From: Sasha Levin Date: Thu, 2 Jul 2026 00:38:30 +0000 (-0400) Subject: Fixes for all trees X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;ds=inline;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch b/queue-5.10/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
new file mode 100644
index 0000000000..f3a64aee97
--- /dev/null
+++ b/queue-5.10/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
@@ -0,0 +1,42 @@
+From d8c634633a3a7347d5d5d8bd3cf89a851690227f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2026 19:01:21 +0300
+Subject: crypto: af_alg - Set merge to zero early in af_alg_sendmsg
+
+From: Herbert Xu
+
+commit 9574b2330dbd2b5459b74d3b5e9619d39299fc6f upstream.
+
+If an error causes af_alg_sendmsg to abort, ctx->merge may contain
+a garbage value from the previous loop. This may then trigger a
+crash on the next entry into af_alg_sendmsg when it attempts to do
+a merge that can't be done.
+
+Fix this by setting ctx->merge to zero near the start of the loop.
+
+Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
+Reported-by: Muhammad Alifa Ramdhan
+Reported-by: Bing-Jhong Billy Jheng
+Signed-off-by: Herbert Xu
+Signed-off-by: Mikhail Dmitrichenko
+Signed-off-by: Sasha Levin
+---
+ crypto/af_alg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 4983dd68578e24..6acee8e0041a42 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -892,6 +892,8 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ continue;
+ }
+
++ ctx->merge = 0;
++
+ if (!af_alg_writable(sk)) {
+ err = af_alg_wait_for_wmem(sk, msg->msg_flags);
+ if (err)
+--
+2.53.0
+
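Review bot: The added `ctx->merge = 0;` in the af_alg_sendmsg() loop carries no comment, so without the commit message a reader cannot tell why a field that is presumably assigned again later in the same iteration is cleared here. I would put `/* Clear merge up front so an error exit cannot leave a stale value for the next sendmsg call. */` above the assignment. The loop body continues outside the hunk, so the later write to ctx->merge is not visible from here. The identical hunk in the queue-5.15 copy of this patch would take the same comment.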
diff --git a/queue-5.10/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch b/queue-5.10/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
new file mode 100644
index 0000000000..8f5e5aabb4
--- /dev/null
+++ b/queue-5.10/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
@@ -0,0 +1,52 @@
+From 2a757875c8655b2a236b936876fd3eae46ab8861 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jun 2026 17:42:56 +0100
+Subject: ext4: add bounds check for inline data length in
+ ext4_read_inline_page
+
+From: Yuto Ohnuki
+
+[ Upstream commit 356227096eb66e41b23caf7045e6304877322edf ]
+
+ext4_read_inline_page() does not validate that the inline data length
+fits within a page before copying data. If the inline size exceeds
+PAGE_SIZE due to filesystem corruption, this could lead to a kernel
+memory write beyond the page boundary.
+
+Add a bounds check after computing len, returning -EFSCORRUPTED if the
+value exceeds PAGE_SIZE.
+
+The upstream commit replaced a BUG_ON(len > PAGE_SIZE) in
+ext4_read_inline_folio(). In 6.1 and earlier, the function is still named
+ext4_read_inline_page() and the BUG_ON was never present, so this patch
+adds the bounds check directly.
+
+Fixes: 46c7f254543d ("ext4: add read support for inline data")
+Signed-off-by: Yuto Ohnuki
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/inline.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index 129f7ff56b43bd..edaa8820226070 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -513,6 +513,14 @@ static int ext4_read_inline_page(struct inode *inode, struct page *page)
+ goto out;
+
+ len = min_t(size_t, ext4_get_inline_size(inode), i_size_read(inode));
++ if (len > PAGE_SIZE) {
++ ext4_error_inode(inode, __func__, __LINE__, 0,
++ "inline size %zu exceeds PAGE_SIZE", len);
++ ret = -EFSCORRUPTED;
++ brelse(iloc.bh);
++ goto out;
++ }
++
+ kaddr = kmap_atomic(page);
+ ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
+ flush_dcache_page(page);
+--
+2.53.0
+
diff --git a/queue-5.10/net-cpsw_new-fix-potential-unregister-of-netdev-that.patch b/queue-5.10/net-cpsw_new-fix-potential-unregister-of-netdev-that.patch
new file mode 100644
index 0000000000..5a1cb2cdc7
--- /dev/null
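Review bot: The new `len > PAGE_SIZE` check in ext4_read_inline_page() has no comment saying that len is derived from on-disk inode fields and bounds the copy into the single mapped page that follows, which is the whole reason the check exists. I would add `/* len comes from on-disk metadata; reject it before copying into the one-page mapping below. */` above the `if`. The message calls the value "inline size" although len is the smaller of the inline size and i_size, so the wording slightly misnames what is printed. The function starts and ends outside the hunk, so what the `out` label does is not visible here. The same hunk appears in the queue-5.15 and queue-6.1 copies of this patch.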
+++ b/queue-5.10/net-cpsw_new-fix-potential-unregister-of-netdev-that.patch 
@@ -0,0 +1,57 @@
+From 0f8c78da995877183e5a77242d296934023bf4cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jun 2026 23:07:17 +0300
+Subject: net: cpsw_new: Fix potential unregister of netdev that has not been
+ registered yet
+
+From: Kevin Hao
+
+commit 9d724b34fbe13b71865ad0906a4be97571f19cf5 upstream.
+
+If an error occurs during register_netdev() for the first MAC in
+cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,
+cpsw->slaves[1].ndev would remain unchanged. This could later cause
+cpsw_unregister_ports() to attempt unregistering the second MAC.
+To address this, add a check for ndev->reg_state before calling
+unregister_netdev(). With this change, setting cpsw->slaves[i].ndev
+to NULL becomes unnecessary and can be removed accordingly.
+
+Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
+Signed-off-by: Kevin Hao
+Cc: stable@vger.kernel.org
+Reviewed-by: Alexander Sverdlin
+Link: https://patch.msgid.link/20260205-cpsw-error-path-v1-2-6e58bae6b299@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Wenshan Lan
+Signed-off-by: Sasha Levin
+Signed-off-by: Elizaveta Tereshkina
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/ti/cpsw_new.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/cpsw_new.c b/drivers/net/ethernet/ti/cpsw_new.c
+index 66b1620b6f5b0e..cc276241f39161 100644
+--- a/drivers/net/ethernet/ti/cpsw_new.c
++++ b/drivers/net/ethernet/ti/cpsw_new.c
+@@ -1456,7 +1456,8 @@ static void cpsw_unregister_ports(struct cpsw_common *cpsw)
+ int i = 0;
+
+ for (i = 0; i < cpsw->data.slaves; i++) {
+- if (!cpsw->slaves[i].ndev)
++ if (!cpsw->slaves[i].ndev ||
++ cpsw->slaves[i].ndev->reg_state != NETREG_REGISTERED)
+ continue;
+
+ unregister_netdev(cpsw->slaves[i].ndev);
+@@ -1476,7 +1477,6 @@ static int cpsw_register_ports(struct cpsw_common *cpsw)
+ if (ret) {
+ dev_err(cpsw->dev,
+ "cpsw: err registering net
device%d\n", i);
+- cpsw->slaves[i].ndev = NULL;
+ break;
+ }
+ }
+--
+2.53.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 66b432cd84..3c2d421562 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -55,3 +55,6 @@ batman-adv-dat-prevent-false-sharing-between-vlans.patch
 batman-adv-tvlv-enforce-2-byte-alignment.patch
 batman-adv-tvlv-avoid-race-of-cifsnotfound-handler-s.patch
 ring-buffer-remove-ring_buffer_read_prepare_sync.patch
+ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
+crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
+net-cpsw_new-fix-potential-unregister-of-netdev-that.patch
diff --git a/queue-5.15/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch b/queue-5.15/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
new file mode 100644
index 0000000000..c2da998c6f
--- /dev/null
+++ b/queue-5.15/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
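Review bot: The widened condition in cpsw_unregister_ports() now skips any ndev whose `reg_state` is not `NETREG_REGISTERED`, but nothing next to the check says how an allocated ndev can reach this loop unregistered. A short comment above the `if`, such as `/* register_netdev() may have failed or never run for this slave; only unregister what was registered. */`, would keep the reason beside the test now that cpsw_register_ports() no longer clears the pointer on failure. Both functions start and end outside the hunks, so the allocation and free paths for ndev are not visible here.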
@@ -0,0 +1,42 @@
+From 9151d9c2fc5cb46a97c7be4c5354b17fa8662eeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2026 19:01:21 +0300
+Subject: crypto: af_alg - Set merge to zero early in af_alg_sendmsg
+
+From: Herbert Xu
+
+commit 9574b2330dbd2b5459b74d3b5e9619d39299fc6f upstream.
+
+If an error causes af_alg_sendmsg to abort, ctx->merge may contain
+a garbage value from the previous loop. This may then trigger a
+crash on the next entry into af_alg_sendmsg when it attempts to do
+a merge that can't be done.
+
+Fix this by setting ctx->merge to zero near the start of the loop.
+
+Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
+Reported-by: Muhammad Alifa Ramdhan
+Reported-by: Bing-Jhong Billy Jheng
+Signed-off-by: Herbert Xu
+Signed-off-by: Mikhail Dmitrichenko
+Signed-off-by: Sasha Levin
+---
+ crypto/af_alg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index b66a1681692d6e..bbd47d04f89dc2 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -892,6 +892,8 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ continue;
+ }
+
++ ctx->merge = 0;
++
+ if (!af_alg_writable(sk)) {
+ err = af_alg_wait_for_wmem(sk, msg->msg_flags);
+ if (err)
+--
+2.53.0
+
diff --git a/queue-5.15/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch b/queue-5.15/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
new file mode 100644
index 0000000000..5ead871219
--- /dev/null
+++ b/queue-5.15/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
@@ -0,0 +1,52 @@
+From 144591565784a44bd9fad2908537e2ca8593eff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jun 2026 17:39:24 +0100
+Subject: ext4: add bounds check for inline data length in
+ ext4_read_inline_page
+
+From: Yuto Ohnuki
+
+[ Upstream commit 356227096eb66e41b23caf7045e6304877322edf ]
+
+ext4_read_inline_page() does not validate that the inline data length
+fits within a page before copying data. If the inline size exceeds
+PAGE_SIZE due to filesystem corruption, this could lead to a kernel
+memory write beyond the page boundary.
+
+Add a bounds check after computing len, returning -EFSCORRUPTED if the
+value exceeds PAGE_SIZE.
+
+The upstream commit replaced a BUG_ON(len > PAGE_SIZE) in
+ext4_read_inline_folio(). In 6.1 and earlier, the function is still named
+ext4_read_inline_page() and the BUG_ON was never present, so this patch
+adds the bounds check directly.
+
+Fixes: 46c7f254543d ("ext4: add read support for inline data")
+Signed-off-by: Yuto Ohnuki
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/inline.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index c5b1f9af230952..5d5f99ed974687 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -517,6 +517,14 @@ static int ext4_read_inline_page(struct inode *inode, struct page *page)
+ goto out;
+
+ len = min_t(size_t, ext4_get_inline_size(inode), i_size_read(inode));
++ if (len > PAGE_SIZE) {
++ ext4_error_inode(inode, __func__, __LINE__, 0,
++ "inline size %zu exceeds PAGE_SIZE", len);
++ ret = -EFSCORRUPTED;
++ brelse(iloc.bh);
++ goto out;
++ }
++
+ kaddr = kmap_atomic(page);
+ ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
+ flush_dcache_page(page);
+--
+2.53.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 23e864aaf7..9ca13f6dd0 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -52,3 +52,5 @@ batman-adv-tvlv-enforce-2-byte-alignment.patch
 batman-adv-tvlv-avoid-race-of-cifsnotfound-handler-s.patch
 ring-buffer-remove-ring_buffer_read_prepare_sync.patch
 ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
+ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
+crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
diff --git a/queue-6.1/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch b/queue-6.1/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
new file mode 100644
index 0000000000..69b100926c
--- /dev/null
+++ b/queue-6.1/ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
@@ -0,0 +1,52 @@
+From 1e0a79ba3d5e19cc91880a98c7b4418d8cf4cb20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jun 2026 17:35:53 +0100
+Subject: ext4: add bounds check for inline data length in
+ ext4_read_inline_page
+
+From: Yuto Ohnuki
+
+[ Upstream commit 356227096eb66e41b23caf7045e6304877322edf ]
+
+ext4_read_inline_page() does not validate that the inline data length
+fits within a page before copying data. If the inline size exceeds
+PAGE_SIZE due to filesystem corruption, this could lead to a kernel
+memory write beyond the page boundary.
+
+Add a bounds check after computing len, returning -EFSCORRUPTED if the
+value exceeds PAGE_SIZE.
+
+The upstream commit replaced a BUG_ON(len > PAGE_SIZE) in
+ext4_read_inline_folio(). In 6.1 and earlier, the function is still named
+ext4_read_inline_page() and the BUG_ON was never present, so this patch
+adds the bounds check directly.
+
+Fixes: 46c7f254543d ("ext4: add read support for inline data")
+Signed-off-by: Yuto Ohnuki
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/inline.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index a1fb99d2b472bf..c0c1e865270785 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -518,6 +518,14 @@ static int ext4_read_inline_page(struct inode *inode, struct page *page)
+ goto out;
+
+ len = min_t(size_t, ext4_get_inline_size(inode), i_size_read(inode));
++ if (len > PAGE_SIZE) {
++ ext4_error_inode(inode, __func__, __LINE__, 0,
++ "inline size %zu exceeds PAGE_SIZE", len);
++ ret = -EFSCORRUPTED;
++ brelse(iloc.bh);
++ goto out;
++ }
++
+ kaddr = kmap_atomic(page);
+ ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
+ flush_dcache_page(page);
+--
+2.53.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 93c97e5702..9d5c83b88a 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -73,3 +73,4 @@ batman-adv-dat-prevent-false-sharing-between-vlans.patch
 batman-adv-tvlv-enforce-2-byte-alignment.patch
 batman-adv-tvlv-avoid-race-of-cifsnotfound-handler-s.patch
 ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
+ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
diff --git a/queue-6.12/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch b/queue-6.12/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
new file mode 100644
index 0000000000..04cf66790e
--- /dev/null
+++ b/queue-6.12/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
@@ -0,0 +1,64 @@
+From ccd4b07c2bccd40756e385a1065240d9d112ba25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2026 09:53:06 +0300
+Subject: af_unix: Set gc_in_progress to true in unix_gc().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit d82ba05263c69fa2437fe93e4e561cc40f4c03af ]
+
+Igor Ushakov reported that unix_gc() could run with gc_in_progress
+being false if the work is scheduled while running:
+
+ Thread 1 Thread 2 Thread 3
+ -------- -------- --------
+ unix_schedule_gc() unix_schedule_gc()
+ `- if (!gc_in_progress) `- if (!gc_in_progress)
+ |- gc_in_progress = true |
+ `- queue_work() |
+ unix_gc() <----------------/ |
+ | |- gc_in_progress = true
+ ... `- queue_work()
+ | |
+ `- gc_in_progress = false |
+ |
+ unix_gc() <---------------------------------------------'
+ |
+ ... /* gc_in_progress == false */
+ |
+ `- gc_in_progress = false
+
+unix_peek_fpl() relies on gc_in_progress not to confuse GC
+by MSG_PEEK.
+
+Let's set gc_in_progress to true in unix_gc().
+
+Fixes: 8b90a9f819dc ("af_unix: Run GC on only one CPU.")
+Reported-by: Igor Ushakov
+Signed-off-by: Kuniyuki Iwashima
+Link: https://patch.msgid.link/20260501073945.1884564-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski
+[ Add setting gc_in_progress in __unix_gc(). Keep the existing
+ set in unix_gc() for wait_for_unix_gc() over-limit throttling. ]
+Signed-off-by: Igor Ushakov
+Signed-off-by: Sasha Levin
+---
+ net/unix/garbage.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 1cdb54c61619f5..fa6983dc3181d9 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -583,6 +583,8 @@ static void __unix_gc(struct work_struct *work)
+ struct sk_buff_head hitlist;
+ struct sk_buff *skb;
+
++ WRITE_ONCE(gc_in_progress, true);
++
+ spin_lock(&unix_gc_lock);
+
+ if (!unix_graph_maybe_cyclic) {
+--
+2.53.0
+
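Review bot: The `WRITE_ONCE(gc_in_progress, true);` added at the top of __unix_gc() sits before `spin_lock(&unix_gc_lock)` with no comment, so next to the store that the backport note says is kept in unix_gc() it reads as redundant. I would add `/* The work can be requeued while a run is active and start after that run cleared the flag; set it again so unix_peek_fpl() sees GC as running. */` above it. The readers of the flag are outside the hunk, so whether this store needs ordering against them beyond WRITE_ONCE cannot be judged from here and is worth confirming. The same hunk appears in the queue-6.18 and queue-6.6 copies of this patch.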
diff --git a/queue-6.12/kvm-sev-move-sev_free_vcpu-down-below-sev_es_unmap_g.patch b/queue-6.12/kvm-sev-move-sev_free_vcpu-down-below-sev_es_unmap_g.patch
new file mode 100644
index 0000000000..3e530f66f1
--- /dev/null
+++ b/queue-6.12/kvm-sev-move-sev_free_vcpu-down-below-sev_es_unmap_g.patch
@@ -0,0 +1,116 @@
+From 0abe6117795497e1968dbe80cd245d4b19805b5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jun 2026 10:22:03 -0700
+Subject: KVM: SEV: Move sev_free_vcpu() down below sev_es_unmap_ghcb()
+
+From: Sean Christopherson
+
+[ Upstream commit 08385c5e1814edee829ffe475d559ed730354335 ]
+
+Relocate sev_free_vcpu() down in sev.c so that it's definition comes after
+sev_es_unmap_ghcb(). This will allow sharing unmap functionality between
+the two functions without needing a forward declaration (or weird placement
+of the common code).
+
+No functional change intended.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Tom Lendacky
+Reviewed-by: Michael Roth
+Signed-off-by: Sean Christopherson
+Message-ID: <20260501202250.2115252-16-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Message-ID: <20260529183549.1104619-16-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini
+[sean: Preserve use of sev_es_guest() as is_sev_es_guest() doesn't exist
+ in 6.12, resolve superficial conflict due to pre_sev_run()
+ prototype mismatch.]
+Signed-off-by: Sean Christopherson
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/svm/sev.c | 62 +++++++++++++++++++++---------------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
+index 73e49317735173..7ddce0685293de 100644
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -3168,37 +3168,6 @@ void sev_guest_memory_reclaimed(struct kvm *kvm)
+ wbinvd_on_all_cpus();
+ }
+
+-void sev_free_vcpu(struct kvm_vcpu *vcpu)
+-{
+- struct vcpu_svm *svm;
+-
+- if (!sev_es_guest(vcpu->kvm))
+- return;
+-
+- svm = to_svm(vcpu);
+-
+- /*
+- * If it's an SNP guest, then the VMSA was marked in the RMP table as
+- * a guest-owned page. Transition the page to hypervisor state before
+- * releasing it back to the system.
+- */
+- if (sev_snp_guest(vcpu->kvm)) {
+- u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT;
+-
+- if (kvm_rmp_make_shared(vcpu->kvm, pfn, PG_LEVEL_4K))
+- goto skip_vmsa_free;
+- }
+-
+- if (vcpu->arch.guest_state_protected)
+- sev_flush_encrypted_page(vcpu, svm->sev_es.vmsa);
+-
+- __free_page(virt_to_page(svm->sev_es.vmsa));
+-
+-skip_vmsa_free:
+- if (svm->sev_es.ghcb_sa_free)
+- kvfree(svm->sev_es.ghcb_sa);
+-}
+-
+ static void dump_ghcb(struct vcpu_svm *svm)
+ {
+ struct ghcb *ghcb = svm->sev_es.ghcb;
+@@ -3475,6 +3444,37 @@ void sev_es_unmap_ghcb(struct vcpu_svm *svm)
+ svm->sev_es.ghcb = NULL;
+ }
+
++void sev_free_vcpu(struct kvm_vcpu *vcpu)
++{
++ struct vcpu_svm *svm;
++
++ if (!sev_es_guest(vcpu->kvm))
++ return;
++
++ svm = to_svm(vcpu);
++
++ /*
++ * If it's an SNP guest, then the VMSA was marked in the RMP table as
++ * a guest-owned page. Transition the page to hypervisor state before
++ * releasing it back to the system.
++ */
++ if (sev_snp_guest(vcpu->kvm)) {
++ u64 pfn = __pa(svm->sev_es.vmsa) >> PAGE_SHIFT;
++
++ if (kvm_rmp_make_shared(vcpu->kvm, pfn, PG_LEVEL_4K))
++ goto skip_vmsa_free;
++ }
++
++ if (vcpu->arch.guest_state_protected)
++ sev_flush_encrypted_page(vcpu, svm->sev_es.vmsa);
++
++ __free_page(virt_to_page(svm->sev_es.vmsa));
++
++skip_vmsa_free:
++ if (svm->sev_es.ghcb_sa_free)
++ kvfree(svm->sev_es.ghcb_sa);
++}
++
+ void pre_sev_run(struct vcpu_svm *svm, int cpu)
+ {
+ struct svm_cpu_data *sd = per_cpu_ptr(&svm_data, cpu);
+--
+2.53.0
+
diff --git a/queue-6.12/kvm-sev-unmap-and-unpin-the-ghcb-as-needed-on-vcpu-f.patch b/queue-6.12/kvm-sev-unmap-and-unpin-the-ghcb-as-needed-on-vcpu-f.patch
new file mode 100644
index 0000000000..679e80333e
--- /dev/null
+++ b/queue-6.12/kvm-sev-unmap-and-unpin-the-ghcb-as-needed-on-vcpu-f.patch
@@ -0,0 +1,89 @@
+From 90d24236fa61a065317eb9d56da09264302e874c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Jun 2026 10:22:04 -0700
+Subject: KVM: SEV: Unmap and unpin the GHCB as needed on vCPU free
+
+From: Sean Christopherson
+
+[ Upstream commit db38bcb3311053954f62b865cd2d86e164b04351 ]
+
+Unmap and unpin the GHCB as needed when freeing a vCPU. If the VM is
+destroyed after mapping+pinning the GHCB on #VMGEXIT, without re-running
+the vCPU, KVM will effectively leak the GHCB and any mappings created for
+the GHCB.
+
+Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
+Cc: stable@vger.kernel.org
+Tested-by: Michael Roth
+Reviewed-by: Tom Lendacky
+Reviewed-by: Michael Roth
+Signed-off-by: Sean Christopherson
+Message-ID: <20260501202250.2115252-18-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Message-ID: <20260529183549.1104619-18-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini
+[sean: Preserve @dirty=true param to kvm_vcpu_unmap()]
+Signed-off-by: Sean Christopherson
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/svm/sev.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
+index 7ddce0685293de..6032d7e69a20e7 100644
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -3412,6 +3412,20 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *svm)
+ return 1;
+ }
+
++static void __sev_es_unmap_ghcb(struct vcpu_svm *svm)
++{
++ if (svm->sev_es.ghcb_sa_free) {
++ kvfree(svm->sev_es.ghcb_sa);
++ svm->sev_es.ghcb_sa = NULL;
++ svm->sev_es.ghcb_sa_free = false;
++ }
++
++ if (svm->sev_es.ghcb) {
++ kvm_vcpu_unmap(&svm->vcpu, &svm->sev_es.ghcb_map, true);
++ svm->sev_es.ghcb = NULL;
++ }
++}
++
+ void sev_es_unmap_ghcb(struct vcpu_svm *svm)
+ {
+ /* Clear any indication that the vCPU is in a type of AP Reset Hold */
+@@ -3430,18 +3444,11 @@ void sev_es_unmap_ghcb(struct vcpu_svm *svm)
+ svm->sev_es.ghcb_sa_sync =
false;
+ }
+
+- if (svm->sev_es.ghcb_sa_free) {
+- kvfree(svm->sev_es.ghcb_sa);
+- svm->sev_es.ghcb_sa = NULL;
+- svm->sev_es.ghcb_sa_free = false;
+- }
+-
+ trace_kvm_vmgexit_exit(svm->vcpu.vcpu_id, svm->sev_es.ghcb);
+
+ sev_es_sync_to_ghcb(svm);
+
+- kvm_vcpu_unmap(&svm->vcpu, &svm->sev_es.ghcb_map, true);
+- svm->sev_es.ghcb = NULL;
++ __sev_es_unmap_ghcb(svm);
+ }
+
+ void sev_free_vcpu(struct kvm_vcpu *vcpu)
+@@ -3471,8 +3478,7 @@ void sev_free_vcpu(struct kvm_vcpu *vcpu)
+ __free_page(virt_to_page(svm->sev_es.vmsa));
+
+ skip_vmsa_free:
+- if (svm->sev_es.ghcb_sa_free)
+- kvfree(svm->sev_es.ghcb_sa);
++ __sev_es_unmap_ghcb(svm);
+ }
+
+ void pre_sev_run(struct vcpu_svm *svm, int cpu)
+--
+2.53.0
+
diff --git a/queue-6.12/mtd-spi-nor-macronix-add-post_sfdp-fixups-for-quad-i.patch b/queue-6.12/mtd-spi-nor-macronix-add-post_sfdp-fixups-for-quad-i.patch
new file mode 100644
index 0000000000..a08b7819ba
--- /dev/null
+++ b/queue-6.12/mtd-spi-nor-macronix-add-post_sfdp-fixups-for-quad-i.patch
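Review bot: Moving the scratch-area free into __sev_es_unmap_ghcb() changes its position inside sev_es_unmap_ghcb(): `kvfree(svm->sev_es.ghcb_sa)` used to run before `trace_kvm_vmgexit_exit()` and `sev_es_sync_to_ghcb(svm)` and now runs after them. Neither callee is visible in the hunk, so presumably they do not touch ghcb_sa, but the commit message does not mention the reordering and it is worth confirming. The helper would also benefit from a comment such as `/* Free the scratch buffer and unmap the GHCB if present; both fields are cleared, so a second call is a no-op. */`, since sev_free_vcpu() now relies on that when it calls the helper at `skip_vmsa_free`. sev_es_unmap_ghcb() and sev_free_vcpu() both begin outside the hunks.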
@@ -0,0 +1,96 @@
+From 4fcbca2ea702c3828aa0b14a979847c536cfcb5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2026 10:42:03 +0800
+Subject: mtd: spi-nor: macronix: Add post_sfdp fixups for Quad Input Page
+ Program
+
+From: Cheng Ming Lin
+
+commit 798aafeffb369c5eb36e406b18970ef27baa820d upstream.
+
+Although certain Macronix NOR flash support the Quad Input Page Program
+feature, the corresponding information in the 4-byte Address Instruction
+Table of these flash is not properly filled. As a result, this feature
+cannot be enabled as expected.
+
+To address this issue, a post_sfdp fixups implementation is required to
+correct the missing information.
+
+Signed-off-by: Cheng Ming Lin
+Link: https://lore.kernel.org/r/20250211063028.382169-2-linchengming884@gmail.com
+Signed-off-by: Tudor Ambarus
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/spi-nor/macronix.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/drivers/mtd/spi-nor/macronix.c b/drivers/mtd/spi-nor/macronix.c
+index ea6be95e75a526..678ebaa220ca98 100644
+--- a/drivers/mtd/spi-nor/macronix.c
++++ b/drivers/mtd/spi-nor/macronix.c
+@@ -28,8 +28,26 @@ mx25l25635_post_bfpt_fixups(struct spi_nor *nor,
+ return 0;
+ }
+
++static int
++macronix_qpp4b_post_sfdp_fixups(struct spi_nor *nor)
++{
++ /* PP_1_1_4_4B is supported but missing in 4BAIT.
*/
++ struct spi_nor_flash_parameter *params = nor->params;
++
++ params->hwcaps.mask |= SNOR_HWCAPS_PP_1_1_4;
++ spi_nor_set_pp_settings(¶ms->page_programs[SNOR_CMD_PP_1_1_4],
++ SPINOR_OP_PP_1_1_4_4B, SNOR_PROTO_1_1_4);
++
++ return 0;
++}
++
+ static const struct spi_nor_fixups mx25l25635_fixups = {
+ .post_bfpt = mx25l25635_post_bfpt_fixups,
++ .post_sfdp = macronix_qpp4b_post_sfdp_fixups,
++};
++
++static const struct spi_nor_fixups macronix_qpp4b_fixups = {
++ .post_sfdp = macronix_qpp4b_post_sfdp_fixups,
+ };
+
+ static const struct flash_info macronix_nor_parts[] = {
+@@ -85,11 +103,13 @@ static const struct flash_info macronix_nor_parts[] = {
+ .size = SZ_64M,
+ .no_sfdp_flags = SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ,
+ .fixup_flags = SPI_NOR_4B_OPCODES,
++ .fixups = ¯onix_qpp4b_fixups,
+ }, {
+ .id = SNOR_ID(0xc2, 0x20, 0x1b),
+ .name = "mx66l1g45g",
+ .size = SZ_128M,
+ .no_sfdp_flags = SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ,
++ .fixups = ¯onix_qpp4b_fixups,
+ }, {
+ .id = SNOR_ID(0xc2, 0x23, 0x14),
+ .name = "mx25v8035f",
+@@ -137,18 +157,21 @@ static const struct flash_info macronix_nor_parts[] = {
+ .size = SZ_64M,
+ .no_sfdp_flags = SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ,
+ .fixup_flags = SPI_NOR_4B_OPCODES,
++ .fixups = ¯onix_qpp4b_fixups,
+ }, {
+ .id = SNOR_ID(0xc2, 0x25, 0x3a),
+ .name = "mx66u51235f",
+ .size = SZ_64M,
+ .no_sfdp_flags = SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ,
+ .fixup_flags = SPI_NOR_4B_OPCODES,
++ .fixups = ¯onix_qpp4b_fixups,
+ }, {
+ .id = SNOR_ID(0xc2, 0x25, 0x3c),
+ .name = "mx66u2g45g",
+ .size = SZ_256M,
+ .no_sfdp_flags = SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ,
+ .fixup_flags = SPI_NOR_4B_OPCODES,
++ .fixups = ¯onix_qpp4b_fixups,
+ }, {
+ .id = SNOR_ID(0xc2, 0x26, 0x18),
+ .name = "mx25l12855e",
+--
+2.53.0
+
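Review bot: macronix_qpp4b_post_sfdp_fixups() writes the 4-byte opcode `SPINOR_OP_PP_1_1_4_4B` into the `SNOR_CMD_PP_1_1_4` slot without looking at the address mode in use, so it is only correct while the flash is driven with 4-byte address opcodes. The "mx66l1g45g" entry gains the fixup but, unlike the other entries touched in these hunks, shows no `.fixup_flags = SPI_NOR_4B_OPCODES`; presumably the SFDP data selects 4-byte opcodes for that part, but that is not visible here. A comment on the function stating the assumption, for example `/* Only valid when 4-byte address opcodes are in use. */`, would make it explicit. The flash table continues outside every hunk shown.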
diff --git a/queue-6.12/mtd-spi-nor-macronix-add-support-for-mx66-l2-u1-g45g.patch b/queue-6.12/mtd-spi-nor-macronix-add-support-for-mx66-l2-u1-g45g.patch
new file mode 100644
index 0000000000..560fa1b519
--- /dev/null
+++ b/queue-6.12/mtd-spi-nor-macronix-add-support-for-mx66-l2-u1-g45g.patch
@@ -0,0 +1,49 @@
+From eb67862d54e19d81c8d60710db74b6824292fcad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2026 10:42:04 +0800
+Subject: mtd: spi-nor: macronix: add support for mx66{l2, u1}g45g
+
+From: Cheng Ming Lin
+
+commit 797bbaa7531f75985b199e484451fa3f954382b3 upstream.
+
+Due to incorrect values in the 4-BAIT table for these two flash IDs,
+it is necessary to add these two flash IDs with fixups.
+
+Signed-off-by: Cheng Ming Lin
+Link: https://lore.kernel.org/r/20250211063028.382169-3-linchengming884@gmail.com
+Signed-off-by: Tudor Ambarus
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/spi-nor/macronix.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/mtd/spi-nor/macronix.c b/drivers/mtd/spi-nor/macronix.c
+index 678ebaa220ca98..6127565372c529 100644
+--- a/drivers/mtd/spi-nor/macronix.c
++++ b/drivers/mtd/spi-nor/macronix.c
+@@ -110,6 +110,10 @@ static const struct flash_info macronix_nor_parts[] = {
+ .size = SZ_128M,
+ .no_sfdp_flags = SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ,
+ .fixups = ¯onix_qpp4b_fixups,
++ }, {
++ /* MX66L2G45G */
++ .id = SNOR_ID(0xc2, 0x20, 0x1c),
++ .fixups = ¯onix_qpp4b_fixups,
+ }, {
+ .id = SNOR_ID(0xc2, 0x23, 0x14),
+ .name = "mx25v8035f",
+@@ -165,6 +169,10 @@ static const struct flash_info macronix_nor_parts[] = {
+ .no_sfdp_flags = SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ,
+ .fixup_flags = SPI_NOR_4B_OPCODES,
+ .fixups = ¯onix_qpp4b_fixups,
++ }, {
++ /* MX66U1G45G */
++ .id = SNOR_ID(0xc2, 0x25, 0x3b),
++ .fixups = ¯onix_qpp4b_fixups,
+ }, {
+ .id = SNOR_ID(0xc2, 0x25, 0x3c),
+ .name = "mx66u2g45g",
+--
+2.53.0
+
diff --git a/queue-6.12/series b/queue-6.12/series
index 89b3f905f0..a3a53049f7 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -128,3 +128,8 @@ selinux-fix-overlayfs-mmap-and-mprotect-access-check.patch
 inet-add-indirect-call-wrapper-for-getfrag-calls.patch
 ipv4-account-for-fraggap-on-the-paged-allocation-pat.patch
 ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
+kvm-sev-move-sev_free_vcpu-down-below-sev_es_unmap_g.patch
+kvm-sev-unmap-and-unpin-the-ghcb-as-needed-on-vcpu-f.patch
+af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
+mtd-spi-nor-macronix-add-post_sfdp-fixups-for-quad-i.patch
+mtd-spi-nor-macronix-add-support-for-mx66-l2-u1-g45g.patch
diff --git a/queue-6.18/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch b/queue-6.18/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
new file mode 100644
index 0000000000..44410f95db
--- /dev/null
+++ b/queue-6.18/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
@@ -0,0 +1,64 @@
+From 1bd676fc9c833e27741c6af8a41996cdc7b749fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2026 09:53:06 +0300
+Subject: af_unix: Set gc_in_progress to true in unix_gc().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit d82ba05263c69fa2437fe93e4e561cc40f4c03af ]
+
+Igor Ushakov reported that unix_gc() could run with gc_in_progress
+being false if the work is scheduled while running:
+
+ Thread 1 Thread 2 Thread 3
+ -------- -------- --------
+ unix_schedule_gc() unix_schedule_gc()
+ `- if (!gc_in_progress) `- if (!gc_in_progress)
+ |- gc_in_progress = true |
+ `- queue_work() |
+ unix_gc() <----------------/ |
+ | |- gc_in_progress = true
+ ... `- queue_work()
+ | |
+ `- gc_in_progress = false |
+ |
+ unix_gc() <---------------------------------------------'
+ |
+ ... /* gc_in_progress == false */
+ |
+ `- gc_in_progress = false
+
+unix_peek_fpl() relies on gc_in_progress not to confuse GC
+by MSG_PEEK.
+
+Let's set gc_in_progress to true in unix_gc().
+
+Fixes: 8b90a9f819dc ("af_unix: Run GC on only one CPU.")
+Reported-by: Igor Ushakov
+Signed-off-by: Kuniyuki Iwashima
+Link: https://patch.msgid.link/20260501073945.1884564-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski
+[ Add setting gc_in_progress in __unix_gc(). Keep the existing
+ set in unix_gc() for wait_for_unix_gc() over-limit throttling. ]
+Signed-off-by: Igor Ushakov
+Signed-off-by: Sasha Levin
+---
+ net/unix/garbage.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 529b21d043d927..39867170902662 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -606,6 +606,8 @@ static void __unix_gc(struct work_struct *work)
+ struct sk_buff_head hitlist;
+ struct sk_buff *skb;
+
++ WRITE_ONCE(gc_in_progress, true);
++
+ spin_lock(&unix_gc_lock);
+
+ if (unix_graph_state == UNIX_GRAPH_NOT_CYCLIC) {
+--
+2.53.0
+
diff --git a/queue-6.18/series b/queue-6.18/series
index 9918b73b39..4e174a8525 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -33,3 +33,4 @@ ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
 ipv4-account-for-fraggap-on-the-paged-allocation-pat.patch
 ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
 wifi-mt76-add-wcid-publish-check-in-mt76_sta_add.patch
+af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
diff --git a/queue-6.6/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch b/queue-6.6/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
new file mode 100644
index 0000000000..9804f5daea
--- /dev/null
+++ b/queue-6.6/af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
@@ -0,0 +1,64 @@
+From 829c8383f635b956f50ac7f8270e50ebdac31595 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2026 09:53:06 +0300
+Subject: af_unix: Set gc_in_progress to true in unix_gc().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit d82ba05263c69fa2437fe93e4e561cc40f4c03af ]
+
+Igor Ushakov reported that unix_gc() could run with gc_in_progress
+being false if the work is scheduled while running:
+
+ Thread 1 Thread 2 Thread 3
+ -------- -------- --------
+ unix_schedule_gc() unix_schedule_gc()
+ `- if (!gc_in_progress) `- if (!gc_in_progress)
+ |- gc_in_progress = true |
+ `- queue_work() |
+ unix_gc() <----------------/ |
+ | |- gc_in_progress = true
+ ... `- queue_work()
+ | |
+ `- gc_in_progress = false |
+ |
+ unix_gc() <---------------------------------------------'
+ |
+ ... /* gc_in_progress == false */
+ |
+ `- gc_in_progress = false
+
+unix_peek_fpl() relies on gc_in_progress not to confuse GC
+by MSG_PEEK.
+
+Let's set gc_in_progress to true in unix_gc().
+
+Fixes: 8b90a9f819dc ("af_unix: Run GC on only one CPU.")
+Reported-by: Igor Ushakov
+Signed-off-by: Kuniyuki Iwashima
+Link: https://patch.msgid.link/20260501073945.1884564-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski
+[ Add setting gc_in_progress in __unix_gc(). Keep the existing
+ set in unix_gc() for wait_for_unix_gc() over-limit throttling. ]
+Signed-off-by: Igor Ushakov
+Signed-off-by: Sasha Levin
+---
+ net/unix/garbage.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 1cdb54c61619f5..fa6983dc3181d9 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -583,6 +583,8 @@ static void __unix_gc(struct work_struct *work)
+ struct sk_buff_head hitlist;
+ struct sk_buff *skb;
+
++ WRITE_ONCE(gc_in_progress, true);
++
+ spin_lock(&unix_gc_lock);
+
+ if (!unix_graph_maybe_cyclic) {
+--
+2.53.0
+
diff --git a/queue-6.6/nvmet-tcp-fix-race-between-icreq-handling-and-queue-.patch b/queue-6.6/nvmet-tcp-fix-race-between-icreq-handling-and-queue-.patch
new file mode 100644
index 0000000000..c286fa6d4c
--- /dev/null
+++ b/queue-6.6/nvmet-tcp-fix-race-between-icreq-handling-and-queue-.patch
@@ -0,0 +1,108 @@
+From db292b982d175ca4814783ce7d65fde66fdefbf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Jul 2026 21:49:33 +0800
+Subject: nvmet-tcp: fix race between ICReq handling and queue teardown
+
+From: Chaitanya Kulkarni
+
+commit 5293a8882c549fab4a878bc76b0b6c951f980a61 upstream.
+
+nvmet_tcp_handle_icreq() updates queue->state after sending an
+Initialization Connection Response (ICResp), but it does so without
+serializing against target-side queue teardown.
+
+If an NVMe/TCP host sends an Initialization Connection Request
+(ICReq) and immediately closes the connection, target-side teardown
+may start in softirq context before io_work drains the already
+buffered ICReq. In that case, nvmet_tcp_schedule_release_queue()
+sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue
+reference under state_lock.
+
+If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can
+still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the
+DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and
+allows a later socket state change to re-enter teardown and issue a
+second kref_put() on an already released queue.
+
+The ICResp send failure path has the same problem. If teardown has
+already moved the queue to DISCONNECTING, a send error can still
+overwrite the state with NVMET_TCP_Q_FAILED, again reopening the
+window for a second teardown path to drop the queue reference.
+
+Fix this by serializing both post-send state transitions with
+state_lock and bailing out if teardown has already started.
+
+Use -ESHUTDOWN as an internal sentinel for that bail-out path rather
+than propagating it as a transport error like -ECONNRESET. Keep
+nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before
+honoring that sentinel so receive-side parsing stays quiesced until the
+existing release path completes.
+
+Fixes: c46a6465bac2 ("nvmet-tcp: add NVMe over TCP target driver")
+Cc: stable@vger.kernel.org
+Reported-by: Shivam Kumar
+Tested-by: Shivam Kumar
+Signed-off-by: Chaitanya Kulkarni
+Signed-off-by: Keith Busch
+[ context diff adaptation: drop `queue->state = NVMET_TCP_Q_FAILED` since
+ the enum introduced in 6.7, 675b453e0241 ("nvmet-tcp: enable TLS handshake
+ upcall" ]
+Signed-off-by: Philo Lu
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/tcp.c | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 5f85c4a812abcd..4174fef03eac7f 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -380,6 +380,19 @@ static int nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
+
+ static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
+ {
++ /*
++ * Keep rcv_state at RECV_ERR even for the internal -ESHUTDOWN path.
++ * nvmet_tcp_handle_icreq() can return -ESHUTDOWN after the ICReq has
++ * already been consumed and queue teardown has started.
++ *
++ * If nvmet_tcp_data_ready() or nvmet_tcp_write_space() queues
++ * nvmet_tcp_io_work() again before nvmet_tcp_release_queue_work()
++ * cancels it, the queue must not keep that old receive state.
++ * Otherwise the next nvmet_tcp_io_work() run can reach
++ * nvmet_tcp_done_recv_pdu() and try to handle the same ICReq again.
++ *
++ * That is why queue->rcv_state needs to be updated before we return.
++ */
+ queue->rcv_state = NVMET_TCP_RECV_ERR;
+ if (queue->nvme_sq.ctrl)
+ nvmet_ctrl_fatal_error(queue->nvme_sq.ctrl);
+@@ -935,10 +948,24 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
+ iov.iov_base = icresp;
+ iov.iov_len = sizeof(*icresp);
+ ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
+- if (ret < 0)
++ if (ret < 0) {
++ spin_lock_bh(&queue->state_lock);
++ if (queue->state == NVMET_TCP_Q_DISCONNECTING) {
++ spin_unlock_bh(&queue->state_lock);
++ return -ESHUTDOWN;
++ }
++ spin_unlock_bh(&queue->state_lock);
+ return ret; /* queue removal will cleanup */
++ }
+
++ spin_lock_bh(&queue->state_lock);
++ if (queue->state == NVMET_TCP_Q_DISCONNECTING) {
++ spin_unlock_bh(&queue->state_lock);
++ /* Tell nvmet_tcp_socket_error() teardown is in progress. */
++ return -ESHUTDOWN;
++ }
+ queue->state = NVMET_TCP_Q_LIVE;
++ spin_unlock_bh(&queue->state_lock);
+ nvmet_prepare_receive_pdu(queue);
+ return 0;
+ }
+--
+2.53.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
index a36495ba41..1843ef230b 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -117,3 +117,5 @@ ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
 inet-add-indirect-call-wrapper-for-getfrag-calls.patch
 ipv4-account-for-fraggap-on-the-paged-allocation-pat.patch
 ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
+nvmet-tcp-fix-race-between-icreq-handling-and-queue-.patch
+af_unix-set-gc_in_progress-to-true-in-unix_gc.patch
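Review bot: The comment block added in the first inner hunk sits in `nvmet_tcp_fatal_error()`, yet it describes the -ESHUTDOWN path and ends with "before we return", while the commit message and the new comment in `nvmet_tcp_handle_icreq()` both place the handling of that sentinel in `nvmet_tcp_socket_error()`. The diffstat's 28 insertions are fully accounted for by the two visible hunks, so this backport adds no code that tests for -ESHUTDOWN; unless the 6.6 `nvmet_tcp_socket_error()` already does (not visible here), the sentinel would be handled like any other error and may re-enter the teardown handling the fix is meant to keep single. I would confirm against the 6.6 tree and, if the check is missing, carry it in the backport, for example `if (status == -ESHUTDOWN) return;` right after the `rcv_state` assignment in `nvmet_tcp_socket_error()`, with the comment moved next to it. Both patched functions extend beyond the hunks shown.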