From: Greg Kroah-Hartman Date: Tue, 17 Mar 2026 12:12:00 +0000 (+0100) Subject: 6.18-stable patches X-Git-Tag: v6.18.19~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ba9688264d3b57acba1fc3ad39abb9fd1bc7eff;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: arm64-contpte-fix-set_access_flags-no-op-check-for-smmu-ats-faults.patch arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch ata-libata-core-disable-lpm-on-st1000dm010-2ep102.patch batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch crypto-ccp-allow-callers-to-use-hv-fixed-page-api-when-sev-is-disabled.patch drm-amd-display-fallback-to-boot-snapshot-for-dispclk.patch drm-xe-xe2_hpg-correct-implementation-of-wa_16025250150.patch hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch ice-fix-retry-for-aq-command-0x06ee.patch io_uring-net-reject-send_vectorized-when-unsupported.patch io_uring-zcrx-use-read_once-with-user-shared-rqes.patch ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch memcg-fix-slab-accounting-in-refill_obj_stock-trylock-path.patch net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch net-mana-ring-doorbell-at-4-cq-wraparounds.patch net-mctp-fix-device-leak-on-probe-failure.patch net-ncsi-fix-skb-leak-in-error-paths.patch net-nexthop-fix-percpu-use-after-free-in-remove_nh_grp_entry.patch net-tcp-ao-fix-mac-comparison-to-be-constant-time.patch nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch parisc-check-kernel-mapping-earlier-at-bootup.patch parisc-fix-initial-page-table-creation-for-boot.patch parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch pinctrl-cy8c95x0-don-t-miss-reading-the-last-bank-registers.patch pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch pmdomain-rockchip-fix-pd_vcodec-for-rk3588.patch regulator-pf9453-respect-irq-trigger-settings-from-firmware.patch s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch s390-xor-fix-xor_xc_5-inline-assembly.patch selftests-fix-mntns-iteration-selftests.patch slab-distinguish-lock-and-trylock-for-sheaf_flush_main.patch smb-server-fix-use-after-free-in-smb2_open.patch tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch --- diff --git a/queue-6.18/arm64-contpte-fix-set_access_flags-no-op-check-for-smmu-ats-faults.patch b/queue-6.18/arm64-contpte-fix-set_access_flags-no-op-check-for-smmu-ats-faults.patch new file mode 100644 index 0000000000..87bf283769 --- /dev/null +++ b/queue-6.18/arm64-contpte-fix-set_access_flags-no-op-check-for-smmu-ats-faults.patch @@ -0,0 +1,133 @@ +From 97c5550b763171dbef61e6239cab372b9f9cd4a2 Mon Sep 17 00:00:00 2001 +From: Piotr Jaroszynski +Date: Thu, 5 Mar 2026 15:26:29 -0800 +Subject: arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults + +From: Piotr Jaroszynski + +commit 97c5550b763171dbef61e6239cab372b9f9cd4a2 upstream. + +contpte_ptep_set_access_flags() compared the gathered ptep_get() value +against the requested entry to detect no-ops. ptep_get() ORs AF/dirty +from all sub-PTEs in the CONT block, so a dirty sibling can make the +target appear already-dirty. When the gathered value matches entry, the +function returns 0 even though the target sub-PTE still has PTE_RDONLY +set in hardware. + +For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may +set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered +across the CONT range. But page-table walkers that evaluate each +descriptor individually (e.g. a CPU without DBM support, or an SMMU +without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the +unchanged target sub-PTE, causing an infinite fault loop. + +Gathering can therefore cause false no-ops when only a sibling has been +updated: + - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared) + - read faults: target still lacks PTE_AF + +Fix by checking each sub-PTE against the requested AF/dirty/write state +(the same bits consumed by __ptep_set_access_flags()), using raw +per-PTE values rather than the gathered ptep_get() view, before +returning no-op. Keep using the raw target PTE for the write-bit unfold +decision. + +Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT +range may become the effective cached translation and software must +maintain consistent attributes across the range. + +Fixes: 4602e5757bcc ("arm64/mm: wire up PTE_CONT for user mappings") +Cc: Ryan Roberts +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: Zi Yan +Cc: Breno Leitao +Cc: stable@vger.kernel.org +Reviewed-by: Alistair Popple +Reviewed-by: James Houghton +Reviewed-by: Ryan Roberts +Reviewed-by: Catalin Marinas +Tested-by: Breno Leitao +Signed-off-by: Piotr Jaroszynski +Acked-by: Balbir Singh +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/contpte.c | 53 ++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 49 insertions(+), 4 deletions(-) + +--- a/arch/arm64/mm/contpte.c ++++ b/arch/arm64/mm/contpte.c +@@ -581,6 +581,27 @@ void contpte_clear_young_dirty_ptes(stru + } + EXPORT_SYMBOL_GPL(contpte_clear_young_dirty_ptes); + ++static bool contpte_all_subptes_match_access_flags(pte_t *ptep, pte_t entry) ++{ ++ pte_t *cont_ptep = contpte_align_down(ptep); ++ /* ++ * PFNs differ per sub-PTE. Match only bits consumed by ++ * __ptep_set_access_flags(): AF, DIRTY and write permission. ++ */ ++ const pteval_t cmp_mask = PTE_RDONLY | PTE_AF | PTE_WRITE | PTE_DIRTY; ++ pteval_t entry_cmp = pte_val(entry) & cmp_mask; ++ int i; ++ ++ for (i = 0; i < CONT_PTES; i++) { ++ pteval_t pte_cmp = pte_val(__ptep_get(cont_ptep + i)) & cmp_mask; ++ ++ if (pte_cmp != entry_cmp) ++ return false; ++ } ++ ++ return true; ++} ++ + int contpte_ptep_set_access_flags(struct vm_area_struct *vma, + unsigned long addr, pte_t *ptep, + pte_t entry, int dirty) +@@ -590,14 +611,38 @@ int contpte_ptep_set_access_flags(struct + int i; + + /* +- * Gather the access/dirty bits for the contiguous range. If nothing has +- * changed, its a noop. ++ * Check whether all sub-PTEs in the CONT block already match the ++ * requested access flags/write permission, using raw per-PTE values ++ * rather than the gathered ptep_get() view. ++ * ++ * __ptep_set_access_flags() can update AF, dirty and write ++ * permission, but only to make the mapping more permissive. ++ * ++ * ptep_get() gathers AF/dirty state across the whole CONT block, ++ * which is correct for a CPU with FEAT_HAFDBS. But page-table ++ * walkers that evaluate each descriptor individually (e.g. a CPU ++ * without DBM support, or an SMMU without HTTU, or with HA/HD ++ * disabled in CD.TCR) can keep faulting on the target sub-PTE if ++ * only a sibling has been updated. Gathering can therefore cause ++ * false no-ops when only a sibling has been updated: ++ * - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared) ++ * - read faults: target still lacks PTE_AF ++ * ++ * Per Arm ARM (DDI 0487) D8.7.1, any sub-PTE in a CONT range may ++ * become the effective cached translation, so all entries must have ++ * consistent attributes. Check the full CONT block before returning ++ * no-op, and when any sub-PTE mismatches, proceed to update the whole ++ * range. + */ +- orig_pte = pte_mknoncont(ptep_get(ptep)); +- if (pte_val(orig_pte) == pte_val(entry)) ++ if (contpte_all_subptes_match_access_flags(ptep, entry)) + return 0; + + /* ++ * Use raw target pte (not gathered) for write-bit unfold decision. ++ */ ++ orig_pte = pte_mknoncont(__ptep_get(ptep)); ++ ++ /* + * We can fix up access/dirty bits without having to unfold the contig + * range. But if the write bit is changing, we must unfold. + */ diff --git a/queue-6.18/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch b/queue-6.18/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch new file mode 100644 index 0000000000..1837241505 --- /dev/null +++ b/queue-6.18/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch @@ -0,0 +1,63 @@ +From c25c4aa3f79a488cc270507935a29c07dc6bddfc Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Fri, 27 Feb 2026 18:53:06 +0000 +Subject: arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation + +From: Catalin Marinas + +commit c25c4aa3f79a488cc270507935a29c07dc6bddfc upstream. + +Commit 143937ca51cc ("arm64, mm: avoid always making PTE dirty in +pte_mkwrite()") changed pte_mkwrite_novma() to only clear PTE_RDONLY +when PTE_DIRTY is set. This was to allow writable-clean PTEs for swap +pages that haven't actually been written. + +However, this broke kexec and hibernation for some platforms. Both go +through trans_pgd_create_copy() -> _copy_pte(), which calls +pte_mkwrite_novma() to make the temporary linear-map copy fully +writable. With the updated pte_mkwrite_novma(), read-only kernel pages +(without PTE_DIRTY) remain read-only in the temporary mapping. +While such behaviour is fine for user pages where hardware DBM or +trapping will make them writeable, subsequent in-kernel writes by the +kexec relocation code will fault. + +Add PTE_DIRTY back to all _PAGE_KERNEL* protection definitions. This was +the case prior to 5.4, commit aa57157be69f ("arm64: Ensure +VM_WRITE|VM_SHARED ptes are clean by default"). With the kernel +linear-map PTEs always having PTE_DIRTY set, pte_mkwrite_novma() +correctly clears PTE_RDONLY. + +Fixes: 143937ca51cc ("arm64, mm: avoid always making PTE dirty in pte_mkwrite()") +Signed-off-by: Catalin Marinas +Cc: stable@vger.kernel.org +Reported-by: Jianpeng Chang +Link: https://lore.kernel.org/r/20251204062722.3367201-1-jianpeng.chang.cn@windriver.com +Cc: Will Deacon +Cc: Huang, Ying +Cc: Guenter Roeck +Reviewed-by: Huang Ying +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/pgtable-prot.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -50,11 +50,11 @@ + + #define _PAGE_DEFAULT (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL)) + +-#define _PAGE_KERNEL (PROT_NORMAL) +-#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY) +-#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY) +-#define _PAGE_KERNEL_EXEC (PROT_NORMAL & ~PTE_PXN) +-#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT) ++#define _PAGE_KERNEL (PROT_NORMAL | PTE_DIRTY) ++#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY | PTE_DIRTY) ++#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY | PTE_DIRTY) ++#define _PAGE_KERNEL_EXEC ((PROT_NORMAL & ~PTE_PXN) | PTE_DIRTY) ++#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT | PTE_DIRTY) + + #define _PAGE_SHARED (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE) + #define _PAGE_SHARED_EXEC (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE) diff --git a/queue-6.18/ata-libata-core-disable-lpm-on-st1000dm010-2ep102.patch b/queue-6.18/ata-libata-core-disable-lpm-on-st1000dm010-2ep102.patch new file mode 100644 index 0000000000..1353c533ba --- /dev/null +++ b/queue-6.18/ata-libata-core-disable-lpm-on-st1000dm010-2ep102.patch @@ -0,0 +1,35 @@ +From b3b1d3ae1d87bc9398fb715c945968bf4c75a09a Mon Sep 17 00:00:00 2001 +From: Maximilian Pezzullo +Date: Wed, 4 Mar 2026 08:22:59 +0100 +Subject: ata: libata-core: Disable LPM on ST1000DM010-2EP102 + +From: Maximilian Pezzullo + +commit b3b1d3ae1d87bc9398fb715c945968bf4c75a09a upstream. + +According to a user report, the ST1000DM010-2EP102 has problems with LPM, +causing random system freezes. The drive belongs to the same BarraCuda +family as the ST2000DM008-2FR102 which has the same issue. + +Cc: stable@vger.kernel.org +Fixes: 7627a0edef54 ("ata: ahci: Drop low power policy board type") +Reported-by: Filippo Baiamonte +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221163 +Signed-off-by: Maximilian Pezzullo +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4157,6 +4157,7 @@ static const struct ata_dev_quirks_entry + ATA_QUIRK_FIRMWARE_WARN }, + + /* Seagate disks with LPM issues */ ++ { "ST1000DM010-2EP102", NULL, ATA_QUIRK_NOLPM }, + { "ST2000DM008-2FR102", NULL, ATA_QUIRK_NOLPM }, + + /* drives which fail FPDMA_AA activation (some may freeze afterwards) diff --git a/queue-6.18/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch b/queue-6.18/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch new file mode 100644 index 0000000000..0f56b8a537 --- /dev/null +++ b/queue-6.18/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch @@ -0,0 +1,106 @@ +From cfc83a3c71517b59c1047db57da31e26a9dc2f33 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 16 Feb 2026 11:20:29 +0100 +Subject: batman-adv: Avoid double-rtnl_lock ELP metric worker +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sven Eckelmann + +commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream. + +batadv_v_elp_get_throughput() might be called when the RTNL lock is already +held. This could be problematic when the work queue item is cancelled via +cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, +an rtnl_lock() would cause a deadlock. + +To avoid this, rtnl_trylock() was used in this function to skip the +retrieval of the ethtool information in case the RTNL lock was already +held. + +But for cfg80211 interfaces, batadv_get_real_netdev() was called - which +also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must +also be used instead and the lockless version __batadv_get_real_netdev() +has to be called. + +Cc: stable@vger.kernel.org +Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker") +Reported-by: Christian Schmidbauer +Signed-off-by: Sven Eckelmann +Tested-by: Sören Skaarup +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 10 +++++++++- + net/batman-adv/hard-interface.c | 8 ++++---- + net/batman-adv/hard-interface.h | 1 + + 3 files changed, 14 insertions(+), 5 deletions(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -111,7 +111,15 @@ static bool batadv_v_elp_get_throughput( + /* unsupported WiFi driver version */ + goto default_throughput; + +- real_netdev = batadv_get_real_netdev(hard_iface->net_dev); ++ /* only use rtnl_trylock because the elp worker will be cancelled while ++ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise ++ * wait forever when the elp work_item was started and it is then also ++ * trying to rtnl_lock ++ */ ++ if (!rtnl_trylock()) ++ return false; ++ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev); ++ rtnl_unlock(); + if (!real_netdev) + goto default_throughput; + +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -204,7 +204,7 @@ static bool batadv_is_valid_iface(const + } + + /** +- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual ++ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual + * interface on top of another 'real' interface + * @netdev: the device to check + * +@@ -214,7 +214,7 @@ static bool batadv_is_valid_iface(const + * Return: the 'real' net device or the original net device and NULL in case + * of an error. + */ +-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev) ++struct net_device *__batadv_get_real_netdev(struct net_device *netdev) + { + struct batadv_hard_iface *hard_iface = NULL; + struct net_device *real_netdev = NULL; +@@ -267,7 +267,7 @@ struct net_device *batadv_get_real_netde + struct net_device *real_netdev; + + rtnl_lock(); +- real_netdev = batadv_get_real_netdevice(net_device); ++ real_netdev = __batadv_get_real_netdev(net_device); + rtnl_unlock(); + + return real_netdev; +@@ -336,7 +336,7 @@ static u32 batadv_wifi_flags_evaluate(st + if (batadv_is_cfg80211_netdev(net_device)) + wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT; + +- real_netdev = batadv_get_real_netdevice(net_device); ++ real_netdev = __batadv_get_real_netdev(net_device); + if (!real_netdev) + return wifi_flags; + +--- a/net/batman-adv/hard-interface.h ++++ b/net/batman-adv/hard-interface.h +@@ -67,6 +67,7 @@ enum batadv_hard_if_bcast { + + extern struct notifier_block batadv_hard_if_notifier; + ++struct net_device *__batadv_get_real_netdev(struct net_device *net_device); + struct net_device *batadv_get_real_netdev(struct net_device *net_device); + bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface); + bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface); diff --git a/queue-6.18/crypto-ccp-allow-callers-to-use-hv-fixed-page-api-when-sev-is-disabled.patch b/queue-6.18/crypto-ccp-allow-callers-to-use-hv-fixed-page-api-when-sev-is-disabled.patch new file mode 100644 index 0000000000..2f63e7605c --- /dev/null +++ b/queue-6.18/crypto-ccp-allow-callers-to-use-hv-fixed-page-api-when-sev-is-disabled.patch @@ -0,0 +1,63 @@ +From 8168a7b72bdee3790b126f63bd30306759206b15 Mon Sep 17 00:00:00 2001 +From: Ashish Kalra +Date: Fri, 6 Feb 2026 21:26:45 +0000 +Subject: crypto: ccp - allow callers to use HV-Fixed page API when SEV is disabled + +From: Ashish Kalra + +commit 8168a7b72bdee3790b126f63bd30306759206b15 upstream. + +When SEV is disabled, the HV-Fixed page allocation call fails, which in +turn causes SFS initialization to fail. + +Fix the HV-Fixed API so callers (for example, SFS) can use it even when +SEV is disabled by performing normal page allocation and freeing. + +Fixes: e09701dcdd9c ("crypto: ccp - Add new HV-Fixed page allocation/free API") +Cc: stable@vger.kernel.org +Signed-off-by: Ashish Kalra +Reviewed-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sev-dev.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -1109,15 +1109,12 @@ struct page *snp_alloc_hv_fixed_pages(un + { + struct psp_device *psp_master = psp_get_master_device(); + struct snp_hv_fixed_pages_entry *entry; +- struct sev_device *sev; + unsigned int order; + struct page *page; + +- if (!psp_master || !psp_master->sev_data) ++ if (!psp_master) + return NULL; + +- sev = psp_master->sev_data; +- + order = get_order(PMD_SIZE * num_2mb_pages); + + /* +@@ -1130,7 +1127,8 @@ struct page *snp_alloc_hv_fixed_pages(un + * This API uses SNP_INIT_EX to transition allocated pages to HV_Fixed + * page state, fail if SNP is already initialized. + */ +- if (sev->snp_initialized) ++ if (psp_master->sev_data && ++ ((struct sev_device *)psp_master->sev_data)->snp_initialized) + return NULL; + + /* Re-use freed pages that match the request */ +@@ -1166,7 +1164,7 @@ void snp_free_hv_fixed_pages(struct page + struct psp_device *psp_master = psp_get_master_device(); + struct snp_hv_fixed_pages_entry *entry, *nentry; + +- if (!psp_master || !psp_master->sev_data) ++ if (!psp_master) + return; + + /* diff --git a/queue-6.18/drm-amd-display-fallback-to-boot-snapshot-for-dispclk.patch b/queue-6.18/drm-amd-display-fallback-to-boot-snapshot-for-dispclk.patch new file mode 100644 index 0000000000..d5fa7e59e3 --- /dev/null +++ b/queue-6.18/drm-amd-display-fallback-to-boot-snapshot-for-dispclk.patch @@ -0,0 +1,42 @@ +From 30d937f63bd19bbcaafa4b892eb251f8bbbf04ef Mon Sep 17 00:00:00 2001 +From: Dillon Varone +Date: Wed, 18 Feb 2026 14:34:28 -0500 +Subject: drm/amd/display: Fallback to boot snapshot for dispclk + +From: Dillon Varone + +commit 30d937f63bd19bbcaafa4b892eb251f8bbbf04ef upstream. + +[WHY & HOW] +If the dentist is unavailable, fallback to reading CLKIP via the boot +snapshot to get the current dispclk. + +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Dillon Varone +Signed-off-by: Alex Hung +Cc: Mario Limonciello +Cc: Alex Deucher +Tested-by: Dan Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit 2ab77600d1e55a042c02437326d3c7563e853c6c) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c +@@ -68,7 +68,11 @@ void dcn401_initialize_min_clocks(struct + * audio corruption. Read current DISPCLK from DENTIST and request the same + * freq to ensure that the timing is valid and unchanged. + */ +- clocks->dispclk_khz = dc->clk_mgr->funcs->get_dispclk_from_dentist(dc->clk_mgr); ++ if (dc->clk_mgr->funcs->get_dispclk_from_dentist) { ++ clocks->dispclk_khz = dc->clk_mgr->funcs->get_dispclk_from_dentist(dc->clk_mgr); ++ } else { ++ clocks->dispclk_khz = dc->clk_mgr->boot_snapshot.dispclk * 1000; ++ } + } + clocks->ref_dtbclk_khz = dc->clk_mgr->bw_params->clk_table.entries[0].dtbclk_mhz * 1000; + clocks->fclk_p_state_change_support = true; diff --git a/queue-6.18/drm-xe-xe2_hpg-correct-implementation-of-wa_16025250150.patch b/queue-6.18/drm-xe-xe2_hpg-correct-implementation-of-wa_16025250150.patch new file mode 100644 index 0000000000..f63cb2368a --- /dev/null +++ b/queue-6.18/drm-xe-xe2_hpg-correct-implementation-of-wa_16025250150.patch @@ -0,0 +1,52 @@ +From 89865e6dc8487b627302bdced3f965cd0c406835 Mon Sep 17 00:00:00 2001 +From: Matt Roper +Date: Fri, 27 Feb 2026 08:43:41 -0800 +Subject: drm/xe/xe2_hpg: Correct implementation of Wa_16025250150 + +From: Matt Roper + +commit 89865e6dc8487b627302bdced3f965cd0c406835 upstream. + +Wa_16025250150 asks us to set five register fields of the register to +0x1 each. However we were just OR'ing this into the existing register +value (which has a default of 0x4 for each nibble-sized field) resulting +in final field values of 0x5 instead of the desired 0x1. Correct the +RTP programming (use FIELD_SET instead of SET) to ensure each field is +assigned to exactly the value we want. + +Cc: Aradhya Bhatia +Cc: Tejas Upadhyay +Cc: stable@vger.kernel.org # v6.16+ +Fixes: 7654d51f1fd8 ("drm/xe/xe2hpg: Add Wa_16025250150") +Reviewed-by: Ngai-Mint Kwan +Link: https://patch.msgid.link/20260227164341.3600098-2-matthew.d.roper@intel.com +Signed-off-by: Matt Roper +(cherry picked from commit d139209ef88e48af1f6731cd45440421c757b6b5) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_wa.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_wa.c ++++ b/drivers/gpu/drm/xe/xe_wa.c +@@ -255,12 +255,13 @@ static const struct xe_rtp_entry_sr gt_w + + { XE_RTP_NAME("16025250150"), + XE_RTP_RULES(GRAPHICS_VERSION(2001)), +- XE_RTP_ACTIONS(SET(LSN_VC_REG2, +- LSN_LNI_WGT(1) | +- LSN_LNE_WGT(1) | +- LSN_DIM_X_WGT(1) | +- LSN_DIM_Y_WGT(1) | +- LSN_DIM_Z_WGT(1))) ++ XE_RTP_ACTIONS(FIELD_SET(LSN_VC_REG2, ++ LSN_LNI_WGT_MASK | LSN_LNE_WGT_MASK | ++ LSN_DIM_X_WGT_MASK | LSN_DIM_Y_WGT_MASK | ++ LSN_DIM_Z_WGT_MASK, ++ LSN_LNI_WGT(1) | LSN_LNE_WGT(1) | ++ LSN_DIM_X_WGT(1) | LSN_DIM_Y_WGT(1) | ++ LSN_DIM_Z_WGT(1))) + }, + + /* Xe2_HPM */ diff --git a/queue-6.18/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch b/queue-6.18/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch new file mode 100644 index 0000000000..abca6f72fb --- /dev/null +++ b/queue-6.18/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch @@ -0,0 +1,86 @@ +From 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Wed, 4 Mar 2026 15:51:17 -0800 +Subject: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read + +From: Sanman Pradhan + +commit 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 upstream. + +The q54sj108a2_debugfs_read function suffers from a stack buffer overflow +due to incorrect arguments passed to bin2hex(). The function currently +passes 'data' as the destination and 'data_char' as the source. + +Because bin2hex() converts each input byte into two hex characters, a +32-byte block read results in 64 bytes of output. Since 'data' is only +34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end +of the buffer onto the stack. + +Additionally, the arguments were swapped: it was reading from the +zero-initialized 'data_char' and writing to 'data', resulting in +all-zero output regardless of the actual I2C read. + +Fix this by: +1. Expanding 'data_char' to 66 bytes to safely hold the hex output. +2. Correcting the bin2hex() argument order and using the actual read count. +3. Using a pointer to select the correct output buffer for the final + simple_read_from_buffer call. + +Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/hwmon/pmbus/q54sj108a2.c ++++ b/drivers/hwmon/pmbus/q54sj108a2.c +@@ -78,7 +78,8 @@ static ssize_t q54sj108a2_debugfs_read(s + int idx = *idxp; + struct q54sj108a2_data *psu = to_psu(idxp, idx); + char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 }; +- char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 }; ++ char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 }; ++ char *out = data; + char *res; + + switch (idx) { +@@ -149,27 +150,27 @@ static ssize_t q54sj108a2_debugfs_read(s + if (rc < 0) + return rc; + +- res = bin2hex(data, data_char, 32); +- rc = res - data; +- ++ res = bin2hex(data_char, data, rc); ++ rc = res - data_char; ++ out = data_char; + break; + case Q54SJ108A2_DEBUGFS_FLASH_KEY: + rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data); + if (rc < 0) + return rc; + +- res = bin2hex(data, data_char, 4); +- rc = res - data; +- ++ res = bin2hex(data_char, data, rc); ++ rc = res - data_char; ++ out = data_char; + break; + default: + return -EINVAL; + } + +- data[rc] = '\n'; ++ out[rc] = '\n'; + rc += 2; + +- return simple_read_from_buffer(buf, count, ppos, data, rc); ++ return simple_read_from_buffer(buf, count, ppos, out, rc); + } + + static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf, diff --git a/queue-6.18/ice-fix-retry-for-aq-command-0x06ee.patch b/queue-6.18/ice-fix-retry-for-aq-command-0x06ee.patch new file mode 100644 index 0000000000..f9ef09c568 --- /dev/null +++ b/queue-6.18/ice-fix-retry-for-aq-command-0x06ee.patch @@ -0,0 +1,103 @@ +From fb4903b3354aed4a2301180cf991226f896c87ed Mon Sep 17 00:00:00 2001 +From: Jakub Staniszewski +Date: Tue, 13 Jan 2026 20:38:17 +0100 +Subject: ice: fix retry for AQ command 0x06EE + +From: Jakub Staniszewski + +commit fb4903b3354aed4a2301180cf991226f896c87ed upstream. + +Executing ethtool -m can fail reporting a netlink I/O error while firmware +link management holds the i2c bus used to communicate with the module. + +According to Intel(R) Ethernet Controller E810 Datasheet Rev 2.8 [1] +Section 3.3.10.4 Read/Write SFF EEPROM (0x06EE) +request should to be retried upon receiving EBUSY from firmware. + +Commit e9c9692c8a81 ("ice: Reimplement module reads used by ethtool") +implemented it only for part of ice_get_module_eeprom(), leaving all other +calls to ice_aq_sff_eeprom() vulnerable to returning early on getting +EBUSY without retrying. + +Remove the retry loop from ice_get_module_eeprom() and add Admin Queue +(AQ) command with opcode 0x06EE to the list of commands that should be +retried on receiving EBUSY from firmware. + +Cc: stable@vger.kernel.org +Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool") +Signed-off-by: Jakub Staniszewski +Co-developed-by: Dawid Osuchowski +Signed-off-by: Dawid Osuchowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Link: https://www.intel.com/content/www/us/en/content-details/613875/intel-ethernet-controller-e810-datasheet.html [1] +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_common.c | 1 + drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++++++++++----------------- + 2 files changed, 15 insertions(+), 21 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -1854,6 +1854,7 @@ static bool ice_should_retry_sq_send_cmd + case ice_aqc_opc_lldp_stop: + case ice_aqc_opc_lldp_start: + case ice_aqc_opc_lldp_filter_ctrl: ++ case ice_aqc_opc_sff_eeprom: + return true; + } + +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -4495,7 +4495,7 @@ ice_get_module_eeprom(struct net_device + struct ice_pf *pf = vsi->back; + struct ice_hw *hw = &pf->hw; + bool is_sfp = false; +- unsigned int i, j; ++ unsigned int i; + u16 offset = 0; + u8 page = 0; + int status; +@@ -4537,26 +4537,19 @@ ice_get_module_eeprom(struct net_device + if (page == 0 || !(data[0x2] & 0x4)) { + u32 copy_len; + +- /* If i2c bus is busy due to slow page change or +- * link management access, call can fail. This is normal. +- * So we retry this a few times. +- */ +- for (j = 0; j < 4; j++) { +- status = ice_aq_sff_eeprom(hw, 0, addr, offset, page, +- !is_sfp, value, +- SFF_READ_BLOCK_SIZE, +- 0, NULL); +- netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%X)\n", +- addr, offset, page, is_sfp, +- value[0], value[1], value[2], value[3], +- value[4], value[5], value[6], value[7], +- status); +- if (status) { +- usleep_range(1500, 2500); +- memset(value, 0, SFF_READ_BLOCK_SIZE); +- continue; +- } +- break; ++ status = ice_aq_sff_eeprom(hw, 0, addr, offset, page, ++ !is_sfp, value, ++ SFF_READ_BLOCK_SIZE, ++ 0, NULL); ++ netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%pe)\n", ++ addr, offset, page, is_sfp, ++ value[0], value[1], value[2], value[3], ++ value[4], value[5], value[6], value[7], ++ ERR_PTR(status)); ++ if (status) { ++ netdev_err(netdev, "%s: error reading module EEPROM: status %pe\n", ++ __func__, ERR_PTR(status)); ++ return status; + } + + /* Make sure we have enough room for the new block */ diff --git a/queue-6.18/io_uring-net-reject-send_vectorized-when-unsupported.patch b/queue-6.18/io_uring-net-reject-send_vectorized-when-unsupported.patch new file mode 100644 index 0000000000..e794baca2d --- /dev/null +++ b/queue-6.18/io_uring-net-reject-send_vectorized-when-unsupported.patch @@ -0,0 +1,34 @@ +From c36e28becd0586ac98318fd335e5e91d19cd2623 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 2 Mar 2026 14:32:04 +0000 +Subject: io_uring/net: reject SEND_VECTORIZED when unsupported + +From: Pavel Begunkov + +commit c36e28becd0586ac98318fd335e5e91d19cd2623 upstream. + +IORING_SEND_VECTORIZED with registered buffers is not implemented but +could be. Don't silently ignore the flag in this case but reject it with +an error. It only affects sendzc as normal sends don't support +registered buffers. + +Fixes: 6f02527729bd3 ("io_uring/net: Allow to do vectorized send") +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -376,6 +376,8 @@ static int io_send_setup(struct io_kiocb + kmsg->msg.msg_namelen = addr_len; + } + if (sr->flags & IORING_RECVSEND_FIXED_BUF) { ++ if (sr->flags & IORING_SEND_VECTORIZED) ++ return -EINVAL; + req->flags |= REQ_F_IMPORT_BUFFER; + return 0; + } diff --git a/queue-6.18/io_uring-zcrx-use-read_once-with-user-shared-rqes.patch b/queue-6.18/io_uring-zcrx-use-read_once-with-user-shared-rqes.patch new file mode 100644 index 0000000000..89b9528341 --- /dev/null +++ b/queue-6.18/io_uring-zcrx-use-read_once-with-user-shared-rqes.patch @@ -0,0 +1,38 @@ +From 531bb98a030cc1073bd7ed9a502c0a3a781e92ee Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 4 Mar 2026 12:37:43 +0000 +Subject: io_uring/zcrx: use READ_ONCE with user shared RQEs + +From: Pavel Begunkov + +commit 531bb98a030cc1073bd7ed9a502c0a3a781e92ee upstream. + +Refill queue entries are shared with the user space, use READ_ONCE when +reading them. + +Fixes: 34a3e60821ab9 ("io_uring/zcrx: implement zerocopy receive pp memory provider"); +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/zcrx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/io_uring/zcrx.c ++++ b/io_uring/zcrx.c +@@ -767,11 +767,12 @@ static inline bool io_parse_rqe(struct i + struct io_zcrx_ifq *ifq, + struct net_iov **ret_niov) + { ++ __u64 off = READ_ONCE(rqe->off); + unsigned niov_idx, area_idx; + struct io_zcrx_area *area; + +- area_idx = rqe->off >> IORING_ZCRX_AREA_SHIFT; +- niov_idx = (rqe->off & ~IORING_ZCRX_AREA_MASK) >> ifq->niov_shift; ++ area_idx = off >> IORING_ZCRX_AREA_SHIFT; ++ niov_idx = (off & ~IORING_ZCRX_AREA_MASK) >> ifq->niov_shift; + + if (unlikely(rqe->__pad || area_idx)) + return false; diff --git a/queue-6.18/ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch b/queue-6.18/ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch new file mode 100644 index 0000000000..65a73ea793 --- /dev/null +++ b/queue-6.18/ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch @@ -0,0 +1,114 @@ +From 1dfd062caa165ec9d7ee0823087930f3ab8a6294 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 7 Mar 2026 11:32:31 +0900 +Subject: ksmbd: fix use-after-free by using call_rcu() for oplock_info + +From: Namjae Jeon + +commit 1dfd062caa165ec9d7ee0823087930f3ab8a6294 upstream. + +ksmbd currently frees oplock_info immediately using kfree(), even +though it is accessed under RCU read-side critical sections in places +like opinfo_get() and proc_show_files(). + +Since there is no RCU grace period delay between nullifying the pointer +and freeing the memory, a reader can still access oplock_info +structure after it has been freed. This can leads to a use-after-free +especially in opinfo_get() where atomic_inc_not_zero() is called on +already freed memory. + +Fix this by switching to deferred freeing using call_rcu(). + +Fixes: 18b4fac5ef17 ("ksmbd: fix use-after-free in smb_break_all_levII_oplock()") +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/oplock.c | 29 +++++++++++++++++++++-------- + fs/smb/server/oplock.h | 5 +++-- + 2 files changed, 24 insertions(+), 10 deletions(-) + +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -120,7 +120,7 @@ static void free_lease(struct oplock_inf + kfree(lease); + } + +-static void free_opinfo(struct oplock_info *opinfo) ++static void __free_opinfo(struct oplock_info *opinfo) + { + if (opinfo->is_lease) + free_lease(opinfo); +@@ -129,6 +129,18 @@ static void free_opinfo(struct oplock_in + kfree(opinfo); + } + ++static void free_opinfo_rcu(struct rcu_head *rcu) ++{ ++ struct oplock_info *opinfo = container_of(rcu, struct oplock_info, rcu); ++ ++ __free_opinfo(opinfo); ++} ++ ++static void free_opinfo(struct oplock_info *opinfo) ++{ ++ call_rcu(&opinfo->rcu, free_opinfo_rcu); ++} ++ + struct oplock_info *opinfo_get(struct ksmbd_file *fp) + { + struct oplock_info *opinfo; +@@ -176,9 +188,9 @@ void opinfo_put(struct oplock_info *opin + free_opinfo(opinfo); + } + +-static void opinfo_add(struct oplock_info *opinfo) ++static void opinfo_add(struct oplock_info *opinfo, struct ksmbd_file *fp) + { +- struct ksmbd_inode *ci = opinfo->o_fp->f_ci; ++ struct ksmbd_inode *ci = fp->f_ci; + + down_write(&ci->m_lock); + list_add(&opinfo->op_entry, &ci->m_op_list); +@@ -1279,20 +1291,21 @@ set_lev: + set_oplock_level(opinfo, req_op_level, lctx); + + out: +- rcu_assign_pointer(fp->f_opinfo, opinfo); +- opinfo->o_fp = fp; +- + opinfo_count_inc(fp); +- opinfo_add(opinfo); ++ opinfo_add(opinfo, fp); ++ + if (opinfo->is_lease) { + err = add_lease_global_list(opinfo); + if (err) + goto err_out; + } + ++ rcu_assign_pointer(fp->f_opinfo, opinfo); ++ opinfo->o_fp = fp; ++ + return 0; + err_out: +- free_opinfo(opinfo); ++ __free_opinfo(opinfo); + return err; + } + +--- a/fs/smb/server/oplock.h ++++ b/fs/smb/server/oplock.h +@@ -69,8 +69,9 @@ struct oplock_info { + struct lease *o_lease; + struct list_head op_entry; + struct list_head lease_entry; +- wait_queue_head_t oplock_q; /* Other server threads */ +- wait_queue_head_t oplock_brk; /* oplock breaking wait */ ++ wait_queue_head_t oplock_q; /* Other server threads */ ++ wait_queue_head_t oplock_brk; /* oplock breaking wait */ ++ struct rcu_head rcu; + }; + + struct lease_break_info { diff --git a/queue-6.18/ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch b/queue-6.18/ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch new file mode 100644 index 0000000000..a7bffdeee4 --- /dev/null +++ b/queue-6.18/ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch @@ -0,0 +1,41 @@ +From eac3361e3d5dd8067b3258c69615888eb45e9f25 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 2 Mar 2026 12:55:02 +0900 +Subject: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() + +From: Namjae Jeon + +commit eac3361e3d5dd8067b3258c69615888eb45e9f25 upstream. + +opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being +accessed after rcu_read_unlock() has been called. This creates a +race condition where the memory could be freed by a concurrent +writer between the unlock and the subsequent pointer dereferences +(opinfo->is_lease, etc.), leading to a use-after-free. + +Fixes: 5fb282ba4fef ("ksmbd: fix possible null-deref in smb_lazy_parent_lease_break_close") +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/oplock.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -1123,10 +1123,12 @@ void smb_lazy_parent_lease_break_close(s + + rcu_read_lock(); + opinfo = rcu_dereference(fp->f_opinfo); +- rcu_read_unlock(); + +- if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) ++ if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) { ++ rcu_read_unlock(); + return; ++ } ++ rcu_read_unlock(); + + p_ci = ksmbd_inode_lookup_lock(fp->filp->f_path.dentry->d_parent); + if (!p_ci) diff --git a/queue-6.18/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch b/queue-6.18/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch new file mode 100644 index 0000000000..bcef47e83d --- /dev/null +++ b/queue-6.18/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch @@ -0,0 +1,41 @@ +From 24d87712727a5017ad142d63940589a36cd25647 Mon Sep 17 00:00:00 2001 +From: Ariel Silver +Date: Sat, 21 Feb 2026 15:26:00 +0100 +Subject: media: dvb-net: fix OOB access in ULE extension header tables + +From: Ariel Silver + +commit 24d87712727a5017ad142d63940589a36cd25647 upstream. + +The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables +in handle_one_ule_extension() are declared with 255 elements (valid +indices 0-254), but the index htype is derived from network-controlled +data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When +htype equals 255, an out-of-bounds read occurs on the function pointer +table, and the OOB value may be called as a function pointer. + +Add a bounds check on htype against the array size before either table +is accessed. Out-of-range values now cause the SNDU to be discarded. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Ariel Silver +Signed-off-by: Ariel Silver +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvb_net.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str + unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8; + unsigned char htype = p->ule_sndu_type & 0x00FF; + ++ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers)) ++ return -1; ++ + /* Discriminate mandatory and optional extension headers. */ + if (hlen == 0) { + /* Mandatory extension header */ diff --git a/queue-6.18/memcg-fix-slab-accounting-in-refill_obj_stock-trylock-path.patch b/queue-6.18/memcg-fix-slab-accounting-in-refill_obj_stock-trylock-path.patch new file mode 100644 index 0000000000..5ae478ff23 --- /dev/null +++ b/queue-6.18/memcg-fix-slab-accounting-in-refill_obj_stock-trylock-path.patch @@ -0,0 +1,52 @@ +From dccd5ee2625d50239510bcd73ed78559005e00a3 Mon Sep 17 00:00:00 2001 +From: Hao Li +Date: Thu, 26 Feb 2026 19:51:37 +0800 +Subject: memcg: fix slab accounting in refill_obj_stock() trylock path + +From: Hao Li + +commit dccd5ee2625d50239510bcd73ed78559005e00a3 upstream. + +In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should use +the real alloc/free bytes (i.e., nr_acct) for accounting, rather than +nr_bytes. + +The user-visible impact is that the NR_SLAB_RECLAIMABLE_B and +NR_SLAB_UNRECLAIMABLE_B stats can end up being incorrect. + +For example, if a user allocates a 6144-byte object, then before this +fix efill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=2048), even +though it should account for 6144 bytes (i.e., nr_acct). + +When the user later frees the same object with kfree(), +refill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=6144). This +ends up adding 6144 to the stats, but it should be applying -6144 +(i.e., nr_acct) since the object is being freed. + +Link: https://lkml.kernel.org/r/20260226115145.62903-1-hao.li@linux.dev +Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling") +Signed-off-by: Hao Li +Acked-by: Shakeel Butt +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: Muchun Song +Cc: Roman Gushchin +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3028,7 +3028,7 @@ static void refill_obj_stock(struct obj_ + + if (!local_trylock(&obj_stock.lock)) { + if (pgdat) +- mod_objcg_mlstate(objcg, pgdat, idx, nr_bytes); ++ mod_objcg_mlstate(objcg, pgdat, idx, nr_acct); + nr_pages = nr_bytes >> PAGE_SHIFT; + nr_bytes = nr_bytes & (PAGE_SIZE - 1); + atomic_add(nr_bytes, &objcg->nr_charged_bytes); diff --git a/queue-6.18/net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch b/queue-6.18/net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch new file mode 100644 index 0000000000..13c503975a --- /dev/null +++ b/queue-6.18/net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch @@ -0,0 +1,56 @@ +From 99c8c16a4aad0b37293cae213e15957c573cf79b Mon Sep 17 00:00:00 2001 +From: "Bastien Curutchet (Schneider Electric)" +Date: Mon, 9 Mar 2026 14:15:43 +0100 +Subject: net: dsa: microchip: Fix error path in PTP IRQ setup + +From: Bastien Curutchet (Schneider Electric) + +commit 99c8c16a4aad0b37293cae213e15957c573cf79b upstream. + +If request_threaded_irq() fails during the PTP message IRQ setup, the +newly created IRQ mapping is never disposed. Indeed, the +ksz_ptp_irq_setup()'s error path only frees the mappings that were +successfully set up. + +Dispose the newly created mapping if the associated +request_threaded_irq() fails at setup. + +Cc: stable@vger.kernel.org +Fixes: d0b8fec8ae505 ("net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}()") +Signed-off-by: Bastien Curutchet (Schneider Electric) +Reviewed-by: Simon Horman +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20260309-ksz-ptp-irq-fix-v1-1-757b3b985955@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_ptp.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_ptp.c ++++ b/drivers/net/dsa/microchip/ksz_ptp.c +@@ -1095,6 +1095,7 @@ static int ksz_ptp_msg_irq_setup(struct + const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops; + struct ksz_irq *ptpirq = &port->ptpirq; + struct ksz_ptp_irq *ptpmsg_irq; ++ int ret; + + ptpmsg_irq = &port->ptpmsg_irq[n]; + ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n); +@@ -1106,9 +1107,13 @@ static int ksz_ptp_msg_irq_setup(struct + + strscpy(ptpmsg_irq->name, name[n]); + +- return request_threaded_irq(ptpmsg_irq->num, NULL, +- ksz_ptp_msg_thread_fn, IRQF_ONESHOT, +- ptpmsg_irq->name, ptpmsg_irq); ++ ret = request_threaded_irq(ptpmsg_irq->num, NULL, ++ ksz_ptp_msg_thread_fn, IRQF_ONESHOT, ++ ptpmsg_irq->name, ptpmsg_irq); ++ if (ret) ++ irq_dispose_mapping(ptpmsg_irq->num); ++ ++ return ret; + } + + int ksz_ptp_irq_setup(struct dsa_switch *ds, u8 p) diff --git a/queue-6.18/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch b/queue-6.18/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch new file mode 100644 index 0000000000..2db2ef3f4e --- /dev/null +++ b/queue-6.18/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch @@ -0,0 +1,53 @@ +From 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c Mon Sep 17 00:00:00 2001 +From: Fan Wu +Date: Mon, 9 Mar 2026 13:24:09 +0000 +Subject: net: ethernet: arc: emac: quiesce interrupts before requesting IRQ + +From: Fan Wu + +commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream. + +Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe +should not see interrupt delivery in the usual case. However, hardware may +still present stale or latched interrupt status left by firmware or the +bootloader. + +If probe later unwinds after devm_request_irq() has installed the handler, +such a stale interrupt can still reach arc_emac_intr() during teardown and +race with release of the associated net_device. + +Avoid that window by putting the device into a known quiescent state before +requesting the IRQ: disable all EMAC interrupt sources and clear any +pending EMAC interrupt status bits. This keeps the change hardware-focused +and minimal, while preventing spurious IRQ delivery from leftover state. + +Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver") +Cc: stable@vger.kernel.org +Signed-off-by: Fan Wu +Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/ethernet/arc/emac_main.c ++++ b/drivers/net/ethernet/arc/emac_main.c +@@ -934,6 +934,17 @@ int arc_emac_probe(struct net_device *nd + /* Set poll rate so that it polls every 1 ms */ + arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000); + ++ /* ++ * Put the device into a known quiescent state before requesting ++ * the IRQ. Clear only EMAC interrupt status bits here; leave the ++ * MDIO completion bit alone and avoid writing TXPL_MASK, which is ++ * used to force TX polling rather than acknowledge interrupts. ++ */ ++ arc_reg_set(priv, R_ENABLE, 0); ++ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK | ++ TXCH_MASK | MSER_MASK | RXCR_MASK | ++ RXFR_MASK | RXFL_MASK); ++ + ndev->irq = irq; + dev_info(dev, "IRQ is %d\n", ndev->irq); + diff --git a/queue-6.18/net-mana-ring-doorbell-at-4-cq-wraparounds.patch b/queue-6.18/net-mana-ring-doorbell-at-4-cq-wraparounds.patch new file mode 100644 index 0000000000..80fc37460d --- /dev/null +++ b/queue-6.18/net-mana-ring-doorbell-at-4-cq-wraparounds.patch @@ -0,0 +1,88 @@ +From dabffd08545ffa1d7183bc45e387860984025291 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Thu, 26 Feb 2026 11:28:33 -0800 +Subject: net: mana: Ring doorbell at 4 CQ wraparounds + +From: Long Li + +commit dabffd08545ffa1d7183bc45e387860984025291 upstream. + +MANA hardware requires at least one doorbell ring every 8 wraparounds +of the CQ. The driver rings the doorbell as a form of flow control to +inform hardware that CQEs have been consumed. + +The NAPI poll functions mana_poll_tx_cq() and mana_poll_rx_cq() can +poll up to CQE_POLLING_BUFFER (512) completions per call. If the CQ +has fewer than 512 entries, a single poll call can process more than +4 wraparounds without ringing the doorbell. The doorbell threshold +check also uses ">" instead of ">=", delaying the ring by one extra +CQE beyond 4 wraparounds. Combined, these issues can cause the driver +to exceed the 8-wraparound hardware limit, leading to missed +completions and stalled queues. + +Fix this by capping the number of CQEs polled per call to 4 wraparounds +of the CQ in both TX and RX paths. Also change the doorbell threshold +from ">" to ">=" so the doorbell is rung as soon as 4 wraparounds are +reached. + +Cc: stable@vger.kernel.org +Fixes: 58a63729c957 ("net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings") +Signed-off-by: Long Li +Reviewed-by: Haiyang Zhang +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260226192833.1050807-1-longli@microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -1645,8 +1645,14 @@ static void mana_poll_tx_cq(struct mana_ + ndev = txq->ndev; + apc = netdev_priv(ndev); + ++ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the ++ * doorbell can be rung in time for the hardware's requirement ++ * of at least one doorbell ring every 8 wraparounds. ++ */ + comp_read = mana_gd_poll_cq(cq->gdma_cq, completions, +- CQE_POLLING_BUFFER); ++ min((cq->gdma_cq->queue_size / ++ COMP_ENTRY_SIZE) * 4, ++ CQE_POLLING_BUFFER)); + + if (comp_read < 1) + return; +@@ -2031,7 +2037,14 @@ static void mana_poll_rx_cq(struct mana_ + struct mana_rxq *rxq = cq->rxq; + int comp_read, i; + +- comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, CQE_POLLING_BUFFER); ++ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the ++ * doorbell can be rung in time for the hardware's requirement ++ * of at least one doorbell ring every 8 wraparounds. ++ */ ++ comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, ++ min((cq->gdma_cq->queue_size / ++ COMP_ENTRY_SIZE) * 4, ++ CQE_POLLING_BUFFER)); + WARN_ON_ONCE(comp_read > CQE_POLLING_BUFFER); + + rxq->xdp_flush = false; +@@ -2076,11 +2089,11 @@ static int mana_cq_handler(void *context + mana_gd_ring_cq(gdma_queue, SET_ARM_BIT); + cq->work_done_since_doorbell = 0; + napi_complete_done(&cq->napi, w); +- } else if (cq->work_done_since_doorbell > +- cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) { ++ } else if (cq->work_done_since_doorbell >= ++ (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4) { + /* MANA hardware requires at least one doorbell ring every 8 + * wraparounds of CQ even if there is no need to arm the CQ. +- * This driver rings the doorbell as soon as we have exceeded ++ * This driver rings the doorbell as soon as it has processed + * 4 wraparounds. + */ + mana_gd_ring_cq(gdma_queue, 0); diff --git a/queue-6.18/net-mctp-fix-device-leak-on-probe-failure.patch b/queue-6.18/net-mctp-fix-device-leak-on-probe-failure.patch new file mode 100644 index 0000000000..7528be3ea8 --- /dev/null +++ b/queue-6.18/net-mctp-fix-device-leak-on-probe-failure.patch @@ -0,0 +1,51 @@ +From 224a0d284c3caf1951302d1744a714784febed71 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 5 Mar 2026 11:45:49 +0100 +Subject: net: mctp: fix device leak on probe failure + +From: Johan Hovold + +commit 224a0d284c3caf1951302d1744a714784febed71 upstream. + +Driver core holds a reference to the USB interface and its parent USB +device while the interface is bound to a driver and there is no need to +take additional references unless the structures are needed after +disconnect. + +This driver takes a reference to the USB device during probe but does +not to release it on probe failures. + +Drop the redundant device reference to fix the leak, reduce cargo +culting, make it easier to spot drivers where an extra reference is +needed, and reduce the risk of further memory leaks. + +Fixes: 0791c0327a6e ("net: mctp: Add MCTP USB transport driver") +Cc: stable@vger.kernel.org # 6.15 +Signed-off-by: Johan Hovold +Acked-by: Jeremy Kerr +Link: https://patch.msgid.link/20260305104549.16110-1-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/mctp/mctp-usb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/mctp/mctp-usb.c ++++ b/drivers/net/mctp/mctp-usb.c +@@ -329,7 +329,7 @@ static int mctp_usb_probe(struct usb_int + SET_NETDEV_DEV(netdev, &intf->dev); + dev = netdev_priv(netdev); + dev->netdev = netdev; +- dev->usbdev = usb_get_dev(interface_to_usbdev(intf)); ++ dev->usbdev = interface_to_usbdev(intf); + dev->intf = intf; + usb_set_intfdata(intf, dev); + +@@ -365,7 +365,6 @@ static void mctp_usb_disconnect(struct u + mctp_unregister_netdev(dev->netdev); + usb_free_urb(dev->tx_urb); + usb_free_urb(dev->rx_urb); +- usb_put_dev(dev->usbdev); + free_netdev(dev->netdev); + } + diff --git a/queue-6.18/net-ncsi-fix-skb-leak-in-error-paths.patch b/queue-6.18/net-ncsi-fix-skb-leak-in-error-paths.patch new file mode 100644 index 0000000000..af37831cd9 --- /dev/null +++ b/queue-6.18/net-ncsi-fix-skb-leak-in-error-paths.patch @@ -0,0 +1,85 @@ +From 5c3398a54266541610c8d0a7082e654e9ff3e259 Mon Sep 17 00:00:00 2001 +From: Jian Zhang +Date: Thu, 5 Mar 2026 14:06:55 +0800 +Subject: net: ncsi: fix skb leak in error paths + +From: Jian Zhang + +commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream. + +Early return paths in NCSI RX and AEN handlers fail to release +the received skb, resulting in a memory leak. + +Specifically, ncsi_aen_handler() returns on invalid AEN packets +without consuming the skb. Similarly, ncsi_rcv_rsp() exits early +when failing to resolve the NCSI device, response handler, or +request, leaving the skb unfreed. + +CC: stable@vger.kernel.org +Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler") +Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler") +Signed-off-by: Jian Zhang +Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/ncsi-aen.c | 3 ++- + net/ncsi/ncsi-rsp.c | 16 ++++++++++++---- + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/net/ncsi/ncsi-aen.c ++++ b/net/ncsi/ncsi-aen.c +@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri + if (!nah) { + netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n", + h->type); +- return -ENOENT; ++ ret = -ENOENT; ++ goto out; + } + + ret = ncsi_validate_aen_pkt(h, nah->payload); +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + /* Find the NCSI device */ + nd = ncsi_find_dev(orig_dev); + ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL; +- if (!ndp) +- return -ENODEV; ++ if (!ndp) { ++ ret = -ENODEV; ++ goto err_free_skb; ++ } + + /* Check if it is AEN packet */ + hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb); +@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + if (!nrh) { + netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n", + hdr->type); +- return -ENOENT; ++ ret = -ENOENT; ++ goto err_free_skb; + } + + /* Associate with the request */ +@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + nr = &ndp->requests[hdr->id]; + if (!nr->used) { + spin_unlock_irqrestore(&ndp->lock, flags); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_free_skb; + } + + nr->rsp = skb; +@@ -1261,4 +1265,8 @@ out_netlink: + out: + ncsi_free_request(nr); + return ret; ++ ++err_free_skb: ++ kfree_skb(skb); ++ return ret; + } diff --git a/queue-6.18/net-nexthop-fix-percpu-use-after-free-in-remove_nh_grp_entry.patch b/queue-6.18/net-nexthop-fix-percpu-use-after-free-in-remove_nh_grp_entry.patch new file mode 100644 index 0000000000..512dc6646c --- /dev/null +++ b/queue-6.18/net-nexthop-fix-percpu-use-after-free-in-remove_nh_grp_entry.patch @@ -0,0 +1,83 @@ +From b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 Mon Sep 17 00:00:00 2001 +From: Mehul Rao +Date: Fri, 6 Mar 2026 18:38:20 -0500 +Subject: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry + +From: Mehul Rao + +commit b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 upstream. + +When removing a nexthop from a group, remove_nh_grp_entry() publishes +the new group via rcu_assign_pointer() then immediately frees the +removed entry's percpu stats with free_percpu(). However, the +synchronize_net() grace period in the caller remove_nexthop_from_groups() +runs after the free. RCU readers that entered before the publish still +see the old group and can dereference the freed stats via +nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a +use-after-free on percpu memory. + +Fix by deferring the free_percpu() until after synchronize_net() in the +caller. Removed entries are chained via nh_list onto a local deferred +free list. After the grace period completes and all RCU readers have +finished, the percpu stats are safely freed. + +Fixes: f4676ea74b85 ("net: nexthop: Add nexthop group entry stats") +Cc: stable@vger.kernel.org +Signed-off-by: Mehul Rao +Reviewed-by: Eric Dumazet +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260306233821.196789-1-mehulrao@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/nexthop.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -2005,7 +2005,8 @@ static void nh_hthr_group_rebalance(stru + } + + static void remove_nh_grp_entry(struct net *net, struct nh_grp_entry *nhge, +- struct nl_info *nlinfo) ++ struct nl_info *nlinfo, ++ struct list_head *deferred_free) + { + struct nh_grp_entry *nhges, *new_nhges; + struct nexthop *nhp = nhge->nh_parent; +@@ -2065,8 +2066,8 @@ static void remove_nh_grp_entry(struct n + rcu_assign_pointer(nhp->nh_grp, newg); + + list_del(&nhge->nh_list); +- free_percpu(nhge->stats); + nexthop_put(nhge->nh); ++ list_add(&nhge->nh_list, deferred_free); + + /* Removal of a NH from a resilient group is notified through + * bucket notifications. +@@ -2086,6 +2087,7 @@ static void remove_nexthop_from_groups(s + struct nl_info *nlinfo) + { + struct nh_grp_entry *nhge, *tmp; ++ LIST_HEAD(deferred_free); + + /* If there is nothing to do, let's avoid the costly call to + * synchronize_net() +@@ -2094,10 +2096,16 @@ static void remove_nexthop_from_groups(s + return; + + list_for_each_entry_safe(nhge, tmp, &nh->grp_list, nh_list) +- remove_nh_grp_entry(net, nhge, nlinfo); ++ remove_nh_grp_entry(net, nhge, nlinfo, &deferred_free); + + /* make sure all see the newly published array before releasing rtnl */ + synchronize_net(); ++ ++ /* Now safe to free percpu stats — all RCU readers have finished */ ++ list_for_each_entry_safe(nhge, tmp, &deferred_free, nh_list) { ++ list_del(&nhge->nh_list); ++ free_percpu(nhge->stats); ++ } + } + + static void remove_nexthop_group(struct nexthop *nh, struct nl_info *nlinfo) diff --git a/queue-6.18/net-tcp-ao-fix-mac-comparison-to-be-constant-time.patch b/queue-6.18/net-tcp-ao-fix-mac-comparison-to-be-constant-time.patch new file mode 100644 index 0000000000..406a77d709 --- /dev/null +++ b/queue-6.18/net-tcp-ao-fix-mac-comparison-to-be-constant-time.patch @@ -0,0 +1,53 @@ +From 67edfec516d30d3e62925c397be4a1e5185802fc Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 2 Mar 2026 12:36:00 -0800 +Subject: net/tcp-ao: Fix MAC comparison to be constant-time + +From: Eric Biggers + +commit 67edfec516d30d3e62925c397be4a1e5185802fc upstream. + +To prevent timing attacks, MACs need to be compared in constant +time. Use the appropriate helper function for this. + +Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> +Link: https://patch.msgid.link/20260302203600.13561-1-ebiggers@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/Kconfig | 1 + + net/ipv4/tcp_ao.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv4/Kconfig ++++ b/net/ipv4/Kconfig +@@ -748,6 +748,7 @@ config TCP_SIGPOOL + config TCP_AO + bool "TCP: Authentication Option (RFC5925)" + select CRYPTO ++ select CRYPTO_LIB_UTILS + select TCP_SIGPOOL + depends on 64BIT && IPV6 != m # seq-number extension needs WRITE_ONCE(u64) + help +--- a/net/ipv4/tcp_ao.c ++++ b/net/ipv4/tcp_ao.c +@@ -10,6 +10,7 @@ + #define pr_fmt(fmt) "TCP: " fmt + + #include ++#include + #include + #include + +@@ -922,7 +923,7 @@ tcp_ao_verify_hash(const struct sock *sk + /* XXX: make it per-AF callback? */ + tcp_ao_hash_skb(family, hash_buf, key, sk, skb, traffic_key, + (phash - (u8 *)th), sne); +- if (memcmp(phash, hash_buf, maclen)) { ++ if (crypto_memneq(phash, hash_buf, maclen)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); + atomic64_inc(&info->counters.pkt_bad); + atomic64_inc(&key->pkt_bad); diff --git a/queue-6.18/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch b/queue-6.18/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch new file mode 100644 index 0000000000..79e0ede5ce --- /dev/null +++ b/queue-6.18/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch @@ -0,0 +1,45 @@ +From 8f3c6f08ababad2e3bdd239728cf66a9949446b4 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 24 Feb 2026 13:17:50 +1000 +Subject: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep + +From: Dave Airlie + +commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream. + +If we have runtime suspended, and userspace wants to use /dev/drm_dp_* +then just tell it the device is busy instead of crashing in the GSP +code. + +WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] +CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) +Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024 +RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] + +This is a simple fix to get backported. We should probably engineer a +proper power domain solution to wake up devices and keep them awake +while fw updates are happening. + +Cc: stable@vger.kernel.org +Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector") +Reviewed-by: Lyude Paul +Signed-off-by: Dave Airlie +Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -1230,6 +1230,9 @@ nouveau_connector_aux_xfer(struct drm_dp + u8 size = msg->size; + int ret; + ++ if (pm_runtime_suspended(nv_connector->base.dev->dev)) ++ return -EBUSY; ++ + nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP); + if (!nv_encoder) + return -ENODEV; diff --git a/queue-6.18/parisc-check-kernel-mapping-earlier-at-bootup.patch b/queue-6.18/parisc-check-kernel-mapping-earlier-at-bootup.patch new file mode 100644 index 0000000000..b61b51351c --- /dev/null +++ b/queue-6.18/parisc-check-kernel-mapping-earlier-at-bootup.patch @@ -0,0 +1,60 @@ +From 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 3 Mar 2026 23:36:11 +0100 +Subject: parisc: Check kernel mapping earlier at bootup + +From: Helge Deller + +commit 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c upstream. + +The check if the initial mapping is sufficient needs to happen much +earlier during bootup. Move this test directly to the start_parisc() +function and use native PDC iodc functions to print the warning, because +panic() and printk() are not functional yet. + +This fixes boot when enabling various KALLSYSMS options which need +much more space. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/setup.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/arch/parisc/kernel/setup.c ++++ b/arch/parisc/kernel/setup.c +@@ -120,14 +120,6 @@ void __init setup_arch(char **cmdline_p) + #endif + printk(KERN_CONT ".\n"); + +- /* +- * Check if initial kernel page mappings are sufficient. +- * panic early if not, else we may access kernel functions +- * and variables which can't be reached. +- */ +- if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE) +- panic("KERNEL_INITIAL_ORDER too small!"); +- + #ifdef CONFIG_64BIT + if(parisc_narrow_firmware) { + printk(KERN_INFO "Kernel is using PDC in 32-bit mode.\n"); +@@ -279,6 +271,18 @@ void __init start_parisc(void) + int ret, cpunum; + struct pdc_coproc_cfg coproc_cfg; + ++ /* ++ * Check if initial kernel page mapping is sufficient. ++ * Print warning if not, because we may access kernel functions and ++ * variables which can't be reached yet through the initial mappings. ++ * Note that the panic() and printk() functions are not functional ++ * yet, so we need to use direct iodc() firmware calls instead. ++ */ ++ const char warn1[] = "CRITICAL: Kernel may crash because " ++ "KERNEL_INITIAL_ORDER is too small.\n"; ++ if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE) ++ pdc_iodc_print(warn1, sizeof(warn1) - 1); ++ + /* check QEMU/SeaBIOS marker in PAGE0 */ + running_on_qemu = (memcmp(&PAGE0->pad0, "SeaBIOS", 8) == 0); + diff --git a/queue-6.18/parisc-fix-initial-page-table-creation-for-boot.patch b/queue-6.18/parisc-fix-initial-page-table-creation-for-boot.patch new file mode 100644 index 0000000000..8a750d508e --- /dev/null +++ b/queue-6.18/parisc-fix-initial-page-table-creation-for-boot.patch @@ -0,0 +1,46 @@ +From 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 4 Mar 2026 22:24:18 +0100 +Subject: parisc: Fix initial page table creation for boot + +From: Helge Deller + +commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream. + +The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or +64 MB) of the page table during bootup. Up until now the whole area was +initialized with PTE entries, but there was no check if we filled too +many entries. Change the code to fill up with so many entries that the +"_end" symbol can be reached by the kernel, but not more entries than +actually fit into the initial PTE tables. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/head.S | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/head.S ++++ b/arch/parisc/kernel/head.S +@@ -56,6 +56,7 @@ ENTRY(parisc_kernel_start) + + .import __bss_start,data + .import __bss_stop,data ++ .import __end,data + + load32 PA(__bss_start),%r3 + load32 PA(__bss_stop),%r4 +@@ -149,7 +150,11 @@ $cpu_ok: + * everything ... it will get remapped correctly later */ + ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */ + load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */ +- load32 PA(pg0),%r1 ++ load32 PA(_end),%r1 ++ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */ ++ cmpb,<<,n %r11,%r1,1f ++ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */ ++1: load32 PA(pg0),%r1 + + $pgt_fill_loop: + STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1) diff --git a/queue-6.18/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch b/queue-6.18/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch new file mode 100644 index 0000000000..67df5531c7 --- /dev/null +++ b/queue-6.18/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch @@ -0,0 +1,30 @@ +From 8e732934fb81282be41602550e7e07baf265e972 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 3 Mar 2026 23:36:10 +0100 +Subject: parisc: Increase initial mapping to 64 MB with KALLSYMS + +From: Helge Deller + +commit 8e732934fb81282be41602550e7e07baf265e972 upstream. + +The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS +is used. Increase the mapping to 64 MB in this case. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/pgtable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -85,7 +85,7 @@ extern void __update_cache(pte_t pte); + printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e)) + + /* This is the size of the initially mapped kernel memory */ +-#if defined(CONFIG_64BIT) ++#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS) + #define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */ + #else + #define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */ diff --git a/queue-6.18/pinctrl-cy8c95x0-don-t-miss-reading-the-last-bank-registers.patch b/queue-6.18/pinctrl-cy8c95x0-don-t-miss-reading-the-last-bank-registers.patch new file mode 100644 index 0000000000..5e5e2576cf --- /dev/null +++ b/queue-6.18/pinctrl-cy8c95x0-don-t-miss-reading-the-last-bank-registers.patch @@ -0,0 +1,45 @@ +From b6c3af46c26f2d07c10a1452adc34b821719327e Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Mon, 23 Feb 2026 19:06:51 +0100 +Subject: pinctrl: cy8c95x0: Don't miss reading the last bank registers + +From: Andy Shevchenko + +commit b6c3af46c26f2d07c10a1452adc34b821719327e upstream. + +When code had been changed to use for_each_set_clump8(), it mistakenly +switched from chip->nport to chip->tpin since the cy8c9540 and cy8c9560 +have a 4-pin gap. This, in particular, led to the missed read of +the last bank interrupt status register and hence missing interrupts +on those pins. Restore the upper limit in for_each_set_clump8() to take +into consideration that gap. + +Fixes: 83e29a7a1fdf ("pinctrl: cy8c95x0; Switch to use for_each_set_clump8()") +Cc: stable@vger.kernel.org +Signed-off-by: Andy Shevchenko +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-cy8c95x0.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/pinctrl-cy8c95x0.c ++++ b/drivers/pinctrl/pinctrl-cy8c95x0.c +@@ -627,7 +627,7 @@ static int cy8c95x0_write_regs_mask(stru + bitmap_scatter(tmask, mask, chip->map, MAX_LINE); + bitmap_scatter(tval, val, chip->map, MAX_LINE); + +- for_each_set_clump8(offset, bits, tmask, chip->tpin) { ++ for_each_set_clump8(offset, bits, tmask, chip->nport * BANK_SZ) { + unsigned int i = offset / 8; + + write_val = bitmap_get_value8(tval, offset); +@@ -655,7 +655,7 @@ static int cy8c95x0_read_regs_mask(struc + bitmap_scatter(tmask, mask, chip->map, MAX_LINE); + bitmap_scatter(tval, val, chip->map, MAX_LINE); + +- for_each_set_clump8(offset, bits, tmask, chip->tpin) { ++ for_each_set_clump8(offset, bits, tmask, chip->nport * BANK_SZ) { + unsigned int i = offset / 8; + + ret = cy8c95x0_regmap_read_bits(chip, reg, i, bits, &read_val); diff --git a/queue-6.18/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch b/queue-6.18/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch new file mode 100644 index 0000000000..8a55c19612 --- /dev/null +++ b/queue-6.18/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch @@ -0,0 +1,55 @@ +From 550bae2c0931dbb664a61b08c21cf156f0a5362a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ma=C3=ADra=20Canal?= +Date: Thu, 12 Feb 2026 11:49:44 -0300 +Subject: pmdomain: bcm: bcm2835-power: Fix broken reset status read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +commit 550bae2c0931dbb664a61b08c21cf156f0a5362a upstream. + +bcm2835_reset_status() has a misplaced parenthesis on every PM_READ() +call. Since PM_READ(reg) expands to readl(power->base + (reg)), the +expression: + + PM_READ(PM_GRAFX & PM_V3DRSTN) + +computes the bitwise AND of the register offset PM_GRAFX with the +bitmask PM_V3DRSTN before using the result as a register offset, reading +from the wrong MMIO address instead of the intended PM_GRAFX register. +The same issue affects the PM_IMAGE cases. + +Fix by moving the closing parenthesis so PM_READ() receives only the +register offset, and the bitmask is applied to the value returned by +the read. + +Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.") +Signed-off-by: Maíra Canal +Reviewed-by: Florian Fainelli +Reviewed-by: Stefan Wahren +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/bcm/bcm2835-power.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pmdomain/bcm/bcm2835-power.c ++++ b/drivers/pmdomain/bcm/bcm2835-power.c +@@ -573,11 +573,11 @@ static int bcm2835_reset_status(struct r + + switch (id) { + case BCM2835_RESET_V3D: +- return !PM_READ(PM_GRAFX & PM_V3DRSTN); ++ return !(PM_READ(PM_GRAFX) & PM_V3DRSTN); + case BCM2835_RESET_H264: +- return !PM_READ(PM_IMAGE & PM_H264RSTN); ++ return !(PM_READ(PM_IMAGE) & PM_H264RSTN); + case BCM2835_RESET_ISP: +- return !PM_READ(PM_IMAGE & PM_ISPRSTN); ++ return !(PM_READ(PM_IMAGE) & PM_ISPRSTN); + default: + return -EINVAL; + } diff --git a/queue-6.18/pmdomain-rockchip-fix-pd_vcodec-for-rk3588.patch b/queue-6.18/pmdomain-rockchip-fix-pd_vcodec-for-rk3588.patch new file mode 100644 index 0000000000..5b3775a283 --- /dev/null +++ b/queue-6.18/pmdomain-rockchip-fix-pd_vcodec-for-rk3588.patch @@ -0,0 +1,77 @@ +From 0fb59eaca18f1254ecdce34354eec3cb1b3b5e10 Mon Sep 17 00:00:00 2001 +From: Shawn Lin +Date: Wed, 25 Feb 2026 10:55:01 +0800 +Subject: pmdomain: rockchip: Fix PD_VCODEC for RK3588 + +From: Shawn Lin + +commit 0fb59eaca18f1254ecdce34354eec3cb1b3b5e10 upstream. + +>From the RK3588 TRM Table 7-1 RK3588 Voltage Domain and Power Domain Summary, +PD_RKVDEC0/1 and PD_VENC0/1 rely on VD_VCODEC which require extra voltages to +be applied, otherwise it breaks RK3588-evb1-v10 board after vdec support landed[1]. +The panic looks like below: + + rockchip-pm-domain fd8d8000.power-management:power-controller: failed to set domain 'rkvdec0' on, val=0 + rockchip-pm-domain fd8d8000.power-management:power-controller: failed to set domain 'rkvdec1' on, val=0 + ... + Hardware name: Rockchip RK3588S EVB1 V10 Board (DT) + Workqueue: pm genpd_power_off_work_fn + Call trace: + show_stack+0x18/0x24 (C) + dump_stack_lvl+0x40/0x84 + dump_stack+0x18/0x24 + vpanic+0x1ec/0x4fc + vpanic+0x0/0x4fc + check_panic_on_warn+0x0/0x94 + arm64_serror_panic+0x6c/0x78 + do_serror+0xc4/0xcc + el1h_64_error_handler+0x3c/0x5c + el1h_64_error+0x6c/0x70 + regmap_mmio_read32le+0x18/0x24 (P) + regmap_bus_reg_read+0xfc/0x130 + regmap_read+0x188/0x1ac + regmap_read+0x54/0x78 + rockchip_pd_power+0xcc/0x5f0 + rockchip_pd_power_off+0x1c/0x4c + genpd_power_off+0x84/0x120 + genpd_power_off+0x1b4/0x260 + genpd_power_off_work_fn+0x38/0x58 + process_scheduled_works+0x194/0x2c4 + worker_thread+0x2ac/0x3d8 + kthread+0x104/0x124 + ret_from_fork+0x10/0x20 + SMP: stopping secondary CPUs + Kernel Offset: disabled + CPU features: 0x3000000,000e0005,40230521,0400720b + Memory Limit: none + ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]--- + +Chaoyi pointed out the PD_VCODEC is the parent of PD_RKVDEC0/1 and PD_VENC0/1, so checking +the PD_VCODEC is enough. + +[1] https://lore.kernel.org/linux-rockchip/20251020212009.8852-2-detlev.casanova@collabora.com/ + +Fixes: db6df2e3fc16 ("pmdomain: rockchip: add regulator support") +Cc: stable@vger.kernel.org +Suggested-by: Chaoyi Chen +Signed-off-by: Shawn Lin +Reviewed-by: Chaoyi Chen +Reviewed-by: Sebastian Reichel +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/rockchip/pm-domains.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pmdomain/rockchip/pm-domains.c ++++ b/drivers/pmdomain/rockchip/pm-domains.c +@@ -1286,7 +1286,7 @@ static const struct rockchip_domain_info + static const struct rockchip_domain_info rk3588_pm_domains[] = { + [RK3588_PD_GPU] = DOMAIN_RK3588("gpu", 0x0, BIT(0), 0, 0x0, 0, BIT(1), 0x0, BIT(0), BIT(0), false, true), + [RK3588_PD_NPU] = DOMAIN_RK3588("npu", 0x0, BIT(1), BIT(1), 0x0, 0, 0, 0x0, 0, 0, false, true), +- [RK3588_PD_VCODEC] = DOMAIN_RK3588("vcodec", 0x0, BIT(2), BIT(2), 0x0, 0, 0, 0x0, 0, 0, false, false), ++ [RK3588_PD_VCODEC] = DOMAIN_RK3588("vcodec", 0x0, BIT(2), BIT(2), 0x0, 0, 0, 0x0, 0, 0, false, true), + [RK3588_PD_NPUTOP] = DOMAIN_RK3588("nputop", 0x0, BIT(3), 0, 0x0, BIT(11), BIT(2), 0x0, BIT(1), BIT(1), false, false), + [RK3588_PD_NPU1] = DOMAIN_RK3588("npu1", 0x0, BIT(4), 0, 0x0, BIT(12), BIT(3), 0x0, BIT(2), BIT(2), false, false), + [RK3588_PD_NPU2] = DOMAIN_RK3588("npu2", 0x0, BIT(5), 0, 0x0, BIT(13), BIT(4), 0x0, BIT(3), BIT(3), false, false), diff --git a/queue-6.18/regulator-pf9453-respect-irq-trigger-settings-from-firmware.patch b/queue-6.18/regulator-pf9453-respect-irq-trigger-settings-from-firmware.patch new file mode 100644 index 0000000000..c312cf63df --- /dev/null +++ b/queue-6.18/regulator-pf9453-respect-irq-trigger-settings-from-firmware.patch @@ -0,0 +1,38 @@ +From 2d85ecd6fb0eb2fee0ffa040ec1ddea57b09bc38 Mon Sep 17 00:00:00 2001 +From: Franz Schnyder +Date: Wed, 18 Feb 2026 11:25:14 +0100 +Subject: regulator: pf9453: Respect IRQ trigger settings from firmware + +From: Franz Schnyder + +commit 2d85ecd6fb0eb2fee0ffa040ec1ddea57b09bc38 upstream. + +The datasheet specifies, that the IRQ_B pin is pulled low when any +unmasked interrupt bit status is changed, and it is released high once +the application processor reads the INT1 register. As it specifies a +level-low behavior, it should not force a falling-edge interrupt. + +Remove the IRQF_TRIGGER_FALLING to not force the falling-edge interrupt +and instead rely on the flag from the device tree. + +Fixes: 0959b6706325 ("regulator: pf9453: add PMIC PF9453 support") +Cc: stable@vger.kernel.org +Signed-off-by: Franz Schnyder +Link: https://patch.msgid.link/20260218102518.238943-2-fra.schnyder@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/pf9453-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/regulator/pf9453-regulator.c ++++ b/drivers/regulator/pf9453-regulator.c +@@ -819,7 +819,7 @@ static int pf9453_i2c_probe(struct i2c_c + } + + ret = devm_request_threaded_irq(pf9453->dev, pf9453->irq, NULL, pf9453_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ IRQF_ONESHOT, + "pf9453-irq", pf9453); + if (ret) + return dev_err_probe(pf9453->dev, ret, "Failed to request IRQ: %d\n", pf9453->irq); diff --git a/queue-6.18/s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch b/queue-6.18/s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch new file mode 100644 index 0000000000..a5dbab0bec --- /dev/null +++ b/queue-6.18/s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch @@ -0,0 +1,42 @@ +From 674c5ff0f440a051ebf299d29a4c013133d81a65 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 2 Mar 2026 14:35:00 +0100 +Subject: s390/stackleak: Fix __stackleak_poison() inline assembly constraint + +From: Heiko Carstens + +commit 674c5ff0f440a051ebf299d29a4c013133d81a65 upstream. + +The __stackleak_poison() inline assembly comes with a "count" operand where +the "d" constraint is used. "count" is used with the exrl instruction and +"d" means that the compiler may allocate any register from 0 to 15. + +If the compiler would allocate register 0 then the exrl instruction would +not or the value of "count" into the executed instruction - resulting in a +stackframe which is only partially poisoned. + +Use the correct "a" constraint, which excludes register 0 from register +allocation. + +Fixes: 2a405f6bb3a5 ("s390/stackleak: provide fast __stackleak_poison() implementation") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Carstens +Reviewed-by: Vasily Gorbik +Link: https://lore.kernel.org/r/20260302133500.1560531-4-hca@linux.ibm.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/include/asm/processor.h ++++ b/arch/s390/include/asm/processor.h +@@ -164,7 +164,7 @@ static __always_inline void __stackleak_ + " j 4f\n" + "3: mvc 8(1,%[addr]),0(%[addr])\n" + "4:" +- : [addr] "+&a" (erase_low), [count] "+&d" (count), [tmp] "=&a" (tmp) ++ : [addr] "+&a" (erase_low), [count] "+&a" (count), [tmp] "=&a" (tmp) + : [poison] "d" (poison) + : "memory", "cc" + ); diff --git a/queue-6.18/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch b/queue-6.18/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch new file mode 100644 index 0000000000..c1cfb35c7c --- /dev/null +++ b/queue-6.18/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch @@ -0,0 +1,39 @@ +From f775276edc0c505dc0f782773796c189f31a1123 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 2 Mar 2026 14:34:58 +0100 +Subject: s390/xor: Fix xor_xc_2() inline assembly constraints + +From: Heiko Carstens + +commit f775276edc0c505dc0f782773796c189f31a1123 upstream. + +The inline assembly constraints for xor_xc_2() are incorrect. "bytes", +"p1", and "p2" are input operands, while all three of them are modified +within the inline assembly. Given that the function consists only of this +inline assembly it seems unlikely that this may cause any problems, however +fix this in any case. + +Fixes: 2cfc5f9ce7f5 ("s390/xor: optimized xor routing using the XC instruction") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Carstens +Reviewed-by: Vasily Gorbik +Link: https://lore.kernel.org/r/20260302133500.1560531-2-hca@linux.ibm.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/lib/xor.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/lib/xor.c ++++ b/arch/s390/lib/xor.c +@@ -28,8 +28,8 @@ static void xor_xc_2(unsigned long bytes + " j 3f\n" + "2: xc 0(1,%1),0(%2)\n" + "3:" +- : : "d" (bytes), "a" (p1), "a" (p2) +- : "0", "cc", "memory"); ++ : "+d" (bytes), "+a" (p1), "+a" (p2) ++ : : "0", "cc", "memory"); + } + + static void xor_xc_3(unsigned long bytes, unsigned long * __restrict p1, diff --git a/queue-6.18/s390-xor-fix-xor_xc_5-inline-assembly.patch b/queue-6.18/s390-xor-fix-xor_xc_5-inline-assembly.patch new file mode 100644 index 0000000000..d769fc4ed7 --- /dev/null +++ b/queue-6.18/s390-xor-fix-xor_xc_5-inline-assembly.patch @@ -0,0 +1,34 @@ +From 5f25805303e201f3afaff0a90f7c7ce257468704 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Mon, 2 Mar 2026 19:03:34 +0100 +Subject: s390/xor: Fix xor_xc_5() inline assembly + +From: Vasily Gorbik + +commit 5f25805303e201f3afaff0a90f7c7ce257468704 upstream. + +xor_xc_5() contains a larl 1,2f that is not used by the asm and is not +declared as a clobber. This can corrupt a compiler-allocated value in %r1 +and lead to miscompilation. Remove the instruction. + +Fixes: 745600ed6965 ("s390/lib: Use exrl instead of ex in xor functions") +Cc: stable@vger.kernel.org +Reviewed-by: Juergen Christ +Reviewed-by: Heiko Carstens +Reviewed-by: Sven Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/lib/xor.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/s390/lib/xor.c ++++ b/arch/s390/lib/xor.c +@@ -96,7 +96,6 @@ static void xor_xc_5(unsigned long bytes + const unsigned long * __restrict p5) + { + asm volatile( +- " larl 1,2f\n" + " aghi %0,-1\n" + " jm 6f\n" + " srlg 0,%0,8\n" diff --git a/queue-6.18/selftests-fix-mntns-iteration-selftests.patch b/queue-6.18/selftests-fix-mntns-iteration-selftests.patch new file mode 100644 index 0000000000..dd559d70ea --- /dev/null +++ b/queue-6.18/selftests-fix-mntns-iteration-selftests.patch @@ -0,0 +1,101 @@ +From 4c7b2ec23cc5d880e3ffe35e8c2aad686b67723a Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 26 Feb 2026 14:50:12 +0100 +Subject: selftests: fix mntns iteration selftests + +From: Christian Brauner + +commit 4c7b2ec23cc5d880e3ffe35e8c2aad686b67723a upstream. + +Now that we changed permission checking make sure that we reflect that +in the selftests. + +Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-4-d2c2853313bd@kernel.org +Fixes: 9d87b1067382 ("selftests: add tests for mntns iteration") +Reviewed-by: Jeff Layton +Cc: stable@kernel.org # v6.14+ +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/filesystems/nsfs/iterate_mntns.c | 25 +++++++++------ + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/tools/testing/selftests/filesystems/nsfs/iterate_mntns.c ++++ b/tools/testing/selftests/filesystems/nsfs/iterate_mntns.c +@@ -37,17 +37,20 @@ FIXTURE(iterate_mount_namespaces) { + __u64 mnt_ns_id[MNT_NS_COUNT]; + }; + ++static inline bool mntns_in_list(__u64 *mnt_ns_id, struct mnt_ns_info *info) ++{ ++ for (int i = 0; i < MNT_NS_COUNT; i++) { ++ if (mnt_ns_id[i] == info->mnt_ns_id) ++ return true; ++ } ++ return false; ++} ++ + FIXTURE_SETUP(iterate_mount_namespaces) + { + for (int i = 0; i < MNT_NS_COUNT; i++) + self->fd_mnt_ns[i] = -EBADF; + +- /* +- * Creating a new user namespace let's us guarantee that we only see +- * mount namespaces that we did actually create. +- */ +- ASSERT_EQ(unshare(CLONE_NEWUSER), 0); +- + for (int i = 0; i < MNT_NS_COUNT; i++) { + struct mnt_ns_info info = {}; + +@@ -75,13 +78,15 @@ TEST_F(iterate_mount_namespaces, iterate + fd_mnt_ns_cur = fcntl(self->fd_mnt_ns[0], F_DUPFD_CLOEXEC); + ASSERT_GE(fd_mnt_ns_cur, 0); + +- for (;; count++) { ++ for (;;) { + struct mnt_ns_info info = {}; + int fd_mnt_ns_next; + + fd_mnt_ns_next = ioctl(fd_mnt_ns_cur, NS_MNT_GET_NEXT, &info); + if (fd_mnt_ns_next < 0 && errno == ENOENT) + break; ++ if (mntns_in_list(self->mnt_ns_id, &info)) ++ count++; + ASSERT_GE(fd_mnt_ns_next, 0); + ASSERT_EQ(close(fd_mnt_ns_cur), 0); + fd_mnt_ns_cur = fd_mnt_ns_next; +@@ -96,13 +101,15 @@ TEST_F(iterate_mount_namespaces, iterate + fd_mnt_ns_cur = fcntl(self->fd_mnt_ns[MNT_NS_LAST_INDEX], F_DUPFD_CLOEXEC); + ASSERT_GE(fd_mnt_ns_cur, 0); + +- for (;; count++) { ++ for (;;) { + struct mnt_ns_info info = {}; + int fd_mnt_ns_prev; + + fd_mnt_ns_prev = ioctl(fd_mnt_ns_cur, NS_MNT_GET_PREV, &info); + if (fd_mnt_ns_prev < 0 && errno == ENOENT) + break; ++ if (mntns_in_list(self->mnt_ns_id, &info)) ++ count++; + ASSERT_GE(fd_mnt_ns_prev, 0); + ASSERT_EQ(close(fd_mnt_ns_cur), 0); + fd_mnt_ns_cur = fd_mnt_ns_prev; +@@ -125,7 +132,6 @@ TEST_F(iterate_mount_namespaces, iterate + ASSERT_GE(fd_mnt_ns_next, 0); + ASSERT_EQ(close(fd_mnt_ns_cur), 0); + fd_mnt_ns_cur = fd_mnt_ns_next; +- ASSERT_EQ(info.mnt_ns_id, self->mnt_ns_id[i]); + } + } + +@@ -144,7 +150,6 @@ TEST_F(iterate_mount_namespaces, iterate + ASSERT_GE(fd_mnt_ns_prev, 0); + ASSERT_EQ(close(fd_mnt_ns_cur), 0); + fd_mnt_ns_cur = fd_mnt_ns_prev; +- ASSERT_EQ(info.mnt_ns_id, self->mnt_ns_id[i]); + } + } + diff --git a/queue-6.18/series b/queue-6.18/series index d26fce5f9c..6cbdeec7c4 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -210,3 +210,40 @@ mm-slab-fix-an-incorrect-check-in-obj_exts_alloc_size.patch staging-sm750fb-add-missing-pci_release_region-on-error-and-removal.patch staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch +pinctrl-cy8c95x0-don-t-miss-reading-the-last-bank-registers.patch +selftests-fix-mntns-iteration-selftests.patch +media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch +net-mana-ring-doorbell-at-4-cq-wraparounds.patch +ice-fix-retry-for-aq-command-0x06ee.patch +tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch +net-tcp-ao-fix-mac-comparison-to-be-constant-time.patch +batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch +drm-xe-xe2_hpg-correct-implementation-of-wa_16025250150.patch +pmdomain-rockchip-fix-pd_vcodec-for-rk3588.patch +parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch +nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch +arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch +hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch +io_uring-zcrx-use-read_once-with-user-shared-rqes.patch +parisc-fix-initial-page-table-creation-for-boot.patch +arm64-contpte-fix-set_access_flags-no-op-check-for-smmu-ats-faults.patch +parisc-check-kernel-mapping-earlier-at-bootup.patch +io_uring-net-reject-send_vectorized-when-unsupported.patch +regulator-pf9453-respect-irq-trigger-settings-from-firmware.patch +pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch +crypto-ccp-allow-callers-to-use-hv-fixed-page-api-when-sev-is-disabled.patch +s390-stackleak-fix-__stackleak_poison-inline-assembly-constraint.patch +ata-libata-core-disable-lpm-on-st1000dm010-2ep102.patch +s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch +drm-amd-display-fallback-to-boot-snapshot-for-dispclk.patch +s390-xor-fix-xor_xc_5-inline-assembly.patch +slab-distinguish-lock-and-trylock-for-sheaf_flush_main.patch +memcg-fix-slab-accounting-in-refill_obj_stock-trylock-path.patch +ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch +smb-server-fix-use-after-free-in-smb2_open.patch +ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch +net-mctp-fix-device-leak-on-probe-failure.patch +net-nexthop-fix-percpu-use-after-free-in-remove_nh_grp_entry.patch +net-ncsi-fix-skb-leak-in-error-paths.patch +net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch +net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch diff --git a/queue-6.18/slab-distinguish-lock-and-trylock-for-sheaf_flush_main.patch b/queue-6.18/slab-distinguish-lock-and-trylock-for-sheaf_flush_main.patch new file mode 100644 index 0000000000..af96674e0a --- /dev/null +++ b/queue-6.18/slab-distinguish-lock-and-trylock-for-sheaf_flush_main.patch @@ -0,0 +1,121 @@ +From 48647d3f9a644d1e81af6558102d43cdb260597b Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Wed, 11 Feb 2026 10:42:30 +0100 +Subject: slab: distinguish lock and trylock for sheaf_flush_main() + +From: Vlastimil Babka + +commit 48647d3f9a644d1e81af6558102d43cdb260597b upstream. + +sheaf_flush_main() can be called from __pcs_replace_full_main() where +it's fine if the trylock fails, and pcs_flush_all() where it's not +expected to and for some flush callers (when destroying the cache or +memory hotremove) it would be actually a problem if it failed and left +the main sheaf not flushed. The flush callers can however safely use +local_lock() instead of trylock. + +The trylock failure should not happen in practice on !PREEMPT_RT, but +can happen on PREEMPT_RT. The impact is limited in practice because when +a trylock fails in the kmem_cache_destroy() path, it means someone is +using the cache while destroying it, which is a bug on its own. The memory +hotremove path is unlikely to be employed in a production RT config, but +it's possible. + +To fix this, split the function into sheaf_flush_main() (using +local_lock()) and sheaf_try_flush_main() (using local_trylock()) where +both call __sheaf_flush_main_batch() to flush a single batch of objects. +This will also allow lockdep to verify our context assumptions. + +The problem was raised in an off-list question by Marcelo. + +Fixes: 2d517aa09bbc ("slab: add opt-in caching layer of percpu sheaves") +Cc: stable@vger.kernel.org +Reported-by: Marcelo Tosatti +Signed-off-by: Vlastimil Babka +Reviewed-by: Harry Yoo +Reviewed-by: Hao Li +Link: https://patch.msgid.link/20260211-b4-sheaf-flush-v1-1-4e7f492f0055@suse.cz +Signed-off-by: Vlastimil Babka (SUSE) +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 47 +++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 37 insertions(+), 10 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2713,19 +2713,19 @@ static void __kmem_cache_free_bulk(struc + * object pointers are moved to a on-stack array under the lock. To bound the + * stack usage, limit each batch to PCS_BATCH_MAX. + * +- * returns true if at least partially flushed ++ * Must be called with s->cpu_sheaves->lock locked, returns with the lock ++ * unlocked. ++ * ++ * Returns how many objects are remaining to be flushed + */ +-static bool sheaf_flush_main(struct kmem_cache *s) ++static unsigned int __sheaf_flush_main_batch(struct kmem_cache *s) + { + struct slub_percpu_sheaves *pcs; + unsigned int batch, remaining; + void *objects[PCS_BATCH_MAX]; + struct slab_sheaf *sheaf; +- bool ret = false; + +-next_batch: +- if (!local_trylock(&s->cpu_sheaves->lock)) +- return ret; ++ lockdep_assert_held(this_cpu_ptr(&s->cpu_sheaves->lock)); + + pcs = this_cpu_ptr(s->cpu_sheaves); + sheaf = pcs->main; +@@ -2743,10 +2743,37 @@ next_batch: + + stat_add(s, SHEAF_FLUSH, batch); + +- ret = true; ++ return remaining; ++} + +- if (remaining) +- goto next_batch; ++static void sheaf_flush_main(struct kmem_cache *s) ++{ ++ unsigned int remaining; ++ ++ do { ++ local_lock(&s->cpu_sheaves->lock); ++ ++ remaining = __sheaf_flush_main_batch(s); ++ ++ } while (remaining); ++} ++ ++/* ++ * Returns true if the main sheaf was at least partially flushed. ++ */ ++static bool sheaf_try_flush_main(struct kmem_cache *s) ++{ ++ unsigned int remaining; ++ bool ret = false; ++ ++ do { ++ if (!local_trylock(&s->cpu_sheaves->lock)) ++ return ret; ++ ++ ret = true; ++ remaining = __sheaf_flush_main_batch(s); ++ ++ } while (remaining); + + return ret; + } +@@ -6140,7 +6167,7 @@ alloc_empty: + if (put_fail) + stat(s, BARN_PUT_FAIL); + +- if (!sheaf_flush_main(s)) ++ if (!sheaf_try_flush_main(s)) + return NULL; + + if (!local_trylock(&s->cpu_sheaves->lock)) diff --git a/queue-6.18/smb-server-fix-use-after-free-in-smb2_open.patch b/queue-6.18/smb-server-fix-use-after-free-in-smb2_open.patch new file mode 100644 index 0000000000..ba46ae0ddb --- /dev/null +++ b/queue-6.18/smb-server-fix-use-after-free-in-smb2_open.patch @@ -0,0 +1,44 @@ +From 1e689a56173827669a35da7cb2a3c78ed5c53680 Mon Sep 17 00:00:00 2001 +From: Marios Makassikis +Date: Tue, 3 Mar 2026 11:14:32 +0100 +Subject: smb: server: fix use-after-free in smb2_open() + +From: Marios Makassikis + +commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream. + +The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is +dereferenced after rcu_read_unlock(), creating a use-after-free +window. + +Cc: stable@vger.kernel.org +Signed-off-by: Marios Makassikis +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3625,10 +3625,8 @@ int smb2_open(struct ksmbd_work *work) + + reconnected_fp: + rsp->StructureSize = cpu_to_le16(89); +- rcu_read_lock(); +- opinfo = rcu_dereference(fp->f_opinfo); ++ opinfo = opinfo_get(fp); + rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0; +- rcu_read_unlock(); + rsp->Flags = 0; + rsp->CreateAction = cpu_to_le32(file_info); + rsp->CreationTime = cpu_to_le64(fp->create_time); +@@ -3669,6 +3667,7 @@ reconnected_fp: + next_ptr = &lease_ccontext->Next; + next_off = conn->vals->create_lease_size; + } ++ opinfo_put(opinfo); + + if (maximal_access_ctxt) { + struct create_context *mxac_ccontext; diff --git a/queue-6.18/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch b/queue-6.18/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch new file mode 100644 index 0000000000..f24e024255 --- /dev/null +++ b/queue-6.18/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch @@ -0,0 +1,119 @@ +From 0a663b764dbdf135a126284f454c9f01f95a87d4 Mon Sep 17 00:00:00 2001 +From: Huiwen He +Date: Tue, 24 Feb 2026 10:35:44 +0800 +Subject: tracing: Fix syscall events activation by ensuring refcount hits zero + +From: Huiwen He + +commit 0a663b764dbdf135a126284f454c9f01f95a87d4 upstream. + +When multiple syscall events are specified in the kernel command line +(e.g., trace_event=syscalls:sys_enter_openat,syscalls:sys_enter_close), +they are often not captured after boot, even though they appear enabled +in the tracing/set_event file. + +The issue stems from how syscall events are initialized. Syscall +tracepoints require the global reference count (sys_tracepoint_refcount) +to transition from 0 to 1 to trigger the registration of the syscall +work (TIF_SYSCALL_TRACEPOINT) for tasks, including the init process (pid 1). + +The current implementation of early_enable_events() with disable_first=true +used an interleaved sequence of "Disable A -> Enable A -> Disable B -> Enable B". +If multiple syscalls are enabled, the refcount never drops to zero, +preventing the 0->1 transition that triggers actual registration. + +Fix this by splitting early_enable_events() into two distinct phases: +1. Disable all events specified in the buffer. +2. Enable all events specified in the buffer. + +This ensures the refcount hits zero before re-enabling, allowing syscall +events to be properly activated during early boot. + +The code is also refactored to use a helper function to avoid logic +duplication between the disable and enable phases. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://patch.msgid.link/20260224023544.1250787-1-hehuiwen@kylinos.cn +Fixes: ce1039bd3a89 ("tracing: Fix enabling of syscall events on the command line") +Signed-off-by: Huiwen He +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events.c | 52 +++++++++++++++++++++++++++++++------------- + 1 file changed, 37 insertions(+), 15 deletions(-) + +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -4513,26 +4513,22 @@ static __init int event_trace_memsetup(v + return 0; + } + +-__init void +-early_enable_events(struct trace_array *tr, char *buf, bool disable_first) ++/* ++ * Helper function to enable or disable a comma-separated list of events ++ * from the bootup buffer. ++ */ ++static __init void __early_set_events(struct trace_array *tr, char *buf, bool enable) + { + char *token; +- int ret; +- +- while (true) { +- token = strsep(&buf, ","); +- +- if (!token) +- break; + ++ while ((token = strsep(&buf, ","))) { + if (*token) { +- /* Restarting syscalls requires that we stop them first */ +- if (disable_first) ++ if (enable) { ++ if (ftrace_set_clr_event(tr, token, 1)) ++ pr_warn("Failed to enable trace event: %s\n", token); ++ } else { + ftrace_set_clr_event(tr, token, 0); +- +- ret = ftrace_set_clr_event(tr, token, 1); +- if (ret) +- pr_warn("Failed to enable trace event: %s\n", token); ++ } + } + + /* Put back the comma to allow this to be called again */ +@@ -4541,6 +4537,32 @@ early_enable_events(struct trace_array * + } + } + ++/** ++ * early_enable_events - enable events from the bootup buffer ++ * @tr: The trace array to enable the events in ++ * @buf: The buffer containing the comma separated list of events ++ * @disable_first: If true, disable all events in @buf before enabling them ++ * ++ * This function enables events from the bootup buffer. If @disable_first ++ * is true, it will first disable all events in the buffer before enabling ++ * them. ++ * ++ * For syscall events, which rely on a global refcount to register the ++ * SYSCALL_WORK_SYSCALL_TRACEPOINT flag (especially for pid 1), we must ++ * ensure the refcount hits zero before re-enabling them. A simple ++ * "disable then enable" per-event is not enough if multiple syscalls are ++ * used, as the refcount will stay above zero. Thus, we need a two-phase ++ * approach: disable all, then enable all. ++ */ ++__init void ++early_enable_events(struct trace_array *tr, char *buf, bool disable_first) ++{ ++ if (disable_first) ++ __early_set_events(tr, buf, false); ++ ++ __early_set_events(tr, buf, true); ++} ++ + static __init int event_trace_enable(void) + { + struct trace_array *tr = top_trace_array();