diff options
15 files changed, 947 insertions, 0 deletions
diff --git a/queue-6.1/af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch b/queue-6.1/af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch new file mode 100644 index 0000000000..b31aabde37 --- /dev/null +++ b/queue-6.1/af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch @@ -0,0 +1,99 @@ +From e825abab0ab1a3b8c25c616de889185e4546d55b Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 18 Jun 2025 21:13:57 -0700 +Subject: af_unix: Don't set -ECONNRESET for consumed OOB skb. + +From: Kuniyuki Iwashima <kuniyu@google.com> + +[ Upstream commit 2a5a4841846b079b5fca5752fe94e59346fbda40 ] + +Christian Brauner reported that even after MSG_OOB data is consumed, +calling close() on the receiver socket causes the peer's recv() to +return -ECONNRESET: + + 1. send() and recv() an OOB data. + + >>> from socket import * + >>> s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) + >>> s1.send(b'x', MSG_OOB) + 1 + >>> s2.recv(1, MSG_OOB) + b'x' + + 2. close() for s2 sets ECONNRESET to s1->sk_err even though + s2 consumed the OOB data + + >>> s2.close() + >>> s1.recv(10, MSG_DONTWAIT) + ... + ConnectionResetError: [Errno 104] Connection reset by peer + +Even after being consumed, the skb holding the OOB 1-byte data stays in +the recv queue to mark the OOB boundary and break recv() at that point. + +This must be considered while close()ing a socket. + +Let's skip the leading consumed OOB skb while checking the -ECONNRESET +condition in unix_release_sock(). + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Reported-by: Christian Brauner <brauner@kernel.org> +Closes: https://lore.kernel.org/netdev/20250529-sinkt-abfeuern-e7b08200c6b0@brauner/ +Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> +Acked-by: Christian Brauner <brauner@kernel.org> +Link: https://patch.msgid.link/20250619041457.1132791-4-kuni1840@gmail.com +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/unix/af_unix.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 01de31a0f22fe..2c33d787b860d 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -577,6 +577,11 @@ static void unix_sock_destructor(struct sock *sk) + #endif + } + ++static unsigned int unix_skb_len(const struct sk_buff *skb) ++{ ++ return skb->len - UNIXCB(skb).consumed; ++} ++ + static void unix_release_sock(struct sock *sk, int embrion) + { + struct unix_sock *u = unix_sk(sk); +@@ -611,10 +616,16 @@ static void unix_release_sock(struct sock *sk, int embrion) + + if (skpair != NULL) { + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { ++ struct sk_buff *skb = skb_peek(&sk->sk_receive_queue); ++ ++#if IS_ENABLED(CONFIG_AF_UNIX_OOB) ++ if (skb && !unix_skb_len(skb)) ++ skb = skb_peek_next(skb, &sk->sk_receive_queue); ++#endif + unix_state_lock(skpair); + /* No more writes */ + WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK); +- if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion) ++ if (skb || embrion) + WRITE_ONCE(skpair->sk_err, ECONNRESET); + unix_state_unlock(skpair); + skpair->sk_state_change(skpair); +@@ -2593,11 +2604,6 @@ static long unix_stream_data_wait(struct sock *sk, long timeo, + return timeo; + } + +-static unsigned int unix_skb_len(const struct sk_buff *skb) +-{ +- return skb->len - UNIXCB(skb).consumed; +-} +- + struct unix_stream_read_state { + int (*recv_actor)(struct sk_buff *, int, int, + struct unix_stream_read_state *); +-- +2.39.5 + diff --git a/queue-6.1/alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch b/queue-6.1/alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch new file mode 100644 index 0000000000..6c12f4e59b --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch @@ -0,0 +1,39 @@ +From eeb9af3949f79527513582f0f572c9e71bb2749c Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 25 Jun 2025 20:41:28 +0200 +Subject: ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR + +From: Salvatore Bonaccorso <carnil@debian.org> + +[ Upstream commit 7ab6847a03229e73bb7c58ca397630f699e79b53 ] + +The built-in mic of ASUS VivoBook X507UAR is broken recently by the fix +of the pin sort. The fixup ALC256_FIXUP_ASUS_MIC_NO_PRESENCE is working +for addressing the regression, too. + +Fixes: 3b4309546b48 ("ALSA: hda: Fix headset detection failure due to unstable sort") +Reported-by: Igor Tamara <igor.tamara@gmail.com> +Closes: https://bugs.debian.org/1108069 +Signed-off-by: Salvatore Bonaccorso <carnil@debian.org> +Link: https://lore.kernel.org/CADdHDco7_o=4h_epjEAb92Dj-vUz_PoTC2-W9g5ncT2E0NzfeQ@mail.gmail.com +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 3cacdbcb0d3ea..13b3ec78010a0 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10154,6 +10154,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1d4e, "ASUS TM420", ALC256_FIXUP_ASUS_HPE), + SND_PCI_QUIRK(0x1043, 0x1da2, "ASUS UP6502ZA/ZD", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1e02, "ASUS UX3402ZA", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x1e10, "ASUS VivoBook X507UAR", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1e11, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA502), + SND_PCI_QUIRK(0x1043, 0x1e12, "ASUS UM3402", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1e51, "ASUS Zephyrus M15", ALC294_FIXUP_ASUS_GU502_PINS), +-- +2.39.5 + diff --git a/queue-6.1/alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch b/queue-6.1/alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch new file mode 100644 index 0000000000..12e549832e --- /dev/null +++ b/queue-6.1/alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch @@ -0,0 +1,47 @@ +From 185bdea8c46e387abde366b6ef54d0bba8f07854 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 23 Jun 2025 20:05:25 +0900 +Subject: ALSA: usb-audio: Fix out-of-bounds read in + snd_usb_get_audioformat_uac3() + +From: Youngjun Lee <yjjuny.lee@samsung.com> + +[ Upstream commit fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a ] + +In snd_usb_get_audioformat_uac3(), the length value returned from +snd_usb_ctl_msg() is used directly for memory allocation without +validation. This length is controlled by the USB device. + +The allocated buffer is cast to a uac3_cluster_header_descriptor +and its fields are accessed without verifying that the buffer +is large enough. If the device returns a smaller than expected +length, this leads to an out-of-bounds read. + +Add a length check to ensure the buffer is large enough for +uac3_cluster_header_descriptor. + +Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com> +Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support") +Link: https://patch.msgid.link/20250623-uac3-oob-fix-v1-1-527303eaf40a@samsung.com +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + sound/usb/stream.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index e14c725acebf2..0f1558ef85553 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -982,6 +982,8 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip, + * and request Cluster Descriptor + */ + wLength = le16_to_cpu(hc_header.wLength); ++ if (wLength < sizeof(cluster)) ++ return NULL; + cluster = kzalloc(wLength, GFP_KERNEL); + if (!cluster) + return ERR_PTR(-ENOMEM); +-- +2.39.5 + diff --git a/queue-6.1/atm-clip-prevent-null-deref-in-clip_push.patch b/queue-6.1/atm-clip-prevent-null-deref-in-clip_push.patch new file mode 100644 index 0000000000..fc3d40a393 --- /dev/null +++ b/queue-6.1/atm-clip-prevent-null-deref-in-clip_push.patch @@ -0,0 +1,60 @@ +From db4dcb1fd3a9fe8a173682f7e507bc401b855bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 20 Jun 2025 14:28:44 +0000 +Subject: atm: clip: prevent NULL deref in clip_push() + +From: Eric Dumazet <edumazet@google.com> + +[ Upstream commit b993ea46b3b601915ceaaf3c802adf11e7d6bac6 ] + +Blamed commit missed that vcc_destroy_socket() calls +clip_push() with a NULL skb. + +If clip_devs is NULL, clip_push() then crashes when reading +skb->truesize. + +Fixes: 93a2014afbac ("atm: fix a UAF in lec_arp_clear_vccs()") +Reported-by: syzbot+1316233c4c6803382a8b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68556f59.a00a0220.137b3.004e.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Cong Wang <xiyou.wangcong@gmail.com> +Cc: Gengming Liu <l.dmxcsnsbh@gmail.com> +Reviewed-by: Simon Horman <horms@kernel.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/atm/clip.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/atm/clip.c b/net/atm/clip.c +index 294cb9efe3d38..511467bb7fe40 100644 +--- a/net/atm/clip.c ++++ b/net/atm/clip.c +@@ -193,12 +193,6 @@ static void clip_push(struct atm_vcc *vcc, struct sk_buff *skb) + + pr_debug("\n"); + +- if (!clip_devs) { +- atm_return(vcc, skb->truesize); +- kfree_skb(skb); +- return; +- } +- + if (!skb) { + pr_debug("removing VCC %p\n", clip_vcc); + if (clip_vcc->entry) +@@ -208,6 +202,11 @@ static void clip_push(struct atm_vcc *vcc, struct sk_buff *skb) + return; + } + atm_return(vcc, skb->truesize); ++ if (!clip_devs) { ++ kfree_skb(skb); ++ return; ++ } ++ + skb->dev = clip_vcc->entry ? clip_vcc->entry->neigh->dev : clip_devs; + /* clip_vcc->entry == NULL if we don't have an IP address yet */ + if (!skb->dev) { +-- +2.39.5 + diff --git a/queue-6.1/atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch b/queue-6.1/atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch new file mode 100644 index 0000000000..57efb82ce6 --- /dev/null +++ b/queue-6.1/atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch @@ -0,0 +1,106 @@ +From 4d3e0257e20e4d681c1e50a84cc2ea1d858270e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 24 Jun 2025 14:45:00 -0700 +Subject: atm: Release atm_dev_mutex after removing procfs in + atm_dev_deregister(). + +From: Kuniyuki Iwashima <kuniyu@google.com> + +[ Upstream commit a433791aeaea6e84df709e0b9584b9bbe040cd1c ] + +syzbot reported a warning below during atm_dev_register(). [0] + +Before creating a new device and procfs/sysfs for it, atm_dev_register() +looks up a duplicated device by __atm_dev_lookup(). These operations are +done under atm_dev_mutex. + +However, when removing a device in atm_dev_deregister(), it releases the +mutex just after removing the device from the list that __atm_dev_lookup() +iterates over. + +So, there will be a small race window where the device does not exist on +the device list but procfs/sysfs are still not removed, triggering the +splat. + +Let's hold the mutex until procfs/sysfs are removed in +atm_dev_deregister(). + +[0]: +proc_dir_entry 'atm/atmtcp:0' already registered +WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 +Modules linked in: +CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 +Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 +RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 +RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 +RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 +R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 +FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <TASK> + proc_create_data+0xbe/0x110 fs/proc/generic.c:585 + atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 + atm_dev_register+0x46d/0x890 net/atm/resources.c:113 + atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 + atmtcp_attach drivers/atm/atmtcp.c:403 [inline] + atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 + do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 + sock_do_ioctl+0x115/0x280 net/socket.c:1190 + sock_ioctl+0x227/0x6b0 net/socket.c:1311 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl fs/ioctl.c:893 [inline] + __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f38b3b74459 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 +RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 +RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f +R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac +R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b + </TASK> + +Fixes: 64bf69ddff76 ("[ATM]: deregistration removes device from atm_devs list immediately") +Reported-by: syzbot+8bd335d2ad3b93e80715@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/685316de.050a0220.216029.0087.GAE@google.com/ +Tested-by: syzbot+8bd335d2ad3b93e80715@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> +Link: https://patch.msgid.link/20250624214505.570679-1-kuni1840@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/atm/resources.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index 995d29e7fb138..b19d851e1f443 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -146,11 +146,10 @@ void atm_dev_deregister(struct atm_dev *dev) + */ + mutex_lock(&atm_dev_mutex); + list_del(&dev->dev_list); +- mutex_unlock(&atm_dev_mutex); +- + atm_dev_release_vccs(dev); + atm_unregister_sysfs(dev); + atm_proc_dev_deregister(dev); ++ mutex_unlock(&atm_dev_mutex); + + atm_dev_put(dev); + } +-- +2.39.5 + diff --git a/queue-6.1/attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch b/queue-6.1/attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch new file mode 100644 index 0000000000..7d944afb1a --- /dev/null +++ b/queue-6.1/attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch @@ -0,0 +1,51 @@ +From eb950707098ef9ca719a1375db9095df5572c819 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Sun, 22 Jun 2025 18:03:29 -0400 +Subject: attach_recursive_mnt(): do not lock the covering tree when sliding + something under it + +From: Al Viro <viro@zeniv.linux.org.uk> + +[ Upstream commit ce7df19686530920f2f6b636e71ce5eb1d9303ef ] + +If we are propagating across the userns boundary, we need to lock the +mounts added there. However, in case when something has already +been mounted there and we end up sliding a new tree under that, +the stuff that had been there before should not get locked. + +IOW, lock_mnt_tree() should be called before we reparent the +preexisting tree on top of what we are adding. + +Fixes: 3bd045cc9c4b ("separate copying and locking mount tree on cross-userns copies") +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + fs/namespace.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index aae1a77ac2d3f..67d89ebb5044e 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2249,14 +2249,14 @@ static int attach_recursive_mnt(struct mount *source_mnt, + hlist_for_each_entry_safe(child, n, &tree_list, mnt_hash) { + struct mount *q; + hlist_del_init(&child->mnt_hash); +- q = __lookup_mnt(&child->mnt_parent->mnt, +- child->mnt_mountpoint); +- if (q) +- mnt_change_mountpoint(child, smp, q); + /* Notice when we are propagating across user namespaces */ + if (child->mnt_parent->mnt_ns->user_ns != user_ns) + lock_mnt_tree(child); + child->mnt.mnt_flags &= ~MNT_LOCKED; ++ q = __lookup_mnt(&child->mnt_parent->mnt, ++ child->mnt_mountpoint); ++ if (q) ++ mnt_change_mountpoint(child, smp, q); + commit_tree(child); + } + put_mountpoint(smp); +-- +2.39.5 + diff --git a/queue-6.1/drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch b/queue-6.1/drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch new file mode 100644 index 0000000000..78e5f12df6 --- /dev/null +++ b/queue-6.1/drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch @@ -0,0 +1,150 @@ +From 83ea3a594f867b315b326d3e53b915fab7f946ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 24 Jun 2025 10:18:35 +0530 +Subject: drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type + +From: Jayesh Choudhary <j-choudhary@ti.com> + +[ Upstream commit 55e8ff842051b1150461d7595d8f1d033c69d66b ] + +By default, HPD was disabled on SN65DSI86 bridge. When the driver was +added (commit "a095f15c00e27"), the HPD_DISABLE bit was set in pre-enable +call which was moved to other function calls subsequently. +Later on, commit "c312b0df3b13" added detect utility for DP mode. But with +HPD_DISABLE bit set, all the HPD events are disabled[0] and the debounced +state always return 1 (always connected state). + +Set HPD_DISABLE bit conditionally based on display sink's connector type. +Since the HPD_STATE is reflected correctly only after waiting for debounce +time (~100-400ms) and adding this delay in detect() is not feasible +owing to the performace impact (glitches and frame drop), remove runtime +calls in detect() and add hpd_enable()/disable() bridge hooks with runtime +calls, to detect hpd properly without any delay. + +[0]: <https://www.ti.com/lit/gpn/SN65DSI86> (Pg. 32) + +Fixes: c312b0df3b13 ("drm/bridge: ti-sn65dsi86: Implement bridge connector operations for DP") +Cc: Max Krummenacher <max.krummenacher@toradex.com> +Reviewed-by: Douglas Anderson <dianders@chromium.org> +Tested-by: Ernest Van Hoecke <ernest.vanhoecke@toradex.com> +Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com> +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Link: https://lore.kernel.org/r/20250624044835.165708-1-j-choudhary@ti.com +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 69 +++++++++++++++++++++++---- + 1 file changed, 60 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index 2848aabe8f5b6..26a064624d976 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -331,12 +331,18 @@ static void ti_sn65dsi86_enable_comms(struct ti_sn65dsi86 *pdata) + * 200 ms. We'll assume that the panel driver will have the hardcoded + * delay in its prepare and always disable HPD. + * +- * If HPD somehow makes sense on some future panel we'll have to +- * change this to be conditional on someone specifying that HPD should +- * be used. ++ * For DisplayPort bridge type, we need HPD. So we use the bridge type ++ * to conditionally disable HPD. ++ * NOTE: The bridge type is set in ti_sn_bridge_probe() but enable_comms() ++ * can be called before. So for DisplayPort, HPD will be enabled once ++ * bridge type is set. We are using bridge type instead of "no-hpd" ++ * property because it is not used properly in devicetree description ++ * and hence is unreliable. + */ +- regmap_update_bits(pdata->regmap, SN_HPD_DISABLE_REG, HPD_DISABLE, +- HPD_DISABLE); ++ ++ if (pdata->bridge.type != DRM_MODE_CONNECTOR_DisplayPort) ++ regmap_update_bits(pdata->regmap, SN_HPD_DISABLE_REG, HPD_DISABLE, ++ HPD_DISABLE); + + pdata->comms_enabled = true; + +@@ -1154,9 +1160,14 @@ static enum drm_connector_status ti_sn_bridge_detect(struct drm_bridge *bridge) + struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge); + int val = 0; + +- pm_runtime_get_sync(pdata->dev); ++ /* ++ * Runtime reference is grabbed in ti_sn_bridge_hpd_enable() ++ * as the chip won't report HPD just after being powered on. ++ * HPD_DEBOUNCED_STATE reflects correct state only after the ++ * debounce time (~100-400 ms). ++ */ ++ + regmap_read(pdata->regmap, SN_HPD_DISABLE_REG, &val); +- pm_runtime_put_autosuspend(pdata->dev); + + return val & HPD_DEBOUNCED_STATE ? connector_status_connected + : connector_status_disconnected; +@@ -1179,6 +1190,26 @@ static void ti_sn65dsi86_debugfs_init(struct drm_bridge *bridge, struct dentry * + debugfs_create_file("status", 0600, debugfs, pdata, &status_fops); + } + ++static void ti_sn_bridge_hpd_enable(struct drm_bridge *bridge) ++{ ++ struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge); ++ ++ /* ++ * Device needs to be powered on before reading the HPD state ++ * for reliable hpd detection in ti_sn_bridge_detect() due to ++ * the high debounce time. ++ */ ++ ++ pm_runtime_get_sync(pdata->dev); ++} ++ ++static void ti_sn_bridge_hpd_disable(struct drm_bridge *bridge) ++{ ++ struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge); ++ ++ pm_runtime_put_autosuspend(pdata->dev); ++} ++ + static const struct drm_bridge_funcs ti_sn_bridge_funcs = { + .attach = ti_sn_bridge_attach, + .detach = ti_sn_bridge_detach, +@@ -1193,6 +1224,8 @@ static const struct drm_bridge_funcs ti_sn_bridge_funcs = { + .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, + .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, + .debugfs_init = ti_sn65dsi86_debugfs_init, ++ .hpd_enable = ti_sn_bridge_hpd_enable, ++ .hpd_disable = ti_sn_bridge_hpd_disable, + }; + + static void ti_sn_bridge_parse_lanes(struct ti_sn65dsi86 *pdata, +@@ -1281,8 +1314,26 @@ static int ti_sn_bridge_probe(struct auxiliary_device *adev, + pdata->bridge.type = pdata->next_bridge->type == DRM_MODE_CONNECTOR_DisplayPort + ? DRM_MODE_CONNECTOR_DisplayPort : DRM_MODE_CONNECTOR_eDP; + +- if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) +- pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT; ++ if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) { ++ pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT | ++ DRM_BRIDGE_OP_HPD; ++ /* ++ * If comms were already enabled they would have been enabled ++ * with the wrong value of HPD_DISABLE. Update it now. Comms ++ * could be enabled if anyone is holding a pm_runtime reference ++ * (like if a GPIO is in use). Note that in most cases nobody ++ * is doing AUX channel xfers before the bridge is added so ++ * HPD doesn't _really_ matter then. The only exception is in ++ * the eDP case where the panel wants to read the EDID before ++ * the bridge is added. We always consistently have HPD disabled ++ * for eDP. ++ */ ++ mutex_lock(&pdata->comms_mutex); ++ if (pdata->comms_enabled) ++ regmap_update_bits(pdata->regmap, SN_HPD_DISABLE_REG, ++ HPD_DISABLE, 0); ++ mutex_unlock(&pdata->comms_mutex); ++ }; + + drm_bridge_add(&pdata->bridge); + +-- +2.39.5 + diff --git a/queue-6.1/drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch b/queue-6.1/drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch new file mode 100644 index 0000000000..3363f06a30 --- /dev/null +++ b/queue-6.1/drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch @@ -0,0 +1,104 @@ +From fa5bd9806009dee2a44fe3c38e93efa5ea3c198e Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Sat, 15 Mar 2025 21:15:11 +0100 +Subject: drm/bridge: ti-sn65dsi86: make use of debugfs_init callback + +From: Wolfram Sang <wsa+renesas@sang-engineering.com> + +[ Upstream commit 1d1f7b15cb9c11974cebfd39da51dc69b8cb31ff ] + +Do not create a custom directory in debugfs-root, but use the +debugfs_init callback to create a custom directory at the given place +for the bridge. The new directory layout looks like this on a Renesas +GrayHawk-Single with a R-Car V4M SoC: + + /sys/kernel/debug/dri/feb00000.display/DP-1/1-002c + +Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> +Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> +Reviewed-by: Douglas Anderson <dianders@chromium.org> +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Link: https://patchwork.freedesktop.org/patch/msgid/20250315201651.7339-2-wsa+renesas@sang-engineering.com +Stable-dep-of: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 40 +++++++-------------------- + 1 file changed, 10 insertions(+), 30 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index 3c8e33f416e70..2848aabe8f5b6 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -424,36 +424,8 @@ static int status_show(struct seq_file *s, void *data) + + return 0; + } +- + DEFINE_SHOW_ATTRIBUTE(status); + +-static void ti_sn65dsi86_debugfs_remove(void *data) +-{ +- debugfs_remove_recursive(data); +-} +- +-static void ti_sn65dsi86_debugfs_init(struct ti_sn65dsi86 *pdata) +-{ +- struct device *dev = pdata->dev; +- struct dentry *debugfs; +- int ret; +- +- debugfs = debugfs_create_dir(dev_name(dev), NULL); +- +- /* +- * We might get an error back if debugfs wasn't enabled in the kernel +- * so let's just silently return upon failure. +- */ +- if (IS_ERR_OR_NULL(debugfs)) +- return; +- +- ret = devm_add_action_or_reset(dev, ti_sn65dsi86_debugfs_remove, debugfs); +- if (ret) +- return; +- +- debugfs_create_file("status", 0600, debugfs, pdata, &status_fops); +-} +- + /* ----------------------------------------------------------------------------- + * Auxiliary Devices (*not* AUX) + */ +@@ -1198,6 +1170,15 @@ static struct edid *ti_sn_bridge_get_edid(struct drm_bridge *bridge, + return drm_get_edid(connector, &pdata->aux.ddc); + } + ++static void ti_sn65dsi86_debugfs_init(struct drm_bridge *bridge, struct dentry *root) ++{ ++ struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge); ++ struct dentry *debugfs; ++ ++ debugfs = debugfs_create_dir(dev_name(pdata->dev), root); ++ debugfs_create_file("status", 0600, debugfs, pdata, &status_fops); ++} ++ + static const struct drm_bridge_funcs ti_sn_bridge_funcs = { + .attach = ti_sn_bridge_attach, + .detach = ti_sn_bridge_detach, +@@ -1211,6 +1192,7 @@ static const struct drm_bridge_funcs ti_sn_bridge_funcs = { + .atomic_reset = drm_atomic_helper_bridge_reset, + .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, + .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, ++ .debugfs_init = ti_sn65dsi86_debugfs_init, + }; + + static void ti_sn_bridge_parse_lanes(struct ti_sn65dsi86 *pdata, +@@ -1917,8 +1899,6 @@ static int ti_sn65dsi86_probe(struct i2c_client *client, + if (ret) + return ret; + +- ti_sn65dsi86_debugfs_init(pdata); +- + /* + * Break ourselves up into a collection of aux devices. The only real + * motiviation here is to solve the chicken-and-egg problem of probe +-- +2.39.5 + diff --git a/queue-6.1/libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch b/queue-6.1/libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch new file mode 100644 index 0000000000..f9ba41b59f --- /dev/null +++ b/queue-6.1/libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch @@ -0,0 +1,42 @@ +From e5c3232de5805e117cbc12216b31b5ee61d442a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 18 Jun 2025 09:19:33 +0800 +Subject: libbpf: Fix null pointer dereference in btf_dump__free on allocation + failure + +From: Yuan Chen <chenyuan@kylinos.cn> + +[ Upstream commit aa485e8789d56a4573f7c8d000a182b749eaa64d ] + +When btf_dump__new() fails to allocate memory for the internal hashmap +(btf_dump->type_names), it returns an error code. However, the cleanup +function btf_dump__free() does not check if btf_dump->type_names is NULL +before attempting to free it. This leads to a null pointer dereference +when btf_dump__free() is called on a btf_dump object. + +Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion") +Signed-off-by: Yuan Chen <chenyuan@kylinos.cn> +Signed-off-by: Andrii Nakryiko <andrii@kernel.org> +Link: https://lore.kernel.org/bpf/20250618011933.11423-1-chenyuan_fl@163.com +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + tools/lib/bpf/btf_dump.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c +index cfdee656789b2..72334cc14d737 100644 +--- a/tools/lib/bpf/btf_dump.c ++++ b/tools/lib/bpf/btf_dump.c +@@ -224,6 +224,9 @@ static void btf_dump_free_names(struct hashmap *map) + size_t bkt; + struct hashmap_entry *cur; + ++ if (!map) ++ return; ++ + hashmap__for_each_entry(map, cur, bkt) + free((void *)cur->key); + +-- +2.39.5 + diff --git a/queue-6.1/net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch b/queue-6.1/net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch new file mode 100644 index 0000000000..25545862e6 --- /dev/null +++ b/queue-6.1/net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch @@ -0,0 +1,60 @@ +From 1d410aeea73f9d8315c8b2c2631050c0cb858d47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 24 Jun 2025 17:35:12 +0100 +Subject: net: enetc: Correct endianness handling in _enetc_rd_reg64 + +From: Simon Horman <horms@kernel.org> + +[ Upstream commit 7b515f35a911fdc31fbde6531828dcd6ae9803d3 ] + +enetc_hw.h provides two versions of _enetc_rd_reg64. +One which simply calls ioread64() when available. +And another that composes the 64-bit result from ioread32() calls. + +In the second case the code appears to assume that each ioread32() call +returns a little-endian value. However both the shift and logical or +used to compose the return value would not work correctly on big endian +systems if this were the case. Moreover, this is inconsistent with the +first case where the return value of ioread64() is assumed to be in host +byte order. + +It appears that the correct approach is for both versions to treat the +return value of ioread*() functions as being in host byte order. And +this patch corrects the ioread32()-based version to do so. + +This is a bug but would only manifest on big endian systems +that make use of the ioread32-based implementation of _enetc_rd_reg64. +While all in-tree users of this driver are little endian and +make use of the ioread64-based implementation of _enetc_rd_reg64. +Thus, no in-tree user of this driver is affected by this bug. + +Flagged by Sparse. +Compile tested only. + +Fixes: 16eb4c85c964 ("enetc: Add ethtool statistics") +Closes: https://lore.kernel.org/all/AM9PR04MB850500D3FC24FE23DEFCEA158879A@AM9PR04MB8505.eurprd04.prod.outlook.com/ +Signed-off-by: Simon Horman <horms@kernel.org> +Reviewed-by: Wei Fang <wei.fang@nxp.com> +Link: https://patch.msgid.link/20250624-etnetc-le-v1-1-a73a95d96e4e@kernel.org +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc_hw.h b/drivers/net/ethernet/freescale/enetc/enetc_hw.h +index 18ca1f42b1f75..04d3e0dedc963 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc_hw.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc_hw.h +@@ -461,7 +461,7 @@ static inline u64 _enetc_rd_reg64(void __iomem *reg) + tmp = ioread32(reg + 4); + } while (high != tmp); + +- return le64_to_cpu((__le64)high << 32 | low); ++ return (u64)high << 32 | low; + } + #endif + +-- +2.39.5 + diff --git a/queue-6.1/net-selftests-fix-tcp-packet-checksum.patch b/queue-6.1/net-selftests-fix-tcp-packet-checksum.patch new file mode 100644 index 0000000000..2059826172 --- /dev/null +++ b/queue-6.1/net-selftests-fix-tcp-packet-checksum.patch @@ -0,0 +1,46 @@ +From 1a03ea35fdad74c247094066c3cd25e4b06f92c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 24 Jun 2025 11:32:58 -0700 +Subject: net: selftests: fix TCP packet checksum + +From: Jakub Kicinski <kuba@kernel.org> + +[ Upstream commit 8d89661a36dd3bb8c9902cff36dc0c144dce3faf ] + +The length in the pseudo header should be the length of the L3 payload +AKA the L4 header+payload. The selftest code builds the packet from +the lower layers up, so all the headers are pushed already when it +constructs L4. We need to subtract the lower layer headers from skb->len. + +Fixes: 3e1e58d64c3d ("net: add generic selftest support") +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com> +Reported-by: Oleksij Rempel <o.rempel@pengutronix.de> +Tested-by: Oleksij Rempel <o.rempel@pengutronix.de> +Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de> +Link: https://patch.msgid.link/20250624183258.3377740-1-kuba@kernel.org +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/core/selftests.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/core/selftests.c b/net/core/selftests.c +index 7af99d07762ea..946e92cca2111 100644 +--- a/net/core/selftests.c ++++ b/net/core/selftests.c +@@ -160,8 +160,9 @@ static struct sk_buff *net_test_get_skb(struct net_device *ndev, + skb->csum = 0; + skb->ip_summed = CHECKSUM_PARTIAL; + if (attr->tcp) { +- thdr->check = ~tcp_v4_check(skb->len, ihdr->saddr, +- ihdr->daddr, 0); ++ int l4len = skb->len - skb_transport_offset(skb); ++ ++ thdr->check = ~tcp_v4_check(l4len, ihdr->saddr, ihdr->daddr, 0); + skb->csum_start = skb_transport_header(skb) - skb->head; + skb->csum_offset = offsetof(struct tcphdr, check); + } else { +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index 23ec0fc98b..a29d1a5e8c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -73,3 +73,17 @@ i2c-robotfuzz-osif-disable-zero-length-read-messages.patch asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch +atm-clip-prevent-null-deref-in-clip_push.patch +alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch +attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch +libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch +wifi-mac80211-fix-beacon-interval-calculation-overfl.patch +af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch +vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch +um-ubd-add-missing-error-check-in-start_io_thread.patch +net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch +atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch +alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch +net-selftests-fix-tcp-packet-checksum.patch +drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch +drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch diff --git a/queue-6.1/um-ubd-add-missing-error-check-in-start_io_thread.patch b/queue-6.1/um-ubd-add-missing-error-check-in-start_io_thread.patch new file mode 100644 index 0000000000..dd0287ccaa --- /dev/null +++ b/queue-6.1/um-ubd-add-missing-error-check-in-start_io_thread.patch @@ -0,0 +1,37 @@ +From 9e44703667f11d9f7c166630aeb9199e56b3b1d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 6 Jun 2025 20:44:25 +0800 +Subject: um: ubd: Add missing error check in start_io_thread() + +From: Tiwei Bie <tiwei.btw@antgroup.com> + +[ Upstream commit c55c7a85e02a7bfee20a3ffebdff7cbeb41613ef ] + +The subsequent call to os_set_fd_block() overwrites the previous +return value. OR the two return values together to fix it. + +Fixes: f88f0bdfc32f ("um: UBD Improvements") +Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com> +Link: https://patch.msgid.link/20250606124428.148164-2-tiwei.btw@antgroup.com +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + arch/um/drivers/ubd_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/drivers/ubd_user.c b/arch/um/drivers/ubd_user.c +index a1afe414ce481..fb5b1e7c133d8 100644 +--- a/arch/um/drivers/ubd_user.c ++++ b/arch/um/drivers/ubd_user.c +@@ -41,7 +41,7 @@ int start_io_thread(unsigned long sp, int *fd_out) + *fd_out = fds[1]; + + err = os_set_fd_block(*fd_out, 0); +- err = os_set_fd_block(kernel_fd, 0); ++ err |= os_set_fd_block(kernel_fd, 0); + if (err) { + printk("start_io_thread - failed to set nonblocking I/O.\n"); + goto out_close; +-- +2.39.5 + diff --git a/queue-6.1/vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch b/queue-6.1/vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch new file mode 100644 index 0000000000..b108ea0e81 --- /dev/null +++ b/queue-6.1/vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch @@ -0,0 +1,54 @@ +From bb978956e329d1840cbe1f8bb1574a20ebfbcd57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 23 Jun 2025 12:00:53 +0200 +Subject: vsock/uapi: fix linux/vm_sockets.h userspace compilation errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefano Garzarella <sgarzare@redhat.com> + +[ Upstream commit 22bbc1dcd0d6785fb390c41f0dd5b5e218d23bdd ] + +If a userspace application just include <linux/vm_sockets.h> will fail +to build with the following errors: + + /usr/include/linux/vm_sockets.h:182:39: error: invalid application of ‘sizeof’ to incomplete type ‘struct sockaddr’ + 182 | unsigned char svm_zero[sizeof(struct sockaddr) - + | ^~~~~~ + /usr/include/linux/vm_sockets.h:183:39: error: ‘sa_family_t’ undeclared here (not in a function) + 183 | sizeof(sa_family_t) - + | + +Include <sys/socket.h> for userspace (guarded by ifndef __KERNEL__) +where `struct sockaddr` and `sa_family_t` are defined. +We already do something similar in <linux/mptcp.h> and <linux/if.h>. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Reported-by: Daan De Meyer <daan.j.demeyer@gmail.com> +Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> +Link: https://patch.msgid.link/20250623100053.40979-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + include/uapi/linux/vm_sockets.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/include/uapi/linux/vm_sockets.h b/include/uapi/linux/vm_sockets.h +index ed07181d4eff9..e05280e415228 100644 +--- a/include/uapi/linux/vm_sockets.h ++++ b/include/uapi/linux/vm_sockets.h +@@ -17,6 +17,10 @@ + #ifndef _UAPI_VM_SOCKETS_H + #define _UAPI_VM_SOCKETS_H + ++#ifndef __KERNEL__ ++#include <sys/socket.h> /* for struct sockaddr and sa_family_t */ ++#endif ++ + #include <linux/socket.h> + #include <linux/types.h> + +-- +2.39.5 + diff --git a/queue-6.1/wifi-mac80211-fix-beacon-interval-calculation-overfl.patch b/queue-6.1/wifi-mac80211-fix-beacon-interval-calculation-overfl.patch new file mode 100644 index 0000000000..4e46fe6f3c --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-beacon-interval-calculation-overfl.patch @@ -0,0 +1,38 @@ +From 5ab12386d5ae78d4792c5539165684d4c0f15c6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Sat, 21 Jun 2025 22:32:09 +1000 +Subject: wifi: mac80211: fix beacon interval calculation overflow + +From: Lachlan Hodges <lachlan.hodges@morsemicro.com> + +[ Upstream commit 7a3750ff0f2e8fee338a9c168f429f6c37f0e820 ] + +As we are converting from TU to usecs, a beacon interval of +100*1024 usecs will lead to integer wrapping. To fix change +to use a u32. + +Fixes: 057d5f4ba1e4 ("mac80211: sync dtim_count to TSF") +Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com> +Link: https://patch.msgid.link/20250621123209.511796-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/mac80211/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index e8326e09d1b37..e60c8607e4b64 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -4452,7 +4452,7 @@ void ieee80211_recalc_dtim(struct ieee80211_local *local, + { + u64 tsf = drv_get_tsf(local, sdata); + u64 dtim_count = 0; +- u16 beacon_int = sdata->vif.bss_conf.beacon_int * 1024; ++ u32 beacon_int = sdata->vif.bss_conf.beacon_int * 1024; + u8 dtim_period = sdata->vif.bss_conf.dtim_period; + struct ps_data *ps; + u8 bcns_from_dtim; +-- +2.39.5 + |