From: Greg Kroah-Hartman Date: Mon, 12 Jan 2026 10:48:51 +0000 (+0100) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5519a4839eacbcec5153a1b0501697511c7917ab;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch atm-fix-dma_free_coherent-size.patch bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch counter-interrupt-cnt-drop-irqf_no_thread-flag.patch drm-amd-display-apply-e4479aecf658-to-dml.patch drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch drm-atomic-helper-export-and-namespace-some-functions.patch drm-pl111-fix-error-handling-in-pl111_amba_probe.patch drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch drm-tidss-fix-enable-disable-order.patch gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch libceph-make-calc_target-set-t-paused-not-just-clear-it.patch libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch libceph-reset-sparse-read-state-in-osd_fault.patch libceph-return-the-handler-error-from-mon_handle_auth_done.patch mei-me-add-nova-lake-point-s-did.patch net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch net-do-not-write-to-msg_get_inq-in-callee.patch nfsd-check-that-server-is-running-in-unlock_filesystem.patch 
nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch nfsd-provide-locking-for-v4_end_grace.patch nfsd-remove-nfserr_eagain.patch nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch series tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch wifi-avoid-kernel-infoleak-from-struct-iw_point.patch wifi-mac80211-restore-non-chanctx-injection-behaviour.patch --- diff --git a/queue-6.18/alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch b/queue-6.18/alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch new file mode 100644 index 0000000000..0305169234 --- /dev/null +++ b/queue-6.18/alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch 
@@ -0,0 +1,63 @@
+From 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Sat, 20 Dec 2025 00:28:45 +0800
+Subject: ALSA: ac97: fix a double free in snd_ac97_controller_register()
+
+From: Haoxiang Li
+
+commit 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f upstream.
+
+If ac97_add_adapter() fails, put_device() is the correct way to drop
+the device reference. kfree() is not required.
+Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do
+the cleanup.
+
+Found by code review.
+
+Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li
+Link: https://patch.msgid.link/20251219162845.657525-1-lihaoxiang@isrc.iscas.ac.cn
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/ac97/bus.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/sound/ac97/bus.c
++++ b/sound/ac97/bus.c
+@@ -298,6 +298,7 @@ static void ac97_adapter_release(struct
+ idr_remove(&ac97_adapter_idr, ac97_ctrl->nr);
+ dev_dbg(&ac97_ctrl->adap, "adapter unregistered by %s\n",
+ dev_name(ac97_ctrl->parent));
++ kfree(ac97_ctrl);
+ }
+
+ static const struct device_type ac97_adapter_type = {
+@@ -319,7 +320,9 @@ static int ac97_add_adapter(struct ac97_
+ ret = device_register(&ac97_ctrl->adap);
+ if (ret)
+ put_device(&ac97_ctrl->adap);
+- }
++ } else
++ kfree(ac97_ctrl);
++
+ if (!ret) {
+ list_add(&ac97_ctrl->controllers, &ac97_controllers);
+ dev_dbg(&ac97_ctrl->adap, "adapter registered by %s\n",
+@@ -361,14 +364,11 @@ struct ac97_controller *snd_ac97_control
+ ret = ac97_add_adapter(ac97_ctrl);
+
+ if (ret)
+- goto err;
++ return ERR_PTR(ret);
+ ac97_bus_reset(ac97_ctrl);
+ ac97_bus_scan(ac97_ctrl);
+
+ return ac97_ctrl;
+-err:
+- kfree(ac97_ctrl);
+- return ERR_PTR(ret);
+ }
+ EXPORT_SYMBOL_GPL(snd_ac97_controller_register);
+
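Review bot: In ac97_add_adapter() the new `} else` branch frees the caller's `ac97_ctrl` when idr_alloc() fails, and the device_register() failure path frees it through put_device() and the kfree() added to ac97_adapter_release(), but nothing at the function says that a non-zero return means the pointer is already gone. A comment above the function such as `/* On failure ac97_ctrl has been freed (directly or via ac97_adapter_release()); the caller must not touch it. */` would guard against a later error path re-adding a kfree() or reading the struct. The braced `if` arm paired with an unbraced `else` would also read better as `} else {` / `kfree(ac97_ctrl);` / `}`. All three functions start or end outside the hunks shown.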
diff --git a/queue-6.18/alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch b/queue-6.18/alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch
new file mode 100644
index 0000000000..9a0d382dd9
--- /dev/null
+++ b/queue-6.18/alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch
@@ -0,0 +1,49 @@ +From e340663bbf2a75dae5d4fddf90b49281f5c9df3f Mon Sep 17 00:00:00 2001 +From: August Wikerfors +Date: Mon, 22 Dec 2025 20:47:04 +0100 +Subject: ALSA: hda/tas2781: properly initialize speaker_id for TAS2563 + +From: August Wikerfors + +commit e340663bbf2a75dae5d4fddf90b49281f5c9df3f upstream. + +After speaker id retrieval was refactored to happen in tas2781_read_acpi, +devices that do not use a speaker id need a negative speaker_id value +instead of NULL, but no initialization was added to the TAS2563 code path. +This causes the driver to attempt to load a non-existent firmware file name +with a speaker id of 0 ("TAS2XXX38700.bin") instead of the correct file +name without a speaker id ("TAS2XXX3870.bin"), resulting in low volume and +these dmesg errors: + + tas2781-hda i2c-INT8866:00: Direct firmware load for TAS2XXX38700.bin failed with error -2 + tas2781-hda i2c-INT8866:00: tasdevice_dsp_parser: load TAS2XXX38700.bin error + tas2781-hda i2c-INT8866:00: dspfw load TAS2XXX38700.bin error + [...] + tas2781-hda i2c-INT8866:00: tasdevice_prmg_load: Firmware is NULL + +Fix this by setting speaker_id to -1 as is done for other models. + +Fixes: 945865a0ddf3 ("ALSA: hda/tas2781: fix speaker id retrieval for multiple probes") +Cc: stable@vger.kernel.org +Signed-off-by: August Wikerfors +Link: https://patch.msgid.link/20251222194704.87232-1-git@augustwikerfors.se +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c ++++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c +@@ -111,8 +111,10 @@ static int tas2781_read_acpi(struct tasd + sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev)); + if (IS_ERR(sub)) { + /* No subsys id in older tas2563 projects. 
*/ +- if (!strncmp(hid, "INT8866", sizeof("INT8866"))) ++ if (!strncmp(hid, "INT8866", sizeof("INT8866"))) { ++ p->speaker_id = -1; + goto end_2563; ++ } + dev_err(p->dev, "Failed to get SUBSYS ID.\n"); + ret = PTR_ERR(sub); + goto err; diff --git a/queue-6.18/arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch b/queue-6.18/arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch new file mode 100644 index 0000000000..41a2c768d2 --- /dev/null +++ b/queue-6.18/arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch @@ -0,0 +1,32 @@ +From cd0caaf2005547eaef8170356939aaabfcad4837 Mon Sep 17 00:00:00 2001 +From: Carlos Song +Date: Tue, 18 Nov 2025 14:28:54 +0800 +Subject: arm64: dts: imx95: correct I3C2 pclk to IMX95_CLK_BUSWAKEUP + +From: Carlos Song + +commit cd0caaf2005547eaef8170356939aaabfcad4837 upstream. + +I3C2 is in WAKEUP domain. Its pclk should be IMX95_CLK_BUSWAKEUP. + +Fixes: 969497ebefcf ("arm64: dts: imx95: Add i3c1 and i3c2") +Signed-off-by: Carlos Song +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx95.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx95.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx95.dtsi +@@ -806,7 +806,7 @@ + interrupts = ; + #address-cells = <3>; + #size-cells = <0>; +- clocks = <&scmi_clk IMX95_CLK_BUSAON>, ++ clocks = <&scmi_clk IMX95_CLK_BUSWAKEUP>, + <&scmi_clk IMX95_CLK_I3C2SLOW>; + clock-names = "pclk", "fast_clk"; + status = "disabled"; diff --git a/queue-6.18/arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch b/queue-6.18/arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch new file mode 100644 index 0000000000..0dc8b7c151 --- /dev/null +++ b/queue-6.18/arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch 
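Review bot: The `p->speaker_id = -1;` added in the INT8866 branch of tas2781_read_acpi() is a bare sentinel; the commit message explains that a negative value means "no speaker id, use the firmware name without the suffix", but the code does not. Extending the existing comment to `/* No subsys id in older tas2563 projects; -1 = no speaker id in the firmware file name. */` keeps the reason next to the assignment. Since the message says other models set the same value, a shared named constant would be the more durable form, though those sites are outside this hunk. The function continues past both ends of the hunk.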
@@ -0,0 +1,67 @@ +From bdf3f4176092df5281877cacf42f843063b4784d Mon Sep 17 00:00:00 2001 +From: Yeoreum Yun +Date: Wed, 7 Jan 2026 16:21:15 +0000 +Subject: arm64: Fix cleared E0POE bit after cpu_suspend()/resume() + +From: Yeoreum Yun + +commit bdf3f4176092df5281877cacf42f843063b4784d upstream. + +TCR2_ELx.E0POE is set during smp_init(). +However, this bit is not reprogrammed when the CPU enters suspension and +later resumes via cpu_resume(), as __cpu_setup() does not re-enable E0POE +and there is no save/restore logic for the TCR2_ELx system register. + +As a result, the E0POE feature no longer works after cpu_resume(). + +To address this, save and restore TCR2_EL1 in the cpu_suspend()/cpu_resume() +path, rather than adding related logic to __cpu_setup(), taking into account +possible future extensions of the TCR2_ELx feature. + +Fixes: bf83dae90fbc ("arm64: enable the Permission Overlay Extension for EL0") +Cc: # 6.12.x +Signed-off-by: Yeoreum Yun +Reviewed-by: Anshuman Khandual +Reviewed-by: Kevin Brodsky +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/suspend.h | 2 +- + arch/arm64/mm/proc.S | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/suspend.h ++++ b/arch/arm64/include/asm/suspend.h +@@ -2,7 +2,7 @@ + #ifndef __ASM_SUSPEND_H + #define __ASM_SUSPEND_H + +-#define NR_CTX_REGS 13 ++#define NR_CTX_REGS 14 + #define NR_CALLEE_SAVED_REGS 12 + + /* +--- a/arch/arm64/mm/proc.S ++++ b/arch/arm64/mm/proc.S +@@ -100,6 +100,10 @@ SYM_FUNC_START(cpu_do_suspend) + * call stack. 
+ */ + str x18, [x0, #96] ++alternative_if ARM64_HAS_TCR2 ++ mrs x2, REG_TCR2_EL1 ++ str x2, [x0, #104] ++alternative_else_nop_endif + ret + SYM_FUNC_END(cpu_do_suspend) + +@@ -134,6 +138,10 @@ SYM_FUNC_START(cpu_do_resume) + msr tcr_el1, x8 + msr vbar_el1, x9 + msr mdscr_el1, x10 ++alternative_if ARM64_HAS_TCR2 ++ ldr x2, [x0, #104] ++ msr REG_TCR2_EL1, x2 ++alternative_else_nop_endif + + msr sctlr_el1, x12 + set_this_cpu_offset x13 diff --git a/queue-6.18/atm-fix-dma_free_coherent-size.patch b/queue-6.18/atm-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..ca2baed6ff --- /dev/null +++ b/queue-6.18/atm-fix-dma_free_coherent-size.patch @@ -0,0 +1,34 @@ +From 4d984b0574ff708e66152763fbfdef24ea40933f Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 7 Jan 2026 10:01:36 +0100 +Subject: atm: Fix dma_free_coherent() size + +From: Thomas Fourier + +commit 4d984b0574ff708e66152763fbfdef24ea40933f upstream. + +The size of the buffer is not the same when alloc'd with +dma_alloc_coherent() in he_init_tpdrq() and freed. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/he.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/atm/he.c ++++ b/drivers/atm/he.c +@@ -1587,7 +1587,8 @@ he_stop(struct he_dev *he_dev) + he_dev->tbrq_base, he_dev->tbrq_phys); + + if (he_dev->tpdrq_base) +- dma_free_coherent(&he_dev->pci_dev->dev, CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq), ++ dma_free_coherent(&he_dev->pci_dev->dev, ++ CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq), + he_dev->tpdrq_base, he_dev->tpdrq_phys); + + dma_pool_destroy(he_dev->tpd_pool); 
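Review bot: The literal offset `#104` used in both cpu_do_suspend and cpu_do_resume is the hand-computed slot 13 of the context array, tied to the `NR_CTX_REGS 14` bump in suspend.h only by arithmetic. If a later change adds another saved register and miscounts or reuses the slot, the store would land outside the array or TCR2_EL1 would be restored from another register's value, which matters here because that register controls the EL0 permission overlay. A short comment at the store, for example `/* ctx slot 13: TCR2_EL1, saved only when ARM64_HAS_TCR2 */`, and the matching one at the load would make the coupling visible. Both routines begin outside the hunks, so whether `x2` is free at the load in cpu_do_resume cannot be confirmed from the lines shown.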
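Review bot: In he_stop() the corrected free still spells out `CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq)` by hand, separately from the allocation in he_init_tpdrq(), which is how the two sizes could drift apart in the first place. The context line above shows the tbrq free following the same pattern. Defining the size once, e.g. `#define HE_TPDRQ_BYTES (CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq))`, and using it at both the dma_alloc_coherent() and dma_free_coherent() call sites would keep them from diverging again. The allocation site is outside this hunk, so its expression is taken from the commit message rather than checked.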
diff --git a/queue-6.18/bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch b/queue-6.18/bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch
new file mode 100644
index 0000000000..acb89ed1d0
--- /dev/null
+++ b/queue-6.18/bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch
@@ -0,0 +1,71 @@ +From 3358995b1a7f9dcb52a56ec8251570d71024dad0 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Tue, 6 Jan 2026 06:31:14 -0800 +Subject: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup + +From: Breno Leitao + +commit 3358995b1a7f9dcb52a56ec8251570d71024dad0 upstream. + +When bnxt_init_one() fails during initialization (e.g., +bnxt_init_int_mode returns -ENODEV), the error path calls +bnxt_free_hwrm_resources() which destroys the DMA pool and sets +bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, +which invokes ptp_clock_unregister(). + +Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to +disable events"), ptp_clock_unregister() now calls +ptp_disable_all_events(), which in turn invokes the driver's .enable() +callback (bnxt_ptp_enable()) to disable PTP events before completing the +unregistration. + +bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() +and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This +function tries to allocate from bp->hwrm_dma_pool, causing a NULL +pointer dereference: + + bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed + KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] + Call Trace: + __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72) + bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517) + ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66) + ptp_clock_unregister (drivers/ptp/ptp_clock.c:518) + bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134) + bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889) + +Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3") + +Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before +freeing HWRM resources. 
+ +Suggested-by: Pavan Chebbi +Signed-off-by: Breno Leitao +Fixes: a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events") +Cc: stable@vger.kernel.org +Reviewed-by: Pavan Chebbi +Link: https://patch.msgid.link/20260106-bnxt-v3-1-71f37e11446a@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -16856,12 +16856,12 @@ init_err_dl: + + init_err_pci_clean: + bnxt_hwrm_func_drv_unrgtr(bp); +- bnxt_free_hwrm_resources(bp); +- bnxt_hwmon_uninit(bp); +- bnxt_ethtool_free(bp); + bnxt_ptp_clear(bp); + kfree(bp->ptp_cfg); + bp->ptp_cfg = NULL; ++ bnxt_free_hwrm_resources(bp); ++ bnxt_hwmon_uninit(bp); ++ bnxt_ethtool_free(bp); + kfree(bp->fw_health); + bp->fw_health = NULL; + bnxt_cleanup_pci(bp); diff --git a/queue-6.18/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch b/queue-6.18/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch new file mode 100644 index 0000000000..e4a1a95617 --- /dev/null +++ b/queue-6.18/btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch 
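Review bot: The new position of `bnxt_ptp_clear(bp);` under init_err_pci_clean is load-bearing, yet nothing in the code says that it must run before `bnxt_free_hwrm_resources(bp);`. A comment such as `/* ptp_clock_unregister() calls back into bnxt_ptp_enable(), which sends HWRM requests; keep this before bnxt_free_hwrm_resources(). */` would stop a later cleanup reshuffle from reintroducing the NULL dereference. The call still sits after `bnxt_hwrm_func_drv_unrgtr(bp)`, so the PTP disable requests reach firmware after the driver has unregistered; presumably that is acceptable, but it is worth confirming. The error labels belong to bnxt_init_one(), whose body lies mostly outside the hunk, and any other teardown path with the same ordering is not visible here.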
@@ -0,0 +1,174 @@ +From 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 11 Dec 2025 15:06:26 +0000 +Subject: btrfs: always detect conflicting inodes when logging inode refs + +From: Filipe Manana + +commit 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 upstream. + +After rename exchanging (either with the rename exchange operation or +regular renames in multiple non-atomic steps) two inodes and at least +one of them is a directory, we can end up with a log tree that contains +only of the inodes and after a power failure that can result in an attempt +to delete the other inode when it should not because it was not deleted +before the power failure. In some case that delete attempt fails when +the target inode is a directory that contains a subvolume inside it, since +the log replay code is not prepared to deal with directory entries that +point to root items (only inode items). + +1) We have directories "dir1" (inode A) and "dir2" (inode B) under the + same parent directory; + +2) We have a file (inode C) under directory "dir1" (inode A); + +3) We have a subvolume inside directory "dir2" (inode B); + +4) All these inodes were persisted in a past transaction and we are + currently at transaction N; + +5) We rename the file (inode C), so at btrfs_log_new_name() we update + inode C's last_unlink_trans to N; + +6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B), + so after the exchange "dir1" is inode B and "dir2" is inode A. + During the rename exchange we call btrfs_log_new_name() for inodes + A and B, but because they are directories, we don't update their + last_unlink_trans to N; + +7) An fsync against the file (inode C) is done, and because its inode + has a last_unlink_trans with a value of N we log its parent directory + (inode A) (through btrfs_log_all_parents(), called from + btrfs_log_inode_parent()). + +8) So we end up with inode B not logged, which now has the old name + of inode A. 
At copy_inode_items_to_log(), when logging inode A, we + did not check if we had any conflicting inode to log because inode + A has a generation lower than the current transaction (created in + a past transaction); + +9) After a power failure, when replaying the log tree, since we find that + inode A has a new name that conflicts with the name of inode B in the + fs tree, we attempt to delete inode B... this is wrong since that + directory was never deleted before the power failure, and because there + is a subvolume inside that directory, attempting to delete it will fail + since replay_dir_deletes() and btrfs_unlink_inode() are not prepared + to deal with dir items that point to roots instead of inodes. + + When that happens the mount fails and we get a stack trace like the + following: + + [87.2314] BTRFS info (device dm-0): start tree-log replay + [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259 + [87.2332] ------------[ cut here ]------------ + [87.2338] BTRFS: Transaction aborted (error -2) + [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs] + [87.2368] Modules linked in: btrfs loop dm_thin_pool (...) + [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full) + [87.2489] Tainted: [W]=WARN + [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs] + [87.2538] Code: c0 89 04 24 (...) 
+ [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286 + [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000 + [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff + [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840 + [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0 + [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10 + [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000 + [87.2629] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [87.2637] CR2: 00007ffc9ec33b98 CR3: 000000011273e003 CR4: 0000000000370ef0 + [87.2648] Call Trace: + [87.2651] + [87.2654] btrfs_unlink_inode+0x15/0x40 [btrfs] + [87.2661] unlink_inode_for_log_replay+0x27/0xf0 [btrfs] + [87.2669] check_item_in_log+0x1ea/0x2c0 [btrfs] + [87.2676] replay_dir_deletes+0x16b/0x380 [btrfs] + [87.2684] fixup_inode_link_count+0x34b/0x370 [btrfs] + [87.2696] fixup_inode_link_counts+0x41/0x160 [btrfs] + [87.2703] btrfs_recover_log_trees+0x1ff/0x7c0 [btrfs] + [87.2711] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs] + [87.2719] open_ctree+0x10bb/0x15f0 [btrfs] + [87.2726] btrfs_get_tree.cold+0xb/0x16c [btrfs] + [87.2734] ? fscontext_read+0x15c/0x180 + [87.2740] ? rw_verify_area+0x50/0x180 + [87.2746] vfs_get_tree+0x25/0xd0 + [87.2750] vfs_cmd_create+0x59/0xe0 + [87.2755] __do_sys_fsconfig+0x4f6/0x6b0 + [87.2760] do_syscall_64+0x50/0x1220 + [87.2764] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [87.2770] RIP: 0033:0x7f7b9625f4aa + [87.2775] Code: 73 01 c3 48 (...) 
+ [87.2803] RSP: 002b:00007ffc9ec35b08 EFLAGS: 00000246 ORIG_RAX: 00000000000001af + [87.2817] RAX: ffffffffffffffda RBX: 0000558bfa91ac20 RCX: 00007f7b9625f4aa + [87.2829] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003 + [87.2842] RBP: 0000558bfa91b120 R08: 0000000000000000 R09: 0000000000000000 + [87.2854] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 + [87.2864] R13: 00007f7b963f1580 R14: 00007f7b963f326c R15: 00007f7b963d8a23 + [87.2877] + [87.2882] ---[ end trace 0000000000000000 ]--- + [87.2891] BTRFS: error (device dm-0 state A) in __btrfs_unlink_inode:4345: errno=-2 No such entry + [87.2904] BTRFS: error (device dm-0 state EAO) in do_abort_log_replay:191: errno=-2 No such entry + [87.2915] BTRFS critical (device dm-0 state EAO): log tree (for root 5) leaf currently being processed (slot 7 key (258 12 257)): + [87.2929] BTRFS info (device dm-0 state EAO): leaf 30736384 gen 10 total ptrs 7 free space 15712 owner 18446744073709551610 + [87.2929] BTRFS info (device dm-0 state EAO): refs 3 lock_owner 0 current 638968 + [87.2929] item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 + [87.2929] inode generation 9 transid 10 size 0 nbytes 0 + [87.2929] block group 0 mode 40755 links 1 uid 0 gid 0 + [87.2929] rdev 0 sequence 7 flags 0x0 + [87.2929] atime 1765464494.678070921 + [87.2929] ctime 1765464494.686606513 + [87.2929] mtime 1765464494.686606513 + [87.2929] otime 1765464494.678070921 + [87.2929] item 1 key (257 INODE_REF 256) itemoff 16109 itemsize 14 + [87.2929] index 4 name_len 4 + [87.2929] item 2 key (257 DIR_LOG_INDEX 2) itemoff 16101 itemsize 8 + [87.2929] dir log end 2 + [87.2929] item 3 key (257 DIR_LOG_INDEX 3) itemoff 16093 itemsize 8 + [87.2929] dir log end 18446744073709551615 + [87.2930] item 4 key (257 DIR_INDEX 3) itemoff 16060 itemsize 33 + [87.2930] location key (258 1 0) type 1 + [87.2930] transid 10 data_len 0 name_len 3 + [87.2930] item 5 key (258 INODE_ITEM 0) itemoff 15900 itemsize 160 + 
[87.2930] inode generation 9 transid 10 size 0 nbytes 0 + [87.2930] block group 0 mode 100644 links 1 uid 0 gid 0 + [87.2930] rdev 0 sequence 2 flags 0x0 + [87.2930] atime 1765464494.678456467 + [87.2930] ctime 1765464494.686606513 + [87.2930] mtime 1765464494.678456467 + [87.2930] otime 1765464494.678456467 + [87.2930] item 6 key (258 INODE_REF 257) itemoff 15887 itemsize 13 + [87.2930] index 3 name_len 3 + [87.2930] BTRFS critical (device dm-0 state EAO): log replay failed in unlink_inode_for_log_replay:1045 for root 5, stage 3, with error -2: failed to unlink inode 256 parent dir 259 name subvol root 5 + [87.2963] BTRFS: error (device dm-0 state EAO) in btrfs_recover_log_trees:7743: errno=-2 No such entry + [87.2981] BTRFS: error (device dm-0 state EAO) in btrfs_replay_log:2083: errno=-2 No such entry (Failed to recover log tr + +So fix this by changing copy_inode_items_to_log() to always detect if +there are conflicting inodes for the ref/extref of the inode being logged +even if the inode was created in a past transaction. + +A test case for fstests will follow soon. + +CC: stable@vger.kernel.org # 6.1+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -6348,10 +6348,8 @@ again: + * and no keys greater than that, so bail out. + */ + break; +- } else if ((min_key->type == BTRFS_INODE_REF_KEY || +- min_key->type == BTRFS_INODE_EXTREF_KEY) && +- (inode->generation == trans->transid || +- ctx->logging_conflict_inodes)) { ++ } else if (min_key->type == BTRFS_INODE_REF_KEY || ++ min_key->type == BTRFS_INODE_EXTREF_KEY) { + u64 other_ino = 0; + u64 other_parent = 0; + 
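Review bot: With the generation and `logging_conflict_inodes` tests removed, the `else if` in copy_inode_items_to_log() enters the conflicting-inode branch for every INODE_REF/INODE_EXTREF key, and the reason is recorded only in the commit message. The dropped condition reads like a reasonable optimisation, so a comment at the branch, for example `/* Always check for conflicting inodes, even for inodes created in past transactions: a rename exchange of directories does not update last_unlink_trans. */`, would keep it from being restored. The branch body and the enclosing loop continue outside the hunk.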
diff --git a/queue-6.18/counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch b/queue-6.18/counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch
new file mode 100644
index 0000000000..71226d41d8
--- /dev/null
+++ b/queue-6.18/counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch
@@ -0,0 +1,78 @@ +From 9517d76dd160208b7a432301ce7bec8fc1ddc305 Mon Sep 17 00:00:00 2001 +From: Haotian Zhang +Date: Mon, 15 Dec 2025 10:01:14 +0800 +Subject: counter: 104-quad-8: Fix incorrect return value in IRQ handler + +From: Haotian Zhang + +commit 9517d76dd160208b7a432301ce7bec8fc1ddc305 upstream. + +quad8_irq_handler() should return irqreturn_t enum values, but it +directly returns negative errno codes from regmap operations on error. + +Return IRQ_NONE if the interrupt status cannot be read. If clearing the +interrupt fails, return IRQ_HANDLED to prevent the kernel from disabling +the IRQ line due to a spurious interrupt storm. Also, log these regmap +failures with dev_WARN_ONCE. + +Fixes: 98ffe0252911 ("counter: 104-quad-8: Migrate to the regmap API") +Suggested-by: Andy Shevchenko +Signed-off-by: Haotian Zhang +Link: https://lore.kernel.org/r/20251215020114.1913-1-vulab@iscas.ac.cn +Cc: stable@vger.kernel.org +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + drivers/counter/104-quad-8.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/counter/104-quad-8.c ++++ b/drivers/counter/104-quad-8.c +@@ -1192,6 +1192,7 @@ static irqreturn_t quad8_irq_handler(int + { + struct counter_device *counter = private; + struct quad8 *const priv = counter_priv(counter); ++ struct device *dev = counter->parent; + unsigned int status; + unsigned long irq_status; + unsigned long channel; +@@ -1200,8 +1201,11 @@ static irqreturn_t quad8_irq_handler(int + int ret; + + ret = regmap_read(priv->map, QUAD8_INTERRUPT_STATUS, &status); +- if (ret) +- return ret; ++ if (ret) { ++ dev_WARN_ONCE(dev, true, ++ "Attempt to read Interrupt Status Register failed: %d\n", ret); ++ return IRQ_NONE; ++ } + if (!status) + return IRQ_NONE; + +@@ -1223,8 +1227,9 @@ static irqreturn_t quad8_irq_handler(int + break; + default: + /* should never reach this path */ +- WARN_ONCE(true, "invalid interrupt trigger function %u 
configured for channel %lu\n", +- flg_pins, channel); ++ dev_WARN_ONCE(dev, true, ++ "invalid interrupt trigger function %u configured for channel %lu\n", ++ flg_pins, channel); + continue; + } + +@@ -1232,8 +1237,11 @@ static irqreturn_t quad8_irq_handler(int + } + + ret = regmap_write(priv->map, QUAD8_CHANNEL_OPERATION, CLEAR_PENDING_INTERRUPTS); +- if (ret) +- return ret; ++ if (ret) { ++ dev_WARN_ONCE(dev, true, ++ "Attempt to clear pending interrupts by writing to Channel Operation Register failed: %d\n", ret); ++ return IRQ_HANDLED; ++ } + + return IRQ_HANDLED; + } diff --git a/queue-6.18/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch b/queue-6.18/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch new file mode 100644 index 0000000000..6f149c2951 --- /dev/null +++ b/queue-6.18/counter-interrupt-cnt-drop-irqf_no_thread-flag.patch 
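Review bot: Both new error paths in quad8_irq_handler() report a failed regmap access with `dev_WARN_ONCE()`, which emits a full backtrace and halts the machine when panic_on_warn is set, although a bus or device fault is not a kernel bug. `dev_err_ratelimited(dev, "Attempt to read Interrupt Status Register failed: %d\n", ret);` (and the same for the clear-pending write) would log the fault without that side effect. The `return IRQ_HANDLED;` inside the new `if (ret)` block after regmap_write() duplicates the return that follows it and can be dropped so the branch only logs. The handler's opening and the channel loop are partly outside the hunks.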
@@ -0,0 +1,77 @@ +From 23f9485510c338476b9735d516c1d4aacb810d46 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Tue, 18 Nov 2025 09:35:48 +0100 +Subject: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag + +From: Alexander Sverdlin + +commit 23f9485510c338476b9735d516c1d4aacb810d46 upstream. + +An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as +CONFIG_PROVE_RAW_LOCK_NESTING warns: +============================= +[ BUG: Invalid wait context ] +6.18.0-rc1+git... #1 +----------------------------- +some-user-space-process/1251 is trying to lock: +(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter] +other info that might help us debug this: +context-{2:2} +no locks held by some-user-space-process/.... +stack backtrace: +CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT +Call trace: + show_stack (C) + dump_stack_lvl + dump_stack + __lock_acquire + lock_acquire + _raw_spin_lock_irqsave + counter_push_event [counter] + interrupt_cnt_isr [interrupt_cnt] + __handle_irq_event_percpu + handle_irq_event + handle_simple_irq + handle_irq_desc + generic_handle_domain_irq + gpio_irq_handler + handle_irq_desc + generic_handle_domain_irq + gic_handle_irq + call_on_irq_stack + do_interrupt_handler + el0_interrupt + __el0_irq_handler_common + el0t_64_irq_handler + el0t_64_irq + +... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an +alternative to switching to raw_spinlock_t, because the latter would limit +all potential nested locks to raw_spinlock_t only. 
+ +Cc: Sebastian Andrzej Siewior +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20251117151314.xwLAZrWY@linutronix.de/ +Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter") +Signed-off-by: Alexander Sverdlin +Reviewed-by: Sebastian Andrzej Siewior +Reviewed-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20251118083603.778626-1-alexander.sverdlin@siemens.com +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + drivers/counter/interrupt-cnt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/counter/interrupt-cnt.c ++++ b/drivers/counter/interrupt-cnt.c +@@ -229,8 +229,7 @@ static int interrupt_cnt_probe(struct pl + + irq_set_status_flags(priv->irq, IRQ_NOAUTOEN); + ret = devm_request_irq(dev, priv->irq, interrupt_cnt_isr, +- IRQF_TRIGGER_RISING | IRQF_NO_THREAD, +- dev_name(dev), counter); ++ IRQF_TRIGGER_RISING, dev_name(dev), counter); + if (ret) + return ret; + diff --git a/queue-6.18/drm-amd-display-apply-e4479aecf658-to-dml.patch b/queue-6.18/drm-amd-display-apply-e4479aecf658-to-dml.patch new file mode 100644 index 0000000000..f8bf3f69df --- /dev/null +++ b/queue-6.18/drm-amd-display-apply-e4479aecf658-to-dml.patch 
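Review bot: The `devm_request_irq()` call in interrupt_cnt_probe() now passes only `IRQF_TRIGGER_RISING`, and the reason IRQF_NO_THREAD must stay off is recorded only in the commit message. A comment above the call, e.g. `/* No IRQF_NO_THREAD: interrupt_cnt_isr() reaches counter_push_event(), which takes a spinlock_t. */`, would keep the flag from being added back as a latency tweak. With the flag gone the handler may be force-threaded (threadirqs, PREEMPT_RT), so edges could be counted later than before; that trade-off is inferred, not shown in the hunk. The probe function starts and ends outside the hunk.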
@@ -0,0 +1,57 @@ +From 70740454377f1ba3ff32f5df4acd965db99d055b Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sat, 13 Dec 2025 15:16:43 +0900 +Subject: drm/amd/display: Apply e4479aecf658 to dml + +From: Nathan Chancellor + +commit 70740454377f1ba3ff32f5df4acd965db99d055b upstream. + +After an innocuous optimization change in clang-22, allmodconfig (which +enables CONFIG_KASAN and CONFIG_WERROR) breaks with: + + drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (3144) exceeds limit (3072) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] + 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) + | ^ + +With clang-21, this function was already pretty close to the existing +limit of 3072 bytes. + + drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (2904) exceeds limit (2048) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] + 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) + | ^ + +A similar situation occurred in dml2, which was resolved by +commit e4479aecf658 ("drm/amd/display: Increase sanitizer frame larger +than limit when compile testing with clang") by increasing the limit for +clang when compile testing with certain sanitizer enabled, so that +allmodconfig (an easy testing target) continues to work. + +Apply that same change to the dml folder to clear up the warning for +allmodconfig, unbreaking the build. 
+ +Closes: https://github.com/ClangBuiltLinux/linux/issues/2135 +Signed-off-by: Nathan Chancellor +Signed-off-by: Alex Deucher +(cherry picked from commit 25314b453cf812150e9951a32007a32bba85707e) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dml/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile +@@ -30,7 +30,11 @@ dml_rcflags := $(CC_FLAGS_NO_FPU) + + ifneq ($(CONFIG_FRAME_WARN),0) + ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) +- frame_warn_limit := 3072 ++ ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy) ++ frame_warn_limit := 4096 ++ else ++ frame_warn_limit := 3072 ++ endif + else + frame_warn_limit := 2048 + endif diff --git a/queue-6.18/drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch b/queue-6.18/drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch new file mode 100644 index 0000000000..dc9ce82180 --- /dev/null +++ b/queue-6.18/drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch 
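Review bot: The new `frame_warn_limit := 4096` branch has no comment saying why clang under COMPILE_TEST gets a larger allowance, and a bare number tends to be bumped again without anyone asking whether the frame itself should shrink. Suggest a comment above the inner `ifeq`, e.g. `# clang with KASAN/KCSAN under COMPILE_TEST inflates dml frames past 3072; raised for build coverage only, see e4479aecf658`. The commit message reports 3144 bytes for `dml32_ModeSupportAndSystemConfigurationFull` with clang-22, so only the warning threshold moves here and the function's actual stack use is unchanged by this patch.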
@@ -0,0 +1,47 @@ +From 72d7f4573660287f1b66c30319efecd6fcde92ee Mon Sep 17 00:00:00 2001 +From: Alan Liu +Date: Mon, 22 Dec 2025 12:26:35 +0800 +Subject: drm/amdgpu: Fix query for VPE block_type and ip_count + +From: Alan Liu + +commit 72d7f4573660287f1b66c30319efecd6fcde92ee upstream. + +[Why] +Query for VPE block_type and ip_count is missing. + +[How] +Add VPE case in ip_block_type and hw_ip_count query. + +Reviewed-by: Lang Yu +Signed-off-by: Alan Liu +Signed-off-by: Alex Deucher +(cherry picked from commit a6ea0a430aca5932b9c75d8e38deeb45665dd2ae) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -201,6 +201,9 @@ static enum amd_ip_block_type + type = (amdgpu_device_ip_get_ip_block(adev, AMD_IP_BLOCK_TYPE_JPEG)) ? + AMD_IP_BLOCK_TYPE_JPEG : AMD_IP_BLOCK_TYPE_VCN; + break; ++ case AMDGPU_HW_IP_VPE: ++ type = AMD_IP_BLOCK_TYPE_VPE; ++ break; + default: + type = AMD_IP_BLOCK_TYPE_NUM; + break; +@@ -721,6 +724,9 @@ int amdgpu_info_ioctl(struct drm_device + case AMD_IP_BLOCK_TYPE_UVD: + count = adev->uvd.num_uvd_inst; + break; ++ case AMD_IP_BLOCK_TYPE_VPE: ++ count = adev->vpe.num_instances; ++ break; + /* For all other IP block types not listed in the switch statement + * the ip status is valid here and the instance count is one. + */ diff --git a/queue-6.18/drm-atomic-helper-export-and-namespace-some-functions.patch b/queue-6.18/drm-atomic-helper-export-and-namespace-some-functions.patch new file mode 100644 index 0000000000..d152b238a6 --- /dev/null +++ b/queue-6.18/drm-atomic-helper-export-and-namespace-some-functions.patch 
@@ -0,0 +1,293 @@ +From d1c7dc57ff2400b141e6582a8d2dc5170108cf81 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 5 Dec 2025 11:51:50 +0200 +Subject: drm/atomic-helper: Export and namespace some functions + +From: Linus Walleij + +commit d1c7dc57ff2400b141e6582a8d2dc5170108cf81 upstream. + +Export and namespace those not prefixed with drm_* so +it becomes possible to write custom commit tail functions +in individual drivers using the helper infrastructure. + +Tested-by: Marek Vasut +Reviewed-by: Maxime Ripard +Signed-off-by: Tomi Valkeinen +Cc: stable@vger.kernel.org # v6.17+ +Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable") +Reviewed-by: Aradhya Bhatia +Reviewed-by: Linus Walleij +Tested-by: Linus Walleij +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-3-fda68fa1b3de@ideasonboard.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic_helper.c | 122 +++++++++++++++++++++++++++++------- + include/drm/drm_atomic_helper.h | 22 ++++++ + 2 files changed, 121 insertions(+), 23 deletions(-) + +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1162,8 +1162,18 @@ crtc_needs_disable(struct drm_crtc_state + new_state->self_refresh_active; + } + +-static void +-encoder_bridge_disable(struct drm_device *dev, struct drm_atomic_state *state) ++/** ++ * drm_atomic_helper_commit_encoder_bridge_disable - disable bridges and encoder ++ * @dev: DRM device ++ * @state: the driver state object ++ * ++ * Loops over all connectors in the current state and if the CRTC needs ++ * it, disables the bridge chain all the way, then disables the encoder ++ * afterwards. 
++ */ ++void ++drm_atomic_helper_commit_encoder_bridge_disable(struct drm_device *dev, ++ struct drm_atomic_state *state) + { + struct drm_connector *connector; + struct drm_connector_state *old_conn_state, *new_conn_state; +@@ -1229,9 +1239,18 @@ encoder_bridge_disable(struct drm_device + } + } + } ++EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_disable); + +-static void +-crtc_disable(struct drm_device *dev, struct drm_atomic_state *state) ++/** ++ * drm_atomic_helper_commit_crtc_disable - disable CRTSs ++ * @dev: DRM device ++ * @state: the driver state object ++ * ++ * Loops over all CRTCs in the current state and if the CRTC needs ++ * it, disables it. ++ */ ++void ++drm_atomic_helper_commit_crtc_disable(struct drm_device *dev, struct drm_atomic_state *state) + { + struct drm_crtc *crtc; + struct drm_crtc_state *old_crtc_state, *new_crtc_state; +@@ -1282,9 +1301,18 @@ crtc_disable(struct drm_device *dev, str + drm_crtc_vblank_put(crtc); + } + } ++EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_disable); + +-static void +-encoder_bridge_post_disable(struct drm_device *dev, struct drm_atomic_state *state) ++/** ++ * drm_atomic_helper_commit_encoder_bridge_post_disable - post-disable encoder bridges ++ * @dev: DRM device ++ * @state: the driver state object ++ * ++ * Loops over all connectors in the current state and if the CRTC needs ++ * it, post-disables all encoder bridges. 
++ */ ++void ++drm_atomic_helper_commit_encoder_bridge_post_disable(struct drm_device *dev, struct drm_atomic_state *state) + { + struct drm_connector *connector; + struct drm_connector_state *old_conn_state, *new_conn_state; +@@ -1335,15 +1363,16 @@ encoder_bridge_post_disable(struct drm_d + drm_bridge_put(bridge); + } + } ++EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_post_disable); + + static void + disable_outputs(struct drm_device *dev, struct drm_atomic_state *state) + { +- encoder_bridge_disable(dev, state); ++ drm_atomic_helper_commit_encoder_bridge_disable(dev, state); + +- encoder_bridge_post_disable(dev, state); ++ drm_atomic_helper_commit_encoder_bridge_post_disable(dev, state); + +- crtc_disable(dev, state); ++ drm_atomic_helper_commit_crtc_disable(dev, state); + } + + /** +@@ -1446,8 +1475,17 @@ void drm_atomic_helper_calc_timestamping + } + EXPORT_SYMBOL(drm_atomic_helper_calc_timestamping_constants); + +-static void +-crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *state) ++/** ++ * drm_atomic_helper_commit_crtc_set_mode - set the new mode ++ * @dev: DRM device ++ * @state: the driver state object ++ * ++ * Loops over all connectors in the current state and if the mode has ++ * changed, change the mode of the CRTC, then call down the bridge ++ * chain and change the mode in all bridges as well. 
++ */ ++void ++drm_atomic_helper_commit_crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *state) + { + struct drm_crtc *crtc; + struct drm_crtc_state *new_crtc_state; +@@ -1508,6 +1546,7 @@ crtc_set_mode(struct drm_device *dev, st + drm_bridge_put(bridge); + } + } ++EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_set_mode); + + /** + * drm_atomic_helper_commit_modeset_disables - modeset commit to disable outputs +@@ -1531,12 +1570,21 @@ void drm_atomic_helper_commit_modeset_di + drm_atomic_helper_update_legacy_modeset_state(dev, state); + drm_atomic_helper_calc_timestamping_constants(state); + +- crtc_set_mode(dev, state); ++ drm_atomic_helper_commit_crtc_set_mode(dev, state); + } + EXPORT_SYMBOL(drm_atomic_helper_commit_modeset_disables); + +-static void drm_atomic_helper_commit_writebacks(struct drm_device *dev, +- struct drm_atomic_state *state) ++/** ++ * drm_atomic_helper_commit_writebacks - issue writebacks ++ * @dev: DRM device ++ * @state: atomic state object being committed ++ * ++ * This loops over the connectors, checks if the new state requires ++ * a writeback job to be issued and in that case issues an atomic ++ * commit on each connector. ++ */ ++void drm_atomic_helper_commit_writebacks(struct drm_device *dev, ++ struct drm_atomic_state *state) + { + struct drm_connector *connector; + struct drm_connector_state *new_conn_state; +@@ -1555,9 +1603,18 @@ static void drm_atomic_helper_commit_wri + } + } + } ++EXPORT_SYMBOL(drm_atomic_helper_commit_writebacks); + +-static void +-encoder_bridge_pre_enable(struct drm_device *dev, struct drm_atomic_state *state) ++/** ++ * drm_atomic_helper_commit_encoder_bridge_pre_enable - pre-enable bridges ++ * @dev: DRM device ++ * @state: atomic state object being committed ++ * ++ * This loops over the connectors and if the CRTC needs it, pre-enables ++ * the entire bridge chain. 
++ */ ++void ++drm_atomic_helper_commit_encoder_bridge_pre_enable(struct drm_device *dev, struct drm_atomic_state *state) + { + struct drm_connector *connector; + struct drm_connector_state *new_conn_state; +@@ -1588,9 +1645,18 @@ encoder_bridge_pre_enable(struct drm_dev + drm_bridge_put(bridge); + } + } ++EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_pre_enable); + +-static void +-crtc_enable(struct drm_device *dev, struct drm_atomic_state *state) ++/** ++ * drm_atomic_helper_commit_crtc_enable - enables the CRTCs ++ * @dev: DRM device ++ * @state: atomic state object being committed ++ * ++ * This loops over CRTCs in the new state, and of the CRTC needs ++ * it, enables it. ++ */ ++void ++drm_atomic_helper_commit_crtc_enable(struct drm_device *dev, struct drm_atomic_state *state) + { + struct drm_crtc *crtc; + struct drm_crtc_state *old_crtc_state; +@@ -1619,9 +1685,18 @@ crtc_enable(struct drm_device *dev, stru + } + } + } ++EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_enable); + +-static void +-encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state) ++/** ++ * drm_atomic_helper_commit_encoder_bridge_enable - enables the bridges ++ * @dev: DRM device ++ * @state: atomic state object being committed ++ * ++ * This loops over all connectors in the new state, and of the CRTC needs ++ * it, enables the entire bridge chain. 
++ */ ++void ++drm_atomic_helper_commit_encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state) + { + struct drm_connector *connector; + struct drm_connector_state *new_conn_state; +@@ -1664,6 +1739,7 @@ encoder_bridge_enable(struct drm_device + drm_bridge_put(bridge); + } + } ++EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_enable); + + /** + * drm_atomic_helper_commit_modeset_enables - modeset commit to enable outputs +@@ -1682,11 +1758,11 @@ encoder_bridge_enable(struct drm_device + void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev, + struct drm_atomic_state *state) + { +- crtc_enable(dev, state); ++ drm_atomic_helper_commit_crtc_enable(dev, state); + +- encoder_bridge_pre_enable(dev, state); ++ drm_atomic_helper_commit_encoder_bridge_pre_enable(dev, state); + +- encoder_bridge_enable(dev, state); ++ drm_atomic_helper_commit_encoder_bridge_enable(dev, state); + + drm_atomic_helper_commit_writebacks(dev, state); + } +--- a/include/drm/drm_atomic_helper.h ++++ b/include/drm/drm_atomic_helper.h +@@ -60,6 +60,12 @@ int drm_atomic_helper_check_plane_state( + int drm_atomic_helper_check_planes(struct drm_device *dev, + struct drm_atomic_state *state); + int drm_atomic_helper_check_crtc_primary_plane(struct drm_crtc_state *crtc_state); ++void drm_atomic_helper_commit_encoder_bridge_disable(struct drm_device *dev, ++ struct drm_atomic_state *state); ++void drm_atomic_helper_commit_crtc_disable(struct drm_device *dev, ++ struct drm_atomic_state *state); ++void drm_atomic_helper_commit_encoder_bridge_post_disable(struct drm_device *dev, ++ struct drm_atomic_state *state); + int drm_atomic_helper_check(struct drm_device *dev, + struct drm_atomic_state *state); + void drm_atomic_helper_commit_tail(struct drm_atomic_state *state); +@@ -89,8 +95,24 @@ drm_atomic_helper_update_legacy_modeset_ + void + drm_atomic_helper_calc_timestamping_constants(struct drm_atomic_state *state); + ++void 
drm_atomic_helper_commit_crtc_set_mode(struct drm_device *dev, ++ struct drm_atomic_state *state); ++ + void drm_atomic_helper_commit_modeset_disables(struct drm_device *dev, + struct drm_atomic_state *state); ++ ++void drm_atomic_helper_commit_writebacks(struct drm_device *dev, ++ struct drm_atomic_state *state); ++ ++void drm_atomic_helper_commit_encoder_bridge_pre_enable(struct drm_device *dev, ++ struct drm_atomic_state *state); ++ ++void drm_atomic_helper_commit_crtc_enable(struct drm_device *dev, ++ struct drm_atomic_state *state); ++ ++void drm_atomic_helper_commit_encoder_bridge_enable(struct drm_device *dev, ++ struct drm_atomic_state *state); ++ + void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev, + struct drm_atomic_state *old_state); + diff --git a/queue-6.18/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch b/queue-6.18/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch new file mode 100644 index 0000000000..a693cd8060 --- /dev/null +++ b/queue-6.18/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch 
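Review bot: The new kernel-doc blocks in drm_atomic_helper.c contain wording errors that will land in the generated API docs: `disable CRTSs` should read `disable CRTCs`, and both `drm_atomic_helper_commit_crtc_enable` and `drm_atomic_helper_commit_encoder_bridge_enable` say `and of the CRTC needs it` where `and if the CRTC needs it` is meant. `@state` is described as `the driver state object` in the disable helpers and as `atomic state object being committed` in the enable helpers; one wording throughout would be clearer. These functions were static and only called in a fixed sequence from `disable_outputs()` and `drm_atomic_helper_commit_modeset_enables()`, so now that drivers can call them individually each block should state that the caller is responsible for the ordering relative to the other helpers. The subject says "namespace" while the exports are plain `EXPORT_SYMBOL(...)`; presumably that refers to the `drm_atomic_helper_commit_` prefix rather than a symbol namespace.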
@@ -0,0 +1,37 @@ +From 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 11 Dec 2025 16:33:44 +0400 +Subject: drm/pl111: Fix error handling in pl111_amba_probe + +From: Miaoqian Lin + +commit 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 upstream. + +Jump to the existing dev_put label when devm_request_irq() fails +so drm_dev_put() and of_reserved_mem_device_release() run +instead of returning early and leaking resources. + +Found via static analysis and code review. + +Fixes: bed41005e617 ("drm/pl111: Initial drm/kms driver for pl111") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20251211123345.2392065-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/pl111/pl111_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/pl111/pl111_drv.c ++++ b/drivers/gpu/drm/pl111/pl111_drv.c +@@ -295,7 +295,7 @@ static int pl111_amba_probe(struct amba_ + variant->name, priv); + if (ret != 0) { + dev_err(dev, "%s failed irq %d\n", __func__, ret); +- return ret; ++ goto dev_put; + } + + ret = pl111_modeset_init(drm); diff --git a/queue-6.18/drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch b/queue-6.18/drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch new file mode 100644 index 0000000000..644e876bf1 --- /dev/null +++ b/queue-6.18/drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch 
@@ -0,0 +1,33 @@ +From 19158c7332468bc28572bdca428e89c7954ee1b1 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 30 Jun 2025 10:47:09 -0400 +Subject: drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[] + +From: Alex Deucher + +commit 19158c7332468bc28572bdca428e89c7954ee1b1 upstream. + +clockInfo[] is a generic uchar pointer to variable sized structures +which vary from ASIC to ASIC. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4374 +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +(cherry picked from commit dc135aa73561b5acc74eadf776e48530996529a3) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/pptable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/pptable.h ++++ b/drivers/gpu/drm/radeon/pptable.h +@@ -450,7 +450,7 @@ typedef struct _ClockInfoArray{ + //sizeof(ATOM_PPLIB_CLOCK_INFO) + UCHAR ucEntrySize; + +- UCHAR clockInfo[] __counted_by(ucNumEntries); ++ UCHAR clockInfo[] /*__counted_by(ucNumEntries)*/; + }ClockInfoArray; + + typedef struct _NonClockInfoArray{ diff --git a/queue-6.18/drm-tidss-fix-enable-disable-order.patch b/queue-6.18/drm-tidss-fix-enable-disable-order.patch new file mode 100644 index 0000000000..c6720663a9 --- /dev/null +++ b/queue-6.18/drm-tidss-fix-enable-disable-order.patch 
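Review bot: Leaving `/*__counted_by(ucNumEntries)*/` as commented-out code in `_ClockInfoArray` does not tell the next reader why the annotation is wrong, and it reads like something to be restored later. Replace it with an explanation, e.g. `UCHAR clockInfo[]; /* ucNumEntries records of ucEntrySize bytes each, so not __counted_by(ucNumEntries) */`; the per-entry size is inferred from the `ucEntrySize` field above and the commit message, so confirm the wording against the users of this table. With the annotation gone the compiler no longer bounds accesses to this array, so code that walks it has to check offsets against the table size itself; those users are outside this hunk.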
@@ -0,0 +1,77 @@ +From 2fc04340cf30d7960eed2525d26ffb8905aca02b Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Fri, 5 Dec 2025 11:51:51 +0200 +Subject: drm/tidss: Fix enable/disable order + +From: Tomi Valkeinen + +commit 2fc04340cf30d7960eed2525d26ffb8905aca02b upstream. + +TI's OLDI and DSI encoders need to be set up before the crtc is enabled, +but the DRM helpers will enable the crtc first. This causes various +issues on TI platforms, like visual artifacts or crtc sync lost +warnings. + +Thus drm_atomic_helper_commit_modeset_enables() and +drm_atomic_helper_commit_modeset_disables() cannot be used, as they +enable the crtc before bridges' pre-enable, and disable the crtc after +bridges' post-disable. + +Open code the drm_atomic_helper_commit_modeset_enables() and +drm_atomic_helper_commit_modeset_disables(), and first call the bridges' +pre-enables, then crtc enable, then bridges' post-enable (and vice versa +for disable). + +Signed-off-by: Tomi Valkeinen +Cc: stable@vger.kernel.org # v6.17+ +Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable") +Reviewed-by: Aradhya Bhatia +Reviewed-by: Maxime Ripard +Reviewed-by: Linus Walleij +Tested-by: Linus Walleij +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-4-fda68fa1b3de@ideasonboard.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/tidss/tidss_kms.c | 30 +++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/tidss/tidss_kms.c ++++ b/drivers/gpu/drm/tidss/tidss_kms.c +@@ -28,9 +28,33 @@ static void tidss_atomic_commit_tail(str + + tidss_runtime_get(tidss); + +- drm_atomic_helper_commit_modeset_disables(ddev, old_state); +- drm_atomic_helper_commit_planes(ddev, old_state, DRM_PLANE_COMMIT_ACTIVE_ONLY); +- drm_atomic_helper_commit_modeset_enables(ddev, old_state); ++ /* ++ * TI's OLDI and DSI encoders need to be set up before the crtc is ++ * enabled. 
Thus drm_atomic_helper_commit_modeset_enables() and ++ * drm_atomic_helper_commit_modeset_disables() cannot be used here, as ++ * they enable the crtc before bridges' pre-enable, and disable the crtc ++ * after bridges' post-disable. ++ * ++ * Open code the functions here and first call the bridges' pre-enables, ++ * then crtc enable, then bridges' post-enable (and vice versa for ++ * disable). ++ */ ++ ++ drm_atomic_helper_commit_encoder_bridge_disable(ddev, old_state); ++ drm_atomic_helper_commit_crtc_disable(ddev, old_state); ++ drm_atomic_helper_commit_encoder_bridge_post_disable(ddev, old_state); ++ ++ drm_atomic_helper_update_legacy_modeset_state(ddev, old_state); ++ drm_atomic_helper_calc_timestamping_constants(old_state); ++ drm_atomic_helper_commit_crtc_set_mode(ddev, old_state); ++ ++ drm_atomic_helper_commit_planes(ddev, old_state, ++ DRM_PLANE_COMMIT_ACTIVE_ONLY); ++ ++ drm_atomic_helper_commit_encoder_bridge_pre_enable(ddev, old_state); ++ drm_atomic_helper_commit_crtc_enable(ddev, old_state); ++ drm_atomic_helper_commit_encoder_bridge_enable(ddev, old_state); ++ drm_atomic_helper_commit_writebacks(ddev, old_state); + + drm_atomic_helper_commit_hw_done(old_state); + drm_atomic_helper_wait_for_flip_done(ddev, old_state); diff --git a/queue-6.18/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch b/queue-6.18/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch new file mode 100644 index 0000000000..0fea7bd17b --- /dev/null +++ b/queue-6.18/gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch 
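Review bot: The block comment in `tidss_atomic_commit_tail()` says "then bridges' post-enable", but the call made after `drm_atomic_helper_commit_crtc_enable()` is `drm_atomic_helper_commit_encoder_bridge_enable()`; the comment should read `then bridges' enable`. The sequence also copies `drm_atomic_helper_update_legacy_modeset_state()`, `drm_atomic_helper_calc_timestamping_constants()` and the writeback call out of the generic helpers, so a later change to `drm_atomic_helper_commit_modeset_disables()` or `drm_atomic_helper_commit_modeset_enables()` will not reach this driver. A closing sentence in the comment such as `Keep in sync with drm_atomic_helper_commit_modeset_{disables,enables}().` would flag that. The function starts before and continues after the hunk.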
@@ -0,0 +1,98 @@ +From 20cf2aed89ac6d78a0122e31c875228e15247194 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Tue, 6 Jan 2026 10:00:11 +0100 +Subject: gpio: rockchip: mark the GPIO controller as sleeping + +From: Bartosz Golaszewski + +commit 20cf2aed89ac6d78a0122e31c875228e15247194 upstream. + +The GPIO controller is configured as non-sleeping but it uses generic +pinctrl helpers which use a mutex for synchronization. + +This can cause the following lockdep splat with shared GPIOs enabled on +boards which have multiple devices using the same GPIO: + +BUG: sleeping function called from invalid context at +kernel/locking/mutex.c:591 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 12, name: +kworker/u16:0 +preempt_count: 1, expected: 0 +RCU nest depth: 0, expected: 0 +6 locks held by kworker/u16:0/12: + #0: ffff0001f0018d48 ((wq_completion)events_unbound#2){+.+.}-{0:0}, +at: process_one_work+0x18c/0x604 + #1: ffff8000842dbdf0 (deferred_probe_work){+.+.}-{0:0}, at: +process_one_work+0x1b4/0x604 + #2: ffff0001f18498f8 (&dev->mutex){....}-{4:4}, at: +__device_attach+0x38/0x1b0 + #3: ffff0001f75f1e90 (&gdev->srcu){.+.?}-{0:0}, at: +gpiod_direction_output_raw_commit+0x0/0x360 + #4: ffff0001f46e3db8 (&shared_desc->spinlock){....}-{3:3}, at: +gpio_shared_proxy_direction_output+0xd0/0x144 [gpio_shared_proxy] + #5: ffff0001f180ee90 (&gdev->srcu){.+.?}-{0:0}, at: +gpiod_direction_output_raw_commit+0x0/0x360 +irq event stamp: 81450 +hardirqs last enabled at (81449): [] +_raw_spin_unlock_irqrestore+0x74/0x78 +hardirqs last disabled at (81450): [] +_raw_spin_lock_irqsave+0x84/0x88 +softirqs last enabled at (79616): [] +__alloc_skb+0x17c/0x1e8 +softirqs last disabled at (79614): [] +__alloc_skb+0x17c/0x1e8 +CPU: 2 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted +6.19.0-rc4-next-20260105+ #11975 PREEMPT +Hardware name: Hardkernel ODROID-M1 (DT) +Workqueue: events_unbound deferred_probe_work_func +Call trace: + show_stack+0x18/0x24 (C) + dump_stack_lvl+0x90/0xd0 
+ dump_stack+0x18/0x24 + __might_resched+0x144/0x248 + __might_sleep+0x48/0x98 + __mutex_lock+0x5c/0x894 + mutex_lock_nested+0x24/0x30 + pinctrl_get_device_gpio_range+0x44/0x128 + pinctrl_gpio_direction+0x3c/0xe0 + pinctrl_gpio_direction_output+0x14/0x20 + rockchip_gpio_direction_output+0xb8/0x19c + gpiochip_direction_output+0x38/0x94 + gpiod_direction_output_raw_commit+0x1d8/0x360 + gpiod_direction_output_nonotify+0x7c/0x230 + gpiod_direction_output+0x34/0xf8 + gpio_shared_proxy_direction_output+0xec/0x144 [gpio_shared_proxy] + gpiochip_direction_output+0x38/0x94 + gpiod_direction_output_raw_commit+0x1d8/0x360 + gpiod_direction_output_nonotify+0x7c/0x230 + gpiod_configure_flags+0xbc/0x480 + gpiod_find_and_request+0x1a0/0x574 + gpiod_get_index+0x58/0x84 + devm_gpiod_get_index+0x20/0xb4 + devm_gpiod_get_optional+0x18/0x30 + rockchip_pcie_probe+0x98/0x380 + platform_probe+0x5c/0xac + really_probe+0xbc/0x298 + +Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio") +Cc: stable@vger.kernel.org +Reported-by: Marek Szyprowski +Closes: https://lore.kernel.org/all/d035fc29-3b03-4cd6-b8ec-001f93540bc6@samsung.com/ +Acked-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20260106090011.21603-1-bartosz.golaszewski@oss.qualcomm.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-rockchip.c ++++ b/drivers/gpio/gpio-rockchip.c +@@ -593,6 +593,7 @@ static int rockchip_gpiolib_register(str + gc->ngpio = bank->nr_pins; + gc->label = bank->name; + gc->parent = bank->dev; ++ gc->can_sleep = true; + + ret = gpiochip_add_data(gc, bank); + if (ret) { diff --git a/queue-6.18/io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch b/queue-6.18/io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch new file mode 100644 index 0000000000..680c6c18e0 --- /dev/null 
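Review bot: `gc->can_sleep = true;` in `rockchip_gpiolib_register()` is set without a comment, and the reason is not visible from the neighbouring assignments. Suggest `/* direction changes go through pinctrl_gpio_direction_*(), which takes a mutex */` on the line above. Marking the whole chip as sleeping also means consumers that use the non-`_cansleep` value accessors on these banks will now hit gpiolib's warning; whether any user toggles these lines from atomic context cannot be seen from this hunk and is worth checking before the backport lands.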
+++ b/queue-6.18/io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch @@ -0,0 +1,43 @@ +From e0392a10c9e80a3991855a81317da3039fcbe32c Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 5 Jan 2026 07:42:48 -0700 +Subject: io_uring/io-wq: fix incorrect io_wq_for_each_worker() termination logic + +From: Jens Axboe + +commit e0392a10c9e80a3991855a81317da3039fcbe32c upstream. + +A previous commit added this helper, and had it terminate if false is +returned from the handler. However, that is completely opposite, it +should abort the loop if true is returned. + +Fix this up by having io_wq_for_each_worker() keep iterating as long +as false is returned, and only abort if true is returned. + +Cc: stable@vger.kernel.org +Fixes: 751eedc4b4b7 ("io_uring/io-wq: move worker lists to struct io_wq_acct") +Reported-by: Lewis Campbell +Reviewed-by: Gabriel Krisman Bertazi +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io-wq.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -951,11 +951,11 @@ static bool io_wq_for_each_worker(struct + void *data) + { + for (int i = 0; i < IO_WQ_ACCT_NR; i++) { +- if (!io_acct_for_each_worker(&wq->acct[i], func, data)) +- return false; ++ if (io_acct_for_each_worker(&wq->acct[i], func, data)) ++ return true; + } + +- return true; ++ return false; + } + + static bool io_wq_worker_wake(struct io_worker *worker, void *data) diff --git a/queue-6.18/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch b/queue-6.18/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch new file mode 100644 index 0000000000..8696a5f45b --- /dev/null +++ b/queue-6.18/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch 
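Review bot: `io_wq_for_each_worker()` still has no comment stating its return contract, which is exactly what the earlier code got backwards. A short header would pin it down: `/* Iterate all workers; stop and return true as soon as func returns true, otherwise return false. */`. `io_acct_for_each_worker()` is defined outside the hunk, so its convention is assumed to match, and the signature of `io_wq_for_each_worker()` itself begins before the hunk.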
@@ -0,0 +1,46 @@ +From 74d74bb78aeccc9edc10db216d6be121cf7ec176 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 6 Jan 2026 21:20:23 -0800 +Subject: lib/crypto: aes: Fix missing MMU protection for AES S-box + +From: Eric Biggers + +commit 74d74bb78aeccc9edc10db216d6be121cf7ec176 upstream. + +__cacheline_aligned puts the data in the ".data..cacheline_aligned" +section, which isn't marked read-only i.e. it doesn't receive MMU +protection. Replace it with ____cacheline_aligned which does the right +thing and just aligns the data while keeping it in ".rodata". + +Fixes: b5e0b032b6c3 ("crypto: aes - add generic time invariant AES cipher") +Cc: stable@vger.kernel.org +Reported-by: Qingfang Deng +Closes: https://lore.kernel.org/r/20260105074712.498-1-dqfext@gmail.com/ +Acked-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20260107052023.174620-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + lib/crypto/aes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/lib/crypto/aes.c ++++ b/lib/crypto/aes.c +@@ -13,7 +13,7 @@ + * Emit the sbox as volatile const to prevent the compiler from doing + * constant folding on sbox references involving fixed indexes. + */ +-static volatile const u8 __cacheline_aligned aes_sbox[] = { ++static volatile const u8 ____cacheline_aligned aes_sbox[] = { + 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, + 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, + 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, +@@ -48,7 +48,7 @@ static volatile const u8 __cacheline_ali + 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16, + }; + +-static volatile const u8 __cacheline_aligned aes_inv_sbox[] = { ++static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = { + 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, + 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, + 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 
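Review bot: `__cacheline_aligned` and `____cacheline_aligned` differ only by two underscores, and nothing at the `aes_sbox[]` declaration says that this choice decides whether the table is write-protected. Extend the existing comment above `aes_sbox` with something like `Use ____cacheline_aligned (four underscores): __cacheline_aligned would place the table in the writable .data..cacheline_aligned section.` That keeps a later cleanup from silently reintroducing writable S-boxes. The same applies to the second hunk at `aes_inv_sbox[]`.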
diff --git a/queue-6.18/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch b/queue-6.18/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch new file mode 100644 index 0000000000..075ad343e6 --- /dev/null +++ b/queue-6.18/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch 
@@ -0,0 +1,74 @@ +From c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 5 Jan 2026 19:23:19 +0100 +Subject: libceph: make calc_target() set t->paused, not just clear it + +From: Ilya Dryomov + +commit c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 upstream. + +Currently calc_target() clears t->paused if the request shouldn't be +paused anymore, but doesn't ever set t->paused even though it's able to +determine when the request should be paused. Setting t->paused is left +to __submit_request() which is fine for regular requests but doesn't +work for linger requests -- since __submit_request() doesn't operate +on linger requests, there is nowhere for lreq->t.paused to be set. +One consequence of this is that watches don't get reestablished on +paused -> unpaused transitions in cases where requests have been paused +long enough for the (paused) unwatch request to time out and for the +subsequent (re)watch request to enter the paused state. On top of the +watch not getting reestablished, rbd_reregister_watch() gets stuck with +rbd_dev->watch_mutex held: + + rbd_register_watch + __rbd_register_watch + ceph_osdc_watch + linger_reg_commit_wait + +It's waiting for lreq->reg_commit_wait to be completed, but for that to +happen the respective request needs to end up on need_resend_linger list +and be kicked when requests are unpaused. There is no chance for that +if the request in question is never marked paused in the first place. + +The fact that rbd_dev->watch_mutex remains taken out forever then +prevents the image from getting unmapped -- "rbd unmap" would inevitably +hang in D state on an attempt to grab the mutex. 
+ +Cc: stable@vger.kernel.org +Reported-by: Raphael Zimmer +Signed-off-by: Ilya Dryomov +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osd_client.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -1588,6 +1588,7 @@ static enum calc_target_result calc_targ + struct ceph_pg_pool_info *pi; + struct ceph_pg pgid, last_pgid; + struct ceph_osds up, acting; ++ bool should_be_paused; + bool is_read = t->flags & CEPH_OSD_FLAG_READ; + bool is_write = t->flags & CEPH_OSD_FLAG_WRITE; + bool force_resend = false; +@@ -1656,10 +1657,16 @@ static enum calc_target_result calc_targ + &last_pgid)) + force_resend = true; + +- if (t->paused && !target_should_be_paused(osdc, t, pi)) { +- t->paused = false; ++ should_be_paused = target_should_be_paused(osdc, t, pi); ++ if (t->paused && !should_be_paused) { + unpaused = true; + } ++ if (t->paused != should_be_paused) { ++ dout("%s t %p paused %d -> %d\n", __func__, t, t->paused, ++ should_be_paused); ++ t->paused = should_be_paused; ++ } ++ + legacy_change = ceph_pg_compare(&t->pgid, &pgid) || + ceph_osds_changed(&t->acting, &acting, + t->used_replica || any_change); diff --git a/queue-6.18/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch b/queue-6.18/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch new file mode 100644 index 0000000000..6e738ab76f --- /dev/null +++ b/queue-6.18/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch 
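Review bot: The pause handling in `calc_target()` is now split over two `if` statements, and the first keeps braces around a single statement, `if (t->paused && !should_be_paused) { unpaused = true; }`; kernel style drops them. A comment above the new assignment would say why it lives here, e.g. `/* linger requests never pass through __submit_request(), so paused must be set here as well */`. `__submit_request()` is outside the hunk; per the commit message it also sets `t->paused`, so it is worth confirming that the two sites cannot disagree for regular requests.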
@@ -0,0 +1,69 @@ +From e3fe30e57649c551757a02e1cad073c47e1e075e Mon Sep 17 00:00:00 2001 +From: Tuo Li +Date: Sun, 21 Dec 2025 02:11:49 +0800 +Subject: libceph: make free_choose_arg_map() resilient to partial allocation + +From: Tuo Li + +commit e3fe30e57649c551757a02e1cad073c47e1e075e upstream. + +free_choose_arg_map() may dereference a NULL pointer if its caller fails +after a partial allocation. + +For example, in decode_choose_args(), if allocation of arg_map->args +fails, execution jumps to the fail label and free_choose_arg_map() is +called. Since arg_map->size is updated to a non-zero value before memory +allocation, free_choose_arg_map() will iterate over arg_map->args and +dereference a NULL pointer. + +To prevent this potential NULL pointer dereference and make +free_choose_arg_map() more resilient, add checks for pointers before +iterating. + +Cc: stable@vger.kernel.org +Co-authored-by: Ilya Dryomov +Signed-off-by: Tuo Li +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osdmap.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -241,22 +241,26 @@ static struct crush_choose_arg_map *allo + + static void free_choose_arg_map(struct crush_choose_arg_map *arg_map) + { +- if (arg_map) { +- int i, j; ++ int i, j; + +- WARN_ON(!RB_EMPTY_NODE(&arg_map->node)); ++ if (!arg_map) ++ return; + ++ WARN_ON(!RB_EMPTY_NODE(&arg_map->node)); ++ ++ if (arg_map->args) { + for (i = 0; i < arg_map->size; i++) { + struct crush_choose_arg *arg = &arg_map->args[i]; +- +- for (j = 0; j < arg->weight_set_size; j++) +- kfree(arg->weight_set[j].weights); +- kfree(arg->weight_set); ++ if (arg->weight_set) { ++ for (j = 0; j < arg->weight_set_size; j++) ++ kfree(arg->weight_set[j].weights); ++ kfree(arg->weight_set); ++ } + kfree(arg->ids); + } + kfree(arg_map->args); +- kfree(arg_map); + } ++ kfree(arg_map); + } + + 
DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_index, diff --git a/queue-6.18/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch b/queue-6.18/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch new file mode 100644 index 0000000000..4a12e2112b --- /dev/null +++ b/queue-6.18/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch @@ -0,0 +1,35 @@ +From 818156caffbf55cb4d368f9c3cac64e458fb49c9 Mon Sep 17 00:00:00 2001 +From: ziming zhang +Date: Thu, 11 Dec 2025 16:52:58 +0800 +Subject: libceph: prevent potential out-of-bounds reads in handle_auth_done() + +From: ziming zhang + +commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream. + +Perform an explicit bounds check on payload_len to avoid a possible +out-of-bounds access in the callout. + +[ idryomov: changelog ] + +Cc: stable@vger.kernel.org +Signed-off-by: ziming zhang +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/messenger_v2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ceph/messenger_v2.c ++++ b/net/ceph/messenger_v2.c +@@ -2377,7 +2377,9 @@ static int process_auth_done(struct ceph + + ceph_decode_64_safe(&p, end, global_id, bad); + ceph_decode_32_safe(&p, end, con->v2.con_mode, bad); ++ + ceph_decode_32_safe(&p, end, payload_len, bad); ++ ceph_decode_need(&p, end, payload_len, bad); + + dout("%s con %p global_id %llu con_mode %d payload_len %d\n", + __func__, con, global_id, con->v2.con_mode, payload_len); diff --git a/queue-6.18/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch b/queue-6.18/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch new file mode 100644 index 0000000000..d7755745cc --- /dev/null +++ b/queue-6.18/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch 
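Review bot: The inner loop `for (j = 0; j < arg->weight_set_size; j++) kfree(arg->weight_set[j].weights);` in free_choose_arg_map() still trusts every slot up to weight_set_size once `arg->weight_set` is non-NULL, so the new guards only cover a failed allocation of the arrays themselves. If decoding can fail after weight_set is allocated but before all of its `weights` pointers are filled, unfilled slots would be handed to kfree(); the allocator is outside this hunk, so whether the array is zeroed cannot be seen here. A comment such as `/* args and weight_set must come from zeroing allocators: unfilled slots are freed as NULL */` would record the invariant. The blank line after the `struct crush_choose_arg *arg` declaration was also dropped, which checkpatch reports.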
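Review bot: The added `ceph_decode_need(&p, end, payload_len, bad);` in process_auth_done() has no comment tying it to the callout it protects. I would add `/* payload must lie entirely within the frame before it is handed to the auth callout */` above the check. The dout() that follows prints payload_len with `%d`, which suggests a signed type whose declaration is outside the hunk, so it is worth confirming that a wire length above INT_MAX is rejected by the check rather than wrapped. The function body starts and ends outside the hunk.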
@@ -0,0 +1,38 @@
+From e00c3f71b5cf75681dbd74ee3f982a99cb690c2b Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Mon, 15 Dec 2025 11:53:31 +0100
+Subject: libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
+
+From: Ilya Dryomov
+
+commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream.
+
+If the osdmap is (maliciously) corrupted such that the incremental
+osdmap epoch is different from what is expected, there is no need to
+BUG. Instead, just declare the incremental osdmap to be invalid.
+
+Cc: stable@vger.kernel.org
+Reported-by: ziming zhang
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/osdmap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1979,11 +1979,13 @@ struct ceph_osdmap *osdmap_apply_increme
+ sizeof(u64) + sizeof(u32), e_inval);
+ ceph_decode_copy(p, &fsid, sizeof(fsid));
+ epoch = ceph_decode_32(p);
+- BUG_ON(epoch != map->epoch+1);
+ ceph_decode_copy(p, &modified, sizeof(modified));
+ new_pool_max = ceph_decode_64(p);
+ new_flags = ceph_decode_32(p);
+
++ if (epoch != map->epoch + 1)
++ goto e_inval;
++
+ /* full map? */
+ ceph_decode_32_safe(p, end, len, e_inval);
+ if (len > 0) {
diff --git a/queue-6.18/libceph-reset-sparse-read-state-in-osd_fault.patch b/queue-6.18/libceph-reset-sparse-read-state-in-osd_fault.patch
new file mode 100644
index 0000000000..e52419a518
--- /dev/null
+++ b/queue-6.18/libceph-reset-sparse-read-state-in-osd_fault.patch
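Review bot: The new `if (epoch != map->epoch + 1) goto e_inval;` rejects an out-of-sequence incremental without recording which epochs were involved, so at this site a malformed map cannot be told apart from a truncated one. Whether the e_inval path already logs the epoch is not visible in the hunk; if it does not, something like `pr_warn("inc osdmap epoch %u, expected %u\n", epoch, map->epoch + 1);` before the goto would help triage. A short comment, `/* untrusted input: an unexpected epoch is invalid data, not a kernel bug */`, would also keep the BUG_ON from being reintroduced. osdmap_apply_incremental() starts and ends outside the hunk.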
@@ -0,0 +1,51 @@ +From 11194b416ef95012c2cfe5f546d71af07b639e93 Mon Sep 17 00:00:00 2001 +From: Sam Edwards +Date: Tue, 30 Dec 2025 20:05:06 -0800 +Subject: libceph: reset sparse-read state in osd_fault() + +From: Sam Edwards + +commit 11194b416ef95012c2cfe5f546d71af07b639e93 upstream. + +When a fault occurs, the connection is abandoned, reestablished, and any +pending operations are retried. The OSD client tracks the progress of a +sparse-read reply using a separate state machine, largely independent of +the messenger's state. + +If a connection is lost mid-payload or the sparse-read state machine +returns an error, the sparse-read state is not reset. The OSD client +will then interpret the beginning of a new reply as the continuation of +the old one. If this makes the sparse-read machinery enter a failure +state, it may never recover, producing loops like: + + libceph: [0] got 0 extents + libceph: data len 142248331 != extent len 0 + libceph: osd0 (1)...:6801 socket error on read + libceph: data len 142248331 != extent len 0 + libceph: osd0 (1)...:6801 socket error on read + +Therefore, reset the sparse-read state in osd_fault(), ensuring retries +start from a clean state. + +Cc: stable@vger.kernel.org +Fixes: f628d7999727 ("libceph: add sparse read support to OSD client") +Signed-off-by: Sam Edwards +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osd_client.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -4283,6 +4283,9 @@ static void osd_fault(struct ceph_connec + goto out_unlock; + } + ++ osd->o_sparse_op_idx = -1; ++ ceph_init_sparse_read(&osd->o_sparse_read); ++ + if (!reopen_osd(osd)) + kick_osd_requests(osd); + maybe_request_map(osdc); 
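Review bot: The two lines added to osd_fault(), `osd->o_sparse_op_idx = -1;` and `ceph_init_sparse_read(&osd->o_sparse_read);`, have no comment, and the reason for them is only in the commit message. I would add `/* drop partial sparse-read progress so the retried reply is parsed from the start */` above them. They sit after an early `goto out_unlock` whose condition is outside the hunk, so it is worth confirming that an OSD leaving through that path cannot later receive a reply with stale state. If the same pair of statements initialises the state elsewhere in the file, a small helper would keep the sites in step.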
diff --git a/queue-6.18/libceph-return-the-handler-error-from-mon_handle_auth_done.patch b/queue-6.18/libceph-return-the-handler-error-from-mon_handle_auth_done.patch
new file mode 100644
index 0000000000..5f9127691c
--- /dev/null
+++ b/queue-6.18/libceph-return-the-handler-error-from-mon_handle_auth_done.patch
@@ -0,0 +1,38 @@
+From e84b48d31b5008932c0a0902982809fbaa1d3b70 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Mon, 29 Dec 2025 15:14:48 +0100
+Subject: libceph: return the handler error from mon_handle_auth_done()
+
+From: Ilya Dryomov
+
+commit e84b48d31b5008932c0a0902982809fbaa1d3b70 upstream.
+
+Currently any error from ceph_auth_handle_reply_done() is propagated
+via finish_auth() but isn't returned from mon_handle_auth_done(). This
+results in higher layers learning that (despite the monitor considering
+us to be successfully authenticated) something went wrong in the
+authentication phase and reacting accordingly, but msgr2 still trying
+to proceed with establishing the session in the background. In the
+case of secure mode this can trigger a WARN in setup_crypto() and later
+lead to a NULL pointer dereference inside of prepare_auth_signature().
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Viacheslav Dubeyko
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/mon_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -1417,7 +1417,7 @@ static int mon_handle_auth_done(struct c
+ if (!ret)
+ finish_hunting(monc);
+ mutex_unlock(&monc->mutex);
+- return 0;
++ return ret;
+ }
+
+ static int mon_handle_auth_bad_method(struct ceph_connection *con,
diff --git a/queue-6.18/mei-me-add-nova-lake-point-s-did.patch b/queue-6.18/mei-me-add-nova-lake-point-s-did.patch
new file mode 100644
index 0000000000..c068b648d7
--- /dev/null
+++ b/queue-6.18/mei-me-add-nova-lake-point-s-did.patch
@@ -0,0 +1,44 @@
+From 420f423defcf6d0af2263d38da870ca4a20c0990 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin
+Date: Mon, 15 Dec 2025 12:59:15 +0200
+Subject: mei: me: add nova lake point S DID
+
+From: Alexander Usyskin
+
+commit 420f423defcf6d0af2263d38da870ca4a20c0990 upstream.
+
+Add Nova Lake S device id.
+
+Cc: stable
+Co-developed-by: Tomas Winkler
+Signed-off-by: Tomas Winkler
+Signed-off-by: Alexander Usyskin
+Link: https://patch.msgid.link/20251215105915.1672659-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -122,6 +122,8 @@
+
+ #define MEI_DEV_ID_WCL_P 0x4D70 /* Wildcat Lake P */
+
++#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake Point S */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -129,6 +129,8 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
diff --git a/queue-6.18/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch b/queue-6.18/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
new file mode 100644
index 0000000000..aad554010f
--- /dev/null
+++ b/queue-6.18/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
@@ -0,0 +1,33 @@
+From a4e305ed60f7c41bbf9aabc16dd75267194e0de3 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Tue, 6 Jan 2026 10:47:21 +0100
+Subject: net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
+
+From: Thomas Fourier
+
+commit a4e305ed60f7c41bbf9aabc16dd75267194e0de3 upstream.
+
+pdev can be null and free_ring: can be called in 1297 with a null
+pdev.
+
+Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API")
+Cc:
+Signed-off-by: Thomas Fourier
+Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/3com/3c59x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/3com/3c59x.c
++++ b/drivers/net/ethernet/3com/3c59x.c
+@@ -1473,7 +1473,7 @@ static int vortex_probe1(struct device *
+ return 0;
+
+ free_ring:
+- dma_free_coherent(&pdev->dev,
++ dma_free_coherent(gendev,
+ sizeof(struct boom_rx_desc) * RX_RING_SIZE +
+ sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+ vp->rx_ring, vp->rx_ring_dma);
diff --git a/queue-6.18/net-do-not-write-to-msg_get_inq-in-callee.patch b/queue-6.18/net-do-not-write-to-msg_get_inq-in-callee.patch
new file mode 100644
index 0000000000..d3564f2bdb
--- /dev/null
+++ b/queue-6.18/net-do-not-write-to-msg_get_inq-in-callee.patch
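Review bot: After this change the `free_ring:` path frees with `gendev`, while the matching dma_alloc_coherent() call is outside the hunk, and the DMA API expects the same device for allocation and free. Please confirm that the allocation also passes `gendev`; if it still uses `&pdev->dev`, it has the same NULL-pdev problem the commit message describes. A one-line comment above the call, `/* pdev may be NULL here (see commit message); use gendev */`, would explain why the error path avoids pdev. vortex_probe1() begins outside the hunk.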
@@ -0,0 +1,110 @@ +From 7d11e047eda5f98514ae62507065ac961981c025 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Tue, 6 Jan 2026 10:05:46 -0500 +Subject: net: do not write to msg_get_inq in callee + +From: Willem de Bruijn + +commit 7d11e047eda5f98514ae62507065ac961981c025 upstream. + +NULL pointer dereference fix. + +msg_get_inq is an input field from caller to callee. Don't set it in +the callee, as the caller may not clear it on struct reuse. + +This is a kernel-internal variant of msghdr only, and the only user +does reinitialize the field. So this is not critical for that reason. +But it is more robust to avoid the write, and slightly simpler code. +And it fixes a bug, see below. + +Callers set msg_get_inq to request the input queue length to be +returned in msg_inq. This is equivalent to but independent from the +SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq). +To reduce branching in the hot path the second also sets the msg_inq. +That is WAI. + +This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for +SO_INQ unless explicitly asked for"), which fixed the inverse. + +Also avoid NULL pointer dereference in unix_stream_read_generic if +state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg +can happen when splicing as of commit 2b514574f7e8 ("net: af_unix: +implement splice for stream af_unix sockets"). + +Also collapse two branches using a bitwise or. 
+ +Cc: stable@vger.kernel.org +Fixes: 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for") +Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.24d8030f7a3de@gmail.com/ +Signed-off-by: Willem de Bruijn +Reviewed-by: Jens Axboe +Reviewed-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260106150626.3944363-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 8 +++----- + net/unix/af_unix.c | 8 +++----- + 2 files changed, 6 insertions(+), 10 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2651,10 +2651,8 @@ static int tcp_recvmsg_locked(struct soc + if (sk->sk_state == TCP_LISTEN) + goto out; + +- if (tp->recvmsg_inq) { ++ if (tp->recvmsg_inq) + *cmsg_flags = TCP_CMSG_INQ; +- msg->msg_get_inq = 1; +- } + timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + + /* Urgent data needs to be handled specially. */ +@@ -2928,10 +2926,10 @@ int tcp_recvmsg(struct sock *sk, struct + ret = tcp_recvmsg_locked(sk, msg, len, flags, &tss, &cmsg_flags); + release_sock(sk); + +- if ((cmsg_flags || msg->msg_get_inq) && ret >= 0) { ++ if ((cmsg_flags | msg->msg_get_inq) && ret >= 0) { + if (cmsg_flags & TCP_CMSG_TS) + tcp_recv_timestamp(msg, sk, &tss); +- if (msg->msg_get_inq) { ++ if ((cmsg_flags & TCP_CMSG_INQ) | msg->msg_get_inq) { + msg->msg_inq = tcp_inq_hint(sk); + if (cmsg_flags & TCP_CMSG_INQ) + put_cmsg(msg, SOL_TCP, TCP_CM_INQ, +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2929,7 +2929,6 @@ static int unix_stream_read_generic(stru + unsigned int last_len; + struct unix_sock *u; + int copied = 0; +- bool do_cmsg; + int err = 0; + long timeo; + int target; +@@ -2955,9 +2954,6 @@ static int unix_stream_read_generic(stru + + u = unix_sk(sk); + +- do_cmsg = READ_ONCE(u->recvmsg_inq); +- if (do_cmsg) +- msg->msg_get_inq = 1; + redo: + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg +@@ 
-3115,9 +3111,11 @@ unlock: + + mutex_unlock(&u->iolock); + if (msg) { ++ bool do_cmsg = READ_ONCE(u->recvmsg_inq); ++ + scm_recv_unix(sock, msg, &scm, flags); + +- if (msg->msg_get_inq && (copied ?: err) >= 0) { ++ if ((do_cmsg | msg->msg_get_inq) && (copied ?: err) >= 0) { + msg->msg_inq = READ_ONCE(u->inq_len); + if (do_cmsg) + put_cmsg(msg, SOL_SOCKET, SCM_INQ, diff --git a/queue-6.18/nfsd-check-that-server-is-running-in-unlock_filesystem.patch b/queue-6.18/nfsd-check-that-server-is-running-in-unlock_filesystem.patch new file mode 100644 index 0000000000..afc6b0dbe9 --- /dev/null +++ b/queue-6.18/nfsd-check-that-server-is-running-in-unlock_filesystem.patch 
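Review bot: The bitwise `|` in `if ((cmsg_flags | msg->msg_get_inq) && ret >= 0)` and `if ((cmsg_flags & TCP_CMSG_INQ) | msg->msg_get_inq)` in tcp_recvmsg(), and in `(do_cmsg | msg->msg_get_inq)` in unix_stream_read_generic(), reads like a typo for `||`; only the commit message says it is deliberate. I would add `/* bitwise | on purpose: one test instead of two branches */` at each site so that a later cleanup or a static checker does not change it. Both functions extend beyond their hunks.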
@@ -0,0 +1,106 @@ +From d0424066fcd294977f310964bed6f2a487fa4515 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Mon, 15 Dec 2025 14:10:36 -0500 +Subject: nfsd: check that server is running in unlock_filesystem + +From: Olga Kornievskaia + +commit d0424066fcd294977f310964bed6f2a487fa4515 upstream. + +If we are trying to unlock the filesystem via an administrative +interface and nfsd isn't running, it crashes the server. This +happens currently because nfsd4_revoke_states() access state +structures (eg., conf_id_hashtbl) that has been freed as a part +of the server shutdown. + +[ 59.465072] Call trace: +[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P) +[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd] +[ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd] +[ 59.466780] vfs_write+0x1f0/0x938 +[ 59.467088] ksys_write+0xfc/0x1f8 +[ 59.467395] __arm64_sys_write+0x74/0xb8 +[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8 +[ 59.468177] do_el0_svc+0x154/0x1d8 +[ 59.468489] el0_svc+0x40/0xe0 +[ 59.468767] el0t_64_sync_handler+0xa0/0xe8 +[ 59.469138] el0t_64_sync+0x1ac/0x1b0 + +Ensure this can't happen by taking the nfsd_mutex and checking that +the server is still up, and then holding the mutex across the call to +nfsd4_revoke_states(). 
+ +Reviewed-by: NeilBrown +Reviewed-by: Jeff Layton +Fixes: 1ac3629bf0125 ("nfsd: prepare for supporting admin-revocation of state") +Cc: stable@vger.kernel.org +Signed-off-by: Olga Kornievskaia +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 5 ++--- + fs/nfsd/nfsctl.c | 9 ++++++++- + fs/nfsd/state.h | 4 ++-- + 3 files changed, 12 insertions(+), 6 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1759,7 +1759,7 @@ static struct nfs4_stid *find_one_sb_sti + + /** + * nfsd4_revoke_states - revoke all nfsv4 states associated with given filesystem +- * @net: used to identify instance of nfsd (there is one per net namespace) ++ * @nn: used to identify instance of nfsd (there is one per net namespace) + * @sb: super_block used to identify target filesystem + * + * All nfs4 states (open, lock, delegation, layout) held by the server instance +@@ -1771,9 +1771,8 @@ static struct nfs4_stid *find_one_sb_sti + * The clients which own the states will subsequently being notified that the + * states have been "admin-revoked". + */ +-void nfsd4_revoke_states(struct net *net, struct super_block *sb) ++void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb) + { +- struct nfsd_net *nn = net_generic(net, nfsd_net_id); + unsigned int idhashval; + unsigned int sc_types; + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -259,6 +259,7 @@ static ssize_t write_unlock_fs(struct fi + struct path path; + char *fo_path; + int error; ++ struct nfsd_net *nn; + + /* sanity check */ + if (size == 0) +@@ -285,7 +286,13 @@ static ssize_t write_unlock_fs(struct fi + * 3. Is that directory the root of an exported file system? 
+ */ + error = nlmsvc_unlock_all_by_sb(path.dentry->d_sb); +- nfsd4_revoke_states(netns(file), path.dentry->d_sb); ++ mutex_lock(&nfsd_mutex); ++ nn = net_generic(netns(file), nfsd_net_id); ++ if (nn->nfsd_serv) ++ nfsd4_revoke_states(nn, path.dentry->d_sb); ++ else ++ error = -EINVAL; ++ mutex_unlock(&nfsd_mutex); + + path_put(&path); + return error; +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -841,9 +841,9 @@ static inline void get_nfs4_file(struct + struct nfsd_file *find_any_file(struct nfs4_file *f); + + #ifdef CONFIG_NFSD_V4 +-void nfsd4_revoke_states(struct net *net, struct super_block *sb); ++void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb); + #else +-static inline void nfsd4_revoke_states(struct net *net, struct super_block *sb) ++static inline void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb) + { + } + #endif diff --git a/queue-6.18/nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch b/queue-6.18/nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch new file mode 100644 index 0000000000..a749a20ac5 --- /dev/null +++ b/queue-6.18/nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch 
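Review bot: nfsd4_revoke_states() now depends on its caller holding nfsd_mutex with the server running, but neither the updated kernel-doc nor the function body states or checks that. I would add `lockdep_assert_held(&nfsd_mutex);` as its first statement and a kernel-doc line `Context: caller must hold nfsd_mutex and have checked nn->nfsd_serv.`. In write_unlock_fs() the `else error = -EINVAL;` branch also overwrites whatever nlmsvc_unlock_all_by_sb() returned; `else if (!error) error = -EINVAL;` would keep the first failure. Both function bodies continue outside the hunks.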
@@ -0,0 +1,46 @@
+From e901c7fce59e72d9f3c92733c379849c4034ac50 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew
+Date: Thu, 11 Dec 2025 07:34:34 -0500
+Subject: NFSD: Fix permission check for read access to executable-only files
+
+From: Scott Mayhew
+
+commit e901c7fce59e72d9f3c92733c379849c4034ac50 upstream.
+
+Commit abc02e5602f7 ("NFSD: Support write delegations in LAYOUTGET")
+added NFSD_MAY_OWNER_OVERRIDE to the access flags passed from
+nfsd4_layoutget() to fh_verify(). This causes LAYOUTGET to fail for
+executable-only files, and causes xfstests generic/126 to fail on
+pNFS SCSI.
+
+To allow read access to executable-only files, what we really want is:
+1. The "permissions" portion of the access flags (the lower 6 bits)
+ must be exactly NFSD_MAY_READ
+2. The "hints" portion of the access flags (the upper 26 bits) can
+ contain any combination of NFSD_MAY_OWNER_OVERRIDE and
+ NFSD_MAY_READ_IF_EXEC
+
+Fixes: abc02e5602f7 ("NFSD: Support write delegations in LAYOUTGET")
+Cc: stable@vger.kernel.org # v6.6+
+Signed-off-by: Scott Mayhew
+Reviewed-by: Jeff Layton
+Reviewed-by: NeilBrown
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/vfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -2683,8 +2683,8 @@ nfsd_permission(struct svc_cred *cred, s
+
+ /* Allow read access to binaries even when mode 111 */
+ if (err == -EACCES && S_ISREG(inode->i_mode) &&
+- (acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE) ||
+- acc == (NFSD_MAY_READ | NFSD_MAY_READ_IF_EXEC)))
++ (((acc & NFSD_MAY_MASK) == NFSD_MAY_READ) &&
++ (acc & (NFSD_MAY_OWNER_OVERRIDE | NFSD_MAY_READ_IF_EXEC))))
+ err = inode_permission(&nop_mnt_idmap, inode, MAY_EXEC);
+
+ return err? nfserrno(err) : 0;
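Review bot: The rewritten test in nfsd_permission() only requires that one of NFSD_MAY_OWNER_OVERRIDE or NFSD_MAY_READ_IF_EXEC is set, so any other bit above NFSD_MAY_MASK may be present and the exec-implies-read fallback still applies; the old code compared `acc` for exact equality. The commit message speaks of "any combination of" those two hints, which is narrower than what the expression accepts. If other hint bits are meant to be ignored, the comment should say so, e.g. `/* Allow read of mode-111 binaries: permission bits exactly READ, plus OWNER_OVERRIDE and/or READ_IF_EXEC; other hint bits are ignored */`. If not, the remaining upper bits need to be masked and compared as well. The function starts outside the hunk.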
diff --git a/queue-6.18/nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch b/queue-6.18/nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch new file mode 100644 index 0000000000..f5c4bdca95 --- /dev/null +++ b/queue-6.18/nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch 
@@ -0,0 +1,83 @@ +From 0b88bfa42e5468baff71909c2f324a495318532b Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Tue, 16 Dec 2025 18:27:37 +0800 +Subject: NFSD: net ref data still needs to be freed even if net hasn't startup + +From: Edward Adam Davis + +commit 0b88bfa42e5468baff71909c2f324a495318532b upstream. + +When the NFSD instance doesn't to startup, the net ref data memory is +not properly reclaimed, which triggers the memory leak issue reported +by syzbot [1]. + +To avoid the problem reported in [1], the net ref data memory reclamation +action is moved outside of nfsd_net_up when the net is shutdown. + +[1] +unreferenced object 0xffff88812a39dfc0 (size 64): + backtrace (crc a2262fc6): + percpu_ref_init+0x94/0x1e0 lib/percpu-refcount.c:76 + nfsd_create_serv+0xbe/0x260 fs/nfsd/nfssvc.c:605 + nfsd_nl_listener_set_doit+0x62/0xb00 fs/nfsd/nfsctl.c:1882 + genl_family_rcv_msg_doit+0x11e/0x190 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1210 + +BUG: memory leak + +Reported-by: syzbot+6ee3b889bdeada0a6226@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6ee3b889bdeada0a6226 +Fixes: 39972494e318 ("nfsd: update percpu_ref to manage references on nfsd_net") +Cc: stable@vger.kernel.org +Signed-off-by: Edward Adam Davis +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfssvc.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -424,26 +424,26 @@ static void nfsd_shutdown_net(struct net + { + struct nfsd_net *nn = net_generic(net, nfsd_net_id); + +- if (!nn->nfsd_net_up) +- return; +- +- percpu_ref_kill_and_confirm(&nn->nfsd_net_ref, nfsd_net_done); +- wait_for_completion(&nn->nfsd_net_confirm_done); +- +- nfsd_export_flush(net); +- nfs4_state_shutdown_net(net); +- nfsd_reply_cache_shutdown(nn); +- 
nfsd_file_cache_shutdown_net(net); +- if (nn->lockd_up) { +- lockd_down(net); +- nn->lockd_up = false; ++ if (nn->nfsd_net_up) { ++ percpu_ref_kill_and_confirm(&nn->nfsd_net_ref, nfsd_net_done); ++ wait_for_completion(&nn->nfsd_net_confirm_done); ++ ++ nfsd_export_flush(net); ++ nfs4_state_shutdown_net(net); ++ nfsd_reply_cache_shutdown(nn); ++ nfsd_file_cache_shutdown_net(net); ++ if (nn->lockd_up) { ++ lockd_down(net); ++ nn->lockd_up = false; ++ } ++ wait_for_completion(&nn->nfsd_net_free_done); + } + +- wait_for_completion(&nn->nfsd_net_free_done); + percpu_ref_exit(&nn->nfsd_net_ref); + ++ if (nn->nfsd_net_up) ++ nfsd_shutdown_generic(); + nn->nfsd_net_up = false; +- nfsd_shutdown_generic(); + } + + static DEFINE_SPINLOCK(nfsd_notifier_lock); diff --git a/queue-6.18/nfsd-provide-locking-for-v4_end_grace.patch b/queue-6.18/nfsd-provide-locking-for-v4_end_grace.patch new file mode 100644 index 0000000000..e9b8297327 --- /dev/null +++ b/queue-6.18/nfsd-provide-locking-for-v4_end_grace.patch 
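Review bot: `percpu_ref_exit(&nn->nfsd_net_ref);` in nfsd_shutdown_net() now runs whether or not the namespace ever came up, so it can be reached for a ref that was never initialised or has already been exited. That relies on percpu_ref_exit() tolerating both states, which the hunk does not show. A comment such as `/* the ref may exist even if startup failed, so release it unconditionally */` would record the intent. `nn->nfsd_net_up` is also tested twice; sampling it once with `bool was_up = nn->nfsd_net_up;` would make it obvious that the two guarded regions agree.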
@@ -0,0 +1,182 @@ +From 2857bd59feb63fcf40fe4baf55401baea6b4feb4 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Sat, 13 Dec 2025 13:41:59 -0500 +Subject: nfsd: provide locking for v4_end_grace + +From: NeilBrown + +commit 2857bd59feb63fcf40fe4baf55401baea6b4feb4 upstream. + +Writing to v4_end_grace can race with server shutdown and result in +memory being accessed after it was freed - reclaim_str_hashtbl in +particularly. + +We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is +held while client_tracking_op->init() is called and that can wait for +an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a +deadlock. + +nfsd4_end_grace() is also called by the landromat work queue and this +doesn't require locking as server shutdown will stop the work and wait +for it before freeing anything that nfsd4_end_grace() might access. + +However, we must be sure that writing to v4_end_grace doesn't restart +the work item after shutdown has already waited for it. For this we +add a new flag protected with nn->client_lock. It is set only while it +is safe to make client tracking calls, and v4_end_grace only schedules +work while the flag is set with the spinlock held. + +So this patch adds a nfsd_net field "client_tracking_active" which is +set as described. Another field "grace_end_forced", is set when +v4_end_grace is written. After this is set, and providing +client_tracking_active is set, the laundromat is scheduled. +This "grace_end_forced" field bypasses other checks for whether the +grace period has finished. + +This resolves a race which can result in use-after-free. 
+ +Reported-by: Li Lingfeng +Closes: https://lore.kernel.org/linux-nfs/20250623030015.2353515-1-neil@brown.name/T/#t +Fixes: 7f5ef2e900d9 ("nfsd: add a v4_end_grace file to /proc/fs/nfsd") +Cc: stable@vger.kernel.org +Signed-off-by: NeilBrown +Tested-by: Li Lingfeng +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/netns.h | 2 ++ + fs/nfsd/nfs4state.c | 42 ++++++++++++++++++++++++++++++++++++++++-- + fs/nfsd/nfsctl.c | 3 +-- + fs/nfsd/state.h | 2 +- + 4 files changed, 44 insertions(+), 5 deletions(-) + +--- a/fs/nfsd/netns.h ++++ b/fs/nfsd/netns.h +@@ -66,6 +66,8 @@ struct nfsd_net { + + struct lock_manager nfsd4_manager; + bool grace_ended; ++ bool grace_end_forced; ++ bool client_tracking_active; + time64_t boot_time; + + struct dentry *nfsd_client_dir; +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -84,7 +84,7 @@ static u64 current_sessionid = 1; + /* forward declarations */ + static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner); + static void nfs4_free_ol_stateid(struct nfs4_stid *stid); +-void nfsd4_end_grace(struct nfsd_net *nn); ++static void nfsd4_end_grace(struct nfsd_net *nn); + static void _free_cpntf_state_locked(struct nfsd_net *nn, struct nfs4_cpntf_state *cps); + static void nfsd4_file_hash_remove(struct nfs4_file *fi); + static void deleg_reaper(struct nfsd_net *nn); +@@ -6597,7 +6597,7 @@ nfsd4_renew(struct svc_rqst *rqstp, stru + return nfs_ok; + } + +-void ++static void + nfsd4_end_grace(struct nfsd_net *nn) + { + /* do nothing if grace period already ended */ +@@ -6630,6 +6630,33 @@ nfsd4_end_grace(struct nfsd_net *nn) + */ + } + ++/** ++ * nfsd4_force_end_grace - forcibly end the NFSv4 grace period ++ * @nn: network namespace for the server instance to be updated ++ * ++ * Forces bypass of normal grace period completion, then schedules ++ * the laundromat to end the grace period immediately. 
Does not wait ++ * for the grace period to fully terminate before returning. ++ * ++ * Return values: ++ * %true: Grace termination schedule ++ * %false: No action was taken ++ */ ++bool nfsd4_force_end_grace(struct nfsd_net *nn) ++{ ++ if (!nn->client_tracking_ops) ++ return false; ++ spin_lock(&nn->client_lock); ++ if (nn->grace_ended || !nn->client_tracking_active) { ++ spin_unlock(&nn->client_lock); ++ return false; ++ } ++ WRITE_ONCE(nn->grace_end_forced, true); ++ mod_delayed_work(laundry_wq, &nn->laundromat_work, 0); ++ spin_unlock(&nn->client_lock); ++ return true; ++} ++ + /* + * If we've waited a lease period but there are still clients trying to + * reclaim, wait a little longer to give them a chance to finish. +@@ -6639,6 +6666,8 @@ static bool clients_still_reclaiming(str + time64_t double_grace_period_end = nn->boot_time + + 2 * nn->nfsd4_lease; + ++ if (READ_ONCE(nn->grace_end_forced)) ++ return false; + if (nn->track_reclaim_completes && + atomic_read(&nn->nr_reclaim_complete) == + nn->reclaim_str_hashtbl_size) +@@ -8942,6 +8971,8 @@ static int nfs4_state_create_net(struct + nn->unconf_name_tree = RB_ROOT; + nn->boot_time = ktime_get_real_seconds(); + nn->grace_ended = false; ++ nn->grace_end_forced = false; ++ nn->client_tracking_active = false; + nn->nfsd4_manager.block_opens = true; + INIT_LIST_HEAD(&nn->nfsd4_manager.list); + INIT_LIST_HEAD(&nn->client_lru); +@@ -9022,6 +9053,10 @@ nfs4_state_start_net(struct net *net) + return ret; + locks_start_grace(net, &nn->nfsd4_manager); + nfsd4_client_tracking_init(net); ++ /* safe for laundromat to run now */ ++ spin_lock(&nn->client_lock); ++ nn->client_tracking_active = true; ++ spin_unlock(&nn->client_lock); + if (nn->track_reclaim_completes && nn->reclaim_str_hashtbl_size == 0) + goto skip_grace; + printk(KERN_INFO "NFSD: starting %lld-second grace period (net %x)\n", +@@ -9070,6 +9105,9 @@ nfs4_state_shutdown_net(struct net *net) + + shrinker_free(nn->nfsd_client_shrinker); + 
cancel_work_sync(&nn->nfsd_shrinker_work); ++ spin_lock(&nn->client_lock); ++ nn->client_tracking_active = false; ++ spin_unlock(&nn->client_lock); + cancel_delayed_work_sync(&nn->laundromat_work); + locks_end_grace(&nn->nfsd4_manager); + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1082,10 +1082,9 @@ static ssize_t write_v4_end_grace(struct + case 'Y': + case 'y': + case '1': +- if (!nn->nfsd_serv) ++ if (!nfsd4_force_end_grace(nn)) + return -EBUSY; + trace_nfsd_end_grace(netns(file)); +- nfsd4_end_grace(nn); + break; + default: + return -EINVAL; +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -849,7 +849,7 @@ static inline void nfsd4_revoke_states(s + #endif + + /* grace period management */ +-void nfsd4_end_grace(struct nfsd_net *nn); ++bool nfsd4_force_end_grace(struct nfsd_net *nn); + + /* nfs4recover operations */ + extern int nfsd4_client_tracking_init(struct net *net); diff --git a/queue-6.18/nfsd-remove-nfserr_eagain.patch b/queue-6.18/nfsd-remove-nfserr_eagain.patch new file mode 100644 index 0000000000..061d72e4db --- /dev/null +++ b/queue-6.18/nfsd-remove-nfserr_eagain.patch 
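Review bot: In nfsd4_force_end_grace() the `if (!nn->client_tracking_ops) return false;` test runs before `spin_lock(&nn->client_lock)`, unlike the `grace_ended` and `client_tracking_active` tests that follow it. Whether that pointer can change while shutdown is in progress is not visible in these hunks; either move the test under the lock or add a comment giving the reason it is stable there. write_v4_end_grace() now returns -EBUSY for every false return, including `nn->grace_ended`, where the old code called nfsd4_end_grace() and succeeded as a no-op; that change for administrators deserves a line in the kernel-doc. The kernel-doc also has a typo: `%true: Grace termination schedule` should read `scheduled`.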
@@ -0,0 +1,97 @@ +From c6c209ceb87f64a6ceebe61761951dcbbf4a0baa Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Tue, 9 Dec 2025 19:28:49 -0500 +Subject: NFSD: Remove NFSERR_EAGAIN + +From: Chuck Lever + +commit c6c209ceb87f64a6ceebe61761951dcbbf4a0baa upstream. + +I haven't found an NFSERR_EAGAIN in RFCs 1094, 1813, 7530, or 8881. +None of these RFCs have an NFS status code that match the numeric +value "11". + +Based on the meaning of the EAGAIN errno, I presume the use of this +status in NFSD means NFS4ERR_DELAY. So replace the one usage of +nfserr_eagain, and remove it from NFSD's NFS status conversion +tables. + +As far as I can tell, NFSERR_EAGAIN has existed since the pre-git +era, but was not actually used by any code until commit f4e44b393389 +("NFSD: delay unmount source's export after inter-server copy +completed."), at which time it become possible for NFSD to return +a status code of 11 (which is not valid NFS protocol). + +Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.") +Cc: stable@vger.kernel.org +Reviewed-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs_common/common.c | 1 - + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfsd.h | 1 - + include/trace/misc/nfs.h | 2 -- + include/uapi/linux/nfs.h | 1 - + 5 files changed, 1 insertion(+), 6 deletions(-) + +--- a/fs/nfs_common/common.c ++++ b/fs/nfs_common/common.c +@@ -17,7 +17,6 @@ static const struct { + { NFSERR_NOENT, -ENOENT }, + { NFSERR_IO, -EIO }, + { NFSERR_NXIO, -ENXIO }, +-/* { NFSERR_EAGAIN, -EAGAIN }, */ + { NFSERR_ACCES, -EACCES }, + { NFSERR_EXIST, -EEXIST }, + { NFSERR_XDEV, -EXDEV }, +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1506,7 +1506,7 @@ try_again: + (schedule_timeout(20*HZ) == 0)) { + finish_wait(&nn->nfsd_ssc_waitq, &wait); + kfree(work); +- return nfserr_eagain; ++ return nfserr_jukebox; + } + finish_wait(&nn->nfsd_ssc_waitq, &wait); + goto try_again; +--- 
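Review bot: `return nfserr_jukebox;` in the nfs4proc.c hunk does not read as the NFS4ERR_DELAY that the commit message says is meant, because the macro carries the NFSv3-era name. A trailing comment, `return nfserr_jukebox; /* NFS4ERR_DELAY on the wire */`, would let a reader of this inter-server copy path connect the two without looking up the numeric values. The enclosing function starts and ends outside the hunk.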
a/fs/nfsd/nfsd.h ++++ b/fs/nfsd/nfsd.h +@@ -232,7 +232,6 @@ void nfsd_lockd_shutdown(void); + #define nfserr_noent cpu_to_be32(NFSERR_NOENT) + #define nfserr_io cpu_to_be32(NFSERR_IO) + #define nfserr_nxio cpu_to_be32(NFSERR_NXIO) +-#define nfserr_eagain cpu_to_be32(NFSERR_EAGAIN) + #define nfserr_acces cpu_to_be32(NFSERR_ACCES) + #define nfserr_exist cpu_to_be32(NFSERR_EXIST) + #define nfserr_xdev cpu_to_be32(NFSERR_XDEV) +--- a/include/trace/misc/nfs.h ++++ b/include/trace/misc/nfs.h +@@ -16,7 +16,6 @@ TRACE_DEFINE_ENUM(NFSERR_PERM); + TRACE_DEFINE_ENUM(NFSERR_NOENT); + TRACE_DEFINE_ENUM(NFSERR_IO); + TRACE_DEFINE_ENUM(NFSERR_NXIO); +-TRACE_DEFINE_ENUM(NFSERR_EAGAIN); + TRACE_DEFINE_ENUM(NFSERR_ACCES); + TRACE_DEFINE_ENUM(NFSERR_EXIST); + TRACE_DEFINE_ENUM(NFSERR_XDEV); +@@ -52,7 +51,6 @@ TRACE_DEFINE_ENUM(NFSERR_JUKEBOX); + { NFSERR_NXIO, "NXIO" }, \ + { ECHILD, "CHILD" }, \ + { ETIMEDOUT, "TIMEDOUT" }, \ +- { NFSERR_EAGAIN, "AGAIN" }, \ + { NFSERR_ACCES, "ACCES" }, \ + { NFSERR_EXIST, "EXIST" }, \ + { NFSERR_XDEV, "XDEV" }, \ +--- a/include/uapi/linux/nfs.h ++++ b/include/uapi/linux/nfs.h +@@ -49,7 +49,6 @@ + NFSERR_NOENT = 2, /* v2 v3 v4 */ + NFSERR_IO = 5, /* v2 v3 v4 */ + NFSERR_NXIO = 6, /* v2 v3 v4 */ +- NFSERR_EAGAIN = 11, /* v2 v3 */ + NFSERR_ACCES = 13, /* v2 v3 v4 */ + NFSERR_EXIST = 17, /* v2 v3 v4 */ + NFSERR_XDEV = 18, /* v3 v4 */ diff --git a/queue-6.18/nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch b/queue-6.18/nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch new file mode 100644 index 0000000000..46562db9d2 --- /dev/null +++ b/queue-6.18/nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch 
@@ -0,0 +1,37 @@ +From fb321998de7639f1954430674475e469fb529d9c Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 15 Dec 2025 08:07:28 +1100 +Subject: nfsd: use correct loop termination in nfsd4_revoke_states() + +From: NeilBrown + +commit fb321998de7639f1954430674475e469fb529d9c upstream. + +The loop in nfsd4_revoke_states() stops one too early because +the end value given is CLIENT_HASH_MASK where it should be +CLIENT_HASH_SIZE. + +This means that an admin request to drop all locks for a filesystem will +miss locks held by clients which hash to the maximum possible hash value. + +Fixes: 1ac3629bf012 ("nfsd: prepare for supporting admin-revocation of state") +Cc: stable@vger.kernel.org +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1780,7 +1780,7 @@ void nfsd4_revoke_states(struct net *net + sc_types = SC_TYPE_OPEN | SC_TYPE_LOCK | SC_TYPE_DELEG | SC_TYPE_LAYOUT; + + spin_lock(&nn->client_lock); +- for (idhashval = 0; idhashval < CLIENT_HASH_MASK; idhashval++) { ++ for (idhashval = 0; idhashval < CLIENT_HASH_SIZE; idhashval++) { + struct list_head *head = &nn->conf_id_hashtbl[idhashval]; + struct nfs4_client *clp; + retry: diff --git a/queue-6.18/nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch b/queue-6.18/nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch new file mode 100644 index 0000000000..dd87c1c7e5 --- /dev/null +++ b/queue-6.18/nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch 
@@ -0,0 +1,205 @@ +From e8b3627bec357698f2d4d6dbf27cdcfa0e9d8715 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Fri, 2 Jan 2026 14:18:29 +1000 +Subject: nouveau: don't attempt fwsec on sb on newer platforms. + +From: Dave Airlie + +commit e8b3627bec357698f2d4d6dbf27cdcfa0e9d8715 upstream. + +The changes to always loads fwsec sb causes problems on newer GPUs +which don't use this path. + +Add hooks and pass through the device specific layers. + +Fixes: da67179e5538 ("drm/nouveau/gsp: Allocate fwsec-sb at boot") +Cc: # v6.16+ +Cc: Lyude Paul +Cc: Timur Tabi +Tested-by: Matthew Schwartz +Tested-by: Christopher Snowhill +Reviewed-by: Lyude Paul +Signed-off-by: Dave Airlie +Link: https://patch.msgid.link/20260102041829.2748009-1-airlied@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + .../gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c | 3 +++ + .../gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c | 8 +------ + .../gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c | 3 +++ + .../gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c | 3 +++ + .../gpu/drm/nouveau/nvkm/subdev/gsp/priv.h | 23 +++++++++++++++++-- + .../gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c | 15 ++++++++++++ + .../gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c | 3 +++ + 7 files changed, 49 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c +index 35d1fcef520b..c456a9626823 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c +@@ -30,6 +30,9 @@ ad102_gsp = { + + .booter.ctor = ga102_gsp_booter_ctor, + ++ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor, ++ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor, ++ + .dtor = r535_gsp_dtor, + .oneinit = tu102_gsp_oneinit, + .init = tu102_gsp_init, +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c +index 503760246660..851140e80122 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c ++++ 
b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c +@@ -337,18 +337,12 @@ nvkm_gsp_fwsec_sb(struct nvkm_gsp *gsp) + } + + int +-nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp) ++nvkm_gsp_fwsec_sb_init(struct nvkm_gsp *gsp) + { + return nvkm_gsp_fwsec_init(gsp, &gsp->fws.falcon.sb, "fwsec-sb", + NVFW_FALCON_APPIF_DMEMMAPPER_CMD_SB); + } + +-void +-nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp) +-{ +- nvkm_falcon_fw_dtor(&gsp->fws.falcon.sb); +-} +- + int + nvkm_gsp_fwsec_frts(struct nvkm_gsp *gsp) + { +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c +index d201e8697226..27a13aeccd3c 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c +@@ -47,6 +47,9 @@ ga100_gsp = { + + .booter.ctor = tu102_gsp_booter_ctor, + ++ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor, ++ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor, ++ + .dtor = r535_gsp_dtor, + .oneinit = tu102_gsp_oneinit, + .init = tu102_gsp_init, +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c +index 917f7e2f6c46..b6b3eb6f4c00 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c +@@ -158,6 +158,9 @@ ga102_gsp_r535 = { + + .booter.ctor = ga102_gsp_booter_ctor, + ++ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor, ++ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor, ++ + .dtor = r535_gsp_dtor, + .oneinit = tu102_gsp_oneinit, + .init = tu102_gsp_init, +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h +index 86bdd203bc10..9dd66a2e3801 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h +@@ -7,9 +7,8 @@ enum nvkm_acr_lsf_id; + + int nvkm_gsp_fwsec_frts(struct nvkm_gsp *); + +-int nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *); + int nvkm_gsp_fwsec_sb(struct nvkm_gsp *); +-void 
nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *); ++int nvkm_gsp_fwsec_sb_init(struct nvkm_gsp *gsp); + + struct nvkm_gsp_fwif { + int version; +@@ -52,6 +51,11 @@ struct nvkm_gsp_func { + struct nvkm_falcon *, struct nvkm_falcon_fw *); + } booter; + ++ struct { ++ int (*ctor)(struct nvkm_gsp *); ++ void (*dtor)(struct nvkm_gsp *); ++ } fwsec_sb; ++ + void (*dtor)(struct nvkm_gsp *); + int (*oneinit)(struct nvkm_gsp *); + int (*init)(struct nvkm_gsp *); +@@ -67,6 +71,8 @@ extern const struct nvkm_falcon_func tu102_gsp_flcn; + extern const struct nvkm_falcon_fw_func tu102_gsp_fwsec; + int tu102_gsp_booter_ctor(struct nvkm_gsp *, const char *, const struct firmware *, + struct nvkm_falcon *, struct nvkm_falcon_fw *); ++int tu102_gsp_fwsec_sb_ctor(struct nvkm_gsp *); ++void tu102_gsp_fwsec_sb_dtor(struct nvkm_gsp *); + int tu102_gsp_oneinit(struct nvkm_gsp *); + int tu102_gsp_init(struct nvkm_gsp *); + int tu102_gsp_fini(struct nvkm_gsp *, bool suspend); +@@ -91,5 +97,18 @@ int r535_gsp_fini(struct nvkm_gsp *, bool suspend); + int nvkm_gsp_new_(const struct nvkm_gsp_fwif *, struct nvkm_device *, enum nvkm_subdev_type, int, + struct nvkm_gsp **); + ++static inline int nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp) ++{ ++ if (gsp->func->fwsec_sb.ctor) ++ return gsp->func->fwsec_sb.ctor(gsp); ++ return 0; ++} ++ ++static inline void nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp) ++{ ++ if (gsp->func->fwsec_sb.dtor) ++ gsp->func->fwsec_sb.dtor(gsp); ++} ++ + extern const struct nvkm_gsp_func gv100_gsp; + #endif +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c +index 81e56da0474a..04b642a1f730 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c +@@ -30,6 +30,18 @@ + #include + #include + ++int ++tu102_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp) ++{ ++ return nvkm_gsp_fwsec_sb_init(gsp); ++} ++ ++void ++tu102_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp) ++{ ++ 
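Review bot: The new `fwsec_sb` hook pair in `struct nvkm_gsp_func` has no comment saying that both pointers are optional, although the inline wrappers added at the end of priv.h treat a NULL hook as "nothing to do" and nvkm_gsp_fwsec_sb_ctor() then returns 0. A one-line comment on the struct member, e.g. `/* optional: left NULL on chips that do not load fwsec-sb */`, would document the contract the wrappers rely on. Separately, `nvkm_gsp_fwsec_sb()` stays declared for every chip while `gsp->fws.falcon.sb` is now constructed only when a ctor hook is set; presumably only the tu102-family paths call it, but no caller is visible in this patch, so it is worth confirming that it cannot run against firmware that was never constructed.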
nvkm_falcon_fw_dtor(&gsp->fws.falcon.sb); ++} ++ + static int + tu102_gsp_booter_unload(struct nvkm_gsp *gsp, u32 mbox0, u32 mbox1) + { +@@ -370,6 +382,9 @@ tu102_gsp = { + + .booter.ctor = tu102_gsp_booter_ctor, + ++ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor, ++ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor, ++ + .dtor = r535_gsp_dtor, + .oneinit = tu102_gsp_oneinit, + .init = tu102_gsp_init, +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c +index 97eb046c25d0..58cf25842421 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c +@@ -30,6 +30,9 @@ tu116_gsp = { + + .booter.ctor = tu102_gsp_booter_ctor, + ++ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor, ++ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor, ++ + .dtor = r535_gsp_dtor, + .oneinit = tu102_gsp_oneinit, + .init = tu102_gsp_init, +-- +2.52.0 + diff --git a/queue-6.18/pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch b/queue-6.18/pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch new file mode 100644 index 0000000000..d900b658ee --- /dev/null +++ b/queue-6.18/pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch 
@@ -0,0 +1,98 @@ +From df27c03b9e3ef2baa9e9c9f56a771d463a84489d Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Mon, 3 Nov 2025 16:19:26 -0600 +Subject: PCI: meson: Report that link is up while in ASPM L0s and L1 states + +From: Bjorn Helgaas + +commit df27c03b9e3ef2baa9e9c9f56a771d463a84489d upstream. + +Previously meson_pcie_link_up() only returned true if the link was in the +L0 state. This was incorrect because hardware autonomously manages +transitions between L0, L0s, and L1 while both components on the link stay +in D0. Those states should all be treated as "link is active". + +Returning false when the device was in L0s or L1 broke config accesses +because dw_pcie_other_conf_map_bus() fails if the link is down, which +caused errors like this: + + meson-pcie fc000000.pcie: error: wait linkup timeout + pci 0000:01:00.0: BAR 0: error updating (0xfc700004 != 0xffffffff) + +Remove the LTSSM state check, timeout, speed check, and error message from +meson_pcie_link_up(), the dw_pcie_ops.link_up() method, so it is a simple +boolean check of whether the link is active. Timeouts and error messages +are handled at a higher level, e.g., dw_pcie_wait_for_link(). 
+ +Fixes: 9c0ef6d34fdb ("PCI: amlogic: Add the Amlogic Meson PCIe controller driver") +Reported-by: Linnaea Lavia +Closes: https://lore.kernel.org/r/DM4PR05MB102707B8CDF84D776C39F22F2C7F0A@DM4PR05MB10270.namprd05.prod.outlook.com +[bhelgaas: squash removal of unused WAIT_LINKUP_TIMEOUT by +Martin Blumenstingl : +https://patch.msgid.link/20260105125625.239497-1-martin.blumenstingl@googlemail.com] +Signed-off-by: Bjorn Helgaas +Tested-by: Linnaea Lavia +Tested-by: Neil Armstrong # on BananaPi M2S +Reviewed-by: Neil Armstrong +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251103221930.1831376-1-helgaas@kernel.org +Link: https://patch.msgid.link/20260105125625.239497-1-martin.blumenstingl@googlemail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pci-meson.c | 37 ++------------------------------- + 1 file changed, 3 insertions(+), 34 deletions(-) + +--- a/drivers/pci/controller/dwc/pci-meson.c ++++ b/drivers/pci/controller/dwc/pci-meson.c +@@ -37,7 +37,6 @@ + #define PCIE_CFG_STATUS17 0x44 + #define PM_CURRENT_STATE(x) (((x) >> 7) & 0x1) + +-#define WAIT_LINKUP_TIMEOUT 4000 + #define PORT_CLK_RATE 100000000UL + #define MAX_PAYLOAD_SIZE 256 + #define MAX_READ_REQ_SIZE 256 +@@ -350,40 +349,10 @@ static struct pci_ops meson_pci_ops = { + static bool meson_pcie_link_up(struct dw_pcie *pci) + { + struct meson_pcie *mp = to_meson_pcie(pci); +- struct device *dev = pci->dev; +- u32 speed_okay = 0; +- u32 cnt = 0; +- u32 state12, state17, smlh_up, ltssm_up, rdlh_up; +- +- do { +- state12 = meson_cfg_readl(mp, PCIE_CFG_STATUS12); +- state17 = meson_cfg_readl(mp, PCIE_CFG_STATUS17); +- smlh_up = IS_SMLH_LINK_UP(state12); +- rdlh_up = IS_RDLH_LINK_UP(state12); +- ltssm_up = IS_LTSSM_UP(state12); +- +- if (PM_CURRENT_STATE(state17) < PCIE_GEN3) +- speed_okay = 1; +- +- if (smlh_up) +- dev_dbg(dev, "smlh_link_up is on\n"); +- if (rdlh_up) +- dev_dbg(dev, "rdlh_link_up is on\n"); +- if (ltssm_up) +- dev_dbg(dev, "ltssm_up is on\n"); +- if 
(speed_okay) +- dev_dbg(dev, "speed_okay\n"); +- +- if (smlh_up && rdlh_up && ltssm_up && speed_okay) +- return true; ++ u32 state12; + +- cnt++; +- +- udelay(10); +- } while (cnt < WAIT_LINKUP_TIMEOUT); +- +- dev_err(dev, "error: wait linkup timeout\n"); +- return false; ++ state12 = meson_cfg_readl(mp, PCIE_CFG_STATUS12); ++ return IS_SMLH_LINK_UP(state12) && IS_RDLH_LINK_UP(state12); + } + + static int meson_pcie_host_init(struct dw_pcie_rp *pp) diff --git a/queue-6.18/pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch b/queue-6.18/pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch new file mode 100644 index 0000000000..322091538b --- /dev/null +++ b/queue-6.18/pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch 
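Review bot: After this rewrite meson_pcie_link_up() reads only PCIE_CFG_STATUS12, yet the first hunk keeps `#define PCIE_CFG_STATUS17 0x44` and `#define PM_CURRENT_STATE(x)` as context, and `IS_LTSSM_UP()` is no longer called here either. If nothing else in pci-meson.c uses them (not visible in these hunks) they are now dead definitions and could go in the same change, as was done for WAIT_LINKUP_TIMEOUT. A short comment above the return, for example `/* L0s and L1 still count as link up; do not test the LTSSM state */`, would also keep a later cleanup from re-adding the check the commit message explains was wrong.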
@@ -0,0 +1,87 @@ +From ebc18e9854e5a2b62a041fb57b216a903af45b85 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Wed, 26 Nov 2025 13:22:19 +0100 +Subject: pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping + +From: Bartosz Golaszewski + +commit ebc18e9854e5a2b62a041fb57b216a903af45b85 upstream. + +The gpio_chip settings in this driver say the controller can't sleep +but it actually uses a mutex for synchronization. This triggers the +following BUG(): + +[ 9.233659] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:281 +[ 9.233665] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 554, name: (udev-worker) +[ 9.233669] preempt_count: 1, expected: 0 +[ 9.233673] RCU nest depth: 0, expected: 0 +[ 9.233688] Tainted: [W]=WARN +[ 9.233690] Hardware name: Dell Inc. Latitude 7455/0FK7MX, BIOS 2.10.1 05/20/2025 +[ 9.233694] Call trace: +[ 9.233696] show_stack+0x24/0x38 (C) +[ 9.233709] dump_stack_lvl+0x40/0x88 +[ 9.233716] dump_stack+0x18/0x24 +[ 9.233722] __might_resched+0x148/0x160 +[ 9.233731] __might_sleep+0x38/0x98 +[ 9.233736] mutex_lock+0x30/0xd8 +[ 9.233749] lpi_config_set+0x2e8/0x3c8 [pinctrl_lpass_lpi] +[ 9.233757] lpi_gpio_direction_output+0x58/0x90 [pinctrl_lpass_lpi] +[ 9.233761] gpiod_direction_output_raw_commit+0x110/0x428 +[ 9.233772] gpiod_direction_output_nonotify+0x234/0x358 +[ 9.233779] gpiod_direction_output+0x38/0xd0 +[ 9.233786] gpio_shared_proxy_direction_output+0xb8/0x2a8 [gpio_shared_proxy] +[ 9.233792] gpiod_direction_output_raw_commit+0x110/0x428 +[ 9.233799] gpiod_direction_output_nonotify+0x234/0x358 +[ 9.233806] gpiod_configure_flags+0x2c0/0x580 +[ 9.233812] gpiod_find_and_request+0x358/0x4f8 +[ 9.233819] gpiod_get_index+0x7c/0x98 +[ 9.233826] devm_gpiod_get+0x34/0xb0 +[ 9.233829] reset_gpio_probe+0x58/0x128 [reset_gpio] +[ 9.233836] auxiliary_bus_probe+0xb0/0xf0 +[ 9.233845] really_probe+0x14c/0x450 +[ 9.233853] __driver_probe_device+0xb0/0x188 +[ 9.233858] driver_probe_device+0x4c/0x250 +[ 
9.233863] __driver_attach+0xf8/0x2a0 +[ 9.233868] bus_for_each_dev+0xf8/0x158 +[ 9.233872] driver_attach+0x30/0x48 +[ 9.233876] bus_add_driver+0x158/0x2b8 +[ 9.233880] driver_register+0x74/0x118 +[ 9.233886] __auxiliary_driver_register+0x94/0xe8 +[ 9.233893] init_module+0x34/0xfd0 [reset_gpio] +[ 9.233898] do_one_initcall+0xec/0x300 +[ 9.233903] do_init_module+0x64/0x260 +[ 9.233910] load_module+0x16c4/0x1900 +[ 9.233915] __arm64_sys_finit_module+0x24c/0x378 +[ 9.233919] invoke_syscall+0x4c/0xe8 +[ 9.233925] el0_svc_common+0x8c/0xf0 +[ 9.233929] do_el0_svc+0x28/0x40 +[ 9.233934] el0_svc+0x38/0x100 +[ 9.233938] el0t_64_sync_handler+0x84/0x130 +[ 9.233943] el0t_64_sync+0x17c/0x180 + +Mark the controller as sleeping. + +Fixes: 6e261d1090d6 ("pinctrl: qcom: Add sm8250 lpass lpi pinctrl driver") +Cc: stable@vger.kernel.org +Reported-by: Val Packett +Closes: https://lore.kernel.org/all/98c0f185-b0e0-49ea-896c-f3972dd011ca@packett.cool/ +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c ++++ b/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c +@@ -498,7 +498,7 @@ int lpi_pinctrl_probe(struct platform_de + pctrl->chip.base = -1; + pctrl->chip.ngpio = data->npins; + pctrl->chip.label = dev_name(dev); +- pctrl->chip.can_sleep = false; ++ pctrl->chip.can_sleep = true; + + mutex_init(&pctrl->lock); + diff --git a/queue-6.18/pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch b/queue-6.18/pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch new file mode 100644 index 0000000000..0d8d99f8cb --- /dev/null +++ b/queue-6.18/pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch 
@@ -0,0 +1,63 @@ +From 7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77 Mon Sep 17 00:00:00 2001 +From: Malaya Kumar Rout +Date: Tue, 30 Dec 2025 17:26:13 +0530 +Subject: PM: hibernate: Fix crash when freeing invalid crypto compressor + +From: Malaya Kumar Rout + +commit 7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77 upstream. + +When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL. + +The cleanup code in save_compressed_image() and load_compressed_image() +unconditionally calls crypto_free_acomp() without checking for ERR_PTR, +which causes crypto_acomp_tfm() to dereference an invalid pointer and +crash the kernel. + +This can be triggered when the compression algorithm is unavailable +(e.g., CONFIG_CRYPTO_LZO not enabled). + +Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp() +and acomp_request_free(), similar to the existing kthread_stop() check. + +Fixes: b03d542c3c95 ("PM: hibernate: Use crypto_acomp interface") +Signed-off-by: Malaya Kumar Rout +Cc: 6.15+ # 6.15+ +[ rjw: Added 2 empty code lines ] +Link: https://patch.msgid.link/20251230115613.64080-1-mrout@redhat.com +Signed-off-by: Rafael J. 
Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/power/swap.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -897,8 +897,11 @@ out_clean:
+ for (thr = 0; thr < nr_threads; thr++) {
+ if (data[thr].thr)
+ kthread_stop(data[thr].thr);
+- acomp_request_free(data[thr].cr);
+- crypto_free_acomp(data[thr].cc);
++ if (data[thr].cr)
++ acomp_request_free(data[thr].cr);
++
++ if (!IS_ERR_OR_NULL(data[thr].cc))
++ crypto_free_acomp(data[thr].cc);
+ }
+ vfree(data);
+ }
+@@ -1519,8 +1522,11 @@ out_clean:
+ for (thr = 0; thr < nr_threads; thr++) {
+ if (data[thr].thr)
+ kthread_stop(data[thr].thr);
+- acomp_request_free(data[thr].cr);
+- crypto_free_acomp(data[thr].cc);
++ if (data[thr].cr)
++ acomp_request_free(data[thr].cr);
++
++ if (!IS_ERR_OR_NULL(data[thr].cc))
++ crypto_free_acomp(data[thr].cc);
+ }
+ vfree(data);
+ }
diff --git a/queue-6.18/revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch b/queue-6.18/revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch
new file mode 100644
index 0000000000..7d860b624e
--- /dev/null
+++ b/queue-6.18/revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch
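Review bot: The cleanup loop now guards `cr` with a plain NULL test and `cc` with `IS_ERR_OR_NULL()`, and nothing in the hunk says why the two differ. Per the commit message it is crypto_alloc_acomp() that hands back an ERR_PTR, so a one-line comment above the second test, `/* cc may hold an ERR_PTR from crypto_alloc_acomp() */`, would keep a later cleanup from folding it back into an unconditional free. The same lines are added at the second `out_clean:` hunk (-1519) and want the same comment. Both function bodies start outside the hunks, so the NULL test on `cr` assumes `data[]` is zeroed before the first allocation; that is not visible here.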
@@ -0,0 +1,400 @@ +From c1ef9a6cabb34dbc09e31417b0c0a672fe0de13a Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Fri, 5 Dec 2025 11:51:48 +0200 +Subject: Revert "drm/atomic-helper: Re-order bridge chain pre-enable and post-disable" + +From: Tomi Valkeinen + +commit c1ef9a6cabb34dbc09e31417b0c0a672fe0de13a upstream. + +This reverts commit c9b1150a68d9362a0827609fc0dc1664c0d8bfe1. + +Changing the enable/disable sequence has caused regressions on multiple +platforms: R-Car, MCDE, Rockchip. A series (see link below) was sent to +fix these, but it was decided that it's better to revert the original +patch and change the enable/disable sequence only in the tidss driver. + +Reverting this commit breaks tidss's DSI and OLDI outputs, which will be +fixed in the following commits. + +Signed-off-by: Tomi Valkeinen +Link: https://lore.kernel.org/all/20251202-mcde-drm-regression-thirdfix-v6-0-f1bffd4ec0fa%40kernel.org/ +Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable") +Cc: stable@vger.kernel.org # v6.17+ +Reviewed-by: Aradhya Bhatia +Reviewed-by: Maxime Ripard +Reviewed-by: Linus Walleij +Tested-by: Linus Walleij +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-1-fda68fa1b3de@ideasonboard.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic_helper.c | 8 +- + include/drm/drm_bridge.h | 249 ++++++++-------------------- + 2 files changed, 70 insertions(+), 187 deletions(-) + +diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c +index 10adac9397cf..ef97f37560b2 100644 +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1341,9 +1341,9 @@ disable_outputs(struct drm_device *dev, struct drm_atomic_state *state) + { + encoder_bridge_disable(dev, state); + +- crtc_disable(dev, state); +- + encoder_bridge_post_disable(dev, state); ++ ++ crtc_disable(dev, state); + } + + /** +@@ -1682,10 +1682,10 @@ 
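Review bot: Neither reordered call sequence carries a comment, although the order is exactly what this revert is about: disable_outputs() again post-disables the bridges before crtc_disable(), and the drm_atomic_helper_commit_modeset_enables() hunk (-1682) again runs crtc_enable() before encoder_bridge_pre_enable(). A short comment in each, for example `/* bridges are post-disabled before the CRTC; drivers needing the opposite order implement their own sequence */`, would record the decision the commit message describes. The message also says the revert on its own breaks tidss DSI and OLDI output until the following commits, so this patch should only be applied together with the follow-up tidss change.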
encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state) + void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev, + struct drm_atomic_state *state) + { +- encoder_bridge_pre_enable(dev, state); +- + crtc_enable(dev, state); + ++ encoder_bridge_pre_enable(dev, state); ++ + encoder_bridge_enable(dev, state); + + drm_atomic_helper_commit_writebacks(dev, state); +diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h +index 0ff7ab4aa868..dbafe136833f 100644 +--- a/include/drm/drm_bridge.h ++++ b/include/drm/drm_bridge.h +@@ -176,33 +176,17 @@ struct drm_bridge_funcs { + /** + * @disable: + * +- * The @disable callback should disable the bridge. ++ * This callback should disable the bridge. It is called right before ++ * the preceding element in the display pipe is disabled. If the ++ * preceding element is a bridge this means it's called before that ++ * bridge's @disable vfunc. If the preceding element is a &drm_encoder ++ * it's called right before the &drm_encoder_helper_funcs.disable, ++ * &drm_encoder_helper_funcs.prepare or &drm_encoder_helper_funcs.dpms ++ * hook. + * + * The bridge can assume that the display pipe (i.e. clocks and timing + * signals) feeding it is still running when this callback is called. 
+ * +- * +- * If the preceding element is a &drm_bridge, then this is called before +- * that bridge is disabled via one of: +- * +- * - &drm_bridge_funcs.disable +- * - &drm_bridge_funcs.atomic_disable +- * +- * If the preceding element of the bridge is a display controller, then +- * this callback is called before the encoder is disabled via one of: +- * +- * - &drm_encoder_helper_funcs.atomic_disable +- * - &drm_encoder_helper_funcs.prepare +- * - &drm_encoder_helper_funcs.disable +- * - &drm_encoder_helper_funcs.dpms +- * +- * and the CRTC is disabled via one of: +- * +- * - &drm_crtc_helper_funcs.prepare +- * - &drm_crtc_helper_funcs.atomic_disable +- * - &drm_crtc_helper_funcs.disable +- * - &drm_crtc_helper_funcs.dpms. +- * + * The @disable callback is optional. + * + * NOTE: +@@ -215,34 +199,17 @@ struct drm_bridge_funcs { + /** + * @post_disable: + * ++ * This callback should disable the bridge. It is called right after the ++ * preceding element in the display pipe is disabled. If the preceding ++ * element is a bridge this means it's called after that bridge's ++ * @post_disable function. If the preceding element is a &drm_encoder ++ * it's called right after the encoder's ++ * &drm_encoder_helper_funcs.disable, &drm_encoder_helper_funcs.prepare ++ * or &drm_encoder_helper_funcs.dpms hook. ++ * + * The bridge must assume that the display pipe (i.e. clocks and timing +- * signals) feeding this bridge is no longer running when the +- * @post_disable is called. +- * +- * This callback should perform all the actions required by the hardware +- * after it has stopped receiving signals from the preceding element. 
+- * +- * If the preceding element is a &drm_bridge, then this is called after +- * that bridge is post-disabled (unless marked otherwise by the +- * @pre_enable_prev_first flag) via one of: +- * +- * - &drm_bridge_funcs.post_disable +- * - &drm_bridge_funcs.atomic_post_disable +- * +- * If the preceding element of the bridge is a display controller, then +- * this callback is called after the encoder is disabled via one of: +- * +- * - &drm_encoder_helper_funcs.atomic_disable +- * - &drm_encoder_helper_funcs.prepare +- * - &drm_encoder_helper_funcs.disable +- * - &drm_encoder_helper_funcs.dpms +- * +- * and the CRTC is disabled via one of: +- * +- * - &drm_crtc_helper_funcs.prepare +- * - &drm_crtc_helper_funcs.atomic_disable +- * - &drm_crtc_helper_funcs.disable +- * - &drm_crtc_helper_funcs.dpms ++ * signals) feeding it is no longer running when this callback is ++ * called. + * + * The @post_disable callback is optional. + * +@@ -285,30 +252,18 @@ struct drm_bridge_funcs { + /** + * @pre_enable: + * ++ * This callback should enable the bridge. It is called right before ++ * the preceding element in the display pipe is enabled. If the ++ * preceding element is a bridge this means it's called before that ++ * bridge's @pre_enable function. If the preceding element is a ++ * &drm_encoder it's called right before the encoder's ++ * &drm_encoder_helper_funcs.enable, &drm_encoder_helper_funcs.commit or ++ * &drm_encoder_helper_funcs.dpms hook. ++ * + * The display pipe (i.e. clocks and timing signals) feeding this bridge +- * will not yet be running when the @pre_enable is called. +- * +- * This callback should perform all the necessary actions to prepare the +- * bridge to accept signals from the preceding element. 
+- * +- * If the preceding element is a &drm_bridge, then this is called before +- * that bridge is pre-enabled (unless marked otherwise by +- * @pre_enable_prev_first flag) via one of: +- * +- * - &drm_bridge_funcs.pre_enable +- * - &drm_bridge_funcs.atomic_pre_enable +- * +- * If the preceding element of the bridge is a display controller, then +- * this callback is called before the CRTC is enabled via one of: +- * +- * - &drm_crtc_helper_funcs.atomic_enable +- * - &drm_crtc_helper_funcs.commit +- * +- * and the encoder is enabled via one of: +- * +- * - &drm_encoder_helper_funcs.atomic_enable +- * - &drm_encoder_helper_funcs.enable +- * - &drm_encoder_helper_funcs.commit ++ * will not yet be running when this callback is called. The bridge must ++ * not enable the display link feeding the next bridge in the chain (if ++ * there is one) when this callback is called. + * + * The @pre_enable callback is optional. + * +@@ -322,31 +277,19 @@ struct drm_bridge_funcs { + /** + * @enable: + * +- * The @enable callback should enable the bridge. ++ * This callback should enable the bridge. It is called right after ++ * the preceding element in the display pipe is enabled. If the ++ * preceding element is a bridge this means it's called after that ++ * bridge's @enable function. If the preceding element is a ++ * &drm_encoder it's called right after the encoder's ++ * &drm_encoder_helper_funcs.enable, &drm_encoder_helper_funcs.commit or ++ * &drm_encoder_helper_funcs.dpms hook. + * + * The bridge can assume that the display pipe (i.e. clocks and timing + * signals) feeding it is running when this callback is called. This + * callback must enable the display link feeding the next bridge in the + * chain if there is one. 
+ * +- * If the preceding element is a &drm_bridge, then this is called after +- * that bridge is enabled via one of: +- * +- * - &drm_bridge_funcs.enable +- * - &drm_bridge_funcs.atomic_enable +- * +- * If the preceding element of the bridge is a display controller, then +- * this callback is called after the CRTC is enabled via one of: +- * +- * - &drm_crtc_helper_funcs.atomic_enable +- * - &drm_crtc_helper_funcs.commit +- * +- * and the encoder is enabled via one of: +- * +- * - &drm_encoder_helper_funcs.atomic_enable +- * - &drm_encoder_helper_funcs.enable +- * - drm_encoder_helper_funcs.commit +- * + * The @enable callback is optional. + * + * NOTE: +@@ -359,30 +302,17 @@ struct drm_bridge_funcs { + /** + * @atomic_pre_enable: + * ++ * This callback should enable the bridge. It is called right before ++ * the preceding element in the display pipe is enabled. If the ++ * preceding element is a bridge this means it's called before that ++ * bridge's @atomic_pre_enable or @pre_enable function. If the preceding ++ * element is a &drm_encoder it's called right before the encoder's ++ * &drm_encoder_helper_funcs.atomic_enable hook. ++ * + * The display pipe (i.e. clocks and timing signals) feeding this bridge +- * will not yet be running when the @atomic_pre_enable is called. +- * +- * This callback should perform all the necessary actions to prepare the +- * bridge to accept signals from the preceding element. 
+- *
+- * If the preceding element is a &drm_bridge, then this is called before
+- * that bridge is pre-enabled (unless marked otherwise by
+- * @pre_enable_prev_first flag) via one of:
+- *
+- * - &drm_bridge_funcs.pre_enable
+- * - &drm_bridge_funcs.atomic_pre_enable
+- *
+- * If the preceding element of the bridge is a display controller, then
+- * this callback is called before the CRTC is enabled via one of:
+- *
+- * - &drm_crtc_helper_funcs.atomic_enable
+- * - &drm_crtc_helper_funcs.commit
+- *
+- * and the encoder is enabled via one of:
+- *
+- * - &drm_encoder_helper_funcs.atomic_enable
+- * - &drm_encoder_helper_funcs.enable
+- * - &drm_encoder_helper_funcs.commit
++ * will not yet be running when this callback is called. The bridge must
++ * not enable the display link feeding the next bridge in the chain (if
++ * there is one) when this callback is called.
+ *
+ * The @atomic_pre_enable callback is optional.
+ */
+@@ -392,31 +322,18 @@ struct drm_bridge_funcs {
+ /**
+ * @atomic_enable:
+ *
+- * The @atomic_enable callback should enable the bridge.
++ * This callback should enable the bridge. It is called right after
++ * the preceding element in the display pipe is enabled. If the
++ * preceding element is a bridge this means it's called after that
++ * bridge's @atomic_enable or @enable function. If the preceding element
++ * is a &drm_encoder it's called right after the encoder's
++ * &drm_encoder_helper_funcs.atomic_enable hook.
+ *
+ * The bridge can assume that the display pipe (i.e. clocks and timing
+ * signals) feeding it is running when this callback is called. This
+ * callback must enable the display link feeding the next bridge in the
+ * chain if there is one.
+ *
+- * If the preceding element is a &drm_bridge, then this is called after
+- * that bridge is enabled via one of:
+- *
+- * - &drm_bridge_funcs.enable
+- * - &drm_bridge_funcs.atomic_enable
+- *
+- * If the preceding element of the bridge is a display controller, then
+- * this callback is called after the CRTC is enabled via one of:
+- *
+- * - &drm_crtc_helper_funcs.atomic_enable
+- * - &drm_crtc_helper_funcs.commit
+- *
+- * and the encoder is enabled via one of:
+- *
+- * - &drm_encoder_helper_funcs.atomic_enable
+- * - &drm_encoder_helper_funcs.enable
+- * - drm_encoder_helper_funcs.commit
+- *
+ * The @atomic_enable callback is optional.
+ */
+ void (*atomic_enable)(struct drm_bridge *bridge,
+@@ -424,32 +341,16 @@ struct drm_bridge_funcs {
+ /**
+ * @atomic_disable:
+ *
+- * The @atomic_disable callback should disable the bridge.
++ * This callback should disable the bridge. It is called right before
++ * the preceding element in the display pipe is disabled. If the
++ * preceding element is a bridge this means it's called before that
++ * bridge's @atomic_disable or @disable vfunc. If the preceding element
++ * is a &drm_encoder it's called right before the
++ * &drm_encoder_helper_funcs.atomic_disable hook.
+ *
+ * The bridge can assume that the display pipe (i.e. clocks and timing
+ * signals) feeding it is still running when this callback is called.
+ *
+- * If the preceding element is a &drm_bridge, then this is called before
+- * that bridge is disabled via one of:
+- *
+- * - &drm_bridge_funcs.disable
+- * - &drm_bridge_funcs.atomic_disable
+- *
+- * If the preceding element of the bridge is a display controller, then
+- * this callback is called before the encoder is disabled via one of:
+- *
+- * - &drm_encoder_helper_funcs.atomic_disable
+- * - &drm_encoder_helper_funcs.prepare
+- * - &drm_encoder_helper_funcs.disable
+- * - &drm_encoder_helper_funcs.dpms
+- *
+- * and the CRTC is disabled via one of:
+- *
+- * - &drm_crtc_helper_funcs.prepare
+- * - &drm_crtc_helper_funcs.atomic_disable
+- * - &drm_crtc_helper_funcs.disable
+- * - &drm_crtc_helper_funcs.dpms.
+- *
+ * The @atomic_disable callback is optional.
+ */
+ void (*atomic_disable)(struct drm_bridge *bridge,
+@@ -458,34 +359,16 @@ struct drm_bridge_funcs {
+ /**
+ * @atomic_post_disable:
+ *
++ * This callback should disable the bridge. It is called right after the
++ * preceding element in the display pipe is disabled. If the preceding
++ * element is a bridge this means it's called after that bridge's
++ * @atomic_post_disable or @post_disable function. If the preceding
++ * element is a &drm_encoder it's called right after the encoder's
++ * &drm_encoder_helper_funcs.atomic_disable hook.
++ *
+ * The bridge must assume that the display pipe (i.e. clocks and timing
+- * signals) feeding this bridge is no longer running when the
+- * @atomic_post_disable is called.
+- *
+- * This callback should perform all the actions required by the hardware
+- * after it has stopped receiving signals from the preceding element.
+- *
+- * If the preceding element is a &drm_bridge, then this is called after
+- * that bridge is post-disabled (unless marked otherwise by the
+- * @pre_enable_prev_first flag) via one of:
+- *
+- * - &drm_bridge_funcs.post_disable
+- * - &drm_bridge_funcs.atomic_post_disable
+- *
+- * If the preceding element of the bridge is a display controller, then
+- * this callback is called after the encoder is disabled via one of:
+- *
+- * - &drm_encoder_helper_funcs.atomic_disable
+- * - &drm_encoder_helper_funcs.prepare
+- * - &drm_encoder_helper_funcs.disable
+- * - &drm_encoder_helper_funcs.dpms
+- *
+- * and the CRTC is disabled via one of:
+- *
+- * - &drm_crtc_helper_funcs.prepare
+- * - &drm_crtc_helper_funcs.atomic_disable
+- * - &drm_crtc_helper_funcs.disable
+- * - &drm_crtc_helper_funcs.dpms
++ * signals) feeding it is no longer running when this callback is
++ * called.
+ *
+ * The @atomic_post_disable callback is optional.
+ */
+--
+2.52.0
+
diff --git a/queue-6.18/revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch b/queue-6.18/revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch
new file mode 100644
index 0000000000..013d1c4601
--- /dev/null
+++ b/queue-6.18/revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch
@@ -0,0 +1,43 @@
+From 33e8150bd32d7dc25c977bb455f1f5d54bfd5241 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen
+Date: Fri, 5 Dec 2025 11:51:49 +0200
+Subject: Revert "drm/mediatek: dsi: Fix DSI host and panel bridge pre-enable order"
+
+From: Tomi Valkeinen
+
+commit 33e8150bd32d7dc25c977bb455f1f5d54bfd5241 upstream.
+
+This reverts commit f5b1819193667bf62c3c99d3921b9429997a14b2.
+
+As the original commit (c9b1150a68d9 ("drm/atomic-helper: Re-order
+bridge chain pre-enable and post-disable")) causing the issue has been
+reverted, let's revert the fix for mediatek.
+
+Signed-off-by: Tomi Valkeinen
+Cc: stable@vger.kernel.org # v6.17+
+Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
+Reviewed-by: Maxime Ripard
+Reviewed-by: Linus Walleij
+Tested-by: Linus Walleij
+Signed-off-by: Linus Walleij
+Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-2-fda68fa1b3de@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/mediatek/mtk_dsi.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
+@@ -1002,12 +1002,6 @@ static int mtk_dsi_host_attach(struct mi
+ return PTR_ERR(dsi->next_bridge);
+ }
+
+- /*
+- * set flag to request the DSI host bridge be pre-enabled before device bridge
+- * in the chain, so the DSI host is ready when the device bridge is pre-enabled
+- */
+- dsi->next_bridge->pre_enable_prev_first = true;
+-
+ drm_bridge_add(&dsi->bridge);
+
+ ret = component_add(host->dev, &mtk_dsi_component_ops);
diff --git a/queue-6.18/riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch b/queue-6.18/riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch
new file mode 100644
index 0000000000..f056647099
--- /dev/null
+++ b/queue-6.18/riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch
@@ -0,0 +1,60 @@
+From 66562b66dcbc8f93c1e28632299f449bb2f5c47d Mon Sep 17 00:00:00 2001
+From: Vivian Wang
+Date: Tue, 30 Dec 2025 21:39:17 +0800
+Subject: riscv: boot: Always make Image from vmlinux, not vmlinux.unstripped
+
+From: Vivian Wang
+
+commit 66562b66dcbc8f93c1e28632299f449bb2f5c47d upstream.
+
+Since commit 4b47a3aefb29 ("kbuild: Restore pattern to avoid stripping
+.rela.dyn from vmlinux") vmlinux has .rel*.dyn preserved. Therefore, use
+vmlinux to produce Image, not vmlinux.unstripped.
+
+Doing so fixes booting a RELOCATABLE=y Image with kexec. The problem is
+caused by this chain of events:
+
+- Since commit 3e86e4d74c04 ("kbuild: keep .modinfo section in
+ vmlinux.unstripped"), vmlinux.unstripped gets a .modinfo section.
+- The .modinfo section has SHF_ALLOC, so it ends up in Image, at the end
+ of it.
+- The Image header's image_size field does not expect to include
+ .modinfo and does not account for it, since it should not be in Image.
+- If .modinfo is large enough, the file size of Image ends up larger
+ than image_size, which eventually leads to it failing
+ sanity_check_segment_list().
+
+Using vmlinux instead of vmlinux.unstripped means that the unexpected
+.modinfo section is gone from Image, fixing the file size problem.
+
+Cc: stable@vger.kernel.org
+Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped")
+Signed-off-by: Vivian Wang
+Reviewed-by: Nathan Chancellor
+Tested-by: Han Gao
+Link: https://patch.msgid.link/20251230-riscv-vmlinux-not-unstripped-v1-1-15f49df880df@iscas.ac.cn
+Signed-off-by: Paul Walmsley
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/boot/Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/riscv/boot/Makefile b/arch/riscv/boot/Makefile
+index bfc3d0b75b9b..5301adf5f3f5 100644
+--- a/arch/riscv/boot/Makefile
++++ b/arch/riscv/boot/Makefile
+@@ -31,11 +31,7 @@ $(obj)/xipImage: vmlinux FORCE
+
+ endif
+
+-ifdef CONFIG_RELOCATABLE
+-$(obj)/Image: vmlinux.unstripped FORCE
+-else
+ $(obj)/Image: vmlinux FORCE
+-endif
+ $(call if_changed,objcopy)
+
+ $(obj)/Image.gz: $(obj)/Image FORCE
+--
+2.52.0
+
diff --git a/queue-6.18/rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch b/queue-6.18/rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch
new file mode 100644
index 0000000000..3472168d43
--- /dev/null
+++ b/queue-6.18/rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch
@@ -0,0 +1,69 @@
+From 361e0ff456a8daf9753c18030533256e4133ce7a Mon Sep 17 00:00:00 2001
+From: Alice Ryhl
+Date: Tue, 2 Dec 2025 11:24:24 +0000
+Subject: rust_binder: remove spin_lock() in rust_shrink_free_page()
+
+From: Alice Ryhl
+
+commit 361e0ff456a8daf9753c18030533256e4133ce7a upstream.
+
+When forward-porting Rust Binder to 6.18, I neglected to take commit
+fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into
+account, and apparently I did not end up running the shrinker callback
+when I sanity tested the driver before submission. This leads to crashes
+like the following:
+
+ ============================================
+ WARNING: possible recursive locking detected
+ 6.18.0-mainline-maybe-dirty #1 Tainted: G IO
+ --------------------------------------------
+ kswapd0/68 is trying to acquire lock:
+ ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230
+
+ but task is already holding lock:
+ ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&l->lock);
+ lock(&l->lock);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+ 3 locks held by kswapd0/68:
+ #0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160
+ #1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20
+ #2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230
+
+To fix this, remove the spin_lock() call from rust_shrink_free_page().
+
+Cc: stable
+Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
+Signed-off-by: Alice Ryhl
+Link: https://patch.msgid.link/20251202-binder-shrink-unspin-v1-1-263efb9ad625@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder/page_range.rs | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/android/binder/page_range.rs b/drivers/android/binder/page_range.rs
+index 9379038f61f5..fdd97112ef5c 100644
+--- a/drivers/android/binder/page_range.rs
++++ b/drivers/android/binder/page_range.rs
+@@ -727,8 +727,5 @@ fn drop(self: Pin<&mut Self>) {
+ drop(mm);
+ drop(page);
+
+- // SAFETY: We just unlocked the lru lock, but it should be locked when we return.
+- unsafe { bindings::spin_lock(&raw mut (*lru).lock) };
+-
+ LRU_REMOVED_ENTRY
+ }
+--
+2.52.0
+
diff --git a/queue-6.18/series b/queue-6.18/series
new file mode 100644
index 0000000000..ccb492a3f3
--- /dev/null
+++ b/queue-6.18/series
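Review bot: With the `spin_lock()` call and its SAFETY comment removed, nothing at the `LRU_REMOVED_ENTRY` return in `rust_shrink_free_page()` records that the callback now deliberately returns with the lru lock released. The lockdep trace in the commit message shows `lock_list_lru_of_memcg` taking `&l->lock` again while the callback's lock is still held, so the walker presumably re-acquires the lock itself after this return value. A one-line comment such as `// Return with the lru lock released: the list_lru walker takes it again itself, so locking here deadlocks.` would keep the lock from being re-added later. The hunk header names `fn drop` only as context and the function body starts outside the hunk, so the matching unlock is not visible here.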
@@ -0,0 +1,44 @@
+nfsd-fix-permission-check-for-read-access-to-executable-only-files.patch
+nfsd-provide-locking-for-v4_end_grace.patch
+nfsd-use-correct-loop-termination-in-nfsd4_revoke_states.patch
+nfsd-check-that-server-is-running-in-unlock_filesystem.patch
+nfsd-net-ref-data-still-needs-to-be-freed-even-if-net-hasn-t-startup.patch
+nfsd-remove-nfserr_eagain.patch
+atm-fix-dma_free_coherent-size.patch
+net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
+net-do-not-write-to-msg_get_inq-in-callee.patch
+arm64-fix-cleared-e0poe-bit-after-cpu_suspend-resume.patch
+bnxt_en-fix-null-pointer-crash-in-bnxt_ptp_enable-during-error-cleanup.patch
+btrfs-always-detect-conflicting-inodes-when-logging-inode-refs.patch
+mei-me-add-nova-lake-point-s-did.patch
+rust_binder-remove-spin_lock-in-rust_shrink_free_page.patch
+lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
+counter-104-quad-8-fix-incorrect-return-value-in-irq-handler.patch
+counter-interrupt-cnt-drop-irqf_no_thread-flag.patch
+tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch
+riscv-boot-always-make-image-from-vmlinux-not-vmlinux.unstripped.patch
+nouveau-don-t-attempt-fwsec-on-sb-on-newer-platforms.patch
+revert-drm-atomic-helper-re-order-bridge-chain-pre-enable-and-post-disable.patch
+alsa-ac97-fix-a-double-free-in-snd_ac97_controller_register.patch
+alsa-hda-tas2781-properly-initialize-speaker_id-for-tas2563.patch
+arm64-dts-imx95-correct-i3c2-pclk-to-imx95_clk_buswakeup.patch
+drm-amd-display-apply-e4479aecf658-to-dml.patch
+drm-amdgpu-fix-query-for-vpe-block_type-and-ip_count.patch
+drm-atomic-helper-export-and-namespace-some-functions.patch
+drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
+drm-tidss-fix-enable-disable-order.patch
+drm-radeon-remove-__counted_by-from-clockinfoarray.clockinfo.patch
+gpio-rockchip-mark-the-gpio-controller-as-sleeping.patch
+io_uring-io-wq-fix-incorrect-io_wq_for_each_worker-termination-logic.patch
+pci-meson-report-that-link-is-up-while-in-aspm-l0s-and-l1-states.patch
+pinctrl-qcom-lpass-lpi-mark-the-gpio-controller-as-sleeping.patch
+pm-hibernate-fix-crash-when-freeing-invalid-crypto-compressor.patch
+revert-drm-mediatek-dsi-fix-dsi-host-and-panel-bridge-pre-enable-order.patch
+wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
+wifi-mac80211-restore-non-chanctx-injection-behaviour.patch
+libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
+libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
+libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
+libceph-return-the-handler-error-from-mon_handle_auth_done.patch
+libceph-reset-sparse-read-state-in-osd_fault.patch
+libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
diff --git a/queue-6.18/tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch b/queue-6.18/tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch
new file mode 100644
index 0000000000..2a23d99fec
--- /dev/null
+++ b/queue-6.18/tracing-add-recursion-protection-in-kernel-stack-trace-recording.patch
@@ -0,0 +1,90 @@
+From 5f1ef0dfcb5b7f4a91a9b0e0ba533efd9f7e2cdb Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Mon, 5 Jan 2026 20:31:41 -0500
+Subject: tracing: Add recursion protection in kernel stack trace recording
+
+From: Steven Rostedt
+
+commit 5f1ef0dfcb5b7f4a91a9b0e0ba533efd9f7e2cdb upstream.
+
+A bug was reported about an infinite recursion caused by tracing the rcu
+events with the kernel stack trace trigger enabled. The stack trace code
+called back into RCU which then called the stack trace again.
+
+Expand the ftrace recursion protection to add a set of bits to protect
+events from recursion. Each bit represents the context that the event is
+in (normal, softirq, interrupt and NMI).
+
+Have the stack trace code use the interrupt context to protect against
+recursion.
+
+Note, the bug showed an issue in both the RCU code as well as the tracing
+stacktrace code. This only handles the tracing stack trace side of the
+bug. The RCU fix will be handled separately.
+
+Link: https://lore.kernel.org/all/20260102122807.7025fc87@gandalf.local.home/
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu
+Cc: Mathieu Desnoyers
+Cc: Joel Fernandes
+Cc: "Paul E. McKenney"
+Cc: Boqun Feng
+Link: https://patch.msgid.link/20260105203141.515cd49f@gandalf.local.home
+Reported-by: Yao Kai
+Tested-by: Yao Kai
+Fixes: 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()")
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/trace_recursion.h | 9 +++++++++
+ kernel/trace/trace.c | 6 ++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/include/linux/trace_recursion.h
++++ b/include/linux/trace_recursion.h
+@@ -34,6 +34,13 @@ enum {
+ TRACE_INTERNAL_SIRQ_BIT,
+ TRACE_INTERNAL_TRANSITION_BIT,
+
++ /* Internal event use recursion bits */
++ TRACE_INTERNAL_EVENT_BIT,
++ TRACE_INTERNAL_EVENT_NMI_BIT,
++ TRACE_INTERNAL_EVENT_IRQ_BIT,
++ TRACE_INTERNAL_EVENT_SIRQ_BIT,
++ TRACE_INTERNAL_EVENT_TRANSITION_BIT,
++
+ TRACE_BRANCH_BIT,
+ /*
+ * Abuse of the trace_recursion.
+@@ -58,6 +65,8 @@ enum {
+
+ #define TRACE_LIST_START TRACE_INTERNAL_BIT
+
++#define TRACE_EVENT_START TRACE_INTERNAL_EVENT_BIT
++
+ #define TRACE_CONTEXT_MASK ((1 << (TRACE_LIST_START + TRACE_CONTEXT_BITS)) - 1)
+
+ /*
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -3003,6 +3003,11 @@ static void __ftrace_trace_stack(struct
+ struct ftrace_stack *fstack;
+ struct stack_entry *entry;
+ int stackidx;
++ int bit;
++
++ bit = trace_test_and_set_recursion(_THIS_IP_, _RET_IP_, TRACE_EVENT_START);
++ if (bit < 0)
++ return;
+
+ /*
+ * Add one, for this function and the call to save_stack_trace()
+@@ -3071,6 +3076,7 @@ static void __ftrace_trace_stack(struct
+ /* Again, don't let gcc optimize things here */
+ barrier();
+ __this_cpu_dec(ftrace_stack_reserve);
++ trace_clear_recursion(bit);
+ }
+
+ static inline void ftrace_trace_stack(struct trace_array *tr,
diff --git a/queue-6.18/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch b/queue-6.18/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
new file mode 100644
index 0000000000..23fa1cb08f
--- /dev/null
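Review bot: The early `return` added to `__ftrace_trace_stack()` for `bit < 0` drops the stack trace silently and has no comment, so the reason for bailing out can only be recovered from the commit message. A short comment above the check, e.g. `/* Stack tracing re-entered in this context (seen via RCU events): skip this trace */`, would document it, and the new `TRACE_EVENT_START` define could note that it is the start bit passed to `trace_test_and_set_recursion()` for events. The body between the two trace.c hunks is outside the diff, so it cannot be confirmed from here that every exit path after the check reaches `trace_clear_recursion(bit)`. A path that returned without clearing would presumably leave the bit set and suppress later stack traces in that context.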
+++ b/queue-6.18/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch 
@@ -0,0 +1,59 @@
+From 21cbf883d073abbfe09e3924466aa5e0449e7261 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 8 Jan 2026 10:19:27 +0000
+Subject: wifi: avoid kernel-infoleak from struct iw_point
+
+From: Eric Dumazet
+
+commit 21cbf883d073abbfe09e3924466aa5e0449e7261 upstream.
+
+struct iw_point has a 32bit hole on 64bit arches.
+
+struct iw_point {
+ void __user *pointer; /* Pointer to the data (in user space) */
+ __u16 length; /* number of fields or size in bytes */
+ __u16 flags; /* Optional params */
+};
+
+Make sure to zero the structure to avoid disclosing 32bits of kernel data
+to user space.
+
+Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c")
+Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/wext-core.c | 4 ++++
+ net/wireless/wext-priv.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -1101,6 +1101,10 @@ static int compat_standard_call(struct n
+ return ioctl_standard_call(dev, iwr, cmd, info, handler);
+
+ iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++ /* struct iw_point has a 32bit hole on 64bit arches. */
++ memset(&iwp, 0, sizeof(iwp));
++
+ iwp.pointer = compat_ptr(iwp_compat->pointer);
+ iwp.length = iwp_compat->length;
+ iwp.flags = iwp_compat->flags;
+--- a/net/wireless/wext-priv.c
++++ b/net/wireless/wext-priv.c
+@@ -228,6 +228,10 @@ int compat_private_call(struct net_devic
+ struct iw_point iwp;
+
+ iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++ /* struct iw_point has a 32bit hole on 64bit arches. */
++ memset(&iwp, 0, sizeof(iwp));
++
+ iwp.pointer = compat_ptr(iwp_compat->pointer);
+ iwp.length = iwp_compat->length;
+ iwp.flags = iwp_compat->flags;
diff --git a/queue-6.18/wifi-mac80211-restore-non-chanctx-injection-behaviour.patch b/queue-6.18/wifi-mac80211-restore-non-chanctx-injection-behaviour.patch
new file mode 100644
index 0000000000..ffe962babc
--- /dev/null
+++ b/queue-6.18/wifi-mac80211-restore-non-chanctx-injection-behaviour.patch
@@ -0,0 +1,40 @@
+From d594cc6f2c588810888df70c83a9654b6bc7942d Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 16 Dec 2025 11:52:42 +0100
+Subject: wifi: mac80211: restore non-chanctx injection behaviour
+
+From: Johannes Berg
+
+commit d594cc6f2c588810888df70c83a9654b6bc7942d upstream.
+
+During the transition to use channel contexts throughout, the
+ability to do injection while in monitor mode concurrent with
+another interface was lost, since the (virtual) monitor won't
+have a chanctx assigned in this scenario.
+
+It's harder to fix drivers that actually transitioned to using
+channel contexts themselves, such as mt76, but it's easy to do
+those that are (still) just using the emulation. Do that.
+
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218763
+Reported-and-tested-by: Oscar Alfonso Diaz
+Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers")
+Link: https://patch.msgid.link/20251216105242.18366-2-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -2395,6 +2395,8 @@ netdev_tx_t ieee80211_monitor_start_xmit
+
+ if (chanctx_conf)
+ chandef = &chanctx_conf->def;
++ else if (local->emulate_chanctx)
++ chandef = &local->hw.conf.chandef;
+ else
+ goto fail_rcu;
+
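Review bot: The comment added before both `memset(&iwp, 0, sizeof(iwp))` calls, in `compat_standard_call()` and `compat_private_call()`, says the struct has a hole but not why that matters, which makes the memset look removable in a later cleanup. Stating the consequence keeps the fix in place: `/* struct iw_point has a 32bit hole on 64bit arches; zero it so uninitialised stack bytes cannot reach user space. */`. It is also worth noting in review that an initialiser such as `= { 0 }` is not an equivalent replacement, because it is not guaranteed to clear padding. Both functions continue outside their hunks, so the point where `iwp` is copied out is not visible here.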
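Review bot: The new `else if (local->emulate_chanctx)` branch in `ieee80211_monitor_start_xmit()` has no comment saying when `chanctx_conf` is NULL yet injection is still permitted. Something like `/* virtual monitor has no chanctx; with chanctx emulation the current channel is in hw.conf.chandef */` would make the fallback readable without the commit message. The function continues outside the hunk, so it is not visible whether the fallback `chandef` passes the same validity and regulatory checks as the chanctx one before an injected frame is sent on it; that is worth confirming on this path.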