19 files changed, 1452 insertions, 0 deletions
diff --git a/queue-6.1/bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch b/queue-6.1/bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch
new file mode 100644
index 0000000000..bb109c4ebe
--- /dev/null
+++ b/queue-6.1/bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch
@@ -0,0 +1,226 @@
+From 042bb9603c44620dce98717a2d23235ca57a00d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis@collabora.com>
+Date: Thu, 12 Jun 2025 09:50:34 +0200
+Subject: Bluetooth: L2CAP: Fix L2CAP MTU negotiation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Danis <frederic.danis@collabora.com>
+
+commit 042bb9603c44620dce98717a2d23235ca57a00d7 upstream.
+
+OBEX download from iPhone is currently slow due to small packet size
+used to transfer data which doesn't follow the MTU negotiated during
+L2CAP connection, i.e. 672 bytes instead of 32767:
+
+ < ACL Data TX: Handle 11 flags 0x00 dlen 12
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 4103 (0x1007)
+ Source CID: 72
+ > ACL Data RX: Handle 11 flags 0x02 dlen 16
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 14608
+ Source CID: 72
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+ < ACL Data TX: Handle 11 flags 0x00 dlen 27
+ L2CAP: Configure Request (0x04) ident 20 len 19
+ Destination CID: 14608
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 63
+ Max transmit: 3
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ > ACL Data RX: Handle 11 flags 0x02 dlen 26
+ L2CAP: Configure Request (0x04) ident 72 len 18
+ Destination CID: 72
+ Flags: 0x0000
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 32
+ Max transmit: 255
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 65527
+ Option: Frame Check Sequence (0x05) [mandatory]
+ FCS: 16-bit FCS (0x01)
+ < ACL Data TX: Handle 11 flags 0x00 dlen 29
+ L2CAP: Configure Response (0x05) ident 72 len 21
+ Source CID: 14608
+ Flags: 0x0000
+ Result: Success (0x0000)
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 672
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 32
+ Max transmit: 255
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ > ACL Data RX: Handle 11 flags 0x02 dlen 32
+ L2CAP: Configure Response (0x05) ident 20 len 24
+ Source CID: 72
+ Flags: 0x0000
+ Result: Success (0x0000)
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 63
+ Max transmit: 3
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ Option: Frame Check Sequence (0x05) [mandatory]
+ FCS: 16-bit FCS (0x01)
+ ...
+ > ACL Data RX: Handle 11 flags 0x02 dlen 680
+ Channel: 72 len 676 ctrl 0x0202 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Unsegmented TxSeq 1 ReqSeq 2
+ < ACL Data TX: Handle 11 flags 0x00 dlen 13
+ Channel: 14608 len 9 ctrl 0x0204 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Unsegmented TxSeq 2 ReqSeq 2
+ > ACL Data RX: Handle 11 flags 0x02 dlen 680
+ Channel: 72 len 676 ctrl 0x0304 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Unsegmented TxSeq 2 ReqSeq 3
+
+The MTUs are negotiated for each direction. In this traces 32767 for
+iPhone->localhost and no MTU for localhost->iPhone, which based on
+'4.4 L2CAP_CONFIGURATION_REQ' (Core specification v5.4, Vol. 3, Part
+A):
+
+ The only parameters that should be included in the
+ L2CAP_CONFIGURATION_REQ packet are those that require different
+ values than the default or previously agreed values.
+ ...
+ Any missing configuration parameters are assumed to have their
+ most recently explicitly or implicitly accepted values.
+
+and '5.1 Maximum transmission unit (MTU)':
+
+ If the remote device sends a positive L2CAP_CONFIGURATION_RSP
+ packet it should include the actual MTU to be used on this channel
+ for traffic flowing into the local device.
+ ...
+ The default value is 672 octets.
+
+is set by BlueZ to 672 bytes.
+
+It seems that the iPhone used the lowest negotiated value to transfer
+data to the localhost instead of the negotiated one for the incoming
+direction.
+
+This could be fixed by using the MTU negotiated for the other
+direction, if exists, in the L2CAP_CONFIGURATION_RSP.
+This allows to use segmented packets as in the following traces:
+
+ < ACL Data TX: Handle 11 flags 0x00 dlen 12
+ L2CAP: Connection Request (0x02) ident 22 len 4
+ PSM: 4103 (0x1007)
+ Source CID: 72
+ < ACL Data TX: Handle 11 flags 0x00 dlen 27
+ L2CAP: Configure Request (0x04) ident 24 len 19
+ Destination CID: 2832
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 63
+ Max transmit: 3
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ > ACL Data RX: Handle 11 flags 0x02 dlen 26
+ L2CAP: Configure Request (0x04) ident 15 len 18
+ Destination CID: 72
+ Flags: 0x0000
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 32
+ Max transmit: 255
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 65527
+ Option: Frame Check Sequence (0x05) [mandatory]
+ FCS: 16-bit FCS (0x01)
+ < ACL Data TX: Handle 11 flags 0x00 dlen 29
+ L2CAP: Configure Response (0x05) ident 15 len 21
+ Source CID: 2832
+ Flags: 0x0000
+ Result: Success (0x0000)
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 32
+ Max transmit: 255
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ > ACL Data RX: Handle 11 flags 0x02 dlen 32
+ L2CAP: Configure Response (0x05) ident 24 len 24
+ Source CID: 72
+ Flags: 0x0000
+ Result: Success (0x0000)
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 63
+ Max transmit: 3
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ Option: Frame Check Sequence (0x05) [mandatory]
+ FCS: 16-bit FCS (0x01)
+ ...
+ > ACL Data RX: Handle 11 flags 0x02 dlen 1009
+ Channel: 72 len 1005 ctrl 0x4202 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Start (len 21884) TxSeq 1 ReqSeq 2
+ > ACL Data RX: Handle 11 flags 0x02 dlen 1009
+ Channel: 72 len 1005 ctrl 0xc204 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Continuation TxSeq 2 ReqSeq 2
+
+This has been tested with kernel 5.4 and BlueZ 5.77.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3600,7 +3600,7 @@ static int l2cap_parse_conf_req(struct l
+ struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+ struct l2cap_conf_efs efs;
+ u8 remote_efs = 0;
+- u16 mtu = L2CAP_DEFAULT_MTU;
++ u16 mtu = 0;
+ u16 result = L2CAP_CONF_SUCCESS;
+ u16 size;
+
+@@ -3711,6 +3711,13 @@ done:
+ /* Configure output options and let the other side know
+ * which ones we don't like. */
+
++ /* If MTU is not provided in configure request, use the most recently
++ * explicitly or implicitly accepted value for the other direction,
++ * or the default value.
++ */
++ if (mtu == 0)
++ mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU;
++
+ if (mtu < L2CAP_DEFAULT_MIN_MTU)
+ result = L2CAP_CONF_UNACCEPT;
+ else {
diff --git a/queue-6.1/btrfs-fix-a-race-between-renames-and-directory-logging.patch b/queue-6.1/btrfs-fix-a-race-between-renames-and-directory-logging.patch
new file mode 100644
index 0000000000..8f1813fdb9
--- /dev/null
+++ b/queue-6.1/btrfs-fix-a-race-between-renames-and-directory-logging.patch
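Review bot: Using `mtu == 0` as the "no MTU option received" sentinel in the `done:` section of l2cap_parse_conf_req() (net/bluetooth/l2cap_core.c) makes a Configure Request that carries an explicit MTU of 0 indistinguishable from one that omits the option. With the old initial value, a peer-supplied 0 would have reached the `mtu < L2CAP_DEFAULT_MIN_MTU` check and been answered with L2CAP_CONF_UNACCEPT; now it is presumably accepted with `chan->imtu` or the default, assuming the option loop (outside this hunk) stores the peer's value in `mtu` unchanged. If that rejection should be kept, track presence separately, for example a `bool mtu_present = false;` set where the MTU option is parsed and tested here as `if (!mtu_present)`. The function body starts and ends outside the hunks shown.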
@@ -0,0 +1,246 @@
+From 3ca864de852bc91007b32d2a0d48993724f4abad Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 28 May 2025 12:28:27 +0100
+Subject: btrfs: fix a race between renames and directory logging
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 3ca864de852bc91007b32d2a0d48993724f4abad upstream.
+
+We have a race between a rename and directory inode logging that if it
+happens and we crash/power fail before the rename completes, the next time
+the filesystem is mounted, the log replay code will end up deleting the
+file that was being renamed.
+
+This is best explained following a step by step analysis of an interleaving
+of steps that lead into this situation.
+
+Consider the initial conditions:
+
+1) We are at transaction N;
+
+2) We have directories A and B created in a past transaction (< N);
+
+3) We have inode X corresponding to a file that has 2 hardlinks, one in
+ directory A and the other in directory B, so we'll name them as
+ "A/foo_link1" and "B/foo_link2". Both hard links were persisted in a
+ past transaction (< N);
+
+4) We have inode Y corresponding to a file that as a single hard link and
+ is located in directory A, we'll name it as "A/bar". This file was also
+ persisted in a past transaction (< N).
+
+The steps leading to a file loss are the following and for all of them we
+are under transaction N:
+
+ 1) Link "A/foo_link1" is removed, so inode's X last_unlink_trans field
+ is updated to N, through btrfs_unlink() -> btrfs_record_unlink_dir();
+
+ 2) Task A starts a rename for inode Y, with the goal of renaming from
+ "A/bar" to "A/baz", so we enter btrfs_rename();
+
+ 3) Task A inserts the new BTRFS_INODE_REF_KEY for inode Y by calling
+ btrfs_insert_inode_ref();
+
+ 4) Because the rename happens in the same directory, we don't set the
+ last_unlink_trans field of directoty A's inode to the current
+ transaction id, that is, we don't cal btrfs_record_unlink_dir();
+
+ 5) Task A then removes the entries from directory A (BTRFS_DIR_ITEM_KEY
+ and BTRFS_DIR_INDEX_KEY items) when calling __btrfs_unlink_inode()
+ (actually the dir index item is added as a delayed item, but the
+ effect is the same);
+
+ 6) Now before task A adds the new entry "A/baz" to directory A by
+ calling btrfs_add_link(), another task, task B is logging inode X;
+
+ 7) Task B starts a fsync of inode X and after logging inode X, at
+ btrfs_log_inode_parent() it calls btrfs_log_all_parents(), since
+ inode X has a last_unlink_trans value of N, set at in step 1;
+
+ 8) At btrfs_log_all_parents() we search for all parent directories of
+ inode X using the commit root, so we find directories A and B and log
+ them. Bu when logging direct A, we don't have a dir index item for
+ inode Y anymore, neither the old name "A/bar" nor for the new name
+ "A/baz" since the rename has deleted the old name but has not yet
+ inserted the new name - task A hasn't called yet btrfs_add_link() to
+ do that.
+
+ Note that logging directory A doesn't fallback to a transaction
+ commit because its last_unlink_trans has a lower value than the
+ current transaction's id (see step 4);
+
+ 9) Task B finishes logging directories A and B and gets back to
+ btrfs_sync_file() where it calls btrfs_sync_log() to persist the log
+ tree;
+
+10) Task B successfully persisted the log tree, btrfs_sync_log() completed
+ with success, and a power failure happened.
+
+ We have a log tree without any directory entry for inode Y, so the
+ log replay code deletes the entry for inode Y, name "A/bar", from the
+ subvolume tree since it doesn't exist in the log tree and the log
+ tree is authorative for its index (we logged a BTRFS_DIR_LOG_INDEX_KEY
+ item that covers the index range for the dentry that corresponds to
+ "A/bar").
+
+ Since there's no other hard link for inode Y and the log replay code
+ deletes the name "A/bar", the file is lost.
+
+The issue wouldn't happen if task B synced the log only after task A
+called btrfs_log_new_name(), which would update the log with the new name
+for inode Y ("A/bar").
+
+Fix this by pinning the log root during renames before removing the old
+directory entry, and unpinning after btrfs_log_new_name() is called.
+
+Fixes: 259c4b96d78d ("btrfs: stop doing unnecessary log updates during a rename")
+CC: stable@vger.kernel.org # 5.18+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 81 +++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 64 insertions(+), 17 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9181,6 +9181,7 @@ static int btrfs_rename_exchange(struct
+ int ret;
+ int ret2;
+ bool need_abort = false;
++ bool logs_pinned = false;
+ struct fscrypt_name old_fname, new_fname;
+ struct fscrypt_str *old_name, *new_name;
+
+@@ -9309,6 +9310,31 @@ static int btrfs_rename_exchange(struct
+ old_inode->i_ctime = ctime;
+ new_inode->i_ctime = ctime;
+
++ if (old_ino != BTRFS_FIRST_FREE_OBJECTID &&
++ new_ino != BTRFS_FIRST_FREE_OBJECTID) {
++ /*
++ * If we are renaming in the same directory (and it's not for
++ * root entries) pin the log early to prevent any concurrent
++ * task from logging the directory after we removed the old
++ * entries and before we add the new entries, otherwise that
++ * task can sync a log without any entry for the inodes we are
++ * renaming and therefore replaying that log, if a power failure
++ * happens after syncing the log, would result in deleting the
++ * inodes.
++ *
++ * If the rename affects two different directories, we want to
++ * make sure the that there's no log commit that contains
++ * updates for only one of the directories but not for the
++ * other.
++ *
++ * If we are renaming an entry for a root, we don't care about
++ * log updates since we called btrfs_set_log_full_commit().
++ */
++ btrfs_pin_log_trans(root);
++ btrfs_pin_log_trans(dest);
++ logs_pinned = true;
++ }
++
+ if (old_dentry->d_parent != new_dentry->d_parent) {
+ btrfs_record_unlink_dir(trans, BTRFS_I(old_dir),
+ BTRFS_I(old_inode), 1);
+@@ -9366,30 +9392,23 @@ static int btrfs_rename_exchange(struct
+ BTRFS_I(new_inode)->dir_index = new_idx;
+
+ /*
+- * Now pin the logs of the roots. We do it to ensure that no other task
+- * can sync the logs while we are in progress with the rename, because
+- * that could result in an inconsistency in case any of the inodes that
+- * are part of this rename operation were logged before.
++ * Do the log updates for all inodes.
++ *
++ * If either entry is for a root we don't need to update the logs since
++ * we've called btrfs_set_log_full_commit() before.
+ */
+- if (old_ino != BTRFS_FIRST_FREE_OBJECTID)
+- btrfs_pin_log_trans(root);
+- if (new_ino != BTRFS_FIRST_FREE_OBJECTID)
+- btrfs_pin_log_trans(dest);
+-
+- /* Do the log updates for all inodes. */
+- if (old_ino != BTRFS_FIRST_FREE_OBJECTID)
++ if (logs_pinned) {
+ btrfs_log_new_name(trans, old_dentry, BTRFS_I(old_dir),
+ old_rename_ctx.index, new_dentry->d_parent);
+- if (new_ino != BTRFS_FIRST_FREE_OBJECTID)
+ btrfs_log_new_name(trans, new_dentry, BTRFS_I(new_dir),
+ new_rename_ctx.index, old_dentry->d_parent);
++ }
+
+- /* Now unpin the logs. */
+- if (old_ino != BTRFS_FIRST_FREE_OBJECTID)
++out_fail:
++ if (logs_pinned) {
+ btrfs_end_log_trans(root);
+- if (new_ino != BTRFS_FIRST_FREE_OBJECTID)
+ btrfs_end_log_trans(dest);
+-out_fail:
++ }
+ ret2 = btrfs_end_transaction(trans);
+ ret = ret ? ret : ret2;
+ out_notrans:
+@@ -9439,6 +9458,7 @@ static int btrfs_rename(struct user_name
+ int ret2;
+ u64 old_ino = btrfs_ino(BTRFS_I(old_inode));
+ struct fscrypt_name old_fname, new_fname;
++ bool logs_pinned = false;
+
+ if (btrfs_ino(BTRFS_I(new_dir)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)
+ return -EPERM;
+@@ -9577,6 +9597,29 @@ static int btrfs_rename(struct user_name
+ new_dir->i_ctime = old_dir->i_mtime;
+ old_inode->i_ctime = old_dir->i_mtime;
+
++ if (old_ino != BTRFS_FIRST_FREE_OBJECTID) {
++ /*
++ * If we are renaming in the same directory (and it's not a
++ * root entry) pin the log to prevent any concurrent task from
++ * logging the directory after we removed the old entry and
++ * before we add the new entry, otherwise that task can sync
++ * a log without any entry for the inode we are renaming and
++ * therefore replaying that log, if a power failure happens
++ * after syncing the log, would result in deleting the inode.
++ *
++ * If the rename affects two different directories, we want to
++ * make sure the that there's no log commit that contains
++ * updates for only one of the directories but not for the
++ * other.
++ *
++ * If we are renaming an entry for a root, we don't care about
++ * log updates since we called btrfs_set_log_full_commit().
++ */
++ btrfs_pin_log_trans(root);
++ btrfs_pin_log_trans(dest);
++ logs_pinned = true;
++ }
++
+ if (old_dentry->d_parent != new_dentry->d_parent)
+ btrfs_record_unlink_dir(trans, BTRFS_I(old_dir),
+ BTRFS_I(old_inode), 1);
+@@ -9626,7 +9669,7 @@ static int btrfs_rename(struct user_name
+ if (old_inode->i_nlink == 1)
+ BTRFS_I(old_inode)->dir_index = index;
+
+- if (old_ino != BTRFS_FIRST_FREE_OBJECTID)
++ if (logs_pinned)
+ btrfs_log_new_name(trans, old_dentry, BTRFS_I(old_dir),
+ rename_ctx.index, new_dentry->d_parent);
+
+@@ -9642,6 +9685,10 @@ static int btrfs_rename(struct user_name
+ }
+ }
+ out_fail:
++ if (logs_pinned) {
++ btrfs_end_log_trans(root);
++ btrfs_end_log_trans(dest);
++ }
+ ret2 = btrfs_end_transaction(trans);
+ ret = ret ? ret : ret2;
+ out_notrans:
diff --git a/queue-6.1/btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch b/queue-6.1/btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch
new file mode 100644
index 0000000000..10b23da5e4
--- /dev/null
+++ b/queue-6.1/btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch
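Review bot: The comment block added before `btrfs_pin_log_trans(root)` in both btrfs_rename_exchange() and btrfs_rename() (fs/btrfs/inode.c) contains the typo "make sure the that there's no log commit"; it should read `make sure that there's no log commit that contains`. The block is repeated almost word for word in the two functions, so any later correction has to be made in both places. At the relocated `out_fail:` label it would help to state why the unpin is conditional, for example `/* Only unpin if we got as far as pinning both log roots. */`, since error paths that jump there before the pin presumably exist outside the hunks. Both functions start and end outside the hunks shown.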
@@ -0,0 +1,66 @@
+From ae4477f937569d097ca5dbce92a89ba384b49bc6 Mon Sep 17 00:00:00 2001
+From: Mark Harmstone <maharmstone@fb.com>
+Date: Thu, 29 May 2025 10:37:44 +0100
+Subject: btrfs: update superblock's device bytes_used when dropping chunk
+
+From: Mark Harmstone <maharmstone@fb.com>
+
+commit ae4477f937569d097ca5dbce92a89ba384b49bc6 upstream.
+
+Each superblock contains a copy of the device item for that device. In a
+transaction which drops a chunk but doesn't create any new ones, we were
+correctly updating the device item in the chunk tree but not copying
+over the new bytes_used value to the superblock.
+
+This can be seen by doing the following:
+
+ # dd if=/dev/zero of=test bs=4096 count=2621440
+ # mkfs.btrfs test
+ # mount test /root/temp
+
+ # cd /root/temp
+ # for i in {00..10}; do dd if=/dev/zero of=$i bs=4096 count=32768; done
+ # sync
+ # rm *
+ # sync
+ # btrfs balance start -dusage=0 .
+ # sync
+
+ # cd
+ # umount /root/temp
+ # btrfs check test
+
+For btrfs-check to detect this, you will also need my patch at
+https://github.com/kdave/btrfs-progs/pull/991.
+
+Change btrfs_remove_dev_extents() so that it adds the devices to the
+fs_info->post_commit_list if they're not there already. This causes
+btrfs_commit_device_sizes() to be called, which updates the bytes_used
+value in the superblock.
+
+Fixes: bbbf7243d62d ("btrfs: combine device update operations during transaction commit")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Mark Harmstone <maharmstone@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3203,6 +3203,12 @@ int btrfs_remove_chunk(struct btrfs_tran
+ device->bytes_used - dev_extent_len);
+ atomic64_add(dev_extent_len, &fs_info->free_chunk_space);
+ btrfs_clear_space_info_full(fs_info);
++
++ if (list_empty(&device->post_commit_list)) {
++ list_add_tail(&device->post_commit_list,
++ &trans->transaction->dev_update_list);
++ }
++
+ mutex_unlock(&fs_info->chunk_mutex);
+ }
+ }
diff --git a/queue-6.1/dm-raid-fix-variable-in-journal-device-check.patch b/queue-6.1/dm-raid-fix-variable-in-journal-device-check.patch
new file mode 100644
index 0000000000..4df02128ac
--- /dev/null
+++ b/queue-6.1/dm-raid-fix-variable-in-journal-device-check.patch
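Review bot: The changelog says the fix changes btrfs_remove_dev_extents(), but the hunk header shows that the code patched in this tree is btrfs_remove_chunk() in fs/btrfs/volumes.c, so the description does not match the backport. A short bracketed backport note above the sign-offs naming the function actually touched would keep the record accurate; the exact wording should be checked against the 6.1 source. The new block would also benefit from a one-line comment such as `/* Queue the device so the commit copies bytes_used into the superblock. */`, which is what the changelog says the list insertion achieves. The function body starts and ends outside the hunk.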
@@ -0,0 +1,31 @@
+From db53805156f1e0aa6d059c0d3f9ac660d4ef3eb4 Mon Sep 17 00:00:00 2001
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Tue, 10 Jun 2025 20:53:30 +0200
+Subject: dm-raid: fix variable in journal device check
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+commit db53805156f1e0aa6d059c0d3f9ac660d4ef3eb4 upstream.
+
+Replace "rdev" with correct loop variable name "r".
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 63c32ed4afc2 ("dm raid: add raid4/5/6 journaling support")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2381,7 +2381,7 @@ static int super_init_validation(struct
+ */
+ sb_retrieve_failed_devices(sb, failed_devices);
+ rdev_for_each(r, mddev) {
+- if (test_bit(Journal, &rdev->flags) ||
++ if (test_bit(Journal, &r->flags) ||
+ !r->sb_page)
+ continue;
+ sb2 = page_address(r->sb_page);
diff --git a/queue-6.1/drm-amdkfd-fix-race-in-gws-queue-scheduling.patch b/queue-6.1/drm-amdkfd-fix-race-in-gws-queue-scheduling.patch
new file mode 100644
index 0000000000..255ae8ab92
--- /dev/null
+++ b/queue-6.1/drm-amdkfd-fix-race-in-gws-queue-scheduling.patch
@@ -0,0 +1,37 @@
+From cfb05257ae168a0496c7637e1d9e3ab8a25cbffe Mon Sep 17 00:00:00 2001
+From: Jay Cornwall <jay.cornwall@amd.com>
+Date: Wed, 11 Jun 2025 09:52:14 -0500
+Subject: drm/amdkfd: Fix race in GWS queue scheduling
+
+From: Jay Cornwall <jay.cornwall@amd.com>
+
+commit cfb05257ae168a0496c7637e1d9e3ab8a25cbffe upstream.
+
+q->gws is not updated atomically with qpd->mapped_gws_queue. If a
+runlist is created between pqm_set_gws and update_queue it will
+contain a queue which uses GWS in a process with no GWS allocated.
+This will result in a scheduler hang.
+
+Use q->properties.is_gws which is changed while holding the DQM lock.
+
+Signed-off-by: Jay Cornwall <jay.cornwall@amd.com>
+Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit b98370220eb3110e82248e3354e16a489a492cfb)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c
+@@ -201,7 +201,7 @@ static int pm_map_queues_v9(struct packe
+
+ packet->bitfields2.engine_sel =
+ engine_sel__mes_map_queues__compute_vi;
+- packet->bitfields2.gws_control_queue = q->gws ? 1 : 0;
++ packet->bitfields2.gws_control_queue = q->properties.is_gws ? 1 : 0;
+ packet->bitfields2.extended_engine_sel =
+ extended_engine_sel__mes_map_queues__legacy_engine_sel;
+ packet->bitfields2.queue_type =
diff --git a/queue-6.1/drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch b/queue-6.1/drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch
new file mode 100644
index 0000000000..0f1de99d65
--- /dev/null
+++ b/queue-6.1/drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch
@@ -0,0 +1,55 @@
+From 61ee19dedb8d753249e20308782bf4e9e2fb7344 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>
+Date: Mon, 2 Jun 2025 10:22:16 -0300
+Subject: drm/etnaviv: Protect the scheduler's pending list with its lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+commit 61ee19dedb8d753249e20308782bf4e9e2fb7344 upstream.
+
+Commit 704d3d60fec4 ("drm/etnaviv: don't block scheduler when GPU is still
+active") ensured that active jobs are returned to the pending list when
+extending the timeout. However, it didn't use the pending list's lock to
+manipulate the list, which causes a race condition as the scheduler's
+workqueues are running.
+
+Hold the lock while manipulating the scheduler's pending list to prevent
+a race.
+
+Cc: stable@vger.kernel.org
+Fixes: 704d3d60fec4 ("drm/etnaviv: don't block scheduler when GPU is still active")
+Reported-by: Philipp Stanner <phasta@kernel.org>
+Closes: https://lore.kernel.org/dri-devel/964e59ba1539083ef29b06d3c78f5e2e9b138ab8.camel@mailbox.org/
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Philipp Stanner <phasta@kernel.org>
+Link: https://lore.kernel.org/r/20250602132240.93314-1-mcanal@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_sched.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_sched.c
+@@ -34,6 +34,7 @@ static enum drm_gpu_sched_stat etnaviv_s
+ *sched_job)
+ {
+ struct etnaviv_gem_submit *submit = to_etnaviv_submit(sched_job);
++ struct drm_gpu_scheduler *sched = sched_job->sched;
+ struct etnaviv_gpu *gpu = submit->gpu;
+ u32 dma_addr;
+ int change;
+@@ -75,7 +76,9 @@ static enum drm_gpu_sched_stat etnaviv_s
+ return DRM_GPU_SCHED_STAT_NOMINAL;
+
+ out_no_timeout:
+- list_add(&sched_job->list, &sched_job->sched->pending_list);
++ spin_lock(&sched->job_list_lock);
++ list_add(&sched_job->list, &sched->pending_list);
++ spin_unlock(&sched->job_list_lock);
+ return DRM_GPU_SCHED_STAT_NOMINAL;
+ }
+
diff --git a/queue-6.1/drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch b/queue-6.1/drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch
new file mode 100644
index 0000000000..78e1fe5ff6
--- /dev/null
+++ b/queue-6.1/drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch
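Review bot: The re-queue at `out_no_timeout:` in drivers/gpu/drm/etnaviv/etnaviv_sched.c now takes `sched->job_list_lock`, but nothing in the code records why a driver is editing the scheduler's `pending_list` directly or what the lock protects against. A comment above the `spin_lock()` such as `/* Put the job back on the pending list; the scheduler's workqueues may be walking it concurrently. */` would carry the reasoning from the changelog into the source, where the next person touching this path will see it. The function starts outside the second hunk, so the state of the job when it reaches this label is not visible here.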
@@ -0,0 +1,76 @@
+From b71717735be48d7743a34897e9e44a0b53e30c0e Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Tue, 29 Apr 2025 10:33:56 +0200
+Subject: drm/msm/gpu: Fix crash when throttling GPU immediately during boot
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit b71717735be48d7743a34897e9e44a0b53e30c0e upstream.
+
+There is a small chance that the GPU is already hot during boot. In that
+case, the call to of_devfreq_cooling_register() will immediately try to
+apply devfreq cooling, as seen in the following crash:
+
+ Unable to handle kernel paging request at virtual address 0000000000014110
+ pc : a6xx_gpu_busy+0x1c/0x58 [msm]
+ lr : msm_devfreq_get_dev_status+0xbc/0x140 [msm]
+ Call trace:
+ a6xx_gpu_busy+0x1c/0x58 [msm] (P)
+ devfreq_simple_ondemand_func+0x3c/0x150
+ devfreq_update_target+0x44/0xd8
+ qos_max_notifier_call+0x30/0x84
+ blocking_notifier_call_chain+0x6c/0xa0
+ pm_qos_update_target+0xd0/0x110
+ freq_qos_apply+0x3c/0x74
+ apply_constraint+0x88/0x148
+ __dev_pm_qos_update_request+0x7c/0xcc
+ dev_pm_qos_update_request+0x38/0x5c
+ devfreq_cooling_set_cur_state+0x98/0xf0
+ __thermal_cdev_update+0x64/0xb4
+ thermal_cdev_update+0x4c/0x58
+ step_wise_manage+0x1f0/0x318
+ __thermal_zone_device_update+0x278/0x424
+ __thermal_cooling_device_register+0x2bc/0x308
+ thermal_of_cooling_device_register+0x10/0x1c
+ of_devfreq_cooling_register_power+0x240/0x2bc
+ of_devfreq_cooling_register+0x14/0x20
+ msm_devfreq_init+0xc4/0x1a0 [msm]
+ msm_gpu_init+0x304/0x574 [msm]
+ adreno_gpu_init+0x1c4/0x2e0 [msm]
+ a6xx_gpu_init+0x5c8/0x9c8 [msm]
+ adreno_bind+0x2a8/0x33c [msm]
+ ...
+
+At this point we haven't initialized the GMU at all yet, so we cannot read
+the GMU registers inside a6xx_gpu_busy(). A similar issue was fixed before
+in commit 6694482a70e9 ("drm/msm: Avoid unclocked GMU register access in
+6xx gpu_busy"): msm_devfreq_init() does call devfreq_suspend_device(), but
+unlike msm_devfreq_suspend(), it doesn't set the df->suspended flag
+accordingly. This means the df->suspended flag does not match the actual
+devfreq state after initialization and msm_devfreq_get_dev_status() will
+end up accessing GMU registers, causing the crash.
+
+Fix this by setting df->suspended correctly during initialization.
+
+Cc: stable@vger.kernel.org
+Fixes: 6694482a70e9 ("drm/msm: Avoid unclocked GMU register access in 6xx gpu_busy")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/650772/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/msm/msm_gpu_devfreq.c
++++ b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+@@ -147,6 +147,7 @@ void msm_devfreq_init(struct msm_gpu *gp
+ return;
+
+ mutex_init(&df->lock);
++ df->suspended = true;
+
+ ret = dev_pm_qos_add_request(&gpu->pdev->dev, &df->boost_freq,
+ DEV_PM_QOS_MIN_FREQUENCY, 0);
diff --git a/queue-6.1/drm-tegra-assign-plane-type-before-registration.patch b/queue-6.1/drm-tegra-assign-plane-type-before-registration.patch
new file mode 100644
index 0000000000..a8d9a4b651
--- /dev/null
+++ b/queue-6.1/drm-tegra-assign-plane-type-before-registration.patch
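Review bot: The added `df->suspended = true;` in msm_devfreq_init() (drivers/gpu/drm/msm/msm_gpu_devfreq.c) has no comment, and the reason for starting in the suspended state cannot be read from the line itself. A comment such as `/* devfreq is left suspended by this function; keep the flag in sync so msm_devfreq_get_dev_status() does not read GMU registers before resume */` would record what the changelog explains. The flag is written without taking `df->lock`, which looks safe only because it directly follows `mutex_init()`; it is worth confirming that no devfreq or thermal callback can observe `df` before this point. The function body continues outside the hunk.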
@@ -0,0 +1,87 @@ +From 9ff4fdf4f44b69237c0afc1d3a8dac916ce66f3e Mon Sep 17 00:00:00 2001 +From: Thierry Reding <treding@nvidia.com> +Date: Mon, 21 Apr 2025 11:13:05 -0500 +Subject: drm/tegra: Assign plane type before registration + +From: Thierry Reding <treding@nvidia.com> + +commit 9ff4fdf4f44b69237c0afc1d3a8dac916ce66f3e upstream. + +Changes to a plane's type after it has been registered aren't propagated +to userspace automatically. This could possibly be achieved by updating +the property, but since we can already determine which type this should +be before the registration, passing in the right type from the start is +a much better solution. + +Suggested-by: Aaron Kling <webgeek1234@gmail.com> +Signed-off-by: Thierry Reding <treding@nvidia.com> +Cc: stable@vger.kernel.org +Fixes: 473079549f27 ("drm/tegra: dc: Add Tegra186 support") +Signed-off-by: Aaron Kling <webgeek1234@gmail.com> +Signed-off-by: Thierry Reding <treding@nvidia.com> +Link: https://lore.kernel.org/r/20250421-tegra-drm-primary-v2-1-7f740c4c2121@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/gpu/drm/tegra/dc.c | 12 ++++++++---- + drivers/gpu/drm/tegra/hub.c | 4 ++-- + drivers/gpu/drm/tegra/hub.h | 3 ++- + 3 files changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/tegra/dc.c ++++ b/drivers/gpu/drm/tegra/dc.c +@@ -1319,10 +1319,16 @@ static struct drm_plane *tegra_dc_add_sh + if (wgrp->dc == dc->pipe) { + for (j = 0; j < wgrp->num_windows; j++) { + unsigned int index = wgrp->windows[j]; ++ enum drm_plane_type type; ++ ++ if (primary) ++ type = DRM_PLANE_TYPE_OVERLAY; ++ else ++ type = DRM_PLANE_TYPE_PRIMARY; + + plane = tegra_shared_plane_create(drm, dc, + wgrp->index, +- index); ++ index, type); + if (IS_ERR(plane)) + return plane; + +@@ -1330,10 +1336,8 @@ static struct drm_plane *tegra_dc_add_sh + * Choose the first shared plane owned by this + * head as the primary plane. 
+ */ +- if (!primary) { +- plane->type = DRM_PLANE_TYPE_PRIMARY; ++ if (!primary) + primary = plane; +- } + } + } + } +--- a/drivers/gpu/drm/tegra/hub.c ++++ b/drivers/gpu/drm/tegra/hub.c +@@ -756,9 +756,9 @@ static const struct drm_plane_helper_fun + struct drm_plane *tegra_shared_plane_create(struct drm_device *drm, + struct tegra_dc *dc, + unsigned int wgrp, +- unsigned int index) ++ unsigned int index, ++ enum drm_plane_type type) + { +- enum drm_plane_type type = DRM_PLANE_TYPE_OVERLAY; + struct tegra_drm *tegra = drm->dev_private; + struct tegra_display_hub *hub = tegra->hub; + struct tegra_shared_plane *plane; +--- a/drivers/gpu/drm/tegra/hub.h ++++ b/drivers/gpu/drm/tegra/hub.h +@@ -80,7 +80,8 @@ void tegra_display_hub_cleanup(struct te + struct drm_plane *tegra_shared_plane_create(struct drm_device *drm, + struct tegra_dc *dc, + unsigned int wgrp, +- unsigned int index); ++ unsigned int index, ++ enum drm_plane_type type); + + int tegra_display_hub_atomic_check(struct drm_device *drm, + struct drm_atomic_state *state); diff --git a/queue-6.1/drm-tegra-fix-a-possible-null-pointer-dereference.patch b/queue-6.1/drm-tegra-fix-a-possible-null-pointer-dereference.patch new file mode 100644 index 0000000000..251128f820 --- /dev/null +++ b/queue-6.1/drm-tegra-fix-a-possible-null-pointer-dereference.patch 
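Review bot: In the dc.c loop the plane type is now chosen from `primary` several lines above the `if (!primary) primary = plane;` assignment, but the comment "Choose the first shared plane owned by this head as the primary plane" stays with the assignment only. Moving that comment up to the type selection would help, as would writing the selection as one initialiser, `enum drm_plane_type type = primary ? DRM_PLANE_TYPE_OVERLAY : DRM_PLANE_TYPE_PRIMARY;`, so both decisions visibly depend on the same variable. The enclosing function starts and ends outside the hunk.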
@@ -0,0 +1,37 @@
+From 780351a5f61416ed2ba1199cc57e4a076fca644d Mon Sep 17 00:00:00 2001
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+Date: Wed, 6 Nov 2024 17:59:06 +0800
+Subject: drm/tegra: Fix a possible null pointer dereference
+
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+
+commit 780351a5f61416ed2ba1199cc57e4a076fca644d upstream.
+
+In tegra_crtc_reset(), new memory is allocated with kzalloc(), but
+no check is performed. Before calling __drm_atomic_helper_crtc_reset,
+state should be checked to prevent possible null pointer dereference.
+
+Fixes: b7e0b04ae450 ("drm/tegra: Convert to using __drm_atomic_helper_crtc_reset() for reset.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20241106095906.15247-1-chenqiuji666@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tegra/dc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/tegra/dc.c
++++ b/drivers/gpu/drm/tegra/dc.c
+@@ -1391,7 +1391,10 @@ static void tegra_crtc_reset(struct drm_
+ if (crtc->state)
+ tegra_crtc_atomic_destroy_state(crtc, crtc->state);
+
+- __drm_atomic_helper_crtc_reset(crtc, &state->base);
++ if (state)
++ __drm_atomic_helper_crtc_reset(crtc, &state->base);
++ else
++ __drm_atomic_helper_crtc_reset(crtc, NULL);
+ }
+
+ static struct drm_crtc_state *
diff --git a/queue-6.1/drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch b/queue-6.1/drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch
new file mode 100644
index 0000000000..217af9754c
--- /dev/null
+++ b/queue-6.1/drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch
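Review bot: With the new `else` branch, tegra_crtc_reset() returns normally after a failed allocation, and nothing records that the reset ran without a state. Assuming the helper simply stores the NULL it is given, crtc->state is then left NULL. A comment on the branch, e.g. `/* allocation failed: reset with no state; crtc->state stays NULL */`, would make clear that this is deliberate. Whether every later reader of crtc->state in this driver tolerates NULL cannot be seen from the hunk and is worth checking.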
@@ -0,0 +1,48 @@
+From ff9cb6d2035c586ea7c8f1754d4409eec7a2d26d Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Mon, 3 Mar 2025 15:52:56 +0100
+Subject: drm/udl: Unregister device before cleaning up on disconnect
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit ff9cb6d2035c586ea7c8f1754d4409eec7a2d26d upstream.
+
+Disconnecting a DisplayLink device results in the following kernel
+error messages
+
+[ 93.041748] [drm:udl_urb_completion [udl]] *ERROR* udl_urb_completion - nonzero write bulk status received: -115
+[ 93.055299] [drm:udl_submit_urb [udl]] *ERROR* usb_submit_urb error fffffffe
+[ 93.065363] [drm:udl_urb_completion [udl]] *ERROR* udl_urb_completion - nonzero write bulk status received: -115
+[ 93.078207] [drm:udl_submit_urb [udl]] *ERROR* usb_submit_urb error fffffffe
+
+coming from KMS poll helpers. Shutting down poll helpers runs them
+one final time when the USB device is already gone.
+
+Run drm_dev_unplug() first in udl's USB disconnect handler. Udl's
+polling code already handles disconnects gracefully if the device has
+been marked as unplugged.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: b1a981bd5576 ("drm/udl: drop drm_driver.release hook")
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250303145604.62962-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/udl/udl_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/udl/udl_drv.c
++++ b/drivers/gpu/drm/udl/udl_drv.c
+@@ -126,9 +126,9 @@ static void udl_usb_disconnect(struct us
+ {
+ struct drm_device *dev = usb_get_intfdata(interface);
+
++ drm_dev_unplug(dev);
+ drm_kms_helper_poll_fini(dev);
+ udl_drop_usb(dev);
+- drm_dev_unplug(dev);
+ }
+
+ /*
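Review bot: The fix in udl_usb_disconnect() is purely a change of call order, and nothing in the code says that the order matters. A comment above the first call, e.g. `/* mark the device unplugged first: the final poll run must not touch the departed USB device */`, would keep a later cleanup from moving drm_dev_unplug() back to the end of the teardown.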
diff --git a/queue-6.1/dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch b/queue-6.1/dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch
new file mode 100644
index 0000000000..94802533a2
--- /dev/null
+++ b/queue-6.1/dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch
@@ -0,0 +1,51 @@
+From 09812134071b3941fb81def30b61ed36d3a5dfb5 Mon Sep 17 00:00:00 2001
+From: Yao Zi <ziyao@disroot.org>
+Date: Mon, 23 Jun 2025 09:34:45 +0000
+Subject: dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive
+
+From: Yao Zi <ziyao@disroot.org>
+
+commit 09812134071b3941fb81def30b61ed36d3a5dfb5 upstream.
+
+The 8250 binding before converting to json-schema states,
+
+ - clock-frequency : the input clock frequency for the UART
+ or
+ - clocks phandle to refer to the clk used as per Documentation/devicetree
+
+for clock-related properties, where "or" indicates these properties
+shouldn't exist at the same time.
+
+Additionally, the behavior of Linux's driver is strange when both clocks
+and clock-frequency are specified: it ignores clocks and obtains the
+frequency from clock-frequency, left the specified clocks unclaimed. It
+may even be disabled, which is undesired most of the time.
+
+But "anyOf" doesn't prevent these two properties from coexisting, as it
+considers the object valid as long as there's at LEAST one match.
+
+Let's switch to "oneOf" and disallows the other property if one exists,
+precisely matching the original binding and avoiding future confusion on
+the driver's behavior.
+
+Fixes: e69f5dc623f9 ("dt-bindings: serial: Convert 8250 to json-schema")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20250623093445.62327-1-ziyao@disroot.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/serial/8250.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/serial/8250.yaml
++++ b/Documentation/devicetree/bindings/serial/8250.yaml
+@@ -44,7 +44,7 @@ allOf:
+ - ns16550
+ - ns16550a
+ then:
+- anyOf:
++ oneOf:
+ - required: [ clock-frequency ]
+ - required: [ clocks ]
+
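Review bot: The `oneOf` in 8250.yaml now rejects nodes that carry both properties, but the schema gives no reason for the restriction. A YAML comment above it, e.g. `# clock-frequency and clocks are mutually exclusive`, would save the reader a trip to the commit log. Device trees that currently set both would start failing validation; the hunk does not show whether any in-tree users do.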
diff --git a/queue-6.1/hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch b/queue-6.1/hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch
new file mode 100644
index 0000000000..b3a672d1f6
--- /dev/null
+++ b/queue-6.1/hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch
@@ -0,0 +1,49 @@ +From 9327e3ee5b077c4ab4495a09b67624f670ed88b6 Mon Sep 17 00:00:00 2001 +From: Iusico Maxim <iusico.maxim@libero.it> +Date: Thu, 5 Jun 2025 19:55:50 +0200 +Subject: HID: lenovo: Restrict F7/9/11 mode to compact keyboards only + +From: Iusico Maxim <iusico.maxim@libero.it> + +commit 9327e3ee5b077c4ab4495a09b67624f670ed88b6 upstream. + +Commit 2f2bd7cbd1d1 ("hid: lenovo: Resend all settings on reset_resume +for compact keyboards") introduced a regression for ThinkPad TrackPoint +Keyboard II by removing the conditional check for enabling F7/9/11 mode +needed for compact keyboards only. As a result, the non-compact +keyboards can no longer toggle Fn-lock via Fn+Esc, although it can be +controlled via sysfs knob that directly sends raw commands. + +This patch restores the previous conditional check without any +additions. + +Cc: stable@vger.kernel.org +Fixes: 2f2bd7cbd1d1 ("hid: lenovo: Resend all settings on reset_resume for compact keyboards") +Signed-off-by: Iusico Maxim <iusico.maxim@libero.it> +Signed-off-by: Jiri Kosina <jkosina@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/hid/hid-lenovo.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/hid/hid-lenovo.c ++++ b/drivers/hid/hid-lenovo.c +@@ -529,11 +529,14 @@ static void lenovo_features_set_cptkbd(s + + /* + * Tell the keyboard a driver understands it, and turn F7, F9, F11 into +- * regular keys ++ * regular keys (Compact only) + */ +- ret = lenovo_send_cmd_cptkbd(hdev, 0x01, 0x03); +- if (ret) +- hid_warn(hdev, "Failed to switch F7/9/11 mode: %d\n", ret); ++ if (hdev->product == USB_DEVICE_ID_LENOVO_CUSBKBD || ++ hdev->product == USB_DEVICE_ID_LENOVO_CBTKBD) { ++ ret = lenovo_send_cmd_cptkbd(hdev, 0x01, 0x03); ++ if (ret) ++ hid_warn(hdev, "Failed to switch F7/9/11 mode: %d\n", ret); ++ } + + /* Switch middle button to native mode */ + ret = lenovo_send_cmd_cptkbd(hdev, 0x09, 0x01); 
diff --git a/queue-6.1/hid-wacom-fix-kobject-reference-count-leak.patch b/queue-6.1/hid-wacom-fix-kobject-reference-count-leak.patch new file mode 100644 index 0000000000..9b560a7752 --- /dev/null +++ b/queue-6.1/hid-wacom-fix-kobject-reference-count-leak.patch @@ -0,0 +1,37 @@ +From 85a720f4337f0ddf1603c8b75a8f1ffbbe022ef9 Mon Sep 17 00:00:00 2001 +From: Qasim Ijaz <qasdev00@gmail.com> +Date: Fri, 6 Jun 2025 19:49:59 +0100 +Subject: HID: wacom: fix kobject reference count leak + +From: Qasim Ijaz <qasdev00@gmail.com> + +commit 85a720f4337f0ddf1603c8b75a8f1ffbbe022ef9 upstream. + +When sysfs_create_files() fails in wacom_initialize_remotes() the error +is returned and the cleanup action will not have been registered yet. + +As a result the kobject???s refcount is never dropped, so the +kobject can never be freed leading to a reference leak. + +Fix this by calling kobject_put() before returning. + +Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") +Acked-by: Ping Cheng <ping.cheng@wacom.com> +Cc: stable@vger.kernel.org +Signed-off-by: Qasim Ijaz <qasdev00@gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/hid/wacom_sys.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2023,6 +2023,7 @@ static int wacom_initialize_remotes(stru + hid_err(wacom->hdev, + "cannot create sysfs group err: %d\n", error); + kfifo_free(&remote->remote_fifo); ++ kobject_put(remote->remote_dir); + return error; + } + diff --git a/queue-6.1/hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch b/queue-6.1/hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch new file mode 100644 index 0000000000..af6558d287 --- /dev/null +++ b/queue-6.1/hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch 
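Review bot: After the added `kobject_put(remote->remote_dir);` in wacom_initialize_remotes(), the pointer remote->remote_dir still holds the address of the released kobject. If `remote` outlives this failure (its allocation is outside the hunk), adding `remote->remote_dir = NULL;` right after the put keeps any later teardown or sysfs path from touching a freed object.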
@@ -0,0 +1,44 @@ +From 5ae416c5b1e2e816aee7b3fc8347adf70afabb4c Mon Sep 17 00:00:00 2001 +From: Qasim Ijaz <qasdev00@gmail.com> +Date: Fri, 6 Jun 2025 19:49:57 +0100 +Subject: HID: wacom: fix memory leak on kobject creation failure + +From: Qasim Ijaz <qasdev00@gmail.com> + +commit 5ae416c5b1e2e816aee7b3fc8347adf70afabb4c upstream. + +During wacom_initialize_remotes() a fifo buffer is allocated +with kfifo_alloc() and later a cleanup action is registered +during devm_add_action_or_reset() to clean it up. + +However if the code fails to create a kobject and register it +with sysfs the code simply returns -ENOMEM before the cleanup +action is registered leading to a memory leak. + +Fix this by ensuring the fifo is freed when the kobject creation +and registration process fails. + +Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") +Reviewed-by: Ping Cheng <ping.cheng@wacom.com> +Cc: stable@vger.kernel.org +Signed-off-by: Qasim Ijaz <qasdev00@gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/hid/wacom_sys.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2012,8 +2012,10 @@ static int wacom_initialize_remotes(stru + + remote->remote_dir = kobject_create_and_add("wacom_remote", + &wacom->hdev->dev.kobj); +- if (!remote->remote_dir) ++ if (!remote->remote_dir) { ++ kfifo_free(&remote->remote_fifo); + return -ENOMEM; ++ } + + error = sysfs_create_files(remote->remote_dir, remote_unpair_attrs); + diff --git a/queue-6.1/hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch b/queue-6.1/hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch new file mode 100644 index 0000000000..0fe143757e --- /dev/null +++ b/queue-6.1/hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch 
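Review bot: This error path and the sysfs_create_files() path just below it now each release resources by hand before returning; the other two wacom patches in this queue extend the second path in the same way with `kfifo_free(&remote->remote_fifo);` and `kobject_put(remote->remote_dir);`. A pair of unwind labels at the end of wacom_initialize_remotes(), reached with `goto`, would keep the release order in one place and make a missed release harder to reintroduce. The function continues outside the hunk, so any later failure paths that would share those labels are not visible here.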
@@ -0,0 +1,34 @@ +From 1a19ae437ca5d5c7d9ec2678946fb339b1c706bf Mon Sep 17 00:00:00 2001 +From: Qasim Ijaz <qasdev00@gmail.com> +Date: Fri, 6 Jun 2025 19:49:58 +0100 +Subject: HID: wacom: fix memory leak on sysfs attribute creation failure + +From: Qasim Ijaz <qasdev00@gmail.com> + +commit 1a19ae437ca5d5c7d9ec2678946fb339b1c706bf upstream. + +When sysfs_create_files() fails during wacom_initialize_remotes() the +fifo buffer is not freed leading to a memory leak. + +Fix this by calling kfifo_free() before returning. + +Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") +Reviewed-by: Ping Cheng <ping.cheng@wacom.com> +Cc: stable@vger.kernel.org +Signed-off-by: Qasim Ijaz <qasdev00@gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/hid/wacom_sys.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -2022,6 +2022,7 @@ static int wacom_initialize_remotes(stru + if (error) { + hid_err(wacom->hdev, + "cannot create sysfs group err: %d\n", error); ++ kfifo_free(&remote->remote_fifo); + return error; + } + diff --git a/queue-6.1/scsi-megaraid_sas-fix-invalid-node-index.patch b/queue-6.1/scsi-megaraid_sas-fix-invalid-node-index.patch new file mode 100644 index 0000000000..008d041275 --- /dev/null +++ b/queue-6.1/scsi-megaraid_sas-fix-invalid-node-index.patch 
@@ -0,0 +1,66 @@ +From 752eb816b55adb0673727ba0ed96609a17895654 Mon Sep 17 00:00:00 2001 +From: Chen Yu <yu.c.chen@intel.com> +Date: Wed, 4 Jun 2025 12:25:56 +0800 +Subject: scsi: megaraid_sas: Fix invalid node index + +From: Chen Yu <yu.c.chen@intel.com> + +commit 752eb816b55adb0673727ba0ed96609a17895654 upstream. + +On a system with DRAM interleave enabled, out-of-bound access is +detected: + +megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0 +------------[ cut here ]------------ +UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28 +index -1 is out of range for type 'cpumask *[1024]' +dump_stack_lvl+0x5d/0x80 +ubsan_epilogue+0x5/0x2b +__ubsan_handle_out_of_bounds.cold+0x46/0x4b +megasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas] +megasas_probe_one.cold+0xa4d/0x189c [megaraid_sas] +local_pci_probe+0x42/0x90 +pci_device_probe+0xdc/0x290 +really_probe+0xdb/0x340 +__driver_probe_device+0x78/0x110 +driver_probe_device+0x1f/0xa0 +__driver_attach+0xba/0x1c0 +bus_for_each_dev+0x8b/0xe0 +bus_add_driver+0x142/0x220 +driver_register+0x72/0xd0 +megasas_init+0xdf/0xff0 [megaraid_sas] +do_one_initcall+0x57/0x310 +do_init_module+0x90/0x250 +init_module_from_file+0x85/0xc0 +idempotent_init_module+0x114/0x310 +__x64_sys_finit_module+0x65/0xc0 +do_syscall_64+0x82/0x170 +entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Fix it accordingly. + +Signed-off-by: Chen Yu <yu.c.chen@intel.com> +Link: https://lore.kernel.org/r/20250604042556.3731059-1-yu.c.chen@intel.com +Fixes: 8049da6f3943 ("scsi: megaraid_sas: Use irq_set_affinity_and_hint()") +Cc: stable@vger.kernel.org +Signed-off-by: Martin K. 
Petersen <martin.petersen@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -5909,7 +5909,11 @@ megasas_set_high_iops_queue_affinity_and + const struct cpumask *mask; + + if (instance->perf_mode == MR_BALANCED_PERF_MODE) { +- mask = cpumask_of_node(dev_to_node(&instance->pdev->dev)); ++ int nid = dev_to_node(&instance->pdev->dev); ++ ++ if (nid == NUMA_NO_NODE) ++ nid = 0; ++ mask = cpumask_of_node(nid); + + for (i = 0; i < instance->low_latency_index_start; i++) { + irq = pci_irq_vector(instance->pdev, i); diff --git a/queue-6.1/serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch b/queue-6.1/serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch new file mode 100644 index 0000000000..f5e544a7d7 --- /dev/null +++ b/queue-6.1/serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch 
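Review bot: The fallback `nid = 0;` assumes that node 0 exists and has usable CPUs, which the hunk does not establish. Either state the assumption in a comment, e.g. `/* device reports no NUMA node: fall back to node 0 */`, or pick a fallback that is known to be online, such as `nid = first_online_node;`. The enclosing function starts and ends outside the hunk.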
@@ -0,0 +1,107 @@ +From f23c52aafb1675ab1d1f46914556d8e29cbbf7b3 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam <festevam@gmail.com> +Date: Thu, 19 Jun 2025 08:46:17 -0300 +Subject: serial: imx: Restore original RXTL for console to fix data loss + +From: Fabio Estevam <festevam@gmail.com> + +commit f23c52aafb1675ab1d1f46914556d8e29cbbf7b3 upstream. + +Commit 7a637784d517 ("serial: imx: reduce RX interrupt frequency") +introduced a regression on the i.MX6UL EVK board. The issue can be +reproduced with the following steps: + +- Open vi on the board. +- Paste a text file (~150 characters). +- Save the file, then repeat the process. +- Compare the sha256sum of the saved files. + +The checksums do not match due to missing characters or entire lines. + +Fix this by restoring the RXTL value to 1 when the UART is used as a +console. + +This ensures timely RX interrupts and reliable data reception in console +mode. + +With this change, pasted content is saved correctly, and checksums are +always consistent. 
+ +Cc: stable <stable@kernel.org> +Fixes: 7a637784d517 ("serial: imx: reduce RX interrupt frequency") +Signed-off-by: Fabio Estevam <festevam@gmail.com> +Reviewed-by: Stefan Wahren <wahrenst@gmx.net> +Link: https://lore.kernel.org/r/20250619114617.2791939-1-festevam@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/tty/serial/imx.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -239,6 +239,7 @@ struct imx_port { + enum imx_tx_state tx_state; + struct hrtimer trigger_start_tx; + struct hrtimer trigger_stop_tx; ++ unsigned int rxtl; + }; + + struct imx_port_ucrs { +@@ -1320,6 +1321,7 @@ static void imx_uart_clear_rx_errors(str + + #define TXTL_DEFAULT 8 + #define RXTL_DEFAULT 8 /* 8 characters or aging timer */ ++#define RXTL_CONSOLE_DEFAULT 1 + #define TXTL_DMA 8 /* DMA burst setting */ + #define RXTL_DMA 9 /* DMA burst setting */ + +@@ -1432,7 +1434,7 @@ static void imx_uart_disable_dma(struct + ucr1 &= ~(UCR1_RXDMAEN | UCR1_TXDMAEN | UCR1_ATDMAEN); + imx_uart_writel(sport, ucr1, UCR1); + +- imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT); ++ imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl); + + sport->dma_is_enabled = 0; + } +@@ -1457,7 +1459,12 @@ static int imx_uart_startup(struct uart_ + return retval; + } + +- imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT); ++ if (uart_console(&sport->port)) ++ sport->rxtl = RXTL_CONSOLE_DEFAULT; ++ else ++ sport->rxtl = RXTL_DEFAULT; ++ ++ imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl); + + /* disable the DREN bit (Data Ready interrupt enable) before + * requesting IRQs +@@ -1906,7 +1913,7 @@ static int imx_uart_poll_init(struct uar + if (retval) + clk_disable_unprepare(sport->clk_ipg); + +- imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT); ++ imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl); + + spin_lock_irqsave(&sport->port.lock, flags); + +@@ -1998,7 
+2005,7 @@ static int imx_uart_rs485_config(struct + /* If the receiver trigger is 0, set it to a default value */ + ufcr = imx_uart_readl(sport, UFCR); + if ((ufcr & UFCR_RXTL_MASK) == 0) +- imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT); ++ imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl); + imx_uart_start_rx(port); + } + +@@ -2183,7 +2190,7 @@ imx_uart_console_setup(struct console *c + else + imx_uart_console_get_options(sport, &baud, &parity, &bits); + +- imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT); ++ imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl); + + retval = uart_set_options(&sport->port, co, baud, parity, bits, flow); + diff --git a/queue-6.1/series b/queue-6.1/series index a29d1a5e8c..537480fc9e 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
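Review bot: `sport->rxtl` is assigned only in imx_uart_startup(), yet imx_uart_console_setup(), imx_uart_poll_init() and imx_uart_rs485_config() now pass it to imx_uart_setup_ufcr(). If any of them can run before the port is first opened, the field still holds its initial value, presumably 0 from a zeroed allocation. The RX trigger level would then be set from that value rather than from a default, and the rs485 "trigger is 0" fallback would appear to write 0 back. Initialising the field where the port is set up, e.g. `sport->rxtl = RXTL_DEFAULT;` in probe, or deriving it in one helper from `uart_console(&sport->port)`, would remove the ordering dependency. The allocation and probe path are outside these hunks.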
@@ -87,3 +87,21 @@ alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x.patch net-selftests-fix-tcp-packet-checksum.patch drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch +staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch +dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch +serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch +bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch +dm-raid-fix-variable-in-journal-device-check.patch +btrfs-fix-a-race-between-renames-and-directory-logging.patch +btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch +hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch +hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch +hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch +hid-wacom-fix-kobject-reference-count-leak.patch +scsi-megaraid_sas-fix-invalid-node-index.patch +drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch +drm-tegra-assign-plane-type-before-registration.patch +drm-tegra-fix-a-possible-null-pointer-dereference.patch +drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch +drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch +drm-amdkfd-fix-race-in-gws-queue-scheduling.patch diff --git a/queue-6.1/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch b/queue-6.1/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch new file mode 100644 index 0000000000..3d88c48b38 --- /dev/null +++ b/queue-6.1/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch 
@@ -0,0 +1,137 @@ +From a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor <nathan@kernel.org> +Date: Mon, 9 Jun 2025 14:13:14 -0700 +Subject: staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() + +From: Nathan Chancellor <nathan@kernel.org> + +commit a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 upstream. + +After commit 6f110a5e4f99 ("Disable SLUB_TINY for build testing"), which +causes CONFIG_KASAN to be enabled in allmodconfig again, arm64 +allmodconfig builds with older versions of clang (15 through 17) show an +instance of -Wframe-larger-than (which breaks the build with +CONFIG_WERROR=y): + + drivers/staging/rtl8723bs/core/rtw_security.c:1287:5: error: stack frame size (2208) exceeds limit (2048) in 'rtw_aes_decrypt' [-Werror,-Wframe-larger-than] + 1287 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe) + | ^ + +This comes from aes_decipher() being inlined in rtw_aes_decrypt(). +Running the same build with CONFIG_FRAME_WARN=128 shows aes_cipher() +also uses a decent amount of stack, just under the limit of 2048: + + drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1952) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than] + 864 | static signed int aes_cipher(u8 *key, uint hdrlen, + | ^ + +-Rpass-analysis=stack-frame-layout only shows one large structure on the +stack, which is the ctx variable inlined from aes128k128d(). A good +number of the other variables come from the additional checks of +fortified string routines, which are present in memset(), which both +aes_cipher() and aes_decipher() use to initialize some temporary +buffers. In this case, since the size is known at compile time, these +additional checks should not result in any code generation changes but +allmodconfig has several sanitizers enabled, which may make it harder +for the compiler to eliminate the compile time checks and the variables +that come about from them. 
+ +The memset() calls are just initializing these buffers to zero, so use +'= {}' instead, which is used all over the kernel and does the exact +same thing as memset() without the fortify checks, which drops the stack +usage of these functions by a few hundred kilobytes. + + drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1584) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than] + 864 | static signed int aes_cipher(u8 *key, uint hdrlen, + | ^ + drivers/staging/rtl8723bs/core/rtw_security.c:1271:5: warning: stack frame size (1456) exceeds limit (128) in 'rtw_aes_decrypt' [-Wframe-larger-than] + 1271 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe) + | ^ + +Cc: stable@vger.kernel.org +Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") +Signed-off-by: Nathan Chancellor <nathan@kernel.org> +Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> +Link: https://lore.kernel.org/r/20250609-rtl8723bs-fix-clang-arm64-wflt-v1-1-e2accba43def@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/staging/rtl8723bs/core/rtw_security.c | 44 ++++++++------------------ + 1 file changed, 14 insertions(+), 30 deletions(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_security.c ++++ b/drivers/staging/rtl8723bs/core/rtw_security.c +@@ -869,29 +869,21 @@ static signed int aes_cipher(u8 *key, ui + num_blocks, payload_index; + + u8 pn_vector[6]; +- u8 mic_iv[16]; +- u8 mic_header1[16]; +- u8 mic_header2[16]; +- u8 ctr_preload[16]; ++ u8 mic_iv[16] = {}; ++ u8 mic_header1[16] = {}; ++ u8 mic_header2[16] = {}; ++ u8 ctr_preload[16] = {}; + + /* Intermediate Buffers */ +- u8 chain_buffer[16]; +- u8 aes_out[16]; +- u8 padded_buffer[16]; ++ u8 chain_buffer[16] = {}; ++ u8 aes_out[16] = {}; ++ u8 padded_buffer[16] = {}; + u8 mic[8]; + uint frtype = GetFrameType(pframe); + uint frsubtype = GetFrameSubType(pframe); + + frsubtype = frsubtype>>4; + +- memset((void *)mic_iv, 0, 16); +- memset((void 
*)mic_header1, 0, 16); +- memset((void *)mic_header2, 0, 16); +- memset((void *)ctr_preload, 0, 16); +- memset((void *)chain_buffer, 0, 16); +- memset((void *)aes_out, 0, 16); +- memset((void *)padded_buffer, 0, 16); +- + if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN)) + a4_exists = 0; + else +@@ -1081,15 +1073,15 @@ static signed int aes_decipher(u8 *key, + num_blocks, payload_index; + signed int res = _SUCCESS; + u8 pn_vector[6]; +- u8 mic_iv[16]; +- u8 mic_header1[16]; +- u8 mic_header2[16]; +- u8 ctr_preload[16]; ++ u8 mic_iv[16] = {}; ++ u8 mic_header1[16] = {}; ++ u8 mic_header2[16] = {}; ++ u8 ctr_preload[16] = {}; + + /* Intermediate Buffers */ +- u8 chain_buffer[16]; +- u8 aes_out[16]; +- u8 padded_buffer[16]; ++ u8 chain_buffer[16] = {}; ++ u8 aes_out[16] = {}; ++ u8 padded_buffer[16] = {}; + u8 mic[8]; + + uint frtype = GetFrameType(pframe); +@@ -1097,14 +1089,6 @@ static signed int aes_decipher(u8 *key, + + frsubtype = frsubtype>>4; + +- memset((void *)mic_iv, 0, 16); +- memset((void *)mic_header1, 0, 16); +- memset((void *)mic_header2, 0, 16); +- memset((void *)ctr_preload, 0, 16); +- memset((void *)chain_buffer, 0, 16); +- memset((void *)aes_out, 0, 16); +- memset((void *)padded_buffer, 0, 16); +- + /* start to decrypt the payload */ + + num_blocks = (plen-8) / 16; /* plen including LLC, payload_length and mic) */ |
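Review bot: In both aes_cipher() and aes_decipher() the 16-byte buffers are now zero-initialised at declaration, but `pn_vector[6]` and `mic[8]` beside them are still left uninitialised. If either can be read before it is fully written (their uses are outside the hunks), giving them the same treatment, `u8 pn_vector[6] = {};` and `u8 mic[8] = {};`, closes that gap and keeps the declarations uniform.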