From: Greg Kroah-Hartman Date: Fri, 15 Aug 2025 15:37:29 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v6.12.43~88 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45ec0773624aa2c58709712f070c2f9b912e7260;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch arm64-dts-ti-k3-j722s-evm-fix-usb-gpio-hog-level-for-type-c.patch fhandle-raise-fileid_is_dir-in-handle_type.patch gpio-mlxbf2-use-platform_get_irq_optional.patch gpio-mlxbf3-use-platform_get_irq_optional.patch gpio-virtio-fix-config-space-reading.patch io_uring-don-t-use-int-for-abi.patch io_uring-export-io_account_mem.patch io_uring-memmap-cast-nr_pages-to-size_t-before-shifting.patch io_uring-net-commit-partial-buffers-on-retry.patch leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch media-i2c-set-lt6911uxe-s-reset_gpio-to-gpiod_out_low.patch net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch net-enetc-fix-device-and-of-node-leak-at-probe.patch net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch net-mtk_eth_soc-fix-device-leak-at-probe.patch net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch net-usb-qmi_wwan-add-telit-cinterion-fn990a-w-audio-composition.patch netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch series smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch --- diff --git a/queue-6.15/alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch b/queue-6.15/alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch new file mode 100644 index 0000000000..4178795c46 --- /dev/null +++ b/queue-6.15/alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch @@ -0,0 +1,31 @@ +From 0db77eccd964b11ab2b757031d1354fcc5a025ea Mon Sep 17 00:00:00 2001 +From: Christopher Eby +Date: Sat, 9 Aug 2025 20:00:06 -0700 +Subject: ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks + +From: Christopher Eby + +commit 0db77eccd964b11ab2b757031d1354fcc5a025ea upstream. + +Framework Laptop 13 (AMD Ryzen AI 300) requires the same quirk for +headset detection as other Framework 13 models. + +Signed-off-by: Christopher Eby +Cc: +Link: https://patch.msgid.link/20250810030006.9060-1-kreed@kreed.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11422,6 +11422,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 diff --git a/queue-6.15/alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch b/queue-6.15/alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch new file mode 100644 index 0000000000..799214390f --- /dev/null +++ b/queue-6.15/alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch @@ -0,0 +1,31 @@ +From b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Mon, 11 Aug 2025 16:27:16 +0300 +Subject: ALSA: hda/realtek: Fix headset mic on HONOR BRB-X + +From: Vasiliy Kovalev + +commit b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 upstream. + +Add a PCI quirk to enable microphone input on the headphone jack on +the HONOR BRB-X M1010 laptop. + +Signed-off-by: Vasiliy Kovalev +Cc: +Link: https://patch.msgid.link/20250811132716.45076-1-kovalev@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11405,6 +11405,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1ee7, 0x2078, "HONOR BRB-X M1010", ALC2XX_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1f66, 0x0105, "Ayaneo Portable Game Player", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x2014, 0x800a, "Positivo ARN50", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x2782, 0x0214, "VAIO VJFE-CL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), diff --git a/queue-6.15/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch b/queue-6.15/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch new file mode 100644 index 0000000000..8d5fff83bf --- /dev/null +++ b/queue-6.15/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch @@ -0,0 +1,91 @@ +From ecfd41166b72b67d3bdeb88d224ff445f6163869 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 14 Aug 2025 10:12:43 +0200 +Subject: ALSA: usb-audio: Validate UAC3 cluster segment descriptors + +From: Takashi Iwai + +commit ecfd41166b72b67d3bdeb88d224ff445f6163869 upstream. + +UAC3 class segment descriptors need to be verified whether their sizes +match with the declared lengths and whether they fit with the +allocated buffer sizes, too. Otherwise malicious firmware may lead to +the unexpected OOB accesses. + +Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support") +Reported-and-tested-by: Youngjun Lee +Cc: +Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -341,20 +341,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(str + + len = le16_to_cpu(cluster->wLength); + c = 0; +- p += sizeof(struct uac3_cluster_header_descriptor); ++ p += sizeof(*cluster); ++ len -= sizeof(*cluster); + +- while (((p - (void *)cluster) < len) && (c < channels)) { ++ while (len > 0 && (c < channels)) { + struct uac3_cluster_segment_descriptor *cs_desc = p; + u16 cs_len; + u8 cs_type; + ++ if (len < sizeof(*p)) ++ break; + cs_len = le16_to_cpu(cs_desc->wLength); ++ if (len < cs_len) ++ break; + cs_type = cs_desc->bSegmentType; + + if (cs_type == UAC3_CHANNEL_INFORMATION) { + struct uac3_cluster_information_segment_descriptor *is = p; + unsigned char map; + ++ if (cs_len < sizeof(*is)) ++ break; ++ + /* + * TODO: this conversion is not complete, update it + * after adding UAC3 values to asound.h +@@ -456,6 +464,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(str + chmap->map[c++] = map; + } + p += cs_len; ++ len -= cs_len; + } + + if (channels < c) +@@ -880,7 +889,7 @@ snd_usb_get_audioformat_uac3(struct snd_ + u64 badd_formats = 0; + unsigned int num_channels; + struct audioformat *fp; +- u16 cluster_id, wLength; ++ u16 cluster_id, wLength, cluster_wLength; + int clock = 0; + int err; + +@@ -1008,6 +1017,16 @@ snd_usb_get_audioformat_uac3(struct snd_ + iface_no, altno); + kfree(cluster); + return ERR_PTR(-EIO); ++ } ++ ++ cluster_wLength = le16_to_cpu(cluster->wLength); ++ if (cluster_wLength < sizeof(*cluster) || ++ cluster_wLength > wLength) { ++ dev_err(&dev->dev, ++ "%u:%d : invalid Cluster Descriptor size\n", ++ iface_no, altno); ++ kfree(cluster); ++ return ERR_PTR(-EIO); + } + + num_channels = cluster->bNrChannels; diff --git a/queue-6.15/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch b/queue-6.15/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch new file mode 100644 index 0000000000..cf5680e1ba --- /dev/null +++ b/queue-6.15/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch @@ -0,0 +1,51 @@ +From d832ccbc301fbd9e5a1d691bdcf461cdb514595f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 14 Aug 2025 10:12:42 +0200 +Subject: ALSA: usb-audio: Validate UAC3 power domain descriptors, too + +From: Takashi Iwai + +commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream. + +UAC3 power domain descriptors need to be verified with its variable +bLength for avoiding the unexpected OOB accesses by malicious +firmware, too. + +Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support") +Reported-and-tested-by: Youngjun Lee +Cc: +Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/validate.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/usb/validate.c ++++ b/sound/usb/validate.c +@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c + return d->bLength >= sizeof(*d) + 4 + 2; + } + ++static bool validate_uac3_power_domain_unit(const void *p, ++ const struct usb_desc_validator *v) ++{ ++ const struct uac3_power_domain_descriptor *d = p; ++ ++ if (d->bLength < sizeof(*d)) ++ return false; ++ /* baEntities[] + wPDomainDescrStr */ ++ return d->bLength >= sizeof(*d) + d->bNrEntities + 2; ++} ++ + static bool validate_midi_out_jack(const void *p, + const struct usb_desc_validator *v) + { +@@ -285,6 +296,7 @@ static const struct usb_desc_validator a + struct uac3_clock_multiplier_descriptor), + /* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */ + /* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */ ++ FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit), + { } /* terminator */ + }; + diff --git a/queue-6.15/arm64-dts-ti-k3-j722s-evm-fix-usb-gpio-hog-level-for-type-c.patch b/queue-6.15/arm64-dts-ti-k3-j722s-evm-fix-usb-gpio-hog-level-for-type-c.patch new file mode 100644 index 0000000000..f67726320e --- /dev/null +++ b/queue-6.15/arm64-dts-ti-k3-j722s-evm-fix-usb-gpio-hog-level-for-type-c.patch @@ -0,0 +1,40 @@ +From 65ba2a6e77e9e5c843a591055789050e77b5c65e Mon Sep 17 00:00:00 2001 +From: Siddharth Vadapalli +Date: Mon, 23 Jun 2025 15:36:57 +0530 +Subject: arm64: dts: ti: k3-j722s-evm: Fix USB gpio-hog level for Type-C + +From: Siddharth Vadapalli + +commit 65ba2a6e77e9e5c843a591055789050e77b5c65e upstream. + +According to the "GPIO Expander Map / Table" section of the J722S EVM +Schematic within the Evaluation Module Design Files package [0], the +GPIO Pin P05 located on the GPIO Expander 1 (I2C0/0x23) has to be pulled +down to select the Type-C interface. Since commit under Fixes claims to +enable the Type-C interface, update the property within "p05-hog" from +"output-high" to "output-low", thereby switching from the Type-A +interface to the Type-C interface. + +[0]: https://www.ti.com/lit/zip/sprr495 + +Cc: stable@vger.kernel.org +Fixes: 485705df5d5f ("arm64: dts: ti: k3-j722s: Enable PCIe and USB support on J722S-EVM") +Signed-off-by: Siddharth Vadapalli +Link: https://lore.kernel.org/r/20250623100657.4082031-1-s-vadapalli@ti.com +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/ti/k3-j722s-evm.dts ++++ b/arch/arm64/boot/dts/ti/k3-j722s-evm.dts +@@ -598,7 +598,7 @@ + /* P05 - USB2.0_MUX_SEL */ + gpio-hog; + gpios = <5 GPIO_ACTIVE_LOW>; +- output-high; ++ output-low; + }; + + p01_hog: p01-hog { diff --git a/queue-6.15/fhandle-raise-fileid_is_dir-in-handle_type.patch b/queue-6.15/fhandle-raise-fileid_is_dir-in-handle_type.patch new file mode 100644 index 0000000000..eeeba4f6f2 --- /dev/null +++ b/queue-6.15/fhandle-raise-fileid_is_dir-in-handle_type.patch @@ -0,0 +1,34 @@ +From cc678bf7aa9e2e6c2356fd7f955513c1bd7d4c97 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 24 Jun 2025 10:29:04 +0200 +Subject: fhandle: raise FILEID_IS_DIR in handle_type + +From: Christian Brauner + +commit cc678bf7aa9e2e6c2356fd7f955513c1bd7d4c97 upstream. + +Currently FILEID_IS_DIR is raised in fh_flags which is wrong. +Raise it in handle->handle_type were it's supposed to be. + +Link: https://lore.kernel.org/20250624-work-pidfs-fhandle-v2-1-d02a04858fe3@kernel.org +Fixes: c374196b2b9f ("fs: name_to_handle_at() support for "explicit connectable" file handles") +Reviewed-by: Jan Kara +Reviewed-by: Amir Goldstein +Cc: stable@kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fhandle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fhandle.c ++++ b/fs/fhandle.c +@@ -88,7 +88,7 @@ static long do_sys_name_to_handle(const + if (fh_flags & EXPORT_FH_CONNECTABLE) { + handle->handle_type |= FILEID_IS_CONNECTABLE; + if (d_is_dir(path->dentry)) +- fh_flags |= FILEID_IS_DIR; ++ handle->handle_type |= FILEID_IS_DIR; + } + retval = 0; + } diff --git a/queue-6.15/gpio-mlxbf2-use-platform_get_irq_optional.patch b/queue-6.15/gpio-mlxbf2-use-platform_get_irq_optional.patch new file mode 100644 index 0000000000..833ac47b55 --- /dev/null +++ b/queue-6.15/gpio-mlxbf2-use-platform_get_irq_optional.patch @@ -0,0 +1,39 @@ +From 63c7bc53a35e785accdc2ceab8f72d94501931ab Mon Sep 17 00:00:00 2001 +From: David Thompson +Date: Mon, 28 Jul 2025 10:46:19 -0400 +Subject: gpio: mlxbf2: use platform_get_irq_optional() + +From: David Thompson + +commit 63c7bc53a35e785accdc2ceab8f72d94501931ab upstream. + +The gpio-mlxbf2 driver interfaces with four GPIO controllers, +device instances 0-3. There are two IRQ resources shared between +the four controllers, and they are found in the ACPI table for +instances 0 and 3. The driver should not use platform_get_irq(), +otherwise this error is logged when probing instances 1 and 2: + mlxbf2_gpio MLNXBF22:01: error -ENXIO: IRQ index 0 not found + +Fixes: 2b725265cb08 ("gpio: mlxbf2: Introduce IRQ support") +Cc: stable@vger.kernel.org +Signed-off-by: David Thompson +Reviewed-by: Shravan Kumar Ramani +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20250728144619.29894-1-davthompson@nvidia.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-mlxbf2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-mlxbf2.c ++++ b/drivers/gpio/gpio-mlxbf2.c +@@ -397,7 +397,7 @@ mlxbf2_gpio_probe(struct platform_device + gc->ngpio = npins; + gc->owner = THIS_MODULE; + +- irq = platform_get_irq(pdev, 0); ++ irq = platform_get_irq_optional(pdev, 0); + if (irq >= 0) { + girq = &gs->gc.irq; + gpio_irq_chip_set_chip(girq, &mlxbf2_gpio_irq_chip); diff --git a/queue-6.15/gpio-mlxbf3-use-platform_get_irq_optional.patch b/queue-6.15/gpio-mlxbf3-use-platform_get_irq_optional.patch new file mode 100644 index 0000000000..fa87ea3ed6 --- /dev/null +++ b/queue-6.15/gpio-mlxbf3-use-platform_get_irq_optional.patch @@ -0,0 +1,38 @@ +From 810bd9066fb1871b8a9528f31f2fdbf2a8b73bf2 Mon Sep 17 00:00:00 2001 +From: David Thompson +Date: Mon, 11 Aug 2025 13:50:45 -0400 +Subject: gpio: mlxbf3: use platform_get_irq_optional() + +From: David Thompson + +commit 810bd9066fb1871b8a9528f31f2fdbf2a8b73bf2 upstream. + +The gpio-mlxbf3 driver interfaces with two GPIO controllers, +device instance 0 and 1. There is a single IRQ resource shared +between the two controllers, and it is found in the ACPI table for +device instance 0. The driver should not use platform_get_irq(), +otherwise this error is logged when probing instance 1: + mlxbf3_gpio MLNXBF33:01: error -ENXIO: IRQ index 0 not found + +Cc: stable@vger.kernel.org +Fixes: cd33f216d241 ("gpio: mlxbf3: Add gpio driver support") +Signed-off-by: David Thompson +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/ce70b98a201ce82b9df9aa80ac7a5eeaa2268e52.1754928650.git.davthompson@nvidia.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-mlxbf3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-mlxbf3.c ++++ b/drivers/gpio/gpio-mlxbf3.c +@@ -227,7 +227,7 @@ static int mlxbf3_gpio_probe(struct plat + gc->owner = THIS_MODULE; + gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges; + +- irq = platform_get_irq(pdev, 0); ++ irq = platform_get_irq_optional(pdev, 0); + if (irq >= 0) { + girq = &gs->gc.irq; + gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip); diff --git a/queue-6.15/gpio-virtio-fix-config-space-reading.patch b/queue-6.15/gpio-virtio-fix-config-space-reading.patch new file mode 100644 index 0000000000..56e6a89f26 --- /dev/null +++ b/queue-6.15/gpio-virtio-fix-config-space-reading.patch @@ -0,0 +1,52 @@ +From 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 Mon Sep 17 00:00:00 2001 +From: Harald Mommer +Date: Thu, 24 Jul 2025 16:36:53 +0200 +Subject: gpio: virtio: Fix config space reading. + +From: Harald Mommer + +commit 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 upstream. + +Quote from the virtio specification chapter 4.2.2.2: + +"For the device-specific configuration space, the driver MUST use 8 bit +wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses +for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and +64 bit wide fields." + +Signed-off-by: Harald Mommer +Cc: stable@vger.kernel.org +Fixes: 3a29355a22c0 ("gpio: Add virtio-gpio driver") +Acked-by: Viresh Kumar +Link: https://lore.kernel.org/r/20250724143718.5442-2-harald.mommer@oss.qualcomm.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-virtio.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpio-virtio.c ++++ b/drivers/gpio/gpio-virtio.c +@@ -526,7 +526,6 @@ static const char **virtio_gpio_get_name + + static int virtio_gpio_probe(struct virtio_device *vdev) + { +- struct virtio_gpio_config config; + struct device *dev = &vdev->dev; + struct virtio_gpio *vgpio; + struct irq_chip *gpio_irq_chip; +@@ -539,9 +538,11 @@ static int virtio_gpio_probe(struct virt + return -ENOMEM; + + /* Read configuration */ +- virtio_cread_bytes(vdev, 0, &config, sizeof(config)); +- gpio_names_size = le32_to_cpu(config.gpio_names_size); +- ngpio = le16_to_cpu(config.ngpio); ++ gpio_names_size = ++ virtio_cread32(vdev, offsetof(struct virtio_gpio_config, ++ gpio_names_size)); ++ ngpio = virtio_cread16(vdev, offsetof(struct virtio_gpio_config, ++ ngpio)); + if (!ngpio) { + dev_err(dev, "Number of GPIOs can't be zero\n"); + return -EINVAL; diff --git a/queue-6.15/io_uring-don-t-use-int-for-abi.patch b/queue-6.15/io_uring-don-t-use-int-for-abi.patch new file mode 100644 index 0000000000..b3d47d81af --- /dev/null +++ b/queue-6.15/io_uring-don-t-use-int-for-abi.patch @@ -0,0 +1,35 @@ +From cf73d9970ea4f8cace5d8f02d2565a2723003112 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 2 Jul 2025 21:31:54 +0100 +Subject: io_uring: don't use int for ABI + +From: Pavel Begunkov + +commit cf73d9970ea4f8cace5d8f02d2565a2723003112 upstream. + +__kernel_rwf_t is defined as int, the actual size of which is +implementation defined. It won't go well if some compiler / archs +ever defines it as i64, so replace it with __u32, hoping that +there is no one using i16 for it. + +Cc: stable@vger.kernel.org +Fixes: 2b188cc1bb857 ("Add io_uring IO interface") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/47c666c4ee1df2018863af3a2028af18feef11ed.1751412511.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/io_uring.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/uapi/linux/io_uring.h ++++ b/include/uapi/linux/io_uring.h +@@ -50,7 +50,7 @@ struct io_uring_sqe { + }; + __u32 len; /* buffer size or number of iovecs */ + union { +- __kernel_rwf_t rw_flags; ++ __u32 rw_flags; + __u32 fsync_flags; + __u16 poll_events; /* compatibility */ + __u32 poll32_events; /* word-reversed for BE */ diff --git a/queue-6.15/io_uring-export-io_account_mem.patch b/queue-6.15/io_uring-export-io_account_mem.patch new file mode 100644 index 0000000000..e95edf330b --- /dev/null +++ b/queue-6.15/io_uring-export-io_account_mem.patch @@ -0,0 +1,54 @@ +From 11fbada7184f9e19bcdfa2f6b15828a78b8897a6 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 16 Jul 2025 22:04:08 +0100 +Subject: io_uring: export io_[un]account_mem + +From: Pavel Begunkov + +commit 11fbada7184f9e19bcdfa2f6b15828a78b8897a6 upstream. + +Export pinned memory accounting helpers, they'll be used by zcrx +shortly. + +Cc: stable@vger.kernel.org +Fixes: cf96310c5f9a0 ("io_uring/zcrx: add io_zcrx_area") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/9a61e54bd89289b39570ae02fe620e12487439e4.1752699568.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/rsrc.c | 4 ++-- + io_uring/rsrc.h | 2 ++ + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -55,7 +55,7 @@ int __io_account_mem(struct user_struct + return 0; + } + +-static void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages) ++void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages) + { + if (ctx->user) + __io_unaccount_mem(ctx->user, nr_pages); +@@ -64,7 +64,7 @@ static void io_unaccount_mem(struct io_r + atomic64_sub(nr_pages, &ctx->mm_account->pinned_vm); + } + +-static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages) ++int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages) + { + int ret; + +--- a/io_uring/rsrc.h ++++ b/io_uring/rsrc.h +@@ -146,6 +146,8 @@ int io_files_update(struct io_kiocb *req + int io_files_update_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe); + + int __io_account_mem(struct user_struct *user, unsigned long nr_pages); ++int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages); ++void io_unaccount_mem(struct io_ring_ctx *ctx, unsigned long nr_pages); + + static inline void __io_unaccount_mem(struct user_struct *user, + unsigned long nr_pages) diff --git a/queue-6.15/io_uring-memmap-cast-nr_pages-to-size_t-before-shifting.patch b/queue-6.15/io_uring-memmap-cast-nr_pages-to-size_t-before-shifting.patch new file mode 100644 index 0000000000..4415260003 --- /dev/null +++ b/queue-6.15/io_uring-memmap-cast-nr_pages-to-size_t-before-shifting.patch @@ -0,0 +1,39 @@ +From 33503c083fda048c77903460ac0429e1e2c0e341 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Fri, 8 Aug 2025 06:35:14 -0600 +Subject: io_uring/memmap: cast nr_pages to size_t before shifting + +From: Jens Axboe + +commit 33503c083fda048c77903460ac0429e1e2c0e341 upstream. + +If the allocated size exceeds UINT_MAX, then it's necessary to cast +the mr->nr_pages value to size_t to prevent it from overflowing. In +practice this isn't much of a concern as the required memory size will +have been validated upfront, and accounted to the user. And > 4GB sizes +will be necessary to make the lack of a cast a problem, which greatly +exceeds normal user locked_vm settings that are generally in the kb to +mb range. However, if root is used, then accounting isn't done, and +then it's possible to hit this issue. + +Link: https://lore.kernel.org/all/6895b298.050a0220.7f033.0059.GAE@google.com/ +Cc: stable@vger.kernel.org +Reported-by: syzbot+23727438116feb13df15@syzkaller.appspotmail.com +Fixes: 087f997870a9 ("io_uring/memmap: implement mmap for regions") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/memmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/memmap.c ++++ b/io_uring/memmap.c +@@ -155,7 +155,7 @@ static int io_region_allocate_pages(stru + unsigned long mmap_offset) + { + gfp_t gfp = GFP_KERNEL_ACCOUNT | __GFP_ZERO | __GFP_NOWARN; +- unsigned long size = mr->nr_pages << PAGE_SHIFT; ++ size_t size = (size_t) mr->nr_pages << PAGE_SHIFT; + unsigned long nr_allocated; + struct page **pages; + void *p; diff --git a/queue-6.15/io_uring-net-commit-partial-buffers-on-retry.patch b/queue-6.15/io_uring-net-commit-partial-buffers-on-retry.patch new file mode 100644 index 0000000000..392479f9fa --- /dev/null +++ b/queue-6.15/io_uring-net-commit-partial-buffers-on-retry.patch @@ -0,0 +1,114 @@ +From 41b70df5b38bc80967d2e0ed55cc3c3896bba781 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 12 Aug 2025 08:30:11 -0600 +Subject: io_uring/net: commit partial buffers on retry + +From: Jens Axboe + +commit 41b70df5b38bc80967d2e0ed55cc3c3896bba781 upstream. + +Ring provided buffers are potentially only valid within the single +execution context in which they were acquired. io_uring deals with this +and invalidates them on retry. But on the networking side, if +MSG_WAITALL is set, or if the socket is of the streaming type and too +little was processed, then it will hang on to the buffer rather than +recycle or commit it. This is problematic for two reasons: + +1) If someone unregisters the provided buffer ring before a later retry, + then the req->buf_list will no longer be valid. + +2) If multiple sockers are using the same buffer group, then multiple + receives can consume the same memory. This can cause data corruption + in the application, as either receive could land in the same + userspace buffer. + +Fix this by disallowing partial retries from pinning a provided buffer +across multiple executions, if ring provided buffers are used. + +Cc: stable@vger.kernel.org +Reported-by: pt x +Fixes: c56e022c0a27 ("io_uring: add support for user mapped provided buffer ring") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -482,6 +482,15 @@ static int io_bundle_nbufs(struct io_asy + return nbufs; + } + ++static int io_net_kbuf_recyle(struct io_kiocb *req, ++ struct io_async_msghdr *kmsg, int len) ++{ ++ req->flags |= REQ_F_BL_NO_RECYCLE; ++ if (req->flags & REQ_F_BUFFERS_COMMIT) ++ io_kbuf_commit(req, req->buf_list, len, io_bundle_nbufs(kmsg, len)); ++ return IOU_RETRY; ++} ++ + static inline bool io_send_finish(struct io_kiocb *req, int *ret, + struct io_async_msghdr *kmsg, + unsigned issue_flags) +@@ -550,8 +559,7 @@ int io_sendmsg(struct io_kiocb *req, uns + kmsg->msg.msg_controllen = 0; + kmsg->msg.msg_control = NULL; + sr->done_io += ret; +- req->flags |= REQ_F_BL_NO_RECYCLE; +- return -EAGAIN; ++ return io_net_kbuf_recyle(req, kmsg, ret); + } + if (ret == -ERESTARTSYS) + ret = -EINTR; +@@ -661,8 +669,7 @@ retry_bundle: + sr->len -= ret; + sr->buf += ret; + sr->done_io += ret; +- req->flags |= REQ_F_BL_NO_RECYCLE; +- return -EAGAIN; ++ return io_net_kbuf_recyle(req, kmsg, ret); + } + if (ret == -ERESTARTSYS) + ret = -EINTR; +@@ -1034,8 +1041,7 @@ retry_multishot: + } + if (ret > 0 && io_net_retry(sock, flags)) { + sr->done_io += ret; +- req->flags |= REQ_F_BL_NO_RECYCLE; +- return IOU_RETRY; ++ return io_net_kbuf_recyle(req, kmsg, ret); + } + if (ret == -ERESTARTSYS) + ret = -EINTR; +@@ -1175,8 +1181,7 @@ retry_multishot: + sr->len -= ret; + sr->buf += ret; + sr->done_io += ret; +- req->flags |= REQ_F_BL_NO_RECYCLE; +- return -EAGAIN; ++ return io_net_kbuf_recyle(req, kmsg, ret); + } + if (ret == -ERESTARTSYS) + ret = -EINTR; +@@ -1461,8 +1466,7 @@ int io_send_zc(struct io_kiocb *req, uns + zc->len -= ret; + zc->buf += ret; + zc->done_io += ret; +- req->flags |= REQ_F_BL_NO_RECYCLE; +- return -EAGAIN; ++ return io_net_kbuf_recyle(req, kmsg, ret); + } + if (ret == -ERESTARTSYS) + ret = -EINTR; +@@ -1532,8 +1536,7 @@ int io_sendmsg_zc(struct io_kiocb *req, + + if (ret > 0 && io_net_retry(sock, flags)) { + sr->done_io += ret; +- req->flags |= REQ_F_BL_NO_RECYCLE; +- return -EAGAIN; ++ return io_net_kbuf_recyle(req, kmsg, ret); + } + if (ret == -ERESTARTSYS) + ret = -EINTR; diff --git a/queue-6.15/leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch b/queue-6.15/leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch new file mode 100644 index 0000000000..20dd01e6c0 --- /dev/null +++ b/queue-6.15/leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch @@ -0,0 +1,78 @@ +From fab15f57360b1e6620a1d0d6b0fbee896e6c1f07 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 29 May 2025 08:33:36 +0200 +Subject: leds: flash: leds-qcom-flash: Fix registry access after re-bind + +From: Krzysztof Kozlowski + +commit fab15f57360b1e6620a1d0d6b0fbee896e6c1f07 upstream. + +Driver in probe() updates each of 'reg_field' with 'reg_base': + + for (i = 0; i < REG_MAX_COUNT; i++) + regs[i].reg += reg_base; + +'reg_field' array (under variable 'regs' above) is statically allocated, +thus each re-bind would add another 'reg_base' leading to bogus +register addresses. Constify the local 'reg_field' array and duplicate +it in probe to solve this. + +Fixes: 96a2e242a5dc ("leds: flash: Add driver to support flash LED module in QCOM PMICs") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Fenglin Wu +Link: https://lore.kernel.org/r/20250529063335.8785-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/flash/leds-qcom-flash.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/leds/flash/leds-qcom-flash.c ++++ b/drivers/leds/flash/leds-qcom-flash.c +@@ -117,7 +117,7 @@ enum { + REG_MAX_COUNT, + }; + +-static struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { ++static const struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { + REG_FIELD(0x08, 0, 7), /* status1 */ + REG_FIELD(0x09, 0, 7), /* status2 */ + REG_FIELD(0x0a, 0, 7), /* status3 */ +@@ -132,7 +132,7 @@ static struct reg_field mvflash_3ch_regs + REG_FIELD(0x58, 0, 2), /* therm_thrsh3 */ + }; + +-static struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = { ++static const struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = { + REG_FIELD(0x06, 0, 7), /* status1 */ + REG_FIELD(0x07, 0, 6), /* status2 */ + REG_FIELD(0x09, 0, 7), /* status3 */ +@@ -854,11 +854,17 @@ static int qcom_flash_led_probe(struct p + if (val == FLASH_SUBTYPE_3CH_PM8150_VAL || val == FLASH_SUBTYPE_3CH_PMI8998_VAL) { + flash_data->hw_type = QCOM_MVFLASH_3CH; + flash_data->max_channels = 3; +- regs = mvflash_3ch_regs; ++ regs = devm_kmemdup(dev, mvflash_3ch_regs, sizeof(mvflash_3ch_regs), ++ GFP_KERNEL); ++ if (!regs) ++ return -ENOMEM; + } else if (val == FLASH_SUBTYPE_4CH_VAL) { + flash_data->hw_type = QCOM_MVFLASH_4CH; + flash_data->max_channels = 4; +- regs = mvflash_4ch_regs; ++ regs = devm_kmemdup(dev, mvflash_4ch_regs, sizeof(mvflash_4ch_regs), ++ GFP_KERNEL); ++ if (!regs) ++ return -ENOMEM; + + rc = regmap_read(regmap, reg_base + FLASH_REVISION_REG, &val); + if (rc < 0) { +@@ -880,6 +886,7 @@ static int qcom_flash_led_probe(struct p + dev_err(dev, "Failed to allocate regmap field, rc=%d\n", rc); + return rc; + } ++ devm_kfree(dev, regs); /* devm_regmap_field_bulk_alloc() makes copies */ + + platform_set_drvdata(pdev, flash_data); + mutex_init(&flash_data->lock); diff --git a/queue-6.15/media-i2c-set-lt6911uxe-s-reset_gpio-to-gpiod_out_low.patch b/queue-6.15/media-i2c-set-lt6911uxe-s-reset_gpio-to-gpiod_out_low.patch new file mode 100644 index 0000000000..9abc2a2d06 --- /dev/null +++ b/queue-6.15/media-i2c-set-lt6911uxe-s-reset_gpio-to-gpiod_out_low.patch @@ -0,0 +1,36 @@ +From 3c607baf68639d6bfe1a336523c4c9597f4b512a Mon Sep 17 00:00:00 2001 +From: Dongcheng Yan +Date: Wed, 21 May 2025 15:15:19 +0800 +Subject: media: i2c: set lt6911uxe's reset_gpio to GPIOD_OUT_LOW + +From: Dongcheng Yan + +commit 3c607baf68639d6bfe1a336523c4c9597f4b512a upstream. + +reset_gpio needs to be an output and set to GPIOD_OUT_LOW, to ensure +lt6911uxe is in reset state during probe. + +This issue was found on the onboard lt6911uxe, where the reset_pin was +not reset, causing the lt6911uxe to fail to probe. + +Fixes: e49563c3be09d4 ("media: i2c: add lt6911uxe hdmi bridge driver") +Cc: stable@vger.kernel.org +Signed-off-by: Dongcheng Yan +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/lt6911uxe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/lt6911uxe.c ++++ b/drivers/media/i2c/lt6911uxe.c +@@ -600,7 +600,7 @@ static int lt6911uxe_probe(struct i2c_cl + + v4l2_i2c_subdev_init(<6911uxe->sd, client, <6911uxe_subdev_ops); + +- lt6911uxe->reset_gpio = devm_gpiod_get(dev, "reset", GPIOD_IN); ++ lt6911uxe->reset_gpio = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW); + if (IS_ERR(lt6911uxe->reset_gpio)) + return dev_err_probe(dev, PTR_ERR(lt6911uxe->reset_gpio), + "failed to get reset gpio\n"); diff --git a/queue-6.15/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch b/queue-6.15/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch new file mode 100644 index 0000000000..b99f6b141c --- /dev/null +++ b/queue-6.15/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch @@ -0,0 +1,41 @@ +From 3fa840230f534385b34a4f39c8dd313fbe723f05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:09 +0200 +Subject: net: dpaa: fix device leak when querying time stamp info + +From: Johan Hovold + +commit 3fa840230f534385b34a4f39c8dd313fbe723f05 upstream. + +Make sure to drop the reference to the ptp device taken by +of_find_device_by_node() when querying the time stamping capabilities. + +Note that holding a reference to the ptp device does not prevent its +driver data from going away. + +Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool") +Cc: stable@vger.kernel.org # 4.19 +Cc: Yangbo Lu +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-2-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +@@ -401,8 +401,10 @@ static int dpaa_get_ts_info(struct net_d + of_node_put(ptp_node); + } + +- if (ptp_dev) ++ if (ptp_dev) { + ptp = platform_get_drvdata(ptp_dev); ++ put_device(&ptp_dev->dev); ++ } + + if (ptp) + info->phc_index = ptp->phc_index; diff --git a/queue-6.15/net-enetc-fix-device-and-of-node-leak-at-probe.patch b/queue-6.15/net-enetc-fix-device-and-of-node-leak-at-probe.patch new file mode 100644 index 0000000000..5d8cfa1448 --- /dev/null +++ b/queue-6.15/net-enetc-fix-device-and-of-node-leak-at-probe.patch @@ -0,0 +1,58 @@ +From 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:10 +0200 +Subject: net: enetc: fix device and OF node leak at probe + +From: Johan Hovold + +commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed upstream. + +Make sure to drop the references to the IERB OF node and platform device +taken by of_parse_phandle() and of_find_device_by_node() during probe. + +Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block") +Cc: stable@vger.kernel.org # 5.13 +Cc: Vladimir Oltean +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c +@@ -924,19 +924,29 @@ static int enetc_pf_register_with_ierb(s + { + struct platform_device *ierb_pdev; + struct device_node *ierb_node; ++ int ret; + + ierb_node = of_find_compatible_node(NULL, NULL, + "fsl,ls1028a-enetc-ierb"); +- if (!ierb_node || !of_device_is_available(ierb_node)) ++ if (!ierb_node) + return -ENODEV; + ++ if (!of_device_is_available(ierb_node)) { ++ of_node_put(ierb_node); ++ return -ENODEV; ++ } ++ + ierb_pdev = of_find_device_by_node(ierb_node); + of_node_put(ierb_node); + + if (!ierb_pdev) + return -EPROBE_DEFER; + +- return enetc_ierb_register_pf(ierb_pdev, pdev); ++ ret = enetc_ierb_register_pf(ierb_pdev, pdev); ++ ++ put_device(&ierb_pdev->dev); ++ ++ return ret; + } + + static struct enetc_si *enetc_psi_create(struct pci_dev *pdev) diff --git a/queue-6.15/net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch b/queue-6.15/net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch new file mode 100644 index 0000000000..113fc4ab55 --- /dev/null +++ b/queue-6.15/net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch @@ -0,0 +1,47 @@ +From e88fbc30dda1cb7438515303704ceddb3ade4ecd Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Wed, 30 Jul 2025 22:23:23 +0200 +Subject: net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect + +From: Heiner Kallweit + +commit e88fbc30dda1cb7438515303704ceddb3ade4ecd upstream. + +After the call to phy_disconnect() netdev->phydev is reset to NULL. +So fixed_phy_unregister() would be called with a NULL pointer as argument. +Therefore cache the phy_device before this call. + +Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI") +Cc: stable@vger.kernel.org +Signed-off-by: Heiner Kallweit +Reviewed-by: Dawid Osuchowski +Link: https://patch.msgid.link/2b80a77a-06db-4dd7-85dc-3a8e0de55a1d@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/faraday/ftgmac100.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -1730,16 +1730,17 @@ err_register_mdiobus: + static void ftgmac100_phy_disconnect(struct net_device *netdev) + { + struct ftgmac100 *priv = netdev_priv(netdev); ++ struct phy_device *phydev = netdev->phydev; + +- if (!netdev->phydev) ++ if (!phydev) + return; + +- phy_disconnect(netdev->phydev); ++ phy_disconnect(phydev); + if (of_phy_is_fixed_link(priv->dev->of_node)) + of_phy_deregister_fixed_link(priv->dev->of_node); + + if (priv->use_ncsi) +- fixed_phy_unregister(netdev->phydev); ++ fixed_phy_unregister(phydev); + } + + static void ftgmac100_destroy_mdio(struct net_device *netdev) diff --git a/queue-6.15/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch b/queue-6.15/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch new file mode 100644 index 0000000000..1e32ee3dc2 --- /dev/null +++ b/queue-6.15/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch @@ -0,0 +1,41 @@ +From da717540acd34e5056e3fa35791d50f6b3303f55 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:11 +0200 +Subject: net: gianfar: fix device leak when querying time stamp info + +From: Johan Hovold + +commit da717540acd34e5056e3fa35791d50f6b3303f55 upstream. + +Make sure to drop the reference to the ptp device taken by +of_find_device_by_node() when querying the time stamping capabilities. + +Note that holding a reference to the ptp device does not prevent its +driver data from going away. + +Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata") +Cc: stable@vger.kernel.org # 4.18 +Cc: Yangbo Lu +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-4-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c ++++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c +@@ -1466,8 +1466,10 @@ static int gfar_get_ts_info(struct net_d + if (ptp_node) { + ptp_dev = of_find_device_by_node(ptp_node); + of_node_put(ptp_node); +- if (ptp_dev) ++ if (ptp_dev) { + ptp = platform_get_drvdata(ptp_dev); ++ put_device(&ptp_dev->dev); ++ } + } + + if (ptp) diff --git a/queue-6.15/net-mtk_eth_soc-fix-device-leak-at-probe.patch b/queue-6.15/net-mtk_eth_soc-fix-device-leak-at-probe.patch new file mode 100644 index 0000000000..a5b9e77e3f --- /dev/null +++ b/queue-6.15/net-mtk_eth_soc-fix-device-leak-at-probe.patch @@ -0,0 +1,35 @@ +From 3e13274ca8750823e8b68181bdf185d238febe0d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:12 +0200 +Subject: net: mtk_eth_soc: fix device leak at probe + +From: Johan Hovold + +commit 3e13274ca8750823e8b68181bdf185d238febe0d upstream. + +The reference count to the WED devices has already been incremented when +looking them up using of_find_device_by_node() so drop the bogus +additional reference taken during probe. + +Fixes: 804775dfc288 ("net: ethernet: mtk_eth_soc: add support for Wireless Ethernet Dispatch (WED)") +Cc: stable@vger.kernel.org # 5.19 +Cc: Felix Fietkau +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-5-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mediatek/mtk_wed.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/mediatek/mtk_wed.c ++++ b/drivers/net/ethernet/mediatek/mtk_wed.c +@@ -2794,7 +2794,6 @@ void mtk_wed_add_hw(struct device_node * + if (!pdev) + goto err_of_node_put; + +- get_device(&pdev->dev); + irq = platform_get_irq(pdev, 0); + if (irq < 0) + goto err_put_device; diff --git a/queue-6.15/net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch b/queue-6.15/net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch new file mode 100644 index 0000000000..73b981db65 --- /dev/null +++ b/queue-6.15/net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch @@ -0,0 +1,43 @@ +From 49db61c27c4bbd24364086dc0892bd3e14c1502e Mon Sep 17 00:00:00 2001 +From: Florian Larysch +Date: Thu, 24 Jul 2025 00:20:42 +0200 +Subject: net: phy: micrel: fix KSZ8081/KSZ8091 cable test + +From: Florian Larysch + +commit 49db61c27c4bbd24364086dc0892bd3e14c1502e upstream. + +Commit 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 +phy") introduced cable_test support for the LAN8814 that reuses parts of +the KSZ886x logic and introduced the cable_diag_reg and pair_mask +parameters to account for differences between those chips. + +However, it did not update the ksz8081_type struct, so those members are +now 0, causing no pairs to be tested in ksz886x_cable_test_get_status +and ksz886x_cable_test_wait_for_completion to poll the wrong register +for the affected PHYs (Basic Control/Reset, which is 0 in normal +operation) and exit immediately. + +Fix this by setting both struct members accordingly. + +Fixes: 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 phy") +Cc: stable@vger.kernel.org +Signed-off-by: Florian Larysch +Link: https://patch.msgid.link/20250723222250.13960-1-fl@n621.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -472,6 +472,8 @@ static const struct kszphy_type ksz8051_ + + static const struct kszphy_type ksz8081_type = { + .led_mode_reg = MII_KSZPHY_CTRL_2, ++ .cable_diag_reg = KSZ8081_LMD, ++ .pair_mask = KSZPHY_WIRE_PAIR_MASK, + .has_broadcast_disable = true, + .has_nand_tree_disable = true, + .has_rmii_ref_clk_sel = true, diff --git a/queue-6.15/net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch b/queue-6.15/net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch new file mode 100644 index 0000000000..2fb1079055 --- /dev/null +++ b/queue-6.15/net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch @@ -0,0 +1,82 @@ +From e05c54974a05ab19658433545d6ced88d9075cf0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:13 +0200 +Subject: net: ti: icss-iep: fix device and OF node leaks at probe + +From: Johan Hovold + +commit e05c54974a05ab19658433545d6ced88d9075cf0 upstream. + +Make sure to drop the references to the IEP OF node and device taken by +of_parse_phandle() and of_find_device_by_node() when looking up IEP +devices during probe. + +Drop the bogus additional reference taken on successful lookup so that +the device is released correctly by icss_iep_put(). + +Fixes: c1e0230eeaab ("net: ti: icss-iep: Add IEP driver") +Cc: stable@vger.kernel.org # 6.6 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-6-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/icssg/icss_iep.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/ti/icssg/icss_iep.c ++++ b/drivers/net/ethernet/ti/icssg/icss_iep.c +@@ -685,11 +685,17 @@ struct icss_iep *icss_iep_get_idx(struct + struct platform_device *pdev; + struct device_node *iep_np; + struct icss_iep *iep; ++ int ret; + + iep_np = of_parse_phandle(np, "ti,iep", idx); +- if (!iep_np || !of_device_is_available(iep_np)) ++ if (!iep_np) + return ERR_PTR(-ENODEV); + ++ if (!of_device_is_available(iep_np)) { ++ of_node_put(iep_np); ++ return ERR_PTR(-ENODEV); ++ } ++ + pdev = of_find_device_by_node(iep_np); + of_node_put(iep_np); + +@@ -698,21 +704,28 @@ struct icss_iep *icss_iep_get_idx(struct + return ERR_PTR(-EPROBE_DEFER); + + iep = platform_get_drvdata(pdev); +- if (!iep) +- return ERR_PTR(-EPROBE_DEFER); ++ if (!iep) { ++ ret = -EPROBE_DEFER; ++ goto err_put_pdev; ++ } + + device_lock(iep->dev); + if (iep->client_np) { + device_unlock(iep->dev); + dev_err(iep->dev, "IEP is already acquired by %s", + iep->client_np->name); +- return ERR_PTR(-EBUSY); ++ ret = -EBUSY; ++ goto err_put_pdev; + } + iep->client_np = np; + device_unlock(iep->dev); +- get_device(iep->dev); + + return iep; ++ ++err_put_pdev: ++ put_device(&pdev->dev); ++ ++ return ERR_PTR(ret); + } + EXPORT_SYMBOL_GPL(icss_iep_get_idx); + diff --git a/queue-6.15/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch b/queue-6.15/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch new file mode 100644 index 0000000000..8c1e686f9a --- /dev/null +++ b/queue-6.15/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch @@ -0,0 +1,42 @@ +From 4faff70959d51078f9ee8372f8cff0d7045e4114 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Mon, 11 Aug 2025 17:29:31 +0800 +Subject: net: usb: asix_devices: add phy_mask for ax88772 mdio bus + +From: Xu Yang + +commit 4faff70959d51078f9ee8372f8cff0d7045e4114 upstream. + +Without setting phy_mask for ax88772 mdio bus, current driver may create +at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. +DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy +device will bind to net phy driver. This is creating issue during system +suspend/resume since phy_polling_mode() in phy_state_machine() will +directly deference member of phydev->drv for non-main phy devices. Then +NULL pointer dereference issue will occur. Due to only external phy or +internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud +the issue. + +Closes: https://lore.kernel.org/netdev/20250806082931.3289134-1-xu.yang_2@nxp.com +Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support") +Cc: stable@vger.kernel.org +Signed-off-by: Xu Yang +Tested-by: Oleksij Rempel +Reviewed-by: Oleksij Rempel +Link: https://patch.msgid.link/20250811092931.860333-1-xu.yang_2@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/asix_devices.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbn + priv->mdio->read = &asix_mdio_bus_read; + priv->mdio->write = &asix_mdio_bus_write; + priv->mdio->name = "Asix MDIO Bus"; ++ priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR)); + /* mii bus name is usb-- */ + snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d", + dev->udev->bus->busnum, dev->udev->devnum); diff --git a/queue-6.15/net-usb-qmi_wwan-add-telit-cinterion-fn990a-w-audio-composition.patch b/queue-6.15/net-usb-qmi_wwan-add-telit-cinterion-fn990a-w-audio-composition.patch new file mode 100644 index 0000000000..dd9640d3b5 --- /dev/null +++ b/queue-6.15/net-usb-qmi_wwan-add-telit-cinterion-fn990a-w-audio-composition.patch @@ -0,0 +1,74 @@ +From 61aaca8b89fb98be58b8df19f01181bb983cccff Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Fri, 8 Aug 2025 15:31:08 +0200 +Subject: net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabio Porcedda + +commit 61aaca8b89fb98be58b8df19f01181bb983cccff upstream. + +Add the following Telit Cinterion FN990A w/audio composition: + +0x1077: tty (diag) + adb + rmnet + audio + tty (AT/NMEA) + tty (AT) + +tty (AT) + tty (AT) +T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1077 Rev=05.04 +S: Manufacturer=Telit Wireless Solutions +S: Product=FN990 +S: SerialNumber=67e04c35 +C: #Ifs=10 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 0 Cls=01(audio) Sub=01 Prot=20 Driver=snd-usb-audio +I: If#= 4 Alt= 1 #EPs= 1 Cls=01(audio) Sub=02 Prot=20 Driver=snd-usb-audio +E: Ad=03(O) Atr=0d(Isoc) MxPS= 68 Ivl=1ms +I: If#= 5 Alt= 1 #EPs= 1 Cls=01(audio) Sub=02 Prot=20 Driver=snd-usb-audio +E: Ad=84(I) Atr=0d(Isoc) MxPS= 68 Ivl=1ms +I: If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 7 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 9 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8c(I) Atr=03(Int.) MxPS= 10 Ivl=32ms + +Cc: stable@vger.kernel.org +Signed-off-by: Fabio Porcedda +Acked-by: Bjørn Mork +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1361,6 +1361,7 @@ static const struct usb_device_id produc + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1057, 2)}, /* Telit FN980 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990A */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1077, 2)}, /* Telit FN990A w/audio */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990A */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */ diff --git a/queue-6.15/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch b/queue-6.15/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch new file mode 100644 index 0000000000..4c3ea2648b --- /dev/null +++ b/queue-6.15/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch @@ -0,0 +1,80 @@ +From 759dfc7d04bab1b0b86113f1164dc1fec192b859 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Mon, 28 Jul 2025 11:06:47 +0300 +Subject: netlink: avoid infinite retry looping in netlink_unicast() + +From: Fedor Pchelkin + +commit 759dfc7d04bab1b0b86113f1164dc1fec192b859 upstream. + +netlink_attachskb() checks for the socket's read memory allocation +constraints. Firstly, it has: + + rmem < READ_ONCE(sk->sk_rcvbuf) + +to check if the just increased rmem value fits into the socket's receive +buffer. If not, it proceeds and tries to wait for the memory under: + + rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) + +The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is +equal to sk->sk_rcvbuf. Thus the function neither successfully accepts +these conditions, nor manages to reschedule the task - and is called in +retry loop for indefinite time which is caught as: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212 + (t=26000 jiffies g=230833 q=259957) + NMI backtrace for cpu 0 + CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014 + Call Trace: + + dump_stack lib/dump_stack.c:120 + nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105 + nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62 + rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335 + rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590 + update_process_times kernel/time/timer.c:1953 + tick_sched_handle kernel/time/tick-sched.c:227 + tick_sched_timer kernel/time/tick-sched.c:1399 + __hrtimer_run_queues kernel/time/hrtimer.c:1652 + hrtimer_interrupt kernel/time/hrtimer.c:1717 + __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 + asm_call_irq_on_stack arch/x86/entry/entry_64.S:808 + + + netlink_attachskb net/netlink/af_netlink.c:1234 + netlink_unicast net/netlink/af_netlink.c:1349 + kauditd_send_queue kernel/audit.c:776 + kauditd_thread kernel/audit.c:897 + kthread kernel/kthread.c:328 + ret_from_fork arch/x86/entry/entry_64.S:304 + +Restore the original behavior of the check which commit in Fixes +accidentally missed when restructuring the code. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250728080727.255138-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/af_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1218,7 +1218,7 @@ int netlink_attachskb(struct sock *sk, s + nlk = nlk_sk(sk); + rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); + +- if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) && ++ if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) && + !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { + netlink_skb_set_owner_r(skb, sk); + return 0; diff --git a/queue-6.15/revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch b/queue-6.15/revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch new file mode 100644 index 0000000000..0014c2a7b4 --- /dev/null +++ b/queue-6.15/revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch @@ -0,0 +1,98 @@ +From 56bdf7270ff4f870e2d4bfacdc00161e766dba2d Mon Sep 17 00:00:00 2001 +From: David Thompson +Date: Mon, 11 Aug 2025 13:50:44 -0400 +Subject: Revert "gpio: mlxbf3: only get IRQ for device instance 0" + +From: David Thompson + +commit 56bdf7270ff4f870e2d4bfacdc00161e766dba2d upstream. + +This reverts commit 10af0273a35ab4513ca1546644b8c853044da134. + +While this change was merged, it is not the preferred solution. +During review of a similar change to the gpio-mlxbf2 driver, the +use of "platform_get_irq_optional" was identified as the preferred +solution, so let's use it for gpio-mlxbf3 driver as well. + +Cc: stable@vger.kernel.org +Fixes: 10af0273a35a ("gpio: mlxbf3: only get IRQ for device instance 0") +Signed-off-by: David Thompson +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/8d2b630c71b3742f2c74242cf7d602706a6108e6.1754928650.git.davthompson@nvidia.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-mlxbf3.c | 54 +++++++++++++++------------------------------ + 1 file changed, 19 insertions(+), 35 deletions(-) + +--- a/drivers/gpio/gpio-mlxbf3.c ++++ b/drivers/gpio/gpio-mlxbf3.c +@@ -190,9 +190,7 @@ static int mlxbf3_gpio_probe(struct plat + struct mlxbf3_gpio_context *gs; + struct gpio_irq_chip *girq; + struct gpio_chip *gc; +- char *colon_ptr; + int ret, irq; +- long num; + + gs = devm_kzalloc(dev, sizeof(*gs), GFP_KERNEL); + if (!gs) +@@ -229,39 +227,25 @@ static int mlxbf3_gpio_probe(struct plat + gc->owner = THIS_MODULE; + gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges; + +- colon_ptr = strchr(dev_name(dev), ':'); +- if (!colon_ptr) { +- dev_err(dev, "invalid device name format\n"); +- return -EINVAL; +- } +- +- ret = kstrtol(++colon_ptr, 16, &num); +- if (ret) { +- dev_err(dev, "invalid device instance\n"); +- return ret; +- } +- +- if (!num) { +- irq = platform_get_irq(pdev, 0); +- if (irq >= 0) { +- girq = &gs->gc.irq; +- gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip); +- girq->default_type = IRQ_TYPE_NONE; +- /* This will let us handle the parent IRQ in the driver */ +- girq->num_parents = 0; +- girq->parents = NULL; +- girq->parent_handler = NULL; +- girq->handler = handle_bad_irq; +- +- /* +- * Directly request the irq here instead of passing +- * a flow-handler because the irq is shared. +- */ +- ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler, +- IRQF_SHARED, dev_name(dev), gs); +- if (ret) +- return dev_err_probe(dev, ret, "failed to request IRQ"); +- } ++ irq = platform_get_irq(pdev, 0); ++ if (irq >= 0) { ++ girq = &gs->gc.irq; ++ gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip); ++ girq->default_type = IRQ_TYPE_NONE; ++ /* This will let us handle the parent IRQ in the driver */ ++ girq->num_parents = 0; ++ girq->parents = NULL; ++ girq->parent_handler = NULL; ++ girq->handler = handle_bad_irq; ++ ++ /* ++ * Directly request the irq here instead of passing ++ * a flow-handler because the irq is shared. ++ */ ++ ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler, ++ IRQF_SHARED, dev_name(dev), gs); ++ if (ret) ++ return dev_err_probe(dev, ret, "failed to request IRQ"); + } + + platform_set_drvdata(pdev, gs); diff --git a/queue-6.15/revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch b/queue-6.15/revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch new file mode 100644 index 0000000000..732fd4fc2b --- /dev/null +++ b/queue-6.15/revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch @@ -0,0 +1,85 @@ +From 26f732791f2bcab18f59c61915bbe35225f30136 Mon Sep 17 00:00:00 2001 +From: Daniel Golle +Date: Sat, 12 Jul 2025 16:39:21 +0100 +Subject: Revert "leds: trigger: netdev: Configure LED blink interval for HW offload" + +From: Daniel Golle + +commit 26f732791f2bcab18f59c61915bbe35225f30136 upstream. + +This reverts commit c629c972b310af41e9e072febb6dae9a299edde6. + +While .led_blink_set() would previously put an LED into an unconditional +permanently blinking state, the offending commit now uses same operation +to (also?) set the blink timing of the netdev trigger when offloading. + +This breaks many if not all of the existing PHY drivers which offer +offloading LED operations, as those drivers would just put the LED into +blinking state after .led_blink_set() has been called. + +Unfortunately the change even made it into stable kernels for unknown +reasons, so it should be reverted there as well. + +Fixes: c629c972b310a ("leds: trigger: netdev: Configure LED blink interval for HW offload") +Link: https://lore.kernel.org/linux-leds/c6134e26-2e45-4121-aa15-58aaef327201@lunn.ch/T/#m9d6fe81bbcb273e59f12bbedbd633edd32118387 +Suggested-by: Andrew Lunn +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Golle +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/6dcc77ee1c9676891d6250d8994850f521426a0f.1752334655.git.daniel@makrotopia.org +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/trigger/ledtrig-netdev.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +--- a/drivers/leds/trigger/ledtrig-netdev.c ++++ b/drivers/leds/trigger/ledtrig-netdev.c +@@ -68,7 +68,6 @@ struct led_netdev_data { + unsigned int last_activity; + + unsigned long mode; +- unsigned long blink_delay; + int link_speed; + __ETHTOOL_DECLARE_LINK_MODE_MASK(supported_link_modes); + u8 duplex; +@@ -87,10 +86,6 @@ static void set_baseline_state(struct le + /* Already validated, hw control is possible with the requested mode */ + if (trigger_data->hw_control) { + led_cdev->hw_control_set(led_cdev, trigger_data->mode); +- if (led_cdev->blink_set) { +- led_cdev->blink_set(led_cdev, &trigger_data->blink_delay, +- &trigger_data->blink_delay); +- } + + return; + } +@@ -459,11 +454,10 @@ static ssize_t interval_store(struct dev + size_t size) + { + struct led_netdev_data *trigger_data = led_trigger_get_drvdata(dev); +- struct led_classdev *led_cdev = trigger_data->led_cdev; + unsigned long value; + int ret; + +- if (trigger_data->hw_control && !led_cdev->blink_set) ++ if (trigger_data->hw_control) + return -EINVAL; + + ret = kstrtoul(buf, 0, &value); +@@ -472,13 +466,9 @@ static ssize_t interval_store(struct dev + + /* impose some basic bounds on the timer interval */ + if (value >= 5 && value <= 10000) { +- if (trigger_data->hw_control) { +- trigger_data->blink_delay = value; +- } else { +- cancel_delayed_work_sync(&trigger_data->work); ++ cancel_delayed_work_sync(&trigger_data->work); + +- atomic_set(&trigger_data->interval, msecs_to_jiffies(value)); +- } ++ atomic_set(&trigger_data->interval, msecs_to_jiffies(value)); + set_baseline_state(trigger_data); /* resets timer */ + } + diff --git a/queue-6.15/series b/queue-6.15/series new file mode 100644 index 0000000000..d5b071072b --- /dev/null +++ b/queue-6.15/series @@ -0,0 +1,29 @@ +io_uring-don-t-use-int-for-abi.patch +io_uring-export-io_account_mem.patch +io_uring-memmap-cast-nr_pages-to-size_t-before-shifting.patch +io_uring-net-commit-partial-buffers-on-retry.patch +alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch +alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch +alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch +alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch +smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch +smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch +gpio-virtio-fix-config-space-reading.patch +arm64-dts-ti-k3-j722s-evm-fix-usb-gpio-hog-level-for-type-c.patch +media-i2c-set-lt6911uxe-s-reset_gpio-to-gpiod_out_low.patch +gpio-mlxbf2-use-platform_get_irq_optional.patch +revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch +gpio-mlxbf3-use-platform_get_irq_optional.patch +leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch +revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch +netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch +net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch +net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch +net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch +net-enetc-fix-device-and-of-node-leak-at-probe.patch +net-mtk_eth_soc-fix-device-leak-at-probe.patch +net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch +net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch +net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch +net-usb-qmi_wwan-add-telit-cinterion-fn990a-w-audio-composition.patch +fhandle-raise-fileid_is_dir-in-handle_type.patch diff --git a/queue-6.15/smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch b/queue-6.15/smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch new file mode 100644 index 0000000000..0ad9d8e895 --- /dev/null +++ b/queue-6.15/smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch @@ -0,0 +1,52 @@ +From e19d8dd694d261ac26adb2a26121a37c107c81ad Mon Sep 17 00:00:00 2001 +From: Wang Zhaolong +Date: Fri, 1 Aug 2025 17:07:24 +0800 +Subject: smb: client: remove redundant lstrp update in negotiate protocol + +From: Wang Zhaolong + +commit e19d8dd694d261ac26adb2a26121a37c107c81ad upstream. + +Commit 34331d7beed7 ("smb: client: fix first command failure during +re-negotiation") addressed a race condition by updating lstrp before +entering negotiate state. However, this approach may have some unintended +side effects. + +The lstrp field is documented as "when we got last response from this +server", and updating it before actually receiving a server response +could potentially affect other mechanisms that rely on this timestamp. +For example, the SMB echo detection logic also uses lstrp as a reference +point. In scenarios with frequent user operations during reconnect states, +the repeated calls to cifs_negotiate_protocol() might continuously +update lstrp, which could interfere with the echo detection timing. + +Additionally, commit 266b5d02e14f ("smb: client: fix race condition in +negotiate timeout by using more precise timing") introduced a dedicated +neg_start field specifically for tracking negotiate start time. This +provides a more precise solution for the original race condition while +preserving the intended semantics of lstrp. + +Since the race condition is now properly handled by the neg_start +mechanism, the lstrp update in cifs_negotiate_protocol() is no longer +necessary and can be safely removed. + +Fixes: 266b5d02e14f ("smb: client: fix race condition in negotiate timeout by using more precise timing") +Cc: stable@vger.kernel.org +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -4198,7 +4198,6 @@ retry: + return 0; + } + +- server->lstrp = jiffies; + server->tcpStatus = CifsInNegotiate; + server->neg_start = jiffies; + spin_unlock(&server->srv_lock); diff --git a/queue-6.15/smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch b/queue-6.15/smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch new file mode 100644 index 0000000000..1c8e9419da --- /dev/null +++ b/queue-6.15/smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch @@ -0,0 +1,95 @@ +From 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 11 Aug 2025 23:14:55 -0500 +Subject: smb3: fix for slab out of bounds on mount to ksmbd + +From: Steve French + +commit 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc upstream. + +With KASAN enabled, it is possible to get a slab out of bounds +during mount to ksmbd due to missing check in parse_server_interfaces() +(see below): + + BUG: KASAN: slab-out-of-bounds in + parse_server_interfaces+0x14ee/0x1880 [cifs] + Read of size 4 at addr ffff8881433dba98 by task mount/9827 + + CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G + OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) + Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE + Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, + BIOS 2.13.1 06/14/2019 + Call Trace: + + dump_stack_lvl+0x9f/0xf0 + print_report+0xd1/0x670 + __virt_addr_valid+0x22c/0x430 + ? parse_server_interfaces+0x14ee/0x1880 [cifs] + ? kasan_complete_mode_report_info+0x2a/0x1f0 + ? parse_server_interfaces+0x14ee/0x1880 [cifs] + kasan_report+0xd6/0x110 + parse_server_interfaces+0x14ee/0x1880 [cifs] + __asan_report_load_n_noabort+0x13/0x20 + parse_server_interfaces+0x14ee/0x1880 [cifs] + ? __pfx_parse_server_interfaces+0x10/0x10 [cifs] + ? trace_hardirqs_on+0x51/0x60 + SMB3_request_interfaces+0x1ad/0x3f0 [cifs] + ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs] + ? SMB2_tcon+0x23c/0x15d0 [cifs] + smb3_qfs_tcon+0x173/0x2b0 [cifs] + ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] + ? cifs_get_tcon+0x105d/0x2120 [cifs] + ? do_raw_spin_unlock+0x5d/0x200 + ? cifs_get_tcon+0x105d/0x2120 [cifs] + ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] + cifs_mount_get_tcon+0x369/0xb90 [cifs] + ? dfs_cache_find+0xe7/0x150 [cifs] + dfs_mount_share+0x985/0x2970 [cifs] + ? check_path.constprop.0+0x28/0x50 + ? save_trace+0x54/0x370 + ? __pfx_dfs_mount_share+0x10/0x10 [cifs] + ? __lock_acquire+0xb82/0x2ba0 + ? __kasan_check_write+0x18/0x20 + cifs_mount+0xbc/0x9e0 [cifs] + ? __pfx_cifs_mount+0x10/0x10 [cifs] + ? do_raw_spin_unlock+0x5d/0x200 + ? cifs_setup_cifs_sb+0x29d/0x810 [cifs] + cifs_smb3_do_mount+0x263/0x1990 [cifs] + +Reported-by: Namjae Jeon +Tested-by: Namjae Jeon +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -772,6 +772,13 @@ next_iface: + bytes_left -= sizeof(*p); + break; + } ++ /* Validate that Next doesn't point beyond the buffer */ ++ if (next > bytes_left) { ++ cifs_dbg(VFS, "%s: invalid Next pointer %zu > %zd\n", ++ __func__, next, bytes_left); ++ rc = -EINVAL; ++ goto out; ++ } + p = (struct network_interface_info_ioctl_rsp *)((u8 *)p+next); + bytes_left -= next; + } +@@ -783,7 +790,9 @@ next_iface: + } + + /* Azure rounds the buffer size up 8, to a 16 byte boundary */ +- if ((bytes_left > 8) || p->Next) ++ if ((bytes_left > 8) || ++ (bytes_left >= offsetof(struct network_interface_info_ioctl_rsp, Next) ++ + sizeof(p->Next) && p->Next)) + cifs_dbg(VFS, "%s: incomplete interface info\n", __func__); + + ses->iface_last_update = jiffies;