From 8b08d35669a1a440fb0d9a08f690c11b1382b125 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 29 Aug 2025 08:28:29 -0400 Subject: [PATCH] Fixes for all trees Signed-off-by: Sasha Levin --- ...tial-warning-in-trace_printk_seq-dur.patch | 74 ++++++++ ...mfx-add-missing-has_iomem-dependency.patch | 44 +++++ ...correct-sysfs-attributes-access-righ.patch | 49 +++++ queue-5.10/series | 3 + ...acro-correct-tx_macro_component_drv-.patch | 39 ++++ ...tial-warning-in-trace_printk_seq-dur.patch | 74 ++++++++ ...mfx-add-missing-has_iomem-dependency.patch | 44 +++++ ...correct-sysfs-attributes-access-righ.patch | 49 +++++ queue-5.15/series | 4 + ...tial-warning-in-trace_printk_seq-dur.patch | 74 ++++++++ ...mfx-add-missing-has_iomem-dependency.patch | 44 +++++ ...correct-sysfs-attributes-access-righ.patch | 49 +++++ queue-5.4/series | 3 + ...acro-correct-tx_macro_component_drv-.patch | 39 ++++ ...tial-warning-in-trace_printk_seq-dur.patch | 74 ++++++++ ...danube-add-missing-burst-length-prop.patch | 45 +++++ ...iq-xway-sysctrl-rename-the-etop-node.patch | 79 +++++++++ ...mfx-add-missing-has_iomem-dependency.patch | 44 +++++ ...correct-sysfs-attributes-access-righ.patch | 49 +++++ queue-6.1/series | 8 + ...ace-with-concurrent-opens-in-rename-.patch | 88 +++++++++ ...ace-with-concurrent-opens-in-unlink-.patch | 86 +++++++++ ...acro-correct-tx_macro_component_drv-.patch | 39 ++++ ...-context-detection-when-config_debug.patch | 128 ++++++++++++++ ...tial-warning-in-trace_printk_seq-dur.patch | 74 ++++++++ ...danube-add-missing-burst-length-prop.patch | 45 +++++ ...iq-xway-sysctrl-rename-the-etop-node.patch | 79 +++++++++ ...emleak-when-of_pci_add_properties-fa.patch | 47 +++++ ...se-after-free-in-of_changeset_add_pr.patch | 47 +++++ ...mal-fix-ehdr-reading-in-filename__re.patch | 147 +++++++++++++++ ...mfx-add-missing-has_iomem-dependency.patch | 44 +++++ .../rtla-check-pkg-config-install.patch | 56 ++++++ ...correct-sysfs-attributes-access-righ.patch | 49 +++++ queue-6.12/series | 16 ++ ...ace-with-concurrent-opens-in-rename-.patch | 87 +++++++++ ...ace-with-concurrent-opens-in-unlink-.patch | 86 +++++++++ ...y-collector-check-pkg-config-install.patch | 53 ++++++ ...-the-warning-caused-by-missing-unreg.patch | 58 ++++++ ...ctl-for-vhost_-gs-et_fork_from_owner.patch | 57 ++++++ ...acro-correct-tx_macro_component_drv-.patch | 39 ++++ ...c-rt1320-fix-random-cycle-mute-issue.patch | 43 +++++ ...u33-boost-volume-control-not-working.patch | 58 ++++++ ...o-normal-access-if-dax-is-not-suppor.patch | 90 ++++++++++ ...-context-detection-when-config_debug.patch | 128 ++++++++++++++ ...s-in-intermediate-storage-with-entry.patch | 117 ++++++++++++ ...tial-warning-in-trace_printk_seq-dur.patch | 74 ++++++++ ...dd-check-free-worker-before-create-n.patch | 68 +++++++ ...danube-add-missing-burst-length-prop.patch | 45 +++++ ...iq-xway-sysctrl-rename-the-etop-node.patch | 79 +++++++++ ...emleak-when-of_pci_add_properties-fa.patch | 47 +++++ ...se-after-free-in-of_changeset_add_pr.patch | 47 +++++ ...add-missing-ioresource_mem-flag-on-r.patch | 42 +++++ ...ined-behavior-from-stopping-starting.patch | 84 +++++++++ ...mal-fix-ehdr-reading-in-filename__re.patch | 147 +++++++++++++++ ...ix-return-value-in-pinconf-callbacks.patch | 60 +++++++ ...mfx-add-missing-has_iomem-dependency.patch | 44 +++++ ...-reject-shm-region-if-length-is-zero.patch | 53 ++++++ .../rtla-check-pkg-config-install.patch | 56 ++++++ ...correct-sysfs-attributes-access-righ.patch | 49 +++++ queue-6.16/series | 25 +++ ...ace-with-concurrent-opens-in-rename-.patch | 87 +++++++++ ...ace-with-concurrent-opens-in-unlink-.patch | 86 +++++++++ ...y-collector-check-pkg-config-install.patch | 53 ++++++ ...-the-warning-caused-by-missing-unreg.patch | 58 ++++++ ...ctl-for-vhost_-gs-et_fork_from_owner.patch | 57 ++++++ ...acro-correct-tx_macro_component_drv-.patch | 39 ++++ ...-context-detection-when-config_debug.patch | 128 ++++++++++++++ ...tial-warning-in-trace_printk_seq-dur.patch | 74 ++++++++ ...danube-add-missing-burst-length-prop.patch | 45 +++++ ...iq-xway-sysctrl-rename-the-etop-node.patch | 79 +++++++++ ...add-a-helper-to-free-property-struct.patch | 167 ++++++++++++++++++ ...emleak-when-of_pci_add_properties-fa.patch | 47 +++++ ...se-after-free-in-of_changeset_add_pr.patch | 47 +++++ ...mfx-add-missing-has_iomem-dependency.patch | 44 +++++ ...correct-sysfs-attributes-access-righ.patch | 49 +++++ queue-6.6/series | 12 ++ ...ace-with-concurrent-opens-in-rename-.patch | 87 +++++++++ ...ace-with-concurrent-opens-in-unlink-.patch | 86 +++++++++ 78 files changed, 4814 insertions(+) create mode 100644 queue-5.10/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch create mode 100644 queue-5.10/pinctrl-stmfx-add-missing-has_iomem-dependency.patch create mode 100644 queue-5.10/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch create mode 100644 queue-5.10/series create mode 100644 queue-5.15/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch create mode 100644 queue-5.15/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch create mode 100644 queue-5.15/pinctrl-stmfx-add-missing-has_iomem-dependency.patch create mode 100644 queue-5.15/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch create mode 100644 queue-5.15/series create mode 100644 queue-5.4/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch create mode 100644 queue-5.4/pinctrl-stmfx-add-missing-has_iomem-dependency.patch create mode 100644 queue-5.4/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch create mode 100644 queue-5.4/series create mode 100644 queue-6.1/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch create mode 100644 queue-6.1/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch create mode 100644 queue-6.1/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch create mode 100644 queue-6.1/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch create mode 100644 queue-6.1/pinctrl-stmfx-add-missing-has_iomem-dependency.patch create mode 100644 queue-6.1/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch create mode 100644 queue-6.1/series create mode 100644 queue-6.1/smb-client-fix-race-with-concurrent-opens-in-rename-.patch create mode 100644 queue-6.1/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch create mode 100644 queue-6.12/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch create mode 100644 queue-6.12/erofs-fix-atomic-context-detection-when-config_debug.patch create mode 100644 queue-6.12/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch create mode 100644 queue-6.12/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch create mode 100644 queue-6.12/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch create mode 100644 queue-6.12/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch create mode 100644 queue-6.12/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch create mode 100644 queue-6.12/perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch create mode 100644 queue-6.12/pinctrl-stmfx-add-missing-has_iomem-dependency.patch create mode 100644 queue-6.12/rtla-check-pkg-config-install.patch create mode 100644 queue-6.12/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch create mode 100644 queue-6.12/series create mode 100644 queue-6.12/smb-client-fix-race-with-concurrent-opens-in-rename-.patch create mode 100644 queue-6.12/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch create mode 100644 queue-6.12/tools-latency-collector-check-pkg-config-install.patch create mode 100644 queue-6.12/trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch create mode 100644 queue-6.12/vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch create mode 100644 queue-6.16/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch create mode 100644 queue-6.16/asoc-rt1320-fix-random-cycle-mute-issue.patch create mode 100644 queue-6.16/asoc-rt721-fix-fu33-boost-volume-control-not-working.patch create mode 100644 queue-6.16/erofs-fallback-to-normal-access-if-dax-is-not-suppor.patch create mode 100644 queue-6.16/erofs-fix-atomic-context-detection-when-config_debug.patch create mode 100644 queue-6.16/fgraph-copy-args-in-intermediate-storage-with-entry.patch create mode 100644 queue-6.16/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch create mode 100644 queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch create mode 100644 queue-6.16/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch create mode 100644 queue-6.16/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch create mode 100644 queue-6.16/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch create mode 100644 queue-6.16/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch create mode 100644 queue-6.16/of-reserved_mem-add-missing-ioresource_mem-flag-on-r.patch create mode 100644 queue-6.16/perf-avoid-undefined-behavior-from-stopping-starting.patch create mode 100644 queue-6.16/perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch create mode 100644 queue-6.16/pinctrl-airoha-fix-return-value-in-pinconf-callbacks.patch create mode 100644 queue-6.16/pinctrl-stmfx-add-missing-has_iomem-dependency.patch create mode 100644 queue-6.16/revert-virtio-reject-shm-region-if-length-is-zero.patch create mode 100644 queue-6.16/rtla-check-pkg-config-install.patch create mode 100644 queue-6.16/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch create mode 100644 queue-6.16/series create mode 100644 queue-6.16/smb-client-fix-race-with-concurrent-opens-in-rename-.patch create mode 100644 queue-6.16/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch create mode 100644 queue-6.16/tools-latency-collector-check-pkg-config-install.patch create mode 100644 queue-6.16/trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch create mode 100644 queue-6.16/vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch create mode 100644 queue-6.6/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch create mode 100644 queue-6.6/erofs-fix-atomic-context-detection-when-config_debug.patch create mode 100644 queue-6.6/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch create mode 100644 queue-6.6/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch create mode 100644 queue-6.6/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch create mode 100644 queue-6.6/of-add-a-helper-to-free-property-struct.patch create mode 100644 queue-6.6/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch create mode 100644 queue-6.6/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch create mode 100644 queue-6.6/pinctrl-stmfx-add-missing-has_iomem-dependency.patch create mode 100644 queue-6.6/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch create mode 100644 queue-6.6/series create mode 100644 queue-6.6/smb-client-fix-race-with-concurrent-opens-in-rename-.patch create mode 100644 queue-6.6/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch diff --git a/queue-5.10/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch b/queue-5.10/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch new file mode 100644 index 0000000000..d500eb6490 --- /dev/null +++ b/queue-5.10/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch @@ -0,0 +1,74 @@ +From 35a865378acfe71308c2309658b4a0ca11d0fc4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 03:33:43 +0000 +Subject: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump + +From: Tengda Wu + +[ Upstream commit 4013aef2ced9b756a410f50d12df9ebe6a883e4a ] + +When calling ftrace_dump_one() concurrently with reading trace_pipe, +a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race +condition. + +The issue occurs because: + +CPU0 (ftrace_dump) CPU1 (reader) +echo z > /proc/sysrq-trigger + +!trace_empty(&iter) +trace_iterator_reset(&iter) <- len = size = 0 + cat /sys/kernel/tracing/trace_pipe +trace_find_next_entry_inc(&iter) + __find_next_entry + ring_buffer_empty_cpu <- all empty + return NULL + +trace_printk_seq(&iter.seq) + WARN_ON_ONCE(s->seq.len >= s->seq.size) + +In the context between trace_empty() and trace_find_next_entry_inc() +during ftrace_dump, the ring buffer data was consumed by other readers. +This caused trace_find_next_entry_inc to return NULL, failing to populate +`iter.seq`. At this point, due to the prior trace_iterator_reset, both +`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, +the WARN_ON_ONCE condition is triggered. + +Move the trace_printk_seq() into the if block that checks to make sure the +return value of trace_find_next_entry_inc() is non-NULL in +ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before +subsequent operations. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Link: https://lore.kernel.org/20250822033343.3000289-1-wutengda@huaweicloud.com +Fixes: d769041f8653 ("ring_buffer: implement new locking") +Signed-off-by: Tengda Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 0c7aa47fb4d3b..d08320c47a150 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -9617,10 +9617,10 @@ void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) + ret = print_trace_line(&iter); + if (ret != TRACE_TYPE_NO_CONSUME) + trace_consume(&iter); ++ ++ trace_printk_seq(&iter.seq); + } + touch_nmi_watchdog(); +- +- trace_printk_seq(&iter.seq); + } + + if (!cnt) +-- +2.50.1 + diff --git a/queue-5.10/pinctrl-stmfx-add-missing-has_iomem-dependency.patch b/queue-5.10/pinctrl-stmfx-add-missing-has_iomem-dependency.patch new file mode 100644 index 0000000000..b9f8ad96ee --- /dev/null +++ b/queue-5.10/pinctrl-stmfx-add-missing-has_iomem-dependency.patch @@ -0,0 +1,44 @@ +From e1de02fd074aaaf796080c3ac3d381a26bea626f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 19:27:21 -0700 +Subject: pinctrl: STMFX: add missing HAS_IOMEM dependency + +From: Randy Dunlap + +[ Upstream commit a12946bef0407cf2db0899c83d42c47c00af3fbc ] + +When building on ARCH=um (which does not set HAS_IOMEM), kconfig +reports an unmet dependency caused by PINCTRL_STMFX. It selects +MFD_STMFX, which depends on HAS_IOMEM. To stop this warning, +PINCTRL_STMFX should also depend on HAS_IOMEM. + +kconfig warning: +WARNING: unmet direct dependencies detected for MFD_STMFX + Depends on [n]: HAS_IOMEM [=n] && I2C [=y] && OF [=y] + Selected by [y]: + - PINCTRL_STMFX [=y] && PINCTRL [=y] && I2C [=y] && OF_GPIO [=y] + +Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/20250815022721.1650885-1-rdunlap@infradead.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig +index 815095326e2d6..72c27181a4270 100644 +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -268,6 +268,7 @@ config PINCTRL_STMFX + tristate "STMicroelectronics STMFX GPIO expander pinctrl driver" + depends on I2C + depends on OF_GPIO ++ depends on HAS_IOMEM + select GENERIC_PINCONF + select GPIOLIB_IRQCHIP + select MFD_STMFX +-- +2.50.1 + diff --git a/queue-5.10/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch b/queue-5.10/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch new file mode 100644 index 0000000000..13491b8086 --- /dev/null +++ b/queue-5.10/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch @@ -0,0 +1,49 @@ +From e8ccd012e0a2d334be0df05a9d66bdcac6f8806f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 13:17:00 +0900 +Subject: scsi: core: sysfs: Correct sysfs attributes access rights + +From: Damien Le Moal + +[ Upstream commit a2f54ff15c3bdc0132e20aae041607e2320dbd73 ] + +The SCSI sysfs attributes "supported_mode" and "active_mode" do not +define a store method and thus cannot be modified. Correct the +DEVICE_ATTR() call for these two attributes to not include S_IWUSR to +allow write access as they are read-only. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250728041700.76660-1-dlemoal@kernel.org +Reviewed-by: John Garry +Reviewed-by: Johannes Thumshin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index bb37d698da1a1..4992027f125e8 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -264,7 +264,7 @@ show_shost_supported_mode(struct device *dev, struct device_attribute *attr, + return show_shost_mode(supported_mode, buf); + } + +-static DEVICE_ATTR(supported_mode, S_IRUGO | S_IWUSR, show_shost_supported_mode, NULL); ++static DEVICE_ATTR(supported_mode, S_IRUGO, show_shost_supported_mode, NULL); + + static ssize_t + show_shost_active_mode(struct device *dev, +@@ -278,7 +278,7 @@ show_shost_active_mode(struct device *dev, + return show_shost_mode(shost->active_mode, buf); + } + +-static DEVICE_ATTR(active_mode, S_IRUGO | S_IWUSR, show_shost_active_mode, NULL); ++static DEVICE_ATTR(active_mode, S_IRUGO, show_shost_active_mode, NULL); + + static int check_reset_type(const char *str) + { +-- +2.50.1 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 0000000000..5a73c0b3dc --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,3 @@ +pinctrl-stmfx-add-missing-has_iomem-dependency.patch +ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch +scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch diff --git a/queue-5.15/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch b/queue-5.15/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch new file mode 100644 index 0000000000..85f1aac7bc --- /dev/null +++ b/queue-5.15/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch @@ -0,0 +1,39 @@ +From ce34fb883668d9ea7555d8e9a6b8d7ed0720e1c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Aug 2025 15:00:30 +0100 +Subject: ASoC: codecs: tx-macro: correct tx_macro_component_drv name + +From: Alexey Klimov + +[ Upstream commit 43e0da37d5cfb23eec6aeee9422f84d86621ce2b ] + +We already have a component driver named "RX-MACRO", which is +lpass-rx-macro.c. The tx macro component driver's name should +be "TX-MACRO" accordingly. Fix it. + +Cc: Srinivas Kandagatla +Signed-off-by: Alexey Klimov +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20250806140030.691477-1-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-tx-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index 4377e91733b87..095c6dc564465 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -1782,7 +1782,7 @@ static int tx_macro_register_mclk_output(struct tx_macro *tx) + } + + static const struct snd_soc_component_driver tx_macro_component_drv = { +- .name = "RX-MACRO", ++ .name = "TX-MACRO", + .probe = tx_macro_component_probe, + .controls = tx_macro_snd_controls, + .num_controls = ARRAY_SIZE(tx_macro_snd_controls), +-- +2.50.1 + diff --git a/queue-5.15/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch b/queue-5.15/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch new file mode 100644 index 0000000000..158e915380 --- /dev/null +++ b/queue-5.15/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch @@ -0,0 +1,74 @@ +From b3fb98e3e7ba0f4cbfd18e424b5834bd18859e43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 03:33:43 +0000 +Subject: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump + +From: Tengda Wu + +[ Upstream commit 4013aef2ced9b756a410f50d12df9ebe6a883e4a ] + +When calling ftrace_dump_one() concurrently with reading trace_pipe, +a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race +condition. + +The issue occurs because: + +CPU0 (ftrace_dump) CPU1 (reader) +echo z > /proc/sysrq-trigger + +!trace_empty(&iter) +trace_iterator_reset(&iter) <- len = size = 0 + cat /sys/kernel/tracing/trace_pipe +trace_find_next_entry_inc(&iter) + __find_next_entry + ring_buffer_empty_cpu <- all empty + return NULL + +trace_printk_seq(&iter.seq) + WARN_ON_ONCE(s->seq.len >= s->seq.size) + +In the context between trace_empty() and trace_find_next_entry_inc() +during ftrace_dump, the ring buffer data was consumed by other readers. +This caused trace_find_next_entry_inc to return NULL, failing to populate +`iter.seq`. At this point, due to the prior trace_iterator_reset, both +`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, +the WARN_ON_ONCE condition is triggered. + +Move the trace_printk_seq() into the if block that checks to make sure the +return value of trace_find_next_entry_inc() is non-NULL in +ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before +subsequent operations. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Link: https://lore.kernel.org/20250822033343.3000289-1-wutengda@huaweicloud.com +Fixes: d769041f8653 ("ring_buffer: implement new locking") +Signed-off-by: Tengda Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 23f6a9941be1d..7af8bbc57531c 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -10122,10 +10122,10 @@ void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) + ret = print_trace_line(&iter); + if (ret != TRACE_TYPE_NO_CONSUME) + trace_consume(&iter); ++ ++ trace_printk_seq(&iter.seq); + } + touch_nmi_watchdog(); +- +- trace_printk_seq(&iter.seq); + } + + if (!cnt) +-- +2.50.1 + diff --git a/queue-5.15/pinctrl-stmfx-add-missing-has_iomem-dependency.patch b/queue-5.15/pinctrl-stmfx-add-missing-has_iomem-dependency.patch new file mode 100644 index 0000000000..9d91152c1b --- /dev/null +++ b/queue-5.15/pinctrl-stmfx-add-missing-has_iomem-dependency.patch @@ -0,0 +1,44 @@ +From 76bbb6c84be0913879ed7c4287dc2cd7c85a814f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 19:27:21 -0700 +Subject: pinctrl: STMFX: add missing HAS_IOMEM dependency + +From: Randy Dunlap + +[ Upstream commit a12946bef0407cf2db0899c83d42c47c00af3fbc ] + +When building on ARCH=um (which does not set HAS_IOMEM), kconfig +reports an unmet dependency caused by PINCTRL_STMFX. It selects +MFD_STMFX, which depends on HAS_IOMEM. To stop this warning, +PINCTRL_STMFX should also depend on HAS_IOMEM. + +kconfig warning: +WARNING: unmet direct dependencies detected for MFD_STMFX + Depends on [n]: HAS_IOMEM [=n] && I2C [=y] && OF [=y] + Selected by [y]: + - PINCTRL_STMFX [=y] && PINCTRL [=y] && I2C [=y] && OF_GPIO [=y] + +Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/20250815022721.1650885-1-rdunlap@infradead.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig +index 31921108e4569..546a8f1bb10bc 100644 +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -269,6 +269,7 @@ config PINCTRL_STMFX + tristate "STMicroelectronics STMFX GPIO expander pinctrl driver" + depends on I2C + depends on OF_GPIO ++ depends on HAS_IOMEM + select GENERIC_PINCONF + select GPIOLIB_IRQCHIP + select MFD_STMFX +-- +2.50.1 + diff --git a/queue-5.15/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch b/queue-5.15/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch new file mode 100644 index 0000000000..4ac76c3929 --- /dev/null +++ b/queue-5.15/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch @@ -0,0 +1,49 @@ +From 45e62da232c1d95364ef23e1ffeb87cef9b2a70e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 13:17:00 +0900 +Subject: scsi: core: sysfs: Correct sysfs attributes access rights + +From: Damien Le Moal + +[ Upstream commit a2f54ff15c3bdc0132e20aae041607e2320dbd73 ] + +The SCSI sysfs attributes "supported_mode" and "active_mode" do not +define a store method and thus cannot be modified. Correct the +DEVICE_ATTR() call for these two attributes to not include S_IWUSR to +allow write access as they are read-only. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250728041700.76660-1-dlemoal@kernel.org +Reviewed-by: John Garry +Reviewed-by: Johannes Thumshin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index 4c72116c8693c..7d3cbf4e6bc6e 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -265,7 +265,7 @@ show_shost_supported_mode(struct device *dev, struct device_attribute *attr, + return show_shost_mode(supported_mode, buf); + } + +-static DEVICE_ATTR(supported_mode, S_IRUGO | S_IWUSR, show_shost_supported_mode, NULL); ++static DEVICE_ATTR(supported_mode, S_IRUGO, show_shost_supported_mode, NULL); + + static ssize_t + show_shost_active_mode(struct device *dev, +@@ -279,7 +279,7 @@ show_shost_active_mode(struct device *dev, + return show_shost_mode(shost->active_mode, buf); + } + +-static DEVICE_ATTR(active_mode, S_IRUGO | S_IWUSR, show_shost_active_mode, NULL); ++static DEVICE_ATTR(active_mode, S_IRUGO, show_shost_active_mode, NULL); + + static int check_reset_type(const char *str) + { +-- +2.50.1 + diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 0000000000..840dd32b34 --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1,4 @@ +pinctrl-stmfx-add-missing-has_iomem-dependency.patch +ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch +scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch +asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch diff --git a/queue-5.4/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch b/queue-5.4/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch new file mode 100644 index 0000000000..c9648c35c9 --- /dev/null +++ b/queue-5.4/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch @@ -0,0 +1,74 @@ +From da20ba7b21e3a31d35f46e7dd447a0588550dd05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 03:33:43 +0000 +Subject: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump + +From: Tengda Wu + +[ Upstream commit 4013aef2ced9b756a410f50d12df9ebe6a883e4a ] + +When calling ftrace_dump_one() concurrently with reading trace_pipe, +a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race +condition. + +The issue occurs because: + +CPU0 (ftrace_dump) CPU1 (reader) +echo z > /proc/sysrq-trigger + +!trace_empty(&iter) +trace_iterator_reset(&iter) <- len = size = 0 + cat /sys/kernel/tracing/trace_pipe +trace_find_next_entry_inc(&iter) + __find_next_entry + ring_buffer_empty_cpu <- all empty + return NULL + +trace_printk_seq(&iter.seq) + WARN_ON_ONCE(s->seq.len >= s->seq.size) + +In the context between trace_empty() and trace_find_next_entry_inc() +during ftrace_dump, the ring buffer data was consumed by other readers. +This caused trace_find_next_entry_inc to return NULL, failing to populate +`iter.seq`. At this point, due to the prior trace_iterator_reset, both +`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, +the WARN_ON_ONCE condition is triggered. + +Move the trace_printk_seq() into the if block that checks to make sure the +return value of trace_find_next_entry_inc() is non-NULL in +ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before +subsequent operations. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Link: https://lore.kernel.org/20250822033343.3000289-1-wutengda@huaweicloud.com +Fixes: d769041f8653 ("ring_buffer: implement new locking") +Signed-off-by: Tengda Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 26b17776e8d24..54601c3ecbe59 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -9166,10 +9166,10 @@ void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) + ret = print_trace_line(&iter); + if (ret != TRACE_TYPE_NO_CONSUME) + trace_consume(&iter); ++ ++ trace_printk_seq(&iter.seq); + } + touch_nmi_watchdog(); +- +- trace_printk_seq(&iter.seq); + } + + if (!cnt) +-- +2.50.1 + diff --git a/queue-5.4/pinctrl-stmfx-add-missing-has_iomem-dependency.patch b/queue-5.4/pinctrl-stmfx-add-missing-has_iomem-dependency.patch new file mode 100644 index 0000000000..2976d2f062 --- /dev/null +++ b/queue-5.4/pinctrl-stmfx-add-missing-has_iomem-dependency.patch @@ -0,0 +1,44 @@ +From f52b116694a86368e728c7e260570da6f3d63f86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 19:27:21 -0700 +Subject: pinctrl: STMFX: add missing HAS_IOMEM dependency + +From: Randy Dunlap + +[ Upstream commit a12946bef0407cf2db0899c83d42c47c00af3fbc ] + +When building on ARCH=um (which does not set HAS_IOMEM), kconfig +reports an unmet dependency caused by PINCTRL_STMFX. It selects +MFD_STMFX, which depends on HAS_IOMEM. To stop this warning, +PINCTRL_STMFX should also depend on HAS_IOMEM. + +kconfig warning: +WARNING: unmet direct dependencies detected for MFD_STMFX + Depends on [n]: HAS_IOMEM [=n] && I2C [=y] && OF [=y] + Selected by [y]: + - PINCTRL_STMFX [=y] && PINCTRL [=y] && I2C [=y] && OF_GPIO [=y] + +Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/20250815022721.1650885-1-rdunlap@infradead.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig +index b372419d61f26..57426dc52f9f0 100644 +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -278,6 +278,7 @@ config PINCTRL_STMFX + tristate "STMicroelectronics STMFX GPIO expander pinctrl driver" + depends on I2C + depends on OF_GPIO ++ depends on HAS_IOMEM + select GENERIC_PINCONF + select GPIOLIB_IRQCHIP + select MFD_STMFX +-- +2.50.1 + diff --git a/queue-5.4/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch b/queue-5.4/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch new file mode 100644 index 0000000000..969bdf3a78 --- /dev/null +++ b/queue-5.4/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch @@ -0,0 +1,49 @@ +From 07a61b4afcdabcf1e21c66e27b73327f26584733 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 13:17:00 +0900 +Subject: scsi: core: sysfs: Correct sysfs attributes access rights + +From: Damien Le Moal + +[ Upstream commit a2f54ff15c3bdc0132e20aae041607e2320dbd73 ] + +The SCSI sysfs attributes "supported_mode" and "active_mode" do not +define a store method and thus cannot be modified. Correct the +DEVICE_ATTR() call for these two attributes to not include S_IWUSR to +allow write access as they are read-only. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250728041700.76660-1-dlemoal@kernel.org +Reviewed-by: John Garry +Reviewed-by: Johannes Thumshin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index 530b14685fd71..8949848fe6a74 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -264,7 +264,7 @@ show_shost_supported_mode(struct device *dev, struct device_attribute *attr, + return show_shost_mode(supported_mode, buf); + } + +-static DEVICE_ATTR(supported_mode, S_IRUGO | S_IWUSR, show_shost_supported_mode, NULL); ++static DEVICE_ATTR(supported_mode, S_IRUGO, show_shost_supported_mode, NULL); + + static ssize_t + show_shost_active_mode(struct device *dev, +@@ -278,7 +278,7 @@ show_shost_active_mode(struct device *dev, + return show_shost_mode(shost->active_mode, buf); + } + +-static DEVICE_ATTR(active_mode, S_IRUGO | S_IWUSR, show_shost_active_mode, NULL); ++static DEVICE_ATTR(active_mode, S_IRUGO, show_shost_active_mode, NULL); + + static int check_reset_type(const char *str) + { +-- +2.50.1 + diff --git a/queue-5.4/series b/queue-5.4/series new file mode 100644 index 0000000000..5a73c0b3dc --- /dev/null +++ b/queue-5.4/series @@ -0,0 +1,3 @@ +pinctrl-stmfx-add-missing-has_iomem-dependency.patch +ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch +scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch diff --git a/queue-6.1/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch b/queue-6.1/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch new file mode 100644 index 0000000000..e73f203c9f --- /dev/null +++ b/queue-6.1/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch @@ -0,0 +1,39 @@ +From dbe24a11436fcab9f43d0423308d13742c1935b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Aug 2025 15:00:30 +0100 +Subject: ASoC: codecs: tx-macro: correct tx_macro_component_drv name + +From: Alexey Klimov + +[ Upstream commit 43e0da37d5cfb23eec6aeee9422f84d86621ce2b ] + +We already have a component driver named "RX-MACRO", which is +lpass-rx-macro.c. The tx macro component driver's name should +be "TX-MACRO" accordingly. Fix it. + +Cc: Srinivas Kandagatla +Signed-off-by: Alexey Klimov +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20250806140030.691477-1-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-tx-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index 840bbe991cd3a..aef2897e00fef 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -1795,7 +1795,7 @@ static int tx_macro_register_mclk_output(struct tx_macro *tx) + } + + static const struct snd_soc_component_driver tx_macro_component_drv = { +- .name = "RX-MACRO", ++ .name = "TX-MACRO", + .probe = tx_macro_component_probe, + .controls = tx_macro_snd_controls, + .num_controls = ARRAY_SIZE(tx_macro_snd_controls), +-- +2.50.1 + diff --git a/queue-6.1/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch b/queue-6.1/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch new file mode 100644 index 0000000000..d35ed3b5c3 --- /dev/null +++ b/queue-6.1/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch @@ -0,0 +1,74 @@ +From 608c84e30f570b1b8047e8d7e36ecd728a10980f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 03:33:43 +0000 +Subject: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump + +From: Tengda Wu + +[ Upstream commit 4013aef2ced9b756a410f50d12df9ebe6a883e4a ] + +When calling ftrace_dump_one() concurrently with reading trace_pipe, +a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race +condition. + +The issue occurs because: + +CPU0 (ftrace_dump) CPU1 (reader) +echo z > /proc/sysrq-trigger + +!trace_empty(&iter) +trace_iterator_reset(&iter) <- len = size = 0 + cat /sys/kernel/tracing/trace_pipe +trace_find_next_entry_inc(&iter) + __find_next_entry + ring_buffer_empty_cpu <- all empty + return NULL + +trace_printk_seq(&iter.seq) + WARN_ON_ONCE(s->seq.len >= s->seq.size) + +In the context between trace_empty() and trace_find_next_entry_inc() +during ftrace_dump, the ring buffer data was consumed by other readers. +This caused trace_find_next_entry_inc to return NULL, failing to populate +`iter.seq`. At this point, due to the prior trace_iterator_reset, both +`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, +the WARN_ON_ONCE condition is triggered. + +Move the trace_printk_seq() into the if block that checks to make sure the +return value of trace_find_next_entry_inc() is non-NULL in +ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before +subsequent operations. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Link: https://lore.kernel.org/20250822033343.3000289-1-wutengda@huaweicloud.com +Fixes: d769041f8653 ("ring_buffer: implement new locking") +Signed-off-by: Tengda Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 874f869ae72e6..7e8ab09d98cc7 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -10183,10 +10183,10 @@ void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) + ret = print_trace_line(&iter); + if (ret != TRACE_TYPE_NO_CONSUME) + trace_consume(&iter); ++ ++ trace_printk_seq(&iter.seq); + } + touch_nmi_watchdog(); +- +- trace_printk_seq(&iter.seq); + } + + if (!cnt) +-- +2.50.1 + diff --git a/queue-6.1/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch b/queue-6.1/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch new file mode 100644 index 0000000000..b06d4d4997 --- /dev/null +++ b/queue-6.1/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch @@ -0,0 +1,45 @@ +From 4497fa485c3ab73fc60b17f3a4f7b565bf4d6f70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Aug 2025 14:49:06 +0200 +Subject: mips: dts: lantiq: danube: add missing burst length property + +From: Aleksander Jan Bajkowski + +[ Upstream commit 7b28232921782aa38048249132899c337405eaa8 ] + +The upstream dts lacks the lantiq,{rx/tx}-burst-length property. Other +issues were also fixed: +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'interrupt-names' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'lantiq,tx-burst-length' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'lantiq,rx-burst-length' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# + +Fixes: 14d4e308e0aa ("net: lantiq: configure the burst length in ethernet drivers") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/boot/dts/lantiq/danube_easy50712.dts b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +index 1ce20b7d05cb8..d8b3cd69eda3c 100644 +--- a/arch/mips/boot/dts/lantiq/danube_easy50712.dts ++++ b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +@@ -87,8 +87,11 @@ etop@e180000 { + reg = <0xe180000 0x40000>; + interrupt-parent = <&icu0>; + interrupts = <73 78>; ++ interrupt-names = "tx", "rx"; + phy-mode = "rmii"; + mac-address = [ 00 11 22 33 44 55 ]; ++ lantiq,rx-burst-length = <4>; ++ lantiq,tx-burst-length = <4>; + }; + + stp0: stp@e100bb0 { +-- +2.50.1 + diff --git a/queue-6.1/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch b/queue-6.1/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch new file mode 100644 index 0000000000..de0ada6c1f --- /dev/null +++ b/queue-6.1/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch @@ -0,0 +1,79 @@ +From 5f94fcf98cb55cbc98b42c734ae7a266e9619cfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Aug 2025 14:49:07 +0200 +Subject: mips: lantiq: xway: sysctrl: rename the etop node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksander Jan Bajkowski + +[ Upstream commit 8c431ea8f3f795c4b9cfa57a85bc4166b9cce0ac ] + +Bindig requires a node name matching ‘^ethernet@[0-9a-f]+$’. This patch +changes the clock name from “etop” to “ethernet”. + +This fixes the following warning: +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): $nodename:0: 'etop@e180000' does not match '^ethernet@[0-9a-f]+$' + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# + +Fixes: dac0bad93741 ("dt-bindings: net: lantiq,etop-xway: Document Lantiq Xway ETOP bindings") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 2 +- + arch/mips/lantiq/xway/sysctrl.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/mips/boot/dts/lantiq/danube_easy50712.dts b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +index d8b3cd69eda3c..c4d7aa5753b04 100644 +--- a/arch/mips/boot/dts/lantiq/danube_easy50712.dts ++++ b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +@@ -82,7 +82,7 @@ conf_out { + }; + }; + +- etop@e180000 { ++ ethernet@e180000 { + compatible = "lantiq,etop-xway"; + reg = <0xe180000 0x40000>; + interrupt-parent = <&icu0>; +diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c +index d444a1b98a724..edf914393ad96 100644 +--- a/arch/mips/lantiq/xway/sysctrl.c ++++ b/arch/mips/lantiq/xway/sysctrl.c +@@ -479,7 +479,7 @@ void __init ltq_soc_init(void) + ifccr = CGU_IFCCR_VR9; + pcicr = CGU_PCICR_VR9; + } else { +- clkdev_add_pmu("1e180000.etop", NULL, 1, 0, PMU_PPE); ++ clkdev_add_pmu("1e180000.ethernet", NULL, 1, 0, PMU_PPE); + } + + if (!of_machine_is_compatible("lantiq,ase")) +@@ -513,9 +513,9 @@ void __init ltq_soc_init(void) + CLOCK_133M, CLOCK_133M); + clkdev_add_pmu("1e101000.usb", "otg", 1, 0, PMU_USB0); + clkdev_add_pmu("1f203018.usb2-phy", "phy", 1, 0, PMU_USB0_P); +- clkdev_add_pmu("1e180000.etop", "ppe", 1, 0, PMU_PPE); +- clkdev_add_cgu("1e180000.etop", "ephycgu", CGU_EPHY); +- clkdev_add_pmu("1e180000.etop", "ephy", 1, 0, PMU_EPHY); ++ clkdev_add_pmu("1e180000.ethernet", "ppe", 1, 0, PMU_PPE); ++ clkdev_add_cgu("1e180000.ethernet", "ephycgu", CGU_EPHY); ++ clkdev_add_pmu("1e180000.ethernet", "ephy", 1, 0, PMU_EPHY); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_ASE_SDIO); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); + } else if (of_machine_is_compatible("lantiq,grx390")) { +@@ -574,7 +574,7 @@ void __init ltq_soc_init(void) + clkdev_add_pmu("1e101000.usb", "otg", 1, 0, PMU_USB0 | PMU_AHBM); + clkdev_add_pmu("1f203034.usb2-phy", "phy", 1, 0, PMU_USB1_P); + clkdev_add_pmu("1e106000.usb", "otg", 1, 0, PMU_USB1 | PMU_AHBM); +- clkdev_add_pmu("1e180000.etop", "switch", 1, 0, PMU_SWITCH); ++ clkdev_add_pmu("1e180000.ethernet", "switch", 1, 0, PMU_SWITCH); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_SDIO); + clkdev_add_pmu("1e103100.deu", NULL, 1, 0, PMU_DEU); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); +-- +2.50.1 + diff --git a/queue-6.1/pinctrl-stmfx-add-missing-has_iomem-dependency.patch b/queue-6.1/pinctrl-stmfx-add-missing-has_iomem-dependency.patch new file mode 100644 index 0000000000..aa14924933 --- /dev/null +++ b/queue-6.1/pinctrl-stmfx-add-missing-has_iomem-dependency.patch @@ -0,0 +1,44 @@ +From c22e7e598a638aee700f76c908a9640ed42bf19b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 19:27:21 -0700 +Subject: pinctrl: STMFX: add missing HAS_IOMEM dependency + +From: Randy Dunlap + +[ Upstream commit a12946bef0407cf2db0899c83d42c47c00af3fbc ] + +When building on ARCH=um (which does not set HAS_IOMEM), kconfig +reports an unmet dependency caused by PINCTRL_STMFX. It selects +MFD_STMFX, which depends on HAS_IOMEM. To stop this warning, +PINCTRL_STMFX should also depend on HAS_IOMEM. + +kconfig warning: +WARNING: unmet direct dependencies detected for MFD_STMFX + Depends on [n]: HAS_IOMEM [=n] && I2C [=y] && OF [=y] + Selected by [y]: + - PINCTRL_STMFX [=y] && PINCTRL [=y] && I2C [=y] && OF_GPIO [=y] + +Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/20250815022721.1650885-1-rdunlap@infradead.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig +index f71fefff400f5..6d61be061ff54 100644 +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -438,6 +438,7 @@ config PINCTRL_STMFX + tristate "STMicroelectronics STMFX GPIO expander pinctrl driver" + depends on I2C + depends on OF_GPIO ++ depends on HAS_IOMEM + select GENERIC_PINCONF + select GPIOLIB_IRQCHIP + select MFD_STMFX +-- +2.50.1 + diff --git a/queue-6.1/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch b/queue-6.1/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch new file mode 100644 index 0000000000..e670181957 --- /dev/null +++ b/queue-6.1/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch @@ -0,0 +1,49 @@ +From 685772e0ae72476296750a80fa85ea0506ba2117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 13:17:00 +0900 +Subject: scsi: core: sysfs: Correct sysfs attributes access rights + +From: Damien Le Moal + +[ Upstream commit a2f54ff15c3bdc0132e20aae041607e2320dbd73 ] + +The SCSI sysfs attributes "supported_mode" and "active_mode" do not +define a store method and thus cannot be modified. Correct the +DEVICE_ATTR() call for these two attributes to not include S_IWUSR to +allow write access as they are read-only. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250728041700.76660-1-dlemoal@kernel.org +Reviewed-by: John Garry +Reviewed-by: Johannes Thumshin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index 1f531063d6331..456b92c3a7811 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -265,7 +265,7 @@ show_shost_supported_mode(struct device *dev, struct device_attribute *attr, + return show_shost_mode(supported_mode, buf); + } + +-static DEVICE_ATTR(supported_mode, S_IRUGO | S_IWUSR, show_shost_supported_mode, NULL); ++static DEVICE_ATTR(supported_mode, S_IRUGO, show_shost_supported_mode, NULL); + + static ssize_t + show_shost_active_mode(struct device *dev, +@@ -279,7 +279,7 @@ show_shost_active_mode(struct device *dev, + return show_shost_mode(shost->active_mode, buf); + } + +-static DEVICE_ATTR(active_mode, S_IRUGO | S_IWUSR, show_shost_active_mode, NULL); ++static DEVICE_ATTR(active_mode, S_IRUGO, show_shost_active_mode, NULL); + + static int check_reset_type(const char *str) + { +-- +2.50.1 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..25f2e86de9 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,8 @@ +pinctrl-stmfx-add-missing-has_iomem-dependency.patch +mips-dts-lantiq-danube-add-missing-burst-length-prop.patch +mips-lantiq-xway-sysctrl-rename-the-etop-node.patch +ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch +scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch +smb-client-fix-race-with-concurrent-opens-in-unlink-.patch +smb-client-fix-race-with-concurrent-opens-in-rename-.patch +asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch diff --git a/queue-6.1/smb-client-fix-race-with-concurrent-opens-in-rename-.patch b/queue-6.1/smb-client-fix-race-with-concurrent-opens-in-rename-.patch new file mode 100644 index 0000000000..cc68e758e7 --- /dev/null +++ b/queue-6.1/smb-client-fix-race-with-concurrent-opens-in-rename-.patch @@ -0,0 +1,88 @@ +From 4c67c5fd8c58b020651bb5cba4c21f4ed0db6084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 11:43:29 -0300 +Subject: smb: client: fix race with concurrent opens in rename(2) + +From: Paulo Alcantara + +[ Upstream commit d84291fc7453df7881a970716f8256273aca5747 ] + +Besides sending the rename request to the server, the rename process +also involves closing any deferred close, waiting for outstanding I/O +to complete as well as marking all existing open handles as deleted to +prevent them from deferring closes, which increases the race window +for potential concurrent opens on the target file. + +Fix this by unhashing the dentry in advance to prevent any concurrent +opens on the target. + +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Al Viro +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index ffc05ebc92f43..f3ed5134ecfa9 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -2165,6 +2165,7 @@ cifs_rename2(struct user_namespace *mnt_userns, struct inode *source_dir, + struct cifs_sb_info *cifs_sb; + struct tcon_link *tlink; + struct cifs_tcon *tcon; ++ bool rehash = false; + unsigned int xid; + int rc, tmprc; + int retry_count = 0; +@@ -2180,6 +2181,17 @@ cifs_rename2(struct user_namespace *mnt_userns, struct inode *source_dir, + if (unlikely(cifs_forced_shutdown(cifs_sb))) + return -EIO; + ++ /* ++ * Prevent any concurrent opens on the target by unhashing the dentry. ++ * VFS already unhashes the target when renaming directories. ++ */ ++ if (d_is_positive(target_dentry) && !d_is_dir(target_dentry)) { ++ if (!d_unhashed(target_dentry)) { ++ d_drop(target_dentry); ++ rehash = true; ++ } ++ } ++ + tlink = cifs_sb_tlink(cifs_sb); + if (IS_ERR(tlink)) + return PTR_ERR(tlink); +@@ -2219,6 +2231,8 @@ cifs_rename2(struct user_namespace *mnt_userns, struct inode *source_dir, + } + } + ++ if (!rc) ++ rehash = false; + /* + * No-replace is the natural behavior for CIFS, so skip unlink hacks. + */ +@@ -2277,6 +2291,8 @@ cifs_rename2(struct user_namespace *mnt_userns, struct inode *source_dir, + goto cifs_rename_exit; + rc = cifs_do_rename(xid, source_dentry, from_name, + target_dentry, to_name); ++ if (!rc) ++ rehash = false; + } + + /* force revalidate to go get info when needed */ +@@ -2286,6 +2302,8 @@ cifs_rename2(struct user_namespace *mnt_userns, struct inode *source_dir, + target_dir->i_mtime = current_time(source_dir); + + cifs_rename_exit: ++ if (rehash) ++ d_rehash(target_dentry); + kfree(info_buf_source); + free_dentry_path(page2); + free_dentry_path(page1); +-- +2.50.1 + diff --git a/queue-6.1/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch b/queue-6.1/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch new file mode 100644 index 0000000000..24b50df13e --- /dev/null +++ b/queue-6.1/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch @@ -0,0 +1,86 @@ +From bf1db1b439282a37ebd8990537ffbccbf5b9a673 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 12:20:17 -0300 +Subject: smb: client: fix race with concurrent opens in unlink(2) + +From: Paulo Alcantara + +[ Upstream commit 0af1561b2d60bab2a2b00720a5c7b292ecc549ec ] + +According to some logs reported by customers, CIFS client might end up +reporting unlinked files as existing in stat(2) due to concurrent +opens racing with unlink(2). + +Besides sending the removal request to the server, the unlink process +could involve closing any deferred close as well as marking all +existing open handles as deleted to prevent them from deferring +closes, which increases the race window for potential concurrent +opens. + +Fix this by unhashing the dentry in cifs_unlink() to prevent any +subsequent opens. Any open attempts, while we're still unlinking, +will block on parent's i_rwsem. + +Reported-by: Jay Shin +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Al Viro +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index 634f28f0d331e..ffc05ebc92f43 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1649,15 +1649,24 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + struct cifs_sb_info *cifs_sb = CIFS_SB(sb); + struct tcon_link *tlink; + struct cifs_tcon *tcon; ++ __u32 dosattr = 0, origattr = 0; + struct TCP_Server_Info *server; + struct iattr *attrs = NULL; +- __u32 dosattr = 0, origattr = 0; ++ bool rehash = false; + + cifs_dbg(FYI, "cifs_unlink, dir=0x%p, dentry=0x%p\n", dir, dentry); + + if (unlikely(cifs_forced_shutdown(cifs_sb))) + return -EIO; + ++ /* Unhash dentry in advance to prevent any concurrent opens */ ++ spin_lock(&dentry->d_lock); ++ if (!d_unhashed(dentry)) { ++ __d_drop(dentry); ++ rehash = true; ++ } ++ spin_unlock(&dentry->d_lock); ++ + tlink = cifs_sb_tlink(cifs_sb); + if (IS_ERR(tlink)) + return PTR_ERR(tlink); +@@ -1706,7 +1715,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + if (inode) + cifs_drop_nlink(inode); + } else if (rc == -ENOENT) { +- d_drop(dentry); ++ if (simple_positive(dentry)) ++ d_delete(dentry); + } else if (rc == -EBUSY) { + if (server->ops->rename_pending_delete) { + rc = server->ops->rename_pending_delete(full_path, +@@ -1757,6 +1767,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + kfree(attrs); + free_xid(xid); + cifs_put_tlink(tlink); ++ if (rehash) ++ d_rehash(dentry); + return rc; + } + +-- +2.50.1 + diff --git a/queue-6.12/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch b/queue-6.12/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch new file mode 100644 index 0000000000..917a3c5eb2 --- /dev/null +++ b/queue-6.12/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch @@ -0,0 +1,39 @@ +From d47c29486a30957498ee7a2bab3902cca4e180ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Aug 2025 15:00:30 +0100 +Subject: ASoC: codecs: tx-macro: correct tx_macro_component_drv name + +From: Alexey Klimov + +[ Upstream commit 43e0da37d5cfb23eec6aeee9422f84d86621ce2b ] + +We already have a component driver named "RX-MACRO", which is +lpass-rx-macro.c. The tx macro component driver's name should +be "TX-MACRO" accordingly. Fix it. + +Cc: Srinivas Kandagatla +Signed-off-by: Alexey Klimov +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20250806140030.691477-1-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-tx-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index a134584acf909..74e69572796b5 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -2230,7 +2230,7 @@ static int tx_macro_register_mclk_output(struct tx_macro *tx) + } + + static const struct snd_soc_component_driver tx_macro_component_drv = { +- .name = "RX-MACRO", ++ .name = "TX-MACRO", + .probe = tx_macro_component_probe, + .controls = tx_macro_snd_controls, + .num_controls = ARRAY_SIZE(tx_macro_snd_controls), +-- +2.50.1 + diff --git a/queue-6.12/erofs-fix-atomic-context-detection-when-config_debug.patch b/queue-6.12/erofs-fix-atomic-context-detection-when-config_debug.patch new file mode 100644 index 0000000000..b80053cdbe --- /dev/null +++ b/queue-6.12/erofs-fix-atomic-context-detection-when-config_debug.patch @@ -0,0 +1,128 @@ +From a58af62783a6443c2e0ed3e5b10e4d23e8b5652d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Aug 2025 09:19:58 +0800 +Subject: erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC + +From: Junli Liu + +[ Upstream commit c99fab6e80b76422741d34aafc2f930a482afbdd ] + +Since EROFS handles decompression in non-atomic contexts due to +uncontrollable decompression latencies and vmap() usage, it tries +to detect atomic contexts and only kicks off a kworker on demand +in order to reduce unnecessary scheduling overhead. + +However, the current approach is insufficient and can lead to +sleeping function calls in invalid contexts, causing kernel +warnings and potential system instability. See the stacktrace [1] +and previous discussion [2]. + +The current implementation only checks rcu_read_lock_any_held(), +which behaves inconsistently across different kernel configurations: + +- When CONFIG_DEBUG_LOCK_ALLOC is enabled: correctly detects + RCU critical sections by checking rcu_lock_map +- When CONFIG_DEBUG_LOCK_ALLOC is disabled: compiles to + "!preemptible()", which only checks preempt_count and misses + RCU critical sections + +This patch introduces z_erofs_in_atomic() to provide comprehensive +atomic context detection: + +1. Check RCU preemption depth when CONFIG_PREEMPTION is enabled, + as RCU critical sections may not affect preempt_count but still + require atomic handling + +2. Always use async processing when CONFIG_PREEMPT_COUNT is disabled, + as preemption state cannot be reliably determined + +3. Fall back to standard preemptible() check for remaining cases + +The function replaces the previous complex condition check and ensures +that z_erofs always uses (kthread_)work in atomic contexts to minimize +scheduling overhead and prevent sleeping in invalid contexts. + +[1] Problem stacktrace +[ 61.266692] BUG: sleeping function called from invalid context at kernel/locking/rtmutex_api.c:510 +[ 61.266702] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 107, name: irq/54-ufshcd +[ 61.266704] preempt_count: 0, expected: 0 +[ 61.266705] RCU nest depth: 2, expected: 0 +[ 61.266710] CPU: 0 UID: 0 PID: 107 Comm: irq/54-ufshcd Tainted: G W O 6.12.17 #1 +[ 61.266714] Tainted: [W]=WARN, [O]=OOT_MODULE +[ 61.266715] Hardware name: schumacher (DT) +[ 61.266717] Call trace: +[ 61.266718] dump_backtrace+0x9c/0x100 +[ 61.266727] show_stack+0x20/0x38 +[ 61.266728] dump_stack_lvl+0x78/0x90 +[ 61.266734] dump_stack+0x18/0x28 +[ 61.266736] __might_resched+0x11c/0x180 +[ 61.266743] __might_sleep+0x64/0xc8 +[ 61.266745] mutex_lock+0x2c/0xc0 +[ 61.266748] z_erofs_decompress_queue+0xe8/0x978 +[ 61.266753] z_erofs_decompress_kickoff+0xa8/0x190 +[ 61.266756] z_erofs_endio+0x168/0x288 +[ 61.266758] bio_endio+0x160/0x218 +[ 61.266762] blk_update_request+0x244/0x458 +[ 61.266766] scsi_end_request+0x38/0x278 +[ 61.266770] scsi_io_completion+0x4c/0x600 +[ 61.266772] scsi_finish_command+0xc8/0xe8 +[ 61.266775] scsi_complete+0x88/0x148 +[ 61.266777] blk_mq_complete_request+0x3c/0x58 +[ 61.266780] scsi_done_internal+0xcc/0x158 +[ 61.266782] scsi_done+0x1c/0x30 +[ 61.266783] ufshcd_compl_one_cqe+0x12c/0x438 +[ 61.266786] __ufshcd_transfer_req_compl+0x2c/0x78 +[ 61.266788] ufshcd_poll+0xf4/0x210 +[ 61.266789] ufshcd_transfer_req_compl+0x50/0x88 +[ 61.266791] ufshcd_intr+0x21c/0x7c8 +[ 61.266792] irq_forced_thread_fn+0x44/0xd8 +[ 61.266796] irq_thread+0x1a4/0x358 +[ 61.266799] kthread+0x12c/0x138 +[ 61.266802] ret_from_fork+0x10/0x20 + +[2] https://lore.kernel.org/r/58b661d0-0ebb-4b45-a10d-c5927fb791cd@paulmck-laptop + +Signed-off-by: Junli Liu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20250805011957.911186-1-liujunli@lixiang.com +[ Gao Xiang: Use the original trace in v1. ] +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index f35d2eb0ed11c..63acd91d15aad 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -1410,6 +1410,16 @@ static void z_erofs_decompressqueue_kthread_work(struct kthread_work *work) + } + #endif + ++/* Use (kthread_)work in atomic contexts to minimize scheduling overhead */ ++static inline bool z_erofs_in_atomic(void) ++{ ++ if (IS_ENABLED(CONFIG_PREEMPTION) && rcu_preempt_depth()) ++ return true; ++ if (!IS_ENABLED(CONFIG_PREEMPT_COUNT)) ++ return true; ++ return !preemptible(); ++} ++ + static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + int bios) + { +@@ -1424,8 +1434,7 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + + if (atomic_add_return(bios, &io->pending_bios)) + return; +- /* Use (kthread_)work and sync decompression for atomic contexts only */ +- if (!in_task() || irqs_disabled() || rcu_read_lock_any_held()) { ++ if (z_erofs_in_atomic()) { + #ifdef CONFIG_EROFS_FS_PCPU_KTHREAD + struct kthread_worker *worker; + +-- +2.50.1 + diff --git a/queue-6.12/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch b/queue-6.12/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch new file mode 100644 index 0000000000..05570c8ed5 --- /dev/null +++ b/queue-6.12/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch @@ -0,0 +1,74 @@ +From 4781898995ab19f37d2304683e44806939ba8a38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 03:33:43 +0000 +Subject: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump + +From: Tengda Wu + +[ Upstream commit 4013aef2ced9b756a410f50d12df9ebe6a883e4a ] + +When calling ftrace_dump_one() concurrently with reading trace_pipe, +a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race +condition. + +The issue occurs because: + +CPU0 (ftrace_dump) CPU1 (reader) +echo z > /proc/sysrq-trigger + +!trace_empty(&iter) +trace_iterator_reset(&iter) <- len = size = 0 + cat /sys/kernel/tracing/trace_pipe +trace_find_next_entry_inc(&iter) + __find_next_entry + ring_buffer_empty_cpu <- all empty + return NULL + +trace_printk_seq(&iter.seq) + WARN_ON_ONCE(s->seq.len >= s->seq.size) + +In the context between trace_empty() and trace_find_next_entry_inc() +during ftrace_dump, the ring buffer data was consumed by other readers. +This caused trace_find_next_entry_inc to return NULL, failing to populate +`iter.seq`. At this point, due to the prior trace_iterator_reset, both +`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, +the WARN_ON_ONCE condition is triggered. + +Move the trace_printk_seq() into the if block that checks to make sure the +return value of trace_find_next_entry_inc() is non-NULL in +ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before +subsequent operations. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Link: https://lore.kernel.org/20250822033343.3000289-1-wutengda@huaweicloud.com +Fixes: d769041f8653 ("ring_buffer: implement new locking") +Signed-off-by: Tengda Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 2f662ca4d3ffd..ba3358eef34ba 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -10130,10 +10130,10 @@ static void ftrace_dump_one(struct trace_array *tr, enum ftrace_dump_mode dump_m + ret = print_trace_line(&iter); + if (ret != TRACE_TYPE_NO_CONSUME) + trace_consume(&iter); ++ ++ trace_printk_seq(&iter.seq); + } + touch_nmi_watchdog(); +- +- trace_printk_seq(&iter.seq); + } + + if (!cnt) +-- +2.50.1 + diff --git a/queue-6.12/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch b/queue-6.12/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch new file mode 100644 index 0000000000..8e7e32f733 --- /dev/null +++ b/queue-6.12/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch @@ -0,0 +1,45 @@ +From 8bdeb2e851ee9e35dc9fa84645f62c150c93ac29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Aug 2025 14:49:06 +0200 +Subject: mips: dts: lantiq: danube: add missing burst length property + +From: Aleksander Jan Bajkowski + +[ Upstream commit 7b28232921782aa38048249132899c337405eaa8 ] + +The upstream dts lacks the lantiq,{rx/tx}-burst-length property. Other +issues were also fixed: +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'interrupt-names' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'lantiq,tx-burst-length' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'lantiq,rx-burst-length' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# + +Fixes: 14d4e308e0aa ("net: lantiq: configure the burst length in ethernet drivers") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/boot/dts/lantiq/danube_easy50712.dts b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +index 1ce20b7d05cb8..d8b3cd69eda3c 100644 +--- a/arch/mips/boot/dts/lantiq/danube_easy50712.dts ++++ b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +@@ -87,8 +87,11 @@ etop@e180000 { + reg = <0xe180000 0x40000>; + interrupt-parent = <&icu0>; + interrupts = <73 78>; ++ interrupt-names = "tx", "rx"; + phy-mode = "rmii"; + mac-address = [ 00 11 22 33 44 55 ]; ++ lantiq,rx-burst-length = <4>; ++ lantiq,tx-burst-length = <4>; + }; + + stp0: stp@e100bb0 { +-- +2.50.1 + diff --git a/queue-6.12/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch b/queue-6.12/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch new file mode 100644 index 0000000000..13035dce38 --- /dev/null +++ b/queue-6.12/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch @@ -0,0 +1,79 @@ +From 936dc3db367ddcf0d84ff0281591943906d1f913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Aug 2025 14:49:07 +0200 +Subject: mips: lantiq: xway: sysctrl: rename the etop node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksander Jan Bajkowski + +[ Upstream commit 8c431ea8f3f795c4b9cfa57a85bc4166b9cce0ac ] + +Bindig requires a node name matching ‘^ethernet@[0-9a-f]+$’. This patch +changes the clock name from “etop” to “ethernet”. + +This fixes the following warning: +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): $nodename:0: 'etop@e180000' does not match '^ethernet@[0-9a-f]+$' + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# + +Fixes: dac0bad93741 ("dt-bindings: net: lantiq,etop-xway: Document Lantiq Xway ETOP bindings") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 2 +- + arch/mips/lantiq/xway/sysctrl.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/mips/boot/dts/lantiq/danube_easy50712.dts b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +index d8b3cd69eda3c..c4d7aa5753b04 100644 +--- a/arch/mips/boot/dts/lantiq/danube_easy50712.dts ++++ b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +@@ -82,7 +82,7 @@ conf_out { + }; + }; + +- etop@e180000 { ++ ethernet@e180000 { + compatible = "lantiq,etop-xway"; + reg = <0xe180000 0x40000>; + interrupt-parent = <&icu0>; +diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c +index 5a75283d17f10..6031a0272d874 100644 +--- a/arch/mips/lantiq/xway/sysctrl.c ++++ b/arch/mips/lantiq/xway/sysctrl.c +@@ -497,7 +497,7 @@ void __init ltq_soc_init(void) + ifccr = CGU_IFCCR_VR9; + pcicr = CGU_PCICR_VR9; + } else { +- clkdev_add_pmu("1e180000.etop", NULL, 1, 0, PMU_PPE); ++ clkdev_add_pmu("1e180000.ethernet", NULL, 1, 0, PMU_PPE); + } + + if (!of_machine_is_compatible("lantiq,ase")) +@@ -531,9 +531,9 @@ void __init ltq_soc_init(void) + CLOCK_133M, CLOCK_133M); + clkdev_add_pmu("1e101000.usb", "otg", 1, 0, PMU_USB0); + clkdev_add_pmu("1f203018.usb2-phy", "phy", 1, 0, PMU_USB0_P); +- clkdev_add_pmu("1e180000.etop", "ppe", 1, 0, PMU_PPE); +- clkdev_add_cgu("1e180000.etop", "ephycgu", CGU_EPHY); +- clkdev_add_pmu("1e180000.etop", "ephy", 1, 0, PMU_EPHY); ++ clkdev_add_pmu("1e180000.ethernet", "ppe", 1, 0, PMU_PPE); ++ clkdev_add_cgu("1e180000.ethernet", "ephycgu", CGU_EPHY); ++ clkdev_add_pmu("1e180000.ethernet", "ephy", 1, 0, PMU_EPHY); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_ASE_SDIO); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); + } else if (of_machine_is_compatible("lantiq,grx390")) { +@@ -592,7 +592,7 @@ void __init ltq_soc_init(void) + clkdev_add_pmu("1e101000.usb", "otg", 1, 0, PMU_USB0 | PMU_AHBM); + clkdev_add_pmu("1f203034.usb2-phy", "phy", 1, 0, PMU_USB1_P); + clkdev_add_pmu("1e106000.usb", "otg", 1, 0, PMU_USB1 | PMU_AHBM); +- clkdev_add_pmu("1e180000.etop", "switch", 1, 0, PMU_SWITCH); ++ clkdev_add_pmu("1e180000.ethernet", "switch", 1, 0, PMU_SWITCH); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_SDIO); + clkdev_add_pmu("1e103100.deu", NULL, 1, 0, PMU_DEU); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); +-- +2.50.1 + diff --git a/queue-6.12/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch b/queue-6.12/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch new file mode 100644 index 0000000000..1da83b0e86 --- /dev/null +++ b/queue-6.12/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch @@ -0,0 +1,47 @@ +From f20f496a2083e0d68c084ec1aa8af23672c4c500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 08:22:21 -0700 +Subject: of: dynamic: Fix memleak when of_pci_add_properties() failed + +From: Lizhi Hou + +[ Upstream commit c81f6ce16785cc07ae81f53deb07b662ed0bb3a5 ] + +When of_pci_add_properties() failed, of_changeset_destroy() is called to +free the changeset. And of_changeset_destroy() puts device tree node in +each entry but does not free property in the entry. This leads to memory +leak in the failure case. + +In of_changeset_add_prop_helper(), add the property to the device tree node +deadprops list. Thus, the property will also be freed along with device +tree node. + +Fixes: b544fc2b8606 ("of: dynamic: Add interfaces for creating device node dynamically") +Reported-by: Lorenzo Pieralisi +Closes: https://lore.kernel.org/all/aJms+YT8TnpzpCY8@lpieralisi/ +Tested-by: Lorenzo Pieralisi +Signed-off-by: Lizhi Hou +Link: https://lore.kernel.org/r/20250818152221.3685724-1-lizhi.hou@amd.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/dynamic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index 110104a936d9c..fcaaadc2eca1d 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -938,6 +938,9 @@ static int of_changeset_add_prop_helper(struct of_changeset *ocs, + if (ret) + __of_prop_free(new_pp); + ++ new_pp->next = np->deadprops; ++ np->deadprops = new_pp; ++ + return ret; + } + +-- +2.50.1 + diff --git a/queue-6.12/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch b/queue-6.12/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch new file mode 100644 index 0000000000..2853a7df95 --- /dev/null +++ b/queue-6.12/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch @@ -0,0 +1,47 @@ +From 7d125f4dda70608a20213906dbc24c8207d3c4ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 11:08:46 +0300 +Subject: of: dynamic: Fix use after free in of_changeset_add_prop_helper() + +From: Dan Carpenter + +[ Upstream commit 80af3745ca465c6c47e833c1902004a7fa944f37 ] + +If the of_changeset_add_property() function call fails, then this code +frees "new_pp" and then dereference it on the next line. Return the +error code directly instead. + +Fixes: c81f6ce16785 ("of: dynamic: Fix memleak when of_pci_add_properties() failed") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/aKgljjhnpa4lVpdx@stanley.mountain +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/dynamic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index fcaaadc2eca1d..492f0354a7922 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -935,13 +935,15 @@ static int of_changeset_add_prop_helper(struct of_changeset *ocs, + return -ENOMEM; + + ret = of_changeset_add_property(ocs, np, new_pp); +- if (ret) ++ if (ret) { + __of_prop_free(new_pp); ++ return ret; ++ } + + new_pp->next = np->deadprops; + np->deadprops = new_pp; + +- return ret; ++ return 0; + } + + /** +-- +2.50.1 + diff --git a/queue-6.12/perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch b/queue-6.12/perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch new file mode 100644 index 0000000000..5a368c29ce --- /dev/null +++ b/queue-6.12/perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch @@ -0,0 +1,147 @@ +From 62fedf59a14d7b2d11b127ea4bed901bc96c587d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:00:23 -0700 +Subject: perf symbol-minimal: Fix ehdr reading in filename__read_build_id + +From: Ian Rogers + +[ Upstream commit ba0b7081f7a521d7c28b527a4f18666a148471e7 ] + +The e_ident is part of the ehdr and so reading it a second time would +mean the read ehdr was displaced by 16-bytes. Switch from stdio to +open/read/lseek syscalls for similarity with the symbol-elf version of +the function and so that later changes can alter then open flags. + +Fixes: fef8f648bb47 ("perf symbol: Fix use-after-free in filename__read_build_id") +Signed-off-by: Ian Rogers +Link: https://lore.kernel.org/r/20250823000024.724394-2-irogers@google.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-minimal.c | 55 ++++++++++++++++---------------- + 1 file changed, 27 insertions(+), 28 deletions(-) + +diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c +index 36c1d3090689f..f114f75ebeb98 100644 +--- a/tools/perf/util/symbol-minimal.c ++++ b/tools/perf/util/symbol-minimal.c +@@ -4,7 +4,6 @@ + + #include + #include +-#include + #include + #include + #include +@@ -88,11 +87,8 @@ int filename__read_debuglink(const char *filename __maybe_unused, + */ + int filename__read_build_id(const char *filename, struct build_id *bid) + { +- FILE *fp; +- int ret = -1; ++ int fd, ret = -1; + bool need_swap = false, elf32; +- u8 e_ident[EI_NIDENT]; +- int i; + union { + struct { + Elf32_Ehdr ehdr32; +@@ -103,28 +99,27 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + Elf64_Phdr *phdr64; + }; + } hdrs; +- void *phdr; +- size_t phdr_size; +- void *buf = NULL; +- size_t buf_size = 0; ++ void *phdr, *buf = NULL; ++ ssize_t phdr_size, ehdr_size, buf_size = 0; + +- fp = fopen(filename, "r"); +- if (fp == NULL) ++ fd = open(filename, O_RDONLY); ++ if (fd < 0) + return -1; + +- if (fread(e_ident, sizeof(e_ident), 1, fp) != 1) ++ if (read(fd, hdrs.ehdr32.e_ident, EI_NIDENT) != EI_NIDENT) + goto out; + +- if (memcmp(e_ident, ELFMAG, SELFMAG) || +- e_ident[EI_VERSION] != EV_CURRENT) ++ if (memcmp(hdrs.ehdr32.e_ident, ELFMAG, SELFMAG) || ++ hdrs.ehdr32.e_ident[EI_VERSION] != EV_CURRENT) + goto out; + +- need_swap = check_need_swap(e_ident[EI_DATA]); +- elf32 = e_ident[EI_CLASS] == ELFCLASS32; ++ need_swap = check_need_swap(hdrs.ehdr32.e_ident[EI_DATA]); ++ elf32 = hdrs.ehdr32.e_ident[EI_CLASS] == ELFCLASS32; ++ ehdr_size = (elf32 ? sizeof(hdrs.ehdr32) : sizeof(hdrs.ehdr64)) - EI_NIDENT; + +- if (fread(elf32 ? (void *)&hdrs.ehdr32 : (void *)&hdrs.ehdr64, +- elf32 ? sizeof(hdrs.ehdr32) : sizeof(hdrs.ehdr64), +- 1, fp) != 1) ++ if (read(fd, ++ (elf32 ? (void *)&hdrs.ehdr32 : (void *)&hdrs.ehdr64) + EI_NIDENT, ++ ehdr_size) != ehdr_size) + goto out; + + if (need_swap) { +@@ -138,14 +133,18 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + hdrs.ehdr64.e_phnum = bswap_16(hdrs.ehdr64.e_phnum); + } + } +- phdr_size = elf32 ? hdrs.ehdr32.e_phentsize * hdrs.ehdr32.e_phnum +- : hdrs.ehdr64.e_phentsize * hdrs.ehdr64.e_phnum; ++ if ((elf32 && hdrs.ehdr32.e_phentsize != sizeof(Elf32_Phdr)) || ++ (!elf32 && hdrs.ehdr64.e_phentsize != sizeof(Elf64_Phdr))) ++ goto out; ++ ++ phdr_size = elf32 ? sizeof(Elf32_Phdr) * hdrs.ehdr32.e_phnum ++ : sizeof(Elf64_Phdr) * hdrs.ehdr64.e_phnum; + phdr = malloc(phdr_size); + if (phdr == NULL) + goto out; + +- fseek(fp, elf32 ? hdrs.ehdr32.e_phoff : hdrs.ehdr64.e_phoff, SEEK_SET); +- if (fread(phdr, phdr_size, 1, fp) != 1) ++ lseek(fd, elf32 ? hdrs.ehdr32.e_phoff : hdrs.ehdr64.e_phoff, SEEK_SET); ++ if (read(fd, phdr, phdr_size) != phdr_size) + goto out_free; + + if (elf32) +@@ -153,8 +152,8 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + else + hdrs.phdr64 = phdr; + +- for (i = 0; i < elf32 ? hdrs.ehdr32.e_phnum : hdrs.ehdr64.e_phnum; i++) { +- size_t p_filesz; ++ for (int i = 0; i < (elf32 ? hdrs.ehdr32.e_phnum : hdrs.ehdr64.e_phnum); i++) { ++ ssize_t p_filesz; + + if (need_swap) { + if (elf32) { +@@ -180,8 +179,8 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + goto out_free; + buf = tmp; + } +- fseek(fp, elf32 ? hdrs.phdr32[i].p_offset : hdrs.phdr64[i].p_offset, SEEK_SET); +- if (fread(buf, p_filesz, 1, fp) != 1) ++ lseek(fd, elf32 ? hdrs.phdr32[i].p_offset : hdrs.phdr64[i].p_offset, SEEK_SET); ++ if (read(fd, buf, p_filesz) != p_filesz) + goto out_free; + + ret = read_build_id(buf, p_filesz, bid, need_swap); +@@ -194,7 +193,7 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + free(buf); + free(phdr); + out: +- fclose(fp); ++ close(fd); + return ret; + } + +-- +2.50.1 + diff --git a/queue-6.12/pinctrl-stmfx-add-missing-has_iomem-dependency.patch b/queue-6.12/pinctrl-stmfx-add-missing-has_iomem-dependency.patch new file mode 100644 index 0000000000..9cc1d419fe --- /dev/null +++ b/queue-6.12/pinctrl-stmfx-add-missing-has_iomem-dependency.patch @@ -0,0 +1,44 @@ +From b76803c2676e7a8f55e006d634b9be30ecc8d7e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 19:27:21 -0700 +Subject: pinctrl: STMFX: add missing HAS_IOMEM dependency + +From: Randy Dunlap + +[ Upstream commit a12946bef0407cf2db0899c83d42c47c00af3fbc ] + +When building on ARCH=um (which does not set HAS_IOMEM), kconfig +reports an unmet dependency caused by PINCTRL_STMFX. It selects +MFD_STMFX, which depends on HAS_IOMEM. To stop this warning, +PINCTRL_STMFX should also depend on HAS_IOMEM. + +kconfig warning: +WARNING: unmet direct dependencies detected for MFD_STMFX + Depends on [n]: HAS_IOMEM [=n] && I2C [=y] && OF [=y] + Selected by [y]: + - PINCTRL_STMFX [=y] && PINCTRL [=y] && I2C [=y] && OF_GPIO [=y] + +Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/20250815022721.1650885-1-rdunlap@infradead.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig +index 354536de564b6..e05174e5efbc3 100644 +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -504,6 +504,7 @@ config PINCTRL_STMFX + tristate "STMicroelectronics STMFX GPIO expander pinctrl driver" + depends on I2C + depends on OF_GPIO ++ depends on HAS_IOMEM + select GENERIC_PINCONF + select GPIOLIB_IRQCHIP + select MFD_STMFX +-- +2.50.1 + diff --git a/queue-6.12/rtla-check-pkg-config-install.patch b/queue-6.12/rtla-check-pkg-config-install.patch new file mode 100644 index 0000000000..ae2cda870b --- /dev/null +++ b/queue-6.12/rtla-check-pkg-config-install.patch @@ -0,0 +1,56 @@ +From fcbfd23637262598d555719731174839567d7a0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 12:05:27 +0800 +Subject: rtla: Check pkg-config install + +From: Tao Chen + +[ Upstream commit 7b128f1d53dcaa324d4aa05d821a6bf4a7b203e7 ] + +The tool pkg-config used to check libtraceevent and libtracefs, if not +installed, it will report the libs not found, even though they have +already been installed. + +Before: +libtraceevent is missing. Please install libtraceevent-dev/libtraceevent-devel +libtracefs is missing. Please install libtracefs-dev/libtracefs-devel + +After: +Makefile.config:10: *** Error: pkg-config needed by libtraceevent/libtracefs is missing +on this system, please install it. + +Link: https://lore.kernel.org/20250808040527.2036023-2-chen.dylane@linux.dev +Fixes: 01474dc706ca ("tools/rtla: Use tools/build makefiles to build rtla") +Signed-off-by: Tao Chen +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + tools/tracing/rtla/Makefile.config | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/tracing/rtla/Makefile.config b/tools/tracing/rtla/Makefile.config +index 5f8c286712d4c..a35d6ee55ffcd 100644 +--- a/tools/tracing/rtla/Makefile.config ++++ b/tools/tracing/rtla/Makefile.config +@@ -1,10 +1,18 @@ + # SPDX-License-Identifier: GPL-2.0-only + ++include $(srctree)/tools/scripts/utilities.mak ++ + STOP_ERROR := + + LIBTRACEEVENT_MIN_VERSION = 1.5 + LIBTRACEFS_MIN_VERSION = 1.6 + ++ifndef ($(NO_LIBTRACEEVENT),1) ++ ifeq ($(call get-executable,$(PKG_CONFIG)),) ++ $(error Error: $(PKG_CONFIG) needed by libtraceevent/libtracefs is missing on this system, please install it) ++ endif ++endif ++ + define lib_setup + $(eval LIB_INCLUDES += $(shell sh -c "$(PKG_CONFIG) --cflags lib$(1)")) + $(eval LDFLAGS += $(shell sh -c "$(PKG_CONFIG) --libs-only-L lib$(1)")) +-- +2.50.1 + diff --git a/queue-6.12/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch b/queue-6.12/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch new file mode 100644 index 0000000000..696a0252e4 --- /dev/null +++ b/queue-6.12/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch @@ -0,0 +1,49 @@ +From 6247a1f4ec51b4d2511c92c22cb813a067a4b768 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 13:17:00 +0900 +Subject: scsi: core: sysfs: Correct sysfs attributes access rights + +From: Damien Le Moal + +[ Upstream commit a2f54ff15c3bdc0132e20aae041607e2320dbd73 ] + +The SCSI sysfs attributes "supported_mode" and "active_mode" do not +define a store method and thus cannot be modified. Correct the +DEVICE_ATTR() call for these two attributes to not include S_IWUSR to +allow write access as they are read-only. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250728041700.76660-1-dlemoal@kernel.org +Reviewed-by: John Garry +Reviewed-by: Johannes Thumshin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index 32f94db6d6bf5..e669768a7a5bf 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -265,7 +265,7 @@ show_shost_supported_mode(struct device *dev, struct device_attribute *attr, + return show_shost_mode(supported_mode, buf); + } + +-static DEVICE_ATTR(supported_mode, S_IRUGO | S_IWUSR, show_shost_supported_mode, NULL); ++static DEVICE_ATTR(supported_mode, S_IRUGO, show_shost_supported_mode, NULL); + + static ssize_t + show_shost_active_mode(struct device *dev, +@@ -279,7 +279,7 @@ show_shost_active_mode(struct device *dev, + return show_shost_mode(shost->active_mode, buf); + } + +-static DEVICE_ATTR(active_mode, S_IRUGO | S_IWUSR, show_shost_active_mode, NULL); ++static DEVICE_ATTR(active_mode, S_IRUGO, show_shost_active_mode, NULL); + + static int check_reset_type(const char *str) + { +-- +2.50.1 + diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..407a319141 --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,16 @@ +tools-latency-collector-check-pkg-config-install.patch +rtla-check-pkg-config-install.patch +trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch +of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch +pinctrl-stmfx-add-missing-has_iomem-dependency.patch +mips-dts-lantiq-danube-add-missing-burst-length-prop.patch +mips-lantiq-xway-sysctrl-rename-the-etop-node.patch +of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch +ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch +perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch +vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch +scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch +smb-client-fix-race-with-concurrent-opens-in-unlink-.patch +smb-client-fix-race-with-concurrent-opens-in-rename-.patch +asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch +erofs-fix-atomic-context-detection-when-config_debug.patch diff --git a/queue-6.12/smb-client-fix-race-with-concurrent-opens-in-rename-.patch b/queue-6.12/smb-client-fix-race-with-concurrent-opens-in-rename-.patch new file mode 100644 index 0000000000..2947f3e6ff --- /dev/null +++ b/queue-6.12/smb-client-fix-race-with-concurrent-opens-in-rename-.patch @@ -0,0 +1,87 @@ +From 2b5f0cfe953661a02e727413d853a8df6c2eb2fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 11:43:29 -0300 +Subject: smb: client: fix race with concurrent opens in rename(2) + +From: Paulo Alcantara + +[ Upstream commit d84291fc7453df7881a970716f8256273aca5747 ] + +Besides sending the rename request to the server, the rename process +also involves closing any deferred close, waiting for outstanding I/O +to complete as well as marking all existing open handles as deleted to +prevent them from deferring closes, which increases the race window +for potential concurrent opens on the target file. + +Fix this by unhashing the dentry in advance to prevent any concurrent +opens on the target. + +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Al Viro +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index 02f78e58e11d0..c0df2c1841243 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -2441,6 +2441,7 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + struct cifs_sb_info *cifs_sb; + struct tcon_link *tlink; + struct cifs_tcon *tcon; ++ bool rehash = false; + unsigned int xid; + int rc, tmprc; + int retry_count = 0; +@@ -2456,6 +2457,17 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + if (unlikely(cifs_forced_shutdown(cifs_sb))) + return -EIO; + ++ /* ++ * Prevent any concurrent opens on the target by unhashing the dentry. ++ * VFS already unhashes the target when renaming directories. ++ */ ++ if (d_is_positive(target_dentry) && !d_is_dir(target_dentry)) { ++ if (!d_unhashed(target_dentry)) { ++ d_drop(target_dentry); ++ rehash = true; ++ } ++ } ++ + tlink = cifs_sb_tlink(cifs_sb); + if (IS_ERR(tlink)) + return PTR_ERR(tlink); +@@ -2497,6 +2509,8 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + } + } + ++ if (!rc) ++ rehash = false; + /* + * No-replace is the natural behavior for CIFS, so skip unlink hacks. + */ +@@ -2555,12 +2569,16 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + goto cifs_rename_exit; + rc = cifs_do_rename(xid, source_dentry, from_name, + target_dentry, to_name); ++ if (!rc) ++ rehash = false; + } + + /* force revalidate to go get info when needed */ + CIFS_I(source_dir)->time = CIFS_I(target_dir)->time = 0; + + cifs_rename_exit: ++ if (rehash) ++ d_rehash(target_dentry); + kfree(info_buf_source); + free_dentry_path(page2); + free_dentry_path(page1); +-- +2.50.1 + diff --git a/queue-6.12/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch b/queue-6.12/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch new file mode 100644 index 0000000000..8c321a37ce --- /dev/null +++ b/queue-6.12/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch @@ -0,0 +1,86 @@ +From df4e369f3ee09eaec974fd9d03480b1f767a9323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 12:20:17 -0300 +Subject: smb: client: fix race with concurrent opens in unlink(2) + +From: Paulo Alcantara + +[ Upstream commit 0af1561b2d60bab2a2b00720a5c7b292ecc549ec ] + +According to some logs reported by customers, CIFS client might end up +reporting unlinked files as existing in stat(2) due to concurrent +opens racing with unlink(2). + +Besides sending the removal request to the server, the unlink process +could involve closing any deferred close as well as marking all +existing open handles as deleted to prevent them from deferring +closes, which increases the race window for potential concurrent +opens. + +Fix this by unhashing the dentry in cifs_unlink() to prevent any +subsequent opens. Any open attempts, while we're still unlinking, +will block on parent's i_rwsem. + +Reported-by: Jay Shin +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Al Viro +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index 31fce0a1b5719..02f78e58e11d0 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1917,15 +1917,24 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + struct cifs_sb_info *cifs_sb = CIFS_SB(sb); + struct tcon_link *tlink; + struct cifs_tcon *tcon; ++ __u32 dosattr = 0, origattr = 0; + struct TCP_Server_Info *server; + struct iattr *attrs = NULL; +- __u32 dosattr = 0, origattr = 0; ++ bool rehash = false; + + cifs_dbg(FYI, "cifs_unlink, dir=0x%p, dentry=0x%p\n", dir, dentry); + + if (unlikely(cifs_forced_shutdown(cifs_sb))) + return -EIO; + ++ /* Unhash dentry in advance to prevent any concurrent opens */ ++ spin_lock(&dentry->d_lock); ++ if (!d_unhashed(dentry)) { ++ __d_drop(dentry); ++ rehash = true; ++ } ++ spin_unlock(&dentry->d_lock); ++ + tlink = cifs_sb_tlink(cifs_sb); + if (IS_ERR(tlink)) + return PTR_ERR(tlink); +@@ -1977,7 +1986,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + cifs_drop_nlink(inode); + } + } else if (rc == -ENOENT) { +- d_drop(dentry); ++ if (simple_positive(dentry)) ++ d_delete(dentry); + } else if (rc == -EBUSY) { + if (server->ops->rename_pending_delete) { + rc = server->ops->rename_pending_delete(full_path, +@@ -2030,6 +2040,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + kfree(attrs); + free_xid(xid); + cifs_put_tlink(tlink); ++ if (rehash) ++ d_rehash(dentry); + return rc; + } + +-- +2.50.1 + diff --git a/queue-6.12/tools-latency-collector-check-pkg-config-install.patch b/queue-6.12/tools-latency-collector-check-pkg-config-install.patch new file mode 100644 index 0000000000..20b066cc07 --- /dev/null +++ b/queue-6.12/tools-latency-collector-check-pkg-config-install.patch @@ -0,0 +1,53 @@ +From a5cd09fb5fcf663415634751a0a70542ee7df539 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 12:05:26 +0800 +Subject: tools/latency-collector: Check pkg-config install + +From: Tao Chen + +[ Upstream commit 26ebba25e210116053609f4c7ee701bffa7ebd7d ] + +The tool pkg-config used to check libtraceevent and libtracefs, if not +installed, it will report the libs not found, even though they have +already been installed. + +Before: +libtraceevent is missing. Please install libtraceevent-dev/libtraceevent-devel +libtracefs is missing. Please install libtracefs-dev/libtracefs-devel + +After: +Makefile.config:10: *** Error: pkg-config needed by libtraceevent/libtracefs is missing +on this system, please install it. + +Link: https://lore.kernel.org/20250808040527.2036023-1-chen.dylane@linux.dev +Fixes: 9d56c88e5225 ("tools/tracing: Use tools/build makefiles on latency-collector") +Signed-off-by: Tao Chen +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + tools/tracing/latency/Makefile.config | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/tracing/latency/Makefile.config b/tools/tracing/latency/Makefile.config +index 0fe6b50f029bf..6efa13e3ca93f 100644 +--- a/tools/tracing/latency/Makefile.config ++++ b/tools/tracing/latency/Makefile.config +@@ -1,7 +1,15 @@ + # SPDX-License-Identifier: GPL-2.0-only + ++include $(srctree)/tools/scripts/utilities.mak ++ + STOP_ERROR := + ++ifndef ($(NO_LIBTRACEEVENT),1) ++ ifeq ($(call get-executable,$(PKG_CONFIG)),) ++ $(error Error: $(PKG_CONFIG) needed by libtraceevent/libtracefs is missing on this system, please install it) ++ endif ++endif ++ + define lib_setup + $(eval LIB_INCLUDES += $(shell sh -c "$(PKG_CONFIG) --cflags lib$(1)")) + $(eval LDFLAGS += $(shell sh -c "$(PKG_CONFIG) --libs-only-L lib$(1)")) +-- +2.50.1 + diff --git a/queue-6.12/trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch b/queue-6.12/trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch new file mode 100644 index 0000000000..7f8ae1f2df --- /dev/null +++ b/queue-6.12/trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch @@ -0,0 +1,58 @@ +From d3d585f1d2c55ce35b53f82415c8ead545a47072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 07:33:32 +0000 +Subject: trace/fgraph: Fix the warning caused by missing unregister notifier + +From: Ye Weihua + +[ Upstream commit edede7a6dcd7435395cf757d053974aaab6ab1c2 ] + +This warning was triggered during testing on v6.16: + +notifier callback ftrace_suspend_notifier_call already registered +WARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0 +... +Call Trace: + + blocking_notifier_chain_register+0x34/0x60 + register_ftrace_graph+0x330/0x410 + ftrace_profile_write+0x1e9/0x340 + vfs_write+0xf8/0x420 + ? filp_flush+0x8a/0xa0 + ? filp_close+0x1f/0x30 + ? do_dup2+0xaf/0x160 + ksys_write+0x65/0xe0 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When writing to the function_profile_enabled interface, the notifier was +not unregistered after start_graph_tracing failed, causing a warning the +next time function_profile_enabled was written. + +Fixed by adding unregister_pm_notifier in the exception path. + +Link: https://lore.kernel.org/20250818073332.3890629-1-yeweihua4@huawei.com +Fixes: 4a2b8dda3f870 ("tracing/function-graph-tracer: fix a regression while suspend to disk") +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Ye Weihua +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/fgraph.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c +index c12335499ec91..2eed8bc672f91 100644 +--- a/kernel/trace/fgraph.c ++++ b/kernel/trace/fgraph.c +@@ -1316,6 +1316,7 @@ int register_ftrace_graph(struct fgraph_ops *gops) + ftrace_graph_active--; + gops->saved_func = NULL; + fgraph_lru_release_index(i); ++ unregister_pm_notifier(&ftrace_suspend_notifier); + } + return ret; + } +-- +2.50.1 + diff --git a/queue-6.12/vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch b/queue-6.12/vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch new file mode 100644 index 0000000000..a560590989 --- /dev/null +++ b/queue-6.12/vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch @@ -0,0 +1,57 @@ +From f80fad5357f25311d1367ea9f21f008208ffc981 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 23:39:57 -0700 +Subject: vhost: Fix ioctl # for VHOST_[GS]ET_FORK_FROM_OWNER +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Namhyung Kim + +[ Upstream commit 24fc631539cc78225f5c61f99c7666fcff48024d ] + +The VHOST_[GS]ET_FEATURES_ARRAY ioctl already took 0x83 and it would +result in a build error when the vhost uapi header is used for perf tool +build like below. + + In file included from trace/beauty/ioctl.c:93: + tools/perf/trace/beauty/generated/ioctl/vhost_virtio_ioctl_array.c: In function ‘ioctl__scnprintf_vhost_virtio_cmd’: + tools/perf/trace/beauty/generated/ioctl/vhost_virtio_ioctl_array.c:36:18: error: initialized field overwritten [-Werror=override-init] + 36 | [0x83] = "SET_FORK_FROM_OWNER", + | ^~~~~~~~~~~~~~~~~~~~~ + tools/perf/trace/beauty/generated/ioctl/vhost_virtio_ioctl_array.c:36:18: note: (near initialization for ‘vhost_virtio_ioctl_cmds[131]’) + +Fixes: 7d9896e9f6d02d8a ("vhost: Reintroduce kthread API and add mode selection") +Signed-off-by: Namhyung Kim +Message-Id: <20250819063958.833770-1-namhyung@kernel.org> +Signed-off-by: Michael S. Tsirkin +Tested-by: Lei Yang +Signed-off-by: Sasha Levin +--- + include/uapi/linux/vhost.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/vhost.h b/include/uapi/linux/vhost.h +index 1c7e7035fc49d..96b178f1bd5ca 100644 +--- a/include/uapi/linux/vhost.h ++++ b/include/uapi/linux/vhost.h +@@ -254,7 +254,7 @@ + * When fork_owner is set to VHOST_FORK_OWNER_KTHREAD: + * - Vhost will create vhost workers as kernel threads. + */ +-#define VHOST_SET_FORK_FROM_OWNER _IOW(VHOST_VIRTIO, 0x83, __u8) ++#define VHOST_SET_FORK_FROM_OWNER _IOW(VHOST_VIRTIO, 0x84, __u8) + + /** + * VHOST_GET_FORK_OWNER - Get the current fork_owner flag for the vhost device. +@@ -262,6 +262,6 @@ + * + * @return: An 8-bit value indicating the current thread mode. + */ +-#define VHOST_GET_FORK_FROM_OWNER _IOR(VHOST_VIRTIO, 0x84, __u8) ++#define VHOST_GET_FORK_FROM_OWNER _IOR(VHOST_VIRTIO, 0x85, __u8) + + #endif +-- +2.50.1 + diff --git a/queue-6.16/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch b/queue-6.16/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch new file mode 100644 index 0000000000..f891baa702 --- /dev/null +++ b/queue-6.16/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch @@ -0,0 +1,39 @@ +From 46cb963914101ef263fbe8054333fa6bb7963dd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Aug 2025 15:00:30 +0100 +Subject: ASoC: codecs: tx-macro: correct tx_macro_component_drv name + +From: Alexey Klimov + +[ Upstream commit 43e0da37d5cfb23eec6aeee9422f84d86621ce2b ] + +We already have a component driver named "RX-MACRO", which is +lpass-rx-macro.c. The tx macro component driver's name should +be "TX-MACRO" accordingly. Fix it. + +Cc: Srinivas Kandagatla +Signed-off-by: Alexey Klimov +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20250806140030.691477-1-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-tx-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index 27bae58f40725..fe000ff522d24 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -2230,7 +2230,7 @@ static int tx_macro_register_mclk_output(struct tx_macro *tx) + } + + static const struct snd_soc_component_driver tx_macro_component_drv = { +- .name = "RX-MACRO", ++ .name = "TX-MACRO", + .probe = tx_macro_component_probe, + .controls = tx_macro_snd_controls, + .num_controls = ARRAY_SIZE(tx_macro_snd_controls), +-- +2.50.1 + diff --git a/queue-6.16/asoc-rt1320-fix-random-cycle-mute-issue.patch b/queue-6.16/asoc-rt1320-fix-random-cycle-mute-issue.patch new file mode 100644 index 0000000000..ca82313418 --- /dev/null +++ b/queue-6.16/asoc-rt1320-fix-random-cycle-mute-issue.patch @@ -0,0 +1,43 @@ +From b426666d7e61012573fc676d93d79df22d6c8a5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 17:24:32 +0800 +Subject: ASoC: rt1320: fix random cycle mute issue + +From: Shuming Fan + +[ Upstream commit f48d7a1b0bf11d16d8c9f77a5b9c80a82272f625 ] + +This patch fixed the random cycle mute issue that occurs during long-time playback. + +Signed-off-by: Shuming Fan +Link: https://patch.msgid.link/20250807092432.997989-1-shumingf@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt1320-sdw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/rt1320-sdw.c b/sound/soc/codecs/rt1320-sdw.c +index 015cc710e6dc0..d6d54168cccd0 100644 +--- a/sound/soc/codecs/rt1320-sdw.c ++++ b/sound/soc/codecs/rt1320-sdw.c +@@ -109,6 +109,7 @@ static const struct reg_sequence rt1320_blind_write[] = { + { 0x0000d540, 0x01 }, + { 0xd172, 0x2a }, + { 0xc5d6, 0x01 }, ++ { 0xd478, 0xff }, + }; + + static const struct reg_sequence rt1320_vc_blind_write[] = { +@@ -159,7 +160,7 @@ static const struct reg_sequence rt1320_vc_blind_write[] = { + { 0xd471, 0x3a }, + { 0xd474, 0x11 }, + { 0xd475, 0x32 }, +- { 0xd478, 0x64 }, ++ { 0xd478, 0xff }, + { 0xd479, 0x20 }, + { 0xd47a, 0x10 }, + { 0xd47c, 0xff }, +-- +2.50.1 + diff --git a/queue-6.16/asoc-rt721-fix-fu33-boost-volume-control-not-working.patch b/queue-6.16/asoc-rt721-fix-fu33-boost-volume-control-not-working.patch new file mode 100644 index 0000000000..a215958843 --- /dev/null +++ b/queue-6.16/asoc-rt721-fix-fu33-boost-volume-control-not-working.patch @@ -0,0 +1,58 @@ +From 1beed8c086717450f2e7457e890758560ec54b21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 13:57:06 +0800 +Subject: ASoC: rt721: fix FU33 Boost Volume control not working + +From: Shuming Fan + +[ Upstream commit 633e391d45bda3fc848d26bee6bbe57ef2935713 ] + +This patch fixed FU33 Boost Volume control not working. + +Signed-off-by: Shuming Fan +Link: https://patch.msgid.link/20250808055706.1110766-1-shumingf@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt721-sdca.c | 2 ++ + sound/soc/codecs/rt721-sdca.h | 4 ++++ + 2 files changed, 6 insertions(+) + +diff --git a/sound/soc/codecs/rt721-sdca.c b/sound/soc/codecs/rt721-sdca.c +index ba080957e9336..98d8ebc6607ff 100644 +--- a/sound/soc/codecs/rt721-sdca.c ++++ b/sound/soc/codecs/rt721-sdca.c +@@ -278,6 +278,8 @@ static void rt721_sdca_jack_preset(struct rt721_sdca_priv *rt721) + RT721_ENT_FLOAT_CTL1, 0x4040); + rt_sdca_index_write(rt721->mbq_regmap, RT721_HDA_SDCA_FLOAT, + RT721_ENT_FLOAT_CTL4, 0x1201); ++ rt_sdca_index_write(rt721->mbq_regmap, RT721_BOOST_CTRL, ++ RT721_BST_4CH_TOP_GATING_CTRL1, 0x002a); + regmap_write(rt721->regmap, 0x2f58, 0x07); + } + +diff --git a/sound/soc/codecs/rt721-sdca.h b/sound/soc/codecs/rt721-sdca.h +index 0a82c107b19a2..71fac9cd87394 100644 +--- a/sound/soc/codecs/rt721-sdca.h ++++ b/sound/soc/codecs/rt721-sdca.h +@@ -56,6 +56,7 @@ struct rt721_sdca_dmic_kctrl_priv { + #define RT721_CBJ_CTRL 0x0a + #define RT721_CAP_PORT_CTRL 0x0c + #define RT721_CLASD_AMP_CTRL 0x0d ++#define RT721_BOOST_CTRL 0x0f + #define RT721_VENDOR_REG 0x20 + #define RT721_RC_CALIB_CTRL 0x40 + #define RT721_VENDOR_EQ_L 0x53 +@@ -93,6 +94,9 @@ struct rt721_sdca_dmic_kctrl_priv { + /* Index (NID:0dh) */ + #define RT721_CLASD_AMP_2CH_CAL 0x14 + ++/* Index (NID:0fh) */ ++#define RT721_BST_4CH_TOP_GATING_CTRL1 0x05 ++ + /* Index (NID:20h) */ + #define RT721_JD_PRODUCT_NUM 0x00 + #define RT721_ANALOG_BIAS_CTL3 0x04 +-- +2.50.1 + diff --git a/queue-6.16/erofs-fallback-to-normal-access-if-dax-is-not-suppor.patch b/queue-6.16/erofs-fallback-to-normal-access-if-dax-is-not-suppor.patch new file mode 100644 index 0000000000..b41eb39df5 --- /dev/null +++ b/queue-6.16/erofs-fallback-to-normal-access-if-dax-is-not-suppor.patch @@ -0,0 +1,90 @@ +From 7e7e284be1bb79b6c1dab35ddacba5393f43864d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Aug 2025 16:20:31 +0800 +Subject: erofs: Fallback to normal access if DAX is not supported on extra + device + +From: Yuezhang Mo + +[ Upstream commit c6993c4cb91803fceb82d6b5e0ec5e0aec2d0ad6 ] + +If using multiple devices, we should check if the extra device support +DAX instead of checking the primary device when deciding if to use DAX +to access a file. + +If an extra device does not support DAX we should fallback to normal +access otherwise the data on that device will be inaccessible. + +Signed-off-by: Yuezhang Mo +Reviewed-by: Friendy Su +Reviewed-by: Jacky Cao +Reviewed-by: Daniel Palmer +Reviewed-by: Gao Xiang +Reviewed-by: Hongbo Li +Link: https://lore.kernel.org/r/20250804082030.3667257-2-Yuezhang.Mo@sony.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/super.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/fs/erofs/super.c b/fs/erofs/super.c +index 799fef437aa8e..cad87e4d66943 100644 +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -174,6 +174,11 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb, + if (!erofs_is_fileio_mode(sbi)) { + dif->dax_dev = fs_dax_get_by_bdev(file_bdev(file), + &dif->dax_part_off, NULL, NULL); ++ if (!dif->dax_dev && test_opt(&sbi->opt, DAX_ALWAYS)) { ++ erofs_info(sb, "DAX unsupported by %s. Turning off DAX.", ++ dif->path); ++ clear_opt(&sbi->opt, DAX_ALWAYS); ++ } + } else if (!S_ISREG(file_inode(file)->i_mode)) { + fput(file); + return -EINVAL; +@@ -210,8 +215,13 @@ static int erofs_scan_devices(struct super_block *sb, + ondisk_extradevs, sbi->devs->extra_devices); + return -EINVAL; + } +- if (!ondisk_extradevs) ++ if (!ondisk_extradevs) { ++ if (test_opt(&sbi->opt, DAX_ALWAYS) && !sbi->dif0.dax_dev) { ++ erofs_info(sb, "DAX unsupported by block device. Turning off DAX."); ++ clear_opt(&sbi->opt, DAX_ALWAYS); ++ } + return 0; ++ } + + if (!sbi->devs->extra_devices && !erofs_is_fscache_mode(sb)) + sbi->devs->flatdev = true; +@@ -330,7 +340,6 @@ static int erofs_read_superblock(struct super_block *sb) + if (ret < 0) + goto out; + +- /* handle multiple devices */ + ret = erofs_scan_devices(sb, dsb); + + if (erofs_sb_has_48bit(sbi)) +@@ -661,14 +670,9 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc) + return invalfc(fc, "cannot use fsoffset in fscache mode"); + } + +- if (test_opt(&sbi->opt, DAX_ALWAYS)) { +- if (!sbi->dif0.dax_dev) { +- errorfc(fc, "DAX unsupported by block device. Turning off DAX."); +- clear_opt(&sbi->opt, DAX_ALWAYS); +- } else if (sbi->blkszbits != PAGE_SHIFT) { +- errorfc(fc, "unsupported blocksize for DAX"); +- clear_opt(&sbi->opt, DAX_ALWAYS); +- } ++ if (test_opt(&sbi->opt, DAX_ALWAYS) && sbi->blkszbits != PAGE_SHIFT) { ++ erofs_info(sb, "unsupported blocksize for DAX"); ++ clear_opt(&sbi->opt, DAX_ALWAYS); + } + + sb->s_time_gran = 1; +-- +2.50.1 + diff --git a/queue-6.16/erofs-fix-atomic-context-detection-when-config_debug.patch b/queue-6.16/erofs-fix-atomic-context-detection-when-config_debug.patch new file mode 100644 index 0000000000..2a5f962250 --- /dev/null +++ b/queue-6.16/erofs-fix-atomic-context-detection-when-config_debug.patch @@ -0,0 +1,128 @@ +From 105abc125128864c9dbda4294a3d8ba88c720ea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Aug 2025 09:19:58 +0800 +Subject: erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC + +From: Junli Liu + +[ Upstream commit c99fab6e80b76422741d34aafc2f930a482afbdd ] + +Since EROFS handles decompression in non-atomic contexts due to +uncontrollable decompression latencies and vmap() usage, it tries +to detect atomic contexts and only kicks off a kworker on demand +in order to reduce unnecessary scheduling overhead. + +However, the current approach is insufficient and can lead to +sleeping function calls in invalid contexts, causing kernel +warnings and potential system instability. See the stacktrace [1] +and previous discussion [2]. + +The current implementation only checks rcu_read_lock_any_held(), +which behaves inconsistently across different kernel configurations: + +- When CONFIG_DEBUG_LOCK_ALLOC is enabled: correctly detects + RCU critical sections by checking rcu_lock_map +- When CONFIG_DEBUG_LOCK_ALLOC is disabled: compiles to + "!preemptible()", which only checks preempt_count and misses + RCU critical sections + +This patch introduces z_erofs_in_atomic() to provide comprehensive +atomic context detection: + +1. Check RCU preemption depth when CONFIG_PREEMPTION is enabled, + as RCU critical sections may not affect preempt_count but still + require atomic handling + +2. Always use async processing when CONFIG_PREEMPT_COUNT is disabled, + as preemption state cannot be reliably determined + +3. Fall back to standard preemptible() check for remaining cases + +The function replaces the previous complex condition check and ensures +that z_erofs always uses (kthread_)work in atomic contexts to minimize +scheduling overhead and prevent sleeping in invalid contexts. + +[1] Problem stacktrace +[ 61.266692] BUG: sleeping function called from invalid context at kernel/locking/rtmutex_api.c:510 +[ 61.266702] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 107, name: irq/54-ufshcd +[ 61.266704] preempt_count: 0, expected: 0 +[ 61.266705] RCU nest depth: 2, expected: 0 +[ 61.266710] CPU: 0 UID: 0 PID: 107 Comm: irq/54-ufshcd Tainted: G W O 6.12.17 #1 +[ 61.266714] Tainted: [W]=WARN, [O]=OOT_MODULE +[ 61.266715] Hardware name: schumacher (DT) +[ 61.266717] Call trace: +[ 61.266718] dump_backtrace+0x9c/0x100 +[ 61.266727] show_stack+0x20/0x38 +[ 61.266728] dump_stack_lvl+0x78/0x90 +[ 61.266734] dump_stack+0x18/0x28 +[ 61.266736] __might_resched+0x11c/0x180 +[ 61.266743] __might_sleep+0x64/0xc8 +[ 61.266745] mutex_lock+0x2c/0xc0 +[ 61.266748] z_erofs_decompress_queue+0xe8/0x978 +[ 61.266753] z_erofs_decompress_kickoff+0xa8/0x190 +[ 61.266756] z_erofs_endio+0x168/0x288 +[ 61.266758] bio_endio+0x160/0x218 +[ 61.266762] blk_update_request+0x244/0x458 +[ 61.266766] scsi_end_request+0x38/0x278 +[ 61.266770] scsi_io_completion+0x4c/0x600 +[ 61.266772] scsi_finish_command+0xc8/0xe8 +[ 61.266775] scsi_complete+0x88/0x148 +[ 61.266777] blk_mq_complete_request+0x3c/0x58 +[ 61.266780] scsi_done_internal+0xcc/0x158 +[ 61.266782] scsi_done+0x1c/0x30 +[ 61.266783] ufshcd_compl_one_cqe+0x12c/0x438 +[ 61.266786] __ufshcd_transfer_req_compl+0x2c/0x78 +[ 61.266788] ufshcd_poll+0xf4/0x210 +[ 61.266789] ufshcd_transfer_req_compl+0x50/0x88 +[ 61.266791] ufshcd_intr+0x21c/0x7c8 +[ 61.266792] irq_forced_thread_fn+0x44/0xd8 +[ 61.266796] irq_thread+0x1a4/0x358 +[ 61.266799] kthread+0x12c/0x138 +[ 61.266802] ret_from_fork+0x10/0x20 + +[2] https://lore.kernel.org/r/58b661d0-0ebb-4b45-a10d-c5927fb791cd@paulmck-laptop + +Signed-off-by: Junli Liu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20250805011957.911186-1-liujunli@lixiang.com +[ Gao Xiang: Use the original trace in v1. ] +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index e3f28a1bb9452..9bb53f00c2c62 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -1430,6 +1430,16 @@ static void z_erofs_decompressqueue_kthread_work(struct kthread_work *work) + } + #endif + ++/* Use (kthread_)work in atomic contexts to minimize scheduling overhead */ ++static inline bool z_erofs_in_atomic(void) ++{ ++ if (IS_ENABLED(CONFIG_PREEMPTION) && rcu_preempt_depth()) ++ return true; ++ if (!IS_ENABLED(CONFIG_PREEMPT_COUNT)) ++ return true; ++ return !preemptible(); ++} ++ + static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + int bios) + { +@@ -1444,8 +1454,7 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + + if (atomic_add_return(bios, &io->pending_bios)) + return; +- /* Use (kthread_)work and sync decompression for atomic contexts only */ +- if (!in_task() || irqs_disabled() || rcu_read_lock_any_held()) { ++ if (z_erofs_in_atomic()) { + #ifdef CONFIG_EROFS_FS_PCPU_KTHREAD + struct kthread_worker *worker; + +-- +2.50.1 + diff --git a/queue-6.16/fgraph-copy-args-in-intermediate-storage-with-entry.patch b/queue-6.16/fgraph-copy-args-in-intermediate-storage-with-entry.patch new file mode 100644 index 0000000000..16e8b3b8bc --- /dev/null +++ b/queue-6.16/fgraph-copy-args-in-intermediate-storage-with-entry.patch @@ -0,0 +1,117 @@ +From 20475c13f300eee9c0df749f0064b9ea8d724380 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 19:55:22 -0400 +Subject: fgraph: Copy args in intermediate storage with entry + +From: Steven Rostedt + +[ Upstream commit e3d01979e4bff5c87eb4054a22e7568bb679b1fe ] + +The output of the function graph tracer has two ways to display its +entries. One way for leaf functions with no events recorded within them, +and the other is for functions with events recorded inside it. As function +graph has an entry and exit event, to simplify the output of leaf +functions it combines the two, where as non leaf functions are separate: + + 2) | invoke_rcu_core() { + 2) | raise_softirq() { + 2) 0.391 us | __raise_softirq_irqoff(); + 2) 1.191 us | } + 2) 2.086 us | } + +The __raise_softirq_irqoff() function above is really two events that were +merged into one. Otherwise it would have looked like: + + 2) | invoke_rcu_core() { + 2) | raise_softirq() { + 2) | __raise_softirq_irqoff() { + 2) 0.391 us | } + 2) 1.191 us | } + 2) 2.086 us | } + +In order to do this merge, the reading of the trace output file needs to +look at the next event before printing. But since the pointer to the event +is on the ring buffer, it needs to save the entry event before it looks at +the next event as the next event goes out of focus as soon as a new event +is read from the ring buffer. After it reads the next event, it will print +the entry event with either the '{' (non leaf) or ';' and timestamps (leaf). + +The iterator used to read the trace file has storage for this event. The +problem happens when the function graph tracer has arguments attached to +the entry event as the entry now has a variable length "args" field. This +field only gets set when funcargs option is used. But the args are not +recorded in this temp data and garbage could be printed. The entry field +is copied via: + + data->ent = *curr; + +Where "curr" is the entry field. But this method only saves the non +variable length fields from the structure. + +Add a helper structure to the iterator data that adds the max args size to +the data storage in the iterator. Then simply copy the entire entry into +this storage (with size protection). + +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Mark Rutland +Link: https://lore.kernel.org/20250820195522.51d4a268@gandalf.local.home +Reported-by: Sasha Levin +Tested-by: Sasha Levin +Closes: https://lore.kernel.org/all/aJaxRVKverIjF4a6@lappy/ +Fixes: ff5c9c576e75 ("ftrace: Add support for function argument to graph tracer") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_functions_graph.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c +index 14d74a7491b8c..97fb32aaebeb9 100644 +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -27,14 +27,21 @@ struct fgraph_cpu_data { + unsigned long enter_funcs[FTRACE_RETFUNC_DEPTH]; + }; + ++struct fgraph_ent_args { ++ struct ftrace_graph_ent_entry ent; ++ /* Force the sizeof of args[] to have FTRACE_REGS_MAX_ARGS entries */ ++ unsigned long args[FTRACE_REGS_MAX_ARGS]; ++}; ++ + struct fgraph_data { + struct fgraph_cpu_data __percpu *cpu_data; + + /* Place to preserve last processed entry. */ + union { +- struct ftrace_graph_ent_entry ent; ++ struct fgraph_ent_args ent; ++ /* TODO allow retaddr to have args */ + struct fgraph_retaddr_ent_entry rent; +- } ent; ++ }; + struct ftrace_graph_ret_entry ret; + int failed; + int cpu; +@@ -627,10 +634,13 @@ get_return_for_leaf(struct trace_iterator *iter, + * Save current and next entries for later reference + * if the output fails. + */ +- if (unlikely(curr->ent.type == TRACE_GRAPH_RETADDR_ENT)) +- data->ent.rent = *(struct fgraph_retaddr_ent_entry *)curr; +- else +- data->ent.ent = *curr; ++ if (unlikely(curr->ent.type == TRACE_GRAPH_RETADDR_ENT)) { ++ data->rent = *(struct fgraph_retaddr_ent_entry *)curr; ++ } else { ++ int size = min((int)sizeof(data->ent), (int)iter->ent_size); ++ ++ memcpy(&data->ent, curr, size); ++ } + /* + * If the next event is not a return type, then + * we only care about what type it is. Otherwise we can +-- +2.50.1 + diff --git a/queue-6.16/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch b/queue-6.16/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch new file mode 100644 index 0000000000..0f1ecf3687 --- /dev/null +++ b/queue-6.16/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch @@ -0,0 +1,74 @@ +From 045fefd143955c9ed9a97ae625147380a5f329fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 03:33:43 +0000 +Subject: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump + +From: Tengda Wu + +[ Upstream commit 4013aef2ced9b756a410f50d12df9ebe6a883e4a ] + +When calling ftrace_dump_one() concurrently with reading trace_pipe, +a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race +condition. + +The issue occurs because: + +CPU0 (ftrace_dump) CPU1 (reader) +echo z > /proc/sysrq-trigger + +!trace_empty(&iter) +trace_iterator_reset(&iter) <- len = size = 0 + cat /sys/kernel/tracing/trace_pipe +trace_find_next_entry_inc(&iter) + __find_next_entry + ring_buffer_empty_cpu <- all empty + return NULL + +trace_printk_seq(&iter.seq) + WARN_ON_ONCE(s->seq.len >= s->seq.size) + +In the context between trace_empty() and trace_find_next_entry_inc() +during ftrace_dump, the ring buffer data was consumed by other readers. +This caused trace_find_next_entry_inc to return NULL, failing to populate +`iter.seq`. At this point, due to the prior trace_iterator_reset, both +`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, +the WARN_ON_ONCE condition is triggered. + +Move the trace_printk_seq() into the if block that checks to make sure the +return value of trace_find_next_entry_inc() is non-NULL in +ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before +subsequent operations. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Link: https://lore.kernel.org/20250822033343.3000289-1-wutengda@huaweicloud.com +Fixes: d769041f8653 ("ring_buffer: implement new locking") +Signed-off-by: Tengda Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 8ea6ada38c40e..b91fa02cc54a6 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -10700,10 +10700,10 @@ static void ftrace_dump_one(struct trace_array *tr, enum ftrace_dump_mode dump_m + ret = print_trace_line(&iter); + if (ret != TRACE_TYPE_NO_CONSUME) + trace_consume(&iter); ++ ++ trace_printk_seq(&iter.seq); + } + touch_nmi_watchdog(); +- +- trace_printk_seq(&iter.seq); + } + + if (!cnt) +-- +2.50.1 + diff --git a/queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch b/queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch new file mode 100644 index 0000000000..54e879cf48 --- /dev/null +++ b/queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch @@ -0,0 +1,68 @@ +From 168aef239a9adb845aad2929dddc9faf270d1b2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 20:02:14 +0800 +Subject: io_uring/io-wq: add check free worker before create new worker + +From: Fengnan Chang + +[ Upstream commit 9d83e1f05c98bab5de350bef89177e2be8b34db0 ] + +After commit 0b2b066f8a85 ("io_uring/io-wq: only create a new worker +if it can make progress"), in our produce environment, we still +observe that part of io_worker threads keeps creating and destroying. +After analysis, it was confirmed that this was due to a more complex +scenario involving a large number of fsync operations, which can be +abstracted as frequent write + fsync operations on multiple files in +a single uring instance. Since write is a hash operation while fsync +is not, and fsync is likely to be suspended during execution, the +action of checking the hash value in +io_wqe_dec_running cannot handle such scenarios. +Similarly, if hash-based work and non-hash-based work are sent at the +same time, similar issues are likely to occur. +Returning to the starting point of the issue, when a new work +arrives, io_wq_enqueue may wake up free worker A, while +io_wq_dec_running may create worker B. Ultimately, only one of A and +B can obtain and process the task, leaving the other in an idle +state. In the end, the issue is caused by inconsistent logic in the +checks performed by io_wq_enqueue and io_wq_dec_running. +Therefore, the problem can be resolved by checking for available +workers in io_wq_dec_running. + +Signed-off-by: Fengnan Chang +Reviewed-by: Diangang Li +Link: https://lore.kernel.org/r/20250813120214.18729-1-changfengnan@bytedance.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io-wq.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c +index be91edf34f013..17dfaa0395c46 100644 +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -357,6 +357,13 @@ static void create_worker_cb(struct callback_head *cb) + worker = container_of(cb, struct io_worker, create_work); + wq = worker->wq; + acct = worker->acct; ++ ++ rcu_read_lock(); ++ do_create = !io_acct_activate_free_worker(acct); ++ rcu_read_unlock(); ++ if (!do_create) ++ goto no_need_create; ++ + raw_spin_lock(&acct->workers_lock); + + if (acct->nr_workers < acct->max_workers) { +@@ -367,6 +374,7 @@ static void create_worker_cb(struct callback_head *cb) + if (do_create) { + create_io_worker(wq, acct); + } else { ++no_need_create: + atomic_dec(&acct->nr_running); + io_worker_ref_put(wq); + } +-- +2.50.1 + diff --git a/queue-6.16/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch b/queue-6.16/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch new file mode 100644 index 0000000000..0b7dec3c15 --- /dev/null +++ b/queue-6.16/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch @@ -0,0 +1,45 @@ +From b901d5d120b40c4bc7a36ca3ceb6dd783d708f2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Aug 2025 14:49:06 +0200 +Subject: mips: dts: lantiq: danube: add missing burst length property + +From: Aleksander Jan Bajkowski + +[ Upstream commit 7b28232921782aa38048249132899c337405eaa8 ] + +The upstream dts lacks the lantiq,{rx/tx}-burst-length property. Other +issues were also fixed: +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'interrupt-names' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'lantiq,tx-burst-length' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'lantiq,rx-burst-length' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# + +Fixes: 14d4e308e0aa ("net: lantiq: configure the burst length in ethernet drivers") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/boot/dts/lantiq/danube_easy50712.dts b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +index 1ce20b7d05cb8..d8b3cd69eda3c 100644 +--- a/arch/mips/boot/dts/lantiq/danube_easy50712.dts ++++ b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +@@ -87,8 +87,11 @@ etop@e180000 { + reg = <0xe180000 0x40000>; + interrupt-parent = <&icu0>; + interrupts = <73 78>; ++ interrupt-names = "tx", "rx"; + phy-mode = "rmii"; + mac-address = [ 00 11 22 33 44 55 ]; ++ lantiq,rx-burst-length = <4>; ++ lantiq,tx-burst-length = <4>; + }; + + stp0: stp@e100bb0 { +-- +2.50.1 + diff --git a/queue-6.16/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch b/queue-6.16/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch new file mode 100644 index 0000000000..a58c9e7158 --- /dev/null +++ b/queue-6.16/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch @@ -0,0 +1,79 @@ +From acbc5fd76868b4574443670620ea68fa9df2d078 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Aug 2025 14:49:07 +0200 +Subject: mips: lantiq: xway: sysctrl: rename the etop node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksander Jan Bajkowski + +[ Upstream commit 8c431ea8f3f795c4b9cfa57a85bc4166b9cce0ac ] + +Bindig requires a node name matching ‘^ethernet@[0-9a-f]+$’. This patch +changes the clock name from “etop” to “ethernet”. + +This fixes the following warning: +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): $nodename:0: 'etop@e180000' does not match '^ethernet@[0-9a-f]+$' + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# + +Fixes: dac0bad93741 ("dt-bindings: net: lantiq,etop-xway: Document Lantiq Xway ETOP bindings") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 2 +- + arch/mips/lantiq/xway/sysctrl.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/mips/boot/dts/lantiq/danube_easy50712.dts b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +index d8b3cd69eda3c..c4d7aa5753b04 100644 +--- a/arch/mips/boot/dts/lantiq/danube_easy50712.dts ++++ b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +@@ -82,7 +82,7 @@ conf_out { + }; + }; + +- etop@e180000 { ++ ethernet@e180000 { + compatible = "lantiq,etop-xway"; + reg = <0xe180000 0x40000>; + interrupt-parent = <&icu0>; +diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c +index 5a75283d17f10..6031a0272d874 100644 +--- a/arch/mips/lantiq/xway/sysctrl.c ++++ b/arch/mips/lantiq/xway/sysctrl.c +@@ -497,7 +497,7 @@ void __init ltq_soc_init(void) + ifccr = CGU_IFCCR_VR9; + pcicr = CGU_PCICR_VR9; + } else { +- clkdev_add_pmu("1e180000.etop", NULL, 1, 0, PMU_PPE); ++ clkdev_add_pmu("1e180000.ethernet", NULL, 1, 0, PMU_PPE); + } + + if (!of_machine_is_compatible("lantiq,ase")) +@@ -531,9 +531,9 @@ void __init ltq_soc_init(void) + CLOCK_133M, CLOCK_133M); + clkdev_add_pmu("1e101000.usb", "otg", 1, 0, PMU_USB0); + clkdev_add_pmu("1f203018.usb2-phy", "phy", 1, 0, PMU_USB0_P); +- clkdev_add_pmu("1e180000.etop", "ppe", 1, 0, PMU_PPE); +- clkdev_add_cgu("1e180000.etop", "ephycgu", CGU_EPHY); +- clkdev_add_pmu("1e180000.etop", "ephy", 1, 0, PMU_EPHY); ++ clkdev_add_pmu("1e180000.ethernet", "ppe", 1, 0, PMU_PPE); ++ clkdev_add_cgu("1e180000.ethernet", "ephycgu", CGU_EPHY); ++ clkdev_add_pmu("1e180000.ethernet", "ephy", 1, 0, PMU_EPHY); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_ASE_SDIO); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); + } else if (of_machine_is_compatible("lantiq,grx390")) { +@@ -592,7 +592,7 @@ void __init ltq_soc_init(void) + clkdev_add_pmu("1e101000.usb", "otg", 1, 0, PMU_USB0 | PMU_AHBM); + clkdev_add_pmu("1f203034.usb2-phy", "phy", 1, 0, PMU_USB1_P); + clkdev_add_pmu("1e106000.usb", "otg", 1, 0, PMU_USB1 | PMU_AHBM); +- clkdev_add_pmu("1e180000.etop", "switch", 1, 0, PMU_SWITCH); ++ clkdev_add_pmu("1e180000.ethernet", "switch", 1, 0, PMU_SWITCH); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_SDIO); + clkdev_add_pmu("1e103100.deu", NULL, 1, 0, PMU_DEU); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); +-- +2.50.1 + diff --git a/queue-6.16/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch b/queue-6.16/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch new file mode 100644 index 0000000000..1898bbd23e --- /dev/null +++ b/queue-6.16/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch @@ -0,0 +1,47 @@ +From 87de095ef75aab8587555506898c475aa738e1fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 08:22:21 -0700 +Subject: of: dynamic: Fix memleak when of_pci_add_properties() failed + +From: Lizhi Hou + +[ Upstream commit c81f6ce16785cc07ae81f53deb07b662ed0bb3a5 ] + +When of_pci_add_properties() failed, of_changeset_destroy() is called to +free the changeset. And of_changeset_destroy() puts device tree node in +each entry but does not free property in the entry. This leads to memory +leak in the failure case. + +In of_changeset_add_prop_helper(), add the property to the device tree node +deadprops list. Thus, the property will also be freed along with device +tree node. + +Fixes: b544fc2b8606 ("of: dynamic: Add interfaces for creating device node dynamically") +Reported-by: Lorenzo Pieralisi +Closes: https://lore.kernel.org/all/aJms+YT8TnpzpCY8@lpieralisi/ +Tested-by: Lorenzo Pieralisi +Signed-off-by: Lizhi Hou +Link: https://lore.kernel.org/r/20250818152221.3685724-1-lizhi.hou@amd.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/dynamic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index 0aba760f7577e..dd30b7d8b5e46 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -938,6 +938,9 @@ static int of_changeset_add_prop_helper(struct of_changeset *ocs, + if (ret) + __of_prop_free(new_pp); + ++ new_pp->next = np->deadprops; ++ np->deadprops = new_pp; ++ + return ret; + } + +-- +2.50.1 + diff --git a/queue-6.16/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch b/queue-6.16/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch new file mode 100644 index 0000000000..45f71c3fea --- /dev/null +++ b/queue-6.16/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch @@ -0,0 +1,47 @@ +From 62389d82913acdd69a48f6488007e86c29e934b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 11:08:46 +0300 +Subject: of: dynamic: Fix use after free in of_changeset_add_prop_helper() + +From: Dan Carpenter + +[ Upstream commit 80af3745ca465c6c47e833c1902004a7fa944f37 ] + +If the of_changeset_add_property() function call fails, then this code +frees "new_pp" and then dereference it on the next line. Return the +error code directly instead. + +Fixes: c81f6ce16785 ("of: dynamic: Fix memleak when of_pci_add_properties() failed") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/aKgljjhnpa4lVpdx@stanley.mountain +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/dynamic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index dd30b7d8b5e46..2eaaddcb0ec4e 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -935,13 +935,15 @@ static int of_changeset_add_prop_helper(struct of_changeset *ocs, + return -ENOMEM; + + ret = of_changeset_add_property(ocs, np, new_pp); +- if (ret) ++ if (ret) { + __of_prop_free(new_pp); ++ return ret; ++ } + + new_pp->next = np->deadprops; + np->deadprops = new_pp; + +- return ret; ++ return 0; + } + + /** +-- +2.50.1 + diff --git a/queue-6.16/of-reserved_mem-add-missing-ioresource_mem-flag-on-r.patch b/queue-6.16/of-reserved_mem-add-missing-ioresource_mem-flag-on-r.patch new file mode 100644 index 0000000000..2af5d53d98 --- /dev/null +++ b/queue-6.16/of-reserved_mem-add-missing-ioresource_mem-flag-on-r.patch @@ -0,0 +1,42 @@ +From 0652f46ef8c3c331ee5e74f1ba40a7a3721a39dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 14:28:04 -0500 +Subject: of: reserved_mem: Add missing IORESOURCE_MEM flag on resources + +From: Rob Herring (Arm) + +[ Upstream commit aea70964b5a7ca491a3701f2dde6c9d05d51878d ] + +Commit f4fcfdda2fd8 ('of: reserved_mem: Add functions to parse +"memory-region"') failed to set IORESOURCE_MEM flag on the resources. +The result is functions such as devm_ioremap_resource_wc() will fail. +Add the missing flag. + +Fixes: f4fcfdda2fd8 ('of: reserved_mem: Add functions to parse "memory-region"') +Reported-by: Iuliana Prodan +Reported-by: Daniel Baluta +Tested-by: Iuliana Prodan +Reviewed-by: Iuliana Prodan +Reviewed-by: Saravana Kannan +Link: https://lore.kernel.org/r/20250820192805.565568-1-robh@kernel.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/of_reserved_mem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c +index 77016c0cc296e..d3b7c4ae429c7 100644 +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -771,6 +771,7 @@ int of_reserved_mem_region_to_resource(const struct device_node *np, + return -EINVAL; + + resource_set_range(res, rmem->base, rmem->size); ++ res->flags = IORESOURCE_MEM; + res->name = rmem->name; + return 0; + } +-- +2.50.1 + diff --git a/queue-6.16/perf-avoid-undefined-behavior-from-stopping-starting.patch b/queue-6.16/perf-avoid-undefined-behavior-from-stopping-starting.patch new file mode 100644 index 0000000000..d52db77db4 --- /dev/null +++ b/queue-6.16/perf-avoid-undefined-behavior-from-stopping-starting.patch @@ -0,0 +1,84 @@ +From d46e094075d35debb182e30f4995902b83d1ee8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Aug 2025 18:10:47 +0000 +Subject: perf: Avoid undefined behavior from stopping/starting inactive events + +From: Yunseong Kim + +[ Upstream commit b64fdd422a85025b5e91ead794db9d3ef970e369 ] + +Calling pmu->start()/stop() on perf events in PERF_EVENT_STATE_OFF can +leave event->hw.idx at -1. When PMU drivers later attempt to use this +negative index as a shift exponent in bitwise operations, it leads to UBSAN +shift-out-of-bounds reports. + +The issue is a logical flaw in how event groups handle throttling when some +members are intentionally disabled. Based on the analysis and the +reproducer provided by Mark Rutland (this issue on both arm64 and x86-64). + +The scenario unfolds as follows: + + 1. A group leader event is configured with a very aggressive sampling + period (e.g., sample_period = 1). This causes frequent interrupts and + triggers the throttling mechanism. + 2. A child event in the same group is created in a disabled state + (.disabled = 1). This event remains in PERF_EVENT_STATE_OFF. + Since it hasn't been scheduled onto the PMU, its event->hw.idx remains + initialized at -1. + 3. When throttling occurs, perf_event_throttle_group() and later + perf_event_unthrottle_group() iterate through all siblings, including + the disabled child event. + 4. perf_event_throttle()/unthrottle() are called on this inactive child + event, which then call event->pmu->start()/stop(). + 5. The PMU driver receives the event with hw.idx == -1 and attempts to + use it as a shift exponent. e.g., in macros like PMCNTENSET(idx), + leading to the UBSAN report. + +The throttling mechanism attempts to start/stop events that are not +actively scheduled on the hardware. + +Move the state check into perf_event_throttle()/perf_event_unthrottle() so +that inactive events are skipped entirely. This ensures only active events +with a valid hw.idx are processed, preventing undefined behavior and +silencing UBSAN warnings. The corrected check ensures true before +proceeding with PMU operations. + +The problem can be reproduced with the syzkaller reproducer: + +Fixes: 9734e25fbf5a ("perf: Fix the throttle logic for a group") +Signed-off-by: Yunseong Kim +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Kan Liang +Link: https://lore.kernel.org/r/20250812181046.292382-2-ysk@kzalloc.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 8060c2857bb2b..872122e074e5f 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -2665,6 +2665,9 @@ static void perf_log_itrace_start(struct perf_event *event); + + static void perf_event_unthrottle(struct perf_event *event, bool start) + { ++ if (event->state != PERF_EVENT_STATE_ACTIVE) ++ return; ++ + event->hw.interrupts = 0; + if (start) + event->pmu->start(event, 0); +@@ -2674,6 +2677,9 @@ static void perf_event_unthrottle(struct perf_event *event, bool start) + + static void perf_event_throttle(struct perf_event *event) + { ++ if (event->state != PERF_EVENT_STATE_ACTIVE) ++ return; ++ + event->hw.interrupts = MAX_INTERRUPTS; + event->pmu->stop(event, 0); + if (event == event->group_leader) +-- +2.50.1 + diff --git a/queue-6.16/perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch b/queue-6.16/perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch new file mode 100644 index 0000000000..3e170921af --- /dev/null +++ b/queue-6.16/perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch @@ -0,0 +1,147 @@ +From 4d71d1a168030981ca1b08142a67de1c8baf79f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:00:23 -0700 +Subject: perf symbol-minimal: Fix ehdr reading in filename__read_build_id + +From: Ian Rogers + +[ Upstream commit ba0b7081f7a521d7c28b527a4f18666a148471e7 ] + +The e_ident is part of the ehdr and so reading it a second time would +mean the read ehdr was displaced by 16-bytes. Switch from stdio to +open/read/lseek syscalls for similarity with the symbol-elf version of +the function and so that later changes can alter then open flags. + +Fixes: fef8f648bb47 ("perf symbol: Fix use-after-free in filename__read_build_id") +Signed-off-by: Ian Rogers +Link: https://lore.kernel.org/r/20250823000024.724394-2-irogers@google.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-minimal.c | 55 ++++++++++++++++---------------- + 1 file changed, 27 insertions(+), 28 deletions(-) + +diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c +index c73fe2e09fe91..fc9c6f39d5dd3 100644 +--- a/tools/perf/util/symbol-minimal.c ++++ b/tools/perf/util/symbol-minimal.c +@@ -4,7 +4,6 @@ + + #include + #include +-#include + #include + #include + #include +@@ -88,11 +87,8 @@ int filename__read_debuglink(const char *filename __maybe_unused, + */ + int filename__read_build_id(const char *filename, struct build_id *bid) + { +- FILE *fp; +- int ret = -1; ++ int fd, ret = -1; + bool need_swap = false, elf32; +- u8 e_ident[EI_NIDENT]; +- int i; + union { + struct { + Elf32_Ehdr ehdr32; +@@ -103,28 +99,27 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + Elf64_Phdr *phdr64; + }; + } hdrs; +- void *phdr; +- size_t phdr_size; +- void *buf = NULL; +- size_t buf_size = 0; ++ void *phdr, *buf = NULL; ++ ssize_t phdr_size, ehdr_size, buf_size = 0; + +- fp = fopen(filename, "r"); +- if (fp == NULL) ++ fd = open(filename, O_RDONLY); ++ if (fd < 0) + return -1; + +- if (fread(e_ident, sizeof(e_ident), 1, fp) != 1) ++ if (read(fd, hdrs.ehdr32.e_ident, EI_NIDENT) != EI_NIDENT) + goto out; + +- if (memcmp(e_ident, ELFMAG, SELFMAG) || +- e_ident[EI_VERSION] != EV_CURRENT) ++ if (memcmp(hdrs.ehdr32.e_ident, ELFMAG, SELFMAG) || ++ hdrs.ehdr32.e_ident[EI_VERSION] != EV_CURRENT) + goto out; + +- need_swap = check_need_swap(e_ident[EI_DATA]); +- elf32 = e_ident[EI_CLASS] == ELFCLASS32; ++ need_swap = check_need_swap(hdrs.ehdr32.e_ident[EI_DATA]); ++ elf32 = hdrs.ehdr32.e_ident[EI_CLASS] == ELFCLASS32; ++ ehdr_size = (elf32 ? sizeof(hdrs.ehdr32) : sizeof(hdrs.ehdr64)) - EI_NIDENT; + +- if (fread(elf32 ? (void *)&hdrs.ehdr32 : (void *)&hdrs.ehdr64, +- elf32 ? sizeof(hdrs.ehdr32) : sizeof(hdrs.ehdr64), +- 1, fp) != 1) ++ if (read(fd, ++ (elf32 ? (void *)&hdrs.ehdr32 : (void *)&hdrs.ehdr64) + EI_NIDENT, ++ ehdr_size) != ehdr_size) + goto out; + + if (need_swap) { +@@ -138,14 +133,18 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + hdrs.ehdr64.e_phnum = bswap_16(hdrs.ehdr64.e_phnum); + } + } +- phdr_size = elf32 ? hdrs.ehdr32.e_phentsize * hdrs.ehdr32.e_phnum +- : hdrs.ehdr64.e_phentsize * hdrs.ehdr64.e_phnum; ++ if ((elf32 && hdrs.ehdr32.e_phentsize != sizeof(Elf32_Phdr)) || ++ (!elf32 && hdrs.ehdr64.e_phentsize != sizeof(Elf64_Phdr))) ++ goto out; ++ ++ phdr_size = elf32 ? sizeof(Elf32_Phdr) * hdrs.ehdr32.e_phnum ++ : sizeof(Elf64_Phdr) * hdrs.ehdr64.e_phnum; + phdr = malloc(phdr_size); + if (phdr == NULL) + goto out; + +- fseek(fp, elf32 ? hdrs.ehdr32.e_phoff : hdrs.ehdr64.e_phoff, SEEK_SET); +- if (fread(phdr, phdr_size, 1, fp) != 1) ++ lseek(fd, elf32 ? hdrs.ehdr32.e_phoff : hdrs.ehdr64.e_phoff, SEEK_SET); ++ if (read(fd, phdr, phdr_size) != phdr_size) + goto out_free; + + if (elf32) +@@ -153,8 +152,8 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + else + hdrs.phdr64 = phdr; + +- for (i = 0; i < elf32 ? hdrs.ehdr32.e_phnum : hdrs.ehdr64.e_phnum; i++) { +- size_t p_filesz; ++ for (int i = 0; i < (elf32 ? hdrs.ehdr32.e_phnum : hdrs.ehdr64.e_phnum); i++) { ++ ssize_t p_filesz; + + if (need_swap) { + if (elf32) { +@@ -180,8 +179,8 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + goto out_free; + buf = tmp; + } +- fseek(fp, elf32 ? hdrs.phdr32[i].p_offset : hdrs.phdr64[i].p_offset, SEEK_SET); +- if (fread(buf, p_filesz, 1, fp) != 1) ++ lseek(fd, elf32 ? hdrs.phdr32[i].p_offset : hdrs.phdr64[i].p_offset, SEEK_SET); ++ if (read(fd, buf, p_filesz) != p_filesz) + goto out_free; + + ret = read_build_id(buf, p_filesz, bid, need_swap); +@@ -194,7 +193,7 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + free(buf); + free(phdr); + out: +- fclose(fp); ++ close(fd); + return ret; + } + +-- +2.50.1 + diff --git a/queue-6.16/pinctrl-airoha-fix-return-value-in-pinconf-callbacks.patch b/queue-6.16/pinctrl-airoha-fix-return-value-in-pinconf-callbacks.patch new file mode 100644 index 0000000000..42ce1ae90a --- /dev/null +++ b/queue-6.16/pinctrl-airoha-fix-return-value-in-pinconf-callbacks.patch @@ -0,0 +1,60 @@ +From b5eda2676c5bc2871bb848b7b186fe2ebadd65fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 14:14:18 +0200 +Subject: pinctrl: airoha: Fix return value in pinconf callbacks + +From: Lorenzo Bianconi + +[ Upstream commit 563fcd6475931c5c8c652a4dd548256314cc87ed ] + +Pinctrl stack requires ENOTSUPP error code if the parameter is not +supported by the pinctrl driver. Fix the returned error code in pinconf +callbacks if the operation is not supported. + +Fixes: 1c8ace2d0725 ("pinctrl: airoha: Add support for EN7581 SoC") +Signed-off-by: Lorenzo Bianconi +Link: https://lore.kernel.org/20250822-airoha-pinconf-err-val-fix-v1-1-87b4f264ced2@kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mediatek/pinctrl-airoha.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/mediatek/pinctrl-airoha.c b/drivers/pinctrl/mediatek/pinctrl-airoha.c +index b97b28ebb37a6..3fa5131d81e52 100644 +--- a/drivers/pinctrl/mediatek/pinctrl-airoha.c ++++ b/drivers/pinctrl/mediatek/pinctrl-airoha.c +@@ -2696,7 +2696,7 @@ static int airoha_pinconf_get(struct pinctrl_dev *pctrl_dev, + arg = 1; + break; + default: +- return -EOPNOTSUPP; ++ return -ENOTSUPP; + } + + *config = pinconf_to_config_packed(param, arg); +@@ -2788,7 +2788,7 @@ static int airoha_pinconf_set(struct pinctrl_dev *pctrl_dev, + break; + } + default: +- return -EOPNOTSUPP; ++ return -ENOTSUPP; + } + } + +@@ -2805,10 +2805,10 @@ static int airoha_pinconf_group_get(struct pinctrl_dev *pctrl_dev, + if (airoha_pinconf_get(pctrl_dev, + airoha_pinctrl_groups[group].pins[i], + config)) +- return -EOPNOTSUPP; ++ return -ENOTSUPP; + + if (i && cur_config != *config) +- return -EOPNOTSUPP; ++ return -ENOTSUPP; + + cur_config = *config; + } +-- +2.50.1 + diff --git a/queue-6.16/pinctrl-stmfx-add-missing-has_iomem-dependency.patch b/queue-6.16/pinctrl-stmfx-add-missing-has_iomem-dependency.patch new file mode 100644 index 0000000000..c8d116f53c --- /dev/null +++ b/queue-6.16/pinctrl-stmfx-add-missing-has_iomem-dependency.patch @@ -0,0 +1,44 @@ +From 6d64a394ff86ee71c11cfa1b24332b4ba4b2b537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 19:27:21 -0700 +Subject: pinctrl: STMFX: add missing HAS_IOMEM dependency + +From: Randy Dunlap + +[ Upstream commit a12946bef0407cf2db0899c83d42c47c00af3fbc ] + +When building on ARCH=um (which does not set HAS_IOMEM), kconfig +reports an unmet dependency caused by PINCTRL_STMFX. It selects +MFD_STMFX, which depends on HAS_IOMEM. To stop this warning, +PINCTRL_STMFX should also depend on HAS_IOMEM. + +kconfig warning: +WARNING: unmet direct dependencies detected for MFD_STMFX + Depends on [n]: HAS_IOMEM [=n] && I2C [=y] && OF [=y] + Selected by [y]: + - PINCTRL_STMFX [=y] && PINCTRL [=y] && I2C [=y] && OF_GPIO [=y] + +Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/20250815022721.1650885-1-rdunlap@infradead.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig +index 33db9104df178..3952f77081a35 100644 +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -527,6 +527,7 @@ config PINCTRL_STMFX + tristate "STMicroelectronics STMFX GPIO expander pinctrl driver" + depends on I2C + depends on OF_GPIO ++ depends on HAS_IOMEM + select GENERIC_PINCONF + select GPIOLIB_IRQCHIP + select MFD_STMFX +-- +2.50.1 + diff --git a/queue-6.16/revert-virtio-reject-shm-region-if-length-is-zero.patch b/queue-6.16/revert-virtio-reject-shm-region-if-length-is-zero.patch new file mode 100644 index 0000000000..6613162273 --- /dev/null +++ b/queue-6.16/revert-virtio-reject-shm-region-if-length-is-zero.patch @@ -0,0 +1,53 @@ +From e0562d250e5b9dd10423f07b97ff960c1d6b3b09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 09:41:45 -0300 +Subject: Revert "virtio: reject shm region if length is zero" + +From: Igor Torrente + +[ Upstream commit ced17ee32a9988b8a260628e7c31a100d7dc082e ] + +The commit 206cc44588f7 ("virtio: reject shm region if length is zero") +breaks the Virtio-gpu `host_visible` feature. + +As you can see in the snippet below, host_visible_region is zero because +of the `kzalloc`. It's using the `vm_get_shm_region` +(drivers/virtio/virtio_mmio.c:536) to read the `addr` and `len` from +qemu/crosvm. + +``` +drivers/gpu/drm/virtio/virtgpu_kms.c +132 vgdev = drmm_kzalloc(dev, sizeof(struct virtio_gpu_device), GFP_KERNEL); +[...] +177 if (virtio_get_shm_region(vgdev->vdev, &vgdev->host_visible_region, +178 VIRTIO_GPU_SHM_ID_HOST_VISIBLE)) { +``` +Now it always fails. + +To fix, revert the offending commit. + +Fixes: 206cc44588f7 ("virtio: reject shm region if length is zero") +Signed-off-by: Igor Torrente +Message-Id: <20250807124145.81816-1-igor.torrente@collabora.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + include/linux/virtio_config.h | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/include/linux/virtio_config.h b/include/linux/virtio_config.h +index b3e1d30c765bc..169c7d367facb 100644 +--- a/include/linux/virtio_config.h ++++ b/include/linux/virtio_config.h +@@ -329,8 +329,6 @@ static inline + bool virtio_get_shm_region(struct virtio_device *vdev, + struct virtio_shm_region *region, u8 id) + { +- if (!region->len) +- return false; + if (!vdev->config->get_shm_region) + return false; + return vdev->config->get_shm_region(vdev, region, id); +-- +2.50.1 + diff --git a/queue-6.16/rtla-check-pkg-config-install.patch b/queue-6.16/rtla-check-pkg-config-install.patch new file mode 100644 index 0000000000..8d54167de5 --- /dev/null +++ b/queue-6.16/rtla-check-pkg-config-install.patch @@ -0,0 +1,56 @@ +From 0eb9e40101a89c0bb76279e1226df1de6ea21e04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 12:05:27 +0800 +Subject: rtla: Check pkg-config install + +From: Tao Chen + +[ Upstream commit 7b128f1d53dcaa324d4aa05d821a6bf4a7b203e7 ] + +The tool pkg-config used to check libtraceevent and libtracefs, if not +installed, it will report the libs not found, even though they have +already been installed. + +Before: +libtraceevent is missing. Please install libtraceevent-dev/libtraceevent-devel +libtracefs is missing. Please install libtracefs-dev/libtracefs-devel + +After: +Makefile.config:10: *** Error: pkg-config needed by libtraceevent/libtracefs is missing +on this system, please install it. + +Link: https://lore.kernel.org/20250808040527.2036023-2-chen.dylane@linux.dev +Fixes: 01474dc706ca ("tools/rtla: Use tools/build makefiles to build rtla") +Signed-off-by: Tao Chen +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + tools/tracing/rtla/Makefile.config | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/tracing/rtla/Makefile.config b/tools/tracing/rtla/Makefile.config +index 5f2231d8d6266..07ff5e8f3006e 100644 +--- a/tools/tracing/rtla/Makefile.config ++++ b/tools/tracing/rtla/Makefile.config +@@ -1,10 +1,18 @@ + # SPDX-License-Identifier: GPL-2.0-only + ++include $(srctree)/tools/scripts/utilities.mak ++ + STOP_ERROR := + + LIBTRACEEVENT_MIN_VERSION = 1.5 + LIBTRACEFS_MIN_VERSION = 1.6 + ++ifndef ($(NO_LIBTRACEEVENT),1) ++ ifeq ($(call get-executable,$(PKG_CONFIG)),) ++ $(error Error: $(PKG_CONFIG) needed by libtraceevent/libtracefs is missing on this system, please install it) ++ endif ++endif ++ + define lib_setup + $(eval LIB_INCLUDES += $(shell sh -c "$(PKG_CONFIG) --cflags lib$(1)")) + $(eval LDFLAGS += $(shell sh -c "$(PKG_CONFIG) --libs-only-L lib$(1)")) +-- +2.50.1 + diff --git a/queue-6.16/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch b/queue-6.16/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch new file mode 100644 index 0000000000..11fae123c9 --- /dev/null +++ b/queue-6.16/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch @@ -0,0 +1,49 @@ +From 981de2d5bfa33ea7631bd63d4527a60f1990e35c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 13:17:00 +0900 +Subject: scsi: core: sysfs: Correct sysfs attributes access rights + +From: Damien Le Moal + +[ Upstream commit a2f54ff15c3bdc0132e20aae041607e2320dbd73 ] + +The SCSI sysfs attributes "supported_mode" and "active_mode" do not +define a store method and thus cannot be modified. Correct the +DEVICE_ATTR() call for these two attributes to not include S_IWUSR to +allow write access as they are read-only. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250728041700.76660-1-dlemoal@kernel.org +Reviewed-by: John Garry +Reviewed-by: Johannes Thumshin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index d772258e29ad2..e6464b9989609 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -265,7 +265,7 @@ show_shost_supported_mode(struct device *dev, struct device_attribute *attr, + return show_shost_mode(supported_mode, buf); + } + +-static DEVICE_ATTR(supported_mode, S_IRUGO | S_IWUSR, show_shost_supported_mode, NULL); ++static DEVICE_ATTR(supported_mode, S_IRUGO, show_shost_supported_mode, NULL); + + static ssize_t + show_shost_active_mode(struct device *dev, +@@ -279,7 +279,7 @@ show_shost_active_mode(struct device *dev, + return show_shost_mode(shost->active_mode, buf); + } + +-static DEVICE_ATTR(active_mode, S_IRUGO | S_IWUSR, show_shost_active_mode, NULL); ++static DEVICE_ATTR(active_mode, S_IRUGO, show_shost_active_mode, NULL); + + static int check_reset_type(const char *str) + { +-- +2.50.1 + diff --git a/queue-6.16/series b/queue-6.16/series new file mode 100644 index 0000000000..d6a2d767ce --- /dev/null +++ b/queue-6.16/series @@ -0,0 +1,25 @@ +perf-avoid-undefined-behavior-from-stopping-starting.patch +tools-latency-collector-check-pkg-config-install.patch +rtla-check-pkg-config-install.patch +trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch +of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch +of-reserved_mem-add-missing-ioresource_mem-flag-on-r.patch +pinctrl-stmfx-add-missing-has_iomem-dependency.patch +pinctrl-airoha-fix-return-value-in-pinconf-callbacks.patch +mips-dts-lantiq-danube-add-missing-burst-length-prop.patch +mips-lantiq-xway-sysctrl-rename-the-etop-node.patch +of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch +fgraph-copy-args-in-intermediate-storage-with-entry.patch +ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch +perf-symbol-minimal-fix-ehdr-reading-in-filename__re.patch +revert-virtio-reject-shm-region-if-length-is-zero.patch +vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch +scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch +smb-client-fix-race-with-concurrent-opens-in-unlink-.patch +smb-client-fix-race-with-concurrent-opens-in-rename-.patch +asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch +asoc-rt721-fix-fu33-boost-volume-control-not-working.patch +asoc-rt1320-fix-random-cycle-mute-issue.patch +erofs-fallback-to-normal-access-if-dax-is-not-suppor.patch +erofs-fix-atomic-context-detection-when-config_debug.patch +io_uring-io-wq-add-check-free-worker-before-create-n.patch diff --git a/queue-6.16/smb-client-fix-race-with-concurrent-opens-in-rename-.patch b/queue-6.16/smb-client-fix-race-with-concurrent-opens-in-rename-.patch new file mode 100644 index 0000000000..7efbf9c339 --- /dev/null +++ b/queue-6.16/smb-client-fix-race-with-concurrent-opens-in-rename-.patch @@ -0,0 +1,87 @@ +From f05829a1e76c1737f9ca8af7550dc1d49ea134f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 11:43:29 -0300 +Subject: smb: client: fix race with concurrent opens in rename(2) + +From: Paulo Alcantara + +[ Upstream commit d84291fc7453df7881a970716f8256273aca5747 ] + +Besides sending the rename request to the server, the rename process +also involves closing any deferred close, waiting for outstanding I/O +to complete as well as marking all existing open handles as deleted to +prevent them from deferring closes, which increases the race window +for potential concurrent opens on the target file. + +Fix this by unhashing the dentry in advance to prevent any concurrent +opens on the target. + +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Al Viro +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index cf9060f0fc08e..fe453a4b3dc83 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -2474,6 +2474,7 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + struct cifs_sb_info *cifs_sb; + struct tcon_link *tlink; + struct cifs_tcon *tcon; ++ bool rehash = false; + unsigned int xid; + int rc, tmprc; + int retry_count = 0; +@@ -2489,6 +2490,17 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + if (unlikely(cifs_forced_shutdown(cifs_sb))) + return -EIO; + ++ /* ++ * Prevent any concurrent opens on the target by unhashing the dentry. ++ * VFS already unhashes the target when renaming directories. ++ */ ++ if (d_is_positive(target_dentry) && !d_is_dir(target_dentry)) { ++ if (!d_unhashed(target_dentry)) { ++ d_drop(target_dentry); ++ rehash = true; ++ } ++ } ++ + tlink = cifs_sb_tlink(cifs_sb); + if (IS_ERR(tlink)) + return PTR_ERR(tlink); +@@ -2530,6 +2542,8 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + } + } + ++ if (!rc) ++ rehash = false; + /* + * No-replace is the natural behavior for CIFS, so skip unlink hacks. + */ +@@ -2588,12 +2602,16 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + goto cifs_rename_exit; + rc = cifs_do_rename(xid, source_dentry, from_name, + target_dentry, to_name); ++ if (!rc) ++ rehash = false; + } + + /* force revalidate to go get info when needed */ + CIFS_I(source_dir)->time = CIFS_I(target_dir)->time = 0; + + cifs_rename_exit: ++ if (rehash) ++ d_rehash(target_dentry); + kfree(info_buf_source); + free_dentry_path(page2); + free_dentry_path(page1); +-- +2.50.1 + diff --git a/queue-6.16/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch b/queue-6.16/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch new file mode 100644 index 0000000000..b814126729 --- /dev/null +++ b/queue-6.16/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch @@ -0,0 +1,86 @@ +From 90049662570b1a5acbf28bc6cdcd9e3e25943b6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 12:20:17 -0300 +Subject: smb: client: fix race with concurrent opens in unlink(2) + +From: Paulo Alcantara + +[ Upstream commit 0af1561b2d60bab2a2b00720a5c7b292ecc549ec ] + +According to some logs reported by customers, CIFS client might end up +reporting unlinked files as existing in stat(2) due to concurrent +opens racing with unlink(2). + +Besides sending the removal request to the server, the unlink process +could involve closing any deferred close as well as marking all +existing open handles as deleted to prevent them from deferring +closes, which increases the race window for potential concurrent +opens. + +Fix this by unhashing the dentry in cifs_unlink() to prevent any +subsequent opens. Any open attempts, while we're still unlinking, +will block on parent's i_rwsem. + +Reported-by: Jay Shin +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Al Viro +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index 75be4b46bc6f1..cf9060f0fc08e 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1943,15 +1943,24 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + struct cifs_sb_info *cifs_sb = CIFS_SB(sb); + struct tcon_link *tlink; + struct cifs_tcon *tcon; ++ __u32 dosattr = 0, origattr = 0; + struct TCP_Server_Info *server; + struct iattr *attrs = NULL; +- __u32 dosattr = 0, origattr = 0; ++ bool rehash = false; + + cifs_dbg(FYI, "cifs_unlink, dir=0x%p, dentry=0x%p\n", dir, dentry); + + if (unlikely(cifs_forced_shutdown(cifs_sb))) + return -EIO; + ++ /* Unhash dentry in advance to prevent any concurrent opens */ ++ spin_lock(&dentry->d_lock); ++ if (!d_unhashed(dentry)) { ++ __d_drop(dentry); ++ rehash = true; ++ } ++ spin_unlock(&dentry->d_lock); ++ + tlink = cifs_sb_tlink(cifs_sb); + if (IS_ERR(tlink)) + return PTR_ERR(tlink); +@@ -2003,7 +2012,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + cifs_drop_nlink(inode); + } + } else if (rc == -ENOENT) { +- d_drop(dentry); ++ if (simple_positive(dentry)) ++ d_delete(dentry); + } else if (rc == -EBUSY) { + if (server->ops->rename_pending_delete) { + rc = server->ops->rename_pending_delete(full_path, +@@ -2056,6 +2066,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + kfree(attrs); + free_xid(xid); + cifs_put_tlink(tlink); ++ if (rehash) ++ d_rehash(dentry); + return rc; + } + +-- +2.50.1 + diff --git a/queue-6.16/tools-latency-collector-check-pkg-config-install.patch b/queue-6.16/tools-latency-collector-check-pkg-config-install.patch new file mode 100644 index 0000000000..1f1bed9c0d --- /dev/null +++ b/queue-6.16/tools-latency-collector-check-pkg-config-install.patch @@ -0,0 +1,53 @@ +From be4cadd08ac0c9e56a41e637277c1f0eb5bb69cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 12:05:26 +0800 +Subject: tools/latency-collector: Check pkg-config install + +From: Tao Chen + +[ Upstream commit 26ebba25e210116053609f4c7ee701bffa7ebd7d ] + +The tool pkg-config used to check libtraceevent and libtracefs, if not +installed, it will report the libs not found, even though they have +already been installed. + +Before: +libtraceevent is missing. Please install libtraceevent-dev/libtraceevent-devel +libtracefs is missing. Please install libtracefs-dev/libtracefs-devel + +After: +Makefile.config:10: *** Error: pkg-config needed by libtraceevent/libtracefs is missing +on this system, please install it. + +Link: https://lore.kernel.org/20250808040527.2036023-1-chen.dylane@linux.dev +Fixes: 9d56c88e5225 ("tools/tracing: Use tools/build makefiles on latency-collector") +Signed-off-by: Tao Chen +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + tools/tracing/latency/Makefile.config | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/tracing/latency/Makefile.config b/tools/tracing/latency/Makefile.config +index 0fe6b50f029bf..6efa13e3ca93f 100644 +--- a/tools/tracing/latency/Makefile.config ++++ b/tools/tracing/latency/Makefile.config +@@ -1,7 +1,15 @@ + # SPDX-License-Identifier: GPL-2.0-only + ++include $(srctree)/tools/scripts/utilities.mak ++ + STOP_ERROR := + ++ifndef ($(NO_LIBTRACEEVENT),1) ++ ifeq ($(call get-executable,$(PKG_CONFIG)),) ++ $(error Error: $(PKG_CONFIG) needed by libtraceevent/libtracefs is missing on this system, please install it) ++ endif ++endif ++ + define lib_setup + $(eval LIB_INCLUDES += $(shell sh -c "$(PKG_CONFIG) --cflags lib$(1)")) + $(eval LDFLAGS += $(shell sh -c "$(PKG_CONFIG) --libs-only-L lib$(1)")) +-- +2.50.1 + diff --git a/queue-6.16/trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch b/queue-6.16/trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch new file mode 100644 index 0000000000..6b99b4355b --- /dev/null +++ b/queue-6.16/trace-fgraph-fix-the-warning-caused-by-missing-unreg.patch @@ -0,0 +1,58 @@ +From a34a162c3196c258c98508d084d16e75df17019e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 07:33:32 +0000 +Subject: trace/fgraph: Fix the warning caused by missing unregister notifier + +From: Ye Weihua + +[ Upstream commit edede7a6dcd7435395cf757d053974aaab6ab1c2 ] + +This warning was triggered during testing on v6.16: + +notifier callback ftrace_suspend_notifier_call already registered +WARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0 +... +Call Trace: + + blocking_notifier_chain_register+0x34/0x60 + register_ftrace_graph+0x330/0x410 + ftrace_profile_write+0x1e9/0x340 + vfs_write+0xf8/0x420 + ? filp_flush+0x8a/0xa0 + ? filp_close+0x1f/0x30 + ? do_dup2+0xaf/0x160 + ksys_write+0x65/0xe0 + do_syscall_64+0xa4/0x260 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When writing to the function_profile_enabled interface, the notifier was +not unregistered after start_graph_tracing failed, causing a warning the +next time function_profile_enabled was written. + +Fixed by adding unregister_pm_notifier in the exception path. + +Link: https://lore.kernel.org/20250818073332.3890629-1-yeweihua4@huawei.com +Fixes: 4a2b8dda3f870 ("tracing/function-graph-tracer: fix a regression while suspend to disk") +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Ye Weihua +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/fgraph.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/trace/fgraph.c b/kernel/trace/fgraph.c +index c5b207992fb49..dac2d58f39490 100644 +--- a/kernel/trace/fgraph.c ++++ b/kernel/trace/fgraph.c +@@ -1393,6 +1393,7 @@ int register_ftrace_graph(struct fgraph_ops *gops) + ftrace_graph_active--; + gops->saved_func = NULL; + fgraph_lru_release_index(i); ++ unregister_pm_notifier(&ftrace_suspend_notifier); + } + return ret; + } +-- +2.50.1 + diff --git a/queue-6.16/vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch b/queue-6.16/vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch new file mode 100644 index 0000000000..8ea2094c5c --- /dev/null +++ b/queue-6.16/vhost-fix-ioctl-for-vhost_-gs-et_fork_from_owner.patch @@ -0,0 +1,57 @@ +From 7363ac91519c8a279ae87d0e2317108098ee660a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 23:39:57 -0700 +Subject: vhost: Fix ioctl # for VHOST_[GS]ET_FORK_FROM_OWNER +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Namhyung Kim + +[ Upstream commit 24fc631539cc78225f5c61f99c7666fcff48024d ] + +The VHOST_[GS]ET_FEATURES_ARRAY ioctl already took 0x83 and it would +result in a build error when the vhost uapi header is used for perf tool +build like below. + + In file included from trace/beauty/ioctl.c:93: + tools/perf/trace/beauty/generated/ioctl/vhost_virtio_ioctl_array.c: In function ‘ioctl__scnprintf_vhost_virtio_cmd’: + tools/perf/trace/beauty/generated/ioctl/vhost_virtio_ioctl_array.c:36:18: error: initialized field overwritten [-Werror=override-init] + 36 | [0x83] = "SET_FORK_FROM_OWNER", + | ^~~~~~~~~~~~~~~~~~~~~ + tools/perf/trace/beauty/generated/ioctl/vhost_virtio_ioctl_array.c:36:18: note: (near initialization for ‘vhost_virtio_ioctl_cmds[131]’) + +Fixes: 7d9896e9f6d02d8a ("vhost: Reintroduce kthread API and add mode selection") +Signed-off-by: Namhyung Kim +Message-Id: <20250819063958.833770-1-namhyung@kernel.org> +Signed-off-by: Michael S. Tsirkin +Tested-by: Lei Yang +Signed-off-by: Sasha Levin +--- + include/uapi/linux/vhost.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/vhost.h b/include/uapi/linux/vhost.h +index e72f2655459e4..d284a35d8104b 100644 +--- a/include/uapi/linux/vhost.h ++++ b/include/uapi/linux/vhost.h +@@ -254,7 +254,7 @@ + * When fork_owner is set to VHOST_FORK_OWNER_KTHREAD: + * - Vhost will create vhost workers as kernel threads. + */ +-#define VHOST_SET_FORK_FROM_OWNER _IOW(VHOST_VIRTIO, 0x83, __u8) ++#define VHOST_SET_FORK_FROM_OWNER _IOW(VHOST_VIRTIO, 0x84, __u8) + + /** + * VHOST_GET_FORK_OWNER - Get the current fork_owner flag for the vhost device. +@@ -262,6 +262,6 @@ + * + * @return: An 8-bit value indicating the current thread mode. + */ +-#define VHOST_GET_FORK_FROM_OWNER _IOR(VHOST_VIRTIO, 0x84, __u8) ++#define VHOST_GET_FORK_FROM_OWNER _IOR(VHOST_VIRTIO, 0x85, __u8) + + #endif +-- +2.50.1 + diff --git a/queue-6.6/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch b/queue-6.6/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch new file mode 100644 index 0000000000..8a8265876c --- /dev/null +++ b/queue-6.6/asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch @@ -0,0 +1,39 @@ +From a4340741a09e3a22b293fe87bb91f00ddc15086e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Aug 2025 15:00:30 +0100 +Subject: ASoC: codecs: tx-macro: correct tx_macro_component_drv name + +From: Alexey Klimov + +[ Upstream commit 43e0da37d5cfb23eec6aeee9422f84d86621ce2b ] + +We already have a component driver named "RX-MACRO", which is +lpass-rx-macro.c. The tx macro component driver's name should +be "TX-MACRO" accordingly. Fix it. + +Cc: Srinivas Kandagatla +Signed-off-by: Alexey Klimov +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20250806140030.691477-1-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-tx-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index ebddfa74ce0a0..150ed10c8377a 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -1940,7 +1940,7 @@ static int tx_macro_register_mclk_output(struct tx_macro *tx) + } + + static const struct snd_soc_component_driver tx_macro_component_drv = { +- .name = "RX-MACRO", ++ .name = "TX-MACRO", + .probe = tx_macro_component_probe, + .controls = tx_macro_snd_controls, + .num_controls = ARRAY_SIZE(tx_macro_snd_controls), +-- +2.50.1 + diff --git a/queue-6.6/erofs-fix-atomic-context-detection-when-config_debug.patch b/queue-6.6/erofs-fix-atomic-context-detection-when-config_debug.patch new file mode 100644 index 0000000000..d799056aeb --- /dev/null +++ b/queue-6.6/erofs-fix-atomic-context-detection-when-config_debug.patch @@ -0,0 +1,128 @@ +From 89c2b0aa2a096baff5f99d95b8debcffa1907681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Aug 2025 09:19:58 +0800 +Subject: erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC + +From: Junli Liu + +[ Upstream commit c99fab6e80b76422741d34aafc2f930a482afbdd ] + +Since EROFS handles decompression in non-atomic contexts due to +uncontrollable decompression latencies and vmap() usage, it tries +to detect atomic contexts and only kicks off a kworker on demand +in order to reduce unnecessary scheduling overhead. + +However, the current approach is insufficient and can lead to +sleeping function calls in invalid contexts, causing kernel +warnings and potential system instability. See the stacktrace [1] +and previous discussion [2]. + +The current implementation only checks rcu_read_lock_any_held(), +which behaves inconsistently across different kernel configurations: + +- When CONFIG_DEBUG_LOCK_ALLOC is enabled: correctly detects + RCU critical sections by checking rcu_lock_map +- When CONFIG_DEBUG_LOCK_ALLOC is disabled: compiles to + "!preemptible()", which only checks preempt_count and misses + RCU critical sections + +This patch introduces z_erofs_in_atomic() to provide comprehensive +atomic context detection: + +1. Check RCU preemption depth when CONFIG_PREEMPTION is enabled, + as RCU critical sections may not affect preempt_count but still + require atomic handling + +2. Always use async processing when CONFIG_PREEMPT_COUNT is disabled, + as preemption state cannot be reliably determined + +3. Fall back to standard preemptible() check for remaining cases + +The function replaces the previous complex condition check and ensures +that z_erofs always uses (kthread_)work in atomic contexts to minimize +scheduling overhead and prevent sleeping in invalid contexts. + +[1] Problem stacktrace +[ 61.266692] BUG: sleeping function called from invalid context at kernel/locking/rtmutex_api.c:510 +[ 61.266702] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 107, name: irq/54-ufshcd +[ 61.266704] preempt_count: 0, expected: 0 +[ 61.266705] RCU nest depth: 2, expected: 0 +[ 61.266710] CPU: 0 UID: 0 PID: 107 Comm: irq/54-ufshcd Tainted: G W O 6.12.17 #1 +[ 61.266714] Tainted: [W]=WARN, [O]=OOT_MODULE +[ 61.266715] Hardware name: schumacher (DT) +[ 61.266717] Call trace: +[ 61.266718] dump_backtrace+0x9c/0x100 +[ 61.266727] show_stack+0x20/0x38 +[ 61.266728] dump_stack_lvl+0x78/0x90 +[ 61.266734] dump_stack+0x18/0x28 +[ 61.266736] __might_resched+0x11c/0x180 +[ 61.266743] __might_sleep+0x64/0xc8 +[ 61.266745] mutex_lock+0x2c/0xc0 +[ 61.266748] z_erofs_decompress_queue+0xe8/0x978 +[ 61.266753] z_erofs_decompress_kickoff+0xa8/0x190 +[ 61.266756] z_erofs_endio+0x168/0x288 +[ 61.266758] bio_endio+0x160/0x218 +[ 61.266762] blk_update_request+0x244/0x458 +[ 61.266766] scsi_end_request+0x38/0x278 +[ 61.266770] scsi_io_completion+0x4c/0x600 +[ 61.266772] scsi_finish_command+0xc8/0xe8 +[ 61.266775] scsi_complete+0x88/0x148 +[ 61.266777] blk_mq_complete_request+0x3c/0x58 +[ 61.266780] scsi_done_internal+0xcc/0x158 +[ 61.266782] scsi_done+0x1c/0x30 +[ 61.266783] ufshcd_compl_one_cqe+0x12c/0x438 +[ 61.266786] __ufshcd_transfer_req_compl+0x2c/0x78 +[ 61.266788] ufshcd_poll+0xf4/0x210 +[ 61.266789] ufshcd_transfer_req_compl+0x50/0x88 +[ 61.266791] ufshcd_intr+0x21c/0x7c8 +[ 61.266792] irq_forced_thread_fn+0x44/0xd8 +[ 61.266796] irq_thread+0x1a4/0x358 +[ 61.266799] kthread+0x12c/0x138 +[ 61.266802] ret_from_fork+0x10/0x20 + +[2] https://lore.kernel.org/r/58b661d0-0ebb-4b45-a10d-c5927fb791cd@paulmck-laptop + +Signed-off-by: Junli Liu +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20250805011957.911186-1-liujunli@lixiang.com +[ Gao Xiang: Use the original trace in v1. ] +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index d852b43ac43e3..c1f802ecc47b2 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -1401,6 +1401,16 @@ static void z_erofs_decompressqueue_kthread_work(struct kthread_work *work) + } + #endif + ++/* Use (kthread_)work in atomic contexts to minimize scheduling overhead */ ++static inline bool z_erofs_in_atomic(void) ++{ ++ if (IS_ENABLED(CONFIG_PREEMPTION) && rcu_preempt_depth()) ++ return true; ++ if (!IS_ENABLED(CONFIG_PREEMPT_COUNT)) ++ return true; ++ return !preemptible(); ++} ++ + static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + int bios) + { +@@ -1415,8 +1425,7 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + + if (atomic_add_return(bios, &io->pending_bios)) + return; +- /* Use (kthread_)work and sync decompression for atomic contexts only */ +- if (!in_task() || irqs_disabled() || rcu_read_lock_any_held()) { ++ if (z_erofs_in_atomic()) { + #ifdef CONFIG_EROFS_FS_PCPU_KTHREAD + struct kthread_worker *worker; + +-- +2.50.1 + diff --git a/queue-6.6/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch b/queue-6.6/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch new file mode 100644 index 0000000000..82c47eb7ae --- /dev/null +++ b/queue-6.6/ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch @@ -0,0 +1,74 @@ +From 7c2018b6f96a1fd49080fd14429ca1491da4e5cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 03:33:43 +0000 +Subject: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump + +From: Tengda Wu + +[ Upstream commit 4013aef2ced9b756a410f50d12df9ebe6a883e4a ] + +When calling ftrace_dump_one() concurrently with reading trace_pipe, +a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race +condition. + +The issue occurs because: + +CPU0 (ftrace_dump) CPU1 (reader) +echo z > /proc/sysrq-trigger + +!trace_empty(&iter) +trace_iterator_reset(&iter) <- len = size = 0 + cat /sys/kernel/tracing/trace_pipe +trace_find_next_entry_inc(&iter) + __find_next_entry + ring_buffer_empty_cpu <- all empty + return NULL + +trace_printk_seq(&iter.seq) + WARN_ON_ONCE(s->seq.len >= s->seq.size) + +In the context between trace_empty() and trace_find_next_entry_inc() +during ftrace_dump, the ring buffer data was consumed by other readers. +This caused trace_find_next_entry_inc to return NULL, failing to populate +`iter.seq`. At this point, due to the prior trace_iterator_reset, both +`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, +the WARN_ON_ONCE condition is triggered. + +Move the trace_printk_seq() into the if block that checks to make sure the +return value of trace_find_next_entry_inc() is non-NULL in +ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before +subsequent operations. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Link: https://lore.kernel.org/20250822033343.3000289-1-wutengda@huaweicloud.com +Fixes: d769041f8653 ("ring_buffer: implement new locking") +Signed-off-by: Tengda Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 907e45361939b..a32c8637503d1 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -10162,10 +10162,10 @@ void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) + ret = print_trace_line(&iter); + if (ret != TRACE_TYPE_NO_CONSUME) + trace_consume(&iter); ++ ++ trace_printk_seq(&iter.seq); + } + touch_nmi_watchdog(); +- +- trace_printk_seq(&iter.seq); + } + + if (!cnt) +-- +2.50.1 + diff --git a/queue-6.6/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch b/queue-6.6/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch new file mode 100644 index 0000000000..32f51d8b6c --- /dev/null +++ b/queue-6.6/mips-dts-lantiq-danube-add-missing-burst-length-prop.patch @@ -0,0 +1,45 @@ +From eab1654e428998e6a503002dc79201e9d67230da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Aug 2025 14:49:06 +0200 +Subject: mips: dts: lantiq: danube: add missing burst length property + +From: Aleksander Jan Bajkowski + +[ Upstream commit 7b28232921782aa38048249132899c337405eaa8 ] + +The upstream dts lacks the lantiq,{rx/tx}-burst-length property. Other +issues were also fixed: +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'interrupt-names' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'lantiq,tx-burst-length' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): 'lantiq,rx-burst-length' is a required property + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# + +Fixes: 14d4e308e0aa ("net: lantiq: configure the burst length in ethernet drivers") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/boot/dts/lantiq/danube_easy50712.dts b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +index 1ce20b7d05cb8..d8b3cd69eda3c 100644 +--- a/arch/mips/boot/dts/lantiq/danube_easy50712.dts ++++ b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +@@ -87,8 +87,11 @@ etop@e180000 { + reg = <0xe180000 0x40000>; + interrupt-parent = <&icu0>; + interrupts = <73 78>; ++ interrupt-names = "tx", "rx"; + phy-mode = "rmii"; + mac-address = [ 00 11 22 33 44 55 ]; ++ lantiq,rx-burst-length = <4>; ++ lantiq,tx-burst-length = <4>; + }; + + stp0: stp@e100bb0 { +-- +2.50.1 + diff --git a/queue-6.6/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch b/queue-6.6/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch new file mode 100644 index 0000000000..157b09a5fe --- /dev/null +++ b/queue-6.6/mips-lantiq-xway-sysctrl-rename-the-etop-node.patch @@ -0,0 +1,79 @@ +From 09c110c37d801f93302e04172b15561be8cba6fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Aug 2025 14:49:07 +0200 +Subject: mips: lantiq: xway: sysctrl: rename the etop node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksander Jan Bajkowski + +[ Upstream commit 8c431ea8f3f795c4b9cfa57a85bc4166b9cce0ac ] + +Bindig requires a node name matching ‘^ethernet@[0-9a-f]+$’. This patch +changes the clock name from “etop” to “ethernet”. + +This fixes the following warning: +arch/mips/boot/dts/lantiq/danube_easy50712.dtb: etop@e180000 (lantiq,etop-xway): $nodename:0: 'etop@e180000' does not match '^ethernet@[0-9a-f]+$' + from schema $id: http://devicetree.org/schemas/net/lantiq,etop-xway.yaml# + +Fixes: dac0bad93741 ("dt-bindings: net: lantiq,etop-xway: Document Lantiq Xway ETOP bindings") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 2 +- + arch/mips/lantiq/xway/sysctrl.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/mips/boot/dts/lantiq/danube_easy50712.dts b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +index d8b3cd69eda3c..c4d7aa5753b04 100644 +--- a/arch/mips/boot/dts/lantiq/danube_easy50712.dts ++++ b/arch/mips/boot/dts/lantiq/danube_easy50712.dts +@@ -82,7 +82,7 @@ conf_out { + }; + }; + +- etop@e180000 { ++ ethernet@e180000 { + compatible = "lantiq,etop-xway"; + reg = <0xe180000 0x40000>; + interrupt-parent = <&icu0>; +diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c +index 3ed0782252229..4c72b59fdf98c 100644 +--- a/arch/mips/lantiq/xway/sysctrl.c ++++ b/arch/mips/lantiq/xway/sysctrl.c +@@ -478,7 +478,7 @@ void __init ltq_soc_init(void) + ifccr = CGU_IFCCR_VR9; + pcicr = CGU_PCICR_VR9; + } else { +- clkdev_add_pmu("1e180000.etop", NULL, 1, 0, PMU_PPE); ++ clkdev_add_pmu("1e180000.ethernet", NULL, 1, 0, PMU_PPE); + } + + if (!of_machine_is_compatible("lantiq,ase")) +@@ -512,9 +512,9 @@ void __init ltq_soc_init(void) + CLOCK_133M, CLOCK_133M); + clkdev_add_pmu("1e101000.usb", "otg", 1, 0, PMU_USB0); + clkdev_add_pmu("1f203018.usb2-phy", "phy", 1, 0, PMU_USB0_P); +- clkdev_add_pmu("1e180000.etop", "ppe", 1, 0, PMU_PPE); +- clkdev_add_cgu("1e180000.etop", "ephycgu", CGU_EPHY); +- clkdev_add_pmu("1e180000.etop", "ephy", 1, 0, PMU_EPHY); ++ clkdev_add_pmu("1e180000.ethernet", "ppe", 1, 0, PMU_PPE); ++ clkdev_add_cgu("1e180000.ethernet", "ephycgu", CGU_EPHY); ++ clkdev_add_pmu("1e180000.ethernet", "ephy", 1, 0, PMU_EPHY); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_ASE_SDIO); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); + } else if (of_machine_is_compatible("lantiq,grx390")) { +@@ -573,7 +573,7 @@ void __init ltq_soc_init(void) + clkdev_add_pmu("1e101000.usb", "otg", 1, 0, PMU_USB0 | PMU_AHBM); + clkdev_add_pmu("1f203034.usb2-phy", "phy", 1, 0, PMU_USB1_P); + clkdev_add_pmu("1e106000.usb", "otg", 1, 0, PMU_USB1 | PMU_AHBM); +- clkdev_add_pmu("1e180000.etop", "switch", 1, 0, PMU_SWITCH); ++ clkdev_add_pmu("1e180000.ethernet", "switch", 1, 0, PMU_SWITCH); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_SDIO); + clkdev_add_pmu("1e103100.deu", NULL, 1, 0, PMU_DEU); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); +-- +2.50.1 + diff --git a/queue-6.6/of-add-a-helper-to-free-property-struct.patch b/queue-6.6/of-add-a-helper-to-free-property-struct.patch new file mode 100644 index 0000000000..bba87929cf --- /dev/null +++ b/queue-6.6/of-add-a-helper-to-free-property-struct.patch @@ -0,0 +1,167 @@ +From b56e1078b918e4a38576502d48d6cb5aa526fff7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 13:59:39 -0500 +Subject: of: Add a helper to free property struct + +From: Rob Herring + +[ Upstream commit 1c5e3d9bf33b811e1c6dd9081b322004acc4a1fd ] + +Freeing a property struct is 3 kfree()'s which is duplicated in multiple +spots. Add a helper, __of_prop_free(), and replace all the open coded +cases in the DT code. + +Reviewed-by: Saravana Kannan +Reviewed-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20240409-dt-cleanup-free-v2-1-5b419a4af38d@kernel.org +Signed-off-by: Rob Herring +Stable-dep-of: 80af3745ca46 ("of: dynamic: Fix use after free in of_changeset_add_prop_helper()") +Signed-off-by: Sasha Levin +--- + drivers/of/dynamic.c | 26 ++++++++++++-------------- + drivers/of/of_private.h | 1 + + drivers/of/overlay.c | 11 +++-------- + drivers/of/unittest.c | 12 +++--------- + 4 files changed, 19 insertions(+), 31 deletions(-) + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index 7f78fba502ec4..72531f44adf09 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -306,15 +306,20 @@ int of_detach_node(struct device_node *np) + } + EXPORT_SYMBOL_GPL(of_detach_node); + ++void __of_prop_free(struct property *prop) ++{ ++ kfree(prop->name); ++ kfree(prop->value); ++ kfree(prop); ++} ++ + static void property_list_free(struct property *prop_list) + { + struct property *prop, *next; + + for (prop = prop_list; prop != NULL; prop = next) { + next = prop->next; +- kfree(prop->name); +- kfree(prop->value); +- kfree(prop); ++ __of_prop_free(prop); + } + } + +@@ -427,9 +432,7 @@ struct property *__of_prop_dup(const struct property *prop, gfp_t allocflags) + return new; + + err_free: +- kfree(new->name); +- kfree(new->value); +- kfree(new); ++ __of_prop_free(new); + return NULL; + } + +@@ -471,9 +474,7 @@ struct device_node *__of_node_dup(const struct device_node *np, + if (!new_pp) + goto err_prop; + if (__of_add_property(node, new_pp)) { +- kfree(new_pp->name); +- kfree(new_pp->value); +- kfree(new_pp); ++ __of_prop_free(new_pp); + goto err_prop; + } + } +@@ -933,11 +934,8 @@ static int of_changeset_add_prop_helper(struct of_changeset *ocs, + return -ENOMEM; + + ret = of_changeset_add_property(ocs, np, new_pp); +- if (ret) { +- kfree(new_pp->name); +- kfree(new_pp->value); +- kfree(new_pp); +- } ++ if (ret) ++ __of_prop_free(new_pp); + + new_pp->next = np->deadprops; + np->deadprops = new_pp; +diff --git a/drivers/of/of_private.h b/drivers/of/of_private.h +index 21f8f5e80917d..73b55f4f84a3c 100644 +--- a/drivers/of/of_private.h ++++ b/drivers/of/of_private.h +@@ -123,6 +123,7 @@ extern void *__unflatten_device_tree(const void *blob, + * own the devtree lock or work on detached trees only. + */ + struct property *__of_prop_dup(const struct property *prop, gfp_t allocflags); ++void __of_prop_free(struct property *prop); + struct device_node *__of_node_dup(const struct device_node *np, + const char *full_name); + +diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c +index a9a292d6d59b2..dc13299586414 100644 +--- a/drivers/of/overlay.c ++++ b/drivers/of/overlay.c +@@ -262,9 +262,7 @@ static struct property *dup_and_fixup_symbol_prop( + return new_prop; + + err_free_new_prop: +- kfree(new_prop->name); +- kfree(new_prop->value); +- kfree(new_prop); ++ __of_prop_free(new_prop); + err_free_target_path: + kfree(target_path); + +@@ -361,11 +359,8 @@ static int add_changeset_property(struct overlay_changeset *ovcs, + pr_err("WARNING: memory leak will occur if overlay removed, property: %pOF/%s\n", + target->np, new_prop->name); + +- if (ret) { +- kfree(new_prop->name); +- kfree(new_prop->value); +- kfree(new_prop); +- } ++ if (ret) ++ __of_prop_free(new_prop); + return ret; + } + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 3b22c36bfb0b7..5bfec440b4fd7 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -800,15 +800,11 @@ static void __init of_unittest_property_copy(void) + + new = __of_prop_dup(&p1, GFP_KERNEL); + unittest(new && propcmp(&p1, new), "empty property didn't copy correctly\n"); +- kfree(new->value); +- kfree(new->name); +- kfree(new); ++ __of_prop_free(new); + + new = __of_prop_dup(&p2, GFP_KERNEL); + unittest(new && propcmp(&p2, new), "non-empty property didn't copy correctly\n"); +- kfree(new->value); +- kfree(new->name); +- kfree(new); ++ __of_prop_free(new); + #endif + } + +@@ -3665,9 +3661,7 @@ static __init void of_unittest_overlay_high_level(void) + goto err_unlock; + } + if (__of_add_property(of_symbols, new_prop)) { +- kfree(new_prop->name); +- kfree(new_prop->value); +- kfree(new_prop); ++ __of_prop_free(new_prop); + /* "name" auto-generated by unflatten */ + if (!strcmp(prop->name, "name")) + continue; +-- +2.50.1 + diff --git a/queue-6.6/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch b/queue-6.6/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch new file mode 100644 index 0000000000..abbcb25441 --- /dev/null +++ b/queue-6.6/of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch @@ -0,0 +1,47 @@ +From e65c2ea14a0c042ee70ab2ee540b817036ec38aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 08:22:21 -0700 +Subject: of: dynamic: Fix memleak when of_pci_add_properties() failed + +From: Lizhi Hou + +[ Upstream commit c81f6ce16785cc07ae81f53deb07b662ed0bb3a5 ] + +When of_pci_add_properties() failed, of_changeset_destroy() is called to +free the changeset. And of_changeset_destroy() puts device tree node in +each entry but does not free property in the entry. This leads to memory +leak in the failure case. + +In of_changeset_add_prop_helper(), add the property to the device tree node +deadprops list. Thus, the property will also be freed along with device +tree node. + +Fixes: b544fc2b8606 ("of: dynamic: Add interfaces for creating device node dynamically") +Reported-by: Lorenzo Pieralisi +Closes: https://lore.kernel.org/all/aJms+YT8TnpzpCY8@lpieralisi/ +Tested-by: Lorenzo Pieralisi +Signed-off-by: Lizhi Hou +Link: https://lore.kernel.org/r/20250818152221.3685724-1-lizhi.hou@amd.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/dynamic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index 4d57a4e341054..7f78fba502ec4 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -939,6 +939,9 @@ static int of_changeset_add_prop_helper(struct of_changeset *ocs, + kfree(new_pp); + } + ++ new_pp->next = np->deadprops; ++ np->deadprops = new_pp; ++ + return ret; + } + +-- +2.50.1 + diff --git a/queue-6.6/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch b/queue-6.6/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch new file mode 100644 index 0000000000..de1a27a9f4 --- /dev/null +++ b/queue-6.6/of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch @@ -0,0 +1,47 @@ +From b09dfa5c17a0662497d5178e8df58161a2fae720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 11:08:46 +0300 +Subject: of: dynamic: Fix use after free in of_changeset_add_prop_helper() + +From: Dan Carpenter + +[ Upstream commit 80af3745ca465c6c47e833c1902004a7fa944f37 ] + +If the of_changeset_add_property() function call fails, then this code +frees "new_pp" and then dereference it on the next line. Return the +error code directly instead. + +Fixes: c81f6ce16785 ("of: dynamic: Fix memleak when of_pci_add_properties() failed") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/aKgljjhnpa4lVpdx@stanley.mountain +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/dynamic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c +index 72531f44adf09..18393800546c1 100644 +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -934,13 +934,15 @@ static int of_changeset_add_prop_helper(struct of_changeset *ocs, + return -ENOMEM; + + ret = of_changeset_add_property(ocs, np, new_pp); +- if (ret) ++ if (ret) { + __of_prop_free(new_pp); ++ return ret; ++ } + + new_pp->next = np->deadprops; + np->deadprops = new_pp; + +- return ret; ++ return 0; + } + + /** +-- +2.50.1 + diff --git a/queue-6.6/pinctrl-stmfx-add-missing-has_iomem-dependency.patch b/queue-6.6/pinctrl-stmfx-add-missing-has_iomem-dependency.patch new file mode 100644 index 0000000000..d159009247 --- /dev/null +++ b/queue-6.6/pinctrl-stmfx-add-missing-has_iomem-dependency.patch @@ -0,0 +1,44 @@ +From 857845cef2534f8c168501bf0cab1780d80af4fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 19:27:21 -0700 +Subject: pinctrl: STMFX: add missing HAS_IOMEM dependency + +From: Randy Dunlap + +[ Upstream commit a12946bef0407cf2db0899c83d42c47c00af3fbc ] + +When building on ARCH=um (which does not set HAS_IOMEM), kconfig +reports an unmet dependency caused by PINCTRL_STMFX. It selects +MFD_STMFX, which depends on HAS_IOMEM. To stop this warning, +PINCTRL_STMFX should also depend on HAS_IOMEM. + +kconfig warning: +WARNING: unmet direct dependencies detected for MFD_STMFX + Depends on [n]: HAS_IOMEM [=n] && I2C [=y] && OF [=y] + Selected by [y]: + - PINCTRL_STMFX [=y] && PINCTRL [=y] && I2C [=y] && OF_GPIO [=y] + +Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver") +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/20250815022721.1650885-1-rdunlap@infradead.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/Kconfig b/drivers/pinctrl/Kconfig +index 7dfb7190580ef..ab3908a923e3a 100644 +--- a/drivers/pinctrl/Kconfig ++++ b/drivers/pinctrl/Kconfig +@@ -438,6 +438,7 @@ config PINCTRL_STMFX + tristate "STMicroelectronics STMFX GPIO expander pinctrl driver" + depends on I2C + depends on OF_GPIO ++ depends on HAS_IOMEM + select GENERIC_PINCONF + select GPIOLIB_IRQCHIP + select MFD_STMFX +-- +2.50.1 + diff --git a/queue-6.6/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch b/queue-6.6/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch new file mode 100644 index 0000000000..071d448f9c --- /dev/null +++ b/queue-6.6/scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch @@ -0,0 +1,49 @@ +From 434fa9c00d2ea31ebd7615bc75932aab07c0ae60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 13:17:00 +0900 +Subject: scsi: core: sysfs: Correct sysfs attributes access rights + +From: Damien Le Moal + +[ Upstream commit a2f54ff15c3bdc0132e20aae041607e2320dbd73 ] + +The SCSI sysfs attributes "supported_mode" and "active_mode" do not +define a store method and thus cannot be modified. Correct the +DEVICE_ATTR() call for these two attributes to not include S_IWUSR to +allow write access as they are read-only. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250728041700.76660-1-dlemoal@kernel.org +Reviewed-by: John Garry +Reviewed-by: Johannes Thumshin +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index 24f6eefb68030..df37ac81620e6 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -265,7 +265,7 @@ show_shost_supported_mode(struct device *dev, struct device_attribute *attr, + return show_shost_mode(supported_mode, buf); + } + +-static DEVICE_ATTR(supported_mode, S_IRUGO | S_IWUSR, show_shost_supported_mode, NULL); ++static DEVICE_ATTR(supported_mode, S_IRUGO, show_shost_supported_mode, NULL); + + static ssize_t + show_shost_active_mode(struct device *dev, +@@ -279,7 +279,7 @@ show_shost_active_mode(struct device *dev, + return show_shost_mode(shost->active_mode, buf); + } + +-static DEVICE_ATTR(active_mode, S_IRUGO | S_IWUSR, show_shost_active_mode, NULL); ++static DEVICE_ATTR(active_mode, S_IRUGO, show_shost_active_mode, NULL); + + static int check_reset_type(const char *str) + { +-- +2.50.1 + diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 0000000000..c7c38c3096 --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,12 @@ +of-dynamic-fix-memleak-when-of_pci_add_properties-fa.patch +pinctrl-stmfx-add-missing-has_iomem-dependency.patch +mips-dts-lantiq-danube-add-missing-burst-length-prop.patch +mips-lantiq-xway-sysctrl-rename-the-etop-node.patch +of-add-a-helper-to-free-property-struct.patch +of-dynamic-fix-use-after-free-in-of_changeset_add_pr.patch +ftrace-fix-potential-warning-in-trace_printk_seq-dur.patch +scsi-core-sysfs-correct-sysfs-attributes-access-righ.patch +smb-client-fix-race-with-concurrent-opens-in-unlink-.patch +smb-client-fix-race-with-concurrent-opens-in-rename-.patch +asoc-codecs-tx-macro-correct-tx_macro_component_drv-.patch +erofs-fix-atomic-context-detection-when-config_debug.patch diff --git a/queue-6.6/smb-client-fix-race-with-concurrent-opens-in-rename-.patch b/queue-6.6/smb-client-fix-race-with-concurrent-opens-in-rename-.patch new file mode 100644 index 0000000000..a7b6bf9160 --- /dev/null +++ b/queue-6.6/smb-client-fix-race-with-concurrent-opens-in-rename-.patch @@ -0,0 +1,87 @@ +From 6cf1c86b8ad23c0ccc4bfe40328a638c2eed9648 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 11:43:29 -0300 +Subject: smb: client: fix race with concurrent opens in rename(2) + +From: Paulo Alcantara + +[ Upstream commit d84291fc7453df7881a970716f8256273aca5747 ] + +Besides sending the rename request to the server, the rename process +also involves closing any deferred close, waiting for outstanding I/O +to complete as well as marking all existing open handles as deleted to +prevent them from deferring closes, which increases the race window +for potential concurrent opens on the target file. + +Fix this by unhashing the dentry in advance to prevent any concurrent +opens on the target. + +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Al Viro +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index df01029918fd4..6c16c4f34d882 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -2379,6 +2379,7 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + struct cifs_sb_info *cifs_sb; + struct tcon_link *tlink; + struct cifs_tcon *tcon; ++ bool rehash = false; + unsigned int xid; + int rc, tmprc; + int retry_count = 0; +@@ -2394,6 +2395,17 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + if (unlikely(cifs_forced_shutdown(cifs_sb))) + return -EIO; + ++ /* ++ * Prevent any concurrent opens on the target by unhashing the dentry. ++ * VFS already unhashes the target when renaming directories. ++ */ ++ if (d_is_positive(target_dentry) && !d_is_dir(target_dentry)) { ++ if (!d_unhashed(target_dentry)) { ++ d_drop(target_dentry); ++ rehash = true; ++ } ++ } ++ + tlink = cifs_sb_tlink(cifs_sb); + if (IS_ERR(tlink)) + return PTR_ERR(tlink); +@@ -2433,6 +2445,8 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + } + } + ++ if (!rc) ++ rehash = false; + /* + * No-replace is the natural behavior for CIFS, so skip unlink hacks. + */ +@@ -2491,12 +2505,16 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir, + goto cifs_rename_exit; + rc = cifs_do_rename(xid, source_dentry, from_name, + target_dentry, to_name); ++ if (!rc) ++ rehash = false; + } + + /* force revalidate to go get info when needed */ + CIFS_I(source_dir)->time = CIFS_I(target_dir)->time = 0; + + cifs_rename_exit: ++ if (rehash) ++ d_rehash(target_dentry); + kfree(info_buf_source); + free_dentry_path(page2); + free_dentry_path(page1); +-- +2.50.1 + diff --git a/queue-6.6/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch b/queue-6.6/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch new file mode 100644 index 0000000000..2c655f7101 --- /dev/null +++ b/queue-6.6/smb-client-fix-race-with-concurrent-opens-in-unlink-.patch @@ -0,0 +1,86 @@ +From adfdcb5940cc7eb0febaa714a8e9a14ba3f86ad2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Aug 2025 12:20:17 -0300 +Subject: smb: client: fix race with concurrent opens in unlink(2) + +From: Paulo Alcantara + +[ Upstream commit 0af1561b2d60bab2a2b00720a5c7b292ecc549ec ] + +According to some logs reported by customers, CIFS client might end up +reporting unlinked files as existing in stat(2) due to concurrent +opens racing with unlink(2). + +Besides sending the removal request to the server, the unlink process +could involve closing any deferred close as well as marking all +existing open handles as deleted to prevent them from deferring +closes, which increases the race window for potential concurrent +opens. + +Fix this by unhashing the dentry in cifs_unlink() to prevent any +subsequent opens. Any open attempts, while we're still unlinking, +will block on parent's i_rwsem. + +Reported-by: Jay Shin +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Al Viro +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/inode.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c +index d93ebd58ecae1..df01029918fd4 100644 +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1856,15 +1856,24 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + struct cifs_sb_info *cifs_sb = CIFS_SB(sb); + struct tcon_link *tlink; + struct cifs_tcon *tcon; ++ __u32 dosattr = 0, origattr = 0; + struct TCP_Server_Info *server; + struct iattr *attrs = NULL; +- __u32 dosattr = 0, origattr = 0; ++ bool rehash = false; + + cifs_dbg(FYI, "cifs_unlink, dir=0x%p, dentry=0x%p\n", dir, dentry); + + if (unlikely(cifs_forced_shutdown(cifs_sb))) + return -EIO; + ++ /* Unhash dentry in advance to prevent any concurrent opens */ ++ spin_lock(&dentry->d_lock); ++ if (!d_unhashed(dentry)) { ++ __d_drop(dentry); ++ rehash = true; ++ } ++ spin_unlock(&dentry->d_lock); ++ + tlink = cifs_sb_tlink(cifs_sb); + if (IS_ERR(tlink)) + return PTR_ERR(tlink); +@@ -1915,7 +1924,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + cifs_drop_nlink(inode); + } + } else if (rc == -ENOENT) { +- d_drop(dentry); ++ if (simple_positive(dentry)) ++ d_delete(dentry); + } else if (rc == -EBUSY) { + if (server->ops->rename_pending_delete) { + rc = server->ops->rename_pending_delete(full_path, +@@ -1968,6 +1978,8 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry) + kfree(attrs); + free_xid(xid); + cifs_put_tlink(tlink); ++ if (rehash) ++ d_rehash(dentry); + return rc; + } + +-- +2.50.1 + -- 2.47.3