From: Greg Kroah-Hartman
Date: Tue, 27 Jan 2026 13:32:03 +0000 (+0100)
Subject: 6.18-stable patches
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22454d8252f8eb9bbe31f2855e85e8076f18bd3d;p=thirdparty%2Fkernel%2Fstable-queue.git

6.18-stable patches

added patches:
      alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
      alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch
      alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch
      alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
      arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch
      arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch
      arm64-fpsimd-signal-fix-restoration-of-sve-context.patch
      arm64-set-__nocfi-on-swsusp_arch_resume.patch
      can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
      can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch
      can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
      can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
      can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
      drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch
      drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch
      drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch
      drm-xe-adjust-page-count-tracepoints-in-shrinker.patch
      drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch
      gpio-cdev-correct-return-code-on-memory-allocation-failure.patch
      gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch
      gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch
      iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch
      iio-accel-iis328dq-fix-gain-values.patch
      iio-adc-ad9467-fix-ad9434-vref-mask.patch
      iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
      iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch
      iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch
      iio-chemical-scd4x-fix-reported-channel-endianness.patch
      iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch
      iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
      intel_th-fix-device-leak-on-output-open.patch
      iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch
      irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
      ksmbd-smbd-fix-dma_unmap_sg-nents.patch
      leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
      mei-trace-treat-reg-parameter-as-string.patch
      migrate-correct-lock-ordering-for-hugetlb-file-folios.patch
      mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
      mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch
      net-fec-account-for-vlan-header-in-frame-length-calculations.patch
      net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch
      net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch
      netrom-fix-double-free-in-nr_route_frame.patch
      octeontx2-fix-otx2_dma_map_page-error-return-code.patch
      of-fix-reference-count-leak-in-of_alias_scan.patch
      of-platform-use-default-match-table-for-firmware.patch
      panic-only-warn-about-deprecated-panic_print-on-write-access.patch
      perf-x86-intel-do-not-enable-bts-for-guests.patch
      platform-x86-hp-bioscfg-fix-automatic-module-loading.patch
      pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch
      pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch
      rust-io-always-inline-functions-using-build_assert-with-arguments.patch
      rust-irq-always-inline-functions-using-build_assert-with-arguments.patch
      rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch
      s390-ap-fix-wrong-apqn-fill-calculation.patch
      s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch
      slimbus-core-fix-device-reference-leak-on-report-present.patch
      slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
      tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch
      uacce-ensure-safe-queue-release-with-state-management.patch
      uacce-fix-cdev-handling-in-the-cleanup-path.patch
      uacce-fix-isolate-sysfs-check-condition.patch
      uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
      wifi-ath10k-fix-dma_free_coherent-pointer.patch
      wifi-ath12k-fix-dma_free_coherent-pointer.patch
      wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
      wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch
---
diff --git a/queue-6.18/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch b/queue-6.18/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch new file mode 100644 index 0000000000..19d2c2bc3a --- /dev/null +++ b/queue-6.18/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
@@ -0,0 +1,54 @@ +From 61006c540cbdedea83b05577dc7fb7fa18fe1276 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 19 Jan 2026 14:32:07 +0100 +Subject: ALSA: ctxfi: Fix potential OOB access in audio mixer handling + +From: Takashi Iwai + +commit 61006c540cbdedea83b05577dc7fb7fa18fe1276 upstream. + +In the audio mixer handling code of ctxfi driver, the conj field is +used as a kind of loop index, and it's referred to in the index callbacks +(amixer_index() and sum_index()). + +As spotted recently by fuzzers, the current code causes OOB access at +those functions. +| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 +| index 8 is out of range for type 'unsigned char [8]' + +After the analysis, the cause was found to be the lack of the proper +(re-)initialization of conj field. + +This patch addresses those OOB accesses by adding the proper +initializations of the loop indices. + +Reported-by: Salvatore Bonaccorso +Tested-by: Karsten Hohmeier +Closes: https://bugs.debian.org/1121535 +Cc: +Link: https://lore.kernel.org/all/aSk8KJI35H7gFru6@eldamar.lan/ +Link: https://patch.msgid.link/20260119133212.189129-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ctxfi/ctamixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/ctxfi/ctamixer.c ++++ b/sound/pci/ctxfi/ctamixer.c +@@ -205,6 +205,7 @@ static int amixer_rsc_init(struct amixer + + /* Set amixer specific operations */ + amixer->rsc.ops = &amixer_basic_rsc_ops; ++ amixer->rsc.conj = 0; + amixer->ops = &amixer_ops; + amixer->input = NULL; + amixer->sum = NULL; +@@ -367,6 +368,7 @@ static int sum_rsc_init(struct sum *sum, + return err; + + sum->rsc.ops = &sum_basic_rsc_ops; ++ sum->rsc.conj = 0; + + return 0; + }
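Review bot: `amixer->rsc.conj = 0;` in amixer_rsc_init() resets the index only when the resource is initialised; amixer_index(), which the commit message identifies as the callback that uses conj as a loop index and where UBSAN reported index 8 for an 8-entry array, still gets no bound check in this patch. If anything can advance conj between two calls to amixer_rsc_init() the OOB read remains reachable, so either state in the message why every user re-runs the init first, or clamp (or WARN_ON) the index in the callback as well.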
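Review bot: in sum_rsc_init() the reset is added after the generic rsc initialisation returns (the `return err;` context line just above), and amixer_rsc_init() gets an identical line. If that shared initialiser is the common path for every rsc type, zeroing conj there once would cover all rsc users instead of the two call sites touched here and would keep the two copies from drifting apart.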
diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch new file mode 100644 index 0000000000..9e1b1c75f8 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch @@ -0,0 +1,32 @@ +From c45385ed624eecc5305ff165e1ac5dfa7548bcd5 Mon Sep 17 00:00:00 2001 +From: Zhang Heng +Date: Thu, 22 Jan 2026 16:52:40 +0800 +Subject: ALSA: hda/realtek: Add quirk for Samsung 730QED to fix headphone + +From: Zhang Heng + +commit c45385ed624eecc5305ff165e1ac5dfa7548bcd5 upstream. + +After applying this quirk for the ALC256 audio codec, the headphone +audio path functions normally; otherwise, headphones produce no sound. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220574 +Cc: +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260122085240.3163975-1-zhangheng@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6906,6 +6906,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc832, "Samsung Galaxy Book Flex Alpha (NP730QCJ)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), ++ SND_PCI_QUIRK(0x144d, 0xc876, "Samsung 730QED (NP730QED-KA2US)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xca03, "Samsung Galaxy Book2 Pro 360 (NP930QED)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xca06, "Samsung Galaxy Book3 360 (NP730QFG)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET), + SND_PCI_QUIRK(0x144d, 0xc868, "Samsung Galaxy Book2 Pro (NP930XED)", ALC298_FIXUP_SAMSUNG_AMP), 
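Review bot: style only: the new `SND_PCI_QUIRK(0x144d, 0xc876, ...)` entry is placed in subsystem-id order between 0xc832 and 0xca03, which is right, but the context shows 0xc868 sitting after 0xca06, so the table is not fully sorted; a follow-up moving that entry would keep future insertions unambiguous. The fixup chosen matches the neighbouring ALC256 entry (0xc832), consistent with the ALC256 codec named in the message.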
diff --git a/queue-6.18/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch b/queue-6.18/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch new file mode 100644 index 0000000000..c4b4b6dd3a --- /dev/null +++ b/queue-6.18/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch 
@@ -0,0 +1,51 @@ +From 6f5c69f72e50d51be3a8c028ae7eda42c82902cb Mon Sep 17 00:00:00 2001 +From: Samasth Norway Ananda +Date: Fri, 16 Jan 2026 17:27:06 -0800 +Subject: ALSA: scarlett2: Fix buffer overflow in config retrieval + +From: Samasth Norway Ananda + +commit 6f5c69f72e50d51be3a8c028ae7eda42c82902cb upstream. + +The scarlett2_usb_get_config() function has a logic error in the +endianness conversion code that can cause buffer overflows when +count > 1. + +The code checks `if (size == 2)` where `size` is the total buffer size in +bytes, then loops `count` times treating each element as u16 (2 bytes). +This causes the loop to access `count * 2` bytes when the buffer only +has `size` bytes allocated. + +Fix by checking the element size (config_item->size) instead of the +total buffer size. This ensures the endianness conversion matches the +actual element type. + +Fixes: ac34df733d2d ("ALSA: usb-audio: scarlett2: Update get_config to do endian conversion") +Cc: stable@vger.kernel.org +Signed-off-by: Samasth Norway Ananda +Link: https://patch.msgid.link/20260117012706.1715574-1-samasth.norway.ananda@oracle.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_scarlett2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/usb/mixer_scarlett2.c ++++ b/sound/usb/mixer_scarlett2.c +@@ -2533,13 +2533,13 @@ static int scarlett2_usb_get_config( + err = scarlett2_usb_get(mixer, config_item->offset, buf, size); + if (err < 0) + return err; +- if (size == 2) { ++ if (config_item->size == 16) { + u16 *buf_16 = buf; + + for (i = 0; i < count; i++, buf_16++) + *buf_16 = le16_to_cpu(*(__le16 *)buf_16); +- } else if (size == 4) { +- u32 *buf_32 = buf; ++ } else if (config_item->size == 32) { ++ u32 *buf_32 = (u32 *)buf; + + for (i = 0; i < count; i++, buf_32++) + *buf_32 = le32_to_cpu(*(__le32 *)buf_32); 
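Review bot: the replacement tests `config_item->size == 16` and `== 32` only make sense if config_item->size is a width in bits, while the removed `size == 2` / `size == 4` tests and the `size` passed to scarlett2_usb_get() are byte counts; the commit message says "element size" without giving the unit, so state it there and in a comment on the `if`, or the next reader will take 16/32 for a typo of 2/4. Also the new `(u32 *)buf` cast is inconsistent with the unchanged `u16 *buf_16 = buf;` a few lines above; if buf is a void pointer neither cast is needed, so drop it rather than add it.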
diff --git a/queue-6.18/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch b/queue-6.18/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch new file mode 100644 index 0000000000..feed654ca6 --- /dev/null +++ b/queue-6.18/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch 
@@ -0,0 +1,65 @@ +From 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 Mon Sep 17 00:00:00 2001 +From: Berk Cem Goksel +Date: Tue, 20 Jan 2026 13:28:55 +0300 +Subject: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() + +From: Berk Cem Goksel + +commit 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 upstream. + +When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees +mixer->id_elems but the controls already added to the card still +reference the freed memory. Later when snd_card_register() runs, +the OSS mixer layer calls their callbacks and hits a use-after-free read. + +Call trace: + get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 + get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 + mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 + snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 + ... + snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 + usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 + +Fix by calling snd_ctl_remove() for all mixer controls before freeing +id_elems. We save the next pointer first because snd_ctl_remove() +frees the current element. 
+ +Fixes: 6639b6c2367f ("[ALSA] usb-audio - add mixer control notifications") +Cc: stable@vger.kernel.org +Cc: Andrey Konovalov +Signed-off-by: Berk Cem Goksel +Link: https://patch.msgid.link/20260120102855.7300-1-berkcgoksel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2945,10 +2945,23 @@ static int parse_audio_unit(struct mixer + + static void snd_usb_mixer_free(struct usb_mixer_interface *mixer) + { ++ struct usb_mixer_elem_list *list, *next; ++ int id; ++ + /* kill pending URBs */ + snd_usb_mixer_disconnect(mixer); + +- kfree(mixer->id_elems); ++ /* Unregister controls first, snd_ctl_remove() frees the element */ ++ if (mixer->id_elems) { ++ for (id = 0; id < MAX_ID_ELEMS; id++) { ++ for (list = mixer->id_elems[id]; list; list = next) { ++ next = list->next_id_elem; ++ if (list->kctl) ++ snd_ctl_remove(mixer->chip->card, list->kctl); ++ } ++ } ++ kfree(mixer->id_elems); ++ } + if (mixer->urb) { + kfree(mixer->urb->transfer_buffer); + usb_free_urb(mixer->urb); diff --git a/queue-6.18/arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch b/queue-6.18/arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch new file mode 100644 index 0000000000..c0ddba0783 --- /dev/null +++ b/queue-6.18/arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch 
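Review bot: in the snd_usb_mixer_free() hunk, the snd_ctl_remove() loop runs on every call of this function, not only in the snd_usb_create_mixer() failure path the commit message describes; the message should say why it is also safe on normal card teardown, where the control layer frees the card's controls, so that the same kctl is never released twice. The comment `snd_ctl_remove() frees the element` should name what goes away (the list node `list` itself, which is why `next` is read first), and elements whose `list->kctl` is NULL are skipped without being freed here, so confirm they are owned elsewhere or that the case cannot occur.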
@@ -0,0 +1,93 @@ +From 128a7494a9f15aad60cc6b7e3546bf481ac54a13 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 20 Jan 2026 14:51:05 +0000 +Subject: arm64/fpsimd: ptrace: Fix SVE writes on !SME systems + +From: Mark Rutland + +commit 128a7494a9f15aad60cc6b7e3546bf481ac54a13 upstream. + +When SVE is supported but SME is not supported, a ptrace write to the +NT_ARM_SVE regset can place the tracee into an invalid state where +(non-streaming) SVE register data is stored in FP_STATE_SVE format but +TIF_SVE is clear. This can result in a later warning from +fpsimd_restore_current_state(), e.g. + + WARNING: CPU: 0 PID: 7214 at arch/arm64/kernel/fpsimd.c:383 fpsimd_restore_current_state+0x50c/0x748 + +When this happens, fpsimd_restore_current_state() will set TIF_SVE, +placing the task into the correct state. This occurs before any other +check of TIF_SVE can possibly occur, as other checks of TIF_SVE only +happen while the FPSIMD/SVE/SME state is live. Thus, aside from the +warning, there is no functional issue. + +This bug was introduced during rework to error handling in commit: + + 9f8bf718f2923 ("arm64/fpsimd: ptrace: Gracefully handle errors") + +... where the setting of TIF_SVE was moved into a block which is only +executed when system_supports_sme() is true. + +Fix this by removing the system_supports_sme() check. This ensures that +TIF_SVE is set for (SVE-formatted) writes to NT_ARM_SVE, at the cost of +unconditionally manipulating the tracee's saved svcr value. The +manipulation of svcr is benign and inexpensive, and we already do +similar elsewhere (e.g. during signal handling), so I don't think it's +worth guarding this with system_supports_sme() checks. + +Aside from the above, there is no functional change. The 'type' argument +to sve_set_common() is only set to ARM64_VEC_SME (in ssve_set()) when +system_supports_sme(), so the ARM64_VEC_SME case in the switch statement +is still unreachable when !system_supports_sme().
When +CONFIG_ARM64_SME=n, the only caller of sve_set_common() is sve_set(), +and the compiler can constant-fold for the case where type is +ARM64_VEC_SVE, removing the logic for other cases. + +Reported-by: syzbot+d4ab35af21e99d07ce67@syzkaller.appspotmail.com +Fixes: 9f8bf718f292 ("arm64/fpsimd: ptrace: Gracefully handle errors") +Signed-off-by: Mark Rutland +Cc: +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -942,20 +942,18 @@ static int sve_set_common(struct task_st + vq = sve_vq_from_vl(task_get_vl(target, type)); + + /* Enter/exit streaming mode */ +- if (system_supports_sme()) { +- switch (type) { +- case ARM64_VEC_SVE: +- target->thread.svcr &= ~SVCR_SM_MASK; +- set_tsk_thread_flag(target, TIF_SVE); +- break; +- case ARM64_VEC_SME: +- target->thread.svcr |= SVCR_SM_MASK; +- set_tsk_thread_flag(target, TIF_SME); +- break; +- default: +- WARN_ON_ONCE(1); +- return -EINVAL; +- } ++ switch (type) { ++ case ARM64_VEC_SVE: ++ target->thread.svcr &= ~SVCR_SM_MASK; ++ set_tsk_thread_flag(target, TIF_SVE); ++ break; ++ case ARM64_VEC_SME: ++ target->thread.svcr |= SVCR_SM_MASK; ++ set_tsk_thread_flag(target, TIF_SME); ++ break; ++ default: ++ WARN_ON_ONCE(1); ++ return -EINVAL; + } + + /* Always zero V regs, FPSR, and FPCR */ diff --git a/queue-6.18/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch b/queue-6.18/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch new file mode 100644 index 0000000000..2759ced23d --- /dev/null +++ b/queue-6.18/arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch 
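Review bot: in the sve_set_common() hunk, dropping the `if (system_supports_sme())` guard means `target->thread.svcr` is written for every SVE regset write, including on !SME systems; the commit message explains why that is benign, but nothing in the code does, so add a short comment above the switch saying the svcr update is intentionally unconditional so that TIF_SVE is always set. Without it, a later cleanup is likely to re-add the guard and reintroduce the exact bug being fixed.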
@@ -0,0 +1,98 @@ +From ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 20 Jan 2026 14:51:06 +0000 +Subject: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA + +From: Mark Rutland + +commit ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 upstream. + +The code to restore a ZA context doesn't attempt to allocate the task's +sve_state before setting TIF_SME. Consequently, restoring a ZA context +can place a task into an invalid state where TIF_SME is set but the +task's sve_state is NULL. + +In legitimate but uncommon cases where the ZA signal context was NOT +created by the kernel in the context of the same task (e.g. if the task +is saved/restored with something like CRIU), we have no guarantee that +sve_state had been allocated previously. In these cases, userspace can +enter streaming mode without trapping while sve_state is NULL, causing a +later NULL pointer dereference when the kernel attempts to store the +register state: + +| # ./sigreturn-za +| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +| Mem abort info: +| ESR = 0x0000000096000046 +| EC = 0x25: DABT (current EL), IL = 32 bits +| SET = 0, FnV = 0 +| EA = 0, S1PTW = 0 +| FSC = 0x06: level 2 translation fault +| Data abort info: +| ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 +| CM = 0, WnR = 1, TnD = 0, TagAccess = 0 +| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00 +| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000 +| Internal error: Oops: 0000000096000046 [#1] SMP +| Modules linked in: +| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT +| Hardware name: linux,dummy-virt (DT) +| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +| pc : sve_save_state+0x4/0xf0 +| lr : fpsimd_save_user_state+0xb0/0x1c0 +| sp : ffff80008070bcc0 +| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658 +| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000 +| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40 +| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000 +| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c +| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020 +| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0 +| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48 +| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000 +| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440 +| Call trace: +| sve_save_state+0x4/0xf0 (P) +| fpsimd_thread_switch+0x48/0x198 +| __switch_to+0x20/0x1c0 +| __schedule+0x36c/0xce0 +| schedule+0x34/0x11c +| exit_to_user_mode_loop+0x124/0x188 +| el0_interrupt+0xc8/0xd8 +| __el0_irq_handler_common+0x18/0x24 +| el0t_64_irq_handler+0x10/0x1c +| el0t_64_irq+0x198/0x19c +| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800) +| ---[ end trace 0000000000000000 ]--- + +Fix this by having restore_za_context() ensure that the task's sve_state +is allocated, matching what we do when taking an SME trap. Any live +SVE/SSVE state (which is restored earlier from a separate signal +context) must be preserved, and hence this is not zeroed.
+ +Fixes: 39782210eb7e ("arm64/sme: Implement ZA signal handling") +Signed-off-by: Mark Rutland +Cc: +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/signal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -576,6 +576,10 @@ static int restore_za_context(struct use + if (user->za_size < ZA_SIG_CONTEXT_SIZE(vq)) + return -EINVAL; + ++ sve_alloc(current, false); ++ if (!current->thread.sve_state) ++ return -ENOMEM; ++ + sme_alloc(current, true); + if (!current->thread.sme_state) { + current->thread.svcr &= ~SVCR_ZA_MASK; diff --git a/queue-6.18/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch b/queue-6.18/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch new file mode 100644 index 0000000000..eb730643f0 --- /dev/null +++ b/queue-6.18/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch 
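Review bot: in the restore_za_context() hunk, the new `sve_alloc(current, false)` failure path returns -ENOMEM without touching svcr, while the existing sme_alloc() failure path directly below clears SVCR_ZA_MASK before returning; if SVCR.ZA can already be set when this runs, the two error exits leave the task in different states, so either mirror the clear or add a comment on why it is unnecessary here. A comment explaining why the second argument is `false` (the message says live SVE/SSVE state restored earlier must not be zeroed) would also make the intent survive future edits.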
@@ -0,0 +1,131 @@ +From d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 20 Jan 2026 14:51:07 +0000 +Subject: arm64/fpsimd: signal: Fix restoration of SVE context + +From: Mark Rutland + +commit d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 upstream. + +When SME is supported, restoring SVE signal context can go wrong in a +few ways, including placing the task into an invalid state where the +kernel may read from out-of-bounds memory (and may potentially take a +fatal fault) and/or may kill the task with a SIGKILL. + +(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into + an invalid state where SVCR.SM is set (and sve_state is non-NULL) + but TIF_SME is clear, consequently resulting in out-of-bounds memory + reads and/or killing the task with SIGKILL. + + This can only occur in unusual (but legitimate) cases where the SVE + signal context has either been modified by userspace or was saved in + the context of another task (e.g. as with CRIU), as otherwise the + presence of an SVE signal context with SVE_SIG_FLAG_SM implies that + TIF_SME is already set. + + While in this state, task_fpsimd_load() will NOT configure SMCR_ELx + (leaving some arbitrary value configured in hardware) before + restoring SVCR and attempting to restore the streaming mode SVE + registers from memory via sve_load_state(). As the value of + SMCR_ELx.LEN may be larger than the task's streaming SVE vector + length, this may read memory outside of the task's allocated + sve_state, reading unrelated data and/or triggering a fault. + + While this can result in secrets being loaded into streaming SVE + registers, these values are never exposed. As TIF_SME is clear, + fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0 + accesses to streaming mode SVE registers, so these cannot be + accessed directly at EL0. As fpsimd_save_user_state() verifies the + live vector length before saving (S)SVE state to memory, no secret + values can be saved back to memory (and hence cannot be observed via + ptrace, signals, etc). + + When the live vector length doesn't match the expected vector length + for the task, fpsimd_save_user_state() will send a fatal SIGKILL + signal to the task. Hence the task may be killed after executing + userspace for some period of time. + +(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the + task's SVCR.SM. If SVCR.SM was set prior to restoring the context, + then the task will be left in streaming mode unexpectedly, and some + register state will be combined inconsistently, though the task will + be left in legitimate state from the kernel's PoV. + + This can only occur in unusual (but legitimate) cases where ptrace + has been used to set SVCR.SM after entry to the sigreturn syscall, + as syscall entry clears SVCR.SM. + + In these cases, the provided SVE register data will be loaded + into the task's sve_state using the non-streaming SVE vector length + and the FPSIMD registers will be merged into this using the + streaming SVE vector length. + +Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires +ensuring that the task's sme_state has been allocated, but as this could +contain live ZA state, it should not be zeroed. Fix (2) by clearing +SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear. + +For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME, +and fp_type earlier, immediately after the allocation of +sve_state/sme_state, before the restore of the actual register state. +This makes it easier to ensure that these are always modified +consistently, even if a fault is taken while reading the register data +from the signal context. I do not expect any software to depend on the +exact state restored when a fault is taken while reading the context.
+ +Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling") +Signed-off-by: Mark Rutland +Cc: +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/signal.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -449,12 +449,28 @@ static int restore_sve_fpsimd_context(st + if (user->sve_size < SVE_SIG_CONTEXT_SIZE(vq)) + return -EINVAL; + ++ if (sm) { ++ sme_alloc(current, false); ++ if (!current->thread.sme_state) ++ return -ENOMEM; ++ } ++ + sve_alloc(current, true); + if (!current->thread.sve_state) { + clear_thread_flag(TIF_SVE); + return -ENOMEM; + } + ++ if (sm) { ++ current->thread.svcr |= SVCR_SM_MASK; ++ set_thread_flag(TIF_SME); ++ } else { ++ current->thread.svcr &= ~SVCR_SM_MASK; ++ set_thread_flag(TIF_SVE); ++ } ++ ++ current->thread.fp_type = FP_STATE_SVE; ++ + err = __copy_from_user(current->thread.sve_state, + (char __user const *)user->sve + + SVE_SIG_REGS_OFFSET, +@@ -462,12 +478,6 @@ static int restore_sve_fpsimd_context(st + if (err) + return -EFAULT; + +- if (flags & SVE_SIG_FLAG_SM) +- current->thread.svcr |= SVCR_SM_MASK; +- else +- set_thread_flag(TIF_SVE); +- current->thread.fp_type = FP_STATE_SVE; +- + err = read_fpsimd_context(&fpsimd, user); + if (err) + return err; diff --git a/queue-6.18/arm64-set-__nocfi-on-swsusp_arch_resume.patch b/queue-6.18/arm64-set-__nocfi-on-swsusp_arch_resume.patch new file mode 100644 index 0000000000..717ec9264e --- /dev/null +++ b/queue-6.18/arm64-set-__nocfi-on-swsusp_arch_resume.patch 
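Review bot: in the first restore_sve_fpsimd_context() hunk, svcr, TIF_SVE/TIF_SME and fp_type are now committed before the `__copy_from_user()` of the register data, so an -EFAULT leaves the task with the new mode flags but partially or entirely stale sve_state; the commit message argues that is acceptable, but the code should carry that reasoning as a comment at the flag update, because in isolation it reads like the bug it is fixing. Also note that the `sm` branch sets TIF_SME without touching TIF_SVE and the other branch sets TIF_SVE without clearing TIF_SME; say in the comment that this is deliberate.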
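Review bot: the second hunk deletes the `if (flags & SVE_SIG_FLAG_SM)` test, but the replacement logic in the first hunk branches on a local `sm` that is outside the visible context; confirm `sm` is derived from exactly that flag (and nothing else), since otherwise a context with SVE_SIG_FLAG_SM set but `sm` false would now take the non-streaming branch and clear SVCR.SM.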
@@ -0,0 +1,94 @@ +From e2f8216ca2d8e61a23cb6ec355616339667e0ba6 Mon Sep 17 00:00:00 2001 +From: Zhaoyang Huang +Date: Thu, 22 Jan 2026 19:49:25 +0800 +Subject: arm64: Set __nocfi on swsusp_arch_resume() + +From: Zhaoyang Huang + +commit e2f8216ca2d8e61a23cb6ec355616339667e0ba6 upstream. + +A DABT is reported[1] on an Android-based system when resuming from hibernate. +This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*() +and does not have a CFI hash, but swsusp_arch_resume() will attempt to +verify the CFI hash when calling a copy of swsusp_arch_suspend_exit(). + +Given that there's an existing requirement that the entrypoint to +swsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text +section, we cannot fix this by marking swsusp_arch_suspend_exit() with +SYM_FUNC_*(). The simplest fix for now is to disable the CFI check in +swsusp_arch_resume(). + +Mark swsusp_arch_resume() as __nocfi to disable the CFI check. + +[1] +[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc +[ 22.991934][ T1] Mem abort info: +[ 22.991934][ T1] ESR = 0x0000000096000007 +[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits +[ 22.991934][ T1] SET = 0, FnV = 0 +[ 22.991934][ T1] EA = 0, S1PTW = 0 +[ 22.991934][ T1] FSC = 0x07: level 3 translation fault +[ 22.991934][ T1] Data abort info: +[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 +[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper +[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP +[ 22.991934][ T1] Dumping ftrace buffer: +[ 22.991934][ T1] (ftrace buffer empty) +[ 22.991934][ T1] Modules linked in: +[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419 +[ 22.991934][ T1] Hardware name: Unisoc UMS9360-base Board (DT) +[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344 +[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344 +[ 22.991934][ T1] sp : ffffffc08006b960 +[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000 +[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820 +[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000 +[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058 +[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004 +[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000 +[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000 +[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b +[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530 +[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000 +[ 22.991934][ T1] Call trace: +[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344 +[ 22.991934][ T1] hibernation_restore+0x158/0x18c +[ 22.991934][ T1] load_image_and_restore+0xb0/0xec +[ 22.991934][ T1] software_resume+0xf4/0x19c +[ 22.991934][ T1] software_resume_initcall+0x34/0x78 +[ 22.991934][ T1] do_one_initcall+0xe8/0x370 +[ 22.991934][ T1] do_initcall_level+0xc8/0x19c +[ 22.991934][ T1] do_initcalls+0x70/0xc0 +[ 22.991934][ T1] do_basic_setup+0x1c/0x28 +[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148 +[ 22.991934][ T1] kernel_init+0x20/0x1a8 +[ 22.991934][ T1] ret_from_fork+0x10/0x20 +[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110) + +Co-developed-by: Jeson Gao +Signed-off-by: Jeson Gao +Signed-off-by: Zhaoyang Huang +Acked-by: Will Deacon +Acked-by: Mark Rutland +Cc: +[catalin.marinas@arm.com: commit log updated by Mark Rutland] +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/hibernate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/hibernate.c ++++ b/arch/arm64/kernel/hibernate.c +@@ -402,7 +402,7 @@ int swsusp_arch_suspend(void) + * Memory allocated by get_safe_page() will be dealt with by the hibernate code, + * we don't need to free it here. + */ +-int swsusp_arch_resume(void) ++int __nocfi swsusp_arch_resume(void) + { + int rc; + void *zero_page; diff --git a/queue-6.18/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..054f54d51f --- /dev/null +++ b/queue-6.18/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
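Review bot: `__nocfi` on swsusp_arch_resume() exempts every indirect call in the function from CFI, not just the call into the copied swsusp_arch_suspend_exit() that the message says has no CFI hash; add a comment at the definition recording that the callee must stay SYM_CODE_*() because its entry point has to be the first byte of .hibernate_exit.text, so that the annotation is not removed later and so reviewers know the scope of the exemption.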
@@ -0,0 +1,56 @@ +From 0ce73a0eb5a27070957b67fd74059b6da89cc516 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 0ce73a0eb5a27070957b67fd74059b6da89cc516 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In ems_usb_open(), the URBs for USB-in transfers are allocated, added to +the dev->rx_submitted anchor and submitted. In the complete callback +ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In +ems_usb_close() the URBs are freed by calling +usb_kill_anchored_urbs(&dev->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in ems_usb_close(). + +Fix the memory leak by anchoring the URB in the +ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. 
+ +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-1-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ems_usb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -486,11 +486,17 @@ resubmit_urb: + urb->transfer_buffer, RX_BUFFER_SIZE, + ems_usb_read_bulk_callback, dev); + ++ usb_anchor_urb(urb, &dev->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); + + if (retval == -ENODEV) + netif_device_detach(netdev); +- else if (retval) ++ else + netdev_err(netdev, + "failed resubmitting read bulk urb: %d\n", retval); + } diff --git a/queue-6.18/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..beafaf539d --- /dev/null +++ b/queue-6.18/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch 
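Review bot: the resubmit failure path in ems_usb_read_bulk_callback() still looks leaky. usb_anchor_urb() takes a reference, the new usb_unanchor_urb() drops it again when usb_submit_urb() fails, and the hunk then only detaches the netdev or logs; nothing visible releases urb->transfer_buffer, so a failed resubmit loses the buffer exactly as before the patch. Either free the buffer on that path or say in the commit message why it is out of scope. The `else if (retval)` to `else` change is correct now that success returns early.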
@@ -0,0 +1,59 @@ +From 5a4391bdc6c8357242f62f22069c865b792406b3 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 5a4391bdc6c8357242f62f22069c865b792406b3 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In esd_usb_open(), the URBs for USB-in transfers are allocated, added to +the dev->rx_submitted anchor and submitted. In the complete callback +esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In +esd_usb_close() the URBs are freed by calling +usb_kill_anchored_urbs(&dev->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in esd_usb_close(). + +Fix the memory leak by anchoring the URB in the +esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. 
+ +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-2-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/esd_usb.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/esd_usb.c ++++ b/drivers/net/can/usb/esd_usb.c +@@ -541,13 +541,20 @@ resubmit_urb: + urb->transfer_buffer, ESD_USB_RX_BUFFER_SIZE, + esd_usb_read_bulk_callback, dev); + ++ usb_anchor_urb(urb, &dev->rx_submitted); ++ + err = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!err) ++ return; ++ ++ usb_unanchor_urb(urb); ++ + if (err == -ENODEV) { + for (i = 0; i < dev->net_count; i++) { + if (dev->nets[i]) + netif_device_detach(dev->nets[i]->netdev); + } +- } else if (err) { ++ } else { + dev_err(dev->udev->dev.parent, + "failed resubmitting read bulk urb: %pe\n", ERR_PTR(err)); + } diff --git a/queue-6.18/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..b6264014dc --- /dev/null +++ b/queue-6.18/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch 
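Review bot: missing documentation in the hunk: to a reader who does not know that the USB core unanchors an URB before calling its completion handler, the new `usb_anchor_urb(urb, &dev->rx_submitted);` looks redundant with the anchoring done in esd_usb_open(). A two-line comment above it carrying the explanation already given in the commit message would keep someone from removing it again. The -ENODEV loop over dev->nets runs after the URB is unanchored, which is the right order.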
@@ -0,0 +1,62 @@ +From 248e8e1a125fa875158df521b30f2cc7e27eeeaa Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 248e8e1a125fa875158df521b30f2cc7e27eeeaa upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the +URBs for USB-in transfers are allocated, added to the dev->rx_submitted +anchor and submitted. In the complete callback +kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In +kvaser_usb_remove_interfaces() the URBs are freed by calling +usb_kill_anchored_urbs(&dev->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in usb_kill_anchored_urbs(). + +Fix the memory leak by anchoring the URB in the +kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. 
+ +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-3-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +@@ -361,7 +361,14 @@ resubmit_urb: + urb->transfer_buffer, KVASER_USB_RX_BUFFER_SIZE, + kvaser_usb_read_bulk_callback, dev); + ++ usb_anchor_urb(urb, &dev->rx_submitted); ++ + err = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!err) ++ return; ++ ++ usb_unanchor_urb(urb); ++ + if (err == -ENODEV) { + for (i = 0; i < dev->nchannels; i++) { + struct kvaser_usb_net_priv *priv; +@@ -372,7 +379,7 @@ resubmit_urb: + + netif_device_detach(priv->netdev); + } +- } else if (err) { ++ } else { + dev_err(&dev->intf->dev, + "Failed resubmitting read bulk urb: %d\n", err); + } diff --git a/queue-6.18/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..5d23c7b9d3 --- /dev/null +++ b/queue-6.18/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch 
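Review bot: style point on the second hunk: the `} else {` branch it touches logs with `"Failed resubmitting read bulk urb: %d\n", err`, while the esd_usb patch in the same series prints the error with `%pe` and ERR_PTR(); since the branch is being edited anyway, switching to `%pe` would make the series consistent. That `else if (err)` to `else` change is only correct because the first hunk returns on `!err`, so the two hunks must stay together in any backport.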
@@ -0,0 +1,56 @@ +From 710a7529fb13c5a470258ff5508ed3c498d54729 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 710a7529fb13c5a470258ff5508ed3c498d54729 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are +allocated, added to the priv->rx_submitted anchor and submitted. In the +complete callback mcba_usb_read_bulk_callback(), the URBs are processed and +resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by +calling usb_kill_anchored_urbs(&priv->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in usb_kill_anchored_urbs(). + +Fix the memory leak by anchoring the URB in the +mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor. 
+ +Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-4-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/mcba_usb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/mcba_usb.c ++++ b/drivers/net/can/usb/mcba_usb.c +@@ -608,11 +608,17 @@ resubmit_urb: + urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE, + mcba_usb_read_bulk_callback, priv); + ++ usb_anchor_urb(urb, &priv->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); + + if (retval == -ENODEV) + netif_device_detach(netdev); +- else if (retval) ++ else + netdev_err(netdev, "failed resubmitting read bulk urb: %d\n", + retval); + } diff --git a/queue-6.18/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..06969b5181 --- /dev/null +++ b/queue-6.18/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch 
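Review bot: commit message nit: "mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor" is missing a space after the closing parenthesis. In the hunk the anchor/submit/unanchor sequence matches the other drivers in the series, and netif_device_detach() in the -ENODEV branch runs after the URB is already unanchored, so close() cannot reach the URB any more; fine.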
@@ -0,0 +1,56 @@ +From f7a980b3b8f80fe367f679da376cf76e800f9480 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit f7a980b3b8f80fe367f679da376cf76e800f9480 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are +allocated, added to the priv->rx_submitted anchor and submitted. In the +complete callback usb_8dev_read_bulk_callback(), the URBs are processed and +resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by +calling usb_kill_anchored_urbs(&priv->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in usb_kill_anchored_urbs(). + +Fix the memory leak by anchoring the URB in the +usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. 
+ +Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-5-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/usb_8dev.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/usb_8dev.c ++++ b/drivers/net/can/usb/usb_8dev.c +@@ -541,11 +541,17 @@ resubmit_urb: + urb->transfer_buffer, RX_BUFFER_SIZE, + usb_8dev_read_bulk_callback, priv); + ++ usb_anchor_urb(urb, &priv->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); + + if (retval == -ENODEV) + netif_device_detach(netdev); +- else if (retval) ++ else + netdev_err(netdev, + "failed resubmitting read bulk urb: %d\n", retval); + } diff --git a/queue-6.18/drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch b/queue-6.18/drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch new file mode 100644 index 0000000000..c8e30675c6 --- /dev/null +++ b/queue-6.18/drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch 
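Review bot: on the failure branch the hunk unanchors the URB and then returns after netif_device_detach() or netdev_err(); with the anchor reference gone, nothing in the hunk owns the URB or its transfer buffer any more. Confirm the buffer is released elsewhere or free it here, otherwise a failed resubmit still leaks the buffer even though the normal completion path is now fixed.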
@@ -0,0 +1,56 @@ +From 10343253328e0dbdb465bff709a2619a08fe01ad Mon Sep 17 00:00:00 2001 +From: Likun Gao +Date: Mon, 15 Dec 2025 11:33:58 +0800 +Subject: drm/amdgpu: remove frame cntl for gfx v12 + +From: Likun Gao + +commit 10343253328e0dbdb465bff709a2619a08fe01ad upstream. + +Remove emit_frame_cntl function for gfx v12, which is not support. + +Signed-off-by: Likun Gao +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +(cherry picked from commit 5aaa5058dec5bfdcb24c42fe17ad91565a3037ca) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c +@@ -278,7 +278,6 @@ static void gfx_v12_0_select_se_sh(struc + u32 sh_num, u32 instance, int xcc_id); + static u32 gfx_v12_0_get_wgp_active_bitmap_per_sh(struct amdgpu_device *adev); + +-static void gfx_v12_0_ring_emit_frame_cntl(struct amdgpu_ring *ring, bool start, bool secure); + static void gfx_v12_0_ring_emit_wreg(struct amdgpu_ring *ring, uint32_t reg, + uint32_t val); + static int gfx_v12_0_wait_for_rlc_autoload_complete(struct amdgpu_device *adev); +@@ -4633,16 +4632,6 @@ static int gfx_v12_0_ring_preempt_ib(str + return r; + } + +-static void gfx_v12_0_ring_emit_frame_cntl(struct amdgpu_ring *ring, +- bool start, +- bool secure) +-{ +- uint32_t v = secure ? FRAME_TMZ : 0; +- +- amdgpu_ring_write(ring, PACKET3(PACKET3_FRAME_CONTROL, 0)); +- amdgpu_ring_write(ring, v | FRAME_CMD(start ? 
0 : 1)); +-} +- + static void gfx_v12_0_ring_emit_rreg(struct amdgpu_ring *ring, uint32_t reg, + uint32_t reg_val_offs) + { +@@ -5519,7 +5508,6 @@ static const struct amdgpu_ring_funcs gf + .emit_cntxcntl = gfx_v12_0_ring_emit_cntxcntl, + .init_cond_exec = gfx_v12_0_ring_emit_init_cond_exec, + .preempt_ib = gfx_v12_0_ring_preempt_ib, +- .emit_frame_cntl = gfx_v12_0_ring_emit_frame_cntl, + .emit_wreg = gfx_v12_0_ring_emit_wreg, + .emit_reg_wait = gfx_v12_0_ring_emit_reg_wait, + .emit_reg_write_reg_wait = gfx_v12_0_ring_emit_reg_write_reg_wait, diff --git a/queue-6.18/drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch b/queue-6.18/drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch new file mode 100644 index 0000000000..0ca610e21e --- /dev/null +++ b/queue-6.18/drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch 
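Review bot: the removed gfx_v12_0_ring_emit_frame_cntl() was the only place gfx v12 emitted PACKET3_FRAME_CONTROL with FRAME_TMZ for secure submissions, and the commit message only says the function "is not support" (should read "is not supported"). State explicitly that FRAME_CONTROL is not used by the gfx v12 firmware and that the ring core treats a NULL .emit_frame_cntl as a no-op, so readers can tell that TMZ jobs are unaffected by dropping the callback in the third hunk.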
@@ -0,0 +1,92 @@ +From 1a0f69e3c28477b97d3609569b7e8feb4b6162e8 Mon Sep 17 00:00:00 2001 +From: Osama Abdelkader +Date: Fri, 2 Jan 2026 16:55:52 +0100 +Subject: drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind + +From: Osama Abdelkader + +commit 1a0f69e3c28477b97d3609569b7e8feb4b6162e8 upstream. + +Fix several issues in dw_dp_bind() error handling: + +1. Missing return after drm_bridge_attach() failure - the function + continued execution instead of returning an error. + +2. Resource leak: drm_dp_aux_register() is not a devm function, so + drm_dp_aux_unregister() must be called on all error paths after + aux registration succeeds. This affects errors from: + - drm_bridge_attach() + - phy_init() + - devm_add_action_or_reset() + - platform_get_irq() + - devm_request_threaded_irq() + +3. Bug fix: platform_get_irq() returns the IRQ number or a negative + error code, but the error path was returning ERR_PTR(ret) instead + of ERR_PTR(dp->irq). + +Use a goto label for cleanup to ensure consistent error handling. 
+ +Fixes: 86eecc3a9c2e ("drm/bridge: synopsys: Add DW DPTX Controller support library") +Cc: stable@vger.kernel.org + +Signed-off-by: Osama Abdelkader +Reviewed-by: Louis Chauvet +Reviewed-by: Luca Ceresoli +Link: https://patch.msgid.link/20260102155553.13243-1-osama.abdelkader@gmail.com +Signed-off-by: Luca Ceresoli +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/synopsys/dw-dp.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/bridge/synopsys/dw-dp.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-dp.c +@@ -2060,33 +2060,41 @@ struct dw_dp *dw_dp_bind(struct device * + } + + ret = drm_bridge_attach(encoder, bridge, NULL, DRM_BRIDGE_ATTACH_NO_CONNECTOR); +- if (ret) ++ if (ret) { + dev_err_probe(dev, ret, "Failed to attach bridge\n"); ++ goto unregister_aux; ++ } + + dw_dp_init_hw(dp); + + ret = phy_init(dp->phy); + if (ret) { + dev_err_probe(dev, ret, "phy init failed\n"); +- return ERR_PTR(ret); ++ goto unregister_aux; + } + + ret = devm_add_action_or_reset(dev, dw_dp_phy_exit, dp); + if (ret) +- return ERR_PTR(ret); ++ goto unregister_aux; + + dp->irq = platform_get_irq(pdev, 0); +- if (dp->irq < 0) +- return ERR_PTR(ret); ++ if (dp->irq < 0) { ++ ret = dp->irq; ++ goto unregister_aux; ++ } + + ret = devm_request_threaded_irq(dev, dp->irq, NULL, dw_dp_irq, + IRQF_ONESHOT, dev_name(dev), dp); + if (ret) { + dev_err_probe(dev, ret, "failed to request irq\n"); +- return ERR_PTR(ret); ++ goto unregister_aux; + } + + return dp; ++ ++unregister_aux: ++ drm_dp_aux_unregister(&dp->aux); ++ return ERR_PTR(ret); + } + EXPORT_SYMBOL_GPL(dw_dp_bind); + diff --git a/queue-6.18/drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch b/queue-6.18/drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch new file mode 100644 index 0000000000..1cdd82ef0e --- /dev/null +++ b/queue-6.18/drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch 
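Review bot: every error after `dw_dp_init_hw(dp);` now jumps to unregister_aux without undoing the hardware init; if dw_dp_init_hw() enables anything that a failed probe should leave off, either move it after the IRQ request or add the matching disable before drm_dp_aux_unregister(). In the drm_bridge_attach() branch the value returned by dev_err_probe() is discarded; it returns `ret` unchanged, so that is harmless and matches the neighbouring branches.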
@@ -0,0 +1,35 @@ +From 604826acb3f53c6648a7ee99a3914ead680ab7fb Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Wed, 21 Jan 2026 14:13:10 -0500 +Subject: drm/nouveau/disp: Set drm_mode_config_funcs.atomic_(check|commit) + +From: Lyude Paul + +commit 604826acb3f53c6648a7ee99a3914ead680ab7fb upstream. + +Apparently we never actually filled these in, despite the fact that we do +in fact technically support atomic modesetting. + +Since not having these filled in causes us to potentially forget to disable +fbdev and friends during suspend/resume, let's fix it. + +Signed-off-by: Lyude Paul +Cc: stable@vger.kernel.org +Reviewed-by: Dave Airlie +Link: https://patch.msgid.link/20260121191320.210342-1-lyude@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_display.c ++++ b/drivers/gpu/drm/nouveau/nouveau_display.c +@@ -351,6 +351,8 @@ nouveau_user_framebuffer_create(struct d + + static const struct drm_mode_config_funcs nouveau_mode_config_funcs = { + .fb_create = nouveau_user_framebuffer_create, ++ .atomic_commit = drm_atomic_helper_commit, ++ .atomic_check = drm_atomic_helper_check, + }; + + diff --git a/queue-6.18/drm-xe-adjust-page-count-tracepoints-in-shrinker.patch b/queue-6.18/drm-xe-adjust-page-count-tracepoints-in-shrinker.patch new file mode 100644 index 0000000000..637a6dfe1b --- /dev/null +++ b/queue-6.18/drm-xe-adjust-page-count-tracepoints-in-shrinker.patch 
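Review bot: wiring drm_atomic_helper_commit and drm_atomic_helper_check into nouveau_mode_config_funcs assumes every display path that uses this table implements the atomic helper CRTC/plane/encoder callbacks and that the driver advertises DRIVER_ATOMIC; the commit message says atomic is supported but does not say which hardware generations use this particular funcs table. Add that to the message, together with the note that the fbdev suspend/resume path relies on .atomic_commit being non-NULL, so the stable backport can be judged from the description alone.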
@@ -0,0 +1,66 @@ +From ca9e5115e870b9a531deb02752055a8a587904e3 Mon Sep 17 00:00:00 2001 +From: Matthew Brost +Date: Wed, 7 Jan 2026 12:57:32 -0800 +Subject: drm/xe: Adjust page count tracepoints in shrinker +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Brost + +commit ca9e5115e870b9a531deb02752055a8a587904e3 upstream. + +Page accounting can change via the shrinker without calling +xe_ttm_tt_unpopulate(), which normally updates page count tracepoints +through update_global_total_pages. Add a call to +update_global_total_pages when the shrinker successfully shrinks a BO. + +v2: + - Don't adjust global accounting when pinning (Stuart) + +Cc: stable@vger.kernel.org +Fixes: ce3d39fae3d3 ("drm/xe/bo: add GPU memory trace points") +Signed-off-by: Matthew Brost +Reviewed-by: Stuart Summers +Link: https://patch.msgid.link/20260107205732.2267541-1-matthew.brost@intel.com +(cherry picked from commit cc54eabdfbf0c5b6638edc50002cfafac1f1e18b) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_bo.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_bo.c ++++ b/drivers/gpu/drm/xe/xe_bo.c +@@ -1008,6 +1008,7 @@ static long xe_bo_shrink_purge(struct tt + unsigned long *scanned) + { + struct xe_device *xe = ttm_to_xe_device(bo->bdev); ++ struct ttm_tt *tt = bo->ttm; + long lret; + + /* Fake move to system, without copying data. 
*/ +@@ -1032,8 +1033,10 @@ static long xe_bo_shrink_purge(struct tt + .writeback = false, + .allow_move = false}); + +- if (lret > 0) ++ if (lret > 0) { + xe_ttm_tt_account_subtract(xe, bo->ttm); ++ update_global_total_pages(bo->bdev, -(long)tt->num_pages); ++ } + + return lret; + } +@@ -1119,8 +1122,10 @@ long xe_bo_shrink(struct ttm_operation_c + if (needs_rpm) + xe_pm_runtime_put(xe); + +- if (lret > 0) ++ if (lret > 0) { + xe_ttm_tt_account_subtract(xe, tt); ++ update_global_total_pages(bo->bdev, -(long)tt->num_pages); ++ } + + out_unref: + xe_bo_put(xe_bo); diff --git a/queue-6.18/drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch b/queue-6.18/drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch new file mode 100644 index 0000000000..cf4b1f6db3 --- /dev/null +++ b/queue-6.18/drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch 
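Review bot: first hunk: `struct ttm_tt *tt = bo->ttm;` is added at the top of xe_bo_shrink_purge(), but the existing `xe_ttm_tt_account_subtract(xe, bo->ttm);` right before the new update_global_total_pages() call still goes through bo->ttm; use `tt` for both so the two accounting calls visibly act on the same object. Second hunk: `-(long)tt->num_pages` casts before negating, which is the right order for an unsigned num_pages.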
@@ -0,0 +1,44 @@ +From 6f287b1c8d0e255e94e54116ebbe126515f5c911 Mon Sep 17 00:00:00 2001 +From: Marco Crivellari +Date: Thu, 8 Jan 2026 19:01:48 +0100 +Subject: drm/xe: fix WQ_MEM_RECLAIM passed as max_active to alloc_workqueue() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marco Crivellari + +commit 6f287b1c8d0e255e94e54116ebbe126515f5c911 upstream. + +Workqueue xe-ggtt-wq has been allocated using WQ_MEM_RECLAIM, but +the flag has been passed as 3rd parameter (max_active) instead +of 2nd (flags) creating the workqueue as per-cpu with max_active = 8 +(the WQ_MEM_RECLAIM value). + +So change this by set WQ_MEM_RECLAIM as the 2nd parameter with a +default max_active. + +Fixes: 60df57e496e4 ("drm/xe: Mark GGTT work queue with WQ_MEM_RECLAIM") +Cc: stable@vger.kernel.org +Signed-off-by: Marco Crivellari +Reviewed-by: Matthew Brost +Signed-off-by: Matthew Brost +Link: https://patch.msgid.link/20260108180148.423062-1-marco.crivellari@suse.com +(cherry picked from commit aa39abc08e77d66ebb0c8c9ec4cc8d38ded34dc9) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_ggtt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/xe/xe_ggtt.c ++++ b/drivers/gpu/drm/xe/xe_ggtt.c +@@ -291,7 +291,7 @@ int xe_ggtt_init_early(struct xe_ggtt *g + else + ggtt->pt_ops = &xelp_pt_ops; + +- ggtt->wq = alloc_workqueue("xe-ggtt-wq", 0, WQ_MEM_RECLAIM); ++ ggtt->wq = alloc_workqueue("xe-ggtt-wq", WQ_MEM_RECLAIM, 0); + if (!ggtt->wq) + return -ENOMEM; + diff --git a/queue-6.18/gpio-cdev-correct-return-code-on-memory-allocation-failure.patch b/queue-6.18/gpio-cdev-correct-return-code-on-memory-allocation-failure.patch new file mode 100644 index 0000000000..c1bc01f578 --- /dev/null +++ b/queue-6.18/gpio-cdev-correct-return-code-on-memory-allocation-failure.patch 
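Review bot: the hunk is right (both alloc_workqueue() parameters are unsigned int, so the swapped arguments compiled silently); max_active 0 selects the workqueue default instead of the accidental 8, and the rescuer thread that WQ_MEM_RECLAIM is supposed to provide now actually exists. Commit message grammar: "So change this by set WQ_MEM_RECLAIM" should read "So fix this by passing WQ_MEM_RECLAIM".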
@@ -0,0 +1,33 @@ +From faff6846474e99295a139997f93ef6db222b5cee Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Fri, 16 Jan 2026 08:10:18 +0000 +Subject: gpio: cdev: Correct return code on memory allocation failure + +From: Tzung-Bi Shih + +commit faff6846474e99295a139997f93ef6db222b5cee upstream. + +-ENOMEM is a more appropriate return code for memory allocation +failures. Correct it. + +Cc: stable@vger.kernel.org +Fixes: 20bddcb40b2b ("gpiolib: cdev: replace locking wrappers for gpio_device with guards") +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20260116081036.352286-6-tzungbi@kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-cdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib-cdev.c ++++ b/drivers/gpio/gpiolib-cdev.c +@@ -2720,7 +2720,7 @@ static int gpio_chrdev_open(struct inode + + cdev = kzalloc(sizeof(*cdev), GFP_KERNEL); + if (!cdev) +- return -ENODEV; ++ return -ENOMEM; + + cdev->watched_lines = bitmap_zalloc(gdev->ngpio, GFP_KERNEL); + if (!cdev->watched_lines) diff --git a/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch b/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch new file mode 100644 index 0000000000..5c2700ba94 --- /dev/null +++ b/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch 
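Review bot: the hunk only changes the kzalloc() failure return; the `bitmap_zalloc(gdev->ngpio, GFP_KERNEL)` failure path two lines below is cut off by the context, so confirm it already returns -ENOMEM and frees `cdev`. If it also returns -ENODEV, the same fix belongs there in this patch.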
@@ -0,0 +1,46 @@ +From 8a8c942cad4cd12f739a8bb60cac77fd173c4e07 Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Tue, 20 Jan 2026 09:26:50 +0000 +Subject: gpio: cdev: Fix resource leaks on errors in gpiolib_cdev_register() + +From: Tzung-Bi Shih + +commit 8a8c942cad4cd12f739a8bb60cac77fd173c4e07 upstream. + +On error handling paths, gpiolib_cdev_register() doesn't free the +allocated resources which results leaks. Fix it. + +Cc: stable@vger.kernel.org +Fixes: 7b9b77a8bba9 ("gpiolib: add a per-gpio_device line state notification workqueue") +Fixes: d83cee3d2bb1 ("gpio: protect the pointer to gpio_chip in gpio_device with SRCU") +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20260120092650.2305319-1-tzungbi@kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-cdev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpiolib-cdev.c ++++ b/drivers/gpio/gpiolib-cdev.c +@@ -2821,13 +2821,18 @@ int gpiolib_cdev_register(struct gpio_de + return -ENOMEM; + + ret = cdev_device_add(&gdev->chrdev, &gdev->dev); +- if (ret) ++ if (ret) { ++ destroy_workqueue(gdev->line_state_wq); + return ret; ++ } + + guard(srcu)(&gdev->srcu); + gc = srcu_dereference(gdev->chip, &gdev->srcu); +- if (!gc) ++ if (!gc) { ++ cdev_device_del(&gdev->chrdev, &gdev->dev); ++ destroy_workqueue(gdev->line_state_wq); + return -ENODEV; ++ } + + gpiochip_dbg(gc, "added GPIO chardev (%d:%d)\n", MAJOR(devt), gdev->id); + diff --git a/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch b/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch new file mode 100644 index 0000000000..2b65950527 --- /dev/null +++ b/queue-6.18/gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch 
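Review bot: the hunk open-codes `destroy_workqueue(gdev->line_state_wq);` twice, and the second branch additionally needs cdev_device_del(); the usual unwind ladder (err_del_cdev / err_destroy_wq labels at the end of the function) avoids duplicating cleanup and keeps the order right for any error path added later. Also, cdev_device_del() is now called inside the guard(srcu) scope; that is acceptable because SRCU read sections may sleep, but the commit message should say so.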
@@ -0,0 +1,32 @@ +From 70b3c280533167749a8f740acaa8ef720f78f984 Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Tue, 20 Jan 2026 03:08:56 +0000 +Subject: gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() + +From: Tzung-Bi Shih + +commit 70b3c280533167749a8f740acaa8ef720f78f984 upstream. + +On error handling paths, lineinfo_changed_notify() doesn't free the +allocated resources which results leaks. Fix it. + +Cc: stable@vger.kernel.org +Fixes: d4cd0902c156 ("gpio: cdev: make sure the cdev fd is still active before emitting events") +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20260120030857.2144847-1-tzungbi@kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-cdev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpiolib-cdev.c ++++ b/drivers/gpio/gpiolib-cdev.c +@@ -2573,6 +2573,7 @@ static int lineinfo_changed_notify(struc + ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); + if (!ctx) { + pr_err("Failed to allocate memory for line info notification\n"); ++ fput(fp); + return NOTIFY_DONE; + } + diff --git a/queue-6.18/iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch b/queue-6.18/iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch new file mode 100644 index 0000000000..6aa09de26d --- /dev/null +++ b/queue-6.18/iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch 
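Review bot: `fput(fp);` in the GFP_ATOMIC allocation failure branch implies the notifier may run in atomic context; fput() is safe there because it defers the final __fput() rather than running it inline, but the commit message should state that. The hunk does not show where fp's reference was taken, so confirm the matching get_file()/fget() sits on the lines just above and that the other early exits of lineinfo_changed_notify() already drop it.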
@@ -0,0 +1,43 @@ +From 4ff39d6de4bf359ec6d5cd2be34b36d077dd0a07 Mon Sep 17 00:00:00 2001 +From: Francesco Lavra +Date: Fri, 28 Nov 2025 18:21:38 +0100 +Subject: iio: accel: adxl380: fix handling of unavailable "INT1" interrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Francesco Lavra + +commit 4ff39d6de4bf359ec6d5cd2be34b36d077dd0a07 upstream. + +fwnode_irq_get_byname() returns a negative value on failure; if a negative +value is returned, use it as `err` argument for dev_err_probe(). +While at it, add a missing trailing newline to the dev_err_probe() error +message. + +Fixes: df36de13677a ("iio: accel: add ADXL380 driver") +Signed-off-by: Francesco Lavra +Reviewed-by: Andy Shevchenko +Reviewed-by: Nuno Sá +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/adxl380.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/accel/adxl380.c ++++ b/drivers/iio/accel/adxl380.c +@@ -1728,9 +1728,9 @@ static int adxl380_config_irq(struct iio + st->int_map[1] = ADXL380_INT0_MAP1_REG; + } else { + st->irq = fwnode_irq_get_byname(dev_fwnode(st->dev), "INT1"); +- if (st->irq > 0) +- return dev_err_probe(st->dev, -ENODEV, +- "no interrupt name specified"); ++ if (st->irq < 0) ++ return dev_err_probe(st->dev, st->irq, ++ "no interrupt name specified\n"); + st->int_map[0] = ADXL380_INT1_MAP0_REG; + st->int_map[1] = ADXL380_INT1_MAP1_REG; + } diff --git a/queue-6.18/iio-accel-iis328dq-fix-gain-values.patch b/queue-6.18/iio-accel-iis328dq-fix-gain-values.patch new file mode 100644 index 0000000000..d182711759 --- /dev/null +++ b/queue-6.18/iio-accel-iis328dq-fix-gain-values.patch 
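Review bot: the check flips from `st->irq > 0` to `st->irq < 0`, matching the documented contract of fwnode_irq_get_byname() (negative on failure). If the helper can still return 0 for "no mapping" in the target tree, a zero IRQ would now pass this check and be requested later, so verify the helper's return contract in the tree being backported to before choosing `< 0` over `<= 0`. Passing st->irq to dev_err_probe() also gives correct -EPROBE_DEFER handling, which the old -ENODEV did not.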
@@ -0,0 +1,118 @@ +From b8f15d1df2e73322e2112de21a4a7f3553c7fb60 Mon Sep 17 00:00:00 2001 +From: Markus Koeniger +Date: Wed, 7 Jan 2026 16:32:18 +0100 +Subject: iio: accel: iis328dq: fix gain values + +From: Markus Koeniger + +commit b8f15d1df2e73322e2112de21a4a7f3553c7fb60 upstream. + +The sensors IIS328DQ and H3LIS331DL share one configuration but +H3LIS331DL has different gain parameters, configs therefore +need to be split up. +The gain parameters for the IIS328DQ are 0.98, 1.95 and 3.91, +depending on the selected measurement range. + +See sensor manuals, chapter 2.1 "mechanical characteristics", +parameter "Sensitivity". + +Datasheet: https://www.st.com/resource/en/datasheet/iis328dq.pdf +Datasheet: https://www.st.com/resource/en/datasheet/h3lis331dl.pdf +Fixes: 46e33707fe95 ("iio: accel: add support for IIS328DQ variant") +Reviewed-by: Dimitri Fedrau +Signed-off-by: Markus Koeniger +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/st_accel_core.c | 72 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 71 insertions(+), 1 deletion(-) + +--- a/drivers/iio/accel/st_accel_core.c ++++ b/drivers/iio/accel/st_accel_core.c +@@ -517,7 +517,6 @@ static const struct st_sensor_settings s + .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS, + .sensors_supported = { + [0] = H3LIS331DL_ACCEL_DEV_NAME, +- [1] = IIS328DQ_ACCEL_DEV_NAME, + }, + .ch = (struct iio_chan_spec *)st_accel_12bit_channels, + .odr = { +@@ -561,6 +560,77 @@ static const struct st_sensor_settings s + }, + }, + }, ++ .bdu = { ++ .addr = 0x23, ++ .mask = 0x80, ++ }, ++ .drdy_irq = { ++ .int1 = { ++ .addr = 0x22, ++ .mask = 0x02, ++ }, ++ .int2 = { ++ .addr = 0x22, ++ .mask = 0x10, ++ }, ++ .addr_ihl = 0x22, ++ .mask_ihl = 0x80, ++ }, ++ .sim = { ++ .addr = 0x23, ++ .value = BIT(0), ++ }, ++ .multi_read_bit = true, ++ .bootime = 2, ++ }, ++ { ++ .wai = 0x32, ++ .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS, ++ .sensors_supported = { ++ [0] = 
IIS328DQ_ACCEL_DEV_NAME, ++ }, ++ .ch = (struct iio_chan_spec *)st_accel_12bit_channels, ++ .odr = { ++ .addr = 0x20, ++ .mask = 0x18, ++ .odr_avl = { ++ { .hz = 50, .value = 0x00, }, ++ { .hz = 100, .value = 0x01, }, ++ { .hz = 400, .value = 0x02, }, ++ { .hz = 1000, .value = 0x03, }, ++ }, ++ }, ++ .pw = { ++ .addr = 0x20, ++ .mask = 0x20, ++ .value_on = ST_SENSORS_DEFAULT_POWER_ON_VALUE, ++ .value_off = ST_SENSORS_DEFAULT_POWER_OFF_VALUE, ++ }, ++ .enable_axis = { ++ .addr = ST_SENSORS_DEFAULT_AXIS_ADDR, ++ .mask = ST_SENSORS_DEFAULT_AXIS_MASK, ++ }, ++ .fs = { ++ .addr = 0x23, ++ .mask = 0x30, ++ .fs_avl = { ++ [0] = { ++ .num = ST_ACCEL_FS_AVL_100G, ++ .value = 0x00, ++ .gain = IIO_G_TO_M_S_2(980), ++ }, ++ [1] = { ++ .num = ST_ACCEL_FS_AVL_200G, ++ .value = 0x01, ++ .gain = IIO_G_TO_M_S_2(1950), ++ }, ++ [2] = { ++ .num = ST_ACCEL_FS_AVL_400G, ++ .value = 0x03, ++ .gain = IIO_G_TO_M_S_2(3910), ++ }, ++ }, ++ }, + .bdu = { + .addr = 0x23, + .mask = 0x80, diff --git a/queue-6.18/iio-adc-ad9467-fix-ad9434-vref-mask.patch b/queue-6.18/iio-adc-ad9467-fix-ad9434-vref-mask.patch new file mode 100644 index 0000000000..a449b71b29 --- /dev/null +++ b/queue-6.18/iio-adc-ad9467-fix-ad9434-vref-mask.patch 
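Review bot: the commit message quotes gains of 0.98, 1.95 and 3.91 while the new table stores IIO_G_TO_M_S_2(980), IIO_G_TO_M_S_2(1950) and IIO_G_TO_M_S_2(3910); spell out the unit the macro expects so the numbers can be checked against the datasheet "Sensitivity" row. The new IIS328DQ entry otherwise copies the H3LIS331DL block and differs only in the three .gain values; the duplication is forced by the table layout, and keeping the two entries adjacent is the right call.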
@@ -0,0 +1,40 @@ +From 92452b1760ff2d1d411414965d4d06f75e1bda9a Mon Sep 17 00:00:00 2001 +From: Tomas Melin +Date: Wed, 3 Dec 2025 09:28:11 +0000 +Subject: iio: adc: ad9467: fix ad9434 vref mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomas Melin + +commit 92452b1760ff2d1d411414965d4d06f75e1bda9a upstream. + +The mask setting is 5 bits wide for the ad9434 +(ref. data sheet register 0x18 FLEX_VREF). Apparently the settings +from ad9265 were copied by mistake when support for the device was added +to the driver. + +Fixes: 4606d0f4b05f ("iio: adc: ad9467: add support for AD9434 high-speed ADC") +Reviewed-by: Andy Shevchenko +Reviewed-by: Nuno Sá +Reviewed-by: David Lechner +Signed-off-by: Tomas Melin +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad9467.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad9467.c ++++ b/drivers/iio/adc/ad9467.c +@@ -95,7 +95,7 @@ + + #define CHIPID_AD9434 0x6A + #define AD9434_DEF_OUTPUT_MODE 0x00 +-#define AD9434_REG_VREF_MASK 0xC0 ++#define AD9434_REG_VREF_MASK GENMASK(4, 0) + + /* + * Analog Devices AD9467 16-Bit, 200/250 MSPS ADC diff --git a/queue-6.18/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch b/queue-6.18/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch new file mode 100644 index 0000000000..4524f9cfa3 --- /dev/null +++ b/queue-6.18/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch 
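Review bot: GENMASK(4, 0) (0x1F) and the old 0xC0 do not overlap at all, so every AD9434 vref write before this change touched bits the message says belong to another field; given that the message attributes the mistake to copying the ad9265 settings, it would be worth stating whether the neighbouring AD9434 definitions in the same block (AD9434_DEF_OUTPUT_MODE is visible directly above) were checked against the same datasheet register map. Nothing in the hunk shows where GENMASK() comes from, so also confirm that ad9467.c already includes linux/bits.h.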
@@ -0,0 +1,48 @@ +From dbdb442218cd9d613adeab31a88ac973f22c4873 Mon Sep 17 00:00:00 2001 +From: Pei Xiao +Date: Wed, 29 Oct 2025 10:40:16 +0800 +Subject: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver + +From: Pei Xiao + +commit dbdb442218cd9d613adeab31a88ac973f22c4873 upstream. + +at91_adc_interrupt can call at91_adc_touch_data_handler function +to start the work by schedule_work(&st->touch_st.workq). + +If we remove the module which will call at91_adc_remove to +make cleanup, it will free indio_dev through iio_device_unregister but +quite a bit later. While the work mentioned above will be used. The +sequence of operations that may lead to a UAF bug is as follows: + +CPU0 CPU1 + + | at91_adc_workq_handler +at91_adc_remove | +iio_device_unregister(indio_dev) | +//free indio_dev a bit later | + | iio_push_to_buffers(indio_dev) + | //use indio_dev + +Fix it by ensuring that the work is canceled before proceeding with +the cleanup in at91_adc_remove. + +Fixes: 23ec2774f1cc ("iio: adc: at91-sama5d2_adc: add support for position and pressure channels") +Signed-off-by: Pei Xiao +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/at91-sama5d2_adc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -2481,6 +2481,7 @@ static void at91_adc_remove(struct platf + struct at91_adc_state *st = iio_priv(indio_dev); + + iio_device_unregister(indio_dev); ++ cancel_work_sync(&st->touch_st.workq); + + at91_adc_dma_disable(st); + diff --git a/queue-6.18/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch b/queue-6.18/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch new file mode 100644 index 0000000000..9c8fbcb1c8 --- /dev/null +++ b/queue-6.18/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch 
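Review bot: cancel_work_sync() is placed after iio_device_unregister() and before at91_adc_dma_disable(), but nothing in the hunk quiesces the interrupt that, per the message, schedules touch_st.workq from at91_adc_interrupt(); if that IRQ can still fire at this point it can re-queue the work after the cancel and the window is only narrowed, not closed. Either move the cancel to after the interrupt is disabled or freed, or add a sentence to the message explaining why no further interrupts are possible here. Cancelling before iio_device_unregister() would additionally guarantee the work never observes a half-torn-down indio_dev.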
@@ -0,0 +1,65 @@ +From ea6b4feba85e996e840e0b661bc42793df6eb701 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 19 Dec 2025 12:05:45 +0100 +Subject: iio: adc: exynos_adc: fix OF populate on driver rebind + +From: Johan Hovold + +commit ea6b4feba85e996e840e0b661bc42793df6eb701 upstream. + +Since commit c6e126de43e7 ("of: Keep track of populated platform +devices") child devices will not be created by of_platform_populate() +if the devices had previously been deregistered individually so that the +OF_POPULATED flag is still set in the corresponding OF nodes. + +Switch to using of_platform_depopulate() instead of open coding so that +the child devices are created if the driver is rebound. + +Fixes: c6e126de43e7 ("of: Keep track of populated platform devices") +Cc: stable@vger.kernel.org # 3.16 +Signed-off-by: Johan Hovold +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/exynos_adc.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +--- a/drivers/iio/adc/exynos_adc.c ++++ b/drivers/iio/adc/exynos_adc.c +@@ -540,15 +540,6 @@ static const struct iio_chan_spec exynos + ADC_CHANNEL(9, "adc9"), + }; + +-static int exynos_adc_remove_devices(struct device *dev, void *c) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- +- platform_device_unregister(pdev); +- +- return 0; +-} +- + static int exynos_adc_probe(struct platform_device *pdev) + { + struct exynos_adc *info = NULL; +@@ -660,8 +651,7 @@ static int exynos_adc_probe(struct platf + return 0; + + err_of_populate: +- device_for_each_child(&indio_dev->dev, NULL, +- exynos_adc_remove_devices); ++ of_platform_depopulate(&indio_dev->dev); + iio_device_unregister(indio_dev); + err_irq: + free_irq(info->irq, info); +@@ -681,8 +671,7 @@ static void exynos_adc_remove(struct pla + struct iio_dev *indio_dev = platform_get_drvdata(pdev); + struct exynos_adc *info = iio_priv(indio_dev); + +- 
device_for_each_child(&indio_dev->dev, NULL, +- exynos_adc_remove_devices); ++ of_platform_depopulate(&indio_dev->dev); + iio_device_unregister(indio_dev); + free_irq(info->irq, info); + if (info->data->exit_hw) diff --git a/queue-6.18/iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch b/queue-6.18/iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch new file mode 100644 index 0000000000..57a53db2e1 --- /dev/null +++ b/queue-6.18/iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch @@ -0,0 +1,38 @@ +From da934ef0fdff5ba21e82ec3ab3f95fe73137b0c9 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Tue, 2 Dec 2025 19:13:06 +0100 +Subject: iio: adc: pac1934: Fix clamped value in pac1934_reg_snapshot + +From: Thorsten Blum + +commit da934ef0fdff5ba21e82ec3ab3f95fe73137b0c9 upstream. + +The local variable 'curr_energy' was never clamped to +PAC_193X_MIN_POWER_ACC or PAC_193X_MAX_POWER_ACC because the return +value of clamp() was not used. Fix this by assigning the clamped value +back to 'curr_energy'. + +Cc: stable@vger.kernel.org +Fixes: 0fb528c8255b ("iio: adc: adding support for PAC193x") +Signed-off-by: Thorsten Blum +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/pac1934.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/adc/pac1934.c ++++ b/drivers/iio/adc/pac1934.c +@@ -665,9 +665,9 @@ static int pac1934_reg_snapshot(struct p + /* add the power_acc field */ + curr_energy += inc; + +- clamp(curr_energy, PAC_193X_MIN_POWER_ACC, PAC_193X_MAX_POWER_ACC); +- +- reg_data->energy_sec_acc[cnt] = curr_energy; ++ reg_data->energy_sec_acc[cnt] = clamp(curr_energy, ++ PAC_193X_MIN_POWER_ACC, ++ PAC_193X_MAX_POWER_ACC); + } + + offset_reg_data_p += PAC1934_VPOWER_ACC_REG_LEN; 
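Review bot: of_platform_depopulate(&indio_dev->dev) only removes children that of_platform_populate() created under the same parent and flagged OF_POPULATED; the probe-side populate call is outside these hunks, so confirm it uses &indio_dev->dev as the parent, otherwise the err_of_populate and remove paths would leave the children registered and the rebind failure the message describes would persist. A short comment at the remove-side call naming the matching populate call would make the pairing visible to the next reader.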
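Review bot: the commit message says the clamped value is assigned "back to 'curr_energy'", but the hunk stores clamp(curr_energy, ...) only in reg_data->energy_sec_acc[cnt] and leaves curr_energy itself unclamped; the [cnt] index and the offset_reg_data_p increment suggest a per-channel loop in which curr_energy is built up with "curr_energy += inc". Either the message should say that the stored value is clamped, or, if curr_energy carries across iterations, clamp it too, e.g. "curr_energy = clamp(curr_energy, PAC_193X_MIN_POWER_ACC, PAC_193X_MAX_POWER_ACC);" followed by the store, so that an out-of-range accumulator cannot keep growing unnoticed.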
diff --git a/queue-6.18/iio-chemical-scd4x-fix-reported-channel-endianness.patch b/queue-6.18/iio-chemical-scd4x-fix-reported-channel-endianness.patch new file mode 100644 index 0000000000..a45c3ea4e0 --- /dev/null +++ b/queue-6.18/iio-chemical-scd4x-fix-reported-channel-endianness.patch @@ -0,0 +1,57 @@ +From 81d5a5366d3c20203fb9d7345e1aa46d668445a2 Mon Sep 17 00:00:00 2001 +From: Fiona Klute +Date: Sat, 13 Dec 2025 17:32:26 +0100 +Subject: iio: chemical: scd4x: fix reported channel endianness + +From: Fiona Klute + +commit 81d5a5366d3c20203fb9d7345e1aa46d668445a2 upstream. + +The driver converts values read from the sensor from BE to CPU +endianness in scd4x_read_meas(). The result is then pushed into the +buffer in scd4x_trigger_handler(), so on LE architectures parsing the +buffer using the reported BE type gave wrong results. + +scd4x_read_raw() which provides sysfs *_raw values is not affected, it +used the values returned by scd4x_read_meas() without further +conversion. + +Fixes: 49d22b695cbb6 ("drivers: iio: chemical: Add support for Sensirion SCD4x CO2 sensor") +Signed-off-by: Fiona Klute +Reviewed-by: David Lechner +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/scd4x.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/chemical/scd4x.c ++++ b/drivers/iio/chemical/scd4x.c +@@ -584,7 +584,7 @@ static const struct iio_chan_spec scd4x_ + .sign = 'u', + .realbits = 16, + .storagebits = 16, +- .endianness = IIO_BE, ++ .endianness = IIO_CPU, + }, + }, + { +@@ -599,7 +599,7 @@ static const struct iio_chan_spec scd4x_ + .sign = 'u', + .realbits = 16, + .storagebits = 16, +- .endianness = IIO_BE, ++ .endianness = IIO_CPU, + }, + }, + { +@@ -612,7 +612,7 @@ static const struct iio_chan_spec scd4x_ + .sign = 'u', + .realbits = 16, + .storagebits = 16, +- .endianness = IIO_BE, ++ .endianness = IIO_CPU, + }, + }, + }; 
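Review bot: all three channels switch from IIO_BE to IIO_CPU, which changes the type string userspace reads from scan_elements (on little-endian hosts it becomes a little-endian u16 instead of be:u16); the message explains why the old type was wrong but should also state explicitly that this is a deliberate change to the exported buffer format so stable reviewers and tooling authors expect it. The fix also relies on every push into the buffer using the CPU-converted values from scd4x_read_meas(); if any other push site copies raw sensor bytes, that path would now be mis-described and should be converted in the same patch.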
diff --git a/queue-6.18/iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch b/queue-6.18/iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch new file mode 100644 index 0000000000..9e34b724d4 --- /dev/null +++ b/queue-6.18/iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch 
@@ -0,0 +1,65 @@ +From 978d28136c53df38f8f0b747191930e2f95e9084 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Wed, 7 Jan 2026 22:35:50 +0800 +Subject: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miaoqian Lin + +commit 978d28136c53df38f8f0b747191930e2f95e9084 upstream. + +When simple_write_to_buffer() succeeds, it returns the number of bytes +actually copied to the buffer. The code incorrectly uses 'count' +as the index for null termination instead of the actual bytes copied. +If count exceeds the buffer size, this leads to out-of-bounds write. +Add a check for the count and use the return value as the index. + +The bug was validated using a demo module that mirrors the original +code and was tested under QEMU. + +Pattern of the bug: +- A fixed 64-byte stack buffer is filled using count. +- If count > 64, the code still does buf[count] = '\0', causing an +- out-of-bounds write on the stack. + +Steps for reproduce: +- Opens the device node. +- Writes 128 bytes of A to it. +- This overflows the 64-byte stack buffer and KASAN reports the OOB. + +Found via static analysis. 
This is similar to the +commit da9374819eb3 ("iio: backend: fix out-of-bound write") + +Fixes: b1c5d68ea66e ("iio: dac: ad3552r-hs: add support for internal ramp") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Nuno Sá +Reviewed-by: Andy Shevchenko +Reviewed-by: David Lechner +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad3552r-hs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iio/dac/ad3552r-hs.c ++++ b/drivers/iio/dac/ad3552r-hs.c +@@ -549,12 +549,15 @@ static ssize_t ad3552r_hs_write_data_sou + + guard(mutex)(&st->lock); + ++ if (count >= sizeof(buf)) ++ return -ENOSPC; ++ + ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, + count); + if (ret < 0) + return ret; + +- buf[count] = '\0'; ++ buf[ret] = '\0'; + + ret = match_string(dbgfs_attr_source, ARRAY_SIZE(dbgfs_attr_source), + buf); diff --git a/queue-6.18/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch b/queue-6.18/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch new file mode 100644 index 0000000000..85a06e9af2 --- /dev/null +++ b/queue-6.18/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch 
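Review bot: with the new "if (count >= sizeof(buf)) return -ENOSPC;" the simple_write_to_buffer() result is bounded by sizeof(buf) - 1, so buf[ret] is always inside the buffer and the stack write the message describes is gone. One remaining edge is a non-zero *ppos: simple_write_to_buffer() copies to buf + *ppos but returns only the byte count, so buf[ret] then terminates the string at an offset before the newly written bytes rather than after them. If this attribute is only meant to be written in a single call from offset 0, a comment saying so (or rejecting *ppos != 0 up front) would make that assumption explicit rather than implicit.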
@@ -0,0 +1,45 @@ +From 441ac29923c9172bc5e4b2c4f52ae756192f5715 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?K=C3=BCbrich=2C=20Andreas?= + +Date: Mon, 17 Nov 2025 12:35:13 +0000 +Subject: iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kübrich, Andreas + +commit 441ac29923c9172bc5e4b2c4f52ae756192f5715 upstream. + +The chip info for this variant (I2C, four channels, 14 bit, internal +reference) seems to have been left out due to oversight, so +ad5686_chip_info_tbl[ID_AD5695R] is all zeroes. Initialisation of an +AD5695R still succeeds, but the resulting IIO device has no channels and no +/dev/iio:device* node. + +Add the missing chip info to the table. + +Fixes: 4177381b4401 ("iio:dac:ad5686: Add AD5671R/75R/94/94R/95R/96/96R support") +Signed-off-by: Andreas Kübrich +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5686.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/iio/dac/ad5686.c ++++ b/drivers/iio/dac/ad5686.c +@@ -434,6 +434,12 @@ static const struct ad5686_chip_info ad5 + .num_channels = 4, + .regmap_type = AD5686_REGMAP, + }, ++ [ID_AD5695R] = { ++ .channels = ad5685r_channels, ++ .int_vref_mv = 2500, ++ .num_channels = 4, ++ .regmap_type = AD5686_REGMAP, ++ }, + [ID_AD5696] = { + .channels = ad5686_channels, + .num_channels = 4, diff --git a/queue-6.18/intel_th-fix-device-leak-on-output-open.patch b/queue-6.18/intel_th-fix-device-leak-on-output-open.patch new file mode 100644 index 0000000000..877c4e9785 --- /dev/null +++ b/queue-6.18/intel_th-fix-device-leak-on-output-open.patch 
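Review bot: the new [ID_AD5695R] entry reuses ad5685r_channels with int_vref_mv = 2500; the message describes the part as I2C, four channels, 14 bit with an internal reference, so a comment (or one sentence in the message) noting that the AD5695R shares the AD5685R channel layout would let a reader verify the reuse without the datasheet. Since the root cause was a silently all-zero table entry that still probed successfully, a probe-time check that rejects chip_info with num_channels == 0 or a NULL channels pointer would catch the next missing entry instead of producing a channel-less device.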
@@ -0,0 +1,69 @@ +From 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 8 Dec 2025 16:35:23 +0100 +Subject: intel_th: fix device leak on output open() + +From: Johan Hovold + +commit 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 upstream. + +Make sure to drop the reference taken when looking up the th device +during output device open() on errors and on close(). + +Note that a recent commit fixed the leak in a couple of open() error +paths but not all of them, and the reference is still leaking on +successful open(). + +Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") +Fixes: 6d5925b667e4 ("intel_th: Fix error handling in intel_th_output_open") +Cc: stable@vger.kernel.org # 4.4: 6d5925b667e4 +Cc: Alexander Shishkin +Cc: Ma Ke +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251208153524.68637-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/core.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -810,9 +810,12 @@ static int intel_th_output_open(struct i + int err; + + dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev); +- if (!dev || !dev->driver) { ++ if (!dev) ++ return -ENODEV; ++ ++ if (!dev->driver) { + err = -ENODEV; +- goto out_no_device; ++ goto out_put_device; + } + + thdrv = to_intel_th_driver(dev->driver); +@@ -836,12 +839,22 @@ static int intel_th_output_open(struct i + + out_put_device: + put_device(dev); +-out_no_device: ++ + return err; + } + ++static int intel_th_output_release(struct inode *inode, struct file *file) ++{ ++ struct intel_th_device *thdev = file->private_data; ++ ++ put_device(&thdev->dev); ++ ++ return 0; ++} ++ + static const struct file_operations intel_th_output_fops = { + .open = intel_th_output_open, ++ .release = intel_th_output_release, + .llseek = noop_llseek, + }; + 
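Review bot: the new intel_th_output_release() drops the reference with put_device(&thdev->dev) on file->private_data, while open() acquires it via bus_find_device_by_devt() on the local "dev"; the assignment of private_data is not in these hunks, so confirm that &thdev->dev is the very same struct device the lookup returned, otherwise release() would put a different reference and the leak the message describes would become a refcount underflow. Minor: removing the out_no_device label in the @@ -836 hunk leaves a stray blank line before "return err;".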
diff --git a/queue-6.18/iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch b/queue-6.18/iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch new file mode 100644 index 0000000000..ade63bbea6 --- /dev/null +++ b/queue-6.18/iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch 
@@ -0,0 +1,52 @@ +From 374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8 Mon Sep 17 00:00:00 2001 +From: Chaitanya Kulkarni +Date: Fri, 19 Dec 2025 15:28:58 -0800 +Subject: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path + +From: Chaitanya Kulkarni + +commit 374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8 upstream. + +__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative +error code) when encountering an unmapped PTE. Since size_t is unsigned, +-ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE +on 64-bit systems). + +This corrupted value propagates through the call chain: + __arm_lpae_unmap() returns -ENOENT as size_t + -> arm_lpae_unmap_pages() returns it + -> __iommu_unmap() adds it to iova address + -> iommu_pgsize() triggers BUG_ON due to corrupted iova + +This can cause IOVA address overflow in __iommu_unmap() loop and +trigger BUG_ON in iommu_pgsize() from invalid address alignment. + +Fix by returning 0 instead of -ENOENT. The WARN_ON already signals +the error condition, and returning 0 (meaning "nothing unmapped") +is the correct semantic for size_t return type. This matches the +behavior of other io-pgtable implementations (io-pgtable-arm-v7s, +io-pgtable-dart) which return 0 on error conditions. + +Fixes: 3318f7b5cefb ("iommu/io-pgtable-arm: Add quirk to quiet WARN_ON()") +Cc: stable@vger.kernel.org +Signed-off-by: Chaitanya Kulkarni +Acked-by: Will Deacon +Reviewed-by: Jason Gunthorpe +Reviewed-by: Rob Clark +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/io-pgtable-arm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/io-pgtable-arm.c ++++ b/drivers/iommu/io-pgtable-arm.c +@@ -639,7 +639,7 @@ static size_t __arm_lpae_unmap(struct ar + pte = READ_ONCE(*ptep); + if (!pte) { + WARN_ON(!(data->iop.cfg.quirks & IO_PGTABLE_QUIRK_NO_WARN)); +- return -ENOENT; ++ return 0; + } + + /* If the size matches this level, we're in the right place */ 
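Review bot: returning 0 here matches the size_t contract and, as the message notes, the behaviour of io-pgtable-arm-v7s and io-pgtable-dart, but the errno-in-size_t pattern is easy to reintroduce; a short comment at this return, for example "/* size_t return: 0 means nothing unmapped, never an errno */", plus a pass over the remaining return statements in __arm_lpae_unmap() for other negative constants would make the fix stick. It would also help the message to state that the unmap loop in __iommu_unmap() treats 0 as "stop", since that, together with the WARN_ON, is what replaces the error signalling the old -ENOENT was attempting.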
diff --git a/queue-6.18/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch b/queue-6.18/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch new file mode 100644 index 0000000000..be9fb42d94 --- /dev/null +++ b/queue-6.18/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch 
@@ -0,0 +1,74 @@ +From 8d76a7d89c12d08382b66e2f21f20d0627d14859 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 19 Jan 2026 21:15:12 +0100 +Subject: irqchip/gic-v3-its: Avoid truncating memory addresses + +From: Arnd Bergmann + +commit 8d76a7d89c12d08382b66e2f21f20d0627d14859 upstream. + +On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem +allocations to be backed by addresses physical memory above the 32-bit +address limit, as found while experimenting with larger VMSPLIT +configurations. + +This caused the qemu virt model to crash in the GICv3 driver, which +allocates the 'itt' object using GFP_KERNEL. Since all memory below +the 4GB physical address limit is in ZONE_DMA in this configuration, +kmalloc() defaults to higher addresses for ZONE_NORMAL, and the +ITS driver stores the physical address in a 32-bit 'unsigned long' +variable. + +Change the itt_addr variable to the correct phys_addr_t type instead, +along with all other variables in this driver that hold a physical +address. + +The gicv5 driver correctly uses u64 variables, while all other irqchip +drivers don't call virt_to_phys or similar interfaces. It's expected that +other device drivers have similar issues, but fixing this one is +sufficient for booting a virtio based guest. 
+ +Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue") +Signed-off-by: Arnd Bergmann +Signed-off-by: Thomas Gleixner +Reviewed-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260119201603.2713066-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3-its.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -709,7 +709,7 @@ static struct its_collection *its_build_ + struct its_cmd_block *cmd, + struct its_cmd_desc *desc) + { +- unsigned long itt_addr; ++ phys_addr_t itt_addr; + u8 size = ilog2(desc->its_mapd_cmd.dev->nr_ites); + + itt_addr = virt_to_phys(desc->its_mapd_cmd.dev->itt); +@@ -879,7 +879,7 @@ static struct its_vpe *its_build_vmapp_c + struct its_cmd_desc *desc) + { + struct its_vpe *vpe = valid_vpe(its, desc->its_vmapp_cmd.vpe); +- unsigned long vpt_addr, vconf_addr; ++ phys_addr_t vpt_addr, vconf_addr; + u64 target; + bool alloc; + +@@ -2477,10 +2477,10 @@ retry_baser: + baser->psz = psz; + tmp = indirect ? GITS_LVL1_ENTRY_SIZE : esz; + +- pr_info("ITS@%pa: allocated %d %s @%lx (%s, esz %d, psz %dK, shr %d)\n", ++ pr_info("ITS@%pa: allocated %d %s @%llx (%s, esz %d, psz %dK, shr %d)\n", + &its->phys_base, (int)(PAGE_ORDER_TO_SIZE(order) / (int)tmp), + its_base_type_string[type], +- (unsigned long)virt_to_phys(base), ++ (u64)virt_to_phys(base), + indirect ? "indirect" : "flat", (int)esz, + psz / SZ_1K, (int)shr >> GITS_BASER_SHAREABILITY_SHIFT); + diff --git a/queue-6.18/ksmbd-smbd-fix-dma_unmap_sg-nents.patch b/queue-6.18/ksmbd-smbd-fix-dma_unmap_sg-nents.patch new file mode 100644 index 0000000000..d360e9cd54 --- /dev/null +++ b/queue-6.18/ksmbd-smbd-fix-dma_unmap_sg-nents.patch 
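Review bot: in the pr_info() hunk the address is still printed through a cast, now "(u64)virt_to_phys(base)" with %llx, while the same format string already prints &its->phys_base with %pa; storing virt_to_phys(base) in a phys_addr_t local and printing it with %pa would remove the cast and use exactly the type the rest of the patch moves to. The itt_addr and vpt_addr/vconf_addr changes are consistent with the message, but the places where those values are encoded into ITS commands are not in these hunks, so confirm the encode helpers take a 64-bit argument rather than unsigned long, or the truncation just moves one call deeper.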
@@ -0,0 +1,67 @@ +From 98e3e2b561bc88f4dd218d1c05890672874692f6 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Fri, 9 Jan 2026 11:38:39 +0100 +Subject: ksmbd: smbd: fix dma_unmap_sg() nents + +From: Thomas Fourier + +commit 98e3e2b561bc88f4dd218d1c05890672874692f6 upstream. + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Cc: +Signed-off-by: Thomas Fourier +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_rdma.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -1251,14 +1251,12 @@ static int get_sg_list(void *buf, int si + + static int get_mapped_sg_list(struct ib_device *device, void *buf, int size, + struct scatterlist *sg_list, int nentries, +- enum dma_data_direction dir) ++ enum dma_data_direction dir, int *npages) + { +- int npages; +- +- npages = get_sg_list(buf, size, sg_list, nentries); +- if (npages < 0) ++ *npages = get_sg_list(buf, size, sg_list, nentries); ++ if (*npages < 0) + return -EINVAL; +- return ib_dma_map_sg(device, sg_list, npages, dir); ++ return ib_dma_map_sg(device, sg_list, *npages, dir); + } + + static int post_sendmsg(struct smbdirect_socket *sc, +@@ -1329,12 +1327,13 @@ static int smb_direct_post_send_data(str + for (i = 0; i < niov; i++) { + struct ib_sge *sge; + int sg_cnt; ++ int npages; + + sg_init_table(sg, SMBDIRECT_SEND_IO_MAX_SGE - 1); + sg_cnt = get_mapped_sg_list(sc->ib.dev, + iov[i].iov_base, iov[i].iov_len, + sg, SMBDIRECT_SEND_IO_MAX_SGE - 1, +- DMA_TO_DEVICE); ++ DMA_TO_DEVICE, &npages); + if (sg_cnt <= 0) { + pr_err("failed to map buffer\n"); + ret = -ENOMEM; +@@ -1342,7 +1341,7 @@ static int smb_direct_post_send_data(str + } else if (sg_cnt + msg->num_sge > 
SMBDIRECT_SEND_IO_MAX_SGE) { + pr_err("buffer not fitted into sges\n"); + ret = -E2BIG; +- ib_dma_unmap_sg(sc->ib.dev, sg, sg_cnt, ++ ib_dma_unmap_sg(sc->ib.dev, sg, npages, + DMA_TO_DEVICE); + goto err; + } diff --git a/queue-6.18/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch b/queue-6.18/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch new file mode 100644 index 0000000000..a27381f907 --- /dev/null +++ b/queue-6.18/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch 
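Review bot: the E2BIG branch now unmaps with the original npages, which is the fix the message describes, but it is the only teardown path visible in these hunks; the "goto err" target and the send-completion path that eventually unmap the same sg list are not shown and need the same nents value to be correct. If those paths currently use the mapped count kept alongside the sge, consider carrying npages in the per-iov state so every dma_unmap_sg() for this buffer uses the nents that was passed to the map call. Note also that get_mapped_sg_list() now writes *npages before returning -EINVAL, so callers must not read a negative *npages as a valid count.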
@@ -0,0 +1,80 @@ +From d1883cefd31752f0504b94c3bcfa1f6d511d6e87 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 11 Dec 2025 17:37:27 +0100 +Subject: leds: led-class: Only Add LED to leds_list when it is fully ready + +From: Hans de Goede + +commit d1883cefd31752f0504b94c3bcfa1f6d511d6e87 upstream. + +Before this change the LED was added to leds_list before led_init_core() +gets called adding it the list before led_classdev.set_brightness_work gets +initialized. + +This leaves a window where led_trigger_register() of a LED's default +trigger will call led_trigger_set() which calls led_set_brightness() +which in turn will end up queueing the *uninitialized* +led_classdev.set_brightness_work. + +This race gets hit by the lenovo-thinkpad-t14s EC driver which registers +2 LEDs with a default trigger provided by snd_ctl_led.ko in quick +succession. The first led_classdev_register() causes an async modprobe of +snd_ctl_led to run and that async modprobe manages to exactly hit +the window where the second LED is on the leds_list without led_init_core() +being called for it, resulting in: + + ------------[ cut here ]------------ + WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 + Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 + ... + Call trace: + __flush_work+0x344/0x390 (P) + flush_work+0x2c/0x50 + led_trigger_set+0x1c8/0x340 + led_trigger_register+0x17c/0x1c0 + led_trigger_register_simple+0x84/0xe8 + snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] + do_one_initcall+0x5c/0x318 + do_init_module+0x9c/0x2b8 + load_module+0x7e0/0x998 + +Close the race window by moving the adding of the LED to leds_list to +after the led_init_core() call. 
+ +Cc: stable@vger.kernel.org +Fixes: d23a22a74fde ("leds: delay led_set_brightness if stopping soft-blink") +Signed-off-by: Hans de Goede +Reviewed-by: Sebastian Reichel +Link: https://patch.msgid.link/20251211163727.366441-1-johannes.goede@oss.qualcomm.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/led-class.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -560,11 +560,6 @@ int led_classdev_register_ext(struct dev + #ifdef CONFIG_LEDS_BRIGHTNESS_HW_CHANGED + led_cdev->brightness_hw_changed = -1; + #endif +- /* add to the list of leds */ +- down_write(&leds_list_lock); +- list_add_tail(&led_cdev->node, &leds_list); +- up_write(&leds_list_lock); +- + if (!led_cdev->max_brightness) + led_cdev->max_brightness = LED_FULL; + +@@ -574,6 +569,11 @@ int led_classdev_register_ext(struct dev + + led_init_core(led_cdev); + ++ /* add to the list of leds */ ++ down_write(&leds_list_lock); ++ list_add_tail(&led_cdev->node, &leds_list); ++ up_write(&leds_list_lock); ++ + #ifdef CONFIG_LEDS_TRIGGERS + led_trigger_set_default(led_cdev); + #endif diff --git a/queue-6.18/mei-trace-treat-reg-parameter-as-string.patch b/queue-6.18/mei-trace-treat-reg-parameter-as-string.patch new file mode 100644 index 0000000000..3bdcb67d6c --- /dev/null +++ b/queue-6.18/mei-trace-treat-reg-parameter-as-string.patch 
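Review bot: moving the list_add_tail() to after led_init_core() closes the window the message describes, but any error unwind between the old and the new position that previously relied on the LED already being on leds_list (a list_del() on failure) would now operate on an unlinked node; the code between the two hunks is not shown, so confirm that no error path in that region removes the node from the list. A comment at the new list_add site stating that the LED must be fully initialised, set_brightness_work included, before it becomes visible to led_trigger_register() would document the ordering requirement for future changes.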
@@ -0,0 +1,98 @@ +From 06d5a7afe1d0b47102936d8fba568572c2b4b941 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 11 Jan 2026 16:51:25 +0200 +Subject: mei: trace: treat reg parameter as string + +From: Alexander Usyskin + +commit 06d5a7afe1d0b47102936d8fba568572c2b4b941 upstream. + +The commit +afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format") +forbids to emit event with a plain char* without a wrapper. + +The reg parameter always passed as static string and wrapper +is not strictly required, contrary to dev parameter. +Use the string wrapper anyway to check sanity of the reg parameters, +store it value independently and prevent internal kernel data leaks. + +Since some code refactoring has taken place, explicit backporting may +be needed for kernels older than 6.10. + +Cc: stable@vger.kernel.org # v6.11+ +Fixes: a0a927d06d79 ("mei: me: add io register tracing") +Signed-off-by: Alexander Usyskin +Link: https://patch.msgid.link/20260111145125.1754912-1-alexander.usyskin@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/mei-trace.h | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/misc/mei/mei-trace.h ++++ b/drivers/misc/mei/mei-trace.h +@@ -21,18 +21,18 @@ TRACE_EVENT(mei_reg_read, + TP_ARGS(dev, reg, offs, val), + TP_STRUCT__entry( + __string(dev, dev_name(dev)) +- __field(const char *, reg) ++ __string(reg, reg) + __field(u32, offs) + __field(u32, val) + ), + TP_fast_assign( + __assign_str(dev); +- __entry->reg = reg; ++ __assign_str(reg); + __entry->offs = offs; + __entry->val = val; + ), + TP_printk("[%s] read %s:[%#x] = %#x", +- __get_str(dev), __entry->reg, __entry->offs, __entry->val) ++ __get_str(dev), __get_str(reg), __entry->offs, __entry->val) + ); + + TRACE_EVENT(mei_reg_write, +@@ -40,18 +40,18 @@ TRACE_EVENT(mei_reg_write, + TP_ARGS(dev, reg, offs, val), + TP_STRUCT__entry( + __string(dev, dev_name(dev)) +- __field(const char *, reg) ++ 
__string(reg, reg) + __field(u32, offs) + __field(u32, val) + ), + TP_fast_assign( + __assign_str(dev); +- __entry->reg = reg; ++ __assign_str(reg); + __entry->offs = offs; + __entry->val = val; + ), + TP_printk("[%s] write %s[%#x] = %#x", +- __get_str(dev), __entry->reg, __entry->offs, __entry->val) ++ __get_str(dev), __get_str(reg), __entry->offs, __entry->val) + ); + + TRACE_EVENT(mei_pci_cfg_read, +@@ -59,18 +59,18 @@ TRACE_EVENT(mei_pci_cfg_read, + TP_ARGS(dev, reg, offs, val), + TP_STRUCT__entry( + __string(dev, dev_name(dev)) +- __field(const char *, reg) ++ __string(reg, reg) + __field(u32, offs) + __field(u32, val) + ), + TP_fast_assign( + __assign_str(dev); +- __entry->reg = reg; ++ __assign_str(reg); + __entry->offs = offs; + __entry->val = val; + ), + TP_printk("[%s] pci cfg read %s:[%#x] = %#x", +- __get_str(dev), __entry->reg, __entry->offs, __entry->val) ++ __get_str(dev), __get_str(reg), __entry->offs, __entry->val) + ); + + #endif /* _MEI_TRACE_H_ */ diff --git a/queue-6.18/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch b/queue-6.18/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch new file mode 100644 index 0000000000..3743797234 --- /dev/null +++ b/queue-6.18/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch 
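Review bot: switching reg from __field(const char *, ...) to __string() copies the string into the ring buffer, which is what stops the pointer from being dereferenced later and removes the kernel-data leak the message mentions; the message should also say that this changes the exported trace event format (reg becomes a dynamic string field instead of a pointer), since tooling that parses the event format files will see a different type. The same three-line change is applied to mei_reg_read, mei_reg_write and mei_pci_cfg_read, and the 9/9 diffstat matches those three, so it is worth stating that no other event in the header still carries a raw reg pointer.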
@@ -0,0 +1,105 @@ +From b7880cb166ab62c2409046b2347261abf701530e Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Fri, 9 Jan 2026 04:13:42 +0000 +Subject: migrate: correct lock ordering for hugetlb file folios + +From: Matthew Wilcox (Oracle) + +commit b7880cb166ab62c2409046b2347261abf701530e upstream. + +Syzbot has found a deadlock (analyzed by Lance Yang): + +1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). +2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire +folio_lock. + +migrate_pages() + -> migrate_hugetlbs() + -> unmap_and_move_huge_page() <- Takes folio_lock! + -> remove_migration_ptes() + -> __rmap_walk_file() + -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)! + +hugetlbfs_fallocate() + -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! + -> hugetlbfs_zero_partial_page() + -> filemap_lock_hugetlb_folio() + -> filemap_lock_folio() + -> __filemap_get_folio <- Waits for folio_lock! + +The migration path is the one taking locks in the wrong order according to +the documentation at the top of mm/rmap.c. So expand the scope of the +existing i_mmap_lock to cover the calls to remove_migration_ptes() too. + +This is (mostly) how it used to be after commit c0d0381ade79. That was +removed by 336bf30eb765 for both file & anon hugetlb pages when it should +only have been removed for anon hugetlb pages. 
+ +Link: https://lkml.kernel.org/r/20260109041345.3863089-2-willy@infradead.org +Signed-off-by: Matthew Wilcox (Oracle) +Fixes: 336bf30eb765 ("hugetlbfs: fix anon huge page migration race") +Reported-by: syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/68e9715a.050a0220.1186a4.000d.GAE@google.com +Debugged-by: Lance Yang +Acked-by: David Hildenbrand (Red Hat) +Acked-by: Zi Yan +Cc: Alistair Popple +Cc: Byungchul Park +Cc: Gregory Price +Cc: Jann Horn +Cc: Joshua Hahn +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Matthew Brost +Cc: Rakie Kim +Cc: Rik van Riel +Cc: Vlastimil Babka +Cc: Ying Huang +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/migrate.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -1450,6 +1450,7 @@ static int unmap_and_move_huge_page(new_ + int page_was_mapped = 0; + struct anon_vma *anon_vma = NULL; + struct address_space *mapping = NULL; ++ enum ttu_flags ttu = 0; + + if (folio_ref_count(src) == 1) { + /* page was freed from under us. So we are done. */ +@@ -1490,8 +1491,6 @@ static int unmap_and_move_huge_page(new_ + goto put_anon; + + if (folio_mapped(src)) { +- enum ttu_flags ttu = 0; +- + if (!folio_test_anon(src)) { + /* + * In shared mappings, try_to_unmap could potentially +@@ -1508,16 +1507,17 @@ static int unmap_and_move_huge_page(new_ + + try_to_migrate(src, ttu); + page_was_mapped = 1; +- +- if (ttu & TTU_RMAP_LOCKED) +- i_mmap_unlock_write(mapping); + } + + if (!folio_mapped(src)) + rc = move_to_new_folio(dst, src, mode); + + if (page_was_mapped) +- remove_migration_ptes(src, !rc ? dst : src, 0); ++ remove_migration_ptes(src, !rc ? dst : src, ++ ttu ? RMP_LOCKED : 0); ++ ++ if (ttu & TTU_RMAP_LOCKED) ++ i_mmap_unlock_write(mapping); + + unlock_put_anon: + folio_unlock(dst); 
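Review bot: the new remove_migration_ptes() call passes "ttu ? RMP_LOCKED : 0", i.e. it tests the whole flags word, while the unlock two lines later tests "ttu & TTU_RMAP_LOCKED"; using "ttu & TTU_RMAP_LOCKED" in both places keeps the two conditions in lockstep and stays correct if another ttu flag is ever set on this path. Hoisting "enum ttu_flags ttu = 0;" to function scope is needed for the unlock to see it, but a brief comment that ttu is only non-zero for file-backed hugetlb folios (the anon case that 336bf30eb765 addressed) would help, since i_mmap_rwsem is now held across move_to_new_folio() as well.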
diff --git a/queue-6.18/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch b/queue-6.18/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch new file mode 100644 index 0000000000..77348012f3 --- /dev/null +++ b/queue-6.18/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch 
@@ -0,0 +1,84 @@ +From 122610220134b32c742cc056eaf64f7017ac8cd9 Mon Sep 17 00:00:00 2001 +From: Matthew Schwartz +Date: Mon, 29 Dec 2025 12:45:26 -0800 +Subject: mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function + +From: Matthew Schwartz + +commit 122610220134b32c742cc056eaf64f7017ac8cd9 upstream. + +rtsx_pci_sdmmc does not have an sdmmc_card_busy function, so any voltage +switches cause a kernel warning, "mmc0: cannot verify signal voltage +switch." + +Copy the sdmmc_card_busy function from rtsx_pci_usb to rtsx_pci_sdmmc to +fix this. + +Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver") +Signed-off-by: Matthew Schwartz +Tested-by: Ricky WU +Reviewed-by: Ricky WU +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/rtsx_pci_sdmmc.c | 41 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +--- a/drivers/mmc/host/rtsx_pci_sdmmc.c ++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c +@@ -1306,6 +1306,46 @@ out: + return err; + } + ++static int sdmmc_card_busy(struct mmc_host *mmc) ++{ ++ struct realtek_pci_sdmmc *host = mmc_priv(mmc); ++ struct rtsx_pcr *pcr = host->pcr; ++ int err; ++ u8 stat; ++ u8 mask = SD_DAT3_STATUS | SD_DAT2_STATUS | SD_DAT1_STATUS ++ | SD_DAT0_STATUS; ++ ++ mutex_lock(&pcr->pcr_mutex); ++ ++ rtsx_pci_start_run(pcr); ++ ++ err = rtsx_pci_write_register(pcr, SD_BUS_STAT, ++ SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, ++ SD_CLK_TOGGLE_EN); ++ if (err) ++ goto out; ++ ++ mdelay(1); ++ ++ err = rtsx_pci_read_register(pcr, SD_BUS_STAT, &stat); ++ if (err) ++ goto out; ++ ++ err = rtsx_pci_write_register(pcr, SD_BUS_STAT, ++ SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, 0); ++out: ++ mutex_unlock(&pcr->pcr_mutex); ++ ++ if (err) ++ return err; ++ ++ /* check if any pin between dat[0:3] is low */ ++ if ((stat & mask) != mask) ++ return 1; ++ else ++ return 0; ++} ++ + static int sdmmc_execute_tuning(struct mmc_host *mmc, u32 opcode) + { + struct realtek_pci_sdmmc *host = 
mmc_priv(mmc); +@@ -1418,6 +1458,7 @@ static const struct mmc_host_ops realtek + .get_ro = sdmmc_get_ro, + .get_cd = sdmmc_get_cd, + .start_signal_voltage_switch = sdmmc_switch_voltage, ++ .card_busy = sdmmc_card_busy, + .execute_tuning = sdmmc_execute_tuning, + .init_sd_express = sdmmc_init_sd_express, + }; diff --git a/queue-6.18/mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch b/queue-6.18/mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch new file mode 100644 index 0000000000..b440444932 --- /dev/null +++ b/queue-6.18/mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch 
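Review bot: in the `sdmmc_card_busy()` hunk of the rtsx_pci_sdmmc patch above, a failure of `rtsx_pci_read_register()` jumps to `out` and skips the second `rtsx_pci_write_register()` that clears `SD_CLK_TOGGLE_EN`, so on a read error the clock toggle is left enabled; the clearing write should be issued regardless of the read result (do it before the `out:` label unconditionally, or move the label above it). The `mdelay(1)` is a busy-wait inside a `mutex_lock()` section, i.e. in sleepable context, so `usleep_range()` would avoid spinning a CPU for a millisecond on every voltage-switch poll.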
@@ -0,0 +1,56 @@ +From 3009738a855cf938bbfc9078bec725031ae623a4 Mon Sep 17 00:00:00 2001 +From: Shawn Lin +Date: Mon, 22 Dec 2025 15:11:25 +0800 +Subject: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode + +From: Shawn Lin + +commit 3009738a855cf938bbfc9078bec725031ae623a4 upstream. + +When operating in HS200 or HS400 timing modes, reducing the clock frequency +below 52MHz will lead to link broken as the Rockchip DWC MSHC controller +requires maintaining a minimum clock of 52MHz in these modes. + +Add a check to prevent illegal clock reduction through debugfs: + +root@debian:/# echo 50000000 > /sys/kernel/debug/mmc0/clock +root@debian:/# [ 30.090146] mmc0: running CQE recovery +mmc0: cqhci: Failed to halt +mmc0: cqhci: spurious TCN for tag 0 +WARNING: drivers/mmc/host/cqhci-core.c:797 at cqhci_irq+0x254/0x818, CPU#1: kworker/1:0H/24 +Modules linked in: +CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0H Not tainted 6.19.0-rc1-00001-g09db0998649d-dirty #204 PREEMPT +Hardware name: Rockchip RK3588 EVB1 V10 Board (DT) +Workqueue: kblockd blk_mq_run_work_fn +pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : cqhci_irq+0x254/0x818 +lr : cqhci_irq+0x254/0x818 +... 
+ +Fixes: c6f361cba51c ("mmc: sdhci-of-dwcmshc: add support for rk3588") +Cc: Sebastian Reichel +Cc: Yifeng Zhao +Signed-off-by: Shawn Lin +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-dwcmshc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/mmc/host/sdhci-of-dwcmshc.c ++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c +@@ -608,6 +608,13 @@ static void dwcmshc_rk3568_set_clock(str + sdhci_writel(host, extra, reg); + + if (clock <= 52000000) { ++ if (host->mmc->ios.timing == MMC_TIMING_MMC_HS200 || ++ host->mmc->ios.timing == MMC_TIMING_MMC_HS400) { ++ dev_err(mmc_dev(host->mmc), ++ "Can't reduce the clock below 52MHz in HS200/HS400 mode"); ++ return; ++ } ++ + /* + * Disable DLL and reset both of sample and drive clock. + * The bypass bit and start bit need to be set if DLL is not locked. diff --git a/queue-6.18/net-fec-account-for-vlan-header-in-frame-length-calculations.patch b/queue-6.18/net-fec-account-for-vlan-header-in-frame-length-calculations.patch new file mode 100644 index 0000000000..94f4edfe49 --- /dev/null +++ b/queue-6.18/net-fec-account-for-vlan-header-in-frame-length-calculations.patch 
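Review bot: the `dev_err()` format string added in the 608 hunk, `"Can't reduce the clock below 52MHz in HS200/HS400 mode"`, lacks the trailing `\n` that printk-family calls expect, so the next message can end up glued onto the same line. The early `return` also happens after the `sdhci_writel(host, extra, reg)` just above it has already been issued, and it bails out of a `void` set_clock callback, so the debugfs write still appears to succeed while the clock is left untouched; a comment stating that the earlier register write is harmless to leave in place, and `dev_warn_ratelimited()` since this path is reachable from debugfs, would make the intent clear.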
@@ -0,0 +1,77 @@ +From ca1bb3fedf26a08ed31974131bc0064d4fe33649 Mon Sep 17 00:00:00 2001 +From: Clemens Gruber +Date: Wed, 21 Jan 2026 09:37:51 +0100 +Subject: net: fec: account for VLAN header in frame length calculations + +From: Clemens Gruber + +commit ca1bb3fedf26a08ed31974131bc0064d4fe33649 upstream. + +The MAX_FL (maximum frame length) and related calculations used ETH_HLEN, +which does not account for the 4-byte VLAN tag in tagged frames. This +caused the hardware to reject valid VLAN frames as oversized, resulting +in RX errors and dropped packets. + +Use VLAN_ETH_HLEN instead of ETH_HLEN in the MAX_FL register setup, +cut-through mode threshold, buffer allocation, and max_mtu calculation. + +Cc: stable@kernel.org # v6.18+ +Fixes: 62b5bb7be7bc ("net: fec: update MAX_FL based on the current MTU") +Fixes: d466c16026e9 ("net: fec: enable the Jumbo frame support for i.MX8QM") +Fixes: 59e9bf037d75 ("net: fec: add change_mtu to support dynamic buffer allocation") +Fixes: ec2a1681ed4f ("net: fec: use a member variable for maximum buffer size") +Signed-off-by: Clemens Gruber +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20260121083751.66997-1-mail@clemensgruber.at +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1151,7 +1151,7 @@ fec_restart(struct net_device *ndev) + u32 rcntl = FEC_RCR_MII; + + if (OPT_ARCH_HAS_MAX_FL) +- rcntl |= (fep->netdev->mtu + ETH_HLEN + ETH_FCS_LEN) << 16; ++ rcntl |= (fep->netdev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN) << 16; + + if (fep->bufdesc_ex) + fec_ptp_save_state(fep); +@@ -1286,12 +1286,13 @@ fec_restart(struct net_device *ndev) + + /* When Jumbo Frame is enabled, the FIFO may not be large enough + * to hold an entire frame. 
In such cases, if the MTU exceeds +- * (PKT_MAXBUF_SIZE - ETH_HLEN - ETH_FCS_LEN), configure the interface +- * to operate in cut-through mode, triggered by the FIFO threshold. ++ * (PKT_MAXBUF_SIZE - VLAN_ETH_HLEN - ETH_FCS_LEN), configure ++ * the interface to operate in cut-through mode, triggered by ++ * the FIFO threshold. + * Otherwise, enable the ENET store-and-forward mode. + */ + if ((fep->quirks & FEC_QUIRK_JUMBO_FRAME) && +- (ndev->mtu > (PKT_MAXBUF_SIZE - ETH_HLEN - ETH_FCS_LEN))) ++ (ndev->mtu > (PKT_MAXBUF_SIZE - VLAN_ETH_HLEN - ETH_FCS_LEN))) + writel(0xF, fep->hwp + FEC_X_WMRK); + else + writel(FEC_TXWMRK_STRFWD, fep->hwp + FEC_X_WMRK); +@@ -4052,7 +4053,7 @@ static int fec_change_mtu(struct net_dev + if (netif_running(ndev)) + return -EBUSY; + +- order = get_order(new_mtu + ETH_HLEN + ETH_FCS_LEN ++ order = get_order(new_mtu + VLAN_ETH_HLEN + ETH_FCS_LEN + + FEC_DRV_RESERVE_SPACE); + fep->rx_frame_size = (PAGE_SIZE << order) - FEC_DRV_RESERVE_SPACE; + fep->pagepool_order = order; +@@ -4609,7 +4610,7 @@ fec_probe(struct platform_device *pdev) + else + fep->max_buf_size = PKT_MAXBUF_SIZE; + +- ndev->max_mtu = fep->max_buf_size - ETH_HLEN - ETH_FCS_LEN; ++ ndev->max_mtu = fep->max_buf_size - VLAN_ETH_HLEN - ETH_FCS_LEN; + + ret = register_netdev(ndev); + if (ret) diff --git a/queue-6.18/net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch b/queue-6.18/net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch new file mode 100644 index 0000000000..541ebae652 --- /dev/null +++ b/queue-6.18/net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch 
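Review bot: the four `ETH_HLEN` to `VLAN_ETH_HLEN` substitutions depend on `<linux/if_vlan.h>` being available in fec_main.c, and none of the hunks shows the include list, so please confirm the header is included directly rather than reached transitively. Note also that the `fec_probe()` hunk lowers the advertised `ndev->max_mtu` by 4 bytes relative to the previous formula, which is a user-visible change worth a sentence in the commit message.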
@@ -0,0 +1,33 @@ +From a92a6c50e35b75a8021265507f3c2a9084df0b94 Mon Sep 17 00:00:00 2001 +From: Hamza Mahfooz +Date: Tue, 13 Jan 2026 18:29:57 -0500 +Subject: net: sfp: add potron quirk to the H-COM SPP425H-GAB4 SFP+ Stick + +From: Hamza Mahfooz + +commit a92a6c50e35b75a8021265507f3c2a9084df0b94 upstream. + +This is another one of those XGSPON ONU sticks that's using the +X-ONU-SFPP internally, thus it also requires the potron quirk to avoid tx +faults. So, add an entry for it in sfp_quirks[]. + +Cc: stable@vger.kernel.org +Signed-off-by: Hamza Mahfooz +Link: https://patch.msgid.link/20260113232957.609642-1-someguy@effective-light.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/sfp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -519,6 +519,8 @@ static const struct sfp_quirk sfp_quirks + + SFP_QUIRK_F("HALNy", "HL-GSFP", sfp_fixup_halny_gsfp), + ++ SFP_QUIRK_F("H-COM", "SPP425H-GAB4", sfp_fixup_potron), ++ + // HG MXPD-483II-F 2.5G supports 2500Base-X, but incorrectly reports + // 2600MBd in their EERPOM + SFP_QUIRK_S("HG GENUINE", "MXPD-483II", sfp_quirk_2500basex), diff --git a/queue-6.18/net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch b/queue-6.18/net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch new file mode 100644 index 0000000000..94bc3780a4 --- /dev/null +++ b/queue-6.18/net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch 
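Review bot: the new `SFP_QUIRK_F("H-COM", "SPP425H-GAB4", sfp_fixup_potron)` entry has no explanatory comment, unlike the neighbouring `HG GENUINE` entry; a one-line comment saying the stick is an X-ONU-SFPP based XGSPON ONU that needs the potron fixup to avoid TX faults (the reason given in the commit message) would keep that knowledge next to the table instead of only in git history.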
@@ -0,0 +1,49 @@ +From 3d778e65b4f44c6af4901d83020bb8a0a010f39e Mon Sep 17 00:00:00 2001 +From: Jiawen Wu +Date: Mon, 19 Jan 2026 14:59:35 +0800 +Subject: net: txgbe: remove the redundant data return in SW-FW mailbox + +From: Jiawen Wu + +commit 3d778e65b4f44c6af4901d83020bb8a0a010f39e upstream. + +For these two firmware mailbox commands, in txgbe_test_hostif() and +txgbe_set_phy_link_hostif(), there is no need to read data from the +buffer. + +Under the current setting, OEM firmware will cause the driver to fail to +probe. Because OEM firmware returns more link information, with a larger +OEM structure txgbe_hic_ephy_getlink. However, the current driver does +not support the OEM function. So just fix it in the way that does not +involve reading the returned data. + +Fixes: d84a3ff9aae8 ("net: txgbe: Restrict the use of mismatched FW versions") +Cc: stable@vger.kernel.org +Signed-off-by: Jiawen Wu +Link: https://patch.msgid.link/2914AB0BC6158DDA+20260119065935.6015-1-jiawenwu@trustnetic.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c +@@ -65,7 +65,7 @@ int txgbe_test_hostif(struct wx *wx) + buffer.hdr.cmd_or_resp.cmd_resv = FW_CEM_CMD_RESERVED; + + return wx_host_interface_command(wx, (u32 *)&buffer, sizeof(buffer), +- WX_HI_COMMAND_TIMEOUT, true); ++ WX_HI_COMMAND_TIMEOUT, false); + } + + static int txgbe_identify_sfp_hostif(struct wx *wx, struct txgbe_hic_i2c_read *buffer) +@@ -103,7 +103,7 @@ static int txgbe_set_phy_link_hostif(str + buffer.duplex = duplex; + + return wx_host_interface_command(wx, (u32 *)&buffer, sizeof(buffer), +- WX_HI_COMMAND_TIMEOUT, true); ++ WX_HI_COMMAND_TIMEOUT, false); + } + + static void txgbe_get_link_capabilities(struct wx *wx) 
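Review bot: the boolean flipped to `false` in both `txgbe_test_hostif()` and `txgbe_set_phy_link_hostif()` is a bare literal at the call site, so a reader of the hunk cannot tell that it selects "do not copy response data back into the buffer"; a short comment on each call, or a named constant, would document the OEM-firmware interaction described in the commit message. Both call sites `return` the command result directly, so nothing afterwards consumes `buffer` and the change is safe as far as these two functions are concerned.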
diff --git a/queue-6.18/netrom-fix-double-free-in-nr_route_frame.patch b/queue-6.18/netrom-fix-double-free-in-nr_route_frame.patch new file mode 100644 index 0000000000..2a98fcbf03 --- /dev/null +++ b/queue-6.18/netrom-fix-double-free-in-nr_route_frame.patch 
@@ -0,0 +1,69 @@ +From ba1096c315283ee3292765f6aea4cca15816c4f7 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 19 Jan 2026 15:33:59 +0900 +Subject: netrom: fix double-free in nr_route_frame() + +From: Jeongjun Park + +commit ba1096c315283ee3292765f6aea4cca15816c4f7 upstream. + +In nr_route_frame(), old_skb is immediately freed without checking if +nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, +the caller function will free old_skb again, causing a double-free bug. + +Therefore, to prevent this, we need to modify it to check whether +nr_neigh->ax25 is NULL before freeing old_skb. + +Cc: +Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jeongjun Park +Link: https://patch.msgid.link/20260119063359.10604-1-aha310510@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/nr_route.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -752,7 +752,7 @@ int nr_route_frame(struct sk_buff *skb, + unsigned char *dptr; + ax25_cb *ax25s; + int ret; +- struct sk_buff *skbn; ++ struct sk_buff *nskb, *oskb; + + /* + * Reject malformed packets early. Check that it contains at least 2 +@@ -811,14 +811,16 @@ int nr_route_frame(struct sk_buff *skb, + /* We are going to change the netrom headers so we should get our + own skb, we also did not know until now how much header space + we had to reserve... 
- RXQ */ +- if ((skbn=skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC)) == NULL) { ++ nskb = skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC); ++ ++ if (!nskb) { + nr_node_unlock(nr_node); + nr_node_put(nr_node); + dev_put(dev); + return 0; + } +- kfree_skb(skb); +- skb=skbn; ++ oskb = skb; ++ skb = nskb; + skb->data[14]--; + + dptr = skb_push(skb, 1); +@@ -837,6 +839,9 @@ int nr_route_frame(struct sk_buff *skb, + nr_node_unlock(nr_node); + nr_node_put(nr_node); + ++ if (ret) ++ kfree_skb(oskb); ++ + return ret; + } + diff --git a/queue-6.18/octeontx2-fix-otx2_dma_map_page-error-return-code.patch b/queue-6.18/octeontx2-fix-otx2_dma_map_page-error-return-code.patch new file mode 100644 index 0000000000..c33ebdc719 --- /dev/null +++ b/queue-6.18/octeontx2-fix-otx2_dma_map_page-error-return-code.patch 
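Review bot: `oskb` is declared uninitialised in the 752 hunk (`struct sk_buff *nskb, *oskb;`) and is only assigned in the 811 hunk after `skb_copy_expand()` succeeds, yet the new `if (ret) kfree_skb(oskb);` in the 837 hunk runs on every path that reaches the final `return ret`; unless every such path passes through the copy, this frees an indeterminate pointer. Initialising it (`*oskb = NULL`) costs nothing because `kfree_skb(NULL)` is a no-op, and a comment stating the ownership rule (on success the routed copy has been handed on and the original is freed here; on `ret == 0` the caller still owns and frees the original) would make the double-free fix self-documenting.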
@@ -0,0 +1,46 @@ +From d998b0e5afffa90d0f03770bad31083767079858 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 14 Jan 2026 13:31:06 +0100 +Subject: octeontx2: Fix otx2_dma_map_page() error return code + +From: Thomas Fourier + +commit d998b0e5afffa90d0f03770bad31083767079858 upstream. + +0 is a valid DMA address [1] so using it as the error value can lead to +errors. The error value of dma_map_XXX() functions is DMA_MAPPING_ERROR +which is ~0. The callers of otx2_dma_map_page() use dma_mapping_error() +to test the return value of otx2_dma_map_page(). This means that they +would not detect an error in otx2_dma_map_page(). + +Make otx2_dma_map_page() return the raw value of dma_map_page_attrs(). + +[1] https://lore.kernel.org/all/f977f68b-cec5-4ab7-b4bd-2cf6aca46267@intel.com + +Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues") +Cc: +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20260114123107.42387-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +@@ -934,13 +934,8 @@ static inline dma_addr_t otx2_dma_map_pa + size_t offset, size_t size, + enum dma_data_direction dir) + { +- dma_addr_t iova; +- +- iova = dma_map_page_attrs(pfvf->dev, page, ++ return dma_map_page_attrs(pfvf->dev, page, + offset, size, dir, DMA_ATTR_SKIP_CPU_SYNC); +- if (unlikely(dma_mapping_error(pfvf->dev, iova))) +- return (dma_addr_t)NULL; +- return iova; + } + + static inline void otx2_dma_unmap_page(struct otx2_nic *pfvf, diff --git a/queue-6.18/of-fix-reference-count-leak-in-of_alias_scan.patch b/queue-6.18/of-fix-reference-count-leak-in-of_alias_scan.patch new file mode 100644 index 0000000000..a373cbbbd0 --- /dev/null 
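Review bot: `otx2_dma_map_page()` in the 934 hunk now forwards the raw return of `dma_map_page_attrs()`, so the only thing the wrapper still adds is `DMA_ATTR_SKIP_CPU_SYNC`; a short comment above the inline function stating that callers must check the result with `dma_mapping_error()` (which the commit message says they already do) would stop someone from reintroducing the `(dma_addr_t)NULL` sentinel this fix removes.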
+++ b/queue-6.18/of-fix-reference-count-leak-in-of_alias_scan.patch @@ -0,0 +1,49 @@ +From 81122fba08fa3ccafab6ed272a5c6f2203923a7e Mon Sep 17 00:00:00 2001 +From: Weigang He +Date: Sat, 17 Jan 2026 09:12:38 +0000 +Subject: of: fix reference count leak in of_alias_scan() + +From: Weigang He + +commit 81122fba08fa3ccafab6ed272a5c6f2203923a7e upstream. + +of_find_node_by_path() returns a device_node with its refcount +incremented. When kstrtoint() fails or dt_alloc() fails, the function +continues to the next iteration without calling of_node_put(), causing +a reference count leak. + +Add of_node_put(np) before continue on both error paths to properly +release the device_node reference. + +Fixes: 611cad720148 ("dt: add of_alias_scan and of_alias_get_id") +Cc: stable@vger.kernel.org +Signed-off-by: Weigang He +Link: https://patch.msgid.link/20260117091238.481243-1-geoffreyhe2@gmail.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1895,13 +1895,17 @@ void of_alias_scan(void * (*dt_alloc)(u6 + end--; + len = end - start; + +- if (kstrtoint(end, 10, &id) < 0) ++ if (kstrtoint(end, 10, &id) < 0) { ++ of_node_put(np); + continue; ++ } + + /* Allocate an alias_prop with enough space for the stem */ + ap = dt_alloc(sizeof(*ap) + len + 1, __alignof__(*ap)); +- if (!ap) ++ if (!ap) { ++ of_node_put(np); + continue; ++ } + memset(ap, 0, sizeof(*ap) + len + 1); + ap->alias = start; + of_alias_add(ap, np, id, start, len); diff --git a/queue-6.18/of-platform-use-default-match-table-for-firmware.patch b/queue-6.18/of-platform-use-default-match-table-for-firmware.patch new file mode 100644 index 0000000000..8f139e05f6 --- /dev/null +++ b/queue-6.18/of-platform-use-default-match-table-for-firmware.patch 
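Review bot: the two new `of_node_put(np); continue;` blocks in the 1895 hunk are correct only because the success path hands the `np` reference to `of_alias_add()`; the hunk itself does not show that ownership transfer, so a comment next to the `of_alias_add(ap, np, id, start, len)` call noting that the alias entry keeps the reference would explain why the put is asymmetric between the error and success paths.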
@@ -0,0 +1,40 @@ +From 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 Mon Sep 17 00:00:00 2001 +From: "Rob Herring (Arm)" +Date: Tue, 13 Jan 2026 19:51:58 -0600 +Subject: of: platform: Use default match table for /firmware + +From: Rob Herring (Arm) + +commit 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 upstream. + +Calling of_platform_populate() without a match table will only populate +the immediate child nodes under /firmware. This is usually fine, but in +the case of something like a "simple-mfd" node such as +"raspberrypi,bcm2835-firmware", those child nodes will not be populated. +And subsequent calls won't work either because the /firmware node is +marked as processed already. + +Switch the call to of_platform_default_populate() to solve this problem. +It should be a nop for existing cases. + +Fixes: 3aa0582fdb82 ("of: platform: populate /firmware/ node from of_platform_default_populate_init()") +Cc: stable@vger.kernel.org +Reviewed-by: Sudeep Holla +Link: https://patch.msgid.link/20260114015158.692170-2-robh@kernel.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/platform.c ++++ b/drivers/of/platform.c +@@ -569,7 +569,7 @@ static int __init of_platform_default_po + + node = of_find_node_by_path("/firmware"); + if (node) { +- of_platform_populate(node, NULL, NULL, NULL); ++ of_platform_default_populate(node, NULL, NULL); + of_node_put(node); + } + diff --git a/queue-6.18/panic-only-warn-about-deprecated-panic_print-on-write-access.patch b/queue-6.18/panic-only-warn-about-deprecated-panic_print-on-write-access.patch new file mode 100644 index 0000000000..8b733fddb7 --- /dev/null +++ b/queue-6.18/panic-only-warn-about-deprecated-panic_print-on-write-access.patch 
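Review bot: the return value of `of_platform_default_populate(node, NULL, NULL)` in the 569 hunk is discarded, as `of_platform_populate()`'s was before it; given that the commit message is about child nodes of /firmware silently failing to be populated, a `pr_warn()` on a non-zero return would make a repeat of that failure visible instead of silent.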
@@ -0,0 +1,61 @@ +From 90f3c123247e9564f2ecf861946ec41ceaf5e198 Mon Sep 17 00:00:00 2001 +From: Gal Pressman +Date: Tue, 6 Jan 2026 18:33:21 +0200 +Subject: panic: only warn about deprecated panic_print on write access + +From: Gal Pressman + +commit 90f3c123247e9564f2ecf861946ec41ceaf5e198 upstream. + +The panic_print_deprecated() warning is being triggered on both read and +write operations to the panic_print parameter. + +This causes spurious warnings when users run 'sysctl -a' to list all +sysctl values, since that command reads /proc/sys/kernel/panic_print and +triggers the deprecation notice. + +Modify the handlers to only emit the deprecation warning when the +parameter is actually being set: + + - sysctl_panic_print_handler(): check 'write' flag before warning. + - panic_print_get(): remove the deprecation call entirely. + +This way, users are only warned when they actively try to use the +deprecated parameter, not when passively querying system state. + +Link: https://lkml.kernel.org/r/20260106163321.83586-1-gal@nvidia.com +Fixes: ee13240cd78b ("panic: add note that panic_print sysctl interface is deprecated") +Fixes: 2683df6539cb ("panic: add note that 'panic_print' parameter is deprecated") +Signed-off-by: Gal Pressman +Reviewed-by: Mark Bloch +Reviewed-by: Nimrod Oren +Cc: Feng Tang +Cc: Joel Granados +Cc: Petr Mladek +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/panic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -131,7 +131,8 @@ static int proc_taint(const struct ctl_t + static int sysctl_panic_print_handler(const struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- panic_print_deprecated(); ++ if (write) ++ panic_print_deprecated(); + return proc_doulongvec_minmax(table, write, buffer, lenp, ppos); + } + +@@ -1010,7 +1011,6 @@ static int panic_print_set(const char *v + + static int panic_print_get(char *val, const 
struct kernel_param *kp) + { +- panic_print_deprecated(); + return param_get_ulong(val, kp); + } + diff --git a/queue-6.18/perf-x86-intel-do-not-enable-bts-for-guests.patch b/queue-6.18/perf-x86-intel-do-not-enable-bts-for-guests.patch new file mode 100644 index 0000000000..34bdccba10 --- /dev/null +++ b/queue-6.18/perf-x86-intel-do-not-enable-bts-for-guests.patch 
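Review bot: the `if (write) panic_print_deprecated();` guard in the 131 hunk reads well, but the reason (keeping `sysctl -a` reads quiet, per the commit message) is not visible in the code; a one-line comment there, and a note beside `panic_print_get()` that the getter is intentionally silent, would stop a later cleanup from putting the call back on the read path.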
@@ -0,0 +1,59 @@ +From 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 Mon Sep 17 00:00:00 2001 +From: Fernand Sieber +Date: Thu, 11 Dec 2025 20:36:04 +0200 +Subject: perf/x86/intel: Do not enable BTS for guests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fernand Sieber + +commit 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 upstream. + +By default when users program perf to sample branch instructions +(PERF_COUNT_HW_BRANCH_INSTRUCTIONS) with a sample period of 1, perf +interprets this as a special case and enables BTS (Branch Trace Store) +as an optimization to avoid taking an interrupt on every branch. + +Since BTS doesn't virtualize, this optimization doesn't make sense when +the request originates from a guest. Add an additional check that +prevents this optimization for virtualized events (exclude_host). + +Reported-by: Jan H. Schönherr +Suggested-by: Peter Zijlstra +Signed-off-by: Fernand Sieber +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Link: https://patch.msgid.link/20251211183604.868641-1-sieberf@amazon.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/perf_event.h | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -1558,13 +1558,22 @@ static inline bool intel_pmu_has_bts_per + struct hw_perf_event *hwc = &event->hw; + unsigned int hw_event, bts_event; + +- if (event->attr.freq) ++ /* ++ * Only use BTS for fixed rate period==1 events. ++ */ ++ if (event->attr.freq || period != 1) ++ return false; ++ ++ /* ++ * BTS doesn't virtualize. ++ */ ++ if (event->attr.exclude_host) + return false; + + hw_event = hwc->config & INTEL_ARCH_EVENT_MASK; + bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS); + +- return hw_event == bts_event && period == 1; ++ return hw_event == bts_event; + } + + static inline bool intel_pmu_has_bts(struct perf_event *event) 
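Review bot: the `exclude_host` test in the 1558 hunk carries only the comment `BTS doesn't virtualize`, which states the motivation but not why `attr.exclude_host` is the right marker; extending the comment to say that this attribute identifies events programmed on behalf of a guest (as the commit message does) would make the check reviewable without the changelog. Moving the `period != 1` test ahead of the `event_map()` lookup is a tidy simplification of the final `return hw_event == bts_event;`.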
diff --git a/queue-6.18/platform-x86-hp-bioscfg-fix-automatic-module-loading.patch b/queue-6.18/platform-x86-hp-bioscfg-fix-automatic-module-loading.patch new file mode 100644 index 0000000000..1ef91634c6 --- /dev/null +++ b/queue-6.18/platform-x86-hp-bioscfg-fix-automatic-module-loading.patch 
@@ -0,0 +1,51 @@ +From 467d4afc6caa64b84a6db1634f8091e931f4a7cb Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 15 Jan 2026 14:31:12 -0600 +Subject: platform/x86: hp-bioscfg: Fix automatic module loading +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +commit 467d4afc6caa64b84a6db1634f8091e931f4a7cb upstream. + +hp-bioscfg has a MODULE_DEVICE_TABLE with a GUID in it that looks +plausible, but the module doesn't automatically load on applicable +systems. + +This is because the GUID has some lower case characters and so it +doesn't match the modalias during boot. Update the GUIDs to be all +uppercase. + +Cc: stable@vger.kernel.org +Fixes: 5f94f181ca25 ("platform/x86: hp-bioscfg: bioscfg-h") +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260115203725.828434-4-mario.limonciello@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/hp/hp-bioscfg/bioscfg.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h ++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h +@@ -57,14 +57,14 @@ enum mechanism_values { + + #define PASSWD_MECHANISM_TYPES "password" + +-#define HP_WMI_BIOS_GUID "5FB7F034-2C63-45e9-BE91-3D44E2C707E4" ++#define HP_WMI_BIOS_GUID "5FB7F034-2C63-45E9-BE91-3D44E2C707E4" + +-#define HP_WMI_BIOS_STRING_GUID "988D08E3-68F4-4c35-AF3E-6A1B8106F83C" ++#define HP_WMI_BIOS_STRING_GUID "988D08E3-68F4-4C35-AF3E-6A1B8106F83C" + #define HP_WMI_BIOS_INTEGER_GUID "8232DE3D-663D-4327-A8F4-E293ADB9BF05" + #define HP_WMI_BIOS_ENUMERATION_GUID "2D114B49-2DFB-4130-B8FE-4A3C09E75133" + #define HP_WMI_BIOS_ORDERED_LIST_GUID "14EA9746-CE1F-4098-A0E0-7045CB4DA745" + #define HP_WMI_BIOS_PASSWORD_GUID "322F2028-0F84-4901-988E-015176049E2D" +-#define HP_WMI_SET_BIOS_SETTING_GUID "1F4C91EB-DC5C-460b-951D-C7CB9B4B8D5E" ++#define 
HP_WMI_SET_BIOS_SETTING_GUID "1F4C91EB-DC5C-460B-951D-C7CB9B4B8D5E" + + enum hp_wmi_spm_commandtype { + HPWMI_SECUREPLATFORM_GET_STATE = 0x10, diff --git a/queue-6.18/pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch b/queue-6.18/pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch new file mode 100644 index 0000000000..9e9fc2012a --- /dev/null +++ b/queue-6.18/pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch 
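Review bot: the three GUID strings corrected in the 57 hunk are fixed by uppercasing their hex digits, but nothing in the header prevents the same slip the next time a GUID is added; a comment above the `HP_WMI_*_GUID` block stating that these values must be all uppercase to match the WMI modalias (the cause described in the commit message) would be cheap insurance. The hunk only covers the three mixed-case defines, so a quick scan of any remaining GUIDs in the file is worthwhile.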
@@ -0,0 +1,59 @@ +From 3de49966499634454fd59e0e6fecd50baab7febd Mon Sep 17 00:00:00 2001 +From: Ming Qian +Date: Fri, 5 Dec 2025 09:54:25 +0800 +Subject: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu + +From: Ming Qian + +commit 3de49966499634454fd59e0e6fecd50baab7febd upstream. + +For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset +and clock enable bits, but is ungated and reset together with the VPUs. +So we can't reset G1 or G2 separately, it may led to the system hang. +Remove rst_mask and clk_mask of imx8mq_vpu_blk_ctl_domain_data. +Let imx8mq_vpu_power_notifier() do really vpu reset. + +Fixes: 608d7c325e85 ("soc: imx: imx8m-blk-ctrl: add i.MX8MQ VPU blk-ctrl") +Signed-off-by: Ming Qian +Reviewed-by: Benjamin Gaignard +Reviewed-by: Peng Fan +Reviewed-by: Frank Li +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/imx/imx8m-blk-ctrl.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/pmdomain/imx/imx8m-blk-ctrl.c ++++ b/drivers/pmdomain/imx/imx8m-blk-ctrl.c +@@ -846,22 +846,25 @@ static int imx8mq_vpu_power_notifier(str + return NOTIFY_OK; + } + ++/* ++ * For i.MX8MQ, the ADB in the VPUMIX domain has no separate reset and clock ++ * enable bits, but is ungated and reset together with the VPUs. ++ * Resetting G1 or G2 separately may led to system hang. ++ * Remove the rst_mask and clk_mask from the domain data of G1 and G2, ++ * Let imx8mq_vpu_power_notifier() do really vpu reset. 
++ */ + static const struct imx8m_blk_ctrl_domain_data imx8mq_vpu_blk_ctl_domain_data[] = { + [IMX8MQ_VPUBLK_PD_G1] = { + .name = "vpublk-g1", + .clk_names = (const char *[]){ "g1", }, + .num_clks = 1, + .gpc_name = "g1", +- .rst_mask = BIT(1), +- .clk_mask = BIT(1), + }, + [IMX8MQ_VPUBLK_PD_G2] = { + .name = "vpublk-g2", + .clk_names = (const char *[]){ "g2", }, + .num_clks = 1, + .gpc_name = "g2", +- .rst_mask = BIT(0), +- .clk_mask = BIT(0), + }, + }; + diff --git a/queue-6.18/pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch b/queue-6.18/pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch new file mode 100644 index 0000000000..b02edf95ed --- /dev/null +++ b/queue-6.18/pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch 
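Review bot: the comment block added in the 846 hunk has a few wording slips worth fixing before it lands: `may led to system hang` should read `may lead to a system hang`, `Remove the rst_mask and clk_mask from the domain data of G1 and G2, Let ...` is a comma splice (end the sentence at `G2.`), and `do really vpu reset` should read `perform the actual VPU reset`. The removals of `.rst_mask` and `.clk_mask` themselves match what the commit message describes.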
@@ -0,0 +1,50 @@ +From 861d21c43c98478eef70e68e31d4ff86400c6ef7 Mon Sep 17 00:00:00 2001 +From: Frank Zhang +Date: Tue, 16 Dec 2025 13:52:47 +0800 +Subject: pmdomain:rockchip: Fix init genpd as GENPD_STATE_ON before regulator ready + +From: Frank Zhang + +commit 861d21c43c98478eef70e68e31d4ff86400c6ef7 upstream. + +RK3588_PD_NPU initialize as GENPD_STATE_ON before regulator ready. +rknn_iommu initlized success and suspend RK3588_PD_NPU. When rocket +driver register, it will resume rknn_iommu. + +If regulator is still not ready at this point, rknn_iommu resume fail, +pm runtime status will be error: -EPROBE_DEFER. + +This patch set pmdomain to off if it need regulator during probe, +consumer device can power on pmdomain after regulator ready. + +Signed-off-by: Frank Zhang +Tested-by: Chaoyi Chen +Tested-by: Quentin Schulz +Reviewed-by: Sebastian Reichel +Fixes: db6df2e3fc16 ("pmdomain: rockchip: add regulator support") +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/rockchip/pm-domains.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/pmdomain/rockchip/pm-domains.c ++++ b/drivers/pmdomain/rockchip/pm-domains.c +@@ -861,6 +861,16 @@ static int rockchip_pm_add_one_domain(st + pd->genpd.name = pd->info->name; + else + pd->genpd.name = kbasename(node->full_name); ++ ++ /* ++ * power domain's needing a regulator should default to off, since ++ * the regulator state is unknown at probe time. Also the regulator ++ * state cannot be checked, since that usually requires IP needing ++ * (a different) power domain. ++ */ ++ if (pd->info->need_regulator) ++ rockchip_pd_power(pd, false); ++ + pd->genpd.power_off = rockchip_pd_power_off; + pd->genpd.power_on = rockchip_pd_power_on; + pd->genpd.attach_dev = rockchip_pd_attach_dev; 
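Review bot: the comment added in the 861 hunk begins with `power domain's needing a regulator`, which should be `Power domains needing a regulator` (plural, no apostrophe). More substantively, the return value of `rockchip_pd_power(pd, false)` is ignored and the code proceeds to set up the genpd callbacks regardless, so a `dev_warn()` on a non-zero return would surface a failed power-off at probe instead of leaving the domain in an unknown state silently.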
diff --git a/queue-6.18/rust-io-always-inline-functions-using-build_assert-with-arguments.patch b/queue-6.18/rust-io-always-inline-functions-using-build_assert-with-arguments.patch new file mode 100644 index 0000000000..14fa56c095 --- /dev/null +++ b/queue-6.18/rust-io-always-inline-functions-using-build_assert-with-arguments.patch 
@@ -0,0 +1,70 @@ +From 33d19f621641de1b6ec6fe1bb2ac68a7d2c61f6a Mon Sep 17 00:00:00 2001 +From: Alexandre Courbot +Date: Mon, 8 Dec 2025 11:47:00 +0900 +Subject: rust: io: always inline functions using build_assert with arguments + +From: Alexandre Courbot + +commit 33d19f621641de1b6ec6fe1bb2ac68a7d2c61f6a upstream. + +`build_assert` relies on the compiler to optimize out its error path. +Functions using it with its arguments must thus always be inlined, +otherwise the error path of `build_assert` might not be optimized out, +triggering a build error. + +Cc: stable@vger.kernel.org +Fixes: ce30d94e6855 ("rust: add `io::{Io, IoRaw}` base types") +Reviewed-by: Daniel Almeida +Signed-off-by: Alexandre Courbot +Tested-by: Timur Tabi +Link: https://patch.msgid.link/20251208-io-build-assert-v3-2-98aded02c1ea@nvidia.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/io.rs | 9 ++++++--- + rust/kernel/io/resource.rs | 2 ++ + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/rust/kernel/io.rs ++++ b/rust/kernel/io.rs +@@ -140,7 +140,8 @@ macro_rules! define_read { + /// Bound checks are performed on compile time, hence if the offset is not known at compile + /// time, the build will fail. + $(#[$attr])* +- #[inline] ++ // Always inline to optimize out error path of `io_addr_assert`. ++ #[inline(always)] + pub fn $name(&self, offset: usize) -> $type_name { + let addr = self.io_addr_assert::<$type_name>(offset); + +@@ -169,7 +170,8 @@ macro_rules! define_write { + /// Bound checks are performed on compile time, hence if the offset is not known at compile + /// time, the build will fail. + $(#[$attr])* +- #[inline] ++ // Always inline to optimize out error path of `io_addr_assert`. 
++ #[inline(always)] + pub fn $name(&self, value: $type_name, offset: usize) { + let addr = self.io_addr_assert::<$type_name>(offset); + +@@ -237,7 +239,8 @@ impl Io { + self.addr().checked_add(offset).ok_or(EINVAL) + } + +- #[inline] ++ // Always inline to optimize out error path of `build_assert`. ++ #[inline(always)] + fn io_addr_assert(&self, offset: usize) -> usize { + build_assert!(Self::offset_valid::(offset, SIZE)); + +--- a/rust/kernel/io/resource.rs ++++ b/rust/kernel/io/resource.rs +@@ -222,6 +222,8 @@ impl Flags { + /// Resource represents a memory region that must be ioremaped using `ioremap_np`. + pub const IORESOURCE_MEM_NONPOSTED: Flags = Flags::new(bindings::IORESOURCE_MEM_NONPOSTED); + ++ // Always inline to optimize out error path of `build_assert`. ++ #[inline(always)] + const fn new(value: u32) -> Self { + crate::build_assert!(value as u64 <= c_ulong::MAX as u64); + Flags(value as c_ulong) diff --git a/queue-6.18/rust-irq-always-inline-functions-using-build_assert-with-arguments.patch b/queue-6.18/rust-irq-always-inline-functions-using-build_assert-with-arguments.patch new file mode 100644 index 0000000000..0dab168996 --- /dev/null +++ b/queue-6.18/rust-irq-always-inline-functions-using-build_assert-with-arguments.patch 
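Review bot: in the resource.rs hunk, `#[inline(always)]` is added to a `const fn new`, but the one call visible in context (`pub const IORESOURCE_MEM_NONPOSTED: Flags = Flags::new(...)`) is const-evaluated, where `build_assert!` is decided at compile time regardless of inlining; the attribute only matters for runtime callers of `Flags::new`, and the comment `Always inline to optimize out error path of build_assert` would be clearer if it said so. For the io.rs hunks, the commit message should name the configuration or toolchain that actually produced the build error, since stable testers have no other way to confirm the fix (the `Fixes:` tag only says every kernel since the base types were added is affected).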
@@ -0,0 +1,41 @@ +From 5d9c4c272ba06055d19e05c2a02e16e58acc8943 Mon Sep 17 00:00:00 2001 +From: Alexandre Courbot +Date: Mon, 8 Dec 2025 11:47:04 +0900 +Subject: rust: irq: always inline functions using build_assert with arguments + +From: Alexandre Courbot + +commit 5d9c4c272ba06055d19e05c2a02e16e58acc8943 upstream. + +`build_assert` relies on the compiler to optimize out its error path. +Functions using it with its arguments must thus always be inlined, +otherwise the error path of `build_assert` might not be optimized out, +triggering a build error. + +Cc: stable@vger.kernel.org +Fixes: 746680ec6696 ("rust: irq: add flags module") +Reviewed-by: Daniel Almeida +Signed-off-by: Alexandre Courbot +Link: https://patch.msgid.link/20251208-io-build-assert-v3-6-98aded02c1ea@nvidia.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/irq/flags.rs | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/rust/kernel/irq/flags.rs b/rust/kernel/irq/flags.rs +index adfde96ec47c..d26e25af06ee 100644 +--- a/rust/kernel/irq/flags.rs ++++ b/rust/kernel/irq/flags.rs +@@ -96,6 +96,8 @@ pub(crate) fn into_inner(self) -> c_ulong { + self.0 + } + ++ // Always inline to optimize out error path of `build_assert`. ++ #[inline(always)] + const fn new(value: u32) -> Self { + build_assert!(value as u64 <= c_ulong::MAX as u64); + Self(value as c_ulong) +-- +2.52.0 + diff --git a/queue-6.18/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch b/queue-6.18/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch new file mode 100644 index 0000000000..0c27f76568 --- /dev/null +++ b/queue-6.18/rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch 
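Review bot: the `Link:` tags show this patch is `-v3-6-` and the preceding rust/io patch is `-v3-2-` of the same series, so patches 3 through 5 are not in this queue; confirm they are already in 6.18 or genuinely not needed, because a partial backport of a series that changes how `build_assert` call sites are inlined can leave other callers with the same latent build failure. Minor consistency point: this patch carries `diff --git` and `index` headers plus the `-- 2.52.0` trailer while the rust/io patch has only the `---`/`+++` lines; quilt accepts both, but the queue is easier to audit when the format is uniform.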
@@ -0,0 +1,228 @@ +From 5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 20 Jan 2026 10:13:05 +0000 +Subject: rxrpc: Fix data-race warning and potential load/store tearing + +From: David Howells + +commit 5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b upstream. + +Fix the following: + + BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet + +which is reporting an issue with the reads and writes to ->last_tx_at in: + + conn->peer->last_tx_at = ktime_get_seconds(); + +and: + + keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME; + +The lockless accesses to these to values aren't actually a problem as the +read only needs an approximate time of last transmission for the purposes +of deciding whether or not the transmission of a keepalive packet is +warranted yet. + +Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bit +arch. + +Fix both of these by switching to an unsigned int for ->last_tx_at and only +storing the LSW of the time64_t. It can then be reconstructed at need +provided no more than 68 years has elapsed since the last transmission. 
+ +Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive") +Reported-by: syzbot+6182afad5045e6703b3d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/695e7cfb.050a0220.1c677c.036b.GAE@google.com/ +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/1107124.1768903985@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/ar-internal.h | 9 ++++++++- + net/rxrpc/conn_event.c | 2 +- + net/rxrpc/output.c | 14 +++++++------- + net/rxrpc/peer_event.c | 17 ++++++++++++++++- + net/rxrpc/proc.c | 4 ++-- + net/rxrpc/rxgk.c | 2 +- + net/rxrpc/rxkad.c | 2 +- + 7 files changed, 36 insertions(+), 14 deletions(-) + +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -387,7 +387,7 @@ struct rxrpc_peer { + struct rb_root service_conns; /* Service connections */ + struct list_head keepalive_link; /* Link in net->peer_keepalive[] */ + unsigned long app_data; /* Application data (e.g. afs_server) */ +- time64_t last_tx_at; /* Last time packet sent here */ ++ unsigned int last_tx_at; /* Last time packet sent here (time64_t LSW) */ + seqlock_t service_conn_lock; + spinlock_t lock; /* access lock */ + int debug_id; /* debug ID for printks */ +@@ -1379,6 +1379,13 @@ void rxrpc_peer_keepalive_worker(struct + void rxrpc_input_probe_for_pmtud(struct rxrpc_connection *conn, rxrpc_serial_t acked_serial, + bool sendmsg_fail); + ++/* Update the last transmission time on a peer for keepalive purposes. */ ++static inline void rxrpc_peer_mark_tx(struct rxrpc_peer *peer) ++{ ++ /* To avoid tearing on 32-bit systems, we only keep the LSW. 
*/ ++ WRITE_ONCE(peer->last_tx_at, ktime_get_seconds()); ++} ++ + /* + * peer_object.c + */ +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -194,7 +194,7 @@ void rxrpc_conn_retransmit_call(struct r + } + + ret = kernel_sendmsg(conn->local->socket, &msg, iov, ioc, len); +- conn->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(conn->peer); + if (ret < 0) + trace_rxrpc_tx_fail(chan->call_debug_id, serial, ret, + rxrpc_tx_point_call_final_resend); +--- a/net/rxrpc/output.c ++++ b/net/rxrpc/output.c +@@ -275,7 +275,7 @@ static void rxrpc_send_ack_packet(struct + rxrpc_local_dont_fragment(conn->local, why == rxrpc_propose_ack_ping_for_mtu_probe); + + ret = do_udp_sendmsg(conn->local->socket, &msg, len); +- call->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(call->peer); + if (ret < 0) { + trace_rxrpc_tx_fail(call->debug_id, serial, ret, + rxrpc_tx_point_call_ack); +@@ -411,7 +411,7 @@ int rxrpc_send_abort_packet(struct rxrpc + + iov_iter_kvec(&msg.msg_iter, WRITE, iov, 1, sizeof(pkt)); + ret = do_udp_sendmsg(conn->local->socket, &msg, sizeof(pkt)); +- conn->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(conn->peer); + if (ret < 0) + trace_rxrpc_tx_fail(call->debug_id, serial, ret, + rxrpc_tx_point_call_abort); +@@ -698,7 +698,7 @@ void rxrpc_send_data_packet(struct rxrpc + ret = 0; + trace_rxrpc_tx_data(call, txb->seq, txb->serial, txb->flags, + rxrpc_txdata_inject_loss); +- conn->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(conn->peer); + goto done; + } + } +@@ -711,7 +711,7 @@ void rxrpc_send_data_packet(struct rxrpc + */ + rxrpc_inc_stat(call->rxnet, stat_tx_data_send); + ret = do_udp_sendmsg(conn->local->socket, &msg, len); +- conn->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(conn->peer); + + if (ret == -EMSGSIZE) { + rxrpc_inc_stat(call->rxnet, stat_tx_data_send_msgsize); +@@ -797,7 +797,7 @@ void rxrpc_send_conn_abort(struct rxrpc_ + + 
trace_rxrpc_tx_packet(conn->debug_id, &whdr, rxrpc_tx_point_conn_abort); + +- conn->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(conn->peer); + } + + /* +@@ -917,7 +917,7 @@ void rxrpc_send_keepalive(struct rxrpc_p + trace_rxrpc_tx_packet(peer->debug_id, &whdr, + rxrpc_tx_point_version_keepalive); + +- peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(peer); + _leave(""); + } + +@@ -973,7 +973,7 @@ void rxrpc_send_response(struct rxrpc_co + if (ret < 0) + goto fail; + +- conn->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(conn->peer); + return; + + fail: +--- a/net/rxrpc/peer_event.c ++++ b/net/rxrpc/peer_event.c +@@ -238,6 +238,21 @@ static void rxrpc_distribute_error(struc + } + + /* ++ * Reconstruct the last transmission time. The difference calculated should be ++ * valid provided no more than ~68 years elapsed since the last transmission. ++ */ ++static time64_t rxrpc_peer_get_tx_mark(const struct rxrpc_peer *peer, time64_t base) ++{ ++ s32 last_tx_at = READ_ONCE(peer->last_tx_at); ++ s32 base_lsw = base; ++ s32 diff = last_tx_at - base_lsw; ++ ++ diff = clamp(diff, -RXRPC_KEEPALIVE_TIME, RXRPC_KEEPALIVE_TIME); ++ ++ return diff + base; ++} ++ ++/* + * Perform keep-alive pings. 
+ */ + static void rxrpc_peer_keepalive_dispatch(struct rxrpc_net *rxnet, +@@ -265,7 +280,7 @@ static void rxrpc_peer_keepalive_dispatc + spin_unlock_bh(&rxnet->peer_hash_lock); + + if (use) { +- keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME; ++ keepalive_at = rxrpc_peer_get_tx_mark(peer, base) + RXRPC_KEEPALIVE_TIME; + slot = keepalive_at - base; + _debug("%02x peer %u t=%d {%pISp}", + cursor, peer->debug_id, slot, &peer->srx.transport); +--- a/net/rxrpc/proc.c ++++ b/net/rxrpc/proc.c +@@ -296,13 +296,13 @@ static int rxrpc_peer_seq_show(struct se + + now = ktime_get_seconds(); + seq_printf(seq, +- "UDP %-47.47s %-47.47s %3u %4u %5u %6llus %8d %8d\n", ++ "UDP %-47.47s %-47.47s %3u %4u %5u %6ds %8d %8d\n", + lbuff, + rbuff, + refcount_read(&peer->ref), + peer->cong_ssthresh, + peer->max_data, +- now - peer->last_tx_at, ++ (s32)now - (s32)READ_ONCE(peer->last_tx_at), + READ_ONCE(peer->recent_srtt_us), + READ_ONCE(peer->recent_rto_us)); + +--- a/net/rxrpc/rxgk.c ++++ b/net/rxrpc/rxgk.c +@@ -678,7 +678,7 @@ static int rxgk_issue_challenge(struct r + + ret = do_udp_sendmsg(conn->local->socket, &msg, len); + if (ret > 0) +- conn->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(conn->peer); + __free_page(page); + + if (ret < 0) { +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -694,7 +694,7 @@ static int rxkad_issue_challenge(struct + return -EAGAIN; + } + +- conn->peer->last_tx_at = ktime_get_seconds(); ++ rxrpc_peer_mark_tx(conn->peer); + trace_rxrpc_tx_packet(conn->debug_id, &whdr, + rxrpc_tx_point_rxkad_challenge); + _leave(" = 0"); diff --git a/queue-6.18/s390-ap-fix-wrong-apqn-fill-calculation.patch b/queue-6.18/s390-ap-fix-wrong-apqn-fill-calculation.patch new file mode 100644 index 0000000000..32b6d43ff3 --- /dev/null +++ b/queue-6.18/s390-ap-fix-wrong-apqn-fill-calculation.patch 
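Review bot: `rxrpc_peer_mark_tx()` in ar-internal.h stores the `time64_t` returned by `ktime_get_seconds()` into the `unsigned int last_tx_at` through `WRITE_ONCE()` with an implicit narrowing; an explicit `(u32)` cast would make the "only keep the LSW" intent in the comment visible to readers and static checkers. In `rxrpc_peer_get_tx_mark()` (peer_event.c) the difference `last_tx_at - base_lsw` is computed on two `s32` values and therefore relies on signed wrap-around being defined (it is under the kernel's `-fno-strict-overflow`, but `(s32)(u32_last - u32_base)` would express the modular arithmetic directly and not depend on that flag). The proc.c change prints `(s32)now - (s32)READ_ONCE(peer->last_tx_at)` without the clamp used in peer_event.c, so a peer idle for longer than the ~68 year bound given in the commit message would show a wrapped negative age in `/proc`; acceptable for a debug file, but a one-line comment would save the next reader from checking.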
@@ -0,0 +1,52 @@ +From 3317785a8803db629efc759d811d0f589d3a0b2d Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Mon, 19 Jan 2026 10:37:28 +0100 +Subject: s390/ap: Fix wrong APQN fill calculation + +From: Harald Freudenberger + +commit 3317785a8803db629efc759d811d0f589d3a0b2d upstream. + +The upper limit of the firmware queue fill state for each APQN +is reported by the hwinfo.qd field. This field shows the +numbers 0-7 for 1-8 queue spaces available. But the exploiting +code assumed the real boundary is stored there and thus stoppes +queuing in messages one tick too early. + +Correct the limit calculation and thus offer a boost +of 12.5% performance for high traffic on one APQN. + +Fixes: d4c53ae8e4948 ("s390/ap: store TAPQ hwinfo in struct ap_card") +Cc: stable@vger.kernel.org +Reported-by: Ingo Franzki +Reviewed-by: Ingo Franzki +Signed-off-by: Harald Freudenberger +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/crypto/ap_card.c | 2 +- + drivers/s390/crypto/ap_queue.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/s390/crypto/ap_card.c ++++ b/drivers/s390/crypto/ap_card.c +@@ -44,7 +44,7 @@ static ssize_t depth_show(struct device + { + struct ap_card *ac = to_ap_card(dev); + +- return sysfs_emit(buf, "%d\n", ac->hwinfo.qd); ++ return sysfs_emit(buf, "%d\n", ac->hwinfo.qd + 1); + } + + static DEVICE_ATTR_RO(depth); +--- a/drivers/s390/crypto/ap_queue.c ++++ b/drivers/s390/crypto/ap_queue.c +@@ -269,7 +269,7 @@ static enum ap_sm_wait ap_sm_write(struc + list_move_tail(&ap_msg->list, &aq->pendingq); + aq->requestq_count--; + aq->pendingq_count++; +- if (aq->queue_count < aq->card->hwinfo.qd) { ++ if (aq->queue_count < aq->card->hwinfo.qd + 1) { + aq->sm_state = AP_SM_STATE_WORKING; + return AP_SM_WAIT_AGAIN; + } 
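Review bot: the ap_card.c hunk changes the value reported by the `depth` sysfs attribute from `hwinfo.qd` (0-7) to `hwinfo.qd + 1` (1-8), which is a user-visible ABI change; check whether the s390 sysfs ABI documentation describes the old range and update it in the same fix, and note the change in the commit message so userspace that parsed the old value is not surprised. The `qd + 1` encoding is now duplicated in ap_card.c and ap_queue.c; computing the real depth once where `hwinfo` is stored (or through a small accessor) keeps the "qd is depth minus one" knowledge in one place.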
diff --git a/queue-6.18/s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch b/queue-6.18/s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch new file mode 100644 index 0000000000..aae05d8b4d --- /dev/null +++ b/queue-6.18/s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch 
@@ -0,0 +1,60 @@ +From ddc6cbef3ef10359b5640b4ee810a520edc73586 Mon Sep 17 00:00:00 2001 +From: Alexander Egorenkov +Date: Wed, 21 Jan 2026 14:59:50 +0100 +Subject: s390/boot/vmlinux.lds.S: Ensure bzImage ends with SecureBoot trailer + +From: Alexander Egorenkov + +commit ddc6cbef3ef10359b5640b4ee810a520edc73586 upstream. + +Since commit 3e86e4d74c04 ("kbuild: keep .modinfo section in +vmlinux.unstripped") the .modinfo section which has SHF_ALLOC ends up +in bzImage after the SecureBoot trailer. This breaks SecureBoot because +the bootloader can no longer find the SecureBoot trailer with kernel's +signature at the expected location in bzImage. To fix the bug, +move discarded sections before the ELF_DETAILS macro and discard +the .modinfo section which is not needed by the decompressor. + +Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped") +Cc: stable@vger.kernel.org +Suggested-by: Vasily Gorbik +Reviewed-by: Vasily Gorbik +Tested-by: Vasily Gorbik +Signed-off-by: Alexander Egorenkov +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/boot/vmlinux.lds.S | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/arch/s390/boot/vmlinux.lds.S ++++ b/arch/s390/boot/vmlinux.lds.S +@@ -137,6 +137,15 @@ SECTIONS + } + _end = .; + ++ /* Sections to be discarded */ ++ /DISCARD/ : { ++ COMMON_DISCARDS ++ *(.eh_frame) ++ *(*__ksymtab*) ++ *(___kcrctab*) ++ *(.modinfo) ++ } ++ + DWARF_DEBUG + ELF_DETAILS + +@@ -161,12 +170,4 @@ SECTIONS + *(.rela.*) *(.rela_*) + } + ASSERT(SIZEOF(.rela.dyn) == 0, "Unexpected run-time relocations (.rela) detected!") +- +- /* Sections to be discarded */ +- /DISCARD/ : { +- COMMON_DISCARDS +- *(.eh_frame) +- *(*__ksymtab*) +- *(___kcrctab*) +- } + } diff --git a/queue-6.18/series b/queue-6.18/series index 5c9640c27f..4ece3858db 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
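Review bot: the relocated `/DISCARD/` block now also drops `.modinfo`, but nothing in the script asserts that the SecureBoot trailer remains the last thing in the image; since the breakage described in the commit message (an `SHF_ALLOC` section landing after the trailer) was only caught by a failed boot, consider adding an `ASSERT()` beside the existing `ASSERT(SIZEOF(.rela.dyn) == 0, ...)` that compares `_end` (or the trailer's end address) with the end of the allocated output, so the next kbuild change that keeps a new section in vmlinux fails at link time rather than at boot. The hunk moves the discard list above `DWARF_DEBUG`/`ELF_DETAILS`; a short comment explaining that the order is deliberate would stop a future cleanup from moving it back.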
@@ -149,3 +149,70 @@ dpll-prevent-duplicate-registrations.patch octeontx2-af-add-proper-checks-for-fwdata.patch x86-make-page-fault-handling-disable-interrupts-prop.patch keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch +leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch +panic-only-warn-about-deprecated-panic_print-on-write-access.patch +of-fix-reference-count-leak-in-of_alias_scan.patch +of-platform-use-default-match-table-for-firmware.patch +migrate-correct-lock-ordering-for-hugetlb-file-folios.patch +iio-accel-adxl380-fix-handling-of-unavailable-int1-interrupt.patch +iio-accel-iis328dq-fix-gain-values.patch +iio-adc-ad9467-fix-ad9434-vref-mask.patch +iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch +iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch +iio-adc-pac1934-fix-clamped-value-in-pac1934_reg_snapshot.patch +iio-chemical-scd4x-fix-reported-channel-endianness.patch +iio-dac-ad3552r-hs-fix-out-of-bound-write-in-ad3552r_hs_write_data_source.patch +iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch +alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch +alsa-hda-realtek-add-quirk-for-samsung-730qed-to-fix-headphone.patch +alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch +alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch +mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch +mmc-sdhci-of-dwcmshc-prevent-illegal-clock-reduction-in-hs200-hs400-mode.patch +iommu-io-pgtable-arm-fix-size_t-signedness-bug-in-unmap-path.patch +drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch +wifi-ath10k-fix-dma_free_coherent-pointer.patch +wifi-ath12k-fix-dma_free_coherent-pointer.patch +wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch +wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch +arm64-fpsimd-ptrace-fix-sve-writes-on-sme-systems.patch +arm64-fpsimd-signal-allocate-ssve-storage-when-restoring-za.patch 
+arm64-fpsimd-signal-fix-restoration-of-sve-context.patch +arm64-set-__nocfi-on-swsusp_arch_resume.patch +ksmbd-smbd-fix-dma_unmap_sg-nents.patch +octeontx2-fix-otx2_dma_map_page-error-return-code.patch +slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch +slimbus-core-fix-device-reference-leak-on-report-present.patch +tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch +intel_th-fix-device-leak-on-output-open.patch +mei-trace-treat-reg-parameter-as-string.patch +s390-ap-fix-wrong-apqn-fill-calculation.patch +s390-boot-vmlinux.lds.s-ensure-bzimage-ends-with-secureboot-trailer.patch +uacce-fix-cdev-handling-in-the-cleanup-path.patch +uacce-fix-isolate-sysfs-check-condition.patch +uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch +uacce-ensure-safe-queue-release-with-state-management.patch +netrom-fix-double-free-in-nr_route_frame.patch +platform-x86-hp-bioscfg-fix-automatic-module-loading.patch +pmdomain-imx8m-blk-ctrl-remove-separate-rst-and-clk-mask-for-8mq-vpu.patch +pmdomain-rockchip-fix-init-genpd-as-genpd_state_on-before-regulator-ready.patch +rust-io-always-inline-functions-using-build_assert-with-arguments.patch +rust-irq-always-inline-functions-using-build_assert-with-arguments.patch +rxrpc-fix-data-race-warning-and-potential-load-store-tearing.patch +perf-x86-intel-do-not-enable-bts-for-guests.patch +irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch +net-fec-account-for-vlan-header-in-frame-length-calculations.patch +net-sfp-add-potron-quirk-to-the-h-com-spp425h-gab4-sfp-stick.patch +net-txgbe-remove-the-redundant-data-return-in-sw-fw-mailbox.patch +can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch +can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch +can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch +can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch +can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch 
+drm-amdgpu-remove-frame-cntl-for-gfx-v12.patch +drm-bridge-synopsys-dw-dp-fix-error-paths-of-dw_dp_bind.patch +drm-xe-adjust-page-count-tracepoints-in-shrinker.patch +drm-xe-fix-wq_mem_reclaim-passed-as-max_active-to-alloc_workqueue.patch +gpio-cdev-correct-return-code-on-memory-allocation-failure.patch +gpio-cdev-fix-resource-leaks-on-errors-in-lineinfo_changed_notify.patch +gpio-cdev-fix-resource-leaks-on-errors-in-gpiolib_cdev_register.patch diff --git a/queue-6.18/slimbus-core-fix-device-reference-leak-on-report-present.patch b/queue-6.18/slimbus-core-fix-device-reference-leak-on-report-present.patch new file mode 100644 index 0000000000..6bf09a0831 --- /dev/null +++ b/queue-6.18/slimbus-core-fix-device-reference-leak-on-report-present.patch 
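Review bot: the two slimbus entries must keep their relative order: `slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch` (upstream `Link: ...5022-3`) is listed before `slimbus-core-fix-device-reference-leak-on-report-present.patch` (`...5022-4`), and the second patch's hunk in `slim_device_report_present()` inserts `put_device()` directly above the `out_put_rpm:` label that only exists after the first patch renames `slimbus_not_active:`. Adding a comment in the series file is not customary, but the ordering constraint is worth a sentence in the queue commit message so a later reshuffle does not break quilt application.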
@@ -0,0 +1,46 @@ +From 9391380eb91ea5ac792aae9273535c8da5b9aa01 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 26 Nov 2025 15:53:26 +0100 +Subject: slimbus: core: fix device reference leak on report present + +From: Johan Hovold + +commit 9391380eb91ea5ac792aae9273535c8da5b9aa01 upstream. + +Slimbus devices can be allocated dynamically upon reception of +report-present messages. + +Make sure to drop the reference taken when looking up already registered +devices. + +Note that this requires taking an extra reference in case the device has +not yet been registered and has to be allocated. + +Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support") +Cc: stable@vger.kernel.org # 4.16 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251126145329.5022-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -379,6 +379,8 @@ struct slim_device *slim_get_device(stru + sbdev = slim_alloc_device(ctrl, e_addr, NULL); + if (!sbdev) + return ERR_PTR(-ENOMEM); ++ ++ get_device(&sbdev->dev); + } + + return sbdev; +@@ -505,6 +507,7 @@ int slim_device_report_present(struct sl + ret = slim_device_alloc_laddr(sbdev, true); + } + ++ put_device(&sbdev->dev); + out_put_rpm: + pm_runtime_mark_last_busy(ctrl->dev); + pm_runtime_put_autosuspend(ctrl->dev); diff --git a/queue-6.18/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch b/queue-6.18/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch new file mode 100644 index 0000000000..22820a414d --- /dev/null +++ b/queue-6.18/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch 
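Review bot: with the added `get_device(&sbdev->dev)` in `slim_get_device()`, the function now returns a device holding an extra reference on both the lookup and the freshly allocated path, so every caller is responsible for a matching `put_device()`; this hunk only shows `slim_device_report_present()` dropping it, so confirm any other callers of `slim_get_device()` were updated in the same fix or the leak just moves. The `put_device()` is placed above the `out_put_rpm:` label, which is correct for the two `goto out_put_rpm` paths visible in the sibling patch (controller not active, `IS_ERR(sbdev)`), since neither holds a device reference; the kernel-doc of `slim_get_device()` should state that the returned device must be released with `put_device()`.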
@@ -0,0 +1,55 @@ +From 0eb4ff6596114aabba1070a66afa2c2f5593739f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 26 Nov 2025 15:53:25 +0100 +Subject: slimbus: core: fix runtime PM imbalance on report present + +From: Johan Hovold + +commit 0eb4ff6596114aabba1070a66afa2c2f5593739f upstream. + +Make sure to balance the runtime PM usage count in case slimbus device +or address allocation fails on report present, which would otherwise +prevent the controller from suspending. + +Fixes: 4b14e62ad3c9 ("slimbus: Add support for 'clock-pause' feature") +Cc: stable@vger.kernel.org # 4.16 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251126145329.5022-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/core.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -489,21 +489,23 @@ int slim_device_report_present(struct sl + if (ctrl->sched.clk_state != SLIM_CLK_ACTIVE) { + dev_err(ctrl->dev, "slim ctrl not active,state:%d, ret:%d\n", + ctrl->sched.clk_state, ret); +- goto slimbus_not_active; ++ goto out_put_rpm; + } + + sbdev = slim_get_device(ctrl, e_addr); +- if (IS_ERR(sbdev)) +- return -ENODEV; ++ if (IS_ERR(sbdev)) { ++ ret = -ENODEV; ++ goto out_put_rpm; ++ } + + if (sbdev->is_laddr_valid) { + *laddr = sbdev->laddr; +- return 0; ++ ret = 0; ++ } else { ++ ret = slim_device_alloc_laddr(sbdev, true); + } + +- ret = slim_device_alloc_laddr(sbdev, true); +- +-slimbus_not_active: ++out_put_rpm: + pm_runtime_mark_last_busy(ctrl->dev); + pm_runtime_put_autosuspend(ctrl->dev); + return ret; diff --git a/queue-6.18/tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch b/queue-6.18/tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch new file mode 100644 index 0000000000..2dd171da08 --- /dev/null +++ b/queue-6.18/tracing-fix-crash-on-synthetic-stacktrace-field-usage.patch 
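Review bot: in the first hunk the `slim ctrl not active` branch now does `goto out_put_rpm` and returns `ret`, but the visible context only shows `ret` being printed in the `dev_err()`, not assigned an error; if `ret` still holds the non-negative result of the earlier runtime-PM get, `slim_device_report_present()` returns success without filling `*laddr` on this path. Set `ret` to an explicit error (for example `-ENODEV`, as the `IS_ERR(sbdev)` branch now does) before the `goto`, or show in the commit message why `ret` is already negative there. Minor: the message `"slim ctrl not active,state:%d, ret:%d\n"` is missing a space after the comma.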
@@ -0,0 +1,160 @@ +From 90f9f5d64cae4e72defd96a2a22760173cb3c9ec Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 22 Jan 2026 19:48:24 -0500 +Subject: tracing: Fix crash on synthetic stacktrace field usage + +From: Steven Rostedt + +commit 90f9f5d64cae4e72defd96a2a22760173cb3c9ec upstream. + +When creating a synthetic event based on an existing synthetic event that +had a stacktrace field and the new synthetic event used that field a +kernel crash occurred: + + ~# cd /sys/kernel/tracing + ~# echo 's:stack unsigned long stack[];' > dynamic_events + ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger + ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger + +The above creates a synthetic event that takes a stacktrace when a task +schedules out in a non-running state and passes that stacktrace to the +sched_switch event when that task schedules back in. It triggers the +"stack" synthetic event that has a stacktrace as its field (called "stack"). + + ~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events + ~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger + ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger + +The above makes another synthetic event called "syscall_stack" that +attaches the first synthetic event (stack) to the sys_exit trace event and +records the stacktrace from the stack event with the id of the system call +that is exiting. + +When enabling this event (or using it in a historgram): + + ~# echo 1 > events/synthetic/syscall_stack/enable + +Produces a kernel crash! 
+ + BUG: unable to handle page fault for address: 0000000000400010 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP PTI + CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 + RIP: 0010:trace_event_raw_event_synth+0x90/0x380 + Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f + RSP: 0018:ffffd2670388f958 EFLAGS: 00010202 + RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0 + RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50 + R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010 + R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90 + FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0 + Call Trace: + + ? __tracing_map_insert+0x208/0x3a0 + action_trace+0x67/0x70 + event_hist_trigger+0x633/0x6d0 + event_triggers_call+0x82/0x130 + trace_event_buffer_commit+0x19d/0x250 + trace_event_raw_event_sys_exit+0x62/0xb0 + syscall_exit_work+0x9d/0x140 + do_syscall_64+0x20a/0x2f0 + ? trace_event_raw_event_sched_switch+0x12b/0x170 + ? save_fpregs_to_fpstate+0x3e/0x90 + ? _raw_spin_unlock+0xe/0x30 + ? finish_task_switch.isra.0+0x97/0x2c0 + ? __rseq_handle_notify_resume+0xad/0x4c0 + ? __schedule+0x4b8/0xd00 + ? restore_fpregs_from_fpstate+0x3c/0x90 + ? switch_fpu_return+0x5b/0xe0 + ? do_syscall_64+0x1ef/0x2f0 + ? do_fault+0x2e9/0x540 + ? __handle_mm_fault+0x7d1/0xf70 + ? count_memcg_events+0x167/0x1d0 + ? handle_mm_fault+0x1d7/0x2e0 + ? 
do_user_addr_fault+0x2c3/0x7f0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The reason is that the stacktrace field is not labeled as such, and is +treated as a normal field and not as a dynamic event that it is. + +In trace_event_raw_event_synth() the event is field is still treated as a +dynamic array, but the retrieval of the data is considered a normal field, +and the reference is just the meta data: + +// Meta data is retrieved instead of a dynamic array + str_val = (char *)(long)var_ref_vals[val_idx]; + +// Then when it tries to process it: + len = *((unsigned long *)str_val) + 1; + +It triggers a kernel page fault. + +To fix this, first when defining the fields of the first synthetic event, +set the filter type to FILTER_STACKTRACE. This is used later by the second +synthetic event to know that this field is a stacktrace. When creating +the field of the new synthetic event, have it use this FILTER_STACKTRACE +to know to create a stacktrace field to copy the stacktrace into. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Tom Zanussi +Link: https://patch.msgid.link/20260122194824.6905a38e@gandalf.local.home +Fixes: 00cf3d672a9d ("tracing: Allow synthetic events to pass around stacktraces") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_hist.c | 9 +++++++++ + kernel/trace/trace_events_synth.c | 8 +++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -2057,6 +2057,15 @@ static struct hist_field *create_hist_fi + hist_field->fn_num = HIST_FIELD_FN_RELDYNSTRING; + else + hist_field->fn_num = HIST_FIELD_FN_PSTRING; ++ } else if (field->filter_type == FILTER_STACKTRACE) { ++ flags |= HIST_FIELD_FL_STACKTRACE; ++ ++ hist_field->size = MAX_FILTER_STR_VAL; ++ hist_field->type = kstrdup_const(field->type, GFP_KERNEL); ++ if (!hist_field->type) ++ goto free; ++ ++ hist_field->fn_num = 
HIST_FIELD_FN_STACK; + } else { + hist_field->size = field->size; + hist_field->is_signed = field->is_signed; +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -130,7 +130,9 @@ static int synth_event_define_fields(str + struct synth_event *event = call->data; + unsigned int i, size, n_u64; + char *name, *type; ++ int filter_type; + bool is_signed; ++ bool is_stack; + int ret = 0; + + for (i = 0, n_u64 = 0; i < event->n_fields; i++) { +@@ -138,8 +140,12 @@ static int synth_event_define_fields(str + is_signed = event->fields[i]->is_signed; + type = event->fields[i]->type; + name = event->fields[i]->name; ++ is_stack = event->fields[i]->is_stack; ++ ++ filter_type = is_stack ? FILTER_STACKTRACE : FILTER_OTHER; ++ + ret = trace_define_field(call, type, name, offset, size, +- is_signed, FILTER_OTHER); ++ is_signed, filter_type); + if (ret) + break; + diff --git a/queue-6.18/uacce-ensure-safe-queue-release-with-state-management.patch b/queue-6.18/uacce-ensure-safe-queue-release-with-state-management.patch new file mode 100644 index 0000000000..88778cfe00 --- /dev/null +++ b/queue-6.18/uacce-ensure-safe-queue-release-with-state-management.patch 
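Review bot: the new `else if (field->filter_type == FILTER_STACKTRACE)` branch in `create_hist_field()` sets the local `flags |= HIST_FIELD_FL_STACKTRACE` but the hunk does not show `flags` being written back to `hist_field->flags`; confirm the assignment happens later in the function for this branch, since the crash described in the commit message comes precisely from a stacktrace field being treated as an ordinary one. The commit message contains a complete, deterministic reproducer (the `dynamic_events` and `trigger` writes); turning it into an ftrace selftest under `tools/testing/selftests/ftrace` would give this fix regression coverage, which a synthetic-event-on-synthetic-event case otherwise lacks. In trace_events_synth.c, a `trace_define_field()` failure breaks the loop as before, so the new `filter_type` selection does not change error handling.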
@@ -0,0 +1,89 @@ +From 26c08dabe5475d99a13f353d8dd70e518de45663 Mon Sep 17 00:00:00 2001 +From: Chenghai Huang +Date: Tue, 2 Dec 2025 14:12:56 +0800 +Subject: uacce: ensure safe queue release with state management + +From: Chenghai Huang + +commit 26c08dabe5475d99a13f353d8dd70e518de45663 upstream. + +Directly calling `put_queue` carries risks since it cannot +guarantee that resources of `uacce_queue` have been fully released +beforehand. So adding a `stop_queue` operation for the +UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to +the final resource release ensures safety. + +Queue states are defined as follows: +- UACCE_Q_ZOMBIE: Initial state +- UACCE_Q_INIT: After opening `uacce` +- UACCE_Q_STARTED: After `start` is issued via `ioctl` + +When executing `poweroff -f` in virt while accelerator are still +working, `uacce_fops_release` and `uacce_remove` may execute +concurrently. This can cause `uacce_put_queue` within +`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add +state checks to prevent accessing freed pointers. 
+ +Fixes: 015d239ac014 ("uacce: add uacce driver") +Cc: stable@vger.kernel.org +Signed-off-by: Chenghai Huang +Signed-off-by: Yang Shen +Acked-by: Zhangfei Gao +Link: https://patch.msgid.link/20251202061256.4158641-5-huangchenghai2@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/uacce/uacce.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/misc/uacce/uacce.c ++++ b/drivers/misc/uacce/uacce.c +@@ -40,20 +40,34 @@ static int uacce_start_queue(struct uacc + return 0; + } + +-static int uacce_put_queue(struct uacce_queue *q) ++static int uacce_stop_queue(struct uacce_queue *q) + { + struct uacce_device *uacce = q->uacce; + +- if ((q->state == UACCE_Q_STARTED) && uacce->ops->stop_queue) ++ if (q->state != UACCE_Q_STARTED) ++ return 0; ++ ++ if (uacce->ops->stop_queue) + uacce->ops->stop_queue(q); + +- if ((q->state == UACCE_Q_INIT || q->state == UACCE_Q_STARTED) && +- uacce->ops->put_queue) ++ q->state = UACCE_Q_INIT; ++ ++ return 0; ++} ++ ++static void uacce_put_queue(struct uacce_queue *q) ++{ ++ struct uacce_device *uacce = q->uacce; ++ ++ uacce_stop_queue(q); ++ ++ if (q->state != UACCE_Q_INIT) ++ return; ++ ++ if (uacce->ops->put_queue) + uacce->ops->put_queue(q); + + q->state = UACCE_Q_ZOMBIE; +- +- return 0; + } + + static long uacce_fops_unl_ioctl(struct file *filep, +@@ -80,7 +94,7 @@ static long uacce_fops_unl_ioctl(struct + ret = uacce_start_queue(q); + break; + case UACCE_CMD_PUT_Q: +- ret = uacce_put_queue(q); ++ ret = uacce_stop_queue(q); + break; + default: + if (uacce->ops->ioctl) diff --git a/queue-6.18/uacce-fix-cdev-handling-in-the-cleanup-path.patch b/queue-6.18/uacce-fix-cdev-handling-in-the-cleanup-path.patch new file mode 100644 index 0000000000..8052232731 --- /dev/null +++ b/queue-6.18/uacce-fix-cdev-handling-in-the-cleanup-path.patch 
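Review bot: the first hunk still dereferences `uacce->ops->stop_queue` and `uacce->ops->put_queue` unguarded inside uacce_stop_queue() and uacce_put_queue(), while the commit message describes a race in which `ops` is NULL because uacce_remove() runs concurrently with uacce_fops_release(); the new `q->state` checks only close that window if the state transitions here and in uacce_remove() happen under the same lock, which is not visible in this diff, so name that lock in the message or in a comment above the state checks. Also, uacce_stop_queue() can only ever return 0, so either make it `void` like the new uacce_put_queue() or propagate a status from the driver's `stop_queue` callback if it has one.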
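Review bot: the UACCE_CMD_PUT_Q hunk changes user-visible semantics, since the ioctl now runs uacce_stop_queue() and defers the driver's `put_queue` to the final release instead of executing it immediately; that deserves a sentence in the ioctl's documentation, and the state list in the commit message could say explicitly that PUT_Q now moves a started queue back to UACCE_Q_INIT rather than UACCE_Q_ZOMBIE.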
@@ -0,0 +1,50 @@ +From a3bece3678f6c88db1f44c602b2a63e84b4040ac Mon Sep 17 00:00:00 2001 +From: Wenkai Lin +Date: Tue, 2 Dec 2025 14:12:53 +0800 +Subject: uacce: fix cdev handling in the cleanup path + +From: Wenkai Lin + +commit a3bece3678f6c88db1f44c602b2a63e84b4040ac upstream. + +When cdev_device_add fails, it internally releases the cdev memory, +and if cdev_device_del is then executed, it will cause a hang error. +To fix it, we check the return value of cdev_device_add() and clear +uacce->cdev to avoid calling cdev_device_del in the uacce_remove. + +Fixes: 015d239ac014 ("uacce: add uacce driver") +Cc: stable@vger.kernel.org +Signed-off-by: Wenkai Lin +Signed-off-by: Chenghai Huang +Acked-by: Zhangfei Gao +Link: https://patch.msgid.link/20251202061256.4158641-2-huangchenghai2@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/uacce/uacce.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/misc/uacce/uacce.c ++++ b/drivers/misc/uacce/uacce.c +@@ -519,6 +519,8 @@ EXPORT_SYMBOL_GPL(uacce_alloc); + */ + int uacce_register(struct uacce_device *uacce) + { ++ int ret; ++ + if (!uacce) + return -ENODEV; + +@@ -529,7 +531,11 @@ int uacce_register(struct uacce_device * + uacce->cdev->ops = &uacce_fops; + uacce->cdev->owner = THIS_MODULE; + +- return cdev_device_add(uacce->cdev, &uacce->dev); ++ ret = cdev_device_add(uacce->cdev, &uacce->dev); ++ if (ret) ++ uacce->cdev = NULL; ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(uacce_register); + diff --git a/queue-6.18/uacce-fix-isolate-sysfs-check-condition.patch b/queue-6.18/uacce-fix-isolate-sysfs-check-condition.patch new file mode 100644 index 0000000000..164be43a38 --- /dev/null +++ b/queue-6.18/uacce-fix-isolate-sysfs-check-condition.patch 
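Review bot: in the second hunk, `uacce->cdev = NULL` is cleared on every non-zero return from cdev_device_add(), which rests on the commit message's claim that the failure path always releases the cdev; that is worth double-checking for each failure point inside cdev_device_add() rather than only the device_add() one, because if any path returns without dropping the cdev's reference, clearing the pointer here turns a crash into a leak. A one-line comment above the assignment stating that cdev_device_add() owns the cdev on failure would document the intent.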
@@ -0,0 +1,54 @@ +From 98eec349259b1fd876f350b1c600403bcef8f85d Mon Sep 17 00:00:00 2001 +From: Chenghai Huang +Date: Tue, 2 Dec 2025 14:12:54 +0800 +Subject: uacce: fix isolate sysfs check condition + +From: Chenghai Huang + +commit 98eec349259b1fd876f350b1c600403bcef8f85d upstream. + +uacce supports the device isolation feature. If the driver +implements the isolate_err_threshold_read and +isolate_err_threshold_write callback functions, uacce will create +sysfs files now. Users can read and configure the isolation policy +through sysfs. Currently, sysfs files are created as long as either +isolate_err_threshold_read or isolate_err_threshold_write callback +functions are present. + +However, accessing a non-existent callback function may cause the +system to crash. Therefore, intercept the creation of sysfs if +neither read nor write exists; create sysfs if either is supported, +but intercept unsupported operations at the call site. + +Fixes: e3e289fbc0b5 ("uacce: supports device isolation feature") +Cc: stable@vger.kernel.org +Signed-off-by: Chenghai Huang +Acked-by: Zhangfei Gao +Link: https://patch.msgid.link/20251202061256.4158641-3-huangchenghai2@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/uacce/uacce.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/misc/uacce/uacce.c ++++ b/drivers/misc/uacce/uacce.c +@@ -382,6 +382,9 @@ static ssize_t isolate_strategy_show(str + struct uacce_device *uacce = to_uacce_device(dev); + u32 val; + ++ if (!uacce->ops->isolate_err_threshold_read) ++ return -ENOENT; ++ + val = uacce->ops->isolate_err_threshold_read(uacce); + + return sysfs_emit(buf, "%u\n", val); +@@ -394,6 +397,9 @@ static ssize_t isolate_strategy_store(st + unsigned long val; + int ret; + ++ if (!uacce->ops->isolate_err_threshold_write) ++ return -ENOENT; ++ + if (kstrtoul(buf, 0, &val) < 0) + return -EINVAL; + 
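Review bot: both hunks return -ENOENT from isolate_strategy_show() and isolate_strategy_store() when the matching callback is absent, but the commit message also says sysfs creation is intercepted when neither callback exists, and that part is not in this diff; if it lives in another change, the message should say so, and if the attribute is still created unconditionally, an is_visible callback in the attribute group that masks the mode bits (read-only or write-only) would be cleaner than a file that exists yet fails with -ENOENT. The check in isolate_strategy_store() is correctly placed before kstrtoul(), so no input is parsed for an unsupported operation.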
diff --git a/queue-6.18/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch b/queue-6.18/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch new file mode 100644 index 0000000000..d989171f52 --- /dev/null +++ b/queue-6.18/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch 
@@ -0,0 +1,52 @@ +From 02695347be532b628f22488300d40c4eba48b9b7 Mon Sep 17 00:00:00 2001 +From: Yang Shen +Date: Tue, 2 Dec 2025 14:12:55 +0800 +Subject: uacce: implement mremap in uacce_vm_ops to return -EPERM + +From: Yang Shen + +commit 02695347be532b628f22488300d40c4eba48b9b7 upstream. + +The current uacce_vm_ops does not support the mremap operation of +vm_operations_struct. Implement .mremap to return -EPERM to remind +users. + +The reason we need to explicitly disable mremap is that when the +driver does not implement .mremap, it uses the default mremap +method. This could lead to a risk scenario: + +An application might first mmap address p1, then mremap to p2, +followed by munmap(p1), and finally munmap(p2). Since the default +mremap copies the original vma's vm_private_data (i.e., q) to the +new vma, both munmap operations would trigger vma_close, causing +q->qfr to be freed twice(qfr will be set to null here, so repeated +release is ok). + +Fixes: 015d239ac014 ("uacce: add uacce driver") +Cc: stable@vger.kernel.org +Signed-off-by: Yang Shen +Signed-off-by: Chenghai Huang +Acked-by: Zhangfei Gao +Link: https://patch.msgid.link/20251202061256.4158641-4-huangchenghai2@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/uacce/uacce.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/misc/uacce/uacce.c ++++ b/drivers/misc/uacce/uacce.c +@@ -214,8 +214,14 @@ static void uacce_vma_close(struct vm_ar + } + } + ++static int uacce_vma_mremap(struct vm_area_struct *area) ++{ ++ return -EPERM; ++} ++ + static const struct vm_operations_struct uacce_vm_ops = { + .close = uacce_vma_close, ++ .mremap = uacce_vma_mremap, + }; + + static int uacce_fops_mmap(struct file *filep, struct vm_area_struct *vma) diff --git a/queue-6.18/wifi-ath10k-fix-dma_free_coherent-pointer.patch b/queue-6.18/wifi-ath10k-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..d04d2af716 --- /dev/null 
+++ b/queue-6.18/wifi-ath10k-fix-dma_free_coherent-pointer.patch 
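Review bot: uacce_vma_mremap() in the uacce hunk carries no comment, so nothing in the code says why mremap is refused; the reason (the default mremap copies vm_private_data to the new vma, so both unmaps call uacce_vma_close() on the same queue) lives only in the commit message and should be a brief comment above the function. The commit message is also internally inconsistent, first saying `q->qfr` is freed twice and then that the repeated release is fine because qfr is set to NULL, so it should state which of the two actually motivates the change.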
@@ -0,0 +1,70 @@ +From 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Mon, 5 Jan 2026 22:04:38 +0100 +Subject: wifi: ath10k: fix dma_free_coherent() pointer + +From: Thomas Fourier + +commit 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f upstream. + +dma_alloc_coherent() allocates a DMA mapped buffer and stores the +addresses in XXX_unaligned fields. Those should be reused when freeing +the buffer rather than the aligned addresses. + +Fixes: 2a1e1ad3fd37 ("ath10k: Add support for 64 bit ce descriptor") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20260105210439.20131-2-fourier.thomas@gmail.com +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/ce.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/ce.c ++++ b/drivers/net/wireless/ath/ath10k/ce.c +@@ -1727,8 +1727,8 @@ static void _ath10k_ce_free_pipe(struct + (ce_state->src_ring->nentries * + sizeof(struct ce_desc) + + CE_DESC_RING_ALIGN), +- ce_state->src_ring->base_addr_owner_space, +- ce_state->src_ring->base_addr_ce_space); ++ ce_state->src_ring->base_addr_owner_space_unaligned, ++ ce_state->src_ring->base_addr_ce_space_unaligned); + kfree(ce_state->src_ring); + } + +@@ -1737,8 +1737,8 @@ static void _ath10k_ce_free_pipe(struct + (ce_state->dest_ring->nentries * + sizeof(struct ce_desc) + + CE_DESC_RING_ALIGN), +- ce_state->dest_ring->base_addr_owner_space, +- ce_state->dest_ring->base_addr_ce_space); ++ ce_state->dest_ring->base_addr_owner_space_unaligned, ++ ce_state->dest_ring->base_addr_ce_space_unaligned); + kfree(ce_state->dest_ring); + } + +@@ -1758,8 +1758,8 @@ static void _ath10k_ce_free_pipe_64(stru + (ce_state->src_ring->nentries * + sizeof(struct ce_desc_64) + + CE_DESC_RING_ALIGN), +- ce_state->src_ring->base_addr_owner_space, +- ce_state->src_ring->base_addr_ce_space); 
++ ce_state->src_ring->base_addr_owner_space_unaligned, ++ ce_state->src_ring->base_addr_ce_space_unaligned); + kfree(ce_state->src_ring); + } + +@@ -1768,8 +1768,8 @@ static void _ath10k_ce_free_pipe_64(stru + (ce_state->dest_ring->nentries * + sizeof(struct ce_desc_64) + + CE_DESC_RING_ALIGN), +- ce_state->dest_ring->base_addr_owner_space, +- ce_state->dest_ring->base_addr_ce_space); ++ ce_state->dest_ring->base_addr_owner_space_unaligned, ++ ce_state->dest_ring->base_addr_ce_space_unaligned); + kfree(ce_state->dest_ring); + } + diff --git a/queue-6.18/wifi-ath12k-fix-dma_free_coherent-pointer.patch b/queue-6.18/wifi-ath12k-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..d77834cf62 --- /dev/null +++ b/queue-6.18/wifi-ath12k-fix-dma_free_coherent-pointer.patch 
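Review bot: all four hunks now hand the `*_unaligned` pointer and handle to dma_free_coherent(), which is correct only if those fields hold exactly the pointer and dma_addr_t that dma_alloc_coherent() returned and the size expression (`nentries * sizeof(...) + CE_DESC_RING_ALIGN`) matches the original allocation; the diff shows the free side only, so cite the allocation site in the commit message. Since the same free sequence is repeated for the source and destination rings in both _ath10k_ce_free_pipe() and _ath10k_ce_free_pipe_64(), a small helper taking the ring and descriptor size would also keep the two variants from drifting apart again.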
@@ -0,0 +1,59 @@ +From bb97131fbf9b708dd9616ac2bdc793ad102b5c48 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Tue, 6 Jan 2026 09:49:04 +0100 +Subject: wifi: ath12k: fix dma_free_coherent() pointer + +From: Thomas Fourier + +commit bb97131fbf9b708dd9616ac2bdc793ad102b5c48 upstream. + +dma_alloc_coherent() allocates a DMA mapped buffer and stores the +addresses in XXX_unaligned fields. Those should be reused when freeing +the buffer rather than the aligned addresses. + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20260106084905.18622-2-fourier.thomas@gmail.com +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath12k/ce.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/ath12k/ce.c ++++ b/drivers/net/wireless/ath/ath12k/ce.c +@@ -984,8 +984,8 @@ void ath12k_ce_free_pipes(struct ath12k_ + dma_free_coherent(ab->dev, + pipe->src_ring->nentries * desc_sz + + CE_DESC_RING_ALIGN, +- pipe->src_ring->base_addr_owner_space, +- pipe->src_ring->base_addr_ce_space); ++ pipe->src_ring->base_addr_owner_space_unaligned, ++ pipe->src_ring->base_addr_ce_space_unaligned); + kfree(pipe->src_ring); + pipe->src_ring = NULL; + } +@@ -995,8 +995,8 @@ void ath12k_ce_free_pipes(struct ath12k_ + dma_free_coherent(ab->dev, + pipe->dest_ring->nentries * desc_sz + + CE_DESC_RING_ALIGN, +- pipe->dest_ring->base_addr_owner_space, +- pipe->dest_ring->base_addr_ce_space); ++ pipe->dest_ring->base_addr_owner_space_unaligned, ++ pipe->dest_ring->base_addr_ce_space_unaligned); + kfree(pipe->dest_ring); + pipe->dest_ring = NULL; + } +@@ -1007,8 +1007,8 @@ void ath12k_ce_free_pipes(struct ath12k_ + dma_free_coherent(ab->dev, + pipe->status_ring->nentries * desc_sz + + CE_DESC_RING_ALIGN, +- pipe->status_ring->base_addr_owner_space, +- 
pipe->status_ring->base_addr_ce_space); ++ pipe->status_ring->base_addr_owner_space_unaligned, ++ pipe->status_ring->base_addr_ce_space_unaligned); + kfree(pipe->status_ring); + pipe->status_ring = NULL; + } diff --git a/queue-6.18/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch b/queue-6.18/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch new file mode 100644 index 0000000000..53384aea0f --- /dev/null +++ b/queue-6.18/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch 
@@ -0,0 +1,46 @@ +From 2120f3a3738a65730c81bf10447b1ff776078915 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 8 Jan 2026 23:00:24 +0300 +Subject: wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() + +From: Dan Carpenter + +commit 2120f3a3738a65730c81bf10447b1ff776078915 upstream. + +The "i" iterator variable is used to count two different things but +unfortunately we can't store two different numbers in the same variable. +Use "i" for the outside loop and "j" for the inside loop. + +Cc: stable@vger.kernel.org +Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size") +Signed-off-by: Dan Carpenter +Reviewed-by: Jeff Chen +Link: https://patch.msgid.link/aWAM2MGUWRP0zWUd@stanley.mountain +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c +@@ -825,7 +825,7 @@ void mwifiex_update_rxreor_flags(struct + static void mwifiex_update_ampdu_rxwinsize(struct mwifiex_adapter *adapter, + bool coex_flag) + { +- u8 i; ++ u8 i, j; + u32 rx_win_size; + struct mwifiex_private *priv; + +@@ -863,8 +863,8 @@ static void mwifiex_update_ampdu_rxwinsi + if (rx_win_size != priv->add_ba_param.rx_win_size) { + if (!priv->media_connected) + continue; +- for (i = 0; i < MAX_NUM_TID; i++) +- mwifiex_11n_delba(priv, i); ++ for (j = 0; j < MAX_NUM_TID; j++) ++ mwifiex_11n_delba(priv, j); + } + } + } diff --git a/queue-6.18/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch b/queue-6.18/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch new file mode 100644 index 0000000000..adc064869e --- /dev/null +++ b/queue-6.18/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch 
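Review bot: the change to `u8 i, j;` keeps both counters as u8, so the inner `for (j = 0; j < MAX_NUM_TID; j++)` is only safe if MAX_NUM_TID is below 256; the value is not visible here, so either confirm it or declare `j` as `int`, the usual choice for a loop index, which avoids the question entirely. It would also help to state in the commit message what the clobbered `i` did at runtime (an outer loop that ends early or repeats an iteration), since the current text only says the variable was reused.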
@@ -0,0 +1,57 @@ +From 4f431d88ea8093afc7ba55edf4652978c5a68f33 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sat, 10 Jan 2026 00:56:29 +0100 +Subject: wifi: rsi: Fix memory corruption due to not set vif driver data size + +From: Marek Vasut + +commit 4f431d88ea8093afc7ba55edf4652978c5a68f33 upstream. + +The struct ieee80211_vif contains trailing space for vif driver data, +when struct ieee80211_vif is allocated, the total memory size that is +allocated is sizeof(struct ieee80211_vif) + size of vif driver data. +The size of vif driver data is set by each WiFi driver as needed. + +The RSI911x driver does not set vif driver data size, no trailing space +for vif driver data is therefore allocated past struct ieee80211_vif . +The RSI911x driver does however use the vif driver data to store its +vif driver data structure "struct vif_priv". An access to vif->drv_priv +leads to access out of struct ieee80211_vif bounds and corruption of +some memory. + +In case of the failure observed locally, rsi_mac80211_add_interface() +would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; +vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member +struct list_head new_flows . The flow = list_first_entry(head, struct +fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus +address, which when accessed causes a crash. + +The trigger is very simple, boot the machine with init=/bin/sh , mount +devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", +"ip link set wlan0 down" and the crash occurs. + +Fix this by setting the correct size of vif driver data, which is the +size of "struct vif_priv", so that memory is allocated and the driver +can store its driver data in it, instead of corrupting memory around +it. 
+ +Cc: stable@vger.kernel.org +Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") +Signed-off-by: Marek Vasut +Link: https://patch.msgid.link/20260109235817.150330-1-marex@nabladev.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c ++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c +@@ -2035,6 +2035,7 @@ int rsi_mac80211_attach(struct rsi_commo + + hw->queues = MAX_HW_QUEUES; + hw->extra_tx_headroom = RSI_NEEDED_HEADROOM; ++ hw->vif_data_size = sizeof(struct vif_priv); + + hw->max_rates = 1; + hw->max_rate_tries = MAX_RETRIES;
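Review bot: the single added line `hw->vif_data_size = sizeof(struct vif_priv);` fixes the vif case described in the commit message, but since the driver has made this assumption since it was added (Fixes: dad0d04fa7ba), it is worth checking whether any other drv_priv area is used the same way (for example sta->drv_priv, whose size is advertised separately through hw->sta_data_size) before this goes to stable. The commit message describes a crash observed on one allocator layout; noting whether the write was confirmed under KASAN would tell stable reviewers how reliably the corruption shows up elsewhere.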