41 files changed, 3643 insertions, 0 deletions
diff --git a/queue-6.15/af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch b/queue-6.15/af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch
new file mode 100644
index 0000000000..9a5cff7d49
--- /dev/null
+++ b/queue-6.15/af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch
@@ -0,0 +1,99 @@
+From c30c4ab1bfbb232756ff7a229723ffde70b36a20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 21:13:57 -0700
+Subject: af_unix: Don't set -ECONNRESET for consumed OOB skb.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 2a5a4841846b079b5fca5752fe94e59346fbda40 ]
+
+Christian Brauner reported that even after MSG_OOB data is consumed,
+calling close() on the receiver socket causes the peer's recv() to
+return -ECONNRESET:
+
+ 1. send() and recv() an OOB data.
+
+ >>> from socket import *
+ >>> s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)
+ >>> s1.send(b'x', MSG_OOB)
+ 1
+ >>> s2.recv(1, MSG_OOB)
+ b'x'
+
+ 2. close() for s2 sets ECONNRESET to s1->sk_err even though
+ s2 consumed the OOB data
+
+ >>> s2.close()
+ >>> s1.recv(10, MSG_DONTWAIT)
+ ...
+ ConnectionResetError: [Errno 104] Connection reset by peer
+
+Even after being consumed, the skb holding the OOB 1-byte data stays in
+the recv queue to mark the OOB boundary and break recv() at that point.
+
+This must be considered while close()ing a socket.
+
+Let's skip the leading consumed OOB skb while checking the -ECONNRESET
+condition in unix_release_sock().
+
+Fixes: 314001f0bf92 ("af_unix: Add OOB support")
+Reported-by: Christian Brauner <brauner@kernel.org>
+Closes: https://lore.kernel.org/netdev/20250529-sinkt-abfeuern-e7b08200c6b0@brauner/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Acked-by: Christian Brauner <brauner@kernel.org>
+Link: https://patch.msgid.link/20250619041457.1132791-4-kuni1840@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index af003831f4c67..52f2812d2fa5b 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -654,6 +654,11 @@ static void unix_sock_destructor(struct sock *sk)
+ #endif
+ }
+
++static unsigned int unix_skb_len(const struct sk_buff *skb)
++{
++ return skb->len - UNIXCB(skb).consumed;
++}
++
+ static void unix_release_sock(struct sock *sk, int embrion)
+ {
+ struct unix_sock *u = unix_sk(sk);
+@@ -688,10 +693,16 @@ static void unix_release_sock(struct sock *sk, int embrion)
+
+ if (skpair != NULL) {
+ if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
++ struct sk_buff *skb = skb_peek(&sk->sk_receive_queue);
++
++#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
++ if (skb && !unix_skb_len(skb))
++ skb = skb_peek_next(skb, &sk->sk_receive_queue);
++#endif
+ unix_state_lock(skpair);
+ /* No more writes */
+ WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
+- if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion)
++ if (skb || embrion)
+ WRITE_ONCE(skpair->sk_err, ECONNRESET);
+ unix_state_unlock(skpair);
+ skpair->sk_state_change(skpair);
+@@ -2578,11 +2589,6 @@ static long unix_stream_data_wait(struct sock *sk, long timeo,
+ return timeo;
+ }
+
+-static unsigned int unix_skb_len(const struct sk_buff *skb)
+-{
+- return skb->len - UNIXCB(skb).consumed;
+-}
+-
+ struct unix_stream_read_state {
+ int (*recv_actor)(struct sk_buff *, int, int,
+ struct unix_stream_read_state *);
+--
+2.39.5
+
diff --git a/queue-6.15/alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch b/queue-6.15/alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch
new file mode 100644
index 0000000000..dacc7459e2
--- /dev/null
+++ b/queue-6.15/alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch
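Review bot: The new `skb_peek()` / `skb_peek_next()` calls in unix_release_sock() walk `sk->sk_receive_queue` and read `UNIXCB(skb).consumed` with no queue lock visibly held in this hunk, whereas the line they replace used the lockless-annotated `skb_queue_empty_lockless()`. If this is safe because the socket has already been shut down and orphaned earlier in the function (that part is outside the hunk), a short comment should record it, e.g. `/* sk is already dead, nothing can be queued any more: peeking without the queue lock is safe */`. The check also skips exactly one zero-length skb at the head; that matches the commit message, but the assumption that at most one consumed OOB marker can lead the queue deserves a word in the same comment.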
@@ -0,0 +1,39 @@
+From 1690afd785a3a8b97fc08838c270a632b4d4038b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 20:41:28 +0200
+Subject: ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR
+
+From: Salvatore Bonaccorso <carnil@debian.org>
+
+[ Upstream commit 7ab6847a03229e73bb7c58ca397630f699e79b53 ]
+
+The built-in mic of ASUS VivoBook X507UAR is broken recently by the fix
+of the pin sort. The fixup ALC256_FIXUP_ASUS_MIC_NO_PRESENCE is working
+for addressing the regression, too.
+
+Fixes: 3b4309546b48 ("ALSA: hda: Fix headset detection failure due to unstable sort")
+Reported-by: Igor Tamara <igor.tamara@gmail.com>
+Closes: https://bugs.debian.org/1108069
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+Link: https://lore.kernel.org/CADdHDco7_o=4h_epjEAb92Dj-vUz_PoTC2-W9g5ncT2E0NzfeQ@mail.gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 02a424b7a9920..03ffaec49998d 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11002,6 +11002,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1df3, "ASUS UM5606WA", ALC294_FIXUP_BASS_SPEAKER_15),
+ SND_PCI_QUIRK(0x1043, 0x1264, "ASUS UM5606KA", ALC294_FIXUP_BASS_SPEAKER_15),
+ SND_PCI_QUIRK(0x1043, 0x1e02, "ASUS UX3402ZA", ALC245_FIXUP_CS35L41_SPI_2),
++ SND_PCI_QUIRK(0x1043, 0x1e10, "ASUS VivoBook X507UAR", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1e11, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA502),
+ SND_PCI_QUIRK(0x1043, 0x1e12, "ASUS UM3402", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1e1f, "ASUS Vivobook 15 X1504VAP", ALC2XX_FIXUP_HEADSET_MIC),
+--
+2.39.5
+
diff --git a/queue-6.15/alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch b/queue-6.15/alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch
new file mode 100644
index 0000000000..7325f20145
--- /dev/null
+++ b/queue-6.15/alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch
@@ -0,0 +1,47 @@
+From d53906d3c891150c39704f6662439c0efe18b771 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 20:05:25 +0900
+Subject: ALSA: usb-audio: Fix out-of-bounds read in
+ snd_usb_get_audioformat_uac3()
+
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+
+[ Upstream commit fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a ]
+
+In snd_usb_get_audioformat_uac3(), the length value returned from
+snd_usb_ctl_msg() is used directly for memory allocation without
+validation. This length is controlled by the USB device.
+
+The allocated buffer is cast to a uac3_cluster_header_descriptor
+and its fields are accessed without verifying that the buffer
+is large enough. If the device returns a smaller than expected
+length, this leads to an out-of-bounds read.
+
+Add a length check to ensure the buffer is large enough for
+uac3_cluster_header_descriptor.
+
+Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
+Link: https://patch.msgid.link/20250623-uac3-oob-fix-v1-1-527303eaf40a@samsung.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/stream.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/stream.c b/sound/usb/stream.c
+index c1ea8844a46fc..aa91d63749f2c 100644
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -987,6 +987,8 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
+ * and request Cluster Descriptor
+ */
+ wLength = le16_to_cpu(hc_header.wLength);
++ if (wLength < sizeof(cluster))
++ return NULL;
+ cluster = kzalloc(wLength, GFP_KERNEL);
+ if (!cluster)
+ return ERR_PTR(-ENOMEM);
+--
+2.39.5
+
diff --git a/queue-6.15/asoc-amd-ps-fix-for-soundwire-failures-during-hibern.patch b/queue-6.15/asoc-amd-ps-fix-for-soundwire-failures-during-hibern.patch
new file mode 100644
index 0000000000..9d2eac5f93
--- /dev/null
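Review bot: The added guard `if (wLength < sizeof(cluster))` measures `cluster` itself, and the next line (`cluster = kzalloc(...)`) shows `cluster` is a pointer, so the device-controlled length is compared with the pointer width rather than with the descriptor header the commit message says it protects. The declaration is outside the hunk, but assuming it is a `struct uac3_cluster_header_descriptor *`, the check should read `if (wLength < sizeof(*cluster))`; as written, whether the bound happens to cover the header depends on the architecture's pointer size. The early `return NULL` also differs from the `ERR_PTR(-ENOMEM)` convention two lines below, so confirm that the caller treats NULL as "skip this format" and does not pass it to `IS_ERR()`-only handling. snd_usb_get_audioformat_uac3() starts and ends outside the hunk.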
+++ b/queue-6.15/asoc-amd-ps-fix-for-soundwire-failures-during-hibern.patch 
@@ -0,0 +1,123 @@
+From af5208b1cd859bba9793462c6a34628a3d22ef35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 14:14:55 +0530
+Subject: ASoC: amd: ps: fix for soundwire failures during hibernation exit
+ sequence
+
+From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+
+[ Upstream commit dc6458ed95e40146699f9c523e34cb13ff127170 ]
+
+During the hibernate entry sequence, ACP registers will be reset to
+default values and acp ip will be completely powered off including acp
+SoundWire pads. During resume sequence, if acp SoundWire pad keeper enable
+register is not restored along with pad pulldown control register value,
+then SoundWire manager links won't be powered on correctly results in
+peripheral register access failures and completely audio function is
+broken.
+
+Add code to store the acp SoundWire pad keeper enable register and acp pad
+pulldown ctrl register values before entering into suspend state and
+restore the register values during resume sequence based on condition check
+for acp SoundWire pad keeper enable register for ACP6.3, ACP7.0 & ACP7.1
+platforms.
+ +Fixes: 491628388005 ("ASoC: amd: ps: add callback functions for acp pci driver pm ops") +Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com> +Link: https://patch.msgid.link/20250623084630.3100279-1-Vijendar.Mukunda@amd.com +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + sound/soc/amd/ps/acp63.h | 4 ++++ + sound/soc/amd/ps/ps-common.c | 18 ++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/sound/soc/amd/ps/acp63.h b/sound/soc/amd/ps/acp63.h +index 85feae45c44c5..d7c994e26e4df 100644 +--- a/sound/soc/amd/ps/acp63.h ++++ b/sound/soc/amd/ps/acp63.h +@@ -334,6 +334,8 @@ struct acp_hw_ops { + * @addr: pci ioremap address + * @reg_range: ACP reigister range + * @acp_rev: ACP PCI revision id ++ * @acp_sw_pad_keeper_en: store acp SoundWire pad keeper enable register value ++ * @acp_pad_pulldown_ctrl: store acp pad pulldown control register value + * @acp63_sdw0-dma_intr_stat: DMA interrupt status array for ACP6.3 platform SoundWire + * manager-SW0 instance + * @acp63_sdw_dma_intr_stat: DMA interrupt status array for ACP6.3 platform SoundWire +@@ -367,6 +369,8 @@ struct acp63_dev_data { + u32 addr; + u32 reg_range; + u32 acp_rev; ++ u32 acp_sw_pad_keeper_en; ++ u32 acp_pad_pulldown_ctrl; + u16 acp63_sdw0_dma_intr_stat[ACP63_SDW0_DMA_MAX_STREAMS]; + u16 acp63_sdw1_dma_intr_stat[ACP63_SDW1_DMA_MAX_STREAMS]; + u16 acp70_sdw0_dma_intr_stat[ACP70_SDW0_DMA_MAX_STREAMS]; +diff --git a/sound/soc/amd/ps/ps-common.c b/sound/soc/amd/ps/ps-common.c +index 1c89fb5fe1da5..7b4966b75dc67 100644 +--- a/sound/soc/amd/ps/ps-common.c ++++ b/sound/soc/amd/ps/ps-common.c +@@ -160,6 +160,8 @@ static int __maybe_unused snd_acp63_suspend(struct device *dev) + + adata = dev_get_drvdata(dev); + if (adata->is_sdw_dev) { ++ adata->acp_sw_pad_keeper_en = readl(adata->acp63_base + ACP_SW0_PAD_KEEPER_EN); ++ adata->acp_pad_pulldown_ctrl = readl(adata->acp63_base + ACP_PAD_PULLDOWN_CTRL); + adata->sdw_en_stat = 
check_acp_sdw_enable_status(adata); + if (adata->sdw_en_stat) { + writel(1, adata->acp63_base + ACP_ZSC_DSP_CTRL); +@@ -197,6 +199,7 @@ static int __maybe_unused snd_acp63_runtime_resume(struct device *dev) + static int __maybe_unused snd_acp63_resume(struct device *dev) + { + struct acp63_dev_data *adata; ++ u32 acp_sw_pad_keeper_en; + int ret; + + adata = dev_get_drvdata(dev); +@@ -209,6 +212,12 @@ static int __maybe_unused snd_acp63_resume(struct device *dev) + if (ret) + dev_err(dev, "ACP init failed\n"); + ++ acp_sw_pad_keeper_en = readl(adata->acp63_base + ACP_SW0_PAD_KEEPER_EN); ++ dev_dbg(dev, "ACP_SW0_PAD_KEEPER_EN:0x%x\n", acp_sw_pad_keeper_en); ++ if (!acp_sw_pad_keeper_en) { ++ writel(adata->acp_sw_pad_keeper_en, adata->acp63_base + ACP_SW0_PAD_KEEPER_EN); ++ writel(adata->acp_pad_pulldown_ctrl, adata->acp63_base + ACP_PAD_PULLDOWN_CTRL); ++ } + return ret; + } + +@@ -408,6 +417,8 @@ static int __maybe_unused snd_acp70_suspend(struct device *dev) + + adata = dev_get_drvdata(dev); + if (adata->is_sdw_dev) { ++ adata->acp_sw_pad_keeper_en = readl(adata->acp63_base + ACP_SW0_PAD_KEEPER_EN); ++ adata->acp_pad_pulldown_ctrl = readl(adata->acp63_base + ACP_PAD_PULLDOWN_CTRL); + adata->sdw_en_stat = check_acp_sdw_enable_status(adata); + if (adata->sdw_en_stat) { + writel(1, adata->acp63_base + ACP_ZSC_DSP_CTRL); +@@ -445,6 +456,7 @@ static int __maybe_unused snd_acp70_runtime_resume(struct device *dev) + static int __maybe_unused snd_acp70_resume(struct device *dev) + { + struct acp63_dev_data *adata; ++ u32 acp_sw_pad_keeper_en; + int ret; + + adata = dev_get_drvdata(dev); +@@ -459,6 +471,12 @@ static int __maybe_unused snd_acp70_resume(struct device *dev) + if (ret) + dev_err(dev, "ACP init failed\n"); + ++ acp_sw_pad_keeper_en = readl(adata->acp63_base + ACP_SW0_PAD_KEEPER_EN); ++ dev_dbg(dev, "ACP_SW0_PAD_KEEPER_EN:0x%x\n", acp_sw_pad_keeper_en); ++ if (!acp_sw_pad_keeper_en) { ++ writel(adata->acp_sw_pad_keeper_en, adata->acp63_base + 
ACP_SW0_PAD_KEEPER_EN); ++ writel(adata->acp_pad_pulldown_ctrl, adata->acp63_base + ACP_PAD_PULLDOWN_CTRL); ++ } + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.15/atm-clip-prevent-null-deref-in-clip_push.patch b/queue-6.15/atm-clip-prevent-null-deref-in-clip_push.patch new file mode 100644 index 0000000000..69a3a01f7b --- /dev/null +++ b/queue-6.15/atm-clip-prevent-null-deref-in-clip_push.patch 
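Review bot: In snd_acp63_resume() and snd_acp70_resume() the restore block appears to run at function level (indentation is lost on this page), while the matching save in both suspend handlers sits inside `if (adata->is_sdw_dev)`. On a configuration without SoundWire the cached `acp_sw_pad_keeper_en` and `acp_pad_pulldown_ctrl` were never captured, yet they are written back whenever the register reads zero; guarding the restore the same way, `if (adata->is_sdw_dev && !acp_sw_pad_keeper_en) {`, keeps save and restore symmetric. The block is also reached after the `"ACP init failed"` path, where touching the pad registers may not be wanted. The six added lines are identical in both resume handlers and could move into one static helper; both functions begin outside the hunk.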
@@ -0,0 +1,60 @@
+From e79a52f8a51f3376afb114932a0101dfb06974de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 14:28:44 +0000
+Subject: atm: clip: prevent NULL deref in clip_push()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b993ea46b3b601915ceaaf3c802adf11e7d6bac6 ]
+
+Blamed commit missed that vcc_destroy_socket() calls
+clip_push() with a NULL skb.
+
+If clip_devs is NULL, clip_push() then crashes when reading
+skb->truesize.
+
+Fixes: 93a2014afbac ("atm: fix a UAF in lec_arp_clear_vccs()")
+Reported-by: syzbot+1316233c4c6803382a8b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68556f59.a00a0220.137b3.004e.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 61b5b700817de..b234dc3bcb0d4 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -193,12 +193,6 @@ static void clip_push(struct atm_vcc *vcc, struct sk_buff *skb)
+
+ pr_debug("\n");
+
+- if (!clip_devs) {
+- atm_return(vcc, skb->truesize);
+- kfree_skb(skb);
+- return;
+- }
+-
+ if (!skb) {
+ pr_debug("removing VCC %p\n", clip_vcc);
+ if (clip_vcc->entry)
+@@ -208,6 +202,11 @@ static void clip_push(struct atm_vcc *vcc, struct sk_buff *skb)
+ return;
+ }
+ atm_return(vcc, skb->truesize);
++ if (!clip_devs) {
++ kfree_skb(skb);
++ return;
++ }
++
+ skb->dev = clip_vcc->entry ? clip_vcc->entry->neigh->dev : clip_devs;
+ /* clip_vcc->entry == NULL if we don't have an IP address yet */
+ if (!skb->dev) {
+--
+2.39.5
+
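Review bot: clip_push() depends on `skb == NULL` being a teardown call (the commit message names vcc_destroy_socket() as the caller), but nothing in the function states that contract, and the removed block dereferenced `skb->truesize` ahead of the `if (!skb)` branch. A comment on that branch would keep later edits from putting an skb dereference in front of it again, e.g. `/* skb == NULL: the VCC is being torn down; handle this before any skb dereference */`. After the move `clip_devs` is read twice, once in the new check and once in the `skb->dev = ... : clip_devs` line; whether it can change between the two reads is not visible here, and the existing `if (!skb->dev)` test below still covers a NULL result. The function starts and ends outside the hunk.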
diff --git a/queue-6.15/atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch b/queue-6.15/atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch
new file mode 100644
index 0000000000..8a5a9d6798
--- /dev/null
+++ b/queue-6.15/atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch
@@ -0,0 +1,106 @@
+From 4518a100a40feccb454b869a2f198559a7e56fd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:45:00 -0700
+Subject: atm: Release atm_dev_mutex after removing procfs in
+ atm_dev_deregister().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit a433791aeaea6e84df709e0b9584b9bbe040cd1c ]
+
+syzbot reported a warning below during atm_dev_register(). [0]
+
+Before creating a new device and procfs/sysfs for it, atm_dev_register()
+looks up a duplicated device by __atm_dev_lookup(). These operations are
+done under atm_dev_mutex.
+
+However, when removing a device in atm_dev_deregister(), it releases the
+mutex just after removing the device from the list that __atm_dev_lookup()
+iterates over.
+
+So, there will be a small race window where the device does not exist on
+the device list but procfs/sysfs are still not removed, triggering the
+splat.
+
+Let's hold the mutex until procfs/sysfs are removed in
+atm_dev_deregister().
+ +[0]: +proc_dir_entry 'atm/atmtcp:0' already registered +WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 +Modules linked in: +CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 +Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 +RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 +RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 +RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 +R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 +FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + <TASK> + proc_create_data+0xbe/0x110 fs/proc/generic.c:585 + atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 + atm_dev_register+0x46d/0x890 net/atm/resources.c:113 + atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 + atmtcp_attach drivers/atm/atmtcp.c:403 [inline] + atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 + do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 + sock_do_ioctl+0x115/0x280 net/socket.c:1190 + sock_ioctl+0x227/0x6b0 net/socket.c:1311 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl fs/ioctl.c:893 [inline] + __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 + 
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f38b3b74459 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 +RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 +RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f +R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac +R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b + </TASK> + +Fixes: 64bf69ddff76 ("[ATM]: deregistration removes device from atm_devs list immediately") +Reported-by: syzbot+8bd335d2ad3b93e80715@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/685316de.050a0220.216029.0087.GAE@google.com/ +Tested-by: syzbot+8bd335d2ad3b93e80715@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> +Link: https://patch.msgid.link/20250624214505.570679-1-kuni1840@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/atm/resources.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index 995d29e7fb138..b19d851e1f443 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -146,11 +146,10 @@ void atm_dev_deregister(struct atm_dev *dev) + */ + mutex_lock(&atm_dev_mutex); + list_del(&dev->dev_list); +- mutex_unlock(&atm_dev_mutex); +- + atm_dev_release_vccs(dev); + atm_unregister_sysfs(dev); + atm_proc_dev_deregister(dev); ++ mutex_unlock(&atm_dev_mutex); + + atm_dev_put(dev); + } +-- +2.39.5 + 
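Review bot: atm_dev_deregister() now keeps `atm_dev_mutex` held across `atm_dev_release_vccs()`, `atm_unregister_sysfs()` and `atm_proc_dev_deregister()`, and the code carries no comment saying why the unlock moved or what is allowed to run under the lock. Removing procfs/sysfs entries can wait for in-flight readers, so if any handler reachable from those entries, or from VCC release, takes `atm_dev_mutex`, this ordering could block; that cannot be confirmed from the hunk and is worth checking. A comment at the unlock would record the intent, e.g. `/* hold atm_dev_mutex until procfs/sysfs are gone, so atm_dev_register() never finds the name free while stale entries remain */`.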
diff --git a/queue-6.15/attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch b/queue-6.15/attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch
new file mode 100644
index 0000000000..db348dab26
--- /dev/null
+++ b/queue-6.15/attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch
@@ -0,0 +1,51 @@
+From f07c63254acf74daf2f1348e085bf0cb9500316b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Jun 2025 18:03:29 -0400
+Subject: attach_recursive_mnt(): do not lock the covering tree when sliding
+ something under it
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit ce7df19686530920f2f6b636e71ce5eb1d9303ef ]
+
+If we are propagating across the userns boundary, we need to lock the
+mounts added there. However, in case when something has already
+been mounted there and we end up sliding a new tree under that,
+the stuff that had been there before should not get locked.
+
+IOW, lock_mnt_tree() should be called before we reparent the
+preexisting tree on top of what we are adding.
+
+Fixes: 3bd045cc9c4b ("separate copying and locking mount tree on cross-userns copies")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index d6ac7e533b021..24b087ba88159 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2765,14 +2765,14 @@ static int attach_recursive_mnt(struct mount *source_mnt,
+ hlist_for_each_entry_safe(child, n, &tree_list, mnt_hash) {
+ struct mount *q;
+ hlist_del_init(&child->mnt_hash);
+- q = __lookup_mnt(&child->mnt_parent->mnt,
+- child->mnt_mountpoint);
+- if (q)
+- mnt_change_mountpoint(child, smp, q);
+ /* Notice when we are propagating across user namespaces */
+ if (child->mnt_parent->mnt_ns->user_ns != user_ns)
+ lock_mnt_tree(child);
+ child->mnt.mnt_flags &= ~MNT_LOCKED;
++ q = __lookup_mnt(&child->mnt_parent->mnt,
++ child->mnt_mountpoint);
++ if (q)
++ mnt_change_mountpoint(child, smp, q);
+ commit_tree(child);
+ }
+ put_mountpoint(smp);
+--
+2.39.5
+
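Review bot: The loop in attach_recursive_mnt() now depends on a pure ordering constraint, `lock_mnt_tree(child)` before `mnt_change_mountpoint(child, smp, q)`, and the code has no comment recording it, so a later tidy-up could move the lookup back above the lock. Per the commit message, getting the order wrong locks mounts that were already present when propagating across a user-namespace boundary, so the constraint is worth stating above the moved lookup, e.g. `/* lock first: whatever is found at q was mounted before us and must not be covered by lock_mnt_tree() */`. The function starts and ends outside the hunk.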
diff --git a/queue-6.15/bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch b/queue-6.15/bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch
new file mode 100644
index 0000000000..6d8db3b20a
--- /dev/null
+++ b/queue-6.15/bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch
@@ -0,0 +1,252 @@
+From a0cbe4fc6d61d4e29bacabdbe17716d70b951488 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 09:58:13 -0700
+Subject: Bluetooth: hci_core: Fix use-after-free in vhci_flush()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 1d6123102e9fbedc8d25bf4731da6d513173e49e ]
+
+syzbot reported use-after-free in vhci_flush() without repro. [0]
+
+From the splat, a thread close()d a vhci file descriptor while
+its device was being used by iotcl() on another thread.
+
+Once the last fd refcnt is released, vhci_release() calls
+hci_unregister_dev(), hci_free_dev(), and kfree() for struct
+vhci_data, which is set to hci_dev->dev->driver_data.
+
+The problem is that there is no synchronisation after unlinking
+hdev from hci_dev_list in hci_unregister_dev(). There might be
+another thread still accessing the hdev which was fetched before
+the unlink operation.
+
+We can use SRCU for such synchronisation.
+
+Let's run hci_dev_reset() under SRCU and wait for its completion
+in hci_unregister_dev().
+
+Another option would be to restore hci_dev->destruct(), which was
+removed in commit 587ae086f6e4 ("Bluetooth: Remove unused
+hci-destruct cb"). However, this would not be a good solution, as
+we should not run hci_unregister_dev() while there are in-flight
+ioctl() requests, which could lead to another data-race KCSAN splat.
+
+Note that other drivers seem to have the same problem, for exmaple,
+virtbt_remove().
+ +[0]: +BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] +BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 +Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718 + +CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +Call Trace: + <TASK> + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:408 [inline] + print_report+0xd2/0x2b0 mm/kasan/report.c:521 + kasan_report+0x118/0x150 mm/kasan/report.c:634 + skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] + skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 + skb_queue_purge include/linux/skbuff.h:3368 [inline] + vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69 + hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline] + hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592 + sock_do_ioctl+0xd9/0x300 net/socket.c:1190 + sock_ioctl+0x576/0x790 net/socket.c:1311 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fcf5b98e929 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929 +RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009 +RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 
R14: 00007fcf5bbb6160 R15: 00007ffd6353d528 + </TASK> + +Allocated by task 6535: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359 + kmalloc_noprof include/linux/slab.h:905 [inline] + kzalloc_noprof include/linux/slab.h:1039 [inline] + vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635 + misc_open+0x2bc/0x330 drivers/char/misc.c:161 + chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414 + do_dentry_open+0xdf0/0x1970 fs/open.c:964 + vfs_open+0x3b/0x340 fs/open.c:1094 + do_open fs/namei.c:3887 [inline] + path_openat+0x2ee5/0x3830 fs/namei.c:4046 + do_filp_open+0x1fa/0x410 fs/namei.c:4073 + do_sys_openat2+0x121/0x1c0 fs/open.c:1437 + do_sys_open fs/open.c:1452 [inline] + __do_sys_openat fs/open.c:1468 [inline] + __se_sys_openat fs/open.c:1463 [inline] + __x64_sys_openat+0x138/0x170 fs/open.c:1463 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 6535: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2381 [inline] + slab_free mm/slub.c:4643 [inline] + kfree+0x18e/0x440 mm/slub.c:4842 + vhci_release+0xbc/0xd0 drivers/bluetooth/hci_vhci.c:671 + __fput+0x44c/0xa70 fs/file_table.c:465 + task_work_run+0x1d1/0x260 kernel/task_work.c:227 + exit_task_work include/linux/task_work.h:40 [inline] + do_exit+0x6ad/0x22e0 kernel/exit.c:955 + do_group_exit+0x21c/0x2d0 kernel/exit.c:1104 + __do_sys_exit_group kernel/exit.c:1115 
[inline] + __se_sys_exit_group kernel/exit.c:1113 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1113 + x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The buggy address belongs to the object at ffff88807cb8d800 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 88 bytes inside of + freed 1024-byte region [ffff88807cb8d800, ffff88807cb8dc00) + +Fixes: bf18c7118cf8 ("Bluetooth: vhci: Free driver_data on file release") +Reported-by: syzbot+2faa4825e556199361f9@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f62d64848fc4c7c30cd6 +Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> +Acked-by: Paul Menzel <pmenzel@molgen.mpg.de> +Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + include/net/bluetooth/hci_core.h | 2 ++ + net/bluetooth/hci_core.c | 34 ++++++++++++++++++++++++++++---- + 2 files changed, 32 insertions(+), 4 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index d15316bffd70b..6e9d2a856a6b0 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -29,6 +29,7 @@ + #include <linux/idr.h> + #include <linux/leds.h> + #include <linux/rculist.h> ++#include <linux/srcu.h> + + #include <net/bluetooth/hci.h> + #include <net/bluetooth/hci_sync.h> +@@ -345,6 +346,7 @@ struct adv_monitor { + + struct hci_dev { + struct list_head list; ++ struct srcu_struct srcu; + struct mutex lock; + + struct ida unset_handle_ida; +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index af30a420bab75..abff4690cb88f 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -64,7 +64,7 @@ static DEFINE_IDA(hci_index_ida); + + /* Get HCI device by 
index. + * Device is held on return. */ +-struct hci_dev *hci_dev_get(int index) ++static struct hci_dev *__hci_dev_get(int index, int *srcu_index) + { + struct hci_dev *hdev = NULL, *d; + +@@ -77,6 +77,8 @@ struct hci_dev *hci_dev_get(int index) + list_for_each_entry(d, &hci_dev_list, list) { + if (d->id == index) { + hdev = hci_dev_hold(d); ++ if (srcu_index) ++ *srcu_index = srcu_read_lock(&d->srcu); + break; + } + } +@@ -84,6 +86,22 @@ struct hci_dev *hci_dev_get(int index) + return hdev; + } + ++struct hci_dev *hci_dev_get(int index) ++{ ++ return __hci_dev_get(index, NULL); ++} ++ ++static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index) ++{ ++ return __hci_dev_get(index, srcu_index); ++} ++ ++static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index) ++{ ++ srcu_read_unlock(&hdev->srcu, srcu_index); ++ hci_dev_put(hdev); ++} ++ + /* ---- Inquiry support ---- */ + + bool hci_discovery_active(struct hci_dev *hdev) +@@ -568,9 +586,9 @@ static int hci_dev_do_reset(struct hci_dev *hdev) + int hci_dev_reset(__u16 dev) + { + struct hci_dev *hdev; +- int err; ++ int err, srcu_index; + +- hdev = hci_dev_get(dev); ++ hdev = hci_dev_get_srcu(dev, &srcu_index); + if (!hdev) + return -ENODEV; + +@@ -592,7 +610,7 @@ int hci_dev_reset(__u16 dev) + err = hci_dev_do_reset(hdev); + + done: +- hci_dev_put(hdev); ++ hci_dev_put_srcu(hdev, srcu_index); + return err; + } + +@@ -2419,6 +2437,11 @@ struct hci_dev *hci_alloc_dev_priv(int sizeof_priv) + if (!hdev) + return NULL; + ++ if (init_srcu_struct(&hdev->srcu)) { ++ kfree(hdev); ++ return NULL; ++ } ++ + hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1); + hdev->esco_type = (ESCO_HV1); + hdev->link_mode = (HCI_LM_ACCEPT); +@@ -2664,6 +2687,9 @@ void hci_unregister_dev(struct hci_dev *hdev) + list_del(&hdev->list); + write_unlock(&hci_dev_list_lock); + ++ synchronize_srcu(&hdev->srcu); ++ cleanup_srcu_struct(&hdev->srcu); ++ + disable_work_sync(&hdev->rx_work); + disable_work_sync(&hdev->cmd_work); + 
disable_work_sync(&hdev->tx_work); +-- +2.39.5 + diff --git a/queue-6.15/bnxt-properly-flush-xdp-redirect-lists.patch b/queue-6.15/bnxt-properly-flush-xdp-redirect-lists.patch new file mode 100644 index 0000000000..73376a8e58 --- /dev/null +++ b/queue-6.15/bnxt-properly-flush-xdp-redirect-lists.patch 
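Review bot: `init_srcu_struct(&hdev->srcu)` is added in hci_alloc_dev_priv(), but the only `cleanup_srcu_struct(&hdev->srcu)` in the patch is in hci_unregister_dev(). A device that is allocated and then freed without ever being registered (for example a driver probe that fails before hci_register_dev()) would not pass through that path, so the SRCU state would leak unless the free/release path, which is outside these hunks, also cleans it up. Keeping `synchronize_srcu(&hdev->srcu);` in hci_unregister_dev() and moving `cleanup_srcu_struct(&hdev->srcu);` to where hdev itself is released would pair init and cleanup on every path. As far as these hunks show, only hci_dev_reset() uses `hci_dev_get_srcu()`, so other ioctl paths that reach driver callbacks through `hci_dev_get()` still rely on the reference count alone.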
@@ -0,0 +1,139 @@ +From 38b6ee4bad6e39f34d91bdb87a75a173415fd451 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 23 Jun 2025 09:06:38 -0700 +Subject: bnxt: properly flush XDP redirect lists + +From: Yan Zhai <yan@cloudflare.com> + +[ Upstream commit 9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f ] + +We encountered following crash when testing a XDP_REDIRECT feature +in production: + +[56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd +40f30). +[56251.601413] ------------[ cut here ]------------ +[56251.611357] kernel BUG at lib/list_debug.c:29! +[56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +[56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6. +3 #1 +[56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE +[56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025 +[56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0 +[56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48 + 89 c6 e8 25 16 fe ff <0f> 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89 +[56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246 +[56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000 +[56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80 +[56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18 +[56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000 +[56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40 +[56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000 +[56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0 
+[56251.831365] PKRU: 55555554 +[56251.838653] Call Trace: +[56251.845560] <IRQ> +[56251.851943] cpu_map_enqueue.cold+0x5/0xa +[56251.860243] xdp_do_redirect+0x2d9/0x480 +[56251.868388] bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en] +[56251.877028] bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en] +[56251.885665] ? cpu_max_write+0x1e/0x100 +[56251.893510] ? srso_alias_return_thunk+0x5/0xfbef5 +[56251.902276] __bnxt_poll_work+0x190/0x340 [bnxt_en] +[56251.911058] bnxt_poll+0xab/0x1b0 [bnxt_en] +[56251.919041] ? srso_alias_return_thunk+0x5/0xfbef5 +[56251.927568] ? srso_alias_return_thunk+0x5/0xfbef5 +[56251.935958] ? srso_alias_return_thunk+0x5/0xfbef5 +[56251.944250] __napi_poll+0x2b/0x160 +[56251.951155] bpf_trampoline_6442548651+0x79/0x123 +[56251.959262] __napi_poll+0x5/0x160 +[56251.966037] net_rx_action+0x3d2/0x880 +[56251.973133] ? srso_alias_return_thunk+0x5/0xfbef5 +[56251.981265] ? srso_alias_return_thunk+0x5/0xfbef5 +[56251.989262] ? __hrtimer_run_queues+0x162/0x2a0 +[56251.996967] ? srso_alias_return_thunk+0x5/0xfbef5 +[56252.004875] ? srso_alias_return_thunk+0x5/0xfbef5 +[56252.012673] ? 
bnxt_msix+0x62/0x70 [bnxt_en] +[56252.019903] handle_softirqs+0xcf/0x270 +[56252.026650] irq_exit_rcu+0x67/0x90 +[56252.032933] common_interrupt+0x85/0xa0 +[56252.039498] </IRQ> +[56252.044246] <TASK> +[56252.048935] asm_common_interrupt+0x26/0x40 +[56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420 +[56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae + 01 00 00 fb 45 85 f6 <0f> 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29 +[56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202 +[56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000 +[56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000 +[56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e +[56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860 +[56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000 +[56252.146667] ? cpuidle_enter_state+0xab/0x420 +[56252.153909] cpuidle_enter+0x2d/0x40 +[56252.160360] do_idle+0x176/0x1c0 +[56252.166456] cpu_startup_entry+0x29/0x30 +[56252.173248] start_secondary+0xf7/0x100 +[56252.179941] common_startup_64+0x13e/0x141 +[56252.186886] </TASK> + +From the crash dump, we found that the cpu_map_flush_list inside +redirect info is partially corrupted: its list_head->next points to +itself, but list_head->prev points to a valid list of unflushed bq +entries. + +This turned out to be a result of missed XDP flush on redirect lists. By +digging in the actual source code, we found that +commit 7f0a168b0441 ("bnxt_en: Add completion ring pointer in TX and RX +ring structures") incorrectly overwrites the event mask for XDP_REDIRECT +in bnxt_rx_xdp. We can stably reproduce this crash by returning XDP_TX +and XDP_REDIRECT randomly for incoming packets in a naive XDP program. +Properly propagate the XDP_REDIRECT events back fixes the crash. 
+ +Fixes: a7559bc8c17c ("bnxt: support transmit and free of aggregation buffers") +Tested-by: Andrew Rzeznik <arzeznik@cloudflare.com> +Signed-off-by: Yan Zhai <yan@cloudflare.com> +Acked-by: Jesper Dangaard Brouer <hawk@kernel.org> +Reviewed-by: Michael Chan <michael.chan@broadcom.com> +Reviewed-by: Andy Gospodarek <gospo@broadcom.com> +Link: https://patch.msgid.link/aFl7jpCNzscumuN2@debian.debian +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index c365a9e64f728..9de6eefad9791 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -2958,6 +2958,7 @@ static int __bnxt_poll_work(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + { + struct bnxt_napi *bnapi = cpr->bnapi; + u32 raw_cons = cpr->cp_raw_cons; ++ bool flush_xdp = false; + u32 cons; + int rx_pkts = 0; + u8 event = 0; +@@ -3011,6 +3012,8 @@ static int __bnxt_poll_work(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + else + rc = bnxt_force_rx_discard(bp, cpr, &raw_cons, + &event); ++ if (event & BNXT_REDIRECT_EVENT) ++ flush_xdp = true; + if (likely(rc >= 0)) + rx_pkts += rc; + /* Increment rx_pkts when rc is -ENOMEM to count towards +@@ -3035,7 +3038,7 @@ static int __bnxt_poll_work(struct bnxt *bp, struct bnxt_cp_ring_info *cpr, + } + } + +- if (event & BNXT_REDIRECT_EVENT) { ++ if (flush_xdp) { + xdp_do_flush(); + event &= ~BNXT_REDIRECT_EVENT; + } +-- +2.39.5 + diff --git a/queue-6.15/bridge-mcast-fix-use-after-free-during-router-port-c.patch b/queue-6.15/bridge-mcast-fix-use-after-free-during-router-port-c.patch new file mode 100644 index 0000000000..1a9d3299f5 --- /dev/null +++ b/queue-6.15/bridge-mcast-fix-use-after-free-during-router-port-c.patch 
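Review bot: The new `flush_xdp` latch in `__bnxt_poll_work()` has no comment saying why testing `event` after the loop is not enough, which is exactly what went wrong before this fix. According to the commit message, `bnxt_rx_xdp` can overwrite the event mask, so a later packet in the same poll may clear BNXT_REDIRECT_EVENT. I would add above the latch `/* Latch the redirect: a later packet may overwrite event, and a missed xdp_do_flush() leaves unflushed bq entries on the redirect flush list */`. Separately, the description blames commit 7f0a168b0441 while the Fixes: tag names a7559bc8c17c, so whoever decides the backport range should confirm which commit introduced the overwrite. The function body starts and ends outside the inner hunks shown.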
@@ -0,0 +1,183 @@ +From 2e70119fafab30d88ec1409b5965c7398c143272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 19 Jun 2025 21:22:28 +0300 +Subject: bridge: mcast: Fix use-after-free during router port configuration + +From: Ido Schimmel <idosch@nvidia.com> + +[ Upstream commit 7544f3f5b0b58c396f374d060898b5939da31709 ] + +The bridge maintains a global list of ports behind which a multicast +router resides. The list is consulted during forwarding to ensure +multicast packets are forwarded to these ports even if the ports are not +member in the matching MDB entry. + +When per-VLAN multicast snooping is enabled, the per-port multicast +context is disabled on each port and the port is removed from the global +router port list: + + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 + # ip link add name dummy1 up master br1 type dummy + # ip link set dev dummy1 type bridge_slave mcast_router 2 + $ bridge -d mdb show | grep router + router ports on br1: dummy1 + # ip link set dev br1 type bridge mcast_vlan_snooping 1 + $ bridge -d mdb show | grep router + +However, the port can be re-added to the global list even when per-VLAN +multicast snooping is enabled: + + # ip link set dev dummy1 type bridge_slave mcast_router 0 + # ip link set dev dummy1 type bridge_slave mcast_router 2 + $ bridge -d mdb show | grep router + router ports on br1: dummy1 + +Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement +br_multicast_{enable, disable}_port functions"), when per-VLAN multicast +snooping is enabled, multicast disablement on a port will disable the +per-{port, VLAN} multicast contexts and not the per-port one. As a +result, a port will remain in the global router port list even after it +is deleted. 
This will lead to a use-after-free [1] when the list is +traversed (when adding a new port to the list, for example): + + # ip link del dev dummy1 + # ip link add name dummy2 up master br1 type dummy + # ip link set dev dummy2 type bridge_slave mcast_router 2 + +Similarly, stale entries can also be found in the per-VLAN router port +list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} +contexts are disabled on each port and the port is removed from the +per-VLAN router port list: + + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 + # ip link add name dummy1 up master br1 type dummy + # bridge vlan add vid 2 dev dummy1 + # bridge vlan global set vid 2 dev br1 mcast_snooping 1 + # bridge vlan set vid 2 dev dummy1 mcast_router 2 + $ bridge vlan global show dev br1 vid 2 | grep router + router ports: dummy1 + # ip link set dev br1 type bridge mcast_vlan_snooping 0 + $ bridge vlan global show dev br1 vid 2 | grep router + +However, the port can be re-added to the per-VLAN list even when +per-VLAN multicast snooping is disabled: + + # bridge vlan set vid 2 dev dummy1 mcast_router 0 + # bridge vlan set vid 2 dev dummy1 mcast_router 2 + $ bridge vlan global show dev br1 vid 2 | grep router + router ports: dummy1 + +When the VLAN is deleted from the port, the per-{port, VLAN} multicast +context will not be disabled since multicast snooping is not enabled +on the VLAN. As a result, the port will remain in the per-VLAN router +port list even after it is no longer member in the VLAN. This will lead +to a use-after-free [2] when the list is traversed (when adding a new +port to the list, for example): + + # ip link add name dummy2 up master br1 type dummy + # bridge vlan add vid 2 dev dummy2 + # bridge vlan del vid 2 dev dummy1 + # bridge vlan set vid 2 dev dummy2 mcast_router 2 + +Fix these issues by removing the port from the relevant (global or +per-VLAN) router port list in br_multicast_port_ctx_deinit(). 
The +function is invoked during port deletion with the per-port multicast +context and during VLAN deletion with the per-{port, VLAN} multicast +context. + +Note that deleting the multicast router timer is not enough as it only +takes care of the temporary multicast router states (1 or 3) and not the +permanent one (2). + +[1] +BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 +Write of size 8 at addr ffff888004a67328 by task ip/384 +[...] +Call Trace: + <TASK> + dump_stack_lvl+0x6f/0xa0 + print_address_description.constprop.0+0x6f/0x350 + print_report+0x108/0x205 + kasan_report+0xdf/0x110 + br_multicast_add_router.part.0+0x3f1/0x560 + br_multicast_set_port_router+0x74e/0xac0 + br_setport+0xa55/0x1870 + br_port_slave_changelink+0x95/0x120 + __rtnl_newlink+0x5e8/0xa40 + rtnl_newlink+0x627/0xb00 + rtnetlink_rcv_msg+0x6fb/0xb70 + netlink_rcv_skb+0x11f/0x350 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + __sys_sendmsg+0x124/0x1c0 + do_syscall_64+0xbb/0x360 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] +BUG: KASAN: slab-use-after-free in br_multicast_add_router.part.0+0x378/0x560 +Read of size 8 at addr ffff888009f00840 by task bridge/391 +[...] 
+Call Trace: + <TASK> + dump_stack_lvl+0x6f/0xa0 + print_address_description.constprop.0+0x6f/0x350 + print_report+0x108/0x205 + kasan_report+0xdf/0x110 + br_multicast_add_router.part.0+0x378/0x560 + br_multicast_set_port_router+0x6f9/0xac0 + br_vlan_process_options+0x8b6/0x1430 + br_vlan_rtm_process_one+0x605/0xa30 + br_vlan_rtm_process+0x396/0x4c0 + rtnetlink_rcv_msg+0x2f7/0xb70 + netlink_rcv_skb+0x11f/0x350 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + __sys_sendmsg+0x124/0x1c0 + do_syscall_64+0xbb/0x360 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: 2796d846d74a ("net: bridge: vlan: convert mcast router global option to per-vlan entry") +Fixes: 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions") +Reported-by: syzbot+7bfa4b72c6a5da128d32@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/684c18bd.a00a0220.279073.000b.GAE@google.com/T/ +Signed-off-by: Ido Schimmel <idosch@nvidia.com> +Link: https://patch.msgid.link/20250619182228.1656906-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/bridge/br_multicast.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 7e0b2362b9ee5..d35a409b5e4aa 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2014,10 +2014,19 @@ void br_multicast_port_ctx_init(struct net_bridge_port *port, + + void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pmctx) + { ++ struct net_bridge *br = pmctx->port->br; ++ bool del = false; ++ + #if IS_ENABLED(CONFIG_IPV6) + timer_delete_sync(&pmctx->ip6_mc_router_timer); + #endif + timer_delete_sync(&pmctx->ip4_mc_router_timer); ++ ++ spin_lock_bh(&br->multicast_lock); ++ del |= br_ip6_multicast_rport_del(pmctx); ++ del |= br_ip4_multicast_rport_del(pmctx); 
++ br_multicast_rport_del_notify(pmctx, del); ++ spin_unlock_bh(&br->multicast_lock); + } + + int br_multicast_add_port(struct net_bridge_port *port) +-- +2.39.5 + diff --git a/queue-6.15/cxl-ras-fix-cper-handler-device-confusion.patch b/queue-6.15/cxl-ras-fix-cper-handler-device-confusion.patch new file mode 100644 index 0000000000..3e0e138b8a --- /dev/null +++ b/queue-6.15/cxl-ras-fix-cper-handler-device-confusion.patch 
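Review bot: The unlink added to `br_multicast_port_ctx_deinit()` has no comment explaining why deleting the two router timers is not sufficient, and a later cleanup that removes it would reintroduce the use-after-free. The commit message says the timers only cover the temporary router states (1 or 3) and not the permanent one (2). I would put that on the locked section: `/* Timers cover only temporary router states; a permanent (mcast_router 2) port must be unlinked here or it stays on the router list after free */`. Also worth confirming: `br_ip6_multicast_rport_del()` is called outside the `#if IS_ENABLED(CONFIG_IPV6)` guard that wraps the IPv6 timer, so it presumably has a stub for builds without IPv6, which this hunk does not show.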
@@ -0,0 +1,144 @@ +From 9d4186cce04e74e44f5e7dbd995bee8067658566 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 12 Jun 2025 12:20:43 -0700 +Subject: cxl/ras: Fix CPER handler device confusion + +From: Dan Williams <dan.j.williams@intel.com> + +[ Upstream commit 3c70ec71abdaf4e4fa48cd8fdfbbd864d78235a8 ] + +By inspection, cxl_cper_handle_prot_err() is making a series of fragile +assumptions that can lead to crashes: + +1/ It assumes that endpoints identified in the record are a CXL-type-3 + device, nothing guarantees that. + +2/ It assumes that the device is bound to the cxl_pci driver, nothing + guarantees that. + +3/ Minor, it holds the device lock over the switch-port tracing for no + reason as the trace is 100% generated from data in the record. + +Correct those by checking that the PCIe endpoint parents a cxl_memdev +before assuming the format of the driver data, and move the lock to where +it is required. Consequently this also makes the implementation ready for +CXL accelerators that are not bound to cxl_pci. 
+ +Fixes: 36f257e3b0ba ("acpi/ghes, cxl/pci: Process CXL CPER Protocol Errors") +Cc: Terry Bowman <terry.bowman@amd.com> +Cc: Li Ming <ming.li@zohomail.com> +Cc: Alison Schofield <alison.schofield@intel.com> +Cc: Ira Weiny <ira.weiny@intel.com> +Cc: Tony Luck <tony.luck@intel.com> +Reviewed-by: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com> +Reviewed-by: Dave Jiang <dave.jiang@intel.com> +Signed-off-by: Dan Williams <dan.j.williams@intel.com> +Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> +Reviewed-by: Li Ming <ming.li@zohomail.com> +Link: https://patch.msgid.link/20250612192043.2254617-1-dan.j.williams@intel.com +Signed-off-by: Dave Jiang <dave.jiang@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/cxl/core/ras.c | 47 ++++++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 20 deletions(-) + +diff --git a/drivers/cxl/core/ras.c b/drivers/cxl/core/ras.c +index 485a831695c70..2731ba3a07993 100644 +--- a/drivers/cxl/core/ras.c ++++ b/drivers/cxl/core/ras.c +@@ -31,40 +31,38 @@ static void cxl_cper_trace_uncorr_port_prot_err(struct pci_dev *pdev, + ras_cap.header_log); + } + +-static void cxl_cper_trace_corr_prot_err(struct pci_dev *pdev, +- struct cxl_ras_capability_regs ras_cap) ++static void cxl_cper_trace_corr_prot_err(struct cxl_memdev *cxlmd, ++ struct cxl_ras_capability_regs ras_cap) + { + u32 status = ras_cap.cor_status & ~ras_cap.cor_mask; +- struct cxl_dev_state *cxlds; + +- cxlds = pci_get_drvdata(pdev); +- if (!cxlds) +- return; +- +- trace_cxl_aer_correctable_error(cxlds->cxlmd, status); ++ trace_cxl_aer_correctable_error(cxlmd, status); + } + +-static void cxl_cper_trace_uncorr_prot_err(struct pci_dev *pdev, +- struct cxl_ras_capability_regs ras_cap) ++static void ++cxl_cper_trace_uncorr_prot_err(struct cxl_memdev *cxlmd, ++ struct cxl_ras_capability_regs ras_cap) + { + u32 status = ras_cap.uncor_status & ~ras_cap.uncor_mask; +- struct cxl_dev_state *cxlds; + u32 fe; + +- cxlds = 
pci_get_drvdata(pdev); +- if (!cxlds) +- return; +- + if (hweight32(status) > 1) + fe = BIT(FIELD_GET(CXL_RAS_CAP_CONTROL_FE_MASK, + ras_cap.cap_control)); + else + fe = status; + +- trace_cxl_aer_uncorrectable_error(cxlds->cxlmd, status, fe, ++ trace_cxl_aer_uncorrectable_error(cxlmd, status, fe, + ras_cap.header_log); + } + ++static int match_memdev_by_parent(struct device *dev, const void *uport) ++{ ++ if (is_cxl_memdev(dev) && dev->parent == uport) ++ return 1; ++ return 0; ++} ++ + static void cxl_cper_handle_prot_err(struct cxl_cper_prot_err_work_data *data) + { + unsigned int devfn = PCI_DEVFN(data->prot_err.agent_addr.device, +@@ -73,13 +71,12 @@ static void cxl_cper_handle_prot_err(struct cxl_cper_prot_err_work_data *data) + pci_get_domain_bus_and_slot(data->prot_err.agent_addr.segment, + data->prot_err.agent_addr.bus, + devfn); ++ struct cxl_memdev *cxlmd; + int port_type; + + if (!pdev) + return; + +- guard(device)(&pdev->dev); +- + port_type = pci_pcie_type(pdev); + if (port_type == PCI_EXP_TYPE_ROOT_PORT || + port_type == PCI_EXP_TYPE_DOWNSTREAM || +@@ -92,10 +89,20 @@ static void cxl_cper_handle_prot_err(struct cxl_cper_prot_err_work_data *data) + return; + } + ++ guard(device)(&pdev->dev); ++ if (!pdev->dev.driver) ++ return; ++ ++ struct device *mem_dev __free(put_device) = bus_find_device( ++ &cxl_bus_type, NULL, pdev, match_memdev_by_parent); ++ if (!mem_dev) ++ return; ++ ++ cxlmd = to_cxl_memdev(mem_dev); + if (data->severity == AER_CORRECTABLE) +- cxl_cper_trace_corr_prot_err(pdev, data->ras_cap); ++ cxl_cper_trace_corr_prot_err(cxlmd, data->ras_cap); + else +- cxl_cper_trace_uncorr_prot_err(pdev, data->ras_cap); ++ cxl_cper_trace_uncorr_prot_err(cxlmd, data->ras_cap); + } + + static void cxl_cper_prot_err_work_fn(struct work_struct *work) +-- +2.39.5 + 
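Review bot: `match_memdev_by_parent()` compares `dev->parent`, a `struct device *`, against the match data, but `cxl_cper_handle_prot_err()` hands `bus_find_device()` the `struct pci_dev *` itself. Unless `dev` is the first member of `struct pci_dev` (its layout is not visible here), the two pointers never compare equal. The lookup would then return NULL and the protocol error would be dropped with no trace event. Passing the embedded device makes the comparison well-typed: `bus_find_device(&cxl_bus_type, NULL, &pdev->dev, match_memdev_by_parent);`. The handler's declaration of `pdev` begins outside the hunk, so how its reference is released cannot be checked from here.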
diff --git a/queue-6.15/drm-amd-adjust-output-for-discovery-error-handling.patch b/queue-6.15/drm-amd-adjust-output-for-discovery-error-handling.patch new file mode 100644 index 0000000000..84dd62a043 --- /dev/null +++ b/queue-6.15/drm-amd-adjust-output-for-discovery-error-handling.patch 
@@ -0,0 +1,101 @@ +From 9f6c768c160ca8dd254f469a7a73def4be425aca Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 17 Jun 2025 13:30:52 -0500 +Subject: drm/amd: Adjust output for discovery error handling + +From: Mario Limonciello <mario.limonciello@amd.com> + +[ Upstream commit 73eab78721f7b85216f1ca8c7b732f13213b5b32 ] + +commit 017fbb6690c2 ("drm/amdgpu/discovery: check ip_discovery fw file +available") added support for reading an amdgpu IP discovery bin file +for some specific products. If it's not found then it will fallback to +hardcoded values. However if it's not found there is also a lot of noise +about missing files and errors. + +Adjust the error handling to decrease most messages to DEBUG and to show +users less about missing files. + +Reviewed-by: Lijo Lazar <lijo.lazar@amd.com> +Reported-by: Marcus Seyfarth <m.seyfarth@gmail.com> +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4312 +Tested-by: Marcus Seyfarth <m.seyfarth@gmail.com> +Fixes: 017fbb6690c2 ("drm/amdgpu/discovery: check ip_discovery fw file available") +Acked-by: Alex Deucher <alexander.deucher@amd.com> +Link: https://lore.kernel.org/r/20250617183052.1692059-1-superm1@kernel.org +Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +(cherry picked from commit 49f1f9f6c3c9febf8ba93f94a8d9c8d03e1ea0a1) +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 28 +++++++++---------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c +index 9e738fae2b74f..6d34eac0539d4 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c +@@ -311,10 +311,12 @@ static int amdgpu_discovery_read_binary_from_file(struct amdgpu_device *adev, + const struct firmware *fw; + int r; + +- r = 
request_firmware(&fw, fw_name, adev->dev); ++ r = firmware_request_nowarn(&fw, fw_name, adev->dev); + if (r) { +- dev_err(adev->dev, "can't load firmware \"%s\"\n", +- fw_name); ++ if (amdgpu_discovery == 2) ++ dev_err(adev->dev, "can't load firmware \"%s\"\n", fw_name); ++ else ++ drm_info(&adev->ddev, "Optional firmware \"%s\" was not found\n", fw_name); + return r; + } + +@@ -449,16 +451,12 @@ static int amdgpu_discovery_init(struct amdgpu_device *adev) + /* Read from file if it is the preferred option */ + fw_name = amdgpu_discovery_get_fw_name(adev); + if (fw_name != NULL) { +- dev_info(adev->dev, "use ip discovery information from file"); ++ drm_dbg(&adev->ddev, "use ip discovery information from file"); + r = amdgpu_discovery_read_binary_from_file(adev, adev->mman.discovery_bin, fw_name); +- +- if (r) { +- dev_err(adev->dev, "failed to read ip discovery binary from file\n"); +- r = -EINVAL; ++ if (r) + goto out; +- } +- + } else { ++ drm_dbg(&adev->ddev, "use ip discovery information from memory"); + r = amdgpu_discovery_read_binary_from_mem( + adev, adev->mman.discovery_bin); + if (r) +@@ -1328,10 +1326,8 @@ static int amdgpu_discovery_reg_base_init(struct amdgpu_device *adev) + int r; + + r = amdgpu_discovery_init(adev); +- if (r) { +- DRM_ERROR("amdgpu_discovery_init failed\n"); ++ if (r) + return r; +- } + + wafl_ver = 0; + adev->gfx.xcc_mask = 0; +@@ -2569,8 +2565,10 @@ int amdgpu_discovery_set_ip_blocks(struct amdgpu_device *adev) + break; + default: + r = amdgpu_discovery_reg_base_init(adev); +- if (r) +- return -EINVAL; ++ if (r) { ++ drm_err(&adev->ddev, "discovery failed: %d\n", r); ++ return r; ++ } + + amdgpu_discovery_harvest_ip(adev); + amdgpu_discovery_get_gfx_info(adev); +-- +2.39.5 + diff --git a/queue-6.15/drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch b/queue-6.15/drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch new file mode 100644 index 0000000000..48e226e647 --- /dev/null 
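Review bot: The new `drm_dbg(&adev->ddev, "use ip discovery information from memory")` in `amdgpu_discovery_init()` and the converted "from file" message next to it both lack the trailing `\n` that every other message touched by this patch carries. I would write `drm_dbg(&adev->ddev, "use ip discovery information from memory\n");` and fix the "from file" line the same way. In `amdgpu_discovery_read_binary_from_file()`, the bare `amdgpu_discovery == 2` decides whether a missing file is logged as an error or as informational. The meaning of the value 2 is not visible in this hunk, so a one-line comment naming the mode it selects would help whoever has to work out why a failed load was logged only as optional.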
+++ b/queue-6.15/drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch 
@@ -0,0 +1,150 @@ +From 6aecec2d41e0920d048dced4d4244f4f2e61af18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 24 Jun 2025 10:18:35 +0530 +Subject: drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type + +From: Jayesh Choudhary <j-choudhary@ti.com> + +[ Upstream commit 55e8ff842051b1150461d7595d8f1d033c69d66b ] + +By default, HPD was disabled on SN65DSI86 bridge. When the driver was +added (commit "a095f15c00e27"), the HPD_DISABLE bit was set in pre-enable +call which was moved to other function calls subsequently. +Later on, commit "c312b0df3b13" added detect utility for DP mode. But with +HPD_DISABLE bit set, all the HPD events are disabled[0] and the debounced +state always return 1 (always connected state). + +Set HPD_DISABLE bit conditionally based on display sink's connector type. +Since the HPD_STATE is reflected correctly only after waiting for debounce +time (~100-400ms) and adding this delay in detect() is not feasible +owing to the performace impact (glitches and frame drop), remove runtime +calls in detect() and add hpd_enable()/disable() bridge hooks with runtime +calls, to detect hpd properly without any delay. + +[0]: <https://www.ti.com/lit/gpn/SN65DSI86> (Pg. 
32) + +Fixes: c312b0df3b13 ("drm/bridge: ti-sn65dsi86: Implement bridge connector operations for DP") +Cc: Max Krummenacher <max.krummenacher@toradex.com> +Reviewed-by: Douglas Anderson <dianders@chromium.org> +Tested-by: Ernest Van Hoecke <ernest.vanhoecke@toradex.com> +Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com> +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Link: https://lore.kernel.org/r/20250624044835.165708-1-j-choudhary@ti.com +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 69 +++++++++++++++++++++++---- + 1 file changed, 60 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index c1ed1a3d68447..4ea13e5a3a54a 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -330,12 +330,18 @@ static void ti_sn65dsi86_enable_comms(struct ti_sn65dsi86 *pdata) + * 200 ms. We'll assume that the panel driver will have the hardcoded + * delay in its prepare and always disable HPD. + * +- * If HPD somehow makes sense on some future panel we'll have to +- * change this to be conditional on someone specifying that HPD should +- * be used. ++ * For DisplayPort bridge type, we need HPD. So we use the bridge type ++ * to conditionally disable HPD. ++ * NOTE: The bridge type is set in ti_sn_bridge_probe() but enable_comms() ++ * can be called before. So for DisplayPort, HPD will be enabled once ++ * bridge type is set. We are using bridge type instead of "no-hpd" ++ * property because it is not used properly in devicetree description ++ * and hence is unreliable. 
+ */ +- regmap_update_bits(pdata->regmap, SN_HPD_DISABLE_REG, HPD_DISABLE, +- HPD_DISABLE); ++ ++ if (pdata->bridge.type != DRM_MODE_CONNECTOR_DisplayPort) ++ regmap_update_bits(pdata->regmap, SN_HPD_DISABLE_REG, HPD_DISABLE, ++ HPD_DISABLE); + + pdata->comms_enabled = true; + +@@ -1172,9 +1178,14 @@ static enum drm_connector_status ti_sn_bridge_detect(struct drm_bridge *bridge) + struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge); + int val = 0; + +- pm_runtime_get_sync(pdata->dev); ++ /* ++ * Runtime reference is grabbed in ti_sn_bridge_hpd_enable() ++ * as the chip won't report HPD just after being powered on. ++ * HPD_DEBOUNCED_STATE reflects correct state only after the ++ * debounce time (~100-400 ms). ++ */ ++ + regmap_read(pdata->regmap, SN_HPD_DISABLE_REG, &val); +- pm_runtime_put_autosuspend(pdata->dev); + + return val & HPD_DEBOUNCED_STATE ? connector_status_connected + : connector_status_disconnected; +@@ -1197,6 +1208,26 @@ static void ti_sn65dsi86_debugfs_init(struct drm_bridge *bridge, struct dentry * + debugfs_create_file("status", 0600, debugfs, pdata, &status_fops); + } + ++static void ti_sn_bridge_hpd_enable(struct drm_bridge *bridge) ++{ ++ struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge); ++ ++ /* ++ * Device needs to be powered on before reading the HPD state ++ * for reliable hpd detection in ti_sn_bridge_detect() due to ++ * the high debounce time. 
++ */ ++ ++ pm_runtime_get_sync(pdata->dev); ++} ++ ++static void ti_sn_bridge_hpd_disable(struct drm_bridge *bridge) ++{ ++ struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge); ++ ++ pm_runtime_put_autosuspend(pdata->dev); ++} ++ + static const struct drm_bridge_funcs ti_sn_bridge_funcs = { + .attach = ti_sn_bridge_attach, + .detach = ti_sn_bridge_detach, +@@ -1211,6 +1242,8 @@ static const struct drm_bridge_funcs ti_sn_bridge_funcs = { + .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, + .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, + .debugfs_init = ti_sn65dsi86_debugfs_init, ++ .hpd_enable = ti_sn_bridge_hpd_enable, ++ .hpd_disable = ti_sn_bridge_hpd_disable, + }; + + static void ti_sn_bridge_parse_lanes(struct ti_sn65dsi86 *pdata, +@@ -1299,8 +1332,26 @@ static int ti_sn_bridge_probe(struct auxiliary_device *adev, + pdata->bridge.type = pdata->next_bridge->type == DRM_MODE_CONNECTOR_DisplayPort + ? DRM_MODE_CONNECTOR_DisplayPort : DRM_MODE_CONNECTOR_eDP; + +- if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) +- pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT; ++ if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) { ++ pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT | ++ DRM_BRIDGE_OP_HPD; ++ /* ++ * If comms were already enabled they would have been enabled ++ * with the wrong value of HPD_DISABLE. Update it now. Comms ++ * could be enabled if anyone is holding a pm_runtime reference ++ * (like if a GPIO is in use). Note that in most cases nobody ++ * is doing AUX channel xfers before the bridge is added so ++ * HPD doesn't _really_ matter then. The only exception is in ++ * the eDP case where the panel wants to read the EDID before ++ * the bridge is added. We always consistently have HPD disabled ++ * for eDP. 
++ */ ++ mutex_lock(&pdata->comms_mutex); ++ if (pdata->comms_enabled) ++ regmap_update_bits(pdata->regmap, SN_HPD_DISABLE_REG, ++ HPD_DISABLE, 0); ++ mutex_unlock(&pdata->comms_mutex); ++ }; + + drm_bridge_add(&pdata->bridge); + +-- +2.39.5 + diff --git a/queue-6.15/drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch b/queue-6.15/drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch new file mode 100644 index 0000000000..5d3fa28e92 --- /dev/null +++ b/queue-6.15/drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch 
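Review bot: `ti_sn_bridge_detect()` now reads SN_HPD_DISABLE_REG without taking a runtime-PM reference and still ignores the return value of `regmap_read()`, so a failed read leaves `val` at 0 and is reported as `connector_status_disconnected`. That is only right if detect() is never reached outside an `hpd_enable()`/`hpd_disable()` window, which this hunk does not establish. I would check the result, e.g. `if (regmap_read(pdata->regmap, SN_HPD_DISABLE_REG, &val)) return connector_status_unknown;`. Minor: the `};` closing the DisplayPort branch in `ti_sn_bridge_probe()` leaves a stray empty statement, and `}` is enough.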
@@ -0,0 +1,104 @@ +From 16b93d27cec691ff0ec601f58997b5156f52647f Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Sat, 15 Mar 2025 21:15:11 +0100 +Subject: drm/bridge: ti-sn65dsi86: make use of debugfs_init callback + +From: Wolfram Sang <wsa+renesas@sang-engineering.com> + +[ Upstream commit 1d1f7b15cb9c11974cebfd39da51dc69b8cb31ff ] + +Do not create a custom directory in debugfs-root, but use the +debugfs_init callback to create a custom directory at the given place +for the bridge. The new directory layout looks like this on a Renesas +GrayHawk-Single with a R-Car V4M SoC: + + /sys/kernel/debug/dri/feb00000.display/DP-1/1-002c + +Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com> +Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> +Reviewed-by: Douglas Anderson <dianders@chromium.org> +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Link: https://patchwork.freedesktop.org/patch/msgid/20250315201651.7339-2-wsa+renesas@sang-engineering.com +Stable-dep-of: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 40 +++++++-------------------- + 1 file changed, 10 insertions(+), 30 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index 01d456b955abb..c1ed1a3d68447 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -423,36 +423,8 @@ static int status_show(struct seq_file *s, void *data) + + return 0; + } +- + DEFINE_SHOW_ATTRIBUTE(status); + +-static void ti_sn65dsi86_debugfs_remove(void *data) +-{ +- debugfs_remove_recursive(data); +-} +- +-static void ti_sn65dsi86_debugfs_init(struct ti_sn65dsi86 *pdata) +-{ +- struct device *dev = pdata->dev; +- struct dentry *debugfs; +- int ret; +- +- debugfs = debugfs_create_dir(dev_name(dev), NULL); +- +- /* +- * We might get an error back if 
debugfs wasn't enabled in the kernel +- * so let's just silently return upon failure. +- */ +- if (IS_ERR_OR_NULL(debugfs)) +- return; +- +- ret = devm_add_action_or_reset(dev, ti_sn65dsi86_debugfs_remove, debugfs); +- if (ret) +- return; +- +- debugfs_create_file("status", 0600, debugfs, pdata, &status_fops); +-} +- + /* ----------------------------------------------------------------------------- + * Auxiliary Devices (*not* AUX) + */ +@@ -1216,6 +1188,15 @@ static const struct drm_edid *ti_sn_bridge_edid_read(struct drm_bridge *bridge, + return drm_edid_read_ddc(connector, &pdata->aux.ddc); + } + ++static void ti_sn65dsi86_debugfs_init(struct drm_bridge *bridge, struct dentry *root) ++{ ++ struct ti_sn65dsi86 *pdata = bridge_to_ti_sn65dsi86(bridge); ++ struct dentry *debugfs; ++ ++ debugfs = debugfs_create_dir(dev_name(pdata->dev), root); ++ debugfs_create_file("status", 0600, debugfs, pdata, &status_fops); ++} ++ + static const struct drm_bridge_funcs ti_sn_bridge_funcs = { + .attach = ti_sn_bridge_attach, + .detach = ti_sn_bridge_detach, +@@ -1229,6 +1210,7 @@ static const struct drm_bridge_funcs ti_sn_bridge_funcs = { + .atomic_reset = drm_atomic_helper_bridge_reset, + .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, + .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, ++ .debugfs_init = ti_sn65dsi86_debugfs_init, + }; + + static void ti_sn_bridge_parse_lanes(struct ti_sn65dsi86 *pdata, +@@ -1937,8 +1919,6 @@ static int ti_sn65dsi86_probe(struct i2c_client *client) + if (ret) + return ret; + +- ti_sn65dsi86_debugfs_init(pdata); +- + /* + * Break ourselves up into a collection of aux devices. The only real + * motiviation here is to solve the chicken-and-egg problem of probe +-- +2.39.5 + diff --git a/queue-6.15/drm-i915-fix-build-error-some-more.patch b/queue-6.15/drm-i915-fix-build-error-some-more.patch new file mode 100644 index 0000000000..18e8a52cd6 --- /dev/null +++ b/queue-6.15/drm-i915-fix-build-error-some-more.patch 
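Review bot: The new `ti_sn65dsi86_debugfs_init()` callback drops both the comment and the devm removal action that the old helper had, and nothing in the hunk says who now owns the directory's lifetime. Passing an unchecked `debugfs_create_dir()` result on to `debugfs_create_file()` is the accepted debugfs pattern, but removal presumably now depends on the DRM core tearing down `root`, which is not visible here. I would add a short comment above the function such as `/* debugfs errors are deliberately ignored; the directory lives under @root and is expected to be removed with it */` so a later reader neither reintroduces the manual cleanup nor assumes a leak. The `status` file still exposes `pdata` through `status_fops` with mode `0600`, unchanged from the old code.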
@@ -0,0 +1,52 @@
+From fc58f45513e1327f2f82e03f7155a27ee184fcd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:18:18 +0200
+Subject: drm/i915: fix build error some more
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit d02b2103a08b6d6908f1d3d8e8783d3f342555ac ]
+
+An earlier patch fixed a build failure with clang, but I still see the
+same problem with some configurations using gcc:
+
+drivers/gpu/drm/i915/i915_pmu.c: In function 'config_mask':
+include/linux/compiler_types.h:568:38: error: call to '__compiletime_assert_462' declared with attribute error: BUILD_BUG_ON failed: bit > BITS_PER_TYPE(typeof_member(struct i915_pmu, enable)) - 1
+drivers/gpu/drm/i915/i915_pmu.c:116:3: note: in expansion of macro 'BUILD_BUG_ON'
+ 116 | BUILD_BUG_ON(bit >
+
+As I understand it, the problem is that the function is not always fully
+inlined, but the __builtin_constant_p() can still evaluate the argument
+as being constant.
+
+Marking it as __always_inline so far works for me in all configurations.
+
+Fixes: a7137b1825b5 ("drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled")
+Fixes: a644fde77ff7 ("drm/i915/pmu: Change bitmask of enabled events to u32")
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20250620111824.3395007-1-arnd@kernel.org
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit ef69f9dd1cd7301cdf04ba326ed28152a3affcf6)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/i915_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_pmu.c b/drivers/gpu/drm/i915/i915_pmu.c
+index 990bfaba3ce4e..5bc696bfbb0fe 100644
+--- a/drivers/gpu/drm/i915/i915_pmu.c
++++ b/drivers/gpu/drm/i915/i915_pmu.c
+@@ -108,7 +108,7 @@ static unsigned int config_bit(const u64 config)
+ return other_bit(config);
+ }
+
+-static u32 config_mask(const u64 config)
++static __always_inline u32 config_mask(const u64 config)
+ {
+ unsigned int bit = config_bit(config);
+
+--
+2.39.5
+
diff --git a/queue-6.15/drm-writeback-fix-drm_writeback_connector_cleanup-si.patch b/queue-6.15/drm-writeback-fix-drm_writeback_connector_cleanup-si.patch
new file mode 100644
index 0000000000..bf37d68999
--- /dev/null
+++ b/queue-6.15/drm-writeback-fix-drm_writeback_connector_cleanup-si.patch
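Review bot: The `__always_inline` added to `config_mask()` carries no comment, so nothing at the definition tells a later cleanup that the attribute is load-bearing. Per the commit message, the `BUILD_BUG_ON` in this function depends on `__builtin_constant_p()` and fails to build with some gcc configurations when the function is not fully inlined. A one-line comment above the signature, e.g. `/* must be __always_inline: the BUILD_BUG_ON() below is only valid once inlined into a constant-argument caller */`, would record that. The function body lies outside the hunk, so the exact wording should be checked against it.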
@@ -0,0 +1,77 @@
+From 7d9795ff5b818edc54584dd0c3adbf4f673cd6a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 10:36:23 +0200
+Subject: drm: writeback: Fix drm_writeback_connector_cleanup signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Louis Chauvet <louis.chauvet@bootlin.com>
+
+[ Upstream commit fb721b2c35b1829b8ecf62e3adb41cf30260316a ]
+
+The drm_writeback_connector_cleanup have the signature:
+
+ static void drm_writeback_connector_cleanup(
+ struct drm_device *dev,
+ struct drm_writeback_connector *wb_connector)
+
+But it is stored and used as a drmres_release_t
+
+ typedef void (*drmres_release_t)(struct drm_device *dev, void *res);
+
+While the current code is valid and does not produce any warning, the
+CFI runtime check (CONFIG_CFI_CLANG) can fail because the function
+signature is not the same as drmres_release_t.
+
+In order to fix this, change the function signature to match what is
+expected by drmres_release_t.
+
+Fixes: 1914ba2b91ea ("drm: writeback: Create drmm variants for drm_writeback_connector initialization")
+
+Suggested-by: Mark Yacoub <markyacoub@google.com>
+Reviewed-by: Maíra Canal <mcanal@igalia.com>
+Link: https://lore.kernel.org/r/20250429-drm-fix-writeback-cleanup-v2-1-548ff3a4e284@bootlin.com
+Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_writeback.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_writeback.c b/drivers/gpu/drm/drm_writeback.c
+index edbeab88ff2b6..d983ee85cf134 100644
+--- a/drivers/gpu/drm/drm_writeback.c
++++ b/drivers/gpu/drm/drm_writeback.c
+@@ -343,17 +343,18 @@ EXPORT_SYMBOL(drm_writeback_connector_init_with_encoder);
+ /**
+ * drm_writeback_connector_cleanup - Cleanup the writeback connector
+ * @dev: DRM device
+- * @wb_connector: Pointer to the writeback connector to clean up
++ * @data: Pointer to the writeback connector to clean up
+ *
+ * This will decrement the reference counter of blobs and destroy properties. It
+ * will also clean the remaining jobs in this writeback connector. Caution: This helper will not
+ * clean up the attached encoder and the drm_connector.
+ */
+ static void drm_writeback_connector_cleanup(struct drm_device *dev,
+- struct drm_writeback_connector *wb_connector)
++ void *data)
+ {
+ unsigned long flags;
+ struct drm_writeback_job *pos, *n;
++ struct drm_writeback_connector *wb_connector = data;
+
+ delete_writeback_properties(dev);
+ drm_property_blob_put(wb_connector->pixel_formats_blob_ptr);
+@@ -405,7 +406,7 @@ int drmm_writeback_connector_init(struct drm_device *dev,
+ if (ret)
+ return ret;
+
+- ret = drmm_add_action_or_reset(dev, (void *)drm_writeback_connector_cleanup,
++ ret = drmm_add_action_or_reset(dev, drm_writeback_connector_cleanup,
+ wb_connector);
+ if (ret)
+ return ret;
+--
+2.39.5
+
diff --git a/queue-6.15/drm-xe-guc-explicitly-exit-ct-safe-mode-on-unwind.patch b/queue-6.15/drm-xe-guc-explicitly-exit-ct-safe-mode-on-unwind.patch
new file mode 100644
index 0000000000..e146950bd7
--- /dev/null
+++ b/queue-6.15/drm-xe-guc-explicitly-exit-ct-safe-mode-on-unwind.patch
@@ -0,0 +1,79 @@
+From 691e6ad36d077a3025f5038d8c2ea7d2b5a0f4de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 00:09:37 +0200
+Subject: drm/xe/guc: Explicitly exit CT safe mode on unwind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Wajdeczko <michal.wajdeczko@intel.com>
+
+[ Upstream commit ad40098da5c3b43114d860a5b5740e7204158534 ]
+
+During driver probe we might be briefly using CT safe mode, which
+is based on a delayed work, but usually we are able to stop this
+once we have IRQ fully operational. However, if we abort the probe
+quite early then during unwind we might try to destroy the workqueue
+while there is still a pending delayed work that attempts to restart
+itself which triggers a WARN.
+
+This was recently observed during unsuccessful VF initialization:
+
+ [ ] xe 0000:00:02.1: probe with driver xe failed with error -62
+ [ ] ------------[ cut here ]------------
+ [ ] workqueue: cannot queue safe_mode_worker_func [xe] on wq xe-g2h-wq
+ [ ] WARNING: CPU: 9 PID: 0 at kernel/workqueue.c:2257 __queue_work+0x287/0x710
+ [ ] RIP: 0010:__queue_work+0x287/0x710
+ [ ] Call Trace:
+ [ ] delayed_work_timer_fn+0x19/0x30
+ [ ] call_timer_fn+0xa1/0x2a0
+
+Exit the CT safe mode on unwind to avoid that warning.
+
+Fixes: 09b286950f29 ("drm/xe/guc: Allow CTB G2H processing without G2H IRQ")
+Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://lore.kernel.org/r/20250612220937.857-3-michal.wajdeczko@intel.com
+(cherry picked from commit 2ddbb73ec20b98e70a5200cb85deade22ccea2ec)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_guc_ct.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c
+index 72ad576fc18eb..c9abca63998b1 100644
+--- a/drivers/gpu/drm/xe/xe_guc_ct.c
++++ b/drivers/gpu/drm/xe/xe_guc_ct.c
+@@ -34,6 +34,11 @@
+ #include "xe_pm.h"
+ #include "xe_trace_guc.h"
+
++static void receive_g2h(struct xe_guc_ct *ct);
++static void g2h_worker_func(struct work_struct *w);
++static void safe_mode_worker_func(struct work_struct *w);
++static void ct_exit_safe_mode(struct xe_guc_ct *ct);
++
+ #if IS_ENABLED(CONFIG_DRM_XE_DEBUG)
+ enum {
+ /* Internal states, not error conditions */
+@@ -186,14 +191,11 @@ static void guc_ct_fini(struct drm_device *drm, void *arg)
+ {
+ struct xe_guc_ct *ct = arg;
+
++ ct_exit_safe_mode(ct);
+ destroy_workqueue(ct->g2h_wq);
+ xa_destroy(&ct->fence_lookup);
+ }
+
+-static void receive_g2h(struct xe_guc_ct *ct);
+-static void g2h_worker_func(struct work_struct *w);
+-static void safe_mode_worker_func(struct work_struct *w);
+-
+ static void primelockdep(struct xe_guc_ct *ct)
+ {
+ if (!IS_ENABLED(CONFIG_LOCKDEP))
+--
+2.39.5
+
diff --git a/queue-6.15/drm-xe-process-deferred-ggtt-node-removals-on-device.patch b/queue-6.15/drm-xe-process-deferred-ggtt-node-removals-on-device.patch
new file mode 100644
index 0000000000..a07ca01981
--- /dev/null
+++ b/queue-6.15/drm-xe-process-deferred-ggtt-node-removals-on-device.patch
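Review bot: In `guc_ct_fini()` the new `ct_exit_safe_mode(ct)` call is the only thing standing between a self-rearming delayed work and `destroy_workqueue(ct->g2h_wq)`, yet the call has no comment and its definition is outside the hunk. The fix only holds if `ct_exit_safe_mode()` cancels the work synchronously and the worker cannot requeue itself afterwards; that should be confirmed against the function body. I would add `/* stop the self-rearming safe-mode worker before its workqueue is destroyed */` above the call so the ordering is not disturbed later.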
@@ -0,0 +1,99 @@ +From 72a8e70744f8304a87fa8be693c721d0eb02eff9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 13 Jun 2025 00:09:36 +0200 +Subject: drm/xe: Process deferred GGTT node removals on device unwind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Wajdeczko <michal.wajdeczko@intel.com> + +[ Upstream commit af2b588abe006bd55ddd358c4c3b87523349c475 ] + +While we are indirectly draining our dedicated workqueue ggtt->wq +that we use to complete asynchronous removal of some GGTT nodes, +this happends as part of the managed-drm unwinding (ggtt_fini_early), +which could be later then manage-device unwinding, where we could +already unmap our MMIO/GMS mapping (mmio_fini). + +This was recently observed during unsuccessful VF initialization: + + [ ] xe 0000:00:02.1: probe with driver xe failed with error -62 + [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747340 __xe_bo_unpin_map_no_vm (16 bytes) + [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747540 __xe_bo_unpin_map_no_vm (16 bytes) + [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747240 __xe_bo_unpin_map_no_vm (16 bytes) + [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747040 tiles_fini (16 bytes) + [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746840 mmio_fini (16 bytes) + [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747f40 xe_bo_pinned_fini (16 bytes) + [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746b40 devm_drm_dev_init_release (16 bytes) + [ ] xe 0000:00:02.1: [drm:drm_managed_release] drmres release begin + [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef81640 __fini_relay (8 bytes) + [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80d40 guc_ct_fini (8 bytes) + [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80040 __drmm_mutex_release (8 bytes) + [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80140 ggtt_fini_early (8 bytes) + +and this was leading to: + + [ ] BUG: unable to handle page 
fault for address: ffffc900058162a0 + [ ] #PF: supervisor write access in kernel mode + [ ] #PF: error_code(0x0002) - not-present page + [ ] Oops: Oops: 0002 [#1] SMP NOPTI + [ ] Tainted: [W]=WARN + [ ] Workqueue: xe-ggtt-wq ggtt_node_remove_work_func [xe] + [ ] RIP: 0010:xe_ggtt_set_pte+0x6d/0x350 [xe] + [ ] Call Trace: + [ ] <TASK> + [ ] xe_ggtt_clear+0xb0/0x270 [xe] + [ ] ggtt_node_remove+0xbb/0x120 [xe] + [ ] ggtt_node_remove_work_func+0x30/0x50 [xe] + [ ] process_one_work+0x22b/0x6f0 + [ ] worker_thread+0x1e8/0x3d + +Add managed-device action that will explicitly drain the workqueue +with all pending node removals prior to releasing MMIO/GSM mapping. + +Fixes: 919bb54e989c ("drm/xe: Fix missing runtime outer protection for ggtt_remove_node") +Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com> +Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> +Cc: Lucas De Marchi <lucas.demarchi@intel.com> +Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com> +Link: https://lore.kernel.org/r/20250612220937.857-2-michal.wajdeczko@intel.com +(cherry picked from commit 89d2835c3680ab1938e22ad81b1c9f8c686bd391) +Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/gpu/drm/xe/xe_ggtt.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/xe/xe_ggtt.c b/drivers/gpu/drm/xe/xe_ggtt.c +index 5fcb2b4c2c139..60bce5de52725 100644 +--- a/drivers/gpu/drm/xe/xe_ggtt.c ++++ b/drivers/gpu/drm/xe/xe_ggtt.c +@@ -201,6 +201,13 @@ static const struct xe_ggtt_pt_ops xelpg_pt_wa_ops = { + .ggtt_set_pte = xe_ggtt_set_pte_and_flush, + }; + ++static void dev_fini_ggtt(void *arg) ++{ ++ struct xe_ggtt *ggtt = arg; ++ ++ drain_workqueue(ggtt->wq); ++} ++ + /** + * xe_ggtt_init_early - Early GGTT initialization + * @ggtt: the &xe_ggtt to be initialized +@@ -257,6 +264,10 @@ int xe_ggtt_init_early(struct xe_ggtt *ggtt) + if (err) + return err; + ++ err = devm_add_action_or_reset(xe->drm.dev, 
dev_fini_ggtt, ggtt); ++ if (err) ++ return err; ++ + if (IS_SRIOV_VF(xe)) { + err = xe_gt_sriov_vf_prepare_ggtt(xe_tile_get_gt(ggtt->tile, 0)); + if (err) +-- +2.39.5 + diff --git a/queue-6.15/ethernet-ionic-fix-dma-mapping-tests.patch b/queue-6.15/ethernet-ionic-fix-dma-mapping-tests.patch new file mode 100644 index 0000000000..a3cd11ad98 --- /dev/null +++ b/queue-6.15/ethernet-ionic-fix-dma-mapping-tests.patch 
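Review bot: `dev_fini_ggtt()` drains `ggtt->wq` once, at managed-device unwind, but nothing in the hunk prevents a node removal from being queued after that point and before `ggtt_fini_early` runs in the later drm-managed phase. If such a late removal is possible, its worker would again reach `xe_ggtt_set_pte` after `mmio_fini` and hit the page fault shown in the commit message; whether the removal path already guards against this is not visible here. The function also has no comment explaining why it is a devm action rather than part of the existing drmm cleanup; something like `/* devm, not drmm: pending node removals must finish before the MMIO/GSM mapping is released */` would record that.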
@@ -0,0 +1,89 @@ +From 558d081ce9e856014513418522e2fc3b1ccb04f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 19 Jun 2025 11:45:30 +0200 +Subject: ethernet: ionic: Fix DMA mapping tests + +From: Thomas Fourier <fourier.thomas@gmail.com> + +[ Upstream commit d5e3241c5a386a2425823c8c7afb77a465bd040f ] + +Change error values of `ionic_tx_map_single()` and `ionic_tx_map_frag()` +from 0 to `DMA_MAPPING_ERROR` to prevent collision with 0 as a valid +address. + +This also fixes the use of `dma_mapping_error()` to test against 0 in +`ionic_xdp_post_frame()` + +Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling") +Fixes: 56e41ee12d2d ("ionic: better dma-map error handling") +Fixes: ac8813c0ab7d ("ionic: convert Rx queue buffers to use page_pool") +Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com> +Reviewed-by: Brett Creeley <brett.creeley@amd.com> +Link: https://patch.msgid.link/20250619094538.283723-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +index 2ac59564ded18..d10b58ebf6034 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c +@@ -321,7 +321,7 @@ static int ionic_xdp_post_frame(struct ionic_queue *q, struct xdp_frame *frame, + len, DMA_TO_DEVICE); + } else /* XDP_REDIRECT */ { + dma_addr = ionic_tx_map_single(q, frame->data, len); +- if (!dma_addr) ++ if (dma_addr == DMA_MAPPING_ERROR) + return -EIO; + } + +@@ -357,7 +357,7 @@ static int ionic_xdp_post_frame(struct ionic_queue *q, struct xdp_frame *frame, + } else { + dma_addr = ionic_tx_map_frag(q, frag, 0, + skb_frag_size(frag)); +- if (dma_mapping_error(q->dev, dma_addr)) { ++ if (dma_addr == 
DMA_MAPPING_ERROR) { + ionic_tx_desc_unmap_bufs(q, desc_info); + return -EIO; + } +@@ -1083,7 +1083,7 @@ static dma_addr_t ionic_tx_map_single(struct ionic_queue *q, + net_warn_ratelimited("%s: DMA single map failed on %s!\n", + dev_name(dev), q->name); + q_to_tx_stats(q)->dma_map_err++; +- return 0; ++ return DMA_MAPPING_ERROR; + } + return dma_addr; + } +@@ -1100,7 +1100,7 @@ static dma_addr_t ionic_tx_map_frag(struct ionic_queue *q, + net_warn_ratelimited("%s: DMA frag map failed on %s!\n", + dev_name(dev), q->name); + q_to_tx_stats(q)->dma_map_err++; +- return 0; ++ return DMA_MAPPING_ERROR; + } + return dma_addr; + } +@@ -1116,7 +1116,7 @@ static int ionic_tx_map_skb(struct ionic_queue *q, struct sk_buff *skb, + int frag_idx; + + dma_addr = ionic_tx_map_single(q, skb->data, skb_headlen(skb)); +- if (!dma_addr) ++ if (dma_addr == DMA_MAPPING_ERROR) + return -EIO; + buf_info->dma_addr = dma_addr; + buf_info->len = skb_headlen(skb); +@@ -1126,7 +1126,7 @@ static int ionic_tx_map_skb(struct ionic_queue *q, struct sk_buff *skb, + nfrags = skb_shinfo(skb)->nr_frags; + for (frag_idx = 0; frag_idx < nfrags; frag_idx++, frag++) { + dma_addr = ionic_tx_map_frag(q, frag, 0, skb_frag_size(frag)); +- if (!dma_addr) ++ if (dma_addr == DMA_MAPPING_ERROR) + goto dma_fail; + buf_info->dma_addr = dma_addr; + buf_info->len = skb_frag_size(frag); +-- +2.39.5 + diff --git a/queue-6.15/hid-intel-thc-hid-intel-quicki2c-enhance-quicki2c-re.patch b/queue-6.15/hid-intel-thc-hid-intel-quicki2c-enhance-quicki2c-re.patch new file mode 100644 index 0000000000..4abf73e5c7 --- /dev/null +++ b/queue-6.15/hid-intel-thc-hid-intel-quicki2c-enhance-quicki2c-re.patch 
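Review bot: `ionic_tx_map_single()` and `ionic_tx_map_frag()` now return `DMA_MAPPING_ERROR` instead of 0 on failure, but the new contract is not documented at either helper, and any caller outside these hunks that still tests `!dma_addr` would now treat a failed mapping as a valid address and pass it on to the device. The four call sites shown are converted; the rest of the file should be checked for others. A comment above each helper, e.g. `/* Returns DMA_MAPPING_ERROR on failure; 0 is a valid DMA address */`, would keep future callers from going back to the zero test. Both helper bodies start outside the hunks.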
@@ -0,0 +1,86 @@ +From 0d59d092bd9b3f0d282e3958443f7fe82f63a3c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 14 May 2025 14:26:38 +0800 +Subject: HID: Intel-thc-hid: Intel-quicki2c: Enhance QuickI2C reset flow + +From: Even Xu <even.xu@intel.com> + +[ Upstream commit 73f3a7415d93cf418c7625d03bce72da84344406 ] + +During customer board enabling, it was found: some touch devices +prepared reset response, but either forgot sending interrupt or +THC missed reset interrupt because of timing issue. THC QuickI2C +driver depends on interrupt to read reset response, in this case, +it will cause driver waiting timeout. + +This patch enhances the flow by adding manually reset response +reading after waiting for reset interrupt timeout. + +Signed-off-by: Even Xu <even.xu@intel.com> +Tested-by: Chong Han <chong.han@intel.com> +Fixes: 66b59bfce6d9 ("HID: intel-thc-hid: intel-quicki2c: Complete THC QuickI2C driver") +Signed-off-by: Jiri Kosina <jkosina@suse.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + .../intel-quicki2c/quicki2c-protocol.c | 26 ++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-protocol.c b/drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-protocol.c +index f493df0d5dc4e..a63f8c833252d 100644 +--- a/drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-protocol.c ++++ b/drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-protocol.c +@@ -4,6 +4,7 @@ + #include <linux/bitfield.h> + #include <linux/hid.h> + #include <linux/hid-over-i2c.h> ++#include <linux/unaligned.h> + + #include "intel-thc-dev.h" + #include "intel-thc-dma.h" +@@ -200,6 +201,9 @@ int quicki2c_set_report(struct quicki2c_device *qcdev, u8 report_type, + + int quicki2c_reset(struct quicki2c_device *qcdev) + { ++ u16 input_reg = le16_to_cpu(qcdev->dev_desc.input_reg); ++ size_t read_len = HIDI2C_LENGTH_LEN; ++ u32 prd_len = read_len; + int ret; + + qcdev->reset_ack = false; +@@ 
-213,12 +217,32 @@ int quicki2c_reset(struct quicki2c_device *qcdev) + + ret = wait_event_interruptible_timeout(qcdev->reset_ack_wq, qcdev->reset_ack, + HIDI2C_RESET_TIMEOUT * HZ); +- if (ret <= 0 || !qcdev->reset_ack) { ++ if (qcdev->reset_ack) ++ return 0; ++ ++ /* ++ * Manually read reset response if it wasn't received, in case reset interrupt ++ * was missed by touch device or THC hardware. ++ */ ++ ret = thc_tic_pio_read(qcdev->thc_hw, input_reg, read_len, &prd_len, ++ (u32 *)qcdev->input_buf); ++ if (ret) { ++ dev_err_once(qcdev->dev, "Read Reset Response failed, ret %d\n", ret); ++ return ret; ++ } ++ ++ /* ++ * Check response packet length, it's first 16 bits of packet. ++ * If response packet length is zero, it's reset response, otherwise not. ++ */ ++ if (get_unaligned_le16(qcdev->input_buf)) { + dev_err_once(qcdev->dev, + "Wait reset response timed out ret:%d timeout:%ds\n", + ret, HIDI2C_RESET_TIMEOUT); + return -ETIMEDOUT; + } + ++ qcdev->reset_ack = true; ++ + return 0; + } +-- +2.39.5 + diff --git a/queue-6.15/hid-wacom-fix-crash-in-wacom_aes_battery_handler.patch b/queue-6.15/hid-wacom-fix-crash-in-wacom_aes_battery_handler.patch new file mode 100644 index 0000000000..4e854b6697 --- /dev/null +++ b/queue-6.15/hid-wacom-fix-crash-in-wacom_aes_battery_handler.patch 
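Review bot: In the new fallback path of `quicki2c_reset()`, `prd_len` is never examined after `thc_tic_pio_read()`, so `get_unaligned_le16(qcdev->input_buf)` may be evaluating bytes left over from an earlier transfer; a stale zero there would set `reset_ack` without the device having answered. If `prd_len` reports the number of bytes actually read (the helper is not shown), the guard should be `if (ret || prd_len < read_len)`, with an explicit error code for the short-read case since `ret` is 0 there. In addition, `ret` has been overwritten by the PIO read by the time the timeout message prints `ret:%d`, so it always logs 0 and the result of `wait_event_interruptible_timeout()`, including an interrupted wait, is lost. Keeping the wait result in its own variable would preserve it for the log and for the caller.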
@@ -0,0 +1,46 @@
+From 0235a3560ea96941271241caaef4e001b96dc4c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 10:54:46 +0200
+Subject: HID: wacom: fix crash in wacom_aes_battery_handler()
+
+From: Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
+
+[ Upstream commit f3054152c12e2eed1e72704aff47b0ea58229584 ]
+
+Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended
+inactivity") introduced wacom_aes_battery_handler() which is scheduled
+as a delayed work (aes_battery_work).
+
+In wacom_remove(), aes_battery_work is not canceled. Consequently, if
+the device is removed while aes_battery_work is still pending, then hard
+crashes or "Oops: general protection fault..." are experienced when
+wacom_aes_battery_handler() is finally called. E.g., this happens with
+built-in USB devices after resume from hibernate when aes_battery_work
+was still pending at the time of hibernation.
+
+So, take care to cancel aes_battery_work in wacom_remove().
+
+Fixes: fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended inactivity")
+Signed-off-by: Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
+Acked-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_sys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
+index eaf099b2efdb0..e74c1a4c5b61c 100644
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2901,6 +2901,7 @@ static void wacom_remove(struct hid_device *hdev)
+ hid_hw_stop(hdev);
+
+ cancel_delayed_work_sync(&wacom->init_work);
++ cancel_delayed_work_sync(&wacom->aes_battery_work);
+ cancel_work_sync(&wacom->wireless_work);
+ cancel_work_sync(&wacom->battery_work);
+ cancel_work_sync(&wacom->remote_work);
+--
+2.39.5
+
diff --git a/queue-6.15/io_uring-net-mark-iov-as-dynamically-allocated-even-.patch b/queue-6.15/io_uring-net-mark-iov-as-dynamically-allocated-even-.patch
new file mode 100644
index 0000000000..d4efa88e23
--- /dev/null
+++ b/queue-6.15/io_uring-net-mark-iov-as-dynamically-allocated-even-.patch
@@ -0,0 +1,55 @@
+From c484faa90189d375e12dc5c7c6109b665aec4af8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 10:17:06 -0600
+Subject: io_uring/net: mark iov as dynamically allocated even for single
+ segments
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 9a709b7e98e6fa51600b5f2d24c5068efa6d39de ]
+
+A bigger array of vecs could've been allocated, but
+io_ring_buffers_peek() still decided to cap the mapped range depending
+on how much data was available. Hence don't rely on the segment count
+to know if the request should be marked as needing cleanup, always
+check upfront if the iov array is different than the fast_iov array.
+
+Fixes: 26ec15e4b0c1 ("io_uring/kbuf: don't truncate end buffer for multiple buffer peeks")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/net.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/io_uring/net.c b/io_uring/net.c
+index 3feceb2b5b97e..adfdcea01e39b 100644
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1084,6 +1084,12 @@ static int io_recv_buf_select(struct io_kiocb *req, struct io_async_msghdr *kmsg
+ if (unlikely(ret < 0))
+ return ret;
+
++ if (arg.iovs != &kmsg->fast_iov && arg.iovs != kmsg->vec.iovec) {
++ kmsg->vec.nr = ret;
++ kmsg->vec.iovec = arg.iovs;
++ req->flags |= REQ_F_NEED_CLEANUP;
++ }
++
+ /* special case 1 vec, can be a fast path */
+ if (ret == 1) {
+ sr->buf = arg.iovs[0].iov_base;
+@@ -1092,11 +1098,6 @@ static int io_recv_buf_select(struct io_kiocb *req, struct io_async_msghdr *kmsg
+ }
+ iov_iter_init(&kmsg->msg.msg_iter, ITER_DEST, arg.iovs, ret,
+ arg.out_len);
+- if (arg.iovs != &kmsg->fast_iov && arg.iovs != kmsg->vec.iovec) {
+- kmsg->vec.nr = ret;
+- kmsg->vec.iovec = arg.iovs;
+- req->flags |= REQ_F_NEED_CLEANUP;
+- }
+ } else {
+ void __user *buf;
+
+--
+2.39.5
+
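Review bot: The block moved above the `ret == 1` fast path in `io_recv_buf_select()` has no comment, although its position is now the whole fix: placed after the fast path, a reallocated `arg.iovs` with a single mapped segment is never recorded for cleanup. I would add `/* arg.iovs may have been reallocated even if only one segment was mapped; record it before the fast path so it is freed */` above the `if`. Separately, `kmsg->vec.nr = ret` stores the number of mapped segments, while the commit message notes that a bigger array may have been allocated; it is worth confirming that nothing later treats `vec.nr` as the array's capacity. The function starts and ends outside the hunks.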
diff --git a/queue-6.15/libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch b/queue-6.15/libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch
new file mode 100644
index 0000000000..4bf947bd8a
--- /dev/null
+++ b/queue-6.15/libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch
@@ -0,0 +1,42 @@
+From 809b66bd8c7cbf015ec6bf14bd39eabaac10d88f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 09:19:33 +0800
+Subject: libbpf: Fix null pointer dereference in btf_dump__free on allocation
+ failure
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit aa485e8789d56a4573f7c8d000a182b749eaa64d ]
+
+When btf_dump__new() fails to allocate memory for the internal hashmap
+(btf_dump->type_names), it returns an error code. However, the cleanup
+function btf_dump__free() does not check if btf_dump->type_names is NULL
+before attempting to free it. This leads to a null pointer dereference
+when btf_dump__free() is called on a btf_dump object.
+
+Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250618011933.11423-1-chenyuan_fl@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_dump.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index 460c3e57fadb6..0381f209920a6 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -226,6 +226,9 @@ static void btf_dump_free_names(struct hashmap *map)
+ size_t bkt;
+ struct hashmap_entry *cur;
+
++ if (!map)
++ return;
++
+ hashmap__for_each_entry(map, cur, bkt)
+ free((void *)cur->pkey);
+
+--
+2.39.5
+
diff --git a/queue-6.15/libbpf-fix-possible-use-after-free-for-externs.patch b/queue-6.15/libbpf-fix-possible-use-after-free-for-externs.patch
new file mode 100644
index 0000000000..85fcfcc60e
--- /dev/null
+++ b/queue-6.15/libbpf-fix-possible-use-after-free-for-externs.patch 
@@ -0,0 +1,113 @@
+From fc9ab7f722a9d504611cf83c9760ef5487284763 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 22:02:15 -0700
+Subject: libbpf: Fix possible use-after-free for externs
+
+From: Adin Scannell <amscanne@meta.com>
+
+[ Upstream commit fa6f092cc0a02d0fcee37e9e8172eda372a03d33 ]
+
+The `name` field in `obj->externs` points into the BTF data at initial
+open time. However, some functions may invalidate this after opening and
+before loading (e.g. `bpf_map__set_value_size`), which results in
+pointers into freed memory and undefined behavior.
+
+The simplest solution is to simply `strdup` these strings, similar to
+the `essent_name`, and free them at the same time.
+
+In order to test this path, the `global_map_resize` BPF selftest is
+modified slightly to ensure the presence of an extern, which causes this
+test to fail prior to the fix. Given there isn't an obvious API or error
+to test against, I opted to add this to the existing test as an aspect
+of the resizing feature rather than duplicate the test.
+ +Fixes: 9d0a23313b1a ("libbpf: Add capability for resizing datasec maps") +Signed-off-by: Adin Scannell <amscanne@meta.com> +Signed-off-by: Andrii Nakryiko <andrii@kernel.org> +Link: https://lore.kernel.org/bpf/20250625050215.2777374-1-amscanne@meta.com +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + tools/lib/bpf/libbpf.c | 10 +++++++--- + .../selftests/bpf/progs/test_global_map_resize.c | 16 ++++++++++++++++ + 2 files changed, 23 insertions(+), 3 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 30cf210261032..97605ea8093ff 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -597,7 +597,7 @@ struct extern_desc { + int sym_idx; + int btf_id; + int sec_btf_id; +- const char *name; ++ char *name; + char *essent_name; + bool is_set; + bool is_weak; +@@ -4259,7 +4259,9 @@ static int bpf_object__collect_externs(struct bpf_object *obj) + return ext->btf_id; + } + t = btf__type_by_id(obj->btf, ext->btf_id); +- ext->name = btf__name_by_offset(obj->btf, t->name_off); ++ ext->name = strdup(btf__name_by_offset(obj->btf, t->name_off)); ++ if (!ext->name) ++ return -ENOMEM; + ext->sym_idx = i; + ext->is_weak = ELF64_ST_BIND(sym->st_info) == STB_WEAK; + +@@ -9138,8 +9140,10 @@ void bpf_object__close(struct bpf_object *obj) + zfree(&obj->btf_custom_path); + zfree(&obj->kconfig); + +- for (i = 0; i < obj->nr_extern; i++) ++ for (i = 0; i < obj->nr_extern; i++) { ++ zfree(&obj->externs[i].name); + zfree(&obj->externs[i].essent_name); ++ } + + zfree(&obj->externs); + obj->nr_extern = 0; +diff --git a/tools/testing/selftests/bpf/progs/test_global_map_resize.c b/tools/testing/selftests/bpf/progs/test_global_map_resize.c +index a3f220ba7025b..ee65bad0436d0 100644 +--- a/tools/testing/selftests/bpf/progs/test_global_map_resize.c ++++ b/tools/testing/selftests/bpf/progs/test_global_map_resize.c +@@ -32,6 +32,16 @@ int my_int_last SEC(".data.array_not_last"); + + int percpu_arr[1] SEC(".data.percpu_arr"); + ++/* at least one 
extern is included, to ensure that a specific ++ * regression is tested whereby resizing resulted in a free-after-use ++ * bug after type information is invalidated by the resize operation. ++ * ++ * There isn't a particularly good API to test for this specific condition, ++ * but by having externs for the resizing tests it will cover this path. ++ */ ++extern int LINUX_KERNEL_VERSION __kconfig; ++long version_sink; ++ + SEC("tp/syscalls/sys_enter_getpid") + int bss_array_sum(void *ctx) + { +@@ -44,6 +54,9 @@ int bss_array_sum(void *ctx) + for (size_t i = 0; i < bss_array_len; ++i) + sum += array[i]; + ++ /* see above; ensure this is not optimized out */ ++ version_sink = LINUX_KERNEL_VERSION; ++ + return 0; + } + +@@ -59,6 +72,9 @@ int data_array_sum(void *ctx) + for (size_t i = 0; i < data_array_len; ++i) + sum += my_array[i]; + ++ /* see above; ensure this is not optimized out */ ++ version_sink = LINUX_KERNEL_VERSION; ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.15/net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch b/queue-6.15/net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch new file mode 100644 index 0000000000..8299a9ab45 --- /dev/null +++ b/queue-6.15/net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch 
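Review bot: In `bpf_object__collect_externs()` the result of `btf__name_by_offset()` is now passed straight to `strdup()`, which must not be given NULL; before this change the pointer was only stored. If the lookup can fail for a malformed name offset in the object's BTF (not visible in this hunk), the new line dereferences NULL while parsing an input file. Splitting the lookup through a local `const char *name` keeps the two failures apart: `name = btf__name_by_offset(obj->btf, t->name_off);`, `if (!name) return -EINVAL;`, then `ext->name = strdup(name);` followed by the existing `-ENOMEM` check. The function body continues outside the hunk.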
@@ -0,0 +1,60 @@
+From 1e43e2c8674328429553c7d4f7f7c6ac0ed77035 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 17:35:12 +0100
+Subject: net: enetc: Correct endianness handling in _enetc_rd_reg64
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit 7b515f35a911fdc31fbde6531828dcd6ae9803d3 ]
+
+enetc_hw.h provides two versions of _enetc_rd_reg64.
+One which simply calls ioread64() when available.
+And another that composes the 64-bit result from ioread32() calls.
+
+In the second case the code appears to assume that each ioread32() call
+returns a little-endian value. However both the shift and logical or
+used to compose the return value would not work correctly on big endian
+systems if this were the case. Moreover, this is inconsistent with the
+first case where the return value of ioread64() is assumed to be in host
+byte order.
+
+It appears that the correct approach is for both versions to treat the
+return value of ioread*() functions as being in host byte order. And
+this patch corrects the ioread32()-based version to do so.
+
+This is a bug but would only manifest on big endian systems
+that make use of the ioread32-based implementation of _enetc_rd_reg64.
+While all in-tree users of this driver are little endian and
+make use of the ioread64-based implementation of _enetc_rd_reg64.
+Thus, no in-tree user of this driver is affected by this bug.
+
+Flagged by Sparse.
+Compile tested only.
+
+Fixes: 16eb4c85c964 ("enetc: Add ethtool statistics")
+Closes: https://lore.kernel.org/all/AM9PR04MB850500D3FC24FE23DEFCEA158879A@AM9PR04MB8505.eurprd04.prod.outlook.com/
+Signed-off-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Wei Fang <wei.fang@nxp.com>
+Link: https://patch.msgid.link/20250624-etnetc-le-v1-1-a73a95d96e4e@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc_hw.h b/drivers/net/ethernet/freescale/enetc/enetc_hw.h
+index 4098f01479bc0..53e8d18c7a34a 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc_hw.h
++++ b/drivers/net/ethernet/freescale/enetc/enetc_hw.h
+@@ -507,7 +507,7 @@ static inline u64 _enetc_rd_reg64(void __iomem *reg)
+ tmp = ioread32(reg + 4);
+ } while (high != tmp);
+
+- return le64_to_cpu((__le64)high << 32 | low);
++ return (u64)high << 32 | low;
+ }
+ #endif
+
+--
+2.39.5
+
diff --git a/queue-6.15/net-netpoll-initialize-udp-checksum-field-before-che.patch b/queue-6.15/net-netpoll-initialize-udp-checksum-field-before-che.patch
new file mode 100644
index 0000000000..ba5ccc6ab6
--- /dev/null
+++ b/queue-6.15/net-netpoll-initialize-udp-checksum-field-before-che.patch
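Review bot: The new return in `_enetc_rd_reg64` carries no comment saying why the byte-order conversion was dropped, so a later cleanup could reintroduce it. I would add `/* ioread32() results are treated as host byte order, like ioread64(); no le64_to_cpu() */` above the return, which is the reasoning the commit message gives, and parenthesise the shift for readers: `return ((u64)high << 32) | low;`. The commit message states the change was compile tested only, so the big-endian ioread32 path has not been exercised. The function body starts outside the hunk.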
@@ -0,0 +1,48 @@
+From 8ef7788484af47b27e7947256abc869d641374c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 11:48:55 -0700
+Subject: net: netpoll: Initialize UDP checksum field before checksumming
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit f5990207026987a353d5a95204c4d9cb725637fd ]
+
+commit f1fce08e63fe ("netpoll: Eliminate redundant assignment") removed
+the initialization of the UDP checksum, which was wrong and broke
+netpoll IPv6 transmission due to bad checksumming.
+
+udph->check needs to be set before calling csum_ipv6_magic().
+
+Fixes: f1fce08e63fe ("netpoll: Eliminate redundant assignment")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250620-netpoll_fix-v1-1-f9f0b82bc059@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/netpoll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/netpoll.c b/net/core/netpoll.c
+index 4ddb7490df4b8..6ad84d4a2b464 100644
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -432,6 +432,7 @@ int netpoll_send_udp(struct netpoll *np, const char *msg, int len)
+ udph->dest = htons(np->remote_port);
+ udph->len = htons(udp_len);
+
++ udph->check = 0;
+ if (np->ipv6) {
+ udph->check = csum_ipv6_magic(&np->local_ip.in6,
+ &np->remote_ip.in6,
+@@ -460,7 +461,6 @@ int netpoll_send_udp(struct netpoll *np, const char *msg, int len)
+ skb_reset_mac_header(skb);
+ skb->protocol = eth->h_proto = htons(ETH_P_IPV6);
+ } else {
+- udph->check = 0;
+ udph->check = csum_tcpudp_magic(np->local_ip.ip,
+ np->remote_ip.ip,
+ udp_len, IPPROTO_UDP,
+--
+2.39.5
+
diff --git a/queue-6.15/net-selftests-fix-tcp-packet-checksum.patch b/queue-6.15/net-selftests-fix-tcp-packet-checksum.patch
new file mode 100644
index 0000000000..8c68acc506
--- /dev/null
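Review bot: The hoisted `udph->check = 0;` has no comment explaining why it must run before both branches, and the commit message says an earlier cleanup removed this very assignment as redundant. A short comment on that line, such as `/* must be zero before the checksum is computed; not redundant */`, would keep it from being dropped again. In the IPv4 branch the zeroing now sits well away from the `csum_tcpudp_magic()` call it precedes, which makes the dependency easier to miss. Both hunks cut through `netpoll_send_udp`, so the remaining arguments of the checksum calls are not visible here.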
+++ b/queue-6.15/net-selftests-fix-tcp-packet-checksum.patch
@@ -0,0 +1,46 @@
+From 62eb2fa5a0ce485e3aeb7cb0463cf0bd6fc0c440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 11:32:58 -0700
+Subject: net: selftests: fix TCP packet checksum
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 8d89661a36dd3bb8c9902cff36dc0c144dce3faf ]
+
+The length in the pseudo header should be the length of the L3 payload
+AKA the L4 header+payload. The selftest code builds the packet from
+the lower layers up, so all the headers are pushed already when it
+constructs L4. We need to subtract the lower layer headers from skb->len.
+
+Fixes: 3e1e58d64c3d ("net: add generic selftest support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Reported-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20250624183258.3377740-1-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/selftests.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/selftests.c b/net/core/selftests.c
+index 35f807ea99523..406faf8e5f3f9 100644
+--- a/net/core/selftests.c
++++ b/net/core/selftests.c
+@@ -160,8 +160,9 @@ static struct sk_buff *net_test_get_skb(struct net_device *ndev,
+ skb->csum = 0;
+ skb->ip_summed = CHECKSUM_PARTIAL;
+ if (attr->tcp) {
+- thdr->check = ~tcp_v4_check(skb->len, ihdr->saddr,
+- ihdr->daddr, 0);
++ int l4len = skb->len - skb_transport_offset(skb);
++
++ thdr->check = ~tcp_v4_check(l4len, ihdr->saddr, ihdr->daddr, 0);
+ skb->csum_start = skb_transport_header(skb) - skb->head;
+ skb->csum_offset = offsetof(struct tcphdr, check);
+ } else {
+--
+2.39.5
+
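Review bot: `l4len` is derived from `skb_transport_offset(skb)` with no comment tying it to the pseudo-header rule spelled out in the commit message; I would add `/* pseudo-header length = L4 header + payload; lower headers are already pushed */` above the declaration. The `else` branch opens on the hunk's last line and its body is outside the hunk, so it is worth confirming that the non-TCP path does not pass the full `skb->len` in the same way. `net_test_get_skb` starts and ends outside the hunk.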
diff --git a/queue-6.15/netlink-specs-tc-replace-underscores-with-dashes-in-.patch b/queue-6.15/netlink-specs-tc-replace-underscores-with-dashes-in-.patch
new file mode 100644
index 0000000000..96c9f892f0
--- /dev/null
+++ b/queue-6.15/netlink-specs-tc-replace-underscores-with-dashes-in-.patch
@@ -0,0 +1,48 @@
+From 5d36a7c469452ba4bcedda227cdabfebe493563d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:10:01 -0700
+Subject: netlink: specs: tc: replace underscores with dashes in names
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit eef0eaeca7fa8e358a31e89802f564451b797718 ]
+
+We're trying to add a strict regexp for the name format in the spec.
+Underscores will not be allowed, dashes should be used instead.
+This makes no difference to C (codegen, if used, replaces special
+chars in names) but it gives more uniform naming in Python.
+
+Fixes: a1bcfde83669 ("doc/netlink/specs: Add a spec for tc")
+Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
+Link: https://patch.msgid.link/20250624211002.3475021-10-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/tc.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/netlink/specs/tc.yaml b/Documentation/netlink/specs/tc.yaml
+index 953aa837958b3..5702a6d21038c 100644
+--- a/Documentation/netlink/specs/tc.yaml
++++ b/Documentation/netlink/specs/tc.yaml
+@@ -227,7 +227,7 @@ definitions:
+ type: u8
+ doc: log(P_max / (qth-max - qth-min))
+ -
+- name: Scell_log
++ name: Scell-log
+ type: u8
+ doc: cell size for idle damping
+ -
+@@ -248,7 +248,7 @@ definitions:
+ name: DPs
+ type: u32
+ -
+- name: def_DP
++ name: def-DP
+ type: u32
+ -
+ name: grio
+--
+2.39.5
+
diff --git a/queue-6.15/nvme-fix-atomic-write-size-validation.patch b/queue-6.15/nvme-fix-atomic-write-size-validation.patch
new file mode 100644
index 0000000000..f7e6ff33f5
--- /dev/null
+++ b/queue-6.15/nvme-fix-atomic-write-size-validation.patch
@@ -0,0 +1,130 @@
+From caa51c7eaa7d536fd4c8db1ff8ae73efc746ae14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 06:54:56 +0200
+Subject: nvme: fix atomic write size validation
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit f46d273449ba65afd53f3dd8fe0182c9df877e08 ]
+
+Don't mix the namespace and controller values, and validate the
+per-controller limit when probing the controller. This avoid spurious
+failures for controllers with namespaces that have different namespaces
+with different logical block sizes, or report the per-namespace values
+only for some namespaces.
+
+It also fixes a missing queue_limits_cancel_update in an error path by
+removing that error path.
+
+Fixes: 8695f060a029 ("nvme: all namespaces in a subsystem must adhere to a common atomic write size")
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Tested-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 33 +++++++++++---------------------
+ drivers/nvme/host/nvme.h | 3 +--
+ 2 files changed, 12 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 1c853c5b8169b..d253b82901110 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2022,17 +2022,7 @@ static u32 nvme_configure_atomic_write(struct nvme_ns *ns,
+ * no clear language in the specification prohibiting different
+ * values for different controllers in the subsystem.
+ */
+- atomic_bs = (1 + ns->ctrl->awupf) * bs;
+- }
+-
+- if (!ns->ctrl->subsys->atomic_bs) {
+- ns->ctrl->subsys->atomic_bs = atomic_bs;
+- } else if (ns->ctrl->subsys->atomic_bs != atomic_bs) {
+- dev_err_ratelimited(ns->ctrl->device,
+- "%s: Inconsistent Atomic Write Size, Namespace will not be added: Subsystem=%d bytes, Controller/Namespace=%d bytes\n",
+- ns->disk ? ns->disk->disk_name : "?",
+- ns->ctrl->subsys->atomic_bs,
+- atomic_bs);
++ atomic_bs = (1 + ns->ctrl->subsys->awupf) * bs;
+ }
+
+ lim->atomic_write_hw_max = atomic_bs;
+@@ -2219,16 +2209,6 @@ static int nvme_update_ns_info_block(struct nvme_ns *ns,
+ if (!nvme_update_disk_info(ns, id, &lim))
+ capacity = 0;
+
+- /*
+- * Validate the max atomic write size fits within the subsystem's
+- * atomic write capabilities.
+- */
+- if (lim.atomic_write_hw_max > ns->ctrl->subsys->atomic_bs) {
+- blk_mq_unfreeze_queue(ns->disk->queue, memflags);
+- ret = -ENXIO;
+- goto out;
+- }
+-
+ nvme_config_discard(ns, &lim);
+ if (IS_ENABLED(CONFIG_BLK_DEV_ZONED) &&
+ ns->head->ids.csi == NVME_CSI_ZNS)
+@@ -3044,6 +3024,7 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id)
+ memcpy(subsys->model, id->mn, sizeof(subsys->model));
+ subsys->vendor_id = le16_to_cpu(id->vid);
+ subsys->cmic = id->cmic;
++ subsys->awupf = le16_to_cpu(id->awupf);
+
+ /* Versions prior to 1.4 don't necessarily report a valid type */
+ if (id->cntrltype == NVME_CTRL_DISC ||
+@@ -3373,6 +3354,15 @@ static int nvme_init_identify(struct nvme_ctrl *ctrl)
+ if (ret)
+ goto out_free;
+ }
++
++ if (le16_to_cpu(id->awupf) != ctrl->subsys->awupf) {
++ dev_err_ratelimited(ctrl->device,
++ "inconsistent AWUPF, controller not added (%u/%u).\n",
++ le16_to_cpu(id->awupf), ctrl->subsys->awupf);
++ ret = -EINVAL;
++ goto out_free;
++ }
++
+ memcpy(ctrl->subsys->firmware_rev, id->fr,
+ sizeof(ctrl->subsys->firmware_rev));
+
+@@ -3468,7 +3458,6 @@ static int nvme_init_identify(struct nvme_ctrl *ctrl)
+ dev_pm_qos_expose_latency_tolerance(ctrl->device);
+ else if (!ctrl->apst_enabled && prev_apst_enabled)
+ dev_pm_qos_hide_latency_tolerance(ctrl->device);
+- ctrl->awupf = le16_to_cpu(id->awupf);
+ out_free:
+ kfree(id);
+ return ret;
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 8fc4683418a3a..d8c4e545f732c 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -410,7 +410,6 @@ struct nvme_ctrl {
+
+ enum nvme_ctrl_type cntrltype;
+ enum nvme_dctype dctype;
+- u16 awupf; /* 0's based value. */
+ };
+
+ static inline enum nvme_ctrl_state nvme_ctrl_state(struct nvme_ctrl *ctrl)
+@@ -443,11 +442,11 @@ struct nvme_subsystem {
+ u8 cmic;
+ enum nvme_subsys_type subtype;
+ u16 vendor_id;
++ u16 awupf; /* 0's based value. */
+ struct ida ns_ida;
+ #ifdef CONFIG_NVME_MULTIPATH
+ enum nvme_iopolicy iopolicy;
+ #endif
+- u32 atomic_bs;
+ };
+
+ /*
+--
+2.39.5
+
diff --git a/queue-6.15/nvme-refactor-the-atomic-write-unit-detection.patch b/queue-6.15/nvme-refactor-the-atomic-write-unit-detection.patch
new file mode 100644
index 0000000000..32e7ead500
--- /dev/null
+++ b/queue-6.15/nvme-refactor-the-atomic-write-unit-detection.patch
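Review bot: The new AWUPF check in `nvme_init_identify` logs `(%u/%u)` without saying which value is the controller's and which the subsystem's; `"inconsistent AWUPF, controller not added (ctrl %u, subsys %u).\n"` would make the message usable on its own. In the `nvme_configure_atomic_write` hunk the retained comment still talks about different values for different controllers in the subsystem, while the code now reads `ns->ctrl->subsys->awupf` and the probe path rejects a controller whose AWUPF differs, so the comment should say the value is validated per subsystem at probe time. Both functions start and end outside their hunks.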
@@ -0,0 +1,123 @@
+From 8a2eb1b9b57b27bbfe38993cd5507da655c9254c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 07:09:21 +0200
+Subject: nvme: refactor the atomic write unit detection
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit b2e607fecac15e07f50269c080e2e71b5049dfa2 ]
+
+Move all the code out of nvme_update_disk_info into the helper, and
+rename the helper to have a somewhat less clumsy name.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Stable-dep-of: f46d273449ba ("nvme: fix atomic write size validation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 72 +++++++++++++++++++++-------------------
+ 1 file changed, 38 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 93a8119ad5ca6..1c853c5b8169b 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1996,21 +1996,51 @@ static void nvme_configure_metadata(struct nvme_ctrl *ctrl,
+ }
+
+
+-static void nvme_update_atomic_write_disk_info(struct nvme_ns *ns,
+- struct nvme_id_ns *id, struct queue_limits *lim,
+- u32 bs, u32 atomic_bs)
++static u32 nvme_configure_atomic_write(struct nvme_ns *ns,
++ struct nvme_id_ns *id, struct queue_limits *lim, u32 bs)
+ {
+- unsigned int boundary = 0;
++ u32 atomic_bs, boundary = 0;
+
+- if (id->nsfeat & NVME_NS_FEAT_ATOMICS && id->nawupf) {
+- if (le16_to_cpu(id->nabspf))
++ /*
++ * We do not support an offset for the atomic boundaries.
++ */
++ if (id->nabo)
++ return bs;
++
++ if ((id->nsfeat & NVME_NS_FEAT_ATOMICS) && id->nawupf) {
++ /*
++ * Use the per-namespace atomic write unit when available.
++ */
++ atomic_bs = (1 + le16_to_cpu(id->nawupf)) * bs;
++ if (id->nabspf)
+ boundary = (le16_to_cpu(id->nabspf) + 1) * bs;
++ } else {
++ /*
++ * Use the controller wide atomic write unit. This sucks
++ * because the limit is defined in terms of logical blocks while
++ * namespaces can have different formats, and because there is
++ * no clear language in the specification prohibiting different
++ * values for different controllers in the subsystem.
++ */
++ atomic_bs = (1 + ns->ctrl->awupf) * bs;
++ }
++
++ if (!ns->ctrl->subsys->atomic_bs) {
++ ns->ctrl->subsys->atomic_bs = atomic_bs;
++ } else if (ns->ctrl->subsys->atomic_bs != atomic_bs) {
++ dev_err_ratelimited(ns->ctrl->device,
++ "%s: Inconsistent Atomic Write Size, Namespace will not be added: Subsystem=%d bytes, Controller/Namespace=%d bytes\n",
++ ns->disk ? ns->disk->disk_name : "?",
++ ns->ctrl->subsys->atomic_bs,
++ atomic_bs);
+ }
++
+ lim->atomic_write_hw_max = atomic_bs;
+ lim->atomic_write_hw_boundary = boundary;
+ lim->atomic_write_hw_unit_min = bs;
+ lim->atomic_write_hw_unit_max = rounddown_pow_of_two(atomic_bs);
+ lim->features |= BLK_FEAT_ATOMIC_WRITES;
++ return atomic_bs;
+ }
+
+ static u32 nvme_max_drv_segments(struct nvme_ctrl *ctrl)
+@@ -2048,34 +2078,8 @@ static bool nvme_update_disk_info(struct nvme_ns *ns, struct nvme_id_ns *id,
+ valid = false;
+ }
+
+- atomic_bs = phys_bs = bs;
+- if (id->nabo == 0) {
+- /*
+- * Bit 1 indicates whether NAWUPF is defined for this namespace
+- * and whether it should be used instead of AWUPF. If NAWUPF ==
+- * 0 then AWUPF must be used instead.
+- */
+- if (id->nsfeat & NVME_NS_FEAT_ATOMICS && id->nawupf)
+- atomic_bs = (1 + le16_to_cpu(id->nawupf)) * bs;
+- else
+- atomic_bs = (1 + ns->ctrl->awupf) * bs;
+-
+- /*
+- * Set subsystem atomic bs.
+- */
+- if (ns->ctrl->subsys->atomic_bs) {
+- if (atomic_bs != ns->ctrl->subsys->atomic_bs) {
+- dev_err_ratelimited(ns->ctrl->device,
+- "%s: Inconsistent Atomic Write Size, Namespace will not be added: Subsystem=%d bytes, Controller/Namespace=%d bytes\n",
+- ns->disk ? ns->disk->disk_name : "?",
+- ns->ctrl->subsys->atomic_bs,
+- atomic_bs);
+- }
+- } else
+- ns->ctrl->subsys->atomic_bs = atomic_bs;
+-
+- nvme_update_atomic_write_disk_info(ns, id, lim, bs, atomic_bs);
+- }
++ phys_bs = bs;
++ atomic_bs = nvme_configure_atomic_write(ns, id, lim, bs);
+
+ if (id->nsfeat & NVME_NS_FEAT_IO_OPT) {
+ /* NPWG = Namespace Preferred Write Granularity */
+--
+2.39.5
+
diff --git a/queue-6.15/riscv-fix-runtime-constant-support-for-nommu-kernels.patch b/queue-6.15/riscv-fix-runtime-constant-support-for-nommu-kernels.patch
new file mode 100644
index 0000000000..3a8ee2cf4d
--- /dev/null
+++ b/queue-6.15/riscv-fix-runtime-constant-support-for-nommu-kernels.patch
@@ -0,0 +1,55 @@
+From 9ae4821212aa08a65e894dfb79e01476ee875ddb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 17:14:22 -0400
+Subject: riscv: fix runtime constant support for nommu kernels
+
+From: Charles Mirabile <cmirabil@redhat.com>
+
+[ Upstream commit 8d90d9872edae7e78c3a12b98e239bfaa66f3639 ]
+
+the `__runtime_fixup_32` function does not handle the case where `val` is
+zero correctly (as might occur when patching a nommu kernel and referring
+to a physical address below the 4GiB boundary whose upper 32 bits are all
+zero) because nothing in the existing logic prevents the code from taking
+the `else` branch of both nop-checks and emitting two `nop` instructions.
+
+This leaves random garbage in the register that is supposed to receive the
+upper 32 bits of the pointer instead of zero that when combined with the
+value for the lower 32 bits yields an invalid pointer and causes a kernel
+panic when that pointer is eventually accessed.
+
+The author clearly considered the fact that if the `lui` is converted into
+a `nop` that the second instruction needs to be adjusted to become an `li`
+instead of an `addi`, hence introducing the `addi_insn_mask` variable, but
+didn't follow that logic through fully to the case where the `else` branch
+executes. To fix it just adjust the logic to ensure that the second `else`
+branch is not taken if the first instruction will be patched to a `nop`.
+
+Fixes: a44fb5722199 ("riscv: Add runtime constant support")
+
+Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
+Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
+Tested-by: Charlie Jenkins <charlie@rivosinc.com>
+Link: https://lore.kernel.org/r/20250530211422.784415-2-cmirabil@redhat.com
+Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/runtime-const.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/runtime-const.h b/arch/riscv/include/asm/runtime-const.h
+index 451fd76b88115..d766e2b9e6df1 100644
+--- a/arch/riscv/include/asm/runtime-const.h
++++ b/arch/riscv/include/asm/runtime-const.h
+@@ -206,7 +206,7 @@ static inline void __runtime_fixup_32(__le16 *lui_parcel, __le16 *addi_parcel, u
+ addi_insn_mask &= 0x07fff;
+ }
+
+- if (lower_immediate & 0x00000fff) {
++ if (lower_immediate & 0x00000fff || lui_insn == RISCV_INSN_NOP4) {
+ /* replace upper 12 bits of addi with lower 12 bits of val */
+ addi_insn &= addi_insn_mask;
+ addi_insn |= (lower_immediate & 0x00000fff) << 20;
+--
+2.39.5
+
diff --git a/queue-6.15/scsi-fnic-fix-missing-dma-mapping-error-in-fnic_send.patch b/queue-6.15/scsi-fnic-fix-missing-dma-mapping-error-in-fnic_send.patch
new file mode 100644
index 0000000000..9e4ed4d73c
--- /dev/null
+++ b/queue-6.15/scsi-fnic-fix-missing-dma-mapping-error-in-fnic_send.patch
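Review bot: The widened condition in `__runtime_fixup_32` now also fires when `lui_insn == RISCV_INSN_NOP4`, but the comment inside the branch still only describes replacing the immediate bits. I would add `/* also taken when lui was turned into a nop: the second insn must still be emitted (as li), never nop'ed too */` above the `if`, since the commit message shows that the two-`nop` case is what left the register holding garbage. Mixing `&` and `||` without parentheses also reads better as `if ((lower_immediate & 0x00000fff) || lui_insn == RISCV_INSN_NOP4) {`. The function starts and ends outside the hunk.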
@@ -0,0 +1,39 @@
+From d28f8adcf60e339a626dd2aa2815ab338ddea9fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 08:57:04 +0200
+Subject: scsi: fnic: Fix missing DMA mapping error in fnic_send_frame()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 85d6fbc47c3087c5d048e6734926b0c36af34fe9 ]
+
+dma_map_XXX() can fail and should be tested for errors with
+dma_mapping_error().
+
+Fixes: a63e78eb2b0f ("scsi: fnic: Add support for fabric based solicited requests and responses")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250618065715.14740-2-fourier.thomas@gmail.com
+Reviewed-by: Karan Tilak Kumar <kartilak@cisco.com>
+Reviewed-by: John Menghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/fnic/fnic_fcs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/fnic/fnic_fcs.c b/drivers/scsi/fnic/fnic_fcs.c
+index 1e8cd64f9a5c5..103ab6f1f7cd1 100644
+--- a/drivers/scsi/fnic/fnic_fcs.c
++++ b/drivers/scsi/fnic/fnic_fcs.c
+@@ -636,6 +636,8 @@ static int fnic_send_frame(struct fnic *fnic, void *frame, int frame_len)
+ unsigned long flags;
+
+ pa = dma_map_single(&fnic->pdev->dev, frame, frame_len, DMA_TO_DEVICE);
++ if (dma_mapping_error(&fnic->pdev->dev, pa))
++ return -ENOMEM;
+
+ if ((fnic_fc_trace_set_data(fnic->fnic_num,
+ FNIC_FC_SEND | 0x80, (char *) frame,
+--
+2.39.5
+
diff --git a/queue-6.15/series b/queue-6.15/series
index 5c03570b55..5210a0e800 100644
--- a/queue-6.15/series
+++ b/queue-6.15/series
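Review bot: The new early `return -ENOMEM;` in `fnic_send_frame` leaves before any of the function's later cleanup, so it should be confirmed that every caller releases `frame` on a non-zero return; the callers and the rest of the body are outside the hunk. Once confirmed, the contract is worth recording next to the check, e.g. `/* mapping failed: nothing was queued, caller still owns frame */`. If the function's other failure paths use a shared exit label or a different return convention, this one should follow it rather than returning directly.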
@@ -128,3 +128,43 @@ drm-xe-display-add-check-for-alloc_ordered_workqueue.patch
 drm-i915-snps_hdmi_pll-fix-64-bit-divisor-truncation-by-using-div64_u64.patch
 drm-xe-move-dsb-l2-flush-to-a-more-sensible-place.patch
 drm-xe-move-dpt-l2-flush-to-a-more-sensible-place.patch
+hid-intel-thc-hid-intel-quicki2c-enhance-quicki2c-re.patch
+hid-wacom-fix-crash-in-wacom_aes_battery_handler.patch
+cxl-ras-fix-cper-handler-device-confusion.patch
+scsi-fnic-fix-missing-dma-mapping-error-in-fnic_send.patch
+atm-clip-prevent-null-deref-in-clip_push.patch
+asoc-amd-ps-fix-for-soundwire-failures-during-hibern.patch
+bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch
+alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch
+attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch
+libbpf-fix-null-pointer-dereference-in-btf_dump__fre.patch
+net-netpoll-initialize-udp-checksum-field-before-che.patch
+ethernet-ionic-fix-dma-mapping-tests.patch
+bridge-mcast-fix-use-after-free-during-router-port-c.patch
+wifi-mac80211-fix-beacon-interval-calculation-overfl.patch
+af_unix-don-t-set-econnreset-for-consumed-oob-skb.patch
+wifi-mac80211-add-link-iteration-macro-for-link-data.patch
+wifi-mac80211-create-separate-links-for-vlan-interfa.patch
+wifi-mac80211-finish-link-init-before-rcu-publish.patch
+userns-and-mnt_idmap-leak-in-open_tree_attr-2.patch
+vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch
+bnxt-properly-flush-xdp-redirect-lists.patch
+um-ubd-add-missing-error-check-in-start_io_thread.patch
+io_uring-net-mark-iov-as-dynamically-allocated-even-.patch
+libbpf-fix-possible-use-after-free-for-externs.patch
+net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch
+netlink-specs-tc-replace-underscores-with-dashes-in-.patch
+atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch
+alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch
+net-selftests-fix-tcp-packet-checksum.patch
+nvme-refactor-the-atomic-write-unit-detection.patch
+nvme-fix-atomic-write-size-validation.patch
+riscv-fix-runtime-constant-support-for-nommu-kernels.patch
+drm-writeback-fix-drm_writeback_connector_cleanup-si.patch
+drm-amd-adjust-output-for-discovery-error-handling.patch
+drm-i915-fix-build-error-some-more.patch
+drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch
+drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch
+drm-xe-guc-explicitly-exit-ct-safe-mode-on-unwind.patch
+drm-xe-process-deferred-ggtt-node-removals-on-device.patch
+smb-client-fix-potential-deadlock-when-reconnecting-.patch
diff --git a/queue-6.15/smb-client-fix-potential-deadlock-when-reconnecting-.patch b/queue-6.15/smb-client-fix-potential-deadlock-when-reconnecting-.patch
new file mode 100644
index 0000000000..5de11b6168
--- /dev/null
+++ b/queue-6.15/smb-client-fix-potential-deadlock-when-reconnecting-.patch
@@ -0,0 +1,214 @@
+From a1a46d10ddbb8f661db0537ceaabf812e192ab56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 12:22:38 -0300
+Subject: smb: client: fix potential deadlock when reconnecting channels
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 711741f94ac3cf9f4e3aa73aa171e76d188c0819 ]
+
+Fix cifs_signal_cifsd_for_reconnect() to take the correct lock order
+and prevent the following deadlock from happening
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.16.0-rc3-build2+ #1301 Tainted: G S W
+------------------------------------------------------
+cifsd/6055 is trying to acquire lock:
+ffff88810ad56038 (&tcp_ses->srv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200
+
+but task is already holding lock:
+ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (&ret_buf->chan_lock){+.+.}-{3:3}:
+ validate_chain+0x1cf/0x270
+ __lock_acquire+0x60e/0x780
+ lock_acquire.part.0+0xb4/0x1f0
+ _raw_spin_lock+0x2f/0x40
+ cifs_setup_session+0x81/0x4b0
+ cifs_get_smb_ses+0x771/0x900
+ cifs_mount_get_session+0x7e/0x170
+ cifs_mount+0x92/0x2d0
+ cifs_smb3_do_mount+0x161/0x460
+ smb3_get_tree+0x55/0x90
+ vfs_get_tree+0x46/0x180
+ do_new_mount+0x1b0/0x2e0
+ path_mount+0x6ee/0x740
+ do_mount+0x98/0xe0
+ __do_sys_mount+0x148/0x180
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+-> #1 (&ret_buf->ses_lock){+.+.}-{3:3}:
+ validate_chain+0x1cf/0x270
+ __lock_acquire+0x60e/0x780
+ lock_acquire.part.0+0xb4/0x1f0
+ _raw_spin_lock+0x2f/0x40
+ cifs_match_super+0x101/0x320
+ sget+0xab/0x270
+ cifs_smb3_do_mount+0x1e0/0x460
+ smb3_get_tree+0x55/0x90
+ vfs_get_tree+0x46/0x180
+ do_new_mount+0x1b0/0x2e0
+ path_mount+0x6ee/0x740
+ do_mount+0x98/0xe0
+ __do_sys_mount+0x148/0x180
+ do_syscall_64+0xa4/0x260
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+-> #0 (&tcp_ses->srv_lock){+.+.}-{3:3}:
+ check_noncircular+0x95/0xc0
+ check_prev_add+0x115/0x2f0
+ validate_chain+0x1cf/0x270
+ __lock_acquire+0x60e/0x780
+ lock_acquire.part.0+0xb4/0x1f0
+ _raw_spin_lock+0x2f/0x40
+ cifs_signal_cifsd_for_reconnect+0x134/0x200
+ __cifs_reconnect+0x8f/0x500
+ cifs_handle_standard+0x112/0x280
+ cifs_demultiplex_thread+0x64d/0xbc0
+ kthread+0x2f7/0x310
+ ret_from_fork+0x2a/0x230
+ ret_from_fork_asm+0x1a/0x30
+
+other info that might help us debug this:
+
+Chain exists of:
+ &tcp_ses->srv_lock --> &ret_buf->ses_lock --> &ret_buf->chan_lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&ret_buf->chan_lock);
+ lock(&ret_buf->ses_lock);
+ lock(&ret_buf->chan_lock);
+ lock(&tcp_ses->srv_lock);
+
+ *** DEADLOCK ***
+
+3 locks held by cifsd/6055:
+ #0: ffffffff857de398 (&cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200
+ #1: ffff888119c64060 (&ret_buf->ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200
+ #2: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200
+
+Cc: linux-cifs@vger.kernel.org
+Reported-by: David Howells <dhowells@redhat.com>
+Fixes: d7d7a66aacd6 ("cifs: avoid use of global locks for high contention data")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Tested-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsglob.h | 1 +
+ fs/smb/client/connect.c | 58 +++++++++++++++++++++++++---------------
+ 2 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
+index 214e53acf72a8..56381cbb63990 100644
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -709,6 +709,7 @@ inc_rfc1001_len(void *buf, int count)
+ struct TCP_Server_Info {
+ struct list_head tcp_ses_list;
+ struct list_head smb_ses_list;
++ struct list_head rlist; /* reconnect list */
+ spinlock_t srv_lock; /* protect anything here that is not protected */
+ __u64 conn_id; /* connection identifier (useful for debugging) */
+ int srv_count; /* reference counter */
+diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
+index f9aef60f1901a..e92c7b71626fd 100644
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -124,6 +124,14 @@ static void smb2_query_server_interfaces(struct work_struct *work)
+ (SMB_INTERFACE_POLL_INTERVAL * HZ));
+ }
+
++#define set_need_reco(server) \
++do { \
++ spin_lock(&server->srv_lock); \
++ if (server->tcpStatus != CifsExiting) \
++ server->tcpStatus = CifsNeedReconnect; \
++ spin_unlock(&server->srv_lock); \
++} while (0)
++
+ /*
+ * Update the tcpStatus for the server.
+ * This is used to signal the cifsd thread to call cifs_reconnect
+@@ -137,39 +145,45 @@ void
+ cifs_signal_cifsd_for_reconnect(struct TCP_Server_Info *server,
+ bool all_channels)
+ {
+- struct TCP_Server_Info *pserver;
++ struct TCP_Server_Info *nserver;
+ struct cifs_ses *ses;
++ LIST_HEAD(reco);
+ int i;
+
+- /* If server is a channel, select the primary channel */
+- pserver = SERVER_IS_CHAN(server) ? server->primary_server : server;
+-
+ /* if we need to signal just this channel */
+ if (!all_channels) {
+- spin_lock(&server->srv_lock);
+- if (server->tcpStatus != CifsExiting)
+- server->tcpStatus = CifsNeedReconnect;
+- spin_unlock(&server->srv_lock);
++ set_need_reco(server);
+ return;
+ }
+
+- spin_lock(&cifs_tcp_ses_lock);
+- list_for_each_entry(ses, &pserver->smb_ses_list, smb_ses_list) {
+- if (cifs_ses_exiting(ses))
+- continue;
+- spin_lock(&ses->chan_lock);
+- for (i = 0; i < ses->chan_count; i++) {
+- if (!ses->chans[i].server)
++ if (SERVER_IS_CHAN(server))
++ server = server->primary_server;
++ scoped_guard(spinlock, &cifs_tcp_ses_lock) {
++ set_need_reco(server);
++ list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
++ spin_lock(&ses->ses_lock);
++ if (ses->ses_status == SES_EXITING) {
++ spin_unlock(&ses->ses_lock);
+ continue;
+-
+- spin_lock(&ses->chans[i].server->srv_lock);
+- if (ses->chans[i].server->tcpStatus != CifsExiting)
+- ses->chans[i].server->tcpStatus = CifsNeedReconnect;
+- spin_unlock(&ses->chans[i].server->srv_lock);
++ }
++ spin_lock(&ses->chan_lock);
++ for (i = 1; i < ses->chan_count; i++) {
++ nserver = ses->chans[i].server;
++ if (!nserver)
++ continue;
++ nserver->srv_count++;
++ list_add(&nserver->rlist, &reco);
++ }
++ spin_unlock(&ses->chan_lock);
++ spin_unlock(&ses->ses_lock);
+ }
+- spin_unlock(&ses->chan_lock);
+ }
+- spin_unlock(&cifs_tcp_ses_lock);
++
++ list_for_each_entry_safe(server, nserver, &reco, rlist) {
++ list_del_init(&server->rlist);
++ set_need_reco(server);
++ cifs_put_tcp_session(server, 0);
++ }
+ }
+
+ /*
+--
+2.39.5
+
diff --git a/queue-6.15/um-ubd-add-missing-error-check-in-start_io_thread.patch b/queue-6.15/um-ubd-add-missing-error-check-in-start_io_thread.patch
new file mode 100644
index 0000000000..7e52d94a35
--- /dev/null
+++ b/queue-6.15/um-ubd-add-missing-error-check-in-start_io_thread.patch
@@ -0,0 +1,37 @@
+From 78478e33b3dd16897414d58df23f3f38404f55a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 20:44:25 +0800
+Subject: um: ubd: Add missing error check in start_io_thread()
+
+From: Tiwei Bie <tiwei.btw@antgroup.com>
+
+[ Upstream commit c55c7a85e02a7bfee20a3ffebdff7cbeb41613ef ]
+
+The subsequent call to os_set_fd_block() overwrites the previous
+return value. OR the two return values together to fix it.
+
+Fixes: f88f0bdfc32f ("um: UBD Improvements")
+Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
+Link: https://patch.msgid.link/20250606124428.148164-2-tiwei.btw@antgroup.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/ubd_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/ubd_user.c b/arch/um/drivers/ubd_user.c
+index c5e6545f6fcf6..8e8a8bf518b63 100644
+--- a/arch/um/drivers/ubd_user.c
++++ b/arch/um/drivers/ubd_user.c
+@@ -41,7 +41,7 @@ int start_io_thread(struct os_helper_thread **td_out, int *fd_out)
+ *fd_out = fds[1];
+
+ err = os_set_fd_block(*fd_out, 0);
+- err = os_set_fd_block(kernel_fd, 0);
++ err |= os_set_fd_block(kernel_fd, 0);
+ if (err) {
+ printk("start_io_thread - failed to set nonblocking I/O.\n");
+ goto out_close;
+--
+2.39.5
+
diff --git a/queue-6.15/userns-and-mnt_idmap-leak-in-open_tree_attr-2.patch b/queue-6.15/userns-and-mnt_idmap-leak-in-open_tree_attr-2.patch
new file mode 100644
index 0000000000..b6071d48f9
--- /dev/null
+++ b/queue-6.15/userns-and-mnt_idmap-leak-in-open_tree_attr-2.patch
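Review bot: `nserver->rlist` is a single list node per `TCP_Server_Info`, and `cifs_signal_cifsd_for_reconnect` links it onto the on-stack `reco` list under `cifs_tcp_ses_lock` but walks that list only after the guard is released. If two callers can run the all-channels path for the same primary server at the same time, or the same channel server can be reached from more than one `ses`, the node would be added to a second list while still on the first; nothing in the hunk rules that out, so the serialisation should be confirmed and stated on the field, e.g. `struct list_head rlist; /* reconnect list; protected by (lock to be confirmed) */`. Separately, `set_need_reco()` expands its unparenthesised argument several times; a `static inline void set_need_reco(struct TCP_Server_Info *server)` would be type-checked and avoid that. The function's doc comment starts outside the hunk.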
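Review bot: `err |= os_set_fd_block(kernel_fd, 0);` combines two return codes bitwise, so when both calls fail `err` is no longer either call's error value. That is harmless only if `err` serves as a plain failure flag after `goto out_close`, which is outside the hunk; if it is returned to the caller, checking the calls in turn keeps a real code: `err = os_set_fd_block(*fd_out, 0);` followed by `if (!err) err = os_set_fd_block(kernel_fd, 0);`. `start_io_thread` starts and ends outside the hunk.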
@@ -0,0 +1,51 @@
+From bbba35622c8f14960c6c49d5bc17d224cc06fce4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 10:25:04 -0400
+Subject: userns and mnt_idmap leak in open_tree_attr(2)
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 0748e553df0225754c316a92af3a77fdc057b358 ]
+
+Once want_mount_setattr() has returned a positive, it does require
+finish_mount_kattr() to release ->mnt_userns. Failing do_mount_setattr()
+does not change that.
+
+As the result, we can end up leaking userns and possibly mnt_idmap as
+well.
+
+Fixes: c4a16820d901 ("fs: add open_tree_attr()")
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 24b087ba88159..dfb72f827d4a7 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -5307,16 +5307,12 @@ SYSCALL_DEFINE5(open_tree_attr, int, dfd, const char __user *, filename,
+ kattr.kflags |= MOUNT_KATTR_RECURSE;
+
+ ret = wants_mount_setattr(uattr, usize, &kattr);
+- if (ret < 0)
+- return ret;
+-
+- if (ret) {
++ if (ret > 0) {
+ ret = do_mount_setattr(&file->f_path, &kattr);
+- if (ret)
+- return ret;
+-
+ finish_mount_kattr(&kattr);
+ }
++ if (ret)
++ return ret;
+ }
+
+ fd = get_unused_fd_flags(flags & O_CLOEXEC);
+--
+2.39.5
+
diff --git a/queue-6.15/vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch b/queue-6.15/vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch
new file mode 100644
index 0000000000..cecc6c05a2
--- /dev/null
+++ b/queue-6.15/vsock-uapi-fix-linux-vm_sockets.h-userspace-compilat.patch
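Review bot: The single `if (ret) return ret;` after the `if (ret > 0)` block in open_tree_attr now covers two different failures, a negative return from wants_mount_setattr() and a failing do_mount_setattr(), and nothing in the code says why finish_mount_kattr() has to run before it. A short comment above the call would keep a later cleanup from reintroducing the early return that leaked: `/* wants_mount_setattr() > 0 means kattr holds ->mnt_userns; release it even if do_mount_setattr() failed */`. The syscall body starts and ends outside the hunk, so whether the other exit paths release everything cannot be checked from here.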
@@ -0,0 +1,54 @@
+From 87b4ff012624d4f8a26c9cd79363f0219d659835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 12:00:53 +0200
+Subject: vsock/uapi: fix linux/vm_sockets.h userspace compilation errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 22bbc1dcd0d6785fb390c41f0dd5b5e218d23bdd ]
+
+If a userspace application just include <linux/vm_sockets.h> will fail
+to build with the following errors:
+
+ /usr/include/linux/vm_sockets.h:182:39: error: invalid application of ‘sizeof’ to incomplete type ‘struct sockaddr’
+ 182 | unsigned char svm_zero[sizeof(struct sockaddr) -
+ | ^~~~~~
+ /usr/include/linux/vm_sockets.h:183:39: error: ‘sa_family_t’ undeclared here (not in a function)
+ 183 | sizeof(sa_family_t) -
+ |
+
+Include <sys/socket.h> for userspace (guarded by ifndef __KERNEL__)
+where `struct sockaddr` and `sa_family_t` are defined.
+We already do something similar in <linux/mptcp.h> and <linux/if.h>.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reported-by: Daan De Meyer <daan.j.demeyer@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20250623100053.40979-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/vm_sockets.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/uapi/linux/vm_sockets.h b/include/uapi/linux/vm_sockets.h
+index ed07181d4eff9..e05280e415228 100644
+--- a/include/uapi/linux/vm_sockets.h
++++ b/include/uapi/linux/vm_sockets.h
+@@ -17,6 +17,10 @@
+ #ifndef _UAPI_VM_SOCKETS_H
+ #define _UAPI_VM_SOCKETS_H
+
++#ifndef __KERNEL__
++#include <sys/socket.h> /* for struct sockaddr and sa_family_t */
++#endif
++
+ #include <linux/socket.h>
+ #include <linux/types.h>
+
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-mac80211-add-link-iteration-macro-for-link-data.patch b/queue-6.15/wifi-mac80211-add-link-iteration-macro-for-link-data.patch
new file mode 100644
index 0000000000..4c5e862d22
--- /dev/null
+++ b/queue-6.15/wifi-mac80211-add-link-iteration-macro-for-link-data.patch
@@ -0,0 +1,48 @@
+From 80ba590d48cb25e0d210602dbd90cddb28a4c327 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 14:31:23 -0700
+Subject: wifi: mac80211: Add link iteration macro for link data
+
+From: Muna Sinada <muna.sinada@oss.qualcomm.com>
+
+[ Upstream commit f61c7b3d442bef91dd432d468d08f72eadcc3209 ]
+
+Currently before iterating through valid links we are utilizing
+open-coding when checking if vif valid_links is a non-zero value.
+
+Add new macro, for_each_link_data(), which iterates through link_id
+and checks if it is set on vif valid_links. If it is a valid link then
+access link data for that link id.
+
+Signed-off-by: Muna Sinada <muna.sinada@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250325213125.1509362-2-muna.sinada@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: d87c3ca0f8f1 ("wifi: mac80211: finish link init before RCU publish")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index fb05f3cd37ec4..c956072e0d77e 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1226,6 +1226,15 @@ struct ieee80211_sub_if_data *vif_to_sdata(struct ieee80211_vif *p)
+ if ((_link = wiphy_dereference((_local)->hw.wiphy, \
+ ___sdata->link[___link_id])))
+
++#define for_each_link_data(sdata, __link) \
++ struct ieee80211_sub_if_data *__sdata = sdata; \
++ for (int __link_id = 0; \
++ __link_id < ARRAY_SIZE((__sdata)->link); __link_id++) \
++ if ((!(__sdata)->vif.valid_links || \
++ (__sdata)->vif.valid_links & BIT(__link_id)) && \
++ ((__link) = sdata_dereference((__sdata)->link[__link_id], \
++ (__sdata))))
++
+ static inline int
+ ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems,
+ struct cfg80211_rnr_elems *rnr_elems,
+--
+2.39.5
+
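Review bot: `for_each_link_data()` in ieee80211_i.h expands to a declaration (`struct ieee80211_sub_if_data *__sdata = sdata;`) followed by a `for`, so it is two statements rather than one. It cannot be the body of an unbraced `if` or loop, a second use in the same scope redeclares `__sdata`, and the trailing `if` without `else` will capture an `else` that follows the loop. The `sdata` argument is also not parenthesised, and `int __link_id` is compared with the unsigned result of `ARRAY_SIZE()`. Either say in a comment above the macro that it may be used once per block and only with braces, or wrap the declaration in an outer one-shot `for` so the expansion is a single statement.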
diff --git a/queue-6.15/wifi-mac80211-create-separate-links-for-vlan-interfa.patch b/queue-6.15/wifi-mac80211-create-separate-links-for-vlan-interfa.patch
new file mode 100644
index 0000000000..cb24d3ba27
--- /dev/null
+++ b/queue-6.15/wifi-mac80211-create-separate-links-for-vlan-interfa.patch
@@ -0,0 +1,228 @@ +From 4f59b4f3ccda7e94c8b74485b11440207e90bc2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 25 Mar 2025 14:31:24 -0700 +Subject: wifi: mac80211: Create separate links for VLAN interfaces + +From: Muna Sinada <muna.sinada@oss.qualcomm.com> + +[ Upstream commit 90233b0ad215efc9ea56a7c0b09021bcd4eea4ac ] + +Currently, MLD links for an AP_VLAN interface type is not fully +supported. + +Add allocation of separate links for each VLAN interface and copy +chanctx and chandef of AP bss to VLAN where necessary. Separate +links are created because for Dynamic VLAN each link will have its own +default_multicast_key. + +Signed-off-by: Muna Sinada <muna.sinada@oss.qualcomm.com> +Link: https://patch.msgid.link/20250325213125.1509362-3-muna.sinada@oss.qualcomm.com +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Stable-dep-of: d87c3ca0f8f1 ("wifi: mac80211: finish link init before RCU publish") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/mac80211/chan.c | 3 ++ + net/mac80211/ieee80211_i.h | 3 ++ + net/mac80211/iface.c | 12 ++++- + net/mac80211/link.c | 90 ++++++++++++++++++++++++++++++++++++-- + 4 files changed, 103 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c +index c3bfac58151f6..3aaf5abf1acc1 100644 +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -2131,6 +2131,9 @@ void ieee80211_link_release_channel(struct ieee80211_link_data *link) + { + struct ieee80211_sub_if_data *sdata = link->sdata; + ++ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) ++ return; ++ + lockdep_assert_wiphy(sdata->local->hw.wiphy); + + if (rcu_access_pointer(link->conf->chanctx_conf)) +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index c956072e0d77e..e0b44dbebe001 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -2087,6 +2087,9 @@ static inline void ieee80211_vif_clear_links(struct ieee80211_sub_if_data *sdata + 
ieee80211_vif_set_links(sdata, 0, 0); + } + ++void ieee80211_apvlan_link_setup(struct ieee80211_sub_if_data *sdata); ++void ieee80211_apvlan_link_clear(struct ieee80211_sub_if_data *sdata); ++ + /* tx handling */ + void ieee80211_clear_tx_pending(struct ieee80211_local *local); + void ieee80211_tx_pending(struct tasklet_struct *t); +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 969b3e2c496af..7d93e5aa595b2 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -485,6 +485,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do + case NL80211_IFTYPE_MONITOR: + list_del_rcu(&sdata->u.mntr.list); + break; ++ case NL80211_IFTYPE_AP_VLAN: ++ ieee80211_apvlan_link_clear(sdata); ++ break; + default: + break; + } +@@ -1268,6 +1271,8 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up) + sdata->crypto_tx_tailroom_needed_cnt += + master->crypto_tx_tailroom_needed_cnt; + ++ ieee80211_apvlan_link_setup(sdata); ++ + break; + } + case NL80211_IFTYPE_AP: +@@ -1324,7 +1329,12 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up) + case NL80211_IFTYPE_AP_VLAN: + /* no need to tell driver, but set carrier and chanctx */ + if (sdata->bss->active) { +- ieee80211_link_vlan_copy_chanctx(&sdata->deflink); ++ struct ieee80211_link_data *link; ++ ++ for_each_link_data(sdata, link) { ++ ieee80211_link_vlan_copy_chanctx(link); ++ } ++ + netif_carrier_on(dev); + ieee80211_set_vif_encap_ops(sdata); + } else { +diff --git a/net/mac80211/link.c b/net/mac80211/link.c +index 58a76bcd6ae68..d40c2bd3b50b0 100644 +--- a/net/mac80211/link.c ++++ b/net/mac80211/link.c +@@ -12,6 +12,71 @@ + #include "key.h" + #include "debugfs_netdev.h" + ++static void ieee80211_update_apvlan_links(struct ieee80211_sub_if_data *sdata) ++{ ++ struct ieee80211_sub_if_data *vlan; ++ struct ieee80211_link_data *link; ++ u16 ap_bss_links = sdata->vif.valid_links; ++ u16 new_links, vlan_links; ++ unsigned long add; ++ ++ 
list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list) { ++ int link_id; ++ ++ if (!vlan) ++ continue; ++ ++ /* No support for 4addr with MLO yet */ ++ if (vlan->wdev.use_4addr) ++ return; ++ ++ vlan_links = vlan->vif.valid_links; ++ ++ new_links = ap_bss_links; ++ ++ add = new_links & ~vlan_links; ++ if (!add) ++ continue; ++ ++ ieee80211_vif_set_links(vlan, add, 0); ++ ++ for_each_set_bit(link_id, &add, IEEE80211_MLD_MAX_NUM_LINKS) { ++ link = sdata_dereference(vlan->link[link_id], vlan); ++ ieee80211_link_vlan_copy_chanctx(link); ++ } ++ } ++} ++ ++void ieee80211_apvlan_link_setup(struct ieee80211_sub_if_data *sdata) ++{ ++ struct ieee80211_sub_if_data *ap_bss = container_of(sdata->bss, ++ struct ieee80211_sub_if_data, u.ap); ++ u16 new_links = ap_bss->vif.valid_links; ++ unsigned long add; ++ int link_id; ++ ++ if (!ap_bss->vif.valid_links) ++ return; ++ ++ add = new_links; ++ for_each_set_bit(link_id, &add, IEEE80211_MLD_MAX_NUM_LINKS) { ++ sdata->wdev.valid_links |= BIT(link_id); ++ ether_addr_copy(sdata->wdev.links[link_id].addr, ++ ap_bss->wdev.links[link_id].addr); ++ } ++ ++ ieee80211_vif_set_links(sdata, new_links, 0); ++} ++ ++void ieee80211_apvlan_link_clear(struct ieee80211_sub_if_data *sdata) ++{ ++ if (!sdata->wdev.valid_links) ++ return; ++ ++ sdata->wdev.valid_links = 0; ++ ieee80211_vif_clear_links(sdata); ++} ++ + void ieee80211_link_setup(struct ieee80211_link_data *link) + { + if (link->sdata->vif.type == NL80211_IFTYPE_STATION) +@@ -31,6 +96,17 @@ void ieee80211_link_init(struct ieee80211_sub_if_data *sdata, + rcu_assign_pointer(sdata->vif.link_conf[link_id], link_conf); + rcu_assign_pointer(sdata->link[link_id], link); + ++ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) { ++ struct ieee80211_sub_if_data *ap_bss; ++ struct ieee80211_bss_conf *ap_bss_conf; ++ ++ ap_bss = container_of(sdata->bss, ++ struct ieee80211_sub_if_data, u.ap); ++ ap_bss_conf = sdata_dereference(ap_bss->vif.link_conf[link_id], ++ ap_bss); ++ memcpy(link_conf, 
ap_bss_conf, sizeof(*link_conf)); ++ } ++ + link->sdata = sdata; + link->link_id = link_id; + link->conf = link_conf; +@@ -54,6 +130,7 @@ void ieee80211_link_init(struct ieee80211_sub_if_data *sdata, + if (!deflink) { + switch (sdata->vif.type) { + case NL80211_IFTYPE_AP: ++ case NL80211_IFTYPE_AP_VLAN: + ether_addr_copy(link_conf->addr, + sdata->wdev.links[link_id].addr); + link_conf->bssid = link_conf->addr; +@@ -177,6 +254,7 @@ static void ieee80211_set_vif_links_bitmaps(struct ieee80211_sub_if_data *sdata, + + switch (sdata->vif.type) { + case NL80211_IFTYPE_AP: ++ case NL80211_IFTYPE_AP_VLAN: + /* in an AP all links are always active */ + sdata->vif.active_links = valid_links; + +@@ -278,12 +356,16 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata, + ieee80211_set_vif_links_bitmaps(sdata, new_links, dormant_links); + + /* tell the driver */ +- ret = drv_change_vif_links(sdata->local, sdata, +- old_links & old_active, +- new_links & sdata->vif.active_links, +- old); ++ if (sdata->vif.type != NL80211_IFTYPE_AP_VLAN) ++ ret = drv_change_vif_links(sdata->local, sdata, ++ old_links & old_active, ++ new_links & sdata->vif.active_links, ++ old); + if (!new_links) + ieee80211_debugfs_recreate_netdev(sdata, false); ++ ++ if (sdata->vif.type == NL80211_IFTYPE_AP) ++ ieee80211_update_apvlan_links(sdata); + } + + if (ret) { +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-finish-link-init-before-rcu-publish.patch b/queue-6.15/wifi-mac80211-finish-link-init-before-rcu-publish.patch new file mode 100644 index 0000000000..33d6a8cfd6 --- /dev/null +++ b/queue-6.15/wifi-mac80211-finish-link-init-before-rcu-publish.patch 
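Review bot: Two lookups added in link.c are used without a NULL check. In ieee80211_update_apvlan_links() the result of `ieee80211_vif_set_links(vlan, add, 0)` is ignored and the pointer from `sdata_dereference(vlan->link[link_id], vlan)` goes straight into ieee80211_link_vlan_copy_chanctx(); in ieee80211_link_init() `ap_bss_conf` is handed to `memcpy()` without checking that the AP has a link_conf for that `link_id`. If either can be NULL (a failed link allocation, or a VLAN link id the AP does not have; the callers are outside the hunk) this is a kernel NULL dereference, so guards such as `if (WARN_ON(!link)) continue;` and `if (ap_bss_conf) memcpy(link_conf, ap_bss_conf, sizeof(*link_conf));` would be safer. In the same loop, `if (!vlan) continue;` can never fire inside list_for_each_entry(), and the `return` on `use_4addr` skips all remaining VLANs where `continue` may have been meant.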
@@ -0,0 +1,48 @@
+From 1d9273975c880aea9cfe6c02a5c22816ee23180c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 13:07:49 +0200
+Subject: wifi: mac80211: finish link init before RCU publish
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d87c3ca0f8f1ca4c25f2ed819e954952f4d8d709 ]
+
+Since the link/conf pointers can be accessed without any
+protection other than RCU, make sure the data is actually
+set up before publishing the structures.
+
+Fixes: b2e8434f1829 ("wifi: mac80211: set up/tear down client vif links properly")
+Link: https://patch.msgid.link/20250624130749.9a308b713c74.I4a80f5eead112a38730939ea591d2e275c721256@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/link.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/link.c b/net/mac80211/link.c
+index d40c2bd3b50b0..4f7b7d0f64f24 100644
+--- a/net/mac80211/link.c
++++ b/net/mac80211/link.c
+@@ -93,9 +93,6 @@ void ieee80211_link_init(struct ieee80211_sub_if_data *sdata,
+ if (link_id < 0)
+ link_id = 0;
+
+- rcu_assign_pointer(sdata->vif.link_conf[link_id], link_conf);
+- rcu_assign_pointer(sdata->link[link_id], link);
+-
+ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
+ struct ieee80211_sub_if_data *ap_bss;
+ struct ieee80211_bss_conf *ap_bss_conf;
+@@ -145,6 +142,9 @@ void ieee80211_link_init(struct ieee80211_sub_if_data *sdata,
+
+ ieee80211_link_debugfs_add(link);
+ }
++
++ rcu_assign_pointer(sdata->vif.link_conf[link_id], link_conf);
++ rcu_assign_pointer(sdata->link[link_id], link);
+ }
+
+ void ieee80211_link_stop(struct ieee80211_link_data *link)
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-mac80211-fix-beacon-interval-calculation-overfl.patch b/queue-6.15/wifi-mac80211-fix-beacon-interval-calculation-overfl.patch
new file mode 100644
index 0000000000..2ec8f5881d
--- /dev/null
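Review bot: The two `rcu_assign_pointer()` calls now at the end of ieee80211_link_init() carry no comment saying they must stay last, so initialisation added below them later would again be visible to RCU readers half-done. A comment above them would record the rule: `/* publish last: readers hold only RCU, so link and link_conf must be fully set up here */`. It is also worth confirming that nothing between the old and the new position, `ieee80211_link_debugfs_add(link)` for instance, looks the link up through `sdata->link[link_id]`, since that would now see NULL; the middle of the function is outside both hunks.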
+++ b/queue-6.15/wifi-mac80211-fix-beacon-interval-calculation-overfl.patch
@@ -0,0 +1,38 @@
+From 459b7176bd0242af009d26b982b5ee70b9dd1170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 22:32:09 +1000
+Subject: wifi: mac80211: fix beacon interval calculation overflow
+
+From: Lachlan Hodges <lachlan.hodges@morsemicro.com>
+
+[ Upstream commit 7a3750ff0f2e8fee338a9c168f429f6c37f0e820 ]
+
+As we are converting from TU to usecs, a beacon interval of
+100*1024 usecs will lead to integer wrapping. To fix change
+to use a u32.
+
+Fixes: 057d5f4ba1e4 ("mac80211: sync dtim_count to TSF")
+Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
+Link: https://patch.msgid.link/20250621123209.511796-1-lachlan.hodges@morsemicro.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index dec6e16b8c7d2..82256eddd16bd 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -3899,7 +3899,7 @@ void ieee80211_recalc_dtim(struct ieee80211_local *local,
+ {
+ u64 tsf = drv_get_tsf(local, sdata);
+ u64 dtim_count = 0;
+- u16 beacon_int = sdata->vif.bss_conf.beacon_int * 1024;
++ u32 beacon_int = sdata->vif.bss_conf.beacon_int * 1024;
+ u8 dtim_period = sdata->vif.bss_conf.dtim_period;
+ struct ps_data *ps;
+ u8 bcns_from_dtim;
+--
+2.39.5
+ |