From: Greg Kroah-Hartman Date: Mon, 12 Jan 2026 10:48:18 +0000 (+0100) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5183860e243027e8151541e04adc313ef9025884;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: atm-fix-dma_free_coherent-size.patch btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch counter-interrupt-cnt-drop-irqf_no_thread-flag.patch drm-pl111-fix-error-handling-in-pl111_amba_probe.patch gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch libceph-make-calc_target-set-t-paused-not-just-clear-it.patch libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch libceph-return-the-handler-error-from-mon_handle_auth_done.patch mei-me-add-nova-lake-point-s-did.patch net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch series wifi-avoid-kernel-infoleak-from-struct-iw_point.patch --- diff --git a/queue-6.1/atm-fix-dma_free_coherent-size.patch b/queue-6.1/atm-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..ca2baed6ff --- /dev/null +++ b/queue-6.1/atm-fix-dma_free_coherent-size.patch @@ -0,0 +1,34 @@ +From 4d984b0574ff708e66152763fbfdef24ea40933f Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 7 Jan 2026 10:01:36 +0100 +Subject: atm: Fix dma_free_coherent() size + +From: Thomas Fourier + +commit 4d984b0574ff708e66152763fbfdef24ea40933f upstream. + +The size of the buffer is not the same when alloc'd with +dma_alloc_coherent() in he_init_tpdrq() and freed. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/he.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/atm/he.c ++++ b/drivers/atm/he.c +@@ -1587,7 +1587,8 @@ he_stop(struct he_dev *he_dev) + he_dev->tbrq_base, he_dev->tbrq_phys); + + if (he_dev->tpdrq_base) +- dma_free_coherent(&he_dev->pci_dev->dev, CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq), ++ dma_free_coherent(&he_dev->pci_dev->dev, ++ CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq), + he_dev->tpdrq_base, he_dev->tpdrq_phys); + + dma_pool_destroy(he_dev->tpd_pool); diff --git a/queue-6.1/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch b/queue-6.1/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch new file mode 100644 index 0000000000..6b26a387ac --- /dev/null +++ b/queue-6.1/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch @@ -0,0 +1,174 @@ +From 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 11 Dec 2025 15:06:26 +0000 +Subject: btrfs: always detect conflicting inodes when logging inode refs + +From: Filipe Manana + +commit 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 upstream. + +After rename exchanging (either with the rename exchange operation or +regular renames in multiple non-atomic steps) two inodes and at least +one of them is a directory, we can end up with a log tree that contains +only of the inodes and after a power failure that can result in an attempt +to delete the other inode when it should not because it was not deleted +before the power failure. In some case that delete attempt fails when +the target inode is a directory that contains a subvolume inside it, since +the log replay code is not prepared to deal with directory entries that +point to root items (only inode items). + +1) We have directories "dir1" (inode A) and "dir2" (inode B) under the + same parent directory; + +2) We have a file (inode C) under directory "dir1" (inode A); + +3) We have a subvolume inside directory "dir2" (inode B); + +4) All these inodes were persisted in a past transaction and we are + currently at transaction N; + +5) We rename the file (inode C), so at btrfs_log_new_name() we update + inode C's last_unlink_trans to N; + +6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B), + so after the exchange "dir1" is inode B and "dir2" is inode A. + During the rename exchange we call btrfs_log_new_name() for inodes + A and B, but because they are directories, we don't update their + last_unlink_trans to N; + +7) An fsync against the file (inode C) is done, and because its inode + has a last_unlink_trans with a value of N we log its parent directory + (inode A) (through btrfs_log_all_parents(), called from + btrfs_log_inode_parent()). + +8) So we end up with inode B not logged, which now has the old name + of inode A. At copy_inode_items_to_log(), when logging inode A, we + did not check if we had any conflicting inode to log because inode + A has a generation lower than the current transaction (created in + a past transaction); + +9) After a power failure, when replaying the log tree, since we find that + inode A has a new name that conflicts with the name of inode B in the + fs tree, we attempt to delete inode B... this is wrong since that + directory was never deleted before the power failure, and because there + is a subvolume inside that directory, attempting to delete it will fail + since replay_dir_deletes() and btrfs_unlink_inode() are not prepared + to deal with dir items that point to roots instead of inodes. + + When that happens the mount fails and we get a stack trace like the + following: + + [87.2314] BTRFS info (device dm-0): start tree-log replay + [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259 + [87.2332] ------------[ cut here ]------------ + [87.2338] BTRFS: Transaction aborted (error -2) + [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs] + [87.2368] Modules linked in: btrfs loop dm_thin_pool (...) + [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full) + [87.2489] Tainted: [W]=WARN + [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs] + [87.2538] Code: c0 89 04 24 (...) + [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286 + [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000 + [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff + [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840 + [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0 + [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10 + [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000 + [87.2629] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [87.2637] CR2: 00007ffc9ec33b98 CR3: 000000011273e003 CR4: 0000000000370ef0 + [87.2648] Call Trace: + [87.2651] + [87.2654] btrfs_unlink_inode+0x15/0x40 [btrfs] + [87.2661] unlink_inode_for_log_replay+0x27/0xf0 [btrfs] + [87.2669] check_item_in_log+0x1ea/0x2c0 [btrfs] + [87.2676] replay_dir_deletes+0x16b/0x380 [btrfs] + [87.2684] fixup_inode_link_count+0x34b/0x370 [btrfs] + [87.2696] fixup_inode_link_counts+0x41/0x160 [btrfs] + [87.2703] btrfs_recover_log_trees+0x1ff/0x7c0 [btrfs] + [87.2711] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs] + [87.2719] open_ctree+0x10bb/0x15f0 [btrfs] + [87.2726] btrfs_get_tree.cold+0xb/0x16c [btrfs] + [87.2734] ? fscontext_read+0x15c/0x180 + [87.2740] ? rw_verify_area+0x50/0x180 + [87.2746] vfs_get_tree+0x25/0xd0 + [87.2750] vfs_cmd_create+0x59/0xe0 + [87.2755] __do_sys_fsconfig+0x4f6/0x6b0 + [87.2760] do_syscall_64+0x50/0x1220 + [87.2764] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [87.2770] RIP: 0033:0x7f7b9625f4aa + [87.2775] Code: 73 01 c3 48 (...) + [87.2803] RSP: 002b:00007ffc9ec35b08 EFLAGS: 00000246 ORIG_RAX: 00000000000001af + [87.2817] RAX: ffffffffffffffda RBX: 0000558bfa91ac20 RCX: 00007f7b9625f4aa + [87.2829] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003 + [87.2842] RBP: 0000558bfa91b120 R08: 0000000000000000 R09: 0000000000000000 + [87.2854] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 + [87.2864] R13: 00007f7b963f1580 R14: 00007f7b963f326c R15: 00007f7b963d8a23 + [87.2877] + [87.2882] ---[ end trace 0000000000000000 ]--- + [87.2891] BTRFS: error (device dm-0 state A) in __btrfs_unlink_inode:4345: errno=-2 No such entry + [87.2904] BTRFS: error (device dm-0 state EAO) in do_abort_log_replay:191: errno=-2 No such entry + [87.2915] BTRFS critical (device dm-0 state EAO): log tree (for root 5) leaf currently being processed (slot 7 key (258 12 257)): + [87.2929] BTRFS info (device dm-0 state EAO): leaf 30736384 gen 10 total ptrs 7 free space 15712 owner 18446744073709551610 + [87.2929] BTRFS info (device dm-0 state EAO): refs 3 lock_owner 0 current 638968 + [87.2929] item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 + [87.2929] inode generation 9 transid 10 size 0 nbytes 0 + [87.2929] block group 0 mode 40755 links 1 uid 0 gid 0 + [87.2929] rdev 0 sequence 7 flags 0x0 + [87.2929] atime 1765464494.678070921 + [87.2929] ctime 1765464494.686606513 + [87.2929] mtime 1765464494.686606513 + [87.2929] otime 1765464494.678070921 + [87.2929] item 1 key (257 INODE_REF 256) itemoff 16109 itemsize 14 + [87.2929] index 4 name_len 4 + [87.2929] item 2 key (257 DIR_LOG_INDEX 2) itemoff 16101 itemsize 8 + [87.2929] dir log end 2 + [87.2929] item 3 key (257 DIR_LOG_INDEX 3) itemoff 16093 itemsize 8 + [87.2929] dir log end 18446744073709551615 + [87.2930] item 4 key (257 DIR_INDEX 3) itemoff 16060 itemsize 33 + [87.2930] location key (258 1 0) type 1 + [87.2930] transid 10 data_len 0 name_len 3 + [87.2930] item 5 key (258 INODE_ITEM 0) itemoff 15900 itemsize 160 + [87.2930] inode generation 9 transid 10 size 0 nbytes 0 + [87.2930] block group 0 mode 100644 links 1 uid 0 gid 0 + [87.2930] rdev 0 sequence 2 flags 0x0 + [87.2930] atime 1765464494.678456467 + [87.2930] ctime 1765464494.686606513 + [87.2930] mtime 1765464494.678456467 + [87.2930] otime 1765464494.678456467 + [87.2930] item 6 key (258 INODE_REF 257) itemoff 15887 itemsize 13 + [87.2930] index 3 name_len 3 + [87.2930] BTRFS critical (device dm-0 state EAO): log replay failed in unlink_inode_for_log_replay:1045 for root 5, stage 3, with error -2: failed to unlink inode 256 parent dir 259 name subvol root 5 + [87.2963] BTRFS: error (device dm-0 state EAO) in btrfs_recover_log_trees:7743: errno=-2 No such entry + [87.2981] BTRFS: error (device dm-0 state EAO) in btrfs_replay_log:2083: errno=-2 No such entry (Failed to recover log tr + +So fix this by changing copy_inode_items_to_log() to always detect if +there are conflicting inodes for the ref/extref of the inode being logged +even if the inode was created in a past transaction. + +A test case for fstests will follow soon. + +CC: stable@vger.kernel.org # 6.1+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -5940,10 +5940,8 @@ again: + * and no keys greater than that, so bail out. + */ + break; +- } else if ((min_key->type == BTRFS_INODE_REF_KEY || +- min_key->type == BTRFS_INODE_EXTREF_KEY) && +- (inode->generation == trans->transid || +- ctx->logging_conflict_inodes)) { ++ } else if (min_key->type == BTRFS_INODE_REF_KEY || ++ min_key->type == BTRFS_INODE_EXTREF_KEY) { + u64 other_ino = 0; + u64 other_parent = 0; + diff --git a/queue-6.1/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch b/queue-6.1/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch new file mode 100644 index 0000000000..6f149c2951 --- /dev/null +++ b/queue-6.1/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch @@ -0,0 +1,77 @@ +From 23f9485510c338476b9735d516c1d4aacb810d46 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Tue, 18 Nov 2025 09:35:48 +0100 +Subject: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag + +From: Alexander Sverdlin + +commit 23f9485510c338476b9735d516c1d4aacb810d46 upstream. + +An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as +CONFIG_PROVE_RAW_LOCK_NESTING warns: +============================= +[ BUG: Invalid wait context ] +6.18.0-rc1+git... #1 +----------------------------- +some-user-space-process/1251 is trying to lock: +(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter] +other info that might help us debug this: +context-{2:2} +no locks held by some-user-space-process/.... +stack backtrace: +CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT +Call trace: + show_stack (C) + dump_stack_lvl + dump_stack + __lock_acquire + lock_acquire + _raw_spin_lock_irqsave + counter_push_event [counter] + interrupt_cnt_isr [interrupt_cnt] + __handle_irq_event_percpu + handle_irq_event + handle_simple_irq + handle_irq_desc + generic_handle_domain_irq + gpio_irq_handler + handle_irq_desc + generic_handle_domain_irq + gic_handle_irq + call_on_irq_stack + do_interrupt_handler + el0_interrupt + __el0_irq_handler_common + el0t_64_irq_handler + el0t_64_irq + +... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an +alternative to switching to raw_spinlock_t, because the latter would limit +all potential nested locks to raw_spinlock_t only. + +Cc: Sebastian Andrzej Siewior +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20251117151314.xwLAZrWY@linutronix.de/ +Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter") +Signed-off-by: Alexander Sverdlin +Reviewed-by: Sebastian Andrzej Siewior +Reviewed-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20251118083603.778626-1-alexander.sverdlin@siemens.com +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + drivers/counter/interrupt-cnt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/counter/interrupt-cnt.c ++++ b/drivers/counter/interrupt-cnt.c +@@ -229,8 +229,7 @@ static int interrupt_cnt_probe(struct pl + + irq_set_status_flags(priv->irq, IRQ_NOAUTOEN); + ret = devm_request_irq(dev, priv->irq, interrupt_cnt_isr, +- IRQF_TRIGGER_RISING | IRQF_NO_THREAD, +- dev_name(dev), counter); ++ IRQF_TRIGGER_RISING, dev_name(dev), counter); + if (ret) + return ret; + diff --git a/queue-6.1/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch b/queue-6.1/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch new file mode 100644 index 0000000000..ee0c97da32 --- /dev/null +++ b/queue-6.1/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch @@ -0,0 +1,37 @@ +From 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 11 Dec 2025 16:33:44 +0400 +Subject: drm/pl111: Fix error handling in pl111_amba_probe + +From: Miaoqian Lin + +commit 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 upstream. + +Jump to the existing dev_put label when devm_request_irq() fails +so drm_dev_put() and of_reserved_mem_device_release() run +instead of returning early and leaking resources. + +Found via static analysis and code review. + +Fixes: bed41005e617 ("drm/pl111: Initial drm/kms driver for pl111") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20251211123345.2392065-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/pl111/pl111_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/pl111/pl111_drv.c ++++ b/drivers/gpu/drm/pl111/pl111_drv.c +@@ -297,7 +297,7 @@ static int pl111_amba_probe(struct amba_ + variant->name, priv); + if (ret != 0) { + dev_err(dev, "%s failed irq %d\n", __func__, ret); +- return ret; ++ goto dev_put; + } + + ret = pl111_modeset_init(drm); diff --git a/queue-6.1/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch b/queue-6.1/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch new file mode 100644 index 0000000000..001c57ab70 --- /dev/null +++ b/queue-6.1/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch @@ -0,0 +1,98 @@ +From 20cf2aed89ac6d78a0122e31c875228e15247194 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Tue, 6 Jan 2026 10:00:11 +0100 +Subject: gpio: rockchip: mark the GPIO controller as sleeping + +From: Bartosz Golaszewski + +commit 20cf2aed89ac6d78a0122e31c875228e15247194 upstream. + +The GPIO controller is configured as non-sleeping but it uses generic +pinctrl helpers which use a mutex for synchronization. + +This can cause the following lockdep splat with shared GPIOs enabled on +boards which have multiple devices using the same GPIO: + +BUG: sleeping function called from invalid context at +kernel/locking/mutex.c:591 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 12, name: +kworker/u16:0 +preempt_count: 1, expected: 0 +RCU nest depth: 0, expected: 0 +6 locks held by kworker/u16:0/12: + #0: ffff0001f0018d48 ((wq_completion)events_unbound#2){+.+.}-{0:0}, +at: process_one_work+0x18c/0x604 + #1: ffff8000842dbdf0 (deferred_probe_work){+.+.}-{0:0}, at: +process_one_work+0x1b4/0x604 + #2: ffff0001f18498f8 (&dev->mutex){....}-{4:4}, at: +__device_attach+0x38/0x1b0 + #3: ffff0001f75f1e90 (&gdev->srcu){.+.?}-{0:0}, at: +gpiod_direction_output_raw_commit+0x0/0x360 + #4: ffff0001f46e3db8 (&shared_desc->spinlock){....}-{3:3}, at: +gpio_shared_proxy_direction_output+0xd0/0x144 [gpio_shared_proxy] + #5: ffff0001f180ee90 (&gdev->srcu){.+.?}-{0:0}, at: +gpiod_direction_output_raw_commit+0x0/0x360 +irq event stamp: 81450 +hardirqs last enabled at (81449): [] +_raw_spin_unlock_irqrestore+0x74/0x78 +hardirqs last disabled at (81450): [] +_raw_spin_lock_irqsave+0x84/0x88 +softirqs last enabled at (79616): [] +__alloc_skb+0x17c/0x1e8 +softirqs last disabled at (79614): [] +__alloc_skb+0x17c/0x1e8 +CPU: 2 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted +6.19.0-rc4-next-20260105+ #11975 PREEMPT +Hardware name: Hardkernel ODROID-M1 (DT) +Workqueue: events_unbound deferred_probe_work_func +Call trace: + show_stack+0x18/0x24 (C) + dump_stack_lvl+0x90/0xd0 + dump_stack+0x18/0x24 + __might_resched+0x144/0x248 + __might_sleep+0x48/0x98 + __mutex_lock+0x5c/0x894 + mutex_lock_nested+0x24/0x30 + pinctrl_get_device_gpio_range+0x44/0x128 + pinctrl_gpio_direction+0x3c/0xe0 + pinctrl_gpio_direction_output+0x14/0x20 + rockchip_gpio_direction_output+0xb8/0x19c + gpiochip_direction_output+0x38/0x94 + gpiod_direction_output_raw_commit+0x1d8/0x360 + gpiod_direction_output_nonotify+0x7c/0x230 + gpiod_direction_output+0x34/0xf8 + gpio_shared_proxy_direction_output+0xec/0x144 [gpio_shared_proxy] + gpiochip_direction_output+0x38/0x94 + gpiod_direction_output_raw_commit+0x1d8/0x360 + gpiod_direction_output_nonotify+0x7c/0x230 + gpiod_configure_flags+0xbc/0x480 + gpiod_find_and_request+0x1a0/0x574 + gpiod_get_index+0x58/0x84 + devm_gpiod_get_index+0x20/0xb4 + devm_gpiod_get_optional+0x18/0x30 + rockchip_pcie_probe+0x98/0x380 + platform_probe+0x5c/0xac + really_probe+0xbc/0x298 + +Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio") +Cc: stable@vger.kernel.org +Reported-by: Marek Szyprowski +Closes: https://lore.kernel.org/all/d035fc29-3b03-4cd6-b8ec-001f93540bc6@samsung.com/ +Acked-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20260106090011.21603-1-bartosz.golaszewski@oss.qualcomm.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-rockchip.c ++++ b/drivers/gpio/gpio-rockchip.c +@@ -584,6 +584,7 @@ static int rockchip_gpiolib_register(str + gc->ngpio = bank->nr_pins; + gc->label = bank->name; + gc->parent = bank->dev; ++ gc->can_sleep = true; + + ret = gpiochip_add_data(gc, bank); + if (ret) { diff --git a/queue-6.1/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch b/queue-6.1/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch new file mode 100644 index 0000000000..d76fb66710 --- /dev/null +++ b/queue-6.1/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch @@ -0,0 +1,46 @@ +From 74d74bb78aeccc9edc10db216d6be121cf7ec176 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 6 Jan 2026 21:20:23 -0800 +Subject: lib/crypto: aes: Fix missing MMU protection for AES S-box + +From: Eric Biggers + +commit 74d74bb78aeccc9edc10db216d6be121cf7ec176 upstream. + +__cacheline_aligned puts the data in the ".data..cacheline_aligned" +section, which isn't marked read-only i.e. it doesn't receive MMU +protection. Replace it with ____cacheline_aligned which does the right +thing and just aligns the data while keeping it in ".rodata". + +Fixes: b5e0b032b6c3 ("crypto: aes - add generic time invariant AES cipher") +Cc: stable@vger.kernel.org +Reported-by: Qingfang Deng +Closes: https://lore.kernel.org/r/20260105074712.498-1-dqfext@gmail.com/ +Acked-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20260107052023.174620-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + lib/crypto/aes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/lib/crypto/aes.c ++++ b/lib/crypto/aes.c +@@ -12,7 +12,7 @@ + * Emit the sbox as volatile const to prevent the compiler from doing + * constant folding on sbox references involving fixed indexes. + */ +-static volatile const u8 __cacheline_aligned aes_sbox[] = { ++static volatile const u8 ____cacheline_aligned aes_sbox[] = { + 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, + 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, + 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, +@@ -47,7 +47,7 @@ static volatile const u8 __cacheline_ali + 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16, + }; + +-static volatile const u8 __cacheline_aligned aes_inv_sbox[] = { ++static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = { + 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, + 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, + 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, diff --git a/queue-6.1/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch b/queue-6.1/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch new file mode 100644 index 0000000000..655deddf2a --- /dev/null +++ b/queue-6.1/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch @@ -0,0 +1,74 @@ +From c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 5 Jan 2026 19:23:19 +0100 +Subject: libceph: make calc_target() set t->paused, not just clear it + +From: Ilya Dryomov + +commit c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 upstream. + +Currently calc_target() clears t->paused if the request shouldn't be +paused anymore, but doesn't ever set t->paused even though it's able to +determine when the request should be paused. Setting t->paused is left +to __submit_request() which is fine for regular requests but doesn't +work for linger requests -- since __submit_request() doesn't operate +on linger requests, there is nowhere for lreq->t.paused to be set. +One consequence of this is that watches don't get reestablished on +paused -> unpaused transitions in cases where requests have been paused +long enough for the (paused) unwatch request to time out and for the +subsequent (re)watch request to enter the paused state. On top of the +watch not getting reestablished, rbd_reregister_watch() gets stuck with +rbd_dev->watch_mutex held: + + rbd_register_watch + __rbd_register_watch + ceph_osdc_watch + linger_reg_commit_wait + +It's waiting for lreq->reg_commit_wait to be completed, but for that to +happen the respective request needs to end up on need_resend_linger list +and be kicked when requests are unpaused. There is no chance for that +if the request in question is never marked paused in the first place. + +The fact that rbd_dev->watch_mutex remains taken out forever then +prevents the image from getting unmapped -- "rbd unmap" would inevitably +hang in D state on an attempt to grab the mutex. + +Cc: stable@vger.kernel.org +Reported-by: Raphael Zimmer +Signed-off-by: Ilya Dryomov +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osd_client.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -1529,6 +1529,7 @@ static enum calc_target_result calc_targ + struct ceph_pg_pool_info *pi; + struct ceph_pg pgid, last_pgid; + struct ceph_osds up, acting; ++ bool should_be_paused; + bool is_read = t->flags & CEPH_OSD_FLAG_READ; + bool is_write = t->flags & CEPH_OSD_FLAG_WRITE; + bool force_resend = false; +@@ -1597,10 +1598,16 @@ static enum calc_target_result calc_targ + &last_pgid)) + force_resend = true; + +- if (t->paused && !target_should_be_paused(osdc, t, pi)) { +- t->paused = false; ++ should_be_paused = target_should_be_paused(osdc, t, pi); ++ if (t->paused && !should_be_paused) { + unpaused = true; + } ++ if (t->paused != should_be_paused) { ++ dout("%s t %p paused %d -> %d\n", __func__, t, t->paused, ++ should_be_paused); ++ t->paused = should_be_paused; ++ } ++ + legacy_change = ceph_pg_compare(&t->pgid, &pgid) || + ceph_osds_changed(&t->acting, &acting, + t->used_replica || any_change); diff --git a/queue-6.1/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch b/queue-6.1/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch new file mode 100644 index 0000000000..6e738ab76f --- /dev/null +++ b/queue-6.1/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch @@ -0,0 +1,69 @@ +From e3fe30e57649c551757a02e1cad073c47e1e075e Mon Sep 17 00:00:00 2001 +From: Tuo Li +Date: Sun, 21 Dec 2025 02:11:49 +0800 +Subject: libceph: make free_choose_arg_map() resilient to partial allocation + +From: Tuo Li + +commit e3fe30e57649c551757a02e1cad073c47e1e075e upstream. + +free_choose_arg_map() may dereference a NULL pointer if its caller fails +after a partial allocation. + +For example, in decode_choose_args(), if allocation of arg_map->args +fails, execution jumps to the fail label and free_choose_arg_map() is +called. Since arg_map->size is updated to a non-zero value before memory +allocation, free_choose_arg_map() will iterate over arg_map->args and +dereference a NULL pointer. + +To prevent this potential NULL pointer dereference and make +free_choose_arg_map() more resilient, add checks for pointers before +iterating. + +Cc: stable@vger.kernel.org +Co-authored-by: Ilya Dryomov +Signed-off-by: Tuo Li +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osdmap.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -241,22 +241,26 @@ static struct crush_choose_arg_map *allo + + static void free_choose_arg_map(struct crush_choose_arg_map *arg_map) + { +- if (arg_map) { +- int i, j; ++ int i, j; + +- WARN_ON(!RB_EMPTY_NODE(&arg_map->node)); ++ if (!arg_map) ++ return; + ++ WARN_ON(!RB_EMPTY_NODE(&arg_map->node)); ++ ++ if (arg_map->args) { + for (i = 0; i < arg_map->size; i++) { + struct crush_choose_arg *arg = &arg_map->args[i]; +- +- for (j = 0; j < arg->weight_set_size; j++) +- kfree(arg->weight_set[j].weights); +- kfree(arg->weight_set); ++ if (arg->weight_set) { ++ for (j = 0; j < arg->weight_set_size; j++) ++ kfree(arg->weight_set[j].weights); ++ kfree(arg->weight_set); ++ } + kfree(arg->ids); + } + kfree(arg_map->args); +- kfree(arg_map); + } ++ kfree(arg_map); + } + + DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_index, diff --git a/queue-6.1/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch b/queue-6.1/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch new file mode 100644 index 0000000000..c23873ccee --- /dev/null +++ b/queue-6.1/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch @@ -0,0 +1,35 @@ +From 818156caffbf55cb4d368f9c3cac64e458fb49c9 Mon Sep 17 00:00:00 2001 +From: ziming zhang +Date: Thu, 11 Dec 2025 16:52:58 +0800 +Subject: libceph: prevent potential out-of-bounds reads in handle_auth_done() + +From: ziming zhang + +commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream. + +Perform an explicit bounds check on payload_len to avoid a possible +out-of-bounds access in the callout. + +[ idryomov: changelog ] + +Cc: stable@vger.kernel.org +Signed-off-by: ziming zhang +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/messenger_v2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ceph/messenger_v2.c ++++ b/net/ceph/messenger_v2.c +@@ -2187,7 +2187,9 @@ static int process_auth_done(struct ceph + + ceph_decode_64_safe(&p, end, global_id, bad); + ceph_decode_32_safe(&p, end, con->v2.con_mode, bad); ++ + ceph_decode_32_safe(&p, end, payload_len, bad); ++ ceph_decode_need(&p, end, payload_len, bad); + + dout("%s con %p global_id %llu con_mode %d payload_len %d\n", + __func__, con, global_id, con->v2.con_mode, payload_len); diff --git a/queue-6.1/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch b/queue-6.1/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch new file mode 100644 index 0000000000..d7755745cc --- /dev/null +++ b/queue-6.1/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch @@ -0,0 +1,38 @@ +From e00c3f71b5cf75681dbd74ee3f982a99cb690c2b Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 15 Dec 2025 11:53:31 +0100 +Subject: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() + +From: Ilya Dryomov + +commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream. + +If the osdmap is (maliciously) corrupted such that the incremental +osdmap epoch is different from what is expected, there is no need to +BUG. Instead, just declare the incremental osdmap to be invalid. + +Cc: stable@vger.kernel.org +Reported-by: ziming zhang +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osdmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -1979,11 +1979,13 @@ struct ceph_osdmap *osdmap_apply_increme + sizeof(u64) + sizeof(u32), e_inval); + ceph_decode_copy(p, &fsid, sizeof(fsid)); + epoch = ceph_decode_32(p); +- BUG_ON(epoch != map->epoch+1); + ceph_decode_copy(p, &modified, sizeof(modified)); + new_pool_max = ceph_decode_64(p); + new_flags = ceph_decode_32(p); + ++ if (epoch != map->epoch + 1) ++ goto e_inval; ++ + /* full map? */ + ceph_decode_32_safe(p, end, len, e_inval); + if (len > 0) { diff --git a/queue-6.1/libceph-return-the-handler-error-from-mon_handle_auth_done.patch b/queue-6.1/libceph-return-the-handler-error-from-mon_handle_auth_done.patch new file mode 100644 index 0000000000..5f9127691c --- /dev/null +++ b/queue-6.1/libceph-return-the-handler-error-from-mon_handle_auth_done.patch @@ -0,0 +1,38 @@ +From e84b48d31b5008932c0a0902982809fbaa1d3b70 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 29 Dec 2025 15:14:48 +0100 +Subject: libceph: return the handler error from mon_handle_auth_done() + +From: Ilya Dryomov + +commit e84b48d31b5008932c0a0902982809fbaa1d3b70 upstream. + +Currently any error from ceph_auth_handle_reply_done() is propagated +via finish_auth() but isn't returned from mon_handle_auth_done(). This +results in higher layers learning that (despite the monitor considering +us to be successfully authenticated) something went wrong in the +authentication phase and reacting accordingly, but msgr2 still trying +to proceed with establishing the session in the background. In the +case of secure mode this can trigger a WARN in setup_crypto() and later +lead to a NULL pointer dereference inside of prepare_auth_signature(). + +Cc: stable@vger.kernel.org +Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)") +Signed-off-by: Ilya Dryomov +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/mon_client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ceph/mon_client.c ++++ b/net/ceph/mon_client.c +@@ -1417,7 +1417,7 @@ static int mon_handle_auth_done(struct c + if (!ret) + finish_hunting(monc); + mutex_unlock(&monc->mutex); +- return 0; ++ return ret; + } + + static int mon_handle_auth_bad_method(struct ceph_connection *con, diff --git a/queue-6.1/mei-me-add-nova-lake-point-s-did.patch b/queue-6.1/mei-me-add-nova-lake-point-s-did.patch new file mode 100644 index 0000000000..c068b648d7 --- /dev/null +++ b/queue-6.1/mei-me-add-nova-lake-point-s-did.patch @@ -0,0 +1,44 @@ +From 420f423defcf6d0af2263d38da870ca4a20c0990 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Mon, 15 Dec 2025 12:59:15 +0200 +Subject: mei: me: add nova lake point S DID + +From: Alexander Usyskin + +commit 420f423defcf6d0af2263d38da870ca4a20c0990 upstream. + +Add Nova Lake S device id. + +Cc: stable +Co-developed-by: Tomas Winkler +Signed-off-by: Tomas Winkler +Signed-off-by: Alexander Usyskin +Link: https://patch.msgid.link/20251215105915.1672659-1-alexander.usyskin@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me-regs.h | 2 ++ + drivers/misc/mei/pci-me.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -122,6 +122,8 @@ + + #define MEI_DEV_ID_WCL_P 0x4D70 /* Wildcat Lake P */ + ++#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake Point S */ ++ + /* + * MEI HW Section + */ +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -129,6 +129,8 @@ static const struct pci_device_id mei_me + + {MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)}, ++ + /* required last entry */ + {0, } + }; diff --git a/queue-6.1/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch b/queue-6.1/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch new file mode 100644 index 0000000000..aad554010f --- /dev/null +++ b/queue-6.1/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch @@ -0,0 +1,33 @@ +From a4e305ed60f7c41bbf9aabc16dd75267194e0de3 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Tue, 6 Jan 2026 10:47:21 +0100 +Subject: net: 3com: 3c59x: fix possible null dereference in vortex_probe1() + +From: Thomas Fourier + +commit a4e305ed60f7c41bbf9aabc16dd75267194e0de3 upstream. + +pdev can be null and free_ring: can be called in 1297 with a null +pdev. + +Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API") +Cc: +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/3com/3c59x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/3com/3c59x.c ++++ b/drivers/net/ethernet/3com/3c59x.c +@@ -1473,7 +1473,7 @@ static int vortex_probe1(struct device * + return 0; + + free_ring: +- dma_free_coherent(&pdev->dev, ++ dma_free_coherent(gendev, + sizeof(struct boom_rx_desc) * RX_RING_SIZE + + sizeof(struct boom_tx_desc) * TX_RING_SIZE, + vp->rx_ring, vp->rx_ring_dma); diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..2be510d6b8 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,14 @@ +atm-fix-dma_free_coherent-size.patch +net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch +btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch +mei-me-add-nova-lake-point-s-did.patch +lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch +counter-interrupt-cnt-drop-irqf_no_thread-flag.patch +drm-pl111-fix-error-handling-in-pl111_amba_probe.patch +gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch +wifi-avoid-kernel-infoleak-from-struct-iw_point.patch +libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch +libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch +libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch +libceph-return-the-handler-error-from-mon_handle_auth_done.patch +libceph-make-calc_target-set-t-paused-not-just-clear-it.patch diff --git a/queue-6.1/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch b/queue-6.1/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch new file mode 100644 index 0000000000..3896aab15a --- /dev/null +++ b/queue-6.1/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch @@ -0,0 +1,59 @@ +From 21cbf883d073abbfe09e3924466aa5e0449e7261 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 8 Jan 2026 10:19:27 +0000 +Subject: wifi: avoid kernel-infoleak from struct iw_point + +From: Eric Dumazet + +commit 21cbf883d073abbfe09e3924466aa5e0449e7261 upstream. + +struct iw_point has a 32bit hole on 64bit arches. + +struct iw_point { + void __user *pointer; /* Pointer to the data (in user space) */ + __u16 length; /* number of fields or size in bytes */ + __u16 flags; /* Optional params */ +}; + +Make sure to zero the structure to avoid disclosing 32bits of kernel data +to user space. + +Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c") +Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/wext-core.c | 4 ++++ + net/wireless/wext-priv.c | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -1084,6 +1084,10 @@ static int compat_standard_call(struct n + return ioctl_standard_call(dev, iwr, cmd, info, handler); + + iwp_compat = (struct compat_iw_point *) &iwr->u.data; ++ ++ /* struct iw_point has a 32bit hole on 64bit arches. */ ++ memset(&iwp, 0, sizeof(iwp)); ++ + iwp.pointer = compat_ptr(iwp_compat->pointer); + iwp.length = iwp_compat->length; + iwp.flags = iwp_compat->flags; +--- a/net/wireless/wext-priv.c ++++ b/net/wireless/wext-priv.c +@@ -228,6 +228,10 @@ int compat_private_call(struct net_devic + struct iw_point iwp; + + iwp_compat = (struct compat_iw_point *) &iwr->u.data; ++ ++ /* struct iw_point has a 32bit hole on 64bit arches. */ ++ memset(&iwp, 0, sizeof(iwp)); ++ + iwp.pointer = compat_ptr(iwp_compat->pointer); + iwp.length = iwp_compat->length; + iwp.flags = iwp_compat->flags;