From: Greg Kroah-Hartman Date: Fri, 20 Mar 2026 17:18:37 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.1.167~87 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84974e359582eb00d106c387bd6c1266b5ed1fa2;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch drm-i915-dsc-add-helper-for-writing-dsc-selective-update-et-parameters.patch drm-i915-dsc-add-selective-update-register-definitions.patch drm-i915-psr-write-dsc-parameters-on-selective-update-in-et-mode.patch kprobes-remove-unneeded-goto.patch kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch ksmbd-unset-conn-binding-on-failed-binding-request.patch ksmbd-use-volume-uuid-in-fs_object_id_information.patch net-macb-introduce-gem_init_rx_ring.patch net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch powerpc64-bpf-fix-kfunc-call-support.patch powerpc64-bpf-fold-bpf_jit_emit_func_call_hlp-into-bpf_jit_emit_func_call_rel.patch s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch smb-client-fix-krb5-mount-with-username-option.patch --- diff --git a/queue-6.12/batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch b/queue-6.12/batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch new file mode 100644 index 0000000000..3f5068850d --- /dev/null +++ b/queue-6.12/batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch @@ -0,0 +1,50 @@ +From stable+bounces-227513-greg=kroah.com@vger.kernel.org Fri Mar 20 11:21:06 2026 +From: Sven Eckelmann +Date: Fri, 20 Mar 2026 11:20:40 +0100 +Subject: batman-adv: avoid OGM aggregation when skb tailroom is insufficient +To: stable@vger.kernel.org +Cc: Yang Yang , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Sven Eckelmann , Simon Wunderlich +Message-ID: <20260320102040.1648972-1-sven@narfation.org> + +From: Yang Yang + +commit 0d4aef630be9d5f9c1227d07669c26c4383b5ad0 upstream. + +When OGM aggregation state is toggled at runtime, an existing forwarded +packet may have been allocated with only packet_len bytes, while a later +packet can still be selected for aggregation. Appending in this case can +hit skb_put overflow conditions. + +Reject aggregation when the target skb tailroom cannot accommodate the new +packet. The caller then falls back to creating a new forward packet +instead of appending. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Cc: stable@vger.kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Signed-off-by: Yuan Tan +Signed-off-by: Xin Liu +Signed-off-by: Ao Zhou +Signed-off-by: Yang Yang +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +[ Adjust context ] +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -464,6 +464,9 @@ batadv_iv_ogm_can_aggregate(const struct + !time_after_eq(aggregation_end_time, forw_packet->send_time)) + return false; + ++ if (skb_tailroom(forw_packet->skb) < packet_len) ++ return false; ++ + if (aggregated_bytes > BATADV_MAX_AGGREGATION_BYTES) + return false; + diff --git a/queue-6.12/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch b/queue-6.12/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch new file mode 100644 index 0000000000..d4b9b0ace7 --- /dev/null +++ b/queue-6.12/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch @@ -0,0 +1,174 @@ +From stable+bounces-227348-greg=kroah.com@vger.kernel.org Thu Mar 19 18:18:47 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 13:04:44 -0400 +Subject: btrfs: fix transaction abort when snapshotting received subvolumes +To: stable@vger.kernel.org +Cc: Filipe Manana , Boris Burkov , Qu Wenruo , David Sterba , Sasha Levin +Message-ID: <20260319170444.2747784-1-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit e1b18b959025e6b5dbad668f391f65d34b39595a ] + +Currently a user can trigger a transaction abort by snapshotting a +previously received snapshot a bunch of times until we reach a +BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we +can store in a leaf). This is very likely not common in practice, but +if it happens, it turns the filesystem into RO mode. The snapshot, send +and set_received_subvol and subvol_setflags (used by receive) don't +require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user +could use this to turn a filesystem into RO mode and disrupt a system. + +Reproducer script: + + $ cat test.sh + #!/bin/bash + + DEV=/dev/sdi + MNT=/mnt/sdi + + # Use smallest node size to make the test faster. + mkfs.btrfs -f --nodesize 4K $DEV + mount $DEV $MNT + + # Create a subvolume and set it to RO so that it can be used for send. + btrfs subvolume create $MNT/sv + touch $MNT/sv/foo + btrfs property set $MNT/sv ro true + + # Send and receive the subvolume into snaps/sv. + mkdir $MNT/snaps + btrfs send $MNT/sv | btrfs receive $MNT/snaps + + # Now snapshot the received subvolume, which has a received_uuid, a + # lot of times to trigger the leaf overflow. + total=500 + for ((i = 1; i <= $total; i++)); do + echo -ne "\rCreating snapshot $i/$total" + btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null + done + echo + + umount $MNT + +When running the test: + + $ ./test.sh + (...) + Create subvolume '/mnt/sdi/sv' + At subvol /mnt/sdi/sv + At subvol sv + Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type + Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system + +And in dmesg/syslog: + + $ dmesg + (...) + [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! + [251067.629212] ------------[ cut here ]------------ + [251067.630033] BTRFS: Transaction aborted (error -75) + [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 + [251067.632851] Modules linked in: btrfs dm_zero (...) + [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) + [251067.646165] Tainted: [W]=WARN + [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] + [251067.649984] Code: f0 48 0f (...) + [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 + [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 + [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 + [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 + [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 + [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 + [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 + [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 + [251067.661972] Call Trace: + [251067.662292] + [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] + [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] + [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] + [251067.665238] ? _raw_spin_unlock+0x15/0x30 + [251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs] + [251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs] + [251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs] + [251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs] + [251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs] + [251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs] + [251067.670093] ? count_memcg_events+0x6d/0x180 + [251067.670849] ? handle_mm_fault+0x1a0/0x2a0 + [251067.671652] __x64_sys_ioctl+0x92/0xe0 + [251067.672406] do_syscall_64+0x50/0xf20 + [251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [251067.674096] RIP: 0033:0x7f2a495648db + [251067.674812] Code: 00 48 89 (...) + [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db + [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004 + [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 + [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910 + [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006 + [251067.686524] + [251067.686972] ---[ end trace 0000000000000000 ]--- + [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown + [251067.689049] BTRFS info (device sdi state EA): forced readonly + [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction. + [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown + [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda + +Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the +snapshot creation code when attempting to add the +BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical +and we are still able to delete the snapshot, as snapshot/subvolume +deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see +inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do +send/receive operations since it always peeks the first root ID in the +existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all +snapshots have the same content), and even if the key is missing, it +falls back to searching by BTRFS_UUID_KEY_SUBVOL key. + +A test case for fstests will be sent soon. + +Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") +CC: stable@vger.kernel.org # 3.12+ +Reviewed-by: Boris Burkov +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ adapted error check condition to omit unlikely() wrapper ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1894,6 +1894,22 @@ static noinline int create_pending_snaps + ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid, + BTRFS_UUID_KEY_RECEIVED_SUBVOL, + objectid); ++ /* ++ * We are creating of lot of snapshots of the same root that was ++ * received (has a received UUID) and reached a leaf's limit for ++ * an item. We can safely ignore this and avoid a transaction ++ * abort. A deletion of this snapshot will still work since we ++ * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key ++ * is missing (see btrfs_delete_subvolume()). Send/receive will ++ * work too since it peeks the first root id from the existing ++ * item (it could peek any), and in case it's missing it ++ * falls back to search by BTRFS_UUID_KEY_SUBVOL keys. ++ * Creation of a snapshot does not require CAP_SYS_ADMIN, so ++ * we don't want users triggering transaction aborts, either ++ * intentionally or not. ++ */ ++ if (ret == -EOVERFLOW) ++ ret = 0; + if (ret && ret != -EEXIST) { + btrfs_abort_transaction(trans, ret); + goto fail; diff --git a/queue-6.12/drm-i915-dsc-add-helper-for-writing-dsc-selective-update-et-parameters.patch b/queue-6.12/drm-i915-dsc-add-helper-for-writing-dsc-selective-update-et-parameters.patch new file mode 100644 index 0000000000..2ced66d1c8 --- /dev/null +++ b/queue-6.12/drm-i915-dsc-add-helper-for-writing-dsc-selective-update-et-parameters.patch @@ -0,0 +1,83 @@ +From bb5f1cd10101c2567bff4d0e760b74aee7c42f44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Wed, 4 Mar 2026 13:30:10 +0200 +Subject: drm/i915/dsc: Add helper for writing DSC Selective Update ET parameters +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +commit bb5f1cd10101c2567bff4d0e760b74aee7c42f44 upstream. + +There are slice row per frame and pic height configuration in DSC Selective +Update Parameter Set 1 register. Add helper for configuring these. + +v2: + - Add WARN_ON_ONCE if vdsc instances per pipe > 2 + - instead of checking vdsc instances per pipe being > 1 check == 2 + +Bspec: 71709 +Signed-off-by: Jouni Högander +Reviewed-by: Ankit Nautiyal +Link: https://patch.msgid.link/20260304113011.626542-4-jouni.hogander@intel.com +(cherry picked from commit c8698d61aeb3f70fe33761ee9d3d0e131b5bc2eb) +Signed-off-by: Tvrtko Ursulin +[tursulin: fixup forward declaration conflict] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_vdsc.c | 23 +++++++++++++++++++++++ + drivers/gpu/drm/i915/display/intel_vdsc.h | 3 +++ + 2 files changed, 26 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_vdsc.c ++++ b/drivers/gpu/drm/i915/display/intel_vdsc.c +@@ -723,6 +723,29 @@ void intel_dsc_dp_pps_write(struct intel + sizeof(dp_dsc_pps_sdp)); + } + ++void intel_dsc_su_et_parameters_configure(struct intel_dsb *dsb, struct intel_encoder *encoder, ++ const struct intel_crtc_state *crtc_state, int su_lines) ++{ ++ struct intel_display *display = to_intel_display(crtc_state); ++ struct intel_crtc *crtc = to_intel_crtc(crtc_state->uapi.crtc); ++ const struct drm_dsc_config *vdsc_cfg = &crtc_state->dsc.config; ++ enum pipe pipe = crtc->pipe; ++ int vdsc_instances_per_pipe = intel_dsc_get_vdsc_per_pipe(crtc_state); ++ int slice_row_per_frame = su_lines / vdsc_cfg->slice_height; ++ u32 val; ++ ++ drm_WARN_ON_ONCE(display->drm, su_lines % vdsc_cfg->slice_height); ++ drm_WARN_ON_ONCE(display->drm, vdsc_instances_per_pipe > 2); ++ ++ val = DSC_SUPS0_SU_SLICE_ROW_PER_FRAME(slice_row_per_frame); ++ val |= DSC_SUPS0_SU_PIC_HEIGHT(su_lines); ++ ++ intel_de_write_dsb(display, dsb, LNL_DSC0_SU_PARAMETER_SET_0(pipe), val); ++ ++ if (vdsc_instances_per_pipe == 2) ++ intel_de_write_dsb(display, dsb, LNL_DSC1_SU_PARAMETER_SET_0(pipe), val); ++} ++ + static i915_reg_t dss_ctl1_reg(struct intel_crtc *crtc, enum transcoder cpu_transcoder) + { + return is_pipe_dsc(crtc, cpu_transcoder) ? +--- a/drivers/gpu/drm/i915/display/intel_vdsc.h ++++ b/drivers/gpu/drm/i915/display/intel_vdsc.h +@@ -13,6 +13,7 @@ struct drm_printer; + enum transcoder; + struct intel_crtc; + struct intel_crtc_state; ++struct intel_dsb; + struct intel_encoder; + + bool intel_dsc_source_support(const struct intel_crtc_state *crtc_state); +@@ -29,6 +30,8 @@ void intel_dsc_dsi_pps_write(struct inte + const struct intel_crtc_state *crtc_state); + void intel_dsc_dp_pps_write(struct intel_encoder *encoder, + const struct intel_crtc_state *crtc_state); ++void intel_dsc_su_et_parameters_configure(struct intel_dsb *dsb, struct intel_encoder *encoder, ++ const struct intel_crtc_state *crtc_state, int su_lines); + void intel_vdsc_state_dump(struct drm_printer *p, int indent, + const struct intel_crtc_state *crtc_state); + diff --git a/queue-6.12/drm-i915-dsc-add-selective-update-register-definitions.patch b/queue-6.12/drm-i915-dsc-add-selective-update-register-definitions.patch new file mode 100644 index 0000000000..fdbba8e26c --- /dev/null +++ b/queue-6.12/drm-i915-dsc-add-selective-update-register-definitions.patch @@ -0,0 +1,48 @@ +From c2c79c6d5b939ae8a42ddb884f576bddae685672 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Wed, 4 Mar 2026 13:30:09 +0200 +Subject: drm/i915/dsc: Add Selective Update register definitions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +commit c2c79c6d5b939ae8a42ddb884f576bddae685672 upstream. + +Add definitions for DSC_SU_PARAMETER_SET_0_DSC0 and +DSC_SU_PARAMETER_SET_0_DSC1 registers. These are for Selective Update Early +Transport configuration. + +Bspec: 71709 +Signed-off-by: Jouni Högander +Reviewed-by: Ankit Nautiyal +Link: https://patch.msgid.link/20260304113011.626542-3-jouni.hogander@intel.com +(cherry picked from commit 24f96d903daf3dcf8fafe84d3d22b80ef47ba493) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_vdsc_regs.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_vdsc_regs.h ++++ b/drivers/gpu/drm/i915/display/intel_vdsc_regs.h +@@ -186,6 +186,18 @@ + #define DSC_PPS18_NSL_BPG_OFFSET(offset) REG_FIELD_PREP(DSC_PPS18_NSL_BPG_OFFSET_MASK, offset) + #define DSC_PPS18_SL_OFFSET_ADJ(offset) REG_FIELD_PREP(DSC_PPS18_SL_OFFSET_ADJ_MASK, offset) + ++#define _LNL_DSC0_SU_PARAMETER_SET_0_PA 0x78064 ++#define _LNL_DSC1_SU_PARAMETER_SET_0_PA 0x78164 ++#define _LNL_DSC0_SU_PARAMETER_SET_0_PB 0x78264 ++#define _LNL_DSC1_SU_PARAMETER_SET_0_PB 0x78364 ++#define LNL_DSC0_SU_PARAMETER_SET_0(pipe) _MMIO_PIPE((pipe), _LNL_DSC0_SU_PARAMETER_SET_0_PA, _LNL_DSC0_SU_PARAMETER_SET_0_PB) ++#define LNL_DSC1_SU_PARAMETER_SET_0(pipe) _MMIO_PIPE((pipe), _LNL_DSC1_SU_PARAMETER_SET_0_PA, _LNL_DSC1_SU_PARAMETER_SET_0_PB) ++ ++#define DSC_SUPS0_SU_SLICE_ROW_PER_FRAME_MASK REG_GENMASK(31, 20) ++#define DSC_SUPS0_SU_SLICE_ROW_PER_FRAME(rows) REG_FIELD_PREP(DSC_SUPS0_SU_SLICE_ROW_PER_FRAME_MASK, (rows)) ++#define DSC_SUPS0_SU_PIC_HEIGHT_MASK REG_GENMASK(15, 0) ++#define DSC_SUPS0_SU_PIC_HEIGHT(h) REG_FIELD_PREP(DSC_SUPS0_SU_PIC_HEIGHT_MASK, (h)) ++ + /* Icelake Rate Control Buffer Threshold Registers */ + #define DSCA_RC_BUF_THRESH_0 _MMIO(0x6B230) + #define DSCA_RC_BUF_THRESH_0_UDW _MMIO(0x6B230 + 4) diff --git a/queue-6.12/drm-i915-psr-write-dsc-parameters-on-selective-update-in-et-mode.patch b/queue-6.12/drm-i915-psr-write-dsc-parameters-on-selective-update-in-et-mode.patch new file mode 100644 index 0000000000..b84d0ed2da --- /dev/null +++ b/queue-6.12/drm-i915-psr-write-dsc-parameters-on-selective-update-in-et-mode.patch @@ -0,0 +1,67 @@ +From 5923a6e0459fdd3edac4ad5abccb24d777d8f1b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Wed, 4 Mar 2026 13:30:11 +0200 +Subject: drm/i915/psr: Write DSC parameters on Selective Update in ET mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +commit 5923a6e0459fdd3edac4ad5abccb24d777d8f1b6 upstream. + +There are slice row per frame and pic height parameters in DSC that needs +to be configured on every Selective Update in Early Transport mode. Use +helper provided by DSC code to configure these on Selective Update when in +Early Transport mode. Also fill crtc_state->psr2_su_area with full frame +area on full frame update for DSC calculation. + +v2: move psr2_su_area under skip_sel_fetch_set_loop label + +Bspec: 68927, 71709 +Fixes: 467e4e061c44 ("drm/i915/psr: Enable psr2 early transport as possible") +Cc: # v6.9+ +Signed-off-by: Jouni Högander +Reviewed-by: Ankit Nautiyal +Link: https://patch.msgid.link/20260304113011.626542-5-jouni.hogander@intel.com +(cherry picked from commit 3140af2fab505a4cd47d516284529bf1585628be) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_psr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -41,6 +41,7 @@ + #include "intel_psr.h" + #include "intel_psr_regs.h" + #include "intel_snps_phy.h" ++#include "intel_vdsc.h" + #include "skl_universal_plane.h" + + /** +@@ -2312,6 +2313,12 @@ void intel_psr2_program_trans_man_trk_ct + + intel_de_write(display, PIPE_SRCSZ_ERLY_TPT(crtc->pipe), + crtc_state->pipe_srcsz_early_tpt); ++ ++ if (!crtc_state->dsc.compression_enable) ++ return; ++ ++ intel_dsc_su_et_parameters_configure(NULL, encoder, crtc_state, ++ drm_rect_height(&crtc_state->psr2_su_area)); + } + + static void psr2_man_trk_ctl_calc(struct intel_crtc_state *crtc_state, +@@ -2693,6 +2700,10 @@ int intel_psr2_sel_fetch_update(struct i + } + + skip_sel_fetch_set_loop: ++ if (full_update) ++ clip_area_update(&crtc_state->psr2_su_area, &crtc_state->pipe_src, ++ &crtc_state->pipe_src); ++ + psr2_man_trk_ctl_calc(crtc_state, full_update); + crtc_state->pipe_srcsz_early_tpt = + psr2_pipe_srcsz_early_tpt_calc(crtc_state, full_update); diff --git a/queue-6.12/kprobes-remove-unneeded-goto.patch b/queue-6.12/kprobes-remove-unneeded-goto.patch new file mode 100644 index 0000000000..f4572e6eed --- /dev/null +++ b/queue-6.12/kprobes-remove-unneeded-goto.patch @@ -0,0 +1,106 @@ +From stable+bounces-227294-greg=kroah.com@vger.kernel.org Thu Mar 19 14:39:21 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 09:39:12 -0400 +Subject: kprobes: Remove unneeded goto +To: stable@vger.kernel.org +Cc: "Masami Hiramatsu (Google)" , Sasha Levin +Message-ID: <20260319133913.2477768-1-sashal@kernel.org> + +From: "Masami Hiramatsu (Google)" + +[ Upstream commit 5e5b8b49335971b68b54afeb0e7ded004945af07 ] + +Remove unneeded gotos. Since the labels referred by these gotos have +only one reference for each, we can replace those gotos with the +referred code. + +Link: https://lore.kernel.org/all/173371211203.480397.13988907319659165160.stgit@devnote2/ + +Signed-off-by: Masami Hiramatsu (Google) +Stable-dep-of: 5ef268cb7a0a ("kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kprobes.c | 45 +++++++++++++++++++++------------------------ + 1 file changed, 21 insertions(+), 24 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1082,20 +1082,18 @@ static int __arm_kprobe_ftrace(struct kp + + if (*cnt == 0) { + ret = register_ftrace_function(ops); +- if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) +- goto err_ftrace; ++ if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) { ++ /* ++ * At this point, sinec ops is not registered, we should be sefe from ++ * registering empty filter. ++ */ ++ ftrace_set_filter_ip(ops, (unsigned long)p->addr, 1, 0); ++ return ret; ++ } + } + + (*cnt)++; + return ret; +- +-err_ftrace: +- /* +- * At this point, sinec ops is not registered, we should be sefe from +- * registering empty filter. +- */ +- ftrace_set_filter_ip(ops, (unsigned long)p->addr, 1, 0); +- return ret; + } + + static int arm_kprobe_ftrace(struct kprobe *p) +@@ -1456,7 +1454,7 @@ _kprobe_addr(kprobe_opcode_t *addr, cons + unsigned long offset, bool *on_func_entry) + { + if ((symbol_name && addr) || (!symbol_name && !addr)) +- goto invalid; ++ return ERR_PTR(-EINVAL); + + if (symbol_name) { + /* +@@ -1486,11 +1484,10 @@ _kprobe_addr(kprobe_opcode_t *addr, cons + * at the start of the function. + */ + addr = arch_adjust_kprobe_addr((unsigned long)addr, offset, on_func_entry); +- if (addr) +- return addr; ++ if (!addr) ++ return ERR_PTR(-EINVAL); + +-invalid: +- return ERR_PTR(-EINVAL); ++ return addr; + } + + static kprobe_opcode_t *kprobe_addr(struct kprobe *p) +@@ -1513,15 +1510,15 @@ static struct kprobe *__get_valid_kprobe + if (unlikely(!ap)) + return NULL; + +- if (p != ap) { +- list_for_each_entry(list_p, &ap->list, list) +- if (list_p == p) +- /* kprobe p is a valid probe */ +- goto valid; +- return NULL; +- } +-valid: +- return ap; ++ if (p == ap) ++ return ap; ++ ++ list_for_each_entry(list_p, &ap->list, list) ++ if (list_p == p) ++ /* kprobe p is a valid probe */ ++ return ap; ++ ++ return NULL; + } + + /* diff --git a/queue-6.12/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch b/queue-6.12/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch new file mode 100644 index 0000000000..81d688bbad --- /dev/null +++ b/queue-6.12/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch @@ -0,0 +1,45 @@ +From stable+bounces-227295-greg=kroah.com@vger.kernel.org Thu Mar 19 14:39:20 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 09:39:13 -0400 +Subject: kprobes: Remove unneeded warnings from __arm_kprobe_ftrace() +To: stable@vger.kernel.org +Cc: "Masami Hiramatsu (Google)" , Zw Tang , Sasha Levin +Message-ID: <20260319133913.2477768-2-sashal@kernel.org> + +From: "Masami Hiramatsu (Google)" + +[ Upstream commit 5ef268cb7a0aac55521fd9881f1939fa94a8988e ] + +Remove unneeded warnings for handled errors from __arm_kprobe_ftrace() +because all caller handled the error correctly. + +Link: https://lore.kernel.org/all/177261531182.1312989.8737778408503961141.stgit@mhiramat.tok.corp.google.com/ + +Reported-by: Zw Tang +Closes: https://lore.kernel.org/all/CAPHJ_V+J6YDb_wX2nhXU6kh466Dt_nyDSas-1i_Y8s7tqY-Mzw@mail.gmail.com/ +Fixes: 9c89bb8e3272 ("kprobes: treewide: Cleanup the error messages for kprobes") +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kprobes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1077,12 +1077,12 @@ static int __arm_kprobe_ftrace(struct kp + lockdep_assert_held(&kprobe_mutex); + + ret = ftrace_set_filter_ip(ops, (unsigned long)p->addr, 0, 0); +- if (WARN_ONCE(ret < 0, "Failed to arm kprobe-ftrace at %pS (error %d)\n", p->addr, ret)) ++ if (ret < 0) + return ret; + + if (*cnt == 0) { + ret = register_ftrace_function(ops); +- if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) { ++ if (ret < 0) { + /* + * At this point, sinec ops is not registered, we should be sefe from + * registering empty filter. diff --git a/queue-6.12/ksmbd-unset-conn-binding-on-failed-binding-request.patch b/queue-6.12/ksmbd-unset-conn-binding-on-failed-binding-request.patch new file mode 100644 index 0000000000..9d110f9c62 --- /dev/null +++ b/queue-6.12/ksmbd-unset-conn-binding-on-failed-binding-request.patch @@ -0,0 +1,35 @@ +From 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 13 Mar 2026 10:00:58 +0900 +Subject: ksmbd: unset conn->binding on failed binding request + +From: Namjae Jeon + +commit 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 upstream. + +When a multichannel SMB2_SESSION_SETUP request with +SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true +but never clears it on the error path. This leaves the connection in +a binding state where all subsequent ksmbd_session_lookup_all() calls +fall back to the global sessions table. This fix it by clearing +conn->binding = false in the error path. + +Cc: stable@vger.kernel.org +Reported-by: Hyunwoo Kim +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1954,6 +1954,7 @@ out_err: + } + } + smb2_set_err_rsp(work); ++ conn->binding = false; + } else { + unsigned int iov_len; + diff --git a/queue-6.12/ksmbd-use-volume-uuid-in-fs_object_id_information.patch b/queue-6.12/ksmbd-use-volume-uuid-in-fs_object_id_information.patch new file mode 100644 index 0000000000..260bd0eefa --- /dev/null +++ b/queue-6.12/ksmbd-use-volume-uuid-in-fs_object_id_information.patch @@ -0,0 +1,47 @@ +From 3a64125730cabc34fccfbc230c2667c2e14f7308 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 13 Mar 2026 10:01:29 +0900 +Subject: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION + +From: Namjae Jeon + +commit 3a64125730cabc34fccfbc230c2667c2e14f7308 upstream. + +Use sb->s_uuid for a proper volume identifier as the primary choice. +For filesystems that do not provide a UUID, fall back to stfs.f_fsid +obtained from vfs_statfs(). + +Cc: stable@vger.kernel.org +Reported-by: Hyunwoo Kim +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -5438,7 +5438,6 @@ static int smb2_get_info_filesystem(stru + struct smb2_query_info_req *req, + struct smb2_query_info_rsp *rsp) + { +- struct ksmbd_session *sess = work->sess; + struct ksmbd_conn *conn = work->conn; + struct ksmbd_share_config *share = work->tcon->share_conf; + int fsinfoclass = 0; +@@ -5568,10 +5567,11 @@ static int smb2_get_info_filesystem(stru + + info = (struct object_id_info *)(rsp->Buffer); + +- if (!user_guest(sess->user)) +- memcpy(info->objid, user_passkey(sess->user), 16); ++ if (path.mnt->mnt_sb->s_uuid_len == 16) ++ memcpy(info->objid, path.mnt->mnt_sb->s_uuid.b, ++ path.mnt->mnt_sb->s_uuid_len); + else +- memset(info->objid, 0, 16); ++ memcpy(info->objid, &stfs.f_fsid, sizeof(stfs.f_fsid)); + + info->extended_info.magic = cpu_to_le32(EXTENDED_INFO_MAGIC); + info->extended_info.version = cpu_to_le32(1); diff --git a/queue-6.12/media-i2c-ov5647-use-our-own-mutex-for-the-ctrl-lock.patch b/queue-6.12/media-i2c-ov5647-use-our-own-mutex-for-the-ctrl-lock.patch deleted file mode 100644 index 577e07e7ad..0000000000 --- a/queue-6.12/media-i2c-ov5647-use-our-own-mutex-for-the-ctrl-lock.patch +++ /dev/null @@ -1,39 +0,0 @@ -From stable+bounces-222393-greg=kroah.com@vger.kernel.org Sun Mar 1 03:36:28 2026 -From: Xiaolei Wang -Date: Sun, 1 Mar 2026 10:35:32 +0800 -Subject: media: i2c: ov5647: use our own mutex for the ctrl lock -To: sashal@kernel.org, stable@vger.kernel.org -Cc: sakari.ailus@linux.intel.com, hverkuil+cisco@kernel.org, Xiaolei.Wang@windriver.com -Message-ID: <20260301023535.2438766-1-xiaolei.wang@windriver.com> - -From: Xiaolei Wang - -[ Upstream commit 973e42fd5d2b397bff34f0c249014902dbf65912 ] - -__v4l2_ctrl_handler_setup() and __v4l2_ctrl_modify_range() contains an -assertion to verify that the v4l2_ctrl_handler::lock is held, as it should -only be called when the lock has already been acquired. Therefore use our -own mutex for the ctrl lock, otherwise a warning will be reported. - -Fixes: 4974c2f19fd8 ("media: ov5647: Support gain, exposure and AWB controls") -Cc: stable@vger.kernel.org -Signed-off-by: Xiaolei Wang -[Sakari Ailus: Fix a minor conflict.] -Signed-off-by: Sakari Ailus -Signed-off-by: Hans Verkuil -Signed-off-by: Greg Kroah-Hartman ---- - drivers/media/i2c/ov5647.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/media/i2c/ov5647.c -+++ b/drivers/media/i2c/ov5647.c -@@ -1293,6 +1293,8 @@ static int ov5647_init_controls(struct o - - sensor->ctrls.lock = &sensor->lock; - -+ sensor->ctrls.lock = &sensor->lock; -+ - v4l2_ctrl_new_std(&sensor->ctrls, &ov5647_ctrl_ops, - V4L2_CID_AUTOGAIN, 0, 1, 1, 0); - diff --git a/queue-6.12/net-macb-introduce-gem_init_rx_ring.patch b/queue-6.12/net-macb-introduce-gem_init_rx_ring.patch new file mode 100644 index 0000000000..675cf90893 --- /dev/null +++ b/queue-6.12/net-macb-introduce-gem_init_rx_ring.patch @@ -0,0 +1,56 @@ +From stable+bounces-227549-greg=kroah.com@vger.kernel.org Fri Mar 20 15:14:09 2026 +From: Sasha Levin +Date: Fri, 20 Mar 2026 10:14:00 -0400 +Subject: net: macb: Introduce gem_init_rx_ring() +To: stable@vger.kernel.org +Cc: Kevin Hao , Simon Horman , Jakub Kicinski , Sasha Levin +Message-ID: <20260320141401.4172666-1-sashal@kernel.org> + +From: Kevin Hao + +[ Upstream commit 1a7124ecd655bcaf1845197fe416aa25cff4c3ea ] + +Extract the initialization code for the GEM RX ring into a new function. +This change will be utilized in a subsequent patch. No functional changes +are introduced. + +Signed-off-by: Kevin Hao +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260312-macb-versal-v1-1-467647173fa4@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 718d0766ce4c ("net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -2700,6 +2700,14 @@ static void macb_init_tieoff(struct macb + desc->ctrl = 0; + } + ++static void gem_init_rx_ring(struct macb_queue *queue) ++{ ++ queue->rx_tail = 0; ++ queue->rx_prepared_head = 0; ++ ++ gem_rx_refill(queue); ++} ++ + static void gem_init_rings(struct macb *bp) + { + struct macb_queue *queue; +@@ -2717,10 +2725,7 @@ static void gem_init_rings(struct macb * + queue->tx_head = 0; + queue->tx_tail = 0; + +- queue->rx_tail = 0; +- queue->rx_prepared_head = 0; +- +- gem_rx_refill(queue); ++ gem_init_rx_ring(queue); + } + + macb_init_tieoff(bp); diff --git a/queue-6.12/net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch b/queue-6.12/net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch new file mode 100644 index 0000000000..1e7a27b1dd --- /dev/null +++ b/queue-6.12/net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch @@ -0,0 +1,61 @@ +From stable+bounces-227550-greg=kroah.com@vger.kernel.org Fri Mar 20 15:14:13 2026 +From: Sasha Levin +Date: Fri, 20 Mar 2026 10:14:01 -0400 +Subject: net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume +To: stable@vger.kernel.org +Cc: Kevin Hao , Quanyang Wang , Simon Horman , Jakub Kicinski , Sasha Levin +Message-ID: <20260320141401.4172666-2-sashal@kernel.org> + +From: Kevin Hao + +[ Upstream commit 718d0766ce4c7634ce62fa78b526ea7263487edd ] + +On certain platforms, such as AMD Versal boards, the tx/rx queue pointer +registers are cleared after suspend, and the rx queue pointer register +is also disabled during suspend if WOL is enabled. Previously, we assumed +that these registers would be restored by macb_mac_link_up(). However, +in commit bf9cf80cab81, macb_init_buffers() was moved from +macb_mac_link_up() to macb_open(). Therefore, we should call +macb_init_buffers() to reinitialize the tx/rx queue pointer registers +during resume. + +Due to the reset of these two registers, we also need to adjust the +tx/rx rings accordingly. The tx ring will be handled by +gem_shuffle_tx_rings() in macb_mac_link_up(), so we only need to +initialize the rx ring here. + +Fixes: bf9cf80cab81 ("net: macb: Fix tx/rx malfunction after phy link down and up") +Reported-by: Quanyang Wang +Signed-off-by: Kevin Hao +Tested-by: Quanyang Wang +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260312-macb-versal-v1-2-467647173fa4@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -5527,8 +5527,18 @@ static int __maybe_unused macb_resume(st + rtnl_unlock(); + } + ++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) ++ macb_init_buffers(bp); ++ + for (q = 0, queue = bp->queues; q < bp->num_queues; + ++q, ++queue) { ++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) { ++ if (macb_is_gem(bp)) ++ gem_init_rx_ring(queue); ++ else ++ macb_init_rx_ring(queue); ++ } ++ + napi_enable(&queue->napi_rx); + napi_enable(&queue->napi_tx); + } diff --git a/queue-6.12/powerpc64-bpf-fix-kfunc-call-support.patch b/queue-6.12/powerpc64-bpf-fix-kfunc-call-support.patch new file mode 100644 index 0000000000..bd4767daf4 --- /dev/null +++ b/queue-6.12/powerpc64-bpf-fix-kfunc-call-support.patch @@ -0,0 +1,171 @@ +From stable+bounces-227285-greg=kroah.com@vger.kernel.org Thu Mar 19 13:55:32 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 08:51:38 -0400 +Subject: powerpc64/bpf: fix kfunc call support +To: stable@vger.kernel.org +Cc: Hari Bathini , Madhavan Srinivasan , Sasha Levin +Message-ID: <20260319125138.2389388-2-sashal@kernel.org> + +From: Hari Bathini + +[ Upstream commit 01b6ac72729610ae732ca2a66e3a642e23f6cd60 ] + +Commit 61688a82e047 ("powerpc/bpf: enable kfunc call") inadvertently +enabled kfunc call support for 32-bit powerpc but that support will +not be possible until ABI mismatch between 32-bit powerpc and eBPF is +handled in 32-bit powerpc JIT code. Till then, advertise support only +for 64-bit powerpc. Also, in powerpc ABI, caller needs to extend the +arguments properly based on signedness. The JIT code is responsible +for handling this explicitly for kfunc calls as verifier can't handle +this for each architecture-specific ABI needs. But this was not taken +care of while kfunc call support was enabled for powerpc. Fix it by +handling this with bpf_jit_find_kfunc_model() and using zero_extend() +& sign_extend() helper functions. + +Fixes: 61688a82e047 ("powerpc/bpf: enable kfunc call") +Cc: stable@vger.kernel.org +Signed-off-by: Hari Bathini +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20260303181031.390073-7-hbathini@linux.ibm.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/net/bpf_jit_comp.c | 2 + arch/powerpc/net/bpf_jit_comp64.c | 101 ++++++++++++++++++++++++++++++++++---- + 2 files changed, 94 insertions(+), 9 deletions(-) + +--- a/arch/powerpc/net/bpf_jit_comp.c ++++ b/arch/powerpc/net/bpf_jit_comp.c +@@ -362,7 +362,7 @@ void bpf_jit_free(struct bpf_prog *fp) + + bool bpf_jit_supports_kfunc_call(void) + { +- return true; ++ return IS_ENABLED(CONFIG_PPC64); + } + + bool bpf_jit_supports_far_kfunc_call(void) +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -293,6 +293,83 @@ int bpf_jit_emit_func_call_rel(u32 *imag + return 0; + } + ++static int zero_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size) ++{ ++ switch (size) { ++ case 1: ++ /* zero-extend 8 bits into 64 bits */ ++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 56)); ++ return 0; ++ case 2: ++ /* zero-extend 16 bits into 64 bits */ ++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 48)); ++ return 0; ++ case 4: ++ /* zero-extend 32 bits into 64 bits */ ++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 32)); ++ fallthrough; ++ case 8: ++ /* Nothing to do */ ++ return 0; ++ default: ++ return -1; ++ } ++} ++ ++static int sign_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size) ++{ ++ switch (size) { ++ case 1: ++ /* sign-extend 8 bits into 64 bits */ ++ EMIT(PPC_RAW_EXTSB(dst_reg, src_reg)); ++ return 0; ++ case 2: ++ /* sign-extend 16 bits into 64 bits */ ++ EMIT(PPC_RAW_EXTSH(dst_reg, src_reg)); ++ return 0; ++ case 4: ++ /* sign-extend 32 bits into 64 bits */ ++ EMIT(PPC_RAW_EXTSW(dst_reg, src_reg)); ++ fallthrough; ++ case 8: ++ /* Nothing to do */ ++ return 0; ++ default: ++ return -1; ++ } ++} ++ ++/* ++ * Handle powerpc ABI expectations from caller: ++ * - Unsigned arguments are zero-extended. ++ * - Signed arguments are sign-extended. ++ */ ++static int prepare_for_kfunc_call(const struct bpf_prog *fp, u32 *image, ++ struct codegen_context *ctx, ++ const struct bpf_insn *insn) ++{ ++ const struct btf_func_model *m = bpf_jit_find_kfunc_model(fp, insn); ++ int i; ++ ++ if (!m) ++ return -1; ++ ++ for (i = 0; i < m->nr_args; i++) { ++ /* Note that BPF ABI only allows up to 5 args for kfuncs */ ++ u32 reg = bpf_to_ppc(BPF_REG_1 + i), size = m->arg_size[i]; ++ ++ if (!(m->arg_flags[i] & BTF_FMODEL_SIGNED_ARG)) { ++ if (zero_extend(image, ctx, reg, reg, size)) ++ return -1; ++ } else { ++ if (sign_extend(image, ctx, reg, reg, size)) ++ return -1; ++ } ++ } ++ ++ return 0; ++} ++ + static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out) + { + /* +@@ -678,14 +755,16 @@ int bpf_jit_build_body(struct bpf_prog * + /* special mov32 for zext */ + EMIT(PPC_RAW_RLWINM(dst_reg, dst_reg, 0, 0, 31)); + break; +- } else if (off == 8) { +- EMIT(PPC_RAW_EXTSB(dst_reg, src_reg)); +- } else if (off == 16) { +- EMIT(PPC_RAW_EXTSH(dst_reg, src_reg)); +- } else if (off == 32) { +- EMIT(PPC_RAW_EXTSW(dst_reg, src_reg)); +- } else if (dst_reg != src_reg) +- EMIT(PPC_RAW_MR(dst_reg, src_reg)); ++ } ++ if (off == 0) { ++ /* MOV */ ++ if (dst_reg != src_reg) ++ EMIT(PPC_RAW_MR(dst_reg, src_reg)); ++ } else { ++ /* MOVSX: dst = (s8,s16,s32)src (off = 8,16,32) */ ++ if (sign_extend(image, ctx, src_reg, dst_reg, off / 8)) ++ return -1; ++ } + goto bpf_alu32_trunc; + case BPF_ALU | BPF_MOV | BPF_K: /* (u32) dst = imm */ + case BPF_ALU64 | BPF_MOV | BPF_K: /* dst = (s64) imm */ +@@ -1079,6 +1158,12 @@ emit_clear: + if (ret < 0) + return ret; + ++ /* Take care of powerpc ABI requirements before kfunc call */ ++ if (insn[i].src_reg == BPF_PSEUDO_KFUNC_CALL) { ++ if (prepare_for_kfunc_call(fp, image, ctx, &insn[i])) ++ return -1; ++ } ++ + ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr); + if (ret) + return ret; diff --git a/queue-6.12/powerpc64-bpf-fold-bpf_jit_emit_func_call_hlp-into-bpf_jit_emit_func_call_rel.patch b/queue-6.12/powerpc64-bpf-fold-bpf_jit_emit_func_call_hlp-into-bpf_jit_emit_func_call_rel.patch new file mode 100644 index 0000000000..1a256895ed --- /dev/null +++ b/queue-6.12/powerpc64-bpf-fold-bpf_jit_emit_func_call_hlp-into-bpf_jit_emit_func_call_rel.patch @@ -0,0 +1,137 @@ +From stable+bounces-227284-greg=kroah.com@vger.kernel.org Thu Mar 19 13:55:28 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 08:51:37 -0400 +Subject: powerpc64/bpf: Fold bpf_jit_emit_func_call_hlp() into bpf_jit_emit_func_call_rel() +To: stable@vger.kernel.org +Cc: Naveen N Rao , Michael Ellerman , Sasha Levin +Message-ID: <20260319125138.2389388-1-sashal@kernel.org> + +From: Naveen N Rao + +[ Upstream commit 9670f6d2097c4f97e15c67920dfddc664d7ee91c ] + +Commit 61688a82e047 ("powerpc/bpf: enable kfunc call") enhanced +bpf_jit_emit_func_call_hlp() to handle calls out to module region, where +bpf progs are generated. The only difference now between +bpf_jit_emit_func_call_hlp() and bpf_jit_emit_func_call_rel() is in +handling of the initial pass where target function address is not known. +Fold that logic into bpf_jit_emit_func_call_hlp() and rename it to +bpf_jit_emit_func_call_rel() to simplify bpf function call JIT code. + +We don't actually need to load/restore TOC across a call out to a +different kernel helper or to a different bpf program since they all +work with the kernel TOC. We only need to do it if we have to call out +to a module function. So, guard TOC load/restore with appropriate +conditions. + +Signed-off-by: Naveen N Rao +Signed-off-by: Michael Ellerman +Link: https://patch.msgid.link/20241030070850.1361304-10-hbathini@linux.ibm.com +Stable-dep-of: 01b6ac727296 ("powerpc64/bpf: fix kfunc call support") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/net/bpf_jit_comp64.c | 61 ++++++++++---------------------------- + 1 file changed, 17 insertions(+), 44 deletions(-) + +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -202,14 +202,22 @@ void bpf_jit_build_epilogue(u32 *image, + EMIT(PPC_RAW_BLR()); + } + +-static int +-bpf_jit_emit_func_call_hlp(u32 *image, u32 *fimage, struct codegen_context *ctx, u64 func) ++int bpf_jit_emit_func_call_rel(u32 *image, u32 *fimage, struct codegen_context *ctx, u64 func) + { + unsigned long func_addr = func ? ppc_function_entry((void *)func) : 0; + long reladdr; + +- if (WARN_ON_ONCE(!kernel_text_address(func_addr))) +- return -EINVAL; ++ /* bpf to bpf call, func is not known in the initial pass. Emit 5 nops as a placeholder */ ++ if (!func) { ++ for (int i = 0; i < 5; i++) ++ EMIT(PPC_RAW_NOP()); ++ /* elfv1 needs an additional instruction to load addr from descriptor */ ++ if (IS_ENABLED(CONFIG_PPC64_ELF_ABI_V1)) ++ EMIT(PPC_RAW_NOP()); ++ EMIT(PPC_RAW_MTCTR(_R12)); ++ EMIT(PPC_RAW_BCTRL()); ++ return 0; ++ } + + #ifdef CONFIG_PPC_KERNEL_PCREL + reladdr = func_addr - local_paca->kernelbase; +@@ -266,7 +274,8 @@ bpf_jit_emit_func_call_hlp(u32 *image, u + * We can clobber r2 since we get called through a + * function pointer (so caller will save/restore r2). + */ +- EMIT(PPC_RAW_LD(_R2, bpf_to_ppc(TMP_REG_2), 8)); ++ if (is_module_text_address(func_addr)) ++ EMIT(PPC_RAW_LD(_R2, bpf_to_ppc(TMP_REG_2), 8)); + } else { + PPC_LI64(_R12, func); + EMIT(PPC_RAW_MTCTR(_R12)); +@@ -276,46 +285,14 @@ bpf_jit_emit_func_call_hlp(u32 *image, u + * Load r2 with kernel TOC as kernel TOC is used if function address falls + * within core kernel text. + */ +- EMIT(PPC_RAW_LD(_R2, _R13, offsetof(struct paca_struct, kernel_toc))); ++ if (is_module_text_address(func_addr)) ++ EMIT(PPC_RAW_LD(_R2, _R13, offsetof(struct paca_struct, kernel_toc))); + } + #endif + + return 0; + } + +-int bpf_jit_emit_func_call_rel(u32 *image, u32 *fimage, struct codegen_context *ctx, u64 func) +-{ +- unsigned int i, ctx_idx = ctx->idx; +- +- if (WARN_ON_ONCE(func && is_module_text_address(func))) +- return -EINVAL; +- +- /* skip past descriptor if elf v1 */ +- func += FUNCTION_DESCR_SIZE; +- +- /* Load function address into r12 */ +- PPC_LI64(_R12, func); +- +- /* For bpf-to-bpf function calls, the callee's address is unknown +- * until the last extra pass. As seen above, we use PPC_LI64() to +- * load the callee's address, but this may optimize the number of +- * instructions required based on the nature of the address. +- * +- * Since we don't want the number of instructions emitted to increase, +- * we pad the optimized PPC_LI64() call with NOPs to guarantee that +- * we always have a five-instruction sequence, which is the maximum +- * that PPC_LI64() can emit. +- */ +- if (!image) +- for (i = ctx->idx - ctx_idx; i < 5; i++) +- EMIT(PPC_RAW_NOP()); +- +- EMIT(PPC_RAW_MTCTR(_R12)); +- EMIT(PPC_RAW_BCTRL()); +- +- return 0; +-} +- + static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out) + { + /* +@@ -1102,11 +1079,7 @@ emit_clear: + if (ret < 0) + return ret; + +- if (func_addr_fixed) +- ret = bpf_jit_emit_func_call_hlp(image, fimage, ctx, func_addr); +- else +- ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr); +- ++ ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr); + if (ret) + return ret; + diff --git a/queue-6.12/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch b/queue-6.12/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch new file mode 100644 index 0000000000..e8a4a61d97 --- /dev/null +++ b/queue-6.12/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch @@ -0,0 +1,73 @@ +From stable+bounces-227260-greg=kroah.com@vger.kernel.org Thu Mar 19 11:56:09 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 06:50:31 -0400 +Subject: s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute +To: stable@vger.kernel.org +Cc: Harald Freudenberger , Ingo Franzki , Vasily Gorbik , Sasha Levin +Message-ID: <20260319105031.2298863-1-sashal@kernel.org> + +From: Harald Freudenberger + +[ Upstream commit 598bbefa8032cc58b564a81d1ad68bd815c8dc0f ] + +The serialnr sysfs attribute for CCA cards when queried always +used the default domain for sending the request down to the card. +If for any reason exactly this default domain is disabled then +the attribute code fails to retrieve the CCA info and the sysfs +entry shows an empty string. Works as designed but the serial +number is a card attribute and thus it does not matter which +domain is used for the query. So if there are other domains on +this card available, these could be used. + +So extend the code to use AUTOSEL_DOM for the domain value to +address any online domain within the card for querying the cca +info and thus show the serialnr as long as there is one domain +usable regardless of the default domain setting. + +Fixes: 8f291ebf3270 ("s390/zcrypt: enable card/domain autoselect on ep11 cprbs") +Suggested-by: Ingo Franzki +Signed-off-by: Harald Freudenberger +Reviewed-by: Ingo Franzki +Cc: stable@vger.kernel.org +Signed-off-by: Vasily Gorbik +[ preserved zc->online as the fourth argument to cca_get_info() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/crypto/zcrypt_ccamisc.c | 12 +++++++----- + drivers/s390/crypto/zcrypt_cex4.c | 3 +-- + 2 files changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/s390/crypto/zcrypt_ccamisc.c ++++ b/drivers/s390/crypto/zcrypt_ccamisc.c +@@ -1665,11 +1665,13 @@ static int fetch_cca_info(u16 cardnr, u1 + + memset(ci, 0, sizeof(*ci)); + +- /* get first info from zcrypt device driver about this apqn */ +- rc = zcrypt_device_status_ext(cardnr, domain, &devstat); +- if (rc) +- return rc; +- ci->hwtype = devstat.hwtype; ++ /* if specific domain given, fetch status and hw info for this apqn */ ++ if (domain != AUTOSEL_DOM) { ++ rc = zcrypt_device_status_ext(cardnr, domain, &devstat); ++ if (rc) ++ return rc; ++ ci->hwtype = devstat.hwtype; ++ } + + /* prep page for rule array and var array use */ + pg = (u8 *)__get_free_page(GFP_KERNEL); +--- a/drivers/s390/crypto/zcrypt_cex4.c ++++ b/drivers/s390/crypto/zcrypt_cex4.c +@@ -85,8 +85,7 @@ static ssize_t cca_serialnr_show(struct + + memset(&ci, 0, sizeof(ci)); + +- if (ap_domain_index >= 0) +- cca_get_info(ac->id, ap_domain_index, &ci, zc->online); ++ cca_get_info(ac->id, AUTOSEL_DOM, &ci, zc->online); + + return sysfs_emit(buf, "%s\n", ci.serial); + } diff --git a/queue-6.12/series b/queue-6.12/series index 99fa1e3320..c9963a746d 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -288,7 +288,6 @@ f2fs-compress-fix-uaf-of-f2fs_inode_info-in-f2fs_free_dic.patch f2fs-fix-to-avoid-migrating-empty-section.patch blk-throttle-fix-access-race-during-throttle-policy-activation.patch dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_residue.patch -media-i2c-ov5647-use-our-own-mutex-for-the-ctrl-lock.patch net-dsa-properly-keep-track-of-conduit-reference.patch binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch xfs-get-rid-of-the-xchk_xfile_-_descr-calls.patch @@ -317,3 +316,18 @@ parisc-flush-correct-cache-in-cacheflush-syscall.patch mac80211-fix-crash-in-ieee80211_chan_bw_change-for-ap_vlan-stations.patch bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch +smb-client-fix-krb5-mount-with-username-option.patch +ksmbd-unset-conn-binding-on-failed-binding-request.patch +ksmbd-use-volume-uuid-in-fs_object_id_information.patch +drm-i915-dsc-add-selective-update-register-definitions.patch +drm-i915-dsc-add-helper-for-writing-dsc-selective-update-et-parameters.patch +drm-i915-psr-write-dsc-parameters-on-selective-update-in-et-mode.patch +s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch +powerpc64-bpf-fold-bpf_jit_emit_func_call_hlp-into-bpf_jit_emit_func_call_rel.patch +powerpc64-bpf-fix-kfunc-call-support.patch +kprobes-remove-unneeded-goto.patch +kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch +btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch +batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch +net-macb-introduce-gem_init_rx_ring.patch +net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch diff --git a/queue-6.12/smb-client-fix-krb5-mount-with-username-option.patch b/queue-6.12/smb-client-fix-krb5-mount-with-username-option.patch new file mode 100644 index 0000000000..64c74a1bfb --- /dev/null +++ b/queue-6.12/smb-client-fix-krb5-mount-with-username-option.patch @@ -0,0 +1,67 @@ +From 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Fri, 13 Mar 2026 00:03:38 -0300 +Subject: smb: client: fix krb5 mount with username option + +From: Paulo Alcantara + +commit 12b4c5d98cd7ca46d5035a57bcd995df614c14e1 upstream. + +Customer reported that some of their krb5 mounts were failing against +a single server as the client was trying to mount the shares with +wrong credentials. It turned out the client was reusing SMB session +from first mount to try mounting the other shares, even though a +different username= option had been specified to the other mounts. + +By using username mount option along with sec=krb5 to search for +principals from keytab is supported by cifs.upcall(8) since +cifs-utils-4.8. So fix this by matching username mount option in +match_session() even with Kerberos. + +For example, the second mount below should fail with -ENOKEY as there +is no 'foobar' principal in keytab (/etc/krb5.keytab). The client +ends up reusing SMB session from first mount to perform the second +one, which is wrong. + +``` +$ ktutil +ktutil: add_entry -password -p testuser -k 1 -e aes256-cts +Password for testuser@ZELDA.TEST: +ktutil: write_kt /etc/krb5.keytab +ktutil: quit +$ klist -ke +Keytab name: FILE:/etc/krb5.keytab +KVNO Principal + ---- ---------------------------------------------------------------- + 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96) +$ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser +$ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar +$ mount -t cifs | grep -Po 'username=\K\w+' +testuser +testuser +``` + +Reported-by: Oscar Santos +Signed-off-by: Paulo Alcantara (Red Hat) +Cc: David Howells +Cc: linux-cifs@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -1906,6 +1906,10 @@ static int match_session(struct cifs_ses + case Kerberos: + if (!uid_eq(ctx->cred_uid, ses->cred_uid)) + return 0; ++ if (strncmp(ses->user_name ?: "", ++ ctx->username ?: "", ++ CIFS_MAX_USERNAME_LEN)) ++ return 0; + break; + case NTLMv2: + case RawNTLMSSP: