6.12-stable patches

added patches:
	cgroup-fix-kernfs_node-uaf-in-css_free_rwork_fn.patch
	ksmbd-smbd-fix-dma_unmap_sg-nents.patch
	libbpf-fix-wdiscarded-qualifiers-under-c23.patch
	mm-kfence-randomize-the-freelist-on-initialization.patch
	rust-kbuild-support-cjump-tables-n-for-rust-1.93.0.patch
	rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch
	wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch

diff --git a/queue-6.12/cgroup-fix-kernfs_node-uaf-in-css_free_rwork_fn.patch b/queue-6.12/cgroup-fix-kernfs_node-uaf-in-css_free_rwork_fn.patch
new file mode 100644 (file)
index 0000000..e58e072
--- /dev/null
+++ b/queue-6.12/cgroup-fix-kernfs_node-uaf-in-css_free_rwork_fn.patch
@@ -0,0 +1,129 @@
+From stable+bounces-212810-greg=kroah.com@vger.kernel.org Thu Jan 29 20:10:54 2026
+From: "T.J. Mercier" <tjmercier@google.com>
+Date: Thu, 29 Jan 2026 11:10:34 -0800
+Subject: cgroup: Fix kernfs_node UAF in css_free_rwork_fn
+To: stable@vger.kernel.org, tj@kernel.org, hannes@cmpxchg.org,  mkoutny@suse.com, cgroups@vger.kernel.org, hawk@kernel.org,  linux-kernel@vger.kernel.org
+Cc: "T.J. Mercier" <tjmercier@google.com>
+Message-ID: <20260129191034.3181412-1-tjmercier@google.com>
+
+From: "T.J. Mercier" <tjmercier@google.com>
+
+This fix patch is not upstream, and is applicable only to kernels 6.10
+(where the cgroup_rstat_lock tracepoint was added) through 6.15 after
+which commit 5da3bfa029d6 ("cgroup: use separate rstat trees for each
+subsystem") reordered cgroup_rstat_flush as part of a new feature
+addition and inadvertently fixed this UAF.
+
+css_free_rwork_fn first releases the last reference on the cgroup's
+kernfs_node, and then calls cgroup_rstat_exit which attempts to use it
+in the cgroup_rstat_lock tracepoint:
+
+kernfs_put(cgrp->kn);
+cgroup_rstat_exit
+  cgroup_rstat_flush
+    __cgroup_rstat_lock
+      trace_cgroup_rstat_locked:
+        TP_fast_assign(
+          __entry->root = cgrp->root->hierarchy_id;
+          __entry->id = cgroup_id(cgrp);
+
+Where cgroup_id is:
+static inline u64 cgroup_id(const struct cgroup *cgrp)
+{
+       return cgrp->kn->id;
+}
+
+Fix this by reordering the kernfs_put after cgroup_rstat_exit.
+
+[78782.605161][ T9861] BUG: KASAN: slab-use-after-free in trace_event_raw_event_cgroup_rstat+0x110/0x1dc
+[78782.605182][ T9861] Read of size 8 at addr ffffff890270e610 by task kworker/6:1/9861
+[78782.605199][ T9861] CPU: 6 UID: 0 PID: 9861 Comm: kworker/6:1 Tainted: G        W  OE      6.12.23-android16-5-gabaf21382e8f-4k #1 0308449da8ad70d2d3649ae989c1d02f0fbf562c
+[78782.605220][ T9861] Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+[78782.605226][ T9861] Hardware name: Qualcomm Technologies, Inc. Alor QRD + WCN7750 WLAN + Kundu PD2536F_EX (DT)
+[78782.605235][ T9861] Workqueue: cgroup_destroy css_free_rwork_fn
+[78782.605251][ T9861] Call trace:
+[78782.605254][ T9861]  dump_backtrace+0x120/0x170
+[78782.605267][ T9861]  show_stack+0x2c/0x40
+[78782.605276][ T9861]  dump_stack_lvl+0x84/0xb4
+[78782.605286][ T9861]  print_report+0x144/0x7a4
+[78782.605301][ T9861]  kasan_report+0xe0/0x140
+[78782.605315][ T9861]  __asan_load8+0x98/0xa0
+[78782.605329][ T9861]  trace_event_raw_event_cgroup_rstat+0x110/0x1dc
+[78782.605339][ T9861]  __traceiter_cgroup_rstat_locked+0x78/0xc4
+[78782.605355][ T9861]  __cgroup_rstat_lock+0xe8/0x1dc
+[78782.605368][ T9861]  cgroup_rstat_flush_locked+0x7dc/0xaec
+[78782.605383][ T9861]  cgroup_rstat_flush+0x34/0x108
+[78782.605396][ T9861]  cgroup_rstat_exit+0x2c/0x120
+[78782.605409][ T9861]  css_free_rwork_fn+0x504/0xa18
+[78782.605421][ T9861]  process_scheduled_works+0x378/0x8e0
+[78782.605435][ T9861]  worker_thread+0x5a8/0x77c
+[78782.605446][ T9861]  kthread+0x1c4/0x270
+[78782.605455][ T9861]  ret_from_fork+0x10/0x20
+[78782.605470][ T9861] Allocated by task 2864 on cpu 7 at 78781.564561s:
+[78782.605467][    C5] ENHANCE: rpm_suspend+0x93c/0xafc: 0:0:0:0 ret=0
+[78782.605481][ T9861]  kasan_save_track+0x44/0x9c
+[78782.605497][ T9861]  kasan_save_alloc_info+0x40/0x54
+[78782.605507][ T9861]  __kasan_slab_alloc+0x70/0x8c
+[78782.605521][ T9861]  kmem_cache_alloc_noprof+0x1a0/0x428
+[78782.605534][ T9861]  __kernfs_new_node+0xd4/0x3e4
+[78782.605545][ T9861]  kernfs_new_node+0xbc/0x168
+[78782.605554][ T9861]  kernfs_create_dir_ns+0x58/0xe8
+[78782.605565][ T9861]  cgroup_mkdir+0x25c/0xc9c
+[78782.605576][ T9861]  kernfs_iop_mkdir+0x130/0x214
+[78782.605586][ T9861]  vfs_mkdir+0x290/0x388
+[78782.605599][ T9861]  do_mkdirat+0xfc/0x27c
+[78782.605612][ T9861]  __arm64_sys_mkdirat+0x5c/0x78
+[78782.605625][ T9861]  invoke_syscall+0x90/0x1e8
+[78782.605634][ T9861]  el0_svc_common+0x134/0x168
+[78782.605643][ T9861]  do_el0_svc+0x34/0x44
+[78782.605652][ T9861]  el0_svc+0x38/0x84
+[78782.605667][ T9861]  el0t_64_sync_handler+0x70/0xbc
+[78782.605681][ T9861]  el0t_64_sync+0x19c/0x1a0
+[78782.605695][ T9861] Freed by task 69 on cpu 1 at 78782.573275s:
+[78782.605705][ T9861]  kasan_save_track+0x44/0x9c
+[78782.605719][ T9861]  kasan_save_free_info+0x54/0x70
+[78782.605729][ T9861]  __kasan_slab_free+0x68/0x8c
+[78782.605743][ T9861]  kmem_cache_free+0x118/0x488
+[78782.605755][ T9861]  kernfs_free_rcu+0xa0/0xb8
+[78782.605765][ T9861]  rcu_do_batch+0x324/0xaa0
+[78782.605775][ T9861]  rcu_nocb_cb_kthread+0x388/0x690
+[78782.605785][ T9861]  kthread+0x1c4/0x270
+[78782.605794][ T9861]  ret_from_fork+0x10/0x20
+[78782.605809][ T9861] Last potentially related work creation:
+[78782.605814][ T9861]  kasan_save_stack+0x40/0x70
+[78782.605829][ T9861]  __kasan_record_aux_stack+0xb0/0xcc
+[78782.605839][ T9861]  kasan_record_aux_stack_noalloc+0x14/0x24
+[78782.605849][ T9861]  __call_rcu_common+0x54/0x390
+[78782.605863][ T9861]  call_rcu+0x18/0x28
+[78782.605875][ T9861]  kernfs_put+0x17c/0x28c
+[78782.605884][ T9861]  css_free_rwork_fn+0x4f4/0xa18
+[78782.605897][ T9861]  process_scheduled_works+0x378/0x8e0
+[78782.605910][ T9861]  worker_thread+0x5a8/0x77c
+[78782.605923][ T9861]  kthread+0x1c4/0x270
+[78782.605932][ T9861]  ret_from_fork+0x10/0x20
+[78782.605947][ T9861] The buggy address belongs to the object at ffffff890270e5b0
+[78782.605947][ T9861]  which belongs to the cache kernfs_node_cache of size 144
+[78782.605957][ T9861] The buggy address is located 96 bytes inside of
+[78782.605957][ T9861]  freed 144-byte region [ffffff890270e5b0, ffffff890270e640)
+
+Fixes: fc29e04ae1ad ("cgroup/rstat: add cgroup_rstat_lock helpers and tracepoints")
+Signed-off-by: T.J. Mercier <tjmercier@google.com>
+Acked-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cgroup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -5481,9 +5481,9 @@ static void css_free_rwork_fn(struct wor
+                        * children.
+                        */
+                       cgroup_put(cgroup_parent(cgrp));
+-                      kernfs_put(cgrp->kn);
+                       psi_cgroup_free(cgrp);
+                       cgroup_rstat_exit(cgrp);
++                      kernfs_put(cgrp->kn);
+                       kfree(cgrp);
+               } else {
+                       /*

diff --git a/queue-6.12/ksmbd-smbd-fix-dma_unmap_sg-nents.patch b/queue-6.12/ksmbd-smbd-fix-dma_unmap_sg-nents.patch
new file mode 100644 (file)
index 0000000..2abf8f3
--- /dev/null
+++ b/queue-6.12/ksmbd-smbd-fix-dma_unmap_sg-nents.patch
@@ -0,0 +1,72 @@
+From stable+bounces-212671-greg=kroah.com@vger.kernel.org Wed Jan 28 21:33:02 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 15:32:52 -0500
+Subject: ksmbd: smbd: fix dma_unmap_sg() nents
+To: stable@vger.kernel.org
+Cc: Thomas Fourier <fourier.thomas@gmail.com>, Namjae Jeon <linkinjeon@kernel.org>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260128203252.2719545-1-sashal@kernel.org>
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 98e3e2b561bc88f4dd218d1c05890672874692f6 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ Context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_rdma.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -1108,14 +1108,12 @@ static int get_sg_list(void *buf, int si
+ 
+ static int get_mapped_sg_list(struct ib_device *device, void *buf, int size,
+                             struct scatterlist *sg_list, int nentries,
+-                            enum dma_data_direction dir)
++                            enum dma_data_direction dir, int *npages)
+ {
+-      int npages;
+-
+-      npages = get_sg_list(buf, size, sg_list, nentries);
+-      if (npages < 0)
++      *npages = get_sg_list(buf, size, sg_list, nentries);
++      if (*npages < 0)
+               return -EINVAL;
+-      return ib_dma_map_sg(device, sg_list, npages, dir);
++      return ib_dma_map_sg(device, sg_list, *npages, dir);
+ }
+ 
+ static int post_sendmsg(struct smb_direct_transport *t,
+@@ -1184,12 +1182,13 @@ static int smb_direct_post_send_data(str
+       for (i = 0; i < niov; i++) {
+               struct ib_sge *sge;
+               int sg_cnt;
++              int npages;
+ 
+               sg_init_table(sg, SMB_DIRECT_MAX_SEND_SGES - 1);
+               sg_cnt = get_mapped_sg_list(t->cm_id->device,
+                                           iov[i].iov_base, iov[i].iov_len,
+                                           sg, SMB_DIRECT_MAX_SEND_SGES - 1,
+-                                          DMA_TO_DEVICE);
++                                          DMA_TO_DEVICE, &npages);
+               if (sg_cnt <= 0) {
+                       pr_err("failed to map buffer\n");
+                       ret = -ENOMEM;
+@@ -1197,7 +1196,7 @@ static int smb_direct_post_send_data(str
+               } else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES) {
+                       pr_err("buffer not fitted into sges\n");
+                       ret = -E2BIG;
+-                      ib_dma_unmap_sg(t->cm_id->device, sg, sg_cnt,
++                      ib_dma_unmap_sg(t->cm_id->device, sg, npages,
+                                       DMA_TO_DEVICE);
+                       goto err;
+               }

diff --git a/queue-6.12/libbpf-fix-wdiscarded-qualifiers-under-c23.patch b/queue-6.12/libbpf-fix-wdiscarded-qualifiers-under-c23.patch
new file mode 100644 (file)
index 0000000..f633fcc
--- /dev/null
+++ b/queue-6.12/libbpf-fix-wdiscarded-qualifiers-under-c23.patch
@@ -0,0 +1,55 @@
+From d70f79fef65810faf64dbae1f3a1b5623cdb2345 Mon Sep 17 00:00:00 2001
+From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Date: Sat, 6 Dec 2025 14:28:25 +0500
+Subject: libbpf: Fix -Wdiscarded-qualifiers under C23
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+
+commit d70f79fef65810faf64dbae1f3a1b5623cdb2345 upstream.
+
+glibc ≥ 2.42 (GCC 15) defaults to -std=gnu23, which promotes
+-Wdiscarded-qualifiers to an error.
+
+In C23, strstr() and strchr() return "const char *".
+
+Change variable types to const char * where the pointers are never
+modified (res, sym_sfx, next_path).
+
+Suggested-by: Florian Weimer <fweimer@redhat.com>
+Suggested-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Link: https://lore.kernel.org/r/20251206092825.1471385-1-mikhail.v.gavrilov@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+[ shung-hsi.yu: needed to fix kernel build failure due to libbpf since glibc
+  2.43+ (which adds 'const' qualifier to strstr). 'sym_sfx' hunk dropped because
+  commit f8a05692de06 ("libbpf: Work around kernel inconsistently stripping
+  '.llvm.' suffix") is not present. ]
+Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/lib/bpf/libbpf.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -8174,7 +8174,7 @@ static int kallsyms_cb(unsigned long lon
+       struct bpf_object *obj = ctx;
+       const struct btf_type *t;
+       struct extern_desc *ext;
+-      char *res;
++      const char *res;
+ 
+       res = strstr(sym_name, ".llvm.");
+       if (sym_type == 'd' && res)
+@@ -11959,7 +11959,7 @@ static int resolve_full_path(const char
+               if (!search_paths[i])
+                       continue;
+               for (s = search_paths[i]; s != NULL; s = strchr(s, ':')) {
+-                      char *next_path;
++                      const char *next_path;
+                       int seg_len;
+ 
+                       if (s[0] == ':')

diff --git a/queue-6.12/mm-kfence-randomize-the-freelist-on-initialization.patch b/queue-6.12/mm-kfence-randomize-the-freelist-on-initialization.patch
new file mode 100644 (file)
index 0000000..8786347
--- /dev/null
+++ b/queue-6.12/mm-kfence-randomize-the-freelist-on-initialization.patch
@@ -0,0 +1,85 @@
+From 870ff19251bf3910dda7a7245da826924045fedd Mon Sep 17 00:00:00 2001
+From: Pimyn Girgis <pimyn@google.com>
+Date: Tue, 20 Jan 2026 17:15:10 +0100
+Subject: mm/kfence: randomize the freelist on initialization
+
+From: Pimyn Girgis <pimyn@google.com>
+
+commit 870ff19251bf3910dda7a7245da826924045fedd upstream.
+
+Randomize the KFENCE freelist during pool initialization to make
+allocation patterns less predictable.  This is achieved by shuffling the
+order in which metadata objects are added to the freelist using
+get_random_u32_below().
+
+Additionally, ensure the error path correctly calculates the address range
+to be reset if initialization fails, as the address increment logic has
+been moved to a separate loop.
+
+Link: https://lkml.kernel.org/r/20260120161510.3289089-1-pimyn@google.com
+Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
+Signed-off-by: Pimyn Girgis <pimyn@google.com>
+Reviewed-by: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Marco Elver <elver@google.com>
+Cc: Ernesto Martnez Garca <ernesto.martinezgarcia@tugraz.at>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Pimyn Girgis <pimyn@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kfence/core.c |   23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/mm/kfence/core.c
++++ b/mm/kfence/core.c
+@@ -596,7 +596,7 @@ static unsigned long kfence_init_pool(vo
+ {
+       unsigned long addr;
+       struct page *pages;
+-      int i;
++      int i, rand;
+ 
+       if (!arch_kfence_init_pool())
+               return (unsigned long)__kfence_pool;
+@@ -645,13 +645,27 @@ static unsigned long kfence_init_pool(vo
+               INIT_LIST_HEAD(&meta->list);
+               raw_spin_lock_init(&meta->lock);
+               meta->state = KFENCE_OBJECT_UNUSED;
+-              meta->addr = addr; /* Initialize for validation in metadata_to_pageaddr(). */
+-              list_add_tail(&meta->list, &kfence_freelist);
++              /* Use addr to randomize the freelist. */
++              meta->addr = i;
+ 
+               /* Protect the right redzone. */
+-              if (unlikely(!kfence_protect(addr + PAGE_SIZE)))
++              if (unlikely(!kfence_protect(addr + 2 * i * PAGE_SIZE + PAGE_SIZE)))
+                       goto reset_slab;
++      }
++
++      for (i = CONFIG_KFENCE_NUM_OBJECTS; i > 0; i--) {
++              rand = get_random_u32_below(i);
++              swap(kfence_metadata_init[i - 1].addr, kfence_metadata_init[rand].addr);
++      }
+ 
++      for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
++              struct kfence_metadata *meta_1 = &kfence_metadata_init[i];
++              struct kfence_metadata *meta_2 = &kfence_metadata_init[meta_1->addr];
++
++              list_add_tail(&meta_2->list, &kfence_freelist);
++      }
++      for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
++              kfence_metadata_init[i].addr = addr;
+               addr += 2 * PAGE_SIZE;
+       }
+ 
+@@ -664,6 +678,7 @@ static unsigned long kfence_init_pool(vo
+       return 0;
+ 
+ reset_slab:
++      addr += 2 * i * PAGE_SIZE;
+       for (i = 0; i < KFENCE_POOL_SIZE / PAGE_SIZE; i++) {
+               struct slab *slab = page_slab(nth_page(pages, i));
+ 

diff --git a/queue-6.12/rust-kbuild-support-cjump-tables-n-for-rust-1.93.0.patch b/queue-6.12/rust-kbuild-support-cjump-tables-n-for-rust-1.93.0.patch
new file mode 100644 (file)
index 0000000..f028dc3
--- /dev/null
+++ b/queue-6.12/rust-kbuild-support-cjump-tables-n-for-rust-1.93.0.patch
@@ -0,0 +1,44 @@
+From 789521b4717fd6bd85164ba5c131f621a79c9736 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Sat, 1 Nov 2025 10:40:11 +0100
+Subject: rust: kbuild: support `-Cjump-tables=n` for Rust 1.93.0
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 789521b4717fd6bd85164ba5c131f621a79c9736 upstream.
+
+Rust 1.93.0 (expected 2026-01-22) is stabilizing `-Zno-jump-tables`
+[1][2] as `-Cjump-tables=n` [3].
+
+Without this change, one would eventually see:
+
+      RUSTC L rust/core.o
+    error: unknown unstable option: `no-jump-tables`
+
+Thus support the upcoming version.
+
+Link: https://github.com/rust-lang/rust/issues/116592 [1]
+Link: https://github.com/rust-lang/rust/pull/105812 [2]
+Link: https://github.com/rust-lang/rust/pull/145974 [3]
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Trevor Gross <tmgross@umich.edu>
+Acked-by: Nicolas Schier <nsc@kernel.org>
+Link: https://patch.msgid.link/20251101094011.1024534-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -109,7 +109,7 @@ ifeq ($(CONFIG_X86_KERNEL_IBT),y)
+ #   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104816
+ #
+ KBUILD_CFLAGS += $(call cc-option,-fcf-protection=branch -fno-jump-tables)
+-KBUILD_RUSTFLAGS += -Zcf-protection=branch -Zno-jump-tables
++KBUILD_RUSTFLAGS += -Zcf-protection=branch $(if $(call rustc-min-version,109300),-Cjump-tables=n,-Zno-jump-tables)
+ else
+ KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)
+ endif

diff --git a/queue-6.12/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch b/queue-6.12/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch
new file mode 100644 (file)
index 0000000..d574028
--- /dev/null
+++ b/queue-6.12/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch
@@ -0,0 +1,212 @@
+From stable+bounces-212715-greg=kroah.com@vger.kernel.org Thu Jan 29 01:11:05 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jan 2026 19:10:48 -0500
+Subject: rxrpc: Fix data-race warning and potential load/store tearing
+To: stable@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>, syzbot+6182afad5045e6703b3d@syzkaller.appspotmail.com, Marc Dionne <marc.dionne@auristor.com>, Simon Horman <horms@kernel.org>, linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260129001048.2933922-1-sashal@kernel.org>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b ]
+
+Fix the following:
+
+        BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet
+
+which is reporting an issue with the reads and writes to ->last_tx_at in:
+
+        conn->peer->last_tx_at = ktime_get_seconds();
+
+and:
+
+        keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
+
+The lockless accesses to these to values aren't actually a problem as the
+read only needs an approximate time of last transmission for the purposes
+of deciding whether or not the transmission of a keepalive packet is
+warranted yet.
+
+Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bit
+arch.
+
+Fix both of these by switching to an unsigned int for ->last_tx_at and only
+storing the LSW of the time64_t.  It can then be reconstructed at need
+provided no more than 68 years has elapsed since the last transmission.
+
+Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
+Reported-by: syzbot+6182afad5045e6703b3d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/695e7cfb.050a0220.1c677c.036b.GAE@google.com/
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/1107124.1768903985@warthog.procyon.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ different struct fields (peer->mtu, peer->srtt_us, peer->rto_us) and different output.c code structure ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/ar-internal.h |    9 ++++++++-
+ net/rxrpc/conn_event.c  |    2 +-
+ net/rxrpc/output.c      |   10 +++++-----
+ net/rxrpc/peer_event.c  |   17 ++++++++++++++++-
+ net/rxrpc/proc.c        |    4 ++--
+ net/rxrpc/rxkad.c       |    4 ++--
+ 6 files changed, 34 insertions(+), 12 deletions(-)
+
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -335,7 +335,7 @@ struct rxrpc_peer {
+       struct hlist_head       error_targets;  /* targets for net error distribution */
+       struct rb_root          service_conns;  /* Service connections */
+       struct list_head        keepalive_link; /* Link in net->peer_keepalive[] */
+-      time64_t                last_tx_at;     /* Last time packet sent here */
++      unsigned int            last_tx_at;     /* Last time packet sent here (time64_t LSW) */
+       seqlock_t               service_conn_lock;
+       spinlock_t              lock;           /* access lock */
+       unsigned int            if_mtu;         /* interface MTU for this peer */
+@@ -1161,6 +1161,13 @@ void rxrpc_transmit_one(struct rxrpc_cal
+ void rxrpc_input_error(struct rxrpc_local *, struct sk_buff *);
+ void rxrpc_peer_keepalive_worker(struct work_struct *);
+ 
++/* Update the last transmission time on a peer for keepalive purposes. */
++static inline void rxrpc_peer_mark_tx(struct rxrpc_peer *peer)
++{
++      /* To avoid tearing on 32-bit systems, we only keep the LSW. */
++      WRITE_ONCE(peer->last_tx_at, ktime_get_seconds());
++}
++
+ /*
+  * peer_object.c
+  */
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -180,7 +180,7 @@ void rxrpc_conn_retransmit_call(struct r
+       }
+ 
+       ret = kernel_sendmsg(conn->local->socket, &msg, iov, ioc, len);
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       if (ret < 0)
+               trace_rxrpc_tx_fail(chan->call_debug_id, serial, ret,
+                                   rxrpc_tx_point_call_final_resend);
+--- a/net/rxrpc/output.c
++++ b/net/rxrpc/output.c
+@@ -209,7 +209,7 @@ static void rxrpc_send_ack_packet(struct
+       iov_iter_kvec(&msg.msg_iter, WRITE, txb->kvec, txb->nr_kvec, txb->len);
+       rxrpc_local_dont_fragment(conn->local, false);
+       ret = do_udp_sendmsg(conn->local->socket, &msg, txb->len);
+-      call->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(call->peer);
+       if (ret < 0) {
+               trace_rxrpc_tx_fail(call->debug_id, txb->serial, ret,
+                                   rxrpc_tx_point_call_ack);
+@@ -310,7 +310,7 @@ int rxrpc_send_abort_packet(struct rxrpc
+ 
+       iov_iter_kvec(&msg.msg_iter, WRITE, iov, 1, sizeof(pkt));
+       ret = do_udp_sendmsg(conn->local->socket, &msg, sizeof(pkt));
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       if (ret < 0)
+               trace_rxrpc_tx_fail(call->debug_id, serial, ret,
+                                   rxrpc_tx_point_call_abort);
+@@ -486,7 +486,7 @@ retry:
+        */
+       rxrpc_inc_stat(call->rxnet, stat_tx_data_send);
+       ret = do_udp_sendmsg(conn->local->socket, &msg, len);
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+ 
+       if (ret < 0) {
+               rxrpc_inc_stat(call->rxnet, stat_tx_data_send_fail);
+@@ -573,7 +573,7 @@ void rxrpc_send_conn_abort(struct rxrpc_
+ 
+       trace_rxrpc_tx_packet(conn->debug_id, &whdr, rxrpc_tx_point_conn_abort);
+ 
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+ }
+ 
+ /*
+@@ -692,7 +692,7 @@ void rxrpc_send_keepalive(struct rxrpc_p
+               trace_rxrpc_tx_packet(peer->debug_id, &whdr,
+                                     rxrpc_tx_point_version_keepalive);
+ 
+-      peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(peer);
+       _leave("");
+ }
+ 
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -225,6 +225,21 @@ static void rxrpc_distribute_error(struc
+ }
+ 
+ /*
++ * Reconstruct the last transmission time.  The difference calculated should be
++ * valid provided no more than ~68 years elapsed since the last transmission.
++ */
++static time64_t rxrpc_peer_get_tx_mark(const struct rxrpc_peer *peer, time64_t base)
++{
++      s32 last_tx_at = READ_ONCE(peer->last_tx_at);
++      s32 base_lsw = base;
++      s32 diff = last_tx_at - base_lsw;
++
++      diff = clamp(diff, -RXRPC_KEEPALIVE_TIME, RXRPC_KEEPALIVE_TIME);
++
++      return diff + base;
++}
++
++/*
+  * Perform keep-alive pings.
+  */
+ static void rxrpc_peer_keepalive_dispatch(struct rxrpc_net *rxnet,
+@@ -252,7 +267,7 @@ static void rxrpc_peer_keepalive_dispatc
+               spin_unlock_bh(&rxnet->peer_hash_lock);
+ 
+               if (use) {
+-                      keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
++                      keepalive_at = rxrpc_peer_get_tx_mark(peer, base) + RXRPC_KEEPALIVE_TIME;
+                       slot = keepalive_at - base;
+                       _debug("%02x peer %u t=%d {%pISp}",
+                              cursor, peer->debug_id, slot, &peer->srx.transport);
+--- a/net/rxrpc/proc.c
++++ b/net/rxrpc/proc.c
+@@ -299,13 +299,13 @@ static int rxrpc_peer_seq_show(struct se
+       now = ktime_get_seconds();
+       seq_printf(seq,
+                  "UDP   %-47.47s %-47.47s %3u"
+-                 " %3u %5u %6llus %8u %8u\n",
++                 " %3u %5u %6ds %8u %8u\n",
+                  lbuff,
+                  rbuff,
+                  refcount_read(&peer->ref),
+                  peer->cong_ssthresh,
+                  peer->mtu,
+-                 now - peer->last_tx_at,
++                 (s32)now - (s32)READ_ONCE(peer->last_tx_at),
+                  peer->srtt_us >> 3,
+                  peer->rto_us);
+ 
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -676,7 +676,7 @@ static int rxkad_issue_challenge(struct
+               return -EAGAIN;
+       }
+ 
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       trace_rxrpc_tx_packet(conn->debug_id, &whdr,
+                             rxrpc_tx_point_rxkad_challenge);
+       _leave(" = 0");
+@@ -734,7 +734,7 @@ static int rxkad_send_response(struct rx
+               return -EAGAIN;
+       }
+ 
+-      conn->peer->last_tx_at = ktime_get_seconds();
++      rxrpc_peer_mark_tx(conn->peer);
+       _leave(" = 0");
+       return 0;
+ }

diff --git a/queue-6.12/series b/queue-6.12/series
index fe7bdc4afaf6ec8b55728127ab1f7775417c397a..19979d86b2fea5e4cf2ac831d331b8a9c8794812 100644 (file)
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -65,3 +65,10 @@ drm-amdgpu-gfx12-fix-wptr-reset-in-kgq-init.patch
 drm-amdgpu-fix-null-pointer-dereference-in-amdgpu_gmc_filter_faults_remove.patch
 drm-amdgpu-fix-cond_exec-handling-in-amdgpu_ib_schedule.patch
 gpiolib-acpi-fix-potential-out-of-boundary-left-shift.patch
+rust-kbuild-support-cjump-tables-n-for-rust-1.93.0.patch
+cgroup-fix-kernfs_node-uaf-in-css_free_rwork_fn.patch
+rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch
+ksmbd-smbd-fix-dma_unmap_sg-nents.patch
+libbpf-fix-wdiscarded-qualifiers-under-c23.patch
+mm-kfence-randomize-the-freelist-on-initialization.patch
+wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch

diff --git a/queue-6.12/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch b/queue-6.12/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch
new file mode 100644 (file)
index 0000000..7561b45
--- /dev/null
+++ b/queue-6.12/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch
@@ -0,0 +1,105 @@
+From stable+bounces-213160-greg=kroah.com@vger.kernel.org Tue Feb  3 04:14:45 2026
+From: Li hongliang <1468888505@139.com>
+Date: Tue,  3 Feb 2026 11:13:55 +0800
+Subject: wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, quic_kangyang@quicinc.com
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, kvalo@kernel.org, jjohnson@kernel.org, quic_vthiagar@quicinc.com, quic_vnaralas@quicinc.com, quic_msinada@quicinc.com, gseset@codeaurora.org, linux-wireless@vger.kernel.org, ath11k@lists.infradead.org, quic_jjohnson@quicinc.com, jeff.johnson@oss.qualcomm.com
+Message-ID: <20260203031355.1359867-1-1468888505@139.com>
+
+From: Kang Yang <quic_kangyang@quicinc.com>
+
+[ Upstream commit 63b7af49496d0e32f7a748b6af3361ec138b1bd3 ]
+
+ath11k_hal_srng_* should be used with srng->lock to protect srng data.
+
+For ath11k_dp_rx_mon_dest_process() and ath11k_dp_full_mon_process_rx(),
+they use ath11k_hal_srng_* for many times but never call srng->lock.
+
+So when running (full) monitor mode, warning will occur:
+RIP: 0010:ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]
+Call Trace:
+ ? ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k]
+ ath11k_dp_rx_process_mon_status+0xc45/0x1190 [ath11k]
+ ? idr_alloc_u32+0x97/0xd0
+ ath11k_dp_rx_process_mon_rings+0x32a/0x550 [ath11k]
+ ath11k_dp_service_srng+0x289/0x5a0 [ath11k]
+ ath11k_pcic_ext_grp_napi_poll+0x30/0xd0 [ath11k]
+ __napi_poll+0x30/0x1f0
+ net_rx_action+0x198/0x320
+ __do_softirq+0xdd/0x319
+
+So add srng->lock for them to avoid such warnings.
+
+Inorder to fetch the srng->lock, should change srng's definition from
+'void' to 'struct hal_srng'. And initialize them elsewhere to prevent
+one line of code from being too long. This is consistent with other ring
+process functions, such as ath11k_dp_process_rx().
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Kang Yang <quic_kangyang@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Link: https://patch.msgid.link/20241219110531.2096-3-quic_kangyang@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -5142,7 +5142,7 @@ static void ath11k_dp_rx_mon_dest_proces
+       struct ath11k_mon_data *pmon = (struct ath11k_mon_data *)&dp->mon_data;
+       const struct ath11k_hw_hal_params *hal_params;
+       void *ring_entry;
+-      void *mon_dst_srng;
++      struct hal_srng *mon_dst_srng;
+       u32 ppdu_id;
+       u32 rx_bufs_used;
+       u32 ring_id;
+@@ -5159,6 +5159,7 @@ static void ath11k_dp_rx_mon_dest_proces
+ 
+       spin_lock_bh(&pmon->mon_lock);
+ 
++      spin_lock_bh(&mon_dst_srng->lock);
+       ath11k_hal_srng_access_begin(ar->ab, mon_dst_srng);
+ 
+       ppdu_id = pmon->mon_ppdu_info.ppdu_id;
+@@ -5217,6 +5218,7 @@ static void ath11k_dp_rx_mon_dest_proces
+                                                               mon_dst_srng);
+       }
+       ath11k_hal_srng_access_end(ar->ab, mon_dst_srng);
++      spin_unlock_bh(&mon_dst_srng->lock);
+ 
+       spin_unlock_bh(&pmon->mon_lock);
+ 
+@@ -5606,7 +5608,7 @@ static int ath11k_dp_full_mon_process_rx
+       struct hal_sw_mon_ring_entries *sw_mon_entries;
+       struct ath11k_pdev_mon_stats *rx_mon_stats;
+       struct sk_buff *head_msdu, *tail_msdu;
+-      void *mon_dst_srng = &ar->ab->hal.srng_list[dp->rxdma_mon_dst_ring.ring_id];
++      struct hal_srng *mon_dst_srng;
+       void *ring_entry;
+       u32 rx_bufs_used = 0, mpdu_rx_bufs_used;
+       int quota = 0, ret;
+@@ -5622,6 +5624,9 @@ static int ath11k_dp_full_mon_process_rx
+               goto reap_status_ring;
+       }
+ 
++      mon_dst_srng = &ar->ab->hal.srng_list[dp->rxdma_mon_dst_ring.ring_id];
++      spin_lock_bh(&mon_dst_srng->lock);
++
+       ath11k_hal_srng_access_begin(ar->ab, mon_dst_srng);
+       while ((ring_entry = ath11k_hal_srng_dst_peek(ar->ab, mon_dst_srng))) {
+               head_msdu = NULL;
+@@ -5665,6 +5670,7 @@ next_entry:
+       }
+ 
+       ath11k_hal_srng_access_end(ar->ab, mon_dst_srng);
++      spin_unlock_bh(&mon_dst_srng->lock);
+       spin_unlock_bh(&pmon->mon_lock);
+ 
+       if (rx_bufs_used) {