From: Greg Kroah-Hartman Date: Thu, 8 Jan 2026 16:27:36 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.1.160~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a11fe17592e72b2224c57e2eb3cc0d17b7d444c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: asoc-stm-use-dev_err_probe-helper.patch asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch leds-leds-lp50xx-enable-chip-before-any-communication.patch leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch leds-lp50xx-reduce-level-of-dereferences.patch leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch lockd-fix-vfs_test_lock-calls.patch media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch media-vpif_capture-fix-section-mismatch.patch mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch mm-mprotect-use-long-for-page-accountings-and-retval.patch nfsd-nfsv4-file-creation-neglects-setting-acl.patch ovl-use-buf-flexible-array-for-memcpy-destination.patch pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch pmdomain-use-device_get_match_data.patch powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch scsi-iscsi-move-pool-freeing.patch scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch 
soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch --- diff --git a/queue-5.10/asoc-stm-use-dev_err_probe-helper.patch b/queue-5.10/asoc-stm-use-dev_err_probe-helper.patch new file mode 100644 index 0000000000..24992ab36d --- /dev/null +++ b/queue-5.10/asoc-stm-use-dev_err_probe-helper.patch 
@@ -0,0 +1,307 @@ +From stable+bounces-204812-greg=kroah.com@vger.kernel.org Mon Jan 5 15:40:46 2026 +From: Sasha Levin +Date: Mon, 5 Jan 2026 09:36:24 -0500 +Subject: ASoC: stm: Use dev_err_probe() helper +To: stable@vger.kernel.org +Cc: Kuninori Morimoto , Mark Brown , Sasha Levin +Message-ID: <20260105143626.2605607-1-sashal@kernel.org> + +From: Kuninori Morimoto + +[ Upstream commit efc162cbd480f1fb47d439c193ec9731bcc6c749 ] + +Use the dev_err_probe() helper, instead of open-coding the same +operation. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/20211214020843.2225831-22-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 312ec2f0d9d1 ("ASoC: stm32: sai: fix clk prepare imbalance on probe failure") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/stm/stm32_i2s.c | 62 ++++++++++++++---------------------------- + sound/soc/stm/stm32_sai.c | 37 ++++++++----------------- + sound/soc/stm/stm32_sai_sub.c | 25 +++++----------- + sound/soc/stm/stm32_spdifrx.c | 44 ++++++++++------------------- + 4 files changed, 57 insertions(+), 111 deletions(-) + +--- a/sound/soc/stm/stm32_i2s.c ++++ b/sound/soc/stm/stm32_i2s.c +@@ -830,36 +830,24 @@ static int stm32_i2s_parse_dt(struct pla + + /* Get clocks */ + i2s->pclk = devm_clk_get(&pdev->dev, "pclk"); +- if (IS_ERR(i2s->pclk)) { +- if (PTR_ERR(i2s->pclk) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Could not get pclk: %ld\n", +- PTR_ERR(i2s->pclk)); +- return PTR_ERR(i2s->pclk); +- } ++ if (IS_ERR(i2s->pclk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->pclk), ++ "Could not get pclk\n"); + + i2s->i2sclk = devm_clk_get(&pdev->dev, "i2sclk"); +- if (IS_ERR(i2s->i2sclk)) { +- if (PTR_ERR(i2s->i2sclk) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Could not get i2sclk: %ld\n", +- PTR_ERR(i2s->i2sclk)); +- return PTR_ERR(i2s->i2sclk); +- } ++ if (IS_ERR(i2s->i2sclk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->i2sclk), ++ "Could not get i2sclk\n"); + + 
i2s->x8kclk = devm_clk_get(&pdev->dev, "x8k"); +- if (IS_ERR(i2s->x8kclk)) { +- if (PTR_ERR(i2s->x8kclk) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Could not get x8k parent clock: %ld\n", +- PTR_ERR(i2s->x8kclk)); +- return PTR_ERR(i2s->x8kclk); +- } ++ if (IS_ERR(i2s->x8kclk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->x8kclk), ++ "Could not get x8k parent clock\n"); + + i2s->x11kclk = devm_clk_get(&pdev->dev, "x11k"); +- if (IS_ERR(i2s->x11kclk)) { +- if (PTR_ERR(i2s->x11kclk) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Could not get x11k parent clock: %ld\n", +- PTR_ERR(i2s->x11kclk)); +- return PTR_ERR(i2s->x11kclk); +- } ++ if (IS_ERR(i2s->x11kclk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->x11kclk), ++ "Could not get x11k parent clock\n"); + + /* Get irqs */ + irq = platform_get_irq(pdev, 0); +@@ -875,12 +863,10 @@ static int stm32_i2s_parse_dt(struct pla + + /* Reset */ + rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL); +- if (IS_ERR(rst)) { +- if (PTR_ERR(rst) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Reset controller error %ld\n", +- PTR_ERR(rst)); +- return PTR_ERR(rst); +- } ++ if (IS_ERR(rst)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(rst), ++ "Reset controller error\n"); ++ + reset_control_assert(rst); + udelay(2); + reset_control_deassert(rst); +@@ -922,19 +908,13 @@ static int stm32_i2s_probe(struct platfo + + i2s->regmap = devm_regmap_init_mmio_clk(&pdev->dev, "pclk", + i2s->base, i2s->regmap_conf); +- if (IS_ERR(i2s->regmap)) { +- if (PTR_ERR(i2s->regmap) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Regmap init error %ld\n", +- PTR_ERR(i2s->regmap)); +- return PTR_ERR(i2s->regmap); +- } ++ if (IS_ERR(i2s->regmap)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->regmap), ++ "Regmap init error\n"); + + ret = snd_dmaengine_pcm_register(&pdev->dev, &stm32_i2s_pcm_config, 0); +- if (ret) { +- if (ret != -EPROBE_DEFER) +- dev_err(&pdev->dev, "PCM DMA register error %d\n", ret); +- return ret; +- } ++ if (ret) ++ return 
dev_err_probe(&pdev->dev, ret, "PCM DMA register error\n"); + + ret = snd_soc_register_component(&pdev->dev, &stm32_i2s_component, + i2s->dai_drv, 1); +--- a/sound/soc/stm/stm32_sai.c ++++ b/sound/soc/stm/stm32_sai.c +@@ -173,29 +173,20 @@ static int stm32_sai_probe(struct platfo + + if (!STM_SAI_IS_F4(sai)) { + sai->pclk = devm_clk_get(&pdev->dev, "pclk"); +- if (IS_ERR(sai->pclk)) { +- if (PTR_ERR(sai->pclk) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "missing bus clock pclk: %ld\n", +- PTR_ERR(sai->pclk)); +- return PTR_ERR(sai->pclk); +- } ++ if (IS_ERR(sai->pclk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(sai->pclk), ++ "missing bus clock pclk\n"); + } + + sai->clk_x8k = devm_clk_get(&pdev->dev, "x8k"); +- if (IS_ERR(sai->clk_x8k)) { +- if (PTR_ERR(sai->clk_x8k) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "missing x8k parent clock: %ld\n", +- PTR_ERR(sai->clk_x8k)); +- return PTR_ERR(sai->clk_x8k); +- } ++ if (IS_ERR(sai->clk_x8k)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(sai->clk_x8k), ++ "missing x8k parent clock\n"); + + sai->clk_x11k = devm_clk_get(&pdev->dev, "x11k"); +- if (IS_ERR(sai->clk_x11k)) { +- if (PTR_ERR(sai->clk_x11k) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "missing x11k parent clock: %ld\n", +- PTR_ERR(sai->clk_x11k)); +- return PTR_ERR(sai->clk_x11k); +- } ++ if (IS_ERR(sai->clk_x11k)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(sai->clk_x11k), ++ "missing x11k parent clock\n"); + + /* init irqs */ + sai->irq = platform_get_irq(pdev, 0); +@@ -204,12 +195,10 @@ static int stm32_sai_probe(struct platfo + + /* reset */ + rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL); +- if (IS_ERR(rst)) { +- if (PTR_ERR(rst) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Reset controller error %ld\n", +- PTR_ERR(rst)); +- return PTR_ERR(rst); +- } ++ if (IS_ERR(rst)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(rst), ++ "Reset controller error\n"); ++ + reset_control_assert(rst); + udelay(2); + reset_control_deassert(rst); +--- 
a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -1380,12 +1380,9 @@ static int stm32_sai_sub_parse_of(struct + */ + sai->regmap = devm_regmap_init_mmio(&pdev->dev, base, + sai->regmap_config); +- if (IS_ERR(sai->regmap)) { +- if (PTR_ERR(sai->regmap) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Regmap init error %ld\n", +- PTR_ERR(sai->regmap)); +- return PTR_ERR(sai->regmap); +- } ++ if (IS_ERR(sai->regmap)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(sai->regmap), ++ "Regmap init error\n"); + + /* Get direction property */ + if (of_property_match_string(np, "dma-names", "tx") >= 0) { +@@ -1473,12 +1470,9 @@ static int stm32_sai_sub_parse_of(struct + + of_node_put(args.np); + sai->sai_ck = devm_clk_get(&pdev->dev, "sai_ck"); +- if (IS_ERR(sai->sai_ck)) { +- if (PTR_ERR(sai->sai_ck) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Missing kernel clock sai_ck: %ld\n", +- PTR_ERR(sai->sai_ck)); +- return PTR_ERR(sai->sai_ck); +- } ++ if (IS_ERR(sai->sai_ck)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck), ++ "Missing kernel clock sai_ck\n"); + + ret = clk_prepare(sai->pdata->pclk); + if (ret < 0) +@@ -1552,11 +1546,8 @@ static int stm32_sai_sub_probe(struct pl + conf = &stm32_sai_pcm_config_spdif; + + ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0); +- if (ret) { +- if (ret != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Could not register pcm dma\n"); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n"); + + ret = snd_soc_register_component(&pdev->dev, &stm32_component, + &sai->cpu_dai_drv, 1); +--- a/sound/soc/stm/stm32_spdifrx.c ++++ b/sound/soc/stm/stm32_spdifrx.c +@@ -405,12 +405,9 @@ static int stm32_spdifrx_dma_ctrl_regist + int ret; + + spdifrx->ctrl_chan = dma_request_chan(dev, "rx-ctrl"); +- if (IS_ERR(spdifrx->ctrl_chan)) { +- if (PTR_ERR(spdifrx->ctrl_chan) != -EPROBE_DEFER) +- dev_err(dev, "dma_request_slave_channel error %ld\n", +- PTR_ERR(spdifrx->ctrl_chan)); +- return 
PTR_ERR(spdifrx->ctrl_chan); +- } ++ if (IS_ERR(spdifrx->ctrl_chan)) ++ return dev_err_probe(dev, PTR_ERR(spdifrx->ctrl_chan), ++ "dma_request_slave_channel error\n"); + + spdifrx->dmab = devm_kzalloc(dev, sizeof(struct snd_dma_buffer), + GFP_KERNEL); +@@ -930,12 +927,9 @@ static int stm32_spdifrx_parse_of(struct + spdifrx->phys_addr = res->start; + + spdifrx->kclk = devm_clk_get(&pdev->dev, "kclk"); +- if (IS_ERR(spdifrx->kclk)) { +- if (PTR_ERR(spdifrx->kclk) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Could not get kclk: %ld\n", +- PTR_ERR(spdifrx->kclk)); +- return PTR_ERR(spdifrx->kclk); +- } ++ if (IS_ERR(spdifrx->kclk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(spdifrx->kclk), ++ "Could not get kclk\n"); + + spdifrx->irq = platform_get_irq(pdev, 0); + if (spdifrx->irq < 0) +@@ -986,12 +980,9 @@ static int stm32_spdifrx_probe(struct pl + spdifrx->regmap = devm_regmap_init_mmio_clk(&pdev->dev, "kclk", + spdifrx->base, + spdifrx->regmap_conf); +- if (IS_ERR(spdifrx->regmap)) { +- if (PTR_ERR(spdifrx->regmap) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Regmap init error %ld\n", +- PTR_ERR(spdifrx->regmap)); +- return PTR_ERR(spdifrx->regmap); +- } ++ if (IS_ERR(spdifrx->regmap)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(spdifrx->regmap), ++ "Regmap init error\n"); + + ret = devm_request_irq(&pdev->dev, spdifrx->irq, stm32_spdifrx_isr, 0, + dev_name(&pdev->dev), spdifrx); +@@ -1001,23 +992,18 @@ static int stm32_spdifrx_probe(struct pl + } + + rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL); +- if (IS_ERR(rst)) { +- if (PTR_ERR(rst) != -EPROBE_DEFER) +- dev_err(&pdev->dev, "Reset controller error %ld\n", +- PTR_ERR(rst)); +- return PTR_ERR(rst); +- } ++ if (IS_ERR(rst)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(rst), ++ "Reset controller error\n"); ++ + reset_control_assert(rst); + udelay(2); + reset_control_deassert(rst); + + pcm_config = &stm32_spdifrx_pcm_config; + ret = snd_dmaengine_pcm_register(&pdev->dev, pcm_config, 0); +- if (ret) { 
+- if (ret != -EPROBE_DEFER) +- dev_err(&pdev->dev, "PCM DMA register error %d\n", ret); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "PCM DMA register error\n"); + + ret = snd_soc_register_component(&pdev->dev, + &stm32_spdifrx_component, diff --git a/queue-5.10/asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch b/queue-5.10/asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch new file mode 100644 index 0000000000..e6396c241e --- /dev/null +++ b/queue-5.10/asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch 
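Review bot: In stm32_spdifrx_dma_ctrl_register() (sound/soc/stm/stm32_spdifrx.c) the converted message still reads "dma_request_slave_channel error", although the call directly above it is `dma_request_chan(dev, "rx-ctrl")`, so the log names a function the driver does not call. Since the line is rewritten anyway, `return dev_err_probe(dev, PTR_ERR(spdifrx->ctrl_chan), "Could not request rx-ctrl DMA channel\n");` would make a failed probe easier to trace from the log. Dropping the `%ld`/`%d` arguments elsewhere in the patch loses nothing, because dev_err_probe() prints the error code itself. The function bodies start and end outside the hunks.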
@@ -0,0 +1,93 @@ +From stable+bounces-204814-greg=kroah.com@vger.kernel.org Mon Jan 5 15:40:55 2026 +From: Sasha Levin +Date: Mon, 5 Jan 2026 09:36:26 -0500 +Subject: ASoC: stm32: sai: fix clk prepare imbalance on probe failure +To: stable@vger.kernel.org +Cc: Johan Hovold , Olivier Moysan , olivier moysan , Mark Brown , Sasha Levin +Message-ID: <20260105143626.2605607-3-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 312ec2f0d9d1a5656f76d770bbf1d967e9289aa7 ] + +Make sure to unprepare the parent clock also on probe failures (e.g. +probe deferral). + +Fixes: a14bf98c045b ("ASoC: stm32: sai: fix possible circular locking") +Cc: stable@vger.kernel.org # 5.5 +Cc: Olivier Moysan +Signed-off-by: Johan Hovold +Reviewed-by: olivier moysan +Link: https://patch.msgid.link/20251124104908.15754-3-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/stm/stm32_sai_sub.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -1485,14 +1485,21 @@ static int stm32_sai_sub_parse_of(struct + if (of_find_property(np, "#clock-cells", NULL)) { + ret = stm32_sai_add_mclk_provider(sai); + if (ret < 0) +- return ret; ++ goto err_unprepare_pclk; + } else { + sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK"); +- if (IS_ERR(sai->sai_mclk)) +- return PTR_ERR(sai->sai_mclk); ++ if (IS_ERR(sai->sai_mclk)) { ++ ret = PTR_ERR(sai->sai_mclk); ++ goto err_unprepare_pclk; ++ } + } + + return 0; ++ ++err_unprepare_pclk: ++ clk_unprepare(sai->pdata->pclk); ++ ++ return ret; + } + + static int stm32_sai_sub_probe(struct platform_device *pdev) +@@ -1536,26 +1543,33 @@ static int stm32_sai_sub_probe(struct pl + IRQF_SHARED, dev_name(&pdev->dev), sai); + if (ret) { + dev_err(&pdev->dev, "IRQ request returned %d\n", ret); +- return ret; ++ goto err_unprepare_pclk; + } + + if (STM_SAI_PROTOCOL_IS_SPDIF(sai)) 
+ conf = &stm32_sai_pcm_config_spdif; + + ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0); +- if (ret) +- return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n"); ++ if (ret) { ++ ret = dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n"); ++ goto err_unprepare_pclk; ++ } + + ret = snd_soc_register_component(&pdev->dev, &stm32_component, + &sai->cpu_dai_drv, 1); + if (ret) { + snd_dmaengine_pcm_unregister(&pdev->dev); +- return ret; ++ goto err_unprepare_pclk; + } + + pm_runtime_enable(&pdev->dev); + + return 0; ++ ++err_unprepare_pclk: ++ clk_unprepare(sai->pdata->pclk); ++ ++ return ret; + } + + static int stm32_sai_sub_remove(struct platform_device *pdev) diff --git a/queue-5.10/asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch b/queue-5.10/asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch new file mode 100644 index 0000000000..701307eabd --- /dev/null +++ b/queue-5.10/asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch 
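Review bot: The new `err_unprepare_pclk` label in stm32_sai_sub_probe() undoes a `clk_prepare(sai->pdata->pclk)` that is not made in this function, and nothing at the label says so. The only prepare visible in this queue is in stm32_sai_sub_parse_of(). A comment above the `clk_unprepare()` call, such as `/* Balances clk_prepare() done in stm32_sai_sub_parse_of() */`, would make the pairing explicit. That guards against a later edit adding an early `return ret` after parse_of, or unpreparing a second time. Both functions begin outside the hunks, so any earlier return paths in probe are not visible here.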
@@ -0,0 +1,43 @@ +From stable+bounces-204813-greg=kroah.com@vger.kernel.org Mon Jan 5 15:36:36 2026 +From: Sasha Levin +Date: Mon, 5 Jan 2026 09:36:25 -0500 +Subject: ASoC: stm32: sai: Use the devm_clk_get_optional() helper +To: stable@vger.kernel.org +Cc: Christophe JAILLET , Mark Brown , Sasha Levin +Message-ID: <20260105143626.2605607-2-sashal@kernel.org> + +From: Christophe JAILLET + +[ Upstream commit 374628fb668e50b42fe81f2a63af616182415bcd ] + +Use devm_clk_get_optional() instead of hand writing it. +This saves some LoC and improves the semantic. + +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/f7987f18dadf77bfa09969fd4c82d5a0f4e4e3b7.1684594838.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Stable-dep-of: 312ec2f0d9d1 ("ASoC: stm32: sai: fix clk prepare imbalance on probe failure") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/stm/stm32_sai_sub.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -1487,12 +1487,9 @@ static int stm32_sai_sub_parse_of(struct + if (ret < 0) + return ret; + } else { +- sai->sai_mclk = devm_clk_get(&pdev->dev, "MCLK"); +- if (IS_ERR(sai->sai_mclk)) { +- if (PTR_ERR(sai->sai_mclk) != -ENOENT) +- return PTR_ERR(sai->sai_mclk); +- sai->sai_mclk = NULL; +- } ++ sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK"); ++ if (IS_ERR(sai->sai_mclk)) ++ return PTR_ERR(sai->sai_mclk); + } + + return 0; diff --git a/queue-5.10/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch b/queue-5.10/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch new file mode 100644 index 0000000000..09e8da46b8 --- /dev/null +++ b/queue-5.10/btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch 
@@ -0,0 +1,65 @@ +From stable+bounces-203280-greg=kroah.com@vger.kernel.org Tue Dec 23 09:02:55 2025 +From: Keerthana K +Date: Tue, 23 Dec 2025 08:00:41 +0000 +Subject: btrfs: do not clean up repair bio if submit fails +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: clm@fb.com, josef@toxicpanda.com, dsterba@suse.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Boris Burkov , Bin Lan , He Zhe , Keerthana K +Message-ID: <20251223080041.1428811-1-keerthana.kalyanasundaram@broadcom.com> + +From: Josef Bacik + +[ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ] + +The submit helper will always run bio_endio() on the bio if it fails to +submit, so cleaning up the bio just leads to a variety of use-after-free +and NULL pointer dereference bugs because we race with the endio +function that is cleaning up the bio. Instead just return BLK_STS_OK as +the repair function has to continue to process the rest of the pages, +and the endio for the repair bio will do the appropriate cleanup for the +page that it was given. + +Reviewed-by: Boris Burkov +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +[Minor context change fixed.] 
+Signed-off-by: Bin Lan +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +[ Keerthana: Backported the patch to v5.10.y ] +Signed-off-by: Keerthana K +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2655,7 +2655,6 @@ blk_status_t btrfs_submit_read_repair(st + bool need_validation; + struct bio *repair_bio; + struct btrfs_io_bio *repair_io_bio; +- blk_status_t status; + + btrfs_debug(fs_info, + "repair read error: read error at %llu", start); +@@ -2699,13 +2698,13 @@ blk_status_t btrfs_submit_read_repair(st + "repair read error: submitting new read to mirror %d, in_validation=%d", + failrec->this_mirror, failrec->in_validation); + +- status = submit_bio_hook(inode, repair_bio, failrec->this_mirror, +- failrec->bio_flags); +- if (status) { +- free_io_failure(failure_tree, tree, failrec); +- bio_put(repair_bio); +- } +- return status; ++ /* ++ * At this point we have a bio, so any errors from submit_bio_hook() ++ * will be handled by the endio on the repair_bio, so we can't return an ++ * error here. ++ */ ++ submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_flags); ++ return BLK_STS_OK; + } + + /* lots and lots of room for performance fixes in the end_bio funcs */ diff --git a/queue-5.10/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch b/queue-5.10/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch new file mode 100644 index 0000000000..fda2b03b1a --- /dev/null +++ b/queue-5.10/bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch 
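Review bot: The return value of `submit_bio_hook()` is now discarded at the end of btrfs_submit_read_repair(), which is only safe if every callback passed as `submit_bio_hook` calls bio_endio() on each of its own failure paths. Otherwise the repair bio and `failrec` are never released. The commit text states that property for the upstream helper, but this is a 5.10 backport and the callbacks are not visible in the hunk, so it should be confirmed against the 5.10 implementations. I would extend the new comment to state the contract, e.g. `* Every submit_bio_hook implementation must end the bio on failure; never free it here.` The function starts outside the hunk.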
@@ -0,0 +1,53 @@ +From stable+bounces-203278-greg=kroah.com@vger.kernel.org Tue Dec 23 08:49:27 2025 +From: Keerthana K +Date: Tue, 23 Dec 2025 07:46:25 +0000 +Subject: bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove() +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: stuyoder@gmail.com, laurentiu.tudor@nxp.com, Bharat.Bhushan@nxp.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Shin'ichiro Kawasaki , Keerthana K +Message-ID: <20251223074625.1428715-1-keerthana.kalyanasundaram@broadcom.com> + +From: Shin'ichiro Kawasaki + +commit 928ea98252ad75118950941683893cf904541da9 upstream. + +In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to +fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in +fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io +triggers KASAN use-after-free. To avoid the use-after-free, keep the +reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to +fsl_destroy_mc_io(). + +This patch needs rework to apply to kernels older than v5.15. 
+ +Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io") +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Shin'ichiro Kawasaki +Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Greg Kroah-Hartman +[ Keerthana: Backported the patch to v5.10.y ] +Signed-off-by: Keerthana K +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -1085,14 +1085,14 @@ error_cleanup_mc_io: + static int fsl_mc_bus_remove(struct platform_device *pdev) + { + struct fsl_mc *mc = platform_get_drvdata(pdev); ++ struct fsl_mc_io *mc_io; + + if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev)) + return -EINVAL; + ++ mc_io = mc->root_mc_bus_dev->mc_io; + fsl_mc_device_remove(mc->root_mc_bus_dev); +- +- fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io); +- mc->root_mc_bus_dev->mc_io = NULL; ++ fsl_destroy_mc_io(mc_io); + + return 0; + } diff --git a/queue-5.10/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch b/queue-5.10/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch new file mode 100644 index 0000000000..2fe08239b5 --- /dev/null +++ b/queue-5.10/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch 
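Review bot: After `fsl_mc_device_remove(mc->root_mc_bus_dev);` in fsl_mc_bus_remove(), `mc->root_mc_bus_dev` still holds the pointer that the commit message says has just been freed. The fix removes the one dereference KASAN caught but leaves the stale pointer in `mc`. Adding `mc->root_mc_bus_dev = NULL;` after the remove call would turn any later access into an immediate NULL fault instead of a use-after-free. Whether `mc` is read again after remove is not visible here. A comment on the new assignment, `/* fsl_mc_device_remove() frees root_mc_bus_dev, so take mc_io first */`, would also keep the ordering from being "simplified" back.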
@@ -0,0 +1,53 @@ +From stable+bounces-204627-greg=kroah.com@vger.kernel.org Mon Jan 5 11:19:06 2026 +From: Shivani Agarwal +Date: Mon, 5 Jan 2026 01:57:01 -0800 +Subject: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: sudeep.holla@arm.com, cristian.marussi@arm.com, rafael@kernel.org, viresh.kumar@linaro.org, arm-scmi@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Henry Martin , Sasha Levin , Shivani Agarwal +Message-ID: <20260105095701.659420-1-shivani.agarwal@broadcom.com> + +From: Henry Martin + +[ Upstream commit 484d3f15cc6cbaa52541d6259778e715b2c83c54 ] + +cpufreq_cpu_get_raw() can return NULL when the target CPU is not present +in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for +this case, which results in a NULL pointer dereference. + +Add NULL check after cpufreq_cpu_get_raw() to prevent this issue. 
+ +Fixes: 99d6bdf33877 ("cpufreq: add support for CPU DVFS based on SCMI message protocol") +Signed-off-by: Henry Martin +Acked-by: Sudeep Holla +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +[Shivani: Modified to apply on 5.10.y] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/scmi-cpufreq.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/scmi-cpufreq.c ++++ b/drivers/cpufreq/scmi-cpufreq.c +@@ -29,12 +29,18 @@ static const struct scmi_handle *handle; + + static unsigned int scmi_cpufreq_get_rate(unsigned int cpu) + { +- struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu); ++ struct cpufreq_policy *policy; ++ struct scmi_data *priv; + const struct scmi_perf_ops *perf_ops = handle->perf_ops; +- struct scmi_data *priv = policy->driver_data; + unsigned long rate; + int ret; + ++ policy = cpufreq_cpu_get_raw(cpu); ++ if (unlikely(!policy)) ++ return 0; ++ ++ priv = policy->driver_data; ++ + ret = perf_ops->freq_get(handle, priv->domain_id, &rate, false); + if (ret) + return 0; diff --git a/queue-5.10/drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch b/queue-5.10/drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch new file mode 100644 index 0000000000..bc67980eb3 --- /dev/null +++ b/queue-5.10/drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch 
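Review bot: The new early `return 0` in scmi_cpufreq_get_rate() has no comment, and it returns the same value as the existing `freq_get` failure path just below it. A reader of the code therefore cannot tell that this branch means "CPU not covered by a policy" rather than a firmware error. I would put `/* NULL when cpu is not in policy->cpus; report 0 as "rate unknown" */` above `if (unlikely(!policy))`. The `unlikely()` annotation is also worth dropping unless this getter is known to be on a hot path, which the hunk does not show. `priv = policy->driver_data;` is then dereferenced unchecked as `priv->domain_id`. Whether driver_data can be NULL for a policy returned here is not visible, so that should be confirmed. The function continues past the end of the hunk.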
@@ -0,0 +1,117 @@ +From stable+bounces-206185-greg=kroah.com@vger.kernel.org Wed Jan 7 17:44:01 2026 +From: Sasha Levin +Date: Wed, 7 Jan 2026 11:23:28 -0500 +Subject: drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() +To: stable@vger.kernel.org +Cc: Thomas Zimmermann , Patrik Jakobsson , Stefan Christ , Daniel Vetter , dri-devel@lists.freedesktop.org, Sasha Levin +Message-ID: <20260107162328.4079503-1-sashal@kernel.org> + +From: Thomas Zimmermann + +[ Upstream commit be729f9de6c64240645dc80a24162ac4d3fe00a8 ] + +Remove psb_fbdev_fb_setcolreg(), which hasn't been called in almost +a decade. + +Gma500 commit 4d8d096e9ae8 ("gma500: introduce the framebuffer support +code") added the helper psb_fbdev_fb_setcolreg() for setting the fbdev +palette via fbdev's fb_setcolreg callback. Later +commit 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for +fb_ops") set several default helpers for fbdev emulation, including +fb_setcmap. + +The fbdev subsystem always prefers fb_setcmap over fb_setcolreg. [1] +Hence, the gma500 code is no longer in use and gma500 has been using +drm_fb_helper_setcmap() for several years without issues. 
+ +Fixes: 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for fb_ops") +Cc: Patrik Jakobsson +Cc: Stefan Christ +Cc: Daniel Vetter +Cc: dri-devel@lists.freedesktop.org +Cc: # v4.10+ +Link: https://elixir.bootlin.com/linux/v6.16.9/source/drivers/video/fbdev/core/fbcmap.c#L246 # [1] +Signed-off-by: Thomas Zimmermann +Acked-by: Patrik Jakobsson +Link: https://lore.kernel.org/r/20250929082338.18845-1-tzimmermann@suse.de +[ adapted file path from fbdev.c to framebuffer.c and removed fb_setcolreg from three fb_ops structures ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/gma500/framebuffer.c | 44 ----------------------------------- + 1 file changed, 44 deletions(-) + +--- a/drivers/gpu/drm/gma500/framebuffer.c ++++ b/drivers/gpu/drm/gma500/framebuffer.c +@@ -34,47 +34,6 @@ static const struct drm_framebuffer_func + .create_handle = drm_gem_fb_create_handle, + }; + +-#define CMAP_TOHW(_val, _width) ((((_val) << (_width)) + 0x7FFF - (_val)) >> 16) +- +-static int psbfb_setcolreg(unsigned regno, unsigned red, unsigned green, +- unsigned blue, unsigned transp, +- struct fb_info *info) +-{ +- struct drm_fb_helper *fb_helper = info->par; +- struct drm_framebuffer *fb = fb_helper->fb; +- uint32_t v; +- +- if (!fb) +- return -ENOMEM; +- +- if (regno > 255) +- return 1; +- +- red = CMAP_TOHW(red, info->var.red.length); +- blue = CMAP_TOHW(blue, info->var.blue.length); +- green = CMAP_TOHW(green, info->var.green.length); +- transp = CMAP_TOHW(transp, info->var.transp.length); +- +- v = (red << info->var.red.offset) | +- (green << info->var.green.offset) | +- (blue << info->var.blue.offset) | +- (transp << info->var.transp.offset); +- +- if (regno < 16) { +- switch (fb->format->cpp[0] * 8) { +- case 16: +- ((uint32_t *) info->pseudo_palette)[regno] = v; +- break; +- case 24: +- case 32: +- ((uint32_t *) info->pseudo_palette)[regno] = v; +- break; +- } +- } +- +- return 0; +-} +- + static int psbfb_pan(struct fb_var_screeninfo *var, 
struct fb_info *info) + { + struct drm_fb_helper *fb_helper = info->par; +@@ -167,7 +126,6 @@ static int psbfb_mmap(struct fb_info *in + static const struct fb_ops psbfb_ops = { + .owner = THIS_MODULE, + DRM_FB_HELPER_DEFAULT_OPS, +- .fb_setcolreg = psbfb_setcolreg, + .fb_fillrect = drm_fb_helper_cfb_fillrect, + .fb_copyarea = psbfb_copyarea, + .fb_imageblit = drm_fb_helper_cfb_imageblit, +@@ -178,7 +136,6 @@ static const struct fb_ops psbfb_ops = { + static const struct fb_ops psbfb_roll_ops = { + .owner = THIS_MODULE, + DRM_FB_HELPER_DEFAULT_OPS, +- .fb_setcolreg = psbfb_setcolreg, + .fb_fillrect = drm_fb_helper_cfb_fillrect, + .fb_copyarea = drm_fb_helper_cfb_copyarea, + .fb_imageblit = drm_fb_helper_cfb_imageblit, +@@ -189,7 +146,6 @@ static const struct fb_ops psbfb_roll_op + static const struct fb_ops psbfb_unaccel_ops = { + .owner = THIS_MODULE, + DRM_FB_HELPER_DEFAULT_OPS, +- .fb_setcolreg = psbfb_setcolreg, + .fb_fillrect = drm_fb_helper_cfb_fillrect, + .fb_copyarea = drm_fb_helper_cfb_copyarea, + .fb_imageblit = drm_fb_helper_cfb_imageblit, diff --git a/queue-5.10/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch b/queue-5.10/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch deleted file mode 100644 index 8e6dc718af..0000000000 --- a/queue-5.10/kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From justinstitt@google.com Thu Jan 8 16:52:32 2026 -From: Justin Stitt -Date: Thu, 04 Dec 2025 12:44:48 -0800 -Subject: KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning -To: Marc Zyngier , Oliver Upton , Alexandru Elisei , Joey Gouly , Suzuki K Poulose , Catalin Marinas , Zenghui Yu , Will Deacon , Nathan Chancellor , Christopher Covington -Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, stable@vger.kernel.org, Justin Stitt -Message-ID: <20251204-b4-stable-disable-uninit-ptr-warn-5-15-v1-1-41212e2c6409@google.com> - -From: Justin Stitt - -A new warning in Clang 22 [1] complains that @clidr passed to -get_clidr_el1() is an uninitialized const pointer. get_clidr_el1() -doesn't really care since it casts away the const-ness anyways -- it is -a false positive. - -| ../arch/arm64/kvm/sys_regs.c:2838:23: warning: variable 'clidr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer] -| 2838 | get_clidr_el1(NULL, &clidr); /* Ugly... */ -| | ^~~~~ - -This patch isn't needed for anything past 6.1 as this code section was -reworked in Commit 7af0c2534f4c ("KVM: arm64: Normalize cache -configuration"). Since there is no upstream equivalent, this patch just -needs to be applied to 5.15. - -Disable this warning for sys_regs.o with an iron fist as it doesn't make -sense to waste maintainer's time or potentially break builds by -backporting large changelists from 6.2+. 
- -Cc: stable@vger.kernel.org -Fixes: 7c8c5e6a9101e ("arm64: KVM: system register handling") -Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1] -Reviewed-by: Nathan Chancellor -Signed-off-by: Justin Stitt -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kvm/Makefile | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/arch/arm64/kvm/Makefile b/arch/arm64/kvm/Makefile -index 989bb5dad2c8..109cca425d3e 100644 ---- a/arch/arm64/kvm/Makefile -+++ b/arch/arm64/kvm/Makefile -@@ -25,3 +25,6 @@ kvm-y := $(KVM)/kvm_main.o $(KVM)/coalesced_mmio.o $(KVM)/eventfd.o \ - vgic/vgic-its.o vgic/vgic-debug.o - - kvm-$(CONFIG_HW_PERF_EVENTS) += pmu-emul.o -+ -+# Work around a false positive Clang 22 -Wuninitialized-const-pointer warning -+CFLAGS_sys_regs.o := $(call cc-disable-warning, uninitialized-const-pointer) - ---- -base-commit: 8bb7eca972ad531c9b149c0a51ab43a417385813 -change-id: 20250728-b4-stable-disable-uninit-ptr-warn-5-15-c0c9db3df206 - -Best regards, --- -Justin Stitt - diff --git a/queue-5.10/leds-leds-lp50xx-enable-chip-before-any-communication.patch b/queue-5.10/leds-leds-lp50xx-enable-chip-before-any-communication.patch new file mode 100644 index 0000000000..109db2fa55 --- /dev/null +++ b/queue-5.10/leds-leds-lp50xx-enable-chip-before-any-communication.patch 
@@ -0,0 +1,151 @@
+From stable+bounces-204855-greg=kroah.com@vger.kernel.org Mon Jan 5 17:49:33 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 11:48:08 -0500
+Subject: leds: leds-lp50xx: Enable chip before any communication
+To: stable@vger.kernel.org
+Cc: Christian Hitz , Lee Jones , Sasha Levin
+Message-ID: <20260105164808.2675734-4-sashal@kernel.org>
+
+From: Christian Hitz
+
+[ Upstream commit 434959618c47efe9e5f2e20f4a850caac4f6b823 ]
+
+If a GPIO is used to control the chip's enable pin, it needs to be pulled
+high before any i2c communication is attempted.
+
+Currently, the enable GPIO handling is not correct.
+
+Assume the enable GPIO is low when the probe function is entered. In this
+case the device is in SHUTDOWN mode and does not react to i2c commands.
+
+During probe the following sequence happens:
+ 1. The call to lp50xx_reset() on line 548 has no effect as i2c is not
+ possible yet.
+ 2. Then - on line 552 - lp50xx_enable_disable() is called. As
+ "priv->enable_gpio“ has not yet been initialized, setting the GPIO has
+ no effect. Also the i2c enable command is not executed as the device
+ is still in SHUTDOWN.
+ 3. On line 556 the call to lp50xx_probe_dt() finally parses the rest of
+ the DT and the configured priv->enable_gpio is set up.
+
+As a result the device is still in SHUTDOWN mode and not ready for
+operation.
+
+Split lp50xx_enable_disable() into distinct enable and disable functions
+to enforce correct ordering between enable_gpio manipulations and i2c
+commands.
+Read enable_gpio configuration from DT before attempting to manipulate
+enable_gpio.
+Add delays to observe correct wait timing after manipulating enable_gpio
+and before any i2c communication.
+
+Cc: stable@vger.kernel.org
+Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
+Signed-off-by: Christian Hitz
+Link: https://patch.msgid.link/20251028155141.1603193-1-christian@klarinett.li
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/leds/leds-lp50xx.c | 55 ++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 40 insertions(+), 15 deletions(-)
+
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -53,6 +53,12 @@
+
+ #define LP50XX_SW_RESET 0xff
+ #define LP50XX_CHIP_EN BIT(6)
++#define LP50XX_CHIP_DISABLE 0x00
++#define LP50XX_START_TIME_US 500
++#define LP50XX_RESET_TIME_US 3
++
++#define LP50XX_EN_GPIO_LOW 0
++#define LP50XX_EN_GPIO_HIGH 1
+
+ /* There are 3 LED outputs per bank */
+ #define LP50XX_LEDS_PER_MODULE 3
+@@ -376,19 +382,42 @@ static int lp50xx_reset(struct lp50xx *p
+ return regmap_write(priv->regmap, priv->chip_info->reset_reg, LP50XX_SW_RESET);
+ }
+
+-static int lp50xx_enable_disable(struct lp50xx *priv, int enable_disable)
++static int lp50xx_enable(struct lp50xx *priv)
+ {
+ int ret;
+
+- ret = gpiod_direction_output(priv->enable_gpio, enable_disable);
++ if (priv->enable_gpio) {
++ ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_HIGH);
++ if (ret)
++ return ret;
++
++ udelay(LP50XX_START_TIME_US);
++ }
++
++ ret = lp50xx_reset(priv);
+ if (ret)
+ return ret;
+
+- if (enable_disable)
+- return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
+- else
+- return regmap_write(priv->regmap, LP50XX_DEV_CFG0, 0);
++ return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
++}
+
++static int lp50xx_disable(struct lp50xx *priv)
++{
++ int ret;
++
++ ret = regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_DISABLE);
++ if (ret)
++ return ret;
++
++ if (priv->enable_gpio) {
++ ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_LOW);
++ if (ret)
++ return ret;
++
++ udelay(LP50XX_RESET_TIME_US);
++ }
++
++ return 0;
+ }
+
+ static int lp50xx_probe_leds(struct fwnode_handle *child, struct lp50xx *priv,
+@@ -458,6 +487,10 @@ static int lp50xx_probe_dt(struct lp50xx
+ return ret;
+ }
+
++ ret = lp50xx_enable(priv);
++ if (ret)
++ return ret;
++
+ priv->regulator = devm_regulator_get(priv->dev, "vled");
+ if (IS_ERR(priv->regulator))
+ priv->regulator = NULL;
+@@ -565,14 +598,6 @@ static int lp50xx_probe(struct i2c_clien
+ return ret;
+ }
+
+- ret = lp50xx_reset(led);
+- if (ret)
+- return ret;
+-
+- ret = lp50xx_enable_disable(led, 1);
+- if (ret)
+- return ret;
+-
+ return lp50xx_probe_dt(led);
+ }
+
+@@ -581,7 +606,7 @@ static int lp50xx_remove(struct i2c_clie
+ struct lp50xx *led = i2c_get_clientdata(client);
+ int ret;
+
+- ret = lp50xx_enable_disable(led, 0);
++ ret = lp50xx_disable(led);
+ if (ret)
+ dev_err(led->dev, "Failed to disable chip\n");
+
diff --git a/queue-5.10/leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch b/queue-5.10/leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch
new file mode 100644
index 0000000000..09d70fb516
--- /dev/null
+++ b/queue-5.10/leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch
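Review bot: In the "Enable chip before any communication" patch, `lp50xx_disable()` returns as soon as the `LP50XX_DEV_CFG0` write fails, so on that path the enable GPIO is never driven low and the chip stays out of SHUTDOWN, while `lp50xx_remove()` only logs the error and carries on. Because removal is best effort, the GPIO step could run regardless of the regmap result and the first error be reported afterwards, as sketched below. Separately, `udelay(LP50XX_START_TIME_US)` busy-waits 500 µs in `lp50xx_enable()`, which this patch only calls from `lp50xx_probe_dt()`; if no atomic caller exists, `usleep_range(LP50XX_START_TIME_US, 2 * LP50XX_START_TIME_US);` would avoid spinning.

```c
static int lp50xx_disable(struct lp50xx *priv)
{
	int ret, gpio_ret;

	ret = regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_DISABLE);

	/* Drive the enable pin low even when the I2C write failed. */
	if (priv->enable_gpio) {
		gpio_ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_LOW);
		if (!gpio_ret)
			udelay(LP50XX_RESET_TIME_US);
		else if (!ret)
			ret = gpio_ret;
	}

	return ret;
}
```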
@@ -0,0 +1,41 @@
+From stable+bounces-204853-greg=kroah.com@vger.kernel.org Mon Jan 5 17:53:40 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 11:48:06 -0500
+Subject: leds: lp50xx: Get rid of redundant check in lp50xx_enable_disable()
+To: stable@vger.kernel.org
+Cc: Andy Shevchenko , Pavel Machek , Sasha Levin
+Message-ID: <20260105164808.2675734-2-sashal@kernel.org>
+
+From: Andy Shevchenko
+
+[ Upstream commit 5d2bfb3fb95b2d448c0fbcaa2c58b215b2fa87fc ]
+
+Since GPIO is optional the API is NULL aware and will check descriptor anyway.
+Remove duplicate redundant check in lp50xx_enable_disable().
+
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Pavel Machek
+Stable-dep-of: 434959618c47 ("leds: leds-lp50xx: Enable chip before any communication")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/leds/leds-lp50xx.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -380,11 +380,9 @@ static int lp50xx_enable_disable(struct
+ {
+ int ret;
+
+- if (priv->enable_gpio) {
+- ret = gpiod_direction_output(priv->enable_gpio, enable_disable);
+- if (ret)
+- return ret;
+- }
++ ret = gpiod_direction_output(priv->enable_gpio, enable_disable);
++ if (ret)
++ return ret;
+
+ if (enable_disable)
+ return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
diff --git a/queue-5.10/leds-lp50xx-reduce-level-of-dereferences.patch b/queue-5.10/leds-lp50xx-reduce-level-of-dereferences.patch
new file mode 100644
index 0000000000..2e4598734b
--- /dev/null
+++ b/queue-5.10/leds-lp50xx-reduce-level-of-dereferences.patch
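Review bot: In the "Get rid of redundant check" patch, the now-unconditional `gpiod_direction_output(priv->enable_gpio, enable_disable)` in `lp50xx_enable_disable()` depends on the callee tolerating a NULL descriptor. That holds for gpiolib proper but, as far as I recall, not for the `!CONFIG_GPIOLIB` stub, which returns `-ENOSYS`. If this driver can be built without GPIOLIB, a board with no enable GPIO would start failing at this call, so either keep the guard or make the dependency explicit. At minimum a comment such as `/* enable_gpio is optional; gpiod_direction_output() accepts NULL */` would record the assumption. The function body continues past the end of the hunk.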
@@ -0,0 +1,126 @@
+From stable+bounces-204852-greg=kroah.com@vger.kernel.org Mon Jan 5 18:06:55 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 11:48:05 -0500
+Subject: leds: lp50xx: Reduce level of dereferences
+To: stable@vger.kernel.org
+Cc: Andy Shevchenko , Pavel Machek , Sasha Levin
+Message-ID: <20260105164808.2675734-1-sashal@kernel.org>
+
+From: Andy Shevchenko
+
+[ Upstream commit 556f15fe023ec1d9f9cd2781ba6cd14bda650d22 ]
+
+The priv->dev is effectively the same as &priv->client->dev.
+So, drop the latter for the former.
+
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Pavel Machek
+Stable-dep-of: 434959618c47 ("leds: leds-lp50xx: Enable chip before any communication")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/leds/leds-lp50xx.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -322,7 +322,7 @@ static int lp50xx_brightness_set(struct
+
+ ret = regmap_write(led->priv->regmap, reg_val, brightness);
+ if (ret) {
+- dev_err(&led->priv->client->dev,
++ dev_err(led->priv->dev,
+ "Cannot write brightness value %d\n", ret);
+ goto out;
+ }
+@@ -338,7 +338,7 @@ static int lp50xx_brightness_set(struct
+ ret = regmap_write(led->priv->regmap, reg_val,
+ mc_dev->subled_info[i].intensity);
+ if (ret) {
+- dev_err(&led->priv->client->dev,
++ dev_err(led->priv->dev,
+ "Cannot write intensity value %d\n", ret);
+ goto out;
+ }
+@@ -402,7 +402,7 @@ static int lp50xx_probe_leds(struct fwno
+
+ if (num_leds > 1) {
+ if (num_leds > priv->chip_info->max_modules) {
+- dev_err(&priv->client->dev, "reg property is invalid\n");
++ dev_err(priv->dev, "reg property is invalid\n");
+ return -EINVAL;
+ }
+
+@@ -410,13 +410,13 @@ static int lp50xx_probe_leds(struct fwno
+
+ ret = fwnode_property_read_u32_array(child, "reg", led_banks, num_leds);
+ if (ret) {
+- dev_err(&priv->client->dev, "reg property is missing\n");
++ dev_err(priv->dev, "reg property is missing\n");
+ return ret;
+ }
+
+ ret = lp50xx_set_banks(priv, led_banks, num_leds);
+ if (ret) {
+- dev_err(&priv->client->dev, "Cannot setup banked LEDs\n");
++ dev_err(priv->dev, "Cannot setup banked LEDs\n");
+ return ret;
+ }
+
+@@ -424,12 +424,12 @@ static int lp50xx_probe_leds(struct fwno
+ } else {
+ ret = fwnode_property_read_u32(child, "reg", &led_number);
+ if (ret) {
+- dev_err(&priv->client->dev, "led reg property missing\n");
++ dev_err(priv->dev, "led reg property missing\n");
+ return ret;
+ }
+
+ if (led_number > priv->chip_info->num_leds) {
+- dev_err(&priv->client->dev, "led-sources property is invalid\n");
++ dev_err(priv->dev, "led-sources property is invalid\n");
+ return -EINVAL;
+ }
+
+@@ -468,7 +468,7 @@ static int lp50xx_probe_dt(struct lp50xx
+ led = &priv->leds[i];
+ ret = fwnode_property_count_u32(child, "reg");
+ if (ret < 0) {
+- dev_err(&priv->client->dev, "reg property is invalid\n");
++ dev_err(priv->dev, "reg property is invalid\n");
+ goto child_out;
+ }
+
+@@ -518,12 +518,11 @@ static int lp50xx_probe_dt(struct lp50xx
+ led_cdev = &led->mc_cdev.led_cdev;
+ led_cdev->brightness_set_blocking = lp50xx_brightness_set;
+
+- ret = devm_led_classdev_multicolor_register_ext(&priv->client->dev,
++ ret = devm_led_classdev_multicolor_register_ext(priv->dev,
+ &led->mc_cdev,
+ &init_data);
+ if (ret) {
+- dev_err(&priv->client->dev, "led register err: %d\n",
+- ret);
++ dev_err(priv->dev, "led register err: %d\n", ret);
+ goto child_out;
+ }
+ i++;
+@@ -586,15 +585,14 @@ static int lp50xx_remove(struct i2c_clie
+
+ ret = lp50xx_enable_disable(led, 0);
+ if (ret) {
+- dev_err(&led->client->dev, "Failed to disable chip\n");
++ dev_err(led->dev, "Failed to disable chip\n");
+ return ret;
+ }
+
+ if (led->regulator) {
+ ret = regulator_disable(led->regulator);
+ if (ret)
+- dev_err(&led->client->dev,
+- "Failed to disable regulator\n");
++ dev_err(led->dev, "Failed to disable regulator\n");
+ }
+
+ mutex_destroy(&led->lock);
diff --git a/queue-5.10/leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch b/queue-5.10/leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch
new file mode 100644
index 0000000000..901e6a6fd9
--- /dev/null
+++ b/queue-5.10/leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch
@@ -0,0 +1,47 @@
+From stable+bounces-204854-greg=kroah.com@vger.kernel.org Mon Jan 5 18:06:59 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 11:48:07 -0500
+Subject: leds: lp50xx: Remove duplicated error reporting in .remove()
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" , "Pavel Machek" , "Sasha Levin"
+Message-ID: <20260105164808.2675734-3-sashal@kernel.org>
+
+From: Uwe Kleine-König
+
+[ Upstream commit 73bce575ed90c752eaa4b2b9a70860481d58d240 ]
+
+Returning an error value from an i2c remove callback results in an error
+message being emitted by the i2c core, but otherwise it doesn't make a
+difference. The device goes away anyhow and the devm cleanups are
+called.
+
+As stk3310_set_state() already emits an error message on failure and the
+additional error message by the i2c core doesn't add any useful
+information, don't pass the error value up the stack. Instead continue
+to clean up and return 0.
+
+This patch is a preparation for making i2c remove callbacks return void.
+
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Pavel Machek
+Stable-dep-of: 434959618c47 ("leds: leds-lp50xx: Enable chip before any communication")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/leds/leds-lp50xx.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -582,10 +582,8 @@ static int lp50xx_remove(struct i2c_clie
+ int ret;
+
+ ret = lp50xx_enable_disable(led, 0);
+- if (ret) {
++ if (ret)
+ dev_err(led->dev, "Failed to disable chip\n");
+- return ret;
+- }
+
+ if (led->regulator) {
+ ret = regulator_disable(led->regulator);
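Review bot: With `return ret;` dropped from `lp50xx_remove()`, the log line is the only place a failed disable is recorded, and `"Failed to disable chip\n"` omits the error code. Suggest `dev_err(led->dev, "Failed to disable chip: %d\n", ret);` so the cause survives in the log. The end of the function is outside the hunk, so whether it now returns 0, as the description says, cannot be checked from here.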
diff --git a/queue-5.10/lockd-fix-vfs_test_lock-calls.patch b/queue-5.10/lockd-fix-vfs_test_lock-calls.patch
new file mode 100644
index 0000000000..80acb58601
--- /dev/null
+++ b/queue-5.10/lockd-fix-vfs_test_lock-calls.patch
@@ -0,0 +1,182 @@
+From stable+bounces-206058-greg=kroah.com@vger.kernel.org Wed Jan 7 00:58:22 2026
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 18:58:16 -0500
+Subject: lockd: fix vfs_test_lock() calls
+To: stable@vger.kernel.org
+Cc: NeilBrown , Olga Kornievskaia , Jeff Layton , Chuck Lever , Sasha Levin
+Message-ID: <20260106235816.3462079-1-sashal@kernel.org>
+
+From: NeilBrown
+
+[ Upstream commit a49a2a1baa0c553c3548a1c414b6a3c005a8deba ]
+
+Usage of vfs_test_lock() is somewhat confused. Documentation suggests
+it is given a "lock" but this is not the case. It is given a struct
+file_lock which contains some details of the sort of lock it should be
+looking for.
+
+In particular passing a "file_lock" containing fl_lmops or fl_ops is
+meaningless and possibly confusing.
+
+This is particularly problematic in lockd. nlmsvc_testlock() receives
+an initialised "file_lock" from xdr-decode, including manager ops and an
+owner. It then mistakenly passes this to vfs_test_lock() which might
+replace the owner and the ops. This can lead to confusion when freeing
+the lock.
+
+The primary role of the 'struct file_lock' passed to vfs_test_lock() is
+to report a conflicting lock that was found, so it makes more sense for
+nlmsvc_testlock() to pass "conflock", which it uses for returning the
+conflicting lock.
+
+With this change, freeing of the lock is not confused and code in
+__nlm4svc_proc_test() and __nlmsvc_proc_test() can be simplified.
+
+Documentation for vfs_test_lock() is improved to reflect its real
+purpose, and a WARN_ON_ONCE() is added to avoid a similar problem in the
+future.
+
+Reported-by: Olga Kornievskaia
+Closes: https://lore.kernel.org/all/20251021130506.45065-1-okorniev@redhat.com
+Signed-off-by: NeilBrown
+Fixes: 20fa19027286 ("nfs: add export operations")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+[ adapted c.flc_* field accesses to direct fl_* fields ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/lockd/svc4proc.c | 4 +---
+ fs/lockd/svclock.c | 21 ++++++++++++---------
+ fs/lockd/svcproc.c | 5 +----
+ fs/locks.c | 13 +++++++++++--
+ 4 files changed, 25 insertions(+), 18 deletions(-)
+
+--- a/fs/lockd/svc4proc.c
++++ b/fs/lockd/svc4proc.c
+@@ -96,7 +96,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
+ struct nlm_args *argp = rqstp->rq_argp;
+ struct nlm_host *host;
+ struct nlm_file *file;
+- struct nlm_lockowner *test_owner;
+ __be32 rc = rpc_success;
+
+ dprintk("lockd: TEST4 called\n");
+@@ -106,7 +105,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
+ if ((resp->status = nlm4svc_retrieve_args(rqstp, argp, &host, &file)))
+ return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
+
+- test_owner = argp->lock.fl.fl_owner;
+ /* Now check for conflicting locks */
+ resp->status = nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie);
+ if (resp->status == nlm_drop_reply)
+@@ -114,7 +112,7 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
+ else
+ dprintk("lockd: TEST4 status %d\n", ntohl(resp->status));
+
+- nlmsvc_put_lockowner(test_owner);
++ nlmsvc_release_lockowner(&argp->lock);
+ nlmsvc_release_host(host);
+ nlm_release_file(file);
+ return rc;
+--- a/fs/lockd/svclock.c
++++ b/fs/lockd/svclock.c
+@@ -604,7 +604,13 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
+ }
+
+ mode = lock_to_openmode(&lock->fl);
+- error = vfs_test_lock(file->f_file[mode], &lock->fl);
++ locks_init_lock(&conflock->fl);
++ /* vfs_test_lock only uses start, end, and owner, but tests fl_file */
++ conflock->fl.fl_file = lock->fl.fl_file;
++ conflock->fl.fl_start = lock->fl.fl_start;
++ conflock->fl.fl_end = lock->fl.fl_end;
++ conflock->fl.fl_owner = lock->fl.fl_owner;
++ error = vfs_test_lock(file->f_file[mode], &conflock->fl);
+ if (error) {
+ /* We can't currently deal with deferred test requests */
+ if (error == FILE_LOCK_DEFERRED)
+@@ -614,22 +620,19 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
+ goto out;
+ }
+
+- if (lock->fl.fl_type == F_UNLCK) {
++ if (conflock->fl.fl_type == F_UNLCK) {
+ ret = nlm_granted;
+ goto out;
+ }
+
+ dprintk("lockd: conflicting lock(ty=%d, %Ld-%Ld)\n",
+- lock->fl.fl_type, (long long)lock->fl.fl_start,
+- (long long)lock->fl.fl_end);
++ conflock->fl.fl_type, (long long)conflock->fl.fl_start,
++ (long long)conflock->fl.fl_end);
+ conflock->caller = "somehost"; /* FIXME */
+ conflock->len = strlen(conflock->caller);
+ conflock->oh.len = 0; /* don't return OH info */
+- conflock->svid = lock->fl.fl_pid;
+- conflock->fl.fl_type = lock->fl.fl_type;
+- conflock->fl.fl_start = lock->fl.fl_start;
+- conflock->fl.fl_end = lock->fl.fl_end;
+- locks_release_private(&lock->fl);
++ conflock->svid = conflock->fl.fl_pid;
++ locks_release_private(&conflock->fl);
+
+ ret = nlm_lck_denied;
+ out:
+--- a/fs/lockd/svcproc.c
++++ b/fs/lockd/svcproc.c
+@@ -117,7 +117,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
+ struct nlm_args *argp = rqstp->rq_argp;
+ struct nlm_host *host;
+ struct nlm_file *file;
+- struct nlm_lockowner *test_owner;
+ __be32 rc = rpc_success;
+
+ dprintk("lockd: TEST called\n");
+@@ -127,8 +126,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
+ if ((resp->status = nlmsvc_retrieve_args(rqstp, argp, &host, &file)))
+ return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
+
+- test_owner = argp->lock.fl.fl_owner;
+-
+ /* Now check for conflicting locks */
+ resp->status = cast_status(nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie));
+ if (resp->status == nlm_drop_reply)
+@@ -137,7 +134,7 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
+ dprintk("lockd: TEST status %d vers %d\n",
+ ntohl(resp->status), rqstp->rq_vers);
+
+- nlmsvc_put_lockowner(test_owner);
++ nlmsvc_release_lockowner(&argp->lock);
+ nlmsvc_release_host(host);
+ nlm_release_file(file);
+ return rc;
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -2325,13 +2325,22 @@ SYSCALL_DEFINE2(flock, unsigned int, fd,
+ /**
+ * vfs_test_lock - test file byte range lock
+ * @filp: The file to test lock for
+- * @fl: The lock to test; also used to hold result
++ * @fl: The byte-range in the file to test; also used to hold result
+ *
++ * On entry, @fl does not contain a lock, but identifies a range (fl_start, fl_end)
++ * in the file (c.flc_file), and an owner (c.flc_owner) for whom existing locks
++ * should be ignored. c.flc_type and c.flc_flags are ignored.
++ * Both fl_lmops and fl_ops in @fl must be NULL.
+ * Returns -ERRNO on failure. Indicates presence of conflicting lock by
+- * setting conf->fl_type to something other than F_UNLCK.
++ * setting fl->fl_type to something other than F_UNLCK.
++ *
++ * If vfs_test_lock() does find a lock and return it, the caller must
++ * use locks_free_lock() or locks_release_private() on the returned lock.
+ */
+ int vfs_test_lock(struct file *filp, struct file_lock *fl)
+ {
++ WARN_ON_ONCE(fl->fl_ops || fl->fl_lmops);
++ WARN_ON_ONCE(filp != fl->fl_file);
+ if (filp->f_op->lock)
+ return filp->f_op->lock(filp, F_GETLK, fl);
+ posix_test_lock(filp, fl);
diff --git a/queue-5.10/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch b/queue-5.10/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch
new file mode 100644
index 0000000000..c432e7ec9c
--- /dev/null
+++ b/queue-5.10/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch
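Review bot: In the lockd patch, `nlmsvc_testlock()` no longer hands the request's `fl_type` to `vfs_test_lock()`: `conflock->fl` is initialised by `locks_init_lock()` and only `fl_file`, `fl_start`, `fl_end` and `fl_owner` are copied in. The conflict check itself is not part of this patch; if `posix_test_lock()` or a filesystem `->lock()` distinguishes shared from exclusive requests, an exclusive NLM TEST would be evaluated with a default type and could be answered as granted. Consider adding `conflock->fl.fl_type = lock->fl.fl_type;` next to the other copies, or confirm for 5.10 that the type really is ignored as the new kernel-doc claims. That kernel-doc in fs/locks.c also names `c.flc_file`, `c.flc_owner`, `c.flc_type` and `c.flc_flags`, while the code in this backport uses `fl_file` and `fl_owner`; the comment should use the 5.10 field names.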
@@ -0,0 +1,47 @@
+From stable+bounces-204973-greg=kroah.com@vger.kernel.org Tue Jan 6 01:55:49 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 19:55:31 -0500
+Subject: media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
+To: stable@vger.kernel.org
+Cc: Haoxiang Li , AngeloGioacchino Del Regno , Tzung-Bi Shih , Nicolas Dufresne , Hans Verkuil , Sasha Levin
+Message-ID: <20260106005531.2866023-1-sashal@kernel.org>
+
+From: Haoxiang Li
+
+[ Upstream commit cdd0f118ef87db8a664fb5ea366fd1766d2df1cd ]
+
+vpu_get_plat_device() increases the reference count of the returned
+platform device. However, when devm_kzalloc() fails, the reference
+is not released, causing a reference leak.
+
+Fix this by calling put_device() on fw_pdev->dev before returning
+on the error path.
+
+Fixes: e25a89f743b1 ("media: mtk-vcodec: potential dereference of null pointer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li
+Reviewed-by: AngeloGioacchino Del Regno
+Reviewed-by: Tzung-Bi Shih
+Signed-off-by: Nicolas Dufresne
+Signed-off-by: Hans Verkuil
+[ adapted file path from common/ subdirectory and adjusted devm_kzalloc target from plat_dev->dev to dev->plat_dev->dev ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
+@@ -94,8 +94,10 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_
+ vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_handler, dev, rst_id);
+
+ fw = devm_kzalloc(&dev->plat_dev->dev, sizeof(*fw), GFP_KERNEL);
+- if (!fw)
++ if (!fw) {
++ put_device(&fw_pdev->dev);
+ return ERR_PTR(-ENOMEM);
++ }
+ fw->type = VPU;
+ fw->ops = &mtk_vcodec_vpu_msg;
+ fw->pdev = fw_pdev;
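Review bot: The new error path in `mtk_vcodec_fw_vpu_init()` drops the device reference with `put_device(&fw_pdev->dev)` but leaves in place the handler registered two lines earlier by `vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_handler, dev, rst_id)`, which still carries `dev`. If the caller tears `dev` down after this `-ENOMEM`, that callback could later run against a stale pointer; whether an unregister helper exists is not visible here. Doing the `devm_kzalloc()` before the handler registration would leave only the `put_device()` to undo on failure. The start of the function is outside the hunk.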
diff --git a/queue-5.10/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch b/queue-5.10/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch
new file mode 100644
index 0000000000..e2fc34c1ad
--- /dev/null
+++ b/queue-5.10/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch
@@ -0,0 +1,48 @@
+From stable+bounces-204922-greg=kroah.com@vger.kernel.org Mon Jan 5 21:40:56 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 15:40:38 -0500
+Subject: media: samsung: exynos4-is: fix potential ABBA deadlock on init
+To: stable@vger.kernel.org
+Cc: Marek Szyprowski , Sylwester Nawrocki , Hans Verkuil , Sasha Levin
+Message-ID: <20260105204038.2787172-1-sashal@kernel.org>
+
+From: Marek Szyprowski
+
+[ Upstream commit 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b ]
+
+v4l2_device_register_subdev_nodes() must called without taking
+media_dev->graph_mutex to avoid potential AB-BA deadlock on further
+subdevice driver initialization.
+
+Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski
+Acked-by: Sylwester Nawrocki
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/exynos4-is/media-dev.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -1409,12 +1409,14 @@ static int subdev_notifier_complete(stru
+ mutex_lock(&fmd->media_dev.graph_mutex);
+
+ ret = fimc_md_create_links(fmd);
+- if (ret < 0)
+- goto unlock;
++ if (ret < 0) {
++ mutex_unlock(&fmd->media_dev.graph_mutex);
++ return ret;
++ }
+
+- ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
+-unlock:
+ mutex_unlock(&fmd->media_dev.graph_mutex);
++
++ ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
+ if (ret < 0)
+ return ret;
+
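Review bot: Style point in `subdev_notifier_complete()`: `graph_mutex` is now released in two places, once inside the error branch and once on the success path. Unlocking immediately after the call keeps a single release and a shorter critical section: `ret = fimc_md_create_links(fmd);` then `mutex_unlock(&fmd->media_dev.graph_mutex);` then `if (ret < 0) return ret;`. The function continues beyond the hunk.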
diff --git a/queue-5.10/media-vpif_capture-fix-section-mismatch.patch b/queue-5.10/media-vpif_capture-fix-section-mismatch.patch
new file mode 100644
index 0000000000..166b0c0a35
--- /dev/null
+++ b/queue-5.10/media-vpif_capture-fix-section-mismatch.patch
@@ -0,0 +1,50 @@
+From stable+bounces-204935-greg=kroah.com@vger.kernel.org Mon Jan 5 22:21:28 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 16:17:47 -0500
+Subject: media: vpif_capture: fix section mismatch
+To: stable@vger.kernel.org
+Cc: Johan Hovold , Hans Verkuil , Sasha Levin
+Message-ID: <20260105211747.2802180-1-sashal@kernel.org>
+
+From: Johan Hovold
+
+[ Upstream commit 0ef841113724166c3c484d0e9ae6db1eb5634fde ]
+
+Platform drivers can be probed after their init sections have been
+discarded (e.g. on probe deferral or manual rebind through sysfs) so the
+probe function must not live in init.
+
+Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section
+mismatch warning") incorrectly suppressed the modpost warning.
+
+Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning")
+Fixes: 6ffefff5a9e7 ("V4L/DVB (12906c): V4L : vpif capture driver for DM6467")
+Cc: stable@vger.kernel.org # 2.6.32
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/davinci/vpif_capture.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/davinci/vpif_capture.c
++++ b/drivers/media/platform/davinci/vpif_capture.c
+@@ -1614,7 +1614,7 @@ err_cleanup:
+ * This creates device entries by register itself to the V4L2 driver and
+ * initializes fields of each channel objects
+ */
+-static __init int vpif_probe(struct platform_device *pdev)
++static int vpif_probe(struct platform_device *pdev)
+ {
+ struct vpif_subdev_info *subdevdata;
+ struct i2c_adapter *i2c_adap;
+@@ -1817,7 +1817,7 @@ static int vpif_resume(struct device *de
+
+ static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume);
+
+-static __refdata struct platform_driver vpif_driver = {
++static struct platform_driver vpif_driver = {
+ .driver = {
+ .name = VPIF_DRIVER_NAME,
+ .pm = &vpif_pm_ops,
diff --git a/queue-5.10/mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch b/queue-5.10/mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch
new file mode 100644
index 0000000000..d4b488aeea
--- /dev/null
+++ b/queue-5.10/mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch
@@ -0,0 +1,225 @@
+From stable+bounces-204903-greg=kroah.com@vger.kernel.org Mon Jan 5 20:41:13 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 14:40:56 -0500
+Subject: mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
+To: stable@vger.kernel.org
+Cc: "David Hildenbrand" , "Lorenzo Stoakes" , "Alistair Popple" , "Al Viro" , "Arnd Bergmann" , "Brendan Jackman" , "Byungchul Park" , "Chengming Zhou" , "Christian Brauner" , "Christophe Leroy" , "Eugenio Pé rez" , "Greg Kroah-Hartman" , "Gregory Price" , "Harry Yoo" , "Huang, Ying" , "Jan Kara" , "Jason Gunthorpe" , "Jason Wang" , "Jerrin Shaji George" , "Johannes Weiner" , "John Hubbard" , "Jonathan Corbet" , "Joshua Hahn" , "Liam Howlett" , "Madhavan Srinivasan" , "Mathew Brost" , "Matthew Wilcox (Oracle)" , "Miaohe Lin" , "Michael Ellerman" , "Michael S. Tsirkin" , "Michal Hocko" , "Mike Rapoport" , "Minchan Kim" , "Naoya Horiguchi" , "Nicholas Piggin" , "Oscar Salvador" , "Peter Xu" , "Qi Zheng" , "Rakie Kim" , "Rik van Riel" , "Sergey Senozhatsky" , "Shakeel Butt" , "Suren Baghdasaryan" , "Vlastimil Babka" , "Xuan Zhuo" , "xu xin" , "Zi Yan" , "Andrew Morton" , "Sasha Levin"
+Message-ID: <20260105194057.2747929-3-sashal@kernel.org>
+
+From: David Hildenbrand
+
+[ Upstream commit 15504b1163007bbfbd9a63460d5c14737c16e96d ]
+
+Let's move the removal of the page from the balloon list into the single
+caller, to remove the dependency on the PG_isolated flag and clarify
+locking requirements.
+
+Note that for now, balloon_page_delete() was used on two paths:
+
+(1) Removing a page from the balloon for deflation through
+ balloon_page_list_dequeue()
+(2) Removing an isolated page from the balloon for migration in the
+ per-driver migration handlers. Isolated pages were already removed from
+ the balloon list during isolation.
+
+So instead of relying on the flag, we can just distinguish both cases
+directly and handle it accordingly in the caller.
+
+We'll shuffle the operations a bit such that they logically make more
+sense (e.g., remove from the list before clearing flags).
+
+In balloon migration functions we can now move the balloon_page_finalize()
+out of the balloon lock and perform the finalization just before dropping
+the balloon reference.
+
+Document that the page lock is currently required when modifying the
+movability aspects of a page; hopefully we can soon decouple this from the
+page lock.
+
+Link: https://lkml.kernel.org/r/20250704102524.326966-3-david@redhat.com
+Signed-off-by: David Hildenbrand
+Reviewed-by: Lorenzo Stoakes
+Cc: Alistair Popple
+Cc: Al Viro
+Cc: Arnd Bergmann
+Cc: Brendan Jackman
+Cc: Byungchul Park
+Cc: Chengming Zhou
+Cc: Christian Brauner
+Cc: Christophe Leroy
+Cc: Eugenio Pé rez
+Cc: Greg Kroah-Hartman
+Cc: Gregory Price
+Cc: Harry Yoo
+Cc: "Huang, Ying"
+Cc: Jan Kara
+Cc: Jason Gunthorpe
+Cc: Jason Wang
+Cc: Jerrin Shaji George
+Cc: Johannes Weiner
+Cc: John Hubbard
+Cc: Jonathan Corbet
+Cc: Joshua Hahn
+Cc: Liam Howlett
+Cc: Madhavan Srinivasan
+Cc: Mathew Brost
+Cc: Matthew Wilcox (Oracle)
+Cc: Miaohe Lin
+Cc: Michael Ellerman
+Cc: "Michael S. Tsirkin"
+Cc: Michal Hocko
+Cc: Mike Rapoport
+Cc: Minchan Kim
+Cc: Naoya Horiguchi
+Cc: Nicholas Piggin
+Cc: Oscar Salvador
+Cc: Peter Xu
+Cc: Qi Zheng
+Cc: Rakie Kim
+Cc: Rik van Riel
+Cc: Sergey Senozhatsky
+Cc: Shakeel Butt
+Cc: Suren Baghdasaryan
+Cc: Vlastimil Babka
+Cc: Xuan Zhuo
+Cc: xu xin
+Cc: Zi Yan
+Signed-off-by: Andrew Morton
+Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/pseries/cmm.c | 2 -
+ drivers/misc/vmw_balloon.c | 3 --
+ drivers/virtio/virtio_balloon.c | 4 ---
+ include/linux/balloon_compaction.h | 43 +++++++++++++----------------------
+ mm/balloon_compaction.c | 3 +-
+ 5 files changed, 21 insertions(+), 34 deletions(-)
+
+--- a/arch/powerpc/platforms/pseries/cmm.c
++++ b/arch/powerpc/platforms/pseries/cmm.c
+@@ -550,7 +550,6 @@ static int cmm_migratepage(struct balloo
+
+ spin_lock_irqsave(&b_dev_info->pages_lock, flags);
+ balloon_page_insert(b_dev_info, newpage);
+- balloon_page_delete(page);
+ b_dev_info->isolated_pages--;
+ spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
+
+@@ -560,6 +559,7 @@ static int cmm_migratepage(struct balloo
+ */
+ plpar_page_set_active(page);
+
++ balloon_page_finalize(page);
+ /* balloon page list reference */
+ put_page(page);
+
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -1810,8 +1810,7 @@ static int vmballoon_migratepage(struct
+ * @pages_lock . We keep holding @comm_lock since we will need it in a
+ * second.
+ */
+- balloon_page_delete(page);
+-
++ balloon_page_finalize(page);
+ put_page(page);
+
+ /* Inflate */
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -796,15 +796,13 @@ static int virtballoon_migratepage(struc
+ tell_host(vb, vb->inflate_vq);
+
+ /* balloon's page migration 2nd step -- deflate "page" */
+- spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
+- balloon_page_delete(page);
+- spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
+ vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
+ set_page_pfns(vb, vb->pfns, page);
+ tell_host(vb, vb->deflate_vq);
+
+ mutex_unlock(&vb->balloon_lock);
+
++ balloon_page_finalize(page);
+ put_page(page); /* balloon reference */
+
+ return MIGRATEPAGE_SUCCESS;
+--- a/include/linux/balloon_compaction.h
++++ b/include/linux/balloon_compaction.h
+@@ -100,27 +100,6 @@ static inline void balloon_page_insert(s
+ }
+
+ /*
+- * balloon_page_delete - delete a page from balloon's page list and clear
+- * the page->private assignement accordingly.
+- * @page : page to be released from balloon's page list
+- *
+- * Caller must ensure the page is locked and the spin_lock protecting balloon
+- * pages list is held before deleting a page from the balloon device.
+- */
+-static inline void balloon_page_delete(struct page *page)
+-{
+- __ClearPageOffline(page);
+- __ClearPageMovable(page);
+- set_page_private(page, 0);
+- /*
+- * No touch page.lru field once @page has been isolated
+- * because VM is using the field.
+- */
+- if (!PageIsolated(page))
+- list_del(&page->lru);
+-}
+-
+-/*
+ * balloon_page_device - get the b_dev_info descriptor for the balloon device
+ * that enqueues the given page.
+ */
+@@ -143,12 +122,6 @@ static inline void balloon_page_insert(s
+ list_add(&page->lru, &balloon->pages);
+ }
+
+-static inline void balloon_page_delete(struct page *page)
+-{
+- __ClearPageOffline(page);
+- list_del(&page->lru);
+-}
+-
+ static inline gfp_t balloon_mapping_gfp_mask(void)
+ {
+ return GFP_HIGHUSER;
+@@ -157,6 +130,22 @@ static inline gfp_t balloon_mapping_gfp_
+ #endif /* CONFIG_BALLOON_COMPACTION */
+
+ /*
++ * balloon_page_finalize - prepare a balloon page that was removed from the
++ * balloon list for release to the page allocator
++ * @page: page to be released to the page allocator
++ *
++ * Caller must ensure that the page is locked.
++ */
++static inline void balloon_page_finalize(struct page *page)
++{
++ if (IS_ENABLED(CONFIG_BALLOON_COMPACTION)) {
++ __ClearPageMovable(page);
++ set_page_private(page, 0);
++ }
++ __ClearPageOffline(page);
++}
++
++/*
+ * balloon_page_push - insert a page into a page list.
+ * @head : pointer to list
+ * @page : page to be added
+--- a/mm/balloon_compaction.c
++++ b/mm/balloon_compaction.c
+@@ -93,7 +93,8 @@ size_t balloon_page_list_dequeue(struct
+ if (!trylock_page(page))
+ continue;
+
+- balloon_page_delete(page);
++ list_del(&page->lru);
++ balloon_page_finalize(page);
+ __count_vm_event(BALLOON_DEFLATE);
+ list_add(&page->lru, pages);
+ unlock_page(page);
diff --git a/queue-5.10/mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch b/queue-5.10/mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch
new file mode 100644
index 0000000000..a0b0a610d1
--- /dev/null
+++ b/queue-5.10/mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch
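Review bot: In the balloon_page_finalize() conversion, the helper's requirement "Caller must ensure that the page is locked" exists only as a comment, and the three migration callers (`cmm_migratepage()`, `vmballoon_migratepage()`, `virtballoon_migratepage()`) do not show the page lock being held anywhere in their hunks; only `balloon_page_list_dequeue()` visibly sits behind `trylock_page()`. An assertion at the top of the helper, for example `VM_BUG_ON_PAGE(!PageLocked(page), page);`, would let a debug build check the documented contract now that the call has moved outside `pages_lock` and `balloon_lock`. The migration functions start and end outside their hunks, so the lock may well be taken by the caller.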
@@ -0,0 +1,96 @@ +From stable+bounces-204901-greg=kroah.com@vger.kernel.org Mon Jan 5 20:41:05 2026 +From: Sasha Levin +Date: Mon, 5 Jan 2026 14:40:54 -0500 +Subject: mm/balloon_compaction: make balloon page compaction callbacks static +To: stable@vger.kernel.org +Cc: Miaohe Lin , "Michael S. Tsirkin" , Muchun Song , Sasha Levin +Message-ID: <20260105194057.2747929-1-sashal@kernel.org> + +From: Miaohe Lin + +[ Upstream commit 504c1cabe325df65c18ef38365ddd1a41c6b591b ] + +Since commit b1123ea6d3b3 ("mm: balloon: use general non-lru movable page +feature"), these functions are called via balloon_aops callbacks. They're +not called directly outside this file. So make them static and clean up +the relevant code. + +Signed-off-by: Miaohe Lin +Link: https://lore.kernel.org/r/20220125132221.2220-1-linmiaohe@huawei.com +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Muchun Song +Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/balloon_compaction.h | 22 ---------------------- + mm/balloon_compaction.c | 6 +++--- + 2 files changed, 3 insertions(+), 25 deletions(-) + +--- a/include/linux/balloon_compaction.h ++++ b/include/linux/balloon_compaction.h +@@ -80,12 +80,6 @@ static inline void balloon_devinfo_init( + + #ifdef CONFIG_BALLOON_COMPACTION + extern const struct address_space_operations balloon_aops; +-extern bool balloon_page_isolate(struct page *page, +- isolate_mode_t mode); +-extern void balloon_page_putback(struct page *page); +-extern int balloon_page_migrate(struct address_space *mapping, +- struct page *newpage, +- struct page *page, enum migrate_mode mode); + + /* + * balloon_page_insert - insert a page into the balloon's page list and make +@@ -155,22 +149,6 @@ static inline void balloon_page_delete(s + list_del(&page->lru); + } + +-static inline bool balloon_page_isolate(struct page *page) +-{ +- return false; +-} +- +-static 
inline void balloon_page_putback(struct page *page) +-{ +- return; +-} +- +-static inline int balloon_page_migrate(struct page *newpage, +- struct page *page, enum migrate_mode mode) +-{ +- return 0; +-} +- + static inline gfp_t balloon_mapping_gfp_mask(void) + { + return GFP_HIGHUSER; +--- a/mm/balloon_compaction.c ++++ b/mm/balloon_compaction.c +@@ -203,7 +203,7 @@ EXPORT_SYMBOL_GPL(balloon_page_dequeue); + + #ifdef CONFIG_BALLOON_COMPACTION + +-bool balloon_page_isolate(struct page *page, isolate_mode_t mode) ++static bool balloon_page_isolate(struct page *page, isolate_mode_t mode) + + { + struct balloon_dev_info *b_dev_info = balloon_page_device(page); +@@ -217,7 +217,7 @@ bool balloon_page_isolate(struct page *p + return true; + } + +-void balloon_page_putback(struct page *page) ++static void balloon_page_putback(struct page *page) + { + struct balloon_dev_info *b_dev_info = balloon_page_device(page); + unsigned long flags; +@@ -230,7 +230,7 @@ void balloon_page_putback(struct page *p + + + /* move_to_new_page() counterpart for a ballooned page */ +-int balloon_page_migrate(struct address_space *mapping, ++static int balloon_page_migrate(struct address_space *mapping, + struct page *newpage, struct page *page, + enum migrate_mode mode) + { diff --git a/queue-5.10/mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch b/queue-5.10/mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch new file mode 100644 index 0000000000..7af2af76ce --- /dev/null +++ b/queue-5.10/mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch 
@@ -0,0 +1,109 @@ +From stable+bounces-204902-greg=kroah.com@vger.kernel.org Mon Jan 5 20:41:10 2026 +From: Sasha Levin +Date: Mon, 5 Jan 2026 14:40:55 -0500 +Subject: mm/balloon_compaction: we cannot have isolated pages in the balloon list +To: stable@vger.kernel.org +Cc: "David Hildenbrand" , "Zi Yan" , "Lorenzo Stoakes" , "Alistair Popple" , "Al Viro" , "Arnd Bergmann" , "Brendan Jackman" , "Byungchul Park" , "Chengming Zhou" , "Christian Brauner" , "Christophe Leroy" , "Eugenio Pé rez" , "Greg Kroah-Hartman" , "Gregory Price" , "Huang, Ying" , "Jan Kara" , "Jason Gunthorpe" , "Jason Wang" , "Jerrin Shaji George" , "Johannes Weiner" , "John Hubbard" , "Jonathan Corbet" , "Joshua Hahn" , "Liam Howlett" , "Madhavan Srinivasan" , "Mathew Brost" , "Matthew Wilcox (Oracle)" , "Miaohe Lin" , "Michael Ellerman" , "Michael S. Tsirkin" , "Michal Hocko" , "Mike Rapoport" , "Minchan Kim" , "Naoya Horiguchi" , "Nicholas Piggin" , "Oscar Salvador" , "Peter Xu" , "Qi Zheng" , "Rakie Kim" , "Rik van Riel" , "Sergey Senozhatsky" , "Shakeel Butt" , "Suren Baghdasaryan" , "Vlastimil Babka" , "Xuan Zhuo" , "xu xin" , "Harry Yoo" , "Andrew Morton" , "Sasha Levin" +Message-ID: <20260105194057.2747929-2-sashal@kernel.org> + +From: David Hildenbrand + +[ Upstream commit fb05f992b6bbb4702307d96f00703ee637b24dbf ] + +Patch series "mm/migration: rework movable_ops page migration (part 1)", +v2. + +In the future, as we decouple "struct page" from "struct folio", pages +that support "non-lru page migration" -- movable_ops page migration such +as memory balloons and zsmalloc -- will no longer be folios. They will +not have ->mapping, ->lru, and likely no refcount and no page lock. But +they will have a type and flags 🙂 + +This is the first part (other parts not written yet) of decoupling +movable_ops page migration from folio migration. + +In this series, we get rid of the ->mapping usage, and start cleaning up +the code + separating it from folio migration. 
+ +Migration core will have to be further reworked to not treat movable_ops +pages like folios. This is the first step into that direction. + +This patch (of 29): + +The core will set PG_isolated only after mops->isolate_page() was called. +In case of the balloon, that is where we will remove it from the balloon +list. So we cannot have isolated pages in the balloon list. + +Let's drop this unnecessary check. + +Link: https://lkml.kernel.org/r/20250704102524.326966-2-david@redhat.com +Signed-off-by: David Hildenbrand +Acked-by: Zi Yan +Reviewed-by: Lorenzo Stoakes +Cc: Alistair Popple +Cc: Al Viro +Cc: Arnd Bergmann +Cc: Brendan Jackman +Cc: Byungchul Park +Cc: Chengming Zhou +Cc: Christian Brauner +Cc: Christophe Leroy +Cc: Eugenio Pé rez +Cc: Greg Kroah-Hartman +Cc: Gregory Price +Cc: "Huang, Ying" +Cc: Jan Kara +Cc: Jason Gunthorpe +Cc: Jason Wang +Cc: Jerrin Shaji George +Cc: Johannes Weiner +Cc: John Hubbard +Cc: Jonathan Corbet +Cc: Joshua Hahn +Cc: Liam Howlett +Cc: Madhavan Srinivasan +Cc: Mathew Brost +Cc: Matthew Wilcox (Oracle) +Cc: Miaohe Lin +Cc: Michael Ellerman +Cc: "Michael S. 
Tsirkin" +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Minchan Kim +Cc: Naoya Horiguchi +Cc: Nicholas Piggin +Cc: Oscar Salvador +Cc: Peter Xu +Cc: Qi Zheng +Cc: Rakie Kim +Cc: Rik van Riel +Cc: Sergey Senozhatsky +Cc: Shakeel Butt +Cc: Suren Baghdasaryan +Cc: Vlastimil Babka +Cc: Xuan Zhuo +Cc: xu xin +Cc: Harry Yoo +Signed-off-by: Andrew Morton +Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/balloon_compaction.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/mm/balloon_compaction.c ++++ b/mm/balloon_compaction.c +@@ -93,12 +93,6 @@ size_t balloon_page_list_dequeue(struct + if (!trylock_page(page)) + continue; + +- if (IS_ENABLED(CONFIG_BALLOON_COMPACTION) && +- PageIsolated(page)) { +- /* raced with isolation */ +- unlock_page(page); +- continue; +- } + balloon_page_delete(page); + __count_vm_event(BALLOON_DEFLATE); + list_add(&page->lru, pages); diff --git a/queue-5.10/mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch b/queue-5.10/mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch new file mode 100644 index 0000000000..1ef8212529 --- /dev/null +++ b/queue-5.10/mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch 
@@ -0,0 +1,245 @@
+From stable+bounces-206085-greg=kroah.com@vger.kernel.org Wed Jan 7 04:23:10 2026
+From: Harry Yoo
+Date: Wed, 7 Jan 2026 12:21:21 +0900
+Subject: mm/mprotect: delete pmd_none_or_clear_bad_unless_trans_huge()
+To: stable@vger.kernel.org
+Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org, baohua@kernel.org, baolin.wang@linux.alibaba.com, david@kernel.org, dev.jain@arm.com, hughd@google.com, jane.chu@oracle.com, jannh@google.com, kas@kernel.org, lance.yang@linux.dev, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, npache@redhat.com, pfalcato@suse.de, ryan.roberts@arm.com, vbabka@suse.cz, ziy@nvidia.com, "Alistair Popple" , "Anshuman Khandual" , "Axel Rasmussen" , "Christophe Leroy" , "Christoph Hellwig" , "David Hildenbrand" , "Huang, Ying" , "Ira Weiny" , "Jason Gunthorpe" , "Kirill A . Shutemov" , "Lorenzo Stoakes" , "Matthew Wilcox" , "Mel Gorman" , "Miaohe Lin" , "Mike Kravetz" , "Mike Rapoport" , "Minchan Kim" , "Naoya Horiguchi" , "Pavel Tatashin" , "Peter Xu" , "Peter Zijlstra" , "Qi Zheng" , "Ralph Campbell" , "SeongJae Park" , "Song Liu" , "Steven Price" , "Suren Baghdasaryan" , "Thomas Hellström" , "Will Deacon" , "Yang Shi" , "Yu Zhao" , "Zack Rusin" , "Harry Yoo"
+Message-ID: <20260107032121.587629-3-harry.yoo@oracle.com>
+
+From: Hugh Dickins
+
+commit 670ddd8cdcbd1d07a4571266ae3517f821728c3a upstream.
+
+change_pmd_range() had special pmd_none_or_clear_bad_unless_trans_huge(),
+required to avoid "bad" choices when setting automatic NUMA hinting under
+mmap_read_lock(); but most of that is already covered in pte_offset_map()
+now. change_pmd_range() just wants a pmd_none() check before wasting time
+on MMU notifiers, then checks on the read-once _pmd value to work out
+what's needed for huge cases. If change_pte_range() returns -EAGAIN to
+retry if pte_offset_map_lock() fails, nothing more special is needed.
+ +Link: https://lkml.kernel.org/r/725a42a9-91e9-c868-925-e3a5fd40bb4f@google.com +Signed-off-by: Hugh Dickins +Cc: Alistair Popple +Cc: Anshuman Khandual +Cc: Axel Rasmussen +Cc: Christophe Leroy +Cc: Christoph Hellwig +Cc: David Hildenbrand +Cc: "Huang, Ying" +Cc: Ira Weiny +Cc: Jason Gunthorpe +Cc: Kirill A. Shutemov +Cc: Lorenzo Stoakes +Cc: Matthew Wilcox +Cc: Mel Gorman +Cc: Miaohe Lin +Cc: Mike Kravetz +Cc: Mike Rapoport (IBM) +Cc: Minchan Kim +Cc: Naoya Horiguchi +Cc: Pavel Tatashin +Cc: Peter Xu +Cc: Peter Zijlstra +Cc: Qi Zheng +Cc: Ralph Campbell +Cc: Ryan Roberts +Cc: SeongJae Park +Cc: Song Liu +Cc: Steven Price +Cc: Suren Baghdasaryan +Cc: Thomas Hellström +Cc: Will Deacon +Cc: Yang Shi +Cc: Yu Zhao +Cc: Zack Rusin +Signed-off-by: Andrew Morton +[ Background: It was reported that a bad pmd is seen when automatic NUMA + balancing is marking page table entries as prot_numa: + + [2437548.196018] mm/pgtable-generic.c:50: bad pmd 00000000af22fc02(dffffffe71fbfe02) + [2437548.235022] Call Trace: + [2437548.238234] + [2437548.241060] dump_stack_lvl+0x46/0x61 + [2437548.245689] panic+0x106/0x2e5 + [2437548.249497] pmd_clear_bad+0x3c/0x3c + [2437548.253967] change_pmd_range.isra.0+0x34d/0x3a7 + [2437548.259537] change_p4d_range+0x156/0x20e + [2437548.264392] change_protection_range+0x116/0x1a9 + [2437548.269976] change_prot_numa+0x15/0x37 + [2437548.274774] task_numa_work+0x1b8/0x302 + [2437548.279512] task_work_run+0x62/0x95 + [2437548.283882] exit_to_user_mode_loop+0x1a4/0x1a9 + [2437548.289277] exit_to_user_mode_prepare+0xf4/0xfc + [2437548.294751] ? 
sysvec_apic_timer_interrupt+0x34/0x81 + [2437548.300677] irqentry_exit_to_user_mode+0x5/0x25 + [2437548.306153] asm_sysvec_apic_timer_interrupt+0x16/0x1b + + This is due to a race condition between change_prot_numa() and + THP migration because the kernel doesn't check is_swap_pmd() and + pmd_trans_huge() atomically: + + change_prot_numa() THP migration + ====================================================================== + - change_pmd_range() + -> is_swap_pmd() returns false, + meaning it's not a PMD migration + entry. + - do_huge_pmd_numa_page() + -> migrate_misplaced_page() sets + migration entries for the THP. + - change_pmd_range() + -> pmd_none_or_clear_bad_unless_trans_huge() + -> pmd_none() and pmd_trans_huge() returns false + - pmd_none_or_clear_bad_unless_trans_huge() + -> pmd_bad() returns true for the migration entry! + + The upstream commit 670ddd8cdcbd ("mm/mprotect: delete + pmd_none_or_clear_bad_unless_trans_huge()") closes this race condition + by checking is_swap_pmd() and pmd_trans_huge() atomically. + + Backporting note: + Unlike the mainline, pte_offset_map_lock() does not check if the pmd + entry is a migration entry or a hugepage; acquires PTL unconditionally + instead of returning failure. Therefore, it is necessary to keep the + !is_swap_pmd() && !pmd_trans_huge() && !pmd_devmap() check before + acquiring the PTL. + + After acquiring the lock, open-code the semantics of + pte_offset_map_lock() in the mainline kernel; change_pte_range() fails + if the pmd value has changed. This requires adding one more parameter + (to pass pmd value that is read before calling the function) to + change_pte_range(). 
] + +Signed-off-by: Harry Yoo +Acked-by: David Hildenbrand (Red Hat) +Signed-off-by: Greg Kroah-Hartman +--- + mm/mprotect.c | 75 ++++++++++++++++++++++++++++++++-------------------------- + 1 file changed, 42 insertions(+), 33 deletions(-) + +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -36,10 +36,11 @@ + #include "internal.h" + + static long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, +- unsigned long addr, unsigned long end, pgprot_t newprot, +- unsigned long cp_flags) ++ pmd_t pmd_old, unsigned long addr, unsigned long end, ++ pgprot_t newprot, unsigned long cp_flags) + { + pte_t *pte, oldpte; ++ pmd_t _pmd; + spinlock_t *ptl; + long pages = 0; + int target_node = NUMA_NO_NODE; +@@ -48,21 +49,15 @@ static long change_pte_range(struct vm_a + bool uffd_wp = cp_flags & MM_CP_UFFD_WP; + bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE; + +- /* +- * Can be called with only the mmap_lock for reading by +- * prot_numa so we must check the pmd isn't constantly +- * changing from under us from pmd_none to pmd_trans_huge +- * and/or the other way around. +- */ +- if (pmd_trans_unstable(pmd)) +- return 0; +- +- /* +- * The pmd points to a regular pte so the pmd can't change +- * from under us even if the mmap_lock is only hold for +- * reading. 
+ pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl);
++ /* Make sure pmd didn't change after acquiring ptl */
++ _pmd = pmd_read_atomic(pmd);
++ /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */
++ barrier();
++ if (!pmd_same(pmd_old, _pmd)) {
++ pte_unmap_unlock(pte, ptl);
++ return -EAGAIN;
++ }
+
+ /* Get target node for single threaded private VMAs */
+ if (prot_numa && !(vma->vm_flags & VM_SHARED) &&
+@@ -223,21 +218,33 @@ static inline long change_pmd_range(stru
+
+ pmd = pmd_offset(pud, addr);
+ do {
+- long this_pages;
+-
++ long ret;
++ pmd_t _pmd;
++again:
+ next = pmd_addr_end(addr, end);
++ _pmd = pmd_read_atomic(pmd);
++ /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ barrier();
++#endif
+
+ /*
+ * Automatic NUMA balancing walks the tables with mmap_lock
+ * held for read. It's possible a parallel update to occur
+- * between pmd_trans_huge() and a pmd_none_or_clear_bad()
+- * check leading to a false positive and clearing.
+- * Hence, it's necessary to atomically read the PMD value
+- * for all the checks.
++ * between pmd_trans_huge(), is_swap_pmd(), and
++ * a pmd_none_or_clear_bad() check leading to a false positive
++ * and clearing. Hence, it's necessary to atomically read
++ * the PMD value for all the checks.
+ */
+- if (!is_swap_pmd(*pmd) && !pmd_devmap(*pmd) &&
+- pmd_none_or_clear_bad_unless_trans_huge(pmd))
+- goto next;
++ if (!is_swap_pmd(_pmd) && !pmd_devmap(_pmd) && !pmd_trans_huge(_pmd)) {
++ if (pmd_none(_pmd))
++ goto next;
++
++ if (pmd_bad(_pmd)) {
++ pmd_clear_bad(pmd);
++ goto next;
++ }
++ }
+
+ /* invoke the mmu notifier if the pmd is populated */
+ if (!range.start) {
+@@ -247,15 +254,15 @@ static inline long change_pmd_range(stru
+ mmu_notifier_invalidate_range_start(&range);
+ }
+
+- if (is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) || pmd_devmap(*pmd)) {
++ if (is_swap_pmd(_pmd) || pmd_trans_huge(_pmd) || pmd_devmap(_pmd)) {
+ if (next - addr != HPAGE_PMD_SIZE) {
+ __split_huge_pmd(vma, pmd, addr, false, NULL);
+ } else {
+- int nr_ptes = change_huge_pmd(vma, pmd, addr,
+- newprot, cp_flags);
++ ret = change_huge_pmd(vma, pmd, addr, newprot,
++ cp_flags);
+
+- if (nr_ptes) {
+- if (nr_ptes == HPAGE_PMD_NR) {
++ if (ret) {
++ if (ret == HPAGE_PMD_NR) {
+ pages += HPAGE_PMD_NR;
+ nr_huge_updates++;
+ }
+@@ -266,9 +273,11 @@ static inline long change_pmd_range(stru
+ }
+ /* fall through, the trans huge pmd just split */
+ }
+- this_pages = change_pte_range(vma, pmd, addr, next, newprot,
+- cp_flags);
+- pages += this_pages;
++ ret = change_pte_range(vma, pmd, _pmd, addr, next, newprot,
++ cp_flags);
++ if (ret < 0)
++ goto again;
++ pages += ret;
+ next:
+ cond_resched();
+ } while (pmd++, addr = next, addr != end);
diff --git a/queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch b/queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch
new file mode 100644
index 0000000000..b8b5e38b4f
--- /dev/null
+++ b/queue-5.10/mm-mprotect-use-long-for-page-accountings-and-retval.patch
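Review bot: In change_pte_range() the pmd snapshot is checked with `pmd_same(pmd_old, _pmd)` only after `pte_offset_map_lock()` has already been taken, and the commit's own backporting note says that on this branch the lock is acquired unconditionally. On the fall-through from the huge branch of change_pmd_range() (`/* fall through, the trans huge pmd just split */`), `_pmd` still holds the huge or swap value, so the PTL is taken on an entry that was not re-read and the comparison is expected to fail and force a retry. It looks safer to end that branch with `goto again;` instead of falling through, so that the lock is reached only after a fresh read has passed the `!is_swap_pmd(_pmd) && !pmd_devmap(_pmd) && !pmd_trans_huge(_pmd)` test; this should be confirmed against the 5.10 pte_offset_map_lock(). The barrier() after `pmd_read_atomic()` is also under `#ifdef CONFIG_TRANSPARENT_HUGEPAGE` in change_pmd_range() but unconditional in change_pte_range(), and a one-line comment on why they differ would help. Both function bodies continue outside the hunks.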
@@ -0,0 +1,227 @@
+From stable+bounces-206084-greg=kroah.com@vger.kernel.org Wed Jan 7 04:22:20 2026
+From: Harry Yoo
+Date: Wed, 7 Jan 2026 12:21:20 +0900
+Subject: mm/mprotect: use long for page accountings and retval
+To: stable@vger.kernel.org
+Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org, baohua@kernel.org, baolin.wang@linux.alibaba.com, david@kernel.org, dev.jain@arm.com, hughd@google.com, jane.chu@oracle.com, jannh@google.com, kas@kernel.org, lance.yang@linux.dev, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, npache@redhat.com, pfalcato@suse.de, ryan.roberts@arm.com, vbabka@suse.cz, ziy@nvidia.com, Peter Xu , Mike Kravetz , James Houghton , Andrea Arcangeli , Axel Rasmussen , David Hildenbrand , Muchun Song , Nadav Amit , Harry Yoo
+Message-ID: <20260107032121.587629-2-harry.yoo@oracle.com>
+
+From: Peter Xu
+
+commit a79390f5d6a78647fd70856bd42b22d994de0ba2 upstream.
+
+Switch to use type "long" for page accountings and retval across the whole
+procedure of change_protection().
+
+The change should have shrinked the possible maximum page number to be
+half comparing to previous (ULONG_MAX / 2), but it shouldn't overflow on
+any system either because the maximum possible pages touched by change
+protection should be ULONG_MAX / PAGE_SIZE.
+
+Two reasons to switch from "unsigned long" to "long":
+
+ 1. It suites better on count_vm_numa_events(), whose 2nd parameter takes
+ a long type.
+
+ 2. It paves way for returning negative (error) values in the future.
+
+Currently the only caller that consumes this retval is change_prot_numa(),
+where the unsigned long was converted to an int. Since at it, touching up
+the numa code to also take a long, so it'll avoid any possible overflow
+too during the int-size convertion.
+ +Link: https://lkml.kernel.org/r/20230104225207.1066932-3-peterx@redhat.com +Signed-off-by: Peter Xu +Acked-by: Mike Kravetz +Acked-by: James Houghton +Cc: Andrea Arcangeli +Cc: Axel Rasmussen +Cc: David Hildenbrand +Cc: Muchun Song +Cc: Nadav Amit +Signed-off-by: Andrew Morton +[ Adjust context ] +Signed-off-by: Harry Yoo +Acked-by: David Hildenbrand (Red Hat) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hugetlb.h | 4 ++-- + include/linux/mm.h | 2 +- + mm/hugetlb.c | 4 ++-- + mm/mempolicy.c | 2 +- + mm/mprotect.c | 34 +++++++++++++++++----------------- + 5 files changed, 23 insertions(+), 23 deletions(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -184,7 +184,7 @@ struct page *follow_huge_pgd(struct mm_s + + int pmd_huge(pmd_t pmd); + int pud_huge(pud_t pud); +-unsigned long hugetlb_change_protection(struct vm_area_struct *vma, ++long hugetlb_change_protection(struct vm_area_struct *vma, + unsigned long address, unsigned long end, pgprot_t newprot); + + bool is_hugetlb_entry_migration(pte_t pte); +@@ -342,7 +342,7 @@ static inline void move_hugetlb_state(st + { + } + +-static inline unsigned long hugetlb_change_protection( ++static inline long hugetlb_change_protection( + struct vm_area_struct *vma, unsigned long address, + unsigned long end, pgprot_t newprot) + { +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1876,7 +1876,7 @@ extern unsigned long move_page_tables(st + #define MM_CP_UFFD_WP_ALL (MM_CP_UFFD_WP | \ + MM_CP_UFFD_WP_RESOLVE) + +-extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, ++extern long change_protection(struct vm_area_struct *vma, unsigned long start, + unsigned long end, pgprot_t newprot, + unsigned long cp_flags); + extern int mprotect_fixup(struct vm_area_struct *vma, +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -5051,7 +5051,7 @@ same_page: + #define flush_hugetlb_tlb_range(vma, addr, end) flush_tlb_range(vma, addr, end) + #endif + +-unsigned long 
hugetlb_change_protection(struct vm_area_struct *vma, ++long hugetlb_change_protection(struct vm_area_struct *vma, + unsigned long address, unsigned long end, pgprot_t newprot) + { + struct mm_struct *mm = vma->vm_mm; +@@ -5059,7 +5059,7 @@ unsigned long hugetlb_change_protection( + pte_t *ptep; + pte_t pte; + struct hstate *h = hstate_vma(vma); +- unsigned long pages = 0; ++ long pages = 0; + bool shared_pmd = false; + struct mmu_notifier_range range; + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -653,7 +653,7 @@ unlock: + unsigned long change_prot_numa(struct vm_area_struct *vma, + unsigned long addr, unsigned long end) + { +- int nr_updated; ++ long nr_updated; + + nr_updated = change_protection(vma, addr, end, PAGE_NONE, MM_CP_PROT_NUMA); + if (nr_updated) +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -35,13 +35,13 @@ + + #include "internal.h" + +-static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, ++static long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, + unsigned long addr, unsigned long end, pgprot_t newprot, + unsigned long cp_flags) + { + pte_t *pte, oldpte; + spinlock_t *ptl; +- unsigned long pages = 0; ++ long pages = 0; + int target_node = NUMA_NO_NODE; + bool dirty_accountable = cp_flags & MM_CP_DIRTY_ACCT; + bool prot_numa = cp_flags & MM_CP_PROT_NUMA; +@@ -209,13 +209,13 @@ static inline int pmd_none_or_clear_bad_ + return 0; + } + +-static inline unsigned long change_pmd_range(struct vm_area_struct *vma, ++static inline long change_pmd_range(struct vm_area_struct *vma, + pud_t *pud, unsigned long addr, unsigned long end, + pgprot_t newprot, unsigned long cp_flags) + { + pmd_t *pmd; + unsigned long next; +- unsigned long pages = 0; ++ long pages = 0; + unsigned long nr_huge_updates = 0; + struct mmu_notifier_range range; + +@@ -223,7 +223,7 @@ static inline unsigned long change_pmd_r + + pmd = pmd_offset(pud, addr); + do { +- unsigned long this_pages; ++ long this_pages; + + next = pmd_addr_end(addr, end); 
+ +@@ -281,13 +281,13 @@ next: + return pages; + } + +-static inline unsigned long change_pud_range(struct vm_area_struct *vma, +- p4d_t *p4d, unsigned long addr, unsigned long end, +- pgprot_t newprot, unsigned long cp_flags) ++static inline long change_pud_range(struct vm_area_struct *vma, p4d_t *p4d, ++ unsigned long addr, unsigned long end, pgprot_t newprot, ++ unsigned long cp_flags) + { + pud_t *pud; + unsigned long next; +- unsigned long pages = 0; ++ long pages = 0; + + pud = pud_offset(p4d, addr); + do { +@@ -301,13 +301,13 @@ static inline unsigned long change_pud_r + return pages; + } + +-static inline unsigned long change_p4d_range(struct vm_area_struct *vma, +- pgd_t *pgd, unsigned long addr, unsigned long end, +- pgprot_t newprot, unsigned long cp_flags) ++static inline long change_p4d_range(struct vm_area_struct *vma, pgd_t *pgd, ++ unsigned long addr, unsigned long end, pgprot_t newprot, ++ unsigned long cp_flags) + { + p4d_t *p4d; + unsigned long next; +- unsigned long pages = 0; ++ long pages = 0; + + p4d = p4d_offset(pgd, addr); + do { +@@ -321,7 +321,7 @@ static inline unsigned long change_p4d_r + return pages; + } + +-static unsigned long change_protection_range(struct vm_area_struct *vma, ++static long change_protection_range(struct vm_area_struct *vma, + unsigned long addr, unsigned long end, pgprot_t newprot, + unsigned long cp_flags) + { +@@ -329,7 +329,7 @@ static unsigned long change_protection_r + pgd_t *pgd; + unsigned long next; + unsigned long start = addr; +- unsigned long pages = 0; ++ long pages = 0; + + BUG_ON(addr >= end); + pgd = pgd_offset(mm, addr); +@@ -351,11 +351,11 @@ static unsigned long change_protection_r + return pages; + } + +-unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, ++long change_protection(struct vm_area_struct *vma, unsigned long start, + unsigned long end, pgprot_t newprot, + unsigned long cp_flags) + { +- unsigned long pages; ++ long pages; + + BUG_ON((cp_flags & 
MM_CP_UFFD_WP_ALL) == MM_CP_UFFD_WP_ALL); + diff --git a/queue-5.10/nfsd-nfsv4-file-creation-neglects-setting-acl.patch b/queue-5.10/nfsd-nfsv4-file-creation-neglects-setting-acl.patch new file mode 100644 index 0000000000..fb8505eb71 --- /dev/null +++ b/queue-5.10/nfsd-nfsv4-file-creation-neglects-setting-acl.patch 
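Review bot: change_prot_numa() in mm/mempolicy.c now stores the result in a `long` but still tests it with `if (nr_updated)` and keeps an `unsigned long` return type, so a negative value from change_protection() would be treated as a page count. The commit message says the type switch is meant to allow negative (error) returns later, so the test should already read `if (nr_updated > 0)`. A short comment on change_protection() stating that the return value is a page count today and may later be a negative errno would document the new contract for callers. The rest of change_prot_numa() is outside the hunk, so how the value is finally returned is inferred from the signature only.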
@@ -0,0 +1,49 @@
+From stable+bounces-204921-greg=kroah.com@vger.kernel.org Mon Jan 5 21:37:22 2026
+From: Chuck Lever
+Date: Mon, 5 Jan 2026 15:36:25 -0500
+Subject: NFSD: NFSv4 file creation neglects setting ACL
+To:
+Cc: Greg Kroah-Hartman , Sasha Levin , , Chuck Lever , Aurelien Couderc
+Message-ID: <20260105203625.3562597-1-cel@kernel.org>
+
+From: Chuck Lever
+
+[ Upstream commit 913f7cf77bf14c13cfea70e89bcb6d0b22239562 ]
+
+An NFSv4 client that sets an ACL with a named principal during file
+creation retrieves the ACL afterwards, and finds that it is only a
+default ACL (based on the mode bits) and not the ACL that was
+requested during file creation. This violates RFC 8881 section
+6.4.1.3: "the ACL attribute is set as given".
+
+The issue occurs in nfsd_create_setattr(). On 6.1.y, the check to
+determine whether nfsd_setattr() should be called is simply
+"iap->ia_valid", which only accounts for iattr changes. When only
+an ACL is present (and no iattr fields are set), nfsd_setattr() is
+skipped and the POSIX ACL is never applied to the inode.
+
+Subsequently, when the client retrieves the ACL, the server finds
+no POSIX ACL on the inode and returns one generated from the file's
+mode bits rather than returning the originally-specified ACL.
+
+Reported-by: Aurelien Couderc
+Fixes: c0cbe70742f4 ("NFSD: add posix ACLs to struct nfsd_attrs")
+Cc: stable@vger.kernel.org
+[ cel: Adjust nfsd_create_setattr() instead of nfsd_attrs_valid() ]
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/vfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1335,7 +1335,7 @@ nfsd_create_setattr(struct svc_rqst *rqs
+ * Callers expect new file metadata to be committed even
+ * if the attributes have not changed.
+ */
+- if (iap->ia_valid)
++ if (iap->ia_valid || attrs->na_pacl || attrs->na_dpacl)
+ status = nfsd_setattr(rqstp, resfhp, attrs, 0, (time64_t)0);
+ else
+ status = nfserrno(commit_metadata(resfhp));
diff --git a/queue-5.10/ovl-use-buf-flexible-array-for-memcpy-destination.patch b/queue-5.10/ovl-use-buf-flexible-array-for-memcpy-destination.patch
new file mode 100644
index 0000000000..998655e3aa
--- /dev/null
+++ b/queue-5.10/ovl-use-buf-flexible-array-for-memcpy-destination.patch
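Review bot: The comment above the changed test in nfsd_create_setattr() still explains only the metadata commit, while the condition now also decides whether a requested ACL is applied, which is an access-control property of the new file. I would extend it with something like `/* nfsd_setattr() must also run when only an ACL was supplied (RFC 8881 6.4.1.3), or the file keeps a mode-derived ACL. */`. If struct nfsd_attrs on this branch carries other non-iattr attributes (a security label, for instance), they would be skipped by the same test when sent alone; that cannot be checked from this hunk. The function body starts and ends outside the hunk.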
@@ -0,0 +1,55 @@ +From stable+bounces-204333-greg=kroah.com@vger.kernel.org Wed Dec 31 11:28:57 2025 +From: Shivani Agarwal +Date: Wed, 31 Dec 2025 02:08:09 -0800 +Subject: ovl: Use "buf" flexible array for memcpy() destination +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: miklos@szeredi.hu, amir73il@gmail.com, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Kees Cook , syzbot+9d14351a171d0d1c7955@syzkaller.appspotmail.com, "Gustavo A . R . Silva" , Miklos Szeredi , Shivani Agarwal +Message-ID: <20251231100809.642262-1-shivani.agarwal@broadcom.com> + +From: Kees Cook + +commit cf8aa9bf97cadf85745506c6a3e244b22c268d63 upstream. + +The "buf" flexible array needs to be the memcpy() destination to avoid +false positive run-time warning from the recent FORTIFY_SOURCE +hardening: + + memcpy: detected field-spanning write (size 93) of single field "&fh->fb" + at fs/overlayfs/export.c:799 (size 21) + +Reported-by: syzbot+9d14351a171d0d1c7955@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000763a6c05e95a5985@google.com/ +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. 
Silva +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +[Shivani: Modified to apply on 5.10.y] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/export.c | 2 +- + fs/overlayfs/overlayfs.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/overlayfs/export.c ++++ b/fs/overlayfs/export.c +@@ -788,7 +788,7 @@ static struct ovl_fh *ovl_fid_to_fh(stru + return ERR_PTR(-ENOMEM); + + /* Copy unaligned inner fh into aligned buffer */ +- memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET); ++ memcpy(fh->buf, fid, buflen - OVL_FH_WIRE_OFFSET); + return fh; + } + +--- a/fs/overlayfs/overlayfs.h ++++ b/fs/overlayfs/overlayfs.h +@@ -104,7 +104,7 @@ struct ovl_fh { + u8 padding[3]; /* make sure fb.fid is 32bit aligned */ + union { + struct ovl_fb fb; +- u8 buf[0]; ++ DECLARE_FLEX_ARRAY(u8, buf); + }; + } __packed; + diff --git a/queue-5.10/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch b/queue-5.10/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch new file mode 100644 index 0000000000..3866ee8d41 --- /dev/null +++ b/queue-5.10/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch 
@@ -0,0 +1,48 @@
+From stable+bounces-206025-greg=kroah.com@vger.kernel.org Tue Jan 6 20:18:15 2026
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 13:26:54 -0500
+Subject: pmdomain: imx: Fix reference count leak in imx_gpc_probe()
+To: stable@vger.kernel.org
+Cc: Wentao Liang , Frank Li , Ulf Hansson , Sasha Levin
+Message-ID: <20260106182656.3115094-3-sashal@kernel.org>
+
+From: Wentao Liang
+
+[ Upstream commit 73cb5f6eafb0ac7aea8cdeb8ff12981aa741d8fb ]
+
+of_get_child_by_name() returns a node pointer with refcount incremented.
+Use the __free() attribute to manage the pgc_node reference, ensuring
+automatic of_node_put() cleanup when pgc_node goes out of scope.
+
+This eliminates the need for explicit error handling paths and avoids
+reference count leaks.
+
+Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wentao Liang
+Reviewed-by: Frank Li
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/imx/gpc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/soc/imx/gpc.c
++++ b/drivers/soc/imx/gpc.c
+@@ -405,13 +405,12 @@ clk_err:
+ static int imx_gpc_probe(struct platform_device *pdev)
+ {
+ const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev);
+- struct device_node *pgc_node;
++ struct device_node *pgc_node __free(device_node)
++ = of_get_child_by_name(pdev->dev.of_node, "pgc");
+ struct regmap *regmap;
+ void __iomem *base;
+ int ret;
+
+- pgc_node = of_get_child_by_name(pdev->dev.of_node, "pgc");
+-
+ /* bail out if DT too old and doesn't provide the necessary info */
+ if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") &&
+ !pgc_node)
diff --git a/queue-5.10/pmdomain-use-device_get_match_data.patch b/queue-5.10/pmdomain-use-device_get_match_data.patch
new file mode 100644
index 0000000000..d7aba502a0
--- /dev/null
+++ b/queue-5.10/pmdomain-use-device_get_match_data.patch
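Review bot: The new declaration `struct device_node *pgc_node __free(device_node) = ...` in imx_gpc_probe() depends on the scope-based cleanup helpers, and the hunk adds no include for them, so this backport builds only if `__free()` and the `device_node` cleanup class are already available on 5.10.y; that is not visible here. Because the put now happens on every return, any `of_node_put(pgc_node)` in the part of the function outside the hunk would become a double put, and a pointer derived from pgc_node must not be kept past the return without its own reference. A comment such as `/* released automatically by __free(device_node) on return */` beside the declaration would make the ownership explicit for readers of this older tree.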
@@ -0,0 +1,134 @@ +From stable+bounces-206024-greg=kroah.com@vger.kernel.org Tue Jan 6 19:29:58 2026 +From: Sasha Levin +Date: Tue, 6 Jan 2026 13:26:53 -0500 +Subject: pmdomain: Use device_get_match_data() +To: stable@vger.kernel.org +Cc: Rob Herring , Ulf Hansson , Sasha Levin +Message-ID: <20260106182656.3115094-2-sashal@kernel.org> + +From: Rob Herring + +[ Upstream commit 3ba9fdfaa550936837b50b73d6c27ac401fde875 ] + +Use preferred device_get_match_data() instead of of_match_device() to +get the driver match data. With this, adjust the includes to explicitly +include the correct headers. + +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/20231006224614.444488-1-robh@kernel.org +Signed-off-by: Ulf Hansson +Stable-dep-of: 73cb5f6eafb0 ("pmdomain: imx: Fix reference count leak in imx_gpc_probe()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/actions/owl-sps.c | 16 +++++----------- + drivers/soc/imx/gpc.c | 7 +++---- + drivers/soc/rockchip/pm_domains.c | 13 ++++--------- + 3 files changed, 12 insertions(+), 24 deletions(-) + +--- a/drivers/soc/actions/owl-sps.c ++++ b/drivers/soc/actions/owl-sps.c +@@ -8,8 +8,10 @@ + * Copyright (c) 2017 Andreas Färber + */ + ++#include + #include +-#include ++#include ++#include + #include + #include + #include +@@ -96,24 +98,16 @@ static int owl_sps_init_domain(struct ow + + static int owl_sps_probe(struct platform_device *pdev) + { +- const struct of_device_id *match; + const struct owl_sps_info *sps_info; + struct owl_sps *sps; + int i, ret; + +- if (!pdev->dev.of_node) { +- dev_err(&pdev->dev, "no device node\n"); +- return -ENODEV; +- } +- +- match = of_match_device(pdev->dev.driver->of_match_table, &pdev->dev); +- if (!match || !match->data) { ++ sps_info = device_get_match_data(&pdev->dev); ++ if (!sps_info) { + dev_err(&pdev->dev, "unknown compatible or missing data\n"); + return -EINVAL; + } + +- sps_info = match->data; +- + sps = devm_kzalloc(&pdev->dev, + struct_size(sps, 
domains, sps_info->num_domains), + GFP_KERNEL); +--- a/drivers/soc/imx/gpc.c ++++ b/drivers/soc/imx/gpc.c +@@ -7,9 +7,10 @@ + #include + #include + #include +-#include ++#include + #include + #include ++#include + #include + #include + +@@ -403,9 +404,7 @@ clk_err: + + static int imx_gpc_probe(struct platform_device *pdev) + { +- const struct of_device_id *of_id = +- of_match_device(imx_gpc_dt_ids, &pdev->dev); +- const struct imx_gpc_dt_data *of_id_data = of_id->data; ++ const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev); + struct device_node *pgc_node; + struct regmap *regmap; + void __iomem *base; +--- a/drivers/soc/rockchip/pm_domains.c ++++ b/drivers/soc/rockchip/pm_domains.c +@@ -9,11 +9,13 @@ + #include + #include + #include ++#include + #include + #include ++#include ++#include + #include + #include +-#include + #include + #include + #include +@@ -728,7 +730,6 @@ static int rockchip_pm_domain_probe(stru + struct device_node *node; + struct device *parent; + struct rockchip_pmu *pmu; +- const struct of_device_id *match; + const struct rockchip_pmu_info *pmu_info; + int error; + +@@ -737,13 +738,7 @@ static int rockchip_pm_domain_probe(stru + return -ENODEV; + } + +- match = of_match_device(dev->driver->of_match_table, dev); +- if (!match || !match->data) { +- dev_err(dev, "missing pmu data\n"); +- return -EINVAL; +- } +- +- pmu_info = match->data; ++ pmu_info = device_get_match_data(dev); + + pmu = devm_kzalloc(dev, + struct_size(pmu, domains, pmu_info->num_domains), diff --git a/queue-5.10/powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch b/queue-5.10/powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch new file mode 100644 index 0000000000..2388e85ba5 --- /dev/null +++ b/queue-5.10/powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch 
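Review bot: In `rockchip_pm_domain_probe()` the removed `!match || !match->data` check has no replacement, so the result of `device_get_match_data(dev)` is dereferenced in `struct_size(pmu, domains, pmu_info->num_domains)` without a NULL test. `owl_sps_probe()` in the same patch keeps its guard (`if (!sps_info)`), and the rockchip path should keep one too: `if (!pmu_info) { dev_err(dev, "missing pmu data\n"); return -EINVAL; }`. `imx_gpc_probe()` also takes `of_id_data` unchecked, although the code it replaces dereferenced `of_id->data` the same way; its first use is outside the hunk.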
@@ -0,0 +1,45 @@
+From stable+bounces-204904-greg=kroah.com@vger.kernel.org Mon Jan 5 20:41:15 2026
+From: Sasha Levin
+Date: Mon, 5 Jan 2026 14:40:57 -0500
+Subject: powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
+To: stable@vger.kernel.org
+Cc: David Hildenbrand , "Ritesh Harjani (IBM)" , Christophe Leroy , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Andrew Morton , Sasha Levin
+Message-ID: <20260105194057.2747929-4-sashal@kernel.org>
+
+From: David Hildenbrand
+
+[ Upstream commit 0da2ba35c0d532ca0fe7af698b17d74c4d084b9a ]
+
+Let's properly adjust BALLOON_MIGRATE like the other drivers.
+
+Note that the INFLATE/DEFLATE events are triggered from the core when
+enqueueing/dequeueing pages.
+
+This was found by code inspection.
+
+Link: https://lkml.kernel.org/r/20251021100606.148294-3-david@redhat.com
+Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction")
+Signed-off-by: David Hildenbrand
+Reviewed-by: Ritesh Harjani (IBM)
+Cc: Christophe Leroy
+Cc: Madhavan Srinivasan
+Cc: Michael Ellerman
+Cc: Nicholas Piggin
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/pseries/cmm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/platforms/pseries/cmm.c
++++ b/arch/powerpc/platforms/pseries/cmm.c
+@@ -550,6 +550,7 @@ static int cmm_migratepage(struct balloo
+
+ spin_lock_irqsave(&b_dev_info->pages_lock, flags);
+ balloon_page_insert(b_dev_info, newpage);
++ __count_vm_event(BALLOON_MIGRATE);
+ b_dev_info->isolated_pages--;
+ spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
+
diff --git a/queue-5.10/scsi-iscsi-move-pool-freeing.patch b/queue-5.10/scsi-iscsi-move-pool-freeing.patch
new file mode 100644
index 0000000000..85cd4541be
--- /dev/null
+++ b/queue-5.10/scsi-iscsi-move-pool-freeing.patch
@@ -0,0 +1,42 @@
+From stable+bounces-206249-greg=kroah.com@vger.kernel.org Thu Jan 8 07:46:17 2026
+From: Shivani Agarwal
+Date: Wed, 7 Jan 2026 22:22:21 -0800
+Subject: scsi: iscsi: Move pool freeing
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: lduncan@suse.com, cleech@redhat.com, michael.christie@oracle.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Shivani Agarwal
+Message-ID: <20260108062222.670715-2-shivani.agarwal@broadcom.com>
+
+From: Mike Christie
+
+[ Upstream commit a1f3486b3b095ed2259d7a1fc021a8b6e72a5365 ]
+
+This doesn't fix any bugs, but it makes more sense to free the pool after
+we have removed the session. At that time we know nothing is touching any
+of the session fields, because all devices have been removed and scans are
+stopped.
+
+Link: https://lore.kernel.org/r/20210525181821.7617-19-michael.christie@oracle.com
+Reviewed-by: Lee Duncan
+Signed-off-by: Mike Christie
+Signed-off-by: Martin K. Petersen
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/libiscsi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -2902,10 +2902,9 @@ void iscsi_session_teardown(struct iscsi
+ struct module *owner = cls_session->transport->owner;
+ struct Scsi_Host *shost = session->host;
+
+- iscsi_pool_free(&session->cmdpool);
+-
+ iscsi_remove_session(cls_session);
+
++ iscsi_pool_free(&session->cmdpool);
+ kfree(session->password);
+ kfree(session->password_in);
+ kfree(session->username);
diff --git a/queue-5.10/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch b/queue-5.10/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch
new file mode 100644
index 0000000000..5ecc01b9c5
--- /dev/null
+++ b/queue-5.10/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch
@@ -0,0 +1,227 @@ +From stable+bounces-206250-greg=kroah.com@vger.kernel.org Thu Jan 8 07:46:57 2026 +From: Shivani Agarwal +Date: Wed, 7 Jan 2026 22:22:22 -0800 +Subject: scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: lduncan@suse.com, cleech@redhat.com, michael.christie@oracle.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Ding Hui , Shivani Agarwal +Message-ID: <20260108062222.670715-3-shivani.agarwal@broadcom.com> + +From: Mike Christie + +[ Upstream commit 6f1d64b13097e85abda0f91b5638000afc5f9a06 ] + +Bug report and analysis from Ding Hui. + +During iSCSI session logout, if another task accesses the shost ipaddress +attr, we can get a KASAN UAF report like this: + +[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0 +[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088 +[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3 +[ 276.943997] Hardware name: VMware, Inc. 
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +[ 276.944470] Call Trace: +[ 276.944943] +[ 276.945397] dump_stack_lvl+0x34/0x48 +[ 276.945887] print_address_description.constprop.0+0x86/0x1e7 +[ 276.946421] print_report+0x36/0x4f +[ 276.947358] kasan_report+0xad/0x130 +[ 276.948234] kasan_check_range+0x35/0x1c0 +[ 276.948674] _raw_spin_lock_bh+0x78/0xe0 +[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp] +[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi] +[ 276.952185] dev_attr_show+0x3f/0x80 +[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0 +[ 276.953401] seq_read_iter+0x402/0x1020 +[ 276.954260] vfs_read+0x532/0x7b0 +[ 276.955113] ksys_read+0xed/0x1c0 +[ 276.955952] do_syscall_64+0x38/0x90 +[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 276.956769] RIP: 0033:0x7f5d3a679222 +[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 +[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222 +[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003 +[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000 +[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000 +[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58 +[ 276.960536] +[ 276.961357] Allocated by task 2209: +[ 276.961756] kasan_save_stack+0x1e/0x40 +[ 276.962170] kasan_set_track+0x21/0x30 +[ 276.962557] __kasan_kmalloc+0x7e/0x90 +[ 276.962923] __kmalloc+0x5b/0x140 +[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi] +[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi] +[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp] +[ 
276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi] +[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi] +[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] +[ 276.965546] netlink_unicast+0x4d5/0x7b0 +[ 276.965905] netlink_sendmsg+0x78d/0xc30 +[ 276.966236] sock_sendmsg+0xe5/0x120 +[ 276.966576] ____sys_sendmsg+0x5fe/0x860 +[ 276.966923] ___sys_sendmsg+0xe0/0x170 +[ 276.967300] __sys_sendmsg+0xc8/0x170 +[ 276.967666] do_syscall_64+0x38/0x90 +[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 276.968773] Freed by task 2209: +[ 276.969111] kasan_save_stack+0x1e/0x40 +[ 276.969449] kasan_set_track+0x21/0x30 +[ 276.969789] kasan_save_free_info+0x2a/0x50 +[ 276.970146] __kasan_slab_free+0x106/0x190 +[ 276.970470] __kmem_cache_free+0x133/0x270 +[ 276.970816] device_release+0x98/0x210 +[ 276.971145] kobject_cleanup+0x101/0x360 +[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi] +[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp] +[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi] +[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] +[ 276.972808] netlink_unicast+0x4d5/0x7b0 +[ 276.973201] netlink_sendmsg+0x78d/0xc30 +[ 276.973544] sock_sendmsg+0xe5/0x120 +[ 276.973864] ____sys_sendmsg+0x5fe/0x860 +[ 276.974248] ___sys_sendmsg+0xe0/0x170 +[ 276.974583] __sys_sendmsg+0xc8/0x170 +[ 276.974891] do_syscall_64+0x38/0x90 +[ 276.975216] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +We can easily reproduce by two tasks: +1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done +2. 
while :; do cat \ +/sys/devices/platform/host*/iscsi_host/host*/ipaddress; done + + iscsid | cat +--------------------------------+--------------------------------------- +|- iscsi_sw_tcp_session_destroy | + |- iscsi_session_teardown | + |- device_release | + |- iscsi_session_release ||- dev_attr_show + |- kfree | |- show_host_param_ + | ISCSI_HOST_PARAM_IPADDRESS + | |- iscsi_sw_tcp_host_get_param + | |- r/w tcp_sw_host->session (UAF) + |- iscsi_host_remove | + |- iscsi_host_free | + +Fix the above bug by splitting the session removal into 2 parts: + + 1. removal from iSCSI class which includes sysfs and removal from host + tracking. + + 2. freeing of session. + +During iscsi_tcp host and session removal we can remove the session from +sysfs then remove the host from sysfs. At this point we know userspace is +not accessing the kernel via sysfs so we can free the session and host. + +Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com +Signed-off-by: Mike Christie +Reviewed-by: Lee Duncan +Acked-by: Ding Hui +Signed-off-by: Martin K. Petersen +[Shivani: The false parameter was not passed to iscsi_host_remove() because, + in Linux 5.10.y, the default behavior of iscsi_host_remove() already + assumes false.] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/iscsi_tcp.c | 11 +++++++++-- + drivers/scsi/libiscsi.c | 38 +++++++++++++++++++++++++++++++------- + include/scsi/libiscsi.h | 2 ++ + 3 files changed, 42 insertions(+), 9 deletions(-) + +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -933,10 +933,17 @@ static void iscsi_sw_tcp_session_destroy + if (WARN_ON_ONCE(session->leadconn)) + return; + ++ iscsi_session_remove(cls_session); ++ /* ++ * Our get_host_param needs to access the session, so remove the ++ * host from sysfs before freeing the session to make sure userspace ++ * is no longer accessing the callout. 
++ */ ++ iscsi_host_remove(shost); ++ + iscsi_tcp_r2tpool_free(cls_session->dd_data); +- iscsi_session_teardown(cls_session); + +- iscsi_host_remove(shost); ++ iscsi_session_free(cls_session); + iscsi_host_free(shost); + } + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -2892,17 +2892,32 @@ dec_session_count: + } + EXPORT_SYMBOL_GPL(iscsi_session_setup); + +-/** +- * iscsi_session_teardown - destroy session, host, and cls_session +- * @cls_session: iscsi session ++/* ++ * issi_session_remove - Remove session from iSCSI class. + */ +-void iscsi_session_teardown(struct iscsi_cls_session *cls_session) ++void iscsi_session_remove(struct iscsi_cls_session *cls_session) + { + struct iscsi_session *session = cls_session->dd_data; +- struct module *owner = cls_session->transport->owner; + struct Scsi_Host *shost = session->host; + + iscsi_remove_session(cls_session); ++ /* ++ * host removal only has to wait for its children to be removed from ++ * sysfs, and iscsi_tcp needs to do iscsi_host_remove before freeing ++ * the session, so drop the session count here. 
++ */ ++ iscsi_host_dec_session_cnt(shost); ++} ++EXPORT_SYMBOL_GPL(iscsi_session_remove); ++ ++/** ++ * iscsi_session_free - Free iscsi session and it's resources ++ * @cls_session: iscsi session ++ */ ++void iscsi_session_free(struct iscsi_cls_session *cls_session) ++{ ++ struct iscsi_session *session = cls_session->dd_data; ++ struct module *owner = cls_session->transport->owner; + + iscsi_pool_free(&session->cmdpool); + kfree(session->password); +@@ -2920,10 +2935,19 @@ void iscsi_session_teardown(struct iscsi + kfree(session->discovery_parent_type); + + iscsi_free_session(cls_session); +- +- iscsi_host_dec_session_cnt(shost); + module_put(owner); + } ++EXPORT_SYMBOL_GPL(iscsi_session_free); ++ ++/** ++ * iscsi_session_teardown - destroy session and cls_session ++ * @cls_session: iscsi session ++ */ ++void iscsi_session_teardown(struct iscsi_cls_session *cls_session) ++{ ++ iscsi_session_remove(cls_session); ++ iscsi_session_free(cls_session); ++} + EXPORT_SYMBOL_GPL(iscsi_session_teardown); + + /** +--- a/include/scsi/libiscsi.h ++++ b/include/scsi/libiscsi.h +@@ -401,6 +401,8 @@ extern int iscsi_target_alloc(struct scs + extern struct iscsi_cls_session * + iscsi_session_setup(struct iscsi_transport *, struct Scsi_Host *shost, + uint16_t, int, int, uint32_t, unsigned int); ++void iscsi_session_remove(struct iscsi_cls_session *cls_session); ++void iscsi_session_free(struct iscsi_cls_session *cls_session); + extern void iscsi_session_teardown(struct iscsi_cls_session *); + extern void iscsi_session_recovery_timedout(struct iscsi_cls_session *); + extern int iscsi_set_param(struct iscsi_cls_conn *cls_conn, diff --git a/queue-5.10/series b/queue-5.10/series index c45a10a2b1..65a3f6d2f5 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
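Review bot: The header comment of the new exported `iscsi_session_remove()` misspells the function as `issi_session_remove` and is a plain `/*` comment without `@cls_session`, unlike the kernel-doc blocks on `iscsi_session_free()` and `iscsi_session_teardown()` beside it. Suggested header: `/**`, ` * iscsi_session_remove - Remove session from iSCSI class.`, ` * @cls_session: iscsi session`. The ordering contract belongs there as well, because `iscsi_host_dec_session_cnt()` now lives in the remove half: a caller using the split API has to call `iscsi_session_remove()` before `iscsi_session_free()`, as `iscsi_sw_tcp_session_destroy()` does. In the `iscsi_session_free()` doc, `it's resources` should read `its resources`.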
@@ -377,4 +377,32 @@ powerpc-64s-slb-fix-slb-multihit-issue-during-slb-preload.patch pci-brcmstb-fix-disabling-l0s-capability.patch powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch -kvm-arm64-sys_regs-disable-wuninitialized-const-pointer-warning.patch +asoc-stm-use-dev_err_probe-helper.patch +asoc-stm32-sai-use-the-devm_clk_get_optional-helper.patch +asoc-stm32-sai-fix-clk-prepare-imbalance-on-probe-failure.patch +mm-balloon_compaction-make-balloon-page-compaction-callbacks-static.patch +mm-balloon_compaction-we-cannot-have-isolated-pages-in-the-balloon-list.patch +mm-balloon_compaction-convert-balloon_page_delete-to-balloon_page_finalize.patch +powerpc-pseries-cmm-adjust-balloon_migrate-when-migrating-pages.patch +media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch +media-vpif_capture-fix-section-mismatch.patch +media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch +soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch +pmdomain-use-device_get_match_data.patch +pmdomain-imx-fix-reference-count-leak-in-imx_gpc_probe.patch +lockd-fix-vfs_test_lock-calls.patch +drm-gma500-remove-unused-helper-psb_fbdev_fb_setcolreg.patch +wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch +nfsd-nfsv4-file-creation-neglects-setting-acl.patch +mm-mprotect-use-long-for-page-accountings-and-retval.patch +mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch +scsi-iscsi-move-pool-freeing.patch +scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch +cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch +ovl-use-buf-flexible-array-for-memcpy-destination.patch +btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch +bus-fsl-mc-bus-fix-kasan-use-after-free-in-fsl_mc_bus_remove.patch +leds-lp50xx-reduce-level-of-dereferences.patch 
+leds-lp50xx-get-rid-of-redundant-check-in-lp50xx_enable_disable.patch +leds-lp50xx-remove-duplicated-error-reporting-in-.remove.patch +leds-leds-lp50xx-enable-chip-before-any-communication.patch diff --git a/queue-5.10/soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch b/queue-5.10/soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch new file mode 100644 index 0000000000..fda4b0660b --- /dev/null +++ b/queue-5.10/soc-rockchip-power-domain-manage-resource-conflicts-with-firmware.patch 
@@ -0,0 +1,291 @@ +From stable+bounces-206023-greg=kroah.com@vger.kernel.org Tue Jan 6 20:08:34 2026 +From: Sasha Levin +Date: Tue, 6 Jan 2026 13:26:52 -0500 +Subject: soc: rockchip: power-domain: Manage resource conflicts with firmware +To: stable@vger.kernel.org +Cc: Brian Norris , Peter Geis , Heiko Stuebner , Chanwoo Choi , Sasha Levin +Message-ID: <20260106182656.3115094-1-sashal@kernel.org> + +From: Brian Norris + +[ Upstream commit defec178df76e0caadd4e8ef68f3d655a2088198 ] + +On RK3399 platforms, power domains are managed mostly by the kernel +(drivers/soc/rockchip/pm_domains.c), but there are a few exceptions +where ARM Trusted Firmware has to be involved: + +(1) system suspend/resume +(2) DRAM DVFS (a.k.a., "ddrfreq") + +Exception (1) does not cause much conflict, since the kernel has +quiesced itself by the time we make the relevant PSCI call. + +Exception (2) can cause conflict, because of two actions: + +(a) ARM Trusted Firmware needs to read/modify/write the PMU_BUS_IDLE_REQ + register to idle the memory controller domain; the kernel driver + also has to touch this register for other domains. +(b) ARM Trusted Firmware needs to manage the clocks associated with + these domains. + +To elaborate on (b): idling a power domain has always required ungating +an array of clocks; see this old explanation from Rockchip: +https://lore.kernel.org/linux-arm-kernel/54503C19.9060607@rock-chips.com/ + +Historically, ARM Trusted Firmware has avoided this issue by using a +special PMU_CRU_GATEDIS_CON0 register -- this register ungates all the +necessary clocks -- when idling the memory controller. Unfortunately, +we've found that this register is not 100% sufficient; it does not turn +the relevant PLLs on [0]. + +So it's possible to trigger issues with something like the following: + +1. enable a power domain (e.g., RK3399_PD_VDU) -- kernel will + temporarily enable relevant clocks/PLLs, then turn them back off + 2. 
a PLL (e.g., PLL_NPLL) is part of the clock tree for + RK3399_PD_VDU's clocks but otherwise unused; NPLL is disabled +3. perform a ddrfreq transition (rk3399_dmcfreq_target() -> ... + drivers/clk/rockchip/clk-ddr.c / ROCKCHIP_SIP_DRAM_FREQ) + 4. ARM Trusted Firmware unagates VDU clocks (via PMU_CRU_GATEDIS_CON0) + 5. ARM Trusted firmware idles the memory controller domain + 6. Step 5 waits on the VDU domain/clocks, but NPLL is still off + +i.e., we hang the system. + +So for (b), we need to at a minimum manage the relevant PLLs on behalf +of firmware. It's easier to simply manage the whole clock tree, in a +similar way we do in rockchip_pd_power(). + +For (a), we need to provide mutual exclusion betwen rockchip_pd_power() +and firmware. To resolve that, we simply grab the PMU mutex and release +it when ddrfreq is done. + +The Chromium OS kernel has been carrying versions of part of this hack +for a while, based on some new custom notifiers [1]. I've rewritten as a +simple function call between the drivers, which is OK because: + + * the PMU driver isn't enabled, and we don't have this problem at all + (the firmware should have left us in an OK state, and there are no + runtime conflicts); or + * the PMU driver is present, and is a single instance. + +And the power-domain driver cannot be removed, so there's no lifetime +management to worry about. + +For completeness, there's a 'dmc_pmu_mutex' to guard (likely +theoretical?) probe()-time races. It's OK for the memory controller +driver to start running before the PMU, because the PMU will avoid any +critical actions during the block() sequence. + +[0] The RK3399 TRM for PMU_CRU_GATEDIS_CON0 only talks about ungating + clocks. Based on experimentation, we've found that it does not power + up the necessary PLLs. 
+ +[1] CHROMIUM: soc: rockchip: power-domain: Add notifier to dmc driver + https://chromium-review.googlesource.com/q/I242dbd706d352f74ff706f5cbf42ebb92f9bcc60 + Notably, the Chromium solution only handled conflict (a), not (b). + In practice, item (b) wasn't a problem in many cases because we + never managed to fully power off PLLs. Now that the (upstream) video + decoder driver performs runtime clock management, we often power off + NPLL. + +Signed-off-by: Brian Norris +Tested-by: Peter Geis +Reviewed-by: Heiko Stuebner +Signed-off-by: Chanwoo Choi +Stable-dep-of: 73cb5f6eafb0 ("pmdomain: imx: Fix reference count leak in imx_gpc_probe()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/rockchip/pm_domains.c | 118 ++++++++++++++++++++++++++++++++++++++ + include/soc/rockchip/pm_domains.h | 25 ++++++++ + 2 files changed, 143 insertions(+) + create mode 100644 include/soc/rockchip/pm_domains.h + +--- a/drivers/soc/rockchip/pm_domains.c ++++ b/drivers/soc/rockchip/pm_domains.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -16,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -131,6 +133,109 @@ struct rockchip_pmu { + #define DOMAIN_RK3399(pwr, status, req, wakeup) \ + DOMAIN(pwr, status, req, req, req, wakeup) + ++/* ++ * Dynamic Memory Controller may need to coordinate with us -- see ++ * rockchip_pmu_block(). ++ * ++ * dmc_pmu_mutex protects registration-time races, so DMC driver doesn't try to ++ * block() while we're initializing the PMU. ++ */ ++static DEFINE_MUTEX(dmc_pmu_mutex); ++static struct rockchip_pmu *dmc_pmu; ++ ++/* ++ * Block PMU transitions and make sure they don't interfere with ARM Trusted ++ * Firmware operations. There are two conflicts, noted in the comments below. ++ * ++ * Caller must unblock PMU transitions via rockchip_pmu_unblock(). 
++ */ ++int rockchip_pmu_block(void) ++{ ++ struct rockchip_pmu *pmu; ++ struct generic_pm_domain *genpd; ++ struct rockchip_pm_domain *pd; ++ int i, ret; ++ ++ mutex_lock(&dmc_pmu_mutex); ++ ++ /* No PMU (yet)? Then we just block rockchip_pmu_probe(). */ ++ if (!dmc_pmu) ++ return 0; ++ pmu = dmc_pmu; ++ ++ /* ++ * mutex blocks all idle transitions: we can't touch the ++ * PMU_BUS_IDLE_REQ (our ".idle_offset") register while ARM Trusted ++ * Firmware might be using it. ++ */ ++ mutex_lock(&pmu->mutex); ++ ++ /* ++ * Power domain clocks: Per Rockchip, we *must* keep certain clocks ++ * enabled for the duration of power-domain transitions. Most ++ * transitions are handled by this driver, but some cases (in ++ * particular, DRAM DVFS / memory-controller idle) must be handled by ++ * firmware. Firmware can handle most clock management via a special ++ * "ungate" register (PMU_CRU_GATEDIS_CON0), but unfortunately, this ++ * doesn't handle PLLs. We can assist this transition by doing the ++ * clock management on behalf of firmware. ++ */ ++ for (i = 0; i < pmu->genpd_data.num_domains; i++) { ++ genpd = pmu->genpd_data.domains[i]; ++ if (genpd) { ++ pd = to_rockchip_pd(genpd); ++ ret = clk_bulk_enable(pd->num_clks, pd->clks); ++ if (ret < 0) { ++ dev_err(pmu->dev, ++ "failed to enable clks for domain '%s': %d\n", ++ genpd->name, ret); ++ goto err; ++ } ++ } ++ } ++ ++ return 0; ++ ++err: ++ for (i = i - 1; i >= 0; i--) { ++ genpd = pmu->genpd_data.domains[i]; ++ if (genpd) { ++ pd = to_rockchip_pd(genpd); ++ clk_bulk_disable(pd->num_clks, pd->clks); ++ } ++ } ++ mutex_unlock(&pmu->mutex); ++ mutex_unlock(&dmc_pmu_mutex); ++ ++ return ret; ++} ++EXPORT_SYMBOL_GPL(rockchip_pmu_block); ++ ++/* Unblock PMU transitions. 
*/ ++void rockchip_pmu_unblock(void) ++{ ++ struct rockchip_pmu *pmu; ++ struct generic_pm_domain *genpd; ++ struct rockchip_pm_domain *pd; ++ int i; ++ ++ if (dmc_pmu) { ++ pmu = dmc_pmu; ++ for (i = 0; i < pmu->genpd_data.num_domains; i++) { ++ genpd = pmu->genpd_data.domains[i]; ++ if (genpd) { ++ pd = to_rockchip_pd(genpd); ++ clk_bulk_disable(pd->num_clks, pd->clks); ++ } ++ } ++ ++ mutex_unlock(&pmu->mutex); ++ } ++ ++ mutex_unlock(&dmc_pmu_mutex); ++} ++EXPORT_SYMBOL_GPL(rockchip_pmu_unblock); ++ + static bool rockchip_pmu_domain_is_idle(struct rockchip_pm_domain *pd) + { + struct rockchip_pmu *pmu = pd->pmu; +@@ -679,6 +784,12 @@ static int rockchip_pm_domain_probe(stru + + error = -ENODEV; + ++ /* ++ * Prevent any rockchip_pmu_block() from racing with the remainder of ++ * setup (clocks, register initialization). ++ */ ++ mutex_lock(&dmc_pmu_mutex); ++ + for_each_available_child_of_node(np, node) { + error = rockchip_pm_add_one_domain(pmu, node); + if (error) { +@@ -708,10 +819,17 @@ static int rockchip_pm_domain_probe(stru + goto err_out; + } + ++ /* We only expect one PMU. */ ++ if (!WARN_ON_ONCE(dmc_pmu)) ++ dmc_pmu = pmu; ++ ++ mutex_unlock(&dmc_pmu_mutex); ++ + return 0; + + err_out: + rockchip_pm_domain_cleanup(pmu); ++ mutex_unlock(&dmc_pmu_mutex); + return error; + } + +--- /dev/null ++++ b/include/soc/rockchip/pm_domains.h +@@ -0,0 +1,25 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * Copyright 2022, The Chromium OS Authors. All rights reserved. ++ */ ++ ++#ifndef __SOC_ROCKCHIP_PM_DOMAINS_H__ ++#define __SOC_ROCKCHIP_PM_DOMAINS_H__ ++ ++#ifdef CONFIG_ROCKCHIP_PM_DOMAINS ++ ++int rockchip_pmu_block(void); ++void rockchip_pmu_unblock(void); ++ ++#else /* CONFIG_ROCKCHIP_PM_DOMAINS */ ++ ++static inline int rockchip_pmu_block(void) ++{ ++ return 0; ++} ++ ++static inline void rockchip_pmu_unblock(void) { } ++ ++#endif /* CONFIG_ROCKCHIP_PM_DOMAINS */ ++ ++#endif /* __SOC_ROCKCHIP_PM_DOMAINS_H__ */ 
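Review bot: The comment on `rockchip_pmu_block()` says the caller must call `rockchip_pmu_unblock()`, but not that this applies only when block returned 0. On the `err:` path both `pmu->mutex` and `dmc_pmu_mutex` are already released and the clocks rolled back, so an unconditional unblock would unlock mutexes that are not held and disable clocks a second time. I would add to the comment: `Returns 0 with dmc_pmu_mutex (and pmu->mutex, if a PMU is registered) held; on error no lock is held and rockchip_pmu_unblock() must not be called.` The early `return 0` for `!dmc_pmu` keeps `dmc_pmu_mutex` locked on purpose, which deserves the same mention because it reads like a leaked lock at first sight.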
diff --git a/queue-5.10/wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch b/queue-5.10/wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch
new file mode 100644
index 0000000000..fd7685ed5b
--- /dev/null
+++ b/queue-5.10/wifi-mac80211-discard-beacon-frames-to-non-broadcast-address.patch
@@ -0,0 +1,62 @@
+From stable+bounces-206131-greg=kroah.com@vger.kernel.org Wed Jan 7 12:54:09 2026
+From: Sasha Levin
+Date: Wed, 7 Jan 2026 06:53:59 -0500
+Subject: wifi: mac80211: Discard Beacon frames to non-broadcast address
+To: stable@vger.kernel.org
+Cc: Jouni Malinen , Johannes Berg , Sasha Levin
+Message-ID: <20260107115359.3985007-1-sashal@kernel.org>
+
+From: Jouni Malinen
+
+[ Upstream commit 193d18f60588e95d62e0f82b6a53893e5f2f19f8 ]
+
+Beacon frames are required to be sent to the broadcast address, see IEEE
+Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame
+shall be set to the broadcast address"). A unicast Beacon frame might be
+used as a targeted attack to get one of the associated STAs to do
+something (e.g., using CSA to move it to another channel). As such, it
+is better have strict filtering for this on the received side and
+discard all Beacon frames that are sent to an unexpected address.
+
+This is even more important for cases where beacon protection is used.
+The current implementation in mac80211 is correctly discarding unicast
+Beacon frames if the Protected Frame bit in the Frame Control field is
+set to 0. However, if that bit is set to 1, the logic used for checking
+for configured BIGTK(s) does not actually work. If the driver does not
+have logic for dropping unicast Beacon frames with Protected Frame bit
+1, these frames would be accepted in mac80211 processing as valid Beacon
+frames even though they are not protected. This would allow beacon
+protection to be bypassed. While the logic for checking beacon
+protection could be extended to cover this corner case, a more generic
+check for discard all Beacon frames based on A1=unicast address covers
+this without needing additional changes.
+
+Address all these issues by dropping received Beacon frames if they are
+sent to a non-broadcast address.
+
+Cc: stable@vger.kernel.org
+Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)")
+Signed-off-by: Jouni Malinen
+Link: https://patch.msgid.link/20251215151134.104501-1-jouni.malinen@oss.qualcomm.com
+Signed-off-by: Johannes Berg
+[ adapted RX_DROP return value to RX_DROP_MONITOR ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/rx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3189,6 +3189,11 @@ ieee80211_rx_h_mgmt_check(struct ieee802
+ if (!ieee80211_is_mgmt(mgmt->frame_control))
+ return RX_DROP_MONITOR;
+
++ /* Drop non-broadcast Beacon frames */
++ if (ieee80211_is_beacon(mgmt->frame_control) &&
++ !is_broadcast_ether_addr(mgmt->da))
++ return RX_DROP_MONITOR;
++
+ if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
+ ieee80211_is_beacon(mgmt->frame_control) &&
+ !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
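Review bot: The comment on the added check in `ieee80211_rx_h_mgmt_check()` says what is dropped but not why, and the reason is the security property this patch restores. Per the commit message, a Beacon sent to a unicast address with the Protected Frame bit set could otherwise be accepted as valid even though it is not protected, so beacon protection could be bypassed. Suggested comment: `/* Beacon frames must use the broadcast address (IEEE Std 802.11-2020, 11.1.3.1); drop others so unicast Beacons cannot bypass beacon protection */`. The function starts and ends outside the hunk, so whether the frame length is validated before `mgmt->da` is read cannot be confirmed from here.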