From: Sasha Levin Date: Sat, 18 Apr 2026 12:39:22 +0000 (-0400) Subject: Fixes for all trees X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79b0358e064ed5a1ccdef5fb786bf12b810c4c81;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch b/queue-5.10/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch new file mode 100644 index 0000000000..1c5daaf4d5 --- /dev/null +++ b/queue-5.10/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch @@ -0,0 +1,75 @@ +From 67ec5f8336fcc7baa1d19422c3a44496af602122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 16:00:14 +0800 +Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock + +From: Jiexun Wang + +[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ] + +Exact UNIX diag lookups hold a reference to the socket, but not to +u->path. Meanwhile, unix_release_sock() clears u->path under +unix_state_lock() and drops the path reference after unlocking. + +Read the inode and device numbers for UNIX_DIAG_VFS while holding +unix_state_lock(), then emit the netlink attribute after dropping the +lock. + +This keeps the VFS data stable while the reply is being built. + +Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 486276a1782ed..699fba7b7591d 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -25,18 +25,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + + static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) + { +- struct dentry *dentry = unix_sk(sk)->path.dentry; ++ struct unix_diag_vfs uv; ++ struct dentry *dentry; ++ bool have_vfs = false; + ++ unix_state_lock(sk); ++ dentry = unix_sk(sk)->path.dentry; + if (dentry) { +- struct unix_diag_vfs uv = { +- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, +- .udiag_vfs_dev = dentry->d_sb->s_dev, +- }; +- +- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); ++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino; ++ uv.udiag_vfs_dev = dentry->d_sb->s_dev; ++ have_vfs = true; + } ++ unix_state_unlock(sk); + +- return 0; ++ if (!have_vfs) ++ return 0; ++ ++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); + } + + static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb) +-- +2.53.0 + diff --git a/queue-5.10/alsa-asihpi-avoid-write-overflow-check-warning.patch b/queue-5.10/alsa-asihpi-avoid-write-overflow-check-warning.patch new file mode 100644 index 0000000000..631103885f --- /dev/null +++ b/queue-5.10/alsa-asihpi-avoid-write-overflow-check-warning.patch @@ -0,0 +1,55 @@ +From 1435ca34ba65840dfec09bb78183c73a237479fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 13:40:07 +0100 +Subject: ALSA: asihpi: avoid write overflow check warning + +From: Arnd Bergmann + +[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ] + +clang-22 rightfully warns that the memcpy() in adapter_prepare() copies +between different structures, crossing the boundary of nested +structures inside it: + +In file included from sound/pci/asihpi/hpimsgx.c:13: +In file included from include/linux/string.h:386: +include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + 569 | __write_overflow_field(p_size_field, size); + +The two structures seem to refer to the same layout, despite the +separate definitions, so the code is in fact correct. + +Avoid the warning by copying the two inner structures separately. +I see the same pattern happens in other functions in the same file, +so there is a chance that this may come back in the future, but +this instance is the only one that I saw in practice, hitting it +multiple times per day in randconfig build. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpimsgx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c +index 761fc62f68f16..85a354cf082ff 100644 +--- a/sound/pci/asihpi/hpimsgx.c ++++ b/sound/pci/asihpi/hpimsgx.c +@@ -586,8 +586,10 @@ static u16 adapter_prepare(u16 adapter) + HPI_ADAPTER_OPEN); + hm.adapter_index = adapter; + hw_entry_point(&hm, &hr); +- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr, +- sizeof(rESP_HPI_ADAPTER_OPEN[0])); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h)); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a)); + if (hr.error) + return hr.error; + +-- +2.53.0 + diff --git a/queue-5.10/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-5.10/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..64b4a9bf47 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch @@ -0,0 +1,45 @@ +From 3debc275bba22b668d99e624107ebd827ccec156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Mar 2026 10:36:03 -0500 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: César Montoya + +[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ] + +The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek +ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The +existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly, +but the subsystem ID was missing from the quirk table. + +GPIO pin confirmed via manual hda-verb testing: + hda-verb SET_GPIO_MASK 0x10 + hda-verb SET_GPIO_DIRECTION 0x10 + hda-verb SET_GPIO_DATA 0x10 + +Signed-off-by: César Montoya +Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 7ea036f820f54..d673e8934b775 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9291,6 +9291,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-5.10/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch b/queue-5.10/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch new file mode 100644 index 0000000000..a974bfdce9 --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch @@ -0,0 +1,39 @@ +From 7c42efeee061c4952707a5c0763384c6c04b202f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 00:28:28 +0100 +Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency + +From: Sebastian Krzyszkowiak + +[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ] + +According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum +frequency is 400MHz. + +Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node") +Reviewed-by: Frank Li +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Peng Fan +Reviewed-by: Fabio Estevam +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index 8d0d41973ff54..995cbe6cf0a26 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -1137,7 +1137,7 @@ gpu: gpu@38000000 { + <&clk IMX8MQ_GPU_PLL_OUT>, + <&clk IMX8MQ_GPU_PLL>; + assigned-clock-rates = <800000000>, <800000000>, +- <800000000>, <800000000>, <0>; ++ <800000000>, <400000000>, <0>; + power-domains = <&pgc_gpu>; + }; + +-- +2.53.0 + diff --git a/queue-5.10/asoc-soc-core-call-missing-init_list_head-for-card_a.patch b/queue-5.10/asoc-soc-core-call-missing-init_list_head-for-card_a.patch new file mode 100644 index 0000000000..7ea720945f --- /dev/null +++ b/queue-5.10/asoc-soc-core-call-missing-init_list_head-for-card_a.patch @@ -0,0 +1,66 @@ +From daf16002d334c9e44ec40bf0059b3bbca2748fa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 02:43:54 +0000 +Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list + +From: Kuninori Morimoto + +[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ] + +Component has "card_aux_list" which is added/deled in bind/unbind aux dev +function (A), and used in for_each_card_auxs() loop (B). + + static void soc_unbind_aux_dev(...) + { + ... + for_each_card_auxs_safe(...) { + ... +(A) list_del(&component->card_aux_list); + } ^^^^^^^^^^^^^ + } + + static int soc_bind_aux_dev(...) + { + ... + for_each_card_pre_auxs(...) { + ... +(A) list_add(&component->card_aux_list, ...); + } ^^^^^^^^^^^^^ + ... + } + + #define for_each_card_auxs(card, component) \ +(B) list_for_each_entry(component, ..., card_aux_list) + ^^^^^^^^^^^^^ + +But it has been used without calling INIT_LIST_HEAD(). + + > git grep card_aux_list sound/soc + sound/soc/soc-core.c: list_del(&component->card_aux_list); + sound/soc/soc-core.c: list_add(&component->card_aux_list, ...); + +call missing INIT_LIST_HEAD() for it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index e7310642be6a5..de81858dee34a 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2628,6 +2628,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, + INIT_LIST_HEAD(&component->dobj_list); + INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); ++ INIT_LIST_HEAD(&component->card_aux_list); + mutex_init(&component->io_mutex); + + component->name = fmt_single_name(dev, &component->id); +-- +2.53.0 + diff --git a/queue-5.10/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch b/queue-5.10/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch new file mode 100644 index 0000000000..479983b21e --- /dev/null +++ b/queue-5.10/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch @@ -0,0 +1,46 @@ +From f990e2f722bf2bd15d323544c6c87b57ebec20f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:45:26 -0300 +Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ] + +sof_parse_token_sets() accepts array->size values that can be invalid +for a vendor tuple array header. In particular, a zero size does not +advance the parser state and can lead to non-progress parsing on +malformed topology data. + +Validate array->size against the minimum header size and reject values +smaller than sizeof(*array) before parsing. This preserves behavior for +valid topologies and hardens malformed-input handling. + +Signed-off-by: Cássio Gabriel +Acked-by: Peter Ujfalusi +Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index e3aa9fa0f112f..b1682879253f6 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -941,7 +941,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp, + asize = le32_to_cpu(array->size); + + /* validate asize */ +- if (asize < 0) { /* FIXME: A zero-size array makes no sense */ ++ if (asize < sizeof(*array)) { + dev_err(scomp->dev, "error: invalid array size 0x%x\n", + asize); + return -EINVAL; +-- +2.53.0 + diff --git a/queue-5.10/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch b/queue-5.10/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch new file mode 100644 index 0000000000..ac64b8c3ab --- /dev/null +++ b/queue-5.10/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch @@ -0,0 +1,64 @@ +From b7648468915f2c0e426c401c81d980fb877cb963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:40:56 +0200 +Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J + +From: Tomasz Merta + +[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ] + +The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A, +DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK +edge when SND_SOC_DAIFMT_NB_NF is used. + +Per ALSA convention, NB_NF requires sampling on the rising BCLK edge. +The STM32MP25 SAI reference manual states that CKSTR=1 is required for +signals received by the SAI to be sampled on the SCK rising edge. +Without setting CKSTR=1, the SAI samples on the falling edge, violating +the NB_NF convention. For comparison, the NXP FSL SAI driver correctly +sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its +I2S handling. + +This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in +stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec. +RIGHT_J (LSB) is not investigated and addressed by this patch. + +Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue +for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified +and is left for a separate investigation. + +Signed-off-by: Tomasz Merta +Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_sai_sub.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c +index 1810c43d0833f..962e5606c2c9a 100644 +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -671,6 +671,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + break; + /* Left justified */ + case SND_SOC_DAIFMT_MSB: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + /* Right justified */ +@@ -678,9 +679,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + case SND_SOC_DAIFMT_DSP_A: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF; + break; + case SND_SOC_DAIFMT_DSP_B: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL; + break; + default: +-- +2.53.0 + diff --git a/queue-5.10/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch b/queue-5.10/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch new file mode 100644 index 0000000000..5743afb01c --- /dev/null +++ b/queue-5.10/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch @@ -0,0 +1,83 @@ +From b00650d031f1b814c4ce18cd1028190cd5cae554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 15:23:35 -0700 +Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 + +From: Arthur Husband + +[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ] + +The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA +support via the S64A bit in the AHCI CAP register, but their 64-bit DMA +implementation is defective. Under sustained I/O, DMA transfers targeting +addresses above 4GB silently corrupt data -- writes land at incorrect +memory addresses with no errors logged. + +The failure pattern is similar to the ASMedia ASM1061 +(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia +ASM1061 controllers")), which also falsely advertised full 64-bit DMA +support. However, the JMB585 requires a stricter 32-bit DMA mask rather +than 43-bit, as corruption occurs with any address above 4GB. + +On the Minisforum N5 Pro specifically, the combination of the JMB585's +broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes +silent data corruption that is only detectable via checksumming +filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA +space is exhausted and the kernel transparently switches to 64-bit DMA +addresses. + +Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585 +(0x0585) before the generic JMicron class match, using a new board type +that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior) +with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks. + +Signed-off-by: Arthur Husband +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 2bb9555663e75..b3661495906f2 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -61,6 +61,7 @@ enum board_ids { + /* board IDs for specific chipsets in alphabetical order */ + board_ahci_al, + board_ahci_avn, ++ board_ahci_jmb585, + board_ahci_mcp65, + board_ahci_mcp77, + board_ahci_mcp89, +@@ -200,6 +201,15 @@ static const struct ata_port_info ahci_port_info[] = { + .udma_mask = ATA_UDMA6, + .port_ops = &ahci_avn_ops, + }, ++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */ ++ [board_ahci_jmb585] = { ++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR | ++ AHCI_HFLAG_32BIT_ONLY), ++ .flags = AHCI_FLAG_COMMON, ++ .pio_mask = ATA_PIO4, ++ .udma_mask = ATA_UDMA6, ++ .port_ops = &ahci_ops, ++ }, + [board_ahci_mcp65] = { + AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP | + AHCI_HFLAG_YES_NCQ), +@@ -436,6 +446,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */ + { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */ + ++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */ ++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 }, ++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 }, ++ + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr }, +-- +2.53.0 + diff --git a/queue-5.10/btrfs-tracepoints-get-correct-superblock-from-dentry.patch b/queue-5.10/btrfs-tracepoints-get-correct-superblock-from-dentry.patch new file mode 100644 index 0000000000..940de20a5a --- /dev/null +++ b/queue-5.10/btrfs-tracepoints-get-correct-superblock-from-dentry.patch @@ -0,0 +1,50 @@ +From 945505901eff36c4c5c50ff3f7be6ea457d16105 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 14:11:39 -0400 +Subject: btrfs: tracepoints: get correct superblock from dentry in event + btrfs_sync_file() + +From: Goldwyn Rodrigues + +[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] + +If overlay is used on top of btrfs, dentry->d_sb translates to overlay's +super block and fsid assignment will lead to a crash. + +Use file_inode(file)->i_sb to always get btrfs_sb. + +Reviewed-by: Boris Burkov +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + include/trace/events/btrfs.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index d8aa1d3570243..7e6fcbc6c6c55 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -697,12 +697,15 @@ TRACE_EVENT(btrfs_sync_file, + ), + + TP_fast_assign( +- const struct dentry *dentry = file->f_path.dentry; +- const struct inode *inode = d_inode(dentry); ++ struct dentry *dentry = file_dentry(file); ++ struct inode *inode = file_inode(file); ++ struct dentry *parent = dget_parent(dentry); ++ struct inode *parent_inode = d_inode(parent); + +- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb)); ++ dput(parent); ++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb)); + __entry->ino = btrfs_ino(BTRFS_I(inode)); +- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent))); ++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode)); + __entry->datasync = datasync; + __entry->root_objectid = + BTRFS_I(inode)->root->root_key.objectid; +-- +2.53.0 + diff --git a/queue-5.10/can-mcp251x-add-error-handling-for-power-enable-in-o.patch b/queue-5.10/can-mcp251x-add-error-handling-for-power-enable-in-o.patch new file mode 100644 index 0000000000..d444653633 --- /dev/null +++ b/queue-5.10/can-mcp251x-add-error-handling-for-power-enable-in-o.patch @@ -0,0 +1,90 @@ +From 6b68638680c16b62472e725c6dd73e68f103d910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 00:00:22 +0800 +Subject: can: mcp251x: add error handling for power enable in open and resume + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ] + +Add missing error handling for mcp251x_power_enable() calls in both +mcp251x_open() and mcp251x_can_resume() functions. + +In mcp251x_open(), if power enable fails, jump to error path to close +candev without attempting to disable power again. + +In mcp251x_can_resume(), properly check return values of power enable calls +for both power and transceiver regulators. If any fails, return the error +code to the PM framework and log the failure. + +This ensures the driver properly handles power control failures and +maintains correct device state. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com +[mkl: fix patch description] +[mkl: mcp251x_can_resume(): replace goto by return] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index b06b15debafac..e4d5f60f13f47 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1218,7 +1218,11 @@ static int mcp251x_open(struct net_device *net) + } + + mutex_lock(&priv->mcp_lock); +- mcp251x_power_enable(priv->transceiver, 1); ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret)); ++ goto out_close_candev; ++ } + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -1267,6 +1271,7 @@ static int mcp251x_open(struct net_device *net) + mcp251x_hw_sleep(spi); + out_close: + mcp251x_power_enable(priv->transceiver, 0); ++out_close_candev: + close_candev(net); + mutex_unlock(&priv->mcp_lock); + if (release_irq) +@@ -1505,11 +1510,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev) + { + struct spi_device *spi = to_spi_device(dev); + struct mcp251x_priv *priv = spi_get_drvdata(spi); ++ int ret = 0; + +- if (priv->after_suspend & AFTER_SUSPEND_POWER) +- mcp251x_power_enable(priv->power, 1); +- if (priv->after_suspend & AFTER_SUSPEND_UP) +- mcp251x_power_enable(priv->transceiver, 1); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) { ++ ret = mcp251x_power_enable(priv->power, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret)); ++ return ret; ++ } ++ } ++ ++ if (priv->after_suspend & AFTER_SUSPEND_UP) { ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret)); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) ++ mcp251x_power_enable(priv->power, 0); ++ return ret; ++ } ++ } + + if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP)) + queue_work(priv->wq, &priv->restart_work); +-- +2.53.0 + diff --git a/queue-5.10/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-5.10/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch new file mode 100644 index 0000000000..9ba54d4e74 --- /dev/null +++ b/queue-5.10/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch @@ -0,0 +1,38 @@ +From 885290a37a84fd51c1466b08b32f9524a46e8087 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 13:32:21 +0800 +Subject: crypto: algif_aead - Fix minimum RX size check for decryption + +From: Herbert Xu + +[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] + +The check for the minimum receive buffer size did not take the +tag size into account during decryption. Fix this by adding the +required extra length. + +Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com +Reported-by: Daniel Pouzzner +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_aead.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c +index 42493b4d8ce46..cb3959e2c435e 100644 +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + if (usedpages < outlen) { + size_t less = outlen - usedpages; + +- if (used < less) { ++ if (used < less + (ctx->enc ? 0 : as)) { + err = -EINVAL; + goto free; + } +-- +2.53.0 + diff --git a/queue-5.10/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch b/queue-5.10/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch new file mode 100644 index 0000000000..b57be67690 --- /dev/null +++ b/queue-5.10/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch @@ -0,0 +1,74 @@ +From 48fcf5b58a76a6b3d0cd10b61832964f4d4655ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:45 -0300 +Subject: drm/vc4: Fix a memory leak in hang state error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ] + +When vc4_save_hang_state() encounters an early return condition, it +returns without freeing the previously allocated `kernel_state`, +leaking memory. + +Add the missing kfree() calls by consolidating the early return paths +into a single place. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 788f64154119b..e4f20b93c33e7 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -166,10 +166,8 @@ vc4_save_hang_state(struct drm_device *dev) + spin_lock_irqsave(&vc4->job_lock, irqflags); + exec[0] = vc4_first_bin_job(vc4); + exec[1] = vc4_first_render_job(vc4); +- if (!exec[0] && !exec[1]) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!exec[0] && !exec[1]) ++ goto err_free_state; + + /* Get the bos from both binner and renderer into hang state. */ + state->bo_count = 0; +@@ -186,10 +184,8 @@ vc4_save_hang_state(struct drm_device *dev) + kernel_state->bo = kcalloc(state->bo_count, + sizeof(*kernel_state->bo), GFP_ATOMIC); + +- if (!kernel_state->bo) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!kernel_state->bo) ++ goto err_free_state; + + k = 0; + for (i = 0; i < 2; i++) { +@@ -281,6 +277,12 @@ vc4_save_hang_state(struct drm_device *dev) + vc4->hang_state = kernel_state; + spin_unlock_irqrestore(&vc4->job_lock, irqflags); + } ++ ++ return; ++ ++err_free_state: ++ spin_unlock_irqrestore(&vc4->job_lock, irqflags); ++ kfree(kernel_state); + } + + static void +-- +2.53.0 + diff --git a/queue-5.10/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch b/queue-5.10/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch new file mode 100644 index 0000000000..67aa835948 --- /dev/null +++ b/queue-5.10/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch @@ -0,0 +1,40 @@ +From 799e41324ae0f0220c4fba8c148fd6eab40af0f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:44 -0300 +Subject: drm/vc4: Fix memory leak of BO array in hang state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ] + +The hang state's BO array is allocated separately with kzalloc() in +vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the +missing kfree() for the BO array before freeing the hang state struct. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index b641252939d87..788f64154119b 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state) + for (i = 0; i < state->user_state.bo_count; i++) + drm_gem_object_put(state->bo[i]); + ++ kfree(state->bo); + kfree(state); + } + +-- +2.53.0 + diff --git a/queue-5.10/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch b/queue-5.10/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch new file mode 100644 index 0000000000..8fc0ef2d5e --- /dev/null +++ b/queue-5.10/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch @@ -0,0 +1,48 @@ +From 502fd10cadd3549fa261c67533e154d7ff1b0296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:46 -0300 +Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ] + +The mmap callback reads bo->madv without holding madv_lock, racing with +concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under +the same lock. Add the missing locking to prevent the data race. + +Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_bo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c +index 9006b9861c90c..437084f7973c6 100644 +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -719,12 +719,15 @@ int vc4_mmap(struct file *filp, struct vm_area_struct *vma) + return -EINVAL; + } + ++ mutex_lock(&bo->madv_lock); + if (bo->madv != VC4_MADV_WILLNEED) { + DRM_DEBUG("mmaping of %s BO not allowed\n", + bo->madv == VC4_MADV_DONTNEED ? + "purgeable" : "purged"); ++ mutex_unlock(&bo->madv_lock); + return -EINVAL; + } ++ mutex_unlock(&bo->madv_lock); + + /* + * Clear the VM_PFNMAP flag that was set by drm_gem_mmap(), and set the +-- +2.53.0 + diff --git a/queue-5.10/e1000-check-return-value-of-e1000_read_eeprom.patch b/queue-5.10/e1000-check-return-value-of-e1000_read_eeprom.patch new file mode 100644 index 0000000000..c9aa3fcace --- /dev/null +++ b/queue-5.10/e1000-check-return-value-of-e1000_read_eeprom.patch @@ -0,0 +1,70 @@ +From 33cce7d686405918857da70ccb3fbe6fba9c1fab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 15:05:05 +0300 +Subject: e1000: check return value of e1000_read_eeprom + +From: Agalakov Daniil + +[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ] + +[Why] +e1000_set_eeprom() performs a read-modify-write operation when the write +range is not word-aligned. This requires reading the first and last words +of the range from the EEPROM to preserve the unmodified bytes. + +However, the code does not check the return value of e1000_read_eeprom(). +If the read fails, the operation continues using uninitialized data from +eeprom_buff. This results in corrupted data being written back to the +EEPROM for the boundary words. + +Add the missing error checks and abort the operation if reading fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Iskhakov Daniil +Signed-off-by: Iskhakov Daniil +Signed-off-by: Agalakov Daniil +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index f976e9daa3d88..3a06834e57221 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev, + */ + ret_val = e1000_read_eeprom(hw, first_word, 1, + &eeprom_buff[0]); ++ if (ret_val) ++ goto out; ++ + ptr++; + } +- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) { ++ if ((eeprom->offset + eeprom->len) & 1) { + /* need read/modify/write of last changed EEPROM word + * only the first byte of the word is being modified + */ + ret_val = e1000_read_eeprom(hw, last_word, 1, + &eeprom_buff[last_word - first_word]); ++ if (ret_val) ++ goto out; + } + + /* Device's eeprom is always little-endian, word addressable */ +@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev, + if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG)) + e1000_update_eeprom_checksum(hw); + ++out: + kfree(eeprom_buff); + return ret_val; + } +-- +2.53.0 + diff --git a/queue-5.10/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch b/queue-5.10/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch new file mode 100644 index 0000000000..4580746b78 --- /dev/null +++ b/queue-5.10/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch @@ -0,0 +1,52 @@ +From f1139567a514365dced79b1595665c4fd41d3812 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 13:36:59 -0500 +Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 + +From: leo vriska + +[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ] + +According to a mailing list report [1], this controller's predecessor +has the same issue. However, it uses the xpad driver instead of HID, so +this quirk wouldn't apply. + +[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/ + +Signed-off-by: leo vriska +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 4b07b8be5c43e..549675b200b9b 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -22,6 +22,9 @@ + #define USB_DEVICE_ID_3M2256 0x0502 + #define USB_DEVICE_ID_3M3266 0x0506 + ++#define USB_VENDOR_ID_8BITDO 0x2dc8 ++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009 ++ + #define USB_VENDOR_ID_A4TECH 0x09da + #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006 + #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 85d81b07b6d47..84a9c9e761bcd 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -25,6 +25,7 @@ + */ + + static const struct hid_device_id hid_quirks[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, +-- +2.53.0 + diff --git a/queue-5.10/hid-roccat-fix-use-after-free-in-roccat_report_event.patch b/queue-5.10/hid-roccat-fix-use-after-free-in-roccat_report_event.patch new file mode 100644 index 0000000000..e2d8cf094f --- /dev/null +++ b/queue-5.10/hid-roccat-fix-use-after-free-in-roccat_report_event.patch @@ -0,0 +1,50 @@ +From c234cbd17331f74a0ffb15213f54e2fd6cf5b5d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:11:07 +0000 +Subject: HID: roccat: fix use-after-free in roccat_report_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ] + +roccat_report_event() iterates over the device->readers list without +holding the readers_lock. This allows a concurrent roccat_release() to +remove and free a reader while it's still being accessed, leading to a +use-after-free. + +Protect the readers list traversal with the readers_lock mutex. + +Signed-off-by: Benoît Sevens +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index 6da80e442fdd1..420e4335c3e83 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->readers_lock); + mutex_lock(&device->cbuf_lock); + + report = &device->cbuf[device->cbuf_end]; +@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data) + } + + mutex_unlock(&device->cbuf_lock); ++ mutex_unlock(&device->readers_lock); + + wake_up_interruptible(&device->wait); + return 0; +-- +2.53.0 + diff --git a/queue-5.10/l2tp-drop-large-packets-with-udp-encap.patch b/queue-5.10/l2tp-drop-large-packets-with-udp-encap.patch new file mode 100644 index 0000000000..e099d7eb68 --- /dev/null +++ b/queue-5.10/l2tp-drop-large-packets-with-udp-encap.patch @@ -0,0 +1,106 @@ +From b8570614ed8baeb0e550bfb78bc68086181c652e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 20:49:49 +0300 +Subject: l2tp: Drop large packets with UDP encap + +From: Alice Mikityanska + +[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ] + +syzbot reported a WARN on my patch series [1]. The actual issue is an +overflow of 16-bit UDP length field, and it exists in the upstream code. +My series added a debug WARN with an overflow check that exposed the +issue, that's why syzbot tripped on my patches, rather than on upstream +code. + +syzbot's repro: + +r0 = socket$pppl2tp(0x18, 0x1, 0x1) +r1 = socket$inet6_udp(0xa, 0x2, 0x0) +connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) +connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) +writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) + +It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP +encapsulation, and l2tp_xmit_core doesn't check for overflows when it +assigns the UDP length field. The value gets trimmed to 16 bites. + +Add an overflow check that drops oversized packets and avoids sending +packets with trimmed UDP length to the wire. + +syzbot's stack trace (with my patch applied): + +len >= 65536u +WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 +Modules linked in: +CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] +RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] +RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 +Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f +RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 +RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 +RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff +RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 +R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 +R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 +FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 +Call Trace: + + pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + sock_write_iter+0x503/0x550 net/socket.c:1195 + do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 + vfs_writev+0x33c/0x990 fs/read_write.c:1059 + do_writev+0x154/0x2e0 fs/read_write.c:1105 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f636479c629 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 +RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 +RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 + + +[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/ +Signed-off-by: Alice Mikityanska +Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 83615f5968dd5..b03de90e3d418 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + uh->source = inet->inet_sport; + uh->dest = inet->inet_dport; + udp_len = uhlen + session->hdr_len + data_len; ++ if (udp_len > U16_MAX) { ++ kfree_skb(skb); ++ ret = NET_XMIT_DROP; ++ goto out_unlock; ++ } + uh->len = htons(udp_len); + + /* Calculate UDP checksum if configured to do so */ +-- +2.53.0 + diff --git a/queue-5.10/mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch b/queue-5.10/mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch new file mode 100644 index 0000000000..f3f8a0aed2 --- /dev/null +++ b/queue-5.10/mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch @@ -0,0 +1,46 @@ +From 353d17604763b2d17d7c5763272247cae0349827 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 18:57:23 +0000 +Subject: MIPS: mm: Suppress TLB uniquification on EHINV hardware + +From: Maciej W. Rozycki + +[ Upstream commit 74283cfe216392c7b776ebf6045b5b15ed9dffcd ] + +Hardware that supports the EHINV feature, mandatory for R6 ISA and FTLB +implementation, lets software mark TLB entries invalid, which eliminates +the need to ensure no duplicate matching entries are ever created. This +feature is already used by local_flush_tlb_all(), via the UNIQUE_ENTRYHI +macro, making the preceding call to r4k_tlb_uniquify() superfluous. + +The next change will also modify uniquification code such that it'll +become incompatible with the FTLB and MMID features, as well as MIPSr6 +CPUs that do not implement 4KiB pages. + +Therefore prevent r4k_tlb_uniquify() from being used on EHINV hardware, +as denoted by `cpu_has_tlbinv'. + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/tlb-r4k.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/mm/tlb-r4k.c b/arch/mips/mm/tlb-r4k.c +index d9a5ede8869bd..8a49adfef8b86 100644 +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -616,7 +616,8 @@ static void r4k_tlb_configure(void) + temp_tlb_entry = current_cpu_data.tlbsize - 1; + + /* From this point on the ARC firmware is dead. */ +- r4k_tlb_uniquify(); ++ if (!cpu_has_tlbinv) ++ r4k_tlb_uniquify(); + local_flush_tlb_all(); + + /* Did I tell you that ARC SUCKS? */ +-- +2.53.0 + diff --git a/queue-5.10/net-lapbether-close-the-lapb-device-before-its-under.patch b/queue-5.10/net-lapbether-close-the-lapb-device-before-its-under.patch new file mode 100644 index 0000000000..82b10090d7 --- /dev/null +++ b/queue-5.10/net-lapbether-close-the-lapb-device-before-its-under.patch @@ -0,0 +1,44 @@ +From 6cd7cc6d02ed6dc39814ab39f5dbd4cd1a12e6d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Mar 2021 12:07:47 -0700 +Subject: net: lapbether: Close the LAPB device before its underlying Ethernet + device closes + +From: Xie He + +[ Upstream commit 536e1004d273cf55d0e6c6ab6bfe74dc60464cd2 ] + +When a virtual LAPB device's underlying Ethernet device closes, the LAPB +device is also closed. + +However, currently the LAPB device is closed after the Ethernet device +closes. It would be better to close it before the Ethernet device closes. +This would allow the LAPB device to transmit a last frame to notify the +other side that it is disconnecting. + +Signed-off-by: Xie He +Signed-off-by: David S. Miller +Stable-dep-of: b120e4432f9f ("net: lapbether: handle NETDEV_PRE_TYPE_CHANGE") +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index 24c53cc0c112f..1276071f93c04 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -415,8 +415,8 @@ static int lapbeth_device_event(struct notifier_block *this, + if (lapbeth_get_x25_dev(dev) == NULL) + lapbeth_new_device(dev); + break; +- case NETDEV_DOWN: +- /* ethernet device closed -> close LAPB interface */ ++ case NETDEV_GOING_DOWN: ++ /* ethernet device closes -> close LAPB interface */ + lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + dev_close(lapbeth->axdev); +-- +2.53.0 + diff --git a/queue-5.10/net-lapbether-handle-netdev_pre_type_change.patch b/queue-5.10/net-lapbether-handle-netdev_pre_type_change.patch new file mode 100644 index 0000000000..cad8a408a5 --- /dev/null +++ b/queue-5.10/net-lapbether-handle-netdev_pre_type_change.patch @@ -0,0 +1,77 @@ +From c30043982dc0c7f0bd663b07745d99e3ee584ae2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:35:19 +0000 +Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE + +From: Eric Dumazet + +[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ] + +lapbeth_data_transmit() expects the underlying device type +to be ARPHRD_ETHER. + +Returning NOTIFY_BAD from lapbeth_device_event() makes sure +bonding driver can not break this expectation. + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin Schiller +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index 4f89693313175..dd300179dcc56 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -400,33 +400,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth) + static int lapbeth_device_event(struct notifier_block *this, + unsigned long event, void *ptr) + { +- struct lapbethdev *lapbeth; + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct lapbethdev *lapbeth; + + if (dev_net(dev) != &init_net) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev)) ++ lapbeth = lapbeth_get_x25_dev(dev); ++ if (!dev_is_ethdev(dev) && !lapbeth) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: + /* New ethernet device -> new LAPB interface */ +- if (!lapbeth_get_x25_dev(dev)) ++ if (!lapbeth) + lapbeth_new_device(dev); + break; + case NETDEV_GOING_DOWN: + /* ethernet device closes -> close LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + dev_close(lapbeth->axdev); + break; + case NETDEV_UNREGISTER: + /* ethernet device disappears -> remove LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + lapbeth_free_device(lapbeth); + break; ++ case NETDEV_PRE_TYPE_CHANGE: ++ /* Our underlying device type must not change. */ ++ if (lapbeth) ++ return NOTIFY_BAD; + } + + return NOTIFY_DONE; +-- +2.53.0 + diff --git a/queue-5.10/net-lapbether-remove-trailing-whitespaces.patch b/queue-5.10/net-lapbether-remove-trailing-whitespaces.patch new file mode 100644 index 0000000000..1ae95ae9d8 --- /dev/null +++ b/queue-5.10/net-lapbether-remove-trailing-whitespaces.patch @@ -0,0 +1,54 @@ +From 62f0aa622b861dfc343f8df0a26198ae4371dce9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 17:39:50 +0800 +Subject: net: lapbether: remove trailing whitespaces + +From: Peng Li + +[ Upstream commit 2e350780ae4f2be8a2525929b6c69c2dd9591a20 ] + +This patch removes trailing whitespaces. + +Signed-off-by: Peng Li +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Stable-dep-of: b120e4432f9f ("net: lapbether: handle NETDEV_PRE_TYPE_CHANGE") +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index 1276071f93c04..f77cd8b69afe1 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -6,7 +6,7 @@ + * + * This is a "pseudo" network driver to allow LAPB over Ethernet. + * +- * This driver can use any ethernet destination address, and can be ++ * This driver can use any ethernet destination address, and can be + * limited to accept frames from one dedicated ethernet card only. + * + * History +@@ -67,7 +67,7 @@ static struct lapbethdev *lapbeth_get_x25_dev(struct net_device *dev) + struct lapbethdev *lapbeth; + + list_for_each_entry_rcu(lapbeth, &lapbeth_devices, node, lockdep_rtnl_is_held()) { +- if (lapbeth->ethdev == dev) ++ if (lapbeth->ethdev == dev) + return lapbeth; + } + return NULL; +@@ -418,7 +418,7 @@ static int lapbeth_device_event(struct notifier_block *this, + case NETDEV_GOING_DOWN: + /* ethernet device closes -> close LAPB interface */ + lapbeth = lapbeth_get_x25_dev(dev); +- if (lapbeth) ++ if (lapbeth) + dev_close(lapbeth->axdev); + break; + case NETDEV_UNREGISTER: +-- +2.53.0 + diff --git a/queue-5.10/net-lapbether-replace-comparison-to-null-with-lapbet.patch b/queue-5.10/net-lapbether-replace-comparison-to-null-with-lapbet.patch new file mode 100644 index 0000000000..b74a97badc --- /dev/null +++ b/queue-5.10/net-lapbether-replace-comparison-to-null-with-lapbet.patch @@ -0,0 +1,36 @@ +From bdfe8d403f877d38c263b5fddeb422de1ee33835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 17:39:53 +0800 +Subject: net: lapbether: replace comparison to NULL with "lapbeth_get_x25_dev" + +From: Peng Li + +[ Upstream commit d49859601d72baef143703c6944a4e41921f7e6e ] + +According to the chackpatch.pl, comparison to NULL could +be written "lapbeth_get_x25_dev". + +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Stable-dep-of: b120e4432f9f ("net: lapbether: handle NETDEV_PRE_TYPE_CHANGE") +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index f77cd8b69afe1..4f89693313175 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -412,7 +412,7 @@ static int lapbeth_device_event(struct notifier_block *this, + switch (event) { + case NETDEV_UP: + /* New ethernet device -> new LAPB interface */ +- if (lapbeth_get_x25_dev(dev) == NULL) ++ if (!lapbeth_get_x25_dev(dev)) + lapbeth_new_device(dev); + break; + case NETDEV_GOING_DOWN: +-- +2.53.0 + diff --git a/queue-5.10/net-sched-act_csum-validate-nested-vlan-headers.patch b/queue-5.10/net-sched-act_csum-validate-nested-vlan-headers.patch new file mode 100644 index 0000000000..9a7bafab98 --- /dev/null +++ b/queue-5.10/net-sched-act_csum-validate-nested-vlan-headers.patch @@ -0,0 +1,60 @@ +From 7d9cd02537c8c7f57334c57f55bb70e615f6d9b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 22:46:20 +0800 +Subject: net: sched: act_csum: validate nested VLAN headers + +From: Ruide Cao + +[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ] + +tcf_csum_act() walks nested VLAN headers directly from skb->data when an +skb still carries in-payload VLAN tags. The current code reads +vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without +first ensuring that the full VLAN header is present in the linear area. + +If only part of an inner VLAN header is linearized, accessing +h_vlan_encapsulated_proto reads past the linear area, and the following +skb_pull(VLAN_HLEN) may violate skb invariants. + +Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and +pulling each nested VLAN header. If the header still is not fully +available, drop the packet through the existing error path. + +Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_csum.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 4fa4fcb842ba7..107dc690de051 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -602,8 +602,12 @@ static int tcf_csum_act(struct sk_buff *skb, const struct tc_action *a, + protocol = skb->protocol; + orig_vlan_tag_present = true; + } else { +- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data; ++ struct vlan_hdr *vlan; + ++ if (!pskb_may_pull(skb, VLAN_HLEN)) ++ goto drop; ++ ++ vlan = (struct vlan_hdr *)skb->data; + protocol = vlan->h_vlan_encapsulated_proto; + skb_pull(skb, VLAN_HLEN); + skb_reset_network_header(skb); +-- +2.53.0 + diff --git a/queue-5.10/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch b/queue-5.10/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch new file mode 100644 index 0000000000..9709d553db --- /dev/null +++ b/queue-5.10/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch @@ -0,0 +1,51 @@ +From 5b241fdc4cc6aeef14aa448f525e37a8e43d081c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 17:39:47 +0800 +Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets + +From: Zhengchuan Liang + +[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ] + +`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address +and compares it with the low 64 bits of the IPv6 source address. + +The existing guard only rejects an invalid MAC header when +`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` +can still reach `eth_hdr(skb)` even when the MAC header is not valid. + +Fix this by removing the `par->fragoff != 0` condition so that packets +with an invalid MAC header are rejected before accessing `eth_hdr(skb)`. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6t_eui64.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c +index d704f7ed300c2..da69a27e8332c 100644 +--- a/net/ipv6/netfilter/ip6t_eui64.c ++++ b/net/ipv6/netfilter/ip6t_eui64.c +@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) + unsigned char eui64[8]; + + if (!(skb_mac_header(skb) >= skb->head && +- skb_mac_header(skb) + ETH_HLEN <= skb->data) && +- par->fragoff != 0) { ++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) { + par->hotdrop = true; + return false; + } +-- +2.53.0 + diff --git a/queue-5.10/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch b/queue-5.10/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch new file mode 100644 index 0000000000..7acd6210fb --- /dev/null +++ b/queue-5.10/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch @@ -0,0 +1,52 @@ +From 01f0bf1c00c989edeccf4af13684a2e361ae8563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 14:20:57 -0700 +Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE + terminator + +From: Xiang Mei + +[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ] + +When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() +appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via +nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() +helper only zeroes alignment padding after the payload, not the payload +itself, so four bytes of stale kernel heap data are leaked to userspace +in the NLMSG_DONE message body. + +Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes +the nfgenmsg payload via nfnl_fill_hdr(), consistent with how +__build_packet_message() already constructs NFULNL_MSG_PACKET headers. + +Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index d41560d4812d0..8c967bd772ec3 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -346,10 +346,10 @@ static void + __nfulnl_send(struct nfulnl_instance *inst) + { + if (inst->qlen > 1) { +- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, +- NLMSG_DONE, +- sizeof(struct nfgenmsg), +- 0); ++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0, ++ NLMSG_DONE, 0, ++ AF_UNSPEC, NFNETLINK_V0, ++ htons(inst->group_num)); + if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", + inst->skb->len, skb_tailroom(inst->skb))) { + kfree_skb(inst->skb); +-- +2.53.0 + diff --git a/queue-5.10/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch b/queue-5.10/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch new file mode 100644 index 0000000000..577925ebad --- /dev/null +++ b/queue-5.10/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch @@ -0,0 +1,161 @@ +From 1739b7a27f5c2e1455db94544666ea669623be3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:10:55 +0100 +Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on + expiry + +From: Florian Westphal + +[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ] + +New test case fails unexpectedly when avx2 matching functions are used. + +The test first loads a ranomly generated pipapo set +with 'ipv4 . port' key, i.e. nft -f foo. + +This works. Then, it reloads the set after a flush: +(echo flush set t s; cat foo) | nft -f - + +This is expected to work, because its the same set after all and it was +already loaded once. + +But with avx2, this fails: nft reports a clashing element. + +The reported clash is of following form: + + We successfully re-inserted + a . b + c . d + +Then we try to insert a . d + +avx2 finds the already existing a . d, which (due to 'flush set') is marked +as invalid in the new generation. It skips the element and moves to next. + +Due to incorrect masking, the skip-step finds the next matching +element *only considering the first field*, + +i.e. we return the already reinserted "a . b", even though the +last field is different and the entry should not have been matched. + +No such error is reported for the generic c implementation (no avx2) or when +the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. + +Bisection points to +7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") +but that fix merely uncovers this bug. + +Before this commit, the wrong element is returned, but erronously +reported as a full, identical duplicate. + +The root-cause is too early return in the avx2 match functions. +When we process the last field, we should continue to process data +until the entire input size has been consumed to make sure no stale +bits remain in the map. + +Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/ +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index 7da371587f9a8..3f01952a3e10b 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -318,7 +318,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -412,7 +412,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -502,7 +502,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -637,7 +637,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -694,7 +694,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -758,7 +758,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -832,7 +832,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -917,7 +917,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -1010,7 +1010,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +-- +2.53.0 + diff --git a/queue-5.10/netfilter-xt_multiport-validate-range-encoding-in-ch.patch b/queue-5.10/netfilter-xt_multiport-validate-range-encoding-in-ch.patch new file mode 100644 index 0000000000..29eea8dbfb --- /dev/null +++ b/queue-5.10/netfilter-xt_multiport-validate-range-encoding-in-ch.patch @@ -0,0 +1,99 @@ +From 1c19f0b48ac7c297c1afe70197c074d497819687 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 23:52:52 +0800 +Subject: netfilter: xt_multiport: validate range encoding in checkentry + +From: Ren Wei + +[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ] + +ports_match_v1() treats any non-zero pflags entry as the start of a +port range and unconditionally consumes the next ports[] element as +the range end. + +The checkentry path currently validates protocol, flags and count, but +it does not validate the range encoding itself. As a result, malformed +rules can mark the last slot as a range start or place two range starts +back to back, leaving ports_match_v1() to step past the last valid +ports[] element while interpreting the rule. + +Reject malformed multiport v1 rules in checkentry by validating that +each range start has a following element and that the following element +is not itself marked as another range start. + +Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuhang Zheng +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c +index 44a00f5acde8a..a1691ff405d3c 100644 +--- a/net/netfilter/xt_multiport.c ++++ b/net/netfilter/xt_multiport.c +@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) + return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); + } + ++static bool ++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < multiinfo->count; i++) { ++ if (!multiinfo->pflags[i]) ++ continue; ++ ++ if (++i >= multiinfo->count) ++ return false; ++ ++ if (multiinfo->pflags[i]) ++ return false; ++ ++ if (multiinfo->ports[i - 1] > multiinfo->ports[i]) ++ return false; ++ } ++ ++ return true; ++} ++ + static inline bool + check(u_int16_t proto, + u_int8_t ip_invflags, +@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par) + const struct ipt_ip *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static int multiport_mt6_check(const struct xt_mtchk_param *par) +@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par) + const struct ip6t_ip6 *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static struct xt_match multiport_mt_reg[] __read_mostly = { +-- +2.53.0 + diff --git a/queue-5.10/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch b/queue-5.10/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch new file mode 100644 index 0000000000..e9c201bb2b --- /dev/null +++ b/queue-5.10/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch @@ -0,0 +1,57 @@ +From 4c7fa4d18222c7d76833e8d068e7ae35a11119c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 14:07:42 -0700 +Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info + +From: Long Li + +[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ] + +When hv_pci_assign_numa_node() processes a device that does not have +HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range +virtual_numa_node, the device NUMA node is left unset. On x86_64, +the uninitialized default happens to be 0, but on ARM64 it is +NUMA_NO_NODE (-1). + +Tests show that when no NUMA information is available from the Hyper-V +host, devices perform best when assigned to node 0. With NUMA_NO_NODE +the kernel may spread work across NUMA nodes, which degrades +performance on Hyper-V, particularly for high-throughput devices like +MANA. + +Always set the device NUMA node to 0 before the conditional NUMA +affinity check, so that devices get a performant default when the host +provides no NUMA information, and behavior is consistent on both +x86_64 and ARM64. + +Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2") +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index e41726ec407c6..bb328fe817937 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -1901,6 +1901,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus) + if (!hv_dev) + continue; + ++ /* ++ * If the Hyper-V host doesn't provide a NUMA node for the ++ * device, default to node 0. With NUMA_NO_NODE the kernel ++ * may spread work across NUMA nodes, which degrades ++ * performance on Hyper-V. ++ */ ++ set_dev_node(&dev->dev, 0); ++ + if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY && + hv_dev->desc.virtual_numa_node < num_possible_nodes()) + /* +-- +2.53.0 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 0000000000..4cab65019d --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,36 @@ +alsa-asihpi-avoid-write-overflow-check-warning.patch +asoc-sof-topology-reject-invalid-vendor-array-size-i.patch +can-mcp251x-add-error-handling-for-power-enable-in-o.patch +btrfs-tracepoints-get-correct-superblock-from-dentry.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch +netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch +wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch +asoc-soc-core-call-missing-init_list_head-for-card_a.patch +mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch +hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch +hid-roccat-fix-use-after-free-in-roccat_report_event.patch +ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch +wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch +arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch +pci-hv-set-default-numa-node-to-0-for-devices-withou.patch +drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch +drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch +drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch +net-sched-act_csum-validate-nested-vlan-headers.patch +net-lapbether-close-the-lapb-device-before-its-under.patch +net-lapbether-remove-trailing-whitespaces.patch +net-lapbether-replace-comparison-to-null-with-lapbet.patch +net-lapbether-handle-netdev_pre_type_change.patch +tracing-probe-reject-non-closed-empty-immediate-stri.patch +e1000-check-return-value-of-e1000_read_eeprom.patch +xsk-tighten-umem-headroom-validation-to-account-for-.patch +xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch +xfrm_user-fix-info-leak-in-build_mapping.patch +netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch +netfilter-xt_multiport-validate-range-encoding-in-ch.patch +netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch +af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch +l2tp-drop-large-packets-with-udp-encap.patch +crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch diff --git a/queue-5.10/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch b/queue-5.10/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch new file mode 100644 index 0000000000..c00c846556 --- /dev/null +++ b/queue-5.10/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch @@ -0,0 +1,134 @@ +From 64e2c425983d9dc106dbbb935f6dd6ecd281f8c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 20:14:18 -0400 +Subject: srcu: Use irq_work to start GP in tiny SRCU + +From: Joel Fernandes + +[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ] + +Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), +which acquires the workqueue pool->lock. + +This causes a lockdep splat when call_srcu() is called with a scheduler +lock held, due to: + + call_srcu() [holding pi_lock] + srcu_gp_start_if_needed() + schedule_work() -> pool->lock + + workqueue_init() / create_worker() [holding pool->lock] + wake_up_process() -> try_to_wake_up() -> pi_lock + +Also add irq_work_sync() to cleanup_srcu_struct() to prevent a +use-after-free if a queued irq_work fires after cleanup begins. + +Tested with rcutorture SRCU-T and no lockdep warnings. + +[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work +to start process_srcu()" ] + +Signed-off-by: Joel Fernandes +Reviewed-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + include/linux/srcutiny.h | 4 ++++ + kernel/rcu/srcutiny.c | 19 ++++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h +index 0e0cf4d6a72a0..0419b3b9664a8 100644 +--- a/include/linux/srcutiny.h ++++ b/include/linux/srcutiny.h +@@ -11,6 +11,7 @@ + #ifndef _LINUX_SRCU_TINY_H + #define _LINUX_SRCU_TINY_H + ++#include + #include + + struct srcu_struct { +@@ -24,18 +25,21 @@ struct srcu_struct { + struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */ + struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */ + struct work_struct srcu_work; /* For driving grace periods. */ ++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */ + #ifdef CONFIG_DEBUG_LOCK_ALLOC + struct lockdep_map dep_map; + #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */ + }; + + void srcu_drive_gp(struct work_struct *wp); ++void srcu_tiny_irq_work(struct irq_work *irq_work); + + #define __SRCU_STRUCT_INIT(name, __ignored) \ + { \ + .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \ + .srcu_cb_tail = &name.srcu_cb_head, \ + .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \ ++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \ + __SRCU_DEP_MAP_INIT(name) \ + } + +diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c +index 26344dc6483b0..427cc2f1c5b02 100644 +--- a/kernel/rcu/srcutiny.c ++++ b/kernel/rcu/srcutiny.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp) + ssp->srcu_idx_max = 0; + INIT_WORK(&ssp->srcu_work, srcu_drive_gp); + INIT_LIST_HEAD(&ssp->srcu_work.entry); ++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work); + return 0; + } + +@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct); + void cleanup_srcu_struct(struct srcu_struct *ssp) + { + WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]); ++ irq_work_sync(&ssp->srcu_irq_work); + flush_work(&ssp->srcu_work); + WARN_ON(ssp->srcu_gp_running); + WARN_ON(ssp->srcu_gp_waiting); +@@ -155,6 +158,20 @@ void srcu_drive_gp(struct work_struct *wp) + } + EXPORT_SYMBOL_GPL(srcu_drive_gp); + ++/* ++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue ++ * pool->lock while the caller might hold scheduler locks, causing lockdep ++ * splats due to workqueue_init() doing a wakeup. ++ */ ++void srcu_tiny_irq_work(struct irq_work *irq_work) ++{ ++ struct srcu_struct *ssp; ++ ++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work); ++ schedule_work(&ssp->srcu_work); ++} ++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work); ++ + static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + { + unsigned short cookie; +@@ -165,7 +182,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + WRITE_ONCE(ssp->srcu_idx_max, cookie); + if (!READ_ONCE(ssp->srcu_gp_running)) { + if (likely(srcu_init_done)) +- schedule_work(&ssp->srcu_work); ++ irq_work_queue(&ssp->srcu_irq_work); + else if (list_empty(&ssp->srcu_work.entry)) + list_add(&ssp->srcu_work.entry, &srcu_boot_list); + } +-- +2.53.0 + diff --git a/queue-5.10/tracing-probe-reject-non-closed-empty-immediate-stri.patch b/queue-5.10/tracing-probe-reject-non-closed-empty-immediate-stri.patch new file mode 100644 index 0000000000..3c106ca99a --- /dev/null +++ b/queue-5.10/tracing-probe-reject-non-closed-empty-immediate-stri.patch @@ -0,0 +1,43 @@ +From 5d1af8065fe927c415acabd23a93f75b0e2c5e3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 00:03:15 +0800 +Subject: tracing/probe: reject non-closed empty immediate strings + +From: Pengpeng Hou + +[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ] + +parse_probe_arg() accepts quoted immediate strings and passes the body +after the opening quote to __parse_imm_string(). That helper currently +computes strlen(str) and immediately dereferences str[len - 1], which +underflows when the body is empty and not closed with double-quotation. + +Reject empty non-closed immediate strings before checking for the closing quote. + +Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/ + +Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support") +Signed-off-by: Pengpeng Hou +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 1893fe5460acb..698eb997b37ea 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -341,7 +341,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs) + { + size_t len = strlen(str); + +- if (str[len - 1] != '"') { ++ if (!len || str[len - 1] != '"') { + trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE); + return -EINVAL; + } +-- +2.53.0 + diff --git a/queue-5.10/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch b/queue-5.10/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch new file mode 100644 index 0000000000..50201f6936 --- /dev/null +++ b/queue-5.10/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch @@ -0,0 +1,45 @@ +From 933da6bc467773fc8c71cf6fa789a6ba330884e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 15:45:51 +0800 +Subject: wifi: brcmfmac: validate bsscfg indices in IF events + +From: Pengpeng Hou + +[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ] + +brcmf_fweh_handle_if_event() validates the firmware-provided interface +index before it touches drvr->iflist[], but it still uses the raw +bsscfgidx field as an array index without a matching range check. + +Reject IF events whose bsscfg index does not fit in drvr->iflist[] +before indexing the interface array. + +Signed-off-by: Pengpeng Hou +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn +[add missing wifi prefix] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index 1285d3685c4f5..51260a0c8e0a7 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr, + bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx); + return; + } ++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) { ++ bphy_err(drvr, "invalid bsscfg index: %u\n", ++ ifevent->bsscfgidx); ++ return; ++ } + + ifp = drvr->iflist[ifevent->bsscfgidx]; + +-- +2.53.0 + diff --git a/queue-5.10/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch b/queue-5.10/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch new file mode 100644 index 0000000000..a930f47d72 --- /dev/null +++ b/queue-5.10/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch @@ -0,0 +1,51 @@ +From 9e788f09b6a8c87fb2a36c5786b5f6d9b8f23d55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:08:45 +0800 +Subject: wifi: wl1251: validate packet IDs before indexing tx_frames + +From: Pengpeng Hou + +[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ] + +wl1251_tx_packet_cb() uses the firmware completion ID directly to index +the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the +completion block, and the callback does not currently verify that it +fits the array before dereferencing it. + +Reject completion IDs that fall outside wl->tx_frames[] and keep the +existing NULL check in the same guard. This keeps the fix local to the +trust boundary and avoids touching the rest of the completion flow. + +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c +index 5771f61392efb..7f406c086ca56 100644 +--- a/drivers/net/wireless/ti/wl1251/tx.c ++++ b/drivers/net/wireless/ti/wl1251/tx.c +@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl, + int hdrlen; + u8 *frame; + +- skb = wl->tx_frames[result->id]; +- if (skb == NULL) { +- wl1251_error("SKB for packet %d is NULL", result->id); ++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) || ++ wl->tx_frames[result->id] == NULL)) { ++ wl1251_error("invalid packet id %u", result->id); + return; + } + ++ skb = wl->tx_frames[result->id]; ++ + info = IEEE80211_SKB_CB(skb); + + if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) && +-- +2.53.0 + diff --git a/queue-5.10/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch b/queue-5.10/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch new file mode 100644 index 0000000000..39ac1eeb00 --- /dev/null +++ b/queue-5.10/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch @@ -0,0 +1,43 @@ +From a827b545eb118d6c950519f79aeaa66b34aa97c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 13:31:04 +0200 +Subject: xfrm: Wait for RCU readers during policy netns exit + +From: Steffen Klassert + +[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ] + +xfrm_policy_fini() frees the policy_bydst hash tables after flushing the +policy work items and deleting all policies, but it does not wait for +concurrent RCU readers to leave their read-side critical sections first. + +The policy_bydst tables are published via rcu_assign_pointer() and are +looked up through rcu_dereference_check(), so netns teardown must also +wait for an RCU grace period before freeing the table memory. + +Fix this by adding synchronize_rcu() before freeing the policy hash tables. + +Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups") +Signed-off-by: Steffen Klassert +Reviewed-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index c4ebfaa0b2ed0..56956abd38180 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4166,6 +4166,8 @@ static void xfrm_policy_fini(struct net *net) + #endif + xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); + ++ synchronize_rcu(); ++ + WARN_ON(!list_empty(&net->xfrm.policy_all)); + + for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { +-- +2.53.0 + diff --git a/queue-5.10/xfrm_user-fix-info-leak-in-build_mapping.patch b/queue-5.10/xfrm_user-fix-info-leak-in-build_mapping.patch new file mode 100644 index 0000000000..ddba3c0144 --- /dev/null +++ b/queue-5.10/xfrm_user-fix-info-leak-in-build_mapping.patch @@ -0,0 +1,45 @@ +From 561fbfb27849c7fe9ac8122a0ab4abdd6675b346 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 17:33:03 +0200 +Subject: xfrm_user: fix info leak in build_mapping() + +From: Greg Kroah-Hartman + +[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ] + +struct xfrm_usersa_id has a one-byte padding hole after the proto +field, which ends up never getting set to zero before copying out to +userspace. Fix that up by zeroing out the whole structure before +setting individual variables. + +Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink") +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index a55f8fe3e052f..ab79a739b3638 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -3493,6 +3493,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, + + um = nlmsg_data(nlh); + ++ memset(&um->id, 0, sizeof(um->id)); + memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); + um->id.spi = x->id.spi; + um->id.family = x->props.family; +-- +2.53.0 + diff --git a/queue-5.10/xsk-tighten-umem-headroom-validation-to-account-for-.patch b/queue-5.10/xsk-tighten-umem-headroom-validation-to-account-for-.patch new file mode 100644 index 0000000000..943ce33aa5 --- /dev/null +++ b/queue-5.10/xsk-tighten-umem-headroom-validation-to-account-for-.patch @@ -0,0 +1,53 @@ +From ed2bdf6c4b022e76c5cfdb0fa34a0da02814344c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:51 +0200 +Subject: xsk: tighten UMEM headroom validation to account for tailroom and min + frame +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ] + +The current headroom validation in xdp_umem_reg() could leave us with +insufficient space dedicated to even receive minimum-sized ethernet +frame. Furthermore if multi-buffer would come to play then +skb_shared_info stored at the end of XSK frame would be corrupted. + +HW typically works with 128-aligned sizes so let us provide this value +as bare minimum. + +Multi-buffer setting is known later in the configuration process so +besides accounting for 128 bytes, let us also take care of tailroom space +upfront. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 42b19feb2b6e5..79df583b6ce06 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -199,7 +199,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (!unaligned_chunks && chunks_rem) + return -EINVAL; + +- if (headroom >= chunk_size - XDP_PACKET_HEADROOM) ++ if (headroom > chunk_size - XDP_PACKET_HEADROOM - ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128) + return -EINVAL; + + umem->size = size; +-- +2.53.0 + diff --git a/queue-5.15/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch b/queue-5.15/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch new file mode 100644 index 0000000000..5cfe23b348 --- /dev/null +++ b/queue-5.15/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch @@ -0,0 +1,75 @@ +From 41726aca6fa6c382d0edf668d52935117c5df488 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 16:00:14 +0800 +Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock + +From: Jiexun Wang + +[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ] + +Exact UNIX diag lookups hold a reference to the socket, but not to +u->path. Meanwhile, unix_release_sock() clears u->path under +unix_state_lock() and drops the path reference after unlocking. + +Read the inode and device numbers for UNIX_DIAG_VFS while holding +unix_state_lock(), then emit the netlink attribute after dropping the +lock. + +This keeps the VFS data stable while the reply is being built. + +Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 486276a1782ed..699fba7b7591d 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -25,18 +25,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + + static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) + { +- struct dentry *dentry = unix_sk(sk)->path.dentry; ++ struct unix_diag_vfs uv; ++ struct dentry *dentry; ++ bool have_vfs = false; + ++ unix_state_lock(sk); ++ dentry = unix_sk(sk)->path.dentry; + if (dentry) { +- struct unix_diag_vfs uv = { +- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, +- .udiag_vfs_dev = dentry->d_sb->s_dev, +- }; +- +- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); ++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino; ++ uv.udiag_vfs_dev = dentry->d_sb->s_dev; ++ have_vfs = true; + } ++ unix_state_unlock(sk); + +- return 0; ++ if (!have_vfs) ++ return 0; ++ ++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); + } + + static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb) +-- +2.53.0 + diff --git a/queue-5.15/alsa-asihpi-avoid-write-overflow-check-warning.patch b/queue-5.15/alsa-asihpi-avoid-write-overflow-check-warning.patch new file mode 100644 index 0000000000..3002b222b9 --- /dev/null +++ b/queue-5.15/alsa-asihpi-avoid-write-overflow-check-warning.patch @@ -0,0 +1,55 @@ +From a7b16cede35533d4156a7468a5d365accaac758b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 13:40:07 +0100 +Subject: ALSA: asihpi: avoid write overflow check warning + +From: Arnd Bergmann + +[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ] + +clang-22 rightfully warns that the memcpy() in adapter_prepare() copies +between different structures, crossing the boundary of nested +structures inside it: + +In file included from sound/pci/asihpi/hpimsgx.c:13: +In file included from include/linux/string.h:386: +include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + 569 | __write_overflow_field(p_size_field, size); + +The two structures seem to refer to the same layout, despite the +separate definitions, so the code is in fact correct. + +Avoid the warning by copying the two inner structures separately. +I see the same pattern happens in other functions in the same file, +so there is a chance that this may come back in the future, but +this instance is the only one that I saw in practice, hitting it +multiple times per day in randconfig build. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpimsgx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c +index 761fc62f68f16..85a354cf082ff 100644 +--- a/sound/pci/asihpi/hpimsgx.c ++++ b/sound/pci/asihpi/hpimsgx.c +@@ -586,8 +586,10 @@ static u16 adapter_prepare(u16 adapter) + HPI_ADAPTER_OPEN); + hm.adapter_index = adapter; + hw_entry_point(&hm, &hr); +- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr, +- sizeof(rESP_HPI_ADAPTER_OPEN[0])); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h)); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a)); + if (hr.error) + return hr.error; + +-- +2.53.0 + diff --git a/queue-5.15/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-5.15/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..c303d3d79c --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch @@ -0,0 +1,45 @@ +From e7127073e935fa029ddc6903fc8955308d589d23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Mar 2026 10:36:03 -0500 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: César Montoya + +[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ] + +The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek +ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The +existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly, +but the subsystem ID was missing from the quirk table. + +GPIO pin confirmed via manual hda-verb testing: + hda-verb SET_GPIO_MASK 0x10 + hda-verb SET_GPIO_DIRECTION 0x10 + hda-verb SET_GPIO_DATA 0x10 + +Signed-off-by: César Montoya +Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 38fda5dbd75ba..9cb5705577f72 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9354,6 +9354,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-5.15/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch b/queue-5.15/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch new file mode 100644 index 0000000000..b80cb62072 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch @@ -0,0 +1,41 @@ +From ac53a895cf692922363981193a1dc2ff1876d562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2026 08:07:34 +0000 +Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex + +From: Phil Willoughby + +[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ] + +The NeuralDSP Quad Cortex does not support DSD playback. We need +this product-specific entry with zero quirks because otherwise it +falls through to the vendor-specific entry which marks it as +supporting DSD playback. + +Cc: Yue Wang +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Signed-off-by: Phil Willoughby +Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 33a1a35485721..4cf2f48b401ee 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1863,6 +1863,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */ + QUIRK_FLAG_IGNORE_CTL_ERROR), ++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */ ++ 0), /* Doesn't have the vendor quirk which would otherwise apply */ + DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */ + QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY), + DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */ +-- +2.53.0 + diff --git a/queue-5.15/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch b/queue-5.15/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch new file mode 100644 index 0000000000..1a99a4d1c7 --- /dev/null +++ b/queue-5.15/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch @@ -0,0 +1,39 @@ +From 9b85c052c3a55d146df32aecabd2231626c1bae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 00:28:28 +0100 +Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency + +From: Sebastian Krzyszkowiak + +[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ] + +According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum +frequency is 400MHz. + +Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node") +Reviewed-by: Frank Li +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Peng Fan +Reviewed-by: Fabio Estevam +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index e41e1c553bd37..12a33ac9e7543 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -1362,7 +1362,7 @@ gpu: gpu@38000000 { + <&clk IMX8MQ_GPU_PLL_OUT>, + <&clk IMX8MQ_GPU_PLL>; + assigned-clock-rates = <800000000>, <800000000>, +- <800000000>, <800000000>, <0>; ++ <800000000>, <400000000>, <0>; + power-domains = <&pgc_gpu>; + }; + +-- +2.53.0 + diff --git a/queue-5.15/asoc-soc-core-call-missing-init_list_head-for-card_a.patch b/queue-5.15/asoc-soc-core-call-missing-init_list_head-for-card_a.patch new file mode 100644 index 0000000000..7e99f2e5ab --- /dev/null +++ b/queue-5.15/asoc-soc-core-call-missing-init_list_head-for-card_a.patch @@ -0,0 +1,66 @@ +From 7351941f449a908d9df11c8072525b3ee762c012 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 02:43:54 +0000 +Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list + +From: Kuninori Morimoto + +[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ] + +Component has "card_aux_list" which is added/deled in bind/unbind aux dev +function (A), and used in for_each_card_auxs() loop (B). + + static void soc_unbind_aux_dev(...) + { + ... + for_each_card_auxs_safe(...) { + ... +(A) list_del(&component->card_aux_list); + } ^^^^^^^^^^^^^ + } + + static int soc_bind_aux_dev(...) + { + ... + for_each_card_pre_auxs(...) { + ... +(A) list_add(&component->card_aux_list, ...); + } ^^^^^^^^^^^^^ + ... + } + + #define for_each_card_auxs(card, component) \ +(B) list_for_each_entry(component, ..., card_aux_list) + ^^^^^^^^^^^^^ + +But it has been used without calling INIT_LIST_HEAD(). + + > git grep card_aux_list sound/soc + sound/soc/soc-core.c: list_del(&component->card_aux_list); + sound/soc/soc-core.c: list_add(&component->card_aux_list, ...); + +call missing INIT_LIST_HEAD() for it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index af8554e96035f..da652f2f09b61 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2646,6 +2646,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, + INIT_LIST_HEAD(&component->dobj_list); + INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); ++ INIT_LIST_HEAD(&component->card_aux_list); + mutex_init(&component->io_mutex); + + component->name = fmt_single_name(dev, &component->id); +-- +2.53.0 + diff --git a/queue-5.15/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch b/queue-5.15/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch new file mode 100644 index 0000000000..18a55bbb0d --- /dev/null +++ b/queue-5.15/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch @@ -0,0 +1,46 @@ +From 4f8916e8b21927a009d69184ca5cd1b9bf54157e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:45:26 -0300 +Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ] + +sof_parse_token_sets() accepts array->size values that can be invalid +for a vendor tuple array header. In particular, a zero size does not +advance the parser state and can lead to non-progress parsing on +malformed topology data. + +Validate array->size against the minimum header size and reject values +smaller than sizeof(*array) before parsing. This preserves behavior for +valid topologies and hardens malformed-input handling. + +Signed-off-by: Cássio Gabriel +Acked-by: Peter Ujfalusi +Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index 1bb2dcf37ffe9..16feb5d268022 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -941,7 +941,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp, + asize = le32_to_cpu(array->size); + + /* validate asize */ +- if (asize < 0) { /* FIXME: A zero-size array makes no sense */ ++ if (asize < sizeof(*array)) { + dev_err(scomp->dev, "error: invalid array size 0x%x\n", + asize); + return -EINVAL; +-- +2.53.0 + diff --git a/queue-5.15/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch b/queue-5.15/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch new file mode 100644 index 0000000000..618079f18a --- /dev/null +++ b/queue-5.15/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch @@ -0,0 +1,64 @@ +From f1a67f2a53e77786a1ca183e6b1ac9cb3056638d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:40:56 +0200 +Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J + +From: Tomasz Merta + +[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ] + +The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A, +DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK +edge when SND_SOC_DAIFMT_NB_NF is used. + +Per ALSA convention, NB_NF requires sampling on the rising BCLK edge. +The STM32MP25 SAI reference manual states that CKSTR=1 is required for +signals received by the SAI to be sampled on the SCK rising edge. +Without setting CKSTR=1, the SAI samples on the falling edge, violating +the NB_NF convention. For comparison, the NXP FSL SAI driver correctly +sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its +I2S handling. + +This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in +stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec. +RIGHT_J (LSB) is not investigated and addressed by this patch. + +Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue +for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified +and is left for a separate investigation. + +Signed-off-by: Tomasz Merta +Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_sai_sub.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c +index 5a4551f1a40dd..fa6f06f1d3842 100644 +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -671,6 +671,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + break; + /* Left justified */ + case SND_SOC_DAIFMT_MSB: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + /* Right justified */ +@@ -678,9 +679,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + case SND_SOC_DAIFMT_DSP_A: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF; + break; + case SND_SOC_DAIFMT_DSP_B: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL; + break; + default: +-- +2.53.0 + diff --git a/queue-5.15/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch b/queue-5.15/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch new file mode 100644 index 0000000000..ba5633ebd4 --- /dev/null +++ b/queue-5.15/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch @@ -0,0 +1,83 @@ +From 739bef3f229620180dda42259f905795cdc5fb9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 15:23:35 -0700 +Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 + +From: Arthur Husband + +[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ] + +The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA +support via the S64A bit in the AHCI CAP register, but their 64-bit DMA +implementation is defective. Under sustained I/O, DMA transfers targeting +addresses above 4GB silently corrupt data -- writes land at incorrect +memory addresses with no errors logged. + +The failure pattern is similar to the ASMedia ASM1061 +(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia +ASM1061 controllers")), which also falsely advertised full 64-bit DMA +support. However, the JMB585 requires a stricter 32-bit DMA mask rather +than 43-bit, as corruption occurs with any address above 4GB. + +On the Minisforum N5 Pro specifically, the combination of the JMB585's +broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes +silent data corruption that is only detectable via checksumming +filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA +space is exhausted and the kernel transparently switches to 64-bit DMA +addresses. + +Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585 +(0x0585) before the generic JMicron class match, using a new board type +that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior) +with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks. + +Signed-off-by: Arthur Husband +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 408a25956f6e0..d87b0da31dc25 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -61,6 +61,7 @@ enum board_ids { + /* board IDs for specific chipsets in alphabetical order */ + board_ahci_al, + board_ahci_avn, ++ board_ahci_jmb585, + board_ahci_mcp65, + board_ahci_mcp77, + board_ahci_mcp89, +@@ -200,6 +201,15 @@ static const struct ata_port_info ahci_port_info[] = { + .udma_mask = ATA_UDMA6, + .port_ops = &ahci_avn_ops, + }, ++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */ ++ [board_ahci_jmb585] = { ++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR | ++ AHCI_HFLAG_32BIT_ONLY), ++ .flags = AHCI_FLAG_COMMON, ++ .pio_mask = ATA_PIO4, ++ .udma_mask = ATA_UDMA6, ++ .port_ops = &ahci_ops, ++ }, + [board_ahci_mcp65] = { + AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP | + AHCI_HFLAG_YES_NCQ), +@@ -436,6 +446,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */ + { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */ + ++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */ ++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 }, ++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 }, ++ + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr }, +-- +2.53.0 + diff --git a/queue-5.15/btrfs-tracepoints-get-correct-superblock-from-dentry.patch b/queue-5.15/btrfs-tracepoints-get-correct-superblock-from-dentry.patch new file mode 100644 index 0000000000..45a61f1492 --- /dev/null +++ b/queue-5.15/btrfs-tracepoints-get-correct-superblock-from-dentry.patch @@ -0,0 +1,50 @@ +From 5b9206cde6bb8d76554ae77de1104a707c98d3c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 14:11:39 -0400 +Subject: btrfs: tracepoints: get correct superblock from dentry in event + btrfs_sync_file() + +From: Goldwyn Rodrigues + +[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] + +If overlay is used on top of btrfs, dentry->d_sb translates to overlay's +super block and fsid assignment will lead to a crash. + +Use file_inode(file)->i_sb to always get btrfs_sb. + +Reviewed-by: Boris Burkov +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + include/trace/events/btrfs.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index a5f77b685c55f..058c85534f3f1 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -695,12 +695,15 @@ TRACE_EVENT(btrfs_sync_file, + ), + + TP_fast_assign( +- const struct dentry *dentry = file->f_path.dentry; +- const struct inode *inode = d_inode(dentry); ++ struct dentry *dentry = file_dentry(file); ++ struct inode *inode = file_inode(file); ++ struct dentry *parent = dget_parent(dentry); ++ struct inode *parent_inode = d_inode(parent); + +- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb)); ++ dput(parent); ++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb)); + __entry->ino = btrfs_ino(BTRFS_I(inode)); +- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent))); ++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode)); + __entry->datasync = datasync; + __entry->root_objectid = + BTRFS_I(inode)->root->root_key.objectid; +-- +2.53.0 + diff --git a/queue-5.15/can-mcp251x-add-error-handling-for-power-enable-in-o.patch b/queue-5.15/can-mcp251x-add-error-handling-for-power-enable-in-o.patch new file mode 100644 index 0000000000..4b4a5658f4 --- /dev/null +++ b/queue-5.15/can-mcp251x-add-error-handling-for-power-enable-in-o.patch @@ -0,0 +1,90 @@ +From dfa586a93b502f18bcf60cf611c6d28ce544c5e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 00:00:22 +0800 +Subject: can: mcp251x: add error handling for power enable in open and resume + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ] + +Add missing error handling for mcp251x_power_enable() calls in both +mcp251x_open() and mcp251x_can_resume() functions. + +In mcp251x_open(), if power enable fails, jump to error path to close +candev without attempting to disable power again. + +In mcp251x_can_resume(), properly check return values of power enable calls +for both power and transceiver regulators. If any fails, return the error +code to the PM framework and log the failure. + +This ensures the driver properly handles power control failures and +maintains correct device state. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com +[mkl: fix patch description] +[mkl: mcp251x_can_resume(): replace goto by return] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index e71edca7afbb2..2810583b818a3 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1218,7 +1218,11 @@ static int mcp251x_open(struct net_device *net) + } + + mutex_lock(&priv->mcp_lock); +- mcp251x_power_enable(priv->transceiver, 1); ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret)); ++ goto out_close_candev; ++ } + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -1267,6 +1271,7 @@ static int mcp251x_open(struct net_device *net) + mcp251x_hw_sleep(spi); + out_close: + mcp251x_power_enable(priv->transceiver, 0); ++out_close_candev: + close_candev(net); + mutex_unlock(&priv->mcp_lock); + if (release_irq) +@@ -1505,11 +1510,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev) + { + struct spi_device *spi = to_spi_device(dev); + struct mcp251x_priv *priv = spi_get_drvdata(spi); ++ int ret = 0; + +- if (priv->after_suspend & AFTER_SUSPEND_POWER) +- mcp251x_power_enable(priv->power, 1); +- if (priv->after_suspend & AFTER_SUSPEND_UP) +- mcp251x_power_enable(priv->transceiver, 1); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) { ++ ret = mcp251x_power_enable(priv->power, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret)); ++ return ret; ++ } ++ } ++ ++ if (priv->after_suspend & AFTER_SUSPEND_UP) { ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret)); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) ++ mcp251x_power_enable(priv->power, 0); ++ return ret; ++ } ++ } + + if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP)) + queue_work(priv->wq, &priv->restart_work); +-- +2.53.0 + diff --git a/queue-5.15/clockevents-prevent-timer-interrupt-starvation.patch b/queue-5.15/clockevents-prevent-timer-interrupt-starvation.patch new file mode 100644 index 0000000000..01ffd7f692 --- /dev/null +++ b/queue-5.15/clockevents-prevent-timer-interrupt-starvation.patch @@ -0,0 +1,218 @@ +From 4b95adf98f5c5c0219c6eba726aa9626cdb3a351 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 10:54:17 +0200 +Subject: clockevents: Prevent timer interrupt starvation + +From: Thomas Gleixner + +[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ] + +Calvin reported an odd NMI watchdog lockup which claims that the CPU locked +up in user space. He provided a reproducer, which sets up a timerfd based +timer and then rearms it in a loop with an absolute expiry time of 1ns. + +As the expiry time is in the past, the timer ends up as the first expiring +timer in the per CPU hrtimer base and the clockevent device is programmed +with the minimum delta value. If the machine is fast enough, this ends up +in a endless loop of programming the delta value to the minimum value +defined by the clock event device, before the timer interrupt can fire, +which starves the interrupt and consequently triggers the lockup detector +because the hrtimer callback of the lockup mechanism is never invoked. + +As a first step to prevent this, avoid reprogramming the clock event device +when: + - a forced minimum delta event is pending + - the new expiry delta is less then or equal to the minimum delta + +Thanks to Calvin for providing the reproducer and to Borislav for testing +and providing data from his Zen5 machine. + +The problem is not limited to Zen5, but depending on the underlying +clock event device (e.g. TSC deadline timer on Intel) and the CPU speed +not necessarily observable. + +This change serves only as the last resort and further changes will be made +to prevent this scenario earlier in the call chain as far as possible. + +[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and + fixed up the tick-broadcast handlers as pointed out by Borislav ] + +Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality") +Reported-by: Calvin Owens +Signed-off-by: Thomas Gleixner +Tested-by: Calvin Owens +Tested-by: Borislav Petkov +Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/ +Link: https://patch.msgid.link/20260407083247.562657657@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/clockchips.h | 2 ++ + kernel/time/clockevents.c | 27 +++++++++++++++++++-------- + kernel/time/hrtimer.c | 1 + + kernel/time/tick-broadcast.c | 8 +++++++- + kernel/time/tick-common.c | 1 + + kernel/time/tick-sched.c | 1 + + 6 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h +index 8ae9a95ebf5b5..046c6d8d91a69 100644 +--- a/include/linux/clockchips.h ++++ b/include/linux/clockchips.h +@@ -80,6 +80,7 @@ enum clock_event_state { + * @shift: nanoseconds to cycles divisor (power of two) + * @state_use_accessors:current state of the device, assigned by the core code + * @features: features ++ * @next_event_forced: True if the last programming was a forced event + * @retries: number of forced programming retries + * @set_state_periodic: switch state to periodic + * @set_state_oneshot: switch state to oneshot +@@ -108,6 +109,7 @@ struct clock_event_device { + u32 shift; + enum clock_event_state state_use_accessors; + unsigned int features; ++ unsigned int next_event_forced; + unsigned long retries; + + int (*set_state_periodic)(struct clock_event_device *); +diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c +index 003ccf338d201..a41701ae38126 100644 +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev) + { + clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN); + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + } + + /** +@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + { + unsigned long long clc; + int64_t delta; +- int rc; + + if (WARN_ON_ONCE(expires < 0)) + return -ETIME; +@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + return dev->set_next_ktime(expires, dev); + + delta = ktime_to_ns(ktime_sub(expires, ktime_get())); +- if (delta <= 0) +- return force ? clockevents_program_min_delta(dev) : -ETIME; + +- delta = min(delta, (int64_t) dev->max_delta_ns); +- delta = max(delta, (int64_t) dev->min_delta_ns); ++ /* Required for tick_periodic() during early boot */ ++ if (delta <= 0 && !force) ++ return -ETIME; ++ ++ if (delta > (int64_t)dev->min_delta_ns) { ++ delta = min(delta, (int64_t) dev->max_delta_ns); ++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift; ++ if (!dev->set_next_event((unsigned long) clc, dev)) ++ return 0; ++ } + +- clc = ((unsigned long long) delta * dev->mult) >> dev->shift; +- rc = dev->set_next_event((unsigned long) clc, dev); ++ if (dev->next_event_forced) ++ return 0; + +- return (rc && force) ? clockevents_program_min_delta(dev) : rc; ++ if (dev->set_next_event(dev->min_delta_ticks, dev)) { ++ if (!force || clockevents_program_min_delta(dev)) ++ return -ETIME; ++ } ++ dev->next_event_forced = 1; ++ return 0; + } + + /* +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 0246b32e907d2..459bd5ab95101 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1788,6 +1788,7 @@ void hrtimer_interrupt(struct clock_event_device *dev) + BUG_ON(!cpu_base->hres_active); + cpu_base->nr_events++; + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + raw_spin_lock_irqsave(&cpu_base->lock, flags); + entry_time = now = hrtimer_update_base(cpu_base); +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index 13a71a894cc16..369f7e52b5e51 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu) + */ + static void tick_broadcast_start_periodic(struct clock_event_device *bc) + { +- if (bc) ++ if (bc) { ++ bc->next_event_forced = 0; + tick_setup_periodic(bc, 1); ++ } + } + + /* +@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev) + bool bc_local; + + raw_spin_lock(&tick_broadcast_lock); ++ tick_broadcast_device.evtdev->next_event_forced = 0; + + /* Handle spurious interrupts gracefully */ + if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) { +@@ -692,6 +695,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev) + + raw_spin_lock(&tick_broadcast_lock); + dev->next_event = KTIME_MAX; ++ tick_broadcast_device.evtdev->next_event_forced = 0; + next_event = KTIME_MAX; + cpumask_clear(tmpmask); + now = ktime_get(); +@@ -1057,6 +1061,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc, + + + bc->event_handler = tick_handle_oneshot_broadcast; ++ bc->next_event_forced = 0; + bc->next_event = KTIME_MAX; + + /* +@@ -1169,6 +1174,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu) + } + + /* This moves the broadcast assignment to this CPU: */ ++ bc->next_event_forced = 0; + clockevents_program_event(bc, bc->next_event, 1); + } + raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index 7f2b17fc8ce40..79ae1adf635bd 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -109,6 +109,7 @@ void tick_handle_periodic(struct clock_event_device *dev) + int cpu = smp_processor_id(); + ktime_t next = dev->next_event; + ++ dev->next_event_forced = 0; + tick_periodic(cpu); + + #if defined(CONFIG_HIGH_RES_TIMERS) || defined(CONFIG_NO_HZ_COMMON) +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index ae1b207c64479..6a3d0c0c8ffaf 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1354,6 +1354,7 @@ static void tick_nohz_handler(struct clock_event_device *dev) + ktime_t now = ktime_get(); + + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + tick_sched_do_timer(ts, now); + tick_sched_handle(ts, regs); +-- +2.53.0 + diff --git a/queue-5.15/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-5.15/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch new file mode 100644 index 0000000000..554c66d69f --- /dev/null +++ b/queue-5.15/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch @@ -0,0 +1,38 @@ +From f6ae8b47a19b534a5ee12a0eda3717f2cf48635d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 13:32:21 +0800 +Subject: crypto: algif_aead - Fix minimum RX size check for decryption + +From: Herbert Xu + +[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] + +The check for the minimum receive buffer size did not take the +tag size into account during decryption. Fix this by adding the +required extra length. + +Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com +Reported-by: Daniel Pouzzner +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_aead.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c +index 42493b4d8ce46..cb3959e2c435e 100644 +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + if (usedpages < outlen) { + size_t less = outlen - usedpages; + +- if (used < less) { ++ if (used < less + (ctx->enc ? 0 : as)) { + err = -EINVAL; + goto free; + } +-- +2.53.0 + diff --git a/queue-5.15/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch b/queue-5.15/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch new file mode 100644 index 0000000000..43e0c754c6 --- /dev/null +++ b/queue-5.15/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch @@ -0,0 +1,74 @@ +From 83f37f7d4764bb9f3e340e592a4df8ee8cb95535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:45 -0300 +Subject: drm/vc4: Fix a memory leak in hang state error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ] + +When vc4_save_hang_state() encounters an early return condition, it +returns without freeing the previously allocated `kernel_state`, +leaking memory. + +Add the missing kfree() calls by consolidating the early return paths +into a single place. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 87900248d9f8d..a52736cf1f7a3 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -166,10 +166,8 @@ vc4_save_hang_state(struct drm_device *dev) + spin_lock_irqsave(&vc4->job_lock, irqflags); + exec[0] = vc4_first_bin_job(vc4); + exec[1] = vc4_first_render_job(vc4); +- if (!exec[0] && !exec[1]) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!exec[0] && !exec[1]) ++ goto err_free_state; + + /* Get the bos from both binner and renderer into hang state. */ + state->bo_count = 0; +@@ -186,10 +184,8 @@ vc4_save_hang_state(struct drm_device *dev) + kernel_state->bo = kcalloc(state->bo_count, + sizeof(*kernel_state->bo), GFP_ATOMIC); + +- if (!kernel_state->bo) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!kernel_state->bo) ++ goto err_free_state; + + k = 0; + for (i = 0; i < 2; i++) { +@@ -281,6 +277,12 @@ vc4_save_hang_state(struct drm_device *dev) + vc4->hang_state = kernel_state; + spin_unlock_irqrestore(&vc4->job_lock, irqflags); + } ++ ++ return; ++ ++err_free_state: ++ spin_unlock_irqrestore(&vc4->job_lock, irqflags); ++ kfree(kernel_state); + } + + static void +-- +2.53.0 + diff --git a/queue-5.15/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch b/queue-5.15/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch new file mode 100644 index 0000000000..18657c964d --- /dev/null +++ b/queue-5.15/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch @@ -0,0 +1,40 @@ +From 1e72262eb3cd103f7f47bb8d0f246f80a60abea9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:44 -0300 +Subject: drm/vc4: Fix memory leak of BO array in hang state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ] + +The hang state's BO array is allocated separately with kzalloc() in +vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the +missing kfree() for the BO array before freeing the hang state struct. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 445d3bab89e0a..87900248d9f8d 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state) + for (i = 0; i < state->user_state.bo_count; i++) + drm_gem_object_put(state->bo[i]); + ++ kfree(state->bo); + kfree(state); + } + +-- +2.53.0 + diff --git a/queue-5.15/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch b/queue-5.15/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch new file mode 100644 index 0000000000..85e6518bb0 --- /dev/null +++ b/queue-5.15/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch @@ -0,0 +1,48 @@ +From d2c1b97f009898d30094fe91e165f64c86c742fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:46 -0300 +Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ] + +The mmap callback reads bo->madv without holding madv_lock, racing with +concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under +the same lock. Add the missing locking to prevent the data race. + +Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_bo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c +index f642bd6e71ff4..4703f180cde60 100644 +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -713,12 +713,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct + return -EINVAL; + } + ++ mutex_lock(&bo->madv_lock); + if (bo->madv != VC4_MADV_WILLNEED) { + DRM_DEBUG("mmaping of %s BO not allowed\n", + bo->madv == VC4_MADV_DONTNEED ? + "purgeable" : "purged"); ++ mutex_unlock(&bo->madv_lock); + return -EINVAL; + } ++ mutex_unlock(&bo->madv_lock); + + return drm_gem_cma_mmap(obj, vma); + } +-- +2.53.0 + diff --git a/queue-5.15/e1000-check-return-value-of-e1000_read_eeprom.patch b/queue-5.15/e1000-check-return-value-of-e1000_read_eeprom.patch new file mode 100644 index 0000000000..cccb32d331 --- /dev/null +++ b/queue-5.15/e1000-check-return-value-of-e1000_read_eeprom.patch @@ -0,0 +1,70 @@ +From d7d8eb37dbdcee8ce8cfb6be7be5e22538e74595 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 15:05:05 +0300 +Subject: e1000: check return value of e1000_read_eeprom + +From: Agalakov Daniil + +[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ] + +[Why] +e1000_set_eeprom() performs a read-modify-write operation when the write +range is not word-aligned. This requires reading the first and last words +of the range from the EEPROM to preserve the unmodified bytes. + +However, the code does not check the return value of e1000_read_eeprom(). +If the read fails, the operation continues using uninitialized data from +eeprom_buff. This results in corrupted data being written back to the +EEPROM for the boundary words. + +Add the missing error checks and abort the operation if reading fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Iskhakov Daniil +Signed-off-by: Iskhakov Daniil +Signed-off-by: Agalakov Daniil +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index 0a57172dfcbc4..631165b895b61 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev, + */ + ret_val = e1000_read_eeprom(hw, first_word, 1, + &eeprom_buff[0]); ++ if (ret_val) ++ goto out; ++ + ptr++; + } +- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) { ++ if ((eeprom->offset + eeprom->len) & 1) { + /* need read/modify/write of last changed EEPROM word + * only the first byte of the word is being modified + */ + ret_val = e1000_read_eeprom(hw, last_word, 1, + &eeprom_buff[last_word - first_word]); ++ if (ret_val) ++ goto out; + } + + /* Device's eeprom is always little-endian, word addressable */ +@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev, + if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG)) + e1000_update_eeprom_checksum(hw); + ++out: + kfree(eeprom_buff); + return ret_val; + } +-- +2.53.0 + diff --git a/queue-5.15/epoll-use-refcount-to-reduce-ep_mutex-contention.patch b/queue-5.15/epoll-use-refcount-to-reduce-ep_mutex-contention.patch new file mode 100644 index 0000000000..85a1c07fba --- /dev/null +++ b/queue-5.15/epoll-use-refcount-to-reduce-ep_mutex-contention.patch @@ -0,0 +1,436 @@ +From 11f9a062e665f6c98c98f4265993f29b9082565e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 17:57:02 +0100 +Subject: epoll: use refcount to reduce ep_mutex contention + +From: Paolo Abeni + +[ Upstream commit 58c9b016e12855286370dfb704c08498edbc857a ] + +We are observing huge contention on the epmutex during an http +connection/rate test: + + 83.17% 0.25% nginx [kernel.kallsyms] [k] entry_SYSCALL_64_after_hwframe +[...] + |--66.96%--__fput + |--60.04%--eventpoll_release_file + |--58.41%--__mutex_lock.isra.6 + |--56.56%--osq_lock + +The application is multi-threaded, creates a new epoll entry for +each incoming connection, and does not delete it before the +connection shutdown - that is, before the connection's fd close(). + +Many different threads compete frequently for the epmutex lock, +affecting the overall performance. + +To reduce the contention this patch introduces explicit reference counting +for the eventpoll struct. Each registered event acquires a reference, +and references are released at ep_remove() time. + +The eventpoll struct is released by whoever - among EP file close() and +and the monitored file close() drops its last reference. + +Additionally, this introduces a new 'dying' flag to prevent races between +the EP file close() and the monitored file close(). +ep_eventpoll_release() marks, under f_lock spinlock, each epitem as dying +before removing it, while EP file close() does not touch dying epitems. + +The above is needed as both close operations could run concurrently and +drop the EP reference acquired via the epitem entry. Without the above +flag, the monitored file close() could reach the EP struct via the epitem +list while the epitem is still listed and then try to put it after its +disposal. + +An alternative could be avoiding touching the references acquired via +the epitems at EP file close() time, but that could leave the EP struct +alive for potentially unlimited time after EP file close(), with nasty +side effects. + +With all the above in place, we can drop the epmutex usage at disposal time. + +Overall this produces a significant performance improvement in the +mentioned connection/rate scenario: the mutex operations disappear from +the topmost offenders in the perf report, and the measured connections/rate +grows by ~60%. + +To make the change more readable this additionally renames ep_free() to +ep_clear_and_put(), and moves the actual memory cleanup in a separate +ep_free() helper. + +Link: https://lkml.kernel.org/r/4a57788dcaf28f5eb4f8dfddcc3a8b172a7357bb.1679504153.git.pabeni@redhat.com +Signed-off-by: Paolo Abeni +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Tested-by: Xiumei Mu +Acked-by: Soheil Hassas Yeganeh +Reviewed-by: Davidlohr Bueso +Cc: Alexander Viro +Cc: Carlos Maiolino +Cc: Christian Brauner +Cc: Eric Biggers +Cc: Jacob Keller +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Stable-dep-of: 07712db80857 ("eventpoll: defer struct eventpoll free to RCU grace period") +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 195 +++++++++++++++++++++++++++++++------------------ + 1 file changed, 123 insertions(+), 72 deletions(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index fb5e2af47f02d..217b8016a6b50 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -57,13 +57,7 @@ + * we need a lock that will allow us to sleep. This lock is a + * mutex (ep->mtx). It is acquired during the event transfer loop, + * during epoll_ctl(EPOLL_CTL_DEL) and during eventpoll_release_file(). +- * Then we also need a global mutex to serialize eventpoll_release_file() +- * and ep_free(). +- * This mutex is acquired by ep_free() during the epoll file +- * cleanup path and it is also acquired by eventpoll_release_file() +- * if a file has been pushed inside an epoll set and it is then +- * close()d without a previous call to epoll_ctl(EPOLL_CTL_DEL). +- * It is also acquired when inserting an epoll fd onto another epoll ++ * The epmutex is acquired when inserting an epoll fd onto another epoll + * fd. We do this so that we walk the epoll tree and ensure that this + * insertion does not create a cycle of epoll file descriptors, which + * could lead to deadlock. We need a global mutex to prevent two +@@ -153,6 +147,13 @@ struct epitem { + /* The file descriptor information this item refers to */ + struct epoll_filefd ffd; + ++ /* ++ * Protected by file->f_lock, true for to-be-released epitem already ++ * removed from the "struct file" items list; together with ++ * eventpoll->refcount orchestrates "struct eventpoll" disposal ++ */ ++ bool dying; ++ + /* List containing poll wait queues */ + struct eppoll_entry *pwqlist; + +@@ -218,6 +219,12 @@ struct eventpoll { + struct hlist_head refs; + u8 loop_check_depth; + ++ /* ++ * usage count, used together with epitem->dying to ++ * orchestrate the disposal of this struct ++ */ ++ refcount_t refcount; ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + /* used to track busy poll napi_id */ + unsigned int napi_id; +@@ -241,9 +248,7 @@ struct ep_pqueue { + /* Maximum number of epoll watched descriptors, per user */ + static long max_user_watches __read_mostly; + +-/* +- * This mutex is used to serialize ep_free() and eventpoll_release_file(). +- */ ++/* Used for cycles detection */ + static DEFINE_MUTEX(epmutex); + + static u64 loop_check_gen = 0; +@@ -551,8 +556,7 @@ static void ep_remove_wait_queue(struct eppoll_entry *pwq) + + /* + * This function unregisters poll callbacks from the associated file +- * descriptor. Must be called with "mtx" held (or "epmutex" if called from +- * ep_free). ++ * descriptor. Must be called with "mtx" held. + */ + static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi) + { +@@ -675,11 +679,40 @@ static void epi_rcu_free(struct rcu_head *head) + kmem_cache_free(epi_cache, epi); + } + ++static void ep_get(struct eventpoll *ep) ++{ ++ refcount_inc(&ep->refcount); ++} ++ ++/* ++ * Returns true if the event poll can be disposed ++ */ ++static bool ep_refcount_dec_and_test(struct eventpoll *ep) ++{ ++ if (!refcount_dec_and_test(&ep->refcount)) ++ return false; ++ ++ WARN_ON_ONCE(!RB_EMPTY_ROOT(&ep->rbr.rb_root)); ++ return true; ++} ++ ++static void ep_free(struct eventpoll *ep) ++{ ++ mutex_destroy(&ep->mtx); ++ free_uid(ep->user); ++ wakeup_source_unregister(ep->ws); ++ kfree(ep); ++} ++ + /* + * Removes a "struct epitem" from the eventpoll RB tree and deallocates + * all the associated resources. Must be called with "mtx" held. ++ * If the dying flag is set, do the removal only if force is true. ++ * This prevents ep_clear_and_put() from dropping all the ep references ++ * while running concurrently with eventpoll_release_file(). ++ * Returns true if the eventpoll can be disposed. + */ +-static int ep_remove(struct eventpoll *ep, struct epitem *epi) ++static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force) + { + struct file *file = epi->ffd.file; + struct epitems_head *to_free; +@@ -694,6 +727,11 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi) + + /* Remove the current item from the list of epoll hooks */ + spin_lock(&file->f_lock); ++ if (epi->dying && !force) { ++ spin_unlock(&file->f_lock); ++ return false; ++ } ++ + to_free = NULL; + head = file->f_ep; + if (head->first == &epi->fllink && !epi->fllink.next) { +@@ -728,28 +766,28 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi) + call_rcu(&epi->rcu, epi_rcu_free); + + percpu_counter_dec(&ep->user->epoll_watches); ++ return ep_refcount_dec_and_test(ep); ++} + +- return 0; ++/* ++ * ep_remove variant for callers owing an additional reference to the ep ++ */ ++static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi) ++{ ++ WARN_ON_ONCE(__ep_remove(ep, epi, false)); + } + +-static void ep_free(struct eventpoll *ep) ++static void ep_clear_and_put(struct eventpoll *ep) + { +- struct rb_node *rbp; ++ struct rb_node *rbp, *next; + struct epitem *epi; ++ bool dispose; + + /* We need to release all tasks waiting for these file */ + if (waitqueue_active(&ep->poll_wait)) + ep_poll_safewake(ep, NULL, 0); + +- /* +- * We need to lock this because we could be hit by +- * eventpoll_release_file() while we're freeing the "struct eventpoll". +- * We do not need to hold "ep->mtx" here because the epoll file +- * is on the way to be removed and no one has references to it +- * anymore. The only hit might come from eventpoll_release_file() but +- * holding "epmutex" is sufficient here. +- */ +- mutex_lock(&epmutex); ++ mutex_lock(&ep->mtx); + + /* + * Walks through the whole tree by unregistering poll callbacks. +@@ -762,26 +800,25 @@ static void ep_free(struct eventpoll *ep) + } + + /* +- * Walks through the whole tree by freeing each "struct epitem". At this +- * point we are sure no poll callbacks will be lingering around, and also by +- * holding "epmutex" we can be sure that no file cleanup code will hit +- * us during this operation. So we can avoid the lock on "ep->lock". +- * We do not need to lock ep->mtx, either, we only do it to prevent +- * a lockdep warning. ++ * Walks through the whole tree and try to free each "struct epitem". ++ * Note that ep_remove_safe() will not remove the epitem in case of a ++ * racing eventpoll_release_file(); the latter will do the removal. ++ * At this point we are sure no poll callbacks will be lingering around. ++ * Since we still own a reference to the eventpoll struct, the loop can't ++ * dispose it. + */ +- mutex_lock(&ep->mtx); +- while ((rbp = rb_first_cached(&ep->rbr)) != NULL) { ++ for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = next) { ++ next = rb_next(rbp); + epi = rb_entry(rbp, struct epitem, rbn); +- ep_remove(ep, epi); ++ ep_remove_safe(ep, epi); + cond_resched(); + } ++ ++ dispose = ep_refcount_dec_and_test(ep); + mutex_unlock(&ep->mtx); + +- mutex_unlock(&epmutex); +- mutex_destroy(&ep->mtx); +- free_uid(ep->user); +- wakeup_source_unregister(ep->ws); +- kfree(ep); ++ if (dispose) ++ ep_free(ep); + } + + static int ep_eventpoll_release(struct inode *inode, struct file *file) +@@ -789,7 +826,7 @@ static int ep_eventpoll_release(struct inode *inode, struct file *file) + struct eventpoll *ep = file->private_data; + + if (ep) +- ep_free(ep); ++ ep_clear_and_put(ep); + + return 0; + } +@@ -937,33 +974,34 @@ void eventpoll_release_file(struct file *file) + { + struct eventpoll *ep; + struct epitem *epi; +- struct hlist_node *next; ++ bool dispose; + + /* +- * We don't want to get "file->f_lock" because it is not +- * necessary. It is not necessary because we're in the "struct file" +- * cleanup path, and this means that no one is using this file anymore. +- * So, for example, epoll_ctl() cannot hit here since if we reach this +- * point, the file counter already went to zero and fget() would fail. +- * The only hit might come from ep_free() but by holding the mutex +- * will correctly serialize the operation. We do need to acquire +- * "ep->mtx" after "epmutex" because ep_remove() requires it when called +- * from anywhere but ep_free(). +- * +- * Besides, ep_remove() acquires the lock, so we can't hold it here. ++ * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from ++ * touching the epitems list before eventpoll_release_file() can access ++ * the ep->mtx. + */ +- mutex_lock(&epmutex); +- if (unlikely(!file->f_ep)) { +- mutex_unlock(&epmutex); +- return; +- } +- hlist_for_each_entry_safe(epi, next, file->f_ep, fllink) { ++again: ++ spin_lock(&file->f_lock); ++ if (file->f_ep && file->f_ep->first) { ++ epi = hlist_entry(file->f_ep->first, struct epitem, fllink); ++ epi->dying = true; ++ spin_unlock(&file->f_lock); ++ ++ /* ++ * ep access is safe as we still own a reference to the ep ++ * struct ++ */ + ep = epi->ep; +- mutex_lock_nested(&ep->mtx, 0); +- ep_remove(ep, epi); ++ mutex_lock(&ep->mtx); ++ dispose = __ep_remove(ep, epi, true); + mutex_unlock(&ep->mtx); ++ ++ if (dispose) ++ ep_free(ep); ++ goto again; + } +- mutex_unlock(&epmutex); ++ spin_unlock(&file->f_lock); + } + + static int ep_alloc(struct eventpoll **pep) +@@ -986,6 +1024,7 @@ static int ep_alloc(struct eventpoll **pep) + ep->rbr = RB_ROOT_CACHED; + ep->ovflist = EP_UNACTIVE_PTR; + ep->user = user; ++ refcount_set(&ep->refcount, 1); + + *pep = ep; + +@@ -1257,10 +1296,10 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v + */ + list_del_init(&wait->entry); + /* +- * ->whead != NULL protects us from the race with ep_free() +- * or ep_remove(), ep_remove_wait_queue() takes whead->lock +- * held by the caller. Once we nullify it, nothing protects +- * ep/epi or even wait. ++ * ->whead != NULL protects us from the race with ++ * ep_clear_and_put() or ep_remove(), ep_remove_wait_queue() ++ * takes whead->lock held by the caller. Once we nullify it, ++ * nothing protects ep/epi or even wait. + */ + smp_store_release(&ep_pwq_from_wait(wait)->whead, NULL); + } +@@ -1531,16 +1570,22 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event, + if (tep) + mutex_unlock(&tep->mtx); + ++ /* ++ * ep_remove_safe() calls in the later error paths can't lead to ++ * ep_free() as the ep file itself still holds an ep reference. ++ */ ++ ep_get(ep); ++ + /* now check if we've created too many backpaths */ + if (unlikely(full_check && reverse_path_check())) { +- ep_remove(ep, epi); ++ ep_remove_safe(ep, epi); + return -EINVAL; + } + + if (epi->event.events & EPOLLWAKEUP) { + error = ep_create_wakeup_source(epi); + if (error) { +- ep_remove(ep, epi); ++ ep_remove_safe(ep, epi); + return error; + } + } +@@ -1564,7 +1609,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event, + * high memory pressure. + */ + if (unlikely(!epq.epi)) { +- ep_remove(ep, epi); ++ ep_remove_safe(ep, epi); + return -ENOMEM; + } + +@@ -2096,7 +2141,7 @@ static int do_epoll_create(int flags) + out_free_fd: + put_unused_fd(fd); + out_free_ep: +- ep_free(ep); ++ ep_clear_and_put(ep); + return error; + } + +@@ -2238,10 +2283,16 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds, + error = -EEXIST; + break; + case EPOLL_CTL_DEL: +- if (epi) +- error = ep_remove(ep, epi); +- else ++ if (epi) { ++ /* ++ * The eventpoll itself is still alive: the refcount ++ * can't go to zero here. ++ */ ++ ep_remove_safe(ep, epi); ++ error = 0; ++ } else { + error = -ENOENT; ++ } + break; + case EPOLL_CTL_MOD: + if (epi) { +-- +2.53.0 + diff --git a/queue-5.15/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch b/queue-5.15/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch new file mode 100644 index 0000000000..1398782be9 --- /dev/null +++ b/queue-5.15/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch @@ -0,0 +1,48 @@ +From 952d100093f9eb3cccc3e48c3ecb7f056742eb0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 15:25:32 +0200 +Subject: eventpoll: defer struct eventpoll free to RCU grace period + +From: Nicholas Carlini + +[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ] + +In certain situations, ep_free() in eventpoll.c will kfree the epi->ep +eventpoll struct while it still being used by another concurrent thread. +Defer the kfree() to an RCU callback to prevent UAF. + +Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") +Signed-off-by: Nicholas Carlini +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 217b8016a6b50..8762d09086376 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -225,6 +225,9 @@ struct eventpoll { + */ + refcount_t refcount; + ++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */ ++ struct rcu_head rcu; ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + /* used to track busy poll napi_id */ + unsigned int napi_id; +@@ -701,7 +704,8 @@ static void ep_free(struct eventpoll *ep) + mutex_destroy(&ep->mtx); + free_uid(ep->user); + wakeup_source_unregister(ep->ws); +- kfree(ep); ++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */ ++ kfree_rcu(ep, rcu); + } + + /* +-- +2.53.0 + diff --git a/queue-5.15/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch b/queue-5.15/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch new file mode 100644 index 0000000000..0e5a67a4b9 --- /dev/null +++ b/queue-5.15/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch @@ -0,0 +1,47 @@ +From b985751edf7e15f06d3cd34c24817e6c77d61582 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 13:11:27 -0700 +Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath + +From: Fredric Cover + +[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ] + +When cifs_sanitize_prepath is called with an empty string or a string +containing only delimiters (e.g., "/"), the current logic attempts to +check *(cursor2 - 1) before cursor2 has advanced. This results in an +out-of-bounds read. + +This patch adds an early exit check after stripping prepended +delimiters. If no path content remains, the function returns NULL. + +The bug was identified via manual audit and verified using a +standalone test case compiled with AddressSanitizer, which +triggered a SEGV on affected inputs. + +Signed-off-by: Fredric Cover +Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c +index c3a71c69d3395..0336580062067 100644 +--- a/fs/cifs/fs_context.c ++++ b/fs/cifs/fs_context.c +@@ -450,6 +450,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp) + while (IS_DELIM(*cursor1)) + cursor1++; + ++ /* exit in case of only delimiters */ ++ if (!*cursor1) ++ return NULL; ++ + /* copy the first letter */ + *cursor2 = *cursor1; + +-- +2.53.0 + diff --git a/queue-5.15/gpio-tegra-fix-irq_release_resources-calling-enable-.patch b/queue-5.15/gpio-tegra-fix-irq_release_resources-calling-enable-.patch new file mode 100644 index 0000000000..452d2d7056 --- /dev/null +++ b/queue-5.15/gpio-tegra-fix-irq_release_resources-calling-enable-.patch @@ -0,0 +1,41 @@ +From 25411dde85bad46d56d8a92b2f1653a411f10d13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 14:02:47 -0700 +Subject: gpio: tegra: fix irq_release_resources calling enable instead of + disable + +From: Samasth Norway Ananda + +[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ] + +tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable() +instead of tegra_gpio_disable(). When IRQ resources are released, the +GPIO configuration bit (CNF) should be cleared to deconfigure the pin as +a GPIO. Leaving it enabled wastes power and can cause unexpected behavior +if the pin is later reused for an alternate function via pinctrl. + +Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip") +Signed-off-by: Samasth Norway Ananda +Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c +index 7f5bc10a64792..ae769a29bf169 100644 +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -598,7 +598,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d) + struct tegra_gpio_info *tgi = gpiochip_get_data(chip); + + gpiochip_relres_irq(chip, d->hwirq); +- tegra_gpio_enable(tgi, d->hwirq); ++ tegra_gpio_disable(tgi, d->hwirq); + } + + #ifdef CONFIG_DEBUG_FS +-- +2.53.0 + diff --git a/queue-5.15/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch b/queue-5.15/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch new file mode 100644 index 0000000000..a9b857277d --- /dev/null +++ b/queue-5.15/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch @@ -0,0 +1,52 @@ +From 7e7328b83ae13aa068f5bbda21af5f38d72601f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 13:36:59 -0500 +Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 + +From: leo vriska + +[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ] + +According to a mailing list report [1], this controller's predecessor +has the same issue. However, it uses the xpad driver instead of HID, so +this quirk wouldn't apply. + +[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/ + +Signed-off-by: leo vriska +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 37beb969268c3..66df53c20ed08 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -22,6 +22,9 @@ + #define USB_DEVICE_ID_3M2256 0x0502 + #define USB_DEVICE_ID_3M3266 0x0506 + ++#define USB_VENDOR_ID_8BITDO 0x2dc8 ++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009 ++ + #define USB_VENDOR_ID_A4TECH 0x09da + #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006 + #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 2a07db02ad932..9eb4d02cc6d77 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -25,6 +25,7 @@ + */ + + static const struct hid_device_id hid_quirks[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, +-- +2.53.0 + diff --git a/queue-5.15/hid-roccat-fix-use-after-free-in-roccat_report_event.patch b/queue-5.15/hid-roccat-fix-use-after-free-in-roccat_report_event.patch new file mode 100644 index 0000000000..95fa236f42 --- /dev/null +++ b/queue-5.15/hid-roccat-fix-use-after-free-in-roccat_report_event.patch @@ -0,0 +1,50 @@ +From c149171d6c01d513dec50f7a9b8df8fba22094d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:11:07 +0000 +Subject: HID: roccat: fix use-after-free in roccat_report_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ] + +roccat_report_event() iterates over the device->readers list without +holding the readers_lock. This allows a concurrent roccat_release() to +remove and free a reader while it's still being accessed, leading to a +use-after-free. + +Protect the readers list traversal with the readers_lock mutex. + +Signed-off-by: Benoît Sevens +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index 6da80e442fdd1..420e4335c3e83 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->readers_lock); + mutex_lock(&device->cbuf_lock); + + report = &device->cbuf[device->cbuf_end]; +@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data) + } + + mutex_unlock(&device->cbuf_lock); ++ mutex_unlock(&device->readers_lock); + + wake_up_interruptible(&device->wait); + return 0; +-- +2.53.0 + diff --git a/queue-5.15/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch b/queue-5.15/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch new file mode 100644 index 0000000000..76ac203ba7 --- /dev/null +++ b/queue-5.15/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch @@ -0,0 +1,50 @@ +From 0c37268918a9021e57e97a2a26afbd525c6ba1e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 15:04:19 +0800 +Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() + +From: Yiqi Sun + +[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ] + +ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the +IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing +this error pointer to dev_hold() will cause a kernel crash with +null-ptr-deref. + +Instead, silently discard the request. RFC 8335 does not appear to +define a specific response for the case where an IPv6 interface +identifier is syntactically valid but the implementation cannot perform +the lookup at runtime, and silently dropping the request may safer than +misreporting "No Such Interface". + +Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") +Signed-off-by: Yiqi Sun +Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 0215e2510670a..4dae803fc7c71 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -1108,6 +1108,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr) + if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr)) + goto send_mal_query; + dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev); ++ /* ++ * If IPv6 identifier lookup is unavailable, silently ++ * discard the request instead of misreporting NO_IF. ++ */ ++ if (IS_ERR(dev)) ++ return false; ++ + dev_hold(dev); + break; + #endif +-- +2.53.0 + diff --git a/queue-5.15/l2tp-drop-large-packets-with-udp-encap.patch b/queue-5.15/l2tp-drop-large-packets-with-udp-encap.patch new file mode 100644 index 0000000000..2f084a38dc --- /dev/null +++ b/queue-5.15/l2tp-drop-large-packets-with-udp-encap.patch @@ -0,0 +1,106 @@ +From 5f531db0aeb3381ab65e67ac08b6fe317bf2b56c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 20:49:49 +0300 +Subject: l2tp: Drop large packets with UDP encap + +From: Alice Mikityanska + +[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ] + +syzbot reported a WARN on my patch series [1]. The actual issue is an +overflow of 16-bit UDP length field, and it exists in the upstream code. +My series added a debug WARN with an overflow check that exposed the +issue, that's why syzbot tripped on my patches, rather than on upstream +code. + +syzbot's repro: + +r0 = socket$pppl2tp(0x18, 0x1, 0x1) +r1 = socket$inet6_udp(0xa, 0x2, 0x0) +connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) +connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) +writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) + +It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP +encapsulation, and l2tp_xmit_core doesn't check for overflows when it +assigns the UDP length field. The value gets trimmed to 16 bites. + +Add an overflow check that drops oversized packets and avoids sending +packets with trimmed UDP length to the wire. + +syzbot's stack trace (with my patch applied): + +len >= 65536u +WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 +Modules linked in: +CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] +RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] +RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 +Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f +RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 +RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 +RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff +RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 +R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 +R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 +FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 +Call Trace: + + pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + sock_write_iter+0x503/0x550 net/socket.c:1195 + do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 + vfs_writev+0x33c/0x990 fs/read_write.c:1059 + do_writev+0x154/0x2e0 fs/read_write.c:1105 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f636479c629 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 +RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 +RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 + + +[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/ +Signed-off-by: Alice Mikityanska +Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 7e242ebac664a..e429a0749ffea 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + uh->source = inet->inet_sport; + uh->dest = inet->inet_dport; + udp_len = uhlen + session->hdr_len + data_len; ++ if (udp_len > U16_MAX) { ++ kfree_skb(skb); ++ ret = NET_XMIT_DROP; ++ goto out_unlock; ++ } + uh->len = htons(udp_len); + + /* Calculate UDP checksum if configured to do so */ +-- +2.53.0 + diff --git a/queue-5.15/mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch b/queue-5.15/mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch new file mode 100644 index 0000000000..1a057a6248 --- /dev/null +++ b/queue-5.15/mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch @@ -0,0 +1,46 @@ +From 27961de2993d658472010c56bb7b02321685d08f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 18:57:23 +0000 +Subject: MIPS: mm: Suppress TLB uniquification on EHINV hardware + +From: Maciej W. Rozycki + +[ Upstream commit 74283cfe216392c7b776ebf6045b5b15ed9dffcd ] + +Hardware that supports the EHINV feature, mandatory for R6 ISA and FTLB +implementation, lets software mark TLB entries invalid, which eliminates +the need to ensure no duplicate matching entries are ever created. This +feature is already used by local_flush_tlb_all(), via the UNIQUE_ENTRYHI +macro, making the preceding call to r4k_tlb_uniquify() superfluous. + +The next change will also modify uniquification code such that it'll +become incompatible with the FTLB and MMID features, as well as MIPSr6 +CPUs that do not implement 4KiB pages. + +Therefore prevent r4k_tlb_uniquify() from being used on EHINV hardware, +as denoted by `cpu_has_tlbinv'. + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/tlb-r4k.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/mm/tlb-r4k.c b/arch/mips/mm/tlb-r4k.c +index d9a5ede8869bd..8a49adfef8b86 100644 +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -616,7 +616,8 @@ static void r4k_tlb_configure(void) + temp_tlb_entry = current_cpu_data.tlbsize - 1; + + /* From this point on the ARC firmware is dead. */ +- r4k_tlb_uniquify(); ++ if (!cpu_has_tlbinv) ++ r4k_tlb_uniquify(); + local_flush_tlb_all(); + + /* Did I tell you that ARC SUCKS? */ +-- +2.53.0 + diff --git a/queue-5.15/net-lapbether-handle-netdev_pre_type_change.patch b/queue-5.15/net-lapbether-handle-netdev_pre_type_change.patch new file mode 100644 index 0000000000..d54e327a19 --- /dev/null +++ b/queue-5.15/net-lapbether-handle-netdev_pre_type_change.patch @@ -0,0 +1,77 @@ +From e0e03a01aafd44f5c25ef23079c13ceada6f791e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:35:19 +0000 +Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE + +From: Eric Dumazet + +[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ] + +lapbeth_data_transmit() expects the underlying device type +to be ARPHRD_ETHER. + +Returning NOTIFY_BAD from lapbeth_device_event() makes sure +bonding driver can not break this expectation. + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin Schiller +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index 75613ac26641f..033d8cdde38a3 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth) + static int lapbeth_device_event(struct notifier_block *this, + unsigned long event, void *ptr) + { +- struct lapbethdev *lapbeth; + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct lapbethdev *lapbeth; + + if (dev_net(dev) != &init_net) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev)) ++ lapbeth = lapbeth_get_x25_dev(dev); ++ if (!dev_is_ethdev(dev) && !lapbeth) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: + /* New ethernet device -> new LAPB interface */ +- if (!lapbeth_get_x25_dev(dev)) ++ if (!lapbeth) + lapbeth_new_device(dev); + break; + case NETDEV_GOING_DOWN: + /* ethernet device closes -> close LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + dev_close(lapbeth->axdev); + break; + case NETDEV_UNREGISTER: + /* ethernet device disappears -> remove LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + lapbeth_free_device(lapbeth); + break; ++ case NETDEV_PRE_TYPE_CHANGE: ++ /* Our underlying device type must not change. */ ++ if (lapbeth) ++ return NOTIFY_BAD; + } + + return NOTIFY_DONE; +-- +2.53.0 + diff --git a/queue-5.15/net-sched-act_csum-validate-nested-vlan-headers.patch b/queue-5.15/net-sched-act_csum-validate-nested-vlan-headers.patch new file mode 100644 index 0000000000..99a6973b93 --- /dev/null +++ b/queue-5.15/net-sched-act_csum-validate-nested-vlan-headers.patch @@ -0,0 +1,60 @@ +From ce41107db21766e0495431272d12975e2e2f4680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 22:46:20 +0800 +Subject: net: sched: act_csum: validate nested VLAN headers + +From: Ruide Cao + +[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ] + +tcf_csum_act() walks nested VLAN headers directly from skb->data when an +skb still carries in-payload VLAN tags. The current code reads +vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without +first ensuring that the full VLAN header is present in the linear area. + +If only part of an inner VLAN header is linearized, accessing +h_vlan_encapsulated_proto reads past the linear area, and the following +skb_pull(VLAN_HLEN) may violate skb invariants. + +Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and +pulling each nested VLAN header. If the header still is not fully +available, drop the packet through the existing error path. + +Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_csum.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 2f2fb0f7cc714..277f6a93cc66e 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -602,8 +602,12 @@ static int tcf_csum_act(struct sk_buff *skb, const struct tc_action *a, + protocol = skb->protocol; + orig_vlan_tag_present = true; + } else { +- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data; ++ struct vlan_hdr *vlan; + ++ if (!pskb_may_pull(skb, VLAN_HLEN)) ++ goto drop; ++ ++ vlan = (struct vlan_hdr *)skb->data; + protocol = vlan->h_vlan_encapsulated_proto; + skb_pull(skb, VLAN_HLEN); + skb_reset_network_header(skb); +-- +2.53.0 + diff --git a/queue-5.15/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch b/queue-5.15/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch new file mode 100644 index 0000000000..160201524b --- /dev/null +++ b/queue-5.15/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch @@ -0,0 +1,51 @@ +From 428b47191c254eedcb0621284df3067696475bb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 17:39:47 +0800 +Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets + +From: Zhengchuan Liang + +[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ] + +`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address +and compares it with the low 64 bits of the IPv6 source address. + +The existing guard only rejects an invalid MAC header when +`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` +can still reach `eth_hdr(skb)` even when the MAC header is not valid. + +Fix this by removing the `par->fragoff != 0` condition so that packets +with an invalid MAC header are rejected before accessing `eth_hdr(skb)`. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6t_eui64.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c +index d704f7ed300c2..da69a27e8332c 100644 +--- a/net/ipv6/netfilter/ip6t_eui64.c ++++ b/net/ipv6/netfilter/ip6t_eui64.c +@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) + unsigned char eui64[8]; + + if (!(skb_mac_header(skb) >= skb->head && +- skb_mac_header(skb) + ETH_HLEN <= skb->data) && +- par->fragoff != 0) { ++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) { + par->hotdrop = true; + return false; + } +-- +2.53.0 + diff --git a/queue-5.15/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch b/queue-5.15/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch new file mode 100644 index 0000000000..3ac060c4e2 --- /dev/null +++ b/queue-5.15/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch @@ -0,0 +1,52 @@ +From c27d8e60e781dbe32a9a5622f0d60f259ee3824e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 14:20:57 -0700 +Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE + terminator + +From: Xiang Mei + +[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ] + +When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() +appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via +nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() +helper only zeroes alignment padding after the payload, not the payload +itself, so four bytes of stale kernel heap data are leaked to userspace +in the NLMSG_DONE message body. + +Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes +the nfgenmsg payload via nfnl_fill_hdr(), consistent with how +__build_packet_message() already constructs NFULNL_MSG_PACKET headers. + +Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index 37d10c3d19b60..db309c4167427 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -350,10 +350,10 @@ static void + __nfulnl_send(struct nfulnl_instance *inst) + { + if (inst->qlen > 1) { +- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, +- NLMSG_DONE, +- sizeof(struct nfgenmsg), +- 0); ++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0, ++ NLMSG_DONE, 0, ++ AF_UNSPEC, NFNETLINK_V0, ++ htons(inst->group_num)); + if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", + inst->skb->len, skb_tailroom(inst->skb))) { + kfree_skb(inst->skb); +-- +2.53.0 + diff --git a/queue-5.15/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch b/queue-5.15/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch new file mode 100644 index 0000000000..bd789f3f8b --- /dev/null +++ b/queue-5.15/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch @@ -0,0 +1,161 @@ +From 038b423fc3a65ecb408155e447660bc537708d08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:10:55 +0100 +Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on + expiry + +From: Florian Westphal + +[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ] + +New test case fails unexpectedly when avx2 matching functions are used. + +The test first loads a ranomly generated pipapo set +with 'ipv4 . port' key, i.e. nft -f foo. + +This works. Then, it reloads the set after a flush: +(echo flush set t s; cat foo) | nft -f - + +This is expected to work, because its the same set after all and it was +already loaded once. + +But with avx2, this fails: nft reports a clashing element. + +The reported clash is of following form: + + We successfully re-inserted + a . b + c . d + +Then we try to insert a . d + +avx2 finds the already existing a . d, which (due to 'flush set') is marked +as invalid in the new generation. It skips the element and moves to next. + +Due to incorrect masking, the skip-step finds the next matching +element *only considering the first field*, + +i.e. we return the already reinserted "a . b", even though the +last field is different and the entry should not have been matched. + +No such error is reported for the generic c implementation (no avx2) or when +the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. + +Bisection points to +7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") +but that fix merely uncovers this bug. + +Before this commit, the wrong element is returned, but erronously +reported as a full, identical duplicate. + +The root-cause is too early return in the avx2 match functions. +When we process the last field, we should continue to process data +until the entire input size has been consumed to make sure no stale +bits remain in the map. + +Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/ +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index cf5683afaf833..650bb3a457073 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +-- +2.53.0 + diff --git a/queue-5.15/netfilter-xt_multiport-validate-range-encoding-in-ch.patch b/queue-5.15/netfilter-xt_multiport-validate-range-encoding-in-ch.patch new file mode 100644 index 0000000000..4731b80c58 --- /dev/null +++ b/queue-5.15/netfilter-xt_multiport-validate-range-encoding-in-ch.patch @@ -0,0 +1,99 @@ +From d4d7dff4e05f9109541353edc67fba70ee236330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 23:52:52 +0800 +Subject: netfilter: xt_multiport: validate range encoding in checkentry + +From: Ren Wei + +[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ] + +ports_match_v1() treats any non-zero pflags entry as the start of a +port range and unconditionally consumes the next ports[] element as +the range end. + +The checkentry path currently validates protocol, flags and count, but +it does not validate the range encoding itself. As a result, malformed +rules can mark the last slot as a range start or place two range starts +back to back, leaving ports_match_v1() to step past the last valid +ports[] element while interpreting the rule. + +Reject malformed multiport v1 rules in checkentry by validating that +each range start has a following element and that the following element +is not itself marked as another range start. + +Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuhang Zheng +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c +index 44a00f5acde8a..a1691ff405d3c 100644 +--- a/net/netfilter/xt_multiport.c ++++ b/net/netfilter/xt_multiport.c +@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) + return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); + } + ++static bool ++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < multiinfo->count; i++) { ++ if (!multiinfo->pflags[i]) ++ continue; ++ ++ if (++i >= multiinfo->count) ++ return false; ++ ++ if (multiinfo->pflags[i]) ++ return false; ++ ++ if (multiinfo->ports[i - 1] > multiinfo->ports[i]) ++ return false; ++ } ++ ++ return true; ++} ++ + static inline bool + check(u_int16_t proto, + u_int8_t ip_invflags, +@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par) + const struct ipt_ip *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static int multiport_mt6_check(const struct xt_mtchk_param *par) +@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par) + const struct ip6t_ip6 *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static struct xt_match multiport_mt_reg[] __read_mostly = { +-- +2.53.0 + diff --git a/queue-5.15/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch b/queue-5.15/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch new file mode 100644 index 0000000000..09231e548b --- /dev/null +++ b/queue-5.15/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch @@ -0,0 +1,61 @@ +From 4a4ed5811c8553b53f3279215a618d3a15fcf109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 12:21:48 +0800 +Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes + +From: Pengpeng Hou + +[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ] + +s3fwrn82_uart_read() reports the number of accepted bytes to the serdev +core. The current code consumes bytes into recv_skb and may already +deliver a complete frame before allocating a fresh receive buffer. + +If that alloc_skb() fails, the callback returns 0 even though it has +already consumed bytes, and it leaves recv_skb as NULL for the next +receive callback. That breaks the receive_buf() accounting contract and +can also lead to a NULL dereference on the next skb_put_u8(). + +Allocate the receive skb lazily before consuming the next byte instead. +If allocation fails, return the number of bytes already accepted. + +Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface") +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/uart.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c +index 82ea35d748a5d..dde1a87ed1e47 100644 +--- a/drivers/nfc/s3fwrn5/uart.c ++++ b/drivers/nfc/s3fwrn5/uart.c +@@ -59,6 +59,12 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev, + size_t i; + + for (i = 0; i < count; i++) { ++ if (!phy->recv_skb) { ++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); ++ if (!phy->recv_skb) ++ return i; ++ } ++ + skb_put_u8(phy->recv_skb, *data++); + + if (phy->recv_skb->len < S3FWRN82_NCI_HEADER) +@@ -70,9 +76,7 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev, + + s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb, + phy->common.mode); +- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); +- if (!phy->recv_skb) +- return 0; ++ phy->recv_skb = NULL; + } + + return i; +-- +2.53.0 + diff --git a/queue-5.15/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch b/queue-5.15/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch new file mode 100644 index 0000000000..6d15cccb5a --- /dev/null +++ b/queue-5.15/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch @@ -0,0 +1,57 @@ +From 5ec726c1e1de34ff794e72175b7acfc43d322069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 14:07:42 -0700 +Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info + +From: Long Li + +[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ] + +When hv_pci_assign_numa_node() processes a device that does not have +HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range +virtual_numa_node, the device NUMA node is left unset. On x86_64, +the uninitialized default happens to be 0, but on ARM64 it is +NUMA_NO_NODE (-1). + +Tests show that when no NUMA information is available from the Hyper-V +host, devices perform best when assigned to node 0. With NUMA_NO_NODE +the kernel may spread work across NUMA nodes, which degrades +performance on Hyper-V, particularly for high-throughput devices like +MANA. + +Always set the device NUMA node to 0 before the conditional NUMA +affinity check, so that devices get a performant default when the host +provides no NUMA information, and behavior is consistent on both +x86_64 and ARM64. + +Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2") +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index ac47a6ee2e93b..7917ed426f6a7 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -1963,6 +1963,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus) + if (!hv_dev) + continue; + ++ /* ++ * If the Hyper-V host doesn't provide a NUMA node for the ++ * device, default to node 0. With NUMA_NO_NODE the kernel ++ * may spread work across NUMA nodes, which degrades ++ * performance on Hyper-V. ++ */ ++ set_dev_node(&dev->dev, 0); ++ + if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY && + hv_dev->desc.virtual_numa_node < num_possible_nodes()) + /* +-- +2.53.0 + diff --git a/queue-5.15/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch b/queue-5.15/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch new file mode 100644 index 0000000000..23b46c8a5d --- /dev/null +++ b/queue-5.15/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch @@ -0,0 +1,47 @@ +From be4787f999f6cf06abe132f53b308492930919f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:40:48 -0700 +Subject: perf/x86/intel/uncore: Skip discovery table for offline dies + +From: Zide Chen + +[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ] + +This warning can be triggered if NUMA is disabled and the system +boots with fewer CPUs than the number of CPUs in die 0. + +WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore] + +Currently, the discovery table continues to be parsed even if all CPUs +in the associated die are offline. This can lead to an array overflow +at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may +trigger the warning above or cause other issues. + +Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables") +Reported-by: Steve Wahl +Signed-off-by: Zide Chen +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dapeng Mi +Tested-by: Steve Wahl +Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_discovery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c +index c8e1f9f0b466d..be7a63808462e 100644 +--- a/arch/x86/events/intel/uncore_discovery.c ++++ b/arch/x86/events/intel/uncore_discovery.c +@@ -303,7 +303,7 @@ bool intel_uncore_has_discovery_tables(void) + (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP; + + die = get_device_die_id(dev); +- if (die < 0) ++ if ((die < 0) || (die >= uncore_max_dies())) + continue; + + parse_discovery_table(dev, die, bar_offset, &parsed); +-- +2.53.0 + diff --git a/queue-5.15/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch b/queue-5.15/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch new file mode 100644 index 0000000000..bea2504c00 --- /dev/null +++ b/queue-5.15/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch @@ -0,0 +1,35 @@ +From 586954e30002594980059a3e273c175c7568fd7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 18:14:04 +0100 +Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW + debouncer) + +From: Andy Shevchenko + +[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ] + +The 1kOhm pull down and hardware debouncer are features of the revision 0.92 +of the Chassis specification. Fix that in the code accordingly. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index cc64eda155f57..3854600329628 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1532,7 +1532,7 @@ static int intel_pinctrl_probe(struct platform_device *pdev, + value = readl(regs + REVID); + if (value == ~0u) + return -ENODEV; +- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) { ++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) { + community->features |= PINCTRL_FEATURE_DEBOUNCE; + community->features |= PINCTRL_FEATURE_1K_PD; + } +-- +2.53.0 + diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 0000000000..7e869f8acb --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1,44 @@ +alsa-asihpi-avoid-write-overflow-check-warning.patch +asoc-sof-topology-reject-invalid-vendor-array-size-i.patch +can-mcp251x-add-error-handling-for-power-enable-in-o.patch +btrfs-tracepoints-get-correct-superblock-from-dentry.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch +netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch +wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch +asoc-soc-core-call-missing-init_list_head-for-card_a.patch +alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch +fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch +mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch +pinctrl-intel-fix-the-revision-for-new-features-1koh.patch +hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch +hid-roccat-fix-use-after-free-in-roccat_report_event.patch +ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch +wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch +soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch +arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch +pci-hv-set-default-numa-node-to-0-for-devices-withou.patch +drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch +drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch +drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch +epoll-use-refcount-to-reduce-ep_mutex-contention.patch +eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch +net-sched-act_csum-validate-nested-vlan-headers.patch +net-lapbether-handle-netdev_pre_type_change.patch +ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch +nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch +tracing-probe-reject-non-closed-empty-immediate-stri.patch +e1000-check-return-value-of-e1000_read_eeprom.patch +xsk-tighten-umem-headroom-validation-to-account-for-.patch +xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch +xfrm_user-fix-info-leak-in-build_mapping.patch +netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch +netfilter-xt_multiport-validate-range-encoding-in-ch.patch +netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch +af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch +l2tp-drop-large-packets-with-udp-encap.patch +gpio-tegra-fix-irq_release_resources-calling-enable-.patch +perf-x86-intel-uncore-skip-discovery-table-for-offli.patch +clockevents-prevent-timer-interrupt-starvation.patch +crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch diff --git a/queue-5.15/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch b/queue-5.15/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch new file mode 100644 index 0000000000..e1ed4bbb87 --- /dev/null +++ b/queue-5.15/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch @@ -0,0 +1,46 @@ +From 102ef67d71ca0adc4a0d72757b68b7b73c0dde5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:37:56 +0800 +Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching + +From: Potin Lai + +[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ] + +The siliconid_to_name() function currently masks the input silicon ID +with 0xff00ffff, but compares it against unmasked table entries. This +causes matching to fail if the table entries contain non-zero values in +the bits covered by the mask (bits 16-23). + +Update the logic to apply the 0xff00ffff mask to the table entries +during comparison. This ensures that only the relevant model and +revision bits are considered, providing a consistent match across +different manufacturing batches. + +[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference] + +Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver") +Signed-off-by: Potin Lai +Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-socinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c +index 67e9ac3d08ecc..a90b100f4d101 100644 +--- a/drivers/soc/aspeed/aspeed-socinfo.c ++++ b/drivers/soc/aspeed/aspeed-socinfo.c +@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid) + unsigned int i; + + for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) { +- if (rev_table[i].id == id) ++ if ((rev_table[i].id & 0xff00ffff) == id) + return rev_table[i].name; + } + +-- +2.53.0 + diff --git a/queue-5.15/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch b/queue-5.15/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch new file mode 100644 index 0000000000..b9376091ef --- /dev/null +++ b/queue-5.15/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch @@ -0,0 +1,134 @@ +From 5efe1d8f2b1319e92136ce32ebcf1ad65ed65431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 20:14:18 -0400 +Subject: srcu: Use irq_work to start GP in tiny SRCU + +From: Joel Fernandes + +[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ] + +Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), +which acquires the workqueue pool->lock. + +This causes a lockdep splat when call_srcu() is called with a scheduler +lock held, due to: + + call_srcu() [holding pi_lock] + srcu_gp_start_if_needed() + schedule_work() -> pool->lock + + workqueue_init() / create_worker() [holding pool->lock] + wake_up_process() -> try_to_wake_up() -> pi_lock + +Also add irq_work_sync() to cleanup_srcu_struct() to prevent a +use-after-free if a queued irq_work fires after cleanup begins. + +Tested with rcutorture SRCU-T and no lockdep warnings. + +[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work +to start process_srcu()" ] + +Signed-off-by: Joel Fernandes +Reviewed-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + include/linux/srcutiny.h | 4 ++++ + kernel/rcu/srcutiny.c | 19 ++++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h +index 6cfaa0a9a9b96..db649b742fad5 100644 +--- a/include/linux/srcutiny.h ++++ b/include/linux/srcutiny.h +@@ -11,6 +11,7 @@ + #ifndef _LINUX_SRCU_TINY_H + #define _LINUX_SRCU_TINY_H + ++#include + #include + + struct srcu_struct { +@@ -24,18 +25,21 @@ struct srcu_struct { + struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */ + struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */ + struct work_struct srcu_work; /* For driving grace periods. */ ++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */ + #ifdef CONFIG_DEBUG_LOCK_ALLOC + struct lockdep_map dep_map; + #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */ + }; + + void srcu_drive_gp(struct work_struct *wp); ++void srcu_tiny_irq_work(struct irq_work *irq_work); + + #define __SRCU_STRUCT_INIT(name, __ignored) \ + { \ + .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \ + .srcu_cb_tail = &name.srcu_cb_head, \ + .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \ ++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \ + __SRCU_DEP_MAP_INIT(name) \ + } + +diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c +index a0ba2ed49bc61..f51436aab1951 100644 +--- a/kernel/rcu/srcutiny.c ++++ b/kernel/rcu/srcutiny.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp) + ssp->srcu_idx_max = 0; + INIT_WORK(&ssp->srcu_work, srcu_drive_gp); + INIT_LIST_HEAD(&ssp->srcu_work.entry); ++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work); + return 0; + } + +@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct); + void cleanup_srcu_struct(struct srcu_struct *ssp) + { + WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]); ++ irq_work_sync(&ssp->srcu_irq_work); + flush_work(&ssp->srcu_work); + WARN_ON(ssp->srcu_gp_running); + WARN_ON(ssp->srcu_gp_waiting); +@@ -155,6 +158,20 @@ void srcu_drive_gp(struct work_struct *wp) + } + EXPORT_SYMBOL_GPL(srcu_drive_gp); + ++/* ++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue ++ * pool->lock while the caller might hold scheduler locks, causing lockdep ++ * splats due to workqueue_init() doing a wakeup. ++ */ ++void srcu_tiny_irq_work(struct irq_work *irq_work) ++{ ++ struct srcu_struct *ssp; ++ ++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work); ++ schedule_work(&ssp->srcu_work); ++} ++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work); ++ + static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + { + unsigned short cookie; +@@ -165,7 +182,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + WRITE_ONCE(ssp->srcu_idx_max, cookie); + if (!READ_ONCE(ssp->srcu_gp_running)) { + if (likely(srcu_init_done)) +- schedule_work(&ssp->srcu_work); ++ irq_work_queue(&ssp->srcu_irq_work); + else if (list_empty(&ssp->srcu_work.entry)) + list_add(&ssp->srcu_work.entry, &srcu_boot_list); + } +-- +2.53.0 + diff --git a/queue-5.15/tracing-probe-reject-non-closed-empty-immediate-stri.patch b/queue-5.15/tracing-probe-reject-non-closed-empty-immediate-stri.patch new file mode 100644 index 0000000000..5e0edbe6cc --- /dev/null +++ b/queue-5.15/tracing-probe-reject-non-closed-empty-immediate-stri.patch @@ -0,0 +1,43 @@ +From cca9b160402aaf65fd9cf8ab88c25e85567d3209 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 00:03:15 +0800 +Subject: tracing/probe: reject non-closed empty immediate strings + +From: Pengpeng Hou + +[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ] + +parse_probe_arg() accepts quoted immediate strings and passes the body +after the opening quote to __parse_imm_string(). That helper currently +computes strlen(str) and immediately dereferences str[len - 1], which +underflows when the body is empty and not closed with double-quotation. + +Reject empty non-closed immediate strings before checking for the closing quote. + +Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/ + +Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support") +Signed-off-by: Pengpeng Hou +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 38fa6cc118daf..47044927a7269 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -362,7 +362,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs) + { + size_t len = strlen(str); + +- if (str[len - 1] != '"') { ++ if (!len || str[len - 1] != '"') { + trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE); + return -EINVAL; + } +-- +2.53.0 + diff --git a/queue-5.15/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch b/queue-5.15/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch new file mode 100644 index 0000000000..96dea4afa4 --- /dev/null +++ b/queue-5.15/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch @@ -0,0 +1,45 @@ +From 0712bb2e79d8cf23f0cecf6bb40e610329358b34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 15:45:51 +0800 +Subject: wifi: brcmfmac: validate bsscfg indices in IF events + +From: Pengpeng Hou + +[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ] + +brcmf_fweh_handle_if_event() validates the firmware-provided interface +index before it touches drvr->iflist[], but it still uses the raw +bsscfgidx field as an array index without a matching range check. + +Reject IF events whose bsscfg index does not fit in drvr->iflist[] +before indexing the interface array. + +Signed-off-by: Pengpeng Hou +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn +[add missing wifi prefix] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index dac7eb77799bd..e6be192dc0af2 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr, + bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx); + return; + } ++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) { ++ bphy_err(drvr, "invalid bsscfg index: %u\n", ++ ifevent->bsscfgidx); ++ return; ++ } + + ifp = drvr->iflist[ifevent->bsscfgidx]; + +-- +2.53.0 + diff --git a/queue-5.15/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch b/queue-5.15/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch new file mode 100644 index 0000000000..3f3e0260c1 --- /dev/null +++ b/queue-5.15/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch @@ -0,0 +1,51 @@ +From 6ed77c1e8cfbd45427c5473798413356704a6240 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:08:45 +0800 +Subject: wifi: wl1251: validate packet IDs before indexing tx_frames + +From: Pengpeng Hou + +[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ] + +wl1251_tx_packet_cb() uses the firmware completion ID directly to index +the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the +completion block, and the callback does not currently verify that it +fits the array before dereferencing it. + +Reject completion IDs that fall outside wl->tx_frames[] and keep the +existing NULL check in the same guard. This keeps the fix local to the +trust boundary and avoids touching the rest of the completion flow. + +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c +index 5771f61392efb..7f406c086ca56 100644 +--- a/drivers/net/wireless/ti/wl1251/tx.c ++++ b/drivers/net/wireless/ti/wl1251/tx.c +@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl, + int hdrlen; + u8 *frame; + +- skb = wl->tx_frames[result->id]; +- if (skb == NULL) { +- wl1251_error("SKB for packet %d is NULL", result->id); ++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) || ++ wl->tx_frames[result->id] == NULL)) { ++ wl1251_error("invalid packet id %u", result->id); + return; + } + ++ skb = wl->tx_frames[result->id]; ++ + info = IEEE80211_SKB_CB(skb); + + if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) && +-- +2.53.0 + diff --git a/queue-5.15/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch b/queue-5.15/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch new file mode 100644 index 0000000000..2513957247 --- /dev/null +++ b/queue-5.15/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch @@ -0,0 +1,43 @@ +From 826fc42aff385f6259f9aa52e996dafe873e0abc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 13:31:04 +0200 +Subject: xfrm: Wait for RCU readers during policy netns exit + +From: Steffen Klassert + +[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ] + +xfrm_policy_fini() frees the policy_bydst hash tables after flushing the +policy work items and deleting all policies, but it does not wait for +concurrent RCU readers to leave their read-side critical sections first. + +The policy_bydst tables are published via rcu_assign_pointer() and are +looked up through rcu_dereference_check(), so netns teardown must also +wait for an RCU grace period before freeing the table memory. + +Fix this by adding synchronize_rcu() before freeing the policy hash tables. + +Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups") +Signed-off-by: Steffen Klassert +Reviewed-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 851029a5383a2..29b3db09e19cf 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4125,6 +4125,8 @@ static void xfrm_policy_fini(struct net *net) + #endif + xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); + ++ synchronize_rcu(); ++ + WARN_ON(!list_empty(&net->xfrm.policy_all)); + + for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { +-- +2.53.0 + diff --git a/queue-5.15/xfrm_user-fix-info-leak-in-build_mapping.patch b/queue-5.15/xfrm_user-fix-info-leak-in-build_mapping.patch new file mode 100644 index 0000000000..458009431e --- /dev/null +++ b/queue-5.15/xfrm_user-fix-info-leak-in-build_mapping.patch @@ -0,0 +1,45 @@ +From a4c27a1f999d9dfd5be1a7462f9674025b196237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 17:33:03 +0200 +Subject: xfrm_user: fix info leak in build_mapping() + +From: Greg Kroah-Hartman + +[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ] + +struct xfrm_usersa_id has a one-byte padding hole after the proto +field, which ends up never getting set to zero before copying out to +userspace. Fix that up by zeroing out the whole structure before +setting individual variables. + +Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink") +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index dcf433894951d..7e09ab9c34af8 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -3592,6 +3592,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, + + um = nlmsg_data(nlh); + ++ memset(&um->id, 0, sizeof(um->id)); + memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); + um->id.spi = x->id.spi; + um->id.family = x->props.family; +-- +2.53.0 + diff --git a/queue-5.15/xsk-tighten-umem-headroom-validation-to-account-for-.patch b/queue-5.15/xsk-tighten-umem-headroom-validation-to-account-for-.patch new file mode 100644 index 0000000000..2e9d5c31f8 --- /dev/null +++ b/queue-5.15/xsk-tighten-umem-headroom-validation-to-account-for-.patch @@ -0,0 +1,53 @@ +From 5537170f675b1c81f40dde7ad15afe1516836d24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:51 +0200 +Subject: xsk: tighten UMEM headroom validation to account for tailroom and min + frame +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ] + +The current headroom validation in xdp_umem_reg() could leave us with +insufficient space dedicated to even receive minimum-sized ethernet +frame. Furthermore if multi-buffer would come to play then +skb_shared_info stored at the end of XSK frame would be corrupted. + +HW typically works with 128-aligned sizes so let us provide this value +as bare minimum. + +Multi-buffer setting is known later in the configuration process so +besides accounting for 128 bytes, let us also take care of tailroom space +upfront. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 65f918d29531d..f247fc4de9e10 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -198,7 +198,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (!unaligned_chunks && chunks_rem) + return -EINVAL; + +- if (headroom >= chunk_size - XDP_PACKET_HEADROOM) ++ if (headroom > chunk_size - XDP_PACKET_HEADROOM - ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128) + return -EINVAL; + + umem->size = size; +-- +2.53.0 + diff --git a/queue-6.1/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch b/queue-6.1/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch new file mode 100644 index 0000000000..3900258454 --- /dev/null +++ b/queue-6.1/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch @@ -0,0 +1,75 @@ +From 3a4774206b7a25022ad87be5b14297ef9adb261b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 16:00:14 +0800 +Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock + +From: Jiexun Wang + +[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ] + +Exact UNIX diag lookups hold a reference to the socket, but not to +u->path. Meanwhile, unix_release_sock() clears u->path under +unix_state_lock() and drops the path reference after unlocking. + +Read the inode and device numbers for UNIX_DIAG_VFS while holding +unix_state_lock(), then emit the netlink attribute after dropping the +lock. + +This keeps the VFS data stable while the reply is being built. + +Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index a6bd861314df0..169d068064bba 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -26,18 +26,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + + static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) + { +- struct dentry *dentry = unix_sk(sk)->path.dentry; ++ struct unix_diag_vfs uv; ++ struct dentry *dentry; ++ bool have_vfs = false; + ++ unix_state_lock(sk); ++ dentry = unix_sk(sk)->path.dentry; + if (dentry) { +- struct unix_diag_vfs uv = { +- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, +- .udiag_vfs_dev = dentry->d_sb->s_dev, +- }; +- +- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); ++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino; ++ uv.udiag_vfs_dev = dentry->d_sb->s_dev; ++ have_vfs = true; + } ++ unix_state_unlock(sk); + +- return 0; ++ if (!have_vfs) ++ return 0; ++ ++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); + } + + static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb) +-- +2.53.0 + diff --git a/queue-6.1/alsa-asihpi-avoid-write-overflow-check-warning.patch b/queue-6.1/alsa-asihpi-avoid-write-overflow-check-warning.patch new file mode 100644 index 0000000000..fd3740d432 --- /dev/null +++ b/queue-6.1/alsa-asihpi-avoid-write-overflow-check-warning.patch @@ -0,0 +1,55 @@ +From 3ecb98935171b8ca25ad11e553994bb75b5f532d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 13:40:07 +0100 +Subject: ALSA: asihpi: avoid write overflow check warning + +From: Arnd Bergmann + +[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ] + +clang-22 rightfully warns that the memcpy() in adapter_prepare() copies +between different structures, crossing the boundary of nested +structures inside it: + +In file included from sound/pci/asihpi/hpimsgx.c:13: +In file included from include/linux/string.h:386: +include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + 569 | __write_overflow_field(p_size_field, size); + +The two structures seem to refer to the same layout, despite the +separate definitions, so the code is in fact correct. + +Avoid the warning by copying the two inner structures separately. +I see the same pattern happens in other functions in the same file, +so there is a chance that this may come back in the future, but +this instance is the only one that I saw in practice, hitting it +multiple times per day in randconfig build. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpimsgx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c +index b68e6bfbbfbab..ed1c7b7744361 100644 +--- a/sound/pci/asihpi/hpimsgx.c ++++ b/sound/pci/asihpi/hpimsgx.c +@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter) + HPI_ADAPTER_OPEN); + hm.adapter_index = adapter; + hw_entry_point(&hm, &hr); +- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr, +- sizeof(rESP_HPI_ADAPTER_OPEN[0])); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h)); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a)); + if (hr.error) + return hr.error; + +-- +2.53.0 + diff --git a/queue-6.1/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch b/queue-6.1/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch new file mode 100644 index 0000000000..408c6b1f85 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch @@ -0,0 +1,36 @@ +From e728f6a1dc55b5edbad647409104edb4759ab905 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 01:08:51 +0000 +Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk + +From: Andrii Kovalchuk + +[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ] + +Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756) +to enable proper mute LED and mic mute behavior using the +ALC245_FIXUP_HP_X360_MUTE_LEDS fixup. + +Signed-off-by: Andrii Kovalchuk +Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 9d6b3a6b8ed26..6048ad6319e3b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9938,6 +9938,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED), +-- +2.53.0 + diff --git a/queue-6.1/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-6.1/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..3b0d04dbba --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch @@ -0,0 +1,45 @@ +From e825d39b6b4ecf452902e372fb01757a4e5d38e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Mar 2026 10:36:03 -0500 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: César Montoya + +[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ] + +The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek +ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The +existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly, +but the subsystem ID was missing from the quirk table. + +GPIO pin confirmed via manual hda-verb testing: + hda-verb SET_GPIO_MASK 0x10 + hda-verb SET_GPIO_DIRECTION 0x10 + hda-verb SET_GPIO_DATA 0x10 + +Signed-off-by: César Montoya +Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 6048ad6319e3b..6bffce599c961 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9952,6 +9952,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch new file mode 100644 index 0000000000..74c24e14e7 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch @@ -0,0 +1,38 @@ +From 6e850e01ca1e7cdf9db9ae9fb718e03691dba0e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 10:54:40 -0500 +Subject: ALSA: hda/realtek: add quirk for Framework F111:000F + +From: Dustin L. Howett + +[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ] + +Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for +Framework F111:000C") and previous quirks for Framework systems with +Realtek codecs. + +000F is another new platform with an ALC285 which needs the same quirk. + +Signed-off-by: Dustin L. Howett +Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 6bffce599c961..82de15e176746 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10474,6 +10474,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 + /* Below is a quirk table taken from the old code. +-- +2.53.0 + diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch new file mode 100644 index 0000000000..a5f0712877 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch @@ -0,0 +1,41 @@ +From 28a06398ea01ee5445cfd17a5b966f2e9e54328f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 09:26:51 +0800 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 + +From: songxiebing + +[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ] + +The bass speakers are not working, and add the following entry +in /etc/modprobe.d/snd.conf: +options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin +Fixes the bass speakers. + +So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here. + +Reported-by: Fernando Garcia Corona +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317 +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 82de15e176746..0889dfd80fa44 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10396,6 +10396,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3869, "Lenovo Yoga7 14IAL7", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), +-- +2.53.0 + diff --git a/queue-6.1/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch b/queue-6.1/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch new file mode 100644 index 0000000000..0f7738ffc6 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch @@ -0,0 +1,41 @@ +From 83c28432042805f2c1524d38b53d2ab833a218b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2026 08:07:34 +0000 +Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex + +From: Phil Willoughby + +[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ] + +The NeuralDSP Quad Cortex does not support DSD playback. We need +this product-specific entry with zero quirks because otherwise it +falls through to the vendor-specific entry which marks it as +supporting DSD playback. + +Cc: Yue Wang +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Signed-off-by: Phil Willoughby +Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 74828de545e22..23361e78189d0 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2177,6 +2177,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */ + QUIRK_FLAG_IGNORE_CTL_ERROR), ++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */ ++ 0), /* Doesn't have the vendor quirk which would otherwise apply */ + DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */ + QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY), + DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */ +-- +2.53.0 + diff --git a/queue-6.1/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch b/queue-6.1/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch new file mode 100644 index 0000000000..cdfc0e63e5 --- /dev/null +++ b/queue-6.1/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch @@ -0,0 +1,39 @@ +From 5d4920ace48fb96e599e34938bc9126b9cb1e444 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 00:28:28 +0100 +Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency + +From: Sebastian Krzyszkowiak + +[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ] + +According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum +frequency is 400MHz. + +Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node") +Reviewed-by: Frank Li +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Peng Fan +Reviewed-by: Fabio Estevam +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index e642cb7d54d77..25b0017eb7363 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -1411,7 +1411,7 @@ gpu: gpu@38000000 { + <&clk IMX8MQ_GPU_PLL_OUT>, + <&clk IMX8MQ_GPU_PLL>; + assigned-clock-rates = <800000000>, <800000000>, +- <800000000>, <800000000>, <0>; ++ <800000000>, <400000000>, <0>; + power-domains = <&pgc_gpu>; + }; + +-- +2.53.0 + diff --git a/queue-6.1/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch b/queue-6.1/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch new file mode 100644 index 0000000000..6f2d4da511 --- /dev/null +++ b/queue-6.1/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch @@ -0,0 +1,47 @@ +From 2ff3acbaf1bfe7cb7597d3967f6fe2b9a1132121 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 02:43:48 +0100 +Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gilson Marquato Júnior + +[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ] + +The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal +DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk +entry so the internal microphone is properly detected on this model. + +Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9). + +Signed-off-by: Gilson Marquato Júnior +Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index d650091d3f302..c9bc2289d3661 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = { + }; + + static const struct dmi_system_id yc_acp_quirk_table[] = { ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.53.0 + diff --git a/queue-6.1/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch b/queue-6.1/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch new file mode 100644 index 0000000000..e851b92ef3 --- /dev/null +++ b/queue-6.1/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch @@ -0,0 +1,43 @@ +From 5c52fb28d1af9084560ef6ca5a682ee9d5ed7f2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 21:25:12 +0700 +Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA + +From: Vee Satayamas + +[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ] + +Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the +internal microphone not being detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236 +Signed-off-by: Vee Satayamas +Reviewed-by: Zhang Heng +Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 991f8777cc859..be510328c5a0c 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -563,6 +563,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.1/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch b/queue-6.1/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch new file mode 100644 index 0000000000..5f7a8b4cad --- /dev/null +++ b/queue-6.1/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch @@ -0,0 +1,42 @@ +From fdaced64edc35e45e3233dc1b387e081be994256 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 16:02:18 +0800 +Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF + +From: Zhang Heng + +[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ] + +Add a DMI quirk for the Thin A15 B7VF fixing the issue where +the internal microphone was not detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833 +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index be510328c5a0c..d650091d3f302 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -570,6 +570,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.1/asoc-soc-core-call-missing-init_list_head-for-card_a.patch b/queue-6.1/asoc-soc-core-call-missing-init_list_head-for-card_a.patch new file mode 100644 index 0000000000..320d3675ca --- /dev/null +++ b/queue-6.1/asoc-soc-core-call-missing-init_list_head-for-card_a.patch @@ -0,0 +1,66 @@ +From fefb8e3c00bb11f2133f960c283c429cc9b306c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 02:43:54 +0000 +Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list + +From: Kuninori Morimoto + +[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ] + +Component has "card_aux_list" which is added/deled in bind/unbind aux dev +function (A), and used in for_each_card_auxs() loop (B). + + static void soc_unbind_aux_dev(...) + { + ... + for_each_card_auxs_safe(...) { + ... +(A) list_del(&component->card_aux_list); + } ^^^^^^^^^^^^^ + } + + static int soc_bind_aux_dev(...) + { + ... + for_each_card_pre_auxs(...) { + ... +(A) list_add(&component->card_aux_list, ...); + } ^^^^^^^^^^^^^ + ... + } + + #define for_each_card_auxs(card, component) \ +(B) list_for_each_entry(component, ..., card_aux_list) + ^^^^^^^^^^^^^ + +But it has been used without calling INIT_LIST_HEAD(). + + > git grep card_aux_list sound/soc + sound/soc/soc-core.c: list_del(&component->card_aux_list); + sound/soc/soc-core.c: list_add(&component->card_aux_list, ...); + +call missing INIT_LIST_HEAD() for it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index dfd58d9db7c1f..33c991e578629 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2618,6 +2618,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, + INIT_LIST_HEAD(&component->dobj_list); + INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); ++ INIT_LIST_HEAD(&component->card_aux_list); + mutex_init(&component->io_mutex); + + component->name = fmt_single_name(dev, &component->id); +-- +2.53.0 + diff --git a/queue-6.1/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch b/queue-6.1/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch new file mode 100644 index 0000000000..f89080d88d --- /dev/null +++ b/queue-6.1/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch @@ -0,0 +1,46 @@ +From 2604ef8eef5f29edb873a2b178923e253b7aa20e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:45:26 -0300 +Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ] + +sof_parse_token_sets() accepts array->size values that can be invalid +for a vendor tuple array header. In particular, a zero size does not +advance the parser state and can lead to non-progress parsing on +malformed topology data. + +Validate array->size against the minimum header size and reject values +smaller than sizeof(*array) before parsing. This preserves behavior for +valid topologies and hardens malformed-input handling. + +Signed-off-by: Cássio Gabriel +Acked-by: Peter Ujfalusi +Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index 374c8b1d69584..d803111e36385 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -678,7 +678,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp, + asize = le32_to_cpu(array->size); + + /* validate asize */ +- if (asize < 0) { /* FIXME: A zero-size array makes no sense */ ++ if (asize < sizeof(*array)) { + dev_err(scomp->dev, "error: invalid array size 0x%x\n", + asize); + return -EINVAL; +-- +2.53.0 + diff --git a/queue-6.1/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch b/queue-6.1/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch new file mode 100644 index 0000000000..9728f9c081 --- /dev/null +++ b/queue-6.1/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch @@ -0,0 +1,64 @@ +From 15f47f178f95b693e0bcf87874ff98f03169948f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:40:56 +0200 +Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J + +From: Tomasz Merta + +[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ] + +The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A, +DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK +edge when SND_SOC_DAIFMT_NB_NF is used. + +Per ALSA convention, NB_NF requires sampling on the rising BCLK edge. +The STM32MP25 SAI reference manual states that CKSTR=1 is required for +signals received by the SAI to be sampled on the SCK rising edge. +Without setting CKSTR=1, the SAI samples on the falling edge, violating +the NB_NF convention. For comparison, the NXP FSL SAI driver correctly +sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its +I2S handling. + +This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in +stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec. +RIGHT_J (LSB) is not investigated and addressed by this patch. + +Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue +for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified +and is left for a separate investigation. + +Signed-off-by: Tomasz Merta +Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_sai_sub.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c +index 8653be3c206ea..927834b4123f5 100644 +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -669,6 +669,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + break; + /* Left justified */ + case SND_SOC_DAIFMT_MSB: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + /* Right justified */ +@@ -676,9 +677,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + case SND_SOC_DAIFMT_DSP_A: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF; + break; + case SND_SOC_DAIFMT_DSP_B: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL; + break; + default: +-- +2.53.0 + diff --git a/queue-6.1/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch b/queue-6.1/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch new file mode 100644 index 0000000000..b19e3ac330 --- /dev/null +++ b/queue-6.1/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch @@ -0,0 +1,83 @@ +From 25381bbb67f1ca782c5c5d1ee132af06c7abaa32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 15:23:35 -0700 +Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 + +From: Arthur Husband + +[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ] + +The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA +support via the S64A bit in the AHCI CAP register, but their 64-bit DMA +implementation is defective. Under sustained I/O, DMA transfers targeting +addresses above 4GB silently corrupt data -- writes land at incorrect +memory addresses with no errors logged. + +The failure pattern is similar to the ASMedia ASM1061 +(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia +ASM1061 controllers")), which also falsely advertised full 64-bit DMA +support. However, the JMB585 requires a stricter 32-bit DMA mask rather +than 43-bit, as corruption occurs with any address above 4GB. + +On the Minisforum N5 Pro specifically, the combination of the JMB585's +broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes +silent data corruption that is only detectable via checksumming +filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA +space is exhausted and the kernel transparently switches to 64-bit DMA +addresses. + +Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585 +(0x0585) before the generic JMicron class match, using a new board type +that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior) +with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks. + +Signed-off-by: Arthur Husband +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index a4b0a499b67d4..c9fbf824901e2 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -61,6 +61,7 @@ enum board_ids { + /* board IDs for specific chipsets in alphabetical order */ + board_ahci_al, + board_ahci_avn, ++ board_ahci_jmb585, + board_ahci_mcp65, + board_ahci_mcp77, + board_ahci_mcp89, +@@ -200,6 +201,15 @@ static const struct ata_port_info ahci_port_info[] = { + .udma_mask = ATA_UDMA6, + .port_ops = &ahci_avn_ops, + }, ++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */ ++ [board_ahci_jmb585] = { ++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR | ++ AHCI_HFLAG_32BIT_ONLY), ++ .flags = AHCI_FLAG_COMMON, ++ .pio_mask = ATA_PIO4, ++ .udma_mask = ATA_UDMA6, ++ .port_ops = &ahci_ops, ++ }, + [board_ahci_mcp65] = { + AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP | + AHCI_HFLAG_YES_NCQ), +@@ -433,6 +443,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */ + { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */ + ++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */ ++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 }, ++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 }, ++ + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr }, +-- +2.53.0 + diff --git a/queue-6.1/btrfs-tracepoints-get-correct-superblock-from-dentry.patch b/queue-6.1/btrfs-tracepoints-get-correct-superblock-from-dentry.patch new file mode 100644 index 0000000000..33efe383a6 --- /dev/null +++ b/queue-6.1/btrfs-tracepoints-get-correct-superblock-from-dentry.patch @@ -0,0 +1,50 @@ +From f3a677a3c1a7ba1fb2e4dcb2ae37274216f111b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 14:11:39 -0400 +Subject: btrfs: tracepoints: get correct superblock from dentry in event + btrfs_sync_file() + +From: Goldwyn Rodrigues + +[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] + +If overlay is used on top of btrfs, dentry->d_sb translates to overlay's +super block and fsid assignment will lead to a crash. + +Use file_inode(file)->i_sb to always get btrfs_sb. + +Reviewed-by: Boris Burkov +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + include/trace/events/btrfs.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index 31847ccae4936..8054ce54807de 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -760,12 +760,15 @@ TRACE_EVENT(btrfs_sync_file, + ), + + TP_fast_assign( +- const struct dentry *dentry = file->f_path.dentry; +- const struct inode *inode = d_inode(dentry); ++ struct dentry *dentry = file_dentry(file); ++ struct inode *inode = file_inode(file); ++ struct dentry *parent = dget_parent(dentry); ++ struct inode *parent_inode = d_inode(parent); + +- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb)); ++ dput(parent); ++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb)); + __entry->ino = btrfs_ino(BTRFS_I(inode)); +- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent))); ++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode)); + __entry->datasync = datasync; + __entry->root_objectid = + BTRFS_I(inode)->root->root_key.objectid; +-- +2.53.0 + diff --git a/queue-6.1/can-mcp251x-add-error-handling-for-power-enable-in-o.patch b/queue-6.1/can-mcp251x-add-error-handling-for-power-enable-in-o.patch new file mode 100644 index 0000000000..621dddb57b --- /dev/null +++ b/queue-6.1/can-mcp251x-add-error-handling-for-power-enable-in-o.patch @@ -0,0 +1,90 @@ +From fe3d1989616ccc738401b4ac5d8b0c532136ef41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 00:00:22 +0800 +Subject: can: mcp251x: add error handling for power enable in open and resume + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ] + +Add missing error handling for mcp251x_power_enable() calls in both +mcp251x_open() and mcp251x_can_resume() functions. + +In mcp251x_open(), if power enable fails, jump to error path to close +candev without attempting to disable power again. + +In mcp251x_can_resume(), properly check return values of power enable calls +for both power and transceiver regulators. If any fails, return the error +code to the PM framework and log the failure. + +This ensures the driver properly handles power control failures and +maintains correct device state. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com +[mkl: fix patch description] +[mkl: mcp251x_can_resume(): replace goto by return] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index 72ae17b2313ec..d3ffab297b77b 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1213,7 +1213,11 @@ static int mcp251x_open(struct net_device *net) + } + + mutex_lock(&priv->mcp_lock); +- mcp251x_power_enable(priv->transceiver, 1); ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret)); ++ goto out_close_candev; ++ } + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -1260,6 +1264,7 @@ static int mcp251x_open(struct net_device *net) + mcp251x_hw_sleep(spi); + out_close: + mcp251x_power_enable(priv->transceiver, 0); ++out_close_candev: + close_candev(net); + mutex_unlock(&priv->mcp_lock); + if (release_irq) +@@ -1499,11 +1504,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev) + { + struct spi_device *spi = to_spi_device(dev); + struct mcp251x_priv *priv = spi_get_drvdata(spi); ++ int ret = 0; + +- if (priv->after_suspend & AFTER_SUSPEND_POWER) +- mcp251x_power_enable(priv->power, 1); +- if (priv->after_suspend & AFTER_SUSPEND_UP) +- mcp251x_power_enable(priv->transceiver, 1); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) { ++ ret = mcp251x_power_enable(priv->power, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret)); ++ return ret; ++ } ++ } ++ ++ if (priv->after_suspend & AFTER_SUSPEND_UP) { ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret)); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) ++ mcp251x_power_enable(priv->power, 0); ++ return ret; ++ } ++ } + + if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP)) + queue_work(priv->wq, &priv->restart_work); +-- +2.53.0 + diff --git a/queue-6.1/clockevents-prevent-timer-interrupt-starvation.patch b/queue-6.1/clockevents-prevent-timer-interrupt-starvation.patch new file mode 100644 index 0000000000..add1136b61 --- /dev/null +++ b/queue-6.1/clockevents-prevent-timer-interrupt-starvation.patch @@ -0,0 +1,218 @@ +From a53e2c11e05c64e57807aea194c2c4819d1369dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 10:54:17 +0200 +Subject: clockevents: Prevent timer interrupt starvation + +From: Thomas Gleixner + +[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ] + +Calvin reported an odd NMI watchdog lockup which claims that the CPU locked +up in user space. He provided a reproducer, which sets up a timerfd based +timer and then rearms it in a loop with an absolute expiry time of 1ns. + +As the expiry time is in the past, the timer ends up as the first expiring +timer in the per CPU hrtimer base and the clockevent device is programmed +with the minimum delta value. If the machine is fast enough, this ends up +in a endless loop of programming the delta value to the minimum value +defined by the clock event device, before the timer interrupt can fire, +which starves the interrupt and consequently triggers the lockup detector +because the hrtimer callback of the lockup mechanism is never invoked. + +As a first step to prevent this, avoid reprogramming the clock event device +when: + - a forced minimum delta event is pending + - the new expiry delta is less then or equal to the minimum delta + +Thanks to Calvin for providing the reproducer and to Borislav for testing +and providing data from his Zen5 machine. + +The problem is not limited to Zen5, but depending on the underlying +clock event device (e.g. TSC deadline timer on Intel) and the CPU speed +not necessarily observable. + +This change serves only as the last resort and further changes will be made +to prevent this scenario earlier in the call chain as far as possible. + +[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and + fixed up the tick-broadcast handlers as pointed out by Borislav ] + +Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality") +Reported-by: Calvin Owens +Signed-off-by: Thomas Gleixner +Tested-by: Calvin Owens +Tested-by: Borislav Petkov +Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/ +Link: https://patch.msgid.link/20260407083247.562657657@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/clockchips.h | 2 ++ + kernel/time/clockevents.c | 27 +++++++++++++++++++-------- + kernel/time/hrtimer.c | 1 + + kernel/time/tick-broadcast.c | 8 +++++++- + kernel/time/tick-common.c | 1 + + kernel/time/tick-sched.c | 1 + + 6 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h +index 8ae9a95ebf5b5..046c6d8d91a69 100644 +--- a/include/linux/clockchips.h ++++ b/include/linux/clockchips.h +@@ -80,6 +80,7 @@ enum clock_event_state { + * @shift: nanoseconds to cycles divisor (power of two) + * @state_use_accessors:current state of the device, assigned by the core code + * @features: features ++ * @next_event_forced: True if the last programming was a forced event + * @retries: number of forced programming retries + * @set_state_periodic: switch state to periodic + * @set_state_oneshot: switch state to oneshot +@@ -108,6 +109,7 @@ struct clock_event_device { + u32 shift; + enum clock_event_state state_use_accessors; + unsigned int features; ++ unsigned int next_event_forced; + unsigned long retries; + + int (*set_state_periodic)(struct clock_event_device *); +diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c +index 5d85014d59b5f..78cd81a99ea03 100644 +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev) + { + clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN); + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + } + + /** +@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + { + unsigned long long clc; + int64_t delta; +- int rc; + + if (WARN_ON_ONCE(expires < 0)) + return -ETIME; +@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + return dev->set_next_ktime(expires, dev); + + delta = ktime_to_ns(ktime_sub(expires, ktime_get())); +- if (delta <= 0) +- return force ? clockevents_program_min_delta(dev) : -ETIME; + +- delta = min(delta, (int64_t) dev->max_delta_ns); +- delta = max(delta, (int64_t) dev->min_delta_ns); ++ /* Required for tick_periodic() during early boot */ ++ if (delta <= 0 && !force) ++ return -ETIME; ++ ++ if (delta > (int64_t)dev->min_delta_ns) { ++ delta = min(delta, (int64_t) dev->max_delta_ns); ++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift; ++ if (!dev->set_next_event((unsigned long) clc, dev)) ++ return 0; ++ } + +- clc = ((unsigned long long) delta * dev->mult) >> dev->shift; +- rc = dev->set_next_event((unsigned long) clc, dev); ++ if (dev->next_event_forced) ++ return 0; + +- return (rc && force) ? clockevents_program_min_delta(dev) : rc; ++ if (dev->set_next_event(dev->min_delta_ticks, dev)) { ++ if (!force || clockevents_program_min_delta(dev)) ++ return -ETIME; ++ } ++ dev->next_event_forced = 1; ++ return 0; + } + + /* +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 002b29e566cb3..d5bb051d6e167 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1850,6 +1850,7 @@ void hrtimer_interrupt(struct clock_event_device *dev) + BUG_ON(!cpu_base->hres_active); + cpu_base->nr_events++; + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + raw_spin_lock_irqsave(&cpu_base->lock, flags); + entry_time = now = hrtimer_update_base(cpu_base); +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index 13a71a894cc16..369f7e52b5e51 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu) + */ + static void tick_broadcast_start_periodic(struct clock_event_device *bc) + { +- if (bc) ++ if (bc) { ++ bc->next_event_forced = 0; + tick_setup_periodic(bc, 1); ++ } + } + + /* +@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev) + bool bc_local; + + raw_spin_lock(&tick_broadcast_lock); ++ tick_broadcast_device.evtdev->next_event_forced = 0; + + /* Handle spurious interrupts gracefully */ + if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) { +@@ -692,6 +695,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev) + + raw_spin_lock(&tick_broadcast_lock); + dev->next_event = KTIME_MAX; ++ tick_broadcast_device.evtdev->next_event_forced = 0; + next_event = KTIME_MAX; + cpumask_clear(tmpmask); + now = ktime_get(); +@@ -1057,6 +1061,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc, + + + bc->event_handler = tick_handle_oneshot_broadcast; ++ bc->next_event_forced = 0; + bc->next_event = KTIME_MAX; + + /* +@@ -1169,6 +1174,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu) + } + + /* This moves the broadcast assignment to this CPU: */ ++ bc->next_event_forced = 0; + clockevents_program_event(bc, bc->next_event, 1); + } + raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index 7f2b17fc8ce40..79ae1adf635bd 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -109,6 +109,7 @@ void tick_handle_periodic(struct clock_event_device *dev) + int cpu = smp_processor_id(); + ktime_t next = dev->next_event; + ++ dev->next_event_forced = 0; + tick_periodic(cpu); + + #if defined(CONFIG_HIGH_RES_TIMERS) || defined(CONFIG_NO_HZ_COMMON) +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 8cfdc6b978d76..3a017b5555250 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1382,6 +1382,7 @@ static void tick_nohz_handler(struct clock_event_device *dev) + ktime_t now = ktime_get(); + + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + tick_sched_do_timer(ts, now); + tick_sched_handle(ts, regs); +-- +2.53.0 + diff --git a/queue-6.1/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-6.1/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch new file mode 100644 index 0000000000..0f620ebd80 --- /dev/null +++ b/queue-6.1/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch @@ -0,0 +1,38 @@ +From dbc10c174fbadb68b2d3e5fd7e4b2c432576b643 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 13:32:21 +0800 +Subject: crypto: algif_aead - Fix minimum RX size check for decryption + +From: Herbert Xu + +[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] + +The check for the minimum receive buffer size did not take the +tag size into account during decryption. Fix this by adding the +required extra length. + +Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com +Reported-by: Daniel Pouzzner +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_aead.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c +index 42493b4d8ce46..cb3959e2c435e 100644 +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + if (usedpages < outlen) { + size_t less = outlen - usedpages; + +- if (used < less) { ++ if (used < less + (ctx->enc ? 0 : as)) { + err = -EINVAL; + goto free; + } +-- +2.53.0 + diff --git a/queue-6.1/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch b/queue-6.1/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch new file mode 100644 index 0000000000..b4322b68bd --- /dev/null +++ b/queue-6.1/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch @@ -0,0 +1,74 @@ +From 22d8ef1ee196aa0c1f2edbf95fe34deff6895909 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:45 -0300 +Subject: drm/vc4: Fix a memory leak in hang state error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ] + +When vc4_save_hang_state() encounters an early return condition, it +returns without freeing the previously allocated `kernel_state`, +leaking memory. + +Add the missing kfree() calls by consolidating the early return paths +into a single place. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index c446684a72183..0d88226b17deb 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -169,10 +169,8 @@ vc4_save_hang_state(struct drm_device *dev) + spin_lock_irqsave(&vc4->job_lock, irqflags); + exec[0] = vc4_first_bin_job(vc4); + exec[1] = vc4_first_render_job(vc4); +- if (!exec[0] && !exec[1]) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!exec[0] && !exec[1]) ++ goto err_free_state; + + /* Get the bos from both binner and renderer into hang state. */ + state->bo_count = 0; +@@ -189,10 +187,8 @@ vc4_save_hang_state(struct drm_device *dev) + kernel_state->bo = kcalloc(state->bo_count, + sizeof(*kernel_state->bo), GFP_ATOMIC); + +- if (!kernel_state->bo) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!kernel_state->bo) ++ goto err_free_state; + + k = 0; + for (i = 0; i < 2; i++) { +@@ -284,6 +280,12 @@ vc4_save_hang_state(struct drm_device *dev) + vc4->hang_state = kernel_state; + spin_unlock_irqrestore(&vc4->job_lock, irqflags); + } ++ ++ return; ++ ++err_free_state: ++ spin_unlock_irqrestore(&vc4->job_lock, irqflags); ++ kfree(kernel_state); + } + + static void +-- +2.53.0 + diff --git a/queue-6.1/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch b/queue-6.1/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch new file mode 100644 index 0000000000..5f4f894340 --- /dev/null +++ b/queue-6.1/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch @@ -0,0 +1,40 @@ +From f56aa71a2c7dd36fb5ac7dcd9c44449e1e183b06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:44 -0300 +Subject: drm/vc4: Fix memory leak of BO array in hang state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ] + +The hang state's BO array is allocated separately with kzalloc() in +vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the +missing kfree() for the BO array before freeing the hang state struct. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 628d40ff3aa1c..c446684a72183 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state) + for (i = 0; i < state->user_state.bo_count; i++) + drm_gem_object_put(state->bo[i]); + ++ kfree(state->bo); + kfree(state); + } + +-- +2.53.0 + diff --git a/queue-6.1/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch b/queue-6.1/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch new file mode 100644 index 0000000000..3595bc4c3e --- /dev/null +++ b/queue-6.1/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch @@ -0,0 +1,48 @@ +From ea81f45c8776f596adb593e4423b2bbfffc68f11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:46 -0300 +Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ] + +The mmap callback reads bo->madv without holding madv_lock, racing with +concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under +the same lock. Add the missing locking to prevent the data race. + +Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_bo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c +index ce0ea446bd707..9028a56dd12b8 100644 +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct + return -EINVAL; + } + ++ mutex_lock(&bo->madv_lock); + if (bo->madv != VC4_MADV_WILLNEED) { + DRM_DEBUG("mmaping of %s BO not allowed\n", + bo->madv == VC4_MADV_DONTNEED ? + "purgeable" : "purged"); ++ mutex_unlock(&bo->madv_lock); + return -EINVAL; + } ++ mutex_unlock(&bo->madv_lock); + + return drm_gem_dma_mmap(&bo->base, vma); + } +-- +2.53.0 + diff --git a/queue-6.1/drm-vc4-release-runtime-pm-reference-after-binding-v.patch b/queue-6.1/drm-vc4-release-runtime-pm-reference-after-binding-v.patch new file mode 100644 index 0000000000..97a274285b --- /dev/null +++ b/queue-6.1/drm-vc4-release-runtime-pm-reference-after-binding-v.patch @@ -0,0 +1,46 @@ +From 2730ba8883f7301f785b7508e935a42f5084e993 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:43 -0300 +Subject: drm/vc4: Release runtime PM reference after binding V3D +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ] + +The vc4_v3d_bind() function acquires a runtime PM reference via +pm_runtime_resume_and_get() to access V3D registers during setup. +However, this reference is never released after a successful bind. +This prevents the device from ever runtime suspending, since the +reference count never reaches zero. + +Release the runtime PM reference by adding pm_runtime_put_autosuspend() +after autosuspend is configured, allowing the device to runtime suspend +after the delay. + +Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_v3d.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c +index 56abb0d6bc39b..a39e6f8eff0a6 100644 +--- a/drivers/gpu/drm/vc4/vc4_v3d.c ++++ b/drivers/gpu/drm/vc4/vc4_v3d.c +@@ -497,6 +497,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data) + + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */ ++ pm_runtime_put_autosuspend(dev); + + return 0; + +-- +2.53.0 + diff --git a/queue-6.1/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch b/queue-6.1/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch new file mode 100644 index 0000000000..00563c17b8 --- /dev/null +++ b/queue-6.1/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch @@ -0,0 +1,59 @@ +From 19032ab7747740ea3330db0d110e23d65855af5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:40 +0100 +Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock + +From: Jon Hunter + +[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ] + +The PTP clock for the Tegra234 MGBE device is incorrectly named +'ptp-ref' and should be 'ptp_ref'. This is causing the following +warning to be observed on Tegra234 platforms that use this device: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +Although this constitutes an ABI breakage in the binding for this +device, PTP support has clearly never worked and so fix this now +so we can correct the device-tree for this device. Note that the +MGBE driver still supports the legacy 'ptp-ref' clock name and so +older/existing device-trees will still work, but given that this +is not the correct name, there is no point to advertise this in the +binding. + +Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE") +Signed-off-by: Jon Hunter +Reviewed-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +index 2bd3efff2485e..215f14d1897d2 100644 +--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml ++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +@@ -42,7 +42,7 @@ properties: + - const: mgbe + - const: mac + - const: mac-divider +- - const: ptp-ref ++ - const: ptp_ref + - const: rx-input-m + - const: rx-input + - const: tx +@@ -133,7 +133,7 @@ examples: + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>, + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>, + <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>; +- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m", ++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m", + "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m", + "rx-pcs", "tx-pcs"; + resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>, +-- +2.53.0 + diff --git a/queue-6.1/e1000-check-return-value-of-e1000_read_eeprom.patch b/queue-6.1/e1000-check-return-value-of-e1000_read_eeprom.patch new file mode 100644 index 0000000000..03d839d3e2 --- /dev/null +++ b/queue-6.1/e1000-check-return-value-of-e1000_read_eeprom.patch @@ -0,0 +1,70 @@ +From 1167851e947f983b2a374e7637c50e954b255713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 15:05:05 +0300 +Subject: e1000: check return value of e1000_read_eeprom + +From: Agalakov Daniil + +[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ] + +[Why] +e1000_set_eeprom() performs a read-modify-write operation when the write +range is not word-aligned. This requires reading the first and last words +of the range from the EEPROM to preserve the unmodified bytes. + +However, the code does not check the return value of e1000_read_eeprom(). +If the read fails, the operation continues using uninitialized data from +eeprom_buff. This results in corrupted data being written back to the +EEPROM for the boundary words. + +Add the missing error checks and abort the operation if reading fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Iskhakov Daniil +Signed-off-by: Iskhakov Daniil +Signed-off-by: Agalakov Daniil +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index d06d29c6c0370..c7b50059663d9 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev, + */ + ret_val = e1000_read_eeprom(hw, first_word, 1, + &eeprom_buff[0]); ++ if (ret_val) ++ goto out; ++ + ptr++; + } +- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) { ++ if ((eeprom->offset + eeprom->len) & 1) { + /* need read/modify/write of last changed EEPROM word + * only the first byte of the word is being modified + */ + ret_val = e1000_read_eeprom(hw, last_word, 1, + &eeprom_buff[last_word - first_word]); ++ if (ret_val) ++ goto out; + } + + /* Device's eeprom is always little-endian, word addressable */ +@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev, + if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG)) + e1000_update_eeprom_checksum(hw); + ++out: + kfree(eeprom_buff); + return ret_val; + } +-- +2.53.0 + diff --git a/queue-6.1/epoll-use-refcount-to-reduce-ep_mutex-contention.patch b/queue-6.1/epoll-use-refcount-to-reduce-ep_mutex-contention.patch new file mode 100644 index 0000000000..a1d473330e --- /dev/null +++ b/queue-6.1/epoll-use-refcount-to-reduce-ep_mutex-contention.patch @@ -0,0 +1,436 @@ +From ac1197ebab173f3518a8ee3bcb3b9f07e86b9a60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 17:57:02 +0100 +Subject: epoll: use refcount to reduce ep_mutex contention + +From: Paolo Abeni + +[ Upstream commit 58c9b016e12855286370dfb704c08498edbc857a ] + +We are observing huge contention on the epmutex during an http +connection/rate test: + + 83.17% 0.25% nginx [kernel.kallsyms] [k] entry_SYSCALL_64_after_hwframe +[...] + |--66.96%--__fput + |--60.04%--eventpoll_release_file + |--58.41%--__mutex_lock.isra.6 + |--56.56%--osq_lock + +The application is multi-threaded, creates a new epoll entry for +each incoming connection, and does not delete it before the +connection shutdown - that is, before the connection's fd close(). + +Many different threads compete frequently for the epmutex lock, +affecting the overall performance. + +To reduce the contention this patch introduces explicit reference counting +for the eventpoll struct. Each registered event acquires a reference, +and references are released at ep_remove() time. + +The eventpoll struct is released by whoever - among EP file close() and +and the monitored file close() drops its last reference. + +Additionally, this introduces a new 'dying' flag to prevent races between +the EP file close() and the monitored file close(). +ep_eventpoll_release() marks, under f_lock spinlock, each epitem as dying +before removing it, while EP file close() does not touch dying epitems. + +The above is needed as both close operations could run concurrently and +drop the EP reference acquired via the epitem entry. Without the above +flag, the monitored file close() could reach the EP struct via the epitem +list while the epitem is still listed and then try to put it after its +disposal. + +An alternative could be avoiding touching the references acquired via +the epitems at EP file close() time, but that could leave the EP struct +alive for potentially unlimited time after EP file close(), with nasty +side effects. + +With all the above in place, we can drop the epmutex usage at disposal time. + +Overall this produces a significant performance improvement in the +mentioned connection/rate scenario: the mutex operations disappear from +the topmost offenders in the perf report, and the measured connections/rate +grows by ~60%. + +To make the change more readable this additionally renames ep_free() to +ep_clear_and_put(), and moves the actual memory cleanup in a separate +ep_free() helper. + +Link: https://lkml.kernel.org/r/4a57788dcaf28f5eb4f8dfddcc3a8b172a7357bb.1679504153.git.pabeni@redhat.com +Signed-off-by: Paolo Abeni +Co-developed-by: Eric Dumazet +Signed-off-by: Eric Dumazet +Tested-by: Xiumei Mu +Acked-by: Soheil Hassas Yeganeh +Reviewed-by: Davidlohr Bueso +Cc: Alexander Viro +Cc: Carlos Maiolino +Cc: Christian Brauner +Cc: Eric Biggers +Cc: Jacob Keller +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Stable-dep-of: 07712db80857 ("eventpoll: defer struct eventpoll free to RCU grace period") +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 195 +++++++++++++++++++++++++++++++------------------ + 1 file changed, 123 insertions(+), 72 deletions(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 4c590e988d4a2..f20a35775cf66 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -57,13 +57,7 @@ + * we need a lock that will allow us to sleep. This lock is a + * mutex (ep->mtx). It is acquired during the event transfer loop, + * during epoll_ctl(EPOLL_CTL_DEL) and during eventpoll_release_file(). +- * Then we also need a global mutex to serialize eventpoll_release_file() +- * and ep_free(). +- * This mutex is acquired by ep_free() during the epoll file +- * cleanup path and it is also acquired by eventpoll_release_file() +- * if a file has been pushed inside an epoll set and it is then +- * close()d without a previous call to epoll_ctl(EPOLL_CTL_DEL). +- * It is also acquired when inserting an epoll fd onto another epoll ++ * The epmutex is acquired when inserting an epoll fd onto another epoll + * fd. We do this so that we walk the epoll tree and ensure that this + * insertion does not create a cycle of epoll file descriptors, which + * could lead to deadlock. We need a global mutex to prevent two +@@ -153,6 +147,13 @@ struct epitem { + /* The file descriptor information this item refers to */ + struct epoll_filefd ffd; + ++ /* ++ * Protected by file->f_lock, true for to-be-released epitem already ++ * removed from the "struct file" items list; together with ++ * eventpoll->refcount orchestrates "struct eventpoll" disposal ++ */ ++ bool dying; ++ + /* List containing poll wait queues */ + struct eppoll_entry *pwqlist; + +@@ -218,6 +219,12 @@ struct eventpoll { + struct hlist_head refs; + u8 loop_check_depth; + ++ /* ++ * usage count, used together with epitem->dying to ++ * orchestrate the disposal of this struct ++ */ ++ refcount_t refcount; ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + /* used to track busy poll napi_id */ + unsigned int napi_id; +@@ -241,9 +248,7 @@ struct ep_pqueue { + /* Maximum number of epoll watched descriptors, per user */ + static long max_user_watches __read_mostly; + +-/* +- * This mutex is used to serialize ep_free() and eventpoll_release_file(). +- */ ++/* Used for cycles detection */ + static DEFINE_MUTEX(epmutex); + + static u64 loop_check_gen = 0; +@@ -558,8 +563,7 @@ static void ep_remove_wait_queue(struct eppoll_entry *pwq) + + /* + * This function unregisters poll callbacks from the associated file +- * descriptor. Must be called with "mtx" held (or "epmutex" if called from +- * ep_free). ++ * descriptor. Must be called with "mtx" held. + */ + static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi) + { +@@ -682,11 +686,40 @@ static void epi_rcu_free(struct rcu_head *head) + kmem_cache_free(epi_cache, epi); + } + ++static void ep_get(struct eventpoll *ep) ++{ ++ refcount_inc(&ep->refcount); ++} ++ ++/* ++ * Returns true if the event poll can be disposed ++ */ ++static bool ep_refcount_dec_and_test(struct eventpoll *ep) ++{ ++ if (!refcount_dec_and_test(&ep->refcount)) ++ return false; ++ ++ WARN_ON_ONCE(!RB_EMPTY_ROOT(&ep->rbr.rb_root)); ++ return true; ++} ++ ++static void ep_free(struct eventpoll *ep) ++{ ++ mutex_destroy(&ep->mtx); ++ free_uid(ep->user); ++ wakeup_source_unregister(ep->ws); ++ kfree(ep); ++} ++ + /* + * Removes a "struct epitem" from the eventpoll RB tree and deallocates + * all the associated resources. Must be called with "mtx" held. ++ * If the dying flag is set, do the removal only if force is true. ++ * This prevents ep_clear_and_put() from dropping all the ep references ++ * while running concurrently with eventpoll_release_file(). ++ * Returns true if the eventpoll can be disposed. + */ +-static int ep_remove(struct eventpoll *ep, struct epitem *epi) ++static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force) + { + struct file *file = epi->ffd.file; + struct epitems_head *to_free; +@@ -701,6 +734,11 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi) + + /* Remove the current item from the list of epoll hooks */ + spin_lock(&file->f_lock); ++ if (epi->dying && !force) { ++ spin_unlock(&file->f_lock); ++ return false; ++ } ++ + to_free = NULL; + head = file->f_ep; + if (head->first == &epi->fllink && !epi->fllink.next) { +@@ -735,28 +773,28 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi) + call_rcu(&epi->rcu, epi_rcu_free); + + percpu_counter_dec(&ep->user->epoll_watches); ++ return ep_refcount_dec_and_test(ep); ++} + +- return 0; ++/* ++ * ep_remove variant for callers owing an additional reference to the ep ++ */ ++static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi) ++{ ++ WARN_ON_ONCE(__ep_remove(ep, epi, false)); + } + +-static void ep_free(struct eventpoll *ep) ++static void ep_clear_and_put(struct eventpoll *ep) + { +- struct rb_node *rbp; ++ struct rb_node *rbp, *next; + struct epitem *epi; ++ bool dispose; + + /* We need to release all tasks waiting for these file */ + if (waitqueue_active(&ep->poll_wait)) + ep_poll_safewake(ep, NULL, 0); + +- /* +- * We need to lock this because we could be hit by +- * eventpoll_release_file() while we're freeing the "struct eventpoll". +- * We do not need to hold "ep->mtx" here because the epoll file +- * is on the way to be removed and no one has references to it +- * anymore. The only hit might come from eventpoll_release_file() but +- * holding "epmutex" is sufficient here. +- */ +- mutex_lock(&epmutex); ++ mutex_lock(&ep->mtx); + + /* + * Walks through the whole tree by unregistering poll callbacks. +@@ -769,26 +807,25 @@ static void ep_free(struct eventpoll *ep) + } + + /* +- * Walks through the whole tree by freeing each "struct epitem". At this +- * point we are sure no poll callbacks will be lingering around, and also by +- * holding "epmutex" we can be sure that no file cleanup code will hit +- * us during this operation. So we can avoid the lock on "ep->lock". +- * We do not need to lock ep->mtx, either, we only do it to prevent +- * a lockdep warning. ++ * Walks through the whole tree and try to free each "struct epitem". ++ * Note that ep_remove_safe() will not remove the epitem in case of a ++ * racing eventpoll_release_file(); the latter will do the removal. ++ * At this point we are sure no poll callbacks will be lingering around. ++ * Since we still own a reference to the eventpoll struct, the loop can't ++ * dispose it. + */ +- mutex_lock(&ep->mtx); +- while ((rbp = rb_first_cached(&ep->rbr)) != NULL) { ++ for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = next) { ++ next = rb_next(rbp); + epi = rb_entry(rbp, struct epitem, rbn); +- ep_remove(ep, epi); ++ ep_remove_safe(ep, epi); + cond_resched(); + } ++ ++ dispose = ep_refcount_dec_and_test(ep); + mutex_unlock(&ep->mtx); + +- mutex_unlock(&epmutex); +- mutex_destroy(&ep->mtx); +- free_uid(ep->user); +- wakeup_source_unregister(ep->ws); +- kfree(ep); ++ if (dispose) ++ ep_free(ep); + } + + static int ep_eventpoll_release(struct inode *inode, struct file *file) +@@ -796,7 +833,7 @@ static int ep_eventpoll_release(struct inode *inode, struct file *file) + struct eventpoll *ep = file->private_data; + + if (ep) +- ep_free(ep); ++ ep_clear_and_put(ep); + + return 0; + } +@@ -944,33 +981,34 @@ void eventpoll_release_file(struct file *file) + { + struct eventpoll *ep; + struct epitem *epi; +- struct hlist_node *next; ++ bool dispose; + + /* +- * We don't want to get "file->f_lock" because it is not +- * necessary. It is not necessary because we're in the "struct file" +- * cleanup path, and this means that no one is using this file anymore. +- * So, for example, epoll_ctl() cannot hit here since if we reach this +- * point, the file counter already went to zero and fget() would fail. +- * The only hit might come from ep_free() but by holding the mutex +- * will correctly serialize the operation. We do need to acquire +- * "ep->mtx" after "epmutex" because ep_remove() requires it when called +- * from anywhere but ep_free(). +- * +- * Besides, ep_remove() acquires the lock, so we can't hold it here. ++ * Use the 'dying' flag to prevent a concurrent ep_clear_and_put() from ++ * touching the epitems list before eventpoll_release_file() can access ++ * the ep->mtx. + */ +- mutex_lock(&epmutex); +- if (unlikely(!file->f_ep)) { +- mutex_unlock(&epmutex); +- return; +- } +- hlist_for_each_entry_safe(epi, next, file->f_ep, fllink) { ++again: ++ spin_lock(&file->f_lock); ++ if (file->f_ep && file->f_ep->first) { ++ epi = hlist_entry(file->f_ep->first, struct epitem, fllink); ++ epi->dying = true; ++ spin_unlock(&file->f_lock); ++ ++ /* ++ * ep access is safe as we still own a reference to the ep ++ * struct ++ */ + ep = epi->ep; +- mutex_lock_nested(&ep->mtx, 0); +- ep_remove(ep, epi); ++ mutex_lock(&ep->mtx); ++ dispose = __ep_remove(ep, epi, true); + mutex_unlock(&ep->mtx); ++ ++ if (dispose) ++ ep_free(ep); ++ goto again; + } +- mutex_unlock(&epmutex); ++ spin_unlock(&file->f_lock); + } + + static int ep_alloc(struct eventpoll **pep) +@@ -993,6 +1031,7 @@ static int ep_alloc(struct eventpoll **pep) + ep->rbr = RB_ROOT_CACHED; + ep->ovflist = EP_UNACTIVE_PTR; + ep->user = user; ++ refcount_set(&ep->refcount, 1); + + *pep = ep; + +@@ -1177,10 +1216,10 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v + */ + list_del_init(&wait->entry); + /* +- * ->whead != NULL protects us from the race with ep_free() +- * or ep_remove(), ep_remove_wait_queue() takes whead->lock +- * held by the caller. Once we nullify it, nothing protects +- * ep/epi or even wait. ++ * ->whead != NULL protects us from the race with ++ * ep_clear_and_put() or ep_remove(), ep_remove_wait_queue() ++ * takes whead->lock held by the caller. Once we nullify it, ++ * nothing protects ep/epi or even wait. + */ + smp_store_release(&ep_pwq_from_wait(wait)->whead, NULL); + } +@@ -1451,16 +1490,22 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event, + if (tep) + mutex_unlock(&tep->mtx); + ++ /* ++ * ep_remove_safe() calls in the later error paths can't lead to ++ * ep_free() as the ep file itself still holds an ep reference. ++ */ ++ ep_get(ep); ++ + /* now check if we've created too many backpaths */ + if (unlikely(full_check && reverse_path_check())) { +- ep_remove(ep, epi); ++ ep_remove_safe(ep, epi); + return -EINVAL; + } + + if (epi->event.events & EPOLLWAKEUP) { + error = ep_create_wakeup_source(epi); + if (error) { +- ep_remove(ep, epi); ++ ep_remove_safe(ep, epi); + return error; + } + } +@@ -1484,7 +1529,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event, + * high memory pressure. + */ + if (unlikely(!epq.epi)) { +- ep_remove(ep, epi); ++ ep_remove_safe(ep, epi); + return -ENOMEM; + } + +@@ -2016,7 +2061,7 @@ static int do_epoll_create(int flags) + out_free_fd: + put_unused_fd(fd); + out_free_ep: +- ep_free(ep); ++ ep_clear_and_put(ep); + return error; + } + +@@ -2158,10 +2203,16 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds, + error = -EEXIST; + break; + case EPOLL_CTL_DEL: +- if (epi) +- error = ep_remove(ep, epi); +- else ++ if (epi) { ++ /* ++ * The eventpoll itself is still alive: the refcount ++ * can't go to zero here. ++ */ ++ ep_remove_safe(ep, epi); ++ error = 0; ++ } else { + error = -ENOENT; ++ } + break; + case EPOLL_CTL_MOD: + if (epi) { +-- +2.53.0 + diff --git a/queue-6.1/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch b/queue-6.1/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch new file mode 100644 index 0000000000..05a8bdf704 --- /dev/null +++ b/queue-6.1/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch @@ -0,0 +1,48 @@ +From c76e0b4ef3c9d32282c7ddac04b1747d7beaa05d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 15:25:32 +0200 +Subject: eventpoll: defer struct eventpoll free to RCU grace period + +From: Nicholas Carlini + +[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ] + +In certain situations, ep_free() in eventpoll.c will kfree the epi->ep +eventpoll struct while it still being used by another concurrent thread. +Defer the kfree() to an RCU callback to prevent UAF. + +Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") +Signed-off-by: Nicholas Carlini +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index f20a35775cf66..f6038819fe79f 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -225,6 +225,9 @@ struct eventpoll { + */ + refcount_t refcount; + ++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */ ++ struct rcu_head rcu; ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + /* used to track busy poll napi_id */ + unsigned int napi_id; +@@ -708,7 +711,8 @@ static void ep_free(struct eventpoll *ep) + mutex_destroy(&ep->mtx); + free_uid(ep->user); + wakeup_source_unregister(ep->ws); +- kfree(ep); ++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */ ++ kfree_rcu(ep, rcu); + } + + /* +-- +2.53.0 + diff --git a/queue-6.1/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch b/queue-6.1/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch new file mode 100644 index 0000000000..e52a9bbad2 --- /dev/null +++ b/queue-6.1/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch @@ -0,0 +1,47 @@ +From a9cfbd642e7583c0e01d6b6917ec55816747c080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 13:11:27 -0700 +Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath + +From: Fredric Cover + +[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ] + +When cifs_sanitize_prepath is called with an empty string or a string +containing only delimiters (e.g., "/"), the current logic attempts to +check *(cursor2 - 1) before cursor2 has advanced. This results in an +out-of-bounds read. + +This patch adds an early exit check after stripping prepended +delimiters. If no path content remains, the function returns NULL. + +The bug was identified via manual audit and verified using a +standalone test case compiled with AddressSanitizer, which +triggered a SEGV on affected inputs. + +Signed-off-by: Fredric Cover +Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index 9000299e98cb4..35f2c94aafd14 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -454,6 +454,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp) + while (IS_DELIM(*cursor1)) + cursor1++; + ++ /* exit in case of only delimiters */ ++ if (!*cursor1) ++ return NULL; ++ + /* copy the first letter */ + *cursor2 = *cursor1; + +-- +2.53.0 + diff --git a/queue-6.1/gpio-tegra-fix-irq_release_resources-calling-enable-.patch b/queue-6.1/gpio-tegra-fix-irq_release_resources-calling-enable-.patch new file mode 100644 index 0000000000..545b944adb --- /dev/null +++ b/queue-6.1/gpio-tegra-fix-irq_release_resources-calling-enable-.patch @@ -0,0 +1,41 @@ +From 53f07053b7e3540577eb6e9d857c4e150cc97ba7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 14:02:47 -0700 +Subject: gpio: tegra: fix irq_release_resources calling enable instead of + disable + +From: Samasth Norway Ananda + +[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ] + +tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable() +instead of tegra_gpio_disable(). When IRQ resources are released, the +GPIO configuration bit (CNF) should be cleared to deconfigure the pin as +a GPIO. Leaving it enabled wastes power and can cause unexpected behavior +if the pin is later reused for an alternate function via pinctrl. + +Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip") +Signed-off-by: Samasth Norway Ananda +Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c +index 5b265a6fd3c18..49ff77c3ad198 100644 +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -597,7 +597,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d) + struct tegra_gpio_info *tgi = gpiochip_get_data(chip); + + gpiochip_relres_irq(chip, d->hwirq); +- tegra_gpio_enable(tgi, d->hwirq); ++ tegra_gpio_disable(tgi, d->hwirq); + } + + static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s) +-- +2.53.0 + diff --git a/queue-6.1/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch b/queue-6.1/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch new file mode 100644 index 0000000000..7e3d4c8bb3 --- /dev/null +++ b/queue-6.1/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch @@ -0,0 +1,52 @@ +From 2cba1ec91ac654e8e04227c541d76f08bc182100 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 13:36:59 -0500 +Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 + +From: leo vriska + +[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ] + +According to a mailing list report [1], this controller's predecessor +has the same issue. However, it uses the xpad driver instead of HID, so +this quirk wouldn't apply. + +[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/ + +Signed-off-by: leo vriska +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index fd3198d4b7c5b..23adda52f6ef5 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -22,6 +22,9 @@ + #define USB_DEVICE_ID_3M2256 0x0502 + #define USB_DEVICE_ID_3M3266 0x0506 + ++#define USB_VENDOR_ID_8BITDO 0x2dc8 ++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009 ++ + #define USB_VENDOR_ID_A4TECH 0x09da + #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006 + #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 030ad260e7566..99fca77d16641 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -25,6 +25,7 @@ + */ + + static const struct hid_device_id hid_quirks[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, +-- +2.53.0 + diff --git a/queue-6.1/hid-roccat-fix-use-after-free-in-roccat_report_event.patch b/queue-6.1/hid-roccat-fix-use-after-free-in-roccat_report_event.patch new file mode 100644 index 0000000000..40ea82dcbd --- /dev/null +++ b/queue-6.1/hid-roccat-fix-use-after-free-in-roccat_report_event.patch @@ -0,0 +1,50 @@ +From 2aa978de0e72acb4e4e21bdf2100b0e2ab47a7fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:11:07 +0000 +Subject: HID: roccat: fix use-after-free in roccat_report_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ] + +roccat_report_event() iterates over the device->readers list without +holding the readers_lock. This allows a concurrent roccat_release() to +remove and free a reader while it's still being accessed, leading to a +use-after-free. + +Protect the readers list traversal with the readers_lock mutex. + +Signed-off-by: Benoît Sevens +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index 6da80e442fdd1..420e4335c3e83 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->readers_lock); + mutex_lock(&device->cbuf_lock); + + report = &device->cbuf[device->cbuf_end]; +@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data) + } + + mutex_unlock(&device->cbuf_lock); ++ mutex_unlock(&device->readers_lock); + + wake_up_interruptible(&device->wait); + return 0; +-- +2.53.0 + diff --git a/queue-6.1/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch b/queue-6.1/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch new file mode 100644 index 0000000000..39c2e45d34 --- /dev/null +++ b/queue-6.1/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch @@ -0,0 +1,50 @@ +From 580209ddd3675b147c951e9a14dffdaf1dde1681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 15:04:19 +0800 +Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() + +From: Yiqi Sun + +[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ] + +ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the +IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing +this error pointer to dev_hold() will cause a kernel crash with +null-ptr-deref. + +Instead, silently discard the request. RFC 8335 does not appear to +define a specific response for the case where an IPv6 interface +identifier is syntactically valid but the implementation cannot perform +the lookup at runtime, and silently dropping the request may safer than +misreporting "No Such Interface". + +Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") +Signed-off-by: Yiqi Sun +Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 309d22f2858cc..7a6e4853cf98d 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -1130,6 +1130,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr) + if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr)) + goto send_mal_query; + dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev); ++ /* ++ * If IPv6 identifier lookup is unavailable, silently ++ * discard the request instead of misreporting NO_IF. ++ */ ++ if (IS_ERR(dev)) ++ return false; ++ + dev_hold(dev); + break; + #endif +-- +2.53.0 + diff --git a/queue-6.1/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch b/queue-6.1/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch new file mode 100644 index 0000000000..9d100d6561 --- /dev/null +++ b/queue-6.1/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch @@ -0,0 +1,78 @@ +From b2be2946e0927b629bfd8a2d18f27d52e4afe5d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 09:22:29 +0100 +Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table + +From: Michal Schmidt + +[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ] + +Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by +negotiating supported features") added the .negotiate_features callback +to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot +to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL +on Hyper-V VMs. + +During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), +which unconditionally dereferences hw->mac.ops.negotiate_features(). +On Hyper-V this results in a NULL pointer dereference: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + [...] + Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] + Workqueue: events work_for_cpu_fn + RIP: 0010:0x0 + [...] + Call Trace: + ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] + ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] + ixgbevf_probe+0x20f/0x4a0 [ixgbevf] + local_pci_probe+0x50/0xa0 + work_for_cpu_fn+0x1a/0x30 + [...] + +Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and +wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP +gracefully. + +Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") +Reported-by: Xiaoqiang Xiong +Closes: https://issues.redhat.com/browse/RHEL-155455 +Assisted-by: Claude:claude-4.6-opus-high Cursor +Tested-by: Xiaoqiang Xiong +Signed-off-by: Michal Schmidt +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c +index 708d5dd921acc..70dfda13b7885 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/vf.c ++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c +@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) + return err; + } + ++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw, ++ u32 *pf_features) ++{ ++ return -EOPNOTSUPP; ++} ++ + /** + * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address + * @hw: pointer to the HW structure +@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = { + .setup_link = ixgbevf_setup_mac_link_vf, + .check_link = ixgbevf_hv_check_mac_link_vf, + .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf, ++ .negotiate_features = ixgbevf_hv_negotiate_features_vf, + .set_rar = ixgbevf_hv_set_rar_vf, + .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf, + .update_xcast_mode = ixgbevf_hv_update_xcast_mode, +-- +2.53.0 + diff --git a/queue-6.1/l2tp-drop-large-packets-with-udp-encap.patch b/queue-6.1/l2tp-drop-large-packets-with-udp-encap.patch new file mode 100644 index 0000000000..2e11b34ad1 --- /dev/null +++ b/queue-6.1/l2tp-drop-large-packets-with-udp-encap.patch @@ -0,0 +1,106 @@ +From 92a2551b38958b6812e8cd15081c8bf94b867ad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 20:49:49 +0300 +Subject: l2tp: Drop large packets with UDP encap + +From: Alice Mikityanska + +[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ] + +syzbot reported a WARN on my patch series [1]. The actual issue is an +overflow of 16-bit UDP length field, and it exists in the upstream code. +My series added a debug WARN with an overflow check that exposed the +issue, that's why syzbot tripped on my patches, rather than on upstream +code. + +syzbot's repro: + +r0 = socket$pppl2tp(0x18, 0x1, 0x1) +r1 = socket$inet6_udp(0xa, 0x2, 0x0) +connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) +connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) +writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) + +It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP +encapsulation, and l2tp_xmit_core doesn't check for overflows when it +assigns the UDP length field. The value gets trimmed to 16 bites. + +Add an overflow check that drops oversized packets and avoids sending +packets with trimmed UDP length to the wire. + +syzbot's stack trace (with my patch applied): + +len >= 65536u +WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 +Modules linked in: +CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] +RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] +RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 +Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f +RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 +RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 +RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff +RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 +R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 +R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 +FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 +Call Trace: + + pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + sock_write_iter+0x503/0x550 net/socket.c:1195 + do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 + vfs_writev+0x33c/0x990 fs/read_write.c:1059 + do_writev+0x154/0x2e0 fs/read_write.c:1105 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f636479c629 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 +RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 +RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 + + +[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/ +Signed-off-by: Alice Mikityanska +Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index e0ca08ebd16a9..3c701795fa100 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + uh->source = inet->inet_sport; + uh->dest = inet->inet_dport; + udp_len = uhlen + session->hdr_len + data_len; ++ if (udp_len > U16_MAX) { ++ kfree_skb(skb); ++ ret = NET_XMIT_DROP; ++ goto out_unlock; ++ } + uh->len = htons(udp_len); + + /* Calculate UDP checksum if configured to do so */ +-- +2.53.0 + diff --git a/queue-6.1/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch b/queue-6.1/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch new file mode 100644 index 0000000000..0867949b83 --- /dev/null +++ b/queue-6.1/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch @@ -0,0 +1,49 @@ +From 7dae2792d097c3dc0fe60e08e07a47ccb505fc44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 10:47:51 +0100 +Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl() + +From: Arnd Bergmann + +[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ] + +The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot +of registers, so when the clang register allocator runs out, it ends up +spilling countless temporaries to the stack: + +drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than] + +Marking this function as noinline_for_stack keeps it out of +rkvdec_vp9_start(), giving the compiler more room for optimization. + +The resulting code is good enough that both the total stack usage +and the loop get enough better to stay under the warning limit, +though it's still slow, and would need a larger rework if this +function ends up being called in a fast path. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/rkvdec/rkvdec-vp9.c b/drivers/staging/media/rkvdec/rkvdec-vp9.c +index cfae99b40ccb4..dc3e6354c7974 100644 +--- a/drivers/staging/media/rkvdec/rkvdec-vp9.c ++++ b/drivers/staging/media/rkvdec/rkvdec-vp9.c +@@ -924,7 +924,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx, + update_ctx_last_info(vp9_ctx); + } + +-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) ++static noinline_for_stack void ++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) + { + struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv; + struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu; +-- +2.53.0 + diff --git a/queue-6.1/net-lapbether-handle-netdev_pre_type_change.patch b/queue-6.1/net-lapbether-handle-netdev_pre_type_change.patch new file mode 100644 index 0000000000..2a5c24956a --- /dev/null +++ b/queue-6.1/net-lapbether-handle-netdev_pre_type_change.patch @@ -0,0 +1,77 @@ +From 8751d140d1bc9ed87f5fb6c446cd19b2e219bee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:35:19 +0000 +Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE + +From: Eric Dumazet + +[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ] + +lapbeth_data_transmit() expects the underlying device type +to be ARPHRD_ETHER. + +Returning NOTIFY_BAD from lapbeth_device_event() makes sure +bonding driver can not break this expectation. + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin Schiller +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index 56326f38fe8a3..da61716a66c46 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth) + static int lapbeth_device_event(struct notifier_block *this, + unsigned long event, void *ptr) + { +- struct lapbethdev *lapbeth; + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct lapbethdev *lapbeth; + + if (dev_net(dev) != &init_net) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev)) ++ lapbeth = lapbeth_get_x25_dev(dev); ++ if (!dev_is_ethdev(dev) && !lapbeth) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: + /* New ethernet device -> new LAPB interface */ +- if (!lapbeth_get_x25_dev(dev)) ++ if (!lapbeth) + lapbeth_new_device(dev); + break; + case NETDEV_GOING_DOWN: + /* ethernet device closes -> close LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + dev_close(lapbeth->axdev); + break; + case NETDEV_UNREGISTER: + /* ethernet device disappears -> remove LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + lapbeth_free_device(lapbeth); + break; ++ case NETDEV_PRE_TYPE_CHANGE: ++ /* Our underlying device type must not change. */ ++ if (lapbeth) ++ return NOTIFY_BAD; + } + + return NOTIFY_DONE; +-- +2.53.0 + diff --git a/queue-6.1/net-sched-act_csum-validate-nested-vlan-headers.patch b/queue-6.1/net-sched-act_csum-validate-nested-vlan-headers.patch new file mode 100644 index 0000000000..bef9f3e29e --- /dev/null +++ b/queue-6.1/net-sched-act_csum-validate-nested-vlan-headers.patch @@ -0,0 +1,60 @@ +From 91fe9d47a09c5872bfb8210556109127a65c1378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 22:46:20 +0800 +Subject: net: sched: act_csum: validate nested VLAN headers + +From: Ruide Cao + +[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ] + +tcf_csum_act() walks nested VLAN headers directly from skb->data when an +skb still carries in-payload VLAN tags. The current code reads +vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without +first ensuring that the full VLAN header is present in the linear area. + +If only part of an inner VLAN header is linearized, accessing +h_vlan_encapsulated_proto reads past the linear area, and the following +skb_pull(VLAN_HLEN) may violate skb invariants. + +Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and +pulling each nested VLAN header. If the header still is not fully +available, drop the packet through the existing error path. + +Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_csum.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 1366adf9b9091..bcef42a3ad645 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -602,8 +602,12 @@ static int tcf_csum_act(struct sk_buff *skb, const struct tc_action *a, + protocol = skb->protocol; + orig_vlan_tag_present = true; + } else { +- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data; ++ struct vlan_hdr *vlan; + ++ if (!pskb_may_pull(skb, VLAN_HLEN)) ++ goto drop; ++ ++ vlan = (struct vlan_hdr *)skb->data; + protocol = vlan->h_vlan_encapsulated_proto; + skb_pull(skb, VLAN_HLEN); + skb_reset_network_header(skb); +-- +2.53.0 + diff --git a/queue-6.1/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch b/queue-6.1/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch new file mode 100644 index 0000000000..0ed1b709a3 --- /dev/null +++ b/queue-6.1/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch @@ -0,0 +1,51 @@ +From 1e3192760ea32ffeb5533a6851aa7af5066f55e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 17:39:47 +0800 +Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets + +From: Zhengchuan Liang + +[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ] + +`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address +and compares it with the low 64 bits of the IPv6 source address. + +The existing guard only rejects an invalid MAC header when +`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` +can still reach `eth_hdr(skb)` even when the MAC header is not valid. + +Fix this by removing the `par->fragoff != 0` condition so that packets +with an invalid MAC header are rejected before accessing `eth_hdr(skb)`. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6t_eui64.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c +index d704f7ed300c2..da69a27e8332c 100644 +--- a/net/ipv6/netfilter/ip6t_eui64.c ++++ b/net/ipv6/netfilter/ip6t_eui64.c +@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) + unsigned char eui64[8]; + + if (!(skb_mac_header(skb) >= skb->head && +- skb_mac_header(skb) + ETH_HLEN <= skb->data) && +- par->fragoff != 0) { ++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) { + par->hotdrop = true; + return false; + } +-- +2.53.0 + diff --git a/queue-6.1/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch b/queue-6.1/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch new file mode 100644 index 0000000000..8f62c0892f --- /dev/null +++ b/queue-6.1/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch @@ -0,0 +1,52 @@ +From 16486484502ba8b84d62ff6772a2503b6e3c3bc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 14:20:57 -0700 +Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE + terminator + +From: Xiang Mei + +[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ] + +When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() +appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via +nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() +helper only zeroes alignment padding after the payload, not the payload +itself, so four bytes of stale kernel heap data are leaked to userspace +in the NLMSG_DONE message body. + +Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes +the nfgenmsg payload via nfnl_fill_hdr(), consistent with how +__build_packet_message() already constructs NFULNL_MSG_PACKET headers. + +Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index 6bf7d7bea1fc2..b7528fa74f3af 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -351,10 +351,10 @@ static void + __nfulnl_send(struct nfulnl_instance *inst) + { + if (inst->qlen > 1) { +- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, +- NLMSG_DONE, +- sizeof(struct nfgenmsg), +- 0); ++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0, ++ NLMSG_DONE, 0, ++ AF_UNSPEC, NFNETLINK_V0, ++ htons(inst->group_num)); + if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", + inst->skb->len, skb_tailroom(inst->skb))) { + kfree_skb(inst->skb); +-- +2.53.0 + diff --git a/queue-6.1/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch b/queue-6.1/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch new file mode 100644 index 0000000000..bfe60457d1 --- /dev/null +++ b/queue-6.1/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch @@ -0,0 +1,161 @@ +From 34b19fa4cae1bf0b844d8229e36aeb3de2c96784 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:10:55 +0100 +Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on + expiry + +From: Florian Westphal + +[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ] + +New test case fails unexpectedly when avx2 matching functions are used. + +The test first loads a ranomly generated pipapo set +with 'ipv4 . port' key, i.e. nft -f foo. + +This works. Then, it reloads the set after a flush: +(echo flush set t s; cat foo) | nft -f - + +This is expected to work, because its the same set after all and it was +already loaded once. + +But with avx2, this fails: nft reports a clashing element. + +The reported clash is of following form: + + We successfully re-inserted + a . b + c . d + +Then we try to insert a . d + +avx2 finds the already existing a . d, which (due to 'flush set') is marked +as invalid in the new generation. It skips the element and moves to next. + +Due to incorrect masking, the skip-step finds the next matching +element *only considering the first field*, + +i.e. we return the already reinserted "a . b", even though the +last field is different and the entry should not have been matched. + +No such error is reported for the generic c implementation (no avx2) or when +the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. + +Bisection points to +7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") +but that fix merely uncovers this bug. + +Before this commit, the wrong element is returned, but erronously +reported as a full, identical duplicate. + +The root-cause is too early return in the avx2 match functions. +When we process the last field, we should continue to process data +until the entire input size has been consumed to make sure no stale +bits remain in the map. + +Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/ +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index be7c16c79f711..2a761a644d4da 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +-- +2.53.0 + diff --git a/queue-6.1/netfilter-xt_multiport-validate-range-encoding-in-ch.patch b/queue-6.1/netfilter-xt_multiport-validate-range-encoding-in-ch.patch new file mode 100644 index 0000000000..38764b4bc2 --- /dev/null +++ b/queue-6.1/netfilter-xt_multiport-validate-range-encoding-in-ch.patch @@ -0,0 +1,99 @@ +From 7e8f06155482ee318c1a48ace915c360e4d53b9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 23:52:52 +0800 +Subject: netfilter: xt_multiport: validate range encoding in checkentry + +From: Ren Wei + +[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ] + +ports_match_v1() treats any non-zero pflags entry as the start of a +port range and unconditionally consumes the next ports[] element as +the range end. + +The checkentry path currently validates protocol, flags and count, but +it does not validate the range encoding itself. As a result, malformed +rules can mark the last slot as a range start or place two range starts +back to back, leaving ports_match_v1() to step past the last valid +ports[] element while interpreting the rule. + +Reject malformed multiport v1 rules in checkentry by validating that +each range start has a following element and that the following element +is not itself marked as another range start. + +Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuhang Zheng +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c +index 44a00f5acde8a..a1691ff405d3c 100644 +--- a/net/netfilter/xt_multiport.c ++++ b/net/netfilter/xt_multiport.c +@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) + return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); + } + ++static bool ++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < multiinfo->count; i++) { ++ if (!multiinfo->pflags[i]) ++ continue; ++ ++ if (++i >= multiinfo->count) ++ return false; ++ ++ if (multiinfo->pflags[i]) ++ return false; ++ ++ if (multiinfo->ports[i - 1] > multiinfo->ports[i]) ++ return false; ++ } ++ ++ return true; ++} ++ + static inline bool + check(u_int16_t proto, + u_int8_t ip_invflags, +@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par) + const struct ipt_ip *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static int multiport_mt6_check(const struct xt_mtchk_param *par) +@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par) + const struct ip6t_ip6 *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static struct xt_match multiport_mt_reg[] __read_mostly = { +-- +2.53.0 + diff --git a/queue-6.1/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch b/queue-6.1/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch new file mode 100644 index 0000000000..9c7de54a9b --- /dev/null +++ b/queue-6.1/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch @@ -0,0 +1,61 @@ +From ece5aa912830392813a1a13a7c2771c1eb388958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 12:21:48 +0800 +Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes + +From: Pengpeng Hou + +[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ] + +s3fwrn82_uart_read() reports the number of accepted bytes to the serdev +core. The current code consumes bytes into recv_skb and may already +deliver a complete frame before allocating a fresh receive buffer. + +If that alloc_skb() fails, the callback returns 0 even though it has +already consumed bytes, and it leaves recv_skb as NULL for the next +receive callback. That breaks the receive_buf() accounting contract and +can also lead to a NULL dereference on the next skb_put_u8(). + +Allocate the receive skb lazily before consuming the next byte instead. +If allocation fails, return the number of bytes already accepted. + +Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface") +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/uart.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c +index 82ea35d748a5d..dde1a87ed1e47 100644 +--- a/drivers/nfc/s3fwrn5/uart.c ++++ b/drivers/nfc/s3fwrn5/uart.c +@@ -59,6 +59,12 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev, + size_t i; + + for (i = 0; i < count; i++) { ++ if (!phy->recv_skb) { ++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); ++ if (!phy->recv_skb) ++ return i; ++ } ++ + skb_put_u8(phy->recv_skb, *data++); + + if (phy->recv_skb->len < S3FWRN82_NCI_HEADER) +@@ -70,9 +76,7 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev, + + s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb, + phy->common.mode); +- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); +- if (!phy->recv_skb) +- return 0; ++ phy->recv_skb = NULL; + } + + return i; +-- +2.53.0 + diff --git a/queue-6.1/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch b/queue-6.1/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch new file mode 100644 index 0000000000..2ee5a21941 --- /dev/null +++ b/queue-6.1/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch @@ -0,0 +1,57 @@ +From 70bde1e8781dbac58888d0c2440e498ccf58abf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 14:07:42 -0700 +Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info + +From: Long Li + +[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ] + +When hv_pci_assign_numa_node() processes a device that does not have +HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range +virtual_numa_node, the device NUMA node is left unset. On x86_64, +the uninitialized default happens to be 0, but on ARM64 it is +NUMA_NO_NODE (-1). + +Tests show that when no NUMA information is available from the Hyper-V +host, devices perform best when assigned to node 0. With NUMA_NO_NODE +the kernel may spread work across NUMA nodes, which degrades +performance on Hyper-V, particularly for high-throughput devices like +MANA. + +Always set the device NUMA node to 0 before the conditional NUMA +affinity check, so that devices get a performant default when the host +provides no NUMA information, and behavior is consistent on both +x86_64 and ARM64. + +Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2") +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index 09491d06589ee..58430ca37bbdf 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -2291,6 +2291,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus) + if (!hv_dev) + continue; + ++ /* ++ * If the Hyper-V host doesn't provide a NUMA node for the ++ * device, default to node 0. With NUMA_NO_NODE the kernel ++ * may spread work across NUMA nodes, which degrades ++ * performance on Hyper-V. ++ */ ++ set_dev_node(&dev->dev, 0); ++ + if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY && + hv_dev->desc.virtual_numa_node < num_possible_nodes()) + /* +-- +2.53.0 + diff --git a/queue-6.1/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch b/queue-6.1/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch new file mode 100644 index 0000000000..fab532e61b --- /dev/null +++ b/queue-6.1/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch @@ -0,0 +1,47 @@ +From 2a16b37b9cd34b9aa5c9226d340f12781a4e96cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:40:48 -0700 +Subject: perf/x86/intel/uncore: Skip discovery table for offline dies + +From: Zide Chen + +[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ] + +This warning can be triggered if NUMA is disabled and the system +boots with fewer CPUs than the number of CPUs in die 0. + +WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore] + +Currently, the discovery table continues to be parsed even if all CPUs +in the associated die are offline. This can lead to an array overflow +at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may +trigger the warning above or cause other issues. + +Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables") +Reported-by: Steve Wahl +Signed-off-by: Zide Chen +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dapeng Mi +Tested-by: Steve Wahl +Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_discovery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c +index 7d454141433c8..a78899a27dcb4 100644 +--- a/arch/x86/events/intel/uncore_discovery.c ++++ b/arch/x86/events/intel/uncore_discovery.c +@@ -311,7 +311,7 @@ bool intel_uncore_has_discovery_tables(void) + (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP; + + die = get_device_die_id(dev); +- if (die < 0) ++ if ((die < 0) || (die >= uncore_max_dies())) + continue; + + parse_discovery_table(dev, die, bar_offset, &parsed); +-- +2.53.0 + diff --git a/queue-6.1/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch b/queue-6.1/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch new file mode 100644 index 0000000000..a4bc57bfdd --- /dev/null +++ b/queue-6.1/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch @@ -0,0 +1,35 @@ +From 3e1188fa84d4c71f8c5f5767bc32584d9a06a3b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 18:14:04 +0100 +Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW + debouncer) + +From: Andy Shevchenko + +[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ] + +The 1kOhm pull down and hardware debouncer are features of the revision 0.92 +of the Chassis specification. Fix that in the code accordingly. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index 8542053d4d6d0..2c357a69e0345 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1547,7 +1547,7 @@ static int intel_pinctrl_probe(struct platform_device *pdev, + value = readl(regs + REVID); + if (value == ~0u) + return -ENODEV; +- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) { ++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) { + community->features |= PINCTRL_FEATURE_DEBOUNCE; + community->features |= PINCTRL_FEATURE_1K_PD; + } +-- +2.53.0 + diff --git a/queue-6.1/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch b/queue-6.1/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch new file mode 100644 index 0000000000..5f00a62a85 --- /dev/null +++ b/queue-6.1/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch @@ -0,0 +1,45 @@ +From 9a7aa012563bbff7078eebb4631b1388d65acc19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 22:29:19 +0100 +Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check + +From: Daniel Golle + +[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ] + +The querier-interval test adds h1 (currently a slave of the VRF created +by simple_if_init) to a temporary bridge br1 acting as an outside IGMP +querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev() +on every slave add and remove, toggling the interface admin-down then up. +Phylink takes the PHY down during the admin-down half of that cycle. +Since h1 and swp1 are cable-connected, swp1 also loses its link may need +several seconds to re-negotiate. + +Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the +test can rely on the link being back up at this point. + +Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests") +Signed-off-by: Daniel Golle +Reviewed-by: Alexander Sverdlin +Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +index 8748d1b1d95b7..cc0a6e46457d9 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +@@ -411,6 +411,7 @@ vlmc_querier_intvl_test() + bridge vlan add vid 10 dev br1 self pvid untagged + ip link set dev $h1 master br1 + ip link set dev br1 up ++ setup_wait_dev $h1 0 + bridge vlan add vid 10 dev $h1 master + bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1 + sleep 2 +-- +2.53.0 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..fcd599d422 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,54 @@ +asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch +alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch +media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch +alsa-asihpi-avoid-write-overflow-check-warning.patch +asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch +asoc-sof-topology-reject-invalid-vendor-array-size-i.patch +can-mcp251x-add-error-handling-for-power-enable-in-o.patch +btrfs-tracepoints-get-correct-superblock-from-dentry.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch +netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch +alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch +wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch +asoc-soc-core-call-missing-init_list_head-for-card_a.patch +alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch +fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch +asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch +pinctrl-intel-fix-the-revision-for-new-features-1koh.patch +hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch +hid-roccat-fix-use-after-free-in-roccat_report_event.patch +ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch +wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch +soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch +arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch +pci-hv-set-default-numa-node-to-0-for-devices-withou.patch +drm-vc4-release-runtime-pm-reference-after-binding-v.patch +drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch +drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch +drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch +epoll-use-refcount-to-reduce-ep_mutex-contention.patch +eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch +net-sched-act_csum-validate-nested-vlan-headers.patch +net-lapbether-handle-netdev_pre_type_change.patch +ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch +nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch +dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch +tracing-probe-reject-non-closed-empty-immediate-stri.patch +ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch +e1000-check-return-value-of-e1000_read_eeprom.patch +xsk-tighten-umem-headroom-validation-to-account-for-.patch +xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch +xfrm_user-fix-info-leak-in-build_mapping.patch +selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch +netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch +netfilter-xt_multiport-validate-range-encoding-in-ch.patch +netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch +af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch +l2tp-drop-large-packets-with-udp-encap.patch +gpio-tegra-fix-irq_release_resources-calling-enable-.patch +perf-x86-intel-uncore-skip-discovery-table-for-offli.patch +clockevents-prevent-timer-interrupt-starvation.patch +crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch diff --git a/queue-6.1/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch b/queue-6.1/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch new file mode 100644 index 0000000000..36087074f8 --- /dev/null +++ b/queue-6.1/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch @@ -0,0 +1,46 @@ +From 7c571ce36b7d86dad67087efa36a81649e153ad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:37:56 +0800 +Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching + +From: Potin Lai + +[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ] + +The siliconid_to_name() function currently masks the input silicon ID +with 0xff00ffff, but compares it against unmasked table entries. This +causes matching to fail if the table entries contain non-zero values in +the bits covered by the mask (bits 16-23). + +Update the logic to apply the 0xff00ffff mask to the table entries +during comparison. This ensures that only the relevant model and +revision bits are considered, providing a consistent match across +different manufacturing batches. + +[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference] + +Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver") +Signed-off-by: Potin Lai +Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-socinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c +index 67e9ac3d08ecc..a90b100f4d101 100644 +--- a/drivers/soc/aspeed/aspeed-socinfo.c ++++ b/drivers/soc/aspeed/aspeed-socinfo.c +@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid) + unsigned int i; + + for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) { +- if (rev_table[i].id == id) ++ if ((rev_table[i].id & 0xff00ffff) == id) + return rev_table[i].name; + } + +-- +2.53.0 + diff --git a/queue-6.1/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch b/queue-6.1/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch new file mode 100644 index 0000000000..c79f57684e --- /dev/null +++ b/queue-6.1/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch @@ -0,0 +1,134 @@ +From 23a2bb06dfb4a8f3ed5996cb57df6f5eb7aa53e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 20:14:18 -0400 +Subject: srcu: Use irq_work to start GP in tiny SRCU + +From: Joel Fernandes + +[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ] + +Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), +which acquires the workqueue pool->lock. + +This causes a lockdep splat when call_srcu() is called with a scheduler +lock held, due to: + + call_srcu() [holding pi_lock] + srcu_gp_start_if_needed() + schedule_work() -> pool->lock + + workqueue_init() / create_worker() [holding pool->lock] + wake_up_process() -> try_to_wake_up() -> pi_lock + +Also add irq_work_sync() to cleanup_srcu_struct() to prevent a +use-after-free if a queued irq_work fires after cleanup begins. + +Tested with rcutorture SRCU-T and no lockdep warnings. + +[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work +to start process_srcu()" ] + +Signed-off-by: Joel Fernandes +Reviewed-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + include/linux/srcutiny.h | 4 ++++ + kernel/rcu/srcutiny.c | 19 ++++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h +index 5aa5e0faf6a12..a351d0a365c4b 100644 +--- a/include/linux/srcutiny.h ++++ b/include/linux/srcutiny.h +@@ -11,6 +11,7 @@ + #ifndef _LINUX_SRCU_TINY_H + #define _LINUX_SRCU_TINY_H + ++#include + #include + + struct srcu_struct { +@@ -24,18 +25,21 @@ struct srcu_struct { + struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */ + struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */ + struct work_struct srcu_work; /* For driving grace periods. */ ++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */ + #ifdef CONFIG_DEBUG_LOCK_ALLOC + struct lockdep_map dep_map; + #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */ + }; + + void srcu_drive_gp(struct work_struct *wp); ++void srcu_tiny_irq_work(struct irq_work *irq_work); + + #define __SRCU_STRUCT_INIT(name, __ignored) \ + { \ + .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \ + .srcu_cb_tail = &name.srcu_cb_head, \ + .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \ ++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \ + __SRCU_DEP_MAP_INIT(name) \ + } + +diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c +index 5e7f336baa06a..9c416bfe6cc80 100644 +--- a/kernel/rcu/srcutiny.c ++++ b/kernel/rcu/srcutiny.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp) + ssp->srcu_idx_max = 0; + INIT_WORK(&ssp->srcu_work, srcu_drive_gp); + INIT_LIST_HEAD(&ssp->srcu_work.entry); ++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work); + return 0; + } + +@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct); + void cleanup_srcu_struct(struct srcu_struct *ssp) + { + WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]); ++ irq_work_sync(&ssp->srcu_irq_work); + flush_work(&ssp->srcu_work); + WARN_ON(ssp->srcu_gp_running); + WARN_ON(ssp->srcu_gp_waiting); +@@ -156,6 +159,20 @@ void srcu_drive_gp(struct work_struct *wp) + } + EXPORT_SYMBOL_GPL(srcu_drive_gp); + ++/* ++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue ++ * pool->lock while the caller might hold scheduler locks, causing lockdep ++ * splats due to workqueue_init() doing a wakeup. ++ */ ++void srcu_tiny_irq_work(struct irq_work *irq_work) ++{ ++ struct srcu_struct *ssp; ++ ++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work); ++ schedule_work(&ssp->srcu_work); ++} ++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work); ++ + static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + { + unsigned long cookie; +@@ -166,7 +183,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + WRITE_ONCE(ssp->srcu_idx_max, cookie); + if (!READ_ONCE(ssp->srcu_gp_running)) { + if (likely(srcu_init_done)) +- schedule_work(&ssp->srcu_work); ++ irq_work_queue(&ssp->srcu_irq_work); + else if (list_empty(&ssp->srcu_work.entry)) + list_add(&ssp->srcu_work.entry, &srcu_boot_list); + } +-- +2.53.0 + diff --git a/queue-6.1/tracing-probe-reject-non-closed-empty-immediate-stri.patch b/queue-6.1/tracing-probe-reject-non-closed-empty-immediate-stri.patch new file mode 100644 index 0000000000..dc04ca0145 --- /dev/null +++ b/queue-6.1/tracing-probe-reject-non-closed-empty-immediate-stri.patch @@ -0,0 +1,43 @@ +From 8cc5bdf18e358afbb90cfc26ed73edb725a5df09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 00:03:15 +0800 +Subject: tracing/probe: reject non-closed empty immediate strings + +From: Pengpeng Hou + +[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ] + +parse_probe_arg() accepts quoted immediate strings and passes the body +after the opening quote to __parse_imm_string(). That helper currently +computes strlen(str) and immediately dereferences str[len - 1], which +underflows when the body is empty and not closed with double-quotation. + +Reject empty non-closed immediate strings before checking for the closing quote. + +Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/ + +Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support") +Signed-off-by: Pengpeng Hou +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 3888a59c9dfe9..280e3d0f61b29 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -366,7 +366,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs) + { + size_t len = strlen(str); + +- if (str[len - 1] != '"') { ++ if (!len || str[len - 1] != '"') { + trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE); + return -EINVAL; + } +-- +2.53.0 + diff --git a/queue-6.1/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch b/queue-6.1/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch new file mode 100644 index 0000000000..40d6efe98d --- /dev/null +++ b/queue-6.1/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch @@ -0,0 +1,45 @@ +From f979d6958c1b6e91b82427f8db3263fcec7a760b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 15:45:51 +0800 +Subject: wifi: brcmfmac: validate bsscfg indices in IF events + +From: Pengpeng Hou + +[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ] + +brcmf_fweh_handle_if_event() validates the firmware-provided interface +index before it touches drvr->iflist[], but it still uses the raw +bsscfgidx field as an array index without a matching range check. + +Reject IF events whose bsscfg index does not fit in drvr->iflist[] +before indexing the interface array. + +Signed-off-by: Pengpeng Hou +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn +[add missing wifi prefix] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index dac7eb77799bd..e6be192dc0af2 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr, + bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx); + return; + } ++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) { ++ bphy_err(drvr, "invalid bsscfg index: %u\n", ++ ifevent->bsscfgidx); ++ return; ++ } + + ifp = drvr->iflist[ifevent->bsscfgidx]; + +-- +2.53.0 + diff --git a/queue-6.1/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch b/queue-6.1/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch new file mode 100644 index 0000000000..02fc63567a --- /dev/null +++ b/queue-6.1/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch @@ -0,0 +1,51 @@ +From 988fd9cfa7fa215876975f07d7c4afea7e2574c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:08:45 +0800 +Subject: wifi: wl1251: validate packet IDs before indexing tx_frames + +From: Pengpeng Hou + +[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ] + +wl1251_tx_packet_cb() uses the firmware completion ID directly to index +the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the +completion block, and the callback does not currently verify that it +fits the array before dereferencing it. + +Reject completion IDs that fall outside wl->tx_frames[] and keep the +existing NULL check in the same guard. This keeps the fix local to the +trust boundary and avoids touching the rest of the completion flow. + +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c +index 06dc74cc6cb52..2b316c78eefc9 100644 +--- a/drivers/net/wireless/ti/wl1251/tx.c ++++ b/drivers/net/wireless/ti/wl1251/tx.c +@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl, + int hdrlen; + u8 *frame; + +- skb = wl->tx_frames[result->id]; +- if (skb == NULL) { +- wl1251_error("SKB for packet %d is NULL", result->id); ++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) || ++ wl->tx_frames[result->id] == NULL)) { ++ wl1251_error("invalid packet id %u", result->id); + return; + } + ++ skb = wl->tx_frames[result->id]; ++ + info = IEEE80211_SKB_CB(skb); + + if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) && +-- +2.53.0 + diff --git a/queue-6.1/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch b/queue-6.1/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch new file mode 100644 index 0000000000..c635524125 --- /dev/null +++ b/queue-6.1/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch @@ -0,0 +1,43 @@ +From e62b6de563ec799c4b8321961dd7628c12bc529d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 13:31:04 +0200 +Subject: xfrm: Wait for RCU readers during policy netns exit + +From: Steffen Klassert + +[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ] + +xfrm_policy_fini() frees the policy_bydst hash tables after flushing the +policy work items and deleting all policies, but it does not wait for +concurrent RCU readers to leave their read-side critical sections first. + +The policy_bydst tables are published via rcu_assign_pointer() and are +looked up through rcu_dereference_check(), so netns teardown must also +wait for an RCU grace period before freeing the table memory. + +Fix this by adding synchronize_rcu() before freeing the policy hash tables. + +Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups") +Signed-off-by: Steffen Klassert +Reviewed-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index cd534803a0e42..7b9151f4eccfd 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4129,6 +4129,8 @@ static void xfrm_policy_fini(struct net *net) + #endif + xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); + ++ synchronize_rcu(); ++ + WARN_ON(!list_empty(&net->xfrm.policy_all)); + + for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { +-- +2.53.0 + diff --git a/queue-6.1/xfrm_user-fix-info-leak-in-build_mapping.patch b/queue-6.1/xfrm_user-fix-info-leak-in-build_mapping.patch new file mode 100644 index 0000000000..0765dc4bb0 --- /dev/null +++ b/queue-6.1/xfrm_user-fix-info-leak-in-build_mapping.patch @@ -0,0 +1,45 @@ +From 35c261ca8985403264d9a5e705c720c9c674a4d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 17:33:03 +0200 +Subject: xfrm_user: fix info leak in build_mapping() + +From: Greg Kroah-Hartman + +[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ] + +struct xfrm_usersa_id has a one-byte padding hole after the proto +field, which ends up never getting set to zero before copying out to +userspace. Fix that up by zeroing out the whole structure before +setting individual variables. + +Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink") +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 64137facd128e..9d22a7753f080 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -3729,6 +3729,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, + + um = nlmsg_data(nlh); + ++ memset(&um->id, 0, sizeof(um->id)); + memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); + um->id.spi = x->id.spi; + um->id.family = x->props.family; +-- +2.53.0 + diff --git a/queue-6.1/xsk-tighten-umem-headroom-validation-to-account-for-.patch b/queue-6.1/xsk-tighten-umem-headroom-validation-to-account-for-.patch new file mode 100644 index 0000000000..3788cc47a4 --- /dev/null +++ b/queue-6.1/xsk-tighten-umem-headroom-validation-to-account-for-.patch @@ -0,0 +1,53 @@ +From c074c246194446b4afb0b3afb24a418a06fada2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:51 +0200 +Subject: xsk: tighten UMEM headroom validation to account for tailroom and min + frame +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ] + +The current headroom validation in xdp_umem_reg() could leave us with +insufficient space dedicated to even receive minimum-sized ethernet +frame. Furthermore if multi-buffer would come to play then +skb_shared_info stored at the end of XSK frame would be corrupted. + +HW typically works with 128-aligned sizes so let us provide this value +as bare minimum. + +Multi-buffer setting is known later in the configuration process so +besides accounting for 128 bytes, let us also take care of tailroom space +upfront. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 02207e852d796..561290f9e68b5 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -196,7 +196,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (!unaligned_chunks && chunks_rem) + return -EINVAL; + +- if (headroom >= chunk_size - XDP_PACKET_HEADROOM) ++ if (headroom > chunk_size - XDP_PACKET_HEADROOM - ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128) + return -EINVAL; + + umem->size = size; +-- +2.53.0 + diff --git a/queue-6.12/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch b/queue-6.12/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch new file mode 100644 index 0000000000..6a2ee84557 --- /dev/null +++ b/queue-6.12/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch @@ -0,0 +1,75 @@ +From f18995fcfbb9e2639f0d302ca2cd8216e118ef07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 16:00:14 +0800 +Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock + +From: Jiexun Wang + +[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ] + +Exact UNIX diag lookups hold a reference to the socket, but not to +u->path. Meanwhile, unix_release_sock() clears u->path under +unix_state_lock() and drops the path reference after unlocking. + +Read the inode and device numbers for UNIX_DIAG_VFS while holding +unix_state_lock(), then emit the netlink attribute after dropping the +lock. + +This keeps the VFS data stable while the reply is being built. + +Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 9138af8b465e0..6a06a251a2348 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -26,18 +26,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + + static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) + { +- struct dentry *dentry = unix_sk(sk)->path.dentry; ++ struct unix_diag_vfs uv; ++ struct dentry *dentry; ++ bool have_vfs = false; + ++ unix_state_lock(sk); ++ dentry = unix_sk(sk)->path.dentry; + if (dentry) { +- struct unix_diag_vfs uv = { +- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, +- .udiag_vfs_dev = dentry->d_sb->s_dev, +- }; +- +- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); ++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino; ++ uv.udiag_vfs_dev = dentry->d_sb->s_dev; ++ have_vfs = true; + } ++ unix_state_unlock(sk); + +- return 0; ++ if (!have_vfs) ++ return 0; ++ ++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); + } + + static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb) +-- +2.53.0 + diff --git a/queue-6.12/alsa-asihpi-avoid-write-overflow-check-warning.patch b/queue-6.12/alsa-asihpi-avoid-write-overflow-check-warning.patch new file mode 100644 index 0000000000..ca38049d9f --- /dev/null +++ b/queue-6.12/alsa-asihpi-avoid-write-overflow-check-warning.patch @@ -0,0 +1,55 @@ +From bf1fbcc3bb22597b036bf6203ded9535e8da8eb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 13:40:07 +0100 +Subject: ALSA: asihpi: avoid write overflow check warning + +From: Arnd Bergmann + +[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ] + +clang-22 rightfully warns that the memcpy() in adapter_prepare() copies +between different structures, crossing the boundary of nested +structures inside it: + +In file included from sound/pci/asihpi/hpimsgx.c:13: +In file included from include/linux/string.h:386: +include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + 569 | __write_overflow_field(p_size_field, size); + +The two structures seem to refer to the same layout, despite the +separate definitions, so the code is in fact correct. + +Avoid the warning by copying the two inner structures separately. +I see the same pattern happens in other functions in the same file, +so there is a chance that this may come back in the future, but +this instance is the only one that I saw in practice, hitting it +multiple times per day in randconfig build. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpimsgx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c +index b68e6bfbbfbab..ed1c7b7744361 100644 +--- a/sound/pci/asihpi/hpimsgx.c ++++ b/sound/pci/asihpi/hpimsgx.c +@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter) + HPI_ADAPTER_OPEN); + hm.adapter_index = adapter; + hw_entry_point(&hm, &hr); +- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr, +- sizeof(rESP_HPI_ADAPTER_OPEN[0])); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h)); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a)); + if (hr.error) + return hr.error; + +-- +2.53.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch b/queue-6.12/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch new file mode 100644 index 0000000000..c85df1d365 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch @@ -0,0 +1,36 @@ +From 0c8ced7b198d47919f77e8b44a1e1fb3ed845804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 01:08:51 +0000 +Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk + +From: Andrii Kovalchuk + +[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ] + +Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756) +to enable proper mute LED and mic mute behavior using the +ALC245_FIXUP_HP_X360_MUTE_LEDS fixup. + +Signed-off-by: Andrii Kovalchuk +Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index fad159187f445..0dd789119f96b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10895,6 +10895,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED), +-- +2.53.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-6.12/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..1a70515da8 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch @@ -0,0 +1,45 @@ +From a0362a43f1f2fb4fcb8990839d6aeedbf94fc17f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Mar 2026 10:36:03 -0500 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: César Montoya + +[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ] + +The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek +ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The +existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly, +but the subsystem ID was missing from the quirk table. + +GPIO pin confirmed via manual hda-verb testing: + hda-verb SET_GPIO_MASK 0x10 + hda-verb SET_GPIO_DIRECTION 0x10 + hda-verb SET_GPIO_DATA 0x10 + +Signed-off-by: César Montoya +Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 96df0d12b68dc..440ec4e1528ae 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10909,6 +10909,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch b/queue-6.12/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch new file mode 100644 index 0000000000..5a947c100f --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch @@ -0,0 +1,35 @@ +From 14bc5c1f22a357f6988133a271dd4dfd422b2974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:25:03 -0700 +Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC + +From: Matthew Schwartz + +[ Upstream commit 59f68dc1d8df3142cb58fd2568966a9bb7b0ed8a ] + +Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model, +similar to the ASUS ROG Flow Z13 GZ302EA. + +Signed-off-by: Matthew Schwartz +Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 0dd789119f96b..96df0d12b68dc 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11197,6 +11197,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x1514, "ASUS ROG Flow Z13 GZ302EAC", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC), +-- +2.53.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch b/queue-6.12/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch new file mode 100644 index 0000000000..dc525eb55e --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch @@ -0,0 +1,38 @@ +From 023b4ea94fc10754c8bb23ba4003b489e234d3d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 10:54:40 -0500 +Subject: ALSA: hda/realtek: add quirk for Framework F111:000F + +From: Dustin L. Howett + +[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ] + +Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for +Framework F111:000C") and previous quirks for Framework systems with +Realtek codecs. + +000F is another new platform with an ALC285 which needs the same quirk. + +Signed-off-by: Dustin L. Howett +Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 440ec4e1528ae..2a32e1ead5e86 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11671,6 +11671,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 + /* Below is a quirk table taken from the old code. +-- +2.53.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch b/queue-6.12/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch new file mode 100644 index 0000000000..68d68c838e --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch @@ -0,0 +1,58 @@ +From 552931f0e407ed3caba6cf1a51de67d4e8a3e121 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 11:29:28 +0300 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9 + +From: Alexander Savenko + +[ Upstream commit 217d5bc9f96272316ac5a3215c7cc32a5127bbf3 ] + +The Lenovo Yoga Pro 7 14IMH9 (DMI: 83E2) shares PCI SSID 17aa:3847 +with the Legion 7 16ACHG6, but has a different codec subsystem ID +(17aa:38cf). The existing SND_PCI_QUIRK for 17aa:3847 applies +ALC287_FIXUP_LEGION_16ACHG6, which attempts to initialize an external +I2C amplifier (CLSA0100) that is not present on the Yoga Pro 7 14IMH9. + +As a result, pin 0x17 (bass speakers) is connected to DAC 0x06 which +has no volume control, making hardware volume adjustment completely +non-functional. Audio is either silent or at maximum volume regardless +of the slider position. + +Add a HDA_CODEC_QUIRK entry using the codec subsystem ID (17aa:38cf) +to correctly identify the Yoga Pro 7 14IMH9 and apply +ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN, which redirects pin 0x17 to +DAC 0x02 and restores proper volume control. The existing Legion entry +is preserved unchanged. + +This follows the same pattern used for 17aa:386e, where Legion Y9000X +and Yoga Pro 7 14ARP8 share a PCI SSID but are distinguished via +HDA_CODEC_QUIRK. + +Link: https://github.com/nomad4tech/lenovo-yoga-pro-7-linux +Tested-by: Alexander Savenko +Signed-off-by: Alexander Savenko +Link: https://patch.msgid.link/20260331082929.44890-1-alex.sav4387@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 04e10da997b53..b73c2741f8ae7 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11524,6 +11524,10 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x383d, "Legion Y9000X 2019", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3843, "Lenovo Yoga 9i / Yoga Book 9i", ALC287_FIXUP_LENOVO_YOGA_BOOK_9I), ++ /* Yoga Pro 7 14IMH9 shares PCI SSID 17aa:3847 with Legion 7 16ACHG6; ++ * use codec SSID to distinguish them ++ */ ++ HDA_CODEC_QUIRK(0x17aa, 0x38cf, "Lenovo Yoga Pro 7 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3847, "Legion 7 16ACHG6", ALC287_FIXUP_LEGION_16ACHG6), + SND_PCI_QUIRK(0x17aa, 0x384a, "Lenovo Yoga 7 15ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3852, "Lenovo Yoga 7 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), +-- +2.53.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-5945 b/queue-6.12/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-5945 new file mode 100644 index 0000000000..a7f6d4dd15 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-5945 @@ -0,0 +1,41 @@ +From 6b358c6c1a89f075ed34024e5f9bb2baef4714b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 09:26:51 +0800 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 + +From: songxiebing + +[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ] + +The bass speakers are not working, and add the following entry +in /etc/modprobe.d/snd.conf: +options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin +Fixes the bass speakers. + +So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here. + +Reported-by: Fernando Garcia Corona +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317 +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index b73c2741f8ae7..4cab9696fdab0 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11587,6 +11587,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38fd, "ThinkBook plus Gen5 Hybrid", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), + SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3920, "Yoga S990-16 pro Quad VECO Quad", ALC287_FIXUP_TAS2781_I2C), +-- +2.53.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch b/queue-6.12/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch new file mode 100644 index 0000000000..083a6acabb --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch @@ -0,0 +1,36 @@ +From dbee0af6d8e358aeec021a64130630242403240d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 18:22:20 +0200 +Subject: ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED) + +From: Takashi Iwai + +[ Upstream commit ea31be8a2c8c99eac198f3b7f2dc770111f2b182 ] + +There is another Book2 Pro model (NP950QED) that seems equipped with +the same speaker module as the non-360 model, which requires +ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS quirk. + +Reported-by: Throw +Link: https://patch.msgid.link/20260330162249.147665-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 2a32e1ead5e86..04e10da997b53 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11335,6 +11335,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc1ac, "Samsung Galaxy Book2 Pro 360 (NP950QED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS), + SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP), +-- +2.53.0 + diff --git a/queue-6.12/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch b/queue-6.12/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch new file mode 100644 index 0000000000..c8438a10d3 --- /dev/null +++ b/queue-6.12/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch @@ -0,0 +1,41 @@ +From 8519c8a9b1fbdef3be0d7cccebbb41dad5cbef9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2026 08:07:34 +0000 +Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex + +From: Phil Willoughby + +[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ] + +The NeuralDSP Quad Cortex does not support DSD playback. We need +this product-specific entry with zero quirks because otherwise it +falls through to the vendor-specific entry which marks it as +supporting DSD playback. + +Cc: Yue Wang +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Signed-off-by: Phil Willoughby +Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 5c3a97ea46e04..fb81dcd6ca2ac 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2285,6 +2285,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */ + QUIRK_FLAG_IGNORE_CTL_ERROR), ++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */ ++ 0), /* Doesn't have the vendor quirk which would otherwise apply */ + DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */ + QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY), + DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */ +-- +2.53.0 + diff --git a/queue-6.12/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch b/queue-6.12/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch new file mode 100644 index 0000000000..c3c1c6e83f --- /dev/null +++ b/queue-6.12/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch @@ -0,0 +1,39 @@ +From 2ff8c8e667a15b7ae3d6eea1f616099f92472a2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 00:28:28 +0100 +Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency + +From: Sebastian Krzyszkowiak + +[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ] + +According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum +frequency is 400MHz. + +Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node") +Reviewed-by: Frank Li +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Peng Fan +Reviewed-by: Fabio Estevam +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index e03186bbc4152..c4395de0df762 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -1636,7 +1636,7 @@ gpu: gpu@38000000 { + <&clk IMX8MQ_GPU_PLL_OUT>, + <&clk IMX8MQ_GPU_PLL>; + assigned-clock-rates = <800000000>, <800000000>, +- <800000000>, <800000000>, <0>; ++ <800000000>, <400000000>, <0>; + power-domains = <&pgc_gpu>; + }; + +-- +2.53.0 + diff --git a/queue-6.12/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch b/queue-6.12/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch new file mode 100644 index 0000000000..8d3b621c54 --- /dev/null +++ b/queue-6.12/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch @@ -0,0 +1,56 @@ +From a60666dea5bb69d4fcdd2218aab05620606dd0d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 19:23:08 +0800 +Subject: arm64: dts: imx93-9x9-qsb: change usdhc tuning step for eMMC and SD + +From: Luke Wang + +[ Upstream commit 08903184553def7ba1ad6ba4fa8afe1ba2ee0a21 ] + +During system resume, the following errors occurred: + + [ 430.638625] mmc1: error -84 writing Cache Enable bit + [ 430.643618] mmc1: error -84 doing runtime resume + +For eMMC and SD, there are two tuning pass windows and the gap between +those two windows may only have one cell. If tuning step > 1, the gap may +just be skipped and host assumes those two windows as a continuous +windows. This will cause a wrong delay cell near the gap to be selected. + +Set the tuning step to 1 to avoid selecting the wrong delay cell. + +For SDIO, the gap is sufficiently large, so the default tuning step does +not cause this issue. + +Fixes: 0565d20cd8c2 ("arm64: dts: freescale: Support i.MX93 9x9 Quick Start Board") +Signed-off-by: Luke Wang +Reviewed-by: Frank Li +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts +index f8a73612fa051..8856835834a04 100644 +--- a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts ++++ b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts +@@ -311,6 +311,7 @@ &usdhc1 { + pinctrl-2 = <&pinctrl_usdhc1_200mhz>; + bus-width = <8>; + non-removable; ++ fsl,tuning-step = <1>; + status = "okay"; + }; + +@@ -323,6 +324,7 @@ &usdhc2 { + vmmc-supply = <®_usdhc2_vmmc>; + bus-width = <4>; + no-mmc; ++ fsl,tuning-step = <1>; + status = "okay"; + }; + +-- +2.53.0 + diff --git a/queue-6.12/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch b/queue-6.12/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch new file mode 100644 index 0000000000..c61b57a337 --- /dev/null +++ b/queue-6.12/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch @@ -0,0 +1,67 @@ +From b221bcfd91dc2c03cf34bc07eabf2d1a60c46df2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 16:50:14 +0100 +Subject: arm64: dts: imx93-tqma9352: improve eMMC pad configuration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Niebel + +[ Upstream commit b6c94c71f349479b76fcc0ef0dc7147f3f326dff ] + +Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve +stability and detection at low temperatures under -25°C. + +Fixes: 0b5fdfaa8e45 ("arm64: dts: freescale: imx93-tqma9352: set SION for cmd and data pad of USDHC") +Signed-off-by: Markus Niebel +Signed-off-by: Alexander Stein +Reviewed-by: Frank Li +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + .../boot/dts/freescale/imx93-tqma9352.dtsi | 26 +++++++++---------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi +index 09385b058664c..f189685370cc8 100644 +--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi +@@ -273,21 +273,21 @@ MX93_PAD_SD2_RESET_B__GPIO3_IO07 0x106 + /* enable SION for data and cmd pad due to ERR052021 */ + pinctrl_usdhc1: usdhc1grp { + fsl,pins = < +- /* PD | FSEL 3 | DSE X5 */ +- MX93_PAD_SD1_CLK__USDHC1_CLK 0x5be ++ /* PD | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_CLK__USDHC1_CLK 0x59e + /* HYS | FSEL 0 | no drive */ + MX93_PAD_SD1_STROBE__USDHC1_STROBE 0x1000 +- /* HYS | FSEL 3 | X5 */ +- MX93_PAD_SD1_CMD__USDHC1_CMD 0x400011be +- /* HYS | FSEL 3 | X4 */ +- MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000119e +- MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000119e +- MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000119e +- MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000119e +- MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000119e +- MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000119e +- MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000119e +- MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000119e ++ /* HYS | PU | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_CMD__USDHC1_CMD 0x4000139e ++ /* HYS | PU | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000139e ++ MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000139e ++ MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000139e ++ MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000139e ++ MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000139e ++ MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000139e ++ MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000139e ++ MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000139e + >; + }; + +-- +2.53.0 + diff --git a/queue-6.12/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch b/queue-6.12/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch new file mode 100644 index 0000000000..f981f5cda9 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch @@ -0,0 +1,49 @@ +From c134611700e7b77a5cff6cc0e5f800308f12bddf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Feb 2026 20:44:58 +0800 +Subject: arm64: dts: qcom: hamoa/x1: fix idle exit latency + +From: Daniel J Blueman + +[ Upstream commit 3ecea84d2b90bbf934d5ca75514fa902fd71e03f ] + +Designs based on the Qualcomm X1 Hamoa reference platform report: +driver: Idle state 1 target residency too low + +This is because the declared X1 idle entry plus exit latency of 680us +exceeds the declared minimum 600us residency time: + entry-latency-us = <180>; + exit-latency-us = <500>; + min-residency-us = <600>; + +Fix this to be 320us so the sum of the entry and exit latencies matches +the downstream 500us exit latency, as directed by Maulik. + +Tested on a Lenovo Yoga Slim 7x with Qualcomm X1E-80-100. + +Fixes: 2e65616ef07f ("arm64: dts: qcom: x1e80100: Update C4/C5 residency/exit numbers") +Signed-off-by: Daniel J Blueman +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20260220124626.8611-1-daniel@quora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi +index 6eef89ccdd121..8843dac449000 100644 +--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi ++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi +@@ -280,7 +280,7 @@ CLUSTER_C4: cpu-sleep-0 { + idle-state-name = "ret"; + arm,psci-suspend-param = <0x00000004>; + entry-latency-us = <180>; +- exit-latency-us = <500>; ++ exit-latency-us = <320>; + min-residency-us = <600>; + }; + }; +-- +2.53.0 + diff --git a/queue-6.12/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch b/queue-6.12/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch new file mode 100644 index 0000000000..74cf9d9f5e --- /dev/null +++ b/queue-6.12/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch @@ -0,0 +1,47 @@ +From 8fa8c62ccb1eb7ffc3e7244cf6500046329472f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 02:43:48 +0100 +Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gilson Marquato Júnior + +[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ] + +The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal +DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk +entry so the internal microphone is properly detected on this model. + +Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9). + +Signed-off-by: Gilson Marquato Júnior +Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 2414c1bba0789..6e41d14e5f3af 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = { + }; + + static const struct dmi_system_id yc_acp_quirk_table[] = { ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.53.0 + diff --git a/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch b/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch new file mode 100644 index 0000000000..2df5389848 --- /dev/null +++ b/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch @@ -0,0 +1,43 @@ +From 0c15e43ff97cde54d83aff19cf33a28dd1e99c6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 21:25:12 +0700 +Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA + +From: Vee Satayamas + +[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ] + +Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the +internal microphone not being detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236 +Signed-off-by: Vee Satayamas +Reviewed-by: Zhang Heng +Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 51a0de248497e..b8a957602b0a0 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -710,6 +710,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch b/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch new file mode 100644 index 0000000000..4e8d6c3c3d --- /dev/null +++ b/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch @@ -0,0 +1,42 @@ +From c631d36b8efd23785a96a40112de404f951432cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 16:02:18 +0800 +Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF + +From: Zhang Heng + +[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ] + +Add a DMI quirk for the Thin A15 B7VF fixing the issue where +the internal microphone was not detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833 +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index b8a957602b0a0..2414c1bba0789 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -717,6 +717,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.12/asoc-soc-core-call-missing-init_list_head-for-card_a.patch b/queue-6.12/asoc-soc-core-call-missing-init_list_head-for-card_a.patch new file mode 100644 index 0000000000..61056d0ec2 --- /dev/null +++ b/queue-6.12/asoc-soc-core-call-missing-init_list_head-for-card_a.patch @@ -0,0 +1,66 @@ +From 5f383d949ecafe059603b7fe61d531fe66374cbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 02:43:54 +0000 +Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list + +From: Kuninori Morimoto + +[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ] + +Component has "card_aux_list" which is added/deled in bind/unbind aux dev +function (A), and used in for_each_card_auxs() loop (B). + + static void soc_unbind_aux_dev(...) + { + ... + for_each_card_auxs_safe(...) { + ... +(A) list_del(&component->card_aux_list); + } ^^^^^^^^^^^^^ + } + + static int soc_bind_aux_dev(...) + { + ... + for_each_card_pre_auxs(...) { + ... +(A) list_add(&component->card_aux_list, ...); + } ^^^^^^^^^^^^^ + ... + } + + #define for_each_card_auxs(card, component) \ +(B) list_for_each_entry(component, ..., card_aux_list) + ^^^^^^^^^^^^^ + +But it has been used without calling INIT_LIST_HEAD(). + + > git grep card_aux_list sound/soc + sound/soc/soc-core.c: list_del(&component->card_aux_list); + sound/soc/soc-core.c: list_add(&component->card_aux_list, ...); + +call missing INIT_LIST_HEAD() for it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index a1e3829914268..5097b287b889a 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2801,6 +2801,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, + INIT_LIST_HEAD(&component->dobj_list); + INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); ++ INIT_LIST_HEAD(&component->card_aux_list); + mutex_init(&component->io_mutex); + + if (!component->name) { +-- +2.53.0 + diff --git a/queue-6.12/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch b/queue-6.12/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch new file mode 100644 index 0000000000..620dedea30 --- /dev/null +++ b/queue-6.12/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch @@ -0,0 +1,46 @@ +From 5835b0fa06b12ceff761d94e3ae02e71eab9b9d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:45:26 -0300 +Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ] + +sof_parse_token_sets() accepts array->size values that can be invalid +for a vendor tuple array header. In particular, a zero size does not +advance the parser state and can lead to non-progress parsing on +malformed topology data. + +Validate array->size against the minimum header size and reject values +smaller than sizeof(*array) before parsing. This preserves behavior for +valid topologies and hardens malformed-input handling. + +Signed-off-by: Cássio Gabriel +Acked-by: Peter Ujfalusi +Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index 0104257df930e..cdf8e56fd8a02 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -724,7 +724,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp, + asize = le32_to_cpu(array->size); + + /* validate asize */ +- if (asize < 0) { /* FIXME: A zero-size array makes no sense */ ++ if (asize < sizeof(*array)) { + dev_err(scomp->dev, "error: invalid array size 0x%x\n", + asize); + return -EINVAL; +-- +2.53.0 + diff --git a/queue-6.12/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch b/queue-6.12/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch new file mode 100644 index 0000000000..3014fd4b38 --- /dev/null +++ b/queue-6.12/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch @@ -0,0 +1,64 @@ +From 51decec6f6ea528bdd4bce47b0f1f942db84514e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:40:56 +0200 +Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J + +From: Tomasz Merta + +[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ] + +The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A, +DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK +edge when SND_SOC_DAIFMT_NB_NF is used. + +Per ALSA convention, NB_NF requires sampling on the rising BCLK edge. +The STM32MP25 SAI reference manual states that CKSTR=1 is required for +signals received by the SAI to be sampled on the SCK rising edge. +Without setting CKSTR=1, the SAI samples on the falling edge, violating +the NB_NF convention. For comparison, the NXP FSL SAI driver correctly +sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its +I2S handling. + +This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in +stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec. +RIGHT_J (LSB) is not investigated and addressed by this patch. + +Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue +for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified +and is left for a separate investigation. + +Signed-off-by: Tomasz Merta +Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_sai_sub.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c +index fb1bd9844b550..f4f751b19429a 100644 +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -677,6 +677,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + break; + /* Left justified */ + case SND_SOC_DAIFMT_MSB: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + /* Right justified */ +@@ -684,9 +685,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + case SND_SOC_DAIFMT_DSP_A: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF; + break; + case SND_SOC_DAIFMT_DSP_B: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL; + break; + default: +-- +2.53.0 + diff --git a/queue-6.12/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch b/queue-6.12/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch new file mode 100644 index 0000000000..5cade8f5ca --- /dev/null +++ b/queue-6.12/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch @@ -0,0 +1,83 @@ +From 6eb9b059d50050beda1c0898e097d1a9becebb64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 15:23:35 -0700 +Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 + +From: Arthur Husband + +[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ] + +The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA +support via the S64A bit in the AHCI CAP register, but their 64-bit DMA +implementation is defective. Under sustained I/O, DMA transfers targeting +addresses above 4GB silently corrupt data -- writes land at incorrect +memory addresses with no errors logged. + +The failure pattern is similar to the ASMedia ASM1061 +(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia +ASM1061 controllers")), which also falsely advertised full 64-bit DMA +support. However, the JMB585 requires a stricter 32-bit DMA mask rather +than 43-bit, as corruption occurs with any address above 4GB. + +On the Minisforum N5 Pro specifically, the combination of the JMB585's +broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes +silent data corruption that is only detectable via checksumming +filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA +space is exhausted and the kernel transparently switches to 64-bit DMA +addresses. + +Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585 +(0x0585) before the generic JMicron class match, using a new board type +that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior) +with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks. + +Signed-off-by: Arthur Husband +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index e78b97fe81708..57a7a2b68aaab 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -68,6 +68,7 @@ enum board_ids { + /* board IDs for specific chipsets in alphabetical order */ + board_ahci_al, + board_ahci_avn, ++ board_ahci_jmb585, + board_ahci_mcp65, + board_ahci_mcp77, + board_ahci_mcp89, +@@ -212,6 +213,15 @@ static const struct ata_port_info ahci_port_info[] = { + .udma_mask = ATA_UDMA6, + .port_ops = &ahci_avn_ops, + }, ++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */ ++ [board_ahci_jmb585] = { ++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR | ++ AHCI_HFLAG_32BIT_ONLY), ++ .flags = AHCI_FLAG_COMMON, ++ .pio_mask = ATA_PIO4, ++ .udma_mask = ATA_UDMA6, ++ .port_ops = &ahci_ops, ++ }, + [board_ahci_mcp65] = { + AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP | + AHCI_HFLAG_YES_NCQ), +@@ -439,6 +449,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */ + { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_pcs_quirk }, /* Elkhart Lake AHCI */ + ++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */ ++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 }, ++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 }, ++ + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr }, +-- +2.53.0 + diff --git a/queue-6.12/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch b/queue-6.12/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch new file mode 100644 index 0000000000..2a353cc836 --- /dev/null +++ b/queue-6.12/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch @@ -0,0 +1,147 @@ +From ef04a0123f943287ac4aa597386e0c756b7db05a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 20:07:26 +0800 +Subject: Bluetooth: hci_sync: annotate data-races around hdev->req_status + +From: Cen Zhang + +[ Upstream commit b6807cfc195ef99e1ac37b2e1e60df40295daa8c ] + +__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock: + + hdev->req_status = HCI_REQ_PEND; + +However, several other functions read or write hdev->req_status without +holding any lock: + + - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue) + - hci_cmd_sync_complete() reads/writes from HCI event completion + - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write + - hci_abort_conn() reads in connection abort path + +Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while +hci_send_cmd_sync() runs on hdev->workqueue, these are different +workqueues that can execute concurrently on different CPUs. The plain +C accesses constitute a data race. + +Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses +to hdev->req_status to prevent potential compiler optimizations that +could affect correctness (e.g., load fusing in the wait_event +condition or store reordering). + +Signed-off-by: Cen Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 2 +- + net/bluetooth/hci_core.c | 2 +- + net/bluetooth/hci_sync.c | 20 ++++++++++---------- + 3 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index b36fa056e8796..bf1c39be05211 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -2887,7 +2887,7 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) + * hci_connect_le serializes the connection attempts so only one + * connection can be in BT_CONNECT at time. + */ +- if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { ++ if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + switch (hci_skb_event(hdev->sent_cmd)) { + case HCI_EV_CONN_COMPLETE: + case HCI_EV_LE_CONN_COMPLETE: +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index ba01d0fa07193..677f51edb2775 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4103,7 +4103,7 @@ static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) + kfree_skb(skb); + } + +- if (hdev->req_status == HCI_REQ_PEND && ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND && + !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) { + kfree_skb(hdev->req_skb); + hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 7339c36d58582..fbcb3bbfef4fd 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -25,11 +25,11 @@ static void hci_cmd_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode, + { + bt_dev_dbg(hdev, "result 0x%2.2x", result); + +- if (hdev->req_status != HCI_REQ_PEND) ++ if (READ_ONCE(hdev->req_status) != HCI_REQ_PEND) + return; + + hdev->req_result = result; +- hdev->req_status = HCI_REQ_DONE; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_DONE); + + /* Free the request command so it is not used as response */ + kfree_skb(hdev->req_skb); +@@ -167,20 +167,20 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, + + hci_cmd_sync_add(&req, opcode, plen, param, event, sk); + +- hdev->req_status = HCI_REQ_PEND; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_PEND); + + err = hci_req_sync_run(&req); + if (err < 0) + return ERR_PTR(err); + + err = wait_event_interruptible_timeout(hdev->req_wait_q, +- hdev->req_status != HCI_REQ_PEND, ++ READ_ONCE(hdev->req_status) != HCI_REQ_PEND, + timeout); + + if (err == -ERESTARTSYS) + return ERR_PTR(-EINTR); + +- switch (hdev->req_status) { ++ switch (READ_ONCE(hdev->req_status)) { + case HCI_REQ_DONE: + err = -bt_to_errno(hdev->req_result); + break; +@@ -194,7 +194,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, + break; + } + +- hdev->req_status = 0; ++ WRITE_ONCE(hdev->req_status, 0); + hdev->req_result = 0; + skb = hdev->req_rsp; + hdev->req_rsp = NULL; +@@ -665,9 +665,9 @@ void hci_cmd_sync_cancel(struct hci_dev *hdev, int err) + { + bt_dev_dbg(hdev, "err 0x%2.2x", err); + +- if (hdev->req_status == HCI_REQ_PEND) { ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + hdev->req_result = err; +- hdev->req_status = HCI_REQ_CANCELED; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED); + + queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work); + } +@@ -683,12 +683,12 @@ void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err) + { + bt_dev_dbg(hdev, "err 0x%2.2x", err); + +- if (hdev->req_status == HCI_REQ_PEND) { ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + /* req_result is __u32 so error must be positive to be properly + * propagated. + */ + hdev->req_result = err < 0 ? -err : err; +- hdev->req_status = HCI_REQ_CANCELED; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED); + + wake_up_interruptible(&hdev->req_wait_q); + } +-- +2.53.0 + diff --git a/queue-6.12/btrfs-tracepoints-get-correct-superblock-from-dentry.patch b/queue-6.12/btrfs-tracepoints-get-correct-superblock-from-dentry.patch new file mode 100644 index 0000000000..ccd75f61f4 --- /dev/null +++ b/queue-6.12/btrfs-tracepoints-get-correct-superblock-from-dentry.patch @@ -0,0 +1,50 @@ +From f8eb9a3649e18c7242a8636fc407a88be0425f6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 14:11:39 -0400 +Subject: btrfs: tracepoints: get correct superblock from dentry in event + btrfs_sync_file() + +From: Goldwyn Rodrigues + +[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] + +If overlay is used on top of btrfs, dentry->d_sb translates to overlay's +super block and fsid assignment will lead to a crash. + +Use file_inode(file)->i_sb to always get btrfs_sb. + +Reviewed-by: Boris Burkov +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + include/trace/events/btrfs.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index 0ca86909ce5bd..b964cba4169c2 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -771,12 +771,15 @@ TRACE_EVENT(btrfs_sync_file, + ), + + TP_fast_assign( +- const struct dentry *dentry = file->f_path.dentry; +- const struct inode *inode = d_inode(dentry); ++ struct dentry *dentry = file_dentry(file); ++ struct inode *inode = file_inode(file); ++ struct dentry *parent = dget_parent(dentry); ++ struct inode *parent_inode = d_inode(parent); + +- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb)); ++ dput(parent); ++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb)); + __entry->ino = btrfs_ino(BTRFS_I(inode)); +- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent))); ++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode)); + __entry->datasync = datasync; + __entry->root_objectid = btrfs_root_id(BTRFS_I(inode)->root); + ), +-- +2.53.0 + diff --git a/queue-6.12/can-mcp251x-add-error-handling-for-power-enable-in-o.patch b/queue-6.12/can-mcp251x-add-error-handling-for-power-enable-in-o.patch new file mode 100644 index 0000000000..ce2d791302 --- /dev/null +++ b/queue-6.12/can-mcp251x-add-error-handling-for-power-enable-in-o.patch @@ -0,0 +1,90 @@ +From 3ac2cee7766bf2786d7a8968fa50ef93591775c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 00:00:22 +0800 +Subject: can: mcp251x: add error handling for power enable in open and resume + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ] + +Add missing error handling for mcp251x_power_enable() calls in both +mcp251x_open() and mcp251x_can_resume() functions. + +In mcp251x_open(), if power enable fails, jump to error path to close +candev without attempting to disable power again. + +In mcp251x_can_resume(), properly check return values of power enable calls +for both power and transceiver regulators. If any fails, return the error +code to the PM framework and log the failure. + +This ensures the driver properly handles power control failures and +maintains correct device state. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com +[mkl: fix patch description] +[mkl: mcp251x_can_resume(): replace goto by return] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index 74906aa98be3e..b241953d2ef61 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1212,7 +1212,11 @@ static int mcp251x_open(struct net_device *net) + } + + mutex_lock(&priv->mcp_lock); +- mcp251x_power_enable(priv->transceiver, 1); ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret)); ++ goto out_close_candev; ++ } + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -1259,6 +1263,7 @@ static int mcp251x_open(struct net_device *net) + mcp251x_hw_sleep(spi); + out_close: + mcp251x_power_enable(priv->transceiver, 0); ++out_close_candev: + close_candev(net); + mutex_unlock(&priv->mcp_lock); + if (release_irq) +@@ -1494,11 +1499,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev) + { + struct spi_device *spi = to_spi_device(dev); + struct mcp251x_priv *priv = spi_get_drvdata(spi); ++ int ret = 0; + +- if (priv->after_suspend & AFTER_SUSPEND_POWER) +- mcp251x_power_enable(priv->power, 1); +- if (priv->after_suspend & AFTER_SUSPEND_UP) +- mcp251x_power_enable(priv->transceiver, 1); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) { ++ ret = mcp251x_power_enable(priv->power, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret)); ++ return ret; ++ } ++ } ++ ++ if (priv->after_suspend & AFTER_SUSPEND_UP) { ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret)); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) ++ mcp251x_power_enable(priv->power, 0); ++ return ret; ++ } ++ } + + if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP)) + queue_work(priv->wq, &priv->restart_work); +-- +2.53.0 + diff --git a/queue-6.12/clockevents-prevent-timer-interrupt-starvation.patch b/queue-6.12/clockevents-prevent-timer-interrupt-starvation.patch new file mode 100644 index 0000000000..1430415187 --- /dev/null +++ b/queue-6.12/clockevents-prevent-timer-interrupt-starvation.patch @@ -0,0 +1,218 @@ +From f0aa641eb7fe25dd725ef6835dde2dd178fc55e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 10:54:17 +0200 +Subject: clockevents: Prevent timer interrupt starvation + +From: Thomas Gleixner + +[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ] + +Calvin reported an odd NMI watchdog lockup which claims that the CPU locked +up in user space. He provided a reproducer, which sets up a timerfd based +timer and then rearms it in a loop with an absolute expiry time of 1ns. + +As the expiry time is in the past, the timer ends up as the first expiring +timer in the per CPU hrtimer base and the clockevent device is programmed +with the minimum delta value. If the machine is fast enough, this ends up +in a endless loop of programming the delta value to the minimum value +defined by the clock event device, before the timer interrupt can fire, +which starves the interrupt and consequently triggers the lockup detector +because the hrtimer callback of the lockup mechanism is never invoked. + +As a first step to prevent this, avoid reprogramming the clock event device +when: + - a forced minimum delta event is pending + - the new expiry delta is less then or equal to the minimum delta + +Thanks to Calvin for providing the reproducer and to Borislav for testing +and providing data from his Zen5 machine. + +The problem is not limited to Zen5, but depending on the underlying +clock event device (e.g. TSC deadline timer on Intel) and the CPU speed +not necessarily observable. + +This change serves only as the last resort and further changes will be made +to prevent this scenario earlier in the call chain as far as possible. + +[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and + fixed up the tick-broadcast handlers as pointed out by Borislav ] + +Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality") +Reported-by: Calvin Owens +Signed-off-by: Thomas Gleixner +Tested-by: Calvin Owens +Tested-by: Borislav Petkov +Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/ +Link: https://patch.msgid.link/20260407083247.562657657@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/clockchips.h | 2 ++ + kernel/time/clockevents.c | 27 +++++++++++++++++++-------- + kernel/time/hrtimer.c | 1 + + kernel/time/tick-broadcast.c | 8 +++++++- + kernel/time/tick-common.c | 1 + + kernel/time/tick-sched.c | 1 + + 6 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h +index b0df28ddd394b..50cdc9da8d32a 100644 +--- a/include/linux/clockchips.h ++++ b/include/linux/clockchips.h +@@ -80,6 +80,7 @@ enum clock_event_state { + * @shift: nanoseconds to cycles divisor (power of two) + * @state_use_accessors:current state of the device, assigned by the core code + * @features: features ++ * @next_event_forced: True if the last programming was a forced event + * @retries: number of forced programming retries + * @set_state_periodic: switch state to periodic + * @set_state_oneshot: switch state to oneshot +@@ -108,6 +109,7 @@ struct clock_event_device { + u32 shift; + enum clock_event_state state_use_accessors; + unsigned int features; ++ unsigned int next_event_forced; + unsigned long retries; + + int (*set_state_periodic)(struct clock_event_device *); +diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c +index 78c7bd64d0ddf..6f4257e63bba8 100644 +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev) + { + clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN); + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + } + + /** +@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + { + unsigned long long clc; + int64_t delta; +- int rc; + + if (WARN_ON_ONCE(expires < 0)) + return -ETIME; +@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + return dev->set_next_ktime(expires, dev); + + delta = ktime_to_ns(ktime_sub(expires, ktime_get())); +- if (delta <= 0) +- return force ? clockevents_program_min_delta(dev) : -ETIME; + +- delta = min(delta, (int64_t) dev->max_delta_ns); +- delta = max(delta, (int64_t) dev->min_delta_ns); ++ /* Required for tick_periodic() during early boot */ ++ if (delta <= 0 && !force) ++ return -ETIME; ++ ++ if (delta > (int64_t)dev->min_delta_ns) { ++ delta = min(delta, (int64_t) dev->max_delta_ns); ++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift; ++ if (!dev->set_next_event((unsigned long) clc, dev)) ++ return 0; ++ } + +- clc = ((unsigned long long) delta * dev->mult) >> dev->shift; +- rc = dev->set_next_event((unsigned long) clc, dev); ++ if (dev->next_event_forced) ++ return 0; + +- return (rc && force) ? clockevents_program_min_delta(dev) : rc; ++ if (dev->set_next_event(dev->min_delta_ticks, dev)) { ++ if (!force || clockevents_program_min_delta(dev)) ++ return -ETIME; ++ } ++ dev->next_event_forced = 1; ++ return 0; + } + + /* +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 640d2ea4bd1fa..7c57fe7d20d9a 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1852,6 +1852,7 @@ void hrtimer_interrupt(struct clock_event_device *dev) + BUG_ON(!cpu_base->hres_active); + cpu_base->nr_events++; + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + raw_spin_lock_irqsave(&cpu_base->lock, flags); + entry_time = now = hrtimer_update_base(cpu_base); +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index ed58eebb4e8f4..99d2978ef9b98 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu) + */ + static void tick_broadcast_start_periodic(struct clock_event_device *bc) + { +- if (bc) ++ if (bc) { ++ bc->next_event_forced = 0; + tick_setup_periodic(bc, 1); ++ } + } + + /* +@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev) + bool bc_local; + + raw_spin_lock(&tick_broadcast_lock); ++ tick_broadcast_device.evtdev->next_event_forced = 0; + + /* Handle spurious interrupts gracefully */ + if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) { +@@ -696,6 +699,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev) + + raw_spin_lock(&tick_broadcast_lock); + dev->next_event = KTIME_MAX; ++ tick_broadcast_device.evtdev->next_event_forced = 0; + next_event = KTIME_MAX; + cpumask_clear(tmpmask); + now = ktime_get(); +@@ -1061,6 +1065,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc, + + + bc->event_handler = tick_handle_oneshot_broadcast; ++ bc->next_event_forced = 0; + bc->next_event = KTIME_MAX; + + /* +@@ -1173,6 +1178,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu) + } + + /* This moves the broadcast assignment to this CPU: */ ++ bc->next_event_forced = 0; + clockevents_program_event(bc, bc->next_event, 1); + } + raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index 9a3859443c042..4b5a42192afa2 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -110,6 +110,7 @@ void tick_handle_periodic(struct clock_event_device *dev) + int cpu = smp_processor_id(); + ktime_t next = dev->next_event; + ++ dev->next_event_forced = 0; + tick_periodic(cpu); + + /* +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index f203f000da1ad..e385555b456e8 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1488,6 +1488,7 @@ static void tick_nohz_lowres_handler(struct clock_event_device *dev) + struct tick_sched *ts = this_cpu_ptr(&tick_cpu_sched); + + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + if (likely(tick_nohz_handler(&ts->sched_timer) == HRTIMER_RESTART)) + tick_program_event(hrtimer_get_expires(&ts->sched_timer), 1); +-- +2.53.0 + diff --git a/queue-6.12/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch b/queue-6.12/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch new file mode 100644 index 0000000000..9ad073ba5c --- /dev/null +++ b/queue-6.12/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch @@ -0,0 +1,68 @@ +From f7892d41a9f107d8bdacbf96e34c5ebc27b71efa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 23:34:55 +0800 +Subject: crypto: af_alg - limit RX SG extraction by receive buffer budget + +From: Douya Le + +[ Upstream commit 8eceab19eba9dcbfd2a0daec72e1bf48aa100170 ] + +Make af_alg_get_rsgl() limit each RX scatterlist extraction to the +remaining receive buffer budget. + +af_alg_get_rsgl() currently uses af_alg_readable() only as a gate +before extracting data into the RX scatterlist. Limit each extraction +to the remaining af_alg_rcvbuf(sk) budget so that receive-side +accounting matches the amount of data attached to the request. + +If skcipher cannot obtain enough RX space for at least one chunk while +more data remains to be processed, reject the recvmsg call instead of +rounding the request length down to zero. + +Fixes: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a ("crypto: algif_skcipher - overhaul memory management") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Signed-off-by: Douya Le +Signed-off-by: Ren Wei +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/af_alg.c | 2 ++ + crypto/algif_skcipher.c | 5 +++++ + 2 files changed, 7 insertions(+) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 78e995dddf879..0530dc85e4f87 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1258,6 +1258,8 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags, + + seglen = min_t(size_t, (maxsize - len), + msg_data_left(msg)); ++ /* Never pin more pages than the remaining RX accounting budget. */ ++ seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk)); + + if (list_empty(&areq->rsgl_list)) { + rsgl = &areq->first_rsgl; +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index 125d395c5e009..3549ad1cc42e6 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -130,6 +130,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, + * full block size buffers. + */ + if (ctx->more || len < ctx->used) { ++ if (len < bs) { ++ err = -EINVAL; ++ goto free; ++ } ++ + len -= len % bs; + cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL; + } +-- +2.53.0 + diff --git a/queue-6.12/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-6.12/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch new file mode 100644 index 0000000000..86debe51fd --- /dev/null +++ b/queue-6.12/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch @@ -0,0 +1,38 @@ +From d0f962563be16d2357490d671ef0f90b647c91b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 13:32:21 +0800 +Subject: crypto: algif_aead - Fix minimum RX size check for decryption + +From: Herbert Xu + +[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] + +The check for the minimum receive buffer size did not take the +tag size into account during decryption. Fix this by adding the +required extra length. + +Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com +Reported-by: Daniel Pouzzner +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_aead.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c +index 7d58cbbce4af2..481e66f8708bb 100644 +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + if (usedpages < outlen) { + size_t less = outlen - usedpages; + +- if (used < less) { ++ if (used < less + (ctx->enc ? 0 : as)) { + err = -EINVAL; + goto free; + } +-- +2.53.0 + diff --git a/queue-6.12/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch b/queue-6.12/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch new file mode 100644 index 0000000000..d2e484474e --- /dev/null +++ b/queue-6.12/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch @@ -0,0 +1,69 @@ +From 1d9b437a1c5bb8800fcf334297d03f9328d7c4ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 09:58:36 +0530 +Subject: drm/amdgpu: Handle GPU page faults correctly on non-4K page systems +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Donet Tom + +[ Upstream commit 4e9597f22a3cb8600c72fc266eaac57981d834c8 ] + +During a GPU page fault, the driver restores the SVM range and then maps it +into the GPU page tables. The current implementation passes a GPU-page-size +(4K-based) PFN to svm_range_restore_pages() to restore the range. + +SVM ranges are tracked using system-page-size PFNs. On systems where the +system page size is larger than 4K, using GPU-page-size PFNs to restore the +range causes two problems: + +Range lookup fails: +Because the restore function receives PFNs in GPU (4K) units, the SVM +range lookup does not find the existing range. This will result in a +duplicate SVM range being created. + +VMA lookup failure: +The restore function also tries to locate the VMA for the faulting address. +It converts the GPU-page-size PFN into an address using the system page +size, which results in an incorrect address on non-4K page-size systems. +As a result, the VMA lookup fails with the message: "address 0xxxx VMA is +removed". + +This patch passes the system-page-size PFN to svm_range_restore_pages() so +that the SVM range is restored correctly on non-4K page systems. + +Acked-by: Christian König +Signed-off-by: Donet Tom +Signed-off-by: Alex Deucher +(cherry picked from commit 074fe395fb13247b057f60004c7ebcca9f38ef46) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index 13252c27cf55e..a29d01202b5b3 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -2806,14 +2806,14 @@ bool amdgpu_vm_handle_fault(struct amdgpu_device *adev, u32 pasid, + if (!root) + return false; + +- addr /= AMDGPU_GPU_PAGE_SIZE; +- + if (is_compute_context && !svm_range_restore_pages(adev, pasid, vmid, +- node_id, addr, ts, write_fault)) { ++ node_id, addr >> PAGE_SHIFT, ts, write_fault)) { + amdgpu_bo_unref(&root); + return true; + } + ++ addr /= AMDGPU_GPU_PAGE_SIZE; ++ + r = amdgpu_bo_reserve(root, true); + if (r) + goto error_unref; +-- +2.53.0 + diff --git a/queue-6.12/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch b/queue-6.12/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch new file mode 100644 index 0000000000..a95200cdc8 --- /dev/null +++ b/queue-6.12/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch @@ -0,0 +1,74 @@ +From 55c757d61491f95df70e7e2db84a257259df4b95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:45 -0300 +Subject: drm/vc4: Fix a memory leak in hang state error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ] + +When vc4_save_hang_state() encounters an early return condition, it +returns without freeing the previously allocated `kernel_state`, +leaking memory. + +Add the missing kfree() calls by consolidating the early return paths +into a single place. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 373d310c7b6a5..62d19601ef356 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -169,10 +169,8 @@ vc4_save_hang_state(struct drm_device *dev) + spin_lock_irqsave(&vc4->job_lock, irqflags); + exec[0] = vc4_first_bin_job(vc4); + exec[1] = vc4_first_render_job(vc4); +- if (!exec[0] && !exec[1]) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!exec[0] && !exec[1]) ++ goto err_free_state; + + /* Get the bos from both binner and renderer into hang state. */ + state->bo_count = 0; +@@ -189,10 +187,8 @@ vc4_save_hang_state(struct drm_device *dev) + kernel_state->bo = kcalloc(state->bo_count, + sizeof(*kernel_state->bo), GFP_ATOMIC); + +- if (!kernel_state->bo) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!kernel_state->bo) ++ goto err_free_state; + + k = 0; + for (i = 0; i < 2; i++) { +@@ -284,6 +280,12 @@ vc4_save_hang_state(struct drm_device *dev) + vc4->hang_state = kernel_state; + spin_unlock_irqrestore(&vc4->job_lock, irqflags); + } ++ ++ return; ++ ++err_free_state: ++ spin_unlock_irqrestore(&vc4->job_lock, irqflags); ++ kfree(kernel_state); + } + + static void +-- +2.53.0 + diff --git a/queue-6.12/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch b/queue-6.12/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch new file mode 100644 index 0000000000..89d564dda2 --- /dev/null +++ b/queue-6.12/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch @@ -0,0 +1,40 @@ +From b1a2057c737d5f6078ddbf5daf923bb9942a1fad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:44 -0300 +Subject: drm/vc4: Fix memory leak of BO array in hang state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ] + +The hang state's BO array is allocated separately with kzalloc() in +vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the +missing kfree() for the BO array before freeing the hang state struct. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index be9c0b72ebe86..373d310c7b6a5 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state) + for (i = 0; i < state->user_state.bo_count; i++) + drm_gem_object_put(state->bo[i]); + ++ kfree(state->bo); + kfree(state); + } + +-- +2.53.0 + diff --git a/queue-6.12/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch b/queue-6.12/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch new file mode 100644 index 0000000000..1e980df1ec --- /dev/null +++ b/queue-6.12/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch @@ -0,0 +1,48 @@ +From c46999896580fd7317f5fda9e5ba860553794cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:46 -0300 +Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ] + +The mmap callback reads bo->madv without holding madv_lock, racing with +concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under +the same lock. Add the missing locking to prevent the data race. + +Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_bo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c +index 2a85d08b19852..3740e0552960d 100644 +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct + return -EINVAL; + } + ++ mutex_lock(&bo->madv_lock); + if (bo->madv != VC4_MADV_WILLNEED) { + DRM_DEBUG("mmapping of %s BO not allowed\n", + bo->madv == VC4_MADV_DONTNEED ? + "purgeable" : "purged"); ++ mutex_unlock(&bo->madv_lock); + return -EINVAL; + } ++ mutex_unlock(&bo->madv_lock); + + return drm_gem_dma_mmap(&bo->base, vma); + } +-- +2.53.0 + diff --git a/queue-6.12/drm-vc4-release-runtime-pm-reference-after-binding-v.patch b/queue-6.12/drm-vc4-release-runtime-pm-reference-after-binding-v.patch new file mode 100644 index 0000000000..679b38b0f9 --- /dev/null +++ b/queue-6.12/drm-vc4-release-runtime-pm-reference-after-binding-v.patch @@ -0,0 +1,46 @@ +From 011ba73738857a14d7a33bdd3fecd50230b53d2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:43 -0300 +Subject: drm/vc4: Release runtime PM reference after binding V3D +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ] + +The vc4_v3d_bind() function acquires a runtime PM reference via +pm_runtime_resume_and_get() to access V3D registers during setup. +However, this reference is never released after a successful bind. +This prevents the device from ever runtime suspending, since the +reference count never reaches zero. + +Release the runtime PM reference by adding pm_runtime_put_autosuspend() +after autosuspend is configured, allowing the device to runtime suspend +after the delay. + +Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_v3d.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c +index 43f69d74e8761..334d2cfe3433b 100644 +--- a/drivers/gpu/drm/vc4/vc4_v3d.c ++++ b/drivers/gpu/drm/vc4/vc4_v3d.c +@@ -479,6 +479,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data) + + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */ ++ pm_runtime_put_autosuspend(dev); + + return 0; + +-- +2.53.0 + diff --git a/queue-6.12/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch b/queue-6.12/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch new file mode 100644 index 0000000000..2472fa5594 --- /dev/null +++ b/queue-6.12/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch @@ -0,0 +1,59 @@ +From 36aa077fc0ea5cc98f14b5f187f6a24f57edc7f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:40 +0100 +Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock + +From: Jon Hunter + +[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ] + +The PTP clock for the Tegra234 MGBE device is incorrectly named +'ptp-ref' and should be 'ptp_ref'. This is causing the following +warning to be observed on Tegra234 platforms that use this device: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +Although this constitutes an ABI breakage in the binding for this +device, PTP support has clearly never worked and so fix this now +so we can correct the device-tree for this device. Note that the +MGBE driver still supports the legacy 'ptp-ref' clock name and so +older/existing device-trees will still work, but given that this +is not the correct name, there is no point to advertise this in the +binding. + +Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE") +Signed-off-by: Jon Hunter +Reviewed-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +index 2bd3efff2485e..215f14d1897d2 100644 +--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml ++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +@@ -42,7 +42,7 @@ properties: + - const: mgbe + - const: mac + - const: mac-divider +- - const: ptp-ref ++ - const: ptp_ref + - const: rx-input-m + - const: rx-input + - const: tx +@@ -133,7 +133,7 @@ examples: + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>, + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>, + <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>; +- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m", ++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m", + "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m", + "rx-pcs", "tx-pcs"; + resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>, +-- +2.53.0 + diff --git a/queue-6.12/e1000-check-return-value-of-e1000_read_eeprom.patch b/queue-6.12/e1000-check-return-value-of-e1000_read_eeprom.patch new file mode 100644 index 0000000000..7ef3c7b71e --- /dev/null +++ b/queue-6.12/e1000-check-return-value-of-e1000_read_eeprom.patch @@ -0,0 +1,70 @@ +From 1201f4de5a1813393c7677a33016486956b55712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 15:05:05 +0300 +Subject: e1000: check return value of e1000_read_eeprom + +From: Agalakov Daniil + +[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ] + +[Why] +e1000_set_eeprom() performs a read-modify-write operation when the write +range is not word-aligned. This requires reading the first and last words +of the range from the EEPROM to preserve the unmodified bytes. + +However, the code does not check the return value of e1000_read_eeprom(). +If the read fails, the operation continues using uninitialized data from +eeprom_buff. This results in corrupted data being written back to the +EEPROM for the boundary words. + +Add the missing error checks and abort the operation if reading fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Iskhakov Daniil +Signed-off-by: Iskhakov Daniil +Signed-off-by: Agalakov Daniil +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index d06d29c6c0370..c7b50059663d9 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev, + */ + ret_val = e1000_read_eeprom(hw, first_word, 1, + &eeprom_buff[0]); ++ if (ret_val) ++ goto out; ++ + ptr++; + } +- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) { ++ if ((eeprom->offset + eeprom->len) & 1) { + /* need read/modify/write of last changed EEPROM word + * only the first byte of the word is being modified + */ + ret_val = e1000_read_eeprom(hw, last_word, 1, + &eeprom_buff[last_word - first_word]); ++ if (ret_val) ++ goto out; + } + + /* Device's eeprom is always little-endian, word addressable */ +@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev, + if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG)) + e1000_update_eeprom_checksum(hw); + ++out: + kfree(eeprom_buff); + return ret_val; + } +-- +2.53.0 + diff --git a/queue-6.12/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch b/queue-6.12/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch new file mode 100644 index 0000000000..d2f16ab297 --- /dev/null +++ b/queue-6.12/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch @@ -0,0 +1,48 @@ +From db4d28310bb76fce8a90df7e67a2b605293fd3e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 15:25:32 +0200 +Subject: eventpoll: defer struct eventpoll free to RCU grace period + +From: Nicholas Carlini + +[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ] + +In certain situations, ep_free() in eventpoll.c will kfree the epi->ep +eventpoll struct while it still being used by another concurrent thread. +Defer the kfree() to an RCU callback to prevent UAF. + +Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") +Signed-off-by: Nicholas Carlini +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index aa4318271eee4..075aa8793aaa9 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -226,6 +226,9 @@ struct eventpoll { + */ + refcount_t refcount; + ++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */ ++ struct rcu_head rcu; ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + /* used to track busy poll napi_id */ + unsigned int napi_id; +@@ -790,7 +793,8 @@ static void ep_free(struct eventpoll *ep) + mutex_destroy(&ep->mtx); + free_uid(ep->user); + wakeup_source_unregister(ep->ws); +- kfree(ep); ++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */ ++ kfree_rcu(ep, rcu); + } + + /* +-- +2.53.0 + diff --git a/queue-6.12/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch b/queue-6.12/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch new file mode 100644 index 0000000000..366bbc81e9 --- /dev/null +++ b/queue-6.12/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch @@ -0,0 +1,47 @@ +From ff66b12b7424379480989edab832f76774df801b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 13:11:27 -0700 +Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath + +From: Fredric Cover + +[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ] + +When cifs_sanitize_prepath is called with an empty string or a string +containing only delimiters (e.g., "/"), the current logic attempts to +check *(cursor2 - 1) before cursor2 has advanced. This results in an +out-of-bounds read. + +This patch adds an early exit check after stripping prepended +delimiters. If no path content remains, the function returns NULL. + +The bug was identified via manual audit and verified using a +standalone test case compiled with AddressSanitizer, which +triggered a SEGV on affected inputs. + +Signed-off-by: Fredric Cover +Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index 39e48e86b9b4f..769380020d41a 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -527,6 +527,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp) + while (IS_DELIM(*cursor1)) + cursor1++; + ++ /* exit in case of only delimiters */ ++ if (!*cursor1) ++ return NULL; ++ + /* copy the first letter */ + *cursor2 = *cursor1; + +-- +2.53.0 + diff --git a/queue-6.12/gpio-tegra-fix-irq_release_resources-calling-enable-.patch b/queue-6.12/gpio-tegra-fix-irq_release_resources-calling-enable-.patch new file mode 100644 index 0000000000..e85a0bda87 --- /dev/null +++ b/queue-6.12/gpio-tegra-fix-irq_release_resources-calling-enable-.patch @@ -0,0 +1,41 @@ +From b994d518f5f408f062108e1a57a19017ae5741e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 14:02:47 -0700 +Subject: gpio: tegra: fix irq_release_resources calling enable instead of + disable + +From: Samasth Norway Ananda + +[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ] + +tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable() +instead of tegra_gpio_disable(). When IRQ resources are released, the +GPIO configuration bit (CNF) should be cleared to deconfigure the pin as +a GPIO. Leaving it enabled wastes power and can cause unexpected behavior +if the pin is later reused for an alternate function via pinctrl. + +Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip") +Signed-off-by: Samasth Norway Ananda +Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c +index 6d3a39a03f58e..cc7435ecada80 100644 +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -593,7 +593,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d) + struct tegra_gpio_info *tgi = gpiochip_get_data(chip); + + gpiochip_relres_irq(chip, d->hwirq); +- tegra_gpio_enable(tgi, d->hwirq); ++ tegra_gpio_disable(tgi, d->hwirq); + } + + static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s) +-- +2.53.0 + diff --git a/queue-6.12/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch b/queue-6.12/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch new file mode 100644 index 0000000000..c56d59f3d5 --- /dev/null +++ b/queue-6.12/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch @@ -0,0 +1,46 @@ +From 46a44f84062b11c440f81a66b52c814aaf630601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 09:25:22 +0100 +Subject: HID: amd_sfh: don't log error when device discovery fails with + -EOPNOTSUPP + +From: Maximilian Pezzullo + +[ Upstream commit 743677a8cb30b09f16a7f167f497c2c927891b5a ] + +When sensor discovery fails on systems without AMD SFH sensors, the +code already emits a warning via dev_warn() in amd_sfh_hid_client_init(). +The subsequent dev_err() in sfh_init_work() for the same -EOPNOTSUPP +return value is redundant and causes unnecessary alarm. + +Suppress the dev_err() for -EOPNOTSUPP to avoid confusing users who +have no AMD SFH sensors. + +Fixes: 2105e8e00da4 ("HID: amd_sfh: Improve boot time when SFH is available") +Reported-by: Casey Croy +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221099 +Signed-off-by: Maximilian Pezzullo +Acked-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c +index 9739f66e925c0..33ba9af1a249f 100644 +--- a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c ++++ b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c +@@ -352,7 +352,8 @@ static void sfh_init_work(struct work_struct *work) + rc = amd_sfh_hid_client_init(mp2); + if (rc) { + amd_sfh_clear_intr(mp2); +- dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc); ++ if (rc != -EOPNOTSUPP) ++ dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc); + return; + } + +-- +2.53.0 + diff --git a/queue-6.12/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch b/queue-6.12/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch new file mode 100644 index 0000000000..c112516dbe --- /dev/null +++ b/queue-6.12/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch @@ -0,0 +1,52 @@ +From 7ab5f82aca54d05d8d75d60a698113f8e8e14090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 13:36:59 -0500 +Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 + +From: leo vriska + +[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ] + +According to a mailing list report [1], this controller's predecessor +has the same issue. However, it uses the xpad driver instead of HID, so +this quirk wouldn't apply. + +[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/ + +Signed-off-by: leo vriska +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 25eb5cc7de70e..475e6eb4702af 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -22,6 +22,9 @@ + #define USB_DEVICE_ID_3M2256 0x0502 + #define USB_DEVICE_ID_3M3266 0x0506 + ++#define USB_VENDOR_ID_8BITDO 0x2dc8 ++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009 ++ + #define USB_VENDOR_ID_A4TECH 0x09da + #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006 + #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 7a3e0675d9ba2..d9e33dde89899 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -25,6 +25,7 @@ + */ + + static const struct hid_device_id hid_quirks[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, +-- +2.53.0 + diff --git a/queue-6.12/hid-roccat-fix-use-after-free-in-roccat_report_event.patch b/queue-6.12/hid-roccat-fix-use-after-free-in-roccat_report_event.patch new file mode 100644 index 0000000000..c345590060 --- /dev/null +++ b/queue-6.12/hid-roccat-fix-use-after-free-in-roccat_report_event.patch @@ -0,0 +1,50 @@ +From 3b0afaee719616d33677c683db33841ba7cc0753 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:11:07 +0000 +Subject: HID: roccat: fix use-after-free in roccat_report_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ] + +roccat_report_event() iterates over the device->readers list without +holding the readers_lock. This allows a concurrent roccat_release() to +remove and free a reader while it's still being accessed, leading to a +use-after-free. + +Protect the readers list traversal with the readers_lock mutex. + +Signed-off-by: Benoît Sevens +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index c7f7562e22e56..e413662f75082 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->readers_lock); + mutex_lock(&device->cbuf_lock); + + report = &device->cbuf[device->cbuf_end]; +@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data) + } + + mutex_unlock(&device->cbuf_lock); ++ mutex_unlock(&device->readers_lock); + + wake_up_interruptible(&device->wait); + return 0; +-- +2.53.0 + diff --git a/queue-6.12/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch b/queue-6.12/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch new file mode 100644 index 0000000000..2c9d54c27a --- /dev/null +++ b/queue-6.12/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch @@ -0,0 +1,50 @@ +From 6feb22341f212d14befd1be770a22ab6017753e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 15:04:19 +0800 +Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() + +From: Yiqi Sun + +[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ] + +ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the +IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing +this error pointer to dev_hold() will cause a kernel crash with +null-ptr-deref. + +Instead, silently discard the request. RFC 8335 does not appear to +define a specific response for the case where an IPv6 interface +identifier is syntactically valid but the implementation cannot perform +the lookup at runtime, and silently dropping the request may safer than +misreporting "No Such Interface". + +Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") +Signed-off-by: Yiqi Sun +Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 58feb21ff967d..8e53b595a4194 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -1143,6 +1143,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr) + if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr)) + goto send_mal_query; + dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev); ++ /* ++ * If IPv6 identifier lookup is unavailable, silently ++ * discard the request instead of misreporting NO_IF. ++ */ ++ if (IS_ERR(dev)) ++ return false; ++ + dev_hold(dev); + break; + #endif +-- +2.53.0 + diff --git a/queue-6.12/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch b/queue-6.12/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch new file mode 100644 index 0000000000..b97ea444e3 --- /dev/null +++ b/queue-6.12/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch @@ -0,0 +1,147 @@ +From 6b5a087e916dceceb8aa505cc2f1af89dca4c53f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 09:26:13 +0200 +Subject: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop() + +From: Fernando Fernandez Mancera + +[ Upstream commit 14cf0cd35361f4e94824bf8a42f72713d7702a73 ] + +When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently +allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for +single nexthops and small Equal-Cost Multi-Path groups, this fixed +allocation fails for large nexthop groups like 512 nexthops. + +This results in the following warning splat: + + WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608 + [...] + RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395) + [...] + Call Trace: + + rtnetlink_rcv_msg (net/core/rtnetlink.c:6989) + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585) + ___sys_sendmsg (net/socket.c:2641) + __sys_sendmsg (net/socket.c:2671) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + +Fix this by allocating the size dynamically using nh_nlmsg_size() and +using nlmsg_new(), this is consistent with nexthop_notify() behavior. In +addition, adjust nh_nlmsg_size_grp() so it calculates the size needed +based on flags passed. While at it, also add the size of NHA_FDB for +nexthop group size calculation as it was missing too. + +This cannot be reproduced via iproute2 as the group size is currently +limited and the command fails as follows: + +addattr_l ERROR: message exceeded bound of 1048 + +Fixes: 430a049190de ("nexthop: Add support for nexthop groups") +Reported-by: Yiming Qian +Closes: https://lore.kernel.org/netdev/CAL_bE8Li2h4KO+AQFXW4S6Yb_u5X4oSKnkywW+LPFjuErhqELA@mail.gmail.com/ +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Eric Dumazet +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260402072613.25262-2-fmancera@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/nexthop.c | 38 +++++++++++++++++++++++++++----------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c +index fe4ebafb7da14..f1d499a3e2748 100644 +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -1006,16 +1006,32 @@ static size_t nh_nlmsg_size_grp_res(struct nh_group *nhg) + nla_total_size_64bit(8);/* NHA_RES_GROUP_UNBALANCED_TIME */ + } + +-static size_t nh_nlmsg_size_grp(struct nexthop *nh) ++static size_t nh_nlmsg_size_grp(struct nexthop *nh, u32 op_flags) + { + struct nh_group *nhg = rtnl_dereference(nh->nh_grp); + size_t sz = sizeof(struct nexthop_grp) * nhg->num_nh; + size_t tot = nla_total_size(sz) + +- nla_total_size(2); /* NHA_GROUP_TYPE */ ++ nla_total_size(2) + /* NHA_GROUP_TYPE */ ++ nla_total_size(0); /* NHA_FDB */ + + if (nhg->resilient) + tot += nh_nlmsg_size_grp_res(nhg); + ++ if (op_flags & NHA_OP_FLAG_DUMP_STATS) { ++ tot += nla_total_size(0) + /* NHA_GROUP_STATS */ ++ nla_total_size(4); /* NHA_HW_STATS_ENABLE */ ++ tot += nhg->num_nh * ++ (nla_total_size(0) + /* NHA_GROUP_STATS_ENTRY */ ++ nla_total_size(4) + /* NHA_GROUP_STATS_ENTRY_ID */ ++ nla_total_size_64bit(8)); /* NHA_GROUP_STATS_ENTRY_PACKETS */ ++ ++ if (op_flags & NHA_OP_FLAG_DUMP_HW_STATS) { ++ tot += nhg->num_nh * ++ nla_total_size_64bit(8); /* NHA_GROUP_STATS_ENTRY_PACKETS_HW */ ++ tot += nla_total_size(4); /* NHA_HW_STATS_USED */ ++ } ++ } ++ + return tot; + } + +@@ -1050,14 +1066,14 @@ static size_t nh_nlmsg_size_single(struct nexthop *nh) + return sz; + } + +-static size_t nh_nlmsg_size(struct nexthop *nh) ++static size_t nh_nlmsg_size(struct nexthop *nh, u32 op_flags) + { + size_t sz = NLMSG_ALIGN(sizeof(struct nhmsg)); + + sz += nla_total_size(4); /* NHA_ID */ + + if (nh->is_group) +- sz += nh_nlmsg_size_grp(nh) + ++ sz += nh_nlmsg_size_grp(nh, op_flags) + + nla_total_size(4) + /* NHA_OP_FLAGS */ + 0; + else +@@ -1073,7 +1089,7 @@ static void nexthop_notify(int event, struct nexthop *nh, struct nl_info *info) + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(nh_nlmsg_size(nh), gfp_any()); ++ skb = nlmsg_new(nh_nlmsg_size(nh, 0), gfp_any()); + if (!skb) + goto errout; + +@@ -3333,15 +3349,15 @@ static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh, + if (err) + return err; + +- err = -ENOBUFS; +- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); +- if (!skb) +- goto out; +- + err = -ENOENT; + nh = nexthop_find_by_id(net, id); + if (!nh) +- goto errout_free; ++ goto out; ++ ++ err = -ENOBUFS; ++ skb = nlmsg_new(nh_nlmsg_size(nh, op_flags), GFP_KERNEL); ++ if (!skb) ++ goto out; + + err = nh_fill_node(skb, nh, RTM_NEWNEXTHOP, NETLINK_CB(in_skb).portid, + nlh->nlmsg_seq, 0, op_flags); +-- +2.53.0 + diff --git a/queue-6.12/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch b/queue-6.12/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch new file mode 100644 index 0000000000..63fca79a64 --- /dev/null +++ b/queue-6.12/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch @@ -0,0 +1,43 @@ +From c675e7f4761813137480fe484cd5e50e8261e9b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 09:26:12 +0200 +Subject: ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group + dump + +From: Fernando Fernandez Mancera + +[ Upstream commit 06aaf04ca815f7a1f17762fd847b7bc14b8833fb ] + +Currently NHA_HW_STATS_ENABLE is included twice everytime a dump of +nexthop group is performed with NHA_OP_FLAG_DUMP_STATS. As all the stats +querying were moved to nla_put_nh_group_stats(), leave only that +instance of the attribute querying. + +Fixes: 5072ae00aea4 ("net: nexthop: Expose nexthop group HW stats to user space") +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Eric Dumazet +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260402072613.25262-1-fmancera@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/nexthop.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c +index e3e3f3ee9a5be..fe4ebafb7da14 100644 +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -904,8 +904,7 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nexthop *nh, + goto nla_put_failure; + + if (op_flags & NHA_OP_FLAG_DUMP_STATS && +- (nla_put_u32(skb, NHA_HW_STATS_ENABLE, nhg->hw_stats) || +- nla_put_nh_group_stats(skb, nh, op_flags))) ++ nla_put_nh_group_stats(skb, nh, op_flags)) + goto nla_put_failure; + + return 0; +-- +2.53.0 + diff --git a/queue-6.12/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch b/queue-6.12/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch new file mode 100644 index 0000000000..f43ac3cc1d --- /dev/null +++ b/queue-6.12/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch @@ -0,0 +1,62 @@ +From 0d47f7d9163eab3cbd4be1ab1a8256984b714ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 15:58:01 +0800 +Subject: ipvs: fix NULL deref in ip_vs_add_service error path + +From: Weiming Shi + +[ Upstream commit 9a91797e61d286805ae10a92cc48959c30800556 ] + +When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local +variable sched is set to NULL. If ip_vs_start_estimator() subsequently +fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) +with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL +check (because svc->scheduler was set by the successful bind) but then +dereferences the NULL sched parameter at sched->done_service, causing a +kernel panic at offset 0x30 from NULL. + + Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] + RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) + Call Trace: + + ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) + do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) + nf_setsockopt (net/netfilter/nf_sockopt.c:102) + [..] + +Fix by simply not clearing the local sched variable after a successful +bind. ip_vs_unbind_scheduler() already detects whether a scheduler is +installed via svc->scheduler, and keeping sched non-NULL ensures the +error path passes the correct pointer to both ip_vs_unbind_scheduler() +and ip_vs_scheduler_put(). + +While the bug is older, the problem popups in more recent kernels (6.2), +when the new error path is taken after the ip_vs_start_estimator() call. + +Fixes: 705dd3444081 ("ipvs: use kthreads for stats estimation") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Acked-by: Simon Horman +Acked-by: Julian Anastasov +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 3219338feca4d..efa845ce616d9 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -1452,7 +1452,6 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, + ret = ip_vs_bind_scheduler(svc, sched); + if (ret) + goto out_err; +- sched = NULL; + } + + ret = ip_vs_start_estimator(ipvs, &svc->stats); +-- +2.53.0 + diff --git a/queue-6.12/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch b/queue-6.12/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch new file mode 100644 index 0000000000..182994f068 --- /dev/null +++ b/queue-6.12/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch @@ -0,0 +1,78 @@ +From 42d5de90e4cb707a605cce59a9473f9a500d3e8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 09:22:29 +0100 +Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table + +From: Michal Schmidt + +[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ] + +Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by +negotiating supported features") added the .negotiate_features callback +to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot +to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL +on Hyper-V VMs. + +During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), +which unconditionally dereferences hw->mac.ops.negotiate_features(). +On Hyper-V this results in a NULL pointer dereference: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + [...] + Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] + Workqueue: events work_for_cpu_fn + RIP: 0010:0x0 + [...] + Call Trace: + ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] + ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] + ixgbevf_probe+0x20f/0x4a0 [ixgbevf] + local_pci_probe+0x50/0xa0 + work_for_cpu_fn+0x1a/0x30 + [...] + +Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and +wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP +gracefully. + +Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") +Reported-by: Xiaoqiang Xiong +Closes: https://issues.redhat.com/browse/RHEL-155455 +Assisted-by: Claude:claude-4.6-opus-high Cursor +Tested-by: Xiaoqiang Xiong +Signed-off-by: Michal Schmidt +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c +index 708d5dd921acc..70dfda13b7885 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/vf.c ++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c +@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) + return err; + } + ++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw, ++ u32 *pf_features) ++{ ++ return -EOPNOTSUPP; ++} ++ + /** + * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address + * @hw: pointer to the HW structure +@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = { + .setup_link = ixgbevf_setup_mac_link_vf, + .check_link = ixgbevf_hv_check_mac_link_vf, + .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf, ++ .negotiate_features = ixgbevf_hv_negotiate_features_vf, + .set_rar = ixgbevf_hv_set_rar_vf, + .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf, + .update_xcast_mode = ixgbevf_hv_update_xcast_mode, +-- +2.53.0 + diff --git a/queue-6.12/l2tp-drop-large-packets-with-udp-encap.patch b/queue-6.12/l2tp-drop-large-packets-with-udp-encap.patch new file mode 100644 index 0000000000..5f2b368efe --- /dev/null +++ b/queue-6.12/l2tp-drop-large-packets-with-udp-encap.patch @@ -0,0 +1,106 @@ +From d88bd53a44e6031d331d455f51a35bd9f1940baf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 20:49:49 +0300 +Subject: l2tp: Drop large packets with UDP encap + +From: Alice Mikityanska + +[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ] + +syzbot reported a WARN on my patch series [1]. The actual issue is an +overflow of 16-bit UDP length field, and it exists in the upstream code. +My series added a debug WARN with an overflow check that exposed the +issue, that's why syzbot tripped on my patches, rather than on upstream +code. + +syzbot's repro: + +r0 = socket$pppl2tp(0x18, 0x1, 0x1) +r1 = socket$inet6_udp(0xa, 0x2, 0x0) +connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) +connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) +writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) + +It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP +encapsulation, and l2tp_xmit_core doesn't check for overflows when it +assigns the UDP length field. The value gets trimmed to 16 bites. + +Add an overflow check that drops oversized packets and avoids sending +packets with trimmed UDP length to the wire. + +syzbot's stack trace (with my patch applied): + +len >= 65536u +WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 +Modules linked in: +CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] +RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] +RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 +Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f +RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 +RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 +RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff +RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 +R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 +R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 +FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 +Call Trace: + + pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + sock_write_iter+0x503/0x550 net/socket.c:1195 + do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 + vfs_writev+0x33c/0x990 fs/read_write.c:1059 + do_writev+0x154/0x2e0 fs/read_write.c:1105 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f636479c629 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 +RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 +RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 + + +[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/ +Signed-off-by: Alice Mikityanska +Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 95060ff7adc5f..87f29ebed5887 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1290,6 +1290,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + uh->source = inet->inet_sport; + uh->dest = inet->inet_dport; + udp_len = uhlen + session->hdr_len + data_len; ++ if (udp_len > U16_MAX) { ++ kfree_skb(skb); ++ ret = NET_XMIT_DROP; ++ goto out_unlock; ++ } + uh->len = htons(udp_len); + + /* Calculate UDP checksum if configured to do so */ +-- +2.53.0 + diff --git a/queue-6.12/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch b/queue-6.12/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch new file mode 100644 index 0000000000..325be1c9d2 --- /dev/null +++ b/queue-6.12/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch @@ -0,0 +1,49 @@ +From cb3eb535ddf27af85a56d19a609ce360bc05cb63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 10:47:51 +0100 +Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl() + +From: Arnd Bergmann + +[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ] + +The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot +of registers, so when the clang register allocator runs out, it ends up +spilling countless temporaries to the stack: + +drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than] + +Marking this function as noinline_for_stack keeps it out of +rkvdec_vp9_start(), giving the compiler more room for optimization. + +The resulting code is good enough that both the total stack usage +and the loop get enough better to stay under the warning limit, +though it's still slow, and would need a larger rework if this +function ends up being called in a fast path. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/rkvdec/rkvdec-vp9.c b/drivers/staging/media/rkvdec/rkvdec-vp9.c +index 0e7e16f20eeb0..bc74d2d824ef2 100644 +--- a/drivers/staging/media/rkvdec/rkvdec-vp9.c ++++ b/drivers/staging/media/rkvdec/rkvdec-vp9.c +@@ -923,7 +923,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx, + update_ctx_last_info(vp9_ctx); + } + +-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) ++static noinline_for_stack void ++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) + { + struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv; + struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu; +-- +2.53.0 + diff --git a/queue-6.12/net-increase-ip_tunnel_recursion_limit-to-5.patch b/queue-6.12/net-increase-ip_tunnel_recursion_limit-to-5.patch new file mode 100644 index 0000000000..c19bc7d350 --- /dev/null +++ b/queue-6.12/net-increase-ip_tunnel_recursion_limit-to-5.patch @@ -0,0 +1,42 @@ +From 00588c308e3683942e641c20dec52469b4cd6448 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:23:16 -0500 +Subject: net: increase IP_TUNNEL_RECURSION_LIMIT to 5 + +From: Chris J Arges + +[ Upstream commit 77facb35227c421467cdb49268de433168c2dcef ] + +In configurations with multiple tunnel layers and MPLS lwtunnel routing, a +single tunnel hop can increment the counter beyond this limit. This causes +packets to be dropped with the "Dead loop on virtual device" message even +when a routing loop doesn't exist. + +Increase IP_TUNNEL_RECURSION_LIMIT from 4 to 5 to handle this use-case. + +Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") +Link: https://lore.kernel.org/netdev/88deb91b-ef1b-403c-8eeb-0f971f27e34f@redhat.com/ +Signed-off-by: Chris J Arges +Link: https://patch.msgid.link/20260402222401.3408368-1-carges@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 0a5556ef16729..583fd1afd2387 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -29,7 +29,7 @@ + * recursion involves route lookups and full IP output, consuming much + * more stack per level, so a lower limit is needed. + */ +-#define IP_TUNNEL_RECURSION_LIMIT 4 ++#define IP_TUNNEL_RECURSION_LIMIT 5 + + /* Keep error state on tunnel for 30 sec */ + #define IPTUNNEL_ERR_TIMEO (30*HZ) +-- +2.53.0 + diff --git a/queue-6.12/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch b/queue-6.12/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch new file mode 100644 index 0000000000..996f1c7035 --- /dev/null +++ b/queue-6.12/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch @@ -0,0 +1,49 @@ +From e5a6a474e1c4e94f006fa0a9ef6918fa8801725a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 18:43:48 +0200 +Subject: net: ipa: fix event ring index not programmed for IPA v5.0+ + +From: Alexander Koskovich + +[ Upstream commit 56007972c0b1e783ca714d6f1f4d6e66e531d21f ] + +For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to +CH_C_CNTXT_1. The v5.0 register definition intended to define this +field in the CH_C_CNTXT_1 fmask array but used the old identifier of +ERINDEX instead of CH_ERINDEX. + +Without a valid event ring, GSI channels could never signal transfer +completions. This caused gsi_channel_trans_quiesce() to block +forever in wait_for_completion(). + +At least for IPA v5.2 this resolves an issue seen where runtime +suspend, system suspend, and remoteproc stop all hanged forever. It +also meant the IPA data path was completely non functional. + +Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions") +Signed-off-by: Alexander Koskovich +Signed-off-by: Luca Weiss +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260403-milos-ipa-v1-2-01e9e4e03d3e@fairphone.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/reg/gsi_reg-v5.0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c +index 3334d8e20ad28..6c4a7fbe4de94 100644 +--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c ++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c +@@ -30,7 +30,7 @@ REG_STRIDE_FIELDS(CH_C_CNTXT_0, ch_c_cntxt_0, + + static const u32 reg_ch_c_cntxt_1_fmask[] = { + [CH_R_LENGTH] = GENMASK(23, 0), +- [ERINDEX] = GENMASK(31, 24), ++ [CH_ERINDEX] = GENMASK(31, 24), + }; + + REG_STRIDE_FIELDS(CH_C_CNTXT_1, ch_c_cntxt_1, +-- +2.53.0 + diff --git a/queue-6.12/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch b/queue-6.12/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch new file mode 100644 index 0000000000..c3f15de767 --- /dev/null +++ b/queue-6.12/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch @@ -0,0 +1,47 @@ +From 03fc6a5113872e897ed075b344d9a7f1fdbbb574 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 18:43:47 +0200 +Subject: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ + +From: Alexander Koskovich + +[ Upstream commit 9709b56d908acc120fe8b4ae250b3c9d749ea832 ] + +Fix the field masks to match the hardware layout documented in +downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*). + +Notably this fixes a WARN I was seeing when I tried to send "stop" +to the MPSS remoteproc while IPA was up. + +Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions") +Signed-off-by: Alexander Koskovich +Signed-off-by: Luca Weiss +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260403-milos-ipa-v1-1-01e9e4e03d3e@fairphone.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/reg/gsi_reg-v5.0.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c +index 36d1e65df71bb..3334d8e20ad28 100644 +--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c ++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c +@@ -156,9 +156,10 @@ REG_FIELDS(EV_CH_CMD, ev_ch_cmd, 0x00025010 + 0x12000 * GSI_EE_AP); + + static const u32 reg_generic_cmd_fmask[] = { + [GENERIC_OPCODE] = GENMASK(4, 0), +- [GENERIC_CHID] = GENMASK(9, 5), +- [GENERIC_EE] = GENMASK(13, 10), +- /* Bits 14-31 reserved */ ++ [GENERIC_CHID] = GENMASK(12, 5), ++ [GENERIC_EE] = GENMASK(16, 13), ++ /* Bits 17-23 reserved */ ++ [GENERIC_PARAMS] = GENMASK(31, 24), + }; + + REG_FIELDS(GENERIC_CMD, generic_cmd, 0x00025018 + 0x12000 * GSI_EE_AP); +-- +2.53.0 + diff --git a/queue-6.12/net-lapbether-handle-netdev_pre_type_change.patch b/queue-6.12/net-lapbether-handle-netdev_pre_type_change.patch new file mode 100644 index 0000000000..adaa97374d --- /dev/null +++ b/queue-6.12/net-lapbether-handle-netdev_pre_type_change.patch @@ -0,0 +1,77 @@ +From e02b2bab129ca3810fea3c7fe48e7bfb9025c35b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:35:19 +0000 +Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE + +From: Eric Dumazet + +[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ] + +lapbeth_data_transmit() expects the underlying device type +to be ARPHRD_ETHER. + +Returning NOTIFY_BAD from lapbeth_device_event() makes sure +bonding driver can not break this expectation. + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin Schiller +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index 56326f38fe8a3..da61716a66c46 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth) + static int lapbeth_device_event(struct notifier_block *this, + unsigned long event, void *ptr) + { +- struct lapbethdev *lapbeth; + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct lapbethdev *lapbeth; + + if (dev_net(dev) != &init_net) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev)) ++ lapbeth = lapbeth_get_x25_dev(dev); ++ if (!dev_is_ethdev(dev) && !lapbeth) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: + /* New ethernet device -> new LAPB interface */ +- if (!lapbeth_get_x25_dev(dev)) ++ if (!lapbeth) + lapbeth_new_device(dev); + break; + case NETDEV_GOING_DOWN: + /* ethernet device closes -> close LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + dev_close(lapbeth->axdev); + break; + case NETDEV_UNREGISTER: + /* ethernet device disappears -> remove LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + lapbeth_free_device(lapbeth); + break; ++ case NETDEV_PRE_TYPE_CHANGE: ++ /* Our underlying device type must not change. */ ++ if (lapbeth) ++ return NOTIFY_BAD; + } + + return NOTIFY_DONE; +-- +2.53.0 + diff --git a/queue-6.12/net-sched-act_csum-validate-nested-vlan-headers.patch b/queue-6.12/net-sched-act_csum-validate-nested-vlan-headers.patch new file mode 100644 index 0000000000..c3ba5339b4 --- /dev/null +++ b/queue-6.12/net-sched-act_csum-validate-nested-vlan-headers.patch @@ -0,0 +1,60 @@ +From 12cb5488f2a5a8f85ce8e10b31869a1175edac96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 22:46:20 +0800 +Subject: net: sched: act_csum: validate nested VLAN headers + +From: Ruide Cao + +[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ] + +tcf_csum_act() walks nested VLAN headers directly from skb->data when an +skb still carries in-payload VLAN tags. The current code reads +vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without +first ensuring that the full VLAN header is present in the linear area. + +If only part of an inner VLAN header is linearized, accessing +h_vlan_encapsulated_proto reads past the linear area, and the following +skb_pull(VLAN_HLEN) may violate skb invariants. + +Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and +pulling each nested VLAN header. If the header still is not fully +available, drop the packet through the existing error path. + +Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_csum.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 5cc8e407e7911..8ea37c2c3c549 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -603,8 +603,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb, + protocol = skb->protocol; + orig_vlan_tag_present = true; + } else { +- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data; ++ struct vlan_hdr *vlan; + ++ if (!pskb_may_pull(skb, VLAN_HLEN)) ++ goto drop; ++ ++ vlan = (struct vlan_hdr *)skb->data; + protocol = vlan->h_vlan_encapsulated_proto; + skb_pull(skb, VLAN_HLEN); + skb_reset_network_header(skb); +-- +2.53.0 + diff --git a/queue-6.12/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch b/queue-6.12/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch new file mode 100644 index 0000000000..1adb9bac3d --- /dev/null +++ b/queue-6.12/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch @@ -0,0 +1,65 @@ +From 0630bb99c61e90c2a85eeb131cfc7b57c0f93742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 13:23:33 +0000 +Subject: net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules + +From: John Pavlick + +[ Upstream commit 95aca8602ef70ffd3d971675751c81826e124f90 ] + +Several GPON ONT SFP sticks based on Realtek RTL960x report +1000BASE-LX at 1300MBd in their EEPROM but can operate at 2500base-X. +On hosts capable of 2500base-X (e.g. Banana Pi R3 / MT7986), the +kernel negotiates only 1G because it trusts the incorrect EEPROM data. + +Add quirks for: +- Hisense-Leox LXT-010S-H +- Hisense ZNID-GPON-2311NA +- HSGQ HSGQ-XPON-Stick + +Each quirk advertises 2500base-X and ignores TX_FAULT during the +module's ~40s Linux boot time. + +Tested on Banana Pi R3 (MT7986) with OpenWrt 25.12.1, confirmed +2.5Gbps link and full throughput with flow offloading. + +Reviewed-by: Russell King (Oracle) +Suggested-by: Marcin Nita +Signed-off-by: John Pavlick +Link: https://patch.msgid.link/20260406132321.72563-1-jspavlick@posteo.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 9d9c1779da900..90ffba8f79520 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -536,6 +536,22 @@ static const struct sfp_quirk sfp_quirks[] = { + SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex, + sfp_fixup_ignore_tx_fault_and_los), + ++ // Hisense LXT-010S-H is a GPON ONT SFP (sold as LEOX LXT-010S-H) that ++ // can operate at 2500base-X, but reports 1000BASE-LX / 1300MBd in its ++ // EEPROM ++ SFP_QUIRK("Hisense-Leox", "LXT-010S-H", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ ++ // Hisense ZNID-GPON-2311NA can operate at 2500base-X, but reports ++ // 1000BASE-LX / 1300MBd in its EEPROM ++ SFP_QUIRK("Hisense", "ZNID-GPON-2311NA", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ ++ // HSGQ HSGQ-XPON-Stick can operate at 2500base-X, but reports ++ // 1000BASE-LX / 1300MBd in its EEPROM ++ SFP_QUIRK("HSGQ", "HSGQ-XPON-Stick", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ + // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but + // incorrectly report 2500MBd NRZ in their EEPROM. + // Some 8330-265D modules have inverted LOS, while all of them report +-- +2.53.0 + diff --git a/queue-6.12/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch b/queue-6.12/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch new file mode 100644 index 0000000000..973ac0bce8 --- /dev/null +++ b/queue-6.12/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch @@ -0,0 +1,83 @@ +From 395d3e862d7c47c263527f7eb326c66a9f0547f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:39 +0100 +Subject: net: stmmac: Fix PTP ref clock for Tegra234 + +From: Jon Hunter + +[ Upstream commit 1345e9f4e3f3bc7d8a0a2138ae29e205a857a555 ] + +Since commit 030ce919e114 ("net: stmmac: make sure that ptp_rate is not +0 before configuring timestamping") was added the following error is +observed on Tegra234: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +It turns out that the Tegra234 device-tree binding defines the PTP ref +clock name as 'ptp-ref' and not 'ptp_ref' and the above commit now +exposes this and that the PTP clock is not configured correctly. + +In order to update device-tree to use the correct 'ptp_ref' name, update +the Tegra MGBE driver to use 'ptp_ref' by default and fallback to using +'ptp-ref' if this clock name is present. + +Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support") +Signed-off-by: Jon Hunter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260401102941.17466-2-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac-tegra.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +index 2996bcdea9a28..1e28ac9344771 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +@@ -9,7 +9,7 @@ + #include "stmmac_platform.h" + + static const char *const mgbe_clks[] = { +- "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp-ref", "mac" ++ "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp_ref", "mac" + }; + + struct tegra_mgbe { +@@ -215,6 +215,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + { + struct plat_stmmacenet_data *plat; + struct stmmac_resources res; ++ bool use_legacy_ptp = false; + struct tegra_mgbe *mgbe; + int irq, err, i; + u32 value; +@@ -257,9 +258,23 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + if (!mgbe->clks) + return -ENOMEM; + +- for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) ++ /* Older device-trees use 'ptp-ref' rather than 'ptp_ref'. ++ * Fall back when the legacy name is present. ++ */ ++ if (of_property_match_string(pdev->dev.of_node, "clock-names", ++ "ptp-ref") >= 0) ++ use_legacy_ptp = true; ++ ++ for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) { + mgbe->clks[i].id = mgbe_clks[i]; + ++ if (use_legacy_ptp && !strcmp(mgbe_clks[i], "ptp_ref")) { ++ dev_warn(mgbe->dev, ++ "Device-tree update needed for PTP clock!\n"); ++ mgbe->clks[i].id = "ptp-ref"; ++ } ++ } ++ + err = devm_clk_bulk_get(mgbe->dev, ARRAY_SIZE(mgbe_clks), mgbe->clks); + if (err < 0) + return err; +-- +2.53.0 + diff --git a/queue-6.12/net-txgbe-leave-space-for-null-terminators-on-proper.patch b/queue-6.12/net-txgbe-leave-space-for-null-terminators-on-proper.patch new file mode 100644 index 0000000000..05921dceb7 --- /dev/null +++ b/queue-6.12/net-txgbe-leave-space-for-null-terminators-on-proper.patch @@ -0,0 +1,48 @@ +From 69a25f1e4133f816ff17461f2502b6fb99bad78b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 23:20:13 +0100 +Subject: net: txgbe: leave space for null terminators on property_entry + +From: Fabio Baltieri + +[ Upstream commit 5a37d228799b0ec2c277459c83c814a59d310bc3 ] + +Lists of struct property_entry are supposed to be terminated with an +empty property, this driver currently seems to be allocating exactly the +amount of entry used. + +Change the struct definition to leave an extra element for all +property_entry. + +Fixes: c3e382ad6d15 ("net: txgbe: Add software nodes to support phylink") +Signed-off-by: Fabio Baltieri +Tested-by: Jiawen Wu +Link: https://patch.msgid.link/20260405222013.5347-1-fabio.baltieri@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +index 5fe415f3f2ca9..27f8db89a5c7e 100644 +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +@@ -295,10 +295,10 @@ struct txgbe_nodes { + char i2c_name[32]; + char sfp_name[32]; + char phylink_name[32]; +- struct property_entry gpio_props[1]; +- struct property_entry i2c_props[3]; +- struct property_entry sfp_props[8]; +- struct property_entry phylink_props[2]; ++ struct property_entry gpio_props[2]; ++ struct property_entry i2c_props[4]; ++ struct property_entry sfp_props[9]; ++ struct property_entry phylink_props[3]; + struct software_node_ref_args i2c_ref[1]; + struct software_node_ref_args gpio0_ref[1]; + struct software_node_ref_args gpio1_ref[1]; +-- +2.53.0 + diff --git a/queue-6.12/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch b/queue-6.12/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch new file mode 100644 index 0000000000..c8f609f7af --- /dev/null +++ b/queue-6.12/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch @@ -0,0 +1,51 @@ +From 0910f5d215de89acf8c15ec047a92c76a6379ed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 17:39:47 +0800 +Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets + +From: Zhengchuan Liang + +[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ] + +`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address +and compares it with the low 64 bits of the IPv6 source address. + +The existing guard only rejects an invalid MAC header when +`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` +can still reach `eth_hdr(skb)` even when the MAC header is not valid. + +Fix this by removing the `par->fragoff != 0` condition so that packets +with an invalid MAC header are rejected before accessing `eth_hdr(skb)`. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6t_eui64.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c +index d704f7ed300c2..da69a27e8332c 100644 +--- a/net/ipv6/netfilter/ip6t_eui64.c ++++ b/net/ipv6/netfilter/ip6t_eui64.c +@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) + unsigned char eui64[8]; + + if (!(skb_mac_header(skb) >= skb->head && +- skb_mac_header(skb) + ETH_HLEN <= skb->data) && +- par->fragoff != 0) { ++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) { + par->hotdrop = true; + return false; + } +-- +2.53.0 + diff --git a/queue-6.12/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch b/queue-6.12/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch new file mode 100644 index 0000000000..9aaa6fe4bf --- /dev/null +++ b/queue-6.12/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch @@ -0,0 +1,52 @@ +From 6b88de03c5c7964bd768d951f4ee486cff01ad97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 14:20:57 -0700 +Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE + terminator + +From: Xiang Mei + +[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ] + +When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() +appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via +nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() +helper only zeroes alignment padding after the payload, not the payload +itself, so four bytes of stale kernel heap data are leaked to userspace +in the NLMSG_DONE message body. + +Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes +the nfgenmsg payload via nfnl_fill_hdr(), consistent with how +__build_packet_message() already constructs NFULNL_MSG_PACKET headers. + +Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index f96421ad14afb..3da32d2f68e09 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -361,10 +361,10 @@ static void + __nfulnl_send(struct nfulnl_instance *inst) + { + if (inst->qlen > 1) { +- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, +- NLMSG_DONE, +- sizeof(struct nfgenmsg), +- 0); ++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0, ++ NLMSG_DONE, 0, ++ AF_UNSPEC, NFNETLINK_V0, ++ htons(inst->group_num)); + if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", + inst->skb->len, skb_tailroom(inst->skb))) { + kfree_skb(inst->skb); +-- +2.53.0 + diff --git a/queue-6.12/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch b/queue-6.12/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch new file mode 100644 index 0000000000..eac1fe3754 --- /dev/null +++ b/queue-6.12/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch @@ -0,0 +1,314 @@ +From b5d33c89d512a5aa10d68fb6dc8e12009d212e98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 17:00:01 +0200 +Subject: netfilter: nfnetlink_queue: make hash table per queue + +From: Florian Westphal + +[ Upstream commit 936206e3f6ff411581e615e930263d6f8b78df9d ] + +Sharing a global hash table among all queues is tempting, but +it can cause crash: + +BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] +[..] + nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] + nfnetlink_rcv_msg+0x46a/0x930 + kmem_cache_alloc_node_noprof+0x11e/0x450 + +struct nf_queue_entry is freed via kfree, but parallel cpu can still +encounter such an nf_queue_entry when walking the list. + +Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, +but as we have to alloc/free for each skb this will cause more mem +pressure. + +Cc: Scott Mitchell +Fixes: e19079adcd26 ("netfilter: nfnetlink_queue: optimize verdict lookup with hash table") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_queue.h | 1 - + net/netfilter/nfnetlink_queue.c | 139 +++++++++++-------------------- + 2 files changed, 49 insertions(+), 91 deletions(-) + +diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h +index 45eb26b2e95b3..d17035d14d96c 100644 +--- a/include/net/netfilter/nf_queue.h ++++ b/include/net/netfilter/nf_queue.h +@@ -23,7 +23,6 @@ struct nf_queue_entry { + struct nf_hook_state state; + bool nf_ct_is_unconfirmed; + u16 size; /* sizeof(entry) + saved route keys */ +- u16 queue_num; + + /* extra space to store route keys */ + }; +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 5ab750556e992..cc52ff7b7bcfc 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -49,8 +49,8 @@ + #endif + + #define NFQNL_QMAX_DEFAULT 1024 +-#define NFQNL_HASH_MIN 1024 +-#define NFQNL_HASH_MAX 1048576 ++#define NFQNL_HASH_MIN 8 ++#define NFQNL_HASH_MAX 32768 + + /* We're using struct nlattr which has 16bit nla_len. Note that nla_len + * includes the header length. Thus, the maximum packet length that we +@@ -60,29 +60,10 @@ + */ + #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN) + +-/* Composite key for packet lookup: (net, queue_num, packet_id) */ +-struct nfqnl_packet_key { +- possible_net_t net; +- u32 packet_id; +- u16 queue_num; +-} __aligned(sizeof(u32)); /* jhash2 requires 32-bit alignment */ +- +-/* Global rhashtable - one for entire system, all netns */ +-static struct rhashtable nfqnl_packet_map __read_mostly; +- +-/* Helper to initialize composite key */ +-static inline void nfqnl_init_key(struct nfqnl_packet_key *key, +- struct net *net, u32 packet_id, u16 queue_num) +-{ +- memset(key, 0, sizeof(*key)); +- write_pnet(&key->net, net); +- key->packet_id = packet_id; +- key->queue_num = queue_num; +-} +- + struct nfqnl_instance { + struct hlist_node hlist; /* global list of queues */ +- struct rcu_head rcu; ++ struct rhashtable nfqnl_packet_map; ++ struct rcu_work rwork; + + u32 peer_portid; + unsigned int queue_maxlen; +@@ -106,6 +87,7 @@ struct nfqnl_instance { + + typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long); + ++static struct workqueue_struct *nfq_cleanup_wq __read_mostly; + static unsigned int nfnl_queue_net_id __read_mostly; + + #define INSTANCE_BUCKETS 16 +@@ -124,34 +106,10 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num) + return ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS; + } + +-/* Extract composite key from nf_queue_entry for hashing */ +-static u32 nfqnl_packet_obj_hashfn(const void *data, u32 len, u32 seed) +-{ +- const struct nf_queue_entry *entry = data; +- struct nfqnl_packet_key key; +- +- nfqnl_init_key(&key, entry->state.net, entry->id, entry->queue_num); +- +- return jhash2((u32 *)&key, sizeof(key) / sizeof(u32), seed); +-} +- +-/* Compare stack-allocated key against entry */ +-static int nfqnl_packet_obj_cmpfn(struct rhashtable_compare_arg *arg, +- const void *obj) +-{ +- const struct nfqnl_packet_key *key = arg->key; +- const struct nf_queue_entry *entry = obj; +- +- return !net_eq(entry->state.net, read_pnet(&key->net)) || +- entry->queue_num != key->queue_num || +- entry->id != key->packet_id; +-} +- + static const struct rhashtable_params nfqnl_rhashtable_params = { + .head_offset = offsetof(struct nf_queue_entry, hash_node), +- .key_len = sizeof(struct nfqnl_packet_key), +- .obj_hashfn = nfqnl_packet_obj_hashfn, +- .obj_cmpfn = nfqnl_packet_obj_cmpfn, ++ .key_offset = offsetof(struct nf_queue_entry, id), ++ .key_len = sizeof(u32), + .automatic_shrinking = true, + .min_size = NFQNL_HASH_MIN, + .max_size = NFQNL_HASH_MAX, +@@ -190,6 +148,10 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + spin_lock_init(&inst->lock); + INIT_LIST_HEAD(&inst->queue_list); + ++ err = rhashtable_init(&inst->nfqnl_packet_map, &nfqnl_rhashtable_params); ++ if (err < 0) ++ goto out_free; ++ + spin_lock(&q->instances_lock); + if (instance_lookup(q, queue_num)) { + err = -EEXIST; +@@ -210,6 +172,8 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + + out_unlock: + spin_unlock(&q->instances_lock); ++ rhashtable_destroy(&inst->nfqnl_packet_map); ++out_free: + kfree(inst); + return ERR_PTR(err); + } +@@ -217,15 +181,18 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, + unsigned long data); + +-static void +-instance_destroy_rcu(struct rcu_head *head) ++static void instance_destroy_work(struct work_struct *work) + { +- struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance, +- rcu); ++ struct nfqnl_instance *inst; + ++ inst = container_of(to_rcu_work(work), struct nfqnl_instance, ++ rwork); + rcu_read_lock(); + nfqnl_flush(inst, NULL, 0); + rcu_read_unlock(); ++ ++ rhashtable_destroy(&inst->nfqnl_packet_map); ++ + kfree(inst); + module_put(THIS_MODULE); + } +@@ -234,7 +201,9 @@ static void + __instance_destroy(struct nfqnl_instance *inst) + { + hlist_del_rcu(&inst->hlist); +- call_rcu(&inst->rcu, instance_destroy_rcu); ++ ++ INIT_RCU_WORK(&inst->rwork, instance_destroy_work); ++ queue_rcu_work(nfq_cleanup_wq, &inst->rwork); + } + + static void +@@ -250,9 +219,7 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + { + int err; + +- entry->queue_num = queue->queue_num; +- +- err = rhashtable_insert_fast(&nfqnl_packet_map, &entry->hash_node, ++ err = rhashtable_insert_fast(&queue->nfqnl_packet_map, &entry->hash_node, + nfqnl_rhashtable_params); + if (unlikely(err)) + return err; +@@ -266,23 +233,19 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + static void + __dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + { +- rhashtable_remove_fast(&nfqnl_packet_map, &entry->hash_node, ++ rhashtable_remove_fast(&queue->nfqnl_packet_map, &entry->hash_node, + nfqnl_rhashtable_params); + list_del(&entry->list); + queue->queue_total--; + } + + static struct nf_queue_entry * +-find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id, +- struct net *net) ++find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id) + { +- struct nfqnl_packet_key key; + struct nf_queue_entry *entry; + +- nfqnl_init_key(&key, net, id, queue->queue_num); +- + spin_lock_bh(&queue->lock); +- entry = rhashtable_lookup_fast(&nfqnl_packet_map, &key, ++ entry = rhashtable_lookup_fast(&queue->nfqnl_packet_map, &id, + nfqnl_rhashtable_params); + + if (entry) +@@ -1529,7 +1492,7 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + verdict = ntohl(vhdr->verdict); + +- entry = find_dequeue_entry(queue, ntohl(vhdr->id), info->net); ++ entry = find_dequeue_entry(queue, ntohl(vhdr->id)); + if (entry == NULL) + return -ENOENT; + +@@ -1878,40 +1841,38 @@ static int __init nfnetlink_queue_init(void) + { + int status; + +- status = rhashtable_init(&nfqnl_packet_map, &nfqnl_rhashtable_params); +- if (status < 0) +- return status; ++ nfq_cleanup_wq = alloc_ordered_workqueue("nfq_workqueue", 0); ++ if (!nfq_cleanup_wq) ++ return -ENOMEM; + + status = register_pernet_subsys(&nfnl_queue_net_ops); +- if (status < 0) { +- pr_err("failed to register pernet ops\n"); +- goto cleanup_rhashtable; +- } ++ if (status < 0) ++ goto cleanup_pernet_subsys; + +- netlink_register_notifier(&nfqnl_rtnl_notifier); +- status = nfnetlink_subsys_register(&nfqnl_subsys); +- if (status < 0) { +- pr_err("failed to create netlink socket\n"); +- goto cleanup_netlink_notifier; +- } ++ status = netlink_register_notifier(&nfqnl_rtnl_notifier); ++ if (status < 0) ++ goto cleanup_rtnl_notifier; + + status = register_netdevice_notifier(&nfqnl_dev_notifier); +- if (status < 0) { +- pr_err("failed to register netdevice notifier\n"); +- goto cleanup_netlink_subsys; +- } ++ if (status < 0) ++ goto cleanup_dev_notifier; ++ ++ status = nfnetlink_subsys_register(&nfqnl_subsys); ++ if (status < 0) ++ goto cleanup_nfqnl_subsys; + + nf_register_queue_handler(&nfqh); + + return status; + +-cleanup_netlink_subsys: +- nfnetlink_subsys_unregister(&nfqnl_subsys); +-cleanup_netlink_notifier: ++cleanup_nfqnl_subsys: ++ unregister_netdevice_notifier(&nfqnl_dev_notifier); ++cleanup_dev_notifier: + netlink_unregister_notifier(&nfqnl_rtnl_notifier); ++cleanup_rtnl_notifier: + unregister_pernet_subsys(&nfnl_queue_net_ops); +-cleanup_rhashtable: +- rhashtable_destroy(&nfqnl_packet_map); ++cleanup_pernet_subsys: ++ destroy_workqueue(nfq_cleanup_wq); + return status; + } + +@@ -1922,9 +1883,7 @@ static void __exit nfnetlink_queue_fini(void) + nfnetlink_subsys_unregister(&nfqnl_subsys); + netlink_unregister_notifier(&nfqnl_rtnl_notifier); + unregister_pernet_subsys(&nfnl_queue_net_ops); +- +- rhashtable_destroy(&nfqnl_packet_map); +- ++ destroy_workqueue(nfq_cleanup_wq); + rcu_barrier(); /* Wait for completion of call_rcu()'s */ + } + +-- +2.53.0 + diff --git a/queue-6.12/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch b/queue-6.12/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch new file mode 100644 index 0000000000..23dc0ae839 --- /dev/null +++ b/queue-6.12/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch @@ -0,0 +1,176 @@ +From 9a80bd4b2e47dc47267455d475171a2a7e6c27f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jan 2026 09:32:30 -0800 +Subject: netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> + GFP_KERNEL_ACCOUNT allocation + +From: Scott Mitchell + +[ Upstream commit a4400a5b343d1bc4aa8f685608515413238e7ee2 ] + +Currently, instance_create() uses GFP_ATOMIC because it's called while +holding instances_lock spinlock. This makes allocation more likely to +fail under memory pressure. + +Refactor nfqnl_recv_config() to drop RCU lock after instance_lookup() +and peer_portid verification. A socket cannot simultaneously send a +message and close, so the queue owned by the sending socket cannot be +destroyed while processing its CONFIG message. This allows +instance_create() to allocate with GFP_KERNEL_ACCOUNT before taking +the spinlock. + +Suggested-by: Florian Westphal +Signed-off-by: Scott Mitchell +Signed-off-by: Florian Westphal +Stable-dep-of: 936206e3f6ff ("netfilter: nfnetlink_queue: make hash table per queue") +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 75 +++++++++++++++------------------ + 1 file changed, 34 insertions(+), 41 deletions(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index df0232cf24ce2..5ab750556e992 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -178,17 +178,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + unsigned int h; + int err; + +- spin_lock(&q->instances_lock); +- if (instance_lookup(q, queue_num)) { +- err = -EEXIST; +- goto out_unlock; +- } +- +- inst = kzalloc(sizeof(*inst), GFP_ATOMIC); +- if (!inst) { +- err = -ENOMEM; +- goto out_unlock; +- } ++ inst = kzalloc(sizeof(*inst), GFP_KERNEL_ACCOUNT); ++ if (!inst) ++ return ERR_PTR(-ENOMEM); + + inst->queue_num = queue_num; + inst->peer_portid = portid; +@@ -198,9 +190,15 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + spin_lock_init(&inst->lock); + INIT_LIST_HEAD(&inst->queue_list); + ++ spin_lock(&q->instances_lock); ++ if (instance_lookup(q, queue_num)) { ++ err = -EEXIST; ++ goto out_unlock; ++ } ++ + if (!try_module_get(THIS_MODULE)) { + err = -EAGAIN; +- goto out_free; ++ goto out_unlock; + } + + h = instance_hashfn(queue_num); +@@ -210,10 +208,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + + return inst; + +-out_free: +- kfree(inst); + out_unlock: + spin_unlock(&q->instances_lock); ++ kfree(inst); + return ERR_PTR(err); + } + +@@ -1602,7 +1599,8 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + struct nfqnl_msg_config_cmd *cmd = NULL; + struct nfqnl_instance *queue; + __u32 flags = 0, mask = 0; +- int ret = 0; ++ ++ WARN_ON_ONCE(!lockdep_nfnl_is_held(NFNL_SUBSYS_QUEUE)); + + if (nfqa[NFQA_CFG_CMD]) { + cmd = nla_data(nfqa[NFQA_CFG_CMD]); +@@ -1648,47 +1646,44 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + } + } + ++ /* Lookup queue under RCU. After peer_portid check (or for new queue ++ * in BIND case), the queue is owned by the socket sending this message. ++ * A socket cannot simultaneously send a message and close, so while ++ * processing this CONFIG message, nfqnl_rcv_nl_event() (triggered by ++ * socket close) cannot destroy this queue. Safe to use without RCU. ++ */ + rcu_read_lock(); + queue = instance_lookup(q, queue_num); + if (queue && queue->peer_portid != NETLINK_CB(skb).portid) { +- ret = -EPERM; +- goto err_out_unlock; ++ rcu_read_unlock(); ++ return -EPERM; + } ++ rcu_read_unlock(); + + if (cmd != NULL) { + switch (cmd->command) { + case NFQNL_CFG_CMD_BIND: +- if (queue) { +- ret = -EBUSY; +- goto err_out_unlock; +- } +- queue = instance_create(q, queue_num, +- NETLINK_CB(skb).portid); +- if (IS_ERR(queue)) { +- ret = PTR_ERR(queue); +- goto err_out_unlock; +- } ++ if (queue) ++ return -EBUSY; ++ queue = instance_create(q, queue_num, NETLINK_CB(skb).portid); ++ if (IS_ERR(queue)) ++ return PTR_ERR(queue); + break; + case NFQNL_CFG_CMD_UNBIND: +- if (!queue) { +- ret = -ENODEV; +- goto err_out_unlock; +- } ++ if (!queue) ++ return -ENODEV; + instance_destroy(q, queue); +- goto err_out_unlock; ++ return 0; + case NFQNL_CFG_CMD_PF_BIND: + case NFQNL_CFG_CMD_PF_UNBIND: + break; + default: +- ret = -ENOTSUPP; +- goto err_out_unlock; ++ return -EOPNOTSUPP; + } + } + +- if (!queue) { +- ret = -ENODEV; +- goto err_out_unlock; +- } ++ if (!queue) ++ return -ENODEV; + + if (nfqa[NFQA_CFG_PARAMS]) { + struct nfqnl_msg_config_params *params = +@@ -1713,9 +1708,7 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + spin_unlock_bh(&queue->lock); + } + +-err_out_unlock: +- rcu_read_unlock(); +- return ret; ++ return 0; + } + + static const struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = { +-- +2.53.0 + diff --git a/queue-6.12/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch b/queue-6.12/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch new file mode 100644 index 0000000000..c14c8eab24 --- /dev/null +++ b/queue-6.12/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch @@ -0,0 +1,161 @@ +From d95d7c8dcd9e00e31095fdbba1fb96878bb520a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:10:55 +0100 +Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on + expiry + +From: Florian Westphal + +[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ] + +New test case fails unexpectedly when avx2 matching functions are used. + +The test first loads a ranomly generated pipapo set +with 'ipv4 . port' key, i.e. nft -f foo. + +This works. Then, it reloads the set after a flush: +(echo flush set t s; cat foo) | nft -f - + +This is expected to work, because its the same set after all and it was +already loaded once. + +But with avx2, this fails: nft reports a clashing element. + +The reported clash is of following form: + + We successfully re-inserted + a . b + c . d + +Then we try to insert a . d + +avx2 finds the already existing a . d, which (due to 'flush set') is marked +as invalid in the new generation. It skips the element and moves to next. + +Due to incorrect masking, the skip-step finds the next matching +element *only considering the first field*, + +i.e. we return the already reinserted "a . b", even though the +last field is different and the entry should not have been matched. + +No such error is reported for the generic c implementation (no avx2) or when +the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. + +Bisection points to +7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") +but that fix merely uncovers this bug. + +Before this commit, the wrong element is returned, but erronously +reported as a full, identical duplicate. + +The root-cause is too early return in the avx2 match functions. +When we process the last field, we should continue to process data +until the entire input size has been consumed to make sure no stale +bits remain in the map. + +Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/ +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index 39e356c9687a9..9d5ada57aa6fe 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +-- +2.53.0 + diff --git a/queue-6.12/netfilter-xt_multiport-validate-range-encoding-in-ch.patch b/queue-6.12/netfilter-xt_multiport-validate-range-encoding-in-ch.patch new file mode 100644 index 0000000000..4ab52ce211 --- /dev/null +++ b/queue-6.12/netfilter-xt_multiport-validate-range-encoding-in-ch.patch @@ -0,0 +1,99 @@ +From 964b0fcd7be43fb526d8f148f4049dd942d0f7d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 23:52:52 +0800 +Subject: netfilter: xt_multiport: validate range encoding in checkentry + +From: Ren Wei + +[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ] + +ports_match_v1() treats any non-zero pflags entry as the start of a +port range and unconditionally consumes the next ports[] element as +the range end. + +The checkentry path currently validates protocol, flags and count, but +it does not validate the range encoding itself. As a result, malformed +rules can mark the last slot as a range start or place two range starts +back to back, leaving ports_match_v1() to step past the last valid +ports[] element while interpreting the rule. + +Reject malformed multiport v1 rules in checkentry by validating that +each range start has a following element and that the following element +is not itself marked as another range start. + +Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuhang Zheng +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c +index 44a00f5acde8a..a1691ff405d3c 100644 +--- a/net/netfilter/xt_multiport.c ++++ b/net/netfilter/xt_multiport.c +@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) + return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); + } + ++static bool ++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < multiinfo->count; i++) { ++ if (!multiinfo->pflags[i]) ++ continue; ++ ++ if (++i >= multiinfo->count) ++ return false; ++ ++ if (multiinfo->pflags[i]) ++ return false; ++ ++ if (multiinfo->ports[i - 1] > multiinfo->ports[i]) ++ return false; ++ } ++ ++ return true; ++} ++ + static inline bool + check(u_int16_t proto, + u_int8_t ip_invflags, +@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par) + const struct ipt_ip *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static int multiport_mt6_check(const struct xt_mtchk_param *par) +@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par) + const struct ip6t_ip6 *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static struct xt_match multiport_mt_reg[] __read_mostly = { +-- +2.53.0 + diff --git a/queue-6.12/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch b/queue-6.12/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch new file mode 100644 index 0000000000..fe37efa32c --- /dev/null +++ b/queue-6.12/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch @@ -0,0 +1,61 @@ +From b5a32b46055a43cc823e3f3529942c7db8802c2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 12:21:48 +0800 +Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes + +From: Pengpeng Hou + +[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ] + +s3fwrn82_uart_read() reports the number of accepted bytes to the serdev +core. The current code consumes bytes into recv_skb and may already +deliver a complete frame before allocating a fresh receive buffer. + +If that alloc_skb() fails, the callback returns 0 even though it has +already consumed bytes, and it leaves recv_skb as NULL for the next +receive callback. That breaks the receive_buf() accounting contract and +can also lead to a NULL dereference on the next skb_put_u8(). + +Allocate the receive skb lazily before consuming the next byte instead. +If allocation fails, return the number of bytes already accepted. + +Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface") +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/uart.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c +index 9c09c10c2a464..4ee481bd7e965 100644 +--- a/drivers/nfc/s3fwrn5/uart.c ++++ b/drivers/nfc/s3fwrn5/uart.c +@@ -58,6 +58,12 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev, + size_t i; + + for (i = 0; i < count; i++) { ++ if (!phy->recv_skb) { ++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); ++ if (!phy->recv_skb) ++ return i; ++ } ++ + skb_put_u8(phy->recv_skb, *data++); + + if (phy->recv_skb->len < S3FWRN82_NCI_HEADER) +@@ -69,9 +75,7 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev, + + s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb, + phy->common.mode); +- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); +- if (!phy->recv_skb) +- return 0; ++ phy->recv_skb = NULL; + } + + return i; +-- +2.53.0 + diff --git a/queue-6.12/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch b/queue-6.12/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch new file mode 100644 index 0000000000..390d7b7255 --- /dev/null +++ b/queue-6.12/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch @@ -0,0 +1,57 @@ +From c7cf1c792550296a7c59d0d2879e5f017075ac66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 14:07:42 -0700 +Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info + +From: Long Li + +[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ] + +When hv_pci_assign_numa_node() processes a device that does not have +HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range +virtual_numa_node, the device NUMA node is left unset. On x86_64, +the uninitialized default happens to be 0, but on ARM64 it is +NUMA_NO_NODE (-1). + +Tests show that when no NUMA information is available from the Hyper-V +host, devices perform best when assigned to node 0. With NUMA_NO_NODE +the kernel may spread work across NUMA nodes, which degrades +performance on Hyper-V, particularly for high-throughput devices like +MANA. + +Always set the device NUMA node to 0 before the conditional NUMA +affinity check, so that devices get a performant default when the host +provides no NUMA information, and behavior is consistent on both +x86_64 and ARM64. + +Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2") +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index cdd5be16021dd..e87e54acff4b0 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -2364,6 +2364,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus) + if (!hv_dev) + continue; + ++ /* ++ * If the Hyper-V host doesn't provide a NUMA node for the ++ * device, default to node 0. With NUMA_NO_NODE the kernel ++ * may spread work across NUMA nodes, which degrades ++ * performance on Hyper-V. ++ */ ++ set_dev_node(&dev->dev, 0); ++ + if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY && + hv_dev->desc.virtual_numa_node < num_possible_nodes()) + /* +-- +2.53.0 + diff --git a/queue-6.12/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch b/queue-6.12/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch new file mode 100644 index 0000000000..867fb28bf3 --- /dev/null +++ b/queue-6.12/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch @@ -0,0 +1,47 @@ +From 7c04f1c79a469467c39e85f9e30a81f0d4ea25ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:40:48 -0700 +Subject: perf/x86/intel/uncore: Skip discovery table for offline dies + +From: Zide Chen + +[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ] + +This warning can be triggered if NUMA is disabled and the system +boots with fewer CPUs than the number of CPUs in die 0. + +WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore] + +Currently, the discovery table continues to be parsed even if all CPUs +in the associated die are offline. This can lead to an array overflow +at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may +trigger the warning above or cause other issues. + +Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables") +Reported-by: Steve Wahl +Signed-off-by: Zide Chen +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dapeng Mi +Tested-by: Steve Wahl +Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_discovery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c +index 571e44b496910..aad35190ccf64 100644 +--- a/arch/x86/events/intel/uncore_discovery.c ++++ b/arch/x86/events/intel/uncore_discovery.c +@@ -374,7 +374,7 @@ bool intel_uncore_has_discovery_tables(int *ignore) + (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP; + + die = get_device_die_id(dev); +- if (die < 0) ++ if ((die < 0) || (die >= uncore_max_dies())) + continue; + + parse_discovery_table(dev, die, bar_offset, &parsed, ignore); +-- +2.53.0 + diff --git a/queue-6.12/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch b/queue-6.12/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch new file mode 100644 index 0000000000..91c3c2b0ce --- /dev/null +++ b/queue-6.12/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch @@ -0,0 +1,35 @@ +From ffdf32a806bf489767abf7fdb1773e175cc6d263 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 18:14:04 +0100 +Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW + debouncer) + +From: Andy Shevchenko + +[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ] + +The 1kOhm pull down and hardware debouncer are features of the revision 0.92 +of the Chassis specification. Fix that in the code accordingly. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index f8abc69a39d16..5d147a3a49389 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1588,7 +1588,7 @@ int intel_pinctrl_probe(struct platform_device *pdev, + value = readl(regs + REVID); + if (value == ~0u) + return -ENODEV; +- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) { ++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) { + community->features |= PINCTRL_FEATURE_DEBOUNCE; + community->features |= PINCTRL_FEATURE_1K_PD; + } +-- +2.53.0 + diff --git a/queue-6.12/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch b/queue-6.12/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch new file mode 100644 index 0000000000..9908b0d5cb --- /dev/null +++ b/queue-6.12/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch @@ -0,0 +1,52 @@ +From 8b28f6f2d623c4f1537a2d8aed2e81f095db11f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2026 16:16:41 -0500 +Subject: platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 1a9452c428a6b76f0b797bae21daa454fccef1a2 ] + +This platform is a similar vintage of platforms that had a BIOS bug +leading to a 10s delay at resume from s0i3. + +Add a quirk for it. + +Reported-by: Imrane +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221273 +Tested-by: Imrane +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260324211647.357924-1-mario.limonciello@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c +index a6006b4ec2cc0..a3921f8106c12 100644 +--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c ++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c +@@ -197,6 +197,15 @@ static const struct dmi_system_id fwbug_list[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"), + } + }, ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=221273 */ ++ { ++ .ident = "Thinkpad L14 Gen3", ++ .driver_data = &quirk_s2idle_bug, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21C6"), ++ } ++ }, + /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */ + { + .ident = "Lenovo Yoga 6 13ALC6", +-- +2.53.0 + diff --git a/queue-6.12/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch b/queue-6.12/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch new file mode 100644 index 0000000000..1ecd056e6a --- /dev/null +++ b/queue-6.12/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch @@ -0,0 +1,45 @@ +From 6c1b424f1480f5407a9d73cb6b6c15233f215b3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:22:46 -0700 +Subject: platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP + GZ302EAC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Schwartz + +[ Upstream commit 0198d2743207d67f995cd6df89e267e1b9f5e1f1 ] + +The ASUS ROG Flow Z13-KJP GZ302EAC model uses sys_vendor name ASUS +rather than ASUSTeK COMPUTER INC., but it needs the same folio quirk as +the other ROG Flow Z13. To keep things simple, just match on sys_vendor +ASUS since it covers both. + +Signed-off-by: Matthew Schwartz +Reviewed-by: Mario Limonciello (AMD) +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20260312212246.1608080-1-matthew.schwartz@linux.dev +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-nb-wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index 1955495ea95f4..10bdb1a431819 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -547,7 +547,7 @@ static const struct dmi_system_id asus_quirks[] = { + .callback = dmi_matched, + .ident = "ASUS ROG Z13", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUS"), + DMI_MATCH(DMI_PRODUCT_NAME, "ROG Flow Z13"), + }, + .driver_data = &quirk_asus_z13, +-- +2.53.0 + diff --git a/queue-6.12/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch b/queue-6.12/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch new file mode 100644 index 0000000000..83a3b653f6 --- /dev/null +++ b/queue-6.12/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch @@ -0,0 +1,44 @@ +From 01acaa5e2e0eeb324e1f4e2023313be706d4f942 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 15:27:43 +0000 +Subject: RDMA/irdma: Fix double free related to rereg_user_mr + +From: Jacob Moroni + +[ Upstream commit 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 ] + +If IB_MR_REREG_TRANS is set during rereg_user_mr, the +umem will be released and a new one will be allocated +in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans +fails after the new umem is allocated, it releases the umem, +but does not set iwmr->region to NULL. The problem is that +this failure is propagated to the user, who will then call +ibv_dereg_mr (as they should). Then, the dereg_mr path will +see a non-NULL umem and attempt to call ib_umem_release again. + +Fix this by setting iwmr->region to NULL after ib_umem_release. + +Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region") +Signed-off-by: Jacob Moroni +Link: https://patch.msgid.link/20260227152743.1183388-1-jmoroni@google.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 1f267dea6460e..0b9cf175ed73b 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -3210,6 +3210,7 @@ static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len, + + err: + ib_umem_release(region); ++ iwmr->region = NULL; + return err; + } + +-- +2.53.0 + diff --git a/queue-6.12/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch b/queue-6.12/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch new file mode 100644 index 0000000000..9fe3a258bc --- /dev/null +++ b/queue-6.12/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch @@ -0,0 +1,51 @@ +From b97ef761d8d543a392f0a6b782f294bcba2326b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 12:22:44 +0200 +Subject: sched/deadline: Use revised wakeup rule for dl_server + +From: Peter Zijlstra + +[ Upstream commit 14a857056466be9d3d907a94e92a704ac1be149b ] + +John noted that commit 115135422562 ("sched/deadline: Fix 'stuck' dl_server") +unfixed the issue from commit a3a70caf7906 ("sched/deadline: Fix dl_server +behaviour"). + +The issue in commit 115135422562 was for wakeups of the server after the +deadline; in which case you *have* to start a new period. The case for +a3a70caf7906 is wakeups before the deadline. + +Now, because the server is effectively running a least-laxity policy, it means +that any wakeup during the runnable phase means dl_entity_overflow() will be +true. This means we need to adjust the runtime to allow it to still run until +the existing deadline expires. + +Use the revised wakeup rule for dl_defer entities. + +Fixes: 115135422562 ("sched/deadline: Fix 'stuck' dl_server") +Reported-by: John Stultz +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Juri Lelli +Tested-by: John Stultz +Link: https://patch.msgid.link/20260404102244.GB22575@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 8acdd97538546..1ef891f8e3f2f 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1079,7 +1079,7 @@ static void update_dl_entity(struct sched_dl_entity *dl_se) + if (dl_time_before(dl_se->deadline, rq_clock(rq)) || + dl_entity_overflow(dl_se, rq_clock(rq))) { + +- if (unlikely(!dl_is_implicit(dl_se) && ++ if (unlikely((!dl_is_implicit(dl_se) || dl_se->dl_defer) && + !dl_time_before(dl_se->deadline, rq_clock(rq)) && + !is_dl_boosted(dl_se))) { + update_dl_revised_wakeup(dl_se, rq); +-- +2.53.0 + diff --git a/queue-6.12/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch b/queue-6.12/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch new file mode 100644 index 0000000000..a4e46af561 --- /dev/null +++ b/queue-6.12/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch @@ -0,0 +1,45 @@ +From 87cd701c21dca17e347b386181e869e72c2fdf80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 22:29:19 +0100 +Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check + +From: Daniel Golle + +[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ] + +The querier-interval test adds h1 (currently a slave of the VRF created +by simple_if_init) to a temporary bridge br1 acting as an outside IGMP +querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev() +on every slave add and remove, toggling the interface admin-down then up. +Phylink takes the PHY down during the admin-down half of that cycle. +Since h1 and swp1 are cable-connected, swp1 also loses its link may need +several seconds to re-negotiate. + +Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the +test can rely on the link being back up at this point. + +Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests") +Signed-off-by: Daniel Golle +Reviewed-by: Alexander Sverdlin +Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +index 72dfbeaf56b92..e8031f68200ad 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +@@ -414,6 +414,7 @@ vlmc_querier_intvl_test() + bridge vlan add vid 10 dev br1 self pvid untagged + ip link set dev $h1 master br1 + ip link set dev br1 up ++ setup_wait_dev $h1 0 + bridge vlan add vid 10 dev $h1 master + bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1 + sleep 2 +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..e507095046 --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,85 @@ +rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch +asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch +alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch +alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch +media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch +alsa-asihpi-avoid-write-overflow-check-warning.patch +bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch +asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch +asoc-sof-topology-reject-invalid-vendor-array-size-i.patch +can-mcp251x-add-error-handling-for-power-enable-in-o.patch +platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch +btrfs-tracepoints-get-correct-superblock-from-dentry.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch +srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch +netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch +alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch +wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch +asoc-soc-core-call-missing-init_list_head-for-card_a.patch +alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch +alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch +fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch +asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch +pinctrl-intel-fix-the-revision-for-new-features-1koh.patch +platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch +hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-5945 +hid-roccat-fix-use-after-free-in-roccat_report_event.patch +ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch +wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch +asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch +soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch +arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch +arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch +arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch +arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch +soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch +tools-power-turbostat-fix-microcode-patch-level-outp.patch +pci-hv-set-default-numa-node-to-0-for-devices-withou.patch +hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch +xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch +drm-vc4-release-runtime-pm-reference-after-binding-v.patch +drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch +drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch +drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch +eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch +net-sched-act_csum-validate-nested-vlan-headers.patch +net-lapbether-handle-netdev_pre_type_change.patch +ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch +ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch +ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch +net-increase-ip_tunnel_recursion_limit-to-5.patch +nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch +net-stmmac-fix-ptp-ref-clock-for-tegra234.patch +dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch +tracing-probe-reject-non-closed-empty-immediate-stri.patch +ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch +e1000-check-return-value-of-e1000_read_eeprom.patch +xsk-tighten-umem-headroom-validation-to-account-for-.patch +xsk-respect-tailroom-for-zc-setups.patch +xsk-fix-xdp_umem_sg_flag-issues.patch +xsk-validate-mtu-against-usable-frame-size-on-bind.patch +xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch +xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch +xfrm_user-fix-info-leak-in-build_mapping.patch +selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch +ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch +netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch +netfilter-xt_multiport-validate-range-encoding-in-ch.patch +netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch +netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch +netfilter-nfnetlink_queue-make-hash-table-per-queue.patch +net-txgbe-leave-space-for-null-terminators-on-proper.patch +af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch +net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch +net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch +l2tp-drop-large-packets-with-udp-encap.patch +gpio-tegra-fix-irq_release_resources-calling-enable-.patch +crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch +perf-x86-intel-uncore-skip-discovery-table-for-offli.patch +sched-deadline-use-revised-wakeup-rule-for-dl_server.patch +clockevents-prevent-timer-interrupt-starvation.patch +crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch diff --git a/queue-6.12/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch b/queue-6.12/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch new file mode 100644 index 0000000000..61f35cfbbe --- /dev/null +++ b/queue-6.12/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch @@ -0,0 +1,46 @@ +From 6bfe47b12319df64f77d1a8b0887c66dd2cd3199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:37:56 +0800 +Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching + +From: Potin Lai + +[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ] + +The siliconid_to_name() function currently masks the input silicon ID +with 0xff00ffff, but compares it against unmasked table entries. This +causes matching to fail if the table entries contain non-zero values in +the bits covered by the mask (bits 16-23). + +Update the logic to apply the 0xff00ffff mask to the table entries +during comparison. This ensures that only the relevant model and +revision bits are considered, providing a consistent match across +different manufacturing batches. + +[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference] + +Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver") +Signed-off-by: Potin Lai +Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-socinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c +index 67e9ac3d08ecc..a90b100f4d101 100644 +--- a/drivers/soc/aspeed/aspeed-socinfo.c ++++ b/drivers/soc/aspeed/aspeed-socinfo.c +@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid) + unsigned int i; + + for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) { +- if (rev_table[i].id == id) ++ if ((rev_table[i].id & 0xff00ffff) == id) + return rev_table[i].name; + } + +-- +2.53.0 + diff --git a/queue-6.12/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch b/queue-6.12/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch new file mode 100644 index 0000000000..7ea607caf9 --- /dev/null +++ b/queue-6.12/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch @@ -0,0 +1,71 @@ +From 072b856a00bd7eb44ba3dd98cfcafb750eeeea57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:53:20 +0530 +Subject: soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei + +From: Mukesh Ojha + +[ Upstream commit 641f6fda143b879da1515f821ee475073678cf2a ] + +It looks element length declared in servreg_loc_pfr_req_ei for reason +not matching servreg_loc_pfr_req's reason field due which we could +observe decoding error on PD crash. + + qmi_decode_string_elem: String len 81 >= Max Len 65 + +Fix this by matching with servreg_loc_pfr_req's reason field. + +Fixes: 1ebcde047c54 ("soc: qcom: add pd-mapper implementation") +Signed-off-by: Mukesh Ojha +Reviewed-by: Dmitry Baryshkov +Tested-by: Nikita Travkin +Link: https://lore.kernel.org/r/20260129152320.3658053-2-mukesh.ojha@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/pdr_internal.h | 2 +- + drivers/soc/qcom/qcom_pdr_msg.c | 2 +- + include/linux/soc/qcom/pdr.h | 1 + + 3 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/qcom/pdr_internal.h b/drivers/soc/qcom/pdr_internal.h +index 8d17f7fb79e78..f5499663e5887 100644 +--- a/drivers/soc/qcom/pdr_internal.h ++++ b/drivers/soc/qcom/pdr_internal.h +@@ -84,7 +84,7 @@ struct servreg_set_ack_resp { + + struct servreg_loc_pfr_req { + char service[SERVREG_NAME_LENGTH + 1]; +- char reason[257]; ++ char reason[SERVREG_PFR_LENGTH + 1]; + }; + + struct servreg_loc_pfr_resp { +diff --git a/drivers/soc/qcom/qcom_pdr_msg.c b/drivers/soc/qcom/qcom_pdr_msg.c +index bf3e4a47165e3..6e65f1e9f5ec9 100644 +--- a/drivers/soc/qcom/qcom_pdr_msg.c ++++ b/drivers/soc/qcom/qcom_pdr_msg.c +@@ -326,7 +326,7 @@ const struct qmi_elem_info servreg_loc_pfr_req_ei[] = { + }, + { + .data_type = QMI_STRING, +- .elem_len = SERVREG_NAME_LENGTH + 1, ++ .elem_len = SERVREG_PFR_LENGTH + 1, + .elem_size = sizeof(char), + .array_type = VAR_LEN_ARRAY, + .tlv_type = 0x02, +diff --git a/include/linux/soc/qcom/pdr.h b/include/linux/soc/qcom/pdr.h +index 83a8ea612e69a..2b7691e47c2a9 100644 +--- a/include/linux/soc/qcom/pdr.h ++++ b/include/linux/soc/qcom/pdr.h +@@ -5,6 +5,7 @@ + #include + + #define SERVREG_NAME_LENGTH 64 ++#define SERVREG_PFR_LENGTH 256 + + struct pdr_service; + struct pdr_handle; +-- +2.53.0 + diff --git a/queue-6.12/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch b/queue-6.12/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch new file mode 100644 index 0000000000..2be7d35288 --- /dev/null +++ b/queue-6.12/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch @@ -0,0 +1,134 @@ +From a5f2a6e457ca8fe205976269d9d835b398a03f94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 20:14:18 -0400 +Subject: srcu: Use irq_work to start GP in tiny SRCU + +From: Joel Fernandes + +[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ] + +Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), +which acquires the workqueue pool->lock. + +This causes a lockdep splat when call_srcu() is called with a scheduler +lock held, due to: + + call_srcu() [holding pi_lock] + srcu_gp_start_if_needed() + schedule_work() -> pool->lock + + workqueue_init() / create_worker() [holding pool->lock] + wake_up_process() -> try_to_wake_up() -> pi_lock + +Also add irq_work_sync() to cleanup_srcu_struct() to prevent a +use-after-free if a queued irq_work fires after cleanup begins. + +Tested with rcutorture SRCU-T and no lockdep warnings. + +[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work +to start process_srcu()" ] + +Signed-off-by: Joel Fernandes +Reviewed-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + include/linux/srcutiny.h | 4 ++++ + kernel/rcu/srcutiny.c | 19 ++++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h +index 4d96bbdb45f08..6f39d3d8ef879 100644 +--- a/include/linux/srcutiny.h ++++ b/include/linux/srcutiny.h +@@ -11,6 +11,7 @@ + #ifndef _LINUX_SRCU_TINY_H + #define _LINUX_SRCU_TINY_H + ++#include + #include + + struct srcu_struct { +@@ -24,18 +25,21 @@ struct srcu_struct { + struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */ + struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */ + struct work_struct srcu_work; /* For driving grace periods. */ ++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */ + #ifdef CONFIG_DEBUG_LOCK_ALLOC + struct lockdep_map dep_map; + #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */ + }; + + void srcu_drive_gp(struct work_struct *wp); ++void srcu_tiny_irq_work(struct irq_work *irq_work); + + #define __SRCU_STRUCT_INIT(name, __ignored, ___ignored) \ + { \ + .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \ + .srcu_cb_tail = &name.srcu_cb_head, \ + .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \ ++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \ + __SRCU_DEP_MAP_INIT(name) \ + } + +diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c +index 4dcbf8aa80ff7..ddea40b68e5f6 100644 +--- a/kernel/rcu/srcutiny.c ++++ b/kernel/rcu/srcutiny.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp) + ssp->srcu_idx_max = 0; + INIT_WORK(&ssp->srcu_work, srcu_drive_gp); + INIT_LIST_HEAD(&ssp->srcu_work.entry); ++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work); + return 0; + } + +@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct); + void cleanup_srcu_struct(struct srcu_struct *ssp) + { + WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]); ++ irq_work_sync(&ssp->srcu_irq_work); + flush_work(&ssp->srcu_work); + WARN_ON(ssp->srcu_gp_running); + WARN_ON(ssp->srcu_gp_waiting); +@@ -168,6 +171,20 @@ void srcu_drive_gp(struct work_struct *wp) + } + EXPORT_SYMBOL_GPL(srcu_drive_gp); + ++/* ++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue ++ * pool->lock while the caller might hold scheduler locks, causing lockdep ++ * splats due to workqueue_init() doing a wakeup. ++ */ ++void srcu_tiny_irq_work(struct irq_work *irq_work) ++{ ++ struct srcu_struct *ssp; ++ ++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work); ++ schedule_work(&ssp->srcu_work); ++} ++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work); ++ + static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + { + unsigned long cookie; +@@ -181,7 +198,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + WRITE_ONCE(ssp->srcu_idx_max, cookie); + if (!READ_ONCE(ssp->srcu_gp_running)) { + if (likely(srcu_init_done)) +- schedule_work(&ssp->srcu_work); ++ irq_work_queue(&ssp->srcu_irq_work); + else if (list_empty(&ssp->srcu_work.entry)) + list_add(&ssp->srcu_work.entry, &srcu_boot_list); + } +-- +2.53.0 + diff --git a/queue-6.12/tools-power-turbostat-fix-microcode-patch-level-outp.patch b/queue-6.12/tools-power-turbostat-fix-microcode-patch-level-outp.patch new file mode 100644 index 0000000000..490a744259 --- /dev/null +++ b/queue-6.12/tools-power-turbostat-fix-microcode-patch-level-outp.patch @@ -0,0 +1,58 @@ +From feedb06ba6fa11416fa6dc46adc398b9439a5801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:16:03 -0500 +Subject: tools/power/turbostat: Fix microcode patch level output for AMD/Hygon + +From: Serhii Pievniev + +[ Upstream commit a444083286434ec1fd127c5da11a3091e6013008 ] + +turbostat always used the same logic to read the microcode patch level, +which is correct for Intel but not for AMD/Hygon. +While Intel stores the patch level in the upper 32 bits of MSR, AMD +stores it in the lower 32 bits, which causes turbostat to report the +microcode version as 0x0 on AMD/Hygon. + +Fix by shifting right by 32 for non-AMD/Hygon, preserving the existing +behavior for Intel and unknown vendors. + +Fixes: 3e4048466c39 ("tools/power turbostat: Add --no-msr option") +Signed-off-by: Serhii Pievniev +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 86ffe7e06a146..fb1c65f6ff9de 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -8058,10 +8058,13 @@ void process_cpuid() + edx_flags = edx; + + if (!no_msr) { +- if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) ++ if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) { + warnx("get_msr(UCODE)"); +- else ++ } else { + ucode_patch_valid = true; ++ if (!authentic_amd && !hygon_genuine) ++ ucode_patch >>= 32; ++ } + } + + /* +@@ -8076,7 +8079,7 @@ void process_cpuid() + fprintf(outf, "CPUID(1): family:model:stepping 0x%x:%x:%x (%d:%d:%d)", + family, model, stepping, family, model, stepping); + if (ucode_patch_valid) +- fprintf(outf, " microcode 0x%x", (unsigned int)((ucode_patch >> 32) & 0xFFFFFFFF)); ++ fprintf(outf, " microcode 0x%x", (unsigned int)ucode_patch); + fputc('\n', outf); + + fprintf(outf, "CPUID(0x80000000): max_extended_levels: 0x%x\n", max_extended_level); +-- +2.53.0 + diff --git a/queue-6.12/tracing-probe-reject-non-closed-empty-immediate-stri.patch b/queue-6.12/tracing-probe-reject-non-closed-empty-immediate-stri.patch new file mode 100644 index 0000000000..ec2a3de0fe --- /dev/null +++ b/queue-6.12/tracing-probe-reject-non-closed-empty-immediate-stri.patch @@ -0,0 +1,43 @@ +From 27c53eb9c2f574425c43f5bd55c0a648de8db3d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 00:03:15 +0800 +Subject: tracing/probe: reject non-closed empty immediate strings + +From: Pengpeng Hou + +[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ] + +parse_probe_arg() accepts quoted immediate strings and passes the body +after the opening quote to __parse_imm_string(). That helper currently +computes strlen(str) and immediately dereferences str[len - 1], which +underflows when the body is empty and not closed with double-quotation. + +Reject empty non-closed immediate strings before checking for the closing quote. + +Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/ + +Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support") +Signed-off-by: Pengpeng Hou +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 055f5164bd96f..1b937923d118b 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -1040,7 +1040,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs) + { + size_t len = strlen(str); + +- if (str[len - 1] != '"') { ++ if (!len || str[len - 1] != '"') { + trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE); + return -EINVAL; + } +-- +2.53.0 + diff --git a/queue-6.12/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch b/queue-6.12/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch new file mode 100644 index 0000000000..8257121514 --- /dev/null +++ b/queue-6.12/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch @@ -0,0 +1,45 @@ +From 77ba8a7d10526752d6d123aaf9be517982c7ef2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 15:45:51 +0800 +Subject: wifi: brcmfmac: validate bsscfg indices in IF events + +From: Pengpeng Hou + +[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ] + +brcmf_fweh_handle_if_event() validates the firmware-provided interface +index before it touches drvr->iflist[], but it still uses the raw +bsscfgidx field as an array index without a matching range check. + +Reject IF events whose bsscfg index does not fit in drvr->iflist[] +before indexing the interface array. + +Signed-off-by: Pengpeng Hou +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn +[add missing wifi prefix] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index f0b6a7607f160..0e44615964669 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -152,6 +152,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr, + bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx); + return; + } ++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) { ++ bphy_err(drvr, "invalid bsscfg index: %u\n", ++ ifevent->bsscfgidx); ++ return; ++ } + + ifp = drvr->iflist[ifevent->bsscfgidx]; + +-- +2.53.0 + diff --git a/queue-6.12/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch b/queue-6.12/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch new file mode 100644 index 0000000000..d4c33203e1 --- /dev/null +++ b/queue-6.12/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch @@ -0,0 +1,51 @@ +From 7c766f48d0299e80efec9ca07d6f6025118b37d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:08:45 +0800 +Subject: wifi: wl1251: validate packet IDs before indexing tx_frames + +From: Pengpeng Hou + +[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ] + +wl1251_tx_packet_cb() uses the firmware completion ID directly to index +the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the +completion block, and the callback does not currently verify that it +fits the array before dereferencing it. + +Reject completion IDs that fall outside wl->tx_frames[] and keep the +existing NULL check in the same guard. This keeps the fix local to the +trust boundary and avoids touching the rest of the completion flow. + +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c +index adb4840b04893..c264d83e71d9c 100644 +--- a/drivers/net/wireless/ti/wl1251/tx.c ++++ b/drivers/net/wireless/ti/wl1251/tx.c +@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl, + int hdrlen; + u8 *frame; + +- skb = wl->tx_frames[result->id]; +- if (skb == NULL) { +- wl1251_error("SKB for packet %d is NULL", result->id); ++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) || ++ wl->tx_frames[result->id] == NULL)) { ++ wl1251_error("invalid packet id %u", result->id); + return; + } + ++ skb = wl->tx_frames[result->id]; ++ + info = IEEE80211_SKB_CB(skb); + + if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) && +-- +2.53.0 + diff --git a/queue-6.12/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch b/queue-6.12/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch new file mode 100644 index 0000000000..899a56607b --- /dev/null +++ b/queue-6.12/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch @@ -0,0 +1,61 @@ +From 4492f9bdfc073c091a4b9fa88c1ff60123f46626 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2026 20:36:39 +0800 +Subject: xfrm: account XFRMA_IF_ID in aevent size calculation + +From: Keenan Dong + +[ Upstream commit 7081d46d32312f1a31f0e0e99c6835a394037599 ] + +xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then +build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is +set. + +xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states +with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) +in xfrm_get_ae(), turning a malformed netlink interaction into a kernel +panic. + +Account XFRMA_IF_ID in the size calculation unconditionally and replace +the BUG_ON with normal error unwinding. + +Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.") +Reported-by: Keenan Dong +Signed-off-by: Keenan Dong +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 6aed7ae900130..9516655e92f19 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -2601,7 +2601,8 @@ static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x) + + nla_total_size(4) /* XFRM_AE_RTHR */ + + nla_total_size(4) /* XFRM_AE_ETHR */ + + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */ +- + nla_total_size(4); /* XFRMA_SA_PCPU */ ++ + nla_total_size(4) /* XFRMA_SA_PCPU */ ++ + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */ + } + + static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) +@@ -2713,7 +2714,12 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, + c.portid = nlh->nlmsg_pid; + + err = build_aevent(r_skb, x, &c); +- BUG_ON(err < 0); ++ if (err < 0) { ++ spin_unlock_bh(&x->lock); ++ xfrm_state_put(x); ++ kfree_skb(r_skb); ++ return err; ++ } + + err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid); + spin_unlock_bh(&x->lock); +-- +2.53.0 + diff --git a/queue-6.12/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch b/queue-6.12/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch new file mode 100644 index 0000000000..215706511e --- /dev/null +++ b/queue-6.12/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch @@ -0,0 +1,52 @@ +From 1720bcc7e3f03267a28799a1d760ea80d2974d25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 12:05:20 +0300 +Subject: xfrm: fix refcount leak in xfrm_migrate_policy_find + +From: Kotlyarov Mihail + +[ Upstream commit 83317cce60a032c49480dcdabe146435bd689d03 ] + +syzkaller reported a memory leak in xfrm_policy_alloc: + + BUG: memory leak + unreferenced object 0xffff888114d79000 (size 1024): + comm "syz.1.17", pid 931 + ... + xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432 + +The root cause is a double call to xfrm_pol_hold_rcu() in +xfrm_migrate_policy_find(). The lookup function already returns +a policy with held reference, making the second call redundant. + +Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount +imbalance and prevent the memory leak. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 563d5ca93e88 ("xfrm: switch migrate to xfrm_policy_lookup_bytype") +Signed-off-by: Kotlyarov Mihail +Reviewed-by: Florian Westphal +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 5fa648a5abe96..fca07f8e60749 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4516,9 +4516,6 @@ static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector * + pol = xfrm_policy_lookup_bytype(net, type, &fl, sel->family, dir, if_id); + if (IS_ERR_OR_NULL(pol)) + goto out_unlock; +- +- if (!xfrm_pol_hold_rcu(pol)) +- pol = NULL; + out_unlock: + rcu_read_unlock(); + return pol; +-- +2.53.0 + diff --git a/queue-6.12/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch b/queue-6.12/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch new file mode 100644 index 0000000000..169a175116 --- /dev/null +++ b/queue-6.12/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch @@ -0,0 +1,43 @@ +From 4f1b431c0d202fd57fdc675540f55cbb548ee62e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 13:31:04 +0200 +Subject: xfrm: Wait for RCU readers during policy netns exit + +From: Steffen Klassert + +[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ] + +xfrm_policy_fini() frees the policy_bydst hash tables after flushing the +policy work items and deleting all policies, but it does not wait for +concurrent RCU readers to leave their read-side critical sections first. + +The policy_bydst tables are published via rcu_assign_pointer() and are +looked up through rcu_dereference_check(), so netns teardown must also +wait for an RCU grace period before freeing the table memory. + +Fix this by adding synchronize_rcu() before freeing the policy hash tables. + +Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups") +Signed-off-by: Steffen Klassert +Reviewed-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index f4713ab7996f2..5fa648a5abe96 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4278,6 +4278,8 @@ static void xfrm_policy_fini(struct net *net) + #endif + xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); + ++ synchronize_rcu(); ++ + WARN_ON(!list_empty(&net->xfrm.policy_all)); + + for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { +-- +2.53.0 + diff --git a/queue-6.12/xfrm_user-fix-info-leak-in-build_mapping.patch b/queue-6.12/xfrm_user-fix-info-leak-in-build_mapping.patch new file mode 100644 index 0000000000..03909ad691 --- /dev/null +++ b/queue-6.12/xfrm_user-fix-info-leak-in-build_mapping.patch @@ -0,0 +1,45 @@ +From 300dd8c40477ada8a0b80d03a3a890f8bae2e45e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 17:33:03 +0200 +Subject: xfrm_user: fix info leak in build_mapping() + +From: Greg Kroah-Hartman + +[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ] + +struct xfrm_usersa_id has a one-byte padding hole after the proto +field, which ends up never getting set to zero before copying out to +userspace. Fix that up by zeroing out the whole structure before +setting individual variables. + +Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink") +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 9516655e92f19..c00c33c39f20c 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -4062,6 +4062,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, + + um = nlmsg_data(nlh); + ++ memset(&um->id, 0, sizeof(um->id)); + memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); + um->id.spi = x->id.spi; + um->id.family = x->props.family; +-- +2.53.0 + diff --git a/queue-6.12/xsk-fix-xdp_umem_sg_flag-issues.patch b/queue-6.12/xsk-fix-xdp_umem_sg_flag-issues.patch new file mode 100644 index 0000000000..772a4e7474 --- /dev/null +++ b/queue-6.12/xsk-fix-xdp_umem_sg_flag-issues.patch @@ -0,0 +1,62 @@ +From 4acc23285a0156590944fa692cab1816d1914e19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:53 +0200 +Subject: xsk: fix XDP_UMEM_SG_FLAG issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 93e84fe45b752d17a5a46b306ed78f0133bbc719 ] + +Currently xp_assign_dev_shared() is missing XDP_USE_SG being propagated +to flags so set it in order to preserve mtu check that is supposed to be +done only when no multi-buffer setup is in picture. + +Also, this flag has the same value as XDP_UMEM_TX_SW_CSUM so we could +get unexpected SG setups for software Tx checksums. Since csum flag is +UAPI, modify value of XDP_UMEM_SG_FLAG. + +Fixes: d609f3d228a8 ("xsk: add multi-buffer support for sockets sharing umem") +Reviewed-by: Björn Töpel +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-4-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/xdp_sock.h | 2 +- + net/xdp/xsk_buff_pool.c | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h +index df3f5f07bc7c2..98491d774d826 100644 +--- a/include/net/xdp_sock.h ++++ b/include/net/xdp_sock.h +@@ -14,7 +14,7 @@ + #include + #include + +-#define XDP_UMEM_SG_FLAG (1 << 1) ++#define XDP_UMEM_SG_FLAG BIT(3) + + struct net_device; + struct xsk_queue; +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 9db08365fcb00..a9d8aa83f8000 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -255,6 +255,10 @@ int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs, + return -EINVAL; + + flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY; ++ ++ if (umem->flags & XDP_UMEM_SG_FLAG) ++ flags |= XDP_USE_SG; ++ + if (umem_xs->pool->uses_need_wakeup) + flags |= XDP_USE_NEED_WAKEUP; + +-- +2.53.0 + diff --git a/queue-6.12/xsk-respect-tailroom-for-zc-setups.patch b/queue-6.12/xsk-respect-tailroom-for-zc-setups.patch new file mode 100644 index 0000000000..ed53228c13 --- /dev/null +++ b/queue-6.12/xsk-respect-tailroom-for-zc-setups.patch @@ -0,0 +1,123 @@ +From 582408a91c38d360f86de8b5308f8321fba90479 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:52 +0200 +Subject: xsk: respect tailroom for ZC setups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 1ee1605138fc94cc8f8f273321dd2471c64977f9 ] + +Multi-buffer XDP stores information about frags in skb_shared_info that +sits at the tailroom of a packet. The storage space is reserved via +xdp_data_hard_end(): + + ((xdp)->data_hard_start + (xdp)->frame_sz - \ + SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) + +and then we refer to it via macro below: + +static inline struct skb_shared_info * +xdp_get_shared_info_from_buff(const struct xdp_buff *xdp) +{ + return (struct skb_shared_info *)xdp_data_hard_end(xdp); +} + +Currently we do not respect this tailroom space in multi-buffer AF_XDP +ZC scenario. To address this, introduce xsk_pool_get_tailroom() and use +it within xsk_pool_get_rx_frame_size() which is used in ZC drivers to +configure length of HW Rx buffer. + +Typically drivers on Rx Hw buffers side work on 128 byte alignment so +let us align the value returned by xsk_pool_get_rx_frame_size() in order +to avoid addressing this on driver's side. This addresses the fact that +idpf uses mentioned function *before* pool->dev being set so we were at +risk that after subtracting tailroom we would not provide 128-byte +aligned value to HW. + +Since xsk_pool_get_rx_frame_size() is actively used in xsk_rcv_check() +and __xsk_rcv(), add a variant of this routine that will not include 128 +byte alignment and therefore old behavior is preserved. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-3-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/xdp_sock_drv.h | 23 ++++++++++++++++++++++- + net/xdp/xsk.c | 4 ++-- + 2 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h +index 997e28dd38963..075bc09046463 100644 +--- a/include/net/xdp_sock_drv.h ++++ b/include/net/xdp_sock_drv.h +@@ -37,16 +37,37 @@ static inline u32 xsk_pool_get_headroom(struct xsk_buff_pool *pool) + return XDP_PACKET_HEADROOM + pool->headroom; + } + ++static inline u32 xsk_pool_get_tailroom(bool mbuf) ++{ ++ return mbuf ? SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) : 0; ++} ++ + static inline u32 xsk_pool_get_chunk_size(struct xsk_buff_pool *pool) + { + return pool->chunk_size; + } + +-static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) ++static inline u32 __xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) + { + return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool); + } + ++static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) ++{ ++ u32 frame_size = __xsk_pool_get_rx_frame_size(pool); ++ struct xdp_umem *umem = pool->umem; ++ bool mbuf; ++ ++ /* Reserve tailroom only for zero-copy pools that opted into ++ * multi-buffer. The reserved area is used for skb_shared_info, ++ * matching the XDP core's xdp_data_hard_end() layout. ++ */ ++ mbuf = pool->dev && (umem->flags & XDP_UMEM_SG_FLAG); ++ frame_size -= xsk_pool_get_tailroom(mbuf); ++ ++ return ALIGN_DOWN(frame_size, 128); ++} ++ + static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool) + { + return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool); +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index ed1aeaded9be7..da7e11e3bfad2 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -231,7 +231,7 @@ static u32 xsk_copy_xdp(void *to, void **from, u32 to_len, + + static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) + { +- u32 frame_size = xsk_pool_get_rx_frame_size(xs->pool); ++ u32 frame_size = __xsk_pool_get_rx_frame_size(xs->pool); + void *copy_from = xsk_copy_xdp_start(xdp), *copy_to; + u32 from_len, meta_len, rem, num_desc; + struct xdp_buff_xsk *xskb; +@@ -323,7 +323,7 @@ static int xsk_rcv_check(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) + if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) + return -EINVAL; + +- if (len > xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) { ++ if (len > __xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) { + xs->rx_dropped++; + return -ENOSPC; + } +-- +2.53.0 + diff --git a/queue-6.12/xsk-tighten-umem-headroom-validation-to-account-for-.patch b/queue-6.12/xsk-tighten-umem-headroom-validation-to-account-for-.patch new file mode 100644 index 0000000000..ff6a1a9dad --- /dev/null +++ b/queue-6.12/xsk-tighten-umem-headroom-validation-to-account-for-.patch @@ -0,0 +1,53 @@ +From 9ab9f9f12a971916fc2a6df5824cad1c932bfc09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:51 +0200 +Subject: xsk: tighten UMEM headroom validation to account for tailroom and min + frame +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ] + +The current headroom validation in xdp_umem_reg() could leave us with +insufficient space dedicated to even receive minimum-sized ethernet +frame. Furthermore if multi-buffer would come to play then +skb_shared_info stored at the end of XSK frame would be corrupted. + +HW typically works with 128-aligned sizes so let us provide this value +as bare minimum. + +Multi-buffer setting is known later in the configuration process so +besides accounting for 128 bytes, let us also take care of tailroom space +upfront. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 9f76ca591d54f..9ec7bd948acc7 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -202,7 +202,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (!unaligned_chunks && chunks_rem) + return -EINVAL; + +- if (headroom >= chunk_size - XDP_PACKET_HEADROOM) ++ if (headroom > chunk_size - XDP_PACKET_HEADROOM - ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128) + return -EINVAL; + + if (mr->flags & XDP_UMEM_TX_METADATA_LEN) { +-- +2.53.0 + diff --git a/queue-6.12/xsk-validate-mtu-against-usable-frame-size-on-bind.patch b/queue-6.12/xsk-validate-mtu-against-usable-frame-size-on-bind.patch new file mode 100644 index 0000000000..4943e25dfb --- /dev/null +++ b/queue-6.12/xsk-validate-mtu-against-usable-frame-size-on-bind.patch @@ -0,0 +1,99 @@ +From 02f86df8900c5858454003a0883f1168d8e4c05f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:54 +0200 +Subject: xsk: validate MTU against usable frame size on bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 36ee60b569ba0dfb6f961333b90d19ab5b323fa9 ] + +AF_XDP bind currently accepts zero-copy pool configurations without +verifying that the device MTU fits into the usable frame space provided +by the UMEM chunk. + +This becomes a problem since we started to respect tailroom which is +subtracted from chunk_size (among with headroom). 2k chunk size might +not provide enough space for standard 1500 MTU, so let us catch such +settings at bind time. Furthermore, validate whether underlying HW will +be able to satisfy configured MTU wrt XSK's frame size multiplied by +supported Rx buffer chain length (that is exposed via +net_device::xdp_zc_max_segs). + +Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX") +Reviewed-by: Björn Töpel +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-5-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_buff_pool.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index a9d8aa83f8000..04fe499f76782 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -8,6 +8,8 @@ + #include "xdp_umem.h" + #include "xsk.h" + ++#define ETH_PAD_LEN (ETH_HLEN + 2 * VLAN_HLEN + ETH_FCS_LEN) ++ + void xp_add_xsk(struct xsk_buff_pool *pool, struct xdp_sock *xs) + { + unsigned long flags; +@@ -163,8 +165,12 @@ static void xp_disable_drv_zc(struct xsk_buff_pool *pool) + int xp_assign_dev(struct xsk_buff_pool *pool, + struct net_device *netdev, u16 queue_id, u16 flags) + { ++ u32 needed = netdev->mtu + ETH_PAD_LEN; ++ u32 segs = netdev->xdp_zc_max_segs; ++ bool mbuf = flags & XDP_USE_SG; + bool force_zc, force_copy; + struct netdev_bpf bpf; ++ u32 frame_size; + int err = 0; + + ASSERT_RTNL(); +@@ -184,7 +190,7 @@ int xp_assign_dev(struct xsk_buff_pool *pool, + if (err) + return err; + +- if (flags & XDP_USE_SG) ++ if (mbuf) + pool->umem->flags |= XDP_UMEM_SG_FLAG; + + if (flags & XDP_USE_NEED_WAKEUP) +@@ -206,8 +212,24 @@ int xp_assign_dev(struct xsk_buff_pool *pool, + goto err_unreg_pool; + } + +- if (netdev->xdp_zc_max_segs == 1 && (flags & XDP_USE_SG)) { +- err = -EOPNOTSUPP; ++ if (mbuf) { ++ if (segs == 1) { ++ err = -EOPNOTSUPP; ++ goto err_unreg_pool; ++ } ++ } else { ++ segs = 1; ++ } ++ ++ /* open-code xsk_pool_get_rx_frame_size() as pool->dev is not ++ * set yet at this point; we are before getting down to driver ++ */ ++ frame_size = __xsk_pool_get_rx_frame_size(pool) - ++ xsk_pool_get_tailroom(mbuf); ++ frame_size = ALIGN_DOWN(frame_size, 128); ++ ++ if (needed > frame_size * segs) { ++ err = -EINVAL; + goto err_unreg_pool; + } + +-- +2.53.0 + diff --git a/queue-6.18/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch b/queue-6.18/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch new file mode 100644 index 0000000000..de29767df3 --- /dev/null +++ b/queue-6.18/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch @@ -0,0 +1,75 @@ +From 12d9c81e785f361326ff4b188955594440f9479f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 16:00:14 +0800 +Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock + +From: Jiexun Wang + +[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ] + +Exact UNIX diag lookups hold a reference to the socket, but not to +u->path. Meanwhile, unix_release_sock() clears u->path under +unix_state_lock() and drops the path reference after unlocking. + +Read the inode and device numbers for UNIX_DIAG_VFS while holding +unix_state_lock(), then emit the netlink attribute after dropping the +lock. + +This keeps the VFS data stable while the reply is being built. + +Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index ca34730261510..c9c1e51c44196 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -28,18 +28,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + + static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) + { +- struct dentry *dentry = unix_sk(sk)->path.dentry; ++ struct unix_diag_vfs uv; ++ struct dentry *dentry; ++ bool have_vfs = false; + ++ unix_state_lock(sk); ++ dentry = unix_sk(sk)->path.dentry; + if (dentry) { +- struct unix_diag_vfs uv = { +- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, +- .udiag_vfs_dev = dentry->d_sb->s_dev, +- }; +- +- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); ++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino; ++ uv.udiag_vfs_dev = dentry->d_sb->s_dev; ++ have_vfs = true; + } ++ unix_state_unlock(sk); + +- return 0; ++ if (!have_vfs) ++ return 0; ++ ++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); + } + + static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb) +-- +2.53.0 + diff --git a/queue-6.18/alsa-asihpi-avoid-write-overflow-check-warning.patch b/queue-6.18/alsa-asihpi-avoid-write-overflow-check-warning.patch new file mode 100644 index 0000000000..ab12e9d616 --- /dev/null +++ b/queue-6.18/alsa-asihpi-avoid-write-overflow-check-warning.patch @@ -0,0 +1,55 @@ +From f04ce8fa1f356b8a39da64962b55424a0ffb5a22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 13:40:07 +0100 +Subject: ALSA: asihpi: avoid write overflow check warning + +From: Arnd Bergmann + +[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ] + +clang-22 rightfully warns that the memcpy() in adapter_prepare() copies +between different structures, crossing the boundary of nested +structures inside it: + +In file included from sound/pci/asihpi/hpimsgx.c:13: +In file included from include/linux/string.h:386: +include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + 569 | __write_overflow_field(p_size_field, size); + +The two structures seem to refer to the same layout, despite the +separate definitions, so the code is in fact correct. + +Avoid the warning by copying the two inner structures separately. +I see the same pattern happens in other functions in the same file, +so there is a chance that this may come back in the future, but +this instance is the only one that I saw in practice, hitting it +multiple times per day in randconfig build. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpimsgx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c +index b68e6bfbbfbab..ed1c7b7744361 100644 +--- a/sound/pci/asihpi/hpimsgx.c ++++ b/sound/pci/asihpi/hpimsgx.c +@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter) + HPI_ADAPTER_OPEN); + hm.adapter_index = adapter; + hw_entry_point(&hm, &hr); +- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr, +- sizeof(rESP_HPI_ADAPTER_OPEN[0])); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h)); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a)); + if (hr.error) + return hr.error; + +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch b/queue-6.18/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch new file mode 100644 index 0000000000..23ddccf55d --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch @@ -0,0 +1,36 @@ +From b7e3c0f957c5ad2dd74904eba92c55b23a2c3da6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 01:08:51 +0000 +Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk + +From: Andrii Kovalchuk + +[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ] + +Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756) +to enable proper mute LED and mic mute behavior using the +ALC245_FIXUP_HP_X360_MUTE_LEDS fixup. + +Signed-off-by: Andrii Kovalchuk +Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 0654850687447..1b64292220ac8 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6732,6 +6732,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED), +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch b/queue-6.18/alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch new file mode 100644 index 0000000000..cef43f92e1 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch @@ -0,0 +1,38 @@ +From 67ee51e8abc5aa81a531daafd73e4254c7e46b5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 22:07:50 +0530 +Subject: ALSA: hda/realtek: add HP Laptop 15-fd0xxx mute LED quirk + +From: Kshamendra Kumar Mishra + +[ Upstream commit faceb5cf5d7a08f4a40335d22d833bb75f05d99e ] + +HP Laptop 15-fd0xxx with ALC236 codec does not handle the toggling of +the mute LED. +This patch adds a quirk entry for subsystem ID 0x8dd7 using +ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 fixup, enabling correct mute LED +behavior. + +Signed-off-by: Kshamendra Kumar Mishra +Link: https://patch.msgid.link/DHAB51ISUM96.2K9SZIABIDEQ0@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index c782a35f9239d..0c975005793e7 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6977,6 +6977,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8da7, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8da8, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8dd4, "HP EliteStudio 8 AIO", ALC274_FIXUP_HP_AIO_BIND_DACS), ++ SND_PCI_QUIRK(0x103c, 0x8dd7, "HP Laptop 15-fd0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8de8, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2), + SND_PCI_QUIRK(0x103c, 0x8de9, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2), + SND_PCI_QUIRK(0x103c, 0x8dec, "HP EliteBook 640 G12", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-6.18/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..d6ea783959 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch @@ -0,0 +1,45 @@ +From 8435a302b6fb251a01424c6767b23d6ce649dfa1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Mar 2026 10:36:03 -0500 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: César Montoya + +[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ] + +The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek +ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The +existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly, +but the subsystem ID was missing from the quirk table. + +GPIO pin confirmed via manual hda-verb testing: + hda-verb SET_GPIO_MASK 0x10 + hda-verb SET_GPIO_DIRECTION 0x10 + hda-verb SET_GPIO_DATA 0x10 + +Signed-off-by: César Montoya +Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 1959adb6c5189..c782a35f9239d 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6746,6 +6746,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch new file mode 100644 index 0000000000..b0c320efd8 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch @@ -0,0 +1,35 @@ +From e79bf418cd60d375877382f8e5b1a22b3e10b340 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:25:03 -0700 +Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC + +From: Matthew Schwartz + +[ Upstream commit 59f68dc1d8df3142cb58fd2568966a9bb7b0ed8a ] + +Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model, +similar to the ASUS ROG Flow Z13 GZ302EA. + +Signed-off-by: Matthew Schwartz +Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 4b06cb48252e2..1959adb6c5189 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7065,6 +7065,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x1514, "ASUS ROG Flow Z13 GZ302EAC", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC), +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch new file mode 100644 index 0000000000..e0553af1e9 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch @@ -0,0 +1,38 @@ +From e2e4b930d22053f2e81ce192e74ed775f75c835f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 10:54:40 -0500 +Subject: ALSA: hda/realtek: add quirk for Framework F111:000F + +From: Dustin L. Howett + +[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ] + +Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for +Framework F111:000C") and previous quirks for Framework systems with +Realtek codecs. + +000F is another new platform with an ALC285 which needs the same quirk. + +Signed-off-by: Dustin L. Howett +Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 0c975005793e7..e7f7b148b40e5 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7555,6 +7555,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 + /* Below is a quirk table taken from the old code. +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch new file mode 100644 index 0000000000..29e53dd15e --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch @@ -0,0 +1,38 @@ +From 1b6852fd108dc6bbfc5c95c416278b3f46cec6a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:06:24 +0800 +Subject: ALSA: hda/realtek: add quirk for Lenovo Yoga 7 2-in-1 16AKP10 + +From: Zhang Heng + +[ Upstream commit 7bae956cac0433c4d41aac9f1d04e42694e0b706 ] + +This machine is equipped with ALC287 and requires the quirk +ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN to fix the issue +where the bass speakers are not configured and the speaker +volume cannot be controlled. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221210 +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260313080624.1395362-1-zhangheng@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 1b64292220ac8..4b06cb48252e2 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7429,6 +7429,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38ab, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD), + SND_PCI_QUIRK(0x17aa, 0x38b4, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2), + HDA_CODEC_QUIRK(0x17aa, 0x391c, "Lenovo Yoga 7 2-in-1 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), ++ HDA_CODEC_QUIRK(0x17aa, 0x391d, "Lenovo Yoga 7 2-in-1 16AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x38b5, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38b6, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38b7, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2), +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch new file mode 100644 index 0000000000..ea89363c3b --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch @@ -0,0 +1,58 @@ +From 805b9d5a2e440d9bc204648edda1d4e61a387aad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 11:29:28 +0300 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9 + +From: Alexander Savenko + +[ Upstream commit 217d5bc9f96272316ac5a3215c7cc32a5127bbf3 ] + +The Lenovo Yoga Pro 7 14IMH9 (DMI: 83E2) shares PCI SSID 17aa:3847 +with the Legion 7 16ACHG6, but has a different codec subsystem ID +(17aa:38cf). The existing SND_PCI_QUIRK for 17aa:3847 applies +ALC287_FIXUP_LEGION_16ACHG6, which attempts to initialize an external +I2C amplifier (CLSA0100) that is not present on the Yoga Pro 7 14IMH9. + +As a result, pin 0x17 (bass speakers) is connected to DAC 0x06 which +has no volume control, making hardware volume adjustment completely +non-functional. Audio is either silent or at maximum volume regardless +of the slider position. + +Add a HDA_CODEC_QUIRK entry using the codec subsystem ID (17aa:38cf) +to correctly identify the Yoga Pro 7 14IMH9 and apply +ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN, which redirects pin 0x17 to +DAC 0x02 and restores proper volume control. The existing Legion entry +is preserved unchanged. + +This follows the same pattern used for 17aa:386e, where Legion Y9000X +and Yoga Pro 7 14ARP8 share a PCI SSID but are distinguished via +HDA_CODEC_QUIRK. + +Link: https://github.com/nomad4tech/lenovo-yoga-pro-7-linux +Tested-by: Alexander Savenko +Signed-off-by: Alexander Savenko +Link: https://patch.msgid.link/20260331082929.44890-1-alex.sav4387@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 1c8ee8263ab3a..2e89528e5cec1 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7402,6 +7402,10 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x383d, "Legion Y9000X 2019", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3843, "Lenovo Yoga 9i / Yoga Book 9i", ALC287_FIXUP_LENOVO_YOGA_BOOK_9I), ++ /* Yoga Pro 7 14IMH9 shares PCI SSID 17aa:3847 with Legion 7 16ACHG6; ++ * use codec SSID to distinguish them ++ */ ++ HDA_CODEC_QUIRK(0x17aa, 0x38cf, "Lenovo Yoga Pro 7 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3847, "Legion 7 16ACHG6", ALC287_FIXUP_LEGION_16ACHG6), + SND_PCI_QUIRK(0x17aa, 0x384a, "Lenovo Yoga 7 15ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3852, "Lenovo Yoga 7 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-29200 b/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-29200 new file mode 100644 index 0000000000..63ad591ebf --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-29200 @@ -0,0 +1,41 @@ +From ef4114428cbef327ace57b82d7ec6c989369c599 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 09:26:51 +0800 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 + +From: songxiebing + +[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ] + +The bass speakers are not working, and add the following entry +in /etc/modprobe.d/snd.conf: +options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin +Fixes the bass speakers. + +So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here. + +Reported-by: Fernando Garcia Corona +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317 +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 2e89528e5cec1..6b53a7d90932d 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7467,6 +7467,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38fd, "ThinkBook plus Gen5 Hybrid", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), + SND_PCI_QUIRK(0x17aa, 0x391a, "Lenovo Yoga Slim 7 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TXNW2781_I2C), +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch new file mode 100644 index 0000000000..cc5d542f70 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch @@ -0,0 +1,42 @@ +From b20c2a5c5955bf805d93b331fff1fba7b9d663ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 11:36:50 +0800 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Slim 7 14AKP10 + +From: songxiebing + +[ Upstream commit e6c888202297eca21860b669edb74fc600e679d9 ] + +The Pin Complex 0x17 (bass/woofer speakers) is incorrectly reported as +unconnected in the BIOS (pin default 0x411111f0 = N/A). This causes the +kernel to configure speaker_outs=0, meaning only the tweeters (pin 0x14) +are used. The result is very low, tinny audio with no bass. + +The existing quirk ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN (already present +in patch_realtek.c for SSID 0x17aa3801) fixes the issue completely. + +Reported-by: Garcicasti +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221298 +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20260331033650.285601-1-songxiebing@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index c76d339009a9b..1c8ee8263ab3a 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7464,6 +7464,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), ++ SND_PCI_QUIRK(0x17aa, 0x391a, "Lenovo Yoga Slim 7 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TXNW2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3920, "Yoga S990-16 pro Quad VECO Quad", ALC287_FIXUP_TXNW2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3929, "Thinkbook 13x Gen 5", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD), +-- +2.53.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch new file mode 100644 index 0000000000..433e56b38f --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch @@ -0,0 +1,36 @@ +From 9d4938f47251385da140a190b120eb238337b668 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 18:22:20 +0200 +Subject: ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED) + +From: Takashi Iwai + +[ Upstream commit ea31be8a2c8c99eac198f3b7f2dc770111f2b182 ] + +There is another Book2 Pro model (NP950QED) that seems equipped with +the same speaker module as the non-360 model, which requires +ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS quirk. + +Reported-by: Throw +Link: https://patch.msgid.link/20260330162249.147665-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index e7f7b148b40e5..c76d339009a9b 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7211,6 +7211,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x144d, 0xc188, "Samsung Galaxy Book Flex (NT950QCT-A38A)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Book Flex (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc1ac, "Samsung Galaxy Book2 Pro 360 (NP950QED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS), + SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP), +-- +2.53.0 + diff --git a/queue-6.18/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch b/queue-6.18/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch new file mode 100644 index 0000000000..428cb19a87 --- /dev/null +++ b/queue-6.18/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch @@ -0,0 +1,41 @@ +From 593c6ff74e60ea4ef4636a119ef8cca524e16835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2026 08:07:34 +0000 +Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex + +From: Phil Willoughby + +[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ] + +The NeuralDSP Quad Cortex does not support DSD playback. We need +this product-specific entry with zero quirks because otherwise it +falls through to the vendor-specific entry which marks it as +supporting DSD playback. + +Cc: Yue Wang +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Signed-off-by: Phil Willoughby +Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 9f585dbc770cb..a2c039a1b3cd6 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2296,6 +2296,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */ + QUIRK_FLAG_IGNORE_CTL_ERROR), ++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */ ++ 0), /* Doesn't have the vendor quirk which would otherwise apply */ + DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */ + QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY), + DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */ +-- +2.53.0 + diff --git a/queue-6.18/alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch b/queue-6.18/alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch new file mode 100644 index 0000000000..2759c19b27 --- /dev/null +++ b/queue-6.18/alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch @@ -0,0 +1,41 @@ +From f29aa13ab21e63c211bf26168e1634e410500e98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 18:25:27 +0800 +Subject: ALSA:usb:qcom: add AUXILIARY_BUS to Kconfig dependencies + +From: Frank Zhang + +[ Upstream commit b8bee48e38f2ddbdba5e58bc54ef54bb7d8d341b ] + +The build can fail with: + +ERROR: modpost: "__auxiliary_driver_register" +[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined! +ERROR: modpost: "auxiliary_driver_unregister" +[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined! + +Select AUXILIARY_BUS when SND_USB_AUDIO_QMI is enabled. + +Signed-off-by: Frank Zhang +Link: https://patch.msgid.link/20260317102527.556248-1-rmxpzlb@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/usb/Kconfig b/sound/usb/Kconfig +index 9b890abd96d34..b4588915efa11 100644 +--- a/sound/usb/Kconfig ++++ b/sound/usb/Kconfig +@@ -192,6 +192,7 @@ config SND_USB_AUDIO_QMI + tristate "Qualcomm Audio Offload driver" + depends on QCOM_QMI_HELPERS && SND_USB_AUDIO && SND_SOC_USB + depends on USB_XHCI_HCD && USB_XHCI_SIDEBAND ++ select AUXILIARY_BUS + help + Say Y here to enable the Qualcomm USB audio offloading feature. + +-- +2.53.0 + diff --git a/queue-6.18/arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch b/queue-6.18/arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch new file mode 100644 index 0000000000..31c077fe50 --- /dev/null +++ b/queue-6.18/arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch @@ -0,0 +1,40 @@ +From f498641478cca5c9295b43699a4ee9c68ee43aef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 11:07:35 +0200 +Subject: ARM: dts: microchip: sam9x7: fix gpio-lines count for pioB + +From: Mihai Sain + +[ Upstream commit 907150bbe566e23714a25d7bcb910f236c3c44c0 ] + +The pioB controller on the SAM9X7 SoC actually supports 27 GPIO lines. +The previous value of 26 was incorrect, leading to the last pin being +unavailable for use by the GPIO subsystem. +Update the #gpio-lines property to reflect +the correct hardware specification. + +Fixes: 41af45af8bc3 ("ARM: dts: at91: sam9x7: add device tree for SoC") +Signed-off-by: Mihai Sain +Link: https://lore.kernel.org/r/20260209090735.2016-1-mihai.sain@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/microchip/sam9x7.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/microchip/sam9x7.dtsi b/arch/arm/boot/dts/microchip/sam9x7.dtsi +index 46dacbbd201dd..d242d7a934d0f 100644 +--- a/arch/arm/boot/dts/microchip/sam9x7.dtsi ++++ b/arch/arm/boot/dts/microchip/sam9x7.dtsi +@@ -1226,7 +1226,7 @@ pioB: gpio@fffff600 { + interrupt-controller; + #gpio-cells = <2>; + gpio-controller; +- #gpio-lines = <26>; ++ #gpio-lines = <27>; + clocks = <&pmc PMC_TYPE_PERIPHERAL 3>; + }; + +-- +2.53.0 + diff --git a/queue-6.18/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch b/queue-6.18/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch new file mode 100644 index 0000000000..9f7c599de3 --- /dev/null +++ b/queue-6.18/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch @@ -0,0 +1,39 @@ +From 5e4df537ce5fd4bf7e6860f0220b3a5ab335e7d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 00:28:28 +0100 +Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency + +From: Sebastian Krzyszkowiak + +[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ] + +According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum +frequency is 400MHz. + +Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node") +Reviewed-by: Frank Li +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Peng Fan +Reviewed-by: Fabio Estevam +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index 607962f807beb..6a25e219832ce 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -1632,7 +1632,7 @@ gpu: gpu@38000000 { + <&clk IMX8MQ_GPU_PLL_OUT>, + <&clk IMX8MQ_GPU_PLL>; + assigned-clock-rates = <800000000>, <800000000>, +- <800000000>, <800000000>, <0>; ++ <800000000>, <400000000>, <0>; + power-domains = <&pgc_gpu>; + }; + +-- +2.53.0 + diff --git a/queue-6.18/arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch b/queue-6.18/arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch new file mode 100644 index 0000000000..26c6e56196 --- /dev/null +++ b/queue-6.18/arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch @@ -0,0 +1,63 @@ +From e6e3c7388452aeb188bf0a690831725022ba71ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 16:50:13 +0100 +Subject: arm64: dts: imx91-tqma9131: improve eMMC pad configuration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Niebel + +[ Upstream commit 44db7bc66eb38e85bb32777c5fd3a4e7baa84147 ] + +Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve +stability and detection at low temperatures under -25°C. + +Fixes: e71db39f0c7c ("arm64: dts: freescale: add initial device tree for TQMa91xx/MBa91xxCA") +Signed-off-by: Markus Niebel +Signed-off-by: Alexander Stein +Reviewed-by: Frank Li +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + .../boot/dts/freescale/imx91-tqma9131.dtsi | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi b/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi +index 5792952b7a8e1..c99d7bc168483 100644 +--- a/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi +@@ -272,20 +272,20 @@ pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp { + /* enable SION for data and cmd pad due to ERR052021 */ + pinctrl_usdhc1: usdhc1grp { + fsl,pins = /* PD | FSEL 3 | DSE X5 */ +- , ++ , + /* HYS | FSEL 0 | no drive */ + , + /* HYS | FSEL 3 | X5 */ +- , ++ , + /* HYS | FSEL 3 | X4 */ +- , +- , +- , +- , +- , +- , +- , +- ; ++ , ++ , ++ , ++ , ++ , ++ , ++ , ++ ; + }; + + pinctrl_wdog: wdoggrp { +-- +2.53.0 + diff --git a/queue-6.18/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch b/queue-6.18/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch new file mode 100644 index 0000000000..900696008f --- /dev/null +++ b/queue-6.18/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch @@ -0,0 +1,56 @@ +From 9ff76109b059383d0a1b500bc605b7b36f574f2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 19:23:08 +0800 +Subject: arm64: dts: imx93-9x9-qsb: change usdhc tuning step for eMMC and SD + +From: Luke Wang + +[ Upstream commit 08903184553def7ba1ad6ba4fa8afe1ba2ee0a21 ] + +During system resume, the following errors occurred: + + [ 430.638625] mmc1: error -84 writing Cache Enable bit + [ 430.643618] mmc1: error -84 doing runtime resume + +For eMMC and SD, there are two tuning pass windows and the gap between +those two windows may only have one cell. If tuning step > 1, the gap may +just be skipped and host assumes those two windows as a continuous +windows. This will cause a wrong delay cell near the gap to be selected. + +Set the tuning step to 1 to avoid selecting the wrong delay cell. + +For SDIO, the gap is sufficiently large, so the default tuning step does +not cause this issue. + +Fixes: 0565d20cd8c2 ("arm64: dts: freescale: Support i.MX93 9x9 Quick Start Board") +Signed-off-by: Luke Wang +Reviewed-by: Frank Li +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts +index 0852067eab2cb..197c8f8b7f669 100644 +--- a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts ++++ b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts +@@ -507,6 +507,7 @@ &usdhc1 { + pinctrl-2 = <&pinctrl_usdhc1_200mhz>; + bus-width = <8>; + non-removable; ++ fsl,tuning-step = <1>; + status = "okay"; + }; + +@@ -519,6 +520,7 @@ &usdhc2 { + vmmc-supply = <®_usdhc2_vmmc>; + bus-width = <4>; + no-mmc; ++ fsl,tuning-step = <1>; + status = "okay"; + }; + +-- +2.53.0 + diff --git a/queue-6.18/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch b/queue-6.18/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch new file mode 100644 index 0000000000..8ff4eadcff --- /dev/null +++ b/queue-6.18/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch @@ -0,0 +1,67 @@ +From 1668c8b9ef5b91d8f3c6a10b93e94b8adadfa4f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 16:50:14 +0100 +Subject: arm64: dts: imx93-tqma9352: improve eMMC pad configuration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Niebel + +[ Upstream commit b6c94c71f349479b76fcc0ef0dc7147f3f326dff ] + +Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve +stability and detection at low temperatures under -25°C. + +Fixes: 0b5fdfaa8e45 ("arm64: dts: freescale: imx93-tqma9352: set SION for cmd and data pad of USDHC") +Signed-off-by: Markus Niebel +Signed-off-by: Alexander Stein +Reviewed-by: Frank Li +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + .../boot/dts/freescale/imx93-tqma9352.dtsi | 26 +++++++++---------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi +index 82914ca148d3a..c095d7f115c21 100644 +--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi +@@ -270,21 +270,21 @@ MX93_PAD_SD2_RESET_B__GPIO3_IO07 0x106 + /* enable SION for data and cmd pad due to ERR052021 */ + pinctrl_usdhc1: usdhc1grp { + fsl,pins = < +- /* PD | FSEL 3 | DSE X5 */ +- MX93_PAD_SD1_CLK__USDHC1_CLK 0x5be ++ /* PD | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_CLK__USDHC1_CLK 0x59e + /* HYS | FSEL 0 | no drive */ + MX93_PAD_SD1_STROBE__USDHC1_STROBE 0x1000 +- /* HYS | FSEL 3 | X5 */ +- MX93_PAD_SD1_CMD__USDHC1_CMD 0x400011be +- /* HYS | FSEL 3 | X4 */ +- MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000119e +- MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000119e +- MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000119e +- MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000119e +- MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000119e +- MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000119e +- MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000119e +- MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000119e ++ /* HYS | PU | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_CMD__USDHC1_CMD 0x4000139e ++ /* HYS | PU | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000139e ++ MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000139e ++ MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000139e ++ MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000139e ++ MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000139e ++ MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000139e ++ MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000139e ++ MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000139e + >; + }; + +-- +2.53.0 + diff --git a/queue-6.18/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch b/queue-6.18/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch new file mode 100644 index 0000000000..d9c3626d78 --- /dev/null +++ b/queue-6.18/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch @@ -0,0 +1,49 @@ +From f82cca5bd54138636f2dbe127d6675f75f09b66e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Feb 2026 20:44:58 +0800 +Subject: arm64: dts: qcom: hamoa/x1: fix idle exit latency + +From: Daniel J Blueman + +[ Upstream commit 3ecea84d2b90bbf934d5ca75514fa902fd71e03f ] + +Designs based on the Qualcomm X1 Hamoa reference platform report: +driver: Idle state 1 target residency too low + +This is because the declared X1 idle entry plus exit latency of 680us +exceeds the declared minimum 600us residency time: + entry-latency-us = <180>; + exit-latency-us = <500>; + min-residency-us = <600>; + +Fix this to be 320us so the sum of the entry and exit latencies matches +the downstream 500us exit latency, as directed by Maulik. + +Tested on a Lenovo Yoga Slim 7x with Qualcomm X1E-80-100. + +Fixes: 2e65616ef07f ("arm64: dts: qcom: x1e80100: Update C4/C5 residency/exit numbers") +Signed-off-by: Daniel J Blueman +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20260220124626.8611-1-daniel@quora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi +index 6d97329995fe7..efe8d5e7079fe 100644 +--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi ++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi +@@ -281,7 +281,7 @@ cluster_c4: cpu-sleep-0 { + idle-state-name = "ret"; + arm,psci-suspend-param = <0x00000004>; + entry-latency-us = <180>; +- exit-latency-us = <500>; ++ exit-latency-us = <320>; + min-residency-us = <600>; + }; + }; +-- +2.53.0 + diff --git a/queue-6.18/arm64-dts-qcom-monaco-fix-uart10-pinconf.patch b/queue-6.18/arm64-dts-qcom-monaco-fix-uart10-pinconf.patch new file mode 100644 index 0000000000..b03aa0749f --- /dev/null +++ b/queue-6.18/arm64-dts-qcom-monaco-fix-uart10-pinconf.patch @@ -0,0 +1,46 @@ +From 9422f6a6cf06049ff08871d8fad3c31df04c898b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 16:56:11 +0100 +Subject: arm64: dts: qcom: monaco: Fix UART10 pinconf + +From: Loic Poulain + +[ Upstream commit 5b2a16ab0dbd090dc545c05ee79a077cc7a9c1e0 ] + +UART10 RTS and TX pins were incorrectly mapped to gpio84 and gpio85. +Correct them to gpio85 (RTS) and gpio86 (TX) to match the hardware +I/O mapping. + +Fixes: 467284a3097f ("arm64: dts: qcom: qcs8300: Add QUPv3 configuration") +Signed-off-by: Loic Poulain +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20260202155611.1568-1-loic.poulain@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcs8300.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/qcs8300.dtsi b/arch/arm64/boot/dts/qcom/qcs8300.dtsi +index 8d78ccac411e4..b8d4a75baee22 100644 +--- a/arch/arm64/boot/dts/qcom/qcs8300.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs8300.dtsi +@@ -5430,12 +5430,12 @@ qup_uart10_cts: qup-uart10-cts-state { + }; + + qup_uart10_rts: qup-uart10-rts-state { +- pins = "gpio84"; ++ pins = "gpio85"; + function = "qup1_se2"; + }; + + qup_uart10_tx: qup-uart10-tx-state { +- pins = "gpio85"; ++ pins = "gpio86"; + function = "qup1_se2"; + }; + +-- +2.53.0 + diff --git a/queue-6.18/arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch b/queue-6.18/arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch new file mode 100644 index 0000000000..f8693e1d68 --- /dev/null +++ b/queue-6.18/arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch @@ -0,0 +1,70 @@ +From 2ff8fdefdd03db98a3b4ad54ae40b6673667801c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Mar 2026 15:26:03 +0100 +Subject: arm64: dts: qcom: monaco: Reserve full Gunyah metadata region +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Loic Poulain + +[ Upstream commit 85d98669fa7f1d3041d962515e45ee6e392db6f8 ] + +We observe spurious "Synchronous External Abort" exceptions +(ESR=0x96000010) and kernel crashes on Monaco-based platforms. +These faults are caused by the kernel inadvertently accessing +hypervisor-owned memory that is not properly marked as reserved. + +>From boot log, The Qualcomm hypervisor reports the memory range +at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned: +qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0 + +However, the EFI memory map provided by firmware only reserves the +subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion +(0x91a88000–0x91afffff) is incorrectly reported as conventional +memory (from efi debug): +efi: 0x000091a40000-0x000091a87fff [Reserved...] +efi: 0x000091a88000-0x0000938fffff [Conventional...] + +As a result, the allocator may hand out PFNs inside the hypervisor +owned region, causing fatal aborts when the kernel accesses those +addresses. + +Add a reserved-memory carveout for the Gunyah hypervisor metadata +at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not +map or allocate from this area. + +For the record: +Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC) +UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1 + +Fixes: 7be190e4bdd2 ("arm64: dts: qcom: add QCS8300 platform") +Signed-off-by: Loic Poulain +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20260302142603.1113355-1-loic.poulain@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcs8300.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/qcs8300.dtsi b/arch/arm64/boot/dts/qcom/qcs8300.dtsi +index b8d4a75baee22..7a4c3e872d8ee 100644 +--- a/arch/arm64/boot/dts/qcom/qcs8300.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs8300.dtsi +@@ -756,6 +756,11 @@ smem_mem: smem@90900000 { + hwlocks = <&tcsr_mutex 3>; + }; + ++ gunyah_md_mem: gunyah-md-region@91a80000 { ++ reg = <0x0 0x91a80000 0x0 0x80000>; ++ no-map; ++ }; ++ + lpass_machine_learning_mem: lpass-machine-learning-region@93b00000 { + reg = <0x0 0x93b00000 0x0 0xf00000>; + no-map; +-- +2.53.0 + diff --git a/queue-6.18/arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch b/queue-6.18/arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch new file mode 100644 index 0000000000..1e4bcbc59f --- /dev/null +++ b/queue-6.18/arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch @@ -0,0 +1,44 @@ +From 22be70afcd2666bf52c17f0de37a7e609b624415 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Feb 2026 14:32:20 +0530 +Subject: arm64: dts: qcom: qcm6490-idp: Fix WCD9370 reset GPIO polarity + +From: Ravi Hothi + +[ Upstream commit b7df21c59739cceb7b866c6c5e8a6ba03875ab71 ] + +The WCD9370 audio codec reset line on QCM6490 IDP should be active-low, but +the device tree described it as active-high. As a result, the codec is +kept in reset and fails to reset the SoundWire, leading to timeouts +and ASoC card probe failure (-ETIMEDOUT). + +Fix the reset GPIO polarity to GPIO_ACTIVE_LOW so the codec can properly +initialize. + +Fixes: aa04c298619f ("arm64: dts: qcom: qcm6490-idp: Add WSA8830 speakers and WCD9370 headset codec") +Signed-off-by: Ravi Hothi +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20260220090220.2992193-1-ravi.hothi@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcm6490-idp.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/qcm6490-idp.dts b/arch/arm64/boot/dts/qcom/qcm6490-idp.dts +index 73fce639370cd..214671b462770 100644 +--- a/arch/arm64/boot/dts/qcom/qcm6490-idp.dts ++++ b/arch/arm64/boot/dts/qcom/qcm6490-idp.dts +@@ -177,7 +177,7 @@ wcd9370: audio-codec-0 { + pinctrl-0 = <&wcd_default>; + pinctrl-names = "default"; + +- reset-gpios = <&tlmm 83 GPIO_ACTIVE_HIGH>; ++ reset-gpios = <&tlmm 83 GPIO_ACTIVE_LOW>; + + vdd-buck-supply = <&vreg_l17b_1p7>; + vdd-rxtx-supply = <&vreg_l18b_1p8>; +-- +2.53.0 + diff --git a/queue-6.18/asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch b/queue-6.18/asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch new file mode 100644 index 0000000000..ec61c3b45f --- /dev/null +++ b/queue-6.18/asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch @@ -0,0 +1,45 @@ +From 2c26b75e9231766d2edf3737ef8dc57ccadbc663 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Mar 2026 01:33:21 +0900 +Subject: ASoC: amd: acp: add ASUS HN7306EA quirk for legacy SDW machine + +From: Hasun Park + +[ Upstream commit 2594196f4e3bd70782e7cf1e22e3e398cdb74f78 ] + +Add a DMI quirk entry for ASUS HN7306EA in the ACP SoundWire legacy +machine driver. + +Set driver_data to ASOC_SDW_ACP_DMIC for this board so the +platform-specific DMIC quirk path is selected. + +Signed-off-by: Hasun Park +Link: https://patch.msgid.link/20260319163321.30326-1-hasunpark@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-sdw-legacy-mach.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c +index 86c534d827448..504b700200660 100644 +--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c ++++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c +@@ -111,6 +111,14 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = { + }, + .driver_data = (void *)(ASOC_SDW_CODEC_SPKR), + }, ++ { ++ .callback = soc_sdw_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HN7306EA"), ++ }, ++ .driver_data = (void *)(ASOC_SDW_ACP_DMIC), ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.18/asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch b/queue-6.18/asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch new file mode 100644 index 0000000000..66590cc831 --- /dev/null +++ b/queue-6.18/asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch @@ -0,0 +1,59 @@ +From f1eb46012983e27704805c0059e0c844a03c4fe0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 19:00:06 +0530 +Subject: ASoC: amd: acp: update DMI quirk and add ACP DMIC for Lenovo + platforms + +From: Syed Saba Kareem + +[ Upstream commit 6b6f7263d626886a96fce6352f94dfab7a24c339 ] + +Replace DMI_EXACT_MATCH with DMI_MATCH for Lenovo SKU entries (21YW, +21YX) so the quirk applies to all variants of these models, not just +exact SKU matches. + +Add ASOC_SDW_ACP_DMIC flag alongside ASOC_SDW_CODEC_SPKR in driver_data +for these Lenovo platform entries, as these platforms use ACP PDM DMIC +instead of SoundWire DMIC for digital microphone support. + +Fixes: 3acf517e1ae0 ("ASoC: amd: amd_sdw: add machine driver quirk for Lenovo models") +Tested-by: Mark Pearson +Reviewed-by: Mark Pearson +Signed-off-by: Syed Saba Kareem +Reviewed-by: Vijendar Mukunda +Link: https://patch.msgid.link/20260408133029.1368317-1-syed.sabakareem@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-sdw-legacy-mach.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c +index 504b700200660..2b2910b1856d5 100644 +--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c ++++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c +@@ -99,17 +99,17 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = { + .callback = soc_sdw_quirk_cb, + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "21YW"), ++ DMI_MATCH(DMI_PRODUCT_SKU, "21YW"), + }, +- .driver_data = (void *)(ASOC_SDW_CODEC_SPKR), ++ .driver_data = (void *)((ASOC_SDW_CODEC_SPKR) | (ASOC_SDW_ACP_DMIC)), + }, + { + .callback = soc_sdw_quirk_cb, + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "21YX"), ++ DMI_MATCH(DMI_PRODUCT_SKU, "21YX"), + }, +- .driver_data = (void *)(ASOC_SDW_CODEC_SPKR), ++ .driver_data = (void *)((ASOC_SDW_CODEC_SPKR) | (ASOC_SDW_ACP_DMIC)), + }, + { + .callback = soc_sdw_quirk_cb, +-- +2.53.0 + diff --git a/queue-6.18/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch b/queue-6.18/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch new file mode 100644 index 0000000000..f91afd6c8b --- /dev/null +++ b/queue-6.18/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch @@ -0,0 +1,47 @@ +From bc35732e6ce0921f37eff4b2990fc4736c639a2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 02:43:48 +0100 +Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gilson Marquato Júnior + +[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ] + +The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal +DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk +entry so the internal microphone is properly detected on this model. + +Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9). + +Signed-off-by: Gilson Marquato Júnior +Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 6f1c105ca77e3..4c0acdad13ea1 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = { + }; + + static const struct dmi_system_id yc_acp_quirk_table[] = { ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.53.0 + diff --git a/queue-6.18/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch b/queue-6.18/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch new file mode 100644 index 0000000000..70833a5bd0 --- /dev/null +++ b/queue-6.18/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch @@ -0,0 +1,43 @@ +From b9d17e80fec87207528cd80076356cbab60b7d86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 21:25:12 +0700 +Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA + +From: Vee Satayamas + +[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ] + +Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the +internal microphone not being detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236 +Signed-off-by: Vee Satayamas +Reviewed-by: Zhang Heng +Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 1324543b42d72..c536de1bb94ad 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -717,6 +717,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.18/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch b/queue-6.18/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch new file mode 100644 index 0000000000..e9f65cd910 --- /dev/null +++ b/queue-6.18/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch @@ -0,0 +1,42 @@ +From 5d7f93620dfaacc9b6bcd7e8bf86f143cc3bc7c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 16:02:18 +0800 +Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF + +From: Zhang Heng + +[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ] + +Add a DMI quirk for the Thin A15 B7VF fixing the issue where +the internal microphone was not detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833 +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index c536de1bb94ad..6f1c105ca77e3 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -724,6 +724,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.18/asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch b/queue-6.18/asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch new file mode 100644 index 0000000000..ef15b9aede --- /dev/null +++ b/queue-6.18/asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch @@ -0,0 +1,56 @@ +From 3e2067bb57aa9fb05f7c2d13861465c5f333c0d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 10:54:58 +0200 +Subject: ASoC: Intel: avs: Fix memory leak in avs_register_i2s_test_boards() + +From: Cezary Rojewski + +[ Upstream commit c5408d818316061d6063c11a4f47f1ba25a3a708 ] + +Caller is responsible for freeing array allocated with +parse_int_array(). + +Found out by Coverity. + +Fixes: 7d859189de13 ("ASoC: Intel: avs: Allow to specify custom configurations with i2s_test") +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20260407085459.400628-1-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/board_selection.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/intel/avs/board_selection.c b/sound/soc/intel/avs/board_selection.c +index 52e6266a7cb86..96dc637ccb20c 100644 +--- a/sound/soc/intel/avs/board_selection.c ++++ b/sound/soc/intel/avs/board_selection.c +@@ -520,7 +520,8 @@ static int avs_register_i2s_test_boards(struct avs_dev *adev) + if (num_elems > max_ssps) { + dev_err(adev->dev, "board supports only %d SSP, %d specified\n", + max_ssps, num_elems); +- return -EINVAL; ++ ret = -EINVAL; ++ goto exit; + } + + for (ssp_port = 0; ssp_port < num_elems; ssp_port++) { +@@ -528,11 +529,13 @@ static int avs_register_i2s_test_boards(struct avs_dev *adev) + for_each_set_bit(tdm_slot, &tdm_slots, 16) { + ret = avs_register_i2s_test_board(adev, ssp_port, tdm_slot); + if (ret) +- return ret; ++ goto exit; + } + } + +- return 0; ++exit: ++ kfree(array); ++ return ret; + } + + static int avs_register_i2s_board(struct avs_dev *adev, struct snd_soc_acpi_mach *mach) +-- +2.53.0 + diff --git a/queue-6.18/asoc-sdca-fix-overwritten-var-within-for-loop.patch b/queue-6.18/asoc-sdca-fix-overwritten-var-within-for-loop.patch new file mode 100644 index 0000000000..d60314bd90 --- /dev/null +++ b/queue-6.18/asoc-sdca-fix-overwritten-var-within-for-loop.patch @@ -0,0 +1,40 @@ +From 8a55328359182556b81c8bb826c2cf66b514ae45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:38:31 +0100 +Subject: ASoC: SDCA: Fix overwritten var within for loop + +From: Maciej Strozek + +[ Upstream commit 23e0cbe55736de222ed975863cf06baf29bee5fe ] + +mask variable should not be overwritten within the for loop or it will +skip certain bits. Change to using BIT() macro. + +Fixes: b9ab3b618241 ("ASoC: SDCA: Add some initial IRQ handlers") +Signed-off-by: Maciej Strozek +Signed-off-by: Charles Keepax +Link: https://patch.msgid.link/20260408093835.2881486-2-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sdca/sdca_interrupts.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/sdca/sdca_interrupts.c b/sound/soc/sdca/sdca_interrupts.c +index f83413587da5a..4189efdfe2747 100644 +--- a/sound/soc/sdca/sdca_interrupts.c ++++ b/sound/soc/sdca/sdca_interrupts.c +@@ -104,9 +104,7 @@ static irqreturn_t function_status_handler(int irq, void *data) + + status = val; + for_each_set_bit(mask, &status, BITS_PER_BYTE) { +- mask = 1 << mask; +- +- switch (mask) { ++ switch (BIT(mask)) { + case SDCA_CTL_ENTITY_0_FUNCTION_NEEDS_INITIALIZATION: + //FIXME: Add init writes + break; +-- +2.53.0 + diff --git a/queue-6.18/asoc-soc-core-call-missing-init_list_head-for-card_a.patch b/queue-6.18/asoc-soc-core-call-missing-init_list_head-for-card_a.patch new file mode 100644 index 0000000000..49234e5187 --- /dev/null +++ b/queue-6.18/asoc-soc-core-call-missing-init_list_head-for-card_a.patch @@ -0,0 +1,66 @@ +From b36cc64b5cdc98aea8612e4cbe2d75b4e8154e32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 02:43:54 +0000 +Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list + +From: Kuninori Morimoto + +[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ] + +Component has "card_aux_list" which is added/deled in bind/unbind aux dev +function (A), and used in for_each_card_auxs() loop (B). + + static void soc_unbind_aux_dev(...) + { + ... + for_each_card_auxs_safe(...) { + ... +(A) list_del(&component->card_aux_list); + } ^^^^^^^^^^^^^ + } + + static int soc_bind_aux_dev(...) + { + ... + for_each_card_pre_auxs(...) { + ... +(A) list_add(&component->card_aux_list, ...); + } ^^^^^^^^^^^^^ + ... + } + + #define for_each_card_auxs(card, component) \ +(B) list_for_each_entry(component, ..., card_aux_list) + ^^^^^^^^^^^^^ + +But it has been used without calling INIT_LIST_HEAD(). + + > git grep card_aux_list sound/soc + sound/soc/soc-core.c: list_del(&component->card_aux_list); + sound/soc/soc-core.c: list_add(&component->card_aux_list, ...); + +call missing INIT_LIST_HEAD() for it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 7a6b4ec3a6990..feecf3e4e38b4 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2845,6 +2845,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, + INIT_LIST_HEAD(&component->dobj_list); + INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); ++ INIT_LIST_HEAD(&component->card_aux_list); + mutex_init(&component->io_mutex); + + if (!component->name) { +-- +2.53.0 + diff --git a/queue-6.18/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch b/queue-6.18/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch new file mode 100644 index 0000000000..defed8e12e --- /dev/null +++ b/queue-6.18/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch @@ -0,0 +1,46 @@ +From 331f261d30b1b8dd431b2cd68f993eff93b933e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:45:26 -0300 +Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ] + +sof_parse_token_sets() accepts array->size values that can be invalid +for a vendor tuple array header. In particular, a zero size does not +advance the parser state and can lead to non-progress parsing on +malformed topology data. + +Validate array->size against the minimum header size and reject values +smaller than sizeof(*array) before parsing. This preserves behavior for +valid topologies and hardens malformed-input handling. + +Signed-off-by: Cássio Gabriel +Acked-by: Peter Ujfalusi +Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index b6d5c8024f8cf..4c8dba285408a 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp, + asize = le32_to_cpu(array->size); + + /* validate asize */ +- if (asize < 0) { /* FIXME: A zero-size array makes no sense */ ++ if (asize < sizeof(*array)) { + dev_err(scomp->dev, "error: invalid array size 0x%x\n", + asize); + return -EINVAL; +-- +2.53.0 + diff --git a/queue-6.18/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch b/queue-6.18/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch new file mode 100644 index 0000000000..99a9293239 --- /dev/null +++ b/queue-6.18/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch @@ -0,0 +1,64 @@ +From e846d7fbd1ce7db29c5f8c26286e2a0fde483336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:40:56 +0200 +Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J + +From: Tomasz Merta + +[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ] + +The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A, +DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK +edge when SND_SOC_DAIFMT_NB_NF is used. + +Per ALSA convention, NB_NF requires sampling on the rising BCLK edge. +The STM32MP25 SAI reference manual states that CKSTR=1 is required for +signals received by the SAI to be sampled on the SCK rising edge. +Without setting CKSTR=1, the SAI samples on the falling edge, violating +the NB_NF convention. For comparison, the NXP FSL SAI driver correctly +sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its +I2S handling. + +This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in +stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec. +RIGHT_J (LSB) is not investigated and addressed by this patch. + +Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue +for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified +and is left for a separate investigation. + +Signed-off-by: Tomasz Merta +Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_sai_sub.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c +index 5ae4d2577f28b..c2540383ab86f 100644 +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -802,6 +802,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + break; + /* Left justified */ + case SND_SOC_DAIFMT_MSB: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + /* Right justified */ +@@ -809,9 +810,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + case SND_SOC_DAIFMT_DSP_A: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF; + break; + case SND_SOC_DAIFMT_DSP_B: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL; + break; + default: +-- +2.53.0 + diff --git a/queue-6.18/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch b/queue-6.18/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch new file mode 100644 index 0000000000..e96598ba9d --- /dev/null +++ b/queue-6.18/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch @@ -0,0 +1,83 @@ +From 4dd444c34b682cdecd550e9a274a3f36b086a28e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 15:23:35 -0700 +Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 + +From: Arthur Husband + +[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ] + +The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA +support via the S64A bit in the AHCI CAP register, but their 64-bit DMA +implementation is defective. Under sustained I/O, DMA transfers targeting +addresses above 4GB silently corrupt data -- writes land at incorrect +memory addresses with no errors logged. + +The failure pattern is similar to the ASMedia ASM1061 +(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia +ASM1061 controllers")), which also falsely advertised full 64-bit DMA +support. However, the JMB585 requires a stricter 32-bit DMA mask rather +than 43-bit, as corruption occurs with any address above 4GB. + +On the Minisforum N5 Pro specifically, the combination of the JMB585's +broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes +silent data corruption that is only detectable via checksumming +filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA +space is exhausted and the kernel transparently switches to 64-bit DMA +addresses. + +Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585 +(0x0585) before the generic JMicron class match, using a new board type +that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior) +with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks. + +Signed-off-by: Arthur Husband +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 931d0081169b9..1d73a53370cf3 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -68,6 +68,7 @@ enum board_ids { + /* board IDs for specific chipsets in alphabetical order */ + board_ahci_al, + board_ahci_avn, ++ board_ahci_jmb585, + board_ahci_mcp65, + board_ahci_mcp77, + board_ahci_mcp89, +@@ -212,6 +213,15 @@ static const struct ata_port_info ahci_port_info[] = { + .udma_mask = ATA_UDMA6, + .port_ops = &ahci_avn_ops, + }, ++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */ ++ [board_ahci_jmb585] = { ++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR | ++ AHCI_HFLAG_32BIT_ONLY), ++ .flags = AHCI_FLAG_COMMON, ++ .pio_mask = ATA_PIO4, ++ .udma_mask = ATA_UDMA6, ++ .port_ops = &ahci_ops, ++ }, + [board_ahci_mcp65] = { + AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP | + AHCI_HFLAG_YES_NCQ), +@@ -439,6 +449,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */ + { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_pcs_quirk }, /* Elkhart Lake AHCI */ + ++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */ ++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 }, ++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 }, ++ + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr }, +-- +2.53.0 + diff --git a/queue-6.18/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch b/queue-6.18/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch new file mode 100644 index 0000000000..a7849ec088 --- /dev/null +++ b/queue-6.18/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch @@ -0,0 +1,147 @@ +From 000f04ac77588ec2f0eda8a5331b2a113552a0d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 20:07:26 +0800 +Subject: Bluetooth: hci_sync: annotate data-races around hdev->req_status + +From: Cen Zhang + +[ Upstream commit b6807cfc195ef99e1ac37b2e1e60df40295daa8c ] + +__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock: + + hdev->req_status = HCI_REQ_PEND; + +However, several other functions read or write hdev->req_status without +holding any lock: + + - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue) + - hci_cmd_sync_complete() reads/writes from HCI event completion + - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write + - hci_abort_conn() reads in connection abort path + +Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while +hci_send_cmd_sync() runs on hdev->workqueue, these are different +workqueues that can execute concurrently on different CPUs. The plain +C accesses constitute a data race. + +Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses +to hdev->req_status to prevent potential compiler optimizations that +could affect correctness (e.g., load fusing in the wait_event +condition or store reordering). + +Signed-off-by: Cen Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 2 +- + net/bluetooth/hci_core.c | 2 +- + net/bluetooth/hci_sync.c | 20 ++++++++++---------- + 3 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 24b71ec8897ff..71a24be2a6d67 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -2967,7 +2967,7 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) + * hci_connect_le serializes the connection attempts so only one + * connection can be in BT_CONNECT at time. + */ +- if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { ++ if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + switch (hci_skb_event(hdev->sent_cmd)) { + case HCI_EV_CONN_COMPLETE: + case HCI_EV_LE_CONN_COMPLETE: +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 8ccec73dce45c..0f86b81b39730 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4125,7 +4125,7 @@ static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) + kfree_skb(skb); + } + +- if (hdev->req_status == HCI_REQ_PEND && ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND && + !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) { + kfree_skb(hdev->req_skb); + hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 9a7bd4a4b14c4..f498ab28f1aa0 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -25,11 +25,11 @@ static void hci_cmd_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode, + { + bt_dev_dbg(hdev, "result 0x%2.2x", result); + +- if (hdev->req_status != HCI_REQ_PEND) ++ if (READ_ONCE(hdev->req_status) != HCI_REQ_PEND) + return; + + hdev->req_result = result; +- hdev->req_status = HCI_REQ_DONE; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_DONE); + + /* Free the request command so it is not used as response */ + kfree_skb(hdev->req_skb); +@@ -167,20 +167,20 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, + + hci_cmd_sync_add(&req, opcode, plen, param, event, sk); + +- hdev->req_status = HCI_REQ_PEND; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_PEND); + + err = hci_req_sync_run(&req); + if (err < 0) + return ERR_PTR(err); + + err = wait_event_interruptible_timeout(hdev->req_wait_q, +- hdev->req_status != HCI_REQ_PEND, ++ READ_ONCE(hdev->req_status) != HCI_REQ_PEND, + timeout); + + if (err == -ERESTARTSYS) + return ERR_PTR(-EINTR); + +- switch (hdev->req_status) { ++ switch (READ_ONCE(hdev->req_status)) { + case HCI_REQ_DONE: + err = -bt_to_errno(hdev->req_result); + break; +@@ -194,7 +194,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, + break; + } + +- hdev->req_status = 0; ++ WRITE_ONCE(hdev->req_status, 0); + hdev->req_result = 0; + skb = hdev->req_rsp; + hdev->req_rsp = NULL; +@@ -665,9 +665,9 @@ void hci_cmd_sync_cancel(struct hci_dev *hdev, int err) + { + bt_dev_dbg(hdev, "err 0x%2.2x", err); + +- if (hdev->req_status == HCI_REQ_PEND) { ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + hdev->req_result = err; +- hdev->req_status = HCI_REQ_CANCELED; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED); + + queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work); + } +@@ -683,12 +683,12 @@ void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err) + { + bt_dev_dbg(hdev, "err 0x%2.2x", err); + +- if (hdev->req_status == HCI_REQ_PEND) { ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + /* req_result is __u32 so error must be positive to be properly + * propagated. + */ + hdev->req_result = err < 0 ? -err : err; +- hdev->req_status = HCI_REQ_CANCELED; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED); + + wake_up_interruptible(&hdev->req_wait_q); + } +-- +2.53.0 + diff --git a/queue-6.18/bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch b/queue-6.18/bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch new file mode 100644 index 0000000000..3a8ee81269 --- /dev/null +++ b/queue-6.18/bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch @@ -0,0 +1,74 @@ +From e648e5e6a5587e49fd47872c4010f629cfef0b50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 07:01:53 -0700 +Subject: bridge: guard local VLAN-0 FDB helpers against NULL vlan group + +From: Zijing Yin + +[ Upstream commit 1979645e1842cb7017525a61a0e0e0beb924d02a ] + +When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and +nbp_vlan_group() return NULL (br_private.h stub definitions). The +BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and +reaches br_fdb_delete_locals_per_vlan_port() and +br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer +is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist). + +The observed crash is in the delete path, triggered when creating a +bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0 +via RTM_NEWLINK. The insert helper has the same bug pattern. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI + KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7] + RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310 + Call Trace: + br_fdb_toggle_local_vlan_0+0x452/0x4c0 + br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276 + br_boolopt_toggle net/bridge/br.c:313 + br_boolopt_multi_toggle net/bridge/br.c:364 + br_changelink net/bridge/br_netlink.c:1542 + br_dev_newlink net/bridge/br_netlink.c:1575 + +Add NULL checks for the vlan group pointer in both helpers, returning +early when there are no VLANs to iterate. This matches the existing +pattern used by other bridge FDB functions such as br_fdb_add() and +br_fdb_delete(). + +Fixes: 21446c06b441 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0") +Signed-off-by: Zijing Yin +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20260402140153.3925663-1-yzjaurora@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 0501ffcb8a3dd..e2c17f620f009 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -597,6 +597,9 @@ static void br_fdb_delete_locals_per_vlan_port(struct net_bridge *br, + dev = br->dev; + } + ++ if (!vg) ++ return; ++ + list_for_each_entry(v, &vg->vlan_list, vlist) + br_fdb_find_delete_local(br, p, dev->dev_addr, v->vid); + } +@@ -630,6 +633,9 @@ static int br_fdb_insert_locals_per_vlan_port(struct net_bridge *br, + dev = br->dev; + } + ++ if (!vg) ++ return 0; ++ + list_for_each_entry(v, &vg->vlan_list, vlist) { + if (!br_vlan_should_use(v)) + continue; +-- +2.53.0 + diff --git a/queue-6.18/btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch b/queue-6.18/btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch new file mode 100644 index 0000000000..b6088753dc --- /dev/null +++ b/queue-6.18/btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch @@ -0,0 +1,218 @@ +From 90707f34107f80b4591ad8564b674a5876d39d1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Feb 2026 14:46:50 +0000 +Subject: btrfs: fix zero size inode with non-zero size after log replay + +From: Filipe Manana + +[ Upstream commit 5254d4181add9dfaa5e3519edd71cc8f752b2f85 ] + +When logging that an inode exists, as part of logging a new name or +logging new dir entries for a directory, we always set the generation of +the logged inode item to 0. This is to signal during log replay (in +overwrite_item()), that we should not set the i_size since we only logged +that an inode exists, so the i_size of the inode in the subvolume tree +must be preserved (as when we log new names or that an inode exists, we +don't log extents). + +This works fine except when we have already logged an inode in full mode +or it's the first time we are logging an inode created in a past +transaction, that inode has a new i_size of 0 and then we log a new name +for the inode (due to a new hardlink or a rename), in which case we log +an i_size of 0 for the inode and a generation of 0, which causes the log +replay code to not update the inode's i_size to 0 (in overwrite_item()). + +An example scenario: + + mkdir /mnt/dir + xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo + + sync + + xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo + + ln /mnt/dir/foo /mnt/dir/bar + + xfs_io -c "fsync" /mnt/dir + + + +After log replay the file remains with a size of 64K. This is because when +we first log the inode, when we fsync file foo, we log its current i_size +of 0, and then when we create a hard link we log again the inode in exists +mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we +add to the log tree, so during log replay overwrite_item() sees that the +generation is 0 and i_size is 0 so we skip updating the inode's i_size +from 64K to 0. + +Fix this by making sure at fill_inode_item() we always log the real +generation of the inode if it was logged in the current transaction with +the i_size we logged before. Also if an inode created in a previous +transaction is logged in exists mode only, make sure we log the i_size +stored in the inode item located from the commit root, so that if we log +multiple times that the inode exists we get the correct i_size. + +A test case for fstests will follow soon. + +Reported-by: Vyacheslav Kovalevsky +Link: https://lore.kernel.org/linux-btrfs/af8c15fa-4e41-4bb2-885c-0bc4e97532a6@gmail.com/ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 98 ++++++++++++++++++++++++++++++--------------- + 1 file changed, 65 insertions(+), 33 deletions(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 7505a87522fd7..c45c5112c0350 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4608,21 +4608,32 @@ static void fill_inode_item(struct btrfs_trans_handle *trans, + struct inode *inode, bool log_inode_only, + u64 logged_isize) + { ++ u64 gen = BTRFS_I(inode)->generation; + u64 flags; + + if (log_inode_only) { +- /* set the generation to zero so the recover code +- * can tell the difference between an logging +- * just to say 'this inode exists' and a logging +- * to say 'update this inode with these values' ++ /* ++ * Set the generation to zero so the recover code can tell the ++ * difference between a logging just to say 'this inode exists' ++ * and a logging to say 'update this inode with these values'. ++ * But only if the inode was not already logged before. ++ * We access ->logged_trans directly since it was already set ++ * up in the call chain by btrfs_log_inode(), and data_race() ++ * to avoid false alerts from KCSAN and since it was set already ++ * and one can set it to 0 since that only happens on eviction ++ * and we are holding a ref on the inode. + */ +- btrfs_set_inode_generation(leaf, item, 0); ++ ASSERT(data_race(BTRFS_I(inode)->logged_trans) > 0); ++ if (data_race(BTRFS_I(inode)->logged_trans) < trans->transid) ++ gen = 0; ++ + btrfs_set_inode_size(leaf, item, logged_isize); + } else { +- btrfs_set_inode_generation(leaf, item, BTRFS_I(inode)->generation); + btrfs_set_inode_size(leaf, item, inode->i_size); + } + ++ btrfs_set_inode_generation(leaf, item, gen); ++ + btrfs_set_inode_uid(leaf, item, i_uid_read(inode)); + btrfs_set_inode_gid(leaf, item, i_gid_read(inode)); + btrfs_set_inode_mode(leaf, item, inode->i_mode); +@@ -5428,42 +5439,63 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, + return 0; + } + +-static int logged_inode_size(struct btrfs_root *log, struct btrfs_inode *inode, +- struct btrfs_path *path, u64 *size_ret) ++static int get_inode_size_to_log(struct btrfs_trans_handle *trans, ++ struct btrfs_inode *inode, ++ struct btrfs_path *path, u64 *size_ret) + { + struct btrfs_key key; ++ struct btrfs_inode_item *item; + int ret; + + key.objectid = btrfs_ino(inode); + key.type = BTRFS_INODE_ITEM_KEY; + key.offset = 0; + +- ret = btrfs_search_slot(NULL, log, &key, path, 0, 0); +- if (ret < 0) { +- return ret; +- } else if (ret > 0) { +- *size_ret = 0; +- } else { +- struct btrfs_inode_item *item; ++ /* ++ * Our caller called inode_logged(), so logged_trans is up to date. ++ * Use data_race() to silence any warning from KCSAN. Once logged_trans ++ * is set, it can only be reset to 0 after inode eviction. ++ */ ++ if (data_race(inode->logged_trans) == trans->transid) { ++ ret = btrfs_search_slot(NULL, inode->root->log_root, &key, path, 0, 0); ++ } else if (inode->generation < trans->transid) { ++ path->search_commit_root = true; ++ path->skip_locking = true; ++ ret = btrfs_search_slot(NULL, inode->root, &key, path, 0, 0); ++ path->search_commit_root = false; ++ path->skip_locking = false; + +- item = btrfs_item_ptr(path->nodes[0], path->slots[0], +- struct btrfs_inode_item); +- *size_ret = btrfs_inode_size(path->nodes[0], item); +- /* +- * If the in-memory inode's i_size is smaller then the inode +- * size stored in the btree, return the inode's i_size, so +- * that we get a correct inode size after replaying the log +- * when before a power failure we had a shrinking truncate +- * followed by addition of a new name (rename / new hard link). +- * Otherwise return the inode size from the btree, to avoid +- * data loss when replaying a log due to previously doing a +- * write that expands the inode's size and logging a new name +- * immediately after. +- */ +- if (*size_ret > inode->vfs_inode.i_size) +- *size_ret = inode->vfs_inode.i_size; ++ } else { ++ *size_ret = 0; ++ return 0; + } + ++ /* ++ * If the inode was logged before or is from a past transaction, then ++ * its inode item must exist in the log root or in the commit root. ++ */ ++ ASSERT(ret <= 0); ++ if (WARN_ON_ONCE(ret > 0)) ++ ret = -ENOENT; ++ ++ if (ret < 0) ++ return ret; ++ ++ item = btrfs_item_ptr(path->nodes[0], path->slots[0], ++ struct btrfs_inode_item); ++ *size_ret = btrfs_inode_size(path->nodes[0], item); ++ /* ++ * If the in-memory inode's i_size is smaller then the inode size stored ++ * in the btree, return the inode's i_size, so that we get a correct ++ * inode size after replaying the log when before a power failure we had ++ * a shrinking truncate followed by addition of a new name (rename / new ++ * hard link). Otherwise return the inode size from the btree, to avoid ++ * data loss when replaying a log due to previously doing a write that ++ * expands the inode's size and logging a new name immediately after. ++ */ ++ if (*size_ret > inode->vfs_inode.i_size) ++ *size_ret = inode->vfs_inode.i_size; ++ + btrfs_release_path(path); + return 0; + } +@@ -6978,7 +7010,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans, + ret = drop_inode_items(trans, log, path, inode, + BTRFS_XATTR_ITEM_KEY); + } else { +- if (inode_only == LOG_INODE_EXISTS && ctx->logged_before) { ++ if (inode_only == LOG_INODE_EXISTS) { + /* + * Make sure the new inode item we write to the log has + * the same isize as the current one (if it exists). +@@ -6992,7 +7024,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans, + * (zeroes), as if an expanding truncate happened, + * instead of getting a file of 4Kb only. + */ +- ret = logged_inode_size(log, inode, path, &logged_isize); ++ ret = get_inode_size_to_log(trans, inode, path, &logged_isize); + if (ret) + goto out_unlock; + } +-- +2.53.0 + diff --git a/queue-6.18/btrfs-tracepoints-get-correct-superblock-from-dentry.patch b/queue-6.18/btrfs-tracepoints-get-correct-superblock-from-dentry.patch new file mode 100644 index 0000000000..82257ddbf7 --- /dev/null +++ b/queue-6.18/btrfs-tracepoints-get-correct-superblock-from-dentry.patch @@ -0,0 +1,50 @@ +From ed296a905d6164291593d3b472ad451b4cfeca50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 14:11:39 -0400 +Subject: btrfs: tracepoints: get correct superblock from dentry in event + btrfs_sync_file() + +From: Goldwyn Rodrigues + +[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] + +If overlay is used on top of btrfs, dentry->d_sb translates to overlay's +super block and fsid assignment will lead to a crash. + +Use file_inode(file)->i_sb to always get btrfs_sb. + +Reviewed-by: Boris Burkov +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + include/trace/events/btrfs.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index 125bdc166bfed..0864700f76e0a 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -769,12 +769,15 @@ TRACE_EVENT(btrfs_sync_file, + ), + + TP_fast_assign( +- const struct dentry *dentry = file->f_path.dentry; +- const struct inode *inode = d_inode(dentry); ++ struct dentry *dentry = file_dentry(file); ++ struct inode *inode = file_inode(file); ++ struct dentry *parent = dget_parent(dentry); ++ struct inode *parent_inode = d_inode(parent); + +- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb)); ++ dput(parent); ++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb)); + __entry->ino = btrfs_ino(BTRFS_I(inode)); +- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent))); ++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode)); + __entry->datasync = datasync; + __entry->root_objectid = btrfs_root_id(BTRFS_I(inode)->root); + ), +-- +2.53.0 + diff --git a/queue-6.18/can-mcp251x-add-error-handling-for-power-enable-in-o.patch b/queue-6.18/can-mcp251x-add-error-handling-for-power-enable-in-o.patch new file mode 100644 index 0000000000..86c2558f47 --- /dev/null +++ b/queue-6.18/can-mcp251x-add-error-handling-for-power-enable-in-o.patch @@ -0,0 +1,90 @@ +From 8cb85856e3aaceae2ecc39c245fac5a74a47f511 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 00:00:22 +0800 +Subject: can: mcp251x: add error handling for power enable in open and resume + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ] + +Add missing error handling for mcp251x_power_enable() calls in both +mcp251x_open() and mcp251x_can_resume() functions. + +In mcp251x_open(), if power enable fails, jump to error path to close +candev without attempting to disable power again. + +In mcp251x_can_resume(), properly check return values of power enable calls +for both power and transceiver regulators. If any fails, return the error +code to the PM framework and log the failure. + +This ensures the driver properly handles power control failures and +maintains correct device state. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com +[mkl: fix patch description] +[mkl: mcp251x_can_resume(): replace goto by return] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index b46262e791301..5a7aa02092c7e 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1225,7 +1225,11 @@ static int mcp251x_open(struct net_device *net) + } + + mutex_lock(&priv->mcp_lock); +- mcp251x_power_enable(priv->transceiver, 1); ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret)); ++ goto out_close_candev; ++ } + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -1272,6 +1276,7 @@ static int mcp251x_open(struct net_device *net) + mcp251x_hw_sleep(spi); + out_close: + mcp251x_power_enable(priv->transceiver, 0); ++out_close_candev: + close_candev(net); + mutex_unlock(&priv->mcp_lock); + if (release_irq) +@@ -1508,11 +1513,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev) + { + struct spi_device *spi = to_spi_device(dev); + struct mcp251x_priv *priv = spi_get_drvdata(spi); ++ int ret = 0; + +- if (priv->after_suspend & AFTER_SUSPEND_POWER) +- mcp251x_power_enable(priv->power, 1); +- if (priv->after_suspend & AFTER_SUSPEND_UP) +- mcp251x_power_enable(priv->transceiver, 1); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) { ++ ret = mcp251x_power_enable(priv->power, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret)); ++ return ret; ++ } ++ } ++ ++ if (priv->after_suspend & AFTER_SUSPEND_UP) { ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret)); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) ++ mcp251x_power_enable(priv->power, 0); ++ return ret; ++ } ++ } + + if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP)) + queue_work(priv->wq, &priv->restart_work); +-- +2.53.0 + diff --git a/queue-6.18/clockevents-prevent-timer-interrupt-starvation.patch b/queue-6.18/clockevents-prevent-timer-interrupt-starvation.patch new file mode 100644 index 0000000000..fb0798fd6d --- /dev/null +++ b/queue-6.18/clockevents-prevent-timer-interrupt-starvation.patch @@ -0,0 +1,218 @@ +From ff3638ff00c87218340038cfcb28b7446240b4bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 10:54:17 +0200 +Subject: clockevents: Prevent timer interrupt starvation + +From: Thomas Gleixner + +[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ] + +Calvin reported an odd NMI watchdog lockup which claims that the CPU locked +up in user space. He provided a reproducer, which sets up a timerfd based +timer and then rearms it in a loop with an absolute expiry time of 1ns. + +As the expiry time is in the past, the timer ends up as the first expiring +timer in the per CPU hrtimer base and the clockevent device is programmed +with the minimum delta value. If the machine is fast enough, this ends up +in a endless loop of programming the delta value to the minimum value +defined by the clock event device, before the timer interrupt can fire, +which starves the interrupt and consequently triggers the lockup detector +because the hrtimer callback of the lockup mechanism is never invoked. + +As a first step to prevent this, avoid reprogramming the clock event device +when: + - a forced minimum delta event is pending + - the new expiry delta is less then or equal to the minimum delta + +Thanks to Calvin for providing the reproducer and to Borislav for testing +and providing data from his Zen5 machine. + +The problem is not limited to Zen5, but depending on the underlying +clock event device (e.g. TSC deadline timer on Intel) and the CPU speed +not necessarily observable. + +This change serves only as the last resort and further changes will be made +to prevent this scenario earlier in the call chain as far as possible. + +[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and + fixed up the tick-broadcast handlers as pointed out by Borislav ] + +Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality") +Reported-by: Calvin Owens +Signed-off-by: Thomas Gleixner +Tested-by: Calvin Owens +Tested-by: Borislav Petkov +Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/ +Link: https://patch.msgid.link/20260407083247.562657657@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/clockchips.h | 2 ++ + kernel/time/clockevents.c | 27 +++++++++++++++++++-------- + kernel/time/hrtimer.c | 1 + + kernel/time/tick-broadcast.c | 8 +++++++- + kernel/time/tick-common.c | 1 + + kernel/time/tick-sched.c | 1 + + 6 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h +index b0df28ddd394b..50cdc9da8d32a 100644 +--- a/include/linux/clockchips.h ++++ b/include/linux/clockchips.h +@@ -80,6 +80,7 @@ enum clock_event_state { + * @shift: nanoseconds to cycles divisor (power of two) + * @state_use_accessors:current state of the device, assigned by the core code + * @features: features ++ * @next_event_forced: True if the last programming was a forced event + * @retries: number of forced programming retries + * @set_state_periodic: switch state to periodic + * @set_state_oneshot: switch state to oneshot +@@ -108,6 +109,7 @@ struct clock_event_device { + u32 shift; + enum clock_event_state state_use_accessors; + unsigned int features; ++ unsigned int next_event_forced; + unsigned long retries; + + int (*set_state_periodic)(struct clock_event_device *); +diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c +index a59bc75ab7c5b..e7b0163eeeb44 100644 +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev) + { + clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN); + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + } + + /** +@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + { + unsigned long long clc; + int64_t delta; +- int rc; + + if (WARN_ON_ONCE(expires < 0)) + return -ETIME; +@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + return dev->set_next_ktime(expires, dev); + + delta = ktime_to_ns(ktime_sub(expires, ktime_get())); +- if (delta <= 0) +- return force ? clockevents_program_min_delta(dev) : -ETIME; + +- delta = min(delta, (int64_t) dev->max_delta_ns); +- delta = max(delta, (int64_t) dev->min_delta_ns); ++ /* Required for tick_periodic() during early boot */ ++ if (delta <= 0 && !force) ++ return -ETIME; ++ ++ if (delta > (int64_t)dev->min_delta_ns) { ++ delta = min(delta, (int64_t) dev->max_delta_ns); ++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift; ++ if (!dev->set_next_event((unsigned long) clc, dev)) ++ return 0; ++ } + +- clc = ((unsigned long long) delta * dev->mult) >> dev->shift; +- rc = dev->set_next_event((unsigned long) clc, dev); ++ if (dev->next_event_forced) ++ return 0; + +- return (rc && force) ? clockevents_program_min_delta(dev) : rc; ++ if (dev->set_next_event(dev->min_delta_ticks, dev)) { ++ if (!force || clockevents_program_min_delta(dev)) ++ return -ETIME; ++ } ++ dev->next_event_forced = 1; ++ return 0; + } + + /* +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 21b6d93401480..fde64bfed98fe 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1880,6 +1880,7 @@ void hrtimer_interrupt(struct clock_event_device *dev) + BUG_ON(!cpu_base->hres_active); + cpu_base->nr_events++; + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + raw_spin_lock_irqsave(&cpu_base->lock, flags); + entry_time = now = hrtimer_update_base(cpu_base); +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index 0207868c8b4d2..e411a378db949 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu) + */ + static void tick_broadcast_start_periodic(struct clock_event_device *bc) + { +- if (bc) ++ if (bc) { ++ bc->next_event_forced = 0; + tick_setup_periodic(bc, 1); ++ } + } + + /* +@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev) + bool bc_local; + + raw_spin_lock(&tick_broadcast_lock); ++ tick_broadcast_device.evtdev->next_event_forced = 0; + + /* Handle spurious interrupts gracefully */ + if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) { +@@ -696,6 +699,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev) + + raw_spin_lock(&tick_broadcast_lock); + dev->next_event = KTIME_MAX; ++ tick_broadcast_device.evtdev->next_event_forced = 0; + next_event = KTIME_MAX; + cpumask_clear(tmpmask); + now = ktime_get(); +@@ -1063,6 +1067,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc, + + + bc->event_handler = tick_handle_oneshot_broadcast; ++ bc->next_event_forced = 0; + bc->next_event = KTIME_MAX; + + /* +@@ -1175,6 +1180,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu) + } + + /* This moves the broadcast assignment to this CPU: */ ++ bc->next_event_forced = 0; + clockevents_program_event(bc, bc->next_event, 1); + } + raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index 7e33d3f2e889b..b0c669a7745a7 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -110,6 +110,7 @@ void tick_handle_periodic(struct clock_event_device *dev) + int cpu = smp_processor_id(); + ktime_t next = dev->next_event; + ++ dev->next_event_forced = 0; + tick_periodic(cpu); + + /* +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 466e083c82721..36f27a8ae6c03 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1482,6 +1482,7 @@ static void tick_nohz_lowres_handler(struct clock_event_device *dev) + struct tick_sched *ts = this_cpu_ptr(&tick_cpu_sched); + + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + if (likely(tick_nohz_handler(&ts->sched_timer) == HRTIMER_RESTART)) + tick_program_event(hrtimer_get_expires(&ts->sched_timer), 1); +-- +2.53.0 + diff --git a/queue-6.18/crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch b/queue-6.18/crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch new file mode 100644 index 0000000000..bfb8731304 --- /dev/null +++ b/queue-6.18/crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch @@ -0,0 +1,44 @@ +From e9da25e29b3905023b0dfb5ffc4882a73fb12320 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 08:29:58 +0800 +Subject: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl + +From: Herbert Xu + +[ Upstream commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef ] + +When page reassignment was added to af_alg_pull_tsgl the original +loop wasn't updated so it may try to reassign one more page than +necessary. + +Add the check to the reassignment so that this does not happen. + +Also update the comment which still refers to the obsolete offset +argument. + +Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com +Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/af_alg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 6867d177f2a2d..b61c3ba126ed1 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -705,8 +705,8 @@ void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst) + * Assumption: caller created af_alg_count_tsgl(len) + * SG entries in dst. + */ +- if (dst) { +- /* reassign page to dst after offset */ ++ if (dst && plen) { ++ /* reassign page to dst */ + get_page(page); + sg_set_page(dst + j, page, plen, sg[i].offset); + j++; +-- +2.53.0 + diff --git a/queue-6.18/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch b/queue-6.18/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch new file mode 100644 index 0000000000..c5e45bc5e6 --- /dev/null +++ b/queue-6.18/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch @@ -0,0 +1,68 @@ +From c2b477593ad2b19d860ceb7c6b0cd2f3beacd327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 23:34:55 +0800 +Subject: crypto: af_alg - limit RX SG extraction by receive buffer budget + +From: Douya Le + +[ Upstream commit 8eceab19eba9dcbfd2a0daec72e1bf48aa100170 ] + +Make af_alg_get_rsgl() limit each RX scatterlist extraction to the +remaining receive buffer budget. + +af_alg_get_rsgl() currently uses af_alg_readable() only as a gate +before extracting data into the RX scatterlist. Limit each extraction +to the remaining af_alg_rcvbuf(sk) budget so that receive-side +accounting matches the amount of data attached to the request. + +If skcipher cannot obtain enough RX space for at least one chunk while +more data remains to be processed, reject the recvmsg call instead of +rounding the request length down to zero. + +Fixes: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a ("crypto: algif_skcipher - overhaul memory management") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Signed-off-by: Douya Le +Signed-off-by: Ren Wei +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/af_alg.c | 2 ++ + crypto/algif_skcipher.c | 5 +++++ + 2 files changed, 7 insertions(+) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 3236601aa6dc0..6867d177f2a2d 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1229,6 +1229,8 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags, + + seglen = min_t(size_t, (maxsize - len), + msg_data_left(msg)); ++ /* Never pin more pages than the remaining RX accounting budget. */ ++ seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk)); + + if (list_empty(&areq->rsgl_list)) { + rsgl = &areq->first_rsgl; +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index 82735e51be108..ba0a17fd95aca 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -130,6 +130,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, + * full block size buffers. + */ + if (ctx->more || len < ctx->used) { ++ if (len < bs) { ++ err = -EINVAL; ++ goto free; ++ } ++ + len -= len % bs; + cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL; + } +-- +2.53.0 + diff --git a/queue-6.18/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-6.18/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch new file mode 100644 index 0000000000..5c40d3bd94 --- /dev/null +++ b/queue-6.18/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch @@ -0,0 +1,38 @@ +From 17e74a9c0e1b5ee289a241477800a8ce2c1c5108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 13:32:21 +0800 +Subject: crypto: algif_aead - Fix minimum RX size check for decryption + +From: Herbert Xu + +[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] + +The check for the minimum receive buffer size did not take the +tag size into account during decryption. Fix this by adding the +required extra length. + +Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com +Reported-by: Daniel Pouzzner +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_aead.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c +index dda15bb05e892..f8bd45f7dc839 100644 +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -144,7 +144,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + if (usedpages < outlen) { + size_t less = outlen - usedpages; + +- if (used < less) { ++ if (used < less + (ctx->enc ? 0 : as)) { + err = -EINVAL; + goto free; + } +-- +2.53.0 + diff --git a/queue-6.18/devlink-fix-incorrect-skb-socket-family-dumping.patch b/queue-6.18/devlink-fix-incorrect-skb-socket-family-dumping.patch new file mode 100644 index 0000000000..702da9cc39 --- /dev/null +++ b/queue-6.18/devlink-fix-incorrect-skb-socket-family-dumping.patch @@ -0,0 +1,40 @@ +From 9f813313e8457f4a4c60fa0a36da4ca8a5fe2bdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 22:27:30 -0400 +Subject: devlink: Fix incorrect skb socket family dumping + +From: Li RongQing + +[ Upstream commit 0006c6f1091bbeea88b8a88a6548b9fb2f803c74 ] + +The devlink_fmsg_dump_skb function was incorrectly using the socket +type (sk->sk_type) instead of the socket family (sk->sk_family) +when filling the "family" field in the fast message dump. + +This patch fixes this to properly display the socket family. + +Fixes: 3dbfde7f6bc7b8 ("devlink: add devlink_fmsg_dump_skb() function") +Signed-off-by: Li RongQing +Link: https://patch.msgid.link/20260407022730.2393-1-lirongqing@baidu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/health.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/devlink/health.c b/net/devlink/health.c +index 136a67c36a20d..0798c82096bdc 100644 +--- a/net/devlink/health.c ++++ b/net/devlink/health.c +@@ -1327,7 +1327,7 @@ void devlink_fmsg_dump_skb(struct devlink_fmsg *fmsg, const struct sk_buff *skb) + if (sk) { + devlink_fmsg_pair_nest_start(fmsg, "sk"); + devlink_fmsg_obj_nest_start(fmsg); +- devlink_fmsg_put(fmsg, "family", sk->sk_type); ++ devlink_fmsg_put(fmsg, "family", sk->sk_family); + devlink_fmsg_put(fmsg, "type", sk->sk_type); + devlink_fmsg_put(fmsg, "proto", sk->sk_protocol); + devlink_fmsg_obj_nest_end(fmsg); +-- +2.53.0 + diff --git a/queue-6.18/dma-debug-suppress-cacheline-overlap-warning-when-ar.patch b/queue-6.18/dma-debug-suppress-cacheline-overlap-warning-when-ar.patch new file mode 100644 index 0000000000..05024ad5d4 --- /dev/null +++ b/queue-6.18/dma-debug-suppress-cacheline-overlap-warning-when-ar.patch @@ -0,0 +1,67 @@ +From de0e66f68ed8e905b62cfaaa8b9ee1f5528e5f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 17:41:56 +0500 +Subject: dma-debug: suppress cacheline overlap warning when arch has no DMA + alignment requirement + +From: Mikhail Gavrilov + +[ Upstream commit 3d48c9fd78dd0b1809669ec49c4d0997b8127512 ] + +When CONFIG_DMA_API_DEBUG is enabled, the DMA debug infrastructure +tracks active mappings per cacheline and warns if two different DMA +mappings share the same cacheline ("cacheline tracking EEXIST, +overlapping mappings aren't supported"). + +On x86_64, ARCH_KMALLOC_MINALIGN defaults to 8, so small kmalloc +allocations (e.g. the 8-byte hub->buffer and hub->status in the USB +hub driver) frequently land in the same 64-byte cacheline. When both +are DMA-mapped, this triggers a false positive warning. + +This has been reported repeatedly since v5.14 (when the EEXIST check +was added) across various USB host controllers and devices including +xhci_hcd with USB hubs, USB audio devices, and USB ethernet adapters. + +The cacheline overlap is only a real concern on architectures that +require DMA buffer alignment to cacheline boundaries (i.e. where +ARCH_DMA_MINALIGN >= L1_CACHE_BYTES). On architectures like x86_64 +where dma_get_cache_alignment() returns 1, the hardware is +cache-coherent and overlapping cacheline mappings are harmless. + +Suppress the EEXIST warning when dma_get_cache_alignment() is less +than L1_CACHE_BYTES, indicating the architecture does not require +cacheline-aligned DMA buffers. + +Verified with a kernel module reproducer that performs two kmalloc(8) +allocations back-to-back and DMA-maps both: + + Before: allocations share a cacheline, EEXIST fires within ~50 pairs + After: same cacheline pair found, but no warning emitted + +Fixes: 2b4bbc6231d7 ("dma-debug: report -EEXIST errors in add_dma_entry") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215740 +Suggested-by: Harry Yoo +Tested-by: Mikhail Gavrilov +Signed-off-by: Mikhail Gavrilov +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20260327124156.24820-1-mikhail.v.gavrilov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/dma/debug.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 43d6a996d7a78..596ea7abbda15 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -614,6 +614,7 @@ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs) + } else if (rc == -EEXIST && + !(attrs & DMA_ATTR_SKIP_CPU_SYNC) && + !(entry->is_cache_clean && overlap_cache_clean) && ++ dma_get_cache_alignment() >= L1_CACHE_BYTES && + !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) && + is_swiotlb_active(entry->dev))) { + err_printk(entry->dev, entry, +-- +2.53.0 + diff --git a/queue-6.18/dma-debug-track-cache-clean-flag-in-entries.patch b/queue-6.18/dma-debug-track-cache-clean-flag-in-entries.patch new file mode 100644 index 0000000000..2dc81ccb62 --- /dev/null +++ b/queue-6.18/dma-debug-track-cache-clean-flag-in-entries.patch @@ -0,0 +1,111 @@ +From f6af8c4088b3693fd09b166fc071f52f5dc5a54f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 14:38:31 -0500 +Subject: dma-debug: track cache clean flag in entries + +From: Michael S. Tsirkin + +[ Upstream commit d5d846513128c1a3bc2f2d371f6e903177dea443 ] + +If a driver is buggy and has 2 overlapping mappings but only +sets cache clean flag on the 1st one of them, we warn. +But if it only does it for the 2nd one, we don't. + +Fix by tracking cache clean flag in the entry. + +Message-ID: <0ffb3513d18614539c108b4548cdfbc64274a7d1.1767601130.git.mst@redhat.com> +Reviewed-by: Petr Tesarik +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: 3d48c9fd78dd ("dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement") +Signed-off-by: Sasha Levin +--- + kernel/dma/debug.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 7e66d863d573f..43d6a996d7a78 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -63,6 +63,7 @@ enum map_err_types { + * @sg_mapped_ents: 'mapped_ents' from dma_map_sg + * @paddr: physical start address of the mapping + * @map_err_type: track whether dma_mapping_error() was checked ++ * @is_cache_clean: driver promises not to write to buffer while mapped + * @stack_len: number of backtrace entries in @stack_entries + * @stack_entries: stack of backtrace history + */ +@@ -76,7 +77,8 @@ struct dma_debug_entry { + int sg_call_ents; + int sg_mapped_ents; + phys_addr_t paddr; +- enum map_err_types map_err_type; ++ enum map_err_types map_err_type; ++ bool is_cache_clean; + #ifdef CONFIG_STACKTRACE + unsigned int stack_len; + unsigned long stack_entries[DMA_DEBUG_STACKTRACE_ENTRIES]; +@@ -472,12 +474,15 @@ static int active_cacheline_dec_overlap(phys_addr_t cln) + return active_cacheline_set_overlap(cln, --overlap); + } + +-static int active_cacheline_insert(struct dma_debug_entry *entry) ++static int active_cacheline_insert(struct dma_debug_entry *entry, ++ bool *overlap_cache_clean) + { + phys_addr_t cln = to_cacheline_number(entry); + unsigned long flags; + int rc; + ++ *overlap_cache_clean = false; ++ + /* If the device is not writing memory then we don't have any + * concerns about the cpu consuming stale data. This mitigates + * legitimate usages of overlapping mappings. +@@ -487,8 +492,16 @@ static int active_cacheline_insert(struct dma_debug_entry *entry) + + spin_lock_irqsave(&radix_lock, flags); + rc = radix_tree_insert(&dma_active_cacheline, cln, entry); +- if (rc == -EEXIST) ++ if (rc == -EEXIST) { ++ struct dma_debug_entry *existing; ++ + active_cacheline_inc_overlap(cln); ++ existing = radix_tree_lookup(&dma_active_cacheline, cln); ++ /* A lookup failure here after we got -EEXIST is unexpected. */ ++ WARN_ON(!existing); ++ if (existing) ++ *overlap_cache_clean = existing->is_cache_clean; ++ } + spin_unlock_irqrestore(&radix_lock, flags); + + return rc; +@@ -583,20 +596,24 @@ DEFINE_SHOW_ATTRIBUTE(dump); + */ + static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs) + { ++ bool overlap_cache_clean; + struct hash_bucket *bucket; + unsigned long flags; + int rc; + ++ entry->is_cache_clean = !!(attrs & DMA_ATTR_CPU_CACHE_CLEAN); ++ + bucket = get_hash_bucket(entry, &flags); + hash_bucket_add(bucket, entry); + put_hash_bucket(bucket, flags); + +- rc = active_cacheline_insert(entry); ++ rc = active_cacheline_insert(entry, &overlap_cache_clean); + if (rc == -ENOMEM) { + pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n"); + global_disable = true; + } else if (rc == -EEXIST && +- !(attrs & (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_CPU_CACHE_CLEAN)) && ++ !(attrs & DMA_ATTR_SKIP_CPU_SYNC) && ++ !(entry->is_cache_clean && overlap_cache_clean) && + !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) && + is_swiotlb_active(entry->dev))) { + err_printk(entry->dev, entry, +-- +2.53.0 + diff --git a/queue-6.18/dma-mapping-add-dma_attr_cpu_cache_clean.patch b/queue-6.18/dma-mapping-add-dma_attr_cpu_cache_clean.patch new file mode 100644 index 0000000000..6fe3e72737 --- /dev/null +++ b/queue-6.18/dma-mapping-add-dma_attr_cpu_cache_clean.patch @@ -0,0 +1,65 @@ +From 74bb2d846875e2b9dcafe45e8a3b68cee4136ee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 07:28:43 -0500 +Subject: dma-mapping: add DMA_ATTR_CPU_CACHE_CLEAN + +From: Michael S. Tsirkin + +[ Upstream commit 61868dc55a119a5e4b912d458fc2c48ba80a35fe ] + +When multiple small DMA_FROM_DEVICE or DMA_BIDIRECTIONAL buffers share a +cacheline, and DMA_API_DEBUG is enabled, we get this warning: + cacheline tracking EEXIST, overlapping mappings aren't supported. + +This is because when one of the mappings is removed, while another one +is active, CPU might write into the buffer. + +Add an attribute for the driver to promise not to do this, making the +overlapping safe, and suppressing the warning. + +Message-ID: <2d5d091f9d84b68ea96abd545b365dd1d00bbf48.1767601130.git.mst@redhat.com> +Reviewed-by: Petr Tesarik +Acked-by: Marek Szyprowski +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: 3d48c9fd78dd ("dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement") +Signed-off-by: Sasha Levin +--- + include/linux/dma-mapping.h | 7 +++++++ + kernel/dma/debug.c | 3 ++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h +index 190eab9f5e8c2..3e63046b899bc 100644 +--- a/include/linux/dma-mapping.h ++++ b/include/linux/dma-mapping.h +@@ -78,6 +78,13 @@ + */ + #define DMA_ATTR_MMIO (1UL << 10) + ++/* ++ * DMA_ATTR_CPU_CACHE_CLEAN: Indicates the CPU will not dirty any cacheline ++ * overlapping this buffer while it is mapped for DMA. All mappings sharing ++ * a cacheline must have this attribute for this to be considered safe. ++ */ ++#define DMA_ATTR_CPU_CACHE_CLEAN (1UL << 11) ++ + /* + * A dma_addr_t can hold any valid DMA or bus address for the platform. It can + * be given to a device to use as a DMA source or target. It is specific to a +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 138ede653de40..7e66d863d573f 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -595,7 +595,8 @@ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs) + if (rc == -ENOMEM) { + pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n"); + global_disable = true; +- } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC) && ++ } else if (rc == -EEXIST && ++ !(attrs & (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_CPU_CACHE_CLEAN)) && + !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) && + is_swiotlb_active(entry->dev))) { + err_printk(entry->dev, entry, +-- +2.53.0 + diff --git a/queue-6.18/dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch b/queue-6.18/dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch new file mode 100644 index 0000000000..34165e58f7 --- /dev/null +++ b/queue-6.18/dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch @@ -0,0 +1,92 @@ +From a1c936ee5c8b5f3518acea807d8468a81b996d5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:34:27 -0800 +Subject: dmaengine: idxd: Fix lockdep warnings when calling + idxd_device_config() + +From: Vinicius Costa Gomes + +[ Upstream commit caf91cdf2de8b7134749d32cd4ae5520b108abb7 ] + +Move the check for IDXD_FLAG_CONFIGURABLE and the locking to "inside" +idxd_device_config(), as this is common to all callers, and the one +that wasn't holding the lock was an error (that was causing the +lockdep warning). + +Suggested-by: Dave Jiang +Reviewed-by: Dave Jiang +Signed-off-by: Vinicius Costa Gomes +Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-1-7ed70658a9d1@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 17 +++++++---------- + drivers/dma/idxd/init.c | 10 ++++------ + 2 files changed, 11 insertions(+), 16 deletions(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index 646d7f767afa3..746d9edbba164 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -1106,7 +1106,11 @@ int idxd_device_config(struct idxd_device *idxd) + { + int rc; + +- lockdep_assert_held(&idxd->dev_lock); ++ guard(spinlock)(&idxd->dev_lock); ++ ++ if (!test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) ++ return 0; ++ + rc = idxd_wqs_setup(idxd); + if (rc < 0) + return rc; +@@ -1433,11 +1437,7 @@ int idxd_drv_enable_wq(struct idxd_wq *wq) + } + } + +- rc = 0; +- spin_lock(&idxd->dev_lock); +- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) +- rc = idxd_device_config(idxd); +- spin_unlock(&idxd->dev_lock); ++ rc = idxd_device_config(idxd); + if (rc < 0) { + dev_dbg(dev, "Writing wq %d config failed: %d\n", wq->id, rc); + goto err; +@@ -1532,10 +1532,7 @@ int idxd_device_drv_probe(struct idxd_dev *idxd_dev) + } + + /* Device configuration */ +- spin_lock(&idxd->dev_lock); +- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) +- rc = idxd_device_config(idxd); +- spin_unlock(&idxd->dev_lock); ++ rc = idxd_device_config(idxd); + if (rc < 0) + return -ENXIO; + +diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c +index f2b37c63a964c..afba88f9c3e43 100644 +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -1094,12 +1094,10 @@ static void idxd_reset_done(struct pci_dev *pdev) + idxd_device_config_restore(idxd, idxd->idxd_saved); + + /* Re-configure IDXD device if allowed. */ +- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) { +- rc = idxd_device_config(idxd); +- if (rc < 0) { +- dev_err(dev, "HALT: %s config fails\n", idxd_name); +- goto out; +- } ++ rc = idxd_device_config(idxd); ++ if (rc < 0) { ++ dev_err(dev, "HALT: %s config fails\n", idxd_name); ++ goto out; + } + + /* Bind IDXD device to driver. */ +-- +2.53.0 + diff --git a/queue-6.18/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch b/queue-6.18/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch new file mode 100644 index 0000000000..fa30fab3a0 --- /dev/null +++ b/queue-6.18/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch @@ -0,0 +1,69 @@ +From dcd9a3b712c68c132d4b915d72e6a585017f0b21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 09:58:36 +0530 +Subject: drm/amdgpu: Handle GPU page faults correctly on non-4K page systems +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Donet Tom + +[ Upstream commit 4e9597f22a3cb8600c72fc266eaac57981d834c8 ] + +During a GPU page fault, the driver restores the SVM range and then maps it +into the GPU page tables. The current implementation passes a GPU-page-size +(4K-based) PFN to svm_range_restore_pages() to restore the range. + +SVM ranges are tracked using system-page-size PFNs. On systems where the +system page size is larger than 4K, using GPU-page-size PFNs to restore the +range causes two problems: + +Range lookup fails: +Because the restore function receives PFNs in GPU (4K) units, the SVM +range lookup does not find the existing range. This will result in a +duplicate SVM range being created. + +VMA lookup failure: +The restore function also tries to locate the VMA for the faulting address. +It converts the GPU-page-size PFN into an address using the system page +size, which results in an incorrect address on non-4K page-size systems. +As a result, the VMA lookup fails with the message: "address 0xxxx VMA is +removed". + +This patch passes the system-page-size PFN to svm_range_restore_pages() so +that the SVM range is restored correctly on non-4K page systems. + +Acked-by: Christian König +Signed-off-by: Donet Tom +Signed-off-by: Alex Deucher +(cherry picked from commit 074fe395fb13247b057f60004c7ebcca9f38ef46) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index f2e00f408156c..69080e3734891 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -2960,14 +2960,14 @@ bool amdgpu_vm_handle_fault(struct amdgpu_device *adev, u32 pasid, + if (!root) + return false; + +- addr /= AMDGPU_GPU_PAGE_SIZE; +- + if (is_compute_context && !svm_range_restore_pages(adev, pasid, vmid, +- node_id, addr, ts, write_fault)) { ++ node_id, addr >> PAGE_SHIFT, ts, write_fault)) { + amdgpu_bo_unref(&root); + return true; + } + ++ addr /= AMDGPU_GPU_PAGE_SIZE; ++ + r = amdgpu_bo_reserve(root, true); + if (r) + goto error_unref; +-- +2.53.0 + diff --git a/queue-6.18/drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch b/queue-6.18/drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch new file mode 100644 index 0000000000..cfb0af99e2 --- /dev/null +++ b/queue-6.18/drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch @@ -0,0 +1,77 @@ +From 817481b1f6844dbe154d5c1f9a47efa5f1d62e0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 09:58:39 +0530 +Subject: drm/amdkfd: Fix queue preemption/eviction failures by aligning + control stack size to GPU page size + +From: Donet Tom + +[ Upstream commit 78746a474e92fc7aaed12219bec7c78ae1bd6156 ] + +The control stack size is calculated based on the number of CUs and +waves, and is then aligned to PAGE_SIZE. When the resulting control +stack size is aligned to 64 KB, GPU hangs and queue preemption +failures are observed while running RCCL unit tests on systems with +more than two GPUs. + +amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with +doorbell_id: 80030008 +amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues +amdgpu 0048:0f:00.0: amdgpu: GPU reset begin!. Source: 4 +amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with +doorbell_id: 80030008 +amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues +amdgpu 0048:0f:00.0: amdgpu: Failed to restore process queues + +This issue is observed on both 4 KB and 64 KB system page-size +configurations. + +This patch fixes the issue by aligning the control stack size to +AMDGPU_GPU_PAGE_SIZE instead of PAGE_SIZE, so the control stack size +will not be 64 KB on systems with a 64 KB page size and queue +preemption works correctly. + +Additionally, In the current code, wg_data_size is aligned to PAGE_SIZE, +which can waste memory if the system page size is large. In this patch, +wg_data_size is aligned to AMDGPU_GPU_PAGE_SIZE. The cwsr_size, calculated +from wg_data_size and the control stack size, is aligned to PAGE_SIZE. + +Reviewed-by: Felix Kuehling +Signed-off-by: Donet Tom +Signed-off-by: Alex Deucher +(cherry picked from commit a3e14436304392fbada359edd0f1d1659850c9b7) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c +index 2822c90bd7be4..b97f4a51db6e3 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c +@@ -444,10 +444,11 @@ void kfd_queue_ctx_save_restore_size(struct kfd_topology_device *dev) + min(cu_num * 40, props->array_count / props->simd_arrays_per_engine * 512) + : cu_num * 32; + +- wg_data_size = ALIGN(cu_num * WG_CONTEXT_DATA_SIZE_PER_CU(gfxv, props), PAGE_SIZE); ++ wg_data_size = ALIGN(cu_num * WG_CONTEXT_DATA_SIZE_PER_CU(gfxv, props), ++ AMDGPU_GPU_PAGE_SIZE); + ctl_stack_size = wave_num * CNTL_STACK_BYTES_PER_WAVE(gfxv) + 8; + ctl_stack_size = ALIGN(SIZEOF_HSA_USER_CONTEXT_SAVE_AREA_HEADER + ctl_stack_size, +- PAGE_SIZE); ++ AMDGPU_GPU_PAGE_SIZE); + + if ((gfxv / 10000 * 10000) == 100000) { + /* HW design limits control stack size to 0x7000. +@@ -459,7 +460,7 @@ void kfd_queue_ctx_save_restore_size(struct kfd_topology_device *dev) + + props->ctl_stack_size = ctl_stack_size; + props->debug_memory_size = ALIGN(wave_num * DEBUGGER_BYTES_PER_WAVE, DEBUGGER_BYTES_ALIGN); +- props->cwsr_size = ctl_stack_size + wg_data_size; ++ props->cwsr_size = ALIGN(ctl_stack_size + wg_data_size, PAGE_SIZE); + + if (gfxv == 80002) /* GFX_VERSION_TONGA */ + props->eop_buffer_size = 0x8000; +-- +2.53.0 + diff --git a/queue-6.18/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch b/queue-6.18/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch new file mode 100644 index 0000000000..0d13e9aadd --- /dev/null +++ b/queue-6.18/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch @@ -0,0 +1,74 @@ +From 49126120cf4942cb01fff5b4c7d9dab1b0e40efe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:45 -0300 +Subject: drm/vc4: Fix a memory leak in hang state error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ] + +When vc4_save_hang_state() encounters an early return condition, it +returns without freeing the previously allocated `kernel_state`, +leaking memory. + +Add the missing kfree() calls by consolidating the early return paths +into a single place. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 6238630e46793..6887631f2d8be 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -170,10 +170,8 @@ vc4_save_hang_state(struct drm_device *dev) + spin_lock_irqsave(&vc4->job_lock, irqflags); + exec[0] = vc4_first_bin_job(vc4); + exec[1] = vc4_first_render_job(vc4); +- if (!exec[0] && !exec[1]) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!exec[0] && !exec[1]) ++ goto err_free_state; + + /* Get the bos from both binner and renderer into hang state. */ + state->bo_count = 0; +@@ -190,10 +188,8 @@ vc4_save_hang_state(struct drm_device *dev) + kernel_state->bo = kcalloc(state->bo_count, + sizeof(*kernel_state->bo), GFP_ATOMIC); + +- if (!kernel_state->bo) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!kernel_state->bo) ++ goto err_free_state; + + k = 0; + for (i = 0; i < 2; i++) { +@@ -285,6 +281,12 @@ vc4_save_hang_state(struct drm_device *dev) + vc4->hang_state = kernel_state; + spin_unlock_irqrestore(&vc4->job_lock, irqflags); + } ++ ++ return; ++ ++err_free_state: ++ spin_unlock_irqrestore(&vc4->job_lock, irqflags); ++ kfree(kernel_state); + } + + static void +-- +2.53.0 + diff --git a/queue-6.18/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch b/queue-6.18/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch new file mode 100644 index 0000000000..7532a7bef9 --- /dev/null +++ b/queue-6.18/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch @@ -0,0 +1,40 @@ +From a66901f5a898555c3ae9abf82cdcfc389b211fd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:44 -0300 +Subject: drm/vc4: Fix memory leak of BO array in hang state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ] + +The hang state's BO array is allocated separately with kzalloc() in +vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the +missing kfree() for the BO array before freeing the hang state struct. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 255e5817618e3..6238630e46793 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -61,6 +61,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state) + for (i = 0; i < state->user_state.bo_count; i++) + drm_gem_object_put(state->bo[i]); + ++ kfree(state->bo); + kfree(state); + } + +-- +2.53.0 + diff --git a/queue-6.18/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch b/queue-6.18/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch new file mode 100644 index 0000000000..5e8590268e --- /dev/null +++ b/queue-6.18/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch @@ -0,0 +1,48 @@ +From 62c9e80de5fefcf8811368f918a54532712cfbf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:46 -0300 +Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ] + +The mmap callback reads bo->madv without holding madv_lock, racing with +concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under +the same lock. Add the missing locking to prevent the data race. + +Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_bo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c +index 4aaa587be3a5e..a1efda9c39f92 100644 +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct + return -EINVAL; + } + ++ mutex_lock(&bo->madv_lock); + if (bo->madv != VC4_MADV_WILLNEED) { + DRM_DEBUG("mmapping of %s BO not allowed\n", + bo->madv == VC4_MADV_DONTNEED ? + "purgeable" : "purged"); ++ mutex_unlock(&bo->madv_lock); + return -EINVAL; + } ++ mutex_unlock(&bo->madv_lock); + + return drm_gem_dma_mmap(&bo->base, vma); + } +-- +2.53.0 + diff --git a/queue-6.18/drm-vc4-release-runtime-pm-reference-after-binding-v.patch b/queue-6.18/drm-vc4-release-runtime-pm-reference-after-binding-v.patch new file mode 100644 index 0000000000..b5cb30f22f --- /dev/null +++ b/queue-6.18/drm-vc4-release-runtime-pm-reference-after-binding-v.patch @@ -0,0 +1,46 @@ +From 649bf7adec8fe0c3131ac4c9739bfb4206468c28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:43 -0300 +Subject: drm/vc4: Release runtime PM reference after binding V3D +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ] + +The vc4_v3d_bind() function acquires a runtime PM reference via +pm_runtime_resume_and_get() to access V3D registers during setup. +However, this reference is never released after a successful bind. +This prevents the device from ever runtime suspending, since the +reference count never reaches zero. + +Release the runtime PM reference by adding pm_runtime_put_autosuspend() +after autosuspend is configured, allowing the device to runtime suspend +after the delay. + +Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_v3d.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c +index bb09df5000bda..e470412851cc8 100644 +--- a/drivers/gpu/drm/vc4/vc4_v3d.c ++++ b/drivers/gpu/drm/vc4/vc4_v3d.c +@@ -479,6 +479,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data) + + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */ ++ pm_runtime_put_autosuspend(dev); + + return 0; + +-- +2.53.0 + diff --git a/queue-6.18/drm-xe-fix-bug-in-idledly-unit-conversion.patch b/queue-6.18/drm-xe-fix-bug-in-idledly-unit-conversion.patch new file mode 100644 index 0000000000..c75b560169 --- /dev/null +++ b/queue-6.18/drm-xe-fix-bug-in-idledly-unit-conversion.patch @@ -0,0 +1,41 @@ +From e95fa168d91d6a3eb85e407fdc4be4398ce88255 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 18:27:10 -0700 +Subject: drm/xe: Fix bug in idledly unit conversion + +From: Vinay Belgaumkar + +[ Upstream commit 7596459f3c93d8d45a1bf12d4d7526b50c15baa2 ] + +We only need to convert to picosecond units before writing to RING_IDLEDLY. + +Fixes: 7c53ff050ba8 ("drm/xe: Apply Wa_16023105232") +Cc: Tangudu Tilak Tirumalesh +Acked-by: Tangudu Tilak Tirumalesh +Signed-off-by: Vinay Belgaumkar +Link: https://patch.msgid.link/20260401012710.4165547-1-vinay.belgaumkar@intel.com +(cherry picked from commit 13743bd628bc9d9a0e2fe53488b2891aedf7cc74) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_hw_engine.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_hw_engine.c b/drivers/gpu/drm/xe/xe_hw_engine.c +index 1cf623b4a5bcc..d8f16e25b817d 100644 +--- a/drivers/gpu/drm/xe/xe_hw_engine.c ++++ b/drivers/gpu/drm/xe/xe_hw_engine.c +@@ -587,9 +587,8 @@ static void adjust_idledly(struct xe_hw_engine *hwe) + maxcnt *= maxcnt_units_ns; + + if (xe_gt_WARN_ON(gt, idledly >= maxcnt || inhibit_switch)) { +- idledly = DIV_ROUND_CLOSEST(((maxcnt - 1) * maxcnt_units_ns), ++ idledly = DIV_ROUND_CLOSEST(((maxcnt - 1) * 1000), + idledly_units_ps); +- idledly = DIV_ROUND_CLOSEST(idledly, 1000); + xe_mmio_write32(>->mmio, RING_IDLEDLY(hwe->mmio_base), idledly); + } + } +-- +2.53.0 + diff --git a/queue-6.18/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch b/queue-6.18/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch new file mode 100644 index 0000000000..bf9b55fa40 --- /dev/null +++ b/queue-6.18/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch @@ -0,0 +1,59 @@ +From 5c43566c87068194b6194a6de35bee6b742022fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:40 +0100 +Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock + +From: Jon Hunter + +[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ] + +The PTP clock for the Tegra234 MGBE device is incorrectly named +'ptp-ref' and should be 'ptp_ref'. This is causing the following +warning to be observed on Tegra234 platforms that use this device: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +Although this constitutes an ABI breakage in the binding for this +device, PTP support has clearly never worked and so fix this now +so we can correct the device-tree for this device. Note that the +MGBE driver still supports the legacy 'ptp-ref' clock name and so +older/existing device-trees will still work, but given that this +is not the correct name, there is no point to advertise this in the +binding. + +Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE") +Signed-off-by: Jon Hunter +Reviewed-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +index 2bd3efff2485e..215f14d1897d2 100644 +--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml ++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +@@ -42,7 +42,7 @@ properties: + - const: mgbe + - const: mac + - const: mac-divider +- - const: ptp-ref ++ - const: ptp_ref + - const: rx-input-m + - const: rx-input + - const: tx +@@ -133,7 +133,7 @@ examples: + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>, + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>, + <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>; +- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m", ++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m", + "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m", + "rx-pcs", "tx-pcs"; + resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>, +-- +2.53.0 + diff --git a/queue-6.18/e1000-check-return-value-of-e1000_read_eeprom.patch b/queue-6.18/e1000-check-return-value-of-e1000_read_eeprom.patch new file mode 100644 index 0000000000..49bd83a710 --- /dev/null +++ b/queue-6.18/e1000-check-return-value-of-e1000_read_eeprom.patch @@ -0,0 +1,70 @@ +From dac8de542335da59fbbb53e384d27515183b6f7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 15:05:05 +0300 +Subject: e1000: check return value of e1000_read_eeprom + +From: Agalakov Daniil + +[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ] + +[Why] +e1000_set_eeprom() performs a read-modify-write operation when the write +range is not word-aligned. This requires reading the first and last words +of the range from the EEPROM to preserve the unmodified bytes. + +However, the code does not check the return value of e1000_read_eeprom(). +If the read fails, the operation continues using uninitialized data from +eeprom_buff. This results in corrupted data being written back to the +EEPROM for the boundary words. + +Add the missing error checks and abort the operation if reading fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Iskhakov Daniil +Signed-off-by: Iskhakov Daniil +Signed-off-by: Agalakov Daniil +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index 726365c567ef3..75d0bfa7530b4 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev, + */ + ret_val = e1000_read_eeprom(hw, first_word, 1, + &eeprom_buff[0]); ++ if (ret_val) ++ goto out; ++ + ptr++; + } +- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) { ++ if ((eeprom->offset + eeprom->len) & 1) { + /* need read/modify/write of last changed EEPROM word + * only the first byte of the word is being modified + */ + ret_val = e1000_read_eeprom(hw, last_word, 1, + &eeprom_buff[last_word - first_word]); ++ if (ret_val) ++ goto out; + } + + /* Device's eeprom is always little-endian, word addressable */ +@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev, + if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG)) + e1000_update_eeprom_checksum(hw); + ++out: + kfree(eeprom_buff); + return ret_val; + } +-- +2.53.0 + diff --git a/queue-6.18/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch b/queue-6.18/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch new file mode 100644 index 0000000000..497f551ae4 --- /dev/null +++ b/queue-6.18/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch @@ -0,0 +1,48 @@ +From 4c5e6901ccd81a18553e461c3d444a2b3c1e0f9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 15:25:32 +0200 +Subject: eventpoll: defer struct eventpoll free to RCU grace period + +From: Nicholas Carlini + +[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ] + +In certain situations, ep_free() in eventpoll.c will kfree the epi->ep +eventpoll struct while it still being used by another concurrent thread. +Defer the kfree() to an RCU callback to prevent UAF. + +Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") +Signed-off-by: Nicholas Carlini +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index bcc7dcbefc419..a8e30414d996c 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -226,6 +226,9 @@ struct eventpoll { + */ + refcount_t refcount; + ++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */ ++ struct rcu_head rcu; ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + /* used to track busy poll napi_id */ + unsigned int napi_id; +@@ -819,7 +822,8 @@ static void ep_free(struct eventpoll *ep) + mutex_destroy(&ep->mtx); + free_uid(ep->user); + wakeup_source_unregister(ep->ws); +- kfree(ep); ++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */ ++ kfree_rcu(ep, rcu); + } + + /* +-- +2.53.0 + diff --git a/queue-6.18/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch b/queue-6.18/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch new file mode 100644 index 0000000000..3fc821ae54 --- /dev/null +++ b/queue-6.18/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch @@ -0,0 +1,47 @@ +From 682b8078d32c929836669424d62155d4255fe583 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 13:11:27 -0700 +Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath + +From: Fredric Cover + +[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ] + +When cifs_sanitize_prepath is called with an empty string or a string +containing only delimiters (e.g., "/"), the current logic attempts to +check *(cursor2 - 1) before cursor2 has advanced. This results in an +out-of-bounds read. + +This patch adds an early exit check after stripping prepended +delimiters. If no path content remains, the function returns NULL. + +The bug was identified via manual audit and verified using a +standalone test case compiled with AddressSanitizer, which +triggered a SEGV on affected inputs. + +Signed-off-by: Fredric Cover +Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index be82acacc41d6..f207c7cef0467 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -589,6 +589,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp) + while (IS_DELIM(*cursor1)) + cursor1++; + ++ /* exit in case of only delimiters */ ++ if (!*cursor1) ++ return NULL; ++ + /* copy the first letter */ + *cursor2 = *cursor1; + +-- +2.53.0 + diff --git a/queue-6.18/gpio-tegra-fix-irq_release_resources-calling-enable-.patch b/queue-6.18/gpio-tegra-fix-irq_release_resources-calling-enable-.patch new file mode 100644 index 0000000000..d621f85f48 --- /dev/null +++ b/queue-6.18/gpio-tegra-fix-irq_release_resources-calling-enable-.patch @@ -0,0 +1,41 @@ +From 3bed58f496cfd4a5c319f8efe50f95701c8770be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 14:02:47 -0700 +Subject: gpio: tegra: fix irq_release_resources calling enable instead of + disable + +From: Samasth Norway Ananda + +[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ] + +tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable() +instead of tegra_gpio_disable(). When IRQ resources are released, the +GPIO configuration bit (CNF) should be cleared to deconfigure the pin as +a GPIO. Leaving it enabled wastes power and can cause unexpected behavior +if the pin is later reused for an alternate function via pinctrl. + +Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip") +Signed-off-by: Samasth Norway Ananda +Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c +index 15a5762a82c25..b14052fe64ac6 100644 +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -595,7 +595,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d) + struct tegra_gpio_info *tgi = gpiochip_get_data(chip); + + gpiochip_relres_irq(chip, d->hwirq); +- tegra_gpio_enable(tgi, d->hwirq); ++ tegra_gpio_disable(tgi, d->hwirq); + } + + static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s) +-- +2.53.0 + diff --git a/queue-6.18/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch b/queue-6.18/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch new file mode 100644 index 0000000000..2c4caee2cb --- /dev/null +++ b/queue-6.18/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch @@ -0,0 +1,46 @@ +From 57b0ce35d582d6184dbcb5e1ce7e271297f4dbb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 09:25:22 +0100 +Subject: HID: amd_sfh: don't log error when device discovery fails with + -EOPNOTSUPP + +From: Maximilian Pezzullo + +[ Upstream commit 743677a8cb30b09f16a7f167f497c2c927891b5a ] + +When sensor discovery fails on systems without AMD SFH sensors, the +code already emits a warning via dev_warn() in amd_sfh_hid_client_init(). +The subsequent dev_err() in sfh_init_work() for the same -EOPNOTSUPP +return value is redundant and causes unnecessary alarm. + +Suppress the dev_err() for -EOPNOTSUPP to avoid confusing users who +have no AMD SFH sensors. + +Fixes: 2105e8e00da4 ("HID: amd_sfh: Improve boot time when SFH is available") +Reported-by: Casey Croy +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221099 +Signed-off-by: Maximilian Pezzullo +Acked-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c +index 1d9f955573aa4..4b81cebdc3359 100644 +--- a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c ++++ b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c +@@ -413,7 +413,8 @@ static void sfh_init_work(struct work_struct *work) + rc = amd_sfh_hid_client_init(mp2); + if (rc) { + amd_sfh_clear_intr(mp2); +- dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc); ++ if (rc != -EOPNOTSUPP) ++ dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc); + return; + } + +-- +2.53.0 + diff --git a/queue-6.18/hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch b/queue-6.18/hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch new file mode 100644 index 0000000000..f96c861adb --- /dev/null +++ b/queue-6.18/hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch @@ -0,0 +1,59 @@ +From b5f6a57342ecd64ffd1f10fa18ab26cf6d646956 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 13:56:29 +0800 +Subject: HID: Intel-thc-hid: Intel-quickspi: Add NVL Device IDs + +From: Even Xu + +[ Upstream commit 48e91af0cbe942d50ef6257d850accdca1d01378 ] + +Add Nova Lake THC QuickSPI device IDs to support list. + +Signed-off-by: Even Xu +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c | 6 ++++++ + drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c +index 14cabd5dc6ddb..f0830a56d556b 100644 +--- a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c ++++ b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c +@@ -37,6 +37,10 @@ struct quickspi_driver_data arl = { + .max_packet_size_value = MAX_PACKET_SIZE_VALUE_MTL, + }; + ++struct quickspi_driver_data nvl = { ++ .max_packet_size_value = MAX_PACKET_SIZE_VALUE_LNL, ++}; ++ + /* THC QuickSPI ACPI method to get device properties */ + /* HIDSPI Method: {6e2ac436-0fcf-41af-a265-b32a220dcfab} */ + static guid_t hidspi_guid = +@@ -984,6 +988,8 @@ static const struct pci_device_id quickspi_pci_tbl[] = { + {PCI_DEVICE_DATA(INTEL, THC_WCL_DEVICE_ID_SPI_PORT2, &ptl), }, + {PCI_DEVICE_DATA(INTEL, THC_ARL_DEVICE_ID_SPI_PORT1, &arl), }, + {PCI_DEVICE_DATA(INTEL, THC_ARL_DEVICE_ID_SPI_PORT2, &arl), }, ++ {PCI_DEVICE_DATA(INTEL, THC_NVL_H_DEVICE_ID_SPI_PORT1, &nvl), }, ++ {PCI_DEVICE_DATA(INTEL, THC_NVL_H_DEVICE_ID_SPI_PORT2, &nvl), }, + {} + }; + MODULE_DEVICE_TABLE(pci, quickspi_pci_tbl); +diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h b/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h +index c30e1a42eb098..bf5e18f5a5f42 100644 +--- a/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h ++++ b/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h +@@ -23,6 +23,8 @@ + #define PCI_DEVICE_ID_INTEL_THC_WCL_DEVICE_ID_SPI_PORT2 0x4D4B + #define PCI_DEVICE_ID_INTEL_THC_ARL_DEVICE_ID_SPI_PORT1 0x7749 + #define PCI_DEVICE_ID_INTEL_THC_ARL_DEVICE_ID_SPI_PORT2 0x774B ++#define PCI_DEVICE_ID_INTEL_THC_NVL_H_DEVICE_ID_SPI_PORT1 0xD349 ++#define PCI_DEVICE_ID_INTEL_THC_NVL_H_DEVICE_ID_SPI_PORT2 0xD34B + + /* HIDSPI special ACPI parameters DSM methods */ + #define ACPI_QUICKSPI_REVISION_NUM 2 +-- +2.53.0 + diff --git a/queue-6.18/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch b/queue-6.18/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch new file mode 100644 index 0000000000..2c998324cf --- /dev/null +++ b/queue-6.18/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch @@ -0,0 +1,52 @@ +From 1bbca9c339985242e26bd1835f49e306c75df4de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 13:36:59 -0500 +Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 + +From: leo vriska + +[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ] + +According to a mailing list report [1], this controller's predecessor +has the same issue. However, it uses the xpad driver instead of HID, so +this quirk wouldn't apply. + +[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/ + +Signed-off-by: leo vriska +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index d9d354f1b8847..a245928933454 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -22,6 +22,9 @@ + #define USB_DEVICE_ID_3M2256 0x0502 + #define USB_DEVICE_ID_3M3266 0x0506 + ++#define USB_VENDOR_ID_8BITDO 0x2dc8 ++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009 ++ + #define USB_VENDOR_ID_A4TECH 0x09da + #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006 + #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 3217e436c052c..f6be3ffee0232 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -25,6 +25,7 @@ + */ + + static const struct hid_device_id hid_quirks[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, +-- +2.53.0 + diff --git a/queue-6.18/hid-roccat-fix-use-after-free-in-roccat_report_event.patch b/queue-6.18/hid-roccat-fix-use-after-free-in-roccat_report_event.patch new file mode 100644 index 0000000000..1d2b35eab7 --- /dev/null +++ b/queue-6.18/hid-roccat-fix-use-after-free-in-roccat_report_event.patch @@ -0,0 +1,50 @@ +From 45beeb7b08a18ed28f0cb24ffb93c61ca414418f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:11:07 +0000 +Subject: HID: roccat: fix use-after-free in roccat_report_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ] + +roccat_report_event() iterates over the device->readers list without +holding the readers_lock. This allows a concurrent roccat_release() to +remove and free a reader while it's still being accessed, leading to a +use-after-free. + +Protect the readers list traversal with the readers_lock mutex. + +Signed-off-by: Benoît Sevens +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index c7f7562e22e56..e413662f75082 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->readers_lock); + mutex_lock(&device->cbuf_lock); + + report = &device->cbuf[device->cbuf_end]; +@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data) + } + + mutex_unlock(&device->cbuf_lock); ++ mutex_unlock(&device->readers_lock); + + wake_up_interruptible(&device->wait); + return 0; +-- +2.53.0 + diff --git a/queue-6.18/ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch b/queue-6.18/ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch new file mode 100644 index 0000000000..d893676b65 --- /dev/null +++ b/queue-6.18/ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch @@ -0,0 +1,48 @@ +From 4f63f6f4d88c80916e43964b4ed3cbc12ed948b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Feb 2026 14:14:00 +0000 +Subject: ice: ptp: don't WARN when controlling PF is unavailable + +From: Kohei Enju + +[ Upstream commit bb3f21edc7056cdf44a7f7bd7ba65af40741838c ] + +In VFIO passthrough setups, it is possible to pass through only a PF +which doesn't own the source timer. In that case the PTP controlling PF +(adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp() +returns NULL and triggers WARN_ON() in ice_ptp_setup_pf(). + +Since this is an expected behavior in that configuration, replace +WARN_ON() with an informational message and return -EOPNOTSUPP. + +Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev") +Signed-off-by: Kohei Enju +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index df38345b12d72..02517772fb5f4 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -3041,7 +3041,13 @@ static int ice_ptp_setup_pf(struct ice_pf *pf) + struct ice_ptp *ctrl_ptp = ice_get_ctrl_ptp(pf); + struct ice_ptp *ptp = &pf->ptp; + +- if (WARN_ON(!ctrl_ptp) || pf->hw.mac_type == ICE_MAC_UNKNOWN) ++ if (!ctrl_ptp) { ++ dev_info(ice_pf_to_dev(pf), ++ "PTP unavailable: no controlling PF\n"); ++ return -EOPNOTSUPP; ++ } ++ ++ if (pf->hw.mac_type == ICE_MAC_UNKNOWN) + return -ENODEV; + + INIT_LIST_HEAD(&ptp->port.list_node); +-- +2.53.0 + diff --git a/queue-6.18/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch b/queue-6.18/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch new file mode 100644 index 0000000000..7875d5a1ae --- /dev/null +++ b/queue-6.18/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch @@ -0,0 +1,50 @@ +From c6f79824b3dbb49f6009d721362db6cdf9a39826 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 15:04:19 +0800 +Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() + +From: Yiqi Sun + +[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ] + +ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the +IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing +this error pointer to dev_hold() will cause a kernel crash with +null-ptr-deref. + +Instead, silently discard the request. RFC 8335 does not appear to +define a specific response for the case where an IPv6 interface +identifier is syntactically valid but the implementation cannot perform +the lookup at runtime, and silently dropping the request may safer than +misreporting "No Such Interface". + +Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") +Signed-off-by: Yiqi Sun +Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index b39176b620785..980aa17f3534d 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -1145,6 +1145,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr) + if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr)) + goto send_mal_query; + dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev); ++ /* ++ * If IPv6 identifier lookup is unavailable, silently ++ * discard the request instead of misreporting NO_IF. ++ */ ++ if (IS_ERR(dev)) ++ return false; ++ + dev_hold(dev); + break; + #endif +-- +2.53.0 + diff --git a/queue-6.18/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch b/queue-6.18/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch new file mode 100644 index 0000000000..b430989890 --- /dev/null +++ b/queue-6.18/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch @@ -0,0 +1,147 @@ +From 7a05584d016359e566d12d5090132ec0ee005762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 09:26:13 +0200 +Subject: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop() + +From: Fernando Fernandez Mancera + +[ Upstream commit 14cf0cd35361f4e94824bf8a42f72713d7702a73 ] + +When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently +allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for +single nexthops and small Equal-Cost Multi-Path groups, this fixed +allocation fails for large nexthop groups like 512 nexthops. + +This results in the following warning splat: + + WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608 + [...] + RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395) + [...] + Call Trace: + + rtnetlink_rcv_msg (net/core/rtnetlink.c:6989) + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585) + ___sys_sendmsg (net/socket.c:2641) + __sys_sendmsg (net/socket.c:2671) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + +Fix this by allocating the size dynamically using nh_nlmsg_size() and +using nlmsg_new(), this is consistent with nexthop_notify() behavior. In +addition, adjust nh_nlmsg_size_grp() so it calculates the size needed +based on flags passed. While at it, also add the size of NHA_FDB for +nexthop group size calculation as it was missing too. + +This cannot be reproduced via iproute2 as the group size is currently +limited and the command fails as follows: + +addattr_l ERROR: message exceeded bound of 1048 + +Fixes: 430a049190de ("nexthop: Add support for nexthop groups") +Reported-by: Yiming Qian +Closes: https://lore.kernel.org/netdev/CAL_bE8Li2h4KO+AQFXW4S6Yb_u5X4oSKnkywW+LPFjuErhqELA@mail.gmail.com/ +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Eric Dumazet +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260402072613.25262-2-fmancera@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/nexthop.c | 38 +++++++++++++++++++++++++++----------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c +index aa53a74ac2389..c958b8edfe540 100644 +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -1006,16 +1006,32 @@ static size_t nh_nlmsg_size_grp_res(struct nh_group *nhg) + nla_total_size_64bit(8);/* NHA_RES_GROUP_UNBALANCED_TIME */ + } + +-static size_t nh_nlmsg_size_grp(struct nexthop *nh) ++static size_t nh_nlmsg_size_grp(struct nexthop *nh, u32 op_flags) + { + struct nh_group *nhg = rtnl_dereference(nh->nh_grp); + size_t sz = sizeof(struct nexthop_grp) * nhg->num_nh; + size_t tot = nla_total_size(sz) + +- nla_total_size(2); /* NHA_GROUP_TYPE */ ++ nla_total_size(2) + /* NHA_GROUP_TYPE */ ++ nla_total_size(0); /* NHA_FDB */ + + if (nhg->resilient) + tot += nh_nlmsg_size_grp_res(nhg); + ++ if (op_flags & NHA_OP_FLAG_DUMP_STATS) { ++ tot += nla_total_size(0) + /* NHA_GROUP_STATS */ ++ nla_total_size(4); /* NHA_HW_STATS_ENABLE */ ++ tot += nhg->num_nh * ++ (nla_total_size(0) + /* NHA_GROUP_STATS_ENTRY */ ++ nla_total_size(4) + /* NHA_GROUP_STATS_ENTRY_ID */ ++ nla_total_size_64bit(8)); /* NHA_GROUP_STATS_ENTRY_PACKETS */ ++ ++ if (op_flags & NHA_OP_FLAG_DUMP_HW_STATS) { ++ tot += nhg->num_nh * ++ nla_total_size_64bit(8); /* NHA_GROUP_STATS_ENTRY_PACKETS_HW */ ++ tot += nla_total_size(4); /* NHA_HW_STATS_USED */ ++ } ++ } ++ + return tot; + } + +@@ -1050,14 +1066,14 @@ static size_t nh_nlmsg_size_single(struct nexthop *nh) + return sz; + } + +-static size_t nh_nlmsg_size(struct nexthop *nh) ++static size_t nh_nlmsg_size(struct nexthop *nh, u32 op_flags) + { + size_t sz = NLMSG_ALIGN(sizeof(struct nhmsg)); + + sz += nla_total_size(4); /* NHA_ID */ + + if (nh->is_group) +- sz += nh_nlmsg_size_grp(nh) + ++ sz += nh_nlmsg_size_grp(nh, op_flags) + + nla_total_size(4) + /* NHA_OP_FLAGS */ + 0; + else +@@ -1073,7 +1089,7 @@ static void nexthop_notify(int event, struct nexthop *nh, struct nl_info *info) + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(nh_nlmsg_size(nh), gfp_any()); ++ skb = nlmsg_new(nh_nlmsg_size(nh, 0), gfp_any()); + if (!skb) + goto errout; + +@@ -3379,15 +3395,15 @@ static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh, + if (err) + return err; + +- err = -ENOBUFS; +- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); +- if (!skb) +- goto out; +- + err = -ENOENT; + nh = nexthop_find_by_id(net, id); + if (!nh) +- goto errout_free; ++ goto out; ++ ++ err = -ENOBUFS; ++ skb = nlmsg_new(nh_nlmsg_size(nh, op_flags), GFP_KERNEL); ++ if (!skb) ++ goto out; + + err = nh_fill_node(skb, nh, RTM_NEWNEXTHOP, NETLINK_CB(in_skb).portid, + nlh->nlmsg_seq, 0, op_flags); +-- +2.53.0 + diff --git a/queue-6.18/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch b/queue-6.18/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch new file mode 100644 index 0000000000..886cc8cc30 --- /dev/null +++ b/queue-6.18/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch @@ -0,0 +1,43 @@ +From 168ce12028dca60686aeddcd8f04e623962d3713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 09:26:12 +0200 +Subject: ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group + dump + +From: Fernando Fernandez Mancera + +[ Upstream commit 06aaf04ca815f7a1f17762fd847b7bc14b8833fb ] + +Currently NHA_HW_STATS_ENABLE is included twice everytime a dump of +nexthop group is performed with NHA_OP_FLAG_DUMP_STATS. As all the stats +querying were moved to nla_put_nh_group_stats(), leave only that +instance of the attribute querying. + +Fixes: 5072ae00aea4 ("net: nexthop: Expose nexthop group HW stats to user space") +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Eric Dumazet +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260402072613.25262-1-fmancera@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/nexthop.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c +index 427c201175949..aa53a74ac2389 100644 +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -905,8 +905,7 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nexthop *nh, + goto nla_put_failure; + + if (op_flags & NHA_OP_FLAG_DUMP_STATS && +- (nla_put_u32(skb, NHA_HW_STATS_ENABLE, nhg->hw_stats) || +- nla_put_nh_group_stats(skb, nh, op_flags))) ++ nla_put_nh_group_stats(skb, nh, op_flags)) + goto nla_put_failure; + + return 0; +-- +2.53.0 + diff --git a/queue-6.18/ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch b/queue-6.18/ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch new file mode 100644 index 0000000000..eb6a1612c3 --- /dev/null +++ b/queue-6.18/ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch @@ -0,0 +1,120 @@ +From 7d76d2cb8f87b50808ae8c1ebda321ccd0f4ca71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:17:32 +0000 +Subject: ipv6: ioam: fix potential NULL dereferences in + __ioam6_fill_trace_data() + +From: Eric Dumazet + +[ Upstream commit 4e65a8b8daa18d63255ec58964dd192c7fdd9f8b ] + +We need to check __in6_dev_get() for possible NULL value, as +suggested by Yiming Qian. + +Also add skb_dst_dev_rcu() instead of skb_dst_dev(), +and two missing READ_ONCE(). + +Note that @dev can't be NULL. + +Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace") +Reported-by: Yiming Qian +Signed-off-by: Eric Dumazet +Reviewed-by: Justin Iurman +Link: https://patch.msgid.link/20260402101732.1188059-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ioam6.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/net/ipv6/ioam6.c b/net/ipv6/ioam6.c +index 8db7f965696aa..12350e1e18bde 100644 +--- a/net/ipv6/ioam6.c ++++ b/net/ipv6/ioam6.c +@@ -710,7 +710,9 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + struct ioam6_schema *sc, + unsigned int sclen, bool is_input) + { +- struct net_device *dev = skb_dst_dev(skb); ++ /* Note: skb_dst_dev_rcu() can't be NULL at this point. */ ++ struct net_device *dev = skb_dst_dev_rcu(skb); ++ struct inet6_dev *i_skb_dev, *idev; + struct timespec64 ts; + ktime_t tstamp; + u64 raw64; +@@ -721,13 +723,16 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + + data = trace->data + trace->remlen * 4 - trace->nodelen * 4 - sclen * 4; + ++ i_skb_dev = skb->dev ? __in6_dev_get(skb->dev) : NULL; ++ idev = __in6_dev_get(dev); ++ + /* hop_lim and node_id */ + if (trace->type.bit0) { + byte = ipv6_hdr(skb)->hop_limit; + if (is_input) + byte--; + +- raw32 = dev_net(dev)->ipv6.sysctl.ioam6_id; ++ raw32 = READ_ONCE(dev_net(dev)->ipv6.sysctl.ioam6_id); + + *(__be32 *)data = cpu_to_be32((byte << 24) | raw32); + data += sizeof(__be32); +@@ -735,18 +740,18 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + + /* ingress_if_id and egress_if_id */ + if (trace->type.bit1) { +- if (!skb->dev) ++ if (!i_skb_dev) + raw16 = IOAM6_U16_UNAVAILABLE; + else +- raw16 = (__force u16)READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id); ++ raw16 = (__force u16)READ_ONCE(i_skb_dev->cnf.ioam6_id); + + *(__be16 *)data = cpu_to_be16(raw16); + data += sizeof(__be16); + +- if (dev->flags & IFF_LOOPBACK) ++ if ((dev->flags & IFF_LOOPBACK) || !idev) + raw16 = IOAM6_U16_UNAVAILABLE; + else +- raw16 = (__force u16)READ_ONCE(__in6_dev_get(dev)->cnf.ioam6_id); ++ raw16 = (__force u16)READ_ONCE(idev->cnf.ioam6_id); + + *(__be16 *)data = cpu_to_be16(raw16); + data += sizeof(__be16); +@@ -822,7 +827,7 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + if (is_input) + byte--; + +- raw64 = dev_net(dev)->ipv6.sysctl.ioam6_id_wide; ++ raw64 = READ_ONCE(dev_net(dev)->ipv6.sysctl.ioam6_id_wide); + + *(__be64 *)data = cpu_to_be64(((u64)byte << 56) | raw64); + data += sizeof(__be64); +@@ -830,18 +835,18 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + + /* ingress_if_id and egress_if_id (wide) */ + if (trace->type.bit9) { +- if (!skb->dev) ++ if (!i_skb_dev) + raw32 = IOAM6_U32_UNAVAILABLE; + else +- raw32 = READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id_wide); ++ raw32 = READ_ONCE(i_skb_dev->cnf.ioam6_id_wide); + + *(__be32 *)data = cpu_to_be32(raw32); + data += sizeof(__be32); + +- if (dev->flags & IFF_LOOPBACK) ++ if ((dev->flags & IFF_LOOPBACK) || !idev) + raw32 = IOAM6_U32_UNAVAILABLE; + else +- raw32 = READ_ONCE(__in6_dev_get(dev)->cnf.ioam6_id_wide); ++ raw32 = READ_ONCE(idev->cnf.ioam6_id_wide); + + *(__be32 *)data = cpu_to_be32(raw32); + data += sizeof(__be32); +-- +2.53.0 + diff --git a/queue-6.18/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch b/queue-6.18/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch new file mode 100644 index 0000000000..ff119c250c --- /dev/null +++ b/queue-6.18/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch @@ -0,0 +1,62 @@ +From fbc4d7fa213b120a7695924fd04dcfb4a7a5e7ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 15:58:01 +0800 +Subject: ipvs: fix NULL deref in ip_vs_add_service error path + +From: Weiming Shi + +[ Upstream commit 9a91797e61d286805ae10a92cc48959c30800556 ] + +When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local +variable sched is set to NULL. If ip_vs_start_estimator() subsequently +fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) +with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL +check (because svc->scheduler was set by the successful bind) but then +dereferences the NULL sched parameter at sched->done_service, causing a +kernel panic at offset 0x30 from NULL. + + Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] + RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) + Call Trace: + + ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) + do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) + nf_setsockopt (net/netfilter/nf_sockopt.c:102) + [..] + +Fix by simply not clearing the local sched variable after a successful +bind. ip_vs_unbind_scheduler() already detects whether a scheduler is +installed via svc->scheduler, and keeping sched non-NULL ensures the +error path passes the correct pointer to both ip_vs_unbind_scheduler() +and ip_vs_scheduler_put(). + +While the bug is older, the problem popups in more recent kernels (6.2), +when the new error path is taken after the ip_vs_start_estimator() call. + +Fixes: 705dd3444081 ("ipvs: use kthreads for stats estimation") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Acked-by: Simon Horman +Acked-by: Julian Anastasov +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 4c8fa22be88ad..e442ba6033d5f 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -1453,7 +1453,6 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, + ret = ip_vs_bind_scheduler(svc, sched); + if (ret) + goto out_err; +- sched = NULL; + } + + ret = ip_vs_start_estimator(ipvs, &svc->stats); +-- +2.53.0 + diff --git a/queue-6.18/ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch b/queue-6.18/ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch new file mode 100644 index 0000000000..35585f83fd --- /dev/null +++ b/queue-6.18/ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch @@ -0,0 +1,139 @@ +From d30bea4fd78e7d459c9418448fff740eed6ac40d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 09:42:32 +0100 +Subject: ixgbe: stop re-reading flash on every get_drvinfo for e610 + +From: Aleksandr Loktionov + +[ Upstream commit d8ae40dc20cbd7bb6e6b36a928e2db2296060ad2 ] + +ixgbe_get_drvinfo() calls ixgbe_refresh_fw_version() on every ethtool +query for e610 adapters. That ends up in ixgbe_discover_flash_size(), +which bisects the full 16 MB NVM space issuing one ACI command per +step (~20 ms each, ~24 steps total = ~500 ms). + +Profiling on an idle E610-XAT2 system with telegraf scraping ethtool +stats every 10 seconds: + + kretprobe:ixgbe_get_drvinfo took 527603 us + kretprobe:ixgbe_get_drvinfo took 523978 us + kretprobe:ixgbe_get_drvinfo took 552975 us + kretprobe:ice_get_drvinfo took 3 us + kretprobe:igb_get_drvinfo took 2 us + kretprobe:i40e_get_drvinfo took 5 us + +The half-second stall happens under the RTNL lock, causing visible +latency on ip-link and friends. + +The FW version can only change after an EMPR reset. All flash data is +already populated at probe time and the cached adapter->eeprom_id is +what get_drvinfo should be returning. The only place that needs to +trigger a re-read is ixgbe_devlink_reload_empr_finish(), right after +the EMPR completes and new firmware is running. Additionally, refresh +the FW version in ixgbe_reinit_locked() so that any PF that undergoes a +reinit after an EMPR (e.g. triggered by another PF's devlink reload) +also picks up the new version in adapter->eeprom_id. + +ixgbe_devlink_info_get() keeps its refresh call for explicit +"devlink dev info" queries, which is fine given those are user-initiated. + +Fixes: c9e563cae19e ("ixgbe: add support for devlink reload") +Co-developed-by: Jedrzej Jagielski +Signed-off-by: Jedrzej Jagielski +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/devlink/devlink.c | 2 +- + drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 +- + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 13 +++++++------ + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 10 ++++++++++ + 4 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c b/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c +index d227f4d2a2d17..f32e640ef4ac0 100644 +--- a/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c ++++ b/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c +@@ -474,7 +474,7 @@ static int ixgbe_devlink_reload_empr_finish(struct devlink *devlink, + adapter->flags2 &= ~(IXGBE_FLAG2_API_MISMATCH | + IXGBE_FLAG2_FW_ROLLBACK); + +- return 0; ++ return ixgbe_refresh_fw_version(adapter); + } + + static const struct devlink_ops ixgbe_devlink_ops = { +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h +index dce4936708eb4..047f04045585a 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h +@@ -973,7 +973,7 @@ int ixgbe_init_interrupt_scheme(struct ixgbe_adapter *adapter); + bool ixgbe_wol_supported(struct ixgbe_adapter *adapter, u16 device_id, + u16 subdevice_id); + void ixgbe_set_fw_version_e610(struct ixgbe_adapter *adapter); +-void ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter); ++int ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter); + #ifdef CONFIG_PCI_IOV + void ixgbe_full_sync_mac_table(struct ixgbe_adapter *adapter); + #endif +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +index 2d660e9edb80a..0c8f310689776 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -1153,12 +1153,17 @@ static int ixgbe_set_eeprom(struct net_device *netdev, + return ret_val; + } + +-void ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter) ++int ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter) + { + struct ixgbe_hw *hw = &adapter->hw; ++ int err; ++ ++ err = ixgbe_get_flash_data(hw); ++ if (err) ++ return err; + +- ixgbe_get_flash_data(hw); + ixgbe_set_fw_version_e610(adapter); ++ return 0; + } + + static void ixgbe_get_drvinfo(struct net_device *netdev, +@@ -1166,10 +1171,6 @@ static void ixgbe_get_drvinfo(struct net_device *netdev, + { + struct ixgbe_adapter *adapter = ixgbe_from_netdev(netdev); + +- /* need to refresh info for e610 in case fw reloads in runtime */ +- if (adapter->hw.mac.type == ixgbe_mac_e610) +- ixgbe_refresh_fw_version(adapter); +- + strscpy(drvinfo->driver, ixgbe_driver_name, sizeof(drvinfo->driver)); + + strscpy(drvinfo->fw_version, adapter->eeprom_id, +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 501216970e611..240f7cc3f213f 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -6289,6 +6289,16 @@ void ixgbe_reinit_locked(struct ixgbe_adapter *adapter) + if (adapter->flags & IXGBE_FLAG_SRIOV_ENABLED) + msleep(2000); + ixgbe_up(adapter); ++ ++ /* E610 has no FW event to notify all PFs of an EMPR reset, so ++ * refresh the FW version here to pick up any new FW version after ++ * a hardware reset (e.g. EMPR triggered by another PF's devlink ++ * reload). ixgbe_refresh_fw_version() updates both hw->flash and ++ * adapter->eeprom_id so ethtool -i reports the correct string. ++ */ ++ if (adapter->hw.mac.type == ixgbe_mac_e610) ++ (void)ixgbe_refresh_fw_version(adapter); ++ + clear_bit(__IXGBE_RESETTING, &adapter->state); + } + +-- +2.53.0 + diff --git a/queue-6.18/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch b/queue-6.18/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch new file mode 100644 index 0000000000..05be1840ba --- /dev/null +++ b/queue-6.18/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch @@ -0,0 +1,78 @@ +From f5898d3e87e7fb2e244bf491f1ab324e984b9d23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 09:22:29 +0100 +Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table + +From: Michal Schmidt + +[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ] + +Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by +negotiating supported features") added the .negotiate_features callback +to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot +to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL +on Hyper-V VMs. + +During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), +which unconditionally dereferences hw->mac.ops.negotiate_features(). +On Hyper-V this results in a NULL pointer dereference: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + [...] + Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] + Workqueue: events work_for_cpu_fn + RIP: 0010:0x0 + [...] + Call Trace: + ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] + ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] + ixgbevf_probe+0x20f/0x4a0 [ixgbevf] + local_pci_probe+0x50/0xa0 + work_for_cpu_fn+0x1a/0x30 + [...] + +Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and +wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP +gracefully. + +Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") +Reported-by: Xiaoqiang Xiong +Closes: https://issues.redhat.com/browse/RHEL-155455 +Assisted-by: Claude:claude-4.6-opus-high Cursor +Tested-by: Xiaoqiang Xiong +Signed-off-by: Michal Schmidt +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c +index b67b580f7f1c9..f6df86d124b9e 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/vf.c ++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c +@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) + return err; + } + ++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw, ++ u32 *pf_features) ++{ ++ return -EOPNOTSUPP; ++} ++ + /** + * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address + * @hw: pointer to the HW structure +@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = { + .setup_link = ixgbevf_setup_mac_link_vf, + .check_link = ixgbevf_hv_check_mac_link_vf, + .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf, ++ .negotiate_features = ixgbevf_hv_negotiate_features_vf, + .set_rar = ixgbevf_hv_set_rar_vf, + .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf, + .update_xcast_mode = ixgbevf_hv_update_xcast_mode, +-- +2.53.0 + diff --git a/queue-6.18/l2tp-drop-large-packets-with-udp-encap.patch b/queue-6.18/l2tp-drop-large-packets-with-udp-encap.patch new file mode 100644 index 0000000000..603978a8c1 --- /dev/null +++ b/queue-6.18/l2tp-drop-large-packets-with-udp-encap.patch @@ -0,0 +1,106 @@ +From 21c5f7aa70bcb080b998a37eeb1237fbfcc0d1bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 20:49:49 +0300 +Subject: l2tp: Drop large packets with UDP encap + +From: Alice Mikityanska + +[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ] + +syzbot reported a WARN on my patch series [1]. The actual issue is an +overflow of 16-bit UDP length field, and it exists in the upstream code. +My series added a debug WARN with an overflow check that exposed the +issue, that's why syzbot tripped on my patches, rather than on upstream +code. + +syzbot's repro: + +r0 = socket$pppl2tp(0x18, 0x1, 0x1) +r1 = socket$inet6_udp(0xa, 0x2, 0x0) +connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) +connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) +writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) + +It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP +encapsulation, and l2tp_xmit_core doesn't check for overflows when it +assigns the UDP length field. The value gets trimmed to 16 bites. + +Add an overflow check that drops oversized packets and avoids sending +packets with trimmed UDP length to the wire. + +syzbot's stack trace (with my patch applied): + +len >= 65536u +WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 +Modules linked in: +CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] +RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] +RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 +Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f +RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 +RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 +RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff +RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 +R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 +R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 +FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 +Call Trace: + + pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + sock_write_iter+0x503/0x550 net/socket.c:1195 + do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 + vfs_writev+0x33c/0x990 fs/read_write.c:1059 + do_writev+0x154/0x2e0 fs/read_write.c:1105 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f636479c629 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 +RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 +RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 + + +[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/ +Signed-off-by: Alice Mikityanska +Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index a0682e63fc637..9156a937334ae 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1290,6 +1290,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + uh->source = inet->inet_sport; + uh->dest = inet->inet_dport; + udp_len = uhlen + session->hdr_len + data_len; ++ if (udp_len > U16_MAX) { ++ kfree_skb(skb); ++ ret = NET_XMIT_DROP; ++ goto out_unlock; ++ } + uh->len = htons(udp_len); + + /* Calculate UDP checksum if configured to do so */ +-- +2.53.0 + diff --git a/queue-6.18/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch b/queue-6.18/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch new file mode 100644 index 0000000000..a01045aec8 --- /dev/null +++ b/queue-6.18/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch @@ -0,0 +1,49 @@ +From b6b021e762fa638b8f45a632f0222bc000aadd0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 10:47:51 +0100 +Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl() + +From: Arnd Bergmann + +[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ] + +The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot +of registers, so when the clang register allocator runs out, it ends up +spilling countless temporaries to the stack: + +drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than] + +Marking this function as noinline_for_stack keeps it out of +rkvdec_vp9_start(), giving the compiler more room for optimization. + +The resulting code is good enough that both the total stack usage +and the loop get enough better to stay under the warning limit, +though it's still slow, and would need a larger rework if this +function ends up being called in a fast path. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c b/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c +index 0e7e16f20eeb0..bc74d2d824ef2 100644 +--- a/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c ++++ b/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c +@@ -923,7 +923,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx, + update_ctx_last_info(vp9_ctx); + } + +-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) ++static noinline_for_stack void ++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) + { + struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv; + struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu; +-- +2.53.0 + diff --git a/queue-6.18/net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch b/queue-6.18/net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch new file mode 100644 index 0000000000..4d7b669639 --- /dev/null +++ b/queue-6.18/net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch @@ -0,0 +1,47 @@ +From 482e39081a9352c1aa482263483c1fa4cb5fa022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 14:57:10 +0200 +Subject: net: airoha: Fix memory leak in airoha_qdma_rx_process() + +From: Lorenzo Bianconi + +[ Upstream commit 285fa6b1e03cff78ead0383e1b259c44b95faf90 ] + +If an error occurs on the subsequents buffers belonging to the +non-linear part of the skb (e.g. due to an error in the payload length +reported by the NIC or if we consumed all the available fragments for +the skb), the page_pool fragment will not be linked to the skb so it will +not return to the pool in the airoha_qdma_rx_process() error path. Fix the +memory leak partially reverting commit 'd6d2b0e1538d ("net: airoha: Fix +page recycling in airoha_qdma_rx_process()")' and always running +page_pool_put_full_page routine in the airoha_qdma_rx_process() error +path. + +Fixes: d6d2b0e1538d ("net: airoha: Fix page recycling in airoha_qdma_rx_process()") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402-airoha_qdma_rx_process-mem-leak-fix-v1-1-b5706f402d3c@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/airoha/airoha_eth.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c +index 4fc6bd282b465..bdf600fea9508 100644 +--- a/drivers/net/ethernet/airoha/airoha_eth.c ++++ b/drivers/net/ethernet/airoha/airoha_eth.c +@@ -709,9 +709,8 @@ static int airoha_qdma_rx_process(struct airoha_queue *q, int budget) + if (q->skb) { + dev_kfree_skb(q->skb); + q->skb = NULL; +- } else { +- page_pool_put_full_page(q->page_pool, page, true); + } ++ page_pool_put_full_page(q->page_pool, page, true); + } + airoha_qdma_fill_rx_queue(q); + +-- +2.53.0 + diff --git a/queue-6.18/net-increase-ip_tunnel_recursion_limit-to-5.patch b/queue-6.18/net-increase-ip_tunnel_recursion_limit-to-5.patch new file mode 100644 index 0000000000..9030b03daf --- /dev/null +++ b/queue-6.18/net-increase-ip_tunnel_recursion_limit-to-5.patch @@ -0,0 +1,42 @@ +From 6d04ed26ece1a914496456c6be4f4bfa5399c622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:23:16 -0500 +Subject: net: increase IP_TUNNEL_RECURSION_LIMIT to 5 + +From: Chris J Arges + +[ Upstream commit 77facb35227c421467cdb49268de433168c2dcef ] + +In configurations with multiple tunnel layers and MPLS lwtunnel routing, a +single tunnel hop can increment the counter beyond this limit. This causes +packets to be dropped with the "Dead loop on virtual device" message even +when a routing loop doesn't exist. + +Increase IP_TUNNEL_RECURSION_LIMIT from 4 to 5 to handle this use-case. + +Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") +Link: https://lore.kernel.org/netdev/88deb91b-ef1b-403c-8eeb-0f971f27e34f@redhat.com/ +Signed-off-by: Chris J Arges +Link: https://patch.msgid.link/20260402222401.3408368-1-carges@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 80662f8120803..253ed3930f6ef 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -32,7 +32,7 @@ + * recursion involves route lookups and full IP output, consuming much + * more stack per level, so a lower limit is needed. + */ +-#define IP_TUNNEL_RECURSION_LIMIT 4 ++#define IP_TUNNEL_RECURSION_LIMIT 5 + + /* Keep error state on tunnel for 30 sec */ + #define IPTUNNEL_ERR_TIMEO (30*HZ) +-- +2.53.0 + diff --git a/queue-6.18/net-ioam6-fix-oob-and-missing-lock.patch b/queue-6.18/net-ioam6-fix-oob-and-missing-lock.patch new file mode 100644 index 0000000000..a72bb106d0 --- /dev/null +++ b/queue-6.18/net-ioam6-fix-oob-and-missing-lock.patch @@ -0,0 +1,65 @@ +From b9714440953068cd3abb1f5651a65d2d39d0d82c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 15:41:37 +0200 +Subject: net: ioam6: fix OOB and missing lock + +From: Justin Iurman + +[ Upstream commit b30b1675aa2bcf0491fd3830b051df4e08a7c8ca ] + +When trace->type.bit6 is set: + + if (trace->type.bit6) { + ... + queue = skb_get_tx_queue(dev, skb); + qdisc = rcu_dereference(queue->qdisc); + +This code can lead to an out-of-bounds access of the dev->_tx[] array +when is_input is true. In such a case, the packet is on the RX path and +skb->queue_mapping contains the RX queue index of the ingress device. If +the ingress device has more RX queues than the egress device (dev) has +TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. +Add a check to avoid this situation since skb_get_tx_queue() does not +clamp the index. This issue has also revealed that per queue visibility +cannot be accurate and will be replaced later as a new feature. + +While at it, add missing lock around qdisc_qstats_qlen_backlog(). The +function __ioam6_fill_trace_data() is called from both softirq and +process contexts, hence the use of spin_lock_bh() here. + +Fixes: b63c5478e9cb ("ipv6: ioam: Support for Queue depth data field") +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/netdev/20260403214418.2233266-2-kuba@kernel.org/ +Signed-off-by: Justin Iurman +Link: https://patch.msgid.link/20260404134137.24553-1-justin.iurman@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ioam6.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ioam6.c b/net/ipv6/ioam6.c +index 12350e1e18bde..b91de51ffa9ea 100644 +--- a/net/ipv6/ioam6.c ++++ b/net/ipv6/ioam6.c +@@ -803,12 +803,16 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + struct Qdisc *qdisc; + __u32 qlen, backlog; + +- if (dev->flags & IFF_LOOPBACK) { ++ if (dev->flags & IFF_LOOPBACK || ++ skb_get_queue_mapping(skb) >= dev->num_tx_queues) { + *(__be32 *)data = cpu_to_be32(IOAM6_U32_UNAVAILABLE); + } else { + queue = skb_get_tx_queue(dev, skb); + qdisc = rcu_dereference(queue->qdisc); ++ ++ spin_lock_bh(qdisc_lock(qdisc)); + qdisc_qstats_qlen_backlog(qdisc, &qlen, &backlog); ++ spin_unlock_bh(qdisc_lock(qdisc)); + + *(__be32 *)data = cpu_to_be32(backlog); + } +-- +2.53.0 + diff --git a/queue-6.18/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch b/queue-6.18/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch new file mode 100644 index 0000000000..b001736a96 --- /dev/null +++ b/queue-6.18/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch @@ -0,0 +1,49 @@ +From b5759c525ff976a3339213e33351bc8440966e4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 18:43:48 +0200 +Subject: net: ipa: fix event ring index not programmed for IPA v5.0+ + +From: Alexander Koskovich + +[ Upstream commit 56007972c0b1e783ca714d6f1f4d6e66e531d21f ] + +For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to +CH_C_CNTXT_1. The v5.0 register definition intended to define this +field in the CH_C_CNTXT_1 fmask array but used the old identifier of +ERINDEX instead of CH_ERINDEX. + +Without a valid event ring, GSI channels could never signal transfer +completions. This caused gsi_channel_trans_quiesce() to block +forever in wait_for_completion(). + +At least for IPA v5.2 this resolves an issue seen where runtime +suspend, system suspend, and remoteproc stop all hanged forever. It +also meant the IPA data path was completely non functional. + +Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions") +Signed-off-by: Alexander Koskovich +Signed-off-by: Luca Weiss +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260403-milos-ipa-v1-2-01e9e4e03d3e@fairphone.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/reg/gsi_reg-v5.0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c +index 3334d8e20ad28..6c4a7fbe4de94 100644 +--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c ++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c +@@ -30,7 +30,7 @@ REG_STRIDE_FIELDS(CH_C_CNTXT_0, ch_c_cntxt_0, + + static const u32 reg_ch_c_cntxt_1_fmask[] = { + [CH_R_LENGTH] = GENMASK(23, 0), +- [ERINDEX] = GENMASK(31, 24), ++ [CH_ERINDEX] = GENMASK(31, 24), + }; + + REG_STRIDE_FIELDS(CH_C_CNTXT_1, ch_c_cntxt_1, +-- +2.53.0 + diff --git a/queue-6.18/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch b/queue-6.18/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch new file mode 100644 index 0000000000..81baffad71 --- /dev/null +++ b/queue-6.18/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch @@ -0,0 +1,47 @@ +From d121da637fe9f5dda8bfc1470a847651c3d9ba6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 18:43:47 +0200 +Subject: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ + +From: Alexander Koskovich + +[ Upstream commit 9709b56d908acc120fe8b4ae250b3c9d749ea832 ] + +Fix the field masks to match the hardware layout documented in +downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*). + +Notably this fixes a WARN I was seeing when I tried to send "stop" +to the MPSS remoteproc while IPA was up. + +Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions") +Signed-off-by: Alexander Koskovich +Signed-off-by: Luca Weiss +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260403-milos-ipa-v1-1-01e9e4e03d3e@fairphone.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/reg/gsi_reg-v5.0.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c +index 36d1e65df71bb..3334d8e20ad28 100644 +--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c ++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c +@@ -156,9 +156,10 @@ REG_FIELDS(EV_CH_CMD, ev_ch_cmd, 0x00025010 + 0x12000 * GSI_EE_AP); + + static const u32 reg_generic_cmd_fmask[] = { + [GENERIC_OPCODE] = GENMASK(4, 0), +- [GENERIC_CHID] = GENMASK(9, 5), +- [GENERIC_EE] = GENMASK(13, 10), +- /* Bits 14-31 reserved */ ++ [GENERIC_CHID] = GENMASK(12, 5), ++ [GENERIC_EE] = GENMASK(16, 13), ++ /* Bits 17-23 reserved */ ++ [GENERIC_PARAMS] = GENMASK(31, 24), + }; + + REG_FIELDS(GENERIC_CMD, generic_cmd, 0x00025018 + 0x12000 * GSI_EE_AP); +-- +2.53.0 + diff --git a/queue-6.18/net-lapbether-handle-netdev_pre_type_change.patch b/queue-6.18/net-lapbether-handle-netdev_pre_type_change.patch new file mode 100644 index 0000000000..21181fc7c2 --- /dev/null +++ b/queue-6.18/net-lapbether-handle-netdev_pre_type_change.patch @@ -0,0 +1,77 @@ +From ce4b11d2dec827adefe401d6416389e2fd672dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:35:19 +0000 +Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE + +From: Eric Dumazet + +[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ] + +lapbeth_data_transmit() expects the underlying device type +to be ARPHRD_ETHER. + +Returning NOTIFY_BAD from lapbeth_device_event() makes sure +bonding driver can not break this expectation. + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin Schiller +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index f357a7ac70ac4..9861c99ea56c4 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -446,33 +446,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth) + static int lapbeth_device_event(struct notifier_block *this, + unsigned long event, void *ptr) + { +- struct lapbethdev *lapbeth; + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct lapbethdev *lapbeth; + + if (dev_net(dev) != &init_net) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev)) ++ lapbeth = lapbeth_get_x25_dev(dev); ++ if (!dev_is_ethdev(dev) && !lapbeth) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: + /* New ethernet device -> new LAPB interface */ +- if (!lapbeth_get_x25_dev(dev)) ++ if (!lapbeth) + lapbeth_new_device(dev); + break; + case NETDEV_GOING_DOWN: + /* ethernet device closes -> close LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + dev_close(lapbeth->axdev); + break; + case NETDEV_UNREGISTER: + /* ethernet device disappears -> remove LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + lapbeth_free_device(lapbeth); + break; ++ case NETDEV_PRE_TYPE_CHANGE: ++ /* Our underlying device type must not change. */ ++ if (lapbeth) ++ return NOTIFY_BAD; + } + + return NOTIFY_DONE; +-- +2.53.0 + diff --git a/queue-6.18/net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch b/queue-6.18/net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch new file mode 100644 index 0000000000..806af8a898 --- /dev/null +++ b/queue-6.18/net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch @@ -0,0 +1,47 @@ +From 0bc691e839c75bb13b70fb95849fc6780df6036b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 14:51:52 +0800 +Subject: net: mdio: realtek-rtl9300: use scoped device_for_each_child_node + loop + +From: Felix Gu + +[ Upstream commit c09ea768bdb975e828f8e17293c397c3d14ad85d ] + +Switch to device_for_each_child_node_scoped() to auto-release fwnode +references on early exit. + +Fixes: 24e31e474769 ("net: mdio: Add RTL9300 MDIO driver") +Signed-off-by: Felix Gu +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260405-rtl9300-v1-1-08e4499cf944@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-realtek-rtl9300.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/mdio/mdio-realtek-rtl9300.c b/drivers/net/mdio/mdio-realtek-rtl9300.c +index 405a07075dd11..8d5fb014ca06c 100644 +--- a/drivers/net/mdio/mdio-realtek-rtl9300.c ++++ b/drivers/net/mdio/mdio-realtek-rtl9300.c +@@ -466,7 +466,6 @@ static int rtl9300_mdiobus_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct rtl9300_mdio_priv *priv; +- struct fwnode_handle *child; + int err; + + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); +@@ -487,7 +486,7 @@ static int rtl9300_mdiobus_probe(struct platform_device *pdev) + if (err) + return err; + +- device_for_each_child_node(dev, child) { ++ device_for_each_child_node_scoped(dev, child) { + err = rtl9300_mdiobus_probe_one(dev, priv, child); + if (err) + return err; +-- +2.53.0 + diff --git a/queue-6.18/net-sched-act_csum-validate-nested-vlan-headers.patch b/queue-6.18/net-sched-act_csum-validate-nested-vlan-headers.patch new file mode 100644 index 0000000000..8dc7693327 --- /dev/null +++ b/queue-6.18/net-sched-act_csum-validate-nested-vlan-headers.patch @@ -0,0 +1,60 @@ +From 85a85dd605536b2b9ddc01cfc2257d4bcac37a26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 22:46:20 +0800 +Subject: net: sched: act_csum: validate nested VLAN headers + +From: Ruide Cao + +[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ] + +tcf_csum_act() walks nested VLAN headers directly from skb->data when an +skb still carries in-payload VLAN tags. The current code reads +vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without +first ensuring that the full VLAN header is present in the linear area. + +If only part of an inner VLAN header is linearized, accessing +h_vlan_encapsulated_proto reads past the linear area, and the following +skb_pull(VLAN_HLEN) may violate skb invariants. + +Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and +pulling each nested VLAN header. If the header still is not fully +available, drop the packet through the existing error path. + +Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_csum.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 0939e6b2ba4d1..3a377604ad343 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -604,8 +604,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb, + protocol = skb->protocol; + orig_vlan_tag_present = true; + } else { +- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data; ++ struct vlan_hdr *vlan; + ++ if (!pskb_may_pull(skb, VLAN_HLEN)) ++ goto drop; ++ ++ vlan = (struct vlan_hdr *)skb->data; + protocol = vlan->h_vlan_encapsulated_proto; + skb_pull(skb, VLAN_HLEN); + skb_reset_network_header(skb); +-- +2.53.0 + diff --git a/queue-6.18/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch b/queue-6.18/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch new file mode 100644 index 0000000000..9c8899eb7f --- /dev/null +++ b/queue-6.18/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch @@ -0,0 +1,65 @@ +From 6022e4cb680c39b20bf5d0c15faf5471d936cbb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 13:23:33 +0000 +Subject: net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules + +From: John Pavlick + +[ Upstream commit 95aca8602ef70ffd3d971675751c81826e124f90 ] + +Several GPON ONT SFP sticks based on Realtek RTL960x report +1000BASE-LX at 1300MBd in their EEPROM but can operate at 2500base-X. +On hosts capable of 2500base-X (e.g. Banana Pi R3 / MT7986), the +kernel negotiates only 1G because it trusts the incorrect EEPROM data. + +Add quirks for: +- Hisense-Leox LXT-010S-H +- Hisense ZNID-GPON-2311NA +- HSGQ HSGQ-XPON-Stick + +Each quirk advertises 2500base-X and ignores TX_FAULT during the +module's ~40s Linux boot time. + +Tested on Banana Pi R3 (MT7986) with OpenWrt 25.12.1, confirmed +2.5Gbps link and full throughput with flow offloading. + +Reviewed-by: Russell King (Oracle) +Suggested-by: Marcin Nita +Signed-off-by: John Pavlick +Link: https://patch.msgid.link/20260406132321.72563-1-jspavlick@posteo.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 7a85b758fb1e6..c62e3f364ea73 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -543,6 +543,22 @@ static const struct sfp_quirk sfp_quirks[] = { + SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex, + sfp_fixup_ignore_tx_fault_and_los), + ++ // Hisense LXT-010S-H is a GPON ONT SFP (sold as LEOX LXT-010S-H) that ++ // can operate at 2500base-X, but reports 1000BASE-LX / 1300MBd in its ++ // EEPROM ++ SFP_QUIRK("Hisense-Leox", "LXT-010S-H", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ ++ // Hisense ZNID-GPON-2311NA can operate at 2500base-X, but reports ++ // 1000BASE-LX / 1300MBd in its EEPROM ++ SFP_QUIRK("Hisense", "ZNID-GPON-2311NA", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ ++ // HSGQ HSGQ-XPON-Stick can operate at 2500base-X, but reports ++ // 1000BASE-LX / 1300MBd in its EEPROM ++ SFP_QUIRK("HSGQ", "HSGQ-XPON-Stick", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ + // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but + // incorrectly report 2500MBd NRZ in their EEPROM. + // Some 8330-265D modules have inverted LOS, while all of them report +-- +2.53.0 + diff --git a/queue-6.18/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch b/queue-6.18/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch new file mode 100644 index 0000000000..cff7954336 --- /dev/null +++ b/queue-6.18/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch @@ -0,0 +1,83 @@ +From 9f65df779c80334679d06a6d2ae214e0a7b62507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:39 +0100 +Subject: net: stmmac: Fix PTP ref clock for Tegra234 + +From: Jon Hunter + +[ Upstream commit 1345e9f4e3f3bc7d8a0a2138ae29e205a857a555 ] + +Since commit 030ce919e114 ("net: stmmac: make sure that ptp_rate is not +0 before configuring timestamping") was added the following error is +observed on Tegra234: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +It turns out that the Tegra234 device-tree binding defines the PTP ref +clock name as 'ptp-ref' and not 'ptp_ref' and the above commit now +exposes this and that the PTP clock is not configured correctly. + +In order to update device-tree to use the correct 'ptp_ref' name, update +the Tegra MGBE driver to use 'ptp_ref' by default and fallback to using +'ptp-ref' if this clock name is present. + +Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support") +Signed-off-by: Jon Hunter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260401102941.17466-2-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac-tegra.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +index d765acbe37548..21a0a11fc0118 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +@@ -9,7 +9,7 @@ + #include "stmmac_platform.h" + + static const char *const mgbe_clks[] = { +- "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp-ref", "mac" ++ "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp_ref", "mac" + }; + + struct tegra_mgbe { +@@ -215,6 +215,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + { + struct plat_stmmacenet_data *plat; + struct stmmac_resources res; ++ bool use_legacy_ptp = false; + struct tegra_mgbe *mgbe; + int irq, err, i; + u32 value; +@@ -257,9 +258,23 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + if (!mgbe->clks) + return -ENOMEM; + +- for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) ++ /* Older device-trees use 'ptp-ref' rather than 'ptp_ref'. ++ * Fall back when the legacy name is present. ++ */ ++ if (of_property_match_string(pdev->dev.of_node, "clock-names", ++ "ptp-ref") >= 0) ++ use_legacy_ptp = true; ++ ++ for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) { + mgbe->clks[i].id = mgbe_clks[i]; + ++ if (use_legacy_ptp && !strcmp(mgbe_clks[i], "ptp_ref")) { ++ dev_warn(mgbe->dev, ++ "Device-tree update needed for PTP clock!\n"); ++ mgbe->clks[i].id = "ptp-ref"; ++ } ++ } ++ + err = devm_clk_bulk_get(mgbe->dev, ARRAY_SIZE(mgbe_clks), mgbe->clks); + if (err < 0) + return err; +-- +2.53.0 + diff --git a/queue-6.18/net-txgbe-leave-space-for-null-terminators-on-proper.patch b/queue-6.18/net-txgbe-leave-space-for-null-terminators-on-proper.patch new file mode 100644 index 0000000000..f5e5c232f9 --- /dev/null +++ b/queue-6.18/net-txgbe-leave-space-for-null-terminators-on-proper.patch @@ -0,0 +1,48 @@ +From a8d6335e6e29a65fa86ee6f79821a49526c4f674 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 23:20:13 +0100 +Subject: net: txgbe: leave space for null terminators on property_entry + +From: Fabio Baltieri + +[ Upstream commit 5a37d228799b0ec2c277459c83c814a59d310bc3 ] + +Lists of struct property_entry are supposed to be terminated with an +empty property, this driver currently seems to be allocating exactly the +amount of entry used. + +Change the struct definition to leave an extra element for all +property_entry. + +Fixes: c3e382ad6d15 ("net: txgbe: Add software nodes to support phylink") +Signed-off-by: Fabio Baltieri +Tested-by: Jiawen Wu +Link: https://patch.msgid.link/20260405222013.5347-1-fabio.baltieri@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +index 41915d7dd372a..be78f8f61a795 100644 +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +@@ -399,10 +399,10 @@ struct txgbe_nodes { + char i2c_name[32]; + char sfp_name[32]; + char phylink_name[32]; +- struct property_entry gpio_props[1]; +- struct property_entry i2c_props[3]; +- struct property_entry sfp_props[8]; +- struct property_entry phylink_props[2]; ++ struct property_entry gpio_props[2]; ++ struct property_entry i2c_props[4]; ++ struct property_entry sfp_props[9]; ++ struct property_entry phylink_props[3]; + struct software_node_ref_args i2c_ref[1]; + struct software_node_ref_args gpio0_ref[1]; + struct software_node_ref_args gpio1_ref[1]; +-- +2.53.0 + diff --git a/queue-6.18/netfilter-ctnetlink-ensure-safe-access-to-master-con.patch b/queue-6.18/netfilter-ctnetlink-ensure-safe-access-to-master-con.patch new file mode 100644 index 0000000000..d17dff7e28 --- /dev/null +++ b/queue-6.18/netfilter-ctnetlink-ensure-safe-access-to-master-con.patch @@ -0,0 +1,218 @@ +From a803c76b7cc7c1fa4a45766bc624a6e1ed137ae7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:11:04 +0100 +Subject: netfilter: ctnetlink: ensure safe access to master conntrack + +From: Pablo Neira Ayuso + +[ Upstream commit bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 ] + +Holding reference on the expectation is not sufficient, the master +conntrack object can just go away, making exp->master invalid. + +To access exp->master safely: + +- Grab the nf_conntrack_expect_lock, this gets serialized with + clean_from_lists() which also holds this lock when the master + conntrack goes away. + +- Hold reference on master conntrack via nf_conntrack_find_get(). + Not so easy since the master tuple to look up for the master conntrack + is not available in the existing problematic paths. + +This patch goes for extending the nf_conntrack_expect_lock section +to address this issue for simplicity, in the cases that are described +below this is just slightly extending the lock section. + +The add expectation command already holds a reference to the master +conntrack from ctnetlink_create_expect(). + +However, the delete expectation command needs to grab the spinlock +before looking up for the expectation. Expand the existing spinlock +section to address this to cover the expectation lookup. Note that, +the nf_ct_expect_iterate_net() calls already grabs the spinlock while +iterating over the expectation table, which is correct. + +The get expectation command needs to grab the spinlock to ensure master +conntrack does not go away. This also expands the existing spinlock +section to cover the expectation lookup too. I needed to move the +netlink skb allocation out of the spinlock to keep it GFP_KERNEL. + +For the expectation events, the IPEXP_DESTROY event is already delivered +under the spinlock, just move the delivery of IPEXP_NEW under the +spinlock too because the master conntrack event cache is reached through +exp->master. + +While at it, add lockdep notations to help identify what codepaths need +to grab the spinlock. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack_core.h | 5 ++++ + net/netfilter/nf_conntrack_ecache.c | 2 ++ + net/netfilter/nf_conntrack_expect.c | 10 +++++++- + net/netfilter/nf_conntrack_netlink.c | 28 +++++++++++++++-------- + 4 files changed, 35 insertions(+), 10 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h +index 3384859a89210..8883575adcc1e 100644 +--- a/include/net/netfilter/nf_conntrack_core.h ++++ b/include/net/netfilter/nf_conntrack_core.h +@@ -83,6 +83,11 @@ void nf_conntrack_lock(spinlock_t *lock); + + extern spinlock_t nf_conntrack_expect_lock; + ++static inline void lockdep_nfct_expect_lock_held(void) ++{ ++ lockdep_assert_held(&nf_conntrack_expect_lock); ++} ++ + /* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */ + + static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout) +diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c +index 81baf20826046..9df159448b897 100644 +--- a/net/netfilter/nf_conntrack_ecache.c ++++ b/net/netfilter/nf_conntrack_ecache.c +@@ -247,6 +247,8 @@ void nf_ct_expect_event_report(enum ip_conntrack_expect_events event, + struct nf_ct_event_notifier *notify; + struct nf_conntrack_ecache *e; + ++ lockdep_nfct_expect_lock_held(); ++ + rcu_read_lock(); + notify = rcu_dereference(net->ct.nf_conntrack_event_cb); + if (!notify) +diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c +index 2234c444a320e..24d0576d84b7f 100644 +--- a/net/netfilter/nf_conntrack_expect.c ++++ b/net/netfilter/nf_conntrack_expect.c +@@ -51,6 +51,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp, + struct net *net = nf_ct_exp_net(exp); + struct nf_conntrack_net *cnet; + ++ lockdep_nfct_expect_lock_held(); + WARN_ON(!master_help); + WARN_ON(timer_pending(&exp->timeout)); + +@@ -118,6 +119,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple, + + bool nf_ct_remove_expect(struct nf_conntrack_expect *exp) + { ++ lockdep_nfct_expect_lock_held(); ++ + if (timer_delete(&exp->timeout)) { + nf_ct_unlink_expect(exp); + nf_ct_expect_put(exp); +@@ -177,6 +180,8 @@ nf_ct_find_expectation(struct net *net, + struct nf_conntrack_expect *i, *exp = NULL; + unsigned int h; + ++ lockdep_nfct_expect_lock_held(); ++ + if (!cnet->expect_count) + return NULL; + +@@ -459,6 +464,8 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect, + unsigned int h; + int ret = 0; + ++ lockdep_nfct_expect_lock_held(); ++ + if (!master_help) { + ret = -ESHUTDOWN; + goto out; +@@ -515,8 +522,9 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, + + nf_ct_expect_insert(expect); + +- spin_unlock_bh(&nf_conntrack_expect_lock); + nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ + return 0; + out: + spin_unlock_bh(&nf_conntrack_expect_lock); +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 879413b9fa06a..becffc15e7579 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3337,31 +3337,37 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + if (err < 0) + return err; + ++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ if (!skb2) ++ return -ENOMEM; ++ ++ spin_lock_bh(&nf_conntrack_expect_lock); + exp = nf_ct_expect_find_get(info->net, &zone, &tuple); +- if (!exp) ++ if (!exp) { ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ kfree_skb(skb2); + return -ENOENT; ++ } + + if (cda[CTA_EXPECT_ID]) { + __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); + + if (id != nf_expect_get_id(exp)) { + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ kfree_skb(skb2); + return -ENOENT; + } + } + +- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); +- if (!skb2) { +- nf_ct_expect_put(exp); +- return -ENOMEM; +- } +- + rcu_read_lock(); + err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, + info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, + exp); + rcu_read_unlock(); + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ + if (err <= 0) { + kfree_skb(skb2); + return -ENOMEM; +@@ -3408,22 +3414,26 @@ static int ctnetlink_del_expect(struct sk_buff *skb, + if (err < 0) + return err; + ++ spin_lock_bh(&nf_conntrack_expect_lock); ++ + /* bump usage count to 2 */ + exp = nf_ct_expect_find_get(info->net, &zone, &tuple); +- if (!exp) ++ if (!exp) { ++ spin_unlock_bh(&nf_conntrack_expect_lock); + return -ENOENT; ++ } + + if (cda[CTA_EXPECT_ID]) { + __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); + + if (id != nf_expect_get_id(exp)) { + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); + return -ENOENT; + } + } + + /* after list removal, usage count == 1 */ +- spin_lock_bh(&nf_conntrack_expect_lock); + if (timer_delete(&exp->timeout)) { + nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, + nlmsg_report(info->nlh)); +-- +2.53.0 + diff --git a/queue-6.18/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch b/queue-6.18/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch new file mode 100644 index 0000000000..81d0f3c0ba --- /dev/null +++ b/queue-6.18/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch @@ -0,0 +1,51 @@ +From b5c7cddbb6233330aef646e6b1106f648f5b69e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 17:39:47 +0800 +Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets + +From: Zhengchuan Liang + +[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ] + +`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address +and compares it with the low 64 bits of the IPv6 source address. + +The existing guard only rejects an invalid MAC header when +`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` +can still reach `eth_hdr(skb)` even when the MAC header is not valid. + +Fix this by removing the `par->fragoff != 0` condition so that packets +with an invalid MAC header are rejected before accessing `eth_hdr(skb)`. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6t_eui64.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c +index d704f7ed300c2..da69a27e8332c 100644 +--- a/net/ipv6/netfilter/ip6t_eui64.c ++++ b/net/ipv6/netfilter/ip6t_eui64.c +@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) + unsigned char eui64[8]; + + if (!(skb_mac_header(skb) >= skb->head && +- skb_mac_header(skb) + ETH_HLEN <= skb->data) && +- par->fragoff != 0) { ++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) { + par->hotdrop = true; + return false; + } +-- +2.53.0 + diff --git a/queue-6.18/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch b/queue-6.18/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch new file mode 100644 index 0000000000..1ed0047f2f --- /dev/null +++ b/queue-6.18/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch @@ -0,0 +1,52 @@ +From afbbe800b0768e68982da75c60b2dabbceae3ea1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 14:20:57 -0700 +Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE + terminator + +From: Xiang Mei + +[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ] + +When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() +appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via +nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() +helper only zeroes alignment padding after the payload, not the payload +itself, so four bytes of stale kernel heap data are leaked to userspace +in the NLMSG_DONE message body. + +Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes +the nfgenmsg payload via nfnl_fill_hdr(), consistent with how +__build_packet_message() already constructs NFULNL_MSG_PACKET headers. + +Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index dcd2493a9a404..b1f3eda85989c 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -361,10 +361,10 @@ static void + __nfulnl_send(struct nfulnl_instance *inst) + { + if (inst->qlen > 1) { +- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, +- NLMSG_DONE, +- sizeof(struct nfgenmsg), +- 0); ++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0, ++ NLMSG_DONE, 0, ++ AF_UNSPEC, NFNETLINK_V0, ++ htons(inst->group_num)); + if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", + inst->skb->len, skb_tailroom(inst->skb))) { + kfree_skb(inst->skb); +-- +2.53.0 + diff --git a/queue-6.18/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch b/queue-6.18/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch new file mode 100644 index 0000000000..7cf07c4850 --- /dev/null +++ b/queue-6.18/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch @@ -0,0 +1,314 @@ +From 86351c47a837a6a1bd32531828cb06dbc71f55c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 17:00:01 +0200 +Subject: netfilter: nfnetlink_queue: make hash table per queue + +From: Florian Westphal + +[ Upstream commit 936206e3f6ff411581e615e930263d6f8b78df9d ] + +Sharing a global hash table among all queues is tempting, but +it can cause crash: + +BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] +[..] + nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] + nfnetlink_rcv_msg+0x46a/0x930 + kmem_cache_alloc_node_noprof+0x11e/0x450 + +struct nf_queue_entry is freed via kfree, but parallel cpu can still +encounter such an nf_queue_entry when walking the list. + +Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, +but as we have to alloc/free for each skb this will cause more mem +pressure. + +Cc: Scott Mitchell +Fixes: e19079adcd26 ("netfilter: nfnetlink_queue: optimize verdict lookup with hash table") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_queue.h | 1 - + net/netfilter/nfnetlink_queue.c | 139 +++++++++++-------------------- + 2 files changed, 49 insertions(+), 91 deletions(-) + +diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h +index 45eb26b2e95b3..d17035d14d96c 100644 +--- a/include/net/netfilter/nf_queue.h ++++ b/include/net/netfilter/nf_queue.h +@@ -23,7 +23,6 @@ struct nf_queue_entry { + struct nf_hook_state state; + bool nf_ct_is_unconfirmed; + u16 size; /* sizeof(entry) + saved route keys */ +- u16 queue_num; + + /* extra space to store route keys */ + }; +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index a39d3b989063c..fe5942535245d 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -49,8 +49,8 @@ + #endif + + #define NFQNL_QMAX_DEFAULT 1024 +-#define NFQNL_HASH_MIN 1024 +-#define NFQNL_HASH_MAX 1048576 ++#define NFQNL_HASH_MIN 8 ++#define NFQNL_HASH_MAX 32768 + + /* We're using struct nlattr which has 16bit nla_len. Note that nla_len + * includes the header length. Thus, the maximum packet length that we +@@ -60,29 +60,10 @@ + */ + #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN) + +-/* Composite key for packet lookup: (net, queue_num, packet_id) */ +-struct nfqnl_packet_key { +- possible_net_t net; +- u32 packet_id; +- u16 queue_num; +-} __aligned(sizeof(u32)); /* jhash2 requires 32-bit alignment */ +- +-/* Global rhashtable - one for entire system, all netns */ +-static struct rhashtable nfqnl_packet_map __read_mostly; +- +-/* Helper to initialize composite key */ +-static inline void nfqnl_init_key(struct nfqnl_packet_key *key, +- struct net *net, u32 packet_id, u16 queue_num) +-{ +- memset(key, 0, sizeof(*key)); +- write_pnet(&key->net, net); +- key->packet_id = packet_id; +- key->queue_num = queue_num; +-} +- + struct nfqnl_instance { + struct hlist_node hlist; /* global list of queues */ +- struct rcu_head rcu; ++ struct rhashtable nfqnl_packet_map; ++ struct rcu_work rwork; + + u32 peer_portid; + unsigned int queue_maxlen; +@@ -106,6 +87,7 @@ struct nfqnl_instance { + + typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long); + ++static struct workqueue_struct *nfq_cleanup_wq __read_mostly; + static unsigned int nfnl_queue_net_id __read_mostly; + + #define INSTANCE_BUCKETS 16 +@@ -124,34 +106,10 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num) + return ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS; + } + +-/* Extract composite key from nf_queue_entry for hashing */ +-static u32 nfqnl_packet_obj_hashfn(const void *data, u32 len, u32 seed) +-{ +- const struct nf_queue_entry *entry = data; +- struct nfqnl_packet_key key; +- +- nfqnl_init_key(&key, entry->state.net, entry->id, entry->queue_num); +- +- return jhash2((u32 *)&key, sizeof(key) / sizeof(u32), seed); +-} +- +-/* Compare stack-allocated key against entry */ +-static int nfqnl_packet_obj_cmpfn(struct rhashtable_compare_arg *arg, +- const void *obj) +-{ +- const struct nfqnl_packet_key *key = arg->key; +- const struct nf_queue_entry *entry = obj; +- +- return !net_eq(entry->state.net, read_pnet(&key->net)) || +- entry->queue_num != key->queue_num || +- entry->id != key->packet_id; +-} +- + static const struct rhashtable_params nfqnl_rhashtable_params = { + .head_offset = offsetof(struct nf_queue_entry, hash_node), +- .key_len = sizeof(struct nfqnl_packet_key), +- .obj_hashfn = nfqnl_packet_obj_hashfn, +- .obj_cmpfn = nfqnl_packet_obj_cmpfn, ++ .key_offset = offsetof(struct nf_queue_entry, id), ++ .key_len = sizeof(u32), + .automatic_shrinking = true, + .min_size = NFQNL_HASH_MIN, + .max_size = NFQNL_HASH_MAX, +@@ -190,6 +148,10 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + spin_lock_init(&inst->lock); + INIT_LIST_HEAD(&inst->queue_list); + ++ err = rhashtable_init(&inst->nfqnl_packet_map, &nfqnl_rhashtable_params); ++ if (err < 0) ++ goto out_free; ++ + spin_lock(&q->instances_lock); + if (instance_lookup(q, queue_num)) { + err = -EEXIST; +@@ -210,6 +172,8 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + + out_unlock: + spin_unlock(&q->instances_lock); ++ rhashtable_destroy(&inst->nfqnl_packet_map); ++out_free: + kfree(inst); + return ERR_PTR(err); + } +@@ -217,15 +181,18 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, + unsigned long data); + +-static void +-instance_destroy_rcu(struct rcu_head *head) ++static void instance_destroy_work(struct work_struct *work) + { +- struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance, +- rcu); ++ struct nfqnl_instance *inst; + ++ inst = container_of(to_rcu_work(work), struct nfqnl_instance, ++ rwork); + rcu_read_lock(); + nfqnl_flush(inst, NULL, 0); + rcu_read_unlock(); ++ ++ rhashtable_destroy(&inst->nfqnl_packet_map); ++ + kfree(inst); + module_put(THIS_MODULE); + } +@@ -234,7 +201,9 @@ static void + __instance_destroy(struct nfqnl_instance *inst) + { + hlist_del_rcu(&inst->hlist); +- call_rcu(&inst->rcu, instance_destroy_rcu); ++ ++ INIT_RCU_WORK(&inst->rwork, instance_destroy_work); ++ queue_rcu_work(nfq_cleanup_wq, &inst->rwork); + } + + static void +@@ -250,9 +219,7 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + { + int err; + +- entry->queue_num = queue->queue_num; +- +- err = rhashtable_insert_fast(&nfqnl_packet_map, &entry->hash_node, ++ err = rhashtable_insert_fast(&queue->nfqnl_packet_map, &entry->hash_node, + nfqnl_rhashtable_params); + if (unlikely(err)) + return err; +@@ -266,23 +233,19 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + static void + __dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + { +- rhashtable_remove_fast(&nfqnl_packet_map, &entry->hash_node, ++ rhashtable_remove_fast(&queue->nfqnl_packet_map, &entry->hash_node, + nfqnl_rhashtable_params); + list_del(&entry->list); + queue->queue_total--; + } + + static struct nf_queue_entry * +-find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id, +- struct net *net) ++find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id) + { +- struct nfqnl_packet_key key; + struct nf_queue_entry *entry; + +- nfqnl_init_key(&key, net, id, queue->queue_num); +- + spin_lock_bh(&queue->lock); +- entry = rhashtable_lookup_fast(&nfqnl_packet_map, &key, ++ entry = rhashtable_lookup_fast(&queue->nfqnl_packet_map, &id, + nfqnl_rhashtable_params); + + if (entry) +@@ -1531,7 +1494,7 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + verdict = ntohl(vhdr->verdict); + +- entry = find_dequeue_entry(queue, ntohl(vhdr->id), info->net); ++ entry = find_dequeue_entry(queue, ntohl(vhdr->id)); + if (entry == NULL) + return -ENOENT; + +@@ -1880,40 +1843,38 @@ static int __init nfnetlink_queue_init(void) + { + int status; + +- status = rhashtable_init(&nfqnl_packet_map, &nfqnl_rhashtable_params); +- if (status < 0) +- return status; ++ nfq_cleanup_wq = alloc_ordered_workqueue("nfq_workqueue", 0); ++ if (!nfq_cleanup_wq) ++ return -ENOMEM; + + status = register_pernet_subsys(&nfnl_queue_net_ops); +- if (status < 0) { +- pr_err("failed to register pernet ops\n"); +- goto cleanup_rhashtable; +- } ++ if (status < 0) ++ goto cleanup_pernet_subsys; + +- netlink_register_notifier(&nfqnl_rtnl_notifier); +- status = nfnetlink_subsys_register(&nfqnl_subsys); +- if (status < 0) { +- pr_err("failed to create netlink socket\n"); +- goto cleanup_netlink_notifier; +- } ++ status = netlink_register_notifier(&nfqnl_rtnl_notifier); ++ if (status < 0) ++ goto cleanup_rtnl_notifier; + + status = register_netdevice_notifier(&nfqnl_dev_notifier); +- if (status < 0) { +- pr_err("failed to register netdevice notifier\n"); +- goto cleanup_netlink_subsys; +- } ++ if (status < 0) ++ goto cleanup_dev_notifier; ++ ++ status = nfnetlink_subsys_register(&nfqnl_subsys); ++ if (status < 0) ++ goto cleanup_nfqnl_subsys; + + nf_register_queue_handler(&nfqh); + + return status; + +-cleanup_netlink_subsys: +- nfnetlink_subsys_unregister(&nfqnl_subsys); +-cleanup_netlink_notifier: ++cleanup_nfqnl_subsys: ++ unregister_netdevice_notifier(&nfqnl_dev_notifier); ++cleanup_dev_notifier: + netlink_unregister_notifier(&nfqnl_rtnl_notifier); ++cleanup_rtnl_notifier: + unregister_pernet_subsys(&nfnl_queue_net_ops); +-cleanup_rhashtable: +- rhashtable_destroy(&nfqnl_packet_map); ++cleanup_pernet_subsys: ++ destroy_workqueue(nfq_cleanup_wq); + return status; + } + +@@ -1924,9 +1885,7 @@ static void __exit nfnetlink_queue_fini(void) + nfnetlink_subsys_unregister(&nfqnl_subsys); + netlink_unregister_notifier(&nfqnl_rtnl_notifier); + unregister_pernet_subsys(&nfnl_queue_net_ops); +- +- rhashtable_destroy(&nfqnl_packet_map); +- ++ destroy_workqueue(nfq_cleanup_wq); + rcu_barrier(); /* Wait for completion of call_rcu()'s */ + } + +-- +2.53.0 + diff --git a/queue-6.18/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch b/queue-6.18/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch new file mode 100644 index 0000000000..e09633f2f5 --- /dev/null +++ b/queue-6.18/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch @@ -0,0 +1,176 @@ +From d2c4a9f596b4efff543deedcd12c54bacb9d6f8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jan 2026 09:32:30 -0800 +Subject: netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> + GFP_KERNEL_ACCOUNT allocation + +From: Scott Mitchell + +[ Upstream commit a4400a5b343d1bc4aa8f685608515413238e7ee2 ] + +Currently, instance_create() uses GFP_ATOMIC because it's called while +holding instances_lock spinlock. This makes allocation more likely to +fail under memory pressure. + +Refactor nfqnl_recv_config() to drop RCU lock after instance_lookup() +and peer_portid verification. A socket cannot simultaneously send a +message and close, so the queue owned by the sending socket cannot be +destroyed while processing its CONFIG message. This allows +instance_create() to allocate with GFP_KERNEL_ACCOUNT before taking +the spinlock. + +Suggested-by: Florian Westphal +Signed-off-by: Scott Mitchell +Signed-off-by: Florian Westphal +Stable-dep-of: 936206e3f6ff ("netfilter: nfnetlink_queue: make hash table per queue") +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 75 +++++++++++++++------------------ + 1 file changed, 34 insertions(+), 41 deletions(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 0b96d20bacb73..a39d3b989063c 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -178,17 +178,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + unsigned int h; + int err; + +- spin_lock(&q->instances_lock); +- if (instance_lookup(q, queue_num)) { +- err = -EEXIST; +- goto out_unlock; +- } +- +- inst = kzalloc(sizeof(*inst), GFP_ATOMIC); +- if (!inst) { +- err = -ENOMEM; +- goto out_unlock; +- } ++ inst = kzalloc(sizeof(*inst), GFP_KERNEL_ACCOUNT); ++ if (!inst) ++ return ERR_PTR(-ENOMEM); + + inst->queue_num = queue_num; + inst->peer_portid = portid; +@@ -198,9 +190,15 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + spin_lock_init(&inst->lock); + INIT_LIST_HEAD(&inst->queue_list); + ++ spin_lock(&q->instances_lock); ++ if (instance_lookup(q, queue_num)) { ++ err = -EEXIST; ++ goto out_unlock; ++ } ++ + if (!try_module_get(THIS_MODULE)) { + err = -EAGAIN; +- goto out_free; ++ goto out_unlock; + } + + h = instance_hashfn(queue_num); +@@ -210,10 +208,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + + return inst; + +-out_free: +- kfree(inst); + out_unlock: + spin_unlock(&q->instances_lock); ++ kfree(inst); + return ERR_PTR(err); + } + +@@ -1604,7 +1601,8 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + struct nfqnl_msg_config_cmd *cmd = NULL; + struct nfqnl_instance *queue; + __u32 flags = 0, mask = 0; +- int ret = 0; ++ ++ WARN_ON_ONCE(!lockdep_nfnl_is_held(NFNL_SUBSYS_QUEUE)); + + if (nfqa[NFQA_CFG_CMD]) { + cmd = nla_data(nfqa[NFQA_CFG_CMD]); +@@ -1650,47 +1648,44 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + } + } + ++ /* Lookup queue under RCU. After peer_portid check (or for new queue ++ * in BIND case), the queue is owned by the socket sending this message. ++ * A socket cannot simultaneously send a message and close, so while ++ * processing this CONFIG message, nfqnl_rcv_nl_event() (triggered by ++ * socket close) cannot destroy this queue. Safe to use without RCU. ++ */ + rcu_read_lock(); + queue = instance_lookup(q, queue_num); + if (queue && queue->peer_portid != NETLINK_CB(skb).portid) { +- ret = -EPERM; +- goto err_out_unlock; ++ rcu_read_unlock(); ++ return -EPERM; + } ++ rcu_read_unlock(); + + if (cmd != NULL) { + switch (cmd->command) { + case NFQNL_CFG_CMD_BIND: +- if (queue) { +- ret = -EBUSY; +- goto err_out_unlock; +- } +- queue = instance_create(q, queue_num, +- NETLINK_CB(skb).portid); +- if (IS_ERR(queue)) { +- ret = PTR_ERR(queue); +- goto err_out_unlock; +- } ++ if (queue) ++ return -EBUSY; ++ queue = instance_create(q, queue_num, NETLINK_CB(skb).portid); ++ if (IS_ERR(queue)) ++ return PTR_ERR(queue); + break; + case NFQNL_CFG_CMD_UNBIND: +- if (!queue) { +- ret = -ENODEV; +- goto err_out_unlock; +- } ++ if (!queue) ++ return -ENODEV; + instance_destroy(q, queue); +- goto err_out_unlock; ++ return 0; + case NFQNL_CFG_CMD_PF_BIND: + case NFQNL_CFG_CMD_PF_UNBIND: + break; + default: +- ret = -ENOTSUPP; +- goto err_out_unlock; ++ return -EOPNOTSUPP; + } + } + +- if (!queue) { +- ret = -ENODEV; +- goto err_out_unlock; +- } ++ if (!queue) ++ return -ENODEV; + + if (nfqa[NFQA_CFG_PARAMS]) { + struct nfqnl_msg_config_params *params = +@@ -1715,9 +1710,7 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + spin_unlock_bh(&queue->lock); + } + +-err_out_unlock: +- rcu_read_unlock(); +- return ret; ++ return 0; + } + + static const struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = { +-- +2.53.0 + diff --git a/queue-6.18/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch b/queue-6.18/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch new file mode 100644 index 0000000000..c9dcb91ec2 --- /dev/null +++ b/queue-6.18/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch @@ -0,0 +1,161 @@ +From 0baffed0c792c7638ffc89977667645240cdcaed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:10:55 +0100 +Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on + expiry + +From: Florian Westphal + +[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ] + +New test case fails unexpectedly when avx2 matching functions are used. + +The test first loads a ranomly generated pipapo set +with 'ipv4 . port' key, i.e. nft -f foo. + +This works. Then, it reloads the set after a flush: +(echo flush set t s; cat foo) | nft -f - + +This is expected to work, because its the same set after all and it was +already loaded once. + +But with avx2, this fails: nft reports a clashing element. + +The reported clash is of following form: + + We successfully re-inserted + a . b + c . d + +Then we try to insert a . d + +avx2 finds the already existing a . d, which (due to 'flush set') is marked +as invalid in the new generation. It skips the element and moves to next. + +Due to incorrect masking, the skip-step finds the next matching +element *only considering the first field*, + +i.e. we return the already reinserted "a . b", even though the +last field is different and the entry should not have been matched. + +No such error is reported for the generic c implementation (no avx2) or when +the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. + +Bisection points to +7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") +but that fix merely uncovers this bug. + +Before this commit, the wrong element is returned, but erronously +reported as a full, identical duplicate. + +The root-cause is too early return in the avx2 match functions. +When we process the last field, we should continue to process data +until the entire input size has been consumed to make sure no stale +bits remain in the map. + +Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/ +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index 7ff90325c97fa..6395982e4d95c 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +-- +2.53.0 + diff --git a/queue-6.18/netfilter-xt_multiport-validate-range-encoding-in-ch.patch b/queue-6.18/netfilter-xt_multiport-validate-range-encoding-in-ch.patch new file mode 100644 index 0000000000..1dfbfb4a27 --- /dev/null +++ b/queue-6.18/netfilter-xt_multiport-validate-range-encoding-in-ch.patch @@ -0,0 +1,99 @@ +From 0f424e8857b35f4f52917964e5714d8afe1d73ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 23:52:52 +0800 +Subject: netfilter: xt_multiport: validate range encoding in checkentry + +From: Ren Wei + +[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ] + +ports_match_v1() treats any non-zero pflags entry as the start of a +port range and unconditionally consumes the next ports[] element as +the range end. + +The checkentry path currently validates protocol, flags and count, but +it does not validate the range encoding itself. As a result, malformed +rules can mark the last slot as a range start or place two range starts +back to back, leaving ports_match_v1() to step past the last valid +ports[] element while interpreting the rule. + +Reject malformed multiport v1 rules in checkentry by validating that +each range start has a following element and that the following element +is not itself marked as another range start. + +Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuhang Zheng +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c +index 44a00f5acde8a..a1691ff405d3c 100644 +--- a/net/netfilter/xt_multiport.c ++++ b/net/netfilter/xt_multiport.c +@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) + return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); + } + ++static bool ++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < multiinfo->count; i++) { ++ if (!multiinfo->pflags[i]) ++ continue; ++ ++ if (++i >= multiinfo->count) ++ return false; ++ ++ if (multiinfo->pflags[i]) ++ return false; ++ ++ if (multiinfo->ports[i - 1] > multiinfo->ports[i]) ++ return false; ++ } ++ ++ return true; ++} ++ + static inline bool + check(u_int16_t proto, + u_int8_t ip_invflags, +@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par) + const struct ipt_ip *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static int multiport_mt6_check(const struct xt_mtchk_param *par) +@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par) + const struct ip6t_ip6 *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static struct xt_match multiport_mt_reg[] __read_mostly = { +-- +2.53.0 + diff --git a/queue-6.18/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch b/queue-6.18/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch new file mode 100644 index 0000000000..e5dc836d2c --- /dev/null +++ b/queue-6.18/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch @@ -0,0 +1,61 @@ +From 1788495453b55fa2bbb9482071a5daac594cba42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 12:21:48 +0800 +Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes + +From: Pengpeng Hou + +[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ] + +s3fwrn82_uart_read() reports the number of accepted bytes to the serdev +core. The current code consumes bytes into recv_skb and may already +deliver a complete frame before allocating a fresh receive buffer. + +If that alloc_skb() fails, the callback returns 0 even though it has +already consumed bytes, and it leaves recv_skb as NULL for the next +receive callback. That breaks the receive_buf() accounting contract and +can also lead to a NULL dereference on the next skb_put_u8(). + +Allocate the receive skb lazily before consuming the next byte instead. +If allocation fails, return the number of bytes already accepted. + +Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface") +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/uart.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c +index 9c09c10c2a464..4ee481bd7e965 100644 +--- a/drivers/nfc/s3fwrn5/uart.c ++++ b/drivers/nfc/s3fwrn5/uart.c +@@ -58,6 +58,12 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev, + size_t i; + + for (i = 0; i < count; i++) { ++ if (!phy->recv_skb) { ++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); ++ if (!phy->recv_skb) ++ return i; ++ } ++ + skb_put_u8(phy->recv_skb, *data++); + + if (phy->recv_skb->len < S3FWRN82_NCI_HEADER) +@@ -69,9 +75,7 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev, + + s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb, + phy->common.mode); +- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); +- if (!phy->recv_skb) +- return 0; ++ phy->recv_skb = NULL; + } + + return i; +-- +2.53.0 + diff --git a/queue-6.18/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch b/queue-6.18/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch new file mode 100644 index 0000000000..2e39a1754a --- /dev/null +++ b/queue-6.18/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch @@ -0,0 +1,57 @@ +From 95f2e0541c75caffda049e9338b0a725c59fd4c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 14:07:42 -0700 +Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info + +From: Long Li + +[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ] + +When hv_pci_assign_numa_node() processes a device that does not have +HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range +virtual_numa_node, the device NUMA node is left unset. On x86_64, +the uninitialized default happens to be 0, but on ARM64 it is +NUMA_NO_NODE (-1). + +Tests show that when no NUMA information is available from the Hyper-V +host, devices perform best when assigned to node 0. With NUMA_NO_NODE +the kernel may spread work across NUMA nodes, which degrades +performance on Hyper-V, particularly for high-throughput devices like +MANA. + +Always set the device NUMA node to 0 before the conditional NUMA +affinity check, so that devices get a performant default when the host +provides no NUMA information, and behavior is consistent on both +x86_64 and ARM64. + +Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2") +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index 146b43981b278..28b1572974879 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -2486,6 +2486,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus) + if (!hv_dev) + continue; + ++ /* ++ * If the Hyper-V host doesn't provide a NUMA node for the ++ * device, default to node 0. With NUMA_NO_NODE the kernel ++ * may spread work across NUMA nodes, which degrades ++ * performance on Hyper-V. ++ */ ++ set_dev_node(&dev->dev, 0); ++ + if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY && + hv_dev->desc.virtual_numa_node < num_possible_nodes()) + /* +-- +2.53.0 + diff --git a/queue-6.18/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch b/queue-6.18/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch new file mode 100644 index 0000000000..f9cc30de1f --- /dev/null +++ b/queue-6.18/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch @@ -0,0 +1,47 @@ +From 17d7c44d20eac7289b7422b01e3d3bc5cc928dce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:40:48 -0700 +Subject: perf/x86/intel/uncore: Skip discovery table for offline dies + +From: Zide Chen + +[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ] + +This warning can be triggered if NUMA is disabled and the system +boots with fewer CPUs than the number of CPUs in die 0. + +WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore] + +Currently, the discovery table continues to be parsed even if all CPUs +in the associated die are offline. This can lead to an array overflow +at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may +trigger the warning above or cause other issues. + +Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables") +Reported-by: Steve Wahl +Signed-off-by: Zide Chen +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dapeng Mi +Tested-by: Steve Wahl +Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_discovery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c +index 7d57ce706feb1..c5adbe4409047 100644 +--- a/arch/x86/events/intel/uncore_discovery.c ++++ b/arch/x86/events/intel/uncore_discovery.c +@@ -383,7 +383,7 @@ static bool intel_uncore_has_discovery_tables_pci(int *ignore) + (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP; + + die = get_device_die_id(dev); +- if (die < 0) ++ if ((die < 0) || (die >= uncore_max_dies())) + continue; + + parse_discovery_table(dev, die, bar_offset, &parsed, ignore); +-- +2.53.0 + diff --git a/queue-6.18/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch b/queue-6.18/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch new file mode 100644 index 0000000000..691d1169f4 --- /dev/null +++ b/queue-6.18/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch @@ -0,0 +1,35 @@ +From c35554032152e5804df8cb615f38c7ef29a61f8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 18:14:04 +0100 +Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW + debouncer) + +From: Andy Shevchenko + +[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ] + +The 1kOhm pull down and hardware debouncer are features of the revision 0.92 +of the Chassis specification. Fix that in the code accordingly. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index d68cef4ec52ac..103eccc742a53 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1606,7 +1606,7 @@ int intel_pinctrl_probe(struct platform_device *pdev, + value = readl(regs + REVID); + if (value == ~0u) + return -ENODEV; +- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) { ++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) { + community->features |= PINCTRL_FEATURE_DEBOUNCE; + community->features |= PINCTRL_FEATURE_1K_PD; + } +-- +2.53.0 + diff --git a/queue-6.18/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch b/queue-6.18/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch new file mode 100644 index 0000000000..00afb7163c --- /dev/null +++ b/queue-6.18/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch @@ -0,0 +1,52 @@ +From d00709c687b6e4f93eac438706f670c82d138155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2026 16:16:41 -0500 +Subject: platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 1a9452c428a6b76f0b797bae21daa454fccef1a2 ] + +This platform is a similar vintage of platforms that had a BIOS bug +leading to a 10s delay at resume from s0i3. + +Add a quirk for it. + +Reported-by: Imrane +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221273 +Tested-by: Imrane +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260324211647.357924-1-mario.limonciello@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c +index ed285afaf9b0d..24506e3429430 100644 +--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c ++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c +@@ -203,6 +203,15 @@ static const struct dmi_system_id fwbug_list[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"), + } + }, ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=221273 */ ++ { ++ .ident = "Thinkpad L14 Gen3", ++ .driver_data = &quirk_s2idle_bug, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21C6"), ++ } ++ }, + /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */ + { + .ident = "Lenovo Yoga 6 13ALC6", +-- +2.53.0 + diff --git a/queue-6.18/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch b/queue-6.18/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch new file mode 100644 index 0000000000..b7e415d5bb --- /dev/null +++ b/queue-6.18/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch @@ -0,0 +1,45 @@ +From 8d23dc93864c6547452562138504aa6c51d480ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:22:46 -0700 +Subject: platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP + GZ302EAC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Schwartz + +[ Upstream commit 0198d2743207d67f995cd6df89e267e1b9f5e1f1 ] + +The ASUS ROG Flow Z13-KJP GZ302EAC model uses sys_vendor name ASUS +rather than ASUSTeK COMPUTER INC., but it needs the same folio quirk as +the other ROG Flow Z13. To keep things simple, just match on sys_vendor +ASUS since it covers both. + +Signed-off-by: Matthew Schwartz +Reviewed-by: Mario Limonciello (AMD) +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20260312212246.1608080-1-matthew.schwartz@linux.dev +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-nb-wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index 6a62bc5b02fda..8dad7bdb8f612 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -548,7 +548,7 @@ static const struct dmi_system_id asus_quirks[] = { + .callback = dmi_matched, + .ident = "ASUS ROG Z13", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUS"), + DMI_MATCH(DMI_PRODUCT_NAME, "ROG Flow Z13"), + }, + .driver_data = &quirk_asus_z13, +-- +2.53.0 + diff --git a/queue-6.18/platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch b/queue-6.18/platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch new file mode 100644 index 0000000000..1e5b0386bd --- /dev/null +++ b/queue-6.18/platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch @@ -0,0 +1,52 @@ +From 8f4fe7a4756e4c3d4d2babb8b93008570fbb0ede Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 21:11:06 +0530 +Subject: platform/x86: hp-wmi: Add support for Omen 16-wf1xxx (8C76) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krishna Chomal + +[ Upstream commit 84d29bfd1929d08f092851162a3d055a2134d043 ] + +The HP Omen 16-wf1xxx (board ID: 8C76) has the same WMI interface as +other Victus S boards, but requires quirks for correctly switching +thermal profile (similar to board 8C78). + +Add the DMI board name to victus_s_thermal_profile_boards[] table and +map it to omen_v1_thermal_params. + +Testing on board 8C76 confirmed that platform profile is registered +successfully and fan RPMs are readable and controllable. + +Tested-by: WJ Enderlava +Reported-by: WJ Enderlava +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221149 +Signed-off-by: Krishna Chomal +Link: https://patch.msgid.link/20260227154106.226809-1-krishna.chomal108@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c +index 008f3364230e2..31d099bd8db43 100644 +--- a/drivers/platform/x86/hp/hp-wmi.c ++++ b/drivers/platform/x86/hp/hp-wmi.c +@@ -174,6 +174,10 @@ static const struct dmi_system_id victus_s_thermal_profile_boards[] __initconst + .matches = { DMI_MATCH(DMI_BOARD_NAME, "8BD5") }, + .driver_data = (void *)&victus_s_thermal_params, + }, ++ { ++ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8C76") }, ++ .driver_data = (void *)&omen_v1_thermal_params, ++ }, + { + .matches = { DMI_MATCH(DMI_BOARD_NAME, "8C78") }, + .driver_data = (void *)&omen_v1_thermal_params, +-- +2.53.0 + diff --git a/queue-6.18/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch b/queue-6.18/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch new file mode 100644 index 0000000000..174ffedf19 --- /dev/null +++ b/queue-6.18/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch @@ -0,0 +1,44 @@ +From 3f9e8864286a212749ed08b2b4a8dfcc77037024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 15:27:43 +0000 +Subject: RDMA/irdma: Fix double free related to rereg_user_mr + +From: Jacob Moroni + +[ Upstream commit 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 ] + +If IB_MR_REREG_TRANS is set during rereg_user_mr, the +umem will be released and a new one will be allocated +in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans +fails after the new umem is allocated, it releases the umem, +but does not set iwmr->region to NULL. The problem is that +this failure is propagated to the user, who will then call +ibv_dereg_mr (as they should). Then, the dereg_mr path will +see a non-NULL umem and attempt to call ib_umem_release again. + +Fix this by setting iwmr->region to NULL after ib_umem_release. + +Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region") +Signed-off-by: Jacob Moroni +Link: https://patch.msgid.link/20260227152743.1183388-1-jmoroni@google.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index c77d6d0eafdec..c399aa07bcae8 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -3714,6 +3714,7 @@ static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len, + + err: + ib_umem_release(region); ++ iwmr->region = NULL; + return err; + } + +-- +2.53.0 + diff --git a/queue-6.18/rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch b/queue-6.18/rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch new file mode 100644 index 0000000000..f1c673f937 --- /dev/null +++ b/queue-6.18/rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch @@ -0,0 +1,99 @@ +From 19d8e730b72249916165ed111d4f1adaf99ada45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 20:14:32 +0200 +Subject: rtnetlink: add missing netlink_ns_capable() check for peer netns + +From: Nikolaos Gkarlis + +[ Upstream commit 7b735ef81286007794a227ce2539419479c02a5f ] + +rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer +network namespace when creating paired devices (veth, vxcan, +netkit). This allows an unprivileged user with a user namespace +to create interfaces in arbitrary network namespaces, including +init_net. + +Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer +namespace before allowing device creation to proceed. + +Fixes: 81adee47dfb6 ("net: Support specifying the network namespace upon device creation.") +Signed-off-by: Nikolaos Gkarlis +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260402181432.4126920-1-nickgarlis@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 40 +++++++++++++++++++++++++++------------- + 1 file changed, 27 insertions(+), 13 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index f3b22d5526fe6..f4ed60bd9a256 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3887,28 +3887,42 @@ static int rtnl_newlink_create(struct sk_buff *skb, struct ifinfomsg *ifm, + goto out; + } + +-static struct net *rtnl_get_peer_net(const struct rtnl_link_ops *ops, ++static struct net *rtnl_get_peer_net(struct sk_buff *skb, ++ const struct rtnl_link_ops *ops, + struct nlattr *tbp[], + struct nlattr *data[], + struct netlink_ext_ack *extack) + { +- struct nlattr *tb[IFLA_MAX + 1]; ++ struct nlattr *tb[IFLA_MAX + 1], **attrs; ++ struct net *net; + int err; + +- if (!data || !data[ops->peer_type]) +- return rtnl_link_get_net_ifla(tbp); +- +- err = rtnl_nla_parse_ifinfomsg(tb, data[ops->peer_type], extack); +- if (err < 0) +- return ERR_PTR(err); +- +- if (ops->validate) { +- err = ops->validate(tb, NULL, extack); ++ if (!data || !data[ops->peer_type]) { ++ attrs = tbp; ++ } else { ++ err = rtnl_nla_parse_ifinfomsg(tb, data[ops->peer_type], extack); + if (err < 0) + return ERR_PTR(err); ++ ++ if (ops->validate) { ++ err = ops->validate(tb, NULL, extack); ++ if (err < 0) ++ return ERR_PTR(err); ++ } ++ ++ attrs = tb; + } + +- return rtnl_link_get_net_ifla(tb); ++ net = rtnl_link_get_net_ifla(attrs); ++ if (IS_ERR_OR_NULL(net)) ++ return net; ++ ++ if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) { ++ put_net(net); ++ return ERR_PTR(-EPERM); ++ } ++ ++ return net; + } + + static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, +@@ -4047,7 +4061,7 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, + } + + if (ops->peer_type) { +- peer_net = rtnl_get_peer_net(ops, tb, data, extack); ++ peer_net = rtnl_get_peer_net(skb, ops, tb, data, extack); + if (IS_ERR(peer_net)) { + ret = PTR_ERR(peer_net); + goto put_ops; +-- +2.53.0 + diff --git a/queue-6.18/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch b/queue-6.18/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch new file mode 100644 index 0000000000..61b605eddf --- /dev/null +++ b/queue-6.18/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch @@ -0,0 +1,51 @@ +From a3495685a4bfd42cf22dd171139b4ee78afe0f0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 12:22:44 +0200 +Subject: sched/deadline: Use revised wakeup rule for dl_server + +From: Peter Zijlstra + +[ Upstream commit 14a857056466be9d3d907a94e92a704ac1be149b ] + +John noted that commit 115135422562 ("sched/deadline: Fix 'stuck' dl_server") +unfixed the issue from commit a3a70caf7906 ("sched/deadline: Fix dl_server +behaviour"). + +The issue in commit 115135422562 was for wakeups of the server after the +deadline; in which case you *have* to start a new period. The case for +a3a70caf7906 is wakeups before the deadline. + +Now, because the server is effectively running a least-laxity policy, it means +that any wakeup during the runnable phase means dl_entity_overflow() will be +true. This means we need to adjust the runtime to allow it to still run until +the existing deadline expires. + +Use the revised wakeup rule for dl_defer entities. + +Fixes: 115135422562 ("sched/deadline: Fix 'stuck' dl_server") +Reported-by: John Stultz +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Juri Lelli +Tested-by: John Stultz +Link: https://patch.msgid.link/20260404102244.GB22575@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 72499cf2a1db5..d5052f238adf7 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1036,7 +1036,7 @@ static void update_dl_entity(struct sched_dl_entity *dl_se) + if (dl_time_before(dl_se->deadline, rq_clock(rq)) || + dl_entity_overflow(dl_se, rq_clock(rq))) { + +- if (unlikely(!dl_is_implicit(dl_se) && ++ if (unlikely((!dl_is_implicit(dl_se) || dl_se->dl_defer) && + !dl_time_before(dl_se->deadline, rq_clock(rq)) && + !is_dl_boosted(dl_se))) { + update_dl_revised_wakeup(dl_se, rq); +-- +2.53.0 + diff --git a/queue-6.18/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch b/queue-6.18/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch new file mode 100644 index 0000000000..2554463d1a --- /dev/null +++ b/queue-6.18/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch @@ -0,0 +1,45 @@ +From 74d2ba9a4ddf6822c8c39ffdb1dceadb3104e8c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 22:29:19 +0100 +Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check + +From: Daniel Golle + +[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ] + +The querier-interval test adds h1 (currently a slave of the VRF created +by simple_if_init) to a temporary bridge br1 acting as an outside IGMP +querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev() +on every slave add and remove, toggling the interface admin-down then up. +Phylink takes the PHY down during the admin-down half of that cycle. +Since h1 and swp1 are cable-connected, swp1 also loses its link may need +several seconds to re-negotiate. + +Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the +test can rely on the link being back up at this point. + +Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests") +Signed-off-by: Daniel Golle +Reviewed-by: Alexander Sverdlin +Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +index 72dfbeaf56b92..e8031f68200ad 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +@@ -414,6 +414,7 @@ vlmc_querier_intvl_test() + bridge vlan add vid 10 dev br1 self pvid untagged + ip link set dev $h1 master br1 + ip link set dev br1 up ++ setup_wait_dev $h1 0 + bridge vlan add vid 10 dev $h1 master + bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1 + sleep 2 +-- +2.53.0 + diff --git a/queue-6.18/series b/queue-6.18/series new file mode 100644 index 0000000000..bb2108899c --- /dev/null +++ b/queue-6.18/series @@ -0,0 +1,120 @@ +dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch +rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch +asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch +alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch +alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch +media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch +alsa-asihpi-avoid-write-overflow-check-warning.patch +bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch +asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch +asoc-sof-topology-reject-invalid-vendor-array-size-i.patch +can-mcp251x-add-error-handling-for-power-enable-in-o.patch +asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch +alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch +platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch +btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch +platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch +btrfs-tracepoints-get-correct-superblock-from-dentry.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +netfilter-ctnetlink-ensure-safe-access-to-master-con.patch +drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch +srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch +alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch +netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch +alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch +wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch +asoc-soc-core-call-missing-init_list_head-for-card_a.patch +alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch +alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch +drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch +fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch +asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch +pinctrl-intel-fix-the-revision-for-new-features-1koh.patch +platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch +hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch +hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-29200 +hid-roccat-fix-use-after-free-in-roccat_report_event.patch +ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch +wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch +x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch +asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch +soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch +arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch +arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch +arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch +arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch +arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch +arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch +arm64-dts-qcom-monaco-fix-uart10-pinconf.patch +soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch +tools-power-turbostat-fix-microcode-patch-level-outp.patch +tools-power-turbostat-fix-show-hide-for-individual-c.patch +arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch +arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch +pci-hv-set-default-numa-node-to-0-for-devices-withou.patch +hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch +xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch +dma-mapping-add-dma_attr_cpu_cache_clean.patch +dma-debug-track-cache-clean-flag-in-entries.patch +dma-debug-suppress-cacheline-overlap-warning-when-ar.patch +drm-vc4-release-runtime-pm-reference-after-binding-v.patch +drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch +drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch +drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch +eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch +net-sched-act_csum-validate-nested-vlan-headers.patch +net-lapbether-handle-netdev_pre_type_change.patch +net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch +ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch +bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch +rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch +ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch +ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch +ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch +net-increase-ip_tunnel_recursion_limit-to-5.patch +nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch +net-stmmac-fix-ptp-ref-clock-for-tegra234.patch +dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch +tracing-probe-reject-non-closed-empty-immediate-stri.patch +ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch +ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch +ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch +e1000-check-return-value-of-e1000_read_eeprom.patch +xsk-tighten-umem-headroom-validation-to-account-for-.patch +xsk-respect-tailroom-for-zc-setups.patch +xsk-fix-xdp_umem_sg_flag-issues.patch +xsk-validate-mtu-against-usable-frame-size-on-bind.patch +xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch +xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch +xfrm_user-fix-info-leak-in-build_mapping.patch +asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch +drm-xe-fix-bug-in-idledly-unit-conversion.patch +selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch +ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch +netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch +netfilter-xt_multiport-validate-range-encoding-in-ch.patch +netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch +netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch +netfilter-nfnetlink_queue-make-hash-table-per-queue.patch +asoc-sdca-fix-overwritten-var-within-for-loop.patch +asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch +net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch +net-ioam6-fix-oob-and-missing-lock.patch +net-txgbe-leave-space-for-null-terminators-on-proper.patch +af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch +devlink-fix-incorrect-skb-socket-family-dumping.patch +net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch +net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch +l2tp-drop-large-packets-with-udp-encap.patch +gpio-tegra-fix-irq_release_resources-calling-enable-.patch +crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch +perf-x86-intel-uncore-skip-discovery-table-for-offli.patch +sched-deadline-use-revised-wakeup-rule-for-dl_server.patch +clockevents-prevent-timer-interrupt-starvation.patch +crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch +crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch diff --git a/queue-6.18/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch b/queue-6.18/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch new file mode 100644 index 0000000000..d45641a715 --- /dev/null +++ b/queue-6.18/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch @@ -0,0 +1,46 @@ +From f391bba7f30f8d2341617f24b18dcf8e6c45a560 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:37:56 +0800 +Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching + +From: Potin Lai + +[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ] + +The siliconid_to_name() function currently masks the input silicon ID +with 0xff00ffff, but compares it against unmasked table entries. This +causes matching to fail if the table entries contain non-zero values in +the bits covered by the mask (bits 16-23). + +Update the logic to apply the 0xff00ffff mask to the table entries +during comparison. This ensures that only the relevant model and +revision bits are considered, providing a consistent match across +different manufacturing batches. + +[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference] + +Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver") +Signed-off-by: Potin Lai +Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-socinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c +index 67e9ac3d08ecc..a90b100f4d101 100644 +--- a/drivers/soc/aspeed/aspeed-socinfo.c ++++ b/drivers/soc/aspeed/aspeed-socinfo.c +@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid) + unsigned int i; + + for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) { +- if (rev_table[i].id == id) ++ if ((rev_table[i].id & 0xff00ffff) == id) + return rev_table[i].name; + } + +-- +2.53.0 + diff --git a/queue-6.18/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch b/queue-6.18/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch new file mode 100644 index 0000000000..52bc2ec738 --- /dev/null +++ b/queue-6.18/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch @@ -0,0 +1,71 @@ +From f64e0344f7efb2d328238bebf3acbf8f9547394b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:53:20 +0530 +Subject: soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei + +From: Mukesh Ojha + +[ Upstream commit 641f6fda143b879da1515f821ee475073678cf2a ] + +It looks element length declared in servreg_loc_pfr_req_ei for reason +not matching servreg_loc_pfr_req's reason field due which we could +observe decoding error on PD crash. + + qmi_decode_string_elem: String len 81 >= Max Len 65 + +Fix this by matching with servreg_loc_pfr_req's reason field. + +Fixes: 1ebcde047c54 ("soc: qcom: add pd-mapper implementation") +Signed-off-by: Mukesh Ojha +Reviewed-by: Dmitry Baryshkov +Tested-by: Nikita Travkin +Link: https://lore.kernel.org/r/20260129152320.3658053-2-mukesh.ojha@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/pdr_internal.h | 2 +- + drivers/soc/qcom/qcom_pdr_msg.c | 2 +- + include/linux/soc/qcom/pdr.h | 1 + + 3 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/qcom/pdr_internal.h b/drivers/soc/qcom/pdr_internal.h +index 039508c1bbf7d..047c0160b6178 100644 +--- a/drivers/soc/qcom/pdr_internal.h ++++ b/drivers/soc/qcom/pdr_internal.h +@@ -84,7 +84,7 @@ struct servreg_set_ack_resp { + + struct servreg_loc_pfr_req { + char service[SERVREG_NAME_LENGTH + 1]; +- char reason[257]; ++ char reason[SERVREG_PFR_LENGTH + 1]; + }; + + struct servreg_loc_pfr_resp { +diff --git a/drivers/soc/qcom/qcom_pdr_msg.c b/drivers/soc/qcom/qcom_pdr_msg.c +index ca98932140d87..02022b11ecf05 100644 +--- a/drivers/soc/qcom/qcom_pdr_msg.c ++++ b/drivers/soc/qcom/qcom_pdr_msg.c +@@ -325,7 +325,7 @@ const struct qmi_elem_info servreg_loc_pfr_req_ei[] = { + }, + { + .data_type = QMI_STRING, +- .elem_len = SERVREG_NAME_LENGTH + 1, ++ .elem_len = SERVREG_PFR_LENGTH + 1, + .elem_size = sizeof(char), + .array_type = VAR_LEN_ARRAY, + .tlv_type = 0x02, +diff --git a/include/linux/soc/qcom/pdr.h b/include/linux/soc/qcom/pdr.h +index 83a8ea612e69a..2b7691e47c2a9 100644 +--- a/include/linux/soc/qcom/pdr.h ++++ b/include/linux/soc/qcom/pdr.h +@@ -5,6 +5,7 @@ + #include + + #define SERVREG_NAME_LENGTH 64 ++#define SERVREG_PFR_LENGTH 256 + + struct pdr_service; + struct pdr_handle; +-- +2.53.0 + diff --git a/queue-6.18/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch b/queue-6.18/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch new file mode 100644 index 0000000000..e5ea288dd9 --- /dev/null +++ b/queue-6.18/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch @@ -0,0 +1,134 @@ +From f68f47e5fae690168594593de043d7b16c8b235c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 20:14:18 -0400 +Subject: srcu: Use irq_work to start GP in tiny SRCU + +From: Joel Fernandes + +[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ] + +Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), +which acquires the workqueue pool->lock. + +This causes a lockdep splat when call_srcu() is called with a scheduler +lock held, due to: + + call_srcu() [holding pi_lock] + srcu_gp_start_if_needed() + schedule_work() -> pool->lock + + workqueue_init() / create_worker() [holding pool->lock] + wake_up_process() -> try_to_wake_up() -> pi_lock + +Also add irq_work_sync() to cleanup_srcu_struct() to prevent a +use-after-free if a queued irq_work fires after cleanup begins. + +Tested with rcutorture SRCU-T and no lockdep warnings. + +[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work +to start process_srcu()" ] + +Signed-off-by: Joel Fernandes +Reviewed-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + include/linux/srcutiny.h | 4 ++++ + kernel/rcu/srcutiny.c | 19 ++++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h +index 51ce25f07930e..1f9a226e6fd81 100644 +--- a/include/linux/srcutiny.h ++++ b/include/linux/srcutiny.h +@@ -11,6 +11,7 @@ + #ifndef _LINUX_SRCU_TINY_H + #define _LINUX_SRCU_TINY_H + ++#include + #include + + struct srcu_struct { +@@ -24,18 +25,21 @@ struct srcu_struct { + struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */ + struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */ + struct work_struct srcu_work; /* For driving grace periods. */ ++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */ + #ifdef CONFIG_DEBUG_LOCK_ALLOC + struct lockdep_map dep_map; + #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */ + }; + + void srcu_drive_gp(struct work_struct *wp); ++void srcu_tiny_irq_work(struct irq_work *irq_work); + + #define __SRCU_STRUCT_INIT(name, __ignored, ___ignored) \ + { \ + .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \ + .srcu_cb_tail = &name.srcu_cb_head, \ + .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \ ++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \ + __SRCU_DEP_MAP_INIT(name) \ + } + +diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c +index e3b64a5e0ec7e..d9c11d5f0ea45 100644 +--- a/kernel/rcu/srcutiny.c ++++ b/kernel/rcu/srcutiny.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -41,6 +42,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp) + ssp->srcu_idx_max = 0; + INIT_WORK(&ssp->srcu_work, srcu_drive_gp); + INIT_LIST_HEAD(&ssp->srcu_work.entry); ++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work); + return 0; + } + +@@ -84,6 +86,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct); + void cleanup_srcu_struct(struct srcu_struct *ssp) + { + WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]); ++ irq_work_sync(&ssp->srcu_irq_work); + flush_work(&ssp->srcu_work); + WARN_ON(ssp->srcu_gp_running); + WARN_ON(ssp->srcu_gp_waiting); +@@ -172,6 +175,20 @@ void srcu_drive_gp(struct work_struct *wp) + } + EXPORT_SYMBOL_GPL(srcu_drive_gp); + ++/* ++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue ++ * pool->lock while the caller might hold scheduler locks, causing lockdep ++ * splats due to workqueue_init() doing a wakeup. ++ */ ++void srcu_tiny_irq_work(struct irq_work *irq_work) ++{ ++ struct srcu_struct *ssp; ++ ++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work); ++ schedule_work(&ssp->srcu_work); ++} ++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work); ++ + static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + { + unsigned long cookie; +@@ -184,7 +201,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + WRITE_ONCE(ssp->srcu_idx_max, cookie); + if (!READ_ONCE(ssp->srcu_gp_running)) { + if (likely(srcu_init_done)) +- schedule_work(&ssp->srcu_work); ++ irq_work_queue(&ssp->srcu_irq_work); + else if (list_empty(&ssp->srcu_work.entry)) + list_add(&ssp->srcu_work.entry, &srcu_boot_list); + } +-- +2.53.0 + diff --git a/queue-6.18/tools-power-turbostat-fix-microcode-patch-level-outp.patch b/queue-6.18/tools-power-turbostat-fix-microcode-patch-level-outp.patch new file mode 100644 index 0000000000..8dbfd255a5 --- /dev/null +++ b/queue-6.18/tools-power-turbostat-fix-microcode-patch-level-outp.patch @@ -0,0 +1,58 @@ +From 2f0dca17b48905a034565a7404846ee76904e920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:16:03 -0500 +Subject: tools/power/turbostat: Fix microcode patch level output for AMD/Hygon + +From: Serhii Pievniev + +[ Upstream commit a444083286434ec1fd127c5da11a3091e6013008 ] + +turbostat always used the same logic to read the microcode patch level, +which is correct for Intel but not for AMD/Hygon. +While Intel stores the patch level in the upper 32 bits of MSR, AMD +stores it in the lower 32 bits, which causes turbostat to report the +microcode version as 0x0 on AMD/Hygon. + +Fix by shifting right by 32 for non-AMD/Hygon, preserving the existing +behavior for Intel and unknown vendors. + +Fixes: 3e4048466c39 ("tools/power turbostat: Add --no-msr option") +Signed-off-by: Serhii Pievniev +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 1b5ca2f4e92ff..67dfd3eaad014 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -8842,10 +8842,13 @@ void process_cpuid() + edx_flags = edx; + + if (!no_msr) { +- if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) ++ if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) { + warnx("get_msr(UCODE)"); +- else ++ } else { + ucode_patch_valid = true; ++ if (!authentic_amd && !hygon_genuine) ++ ucode_patch >>= 32; ++ } + } + + /* +@@ -8860,7 +8863,7 @@ void process_cpuid() + fprintf(outf, "CPUID(1): family:model:stepping 0x%x:%x:%x (%d:%d:%d)", + family, model, stepping, family, model, stepping); + if (ucode_patch_valid) +- fprintf(outf, " microcode 0x%x", (unsigned int)((ucode_patch >> 32) & 0xFFFFFFFF)); ++ fprintf(outf, " microcode 0x%x", (unsigned int)ucode_patch); + fputc('\n', outf); + + fprintf(outf, "CPUID(0x80000000): max_extended_levels: 0x%x\n", max_extended_level); +-- +2.53.0 + diff --git a/queue-6.18/tools-power-turbostat-fix-show-hide-for-individual-c.patch b/queue-6.18/tools-power-turbostat-fix-show-hide-for-individual-c.patch new file mode 100644 index 0000000000..0422b3e253 --- /dev/null +++ b/queue-6.18/tools-power-turbostat-fix-show-hide-for-individual-c.patch @@ -0,0 +1,118 @@ +From 844df2ffb4b4fc5a86791ee47d0d54459bfc3158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 11:00:33 +0200 +Subject: tools/power turbostat: Fix --show/--hide for individual cpuidle + counters + +From: Artem Bityutskiy + +[ Upstream commit b6398bc2ef3a78f1be37ba01ae0a5eedaee47803 ] + +Problem: individual swidle counter names (C1, C1+, C1-, etc.) cannot be +selected via --show/--hide due to two bugs in probe_cpuidle_counts(): +1. The function returns immediately when BIC_cpuidle is not enabled, + without checking deferred_add_index. +2. The deferred name check runs against name_buf before the trailing + newline is stripped, so is_deferred_add("C1\n") never matches "C1". + +Fix: +1. Relax the early return to pass through when deferred names are + queued. +2. Strip the trailing newline from name_buf before performing deferred + name checks. +3. Check each suffixed variant (C1+, C1, C1-) individually so that + e.g. "--show C1+" enables only the requested metric. + +In addition, introduce a helper function to avoid repeating the +condition (readability cleanup). + +Fixes: ec4acd3166d8 ("tools/power turbostat: disable "cpuidle" invocation counters, by default") +Signed-off-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 35 ++++++++++++++++----------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 67dfd3eaad014..48677f1846347 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -10890,6 +10890,14 @@ void probe_cpuidle_residency(void) + } + } + ++static bool cpuidle_counter_wanted(char *name) ++{ ++ if (is_deferred_skip(name)) ++ return false; ++ ++ return DO_BIC(BIC_cpuidle) || is_deferred_add(name); ++} ++ + void probe_cpuidle_counts(void) + { + char path[64]; +@@ -10899,7 +10907,7 @@ void probe_cpuidle_counts(void) + int min_state = 1024, max_state = 0; + char *sp; + +- if (!DO_BIC(BIC_cpuidle)) ++ if (!DO_BIC(BIC_cpuidle) && !deferred_add_index) + return; + + for (state = 10; state >= 0; --state) { +@@ -10914,12 +10922,6 @@ void probe_cpuidle_counts(void) + + remove_underbar(name_buf); + +- if (!DO_BIC(BIC_cpuidle) && !is_deferred_add(name_buf)) +- continue; +- +- if (is_deferred_skip(name_buf)) +- continue; +- + /* truncate "C1-HSW\n" to "C1", or truncate "C1\n" to "C1" */ + sp = strchr(name_buf, '-'); + if (!sp) +@@ -10934,16 +10936,19 @@ void probe_cpuidle_counts(void) + * Add 'C1+' for C1, and so on. The 'below' sysfs file always contains 0 for + * the last state, so do not add it. + */ +- + *sp = '+'; + *(sp + 1) = '\0'; +- sprintf(path, "cpuidle/state%d/below", state); +- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ if (cpuidle_counter_wanted(name_buf)) { ++ sprintf(path, "cpuidle/state%d/below", state); ++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ } + } + + *sp = '\0'; +- sprintf(path, "cpuidle/state%d/usage", state); +- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ if (cpuidle_counter_wanted(name_buf)) { ++ sprintf(path, "cpuidle/state%d/usage", state); ++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ } + + /* + * The 'above' sysfs file always contains 0 for the shallowest state (smallest +@@ -10952,8 +10957,10 @@ void probe_cpuidle_counts(void) + if (state != min_state) { + *sp = '-'; + *(sp + 1) = '\0'; +- sprintf(path, "cpuidle/state%d/above", state); +- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ if (cpuidle_counter_wanted(name_buf)) { ++ sprintf(path, "cpuidle/state%d/above", state); ++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ } + } + } + } +-- +2.53.0 + diff --git a/queue-6.18/tracing-probe-reject-non-closed-empty-immediate-stri.patch b/queue-6.18/tracing-probe-reject-non-closed-empty-immediate-stri.patch new file mode 100644 index 0000000000..99dce8cb3d --- /dev/null +++ b/queue-6.18/tracing-probe-reject-non-closed-empty-immediate-stri.patch @@ -0,0 +1,43 @@ +From 819881db484fdc719eee2574f91f1842794e62bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 00:03:15 +0800 +Subject: tracing/probe: reject non-closed empty immediate strings + +From: Pengpeng Hou + +[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ] + +parse_probe_arg() accepts quoted immediate strings and passes the body +after the opening quote to __parse_imm_string(). That helper currently +computes strlen(str) and immediately dereferences str[len - 1], which +underflows when the body is empty and not closed with double-quotation. + +Reject empty non-closed immediate strings before checking for the closing quote. + +Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/ + +Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support") +Signed-off-by: Pengpeng Hou +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 5cbdc423afebc..d7adbf1536c8b 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -1068,7 +1068,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs) + { + size_t len = strlen(str); + +- if (str[len - 1] != '"') { ++ if (!len || str[len - 1] != '"') { + trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE); + return -EINVAL; + } +-- +2.53.0 + diff --git a/queue-6.18/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch b/queue-6.18/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch new file mode 100644 index 0000000000..4571779f5b --- /dev/null +++ b/queue-6.18/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch @@ -0,0 +1,45 @@ +From 780bf332be71de220ad68d60fd50c64fd7eb1de5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 15:45:51 +0800 +Subject: wifi: brcmfmac: validate bsscfg indices in IF events + +From: Pengpeng Hou + +[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ] + +brcmf_fweh_handle_if_event() validates the firmware-provided interface +index before it touches drvr->iflist[], but it still uses the raw +bsscfgidx field as an array index without a matching range check. + +Reject IF events whose bsscfg index does not fit in drvr->iflist[] +before indexing the interface array. + +Signed-off-by: Pengpeng Hou +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn +[add missing wifi prefix] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index c2d98ee6652f3..1d25dc9ebca8b 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -153,6 +153,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr, + bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx); + return; + } ++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) { ++ bphy_err(drvr, "invalid bsscfg index: %u\n", ++ ifevent->bsscfgidx); ++ return; ++ } + + ifp = drvr->iflist[ifevent->bsscfgidx]; + +-- +2.53.0 + diff --git a/queue-6.18/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch b/queue-6.18/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch new file mode 100644 index 0000000000..244cad26b5 --- /dev/null +++ b/queue-6.18/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch @@ -0,0 +1,51 @@ +From 35b22fbdb6a981f2841b03c1fee05b4e3de4012d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:08:45 +0800 +Subject: wifi: wl1251: validate packet IDs before indexing tx_frames + +From: Pengpeng Hou + +[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ] + +wl1251_tx_packet_cb() uses the firmware completion ID directly to index +the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the +completion block, and the callback does not currently verify that it +fits the array before dereferencing it. + +Reject completion IDs that fall outside wl->tx_frames[] and keep the +existing NULL check in the same guard. This keeps the fix local to the +trust boundary and avoids touching the rest of the completion flow. + +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c +index adb4840b04893..c264d83e71d9c 100644 +--- a/drivers/net/wireless/ti/wl1251/tx.c ++++ b/drivers/net/wireless/ti/wl1251/tx.c +@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl, + int hdrlen; + u8 *frame; + +- skb = wl->tx_frames[result->id]; +- if (skb == NULL) { +- wl1251_error("SKB for packet %d is NULL", result->id); ++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) || ++ wl->tx_frames[result->id] == NULL)) { ++ wl1251_error("invalid packet id %u", result->id); + return; + } + ++ skb = wl->tx_frames[result->id]; ++ + info = IEEE80211_SKB_CB(skb); + + if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) && +-- +2.53.0 + diff --git a/queue-6.18/x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch b/queue-6.18/x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch new file mode 100644 index 0000000000..49164febf3 --- /dev/null +++ b/queue-6.18/x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch @@ -0,0 +1,78 @@ +From 84722120c966e93bae5f32025a118626e226c65b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 13:18:57 -0700 +Subject: x86: shadow stacks: proper error handling for mmap lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit 52f657e34d7b21b47434d9d8b26fa7f6778b63a0 ] + +김영민 reports that shstk_pop_sigframe() doesn't check for errors from +mmap_read_lock_killable(), which is a silly oversight, and also shows +that we haven't marked those functions with "__must_check", which would +have immediately caught it. + +So let's fix both issues. + +Reported-by: 김영민 +Acked-by: Oleg Nesterov +Acked-by: Dave Hansen +Acked-by: Rick Edgecombe +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/shstk.c | 3 ++- + include/linux/mmap_lock.h | 6 +++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c +index 978232b6d48d7..ff8edea8511b4 100644 +--- a/arch/x86/kernel/shstk.c ++++ b/arch/x86/kernel/shstk.c +@@ -351,7 +351,8 @@ static int shstk_pop_sigframe(unsigned long *ssp) + need_to_check_vma = PAGE_ALIGN(*ssp) == *ssp; + + if (need_to_check_vma) +- mmap_read_lock_killable(current->mm); ++ if (mmap_read_lock_killable(current->mm)) ++ return -EINTR; + + err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp); + if (unlikely(err)) +diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h +index 2c9fffa58714f..95ee1f224c492 100644 +--- a/include/linux/mmap_lock.h ++++ b/include/linux/mmap_lock.h +@@ -322,7 +322,7 @@ static inline void mmap_write_lock_nested(struct mm_struct *mm, int subclass) + __mmap_lock_trace_acquire_returned(mm, true, true); + } + +-static inline int mmap_write_lock_killable(struct mm_struct *mm) ++static inline int __must_check mmap_write_lock_killable(struct mm_struct *mm) + { + int ret; + +@@ -369,7 +369,7 @@ static inline void mmap_read_lock(struct mm_struct *mm) + __mmap_lock_trace_acquire_returned(mm, false, true); + } + +-static inline int mmap_read_lock_killable(struct mm_struct *mm) ++static inline int __must_check mmap_read_lock_killable(struct mm_struct *mm) + { + int ret; + +@@ -379,7 +379,7 @@ static inline int mmap_read_lock_killable(struct mm_struct *mm) + return ret; + } + +-static inline bool mmap_read_trylock(struct mm_struct *mm) ++static inline bool __must_check mmap_read_trylock(struct mm_struct *mm) + { + bool ret; + +-- +2.53.0 + diff --git a/queue-6.18/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch b/queue-6.18/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch new file mode 100644 index 0000000000..f285a9f95e --- /dev/null +++ b/queue-6.18/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch @@ -0,0 +1,61 @@ +From f9068404e3ff49c73caa9a491f859289b47caf61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2026 20:36:39 +0800 +Subject: xfrm: account XFRMA_IF_ID in aevent size calculation + +From: Keenan Dong + +[ Upstream commit 7081d46d32312f1a31f0e0e99c6835a394037599 ] + +xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then +build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is +set. + +xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states +with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) +in xfrm_get_ae(), turning a malformed netlink interaction into a kernel +panic. + +Account XFRMA_IF_ID in the size calculation unconditionally and replace +the BUG_ON with normal error unwinding. + +Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.") +Reported-by: Keenan Dong +Signed-off-by: Keenan Dong +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 306e4f65ce264..1ddcf2a1eff7a 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -2668,7 +2668,8 @@ static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x) + + nla_total_size(4) /* XFRM_AE_RTHR */ + + nla_total_size(4) /* XFRM_AE_ETHR */ + + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */ +- + nla_total_size(4); /* XFRMA_SA_PCPU */ ++ + nla_total_size(4) /* XFRMA_SA_PCPU */ ++ + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */ + } + + static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) +@@ -2780,7 +2781,12 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, + c.portid = nlh->nlmsg_pid; + + err = build_aevent(r_skb, x, &c); +- BUG_ON(err < 0); ++ if (err < 0) { ++ spin_unlock_bh(&x->lock); ++ xfrm_state_put(x); ++ kfree_skb(r_skb); ++ return err; ++ } + + err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid); + spin_unlock_bh(&x->lock); +-- +2.53.0 + diff --git a/queue-6.18/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch b/queue-6.18/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch new file mode 100644 index 0000000000..3a5c565611 --- /dev/null +++ b/queue-6.18/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch @@ -0,0 +1,52 @@ +From 65e5fcb78d57265a2aba49b74eb7e65edd961810 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 12:05:20 +0300 +Subject: xfrm: fix refcount leak in xfrm_migrate_policy_find + +From: Kotlyarov Mihail + +[ Upstream commit 83317cce60a032c49480dcdabe146435bd689d03 ] + +syzkaller reported a memory leak in xfrm_policy_alloc: + + BUG: memory leak + unreferenced object 0xffff888114d79000 (size 1024): + comm "syz.1.17", pid 931 + ... + xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432 + +The root cause is a double call to xfrm_pol_hold_rcu() in +xfrm_migrate_policy_find(). The lookup function already returns +a policy with held reference, making the second call redundant. + +Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount +imbalance and prevent the memory leak. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 563d5ca93e88 ("xfrm: switch migrate to xfrm_policy_lookup_bytype") +Signed-off-by: Kotlyarov Mihail +Reviewed-by: Florian Westphal +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 4526c9078b136..29c94ee0ceb25 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4528,9 +4528,6 @@ static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector * + pol = xfrm_policy_lookup_bytype(net, type, &fl, sel->family, dir, if_id); + if (IS_ERR_OR_NULL(pol)) + goto out_unlock; +- +- if (!xfrm_pol_hold_rcu(pol)) +- pol = NULL; + out_unlock: + rcu_read_unlock(); + return pol; +-- +2.53.0 + diff --git a/queue-6.18/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch b/queue-6.18/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch new file mode 100644 index 0000000000..0ab56dfb34 --- /dev/null +++ b/queue-6.18/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch @@ -0,0 +1,43 @@ +From 3d73d3a790d62294288c597540de45598950bade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 13:31:04 +0200 +Subject: xfrm: Wait for RCU readers during policy netns exit + +From: Steffen Klassert + +[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ] + +xfrm_policy_fini() frees the policy_bydst hash tables after flushing the +policy work items and deleting all policies, but it does not wait for +concurrent RCU readers to leave their read-side critical sections first. + +The policy_bydst tables are published via rcu_assign_pointer() and are +looked up through rcu_dereference_check(), so netns teardown must also +wait for an RCU grace period before freeing the table memory. + +Fix this by adding synchronize_rcu() before freeing the policy hash tables. + +Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups") +Signed-off-by: Steffen Klassert +Reviewed-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index c32d34c441ee0..4526c9078b136 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4290,6 +4290,8 @@ static void xfrm_policy_fini(struct net *net) + #endif + xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); + ++ synchronize_rcu(); ++ + WARN_ON(!list_empty(&net->xfrm.policy_all)); + + for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { +-- +2.53.0 + diff --git a/queue-6.18/xfrm_user-fix-info-leak-in-build_mapping.patch b/queue-6.18/xfrm_user-fix-info-leak-in-build_mapping.patch new file mode 100644 index 0000000000..c8780a4ca8 --- /dev/null +++ b/queue-6.18/xfrm_user-fix-info-leak-in-build_mapping.patch @@ -0,0 +1,45 @@ +From e1be3e8b05ab4cacbe8529323b34f31c13087d05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 17:33:03 +0200 +Subject: xfrm_user: fix info leak in build_mapping() + +From: Greg Kroah-Hartman + +[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ] + +struct xfrm_usersa_id has a one-byte padding hole after the proto +field, which ends up never getting set to zero before copying out to +userspace. Fix that up by zeroing out the whole structure before +setting individual variables. + +Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink") +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 1ddcf2a1eff7a..b3f69c0760d4c 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -4164,6 +4164,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, + + um = nlmsg_data(nlh); + ++ memset(&um->id, 0, sizeof(um->id)); + memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); + um->id.spi = x->id.spi; + um->id.family = x->props.family; +-- +2.53.0 + diff --git a/queue-6.18/xsk-fix-xdp_umem_sg_flag-issues.patch b/queue-6.18/xsk-fix-xdp_umem_sg_flag-issues.patch new file mode 100644 index 0000000000..a1c02a1c4d --- /dev/null +++ b/queue-6.18/xsk-fix-xdp_umem_sg_flag-issues.patch @@ -0,0 +1,62 @@ +From 7f925409e6ad12695469eafc2b399b0241c554f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:53 +0200 +Subject: xsk: fix XDP_UMEM_SG_FLAG issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 93e84fe45b752d17a5a46b306ed78f0133bbc719 ] + +Currently xp_assign_dev_shared() is missing XDP_USE_SG being propagated +to flags so set it in order to preserve mtu check that is supposed to be +done only when no multi-buffer setup is in picture. + +Also, this flag has the same value as XDP_UMEM_TX_SW_CSUM so we could +get unexpected SG setups for software Tx checksums. Since csum flag is +UAPI, modify value of XDP_UMEM_SG_FLAG. + +Fixes: d609f3d228a8 ("xsk: add multi-buffer support for sockets sharing umem") +Reviewed-by: Björn Töpel +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-4-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/xdp_sock.h | 2 +- + net/xdp/xsk_buff_pool.c | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h +index ce587a2256618..7c2bc46c67050 100644 +--- a/include/net/xdp_sock.h ++++ b/include/net/xdp_sock.h +@@ -14,7 +14,7 @@ + #include + #include + +-#define XDP_UMEM_SG_FLAG (1 << 1) ++#define XDP_UMEM_SG_FLAG BIT(3) + + struct net_device; + struct xsk_queue; +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index aa9788f20d0db..677c7d00f8c32 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -259,6 +259,10 @@ int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs, + return -EINVAL; + + flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY; ++ ++ if (umem->flags & XDP_UMEM_SG_FLAG) ++ flags |= XDP_USE_SG; ++ + if (umem_xs->pool->uses_need_wakeup) + flags |= XDP_USE_NEED_WAKEUP; + +-- +2.53.0 + diff --git a/queue-6.18/xsk-respect-tailroom-for-zc-setups.patch b/queue-6.18/xsk-respect-tailroom-for-zc-setups.patch new file mode 100644 index 0000000000..e7f1407f92 --- /dev/null +++ b/queue-6.18/xsk-respect-tailroom-for-zc-setups.patch @@ -0,0 +1,123 @@ +From 99f84c314d103d6ea1745c694f826b18eba7042f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:52 +0200 +Subject: xsk: respect tailroom for ZC setups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 1ee1605138fc94cc8f8f273321dd2471c64977f9 ] + +Multi-buffer XDP stores information about frags in skb_shared_info that +sits at the tailroom of a packet. The storage space is reserved via +xdp_data_hard_end(): + + ((xdp)->data_hard_start + (xdp)->frame_sz - \ + SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) + +and then we refer to it via macro below: + +static inline struct skb_shared_info * +xdp_get_shared_info_from_buff(const struct xdp_buff *xdp) +{ + return (struct skb_shared_info *)xdp_data_hard_end(xdp); +} + +Currently we do not respect this tailroom space in multi-buffer AF_XDP +ZC scenario. To address this, introduce xsk_pool_get_tailroom() and use +it within xsk_pool_get_rx_frame_size() which is used in ZC drivers to +configure length of HW Rx buffer. + +Typically drivers on Rx Hw buffers side work on 128 byte alignment so +let us align the value returned by xsk_pool_get_rx_frame_size() in order +to avoid addressing this on driver's side. This addresses the fact that +idpf uses mentioned function *before* pool->dev being set so we were at +risk that after subtracting tailroom we would not provide 128-byte +aligned value to HW. + +Since xsk_pool_get_rx_frame_size() is actively used in xsk_rcv_check() +and __xsk_rcv(), add a variant of this routine that will not include 128 +byte alignment and therefore old behavior is preserved. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-3-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/xdp_sock_drv.h | 23 ++++++++++++++++++++++- + net/xdp/xsk.c | 4 ++-- + 2 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h +index 33e072768de9d..dd1d3a6e1b780 100644 +--- a/include/net/xdp_sock_drv.h ++++ b/include/net/xdp_sock_drv.h +@@ -37,16 +37,37 @@ static inline u32 xsk_pool_get_headroom(struct xsk_buff_pool *pool) + return XDP_PACKET_HEADROOM + pool->headroom; + } + ++static inline u32 xsk_pool_get_tailroom(bool mbuf) ++{ ++ return mbuf ? SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) : 0; ++} ++ + static inline u32 xsk_pool_get_chunk_size(struct xsk_buff_pool *pool) + { + return pool->chunk_size; + } + +-static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) ++static inline u32 __xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) + { + return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool); + } + ++static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) ++{ ++ u32 frame_size = __xsk_pool_get_rx_frame_size(pool); ++ struct xdp_umem *umem = pool->umem; ++ bool mbuf; ++ ++ /* Reserve tailroom only for zero-copy pools that opted into ++ * multi-buffer. The reserved area is used for skb_shared_info, ++ * matching the XDP core's xdp_data_hard_end() layout. ++ */ ++ mbuf = pool->dev && (umem->flags & XDP_UMEM_SG_FLAG); ++ frame_size -= xsk_pool_get_tailroom(mbuf); ++ ++ return ALIGN_DOWN(frame_size, 128); ++} ++ + static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool) + { + return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool); +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index a78cdc3356937..259ad9a3abcc4 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -239,7 +239,7 @@ static u32 xsk_copy_xdp(void *to, void **from, u32 to_len, + + static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) + { +- u32 frame_size = xsk_pool_get_rx_frame_size(xs->pool); ++ u32 frame_size = __xsk_pool_get_rx_frame_size(xs->pool); + void *copy_from = xsk_copy_xdp_start(xdp), *copy_to; + u32 from_len, meta_len, rem, num_desc; + struct xdp_buff_xsk *xskb; +@@ -338,7 +338,7 @@ static int xsk_rcv_check(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) + if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) + return -EINVAL; + +- if (len > xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) { ++ if (len > __xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) { + xs->rx_dropped++; + return -ENOSPC; + } +-- +2.53.0 + diff --git a/queue-6.18/xsk-tighten-umem-headroom-validation-to-account-for-.patch b/queue-6.18/xsk-tighten-umem-headroom-validation-to-account-for-.patch new file mode 100644 index 0000000000..9cbb29cc7f --- /dev/null +++ b/queue-6.18/xsk-tighten-umem-headroom-validation-to-account-for-.patch @@ -0,0 +1,53 @@ +From 65816e29943d79ec0d4308f8e14290f16589b8c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:51 +0200 +Subject: xsk: tighten UMEM headroom validation to account for tailroom and min + frame +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ] + +The current headroom validation in xdp_umem_reg() could leave us with +insufficient space dedicated to even receive minimum-sized ethernet +frame. Furthermore if multi-buffer would come to play then +skb_shared_info stored at the end of XSK frame would be corrupted. + +HW typically works with 128-aligned sizes so let us provide this value +as bare minimum. + +Multi-buffer setting is known later in the configuration process so +besides accounting for 128 bytes, let us also take care of tailroom space +upfront. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 9f76ca591d54f..9ec7bd948acc7 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -202,7 +202,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (!unaligned_chunks && chunks_rem) + return -EINVAL; + +- if (headroom >= chunk_size - XDP_PACKET_HEADROOM) ++ if (headroom > chunk_size - XDP_PACKET_HEADROOM - ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128) + return -EINVAL; + + if (mr->flags & XDP_UMEM_TX_METADATA_LEN) { +-- +2.53.0 + diff --git a/queue-6.18/xsk-validate-mtu-against-usable-frame-size-on-bind.patch b/queue-6.18/xsk-validate-mtu-against-usable-frame-size-on-bind.patch new file mode 100644 index 0000000000..c210c28283 --- /dev/null +++ b/queue-6.18/xsk-validate-mtu-against-usable-frame-size-on-bind.patch @@ -0,0 +1,99 @@ +From e76fd8d1b687d6f3b3475f2bf5ee669fe6b498e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:54 +0200 +Subject: xsk: validate MTU against usable frame size on bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 36ee60b569ba0dfb6f961333b90d19ab5b323fa9 ] + +AF_XDP bind currently accepts zero-copy pool configurations without +verifying that the device MTU fits into the usable frame space provided +by the UMEM chunk. + +This becomes a problem since we started to respect tailroom which is +subtracted from chunk_size (among with headroom). 2k chunk size might +not provide enough space for standard 1500 MTU, so let us catch such +settings at bind time. Furthermore, validate whether underlying HW will +be able to satisfy configured MTU wrt XSK's frame size multiplied by +supported Rx buffer chain length (that is exposed via +net_device::xdp_zc_max_segs). + +Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX") +Reviewed-by: Björn Töpel +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-5-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_buff_pool.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 677c7d00f8c32..a129ce6f1c25f 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -10,6 +10,8 @@ + #include "xdp_umem.h" + #include "xsk.h" + ++#define ETH_PAD_LEN (ETH_HLEN + 2 * VLAN_HLEN + ETH_FCS_LEN) ++ + void xp_add_xsk(struct xsk_buff_pool *pool, struct xdp_sock *xs) + { + unsigned long flags; +@@ -165,8 +167,12 @@ static void xp_disable_drv_zc(struct xsk_buff_pool *pool) + int xp_assign_dev(struct xsk_buff_pool *pool, + struct net_device *netdev, u16 queue_id, u16 flags) + { ++ u32 needed = netdev->mtu + ETH_PAD_LEN; ++ u32 segs = netdev->xdp_zc_max_segs; ++ bool mbuf = flags & XDP_USE_SG; + bool force_zc, force_copy; + struct netdev_bpf bpf; ++ u32 frame_size; + int err = 0; + + ASSERT_RTNL(); +@@ -186,7 +192,7 @@ int xp_assign_dev(struct xsk_buff_pool *pool, + if (err) + return err; + +- if (flags & XDP_USE_SG) ++ if (mbuf) + pool->umem->flags |= XDP_UMEM_SG_FLAG; + + if (flags & XDP_USE_NEED_WAKEUP) +@@ -208,8 +214,24 @@ int xp_assign_dev(struct xsk_buff_pool *pool, + goto err_unreg_pool; + } + +- if (netdev->xdp_zc_max_segs == 1 && (flags & XDP_USE_SG)) { +- err = -EOPNOTSUPP; ++ if (mbuf) { ++ if (segs == 1) { ++ err = -EOPNOTSUPP; ++ goto err_unreg_pool; ++ } ++ } else { ++ segs = 1; ++ } ++ ++ /* open-code xsk_pool_get_rx_frame_size() as pool->dev is not ++ * set yet at this point; we are before getting down to driver ++ */ ++ frame_size = __xsk_pool_get_rx_frame_size(pool) - ++ xsk_pool_get_tailroom(mbuf); ++ frame_size = ALIGN_DOWN(frame_size, 128); ++ ++ if (needed > frame_size * segs) { ++ err = -EINVAL; + goto err_unreg_pool; + } + +-- +2.53.0 + diff --git a/queue-6.19/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch b/queue-6.19/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch new file mode 100644 index 0000000000..7b909ccd3f --- /dev/null +++ b/queue-6.19/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch @@ -0,0 +1,75 @@ +From 024e9d9a45af1fc9282fa5a7a3cbfba7296131ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 16:00:14 +0800 +Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock + +From: Jiexun Wang + +[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ] + +Exact UNIX diag lookups hold a reference to the socket, but not to +u->path. Meanwhile, unix_release_sock() clears u->path under +unix_state_lock() and drops the path reference after unlocking. + +Read the inode and device numbers for UNIX_DIAG_VFS while holding +unix_state_lock(), then emit the netlink attribute after dropping the +lock. + +This keeps the VFS data stable while the reply is being built. + +Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index ca34730261510..c9c1e51c44196 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -28,18 +28,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + + static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) + { +- struct dentry *dentry = unix_sk(sk)->path.dentry; ++ struct unix_diag_vfs uv; ++ struct dentry *dentry; ++ bool have_vfs = false; + ++ unix_state_lock(sk); ++ dentry = unix_sk(sk)->path.dentry; + if (dentry) { +- struct unix_diag_vfs uv = { +- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, +- .udiag_vfs_dev = dentry->d_sb->s_dev, +- }; +- +- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); ++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino; ++ uv.udiag_vfs_dev = dentry->d_sb->s_dev; ++ have_vfs = true; + } ++ unix_state_unlock(sk); + +- return 0; ++ if (!have_vfs) ++ return 0; ++ ++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); + } + + static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb) +-- +2.53.0 + diff --git a/queue-6.19/alsa-asihpi-avoid-write-overflow-check-warning.patch b/queue-6.19/alsa-asihpi-avoid-write-overflow-check-warning.patch new file mode 100644 index 0000000000..7abbb7725a --- /dev/null +++ b/queue-6.19/alsa-asihpi-avoid-write-overflow-check-warning.patch @@ -0,0 +1,55 @@ +From 2ff0998f9ce7c19dd4d9198683c2a83c377f8636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 13:40:07 +0100 +Subject: ALSA: asihpi: avoid write overflow check warning + +From: Arnd Bergmann + +[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ] + +clang-22 rightfully warns that the memcpy() in adapter_prepare() copies +between different structures, crossing the boundary of nested +structures inside it: + +In file included from sound/pci/asihpi/hpimsgx.c:13: +In file included from include/linux/string.h:386: +include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + 569 | __write_overflow_field(p_size_field, size); + +The two structures seem to refer to the same layout, despite the +separate definitions, so the code is in fact correct. + +Avoid the warning by copying the two inner structures separately. +I see the same pattern happens in other functions in the same file, +so there is a chance that this may come back in the future, but +this instance is the only one that I saw in practice, hitting it +multiple times per day in randconfig build. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpimsgx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c +index b68e6bfbbfbab..ed1c7b7744361 100644 +--- a/sound/pci/asihpi/hpimsgx.c ++++ b/sound/pci/asihpi/hpimsgx.c +@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter) + HPI_ADAPTER_OPEN); + hm.adapter_index = adapter; + hw_entry_point(&hm, &hr); +- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr, +- sizeof(rESP_HPI_ADAPTER_OPEN[0])); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h)); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a)); + if (hr.error) + return hr.error; + +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch b/queue-6.19/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch new file mode 100644 index 0000000000..c2025a22c9 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch @@ -0,0 +1,36 @@ +From 874941e4a61832a8e6dc87e607e7a07550bb2be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 01:08:51 +0000 +Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk + +From: Andrii Kovalchuk + +[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ] + +Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756) +to enable proper mute LED and mic mute behavior using the +ALC245_FIXUP_HP_X360_MUTE_LEDS fixup. + +Signed-off-by: Andrii Kovalchuk +Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index cb39054bfe79c..cbe4bbf9b1171 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6888,6 +6888,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch b/queue-6.19/alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch new file mode 100644 index 0000000000..14aa0d9f25 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch @@ -0,0 +1,38 @@ +From 7b8e1eee8083c98f8f0b579f935912d8c5f0c20b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 22:07:50 +0530 +Subject: ALSA: hda/realtek: add HP Laptop 15-fd0xxx mute LED quirk + +From: Kshamendra Kumar Mishra + +[ Upstream commit faceb5cf5d7a08f4a40335d22d833bb75f05d99e ] + +HP Laptop 15-fd0xxx with ALC236 codec does not handle the toggling of +the mute LED. +This patch adds a quirk entry for subsystem ID 0x8dd7 using +ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 fixup, enabling correct mute LED +behavior. + +Signed-off-by: Kshamendra Kumar Mishra +Link: https://patch.msgid.link/DHAB51ISUM96.2K9SZIABIDEQ0@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 504edaf14d39a..8733f57c4aafe 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7135,6 +7135,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8da7, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8da8, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8dd4, "HP EliteStudio 8 AIO", ALC274_FIXUP_HP_AIO_BIND_DACS), ++ SND_PCI_QUIRK(0x103c, 0x8dd7, "HP Laptop 15-fd0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8de8, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2), + SND_PCI_QUIRK(0x103c, 0x8de9, "HP Gemtree", ALC245_FIXUP_TAS2781_SPI_2), + SND_PCI_QUIRK(0x103c, 0x8dec, "HP EliteBook 640 G12", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-6.19/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..c7b447d92e --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch @@ -0,0 +1,45 @@ +From 378c61dd2819660868628664d9586b9a1f9c4201 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Mar 2026 10:36:03 -0500 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: César Montoya + +[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ] + +The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek +ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The +existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly, +but the subsystem ID was missing from the quirk table. + +GPIO pin confirmed via manual hda-verb testing: + hda-verb SET_GPIO_MASK 0x10 + hda-verb SET_GPIO_DIRECTION 0x10 + hda-verb SET_GPIO_DATA 0x10 + +Signed-off-by: César Montoya +Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 26e2e7befd60d..504edaf14d39a 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6902,6 +6902,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch new file mode 100644 index 0000000000..9de4f101d4 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch @@ -0,0 +1,35 @@ +From 0d443741ddbe44b17e205b44745ba30ed4974dd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:25:03 -0700 +Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC + +From: Matthew Schwartz + +[ Upstream commit 59f68dc1d8df3142cb58fd2568966a9bb7b0ed8a ] + +Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model, +similar to the ASUS ROG Flow Z13 GZ302EA. + +Signed-off-by: Matthew Schwartz +Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index ce9cb7614bec7..26e2e7befd60d 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7243,6 +7243,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x1514, "ASUS ROG Flow Z13 GZ302EAC", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch new file mode 100644 index 0000000000..6d9b04e25c --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch @@ -0,0 +1,38 @@ +From 33a18fd8f58e8a242bdd507f4e7cc4f0acfdccc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 10:54:40 -0500 +Subject: ALSA: hda/realtek: add quirk for Framework F111:000F + +From: Dustin L. Howett + +[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ] + +Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for +Framework F111:000C") and previous quirks for Framework systems with +Realtek codecs. + +000F is another new platform with an ALC285 which needs the same quirk. + +Signed-off-by: Dustin L. Howett +Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 1791ed0f3b4df..e3277293dac6a 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7760,6 +7760,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 + /* Below is a quirk table taken from the old code. +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch new file mode 100644 index 0000000000..1e8eff1ca2 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch @@ -0,0 +1,38 @@ +From e5302f0eb733db1dea156070e5002c9d16c9edaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 16:06:24 +0800 +Subject: ALSA: hda/realtek: add quirk for Lenovo Yoga 7 2-in-1 16AKP10 + +From: Zhang Heng + +[ Upstream commit 7bae956cac0433c4d41aac9f1d04e42694e0b706 ] + +This machine is equipped with ALC287 and requires the quirk +ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN to fix the issue +where the bass speakers are not configured and the speaker +volume cannot be controlled. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221210 +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260313080624.1395362-1-zhangheng@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index cbe4bbf9b1171..ce9cb7614bec7 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7613,6 +7613,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38ab, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD), + SND_PCI_QUIRK(0x17aa, 0x38b4, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2), + HDA_CODEC_QUIRK(0x17aa, 0x391c, "Lenovo Yoga 7 2-in-1 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), ++ HDA_CODEC_QUIRK(0x17aa, 0x391d, "Lenovo Yoga 7 2-in-1 16AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x38b5, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38b6, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38b7, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch new file mode 100644 index 0000000000..5a42e0e431 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch @@ -0,0 +1,58 @@ +From c81ae8bd4ad62c829fd8561f77e84a3b1523b262 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 11:29:28 +0300 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9 + +From: Alexander Savenko + +[ Upstream commit 217d5bc9f96272316ac5a3215c7cc32a5127bbf3 ] + +The Lenovo Yoga Pro 7 14IMH9 (DMI: 83E2) shares PCI SSID 17aa:3847 +with the Legion 7 16ACHG6, but has a different codec subsystem ID +(17aa:38cf). The existing SND_PCI_QUIRK for 17aa:3847 applies +ALC287_FIXUP_LEGION_16ACHG6, which attempts to initialize an external +I2C amplifier (CLSA0100) that is not present on the Yoga Pro 7 14IMH9. + +As a result, pin 0x17 (bass speakers) is connected to DAC 0x06 which +has no volume control, making hardware volume adjustment completely +non-functional. Audio is either silent or at maximum volume regardless +of the slider position. + +Add a HDA_CODEC_QUIRK entry using the codec subsystem ID (17aa:38cf) +to correctly identify the Yoga Pro 7 14IMH9 and apply +ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN, which redirects pin 0x17 to +DAC 0x02 and restores proper volume control. The existing Legion entry +is preserved unchanged. + +This follows the same pattern used for 17aa:386e, where Legion Y9000X +and Yoga Pro 7 14ARP8 share a PCI SSID but are distinguished via +HDA_CODEC_QUIRK. + +Link: https://github.com/nomad4tech/lenovo-yoga-pro-7-linux +Tested-by: Alexander Savenko +Signed-off-by: Alexander Savenko +Link: https://patch.msgid.link/20260331082929.44890-1-alex.sav4387@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index edbac69d3d99d..26bf942f0afb0 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7606,6 +7606,10 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x383d, "Legion Y9000X 2019", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3843, "Lenovo Yoga 9i / Yoga Book 9i", ALC287_FIXUP_LENOVO_YOGA_BOOK_9I), ++ /* Yoga Pro 7 14IMH9 shares PCI SSID 17aa:3847 with Legion 7 16ACHG6; ++ * use codec SSID to distinguish them ++ */ ++ HDA_CODEC_QUIRK(0x17aa, 0x38cf, "Lenovo Yoga Pro 7 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3847, "Legion 7 16ACHG6", ALC287_FIXUP_LEGION_16ACHG6), + SND_PCI_QUIRK(0x17aa, 0x384a, "Lenovo Yoga 7 15ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3852, "Lenovo Yoga 7 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-618 b/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-618 new file mode 100644 index 0000000000..d9ecbc21d8 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-618 @@ -0,0 +1,41 @@ +From 22a38adf356262222cf0e720c5c33fe8f4ab946a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 09:26:51 +0800 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 + +From: songxiebing + +[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ] + +The bass speakers are not working, and add the following entry +in /etc/modprobe.d/snd.conf: +options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin +Fixes the bass speakers. + +So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here. + +Reported-by: Fernando Garcia Corona +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317 +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 26bf942f0afb0..d954de3fd225e 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7671,6 +7671,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38fd, "ThinkBook plus Gen5 Hybrid", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), + SND_PCI_QUIRK(0x17aa, 0x391a, "Lenovo Yoga Slim 7 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TXNW2781_I2C), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch new file mode 100644 index 0000000000..5759172206 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch @@ -0,0 +1,42 @@ +From b94400dd85bbb6424efebb45c1b1b2ab538bd6ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 11:36:50 +0800 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Slim 7 14AKP10 + +From: songxiebing + +[ Upstream commit e6c888202297eca21860b669edb74fc600e679d9 ] + +The Pin Complex 0x17 (bass/woofer speakers) is incorrectly reported as +unconnected in the BIOS (pin default 0x411111f0 = N/A). This causes the +kernel to configure speaker_outs=0, meaning only the tweeters (pin 0x14) +are used. The result is very low, tinny audio with no bass. + +The existing quirk ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN (already present +in patch_realtek.c for SSID 0x17aa3801) fixes the issue completely. + +Reported-by: Garcicasti +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221298 +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20260331033650.285601-1-songxiebing@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 61ca80ff3757b..edbac69d3d99d 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7668,6 +7668,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), ++ SND_PCI_QUIRK(0x17aa, 0x391a, "Lenovo Yoga Slim 7 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TXNW2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3920, "Yoga S990-16 pro Quad VECO Quad", ALC287_FIXUP_TXNW2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3929, "Thinkbook 13x Gen 5", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch new file mode 100644 index 0000000000..a27f3c968f --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch @@ -0,0 +1,36 @@ +From c5dfc7cc7aedda14cd074e9faae29cd7ad6070c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 18:22:20 +0200 +Subject: ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED) + +From: Takashi Iwai + +[ Upstream commit ea31be8a2c8c99eac198f3b7f2dc770111f2b182 ] + +There is another Book2 Pro model (NP950QED) that seems equipped with +the same speaker module as the non-360 model, which requires +ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS quirk. + +Reported-by: Throw +Link: https://patch.msgid.link/20260330162249.147665-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index e3277293dac6a..61ca80ff3757b 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7410,6 +7410,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x144d, 0xc188, "Samsung Galaxy Book Flex (NT950QCT-A38A)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Book Flex (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc1ac, "Samsung Galaxy Book2 Pro 360 (NP950QED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS), + SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a6, "Samsung Galaxy Book Pro 360 (NP930QBD)", ALC298_FIXUP_SAMSUNG_AMP), +-- +2.53.0 + diff --git a/queue-6.19/alsa-hda-realtek-fixed-speaker-mute-led-for-hp-elite.patch b/queue-6.19/alsa-hda-realtek-fixed-speaker-mute-led-for-hp-elite.patch new file mode 100644 index 0000000000..1db321954d --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-fixed-speaker-mute-led-for-hp-elite.patch @@ -0,0 +1,76 @@ +From 3efe2344bd164e720f4708bb93a4009e42f2c2ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 15:49:46 +0800 +Subject: ALSA: hda/realtek - Fixed Speaker Mute LED for HP EliteBoard G1a + platform + +From: Kailang Yang + +[ Upstream commit d3be95efc6a1e03230ef646b498050152efe2888 ] + +On the HP EliteBoard G1a platform (models without a headphone jack). +the speaker mute LED failed to function. The Sysfs ctl-led info showed +empty values because the standard LED registration couldn't correctly +bind to the master switch. +Adding this patch will fix and enable the speaker mute LED feature. + +Tested-by: Chris Chiu +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/279e929e884849df84687dbd67f20037@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 8733f57c4aafe..1791ed0f3b4df 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -3725,22 +3725,42 @@ static void alc245_tas2781_spi_hp_fixup_muteled(struct hda_codec *codec, + alc_fixup_hp_gpio_led(codec, action, 0x04, 0x0); + alc285_fixup_hp_coef_micmute_led(codec, fix, action); + } ++ ++static void alc245_hp_spk_mute_led_update(void *private_data, int enabled) ++{ ++ struct hda_codec *codec = private_data; ++ unsigned int val; ++ ++ val = enabled ? 0x08 : 0x04; /* 0x08 led on, 0x04 led off */ ++ alc_update_coef_idx(codec, 0x0b, 0x0c, val); ++} ++ + /* JD2: mute led GPIO3: micmute led */ + static void alc245_tas2781_i2c_hp_fixup_muteled(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { + struct alc_spec *spec = codec->spec; ++ hda_nid_t hp_pin = alc_get_hp_pin(spec); + static const hda_nid_t conn[] = { 0x02 }; + + switch (action) { + case HDA_FIXUP_ACT_PRE_PROBE: ++ if (!hp_pin) { ++ spec->gen.vmaster_mute.hook = alc245_hp_spk_mute_led_update; ++ spec->gen.vmaster_mute_led = 1; ++ } + spec->gen.auto_mute_via_amp = 1; + snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn); + break; ++ case HDA_FIXUP_ACT_INIT: ++ if (!hp_pin) ++ alc245_hp_spk_mute_led_update(codec, !spec->gen.master_mute); ++ break; + } + + tas2781_fixup_txnw_i2c(codec, fix, action); +- alc245_fixup_hp_mute_led_coefbit(codec, fix, action); ++ if (hp_pin) ++ alc245_fixup_hp_mute_led_coefbit(codec, fix, action); + alc285_fixup_hp_coef_micmute_led(codec, fix, action); + } + /* +-- +2.53.0 + diff --git a/queue-6.19/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch b/queue-6.19/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch new file mode 100644 index 0000000000..6bd4a046f7 --- /dev/null +++ b/queue-6.19/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch @@ -0,0 +1,41 @@ +From 3ce4e45298664247a0555e4fa0015e7ca0d1e898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2026 08:07:34 +0000 +Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex + +From: Phil Willoughby + +[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ] + +The NeuralDSP Quad Cortex does not support DSD playback. We need +this product-specific entry with zero quirks because otherwise it +falls through to the vendor-specific entry which marks it as +supporting DSD playback. + +Cc: Yue Wang +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Signed-off-by: Phil Willoughby +Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index a56fb8ef987ea..1686022db0adf 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2299,6 +2299,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */ + QUIRK_FLAG_IGNORE_CTL_ERROR), ++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */ ++ 0), /* Doesn't have the vendor quirk which would otherwise apply */ + DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */ + QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY), + DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */ +-- +2.53.0 + diff --git a/queue-6.19/alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch b/queue-6.19/alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch new file mode 100644 index 0000000000..472aeef9c2 --- /dev/null +++ b/queue-6.19/alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch @@ -0,0 +1,41 @@ +From d699e8c9bb887593fee4d232233952ec36ae28a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 18:25:27 +0800 +Subject: ALSA:usb:qcom: add AUXILIARY_BUS to Kconfig dependencies + +From: Frank Zhang + +[ Upstream commit b8bee48e38f2ddbdba5e58bc54ef54bb7d8d341b ] + +The build can fail with: + +ERROR: modpost: "__auxiliary_driver_register" +[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined! +ERROR: modpost: "auxiliary_driver_unregister" +[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined! + +Select AUXILIARY_BUS when SND_USB_AUDIO_QMI is enabled. + +Signed-off-by: Frank Zhang +Link: https://patch.msgid.link/20260317102527.556248-1-rmxpzlb@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/usb/Kconfig b/sound/usb/Kconfig +index 9b890abd96d34..b4588915efa11 100644 +--- a/sound/usb/Kconfig ++++ b/sound/usb/Kconfig +@@ -192,6 +192,7 @@ config SND_USB_AUDIO_QMI + tristate "Qualcomm Audio Offload driver" + depends on QCOM_QMI_HELPERS && SND_USB_AUDIO && SND_SOC_USB + depends on USB_XHCI_HCD && USB_XHCI_SIDEBAND ++ select AUXILIARY_BUS + help + Say Y here to enable the Qualcomm USB audio offloading feature. + +-- +2.53.0 + diff --git a/queue-6.19/arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch b/queue-6.19/arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch new file mode 100644 index 0000000000..d71e8169ea --- /dev/null +++ b/queue-6.19/arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch @@ -0,0 +1,40 @@ +From 0084c20c7b7994d9861a5618271a0c231f4d005f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 11:07:35 +0200 +Subject: ARM: dts: microchip: sam9x7: fix gpio-lines count for pioB + +From: Mihai Sain + +[ Upstream commit 907150bbe566e23714a25d7bcb910f236c3c44c0 ] + +The pioB controller on the SAM9X7 SoC actually supports 27 GPIO lines. +The previous value of 26 was incorrect, leading to the last pin being +unavailable for use by the GPIO subsystem. +Update the #gpio-lines property to reflect +the correct hardware specification. + +Fixes: 41af45af8bc3 ("ARM: dts: at91: sam9x7: add device tree for SoC") +Signed-off-by: Mihai Sain +Link: https://lore.kernel.org/r/20260209090735.2016-1-mihai.sain@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/microchip/sam9x7.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/microchip/sam9x7.dtsi b/arch/arm/boot/dts/microchip/sam9x7.dtsi +index 46dacbbd201dd..d242d7a934d0f 100644 +--- a/arch/arm/boot/dts/microchip/sam9x7.dtsi ++++ b/arch/arm/boot/dts/microchip/sam9x7.dtsi +@@ -1226,7 +1226,7 @@ pioB: gpio@fffff600 { + interrupt-controller; + #gpio-cells = <2>; + gpio-controller; +- #gpio-lines = <26>; ++ #gpio-lines = <27>; + clocks = <&pmc PMC_TYPE_PERIPHERAL 3>; + }; + +-- +2.53.0 + diff --git a/queue-6.19/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch b/queue-6.19/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch new file mode 100644 index 0000000000..dcd43d24af --- /dev/null +++ b/queue-6.19/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch @@ -0,0 +1,39 @@ +From 97053d550e131c6277b191714c9bcf3312fdb06a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 00:28:28 +0100 +Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency + +From: Sebastian Krzyszkowiak + +[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ] + +According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum +frequency is 400MHz. + +Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node") +Reviewed-by: Frank Li +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Peng Fan +Reviewed-by: Fabio Estevam +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index 607962f807beb..6a25e219832ce 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -1632,7 +1632,7 @@ gpu: gpu@38000000 { + <&clk IMX8MQ_GPU_PLL_OUT>, + <&clk IMX8MQ_GPU_PLL>; + assigned-clock-rates = <800000000>, <800000000>, +- <800000000>, <800000000>, <0>; ++ <800000000>, <400000000>, <0>; + power-domains = <&pgc_gpu>; + }; + +-- +2.53.0 + diff --git a/queue-6.19/arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch b/queue-6.19/arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch new file mode 100644 index 0000000000..3a59e8a631 --- /dev/null +++ b/queue-6.19/arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch @@ -0,0 +1,63 @@ +From a2e5551a4dc8733e73d8dcb4192fcaf78d9c8784 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 16:50:13 +0100 +Subject: arm64: dts: imx91-tqma9131: improve eMMC pad configuration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Niebel + +[ Upstream commit 44db7bc66eb38e85bb32777c5fd3a4e7baa84147 ] + +Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve +stability and detection at low temperatures under -25°C. + +Fixes: e71db39f0c7c ("arm64: dts: freescale: add initial device tree for TQMa91xx/MBa91xxCA") +Signed-off-by: Markus Niebel +Signed-off-by: Alexander Stein +Reviewed-by: Frank Li +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + .../boot/dts/freescale/imx91-tqma9131.dtsi | 20 +++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi b/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi +index 5792952b7a8e1..c99d7bc168483 100644 +--- a/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx91-tqma9131.dtsi +@@ -272,20 +272,20 @@ pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp { + /* enable SION for data and cmd pad due to ERR052021 */ + pinctrl_usdhc1: usdhc1grp { + fsl,pins = /* PD | FSEL 3 | DSE X5 */ +- , ++ , + /* HYS | FSEL 0 | no drive */ + , + /* HYS | FSEL 3 | X5 */ +- , ++ , + /* HYS | FSEL 3 | X4 */ +- , +- , +- , +- , +- , +- , +- , +- ; ++ , ++ , ++ , ++ , ++ , ++ , ++ , ++ ; + }; + + pinctrl_wdog: wdoggrp { +-- +2.53.0 + diff --git a/queue-6.19/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch b/queue-6.19/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch new file mode 100644 index 0000000000..e00c366940 --- /dev/null +++ b/queue-6.19/arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch @@ -0,0 +1,56 @@ +From 2dcf28e0a81ab21a613794825f0c358c73f18745 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 19:23:08 +0800 +Subject: arm64: dts: imx93-9x9-qsb: change usdhc tuning step for eMMC and SD + +From: Luke Wang + +[ Upstream commit 08903184553def7ba1ad6ba4fa8afe1ba2ee0a21 ] + +During system resume, the following errors occurred: + + [ 430.638625] mmc1: error -84 writing Cache Enable bit + [ 430.643618] mmc1: error -84 doing runtime resume + +For eMMC and SD, there are two tuning pass windows and the gap between +those two windows may only have one cell. If tuning step > 1, the gap may +just be skipped and host assumes those two windows as a continuous +windows. This will cause a wrong delay cell near the gap to be selected. + +Set the tuning step to 1 to avoid selecting the wrong delay cell. + +For SDIO, the gap is sufficiently large, so the default tuning step does +not cause this issue. + +Fixes: 0565d20cd8c2 ("arm64: dts: freescale: Support i.MX93 9x9 Quick Start Board") +Signed-off-by: Luke Wang +Reviewed-by: Frank Li +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts +index 0852067eab2cb..197c8f8b7f669 100644 +--- a/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts ++++ b/arch/arm64/boot/dts/freescale/imx93-9x9-qsb.dts +@@ -507,6 +507,7 @@ &usdhc1 { + pinctrl-2 = <&pinctrl_usdhc1_200mhz>; + bus-width = <8>; + non-removable; ++ fsl,tuning-step = <1>; + status = "okay"; + }; + +@@ -519,6 +520,7 @@ &usdhc2 { + vmmc-supply = <®_usdhc2_vmmc>; + bus-width = <4>; + no-mmc; ++ fsl,tuning-step = <1>; + status = "okay"; + }; + +-- +2.53.0 + diff --git a/queue-6.19/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch b/queue-6.19/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch new file mode 100644 index 0000000000..564dbd5638 --- /dev/null +++ b/queue-6.19/arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch @@ -0,0 +1,67 @@ +From 0e8f1ab308fa1b5288750befad0686ad5d4b4c2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 16:50:14 +0100 +Subject: arm64: dts: imx93-tqma9352: improve eMMC pad configuration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Niebel + +[ Upstream commit b6c94c71f349479b76fcc0ef0dc7147f3f326dff ] + +Use DSE x4 an PullUp for CMD an DAT, DSE x4 and PullDown for CLK to improve +stability and detection at low temperatures under -25°C. + +Fixes: 0b5fdfaa8e45 ("arm64: dts: freescale: imx93-tqma9352: set SION for cmd and data pad of USDHC") +Signed-off-by: Markus Niebel +Signed-off-by: Alexander Stein +Reviewed-by: Frank Li +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + .../boot/dts/freescale/imx93-tqma9352.dtsi | 26 +++++++++---------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi +index 3a23e2eb9febe..ce34a296495c4 100644 +--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi +@@ -271,21 +271,21 @@ MX93_PAD_SD2_RESET_B__GPIO3_IO07 0x106 + /* enable SION for data and cmd pad due to ERR052021 */ + pinctrl_usdhc1: usdhc1grp { + fsl,pins = < +- /* PD | FSEL 3 | DSE X5 */ +- MX93_PAD_SD1_CLK__USDHC1_CLK 0x5be ++ /* PD | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_CLK__USDHC1_CLK 0x59e + /* HYS | FSEL 0 | no drive */ + MX93_PAD_SD1_STROBE__USDHC1_STROBE 0x1000 +- /* HYS | FSEL 3 | X5 */ +- MX93_PAD_SD1_CMD__USDHC1_CMD 0x400011be +- /* HYS | FSEL 3 | X4 */ +- MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000119e +- MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000119e +- MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000119e +- MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000119e +- MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000119e +- MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000119e +- MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000119e +- MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000119e ++ /* HYS | PU | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_CMD__USDHC1_CMD 0x4000139e ++ /* HYS | PU | FSEL 3 | DSE X4 */ ++ MX93_PAD_SD1_DATA0__USDHC1_DATA0 0x4000139e ++ MX93_PAD_SD1_DATA1__USDHC1_DATA1 0x4000139e ++ MX93_PAD_SD1_DATA2__USDHC1_DATA2 0x4000139e ++ MX93_PAD_SD1_DATA3__USDHC1_DATA3 0x4000139e ++ MX93_PAD_SD1_DATA4__USDHC1_DATA4 0x4000139e ++ MX93_PAD_SD1_DATA5__USDHC1_DATA5 0x4000139e ++ MX93_PAD_SD1_DATA6__USDHC1_DATA6 0x4000139e ++ MX93_PAD_SD1_DATA7__USDHC1_DATA7 0x4000139e + >; + }; + +-- +2.53.0 + diff --git a/queue-6.19/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch b/queue-6.19/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch new file mode 100644 index 0000000000..6e6b19f9f7 --- /dev/null +++ b/queue-6.19/arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch @@ -0,0 +1,49 @@ +From 2847d8e6fb20429a445db8e73548f2c012d7da1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Feb 2026 20:44:58 +0800 +Subject: arm64: dts: qcom: hamoa/x1: fix idle exit latency + +From: Daniel J Blueman + +[ Upstream commit 3ecea84d2b90bbf934d5ca75514fa902fd71e03f ] + +Designs based on the Qualcomm X1 Hamoa reference platform report: +driver: Idle state 1 target residency too low + +This is because the declared X1 idle entry plus exit latency of 680us +exceeds the declared minimum 600us residency time: + entry-latency-us = <180>; + exit-latency-us = <500>; + min-residency-us = <600>; + +Fix this to be 320us so the sum of the entry and exit latencies matches +the downstream 500us exit latency, as directed by Maulik. + +Tested on a Lenovo Yoga Slim 7x with Qualcomm X1E-80-100. + +Fixes: 2e65616ef07f ("arm64: dts: qcom: x1e80100: Update C4/C5 residency/exit numbers") +Signed-off-by: Daniel J Blueman +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20260220124626.8611-1-daniel@quora.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/hamoa.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/hamoa.dtsi b/arch/arm64/boot/dts/qcom/hamoa.dtsi +index 9e0934b302c3e..f1ebb99d94241 100644 +--- a/arch/arm64/boot/dts/qcom/hamoa.dtsi ++++ b/arch/arm64/boot/dts/qcom/hamoa.dtsi +@@ -269,7 +269,7 @@ cluster_c4: cpu-sleep-0 { + idle-state-name = "ret"; + arm,psci-suspend-param = <0x00000004>; + entry-latency-us = <180>; +- exit-latency-us = <500>; ++ exit-latency-us = <320>; + min-residency-us = <600>; + }; + }; +-- +2.53.0 + diff --git a/queue-6.19/arm64-dts-qcom-monaco-fix-uart10-pinconf.patch b/queue-6.19/arm64-dts-qcom-monaco-fix-uart10-pinconf.patch new file mode 100644 index 0000000000..3092a2679f --- /dev/null +++ b/queue-6.19/arm64-dts-qcom-monaco-fix-uart10-pinconf.patch @@ -0,0 +1,46 @@ +From eb238addb7a241cf77b682bddb4e048ab22a10cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 16:56:11 +0100 +Subject: arm64: dts: qcom: monaco: Fix UART10 pinconf + +From: Loic Poulain + +[ Upstream commit 5b2a16ab0dbd090dc545c05ee79a077cc7a9c1e0 ] + +UART10 RTS and TX pins were incorrectly mapped to gpio84 and gpio85. +Correct them to gpio85 (RTS) and gpio86 (TX) to match the hardware +I/O mapping. + +Fixes: 467284a3097f ("arm64: dts: qcom: qcs8300: Add QUPv3 configuration") +Signed-off-by: Loic Poulain +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20260202155611.1568-1-loic.poulain@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/monaco.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/monaco.dtsi b/arch/arm64/boot/dts/qcom/monaco.dtsi +index 816fa2af8a9a6..f74045be62420 100644 +--- a/arch/arm64/boot/dts/qcom/monaco.dtsi ++++ b/arch/arm64/boot/dts/qcom/monaco.dtsi +@@ -5437,12 +5437,12 @@ qup_uart10_cts: qup-uart10-cts-state { + }; + + qup_uart10_rts: qup-uart10-rts-state { +- pins = "gpio84"; ++ pins = "gpio85"; + function = "qup1_se2"; + }; + + qup_uart10_tx: qup-uart10-tx-state { +- pins = "gpio85"; ++ pins = "gpio86"; + function = "qup1_se2"; + }; + +-- +2.53.0 + diff --git a/queue-6.19/arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch b/queue-6.19/arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch new file mode 100644 index 0000000000..10637d48c6 --- /dev/null +++ b/queue-6.19/arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch @@ -0,0 +1,70 @@ +From 0453e536daf7161baa773fd5e79041e345634714 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Mar 2026 15:26:03 +0100 +Subject: arm64: dts: qcom: monaco: Reserve full Gunyah metadata region +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Loic Poulain + +[ Upstream commit 85d98669fa7f1d3041d962515e45ee6e392db6f8 ] + +We observe spurious "Synchronous External Abort" exceptions +(ESR=0x96000010) and kernel crashes on Monaco-based platforms. +These faults are caused by the kernel inadvertently accessing +hypervisor-owned memory that is not properly marked as reserved. + +>From boot log, The Qualcomm hypervisor reports the memory range +at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned: +qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0 + +However, the EFI memory map provided by firmware only reserves the +subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion +(0x91a88000–0x91afffff) is incorrectly reported as conventional +memory (from efi debug): +efi: 0x000091a40000-0x000091a87fff [Reserved...] +efi: 0x000091a88000-0x0000938fffff [Conventional...] + +As a result, the allocator may hand out PFNs inside the hypervisor +owned region, causing fatal aborts when the kernel accesses those +addresses. + +Add a reserved-memory carveout for the Gunyah hypervisor metadata +at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not +map or allocate from this area. + +For the record: +Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC) +UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1 + +Fixes: 7be190e4bdd2 ("arm64: dts: qcom: add QCS8300 platform") +Signed-off-by: Loic Poulain +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20260302142603.1113355-1-loic.poulain@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/monaco.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/monaco.dtsi b/arch/arm64/boot/dts/qcom/monaco.dtsi +index f74045be62420..a407f80bc5e1f 100644 +--- a/arch/arm64/boot/dts/qcom/monaco.dtsi ++++ b/arch/arm64/boot/dts/qcom/monaco.dtsi +@@ -757,6 +757,11 @@ smem_mem: smem@90900000 { + hwlocks = <&tcsr_mutex 3>; + }; + ++ gunyah_md_mem: gunyah-md-region@91a80000 { ++ reg = <0x0 0x91a80000 0x0 0x80000>; ++ no-map; ++ }; ++ + lpass_machine_learning_mem: lpass-machine-learning-region@93b00000 { + reg = <0x0 0x93b00000 0x0 0xf00000>; + no-map; +-- +2.53.0 + diff --git a/queue-6.19/arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch b/queue-6.19/arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch new file mode 100644 index 0000000000..e2d470946e --- /dev/null +++ b/queue-6.19/arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch @@ -0,0 +1,44 @@ +From 2edd24bc6a2b022d2c7aad63c28ebd203e1282b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Feb 2026 14:32:20 +0530 +Subject: arm64: dts: qcom: qcm6490-idp: Fix WCD9370 reset GPIO polarity + +From: Ravi Hothi + +[ Upstream commit b7df21c59739cceb7b866c6c5e8a6ba03875ab71 ] + +The WCD9370 audio codec reset line on QCM6490 IDP should be active-low, but +the device tree described it as active-high. As a result, the codec is +kept in reset and fails to reset the SoundWire, leading to timeouts +and ASoC card probe failure (-ETIMEDOUT). + +Fix the reset GPIO polarity to GPIO_ACTIVE_LOW so the codec can properly +initialize. + +Fixes: aa04c298619f ("arm64: dts: qcom: qcm6490-idp: Add WSA8830 speakers and WCD9370 headset codec") +Signed-off-by: Ravi Hothi +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20260220090220.2992193-1-ravi.hothi@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcm6490-idp.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/qcm6490-idp.dts b/arch/arm64/boot/dts/qcom/qcm6490-idp.dts +index 089a027c57d5c..b2f00e107643d 100644 +--- a/arch/arm64/boot/dts/qcom/qcm6490-idp.dts ++++ b/arch/arm64/boot/dts/qcom/qcm6490-idp.dts +@@ -177,7 +177,7 @@ wcd9370: audio-codec-0 { + pinctrl-0 = <&wcd_default>; + pinctrl-names = "default"; + +- reset-gpios = <&tlmm 83 GPIO_ACTIVE_HIGH>; ++ reset-gpios = <&tlmm 83 GPIO_ACTIVE_LOW>; + + vdd-buck-supply = <&vreg_l17b_1p7>; + vdd-rxtx-supply = <&vreg_l18b_1p8>; +-- +2.53.0 + diff --git a/queue-6.19/asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch b/queue-6.19/asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch new file mode 100644 index 0000000000..7d523e71be --- /dev/null +++ b/queue-6.19/asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch @@ -0,0 +1,45 @@ +From 85b64988db22a6c1d12c2d4ddb832bb765ee64e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Mar 2026 01:33:21 +0900 +Subject: ASoC: amd: acp: add ASUS HN7306EA quirk for legacy SDW machine + +From: Hasun Park + +[ Upstream commit 2594196f4e3bd70782e7cf1e22e3e398cdb74f78 ] + +Add a DMI quirk entry for ASUS HN7306EA in the ACP SoundWire legacy +machine driver. + +Set driver_data to ASOC_SDW_ACP_DMIC for this board so the +platform-specific DMIC quirk path is selected. + +Signed-off-by: Hasun Park +Link: https://patch.msgid.link/20260319163321.30326-1-hasunpark@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-sdw-legacy-mach.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c +index 4f92de33a71a0..2e0f751afe250 100644 +--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c ++++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c +@@ -111,6 +111,14 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = { + }, + .driver_data = (void *)(ASOC_SDW_CODEC_SPKR), + }, ++ { ++ .callback = soc_sdw_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HN7306EA"), ++ }, ++ .driver_data = (void *)(ASOC_SDW_ACP_DMIC), ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.19/asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch b/queue-6.19/asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch new file mode 100644 index 0000000000..3486ef4121 --- /dev/null +++ b/queue-6.19/asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch @@ -0,0 +1,59 @@ +From e4593b60f9f4cc820675a8326fcf1f22a1f43a27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 19:00:06 +0530 +Subject: ASoC: amd: acp: update DMI quirk and add ACP DMIC for Lenovo + platforms + +From: Syed Saba Kareem + +[ Upstream commit 6b6f7263d626886a96fce6352f94dfab7a24c339 ] + +Replace DMI_EXACT_MATCH with DMI_MATCH for Lenovo SKU entries (21YW, +21YX) so the quirk applies to all variants of these models, not just +exact SKU matches. + +Add ASOC_SDW_ACP_DMIC flag alongside ASOC_SDW_CODEC_SPKR in driver_data +for these Lenovo platform entries, as these platforms use ACP PDM DMIC +instead of SoundWire DMIC for digital microphone support. + +Fixes: 3acf517e1ae0 ("ASoC: amd: amd_sdw: add machine driver quirk for Lenovo models") +Tested-by: Mark Pearson +Reviewed-by: Mark Pearson +Signed-off-by: Syed Saba Kareem +Reviewed-by: Vijendar Mukunda +Link: https://patch.msgid.link/20260408133029.1368317-1-syed.sabakareem@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-sdw-legacy-mach.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c +index 2e0f751afe250..9d67443672768 100644 +--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c ++++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c +@@ -99,17 +99,17 @@ static const struct dmi_system_id soc_sdw_quirk_table[] = { + .callback = soc_sdw_quirk_cb, + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "21YW"), ++ DMI_MATCH(DMI_PRODUCT_SKU, "21YW"), + }, +- .driver_data = (void *)(ASOC_SDW_CODEC_SPKR), ++ .driver_data = (void *)((ASOC_SDW_CODEC_SPKR) | (ASOC_SDW_ACP_DMIC)), + }, + { + .callback = soc_sdw_quirk_cb, + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "21YX"), ++ DMI_MATCH(DMI_PRODUCT_SKU, "21YX"), + }, +- .driver_data = (void *)(ASOC_SDW_CODEC_SPKR), ++ .driver_data = (void *)((ASOC_SDW_CODEC_SPKR) | (ASOC_SDW_ACP_DMIC)), + }, + { + .callback = soc_sdw_quirk_cb, +-- +2.53.0 + diff --git a/queue-6.19/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch b/queue-6.19/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch new file mode 100644 index 0000000000..509f369301 --- /dev/null +++ b/queue-6.19/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch @@ -0,0 +1,47 @@ +From 87f2a043abb61674f5c64f4f1aa1a54d26e083a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 02:43:48 +0100 +Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gilson Marquato Júnior + +[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ] + +The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal +DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk +entry so the internal microphone is properly detected on this model. + +Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9). + +Signed-off-by: Gilson Marquato Júnior +Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 6f1c105ca77e3..4c0acdad13ea1 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = { + }; + + static const struct dmi_system_id yc_acp_quirk_table[] = { ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.53.0 + diff --git a/queue-6.19/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch b/queue-6.19/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch new file mode 100644 index 0000000000..7c740ef1b4 --- /dev/null +++ b/queue-6.19/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch @@ -0,0 +1,43 @@ +From f8ed14adef73d4f431d5da54b0f3939abfc100a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 21:25:12 +0700 +Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA + +From: Vee Satayamas + +[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ] + +Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the +internal microphone not being detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236 +Signed-off-by: Vee Satayamas +Reviewed-by: Zhang Heng +Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 1324543b42d72..c536de1bb94ad 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -717,6 +717,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.19/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch b/queue-6.19/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch new file mode 100644 index 0000000000..1874b537bc --- /dev/null +++ b/queue-6.19/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch @@ -0,0 +1,42 @@ +From 1c9db30cd2bd699d67f29e2e25c957462c2cb049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 16:02:18 +0800 +Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF + +From: Zhang Heng + +[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ] + +Add a DMI quirk for the Thin A15 B7VF fixing the issue where +the internal microphone was not detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833 +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index c536de1bb94ad..6f1c105ca77e3 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -724,6 +724,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.19/asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch b/queue-6.19/asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch new file mode 100644 index 0000000000..5ce591391f --- /dev/null +++ b/queue-6.19/asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch @@ -0,0 +1,56 @@ +From 2e0bbea1525c7fc77fee4acaf92bc98659f09e74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 10:54:58 +0200 +Subject: ASoC: Intel: avs: Fix memory leak in avs_register_i2s_test_boards() + +From: Cezary Rojewski + +[ Upstream commit c5408d818316061d6063c11a4f47f1ba25a3a708 ] + +Caller is responsible for freeing array allocated with +parse_int_array(). + +Found out by Coverity. + +Fixes: 7d859189de13 ("ASoC: Intel: avs: Allow to specify custom configurations with i2s_test") +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20260407085459.400628-1-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/board_selection.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/intel/avs/board_selection.c b/sound/soc/intel/avs/board_selection.c +index 52e6266a7cb86..96dc637ccb20c 100644 +--- a/sound/soc/intel/avs/board_selection.c ++++ b/sound/soc/intel/avs/board_selection.c +@@ -520,7 +520,8 @@ static int avs_register_i2s_test_boards(struct avs_dev *adev) + if (num_elems > max_ssps) { + dev_err(adev->dev, "board supports only %d SSP, %d specified\n", + max_ssps, num_elems); +- return -EINVAL; ++ ret = -EINVAL; ++ goto exit; + } + + for (ssp_port = 0; ssp_port < num_elems; ssp_port++) { +@@ -528,11 +529,13 @@ static int avs_register_i2s_test_boards(struct avs_dev *adev) + for_each_set_bit(tdm_slot, &tdm_slots, 16) { + ret = avs_register_i2s_test_board(adev, ssp_port, tdm_slot); + if (ret) +- return ret; ++ goto exit; + } + } + +- return 0; ++exit: ++ kfree(array); ++ return ret; + } + + static int avs_register_i2s_board(struct avs_dev *adev, struct snd_soc_acpi_mach *mach) +-- +2.53.0 + diff --git a/queue-6.19/asoc-sdca-add-asoc-jack-hookup-in-class-driver.patch b/queue-6.19/asoc-sdca-add-asoc-jack-hookup-in-class-driver.patch new file mode 100644 index 0000000000..365c250afe --- /dev/null +++ b/queue-6.19/asoc-sdca-add-asoc-jack-hookup-in-class-driver.patch @@ -0,0 +1,63 @@ +From 396b7eacf9e178392860b90f285bc47ec154d3e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 15:36:49 +0000 +Subject: ASoC: SDCA: Add ASoC jack hookup in class driver + +From: Charles Keepax + +[ Upstream commit 99a3ef1e81cd1775bc1f8cc2ad188b1fc755d5cd ] + +Add the necessary calls to the class driver to connect the ASoC jack +from the machine driver. + +Signed-off-by: Charles Keepax +Link: https://patch.msgid.link/20251215153650.3913117-4-ckeepax@opensource.cirrus.com +Reviewed-by: Bard Liao +Signed-off-by: Mark Brown +Stable-dep-of: 4e53116437e9 ("ASoC: SDCA: Fix errors in IRQ cleanup") +Signed-off-by: Sasha Levin +--- + sound/soc/sdca/sdca_class_function.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/sound/soc/sdca/sdca_class_function.c b/sound/soc/sdca/sdca_class_function.c +index 0028482a1e752..416948cfb5cb9 100644 +--- a/sound/soc/sdca/sdca_class_function.c ++++ b/sound/soc/sdca/sdca_class_function.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -195,6 +196,15 @@ static int class_function_component_probe(struct snd_soc_component *component) + return sdca_irq_populate(drv->function, component, core->irq_info); + } + ++static int class_function_set_jack(struct snd_soc_component *component, ++ struct snd_soc_jack *jack, void *d) ++{ ++ struct class_function_drv *drv = snd_soc_component_get_drvdata(component); ++ struct sdca_class_drv *core = drv->core; ++ ++ return sdca_jack_set_jack(core->irq_info, jack); ++} ++ + static const struct snd_soc_component_driver class_function_component_drv = { + .probe = class_function_component_probe, + .endianness = 1, +@@ -351,6 +361,9 @@ static int class_function_probe(struct auxiliary_device *auxdev, + return dev_err_probe(dev, PTR_ERR(drv->regmap), + "failed to create regmap"); + ++ if (desc->type == SDCA_FUNCTION_TYPE_UAJ) ++ cmp_drv->set_jack = class_function_set_jack; ++ + ret = sdca_asoc_populate_component(dev, drv->function, cmp_drv, + &dais, &num_dais, + &class_function_sdw_ops); +-- +2.53.0 + diff --git a/queue-6.19/asoc-sdca-fix-errors-in-irq-cleanup.patch b/queue-6.19/asoc-sdca-fix-errors-in-irq-cleanup.patch new file mode 100644 index 0000000000..f75a1c0191 --- /dev/null +++ b/queue-6.19/asoc-sdca-fix-errors-in-irq-cleanup.patch @@ -0,0 +1,204 @@ +From e32810cf7d569dc690ee9d2e0a99baefdec1542e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 14:14:49 +0000 +Subject: ASoC: SDCA: Fix errors in IRQ cleanup + +From: Charles Keepax + +[ Upstream commit 4e53116437e919c4b9a9d95fb73ae14fe0cfc8f9 ] + +IRQs are enabled through sdca_irq_populate() from component probe +using devm_request_threaded_irq(), this however means the IRQs can +persist if the sound card is torn down. Some of the IRQ handlers +store references to the card and the kcontrols which can then +fail. Some detail of the crash was explained in [1]. + +Generally it is not advised to use devm outside of bus probe, so +the code is updated to not use devm. The IRQ requests are not moved +to bus probe time as it makes passing the snd_soc_component into +the IRQs very awkward and would the require a second step once the +component is available, so it is simpler to just register the IRQs +at this point, even though that necessitates some manual cleanup. + +Link: https://lore.kernel.org/linux-sound/20260310183829.2907805-1-gaggery.tsai@intel.com/ [1] +Fixes: b126394d9ec6 ("ASoC: SDCA: Generic interrupt support") +Reported-by: Gaggery Tsai +Signed-off-by: Charles Keepax +Link: https://patch.msgid.link/20260316141449.2950215-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/sdca_interrupts.h | 5 ++ + sound/soc/sdca/sdca_class_function.c | 9 ++++ + sound/soc/sdca/sdca_interrupts.c | 77 ++++++++++++++++++++++++++-- + 3 files changed, 87 insertions(+), 4 deletions(-) + +diff --git a/include/sound/sdca_interrupts.h b/include/sound/sdca_interrupts.h +index 8f13417d129ab..90651fea5b212 100644 +--- a/include/sound/sdca_interrupts.h ++++ b/include/sound/sdca_interrupts.h +@@ -69,6 +69,8 @@ struct sdca_interrupt_info { + int sdca_irq_request(struct device *dev, struct sdca_interrupt_info *interrupt_info, + int sdca_irq, const char *name, irq_handler_t handler, + void *data); ++void sdca_irq_free(struct device *dev, struct sdca_interrupt_info *interrupt_info, ++ int sdca_irq, const char *name, void *data); + int sdca_irq_data_populate(struct device *dev, struct regmap *function_regmap, + struct snd_soc_component *component, + struct sdca_function_data *function, +@@ -81,6 +83,9 @@ int sdca_irq_populate_early(struct device *dev, struct regmap *function_regmap, + int sdca_irq_populate(struct sdca_function_data *function, + struct snd_soc_component *component, + struct sdca_interrupt_info *info); ++void sdca_irq_cleanup(struct sdca_function_data *function, ++ struct snd_soc_component *component, ++ struct sdca_interrupt_info *info); + struct sdca_interrupt_info *sdca_irq_allocate(struct device *dev, + struct regmap *regmap, int irq); + +diff --git a/sound/soc/sdca/sdca_class_function.c b/sound/soc/sdca/sdca_class_function.c +index 416948cfb5cb9..8b6b4ca998272 100644 +--- a/sound/soc/sdca/sdca_class_function.c ++++ b/sound/soc/sdca/sdca_class_function.c +@@ -196,6 +196,14 @@ static int class_function_component_probe(struct snd_soc_component *component) + return sdca_irq_populate(drv->function, component, core->irq_info); + } + ++static void class_function_component_remove(struct snd_soc_component *component) ++{ ++ struct class_function_drv *drv = snd_soc_component_get_drvdata(component); ++ struct sdca_class_drv *core = drv->core; ++ ++ sdca_irq_cleanup(drv->function, component, core->irq_info); ++} ++ + static int class_function_set_jack(struct snd_soc_component *component, + struct snd_soc_jack *jack, void *d) + { +@@ -207,6 +215,7 @@ static int class_function_set_jack(struct snd_soc_component *component, + + static const struct snd_soc_component_driver class_function_component_drv = { + .probe = class_function_component_probe, ++ .remove = class_function_component_remove, + .endianness = 1, + }; + +diff --git a/sound/soc/sdca/sdca_interrupts.c b/sound/soc/sdca/sdca_interrupts.c +index 49b675e601433..be269f204d623 100644 +--- a/sound/soc/sdca/sdca_interrupts.c ++++ b/sound/soc/sdca/sdca_interrupts.c +@@ -233,8 +233,7 @@ static int sdca_irq_request_locked(struct device *dev, + if (irq < 0) + return irq; + +- ret = devm_request_threaded_irq(dev, irq, NULL, handler, +- IRQF_ONESHOT, name, data); ++ ret = request_threaded_irq(irq, NULL, handler, IRQF_ONESHOT, name, data); + if (ret) + return ret; + +@@ -245,6 +244,22 @@ static int sdca_irq_request_locked(struct device *dev, + return 0; + } + ++static void sdca_irq_free_locked(struct device *dev, struct sdca_interrupt_info *info, ++ int sdca_irq, const char *name, void *data) ++{ ++ int irq; ++ ++ irq = regmap_irq_get_virq(info->irq_data, sdca_irq); ++ if (irq < 0) ++ return; ++ ++ free_irq(irq, data); ++ ++ info->irqs[sdca_irq].irq = 0; ++ ++ dev_dbg(dev, "freed irq %d for %s\n", irq, name); ++} ++ + /** + * sdca_irq_request - request an individual SDCA interrupt + * @dev: Pointer to the struct device against which things should be allocated. +@@ -283,6 +298,30 @@ int sdca_irq_request(struct device *dev, struct sdca_interrupt_info *info, + } + EXPORT_SYMBOL_NS_GPL(sdca_irq_request, "SND_SOC_SDCA"); + ++/** ++ * sdca_irq_free - free an individual SDCA interrupt ++ * @dev: Pointer to the struct device. ++ * @info: Pointer to the interrupt information structure. ++ * @sdca_irq: SDCA interrupt position. ++ * @name: Name to be given to the IRQ. ++ * @data: Private data pointer that will be passed to the handler. ++ * ++ * Typically this is handled internally by sdca_irq_cleanup, however if ++ * a device requires custom IRQ handling this can be called manually before ++ * calling sdca_irq_cleanup, which will then skip that IRQ whilst processing. ++ */ ++void sdca_irq_free(struct device *dev, struct sdca_interrupt_info *info, ++ int sdca_irq, const char *name, void *data) ++{ ++ if (sdca_irq < 0 || sdca_irq >= SDCA_MAX_INTERRUPTS) ++ return; ++ ++ guard(mutex)(&info->irq_lock); ++ ++ sdca_irq_free_locked(dev, info, sdca_irq, name, data); ++} ++EXPORT_SYMBOL_NS_GPL(sdca_irq_free, "SND_SOC_SDCA"); ++ + /** + * sdca_irq_data_populate - Populate common interrupt data + * @dev: Pointer to the Function device. +@@ -309,8 +348,8 @@ int sdca_irq_data_populate(struct device *dev, struct regmap *regmap, + if (!dev) + return -ENODEV; + +- name = devm_kasprintf(dev, GFP_KERNEL, "%s %s %s", function->desc->name, +- entity->label, control->label); ++ name = kasprintf(GFP_KERNEL, "%s %s %s", function->desc->name, ++ entity->label, control->label); + if (!name) + return -ENOMEM; + +@@ -497,6 +536,36 @@ int sdca_irq_populate(struct sdca_function_data *function, + } + EXPORT_SYMBOL_NS_GPL(sdca_irq_populate, "SND_SOC_SDCA"); + ++/** ++ * sdca_irq_cleanup - Free all the individual IRQs for an SDCA Function ++ * @function: Pointer to the SDCA Function. ++ * @component: Pointer to the ASoC component for the Function. ++ * @info: Pointer to the SDCA interrupt info for this device. ++ * ++ * Typically this would be called from the driver for a single SDCA Function. ++ */ ++void sdca_irq_cleanup(struct sdca_function_data *function, ++ struct snd_soc_component *component, ++ struct sdca_interrupt_info *info) ++{ ++ struct device *dev = component->dev; ++ int i; ++ ++ guard(mutex)(&info->irq_lock); ++ ++ for (i = 0; i < SDCA_MAX_INTERRUPTS; i++) { ++ struct sdca_interrupt *interrupt = &info->irqs[i]; ++ ++ if (interrupt->function != function || !interrupt->irq) ++ continue; ++ ++ sdca_irq_free_locked(dev, info, i, interrupt->name, interrupt); ++ ++ kfree(interrupt->name); ++ } ++} ++EXPORT_SYMBOL_NS_GPL(sdca_irq_cleanup, "SND_SOC_SDCA"); ++ + /** + * sdca_irq_allocate - allocate an SDCA interrupt structure for a device + * @sdev: Device pointer against which things should be allocated. +-- +2.53.0 + diff --git a/queue-6.19/asoc-sdca-fix-overwritten-var-within-for-loop.patch b/queue-6.19/asoc-sdca-fix-overwritten-var-within-for-loop.patch new file mode 100644 index 0000000000..68d41760b4 --- /dev/null +++ b/queue-6.19/asoc-sdca-fix-overwritten-var-within-for-loop.patch @@ -0,0 +1,40 @@ +From ca0e8a369d6c7003b86c7411d43cdb1c7f27af87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:38:31 +0100 +Subject: ASoC: SDCA: Fix overwritten var within for loop + +From: Maciej Strozek + +[ Upstream commit 23e0cbe55736de222ed975863cf06baf29bee5fe ] + +mask variable should not be overwritten within the for loop or it will +skip certain bits. Change to using BIT() macro. + +Fixes: b9ab3b618241 ("ASoC: SDCA: Add some initial IRQ handlers") +Signed-off-by: Maciej Strozek +Signed-off-by: Charles Keepax +Link: https://patch.msgid.link/20260408093835.2881486-2-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sdca/sdca_interrupts.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/sdca/sdca_interrupts.c b/sound/soc/sdca/sdca_interrupts.c +index be269f204d623..4739fabb75f23 100644 +--- a/sound/soc/sdca/sdca_interrupts.c ++++ b/sound/soc/sdca/sdca_interrupts.c +@@ -117,9 +117,7 @@ static irqreturn_t function_status_handler(int irq, void *data) + + status = val; + for_each_set_bit(mask, &status, BITS_PER_BYTE) { +- mask = 1 << mask; +- +- switch (mask) { ++ switch (BIT(mask)) { + case SDCA_CTL_ENTITY_0_FUNCTION_NEEDS_INITIALIZATION: + //FIXME: Add init writes + break; +-- +2.53.0 + diff --git a/queue-6.19/asoc-sdca-unregister-irq-handlers-on-module-remove.patch b/queue-6.19/asoc-sdca-unregister-irq-handlers-on-module-remove.patch new file mode 100644 index 0000000000..8b6126f41a --- /dev/null +++ b/queue-6.19/asoc-sdca-unregister-irq-handlers-on-module-remove.patch @@ -0,0 +1,108 @@ +From 98095437f7bf05cba1ee011a486b585c4f44ee62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:38:34 +0100 +Subject: ASoC: SDCA: Unregister IRQ handlers on module remove + +From: Richard Fitzgerald + +[ Upstream commit 0b8757b220f94421bd4ff50cce03886387c4e71c ] + +Ensure that all interrupt handlers are unregistered before the parent +regmap_irq is unregistered. + +sdca_irq_cleanup() was only called from the component_remove(). If the +module was loaded and removed without ever being component probed the +FDL interrupts would not be unregistered and this would hit a WARN +when devm called regmap_del_irq_chip() during the removal of the +parent IRQ. + +Fixes: 4e53116437e9 ("ASoC: SDCA: Fix errors in IRQ cleanup") +Signed-off-by: Richard Fitzgerald +Signed-off-by: Charles Keepax +Link: https://patch.msgid.link/20260408093835.2881486-5-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/sdca_interrupts.h | 4 ++-- + sound/soc/sdca/sdca_class_function.c | 10 +++++++++- + sound/soc/sdca/sdca_interrupts.c | 7 +++---- + 3 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/include/sound/sdca_interrupts.h b/include/sound/sdca_interrupts.h +index 90651fea5b212..109e7826ce38c 100644 +--- a/include/sound/sdca_interrupts.h ++++ b/include/sound/sdca_interrupts.h +@@ -83,8 +83,8 @@ int sdca_irq_populate_early(struct device *dev, struct regmap *function_regmap, + int sdca_irq_populate(struct sdca_function_data *function, + struct snd_soc_component *component, + struct sdca_interrupt_info *info); +-void sdca_irq_cleanup(struct sdca_function_data *function, +- struct snd_soc_component *component, ++void sdca_irq_cleanup(struct device *dev, ++ struct sdca_function_data *function, + struct sdca_interrupt_info *info); + struct sdca_interrupt_info *sdca_irq_allocate(struct device *dev, + struct regmap *regmap, int irq); +diff --git a/sound/soc/sdca/sdca_class_function.c b/sound/soc/sdca/sdca_class_function.c +index 8b6b4ca998272..92600f419db43 100644 +--- a/sound/soc/sdca/sdca_class_function.c ++++ b/sound/soc/sdca/sdca_class_function.c +@@ -201,7 +201,7 @@ static void class_function_component_remove(struct snd_soc_component *component) + struct class_function_drv *drv = snd_soc_component_get_drvdata(component); + struct sdca_class_drv *core = drv->core; + +- sdca_irq_cleanup(drv->function, component, core->irq_info); ++ sdca_irq_cleanup(component->dev, drv->function, core->irq_info); + } + + static int class_function_set_jack(struct snd_soc_component *component, +@@ -402,6 +402,13 @@ static int class_function_probe(struct auxiliary_device *auxdev, + return 0; + } + ++static void class_function_remove(struct auxiliary_device *auxdev) ++{ ++ struct class_function_drv *drv = auxiliary_get_drvdata(auxdev); ++ ++ sdca_irq_cleanup(drv->dev, drv->function, drv->core->irq_info); ++} ++ + static int class_function_runtime_suspend(struct device *dev) + { + struct auxiliary_device *auxdev = to_auxiliary_dev(dev); +@@ -473,6 +480,7 @@ static struct auxiliary_driver class_function_drv = { + }, + + .probe = class_function_probe, ++ .remove = class_function_remove, + .id_table = class_function_id_table + }; + module_auxiliary_driver(class_function_drv); +diff --git a/sound/soc/sdca/sdca_interrupts.c b/sound/soc/sdca/sdca_interrupts.c +index 4739fabb75f23..76f50a0f6b0ef 100644 +--- a/sound/soc/sdca/sdca_interrupts.c ++++ b/sound/soc/sdca/sdca_interrupts.c +@@ -536,17 +536,16 @@ EXPORT_SYMBOL_NS_GPL(sdca_irq_populate, "SND_SOC_SDCA"); + + /** + * sdca_irq_cleanup - Free all the individual IRQs for an SDCA Function ++ * @sdev: Device pointer against which the sdca_interrupt_info was allocated. + * @function: Pointer to the SDCA Function. +- * @component: Pointer to the ASoC component for the Function. + * @info: Pointer to the SDCA interrupt info for this device. + * + * Typically this would be called from the driver for a single SDCA Function. + */ +-void sdca_irq_cleanup(struct sdca_function_data *function, +- struct snd_soc_component *component, ++void sdca_irq_cleanup(struct device *dev, ++ struct sdca_function_data *function, + struct sdca_interrupt_info *info) + { +- struct device *dev = component->dev; + int i; + + guard(mutex)(&info->irq_lock); +-- +2.53.0 + diff --git a/queue-6.19/asoc-soc-core-call-missing-init_list_head-for-card_a.patch b/queue-6.19/asoc-soc-core-call-missing-init_list_head-for-card_a.patch new file mode 100644 index 0000000000..49d3f7b8db --- /dev/null +++ b/queue-6.19/asoc-soc-core-call-missing-init_list_head-for-card_a.patch @@ -0,0 +1,66 @@ +From 6ec9ec9ed137e7452506588e7d2526213131db23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 02:43:54 +0000 +Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list + +From: Kuninori Morimoto + +[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ] + +Component has "card_aux_list" which is added/deled in bind/unbind aux dev +function (A), and used in for_each_card_auxs() loop (B). + + static void soc_unbind_aux_dev(...) + { + ... + for_each_card_auxs_safe(...) { + ... +(A) list_del(&component->card_aux_list); + } ^^^^^^^^^^^^^ + } + + static int soc_bind_aux_dev(...) + { + ... + for_each_card_pre_auxs(...) { + ... +(A) list_add(&component->card_aux_list, ...); + } ^^^^^^^^^^^^^ + ... + } + + #define for_each_card_auxs(card, component) \ +(B) list_for_each_entry(component, ..., card_aux_list) + ^^^^^^^^^^^^^ + +But it has been used without calling INIT_LIST_HEAD(). + + > git grep card_aux_list sound/soc + sound/soc/soc-core.c: list_del(&component->card_aux_list); + sound/soc/soc-core.c: list_add(&component->card_aux_list, ...); + +call missing INIT_LIST_HEAD() for it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 23ba821cd759d..c9a6471661ad7 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2849,6 +2849,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, + INIT_LIST_HEAD(&component->dobj_list); + INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); ++ INIT_LIST_HEAD(&component->card_aux_list); + mutex_init(&component->io_mutex); + + if (!component->name) { +-- +2.53.0 + diff --git a/queue-6.19/asoc-sof-intel-fix-endpoint-index-if-endpoints-are-m.patch b/queue-6.19/asoc-sof-intel-fix-endpoint-index-if-endpoints-are-m.patch new file mode 100644 index 0000000000..3bcf807766 --- /dev/null +++ b/queue-6.19/asoc-sof-intel-fix-endpoint-index-if-endpoints-are-m.patch @@ -0,0 +1,38 @@ +From 3ec708ca49b113ab670673cc4b6c77f1a0201779 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 14:45:30 +0800 +Subject: ASoC: SOF: Intel: Fix endpoint index if endpoints are missing + +From: Maciej Strozek + +[ Upstream commit 86facd80a2a37536937f06de637abf9e8cabdb4b ] + +In case of missing endpoints, the sequential numbering will cause wrong +mapping. Instead, assign the original DAI index from codec_info_list. + +Fixes: 5226d19d4cae ("ASoC: SOF: Intel: use sof_sdw as default SDW machine driver") +Signed-off-by: Maciej Strozek +Signed-off-by: Bard Liao +Link: https://patch.msgid.link/20260402064531.2287261-2-yung-chuan.liao@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c +index 686ecc040867a..882198308319e 100644 +--- a/sound/soc/sof/intel/hda.c ++++ b/sound/soc/sof/intel/hda.c +@@ -1197,7 +1197,7 @@ static struct snd_soc_acpi_adr_device *find_acpi_adr_device(struct device *dev, + codec_info_list[i].dais[j].dai_type)) + continue; + +- endpoints[ep_index].num = ep_index; ++ endpoints[ep_index].num = j; + if (codec_info_list[i].dais[j].dai_type == SOC_SDW_DAI_TYPE_AMP) { + /* Assume all amp are aggregated */ + endpoints[ep_index].aggregated = 1; +-- +2.53.0 + diff --git a/queue-6.19/asoc-sof-intel-fix-iteration-in-is_endpoint_present.patch b/queue-6.19/asoc-sof-intel-fix-iteration-in-is_endpoint_present.patch new file mode 100644 index 0000000000..2425e9fb1a --- /dev/null +++ b/queue-6.19/asoc-sof-intel-fix-iteration-in-is_endpoint_present.patch @@ -0,0 +1,57 @@ +From bac89407d9aa202a573164c14036e91b77606302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 14:45:31 +0800 +Subject: ASoC: SOF: Intel: fix iteration in is_endpoint_present() + +From: Maciej Strozek + +[ Upstream commit 1de6ddcddc954a69f96b1c23205e03ddd603e3c8 ] + +is_endpoint_present() iterates over sdca_data.num_functions, but checks +the dai_type according to codec info list, which will cause problems if +not all endpoints from the codec info list are present. Make sure the +type of actually present functions is compared against target dai_type. + +Fixes: 5226d19d4cae ("ASoC: SOF: Intel: use sof_sdw as default SDW machine driver") +Signed-off-by: Maciej Strozek +Signed-off-by: Bard Liao +Link: https://patch.msgid.link/20260402064531.2287261-3-yung-chuan.liao@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c +index 882198308319e..b039306454da2 100644 +--- a/sound/soc/sof/intel/hda.c ++++ b/sound/soc/sof/intel/hda.c +@@ -1133,13 +1133,12 @@ static void hda_generic_machine_select(struct snd_sof_dev *sdev, + + #if IS_ENABLED(CONFIG_SND_SOC_SOF_INTEL_SOUNDWIRE) + +-static bool is_endpoint_present(struct sdw_slave *sdw_device, +- struct asoc_sdw_codec_info *dai_info, int dai_type) ++static bool is_endpoint_present(struct sdw_slave *sdw_device, int dai_type) + { + int i; + + for (i = 0; i < sdw_device->sdca_data.num_functions; i++) { +- if (dai_type == dai_info->dais[i].dai_type) ++ if (dai_type == asoc_sdw_get_dai_type(sdw_device->sdca_data.function[i].type)) + return true; + } + dev_dbg(&sdw_device->dev, "Endpoint DAI type %d not found\n", dai_type); +@@ -1193,8 +1192,7 @@ static struct snd_soc_acpi_adr_device *find_acpi_adr_device(struct device *dev, + } + for (j = 0; j < codec_info_list[i].dai_num; j++) { + /* Check if the endpoint is present by the SDCA DisCo table */ +- if (!is_endpoint_present(sdw_device, &codec_info_list[i], +- codec_info_list[i].dais[j].dai_type)) ++ if (!is_endpoint_present(sdw_device, codec_info_list[i].dais[j].dai_type)) + continue; + + endpoints[ep_index].num = j; +-- +2.53.0 + diff --git a/queue-6.19/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch b/queue-6.19/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch new file mode 100644 index 0000000000..6b81c8fd6f --- /dev/null +++ b/queue-6.19/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch @@ -0,0 +1,46 @@ +From 959f73247d66f3577fa23fc815b765f9772f31fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:45:26 -0300 +Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ] + +sof_parse_token_sets() accepts array->size values that can be invalid +for a vendor tuple array header. In particular, a zero size does not +advance the parser state and can lead to non-progress parsing on +malformed topology data. + +Validate array->size against the minimum header size and reject values +smaller than sizeof(*array) before parsing. This preserves behavior for +valid topologies and hardens malformed-input handling. + +Signed-off-by: Cássio Gabriel +Acked-by: Peter Ujfalusi +Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index 9bf8ab610a7ea..8880ac5d8d6ff 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp, + asize = le32_to_cpu(array->size); + + /* validate asize */ +- if (asize < 0) { /* FIXME: A zero-size array makes no sense */ ++ if (asize < sizeof(*array)) { + dev_err(scomp->dev, "error: invalid array size 0x%x\n", + asize); + return -EINVAL; +-- +2.53.0 + diff --git a/queue-6.19/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch b/queue-6.19/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch new file mode 100644 index 0000000000..0717119db5 --- /dev/null +++ b/queue-6.19/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch @@ -0,0 +1,64 @@ +From f6e9ece807f030e4a2b7ec7f4dbaf057b69797db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:40:56 +0200 +Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J + +From: Tomasz Merta + +[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ] + +The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A, +DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK +edge when SND_SOC_DAIFMT_NB_NF is used. + +Per ALSA convention, NB_NF requires sampling on the rising BCLK edge. +The STM32MP25 SAI reference manual states that CKSTR=1 is required for +signals received by the SAI to be sampled on the SCK rising edge. +Without setting CKSTR=1, the SAI samples on the falling edge, violating +the NB_NF convention. For comparison, the NXP FSL SAI driver correctly +sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its +I2S handling. + +This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in +stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec. +RIGHT_J (LSB) is not investigated and addressed by this patch. + +Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue +for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified +and is left for a separate investigation. + +Signed-off-by: Tomasz Merta +Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_sai_sub.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c +index 450e1585edeee..3e82fa90e719a 100644 +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -802,6 +802,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + break; + /* Left justified */ + case SND_SOC_DAIFMT_MSB: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + /* Right justified */ +@@ -809,9 +810,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + case SND_SOC_DAIFMT_DSP_A: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF; + break; + case SND_SOC_DAIFMT_DSP_B: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL; + break; + default: +-- +2.53.0 + diff --git a/queue-6.19/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch b/queue-6.19/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch new file mode 100644 index 0000000000..6af86ef1a1 --- /dev/null +++ b/queue-6.19/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch @@ -0,0 +1,83 @@ +From 7ae0ba794dc1950c282bdf174a87d10fef8962be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 15:23:35 -0700 +Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 + +From: Arthur Husband + +[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ] + +The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA +support via the S64A bit in the AHCI CAP register, but their 64-bit DMA +implementation is defective. Under sustained I/O, DMA transfers targeting +addresses above 4GB silently corrupt data -- writes land at incorrect +memory addresses with no errors logged. + +The failure pattern is similar to the ASMedia ASM1061 +(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia +ASM1061 controllers")), which also falsely advertised full 64-bit DMA +support. However, the JMB585 requires a stricter 32-bit DMA mask rather +than 43-bit, as corruption occurs with any address above 4GB. + +On the Minisforum N5 Pro specifically, the combination of the JMB585's +broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes +silent data corruption that is only detectable via checksumming +filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA +space is exhausted and the kernel transparently switches to 64-bit DMA +addresses. + +Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585 +(0x0585) before the generic JMicron class match, using a new board type +that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior) +with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks. + +Signed-off-by: Arthur Husband +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 931d0081169b9..1d73a53370cf3 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -68,6 +68,7 @@ enum board_ids { + /* board IDs for specific chipsets in alphabetical order */ + board_ahci_al, + board_ahci_avn, ++ board_ahci_jmb585, + board_ahci_mcp65, + board_ahci_mcp77, + board_ahci_mcp89, +@@ -212,6 +213,15 @@ static const struct ata_port_info ahci_port_info[] = { + .udma_mask = ATA_UDMA6, + .port_ops = &ahci_avn_ops, + }, ++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */ ++ [board_ahci_jmb585] = { ++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR | ++ AHCI_HFLAG_32BIT_ONLY), ++ .flags = AHCI_FLAG_COMMON, ++ .pio_mask = ATA_PIO4, ++ .udma_mask = ATA_UDMA6, ++ .port_ops = &ahci_ops, ++ }, + [board_ahci_mcp65] = { + AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP | + AHCI_HFLAG_YES_NCQ), +@@ -439,6 +449,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */ + { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_pcs_quirk }, /* Elkhart Lake AHCI */ + ++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */ ++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 }, ++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 }, ++ + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr }, +-- +2.53.0 + diff --git a/queue-6.19/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch b/queue-6.19/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch new file mode 100644 index 0000000000..34b7335d5e --- /dev/null +++ b/queue-6.19/bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch @@ -0,0 +1,147 @@ +From 57764c090df583af15ba2cc5b088fa33f06e8c23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 20:07:26 +0800 +Subject: Bluetooth: hci_sync: annotate data-races around hdev->req_status + +From: Cen Zhang + +[ Upstream commit b6807cfc195ef99e1ac37b2e1e60df40295daa8c ] + +__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock: + + hdev->req_status = HCI_REQ_PEND; + +However, several other functions read or write hdev->req_status without +holding any lock: + + - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue) + - hci_cmd_sync_complete() reads/writes from HCI event completion + - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write + - hci_abort_conn() reads in connection abort path + +Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while +hci_send_cmd_sync() runs on hdev->workqueue, these are different +workqueues that can execute concurrently on different CPUs. The plain +C accesses constitute a data race. + +Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses +to hdev->req_status to prevent potential compiler optimizations that +could affect correctness (e.g., load fusing in the wait_event +condition or store reordering). + +Signed-off-by: Cen Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 2 +- + net/bluetooth/hci_core.c | 2 +- + net/bluetooth/hci_sync.c | 20 ++++++++++---------- + 3 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index a966d36d0e798..92dcd9d21b7c9 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -3100,7 +3100,7 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) + * hci_connect_le serializes the connection attempts so only one + * connection can be in BT_CONNECT at time. + */ +- if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) { ++ if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + switch (hci_skb_event(hdev->sent_cmd)) { + case HCI_EV_CONN_COMPLETE: + case HCI_EV_LE_CONN_COMPLETE: +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 8ccec73dce45c..0f86b81b39730 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4125,7 +4125,7 @@ static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) + kfree_skb(skb); + } + +- if (hdev->req_status == HCI_REQ_PEND && ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND && + !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) { + kfree_skb(hdev->req_skb); + hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index d638e62f30021..74339358d5994 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -25,11 +25,11 @@ static void hci_cmd_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode, + { + bt_dev_dbg(hdev, "result 0x%2.2x", result); + +- if (hdev->req_status != HCI_REQ_PEND) ++ if (READ_ONCE(hdev->req_status) != HCI_REQ_PEND) + return; + + hdev->req_result = result; +- hdev->req_status = HCI_REQ_DONE; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_DONE); + + /* Free the request command so it is not used as response */ + kfree_skb(hdev->req_skb); +@@ -167,20 +167,20 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, + + hci_cmd_sync_add(&req, opcode, plen, param, event, sk); + +- hdev->req_status = HCI_REQ_PEND; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_PEND); + + err = hci_req_sync_run(&req); + if (err < 0) + return ERR_PTR(err); + + err = wait_event_interruptible_timeout(hdev->req_wait_q, +- hdev->req_status != HCI_REQ_PEND, ++ READ_ONCE(hdev->req_status) != HCI_REQ_PEND, + timeout); + + if (err == -ERESTARTSYS) + return ERR_PTR(-EINTR); + +- switch (hdev->req_status) { ++ switch (READ_ONCE(hdev->req_status)) { + case HCI_REQ_DONE: + err = -bt_to_errno(hdev->req_result); + break; +@@ -194,7 +194,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen, + break; + } + +- hdev->req_status = 0; ++ WRITE_ONCE(hdev->req_status, 0); + hdev->req_result = 0; + skb = hdev->req_rsp; + hdev->req_rsp = NULL; +@@ -665,9 +665,9 @@ void hci_cmd_sync_cancel(struct hci_dev *hdev, int err) + { + bt_dev_dbg(hdev, "err 0x%2.2x", err); + +- if (hdev->req_status == HCI_REQ_PEND) { ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + hdev->req_result = err; +- hdev->req_status = HCI_REQ_CANCELED; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED); + + queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work); + } +@@ -683,12 +683,12 @@ void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err) + { + bt_dev_dbg(hdev, "err 0x%2.2x", err); + +- if (hdev->req_status == HCI_REQ_PEND) { ++ if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND) { + /* req_result is __u32 so error must be positive to be properly + * propagated. + */ + hdev->req_result = err < 0 ? -err : err; +- hdev->req_status = HCI_REQ_CANCELED; ++ WRITE_ONCE(hdev->req_status, HCI_REQ_CANCELED); + + wake_up_interruptible(&hdev->req_wait_q); + } +-- +2.53.0 + diff --git a/queue-6.19/bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch b/queue-6.19/bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch new file mode 100644 index 0000000000..76fc55d0ac --- /dev/null +++ b/queue-6.19/bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch @@ -0,0 +1,74 @@ +From e12e269146db0470612afa5143994c3b686ba820 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 07:01:53 -0700 +Subject: bridge: guard local VLAN-0 FDB helpers against NULL vlan group + +From: Zijing Yin + +[ Upstream commit 1979645e1842cb7017525a61a0e0e0beb924d02a ] + +When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and +nbp_vlan_group() return NULL (br_private.h stub definitions). The +BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and +reaches br_fdb_delete_locals_per_vlan_port() and +br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer +is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist). + +The observed crash is in the delete path, triggered when creating a +bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0 +via RTM_NEWLINK. The insert helper has the same bug pattern. + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI + KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7] + RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310 + Call Trace: + br_fdb_toggle_local_vlan_0+0x452/0x4c0 + br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276 + br_boolopt_toggle net/bridge/br.c:313 + br_boolopt_multi_toggle net/bridge/br.c:364 + br_changelink net/bridge/br_netlink.c:1542 + br_dev_newlink net/bridge/br_netlink.c:1575 + +Add NULL checks for the vlan group pointer in both helpers, returning +early when there are no VLANs to iterate. This matches the existing +pattern used by other bridge FDB functions such as br_fdb_add() and +br_fdb_delete(). + +Fixes: 21446c06b441 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0") +Signed-off-by: Zijing Yin +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20260402140153.3925663-1-yzjaurora@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 0501ffcb8a3dd..e2c17f620f009 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -597,6 +597,9 @@ static void br_fdb_delete_locals_per_vlan_port(struct net_bridge *br, + dev = br->dev; + } + ++ if (!vg) ++ return; ++ + list_for_each_entry(v, &vg->vlan_list, vlist) + br_fdb_find_delete_local(br, p, dev->dev_addr, v->vid); + } +@@ -630,6 +633,9 @@ static int br_fdb_insert_locals_per_vlan_port(struct net_bridge *br, + dev = br->dev; + } + ++ if (!vg) ++ return 0; ++ + list_for_each_entry(v, &vg->vlan_list, vlist) { + if (!br_vlan_should_use(v)) + continue; +-- +2.53.0 + diff --git a/queue-6.19/btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch b/queue-6.19/btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch new file mode 100644 index 0000000000..120940727f --- /dev/null +++ b/queue-6.19/btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch @@ -0,0 +1,218 @@ +From b82a549b4e9cb8d91cbf2da7e540b1b61391f9ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Feb 2026 14:46:50 +0000 +Subject: btrfs: fix zero size inode with non-zero size after log replay + +From: Filipe Manana + +[ Upstream commit 5254d4181add9dfaa5e3519edd71cc8f752b2f85 ] + +When logging that an inode exists, as part of logging a new name or +logging new dir entries for a directory, we always set the generation of +the logged inode item to 0. This is to signal during log replay (in +overwrite_item()), that we should not set the i_size since we only logged +that an inode exists, so the i_size of the inode in the subvolume tree +must be preserved (as when we log new names or that an inode exists, we +don't log extents). + +This works fine except when we have already logged an inode in full mode +or it's the first time we are logging an inode created in a past +transaction, that inode has a new i_size of 0 and then we log a new name +for the inode (due to a new hardlink or a rename), in which case we log +an i_size of 0 for the inode and a generation of 0, which causes the log +replay code to not update the inode's i_size to 0 (in overwrite_item()). + +An example scenario: + + mkdir /mnt/dir + xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo + + sync + + xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo + + ln /mnt/dir/foo /mnt/dir/bar + + xfs_io -c "fsync" /mnt/dir + + + +After log replay the file remains with a size of 64K. This is because when +we first log the inode, when we fsync file foo, we log its current i_size +of 0, and then when we create a hard link we log again the inode in exists +mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we +add to the log tree, so during log replay overwrite_item() sees that the +generation is 0 and i_size is 0 so we skip updating the inode's i_size +from 64K to 0. + +Fix this by making sure at fill_inode_item() we always log the real +generation of the inode if it was logged in the current transaction with +the i_size we logged before. Also if an inode created in a previous +transaction is logged in exists mode only, make sure we log the i_size +stored in the inode item located from the commit root, so that if we log +multiple times that the inode exists we get the correct i_size. + +A test case for fstests will follow soon. + +Reported-by: Vyacheslav Kovalevsky +Link: https://lore.kernel.org/linux-btrfs/af8c15fa-4e41-4bb2-885c-0bc4e97532a6@gmail.com/ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 98 ++++++++++++++++++++++++++++++--------------- + 1 file changed, 65 insertions(+), 33 deletions(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 6c40f48cc194d..4cea0489f121c 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4609,21 +4609,32 @@ static void fill_inode_item(struct btrfs_trans_handle *trans, + struct inode *inode, bool log_inode_only, + u64 logged_isize) + { ++ u64 gen = BTRFS_I(inode)->generation; + u64 flags; + + if (log_inode_only) { +- /* set the generation to zero so the recover code +- * can tell the difference between an logging +- * just to say 'this inode exists' and a logging +- * to say 'update this inode with these values' ++ /* ++ * Set the generation to zero so the recover code can tell the ++ * difference between a logging just to say 'this inode exists' ++ * and a logging to say 'update this inode with these values'. ++ * But only if the inode was not already logged before. ++ * We access ->logged_trans directly since it was already set ++ * up in the call chain by btrfs_log_inode(), and data_race() ++ * to avoid false alerts from KCSAN and since it was set already ++ * and one can set it to 0 since that only happens on eviction ++ * and we are holding a ref on the inode. + */ +- btrfs_set_inode_generation(leaf, item, 0); ++ ASSERT(data_race(BTRFS_I(inode)->logged_trans) > 0); ++ if (data_race(BTRFS_I(inode)->logged_trans) < trans->transid) ++ gen = 0; ++ + btrfs_set_inode_size(leaf, item, logged_isize); + } else { +- btrfs_set_inode_generation(leaf, item, BTRFS_I(inode)->generation); + btrfs_set_inode_size(leaf, item, inode->i_size); + } + ++ btrfs_set_inode_generation(leaf, item, gen); ++ + btrfs_set_inode_uid(leaf, item, i_uid_read(inode)); + btrfs_set_inode_gid(leaf, item, i_gid_read(inode)); + btrfs_set_inode_mode(leaf, item, inode->i_mode); +@@ -5427,42 +5438,63 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, + return 0; + } + +-static int logged_inode_size(struct btrfs_root *log, struct btrfs_inode *inode, +- struct btrfs_path *path, u64 *size_ret) ++static int get_inode_size_to_log(struct btrfs_trans_handle *trans, ++ struct btrfs_inode *inode, ++ struct btrfs_path *path, u64 *size_ret) + { + struct btrfs_key key; ++ struct btrfs_inode_item *item; + int ret; + + key.objectid = btrfs_ino(inode); + key.type = BTRFS_INODE_ITEM_KEY; + key.offset = 0; + +- ret = btrfs_search_slot(NULL, log, &key, path, 0, 0); +- if (ret < 0) { +- return ret; +- } else if (ret > 0) { +- *size_ret = 0; +- } else { +- struct btrfs_inode_item *item; ++ /* ++ * Our caller called inode_logged(), so logged_trans is up to date. ++ * Use data_race() to silence any warning from KCSAN. Once logged_trans ++ * is set, it can only be reset to 0 after inode eviction. ++ */ ++ if (data_race(inode->logged_trans) == trans->transid) { ++ ret = btrfs_search_slot(NULL, inode->root->log_root, &key, path, 0, 0); ++ } else if (inode->generation < trans->transid) { ++ path->search_commit_root = true; ++ path->skip_locking = true; ++ ret = btrfs_search_slot(NULL, inode->root, &key, path, 0, 0); ++ path->search_commit_root = false; ++ path->skip_locking = false; + +- item = btrfs_item_ptr(path->nodes[0], path->slots[0], +- struct btrfs_inode_item); +- *size_ret = btrfs_inode_size(path->nodes[0], item); +- /* +- * If the in-memory inode's i_size is smaller then the inode +- * size stored in the btree, return the inode's i_size, so +- * that we get a correct inode size after replaying the log +- * when before a power failure we had a shrinking truncate +- * followed by addition of a new name (rename / new hard link). +- * Otherwise return the inode size from the btree, to avoid +- * data loss when replaying a log due to previously doing a +- * write that expands the inode's size and logging a new name +- * immediately after. +- */ +- if (*size_ret > inode->vfs_inode.i_size) +- *size_ret = inode->vfs_inode.i_size; ++ } else { ++ *size_ret = 0; ++ return 0; + } + ++ /* ++ * If the inode was logged before or is from a past transaction, then ++ * its inode item must exist in the log root or in the commit root. ++ */ ++ ASSERT(ret <= 0); ++ if (WARN_ON_ONCE(ret > 0)) ++ ret = -ENOENT; ++ ++ if (ret < 0) ++ return ret; ++ ++ item = btrfs_item_ptr(path->nodes[0], path->slots[0], ++ struct btrfs_inode_item); ++ *size_ret = btrfs_inode_size(path->nodes[0], item); ++ /* ++ * If the in-memory inode's i_size is smaller then the inode size stored ++ * in the btree, return the inode's i_size, so that we get a correct ++ * inode size after replaying the log when before a power failure we had ++ * a shrinking truncate followed by addition of a new name (rename / new ++ * hard link). Otherwise return the inode size from the btree, to avoid ++ * data loss when replaying a log due to previously doing a write that ++ * expands the inode's size and logging a new name immediately after. ++ */ ++ if (*size_ret > inode->vfs_inode.i_size) ++ *size_ret = inode->vfs_inode.i_size; ++ + btrfs_release_path(path); + return 0; + } +@@ -6975,7 +7007,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans, + ret = drop_inode_items(trans, log, path, inode, + BTRFS_XATTR_ITEM_KEY); + } else { +- if (inode_only == LOG_INODE_EXISTS && ctx->logged_before) { ++ if (inode_only == LOG_INODE_EXISTS) { + /* + * Make sure the new inode item we write to the log has + * the same isize as the current one (if it exists). +@@ -6989,7 +7021,7 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans, + * (zeroes), as if an expanding truncate happened, + * instead of getting a file of 4Kb only. + */ +- ret = logged_inode_size(log, inode, path, &logged_isize); ++ ret = get_inode_size_to_log(trans, inode, path, &logged_isize); + if (ret) + goto out_unlock; + } +-- +2.53.0 + diff --git a/queue-6.19/btrfs-tracepoints-get-correct-superblock-from-dentry.patch b/queue-6.19/btrfs-tracepoints-get-correct-superblock-from-dentry.patch new file mode 100644 index 0000000000..30540d794b --- /dev/null +++ b/queue-6.19/btrfs-tracepoints-get-correct-superblock-from-dentry.patch @@ -0,0 +1,50 @@ +From e79df36782150b3ef87edea7f6dcdba4d92fc635 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 14:11:39 -0400 +Subject: btrfs: tracepoints: get correct superblock from dentry in event + btrfs_sync_file() + +From: Goldwyn Rodrigues + +[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] + +If overlay is used on top of btrfs, dentry->d_sb translates to overlay's +super block and fsid assignment will lead to a crash. + +Use file_inode(file)->i_sb to always get btrfs_sb. + +Reviewed-by: Boris Burkov +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + include/trace/events/btrfs.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index 125bdc166bfed..0864700f76e0a 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -769,12 +769,15 @@ TRACE_EVENT(btrfs_sync_file, + ), + + TP_fast_assign( +- const struct dentry *dentry = file->f_path.dentry; +- const struct inode *inode = d_inode(dentry); ++ struct dentry *dentry = file_dentry(file); ++ struct inode *inode = file_inode(file); ++ struct dentry *parent = dget_parent(dentry); ++ struct inode *parent_inode = d_inode(parent); + +- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb)); ++ dput(parent); ++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb)); + __entry->ino = btrfs_ino(BTRFS_I(inode)); +- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent))); ++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode)); + __entry->datasync = datasync; + __entry->root_objectid = btrfs_root_id(BTRFS_I(inode)->root); + ), +-- +2.53.0 + diff --git a/queue-6.19/cachefiles-fix-incorrect-dentry-refcount-in-cachefil.patch b/queue-6.19/cachefiles-fix-incorrect-dentry-refcount-in-cachefil.patch new file mode 100644 index 0000000000..6a1da4903a --- /dev/null +++ b/queue-6.19/cachefiles-fix-incorrect-dentry-refcount-in-cachefil.patch @@ -0,0 +1,54 @@ +From 97a511bc79af0ba1b40800b3ecb08b5de51e1b80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 09:18:21 +1100 +Subject: cachefiles: fix incorrect dentry refcount in cachefiles_cull() + +From: NeilBrown + +[ Upstream commit 1635c2acdde86c4f555b627aec873c8677c421ed ] + +The patch mentioned below changed cachefiles_bury_object() to expect 2 +references to the 'rep' dentry. Three of the callers were changed to +use start_removing_dentry() which takes an extra reference so in those +cases the call gets the expected references. + +However there is another call to cachefiles_bury_object() in +cachefiles_cull() which did not need to be changed to use +start_removing_dentry() and so was not properly considered. +It still passed the dentry with just one reference so the net result is +that a reference is lost. + +To meet the expectations of cachefiles_bury_object(), cachefiles_cull() +must take an extra reference before the call. It will be dropped by +cachefiles_bury_object(). + +Reported-by: Marc Dionne +Fixes: 7bb1eb45e43c ("VFS: introduce start_removing_dentry()") +Signed-off-by: NeilBrown +Link: https://patch.msgid.link/177456350181.1851489.16359967086642190170@noble.neil.brown.name +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/cachefiles/namei.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c +index e5ec90dccc27f..eb9eb7683e3cc 100644 +--- a/fs/cachefiles/namei.c ++++ b/fs/cachefiles/namei.c +@@ -810,6 +810,11 @@ int cachefiles_cull(struct cachefiles_cache *cache, struct dentry *dir, + if (ret < 0) + goto error_unlock; + ++ /* ++ * cachefiles_bury_object() expects 2 references to 'victim', ++ * and drops one. ++ */ ++ dget(victim); + ret = cachefiles_bury_object(cache, NULL, dir, victim, + FSCACHE_OBJECT_WAS_CULLED); + dput(victim); +-- +2.53.0 + diff --git a/queue-6.19/can-mcp251x-add-error-handling-for-power-enable-in-o.patch b/queue-6.19/can-mcp251x-add-error-handling-for-power-enable-in-o.patch new file mode 100644 index 0000000000..65ea9e88a1 --- /dev/null +++ b/queue-6.19/can-mcp251x-add-error-handling-for-power-enable-in-o.patch @@ -0,0 +1,90 @@ +From f1b4cac5af861b0a4f7ac050f40e81caa88149d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 00:00:22 +0800 +Subject: can: mcp251x: add error handling for power enable in open and resume + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ] + +Add missing error handling for mcp251x_power_enable() calls in both +mcp251x_open() and mcp251x_can_resume() functions. + +In mcp251x_open(), if power enable fails, jump to error path to close +candev without attempting to disable power again. + +In mcp251x_can_resume(), properly check return values of power enable calls +for both power and transceiver regulators. If any fails, return the error +code to the PM framework and log the failure. + +This ensures the driver properly handles power control failures and +maintains correct device state. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com +[mkl: fix patch description] +[mkl: mcp251x_can_resume(): replace goto by return] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index bb7782582f401..0d0190ae094a1 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1225,7 +1225,11 @@ static int mcp251x_open(struct net_device *net) + } + + mutex_lock(&priv->mcp_lock); +- mcp251x_power_enable(priv->transceiver, 1); ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret)); ++ goto out_close_candev; ++ } + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -1272,6 +1276,7 @@ static int mcp251x_open(struct net_device *net) + mcp251x_hw_sleep(spi); + out_close: + mcp251x_power_enable(priv->transceiver, 0); ++out_close_candev: + close_candev(net); + mutex_unlock(&priv->mcp_lock); + if (release_irq) +@@ -1516,11 +1521,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev) + { + struct spi_device *spi = to_spi_device(dev); + struct mcp251x_priv *priv = spi_get_drvdata(spi); ++ int ret = 0; + +- if (priv->after_suspend & AFTER_SUSPEND_POWER) +- mcp251x_power_enable(priv->power, 1); +- if (priv->after_suspend & AFTER_SUSPEND_UP) +- mcp251x_power_enable(priv->transceiver, 1); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) { ++ ret = mcp251x_power_enable(priv->power, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret)); ++ return ret; ++ } ++ } ++ ++ if (priv->after_suspend & AFTER_SUSPEND_UP) { ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret)); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) ++ mcp251x_power_enable(priv->power, 0); ++ return ret; ++ } ++ } + + if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP)) + queue_work(priv->wq, &priv->restart_work); +-- +2.53.0 + diff --git a/queue-6.19/clockevents-prevent-timer-interrupt-starvation.patch b/queue-6.19/clockevents-prevent-timer-interrupt-starvation.patch new file mode 100644 index 0000000000..27be2ec51a --- /dev/null +++ b/queue-6.19/clockevents-prevent-timer-interrupt-starvation.patch @@ -0,0 +1,218 @@ +From 8c7a391b93a21a2bbf1e6e8f6e685affdf59b886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 10:54:17 +0200 +Subject: clockevents: Prevent timer interrupt starvation + +From: Thomas Gleixner + +[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ] + +Calvin reported an odd NMI watchdog lockup which claims that the CPU locked +up in user space. He provided a reproducer, which sets up a timerfd based +timer and then rearms it in a loop with an absolute expiry time of 1ns. + +As the expiry time is in the past, the timer ends up as the first expiring +timer in the per CPU hrtimer base and the clockevent device is programmed +with the minimum delta value. If the machine is fast enough, this ends up +in a endless loop of programming the delta value to the minimum value +defined by the clock event device, before the timer interrupt can fire, +which starves the interrupt and consequently triggers the lockup detector +because the hrtimer callback of the lockup mechanism is never invoked. + +As a first step to prevent this, avoid reprogramming the clock event device +when: + - a forced minimum delta event is pending + - the new expiry delta is less then or equal to the minimum delta + +Thanks to Calvin for providing the reproducer and to Borislav for testing +and providing data from his Zen5 machine. + +The problem is not limited to Zen5, but depending on the underlying +clock event device (e.g. TSC deadline timer on Intel) and the CPU speed +not necessarily observable. + +This change serves only as the last resort and further changes will be made +to prevent this scenario earlier in the call chain as far as possible. + +[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and + fixed up the tick-broadcast handlers as pointed out by Borislav ] + +Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality") +Reported-by: Calvin Owens +Signed-off-by: Thomas Gleixner +Tested-by: Calvin Owens +Tested-by: Borislav Petkov +Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/ +Link: https://patch.msgid.link/20260407083247.562657657@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/clockchips.h | 2 ++ + kernel/time/clockevents.c | 27 +++++++++++++++++++-------- + kernel/time/hrtimer.c | 1 + + kernel/time/tick-broadcast.c | 8 +++++++- + kernel/time/tick-common.c | 1 + + kernel/time/tick-sched.c | 1 + + 6 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h +index b0df28ddd394b..50cdc9da8d32a 100644 +--- a/include/linux/clockchips.h ++++ b/include/linux/clockchips.h +@@ -80,6 +80,7 @@ enum clock_event_state { + * @shift: nanoseconds to cycles divisor (power of two) + * @state_use_accessors:current state of the device, assigned by the core code + * @features: features ++ * @next_event_forced: True if the last programming was a forced event + * @retries: number of forced programming retries + * @set_state_periodic: switch state to periodic + * @set_state_oneshot: switch state to oneshot +@@ -108,6 +109,7 @@ struct clock_event_device { + u32 shift; + enum clock_event_state state_use_accessors; + unsigned int features; ++ unsigned int next_event_forced; + unsigned long retries; + + int (*set_state_periodic)(struct clock_event_device *); +diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c +index eaae1ce9f0600..38570998a19b8 100644 +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev) + { + clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN); + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + } + + /** +@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + { + unsigned long long clc; + int64_t delta; +- int rc; + + if (WARN_ON_ONCE(expires < 0)) + return -ETIME; +@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + return dev->set_next_ktime(expires, dev); + + delta = ktime_to_ns(ktime_sub(expires, ktime_get())); +- if (delta <= 0) +- return force ? clockevents_program_min_delta(dev) : -ETIME; + +- delta = min(delta, (int64_t) dev->max_delta_ns); +- delta = max(delta, (int64_t) dev->min_delta_ns); ++ /* Required for tick_periodic() during early boot */ ++ if (delta <= 0 && !force) ++ return -ETIME; ++ ++ if (delta > (int64_t)dev->min_delta_ns) { ++ delta = min(delta, (int64_t) dev->max_delta_ns); ++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift; ++ if (!dev->set_next_event((unsigned long) clc, dev)) ++ return 0; ++ } + +- clc = ((unsigned long long) delta * dev->mult) >> dev->shift; +- rc = dev->set_next_event((unsigned long) clc, dev); ++ if (dev->next_event_forced) ++ return 0; + +- return (rc && force) ? clockevents_program_min_delta(dev) : rc; ++ if (dev->set_next_event(dev->min_delta_ticks, dev)) { ++ if (!force || clockevents_program_min_delta(dev)) ++ return -ETIME; ++ } ++ dev->next_event_forced = 1; ++ return 0; + } + + /* +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 84c8ab2a0cebf..141b2beac63a4 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1880,6 +1880,7 @@ void hrtimer_interrupt(struct clock_event_device *dev) + BUG_ON(!cpu_base->hres_active); + cpu_base->nr_events++; + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + raw_spin_lock_irqsave(&cpu_base->lock, flags); + entry_time = now = hrtimer_update_base(cpu_base); +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index f63c65881364d..7e57fa31ee26f 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu) + */ + static void tick_broadcast_start_periodic(struct clock_event_device *bc) + { +- if (bc) ++ if (bc) { ++ bc->next_event_forced = 0; + tick_setup_periodic(bc, 1); ++ } + } + + /* +@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev) + bool bc_local; + + raw_spin_lock(&tick_broadcast_lock); ++ tick_broadcast_device.evtdev->next_event_forced = 0; + + /* Handle spurious interrupts gracefully */ + if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) { +@@ -696,6 +699,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev) + + raw_spin_lock(&tick_broadcast_lock); + dev->next_event = KTIME_MAX; ++ tick_broadcast_device.evtdev->next_event_forced = 0; + next_event = KTIME_MAX; + cpumask_clear(tmpmask); + now = ktime_get(); +@@ -1063,6 +1067,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc, + + + bc->event_handler = tick_handle_oneshot_broadcast; ++ bc->next_event_forced = 0; + bc->next_event = KTIME_MAX; + + /* +@@ -1175,6 +1180,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu) + } + + /* This moves the broadcast assignment to this CPU: */ ++ bc->next_event_forced = 0; + clockevents_program_event(bc, bc->next_event, 1); + } + raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index d305d85218961..6a9198a4279b5 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -110,6 +110,7 @@ void tick_handle_periodic(struct clock_event_device *dev) + int cpu = smp_processor_id(); + ktime_t next = dev->next_event; + ++ dev->next_event_forced = 0; + tick_periodic(cpu); + + /* +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 2f8a7923fa279..6e2f239a4813f 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1504,6 +1504,7 @@ static void tick_nohz_lowres_handler(struct clock_event_device *dev) + struct tick_sched *ts = this_cpu_ptr(&tick_cpu_sched); + + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + if (likely(tick_nohz_handler(&ts->sched_timer) == HRTIMER_RESTART)) + tick_program_event(hrtimer_get_expires(&ts->sched_timer), 1); +-- +2.53.0 + diff --git a/queue-6.19/crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch b/queue-6.19/crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch new file mode 100644 index 0000000000..1552b4b4ea --- /dev/null +++ b/queue-6.19/crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch @@ -0,0 +1,44 @@ +From a0a0bffedd06ee07b3206f5f5448c5a30983ab6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 08:29:58 +0800 +Subject: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl + +From: Herbert Xu + +[ Upstream commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef ] + +When page reassignment was added to af_alg_pull_tsgl the original +loop wasn't updated so it may try to reassign one more page than +necessary. + +Add the check to the reassignment so that this does not happen. + +Also update the comment which still refers to the obsolete offset +argument. + +Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com +Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/af_alg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index 7373f7dd8f417..8953e2ffd55ce 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -705,8 +705,8 @@ void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst) + * Assumption: caller created af_alg_count_tsgl(len) + * SG entries in dst. + */ +- if (dst) { +- /* reassign page to dst after offset */ ++ if (dst && plen) { ++ /* reassign page to dst */ + get_page(page); + sg_set_page(dst + j, page, plen, sg[i].offset); + j++; +-- +2.53.0 + diff --git a/queue-6.19/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch b/queue-6.19/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch new file mode 100644 index 0000000000..42ce8e9250 --- /dev/null +++ b/queue-6.19/crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch @@ -0,0 +1,68 @@ +From 5f2b6622c2f910ce24c250cd4a4cabe72bf1fee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 23:34:55 +0800 +Subject: crypto: af_alg - limit RX SG extraction by receive buffer budget + +From: Douya Le + +[ Upstream commit 8eceab19eba9dcbfd2a0daec72e1bf48aa100170 ] + +Make af_alg_get_rsgl() limit each RX scatterlist extraction to the +remaining receive buffer budget. + +af_alg_get_rsgl() currently uses af_alg_readable() only as a gate +before extracting data into the RX scatterlist. Limit each extraction +to the remaining af_alg_rcvbuf(sk) budget so that receive-side +accounting matches the amount of data attached to the request. + +If skcipher cannot obtain enough RX space for at least one chunk while +more data remains to be processed, reject the recvmsg call instead of +rounding the request length down to zero. + +Fixes: e870456d8e7c8d57c059ea479b5aadbb55ff4c3a ("crypto: algif_skcipher - overhaul memory management") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Signed-off-by: Douya Le +Signed-off-by: Ren Wei +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/af_alg.c | 2 ++ + crypto/algif_skcipher.c | 5 +++++ + 2 files changed, 7 insertions(+) + +diff --git a/crypto/af_alg.c b/crypto/af_alg.c +index bc78c915eabc4..7373f7dd8f417 100644 +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1229,6 +1229,8 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags, + + seglen = min_t(size_t, (maxsize - len), + msg_data_left(msg)); ++ /* Never pin more pages than the remaining RX accounting budget. */ ++ seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk)); + + if (list_empty(&areq->rsgl_list)) { + rsgl = &areq->first_rsgl; +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index 82735e51be108..ba0a17fd95aca 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -130,6 +130,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, + * full block size buffers. + */ + if (ctx->more || len < ctx->used) { ++ if (len < bs) { ++ err = -EINVAL; ++ goto free; ++ } ++ + len -= len % bs; + cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL; + } +-- +2.53.0 + diff --git a/queue-6.19/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-6.19/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch new file mode 100644 index 0000000000..f644403a38 --- /dev/null +++ b/queue-6.19/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch @@ -0,0 +1,38 @@ +From 122a4bf016d606745e600a162445a99ecef17728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 13:32:21 +0800 +Subject: crypto: algif_aead - Fix minimum RX size check for decryption + +From: Herbert Xu + +[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] + +The check for the minimum receive buffer size did not take the +tag size into account during decryption. Fix this by adding the +required extra length. + +Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com +Reported-by: Daniel Pouzzner +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_aead.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c +index dda15bb05e892..f8bd45f7dc839 100644 +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -144,7 +144,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + if (usedpages < outlen) { + size_t less = outlen - usedpages; + +- if (used < less) { ++ if (used < less + (ctx->enc ? 0 : as)) { + err = -EINVAL; + goto free; + } +-- +2.53.0 + diff --git a/queue-6.19/devlink-fix-incorrect-skb-socket-family-dumping.patch b/queue-6.19/devlink-fix-incorrect-skb-socket-family-dumping.patch new file mode 100644 index 0000000000..2bddbbc16e --- /dev/null +++ b/queue-6.19/devlink-fix-incorrect-skb-socket-family-dumping.patch @@ -0,0 +1,40 @@ +From 9f3da6e62c499c77560df650281b010552f96a1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 22:27:30 -0400 +Subject: devlink: Fix incorrect skb socket family dumping + +From: Li RongQing + +[ Upstream commit 0006c6f1091bbeea88b8a88a6548b9fb2f803c74 ] + +The devlink_fmsg_dump_skb function was incorrectly using the socket +type (sk->sk_type) instead of the socket family (sk->sk_family) +when filling the "family" field in the fast message dump. + +This patch fixes this to properly display the socket family. + +Fixes: 3dbfde7f6bc7b8 ("devlink: add devlink_fmsg_dump_skb() function") +Signed-off-by: Li RongQing +Link: https://patch.msgid.link/20260407022730.2393-1-lirongqing@baidu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/health.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/devlink/health.c b/net/devlink/health.c +index 136a67c36a20d..0798c82096bdc 100644 +--- a/net/devlink/health.c ++++ b/net/devlink/health.c +@@ -1327,7 +1327,7 @@ void devlink_fmsg_dump_skb(struct devlink_fmsg *fmsg, const struct sk_buff *skb) + if (sk) { + devlink_fmsg_pair_nest_start(fmsg, "sk"); + devlink_fmsg_obj_nest_start(fmsg); +- devlink_fmsg_put(fmsg, "family", sk->sk_type); ++ devlink_fmsg_put(fmsg, "family", sk->sk_family); + devlink_fmsg_put(fmsg, "type", sk->sk_type); + devlink_fmsg_put(fmsg, "proto", sk->sk_protocol); + devlink_fmsg_obj_nest_end(fmsg); +-- +2.53.0 + diff --git a/queue-6.19/dma-debug-suppress-cacheline-overlap-warning-when-ar.patch b/queue-6.19/dma-debug-suppress-cacheline-overlap-warning-when-ar.patch new file mode 100644 index 0000000000..dc737724e9 --- /dev/null +++ b/queue-6.19/dma-debug-suppress-cacheline-overlap-warning-when-ar.patch @@ -0,0 +1,67 @@ +From 4d66ef8d1e5726f887067f4f7283ad12b0c049f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 17:41:56 +0500 +Subject: dma-debug: suppress cacheline overlap warning when arch has no DMA + alignment requirement + +From: Mikhail Gavrilov + +[ Upstream commit 3d48c9fd78dd0b1809669ec49c4d0997b8127512 ] + +When CONFIG_DMA_API_DEBUG is enabled, the DMA debug infrastructure +tracks active mappings per cacheline and warns if two different DMA +mappings share the same cacheline ("cacheline tracking EEXIST, +overlapping mappings aren't supported"). + +On x86_64, ARCH_KMALLOC_MINALIGN defaults to 8, so small kmalloc +allocations (e.g. the 8-byte hub->buffer and hub->status in the USB +hub driver) frequently land in the same 64-byte cacheline. When both +are DMA-mapped, this triggers a false positive warning. + +This has been reported repeatedly since v5.14 (when the EEXIST check +was added) across various USB host controllers and devices including +xhci_hcd with USB hubs, USB audio devices, and USB ethernet adapters. + +The cacheline overlap is only a real concern on architectures that +require DMA buffer alignment to cacheline boundaries (i.e. where +ARCH_DMA_MINALIGN >= L1_CACHE_BYTES). On architectures like x86_64 +where dma_get_cache_alignment() returns 1, the hardware is +cache-coherent and overlapping cacheline mappings are harmless. + +Suppress the EEXIST warning when dma_get_cache_alignment() is less +than L1_CACHE_BYTES, indicating the architecture does not require +cacheline-aligned DMA buffers. + +Verified with a kernel module reproducer that performs two kmalloc(8) +allocations back-to-back and DMA-maps both: + + Before: allocations share a cacheline, EEXIST fires within ~50 pairs + After: same cacheline pair found, but no warning emitted + +Fixes: 2b4bbc6231d7 ("dma-debug: report -EEXIST errors in add_dma_entry") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215740 +Suggested-by: Harry Yoo +Tested-by: Mikhail Gavrilov +Signed-off-by: Mikhail Gavrilov +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20260327124156.24820-1-mikhail.v.gavrilov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/dma/debug.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 43d6a996d7a78..596ea7abbda15 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -614,6 +614,7 @@ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs) + } else if (rc == -EEXIST && + !(attrs & DMA_ATTR_SKIP_CPU_SYNC) && + !(entry->is_cache_clean && overlap_cache_clean) && ++ dma_get_cache_alignment() >= L1_CACHE_BYTES && + !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) && + is_swiotlb_active(entry->dev))) { + err_printk(entry->dev, entry, +-- +2.53.0 + diff --git a/queue-6.19/dma-debug-track-cache-clean-flag-in-entries.patch b/queue-6.19/dma-debug-track-cache-clean-flag-in-entries.patch new file mode 100644 index 0000000000..39db252747 --- /dev/null +++ b/queue-6.19/dma-debug-track-cache-clean-flag-in-entries.patch @@ -0,0 +1,111 @@ +From f05e3ada76e06a6f62480631d621e4f1f2990d33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 14:38:31 -0500 +Subject: dma-debug: track cache clean flag in entries + +From: Michael S. Tsirkin + +[ Upstream commit d5d846513128c1a3bc2f2d371f6e903177dea443 ] + +If a driver is buggy and has 2 overlapping mappings but only +sets cache clean flag on the 1st one of them, we warn. +But if it only does it for the 2nd one, we don't. + +Fix by tracking cache clean flag in the entry. + +Message-ID: <0ffb3513d18614539c108b4548cdfbc64274a7d1.1767601130.git.mst@redhat.com> +Reviewed-by: Petr Tesarik +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: 3d48c9fd78dd ("dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement") +Signed-off-by: Sasha Levin +--- + kernel/dma/debug.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 7e66d863d573f..43d6a996d7a78 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -63,6 +63,7 @@ enum map_err_types { + * @sg_mapped_ents: 'mapped_ents' from dma_map_sg + * @paddr: physical start address of the mapping + * @map_err_type: track whether dma_mapping_error() was checked ++ * @is_cache_clean: driver promises not to write to buffer while mapped + * @stack_len: number of backtrace entries in @stack_entries + * @stack_entries: stack of backtrace history + */ +@@ -76,7 +77,8 @@ struct dma_debug_entry { + int sg_call_ents; + int sg_mapped_ents; + phys_addr_t paddr; +- enum map_err_types map_err_type; ++ enum map_err_types map_err_type; ++ bool is_cache_clean; + #ifdef CONFIG_STACKTRACE + unsigned int stack_len; + unsigned long stack_entries[DMA_DEBUG_STACKTRACE_ENTRIES]; +@@ -472,12 +474,15 @@ static int active_cacheline_dec_overlap(phys_addr_t cln) + return active_cacheline_set_overlap(cln, --overlap); + } + +-static int active_cacheline_insert(struct dma_debug_entry *entry) ++static int active_cacheline_insert(struct dma_debug_entry *entry, ++ bool *overlap_cache_clean) + { + phys_addr_t cln = to_cacheline_number(entry); + unsigned long flags; + int rc; + ++ *overlap_cache_clean = false; ++ + /* If the device is not writing memory then we don't have any + * concerns about the cpu consuming stale data. This mitigates + * legitimate usages of overlapping mappings. +@@ -487,8 +492,16 @@ static int active_cacheline_insert(struct dma_debug_entry *entry) + + spin_lock_irqsave(&radix_lock, flags); + rc = radix_tree_insert(&dma_active_cacheline, cln, entry); +- if (rc == -EEXIST) ++ if (rc == -EEXIST) { ++ struct dma_debug_entry *existing; ++ + active_cacheline_inc_overlap(cln); ++ existing = radix_tree_lookup(&dma_active_cacheline, cln); ++ /* A lookup failure here after we got -EEXIST is unexpected. */ ++ WARN_ON(!existing); ++ if (existing) ++ *overlap_cache_clean = existing->is_cache_clean; ++ } + spin_unlock_irqrestore(&radix_lock, flags); + + return rc; +@@ -583,20 +596,24 @@ DEFINE_SHOW_ATTRIBUTE(dump); + */ + static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs) + { ++ bool overlap_cache_clean; + struct hash_bucket *bucket; + unsigned long flags; + int rc; + ++ entry->is_cache_clean = !!(attrs & DMA_ATTR_CPU_CACHE_CLEAN); ++ + bucket = get_hash_bucket(entry, &flags); + hash_bucket_add(bucket, entry); + put_hash_bucket(bucket, flags); + +- rc = active_cacheline_insert(entry); ++ rc = active_cacheline_insert(entry, &overlap_cache_clean); + if (rc == -ENOMEM) { + pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n"); + global_disable = true; + } else if (rc == -EEXIST && +- !(attrs & (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_CPU_CACHE_CLEAN)) && ++ !(attrs & DMA_ATTR_SKIP_CPU_SYNC) && ++ !(entry->is_cache_clean && overlap_cache_clean) && + !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) && + is_swiotlb_active(entry->dev))) { + err_printk(entry->dev, entry, +-- +2.53.0 + diff --git a/queue-6.19/dma-mapping-add-dma_attr_cpu_cache_clean.patch b/queue-6.19/dma-mapping-add-dma_attr_cpu_cache_clean.patch new file mode 100644 index 0000000000..b124c235be --- /dev/null +++ b/queue-6.19/dma-mapping-add-dma_attr_cpu_cache_clean.patch @@ -0,0 +1,65 @@ +From 5263d7c05b46b41d239e5ef334c435535e6fc1d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 07:28:43 -0500 +Subject: dma-mapping: add DMA_ATTR_CPU_CACHE_CLEAN + +From: Michael S. Tsirkin + +[ Upstream commit 61868dc55a119a5e4b912d458fc2c48ba80a35fe ] + +When multiple small DMA_FROM_DEVICE or DMA_BIDIRECTIONAL buffers share a +cacheline, and DMA_API_DEBUG is enabled, we get this warning: + cacheline tracking EEXIST, overlapping mappings aren't supported. + +This is because when one of the mappings is removed, while another one +is active, CPU might write into the buffer. + +Add an attribute for the driver to promise not to do this, making the +overlapping safe, and suppressing the warning. + +Message-ID: <2d5d091f9d84b68ea96abd545b365dd1d00bbf48.1767601130.git.mst@redhat.com> +Reviewed-by: Petr Tesarik +Acked-by: Marek Szyprowski +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: 3d48c9fd78dd ("dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement") +Signed-off-by: Sasha Levin +--- + include/linux/dma-mapping.h | 7 +++++++ + kernel/dma/debug.c | 3 ++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h +index 190eab9f5e8c2..3e63046b899bc 100644 +--- a/include/linux/dma-mapping.h ++++ b/include/linux/dma-mapping.h +@@ -78,6 +78,13 @@ + */ + #define DMA_ATTR_MMIO (1UL << 10) + ++/* ++ * DMA_ATTR_CPU_CACHE_CLEAN: Indicates the CPU will not dirty any cacheline ++ * overlapping this buffer while it is mapped for DMA. All mappings sharing ++ * a cacheline must have this attribute for this to be considered safe. ++ */ ++#define DMA_ATTR_CPU_CACHE_CLEAN (1UL << 11) ++ + /* + * A dma_addr_t can hold any valid DMA or bus address for the platform. It can + * be given to a device to use as a DMA source or target. It is specific to a +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 138ede653de40..7e66d863d573f 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -595,7 +595,8 @@ static void add_dma_entry(struct dma_debug_entry *entry, unsigned long attrs) + if (rc == -ENOMEM) { + pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n"); + global_disable = true; +- } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC) && ++ } else if (rc == -EEXIST && ++ !(attrs & (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_CPU_CACHE_CLEAN)) && + !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) && + is_swiotlb_active(entry->dev))) { + err_printk(entry->dev, entry, +-- +2.53.0 + diff --git a/queue-6.19/dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch b/queue-6.19/dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch new file mode 100644 index 0000000000..7e28a03cd4 --- /dev/null +++ b/queue-6.19/dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch @@ -0,0 +1,92 @@ +From 4b0deec15c9c716733af6685cc6ac2593fda62f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:34:27 -0800 +Subject: dmaengine: idxd: Fix lockdep warnings when calling + idxd_device_config() + +From: Vinicius Costa Gomes + +[ Upstream commit caf91cdf2de8b7134749d32cd4ae5520b108abb7 ] + +Move the check for IDXD_FLAG_CONFIGURABLE and the locking to "inside" +idxd_device_config(), as this is common to all callers, and the one +that wasn't holding the lock was an error (that was causing the +lockdep warning). + +Suggested-by: Dave Jiang +Reviewed-by: Dave Jiang +Signed-off-by: Vinicius Costa Gomes +Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-1-7ed70658a9d1@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 17 +++++++---------- + drivers/dma/idxd/init.c | 10 ++++------ + 2 files changed, 11 insertions(+), 16 deletions(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index 4013f970cb3b2..f4b134c865163 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -1121,7 +1121,11 @@ int idxd_device_config(struct idxd_device *idxd) + { + int rc; + +- lockdep_assert_held(&idxd->dev_lock); ++ guard(spinlock)(&idxd->dev_lock); ++ ++ if (!test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) ++ return 0; ++ + rc = idxd_wqs_setup(idxd); + if (rc < 0) + return rc; +@@ -1448,11 +1452,7 @@ int idxd_drv_enable_wq(struct idxd_wq *wq) + } + } + +- rc = 0; +- spin_lock(&idxd->dev_lock); +- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) +- rc = idxd_device_config(idxd); +- spin_unlock(&idxd->dev_lock); ++ rc = idxd_device_config(idxd); + if (rc < 0) { + dev_dbg(dev, "Writing wq %d config failed: %d\n", wq->id, rc); + goto err; +@@ -1547,10 +1547,7 @@ int idxd_device_drv_probe(struct idxd_dev *idxd_dev) + } + + /* Device configuration */ +- spin_lock(&idxd->dev_lock); +- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) +- rc = idxd_device_config(idxd); +- spin_unlock(&idxd->dev_lock); ++ rc = idxd_device_config(idxd); + if (rc < 0) + return -ENXIO; + +diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c +index f2b37c63a964c..afba88f9c3e43 100644 +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -1094,12 +1094,10 @@ static void idxd_reset_done(struct pci_dev *pdev) + idxd_device_config_restore(idxd, idxd->idxd_saved); + + /* Re-configure IDXD device if allowed. */ +- if (test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) { +- rc = idxd_device_config(idxd); +- if (rc < 0) { +- dev_err(dev, "HALT: %s config fails\n", idxd_name); +- goto out; +- } ++ rc = idxd_device_config(idxd); ++ if (rc < 0) { ++ dev_err(dev, "HALT: %s config fails\n", idxd_name); ++ goto out; + } + + /* Bind IDXD device to driver. */ +-- +2.53.0 + diff --git a/queue-6.19/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch b/queue-6.19/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch new file mode 100644 index 0000000000..4ac8589791 --- /dev/null +++ b/queue-6.19/drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch @@ -0,0 +1,69 @@ +From 971034b8e3be32d68ec7c6f29858f76bf18f8f6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 09:58:36 +0530 +Subject: drm/amdgpu: Handle GPU page faults correctly on non-4K page systems +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Donet Tom + +[ Upstream commit 4e9597f22a3cb8600c72fc266eaac57981d834c8 ] + +During a GPU page fault, the driver restores the SVM range and then maps it +into the GPU page tables. The current implementation passes a GPU-page-size +(4K-based) PFN to svm_range_restore_pages() to restore the range. + +SVM ranges are tracked using system-page-size PFNs. On systems where the +system page size is larger than 4K, using GPU-page-size PFNs to restore the +range causes two problems: + +Range lookup fails: +Because the restore function receives PFNs in GPU (4K) units, the SVM +range lookup does not find the existing range. This will result in a +duplicate SVM range being created. + +VMA lookup failure: +The restore function also tries to locate the VMA for the faulting address. +It converts the GPU-page-size PFN into an address using the system page +size, which results in an incorrect address on non-4K page-size systems. +As a result, the VMA lookup fails with the message: "address 0xxxx VMA is +removed". + +This patch passes the system-page-size PFN to svm_range_restore_pages() so +that the SVM range is restored correctly on non-4K page systems. + +Acked-by: Christian König +Signed-off-by: Donet Tom +Signed-off-by: Alex Deucher +(cherry picked from commit 074fe395fb13247b057f60004c7ebcca9f38ef46) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index 7df6e75bd7014..636a0cbbb1447 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -2974,14 +2974,14 @@ bool amdgpu_vm_handle_fault(struct amdgpu_device *adev, u32 pasid, + if (!root) + return false; + +- addr /= AMDGPU_GPU_PAGE_SIZE; +- + if (is_compute_context && !svm_range_restore_pages(adev, pasid, vmid, +- node_id, addr, ts, write_fault)) { ++ node_id, addr >> PAGE_SHIFT, ts, write_fault)) { + amdgpu_bo_unref(&root); + return true; + } + ++ addr /= AMDGPU_GPU_PAGE_SIZE; ++ + r = amdgpu_bo_reserve(root, true); + if (r) + goto error_unref; +-- +2.53.0 + diff --git a/queue-6.19/drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch b/queue-6.19/drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch new file mode 100644 index 0000000000..49971ff603 --- /dev/null +++ b/queue-6.19/drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch @@ -0,0 +1,77 @@ +From 4ad13e18c46d5bd04eeb797db53c276375ef6446 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 09:58:39 +0530 +Subject: drm/amdkfd: Fix queue preemption/eviction failures by aligning + control stack size to GPU page size + +From: Donet Tom + +[ Upstream commit 78746a474e92fc7aaed12219bec7c78ae1bd6156 ] + +The control stack size is calculated based on the number of CUs and +waves, and is then aligned to PAGE_SIZE. When the resulting control +stack size is aligned to 64 KB, GPU hangs and queue preemption +failures are observed while running RCCL unit tests on systems with +more than two GPUs. + +amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with +doorbell_id: 80030008 +amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues +amdgpu 0048:0f:00.0: amdgpu: GPU reset begin!. Source: 4 +amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with +doorbell_id: 80030008 +amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues +amdgpu 0048:0f:00.0: amdgpu: Failed to restore process queues + +This issue is observed on both 4 KB and 64 KB system page-size +configurations. + +This patch fixes the issue by aligning the control stack size to +AMDGPU_GPU_PAGE_SIZE instead of PAGE_SIZE, so the control stack size +will not be 64 KB on systems with a 64 KB page size and queue +preemption works correctly. + +Additionally, In the current code, wg_data_size is aligned to PAGE_SIZE, +which can waste memory if the system page size is large. In this patch, +wg_data_size is aligned to AMDGPU_GPU_PAGE_SIZE. The cwsr_size, calculated +from wg_data_size and the control stack size, is aligned to PAGE_SIZE. + +Reviewed-by: Felix Kuehling +Signed-off-by: Donet Tom +Signed-off-by: Alex Deucher +(cherry picked from commit a3e14436304392fbada359edd0f1d1659850c9b7) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c +index 2822c90bd7be4..b97f4a51db6e3 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c +@@ -444,10 +444,11 @@ void kfd_queue_ctx_save_restore_size(struct kfd_topology_device *dev) + min(cu_num * 40, props->array_count / props->simd_arrays_per_engine * 512) + : cu_num * 32; + +- wg_data_size = ALIGN(cu_num * WG_CONTEXT_DATA_SIZE_PER_CU(gfxv, props), PAGE_SIZE); ++ wg_data_size = ALIGN(cu_num * WG_CONTEXT_DATA_SIZE_PER_CU(gfxv, props), ++ AMDGPU_GPU_PAGE_SIZE); + ctl_stack_size = wave_num * CNTL_STACK_BYTES_PER_WAVE(gfxv) + 8; + ctl_stack_size = ALIGN(SIZEOF_HSA_USER_CONTEXT_SAVE_AREA_HEADER + ctl_stack_size, +- PAGE_SIZE); ++ AMDGPU_GPU_PAGE_SIZE); + + if ((gfxv / 10000 * 10000) == 100000) { + /* HW design limits control stack size to 0x7000. +@@ -459,7 +460,7 @@ void kfd_queue_ctx_save_restore_size(struct kfd_topology_device *dev) + + props->ctl_stack_size = ctl_stack_size; + props->debug_memory_size = ALIGN(wave_num * DEBUGGER_BYTES_PER_WAVE, DEBUGGER_BYTES_ALIGN); +- props->cwsr_size = ctl_stack_size + wg_data_size; ++ props->cwsr_size = ALIGN(ctl_stack_size + wg_data_size, PAGE_SIZE); + + if (gfxv == 80002) /* GFX_VERSION_TONGA */ + props->eop_buffer_size = 0x8000; +-- +2.53.0 + diff --git a/queue-6.19/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch b/queue-6.19/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch new file mode 100644 index 0000000000..2c1e2a7d27 --- /dev/null +++ b/queue-6.19/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch @@ -0,0 +1,74 @@ +From a2c22694466379f5759850e16fbe4a86380cd690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:45 -0300 +Subject: drm/vc4: Fix a memory leak in hang state error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ] + +When vc4_save_hang_state() encounters an early return condition, it +returns without freeing the previously allocated `kernel_state`, +leaking memory. + +Add the missing kfree() calls by consolidating the early return paths +into a single place. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 0562f78e28357..840aadb14b518 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -171,10 +171,8 @@ vc4_save_hang_state(struct drm_device *dev) + spin_lock_irqsave(&vc4->job_lock, irqflags); + exec[0] = vc4_first_bin_job(vc4); + exec[1] = vc4_first_render_job(vc4); +- if (!exec[0] && !exec[1]) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!exec[0] && !exec[1]) ++ goto err_free_state; + + /* Get the bos from both binner and renderer into hang state. */ + state->bo_count = 0; +@@ -191,10 +189,8 @@ vc4_save_hang_state(struct drm_device *dev) + kernel_state->bo = kcalloc(state->bo_count, + sizeof(*kernel_state->bo), GFP_ATOMIC); + +- if (!kernel_state->bo) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!kernel_state->bo) ++ goto err_free_state; + + k = 0; + for (i = 0; i < 2; i++) { +@@ -286,6 +282,12 @@ vc4_save_hang_state(struct drm_device *dev) + vc4->hang_state = kernel_state; + spin_unlock_irqrestore(&vc4->job_lock, irqflags); + } ++ ++ return; ++ ++err_free_state: ++ spin_unlock_irqrestore(&vc4->job_lock, irqflags); ++ kfree(kernel_state); + } + + static void +-- +2.53.0 + diff --git a/queue-6.19/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch b/queue-6.19/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch new file mode 100644 index 0000000000..7a6aab7c77 --- /dev/null +++ b/queue-6.19/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch @@ -0,0 +1,40 @@ +From 899fcf293c6734d6908adf821b941e3cc6a61354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:44 -0300 +Subject: drm/vc4: Fix memory leak of BO array in hang state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ] + +The hang state's BO array is allocated separately with kzalloc() in +vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the +missing kfree() for the BO array before freeing the hang state struct. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index ab16164b5edaf..0562f78e28357 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -62,6 +62,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state) + for (i = 0; i < state->user_state.bo_count; i++) + drm_gem_object_put(state->bo[i]); + ++ kfree(state->bo); + kfree(state); + } + +-- +2.53.0 + diff --git a/queue-6.19/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch b/queue-6.19/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch new file mode 100644 index 0000000000..60b59b09d9 --- /dev/null +++ b/queue-6.19/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch @@ -0,0 +1,48 @@ +From 40f1e210198bb70ae33e9d9ea5791ba8bb32f63d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:46 -0300 +Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ] + +The mmap callback reads bo->madv without holding madv_lock, racing with +concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under +the same lock. Add the missing locking to prevent the data race. + +Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_bo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c +index 46b4474ac41d4..44b1f2b00f9b0 100644 +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -739,12 +739,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct + return -EINVAL; + } + ++ mutex_lock(&bo->madv_lock); + if (bo->madv != VC4_MADV_WILLNEED) { + DRM_DEBUG("mmapping of %s BO not allowed\n", + bo->madv == VC4_MADV_DONTNEED ? + "purgeable" : "purged"); ++ mutex_unlock(&bo->madv_lock); + return -EINVAL; + } ++ mutex_unlock(&bo->madv_lock); + + return drm_gem_dma_mmap(&bo->base, vma); + } +-- +2.53.0 + diff --git a/queue-6.19/drm-vc4-release-runtime-pm-reference-after-binding-v.patch b/queue-6.19/drm-vc4-release-runtime-pm-reference-after-binding-v.patch new file mode 100644 index 0000000000..7ee0178f6f --- /dev/null +++ b/queue-6.19/drm-vc4-release-runtime-pm-reference-after-binding-v.patch @@ -0,0 +1,46 @@ +From db9fd831e6819d561182311e395ca6325b2163d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:43 -0300 +Subject: drm/vc4: Release runtime PM reference after binding V3D +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ] + +The vc4_v3d_bind() function acquires a runtime PM reference via +pm_runtime_resume_and_get() to access V3D registers during setup. +However, this reference is never released after a successful bind. +This prevents the device from ever runtime suspending, since the +reference count never reaches zero. + +Release the runtime PM reference by adding pm_runtime_put_autosuspend() +after autosuspend is configured, allowing the device to runtime suspend +after the delay. + +Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_v3d.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c +index 3ffe09bc89d27..d31b906cb8e78 100644 +--- a/drivers/gpu/drm/vc4/vc4_v3d.c ++++ b/drivers/gpu/drm/vc4/vc4_v3d.c +@@ -481,6 +481,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data) + + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */ ++ pm_runtime_put_autosuspend(dev); + + return 0; + +-- +2.53.0 + diff --git a/queue-6.19/drm-xe-fix-bug-in-idledly-unit-conversion.patch b/queue-6.19/drm-xe-fix-bug-in-idledly-unit-conversion.patch new file mode 100644 index 0000000000..2e9f92e753 --- /dev/null +++ b/queue-6.19/drm-xe-fix-bug-in-idledly-unit-conversion.patch @@ -0,0 +1,41 @@ +From 6e609e4a00ae03e6437d3337715b03b75ce26046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 18:27:10 -0700 +Subject: drm/xe: Fix bug in idledly unit conversion + +From: Vinay Belgaumkar + +[ Upstream commit 7596459f3c93d8d45a1bf12d4d7526b50c15baa2 ] + +We only need to convert to picosecond units before writing to RING_IDLEDLY. + +Fixes: 7c53ff050ba8 ("drm/xe: Apply Wa_16023105232") +Cc: Tangudu Tilak Tirumalesh +Acked-by: Tangudu Tilak Tirumalesh +Signed-off-by: Vinay Belgaumkar +Link: https://patch.msgid.link/20260401012710.4165547-1-vinay.belgaumkar@intel.com +(cherry picked from commit 13743bd628bc9d9a0e2fe53488b2891aedf7cc74) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_hw_engine.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_hw_engine.c b/drivers/gpu/drm/xe/xe_hw_engine.c +index 6a9e2a4272dde..3e928b6c098f2 100644 +--- a/drivers/gpu/drm/xe/xe_hw_engine.c ++++ b/drivers/gpu/drm/xe/xe_hw_engine.c +@@ -596,9 +596,8 @@ static void adjust_idledly(struct xe_hw_engine *hwe) + maxcnt *= maxcnt_units_ns; + + if (xe_gt_WARN_ON(gt, idledly >= maxcnt || inhibit_switch)) { +- idledly = DIV_ROUND_CLOSEST(((maxcnt - 1) * maxcnt_units_ns), ++ idledly = DIV_ROUND_CLOSEST(((maxcnt - 1) * 1000), + idledly_units_ps); +- idledly = DIV_ROUND_CLOSEST(idledly, 1000); + xe_mmio_write32(>->mmio, RING_IDLEDLY(hwe->mmio_base), idledly); + } + } +-- +2.53.0 + diff --git a/queue-6.19/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch b/queue-6.19/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch new file mode 100644 index 0000000000..abcb9e744b --- /dev/null +++ b/queue-6.19/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch @@ -0,0 +1,59 @@ +From 394afacea24a50c368006d81f9d0d609c4bda5bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:40 +0100 +Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock + +From: Jon Hunter + +[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ] + +The PTP clock for the Tegra234 MGBE device is incorrectly named +'ptp-ref' and should be 'ptp_ref'. This is causing the following +warning to be observed on Tegra234 platforms that use this device: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +Although this constitutes an ABI breakage in the binding for this +device, PTP support has clearly never worked and so fix this now +so we can correct the device-tree for this device. Note that the +MGBE driver still supports the legacy 'ptp-ref' clock name and so +older/existing device-trees will still work, but given that this +is not the correct name, there is no point to advertise this in the +binding. + +Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE") +Signed-off-by: Jon Hunter +Reviewed-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +index 2bd3efff2485e..215f14d1897d2 100644 +--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml ++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +@@ -42,7 +42,7 @@ properties: + - const: mgbe + - const: mac + - const: mac-divider +- - const: ptp-ref ++ - const: ptp_ref + - const: rx-input-m + - const: rx-input + - const: tx +@@ -133,7 +133,7 @@ examples: + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>, + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>, + <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>; +- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m", ++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m", + "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m", + "rx-pcs", "tx-pcs"; + resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>, +-- +2.53.0 + diff --git a/queue-6.19/e1000-check-return-value-of-e1000_read_eeprom.patch b/queue-6.19/e1000-check-return-value-of-e1000_read_eeprom.patch new file mode 100644 index 0000000000..5118ecaa34 --- /dev/null +++ b/queue-6.19/e1000-check-return-value-of-e1000_read_eeprom.patch @@ -0,0 +1,70 @@ +From e777a6a0994741b1a63a709836591bae54afbccc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 15:05:05 +0300 +Subject: e1000: check return value of e1000_read_eeprom + +From: Agalakov Daniil + +[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ] + +[Why] +e1000_set_eeprom() performs a read-modify-write operation when the write +range is not word-aligned. This requires reading the first and last words +of the range from the EEPROM to preserve the unmodified bytes. + +However, the code does not check the return value of e1000_read_eeprom(). +If the read fails, the operation continues using uninitialized data from +eeprom_buff. This results in corrupted data being written back to the +EEPROM for the boundary words. + +Add the missing error checks and abort the operation if reading fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Iskhakov Daniil +Signed-off-by: Iskhakov Daniil +Signed-off-by: Agalakov Daniil +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index 726365c567ef3..75d0bfa7530b4 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev, + */ + ret_val = e1000_read_eeprom(hw, first_word, 1, + &eeprom_buff[0]); ++ if (ret_val) ++ goto out; ++ + ptr++; + } +- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) { ++ if ((eeprom->offset + eeprom->len) & 1) { + /* need read/modify/write of last changed EEPROM word + * only the first byte of the word is being modified + */ + ret_val = e1000_read_eeprom(hw, last_word, 1, + &eeprom_buff[last_word - first_word]); ++ if (ret_val) ++ goto out; + } + + /* Device's eeprom is always little-endian, word addressable */ +@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev, + if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG)) + e1000_update_eeprom_checksum(hw); + ++out: + kfree(eeprom_buff); + return ret_val; + } +-- +2.53.0 + diff --git a/queue-6.19/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch b/queue-6.19/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch new file mode 100644 index 0000000000..9248c98355 --- /dev/null +++ b/queue-6.19/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch @@ -0,0 +1,48 @@ +From 3f743b874e182838e8c56c0288964f8116d3982c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 15:25:32 +0200 +Subject: eventpoll: defer struct eventpoll free to RCU grace period + +From: Nicholas Carlini + +[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ] + +In certain situations, ep_free() in eventpoll.c will kfree the epi->ep +eventpoll struct while it still being used by another concurrent thread. +Defer the kfree() to an RCU callback to prevent UAF. + +Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") +Signed-off-by: Nicholas Carlini +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index d20917b03161b..3bdbaf202d4db 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -226,6 +226,9 @@ struct eventpoll { + */ + refcount_t refcount; + ++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */ ++ struct rcu_head rcu; ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + /* used to track busy poll napi_id */ + unsigned int napi_id; +@@ -819,7 +822,8 @@ static void ep_free(struct eventpoll *ep) + mutex_destroy(&ep->mtx); + free_uid(ep->user); + wakeup_source_unregister(ep->ws); +- kfree(ep); ++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */ ++ kfree_rcu(ep, rcu); + } + + /* +-- +2.53.0 + diff --git a/queue-6.19/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch b/queue-6.19/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch new file mode 100644 index 0000000000..27ada61477 --- /dev/null +++ b/queue-6.19/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch @@ -0,0 +1,47 @@ +From a21cf07f9d62a86e60159f1d5a09bfdccf654ca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 13:11:27 -0700 +Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath + +From: Fredric Cover + +[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ] + +When cifs_sanitize_prepath is called with an empty string or a string +containing only delimiters (e.g., "/"), the current logic attempts to +check *(cursor2 - 1) before cursor2 has advanced. This results in an +out-of-bounds read. + +This patch adds an early exit check after stripping prepended +delimiters. If no path content remains, the function returns NULL. + +The bug was identified via manual audit and verified using a +standalone test case compiled with AddressSanitizer, which +triggered a SEGV on affected inputs. + +Signed-off-by: Fredric Cover +Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index e0d2cd78c82f1..e61bb6ac1d111 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -589,6 +589,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp) + while (IS_DELIM(*cursor1)) + cursor1++; + ++ /* exit in case of only delimiters */ ++ if (!*cursor1) ++ return NULL; ++ + /* copy the first letter */ + *cursor2 = *cursor1; + +-- +2.53.0 + diff --git a/queue-6.19/gpio-tegra-fix-irq_release_resources-calling-enable-.patch b/queue-6.19/gpio-tegra-fix-irq_release_resources-calling-enable-.patch new file mode 100644 index 0000000000..d10e05e9d5 --- /dev/null +++ b/queue-6.19/gpio-tegra-fix-irq_release_resources-calling-enable-.patch @@ -0,0 +1,41 @@ +From 7433cfd6721430e68cb3a274ea501820659d9915 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 14:02:47 -0700 +Subject: gpio: tegra: fix irq_release_resources calling enable instead of + disable + +From: Samasth Norway Ananda + +[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ] + +tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable() +instead of tegra_gpio_disable(). When IRQ resources are released, the +GPIO configuration bit (CNF) should be cleared to deconfigure the pin as +a GPIO. Leaving it enabled wastes power and can cause unexpected behavior +if the pin is later reused for an alternate function via pinctrl. + +Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip") +Signed-off-by: Samasth Norway Ananda +Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c +index 15a5762a82c25..b14052fe64ac6 100644 +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -595,7 +595,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d) + struct tegra_gpio_info *tgi = gpiochip_get_data(chip); + + gpiochip_relres_irq(chip, d->hwirq); +- tegra_gpio_enable(tgi, d->hwirq); ++ tegra_gpio_disable(tgi, d->hwirq); + } + + static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s) +-- +2.53.0 + diff --git a/queue-6.19/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch b/queue-6.19/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch new file mode 100644 index 0000000000..4a0c17429c --- /dev/null +++ b/queue-6.19/hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch @@ -0,0 +1,46 @@ +From 4b743865db1a1b638a77bfeef36ea79e47217dc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 09:25:22 +0100 +Subject: HID: amd_sfh: don't log error when device discovery fails with + -EOPNOTSUPP + +From: Maximilian Pezzullo + +[ Upstream commit 743677a8cb30b09f16a7f167f497c2c927891b5a ] + +When sensor discovery fails on systems without AMD SFH sensors, the +code already emits a warning via dev_warn() in amd_sfh_hid_client_init(). +The subsequent dev_err() in sfh_init_work() for the same -EOPNOTSUPP +return value is redundant and causes unnecessary alarm. + +Suppress the dev_err() for -EOPNOTSUPP to avoid confusing users who +have no AMD SFH sensors. + +Fixes: 2105e8e00da4 ("HID: amd_sfh: Improve boot time when SFH is available") +Reported-by: Casey Croy +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221099 +Signed-off-by: Maximilian Pezzullo +Acked-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c +index 1d9f955573aa4..4b81cebdc3359 100644 +--- a/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c ++++ b/drivers/hid/amd-sfh-hid/amd_sfh_pcie.c +@@ -413,7 +413,8 @@ static void sfh_init_work(struct work_struct *work) + rc = amd_sfh_hid_client_init(mp2); + if (rc) { + amd_sfh_clear_intr(mp2); +- dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc); ++ if (rc != -EOPNOTSUPP) ++ dev_err(&pdev->dev, "amd_sfh_hid_client_init failed err %d\n", rc); + return; + } + +-- +2.53.0 + diff --git a/queue-6.19/hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch b/queue-6.19/hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch new file mode 100644 index 0000000000..2ce597c4b4 --- /dev/null +++ b/queue-6.19/hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch @@ -0,0 +1,59 @@ +From 0e065385ce4181d3ee13acabebf6af496a31ea4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2026 13:56:29 +0800 +Subject: HID: Intel-thc-hid: Intel-quickspi: Add NVL Device IDs + +From: Even Xu + +[ Upstream commit 48e91af0cbe942d50ef6257d850accdca1d01378 ] + +Add Nova Lake THC QuickSPI device IDs to support list. + +Signed-off-by: Even Xu +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c | 6 ++++++ + drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c +index ad6bd59963b28..b6a69995692cb 100644 +--- a/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c ++++ b/drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c +@@ -37,6 +37,10 @@ struct quickspi_driver_data arl = { + .max_packet_size_value = MAX_PACKET_SIZE_VALUE_MTL, + }; + ++struct quickspi_driver_data nvl = { ++ .max_packet_size_value = MAX_PACKET_SIZE_VALUE_LNL, ++}; ++ + /* THC QuickSPI ACPI method to get device properties */ + /* HIDSPI Method: {6e2ac436-0fcf-41af-a265-b32a220dcfab} */ + static guid_t hidspi_guid = +@@ -982,6 +986,8 @@ static const struct pci_device_id quickspi_pci_tbl[] = { + {PCI_DEVICE_DATA(INTEL, THC_WCL_DEVICE_ID_SPI_PORT2, &ptl), }, + {PCI_DEVICE_DATA(INTEL, THC_ARL_DEVICE_ID_SPI_PORT1, &arl), }, + {PCI_DEVICE_DATA(INTEL, THC_ARL_DEVICE_ID_SPI_PORT2, &arl), }, ++ {PCI_DEVICE_DATA(INTEL, THC_NVL_H_DEVICE_ID_SPI_PORT1, &nvl), }, ++ {PCI_DEVICE_DATA(INTEL, THC_NVL_H_DEVICE_ID_SPI_PORT2, &nvl), }, + {} + }; + MODULE_DEVICE_TABLE(pci, quickspi_pci_tbl); +diff --git a/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h b/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h +index c30e1a42eb098..bf5e18f5a5f42 100644 +--- a/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h ++++ b/drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h +@@ -23,6 +23,8 @@ + #define PCI_DEVICE_ID_INTEL_THC_WCL_DEVICE_ID_SPI_PORT2 0x4D4B + #define PCI_DEVICE_ID_INTEL_THC_ARL_DEVICE_ID_SPI_PORT1 0x7749 + #define PCI_DEVICE_ID_INTEL_THC_ARL_DEVICE_ID_SPI_PORT2 0x774B ++#define PCI_DEVICE_ID_INTEL_THC_NVL_H_DEVICE_ID_SPI_PORT1 0xD349 ++#define PCI_DEVICE_ID_INTEL_THC_NVL_H_DEVICE_ID_SPI_PORT2 0xD34B + + /* HIDSPI special ACPI parameters DSM methods */ + #define ACPI_QUICKSPI_REVISION_NUM 2 +-- +2.53.0 + diff --git a/queue-6.19/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch b/queue-6.19/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch new file mode 100644 index 0000000000..ca94f49fcc --- /dev/null +++ b/queue-6.19/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch @@ -0,0 +1,52 @@ +From 92bb5f880484c68834a7ae5d0c926698d9723e29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 13:36:59 -0500 +Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 + +From: leo vriska + +[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ] + +According to a mailing list report [1], this controller's predecessor +has the same issue. However, it uses the xpad driver instead of HID, so +this quirk wouldn't apply. + +[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/ + +Signed-off-by: leo vriska +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 7fd67745ee010..666ce30c83b42 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -22,6 +22,9 @@ + #define USB_DEVICE_ID_3M2256 0x0502 + #define USB_DEVICE_ID_3M3266 0x0506 + ++#define USB_VENDOR_ID_8BITDO 0x2dc8 ++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009 ++ + #define USB_VENDOR_ID_A4TECH 0x09da + #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006 + #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 3217e436c052c..f6be3ffee0232 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -25,6 +25,7 @@ + */ + + static const struct hid_device_id hid_quirks[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, +-- +2.53.0 + diff --git a/queue-6.19/hid-roccat-fix-use-after-free-in-roccat_report_event.patch b/queue-6.19/hid-roccat-fix-use-after-free-in-roccat_report_event.patch new file mode 100644 index 0000000000..a6263aa006 --- /dev/null +++ b/queue-6.19/hid-roccat-fix-use-after-free-in-roccat_report_event.patch @@ -0,0 +1,50 @@ +From 54452139742ae35e2cecb33f236fb748cd32e0b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:11:07 +0000 +Subject: HID: roccat: fix use-after-free in roccat_report_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ] + +roccat_report_event() iterates over the device->readers list without +holding the readers_lock. This allows a concurrent roccat_release() to +remove and free a reader while it's still being accessed, leading to a +use-after-free. + +Protect the readers list traversal with the readers_lock mutex. + +Signed-off-by: Benoît Sevens +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index c7f7562e22e56..e413662f75082 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->readers_lock); + mutex_lock(&device->cbuf_lock); + + report = &device->cbuf[device->cbuf_end]; +@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data) + } + + mutex_unlock(&device->cbuf_lock); ++ mutex_unlock(&device->readers_lock); + + wake_up_interruptible(&device->wait); + return 0; +-- +2.53.0 + diff --git a/queue-6.19/ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch b/queue-6.19/ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch new file mode 100644 index 0000000000..cc58313bf6 --- /dev/null +++ b/queue-6.19/ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch @@ -0,0 +1,48 @@ +From bf7d2b5d11748d2604b825c4786a0a5f0165473d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Feb 2026 14:14:00 +0000 +Subject: ice: ptp: don't WARN when controlling PF is unavailable + +From: Kohei Enju + +[ Upstream commit bb3f21edc7056cdf44a7f7bd7ba65af40741838c ] + +In VFIO passthrough setups, it is possible to pass through only a PF +which doesn't own the source timer. In that case the PTP controlling PF +(adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp() +returns NULL and triggers WARN_ON() in ice_ptp_setup_pf(). + +Since this is an expected behavior in that configuration, replace +WARN_ON() with an informational message and return -EOPNOTSUPP. + +Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev") +Signed-off-by: Kohei Enju +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index 2726830014762..082313023024c 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -3048,7 +3048,13 @@ static int ice_ptp_setup_pf(struct ice_pf *pf) + struct ice_ptp *ctrl_ptp = ice_get_ctrl_ptp(pf); + struct ice_ptp *ptp = &pf->ptp; + +- if (WARN_ON(!ctrl_ptp) || pf->hw.mac_type == ICE_MAC_UNKNOWN) ++ if (!ctrl_ptp) { ++ dev_info(ice_pf_to_dev(pf), ++ "PTP unavailable: no controlling PF\n"); ++ return -EOPNOTSUPP; ++ } ++ ++ if (pf->hw.mac_type == ICE_MAC_UNKNOWN) + return -ENODEV; + + INIT_LIST_HEAD(&ptp->port.list_node); +-- +2.53.0 + diff --git a/queue-6.19/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch b/queue-6.19/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch new file mode 100644 index 0000000000..5d839510e9 --- /dev/null +++ b/queue-6.19/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch @@ -0,0 +1,50 @@ +From 26e0aff7d4ce21bd23d39af00510dce2149992b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 15:04:19 +0800 +Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() + +From: Yiqi Sun + +[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ] + +ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the +IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing +this error pointer to dev_hold() will cause a kernel crash with +null-ptr-deref. + +Instead, silently discard the request. RFC 8335 does not appear to +define a specific response for the case where an IPv6 interface +identifier is syntactically valid but the implementation cannot perform +the lookup at runtime, and silently dropping the request may safer than +misreporting "No Such Interface". + +Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") +Signed-off-by: Yiqi Sun +Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index e619b73f5063e..11bda6c9eaa44 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -1333,6 +1333,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr) + if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr)) + goto send_mal_query; + dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev); ++ /* ++ * If IPv6 identifier lookup is unavailable, silently ++ * discard the request instead of misreporting NO_IF. ++ */ ++ if (IS_ERR(dev)) ++ return false; ++ + dev_hold(dev); + break; + #endif +-- +2.53.0 + diff --git a/queue-6.19/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch b/queue-6.19/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch new file mode 100644 index 0000000000..04516c8fb2 --- /dev/null +++ b/queue-6.19/ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch @@ -0,0 +1,147 @@ +From 164399a145ba91af66d32e4334fe5145b472abe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 09:26:13 +0200 +Subject: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop() + +From: Fernando Fernandez Mancera + +[ Upstream commit 14cf0cd35361f4e94824bf8a42f72713d7702a73 ] + +When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently +allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for +single nexthops and small Equal-Cost Multi-Path groups, this fixed +allocation fails for large nexthop groups like 512 nexthops. + +This results in the following warning splat: + + WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608 + [...] + RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395) + [...] + Call Trace: + + rtnetlink_rcv_msg (net/core/rtnetlink.c:6989) + netlink_rcv_skb (net/netlink/af_netlink.c:2550) + netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) + netlink_sendmsg (net/netlink/af_netlink.c:1894) + ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585) + ___sys_sendmsg (net/socket.c:2641) + __sys_sendmsg (net/socket.c:2671) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + +Fix this by allocating the size dynamically using nh_nlmsg_size() and +using nlmsg_new(), this is consistent with nexthop_notify() behavior. In +addition, adjust nh_nlmsg_size_grp() so it calculates the size needed +based on flags passed. While at it, also add the size of NHA_FDB for +nexthop group size calculation as it was missing too. + +This cannot be reproduced via iproute2 as the group size is currently +limited and the command fails as follows: + +addattr_l ERROR: message exceeded bound of 1048 + +Fixes: 430a049190de ("nexthop: Add support for nexthop groups") +Reported-by: Yiming Qian +Closes: https://lore.kernel.org/netdev/CAL_bE8Li2h4KO+AQFXW4S6Yb_u5X4oSKnkywW+LPFjuErhqELA@mail.gmail.com/ +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Eric Dumazet +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260402072613.25262-2-fmancera@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/nexthop.c | 38 +++++++++++++++++++++++++++----------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c +index aa53a74ac2389..c958b8edfe540 100644 +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -1006,16 +1006,32 @@ static size_t nh_nlmsg_size_grp_res(struct nh_group *nhg) + nla_total_size_64bit(8);/* NHA_RES_GROUP_UNBALANCED_TIME */ + } + +-static size_t nh_nlmsg_size_grp(struct nexthop *nh) ++static size_t nh_nlmsg_size_grp(struct nexthop *nh, u32 op_flags) + { + struct nh_group *nhg = rtnl_dereference(nh->nh_grp); + size_t sz = sizeof(struct nexthop_grp) * nhg->num_nh; + size_t tot = nla_total_size(sz) + +- nla_total_size(2); /* NHA_GROUP_TYPE */ ++ nla_total_size(2) + /* NHA_GROUP_TYPE */ ++ nla_total_size(0); /* NHA_FDB */ + + if (nhg->resilient) + tot += nh_nlmsg_size_grp_res(nhg); + ++ if (op_flags & NHA_OP_FLAG_DUMP_STATS) { ++ tot += nla_total_size(0) + /* NHA_GROUP_STATS */ ++ nla_total_size(4); /* NHA_HW_STATS_ENABLE */ ++ tot += nhg->num_nh * ++ (nla_total_size(0) + /* NHA_GROUP_STATS_ENTRY */ ++ nla_total_size(4) + /* NHA_GROUP_STATS_ENTRY_ID */ ++ nla_total_size_64bit(8)); /* NHA_GROUP_STATS_ENTRY_PACKETS */ ++ ++ if (op_flags & NHA_OP_FLAG_DUMP_HW_STATS) { ++ tot += nhg->num_nh * ++ nla_total_size_64bit(8); /* NHA_GROUP_STATS_ENTRY_PACKETS_HW */ ++ tot += nla_total_size(4); /* NHA_HW_STATS_USED */ ++ } ++ } ++ + return tot; + } + +@@ -1050,14 +1066,14 @@ static size_t nh_nlmsg_size_single(struct nexthop *nh) + return sz; + } + +-static size_t nh_nlmsg_size(struct nexthop *nh) ++static size_t nh_nlmsg_size(struct nexthop *nh, u32 op_flags) + { + size_t sz = NLMSG_ALIGN(sizeof(struct nhmsg)); + + sz += nla_total_size(4); /* NHA_ID */ + + if (nh->is_group) +- sz += nh_nlmsg_size_grp(nh) + ++ sz += nh_nlmsg_size_grp(nh, op_flags) + + nla_total_size(4) + /* NHA_OP_FLAGS */ + 0; + else +@@ -1073,7 +1089,7 @@ static void nexthop_notify(int event, struct nexthop *nh, struct nl_info *info) + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(nh_nlmsg_size(nh), gfp_any()); ++ skb = nlmsg_new(nh_nlmsg_size(nh, 0), gfp_any()); + if (!skb) + goto errout; + +@@ -3379,15 +3395,15 @@ static int rtm_get_nexthop(struct sk_buff *in_skb, struct nlmsghdr *nlh, + if (err) + return err; + +- err = -ENOBUFS; +- skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); +- if (!skb) +- goto out; +- + err = -ENOENT; + nh = nexthop_find_by_id(net, id); + if (!nh) +- goto errout_free; ++ goto out; ++ ++ err = -ENOBUFS; ++ skb = nlmsg_new(nh_nlmsg_size(nh, op_flags), GFP_KERNEL); ++ if (!skb) ++ goto out; + + err = nh_fill_node(skb, nh, RTM_NEWNEXTHOP, NETLINK_CB(in_skb).portid, + nlh->nlmsg_seq, 0, op_flags); +-- +2.53.0 + diff --git a/queue-6.19/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch b/queue-6.19/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch new file mode 100644 index 0000000000..41ed75b1e1 --- /dev/null +++ b/queue-6.19/ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch @@ -0,0 +1,43 @@ +From 0f0320480e227bef2a32de6529436d700b4409a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 09:26:12 +0200 +Subject: ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group + dump + +From: Fernando Fernandez Mancera + +[ Upstream commit 06aaf04ca815f7a1f17762fd847b7bc14b8833fb ] + +Currently NHA_HW_STATS_ENABLE is included twice everytime a dump of +nexthop group is performed with NHA_OP_FLAG_DUMP_STATS. As all the stats +querying were moved to nla_put_nh_group_stats(), leave only that +instance of the attribute querying. + +Fixes: 5072ae00aea4 ("net: nexthop: Expose nexthop group HW stats to user space") +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Eric Dumazet +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260402072613.25262-1-fmancera@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/nexthop.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c +index 427c201175949..aa53a74ac2389 100644 +--- a/net/ipv4/nexthop.c ++++ b/net/ipv4/nexthop.c +@@ -905,8 +905,7 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nexthop *nh, + goto nla_put_failure; + + if (op_flags & NHA_OP_FLAG_DUMP_STATS && +- (nla_put_u32(skb, NHA_HW_STATS_ENABLE, nhg->hw_stats) || +- nla_put_nh_group_stats(skb, nh, op_flags))) ++ nla_put_nh_group_stats(skb, nh, op_flags)) + goto nla_put_failure; + + return 0; +-- +2.53.0 + diff --git a/queue-6.19/ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch b/queue-6.19/ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch new file mode 100644 index 0000000000..050f259001 --- /dev/null +++ b/queue-6.19/ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch @@ -0,0 +1,120 @@ +From 12d7039ab78b8f4351648a89e5c1050649869405 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:17:32 +0000 +Subject: ipv6: ioam: fix potential NULL dereferences in + __ioam6_fill_trace_data() + +From: Eric Dumazet + +[ Upstream commit 4e65a8b8daa18d63255ec58964dd192c7fdd9f8b ] + +We need to check __in6_dev_get() for possible NULL value, as +suggested by Yiming Qian. + +Also add skb_dst_dev_rcu() instead of skb_dst_dev(), +and two missing READ_ONCE(). + +Note that @dev can't be NULL. + +Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace") +Reported-by: Yiming Qian +Signed-off-by: Eric Dumazet +Reviewed-by: Justin Iurman +Link: https://patch.msgid.link/20260402101732.1188059-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ioam6.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/net/ipv6/ioam6.c b/net/ipv6/ioam6.c +index 8db7f965696aa..12350e1e18bde 100644 +--- a/net/ipv6/ioam6.c ++++ b/net/ipv6/ioam6.c +@@ -710,7 +710,9 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + struct ioam6_schema *sc, + unsigned int sclen, bool is_input) + { +- struct net_device *dev = skb_dst_dev(skb); ++ /* Note: skb_dst_dev_rcu() can't be NULL at this point. */ ++ struct net_device *dev = skb_dst_dev_rcu(skb); ++ struct inet6_dev *i_skb_dev, *idev; + struct timespec64 ts; + ktime_t tstamp; + u64 raw64; +@@ -721,13 +723,16 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + + data = trace->data + trace->remlen * 4 - trace->nodelen * 4 - sclen * 4; + ++ i_skb_dev = skb->dev ? __in6_dev_get(skb->dev) : NULL; ++ idev = __in6_dev_get(dev); ++ + /* hop_lim and node_id */ + if (trace->type.bit0) { + byte = ipv6_hdr(skb)->hop_limit; + if (is_input) + byte--; + +- raw32 = dev_net(dev)->ipv6.sysctl.ioam6_id; ++ raw32 = READ_ONCE(dev_net(dev)->ipv6.sysctl.ioam6_id); + + *(__be32 *)data = cpu_to_be32((byte << 24) | raw32); + data += sizeof(__be32); +@@ -735,18 +740,18 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + + /* ingress_if_id and egress_if_id */ + if (trace->type.bit1) { +- if (!skb->dev) ++ if (!i_skb_dev) + raw16 = IOAM6_U16_UNAVAILABLE; + else +- raw16 = (__force u16)READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id); ++ raw16 = (__force u16)READ_ONCE(i_skb_dev->cnf.ioam6_id); + + *(__be16 *)data = cpu_to_be16(raw16); + data += sizeof(__be16); + +- if (dev->flags & IFF_LOOPBACK) ++ if ((dev->flags & IFF_LOOPBACK) || !idev) + raw16 = IOAM6_U16_UNAVAILABLE; + else +- raw16 = (__force u16)READ_ONCE(__in6_dev_get(dev)->cnf.ioam6_id); ++ raw16 = (__force u16)READ_ONCE(idev->cnf.ioam6_id); + + *(__be16 *)data = cpu_to_be16(raw16); + data += sizeof(__be16); +@@ -822,7 +827,7 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + if (is_input) + byte--; + +- raw64 = dev_net(dev)->ipv6.sysctl.ioam6_id_wide; ++ raw64 = READ_ONCE(dev_net(dev)->ipv6.sysctl.ioam6_id_wide); + + *(__be64 *)data = cpu_to_be64(((u64)byte << 56) | raw64); + data += sizeof(__be64); +@@ -830,18 +835,18 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + + /* ingress_if_id and egress_if_id (wide) */ + if (trace->type.bit9) { +- if (!skb->dev) ++ if (!i_skb_dev) + raw32 = IOAM6_U32_UNAVAILABLE; + else +- raw32 = READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id_wide); ++ raw32 = READ_ONCE(i_skb_dev->cnf.ioam6_id_wide); + + *(__be32 *)data = cpu_to_be32(raw32); + data += sizeof(__be32); + +- if (dev->flags & IFF_LOOPBACK) ++ if ((dev->flags & IFF_LOOPBACK) || !idev) + raw32 = IOAM6_U32_UNAVAILABLE; + else +- raw32 = READ_ONCE(__in6_dev_get(dev)->cnf.ioam6_id_wide); ++ raw32 = READ_ONCE(idev->cnf.ioam6_id_wide); + + *(__be32 *)data = cpu_to_be32(raw32); + data += sizeof(__be32); +-- +2.53.0 + diff --git a/queue-6.19/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch b/queue-6.19/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch new file mode 100644 index 0000000000..7c8b80393c --- /dev/null +++ b/queue-6.19/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch @@ -0,0 +1,62 @@ +From c5a02ad6953eb2d0cbfa6dc2e3e4f9178a77758b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 15:58:01 +0800 +Subject: ipvs: fix NULL deref in ip_vs_add_service error path + +From: Weiming Shi + +[ Upstream commit 9a91797e61d286805ae10a92cc48959c30800556 ] + +When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local +variable sched is set to NULL. If ip_vs_start_estimator() subsequently +fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) +with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL +check (because svc->scheduler was set by the successful bind) but then +dereferences the NULL sched parameter at sched->done_service, causing a +kernel panic at offset 0x30 from NULL. + + Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] + RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) + Call Trace: + + ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) + do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) + nf_setsockopt (net/netfilter/nf_sockopt.c:102) + [..] + +Fix by simply not clearing the local sched variable after a successful +bind. ip_vs_unbind_scheduler() already detects whether a scheduler is +installed via svc->scheduler, and keeping sched non-NULL ensures the +error path passes the correct pointer to both ip_vs_unbind_scheduler() +and ip_vs_scheduler_put(). + +While the bug is older, the problem popups in more recent kernels (6.2), +when the new error path is taken after the ip_vs_start_estimator() call. + +Fixes: 705dd3444081 ("ipvs: use kthreads for stats estimation") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Acked-by: Simon Horman +Acked-by: Julian Anastasov +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 0687028943774..ce217a25a6af7 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -1452,7 +1452,6 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, + ret = ip_vs_bind_scheduler(svc, sched); + if (ret) + goto out_err; +- sched = NULL; + } + + ret = ip_vs_start_estimator(ipvs, &svc->stats); +-- +2.53.0 + diff --git a/queue-6.19/ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch b/queue-6.19/ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch new file mode 100644 index 0000000000..484bd3b8e1 --- /dev/null +++ b/queue-6.19/ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch @@ -0,0 +1,139 @@ +From de1d089f822f5b5096d80693973577c25c69e6d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 09:42:32 +0100 +Subject: ixgbe: stop re-reading flash on every get_drvinfo for e610 + +From: Aleksandr Loktionov + +[ Upstream commit d8ae40dc20cbd7bb6e6b36a928e2db2296060ad2 ] + +ixgbe_get_drvinfo() calls ixgbe_refresh_fw_version() on every ethtool +query for e610 adapters. That ends up in ixgbe_discover_flash_size(), +which bisects the full 16 MB NVM space issuing one ACI command per +step (~20 ms each, ~24 steps total = ~500 ms). + +Profiling on an idle E610-XAT2 system with telegraf scraping ethtool +stats every 10 seconds: + + kretprobe:ixgbe_get_drvinfo took 527603 us + kretprobe:ixgbe_get_drvinfo took 523978 us + kretprobe:ixgbe_get_drvinfo took 552975 us + kretprobe:ice_get_drvinfo took 3 us + kretprobe:igb_get_drvinfo took 2 us + kretprobe:i40e_get_drvinfo took 5 us + +The half-second stall happens under the RTNL lock, causing visible +latency on ip-link and friends. + +The FW version can only change after an EMPR reset. All flash data is +already populated at probe time and the cached adapter->eeprom_id is +what get_drvinfo should be returning. The only place that needs to +trigger a re-read is ixgbe_devlink_reload_empr_finish(), right after +the EMPR completes and new firmware is running. Additionally, refresh +the FW version in ixgbe_reinit_locked() so that any PF that undergoes a +reinit after an EMPR (e.g. triggered by another PF's devlink reload) +also picks up the new version in adapter->eeprom_id. + +ixgbe_devlink_info_get() keeps its refresh call for explicit +"devlink dev info" queries, which is fine given those are user-initiated. + +Fixes: c9e563cae19e ("ixgbe: add support for devlink reload") +Co-developed-by: Jedrzej Jagielski +Signed-off-by: Jedrzej Jagielski +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/devlink/devlink.c | 2 +- + drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 +- + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 13 +++++++------ + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 10 ++++++++++ + 4 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c b/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c +index d227f4d2a2d17..f32e640ef4ac0 100644 +--- a/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c ++++ b/drivers/net/ethernet/intel/ixgbe/devlink/devlink.c +@@ -474,7 +474,7 @@ static int ixgbe_devlink_reload_empr_finish(struct devlink *devlink, + adapter->flags2 &= ~(IXGBE_FLAG2_API_MISMATCH | + IXGBE_FLAG2_FW_ROLLBACK); + +- return 0; ++ return ixgbe_refresh_fw_version(adapter); + } + + static const struct devlink_ops ixgbe_devlink_ops = { +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h +index dce4936708eb4..047f04045585a 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h +@@ -973,7 +973,7 @@ int ixgbe_init_interrupt_scheme(struct ixgbe_adapter *adapter); + bool ixgbe_wol_supported(struct ixgbe_adapter *adapter, u16 device_id, + u16 subdevice_id); + void ixgbe_set_fw_version_e610(struct ixgbe_adapter *adapter); +-void ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter); ++int ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter); + #ifdef CONFIG_PCI_IOV + void ixgbe_full_sync_mac_table(struct ixgbe_adapter *adapter); + #endif +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +index 2ad81f687a844..d82c51f673ec8 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -1153,12 +1153,17 @@ static int ixgbe_set_eeprom(struct net_device *netdev, + return ret_val; + } + +-void ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter) ++int ixgbe_refresh_fw_version(struct ixgbe_adapter *adapter) + { + struct ixgbe_hw *hw = &adapter->hw; ++ int err; ++ ++ err = ixgbe_get_flash_data(hw); ++ if (err) ++ return err; + +- ixgbe_get_flash_data(hw); + ixgbe_set_fw_version_e610(adapter); ++ return 0; + } + + static void ixgbe_get_drvinfo(struct net_device *netdev, +@@ -1166,10 +1171,6 @@ static void ixgbe_get_drvinfo(struct net_device *netdev, + { + struct ixgbe_adapter *adapter = ixgbe_from_netdev(netdev); + +- /* need to refresh info for e610 in case fw reloads in runtime */ +- if (adapter->hw.mac.type == ixgbe_mac_e610) +- ixgbe_refresh_fw_version(adapter); +- + strscpy(drvinfo->driver, ixgbe_driver_name, sizeof(drvinfo->driver)); + + strscpy(drvinfo->fw_version, adapter->eeprom_id, +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index c58051e4350be..60eadef423ca7 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -6289,6 +6289,16 @@ void ixgbe_reinit_locked(struct ixgbe_adapter *adapter) + if (adapter->flags & IXGBE_FLAG_SRIOV_ENABLED) + msleep(2000); + ixgbe_up(adapter); ++ ++ /* E610 has no FW event to notify all PFs of an EMPR reset, so ++ * refresh the FW version here to pick up any new FW version after ++ * a hardware reset (e.g. EMPR triggered by another PF's devlink ++ * reload). ixgbe_refresh_fw_version() updates both hw->flash and ++ * adapter->eeprom_id so ethtool -i reports the correct string. ++ */ ++ if (adapter->hw.mac.type == ixgbe_mac_e610) ++ (void)ixgbe_refresh_fw_version(adapter); ++ + clear_bit(__IXGBE_RESETTING, &adapter->state); + } + +-- +2.53.0 + diff --git a/queue-6.19/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch b/queue-6.19/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch new file mode 100644 index 0000000000..f9b5e6c562 --- /dev/null +++ b/queue-6.19/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch @@ -0,0 +1,78 @@ +From 7b56272396efc7f59ca26646d48c0101a6118567 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 09:22:29 +0100 +Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table + +From: Michal Schmidt + +[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ] + +Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by +negotiating supported features") added the .negotiate_features callback +to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot +to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL +on Hyper-V VMs. + +During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), +which unconditionally dereferences hw->mac.ops.negotiate_features(). +On Hyper-V this results in a NULL pointer dereference: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + [...] + Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] + Workqueue: events work_for_cpu_fn + RIP: 0010:0x0 + [...] + Call Trace: + ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] + ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] + ixgbevf_probe+0x20f/0x4a0 [ixgbevf] + local_pci_probe+0x50/0xa0 + work_for_cpu_fn+0x1a/0x30 + [...] + +Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and +wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP +gracefully. + +Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") +Reported-by: Xiaoqiang Xiong +Closes: https://issues.redhat.com/browse/RHEL-155455 +Assisted-by: Claude:claude-4.6-opus-high Cursor +Tested-by: Xiaoqiang Xiong +Signed-off-by: Michal Schmidt +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c +index b67b580f7f1c9..f6df86d124b9e 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/vf.c ++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c +@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) + return err; + } + ++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw, ++ u32 *pf_features) ++{ ++ return -EOPNOTSUPP; ++} ++ + /** + * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address + * @hw: pointer to the HW structure +@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = { + .setup_link = ixgbevf_setup_mac_link_vf, + .check_link = ixgbevf_hv_check_mac_link_vf, + .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf, ++ .negotiate_features = ixgbevf_hv_negotiate_features_vf, + .set_rar = ixgbevf_hv_set_rar_vf, + .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf, + .update_xcast_mode = ixgbevf_hv_update_xcast_mode, +-- +2.53.0 + diff --git a/queue-6.19/l2tp-drop-large-packets-with-udp-encap.patch b/queue-6.19/l2tp-drop-large-packets-with-udp-encap.patch new file mode 100644 index 0000000000..69136a874d --- /dev/null +++ b/queue-6.19/l2tp-drop-large-packets-with-udp-encap.patch @@ -0,0 +1,106 @@ +From af6e134c7089b25908fa0aefbe44e83fbd03b63a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 20:49:49 +0300 +Subject: l2tp: Drop large packets with UDP encap + +From: Alice Mikityanska + +[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ] + +syzbot reported a WARN on my patch series [1]. The actual issue is an +overflow of 16-bit UDP length field, and it exists in the upstream code. +My series added a debug WARN with an overflow check that exposed the +issue, that's why syzbot tripped on my patches, rather than on upstream +code. + +syzbot's repro: + +r0 = socket$pppl2tp(0x18, 0x1, 0x1) +r1 = socket$inet6_udp(0xa, 0x2, 0x0) +connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) +connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) +writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) + +It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP +encapsulation, and l2tp_xmit_core doesn't check for overflows when it +assigns the UDP length field. The value gets trimmed to 16 bites. + +Add an overflow check that drops oversized packets and avoids sending +packets with trimmed UDP length to the wire. + +syzbot's stack trace (with my patch applied): + +len >= 65536u +WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 +Modules linked in: +CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] +RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] +RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 +Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f +RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 +RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 +RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff +RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 +R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 +R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 +FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 +Call Trace: + + pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + sock_write_iter+0x503/0x550 net/socket.c:1195 + do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 + vfs_writev+0x33c/0x990 fs/read_write.c:1059 + do_writev+0x154/0x2e0 fs/read_write.c:1105 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f636479c629 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 +RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 +RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 + + +[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/ +Signed-off-by: Alice Mikityanska +Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index f9b0f666600f1..336e447897bd6 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1290,6 +1290,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + uh->source = inet->inet_sport; + uh->dest = inet->inet_dport; + udp_len = uhlen + session->hdr_len + data_len; ++ if (udp_len > U16_MAX) { ++ kfree_skb(skb); ++ ret = NET_XMIT_DROP; ++ goto out_unlock; ++ } + uh->len = htons(udp_len); + + /* Calculate UDP checksum if configured to do so */ +-- +2.53.0 + diff --git a/queue-6.19/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch b/queue-6.19/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch new file mode 100644 index 0000000000..36dc30e939 --- /dev/null +++ b/queue-6.19/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch @@ -0,0 +1,49 @@ +From 6924b14636d40f3730f4cd1457a7930e889c9b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 10:47:51 +0100 +Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl() + +From: Arnd Bergmann + +[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ] + +The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot +of registers, so when the clang register allocator runs out, it ends up +spilling countless temporaries to the stack: + +drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than] + +Marking this function as noinline_for_stack keeps it out of +rkvdec_vp9_start(), giving the compiler more room for optimization. + +The resulting code is good enough that both the total stack usage +and the loop get enough better to stay under the warning limit, +though it's still slow, and would need a larger rework if this +function ends up being called in a fast path. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c b/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c +index b4bf01e839eff..8fb6a1624a14f 100644 +--- a/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c ++++ b/drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c +@@ -927,7 +927,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx, + update_ctx_last_info(vp9_ctx); + } + +-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) ++static noinline_for_stack void ++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) + { + struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv; + struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu; +-- +2.53.0 + diff --git a/queue-6.19/mshv-fix-infinite-fault-loop-on-permission-denied-gp.patch b/queue-6.19/mshv-fix-infinite-fault-loop-on-permission-denied-gp.patch new file mode 100644 index 0000000000..8db212405b --- /dev/null +++ b/queue-6.19/mshv-fix-infinite-fault-loop-on-permission-denied-gp.patch @@ -0,0 +1,119 @@ +From 90d802d8712ac8431a1649979dd047df3fe96a37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2026 23:57:40 +0000 +Subject: mshv: Fix infinite fault loop on permission-denied GPA intercepts + +From: Stanislav Kinsburskii + +[ Upstream commit 16cbec24897624051b324aa3a85859c38ca65fde ] + +Prevent infinite fault loops when guests access memory regions without +proper permissions. Currently, mshv_handle_gpa_intercept() attempts to +remap pages for all faults on movable memory regions, regardless of +whether the access type is permitted. When a guest writes to a read-only +region, the remap succeeds but the region remains read-only, causing +immediate re-fault and spinning the vCPU indefinitely. + +Validate intercept access type against region permissions before +attempting remaps. Reject writes to non-writable regions and executes to +non-executable regions early, returning false to let the VMM handle the +intercept appropriately. + +This also closes a potential DoS vector where malicious guests could +intentionally trigger these fault loops to consume host resources. + +Fixes: b9a66cd5ccbb ("mshv: Add support for movable memory regions") +Signed-off-by: Stanislav Kinsburskii +Reviewed-by: Anirudh Rayabharam (Microsoft) +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/mshv_root_main.c | 15 ++++++++++++--- + include/hyperv/hvgdk_mini.h | 6 ++++++ + include/hyperv/hvhdk.h | 4 ++-- + 3 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c +index 45cf086ad430d..5611be36f6a8e 100644 +--- a/drivers/hv/mshv_root_main.c ++++ b/drivers/hv/mshv_root_main.c +@@ -642,7 +642,7 @@ static bool mshv_handle_gpa_intercept(struct mshv_vp *vp) + { + struct mshv_partition *p = vp->vp_partition; + struct mshv_mem_region *region; +- bool ret; ++ bool ret = false; + u64 gfn; + #if defined(CONFIG_X86_64) + struct hv_x64_memory_intercept_message *msg = +@@ -653,6 +653,8 @@ static bool mshv_handle_gpa_intercept(struct mshv_vp *vp) + (struct hv_arm64_memory_intercept_message *) + vp->vp_intercept_msg_page->u.payload; + #endif ++ enum hv_intercept_access_type access_type = ++ msg->header.intercept_access_type; + + gfn = HVPFN_DOWN(msg->guest_physical_address); + +@@ -660,12 +662,19 @@ static bool mshv_handle_gpa_intercept(struct mshv_vp *vp) + if (!region) + return false; + ++ if (access_type == HV_INTERCEPT_ACCESS_WRITE && ++ !(region->hv_map_flags & HV_MAP_GPA_WRITABLE)) ++ goto put_region; ++ ++ if (access_type == HV_INTERCEPT_ACCESS_EXECUTE && ++ !(region->hv_map_flags & HV_MAP_GPA_EXECUTABLE)) ++ goto put_region; ++ + /* Only movable memory ranges are supported for GPA intercepts */ + if (region->type == MSHV_REGION_TYPE_MEM_MOVABLE) + ret = mshv_region_handle_gfn_fault(region, gfn); +- else +- ret = false; + ++put_region: + mshv_region_put(region); + + return ret; +diff --git a/include/hyperv/hvgdk_mini.h b/include/hyperv/hvgdk_mini.h +index 30fbbde81c5c4..9c523ee57a358 100644 +--- a/include/hyperv/hvgdk_mini.h ++++ b/include/hyperv/hvgdk_mini.h +@@ -1528,4 +1528,10 @@ struct hv_mmio_write_input { + u8 data[HV_HYPERCALL_MMIO_MAX_DATA_LENGTH]; + } __packed; + ++enum hv_intercept_access_type { ++ HV_INTERCEPT_ACCESS_READ = 0, ++ HV_INTERCEPT_ACCESS_WRITE = 1, ++ HV_INTERCEPT_ACCESS_EXECUTE = 2 ++}; ++ + #endif /* _HV_HVGDK_MINI_H */ +diff --git a/include/hyperv/hvhdk.h b/include/hyperv/hvhdk.h +index 08965970c17df..84ebe56f1f8db 100644 +--- a/include/hyperv/hvhdk.h ++++ b/include/hyperv/hvhdk.h +@@ -770,7 +770,7 @@ struct hv_x64_intercept_message_header { + u32 vp_index; + u8 instruction_length:4; + u8 cr8:4; /* Only set for exo partitions */ +- u8 intercept_access_type; ++ u8 intercept_access_type; /* enum hv_intercept_access_type */ + union hv_x64_vp_execution_state execution_state; + struct hv_x64_segment_register cs_segment; + u64 rip; +@@ -816,7 +816,7 @@ union hv_arm64_vp_execution_state { + struct hv_arm64_intercept_message_header { + u32 vp_index; + u8 instruction_length; +- u8 intercept_access_type; ++ u8 intercept_access_type; /* enum hv_intercept_access_type */ + union hv_arm64_vp_execution_state execution_state; + u64 pc; + u64 cpsr; +-- +2.53.0 + diff --git a/queue-6.19/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch b/queue-6.19/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch new file mode 100644 index 0000000000..38f14248cd --- /dev/null +++ b/queue-6.19/net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch @@ -0,0 +1,145 @@ +From b6a87ee52cb9a6217970ecf9368640e90d1b5cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2026 11:46:08 -0700 +Subject: net: af_key: zero aligned sockaddr tail in PF_KEY exports + +From: Zhengchuan Liang + +[ Upstream commit 426c355742f02cf743b347d9d7dbdc1bfbfa31ef ] + +PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr +payload space, so IPv6 addresses occupy 32 bytes on the wire. However, +`pfkey_sockaddr_fill()` initializes only the first 28 bytes of +`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. + +Not every PF_KEY message is affected. The state and policy dump builders +already zero the whole message buffer before filling the sockaddr +payloads. Keep the fix to the export paths that still append aligned +sockaddr payloads with plain `skb_put()`: + + - `SADB_ACQUIRE` + - `SADB_X_NAT_T_NEW_MAPPING` + - `SADB_X_MIGRATE` + +Fix those paths by clearing only the aligned sockaddr tail after +`pfkey_sockaddr_fill()`. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Xiao Liu +Signed-off-by: Zhengchuan Liang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 52 +++++++++++++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 18 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index bc91aeeb74bbf..a6a9a40717ee8 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -757,6 +757,22 @@ static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port + return 0; + } + ++static unsigned int pfkey_sockaddr_fill_zero_tail(const xfrm_address_t *xaddr, ++ __be16 port, ++ struct sockaddr *sa, ++ unsigned short family) ++{ ++ unsigned int prefixlen; ++ int sockaddr_len = pfkey_sockaddr_len(family); ++ int sockaddr_size = pfkey_sockaddr_size(family); ++ ++ prefixlen = pfkey_sockaddr_fill(xaddr, port, sa, family); ++ if (sockaddr_size > sockaddr_len) ++ memset((u8 *)sa + sockaddr_len, 0, sockaddr_size - sockaddr_len); ++ ++ return prefixlen; ++} ++ + static struct sk_buff *__pfkey_xfrm_state2msg(const struct xfrm_state *x, + int add_keys, int hsc) + { +@@ -3206,9 +3222,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->props.saddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3221,9 +3237,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->id.daddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->id.daddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3421,9 +3437,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(&x->props.saddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3443,9 +3459,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, + addr->sadb_address_proto = 0; + addr->sadb_address_reserved = 0; + addr->sadb_address_prefixlen = +- pfkey_sockaddr_fill(ipaddr, 0, +- (struct sockaddr *) (addr + 1), +- x->props.family); ++ pfkey_sockaddr_fill_zero_tail(ipaddr, 0, ++ (struct sockaddr *)(addr + 1), ++ x->props.family); + if (!addr->sadb_address_prefixlen) + BUG(); + +@@ -3474,15 +3490,15 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type, + switch (type) { + case SADB_EXT_ADDRESS_SRC: + addr->sadb_address_prefixlen = sel->prefixlen_s; +- pfkey_sockaddr_fill(&sel->saddr, 0, +- (struct sockaddr *)(addr + 1), +- sel->family); ++ pfkey_sockaddr_fill_zero_tail(&sel->saddr, 0, ++ (struct sockaddr *)(addr + 1), ++ sel->family); + break; + case SADB_EXT_ADDRESS_DST: + addr->sadb_address_prefixlen = sel->prefixlen_d; +- pfkey_sockaddr_fill(&sel->daddr, 0, +- (struct sockaddr *)(addr + 1), +- sel->family); ++ pfkey_sockaddr_fill_zero_tail(&sel->daddr, 0, ++ (struct sockaddr *)(addr + 1), ++ sel->family); + break; + default: + return -EINVAL; +-- +2.53.0 + diff --git a/queue-6.19/net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch b/queue-6.19/net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch new file mode 100644 index 0000000000..ee426eb82b --- /dev/null +++ b/queue-6.19/net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch @@ -0,0 +1,47 @@ +From eebbefa3e84819f9302262aba615bd27b807553b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 14:57:10 +0200 +Subject: net: airoha: Fix memory leak in airoha_qdma_rx_process() + +From: Lorenzo Bianconi + +[ Upstream commit 285fa6b1e03cff78ead0383e1b259c44b95faf90 ] + +If an error occurs on the subsequents buffers belonging to the +non-linear part of the skb (e.g. due to an error in the payload length +reported by the NIC or if we consumed all the available fragments for +the skb), the page_pool fragment will not be linked to the skb so it will +not return to the pool in the airoha_qdma_rx_process() error path. Fix the +memory leak partially reverting commit 'd6d2b0e1538d ("net: airoha: Fix +page recycling in airoha_qdma_rx_process()")' and always running +page_pool_put_full_page routine in the airoha_qdma_rx_process() error +path. + +Fixes: d6d2b0e1538d ("net: airoha: Fix page recycling in airoha_qdma_rx_process()") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402-airoha_qdma_rx_process-mem-leak-fix-v1-1-b5706f402d3c@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/airoha/airoha_eth.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c +index 454d7dcf198d9..fee5b2eddebb0 100644 +--- a/drivers/net/ethernet/airoha/airoha_eth.c ++++ b/drivers/net/ethernet/airoha/airoha_eth.c +@@ -697,9 +697,8 @@ static int airoha_qdma_rx_process(struct airoha_queue *q, int budget) + if (q->skb) { + dev_kfree_skb(q->skb); + q->skb = NULL; +- } else { +- page_pool_put_full_page(q->page_pool, page, true); + } ++ page_pool_put_full_page(q->page_pool, page, true); + } + airoha_qdma_fill_rx_queue(q); + +-- +2.53.0 + diff --git a/queue-6.19/net-fec-make-fixed_phy-dependency-unconditional.patch b/queue-6.19/net-fec-make-fixed_phy-dependency-unconditional.patch new file mode 100644 index 0000000000..1b6fc40191 --- /dev/null +++ b/queue-6.19/net-fec-make-fixed_phy-dependency-unconditional.patch @@ -0,0 +1,52 @@ +From 1c9fff8f4e93cad1bdcabceeed64cab651be0b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 16:10:40 +0200 +Subject: net: fec: make FIXED_PHY dependency unconditional + +From: Arnd Bergmann + +[ Upstream commit e16a0d36777b572196de4944aaa196adf828eb8e ] + +When CONFIG_FIXED_PHY is in a loadable module, the fec driver cannot be +built-in any more: + +x86_64-linux-ld: vmlinux.o: in function `fec_enet_mii_probe': +fec_main.c:(.text+0xc4f367): undefined reference to `fixed_phy_unregister' +x86_64-linux-ld: vmlinux.o: in function `fec_enet_close': +fec_main.c:(.text+0xc59591): undefined reference to `fixed_phy_unregister' +x86_64-linux-ld: vmlinux.o: in function `fec_enet_mii_probe.cold': + +Select the fixed phy support on all targets to make this build +correctly, not just on coldfire. + +Notat that Essentially the stub helpers in include/linux/phy_fixed.h +cannot be used correctly because of this build time dependency, +and we could just remove them to hit the build failure more often +when a driver uses them without the 'select FIXED_PHY'. + +Fixes: dc86b621e1b4 ("net: fec: register a fixed phy using fixed_phy_register_100fd if needed") +Signed-off-by: Arnd Bergmann +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402141048.2713445-1-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/Kconfig b/drivers/net/ethernet/freescale/Kconfig +index e2a591cf9601f..11edbb46a1180 100644 +--- a/drivers/net/ethernet/freescale/Kconfig ++++ b/drivers/net/ethernet/freescale/Kconfig +@@ -28,7 +28,7 @@ config FEC + depends on PTP_1588_CLOCK_OPTIONAL + select CRC32 + select PHYLIB +- select FIXED_PHY if M5272 ++ select FIXED_PHY + select PAGE_POOL + imply PAGE_POOL_STATS + imply NET_SELFTESTS +-- +2.53.0 + diff --git a/queue-6.19/net-increase-ip_tunnel_recursion_limit-to-5.patch b/queue-6.19/net-increase-ip_tunnel_recursion_limit-to-5.patch new file mode 100644 index 0000000000..71e16cb970 --- /dev/null +++ b/queue-6.19/net-increase-ip_tunnel_recursion_limit-to-5.patch @@ -0,0 +1,42 @@ +From 3e1066ba497a12b498b90265dafee8b169bafc01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:23:16 -0500 +Subject: net: increase IP_TUNNEL_RECURSION_LIMIT to 5 + +From: Chris J Arges + +[ Upstream commit 77facb35227c421467cdb49268de433168c2dcef ] + +In configurations with multiple tunnel layers and MPLS lwtunnel routing, a +single tunnel hop can increment the counter beyond this limit. This causes +packets to be dropped with the "Dead loop on virtual device" message even +when a routing loop doesn't exist. + +Increase IP_TUNNEL_RECURSION_LIMIT from 4 to 5 to handle this use-case. + +Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") +Link: https://lore.kernel.org/netdev/88deb91b-ef1b-403c-8eeb-0f971f27e34f@redhat.com/ +Signed-off-by: Chris J Arges +Link: https://patch.msgid.link/20260402222401.3408368-1-carges@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 1f577a4f8ce9b..d708b66e55cda 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -32,7 +32,7 @@ + * recursion involves route lookups and full IP output, consuming much + * more stack per level, so a lower limit is needed. + */ +-#define IP_TUNNEL_RECURSION_LIMIT 4 ++#define IP_TUNNEL_RECURSION_LIMIT 5 + + /* Keep error state on tunnel for 30 sec */ + #define IPTUNNEL_ERR_TIMEO (30*HZ) +-- +2.53.0 + diff --git a/queue-6.19/net-ioam6-fix-oob-and-missing-lock.patch b/queue-6.19/net-ioam6-fix-oob-and-missing-lock.patch new file mode 100644 index 0000000000..498f803435 --- /dev/null +++ b/queue-6.19/net-ioam6-fix-oob-and-missing-lock.patch @@ -0,0 +1,65 @@ +From 78fe94343403f29815932a6524742c6f2ab4b8f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 15:41:37 +0200 +Subject: net: ioam6: fix OOB and missing lock + +From: Justin Iurman + +[ Upstream commit b30b1675aa2bcf0491fd3830b051df4e08a7c8ca ] + +When trace->type.bit6 is set: + + if (trace->type.bit6) { + ... + queue = skb_get_tx_queue(dev, skb); + qdisc = rcu_dereference(queue->qdisc); + +This code can lead to an out-of-bounds access of the dev->_tx[] array +when is_input is true. In such a case, the packet is on the RX path and +skb->queue_mapping contains the RX queue index of the ingress device. If +the ingress device has more RX queues than the egress device (dev) has +TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. +Add a check to avoid this situation since skb_get_tx_queue() does not +clamp the index. This issue has also revealed that per queue visibility +cannot be accurate and will be replaced later as a new feature. + +While at it, add missing lock around qdisc_qstats_qlen_backlog(). The +function __ioam6_fill_trace_data() is called from both softirq and +process contexts, hence the use of spin_lock_bh() here. + +Fixes: b63c5478e9cb ("ipv6: ioam: Support for Queue depth data field") +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/netdev/20260403214418.2233266-2-kuba@kernel.org/ +Signed-off-by: Justin Iurman +Link: https://patch.msgid.link/20260404134137.24553-1-justin.iurman@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ioam6.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ioam6.c b/net/ipv6/ioam6.c +index 12350e1e18bde..b91de51ffa9ea 100644 +--- a/net/ipv6/ioam6.c ++++ b/net/ipv6/ioam6.c +@@ -803,12 +803,16 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb, + struct Qdisc *qdisc; + __u32 qlen, backlog; + +- if (dev->flags & IFF_LOOPBACK) { ++ if (dev->flags & IFF_LOOPBACK || ++ skb_get_queue_mapping(skb) >= dev->num_tx_queues) { + *(__be32 *)data = cpu_to_be32(IOAM6_U32_UNAVAILABLE); + } else { + queue = skb_get_tx_queue(dev, skb); + qdisc = rcu_dereference(queue->qdisc); ++ ++ spin_lock_bh(qdisc_lock(qdisc)); + qdisc_qstats_qlen_backlog(qdisc, &qlen, &backlog); ++ spin_unlock_bh(qdisc_lock(qdisc)); + + *(__be32 *)data = cpu_to_be32(backlog); + } +-- +2.53.0 + diff --git a/queue-6.19/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch b/queue-6.19/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch new file mode 100644 index 0000000000..ca4b00696b --- /dev/null +++ b/queue-6.19/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch @@ -0,0 +1,49 @@ +From 2ef4b658da1dddc1b1f434ee06102777b5c99679 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 18:43:48 +0200 +Subject: net: ipa: fix event ring index not programmed for IPA v5.0+ + +From: Alexander Koskovich + +[ Upstream commit 56007972c0b1e783ca714d6f1f4d6e66e531d21f ] + +For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to +CH_C_CNTXT_1. The v5.0 register definition intended to define this +field in the CH_C_CNTXT_1 fmask array but used the old identifier of +ERINDEX instead of CH_ERINDEX. + +Without a valid event ring, GSI channels could never signal transfer +completions. This caused gsi_channel_trans_quiesce() to block +forever in wait_for_completion(). + +At least for IPA v5.2 this resolves an issue seen where runtime +suspend, system suspend, and remoteproc stop all hanged forever. It +also meant the IPA data path was completely non functional. + +Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions") +Signed-off-by: Alexander Koskovich +Signed-off-by: Luca Weiss +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260403-milos-ipa-v1-2-01e9e4e03d3e@fairphone.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/reg/gsi_reg-v5.0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c +index 3334d8e20ad28..6c4a7fbe4de94 100644 +--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c ++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c +@@ -30,7 +30,7 @@ REG_STRIDE_FIELDS(CH_C_CNTXT_0, ch_c_cntxt_0, + + static const u32 reg_ch_c_cntxt_1_fmask[] = { + [CH_R_LENGTH] = GENMASK(23, 0), +- [ERINDEX] = GENMASK(31, 24), ++ [CH_ERINDEX] = GENMASK(31, 24), + }; + + REG_STRIDE_FIELDS(CH_C_CNTXT_1, ch_c_cntxt_1, +-- +2.53.0 + diff --git a/queue-6.19/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch b/queue-6.19/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch new file mode 100644 index 0000000000..37b5ff61c1 --- /dev/null +++ b/queue-6.19/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch @@ -0,0 +1,47 @@ +From 2446346ef97f41b180aa3c03fd7c33943f3baf63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 18:43:47 +0200 +Subject: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ + +From: Alexander Koskovich + +[ Upstream commit 9709b56d908acc120fe8b4ae250b3c9d749ea832 ] + +Fix the field masks to match the hardware layout documented in +downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*). + +Notably this fixes a WARN I was seeing when I tried to send "stop" +to the MPSS remoteproc while IPA was up. + +Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions") +Signed-off-by: Alexander Koskovich +Signed-off-by: Luca Weiss +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260403-milos-ipa-v1-1-01e9e4e03d3e@fairphone.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/reg/gsi_reg-v5.0.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c +index 36d1e65df71bb..3334d8e20ad28 100644 +--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c ++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c +@@ -156,9 +156,10 @@ REG_FIELDS(EV_CH_CMD, ev_ch_cmd, 0x00025010 + 0x12000 * GSI_EE_AP); + + static const u32 reg_generic_cmd_fmask[] = { + [GENERIC_OPCODE] = GENMASK(4, 0), +- [GENERIC_CHID] = GENMASK(9, 5), +- [GENERIC_EE] = GENMASK(13, 10), +- /* Bits 14-31 reserved */ ++ [GENERIC_CHID] = GENMASK(12, 5), ++ [GENERIC_EE] = GENMASK(16, 13), ++ /* Bits 17-23 reserved */ ++ [GENERIC_PARAMS] = GENMASK(31, 24), + }; + + REG_FIELDS(GENERIC_CMD, generic_cmd, 0x00025018 + 0x12000 * GSI_EE_AP); +-- +2.53.0 + diff --git a/queue-6.19/net-lapbether-handle-netdev_pre_type_change.patch b/queue-6.19/net-lapbether-handle-netdev_pre_type_change.patch new file mode 100644 index 0000000000..9f36b34f88 --- /dev/null +++ b/queue-6.19/net-lapbether-handle-netdev_pre_type_change.patch @@ -0,0 +1,77 @@ +From fe6393127881535693110587d8944f71d5acdf4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:35:19 +0000 +Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE + +From: Eric Dumazet + +[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ] + +lapbeth_data_transmit() expects the underlying device type +to be ARPHRD_ETHER. + +Returning NOTIFY_BAD from lapbeth_device_event() makes sure +bonding driver can not break this expectation. + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin Schiller +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index f357a7ac70ac4..9861c99ea56c4 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -446,33 +446,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth) + static int lapbeth_device_event(struct notifier_block *this, + unsigned long event, void *ptr) + { +- struct lapbethdev *lapbeth; + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct lapbethdev *lapbeth; + + if (dev_net(dev) != &init_net) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev)) ++ lapbeth = lapbeth_get_x25_dev(dev); ++ if (!dev_is_ethdev(dev) && !lapbeth) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: + /* New ethernet device -> new LAPB interface */ +- if (!lapbeth_get_x25_dev(dev)) ++ if (!lapbeth) + lapbeth_new_device(dev); + break; + case NETDEV_GOING_DOWN: + /* ethernet device closes -> close LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + dev_close(lapbeth->axdev); + break; + case NETDEV_UNREGISTER: + /* ethernet device disappears -> remove LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + lapbeth_free_device(lapbeth); + break; ++ case NETDEV_PRE_TYPE_CHANGE: ++ /* Our underlying device type must not change. */ ++ if (lapbeth) ++ return NOTIFY_BAD; + } + + return NOTIFY_DONE; +-- +2.53.0 + diff --git a/queue-6.19/net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch b/queue-6.19/net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch new file mode 100644 index 0000000000..bda4c59dbe --- /dev/null +++ b/queue-6.19/net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch @@ -0,0 +1,47 @@ +From 9f726d533fbe09370bcd59170e4d2206883c6529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 14:51:52 +0800 +Subject: net: mdio: realtek-rtl9300: use scoped device_for_each_child_node + loop + +From: Felix Gu + +[ Upstream commit c09ea768bdb975e828f8e17293c397c3d14ad85d ] + +Switch to device_for_each_child_node_scoped() to auto-release fwnode +references on early exit. + +Fixes: 24e31e474769 ("net: mdio: Add RTL9300 MDIO driver") +Signed-off-by: Felix Gu +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260405-rtl9300-v1-1-08e4499cf944@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-realtek-rtl9300.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/mdio/mdio-realtek-rtl9300.c b/drivers/net/mdio/mdio-realtek-rtl9300.c +index 405a07075dd11..8d5fb014ca06c 100644 +--- a/drivers/net/mdio/mdio-realtek-rtl9300.c ++++ b/drivers/net/mdio/mdio-realtek-rtl9300.c +@@ -466,7 +466,6 @@ static int rtl9300_mdiobus_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct rtl9300_mdio_priv *priv; +- struct fwnode_handle *child; + int err; + + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); +@@ -487,7 +486,7 @@ static int rtl9300_mdiobus_probe(struct platform_device *pdev) + if (err) + return err; + +- device_for_each_child_node(dev, child) { ++ device_for_each_child_node_scoped(dev, child) { + err = rtl9300_mdiobus_probe_one(dev, priv, child); + if (err) + return err; +-- +2.53.0 + diff --git a/queue-6.19/net-sched-act_csum-validate-nested-vlan-headers.patch b/queue-6.19/net-sched-act_csum-validate-nested-vlan-headers.patch new file mode 100644 index 0000000000..db2aa5ccc5 --- /dev/null +++ b/queue-6.19/net-sched-act_csum-validate-nested-vlan-headers.patch @@ -0,0 +1,60 @@ +From 5f165fe478c6f7878b96162f2d1efff72bff4dcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 22:46:20 +0800 +Subject: net: sched: act_csum: validate nested VLAN headers + +From: Ruide Cao + +[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ] + +tcf_csum_act() walks nested VLAN headers directly from skb->data when an +skb still carries in-payload VLAN tags. The current code reads +vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without +first ensuring that the full VLAN header is present in the linear area. + +If only part of an inner VLAN header is linearized, accessing +h_vlan_encapsulated_proto reads past the linear area, and the following +skb_pull(VLAN_HLEN) may violate skb invariants. + +Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and +pulling each nested VLAN header. If the header still is not fully +available, drop the packet through the existing error path. + +Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_csum.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 0939e6b2ba4d1..3a377604ad343 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -604,8 +604,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb, + protocol = skb->protocol; + orig_vlan_tag_present = true; + } else { +- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data; ++ struct vlan_hdr *vlan; + ++ if (!pskb_may_pull(skb, VLAN_HLEN)) ++ goto drop; ++ ++ vlan = (struct vlan_hdr *)skb->data; + protocol = vlan->h_vlan_encapsulated_proto; + skb_pull(skb, VLAN_HLEN); + skb_reset_network_header(skb); +-- +2.53.0 + diff --git a/queue-6.19/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch b/queue-6.19/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch new file mode 100644 index 0000000000..09e8e823a4 --- /dev/null +++ b/queue-6.19/net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch @@ -0,0 +1,65 @@ +From 7288dd98472a1745b97789f43840f61887fe747a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 13:23:33 +0000 +Subject: net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules + +From: John Pavlick + +[ Upstream commit 95aca8602ef70ffd3d971675751c81826e124f90 ] + +Several GPON ONT SFP sticks based on Realtek RTL960x report +1000BASE-LX at 1300MBd in their EEPROM but can operate at 2500base-X. +On hosts capable of 2500base-X (e.g. Banana Pi R3 / MT7986), the +kernel negotiates only 1G because it trusts the incorrect EEPROM data. + +Add quirks for: +- Hisense-Leox LXT-010S-H +- Hisense ZNID-GPON-2311NA +- HSGQ HSGQ-XPON-Stick + +Each quirk advertises 2500base-X and ignores TX_FAULT during the +module's ~40s Linux boot time. + +Tested on Banana Pi R3 (MT7986) with OpenWrt 25.12.1, confirmed +2.5Gbps link and full throughput with flow offloading. + +Reviewed-by: Russell King (Oracle) +Suggested-by: Marcin Nita +Signed-off-by: John Pavlick +Link: https://patch.msgid.link/20260406132321.72563-1-jspavlick@posteo.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 7a85b758fb1e6..c62e3f364ea73 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -543,6 +543,22 @@ static const struct sfp_quirk sfp_quirks[] = { + SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex, + sfp_fixup_ignore_tx_fault_and_los), + ++ // Hisense LXT-010S-H is a GPON ONT SFP (sold as LEOX LXT-010S-H) that ++ // can operate at 2500base-X, but reports 1000BASE-LX / 1300MBd in its ++ // EEPROM ++ SFP_QUIRK("Hisense-Leox", "LXT-010S-H", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ ++ // Hisense ZNID-GPON-2311NA can operate at 2500base-X, but reports ++ // 1000BASE-LX / 1300MBd in its EEPROM ++ SFP_QUIRK("Hisense", "ZNID-GPON-2311NA", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ ++ // HSGQ HSGQ-XPON-Stick can operate at 2500base-X, but reports ++ // 1000BASE-LX / 1300MBd in its EEPROM ++ SFP_QUIRK("HSGQ", "HSGQ-XPON-Stick", sfp_quirk_2500basex, ++ sfp_fixup_ignore_tx_fault), ++ + // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but + // incorrectly report 2500MBd NRZ in their EEPROM. + // Some 8330-265D modules have inverted LOS, while all of them report +-- +2.53.0 + diff --git a/queue-6.19/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch b/queue-6.19/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch new file mode 100644 index 0000000000..cb70144a1b --- /dev/null +++ b/queue-6.19/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch @@ -0,0 +1,83 @@ +From f654d55052d7e9fd1bbdf876d14cf97d8388c188 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:39 +0100 +Subject: net: stmmac: Fix PTP ref clock for Tegra234 + +From: Jon Hunter + +[ Upstream commit 1345e9f4e3f3bc7d8a0a2138ae29e205a857a555 ] + +Since commit 030ce919e114 ("net: stmmac: make sure that ptp_rate is not +0 before configuring timestamping") was added the following error is +observed on Tegra234: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +It turns out that the Tegra234 device-tree binding defines the PTP ref +clock name as 'ptp-ref' and not 'ptp_ref' and the above commit now +exposes this and that the PTP clock is not configured correctly. + +In order to update device-tree to use the correct 'ptp_ref' name, update +the Tegra MGBE driver to use 'ptp_ref' by default and fallback to using +'ptp-ref' if this clock name is present. + +Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support") +Signed-off-by: Jon Hunter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260401102941.17466-2-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac-tegra.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +index d765acbe37548..21a0a11fc0118 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +@@ -9,7 +9,7 @@ + #include "stmmac_platform.h" + + static const char *const mgbe_clks[] = { +- "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp-ref", "mac" ++ "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp_ref", "mac" + }; + + struct tegra_mgbe { +@@ -215,6 +215,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + { + struct plat_stmmacenet_data *plat; + struct stmmac_resources res; ++ bool use_legacy_ptp = false; + struct tegra_mgbe *mgbe; + int irq, err, i; + u32 value; +@@ -257,9 +258,23 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + if (!mgbe->clks) + return -ENOMEM; + +- for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) ++ /* Older device-trees use 'ptp-ref' rather than 'ptp_ref'. ++ * Fall back when the legacy name is present. ++ */ ++ if (of_property_match_string(pdev->dev.of_node, "clock-names", ++ "ptp-ref") >= 0) ++ use_legacy_ptp = true; ++ ++ for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) { + mgbe->clks[i].id = mgbe_clks[i]; + ++ if (use_legacy_ptp && !strcmp(mgbe_clks[i], "ptp_ref")) { ++ dev_warn(mgbe->dev, ++ "Device-tree update needed for PTP clock!\n"); ++ mgbe->clks[i].id = "ptp-ref"; ++ } ++ } ++ + err = devm_clk_bulk_get(mgbe->dev, ARRAY_SIZE(mgbe_clks), mgbe->clks); + if (err < 0) + return err; +-- +2.53.0 + diff --git a/queue-6.19/net-txgbe-leave-space-for-null-terminators-on-proper.patch b/queue-6.19/net-txgbe-leave-space-for-null-terminators-on-proper.patch new file mode 100644 index 0000000000..3e59d88fe5 --- /dev/null +++ b/queue-6.19/net-txgbe-leave-space-for-null-terminators-on-proper.patch @@ -0,0 +1,48 @@ +From 07e75b1fd869b5fa38bc83510133dd15c263e230 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 23:20:13 +0100 +Subject: net: txgbe: leave space for null terminators on property_entry + +From: Fabio Baltieri + +[ Upstream commit 5a37d228799b0ec2c277459c83c814a59d310bc3 ] + +Lists of struct property_entry are supposed to be terminated with an +empty property, this driver currently seems to be allocating exactly the +amount of entry used. + +Change the struct definition to leave an extra element for all +property_entry. + +Fixes: c3e382ad6d15 ("net: txgbe: Add software nodes to support phylink") +Signed-off-by: Fabio Baltieri +Tested-by: Jiawen Wu +Link: https://patch.msgid.link/20260405222013.5347-1-fabio.baltieri@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +index 82433e9cb0e33..6b05f32b4a010 100644 +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +@@ -424,10 +424,10 @@ struct txgbe_nodes { + char i2c_name[32]; + char sfp_name[32]; + char phylink_name[32]; +- struct property_entry gpio_props[1]; +- struct property_entry i2c_props[3]; +- struct property_entry sfp_props[8]; +- struct property_entry phylink_props[2]; ++ struct property_entry gpio_props[2]; ++ struct property_entry i2c_props[4]; ++ struct property_entry sfp_props[9]; ++ struct property_entry phylink_props[3]; + struct software_node_ref_args i2c_ref[1]; + struct software_node_ref_args gpio0_ref[1]; + struct software_node_ref_args gpio1_ref[1]; +-- +2.53.0 + diff --git a/queue-6.19/netfilter-ctnetlink-ensure-safe-access-to-master-con.patch b/queue-6.19/netfilter-ctnetlink-ensure-safe-access-to-master-con.patch new file mode 100644 index 0000000000..45c6e8ff8f --- /dev/null +++ b/queue-6.19/netfilter-ctnetlink-ensure-safe-access-to-master-con.patch @@ -0,0 +1,218 @@ +From 4d8b583750990b4e72ba0a3467313e004329e3e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:11:04 +0100 +Subject: netfilter: ctnetlink: ensure safe access to master conntrack + +From: Pablo Neira Ayuso + +[ Upstream commit bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 ] + +Holding reference on the expectation is not sufficient, the master +conntrack object can just go away, making exp->master invalid. + +To access exp->master safely: + +- Grab the nf_conntrack_expect_lock, this gets serialized with + clean_from_lists() which also holds this lock when the master + conntrack goes away. + +- Hold reference on master conntrack via nf_conntrack_find_get(). + Not so easy since the master tuple to look up for the master conntrack + is not available in the existing problematic paths. + +This patch goes for extending the nf_conntrack_expect_lock section +to address this issue for simplicity, in the cases that are described +below this is just slightly extending the lock section. + +The add expectation command already holds a reference to the master +conntrack from ctnetlink_create_expect(). + +However, the delete expectation command needs to grab the spinlock +before looking up for the expectation. Expand the existing spinlock +section to address this to cover the expectation lookup. Note that, +the nf_ct_expect_iterate_net() calls already grabs the spinlock while +iterating over the expectation table, which is correct. + +The get expectation command needs to grab the spinlock to ensure master +conntrack does not go away. This also expands the existing spinlock +section to cover the expectation lookup too. I needed to move the +netlink skb allocation out of the spinlock to keep it GFP_KERNEL. + +For the expectation events, the IPEXP_DESTROY event is already delivered +under the spinlock, just move the delivery of IPEXP_NEW under the +spinlock too because the master conntrack event cache is reached through +exp->master. + +While at it, add lockdep notations to help identify what codepaths need +to grab the spinlock. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_conntrack_core.h | 5 ++++ + net/netfilter/nf_conntrack_ecache.c | 2 ++ + net/netfilter/nf_conntrack_expect.c | 10 +++++++- + net/netfilter/nf_conntrack_netlink.c | 28 +++++++++++++++-------- + 4 files changed, 35 insertions(+), 10 deletions(-) + +diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h +index 3384859a89210..8883575adcc1e 100644 +--- a/include/net/netfilter/nf_conntrack_core.h ++++ b/include/net/netfilter/nf_conntrack_core.h +@@ -83,6 +83,11 @@ void nf_conntrack_lock(spinlock_t *lock); + + extern spinlock_t nf_conntrack_expect_lock; + ++static inline void lockdep_nfct_expect_lock_held(void) ++{ ++ lockdep_assert_held(&nf_conntrack_expect_lock); ++} ++ + /* ctnetlink code shared by both ctnetlink and nf_conntrack_bpf */ + + static inline void __nf_ct_set_timeout(struct nf_conn *ct, u64 timeout) +diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c +index 81baf20826046..9df159448b897 100644 +--- a/net/netfilter/nf_conntrack_ecache.c ++++ b/net/netfilter/nf_conntrack_ecache.c +@@ -247,6 +247,8 @@ void nf_ct_expect_event_report(enum ip_conntrack_expect_events event, + struct nf_ct_event_notifier *notify; + struct nf_conntrack_ecache *e; + ++ lockdep_nfct_expect_lock_held(); ++ + rcu_read_lock(); + notify = rcu_dereference(net->ct.nf_conntrack_event_cb); + if (!notify) +diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c +index 2234c444a320e..24d0576d84b7f 100644 +--- a/net/netfilter/nf_conntrack_expect.c ++++ b/net/netfilter/nf_conntrack_expect.c +@@ -51,6 +51,7 @@ void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp, + struct net *net = nf_ct_exp_net(exp); + struct nf_conntrack_net *cnet; + ++ lockdep_nfct_expect_lock_held(); + WARN_ON(!master_help); + WARN_ON(timer_pending(&exp->timeout)); + +@@ -118,6 +119,8 @@ nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple, + + bool nf_ct_remove_expect(struct nf_conntrack_expect *exp) + { ++ lockdep_nfct_expect_lock_held(); ++ + if (timer_delete(&exp->timeout)) { + nf_ct_unlink_expect(exp); + nf_ct_expect_put(exp); +@@ -177,6 +180,8 @@ nf_ct_find_expectation(struct net *net, + struct nf_conntrack_expect *i, *exp = NULL; + unsigned int h; + ++ lockdep_nfct_expect_lock_held(); ++ + if (!cnet->expect_count) + return NULL; + +@@ -459,6 +464,8 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect, + unsigned int h; + int ret = 0; + ++ lockdep_nfct_expect_lock_held(); ++ + if (!master_help) { + ret = -ESHUTDOWN; + goto out; +@@ -515,8 +522,9 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, + + nf_ct_expect_insert(expect); + +- spin_unlock_bh(&nf_conntrack_expect_lock); + nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ + return 0; + out: + spin_unlock_bh(&nf_conntrack_expect_lock); +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 2bb9eb2d25fb0..fbe9e3f1036f8 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3337,31 +3337,37 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + if (err < 0) + return err; + ++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ if (!skb2) ++ return -ENOMEM; ++ ++ spin_lock_bh(&nf_conntrack_expect_lock); + exp = nf_ct_expect_find_get(info->net, &zone, &tuple); +- if (!exp) ++ if (!exp) { ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ kfree_skb(skb2); + return -ENOENT; ++ } + + if (cda[CTA_EXPECT_ID]) { + __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); + + if (id != nf_expect_get_id(exp)) { + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ kfree_skb(skb2); + return -ENOENT; + } + } + +- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); +- if (!skb2) { +- nf_ct_expect_put(exp); +- return -ENOMEM; +- } +- + rcu_read_lock(); + err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, + info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, + exp); + rcu_read_unlock(); + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); ++ + if (err <= 0) { + kfree_skb(skb2); + return -ENOMEM; +@@ -3408,22 +3414,26 @@ static int ctnetlink_del_expect(struct sk_buff *skb, + if (err < 0) + return err; + ++ spin_lock_bh(&nf_conntrack_expect_lock); ++ + /* bump usage count to 2 */ + exp = nf_ct_expect_find_get(info->net, &zone, &tuple); +- if (!exp) ++ if (!exp) { ++ spin_unlock_bh(&nf_conntrack_expect_lock); + return -ENOENT; ++ } + + if (cda[CTA_EXPECT_ID]) { + __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); + + if (id != nf_expect_get_id(exp)) { + nf_ct_expect_put(exp); ++ spin_unlock_bh(&nf_conntrack_expect_lock); + return -ENOENT; + } + } + + /* after list removal, usage count == 1 */ +- spin_lock_bh(&nf_conntrack_expect_lock); + if (timer_delete(&exp->timeout)) { + nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, + nlmsg_report(info->nlh)); +-- +2.53.0 + diff --git a/queue-6.19/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch b/queue-6.19/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch new file mode 100644 index 0000000000..d3833ca9c0 --- /dev/null +++ b/queue-6.19/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch @@ -0,0 +1,51 @@ +From ed006728aa46e6329e606fcfbb18c882ea59aa6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 17:39:47 +0800 +Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets + +From: Zhengchuan Liang + +[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ] + +`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address +and compares it with the low 64 bits of the IPv6 source address. + +The existing guard only rejects an invalid MAC header when +`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` +can still reach `eth_hdr(skb)` even when the MAC header is not valid. + +Fix this by removing the `par->fragoff != 0` condition so that packets +with an invalid MAC header are rejected before accessing `eth_hdr(skb)`. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6t_eui64.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c +index d704f7ed300c2..da69a27e8332c 100644 +--- a/net/ipv6/netfilter/ip6t_eui64.c ++++ b/net/ipv6/netfilter/ip6t_eui64.c +@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) + unsigned char eui64[8]; + + if (!(skb_mac_header(skb) >= skb->head && +- skb_mac_header(skb) + ETH_HLEN <= skb->data) && +- par->fragoff != 0) { ++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) { + par->hotdrop = true; + return false; + } +-- +2.53.0 + diff --git a/queue-6.19/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch b/queue-6.19/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch new file mode 100644 index 0000000000..f75da20a51 --- /dev/null +++ b/queue-6.19/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch @@ -0,0 +1,52 @@ +From bf93972a4caa53ade35b6e39e2dbe13558fb5c17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 14:20:57 -0700 +Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE + terminator + +From: Xiang Mei + +[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ] + +When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() +appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via +nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() +helper only zeroes alignment padding after the payload, not the payload +itself, so four bytes of stale kernel heap data are leaked to userspace +in the NLMSG_DONE message body. + +Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes +the nfgenmsg payload via nfnl_fill_hdr(), consistent with how +__build_packet_message() already constructs NFULNL_MSG_PACKET headers. + +Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index dcd2493a9a404..b1f3eda85989c 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -361,10 +361,10 @@ static void + __nfulnl_send(struct nfulnl_instance *inst) + { + if (inst->qlen > 1) { +- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, +- NLMSG_DONE, +- sizeof(struct nfgenmsg), +- 0); ++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0, ++ NLMSG_DONE, 0, ++ AF_UNSPEC, NFNETLINK_V0, ++ htons(inst->group_num)); + if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", + inst->skb->len, skb_tailroom(inst->skb))) { + kfree_skb(inst->skb); +-- +2.53.0 + diff --git a/queue-6.19/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch b/queue-6.19/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch new file mode 100644 index 0000000000..c9cd3f1115 --- /dev/null +++ b/queue-6.19/netfilter-nfnetlink_queue-make-hash-table-per-queue.patch @@ -0,0 +1,314 @@ +From 7f9b88f1b756f1386a9c0b50d7412f00c8ab9cb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 17:00:01 +0200 +Subject: netfilter: nfnetlink_queue: make hash table per queue + +From: Florian Westphal + +[ Upstream commit 936206e3f6ff411581e615e930263d6f8b78df9d ] + +Sharing a global hash table among all queues is tempting, but +it can cause crash: + +BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] +[..] + nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] + nfnetlink_rcv_msg+0x46a/0x930 + kmem_cache_alloc_node_noprof+0x11e/0x450 + +struct nf_queue_entry is freed via kfree, but parallel cpu can still +encounter such an nf_queue_entry when walking the list. + +Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, +but as we have to alloc/free for each skb this will cause more mem +pressure. + +Cc: Scott Mitchell +Fixes: e19079adcd26 ("netfilter: nfnetlink_queue: optimize verdict lookup with hash table") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_queue.h | 1 - + net/netfilter/nfnetlink_queue.c | 139 +++++++++++-------------------- + 2 files changed, 49 insertions(+), 91 deletions(-) + +diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h +index 45eb26b2e95b3..d17035d14d96c 100644 +--- a/include/net/netfilter/nf_queue.h ++++ b/include/net/netfilter/nf_queue.h +@@ -23,7 +23,6 @@ struct nf_queue_entry { + struct nf_hook_state state; + bool nf_ct_is_unconfirmed; + u16 size; /* sizeof(entry) + saved route keys */ +- u16 queue_num; + + /* extra space to store route keys */ + }; +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index a39d3b989063c..fe5942535245d 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -49,8 +49,8 @@ + #endif + + #define NFQNL_QMAX_DEFAULT 1024 +-#define NFQNL_HASH_MIN 1024 +-#define NFQNL_HASH_MAX 1048576 ++#define NFQNL_HASH_MIN 8 ++#define NFQNL_HASH_MAX 32768 + + /* We're using struct nlattr which has 16bit nla_len. Note that nla_len + * includes the header length. Thus, the maximum packet length that we +@@ -60,29 +60,10 @@ + */ + #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN) + +-/* Composite key for packet lookup: (net, queue_num, packet_id) */ +-struct nfqnl_packet_key { +- possible_net_t net; +- u32 packet_id; +- u16 queue_num; +-} __aligned(sizeof(u32)); /* jhash2 requires 32-bit alignment */ +- +-/* Global rhashtable - one for entire system, all netns */ +-static struct rhashtable nfqnl_packet_map __read_mostly; +- +-/* Helper to initialize composite key */ +-static inline void nfqnl_init_key(struct nfqnl_packet_key *key, +- struct net *net, u32 packet_id, u16 queue_num) +-{ +- memset(key, 0, sizeof(*key)); +- write_pnet(&key->net, net); +- key->packet_id = packet_id; +- key->queue_num = queue_num; +-} +- + struct nfqnl_instance { + struct hlist_node hlist; /* global list of queues */ +- struct rcu_head rcu; ++ struct rhashtable nfqnl_packet_map; ++ struct rcu_work rwork; + + u32 peer_portid; + unsigned int queue_maxlen; +@@ -106,6 +87,7 @@ struct nfqnl_instance { + + typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long); + ++static struct workqueue_struct *nfq_cleanup_wq __read_mostly; + static unsigned int nfnl_queue_net_id __read_mostly; + + #define INSTANCE_BUCKETS 16 +@@ -124,34 +106,10 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num) + return ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS; + } + +-/* Extract composite key from nf_queue_entry for hashing */ +-static u32 nfqnl_packet_obj_hashfn(const void *data, u32 len, u32 seed) +-{ +- const struct nf_queue_entry *entry = data; +- struct nfqnl_packet_key key; +- +- nfqnl_init_key(&key, entry->state.net, entry->id, entry->queue_num); +- +- return jhash2((u32 *)&key, sizeof(key) / sizeof(u32), seed); +-} +- +-/* Compare stack-allocated key against entry */ +-static int nfqnl_packet_obj_cmpfn(struct rhashtable_compare_arg *arg, +- const void *obj) +-{ +- const struct nfqnl_packet_key *key = arg->key; +- const struct nf_queue_entry *entry = obj; +- +- return !net_eq(entry->state.net, read_pnet(&key->net)) || +- entry->queue_num != key->queue_num || +- entry->id != key->packet_id; +-} +- + static const struct rhashtable_params nfqnl_rhashtable_params = { + .head_offset = offsetof(struct nf_queue_entry, hash_node), +- .key_len = sizeof(struct nfqnl_packet_key), +- .obj_hashfn = nfqnl_packet_obj_hashfn, +- .obj_cmpfn = nfqnl_packet_obj_cmpfn, ++ .key_offset = offsetof(struct nf_queue_entry, id), ++ .key_len = sizeof(u32), + .automatic_shrinking = true, + .min_size = NFQNL_HASH_MIN, + .max_size = NFQNL_HASH_MAX, +@@ -190,6 +148,10 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + spin_lock_init(&inst->lock); + INIT_LIST_HEAD(&inst->queue_list); + ++ err = rhashtable_init(&inst->nfqnl_packet_map, &nfqnl_rhashtable_params); ++ if (err < 0) ++ goto out_free; ++ + spin_lock(&q->instances_lock); + if (instance_lookup(q, queue_num)) { + err = -EEXIST; +@@ -210,6 +172,8 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + + out_unlock: + spin_unlock(&q->instances_lock); ++ rhashtable_destroy(&inst->nfqnl_packet_map); ++out_free: + kfree(inst); + return ERR_PTR(err); + } +@@ -217,15 +181,18 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, + unsigned long data); + +-static void +-instance_destroy_rcu(struct rcu_head *head) ++static void instance_destroy_work(struct work_struct *work) + { +- struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance, +- rcu); ++ struct nfqnl_instance *inst; + ++ inst = container_of(to_rcu_work(work), struct nfqnl_instance, ++ rwork); + rcu_read_lock(); + nfqnl_flush(inst, NULL, 0); + rcu_read_unlock(); ++ ++ rhashtable_destroy(&inst->nfqnl_packet_map); ++ + kfree(inst); + module_put(THIS_MODULE); + } +@@ -234,7 +201,9 @@ static void + __instance_destroy(struct nfqnl_instance *inst) + { + hlist_del_rcu(&inst->hlist); +- call_rcu(&inst->rcu, instance_destroy_rcu); ++ ++ INIT_RCU_WORK(&inst->rwork, instance_destroy_work); ++ queue_rcu_work(nfq_cleanup_wq, &inst->rwork); + } + + static void +@@ -250,9 +219,7 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + { + int err; + +- entry->queue_num = queue->queue_num; +- +- err = rhashtable_insert_fast(&nfqnl_packet_map, &entry->hash_node, ++ err = rhashtable_insert_fast(&queue->nfqnl_packet_map, &entry->hash_node, + nfqnl_rhashtable_params); + if (unlikely(err)) + return err; +@@ -266,23 +233,19 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + static void + __dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry) + { +- rhashtable_remove_fast(&nfqnl_packet_map, &entry->hash_node, ++ rhashtable_remove_fast(&queue->nfqnl_packet_map, &entry->hash_node, + nfqnl_rhashtable_params); + list_del(&entry->list); + queue->queue_total--; + } + + static struct nf_queue_entry * +-find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id, +- struct net *net) ++find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id) + { +- struct nfqnl_packet_key key; + struct nf_queue_entry *entry; + +- nfqnl_init_key(&key, net, id, queue->queue_num); +- + spin_lock_bh(&queue->lock); +- entry = rhashtable_lookup_fast(&nfqnl_packet_map, &key, ++ entry = rhashtable_lookup_fast(&queue->nfqnl_packet_map, &id, + nfqnl_rhashtable_params); + + if (entry) +@@ -1531,7 +1494,7 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + verdict = ntohl(vhdr->verdict); + +- entry = find_dequeue_entry(queue, ntohl(vhdr->id), info->net); ++ entry = find_dequeue_entry(queue, ntohl(vhdr->id)); + if (entry == NULL) + return -ENOENT; + +@@ -1880,40 +1843,38 @@ static int __init nfnetlink_queue_init(void) + { + int status; + +- status = rhashtable_init(&nfqnl_packet_map, &nfqnl_rhashtable_params); +- if (status < 0) +- return status; ++ nfq_cleanup_wq = alloc_ordered_workqueue("nfq_workqueue", 0); ++ if (!nfq_cleanup_wq) ++ return -ENOMEM; + + status = register_pernet_subsys(&nfnl_queue_net_ops); +- if (status < 0) { +- pr_err("failed to register pernet ops\n"); +- goto cleanup_rhashtable; +- } ++ if (status < 0) ++ goto cleanup_pernet_subsys; + +- netlink_register_notifier(&nfqnl_rtnl_notifier); +- status = nfnetlink_subsys_register(&nfqnl_subsys); +- if (status < 0) { +- pr_err("failed to create netlink socket\n"); +- goto cleanup_netlink_notifier; +- } ++ status = netlink_register_notifier(&nfqnl_rtnl_notifier); ++ if (status < 0) ++ goto cleanup_rtnl_notifier; + + status = register_netdevice_notifier(&nfqnl_dev_notifier); +- if (status < 0) { +- pr_err("failed to register netdevice notifier\n"); +- goto cleanup_netlink_subsys; +- } ++ if (status < 0) ++ goto cleanup_dev_notifier; ++ ++ status = nfnetlink_subsys_register(&nfqnl_subsys); ++ if (status < 0) ++ goto cleanup_nfqnl_subsys; + + nf_register_queue_handler(&nfqh); + + return status; + +-cleanup_netlink_subsys: +- nfnetlink_subsys_unregister(&nfqnl_subsys); +-cleanup_netlink_notifier: ++cleanup_nfqnl_subsys: ++ unregister_netdevice_notifier(&nfqnl_dev_notifier); ++cleanup_dev_notifier: + netlink_unregister_notifier(&nfqnl_rtnl_notifier); ++cleanup_rtnl_notifier: + unregister_pernet_subsys(&nfnl_queue_net_ops); +-cleanup_rhashtable: +- rhashtable_destroy(&nfqnl_packet_map); ++cleanup_pernet_subsys: ++ destroy_workqueue(nfq_cleanup_wq); + return status; + } + +@@ -1924,9 +1885,7 @@ static void __exit nfnetlink_queue_fini(void) + nfnetlink_subsys_unregister(&nfqnl_subsys); + netlink_unregister_notifier(&nfqnl_rtnl_notifier); + unregister_pernet_subsys(&nfnl_queue_net_ops); +- +- rhashtable_destroy(&nfqnl_packet_map); +- ++ destroy_workqueue(nfq_cleanup_wq); + rcu_barrier(); /* Wait for completion of call_rcu()'s */ + } + +-- +2.53.0 + diff --git a/queue-6.19/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch b/queue-6.19/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch new file mode 100644 index 0000000000..30cdf2f2f1 --- /dev/null +++ b/queue-6.19/netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch @@ -0,0 +1,176 @@ +From e0f0b59cf3706c5e775b613fbd2ef329dde228cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Jan 2026 09:32:30 -0800 +Subject: netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> + GFP_KERNEL_ACCOUNT allocation + +From: Scott Mitchell + +[ Upstream commit a4400a5b343d1bc4aa8f685608515413238e7ee2 ] + +Currently, instance_create() uses GFP_ATOMIC because it's called while +holding instances_lock spinlock. This makes allocation more likely to +fail under memory pressure. + +Refactor nfqnl_recv_config() to drop RCU lock after instance_lookup() +and peer_portid verification. A socket cannot simultaneously send a +message and close, so the queue owned by the sending socket cannot be +destroyed while processing its CONFIG message. This allows +instance_create() to allocate with GFP_KERNEL_ACCOUNT before taking +the spinlock. + +Suggested-by: Florian Westphal +Signed-off-by: Scott Mitchell +Signed-off-by: Florian Westphal +Stable-dep-of: 936206e3f6ff ("netfilter: nfnetlink_queue: make hash table per queue") +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 75 +++++++++++++++------------------ + 1 file changed, 34 insertions(+), 41 deletions(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 0b96d20bacb73..a39d3b989063c 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -178,17 +178,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + unsigned int h; + int err; + +- spin_lock(&q->instances_lock); +- if (instance_lookup(q, queue_num)) { +- err = -EEXIST; +- goto out_unlock; +- } +- +- inst = kzalloc(sizeof(*inst), GFP_ATOMIC); +- if (!inst) { +- err = -ENOMEM; +- goto out_unlock; +- } ++ inst = kzalloc(sizeof(*inst), GFP_KERNEL_ACCOUNT); ++ if (!inst) ++ return ERR_PTR(-ENOMEM); + + inst->queue_num = queue_num; + inst->peer_portid = portid; +@@ -198,9 +190,15 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + spin_lock_init(&inst->lock); + INIT_LIST_HEAD(&inst->queue_list); + ++ spin_lock(&q->instances_lock); ++ if (instance_lookup(q, queue_num)) { ++ err = -EEXIST; ++ goto out_unlock; ++ } ++ + if (!try_module_get(THIS_MODULE)) { + err = -EAGAIN; +- goto out_free; ++ goto out_unlock; + } + + h = instance_hashfn(queue_num); +@@ -210,10 +208,9 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid) + + return inst; + +-out_free: +- kfree(inst); + out_unlock: + spin_unlock(&q->instances_lock); ++ kfree(inst); + return ERR_PTR(err); + } + +@@ -1604,7 +1601,8 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + struct nfqnl_msg_config_cmd *cmd = NULL; + struct nfqnl_instance *queue; + __u32 flags = 0, mask = 0; +- int ret = 0; ++ ++ WARN_ON_ONCE(!lockdep_nfnl_is_held(NFNL_SUBSYS_QUEUE)); + + if (nfqa[NFQA_CFG_CMD]) { + cmd = nla_data(nfqa[NFQA_CFG_CMD]); +@@ -1650,47 +1648,44 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + } + } + ++ /* Lookup queue under RCU. After peer_portid check (or for new queue ++ * in BIND case), the queue is owned by the socket sending this message. ++ * A socket cannot simultaneously send a message and close, so while ++ * processing this CONFIG message, nfqnl_rcv_nl_event() (triggered by ++ * socket close) cannot destroy this queue. Safe to use without RCU. ++ */ + rcu_read_lock(); + queue = instance_lookup(q, queue_num); + if (queue && queue->peer_portid != NETLINK_CB(skb).portid) { +- ret = -EPERM; +- goto err_out_unlock; ++ rcu_read_unlock(); ++ return -EPERM; + } ++ rcu_read_unlock(); + + if (cmd != NULL) { + switch (cmd->command) { + case NFQNL_CFG_CMD_BIND: +- if (queue) { +- ret = -EBUSY; +- goto err_out_unlock; +- } +- queue = instance_create(q, queue_num, +- NETLINK_CB(skb).portid); +- if (IS_ERR(queue)) { +- ret = PTR_ERR(queue); +- goto err_out_unlock; +- } ++ if (queue) ++ return -EBUSY; ++ queue = instance_create(q, queue_num, NETLINK_CB(skb).portid); ++ if (IS_ERR(queue)) ++ return PTR_ERR(queue); + break; + case NFQNL_CFG_CMD_UNBIND: +- if (!queue) { +- ret = -ENODEV; +- goto err_out_unlock; +- } ++ if (!queue) ++ return -ENODEV; + instance_destroy(q, queue); +- goto err_out_unlock; ++ return 0; + case NFQNL_CFG_CMD_PF_BIND: + case NFQNL_CFG_CMD_PF_UNBIND: + break; + default: +- ret = -ENOTSUPP; +- goto err_out_unlock; ++ return -EOPNOTSUPP; + } + } + +- if (!queue) { +- ret = -ENODEV; +- goto err_out_unlock; +- } ++ if (!queue) ++ return -ENODEV; + + if (nfqa[NFQA_CFG_PARAMS]) { + struct nfqnl_msg_config_params *params = +@@ -1715,9 +1710,7 @@ static int nfqnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info, + spin_unlock_bh(&queue->lock); + } + +-err_out_unlock: +- rcu_read_unlock(); +- return ret; ++ return 0; + } + + static const struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = { +-- +2.53.0 + diff --git a/queue-6.19/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch b/queue-6.19/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch new file mode 100644 index 0000000000..e423087b16 --- /dev/null +++ b/queue-6.19/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch @@ -0,0 +1,161 @@ +From 468b9012e2cef4e9b72362571136004ebbb3c71d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:10:55 +0100 +Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on + expiry + +From: Florian Westphal + +[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ] + +New test case fails unexpectedly when avx2 matching functions are used. + +The test first loads a ranomly generated pipapo set +with 'ipv4 . port' key, i.e. nft -f foo. + +This works. Then, it reloads the set after a flush: +(echo flush set t s; cat foo) | nft -f - + +This is expected to work, because its the same set after all and it was +already loaded once. + +But with avx2, this fails: nft reports a clashing element. + +The reported clash is of following form: + + We successfully re-inserted + a . b + c . d + +Then we try to insert a . d + +avx2 finds the already existing a . d, which (due to 'flush set') is marked +as invalid in the new generation. It skips the element and moves to next. + +Due to incorrect masking, the skip-step finds the next matching +element *only considering the first field*, + +i.e. we return the already reinserted "a . b", even though the +last field is different and the entry should not have been matched. + +No such error is reported for the generic c implementation (no avx2) or when +the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. + +Bisection points to +7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") +but that fix merely uncovers this bug. + +Before this commit, the wrong element is returned, but erronously +reported as a full, identical duplicate. + +The root-cause is too early return in the avx2 match functions. +When we process the last field, we should continue to process data +until the entire input size has been consumed to make sure no stale +bits remain in the map. + +Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/ +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index 7ff90325c97fa..6395982e4d95c 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +-- +2.53.0 + diff --git a/queue-6.19/netfilter-xt_multiport-validate-range-encoding-in-ch.patch b/queue-6.19/netfilter-xt_multiport-validate-range-encoding-in-ch.patch new file mode 100644 index 0000000000..a0eefb9933 --- /dev/null +++ b/queue-6.19/netfilter-xt_multiport-validate-range-encoding-in-ch.patch @@ -0,0 +1,99 @@ +From 8e7f4f01b63b5aa8f5944db69bada7887d1a322e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 23:52:52 +0800 +Subject: netfilter: xt_multiport: validate range encoding in checkentry + +From: Ren Wei + +[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ] + +ports_match_v1() treats any non-zero pflags entry as the start of a +port range and unconditionally consumes the next ports[] element as +the range end. + +The checkentry path currently validates protocol, flags and count, but +it does not validate the range encoding itself. As a result, malformed +rules can mark the last slot as a range start or place two range starts +back to back, leaving ports_match_v1() to step past the last valid +ports[] element while interpreting the rule. + +Reject malformed multiport v1 rules in checkentry by validating that +each range start has a following element and that the following element +is not itself marked as another range start. + +Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuhang Zheng +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c +index 44a00f5acde8a..a1691ff405d3c 100644 +--- a/net/netfilter/xt_multiport.c ++++ b/net/netfilter/xt_multiport.c +@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) + return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); + } + ++static bool ++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < multiinfo->count; i++) { ++ if (!multiinfo->pflags[i]) ++ continue; ++ ++ if (++i >= multiinfo->count) ++ return false; ++ ++ if (multiinfo->pflags[i]) ++ return false; ++ ++ if (multiinfo->ports[i - 1] > multiinfo->ports[i]) ++ return false; ++ } ++ ++ return true; ++} ++ + static inline bool + check(u_int16_t proto, + u_int8_t ip_invflags, +@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par) + const struct ipt_ip *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static int multiport_mt6_check(const struct xt_mtchk_param *par) +@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par) + const struct ip6t_ip6 *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static struct xt_match multiport_mt_reg[] __read_mostly = { +-- +2.53.0 + diff --git a/queue-6.19/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch b/queue-6.19/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch new file mode 100644 index 0000000000..d80b1bf5ce --- /dev/null +++ b/queue-6.19/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch @@ -0,0 +1,61 @@ +From 8ad8a869572014a5cdd3e61ef6ed9f904e926979 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 12:21:48 +0800 +Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes + +From: Pengpeng Hou + +[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ] + +s3fwrn82_uart_read() reports the number of accepted bytes to the serdev +core. The current code consumes bytes into recv_skb and may already +deliver a complete frame before allocating a fresh receive buffer. + +If that alloc_skb() fails, the callback returns 0 even though it has +already consumed bytes, and it leaves recv_skb as NULL for the next +receive callback. That breaks the receive_buf() accounting contract and +can also lead to a NULL dereference on the next skb_put_u8(). + +Allocate the receive skb lazily before consuming the next byte instead. +If allocation fails, return the number of bytes already accepted. + +Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface") +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/uart.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c +index 9c09c10c2a464..4ee481bd7e965 100644 +--- a/drivers/nfc/s3fwrn5/uart.c ++++ b/drivers/nfc/s3fwrn5/uart.c +@@ -58,6 +58,12 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev, + size_t i; + + for (i = 0; i < count; i++) { ++ if (!phy->recv_skb) { ++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); ++ if (!phy->recv_skb) ++ return i; ++ } ++ + skb_put_u8(phy->recv_skb, *data++); + + if (phy->recv_skb->len < S3FWRN82_NCI_HEADER) +@@ -69,9 +75,7 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev, + + s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb, + phy->common.mode); +- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); +- if (!phy->recv_skb) +- return 0; ++ phy->recv_skb = NULL; + } + + return i; +-- +2.53.0 + diff --git a/queue-6.19/pci-hv-fix-double-ida_free-in-hv_pci_probe-error-pat.patch b/queue-6.19/pci-hv-fix-double-ida_free-in-hv_pci_probe-error-pat.patch new file mode 100644 index 0000000000..762eeaa3df --- /dev/null +++ b/queue-6.19/pci-hv-fix-double-ida_free-in-hv_pci_probe-error-pat.patch @@ -0,0 +1,67 @@ +From 770fb0d409602b48dd81bf87bca7283213d475bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 05:09:29 -0700 +Subject: PCI: hv: Fix double ida_free in hv_pci_probe error path + +From: Sahil Chandna + +[ Upstream commit b6422dff0e518245019233432b6bccfc30b73e2f ] + +If hv_pci_probe() fails after storing the domain number in +hbus->bridge->domain_nr, there is a call to free this domain_nr via +pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge +release callback pci_release_host_bridge_dev() also frees the domain_nr +causing ida_free to be called on same ID twice and triggering following +warning: + + ida_free called for id=28971 which is not allocated. + WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198 + Call Trace: + pci_bus_release_emul_domain_nr+0x17/0x20 + pci_release_host_bridge_dev+0x4b/0x60 + device_release+0x3b/0xa0 + kobject_put+0x8e/0x220 + devm_pci_alloc_host_bridge_release+0xe/0x20 + devres_release_all+0x9a/0xd0 + device_unbind_cleanup+0x12/0xa0 + really_probe+0x1c5/0x3f0 + vmbus_add_channel_work+0x135/0x1a0 + +Fix this by letting pci core handle the free domain_nr and remove +the explicit free called in pci-hyperv driver. + +Fixes: bcce8c74f1ce ("PCI: Enable host bridge emulation for PCI_DOMAINS_GENERIC platforms") +Signed-off-by: Sahil Chandna +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Saurabh Sengar +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index 85631c9794db6..7f1c1a2e5c69d 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -3789,7 +3789,7 @@ static int hv_pci_probe(struct hv_device *hdev, + hbus->bridge->domain_nr); + if (!hbus->wq) { + ret = -ENOMEM; +- goto free_dom; ++ goto free_bus; + } + + hdev->channel->next_request_id_callback = vmbus_next_request_id; +@@ -3885,8 +3885,6 @@ static int hv_pci_probe(struct hv_device *hdev, + vmbus_close(hdev->channel); + destroy_wq: + destroy_workqueue(hbus->wq); +-free_dom: +- pci_bus_release_emul_domain_nr(hbus->bridge->domain_nr); + free_bus: + kfree(hbus); + return ret; +-- +2.53.0 + diff --git a/queue-6.19/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch b/queue-6.19/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch new file mode 100644 index 0000000000..d0d2096222 --- /dev/null +++ b/queue-6.19/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch @@ -0,0 +1,57 @@ +From 59ae8cb64a74274dcc27a6f7224fbfdf4866b858 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 14:07:42 -0700 +Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info + +From: Long Li + +[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ] + +When hv_pci_assign_numa_node() processes a device that does not have +HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range +virtual_numa_node, the device NUMA node is left unset. On x86_64, +the uninitialized default happens to be 0, but on ARM64 it is +NUMA_NO_NODE (-1). + +Tests show that when no NUMA information is available from the Hyper-V +host, devices perform best when assigned to node 0. With NUMA_NO_NODE +the kernel may spread work across NUMA nodes, which degrades +performance on Hyper-V, particularly for high-throughput devices like +MANA. + +Always set the device NUMA node to 0 before the conditional NUMA +affinity check, so that devices get a performant default when the host +provides no NUMA information, and behavior is consistent on both +x86_64 and ARM64. + +Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2") +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index 1e237d3538f9c..85631c9794db6 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -2486,6 +2486,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus) + if (!hv_dev) + continue; + ++ /* ++ * If the Hyper-V host doesn't provide a NUMA node for the ++ * device, default to node 0. With NUMA_NO_NODE the kernel ++ * may spread work across NUMA nodes, which degrades ++ * performance on Hyper-V. ++ */ ++ set_dev_node(&dev->dev, 0); ++ + if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY && + hv_dev->desc.virtual_numa_node < num_possible_nodes()) + /* +-- +2.53.0 + diff --git a/queue-6.19/perf-x86-intel-uncore-fix-die-id-init-and-look-up-bu.patch b/queue-6.19/perf-x86-intel-uncore-fix-die-id-init-and-look-up-bu.patch new file mode 100644 index 0000000000..89c13e9600 --- /dev/null +++ b/queue-6.19/perf-x86-intel-uncore-fix-die-id-init-and-look-up-bu.patch @@ -0,0 +1,103 @@ +From 92dff9344e865b2333a4402eb9bdd505646bcb0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:40:49 -0700 +Subject: perf/x86/intel/uncore: Fix die ID init and look up bugs + +From: Zide Chen + +[ Upstream commit a16d1ec4dd0cdcf689f324adde6067083bce9099 ] + +In snbep_pci2phy_map_init(), in the nr_node_ids > 8 path, +uncore_device_to_die() may return -1 when all CPUs associated +with the UBOX device are offline. + +Remove the WARN_ON_ONCE(die_id == -1) check for two reasons: + +- The current code breaks out of the loop. This is incorrect because + pci_get_device() does not guarantee iteration in domain or bus order, + so additional UBOX devices may be skipped during the scan. + +- Returning -EINVAL is incorrect, since marking offline buses with + die_id == -1 is expected and should not be treated as an error. + +Separately, when NUMA is disabled on a NUMA-capable platform, +pcibus_to_node() returns NUMA_NO_NODE, causing uncore_device_to_die() +to return -1 for all PCI devices. As a result, +spr_update_device_location(), used on Intel SPR and EMR, ignores the +corresponding PMON units and does not add them to the RB tree. + +Fix this by using uncore_pcibus_to_dieid(), which retrieves topology +from the UBOX GIDNIDMAP register and works regardless of whether NUMA +is enabled in Linux. This requires snbep_pci2phy_map_init() to be +added in spr_uncore_pci_init(). + +Keep uncore_device_to_die() only for the nr_node_ids > 8 case, where +NUMA is expected to be enabled. + +Fixes: 9a7832ce3d92 ("perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info") +Fixes: 65248a9a9ee1 ("perf/x86/uncore: Add a quirk for UPI on SPR") +Signed-off-by: Zide Chen +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dapeng Mi +Tested-by: Steve Wahl +Link: https://patch.msgid.link/20260313174050.171704-4-zide.chen@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore.c | 1 + + arch/x86/events/intel/uncore_snbep.c | 13 ++++++------- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c +index e228e564b15ea..8301a589d9a61 100644 +--- a/arch/x86/events/intel/uncore.c ++++ b/arch/x86/events/intel/uncore.c +@@ -67,6 +67,7 @@ int uncore_die_to_segment(int die) + return bus ? pci_domain_nr(bus) : -EINVAL; + } + ++/* Note: This API can only be used when NUMA information is available. */ + int uncore_device_to_die(struct pci_dev *dev) + { + int node = pcibus_to_node(dev->bus); +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index a338ee01bb242..0182785cad1fe 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -1475,13 +1475,7 @@ static int snbep_pci2phy_map_init(int devid, int nodeid_loc, int idmap_loc, bool + } + + map->pbus_to_dieid[bus] = die_id = uncore_device_to_die(ubox_dev); +- + raw_spin_unlock(&pci2phy_map_lock); +- +- if (WARN_ON_ONCE(die_id == -1)) { +- err = -EINVAL; +- break; +- } + } + } + +@@ -6533,7 +6527,7 @@ static void spr_update_device_location(int type_id) + + while ((dev = pci_get_device(PCI_VENDOR_ID_INTEL, device, dev)) != NULL) { + +- die = uncore_device_to_die(dev); ++ die = uncore_pcibus_to_dieid(dev->bus); + if (die < 0) + continue; + +@@ -6557,6 +6551,11 @@ static void spr_update_device_location(int type_id) + + int spr_uncore_pci_init(void) + { ++ int ret = snbep_pci2phy_map_init(0x3250, SKX_CPUNODEID, SKX_GIDNIDMAP, true); ++ ++ if (ret) ++ return ret; ++ + /* + * The discovery table of UPI on some SPR variant is broken, + * which impacts the detection of both UPI and M3UPI uncore PMON. +-- +2.53.0 + diff --git a/queue-6.19/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch b/queue-6.19/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch new file mode 100644 index 0000000000..2c8d5227ab --- /dev/null +++ b/queue-6.19/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch @@ -0,0 +1,47 @@ +From 7c04f7f99e97eb06d92b78dc31a3a9868c90661d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:40:48 -0700 +Subject: perf/x86/intel/uncore: Skip discovery table for offline dies + +From: Zide Chen + +[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ] + +This warning can be triggered if NUMA is disabled and the system +boots with fewer CPUs than the number of CPUs in die 0. + +WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore] + +Currently, the discovery table continues to be parsed even if all CPUs +in the associated die are offline. This can lead to an array overflow +at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may +trigger the warning above or cause other issues. + +Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables") +Reported-by: Steve Wahl +Signed-off-by: Zide Chen +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dapeng Mi +Tested-by: Steve Wahl +Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_discovery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c +index 7d57ce706feb1..c5adbe4409047 100644 +--- a/arch/x86/events/intel/uncore_discovery.c ++++ b/arch/x86/events/intel/uncore_discovery.c +@@ -383,7 +383,7 @@ static bool intel_uncore_has_discovery_tables_pci(int *ignore) + (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP; + + die = get_device_die_id(dev); +- if (die < 0) ++ if ((die < 0) || (die >= uncore_max_dies())) + continue; + + parse_discovery_table(dev, die, bar_offset, &parsed, ignore); +-- +2.53.0 + diff --git a/queue-6.19/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch b/queue-6.19/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch new file mode 100644 index 0000000000..039b9aaef5 --- /dev/null +++ b/queue-6.19/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch @@ -0,0 +1,35 @@ +From c696b1616e4b45cb54c80b8cb5cc9858a01a29d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 18:14:04 +0100 +Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW + debouncer) + +From: Andy Shevchenko + +[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ] + +The 1kOhm pull down and hardware debouncer are features of the revision 0.92 +of the Chassis specification. Fix that in the code accordingly. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index cf9db8ac0f42e..106835b5ee5a5 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1610,7 +1610,7 @@ int intel_pinctrl_probe(struct platform_device *pdev, + value = readl(regs + REVID); + if (value == ~0u) + return -ENODEV; +- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) { ++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) { + community->features |= PINCTRL_FEATURE_DEBOUNCE; + community->features |= PINCTRL_FEATURE_1K_PD; + } +-- +2.53.0 + diff --git a/queue-6.19/pinctrl-mcp23s08-disable-all-pin-interrupts-during-p.patch b/queue-6.19/pinctrl-mcp23s08-disable-all-pin-interrupts-during-p.patch new file mode 100644 index 0000000000..cbcc8e590a --- /dev/null +++ b/queue-6.19/pinctrl-mcp23s08-disable-all-pin-interrupts-during-p.patch @@ -0,0 +1,96 @@ +From 14b5b2790c6b4828d93fc6a6af8d0b82d75842e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 18:19:14 +0200 +Subject: pinctrl: mcp23s08: Disable all pin interrupts during probe + +From: Francesco Lavra + +[ Upstream commit db5b8cecbdf479ad13156af750377e5b43853fab ] + +A chip being probed may have the interrupt-on-change feature enabled on +some of its pins, for example after a reboot. This can cause the chip to +generate interrupts for pins that don't have a registered nested handler, +which leads to a kernel crash such as below: + +[ 7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac +[ 7.932314] Mem abort info: +[ 7.935081] ESR = 0x0000000096000004 +[ 7.938808] EC = 0x25: DABT (current EL), IL = 32 bits +[ 7.944094] SET = 0, FnV = 0 +[ 7.947127] EA = 0, S1PTW = 0 +[ 7.950247] FSC = 0x04: level 0 translation fault +[ 7.955101] Data abort info: +[ 7.957961] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 +[ 7.963421] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 7.968447] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000 +[ 7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000 +[ 7.986913] Internal error: Oops: 0000000096000004 [#1] SMP +[ 7.992545] Modules linked in: +[ 8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199 +[ 8.073689] Hardware name: Khadas VIM3 (DT) +[ 8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 8.094639] pc : _raw_spin_lock_irq+0x40/0x80 +[ 8.098970] lr : handle_nested_irq+0x2c/0x168 +[ 8.098979] sp : ffff800082b2bd20 +[ 8.106599] x29: ffff800082b2bd20 x28: ffff800080107920 x27: ffff800080104d88 +[ 8.106611] x26: ffff000003298080 x25: 0000000000000001 x24: 000000000000ff00 +[ 8.113707] x23: 0000000000000001 x22: 0000000000000000 x21: 000000000000000e +[ 8.120850] x20: 0000000000000000 x19: 00000000000000ac x18: 0000000000000000 +[ 8.135046] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +[ 8.135062] x14: ffff800081567ea8 x13: ffffffffffffffff x12: 0000000000000000 +[ 8.135070] x11: 00000000000000c0 x10: 0000000000000b60 x9 : ffff800080109e0c +[ 8.135078] x8 : 1fffe0000069dbc1 x7 : 0000000000000001 x6 : ffff0000034ede00 +[ 8.135086] x5 : 0000000000000000 x4 : ffff0000034ede08 x3 : 0000000000000001 +[ 8.163460] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000ac +[ 8.170560] Call trace: +[ 8.180094] _raw_spin_lock_irq+0x40/0x80 (P) +[ 8.184443] mcp23s08_irq+0x248/0x358 +[ 8.184462] irq_thread_fn+0x34/0xb8 +[ 8.184470] irq_thread+0x1a4/0x310 +[ 8.195093] kthread+0x13c/0x150 +[ 8.198309] ret_from_fork+0x10/0x20 +[ 8.201850] Code: d65f03c0 d2800002 52800023 f9800011 (885ffc01) +[ 8.207931] ---[ end trace 0000000000000000 ]--- + +This issue has always been present, but has been latent until commit +"f9f4fda15e72" ("pinctrl: mcp23s08: init reg_defaults from HW at probe and +switch cache type"), which correctly removed reg_defaults from the regmap +and as a side effect changed the behavior of the interrupt handler so that +the real value of the MCP_GPINTEN register is now being read from the chip +instead of using a bogus 0 default value; a non-zero value for this +register can trigger the invocation of a nested handler which may not exist +(yet). +Fix this issue by disabling all pin interrupts during initialization. + +Fixes: f9f4fda15e72 ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type") +Signed-off-by: Francesco Lavra +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index 586f2f67c6177..b89b3169e8be5 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -664,6 +664,15 @@ int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev, + if (mcp->irq && mcp->irq_controller) { + struct gpio_irq_chip *girq = &mcp->chip.irq; + ++ /* ++ * Disable all pin interrupts, to prevent the interrupt handler from ++ * calling nested handlers for any currently-enabled interrupts that ++ * do not (yet) have an actual handler. ++ */ ++ ret = mcp_write(mcp, MCP_GPINTEN, 0); ++ if (ret < 0) ++ return dev_err_probe(dev, ret, "can't disable interrupts\n"); ++ + gpio_irq_chip_set_chip(girq, &mcp23s08_irq_chip); + /* This will let us handle the parent IRQ in the driver */ + girq->parent_handler = NULL; +-- +2.53.0 + diff --git a/queue-6.19/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch b/queue-6.19/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch new file mode 100644 index 0000000000..e3c9fdc8ed --- /dev/null +++ b/queue-6.19/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch @@ -0,0 +1,52 @@ +From 6e6ded743279a77961fcd1e078801ee520d73f19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2026 16:16:41 -0500 +Subject: platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 1a9452c428a6b76f0b797bae21daa454fccef1a2 ] + +This platform is a similar vintage of platforms that had a BIOS bug +leading to a 10s delay at resume from s0i3. + +Add a quirk for it. + +Reported-by: Imrane +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221273 +Tested-by: Imrane +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260324211647.357924-1-mario.limonciello@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c +index ed285afaf9b0d..24506e3429430 100644 +--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c ++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c +@@ -203,6 +203,15 @@ static const struct dmi_system_id fwbug_list[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"), + } + }, ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=221273 */ ++ { ++ .ident = "Thinkpad L14 Gen3", ++ .driver_data = &quirk_s2idle_bug, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21C6"), ++ } ++ }, + /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */ + { + .ident = "Lenovo Yoga 6 13ALC6", +-- +2.53.0 + diff --git a/queue-6.19/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch b/queue-6.19/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch new file mode 100644 index 0000000000..3a744d449e --- /dev/null +++ b/queue-6.19/platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch @@ -0,0 +1,45 @@ +From af91f5fa506dc54b512ff0ba096d10ad919a1127 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 14:22:46 -0700 +Subject: platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP + GZ302EAC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Schwartz + +[ Upstream commit 0198d2743207d67f995cd6df89e267e1b9f5e1f1 ] + +The ASUS ROG Flow Z13-KJP GZ302EAC model uses sys_vendor name ASUS +rather than ASUSTeK COMPUTER INC., but it needs the same folio quirk as +the other ROG Flow Z13. To keep things simple, just match on sys_vendor +ASUS since it covers both. + +Signed-off-by: Matthew Schwartz +Reviewed-by: Mario Limonciello (AMD) +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20260312212246.1608080-1-matthew.schwartz@linux.dev +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-nb-wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index a38a65f5c550d..b4677c5bba5b4 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -548,7 +548,7 @@ static const struct dmi_system_id asus_quirks[] = { + .callback = dmi_matched, + .ident = "ASUS ROG Z13", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUS"), + DMI_MATCH(DMI_PRODUCT_NAME, "ROG Flow Z13"), + }, + .driver_data = &quirk_asus_z13, +-- +2.53.0 + diff --git a/queue-6.19/platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch b/queue-6.19/platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch new file mode 100644 index 0000000000..c526d9173a --- /dev/null +++ b/queue-6.19/platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch @@ -0,0 +1,52 @@ +From 8f13ac4d35d05423ac92b5043c3ae1d1e380d34a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 21:11:06 +0530 +Subject: platform/x86: hp-wmi: Add support for Omen 16-wf1xxx (8C76) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krishna Chomal + +[ Upstream commit 84d29bfd1929d08f092851162a3d055a2134d043 ] + +The HP Omen 16-wf1xxx (board ID: 8C76) has the same WMI interface as +other Victus S boards, but requires quirks for correctly switching +thermal profile (similar to board 8C78). + +Add the DMI board name to victus_s_thermal_profile_boards[] table and +map it to omen_v1_thermal_params. + +Testing on board 8C76 confirmed that platform profile is registered +successfully and fan RPMs are readable and controllable. + +Tested-by: WJ Enderlava +Reported-by: WJ Enderlava +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221149 +Signed-off-by: Krishna Chomal +Link: https://patch.msgid.link/20260227154106.226809-1-krishna.chomal108@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/platform/x86/hp/hp-wmi.c b/drivers/platform/x86/hp/hp-wmi.c +index e3a7ac2485d68..7d03903cf221a 100644 +--- a/drivers/platform/x86/hp/hp-wmi.c ++++ b/drivers/platform/x86/hp/hp-wmi.c +@@ -182,6 +182,10 @@ static const struct dmi_system_id victus_s_thermal_profile_boards[] __initconst + .matches = { DMI_MATCH(DMI_BOARD_NAME, "8BD5") }, + .driver_data = (void *)&victus_s_thermal_params, + }, ++ { ++ .matches = { DMI_MATCH(DMI_BOARD_NAME, "8C76") }, ++ .driver_data = (void *)&omen_v1_thermal_params, ++ }, + { + .matches = { DMI_MATCH(DMI_BOARD_NAME, "8C78") }, + .driver_data = (void *)&omen_v1_thermal_params, +-- +2.53.0 + diff --git a/queue-6.19/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch b/queue-6.19/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch new file mode 100644 index 0000000000..3af7488eb9 --- /dev/null +++ b/queue-6.19/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch @@ -0,0 +1,44 @@ +From 678f7e2adb2795c43d06bb2e98e6c2769c98377a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 15:27:43 +0000 +Subject: RDMA/irdma: Fix double free related to rereg_user_mr + +From: Jacob Moroni + +[ Upstream commit 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 ] + +If IB_MR_REREG_TRANS is set during rereg_user_mr, the +umem will be released and a new one will be allocated +in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans +fails after the new umem is allocated, it releases the umem, +but does not set iwmr->region to NULL. The problem is that +this failure is propagated to the user, who will then call +ibv_dereg_mr (as they should). Then, the dereg_mr path will +see a non-NULL umem and attempt to call ib_umem_release again. + +Fix this by setting iwmr->region to NULL after ib_umem_release. + +Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region") +Signed-off-by: Jacob Moroni +Link: https://patch.msgid.link/20260227152743.1183388-1-jmoroni@google.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index c454a006c78e0..496d3fedaa9e6 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -3721,6 +3721,7 @@ static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len, + + err: + ib_umem_release(region); ++ iwmr->region = NULL; + return err; + } + +-- +2.53.0 + diff --git a/queue-6.19/rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch b/queue-6.19/rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch new file mode 100644 index 0000000000..dce8229929 --- /dev/null +++ b/queue-6.19/rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch @@ -0,0 +1,99 @@ +From 214752a2826fdfd22ae24d58c35ebe17e82877b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 20:14:32 +0200 +Subject: rtnetlink: add missing netlink_ns_capable() check for peer netns + +From: Nikolaos Gkarlis + +[ Upstream commit 7b735ef81286007794a227ce2539419479c02a5f ] + +rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer +network namespace when creating paired devices (veth, vxcan, +netkit). This allows an unprivileged user with a user namespace +to create interfaces in arbitrary network namespaces, including +init_net. + +Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer +namespace before allowing device creation to proceed. + +Fixes: 81adee47dfb6 ("net: Support specifying the network namespace upon device creation.") +Signed-off-by: Nikolaos Gkarlis +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260402181432.4126920-1-nickgarlis@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 40 +++++++++++++++++++++++++++------------- + 1 file changed, 27 insertions(+), 13 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 11cdad3972ad8..c2ada5107dff0 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3894,28 +3894,42 @@ static int rtnl_newlink_create(struct sk_buff *skb, struct ifinfomsg *ifm, + goto out; + } + +-static struct net *rtnl_get_peer_net(const struct rtnl_link_ops *ops, ++static struct net *rtnl_get_peer_net(struct sk_buff *skb, ++ const struct rtnl_link_ops *ops, + struct nlattr *tbp[], + struct nlattr *data[], + struct netlink_ext_ack *extack) + { +- struct nlattr *tb[IFLA_MAX + 1]; ++ struct nlattr *tb[IFLA_MAX + 1], **attrs; ++ struct net *net; + int err; + +- if (!data || !data[ops->peer_type]) +- return rtnl_link_get_net_ifla(tbp); +- +- err = rtnl_nla_parse_ifinfomsg(tb, data[ops->peer_type], extack); +- if (err < 0) +- return ERR_PTR(err); +- +- if (ops->validate) { +- err = ops->validate(tb, NULL, extack); ++ if (!data || !data[ops->peer_type]) { ++ attrs = tbp; ++ } else { ++ err = rtnl_nla_parse_ifinfomsg(tb, data[ops->peer_type], extack); + if (err < 0) + return ERR_PTR(err); ++ ++ if (ops->validate) { ++ err = ops->validate(tb, NULL, extack); ++ if (err < 0) ++ return ERR_PTR(err); ++ } ++ ++ attrs = tb; + } + +- return rtnl_link_get_net_ifla(tb); ++ net = rtnl_link_get_net_ifla(attrs); ++ if (IS_ERR_OR_NULL(net)) ++ return net; ++ ++ if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) { ++ put_net(net); ++ return ERR_PTR(-EPERM); ++ } ++ ++ return net; + } + + static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, +@@ -4054,7 +4068,7 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, + } + + if (ops->peer_type) { +- peer_net = rtnl_get_peer_net(ops, tb, data, extack); ++ peer_net = rtnl_get_peer_net(skb, ops, tb, data, extack); + if (IS_ERR(peer_net)) { + ret = PTR_ERR(peer_net); + goto put_ops; +-- +2.53.0 + diff --git a/queue-6.19/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch b/queue-6.19/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch new file mode 100644 index 0000000000..744e5e12e9 --- /dev/null +++ b/queue-6.19/sched-deadline-use-revised-wakeup-rule-for-dl_server.patch @@ -0,0 +1,51 @@ +From bf6aba498cab8e2f01fa1b4799d78e7195ea2afc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 12:22:44 +0200 +Subject: sched/deadline: Use revised wakeup rule for dl_server + +From: Peter Zijlstra + +[ Upstream commit 14a857056466be9d3d907a94e92a704ac1be149b ] + +John noted that commit 115135422562 ("sched/deadline: Fix 'stuck' dl_server") +unfixed the issue from commit a3a70caf7906 ("sched/deadline: Fix dl_server +behaviour"). + +The issue in commit 115135422562 was for wakeups of the server after the +deadline; in which case you *have* to start a new period. The case for +a3a70caf7906 is wakeups before the deadline. + +Now, because the server is effectively running a least-laxity policy, it means +that any wakeup during the runnable phase means dl_entity_overflow() will be +true. This means we need to adjust the runtime to allow it to still run until +the existing deadline expires. + +Use the revised wakeup rule for dl_defer entities. + +Fixes: 115135422562 ("sched/deadline: Fix 'stuck' dl_server") +Reported-by: John Stultz +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Juri Lelli +Tested-by: John Stultz +Link: https://patch.msgid.link/20260404102244.GB22575@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index e3a6b8ed1d6db..3f80411972067 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1027,7 +1027,7 @@ static void update_dl_entity(struct sched_dl_entity *dl_se) + if (dl_time_before(dl_se->deadline, rq_clock(rq)) || + dl_entity_overflow(dl_se, rq_clock(rq))) { + +- if (unlikely(!dl_is_implicit(dl_se) && ++ if (unlikely((!dl_is_implicit(dl_se) || dl_se->dl_defer) && + !dl_time_before(dl_se->deadline, rq_clock(rq)) && + !is_dl_boosted(dl_se))) { + update_dl_revised_wakeup(dl_se, rq); +-- +2.53.0 + diff --git a/queue-6.19/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch b/queue-6.19/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch new file mode 100644 index 0000000000..890c14d2e7 --- /dev/null +++ b/queue-6.19/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch @@ -0,0 +1,45 @@ +From 3247b4adfaf2ff16be3c377de970d09424943752 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 22:29:19 +0100 +Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check + +From: Daniel Golle + +[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ] + +The querier-interval test adds h1 (currently a slave of the VRF created +by simple_if_init) to a temporary bridge br1 acting as an outside IGMP +querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev() +on every slave add and remove, toggling the interface admin-down then up. +Phylink takes the PHY down during the admin-down half of that cycle. +Since h1 and swp1 are cable-connected, swp1 also loses its link may need +several seconds to re-negotiate. + +Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the +test can rely on the link being back up at this point. + +Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests") +Signed-off-by: Daniel Golle +Reviewed-by: Alexander Sverdlin +Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +index 72dfbeaf56b92..e8031f68200ad 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +@@ -414,6 +414,7 @@ vlmc_querier_intvl_test() + bridge vlan add vid 10 dev br1 self pvid untagged + ip link set dev $h1 master br1 + ip link set dev br1 up ++ setup_wait_dev $h1 0 + bridge vlan add vid 10 dev $h1 master + bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1 + sleep 2 +-- +2.53.0 + diff --git a/queue-6.19/series b/queue-6.19/series new file mode 100644 index 0000000000..742a3486ed --- /dev/null +++ b/queue-6.19/series @@ -0,0 +1,139 @@ +dmaengine-idxd-fix-lockdep-warnings-when-calling-idx.patch +rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch +asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch +alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch +alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch +media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch +alsa-asihpi-avoid-write-overflow-check-warning.patch +bluetooth-hci_sync-annotate-data-races-around-hdev-r.patch +asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch +asoc-sof-topology-reject-invalid-vendor-array-size-i.patch +can-mcp251x-add-error-handling-for-power-enable-in-o.patch +asoc-amd-acp-add-asus-hn7306ea-quirk-for-legacy-sdw-.patch +alsa-usb-qcom-add-auxiliary_bus-to-kconfig-dependenc.patch +platform-x86-asus-nb-wmi-add-dmi-quirk-for-asus-rog-.patch +btrfs-fix-zero-size-inode-with-non-zero-size-after-l.patch +platform-x86-hp-wmi-add-support-for-omen-16-wf1xxx-8.patch +btrfs-tracepoints-get-correct-superblock-from-dentry.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +netfilter-ctnetlink-ensure-safe-access-to-master-con.patch +drm-amdgpu-handle-gpu-page-faults-correctly-on-non-4.patch +srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch +alsa-hda-realtek-add-hp-laptop-15-fd0xxx-mute-led-qu.patch +netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch +alsa-hda-realtek-fixed-speaker-mute-led-for-hp-elite.patch +alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch +wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch +asoc-soc-core-call-missing-init_list_head-for-card_a.patch +alsa-hda-realtek-add-quirk-for-samsung-book2-pro-360.patch +alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-slim-7-14.patch +drm-amdkfd-fix-queue-preemption-eviction-failures-by.patch +fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch +asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch +pinctrl-intel-fix-the-revision-for-new-features-1koh.patch +platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch +hid-intel-thc-hid-intel-quickspi-add-nvl-device-ids.patch +hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch-618 +hid-roccat-fix-use-after-free-in-roccat_report_event.patch +ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch +wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +net-sfp-add-quirks-for-hisense-and-hsgq-gpon-ont-sfp.patch +x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch +asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch +soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch +arm64-dts-qcom-hamoa-x1-fix-idle-exit-latency.patch +arm64-dts-qcom-qcm6490-idp-fix-wcd9370-reset-gpio-po.patch +arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch +arm64-dts-imx93-9x9-qsb-change-usdhc-tuning-step-for.patch +arm64-dts-imx91-tqma9131-improve-emmc-pad-configurat.patch +arm64-dts-imx93-tqma9352-improve-emmc-pad-configurat.patch +arm64-dts-qcom-monaco-fix-uart10-pinconf.patch +soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch +tools-power-turbostat-fix-swidle-header-vs-data-disp.patch +tools-power-turbostat-fix-microcode-patch-level-outp.patch +tools-power-turbostat-fix-incorrect-format-variable.patch +tools-power-turbostat-fix-show-hide-for-individual-c.patch +arm64-dts-qcom-monaco-reserve-full-gunyah-metadata-r.patch +tools-power-turbostat-fix-delimiter-bug-in-print-fun.patch +soc-microchip-mpfs-control-scb-fix-resource-leak-on-.patch +soc-microchip-mpfs-mss-top-sysreg-fix-resource-leak-.patch +arm-dts-microchip-sam9x7-fix-gpio-lines-count-for-pi.patch +pci-hv-set-default-numa-node-to-0-for-devices-withou.patch +hid-amd_sfh-don-t-log-error-when-device-discovery-fa.patch +xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch +dma-mapping-add-dma_attr_cpu_cache_clean.patch +dma-debug-track-cache-clean-flag-in-entries.patch +dma-debug-suppress-cacheline-overlap-warning-when-ar.patch +cachefiles-fix-incorrect-dentry-refcount-in-cachefil.patch +drm-vc4-release-runtime-pm-reference-after-binding-v.patch +drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch +drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch +drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch +eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch +net-sched-act_csum-validate-nested-vlan-headers.patch +net-fec-make-fixed_phy-dependency-unconditional.patch +net-lapbether-handle-netdev_pre_type_change.patch +net-airoha-fix-memory-leak-in-airoha_qdma_rx_process.patch +ipv6-ioam-fix-potential-null-dereferences-in-__ioam6.patch +bridge-guard-local-vlan-0-fdb-helpers-against-null-v.patch +rtnetlink-add-missing-netlink_ns_capable-check-for-p.patch +ipv4-nexthop-avoid-duplicate-nha_hw_stats_enable-on-.patch +ipv4-nexthop-allocate-skb-dynamically-in-rtm_get_nex.patch +ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch +net-increase-ip_tunnel_recursion_limit-to-5.patch +nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch +net-stmmac-fix-ptp-ref-clock-for-tegra234.patch +dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch +pci-hv-fix-double-ida_free-in-hv_pci_probe-error-pat.patch +mshv-fix-infinite-fault-loop-on-permission-denied-gp.patch +tracing-probe-reject-non-closed-empty-immediate-stri.patch +asoc-sdca-add-asoc-jack-hookup-in-class-driver.patch +asoc-sdca-fix-errors-in-irq-cleanup.patch +asoc-sof-intel-fix-endpoint-index-if-endpoints-are-m.patch +asoc-sof-intel-fix-iteration-in-is_endpoint_present.patch +ice-ptp-don-t-warn-when-controlling-pf-is-unavailabl.patch +ixgbe-stop-re-reading-flash-on-every-get_drvinfo-for.patch +ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch +e1000-check-return-value-of-e1000_read_eeprom.patch +xsk-tighten-umem-headroom-validation-to-account-for-.patch +xsk-respect-tailroom-for-zc-setups.patch +xsk-fix-xdp_umem_sg_flag-issues.patch +xsk-validate-mtu-against-usable-frame-size-on-bind.patch +vsock-test-fix-send_buf-recv_buf-eintr-handling.patch +xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch +xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch +xfrm_user-fix-info-leak-in-build_mapping.patch +net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch +pinctrl-mcp23s08-disable-all-pin-interrupts-during-p.patch +asoc-intel-avs-fix-memory-leak-in-avs_register_i2s_t.patch +drm-xe-fix-bug-in-idledly-unit-conversion.patch +selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch +ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch +netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch +netfilter-xt_multiport-validate-range-encoding-in-ch.patch +netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch +netfilter-nfnetlink_queue-nfqnl_instance-gfp_atomic-.patch +netfilter-nfnetlink_queue-make-hash-table-per-queue.patch +asoc-sdca-fix-overwritten-var-within-for-loop.patch +asoc-sdca-unregister-irq-handlers-on-module-remove.patch +asoc-amd-acp-update-dmi-quirk-and-add-acp-dmic-for-l.patch +net-mdio-realtek-rtl9300-use-scoped-device_for_each_.patch +net-ioam6-fix-oob-and-missing-lock.patch +net-txgbe-leave-space-for-null-terminators-on-proper.patch +af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch +devlink-fix-incorrect-skb-socket-family-dumping.patch +net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch +net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch +l2tp-drop-large-packets-with-udp-encap.patch +gpio-tegra-fix-irq_release_resources-calling-enable-.patch +crypto-af_alg-limit-rx-sg-extraction-by-receive-buff.patch +perf-x86-intel-uncore-skip-discovery-table-for-offli.patch +perf-x86-intel-uncore-fix-die-id-init-and-look-up-bu.patch +sched-deadline-use-revised-wakeup-rule-for-dl_server.patch +clockevents-prevent-timer-interrupt-starvation.patch +crypto-af_alg-fix-page-reassignment-overflow-in-af_a.patch +crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch diff --git a/queue-6.19/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch b/queue-6.19/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch new file mode 100644 index 0000000000..6ab2b5a447 --- /dev/null +++ b/queue-6.19/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch @@ -0,0 +1,46 @@ +From 44713a93d79751961f2ed1671c30a5c41494003c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:37:56 +0800 +Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching + +From: Potin Lai + +[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ] + +The siliconid_to_name() function currently masks the input silicon ID +with 0xff00ffff, but compares it against unmasked table entries. This +causes matching to fail if the table entries contain non-zero values in +the bits covered by the mask (bits 16-23). + +Update the logic to apply the 0xff00ffff mask to the table entries +during comparison. This ensures that only the relevant model and +revision bits are considered, providing a consistent match across +different manufacturing batches. + +[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference] + +Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver") +Signed-off-by: Potin Lai +Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-socinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c +index 67e9ac3d08ecc..a90b100f4d101 100644 +--- a/drivers/soc/aspeed/aspeed-socinfo.c ++++ b/drivers/soc/aspeed/aspeed-socinfo.c +@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid) + unsigned int i; + + for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) { +- if (rev_table[i].id == id) ++ if ((rev_table[i].id & 0xff00ffff) == id) + return rev_table[i].name; + } + +-- +2.53.0 + diff --git a/queue-6.19/soc-microchip-mpfs-control-scb-fix-resource-leak-on-.patch b/queue-6.19/soc-microchip-mpfs-control-scb-fix-resource-leak-on-.patch new file mode 100644 index 0000000000..a5b4fb4237 --- /dev/null +++ b/queue-6.19/soc-microchip-mpfs-control-scb-fix-resource-leak-on-.patch @@ -0,0 +1,40 @@ +From afcddd1974dc9c49317d0afab8e396bb58d2b9f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 20:16:14 +0800 +Subject: soc: microchip: mpfs-control-scb: Fix resource leak on driver unbind + +From: Felix Gu + +[ Upstream commit 27459f86a43792d5c29f267a41dbd387601e772b ] + +Use devm_mfd_add_devices() instead of mfd_add_devices() to ensure +child devices are properly removed when the driver unbinds. + +Fixes: 4aac11c9a6e7 ("soc: microchip: add mfd drivers for two syscon regions on PolarFire SoC") +Signed-off-by: Felix Gu +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/soc/microchip/mpfs-control-scb.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/microchip/mpfs-control-scb.c b/drivers/soc/microchip/mpfs-control-scb.c +index f0b84b1f49cbc..8dda5704a389f 100644 +--- a/drivers/soc/microchip/mpfs-control-scb.c ++++ b/drivers/soc/microchip/mpfs-control-scb.c +@@ -14,8 +14,10 @@ static int mpfs_control_scb_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + +- return mfd_add_devices(dev, PLATFORM_DEVID_NONE, mpfs_control_scb_devs, +- ARRAY_SIZE(mpfs_control_scb_devs), NULL, 0, NULL); ++ return devm_mfd_add_devices(dev, PLATFORM_DEVID_NONE, ++ mpfs_control_scb_devs, ++ ARRAY_SIZE(mpfs_control_scb_devs), NULL, 0, ++ NULL); + } + + static const struct of_device_id mpfs_control_scb_of_match[] = { +-- +2.53.0 + diff --git a/queue-6.19/soc-microchip-mpfs-mss-top-sysreg-fix-resource-leak-.patch b/queue-6.19/soc-microchip-mpfs-mss-top-sysreg-fix-resource-leak-.patch new file mode 100644 index 0000000000..d1c388a8a0 --- /dev/null +++ b/queue-6.19/soc-microchip-mpfs-mss-top-sysreg-fix-resource-leak-.patch @@ -0,0 +1,41 @@ +From e8f85fc751a4e37773c91d08e76cd15c54911aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 20:16:15 +0800 +Subject: soc: microchip: mpfs-mss-top-sysreg: Fix resource leak on driver + unbind + +From: Felix Gu + +[ Upstream commit 3bfc213d4675736567a4e263c51c25144d565949 ] + +Use devm_mfd_add_devices() instead of mfd_add_devices() to ensure +child devices are properly removed when the driver unbinds. + +Fixes: 4aac11c9a6e7 ("soc: microchip: add mfd drivers for two syscon regions on PolarFire SoC") +Signed-off-by: Felix Gu +Signed-off-by: Conor Dooley +Signed-off-by: Sasha Levin +--- + drivers/soc/microchip/mpfs-mss-top-sysreg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/microchip/mpfs-mss-top-sysreg.c b/drivers/soc/microchip/mpfs-mss-top-sysreg.c +index b2244e44ff0fa..b0f42b8dd3ed6 100644 +--- a/drivers/soc/microchip/mpfs-mss-top-sysreg.c ++++ b/drivers/soc/microchip/mpfs-mss-top-sysreg.c +@@ -16,8 +16,10 @@ static int mpfs_mss_top_sysreg_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + int ret; + +- ret = mfd_add_devices(dev, PLATFORM_DEVID_NONE, mpfs_mss_top_sysreg_devs, +- ARRAY_SIZE(mpfs_mss_top_sysreg_devs) , NULL, 0, NULL); ++ ret = devm_mfd_add_devices(dev, PLATFORM_DEVID_NONE, ++ mpfs_mss_top_sysreg_devs, ++ ARRAY_SIZE(mpfs_mss_top_sysreg_devs), NULL, ++ 0, NULL); + if (ret) + return ret; + +-- +2.53.0 + diff --git a/queue-6.19/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch b/queue-6.19/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch new file mode 100644 index 0000000000..f7531dc114 --- /dev/null +++ b/queue-6.19/soc-qcom-pd-mapper-fix-element-length-in-servreg_loc.patch @@ -0,0 +1,71 @@ +From 9a55c6886842347ce29dc5927928ce41e72b0c3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:53:20 +0530 +Subject: soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei + +From: Mukesh Ojha + +[ Upstream commit 641f6fda143b879da1515f821ee475073678cf2a ] + +It looks element length declared in servreg_loc_pfr_req_ei for reason +not matching servreg_loc_pfr_req's reason field due which we could +observe decoding error on PD crash. + + qmi_decode_string_elem: String len 81 >= Max Len 65 + +Fix this by matching with servreg_loc_pfr_req's reason field. + +Fixes: 1ebcde047c54 ("soc: qcom: add pd-mapper implementation") +Signed-off-by: Mukesh Ojha +Reviewed-by: Dmitry Baryshkov +Tested-by: Nikita Travkin +Link: https://lore.kernel.org/r/20260129152320.3658053-2-mukesh.ojha@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/pdr_internal.h | 2 +- + drivers/soc/qcom/qcom_pdr_msg.c | 2 +- + include/linux/soc/qcom/pdr.h | 1 + + 3 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/qcom/pdr_internal.h b/drivers/soc/qcom/pdr_internal.h +index 039508c1bbf7d..047c0160b6178 100644 +--- a/drivers/soc/qcom/pdr_internal.h ++++ b/drivers/soc/qcom/pdr_internal.h +@@ -84,7 +84,7 @@ struct servreg_set_ack_resp { + + struct servreg_loc_pfr_req { + char service[SERVREG_NAME_LENGTH + 1]; +- char reason[257]; ++ char reason[SERVREG_PFR_LENGTH + 1]; + }; + + struct servreg_loc_pfr_resp { +diff --git a/drivers/soc/qcom/qcom_pdr_msg.c b/drivers/soc/qcom/qcom_pdr_msg.c +index ca98932140d87..02022b11ecf05 100644 +--- a/drivers/soc/qcom/qcom_pdr_msg.c ++++ b/drivers/soc/qcom/qcom_pdr_msg.c +@@ -325,7 +325,7 @@ const struct qmi_elem_info servreg_loc_pfr_req_ei[] = { + }, + { + .data_type = QMI_STRING, +- .elem_len = SERVREG_NAME_LENGTH + 1, ++ .elem_len = SERVREG_PFR_LENGTH + 1, + .elem_size = sizeof(char), + .array_type = VAR_LEN_ARRAY, + .tlv_type = 0x02, +diff --git a/include/linux/soc/qcom/pdr.h b/include/linux/soc/qcom/pdr.h +index 83a8ea612e69a..2b7691e47c2a9 100644 +--- a/include/linux/soc/qcom/pdr.h ++++ b/include/linux/soc/qcom/pdr.h +@@ -5,6 +5,7 @@ + #include + + #define SERVREG_NAME_LENGTH 64 ++#define SERVREG_PFR_LENGTH 256 + + struct pdr_service; + struct pdr_handle; +-- +2.53.0 + diff --git a/queue-6.19/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch b/queue-6.19/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch new file mode 100644 index 0000000000..e3f57f26de --- /dev/null +++ b/queue-6.19/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch @@ -0,0 +1,134 @@ +From c713f03911e727720f671be2f88a4bc2624d8376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 20:14:18 -0400 +Subject: srcu: Use irq_work to start GP in tiny SRCU + +From: Joel Fernandes + +[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ] + +Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), +which acquires the workqueue pool->lock. + +This causes a lockdep splat when call_srcu() is called with a scheduler +lock held, due to: + + call_srcu() [holding pi_lock] + srcu_gp_start_if_needed() + schedule_work() -> pool->lock + + workqueue_init() / create_worker() [holding pool->lock] + wake_up_process() -> try_to_wake_up() -> pi_lock + +Also add irq_work_sync() to cleanup_srcu_struct() to prevent a +use-after-free if a queued irq_work fires after cleanup begins. + +Tested with rcutorture SRCU-T and no lockdep warnings. + +[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work +to start process_srcu()" ] + +Signed-off-by: Joel Fernandes +Reviewed-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + include/linux/srcutiny.h | 4 ++++ + kernel/rcu/srcutiny.c | 19 ++++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h +index e0698024667a7..313a0e17f22fe 100644 +--- a/include/linux/srcutiny.h ++++ b/include/linux/srcutiny.h +@@ -11,6 +11,7 @@ + #ifndef _LINUX_SRCU_TINY_H + #define _LINUX_SRCU_TINY_H + ++#include + #include + + struct srcu_struct { +@@ -24,18 +25,21 @@ struct srcu_struct { + struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */ + struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */ + struct work_struct srcu_work; /* For driving grace periods. */ ++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */ + #ifdef CONFIG_DEBUG_LOCK_ALLOC + struct lockdep_map dep_map; + #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */ + }; + + void srcu_drive_gp(struct work_struct *wp); ++void srcu_tiny_irq_work(struct irq_work *irq_work); + + #define __SRCU_STRUCT_INIT(name, __ignored, ___ignored, ____ignored) \ + { \ + .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \ + .srcu_cb_tail = &name.srcu_cb_head, \ + .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \ ++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \ + __SRCU_DEP_MAP_INIT(name) \ + } + +diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c +index 3450c3751ef7a..a2e2d516e51b9 100644 +--- a/kernel/rcu/srcutiny.c ++++ b/kernel/rcu/srcutiny.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -41,6 +42,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp) + ssp->srcu_idx_max = 0; + INIT_WORK(&ssp->srcu_work, srcu_drive_gp); + INIT_LIST_HEAD(&ssp->srcu_work.entry); ++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work); + return 0; + } + +@@ -84,6 +86,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct); + void cleanup_srcu_struct(struct srcu_struct *ssp) + { + WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]); ++ irq_work_sync(&ssp->srcu_irq_work); + flush_work(&ssp->srcu_work); + WARN_ON(ssp->srcu_gp_running); + WARN_ON(ssp->srcu_gp_waiting); +@@ -177,6 +180,20 @@ void srcu_drive_gp(struct work_struct *wp) + } + EXPORT_SYMBOL_GPL(srcu_drive_gp); + ++/* ++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue ++ * pool->lock while the caller might hold scheduler locks, causing lockdep ++ * splats due to workqueue_init() doing a wakeup. ++ */ ++void srcu_tiny_irq_work(struct irq_work *irq_work) ++{ ++ struct srcu_struct *ssp; ++ ++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work); ++ schedule_work(&ssp->srcu_work); ++} ++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work); ++ + static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + { + unsigned long cookie; +@@ -189,7 +206,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + WRITE_ONCE(ssp->srcu_idx_max, cookie); + if (!READ_ONCE(ssp->srcu_gp_running)) { + if (likely(srcu_init_done)) +- schedule_work(&ssp->srcu_work); ++ irq_work_queue(&ssp->srcu_irq_work); + else if (list_empty(&ssp->srcu_work.entry)) + list_add(&ssp->srcu_work.entry, &srcu_boot_list); + } +-- +2.53.0 + diff --git a/queue-6.19/tools-power-turbostat-fix-delimiter-bug-in-print-fun.patch b/queue-6.19/tools-power-turbostat-fix-delimiter-bug-in-print-fun.patch new file mode 100644 index 0000000000..1a2cb18eff --- /dev/null +++ b/queue-6.19/tools-power-turbostat-fix-delimiter-bug-in-print-fun.patch @@ -0,0 +1,69 @@ +From 686d1407479119a315087e7689f661e948b34cc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 11:00:34 +0200 +Subject: tools/power turbostat: Fix delimiter bug in print functions + +From: Artem Bityutskiy + +[ Upstream commit cdbefe9d4029d4834d404f7ba13a960b38a69e88 ] + +Commands that add counters, such as 'turbostat --show C1,C1+' +display merged columns without a delimiter. + +This is caused by the bad syntax: '(*printed++ ? delim : "")', shared by +print_name()/print_hex_value()/print_decimal_value()/print_float_value() + +Use '((*printed)++ ? delim : "")' to correctly increment the value at *printed. + +[lenb: fix code and commit message typo, re-word] +Fixes: 56dbb878507b ("tools/power turbostat: Refactor added column header printing") +Signed-off-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index b01a905bd24a7..c6060f65eaaf1 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -2732,29 +2732,29 @@ static inline int print_name(int width, int *printed, char *delim, char *name, e + UNUSED(type); + + if (format == FORMAT_RAW && width >= 64) +- return (sprintf(outp, "%s%-8s", (*printed++ ? delim : ""), name)); ++ return (sprintf(outp, "%s%-8s", ((*printed)++ ? delim : ""), name)); + else +- return (sprintf(outp, "%s%s", (*printed++ ? delim : ""), name)); ++ return (sprintf(outp, "%s%s", ((*printed)++ ? delim : ""), name)); + } + + static inline int print_hex_value(int width, int *printed, char *delim, unsigned long long value) + { + if (width <= 32) +- return (sprintf(outp, "%s%08x", (*printed++ ? delim : ""), (unsigned int)value)); ++ return (sprintf(outp, "%s%08x", ((*printed)++ ? delim : ""), (unsigned int)value)); + else +- return (sprintf(outp, "%s%016llx", (*printed++ ? delim : ""), value)); ++ return (sprintf(outp, "%s%016llx", ((*printed)++ ? delim : ""), value)); + } + + static inline int print_decimal_value(int width, int *printed, char *delim, unsigned long long value) + { + UNUSED(width); + +- return (sprintf(outp, "%s%lld", (*printed++ ? delim : ""), value)); ++ return (sprintf(outp, "%s%lld", ((*printed)++ ? delim : ""), value)); + } + + static inline int print_float_value(int *printed, char *delim, double value) + { +- return (sprintf(outp, "%s%0.2f", (*printed++ ? delim : ""), value)); ++ return (sprintf(outp, "%s%0.2f", ((*printed)++ ? delim : ""), value)); + } + + void print_header(char *delim) +-- +2.53.0 + diff --git a/queue-6.19/tools-power-turbostat-fix-incorrect-format-variable.patch b/queue-6.19/tools-power-turbostat-fix-incorrect-format-variable.patch new file mode 100644 index 0000000000..20327ab7cf --- /dev/null +++ b/queue-6.19/tools-power-turbostat-fix-incorrect-format-variable.patch @@ -0,0 +1,55 @@ +From 29cf5f506e9e8ec7302dc319365d0ce84190b708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 11:00:32 +0200 +Subject: tools/power turbostat: Fix incorrect format variable + +From: Artem Bityutskiy + +[ Upstream commit 23cb4f5c81766e70e5f32ed0987ee8fb5ab2e00a ] + +In the perf thread, core, and package counter loops, an incorrect +'mp->format' variable is used instead of 'pp->format'. + +[lenb: edit commit message] +Fixes: 696d15cbd8c2 ("tools/power turbostat: Refactor floating point printout code") +Signed-off-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 83a90f413f976..603651e74dacf 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -3330,7 +3330,7 @@ int format_counters(PER_THREAD_PARAMS) + for (i = 0, pp = sys.perf_tp; pp; ++i, pp = pp->next) { + if (pp->format == FORMAT_RAW) + outp += print_hex_value(pp->width, &printed, delim, t->perf_counter[i]); +- else if (pp->format == FORMAT_DELTA || mp->format == FORMAT_AVERAGE) ++ else if (pp->format == FORMAT_DELTA || pp->format == FORMAT_AVERAGE) + outp += print_decimal_value(pp->width, &printed, delim, t->perf_counter[i]); + else if (pp->format == FORMAT_PERCENT) { + if (pp->type == COUNTER_USEC) +@@ -3400,7 +3400,7 @@ int format_counters(PER_THREAD_PARAMS) + for (i = 0, pp = sys.perf_cp; pp; i++, pp = pp->next) { + if (pp->format == FORMAT_RAW) + outp += print_hex_value(pp->width, &printed, delim, c->perf_counter[i]); +- else if (pp->format == FORMAT_DELTA || mp->format == FORMAT_AVERAGE) ++ else if (pp->format == FORMAT_DELTA || pp->format == FORMAT_AVERAGE) + outp += print_decimal_value(pp->width, &printed, delim, c->perf_counter[i]); + else if (pp->format == FORMAT_PERCENT) + outp += print_float_value(&printed, delim, pct(c->perf_counter[i], tsc)); +@@ -3558,7 +3558,7 @@ int format_counters(PER_THREAD_PARAMS) + outp += print_hex_value(pp->width, &printed, delim, p->perf_counter[i]); + else if (pp->type == COUNTER_K2M) + outp += sprintf(outp, "%s%d", (printed++ ? delim : ""), (unsigned int)p->perf_counter[i] / 1000); +- else if (pp->format == FORMAT_DELTA || mp->format == FORMAT_AVERAGE) ++ else if (pp->format == FORMAT_DELTA || pp->format == FORMAT_AVERAGE) + outp += print_decimal_value(pp->width, &printed, delim, p->perf_counter[i]); + else if (pp->format == FORMAT_PERCENT) + outp += print_float_value(&printed, delim, pct(p->perf_counter[i], tsc)); +-- +2.53.0 + diff --git a/queue-6.19/tools-power-turbostat-fix-microcode-patch-level-outp.patch b/queue-6.19/tools-power-turbostat-fix-microcode-patch-level-outp.patch new file mode 100644 index 0000000000..836ed10b69 --- /dev/null +++ b/queue-6.19/tools-power-turbostat-fix-microcode-patch-level-outp.patch @@ -0,0 +1,58 @@ +From cfd11b0b28f93407dad7926043942935b1f73406 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:16:03 -0500 +Subject: tools/power/turbostat: Fix microcode patch level output for AMD/Hygon + +From: Serhii Pievniev + +[ Upstream commit a444083286434ec1fd127c5da11a3091e6013008 ] + +turbostat always used the same logic to read the microcode patch level, +which is correct for Intel but not for AMD/Hygon. +While Intel stores the patch level in the upper 32 bits of MSR, AMD +stores it in the lower 32 bits, which causes turbostat to report the +microcode version as 0x0 on AMD/Hygon. + +Fix by shifting right by 32 for non-AMD/Hygon, preserving the existing +behavior for Intel and unknown vendors. + +Fixes: 3e4048466c39 ("tools/power turbostat: Add --no-msr option") +Signed-off-by: Serhii Pievniev +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 903943d30f713..83a90f413f976 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -8812,10 +8812,13 @@ void process_cpuid() + edx_flags = edx; + + if (!no_msr) { +- if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) ++ if (get_msr(sched_getcpu(), MSR_IA32_UCODE_REV, &ucode_patch)) { + warnx("get_msr(UCODE)"); +- else ++ } else { + ucode_patch_valid = true; ++ if (!authentic_amd && !hygon_genuine) ++ ucode_patch >>= 32; ++ } + } + + /* +@@ -8829,7 +8832,7 @@ void process_cpuid() + if (!quiet) { + fprintf(outf, "CPUID(1): family:model:stepping 0x%x:%x:%x (%d:%d:%d)", family, model, stepping, family, model, stepping); + if (ucode_patch_valid) +- fprintf(outf, " microcode 0x%x", (unsigned int)((ucode_patch >> 32) & 0xFFFFFFFF)); ++ fprintf(outf, " microcode 0x%x", (unsigned int)ucode_patch); + fputc('\n', outf); + + fprintf(outf, "CPUID(0x80000000): max_extended_levels: 0x%x\n", max_extended_level); +-- +2.53.0 + diff --git a/queue-6.19/tools-power-turbostat-fix-show-hide-for-individual-c.patch b/queue-6.19/tools-power-turbostat-fix-show-hide-for-individual-c.patch new file mode 100644 index 0000000000..2e6df39374 --- /dev/null +++ b/queue-6.19/tools-power-turbostat-fix-show-hide-for-individual-c.patch @@ -0,0 +1,118 @@ +From 59e31b96beae32393335336db64b8869d048fabd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 11:00:33 +0200 +Subject: tools/power turbostat: Fix --show/--hide for individual cpuidle + counters + +From: Artem Bityutskiy + +[ Upstream commit b6398bc2ef3a78f1be37ba01ae0a5eedaee47803 ] + +Problem: individual swidle counter names (C1, C1+, C1-, etc.) cannot be +selected via --show/--hide due to two bugs in probe_cpuidle_counts(): +1. The function returns immediately when BIC_cpuidle is not enabled, + without checking deferred_add_index. +2. The deferred name check runs against name_buf before the trailing + newline is stripped, so is_deferred_add("C1\n") never matches "C1". + +Fix: +1. Relax the early return to pass through when deferred names are + queued. +2. Strip the trailing newline from name_buf before performing deferred + name checks. +3. Check each suffixed variant (C1+, C1, C1-) individually so that + e.g. "--show C1+" enables only the requested metric. + +In addition, introduce a helper function to avoid repeating the +condition (readability cleanup). + +Fixes: ec4acd3166d8 ("tools/power turbostat: disable "cpuidle" invocation counters, by default") +Signed-off-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 35 ++++++++++++++++----------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 603651e74dacf..b01a905bd24a7 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -10908,6 +10908,14 @@ void probe_cpuidle_residency(void) + } + } + ++static bool cpuidle_counter_wanted(char *name) ++{ ++ if (is_deferred_skip(name)) ++ return false; ++ ++ return DO_BIC(BIC_cpuidle) || is_deferred_add(name); ++} ++ + void probe_cpuidle_counts(void) + { + char path[64]; +@@ -10917,7 +10925,7 @@ void probe_cpuidle_counts(void) + int min_state = 1024, max_state = 0; + char *sp; + +- if (!DO_BIC(BIC_cpuidle)) ++ if (!DO_BIC(BIC_cpuidle) && !deferred_add_index) + return; + + for (state = 10; state >= 0; --state) { +@@ -10932,12 +10940,6 @@ void probe_cpuidle_counts(void) + + remove_underbar(name_buf); + +- if (!DO_BIC(BIC_cpuidle) && !is_deferred_add(name_buf)) +- continue; +- +- if (is_deferred_skip(name_buf)) +- continue; +- + /* truncate "C1-HSW\n" to "C1", or truncate "C1\n" to "C1" */ + sp = strchr(name_buf, '-'); + if (!sp) +@@ -10952,16 +10954,19 @@ void probe_cpuidle_counts(void) + * Add 'C1+' for C1, and so on. The 'below' sysfs file always contains 0 for + * the last state, so do not add it. + */ +- + *sp = '+'; + *(sp + 1) = '\0'; +- sprintf(path, "cpuidle/state%d/below", state); +- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ if (cpuidle_counter_wanted(name_buf)) { ++ sprintf(path, "cpuidle/state%d/below", state); ++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ } + } + + *sp = '\0'; +- sprintf(path, "cpuidle/state%d/usage", state); +- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ if (cpuidle_counter_wanted(name_buf)) { ++ sprintf(path, "cpuidle/state%d/usage", state); ++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ } + + /* + * The 'above' sysfs file always contains 0 for the shallowest state (smallest +@@ -10970,8 +10975,10 @@ void probe_cpuidle_counts(void) + if (state != min_state) { + *sp = '-'; + *(sp + 1) = '\0'; +- sprintf(path, "cpuidle/state%d/above", state); +- add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ if (cpuidle_counter_wanted(name_buf)) { ++ sprintf(path, "cpuidle/state%d/above", state); ++ add_counter(0, path, name_buf, 64, SCOPE_CPU, COUNTER_ITEMS, FORMAT_DELTA, SYSFS_PERCPU, 0); ++ } + } + } + } +-- +2.53.0 + diff --git a/queue-6.19/tools-power-turbostat-fix-swidle-header-vs-data-disp.patch b/queue-6.19/tools-power-turbostat-fix-swidle-header-vs-data-disp.patch new file mode 100644 index 0000000000..2788056858 --- /dev/null +++ b/queue-6.19/tools-power-turbostat-fix-swidle-header-vs-data-disp.patch @@ -0,0 +1,51 @@ +From ab69ffa670f74ffaa6adee39a18d56ad245bb1d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 21:43:11 -0500 +Subject: tools/power turbostat: Fix swidle header vs data display + +From: Len Brown + +[ Upstream commit b8ead30e2b2c7f32c8d2782e805160b110766592 ] + +I changed my mind about displaying swidle statistics, +which are "added counters". Recently I reverted the +column headers to 8-columns, but kept print_decimal_value() +padding out to 16-columns for all 64-bit counters. + +Simplify by keeping print_decimial_value() at %lld -- which +will often fit into 8-columns, and live with the fact +that it can overflow and shift the other columns, +which continue to tab-delimited. + +This is a better compromise than inserting a bunch +of space characters that most users don't like. + +Fixes: 1a23ba6a1ba2 ("tools/power turbostat: Print wide names only for RAW 64-bit columns") +Reported-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 1b26d94c373fb..903943d30f713 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -2747,10 +2747,9 @@ static inline int print_hex_value(int width, int *printed, char *delim, unsigned + + static inline int print_decimal_value(int width, int *printed, char *delim, unsigned long long value) + { +- if (width <= 32) +- return (sprintf(outp, "%s%d", (*printed++ ? delim : ""), (unsigned int)value)); +- else +- return (sprintf(outp, "%s%-8lld", (*printed++ ? delim : ""), value)); ++ UNUSED(width); ++ ++ return (sprintf(outp, "%s%lld", (*printed++ ? delim : ""), value)); + } + + static inline int print_float_value(int *printed, char *delim, double value) +-- +2.53.0 + diff --git a/queue-6.19/tracing-probe-reject-non-closed-empty-immediate-stri.patch b/queue-6.19/tracing-probe-reject-non-closed-empty-immediate-stri.patch new file mode 100644 index 0000000000..66f56a3d00 --- /dev/null +++ b/queue-6.19/tracing-probe-reject-non-closed-empty-immediate-stri.patch @@ -0,0 +1,43 @@ +From caae6d3890e222727907066bc461c1109ae71047 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 00:03:15 +0800 +Subject: tracing/probe: reject non-closed empty immediate strings + +From: Pengpeng Hou + +[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ] + +parse_probe_arg() accepts quoted immediate strings and passes the body +after the opening quote to __parse_imm_string(). That helper currently +computes strlen(str) and immediately dereferences str[len - 1], which +underflows when the body is empty and not closed with double-quotation. + +Reject empty non-closed immediate strings before checking for the closing quote. + +Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/ + +Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support") +Signed-off-by: Pengpeng Hou +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 2f571083ce9ec..8dc495561c3f9 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -1069,7 +1069,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs) + { + size_t len = strlen(str); + +- if (str[len - 1] != '"') { ++ if (!len || str[len - 1] != '"') { + trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE); + return -EINVAL; + } +-- +2.53.0 + diff --git a/queue-6.19/vsock-test-fix-send_buf-recv_buf-eintr-handling.patch b/queue-6.19/vsock-test-fix-send_buf-recv_buf-eintr-handling.patch new file mode 100644 index 0000000000..cbb0375a85 --- /dev/null +++ b/queue-6.19/vsock-test-fix-send_buf-recv_buf-eintr-handling.patch @@ -0,0 +1,56 @@ +From 9b4f7fa19e62896ae0536d8bdca894592913c070 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 11:32:51 +0200 +Subject: vsock/test: fix send_buf()/recv_buf() EINTR handling + +From: Stefano Garzarella + +[ Upstream commit 24ad7ff668896325591fa0b570f2cca6c55f136f ] + +When send() or recv() returns -1 with errno == EINTR, the code skips +the break but still adds the return value to nwritten/nread, making it +decrease by 1. This leads to wrong buffer offsets and wrong bytes count. + +Fix it by explicitly continuing the loop on EINTR, so the return value +is only added when it is positive. + +Fixes: a8ed71a27ef5 ("vsock/test: add recv_buf() utility function") +Fixes: 12329bd51fdc ("vsock/test: add send_buf() utility function") +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260403093251.30662-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/vsock/util.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c +index 9430ef5b8bc3e..1fe1338c79cd1 100644 +--- a/tools/testing/vsock/util.c ++++ b/tools/testing/vsock/util.c +@@ -344,7 +344,9 @@ void send_buf(int fd, const void *buf, size_t len, int flags, + ret = send(fd, buf + nwritten, len - nwritten, flags); + timeout_check("send"); + +- if (ret == 0 || (ret < 0 && errno != EINTR)) ++ if (ret < 0 && errno == EINTR) ++ continue; ++ if (ret <= 0) + break; + + nwritten += ret; +@@ -396,7 +398,9 @@ void recv_buf(int fd, void *buf, size_t len, int flags, ssize_t expected_ret) + ret = recv(fd, buf + nread, len - nread, flags); + timeout_check("recv"); + +- if (ret == 0 || (ret < 0 && errno != EINTR)) ++ if (ret < 0 && errno == EINTR) ++ continue; ++ if (ret <= 0) + break; + + nread += ret; +-- +2.53.0 + diff --git a/queue-6.19/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch b/queue-6.19/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch new file mode 100644 index 0000000000..ef55906bd3 --- /dev/null +++ b/queue-6.19/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch @@ -0,0 +1,45 @@ +From 39b293eabbfac892122b7338c62691dc01c90f8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 15:45:51 +0800 +Subject: wifi: brcmfmac: validate bsscfg indices in IF events + +From: Pengpeng Hou + +[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ] + +brcmf_fweh_handle_if_event() validates the firmware-provided interface +index before it touches drvr->iflist[], but it still uses the raw +bsscfgidx field as an array index without a matching range check. + +Reject IF events whose bsscfg index does not fit in drvr->iflist[] +before indexing the interface array. + +Signed-off-by: Pengpeng Hou +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn +[add missing wifi prefix] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index c2d98ee6652f3..1d25dc9ebca8b 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -153,6 +153,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr, + bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx); + return; + } ++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) { ++ bphy_err(drvr, "invalid bsscfg index: %u\n", ++ ifevent->bsscfgidx); ++ return; ++ } + + ifp = drvr->iflist[ifevent->bsscfgidx]; + +-- +2.53.0 + diff --git a/queue-6.19/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch b/queue-6.19/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch new file mode 100644 index 0000000000..1fc8e44abc --- /dev/null +++ b/queue-6.19/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch @@ -0,0 +1,51 @@ +From e9b2c82320e90476df22245d09588e1636d84748 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:08:45 +0800 +Subject: wifi: wl1251: validate packet IDs before indexing tx_frames + +From: Pengpeng Hou + +[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ] + +wl1251_tx_packet_cb() uses the firmware completion ID directly to index +the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the +completion block, and the callback does not currently verify that it +fits the array before dereferencing it. + +Reject completion IDs that fall outside wl->tx_frames[] and keep the +existing NULL check in the same guard. This keeps the fix local to the +trust boundary and avoids touching the rest of the completion flow. + +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c +index adb4840b04893..c264d83e71d9c 100644 +--- a/drivers/net/wireless/ti/wl1251/tx.c ++++ b/drivers/net/wireless/ti/wl1251/tx.c +@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl, + int hdrlen; + u8 *frame; + +- skb = wl->tx_frames[result->id]; +- if (skb == NULL) { +- wl1251_error("SKB for packet %d is NULL", result->id); ++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) || ++ wl->tx_frames[result->id] == NULL)) { ++ wl1251_error("invalid packet id %u", result->id); + return; + } + ++ skb = wl->tx_frames[result->id]; ++ + info = IEEE80211_SKB_CB(skb); + + if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) && +-- +2.53.0 + diff --git a/queue-6.19/x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch b/queue-6.19/x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch new file mode 100644 index 0000000000..ffce0bce55 --- /dev/null +++ b/queue-6.19/x86-shadow-stacks-proper-error-handling-for-mmap-loc.patch @@ -0,0 +1,78 @@ +From 96ecbd19c3a2cf3e6a23924f41170968a5abd30c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 13:18:57 -0700 +Subject: x86: shadow stacks: proper error handling for mmap lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit 52f657e34d7b21b47434d9d8b26fa7f6778b63a0 ] + +김영민 reports that shstk_pop_sigframe() doesn't check for errors from +mmap_read_lock_killable(), which is a silly oversight, and also shows +that we haven't marked those functions with "__must_check", which would +have immediately caught it. + +So let's fix both issues. + +Reported-by: 김영민 +Acked-by: Oleg Nesterov +Acked-by: Dave Hansen +Acked-by: Rick Edgecombe +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/shstk.c | 3 ++- + include/linux/mmap_lock.h | 6 +++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c +index 978232b6d48d7..ff8edea8511b4 100644 +--- a/arch/x86/kernel/shstk.c ++++ b/arch/x86/kernel/shstk.c +@@ -351,7 +351,8 @@ static int shstk_pop_sigframe(unsigned long *ssp) + need_to_check_vma = PAGE_ALIGN(*ssp) == *ssp; + + if (need_to_check_vma) +- mmap_read_lock_killable(current->mm); ++ if (mmap_read_lock_killable(current->mm)) ++ return -EINTR; + + err = get_shstk_data(&token_addr, (unsigned long __user *)*ssp); + if (unlikely(err)) +diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h +index d53f72dba7fee..81fcfde3563dd 100644 +--- a/include/linux/mmap_lock.h ++++ b/include/linux/mmap_lock.h +@@ -345,7 +345,7 @@ static inline void mmap_write_lock_nested(struct mm_struct *mm, int subclass) + __mmap_lock_trace_acquire_returned(mm, true, true); + } + +-static inline int mmap_write_lock_killable(struct mm_struct *mm) ++static inline int __must_check mmap_write_lock_killable(struct mm_struct *mm) + { + int ret; + +@@ -392,7 +392,7 @@ static inline void mmap_read_lock(struct mm_struct *mm) + __mmap_lock_trace_acquire_returned(mm, false, true); + } + +-static inline int mmap_read_lock_killable(struct mm_struct *mm) ++static inline int __must_check mmap_read_lock_killable(struct mm_struct *mm) + { + int ret; + +@@ -402,7 +402,7 @@ static inline int mmap_read_lock_killable(struct mm_struct *mm) + return ret; + } + +-static inline bool mmap_read_trylock(struct mm_struct *mm) ++static inline bool __must_check mmap_read_trylock(struct mm_struct *mm) + { + bool ret; + +-- +2.53.0 + diff --git a/queue-6.19/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch b/queue-6.19/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch new file mode 100644 index 0000000000..f6bf42fc78 --- /dev/null +++ b/queue-6.19/xfrm-account-xfrma_if_id-in-aevent-size-calculation.patch @@ -0,0 +1,61 @@ +From 3326b3300786c9a56be544aeea3577768e188035 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2026 20:36:39 +0800 +Subject: xfrm: account XFRMA_IF_ID in aevent size calculation + +From: Keenan Dong + +[ Upstream commit 7081d46d32312f1a31f0e0e99c6835a394037599 ] + +xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then +build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is +set. + +xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states +with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) +in xfrm_get_ae(), turning a malformed netlink interaction into a kernel +panic. + +Account XFRMA_IF_ID in the size calculation unconditionally and replace +the BUG_ON with normal error unwinding. + +Fixes: 7e6526404ade ("xfrm: Add a new lookup key to match xfrm interfaces.") +Reported-by: Keenan Dong +Signed-off-by: Keenan Dong +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 306e4f65ce264..1ddcf2a1eff7a 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -2668,7 +2668,8 @@ static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x) + + nla_total_size(4) /* XFRM_AE_RTHR */ + + nla_total_size(4) /* XFRM_AE_ETHR */ + + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */ +- + nla_total_size(4); /* XFRMA_SA_PCPU */ ++ + nla_total_size(4) /* XFRMA_SA_PCPU */ ++ + nla_total_size(sizeof(x->if_id)); /* XFRMA_IF_ID */ + } + + static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) +@@ -2780,7 +2781,12 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, + c.portid = nlh->nlmsg_pid; + + err = build_aevent(r_skb, x, &c); +- BUG_ON(err < 0); ++ if (err < 0) { ++ spin_unlock_bh(&x->lock); ++ xfrm_state_put(x); ++ kfree_skb(r_skb); ++ return err; ++ } + + err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid); + spin_unlock_bh(&x->lock); +-- +2.53.0 + diff --git a/queue-6.19/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch b/queue-6.19/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch new file mode 100644 index 0000000000..cfaa601e78 --- /dev/null +++ b/queue-6.19/xfrm-fix-refcount-leak-in-xfrm_migrate_policy_find.patch @@ -0,0 +1,52 @@ +From 35422b8e72bb7fde4be3fecb66265d4e52750f8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 12:05:20 +0300 +Subject: xfrm: fix refcount leak in xfrm_migrate_policy_find + +From: Kotlyarov Mihail + +[ Upstream commit 83317cce60a032c49480dcdabe146435bd689d03 ] + +syzkaller reported a memory leak in xfrm_policy_alloc: + + BUG: memory leak + unreferenced object 0xffff888114d79000 (size 1024): + comm "syz.1.17", pid 931 + ... + xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432 + +The root cause is a double call to xfrm_pol_hold_rcu() in +xfrm_migrate_policy_find(). The lookup function already returns +a policy with held reference, making the second call redundant. + +Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount +imbalance and prevent the memory leak. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 563d5ca93e88 ("xfrm: switch migrate to xfrm_policy_lookup_bytype") +Signed-off-by: Kotlyarov Mihail +Reviewed-by: Florian Westphal +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 4526c9078b136..29c94ee0ceb25 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4528,9 +4528,6 @@ static struct xfrm_policy *xfrm_migrate_policy_find(const struct xfrm_selector * + pol = xfrm_policy_lookup_bytype(net, type, &fl, sel->family, dir, if_id); + if (IS_ERR_OR_NULL(pol)) + goto out_unlock; +- +- if (!xfrm_pol_hold_rcu(pol)) +- pol = NULL; + out_unlock: + rcu_read_unlock(); + return pol; +-- +2.53.0 + diff --git a/queue-6.19/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch b/queue-6.19/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch new file mode 100644 index 0000000000..2bd2456c76 --- /dev/null +++ b/queue-6.19/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch @@ -0,0 +1,43 @@ +From d31214db4618bca6ec785e5fb3c437781922c37a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 13:31:04 +0200 +Subject: xfrm: Wait for RCU readers during policy netns exit + +From: Steffen Klassert + +[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ] + +xfrm_policy_fini() frees the policy_bydst hash tables after flushing the +policy work items and deleting all policies, but it does not wait for +concurrent RCU readers to leave their read-side critical sections first. + +The policy_bydst tables are published via rcu_assign_pointer() and are +looked up through rcu_dereference_check(), so netns teardown must also +wait for an RCU grace period before freeing the table memory. + +Fix this by adding synchronize_rcu() before freeing the policy hash tables. + +Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups") +Signed-off-by: Steffen Klassert +Reviewed-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index c32d34c441ee0..4526c9078b136 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4290,6 +4290,8 @@ static void xfrm_policy_fini(struct net *net) + #endif + xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); + ++ synchronize_rcu(); ++ + WARN_ON(!list_empty(&net->xfrm.policy_all)); + + for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { +-- +2.53.0 + diff --git a/queue-6.19/xfrm_user-fix-info-leak-in-build_mapping.patch b/queue-6.19/xfrm_user-fix-info-leak-in-build_mapping.patch new file mode 100644 index 0000000000..7298a5c326 --- /dev/null +++ b/queue-6.19/xfrm_user-fix-info-leak-in-build_mapping.patch @@ -0,0 +1,45 @@ +From 7aab604abce60829f34bae46d556521766081e5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 17:33:03 +0200 +Subject: xfrm_user: fix info leak in build_mapping() + +From: Greg Kroah-Hartman + +[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ] + +struct xfrm_usersa_id has a one-byte padding hole after the proto +field, which ends up never getting set to zero before copying out to +userspace. Fix that up by zeroing out the whole structure before +setting individual variables. + +Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink") +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 1ddcf2a1eff7a..b3f69c0760d4c 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -4164,6 +4164,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, + + um = nlmsg_data(nlh); + ++ memset(&um->id, 0, sizeof(um->id)); + memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); + um->id.spi = x->id.spi; + um->id.family = x->props.family; +-- +2.53.0 + diff --git a/queue-6.19/xsk-fix-xdp_umem_sg_flag-issues.patch b/queue-6.19/xsk-fix-xdp_umem_sg_flag-issues.patch new file mode 100644 index 0000000000..5df7ea7ea4 --- /dev/null +++ b/queue-6.19/xsk-fix-xdp_umem_sg_flag-issues.patch @@ -0,0 +1,62 @@ +From 82da6c071f88345a24356ce4b39f2dd58732acb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:53 +0200 +Subject: xsk: fix XDP_UMEM_SG_FLAG issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 93e84fe45b752d17a5a46b306ed78f0133bbc719 ] + +Currently xp_assign_dev_shared() is missing XDP_USE_SG being propagated +to flags so set it in order to preserve mtu check that is supposed to be +done only when no multi-buffer setup is in picture. + +Also, this flag has the same value as XDP_UMEM_TX_SW_CSUM so we could +get unexpected SG setups for software Tx checksums. Since csum flag is +UAPI, modify value of XDP_UMEM_SG_FLAG. + +Fixes: d609f3d228a8 ("xsk: add multi-buffer support for sockets sharing umem") +Reviewed-by: Björn Töpel +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-4-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/xdp_sock.h | 2 +- + net/xdp/xsk_buff_pool.c | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h +index 23e8861e8b25e..ebac60a3d8a17 100644 +--- a/include/net/xdp_sock.h ++++ b/include/net/xdp_sock.h +@@ -14,7 +14,7 @@ + #include + #include + +-#define XDP_UMEM_SG_FLAG (1 << 1) ++#define XDP_UMEM_SG_FLAG BIT(3) + + struct net_device; + struct xsk_queue; +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 51526034c42ac..6799ab6672f3e 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -252,6 +252,10 @@ int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs, + return -EINVAL; + + flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY; ++ ++ if (umem->flags & XDP_UMEM_SG_FLAG) ++ flags |= XDP_USE_SG; ++ + if (umem_xs->pool->uses_need_wakeup) + flags |= XDP_USE_NEED_WAKEUP; + +-- +2.53.0 + diff --git a/queue-6.19/xsk-respect-tailroom-for-zc-setups.patch b/queue-6.19/xsk-respect-tailroom-for-zc-setups.patch new file mode 100644 index 0000000000..3892f5bcbe --- /dev/null +++ b/queue-6.19/xsk-respect-tailroom-for-zc-setups.patch @@ -0,0 +1,123 @@ +From 6b954ec914c8b821ba6c0dc996801bfd5b43c46b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:52 +0200 +Subject: xsk: respect tailroom for ZC setups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 1ee1605138fc94cc8f8f273321dd2471c64977f9 ] + +Multi-buffer XDP stores information about frags in skb_shared_info that +sits at the tailroom of a packet. The storage space is reserved via +xdp_data_hard_end(): + + ((xdp)->data_hard_start + (xdp)->frame_sz - \ + SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) + +and then we refer to it via macro below: + +static inline struct skb_shared_info * +xdp_get_shared_info_from_buff(const struct xdp_buff *xdp) +{ + return (struct skb_shared_info *)xdp_data_hard_end(xdp); +} + +Currently we do not respect this tailroom space in multi-buffer AF_XDP +ZC scenario. To address this, introduce xsk_pool_get_tailroom() and use +it within xsk_pool_get_rx_frame_size() which is used in ZC drivers to +configure length of HW Rx buffer. + +Typically drivers on Rx Hw buffers side work on 128 byte alignment so +let us align the value returned by xsk_pool_get_rx_frame_size() in order +to avoid addressing this on driver's side. This addresses the fact that +idpf uses mentioned function *before* pool->dev being set so we were at +risk that after subtracting tailroom we would not provide 128-byte +aligned value to HW. + +Since xsk_pool_get_rx_frame_size() is actively used in xsk_rcv_check() +and __xsk_rcv(), add a variant of this routine that will not include 128 +byte alignment and therefore old behavior is preserved. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-3-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/xdp_sock_drv.h | 23 ++++++++++++++++++++++- + net/xdp/xsk.c | 4 ++-- + 2 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h +index 6b9ebae2dc952..46797645a0c24 100644 +--- a/include/net/xdp_sock_drv.h ++++ b/include/net/xdp_sock_drv.h +@@ -41,16 +41,37 @@ static inline u32 xsk_pool_get_headroom(struct xsk_buff_pool *pool) + return XDP_PACKET_HEADROOM + pool->headroom; + } + ++static inline u32 xsk_pool_get_tailroom(bool mbuf) ++{ ++ return mbuf ? SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) : 0; ++} ++ + static inline u32 xsk_pool_get_chunk_size(struct xsk_buff_pool *pool) + { + return pool->chunk_size; + } + +-static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) ++static inline u32 __xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) + { + return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool); + } + ++static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) ++{ ++ u32 frame_size = __xsk_pool_get_rx_frame_size(pool); ++ struct xdp_umem *umem = pool->umem; ++ bool mbuf; ++ ++ /* Reserve tailroom only for zero-copy pools that opted into ++ * multi-buffer. The reserved area is used for skb_shared_info, ++ * matching the XDP core's xdp_data_hard_end() layout. ++ */ ++ mbuf = pool->dev && (umem->flags & XDP_UMEM_SG_FLAG); ++ frame_size -= xsk_pool_get_tailroom(mbuf); ++ ++ return ALIGN_DOWN(frame_size, 128); ++} ++ + static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool) + { + return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool); +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index a6d3938154f21..4a1cc44ab305a 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -239,7 +239,7 @@ static u32 xsk_copy_xdp(void *to, void **from, u32 to_len, + + static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) + { +- u32 frame_size = xsk_pool_get_rx_frame_size(xs->pool); ++ u32 frame_size = __xsk_pool_get_rx_frame_size(xs->pool); + void *copy_from = xsk_copy_xdp_start(xdp), *copy_to; + u32 from_len, meta_len, rem, num_desc; + struct xdp_buff_xsk *xskb; +@@ -338,7 +338,7 @@ static int xsk_rcv_check(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) + if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) + return -EINVAL; + +- if (len > xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) { ++ if (len > __xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) { + xs->rx_dropped++; + return -ENOSPC; + } +-- +2.53.0 + diff --git a/queue-6.19/xsk-tighten-umem-headroom-validation-to-account-for-.patch b/queue-6.19/xsk-tighten-umem-headroom-validation-to-account-for-.patch new file mode 100644 index 0000000000..5721932bb8 --- /dev/null +++ b/queue-6.19/xsk-tighten-umem-headroom-validation-to-account-for-.patch @@ -0,0 +1,53 @@ +From e8458741a7764754f6ddc5afad82b605f31e9c0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:51 +0200 +Subject: xsk: tighten UMEM headroom validation to account for tailroom and min + frame +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ] + +The current headroom validation in xdp_umem_reg() could leave us with +insufficient space dedicated to even receive minimum-sized ethernet +frame. Furthermore if multi-buffer would come to play then +skb_shared_info stored at the end of XSK frame would be corrupted. + +HW typically works with 128-aligned sizes so let us provide this value +as bare minimum. + +Multi-buffer setting is known later in the configuration process so +besides accounting for 128 bytes, let us also take care of tailroom space +upfront. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 9f76ca591d54f..9ec7bd948acc7 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -202,7 +202,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (!unaligned_chunks && chunks_rem) + return -EINVAL; + +- if (headroom >= chunk_size - XDP_PACKET_HEADROOM) ++ if (headroom > chunk_size - XDP_PACKET_HEADROOM - ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128) + return -EINVAL; + + if (mr->flags & XDP_UMEM_TX_METADATA_LEN) { +-- +2.53.0 + diff --git a/queue-6.19/xsk-validate-mtu-against-usable-frame-size-on-bind.patch b/queue-6.19/xsk-validate-mtu-against-usable-frame-size-on-bind.patch new file mode 100644 index 0000000000..61b9affd9c --- /dev/null +++ b/queue-6.19/xsk-validate-mtu-against-usable-frame-size-on-bind.patch @@ -0,0 +1,99 @@ +From fc7b026274c6e6b02c40209ea802b0dd8e0652ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:54 +0200 +Subject: xsk: validate MTU against usable frame size on bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 36ee60b569ba0dfb6f961333b90d19ab5b323fa9 ] + +AF_XDP bind currently accepts zero-copy pool configurations without +verifying that the device MTU fits into the usable frame space provided +by the UMEM chunk. + +This becomes a problem since we started to respect tailroom which is +subtracted from chunk_size (among with headroom). 2k chunk size might +not provide enough space for standard 1500 MTU, so let us catch such +settings at bind time. Furthermore, validate whether underlying HW will +be able to satisfy configured MTU wrt XSK's frame size multiplied by +supported Rx buffer chain length (that is exposed via +net_device::xdp_zc_max_segs). + +Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX") +Reviewed-by: Björn Töpel +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-5-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_buff_pool.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 6799ab6672f3e..1f96bdf1e7a60 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -10,6 +10,8 @@ + #include "xdp_umem.h" + #include "xsk.h" + ++#define ETH_PAD_LEN (ETH_HLEN + 2 * VLAN_HLEN + ETH_FCS_LEN) ++ + void xp_add_xsk(struct xsk_buff_pool *pool, struct xdp_sock *xs) + { + if (!xs->tx) +@@ -158,8 +160,12 @@ static void xp_disable_drv_zc(struct xsk_buff_pool *pool) + int xp_assign_dev(struct xsk_buff_pool *pool, + struct net_device *netdev, u16 queue_id, u16 flags) + { ++ u32 needed = netdev->mtu + ETH_PAD_LEN; ++ u32 segs = netdev->xdp_zc_max_segs; ++ bool mbuf = flags & XDP_USE_SG; + bool force_zc, force_copy; + struct netdev_bpf bpf; ++ u32 frame_size; + int err = 0; + + ASSERT_RTNL(); +@@ -179,7 +185,7 @@ int xp_assign_dev(struct xsk_buff_pool *pool, + if (err) + return err; + +- if (flags & XDP_USE_SG) ++ if (mbuf) + pool->umem->flags |= XDP_UMEM_SG_FLAG; + + if (flags & XDP_USE_NEED_WAKEUP) +@@ -201,8 +207,24 @@ int xp_assign_dev(struct xsk_buff_pool *pool, + goto err_unreg_pool; + } + +- if (netdev->xdp_zc_max_segs == 1 && (flags & XDP_USE_SG)) { +- err = -EOPNOTSUPP; ++ if (mbuf) { ++ if (segs == 1) { ++ err = -EOPNOTSUPP; ++ goto err_unreg_pool; ++ } ++ } else { ++ segs = 1; ++ } ++ ++ /* open-code xsk_pool_get_rx_frame_size() as pool->dev is not ++ * set yet at this point; we are before getting down to driver ++ */ ++ frame_size = __xsk_pool_get_rx_frame_size(pool) - ++ xsk_pool_get_tailroom(mbuf); ++ frame_size = ALIGN_DOWN(frame_size, 128); ++ ++ if (needed > frame_size * segs) { ++ err = -EINVAL; + goto err_unreg_pool; + } + +-- +2.53.0 + diff --git a/queue-6.6/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch b/queue-6.6/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch new file mode 100644 index 0000000000..cde4381c2f --- /dev/null +++ b/queue-6.6/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch @@ -0,0 +1,75 @@ +From 7362c2e79c9845b282bf05ca36f1b7b8d8f06212 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 16:00:14 +0800 +Subject: af_unix: read UNIX_DIAG_VFS data under unix_state_lock + +From: Jiexun Wang + +[ Upstream commit 39897df386376912d561d4946499379effa1e7ef ] + +Exact UNIX diag lookups hold a reference to the socket, but not to +u->path. Meanwhile, unix_release_sock() clears u->path under +unix_state_lock() and drops the path reference after unlocking. + +Read the inode and device numbers for UNIX_DIAG_VFS while holding +unix_state_lock(), then emit the netlink attribute after dropping the +lock. + +This keeps the VFS data stable while the reply is being built. + +Fixes: 5f7b0569460b ("unix_diag: Unix inode info NLA") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/diag.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index a6bd861314df0..169d068064bba 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -26,18 +26,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + + static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) + { +- struct dentry *dentry = unix_sk(sk)->path.dentry; ++ struct unix_diag_vfs uv; ++ struct dentry *dentry; ++ bool have_vfs = false; + ++ unix_state_lock(sk); ++ dentry = unix_sk(sk)->path.dentry; + if (dentry) { +- struct unix_diag_vfs uv = { +- .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, +- .udiag_vfs_dev = dentry->d_sb->s_dev, +- }; +- +- return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); ++ uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino; ++ uv.udiag_vfs_dev = dentry->d_sb->s_dev; ++ have_vfs = true; + } ++ unix_state_unlock(sk); + +- return 0; ++ if (!have_vfs) ++ return 0; ++ ++ return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); + } + + static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb) +-- +2.53.0 + diff --git a/queue-6.6/alsa-asihpi-avoid-write-overflow-check-warning.patch b/queue-6.6/alsa-asihpi-avoid-write-overflow-check-warning.patch new file mode 100644 index 0000000000..6d31c10c4a --- /dev/null +++ b/queue-6.6/alsa-asihpi-avoid-write-overflow-check-warning.patch @@ -0,0 +1,55 @@ +From 8a469cd1b986eb4128216318ffa7209e7cf2e304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 13:40:07 +0100 +Subject: ALSA: asihpi: avoid write overflow check warning + +From: Arnd Bergmann + +[ Upstream commit 591721223be9e28f83489a59289579493b8e3d83 ] + +clang-22 rightfully warns that the memcpy() in adapter_prepare() copies +between different structures, crossing the boundary of nested +structures inside it: + +In file included from sound/pci/asihpi/hpimsgx.c:13: +In file included from include/linux/string.h:386: +include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning] + 569 | __write_overflow_field(p_size_field, size); + +The two structures seem to refer to the same layout, despite the +separate definitions, so the code is in fact correct. + +Avoid the warning by copying the two inner structures separately. +I see the same pattern happens in other functions in the same file, +so there is a chance that this may come back in the future, but +this instance is the only one that I saw in practice, hitting it +multiple times per day in randconfig build. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpimsgx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c +index b68e6bfbbfbab..ed1c7b7744361 100644 +--- a/sound/pci/asihpi/hpimsgx.c ++++ b/sound/pci/asihpi/hpimsgx.c +@@ -581,8 +581,10 @@ static u16 adapter_prepare(u16 adapter) + HPI_ADAPTER_OPEN); + hm.adapter_index = adapter; + hw_entry_point(&hm, &hr); +- memcpy(&rESP_HPI_ADAPTER_OPEN[adapter], &hr, +- sizeof(rESP_HPI_ADAPTER_OPEN[0])); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].h, &hr, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].h)); ++ memcpy(&rESP_HPI_ADAPTER_OPEN[adapter].a, &hr.u.ax.info, ++ sizeof(rESP_HPI_ADAPTER_OPEN[adapter].a)); + if (hr.error) + return hr.error; + +-- +2.53.0 + diff --git a/queue-6.6/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch b/queue-6.6/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch new file mode 100644 index 0000000000..931ff5be1d --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch @@ -0,0 +1,36 @@ +From f45164da3a483a99b9c892b40a36bc2d62a25c7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 01:08:51 +0000 +Subject: ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk + +From: Andrii Kovalchuk + +[ Upstream commit 793b008cd39516385791a1d1d223d817e947a471 ] + +Add a PCI quirk for HP ENVY Laptop 13-ba0xxx (PCI device ID 0x8756) +to enable proper mute LED and mic mute behavior using the +ALC245_FIXUP_HP_X360_MUTE_LEDS fixup. + +Signed-off-by: Andrii Kovalchuk +Link: https://patch.msgid.link/u0s-uRVegF9BN0t-4JnOUwsIAR-mVc4U4FJfJHdEHX7ro_laErHD9y35NebWybcN16gVaVHPJo1ap3AoJ1a2gqJImPvThgeNt_SYVY1KaDw=@proton.me +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 1a5e2fb0c842b..a3def674103b3 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10094,6 +10094,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x8756, "HP ENVY Laptop 13-ba0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x8760, "HP EliteBook 8{4,5}5 G7", ALC285_FIXUP_HP_BEEP_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x876e, "HP ENVY x360 Convertible 13-ay0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED), +-- +2.53.0 + diff --git a/queue-6.6/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-6.6/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..c7d32334c9 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch @@ -0,0 +1,45 @@ +From aa2c2caec454650a7c3e0dc45e979ea15d3b4b50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Mar 2026 10:36:03 -0500 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: César Montoya + +[ Upstream commit 2f388b4e8fdd6b0f27cafd281658daacfd85807e ] + +The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek +ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The +existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly, +but the subsystem ID was missing from the quirk table. + +GPIO pin confirmed via manual hda-verb testing: + hda-verb SET_GPIO_MASK 0x10 + hda-verb SET_GPIO_DIRECTION 0x10 + hda-verb SET_GPIO_DATA 0x10 + +Signed-off-by: César Montoya +Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index cd30f749c79b4..0efc2b8aedb4a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10108,6 +10108,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87cb, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), +-- +2.53.0 + diff --git a/queue-6.6/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch b/queue-6.6/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch new file mode 100644 index 0000000000..8be7859f98 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch @@ -0,0 +1,35 @@ +From 3c85ef7dcb3c9f6eab824a8ed6aeec0164100d2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:25:03 -0700 +Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC + +From: Matthew Schwartz + +[ Upstream commit 59f68dc1d8df3142cb58fd2568966a9bb7b0ed8a ] + +Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model, +similar to the ASUS ROG Flow Z13 GZ302EA. + +Signed-off-by: Matthew Schwartz +Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index a3def674103b3..cd30f749c79b4 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10290,6 +10290,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x1514, "ASUS ROG Flow Z13 GZ302EAC", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC), +-- +2.53.0 + diff --git a/queue-6.6/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch b/queue-6.6/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch new file mode 100644 index 0000000000..e4210f65b5 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch @@ -0,0 +1,38 @@ +From 09dfd8e381ca8998425996b302d9a9287ca37965 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 10:54:40 -0500 +Subject: ALSA: hda/realtek: add quirk for Framework F111:000F + +From: Dustin L. Howett + +[ Upstream commit bac1e57adf08c9ee33e95fb09cd032f330294e70 ] + +Similar to commit 7b509910b3ad ("ALSA hda/realtek: Add quirk for +Framework F111:000C") and previous quirks for Framework systems with +Realtek codecs. + +000F is another new platform with an ALC285 which needs the same quirk. + +Signed-off-by: Dustin L. Howett +Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 0efc2b8aedb4a..0ac8846326abe 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10671,6 +10671,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0xf111, 0x000f, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 + /* Below is a quirk table taken from the old code. +-- +2.53.0 + diff --git a/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch b/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch new file mode 100644 index 0000000000..b0d51eab74 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch @@ -0,0 +1,41 @@ +From 2eb20359b3fc939d946c1de9068c8751e4c9ceb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 09:26:51 +0800 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 + +From: songxiebing + +[ Upstream commit f0541edb2e7333f320642c7b491a67912c1f65db ] + +The bass speakers are not working, and add the following entry +in /etc/modprobe.d/snd.conf: +options snd-sof-intel-hda-generic hda_model=alc287-yoga9-bass-spk-pin +Fixes the bass speakers. + +So add the quick ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN here. + +Reported-by: Fernando Garcia Corona +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221317 +Signed-off-by: songxiebing +Link: https://patch.msgid.link/20260405012651.133838-1-songxiebing@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 0ac8846326abe..6ef859f59f8d1 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10593,6 +10593,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38fa, "Thinkbook 16P Gen5", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x390d, "Lenovo Yoga Pro 7 14ASP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x3911, "Lenovo Yoga Pro 7 14IAH10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), +-- +2.53.0 + diff --git a/queue-6.6/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch b/queue-6.6/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch new file mode 100644 index 0000000000..f37b56e642 --- /dev/null +++ b/queue-6.6/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch @@ -0,0 +1,41 @@ +From 890e9056410a4c18542c38e6a1ba1d1647b56aa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2026 08:07:34 +0000 +Subject: ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex + +From: Phil Willoughby + +[ Upstream commit bc5b4e5ae1a67700a618328217b6a3bd0f296e97 ] + +The NeuralDSP Quad Cortex does not support DSD playback. We need +this product-specific entry with zero quirks because otherwise it +falls through to the vendor-specific entry which marks it as +supporting DSD playback. + +Cc: Yue Wang +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Signed-off-by: Phil Willoughby +Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 04896ab01f372..847878438b8b7 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2185,6 +2185,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x13e5, 0x0001, /* Serato Phono */ + QUIRK_FLAG_IGNORE_CTL_ERROR), ++ DEVICE_FLG(0x152a, 0x880a, /* NeuralDSP Quad Cortex */ ++ 0), /* Doesn't have the vendor quirk which would otherwise apply */ + DEVICE_FLG(0x154e, 0x1002, /* Denon DCD-1500RE */ + QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY), + DEVICE_FLG(0x154e, 0x1003, /* Denon DA-300USB */ +-- +2.53.0 + diff --git a/queue-6.6/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch b/queue-6.6/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch new file mode 100644 index 0000000000..72e016e1a7 --- /dev/null +++ b/queue-6.6/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch @@ -0,0 +1,39 @@ +From 32bdb341a41495f8c9eaab682bb776f19d9425d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 00:28:28 +0100 +Subject: arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency + +From: Sebastian Krzyszkowiak + +[ Upstream commit 1f99b5d93d99ca17d50b386a674d0ce1f20932d8 ] + +According to i.MX 8M Quad Reference Manual, GPU_AHB_CLK_ROOT's maximum +frequency is 400MHz. + +Fixes: 45d2c84eb3a2 ("arm64: dts: imx8mq: add GPU node") +Reviewed-by: Frank Li +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Peng Fan +Reviewed-by: Fabio Estevam +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +index 052ba9baa400f..6b93fff5e97d0 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi +@@ -1629,7 +1629,7 @@ gpu: gpu@38000000 { + <&clk IMX8MQ_GPU_PLL_OUT>, + <&clk IMX8MQ_GPU_PLL>; + assigned-clock-rates = <800000000>, <800000000>, +- <800000000>, <800000000>, <0>; ++ <800000000>, <400000000>, <0>; + power-domains = <&pgc_gpu>; + }; + +-- +2.53.0 + diff --git a/queue-6.6/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch b/queue-6.6/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch new file mode 100644 index 0000000000..2cfdb5bd5a --- /dev/null +++ b/queue-6.6/asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch @@ -0,0 +1,47 @@ +From 02eba3509425ff3d9b863956778d2ea9e3346ef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 02:43:48 +0100 +Subject: ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gilson Marquato Júnior + +[ Upstream commit 8ec017cf31299c4b6287ebe27afe81c986aeef88 ] + +The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal +DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk +entry so the internal microphone is properly detected on this model. + +Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9). + +Signed-off-by: Gilson Marquato Júnior +Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 05aff73408d51..aaa0f44ef9e01 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -45,6 +45,13 @@ static struct snd_soc_card acp6x_card = { + }; + + static const struct dmi_system_id yc_acp_quirk_table[] = { ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Laptop 15-fc0xxx"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.53.0 + diff --git a/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch b/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch new file mode 100644 index 0000000000..3e12e895a1 --- /dev/null +++ b/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch @@ -0,0 +1,43 @@ +From 8fd6cdf05cc9928a66d0a60c5ed65f539ccdb598 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 21:25:12 +0700 +Subject: ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA + +From: Vee Satayamas + +[ Upstream commit f200b2f9a810c440c6750b56fc647b73337749a1 ] + +Add a DMI quirk for the Asus Expertbook BM1403CDA to resolve the issue of the +internal microphone not being detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221236 +Signed-off-by: Vee Satayamas +Reviewed-by: Zhang Heng +Link: https://patch.msgid.link/20260315142511.66029-2-vsatayamas@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index ab75349d1063d..8a666989a8f3d 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -710,6 +710,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "PM1503CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch b/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch new file mode 100644 index 0000000000..71b181180f --- /dev/null +++ b/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch @@ -0,0 +1,42 @@ +From 017b8657119f037c727f15ffbaa8d21747757ef2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 16:02:18 +0800 +Subject: ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF + +From: Zhang Heng + +[ Upstream commit 1f182ec9d7084db7dfdb2372d453c28f0e5c3f0a ] + +Add a DMI quirk for the Thin A15 B7VF fixing the issue where +the internal microphone was not detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833 +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 8a666989a8f3d..05aff73408d51 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -717,6 +717,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "BM1403CDA"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Thin A15 B7VE"), ++ } ++ }, + {} + }; + +-- +2.53.0 + diff --git a/queue-6.6/asoc-soc-core-call-missing-init_list_head-for-card_a.patch b/queue-6.6/asoc-soc-core-call-missing-init_list_head-for-card_a.patch new file mode 100644 index 0000000000..45d138c99f --- /dev/null +++ b/queue-6.6/asoc-soc-core-call-missing-init_list_head-for-card_a.patch @@ -0,0 +1,66 @@ +From 4958d26a95f2b7704f171f9a1fe75e59a7f7d2eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 02:43:54 +0000 +Subject: ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list + +From: Kuninori Morimoto + +[ Upstream commit b9eff9732cb0f86a68c9d1592a98ceab47c01e95 ] + +Component has "card_aux_list" which is added/deled in bind/unbind aux dev +function (A), and used in for_each_card_auxs() loop (B). + + static void soc_unbind_aux_dev(...) + { + ... + for_each_card_auxs_safe(...) { + ... +(A) list_del(&component->card_aux_list); + } ^^^^^^^^^^^^^ + } + + static int soc_bind_aux_dev(...) + { + ... + for_each_card_pre_auxs(...) { + ... +(A) list_add(&component->card_aux_list, ...); + } ^^^^^^^^^^^^^ + ... + } + + #define for_each_card_auxs(card, component) \ +(B) list_for_each_entry(component, ..., card_aux_list) + ^^^^^^^^^^^^^ + +But it has been used without calling INIT_LIST_HEAD(). + + > git grep card_aux_list sound/soc + sound/soc/soc-core.c: list_del(&component->card_aux_list); + sound/soc/soc-core.c: list_add(&component->card_aux_list, ...); + +call missing INIT_LIST_HEAD() for it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 696f5501a27bc..9cebe0ff9c07d 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2681,6 +2681,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, + INIT_LIST_HEAD(&component->dobj_list); + INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); ++ INIT_LIST_HEAD(&component->card_aux_list); + mutex_init(&component->io_mutex); + + component->name = fmt_single_name(dev, &component->id); +-- +2.53.0 + diff --git a/queue-6.6/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch b/queue-6.6/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch new file mode 100644 index 0000000000..5705271635 --- /dev/null +++ b/queue-6.6/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch @@ -0,0 +1,46 @@ +From 851ef5a373c4a6970c53d6e6dcbd4a8c78d02e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:45:26 -0300 +Subject: ASoC: SOF: topology: reject invalid vendor array size in token parser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +[ Upstream commit 215e5fe75881a7e2425df04aeeed47a903d5cd5d ] + +sof_parse_token_sets() accepts array->size values that can be invalid +for a vendor tuple array header. In particular, a zero size does not +advance the parser state and can lead to non-progress parsing on +malformed topology data. + +Validate array->size against the minimum header size and reject values +smaller than sizeof(*array) before parsing. This preserves behavior for +valid topologies and hardens malformed-input handling. + +Signed-off-by: Cássio Gabriel +Acked-by: Peter Ujfalusi +Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index c18a1fdd40ee3..51a29d2de5ed4 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -722,7 +722,7 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp, + asize = le32_to_cpu(array->size); + + /* validate asize */ +- if (asize < 0) { /* FIXME: A zero-size array makes no sense */ ++ if (asize < sizeof(*array)) { + dev_err(scomp->dev, "error: invalid array size 0x%x\n", + asize); + return -EINVAL; +-- +2.53.0 + diff --git a/queue-6.6/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch b/queue-6.6/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch new file mode 100644 index 0000000000..c70b1a0e62 --- /dev/null +++ b/queue-6.6/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch @@ -0,0 +1,64 @@ +From 74d1c44e17a65601c07662c0180c3e2107885edd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:40:56 +0200 +Subject: ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J + +From: Tomasz Merta + +[ Upstream commit 0669631dbccd41cf3ca7aa70213fcd8bb41c4b38 ] + +The STM32 SAI driver do not set the clock strobing bit (CKSTR) for DSP_A, +DSP_B and LEFT_J formats, causing data to be sampled on the wrong BCLK +edge when SND_SOC_DAIFMT_NB_NF is used. + +Per ALSA convention, NB_NF requires sampling on the rising BCLK edge. +The STM32MP25 SAI reference manual states that CKSTR=1 is required for +signals received by the SAI to be sampled on the SCK rising edge. +Without setting CKSTR=1, the SAI samples on the falling edge, violating +the NB_NF convention. For comparison, the NXP FSL SAI driver correctly +sets FSL_SAI_CR2_BCP for DSP_A, DSP_B and LEFT_J, consistent with its +I2S handling. + +This patch adds SAI_XCR1_CKSTR for DSP_A, DSP_B and LEFT_J in +stm32_sai_set_dai_fmt which was verified empirically with a cs47l35 codec. +RIGHT_J (LSB) is not investigated and addressed by this patch. + +Note: the STM32 I2S driver (stm32_i2s_set_dai_fmt) may have the same issue +for DSP_A mode, as I2S_CGFR_CKPOL is not set. This has not been verified +and is left for a separate investigation. + +Signed-off-by: Tomasz Merta +Link: https://patch.msgid.link/20260408084056.20588-1-tommerta@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_sai_sub.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c +index c47f23634e957..03788bd869197 100644 +--- a/sound/soc/stm/stm32_sai_sub.c ++++ b/sound/soc/stm/stm32_sai_sub.c +@@ -677,6 +677,7 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + break; + /* Left justified */ + case SND_SOC_DAIFMT_MSB: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + /* Right justified */ +@@ -684,9 +685,11 @@ static int stm32_sai_set_dai_fmt(struct snd_soc_dai *cpu_dai, unsigned int fmt) + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSDEF; + break; + case SND_SOC_DAIFMT_DSP_A: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL | SAI_XFRCR_FSOFF; + break; + case SND_SOC_DAIFMT_DSP_B: ++ cr1 |= SAI_XCR1_CKSTR; + frcr |= SAI_XFRCR_FSPOL; + break; + default: +-- +2.53.0 + diff --git a/queue-6.6/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch b/queue-6.6/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch new file mode 100644 index 0000000000..b031be82d4 --- /dev/null +++ b/queue-6.6/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch @@ -0,0 +1,83 @@ +From 5be7985089c3cd4ccc42f09126ea663c6af2ade6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 15:23:35 -0700 +Subject: ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 + +From: Arthur Husband + +[ Upstream commit 105c42566a550e2d05fc14f763216a8765ee5d0e ] + +The JMicron JMB585 (and JMB582) SATA controllers advertise 64-bit DMA +support via the S64A bit in the AHCI CAP register, but their 64-bit DMA +implementation is defective. Under sustained I/O, DMA transfers targeting +addresses above 4GB silently corrupt data -- writes land at incorrect +memory addresses with no errors logged. + +The failure pattern is similar to the ASMedia ASM1061 +(commit 20730e9b2778 ("ahci: add 43-bit DMA address quirk for ASMedia +ASM1061 controllers")), which also falsely advertised full 64-bit DMA +support. However, the JMB585 requires a stricter 32-bit DMA mask rather +than 43-bit, as corruption occurs with any address above 4GB. + +On the Minisforum N5 Pro specifically, the combination of the JMB585's +broken 64-bit DMA with the AMD Family 1Ah (Strix Point) IOMMU causes +silent data corruption that is only detectable via checksumming +filesystems (BTRFS/ZFS scrub). The corruption occurs when 32-bit IOVA +space is exhausted and the kernel transparently switches to 64-bit DMA +addresses. + +Add device-specific PCI ID entries for the JMB582 (0x0582) and JMB585 +(0x0585) before the generic JMicron class match, using a new board type +that combines AHCI_HFLAG_IGN_IRQ_IF_ERR (preserving existing behavior) +with AHCI_HFLAG_32BIT_ONLY to force 32-bit DMA masks. + +Signed-off-by: Arthur Husband +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 98104d0b842bd..9d59e6e2d63ba 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -60,6 +60,7 @@ enum board_ids { + /* board IDs for specific chipsets in alphabetical order */ + board_ahci_al, + board_ahci_avn, ++ board_ahci_jmb585, + board_ahci_mcp65, + board_ahci_mcp77, + board_ahci_mcp89, +@@ -199,6 +200,15 @@ static const struct ata_port_info ahci_port_info[] = { + .udma_mask = ATA_UDMA6, + .port_ops = &ahci_avn_ops, + }, ++ /* JMicron JMB582/585: 64-bit DMA is broken, force 32-bit */ ++ [board_ahci_jmb585] = { ++ AHCI_HFLAGS (AHCI_HFLAG_IGN_IRQ_IF_ERR | ++ AHCI_HFLAG_32BIT_ONLY), ++ .flags = AHCI_FLAG_COMMON, ++ .pio_mask = ATA_PIO4, ++ .udma_mask = ATA_UDMA6, ++ .port_ops = &ahci_ops, ++ }, + [board_ahci_mcp65] = { + AHCI_HFLAGS (AHCI_HFLAG_NO_FPDMA_AA | AHCI_HFLAG_NO_PMP | + AHCI_HFLAG_YES_NCQ), +@@ -432,6 +442,10 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* Elkhart Lake IDs 0x4b60 & 0x4b62 https://sata-io.org/product/8803 not tested yet */ + { PCI_VDEVICE(INTEL, 0x4b63), board_ahci_low_power }, /* Elkhart Lake AHCI */ + ++ /* JMicron JMB582/585: force 32-bit DMA (broken 64-bit implementation) */ ++ { PCI_VDEVICE(JMICRON, 0x0582), board_ahci_jmb585 }, ++ { PCI_VDEVICE(JMICRON, 0x0585), board_ahci_jmb585 }, ++ + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci_ign_iferr }, +-- +2.53.0 + diff --git a/queue-6.6/btrfs-tracepoints-get-correct-superblock-from-dentry.patch b/queue-6.6/btrfs-tracepoints-get-correct-superblock-from-dentry.patch new file mode 100644 index 0000000000..891060c596 --- /dev/null +++ b/queue-6.6/btrfs-tracepoints-get-correct-superblock-from-dentry.patch @@ -0,0 +1,50 @@ +From d2cf643aca2bf95f0e96e0f94164d094db2eed7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 14:11:39 -0400 +Subject: btrfs: tracepoints: get correct superblock from dentry in event + btrfs_sync_file() + +From: Goldwyn Rodrigues + +[ Upstream commit a85b46db143fda5869e7d8df8f258ccef5fa1719 ] + +If overlay is used on top of btrfs, dentry->d_sb translates to overlay's +super block and fsid assignment will lead to a crash. + +Use file_inode(file)->i_sb to always get btrfs_sb. + +Reviewed-by: Boris Burkov +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + include/trace/events/btrfs.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h +index eb762cc7bec53..2364c68df76c4 100644 +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -789,12 +789,15 @@ TRACE_EVENT(btrfs_sync_file, + ), + + TP_fast_assign( +- const struct dentry *dentry = file->f_path.dentry; +- const struct inode *inode = d_inode(dentry); ++ struct dentry *dentry = file_dentry(file); ++ struct inode *inode = file_inode(file); ++ struct dentry *parent = dget_parent(dentry); ++ struct inode *parent_inode = d_inode(parent); + +- TP_fast_assign_fsid(btrfs_sb(file->f_path.dentry->d_sb)); ++ dput(parent); ++ TP_fast_assign_fsid(btrfs_sb(inode->i_sb)); + __entry->ino = btrfs_ino(BTRFS_I(inode)); +- __entry->parent = btrfs_ino(BTRFS_I(d_inode(dentry->d_parent))); ++ __entry->parent = btrfs_ino(BTRFS_I(parent_inode)); + __entry->datasync = datasync; + __entry->root_objectid = + BTRFS_I(inode)->root->root_key.objectid; +-- +2.53.0 + diff --git a/queue-6.6/can-mcp251x-add-error-handling-for-power-enable-in-o.patch b/queue-6.6/can-mcp251x-add-error-handling-for-power-enable-in-o.patch new file mode 100644 index 0000000000..e5fb0011d0 --- /dev/null +++ b/queue-6.6/can-mcp251x-add-error-handling-for-power-enable-in-o.patch @@ -0,0 +1,90 @@ +From 0e28d94e3e38631b8cb89e6154388e1042cc1062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 00:00:22 +0800 +Subject: can: mcp251x: add error handling for power enable in open and resume + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 7a57354756c7df223abe2c33774235ad70cb4231 ] + +Add missing error handling for mcp251x_power_enable() calls in both +mcp251x_open() and mcp251x_can_resume() functions. + +In mcp251x_open(), if power enable fails, jump to error path to close +candev without attempting to disable power again. + +In mcp251x_can_resume(), properly check return values of power enable calls +for both power and transceiver regulators. If any fails, return the error +code to the PM framework and log the failure. + +This ensures the driver properly handles power control failures and +maintains correct device state. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com +[mkl: fix patch description] +[mkl: mcp251x_can_resume(): replace goto by return] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index 72ae17b2313ec..d3ffab297b77b 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1213,7 +1213,11 @@ static int mcp251x_open(struct net_device *net) + } + + mutex_lock(&priv->mcp_lock); +- mcp251x_power_enable(priv->transceiver, 1); ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(&spi->dev, "failed to enable transceiver power: %pe\n", ERR_PTR(ret)); ++ goto out_close_candev; ++ } + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -1260,6 +1264,7 @@ static int mcp251x_open(struct net_device *net) + mcp251x_hw_sleep(spi); + out_close: + mcp251x_power_enable(priv->transceiver, 0); ++out_close_candev: + close_candev(net); + mutex_unlock(&priv->mcp_lock); + if (release_irq) +@@ -1499,11 +1504,25 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev) + { + struct spi_device *spi = to_spi_device(dev); + struct mcp251x_priv *priv = spi_get_drvdata(spi); ++ int ret = 0; + +- if (priv->after_suspend & AFTER_SUSPEND_POWER) +- mcp251x_power_enable(priv->power, 1); +- if (priv->after_suspend & AFTER_SUSPEND_UP) +- mcp251x_power_enable(priv->transceiver, 1); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) { ++ ret = mcp251x_power_enable(priv->power, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore power: %pe\n", ERR_PTR(ret)); ++ return ret; ++ } ++ } ++ ++ if (priv->after_suspend & AFTER_SUSPEND_UP) { ++ ret = mcp251x_power_enable(priv->transceiver, 1); ++ if (ret) { ++ dev_err(dev, "failed to restore transceiver power: %pe\n", ERR_PTR(ret)); ++ if (priv->after_suspend & AFTER_SUSPEND_POWER) ++ mcp251x_power_enable(priv->power, 0); ++ return ret; ++ } ++ } + + if (priv->after_suspend & (AFTER_SUSPEND_POWER | AFTER_SUSPEND_UP)) + queue_work(priv->wq, &priv->restart_work); +-- +2.53.0 + diff --git a/queue-6.6/clockevents-prevent-timer-interrupt-starvation.patch b/queue-6.6/clockevents-prevent-timer-interrupt-starvation.patch new file mode 100644 index 0000000000..af4259eaab --- /dev/null +++ b/queue-6.6/clockevents-prevent-timer-interrupt-starvation.patch @@ -0,0 +1,218 @@ +From 051fea00173d929d0ed32c7ffa323fbe431d8242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 10:54:17 +0200 +Subject: clockevents: Prevent timer interrupt starvation + +From: Thomas Gleixner + +[ Upstream commit d6e152d905bdb1f32f9d99775e2f453350399a6a ] + +Calvin reported an odd NMI watchdog lockup which claims that the CPU locked +up in user space. He provided a reproducer, which sets up a timerfd based +timer and then rearms it in a loop with an absolute expiry time of 1ns. + +As the expiry time is in the past, the timer ends up as the first expiring +timer in the per CPU hrtimer base and the clockevent device is programmed +with the minimum delta value. If the machine is fast enough, this ends up +in a endless loop of programming the delta value to the minimum value +defined by the clock event device, before the timer interrupt can fire, +which starves the interrupt and consequently triggers the lockup detector +because the hrtimer callback of the lockup mechanism is never invoked. + +As a first step to prevent this, avoid reprogramming the clock event device +when: + - a forced minimum delta event is pending + - the new expiry delta is less then or equal to the minimum delta + +Thanks to Calvin for providing the reproducer and to Borislav for testing +and providing data from his Zen5 machine. + +The problem is not limited to Zen5, but depending on the underlying +clock event device (e.g. TSC deadline timer on Intel) and the CPU speed +not necessarily observable. + +This change serves only as the last resort and further changes will be made +to prevent this scenario earlier in the call chain as far as possible. + +[ tglx: Updated to restore the old behaviour vs. !force and delta <= 0 and + fixed up the tick-broadcast handlers as pointed out by Borislav ] + +Fixes: d316c57ff6bf ("[PATCH] clockevents: add core functionality") +Reported-by: Calvin Owens +Signed-off-by: Thomas Gleixner +Tested-by: Calvin Owens +Tested-by: Borislav Petkov +Link: https://lore.kernel.org/lkml/acMe-QZUel-bBYUh@mozart.vkv.me/ +Link: https://patch.msgid.link/20260407083247.562657657@kernel.org +Signed-off-by: Sasha Levin +--- + include/linux/clockchips.h | 2 ++ + kernel/time/clockevents.c | 27 +++++++++++++++++++-------- + kernel/time/hrtimer.c | 1 + + kernel/time/tick-broadcast.c | 8 +++++++- + kernel/time/tick-common.c | 1 + + kernel/time/tick-sched.c | 1 + + 6 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/include/linux/clockchips.h b/include/linux/clockchips.h +index 9aac31d856f39..c0d767b8f4bd5 100644 +--- a/include/linux/clockchips.h ++++ b/include/linux/clockchips.h +@@ -80,6 +80,7 @@ enum clock_event_state { + * @shift: nanoseconds to cycles divisor (power of two) + * @state_use_accessors:current state of the device, assigned by the core code + * @features: features ++ * @next_event_forced: True if the last programming was a forced event + * @retries: number of forced programming retries + * @set_state_periodic: switch state to periodic + * @set_state_oneshot: switch state to oneshot +@@ -108,6 +109,7 @@ struct clock_event_device { + u32 shift; + enum clock_event_state state_use_accessors; + unsigned int features; ++ unsigned int next_event_forced; + unsigned long retries; + + int (*set_state_periodic)(struct clock_event_device *); +diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c +index 960143b183cdb..0869b3902605e 100644 +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -172,6 +172,7 @@ void clockevents_shutdown(struct clock_event_device *dev) + { + clockevents_switch_state(dev, CLOCK_EVT_STATE_SHUTDOWN); + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + } + + /** +@@ -305,7 +306,6 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + { + unsigned long long clc; + int64_t delta; +- int rc; + + if (WARN_ON_ONCE(expires < 0)) + return -ETIME; +@@ -324,16 +324,27 @@ int clockevents_program_event(struct clock_event_device *dev, ktime_t expires, + return dev->set_next_ktime(expires, dev); + + delta = ktime_to_ns(ktime_sub(expires, ktime_get())); +- if (delta <= 0) +- return force ? clockevents_program_min_delta(dev) : -ETIME; + +- delta = min(delta, (int64_t) dev->max_delta_ns); +- delta = max(delta, (int64_t) dev->min_delta_ns); ++ /* Required for tick_periodic() during early boot */ ++ if (delta <= 0 && !force) ++ return -ETIME; ++ ++ if (delta > (int64_t)dev->min_delta_ns) { ++ delta = min(delta, (int64_t) dev->max_delta_ns); ++ clc = ((unsigned long long) delta * dev->mult) >> dev->shift; ++ if (!dev->set_next_event((unsigned long) clc, dev)) ++ return 0; ++ } + +- clc = ((unsigned long long) delta * dev->mult) >> dev->shift; +- rc = dev->set_next_event((unsigned long) clc, dev); ++ if (dev->next_event_forced) ++ return 0; + +- return (rc && force) ? clockevents_program_min_delta(dev) : rc; ++ if (dev->set_next_event(dev->min_delta_ticks, dev)) { ++ if (!force || clockevents_program_min_delta(dev)) ++ return -ETIME; ++ } ++ dev->next_event_forced = 1; ++ return 0; + } + + /* +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 03f488f93cddf..9a8a2d36b9db6 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1853,6 +1853,7 @@ void hrtimer_interrupt(struct clock_event_device *dev) + BUG_ON(!cpu_base->hres_active); + cpu_base->nr_events++; + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + raw_spin_lock_irqsave(&cpu_base->lock, flags); + entry_time = now = hrtimer_update_base(cpu_base); +diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c +index ed58eebb4e8f4..99d2978ef9b98 100644 +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -76,8 +76,10 @@ const struct clock_event_device *tick_get_wakeup_device(int cpu) + */ + static void tick_broadcast_start_periodic(struct clock_event_device *bc) + { +- if (bc) ++ if (bc) { ++ bc->next_event_forced = 0; + tick_setup_periodic(bc, 1); ++ } + } + + /* +@@ -403,6 +405,7 @@ static void tick_handle_periodic_broadcast(struct clock_event_device *dev) + bool bc_local; + + raw_spin_lock(&tick_broadcast_lock); ++ tick_broadcast_device.evtdev->next_event_forced = 0; + + /* Handle spurious interrupts gracefully */ + if (clockevent_state_shutdown(tick_broadcast_device.evtdev)) { +@@ -696,6 +699,7 @@ static void tick_handle_oneshot_broadcast(struct clock_event_device *dev) + + raw_spin_lock(&tick_broadcast_lock); + dev->next_event = KTIME_MAX; ++ tick_broadcast_device.evtdev->next_event_forced = 0; + next_event = KTIME_MAX; + cpumask_clear(tmpmask); + now = ktime_get(); +@@ -1061,6 +1065,7 @@ static void tick_broadcast_setup_oneshot(struct clock_event_device *bc, + + + bc->event_handler = tick_handle_oneshot_broadcast; ++ bc->next_event_forced = 0; + bc->next_event = KTIME_MAX; + + /* +@@ -1173,6 +1178,7 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu) + } + + /* This moves the broadcast assignment to this CPU: */ ++ bc->next_event_forced = 0; + clockevents_program_event(bc, bc->next_event, 1); + } + raw_spin_unlock_irqrestore(&tick_broadcast_lock, flags); +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index ecdb8c2b2cab2..d5c9af9c6c333 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -109,6 +109,7 @@ void tick_handle_periodic(struct clock_event_device *dev) + int cpu = smp_processor_id(); + ktime_t next = dev->next_event; + ++ dev->next_event_forced = 0; + tick_periodic(cpu); + + #if defined(CONFIG_HIGH_RES_TIMERS) || defined(CONFIG_NO_HZ_COMMON) +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 55cbc49f70d14..bf3ff0dbf2a28 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1373,6 +1373,7 @@ static void tick_nohz_handler(struct clock_event_device *dev) + ktime_t now = ktime_get(); + + dev->next_event = KTIME_MAX; ++ dev->next_event_forced = 0; + + tick_sched_do_timer(ts, now); + tick_sched_handle(ts, regs); +-- +2.53.0 + diff --git a/queue-6.6/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-6.6/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch new file mode 100644 index 0000000000..983de50373 --- /dev/null +++ b/queue-6.6/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch @@ -0,0 +1,38 @@ +From 43dd663b11e9cceed1ad3a53895b06b2879b1f54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 13:32:21 +0800 +Subject: crypto: algif_aead - Fix minimum RX size check for decryption + +From: Herbert Xu + +[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] + +The check for the minimum receive buffer size did not take the +tag size into account during decryption. Fix this by adding the +required extra length. + +Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com +Reported-by: Daniel Pouzzner +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_aead.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c +index 7d58cbbce4af2..481e66f8708bb 100644 +--- a/crypto/algif_aead.c ++++ b/crypto/algif_aead.c +@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + if (usedpages < outlen) { + size_t less = outlen - usedpages; + +- if (used < less) { ++ if (used < less + (ctx->enc ? 0 : as)) { + err = -EINVAL; + goto free; + } +-- +2.53.0 + diff --git a/queue-6.6/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch b/queue-6.6/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch new file mode 100644 index 0000000000..13e59e6870 --- /dev/null +++ b/queue-6.6/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch @@ -0,0 +1,74 @@ +From 1794f1c289a7ab31c938b58aed5345e494d1db6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:45 -0300 +Subject: drm/vc4: Fix a memory leak in hang state error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 9525d169e5fd481538cf8c663cc5839e54f2e481 ] + +When vc4_save_hang_state() encounters an early return condition, it +returns without freeing the previously allocated `kernel_state`, +leaking memory. + +Add the missing kfree() calls by consolidating the early return paths +into a single place. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-3-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index fe535c6fc95a8..cede3bf3d722a 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -169,10 +169,8 @@ vc4_save_hang_state(struct drm_device *dev) + spin_lock_irqsave(&vc4->job_lock, irqflags); + exec[0] = vc4_first_bin_job(vc4); + exec[1] = vc4_first_render_job(vc4); +- if (!exec[0] && !exec[1]) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!exec[0] && !exec[1]) ++ goto err_free_state; + + /* Get the bos from both binner and renderer into hang state. */ + state->bo_count = 0; +@@ -189,10 +187,8 @@ vc4_save_hang_state(struct drm_device *dev) + kernel_state->bo = kcalloc(state->bo_count, + sizeof(*kernel_state->bo), GFP_ATOMIC); + +- if (!kernel_state->bo) { +- spin_unlock_irqrestore(&vc4->job_lock, irqflags); +- return; +- } ++ if (!kernel_state->bo) ++ goto err_free_state; + + k = 0; + for (i = 0; i < 2; i++) { +@@ -284,6 +280,12 @@ vc4_save_hang_state(struct drm_device *dev) + vc4->hang_state = kernel_state; + spin_unlock_irqrestore(&vc4->job_lock, irqflags); + } ++ ++ return; ++ ++err_free_state: ++ spin_unlock_irqrestore(&vc4->job_lock, irqflags); ++ kfree(kernel_state); + } + + static void +-- +2.53.0 + diff --git a/queue-6.6/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch b/queue-6.6/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch new file mode 100644 index 0000000000..0a884c8ba6 --- /dev/null +++ b/queue-6.6/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch @@ -0,0 +1,40 @@ +From 7eb9c21da83c91588df1cae6005d68bc1e521142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:44 -0300 +Subject: drm/vc4: Fix memory leak of BO array in hang state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit f4dfd6847b3e5d24e336bca6057485116d17aea4 ] + +The hang state's BO array is allocated separately with kzalloc() in +vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the +missing kfree() for the BO array before freeing the hang state struct. + +Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-2-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_gem.c b/drivers/gpu/drm/vc4/vc4_gem.c +index 03648f954985e..fe535c6fc95a8 100644 +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -60,6 +60,7 @@ vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state) + for (i = 0; i < state->user_state.bo_count; i++) + drm_gem_object_put(state->bo[i]); + ++ kfree(state->bo); + kfree(state); + } + +-- +2.53.0 + diff --git a/queue-6.6/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch b/queue-6.6/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch new file mode 100644 index 0000000000..9d090bfa81 --- /dev/null +++ b/queue-6.6/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch @@ -0,0 +1,48 @@ +From f04bb49418754f02a05092177a1f4f096777de1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:46 -0300 +Subject: drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 338c56050d8e892604da97f67bfa8cc4015a955f ] + +The mmap callback reads bo->madv without holding madv_lock, racing with +concurrent DRM_IOCTL_VC4_GEM_MADVISE calls that modify the field under +the same lock. Add the missing locking to prevent the data race. + +Fixes: b9f19259b84d ("drm/vc4: Add the DRM_IOCTL_VC4_GEM_MADVISE ioctl") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-4-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_bo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c +index 86d629e45307d..84ad6a952b5d3 100644 +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -738,12 +738,15 @@ static int vc4_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct + return -EINVAL; + } + ++ mutex_lock(&bo->madv_lock); + if (bo->madv != VC4_MADV_WILLNEED) { + DRM_DEBUG("mmapping of %s BO not allowed\n", + bo->madv == VC4_MADV_DONTNEED ? + "purgeable" : "purged"); ++ mutex_unlock(&bo->madv_lock); + return -EINVAL; + } ++ mutex_unlock(&bo->madv_lock); + + return drm_gem_dma_mmap(&bo->base, vma); + } +-- +2.53.0 + diff --git a/queue-6.6/drm-vc4-release-runtime-pm-reference-after-binding-v.patch b/queue-6.6/drm-vc4-release-runtime-pm-reference-after-binding-v.patch new file mode 100644 index 0000000000..dedb8d6ea5 --- /dev/null +++ b/queue-6.6/drm-vc4-release-runtime-pm-reference-after-binding-v.patch @@ -0,0 +1,46 @@ +From 7e96c10a1cc3f97e1984a388ae6002092d6575f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 14:51:43 -0300 +Subject: drm/vc4: Release runtime PM reference after binding V3D +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit aaefbdde9abdc43699e110679c0e10972a5e1c59 ] + +The vc4_v3d_bind() function acquires a runtime PM reference via +pm_runtime_resume_and_get() to access V3D registers during setup. +However, this reference is never released after a successful bind. +This prevents the device from ever runtime suspending, since the +reference count never reaches zero. + +Release the runtime PM reference by adding pm_runtime_put_autosuspend() +after autosuspend is configured, allowing the device to runtime suspend +after the delay. + +Fixes: 266cff37d7fc ("drm/vc4: v3d: Rework the runtime_pm setup") +Reviewed-by: Melissa Wen +Link: https://patch.msgid.link/20260330-vc4-misc-fixes-v1-1-92defc940a29@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_v3d.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c +index 04ac7805e6d5f..b1de828e2f90e 100644 +--- a/drivers/gpu/drm/vc4/vc4_v3d.c ++++ b/drivers/gpu/drm/vc4/vc4_v3d.c +@@ -491,6 +491,7 @@ static int vc4_v3d_bind(struct device *dev, struct device *master, void *data) + + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, 40); /* a little over 2 frames. */ ++ pm_runtime_put_autosuspend(dev); + + return 0; + +-- +2.53.0 + diff --git a/queue-6.6/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch b/queue-6.6/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch new file mode 100644 index 0000000000..d8e247dea8 --- /dev/null +++ b/queue-6.6/dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch @@ -0,0 +1,59 @@ +From eead08648ad3c2949035c7cbb76d9faa00ed7de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:40 +0100 +Subject: dt-bindings: net: Fix Tegra234 MGBE PTP clock + +From: Jon Hunter + +[ Upstream commit fb22b1fc5bca3c0aad95388933497ceb30f1fb26 ] + +The PTP clock for the Tegra234 MGBE device is incorrectly named +'ptp-ref' and should be 'ptp_ref'. This is causing the following +warning to be observed on Tegra234 platforms that use this device: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +Although this constitutes an ABI breakage in the binding for this +device, PTP support has clearly never worked and so fix this now +so we can correct the device-tree for this device. Note that the +MGBE driver still supports the legacy 'ptp-ref' clock name and so +older/existing device-trees will still work, but given that this +is not the correct name, there is no point to advertise this in the +binding. + +Fixes: 189c2e5c7669 ("dt-bindings: net: Add Tegra234 MGBE") +Signed-off-by: Jon Hunter +Reviewed-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20260401102941.17466-3-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/net/nvidia,tegra234-mgbe.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +index 2bd3efff2485e..215f14d1897d2 100644 +--- a/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml ++++ b/Documentation/devicetree/bindings/net/nvidia,tegra234-mgbe.yaml +@@ -42,7 +42,7 @@ properties: + - const: mgbe + - const: mac + - const: mac-divider +- - const: ptp-ref ++ - const: ptp_ref + - const: rx-input-m + - const: rx-input + - const: tx +@@ -133,7 +133,7 @@ examples: + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS_M>, + <&bpmp TEGRA234_CLK_MGBE0_RX_PCS>, + <&bpmp TEGRA234_CLK_MGBE0_TX_PCS>; +- clock-names = "mgbe", "mac", "mac-divider", "ptp-ref", "rx-input-m", ++ clock-names = "mgbe", "mac", "mac-divider", "ptp_ref", "rx-input-m", + "rx-input", "tx", "eee-pcs", "rx-pcs-input", "rx-pcs-m", + "rx-pcs", "tx-pcs"; + resets = <&bpmp TEGRA234_RESET_MGBE0_MAC>, +-- +2.53.0 + diff --git a/queue-6.6/e1000-check-return-value-of-e1000_read_eeprom.patch b/queue-6.6/e1000-check-return-value-of-e1000_read_eeprom.patch new file mode 100644 index 0000000000..d79e81ba29 --- /dev/null +++ b/queue-6.6/e1000-check-return-value-of-e1000_read_eeprom.patch @@ -0,0 +1,70 @@ +From 172029b1b4b8bb4321d44a306589f65d6aeed05b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 15:05:05 +0300 +Subject: e1000: check return value of e1000_read_eeprom + +From: Agalakov Daniil + +[ Upstream commit d3baa34a470771399c1495bc04b1e26ac15d598e ] + +[Why] +e1000_set_eeprom() performs a read-modify-write operation when the write +range is not word-aligned. This requires reading the first and last words +of the range from the EEPROM to preserve the unmodified bytes. + +However, the code does not check the return value of e1000_read_eeprom(). +If the read fails, the operation continues using uninitialized data from +eeprom_buff. This results in corrupted data being written back to the +EEPROM for the boundary words. + +Add the missing error checks and abort the operation if reading fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-developed-by: Iskhakov Daniil +Signed-off-by: Iskhakov Daniil +Signed-off-by: Agalakov Daniil +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index d06d29c6c0370..c7b50059663d9 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -496,14 +496,19 @@ static int e1000_set_eeprom(struct net_device *netdev, + */ + ret_val = e1000_read_eeprom(hw, first_word, 1, + &eeprom_buff[0]); ++ if (ret_val) ++ goto out; ++ + ptr++; + } +- if (((eeprom->offset + eeprom->len) & 1) && (ret_val == 0)) { ++ if ((eeprom->offset + eeprom->len) & 1) { + /* need read/modify/write of last changed EEPROM word + * only the first byte of the word is being modified + */ + ret_val = e1000_read_eeprom(hw, last_word, 1, + &eeprom_buff[last_word - first_word]); ++ if (ret_val) ++ goto out; + } + + /* Device's eeprom is always little-endian, word addressable */ +@@ -522,6 +527,7 @@ static int e1000_set_eeprom(struct net_device *netdev, + if ((ret_val == 0) && (first_word <= EEPROM_CHECKSUM_REG)) + e1000_update_eeprom_checksum(hw); + ++out: + kfree(eeprom_buff); + return ret_val; + } +-- +2.53.0 + diff --git a/queue-6.6/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch b/queue-6.6/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch new file mode 100644 index 0000000000..2ca8212f84 --- /dev/null +++ b/queue-6.6/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch @@ -0,0 +1,48 @@ +From 258e04ce524c8bcfeb510d80c9b417dad80b24db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2026 15:25:32 +0200 +Subject: eventpoll: defer struct eventpoll free to RCU grace period + +From: Nicholas Carlini + +[ Upstream commit 07712db80857d5d09ae08f3df85a708ecfc3b61f ] + +In certain situations, ep_free() in eventpoll.c will kfree the epi->ep +eventpoll struct while it still being used by another concurrent thread. +Defer the kfree() to an RCU callback to prevent UAF. + +Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") +Signed-off-by: Nicholas Carlini +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 3c6c646fb3c49..8a556560a5b2f 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -225,6 +225,9 @@ struct eventpoll { + */ + refcount_t refcount; + ++ /* used to defer freeing past ep_get_upwards_depth_proc() RCU walk */ ++ struct rcu_head rcu; ++ + #ifdef CONFIG_NET_RX_BUSY_POLL + /* used to track busy poll napi_id */ + unsigned int napi_id; +@@ -708,7 +711,8 @@ static void ep_free(struct eventpoll *ep) + mutex_destroy(&ep->mtx); + free_uid(ep->user); + wakeup_source_unregister(ep->ws); +- kfree(ep); ++ /* ep_get_upwards_depth_proc() may still hold epi->ep under RCU */ ++ kfree_rcu(ep, rcu); + } + + /* +-- +2.53.0 + diff --git a/queue-6.6/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch b/queue-6.6/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch new file mode 100644 index 0000000000..4edf57baeb --- /dev/null +++ b/queue-6.6/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch @@ -0,0 +1,47 @@ +From b4ba0d74aa7996739d6dc9963221e477bc8f7edb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2026 13:11:27 -0700 +Subject: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath + +From: Fredric Cover + +[ Upstream commit 78ec5bf2f589ec7fd8f169394bfeca541b077317 ] + +When cifs_sanitize_prepath is called with an empty string or a string +containing only delimiters (e.g., "/"), the current logic attempts to +check *(cursor2 - 1) before cursor2 has advanced. This results in an +out-of-bounds read. + +This patch adds an early exit check after stripping prepended +delimiters. If no path content remains, the function returns NULL. + +The bug was identified via manual audit and verified using a +standalone test case compiled with AddressSanitizer, which +triggered a SEGV on affected inputs. + +Signed-off-by: Fredric Cover +Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index 930f9c17a8d6d..0812af0014173 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -495,6 +495,10 @@ char *cifs_sanitize_prepath(char *prepath, gfp_t gfp) + while (IS_DELIM(*cursor1)) + cursor1++; + ++ /* exit in case of only delimiters */ ++ if (!*cursor1) ++ return NULL; ++ + /* copy the first letter */ + *cursor2 = *cursor1; + +-- +2.53.0 + diff --git a/queue-6.6/gpio-tegra-fix-irq_release_resources-calling-enable-.patch b/queue-6.6/gpio-tegra-fix-irq_release_resources-calling-enable-.patch new file mode 100644 index 0000000000..fab72b876d --- /dev/null +++ b/queue-6.6/gpio-tegra-fix-irq_release_resources-calling-enable-.patch @@ -0,0 +1,41 @@ +From b284585d68168723f3b2e7a2768ffb64fab593e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2026 14:02:47 -0700 +Subject: gpio: tegra: fix irq_release_resources calling enable instead of + disable + +From: Samasth Norway Ananda + +[ Upstream commit 1561d96f5f55c1bca9ff047ace5813f4f244eea6 ] + +tegra_gpio_irq_release_resources() erroneously calls tegra_gpio_enable() +instead of tegra_gpio_disable(). When IRQ resources are released, the +GPIO configuration bit (CNF) should be cleared to deconfigure the pin as +a GPIO. Leaving it enabled wastes power and can cause unexpected behavior +if the pin is later reused for an alternate function via pinctrl. + +Fixes: 66fecef5bde0 ("gpio: tegra: Convert to gpio_irq_chip") +Signed-off-by: Samasth Norway Ananda +Link: https://patch.msgid.link/20260407210247.1737938-1-samasth.norway.ananda@oracle.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c +index ea715582bcf34..dc2a4d3d56a10 100644 +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -597,7 +597,7 @@ static void tegra_gpio_irq_release_resources(struct irq_data *d) + struct tegra_gpio_info *tgi = gpiochip_get_data(chip); + + gpiochip_relres_irq(chip, d->hwirq); +- tegra_gpio_enable(tgi, d->hwirq); ++ tegra_gpio_disable(tgi, d->hwirq); + } + + static void tegra_gpio_irq_print_chip(struct irq_data *d, struct seq_file *s) +-- +2.53.0 + diff --git a/queue-6.6/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch b/queue-6.6/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch new file mode 100644 index 0000000000..bc04def9c6 --- /dev/null +++ b/queue-6.6/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch @@ -0,0 +1,52 @@ +From 446bc132bb794875734662f44228c2b5980b7b73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 13:36:59 -0500 +Subject: HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 + +From: leo vriska + +[ Upstream commit 532743944324a873bbaf8620fcabcd0e69e30c36 ] + +According to a mailing list report [1], this controller's predecessor +has the same issue. However, it uses the xpad driver instead of HID, so +this quirk wouldn't apply. + +[1]: https://lore.kernel.org/linux-input/unufo3$det$1@ciao.gmane.io/ + +Signed-off-by: leo vriska +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 2057546b26823..2565a7425442a 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -22,6 +22,9 @@ + #define USB_DEVICE_ID_3M2256 0x0502 + #define USB_DEVICE_ID_3M3266 0x0506 + ++#define USB_VENDOR_ID_8BITDO 0x2dc8 ++#define USB_DEVICE_ID_8BITDO_PRO_3 0x6009 ++ + #define USB_VENDOR_ID_A4TECH 0x09da + #define USB_DEVICE_ID_A4TECH_WCP32PU 0x0006 + #define USB_DEVICE_ID_A4TECH_X5_005D 0x000a +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 7a3e0675d9ba2..d9e33dde89899 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -25,6 +25,7 @@ + */ + + static const struct hid_device_id hid_quirks[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_8BITDO, USB_DEVICE_ID_8BITDO_PRO_3), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_GAMEPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_AASHIMA, USB_DEVICE_ID_AASHIMA_PREDATOR), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_ADATA_XPG, USB_VENDOR_ID_ADATA_XPG_WL_GAMING_MOUSE), HID_QUIRK_ALWAYS_POLL }, +-- +2.53.0 + diff --git a/queue-6.6/hid-roccat-fix-use-after-free-in-roccat_report_event.patch b/queue-6.6/hid-roccat-fix-use-after-free-in-roccat_report_event.patch new file mode 100644 index 0000000000..b3650da495 --- /dev/null +++ b/queue-6.6/hid-roccat-fix-use-after-free-in-roccat_report_event.patch @@ -0,0 +1,50 @@ +From 6613606eb60cf5ab7e864c9380432b6249ea1c84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:11:07 +0000 +Subject: HID: roccat: fix use-after-free in roccat_report_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +[ Upstream commit d802d848308b35220f21a8025352f0c0aba15c12 ] + +roccat_report_event() iterates over the device->readers list without +holding the readers_lock. This allows a concurrent roccat_release() to +remove and free a reader while it's still being accessed, leading to a +use-after-free. + +Protect the readers list traversal with the readers_lock mutex. + +Signed-off-by: Benoît Sevens +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index c7f7562e22e56..e413662f75082 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,7 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->readers_lock); + mutex_lock(&device->cbuf_lock); + + report = &device->cbuf[device->cbuf_end]; +@@ -279,6 +280,7 @@ int roccat_report_event(int minor, u8 const *data) + } + + mutex_unlock(&device->cbuf_lock); ++ mutex_unlock(&device->readers_lock); + + wake_up_interruptible(&device->wait); + return 0; +-- +2.53.0 + diff --git a/queue-6.6/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch b/queue-6.6/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch new file mode 100644 index 0000000000..5df53360fb --- /dev/null +++ b/queue-6.6/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch @@ -0,0 +1,50 @@ +From a0112cc3b03db1092c9080f8105af8d42af759d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 15:04:19 +0800 +Subject: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() + +From: Yiqi Sun + +[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ] + +ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the +IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing +this error pointer to dev_hold() will cause a kernel crash with +null-ptr-deref. + +Instead, silently discard the request. RFC 8335 does not appear to +define a specific response for the case where an IPv6 interface +identifier is syntactically valid but the implementation cannot perform +the lookup at runtime, and silently dropping the request may safer than +misreporting "No Such Interface". + +Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") +Signed-off-by: Yiqi Sun +Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/icmp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 64a0bc633a3eb..3171392c8c066 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -1136,6 +1136,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr) + if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr)) + goto send_mal_query; + dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev); ++ /* ++ * If IPv6 identifier lookup is unavailable, silently ++ * discard the request instead of misreporting NO_IF. ++ */ ++ if (IS_ERR(dev)) ++ return false; ++ + dev_hold(dev); + break; + #endif +-- +2.53.0 + diff --git a/queue-6.6/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch b/queue-6.6/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch new file mode 100644 index 0000000000..86144decb2 --- /dev/null +++ b/queue-6.6/ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch @@ -0,0 +1,62 @@ +From 23acde06184fa5700c04ce81df795482e0667921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 15:58:01 +0800 +Subject: ipvs: fix NULL deref in ip_vs_add_service error path + +From: Weiming Shi + +[ Upstream commit 9a91797e61d286805ae10a92cc48959c30800556 ] + +When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local +variable sched is set to NULL. If ip_vs_start_estimator() subsequently +fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) +with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL +check (because svc->scheduler was set by the successful bind) but then +dereferences the NULL sched parameter at sched->done_service, causing a +kernel panic at offset 0x30 from NULL. + + Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] + RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) + Call Trace: + + ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) + do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) + nf_setsockopt (net/netfilter/nf_sockopt.c:102) + [..] + +Fix by simply not clearing the local sched variable after a successful +bind. ip_vs_unbind_scheduler() already detects whether a scheduler is +installed via svc->scheduler, and keeping sched non-NULL ensures the +error path passes the correct pointer to both ip_vs_unbind_scheduler() +and ip_vs_scheduler_put(). + +While the bug is older, the problem popups in more recent kernels (6.2), +when the new error path is taken after the ip_vs_start_estimator() call. + +Fixes: 705dd3444081 ("ipvs: use kthreads for stats estimation") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Acked-by: Simon Horman +Acked-by: Julian Anastasov +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index c82dcbb4dabce..25f586fab2bcc 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -1452,7 +1452,6 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, + ret = ip_vs_bind_scheduler(svc, sched); + if (ret) + goto out_err; +- sched = NULL; + } + + ret = ip_vs_start_estimator(ipvs, &svc->stats); +-- +2.53.0 + diff --git a/queue-6.6/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch b/queue-6.6/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch new file mode 100644 index 0000000000..759a613a5b --- /dev/null +++ b/queue-6.6/ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch @@ -0,0 +1,78 @@ +From a0cee186e298ba7b99d85512d9c3c9e483202d66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 09:22:29 +0100 +Subject: ixgbevf: add missing negotiate_features op to Hyper-V ops table + +From: Michal Schmidt + +[ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ] + +Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by +negotiating supported features") added the .negotiate_features callback +to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot +to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL +on Hyper-V VMs. + +During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), +which unconditionally dereferences hw->mac.ops.negotiate_features(). +On Hyper-V this results in a NULL pointer dereference: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + [...] + Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] + Workqueue: events work_for_cpu_fn + RIP: 0010:0x0 + [...] + Call Trace: + ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] + ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] + ixgbevf_probe+0x20f/0x4a0 [ixgbevf] + local_pci_probe+0x50/0xa0 + work_for_cpu_fn+0x1a/0x30 + [...] + +Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and +wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP +gracefully. + +Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") +Reported-by: Xiaoqiang Xiong +Closes: https://issues.redhat.com/browse/RHEL-155455 +Assisted-by: Claude:claude-4.6-opus-high Cursor +Tested-by: Xiaoqiang Xiong +Signed-off-by: Michal Schmidt +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c +index 708d5dd921acc..70dfda13b7885 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/vf.c ++++ b/drivers/net/ethernet/intel/ixgbevf/vf.c +@@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) + return err; + } + ++static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw, ++ u32 *pf_features) ++{ ++ return -EOPNOTSUPP; ++} ++ + /** + * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address + * @hw: pointer to the HW structure +@@ -1142,6 +1148,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = { + .setup_link = ixgbevf_setup_mac_link_vf, + .check_link = ixgbevf_hv_check_mac_link_vf, + .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf, ++ .negotiate_features = ixgbevf_hv_negotiate_features_vf, + .set_rar = ixgbevf_hv_set_rar_vf, + .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf, + .update_xcast_mode = ixgbevf_hv_update_xcast_mode, +-- +2.53.0 + diff --git a/queue-6.6/l2tp-drop-large-packets-with-udp-encap.patch b/queue-6.6/l2tp-drop-large-packets-with-udp-encap.patch new file mode 100644 index 0000000000..e87ce8a233 --- /dev/null +++ b/queue-6.6/l2tp-drop-large-packets-with-udp-encap.patch @@ -0,0 +1,106 @@ +From a606cf2f531f2eb71566e9b9291816ddbc1067c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 20:49:49 +0300 +Subject: l2tp: Drop large packets with UDP encap + +From: Alice Mikityanska + +[ Upstream commit ebe560ea5f54134279356703e73b7f867c89db13 ] + +syzbot reported a WARN on my patch series [1]. The actual issue is an +overflow of 16-bit UDP length field, and it exists in the upstream code. +My series added a debug WARN with an overflow check that exposed the +issue, that's why syzbot tripped on my patches, rather than on upstream +code. + +syzbot's repro: + +r0 = socket$pppl2tp(0x18, 0x1, 0x1) +r1 = socket$inet6_udp(0xa, 0x2, 0x0) +connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) +connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) +writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) + +It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP +encapsulation, and l2tp_xmit_core doesn't check for overflows when it +assigns the UDP length field. The value gets trimmed to 16 bites. + +Add an overflow check that drops oversized packets and avoids sending +packets with trimmed UDP length to the wire. + +syzbot's stack trace (with my patch applied): + +len >= 65536u +WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 +WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 +Modules linked in: +CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] +RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] +RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 +Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f +RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 +RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 +RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff +RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 +R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 +R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 +FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 +Call Trace: + + pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + sock_write_iter+0x503/0x550 net/socket.c:1195 + do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 + vfs_writev+0x33c/0x990 fs/read_write.c:1059 + do_writev+0x154/0x2e0 fs/read_write.c:1105 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f636479c629 +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 +RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 +RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 + + +[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ + +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: syzbot+ci3edea60a44225dec@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69a1dfba.050a0220.3a55be.0026.GAE@google.com/ +Signed-off-by: Alice Mikityanska +Link: https://patch.msgid.link/20260403174949.843941-1-alice.kernel@fastmail.im +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index e0ca08ebd16a9..3c701795fa100 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1083,6 +1083,11 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + uh->source = inet->inet_sport; + uh->dest = inet->inet_dport; + udp_len = uhlen + session->hdr_len + data_len; ++ if (udp_len > U16_MAX) { ++ kfree_skb(skb); ++ ret = NET_XMIT_DROP; ++ goto out_unlock; ++ } + uh->len = htons(udp_len); + + /* Calculate UDP checksum if configured to do so */ +-- +2.53.0 + diff --git a/queue-6.6/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch b/queue-6.6/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch new file mode 100644 index 0000000000..9f6c671c84 --- /dev/null +++ b/queue-6.6/media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch @@ -0,0 +1,49 @@ +From ee72d650606a76cd191ca62accd1a9128e3467dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 10:47:51 +0100 +Subject: media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl() + +From: Arnd Bergmann + +[ Upstream commit c03b7dec3c4ddc97872fa12bfca75bae9cb46510 ] + +The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot +of registers, so when the clang register allocator runs out, it ends up +spilling countless temporaries to the stack: + +drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than] + +Marking this function as noinline_for_stack keeps it out of +rkvdec_vp9_start(), giving the compiler more room for optimization. + +The resulting code is good enough that both the total stack usage +and the loop get enough better to stay under the warning limit, +though it's still slow, and would need a larger rework if this +function ends up being called in a fast path. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/rkvdec/rkvdec-vp9.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/rkvdec/rkvdec-vp9.c b/drivers/staging/media/rkvdec/rkvdec-vp9.c +index 0e7e16f20eeb0..bc74d2d824ef2 100644 +--- a/drivers/staging/media/rkvdec/rkvdec-vp9.c ++++ b/drivers/staging/media/rkvdec/rkvdec-vp9.c +@@ -923,7 +923,8 @@ static void rkvdec_vp9_done(struct rkvdec_ctx *ctx, + update_ctx_last_info(vp9_ctx); + } + +-static void rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) ++static noinline_for_stack void ++rkvdec_init_v4l2_vp9_count_tbl(struct rkvdec_ctx *ctx) + { + struct rkvdec_vp9_ctx *vp9_ctx = ctx->priv; + struct rkvdec_vp9_intra_frame_symbol_counts *intra_cnts = vp9_ctx->count_tbl.cpu; +-- +2.53.0 + diff --git a/queue-6.6/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch b/queue-6.6/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch new file mode 100644 index 0000000000..ea6cb07576 --- /dev/null +++ b/queue-6.6/net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch @@ -0,0 +1,49 @@ +From c4012f6d0405114974db3e7d3449940776918476 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 18:43:48 +0200 +Subject: net: ipa: fix event ring index not programmed for IPA v5.0+ + +From: Alexander Koskovich + +[ Upstream commit 56007972c0b1e783ca714d6f1f4d6e66e531d21f ] + +For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to +CH_C_CNTXT_1. The v5.0 register definition intended to define this +field in the CH_C_CNTXT_1 fmask array but used the old identifier of +ERINDEX instead of CH_ERINDEX. + +Without a valid event ring, GSI channels could never signal transfer +completions. This caused gsi_channel_trans_quiesce() to block +forever in wait_for_completion(). + +At least for IPA v5.2 this resolves an issue seen where runtime +suspend, system suspend, and remoteproc stop all hanged forever. It +also meant the IPA data path was completely non functional. + +Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions") +Signed-off-by: Alexander Koskovich +Signed-off-by: Luca Weiss +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260403-milos-ipa-v1-2-01e9e4e03d3e@fairphone.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/reg/gsi_reg-v5.0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c +index eac3913297c27..cbc7cd5b34f31 100644 +--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c ++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c +@@ -28,7 +28,7 @@ REG_STRIDE_FIELDS(CH_C_CNTXT_0, ch_c_cntxt_0, + + static const u32 reg_ch_c_cntxt_1_fmask[] = { + [CH_R_LENGTH] = GENMASK(23, 0), +- [ERINDEX] = GENMASK(31, 24), ++ [CH_ERINDEX] = GENMASK(31, 24), + }; + + REG_STRIDE_FIELDS(CH_C_CNTXT_1, ch_c_cntxt_1, +-- +2.53.0 + diff --git a/queue-6.6/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch b/queue-6.6/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch new file mode 100644 index 0000000000..7a18a1476a --- /dev/null +++ b/queue-6.6/net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch @@ -0,0 +1,47 @@ +From 23583a43e3a82e2bd5cc6d6d2895b89a84d91821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 18:43:47 +0200 +Subject: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ + +From: Alexander Koskovich + +[ Upstream commit 9709b56d908acc120fe8b4ae250b3c9d749ea832 ] + +Fix the field masks to match the hardware layout documented in +downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*). + +Notably this fixes a WARN I was seeing when I tried to send "stop" +to the MPSS remoteproc while IPA was up. + +Fixes: faf0678ec8a0 ("net: ipa: add IPA v5.0 GSI register definitions") +Signed-off-by: Alexander Koskovich +Signed-off-by: Luca Weiss +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260403-milos-ipa-v1-1-01e9e4e03d3e@fairphone.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipa/reg/gsi_reg-v5.0.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipa/reg/gsi_reg-v5.0.c b/drivers/net/ipa/reg/gsi_reg-v5.0.c +index 145eb0bd096d6..eac3913297c27 100644 +--- a/drivers/net/ipa/reg/gsi_reg-v5.0.c ++++ b/drivers/net/ipa/reg/gsi_reg-v5.0.c +@@ -154,9 +154,10 @@ REG_FIELDS(EV_CH_CMD, ev_ch_cmd, 0x00025010 + 0x12000 * GSI_EE_AP); + + static const u32 reg_generic_cmd_fmask[] = { + [GENERIC_OPCODE] = GENMASK(4, 0), +- [GENERIC_CHID] = GENMASK(9, 5), +- [GENERIC_EE] = GENMASK(13, 10), +- /* Bits 14-31 reserved */ ++ [GENERIC_CHID] = GENMASK(12, 5), ++ [GENERIC_EE] = GENMASK(16, 13), ++ /* Bits 17-23 reserved */ ++ [GENERIC_PARAMS] = GENMASK(31, 24), + }; + + REG_FIELDS(GENERIC_CMD, generic_cmd, 0x00025018 + 0x12000 * GSI_EE_AP); +-- +2.53.0 + diff --git a/queue-6.6/net-lapbether-handle-netdev_pre_type_change.patch b/queue-6.6/net-lapbether-handle-netdev_pre_type_change.patch new file mode 100644 index 0000000000..f86ccaaa10 --- /dev/null +++ b/queue-6.6/net-lapbether-handle-netdev_pre_type_change.patch @@ -0,0 +1,77 @@ +From eb69d1334041509d6491a2f46222a016c61a510f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 10:35:19 +0000 +Subject: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE + +From: Eric Dumazet + +[ Upstream commit b120e4432f9f56c7103133d6a11245e617695adb ] + +lapbeth_data_transmit() expects the underlying device type +to be ARPHRD_ETHER. + +Returning NOTIFY_BAD from lapbeth_device_event() makes sure +bonding driver can not break this expectation. + +Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER") +Reported-by: syzbot+d8c285748fa7292580a9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69cd22a1.050a0220.70c3a.0002.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin Schiller +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260402103519.1201565-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/lapbether.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c +index 56326f38fe8a3..da61716a66c46 100644 +--- a/drivers/net/wan/lapbether.c ++++ b/drivers/net/wan/lapbether.c +@@ -444,33 +444,36 @@ static void lapbeth_free_device(struct lapbethdev *lapbeth) + static int lapbeth_device_event(struct notifier_block *this, + unsigned long event, void *ptr) + { +- struct lapbethdev *lapbeth; + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct lapbethdev *lapbeth; + + if (dev_net(dev) != &init_net) + return NOTIFY_DONE; + +- if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev)) ++ lapbeth = lapbeth_get_x25_dev(dev); ++ if (!dev_is_ethdev(dev) && !lapbeth) + return NOTIFY_DONE; + + switch (event) { + case NETDEV_UP: + /* New ethernet device -> new LAPB interface */ +- if (!lapbeth_get_x25_dev(dev)) ++ if (!lapbeth) + lapbeth_new_device(dev); + break; + case NETDEV_GOING_DOWN: + /* ethernet device closes -> close LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + dev_close(lapbeth->axdev); + break; + case NETDEV_UNREGISTER: + /* ethernet device disappears -> remove LAPB interface */ +- lapbeth = lapbeth_get_x25_dev(dev); + if (lapbeth) + lapbeth_free_device(lapbeth); + break; ++ case NETDEV_PRE_TYPE_CHANGE: ++ /* Our underlying device type must not change. */ ++ if (lapbeth) ++ return NOTIFY_BAD; + } + + return NOTIFY_DONE; +-- +2.53.0 + diff --git a/queue-6.6/net-sched-act_csum-validate-nested-vlan-headers.patch b/queue-6.6/net-sched-act_csum-validate-nested-vlan-headers.patch new file mode 100644 index 0000000000..ab148b685c --- /dev/null +++ b/queue-6.6/net-sched-act_csum-validate-nested-vlan-headers.patch @@ -0,0 +1,60 @@ +From 32c82ac9255805b719b41dc37338fa979c0f0731 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 22:46:20 +0800 +Subject: net: sched: act_csum: validate nested VLAN headers + +From: Ruide Cao + +[ Upstream commit c842743d073bdd683606cb414eb0ca84465dd834 ] + +tcf_csum_act() walks nested VLAN headers directly from skb->data when an +skb still carries in-payload VLAN tags. The current code reads +vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without +first ensuring that the full VLAN header is present in the linear area. + +If only part of an inner VLAN header is linearized, accessing +h_vlan_encapsulated_proto reads past the linear area, and the following +skb_pull(VLAN_HLEN) may violate skb invariants. + +Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and +pulling each nested VLAN header. If the header still is not fully +available, drop the packet through the existing error path. + +Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_csum.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c +index 8ed285023a40a..e8583dc721b6a 100644 +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -603,8 +603,12 @@ TC_INDIRECT_SCOPE int tcf_csum_act(struct sk_buff *skb, + protocol = skb->protocol; + orig_vlan_tag_present = true; + } else { +- struct vlan_hdr *vlan = (struct vlan_hdr *)skb->data; ++ struct vlan_hdr *vlan; + ++ if (!pskb_may_pull(skb, VLAN_HLEN)) ++ goto drop; ++ ++ vlan = (struct vlan_hdr *)skb->data; + protocol = vlan->h_vlan_encapsulated_proto; + skb_pull(skb, VLAN_HLEN); + skb_reset_network_header(skb); +-- +2.53.0 + diff --git a/queue-6.6/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch b/queue-6.6/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch new file mode 100644 index 0000000000..fdfc18bb5e --- /dev/null +++ b/queue-6.6/net-stmmac-fix-ptp-ref-clock-for-tegra234.patch @@ -0,0 +1,83 @@ +From 017cfd493b44fe81be5e8fc8894072398aa992a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 11:29:39 +0100 +Subject: net: stmmac: Fix PTP ref clock for Tegra234 + +From: Jon Hunter + +[ Upstream commit 1345e9f4e3f3bc7d8a0a2138ae29e205a857a555 ] + +Since commit 030ce919e114 ("net: stmmac: make sure that ptp_rate is not +0 before configuring timestamping") was added the following error is +observed on Tegra234: + + ERR KERN tegra-mgbe 6800000.ethernet eth0: Invalid PTP clock rate + WARNING KERN tegra-mgbe 6800000.ethernet eth0: PTP init failed + +It turns out that the Tegra234 device-tree binding defines the PTP ref +clock name as 'ptp-ref' and not 'ptp_ref' and the above commit now +exposes this and that the PTP clock is not configured correctly. + +In order to update device-tree to use the correct 'ptp_ref' name, update +the Tegra MGBE driver to use 'ptp_ref' by default and fallback to using +'ptp-ref' if this clock name is present. + +Fixes: d8ca113724e7 ("net: stmmac: tegra: Add MGBE support") +Signed-off-by: Jon Hunter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260401102941.17466-2-jonathanh@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac-tegra.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +index 760405b805f40..e950016d10914 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-tegra.c +@@ -9,7 +9,7 @@ + #include "stmmac_platform.h" + + static const char *const mgbe_clks[] = { +- "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp-ref", "mac" ++ "rx-pcs", "tx", "tx-pcs", "mac-divider", "mac", "mgbe", "ptp_ref", "mac" + }; + + struct tegra_mgbe { +@@ -215,6 +215,7 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + { + struct plat_stmmacenet_data *plat; + struct stmmac_resources res; ++ bool use_legacy_ptp = false; + struct tegra_mgbe *mgbe; + int irq, err, i; + u32 value; +@@ -257,9 +258,23 @@ static int tegra_mgbe_probe(struct platform_device *pdev) + if (!mgbe->clks) + return -ENOMEM; + +- for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) ++ /* Older device-trees use 'ptp-ref' rather than 'ptp_ref'. ++ * Fall back when the legacy name is present. ++ */ ++ if (of_property_match_string(pdev->dev.of_node, "clock-names", ++ "ptp-ref") >= 0) ++ use_legacy_ptp = true; ++ ++ for (i = 0; i < ARRAY_SIZE(mgbe_clks); i++) { + mgbe->clks[i].id = mgbe_clks[i]; + ++ if (use_legacy_ptp && !strcmp(mgbe_clks[i], "ptp_ref")) { ++ dev_warn(mgbe->dev, ++ "Device-tree update needed for PTP clock!\n"); ++ mgbe->clks[i].id = "ptp-ref"; ++ } ++ } ++ + err = devm_clk_bulk_get(mgbe->dev, ARRAY_SIZE(mgbe_clks), mgbe->clks); + if (err < 0) + return err; +-- +2.53.0 + diff --git a/queue-6.6/net-txgbe-leave-space-for-null-terminators-on-proper.patch b/queue-6.6/net-txgbe-leave-space-for-null-terminators-on-proper.patch new file mode 100644 index 0000000000..8348ffa977 --- /dev/null +++ b/queue-6.6/net-txgbe-leave-space-for-null-terminators-on-proper.patch @@ -0,0 +1,48 @@ +From 86cda283fb3ab8ed37ad64a53c13994474df9a23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 23:20:13 +0100 +Subject: net: txgbe: leave space for null terminators on property_entry + +From: Fabio Baltieri + +[ Upstream commit 5a37d228799b0ec2c277459c83c814a59d310bc3 ] + +Lists of struct property_entry are supposed to be terminated with an +empty property, this driver currently seems to be allocating exactly the +amount of entry used. + +Change the struct definition to leave an extra element for all +property_entry. + +Fixes: c3e382ad6d15 ("net: txgbe: Add software nodes to support phylink") +Signed-off-by: Fabio Baltieri +Tested-by: Jiawen Wu +Link: https://patch.msgid.link/20260405222013.5347-1-fabio.baltieri@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +index 51199c355f95c..b0554c8f25213 100644 +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h +@@ -161,10 +161,10 @@ struct txgbe_nodes { + char i2c_name[32]; + char sfp_name[32]; + char phylink_name[32]; +- struct property_entry gpio_props[1]; +- struct property_entry i2c_props[3]; +- struct property_entry sfp_props[8]; +- struct property_entry phylink_props[2]; ++ struct property_entry gpio_props[2]; ++ struct property_entry i2c_props[4]; ++ struct property_entry sfp_props[9]; ++ struct property_entry phylink_props[3]; + struct software_node_ref_args i2c_ref[1]; + struct software_node_ref_args gpio0_ref[1]; + struct software_node_ref_args gpio1_ref[1]; +-- +2.53.0 + diff --git a/queue-6.6/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch b/queue-6.6/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch new file mode 100644 index 0000000000..80f6837cfa --- /dev/null +++ b/queue-6.6/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch @@ -0,0 +1,51 @@ +From a24c33df38e899cdb72a3e7f97117d85a480091b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2026 17:39:47 +0800 +Subject: netfilter: ip6t_eui64: reject invalid MAC header for all packets + +From: Zhengchuan Liang + +[ Upstream commit fdce0b3590f724540795b874b4c8850c90e6b0a8 ] + +`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address +and compares it with the low 64 bits of the IPv6 source address. + +The existing guard only rejects an invalid MAC header when +`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` +can still reach `eth_hdr(skb)` even when the MAC header is not valid. + +Fix this by removing the `par->fragoff != 0` condition so that packets +with an invalid MAC header are rejected before accessing `eth_hdr(skb)`. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/ip6t_eui64.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c +index d704f7ed300c2..da69a27e8332c 100644 +--- a/net/ipv6/netfilter/ip6t_eui64.c ++++ b/net/ipv6/netfilter/ip6t_eui64.c +@@ -22,8 +22,7 @@ eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par) + unsigned char eui64[8]; + + if (!(skb_mac_header(skb) >= skb->head && +- skb_mac_header(skb) + ETH_HLEN <= skb->data) && +- par->fragoff != 0) { ++ skb_mac_header(skb) + ETH_HLEN <= skb->data)) { + par->hotdrop = true; + return false; + } +-- +2.53.0 + diff --git a/queue-6.6/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch b/queue-6.6/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch new file mode 100644 index 0000000000..be3f195331 --- /dev/null +++ b/queue-6.6/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch @@ -0,0 +1,52 @@ +From fc289a653867b35723ec6a10eab48e8c80b51ed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2026 14:20:57 -0700 +Subject: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE + terminator + +From: Xiang Mei + +[ Upstream commit 1f3083aec8836213da441270cdb1ab612dd82cf4 ] + +When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() +appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via +nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() +helper only zeroes alignment padding after the payload, not the payload +itself, so four bytes of stale kernel heap data are leaked to userspace +in the NLMSG_DONE message body. + +Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes +the nfgenmsg payload via nfnl_fill_hdr(), consistent with how +__build_packet_message() already constructs NFULNL_MSG_PACKET headers. + +Fixes: 29c5d4afba51 ("[NETFILTER]: nfnetlink_log: fix sending of multipart messages") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_log.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index f96421ad14afb..3da32d2f68e09 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -361,10 +361,10 @@ static void + __nfulnl_send(struct nfulnl_instance *inst) + { + if (inst->qlen > 1) { +- struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0, +- NLMSG_DONE, +- sizeof(struct nfgenmsg), +- 0); ++ struct nlmsghdr *nlh = nfnl_msg_put(inst->skb, 0, 0, ++ NLMSG_DONE, 0, ++ AF_UNSPEC, NFNETLINK_V0, ++ htons(inst->group_num)); + if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n", + inst->skb->len, skb_tailroom(inst->skb))) { + kfree_skb(inst->skb); +-- +2.53.0 + diff --git a/queue-6.6/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch b/queue-6.6/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch new file mode 100644 index 0000000000..4ecaa75b6e --- /dev/null +++ b/queue-6.6/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch @@ -0,0 +1,161 @@ +From 9eaead2c0dc37ead34f9792540b9a62f955bf291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Mar 2026 14:10:55 +0100 +Subject: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on + expiry + +From: Florian Westphal + +[ Upstream commit d3c0037ffe1273fa1961e779ff6906234d6cf53c ] + +New test case fails unexpectedly when avx2 matching functions are used. + +The test first loads a ranomly generated pipapo set +with 'ipv4 . port' key, i.e. nft -f foo. + +This works. Then, it reloads the set after a flush: +(echo flush set t s; cat foo) | nft -f - + +This is expected to work, because its the same set after all and it was +already loaded once. + +But with avx2, this fails: nft reports a clashing element. + +The reported clash is of following form: + + We successfully re-inserted + a . b + c . d + +Then we try to insert a . d + +avx2 finds the already existing a . d, which (due to 'flush set') is marked +as invalid in the new generation. It skips the element and moves to next. + +Due to incorrect masking, the skip-step finds the next matching +element *only considering the first field*, + +i.e. we return the already reinserted "a . b", even though the +last field is different and the entry should not have been matched. + +No such error is reported for the generic c implementation (no avx2) or when +the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. + +Bisection points to +7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") +but that fix merely uncovers this bug. + +Before this commit, the wrong element is returned, but erronously +reported as a full, identical duplicate. + +The root-cause is too early return in the avx2 match functions. +When we process the last field, we should continue to process data +until the entire input size has been consumed to make sure no stale +bits remain in the map. + +Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/ +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index be7c16c79f711..2a761a644d4da 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -242,7 +242,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -319,7 +319,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -414,7 +414,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -505,7 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -641,7 +641,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -699,7 +699,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -764,7 +764,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -839,7 +839,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -925,7 +925,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +@@ -1019,7 +1019,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, + + b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); + if (last) +- return b; ++ ret = b; + + if (unlikely(ret == -1)) + ret = b / XSAVE_YMM_SIZE; +-- +2.53.0 + diff --git a/queue-6.6/netfilter-xt_multiport-validate-range-encoding-in-ch.patch b/queue-6.6/netfilter-xt_multiport-validate-range-encoding-in-ch.patch new file mode 100644 index 0000000000..880fbe6183 --- /dev/null +++ b/queue-6.6/netfilter-xt_multiport-validate-range-encoding-in-ch.patch @@ -0,0 +1,99 @@ +From bc3d2c62a6577b2c64e956738b78dfe2234606b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2026 23:52:52 +0800 +Subject: netfilter: xt_multiport: validate range encoding in checkentry + +From: Ren Wei + +[ Upstream commit ff64c5bfef12461df8450e0f50bb693b5269c720 ] + +ports_match_v1() treats any non-zero pflags entry as the start of a +port range and unconditionally consumes the next ports[] element as +the range end. + +The checkentry path currently validates protocol, flags and count, but +it does not validate the range encoding itself. As a result, malformed +rules can mark the last slot as a range start or place two range starts +back to back, leaving ports_match_v1() to step past the last valid +ports[] element while interpreting the rule. + +Reject malformed multiport v1 rules in checkentry by validating that +each range start has a following element and that the following element +is not itself marked as another range start. + +Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuhang Zheng +Signed-off-by: Ren Wei +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_multiport.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c +index 44a00f5acde8a..a1691ff405d3c 100644 +--- a/net/netfilter/xt_multiport.c ++++ b/net/netfilter/xt_multiport.c +@@ -105,6 +105,28 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par) + return ports_match_v1(multiinfo, ntohs(pptr[0]), ntohs(pptr[1])); + } + ++static bool ++multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < multiinfo->count; i++) { ++ if (!multiinfo->pflags[i]) ++ continue; ++ ++ if (++i >= multiinfo->count) ++ return false; ++ ++ if (multiinfo->pflags[i]) ++ return false; ++ ++ if (multiinfo->ports[i - 1] > multiinfo->ports[i]) ++ return false; ++ } ++ ++ return true; ++} ++ + static inline bool + check(u_int16_t proto, + u_int8_t ip_invflags, +@@ -127,8 +149,10 @@ static int multiport_mt_check(const struct xt_mtchk_param *par) + const struct ipt_ip *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static int multiport_mt6_check(const struct xt_mtchk_param *par) +@@ -136,8 +160,10 @@ static int multiport_mt6_check(const struct xt_mtchk_param *par) + const struct ip6t_ip6 *ip = par->entryinfo; + const struct xt_multiport_v1 *multiinfo = par->matchinfo; + +- return check(ip->proto, ip->invflags, multiinfo->flags, +- multiinfo->count) ? 0 : -EINVAL; ++ if (!check(ip->proto, ip->invflags, multiinfo->flags, multiinfo->count)) ++ return -EINVAL; ++ ++ return multiport_valid_ranges(multiinfo) ? 0 : -EINVAL; + } + + static struct xt_match multiport_mt_reg[] __read_mostly = { +-- +2.53.0 + diff --git a/queue-6.6/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch b/queue-6.6/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch new file mode 100644 index 0000000000..b795dae8a3 --- /dev/null +++ b/queue-6.6/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch @@ -0,0 +1,61 @@ +From 0c4c63e8ef5dbb9c27e740ee227b69cb3a7b8f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 12:21:48 +0800 +Subject: nfc: s3fwrn5: allocate rx skb before consuming bytes + +From: Pengpeng Hou + +[ Upstream commit 5c14a19d5b1645cce1cb1252833d70b23635b632 ] + +s3fwrn82_uart_read() reports the number of accepted bytes to the serdev +core. The current code consumes bytes into recv_skb and may already +deliver a complete frame before allocating a fresh receive buffer. + +If that alloc_skb() fails, the callback returns 0 even though it has +already consumed bytes, and it leaves recv_skb as NULL for the next +receive callback. That breaks the receive_buf() accounting contract and +can also lead to a NULL dereference on the next skb_put_u8(). + +Allocate the receive skb lazily before consuming the next byte instead. +If allocation fails, return the number of bytes already accepted. + +Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface") +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/s3fwrn5/uart.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c +index 82ea35d748a5d..dde1a87ed1e47 100644 +--- a/drivers/nfc/s3fwrn5/uart.c ++++ b/drivers/nfc/s3fwrn5/uart.c +@@ -59,6 +59,12 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev, + size_t i; + + for (i = 0; i < count; i++) { ++ if (!phy->recv_skb) { ++ phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); ++ if (!phy->recv_skb) ++ return i; ++ } ++ + skb_put_u8(phy->recv_skb, *data++); + + if (phy->recv_skb->len < S3FWRN82_NCI_HEADER) +@@ -70,9 +76,7 @@ static int s3fwrn82_uart_read(struct serdev_device *serdev, + + s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb, + phy->common.mode); +- phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL); +- if (!phy->recv_skb) +- return 0; ++ phy->recv_skb = NULL; + } + + return i; +-- +2.53.0 + diff --git a/queue-6.6/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch b/queue-6.6/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch new file mode 100644 index 0000000000..b9cd1e0904 --- /dev/null +++ b/queue-6.6/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch @@ -0,0 +1,57 @@ +From 86ad5e3fb263118c591e51b345d7c78e5d294544 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 14:07:42 -0700 +Subject: PCI: hv: Set default NUMA node to 0 for devices without affinity info + +From: Long Li + +[ Upstream commit 7b3b1e5a87b2f5e35c52b5386d7c327be869454f ] + +When hv_pci_assign_numa_node() processes a device that does not have +HV_PCI_DEVICE_FLAG_NUMA_AFFINITY set or has an out-of-range +virtual_numa_node, the device NUMA node is left unset. On x86_64, +the uninitialized default happens to be 0, but on ARM64 it is +NUMA_NO_NODE (-1). + +Tests show that when no NUMA information is available from the Hyper-V +host, devices perform best when assigned to node 0. With NUMA_NO_NODE +the kernel may spread work across NUMA nodes, which degrades +performance on Hyper-V, particularly for high-throughput devices like +MANA. + +Always set the device NUMA node to 0 before the conditional NUMA +affinity check, so that devices get a performant default when the host +provides no NUMA information, and behavior is consistent on both +x86_64 and ARM64. + +Fixes: 999dd956d838 ("PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2") +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index 4c34909810d8e..e379ed9b5d2eb 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -2371,6 +2371,14 @@ static void hv_pci_assign_numa_node(struct hv_pcibus_device *hbus) + if (!hv_dev) + continue; + ++ /* ++ * If the Hyper-V host doesn't provide a NUMA node for the ++ * device, default to node 0. With NUMA_NO_NODE the kernel ++ * may spread work across NUMA nodes, which degrades ++ * performance on Hyper-V. ++ */ ++ set_dev_node(&dev->dev, 0); ++ + if (hv_dev->desc.flags & HV_PCI_DEVICE_FLAG_NUMA_AFFINITY && + hv_dev->desc.virtual_numa_node < num_possible_nodes()) + /* +-- +2.53.0 + diff --git a/queue-6.6/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch b/queue-6.6/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch new file mode 100644 index 0000000000..d7891d4257 --- /dev/null +++ b/queue-6.6/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch @@ -0,0 +1,47 @@ +From 5e5719666771b068452a01360c45bb88b5e97689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2026 10:40:48 -0700 +Subject: perf/x86/intel/uncore: Skip discovery table for offline dies + +From: Zide Chen + +[ Upstream commit 7b568e9eba2fad89a696f22f0413d44cf4a1f892 ] + +This warning can be triggered if NUMA is disabled and the system +boots with fewer CPUs than the number of CPUs in die 0. + +WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore] + +Currently, the discovery table continues to be parsed even if all CPUs +in the associated die are offline. This can lead to an array overflow +at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may +trigger the warning above or cause other issues. + +Fixes: edae1f06c2cd ("perf/x86/intel/uncore: Parse uncore discovery tables") +Reported-by: Steve Wahl +Signed-off-by: Zide Chen +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Dapeng Mi +Tested-by: Steve Wahl +Link: https://patch.msgid.link/20260313174050.171704-3-zide.chen@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_discovery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/uncore_discovery.c b/arch/x86/events/intel/uncore_discovery.c +index cb488e41807c7..3f6b20fa14eeb 100644 +--- a/arch/x86/events/intel/uncore_discovery.c ++++ b/arch/x86/events/intel/uncore_discovery.c +@@ -319,7 +319,7 @@ bool intel_uncore_has_discovery_tables(int *ignore) + (val & UNCORE_DISCOVERY_DVSEC2_BIR_MASK) * UNCORE_DISCOVERY_BIR_STEP; + + die = get_device_die_id(dev); +- if (die < 0) ++ if ((die < 0) || (die >= uncore_max_dies())) + continue; + + parse_discovery_table(dev, die, bar_offset, &parsed, ignore); +-- +2.53.0 + diff --git a/queue-6.6/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch b/queue-6.6/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch new file mode 100644 index 0000000000..10d654c388 --- /dev/null +++ b/queue-6.6/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch @@ -0,0 +1,35 @@ +From 4795fa30ffa75d0f9247ce8c0a2f1430d968c5fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 18:14:04 +0100 +Subject: pinctrl: intel: Fix the revision for new features (1kOhm PD, HW + debouncer) + +From: Andy Shevchenko + +[ Upstream commit a4337a24d13e9e3b98a113e71d6b80dc5ed5f8c4 ] + +The 1kOhm pull down and hardware debouncer are features of the revision 0.92 +of the Chassis specification. Fix that in the code accordingly. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index 9775f6be1c1e6..b1ce3daae8e85 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1581,7 +1581,7 @@ static int intel_pinctrl_probe(struct platform_device *pdev, + value = readl(regs + REVID); + if (value == ~0u) + return -ENODEV; +- if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) { ++ if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x92) { + community->features |= PINCTRL_FEATURE_DEBOUNCE; + community->features |= PINCTRL_FEATURE_1K_PD; + } +-- +2.53.0 + diff --git a/queue-6.6/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch b/queue-6.6/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch new file mode 100644 index 0000000000..769462270a --- /dev/null +++ b/queue-6.6/platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch @@ -0,0 +1,52 @@ +From 83af31bb4773558b5949cc56efe335a62c1bbfd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2026 16:16:41 -0500 +Subject: platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 1a9452c428a6b76f0b797bae21daa454fccef1a2 ] + +This platform is a similar vintage of platforms that had a BIOS bug +leading to a 10s delay at resume from s0i3. + +Add a quirk for it. + +Reported-by: Imrane +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221273 +Tested-by: Imrane +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260324211647.357924-1-mario.limonciello@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c +index a6006b4ec2cc0..a3921f8106c12 100644 +--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c ++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c +@@ -197,6 +197,15 @@ static const struct dmi_system_id fwbug_list[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"), + } + }, ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=221273 */ ++ { ++ .ident = "Thinkpad L14 Gen3", ++ .driver_data = &quirk_s2idle_bug, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21C6"), ++ } ++ }, + /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */ + { + .ident = "Lenovo Yoga 6 13ALC6", +-- +2.53.0 + diff --git a/queue-6.6/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch b/queue-6.6/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch new file mode 100644 index 0000000000..d0189fb420 --- /dev/null +++ b/queue-6.6/rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch @@ -0,0 +1,44 @@ +From 739c4ca8dadbc030f3c4aff8b4b11116f0febef2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 15:27:43 +0000 +Subject: RDMA/irdma: Fix double free related to rereg_user_mr + +From: Jacob Moroni + +[ Upstream commit 29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 ] + +If IB_MR_REREG_TRANS is set during rereg_user_mr, the +umem will be released and a new one will be allocated +in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans +fails after the new umem is allocated, it releases the umem, +but does not set iwmr->region to NULL. The problem is that +this failure is propagated to the user, who will then call +ibv_dereg_mr (as they should). Then, the dereg_mr path will +see a non-NULL umem and attempt to call ib_umem_release again. + +Fix this by setting iwmr->region to NULL after ib_umem_release. + +Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region") +Signed-off-by: Jacob Moroni +Link: https://patch.msgid.link/20260227152743.1183388-1-jmoroni@google.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 532b36b25e919..a18b249fe550e 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -3209,6 +3209,7 @@ static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len, + + err: + ib_umem_release(region); ++ iwmr->region = NULL; + return err; + } + +-- +2.53.0 + diff --git a/queue-6.6/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch b/queue-6.6/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch new file mode 100644 index 0000000000..4f7b00b60a --- /dev/null +++ b/queue-6.6/selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch @@ -0,0 +1,45 @@ +From 1e0f8a254f8bbd35ea4b893828a0d5f22b7c1f4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Apr 2026 22:29:19 +0100 +Subject: selftests: net: bridge_vlan_mcast: wait for h1 before querier check + +From: Daniel Golle + +[ Upstream commit efaa71faf212324ecbf6d5339e9717fe53254f58 ] + +The querier-interval test adds h1 (currently a slave of the VRF created +by simple_if_init) to a temporary bridge br1 acting as an outside IGMP +querier. The kernel VRF driver (drivers/net/vrf.c) calls cycle_netdev() +on every slave add and remove, toggling the interface admin-down then up. +Phylink takes the PHY down during the admin-down half of that cycle. +Since h1 and swp1 are cable-connected, swp1 also loses its link may need +several seconds to re-negotiate. + +Use setup_wait_dev $h1 0 which waits for h1 to return to UP state, so the +test can rely on the link being back up at this point. + +Fixes: 4d8610ee8bd77 ("selftests: net: bridge: add vlan mcast_querier_interval tests") +Signed-off-by: Daniel Golle +Reviewed-by: Alexander Sverdlin +Link: https://patch.msgid.link/c830f130860fd2efae08bfb9e5b25fd028e58ce5.1775424423.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +index 72dfbeaf56b92..e8031f68200ad 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_vlan_mcast.sh +@@ -414,6 +414,7 @@ vlmc_querier_intvl_test() + bridge vlan add vid 10 dev br1 self pvid untagged + ip link set dev $h1 master br1 + ip link set dev br1 up ++ setup_wait_dev $h1 0 + bridge vlan add vid 10 dev $h1 master + bridge vlan global set vid 10 dev br1 mcast_snooping 1 mcast_querier 1 + sleep 2 +-- +2.53.0 + diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 0000000000..473200324e --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,64 @@ +rdma-irdma-fix-double-free-related-to-rereg_user_mr.patch +asoc-amd-yc-add-dmi-quirk-for-asus-expertbook-bm1403.patch +alsa-hda-realtek-add-hp-envy-laptop-13-ba0xxx-quirk.patch +alsa-hda-realtek-add-quirk-for-asus-rog-flow-z13-kjp.patch +media-rkvdec-reduce-stack-usage-in-rkvdec_init_v4l2_.patch +alsa-asihpi-avoid-write-overflow-check-warning.patch +asoc-amd-yc-add-dmi-quirk-for-thin-a15-b7vf.patch +asoc-sof-topology-reject-invalid-vendor-array-size-i.patch +can-mcp251x-add-error-handling-for-power-enable-in-o.patch +btrfs-tracepoints-get-correct-superblock-from-dentry.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch +netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch +alsa-hda-realtek-add-quirk-for-framework-f111-000f.patch +wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch +asoc-soc-core-call-missing-init_list_head-for-card_a.patch +alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch +fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch +asoc-amd-yc-add-dmi-entry-for-hp-laptop-15-fc0xxx.patch +pinctrl-intel-fix-the-revision-for-new-features-1koh.patch +platform-x86-amd-pmc-add-thinkpad-l14-gen3-to-quirk_.patch +hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14i.patch +hid-roccat-fix-use-after-free-in-roccat_report_event.patch +ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch +wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch +asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch +soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch +arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch +pci-hv-set-default-numa-node-to-0-for-devices-withou.patch +drm-vc4-release-runtime-pm-reference-after-binding-v.patch +drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch +drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch +drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch +eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch +net-sched-act_csum-validate-nested-vlan-headers.patch +net-lapbether-handle-netdev_pre_type_change.patch +ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch +nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch +net-stmmac-fix-ptp-ref-clock-for-tegra234.patch +dt-bindings-net-fix-tegra234-mgbe-ptp-clock.patch +tracing-probe-reject-non-closed-empty-immediate-stri.patch +ixgbevf-add-missing-negotiate_features-op-to-hyper-v.patch +e1000-check-return-value-of-e1000_read_eeprom.patch +xsk-tighten-umem-headroom-validation-to-account-for-.patch +xsk-respect-tailroom-for-zc-setups.patch +xsk-fix-xdp_umem_sg_flag-issues.patch +xsk-validate-mtu-against-usable-frame-size-on-bind.patch +xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch +xfrm_user-fix-info-leak-in-build_mapping.patch +selftests-net-bridge_vlan_mcast-wait-for-h1-before-q.patch +ipvs-fix-null-deref-in-ip_vs_add_service-error-path.patch +netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch +netfilter-xt_multiport-validate-range-encoding-in-ch.patch +netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch +net-txgbe-leave-space-for-null-terminators-on-proper.patch +af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch +net-ipa-fix-generic_cmd-register-field-masks-for-ipa.patch +net-ipa-fix-event-ring-index-not-programmed-for-ipa-.patch +l2tp-drop-large-packets-with-udp-encap.patch +gpio-tegra-fix-irq_release_resources-calling-enable-.patch +perf-x86-intel-uncore-skip-discovery-table-for-offli.patch +clockevents-prevent-timer-interrupt-starvation.patch +crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch diff --git a/queue-6.6/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch b/queue-6.6/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch new file mode 100644 index 0000000000..8e8f00b28f --- /dev/null +++ b/queue-6.6/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch @@ -0,0 +1,46 @@ +From ab8a9d1e5bb2ae8315948def4b74b9638b7dad68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:37:56 +0800 +Subject: soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching + +From: Potin Lai + +[ Upstream commit 7ec1bd3d9be671d04325b9e06149b8813f6a4836 ] + +The siliconid_to_name() function currently masks the input silicon ID +with 0xff00ffff, but compares it against unmasked table entries. This +causes matching to fail if the table entries contain non-zero values in +the bits covered by the mask (bits 16-23). + +Update the logic to apply the 0xff00ffff mask to the table entries +during comparison. This ensures that only the relevant model and +revision bits are considered, providing a consistent match across +different manufacturing batches. + +[arj: Add Fixes: tag, fix 'soninfo' typo, clarify function reference] + +Fixes: e0218dca5787 ("soc: aspeed: Add soc info driver") +Signed-off-by: Potin Lai +Link: https://patch.msgid.link/20260122-soc_aspeed_name_fix-v1-1-33a847f2581c@gmail.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-socinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c +index 67e9ac3d08ecc..a90b100f4d101 100644 +--- a/drivers/soc/aspeed/aspeed-socinfo.c ++++ b/drivers/soc/aspeed/aspeed-socinfo.c +@@ -39,7 +39,7 @@ static const char *siliconid_to_name(u32 siliconid) + unsigned int i; + + for (i = 0 ; i < ARRAY_SIZE(rev_table) ; ++i) { +- if (rev_table[i].id == id) ++ if ((rev_table[i].id & 0xff00ffff) == id) + return rev_table[i].name; + } + +-- +2.53.0 + diff --git a/queue-6.6/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch b/queue-6.6/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch new file mode 100644 index 0000000000..33a2e84df8 --- /dev/null +++ b/queue-6.6/srcu-use-irq_work-to-start-gp-in-tiny-srcu.patch @@ -0,0 +1,134 @@ +From 0f6bb6e1c79ff359ace8bc2b5ab20a92133cbd6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 20:14:18 -0400 +Subject: srcu: Use irq_work to start GP in tiny SRCU + +From: Joel Fernandes + +[ Upstream commit a6fc88b22bc8d12ad52e8412c667ec0f5bf055af ] + +Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), +which acquires the workqueue pool->lock. + +This causes a lockdep splat when call_srcu() is called with a scheduler +lock held, due to: + + call_srcu() [holding pi_lock] + srcu_gp_start_if_needed() + schedule_work() -> pool->lock + + workqueue_init() / create_worker() [holding pool->lock] + wake_up_process() -> try_to_wake_up() -> pi_lock + +Also add irq_work_sync() to cleanup_srcu_struct() to prevent a +use-after-free if a queued irq_work fires after cleanup begins. + +Tested with rcutorture SRCU-T and no lockdep warnings. + +[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work +to start process_srcu()" ] + +Signed-off-by: Joel Fernandes +Reviewed-by: Paul E. McKenney +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + include/linux/srcutiny.h | 4 ++++ + kernel/rcu/srcutiny.c | 19 ++++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/include/linux/srcutiny.h b/include/linux/srcutiny.h +index 447133171d95f..bad5fd0f1ddb6 100644 +--- a/include/linux/srcutiny.h ++++ b/include/linux/srcutiny.h +@@ -11,6 +11,7 @@ + #ifndef _LINUX_SRCU_TINY_H + #define _LINUX_SRCU_TINY_H + ++#include + #include + + struct srcu_struct { +@@ -24,18 +25,21 @@ struct srcu_struct { + struct rcu_head *srcu_cb_head; /* Pending callbacks: Head. */ + struct rcu_head **srcu_cb_tail; /* Pending callbacks: Tail. */ + struct work_struct srcu_work; /* For driving grace periods. */ ++ struct irq_work srcu_irq_work; /* Defer schedule_work() to irq work. */ + #ifdef CONFIG_DEBUG_LOCK_ALLOC + struct lockdep_map dep_map; + #endif /* #ifdef CONFIG_DEBUG_LOCK_ALLOC */ + }; + + void srcu_drive_gp(struct work_struct *wp); ++void srcu_tiny_irq_work(struct irq_work *irq_work); + + #define __SRCU_STRUCT_INIT(name, __ignored, ___ignored) \ + { \ + .srcu_wq = __SWAIT_QUEUE_HEAD_INITIALIZER(name.srcu_wq), \ + .srcu_cb_tail = &name.srcu_cb_head, \ + .srcu_work = __WORK_INITIALIZER(name.srcu_work, srcu_drive_gp), \ ++ .srcu_irq_work = { .func = srcu_tiny_irq_work }, \ + __SRCU_DEP_MAP_INIT(name) \ + } + +diff --git a/kernel/rcu/srcutiny.c b/kernel/rcu/srcutiny.c +index c38e5933a5d69..24aa302b3269a 100644 +--- a/kernel/rcu/srcutiny.c ++++ b/kernel/rcu/srcutiny.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -37,6 +38,7 @@ static int init_srcu_struct_fields(struct srcu_struct *ssp) + ssp->srcu_idx_max = 0; + INIT_WORK(&ssp->srcu_work, srcu_drive_gp); + INIT_LIST_HEAD(&ssp->srcu_work.entry); ++ init_irq_work(&ssp->srcu_irq_work, srcu_tiny_irq_work); + return 0; + } + +@@ -80,6 +82,7 @@ EXPORT_SYMBOL_GPL(init_srcu_struct); + void cleanup_srcu_struct(struct srcu_struct *ssp) + { + WARN_ON(ssp->srcu_lock_nesting[0] || ssp->srcu_lock_nesting[1]); ++ irq_work_sync(&ssp->srcu_irq_work); + flush_work(&ssp->srcu_work); + WARN_ON(ssp->srcu_gp_running); + WARN_ON(ssp->srcu_gp_waiting); +@@ -156,6 +159,20 @@ void srcu_drive_gp(struct work_struct *wp) + } + EXPORT_SYMBOL_GPL(srcu_drive_gp); + ++/* ++ * Use an irq_work to defer schedule_work() to avoid acquiring the workqueue ++ * pool->lock while the caller might hold scheduler locks, causing lockdep ++ * splats due to workqueue_init() doing a wakeup. ++ */ ++void srcu_tiny_irq_work(struct irq_work *irq_work) ++{ ++ struct srcu_struct *ssp; ++ ++ ssp = container_of(irq_work, struct srcu_struct, srcu_irq_work); ++ schedule_work(&ssp->srcu_work); ++} ++EXPORT_SYMBOL_GPL(srcu_tiny_irq_work); ++ + static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + { + unsigned long cookie; +@@ -166,7 +183,7 @@ static void srcu_gp_start_if_needed(struct srcu_struct *ssp) + WRITE_ONCE(ssp->srcu_idx_max, cookie); + if (!READ_ONCE(ssp->srcu_gp_running)) { + if (likely(srcu_init_done)) +- schedule_work(&ssp->srcu_work); ++ irq_work_queue(&ssp->srcu_irq_work); + else if (list_empty(&ssp->srcu_work.entry)) + list_add(&ssp->srcu_work.entry, &srcu_boot_list); + } +-- +2.53.0 + diff --git a/queue-6.6/tracing-probe-reject-non-closed-empty-immediate-stri.patch b/queue-6.6/tracing-probe-reject-non-closed-empty-immediate-stri.patch new file mode 100644 index 0000000000..1f67550cd4 --- /dev/null +++ b/queue-6.6/tracing-probe-reject-non-closed-empty-immediate-stri.patch @@ -0,0 +1,43 @@ +From e48ef72d3c5a4b6ea66a59068bade75711005b82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 00:03:15 +0800 +Subject: tracing/probe: reject non-closed empty immediate strings + +From: Pengpeng Hou + +[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ] + +parse_probe_arg() accepts quoted immediate strings and passes the body +after the opening quote to __parse_imm_string(). That helper currently +computes strlen(str) and immediately dereferences str[len - 1], which +underflows when the body is empty and not closed with double-quotation. + +Reject empty non-closed immediate strings before checking for the closing quote. + +Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/ + +Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support") +Signed-off-by: Pengpeng Hou +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 187b1fc403c13..d46a1033ba5b3 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -1039,7 +1039,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs) + { + size_t len = strlen(str); + +- if (str[len - 1] != '"') { ++ if (!len || str[len - 1] != '"') { + trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE); + return -EINVAL; + } +-- +2.53.0 + diff --git a/queue-6.6/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch b/queue-6.6/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch new file mode 100644 index 0000000000..3c67b0c70b --- /dev/null +++ b/queue-6.6/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch @@ -0,0 +1,45 @@ +From 28afb338e08f3eb15850495ee53067a9f004cf4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 15:45:51 +0800 +Subject: wifi: brcmfmac: validate bsscfg indices in IF events + +From: Pengpeng Hou + +[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ] + +brcmf_fweh_handle_if_event() validates the firmware-provided interface +index before it touches drvr->iflist[], but it still uses the raw +bsscfgidx field as an array index without a matching range check. + +Reject IF events whose bsscfg index does not fit in drvr->iflist[] +before indexing the interface array. + +Signed-off-by: Pengpeng Hou +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn +[add missing wifi prefix] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index dac7eb77799bd..e6be192dc0af2 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -151,6 +151,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr, + bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx); + return; + } ++ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) { ++ bphy_err(drvr, "invalid bsscfg index: %u\n", ++ ifevent->bsscfgidx); ++ return; ++ } + + ifp = drvr->iflist[ifevent->bsscfgidx]; + +-- +2.53.0 + diff --git a/queue-6.6/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch b/queue-6.6/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch new file mode 100644 index 0000000000..54c391c82c --- /dev/null +++ b/queue-6.6/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch @@ -0,0 +1,51 @@ +From 9280e6eab1b6fb95348025543fc20ead048df420 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2026 16:08:45 +0800 +Subject: wifi: wl1251: validate packet IDs before indexing tx_frames + +From: Pengpeng Hou + +[ Upstream commit 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 ] + +wl1251_tx_packet_cb() uses the firmware completion ID directly to index +the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the +completion block, and the callback does not currently verify that it +fits the array before dereferencing it. + +Reject completion IDs that fall outside wl->tx_frames[] and keep the +existing NULL check in the same guard. This keeps the fix local to the +trust boundary and avoids touching the rest of the completion flow. + +Signed-off-by: Pengpeng Hou +Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/tx.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c +index 06dc74cc6cb52..2b316c78eefc9 100644 +--- a/drivers/net/wireless/ti/wl1251/tx.c ++++ b/drivers/net/wireless/ti/wl1251/tx.c +@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl, + int hdrlen; + u8 *frame; + +- skb = wl->tx_frames[result->id]; +- if (skb == NULL) { +- wl1251_error("SKB for packet %d is NULL", result->id); ++ if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) || ++ wl->tx_frames[result->id] == NULL)) { ++ wl1251_error("invalid packet id %u", result->id); + return; + } + ++ skb = wl->tx_frames[result->id]; ++ + info = IEEE80211_SKB_CB(skb); + + if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) && +-- +2.53.0 + diff --git a/queue-6.6/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch b/queue-6.6/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch new file mode 100644 index 0000000000..d3b6f10b10 --- /dev/null +++ b/queue-6.6/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch @@ -0,0 +1,43 @@ +From 8c03c101d25c0dc91011a41f81356f7c602a59b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 13:31:04 +0200 +Subject: xfrm: Wait for RCU readers during policy netns exit + +From: Steffen Klassert + +[ Upstream commit 069daad4f2ae9c5c108131995529d5f02392c446 ] + +xfrm_policy_fini() frees the policy_bydst hash tables after flushing the +policy work items and deleting all policies, but it does not wait for +concurrent RCU readers to leave their read-side critical sections first. + +The policy_bydst tables are published via rcu_assign_pointer() and are +looked up through rcu_dereference_check(), so netns teardown must also +wait for an RCU grace period before freeing the table memory. + +Fix this by adding synchronize_rcu() before freeing the policy hash tables. + +Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups") +Signed-off-by: Steffen Klassert +Reviewed-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 45851f822ec4a..82854aa258ea6 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -4215,6 +4215,8 @@ static void xfrm_policy_fini(struct net *net) + #endif + xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); + ++ synchronize_rcu(); ++ + WARN_ON(!list_empty(&net->xfrm.policy_all)); + + for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { +-- +2.53.0 + diff --git a/queue-6.6/xfrm_user-fix-info-leak-in-build_mapping.patch b/queue-6.6/xfrm_user-fix-info-leak-in-build_mapping.patch new file mode 100644 index 0000000000..dded73aab4 --- /dev/null +++ b/queue-6.6/xfrm_user-fix-info-leak-in-build_mapping.patch @@ -0,0 +1,45 @@ +From 61209c82bd16f21b976b51726dae0cab2d5b2d0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2026 17:33:03 +0200 +Subject: xfrm_user: fix info leak in build_mapping() + +From: Greg Kroah-Hartman + +[ Upstream commit 1beb76b2053b68c491b78370794b8ff63c8f8c02 ] + +struct xfrm_usersa_id has a one-byte padding hole after the proto +field, which ends up never getting set to zero before copying out to +userspace. Fix that up by zeroing out the whole structure before +setting individual variables. + +Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink") +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 74bee718573db..fd6330984f881 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -3790,6 +3790,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, + + um = nlmsg_data(nlh); + ++ memset(&um->id, 0, sizeof(um->id)); + memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); + um->id.spi = x->id.spi; + um->id.family = x->props.family; +-- +2.53.0 + diff --git a/queue-6.6/xsk-fix-xdp_umem_sg_flag-issues.patch b/queue-6.6/xsk-fix-xdp_umem_sg_flag-issues.patch new file mode 100644 index 0000000000..d057fed392 --- /dev/null +++ b/queue-6.6/xsk-fix-xdp_umem_sg_flag-issues.patch @@ -0,0 +1,62 @@ +From 8fa72989bfc3d57e2afcd575e95086ba7e688cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:53 +0200 +Subject: xsk: fix XDP_UMEM_SG_FLAG issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 93e84fe45b752d17a5a46b306ed78f0133bbc719 ] + +Currently xp_assign_dev_shared() is missing XDP_USE_SG being propagated +to flags so set it in order to preserve mtu check that is supposed to be +done only when no multi-buffer setup is in picture. + +Also, this flag has the same value as XDP_UMEM_TX_SW_CSUM so we could +get unexpected SG setups for software Tx checksums. Since csum flag is +UAPI, modify value of XDP_UMEM_SG_FLAG. + +Fixes: d609f3d228a8 ("xsk: add multi-buffer support for sockets sharing umem") +Reviewed-by: Björn Töpel +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-4-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/xdp_sock.h | 2 +- + net/xdp/xsk_buff_pool.c | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h +index 660c22521a292..84ff9bb4bfae4 100644 +--- a/include/net/xdp_sock.h ++++ b/include/net/xdp_sock.h +@@ -14,7 +14,7 @@ + #include + #include + +-#define XDP_UMEM_SG_FLAG (1 << 1) ++#define XDP_UMEM_SG_FLAG BIT(3) + + struct net_device; + struct xsk_queue; +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 6789d99fd99e0..52c4204bc224e 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -236,6 +236,10 @@ int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs, + return -EINVAL; + + flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY; ++ ++ if (umem->flags & XDP_UMEM_SG_FLAG) ++ flags |= XDP_USE_SG; ++ + if (umem_xs->pool->uses_need_wakeup) + flags |= XDP_USE_NEED_WAKEUP; + +-- +2.53.0 + diff --git a/queue-6.6/xsk-respect-tailroom-for-zc-setups.patch b/queue-6.6/xsk-respect-tailroom-for-zc-setups.patch new file mode 100644 index 0000000000..c0f7daad4c --- /dev/null +++ b/queue-6.6/xsk-respect-tailroom-for-zc-setups.patch @@ -0,0 +1,123 @@ +From 946b41e1c0a6d277041fdcdfe3e8fa1fcdc88c28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:52 +0200 +Subject: xsk: respect tailroom for ZC setups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 1ee1605138fc94cc8f8f273321dd2471c64977f9 ] + +Multi-buffer XDP stores information about frags in skb_shared_info that +sits at the tailroom of a packet. The storage space is reserved via +xdp_data_hard_end(): + + ((xdp)->data_hard_start + (xdp)->frame_sz - \ + SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) + +and then we refer to it via macro below: + +static inline struct skb_shared_info * +xdp_get_shared_info_from_buff(const struct xdp_buff *xdp) +{ + return (struct skb_shared_info *)xdp_data_hard_end(xdp); +} + +Currently we do not respect this tailroom space in multi-buffer AF_XDP +ZC scenario. To address this, introduce xsk_pool_get_tailroom() and use +it within xsk_pool_get_rx_frame_size() which is used in ZC drivers to +configure length of HW Rx buffer. + +Typically drivers on Rx Hw buffers side work on 128 byte alignment so +let us align the value returned by xsk_pool_get_rx_frame_size() in order +to avoid addressing this on driver's side. This addresses the fact that +idpf uses mentioned function *before* pool->dev being set so we were at +risk that after subtracting tailroom we would not provide 128-byte +aligned value to HW. + +Since xsk_pool_get_rx_frame_size() is actively used in xsk_rcv_check() +and __xsk_rcv(), add a variant of this routine that will not include 128 +byte alignment and therefore old behavior is preserved. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-3-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/xdp_sock_drv.h | 23 ++++++++++++++++++++++- + net/xdp/xsk.c | 4 ++-- + 2 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/include/net/xdp_sock_drv.h b/include/net/xdp_sock_drv.h +index 7dc08a4646242..f7c0ee03d4fa1 100644 +--- a/include/net/xdp_sock_drv.h ++++ b/include/net/xdp_sock_drv.h +@@ -31,16 +31,37 @@ static inline u32 xsk_pool_get_headroom(struct xsk_buff_pool *pool) + return XDP_PACKET_HEADROOM + pool->headroom; + } + ++static inline u32 xsk_pool_get_tailroom(bool mbuf) ++{ ++ return mbuf ? SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) : 0; ++} ++ + static inline u32 xsk_pool_get_chunk_size(struct xsk_buff_pool *pool) + { + return pool->chunk_size; + } + +-static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) ++static inline u32 __xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) + { + return xsk_pool_get_chunk_size(pool) - xsk_pool_get_headroom(pool); + } + ++static inline u32 xsk_pool_get_rx_frame_size(struct xsk_buff_pool *pool) ++{ ++ u32 frame_size = __xsk_pool_get_rx_frame_size(pool); ++ struct xdp_umem *umem = pool->umem; ++ bool mbuf; ++ ++ /* Reserve tailroom only for zero-copy pools that opted into ++ * multi-buffer. The reserved area is used for skb_shared_info, ++ * matching the XDP core's xdp_data_hard_end() layout. ++ */ ++ mbuf = pool->dev && (umem->flags & XDP_UMEM_SG_FLAG); ++ frame_size -= xsk_pool_get_tailroom(mbuf); ++ ++ return ALIGN_DOWN(frame_size, 128); ++} ++ + static inline u32 xsk_pool_get_rx_frag_step(struct xsk_buff_pool *pool) + { + return pool->unaligned ? 0 : xsk_pool_get_chunk_size(pool); +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 9e1ac917f9708..aed8338d591de 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -232,7 +232,7 @@ static u32 xsk_copy_xdp(void *to, void **from, u32 to_len, + + static int __xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) + { +- u32 frame_size = xsk_pool_get_rx_frame_size(xs->pool); ++ u32 frame_size = __xsk_pool_get_rx_frame_size(xs->pool); + void *copy_from = xsk_copy_xdp_start(xdp), *copy_to; + u32 from_len, meta_len, rem, num_desc; + struct xdp_buff_xsk *xskb; +@@ -324,7 +324,7 @@ static int xsk_rcv_check(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) + if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) + return -EINVAL; + +- if (len > xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) { ++ if (len > __xsk_pool_get_rx_frame_size(xs->pool) && !xs->sg) { + xs->rx_dropped++; + return -ENOSPC; + } +-- +2.53.0 + diff --git a/queue-6.6/xsk-tighten-umem-headroom-validation-to-account-for-.patch b/queue-6.6/xsk-tighten-umem-headroom-validation-to-account-for-.patch new file mode 100644 index 0000000000..e27e01266f --- /dev/null +++ b/queue-6.6/xsk-tighten-umem-headroom-validation-to-account-for-.patch @@ -0,0 +1,53 @@ +From df8382b47353d192dfb3425d09a9852f991bf7b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:51 +0200 +Subject: xsk: tighten UMEM headroom validation to account for tailroom and min + frame +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit a315e022a72d95ef5f1d4e58e903cb492b0ad931 ] + +The current headroom validation in xdp_umem_reg() could leave us with +insufficient space dedicated to even receive minimum-sized ethernet +frame. Furthermore if multi-buffer would come to play then +skb_shared_info stored at the end of XSK frame would be corrupted. + +HW typically works with 128-aligned sizes so let us provide this value +as bare minimum. + +Multi-buffer setting is known later in the configuration process so +besides accounting for 128 bytes, let us also take care of tailroom space +upfront. + +Reviewed-by: Björn Töpel +Acked-by: Stanislav Fomichev +Fixes: 99e3a236dd43 ("xsk: Add missing check on user supplied headroom size") +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-2-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index 06cead2b8e349..e3c3bab76a5d0 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -196,7 +196,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + if (!unaligned_chunks && chunks_rem) + return -EINVAL; + +- if (headroom >= chunk_size - XDP_PACKET_HEADROOM) ++ if (headroom > chunk_size - XDP_PACKET_HEADROOM - ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - 128) + return -EINVAL; + + umem->size = size; +-- +2.53.0 + diff --git a/queue-6.6/xsk-validate-mtu-against-usable-frame-size-on-bind.patch b/queue-6.6/xsk-validate-mtu-against-usable-frame-size-on-bind.patch new file mode 100644 index 0000000000..4a86725e11 --- /dev/null +++ b/queue-6.6/xsk-validate-mtu-against-usable-frame-size-on-bind.patch @@ -0,0 +1,99 @@ +From 4ae892de6cccaa13e21ee66b3cacd213ba54ab67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2026 17:49:54 +0200 +Subject: xsk: validate MTU against usable frame size on bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 36ee60b569ba0dfb6f961333b90d19ab5b323fa9 ] + +AF_XDP bind currently accepts zero-copy pool configurations without +verifying that the device MTU fits into the usable frame space provided +by the UMEM chunk. + +This becomes a problem since we started to respect tailroom which is +subtracted from chunk_size (among with headroom). 2k chunk size might +not provide enough space for standard 1500 MTU, so let us catch such +settings at bind time. Furthermore, validate whether underlying HW will +be able to satisfy configured MTU wrt XSK's frame size multiplied by +supported Rx buffer chain length (that is exposed via +net_device::xdp_zc_max_segs). + +Fixes: 24ea50127ecf ("xsk: support mbuf on ZC RX") +Reviewed-by: Björn Töpel +Signed-off-by: Maciej Fijalkowski +Link: https://patch.msgid.link/20260402154958.562179-5-maciej.fijalkowski@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_buff_pool.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 52c4204bc224e..bb9dfbe419e7c 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -8,6 +8,8 @@ + #include "xdp_umem.h" + #include "xsk.h" + ++#define ETH_PAD_LEN (ETH_HLEN + 2 * VLAN_HLEN + ETH_FCS_LEN) ++ + void xp_add_xsk(struct xsk_buff_pool *pool, struct xdp_sock *xs) + { + unsigned long flags; +@@ -149,8 +151,12 @@ static void xp_disable_drv_zc(struct xsk_buff_pool *pool) + int xp_assign_dev(struct xsk_buff_pool *pool, + struct net_device *netdev, u16 queue_id, u16 flags) + { ++ u32 needed = netdev->mtu + ETH_PAD_LEN; ++ u32 segs = netdev->xdp_zc_max_segs; ++ bool mbuf = flags & XDP_USE_SG; + bool force_zc, force_copy; + struct netdev_bpf bpf; ++ u32 frame_size; + int err = 0; + + ASSERT_RTNL(); +@@ -170,7 +176,7 @@ int xp_assign_dev(struct xsk_buff_pool *pool, + if (err) + return err; + +- if (flags & XDP_USE_SG) ++ if (mbuf) + pool->umem->flags |= XDP_UMEM_SG_FLAG; + + if (flags & XDP_USE_NEED_WAKEUP) +@@ -192,8 +198,24 @@ int xp_assign_dev(struct xsk_buff_pool *pool, + goto err_unreg_pool; + } + +- if (netdev->xdp_zc_max_segs == 1 && (flags & XDP_USE_SG)) { +- err = -EOPNOTSUPP; ++ if (mbuf) { ++ if (segs == 1) { ++ err = -EOPNOTSUPP; ++ goto err_unreg_pool; ++ } ++ } else { ++ segs = 1; ++ } ++ ++ /* open-code xsk_pool_get_rx_frame_size() as pool->dev is not ++ * set yet at this point; we are before getting down to driver ++ */ ++ frame_size = __xsk_pool_get_rx_frame_size(pool) - ++ xsk_pool_get_tailroom(mbuf); ++ frame_size = ALIGN_DOWN(frame_size, 128); ++ ++ if (needed > frame_size * segs) { ++ err = -EINVAL; + goto err_unreg_pool; + } + +-- +2.53.0 +