failed to setup the connection to host + ... + [ ] calling kmemleak_late_init+0x0/0xa0 @ 1 + [ ] kmemleak: Kernel memory leak detector initialized (mem pool available: 14919) + [ ] kmemleak: Automatic memory scanning thread started + [ ] initcall kmemleak_late_init+0x0/0xa0 returned 0 after 417 usecs + [ ] calling check_early_ioremap_leak+0x0/0x70 @ 1 + [ ] ------------[ cut here ]------------ + [ ] Debug warning: early ioremap leak of 1 areas detected. + please boot with early_ioremap_debug and report the dmesg. + [ ] WARNING: CPU: 11 PID: 1 at mm/early_ioremap.c:90 check_early_ioremap_leak+0x4e/0x70 + +When early_xdbc_setup_hardware() fails, make sure to call +early_iounmap() since xdbc_init() won't handle it. + +Signed-off-by: Lucas De Marchi +Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability") +Link: https://lore.kernel.org/r/20250627-xdbc-v1-1-43cc8c317b1b@intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/early/xhci-dbc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c +index b0c4071f0b16..8963d2b8d8f7 100644 +--- a/drivers/usb/early/xhci-dbc.c ++++ b/drivers/usb/early/xhci-dbc.c +@@ -679,6 +679,10 @@ int __init early_xdbc_setup_hardware(void) + + xdbc.table_base = NULL; + xdbc.out_buf = NULL; ++ ++ early_iounmap(xdbc.xhci_base, xdbc.xhci_length); ++ xdbc.xhci_base = NULL; ++ xdbc.xhci_length = 0; + } + + return ret; +-- +2.39.5 + diff --git a/queue-5.15/usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch b/queue-5.15/usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch new file mode 100644 index 0000000000..7cbe36fc09 --- /dev/null +++ b/queue-5.15/usb-misc-apple-mfi-fastcharge-make-power-supply-name.patch @@ -0,0 +1,110 @@ +From d8584ff2c62837e95bc62548127a87dd9e537c75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 18:26:17 +0000 +Subject: usb: misc: apple-mfi-fastcharge: Make power supply names unique + +From: Charalampos Mitrodimas + +[ Upstream commit 43007b89fb2de746443fbbb84aedd1089afdf582 ] + +When multiple Apple devices are connected concurrently, the +apple-mfi-fastcharge driver fails to probe the subsequent devices with +the following error: + + sysfs: cannot create duplicate filename '/class/power_supply/apple_mfi_fastcharge' + apple-mfi-fastcharge 5-2.4.3.3: probe of 5-2.4.3.3 failed with error -17 + +This happens because the driver uses a fixed power supply name +("apple_mfi_fastcharge") for all devices, causing a sysfs name +conflict when a second device is connected. + +Fix this by generating unique names using the USB bus and device +number (e.g., "apple_mfi_fastcharge_5-12"). This ensures each +connected device gets a unique power supply entry in sysfs. + +The change requires storing a copy of the power_supply_desc structure +in the per-device mfi_device struct, since the name pointer needs to +remain valid for the lifetime of the power supply registration. + +Fixes: 249fa8217b84 ("USB: Add driver to control USB fast charge for iOS devices") +Signed-off-by: Charalampos Mitrodimas +Link: https://lore.kernel.org/r/20250602-apple-mfi-fastcharge-duplicate-sysfs-v1-1-5d84de34fac6@posteo.net +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/apple-mfi-fastcharge.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/misc/apple-mfi-fastcharge.c b/drivers/usb/misc/apple-mfi-fastcharge.c +index ac8695195c13..8e852f4b8262 100644 +--- a/drivers/usb/misc/apple-mfi-fastcharge.c ++++ b/drivers/usb/misc/apple-mfi-fastcharge.c +@@ -44,6 +44,7 @@ MODULE_DEVICE_TABLE(usb, mfi_fc_id_table); + struct mfi_device { + struct usb_device *udev; + struct power_supply *battery; ++ struct power_supply_desc battery_desc; + int charge_type; + }; + +@@ -178,6 +179,7 @@ static int mfi_fc_probe(struct usb_device *udev) + { + struct power_supply_config battery_cfg = {}; + struct mfi_device *mfi = NULL; ++ char *battery_name; + int err; + + if (!mfi_fc_match(udev)) +@@ -187,23 +189,38 @@ static int mfi_fc_probe(struct usb_device *udev) + if (!mfi) + return -ENOMEM; + ++ battery_name = kasprintf(GFP_KERNEL, "apple_mfi_fastcharge_%d-%d", ++ udev->bus->busnum, udev->devnum); ++ if (!battery_name) { ++ err = -ENOMEM; ++ goto err_free_mfi; ++ } ++ ++ mfi->battery_desc = apple_mfi_fc_desc; ++ mfi->battery_desc.name = battery_name; ++ + battery_cfg.drv_data = mfi; + + mfi->charge_type = POWER_SUPPLY_CHARGE_TYPE_TRICKLE; + mfi->battery = power_supply_register(&udev->dev, +- &apple_mfi_fc_desc, ++ &mfi->battery_desc, + &battery_cfg); + if (IS_ERR(mfi->battery)) { + dev_err(&udev->dev, "Can't register battery\n"); + err = PTR_ERR(mfi->battery); +- kfree(mfi); +- return err; ++ goto err_free_name; + } + + mfi->udev = usb_get_dev(udev); + dev_set_drvdata(&udev->dev, mfi); + + return 0; ++ ++err_free_name: ++ kfree(battery_name); ++err_free_mfi: ++ kfree(mfi); ++ return err; + } + + static void mfi_fc_disconnect(struct usb_device *udev) +@@ -213,6 +230,7 @@ static void mfi_fc_disconnect(struct usb_device *udev) + mfi = dev_get_drvdata(&udev->dev); + if (mfi->battery) + power_supply_unregister(mfi->battery); ++ kfree(mfi->battery_desc.name); + dev_set_drvdata(&udev->dev, NULL); + usb_put_dev(mfi->udev); + kfree(mfi); +-- +2.39.5 + diff --git a/queue-5.15/vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch b/queue-5.15/vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch new file mode 100644 index 0000000000..c04d0314a4 --- /dev/null +++ b/queue-5.15/vhost-scsi-fix-log-flooding-with-target-does-not-exi.patch @@ -0,0 +1,65 @@ +From 55b4a7a7e244ff8a00a71467e22d2cc306e244c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 16:01:13 -0500 +Subject: vhost-scsi: Fix log flooding with target does not exist errors + +From: Mike Christie + +[ Upstream commit 69cd720a8a5e9ef0f05ce5dd8c9ea6e018245c82 ] + +As part of the normal initiator side scanning the guest's scsi layer +will loop over all possible targets and send an inquiry. Since the +max number of targets for virtio-scsi is 256, this can result in 255 +error messages about targets not existing if you only have a single +target. When there's more than 1 vhost-scsi device each with a single +target, then you get N * 255 log messages. + +It looks like the log message was added by accident in: + +commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from +control queue handler") + +when we added common helpers. Then in: + +commit 09d7583294aa ("vhost/scsi: Use common handling code in request +queue handler") + +we converted the scsi command processing path to use the new +helpers so we started to see the extra log messages during scanning. + +The patches were just making some code common but added the vq_err +call and I'm guessing the patch author forgot to enable the vq_err +call (vq_err is implemented by pr_debug which defaults to off). So +this patch removes the call since it's expected to hit this path +during device discovery. + +Fixes: 09d7583294aa ("vhost/scsi: Use common handling code in request queue handler") +Signed-off-by: Mike Christie +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Stefano Garzarella +Message-Id: <20250611210113.10912-1-michael.christie@oracle.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/scsi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index 2c19fa02141d..dff93612fcfd 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -907,10 +907,8 @@ vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc, + /* validated at handler entry */ + vs_tpg = vhost_vq_get_backend(vq); + tpg = READ_ONCE(vs_tpg[*vc->target]); +- if (unlikely(!tpg)) { +- vq_err(vq, "Target 0x%x does not exist\n", *vc->target); ++ if (unlikely(!tpg)) + goto out; +- } + } + + if (tpgp) +-- +2.39.5 + diff --git a/queue-5.15/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch b/queue-5.15/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch new file mode 100644 index 0000000000..4d4540ba23 --- /dev/null +++ b/queue-5.15/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch @@ -0,0 +1,49 @@ +From 052abca65c80a86a466c36e651e779e50302d750 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 13:52:14 +0800 +Subject: vmci: Prevent the dispatching of uninitialized payloads + +From: Lizhi Xu + +[ Upstream commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031 ] + +The reproducer executes the host's unlocked_ioctl call in two different +tasks. When init_context fails, the struct vmci_event_ctx is not fully +initialized when executing vmci_datagram_dispatch() to send events to all +vm contexts. This affects the datagram taken from the datagram queue of +its context by another task, because the datagram payload is not initialized +according to the size payload_size, which causes the kernel data to leak +to the user space. + +Before dispatching the datagram, and before setting the payload content, +explicitly set the payload content to 0 to avoid data leakage caused by +incomplete payload initialization. + +Fixes: 28d6692cd8fb ("VMCI: context implementation.") +Reported-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9b9124ae9b12d5af5d95 +Tested-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com +Signed-off-by: Lizhi Xu +Link: https://lore.kernel.org/r/20250627055214.2967129-1-lizhi.xu@windriver.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_context.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c +index c0b5e339d5a1..a8df60b9301c 100644 +--- a/drivers/misc/vmw_vmci/vmci_context.c ++++ b/drivers/misc/vmw_vmci/vmci_context.c +@@ -251,6 +251,8 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags) + ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID, + VMCI_CONTEXT_RESOURCE_ID); + ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr); ++ memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0, ++ ev.msg.hdr.payload_size); + ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED; + ev.payload.context_id = context_id; + +-- +2.39.5 + diff --git a/queue-5.15/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch b/queue-5.15/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch new file mode 100644 index 0000000000..4e35cf01c0 --- /dev/null +++ b/queue-5.15/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch @@ -0,0 +1,65 @@ +From 213c12d134ac149cdbf4c8950e33037842b30792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 09:00:43 -0700 +Subject: vrf: Drop existing dst reference in vrf_ip6_input_dst + +From: Stanislav Fomichev + +[ Upstream commit f388f807eca1de9e6e70f9ffb1a573c3811c4215 ] + +Commit ff3fbcdd4724 ("selftests: tc: Add generic erspan_opts matching support +for tc-flower") started triggering the following kmemleak warning: + +unreferenced object 0xffff888015fb0e00 (size 512): + comm "softirq", pid 0, jiffies 4294679065 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 40 d2 85 9e ff ff ff ff ........@....... + 41 69 59 9d ff ff ff ff 00 00 00 00 00 00 00 00 AiY............. + backtrace (crc 30b71e8b): + __kmalloc_noprof+0x359/0x460 + metadata_dst_alloc+0x28/0x490 + erspan_rcv+0x4f1/0x1160 [ip_gre] + gre_rcv+0x217/0x240 [ip_gre] + gre_rcv+0x1b8/0x400 [gre] + ip_protocol_deliver_rcu+0x31d/0x3a0 + ip_local_deliver_finish+0x37d/0x620 + ip_local_deliver+0x174/0x460 + ip_rcv+0x52b/0x6b0 + __netif_receive_skb_one_core+0x149/0x1a0 + process_backlog+0x3c8/0x1390 + __napi_poll.constprop.0+0xa1/0x390 + net_rx_action+0x59b/0xe00 + handle_softirqs+0x22b/0x630 + do_softirq+0xb1/0xf0 + __local_bh_enable_ip+0x115/0x150 + +vrf_ip6_input_dst unconditionally sets skb dst entry, add a call to +skb_dst_drop to drop any existing entry. + +Cc: David Ahern +Reviewed-by: Ido Schimmel +Fixes: 9ff74384600a ("net: vrf: Handle ipv6 multicast and link-local addresses") +Signed-off-by: Stanislav Fomichev +Link: https://patch.msgid.link/20250725160043.350725-1-sdf@fomichev.me +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vrf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index 27ab443ffa65..6c719d6da5b8 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -1364,6 +1364,8 @@ static void vrf_ip6_input_dst(struct sk_buff *skb, struct net_device *vrf_dev, + struct net *net = dev_net(vrf_dev); + struct rt6_info *rt6; + ++ skb_dst_drop(skb); ++ + rt6 = vrf_ip6_route_lookup(net, vrf_dev, &fl6, ifindex, skb, + RT6_LOOKUP_F_HAS_SADDR | RT6_LOOKUP_F_IFACE); + if (unlikely(!rt6)) +-- +2.39.5 + diff --git a/queue-5.15/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch b/queue-5.15/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch new file mode 100644 index 0000000000..3a1e546cd8 --- /dev/null +++ b/queue-5.15/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch @@ -0,0 +1,42 @@ +From 8aa2fa813ebd4d13e4197908ee278f925700cbba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 23:22:19 +0300 +Subject: watchdog: ziirave_wdt: check record length in ziirave_firm_verify() + +From: Dan Carpenter + +[ Upstream commit 8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 ] + +The "rec->len" value comes from the firmware. We generally do +trust firmware, but it's always better to double check. If +the length value is too large it would lead to memory corruption +when we set "data[i] = ret;" + +Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.") +Signed-off-by: Dan Carpenter +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/ziirave_wdt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c +index c5a9b820d43a..48c68c66e530 100644 +--- a/drivers/watchdog/ziirave_wdt.c ++++ b/drivers/watchdog/ziirave_wdt.c +@@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd, + const u16 len = be16_to_cpu(rec->len); + const u32 addr = be32_to_cpu(rec->addr); + ++ if (len > sizeof(data)) ++ return -EINVAL; ++ + if (ziirave_firm_addr_readonly(addr)) + continue; + +-- +2.39.5 + diff --git a/queue-5.15/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch b/queue-5.15/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch new file mode 100644 index 0000000000..220f702fd4 --- /dev/null +++ b/queue-5.15/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch @@ -0,0 +1,97 @@ +From 108340ab5cfbcdac29863fae5a70f3828078730f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 17:45:06 +0900 +Subject: wifi: ath11k: clear initialized flag for deinit-ed srng lists + +From: Sergey Senozhatsky + +[ Upstream commit a5b46aa7cf5f05c213316a018e49a8e086efd98e ] + +In a number of cases we see kernel panics on resume due +to ath11k kernel page fault, which happens under the +following circumstances: + +1) First ath11k_hal_dump_srng_stats() call + + Last interrupt received for each group: + ath11k_pci 0000:01:00.0: group_id 0 22511ms before + ath11k_pci 0000:01:00.0: group_id 1 14440788ms before + [..] + ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. + ath11k_pci 0000:01:00.0: Service connect timeout + ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 + ath11k_pci 0000:01:00.0: failed to start core: -110 + ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM + ath11k_pci 0000:01:00.0: already resetting count 2 + ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 + ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 + ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery + [..] + +2) At this point reconfiguration fails (we have 2 resets) and + ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() + which destroys srng lists. However, it does not reset per-list + ->initialized flag. + +3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized + flag and attempts to dump srng stats: + + Last interrupt received for each group: + ath11k_pci 0000:01:00.0: group_id 0 66785ms before + ath11k_pci 0000:01:00.0: group_id 1 14485062ms before + ath11k_pci 0000:01:00.0: group_id 2 14485062ms before + ath11k_pci 0000:01:00.0: group_id 3 14485062ms before + ath11k_pci 0000:01:00.0: group_id 4 14780845ms before + ath11k_pci 0000:01:00.0: group_id 5 14780845ms before + ath11k_pci 0000:01:00.0: group_id 6 14485062ms before + ath11k_pci 0000:01:00.0: group_id 7 66814ms before + ath11k_pci 0000:01:00.0: group_id 8 68997ms before + ath11k_pci 0000:01:00.0: group_id 9 67588ms before + ath11k_pci 0000:01:00.0: group_id 10 69511ms before + BUG: unable to handle page fault for address: ffffa007404eb010 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] + Call Trace: + + ? __die_body+0xae/0xb0 + ? page_fault_oops+0x381/0x3e0 + ? exc_page_fault+0x69/0xa0 + ? asm_exc_page_fault+0x22/0x30 + ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] + ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] + worker_thread+0x389/0x930 + kthread+0x149/0x170 + +Clear per-list ->initialized flag in ath11k_hal_srng_deinit(). + +Signed-off-by: Sergey Senozhatsky +Reviewed-by: Baochen Qiang +Fixes: 5118935b1bc2 ("ath11k: dump SRNG stats during FW assert") +Link: https://patch.msgid.link/20250612084551.702803-1-senozhatsky@chromium.org +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/hal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c +index 5dbf5596c9e8..ee68f67d8ab8 100644 +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -1286,6 +1286,10 @@ EXPORT_SYMBOL(ath11k_hal_srng_init); + void ath11k_hal_srng_deinit(struct ath11k_base *ab) + { + struct ath11k_hal *hal = &ab->hal; ++ int i; ++ ++ for (i = 0; i < HAL_SRNG_RING_ID_MAX; i++) ++ ab->hal.srng_list[i].initialized = 0; + + ath11k_hal_unregister_srng_key(ab); + ath11k_hal_free_cont_rdp(ab); +-- +2.39.5 + diff --git a/queue-5.15/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch b/queue-5.15/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch new file mode 100644 index 0000000000..a1b3d6fb53 --- /dev/null +++ b/queue-5.15/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch @@ -0,0 +1,65 @@ +From b2131d16cc34ad6c41913dff30f99b6c21a22884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 10:37:02 +0530 +Subject: wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing + P2P IE + +From: Gokul Sivakumar + +[ Upstream commit 579bf8037b70b644a674c126a32bbb2212cf5c21 ] + +After commit bd99a3013bdc ("brcmfmac: move configuration of probe request +IEs"), the probe request MGMT IE addition operation brcmf_vif_set_mgmt_ie() +got moved from the brcmf_p2p_scan_prep() to the brcmf_cfg80211_scan(). + +Because of this, as part of the scan request handler for the P2P Discovery, +vif struct used for adding the Probe Request P2P IE in firmware got changed +from the P2PAPI_BSSCFG_DEVICE vif to P2PAPI_BSSCFG_PRIMARY vif incorrectly. +So the firmware stopped adding P2P IE to the outgoing P2P Discovery probe +requests frames and the other P2P peers were unable to discover this device +causing a regression on the P2P feature. + +To fix this, while setting the P2P IE in firmware, properly use the vif of +the P2P discovery wdev on which the driver received the P2P scan request. +This is done by not changing the vif pointer, until brcmf_vif_set_mgmt_ie() +is completed. + +Fixes: bd99a3013bdc ("brcmfmac: move configuration of probe request IEs") +Signed-off-by: Gokul Sivakumar +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20250626050706.7271-1-gokulkumar.sivakumar@infineon.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index 1c95e8f75916..ebd2db226488 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -1199,10 +1199,6 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request) + return -EAGAIN; + } + +- /* If scan req comes for p2p0, send it over primary I/F */ +- if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif) +- vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif; +- + brcmf_dbg(SCAN, "START ESCAN\n"); + + cfg->scan_request = request; +@@ -1218,6 +1214,10 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request) + if (err) + goto scan_out; + ++ /* If scan req comes for p2p0, send it over primary I/F */ ++ if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif) ++ vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif; ++ + err = brcmf_do_escan(vif->ifp, request); + if (err) + goto scan_out; +-- +2.39.5 + diff --git a/queue-5.15/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch b/queue-5.15/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch new file mode 100644 index 0000000000..1986962e2b --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch @@ -0,0 +1,40 @@ +From ddaadbae628702c978e2fec6f4cce6956fe865cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 11:52:13 +0800 +Subject: wifi: iwlwifi: Fix memory leak in iwl_mvm_init() + +From: Xiu Jianfeng + +[ Upstream commit ed2e916c890944633d6826dce267579334f63ea5 ] + +When iwl_opmode_register() fails, it does not unregster rate control, +which will cause a memory leak issue, this patch fixes it. + +Fixes: 9f66a397c877 ("iwlwifi: mvm: rs: add ops for the new rate scaling in the FW") +Signed-off-by: Xiu Jianfeng +Link: https://patch.msgid.link/20221109035213.570-1-xiujianfeng@huawei.com +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +index e2c244ceaf70..05e1a6de8c2e 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +@@ -61,8 +61,10 @@ static int __init iwl_mvm_init(void) + } + + ret = iwl_opmode_register("iwlmvm", &iwl_mvm_ops); +- if (ret) ++ if (ret) { + pr_err("Unable to register MVM op_mode: %d\n", ret); ++ iwl_mvm_rate_control_unregister(); ++ } + + return ret; + } +-- +2.39.5 + diff --git a/queue-5.15/wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch b/queue-5.15/wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch new file mode 100644 index 0000000000..b0427f2356 --- /dev/null +++ b/queue-5.15/wifi-mac80211-check-802.11-encaps-offloading-in-ieee.patch @@ -0,0 +1,45 @@ +From 495d01b010c0420a3eea9bbdbced8caf584f0cd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 17:45:28 +0200 +Subject: wifi: mac80211: Check 802.11 encaps offloading in + ieee80211_tx_h_select_key() + +From: Remi Pommarel + +[ Upstream commit 4037c468d1b3c508d69e6df0ef47fdee3d440e39 ] + +With 802.11 encapsulation offloading, ieee80211_tx_h_select_key() is +called on 802.3 frames. In that case do not try to use skb data as +valid 802.11 headers. + +Reported-by: Bert Karwatzki +Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de +Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue") +Signed-off-by: Remi Pommarel +Link: https://patch.msgid.link/1af4b5b903a5fca5ebe67333d5854f93b2be5abe.1752765971.git.repk@triplefau.lt +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 4f2183f23117..4ab891c8416d 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -608,6 +608,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx) + else + tx->key = NULL; + ++ if (info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) { ++ if (tx->key && tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE) ++ info->control.hw_key = &tx->key->conf; ++ return TX_CONTINUE; ++ } ++ + if (tx->key) { + bool skip_hw = false; + +-- +2.39.5 + diff --git a/queue-5.15/wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch b/queue-5.15/wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch new file mode 100644 index 0000000000..bc8770c3f0 --- /dev/null +++ b/queue-5.15/wifi-mac80211-don-t-call-fq_flow_idx-for-management-.patch @@ -0,0 +1,45 @@ +From 8cd72efb582d88e650e0984df9a2c065ea889289 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 18:25:47 +0200 +Subject: wifi: mac80211: Don't call fq_flow_idx() for management frames + +From: Alexander Wetzel + +[ Upstream commit cb3bb3d88dfcd177a1050c0a009a3ee147b2e5b9 ] + +skb_get_hash() can only be used when the skb is linked to a netdev +device. + +Signed-off-by: Alexander Wetzel +Fixes: 73bc9e0af594 ("mac80211: don't apply flow control on management frames") +Link: https://patch.msgid.link/20250717162547.94582-3-Alexander@wetzel-home.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index c4e6fbe4343e..4f2183f23117 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1417,7 +1417,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local, + { + struct fq *fq = &local->fq; + struct fq_tin *tin = &txqi->tin; +- u32 flow_idx = fq_flow_idx(fq, skb); ++ u32 flow_idx; + + ieee80211_set_skb_enqueue_time(skb); + +@@ -1433,6 +1433,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local, + IEEE80211_TX_INTCFL_NEED_TXPROCESSING; + __skb_queue_tail(&txqi->frags, skb); + } else { ++ flow_idx = fq_flow_idx(fq, skb); + fq_tin_enqueue(fq, tin, flow_idx, skb, + fq_skb_free_func); + } +-- +2.39.5 + diff --git a/queue-5.15/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch b/queue-5.15/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch new file mode 100644 index 0000000000..c8eb8fef56 --- /dev/null +++ b/queue-5.15/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch @@ -0,0 +1,68 @@ +From 9ad3968aca183f5f1e7f2167d18d51a8b14d9ab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 16:56:34 +0300 +Subject: wifi: rtl818x: Kill URBs before clearing tx status queue + +From: Daniil Dulov + +[ Upstream commit 16d8fd74dbfca0ea58645cd2fca13be10cae3cdd ] + +In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing +b_tx_status.queue. This change prevents callbacks from using already freed +skb due to anchor was not killed before freeing such skb. + + BUG: kernel NULL pointer dereference, address: 0000000000000080 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 + RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211] + Call Trace: + + rtl8187_tx_cb+0x116/0x150 [rtl8187] + __usb_hcd_giveback_urb+0x9d/0x120 + usb_giveback_urb_bh+0xbb/0x140 + process_one_work+0x19b/0x3c0 + bh_worker+0x1a7/0x210 + tasklet_action+0x10/0x30 + handle_softirqs+0xf0/0x340 + __irq_exit_rcu+0xcd/0xf0 + common_interrupt+0x85/0xa0 + + +Tested on RTL8187BvE device. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: c1db52b9d27e ("rtl8187: Use usb anchor facilities to manage urbs") +Signed-off-by: Daniil Dulov +Reviewed-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250617135634.21760-1-d.dulov@aladdin.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +index eb68b2d3caa1..c9df185dc3f4 100644 +--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c ++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +@@ -1041,10 +1041,11 @@ static void rtl8187_stop(struct ieee80211_hw *dev) + rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF); + rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL); + ++ usb_kill_anchored_urbs(&priv->anchored); ++ + while ((skb = skb_dequeue(&priv->b_tx_status.queue))) + dev_kfree_skb_any(skb); + +- usb_kill_anchored_urbs(&priv->anchored); + mutex_unlock(&priv->conf_mutex); + + if (!priv->is_rtl8187b) +-- +2.39.5 + diff --git a/queue-5.15/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch b/queue-5.15/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch new file mode 100644 index 0000000000..c806bdc3d1 --- /dev/null +++ b/queue-5.15/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch @@ -0,0 +1,45 @@ +From b872e539a97fd0b1d78652e12547af7dba37b4e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 14:15:22 +0200 +Subject: wifi: rtl8xxxu: Fix RX skb size for aggregation disabled + +From: Martin Kaistra + +[ Upstream commit d76a1abcf57734d2bcd4a7ec051617edd4513d7f ] + +Commit 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for +phystats") increased the skb size when aggregation is enabled but decreased +it for the aggregation disabled case. + +As a result, if a frame near the maximum size is received, +rtl8xxxu_rx_complete() is called with status -EOVERFLOW and then the +driver starts to malfunction and no further communication is possible. + +Restore the skb size in the aggregation disabled case. + +Fixes: 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for phystats") +Signed-off-by: Martin Kaistra +Reviewed-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250709121522.1992366-1-martin.kaistra@linutronix.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index b042dff4ac93..9bcc137da20f 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5795,7 +5795,7 @@ static int rtl8xxxu_submit_rx_urb(struct rtl8xxxu_priv *priv, + skb_size = fops->rx_agg_buf_size; + skb_size += (rx_desc_sz + sizeof(struct rtl8723au_phy_stats)); + } else { +- skb_size = IEEE80211_MAX_FRAME_LEN; ++ skb_size = IEEE80211_MAX_FRAME_LEN + rx_desc_sz; + } + + skb = __netdev_alloc_skb(NULL, skb_size, GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-5.15/xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch b/queue-5.15/xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch new file mode 100644 index 0000000000..31a3a8abea --- /dev/null +++ b/queue-5.15/xen-gntdev-remove-struct-gntdev_copy_batch-from-stac.patch @@ -0,0 +1,187 @@ +From b309c8c0745aafb5d3e080e601f055b2a6c61617 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 09:32:59 +0200 +Subject: xen/gntdev: remove struct gntdev_copy_batch from stack + +From: Juergen Gross + +[ Upstream commit 70045cf6593cbf0740956ea9b7b4269142c6ee38 ] + +When compiling the kernel with LLVM, the following warning was issued: + + drivers/xen/gntdev.c:991: warning: stack frame size (1160) exceeds + limit (1024) in function 'gntdev_ioctl' + +The main reason is struct gntdev_copy_batch which is located on the +stack and has a size of nearly 1kb. + +For performance reasons it shouldn't by just dynamically allocated +instead, so allocate a new instance when needed and instead of freeing +it put it into a list of free structs anchored in struct gntdev_priv. + +Fixes: a4cdb556cae0 ("xen/gntdev: add ioctl for grant copy") +Reported-by: Abinash Singh +Reviewed-by: Stefano Stabellini +Signed-off-by: Juergen Gross +Message-ID: <20250703073259.17356-1-jgross@suse.com> +Signed-off-by: Sasha Levin +--- + drivers/xen/gntdev-common.h | 4 +++ + drivers/xen/gntdev.c | 71 ++++++++++++++++++++++++++----------- + 2 files changed, 54 insertions(+), 21 deletions(-) + +diff --git a/drivers/xen/gntdev-common.h b/drivers/xen/gntdev-common.h +index 9c286b2a1900..ac8ce3179ba2 100644 +--- a/drivers/xen/gntdev-common.h ++++ b/drivers/xen/gntdev-common.h +@@ -26,6 +26,10 @@ struct gntdev_priv { + /* lock protects maps and freeable_maps. */ + struct mutex lock; + ++ /* Free instances of struct gntdev_copy_batch. */ ++ struct gntdev_copy_batch *batch; ++ struct mutex batch_lock; ++ + #ifdef CONFIG_XEN_GRANT_DMA_ALLOC + /* Device for which DMA memory is allocated. */ + struct device *dma_dev; +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c +index 4d9a3050de6a..de8a36502aa2 100644 +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -56,6 +56,18 @@ MODULE_AUTHOR("Derek G. Murray , " + "Gerd Hoffmann "); + MODULE_DESCRIPTION("User-space granted page access driver"); + ++#define GNTDEV_COPY_BATCH 16 ++ ++struct gntdev_copy_batch { ++ struct gnttab_copy ops[GNTDEV_COPY_BATCH]; ++ struct page *pages[GNTDEV_COPY_BATCH]; ++ s16 __user *status[GNTDEV_COPY_BATCH]; ++ unsigned int nr_ops; ++ unsigned int nr_pages; ++ bool writeable; ++ struct gntdev_copy_batch *next; ++}; ++ + static unsigned int limit = 64*1024; + module_param(limit, uint, 0644); + MODULE_PARM_DESC(limit, +@@ -584,6 +596,8 @@ static int gntdev_open(struct inode *inode, struct file *flip) + INIT_LIST_HEAD(&priv->maps); + mutex_init(&priv->lock); + ++ mutex_init(&priv->batch_lock); ++ + #ifdef CONFIG_XEN_GNTDEV_DMABUF + priv->dmabuf_priv = gntdev_dmabuf_init(flip); + if (IS_ERR(priv->dmabuf_priv)) { +@@ -608,6 +622,7 @@ static int gntdev_release(struct inode *inode, struct file *flip) + { + struct gntdev_priv *priv = flip->private_data; + struct gntdev_grant_map *map; ++ struct gntdev_copy_batch *batch; + + pr_debug("priv %p\n", priv); + +@@ -620,6 +635,14 @@ static int gntdev_release(struct inode *inode, struct file *flip) + } + mutex_unlock(&priv->lock); + ++ mutex_lock(&priv->batch_lock); ++ while (priv->batch) { ++ batch = priv->batch; ++ priv->batch = batch->next; ++ kfree(batch); ++ } ++ mutex_unlock(&priv->batch_lock); ++ + #ifdef CONFIG_XEN_GNTDEV_DMABUF + gntdev_dmabuf_fini(priv->dmabuf_priv); + #endif +@@ -785,17 +808,6 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u) + return rc; + } + +-#define GNTDEV_COPY_BATCH 16 +- +-struct gntdev_copy_batch { +- struct gnttab_copy ops[GNTDEV_COPY_BATCH]; +- struct page *pages[GNTDEV_COPY_BATCH]; +- s16 __user *status[GNTDEV_COPY_BATCH]; +- unsigned int nr_ops; +- unsigned int nr_pages; +- bool writeable; +-}; +- + static int gntdev_get_page(struct gntdev_copy_batch *batch, void __user *virt, + unsigned long *gfn) + { +@@ -953,36 +965,53 @@ static int gntdev_grant_copy_seg(struct gntdev_copy_batch *batch, + static long gntdev_ioctl_grant_copy(struct gntdev_priv *priv, void __user *u) + { + struct ioctl_gntdev_grant_copy copy; +- struct gntdev_copy_batch batch; ++ struct gntdev_copy_batch *batch; + unsigned int i; + int ret = 0; + + if (copy_from_user(©, u, sizeof(copy))) + return -EFAULT; + +- batch.nr_ops = 0; +- batch.nr_pages = 0; ++ mutex_lock(&priv->batch_lock); ++ if (!priv->batch) { ++ batch = kmalloc(sizeof(*batch), GFP_KERNEL); ++ } else { ++ batch = priv->batch; ++ priv->batch = batch->next; ++ } ++ mutex_unlock(&priv->batch_lock); ++ if (!batch) ++ return -ENOMEM; ++ ++ batch->nr_ops = 0; ++ batch->nr_pages = 0; + + for (i = 0; i < copy.count; i++) { + struct gntdev_grant_copy_segment seg; + + if (copy_from_user(&seg, ©.segments[i], sizeof(seg))) { + ret = -EFAULT; ++ gntdev_put_pages(batch); + goto out; + } + +- ret = gntdev_grant_copy_seg(&batch, &seg, ©.segments[i].status); +- if (ret < 0) ++ ret = gntdev_grant_copy_seg(batch, &seg, ©.segments[i].status); ++ if (ret < 0) { ++ gntdev_put_pages(batch); + goto out; ++ } + + cond_resched(); + } +- if (batch.nr_ops) +- ret = gntdev_copy(&batch); +- return ret; ++ if (batch->nr_ops) ++ ret = gntdev_copy(batch); ++ ++ out: ++ mutex_lock(&priv->batch_lock); ++ batch->next = priv->batch; ++ priv->batch = batch; ++ mutex_unlock(&priv->batch_lock); + +- out: +- gntdev_put_pages(&batch); + return ret; + } + +-- +2.39.5 + -- 2.47.2