From: Greg Kroah-Hartman
Date: Mon, 24 Nov 2025 13:30:55 +0000 (+0100)
Subject: 6.12-stable patches
X-Git-Tag: v6.6.118~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0160e8755feff4bd26049e7b90a90e6446a7608f;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
	arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch
	arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch
	arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch
	arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch
	ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
	ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
	be2net-pass-wrb_params-in-case-of-os2bmc.patch
	exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
	hid-amd_sfh-stop-sensor-before-starting.patch
	hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
	isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch
	mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
	mptcp-disallow-mptcp-subflows-from-sockmap.patch
	mptcp-fix-proto-fallback-detection-with-bpf.patch
	mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
	mtdchar-fix-integer-overflow-in-read-write-ioctls.patch
	net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch
	revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch
	shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch
	smb-client-introduce-close_cached_dir_locked.patch
	timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch
---
diff --git a/queue-6.12/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch b/queue-6.12/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch new file mode 100644 index 0000000000..29e120938b --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch 
@@ -0,0 +1,59 @@ +From baa18d577cd445145039e731d3de0fa49ca57204 Mon Sep 17 00:00:00 2001 +From: Quentin Schulz +Date: Wed, 12 Nov 2025 16:01:53 +0100 +Subject: arm64: dts: rockchip: disable HS400 on RK3588 Tiger + +From: Quentin Schulz + +commit baa18d577cd445145039e731d3de0fa49ca57204 upstream. + +We've had reports from the field that some RK3588 Tiger have random +issues with eMMC errors. + +Applying commit a28352cf2d2f ("mmc: sdhci-of-dwcmshc: Change +DLL_STRBIN_TAPNUM_DEFAULT to 0x4") didn't help and seemed to have made +things worse for our board. + +Our HW department checked the eMMC lines and reported that they are too +long and don't look great so signal integrity is probably not the best. + +Note that not all Tigers with the same eMMC chip have errors, so the +suspicion is that we're really on the edge in terms of signal integrity +and only a handful devices are failing. Additionally, we have RK3588 +Jaguars with the same eMMC chip but the layout is different and we also +haven't received reports about those so far. + +Lowering the max-frequency to 150MHz from 200MHz instead of simply +disabling HS400 was briefly tested and seem to work as well. We've +disabled HS400 downstream and haven't received reports since so we'll go +with that instead of lowering the max-frequency. 
+ +Signed-off-by: Quentin Schulz +Fixes: 6173ef24b35b ("arm64: dts: rockchip: add RK3588-Q7 (Tiger) SoM") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251112-tiger-hs200-v1-1-b50adac107c0@cherry.de +[added Fixes tag and stable-cc from 2nd mail] +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi +@@ -359,14 +359,12 @@ + cap-mmc-highspeed; + mmc-ddr-1_8v; + mmc-hs200-1_8v; +- mmc-hs400-1_8v; +- mmc-hs400-enhanced-strobe; + mmc-pwrseq = <&emmc_pwrseq>; + no-sdio; + no-sd; + non-removable; + pinctrl-names = "default"; +- pinctrl-0 = <&emmc_bus8 &emmc_cmd &emmc_clk &emmc_data_strobe>; ++ pinctrl-0 = <&emmc_bus8 &emmc_cmd &emmc_clk>; + vmmc-supply = <&vcc_3v3_s3>; + vqmmc-supply = <&vcc_1v8_s3>; + status = "okay"; diff --git a/queue-6.12/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch b/queue-6.12/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch new file mode 100644 index 0000000000..d294514a66 --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch 
@@ -0,0 +1,39 @@ +From b5414520793e68d266fdd97a84989d9831156aad Mon Sep 17 00:00:00 2001 +From: Mykola Kvach +Date: Mon, 3 Nov 2025 12:27:40 +0200 +Subject: arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5 + +From: Mykola Kvach + +commit b5414520793e68d266fdd97a84989d9831156aad upstream. + +The vcc3v3_pcie20 fixed regulator powers the PCIe device-side 3.3V rail +for pcie2x1l2 via vpcie3v3-supply. The DTS mistakenly set its +regulator-min/max-microvolt to 1800000 (1.8 V). Correct both to 3300000 +(3.3 V) to match the rail name, the PCIe/M.2 power requirement, and the +actual hardware wiring on Orange Pi 5. + +Fixes: b6bc755d806e ("arm64: dts: rockchip: Add Orange Pi 5") +Cc: stable@vger.kernel.org +Signed-off-by: Mykola Kvach +Reviewed-by: Michael Riesch +Link: https://patch.msgid.link/cf6e08dfdfbf1c540685d12388baab1326f95d2c.1762165324.git.xakep.amatop@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts +@@ -85,8 +85,8 @@ + gpios = <&gpio0 RK_PC5 GPIO_ACTIVE_HIGH>; + regulator-name = "vcc3v3_pcie20"; + regulator-boot-on; +- regulator-min-microvolt = <1800000>; +- regulator-max-microvolt = <1800000>; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; + startup-delay-us = <50000>; + vin-supply = <&vcc5v0_sys>; + }; diff --git a/queue-6.12/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch b/queue-6.12/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch new file mode 100644 index 0000000000..1861c91333 --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch 
@@ -0,0 +1,35 @@ +From 03c7e964a02e388ee168c804add7404eda23908c Mon Sep 17 00:00:00 2001 +From: Diederik de Haas +Date: Mon, 27 Oct 2025 16:54:28 +0100 +Subject: arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2 + +From: Diederik de Haas + +commit 03c7e964a02e388ee168c804add7404eda23908c upstream. + +Page 13 of the PineTab2 v2 schematic dd 20230417 shows VCCIO4's power +source is VCCIO_WL. Page 19 shows that VCCIO_WL is connected to +VCCA1V8_PMU, so fix the PineTab2 dtsi to reflect that. + +Fixes: 1b7e19448f8f ("arm64: dts: rockchip: Add devicetree for Pine64 PineTab2") +Cc: stable@vger.kernel.org +Reviewed-by: Dragan Simic +Signed-off-by: Diederik de Haas +Link: https://patch.msgid.link/20251027155724.138096-1-diederik@cknow-tech.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi +@@ -789,7 +789,7 @@ + vccio1-supply = <&vccio_acodec>; + vccio2-supply = <&vcc_1v8>; + vccio3-supply = <&vccio_sd>; +- vccio4-supply = <&vcc_1v8>; ++ vccio4-supply = <&vcca1v8_pmu>; + vccio5-supply = <&vcc_1v8>; + vccio6-supply = <&vcc1v8_dvp>; + vccio7-supply = <&vcc_3v3>; diff --git a/queue-6.12/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch b/queue-6.12/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch new file mode 100644 index 0000000000..36de66e0c7 --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch 
@@ -0,0 +1,54 @@ +From 08d70143e3033d267507deb98a5fd187df3e6640 Mon Sep 17 00:00:00 2001 +From: Quentin Schulz +Date: Wed, 29 Oct 2025 14:50:59 +0100 +Subject: arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1 + +From: Quentin Schulz + +commit 08d70143e3033d267507deb98a5fd187df3e6640 upstream. + +In commit 296602b8e5f7 ("arm64: dts: rockchip: Move RK3399 OPPs to dtsi +files for SoC variants"), everything shared between variants of RK3399 +was put into rk3399-base.dtsi and the rest in variant-specific DTSI, +such as rk3399-t, rk3399-op1, rk3399, etc. +Therefore, the variant-specific DTSI should include rk3399-base.dtsi and +not another variant's DTSI. + +rk3399-op1 wrongly includes rk3399 (a variant) DTSI instead of +rk3399-base DTSI, let's fix this oversight by including the intended +DTSI. + +Fortunately, this had no impact on the resulting DTB since all nodes +were named the same and all node properties were overridden in +rk3399-op1.dtsi. This was checked by doing a checksum of rk3399-op1 DTBs +before and after this commit. + +No intended change in behavior. + +Fixes: 296602b8e5f7 ("arm64: dts: rockchip: Move RK3399 OPPs to dtsi files for SoC variants") +Cc: stable@vger.kernel.org +Signed-off-by: Quentin Schulz +Reviewed-by: Dragan Simic +Link: https://patch.msgid.link/20251029-rk3399-op1-include-v1-1-2472ee60e7f8@cherry.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi +index c4f4f1ff6117..9da6fd82e46b 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi +@@ -3,7 +3,7 @@ + * Copyright (c) 2016-2017 Fuzhou Rockchip Electronics Co., Ltd + */ + +-#include "rk3399.dtsi" ++#include "rk3399-base.dtsi" + + / { + cluster0_opp: opp-table-0 { +-- +2.52.0 + 
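Review bot: The `#include "rk3399-base.dtsi"` change in rk3399-op1.dtsi is described by its own commit message as having no impact on the resulting DTB (checked by checksum) and "No intended change in behavior", so as queued for 6.12 it fixes nothing a user can observe. If it is carried as a prerequisite for another queued patch, name that patch in the queue entry; otherwise it is a candidate to drop. This entry also still carries the inner `diff --git` and `index` lines and the `-- 2.52.0` trailer, which the other queued patches on this page do not have, so it is worth normalising.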
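Review bot: In queue-6.12/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch, the rk3588-tiger.dtsi hunk drops `mmc-hs400-1_8v;`, `mmc-hs400-enhanced-strobe;` and `&emmc_data_strobe` without leaving a comment in the node, so the reason HS400 is off is recorded only in the commit message. A one-line comment above `mmc-hs200-1_8v;` saying that HS400 is disabled because of eMMC errors attributed to signal integrity on some boards would keep a later cleanup from re-enabling it.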
diff --git a/queue-6.12/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch b/queue-6.12/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch new file mode 100644 index 0000000000..554ae88615 --- /dev/null +++ b/queue-6.12/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch @@ -0,0 +1,36 @@ +From b32cc17d607e8ae7af037303fe101368cb4dc44c Mon Sep 17 00:00:00 2001 +From: Yihang Li +Date: Thu, 20 Nov 2025 11:50:23 +0800 +Subject: ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan() + +From: Yihang Li + +commit b32cc17d607e8ae7af037303fe101368cb4dc44c upstream. + +Call scsi_device_put() in ata_scsi_dev_rescan() if the device or its +queue are not running. + +Fixes: 0c76106cb975 ("scsi: sd: Fix TCG OPAL unlock on system resume") +Cc: stable@vger.kernel.org +Signed-off-by: Yihang Li +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -4807,8 +4807,10 @@ void ata_scsi_dev_rescan(struct work_str + spin_unlock_irqrestore(ap->lock, flags); + if (do_resume) { + ret = scsi_resume_device(sdev); +- if (ret == -EWOULDBLOCK) ++ if (ret == -EWOULDBLOCK) { ++ scsi_device_put(sdev); + goto unlock_scan; ++ } + dev->flags &= ~ATA_DFLAG_RESUMING; + } + ret = scsi_rescan_device(sdev); diff --git a/queue-6.12/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch b/queue-6.12/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch new file mode 100644 index 0000000000..fda39e1cc0 --- /dev/null +++ b/queue-6.12/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch 
@@ -0,0 +1,76 @@ +From b11890683380a36b8488229f818d5e76e8204587 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Wed, 19 Nov 2025 15:13:14 +0100 +Subject: ata: libata-scsi: Fix system suspend for a security locked drive + +From: Niklas Cassel + +commit b11890683380a36b8488229f818d5e76e8204587 upstream. + +Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status +handling") fixed ata_to_sense_error() to properly generate sense key +ABORTED COMMAND (without any additional sense code), instead of the +previous bogus sense key ILLEGAL REQUEST with the additional sense code +UNALIGNED WRITE COMMAND, for a failed command. + +However, this broke suspend for Security locked drives (drives that have +Security enabled, and have not been Security unlocked by boot firmware). + +The reason for this is that the SCSI disk driver, for the Synchronize +Cache command only, treats any sense data with sense key ILLEGAL REQUEST +as a successful command (regardless of ASC / ASCQ). + +After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() +status handling") the code that treats any sense data with sense key +ILLEGAL REQUEST as a successful command is no longer applicable, so the +command fails, which causes the system suspend to be aborted: + + sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5 + sd 1:0:0:0: PM: failed to suspend async: error -5 + PM: Some devices failed to suspend, or early wake event detected + +To make suspend work once again, for a Security locked device only, +return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense +data which a real SCSI device would have returned if locked. +The SCSI disk driver treats this sense data as a successful command. + +Cc: stable@vger.kernel.org +Reported-by: Ilia Baryshnikov +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704 +Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. 
Petersen +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 7 +++++++ + include/linux/ata.h | 1 + + 2 files changed, 8 insertions(+) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -991,6 +991,13 @@ static void ata_gen_ata_sense(struct ata + return; + } + ++ if (ata_id_is_locked(dev->id)) { ++ /* Security locked */ ++ /* LOGICAL UNIT ACCESS NOT AUTHORIZED */ ++ ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71); ++ return; ++ } ++ + if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) { + ata_dev_dbg(dev, + "Missing result TF: reporting aborted command\n"); +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -566,6 +566,7 @@ struct ata_bmdma_prd { + #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8)) + #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1) + #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7)) ++#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7) + #define ata_id_has_atapi_AN(id) \ + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ diff --git a/queue-6.12/be2net-pass-wrb_params-in-case-of-os2bmc.patch b/queue-6.12/be2net-pass-wrb_params-in-case-of-os2bmc.patch new file mode 100644 index 0000000000..3112c00229 --- /dev/null +++ b/queue-6.12/be2net-pass-wrb_params-in-case-of-os2bmc.patch 
@@ -0,0 +1,60 @@ +From 7d277a7a58578dd62fd546ddaef459ec24ccae36 Mon Sep 17 00:00:00 2001 +From: Andrey Vatoropin +Date: Wed, 19 Nov 2025 10:51:12 +0000 +Subject: be2net: pass wrb_params in case of OS2BMC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrey Vatoropin + +commit 7d277a7a58578dd62fd546ddaef459ec24ccae36 upstream. + +be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL +at be_send_pkt_to_bmc() call site.  This may lead to dereferencing a NULL +pointer when processing a workaround for specific packet, as commit +bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6 +packet") states. + +The correct way would be to pass the wrb_params from be_xmit(). + +Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.") +Cc: stable@vger.kernel.org +Signed-off-by: Andrey Vatoropin +Link: https://patch.msgid.link/20251119105015.194501-1-a.vatoropin@crpt.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/emulex/benet/be_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1296,7 +1296,8 @@ static void be_xmit_flush(struct be_adap + (adapter->bmc_filt_mask & BMC_FILT_MULTICAST) + + static bool be_send_pkt_to_bmc(struct be_adapter *adapter, +- struct sk_buff **skb) ++ struct sk_buff **skb, ++ struct be_wrb_params *wrb_params) + { + struct ethhdr *eh = (struct ethhdr *)(*skb)->data; + bool os2bmc = false; +@@ -1360,7 +1361,7 @@ done: + * to BMC, asic expects the vlan to be inline in the packet. + */ + if (os2bmc) +- *skb = be_insert_vlan_in_pkt(adapter, *skb, NULL); ++ *skb = be_insert_vlan_in_pkt(adapter, *skb, wrb_params); + + return os2bmc; + } +@@ -1387,7 +1388,7 @@ static netdev_tx_t be_xmit(struct sk_buf + /* if os2bmc is enabled and if the pkt is destined to bmc, + * enqueue the pkt a 2nd time with mgmt bit set. 
+ */ +- if (be_send_pkt_to_bmc(adapter, &skb)) { ++ if (be_send_pkt_to_bmc(adapter, &skb, &wrb_params)) { + BE_WRB_F_SET(wrb_params.features, OS2BMC, 1); + wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params); + if (unlikely(!wrb_cnt)) diff --git a/queue-6.12/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch b/queue-6.12/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch new file mode 100644 index 0000000000..8a01730678 --- /dev/null +++ b/queue-6.12/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch @@ -0,0 +1,37 @@ +From f2c1f631630e01821fe4c3fdf6077bc7a8284f82 Mon Sep 17 00:00:00 2001 +From: Yongpeng Yang +Date: Tue, 4 Nov 2025 20:50:07 +0800 +Subject: exfat: check return value of sb_min_blocksize in exfat_read_boot_sector + +From: Yongpeng Yang + +commit f2c1f631630e01821fe4c3fdf6077bc7a8284f82 upstream. + +sb_min_blocksize() may return 0. Check its return value to avoid +accessing the filesystem super block when sb->s_blocksize is 0. + +Cc: stable@vger.kernel.org # v6.15 +Fixes: 719c1e1829166d ("exfat: add super block operations") +Reviewed-by: Christoph Hellwig +Signed-off-by: Yongpeng Yang +Link: https://patch.msgid.link/20251104125009.2111925-3-yangyongpeng.storage@gmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/super.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/exfat/super.c ++++ b/fs/exfat/super.c +@@ -452,7 +452,10 @@ static int exfat_read_boot_sector(struct + struct exfat_sb_info *sbi = EXFAT_SB(sb); + + /* set block size to read super block */ +- sb_min_blocksize(sb, 512); ++ if (!sb_min_blocksize(sb, 512)) { ++ exfat_err(sb, "unable to set blocksize"); ++ return -EINVAL; ++ } + + /* read boot sector */ + sbi->boot_bh = sb_bread(sb, 0); 
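Review bot: The exfat_read_boot_sector() hunk carries `Cc: stable@vger.kernel.org # v6.15` but is queued under queue-6.12/, so confirm that sb_min_blocksize() in the 6.12 tree can return 0 on this path and that the backport to this branch is intended. The placement of the check is right: `if (!sb_min_blocksize(sb, 512))` fails with -EINVAL before `sb_bread(sb, 0)` is reached.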
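Review bot: In be_send_pkt_to_bmc() in queue-6.12/be2net-pass-wrb_params-in-case-of-os2bmc.patch, `be_insert_vlan_in_pkt(adapter, *skb, wrb_params)` now receives the caller's structure, so anything that helper writes into it stays set when be_xmit() goes on to `BE_WRB_F_SET(wrb_params.features, OS2BMC, 1)` and the second `be_xmit_enqueue()`. The commit message should say whether carrying that state into the BMC copy of the packet is intended; if it is not, hand the helper a local copy instead of `&wrb_params`.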
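Review bot: The new `ata_id_is_locked()` macro in the include/linux/ata.h hunk of queue-6.12/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch tests `((id)[ATA_ID_DLF] & 0x7) == 0x7` with no comment on what the three bits mean, and the check added to ata_gen_ata_sense() reads the cached `dev->id`. Add a comment naming the bits the mask covers, and state in the commit message whether `dev->id` is refreshed after the drive is unlocked, since the early `return` reports DATA_PROTECT 0x74/0x71 for every failed command for as long as the cached data says locked.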
diff --git a/queue-6.12/hid-amd_sfh-stop-sensor-before-starting.patch b/queue-6.12/hid-amd_sfh-stop-sensor-before-starting.patch new file mode 100644 index 0000000000..6b4a146c05 --- /dev/null +++ b/queue-6.12/hid-amd_sfh-stop-sensor-before-starting.patch @@ -0,0 +1,39 @@ +From 4d3a13afa8b64dc49293b3eab3e7beac11072c12 Mon Sep 17 00:00:00 2001 +From: "Mario Limonciello (AMD)" +Date: Mon, 20 Oct 2025 10:50:42 -0500 +Subject: HID: amd_sfh: Stop sensor before starting + +From: Mario Limonciello (AMD) + +commit 4d3a13afa8b64dc49293b3eab3e7beac11072c12 upstream. + +Titas reports that the accelerometer sensor on their laptop only +works after a warm boot or unloading/reloading the amd-sfh kernel +module. + +Presumably the sensor is in a bad state on cold boot and failing to +start, so explicitly stop it before starting. + +Cc: stable@vger.kernel.org +Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality") +Reported-by: Titas +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670 +Tested-by: Titas +Signed-off-by: Mario Limonciello (AMD) +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c ++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +@@ -172,6 +172,8 @@ static int amd_sfh1_1_hid_client_init(st + if (rc) + goto cleanup; + ++ mp2_ops->stop(privdata, cl_data->sensor_idx[i]); ++ amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR); + writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0)); + mp2_ops->start(privdata, info); + status = amd_sfh_wait_for_response diff --git a/queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch b/queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch new file mode 100644 index 0000000000..6fa3c9f574 --- /dev/null +++ b/queue-6.12/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch 
@@ -0,0 +1,70 @@ +From beab067dbcff642243291fd528355d64c41dc3b2 Mon Sep 17 00:00:00 2001 +From: Zhang Heng +Date: Fri, 12 Sep 2025 20:38:18 +0800 +Subject: HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 + +From: Zhang Heng + +commit beab067dbcff642243291fd528355d64c41dc3b2 upstream. + +Based on available evidence, the USB ID 4c4a:4155 used by multiple +devices has been attributed to Jieli. The commit 1a8953f4f774 +("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY") affected touchscreen +functionality. Added checks for manufacturer and serial number to +maintain microphone compatibility, enabling both devices to function +properly. + +[jkosina@suse.com: edit shortlog] +Fixes: 1a8953f4f774 ("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY") +Cc: stable@vger.kernel.org +Tested-by: staffan.melin@oscillator.se +Reviewed-by: Terry Junge +Signed-off-by: Zhang Heng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 4 ++-- + drivers/hid/hid-quirks.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1528,7 +1528,7 @@ + #define USB_VENDOR_ID_SIGNOTEC 0x2133 + #define USB_DEVICE_ID_SIGNOTEC_VIEWSONIC_PD1011 0x0018 + +-#define USB_VENDOR_ID_SMARTLINKTECHNOLOGY 0x4c4a +-#define USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155 0x4155 ++#define USB_VENDOR_ID_JIELI_SDK_DEFAULT 0x4c4a ++#define USB_DEVICE_ID_JIELI_SDK_4155 0x4155 + + #endif +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -900,7 +900,6 @@ static const struct hid_device_id hid_ig + #endif + { HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) }, + { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) }, +- { HID_USB_DEVICE(USB_VENDOR_ID_SMARTLINKTECHNOLOGY, USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155) }, + { } + }; + +@@ -1057,6 +1056,18 @@ bool hid_ignore(struct hid_device *hdev) + strlen(elan_acpi_id[i].id))) + return true; + 
break; ++ case USB_VENDOR_ID_JIELI_SDK_DEFAULT: ++ /* ++ * Multiple USB devices with identical IDs (mic & touchscreen). ++ * The touch screen requires hid core processing, but the ++ * microphone does not. They can be distinguished by manufacturer ++ * and serial number. ++ */ ++ if (hdev->product == USB_DEVICE_ID_JIELI_SDK_4155 && ++ strncmp(hdev->name, "SmartlinkTechnology", 19) == 0 && ++ strncmp(hdev->uniq, "20201111000001", 14) == 0) ++ return true; ++ break; + } + + if (hdev->type == HID_TYPE_USBMOUSE && diff --git a/queue-6.12/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch b/queue-6.12/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch new file mode 100644 index 0000000000..f79c5c7402 --- /dev/null +++ b/queue-6.12/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch 
@@ -0,0 +1,38 @@ +From e106e269c5cb38315eb0a0e7e38f71e9b20c8c66 Mon Sep 17 00:00:00 2001 +From: Yongpeng Yang +Date: Tue, 4 Nov 2025 20:50:08 +0800 +Subject: isofs: check the return value of sb_min_blocksize() in isofs_fill_super + +From: Yongpeng Yang + +commit e106e269c5cb38315eb0a0e7e38f71e9b20c8c66 upstream. + +sb_min_blocksize() may return 0. Check its return value to avoid +opt->blocksize and sb->s_blocksize is 0. + +Cc: stable@vger.kernel.org # v6.15 +Fixes: 1b17a46c9243e9 ("isofs: convert isofs to use the new mount API") +Reviewed-by: Jan Kara +Reviewed-by: Christoph Hellwig +Signed-off-by: Yongpeng Yang +Link: https://patch.msgid.link/20251104125009.2111925-4-yangyongpeng.storage@gmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/inode.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -610,6 +610,11 @@ static int isofs_fill_super(struct super + goto out_freesbi; + } + opt->blocksize = sb_min_blocksize(s, opt->blocksize); ++ if (!opt->blocksize) { ++ printk(KERN_ERR ++ "ISOFS: unable to set blocksize\n"); ++ goto out_freesbi; ++ } + + sbi->s_high_sierra = 0; /* default is iso9660 */ + sbi->s_session = opt->session; diff --git a/queue-6.12/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch b/queue-6.12/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch new file mode 100644 index 0000000000..7dff5ac699 --- /dev/null +++ b/queue-6.12/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch 
@@ -0,0 +1,174 @@ +From 9f048fa487409e364cf866c957cf0b0d782ca5a3 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Thu, 13 Nov 2025 05:21:10 +0000 +Subject: MIPS: mm: Prevent a TLB shutdown on initial uniquification + +From: Maciej W. Rozycki + +commit 9f048fa487409e364cf866c957cf0b0d782ca5a3 upstream. + +Depending on the particular CPU implementation a TLB shutdown may occur +if multiple matching entries are detected upon the execution of a TLBP +or the TLBWI/TLBWR instructions. Given that we don't know what entries +we have been handed we need to be very careful with the initial TLB +setup and avoid all these instructions. + +Therefore read all the TLB entries one by one with the TLBR instruction, +bypassing the content addressing logic, and truncate any large pages in +place so as to avoid a case in the second step where an incoming entry +for a large page at a lower address overlaps with a replacement entry +chosen at another index. Then preinitialize the TLB using addresses +outside our usual unique range and avoiding clashes with any entries +received, before making the usual call to local_flush_tlb_all(). + +This fixes (at least) R4x00 cores if TLBP hits multiple matching TLB +entries (SGI IP22 PROM for examples sets up all TLBs to the same virtual +address). + +Signed-off-by: Maciej W. 
Rozycki +Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init") +Cc: stable@vger.kernel.org +Reviewed-by: Jiaxun Yang +Tested-by: Jiaxun Yang # Boston I6400, M5150 sim +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/tlb-r4k.c | 102 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 64 insertions(+), 38 deletions(-) + +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -508,55 +509,79 @@ static int __init set_ntlb(char *str) + + __setup("ntlb=", set_ntlb); + +-/* Initialise all TLB entries with unique values */ ++ ++/* Comparison function for EntryHi VPN fields. */ ++static int r4k_vpn_cmp(const void *a, const void *b) ++{ ++ long v = *(unsigned long *)a - *(unsigned long *)b; ++ int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0; ++ return s ? (v != 0) | v >> s : v; ++} ++ ++/* ++ * Initialise all TLB entries with unique values that do not clash with ++ * what we have been handed over and what we'll be using ourselves. ++ */ + static void r4k_tlb_uniquify(void) + { +- int entry = num_wired_entries(); ++ unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE]; ++ int tlbsize = current_cpu_data.tlbsize; ++ int start = num_wired_entries(); ++ unsigned long vpn_mask; ++ int cnt, ent, idx, i; ++ ++ vpn_mask = GENMASK(cpu_vmbits - 1, 13); ++ vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 
3ULL << 62 : 1 << 31; + + htw_stop(); +- write_c0_entrylo0(0); +- write_c0_entrylo1(0); + +- while (entry < current_cpu_data.tlbsize) { +- unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data); +- unsigned long asid = 0; +- int idx; ++ for (i = start, cnt = 0; i < tlbsize; i++, cnt++) { ++ unsigned long vpn; + +- /* Skip wired MMID to make ginvt_mmid work */ +- if (cpu_has_mmid) +- asid = MMID_KERNEL_WIRED + 1; ++ write_c0_index(i); ++ mtc0_tlbr_hazard(); ++ tlb_read(); ++ tlb_read_hazard(); ++ vpn = read_c0_entryhi(); ++ vpn &= vpn_mask & PAGE_MASK; ++ tlb_vpns[cnt] = vpn; + +- /* Check for match before using UNIQUE_ENTRYHI */ +- do { +- if (cpu_has_mmid) { +- write_c0_memorymapid(asid); +- write_c0_entryhi(UNIQUE_ENTRYHI(entry)); +- } else { +- write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid); +- } +- mtc0_tlbw_hazard(); +- tlb_probe(); +- tlb_probe_hazard(); +- idx = read_c0_index(); +- /* No match or match is on current entry */ +- if (idx < 0 || idx == entry) +- break; +- /* +- * If we hit a match, we need to try again with +- * a different ASID. +- */ +- asid++; +- } while (asid < asid_mask); +- +- if (idx >= 0 && idx != entry) +- panic("Unable to uniquify TLB entry %d", idx); +- +- write_c0_index(entry); ++ /* Prevent any large pages from overlapping regular ones. 
*/ ++ write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK); + mtc0_tlbw_hazard(); + tlb_write_indexed(); +- entry++; ++ tlbw_use_hazard(); + } + ++ sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL); ++ ++ write_c0_pagemask(PM_DEFAULT_MASK); ++ write_c0_entrylo0(0); ++ write_c0_entrylo1(0); ++ ++ idx = 0; ++ ent = tlbsize; ++ for (i = start; i < tlbsize; i++) ++ while (1) { ++ unsigned long entryhi, vpn; ++ ++ entryhi = UNIQUE_ENTRYHI(ent); ++ vpn = entryhi & vpn_mask & PAGE_MASK; ++ ++ if (idx >= cnt || vpn < tlb_vpns[idx]) { ++ write_c0_entryhi(entryhi); ++ write_c0_index(i); ++ mtc0_tlbw_hazard(); ++ tlb_write_indexed(); ++ ent++; ++ break; ++ } else if (vpn == tlb_vpns[idx]) { ++ ent++; ++ } else { ++ idx++; ++ } ++ } ++ + tlbw_use_hazard(); + htw_start(); + flush_micro_tlb(); +@@ -602,6 +627,7 @@ static void r4k_tlb_configure(void) + + /* From this point on the ARC firmware is dead. */ + r4k_tlb_uniquify(); ++ local_flush_tlb_all(); + + /* Did I tell you that ARC SUCKS? */ + } diff --git a/queue-6.12/mptcp-disallow-mptcp-subflows-from-sockmap.patch b/queue-6.12/mptcp-disallow-mptcp-subflows-from-sockmap.patch new file mode 100644 index 0000000000..9578a8ba3c --- /dev/null +++ b/queue-6.12/mptcp-disallow-mptcp-subflows-from-sockmap.patch 
@@ -0,0 +1,80 @@ +From fbade4bd08ba52cbc74a71c4e86e736f059f99f7 Mon Sep 17 00:00:00 2001 +From: Jiayuan Chen +Date: Tue, 11 Nov 2025 14:02:50 +0800 +Subject: mptcp: Disallow MPTCP subflows from sockmap + +From: Jiayuan Chen + +commit fbade4bd08ba52cbc74a71c4e86e736f059f99f7 upstream. + +The sockmap feature allows bpf syscall from userspace, or based on bpf +sockops, replacing the sk_prot of sockets during protocol stack processing +with sockmap's custom read/write interfaces. +''' +tcp_rcv_state_process() + subflow_syn_recv_sock() + tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) + bpf_skops_established <== sockops + bpf_sock_map_update(sk) <== call bpf helper + tcp_bpf_update_proto() <== update sk_prot +''' +Consider two scenarios: + +1. When the server has MPTCP enabled and the client also requests MPTCP, + the sk passed to the BPF program is a subflow sk. Since subflows only + handle partial data, replacing their sk_prot is meaningless and will + cause traffic disruption. + +2. When the server has MPTCP enabled but the client sends a TCP SYN + without MPTCP, subflow_syn_recv_sock() performs a fallback on the + subflow, replacing the subflow sk's sk_prot with the native sk_prot. + ''' + subflow_ulp_fallback() + subflow_drop_ctx() + mptcp_subflow_ops_undo_override() + ''' + Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops() + converts the subflow to plain TCP. + +For the first case, we should prevent it from being combined with sockmap +by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by +sockmap's own flow. + +For the second case, since subflow_syn_recv_sock() has already restored +sk_prot to native tcp_prot/tcpv6_prot, no further action is needed. 
+ +Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: Matthieu Baerts (NGI0) +Cc: +Link: https://patch.msgid.link/20251111060307.194196-2-jiayuan.chen@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -2150,6 +2150,10 @@ void __init mptcp_subflow_init(void) + tcp_prot_override = tcp_prot; + tcp_prot_override.release_cb = tcp_release_cb_override; + tcp_prot_override.diag_destroy = tcp_abort_override; ++#ifdef CONFIG_BPF_SYSCALL ++ /* Disable sockmap processing for subflows */ ++ tcp_prot_override.psock_update_sk_prot = NULL; ++#endif + + #if IS_ENABLED(CONFIG_MPTCP_IPV6) + /* In struct mptcp_subflow_request_sock, we assume the TCP request sock +@@ -2186,6 +2190,10 @@ void __init mptcp_subflow_init(void) + tcpv6_prot_override = tcpv6_prot; + tcpv6_prot_override.release_cb = tcp_release_cb_override; + tcpv6_prot_override.diag_destroy = tcp_abort_override; ++#ifdef CONFIG_BPF_SYSCALL ++ /* Disable sockmap processing for subflows */ ++ tcpv6_prot_override.psock_update_sk_prot = NULL; ++#endif + #endif + + mptcp_diag_subflow_init(&subflow_ulp_ops); diff --git a/queue-6.12/mptcp-fix-proto-fallback-detection-with-bpf.patch b/queue-6.12/mptcp-fix-proto-fallback-detection-with-bpf.patch new file mode 100644 index 0000000000..fdb23704e4 --- /dev/null +++ b/queue-6.12/mptcp-fix-proto-fallback-detection-with-bpf.patch 
@@ -0,0 +1,92 @@ +From c77b3b79a92e3345aa1ee296180d1af4e7031f8f Mon Sep 17 00:00:00 2001 +From: Jiayuan Chen +Date: Tue, 11 Nov 2025 14:02:51 +0800 +Subject: mptcp: Fix proto fallback detection with BPF + +From: Jiayuan Chen + +commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f upstream. + +The sockmap feature allows bpf syscall from userspace, or based +on bpf sockops, replacing the sk_prot of sockets during protocol stack +processing with sockmap's custom read/write interfaces. +''' +tcp_rcv_state_process() + syn_recv_sock()/subflow_syn_recv_sock() + tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) + bpf_skops_established <== sockops + bpf_sock_map_update(sk) <== call bpf helper + tcp_bpf_update_proto() <== update sk_prot +''' + +When the server has MPTCP enabled but the client sends a TCP SYN +without MPTCP, subflow_syn_recv_sock() performs a fallback on the +subflow, replacing the subflow sk's sk_prot with the native sk_prot. +''' +subflow_syn_recv_sock() + subflow_ulp_fallback() + subflow_drop_ctx() + mptcp_subflow_ops_undo_override() +''' + +Then, this subflow can be normally used by sockmap, which replaces the +native sk_prot with sockmap's custom sk_prot. The issue occurs when the +user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). +Here, it uses sk->sk_prot to compare with the native sk_prot, but this +is incorrect when sockmap is used, as we may incorrectly set +sk->sk_socket->ops. + +This fix uses the more generic sk_family for the comparison instead. + +Additionally, this also prevents a WARNING from occurring: + +result from ./scripts/decode_stacktrace.sh: +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ +(net/mptcp/protocol.c:4005) +Modules linked in: +... 
+ +PKRU: 55555554 +Call Trace: + +do_accept (net/socket.c:1989) +__sys_accept4 (net/socket.c:2028 net/socket.c:2057) +__x64_sys_accept (net/socket.c:2067) +x64_sys_call (arch/x86/entry/syscall_64.c:41) +do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +RIP: 0033:0x7f87ac92b83d + +---[ end trace 0000000000000000 ]--- + +Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash") +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: Jakub Sitnicki +Reviewed-by: Matthieu Baerts (NGI0) +Cc: +Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -57,11 +57,13 @@ static u64 mptcp_wnd_end(const struct mp + + static const struct proto_ops *mptcp_fallback_tcp_ops(const struct sock *sk) + { ++ unsigned short family = READ_ONCE(sk->sk_family); ++ + #if IS_ENABLED(CONFIG_MPTCP_IPV6) +- if (sk->sk_prot == &tcpv6_prot) ++ if (family == AF_INET6) + return &inet6_stream_ops; + #endif +- WARN_ON_ONCE(sk->sk_prot != &tcp_prot); ++ WARN_ON_ONCE(family != AF_INET); + return &inet_stream_ops; + } + diff --git a/queue-6.12/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch b/queue-6.12/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch new file mode 100644 index 0000000000..bf6a7245c4 --- /dev/null +++ b/queue-6.12/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch 
@@ -0,0 +1,43 @@ +From 5c56bf214af85ca042bf97f8584aab2151035840 Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Thu, 23 Oct 2025 11:32:01 +0800 +Subject: mtd: rawnand: cadence: fix DMA device NULL pointer dereference + +From: Niravkumar L Rabara + +commit 5c56bf214af85ca042bf97f8584aab2151035840 upstream. + +The DMA device pointer `dma_dev` was being dereferenced before ensuring +that `cdns_ctrl->dmac` is properly initialized. + +Move the assignment of `dma_dev` after successfully acquiring the DMA +channel to ensure the pointer is valid before use. + +Fixes: d76d22b5096c ("mtd: rawnand: cadence: use dma_map_resource for sdma address") +Cc: stable@vger.kernel.org +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -2871,7 +2871,7 @@ cadence_nand_irq_cleanup(int irqnum, str + static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl) + { + dma_cap_mask_t mask; +- struct dma_device *dma_dev = cdns_ctrl->dmac->device; ++ struct dma_device *dma_dev; + int ret; + + cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev, +@@ -2915,6 +2915,7 @@ static int cadence_nand_init(struct cdns + } + } + ++ dma_dev = cdns_ctrl->dmac->device; + cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma, + cdns_ctrl->io.size, + DMA_BIDIRECTIONAL, 0); diff --git a/queue-6.12/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch b/queue-6.12/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch new file mode 100644 index 0000000000..8eafc3a6df --- /dev/null +++ b/queue-6.12/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch 
@@ -0,0 +1,62 @@ +From e4185bed738da755b191aa3f2e16e8b48450e1b8 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 30 Sep 2025 15:32:34 +0300 +Subject: mtdchar: fix integer overflow in read/write ioctls + +From: Dan Carpenter + +commit e4185bed738da755b191aa3f2e16e8b48450e1b8 upstream. + +The "req.start" and "req.len" variables are u64 values that come from the +user at the start of the function. We mask away the high 32 bits of +"req.len" so that's capped at U32_MAX but the "req.start" variable can go +up to U64_MAX which means that the addition can still integer overflow. + +Use check_add_overflow() to fix this bug. + +Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl") +Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/mtdchar.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -599,6 +599,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd + uint8_t *datbuf = NULL, *oobbuf = NULL; + size_t datbuf_len, oobbuf_len; + int ret = 0; ++ u64 end; + + if (copy_from_user(&req, argp, sizeof(req))) + return -EFAULT; +@@ -618,7 +619,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd + req.len &= 0xffffffff; + req.ooblen &= 0xffffffff; + +- if (req.start + req.len > mtd->size) ++ if (check_add_overflow(req.start, req.len, &end) || end > mtd->size) + return -EINVAL; + + datbuf_len = min_t(size_t, req.len, mtd->erasesize); +@@ -698,6 +699,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd, + size_t datbuf_len, oobbuf_len; + size_t orig_len, orig_ooblen; + int ret = 0; ++ u64 end; + + if (copy_from_user(&req, argp, sizeof(req))) + return -EFAULT; +@@ -724,7 +726,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd, + req.len &= 0xffffffff; + req.ooblen &= 0xffffffff; + +- if (req.start + req.len > mtd->size) { ++ if (check_add_overflow(req.start, 
req.len, &end) || end > mtd->size) { + ret = -EINVAL; + goto out; + } diff --git a/queue-6.12/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch b/queue-6.12/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch new file mode 100644 index 0000000000..b09e1b183f --- /dev/null +++ b/queue-6.12/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch 
@@ -0,0 +1,48 @@ +From 3ceb6ac2116ecda1c5d779bb73271479e70fccb4 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Fri, 14 Nov 2025 10:09:51 +0100 +Subject: net: dsa: microchip: lan937x: Fix RGMII delay tuning + +From: Oleksij Rempel + +commit 3ceb6ac2116ecda1c5d779bb73271479e70fccb4 upstream. + +Correct RGMII delay application logic in lan937x_set_tune_adj(). + +The function was missing `data16 &= ~PORT_TUNE_ADJ` before setting the +new delay value. This caused the new value to be bitwise-OR'd with the +existing PORT_TUNE_ADJ field instead of replacing it. + +For example, when setting the RGMII 2 TX delay on port 4, the +intended TUNE_ADJUST value of 0 (RGMII_2_TX_DELAY_2NS) was +incorrectly OR'd with the default 0x1B (from register value 0xDA3), +leaving the delay at the wrong setting. + +This patch adds the missing mask to clear the field, ensuring the +correct delay value is written. Physical measurements on the RGMII TX +lines confirm the fix, showing the delay changing from ~1ns (before +change) to ~2ns. + +While testing on i.MX 8MP showed this was within the platform's timing +tolerance, it did not match the intended hardware-characterized value. + +Fixes: b19ac41faa3f ("net: dsa: microchip: apply rgmii tx and rx delay in phylink mac config") +Cc: stable@vger.kernel.org +Signed-off-by: Oleksij Rempel +Link: https://patch.msgid.link/20251114090951.4057261-1-o.rempel@pengutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/lan937x_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/dsa/microchip/lan937x_main.c ++++ b/drivers/net/dsa/microchip/lan937x_main.c +@@ -339,6 +339,7 @@ static void lan937x_set_tune_adj(struct + ksz_pread16(dev, port, reg, &data16); + + /* Update tune Adjust */ ++ data16 &= ~PORT_TUNE_ADJ; + data16 |= FIELD_PREP(PORT_TUNE_ADJ, val); + ksz_pwrite16(dev, port, reg, data16); + 
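Review bot: In the lan937x_set_tune_adj() hunk, the value returned by ksz_pread16() is not checked before data16 is masked and written back, so if that read can fail, the new `data16 &= ~PORT_TUNE_ADJ;` operates on whatever data16 held and ksz_pwrite16() pushes it to the register. Consider bailing out on a read error. A short comment on the added line would also help: FIELD_PREP() only shifts and masks the new value, which is why the old field has to be cleared first (the commit message explains this, the code does not).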
diff --git a/queue-6.12/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch b/queue-6.12/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch new file mode 100644 index 0000000000..ccc6128cc1 --- /dev/null +++ b/queue-6.12/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch 
@@ -0,0 +1,56 @@ +From 660b299bed2a2a55a1f9102d029549d0235f881c Mon Sep 17 00:00:00 2001 +From: Diogo Ivo +Date: Mon, 3 Nov 2025 14:14:15 +0000 +Subject: Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" + +From: Diogo Ivo + +commit 660b299bed2a2a55a1f9102d029549d0235f881c upstream. + +Commit b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a +known state") was introduced so that all power domains get initialized +to a known working state when booting and it does this by shutting them +down (including asserting resets and disabling clocks) before registering +each power domain with the genpd framework, leaving it to each driver to +later on power its needed domains. + +This caused the Google Pixel C to hang when booting due to a workaround +in the DSI driver introduced in commit b22fd0b9639e ("drm/tegra: dsi: +Clear enable register if powered by bootloader") meant to handle the case +where the bootloader enabled the DSI hardware module. The workaround relies +on reading a hardware register to determine the current status and after +b6bcbce33596 that now happens in a powered down state thus leading to +the boot hang. + +Fix this by reverting b22fd0b9639e since currently we are guaranteed +that the hardware will be fully reset by the time we start enabling the +DSI module. 
+ +Fixes: b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") +Cc: stable@vger.kernel.org +Signed-off-by: Diogo Ivo +Signed-off-by: Thierry Reding +Link: https://patch.msgid.link/20251103-diogo-smaug_ec_typec-v1-1-be656ccda391@tecnico.ulisboa.pt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/tegra/dsi.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -913,15 +913,6 @@ static void tegra_dsi_encoder_enable(str + u32 value; + int err; + +- /* If the bootloader enabled DSI it needs to be disabled +- * in order for the panel initialization commands to be +- * properly sent. +- */ +- value = tegra_dsi_readl(dsi, DSI_POWER_CONTROL); +- +- if (value & DSI_POWER_CONTROL_ENABLE) +- tegra_dsi_disable(dsi); +- + err = tegra_dsi_prepare(dsi); + if (err < 0) { + dev_err(dsi->dev, "failed to prepare: %d\n", err); diff --git a/queue-6.12/series b/queue-6.12/series index 361fd0455c..91390ca831 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -1 +1,22 @@ kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch +timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch +hid-amd_sfh-stop-sensor-before-starting.patch +hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch +arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch +arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch +arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch +arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch +mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch +mtdchar-fix-integer-overflow-in-read-write-ioctls.patch +isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch +shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch +exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch +mptcp-disallow-mptcp-subflows-from-sockmap.patch +mptcp-fix-proto-fallback-detection-with-bpf.patch +ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch +mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch +smb-client-introduce-close_cached_dir_locked.patch +ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch +be2net-pass-wrb_params-in-case-of-os2bmc.patch +net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch +revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch diff --git a/queue-6.12/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch b/queue-6.12/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch new file mode 100644 index 0000000000..edea45d23e --- /dev/null +++ b/queue-6.12/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch 
@@ -0,0 +1,85 @@ +From 3cd1548a278c7d6a9bdef1f1866e7cf66bfd3518 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 8 Nov 2025 19:09:47 +0000 +Subject: shmem: fix tmpfs reconfiguration (remount) when noswap is set + +From: Mike Yuan + +commit 3cd1548a278c7d6a9bdef1f1866e7cf66bfd3518 upstream. + +In systemd we're trying to switch the internal credentials setup logic +to new mount API [1], and I noticed fsconfig(FSCONFIG_CMD_RECONFIGURE) +consistently fails on tmpfs with noswap option. This can be trivially +reproduced with the following: + +``` +int fs_fd = fsopen("tmpfs", 0); +fsconfig(fs_fd, FSCONFIG_SET_FLAG, "noswap", NULL, 0); +fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0); +fsmount(fs_fd, 0, 0); +fsconfig(fs_fd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0); <------ EINVAL +``` + +After some digging the culprit is shmem_reconfigure() rejecting +!(ctx->seen & SHMEM_SEEN_NOSWAP) && sbinfo->noswap, which is bogus +as ctx->seen serves as a mask for whether certain options are touched +at all. On top of that, noswap option doesn't use fsparam_flag_no, +hence it's not really possible to "reenable" swap to begin with. +Drop the check and redundant SHMEM_SEEN_NOSWAP flag. 
+ +[1] https://github.com/systemd/systemd/pull/39637 + +Fixes: 2c6efe9cf2d7 ("shmem: add support to ignore swap") +Signed-off-by: Mike Yuan +Link: https://patch.msgid.link/20251108190930.440685-1-me@yhndnzj.com +Cc: Luis Chamberlain +Cc: Christian Brauner +Cc: Hugh Dickins +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + mm/shmem.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -127,8 +127,7 @@ struct shmem_options { + #define SHMEM_SEEN_INODES 2 + #define SHMEM_SEEN_HUGE 4 + #define SHMEM_SEEN_INUMS 8 +-#define SHMEM_SEEN_NOSWAP 16 +-#define SHMEM_SEEN_QUOTA 32 ++#define SHMEM_SEEN_QUOTA 16 + }; + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +@@ -4330,7 +4329,6 @@ static int shmem_parse_one(struct fs_con + "Turning off swap in unprivileged tmpfs mounts unsupported"); + } + ctx->noswap = true; +- ctx->seen |= SHMEM_SEEN_NOSWAP; + break; + case Opt_quota: + if (fc->user_ns != &init_user_ns) +@@ -4480,14 +4478,15 @@ static int shmem_reconfigure(struct fs_c + err = "Current inum too high to switch to 32-bit inums"; + goto out; + } +- if ((ctx->seen & SHMEM_SEEN_NOSWAP) && ctx->noswap && !sbinfo->noswap) { ++ ++ /* ++ * "noswap" doesn't use fsparam_flag_no, i.e. there's no "swap" ++ * counterpart for (re-)enabling swap. ++ */ ++ if (ctx->noswap && !sbinfo->noswap) { + err = "Cannot disable swap on remount"; + goto out; + } +- if (!(ctx->seen & SHMEM_SEEN_NOSWAP) && !ctx->noswap && sbinfo->noswap) { +- err = "Cannot enable swap on remount if it was disabled on first mount"; +- goto out; +- } + + if (ctx->seen & SHMEM_SEEN_QUOTA && + !sb_any_quota_loaded(fc->root->d_sb)) { diff --git a/queue-6.12/smb-client-introduce-close_cached_dir_locked.patch b/queue-6.12/smb-client-introduce-close_cached_dir_locked.patch new file mode 100644 index 0000000000..d66b1b0292 --- /dev/null +++ b/queue-6.12/smb-client-introduce-close_cached_dir_locked.patch 
@@ -0,0 +1,100 @@ +From a9d1f38df7ecd0e21233447c9cc6fa1799eddaf3 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Thu, 13 Nov 2025 15:09:13 -0300 +Subject: smb: client: introduce close_cached_dir_locked() + +From: Henrique Carvalho + +commit a9d1f38df7ecd0e21233447c9cc6fa1799eddaf3 upstream. + +Replace close_cached_dir() calls under cfid_list_lock with a new +close_cached_dir_locked() variant that uses kref_put() instead of +kref_put_lock() to avoid recursive locking when dropping references. + +While the existing code works if the refcount >= 2 invariant holds, +this area has proven error-prone. Make deadlocks impossible and WARN +on invariant violations. + +Cc: stable@vger.kernel.org +Reviewed-by: David Howells +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cached_dir.c | 41 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 38 insertions(+), 3 deletions(-) + +--- a/fs/smb/client/cached_dir.c ++++ b/fs/smb/client/cached_dir.c +@@ -16,6 +16,7 @@ static struct cached_fid *init_cached_di + static void free_cached_dir(struct cached_fid *cfid); + static void smb2_close_cached_fid(struct kref *ref); + static void cfids_laundromat_worker(struct work_struct *work); ++static void close_cached_dir_locked(struct cached_fid *cfid); + + struct cached_dir_dentry { + struct list_head entry; +@@ -362,7 +363,7 @@ out: + * lease. Release one here, and the second below. 
+ */ + cfid->has_lease = false; +- close_cached_dir(cfid); ++ close_cached_dir_locked(cfid); + } + spin_unlock(&cfids->cfid_list_lock); + +@@ -448,18 +449,52 @@ void drop_cached_dir_by_name(const unsig + spin_lock(&cfid->cfids->cfid_list_lock); + if (cfid->has_lease) { + cfid->has_lease = false; +- close_cached_dir(cfid); ++ close_cached_dir_locked(cfid); + } + spin_unlock(&cfid->cfids->cfid_list_lock); + close_cached_dir(cfid); + } + +- ++/** ++ * close_cached_dir - drop a reference of a cached dir ++ * ++ * The release function will be called with cfid_list_lock held to remove the ++ * cached dirs from the list before any other thread can take another @cfid ++ * ref. Must not be called with cfid_list_lock held; use ++ * close_cached_dir_locked() called instead. ++ * ++ * @cfid: cached dir ++ */ + void close_cached_dir(struct cached_fid *cfid) + { ++ lockdep_assert_not_held(&cfid->cfids->cfid_list_lock); + kref_put_lock(&cfid->refcount, smb2_close_cached_fid, &cfid->cfids->cfid_list_lock); + } + ++/** ++ * close_cached_dir_locked - put a reference of a cached dir with ++ * cfid_list_lock held ++ * ++ * Calling close_cached_dir() with cfid_list_lock held has the potential effect ++ * of causing a deadlock if the invariant of refcount >= 2 is false. ++ * ++ * This function is used in paths that hold cfid_list_lock and expect at least ++ * two references. If that invariant is violated, WARNs and returns without ++ * dropping a reference; the final put must still go through ++ * close_cached_dir(). ++ * ++ * @cfid: cached dir ++ */ ++static void close_cached_dir_locked(struct cached_fid *cfid) ++{ ++ lockdep_assert_held(&cfid->cfids->cfid_list_lock); ++ ++ if (WARN_ON(kref_read(&cfid->refcount) < 2)) ++ return; ++ ++ kref_put(&cfid->refcount, smb2_close_cached_fid); ++} ++ + /* + * Called from cifs_kill_sb when we unmount a share + */ 
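Review bot: In close_cached_dir_locked(), the WARN_ON(kref_read(&cfid->refcount) < 2) path returns without dropping a reference, but both callers visible in this diff have already set `cfid->has_lease = false;` before calling it. If the invariant is ever violated, the lease reference is therefore no longer tracked by has_lease and nothing in these hunks drops it later, so the cfid leaks; the kernel-doc says the final put must go through close_cached_dir(), and it would help to state which caller is expected to do that. Separately, the close_cached_dir() kernel-doc reads "use close_cached_dir_locked() called instead", where the word "called" should be removed.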
diff --git a/queue-6.12/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch b/queue-6.12/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch new file mode 100644 index 0000000000..c06ae40843 --- /dev/null +++ b/queue-6.12/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch 
@@ -0,0 +1,88 @@ +From 20739af07383e6eb1ec59dcd70b72ebfa9ac362c Mon Sep 17 00:00:00 2001 +From: Yipeng Zou +Date: Sat, 22 Nov 2025 09:39:42 +0000 +Subject: timers: Fix NULL function pointer race in timer_shutdown_sync() + +From: Yipeng Zou + +commit 20739af07383e6eb1ec59dcd70b72ebfa9ac362c upstream. + +There is a race condition between timer_shutdown_sync() and timer +expiration that can lead to hitting a WARN_ON in expire_timers(). + +The issue occurs when timer_shutdown_sync() clears the timer function +to NULL while the timer is still running on another CPU. The race +scenario looks like this: + +CPU0 CPU1 + + lock_timer_base() + expire_timers() + base->running_timer = timer; + unlock_timer_base() + [call_timer_fn enter] + mod_timer() + ... +timer_shutdown_sync() +lock_timer_base() +// For now, will not detach the timer but only clear its function to NULL +if (base->running_timer != timer) + ret = detach_if_pending(timer, base, true); +if (shutdown) + timer->function = NULL; +unlock_timer_base() + [call_timer_fn exit] + lock_timer_base() + base->running_timer = NULL; + unlock_timer_base() + ... + // Now timer is pending while its function set to NULL. + // next timer trigger + + expire_timers() + WARN_ON_ONCE(!fn) // hit + ... +lock_timer_base() +// Now timer will detach +if (base->running_timer != timer) + ret = detach_if_pending(timer, base, true); +if (shutdown) + timer->function = NULL; +unlock_timer_base() + +The problem is that timer_shutdown_sync() clears the timer function +regardless of whether the timer is currently running. This can leave a +pending timer with a NULL function pointer, which triggers the +WARN_ON_ONCE(!fn) check in expire_timers(). + +Fix this by only clearing the timer function when actually detaching the +timer. If the timer is running, leave the function pointer intact, which is +safe because the timer will be properly detached when it finishes running. 
+ +Fixes: 0cc04e80458a ("timers: Add shutdown mechanism to the internal functions") +Signed-off-by: Yipeng Zou +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251122093942.301559-1-zouyipeng@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/timer.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1505,10 +1505,11 @@ static int __try_to_del_timer_sync(struc + + base = lock_timer_base(timer, &flags); + +- if (base->running_timer != timer) ++ if (base->running_timer != timer) { + ret = detach_if_pending(timer, base, true); +- if (shutdown) +- timer->function = NULL; ++ if (shutdown) ++ timer->function = NULL; ++ } + + raw_spin_unlock_irqrestore(&base->lock, flags); +
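Review bot: In the __try_to_del_timer_sync() hunk, the reason `timer->function = NULL;` now sits inside the `base->running_timer != timer` branch exists only in the commit message. A comment at that branch saying that a running timer keeps its function pointer because its callback may re-arm it, and that it is cleared once the timer is no longer running and gets detached, would keep a later cleanup from hoisting the assignment back out and reintroducing the pending-timer-with-NULL-function state.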
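Review bot: In the drivers/mtd/nand/raw/cadence-nand-controller.c hunk at @@ -2915, the new `dma_dev = cdns_ctrl->dmac->device;` follows two closing braces, which suggests the DMA channel request above it sits inside a conditional block. If any path skips that block, cdns_ctrl->dmac is still dereferenced unconditionally here and the NULL dereference the patch is meant to fix remains reachable on that path. Either guard the assignment and the dma_map_resource() call with the same condition, or add a comment stating why dmac is always valid at this point.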
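Review bot: In the net/mptcp/protocol.c hunk, mptcp_fallback_tcp_ops() now selects the proto_ops from sk_family alone, so `WARN_ON_ONCE(family != AF_INET)` no longer asserts that the socket is a TCP socket, which the old sk_prot comparison did implicitly. That is the right trade given that sockmap can replace sk_prot, but a one-line comment saying so (sk_prot may have been overridden by sockmap, hence the family test) would stop someone from "restoring" the stricter check. Also note that with CONFIG_MPTCP_IPV6 disabled an AF_INET6 socket falls through to the WARN and gets inet_stream_ops, as before.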
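Review bot: In the drivers/mtd/mtdchar.c hunks, mtdchar_write_ioctl() and mtdchar_read_ioctl() each carry their own copy of `check_add_overflow(req.start, req.len, &end) || end > mtd->size`, and `end` is declared in both only for that test. Since req.start and req.len come straight from userspace, a small shared helper that takes the mtd, start and len and returns whether the range is valid would keep the two bounds checks from drifting apart and removes the extra local in each function.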