From: Greg Kroah-Hartman Date: Sun, 2 Nov 2025 14:06:15 +0000 (+0900) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01966ecd06af31376b23a1070767e640bb0135b8;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: acpi-button-call-input_free_device-on-failing-input-device-registration.patch acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch bluetooth-rfcomm-fix-modem-control-handling.patch fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch mptcp-restore-window-probe.patch net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch nfsd-fix-crash-in-nfsd4_read_release.patch series smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch x86-fpu-ensure-xfd-state-on-signal-delivery.patch --- diff --git a/queue-6.6/acpi-button-call-input_free_device-on-failing-input-device-registration.patch b/queue-6.6/acpi-button-call-input_free_device-on-failing-input-device-registration.patch new file mode 100644 index 0000000000..5170939016 --- /dev/null +++ b/queue-6.6/acpi-button-call-input_free_device-on-failing-input-device-registration.patch 
@@ -0,0 +1,38 @@ +From 20594cd104abaaabb676c7a2915b150ae5ff093d Mon Sep 17 00:00:00 2001 +From: Kaushlendra Kumar +Date: Mon, 6 Oct 2025 14:17:06 +0530 +Subject: ACPI: button: Call input_free_device() on failing input device registration + +From: Kaushlendra Kumar + +commit 20594cd104abaaabb676c7a2915b150ae5ff093d upstream. + +Make acpi_button_add() call input_free_device() when +input_register_device() fails as required according to the +documentation of the latter. + +Fixes: 0d51157dfaac ("ACPI: button: Eliminate the driver notify callback") +Signed-off-by: Kaushlendra Kumar +Cc: 6.5+ # 6.5+ +[ rjw: Subject and changelog rewrite, Fixes: tag ] +Link: https://patch.msgid.link/20251006084706.971855-1-kaushlendra.kumar@intel.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/button.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/button.c ++++ b/drivers/acpi/button.c +@@ -603,8 +603,10 @@ static int acpi_button_add(struct acpi_d + + input_set_drvdata(input, device); + error = input_register_device(input); +- if (error) ++ if (error) { ++ input_free_device(input); + goto err_remove_fs; ++ } + + switch (device->device_type) { + case ACPI_BUS_TYPE_POWER_BUTTON: diff --git a/queue-6.6/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch b/queue-6.6/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch new file mode 100644 index 0000000000..be48c994d6 --- /dev/null +++ b/queue-6.6/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch 
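Review bot: on the acpi_button_add hunk in the acpi-button patch above, the new input_free_device(input) before `goto err_remove_fs` is only correct if the err_remove_fs label (not shown in the hunk) does not itself free or unregister `input`; otherwise this is a double free. Please confirm the label only undoes the fs/sysfs setup, or set `input = NULL` after the free so a shared cleanup path cannot touch it. The placement is otherwise right: input_register_device() does not take ownership on failure, so the caller must free, while after a successful registration input_unregister_device() is the only correct release.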
@@ -0,0 +1,49 @@ +From 8f067aa59430266386b83c18b983ca583faa6a11 Mon Sep 17 00:00:00 2001 +From: Yuhao Jiang +Date: Wed, 22 Oct 2025 15:07:04 -0500 +Subject: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() + +From: Yuhao Jiang + +commit 8f067aa59430266386b83c18b983ca583faa6a11 upstream. + +The switch_brightness_work delayed work accesses device->brightness +and device->backlight, freed by acpi_video_dev_unregister_backlight() +during device removal. + +If the work executes after acpi_video_bus_unregister_backlight() +frees these resources, it causes a use-after-free when +acpi_video_switch_brightness() dereferences device->brightness or +device->backlight. + +Fix this by calling cancel_delayed_work_sync() for each device's +switch_brightness_work in acpi_video_bus_remove_notify_handler() +after removing the notify handler that queues the work. This ensures +the work completes before the memory is freed. + +Fixes: 8ab58e8e7e097 ("ACPI / video: Fix backlight taking 2 steps on a brightness up/down keypress") +Cc: All applicable +Signed-off-by: Yuhao Jiang +Reviewed-by: Hans de Goede +[ rjw: Changelog edit ] +Link: https://patch.msgid.link/20251022200704.2655507-1-danisjiang@gmail.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_video.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -1952,8 +1952,10 @@ static void acpi_video_bus_remove_notify + struct acpi_video_device *dev; + + mutex_lock(&video->device_list_lock); +- list_for_each_entry(dev, &video->video_device_list, entry) ++ list_for_each_entry(dev, &video->video_device_list, entry) { + acpi_video_dev_remove_notify_handler(dev); ++ cancel_delayed_work_sync(&dev->switch_brightness_work); ++ } + mutex_unlock(&video->device_list_lock); + + acpi_video_bus_stop_devices(video); 
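Review bot: in the acpi_video_bus_remove_notify_handler hunk, cancel_delayed_work_sync() now runs with video->device_list_lock held. That is safe only if the work function (acpi_video_switch_brightness) never takes device_list_lock; if it does, this thread waits forever on a work item that is blocked on the lock it holds. Please confirm, and add a one-line comment stating the ordering guarantee that makes the fix complete: the notify handler is removed first, so nothing can re-queue the work after the synchronous cancel, which is why cancel_delayed_work_sync() must follow acpi_video_dev_remove_notify_handler() and not precede it.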
diff --git a/queue-6.6/asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch b/queue-6.6/asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch new file mode 100644 index 0000000000..dc5bfb0449 --- /dev/null +++ b/queue-6.6/asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch @@ -0,0 +1,37 @@ +From fdbb53d318aa94a094434e5f226617f0eb1e8f22 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 17 Oct 2025 09:52:56 +0100 +Subject: ASoC: qdsp6: q6asm: do not sleep while atomic + +From: Srinivas Kandagatla + +commit fdbb53d318aa94a094434e5f226617f0eb1e8f22 upstream. + +For some reason we ended up kfree between spinlock lock and unlock, +which can sleep. + +move the kfree out of spinlock section. + +Fixes: a2a5d30218fd ("ASoC: qdsp6: q6asm: Add support to memory map and unmap") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20251017085307.4325-2-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6asm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/qcom/qdsp6/q6asm.c ++++ b/sound/soc/qcom/qdsp6/q6asm.c +@@ -376,9 +376,9 @@ static void q6asm_audio_client_free_buf( + + spin_lock_irqsave(&ac->lock, flags); + port->num_periods = 0; ++ spin_unlock_irqrestore(&ac->lock, flags); + kfree(port->buf); + port->buf = NULL; +- spin_unlock_irqrestore(&ac->lock, flags); + } + + /** diff --git a/queue-6.6/bluetooth-rfcomm-fix-modem-control-handling.patch b/queue-6.6/bluetooth-rfcomm-fix-modem-control-handling.patch new file mode 100644 index 0000000000..80ee5d8a3b --- /dev/null +++ b/queue-6.6/bluetooth-rfcomm-fix-modem-control-handling.patch 
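Review bot: in the q6asm_audio_client_free_buf hunk of the q6asm patch above, moving spin_unlock_irqrestore() above kfree() leaves `kfree(port->buf); port->buf = NULL;` outside ac->lock, so a concurrent path that reads port->buf under the lock can observe the pointer after it has been freed and before it is cleared. The usual pattern is to detach under the lock and free afterwards:
	buf = port->buf;
	port->buf = NULL;
	spin_unlock_irqrestore(&ac->lock, flags);
	kfree(buf);
That keeps allocator calls out of the locked section while still making the buffer unreachable before it is released.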
@@ -0,0 +1,89 @@ +From 91d35ec9b3956d6b3cf789c1593467e58855b03a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 23 Oct 2025 14:05:30 +0200 +Subject: Bluetooth: rfcomm: fix modem control handling + +From: Johan Hovold + +commit 91d35ec9b3956d6b3cf789c1593467e58855b03a upstream. + +The RFCOMM driver confuses the local and remote modem control signals, +which specifically means that the reported DTR and RTS state will +instead reflect the remote end (i.e. DSR and CTS). + +This issue dates back to the original driver (and a follow-on update) +merged in 2002, which resulted in a non-standard implementation of +TIOCMSET that allowed controlling also the TS07.10 IC and DV signals by +mapping them to the RI and DCD input flags, while TIOCMGET failed to +return the actual state of DTR and RTS. + +Note that the bogus control of input signals in tiocmset() is just +dead code as those flags will have been masked out by the tty layer +since 2003. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/tty.c | 26 +++++++++++--------------- + 1 file changed, 11 insertions(+), 15 deletions(-) + +--- a/net/bluetooth/rfcomm/tty.c ++++ b/net/bluetooth/rfcomm/tty.c +@@ -651,8 +651,8 @@ static void rfcomm_dev_modem_status(stru + tty_port_tty_hangup(&dev->port, true); + + dev->modem_status = +- ((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) | +- ((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) | ++ ((v24_sig & RFCOMM_V24_RTC) ? TIOCM_DSR : 0) | ++ ((v24_sig & RFCOMM_V24_RTR) ? TIOCM_CTS : 0) | + ((v24_sig & RFCOMM_V24_IC) ? TIOCM_RI : 0) | + ((v24_sig & RFCOMM_V24_DV) ? 
TIOCM_CD : 0); + } +@@ -1063,10 +1063,14 @@ static void rfcomm_tty_hangup(struct tty + static int rfcomm_tty_tiocmget(struct tty_struct *tty) + { + struct rfcomm_dev *dev = tty->driver_data; ++ struct rfcomm_dlc *dlc = dev->dlc; ++ u8 v24_sig; + + BT_DBG("tty %p dev %p", tty, dev); + +- return dev->modem_status; ++ rfcomm_dlc_get_modem_status(dlc, &v24_sig); ++ ++ return (v24_sig & (TIOCM_DTR | TIOCM_RTS)) | dev->modem_status; + } + + static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear) +@@ -1079,23 +1083,15 @@ static int rfcomm_tty_tiocmset(struct tt + + rfcomm_dlc_get_modem_status(dlc, &v24_sig); + +- if (set & TIOCM_DSR || set & TIOCM_DTR) ++ if (set & TIOCM_DTR) + v24_sig |= RFCOMM_V24_RTC; +- if (set & TIOCM_RTS || set & TIOCM_CTS) ++ if (set & TIOCM_RTS) + v24_sig |= RFCOMM_V24_RTR; +- if (set & TIOCM_RI) +- v24_sig |= RFCOMM_V24_IC; +- if (set & TIOCM_CD) +- v24_sig |= RFCOMM_V24_DV; + +- if (clear & TIOCM_DSR || clear & TIOCM_DTR) ++ if (clear & TIOCM_DTR) + v24_sig &= ~RFCOMM_V24_RTC; +- if (clear & TIOCM_RTS || clear & TIOCM_CTS) ++ if (clear & TIOCM_RTS) + v24_sig &= ~RFCOMM_V24_RTR; +- if (clear & TIOCM_RI) +- v24_sig &= ~RFCOMM_V24_IC; +- if (clear & TIOCM_CD) +- v24_sig &= ~RFCOMM_V24_DV; + + rfcomm_dlc_set_modem_status(dlc, v24_sig); + diff --git a/queue-6.6/fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch b/queue-6.6/fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch new file mode 100644 index 0000000000..113363a5d1 --- /dev/null +++ b/queue-6.6/fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch 
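Review bot: in the rfcomm_tty_tiocmget hunk, `v24_sig & (TIOCM_DTR | TIOCM_RTS)` masks an RFCOMM_V24_* bitmask with TIOCM_* constants, which are different encodings. The tiocmset hunk in the same patch maps TIOCM_DTR to RFCOMM_V24_RTC and TIOCM_RTS to RFCOMM_V24_RTR, so tiocmget should translate back the same way instead of relying on the bit values coinciding:
	return ((v24_sig & RFCOMM_V24_RTC) ? TIOCM_DTR : 0) |
	       ((v24_sig & RFCOMM_V24_RTR) ? TIOCM_RTS : 0) |
	       dev->modem_status;
As written, TIOCMGET can report the wrong DTR/RTS state, which is the very thing the changelog says the patch sets out to fix. The rfcomm_dev_modem_status hunk, which stops folding DTR/RTS into the remote-signal mask, is consistent with the corrected version above.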
@@ -0,0 +1,113 @@ +From a1f3058930745d2b938b6b4f5bd9630dc74b26b7 Mon Sep 17 00:00:00 2001 +From: Quanmin Yan +Date: Fri, 10 Oct 2025 16:16:59 +0800 +Subject: fbcon: Set fb_display[i]->mode to NULL when the mode is released + +From: Quanmin Yan + +commit a1f3058930745d2b938b6b4f5bd9630dc74b26b7 upstream. + +Recently, we discovered the following issue through syzkaller: + +BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 +Read of size 4 at addr ff11000001b3c69c by task syz.xxx +... +Call Trace: + + dump_stack_lvl+0xab/0xe0 + print_address_description.constprop.0+0x2c/0x390 + print_report+0xb9/0x280 + kasan_report+0xb8/0xf0 + fb_mode_is_equal+0x285/0x2f0 + fbcon_mode_deleted+0x129/0x180 + fb_set_var+0xe7f/0x11d0 + do_fb_ioctl+0x6a0/0x750 + fb_ioctl+0xe0/0x140 + __x64_sys_ioctl+0x193/0x210 + do_syscall_64+0x5f/0x9c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Based on experimentation and analysis, during framebuffer unregistration, +only the memory of fb_info->modelist is freed, without setting the +corresponding fb_display[i]->mode to NULL for the freed modes. This leads +to UAF issues during subsequent accesses. Here's an example of reproduction +steps: +1. With /dev/fb0 already registered in the system, load a kernel module + to register a new device /dev/fb1; +2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); +3. Switch console from fb to VGA (to allow normal rmmod of the ko); +4. Unload the kernel module, at this point fb1's modelist is freed, leaving + a wild pointer in fb_display[]; +5. Trigger the bug via system calls through fb0 attempting to delete a mode + from fb0. + +Add a check in do_unregister_framebuffer(): if the mode to be freed exists +in fb_display[], set the corresponding mode pointer to NULL. 
+ +Signed-off-by: Quanmin Yan +Reviewed-by: Thomas Zimmermann +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 19 +++++++++++++++++++ + drivers/video/fbdev/core/fbmem.c | 1 + + include/linux/fbcon.h | 2 ++ + 3 files changed, 22 insertions(+) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2824,6 +2824,25 @@ int fbcon_mode_deleted(struct fb_info *i + return found; + } + ++static void fbcon_delete_mode(struct fb_videomode *m) ++{ ++ struct fbcon_display *p; ++ ++ for (int i = first_fb_vc; i <= last_fb_vc; i++) { ++ p = &fb_display[i]; ++ if (p->mode == m) ++ p->mode = NULL; ++ } ++} ++ ++void fbcon_delete_modelist(struct list_head *head) ++{ ++ struct fb_modelist *modelist; ++ ++ list_for_each_entry(modelist, head, list) ++ fbcon_delete_mode(&modelist->mode); ++} ++ + #ifdef CONFIG_VT_HW_CONSOLE_BINDING + static void fbcon_unbind(void) + { +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1030,6 +1030,7 @@ static void do_unregister_framebuffer(st + fb_info->pixmap.addr = NULL; + } + ++ fbcon_delete_modelist(&fb_info->modelist); + fb_destroy_modelist(&fb_info->modelist); + registered_fb[fb_info->node] = NULL; + num_registered_fb--; +--- a/include/linux/fbcon.h ++++ b/include/linux/fbcon.h +@@ -11,6 +11,7 @@ void fbcon_suspended(struct fb_info *inf + void fbcon_resumed(struct fb_info *info); + int fbcon_mode_deleted(struct fb_info *info, + struct fb_videomode *mode); ++void fbcon_delete_modelist(struct list_head *head); + void fbcon_new_modelist(struct fb_info *info); + void fbcon_get_requirement(struct fb_info *info, + struct fb_blit_caps *caps); +@@ -31,6 +32,7 @@ static inline void fbcon_suspended(struc + static inline void fbcon_resumed(struct fb_info *info) {} + static inline int fbcon_mode_deleted(struct fb_info *info, + struct fb_videomode *mode) { return 0; } ++static inline void 
fbcon_delete_modelist(struct list_head *head) {} + static inline void fbcon_new_modelist(struct fb_info *info) {} + static inline void fbcon_get_requirement(struct fb_info *info, + struct fb_blit_caps *caps) {} diff --git a/queue-6.6/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch b/queue-6.6/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch new file mode 100644 index 0000000000..b385adb3fa --- /dev/null +++ b/queue-6.6/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch 
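Review bot: in the fbcon.c hunk, fbcon_delete_modelist() walks fb_display[first_fb_vc..last_fb_vc] and clears p->mode without taking any lock, and there is no comment saying what the caller must hold. fb_display[] is otherwise manipulated by fbcon under console_lock as far as I can see, so please either document that do_unregister_framebuffer() must call this with console_lock held (a WARN_CONSOLE_UNLOCKED() at the top would make the requirement checkable) or take the lock inside; otherwise a concurrent fbcon path that assigns p->mode can re-populate it with a pointer into the list that fb_destroy_modelist() frees on the very next line of the fbmem.c hunk. That ordering (clear fb_display[] entries first, then free the list) is the whole fix, so a one-line comment at the call site and a kerneldoc block on the new exported function would help whoever touches this next.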
@@ -0,0 +1,49 @@ +From 7073c7fc8d8ba47194e5fc58fcafc0efe7586e9b Mon Sep 17 00:00:00 2001 +From: Daniel Palmer +Date: Fri, 24 Oct 2025 18:37:15 +0900 +Subject: fbdev: atyfb: Check if pll_ops->init_pll failed + +From: Daniel Palmer + +commit 7073c7fc8d8ba47194e5fc58fcafc0efe7586e9b upstream. + +Actually check the return value from pll_ops->init_pll() +as it can return an error. + +If the card's BIOS didn't run because it's not the primary VGA card +the fact that the xclk source is unsupported is printed as shown +below but the driver continues on regardless and on my machine causes +a hard lock up. + +[ 61.470088] atyfb 0000:03:05.0: enabling device (0080 -> 0083) +[ 61.476191] atyfb: using auxiliary register aperture +[ 61.481239] atyfb: 3D RAGE XL (Mach64 GR, PCI-33) [0x4752 rev 0x27] +[ 61.487569] atyfb: 512K SGRAM (1:1), 14.31818 MHz XTAL, 230 MHz PLL, 83 Mhz MCLK, 63 MHz XCLK +[ 61.496112] atyfb: Unsupported xclk source: 5. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Daniel Palmer +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/aty/atyfb_base.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/aty/atyfb_base.c ++++ b/drivers/video/fbdev/aty/atyfb_base.c +@@ -2611,8 +2611,12 @@ static int aty_init(struct fb_info *info + pr_cont("\n"); + } + #endif +- if (par->pll_ops->init_pll) +- par->pll_ops->init_pll(info, &par->pll); ++ if (par->pll_ops->init_pll) { ++ ret = par->pll_ops->init_pll(info, &par->pll); ++ if (ret) ++ return ret; ++ } ++ + if (par->pll_ops->resume_pll) + par->pll_ops->resume_pll(info, &par->pll); + diff --git a/queue-6.6/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch b/queue-6.6/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch new file mode 100644 index 0000000000..0c4e5a2819 --- /dev/null +++ b/queue-6.6/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch 
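Review bot: in the aty_init hunk, `return ret` on init_pll() failure exits the function directly; make sure everything set up earlier in aty_init (register and aperture mappings, the state printed just above with pr_cont) is released by the caller on a non-zero return, or jump to the function's existing error label instead of a bare return, so this path is cleaned up the same way as the other failures in aty_init. The extra blank line added before `if (par->pll_ops->resume_pll)` is unrelated whitespace churn and could be dropped.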
@@ -0,0 +1,70 @@ +From 18c4ef4e765a798b47980555ed665d78b71aeadf Mon Sep 17 00:00:00 2001 +From: Junjie Cao +Date: Mon, 20 Oct 2025 21:47:01 +0800 +Subject: fbdev: bitblit: bound-check glyph index in bit_putcs* + +From: Junjie Cao + +commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream. + +bit_putcs_aligned()/unaligned() derived the glyph pointer from the +character value masked by 0xff/0x1ff, which may exceed the actual font's +glyph count and read past the end of the built-in font array. +Clamp the index to the actual glyph count before computing the address. + +This fixes a global out-of-bounds read reported by syzbot. + +Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2 +Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com +Signed-off-by: Junjie Cao +Reviewed-by: Thomas Zimmermann +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/video/fbdev/core/bitblit.c ++++ b/drivers/video/fbdev/core/bitblit.c +@@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(str + struct fb_image *image, u8 *buf, u8 *dst) + { + u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff; ++ unsigned int charcnt = vc->vc_font.charcount; + u32 idx = vc->vc_font.width >> 3; + u8 *src; + + while (cnt--) { +- src = vc->vc_font.data + (scr_readw(s++)& +- charmask)*cellsize; ++ u16 ch = scr_readw(s++) & charmask; ++ ++ if (ch >= charcnt) ++ ch = 0; ++ src = vc->vc_font.data + (unsigned int)ch * cellsize; + + if (attr) { + update_attr(buf, src, attr, vc); +@@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(s + u8 *dst) + { + u16 charmask = vc->vc_hi_font_mask ? 
0x1ff : 0xff; ++ unsigned int charcnt = vc->vc_font.charcount; + u32 shift_low = 0, mod = vc->vc_font.width % 8; + u32 shift_high = 8; + u32 idx = vc->vc_font.width >> 3; + u8 *src; + + while (cnt--) { +- src = vc->vc_font.data + (scr_readw(s++)& +- charmask)*cellsize; ++ u16 ch = scr_readw(s++) & charmask; ++ ++ if (ch >= charcnt) ++ ch = 0; ++ src = vc->vc_font.data + (unsigned int)ch * cellsize; + + if (attr) { + update_attr(buf, src, attr, vc); diff --git a/queue-6.6/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch b/queue-6.6/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch new file mode 100644 index 0000000000..e05e769a4f --- /dev/null +++ b/queue-6.6/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch @@ -0,0 +1,34 @@ +From 5f566c0ac51cd2474e47da68dbe719d3acf7d999 Mon Sep 17 00:00:00 2001 +From: Florian Fuchs +Date: Sun, 26 Oct 2025 00:38:50 +0200 +Subject: fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS + +From: Florian Fuchs + +commit 5f566c0ac51cd2474e47da68dbe719d3acf7d999 upstream. + +Commit e24cca19babe ("sh: Kill off MAX_DMA_ADDRESS leftovers.") removed +the define ONCHIP_NR_DMA_CHANNELS. So that the leftover reference needs +to be replaced by CONFIG_NR_ONCHIP_DMA_CHANNELS to compile successfully +with CONFIG_PVR2_DMA enabled. + +Signed-off-by: Florian Fuchs +Reviewed-by: John Paul Adrian Glaubitz +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/pvr2fb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/pvr2fb.c ++++ b/drivers/video/fbdev/pvr2fb.c +@@ -192,7 +192,7 @@ static unsigned long pvr2fb_map; + + #ifdef CONFIG_PVR2_DMA + static unsigned int shdma = PVR2_CASCADE_CHAN; +-static unsigned int pvr2dma = ONCHIP_NR_DMA_CHANNELS; ++static unsigned int pvr2dma = CONFIG_NR_ONCHIP_DMA_CHANNELS; + #endif + + static struct fb_videomode pvr2_modedb[] = { 
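Review bot: in the bit_putcs_aligned and bit_putcs_unaligned hunks of the bitblit patch above, the clamp `if (ch >= charcnt) ch = 0;` is duplicated verbatim in both functions; a small static inline helper taking (vc, scr_readw value, charmask) and returning the clamped index would keep the two from drifting. One edge case deserves a comment: when vc->vc_font.charcount is 0 the clamp still yields glyph 0 and the read from vc->vc_font.data proceeds, so the fix assumes every installed font has at least one glyph. Falling back to glyph 0 rather than a blank or replacement glyph is a reasonable choice, but since the rendered output for out-of-range codes silently changes, say so in a one-line comment.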
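Review bot: the pvr2fb commit message names commit e24cca19babe as the change that removed ONCHIP_NR_DMA_CHANNELS but carries no Fixes: tag; since it is Cc: stable, add `Fixes: e24cca19babe ("sh: Kill off MAX_DMA_ADDRESS leftovers.")` so the stable tooling can select the right trees. The one-line rename in the hunk itself is fine as a build fix.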
diff --git a/queue-6.6/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch b/queue-6.6/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch new file mode 100644 index 0000000000..020e791471 --- /dev/null +++ b/queue-6.6/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch @@ -0,0 +1,40 @@ +From eb53368f8d6e2dfba84c8a94d245719bcf9ae270 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 16:43:37 +0800 +Subject: fbdev: valkyriefb: Fix reference count leak in valkyriefb_init + +From: Miaoqian Lin + +commit eb53368f8d6e2dfba84c8a94d245719bcf9ae270 upstream. + +The of_find_node_by_name() function returns a device tree node with its +reference count incremented. The caller is responsible for calling +of_node_put() to release this reference when done. + +Found via static analysis. + +Fixes: cc5d0189b9ba ("[PATCH] powerpc: Remove device_node addrs/n_addr") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/valkyriefb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/video/fbdev/valkyriefb.c ++++ b/drivers/video/fbdev/valkyriefb.c +@@ -329,11 +329,13 @@ static int __init valkyriefb_init(void) + + if (of_address_to_resource(dp, 0, &r)) { + printk(KERN_ERR "can't find address for valkyrie\n"); ++ of_node_put(dp); + return 0; + } + + frame_buffer_phys = r.start; + cmap_regs_phys = r.start + 0x304000; ++ of_node_put(dp); + } + #endif /* ppc (!CONFIG_MAC) */ + diff --git a/queue-6.6/mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch b/queue-6.6/mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch new file mode 100644 index 0000000000..f9a192995e --- /dev/null +++ b/queue-6.6/mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch 
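Review bot: in the valkyriefb_init hunk of the valkyriefb patch above, the two of_node_put(dp) calls can be collapsed into one by reading the resource, dropping the node reference, and then checking the result:
	err = of_address_to_resource(dp, 0, &r);
	of_node_put(dp);
	if (err) { printk(...); return 0; }
That also makes it harder to miss the put on any early exit added later. Please also confirm that no other exit between of_find_node_by_name() and this block (not visible in the hunk) still leaks the reference. Separately, the error path returns 0 after "can't find address for valkyrie", so a failed probe is reported as success; that is pre-existing and outside this fix, but worth a follow-up.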
@@ -0,0 +1,95 @@ +From 27b0e701d3872ba59c5b579a9e8a02ea49ad3d3b Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 28 Oct 2025 09:16:52 +0100 +Subject: mptcp: drop bogus optimization in __mptcp_check_push() + +From: Paolo Abeni + +commit 27b0e701d3872ba59c5b579a9e8a02ea49ad3d3b upstream. + +Accessing the transmit queue without owning the msk socket lock is +inherently racy, hence __mptcp_check_push() could actually quit early +even when there is pending data. + +That in turn could cause unexpected tx lock and timeout. + +Dropping the early check avoids the race, implicitly relaying on later +tests under the relevant lock. With such change, all the other +mptcp_send_head() call sites are now under the msk socket lock and we +can additionally drop the now unneeded annotation on the transmit head +pointer accesses. + +Fixes: 6e628cd3a8f7 ("mptcp: use mptcp release_cb for delayed tasks") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Geliang Tang +Tested-by: Geliang Tang +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-1-38ffff5a9ec8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 11 ++++------- + net/mptcp/protocol.h | 2 +- + 2 files changed, 5 insertions(+), 8 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1044,7 +1044,7 @@ static void __mptcp_clean_una(struct soc + if (WARN_ON_ONCE(!msk->recovery)) + break; + +- WRITE_ONCE(msk->first_pending, mptcp_send_next(sk)); ++ msk->first_pending = mptcp_send_next(sk); + } + + dfrag_clear(sk, dfrag); +@@ -1588,7 +1588,7 @@ static int __subflow_push_pending(struct + + mptcp_update_post_push(msk, dfrag, ret); + } +- WRITE_ONCE(msk->first_pending, mptcp_send_next(sk)); ++ msk->first_pending = mptcp_send_next(sk); + + if (msk->snd_burst <= 0 || + !sk_stream_memory_free(ssk) || +@@ -1900,7 +1900,7 @@ static int mptcp_sendmsg(struct 
sock *sk + get_page(dfrag->page); + list_add_tail(&dfrag->list, &msk->rtx_queue); + if (!msk->first_pending) +- WRITE_ONCE(msk->first_pending, dfrag); ++ msk->first_pending = dfrag; + } + pr_debug("msk=%p dfrag at seq=%llu len=%u sent=%u new=%d\n", msk, + dfrag->data_seq, dfrag->data_len, dfrag->already_sent, +@@ -2899,7 +2899,7 @@ static void __mptcp_clear_xmit(struct so + struct mptcp_sock *msk = mptcp_sk(sk); + struct mptcp_data_frag *dtmp, *dfrag; + +- WRITE_ONCE(msk->first_pending, NULL); ++ msk->first_pending = NULL; + list_for_each_entry_safe(dfrag, dtmp, &msk->rtx_queue, list) + dfrag_clear(sk, dfrag); + } +@@ -3456,9 +3456,6 @@ void __mptcp_data_acked(struct sock *sk) + + void __mptcp_check_push(struct sock *sk, struct sock *ssk) + { +- if (!mptcp_send_head(sk)) +- return; +- + if (!sock_owned_by_user(sk)) + __mptcp_subflow_push_pending(sk, ssk, false); + else +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -379,7 +379,7 @@ static inline struct mptcp_data_frag *mp + { + const struct mptcp_sock *msk = mptcp_sk(sk); + +- return READ_ONCE(msk->first_pending); ++ return msk->first_pending; + } + + static inline struct mptcp_data_frag *mptcp_send_next(struct sock *sk) diff --git a/queue-6.6/mptcp-restore-window-probe.patch b/queue-6.6/mptcp-restore-window-probe.patch new file mode 100644 index 0000000000..bf08b313cd --- /dev/null +++ b/queue-6.6/mptcp-restore-window-probe.patch 
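Review bot: in the protocol.h hunk, dropping READ_ONCE() from mptcp_send_head() turns any remaining lockless caller into a plain data race, and the changelog says the reason this is safe is that every caller is now under the msk socket lock. Please state that requirement in a comment on mptcp_send_head() (or add a lockdep_sock_is_held() check), otherwise the next caller added outside the lock reintroduces exactly the race the __mptcp_check_push hunk removes. In the __mptcp_check_push hunk itself, the function now always falls through to the `else` branch (cut off here) when the socket is owned by the user, even with nothing pending; confirm that branch is cheap and idempotent, since it no longer has the early exit in front of it.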
@@ -0,0 +1,48 @@ +From a824084b98d8a1dbd6e85d0842a8eb5e73467f59 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 28 Oct 2025 09:16:54 +0100 +Subject: mptcp: restore window probe + +From: Paolo Abeni + +commit a824084b98d8a1dbd6e85d0842a8eb5e73467f59 upstream. + +Since commit 72377ab2d671 ("mptcp: more conservative check for zero +probes") the MPTCP-level zero window probe check is always disabled, as +the TCP-level write queue always contains at least the newly allocated +skb. + +Refine the relevant check tacking in account that the above condition +and that such skb can have zero length. + +Fixes: 72377ab2d671 ("mptcp: more conservative check for zero probes") +Cc: stable@vger.kernel.org +Reported-by: Geliang Tang +Closes: https://lore.kernel.org/d0a814c364e744ca6b836ccd5b6e9146882e8d42.camel@kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Paolo Abeni +Tested-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-3-38ffff5a9ec8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1335,7 +1335,12 @@ alloc_skb: + if (copy == 0) { + u64 snd_una = READ_ONCE(msk->snd_una); + +- if (snd_una != msk->snd_nxt || tcp_write_queue_tail(ssk)) { ++ /* No need for zero probe if there are any data pending ++ * either at the msk or ssk level; skb is the current write ++ * queue tail and can be empty at this point. ++ */ ++ if (snd_una != msk->snd_nxt || skb->len || ++ skb != tcp_send_head(ssk)) { + tcp_remove_empty_skb(ssk); + return 0; + } diff --git a/queue-6.6/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch b/queue-6.6/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch new file mode 100644 index 0000000000..26fca70535 --- /dev/null 
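Review bot: in the `alloc_skb:` hunk of the mptcp-restore-window-probe patch above, the comment above the new condition only explains the skb->len clause. The three clauses encode distinct cases and the comment should name all of them: `snd_una != msk->snd_nxt` means MPTCP-level data is still in flight, `skb->len` means the tail skb already carries bytes, and `skb != tcp_send_head(ssk)` means the TCP write queue holds unsent data ahead of the freshly allocated tail. Only when all three are false is a zero-window probe justified. Spelling out the last clause matters most, because it is the one replacing the tcp_write_queue_tail() test that the changelog says was always true.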
+++ b/queue-6.6/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch 
@@ -0,0 +1,61 @@ +From dc89548c6926d68dfdda11bebc1a5258bc41d887 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 00:43:16 +0800 +Subject: net: usb: asix_devices: Check return value of usbnet_get_endpoints + +From: Miaoqian Lin + +commit dc89548c6926d68dfdda11bebc1a5258bc41d887 upstream. + +The code did not check the return value of usbnet_get_endpoints. +Add checks and return the error if it fails to transfer the error. + +Found via static anlaysis and this is similar to +commit 07161b2416f7 ("sr9800: Add check for usbnet_get_endpoints"). + +Fixes: 933a27d39e0e ("USB: asix - Add AX88178 support and many other changes") +Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Link: https://patch.msgid.link/20251026164318.57624-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/asix_devices.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -230,7 +230,9 @@ static int ax88172_bind(struct usbnet *d + int i; + unsigned long gpio_bits = dev->driver_info->data; + +- usbnet_get_endpoints(dev,intf); ++ ret = usbnet_get_endpoints(dev, intf); ++ if (ret) ++ goto out; + + /* Toggle the GPIOs in a manufacturer/model specific way */ + for (i = 2; i >= 0; i--) { +@@ -848,7 +850,9 @@ static int ax88772_bind(struct usbnet *d + + dev->driver_priv = priv; + +- usbnet_get_endpoints(dev, intf); ++ ret = usbnet_get_endpoints(dev, intf); ++ if (ret) ++ return ret; + + /* Maybe the boot loader passed the MAC address via device tree */ + if (!eth_platform_get_mac_address(&dev->udev->dev, buf)) { +@@ -1281,7 +1285,9 @@ static int ax88178_bind(struct usbnet *d + int ret; + u8 buf[ETH_ALEN] = {0}; + +- usbnet_get_endpoints(dev,intf); ++ ret = usbnet_get_endpoints(dev, intf); ++ if (ret) ++ return ret; + + /* Get the MAC address */ 
+ ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0); diff --git a/queue-6.6/nfsd-fix-crash-in-nfsd4_read_release.patch b/queue-6.6/nfsd-fix-crash-in-nfsd4_read_release.patch new file mode 100644 index 0000000000..38e2b3cedf --- /dev/null +++ b/queue-6.6/nfsd-fix-crash-in-nfsd4_read_release.patch @@ -0,0 +1,38 @@ +From abb1f08a2121dd270193746e43b2a9373db9ad84 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Tue, 30 Sep 2025 10:05:20 -0400 +Subject: NFSD: Fix crash in nfsd4_read_release() + +From: Chuck Lever + +commit abb1f08a2121dd270193746e43b2a9373db9ad84 upstream. + +When tracing is enabled, the trace_nfsd_read_done trace point +crashes during the pynfs read.testNoFh test. + +Fixes: 15a8b55dbb1b ("nfsd: call op_release, even when op_func returns an error") +Cc: stable@vger.kernel.org +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -978,10 +978,11 @@ nfsd4_read(struct svc_rqst *rqstp, struc + static void + nfsd4_read_release(union nfsd4_op_u *u) + { +- if (u->read.rd_nf) ++ if (u->read.rd_nf) { ++ trace_nfsd_read_done(u->read.rd_rqstp, u->read.rd_fhp, ++ u->read.rd_offset, u->read.rd_length); + nfsd_file_put(u->read.rd_nf); +- trace_nfsd_read_done(u->read.rd_rqstp, u->read.rd_fhp, +- u->read.rd_offset, u->read.rd_length); ++ } + } + + static __be32 diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 0000000000..b609e43b53 --- /dev/null +++ b/queue-6.6/series 
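Review bot: in the ax88772_bind hunk of the asix patch above, `return ret` immediately after `dev->driver_priv = priv;` only avoids a leak if priv is devm-managed or the usbnet core frees driver_priv when bind fails; please confirm, or jump to the function's cleanup path that frees priv. The three hunks are also inconsistent with each other: ax88172_bind uses `goto out` while ax88772_bind and ax88178_bind use a bare `return ret`. If `out:` in ax88172_bind only returns ret the mismatch is harmless but worth a sentence in the changelog; if it does cleanup, the other two should go through their own labels for the same reason.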
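Review bot: in the nfsd4_read_release hunk, moving trace_nfsd_read_done() inside the `if (u->read.rd_nf)` block changes tracing semantics as well as fixing the crash: a READ that never acquired rd_nf (the testNoFh case in the changelog) now emits no read_done event at all. That is presumably intended, but the changelog says only "crashes" and should name which of rd_rqstp/rd_fhp/rd_offset/rd_length is invalid without rd_nf, so whoever backports this knows the trace point must stay inside the check. Placing the trace before nfsd_file_put() is correct, since the file must still be live when the trace point reads from it.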
@@ -0,0 +1,16 @@ +nfsd-fix-crash-in-nfsd4_read_release.patch +net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch +fbcon-set-fb_display-mode-to-null-when-the-mode-is-released.patch +fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch +acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch +acpi-button-call-input_free_device-on-failing-input-device-registration.patch +fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch +bluetooth-rfcomm-fix-modem-control-handling.patch +wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch +fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch +fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch +mptcp-drop-bogus-optimization-in-__mptcp_check_push.patch +mptcp-restore-window-probe.patch +asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch +smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch +x86-fpu-ensure-xfd-state-on-signal-delivery.patch diff --git a/queue-6.6/smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch b/queue-6.6/smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch new file mode 100644 index 0000000000..c49a309911 --- /dev/null +++ b/queue-6.6/smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch 
@@ -0,0 +1,67 @@ +From 5c76f9961c170552c1d07c830b5e145475151600 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Mon, 27 Oct 2025 18:29:19 -0300 +Subject: smb: client: fix potential cfid UAF in smb2_query_info_compound + +From: Henrique Carvalho + +commit 5c76f9961c170552c1d07c830b5e145475151600 upstream. + +When smb2_query_info_compound() retries, a previously allocated cfid may +have been freed in the first attempt. +Because cfid wasn't reset on replay, later cleanup could act on a stale +pointer, leading to a potential use-after-free. + +Reinitialize cfid to NULL under the replay label. + +Example trace (trimmed): + +refcount_t: underflow; use-after-free. +WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 +[...] +RIP: 0010:refcount_warn_saturate+0x9c/0x110 +[...] +Call Trace: + + smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] + ? step_into+0x10d/0x690 + ? __legitimize_path+0x28/0x60 + smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] + smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f] + ? kmem_cache_alloc+0x18a/0x340 + ? 
getname_flags+0x46/0x1e0 + cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] + statfs_by_dentry+0x67/0x90 + vfs_statfs+0x16/0xd0 + user_statfs+0x54/0xa0 + __do_sys_statfs+0x20/0x50 + do_syscall_64+0x58/0x80 + +Cc: stable@kernel.org +Fixes: 4f1fffa237692 ("cifs: commands that are retried should have replay flag set") +Reviewed-by: Paulo Alcantara (Red Hat) +Acked-by: Shyam Prasad N +Reviewed-by: Enzo Matsumiya +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -2663,11 +2663,12 @@ smb2_query_info_compound(const unsigned + struct cifs_fid fid; + int rc; + __le16 *utf16_path; +- struct cached_fid *cfid = NULL; ++ struct cached_fid *cfid; + int retries = 0, cur_sleep = 1; + + replay_again: + /* reinitialize for possible replay */ ++ cfid = NULL; + flags = CIFS_CP_CREATE_CLOSE_OP; + oplock = SMB2_OPLOCK_LEVEL_NONE; + server = cifs_pick_channel(ses); diff --git a/queue-6.6/wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch b/queue-6.6/wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch new file mode 100644 index 0000000000..e25916bee6 --- /dev/null +++ b/queue-6.6/wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch 
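Review bot: resetting cfid to NULL under replay_again is only safe if the first attempt's error path has already released the cached fid before jumping back; the refcount underflow in the trace indicates a second put on the same object, so that appears to be the case, but the release is outside the visible context, and the comment should say so explicitly, e.g. `/* reinitialize for possible replay; any cfid from the previous attempt has already been released */`. Dropping the `= NULL` initializer on the declaration is correct since replay_again precedes every use, but a compiler without full flow analysis may warn about a maybe-uninitialized pointer; keeping `struct cached_fid *cfid = NULL;` on the declaration as well costs nothing and avoids that noise.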
@@ -0,0 +1,191 @@ +From 3776c685ebe5f43e9060af06872661de55e80b9a Mon Sep 17 00:00:00 2001 +From: Gokul Sivakumar +Date: Mon, 13 Oct 2025 15:58:19 +0530 +Subject: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode + +From: Gokul Sivakumar + +commit 3776c685ebe5f43e9060af06872661de55e80b9a upstream. + +Currently, whenever there is a need to transmit an Action frame, +the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to +firmware. The P2P interfaces were available when wpa_supplicant is managing +the wlan interface. + +However, the P2P interfaces are not created/initialized when only hostapd +is managing the wlan interface. And if hostapd receives an ANQP Query REQ +Action frame even from an un-associated STA, the brcmfmac driver tries +to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. +This NULL pointer dereferencing triggers a driver crash. + + [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual + address 0000000000000000 + [...] + [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT) + [...] 
+ [ 1417.075653] Call trace: + [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac] + [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac] + [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211] + [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211] + [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158 + [ 1417.076302] genl_rcv_msg+0x220/0x2a0 + [ 1417.076317] netlink_rcv_skb+0x68/0x140 + [ 1417.076330] genl_rcv+0x40/0x60 + [ 1417.076343] netlink_unicast+0x330/0x3b8 + [ 1417.076357] netlink_sendmsg+0x19c/0x3f8 + [ 1417.076370] __sock_sendmsg+0x64/0xc0 + [ 1417.076391] ____sys_sendmsg+0x268/0x2a0 + [ 1417.076408] ___sys_sendmsg+0xb8/0x118 + [ 1417.076427] __sys_sendmsg+0x90/0xf8 + [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40 + [ 1417.076465] invoke_syscall+0x50/0x120 + [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0 + [ 1417.076506] do_el0_svc+0x24/0x38 + [ 1417.076525] el0_svc+0x30/0x100 + [ 1417.076548] el0t_64_sync_handler+0x100/0x130 + [ 1417.076569] el0t_64_sync+0x190/0x198 + [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000) + +Fix this, by always using the vif corresponding to the wdev on which the +Action frame Transmission request was initiated by the userspace. This way, +even if P2P vif is not available, the IOVAR is sent to firmware on AP vif +and the ANQP Query RESP Action frame is transmitted without crashing the +driver. + +Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev() +to brcmf_p2p_attach(). Because the former function would not get executed +when only hostapd is managing wlan interface, and it is not safe to do +reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior +init_completion(). + +And in the brcmf_p2p_tx_action_frame() function, the condition check for +P2P Presence response frame is not needed, since the wpa_supplicant is +properly sending the P2P Presense Response frame on the P2P-GO vif instead +of the P2P-Device vif. 
+ +Cc: stable@vger.kernel.org +Fixes: 18e2f61db3b7 ("brcmfmac: P2P action frame tx") +Signed-off-by: Gokul Sivakumar +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20251013102819.9727-1-gokulkumar.sivakumar@infineon.com +[Cc stable] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 - + drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 28 ++++-------- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 - + 3 files changed, 12 insertions(+), 22 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -5594,8 +5594,7 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip + brcmf_dbg(TRACE, "Action frame, cookie=%lld, len=%d, freq=%d\n", + *cookie, le16_to_cpu(action_frame->len), freq); + +- ack = brcmf_p2p_send_action_frame(cfg, cfg_to_ndev(cfg), +- af_params); ++ ack = brcmf_p2p_send_action_frame(vif->ifp, af_params); + + cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, ack, + GFP_KERNEL); +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +@@ -1529,6 +1529,7 @@ int brcmf_p2p_notify_action_tx_complete( + /** + * brcmf_p2p_tx_action_frame() - send action frame over fil. + * ++ * @ifp: interface to transmit on. + * @p2p: p2p info struct for vif. + * @af_params: action frame data/info. + * +@@ -1538,12 +1539,11 @@ int brcmf_p2p_notify_action_tx_complete( + * The WLC_E_ACTION_FRAME_COMPLETE event will be received when the action + * frame is transmitted. 
+ */ +-static s32 brcmf_p2p_tx_action_frame(struct brcmf_p2p_info *p2p, ++static s32 brcmf_p2p_tx_action_frame(struct brcmf_if *ifp, ++ struct brcmf_p2p_info *p2p, + struct brcmf_fil_af_params_le *af_params) + { + struct brcmf_pub *drvr = p2p->cfg->pub; +- struct brcmf_cfg80211_vif *vif; +- struct brcmf_p2p_action_frame *p2p_af; + s32 err = 0; + + brcmf_dbg(TRACE, "Enter\n"); +@@ -1552,14 +1552,7 @@ static s32 brcmf_p2p_tx_action_frame(str + clear_bit(BRCMF_P2P_STATUS_ACTION_TX_COMPLETED, &p2p->status); + clear_bit(BRCMF_P2P_STATUS_ACTION_TX_NOACK, &p2p->status); + +- /* check if it is a p2p_presence response */ +- p2p_af = (struct brcmf_p2p_action_frame *)af_params->action_frame.data; +- if (p2p_af->subtype == P2P_AF_PRESENCE_RSP) +- vif = p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif; +- else +- vif = p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif; +- +- err = brcmf_fil_bsscfg_data_set(vif->ifp, "actframe", af_params, ++ err = brcmf_fil_bsscfg_data_set(ifp, "actframe", af_params, + sizeof(*af_params)); + if (err) { + bphy_err(drvr, " sending action frame has failed\n"); +@@ -1711,16 +1704,14 @@ static bool brcmf_p2p_check_dwell_overfl + /** + * brcmf_p2p_send_action_frame() - send action frame . + * +- * @cfg: driver private data for cfg80211 interface. +- * @ndev: net device to transmit on. ++ * @ifp: interface to transmit on. + * @af_params: configuration data for action frame. 
+ */ +-bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg, +- struct net_device *ndev, ++bool brcmf_p2p_send_action_frame(struct brcmf_if *ifp, + struct brcmf_fil_af_params_le *af_params) + { ++ struct brcmf_cfg80211_info *cfg = ifp->drvr->config; + struct brcmf_p2p_info *p2p = &cfg->p2p; +- struct brcmf_if *ifp = netdev_priv(ndev); + struct brcmf_fil_action_frame_le *action_frame; + struct brcmf_config_af_params config_af_params; + struct afx_hdl *afx_hdl = &p2p->afx_hdl; +@@ -1857,7 +1848,7 @@ bool brcmf_p2p_send_action_frame(struct + if (af_params->channel) + msleep(P2P_AF_RETRY_DELAY_TIME); + +- ack = !brcmf_p2p_tx_action_frame(p2p, af_params); ++ ack = !brcmf_p2p_tx_action_frame(ifp, p2p, af_params); + tx_retry++; + dwell_overflow = brcmf_p2p_check_dwell_overflow(requested_dwell, + dwell_jiffies); +@@ -2217,7 +2208,6 @@ static struct wireless_dev *brcmf_p2p_cr + + WARN_ON(p2p_ifp->bsscfgidx != bsscfgidx); + +- init_completion(&p2p->send_af_done); + INIT_WORK(&p2p->afx_hdl.afx_work, brcmf_p2p_afx_handler); + init_completion(&p2p->afx_hdl.act_frm_scan); + init_completion(&p2p->wait_next_af); +@@ -2513,6 +2503,8 @@ s32 brcmf_p2p_attach(struct brcmf_cfg802 + pri_ifp = brcmf_get_ifp(cfg->pub, 0); + p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif = pri_ifp->vif; + ++ init_completion(&p2p->send_af_done); ++ + if (p2pdev_forced) { + err_ptr = brcmf_p2p_create_p2pdev(p2p, NULL, NULL); + if (IS_ERR(err_ptr)) { +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h +@@ -168,8 +168,7 @@ int brcmf_p2p_notify_action_frame_rx(str + int brcmf_p2p_notify_action_tx_complete(struct brcmf_if *ifp, + const struct brcmf_event_msg *e, + void *data); +-bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg, +- struct net_device *ndev, ++bool brcmf_p2p_send_action_frame(struct brcmf_if *ifp, + struct brcmf_fil_af_params_le *af_params); + bool brcmf_p2p_scan_finding_common_channel(struct 
brcmf_cfg80211_info *cfg, + struct brcmf_bss_info_le *bi); diff --git a/queue-6.6/x86-fpu-ensure-xfd-state-on-signal-delivery.patch b/queue-6.6/x86-fpu-ensure-xfd-state-on-signal-delivery.patch new file mode 100644 index 0000000000..56fb18ba52 --- /dev/null +++ b/queue-6.6/x86-fpu-ensure-xfd-state-on-signal-delivery.patch 
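Review bot: in the brcmf_cfg80211_mgmt_tx() hunk, `vif` is used as if already bound to the wdev the request arrived on, but its assignment is outside the visible context; the fix depends on `vif->ifp` being the requesting interface rather than a P2P lookup, so that binding is worth confirming. In brcmf_p2p_tx_action_frame(), the added `ifp` parameter makes `p2p` redundant: brcmf_p2p_send_action_frame() already derives cfg from `ifp->drvr->config`, so the callee could do `p2p = &ifp->drvr->config->p2p` instead of taking both. Removing the P2P_AF_PRESENCE_RSP branch also means presence responses go out on whatever ifp the caller passed; the changelog says wpa_supplicant already targets the GO vif, which is fine, but that assumption belongs as a one-line comment next to the brcmf_fil_bsscfg_data_set() call rather than only in the changelog.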
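Review bot: moving `init_completion(&p2p->send_af_done)` to brcmf_p2p_attach() covers the hostapd-only case, but `INIT_WORK(&p2p->afx_hdl.afx_work, ...)`, `init_completion(&p2p->afx_hdl.act_frm_scan)` and `init_completion(&p2p->wait_next_af)` stay in brcmf_p2p_create_p2pdev(); brcmf_p2p_send_action_frame() still takes `struct afx_hdl *afx_hdl = &p2p->afx_hdl;` per the hunk, so if the AP-only path can reach the action-frame search or wait-next-AF logic, those need the same move, and if it cannot, a comment in brcmf_p2p_attach() explaining why only send_af_done is initialised there would prevent a repeat of this bug.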
@@ -0,0 +1,64 @@ +From 388eff894d6bc5f921e9bfff0e4b0ab2684a96e9 Mon Sep 17 00:00:00 2001 +From: "Chang S. Bae" +Date: Mon, 9 Jun 2025 17:16:59 -0700 +Subject: x86/fpu: Ensure XFD state on signal delivery + +From: Chang S. Bae + +commit 388eff894d6bc5f921e9bfff0e4b0ab2684a96e9 upstream. + +Sean reported [1] the following splat when running KVM tests: + + WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70 + Call Trace: + + fpu__clear_user_states+0x9c/0x100 + arch_do_signal_or_restart+0x142/0x210 + exit_to_user_mode_loop+0x55/0x100 + do_syscall_64+0x205/0x2c0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Chao further identified [2] a reproducible scenario involving signal +delivery: a non-AMX task is preempted by an AMX-enabled task which +modifies the XFD MSR. + +When the non-AMX task resumes and reloads XSTATE with init values, +a warning is triggered due to a mismatch between fpstate::xfd and the +CPU's current XFD state. fpu__clear_user_states() does not currently +re-synchronize the XFD state after such preemption. + +Invoke xfd_update_state() which detects and corrects the mismatch if +there is a dynamic feature. + +This also benefits the sigreturn path, as fpu__restore_sig() may call +fpu__clear_user_states() when the sigframe is inaccessible. + +[ dhansen: minor changelog munging ] + +Closes: https://lore.kernel.org/lkml/aDCo_SczQOUaB2rS@google.com [1] +Fixes: 672365477ae8a ("x86/fpu: Update XFD state where required") +Reported-by: Sean Christopherson +Signed-off-by: Chang S. 
Bae +Signed-off-by: Dave Hansen +Reviewed-by: Chao Gao +Tested-by: Chao Gao +Link: https://lore.kernel.org/all/aDWbctO%2FRfTGiCg3@intel.com [2] +Cc:stable@vger.kernel.org +Link: https://patch.msgid.link/20250610001700.4097-1-chang.seok.bae%40intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/fpu/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -757,6 +757,9 @@ void fpu__clear_user_states(struct fpu * + !fpregs_state_valid(fpu, smp_processor_id())) + os_xrstor_supervisor(fpu->fpstate); + ++ /* Ensure XFD state is in sync before reloading XSTATE */ ++ xfd_update_state(fpu->fpstate); ++ + /* Reset user states in registers. */ + restore_fpregs_from_init_fpstate(XFEATURE_MASK_USER_RESTORE); +
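Review bot: the new `xfd_update_state(fpu->fpstate)` call sits after the os_xrstor_supervisor() branch and before restore_fpregs_from_init_fpstate(), which is the right spot, but the comment `/* Ensure XFD state is in sync before reloading XSTATE */` should say why it can be out of sync: the task may have been preempted by an AMX-enabled task that rewrote the XFD MSR, and without the resync the init-state restore trips xfd_validate_state(). Per the changelog xfd_update_state() only acts when a dynamic feature is present, so there is no unconditional MSR write on the signal path for non-AMX tasks; stating that in the comment would stop a reader from treating this as a per-signal WRMSR cost.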