From: Greg Kroah-Hartman Date: Tue, 17 Mar 2026 11:54:43 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.18.19~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=064a1113729c0903f5f5f43aaebbc02ab6b3afd2;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: btrfs-fix-chunk-map-leak-in-btrfs_map_block-after-btrfs_chunk_map_num_copies.patch device-property-allow-secondary-lookup-in-fwnode_get_next_child_node.patch drm-amd-disable-mes-lr-compute-w-a.patch drm-bridge-samsung-dsim-fix-memory-leak-in-error-path.patch drm-bridge-ti-sn65dsi86-enable-hpd-polling-if-irq-is-not-used.patch ice-reintroduce-retry-mechanism-for-indirect-aq.patch irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch ixgbevf-fix-link-setup-issue.patch nfsd-fix-cred-ref-leak-in-nfsd_nl_listener_set_doit.patch s390-pfault-fix-virtual-vs-physical-address-confusion.patch staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
---
diff --git a/queue-6.12/btrfs-fix-chunk-map-leak-in-btrfs_map_block-after-btrfs_chunk_map_num_copies.patch b/queue-6.12/btrfs-fix-chunk-map-leak-in-btrfs_map_block-after-btrfs_chunk_map_num_copies.patch
new file mode 100644
index 0000000000..94c625078f
--- /dev/null
+++ b/queue-6.12/btrfs-fix-chunk-map-leak-in-btrfs_map_block-after-btrfs_chunk_map_num_copies.patch
@@ -0,0 +1,38 @@
+From f15fb3d41543244d1179f423da4a4832a55bc050 Mon Sep 17 00:00:00 2001
+From: Mark Harmstone
+Date: Fri, 20 Feb 2026 12:53:17 +0000
+Subject: btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
+
+From: Mark Harmstone
+
+commit f15fb3d41543244d1179f423da4a4832a55bc050 upstream.
+
+Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL,
+we're not freeing the chunk map that we've just looked up.
+
+Fixes: 0ae653fbec2b ("btrfs: reduce chunk_map lookups in btrfs_map_block()")
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Filipe Manana
+Signed-off-by: Mark Harmstone
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/volumes.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6522,8 +6522,10 @@ int btrfs_map_block(struct btrfs_fs_info
+ return PTR_ERR(map);
+
+ num_copies = btrfs_chunk_map_num_copies(map);
+- if (io_geom.mirror_num > num_copies)
+- return -EINVAL;
++ if (io_geom.mirror_num > num_copies) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ map_offset = logical - map->start;
+ io_geom.raid56_full_stripe_start = (u64)-1;
diff --git a/queue-6.12/device-property-allow-secondary-lookup-in-fwnode_get_next_child_node.patch b/queue-6.12/device-property-allow-secondary-lookup-in-fwnode_get_next_child_node.patch
new file mode 100644
index 0000000000..9b97b82b79
--- /dev/null
+++ b/queue-6.12/device-property-allow-secondary-lookup-in-fwnode_get_next_child_node.patch
@@ -0,0 +1,75 @@
+From 2692c614f8f05929d692b3dbfd3faef1f00fbaf0 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Tue, 10 Feb 2026 14:58:22 +0100
+Subject: device property: Allow secondary lookup in fwnode_get_next_child_node()
+
+From: Andy Shevchenko
+
+commit 2692c614f8f05929d692b3dbfd3faef1f00fbaf0 upstream.
+
+When device_get_child_node_count() got split to the fwnode and device
+respective APIs, the fwnode didn't inherit the ability to traverse over
+the secondary fwnode. Hence any user, that switches from device to fwnode
+API misses this feature. In particular, this was revealed by the commit
+1490cbb9dbfd ("device property: Split fwnode_get_child_node_count()")
+that effectively broke the GPIO enumeration on Intel Galileo boards.
+Fix this by moving the secondary lookup from device to fwnode API.
+
+Note, in general no device_*() API should go into the depth of the fwnode
+implementation.
+
+Fixes: 114dbb4fa7c4 ("drivers property: When no children in primary, try secondary")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andy Shevchenko
+Reviewed-by: Rafael J. Wysocki (Intel)
+Reviewed-by: Sakari Ailus
+Link: https://patch.msgid.link/20260210135822.47335-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Danilo Krummrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/property.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/base/property.c
++++ b/drivers/base/property.c
+@@ -759,7 +759,18 @@ struct fwnode_handle *
+ fwnode_get_next_child_node(const struct fwnode_handle *fwnode,
+ struct fwnode_handle *child)
+ {
+- return fwnode_call_ptr_op(fwnode, get_next_child_node, child);
++ struct fwnode_handle *next;
++
++ if (IS_ERR_OR_NULL(fwnode))
++ return NULL;
++
++ /* Try to find a child in primary fwnode */
++ next = fwnode_call_ptr_op(fwnode, get_next_child_node, child);
++ if (next)
++ return next;
++
++ /* When no more children in primary, continue with secondary */
++ return fwnode_call_ptr_op(fwnode->secondary, get_next_child_node, child);
+ }
+ EXPORT_SYMBOL_GPL(fwnode_get_next_child_node);
+
+@@ -803,19 +814,7 @@ EXPORT_SYMBOL_GPL(fwnode_get_next_availa
+ struct fwnode_handle *device_get_next_child_node(const struct device *dev,
+ struct fwnode_handle *child)
+ {
+- const struct fwnode_handle *fwnode = dev_fwnode(dev);
+- struct fwnode_handle *next;
+-
+- if (IS_ERR_OR_NULL(fwnode))
+- return NULL;
+-
+- /* Try to find a child in primary fwnode */
+- next = fwnode_get_next_child_node(fwnode, child);
+- if (next)
+- return next;
+-
+- /* When no more children in primary, continue with secondary */
+- return fwnode_get_next_child_node(fwnode->secondary, child);
++ return fwnode_get_next_child_node(dev_fwnode(dev), child);
+ }
+ EXPORT_SYMBOL_GPL(device_get_next_child_node);
+
diff --git a/queue-6.12/drm-amd-disable-mes-lr-compute-w-a.patch b/queue-6.12/drm-amd-disable-mes-lr-compute-w-a.patch
new file mode 100644
index 0000000000..a15e59f1e0
--- /dev/null
+++ b/queue-6.12/drm-amd-disable-mes-lr-compute-w-a.patch
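Review bot: The secondary fallback added to fwnode_get_next_child_node() in drivers/base/property.c changes what every fwnode-level iterator sees, but nothing at the function states it; the two inline comments describe the steps, not the contract. A line in the function's header comment (which lies outside the hunk) such as `If the primary fwnode has no more children, iteration continues with @fwnode->secondary.` would make that visible to callers. It is also worth a comment that the same `child` is handed to both the primary and the secondary op, so each implementation has to cope with a child that belongs to the other fwnode; how the individual ops handle that is not visible here.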
@@ -0,0 +1,60 @@
+From 6b0d812971370c64b837a2db4275410f478272fe Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Wed, 25 Feb 2026 10:51:16 -0600
+Subject: drm/amd: Disable MES LR compute W/A
+
+From: Mario Limonciello
+
+commit 6b0d812971370c64b837a2db4275410f478272fe upstream.
+
+A workaround was introduced in commit 1fb710793ce2 ("drm/amdgpu: Enable
+MES lr_compute_wa by default") to help with some hangs observed in gfx1151.
+
+This WA didn't fully fix the issue. It was actually fixed by adjusting
+the VGPR size to the correct value that matched the hardware in commit
+b42f3bf9536c ("drm/amdkfd: bump minimum vgpr size for gfx1151").
+
+There are reports of instability on other products with newer GC microcode
+versions, and I believe they're caused by this workaround. As we don't
+need the workaround any more, remove it.
+
+Fixes: b42f3bf9536c ("drm/amdkfd: bump minimum vgpr size for gfx1151")
+Acked-by: Alex Deucher
+Signed-off-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+(cherry picked from commit 9973e64bd6ee7642860a6f3b6958cbf14e89cabd)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 -----
+ drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 5 -----
+ 2 files changed, 10 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+@@ -677,11 +677,6 @@ static int mes_v11_0_set_hw_resources(st
+ mes_set_hw_res_pkt.enable_reg_active_poll = 1;
+ mes_set_hw_res_pkt.enable_level_process_quantum_check = 1;
+ mes_set_hw_res_pkt.oversubscription_timer = 50;
+- if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x7f)
+- mes_set_hw_res_pkt.enable_lr_compute_wa = 1;
+- else
+- dev_info_once(mes->adev->dev,
+- "MES FW version must be >= 0x7f to enable LR compute workaround.\n");
+
+ if (amdgpu_mes_log_enable) {
+ mes_set_hw_res_pkt.enable_mes_event_int_logging = 1;
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c
+@@ -615,11 +615,6 @@ static int mes_v12_0_set_hw_resources(st
+ mes_set_hw_res_pkt.use_different_vmid_compute = 1;
+ mes_set_hw_res_pkt.enable_reg_active_poll = 1;
+ mes_set_hw_res_pkt.enable_level_process_quantum_check = 1;
+- if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x82)
+- mes_set_hw_res_pkt.enable_lr_compute_wa = 1;
+- else
+- dev_info_once(adev->dev,
+- "MES FW version must be >= 0x82 to enable LR compute workaround.\n");
+
+ /*
+ * Keep oversubscribe timer for sdma . When we have unmapped doorbell
diff --git a/queue-6.12/drm-bridge-samsung-dsim-fix-memory-leak-in-error-path.patch b/queue-6.12/drm-bridge-samsung-dsim-fix-memory-leak-in-error-path.patch
new file mode 100644
index 0000000000..9a0248df16
--- /dev/null
+++ b/queue-6.12/drm-bridge-samsung-dsim-fix-memory-leak-in-error-path.patch
@@ -0,0 +1,87 @@
+From 803ec1faf7c1823e6e3b1f2aaa81be18528c9436 Mon Sep 17 00:00:00 2001
+From: Osama Abdelkader
+Date: Mon, 9 Feb 2026 19:41:14 +0100
+Subject: drm/bridge: samsung-dsim: Fix memory leak in error path
+
+From: Osama Abdelkader
+
+commit 803ec1faf7c1823e6e3b1f2aaa81be18528c9436 upstream.
+
+In samsung_dsim_host_attach(), drm_bridge_add() is called to add the
+bridge. However, if samsung_dsim_register_te_irq() or
+pdata->host_ops->attach() fails afterwards, the function returns
+without removing the bridge, causing a memory leak.
+
+Fix this by adding proper error handling with goto labels to ensure
+drm_bridge_remove() is called in all error paths. Also ensure that
+samsung_dsim_unregister_te_irq() is called if the attach operation
+fails after the TE IRQ has been registered.
+
+samsung_dsim_unregister_te_irq() function is moved without changes
+to be before samsung_dsim_host_attach() to avoid forward declaration.
+
+Fixes: e7447128ca4a ("drm: bridge: Generalize Exynos-DSI driver into a Samsung DSIM bridge")
+Cc: stable@vger.kernel.org
+Signed-off-by: Osama Abdelkader
+Reviewed-by: Luca Ceresoli
+Link: https://patch.msgid.link/20260209184115.10937-1-osama.abdelkader@gmail.com
+Signed-off-by: Luca Ceresoli
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/samsung-dsim.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/samsung-dsim.c
++++ b/drivers/gpu/drm/bridge/samsung-dsim.c
+@@ -1697,6 +1697,14 @@ static int samsung_dsim_register_te_irq(
+ return 0;
+ }
+
++static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
++{
++ if (dsi->te_gpio) {
++ free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
++ gpiod_put(dsi->te_gpio);
++ }
++}
++
+ static int samsung_dsim_host_attach(struct mipi_dsi_host *host,
+ struct mipi_dsi_device *device)
+ {
+@@ -1771,13 +1779,13 @@ of_find_panel_or_bridge:
+ if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO)) {
+ ret = samsung_dsim_register_te_irq(dsi, &device->dev);
+ if (ret)
+- return ret;
++ goto err_remove_bridge;
+ }
+
+ if (pdata->host_ops && pdata->host_ops->attach) {
+ ret = pdata->host_ops->attach(dsi, device);
+ if (ret)
+- return ret;
++ goto err_unregister_te_irq;
+ }
+
+ dsi->lanes = device->lanes;
+@@ -1785,14 +1793,13 @@ of_find_panel_or_bridge:
+ dsi->mode_flags = device->mode_flags;
+
+ return 0;
+-}
+
+-static void samsung_dsim_unregister_te_irq(struct samsung_dsim *dsi)
+-{
+- if (dsi->te_gpio) {
+- free_irq(gpiod_to_irq(dsi->te_gpio), dsi);
+- gpiod_put(dsi->te_gpio);
+- }
++err_unregister_te_irq:
++ if (!(device->mode_flags & MIPI_DSI_MODE_VIDEO))
++ samsung_dsim_unregister_te_irq(dsi);
++err_remove_bridge:
++ drm_bridge_remove(&dsi->bridge);
++ return ret;
+ }
+
+ static int samsung_dsim_host_detach(struct mipi_dsi_host *host,
diff --git a/queue-6.12/drm-bridge-ti-sn65dsi86-enable-hpd-polling-if-irq-is-not-used.patch b/queue-6.12/drm-bridge-ti-sn65dsi86-enable-hpd-polling-if-irq-is-not-used.patch
new file mode 100644
index 0000000000..968a700f37
--- /dev/null
+++ b/queue-6.12/drm-bridge-ti-sn65dsi86-enable-hpd-polling-if-irq-is-not-used.patch
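Review bot: samsung_dsim_unregister_te_irq() in drivers/gpu/drm/bridge/samsung-dsim.c frees the IRQ and puts the GPIO but leaves `dsi->te_gpio` pointing at the released descriptor, and the new `err_unregister_te_irq` path in samsung_dsim_host_attach() now calls it after a failed attach. If the helper runs again later for the same dsi (the detach path is not visible in these hunks, so this needs confirming), the `if (dsi->te_gpio)` guard would not stop a second free_irq()/gpiod_put() on a stale pointer. Adding `dsi->te_gpio = NULL;` after `gpiod_put(dsi->te_gpio);` would make the helper safe to call twice. The body of samsung_dsim_host_attach() starts outside the hunks shown.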
@@ -0,0 +1,51 @@
+From 0b87d51690dd5131cbe9fbd23746b037aab89815 Mon Sep 17 00:00:00 2001
+From: Franz Schnyder
+Date: Fri, 6 Feb 2026 13:37:36 +0100
+Subject: drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
+
+From: Franz Schnyder
+
+commit 0b87d51690dd5131cbe9fbd23746b037aab89815 upstream.
+
+Fallback to polling to detect hotplug events on systems without
+interrupts.
+
+On systems where the interrupt line of the bridge is not connected,
+the bridge cannot notify hotplug events. Only add the
+DRM_BRIDGE_OP_HPD flag if an interrupt has been registered
+otherwise remain in polling mode.
+
+Fixes: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type")
+Cc: stable@vger.kernel.org # 6.16: 9133bc3f0564: drm/bridge: ti-sn65dsi86: Add
+Signed-off-by: Franz Schnyder
+Reviewed-by: Douglas Anderson
+[dianders: Adjusted Fixes/stable line based on discussion]
+Signed-off-by: Douglas Anderson
+Link: https://patch.msgid.link/20260206123758.374555-1-fra.schnyder@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi86.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+@@ -1326,6 +1326,7 @@ static int ti_sn_bridge_probe(struct aux
+ {
+ struct ti_sn65dsi86 *pdata = dev_get_drvdata(adev->dev.parent);
+ struct device_node *np = pdata->dev->of_node;
++ const struct i2c_client *client = to_i2c_client(pdata->dev);
+ int ret;
+
+ pdata->next_bridge = devm_drm_of_get_bridge(&adev->dev, np, 1, 0);
+@@ -1345,8 +1346,9 @@ static int ti_sn_bridge_probe(struct aux
+ ? DRM_MODE_CONNECTOR_DisplayPort : DRM_MODE_CONNECTOR_eDP;
+
+ if (pdata->bridge.type == DRM_MODE_CONNECTOR_DisplayPort) {
+- pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT |
+- DRM_BRIDGE_OP_HPD;
++ pdata->bridge.ops = DRM_BRIDGE_OP_EDID | DRM_BRIDGE_OP_DETECT;
++ if (client->irq)
++ pdata->bridge.ops |= DRM_BRIDGE_OP_HPD;
+ /*
+ * If comms were already enabled they would have been enabled
+ * with the wrong value of HPD_DISABLE. Update it now. Comms
diff --git a/queue-6.12/ice-reintroduce-retry-mechanism-for-indirect-aq.patch b/queue-6.12/ice-reintroduce-retry-mechanism-for-indirect-aq.patch
new file mode 100644
index 0000000000..9c884e3837
--- /dev/null
+++ b/queue-6.12/ice-reintroduce-retry-mechanism-for-indirect-aq.patch
@@ -0,0 +1,74 @@
+From 326256c0a72d4877cec1d4df85357da106233128 Mon Sep 17 00:00:00 2001
+From: Jakub Staniszewski
+Date: Tue, 13 Jan 2026 20:38:16 +0100
+Subject: ice: reintroduce retry mechanism for indirect AQ
+
+From: Jakub Staniszewski
+
+commit 326256c0a72d4877cec1d4df85357da106233128 upstream.
+
+Add retry mechanism for indirect Admin Queue (AQ) commands. To do so we
+need to keep the command buffer.
+
+This technically reverts commit 43a630e37e25
+("ice: remove unused buffer copy code in ice_sq_send_cmd_retry()"),
+but combines it with a fix in the logic by using a kmemdup() call,
+making it more robust and less likely to break in the future due to
+programmer error.
+
+Cc: Michal Schmidt
+Cc: stable@vger.kernel.org
+Fixes: 3056df93f7a8 ("ice: Re-send some AQ commands, as result of EBUSY AQ error")
+Signed-off-by: Jakub Staniszewski
+Co-developed-by: Dawid Osuchowski
+Signed-off-by: Dawid Osuchowski
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Przemek Kitszel
+Reviewed-by: Paul Menzel
+Tested-by: Rinitha S (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/ice/ice_common.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_common.c
++++ b/drivers/net/ethernet/intel/ice/ice_common.c
+@@ -1579,6 +1579,7 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
+ {
+ struct ice_aq_desc desc_cpy;
+ bool is_cmd_for_retry;
++ u8 *buf_cpy = NULL;
+ u8 idx = 0;
+ u16 opcode;
+ int status;
+@@ -1588,8 +1589,11 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
+ memset(&desc_cpy, 0, sizeof(desc_cpy));
+
+ if (is_cmd_for_retry) {
+- /* All retryable cmds are direct, without buf. */
+- WARN_ON(buf);
++ if (buf) {
++ buf_cpy = kmemdup(buf, buf_size, GFP_KERNEL);
++ if (!buf_cpy)
++ return -ENOMEM;
++ }
+
+ memcpy(&desc_cpy, desc, sizeof(desc_cpy));
+ }
+@@ -1601,12 +1605,14 @@ ice_sq_send_cmd_retry(struct ice_hw *hw,
+ hw->adminq.sq_last_status != ICE_AQ_RC_EBUSY)
+ break;
+
++ if (buf_cpy)
++ memcpy(buf, buf_cpy, buf_size);
+ memcpy(desc, &desc_cpy, sizeof(desc_cpy));
+-
+ msleep(ICE_SQ_SEND_DELAY_TIME_MS);
+
+ } while (++idx < ICE_SQ_SEND_MAX_EXECUTE);
+
++ kfree(buf_cpy);
+ return status;
+ }
+
diff --git a/queue-6.12/irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch b/queue-6.12/irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch
new file mode 100644
index 0000000000..3a0c31a72f
--- /dev/null
+++ b/queue-6.12/irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch
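Review bot: The new `if (buf)` branch in ice_sq_send_cmd_retry() (drivers/net/ethernet/intel/ice/ice_common.c) drops the old comment without saying why the buffer is duplicated, and it makes a retry-eligible command fail with -ENOMEM before it has been sent even once. A short comment above `buf_cpy = kmemdup(buf, buf_size, GFP_KERNEL);`, for example `/* keep a pristine copy of buf so it can be restored before each resend */`, would record the intent that the later `memcpy(buf, buf_cpy, buf_size);` only implies. Whether a failed allocation should instead fall back to a single send without retry is a policy choice that the same comment could state. The function body starts and ends outside the hunks shown.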
@@ -0,0 +1,62 @@
+From ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Fri, 6 Feb 2026 15:48:16 +0000
+Subject: irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
+
+From: Marc Zyngier
+
+commit ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 upstream.
+
+The ITS driver blindly assumes that EventIDs are in abundant supply, to the
+point where it never checks how many the hardware actually supports.
+
+It turns out that some pretty esoteric integrations make it so that only a
+few bits are available, all the way down to a single bit.
+
+Enforce the advertised limitation at the point of allocating the device
+structure, and hope that the endpoint driver can deal with such limitation.
+
+Fixes: 84a6a2e7fc18d ("irqchip: GICv3: ITS: device allocation and configuration")
+Signed-off-by: Marc Zyngier
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Robin Murphy
+Reviewed-by: Zenghui Yu
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260206154816.3582887-1-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-gic-v3-its.c | 4 ++++
+ include/linux/irqchip/arm-gic-v3.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3393,6 +3393,7 @@ static struct its_device *its_create_dev
+ int lpi_base;
+ int nr_lpis;
+ int nr_ites;
++ int id_bits;
+ int sz;
+
+ if (!its_alloc_device_table(its, dev_id))
+@@ -3405,7 +3406,10 @@ static struct its_device *its_create_dev
+ /*
+ * Even if the device wants a single LPI, the ITT must be
+ * sized as a power of two (and you need at least one bit...).
++ * Also honor the ITS's own EID limit.
+ */
++ id_bits = FIELD_GET(GITS_TYPER_IDBITS, its->typer) + 1;
++ nvecs = min_t(unsigned int, nvecs, BIT(id_bits));
+ nr_ites = max(2, nvecs);
+ sz = nr_ites * (FIELD_GET(GITS_TYPER_ITT_ENTRY_SIZE, its->typer) + 1);
+ sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
+--- a/include/linux/irqchip/arm-gic-v3.h
++++ b/include/linux/irqchip/arm-gic-v3.h
+@@ -394,6 +394,7 @@
+ #define GITS_TYPER_VLPIS (1UL << 1)
+ #define GITS_TYPER_ITT_ENTRY_SIZE_SHIFT 4
+ #define GITS_TYPER_ITT_ENTRY_SIZE GENMASK_ULL(7, 4)
++#define GITS_TYPER_IDBITS GENMASK_ULL(12, 8)
+ #define GITS_TYPER_IDBITS_SHIFT 8
+ #define GITS_TYPER_DEVBITS_SHIFT 13
+ #define GITS_TYPER_DEVBITS GENMASK_ULL(17, 13)
diff --git a/queue-6.12/ixgbevf-fix-link-setup-issue.patch b/queue-6.12/ixgbevf-fix-link-setup-issue.patch
new file mode 100644
index 0000000000..e99b86285d
--- /dev/null
+++ b/queue-6.12/ixgbevf-fix-link-setup-issue.patch
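Review bot: In its_create_device() (drivers/irqchip/irq-gic-v3-its.c) the new clamp `nvecs = min_t(unsigned int, nvecs, BIT(id_bits));` can truncate its own bound. GITS_TYPER_IDBITS is the 5-bit field `GENMASK_ULL(12, 8)`, so `id_bits` ranges up to 32, and `BIT(32)` cast to `unsigned int` by min_t() is 0 on a 64-bit build (where `unsigned long` is 32 bits the shift itself exceeds the type width). An ITS advertising the full 32 EventID bits would then have nvecs clamped to 0, and `nr_ites = max(2, nvecs)` would size the ITT for two entries whatever the caller asked for. A wider comparison avoids this, e.g. `nvecs = min_t(u64, nvecs, BIT_ULL(id_bits));`; whether any supported ITS reports that value is not visible here, and the function body continues outside the hunk.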
@@ -0,0 +1,50 @@
+From feae40a6a178bb525a15f19288016e5778102a99 Mon Sep 17 00:00:00 2001
+From: Jedrzej Jagielski
+Date: Wed, 10 Dec 2025 12:26:51 +0100
+Subject: ixgbevf: fix link setup issue
+
+From: Jedrzej Jagielski
+
+commit feae40a6a178bb525a15f19288016e5778102a99 upstream.
+
+It may happen that VF spawned for E610 adapter has problem with setting
+link up. This happens when ixgbevf supporting mailbox API 1.6 cooperates
+with PF driver which doesn't support this version of API, and hence
+doesn't support new approach for getting PF link data.
+
+In that case VF asks PF to provide link data but as PF doesn't support
+it, returns -EOPNOTSUPP what leads to early bail from link configuration
+sequence.
+
+Avoid such situation by using legacy VFLINKS approach whenever negotiated
+API version is less than 1.6.
+
+To reproduce the issue just create VF and set its link up - adapter must
+be any from the E610 family, ixgbevf must support API 1.6 or higher while
+ixgbevf must not.
+
+Fixes: 53f0eb62b4d2 ("ixgbevf: fix getting link speed data for E610 devices")
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Piotr Kwapulinski
+Reviewed-by: Paul Menzel
+Cc: stable@vger.kernel.org
+Signed-off-by: Jedrzej Jagielski
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/ixgbevf/vf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
+@@ -852,7 +852,8 @@ static s32 ixgbevf_check_mac_link_vf(str
+ if (!mac->get_link_status)
+ goto out;
+
+- if (hw->mac.type == ixgbe_mac_e610_vf) {
++ if (hw->mac.type == ixgbe_mac_e610_vf &&
++ hw->api_version >= ixgbe_mbox_api_16) {
+ ret_val = ixgbevf_get_pf_link_state(hw, speed, link_up);
+ if (ret_val)
+ goto out;
diff --git a/queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_listener_set_doit.patch b/queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_listener_set_doit.patch
new file mode 100644
index 0000000000..c98ec77f27
--- /dev/null
+++ b/queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_listener_set_doit.patch
@@ -0,0 +1,41 @@
+From 92978c83bb4eef55d02a6c990c01c423131eefa7 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Sat, 24 Jan 2026 04:18:41 +0000
+Subject: nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
+
+From: Kuniyuki Iwashima
+
+commit 92978c83bb4eef55d02a6c990c01c423131eefa7 upstream.
+
+nfsd_nl_listener_set_doit() uses get_current_cred() without
+put_cred().
+
+As we can see from other callers, svc_xprt_create_from_sa()
+does not require the extra refcount.
+
+nfsd_nl_listener_set_doit() is always in the process context,
+sendmsg(), and current->cred does not go away.
+
+Let's use current_cred() in nfsd_nl_listener_set_doit().
+
+Fixes: 16a471177496 ("NFSD: add listener-{set,get} netlink command")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfsctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -2081,7 +2081,7 @@ int nfsd_nl_listener_set_doit(struct sk_
+ }
+
+ ret = svc_xprt_create_from_sa(serv, xcl_name, net, sa, 0,
+- get_current_cred());
++ current_cred());
+ /* always save the latest error */
+ if (ret < 0)
+ err = ret;
diff --git a/queue-6.12/s390-pfault-fix-virtual-vs-physical-address-confusion.patch b/queue-6.12/s390-pfault-fix-virtual-vs-physical-address-confusion.patch
new file mode 100644
index 0000000000..55fa5d8e83
--- /dev/null
+++ b/queue-6.12/s390-pfault-fix-virtual-vs-physical-address-confusion.patch
@@ -0,0 +1,54 @@
+From d879ac6756b662a085a743e76023c768c3241579 Mon Sep 17 00:00:00 2001
+From: Alexander Gordeev
+Date: Tue, 24 Feb 2026 07:41:07 +0100
+Subject: s390/pfault: Fix virtual vs physical address confusion
+
+From: Alexander Gordeev
+
+commit d879ac6756b662a085a743e76023c768c3241579 upstream.
+
+When Linux is running as guest, runs a user space process and the
+user space process accesses a page that the host has paged out,
+the guest gets a pfault interrupt and schedules a different process.
+Without this mechanism the host would have to suspend the whole
+virtual CPU until the page has been paged in.
+
+To setup the pfault interrupt the real address of parameter list
+should be passed to DIAGNOSE 0x258, but a virtual address is passed
+instead.
+
+That has a performance impact, since the pfault setup never succeeds,
+the interrupt is never delivered to a guest and the whole virtual CPU
+is suspended as result.
+
+Cc: stable@vger.kernel.org
+Fixes: c98d2ecae08f ("s390/mm: Uncouple physical vs virtual address spaces")
+Reported-by: Claudio Imbrenda
+Reviewed-by: Heiko Carstens
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/mm/pfault.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/mm/pfault.c
++++ b/arch/s390/mm/pfault.c
+@@ -61,7 +61,7 @@ int __pfault_init(void)
+ "0: nopr %%r7\n"
+ EX_TABLE(0b, 0b)
+ : [rc] "+d" (rc)
+- : [refbk] "a" (&pfault_init_refbk), "m" (pfault_init_refbk)
++ : [refbk] "a" (virt_to_phys(&pfault_init_refbk)), "m" (pfault_init_refbk)
+ : "cc");
+ return rc;
+ }
+@@ -83,7 +83,7 @@ void __pfault_fini(void)
+ "0: nopr %%r7\n"
+ EX_TABLE(0b, 0b)
+ :
+- : [refbk] "a" (&pfault_fini_refbk), "m" (pfault_fini_refbk)
++ : [refbk] "a" (virt_to_phys(&pfault_fini_refbk)), "m" (pfault_fini_refbk)
+ : "cc");
+ }
+
diff --git a/queue-6.12/series b/queue-6.12/series
index be70e37318..6f1883b8a9 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -139,3 +139,15 @@ scsi-hisi_sas-fix-null-pointer-exception-during-user.patch
 kbuild-disable-cc_has_asm_goto_output-on-clang-17.patch
 fix-cc_has_asm_goto_output-on-non-x86-architectures.patch
 revert-tcpm-allow-looking-for-role_sw-device-in-the-main-node.patch
+drm-amd-disable-mes-lr-compute-w-a.patch
+drm-bridge-samsung-dsim-fix-memory-leak-in-error-path.patch
+drm-bridge-ti-sn65dsi86-enable-hpd-polling-if-irq-is-not-used.patch
+s390-pfault-fix-virtual-vs-physical-address-confusion.patch
+nfsd-fix-cred-ref-leak-in-nfsd_nl_listener_set_doit.patch
+device-property-allow-secondary-lookup-in-fwnode_get_next_child_node.patch
+irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch
+btrfs-fix-chunk-map-leak-in-btrfs_map_block-after-btrfs_chunk_map_num_copies.patch
+ice-reintroduce-retry-mechanism-for-indirect-aq.patch
+ixgbevf-fix-link-setup-issue.patch
+staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
+staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch
diff --git a/queue-6.12/staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch b/queue-6.12/staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch
new file mode 100644
index 0000000000..d606a2eeea
--- /dev/null
+++ b/queue-6.12/staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch
@@ -0,0 +1,39 @@
+From a75281626fc8fa6dc6c9cc314ee423e8bc45203b Mon Sep 17 00:00:00 2001
+From: Luka Gejak
+Date: Tue, 24 Feb 2026 14:26:47 +0100
+Subject: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
+
+From: Luka Gejak
+
+commit a75281626fc8fa6dc6c9cc314ee423e8bc45203b upstream.
+
+The current code checks 'i + 5 < in_len' at the end of the if statement.
+However, it accesses 'in_ie[i + 5]' before that check, which can lead
+to an out-of-bounds read. Move the length check to the beginning of the
+conditional to ensure the index is within bounds before accessing the
+array.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable
+Signed-off-by: Luka Gejak
+Reviewed-by: Dan Carpenter
+Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
+@@ -1929,7 +1929,10 @@ int rtw_restruct_wmm_ie(struct adapter *
+ while (i < in_len) {
+ ielength = initial_out_len;
+
+- if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
++ if (i + 5 < in_len &&
++ in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
++ in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
++ in_ie[i + 5] == 0x02) {
+ for (j = i; j < i + 9; j++) {
+ out_ie[ielength] = in_ie[j];
+ ielength++;
diff --git a/queue-6.12/staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch b/queue-6.12/staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
new file mode 100644
index 0000000000..8dc5c2ee3f
--- /dev/null
+++ b/queue-6.12/staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
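Review bot: The reordered guard in rtw_restruct_wmm_ie() (drivers/staging/rtl8723bs/core/rtw_mlme.c) only proves that `in_ie[i + 5]` is readable, yet the body that follows copies nine bytes with `for (j = i; j < i + 9; j++)`, so `in_ie[i + 6]` through `in_ie[i + 8]` can still be read past `in_len` when a matching element sits at the end of the buffer. The length test should cover the whole copy, e.g. `if (i + 9 <= in_len &&` in place of `if (i + 5 < in_len &&`. The hunk shows no bound on `ielength` against the size of `out_ie` either, and the loop continues outside the hunk, so how `i` is advanced is not visible; both are worth confirming if `in_ie` is derived from a received frame.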
@@ -0,0 +1,56 @@
+From f0109b9d3e1e455429279d602f6276e34689750a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 23 Feb 2026 14:31:35 +0100
+Subject: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
+
+From: Greg Kroah-Hartman
+
+commit f0109b9d3e1e455429279d602f6276e34689750a upstream.
+
+Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds
+read in rtw_get_ie() parser"), we don't trust the data in the frame so
+we should check the length better before acting on it
+
+Cc: stable
+Assisted-by: gkh_clanker_2000
+Tested-by: Navaneeth K
+Reviewed-by: Navaneeth K
+Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
++++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+@@ -187,20 +187,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len
+
+ cnt = 0;
+
+- while (cnt < in_len) {
++ while (cnt + 2 <= in_len) {
++ u8 ie_len = in_ie[cnt + 1];
++
++ if (cnt + 2 + ie_len > in_len)
++ break;
++
+ if (eid == in_ie[cnt]
+- && (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
++ && (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
+ target_ie = &in_ie[cnt];
+
+ if (ie)
+- memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
++ memcpy(ie, &in_ie[cnt], ie_len + 2);
+
+ if (ielen)
+- *ielen = in_ie[cnt+1]+2;
++ *ielen = ie_len + 2;
+
+ break;
+ }
+- cnt += in_ie[cnt+1]+2; /* goto next */
++ cnt += ie_len + 2; /* goto next */
+ }
+
+ return target_ie;
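Review bot: The copy `memcpy(ie, &in_ie[cnt], ie_len + 2);` in rtw_get_ie_ex() (drivers/staging/rtl8723bs/core/rtw_ieee80211.c) is still sized only by the element's own length byte: the new checks bound every read by `in_len`, but up to 257 bytes can be written to `ie` and no destination size is visible in the truncated signature. If any caller passes a smaller fixed buffer, frame contents still decide how far the write goes. A comment on the function such as `/* @ie, if non-NULL, must have room for 257 bytes (2 + maximum element length) */` would record the contract; alternatively callers can pass NULL for `ie` and copy from the returned pointer under their own bound using `*ielen`. The function starts before the hunk and its parameter list is cut by the hunk header, so the destination contract is an assumption to confirm.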