From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 14:17:06 +0000 (+0100) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=903f70fa16cf398cb8ffda4249601ada91209e4f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch cpuidle-governors-teo-drop-misguided-target-residency-check.patch f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch intel_th-fix-error-handling-in-intel_th_output_open.patch media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch scsi-target-reset-t_task_cdb-pointer-in-error-case.patch usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch usb-lpc32xx_udc-fix-error-handling-in-probe.patch usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch --- diff --git a/queue-6.6/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch b/queue-6.6/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch new file mode 100644 index 0000000000..fe9c2887e3 
--- /dev/null +++ b/queue-6.6/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch @@ -0,0 +1,46 @@ +From 82d12088c297fa1cef670e1718b3d24f414c23f7 Mon Sep 17 00:00:00 2001 +From: Tianchu Chen +Date: Fri, 28 Nov 2025 15:53:23 +0800 +Subject: char: applicom: fix NULL pointer dereference in ac_ioctl + +From: Tianchu Chen + +commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream. + +Discovered by Atuin - Automated Vulnerability Discovery Engine. + +In ac_ioctl, the validation of IndexCard and the check for a valid +RamIO pointer are skipped when cmd is 6. However, the function +unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the +end. + +If cmd is 6, IndexCard may reference a board that does not exist +(where RamIO is NULL), leading to a NULL pointer dereference. + +Fix this by skipping the readb access when cmd is 6, as this +command is a global information query and does not target a specific +board context. + +Signed-off-by: Tianchu Chen +Acked-by: Arnd Bergmann +Cc: stable +Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/applicom.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/char/applicom.c ++++ b/drivers/char/applicom.c +@@ -836,7 +836,10 @@ static long ac_ioctl(struct file *file, + ret = -ENOTTY; + break; + } +- Dummy = readb(apbs[IndexCard].RamIO + VERS); ++ ++ if (cmd != 6) ++ Dummy = readb(apbs[IndexCard].RamIO + VERS); ++ + kfree(adgl); + mutex_unlock(&ac_mutex); + return ret; diff --git a/queue-6.6/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch b/queue-6.6/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch new file mode 100644 index 0000000000..26c88b3182 --- /dev/null +++ b/queue-6.6/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch 
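Review bot: The new guard `if (cmd != 6)` around the trailing readb() in ac_ioctl() encodes its reason only implicitly; nothing at this spot tells the next reader that 6 is the one command for which IndexCard and RamIO were never validated earlier in the function (that validation is outside the hunk), so a one-line comment is warranted, e.g. `/* cmd 6 is a global query: IndexCard was not validated above, so apbs[IndexCard] must not be touched */`. A check on `apbs[IndexCard].RamIO` alone would not be a safe substitute, because per the description IndexCard itself is unvalidated for this command and could index past the apbs array. The value read into Dummy is discarded on every path, so it is worth confirming against the hardware documentation whether this read is a required register access at all. ac_ioctl() begins outside the hunk.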
@@ -0,0 +1,55 @@ +From 9600156bb99852c216a2128cdf9f114eb67c350f Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 23:04:45 +0800 +Subject: cpufreq: nforce2: fix reference count leak in nforce2 + +From: Miaoqian Lin + +commit 9600156bb99852c216a2128cdf9f114eb67c350f upstream. + +There are two reference count leaks in this driver: + +1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count + of the PCI device, but pci_dev_put() is never called to release it, + thus leaking the reference. + +2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the + nforce2_dev which is stored in a global variable, but the reference + is never released when the module is unloaded. + +Fix both by: +- Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading + the configuration. +- Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the + global device reference. + +Found via static analysis. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq-nforce2.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/cpufreq/cpufreq-nforce2.c ++++ b/drivers/cpufreq/cpufreq-nforce2.c +@@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int + pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb); + fsb /= 1000000; + ++ pci_dev_put(nforce2_sub5); ++ + /* Check if PLL register is already set */ + pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp); + +@@ -432,6 +434,7 @@ static int __init nforce2_init(void) + static void __exit nforce2_exit(void) + { + cpufreq_unregister_driver(&nforce2_driver); ++ pci_dev_put(nforce2_dev); + } + + module_init(nforce2_init); 
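Review bot: The reference taken in nforce2_detect_chipset() is now released in nforce2_exit(), but nothing in this hunk covers nforce2_init() failing after nforce2_detect_chipset() succeeded — on a failed module init, nforce2_exit() never runs, so that reference is still leaked on that path; nforce2_init() is outside the hunk and its error path should be checked for a matching `pci_dev_put(nforce2_dev);`. In nforce2_fsb_read() the new `pci_dev_put(nforce2_sub5);` is placed after the last use of nforce2_sub5, which is correct, and since pci_dev_put() tolerates NULL the call in nforce2_exit() is safe even if detection never stored a device. A short comment at the exit-path call, `/* drop the reference taken by nforce2_detect_chipset() */`, would tie the two sites together.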
diff --git a/queue-6.6/cpuidle-governors-teo-drop-misguided-target-residency-check.patch b/queue-6.6/cpuidle-governors-teo-drop-misguided-target-residency-check.patch new file mode 100644 index 0000000000..98f9e4515a --- /dev/null +++ b/queue-6.6/cpuidle-governors-teo-drop-misguided-target-residency-check.patch 
@@ -0,0 +1,55 @@ +From a03b2011808ab02ccb7ab6b573b013b77fbb5921 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 13 Nov 2025 14:24:31 +0100 +Subject: cpuidle: governors: teo: Drop misguided target residency check + +From: Rafael J. Wysocki + +commit a03b2011808ab02ccb7ab6b573b013b77fbb5921 upstream. + +When the target residency of the current candidate idle state is +greater than the expected time till the closest timer (the sleep +length), it does not matter whether or not the tick has already been +stopped or if it is going to be stopped. The closest timer will +trigger anyway at its due time, so if an idle state with target +residency above the sleep length is selected, energy will be wasted +and there may be excess latency. + +Of course, if the closest timer were canceled before it could trigger, +a deeper idle state would be more suitable, but this is not expected +to happen (generally speaking, hrtimers are not expected to be +canceled as a rule). + +Accordingly, the teo_state_ok() check done in that case causes energy to +be wasted more often than it allows any energy to be saved (if it allows +any energy to be saved at all), so drop it and let the governor use the +teo_find_shallower_state() return value as the new candidate idle state +index. + +Fixes: 21d28cd2fa5f ("cpuidle: teo: Do not call tick_nohz_get_sleep_length() upfront") +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Tested-by: Christian Loehle +Link: https://patch.msgid.link/5955081.DvuYhMxLoT@rafael.j.wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/governors/teo.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/cpuidle/governors/teo.c ++++ b/drivers/cpuidle/governors/teo.c +@@ -595,11 +595,8 @@ static int teo_select(struct cpuidle_dri + * If the closest expected timer is before the terget residency of the + * candidate state, a shallower one needs to be found. 
+ */ +- if (drv->states[idx].target_residency_ns > duration_ns) { +- i = teo_find_shallower_state(drv, dev, idx, duration_ns, false); +- if (teo_state_ok(i, drv)) +- idx = i; +- } ++ if (drv->states[idx].target_residency_ns > duration_ns) ++ idx = teo_find_shallower_state(drv, dev, idx, duration_ns, false); + + /* + * If the selected state's target residency is below the tick length diff --git a/queue-6.6/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch b/queue-6.6/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch new file mode 100644 index 0000000000..84de5ff790 --- /dev/null +++ b/queue-6.6/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch 
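Review bot: The reason teo_find_shallower_state()'s result is now used unconditionally lives only in the commit message; the comment above the new `if` (its tail is context in this hunk) still says just that "a shallower one needs to be found", so a reader will wonder why the previous teo_state_ok() filter was dropped. Suggest extending that comment with `* The closest timer fires regardless of the tick state, so the shallower state is used as-is; filtering it through teo_state_ok() only wasted energy.` The same comment carries the typo "terget" (a context line here), which could be fixed while it is touched. teo_select() begins and ends outside the hunk.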
@@ -0,0 +1,80 @@ +From 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 Mon Sep 17 00:00:00 2001 +From: Jan Prusakowski +Date: Mon, 6 Oct 2025 10:46:15 +0200 +Subject: f2fs: ensure node page reads complete before f2fs_put_super() finishes + +From: Jan Prusakowski + +commit 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 upstream. + +Xfstests generic/335, generic/336 sometimes crash with the following message: + +F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 +------------[ cut here ]------------ +kernel BUG at fs/f2fs/super.c:1939! +Oops: invalid opcode: 0000 [#1] SMP NOPTI +CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) +Tainted: [W]=WARN +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:f2fs_put_super+0x3b3/0x3c0 +Call Trace: + + generic_shutdown_super+0x7e/0x190 + kill_block_super+0x1a/0x40 + kill_f2fs_super+0x9d/0x190 + deactivate_locked_super+0x30/0xb0 + cleanup_mnt+0xba/0x150 + task_work_run+0x5c/0xa0 + exit_to_user_mode_loop+0xb7/0xc0 + do_syscall_64+0x1ae/0x1c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +---[ end trace 0000000000000000 ]--- + +It appears that sometimes it is possible that f2fs_put_super() is called before +all node page reads are completed. +Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem. 
+ +Cc: stable@kernel.org +Fixes: 20872584b8c0b ("f2fs: fix to drop all dirty meta/node pages during umount()") +Signed-off-by: Jan Prusakowski +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1637,14 +1637,6 @@ static void f2fs_put_super(struct super_ + truncate_inode_pages_final(META_MAPPING(sbi)); + } + +- for (i = 0; i < NR_COUNT_TYPE; i++) { +- if (!get_pages(sbi, i)) +- continue; +- f2fs_err(sbi, "detect filesystem reference count leak during " +- "umount, type: %d, count: %lld", i, get_pages(sbi, i)); +- f2fs_bug_on(sbi, 1); +- } +- + f2fs_bug_on(sbi, sbi->fsync_node_num); + + f2fs_destroy_compress_inode(sbi); +@@ -1655,6 +1647,15 @@ static void f2fs_put_super(struct super_ + iput(sbi->meta_inode); + sbi->meta_inode = NULL; + ++ /* Should check the page counts after dropping all node/meta pages */ ++ for (i = 0; i < NR_COUNT_TYPE; i++) { ++ if (!get_pages(sbi, i)) ++ continue; ++ f2fs_err(sbi, "detect filesystem reference count leak during " ++ "umount, type: %d, count: %lld", i, get_pages(sbi, i)); ++ f2fs_bug_on(sbi, 1); ++ } ++ + /* + * iput() can update stat information, if f2fs_write_checkpoint() + * above failed with error. diff --git a/queue-6.6/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch b/queue-6.6/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch new file mode 100644 index 0000000000..b19a22ff85 --- /dev/null +++ b/queue-6.6/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch 
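Review bot: The super.c hunk only moves the per-type page-count check after `iput(sbi->node_inode)`/`iput(sbi->meta_inode)`, while the description says the fix is a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE — no such call appears here, so either the description is stale or the 6.6 backport is incomplete, and that should be confirmed against the upstream commit before this is queued. If the intent is that truncate_inode_pages_final() inside iput() is what waits for the in-flight node reads, the new comment `/* Should check the page counts after dropping all node/meta pages */` could say so explicitly, e.g. `/* node/meta inodes are gone, so in-flight reads have completed: only now are the counters meaningful */`. f2fs_put_super() begins and ends outside the hunk.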
@@ -0,0 +1,143 @@ +From 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 Mon Sep 17 00:00:00 2001 +From: Xiaole He +Date: Mon, 27 Oct 2025 17:23:41 +0800 +Subject: f2fs: fix age extent cache insertion skip on counter overflow + +From: Xiaole He + +commit 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 upstream. + +The age extent cache uses last_blocks (derived from +allocated_data_blocks) to determine data age. However, there's a +conflict between the deletion +marker (last_blocks=0) and legitimate last_blocks=0 cases when +allocated_data_blocks overflows to 0 after reaching ULLONG_MAX. + +In this case, valid extents are incorrectly skipped due to the +"if (!tei->last_blocks)" check in __update_extent_tree_range(). + +This patch fixes the issue by: +1. Reserving ULLONG_MAX as an invalid/deletion marker +2. Limiting allocated_data_blocks to range [0, ULLONG_MAX-1] +3. Using F2FS_EXTENT_AGE_INVALID for deletion scenarios +4. Adjusting overflow age calculation from ULLONG_MAX to (ULLONG_MAX-1) + +Reproducer (using a patched kernel with allocated_data_blocks +initialized to ULLONG_MAX - 3 for quick testing): + +Step 1: Mount and check initial state + # dd if=/dev/zero of=/tmp/test.img bs=1M count=100 + # mkfs.f2fs -f /tmp/test.img + # mkdir -p /mnt/f2fs_test + # mount -t f2fs -o loop,age_extent_cache /tmp/test.img /mnt/f2fs_test + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 18446744073709551612 # ULLONG_MAX - 3 + Inner Struct Count: tree: 1(0), node: 0 + +Step 2: Create files and write data to trigger overflow + # touch /mnt/f2fs_test/{1,2,3,4}.txt; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 18446744073709551613 # ULLONG_MAX - 2 + Inner Struct Count: tree: 5(0), node: 1 + + # dd if=/dev/urandom of=/mnt/f2fs_test/1.txt bs=4K count=1; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 18446744073709551614 # ULLONG_MAX - 1 + Inner Struct Count: tree: 5(0), 
node: 2 + + # dd if=/dev/urandom of=/mnt/f2fs_test/2.txt bs=4K count=1; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 18446744073709551615 # ULLONG_MAX + Inner Struct Count: tree: 5(0), node: 3 + + # dd if=/dev/urandom of=/mnt/f2fs_test/3.txt bs=4K count=1; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 0 # Counter overflowed! + Inner Struct Count: tree: 5(0), node: 4 + +Step 3: Trigger the bug - next write should create node but gets skipped + # dd if=/dev/urandom of=/mnt/f2fs_test/4.txt bs=4K count=1; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 1 + Inner Struct Count: tree: 5(0), node: 4 + + Expected: node: 5 (new extent node for 4.txt) + Actual: node: 4 (extent insertion was incorrectly skipped due to + last_blocks = allocated_data_blocks = 0 in __get_new_block_age) + +After this fix, the extent node is correctly inserted and node count +becomes 5 as expected. 
+ +Fixes: 71644dff4811 ("f2fs: add block_age-based extent cache") +Cc: stable@kernel.org +Signed-off-by: Xiaole He +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/extent_cache.c | 5 +++-- + fs/f2fs/f2fs.h | 6 ++++++ + fs/f2fs/segment.c | 9 +++++++-- + 3 files changed, 16 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -755,7 +755,7 @@ static void __update_extent_tree_range(s + } + goto out_read_extent_cache; + update_age_extent_cache: +- if (!tei->last_blocks) ++ if (tei->last_blocks == F2FS_EXTENT_AGE_INVALID) + goto out_read_extent_cache; + + __set_extent_info(&ei, fofs, len, 0, false, +@@ -859,7 +859,7 @@ static int __get_new_block_age(struct in + cur_age = cur_blocks - tei.last_blocks; + else + /* allocated_data_blocks overflow */ +- cur_age = ULLONG_MAX - tei.last_blocks + cur_blocks; ++ cur_age = (ULLONG_MAX - 1) - tei.last_blocks + cur_blocks; + + if (tei.age) + ei->age = __calculate_block_age(sbi, cur_age, tei.age); +@@ -1063,6 +1063,7 @@ void f2fs_update_age_extent_cache_range( + struct extent_info ei = { + .fofs = fofs, + .len = len, ++ .last_blocks = F2FS_EXTENT_AGE_INVALID, + }; + + if (!__may_extent_tree(dn->inode, EX_BLOCK_AGE)) +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -626,6 +626,12 @@ enum extent_type { + NR_EXTENT_CACHES, + }; + ++/* ++ * Reserved value to mark invalid age extents, hence valid block range ++ * from 0 to ULLONG_MAX-1 ++ */ ++#define F2FS_EXTENT_AGE_INVALID ULLONG_MAX ++ + struct extent_info { + unsigned int fofs; /* start offset in a file */ + unsigned int len; /* length of the extent */ +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -3542,8 +3542,13 @@ skip_new_segment: + locate_dirty_segment(sbi, GET_SEGNO(sbi, old_blkaddr)); + locate_dirty_segment(sbi, GET_SEGNO(sbi, *new_blkaddr)); + +- if (IS_DATASEG(curseg->seg_type)) +- atomic64_inc(&sbi->allocated_data_blocks); ++ if (IS_DATASEG(curseg->seg_type)) { ++ unsigned 
long long new_val; ++ ++ new_val = atomic64_inc_return(&sbi->allocated_data_blocks); ++ if (unlikely(new_val == ULLONG_MAX)) ++ atomic64_set(&sbi->allocated_data_blocks, 0); ++ } + + up_write(&sit_i->sentry_lock); + diff --git a/queue-6.6/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch b/queue-6.6/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch new file mode 100644 index 0000000000..5a77d6c039 --- /dev/null +++ b/queue-6.6/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch 
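Review bot: In the segment.c hunk, `atomic64_inc_return()` followed by `atomic64_set(..., 0)` leaves a window in which allocated_data_blocks holds ULLONG_MAX, i.e. F2FS_EXTENT_AGE_INVALID; writers are serialized by sentry_lock here (the `up_write()` follows), but a reader such as __get_new_block_age() that samples the counter without that lock could capture ULLONG_MAX as last_blocks and reproduce exactly the skipped insertion this patch fixes. If readers are indeed lockless, normalizing on the read side — `if (cur_blocks == F2FS_EXTENT_AGE_INVALID) cur_blocks = 0;` wherever the counter is read — closes the window; reaching 2^64 allocations is of course theoretical, so this is about making the invariant airtight rather than a practical risk. The extent_cache.c change to `(ULLONG_MAX - 1) - tei.last_blocks + cur_blocks` is consistent with the new modulus and, by my arithmetic, like the previous expression yields one less than the true wrapped distance, which is harmless for an age estimate but could be noted in a comment.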
@@ -0,0 +1,80 @@ +From 01fba45deaddcce0d0b01c411435d1acf6feab7b Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 5 Nov 2025 14:50:22 +0800 +Subject: f2fs: fix return value of f2fs_recover_fsync_data() + +From: Chao Yu + +commit 01fba45deaddcce0d0b01c411435d1acf6feab7b upstream. + +With below scripts, it will trigger panic in f2fs: + +mkfs.f2fs -f /dev/vdd +mount /dev/vdd /mnt/f2fs +touch /mnt/f2fs/foo +sync +echo 111 >> /mnt/f2fs/foo +f2fs_io fsync /mnt/f2fs/foo +f2fs_io shutdown 2 /mnt/f2fs +umount /mnt/f2fs +mount -o ro,norecovery /dev/vdd /mnt/f2fs +or +mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs + +F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 +F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f +F2FS-fs (vdd): Stopped filesystem due to reason: 0 +F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 +Filesystem f2fs get_tree() didn't set fc->root, returned 1 +------------[ cut here ]------------ +kernel BUG at fs/super.c:1761! +Oops: invalid opcode: 0000 [#1] SMP PTI +CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:vfs_get_tree.cold+0x18/0x1a +Call Trace: + + fc_mount+0x13/0xa0 + path_mount+0x34e/0xc50 + __x64_sys_mount+0x121/0x150 + do_syscall_64+0x84/0x800 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x7fa6cc126cfe + +The root cause is we missed to handle error number returned from +f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or +ro,disable_roll_forward mount option, result in returning a positive +error number to vfs_get_tree(), fix it. 
+ +Cc: stable@kernel.org +Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -4692,11 +4692,15 @@ try_onemore: + } + } else { + err = f2fs_recover_fsync_data(sbi, true); +- +- if (!f2fs_readonly(sb) && err > 0) { +- err = -EINVAL; +- f2fs_err(sbi, "Need to recover fsync data"); +- goto free_meta; ++ if (err > 0) { ++ if (!f2fs_readonly(sb)) { ++ f2fs_err(sbi, "Need to recover fsync data"); ++ err = -EINVAL; ++ goto free_meta; ++ } else { ++ f2fs_info(sbi, "drop all fsynced data"); ++ err = 0; ++ } + } + } + diff --git a/queue-6.6/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch b/queue-6.6/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch new file mode 100644 index 0000000000..082dddb095 --- /dev/null +++ b/queue-6.6/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch 
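Review bot: In the super.c hunk the `else` after a branch that ends in `goto free_meta;` is redundant, so the new block reads more simply as `if (!f2fs_readonly(sb)) { f2fs_err(...); err = -EINVAL; goto free_meta; }` followed by `f2fs_info(sbi, "drop all fsynced data"); err = 0;` at the same nesting level. It is also worth confirming what happens when f2fs_recover_fsync_data(sbi, true) returns a negative error: the hunk only clears positive values, and whatever handles `err < 0` is outside it. The message "drop all fsynced data" may overstate things for a read-only mount, where the unrecovered fsync data presumably stays on disk until a later writable mount; if so, wording like "skip recovery of fsynced data (read-only mount)" would be more accurate.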
@@ -0,0 +1,65 @@ +From 7c37c79510329cd951a4dedf3f7bf7e2b18dccec Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 20 Oct 2025 10:42:12 +0800 +Subject: f2fs: fix to avoid updating zero-sized extent in extent cache + +From: Chao Yu + +commit 7c37c79510329cd951a4dedf3f7bf7e2b18dccec upstream. + +As syzbot reported: + +F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] +------------[ cut here ]------------ +kernel BUG at fs/f2fs/extent_cache.c:678! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678 +Call Trace: + + f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085 + f2fs_do_zero_range fs/f2fs/file.c:1657 [inline] + f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737 + f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030 + vfs_fallocate+0x669/0x7e0 fs/open.c:342 + ioctl_preallocate fs/ioctl.c:289 [inline] + file_ioctl+0x611/0x780 fs/ioctl.c:-1 + do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576 + __do_sys_ioctl fs/ioctl.c:595 [inline] + __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f07bc58eec9 + +In error path of f2fs_zero_range(), it may add a zero-sized extent +into extent cache, it should be avoided. 
+ +Fixes: 6e9619499f53 ("f2fs: support in batch fzero in dnode page") +Cc: stable@kernel.org +Reported-by: syzbot+24124df3170c3638b35f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/68e5d698.050a0220.256323.0032.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1584,8 +1584,11 @@ static int f2fs_do_zero_range(struct dno + f2fs_set_data_blkaddr(dn, NEW_ADDR); + } + +- f2fs_update_read_extent_cache_range(dn, start, 0, index - start); +- f2fs_update_age_extent_cache_range(dn, start, index - start); ++ if (index > start) { ++ f2fs_update_read_extent_cache_range(dn, start, 0, ++ index - start); ++ f2fs_update_age_extent_cache_range(dn, start, index - start); ++ } + + return ret; + } diff --git a/queue-6.6/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch b/queue-6.6/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch new file mode 100644 index 0000000000..61ffe38151 --- /dev/null +++ b/queue-6.6/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch 
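Review bot: The new `if (index > start)` guard in f2fs_do_zero_range() carries no comment tying it to the failure it prevents, and `index - start` is now computed twice; naming it once makes the intent clearer, e.g. a local `len = index - start;` then `if (len) { ... }` with the comment `/* an error before the first block leaves len == 0; a zero-length extent trips f2fs_bug_on() in __update_extent_tree_range() */`. The relation index >= start is assumed from the loop preceding the hunk (outside it), so that should be confirmed. f2fs_do_zero_range() begins outside the hunk.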
@@ -0,0 +1,91 @@ +From d33f89b34aa313f50f9a512d58dd288999f246b0 Mon Sep 17 00:00:00 2001 +From: Deepanshu Kartikey +Date: Mon, 27 Oct 2025 18:36:34 +0530 +Subject: f2fs: invalidate dentry cache on failed whiteout creation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Deepanshu Kartikey + +commit d33f89b34aa313f50f9a512d58dd288999f246b0 upstream. + +F2FS can mount filesystems with corrupted directory depth values that +get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT +operations are performed on such directories, f2fs_rename performs +directory modifications (updating target entry and deleting source +entry) before attempting to add the whiteout entry via f2fs_add_link. + +If f2fs_add_link fails due to the corrupted directory structure, the +function returns an error to VFS, but the partial directory +modifications have already been committed to disk. VFS assumes the +entire rename operation failed and does not update the dentry cache, +leaving stale mappings. + +In the error path, VFS does not call d_move() to update the dentry +cache. This results in new_dentry still pointing to the old inode +(new_inode) which has already had its i_nlink decremented to zero. +The stale cache causes subsequent operations to incorrectly reference +the freed inode. + +This causes subsequent operations to use cached dentry information that +no longer matches the on-disk state. When a second rename targets the +same entry, VFS attempts to decrement i_nlink on the stale inode, which +may already have i_nlink=0, triggering a WARNING in drop_nlink(). + +Example sequence: +1. First rename (RENAME_WHITEOUT): file2 → file1 + - f2fs updates file1 entry on disk (points to inode 8) + - f2fs deletes file2 entry on disk + - f2fs_add_link(whiteout) fails (corrupted directory) + - Returns error to VFS + - VFS does not call d_move() due to error + - VFS cache still has: file1 → inode 7 (stale!) 
+ - inode 7 has i_nlink=0 (already decremented) + +2. Second rename: file3 → file1 + - VFS uses stale cache: file1 → inode 7 + - Tries to drop_nlink on inode 7 (i_nlink already 0) + - WARNING in drop_nlink() + +Fix this by explicitly invalidating old_dentry and new_dentry when +f2fs_add_link fails during whiteout creation. This forces VFS to +refresh from disk on subsequent operations, ensuring cache consistency +even when the rename partially succeeds. + +Reproducer: +1. Mount F2FS image with corrupted i_current_depth +2. renameat2(file2, file1, RENAME_WHITEOUT) +3. renameat2(file3, file1, 0) +4. System triggers WARNING in drop_nlink() + +Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT") +Reported-by: syzbot+632cf32276a9a564188d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d +Suggested-by: Chao Yu +Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1] +Cc: stable@vger.kernel.org +Signed-off-by: Deepanshu Kartikey +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/namei.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -1044,9 +1044,11 @@ static int f2fs_rename(struct mnt_idmap + if (whiteout) { + set_inode_flag(whiteout, FI_INC_LINK); + err = f2fs_add_link(old_dentry, whiteout); +- if (err) ++ if (err) { ++ d_invalidate(old_dentry); ++ d_invalidate(new_dentry); + goto put_out_dir; +- ++ } + spin_lock(&whiteout->i_lock); + whiteout->i_state &= ~I_LINKABLE; + spin_unlock(&whiteout->i_lock); diff --git a/queue-6.6/intel_th-fix-error-handling-in-intel_th_output_open.patch b/queue-6.6/intel_th-fix-error-handling-in-intel_th_output_open.patch new file mode 100644 index 0000000000..69401b0e8c --- /dev/null +++ b/queue-6.6/intel_th-fix-error-handling-in-intel_th_output_open.patch 
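Review bot: The two `d_invalidate()` calls in the new error branch of f2fs_rename() repair the dcache, but they leave the on-disk directory in the half-renamed state the description acknowledges (target entry rewritten, source entry removed, whiteout missing, new_inode's nlink already dropped), and nothing here records that. Unless f2fs_add_link()'s failure path already does it, the branch should also flag the filesystem for repair, e.g. `set_sbi_flag(F2FS_I_SB(old_dir), SBI_NEED_FSCK);` with a warning naming the directory, so the inconsistency is surfaced rather than silently persisted. A one-line comment such as `/* dir was already modified; drop stale dentries so VFS re-reads from disk */` would help the next reader. f2fs_rename() begins and ends outside the hunk.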
@@ -0,0 +1,71 @@ +From 6d5925b667e4ed9e77c8278cc215191d29454a3f Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 12 Nov 2025 17:17:23 +0800 +Subject: intel_th: Fix error handling in intel_th_output_open + +From: Ma Ke + +commit 6d5925b667e4ed9e77c8278cc215191d29454a3f upstream. + +intel_th_output_open() calls bus_find_device_by_devt() which +internally increments the device reference count via get_device(), but +this reference is not properly released in several error paths. When +device driver is unavailable, file operations cannot be obtained, or +the driver's open method fails, the function returns without calling +put_device(), leading to a permanent device reference count leak. This +prevents the device from being properly released and could cause +resource exhaustion over time. + +Found by code review. + +Cc: stable +Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20251112091723.35963-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/core.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -810,13 +810,17 @@ static int intel_th_output_open(struct i + int err; + + dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev); +- if (!dev || !dev->driver) +- return -ENODEV; ++ if (!dev || !dev->driver) { ++ err = -ENODEV; ++ goto out_no_device; ++ } + + thdrv = to_intel_th_driver(dev->driver); + fops = fops_get(thdrv->fops); +- if (!fops) +- return -ENODEV; ++ if (!fops) { ++ err = -ENODEV; ++ goto out_put_device; ++ } + + replace_fops(file, fops); + +@@ -824,10 +828,16 @@ static int intel_th_output_open(struct i + + if (file->f_op->open) { + err = file->f_op->open(inode, file); +- return err; ++ if (err) ++ goto out_put_device; + } + + return 0; ++ ++out_put_device: ++ put_device(dev); ++out_no_device: ++ return 
err; + } + + static const struct file_operations intel_th_output_fops = { diff --git a/queue-6.6/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch b/queue-6.6/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch new file mode 100644 index 0000000000..22be61baf6 --- /dev/null +++ b/queue-6.6/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch @@ -0,0 +1,38 @@ +From b91e6aafe8d356086cc621bc03e35ba2299e4788 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 21 Apr 2025 21:52:44 +0900 +Subject: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() + +From: Jeongjun Park + +commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream. + +rlen value is a user-controlled value, but dtv5100_i2c_msg() does not +check the size of the rlen value. Therefore, if it is set to a value +larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. + +Therefore, we need to add proper range checking to prevent this vuln. + +Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353") +Cc: stable@vger.kernel.org +Signed-off-by: Jeongjun Park +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/dvb-usb/dtv5100.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/usb/dvb-usb/dtv5100.c ++++ b/drivers/media/usb/dvb-usb/dtv5100.c +@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_us + } + index = (addr << 8) + wbuf[0]; + ++ if (rlen > sizeof(st->data)) { ++ warn("rlen = %x is too big!\n", rlen); ++ return -EINVAL; ++ } ++ + memcpy(st->data, rbuf, rlen); + msleep(1); /* avoid I2C errors */ + return usb_control_msg(d->udev, pipe, request, diff --git a/queue-6.6/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch b/queue-6.6/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch new file mode 100644 index 0000000000..28369e1fe6 --- /dev/null +++ b/queue-6.6/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch 
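Review bot: The successful path of intel_th_output_open() still returns without `put_device(dev)`, so unless the fops installed by replace_fops() drop that reference in their release (not visible here), a successful open leaks it in the same way the error paths used to; if the device is only needed while locating thdrv and fops, the reference could be dropped unconditionally before returning on every path, including success. As written, `out_no_device:` only returns err, so the first check could simply `return -ENODEV;` and the label be dropped — a style nit. After replace_fops() the fops reference appears to belong to the file, so the error return after a failed `file->f_op->open` leaving fops_put() to the file's release looks intentional but asymmetric and deserves a short comment. intel_th_output_open() begins outside the hunk.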
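Review bot: The new `rlen > sizeof(st->data)` check sits after `index = (addr << 8) + wbuf[0];`, so it is worth confirming that wlen is validated above the hunk (outside it); if it is not, `wbuf[0]` is an unchecked read of the same caller-controlled kind the patch fixes for rlen. Since the check is pure argument validation it would read more naturally at the top of the function, before any derived values are computed. The `warn()` uses `%x` for rlen, which is awkward to compare against sizeof(st->data); a decimal conversion matching rlen's type would be easier to correlate. dtv5100_i2c_msg() begins outside the hunk.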
@@ -0,0 +1,34 @@
+From be440980eace19c035a0745fd6b6e42707bc4f49 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Wed, 3 Sep 2025 09:44:16 +0100
+Subject: media: pvrusb2: Fix incorrect variable used in trace message
+
+From: Colin Ian King
+
+commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream.
+
+The pvr2_trace message is reporting an error about control read
+transfers, however it is using the incorrect variable write_len
+instead of read_lean. Fix this by using the correct variable
+read_len.
+
+Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
+Cc: stable@vger.kernel.org
+Signed-off-by: Colin Ian King
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -3622,7 +3622,7 @@ static int pvr2_send_request_ex(struct p
+ pvr2_trace(
+ PVR2_TRACE_ERROR_LEGS,
+ "Attempted to execute %d byte control-read transfer (limit=%d)",
+- write_len,PVR2_CTL_BUFFSIZE);
++ read_len, PVR2_CTL_BUFFSIZE);
+ return -EINVAL;
+ }
+ if ((!write_len) && (!read_len)) {
diff --git a/queue-6.6/nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch b/queue-6.6/nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch
new file mode 100644
index 0000000000..2aae27f51b
@@ -0,0 +1,34 @@ +From 6f52063db9aabdaabea929b1e998af98c2e8d917 Mon Sep 17 00:00:00 2001 +From: Dai Ngo +Date: Wed, 5 Nov 2025 12:45:54 -0800 +Subject: NFSD: use correct reservation type in nfsd4_scsi_fence_client + +From: Dai Ngo + +commit 6f52063db9aabdaabea929b1e998af98c2e8d917 upstream. + +The reservation type argument for the pr_preempt call should match the +one used in nfsd4_block_get_device_info_scsi. + +Fixes: f99d4fbdae67 ("nfsd: add SCSI layout support") +Cc: stable@vger.kernel.org +Signed-off-by: Dai Ngo +Reviewed-by: Christoph Hellwig +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/blocklayout.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/blocklayout.c ++++ b/fs/nfsd/blocklayout.c +@@ -334,7 +334,8 @@ nfsd4_scsi_fence_client(struct nfs4_layo + struct block_device *bdev = ls->ls_file->nf_file->f_path.mnt->mnt_sb->s_bdev; + + bdev->bd_disk->fops->pr_ops->pr_preempt(bdev, NFSD_MDS_PR_KEY, +- nfsd4_scsi_pr_key(clp), 0, true); ++ nfsd4_scsi_pr_key(clp), ++ PR_EXCLUSIVE_ACCESS_REG_ONLY, true); + } + + const struct nfsd4_layout_ops scsi_layout_ops = { diff --git a/queue-6.6/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch b/queue-6.6/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch new file mode 100644 index 0000000000..37856b9970 --- /dev/null +++ b/queue-6.6/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch 
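Review bot: The return value of `pr_preempt()` is still discarded, so when the preemption fails (the device rejects the request or the I/O errors out) the client is not fenced, yet the caller proceeds as if it were. At minimum the failure should be visible: `ret = bdev->bd_disk->fops->pr_ops->pr_preempt(...); if (ret) pr_warn("nfsd: SCSI layout fence failed: %d\n", ret);`. Whether the caller can do anything more depends on the fence_client contract in nfsd4_layout_ops, which is outside the hunk, as is the function's signature.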
@@ -0,0 +1,57 @@ +From 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Oct 2025 07:45:37 +0200 +Subject: phy: broadcom: bcm63xx-usbh: fix section mismatches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johan Hovold + +commit 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 upstream. + +Platform drivers can be probed after their init sections have been +discarded (e.g. on probe deferral or manual rebind through sysfs) so the +probe function and match table must not live in init. + +Fixes: 783f6d3dcf35 ("phy: bcm63xx-usbh: Add BCM63xx USBH driver") +Cc: stable@vger.kernel.org # 5.9 +Cc: Álvaro Fernández Rojas +Signed-off-by: Johan Hovold +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20251017054537.6884-1-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/phy/broadcom/phy-bcm63xx-usbh.c ++++ b/drivers/phy/broadcom/phy-bcm63xx-usbh.c +@@ -375,7 +375,7 @@ static struct phy *bcm63xx_usbh_phy_xlat + return of_phy_simple_xlate(dev, args); + } + +-static int __init bcm63xx_usbh_phy_probe(struct platform_device *pdev) ++static int bcm63xx_usbh_phy_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct bcm63xx_usbh_phy *usbh; +@@ -432,7 +432,7 @@ static int __init bcm63xx_usbh_phy_probe + return 0; + } + +-static const struct of_device_id bcm63xx_usbh_phy_ids[] __initconst = { ++static const struct of_device_id bcm63xx_usbh_phy_ids[] = { + { .compatible = "brcm,bcm6318-usbh-phy", .data = &usbh_bcm6318 }, + { .compatible = "brcm,bcm6328-usbh-phy", .data = &usbh_bcm6328 }, + { .compatible = "brcm,bcm6358-usbh-phy", .data = &usbh_bcm6358 }, +@@ -443,7 +443,7 @@ static const struct of_device_id bcm63xx + }; + MODULE_DEVICE_TABLE(of, bcm63xx_usbh_phy_ids); + +-static struct 
platform_driver bcm63xx_usbh_phy_driver __refdata = { ++static struct platform_driver bcm63xx_usbh_phy_driver = { + .driver = { + .name = "bcm63xx-usbh-phy", + .of_match_table = bcm63xx_usbh_phy_ids, diff --git a/queue-6.6/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch b/queue-6.6/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch new file mode 100644 index 0000000000..c21ba11f26 --- /dev/null +++ b/queue-6.6/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch @@ -0,0 +1,43 @@ +From f6ab594672d4cba08540919a4e6be2e202b60007 Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Wed, 29 Oct 2025 00:29:04 +0800 +Subject: scsi: aic94xx: fix use-after-free in device removal path + +From: Junrui Luo + +commit f6ab594672d4cba08540919a4e6be2e202b60007 upstream. + +The asd_pci_remove() function fails to synchronize with pending tasklets +before freeing the asd_ha structure, leading to a potential +use-after-free vulnerability. + +When a device removal is triggered (via hot-unplug or module unload), +race condition can occur. + +The fix adds tasklet_kill() before freeing the asd_ha structure, +ensuring all scheduled tasklets complete before cleanup proceeds. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Cc: stable@vger.kernel.org +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aic94xx/aic94xx_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/aic94xx/aic94xx_init.c ++++ b/drivers/scsi/aic94xx/aic94xx_init.c +@@ -896,6 +896,9 @@ static void asd_pci_remove(struct pci_de + + asd_disable_ints(asd_ha); + ++ /* Ensure all scheduled tasklets complete before freeing resources */ ++ tasklet_kill(&asd_ha->seq.dl_tasklet); ++ + asd_remove_dev_attrs(asd_ha); + + /* XXX more here as needed */ 
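Review bot: `tasklet_kill()` waits for a scheduled or running tasklet to finish, but it does not stop a later schedule: if the interrupt handler can still run after `asd_disable_ints()` (an in-flight handler on another CPU, or an IRQ line that is released only later in this function) it may re-schedule `dl_tasklet` after the kill returns, and the race this patch closes reopens once `asd_ha` is freed. The kill should come after the IRQ is released or quiesced (`free_irq()` / `synchronize_irq()`), or the chosen ordering should be justified at the call site with something like `/* ints disabled and no handler can run: nothing re-schedules dl_tasklet */`. The rest of asd_pci_remove(), including where the IRQ is freed, is outside the hunk, so this is a check to make rather than a confirmed bug.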
diff --git a/queue-6.6/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch b/queue-6.6/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch new file mode 100644 index 0000000000..2f4e5edf93 --- /dev/null +++ b/queue-6.6/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch 
@@ -0,0 +1,92 @@ +From b57fbc88715b6d18f379463f48a15b560b087ffe Mon Sep 17 00:00:00 2001 +From: Tony Battersby +Date: Mon, 10 Nov 2025 10:47:35 -0500 +Subject: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" + +From: Tony Battersby + +commit b57fbc88715b6d18f379463f48a15b560b087ffe upstream. + +This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. + +The commit being reverted added code to __qla2x00_abort_all_cmds() to +call sp->done() without holding a spinlock. But unlike the older code +below it, this new code failed to check sp->cmd_type and just assumed +TYPE_SRB, which results in a jump to an invalid pointer in target-mode +with TYPE_TGT_CMD: + +qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success + 0000000009f7a79b +qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h + mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. +qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer +qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event + 0x8002 occurred +qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - + ha=0000000058183fda. +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PF: supervisor instruction fetch in kernel mode +PF: error_code(0x0010) - not-present page +PGD 0 P4D 0 +Oops: 0010 [#1] SMP +CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 +Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 +RIP: 0010:0x0 +Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
+RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 +RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 +RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 +RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 +R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 +R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 +FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? __die+0x4d/0x8b + ? page_fault_oops+0x91/0x180 + ? trace_buffer_unlock_commit_regs+0x38/0x1a0 + ? exc_page_fault+0x391/0x5e0 + ? asm_exc_page_fault+0x22/0x30 + __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] + qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] + qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] + qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] + qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] + kthread+0xa8/0xd0 + + +Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within +lock") added the spinlock back, because not having the lock caused a +race and a crash. But qla2x00_abort_srb() in the switch below already +checks for qla2x00_chip_is_down() and handles it the same way, so the +code above the switch is now redundant and still buggy in target-mode. +Remove it. + +Cc: stable@vger.kernel.org +Signed-off-by: Tony Battersby +Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1874,12 +1874,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai + for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) { + sp = req->outstanding_cmds[cnt]; + if (sp) { +- if (qla2x00_chip_is_down(vha)) { +- req->outstanding_cmds[cnt] = NULL; +- sp->done(sp, res); +- continue; +- } +- + switch (sp->cmd_type) { + case TYPE_SRB: + qla2x00_abort_srb(qp, sp, res, &flags); diff --git a/queue-6.6/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch b/queue-6.6/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch new file mode 100644 index 0000000000..91f3f0fda7 --- /dev/null +++ b/queue-6.6/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch 
@@ -0,0 +1,38 @@ +From 5053eab38a4c4543522d0c320c639c56a8b59908 Mon Sep 17 00:00:00 2001 +From: Andrey Vatoropin +Date: Tue, 18 Nov 2025 08:42:31 +0000 +Subject: scsi: target: Reset t_task_cdb pointer in error case + +From: Andrey Vatoropin + +commit 5053eab38a4c4543522d0c320c639c56a8b59908 upstream. + +If allocation of cmd->t_task_cdb fails, it remains NULL but is later +dereferenced in the 'err' path. + +In case of error, reset NULL t_task_cdb value to point at the default +fixed-size buffer. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference") +Cc: stable@vger.kernel.org +Signed-off-by: Andrey Vatoropin +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_transport.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1524,6 +1524,7 @@ target_cmd_init_cdb(struct se_cmd *cmd, + if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) { + cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp); + if (!cmd->t_task_cdb) { ++ cmd->t_task_cdb = &cmd->__t_task_cdb[0]; + pr_err("Unable to allocate cmd->t_task_cdb" + " %u > sizeof(cmd->__t_task_cdb): %lu ops\n", + scsi_command_size(cdb), diff --git a/queue-6.6/series b/queue-6.6/series index 803e4162e7..9909cbb1d7 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
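Review bot: The one-line reset restores an invariant that `t_task_cdb` always points at valid storage, which is easy to break again the next time the error path is edited, yet nothing at the assignment says why it exists. A comment would save the next reader a trip through the err path: `/* Fall back to the inline buffer so the err path never sees a NULL t_task_cdb */`. The err label itself is outside the hunk, so I cannot confirm exactly what it dereferences.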
@@ -428,3 +428,26 @@ jbd2-use-a-weaker-annotation-in-journal-handling.patch media-v4l2-mem2mem-fix-outdated-documentation.patch mptcp-schedule-rtx-timer-only-after-pushing-data.patch mptcp-avoid-deadlock-on-fallback-while-reinjecting.patch +usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch +media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch +media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch +phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch +usb-lpc32xx_udc-fix-error-handling-in-probe.patch +usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch +usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch +usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch +usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch +usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch +char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch +intel_th-fix-error-handling-in-intel_th_output_open.patch +cpuidle-governors-teo-drop-misguided-target-residency-check.patch +cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch +scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch +scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch +nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch +scsi-target-reset-t_task_cdb-pointer-in-error-case.patch +f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch +f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch +f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch +f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch +f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch diff --git a/queue-6.6/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch b/queue-6.6/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch new file mode 100644 index 0000000000..577dbc2a51 
--- /dev/null +++ b/queue-6.6/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch @@ -0,0 +1,53 @@ +From e1003aa7ec9eccdde4c926bd64ef42816ad55f25 Mon Sep 17 00:00:00 2001 +From: Udipto Goswami +Date: Wed, 26 Nov 2025 11:12:21 +0530 +Subject: usb: dwc3: keep susphy enabled during exit to avoid controller faults + +From: Udipto Goswami + +commit e1003aa7ec9eccdde4c926bd64ef42816ad55f25 upstream. + +On some platforms, switching USB roles from host to device can trigger +controller faults due to premature PHY power-down. This occurs when the +PHY is disabled too early during teardown, causing synchronization +issues between the PHY and controller. + +Keep susphy enabled during dwc3_host_exit() and dwc3_gadget_exit() +ensures the PHY remains in a low-power state capable of handling +required commands during role switch. + +Cc: stable +Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") +Suggested-by: Thinh Nguyen +Signed-off-by: Udipto Goswami +Acked-by: Thinh Nguyen +Link: https://patch.msgid.link/20251126054221.120638-1-udipto.goswami@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 2 +- + drivers/usb/dwc3/host.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -4807,7 +4807,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc) + if (!dwc->gadget) + return; + +- dwc3_enable_susphy(dwc, false); ++ dwc3_enable_susphy(dwc, true); + usb_del_gadget(dwc->gadget); + dwc3_gadget_free_endpoints(dwc); + usb_put_gadget(dwc->gadget); +--- a/drivers/usb/dwc3/host.c ++++ b/drivers/usb/dwc3/host.c +@@ -168,7 +168,7 @@ void dwc3_host_exit(struct dwc3 *dwc) + if (dwc->sys_wakeup) + device_init_wakeup(&dwc->xhci->dev, false); + +- dwc3_enable_susphy(dwc, false); ++ dwc3_enable_susphy(dwc, true); + platform_device_unregister(dwc->xhci); + dwc->xhci = NULL; + } 
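Review bot: Both call sites now read `dwc3_enable_susphy(dwc, true)` inside an *exit* path, which looks like an inverted argument to anyone who has not read this commit message, and nothing at the call site explains it, so a later cleanup could easily flip it back. Add a why-comment at each site, e.g. `/* Keep PHY suspend enabled during teardown: powering the PHY down early faults the controller on role switch */`. The platform-specific rationale comes only from the commit message and cannot be verified from the hunk.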
diff --git a/queue-6.6/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch b/queue-6.6/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch new file mode 100644 index 0000000000..d832e43204 --- /dev/null +++ b/queue-6.6/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch 
@@ -0,0 +1,56 @@ +From 3b4961313d31e200c9e974bb1536cdea217f78b5 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 11 Dec 2025 10:49:36 +0400 +Subject: usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe + +From: Miaoqian Lin + +commit 3b4961313d31e200c9e974bb1536cdea217f78b5 upstream. + +When clk_bulk_prepare_enable() fails, the error path jumps to +err_resetc_assert, skipping clk_bulk_put_all() and leaking the +clock references acquired by clk_bulk_get_all(). + +Add err_clk_put_all label to properly release clock resources +in all error paths. + +Found via static analysis and code review. + +Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API") +Cc: stable +Signed-off-by: Miaoqian Lin +Acked-by: Thinh Nguyen +Link: https://patch.msgid.link/20251211064937.2360510-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-of-simple.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-of-simple.c ++++ b/drivers/usb/dwc3/dwc3-of-simple.c +@@ -71,11 +71,11 @@ static int dwc3_of_simple_probe(struct p + simple->num_clocks = ret; + ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks); + if (ret) +- goto err_resetc_assert; ++ goto err_clk_put_all; + + ret = of_platform_populate(np, NULL, NULL, dev); + if (ret) +- goto err_clk_put; ++ goto err_clk_disable; + + pm_runtime_set_active(dev); + pm_runtime_enable(dev); +@@ -83,8 +83,9 @@ static int dwc3_of_simple_probe(struct p + + return 0; + +-err_clk_put: ++err_clk_disable: + clk_bulk_disable_unprepare(simple->num_clocks, simple->clks); ++err_clk_put_all: + clk_bulk_put_all(simple->num_clocks, simple->clks); + + err_resetc_assert: diff --git a/queue-6.6/usb-lpc32xx_udc-fix-error-handling-in-probe.patch b/queue-6.6/usb-lpc32xx_udc-fix-error-handling-in-probe.patch new file mode 100644 index 0000000000..ba0575ff8d --- /dev/null 
+++ b/queue-6.6/usb-lpc32xx_udc-fix-error-handling-in-probe.patch 
@@ -0,0 +1,100 @@ +From c84117912bddd9e5d87e68daf182410c98181407 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Mon, 15 Dec 2025 10:09:31 +0800 +Subject: USB: lpc32xx_udc: Fix error handling in probe + +From: Ma Ke + +commit c84117912bddd9e5d87e68daf182410c98181407 upstream. + +lpc32xx_udc_probe() acquires an i2c_client reference through +isp1301_get_client() but fails to release it in both error handling +paths and the normal removal path. This could result in a reference +count leak for the I2C device, preventing proper cleanup and potentially +leading to resource exhaustion. Add put_device() to release the +reference in the probe failure path and in the remove function. + +Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() -> +i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode() +says, 'The user must call put_device(&client->dev) once done with the +i2c client.' + +Found by code review. + +Cc: stable +Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/drivers/usb/gadget/udc/lpc32xx_udc.c ++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c +@@ -3027,7 +3027,7 @@ static int lpc32xx_udc_probe(struct plat + pdev->dev.dma_mask = &lpc32xx_usbd_dmamask; + retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); + if (retval) +- return retval; ++ goto i2c_fail; + + udc->board = &lpc32xx_usbddata; + +@@ -3045,28 +3045,32 @@ static int lpc32xx_udc_probe(struct plat + /* Get IRQs */ + for (i = 0; i < 4; i++) { + udc->udp_irq[i] = platform_get_irq(pdev, i); +- if (udc->udp_irq[i] < 0) +- return udc->udp_irq[i]; ++ if (udc->udp_irq[i] < 0) { ++ retval = udc->udp_irq[i]; ++ goto i2c_fail; ++ } + } + + udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0); + if 
(IS_ERR(udc->udp_baseaddr)) { + dev_err(udc->dev, "IO map failure\n"); +- return PTR_ERR(udc->udp_baseaddr); ++ retval = PTR_ERR(udc->udp_baseaddr); ++ goto i2c_fail; + } + + /* Get USB device clock */ + udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(udc->usb_slv_clk)) { + dev_err(udc->dev, "failed to acquire USB device clock\n"); +- return PTR_ERR(udc->usb_slv_clk); ++ retval = PTR_ERR(udc->usb_slv_clk); ++ goto i2c_fail; + } + + /* Enable USB device clock */ + retval = clk_prepare_enable(udc->usb_slv_clk); + if (retval < 0) { + dev_err(udc->dev, "failed to start USB device clock\n"); +- return retval; ++ goto i2c_fail; + } + + /* Setup deferred workqueue data */ +@@ -3168,6 +3172,8 @@ dma_alloc_fail: + dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, + udc->udca_v_base, udc->udca_p_base); + i2c_fail: ++ if (udc->isp1301_i2c_client) ++ put_device(&udc->isp1301_i2c_client->dev); + clk_disable_unprepare(udc->usb_slv_clk); + dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval); + +@@ -3193,6 +3199,9 @@ static int lpc32xx_udc_remove(struct pla + dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, + udc->udca_v_base, udc->udca_p_base); + ++ if (udc->isp1301_i2c_client) ++ put_device(&udc->isp1301_i2c_client->dev); ++ + clk_disable_unprepare(udc->usb_slv_clk); + + return 0; diff --git a/queue-6.6/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch b/queue-6.6/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch new file mode 100644 index 0000000000..ea81e320d1 --- /dev/null +++ b/queue-6.6/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch 
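Review bot: The early failures now redirected to `i2c_fail` run `clk_disable_unprepare(udc->usb_slv_clk)` on a clock that was never prepared: the `clk_prepare_enable()` failure branch jumps there right after the enable failed, which trips the clk core's enable-count WARN, and the dma_set_coherent_mask/IRQ/ioremap/devm_clk_get branches jump there before the clock was even obtained (harmless only because the clk API tolerates NULL/ERR_PTR, which in turn depends on `udc` being zero-allocated outside the hunk). Before this patch those paths returned directly, so the imbalance is new. Split the label: release the clock under `i2c_fail` as before, put the I2C `put_device()` under its own label after it, and have the pre-clock failures jump to that label. The probe function is far longer than the hunk, and the remove function's body is shown only from its last statements.
```c
	retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
	if (retval)
		goto put_i2c;
	/* … unchanged: IRQ, ioremap and devm_clk_get failures also goto put_i2c … */
	retval = clk_prepare_enable(udc->usb_slv_clk);
	if (retval < 0) {
		dev_err(udc->dev, "failed to start USB device clock\n");
		goto put_i2c;
	}
	/* … unchanged: rest of probe, existing error labels … */
i2c_fail:
	clk_disable_unprepare(udc->usb_slv_clk);
put_i2c:
	if (udc->isp1301_i2c_client)
		put_device(&udc->isp1301_i2c_client->dev);
	dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
```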
@@ -0,0 +1,52 @@ +From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Fri, 5 Dec 2025 11:48:31 +0800 +Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal + +From: Duoming Zhou + +commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream. + +The delayed work item otg_event is initialized in fsl_otg_conf() and +scheduled under two conditions: +1. When a host controller binds to the OTG controller. +2. When the USB ID pin state changes (cable insertion/removal). + +A race condition occurs when the device is removed via fsl_otg_remove(): +the fsl_otg instance may be freed while the delayed work is still pending +or executing. This leads to use-after-free when the work function +fsl_otg_event() accesses the already freed memory. + +The problematic scenario: + +(detach thread) | (delayed work) +fsl_otg_remove() | + kfree(fsl_otg_dev) //FREE| fsl_otg_event() + | og = container_of(...) //USE + | og-> //USE + +Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() +before deallocating the fsl_otg structure. This ensures the delayed work +is properly canceled and completes execution prior to memory deallocation. + +This bug was identified through static analysis. + +Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver") +Cc: stable +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-fsl-usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/phy/phy-fsl-usb.c ++++ b/drivers/usb/phy/phy-fsl-usb.c +@@ -987,6 +987,7 @@ static void fsl_otg_remove(struct platfo + { + struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev); + ++ disable_delayed_work_sync(&fsl_otg_dev->otg_event); + usb_remove_phy(&fsl_otg_dev->phy); + free_irq(fsl_otg_dev->irq, fsl_otg_dev); + 
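Review bot: `disable_delayed_work_sync()` is, as far as I recall, a recent addition to the workqueue API (the disable/enable work-item series, v6.10/v6.11 era), so this patch as queued is unlikely to build on 6.6 unless that API has been backported there; the patch carries no backport note. If it is unavailable, the fix needs `cancel_delayed_work_sync(&fsl_otg_dev->otg_event)` instead, but placed after `free_irq()`, because unlike disable, cancel does not stop a still-live interrupt handler or ID-pin event from re-queueing the work between the cancel and the free. Either way a one-line comment on the ordering would help: `/* irq released and work stopped: nothing can re-arm otg_event before kfree */`. The kfree of fsl_otg_dev is outside the hunk.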
diff --git a/queue-6.6/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch b/queue-6.6/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch new file mode 100644 index 0000000000..396937f352 --- /dev/null +++ b/queue-6.6/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch @@ -0,0 +1,48 @@ +From b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 18 Dec 2025 16:35:16 +0100 +Subject: usb: phy: isp1301: fix non-OF device reference imbalance + +From: Johan Hovold + +commit b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 upstream. + +A recent change fixing a device reference leak in a UDC driver +introduced a potential use-after-free in the non-OF case as the +isp1301_get_client() helper only increases the reference count for the +returned I2C device in the OF case. + +Increment the reference count also for non-OF so that the caller can +decrement it unconditionally. + +Note that this is inherently racy just as using the returned I2C device +is since nothing is preventing the PHY driver from being unbound while +in use. + +Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe") +Cc: stable@vger.kernel.org +Cc: Ma Ke +Signed-off-by: Johan Hovold +Reviewed-by: Vladimir Zapolskiy +Link: https://patch.msgid.link/20251218153519.19453-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-isp1301.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/phy/phy-isp1301.c ++++ b/drivers/usb/phy/phy-isp1301.c +@@ -149,7 +149,12 @@ struct i2c_client *isp1301_get_client(st + return client; + + /* non-DT: only one ISP1301 chip supported */ +- return isp1301_i2c_client; ++ if (isp1301_i2c_client) { ++ get_device(&isp1301_i2c_client->dev); ++ return isp1301_i2c_client; ++ } ++ ++ return NULL; + } + EXPORT_SYMBOL_GPL(isp1301_get_client); + 
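Review bot: The function now has a reference-count contract, every non-NULL return carries a get_device() the caller must drop, but that is stated nowhere at the definition, so the next caller is likely to leak or, after this fix, double-put. Add a kernel-doc style note above `isp1301_get_client()`, e.g. `/* Returns the ISP1301 client with a reference held; caller must put_device(&client->dev). Returns NULL if none is registered. */`. The read of the global `isp1301_i2c_client` is unsynchronized against the PHY driver unbinding, as the commit message itself concedes, and the comment should say so too. The start of the function is outside the hunk.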
diff --git a/queue-6.6/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch b/queue-6.6/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch new file mode 100644 index 0000000000..3166d37602 --- /dev/null +++ b/queue-6.6/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch @@ -0,0 +1,38 @@ +From 36cc7e09df9e43db21b46519b740145410dd9f4a Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 4 Dec 2025 21:21:29 +0800 +Subject: usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() + +From: Haoxiang Li + +commit 36cc7e09df9e43db21b46519b740145410dd9f4a upstream. + +usbhsp_get_pipe() set pipe's flags to IS_USED. In error paths, +usbhsp_put_pipe() is required to clear pipe's flags to prevent +pipe exhaustion. + +Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code") +Cc: stable +Signed-off-by: Haoxiang Li +Link: https://patch.msgid.link/20251204132129.109234-1-haoxiang_li2024@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/renesas_usbhs/pipe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/renesas_usbhs/pipe.c ++++ b/drivers/usb/renesas_usbhs/pipe.c +@@ -713,11 +713,13 @@ struct usbhs_pipe *usbhs_pipe_malloc(str + /* make sure pipe is not busy */ + ret = usbhsp_pipe_barrier(pipe); + if (ret < 0) { ++ usbhsp_put_pipe(pipe); + dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe)); + return NULL; + } + + if (usbhsp_setup_pipecfg(pipe, is_host, dir_in, &pipecfg)) { ++ usbhsp_put_pipe(pipe); + dev_err(dev, "can't setup pipe\n"); + return NULL; + } diff --git a/queue-6.6/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch b/queue-6.6/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch new file mode 100644 index 0000000000..80306115b2 --- /dev/null +++ b/queue-6.6/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch 
@@ -0,0 +1,31 @@ +From 0831269b5f71594882accfceb02638124f88955d Mon Sep 17 00:00:00 2001 +From: Chen Changcheng +Date: Thu, 18 Dec 2025 09:23:18 +0800 +Subject: usb: usb-storage: Maintain minimal modifications to the bcdDevice range. + +From: Chen Changcheng + +commit 0831269b5f71594882accfceb02638124f88955d upstream. + +We cannot determine which models require the NO_ATA_1X and +IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device. + +Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.") +Signed-off-by: Chen Changcheng +Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_uas.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x01 + US_FL_NO_ATA_1X), + + /* Reported-by: Benjamin Tissoires */ +-UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309, ++UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x0309, + "Initio Corporation", + "INIC-3069", + USB_SC_DEVICE, USB_PR_DEVICE, NULL,
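Review bot: The entry's only annotation is still `/* Reported-by: Benjamin Tissoires */`, so after widening bcdDevice from exactly 0x0309 to 0x0000–0x0309 nothing in the table records why the range is open-ended; the rationale that only the EL-R12 is known to need the quirks lives solely in the commit message. Put it in the table: `/* Reported-by: Benjamin Tissoires; only the EL-R12 (0x0309) is known to need these quirks, lower revisions cannot be classified */`. The flags this entry applies are on the line after the hunk, so I cannot confirm they are the NO_ATA_1X/IGNORE_RESIDUE pair the message names.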