From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 12:05:10 +0000 (+0200) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05c7ac2205633acefba6029c527b59bae9127806;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-ec-evaluate-_reg-outside-the-ec-scope-more-carefully.patch acpica-add-a-depth-argument-to-acpi_execute_reg_methods.patch drm-scheduler-signal-scheduled-fence-when-kill-job.patch net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch netfilter-nft_set_pipapo-do-not-rely-on-zero_size_ptr.patch revert-acpi-ec-evaluate-orphan-_reg-under-ec-device.patch revert-mptcp-add-needs_id-for-netlink-appending-addr.patch rfkill-sync-before-userspace-visibility-changes.patch rfkill-use-sysfs_emit-to-instead-of-sprintf.patch seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch usb-gadget-f_hid-move-list-and-spinlock-inits-from-bind-to-alloc.patch usb-gadget-u_ether-fix-race-between-gether_disconnect-and-eth_stop.patch --- diff --git a/queue-6.1/acpi-ec-evaluate-_reg-outside-the-ec-scope-more-carefully.patch b/queue-6.1/acpi-ec-evaluate-_reg-outside-the-ec-scope-more-carefully.patch new file mode 100644 index 0000000000..9b9facacc9 --- /dev/null +++ b/queue-6.1/acpi-ec-evaluate-_reg-outside-the-ec-scope-more-carefully.patch @@ -0,0 +1,107 @@ +From stable+bounces-235776-greg=kroah.com@vger.kernel.org Sun Apr 12 03:02:44 2026 +From: Sasha Levin +Date: Sat, 11 Apr 2026 21:02:30 -0400 +Subject: ACPI: EC: Evaluate _REG outside the EC scope more carefully +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Hans de Goede , Sasha Levin +Message-ID: <20260412010230.1904734-3-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit 71bf41b8e913ec9fc91f0d39ab8fb320229ec604 ] + +Commit 60fa6ae6e6d0 ("ACPI: EC: Install address space handler at the +namespace root") caused _REG methods for EC operation regions outside +the EC device scope to be evaluated which on some systems leads to the +evaluation of _REG methods in the scopes of device objects representing +devices that are not present and not functional according to the _STA +return values. Some of those device objects represent EC "alternatives" +and if _REG is evaluated for their operation regions, the platform +firmware may be confused and the platform may start to behave +incorrectly. + +To avoid this problem, only evaluate _REG for EC operation regions +located in the scopes of device objects representing known-to-be-present +devices. + +For this purpose, partially revert commit 60fa6ae6e6d0 and trigger the +evaluation of _REG for EC operation regions from acpi_bus_attach() for +the known-valid devices. + +Fixes: 60fa6ae6e6d0 ("ACPI: EC: Install address space handler at the namespace root") +Link: https://lore.kernel.org/linux-acpi/1f76b7e2-1928-4598-8037-28a1785c2d13@redhat.com +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2298938 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2302253 +Reported-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Cc: All applicable +Link: https://patch.msgid.link/23612351.6Emhk5qWAg@rjwysocki.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/ec.c | 11 +++++++++-- + drivers/acpi/internal.h | 1 + + drivers/acpi/scan.c | 2 ++ + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1512,12 +1512,13 @@ static bool install_gpio_irq_event_handl + static int ec_install_handlers(struct acpi_ec *ec, struct acpi_device *device, + bool call_reg) + { +- acpi_handle scope_handle = ec == first_ec ? ACPI_ROOT_OBJECT : ec->handle; + acpi_status status; + + acpi_ec_start(ec, false); + + if (!test_bit(EC_FLAGS_EC_HANDLER_INSTALLED, &ec->flags)) { ++ acpi_handle scope_handle = ec == first_ec ? ACPI_ROOT_OBJECT : ec->handle; ++ + acpi_ec_enter_noirq(ec); + status = acpi_install_address_space_handler_no_reg(scope_handle, + ACPI_ADR_SPACE_EC, +@@ -1531,7 +1532,7 @@ static int ec_install_handlers(struct ac + } + + if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) { +- acpi_execute_reg_methods(scope_handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC); ++ acpi_execute_reg_methods(ec->handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC); + set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags); + } + +@@ -1749,6 +1750,12 @@ static int acpi_ec_remove(struct acpi_de + return 0; + } + ++void acpi_ec_register_opregions(struct acpi_device *adev) ++{ ++ if (first_ec && first_ec->handle != adev->handle) ++ acpi_execute_reg_methods(adev->handle, 1, ACPI_ADR_SPACE_EC); ++} ++ + static acpi_status + ec_parse_io_ports(struct acpi_resource *resource, void *context) + { +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -210,6 +210,7 @@ int acpi_ec_add_query_handler(struct acp + acpi_handle handle, acpi_ec_query_func func, + void *data); + void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit); ++void acpi_ec_register_opregions(struct acpi_device *adev); + + #ifdef CONFIG_PM_SLEEP + void acpi_ec_flush_work(void); +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -2198,6 +2198,8 @@ static int acpi_bus_attach(struct acpi_d + if (device->handler) + goto ok; + ++ acpi_ec_register_opregions(device); ++ + if (!device->flags.initialized) { + device->flags.power_manageable = + device->power.states[ACPI_STATE_D0].flags.valid; diff --git a/queue-6.1/acpica-add-a-depth-argument-to-acpi_execute_reg_methods.patch b/queue-6.1/acpica-add-a-depth-argument-to-acpi_execute_reg_methods.patch new file mode 100644 index 0000000000..ba64422705 --- /dev/null +++ b/queue-6.1/acpica-add-a-depth-argument-to-acpi_execute_reg_methods.patch @@ -0,0 +1,140 @@ +From stable+bounces-235775-greg=kroah.com@vger.kernel.org Sun Apr 12 03:02:38 2026 +From: Sasha Levin +Date: Sat, 11 Apr 2026 21:02:29 -0400 +Subject: ACPICA: Add a depth argument to acpi_execute_reg_methods() +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Hans de Goede , Sasha Levin +Message-ID: <20260412010230.1904734-2-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit cdf65d73e001fde600b18d7e45afadf559425ce5 ] + +A subsequent change will need to pass a depth argument to +acpi_execute_reg_methods(), so prepare that function for it. + +No intentional functional changes. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Cc: All applicable +Link: https://patch.msgid.link/8451567.NyiUUSuA9g@rjwysocki.net +Stable-dep-of: 71bf41b8e913 ("ACPI: EC: Evaluate _REG outside the EC scope more carefully") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/acevents.h | 2 +- + drivers/acpi/acpica/evregion.c | 6 ++++-- + drivers/acpi/acpica/evxfregn.c | 10 +++++++--- + drivers/acpi/ec.c | 2 +- + include/acpi/acpixf.h | 1 + + 5 files changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/acpi/acpica/acevents.h ++++ b/drivers/acpi/acpica/acevents.h +@@ -188,7 +188,7 @@ acpi_ev_detach_region(union acpi_operand + u8 acpi_ns_is_locked); + + void +-acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, ++acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, u32 max_depth, + acpi_adr_space_type space_id, u32 function); + + acpi_status +--- a/drivers/acpi/acpica/evregion.c ++++ b/drivers/acpi/acpica/evregion.c +@@ -65,6 +65,7 @@ acpi_status acpi_ev_initialize_op_region + acpi_gbl_default_address_spaces + [i])) { + acpi_ev_execute_reg_methods(acpi_gbl_root_node, ++ ACPI_UINT32_MAX, + acpi_gbl_default_address_spaces + [i], ACPI_REG_CONNECT); + } +@@ -665,6 +666,7 @@ cleanup1: + * FUNCTION: acpi_ev_execute_reg_methods + * + * PARAMETERS: node - Namespace node for the device ++ * max_depth - Depth to which search for _REG + * space_id - The address space ID + * function - Passed to _REG: On (1) or Off (0) + * +@@ -676,7 +678,7 @@ cleanup1: + ******************************************************************************/ + + void +-acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, ++acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, u32 max_depth, + acpi_adr_space_type space_id, u32 function) + { + struct acpi_reg_walk_info info; +@@ -710,7 +712,7 @@ acpi_ev_execute_reg_methods(struct acpi_ + * regions and _REG methods. (i.e. handlers must be installed for all + * regions of this Space ID before we can run any _REG methods) + */ +- (void)acpi_ns_walk_namespace(ACPI_TYPE_ANY, node, ACPI_UINT32_MAX, ++ (void)acpi_ns_walk_namespace(ACPI_TYPE_ANY, node, max_depth, + ACPI_NS_WALK_UNLOCK, acpi_ev_reg_run, NULL, + &info, NULL); + +--- a/drivers/acpi/acpica/evxfregn.c ++++ b/drivers/acpi/acpica/evxfregn.c +@@ -85,7 +85,8 @@ acpi_install_address_space_handler_inter + /* Run all _REG methods for this address space */ + + if (run_reg) { +- acpi_ev_execute_reg_methods(node, space_id, ACPI_REG_CONNECT); ++ acpi_ev_execute_reg_methods(node, ACPI_UINT32_MAX, space_id, ++ ACPI_REG_CONNECT); + } + + unlock_and_exit: +@@ -261,6 +262,7 @@ ACPI_EXPORT_SYMBOL(acpi_remove_address_s + * FUNCTION: acpi_execute_reg_methods + * + * PARAMETERS: device - Handle for the device ++ * max_depth - Depth to which search for _REG + * space_id - The address space ID + * + * RETURN: Status +@@ -269,7 +271,8 @@ ACPI_EXPORT_SYMBOL(acpi_remove_address_s + * + ******************************************************************************/ + acpi_status +-acpi_execute_reg_methods(acpi_handle device, acpi_adr_space_type space_id) ++acpi_execute_reg_methods(acpi_handle device, u32 max_depth, ++ acpi_adr_space_type space_id) + { + struct acpi_namespace_node *node; + acpi_status status; +@@ -294,7 +297,8 @@ acpi_execute_reg_methods(acpi_handle dev + + /* Run all _REG methods for this address space */ + +- acpi_ev_execute_reg_methods(node, space_id, ACPI_REG_CONNECT); ++ acpi_ev_execute_reg_methods(node, max_depth, space_id, ++ ACPI_REG_CONNECT); + } else { + status = AE_BAD_PARAMETER; + } +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1531,7 +1531,7 @@ static int ec_install_handlers(struct ac + } + + if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) { +- acpi_execute_reg_methods(scope_handle, ACPI_ADR_SPACE_EC); ++ acpi_execute_reg_methods(scope_handle, ACPI_UINT32_MAX, ACPI_ADR_SPACE_EC); + set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags); + } + +--- a/include/acpi/acpixf.h ++++ b/include/acpi/acpixf.h +@@ -666,6 +666,7 @@ ACPI_EXTERNAL_RETURN_STATUS(acpi_status + void *context)) + ACPI_EXTERNAL_RETURN_STATUS(acpi_status + acpi_execute_reg_methods(acpi_handle device, ++ u32 nax_depth, + acpi_adr_space_type + space_id)) + ACPI_EXTERNAL_RETURN_STATUS(acpi_status diff --git a/queue-6.1/drm-scheduler-signal-scheduled-fence-when-kill-job.patch b/queue-6.1/drm-scheduler-signal-scheduled-fence-when-kill-job.patch new file mode 100644 index 0000000000..404a5ca992 --- /dev/null +++ b/queue-6.1/drm-scheduler-signal-scheduled-fence-when-kill-job.patch @@ -0,0 +1,46 @@ +From 471db2c2d4f80ee94225a1ef246e4f5011733e50 Mon Sep 17 00:00:00 2001 +From: "Lin.Cao" +Date: Thu, 15 May 2025 10:07:13 +0800 +Subject: drm/scheduler: signal scheduled fence when kill job +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lin.Cao + +commit 471db2c2d4f80ee94225a1ef246e4f5011733e50 upstream. + +When an entity from application B is killed, drm_sched_entity_kill() +removes all jobs belonging to that entity through +drm_sched_entity_kill_jobs_work(). If application A's job depends on a +scheduled fence from application B's job, and that fence is not properly +signaled during the killing process, application A's dependency cannot be +cleared. + +This leads to application A hanging indefinitely while waiting for a +dependency that will never be resolved. Fix this issue by ensuring that +scheduled fences are properly signaled when an entity is killed, allowing +dependent applications to continue execution. + +Signed-off-by: Lin.Cao +Reviewed-by: Philipp Stanner +Signed-off-by: Christian König +Link: https://lore.kernel.org/r/20250515020713.1110476-1-lincao12@amd.com +[ Modified drm_sched_fence_scheduled(job->s_fence, NULL) to + drm_sched_fence_scheduled(job->s_fence) for kernel 6.1.y ] +Signed-off-by: Leon Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -196,6 +196,7 @@ static void drm_sched_entity_kill_jobs_w + { + struct drm_sched_job *job = container_of(wrk, typeof(*job), work); + ++ drm_sched_fence_scheduled(job->s_fence); + drm_sched_fence_finished(job->s_fence); + WARN_ON(job->s_fence->parent); + job->sched->ops->free_job(job); diff --git a/queue-6.1/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch b/queue-6.1/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch new file mode 100644 index 0000000000..e96b1d9895 --- /dev/null +++ b/queue-6.1/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch @@ -0,0 +1,118 @@ +From stable+bounces-235818-greg=kroah.com@vger.kernel.org Sun Apr 12 14:55:48 2026 +From: Sasha Levin +Date: Sun, 12 Apr 2026 08:55:17 -0400 +Subject: net: rfkill: prevent unlimited numbers of rfkill events from being created +To: stable@vger.kernel.org +Cc: Greg Kroah-Hartman , Johannes Berg , Yuan Tan , Yifan Wu , Juefei Pu , Xin Liu , stable , Johannes Berg , Sasha Levin +Message-ID: <20260412125517.2219007-4-sashal@kernel.org> + +From: Greg Kroah-Hartman + +[ Upstream commit ea245d78dec594372e27d8c79616baf49e98a4a1 ] + +Userspace can create an unlimited number of rfkill events if the system +is so configured, while not consuming them from the rfkill file +descriptor, causing a potential out of memory situation. Prevent this +from bounding the number of pending rfkill events at a "large" number +(i.e. 1000) to prevent abuses like this. + +Cc: Johannes Berg +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026033013-disfigure-scroll-e25e@gregkh +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rfkill/core.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -73,11 +73,14 @@ struct rfkill_int_event { + struct rfkill_event_ext ev; + }; + ++/* Max rfkill events that can be "in-flight" for one data source */ ++#define MAX_RFKILL_EVENT 1000 + struct rfkill_data { + struct list_head list; + struct list_head events; + struct mutex mtx; + wait_queue_head_t read_wait; ++ u32 event_count; + bool input_handler; + u8 max_size; + }; +@@ -255,10 +258,12 @@ static void rfkill_global_led_trigger_un + } + #endif /* CONFIG_RFKILL_LEDS */ + +-static void rfkill_fill_event(struct rfkill_event_ext *ev, +- struct rfkill *rfkill, +- enum rfkill_operation op) ++static int rfkill_fill_event(struct rfkill_int_event *int_ev, ++ struct rfkill *rfkill, ++ struct rfkill_data *data, ++ enum rfkill_operation op) + { ++ struct rfkill_event_ext *ev = &int_ev->ev; + unsigned long flags; + + ev->idx = rfkill->idx; +@@ -271,6 +276,15 @@ static void rfkill_fill_event(struct rfk + RFKILL_BLOCK_SW_PREV)); + ev->hard_block_reasons = rfkill->hard_block_reasons; + spin_unlock_irqrestore(&rfkill->lock, flags); ++ ++ scoped_guard(mutex, &data->mtx) { ++ if (data->event_count++ > MAX_RFKILL_EVENT) { ++ data->event_count--; ++ return -ENOSPC; ++ } ++ list_add_tail(&int_ev->list, &data->events); ++ } ++ return 0; + } + + static void rfkill_send_events(struct rfkill *rfkill, enum rfkill_operation op) +@@ -282,10 +296,10 @@ static void rfkill_send_events(struct rf + ev = kzalloc(sizeof(*ev), GFP_KERNEL); + if (!ev) + continue; +- rfkill_fill_event(&ev->ev, rfkill, op); +- mutex_lock(&data->mtx); +- list_add_tail(&ev->list, &data->events); +- mutex_unlock(&data->mtx); ++ if (rfkill_fill_event(ev, rfkill, data, op)) { ++ kfree(ev); ++ continue; ++ } + wake_up_interruptible(&data->read_wait); + } + } +@@ -1190,10 +1204,8 @@ static int rfkill_fop_open(struct inode + if (!ev) + goto free; + rfkill_sync(rfkill); +- rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD); +- mutex_lock(&data->mtx); +- list_add_tail(&ev->list, &data->events); +- mutex_unlock(&data->mtx); ++ if (rfkill_fill_event(ev, rfkill, data, RFKILL_OP_ADD)) ++ kfree(ev); + } + list_add(&data->list, &rfkill_fds); + mutex_unlock(&rfkill_global_mutex); +@@ -1263,6 +1275,7 @@ static ssize_t rfkill_fop_read(struct fi + ret = -EFAULT; + + list_del(&ev->list); ++ data->event_count--; + kfree(ev); + out: + mutex_unlock(&data->mtx); diff --git a/queue-6.1/net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch b/queue-6.1/net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch new file mode 100644 index 0000000000..934bee2652 --- /dev/null +++ b/queue-6.1/net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch @@ -0,0 +1,69 @@ +From stable+bounces-235817-greg=kroah.com@vger.kernel.org Sun Apr 12 14:55:40 2026 +From: Sasha Levin +Date: Sun, 12 Apr 2026 08:55:16 -0400 +Subject: net: rfkill: reduce data->mtx scope in rfkill_fop_open +To: stable@vger.kernel.org +Cc: Johannes Berg , syzbot+509238e523e032442b80@syzkaller.appspotmail.com, Sasha Levin +Message-ID: <20260412125517.2219007-3-sashal@kernel.org> + +From: Johannes Berg + +[ Upstream commit f2ac54ebf85615a6d78f5eb213a8bbeeb17ebe5d ] + +In syzbot runs, lockdep reports that there's a (potential) +deadlock here of data->mtx being locked recursively. This +isn't really a deadlock since they are different instances, +but lockdep cannot know, and teaching it would be far more +difficult than other fixes. + +At the same time we don't even really _need_ the mutex to +be locked in rfkill_fop_open(), since we're modifying only +a completely fresh instance of 'data' (struct rfkill_data) +that's not yet added to the global list. + +However, to avoid any reordering etc. within the globally +locked section, and to make the code look more symmetric, +we should still lock the data->events list manipulation, +but also need to lock _only_ that. So do that. + +Reported-by: syzbot+509238e523e032442b80@syzkaller.appspotmail.com +Fixes: 2c3dfba4cf84 ("rfkill: sync before userspace visibility/changes") +Signed-off-by: Johannes Berg +Stable-dep-of: ea245d78dec5 ("net: rfkill: prevent unlimited numbers of rfkill events from being created") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rfkill/core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -1180,7 +1180,6 @@ static int rfkill_fop_open(struct inode + init_waitqueue_head(&data->read_wait); + + mutex_lock(&rfkill_global_mutex); +- mutex_lock(&data->mtx); + /* + * start getting events from elsewhere but hold mtx to get + * startup events added first +@@ -1192,10 +1191,11 @@ static int rfkill_fop_open(struct inode + goto free; + rfkill_sync(rfkill); + rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD); ++ mutex_lock(&data->mtx); + list_add_tail(&ev->list, &data->events); ++ mutex_unlock(&data->mtx); + } + list_add(&data->list, &rfkill_fds); +- mutex_unlock(&data->mtx); + mutex_unlock(&rfkill_global_mutex); + + file->private_data = data; +@@ -1203,7 +1203,6 @@ static int rfkill_fop_open(struct inode + return stream_open(inode, file); + + free: +- mutex_unlock(&data->mtx); + mutex_unlock(&rfkill_global_mutex); + mutex_destroy(&data->mtx); + list_for_each_entry_safe(ev, tmp, &data->events, list) diff --git a/queue-6.1/netfilter-nft_set_pipapo-do-not-rely-on-zero_size_ptr.patch b/queue-6.1/netfilter-nft_set_pipapo-do-not-rely-on-zero_size_ptr.patch new file mode 100644 index 0000000000..fa2fd8885f --- /dev/null +++ b/queue-6.1/netfilter-nft_set_pipapo-do-not-rely-on-zero_size_ptr.patch @@ -0,0 +1,72 @@ +From keerthana.kalyanasundaram@broadcom.com Mon Apr 13 06:40:15 2026 +From: Keerthana K +Date: Mon, 13 Apr 2026 04:32:47 +0000 +Subject: netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Stefano Brivio , Mukul Sikka , Brennan Lamoreaux , Keerthana K +Message-ID: <20260413043247.3327855-1-keerthana.kalyanasundaram@broadcom.com> + +From: Florian Westphal + +commit 07ace0bbe03b3d8e85869af1dec5e4087b1d57b8 upstream + +pipapo relies on kmalloc(0) returning ZERO_SIZE_PTR (i.e., not NULL +but pointer is invalid). + +Rework this to not call slab allocator when we'd request a 0-byte +allocation. + +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Mukul Sikka +Signed-off-by: Brennan Lamoreaux +[Keerthana: In older stable branches (v6.6 and earlier), the allocation logic in +pipapo_clone() still relies on `src->rules` rather than `src->rules_alloc` +(introduced in v6.9 via 9f439bd6ef4f). Consequently, the previously +backported INT_MAX clamping check uses `src->rules`. This patch correctly +moves that `src->rules > (INT_MAX / ...)` check inside the new +`if (src->rules > 0)` block] +Signed-off-by: Keerthana K +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_set_pipapo.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -525,6 +525,8 @@ static struct nft_pipapo_elem *pipapo_ge + int i; + + m = priv->clone; ++ if (m->bsize_max == 0) ++ return ret; + + res_map = kmalloc_array(m->bsize_max, sizeof(*res_map), GFP_ATOMIC); + if (!res_map) { +@@ -1395,14 +1397,20 @@ static struct nft_pipapo_match *pipapo_c + src->bsize * sizeof(*dst->lt) * + src->groups * NFT_PIPAPO_BUCKETS(src->bb)); + +- if (src->rules > (INT_MAX / sizeof(*src->mt))) +- goto out_mt; ++ if (src->rules > 0) { ++ if (src->rules > (INT_MAX / sizeof(*src->mt))) ++ goto out_mt; ++ ++ dst->mt = kvmalloc_array(src->rules, sizeof(*src->mt), ++ GFP_KERNEL); ++ if (!dst->mt) ++ goto out_mt; + +- dst->mt = kvmalloc(src->rules * sizeof(*src->mt), GFP_KERNEL_ACCOUNT); +- if (!dst->mt) +- goto out_mt; ++ memcpy(dst->mt, src->mt, src->rules * sizeof(*src->mt)); ++ } else { ++ dst->mt = NULL; ++ } + +- memcpy(dst->mt, src->mt, src->rules * sizeof(*src->mt)); + src++; + dst++; + } diff --git a/queue-6.1/revert-acpi-ec-evaluate-orphan-_reg-under-ec-device.patch b/queue-6.1/revert-acpi-ec-evaluate-orphan-_reg-under-ec-device.patch new file mode 100644 index 0000000000..f056d18460 --- /dev/null +++ b/queue-6.1/revert-acpi-ec-evaluate-orphan-_reg-under-ec-device.patch @@ -0,0 +1,151 @@ +From stable+bounces-235774-greg=kroah.com@vger.kernel.org Sun Apr 12 03:02:36 2026 +From: Sasha Levin +Date: Sat, 11 Apr 2026 21:02:28 -0400 +Subject: Revert "ACPI: EC: Evaluate orphan _REG under EC device" +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Hans de Goede , Sasha Levin +Message-ID: <20260412010230.1904734-1-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit 779bac9994452f6a894524f70c00cfb0cd4b6364 ] + +This reverts commit 0e6b6dedf168 ("Revert "ACPI: EC: Evaluate orphan +_REG under EC device") because the problem addressed by it will be +addressed differently in what follows. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Cc: All applicable +Link: https://patch.msgid.link/3236716.5fSG56mABF@rjwysocki.net +Stable-dep-of: 71bf41b8e913 ("ACPI: EC: Evaluate _REG outside the EC scope more carefully") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/acevents.h | 4 --- + drivers/acpi/acpica/evregion.c | 6 +++- + drivers/acpi/acpica/evxfregn.c | 54 ----------------------------------------- + drivers/acpi/ec.c | 3 -- + include/acpi/acpixf.h | 4 --- + 5 files changed, 5 insertions(+), 66 deletions(-) + +--- a/drivers/acpi/acpica/acevents.h ++++ b/drivers/acpi/acpica/acevents.h +@@ -191,10 +191,6 @@ void + acpi_ev_execute_reg_methods(struct acpi_namespace_node *node, + acpi_adr_space_type space_id, u32 function); + +-void +-acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *node, +- acpi_adr_space_type space_id); +- + acpi_status + acpi_ev_execute_reg_method(union acpi_operand_object *region_obj, u32 function); + +--- a/drivers/acpi/acpica/evregion.c ++++ b/drivers/acpi/acpica/evregion.c +@@ -20,6 +20,10 @@ extern u8 acpi_gbl_default_address_space + + /* Local prototypes */ + ++static void ++acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *device_node, ++ acpi_adr_space_type space_id); ++ + static acpi_status + acpi_ev_reg_run(acpi_handle obj_handle, + u32 level, void *context, void **return_value); +@@ -807,7 +811,7 @@ acpi_ev_reg_run(acpi_handle obj_handle, + * + ******************************************************************************/ + +-void ++static void + acpi_ev_execute_orphan_reg_method(struct acpi_namespace_node *device_node, + acpi_adr_space_type space_id) + { +--- a/drivers/acpi/acpica/evxfregn.c ++++ b/drivers/acpi/acpica/evxfregn.c +@@ -304,57 +304,3 @@ acpi_execute_reg_methods(acpi_handle dev + } + + ACPI_EXPORT_SYMBOL(acpi_execute_reg_methods) +- +-/******************************************************************************* +- * +- * FUNCTION: acpi_execute_orphan_reg_method +- * +- * PARAMETERS: device - Handle for the device +- * space_id - The address space ID +- * +- * RETURN: Status +- * +- * DESCRIPTION: Execute an "orphan" _REG method that appears under an ACPI +- * device. This is a _REG method that has no corresponding region +- * within the device's scope. +- * +- ******************************************************************************/ +-acpi_status +-acpi_execute_orphan_reg_method(acpi_handle device, acpi_adr_space_type space_id) +-{ +- struct acpi_namespace_node *node; +- acpi_status status; +- +- ACPI_FUNCTION_TRACE(acpi_execute_orphan_reg_method); +- +- /* Parameter validation */ +- +- if (!device) { +- return_ACPI_STATUS(AE_BAD_PARAMETER); +- } +- +- status = acpi_ut_acquire_mutex(ACPI_MTX_NAMESPACE); +- if (ACPI_FAILURE(status)) { +- return_ACPI_STATUS(status); +- } +- +- /* Convert and validate the device handle */ +- +- node = acpi_ns_validate_handle(device); +- if (node) { +- +- /* +- * If an "orphan" _REG method is present in the device's scope +- * for the given address space ID, run it. +- */ +- +- acpi_ev_execute_orphan_reg_method(node, space_id); +- } else { +- status = AE_BAD_PARAMETER; +- } +- +- (void)acpi_ut_release_mutex(ACPI_MTX_NAMESPACE); +- return_ACPI_STATUS(status); +-} +- +-ACPI_EXPORT_SYMBOL(acpi_execute_orphan_reg_method) +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1532,9 +1532,6 @@ static int ec_install_handlers(struct ac + + if (call_reg && !test_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags)) { + acpi_execute_reg_methods(scope_handle, ACPI_ADR_SPACE_EC); +- if (scope_handle != ec->handle) +- acpi_execute_orphan_reg_method(ec->handle, ACPI_ADR_SPACE_EC); +- + set_bit(EC_FLAGS_EC_REG_CALLED, &ec->flags); + } + +--- a/include/acpi/acpixf.h ++++ b/include/acpi/acpixf.h +@@ -669,10 +669,6 @@ ACPI_EXTERNAL_RETURN_STATUS(acpi_status + acpi_adr_space_type + space_id)) + ACPI_EXTERNAL_RETURN_STATUS(acpi_status +- acpi_execute_orphan_reg_method(acpi_handle device, +- acpi_adr_space_type +- space_id)) +-ACPI_EXTERNAL_RETURN_STATUS(acpi_status + acpi_remove_address_space_handler(acpi_handle + device, + acpi_adr_space_type diff --git a/queue-6.1/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch b/queue-6.1/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch new file mode 100644 index 0000000000..cd49bd65bf --- /dev/null +++ b/queue-6.1/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch @@ -0,0 +1,109 @@ +From stable+bounces-235849-greg=kroah.com@vger.kernel.org Sun Apr 12 22:03:00 2026 +From: Sasha Levin +Date: Sun, 12 Apr 2026 16:02:51 -0400 +Subject: Revert "mptcp: add needs_id for netlink appending addr" +To: stable@vger.kernel.org +Cc: "Matthieu Baerts (NGI0)" , Geliang Tang , Jakub Kicinski , Sasha Levin +Message-ID: <20260412200251.2405108-1-sashal@kernel.org> + +From: "Matthieu Baerts (NGI0)" + +[ Upstream commit 8e2760eaab778494fc1fa257031e0e1799647f46 ] + +This commit was originally adding the ability to add MPTCP endpoints +with ID 0 by accident. The in-kernel PM, handling MPTCP endpoints at the +net namespace level, is not supposed to handle endpoints with such ID, +because this ID 0 is reserved to the initial subflow, as mentioned in +the MPTCPv1 protocol [1], a per-connection setting. + +Note that 'ip mptcp endpoint add id 0' stops early with an error, but +other tools might still request the in-kernel PM to create MPTCP +endpoints with this restricted ID 0. + +In other words, it was wrong to call the mptcp_pm_has_addr_attr_id +helper to check whether the address ID attribute is set: if it was set +to 0, a new MPTCP endpoint would be created with ID 0, which is not +expected, and might cause various issues later. + +Fixes: 584f38942626 ("mptcp: add needs_id for netlink appending addr") +Cc: stable@vger.kernel.org +Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.2-9 [1] +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260407-net-mptcp-revert-pm-needs-id-v2-1-7a25cbc324f8@kernel.org +Signed-off-by: Jakub Kicinski +[ applied changes to net/mptcp/pm_netlink.c instead of renamed net/mptcp/pm_kernel.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 24 +++++------------------- + 1 file changed, 5 insertions(+), 19 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1080,7 +1080,7 @@ static void __mptcp_pm_release_addr_entr + + static int mptcp_pm_nl_append_new_local_addr(struct pm_nl_pernet *pernet, + struct mptcp_pm_addr_entry *entry, +- bool needs_id, bool replace) ++ bool replace) + { + struct mptcp_pm_addr_entry *cur, *del_entry = NULL; + unsigned int addr_max; +@@ -1133,7 +1133,7 @@ static int mptcp_pm_nl_append_new_local_ + } + } + +- if (!entry->addr.id && needs_id) { ++ if (!entry->addr.id) { + find_next: + entry->addr.id = find_next_zero_bit(pernet->id_bitmap, + MPTCP_PM_MAX_ADDR_ID + 1, +@@ -1144,7 +1144,7 @@ find_next: + } + } + +- if (!entry->addr.id && needs_id) ++ if (!entry->addr.id) + goto out; + + __set_bit(entry->addr.id, pernet->id_bitmap); +@@ -1271,7 +1271,7 @@ int mptcp_pm_nl_get_local_id(struct mptc + entry->ifindex = 0; + entry->flags = MPTCP_PM_ADDR_FLAG_IMPLICIT; + entry->lsk = NULL; +- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true, false); ++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, false); + if (ret < 0) + kfree(entry); + +@@ -1513,18 +1513,6 @@ next: + return 0; + } + +-static bool mptcp_pm_has_addr_attr_id(const struct nlattr *attr, +- struct genl_info *info) +-{ +- struct nlattr *tb[MPTCP_PM_ADDR_ATTR_MAX + 1]; +- +- if (!nla_parse_nested_deprecated(tb, MPTCP_PM_ADDR_ATTR_MAX, attr, +- mptcp_pm_addr_policy, info->extack) && +- tb[MPTCP_PM_ADDR_ATTR_ID]) +- return true; +- return false; +-} +- + static int mptcp_nl_cmd_add_addr(struct sk_buff *skb, struct genl_info *info) + { + struct nlattr *attr = info->attrs[MPTCP_PM_ATTR_ADDR]; +@@ -1566,9 +1554,7 @@ static int mptcp_nl_cmd_add_addr(struct + goto out_free; + } + } +- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, +- !mptcp_pm_has_addr_attr_id(attr, info), +- true); ++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true); + if (ret < 0) { + GENL_SET_ERR_MSG(info, "too many addresses or duplicate one"); + goto out_free; diff --git a/queue-6.1/rfkill-sync-before-userspace-visibility-changes.patch b/queue-6.1/rfkill-sync-before-userspace-visibility-changes.patch new file mode 100644 index 0000000000..9f894b0077 --- /dev/null +++ b/queue-6.1/rfkill-sync-before-userspace-visibility-changes.patch @@ -0,0 +1,128 @@ +From stable+bounces-235816-greg=kroah.com@vger.kernel.org Sun Apr 12 14:55:30 2026 +From: Sasha Levin +Date: Sun, 12 Apr 2026 08:55:15 -0400 +Subject: rfkill: sync before userspace visibility/changes +To: stable@vger.kernel.org +Cc: Johannes Berg , Sasha Levin +Message-ID: <20260412125517.2219007-2-sashal@kernel.org> + +From: Johannes Berg + +[ Upstream commit 2c3dfba4cf84ac4f306cc6653b37b6dd6859ae9d ] + +If userspace quickly opens /dev/rfkill after a new +instance was created, it might see the old state of +the instance from before the sync work runs and may +even _change_ the state, only to have the sync work +change it again. + +Fix this by doing the sync inline where needed, not +just for /dev/rfkill but also for sysfs. + +Signed-off-by: Johannes Berg +Stable-dep-of: ea245d78dec5 ("net: rfkill: prevent unlimited numbers of rfkill events from being created") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rfkill/core.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -48,6 +48,7 @@ struct rfkill { + bool persistent; + bool polling_paused; + bool suspended; ++ bool need_sync; + + const struct rfkill_ops *ops; + void *data; +@@ -368,6 +369,17 @@ static void rfkill_set_block(struct rfki + rfkill_event(rfkill); + } + ++static void rfkill_sync(struct rfkill *rfkill) ++{ ++ lockdep_assert_held(&rfkill_global_mutex); ++ ++ if (!rfkill->need_sync) ++ return; ++ ++ rfkill_set_block(rfkill, rfkill_global_states[rfkill->type].cur); ++ rfkill->need_sync = false; ++} ++ + static void rfkill_update_global_state(enum rfkill_type type, bool blocked) + { + int i; +@@ -730,6 +742,10 @@ static ssize_t soft_show(struct device * + { + struct rfkill *rfkill = to_rfkill(dev); + ++ mutex_lock(&rfkill_global_mutex); ++ rfkill_sync(rfkill); ++ mutex_unlock(&rfkill_global_mutex); ++ + return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0); + } + +@@ -751,6 +767,7 @@ static ssize_t soft_store(struct device + return -EINVAL; + + mutex_lock(&rfkill_global_mutex); ++ rfkill_sync(rfkill); + rfkill_set_block(rfkill, state); + mutex_unlock(&rfkill_global_mutex); + +@@ -783,6 +800,10 @@ static ssize_t state_show(struct device + { + struct rfkill *rfkill = to_rfkill(dev); + ++ mutex_lock(&rfkill_global_mutex); ++ rfkill_sync(rfkill); ++ mutex_unlock(&rfkill_global_mutex); ++ + return sysfs_emit(buf, "%d\n", user_state_from_blocked(rfkill->state)); + } + +@@ -805,6 +826,7 @@ static ssize_t state_store(struct device + return -EINVAL; + + mutex_lock(&rfkill_global_mutex); ++ rfkill_sync(rfkill); + rfkill_set_block(rfkill, state == RFKILL_USER_STATE_SOFT_BLOCKED); + mutex_unlock(&rfkill_global_mutex); + +@@ -1032,14 +1054,10 @@ static void rfkill_uevent_work(struct wo + + static void rfkill_sync_work(struct work_struct *work) + { +- struct rfkill *rfkill; +- bool cur; +- +- rfkill = container_of(work, struct rfkill, sync_work); ++ struct rfkill *rfkill = container_of(work, struct rfkill, sync_work); + + mutex_lock(&rfkill_global_mutex); +- cur = rfkill_global_states[rfkill->type].cur; +- rfkill_set_block(rfkill, cur); ++ rfkill_sync(rfkill); + mutex_unlock(&rfkill_global_mutex); + } + +@@ -1087,6 +1105,7 @@ int __must_check rfkill_register(struct + round_jiffies_relative(POLL_INTERVAL)); + + if (!rfkill->persistent || rfkill_epo_lock_active) { ++ rfkill->need_sync = true; + schedule_work(&rfkill->sync_work); + } else { + #ifdef CONFIG_RFKILL_INPUT +@@ -1171,6 +1190,7 @@ static int rfkill_fop_open(struct inode + ev = kzalloc(sizeof(*ev), GFP_KERNEL); + if (!ev) + goto free; ++ rfkill_sync(rfkill); + rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD); + list_add_tail(&ev->list, &data->events); + } diff --git a/queue-6.1/rfkill-use-sysfs_emit-to-instead-of-sprintf.patch b/queue-6.1/rfkill-use-sysfs_emit-to-instead-of-sprintf.patch new file mode 100644 index 0000000000..1211f123eb --- /dev/null +++ b/queue-6.1/rfkill-use-sysfs_emit-to-instead-of-sprintf.patch @@ -0,0 +1,101 @@ +From stable+bounces-235815-greg=kroah.com@vger.kernel.org Sun Apr 12 14:55:22 2026 +From: Sasha Levin +Date: Sun, 12 Apr 2026 08:55:14 -0400 +Subject: rfkill: Use sysfs_emit() to instead of sprintf() +To: stable@vger.kernel.org +Cc: Bo Liu , Simon Horman , Johannes Berg , Sasha Levin +Message-ID: <20260412125517.2219007-1-sashal@kernel.org> + +From: Bo Liu + +[ Upstream commit 796703baead0c2862f7f2ebb9b177590af533035 ] + +Follow the advice of the Documentation/filesystems/sysfs.rst and show() +should only use sysfs_emit() or sysfs_emit_at() when formatting the +value to be returned to user space. + +Signed-off-by: Bo Liu +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230206081641.3193-1-liubo03@inspur.com +Signed-off-by: Johannes Berg +Stable-dep-of: ea245d78dec5 ("net: rfkill: prevent unlimited numbers of rfkill events from being created") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rfkill/core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -685,7 +685,7 @@ static ssize_t name_show(struct device * + { + struct rfkill *rfkill = to_rfkill(dev); + +- return sprintf(buf, "%s\n", rfkill->name); ++ return sysfs_emit(buf, "%s\n", rfkill->name); + } + static DEVICE_ATTR_RO(name); + +@@ -694,7 +694,7 @@ static ssize_t type_show(struct device * + { + struct rfkill *rfkill = to_rfkill(dev); + +- return sprintf(buf, "%s\n", rfkill_types[rfkill->type]); ++ return sysfs_emit(buf, "%s\n", rfkill_types[rfkill->type]); + } + static DEVICE_ATTR_RO(type); + +@@ -703,7 +703,7 @@ static ssize_t index_show(struct device + { + struct rfkill *rfkill = to_rfkill(dev); + +- return sprintf(buf, "%d\n", rfkill->idx); ++ return sysfs_emit(buf, "%d\n", rfkill->idx); + } + static DEVICE_ATTR_RO(index); + +@@ -712,7 +712,7 @@ static ssize_t persistent_show(struct de + { + struct rfkill *rfkill = to_rfkill(dev); + +- return sprintf(buf, "%d\n", rfkill->persistent); ++ return sysfs_emit(buf, "%d\n", rfkill->persistent); + } + static DEVICE_ATTR_RO(persistent); + +@@ -721,7 +721,7 @@ static ssize_t hard_show(struct device * + { + struct rfkill *rfkill = to_rfkill(dev); + +- return sprintf(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_HW) ? 1 : 0 ); ++ return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_HW) ? 1 : 0); + } + static DEVICE_ATTR_RO(hard); + +@@ -730,7 +730,7 @@ static ssize_t soft_show(struct device * + { + struct rfkill *rfkill = to_rfkill(dev); + +- return sprintf(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0 ); ++ return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0); + } + + static ssize_t soft_store(struct device *dev, struct device_attribute *attr, +@@ -764,7 +764,7 @@ static ssize_t hard_block_reasons_show(s + { + struct rfkill *rfkill = to_rfkill(dev); + +- return sprintf(buf, "0x%lx\n", rfkill->hard_block_reasons); ++ return sysfs_emit(buf, "0x%lx\n", rfkill->hard_block_reasons); + } + static DEVICE_ATTR_RO(hard_block_reasons); + +@@ -783,7 +783,7 @@ static ssize_t state_show(struct device + { + struct rfkill *rfkill = to_rfkill(dev); + +- return sprintf(buf, "%d\n", user_state_from_blocked(rfkill->state)); ++ return sysfs_emit(buf, "%d\n", user_state_from_blocked(rfkill->state)); + } + + static ssize_t state_store(struct device *dev, struct device_attribute *attr, diff --git a/queue-6.1/seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch b/queue-6.1/seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch new file mode 100644 index 0000000000..71648aa95b --- /dev/null +++ b/queue-6.1/seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch @@ -0,0 +1,132 @@ +From stable+bounces-235848-greg=kroah.com@vger.kernel.org Sun Apr 12 22:02:56 2026 +From: Sasha Levin +Date: Sun, 12 Apr 2026 16:02:48 -0400 +Subject: seg6: separate dst_cache for input and output paths in seg6 lwtunnel +To: stable@vger.kernel.org +Cc: Andrea Mayer , Nicolas Dichtel , Justin Iurman , Jakub Kicinski , Sasha Levin +Message-ID: <20260412200248.2405054-1-sashal@kernel.org> + +From: Andrea Mayer + +[ Upstream commit c3812651b522fe8437ebb7063b75ddb95b571643 ] + +The seg6 lwtunnel uses a single dst_cache per encap route, shared +between seg6_input_core() and seg6_output_core(). These two paths +can perform the post-encap SID lookup in different routing contexts +(e.g., ip rules matching on the ingress interface, or VRF table +separation). Whichever path runs first populates the cache, and the +other reuses it blindly, bypassing its own lookup. + +Fix this by splitting the cache into cache_input and cache_output, +so each path maintains its own cached dst independently. + +Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") +Cc: stable@vger.kernel.org +Signed-off-by: Andrea Mayer +Reviewed-by: Nicolas Dichtel +Reviewed-by: Justin Iurman +Link: https://patch.msgid.link/20260404004405.4057-2-andrea.mayer@uniroma2.it +Signed-off-by: Jakub Kicinski +[ added missing dst reference loop guard in seg6_output_core() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/seg6_iptunnel.c | 41 ++++++++++++++++++++++++++++------------- + 1 file changed, 28 insertions(+), 13 deletions(-) + +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -48,7 +48,8 @@ static size_t seg6_lwt_headroom(struct s + } + + struct seg6_lwt { +- struct dst_cache cache; ++ struct dst_cache cache_input; ++ struct dst_cache cache_output; + struct seg6_iptunnel_encap tuninfo[]; + }; + +@@ -486,7 +487,7 @@ static int seg6_input_core(struct net *n + slwt = seg6_lwt_lwtunnel(lwtst); + + local_bh_disable(); +- dst = dst_cache_get(&slwt->cache); ++ dst = dst_cache_get(&slwt->cache_input); + local_bh_enable(); + + err = seg6_do_srh(skb, dst); +@@ -502,7 +503,7 @@ static int seg6_input_core(struct net *n + /* cache only if we don't create a dst reference loop */ + if (!dst->error && lwtst != dst->lwtstate) { + local_bh_disable(); +- dst_cache_set_ip6(&slwt->cache, dst, ++ dst_cache_set_ip6(&slwt->cache_input, dst, + &ipv6_hdr(skb)->saddr); + local_bh_enable(); + } +@@ -561,7 +562,7 @@ static int seg6_output_core(struct net * + slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); + + local_bh_disable(); +- dst = dst_cache_get(&slwt->cache); ++ dst = dst_cache_get(&slwt->cache_output); + local_bh_enable(); + + err = seg6_do_srh(skb, dst); +@@ -586,9 +587,12 @@ static int seg6_output_core(struct net * + goto drop; + } + +- local_bh_disable(); +- dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr); +- local_bh_enable(); ++ /* cache only if we don't create a dst reference loop */ ++ if (orig_dst->lwtstate != dst->lwtstate) { ++ local_bh_disable(); ++ dst_cache_set_ip6(&slwt->cache_output, dst, &fl6.saddr); ++ local_bh_enable(); ++ } + + err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); + if (unlikely(err)) +@@ -695,11 +699,13 @@ static int seg6_build_state(struct net * + + slwt = seg6_lwt_lwtunnel(newts); + +- err = dst_cache_init(&slwt->cache, GFP_ATOMIC); +- if (err) { +- kfree(newts); +- return err; +- } ++ err = dst_cache_init(&slwt->cache_input, GFP_ATOMIC); ++ if (err) ++ goto err_free_newts; ++ ++ err = dst_cache_init(&slwt->cache_output, GFP_ATOMIC); ++ if (err) ++ goto err_destroy_input; + + memcpy(&slwt->tuninfo, tuninfo, tuninfo_len); + +@@ -714,11 +720,20 @@ static int seg6_build_state(struct net * + *ts = newts; + + return 0; ++ ++err_destroy_input: ++ dst_cache_destroy(&slwt->cache_input); ++err_free_newts: ++ kfree(newts); ++ return err; + } + + static void seg6_destroy_state(struct lwtunnel_state *lwt) + { +- dst_cache_destroy(&seg6_lwt_lwtunnel(lwt)->cache); ++ struct seg6_lwt *slwt = seg6_lwt_lwtunnel(lwt); ++ ++ dst_cache_destroy(&slwt->cache_input); ++ dst_cache_destroy(&slwt->cache_output); + } + + static int seg6_fill_encap_info(struct sk_buff *skb, diff --git a/queue-6.1/series b/queue-6.1/series index 061a202fe4..9706345801 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -20,3 +20,16 @@ apparmor-fix-unprivileged-local-user-can-do-privileged-policy-management.patch apparmor-fix-differential-encoding-verification.patch apparmor-fix-race-on-rawdata-dereference.patch apparmor-fix-race-between-freeing-data-and-fs-accessing-it.patch +usb-gadget-u_ether-fix-race-between-gether_disconnect-and-eth_stop.patch +revert-acpi-ec-evaluate-orphan-_reg-under-ec-device.patch +acpica-add-a-depth-argument-to-acpi_execute_reg_methods.patch +acpi-ec-evaluate-_reg-outside-the-ec-scope-more-carefully.patch +usb-gadget-f_hid-move-list-and-spinlock-inits-from-bind-to-alloc.patch +rfkill-use-sysfs_emit-to-instead-of-sprintf.patch +rfkill-sync-before-userspace-visibility-changes.patch +net-rfkill-reduce-data-mtx-scope-in-rfkill_fop_open.patch +net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch +seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch +revert-mptcp-add-needs_id-for-netlink-appending-addr.patch +drm-scheduler-signal-scheduled-fence-when-kill-job.patch +netfilter-nft_set_pipapo-do-not-rely-on-zero_size_ptr.patch diff --git a/queue-6.1/usb-gadget-f_hid-move-list-and-spinlock-inits-from-bind-to-alloc.patch b/queue-6.1/usb-gadget-f_hid-move-list-and-spinlock-inits-from-bind-to-alloc.patch new file mode 100644 index 0000000000..35c6feeb38 --- /dev/null +++ b/queue-6.1/usb-gadget-f_hid-move-list-and-spinlock-inits-from-bind-to-alloc.patch @@ -0,0 +1,72 @@ +From stable+bounces-235779-greg=kroah.com@vger.kernel.org Sun Apr 12 03:47:26 2026 +From: Sasha Levin +Date: Sat, 11 Apr 2026 21:47:15 -0400 +Subject: usb: gadget: f_hid: move list and spinlock inits from bind to alloc +To: stable@vger.kernel.org +Cc: Michael Zimmermann , stable , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20260412014715.1926028-1-sashal@kernel.org> + +From: Michael Zimmermann + +[ Upstream commit 4e0a88254ad59f6c53a34bf5fa241884ec09e8b2 ] + +There was an issue when you did the following: +- setup and bind an hid gadget +- open /dev/hidg0 +- use the resulting fd in EPOLL_CTL_ADD +- unbind the UDC +- bind the UDC +- use the fd in EPOLL_CTL_DEL + +When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported +within remove_wait_queue (via ep_remove_wait_queue). After some +debugging I found out that the queues, which f_hid registers via +poll_wait were the problem. These were initialized using +init_waitqueue_head inside hidg_bind. So effectively, the bind function +re-initialized the queues while there were still items in them. + +The solution is to move the initialization from hidg_bind to hidg_alloc +to extend their lifetimes to the lifetime of the function instance. + +Additionally, I found many other possibly problematic init calls in the +bind function, which I moved as well. + +Signed-off-by: Michael Zimmermann +Cc: stable +Link: https://patch.msgid.link/20260331184844.2388761-1-sigmaepsilon92@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_hid.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -996,13 +996,8 @@ static int hidg_bind(struct usb_configur + if (status) + goto fail; + +- spin_lock_init(&hidg->write_spinlock); + hidg->write_pending = 1; + hidg->req = NULL; +- spin_lock_init(&hidg->read_spinlock); +- init_waitqueue_head(&hidg->write_queue); +- init_waitqueue_head(&hidg->read_queue); +- INIT_LIST_HEAD(&hidg->completed_out_req); + + /* create char device */ + cdev_init(&hidg->cdev, &f_hidg_fops); +@@ -1272,6 +1267,12 @@ static struct usb_function *hidg_alloc(s + mutex_lock(&opts->lock); + ++opts->refcnt; + ++ spin_lock_init(&hidg->write_spinlock); ++ spin_lock_init(&hidg->read_spinlock); ++ init_waitqueue_head(&hidg->write_queue); ++ init_waitqueue_head(&hidg->read_queue); ++ INIT_LIST_HEAD(&hidg->completed_out_req); ++ + device_initialize(&hidg->dev); + hidg->dev.release = hidg_release; + hidg->dev.class = hidg_class; diff --git a/queue-6.1/usb-gadget-u_ether-fix-race-between-gether_disconnect-and-eth_stop.patch b/queue-6.1/usb-gadget-u_ether-fix-race-between-gether_disconnect-and-eth_stop.patch new file mode 100644 index 0000000000..414a21a982 --- /dev/null +++ b/queue-6.1/usb-gadget-u_ether-fix-race-between-gether_disconnect-and-eth_stop.patch @@ -0,0 +1,80 @@ +From stable+bounces-235732-greg=kroah.com@vger.kernel.org Sat Apr 11 16:13:58 2026 +From: Sasha Levin +Date: Sat, 11 Apr 2026 10:11:18 -0400 +Subject: usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop +To: stable@vger.kernel.org +Cc: Kuen-Han Tsai , stable , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20260411141118.767712-1-sashal@kernel.org> + +From: Kuen-Han Tsai + +[ Upstream commit e1eabb072c75681f78312c484ccfffb7430f206e ] + +A race condition between gether_disconnect() and eth_stop() leads to a +NULL pointer dereference. Specifically, if eth_stop() is triggered +concurrently while gether_disconnect() is tearing down the endpoints, +eth_stop() attempts to access the cleared endpoint descriptor, causing +the following NPE: + + Unable to handle kernel NULL pointer dereference + Call trace: + __dwc3_gadget_ep_enable+0x60/0x788 + dwc3_gadget_ep_enable+0x70/0xe4 + usb_ep_enable+0x60/0x15c + eth_stop+0xb8/0x108 + +Because eth_stop() crashes while holding the dev->lock, the thread +running gether_disconnect() fails to acquire the same lock and spins +forever, resulting in a hardlockup: + + Core - Debugging Information for Hardlockup core(7) + Call trace: + queued_spin_lock_slowpath+0x94/0x488 + _raw_spin_lock+0x64/0x6c + gether_disconnect+0x19c/0x1e8 + ncm_set_alt+0x68/0x1a0 + composite_setup+0x6a0/0xc50 + +The root cause is that the clearing of dev->port_usb in +gether_disconnect() is delayed until the end of the function. + +Move the clearing of dev->port_usb to the very beginning of +gether_disconnect() while holding dev->lock. This cuts off the link +immediately, ensuring eth_stop() will see dev->port_usb as NULL and +safely bail out. + +Fixes: 2b3d942c4878 ("usb ethernet gadget: split out network core") +Cc: stable +Signed-off-by: Kuen-Han Tsai +Link: https://patch.msgid.link/20260311-gether-disconnect-npe-v1-1-454966adf7c7@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_ether.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -1175,6 +1175,10 @@ void gether_disconnect(struct gether *li + + DBG(dev, "%s\n", __func__); + ++ spin_lock(&dev->lock); ++ dev->port_usb = NULL; ++ spin_unlock(&dev->lock); ++ + netif_stop_queue(dev->net); + netif_carrier_off(dev->net); + +@@ -1212,10 +1216,6 @@ void gether_disconnect(struct gether *li + dev->header_len = 0; + dev->unwrap = NULL; + dev->wrap = NULL; +- +- spin_lock(&dev->lock); +- dev->port_usb = NULL; +- spin_unlock(&dev->lock); + } + EXPORT_SYMBOL_GPL(gether_disconnect); +