From: Greg Kroah-Hartman Date: Mon, 24 Nov 2025 13:44:11 +0000 (+0100) Subject: 6.17-stable patches X-Git-Tag: v6.6.118~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4e8af2cf6fe0587e2f5d19b21ef97a49ac5d63b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: acpi-apei-einj-fix-einjv2-initialization-and-injection.patch arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch arm64-dts-rockchip-remove-non-functioning-cpu-opps-from-rk3576.patch ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch be2net-pass-wrb_params-in-case-of-os2bmc.patch dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch fs-fix-uninitialized-offp-in-statmount_string.patch hid-amd_sfh-stop-sensor-before-starting.patch hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch input-cros_ec_keyb-fix-an-invalid-memory-access.patch input-goodix-add-support-for-acpi-id-gdix1003.patch input-imx_sc_key-fix-memory-corruption-on-unload.patch input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch io_uring-cmd_net-fix-wrong-argument-types-for-skb_queue_splice.patch isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch kvm-svm-fix-redundant-updates-of-lbr-msr-intercepts.patch lib-test_kho-check-if-kho-is-enabled.patch loongarch-bpf-disable-trampoline-for-kernel-module-function-trace.patch loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch loongarch-fix-numa-node-parsing-with-numa_memblks.patch mips-malta-fix-eva-soc-it-pci-mmio.patch mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch 
mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch mptcp-disallow-mptcp-subflows-from-sockmap.patch mptcp-fix-proto-fallback-detection-with-bpf.patch mptcp-fix-race-condition-in-mptcp_schedule_work.patch mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch mtdchar-fix-integer-overflow-in-read-write-ioctls.patch net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch platform-x86-alienware-wmi-wmax-add-awcc-support-to-alienware-16-aurora.patch platform-x86-alienware-wmi-wmax-add-support-for-the-whole-g-family.patch platform-x86-alienware-wmi-wmax-add-support-for-the-whole-m-family.patch platform-x86-alienware-wmi-wmax-add-support-for-the-whole-x-family.patch platform-x86-alienware-wmi-wmax-fix-alienware-m16-r1-amd-quirk-order.patch pm-sleep-core-fix-runtime-pm-enabling-in-device_resume_early.patch reset-imx8mp-audiomix-fix-bad-mask-values.patch revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch s390-mm-fix-__ptep_rdp-inline-assembly.patch sched_ext-fix-scx_enable-crash-on-helper-kthread-creation-failure.patch scsi-sg-do-not-sleep-in-atomic-context.patch scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch selinux-move-avdcache-to-per-task-security-struct.patch selinux-rename-task_security_struct-to-cred_security_struct.patch shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch smb-client-introduce-close_cached_dir_locked.patch timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch vfat-fix-missing-sb_min_blocksize-return-value-checks.patch wifi-rtw89-hw_scan-don-t-let-the-operating-channel-be-last.patch xfs-check-the-return-value-of-sb_min_blocksize-in-xfs_fs_fill_super.patch --- 
diff --git a/queue-6.17/acpi-apei-einj-fix-einjv2-initialization-and-injection.patch b/queue-6.17/acpi-apei-einj-fix-einjv2-initialization-and-injection.patch
new file mode 100644
index 0000000000..97c700c744
--- /dev/null
+++ b/queue-6.17/acpi-apei-einj-fix-einjv2-initialization-and-injection.patch
@@ -0,0 +1,158 @@
+From d2932a59c2d4fb364396f21df58431c44918dd47 Mon Sep 17 00:00:00 2001
+From: Tony Luck
+Date: Tue, 18 Nov 2025 17:27:12 -0800
+Subject: ACPI: APEI: EINJ: Fix EINJV2 initialization and injection
+
+From: Tony Luck
+
+commit d2932a59c2d4fb364396f21df58431c44918dd47 upstream.
+
+ACPI 6.6 specification for EINJV2 appends an extra structure to
+the end of the existing struct set_error_type_with_address.
+
+Several issues showed up in testing.
+
+ 1) Initialization was broken by an earlier fix [1] since is_v2 is only
+ set while performing an injection, not during initialization.
+
+ 2) A buggy BIOS provided invalid "revision" and "length" for the
+ extension structure. Add several sanity checks.
+
+ 3) When injecting legacy error types on an EINJV2 capable system,
+ don't copy the component arrays.
+
+Fixes: 6c7058514991 ("ACPI: APEI: EINJ: Check if user asked for EINJV2 injection") # [1]
+Fixes: b47610296d17 ("ACPI: APEI: EINJ: Enable EINJv2 error injections")
+Signed-off-by: Tony Luck
+[ rjw: Changelog edits ]
+Cc: 6.17+ # 6.17+
+Link: https://patch.msgid.link/20251119012712.178715-1-tony.luck@intel.com
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/apei/einj-core.c | 64 ++++++++++++++++++++++++++----------------
+ 1 file changed, 41 insertions(+), 23 deletions(-)
+
+--- a/drivers/acpi/apei/einj-core.c
++++ b/drivers/acpi/apei/einj-core.c
+@@ -182,6 +182,7 @@ bool einj_initialized __ro_after_init;
+ 
+ static void __iomem *einj_param;
+ static u32 v5param_size;
++static u32 v66param_size;
+ static bool is_v2;
+ 
+ static void einj_exec_ctx_init(struct apei_exec_context *ctx)
+@@ -283,6 +284,24 @@ static void check_vendor_extension(u64 p
+ acpi_os_unmap_iomem(p, sizeof(v));
+ }
+ 
++static u32 einjv2_init(struct einjv2_extension_struct *e)
++{
++ if (e->revision != 1) {
++ pr_info("Unknown v2 extension revision %u\n", e->revision);
++ return 0;
++ }
++ if (e->length < sizeof(*e) || e->length > PAGE_SIZE) {
++ pr_info(FW_BUG "Bad1 v2 extension length %u\n", e->length);
++ return 0;
++ }
++ if ((e->length - sizeof(*e)) % sizeof(e->component_arr[0])) {
++ pr_info(FW_BUG "Bad2 v2 extension length %u\n", e->length);
++ return 0;
++ }
++
++ return (e->length - sizeof(*e)) / sizeof(e->component_arr[0]);
++}
++
+ static void __iomem *einj_get_parameter_address(void)
+ {
+ int i;
+@@ -310,28 +329,21 @@ static void __iomem *einj_get_parameter_
+ v5param_size = sizeof(v5param);
+ p = acpi_os_map_iomem(pa_v5, sizeof(*p));
+ if (p) {
+- int offset, len;
+-
+ memcpy_fromio(&v5param, p, v5param_size);
+ acpi5 = 1;
+ check_vendor_extension(pa_v5, &v5param);
+- if (is_v2 && available_error_type & ACPI65_EINJV2_SUPP) {
+- len = v5param.einjv2_struct.length;
+- offset = offsetof(struct einjv2_extension_struct, component_arr);
+- max_nr_components = (len - offset) /
+- sizeof(v5param.einjv2_struct.component_arr[0]);
+- /*
+- * The first call to acpi_os_map_iomem above does not include the
+- * component array, instead it is used to read and calculate maximum
+- * number of components supported by the system. Below, the mapping
+- * is expanded to include the component array.
+- */
++ if (available_error_type & ACPI65_EINJV2_SUPP) {
++ struct einjv2_extension_struct *e;
++
++ e = &v5param.einjv2_struct;
++ max_nr_components = einjv2_init(e);
++
++ /* remap including einjv2_extension_struct */
+ acpi_os_unmap_iomem(p, v5param_size);
+- offset = offsetof(struct set_error_type_with_address, einjv2_struct);
+- v5param_size = offset + struct_size(&v5param.einjv2_struct,
+- component_arr, max_nr_components);
+- p = acpi_os_map_iomem(pa_v5, v5param_size);
++ v66param_size = v5param_size - sizeof(*e) + e->length;
++ p = acpi_os_map_iomem(pa_v5, v66param_size);
+ }
++
+ return p;
+ }
+ }
+@@ -527,6 +539,7 @@ static int __einj_error_inject(u32 type,
+ u64 param3, u64 param4)
+ {
+ struct apei_exec_context ctx;
++ u32 param_size = is_v2 ? v66param_size : v5param_size;
+ u64 val, trigger_paddr, timeout = FIRMWARE_TIMEOUT;
+ int i, rc;
+ 
+@@ -539,11 +552,11 @@ static int __einj_error_inject(u32 type,
+ if (acpi5) {
+ struct set_error_type_with_address *v5param;
+ 
+- v5param = kmalloc(v5param_size, GFP_KERNEL);
++ v5param = kmalloc(param_size, GFP_KERNEL);
+ if (!v5param)
+ return -ENOMEM;
+ 
+- memcpy_fromio(v5param, einj_param, v5param_size);
++ memcpy_fromio(v5param, einj_param, param_size);
+ v5param->type = type;
+ if (type & ACPI5_VENDOR_BIT) {
+ switch (vendor_flags) {
+@@ -601,7 +614,7 @@ static int __einj_error_inject(u32 type,
+ break;
+ }
+ }
+- memcpy_toio(einj_param, v5param, v5param_size);
++ memcpy_toio(einj_param, v5param, param_size);
+ kfree(v5param);
+ } else {
+ rc = apei_exec_run(&ctx, ACPI_EINJ_SET_ERROR_TYPE);
+@@ -1099,9 +1112,14 @@ static void einj_remove(struct faux_devi
+ struct apei_exec_context ctx;
+ 
+ if (einj_param) {
+- acpi_size size = (acpi5) ?
+- v5param_size :
+- sizeof(struct einj_parameter);
++ acpi_size size;
++
++ if (v66param_size)
++ size = v66param_size;
++ else if (acpi5)
++ size = v5param_size;
++ else
++ size = sizeof(struct einj_parameter);
+ 
+ acpi_os_unmap_iomem(einj_param, size);
+ if (vendor_errors.size)
diff --git a/queue-6.17/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch b/queue-6.17/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch
new file mode 100644
index 0000000000..d798c29eed
--- /dev/null
+++ b/queue-6.17/arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch
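Review bot: In einj_get_parameter_address() of the einj-core.c patch, a rejected extension still drives the remap: when einjv2_init() returns 0 for a bad revision or length, the following lines compute `v66param_size = v5param_size - sizeof(*e) + e->length;` from the same unvalidated firmware-supplied `e->length` and map that many bytes. A length below sizeof(*e) leaves v66param_size smaller than the base structure, a large one maps an arbitrary range, and einj_remove() later unmaps with whatever was stored. Consider leaving before the remap, `if (!max_nr_components) return p;`, so that v66param_size stays 0 unless the checks passed. Whether is_v2 can be true while max_nr_components is 0 is decided outside these hunks, so the effect on `kmalloc(param_size, GFP_KERNEL)` in __einj_error_inject() has to be confirmed in the full file.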
@@ -0,0 +1,59 @@
+From baa18d577cd445145039e731d3de0fa49ca57204 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz
+Date: Wed, 12 Nov 2025 16:01:53 +0100
+Subject: arm64: dts: rockchip: disable HS400 on RK3588 Tiger
+
+From: Quentin Schulz
+
+commit baa18d577cd445145039e731d3de0fa49ca57204 upstream.
+
+We've had reports from the field that some RK3588 Tiger have random
+issues with eMMC errors.
+
+Applying commit a28352cf2d2f ("mmc: sdhci-of-dwcmshc: Change
+DLL_STRBIN_TAPNUM_DEFAULT to 0x4") didn't help and seemed to have made
+things worse for our board.
+
+Our HW department checked the eMMC lines and reported that they are too
+long and don't look great so signal integrity is probably not the best.
+
+Note that not all Tigers with the same eMMC chip have errors, so the
+suspicion is that we're really on the edge in terms of signal integrity
+and only a handful devices are failing. Additionally, we have RK3588
+Jaguars with the same eMMC chip but the layout is different and we also
+haven't received reports about those so far.
+
+Lowering the max-frequency to 150MHz from 200MHz instead of simply
+disabling HS400 was briefly tested and seem to work as well. We've
+disabled HS400 downstream and haven't received reports since so we'll go
+with that instead of lowering the max-frequency.
+
+Signed-off-by: Quentin Schulz
+Fixes: 6173ef24b35b ("arm64: dts: rockchip: add RK3588-Q7 (Tiger) SoM")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251112-tiger-hs200-v1-1-b50adac107c0@cherry.de
+[added Fixes tag and stable-cc from 2nd mail]
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3588-tiger.dtsi
+@@ -382,14 +382,12 @@
+ cap-mmc-highspeed;
+ mmc-ddr-1_8v;
+ mmc-hs200-1_8v;
+- mmc-hs400-1_8v;
+- mmc-hs400-enhanced-strobe;
+ mmc-pwrseq = <&emmc_pwrseq>;
+ no-sdio;
+ no-sd;
+ non-removable;
+ pinctrl-names = "default";
+- pinctrl-0 = <&emmc_bus8 &emmc_cmd &emmc_clk &emmc_data_strobe>;
++ pinctrl-0 = <&emmc_bus8 &emmc_cmd &emmc_clk>;
+ vmmc-supply = <&vcc_3v3_s3>;
+ vqmmc-supply = <&vcc_1v8_s3>;
+ status = "okay";
diff --git a/queue-6.17/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch b/queue-6.17/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch
new file mode 100644
index 0000000000..280aef5533
--- /dev/null
+++ b/queue-6.17/arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch
@@ -0,0 +1,39 @@
+From b5414520793e68d266fdd97a84989d9831156aad Mon Sep 17 00:00:00 2001
+From: Mykola Kvach
+Date: Mon, 3 Nov 2025 12:27:40 +0200
+Subject: arm64: dts: rockchip: fix PCIe 3.3V regulator voltage on orangepi-5
+
+From: Mykola Kvach
+
+commit b5414520793e68d266fdd97a84989d9831156aad upstream.
+
+The vcc3v3_pcie20 fixed regulator powers the PCIe device-side 3.3V rail
+for pcie2x1l2 via vpcie3v3-supply. The DTS mistakenly set its
+regulator-min/max-microvolt to 1800000 (1.8 V). Correct both to 3300000
+(3.3 V) to match the rail name, the PCIe/M.2 power requirement, and the
+actual hardware wiring on Orange Pi 5.
+
+Fixes: b6bc755d806e ("arm64: dts: rockchip: Add Orange Pi 5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mykola Kvach
+Reviewed-by: Michael Riesch
+Link: https://patch.msgid.link/cf6e08dfdfbf1c540685d12388baab1326f95d2c.1762165324.git.xakep.amatop@gmail.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3588s-orangepi-5.dts
+@@ -14,8 +14,8 @@
+ gpios = <&gpio0 RK_PC5 GPIO_ACTIVE_HIGH>;
+ regulator-name = "vcc3v3_pcie20";
+ regulator-boot-on;
+- regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <1800000>;
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
+ startup-delay-us = <50000>;
+ vin-supply = <&vcc5v0_sys>;
+ };
diff --git a/queue-6.17/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch b/queue-6.17/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch
new file mode 100644
index 0000000000..1861c91333
--- /dev/null
+++ b/queue-6.17/arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch
@@ -0,0 +1,35 @@
+From 03c7e964a02e388ee168c804add7404eda23908c Mon Sep 17 00:00:00 2001
+From: Diederik de Haas
+Date: Mon, 27 Oct 2025 16:54:28 +0100
+Subject: arm64: dts: rockchip: Fix vccio4-supply on rk3566-pinetab2
+
+From: Diederik de Haas
+
+commit 03c7e964a02e388ee168c804add7404eda23908c upstream.
+
+Page 13 of the PineTab2 v2 schematic dd 20230417 shows VCCIO4's power
+source is VCCIO_WL. Page 19 shows that VCCIO_WL is connected to
+VCCA1V8_PMU, so fix the PineTab2 dtsi to reflect that.
+
+Fixes: 1b7e19448f8f ("arm64: dts: rockchip: Add devicetree for Pine64 PineTab2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dragan Simic
+Signed-off-by: Diederik de Haas
+Link: https://patch.msgid.link/20251027155724.138096-1-diederik@cknow-tech.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi
+@@ -789,7 +789,7 @@
+ vccio1-supply = <&vccio_acodec>;
+ vccio2-supply = <&vcc_1v8>;
+ vccio3-supply = <&vccio_sd>;
+- vccio4-supply = <&vcc_1v8>;
++ vccio4-supply = <&vcca1v8_pmu>;
+ vccio5-supply = <&vcc_1v8>;
+ vccio6-supply = <&vcc1v8_dvp>;
+ vccio7-supply = <&vcc_3v3>;
diff --git a/queue-6.17/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch b/queue-6.17/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch
new file mode 100644
index 0000000000..2d1ef24625
--- /dev/null
+++ b/queue-6.17/arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch
@@ -0,0 +1,49 @@
+From 08d70143e3033d267507deb98a5fd187df3e6640 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz
+Date: Wed, 29 Oct 2025 14:50:59 +0100
+Subject: arm64: dts: rockchip: include rk3399-base instead of rk3399 in rk3399-op1
+
+From: Quentin Schulz
+
+commit 08d70143e3033d267507deb98a5fd187df3e6640 upstream.
+
+In commit 296602b8e5f7 ("arm64: dts: rockchip: Move RK3399 OPPs to dtsi
+files for SoC variants"), everything shared between variants of RK3399
+was put into rk3399-base.dtsi and the rest in variant-specific DTSI,
+such as rk3399-t, rk3399-op1, rk3399, etc.
+Therefore, the variant-specific DTSI should include rk3399-base.dtsi and
+not another variant's DTSI.
+
+rk3399-op1 wrongly includes rk3399 (a variant) DTSI instead of
+rk3399-base DTSI, let's fix this oversight by including the intended
+DTSI.
+
+Fortunately, this had no impact on the resulting DTB since all nodes
+were named the same and all node properties were overridden in
+rk3399-op1.dtsi. This was checked by doing a checksum of rk3399-op1 DTBs
+before and after this commit.
+
+No intended change in behavior.
+
+Fixes: 296602b8e5f7 ("arm64: dts: rockchip: Move RK3399 OPPs to dtsi files for SoC variants")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quentin Schulz
+Reviewed-by: Dragan Simic
+Link: https://patch.msgid.link/20251029-rk3399-op1-include-v1-1-2472ee60e7f8@cherry.de
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-op1.dtsi
+@@ -3,7 +3,7 @@
+ * Copyright (c) 2016-2017 Fuzhou Rockchip Electronics Co., Ltd
+ */
+ 
+-#include "rk3399.dtsi"
++#include "rk3399-base.dtsi"
+ 
+ / {
+ cluster0_opp: opp-table-0 {
diff --git a/queue-6.17/arm64-dts-rockchip-remove-non-functioning-cpu-opps-from-rk3576.patch b/queue-6.17/arm64-dts-rockchip-remove-non-functioning-cpu-opps-from-rk3576.patch
new file mode 100644
index 0000000000..c0b7be2404
--- /dev/null
+++ b/queue-6.17/arm64-dts-rockchip-remove-non-functioning-cpu-opps-from-rk3576.patch
@@ -0,0 +1,57 @@
+From 05b80cd1f37db042e074ecc7ee0d39869fed2f52 Mon Sep 17 00:00:00 2001
+From: Alexey Charkov
+Date: Thu, 9 Oct 2025 16:34:01 +0400
+Subject: arm64: dts: rockchip: Remove non-functioning CPU OPPs from RK3576
+
+From: Alexey Charkov
+
+commit 05b80cd1f37db042e074ecc7ee0d39869fed2f52 upstream.
+
+Drop the top-frequency OPPs from both the LITTLE and big CPU clusters on
+RK3576, as neither the opensource TF-A [1] nor the recent (after v1.08)
+binary BL31 images provided by Rockchip expose those.
+
+This fixes the problem [2] when the cpufreq governor tries to jump
+directly to the highest-frequency OPP, which results in a failed SCMI call
+leaving the system stuck at the previous OPP before the attempted change.
+
+[1] https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/rockchip/rk3576/scmi/rk3576_clk.c#L264-L304
+[2] https://lore.kernel.org/linux-rockchip/CABjd4Yz4NbqzZH4Qsed3ias56gcga9K6CmYA+BLDBxtbG915Ag@mail.gmail.com/
+
+Fixes: 57b1ce903966 ("arm64: dts: rockchip: Add rk3576 SoC base DT")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Charkov
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/rockchip/rk3576.dtsi | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3576.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3576.dtsi
+@@ -269,12 +269,6 @@
+ opp-microvolt = <900000 900000 950000>;
+ clock-latency-ns = <40000>;
+ };
+-
+- opp-2208000000 {
+- opp-hz = /bits/ 64 <2208000000>;
+- opp-microvolt = <950000 950000 950000>;
+- clock-latency-ns = <40000>;
+- };
+ };
+ 
+ cluster1_opp_table: opp-table-cluster1 {
+@@ -341,12 +335,6 @@
+ opp-microvolt = <925000 925000 950000>;
+ clock-latency-ns = <40000>;
+ };
+-
+- opp-2304000000 {
+- opp-hz = /bits/ 64 <2304000000>;
+- opp-microvolt = <950000 950000 950000>;
+- clock-latency-ns = <40000>;
+- };
+ };
+ 
+ gpu_opp_table: opp-table-gpu {
diff --git a/queue-6.17/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch b/queue-6.17/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
new file mode 100644
index 0000000000..21e8ff1aea
--- /dev/null
+++ b/queue-6.17/ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
@@ -0,0 +1,36 @@
+From b32cc17d607e8ae7af037303fe101368cb4dc44c Mon Sep 17 00:00:00 2001
+From: Yihang Li
+Date: Thu, 20 Nov 2025 11:50:23 +0800
+Subject: ata: libata-scsi: Add missing scsi_device_put() in ata_scsi_dev_rescan()
+
+From: Yihang Li
+
+commit b32cc17d607e8ae7af037303fe101368cb4dc44c upstream.
+
+Call scsi_device_put() in ata_scsi_dev_rescan() if the device or its
+queue are not running.
+
+Fixes: 0c76106cb975 ("scsi: sd: Fix TCG OPAL unlock on system resume")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yihang Li
+Reviewed-by: Damien Le Moal
+Signed-off-by: Niklas Cassel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-scsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -4901,8 +4901,10 @@ void ata_scsi_dev_rescan(struct work_str
+ spin_unlock_irqrestore(ap->lock, flags);
+ if (do_resume) {
+ ret = scsi_resume_device(sdev);
+- if (ret == -EWOULDBLOCK)
++ if (ret == -EWOULDBLOCK) {
++ scsi_device_put(sdev);
+ goto unlock_scan;
++ }
+ dev->flags &= ~ATA_DFLAG_RESUMING;
+ }
+ ret = scsi_rescan_device(sdev);
diff --git a/queue-6.17/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch b/queue-6.17/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
new file mode 100644
index 0000000000..832c497852
--- /dev/null
+++ b/queue-6.17/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
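Review bot: The new `scsi_device_put(sdev);` in the -EWOULDBLOCK branch of ata_scsi_dev_rescan() has to be paired by hand with a reference that is taken outside this hunk, and nothing on the new lines says so. A short comment such as `/* drop the sdev reference held for this iteration before leaving the loop */` would keep the next early exit from repeating the leak; that wording assumes the get happens earlier in the same loop, which should be confirmed against the full function. The function starts and ends outside the hunk, so other exits between the get and the put could not be checked here.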
@@ -0,0 +1,76 @@
+From b11890683380a36b8488229f818d5e76e8204587 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel
+Date: Wed, 19 Nov 2025 15:13:14 +0100
+Subject: ata: libata-scsi: Fix system suspend for a security locked drive
+
+From: Niklas Cassel
+
+commit b11890683380a36b8488229f818d5e76e8204587 upstream.
+
+Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status
+handling") fixed ata_to_sense_error() to properly generate sense key
+ABORTED COMMAND (without any additional sense code), instead of the
+previous bogus sense key ILLEGAL REQUEST with the additional sense code
+UNALIGNED WRITE COMMAND, for a failed command.
+
+However, this broke suspend for Security locked drives (drives that have
+Security enabled, and have not been Security unlocked by boot firmware).
+
+The reason for this is that the SCSI disk driver, for the Synchronize
+Cache command only, treats any sense data with sense key ILLEGAL REQUEST
+as a successful command (regardless of ASC / ASCQ).
+
+After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error()
+status handling") the code that treats any sense data with sense key
+ILLEGAL REQUEST as a successful command is no longer applicable, so the
+command fails, which causes the system suspend to be aborted:
+
+ sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5
+ sd 1:0:0:0: PM: failed to suspend async: error -5
+ PM: Some devices failed to suspend, or early wake event detected
+
+To make suspend work once again, for a Security locked device only,
+return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense
+data which a real SCSI device would have returned if locked.
+The SCSI disk driver treats this sense data as a successful command.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ilia Baryshnikov
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704
+Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling")
+Reviewed-by: Hannes Reinecke
+Reviewed-by: Martin K. Petersen
+Reviewed-by: Damien Le Moal
+Signed-off-by: Niklas Cassel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-scsi.c | 7 +++++++
+ include/linux/ata.h | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -992,6 +992,13 @@ static void ata_gen_ata_sense(struct ata
+ return;
+ }
+ 
++ if (ata_id_is_locked(dev->id)) {
++ /* Security locked */
++ /* LOGICAL UNIT ACCESS NOT AUTHORIZED */
++ ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71);
++ return;
++ }
++
+ if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) {
+ ata_dev_dbg(dev,
+ "Missing result TF: reporting aborted command\n");
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -566,6 +566,7 @@ struct ata_bmdma_prd {
+ #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8))
+ #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1)
+ #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7))
++#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7)
+ #define ata_id_has_atapi_AN(id) \
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
diff --git a/queue-6.17/be2net-pass-wrb_params-in-case-of-os2bmc.patch b/queue-6.17/be2net-pass-wrb_params-in-case-of-os2bmc.patch
new file mode 100644
index 0000000000..3112c00229
--- /dev/null
+++ b/queue-6.17/be2net-pass-wrb_params-in-case-of-os2bmc.patch
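Review bot: The new branch in ata_gen_ata_sense() reports DATA_PROTECT / 0x74 / 0x71 for every command that reaches it on a locked drive, because `ata_id_is_locked(dev->id)` is tested before the result taskfile is looked at and without regard to which command failed. That can present an unrelated failure as an authorization error, and it depends on the cached IDENTIFY data in dev->id still reflecting the lock state; both look acceptable for the suspend case the commit describes, but the comment in the branch should say so. The macro would also read better with its mask explained, for example `/* security status word: supported, enabled and locked bits all set */` above `ata_id_is_locked` (bit meanings inferred from the name and the commit text, to be confirmed against the ATA specification). ata_gen_ata_sense() continues outside the hunk.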
@@ -0,0 +1,60 @@
+From 7d277a7a58578dd62fd546ddaef459ec24ccae36 Mon Sep 17 00:00:00 2001
+From: Andrey Vatoropin
+Date: Wed, 19 Nov 2025 10:51:12 +0000
+Subject: be2net: pass wrb_params in case of OS2BMC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Vatoropin
+
+commit 7d277a7a58578dd62fd546ddaef459ec24ccae36 upstream.
+
+be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
+at be_send_pkt_to_bmc() call site.  This may lead to dereferencing a NULL
+pointer when processing a workaround for specific packet, as commit
+bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
+packet") states.
+
+The correct way would be to pass the wrb_params from be_xmit().
+
+Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrey Vatoropin
+Link: https://patch.msgid.link/20251119105015.194501-1-a.vatoropin@crpt.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1296,7 +1296,8 @@ static void be_xmit_flush(struct be_adap
+ (adapter->bmc_filt_mask & BMC_FILT_MULTICAST)
+ 
+ static bool be_send_pkt_to_bmc(struct be_adapter *adapter,
+- struct sk_buff **skb)
++ struct sk_buff **skb,
++ struct be_wrb_params *wrb_params)
+ {
+ struct ethhdr *eh = (struct ethhdr *)(*skb)->data;
+ bool os2bmc = false;
+@@ -1360,7 +1361,7 @@ done:
+ * to BMC, asic expects the vlan to be inline in the packet.
+ */
+ if (os2bmc)
+- *skb = be_insert_vlan_in_pkt(adapter, *skb, NULL);
++ *skb = be_insert_vlan_in_pkt(adapter, *skb, wrb_params);
+ 
+ return os2bmc;
+ }
+@@ -1387,7 +1388,7 @@ static netdev_tx_t be_xmit(struct sk_buf
+ /* if os2bmc is enabled and if the pkt is destined to bmc,
+ * enqueue the pkt a 2nd time with mgmt bit set.
+ */
+- if (be_send_pkt_to_bmc(adapter, &skb)) {
++ if (be_send_pkt_to_bmc(adapter, &skb, &wrb_params)) {
+ BE_WRB_F_SET(wrb_params.features, OS2BMC, 1);
+ wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params);
+ if (unlikely(!wrb_cnt))
diff --git a/queue-6.17/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch b/queue-6.17/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
new file mode 100644
index 0000000000..3b1aea65cd
--- /dev/null
+++ b/queue-6.17/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
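Review bot: In be_send_pkt_to_bmc() the result of `be_insert_vlan_in_pkt(adapter, *skb, wrb_params)` is still stored into `*skb` without a check while the function goes on to return os2bmc as true, and be_xmit() then hands that skb to be_xmit_enqueue(). If the helper can fail and return NULL (its body is not part of this patch), the second enqueue receives a NULL skb; this predates the commit, but the line is being touched here. A guard such as `if (os2bmc && !*skb) return false;` is the likely shape of the fix, provided be_xmit() does not use skb again on that path, which has to be checked in the full function. Both functions start or end outside the hunks.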
@@ -0,0 +1,62 @@
+From 316e361b5d2cdeb8d778983794a1c6eadcb26814 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 22 Oct 2025 15:34:26 +0200
+Subject: dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups
+
+From: Krzysztof Kozlowski
+
+commit 316e361b5d2cdeb8d778983794a1c6eadcb26814 upstream.
+
+The "groups" property can hold multiple entries (e.g.
+toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect
+type (pinmux-node.yaml schema already defines that as string-array) and
+adding constraints for items. This fixes dtbs_check warnings like:
+
+ toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl):
+ pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long
+
+Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Acked-by: Conor Dooley
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++++-----
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
+@@ -50,18 +50,20 @@ patternProperties:
+ groups:
+ description:
+ Name of the pin group to use for the functions.
+- $ref: /schemas/types.yaml#/definitions/string
+- enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
+- i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
+- spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
+- spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
+- uart0_grp, uart1_grp, uart2_grp, uart3_grp,
+- pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
+- pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
+- pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
+- pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
+- pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
+- pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ items:
++ enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
++ i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
++ spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
++ spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
++ uart0_grp, uart1_grp, uart2_grp, uart3_grp,
++ pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
++ pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
++ pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
++ pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
++ pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
++ pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ minItems: 1
++ maxItems: 8
+ 
+ drive-strength:
+ enum: [2, 4, 6, 8, 16, 24, 32]
diff --git a/queue-6.17/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch b/queue-6.17/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
new file mode 100644
index 0000000000..c6d12d0900
--- /dev/null
+++ b/queue-6.17/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
@@ -0,0 +1,37 @@
+From f2c1f631630e01821fe4c3fdf6077bc7a8284f82 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang
+Date: Tue, 4 Nov 2025 20:50:07 +0800
+Subject: exfat: check return value of sb_min_blocksize in exfat_read_boot_sector
+
+From: Yongpeng Yang
+
+commit f2c1f631630e01821fe4c3fdf6077bc7a8284f82 upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid
+accessing the filesystem super block when sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: 719c1e1829166d ("exfat: add super block operations")
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Yongpeng Yang
+Link: https://patch.msgid.link/20251104125009.2111925-3-yangyongpeng.storage@gmail.com
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exfat/super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/exfat/super.c
++++ b/fs/exfat/super.c
+@@ -423,7 +423,10 @@ static int exfat_read_boot_sector(struct
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+ 
+ /* set block size to read super block */
+- sb_min_blocksize(sb, 512);
++ if (!sb_min_blocksize(sb, 512)) {
++ exfat_err(sb, "unable to set blocksize");
++ return -EINVAL;
++ }
+ 
+ /* read boot sector */
+ sbi->boot_bh = sb_bread(sb, 0);
diff --git a/queue-6.17/fs-fix-uninitialized-offp-in-statmount_string.patch b/queue-6.17/fs-fix-uninitialized-offp-in-statmount_string.patch
new file mode 100644
index 0000000000..0ed313fb97
--- /dev/null
+++ b/queue-6.17/fs-fix-uninitialized-offp-in-statmount_string.patch
@@ -0,0 +1,46 @@
+From 0778ac7df5137d5041783fadfc201f8fd55a1d9b Mon Sep 17 00:00:00 2001
+From: Zhen Ni
+Date: Mon, 13 Oct 2025 19:41:51 +0800
+Subject: fs: Fix uninitialized 'offp' in statmount_string()
+
+From: Zhen Ni
+
+commit 0778ac7df5137d5041783fadfc201f8fd55a1d9b upstream.
+
+In statmount_string(), most flags assign an output offset pointer (offp)
+which is later updated with the string offset. However, the
+STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the
+struct fields instead of using offp. This leaves offp uninitialized,
+leading to a possible uninitialized dereference when *offp is updated.
+
+Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code
+path consistent.
+
+Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings")
+Fixes: e52e97f09fb6 ("statmount: let unset strings be empty")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni
+Link: https://patch.msgid.link/20251013114151.664341-1-zhen.ni@easystack.cn
+Reviewed-by: Jan Kara
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namespace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -5601,11 +5601,11 @@ static int statmount_string(struct kstat
+ ret = statmount_sb_source(s, seq);
+ break;
+ case STATMOUNT_MNT_UIDMAP:
+- sm->mnt_uidmap = start;
++ offp = &sm->mnt_uidmap;
+ ret = statmount_mnt_uidmap(s, seq);
+ break;
+ case STATMOUNT_MNT_GIDMAP:
+- sm->mnt_gidmap = start;
++ offp = &sm->mnt_gidmap;
+ ret = statmount_mnt_gidmap(s, seq);
+ break;
+ default:
diff --git a/queue-6.17/hid-amd_sfh-stop-sensor-before-starting.patch b/queue-6.17/hid-amd_sfh-stop-sensor-before-starting.patch
new file mode 100644
index 0000000000..cd3018599f
--- /dev/null
+++ b/queue-6.17/hid-amd_sfh-stop-sensor-before-starting.patch
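Review bot: Every case of this switch has to remember to assign `offp`, and nothing in the hunk makes a forgotten assignment fail safely, which is the bug class being fixed here. The declaration of `offp` and the later `*offp` update are outside the hunk, so this is hedged: if the pointer is declared without an initializer, starting it at `NULL` would turn the next omission into a deterministic fault instead of a write through an indeterminate pointer. At minimum the invariant deserves a comment at the top of the switch, e.g. `/* every case must set offp; it is written once the string has been emitted */`.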
@@ -0,0 +1,39 @@
+From 4d3a13afa8b64dc49293b3eab3e7beac11072c12 Mon Sep 17 00:00:00 2001
+From: "Mario Limonciello (AMD)"
+Date: Mon, 20 Oct 2025 10:50:42 -0500
+Subject: HID: amd_sfh: Stop sensor before starting
+
+From: Mario Limonciello (AMD)
+
+commit 4d3a13afa8b64dc49293b3eab3e7beac11072c12 upstream.
+
+Titas reports that the accelerometer sensor on their laptop only
+works after a warm boot or unloading/reloading the amd-sfh kernel
+module.
+
+Presumably the sensor is in a bad state on cold boot and failing to
+start, so explicitly stop it before starting.
+
+Cc: stable@vger.kernel.org
+Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality")
+Reported-by: Titas
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670
+Tested-by: Titas
+Signed-off-by: Mario Limonciello (AMD)
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -194,6 +194,8 @@ static int amd_sfh1_1_hid_client_init(st
+ if (rc)
+ goto cleanup;
+
++ mp2_ops->stop(privdata, cl_data->sensor_idx[i]);
++ amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR);
+ writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0));
+ mp2_ops->start(privdata, info);
+ status = amd_sfh_wait_for_response
diff --git a/queue-6.17/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch b/queue-6.17/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
new file mode 100644
index 0000000000..b4dfe2060a
--- /dev/null
+++ b/queue-6.17/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
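Review bot: The result of the added `amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR)` is discarded, while the start sequence directly below stores the same helper's result in `status`. If the stop is meant to be best effort, which the commit message's "presumably the sensor is in a bad state" suggests, the code should say so: `/* Best effort: the sensor may be in an unknown state after a cold boot, so the stop result is ignored */`. Otherwise a stop that times out is indistinguishable from one that worked. The enclosing loop and the rest of amd_sfh1_1_hid_client_init() are outside the hunk.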
@@ -0,0 +1,70 @@ +From beab067dbcff642243291fd528355d64c41dc3b2 Mon Sep 17 00:00:00 2001 +From: Zhang Heng +Date: Fri, 12 Sep 2025 20:38:18 +0800 +Subject: HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 + +From: Zhang Heng + +commit beab067dbcff642243291fd528355d64c41dc3b2 upstream. + +Based on available evidence, the USB ID 4c4a:4155 used by multiple +devices has been attributed to Jieli. The commit 1a8953f4f774 +("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY") affected touchscreen +functionality. Added checks for manufacturer and serial number to +maintain microphone compatibility, enabling both devices to function +properly. + +[jkosina@suse.com: edit shortlog] +Fixes: 1a8953f4f774 ("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY") +Cc: stable@vger.kernel.org +Tested-by: staffan.melin@oscillator.se +Reviewed-by: Terry Junge +Signed-off-by: Zhang Heng +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 4 ++-- + drivers/hid/hid-quirks.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1543,7 +1543,7 @@ + #define USB_VENDOR_ID_SIGNOTEC 0x2133 + #define USB_DEVICE_ID_SIGNOTEC_VIEWSONIC_PD1011 0x0018 + +-#define USB_VENDOR_ID_SMARTLINKTECHNOLOGY 0x4c4a +-#define USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155 0x4155 ++#define USB_VENDOR_ID_JIELI_SDK_DEFAULT 0x4c4a ++#define USB_DEVICE_ID_JIELI_SDK_4155 0x4155 + + #endif +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -915,7 +915,6 @@ static const struct hid_device_id hid_ig + #endif + { HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) }, + { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) }, +- { HID_USB_DEVICE(USB_VENDOR_ID_SMARTLINKTECHNOLOGY, USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155) }, + { } + }; + +@@ -1064,6 +1063,18 @@ bool hid_ignore(struct hid_device *hdev) + strlen(elan_acpi_id[i].id))) + return true; + 
break; ++ case USB_VENDOR_ID_JIELI_SDK_DEFAULT: ++ /* ++ * Multiple USB devices with identical IDs (mic & touchscreen). ++ * The touch screen requires hid core processing, but the ++ * microphone does not. They can be distinguished by manufacturer ++ * and serial number. ++ */ ++ if (hdev->product == USB_DEVICE_ID_JIELI_SDK_4155 && ++ strncmp(hdev->name, "SmartlinkTechnology", 19) == 0 && ++ strncmp(hdev->uniq, "20201111000001", 14) == 0) ++ return true; ++ break; + } + + if (hdev->type == HID_TYPE_USBMOUSE && diff --git a/queue-6.17/input-cros_ec_keyb-fix-an-invalid-memory-access.patch b/queue-6.17/input-cros_ec_keyb-fix-an-invalid-memory-access.patch new file mode 100644 index 0000000000..2b562d783f --- /dev/null +++ b/queue-6.17/input-cros_ec_keyb-fix-an-invalid-memory-access.patch 
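Review bot: The lengths `19` and `14` in the two `strncmp()` calls are hand-counted, and they make both tests prefix matches, so any name or serial that merely starts with these strings is ignored as well. `strstarts(hdev->name, "SmartlinkTechnology")` states the prefix intent without a magic number, and if the serial is meant to match exactly, `strcmp(hdev->uniq, "20201111000001") == 0` is the tighter test. The comment says the devices are told apart by "manufacturer and serial number" while the code reads `hdev->name`; it would help to say that both values are strings reported by the device itself. hid_ignore() begins and ends outside the hunk.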
@@ -0,0 +1,53 @@ +From e08969c4d65ac31297fcb4d31d4808c789152f68 Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Tue, 4 Nov 2025 07:03:10 +0000 +Subject: Input: cros_ec_keyb - fix an invalid memory access + +From: Tzung-Bi Shih + +commit e08969c4d65ac31297fcb4d31d4808c789152f68 upstream. + +If cros_ec_keyb_register_matrix() isn't called (due to +`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains +NULL. An invalid memory access is observed in cros_ec_keyb_process() +when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() +in such case. + + Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 + ... + x3 : 0000000000000000 x2 : 0000000000000000 + x1 : 0000000000000000 x0 : 0000000000000000 + Call trace: + input_event + cros_ec_keyb_work + blocking_notifier_call_chain + ec_irq_thread + +It's still unknown about why the kernel receives such malformed event, +in any cases, the kernel shouldn't access `ckdev->idev` and friends if +the driver doesn't intend to initialize them. + +Signed-off-by: Tzung-Bi Shih +Link: https://patch.msgid.link/20251104070310.3212712-1-tzungbi@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/cros_ec_keyb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/input/keyboard/cros_ec_keyb.c ++++ b/drivers/input/keyboard/cros_ec_keyb.c +@@ -261,6 +261,12 @@ static int cros_ec_keyb_work(struct noti + case EC_MKBP_EVENT_KEY_MATRIX: + pm_wakeup_event(ckdev->dev, 0); + ++ if (!ckdev->idev) { ++ dev_warn_once(ckdev->dev, ++ "Unexpected key matrix event\n"); ++ return NOTIFY_OK; ++ } ++ + if (ckdev->ec->event_size != ckdev->cols) { + dev_err(ckdev->dev, + "Discarded incomplete key matrix event.\n"); 
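Review bot: The new `if (!ckdev->idev)` guard sits after `pm_wakeup_event(ckdev->dev, 0)`, so a key-matrix event that the driver is about to drop still registers a wakeup. If that is not intended, the guard should move above the `pm_wakeup_event()` call. The block also needs a line saying when `idev` can be NULL, e.g. `/* idev is only set up by cros_ec_keyb_register_matrix(); it stays NULL on buttons/switches-only devices */`, which is what the commit message describes. cros_ec_keyb_work() starts and continues outside the hunk.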
diff --git a/queue-6.17/input-goodix-add-support-for-acpi-id-gdix1003.patch b/queue-6.17/input-goodix-add-support-for-acpi-id-gdix1003.patch new file mode 100644 index 0000000000..c4f9461ace --- /dev/null +++ b/queue-6.17/input-goodix-add-support-for-acpi-id-gdix1003.patch @@ -0,0 +1,35 @@ +From c6d99e488117201c63efd747ce17b80687c3f5a9 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 13 Oct 2025 09:15:25 -0700 +Subject: Input: goodix - add support for ACPI ID GDIX1003 + +From: Hans de Goede + +commit c6d99e488117201c63efd747ce17b80687c3f5a9 upstream. + +Some newer devices use an ACPI hardware ID of GDIX1003 for their Goodix +touchscreen controller, instead of GDIX1001 / GDIX1002. Add GDIX1003 +to the goodix_acpi_match[] table. + +Reported-by: Weikang Guo +Closes: https://lore.kernel.org/linux-input/20250225024409.1467040-1-guoweikang.kernel@gmail.com/ +Tested-by: Weikang Guo +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20251013121022.44333-1-hansg@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/goodix.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -1557,6 +1557,7 @@ MODULE_DEVICE_TABLE(i2c, goodix_ts_id); + static const struct acpi_device_id goodix_acpi_match[] = { + { "GDIX1001", 0 }, + { "GDIX1002", 0 }, ++ { "GDIX1003", 0 }, + { "GDX9110", 0 }, + { } + }; diff --git a/queue-6.17/input-imx_sc_key-fix-memory-corruption-on-unload.patch b/queue-6.17/input-imx_sc_key-fix-memory-corruption-on-unload.patch new file mode 100644 index 0000000000..a7a864b8e3 --- /dev/null +++ b/queue-6.17/input-imx_sc_key-fix-memory-corruption-on-unload.patch 
@@ -0,0 +1,36 @@
+From d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Sat, 1 Nov 2025 16:25:27 +0300
+Subject: Input: imx_sc_key - fix memory corruption on unload
+
+From: Dan Carpenter
+
+commit d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 upstream.
+
+This is supposed to be "priv" but we accidentally pass "&priv" which is
+an address in the stack and so it will lead to memory corruption when
+the imx_sc_key_action() function is called. Remove the &.
+
+Fixes: 768062fd1284 ("Input: imx_sc_key - use devm_add_action_or_reset() to handle all cleanups")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Peng Fan
+Reviewed-by: Frank Li
+Link: https://patch.msgid.link/aQYKR75r2VMFJutT@stanley.mountain
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/imx_sc_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/imx_sc_key.c
++++ b/drivers/input/keyboard/imx_sc_key.c
+@@ -158,7 +158,7 @@ static int imx_sc_key_probe(struct platf
+ return error;
+ }
+
+- error = devm_add_action_or_reset(&pdev->dev, imx_sc_key_action, &priv);
++ error = devm_add_action_or_reset(&pdev->dev, imx_sc_key_action, priv);
+ if (error)
+ return error;
+
diff --git a/queue-6.17/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch b/queue-6.17/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch
new file mode 100644
index 0000000000..ff305b219b
--- /dev/null
+++ b/queue-6.17/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch
@@ -0,0 +1,54 @@
+From 69aeb507312306f73495598a055293fa749d454e Mon Sep 17 00:00:00 2001
+From: Seungjin Bae
+Date: Fri, 17 Oct 2025 15:36:31 -0700
+Subject: Input: pegasus-notetaker - fix potential out-of-bounds access
+
+From: Seungjin Bae
+
+commit 69aeb507312306f73495598a055293fa749d454e upstream.
+
+In the pegasus_notetaker driver, the pegasus_probe() function allocates
+the URB transfer buffer using the wMaxPacketSize value from
+the endpoint descriptor. An attacker can use a malicious USB descriptor
+to force the allocation of a very small buffer.
+
+Subsequently, if the device sends an interrupt packet with a specific
+pattern (e.g., where the first byte is 0x80 or 0x42),
+the pegasus_parse_packet() function parses the packet without checking
+the allocated buffer size. This leads to an out-of-bounds memory access.
+
+Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
+Signed-off-by: Seungjin Bae
+Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/tablet/pegasus_notetaker.c
++++ b/drivers/input/tablet/pegasus_notetaker.c
+@@ -63,6 +63,9 @@
+ #define BUTTON_PRESSED 0xb5
+ #define COMMAND_VERSION 0xa9
+
++/* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */
++#define NOTETAKER_PACKET_SIZE 6
++
+ /* in xy data packet */
+ #define BATTERY_NO_REPORT 0x40
+ #define BATTERY_LOW 0x41
+@@ -311,6 +314,12 @@ static int pegasus_probe(struct usb_inte
+ }
+
+ pegasus->data_len = usb_maxpacket(dev, pipe);
++ if (pegasus->data_len < NOTETAKER_PACKET_SIZE) {
++ dev_err(&intf->dev, "packet size is too small (%d)\n",
++ pegasus->data_len);
++ error = -EINVAL;
++ goto err_free_mem;
++ }
+
+ pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL,
+ &pegasus->data_dma);
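Review bot: The new check in pegasus_probe() bounds the buffer that is allocated, but nothing in these hunks bounds what the device actually delivers in each transfer. pegasus_parse_packet() and the URB completion handler are outside the hunk; if they do not compare the URB's `actual_length` with `NOTETAKER_PACKET_SIZE`, a short packet would be parsed against whatever the buffer held before. With the 6-byte minimum that is no longer an out-of-bounds access, but the parser would still act on bytes the device never sent, so a length check at its top is the natural companion to this patch. pegasus_probe() starts and continues outside the hunk.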
diff --git a/queue-6.17/io_uring-cmd_net-fix-wrong-argument-types-for-skb_queue_splice.patch b/queue-6.17/io_uring-cmd_net-fix-wrong-argument-types-for-skb_queue_splice.patch new file mode 100644 index 0000000000..70c0f32e10 --- /dev/null +++ b/queue-6.17/io_uring-cmd_net-fix-wrong-argument-types-for-skb_queue_splice.patch @@ -0,0 +1,35 @@ +From 46447367a52965e9d35f112f5b26fc8ff8ec443d Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 20 Nov 2025 11:40:15 -0700 +Subject: io_uring/cmd_net: fix wrong argument types for skb_queue_splice() + +From: Jens Axboe + +commit 46447367a52965e9d35f112f5b26fc8ff8ec443d upstream. + +If timestamp retriving needs to be retried and the local list of +SKB's already has entries, then it's spliced back into the socket +queue. However, the arguments for the splice helper are transposed, +causing exactly the wrong direction of splicing into the on-stack +list. Fix that up. + +Cc: stable@vger.kernel.org +Reported-by: Google Big Sleep +Fixes: 9e4ed359b8ef ("io_uring/netcmd: add tx timestamping cmd support") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/cmd_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/cmd_net.c ++++ b/io_uring/cmd_net.c +@@ -126,7 +126,7 @@ static int io_uring_cmd_timestamp(struct + + if (!unlikely(skb_queue_empty(&list))) { + scoped_guard(spinlock_irqsave, &q->lock) +- skb_queue_splice(q, &list); ++ skb_queue_splice(&list, q); + } + return -EAGAIN; + } diff --git a/queue-6.17/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch b/queue-6.17/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch new file mode 100644 index 0000000000..f79c5c7402 --- /dev/null +++ b/queue-6.17/isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch 
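Review bot: Nothing at the call site says which argument of `skb_queue_splice()` is the source and which the destination, which is how the transposed call went unnoticed. A comment above the corrected line such as `/* skb_queue_splice(src, dst): put the skbs we pulled back on the socket queue */` would make the direction checkable in review. The surrounding retry logic of io_uring_cmd_timestamp() is outside the hunk.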
@@ -0,0 +1,38 @@
+From e106e269c5cb38315eb0a0e7e38f71e9b20c8c66 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang
+Date: Tue, 4 Nov 2025 20:50:08 +0800
+Subject: isofs: check the return value of sb_min_blocksize() in isofs_fill_super
+
+From: Yongpeng Yang
+
+commit e106e269c5cb38315eb0a0e7e38f71e9b20c8c66 upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid
+opt->blocksize and sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: 1b17a46c9243e9 ("isofs: convert isofs to use the new mount API")
+Reviewed-by: Jan Kara
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Yongpeng Yang
+Link: https://patch.msgid.link/20251104125009.2111925-4-yangyongpeng.storage@gmail.com
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/isofs/inode.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -610,6 +610,11 @@ static int isofs_fill_super(struct super
+ goto out_freesbi;
+ }
+ opt->blocksize = sb_min_blocksize(s, opt->blocksize);
++ if (!opt->blocksize) {
++ printk(KERN_ERR
++ "ISOFS: unable to set blocksize\n");
++ goto out_freesbi;
++ }
+
+ sbi->s_high_sierra = 0; /* default is iso9660 */
+ sbi->s_session = opt->session;
diff --git a/queue-6.17/kvm-svm-fix-redundant-updates-of-lbr-msr-intercepts.patch b/queue-6.17/kvm-svm-fix-redundant-updates-of-lbr-msr-intercepts.patch
new file mode 100644
index 0000000000..a574e306ca
--- /dev/null
+++ b/queue-6.17/kvm-svm-fix-redundant-updates-of-lbr-msr-intercepts.patch
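Review bot: The new failure branch jumps to `out_freesbi` without setting an error code inside the hunk, unlike the exfat patch in this queue, which returns `-EINVAL` explicitly. What isofs_fill_super() returns from that label depends on a variable assigned outside the hunk, so this is hedged: if it is not already a negative errno at this point, the mount failure would be reported with the wrong value. Setting the function's return variable to `-EINVAL` right before the `goto` would make the branch self-contained.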
@@ -0,0 +1,97 @@ +From 3fa05f96fc08dff5e846c2cc283a249c1bf029a1 Mon Sep 17 00:00:00 2001 +From: Yosry Ahmed +Date: Wed, 12 Nov 2025 01:30:17 +0000 +Subject: KVM: SVM: Fix redundant updates of LBR MSR intercepts + +From: Yosry Ahmed + +commit 3fa05f96fc08dff5e846c2cc283a249c1bf029a1 upstream. + +Don't update the LBR MSR intercept bitmaps if they're already up-to-date, +as unconditionally updating the intercepts forces KVM to recalculate the +MSR bitmaps for vmcb02 on every nested VMRUN. The redundant updates are +functionally okay; however, they neuter an optimization in Hyper-V +nested virtualization enlightenments and this manifests as a self-test +failure. + +In particular, Hyper-V lets L1 mark "nested enlightenments" as clean, i.e. +tell KVM that no changes were made to the MSR bitmap since the last VMRUN. +The hyperv_svm_test KVM selftest intentionally changes the MSR bitmap +"without telling KVM about it" to verify that KVM honors the clean hint, +correctly fails because KVM notices the changed bitmap anyway: + + ==== Test Assertion Failure ==== + x86/hyperv_svm_test.c:120: vmcb->control.exit_code == 0x081 + pid=193558 tid=193558 errno=4 - Interrupted system call + 1 0x0000000000411361: assert_on_unhandled_exception at processor.c:659 + 2 0x0000000000406186: _vcpu_run at kvm_util.c:1699 + 3 (inlined by) vcpu_run at kvm_util.c:1710 + 4 0x0000000000401f2a: main at hyperv_svm_test.c:175 + 5 0x000000000041d0d3: __libc_start_call_main at libc-start.o:? + 6 0x000000000041f27c: __libc_start_main_impl at ??:? + 7 0x00000000004021a0: _start at ??:? + vmcb->control.exit_code == SVM_EXIT_VMMCALL + +Do *not* fix this by skipping svm_hv_vmcb_dirty_nested_enlightenments() +when svm_set_intercept_for_msr() performs a no-op change. changes to +the L0 MSR interception bitmap are only triggered by full CPUID updates +and MSR filter updates, both of which should be rare. 
Changing +svm_set_intercept_for_msr() risks hiding unintended pessimizations +like this one, and is actually more complex than this change. + +Fixes: fbe5e5f030c2 ("KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()") +Cc: stable@vger.kernel.org +Signed-off-by: Yosry Ahmed +Link: https://patch.msgid.link/20251112013017.1836863-1-yosry.ahmed@linux.dev +[Rewritten commit message based on mailing list discussion. - Paolo] +Reviewed-by: Sean Christopherson +Tested-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/svm.c | 9 ++++++++- + arch/x86/kvm/svm/svm.h | 1 + + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -713,7 +713,11 @@ void *svm_alloc_permissions_map(unsigned + + static void svm_recalc_lbr_msr_intercepts(struct kvm_vcpu *vcpu) + { +- bool intercept = !(to_svm(vcpu)->vmcb->control.virt_ext & LBR_CTL_ENABLE_MASK); ++ struct vcpu_svm *svm = to_svm(vcpu); ++ bool intercept = !(svm->vmcb->control.virt_ext & LBR_CTL_ENABLE_MASK); ++ ++ if (intercept == svm->lbr_msrs_intercepted) ++ return; + + svm_set_intercept_for_msr(vcpu, MSR_IA32_LASTBRANCHFROMIP, MSR_TYPE_RW, intercept); + svm_set_intercept_for_msr(vcpu, MSR_IA32_LASTBRANCHTOIP, MSR_TYPE_RW, intercept); +@@ -722,6 +726,8 @@ static void svm_recalc_lbr_msr_intercept + + if (sev_es_guest(vcpu->kvm)) + svm_set_intercept_for_msr(vcpu, MSR_IA32_DEBUGCTLMSR, MSR_TYPE_RW, intercept); ++ ++ svm->lbr_msrs_intercepted = intercept; + } + + void svm_set_x2apic_msr_interception(struct vcpu_svm *svm, bool intercept) +@@ -1278,6 +1284,7 @@ static int svm_vcpu_create(struct kvm_vc + } + + svm->x2avic_msrs_intercepted = true; ++ svm->lbr_msrs_intercepted = true; + + svm->vmcb01.ptr = page_address(vmcb01_page); + svm->vmcb01.pa = __sme_set(page_to_pfn(vmcb01_page) << PAGE_SHIFT); +--- a/arch/x86/kvm/svm/svm.h ++++ b/arch/x86/kvm/svm/svm.h +@@ -334,6 +334,7 @@ struct vcpu_svm { + 
bool guest_state_loaded; + + bool x2avic_msrs_intercepted; ++ bool lbr_msrs_intercepted; + + /* Guest GIF value, used when vGIF is not enabled */ + bool guest_gif; diff --git a/queue-6.17/lib-test_kho-check-if-kho-is-enabled.patch b/queue-6.17/lib-test_kho-check-if-kho-is-enabled.patch new file mode 100644 index 0000000000..5eb99b49e2 --- /dev/null +++ b/queue-6.17/lib-test_kho-check-if-kho-is-enabled.patch @@ -0,0 +1,39 @@ +From a26ec8f3d4e56d4a7ffa301e8032dca9df0bbc05 Mon Sep 17 00:00:00 2001 +From: Pasha Tatashin +Date: Thu, 6 Nov 2025 17:06:35 -0500 +Subject: lib/test_kho: check if KHO is enabled + +From: Pasha Tatashin + +commit a26ec8f3d4e56d4a7ffa301e8032dca9df0bbc05 upstream. + +We must check whether KHO is enabled prior to issuing KHO commands, +otherwise KHO internal data structures are not initialized. + +Link: https://lkml.kernel.org/r/20251106220635.2608494-1-pasha.tatashin@soleen.com +Fixes: b753522bed0b ("kho: add test for kexec handover") +Signed-off-by: Pasha Tatashin +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202511061629.e242724-lkp@intel.com +Reviewed-by: Pratyush Yadav +Reviewed-by: Mike Rapoport (Microsoft) +Cc: Alexander Graf +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_kho.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/lib/test_kho.c ++++ b/lib/test_kho.c +@@ -272,6 +272,9 @@ static int __init kho_test_init(void) + phys_addr_t fdt_phys; + int err; + ++ if (!kho_is_enabled()) ++ return 0; ++ + err = kho_retrieve_subtree(KHO_TEST_FDT, &fdt_phys); + if (!err) + return kho_test_restore(fdt_phys); diff --git a/queue-6.17/loongarch-bpf-disable-trampoline-for-kernel-module-function-trace.patch b/queue-6.17/loongarch-bpf-disable-trampoline-for-kernel-module-function-trace.patch new file mode 100644 index 0000000000..e0eebbfc55 --- /dev/null +++ b/queue-6.17/loongarch-bpf-disable-trampoline-for-kernel-module-function-trace.patch 
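Review bot: `lbr_msrs_intercepted` is added to struct vcpu_svm without a comment, and the early return in svm_recalc_lbr_msr_intercepts() is only correct while that flag mirrors the real state of the LBR MSR intercepts. The invariant should be written on the field, e.g. `/* Cached LBR MSR intercept state; every path that changes those intercepts must update it */`. Whether any other path, such as a full rebuild of the MSR bitmap, changes these intercepts without going through this function is not visible in the hunks and is worth confirming. The initial `true` in svm_vcpu_create() presumably matches the state of a freshly allocated bitmap; a short comment there would settle it.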
@@ -0,0 +1,65 @@ +From 677e6123e3d24adaa252697dc89740f2ac07664e Mon Sep 17 00:00:00 2001 +From: Vincent Li +Date: Thu, 20 Nov 2025 14:42:05 +0800 +Subject: LoongArch: BPF: Disable trampoline for kernel module function trace + +From: Vincent Li + +commit 677e6123e3d24adaa252697dc89740f2ac07664e upstream. + +The current LoongArch BPF trampoline implementation is incompatible +with tracing functions in kernel modules. This causes several severe +and user-visible problems: + +* The `bpf_selftests/module_attach` test fails consistently. +* Kernel lockup when a BPF program is attached to a module function [1]. +* Critical kernel modules like WireGuard experience traffic disruption + when their functions are traced with fentry [2]. + +Given the severity and the potential for other unknown side-effects, it +is safest to disable the feature entirely for now. This patch prevents +the BPF subsystem from allowing trampoline attachments to kernel module +functions on LoongArch. + +This is a temporary mitigation until the core issues in the trampoline +code for kernel module handling can be identified and fixed. + +[root@fedora bpf]# ./test_progs -a module_attach -v +bpf_testmod.ko is already unloaded. +Loading bpf_testmod.ko... +Successfully loaded bpf_testmod.ko. +test_module_attach:PASS:skel_open 0 nsec +test_module_attach:PASS:set_attach_target 0 nsec +test_module_attach:PASS:set_attach_target_explicit 0 nsec +test_module_attach:PASS:skel_load 0 nsec +libbpf: prog 'handle_fentry': failed to attach: -ENOTSUPP +libbpf: prog 'handle_fentry': failed to auto-attach: -ENOTSUPP +test_module_attach:FAIL:skel_attach skeleton attach failed: -524 +Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED +Successfully unloaded bpf_testmod.ko. 
+ +[1]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C13FMT58oqQ@mail.gmail.com/ +[2]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcFaK93uoELPg@mail.gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: f9b6b41f0cf3 ("LoongArch: BPF: Add basic bpf trampoline support") +Acked-by: Hengqi Chen +Signed-off-by: Vincent Li +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/net/bpf_jit.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/loongarch/net/bpf_jit.c ++++ b/arch/loongarch/net/bpf_jit.c +@@ -1626,6 +1626,9 @@ static int __arch_prepare_bpf_trampoline + /* Direct jump skips 5 NOP instructions */ + else if (is_bpf_text_address((unsigned long)orig_call)) + orig_call += LOONGARCH_BPF_FENTRY_NBYTES; ++ /* Module tracing not supported - cause kernel lockups */ ++ else if (is_module_text_address((unsigned long)orig_call)) ++ return -ENOTSUPP; + + if (flags & BPF_TRAMP_F_CALL_ORIG) { + move_addr(ctx, LOONGARCH_GPR_A0, (const u64)im); diff --git a/queue-6.17/loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch b/queue-6.17/loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch new file mode 100644 index 0000000000..a9ae4fe184 --- /dev/null +++ b/queue-6.17/loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch 
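Review bot: The added comment "Module tracing not supported - cause kernel lockups" does not say that this is a temporary restriction, which the commit message is explicit about. Something like `/* Temporary: trampolines on module functions lock up the kernel, reject until that is fixed */` would stop the check from becoming permanent by accident. The rejection is also the last arm of an if/else chain whose other visible arm only adjusts `orig_call`; the start of that chain and anything set up before it are outside the hunk, so it should be confirmed that returning `-ENOTSUPP` here skips no cleanup.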
@@ -0,0 +1,39 @@ +From a6b533adfc05ba15360631e019d3e18275080275 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 20 Nov 2025 14:42:05 +0800 +Subject: LoongArch: Don't panic if no valid cache info for PCI + +From: Huacai Chen + +commit a6b533adfc05ba15360631e019d3e18275080275 upstream. + +If there is no valid cache info detected (may happen in virtual machine) +for pci_dfl_cache_line_size, kernel shouldn't panic. Because in the PCI +core it will be evaluated to (L1_CACHE_BYTES >> 2). + +Cc: +Signed-off-by: Jiaxun Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/pci/pci.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/loongarch/pci/pci.c ++++ b/arch/loongarch/pci/pci.c +@@ -50,11 +50,11 @@ static int __init pcibios_init(void) + */ + lsize = cpu_last_level_cache_line_size(); + +- BUG_ON(!lsize); ++ if (lsize) { ++ pci_dfl_cache_line_size = lsize >> 2; + +- pci_dfl_cache_line_size = lsize >> 2; +- +- pr_debug("PCI: pci_cache_line_size set to %d bytes\n", lsize); ++ pr_debug("PCI: pci_cache_line_size set to %d bytes\n", lsize); ++ } + + return 0; + } diff --git a/queue-6.17/loongarch-fix-numa-node-parsing-with-numa_memblks.patch b/queue-6.17/loongarch-fix-numa-node-parsing-with-numa_memblks.patch new file mode 100644 index 0000000000..8d934a8b0d --- /dev/null +++ b/queue-6.17/loongarch-fix-numa-node-parsing-with-numa_memblks.patch 
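Review bot: When `lsize` is 0, pcibios_init() now leaves `pci_dfl_cache_line_size` untouched without a log line or a comment, and the reason is recorded only in the commit message. A comment on the new branch such as `/* No cache info (e.g. in a VM): keep the PCI core's default */` would keep a later cleanup from restoring the `BUG_ON()`. The comment block that precedes `lsize = cpu_last_level_cache_line_size();` starts outside the hunk.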
@@ -0,0 +1,116 @@ +From acf5de1b23b0275eb69f235c8e9f2cef19fa39a1 Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Thu, 20 Nov 2025 14:42:05 +0800 +Subject: LoongArch: Fix NUMA node parsing with numa_memblks + +From: Bibo Mao + +commit acf5de1b23b0275eb69f235c8e9f2cef19fa39a1 upstream. + +On physical machine, NUMA node id comes from high bit 44:48 of physical +address. However it is not true on virt machine. With general method, it +comes from ACPI SRAT table. + +Here the common function numa_memblks_init() is used to parse NUMA node +information with numa_memblks. + +Cc: +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/numa.c | 60 ++++++++++++------------------------------- + 1 file changed, 18 insertions(+), 42 deletions(-) + +--- a/arch/loongarch/kernel/numa.c ++++ b/arch/loongarch/kernel/numa.c +@@ -158,35 +158,9 @@ static void __init node_mem_init(unsigne + + #ifdef CONFIG_ACPI_NUMA + +-/* +- * add_numamem_region +- * +- * Add a uasable memory region described by BIOS. The +- * routine gets each intersection between BIOS's region +- * and node's region, and adds them into node's memblock +- * pool. 
+- * +- */ +-static void __init add_numamem_region(u64 start, u64 end, u32 type) +-{ +- u32 node = pa_to_nid(start); +- u64 size = end - start; +- static unsigned long num_physpages; +- +- if (start >= end) { +- pr_debug("Invalid region: %016llx-%016llx\n", start, end); +- return; +- } +- +- num_physpages += (size >> PAGE_SHIFT); +- pr_info("Node%d: mem_type:%d, mem_start:0x%llx, mem_size:0x%llx Bytes\n", +- node, type, start, size); +- pr_info(" start_pfn:0x%llx, end_pfn:0x%llx, num_physpages:0x%lx\n", +- start >> PAGE_SHIFT, end >> PAGE_SHIFT, num_physpages); +- memblock_set_node(start, size, &memblock.memory, node); +-} ++static unsigned long num_physpages; + +-static void __init init_node_memblock(void) ++static void __init info_node_memblock(void) + { + u32 mem_type; + u64 mem_end, mem_start, mem_size; +@@ -206,12 +180,20 @@ static void __init init_node_memblock(vo + case EFI_BOOT_SERVICES_DATA: + case EFI_PERSISTENT_MEMORY: + case EFI_CONVENTIONAL_MEMORY: +- add_numamem_region(mem_start, mem_end, mem_type); ++ num_physpages += (mem_size >> PAGE_SHIFT); ++ pr_info("Node%d: mem_type:%d, mem_start:0x%llx, mem_size:0x%llx Bytes\n", ++ (u32)pa_to_nid(mem_start), mem_type, mem_start, mem_size); ++ pr_info(" start_pfn:0x%llx, end_pfn:0x%llx, num_physpages:0x%lx\n", ++ mem_start >> PAGE_SHIFT, mem_end >> PAGE_SHIFT, num_physpages); + break; + case EFI_PAL_CODE: + case EFI_UNUSABLE_MEMORY: + case EFI_ACPI_RECLAIM_MEMORY: +- add_numamem_region(mem_start, mem_end, mem_type); ++ num_physpages += (mem_size >> PAGE_SHIFT); ++ pr_info("Node%d: mem_type:%d, mem_start:0x%llx, mem_size:0x%llx Bytes\n", ++ (u32)pa_to_nid(mem_start), mem_type, mem_start, mem_size); ++ pr_info(" start_pfn:0x%llx, end_pfn:0x%llx, num_physpages:0x%lx\n", ++ mem_start >> PAGE_SHIFT, mem_end >> PAGE_SHIFT, num_physpages); + fallthrough; + case EFI_RESERVED_TYPE: + case EFI_RUNTIME_SERVICES_CODE: +@@ -249,22 +231,16 @@ int __init init_numa_memory(void) + for (i = 0; i < NR_CPUS; i++) + 
set_cpuid_to_node(i, NUMA_NO_NODE); + +- numa_reset_distance(); +- nodes_clear(numa_nodes_parsed); +- nodes_clear(node_possible_map); +- nodes_clear(node_online_map); +- WARN_ON(memblock_clear_hotplug(0, PHYS_ADDR_MAX)); +- + /* Parse SRAT and SLIT if provided by firmware. */ +- ret = acpi_disabled ? fake_numa_init() : acpi_numa_init(); ++ if (!acpi_disabled) ++ ret = numa_memblks_init(acpi_numa_init, false); ++ else ++ ret = numa_memblks_init(fake_numa_init, false); ++ + if (ret < 0) + return ret; + +- node_possible_map = numa_nodes_parsed; +- if (WARN_ON(nodes_empty(node_possible_map))) +- return -EINVAL; +- +- init_node_memblock(); ++ info_node_memblock(); + if (!memblock_validate_numa_coverage(SZ_1M)) + return -EINVAL; + diff --git a/queue-6.17/mips-malta-fix-eva-soc-it-pci-mmio.patch b/queue-6.17/mips-malta-fix-eva-soc-it-pci-mmio.patch new file mode 100644 index 0000000000..bc046668ad --- /dev/null +++ b/queue-6.17/mips-malta-fix-eva-soc-it-pci-mmio.patch 
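Review bot: The two case groups in info_node_memblock() now carry the same five lines (the `num_physpages` update and both `pr_info()` calls), where the removed add_numamem_region() held them once. A small logging-only helper keeps the cases to one call each and prevents the copies from drifting apart. The sketch assumes `mem_size` is `mem_end - mem_start`, which is computed outside the hunk. The removed helper also rejected regions with `start >= end`; whether numa_memblks_init() covers that case cannot be seen from here.

```c
/* Log one firmware memory region and add its pages to the running total. */
static void __init info_numamem_region(u64 start, u64 end, u32 type)
{
	u64 size = end - start;

	num_physpages += (size >> PAGE_SHIFT);
	/* … unchanged: the two pr_info() calls, fed from start/end/size/type … */
}

/* … unchanged: info_node_memblock() up to the switch … */
		case EFI_CONVENTIONAL_MEMORY:
			info_numamem_region(mem_start, mem_end, mem_type);
			break;
/* … unchanged: EFI_PAL_CODE, EFI_UNUSABLE_MEMORY, EFI_ACPI_RECLAIM_MEMORY labels … */
			info_numamem_region(mem_start, mem_end, mem_type);
			fallthrough;
```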
@@ -0,0 +1,100 @@ +From ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Mon, 20 Oct 2025 02:11:49 +0100 +Subject: MIPS: Malta: Fix !EVA SOC-it PCI MMIO + +From: Maciej W. Rozycki + +commit ebd729fef31620e0bf74cbf8a4c7fda73a2a4e7e upstream. + +Fix a regression that has caused accesses to the PCI MMIO window to +complete unclaimed in non-EVA configurations with the SOC-it family of +system controllers, preventing PCI devices from working that use MMIO. + +In the non-EVA case PHYS_OFFSET is set to 0, meaning that PCI_BAR0 is +set with an empty mask (and PCI_HEAD4 matches addresses starting from 0 +accordingly). Consequently all addresses are matched for incoming DMA +accesses from PCI. This seems to confuse the system controller's logic +and outgoing bus cycles targeting the PCI MMIO window seem not to make +it to the intended devices. + +This happens as well when a wider mask is used with PCI_BAR0, such as +0x80000000 or 0xe0000000, that makes addresses match that overlap with +the PCI MMIO window, which starts at 0x10000000 in our configuration. + +Set the mask in PCI_BAR0 to 0xf0000000 for non-EVA then, covering the +non-EVA maximum 256 MiB of RAM, which is what YAMON does and which used +to work correctly up to the offending commit. Set PCI_P2SCMSKL to match +PCI_BAR0 as required by the system controller's specification, and match +PCI_P2SCMAPL to PCI_HEAD4 for identity mapping. + +Verified with: + +Core board type/revision = 0x0d (Core74K) / 0x01 +System controller/revision = MIPS SOC-it 101 OCP / 1.3 SDR-FW-4:1 +Processor Company ID/options = 0x01 (MIPS Technologies, Inc.) / 0x1c +Processor ID/revision = 0x97 (MIPS 74Kf) / 0x4c + +for non-EVA and with: + +Core board type/revision = 0x0c (CoreFPGA-5) / 0x00 +System controller/revision = MIPS ROC-it2 / 0.0 FW-1:1 (CLK_unknown) GIC +Processor Company ID/options = 0x01 (MIPS Technologies, Inc.) 
/ 0x00 +Processor ID/revision = 0xa0 (MIPS interAptiv UP) / 0x20 + +for EVA/non-EVA, fixing: + +defxx 0000:00:12.0: assign IRQ: got 10 +defxx: v1.12 2021/03/10 Lawrence V. Stefani and others +0000:00:12.0: Could not read adapter factory MAC address! + +vs: + +defxx 0000:00:12.0: assign IRQ: got 10 +defxx: v1.12 2021/03/10 Lawrence V. Stefani and others +0000:00:12.0: DEFPA at MMIO addr = 0x10142000, IRQ = 10, Hardware addr = 00-00-f8-xx-xx-xx +0000:00:12.0: registered as fddi0 + +for non-EVA and causing no change for EVA. + +Signed-off-by: Maciej W. Rozycki +Fixes: 422dd256642b ("MIPS: Malta: Allow PCI devices DMA to lower 2GB physical") +Cc: stable@vger.kernel.org # v4.9+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mti-malta/malta-init.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/arch/mips/mti-malta/malta-init.c ++++ b/arch/mips/mti-malta/malta-init.c +@@ -241,16 +241,22 @@ mips_pci_controller: + #endif + + /* +- * Setup the Malta max (2GB) memory for PCI DMA in host bridge +- * in transparent addressing mode. ++ * Set up memory mapping in host bridge for PCI DMA masters, ++ * in transparent addressing mode. For EVA use the Malta ++ * maximum of 2 GiB memory in the alias space at 0x80000000 ++ * as per PHYS_OFFSET. Otherwise use 256 MiB of memory in ++ * the regular space, avoiding mapping the PCI MMIO window ++ * for DMA as it seems to confuse the system controller's ++ * logic, causing PCI MMIO to stop working. + */ +- mask = PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH; +- MSC_WRITE(MSC01_PCI_BAR0, mask); +- MSC_WRITE(MSC01_PCI_HEAD4, mask); ++ mask = PHYS_OFFSET ? 
PHYS_OFFSET : 0xf0000000; ++ MSC_WRITE(MSC01_PCI_BAR0, ++ mask | PCI_BASE_ADDRESS_MEM_PREFETCH); ++ MSC_WRITE(MSC01_PCI_HEAD4, ++ PHYS_OFFSET | PCI_BASE_ADDRESS_MEM_PREFETCH); + +- mask &= MSC01_PCI_BAR0_SIZE_MSK; + MSC_WRITE(MSC01_PCI_P2SCMSKL, mask); +- MSC_WRITE(MSC01_PCI_P2SCMAPL, mask); ++ MSC_WRITE(MSC01_PCI_P2SCMAPL, PHYS_OFFSET); + + /* Don't handle target retries indefinitely. */ + if ((data & MSC01_PCI_CFG_MAXRTRY_MSK) == diff --git a/queue-6.17/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch b/queue-6.17/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch new file mode 100644 index 0000000000..7dff5ac699 --- /dev/null +++ b/queue-6.17/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch 
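Review bot: The literal `0xf0000000` in `mask = PHYS_OFFSET ? PHYS_OFFSET : 0xf0000000;` decides how much physical memory PCI bus masters can reach through BAR0 in the non-EVA case, yet it is an unnamed constant. The same value is then written unmasked to `MSC01_PCI_P2SCMSKL`, because the hunk drops the earlier `mask &= MSC01_PCI_BAR0_SIZE_MSK;`; that is presumably fine for the two values `mask` can take, but a short comment should say so. I would give the window a name, for example `#define MALTA_PCI_DMA_MASK_NONEVA 0xf0000000 /* 256 MiB inbound window */`, so the DMA exposure can be reviewed in one place. The enclosing function starts and ends outside the hunk.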
@@ -0,0 +1,174 @@ +From 9f048fa487409e364cf866c957cf0b0d782ca5a3 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Thu, 13 Nov 2025 05:21:10 +0000 +Subject: MIPS: mm: Prevent a TLB shutdown on initial uniquification + +From: Maciej W. Rozycki + +commit 9f048fa487409e364cf866c957cf0b0d782ca5a3 upstream. + +Depending on the particular CPU implementation a TLB shutdown may occur +if multiple matching entries are detected upon the execution of a TLBP +or the TLBWI/TLBWR instructions. Given that we don't know what entries +we have been handed we need to be very careful with the initial TLB +setup and avoid all these instructions. + +Therefore read all the TLB entries one by one with the TLBR instruction, +bypassing the content addressing logic, and truncate any large pages in +place so as to avoid a case in the second step where an incoming entry +for a large page at a lower address overlaps with a replacement entry +chosen at another index. Then preinitialize the TLB using addresses +outside our usual unique range and avoiding clashes with any entries +received, before making the usual call to local_flush_tlb_all(). + +This fixes (at least) R4x00 cores if TLBP hits multiple matching TLB +entries (SGI IP22 PROM for examples sets up all TLBs to the same virtual +address). + +Signed-off-by: Maciej W. 
Rozycki +Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init") +Cc: stable@vger.kernel.org +Reviewed-by: Jiaxun Yang +Tested-by: Jiaxun Yang # Boston I6400, M5150 sim +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/tlb-r4k.c | 102 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 64 insertions(+), 38 deletions(-) + +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -508,55 +509,79 @@ static int __init set_ntlb(char *str) + + __setup("ntlb=", set_ntlb); + +-/* Initialise all TLB entries with unique values */ ++ ++/* Comparison function for EntryHi VPN fields. */ ++static int r4k_vpn_cmp(const void *a, const void *b) ++{ ++ long v = *(unsigned long *)a - *(unsigned long *)b; ++ int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0; ++ return s ? (v != 0) | v >> s : v; ++} ++ ++/* ++ * Initialise all TLB entries with unique values that do not clash with ++ * what we have been handed over and what we'll be using ourselves. ++ */ + static void r4k_tlb_uniquify(void) + { +- int entry = num_wired_entries(); ++ unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE]; ++ int tlbsize = current_cpu_data.tlbsize; ++ int start = num_wired_entries(); ++ unsigned long vpn_mask; ++ int cnt, ent, idx, i; ++ ++ vpn_mask = GENMASK(cpu_vmbits - 1, 13); ++ vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 
3ULL << 62 : 1 << 31; + + htw_stop(); +- write_c0_entrylo0(0); +- write_c0_entrylo1(0); + +- while (entry < current_cpu_data.tlbsize) { +- unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data); +- unsigned long asid = 0; +- int idx; ++ for (i = start, cnt = 0; i < tlbsize; i++, cnt++) { ++ unsigned long vpn; + +- /* Skip wired MMID to make ginvt_mmid work */ +- if (cpu_has_mmid) +- asid = MMID_KERNEL_WIRED + 1; ++ write_c0_index(i); ++ mtc0_tlbr_hazard(); ++ tlb_read(); ++ tlb_read_hazard(); ++ vpn = read_c0_entryhi(); ++ vpn &= vpn_mask & PAGE_MASK; ++ tlb_vpns[cnt] = vpn; + +- /* Check for match before using UNIQUE_ENTRYHI */ +- do { +- if (cpu_has_mmid) { +- write_c0_memorymapid(asid); +- write_c0_entryhi(UNIQUE_ENTRYHI(entry)); +- } else { +- write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid); +- } +- mtc0_tlbw_hazard(); +- tlb_probe(); +- tlb_probe_hazard(); +- idx = read_c0_index(); +- /* No match or match is on current entry */ +- if (idx < 0 || idx == entry) +- break; +- /* +- * If we hit a match, we need to try again with +- * a different ASID. +- */ +- asid++; +- } while (asid < asid_mask); +- +- if (idx >= 0 && idx != entry) +- panic("Unable to uniquify TLB entry %d", idx); +- +- write_c0_index(entry); ++ /* Prevent any large pages from overlapping regular ones. 
*/ ++ write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK); + mtc0_tlbw_hazard(); + tlb_write_indexed(); +- entry++; ++ tlbw_use_hazard(); + } + ++ sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL); ++ ++ write_c0_pagemask(PM_DEFAULT_MASK); ++ write_c0_entrylo0(0); ++ write_c0_entrylo1(0); ++ ++ idx = 0; ++ ent = tlbsize; ++ for (i = start; i < tlbsize; i++) ++ while (1) { ++ unsigned long entryhi, vpn; ++ ++ entryhi = UNIQUE_ENTRYHI(ent); ++ vpn = entryhi & vpn_mask & PAGE_MASK; ++ ++ if (idx >= cnt || vpn < tlb_vpns[idx]) { ++ write_c0_entryhi(entryhi); ++ write_c0_index(i); ++ mtc0_tlbw_hazard(); ++ tlb_write_indexed(); ++ ent++; ++ break; ++ } else if (vpn == tlb_vpns[idx]) { ++ ent++; ++ } else { ++ idx++; ++ } ++ } ++ + tlbw_use_hazard(); + htw_start(); + flush_micro_tlb(); +@@ -602,6 +627,7 @@ static void r4k_tlb_configure(void) + + /* From this point on the ARC firmware is dead. */ + r4k_tlb_uniquify(); ++ local_flush_tlb_all(); + + /* Did I tell you that ARC SUCKS? */ + } diff --git a/queue-6.17/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch b/queue-6.17/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch new file mode 100644 index 0000000000..f2e9b4480a --- /dev/null +++ b/queue-6.17/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch 
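Review bot: `tlb_vpns[]` in `r4k_tlb_uniquify()` is a fixed on-stack array of `1 << MIPS_CONF1_TLBS_SIZE` entries, but the first loop stores `tlb_vpns[cnt]` for every index from `num_wired_entries()` up to `current_cpu_data.tlbsize` with no check against the array length. The hunk shows no upper bound on `tlbsize`, so if a CPU reports more TLB entries than that constant allows for, the loop writes past the end of the stack buffer during early boot. The array should be sized from `tlbsize`, or the function should refuse to proceed when `tlbsize - start > ARRAY_SIZE(tlb_vpns)`. Separately, `r4k_vpn_cmp()` orders by the sign of an `unsigned long` subtraction, which wraps for VPNs more than half the value range apart, while the merge loop compares with plain `<`; comparing the two loaded values directly, `return (x > y) - (x < y);`, would keep both orderings consistent.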
@@ -0,0 +1,106 @@ +From ec33b59542d96830e3c89845ff833cf7b25ef172 Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Thu, 13 Nov 2025 19:54:35 +0100 +Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM + +From: Vlastimil Babka + +commit ec33b59542d96830e3c89845ff833cf7b25ef172 upstream. + +The kernel test has reported: + + BUG: unable to handle page fault for address: fffba000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + *pde = 03171067 *pte = 00000000 + Oops: Oops: 0002 [#1] + CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca + Tainted: [T]=RANDSTRUCT + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) + Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 + EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b + ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 + DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 + CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 + Call Trace: + poison_element (mm/mempool.c:83 mm/mempool.c:102) + mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) + mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) + ? mempool_alloc_pages (mm/mempool.c:640) + bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) + ? mempool_alloc_pages (mm/mempool.c:640) + do_one_initcall (init/main.c:1283) + +Christoph found out this is due to the poisoning code not dealing +properly with CONFIG_HIGHMEM because only the first page is mapped but +then the whole potentially high-order page is accessed. 
+ +We could give up on HIGHMEM here, but it's straightforward to fix this +with a loop that's mapping, poisoning or checking and unmapping +individual pages. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com +Analyzed-by: Christoph Hellwig +Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator") +Cc: stable@vger.kernel.org +Tested-by: kernel test robot +Reviewed-by: Christoph Hellwig +Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempool.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +--- a/mm/mempool.c ++++ b/mm/mempool.c +@@ -68,10 +68,20 @@ static void check_element(mempool_t *poo + } else if (pool->free == mempool_free_pages) { + /* Mempools backed by page allocator */ + int order = (int)(long)pool->pool_data; +- void *addr = kmap_local_page((struct page *)element); + +- __check_element(pool, addr, 1UL << (PAGE_SHIFT + order)); +- kunmap_local(addr); ++#ifdef CONFIG_HIGHMEM ++ for (int i = 0; i < (1 << order); i++) { ++ struct page *page = (struct page *)element; ++ void *addr = kmap_local_page(page + i); ++ ++ __check_element(pool, addr, PAGE_SIZE); ++ kunmap_local(addr); ++ } ++#else ++ void *addr = page_address((struct page *)element); ++ ++ __check_element(pool, addr, PAGE_SIZE << order); ++#endif + } + } + +@@ -97,10 +107,20 @@ static void poison_element(mempool_t *po + } else if (pool->alloc == mempool_alloc_pages) { + /* Mempools backed by page allocator */ + int order = (int)(long)pool->pool_data; +- void *addr = kmap_local_page((struct page *)element); + +- __poison_element(addr, 1UL << (PAGE_SHIFT + order)); +- kunmap_local(addr); ++#ifdef CONFIG_HIGHMEM ++ for (int i = 0; i < (1 << order); i++) { ++ struct page *page = (struct page *)element; ++ void *addr = kmap_local_page(page + i); ++ ++ __poison_element(addr, 
PAGE_SIZE); ++ kunmap_local(addr); ++ } ++#else ++ void *addr = page_address((struct page *)element); ++ ++ __poison_element(addr, PAGE_SIZE << order); ++#endif + } + } + #else /* CONFIG_SLUB_DEBUG_ON */ diff --git a/queue-6.17/mptcp-disallow-mptcp-subflows-from-sockmap.patch b/queue-6.17/mptcp-disallow-mptcp-subflows-from-sockmap.patch new file mode 100644 index 0000000000..5ed57d1b07 --- /dev/null +++ b/queue-6.17/mptcp-disallow-mptcp-subflows-from-sockmap.patch 
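Review bot: The `CONFIG_HIGHMEM` branches added to `check_element()` and `poison_element()` carry no comment explaining why the element is walked page by page, which is the whole point of the fix. A line such as `/* kmap_local_page() maps one page only; map, process and unmap each page of a high-order element */` above each loop would keep a later cleanup from folding the loop back into a single mapping. The loop-invariant `struct page *page = (struct page *)element;` could also be declared once before the `for`. Both functions begin outside their hunks.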
@@ -0,0 +1,80 @@ +From fbade4bd08ba52cbc74a71c4e86e736f059f99f7 Mon Sep 17 00:00:00 2001 +From: Jiayuan Chen +Date: Tue, 11 Nov 2025 14:02:50 +0800 +Subject: mptcp: Disallow MPTCP subflows from sockmap + +From: Jiayuan Chen + +commit fbade4bd08ba52cbc74a71c4e86e736f059f99f7 upstream. + +The sockmap feature allows bpf syscall from userspace, or based on bpf +sockops, replacing the sk_prot of sockets during protocol stack processing +with sockmap's custom read/write interfaces. +''' +tcp_rcv_state_process() + subflow_syn_recv_sock() + tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) + bpf_skops_established <== sockops + bpf_sock_map_update(sk) <== call bpf helper + tcp_bpf_update_proto() <== update sk_prot +''' +Consider two scenarios: + +1. When the server has MPTCP enabled and the client also requests MPTCP, + the sk passed to the BPF program is a subflow sk. Since subflows only + handle partial data, replacing their sk_prot is meaningless and will + cause traffic disruption. + +2. When the server has MPTCP enabled but the client sends a TCP SYN + without MPTCP, subflow_syn_recv_sock() performs a fallback on the + subflow, replacing the subflow sk's sk_prot with the native sk_prot. + ''' + subflow_ulp_fallback() + subflow_drop_ctx() + mptcp_subflow_ops_undo_override() + ''' + Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops() + converts the subflow to plain TCP. + +For the first case, we should prevent it from being combined with sockmap +by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by +sockmap's own flow. + +For the second case, since subflow_syn_recv_sock() has already restored +sk_prot to native tcp_prot/tcpv6_prot, no further action is needed. 
+ +Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: Matthieu Baerts (NGI0) +Cc: +Link: https://patch.msgid.link/20251111060307.194196-2-jiayuan.chen@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -2144,6 +2144,10 @@ void __init mptcp_subflow_init(void) + tcp_prot_override = tcp_prot; + tcp_prot_override.release_cb = tcp_release_cb_override; + tcp_prot_override.diag_destroy = tcp_abort_override; ++#ifdef CONFIG_BPF_SYSCALL ++ /* Disable sockmap processing for subflows */ ++ tcp_prot_override.psock_update_sk_prot = NULL; ++#endif + + #if IS_ENABLED(CONFIG_MPTCP_IPV6) + /* In struct mptcp_subflow_request_sock, we assume the TCP request sock +@@ -2180,6 +2184,10 @@ void __init mptcp_subflow_init(void) + tcpv6_prot_override = tcpv6_prot; + tcpv6_prot_override.release_cb = tcp_release_cb_override; + tcpv6_prot_override.diag_destroy = tcp_abort_override; ++#ifdef CONFIG_BPF_SYSCALL ++ /* Disable sockmap processing for subflows */ ++ tcpv6_prot_override.psock_update_sk_prot = NULL; ++#endif + #endif + + mptcp_diag_subflow_init(&subflow_ulp_ops); diff --git a/queue-6.17/mptcp-fix-proto-fallback-detection-with-bpf.patch b/queue-6.17/mptcp-fix-proto-fallback-detection-with-bpf.patch new file mode 100644 index 0000000000..d956e063d6 --- /dev/null +++ b/queue-6.17/mptcp-fix-proto-fallback-detection-with-bpf.patch 
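Review bot: The comment `/* Disable sockmap processing for subflows */` added in `mptcp_subflow_init()` says what the assignment does but not what it relies on. Going by the commit message, the protection only holds because sockmap refuses a socket whose proto has no `psock_update_sk_prot`; I would spell that out, e.g. `/* sockmap rejects protos without psock_update_sk_prot; a subflow carries only part of the MPTCP stream and must not have its sk_prot replaced */`. The same applies to the `tcpv6_prot_override` assignment in the second hunk. `mptcp_subflow_init()` starts and ends outside both hunks.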
@@ -0,0 +1,92 @@ +From c77b3b79a92e3345aa1ee296180d1af4e7031f8f Mon Sep 17 00:00:00 2001 +From: Jiayuan Chen +Date: Tue, 11 Nov 2025 14:02:51 +0800 +Subject: mptcp: Fix proto fallback detection with BPF + +From: Jiayuan Chen + +commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f upstream. + +The sockmap feature allows bpf syscall from userspace, or based +on bpf sockops, replacing the sk_prot of sockets during protocol stack +processing with sockmap's custom read/write interfaces. +''' +tcp_rcv_state_process() + syn_recv_sock()/subflow_syn_recv_sock() + tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) + bpf_skops_established <== sockops + bpf_sock_map_update(sk) <== call bpf helper + tcp_bpf_update_proto() <== update sk_prot +''' + +When the server has MPTCP enabled but the client sends a TCP SYN +without MPTCP, subflow_syn_recv_sock() performs a fallback on the +subflow, replacing the subflow sk's sk_prot with the native sk_prot. +''' +subflow_syn_recv_sock() + subflow_ulp_fallback() + subflow_drop_ctx() + mptcp_subflow_ops_undo_override() +''' + +Then, this subflow can be normally used by sockmap, which replaces the +native sk_prot with sockmap's custom sk_prot. The issue occurs when the +user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). +Here, it uses sk->sk_prot to compare with the native sk_prot, but this +is incorrect when sockmap is used, as we may incorrectly set +sk->sk_socket->ops. + +This fix uses the more generic sk_family for the comparison instead. + +Additionally, this also prevents a WARNING from occurring: + +result from ./scripts/decode_stacktrace.sh: +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ +(net/mptcp/protocol.c:4005) +Modules linked in: +... 
+ +PKRU: 55555554 +Call Trace: + +do_accept (net/socket.c:1989) +__sys_accept4 (net/socket.c:2028 net/socket.c:2057) +__x64_sys_accept (net/socket.c:2067) +x64_sys_call (arch/x86/entry/syscall_64.c:41) +do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +RIP: 0033:0x7f87ac92b83d + +---[ end trace 0000000000000000 ]--- + +Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash") +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: Jakub Sitnicki +Reviewed-by: Matthieu Baerts (NGI0) +Cc: +Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -60,11 +60,13 @@ static u64 mptcp_wnd_end(const struct mp + + static const struct proto_ops *mptcp_fallback_tcp_ops(const struct sock *sk) + { ++ unsigned short family = READ_ONCE(sk->sk_family); ++ + #if IS_ENABLED(CONFIG_MPTCP_IPV6) +- if (sk->sk_prot == &tcpv6_prot) ++ if (family == AF_INET6) + return &inet6_stream_ops; + #endif +- WARN_ON_ONCE(sk->sk_prot != &tcp_prot); ++ WARN_ON_ONCE(family != AF_INET); + return &inet_stream_ops; + } + diff --git a/queue-6.17/mptcp-fix-race-condition-in-mptcp_schedule_work.patch b/queue-6.17/mptcp-fix-race-condition-in-mptcp_schedule_work.patch new file mode 100644 index 0000000000..dd9ade8884 --- /dev/null +++ b/queue-6.17/mptcp-fix-race-condition-in-mptcp_schedule_work.patch 
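Review bot: `mptcp_fallback_tcp_ops()` now keys on `sk->sk_family`, but nothing in the function says why `sk->sk_prot` is no longer compared, so a later cleanup could reintroduce the pointer check. A comment above the `READ_ONCE()` line would do, e.g. `/* sk_prot may have been replaced by sockmap; sk_family still identifies the native ops */`. With `CONFIG_MPTCP_IPV6` disabled, an `AF_INET6` socket still falls through to the `WARN_ON_ONCE()` and gets `inet_stream_ops`, as before; that is presumably unreachable, but the same comment could say so.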
@@ -0,0 +1,96 @@ +From 035bca3f017ee9dea3a5a756e77a6f7138cc6eea Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 13 Nov 2025 10:39:24 +0000 +Subject: mptcp: fix race condition in mptcp_schedule_work() + +From: Eric Dumazet + +commit 035bca3f017ee9dea3a5a756e77a6f7138cc6eea upstream. + +syzbot reported use-after-free in mptcp_schedule_work() [1] + +Issue here is that mptcp_schedule_work() schedules a work, +then gets a refcount on sk->sk_refcnt if the work was scheduled. +This refcount will be released by mptcp_worker(). + +[A] if (schedule_work(...)) { +[B] sock_hold(sk); + return true; + } + +Problem is that mptcp_worker() can run immediately and complete before [B] + +We need instead : + + sock_hold(sk); + if (schedule_work(...)) + return true; + sock_put(sk); + +[1] +refcount_t: addition on 0; use-after-free. + WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 +Call Trace: + + __refcount_add include/linux/refcount.h:-1 [inline] + __refcount_inc include/linux/refcount.h:366 [inline] + refcount_inc include/linux/refcount.h:383 [inline] + sock_hold include/net/sock.h:816 [inline] + mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943 + mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316 + call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 + expire_timers kernel/time/timer.c:1798 [inline] + __run_timers kernel/time/timer.c:2372 [inline] + __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 + run_timer_base kernel/time/timer.c:2393 [inline] + run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 + handle_softirqs+0x22f/0x710 kernel/softirq.c:622 + __do_softirq kernel/softirq.c:656 [inline] + run_ktimerd+0xcf/0x190 kernel/softirq.c:1138 + smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Cc: stable@vger.kernel.org +Fixes: 3b1d6210a957 ("mptcp: 
implement and use MPTCP-level retransmission") +Reported-by: syzbot+355158e7e301548a1424@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6915b46f.050a0220.3565dc.0028.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251113103924.3737425-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -895,14 +895,19 @@ static void mptcp_reset_rtx_timer(struct + + bool mptcp_schedule_work(struct sock *sk) + { +- if (inet_sk_state_load(sk) != TCP_CLOSE && +- schedule_work(&mptcp_sk(sk)->work)) { +- /* each subflow already holds a reference to the sk, and the +- * workqueue is invoked by a subflow, so sk can't go away here. +- */ +- sock_hold(sk); ++ if (inet_sk_state_load(sk) == TCP_CLOSE) ++ return false; ++ ++ /* Get a reference on this socket, mptcp_worker() will release it. ++ * As mptcp_worker() might complete before us, we can not avoid ++ * a sock_hold()/sock_put() if schedule_work() returns false. ++ */ ++ sock_hold(sk); ++ ++ if (schedule_work(&mptcp_sk(sk)->work)) + return true; +- } ++ ++ sock_put(sk); + return false; + } + diff --git a/queue-6.17/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch b/queue-6.17/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch new file mode 100644 index 0000000000..bf6a7245c4 --- /dev/null +++ b/queue-6.17/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch 
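Review bot: The new failure path in `mptcp_schedule_work()` calls `sock_put(sk)`, and the rewritten comment no longer states what the removed one did: that the caller already holds a reference on `sk`. Without that guarantee the `sock_put()` could drop the last reference while the caller is still using the socket. I would keep the precondition in the comment, e.g. by appending `The caller must hold its own reference on sk, so the sock_put() below never frees it.` This is hedged, since the callers are outside the hunk.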
@@ -0,0 +1,43 @@
+From 5c56bf214af85ca042bf97f8584aab2151035840 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara
+Date: Thu, 23 Oct 2025 11:32:01 +0800
+Subject: mtd: rawnand: cadence: fix DMA device NULL pointer dereference
+
+From: Niravkumar L Rabara
+
+commit 5c56bf214af85ca042bf97f8584aab2151035840 upstream.
+
+The DMA device pointer `dma_dev` was being dereferenced before ensuring
+that `cdns_ctrl->dmac` is properly initialized.
+
+Move the assignment of `dma_dev` after successfully acquiring the DMA
+channel to ensure the pointer is valid before use.
+
+Fixes: d76d22b5096c ("mtd: rawnand: cadence: use dma_map_resource for sdma address")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -2871,7 +2871,7 @@ cadence_nand_irq_cleanup(int irqnum, str
+ static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl)
+ {
+ dma_cap_mask_t mask;
+- struct dma_device *dma_dev = cdns_ctrl->dmac->device;
++ struct dma_device *dma_dev;
+ int ret;
+
+ cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev,
+@@ -2915,6 +2915,7 @@ static int cadence_nand_init(struct cdns
+ }
+ }
+
++ dma_dev = cdns_ctrl->dmac->device;
+ cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
+ cdns_ctrl->io.size,
+ DMA_BIDIRECTIONAL, 0);
diff --git a/queue-6.17/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch b/queue-6.17/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch
new file mode 100644
index 0000000000..8eafc3a6df
--- /dev/null
+++ b/queue-6.17/mtdchar-fix-integer-overflow-in-read-write-ioctls.patch
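Review bot: The moved assignment `dma_dev = cdns_ctrl->dmac->device;` still dereferences `cdns_ctrl->dmac` unconditionally. The two closing braces just above it in the second hunk suggest the channel is requested inside a conditional block that is not shown; if any path reaches this line without a channel having been acquired, the NULL dereference the commit describes is still there. I would either make the assignment and the `dma_map_resource()` call conditional on `cdns_ctrl->dmac`, or add a comment stating why it cannot be NULL at this point. `cadence_nand_init()` continues outside both hunks.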
@@ -0,0 +1,62 @@ +From e4185bed738da755b191aa3f2e16e8b48450e1b8 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 30 Sep 2025 15:32:34 +0300 +Subject: mtdchar: fix integer overflow in read/write ioctls + +From: Dan Carpenter + +commit e4185bed738da755b191aa3f2e16e8b48450e1b8 upstream. + +The "req.start" and "req.len" variables are u64 values that come from the +user at the start of the function. We mask away the high 32 bits of +"req.len" so that's capped at U32_MAX but the "req.start" variable can go +up to U64_MAX which means that the addition can still integer overflow. + +Use check_add_overflow() to fix this bug. + +Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl") +Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/mtdchar.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/mtdchar.c ++++ b/drivers/mtd/mtdchar.c +@@ -599,6 +599,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd + uint8_t *datbuf = NULL, *oobbuf = NULL; + size_t datbuf_len, oobbuf_len; + int ret = 0; ++ u64 end; + + if (copy_from_user(&req, argp, sizeof(req))) + return -EFAULT; +@@ -618,7 +619,7 @@ mtdchar_write_ioctl(struct mtd_info *mtd + req.len &= 0xffffffff; + req.ooblen &= 0xffffffff; + +- if (req.start + req.len > mtd->size) ++ if (check_add_overflow(req.start, req.len, &end) || end > mtd->size) + return -EINVAL; + + datbuf_len = min_t(size_t, req.len, mtd->erasesize); +@@ -698,6 +699,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd, + size_t datbuf_len, oobbuf_len; + size_t orig_len, orig_ooblen; + int ret = 0; ++ u64 end; + + if (copy_from_user(&req, argp, sizeof(req))) + return -EFAULT; +@@ -724,7 +726,7 @@ mtdchar_read_ioctl(struct mtd_info *mtd, + req.len &= 0xffffffff; + req.ooblen &= 0xffffffff; + +- if (req.start + req.len > mtd->size) { ++ if (check_add_overflow(req.start, 
req.len, &end) || end > mtd->size) { + ret = -EINVAL; + goto out; + } diff --git a/queue-6.17/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch b/queue-6.17/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch new file mode 100644 index 0000000000..295ad03ee8 --- /dev/null +++ b/queue-6.17/net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch 
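Review bot: The identical bound check `check_add_overflow(req.start, req.len, &end) || end > mtd->size` is now open-coded in both `mtdchar_write_ioctl()` and `mtdchar_read_ioctl()` with no comment on why plain addition is not enough. Since both `req.start` and `req.len` arrive through `copy_from_user()`, a one-line comment such as `/* req.start is a user-supplied u64, so start + len can wrap below mtd->size */` would record the reason. A small shared helper taking `mtd`, `start` and `len` would also keep the two ioctls from diverging again. Both functions start and end outside their hunks.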
@@ -0,0 +1,48 @@
+From 3ceb6ac2116ecda1c5d779bb73271479e70fccb4 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Fri, 14 Nov 2025 10:09:51 +0100
+Subject: net: dsa: microchip: lan937x: Fix RGMII delay tuning
+
+From: Oleksij Rempel
+
+commit 3ceb6ac2116ecda1c5d779bb73271479e70fccb4 upstream.
+
+Correct RGMII delay application logic in lan937x_set_tune_adj().
+
+The function was missing `data16 &= ~PORT_TUNE_ADJ` before setting the
+new delay value. This caused the new value to be bitwise-OR'd with the
+existing PORT_TUNE_ADJ field instead of replacing it.
+
+For example, when setting the RGMII 2 TX delay on port 4, the
+intended TUNE_ADJUST value of 0 (RGMII_2_TX_DELAY_2NS) was
+incorrectly OR'd with the default 0x1B (from register value 0xDA3),
+leaving the delay at the wrong setting.
+
+This patch adds the missing mask to clear the field, ensuring the
+correct delay value is written. Physical measurements on the RGMII TX
+lines confirm the fix, showing the delay changing from ~1ns (before
+change) to ~2ns.
+
+While testing on i.MX 8MP showed this was within the platform's timing
+tolerance, it did not match the intended hardware-characterized value.
+
+Fixes: b19ac41faa3f ("net: dsa: microchip: apply rgmii tx and rx delay in phylink mac config")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel
+Link: https://patch.msgid.link/20251114090951.4057261-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/microchip/lan937x_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/dsa/microchip/lan937x_main.c
++++ b/drivers/net/dsa/microchip/lan937x_main.c
+@@ -540,6 +540,7 @@ static void lan937x_set_tune_adj(struct
+ ksz_pread16(dev, port, reg, &data16);
+
+ /* Update tune Adjust */
++ data16 &= ~PORT_TUNE_ADJ;
+ data16 |= FIELD_PREP(PORT_TUNE_ADJ, val);
+ ksz_pwrite16(dev, port, reg, data16);
+
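Review bot: The read-modify-write in `lan937x_set_tune_adj()` uses `data16` straight after `ksz_pread16(dev, port, reg, &data16);` without looking at that call's result. If the read can fail (its return value is not used in the visible lines), the added `data16 &= ~PORT_TUNE_ADJ;` clears one field, but the remaining bits written back by `ksz_pwrite16()` are whatever `data16` happened to hold. Checking the read and skipping the write on error would avoid that. The declaration of `data16` and the rest of the function are outside the hunk.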
diff --git a/queue-6.17/nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch b/queue-6.17/nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch
new file mode 100644
index 0000000000..294b77b1d3
--- /dev/null
+++ b/queue-6.17/nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch
@@ -0,0 +1,36 @@
+From 949f1fd2225baefbea2995afa807dba5cbdb6bd3 Mon Sep 17 00:00:00 2001
+From: Nam Cao
+Date: Mon, 17 Nov 2025 08:42:31 +0000
+Subject: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot
+
+From: Nam Cao
+
+commit 949f1fd2225baefbea2995afa807dba5cbdb6bd3 upstream.
+
+nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a
+kmemleak warning.
+
+Make sure this data is deallocated.
+
+Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs")
+Signed-off-by: Nam Cao
+Cc: stable@vger.kernel.org
+Reviewed-by: Lyude Paul
+Signed-off-by: Lyude Paul
+Link: https://patch.msgid.link/20251117084231.2910561-1-namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
++++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
+@@ -159,6 +159,8 @@ nvkm_falcon_fw_dtor(struct nvkm_falcon_f
+ nvkm_memory_unref(&fw->inst);
+ nvkm_falcon_fw_dtor_sigs(fw);
+ nvkm_firmware_dtor(&fw->fw);
++ kfree(fw->boot);
++ fw->boot = NULL;
+ }
+
+ static const struct nvkm_firmware_func
diff --git a/queue-6.17/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch b/queue-6.17/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
new file mode 100644
index 0000000000..47720fe8b9
--- /dev/null
+++ b/queue-6.17/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
@@ -0,0 +1,90 @@ +From 0a2c5495b6d1ecb0fa18ef6631450f391a888256 Mon Sep 17 00:00:00 2001 +From: "Ewan D. Milne" +Date: Mon, 10 Nov 2025 16:20:01 -0500 +Subject: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() + +From: Ewan D. Milne + +commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream. + +nvme_fc_delete_assocation() waits for pending I/O to complete before +returning, and an error can cause ->ioerr_work to be queued after +cancel_work_sync() had been called. Move the call to cancel_work_sync() to +be after nvme_fc_delete_association() to ensure ->ioerr_work is not running +when the nvme_fc_ctrl object is freed. Otherwise the following can occur: + +[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL +[ 1135.917705] ------------[ cut here ]------------ +[ 1135.922336] kernel BUG at lib/list_debug.c:52! +[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI +[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) +[ 1135.943490] Hardware name: Dell Inc. 
PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 +[ 1135.950969] Workqueue: 0x0 (nvme-wq) +[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b +[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 +[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 +[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 +[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 +[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 +[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 +[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 +[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 +[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +[ 1136.055910] PKRU: 55555554 +[ 1136.058623] Call Trace: +[ 1136.061074] +[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 +[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 +[ 1136.071898] ? move_linked_works+0x4a/0xa0 +[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1136.081744] ? __die_body.cold+0x8/0x12 +[ 1136.085584] ? die+0x2e/0x50 +[ 1136.088469] ? do_trap+0xca/0x110 +[ 1136.091789] ? do_error_trap+0x65/0x80 +[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1136.101289] ? exc_invalid_op+0x50/0x70 +[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 +[ 1136.115059] ? 
__list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1136.120806] move_linked_works+0x4a/0xa0 +[ 1136.124733] worker_thread+0x216/0x3a0 +[ 1136.128485] ? __pfx_worker_thread+0x10/0x10 +[ 1136.132758] kthread+0xfa/0x240 +[ 1136.135904] ? __pfx_kthread+0x10/0x10 +[ 1136.139657] ret_from_fork+0x31/0x50 +[ 1136.143236] ? __pfx_kthread+0x10/0x10 +[ 1136.146988] ret_from_fork_asm+0x1a/0x30 +[ 1136.150915] + +Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context") +Cc: stable@vger.kernel.org +Tested-by: Marco Patalano +Reviewed-by: Justin Tee +Signed-off-by: Ewan D. Milne +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3253,7 +3253,6 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc + { + struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl); + +- cancel_work_sync(&ctrl->ioerr_work); + cancel_delayed_work_sync(&ctrl->connect_work); + + /* +@@ -3261,6 +3260,7 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc + * waiting for io to terminate + */ + nvme_fc_delete_association(ctrl); ++ cancel_work_sync(&ctrl->ioerr_work); + + if (ctrl->ctrl.tagset) + nvme_remove_io_tag_set(&ctrl->ctrl); diff --git a/queue-6.17/nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch b/queue-6.17/nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch new file mode 100644 index 0000000000..e9af758e0a --- /dev/null +++ b/queue-6.17/nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch 
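Review bot: The new position of `cancel_work_sync(&ctrl->ioerr_work)` is only safe if nothing can queue ->ioerr_work once nvme_fc_delete_association() has returned, and the hunk does not show that. cancel_work_sync() waits for a queued or running instance but does not prevent a later queue_work(), so a late error report after this line would leave the work pending when the nvme_fc_ctrl object is freed. If that cannot be ruled out, `disable_work_sync(&ctrl->ioerr_work);` states the intent more strongly. At minimum a comment above the call, such as `/* I/O errors during teardown can queue ->ioerr_work; cancel only after the association is gone */`, would stop the ordering from being tidied back. nvme_fc_delete_ctrl() continues outside the hunk.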
@@ -0,0 +1,78 @@ +From ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 Mon Sep 17 00:00:00 2001 +From: "Ewan D. Milne" +Date: Mon, 10 Nov 2025 16:20:00 -0500 +Subject: nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() + +From: Ewan D. Milne + +commit ea3442efabd0aa3930c5bab73c3901ef38ef6ac3 upstream. + +Now target is removed from nvme_fc_ctrl_free() which is the ctrl->ref +release handler. And even admin queue is unquiesced there, this way +is definitely wrong because the ctr->ref is grabbed when submitting +command. + +And Marco observed that nvme_fc_ctrl_free() can be called from request +completion code path, and trigger kernel warning since request completes +from softirq context. + +Fix the issue by moveing target removal into nvme_fc_delete_ctrl(), +which is also aligned with nvme-tcp and nvme-rdma. + +Patch originally proposed by Ming Lei, then modified to move the tagset +removal down to after nvme_fc_delete_association() after further testing. + +Cc: Marco Patalano +Cc: Ewan Milne +Cc: James Smart +Cc: Sagi Grimberg +Signed-off-by: Ming Lei +Cc: stable@vger.kernel.org +Tested-by: Marco Patalano +Reviewed-by: Justin Tee +Signed-off-by: Ewan D. 
Milne +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fc.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2355,17 +2355,11 @@ nvme_fc_ctrl_free(struct kref *ref) + container_of(ref, struct nvme_fc_ctrl, ref); + unsigned long flags; + +- if (ctrl->ctrl.tagset) +- nvme_remove_io_tag_set(&ctrl->ctrl); +- + /* remove from rport list */ + spin_lock_irqsave(&ctrl->rport->lock, flags); + list_del(&ctrl->ctrl_list); + spin_unlock_irqrestore(&ctrl->rport->lock, flags); + +- nvme_unquiesce_admin_queue(&ctrl->ctrl); +- nvme_remove_admin_tag_set(&ctrl->ctrl); +- + kfree(ctrl->queues); + + put_device(ctrl->dev); +@@ -3261,11 +3255,18 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc + + cancel_work_sync(&ctrl->ioerr_work); + cancel_delayed_work_sync(&ctrl->connect_work); ++ + /* + * kill the association on the link side. this will block + * waiting for io to terminate + */ + nvme_fc_delete_association(ctrl); ++ ++ if (ctrl->ctrl.tagset) ++ nvme_remove_io_tag_set(&ctrl->ctrl); ++ ++ nvme_unquiesce_admin_queue(&ctrl->ctrl); ++ nvme_remove_admin_tag_set(&ctrl->ctrl); + } + + static void diff --git a/queue-6.17/platform-x86-alienware-wmi-wmax-add-awcc-support-to-alienware-16-aurora.patch b/queue-6.17/platform-x86-alienware-wmi-wmax-add-awcc-support-to-alienware-16-aurora.patch new file mode 100644 index 0000000000..03c16d770e --- /dev/null +++ b/queue-6.17/platform-x86-alienware-wmi-wmax-add-awcc-support-to-alienware-16-aurora.patch 
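Review bot: With the tag-set teardown removed from nvme_fc_ctrl_free(), any path that drops the last ctrl->ref without first going through nvme_fc_delete_ctrl() would reach `kfree(ctrl->queues)` while the admin and I/O tag sets are still allocated. Whether such a path exists, for example on a controller-creation error, cannot be told from these two hunks because both functions start outside them, so it is worth confirming before relying on the move. A comment in the release handler, `/* tag sets are removed in nvme_fc_delete_ctrl(); this may run from request completion */`, would record why the calls must not come back here.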
@@ -0,0 +1,42 @@ +From 6f91ad24c6639220f2edb0ad8edb199b43cc3b22 Mon Sep 17 00:00:00 2001 +From: Anthony Wong +Date: Mon, 17 Nov 2025 02:53:11 +0800 +Subject: platform/x86: alienware-wmi-wmax: Add AWCC support to Alienware 16 Aurora +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anthony Wong + +commit 6f91ad24c6639220f2edb0ad8edb199b43cc3b22 upstream. + +Add AWCC support to Alienware 16 Aurora + +Cc: stable@vger.kernel.org +Signed-off-by: Anthony Wong +Reviewed-by: Kurt Borja +Link: https://patch.msgid.link/20251116185311.18074-1-anthony.wong@canonical.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell/alienware-wmi-wmax.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c ++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c +@@ -90,6 +90,14 @@ static struct awcc_quirks empty_quirks; + + static const struct dmi_system_id awcc_dmi_table[] __initconst = { + { ++ .ident = "Alienware 16 Aurora", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware 16 Aurora"), ++ }, ++ .driver_data = &g_series_quirks, ++ }, ++ { + .ident = "Alienware Area-51m", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), diff --git a/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-g-family.patch b/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-g-family.patch new file mode 100644 index 0000000000..359812a5d1 --- /dev/null +++ b/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-g-family.patch 
@@ -0,0 +1,109 @@ +From a6003d90f02863898babbcb3f55b1cd33f7867c2 Mon Sep 17 00:00:00 2001 +From: Kurt Borja +Date: Mon, 3 Nov 2025 14:01:48 -0500 +Subject: platform/x86: alienware-wmi-wmax: Add support for the whole "G" family +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kurt Borja + +commit a6003d90f02863898babbcb3f55b1cd33f7867c2 upstream. + +Add support for the whole "Dell G" laptop family. + +Cc: stable@vger.kernel.org +Signed-off-by: Kurt Borja +Link: https://patch.msgid.link/20251103-family-supp-v1-5-a241075d1787@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell/alienware-wmi-wmax.c | 56 +++---------------------- + 1 file changed, 8 insertions(+), 48 deletions(-) + +--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c ++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c +@@ -170,74 +170,34 @@ static const struct dmi_system_id awcc_d + .driver_data = &generic_quirks, + }, + { +- .ident = "Dell Inc. G15 5510", ++ .ident = "Dell Inc. G15", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5510"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15"), + }, + .driver_data = &g_series_quirks, + }, + { +- .ident = "Dell Inc. G15 5511", ++ .ident = "Dell Inc. G16", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5511"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Dell G16"), + }, + .driver_data = &g_series_quirks, + }, + { +- .ident = "Dell Inc. G15 5515", ++ .ident = "Dell Inc. G3", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5515"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "G3"), + }, + .driver_data = &g_series_quirks, + }, + { +- .ident = "Dell Inc. G15 5530", ++ .ident = "Dell Inc. 
G5", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5530"), +- }, +- .driver_data = &g_series_quirks, +- }, +- { +- .ident = "Dell Inc. G16 7630", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Dell G16 7630"), +- }, +- .driver_data = &g_series_quirks, +- }, +- { +- .ident = "Dell Inc. G3 3500", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "G3 3500"), +- }, +- .driver_data = &g_series_quirks, +- }, +- { +- .ident = "Dell Inc. G3 3590", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "G3 3590"), +- }, +- .driver_data = &g_series_quirks, +- }, +- { +- .ident = "Dell Inc. G5 5500", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "G5 5500"), +- }, +- .driver_data = &g_series_quirks, +- }, +- { +- .ident = "Dell Inc. G5 5505", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "G5 5505"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "G5"), + }, + .driver_data = &g_series_quirks, + }, diff --git a/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-m-family.patch b/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-m-family.patch new file mode 100644 index 0000000000..a595d790aa --- /dev/null +++ b/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-m-family.patch 
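Review bot: `DMI_MATCH(DMI_PRODUCT_NAME, "G3")` and `DMI_MATCH(DMI_PRODUCT_NAME, "G5")` are substring matches, so under vendor "Dell Inc." they select g_series_quirks for every product name that merely contains those two characters, not only the G3 and G5 laptops. The "Dell G15" and "Dell G16" entries here, and the family entries in the "M" and "X" patches further down, rely on the same substring behaviour but use longer, less ambiguous strings. If the firmware strings allow it, a longer anchor would narrow the match; otherwise a comment such as `/* DMI_MATCH() is a substring match: intended to cover every "G3 <model>" name */` would at least make the breadth deliberate. The awcc_dmi_table initializer starts and ends outside the hunk.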
@@ -0,0 +1,70 @@ +From e8c3c875e1017c04c594f0e6127ba82095b1cb87 Mon Sep 17 00:00:00 2001 +From: Kurt Borja +Date: Mon, 3 Nov 2025 14:01:46 -0500 +Subject: platform/x86: alienware-wmi-wmax: Add support for the whole "M" family +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kurt Borja + +commit e8c3c875e1017c04c594f0e6127ba82095b1cb87 upstream. + +Add support for the whole "Alienware M" laptop family. + +Cc: stable@vger.kernel.org +Signed-off-by: Kurt Borja +Link: https://patch.msgid.link/20251103-family-supp-v1-3-a241075d1787@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell/alienware-wmi-wmax.c | 20 ++++++-------------- + 1 file changed, 6 insertions(+), 14 deletions(-) + +--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c ++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c +@@ -106,18 +106,10 @@ static const struct dmi_system_id awcc_d + .driver_data = &generic_quirks, + }, + { +- .ident = "Alienware m15 R5", ++ .ident = "Alienware m15", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m15 R5"), +- }, +- .driver_data = &generic_quirks, +- }, +- { +- .ident = "Alienware m15 R7", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m15 R7"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m15"), + }, + .driver_data = &generic_quirks, + }, +@@ -146,18 +138,18 @@ static const struct dmi_system_id awcc_d + .driver_data = &generic_quirks, + }, + { +- .ident = "Alienware m17 R5", ++ .ident = "Alienware m17", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m17 R5 AMD"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m17"), + }, + .driver_data = &generic_quirks, + }, + { +- .ident = "Alienware m18 R2", ++ .ident = "Alienware m18", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), +- 
DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m18 R2"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m18"), + }, + .driver_data = &generic_quirks, + }, diff --git a/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-x-family.patch b/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-x-family.patch new file mode 100644 index 0000000000..eb3e77ef27 --- /dev/null +++ b/queue-6.17/platform-x86-alienware-wmi-wmax-add-support-for-the-whole-x-family.patch 
@@ -0,0 +1,57 @@ +From 21ebfff1cf4727bc325c89b94ed93741f870744f Mon Sep 17 00:00:00 2001 +From: Kurt Borja +Date: Mon, 3 Nov 2025 14:01:47 -0500 +Subject: platform/x86: alienware-wmi-wmax: Add support for the whole "X" family +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kurt Borja + +commit 21ebfff1cf4727bc325c89b94ed93741f870744f upstream. + +Add support for the whole "Alienware X" laptop family. + +Cc: stable@vger.kernel.org +Signed-off-by: Kurt Borja +Link: https://patch.msgid.link/20251103-family-supp-v1-4-a241075d1787@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell/alienware-wmi-wmax.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c ++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c +@@ -154,26 +154,18 @@ static const struct dmi_system_id awcc_d + .driver_data = &generic_quirks, + }, + { +- .ident = "Alienware x15 R1", ++ .ident = "Alienware x15", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x15 R1"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x15"), + }, + .driver_data = &generic_quirks, + }, + { +- .ident = "Alienware x15 R2", ++ .ident = "Alienware x17", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x15 R2"), +- }, +- .driver_data = &generic_quirks, +- }, +- { +- .ident = "Alienware x17 R2", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x17 R2"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware x17"), + }, + .driver_data = &generic_quirks, + }, diff --git a/queue-6.17/platform-x86-alienware-wmi-wmax-fix-alienware-m16-r1-amd-quirk-order.patch b/queue-6.17/platform-x86-alienware-wmi-wmax-fix-alienware-m16-r1-amd-quirk-order.patch new file mode 100644 index 0000000000..f5f235fac7 
--- /dev/null
+++ b/queue-6.17/platform-x86-alienware-wmi-wmax-fix-alienware-m16-r1-amd-quirk-order.patch
@@ -0,0 +1,56 @@
+From bd4f9f113dda07293ed4002a17d14f62121d324f Mon Sep 17 00:00:00 2001
+From: Kurt Borja
+Date: Mon, 3 Nov 2025 14:01:44 -0500
+Subject: platform/x86: alienware-wmi-wmax: Fix "Alienware m16 R1 AMD" quirk order
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja
+
+commit bd4f9f113dda07293ed4002a17d14f62121d324f upstream.
+
+Quirks are matched using dmi_first_match(), therefore move the
+"Alienware m16 R1 AMD" entry above other m16 entries.
+
+Reported-by: Cihan Ozakca
+Fixes: e2468dc70074 ("Revert "platform/x86: alienware-wmi-wmax: Add G-Mode support to Alienware m16 R1"")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kurt Borja
+Link: https://patch.msgid.link/20251103-family-supp-v1-1-a241075d1787@gmail.com
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/dell/alienware-wmi-wmax.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c
++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c
+@@ -122,20 +122,20 @@ static const struct dmi_system_id awcc_d
+ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware m16 R1",
++ .ident = "Alienware m16 R1 AMD",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1 AMD"),
+ },
+- .driver_data = &g_series_quirks,
++ .driver_data = &generic_quirks,
+ },
+ {
+- .ident = "Alienware m16 R1 AMD",
++ .ident = "Alienware m16 R1",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1 AMD"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1"),
+ },
+- .driver_data = &generic_quirks,
++ .driver_data = &g_series_quirks,
+ },
+ {
+ .ident = "Alienware m16 R2",
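Review bot: Nothing in the table records that the "Alienware m16 R1 AMD" entry has to stay ahead of "Alienware m16 R1", so a later re-sort or insertion would silently bring the wrong-quirk match back. The order matters because the shorter product string is a substring of the longer one and the first matching entry wins. A comment on the AMD entry, `/* Keep before "Alienware m16 R1": dmi_first_match() returns the first substring match */`, would make the constraint visible in the code rather than only in the commit message. The awcc_dmi_table initializer starts and ends outside the hunk.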
diff --git a/queue-6.17/pm-sleep-core-fix-runtime-pm-enabling-in-device_resume_early.patch b/queue-6.17/pm-sleep-core-fix-runtime-pm-enabling-in-device_resume_early.patch new file mode 100644 index 0000000000..ff4e4176ea --- /dev/null +++ b/queue-6.17/pm-sleep-core-fix-runtime-pm-enabling-in-device_resume_early.patch 
@@ -0,0 +1,117 @@ +From f384497a76ed9539f70f6e8fe81a193441c943d2 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 18 Nov 2025 15:16:04 +0100 +Subject: PM: sleep: core: Fix runtime PM enabling in device_resume_early() + +From: Rafael J. Wysocki + +commit f384497a76ed9539f70f6e8fe81a193441c943d2 upstream. + +Runtime PM should only be enabled in device_resume_early() if it has +been disabled for the given device by device_suspend_late(). Otherwise, +it may cause runtime PM callbacks to run prematurely in some cases +which leads to further functional issues. + +Make two changes to address this problem. + +First, reorder device_suspend_late() to only disable runtime PM for a +device when it is going to look for the device's callback or if the +device is a "syscore" one. In all of the other cases, disabling runtime +PM for the device is not in fact necessary. However, if the device's +callback returns an error and the power.is_late_suspended flag is not +going to be set, enable runtime PM so it only remains disabled when +power.is_late_suspended is set. + +Second, make device_resume_early() only enable runtime PM for the +devices with the power.is_late_suspended flag set. + +Fixes: 443046d1ad66 ("PM: sleep: Make suspend of devices more asynchronous") +Reported-by: Rose Wu +Closes: https://lore.kernel.org/linux-pm/70b25dca6f8c2756d78f076f4a7dee7edaaffc33.camel@mediatek.com/ +Cc: 6.16+ # 6.16+ +Reviewed-by: Ulf Hansson +Signed-off-by: Rafael J. 
Wysocki +Link: https://patch.msgid.link/12784270.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/main.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index e83503bdc1fd..1de1cd72b616 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -888,12 +888,15 @@ static void device_resume_early(struct device *dev, pm_message_t state, bool asy + TRACE_DEVICE(dev); + TRACE_RESUME(0); + +- if (dev->power.syscore || dev->power.direct_complete) ++ if (dev->power.direct_complete) + goto Out; + + if (!dev->power.is_late_suspended) + goto Out; + ++ if (dev->power.syscore) ++ goto Skip; ++ + if (!dpm_wait_for_superior(dev, async)) + goto Out; + +@@ -926,11 +929,11 @@ static void device_resume_early(struct device *dev, pm_message_t state, bool asy + + Skip: + dev->power.is_late_suspended = false; ++ pm_runtime_enable(dev); + + Out: + TRACE_RESUME(error); + +- pm_runtime_enable(dev); + complete_all(&dev->power.completion); + + if (error) { +@@ -1615,12 +1618,6 @@ static void device_suspend_late(struct device *dev, pm_message_t state, bool asy + TRACE_DEVICE(dev); + TRACE_SUSPEND(0); + +- /* +- * Disable runtime PM for the device without checking if there is a +- * pending resume request for it. +- */ +- __pm_runtime_disable(dev, false); +- + dpm_wait_for_subordinate(dev, async); + + if (READ_ONCE(async_error)) +@@ -1631,9 +1628,18 @@ static void device_suspend_late(struct device *dev, pm_message_t state, bool asy + goto Complete; + } + +- if (dev->power.syscore || dev->power.direct_complete) ++ if (dev->power.direct_complete) + goto Complete; + ++ /* ++ * Disable runtime PM for the device without checking if there is a ++ * pending resume request for it. 
++ */ ++ __pm_runtime_disable(dev, false); ++ ++ if (dev->power.syscore) ++ goto Skip; ++ + if (dev->pm_domain) { + info = "late power domain "; + callback = pm_late_early_op(&dev->pm_domain->ops, state); +@@ -1664,6 +1670,7 @@ static void device_suspend_late(struct device *dev, pm_message_t state, bool asy + WRITE_ONCE(async_error, error); + dpm_save_failed_dev(dev_name(dev)); + pm_dev_err(dev, state, async ? " async late" : " late", error); ++ pm_runtime_enable(dev); + goto Complete; + } + dpm_propagate_wakeup_to_parent(dev); +-- +2.52.0 + diff --git a/queue-6.17/reset-imx8mp-audiomix-fix-bad-mask-values.patch b/queue-6.17/reset-imx8mp-audiomix-fix-bad-mask-values.patch new file mode 100644 index 0000000000..8b028149f6 --- /dev/null +++ b/queue-6.17/reset-imx8mp-audiomix-fix-bad-mask-values.patch 
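Review bot: After this change the pairing of `__pm_runtime_disable(dev, false)` in device_suspend_late() with `pm_runtime_enable(dev)` in device_resume_early() depends entirely on power.is_late_suspended, but no comment in either function states that invariant. Every exit taken after the disable must therefore either reach the Skip label or re-enable runtime PM itself; only the callback-error branch is visible doing so, and the rest of both functions lies outside the hunks. A comment next to the moved disable, `/* From here on, runtime PM stays disabled only if power.is_late_suspended ends up set */`, would give a future `goto Complete` added below it something to be checked against.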
@@ -0,0 +1,49 @@ +From 997c06330fd5c2e220b692f2a358986c6c8fd5a2 Mon Sep 17 00:00:00 2001 +From: Laurentiu Mihalcea +Date: Tue, 4 Nov 2025 04:02:54 -0800 +Subject: reset: imx8mp-audiomix: Fix bad mask values + +From: Laurentiu Mihalcea + +commit 997c06330fd5c2e220b692f2a358986c6c8fd5a2 upstream. + +As per the i.MX8MP TRM, section 14.2 "AUDIO_BLK_CTRL", table 14.2.3.1.1 +"memory map", the definition of the EARC control register shows that the +EARC controller software reset is controlled via bit 0, while the EARC PHY +software reset is controlled via bit 1. + +This means that the current definitions of IMX8MP_AUDIOMIX_EARC_RESET_MASK +and IMX8MP_AUDIOMIX_EARC_PHY_RESET_MASK are wrong since their values would +imply that the EARC controller software reset is controlled via bit 1 and +the EARC PHY software reset is controlled via bit 2. Fix them. + +Fixes: a83bc87cd30a ("reset: imx8mp-audiomix: Prepare the code for more reset bits") +Cc: stable@vger.kernel.org +Reviewed-by: Shengjiu Wang +Reviewed-by: Frank Li +Reviewed-by: Daniel Baluta +Signed-off-by: Laurentiu Mihalcea +Signed-off-by: Philipp Zabel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/reset/reset-imx8mp-audiomix.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/reset/reset-imx8mp-audiomix.c b/drivers/reset/reset-imx8mp-audiomix.c +index 6b357adfe646..eceb37ff5dc5 100644 +--- a/drivers/reset/reset-imx8mp-audiomix.c ++++ b/drivers/reset/reset-imx8mp-audiomix.c +@@ -14,8 +14,8 @@ + #include + + #define IMX8MP_AUDIOMIX_EARC_RESET_OFFSET 0x200 +-#define IMX8MP_AUDIOMIX_EARC_RESET_MASK BIT(1) +-#define IMX8MP_AUDIOMIX_EARC_PHY_RESET_MASK BIT(2) ++#define IMX8MP_AUDIOMIX_EARC_RESET_MASK BIT(0) ++#define IMX8MP_AUDIOMIX_EARC_PHY_RESET_MASK BIT(1) + + #define IMX8MP_AUDIOMIX_DSP_RUNSTALL_OFFSET 0x108 + #define IMX8MP_AUDIOMIX_DSP_RUNSTALL_MASK BIT(5) +-- +2.52.0 + 
diff --git a/queue-6.17/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch b/queue-6.17/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch new file mode 100644 index 0000000000..ccc6128cc1 --- /dev/null +++ b/queue-6.17/revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch 
@@ -0,0 +1,56 @@ +From 660b299bed2a2a55a1f9102d029549d0235f881c Mon Sep 17 00:00:00 2001 +From: Diogo Ivo +Date: Mon, 3 Nov 2025 14:14:15 +0000 +Subject: Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" + +From: Diogo Ivo + +commit 660b299bed2a2a55a1f9102d029549d0235f881c upstream. + +Commit b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a +known state") was introduced so that all power domains get initialized +to a known working state when booting and it does this by shutting them +down (including asserting resets and disabling clocks) before registering +each power domain with the genpd framework, leaving it to each driver to +later on power its needed domains. + +This caused the Google Pixel C to hang when booting due to a workaround +in the DSI driver introduced in commit b22fd0b9639e ("drm/tegra: dsi: +Clear enable register if powered by bootloader") meant to handle the case +where the bootloader enabled the DSI hardware module. The workaround relies +on reading a hardware register to determine the current status and after +b6bcbce33596 that now happens in a powered down state thus leading to +the boot hang. + +Fix this by reverting b22fd0b9639e since currently we are guaranteed +that the hardware will be fully reset by the time we start enabling the +DSI module. 
+ +Fixes: b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") +Cc: stable@vger.kernel.org +Signed-off-by: Diogo Ivo +Signed-off-by: Thierry Reding +Link: https://patch.msgid.link/20251103-diogo-smaug_ec_typec-v1-1-be656ccda391@tecnico.ulisboa.pt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/tegra/dsi.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -913,15 +913,6 @@ static void tegra_dsi_encoder_enable(str + u32 value; + int err; + +- /* If the bootloader enabled DSI it needs to be disabled +- * in order for the panel initialization commands to be +- * properly sent. +- */ +- value = tegra_dsi_readl(dsi, DSI_POWER_CONTROL); +- +- if (value & DSI_POWER_CONTROL_ENABLE) +- tegra_dsi_disable(dsi); +- + err = tegra_dsi_prepare(dsi); + if (err < 0) { + dev_err(dsi->dev, "failed to prepare: %d\n", err); diff --git a/queue-6.17/s390-mm-fix-__ptep_rdp-inline-assembly.patch b/queue-6.17/s390-mm-fix-__ptep_rdp-inline-assembly.patch new file mode 100644 index 0000000000..e3a1f724c5 --- /dev/null +++ b/queue-6.17/s390-mm-fix-__ptep_rdp-inline-assembly.patch 
@@ -0,0 +1,80 @@
+From 31475b88110c4725b4f9a79c3a0d9bbf97e69e1c Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Thu, 13 Nov 2025 13:21:47 +0100
+Subject: s390/mm: Fix __ptep_rdp() inline assembly
+
+From: Heiko Carstens
+
+commit 31475b88110c4725b4f9a79c3a0d9bbf97e69e1c upstream.
+
+When a zero ASCE is passed to the __ptep_rdp() inline assembly, the
+generated instruction should have the R3 field of the instruction set to
+zero. However the inline assembly is written incorrectly: for such cases a
+zero is loaded into a register allocated by the compiler and this register
+is then used by the instruction.
+
+This means that selected TLB entries may not be flushed since the specified
+ASCE does not match the one which was used when the selected TLB entries
+were created.
+
+Fix this by removing the asce and opt parameters of __ptep_rdp(), since
+all callers always pass zero, and use a hard-coded register zero for
+the R3 field.
+
+Fixes: 0807b856521f ("s390/mm: add support for RDP (Reset DAT-Protection)")
+Cc: stable@vger.kernel.org
+Reviewed-by: Gerald Schaefer
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/pgtable.h | 12 +++++-------
+ arch/s390/mm/pgtable.c | 4 ++--
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/arch/s390/include/asm/pgtable.h
++++ b/arch/s390/include/asm/pgtable.h
+@@ -1154,17 +1154,15 @@ static inline pte_t pte_mkhuge(pte_t pte
+ #define IPTE_NODAT 0x400
+ #define IPTE_GUEST_ASCE 0x800
+
+-static __always_inline void __ptep_rdp(unsigned long addr, pte_t *ptep,
+- unsigned long opt, unsigned long asce,
+- int local)
++static __always_inline void __ptep_rdp(unsigned long addr, pte_t *ptep, int local)
+ {
+ unsigned long pto;
+
+ pto = __pa(ptep) & ~(PTRS_PER_PTE * sizeof(pte_t) - 1);
+- asm volatile(".insn rrf,0xb98b0000,%[r1],%[r2],%[asce],%[m4]"
++ asm volatile(".insn rrf,0xb98b0000,%[r1],%[r2],%%r0,%[m4]"
+ : "+m" (*ptep)
+- : [r1] "a" (pto), [r2] "a" ((addr & PAGE_MASK) | opt),
+- [asce] "a" (asce), [m4] "i" (local));
++ : [r1] "a" (pto), [r2] "a" (addr & PAGE_MASK),
++ [m4] "i" (local));
+ }
+
+ static __always_inline void __ptep_ipte(unsigned long address, pte_t *ptep,
+@@ -1348,7 +1346,7 @@ static inline void flush_tlb_fix_spuriou
+ * A local RDP can be used to do the flush.
+ */
+ if (cpu_has_rdp() && !(pte_val(*ptep) & _PAGE_PROTECT))
+- __ptep_rdp(address, ptep, 0, 0, 1);
++ __ptep_rdp(address, ptep, 1);
+ }
+ #define flush_tlb_fix_spurious_fault flush_tlb_fix_spurious_fault
+
+--- a/arch/s390/mm/pgtable.c
++++ b/arch/s390/mm/pgtable.c
+@@ -274,9 +274,9 @@ void ptep_reset_dat_prot(struct mm_struc
+ preempt_disable();
+ atomic_inc(&mm->context.flush_count);
+ if (cpumask_equal(mm_cpumask(mm), cpumask_of(smp_processor_id())))
+- __ptep_rdp(addr, ptep, 0, 0, 1);
++ __ptep_rdp(addr, ptep, 1);
+ else
+- __ptep_rdp(addr, ptep, 0, 0, 0);
++ __ptep_rdp(addr, ptep, 0);
+ /*
+ * PTE is not invalidated by RDP, only _PAGE_PROTECT is cleared. That
+ * means it is still valid and active, and must not be changed according
diff --git a/queue-6.17/sched_ext-fix-scx_enable-crash-on-helper-kthread-creation-failure.patch b/queue-6.17/sched_ext-fix-scx_enable-crash-on-helper-kthread-creation-failure.patch
new file mode 100644
index 0000000000..ae2e0e2ffc
--- /dev/null
+++ b/queue-6.17/sched_ext-fix-scx_enable-crash-on-helper-kthread-creation-failure.patch
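Review bot: The hard-coded `%%r0` in the `.insn rrf` template is the whole fix, yet the rewritten __ptep_rdp() carries no comment saying why the R3 field must be the literal register number 0 rather than an operand. Going by the commit message, a compiler-allocated register that merely contains zero is taken as a specified ASCE, so selected TLB entries may not be flushed; that is easy to reintroduce if someone later adds the parameter back with an `"a"` constraint. A comment above the asm statement, `/* R3 must be register 0 (no ASCE specified), not a register containing 0 */`, would keep that reasoning in the header. The three call sites in the other hunks only drop the two zero arguments and need no further change.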
@@ -0,0 +1,60 @@
+From 7b6216baae751369195fa3c83d434d23bcda406a Mon Sep 17 00:00:00 2001
+From: Saket Kumar Bhaskar
+Date: Wed, 19 Nov 2025 16:07:22 +0530
+Subject: sched_ext: Fix scx_enable() crash on helper kthread creation failure
+
+From: Saket Kumar Bhaskar
+
+commit 7b6216baae751369195fa3c83d434d23bcda406a upstream.
+
+A crash was observed when the sched_ext selftests runner was
+terminated with Ctrl+\ while test 15 was running:
+
+NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0
+LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0
+Call Trace:
+scx_enable.constprop.0+0x32c/0x12b0 (unreliable)
+bpf_struct_ops_link_create+0x18c/0x22c
+__sys_bpf+0x23f8/0x3044
+sys_bpf+0x2c/0x6c
+system_call_exception+0x124/0x320
+system_call_vectored_common+0x15c/0x2ec
+
+kthread_run_worker() returns an ERR_PTR() on failure rather than NULL,
+but the current code in scx_alloc_and_add_sched() only checks for a NULL
+helper. Incase of failure on SIGQUIT, the error is not handled in
+scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an
+error pointer.
+
+Error handling is fixed in scx_alloc_and_add_sched() to propagate
+PTR_ERR() into ret, so that scx_enable() jumps to the existing error
+path, avoiding random dereference on failure.
+
+Fixes: bff3b5aec1b7 ("sched_ext: Move disable machinery into scx_sched")
+Cc: stable@vger.kernel.org # v6.16+
+Reported-and-tested-by: Samir Mulani
+Signed-off-by: Saket Kumar Bhaskar
+Reviewed-by: Emil Tsalapatis
+Reviewed-by: Andrea Righi
+Reviewed-by: Vishal Chourasia
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/ext.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -4446,8 +4446,11 @@ static struct scx_sched *scx_alloc_and_a
+ goto err_free_gdsqs;
+
+ sch->helper = kthread_run_worker(0, "sched_ext_helper");
+- if (!sch->helper)
++ if (IS_ERR(sch->helper)) {
++ ret = PTR_ERR(sch->helper);
+ goto err_free_pcpu;
++ }
++
+ sched_set_fifo(sch->helper->task);
+
+ atomic_set(&sch->exit_kind, SCX_EXIT_NONE);
diff --git a/queue-6.17/scsi-sg-do-not-sleep-in-atomic-context.patch b/queue-6.17/scsi-sg-do-not-sleep-in-atomic-context.patch
new file mode 100644
index 0000000000..ddcea88d5c
--- /dev/null
+++ b/queue-6.17/scsi-sg-do-not-sleep-in-atomic-context.patch
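Review bot: On the failure branch added in `scx_alloc_and_add_sched()`, `sch->helper` is left holding the `ERR_PTR()` value when control jumps to `err_free_pcpu`. That label and the rest of the unwind are outside the hunk, so I cannot confirm that nothing there, or in a later teardown of `sch`, tests `sch->helper` against NULL and then uses it; if anything does, the same error-pointer dereference comes back on a different path. Assigning the result to a local first and storing it only on success, or adding `sch->helper = NULL;` before the `goto`, keeps the field either valid or NULL.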
@@ -0,0 +1,47 @@
+From 90449f2d1e1f020835cba5417234636937dd657e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Thu, 13 Nov 2025 10:16:43 -0800
+Subject: scsi: sg: Do not sleep in atomic context
+
+From: Bart Van Assche
+
+commit 90449f2d1e1f020835cba5417234636937dd657e upstream.
+
+sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may
+sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead
+of disabled.
+
+Reported-by: syzbot+c01f8e6e73f20459912e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google.com/
+Cc: Hannes Reinecke
+Cc: stable@vger.kernel.org
+Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()")
+Signed-off-by: Bart Van Assche
+Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2209,9 +2209,17 @@ sg_remove_sfp_usercontext(struct work_st
+ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ while (!list_empty(&sfp->rq_list)) {
+ srp = list_first_entry(&sfp->rq_list, Sg_request, entry);
+- sg_finish_rem_req(srp);
+ list_del(&srp->entry);
++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
++
++ sg_finish_rem_req(srp);
++ /*
++ * sg_rq_end_io() uses srp->parentfp. Hence, only clear
++ * srp->parentfp after blk_mq_free_request() has been called.
++ */
+ srp->parentfp = NULL;
++
++ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ }
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
diff --git a/queue-6.17/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch b/queue-6.17/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
new file mode 100644
index 0000000000..7299be8205
--- /dev/null
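Review bot: The loop in `sg_remove_sfp_usercontext()` now drops `rq_list_lock` around `sg_finish_rem_req()` and writes `srp->parentfp = NULL` without the lock, but nothing in the hunk records why no other context can reach `sfp->rq_list` or `srp` during that window. Presumably this work item only runs once the last reference to `sfp` is gone, and `srp` has already been unlinked by `list_del()`; after confirming that against the callers, it deserves a comment next to the unlock, for example `/* srp is already off the list and sfp has no other users here */`. The added comment also names `blk_mq_free_request()`, which does not appear in the hunk; saying that it is reached through `sg_finish_rem_req()`, if that is the case, would make the ordering requirement checkable. The function body continues outside the hunk.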
+++ b/queue-6.17/scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch 
@@ -0,0 +1,55 @@
+From e6965188f84a7883e6a0d3448e86b0cf29b24dfc Mon Sep 17 00:00:00 2001
+From: Hamza Mahfooz
+Date: Wed, 5 Nov 2025 11:25:46 -0800
+Subject: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
+
+From: Hamza Mahfooz
+
+commit e6965188f84a7883e6a0d3448e86b0cf29b24dfc upstream.
+
+If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
+attempt to dereference it in tcm_loop_tpg_address_show() we will get a
+segfault, see below for an example. So, check tl_hba->sh before
+dereferencing it.
+
+ Unable to allocate struct scsi_host
+ BUG: kernel NULL pointer dereference, address: 0000000000000194
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
+ RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
+...
+ Call Trace:
+
+ configfs_read_iter+0x12d/0x1d0 [configfs]
+ vfs_read+0x1b5/0x300
+ ksys_read+0x6f/0xf0
+...
+
+Cc: stable@vger.kernel.org
+Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs")
+Signed-off-by: Hamza Mahfooz
+Reviewed-by: Chaitanya Kulkarni
+Reviewed-by: Allen Pais
+Link: https://patch.msgid.link/1762370746-6304-1-git-send-email-hamzamahfooz@linux.microsoft.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/loopback/tcm_loop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/target/loopback/tcm_loop.c
++++ b/drivers/target/loopback/tcm_loop.c
+@@ -894,6 +894,9 @@ static ssize_t tcm_loop_tpg_address_show
+ struct tcm_loop_tpg, tl_se_tpg);
+ struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba;
+
++ if (!tl_hba->sh)
++ return -ENODEV;
++
+ return snprintf(page, PAGE_SIZE, "%d:0:%d\n",
+ tl_hba->sh->host_no, tl_tpg->tl_tpgt);
+ }
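Review bot: The new NULL check in `tcm_loop_tpg_address_show()` reads `tl_hba->sh` once for the test and again for `host_no`, and it protects only this one configfs attribute. If `sh` can be cleared while the attribute is still readable (not visible from this hunk), the second read can still observe NULL; taking a local copy, `struct Scsi_Host *sh = tl_hba->sh;`, and using `sh` for both the test and the `snprintf()` argument closes that gap. Because the commit message says the pointer stays NULL after a failed `tcm_loop_driver_probe()`, the other users of `tl_hba->sh` in this file are worth auditing for the same dereference. The start of the function is outside the hunk.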
diff --git a/queue-6.17/selinux-move-avdcache-to-per-task-security-struct.patch b/queue-6.17/selinux-move-avdcache-to-per-task-security-struct.patch
new file mode 100644
index 0000000000..0f8e30233e
--- /dev/null
+++ b/queue-6.17/selinux-move-avdcache-to-per-task-security-struct.patch
@@ -0,0 +1,177 @@ +From dde3a5d0f4dce1d1a6095e6b8eeb59b75d28fb3b Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Thu, 13 Nov 2025 15:23:14 -0500 +Subject: selinux: move avdcache to per-task security struct + +From: Stephen Smalley + +commit dde3a5d0f4dce1d1a6095e6b8eeb59b75d28fb3b upstream. + +The avdcache is meant to be per-task; move it to a new +task_security_struct that is duplicated per-task. + +Cc: stable@vger.kernel.org +Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead") +Signed-off-by: Stephen Smalley +[PM: line length fixes] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 31 ++++++++++++++++++------------- + security/selinux/include/objsec.h | 14 ++++++++++++-- + 2 files changed, 30 insertions(+), 15 deletions(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -215,7 +215,7 @@ static void cred_init_security(void) + /* NOTE: the lsm framework zeros out the buffer on allocation */ + + tsec = selinux_cred(unrcu_pointer(current->real_cred)); +- tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL; ++ tsec->osid = tsec->sid = SECINITSID_KERNEL; + } + + /* +@@ -3106,10 +3106,10 @@ static noinline int audit_inode_permissi + * Clear the task's AVD cache in @tsec and reset it to the current policy's + * and task's info. + */ +-static inline void task_avdcache_reset(struct cred_security_struct *tsec) ++static inline void task_avdcache_reset(struct task_security_struct *tsec) + { + memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); +- tsec->avdcache.sid = tsec->sid; ++ tsec->avdcache.sid = current_sid(); + tsec->avdcache.seqno = avc_policy_seqno(); + tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; + } +@@ -3123,7 +3123,7 @@ static inline void task_avdcache_reset(s + * Search @tsec for a AVD cache entry that matches @isec and return it to the + * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 
+ */ +-static inline int task_avdcache_search(struct cred_security_struct *tsec, ++static inline int task_avdcache_search(struct task_security_struct *tsec, + struct inode_security_struct *isec, + struct avdc_entry **avdc) + { +@@ -3133,7 +3133,7 @@ static inline int task_avdcache_search(s + if (isec->sclass != SECCLASS_DIR) + return -ENOENT; + +- if (unlikely(tsec->sid != tsec->avdcache.sid || ++ if (unlikely(current_sid() != tsec->avdcache.sid || + tsec->avdcache.seqno != avc_policy_seqno())) { + task_avdcache_reset(tsec); + return -ENOENT; +@@ -3163,7 +3163,7 @@ static inline int task_avdcache_search(s + * Update the AVD cache in @tsec with the @avdc and @audited info associated + * with @isec. + */ +-static inline void task_avdcache_update(struct cred_security_struct *tsec, ++static inline void task_avdcache_update(struct task_security_struct *tsec, + struct inode_security_struct *isec, + struct av_decision *avd, + u32 audited) +@@ -3197,7 +3197,8 @@ static int selinux_inode_permission(stru + { + int mask; + u32 perms; +- struct cred_security_struct *tsec; ++ u32 sid = current_sid(); ++ struct task_security_struct *tsec; + struct inode_security_struct *isec; + struct avdc_entry *avdc; + int rc, rc2; +@@ -3209,8 +3210,8 @@ static int selinux_inode_permission(stru + if (!mask) + return 0; + +- tsec = selinux_cred(current_cred()); +- if (task_avdcache_permnoaudit(tsec)) ++ tsec = selinux_task(current); ++ if (task_avdcache_permnoaudit(tsec, sid)) + return 0; + + isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); +@@ -3230,7 +3231,7 @@ static int selinux_inode_permission(stru + struct av_decision avd; + + /* Cache miss. */ +- rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass, ++ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, + perms, 0, &avd); + audited = avc_audit_required(perms, &avd, rc, + (requested & MAY_ACCESS) ? 
FILE__AUDIT_ACCESS : 0, +@@ -3279,11 +3280,11 @@ static int selinux_inode_setattr(struct + + static int selinux_inode_getattr(const struct path *path) + { +- struct cred_security_struct *tsec; ++ struct task_security_struct *tsec; + +- tsec = selinux_cred(current_cred()); ++ tsec = selinux_task(current); + +- if (task_avdcache_permnoaudit(tsec)) ++ if (task_avdcache_permnoaudit(tsec, current_sid())) + return 0; + + return path_has_perm(current_cred(), path, FILE__GETATTR); +@@ -4147,7 +4148,10 @@ static int selinux_task_alloc(struct tas + unsigned long clone_flags) + { + u32 sid = current_sid(); ++ struct task_security_struct *old_tsec = selinux_task(current); ++ struct task_security_struct *new_tsec = selinux_task(task); + ++ *new_tsec = *old_tsec; + return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); + } + +@@ -7170,6 +7174,7 @@ static void selinux_bpf_token_free(struc + + struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { + .lbs_cred = sizeof(struct cred_security_struct), ++ .lbs_task = sizeof(struct task_security_struct), + .lbs_file = sizeof(struct file_security_struct), + .lbs_inode = sizeof(struct inode_security_struct), + .lbs_ipc = sizeof(struct ipc_security_struct), +--- a/security/selinux/include/objsec.h ++++ b/security/selinux/include/objsec.h +@@ -43,6 +43,9 @@ struct cred_security_struct { + u32 create_sid; /* fscreate SID */ + u32 keycreate_sid; /* keycreate SID */ + u32 sockcreate_sid; /* fscreate SID */ ++} __randomize_layout; ++ ++struct task_security_struct { + #define TSEC_AVDC_DIR_SIZE (1 << 2) + struct { + u32 sid; /* current SID for cached entries */ +@@ -53,10 +56,11 @@ struct cred_security_struct { + } avdcache; + } __randomize_layout; + +-static inline bool task_avdcache_permnoaudit(struct cred_security_struct *tsec) ++static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec, ++ u32 sid) + { + return (tsec->avdcache.permissive_neveraudit && +- tsec->sid == tsec->avdcache.sid && ++ sid == 
tsec->avdcache.sid && + tsec->avdcache.seqno == avc_policy_seqno()); + } + +@@ -176,6 +180,12 @@ static inline struct cred_security_struc + return cred->security + selinux_blob_sizes.lbs_cred; + } + ++static inline struct task_security_struct * ++selinux_task(const struct task_struct *task) ++{ ++ return task->security + selinux_blob_sizes.lbs_task; ++} ++ + static inline struct file_security_struct *selinux_file(const struct file *file) + { + return file->f_security + selinux_blob_sizes.lbs_file; diff --git a/queue-6.17/selinux-rename-task_security_struct-to-cred_security_struct.patch b/queue-6.17/selinux-rename-task_security_struct-to-cred_security_struct.patch new file mode 100644 index 0000000000..cc6281fd6b --- /dev/null +++ b/queue-6.17/selinux-rename-task_security_struct-to-cred_security_struct.patch 
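Review bot: `task_avdcache_reset()` and `task_avdcache_search()` still take a `tsec` argument but now key the cache on `current_sid()`, so they are only correct when `tsec` is `selinux_task(current)`, and the kerneldoc above them does not say so. `task_avdcache_permnoaudit()` instead receives the SID as a parameter, and `selinux_inode_permission()` computes `sid` once while the helpers it calls look it up again, so the helpers disagree on where the SID comes from. I would either pass `sid` to all of the avdcache helpers or add a line such as `* @tsec must be the blob of the current task.` to each comment block. Separately, `*new_tsec = *old_tsec;` in `selinux_task_alloc()` hands the child the parent's cached decisions; the SID and seqno comparison revalidates them on use, which is worth stating in a comment at that assignment.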
@@ -0,0 +1,343 @@ +From 75f72fe289a7f76204a728668edcf20e4a2a6097 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Thu, 13 Nov 2025 15:23:13 -0500 +Subject: selinux: rename task_security_struct to cred_security_struct + +From: Stephen Smalley + +commit 75f72fe289a7f76204a728668edcf20e4a2a6097 upstream. + +Before Linux had cred structures, the SELinux task_security_struct was +per-task and although the structure was switched to being per-cred +long ago, the name was never updated. This change renames it to +cred_security_struct to avoid confusion and pave the way for the +introduction of an actual per-task security structure for SELinux. No +functional change. + +Cc: stable@vger.kernel.org +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 68 +++++++++++++++++++------------------- + security/selinux/include/objsec.h | 8 ++-- + 2 files changed, 38 insertions(+), 38 deletions(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -210,7 +210,7 @@ static int selinux_lsm_notifier_avc_call + */ + static void cred_init_security(void) + { +- struct task_security_struct *tsec; ++ struct cred_security_struct *tsec; + + /* NOTE: the lsm framework zeros out the buffer on allocation */ + +@@ -223,7 +223,7 @@ static void cred_init_security(void) + */ + static inline u32 cred_sid(const struct cred *cred) + { +- const struct task_security_struct *tsec; ++ const struct cred_security_struct *tsec; + + tsec = selinux_cred(cred); + return tsec->sid; +@@ -437,7 +437,7 @@ static int may_context_mount_sb_relabel( + struct superblock_security_struct *sbsec, + const struct cred *cred) + { +- const struct task_security_struct *tsec = selinux_cred(cred); ++ const struct cred_security_struct *tsec = selinux_cred(cred); + int rc; + + rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, +@@ -454,7 +454,7 @@ static int may_context_mount_inode_relab + struct superblock_security_struct 
*sbsec, + const struct cred *cred) + { +- const struct task_security_struct *tsec = selinux_cred(cred); ++ const struct cred_security_struct *tsec = selinux_cred(cred); + int rc; + rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, + FILESYSTEM__RELABELFROM, NULL); +@@ -1784,7 +1784,7 @@ out: + * Determine the label for an inode that might be unioned. + */ + static int +-selinux_determine_inode_label(const struct task_security_struct *tsec, ++selinux_determine_inode_label(const struct cred_security_struct *tsec, + struct inode *dir, + const struct qstr *name, u16 tclass, + u32 *_new_isid) +@@ -1813,7 +1813,7 @@ static int may_create(struct inode *dir, + struct dentry *dentry, + u16 tclass) + { +- const struct task_security_struct *tsec = selinux_cred(current_cred()); ++ const struct cred_security_struct *tsec = selinux_cred(current_cred()); + struct inode_security_struct *dsec; + struct superblock_security_struct *sbsec; + u32 sid, newsid; +@@ -2247,8 +2247,8 @@ static u32 ptrace_parent_sid(void) + } + + static int check_nnp_nosuid(const struct linux_binprm *bprm, +- const struct task_security_struct *old_tsec, +- const struct task_security_struct *new_tsec) ++ const struct cred_security_struct *old_tsec, ++ const struct cred_security_struct *new_tsec) + { + int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); + int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); +@@ -2301,8 +2301,8 @@ static int check_nnp_nosuid(const struct + + static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) + { +- const struct task_security_struct *old_tsec; +- struct task_security_struct *new_tsec; ++ const struct cred_security_struct *old_tsec; ++ struct cred_security_struct *new_tsec; + struct inode_security_struct *isec; + struct common_audit_data ad; + struct inode *inode = file_inode(bprm->file); +@@ -2479,7 +2479,7 @@ static inline void flush_unauthorized_fi + */ + static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) + { +- struct 
task_security_struct *new_tsec; ++ struct cred_security_struct *new_tsec; + struct rlimit *rlim, *initrlim; + int rc, i; + +@@ -2525,7 +2525,7 @@ static void selinux_bprm_committing_cred + */ + static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) + { +- const struct task_security_struct *tsec = selinux_cred(current_cred()); ++ const struct cred_security_struct *tsec = selinux_cred(current_cred()); + u32 osid, sid; + int rc; + +@@ -2907,7 +2907,7 @@ static int selinux_dentry_create_files_a + { + u32 newsid; + int rc; +- struct task_security_struct *tsec; ++ struct cred_security_struct *tsec; + + rc = selinux_determine_inode_label(selinux_cred(old), + d_inode(dentry->d_parent), name, +@@ -2925,7 +2925,7 @@ static int selinux_inode_init_security(s + const struct qstr *qstr, + struct xattr *xattrs, int *xattr_count) + { +- const struct task_security_struct *tsec = selinux_cred(current_cred()); ++ const struct cred_security_struct *tsec = selinux_cred(current_cred()); + struct superblock_security_struct *sbsec; + struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); + u32 newsid, clen; +@@ -3106,7 +3106,7 @@ static noinline int audit_inode_permissi + * Clear the task's AVD cache in @tsec and reset it to the current policy's + * and task's info. + */ +-static inline void task_avdcache_reset(struct task_security_struct *tsec) ++static inline void task_avdcache_reset(struct cred_security_struct *tsec) + { + memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); + tsec->avdcache.sid = tsec->sid; +@@ -3123,7 +3123,7 @@ static inline void task_avdcache_reset(s + * Search @tsec for a AVD cache entry that matches @isec and return it to the + * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 
+ */ +-static inline int task_avdcache_search(struct task_security_struct *tsec, ++static inline int task_avdcache_search(struct cred_security_struct *tsec, + struct inode_security_struct *isec, + struct avdc_entry **avdc) + { +@@ -3163,7 +3163,7 @@ static inline int task_avdcache_search(s + * Update the AVD cache in @tsec with the @avdc and @audited info associated + * with @isec. + */ +-static inline void task_avdcache_update(struct task_security_struct *tsec, ++static inline void task_avdcache_update(struct cred_security_struct *tsec, + struct inode_security_struct *isec, + struct av_decision *avd, + u32 audited) +@@ -3197,7 +3197,7 @@ static int selinux_inode_permission(stru + { + int mask; + u32 perms; +- struct task_security_struct *tsec; ++ struct cred_security_struct *tsec; + struct inode_security_struct *isec; + struct avdc_entry *avdc; + int rc, rc2; +@@ -3279,7 +3279,7 @@ static int selinux_inode_setattr(struct + + static int selinux_inode_getattr(const struct path *path) + { +- struct task_security_struct *tsec; ++ struct cred_security_struct *tsec; + + tsec = selinux_cred(current_cred()); + +@@ -3655,7 +3655,7 @@ static void selinux_inode_getlsmprop(str + static int selinux_inode_copy_up(struct dentry *src, struct cred **new) + { + struct lsm_prop prop; +- struct task_security_struct *tsec; ++ struct cred_security_struct *tsec; + struct cred *new_creds = *new; + + if (new_creds == NULL) { +@@ -3693,7 +3693,7 @@ static int selinux_inode_copy_up_xattr(s + static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, + struct kernfs_node *kn) + { +- const struct task_security_struct *tsec = selinux_cred(current_cred()); ++ const struct cred_security_struct *tsec = selinux_cred(current_cred()); + u32 parent_sid, newsid, clen; + int rc; + char *context; +@@ -4157,8 +4157,8 @@ static int selinux_task_alloc(struct tas + static int selinux_cred_prepare(struct cred *new, const struct cred *old, + gfp_t gfp) + { +- const struct task_security_struct 
*old_tsec = selinux_cred(old); +- struct task_security_struct *tsec = selinux_cred(new); ++ const struct cred_security_struct *old_tsec = selinux_cred(old); ++ struct cred_security_struct *tsec = selinux_cred(new); + + *tsec = *old_tsec; + return 0; +@@ -4169,8 +4169,8 @@ static int selinux_cred_prepare(struct c + */ + static void selinux_cred_transfer(struct cred *new, const struct cred *old) + { +- const struct task_security_struct *old_tsec = selinux_cred(old); +- struct task_security_struct *tsec = selinux_cred(new); ++ const struct cred_security_struct *old_tsec = selinux_cred(old); ++ struct cred_security_struct *tsec = selinux_cred(new); + + *tsec = *old_tsec; + } +@@ -4191,7 +4191,7 @@ static void selinux_cred_getlsmprop(cons + */ + static int selinux_kernel_act_as(struct cred *new, u32 secid) + { +- struct task_security_struct *tsec = selinux_cred(new); ++ struct cred_security_struct *tsec = selinux_cred(new); + u32 sid = current_sid(); + int ret; + +@@ -4215,7 +4215,7 @@ static int selinux_kernel_act_as(struct + static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) + { + struct inode_security_struct *isec = inode_security(inode); +- struct task_security_struct *tsec = selinux_cred(new); ++ struct cred_security_struct *tsec = selinux_cred(new); + u32 sid = current_sid(); + int ret; + +@@ -4740,7 +4740,7 @@ static int selinux_conn_sid(u32 sk_sid, + + /* socket security operations */ + +-static int socket_sockcreate_sid(const struct task_security_struct *tsec, ++static int socket_sockcreate_sid(const struct cred_security_struct *tsec, + u16 secclass, u32 *socksid) + { + if (tsec->sockcreate_sid > SECSID_NULL) { +@@ -4793,7 +4793,7 @@ static int sock_has_perm(struct sock *sk + static int selinux_socket_create(int family, int type, + int protocol, int kern) + { +- const struct task_security_struct *tsec = selinux_cred(current_cred()); ++ const struct cred_security_struct *tsec = selinux_cred(current_cred()); + u32 newsid; + u16 
secclass; + int rc; +@@ -4812,7 +4812,7 @@ static int selinux_socket_create(int fam + static int selinux_socket_post_create(struct socket *sock, int family, + int type, int protocol, int kern) + { +- const struct task_security_struct *tsec = selinux_cred(current_cred()); ++ const struct cred_security_struct *tsec = selinux_cred(current_cred()); + struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); + struct sk_security_struct *sksec; + u16 sclass = socket_type_to_security_class(family, type, protocol); +@@ -6522,7 +6522,7 @@ static void selinux_d_instantiate(struct + static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, + char **value) + { +- const struct task_security_struct *tsec; ++ const struct cred_security_struct *tsec; + int error; + u32 sid; + u32 len; +@@ -6577,7 +6577,7 @@ err_unlock: + + static int selinux_lsm_setattr(u64 attr, void *value, size_t size) + { +- struct task_security_struct *tsec; ++ struct cred_security_struct *tsec; + struct cred *new; + u32 mysid = current_sid(), sid = 0, ptsid; + int error; +@@ -6872,7 +6872,7 @@ static int selinux_inode_getsecctx(struc + static int selinux_key_alloc(struct key *k, const struct cred *cred, + unsigned long flags) + { +- const struct task_security_struct *tsec; ++ const struct cred_security_struct *tsec; + struct key_security_struct *ksec = selinux_key(k); + + tsec = selinux_cred(cred); +@@ -7169,7 +7169,7 @@ static void selinux_bpf_token_free(struc + #endif + + struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { +- .lbs_cred = sizeof(struct task_security_struct), ++ .lbs_cred = sizeof(struct cred_security_struct), + .lbs_file = sizeof(struct file_security_struct), + .lbs_inode = sizeof(struct inode_security_struct), + .lbs_ipc = sizeof(struct ipc_security_struct), +--- a/security/selinux/include/objsec.h ++++ b/security/selinux/include/objsec.h +@@ -36,7 +36,7 @@ struct avdc_entry { + bool permissive; /* AVC permissive flag */ + }; + +-struct 
task_security_struct { ++struct cred_security_struct { + u32 osid; /* SID prior to last execve */ + u32 sid; /* current SID */ + u32 exec_sid; /* exec SID */ +@@ -53,7 +53,7 @@ struct task_security_struct { + } avdcache; + } __randomize_layout; + +-static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec) ++static inline bool task_avdcache_permnoaudit(struct cred_security_struct *tsec) + { + return (tsec->avdcache.permissive_neveraudit && + tsec->sid == tsec->avdcache.sid && +@@ -171,7 +171,7 @@ struct perf_event_security_struct { + }; + + extern struct lsm_blob_sizes selinux_blob_sizes; +-static inline struct task_security_struct *selinux_cred(const struct cred *cred) ++static inline struct cred_security_struct *selinux_cred(const struct cred *cred) + { + return cred->security + selinux_blob_sizes.lbs_cred; + } +@@ -206,7 +206,7 @@ selinux_ipc(const struct kern_ipc_perm * + */ + static inline u32 current_sid(void) + { +- const struct task_security_struct *tsec = selinux_cred(current_cred()); ++ const struct cred_security_struct *tsec = selinux_cred(current_cred()); + + return tsec->sid; + } diff --git a/queue-6.17/series b/queue-6.17/series index 361fd0455c..eea22f6b2c 100644 --- a/queue-6.17/series +++ b/queue-6.17/series 
@@ -1 +1,58 @@
 kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch
+timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch
+arm64-dts-rockchip-remove-non-functioning-cpu-opps-from-rk3576.patch
+hid-amd_sfh-stop-sensor-before-starting.patch
+hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
+arm64-dts-rockchip-fix-vccio4-supply-on-rk3566-pinetab2.patch
+arm64-dts-rockchip-fix-pcie-3.3v-regulator-voltage-on-orangepi-5.patch
+reset-imx8mp-audiomix-fix-bad-mask-values.patch
+arm64-dts-rockchip-include-rk3399-base-instead-of-rk3399-in-rk3399-op1.patch
+arm64-dts-rockchip-disable-hs400-on-rk3588-tiger.patch
+kvm-svm-fix-redundant-updates-of-lbr-msr-intercepts.patch
+vfat-fix-missing-sb_min_blocksize-return-value-checks.patch
+mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
+fs-fix-uninitialized-offp-in-statmount_string.patch
+mtdchar-fix-integer-overflow-in-read-write-ioctls.patch
+xfs-check-the-return-value-of-sb_min_blocksize-in-xfs_fs_fill_super.patch
+isofs-check-the-return-value-of-sb_min_blocksize-in-isofs_fill_super.patch
+shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch
+exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
+mptcp-disallow-mptcp-subflows-from-sockmap.patch
+s390-mm-fix-__ptep_rdp-inline-assembly.patch
+mptcp-fix-proto-fallback-detection-with-bpf.patch
+lib-test_kho-check-if-kho-is-enabled.patch
+acpi-apei-einj-fix-einjv2-initialization-and-injection.patch
+ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
+mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
+selinux-rename-task_security_struct-to-cred_security_struct.patch
+selinux-move-avdcache-to-per-task-security-struct.patch
+smb-client-introduce-close_cached_dir_locked.patch
+wifi-rtw89-hw_scan-don-t-let-the-operating-channel-be-last.patch
+ata-libata-scsi-add-missing-scsi_device_put-in-ata_scsi_dev_rescan.patch
+be2net-pass-wrb_params-in-case-of-os2bmc.patch
+io_uring-cmd_net-fix-wrong-argument-types-for-skb_queue_splice.patch
+net-dsa-microchip-lan937x-fix-rgmii-delay-tuning.patch
+revert-drm-tegra-dsi-clear-enable-register-if-powered-by-bootloader.patch
+input-cros_ec_keyb-fix-an-invalid-memory-access.patch
+input-goodix-add-support-for-acpi-id-gdix1003.patch
+input-imx_sc_key-fix-memory-corruption-on-unload.patch
+input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch
+mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
+nouveau-firmware-add-missing-kfree-of-nvkm_falcon_fw-boot.patch
+nvme-nvme-fc-move-tagset-removal-to-nvme_fc_delete_ctrl.patch
+nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch
+pm-sleep-core-fix-runtime-pm-enabling-in-device_resume_early.patch
+sched_ext-fix-scx_enable-crash-on-helper-kthread-creation-failure.patch
+scsi-sg-do-not-sleep-in-atomic-context.patch
+scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch
+mips-malta-fix-eva-soc-it-pci-mmio.patch
+dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
+loongarch-bpf-disable-trampoline-for-kernel-module-function-trace.patch
+loongarch-don-t-panic-if-no-valid-cache-info-for-pci.patch
+loongarch-fix-numa-node-parsing-with-numa_memblks.patch
+platform-x86-alienware-wmi-wmax-fix-alienware-m16-r1-amd-quirk-order.patch
+platform-x86-alienware-wmi-wmax-add-support-for-the-whole-m-family.patch
+platform-x86-alienware-wmi-wmax-add-support-for-the-whole-x-family.patch
+platform-x86-alienware-wmi-wmax-add-support-for-the-whole-g-family.patch
+platform-x86-alienware-wmi-wmax-add-awcc-support-to-alienware-16-aurora.patch
+mptcp-fix-race-condition-in-mptcp_schedule_work.patch
diff --git a/queue-6.17/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch b/queue-6.17/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch
new file mode 100644
index 0000000000..7d873f3238
--- /dev/null
+++ b/queue-6.17/shmem-fix-tmpfs-reconfiguration-remount-when-noswap-is-set.patch
@@ -0,0 +1,85 @@
+From 3cd1548a278c7d6a9bdef1f1866e7cf66bfd3518 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Sat, 8 Nov 2025 19:09:47 +0000
+Subject: shmem: fix tmpfs reconfiguration (remount) when noswap is set
+
+From: Mike Yuan
+
+commit 3cd1548a278c7d6a9bdef1f1866e7cf66bfd3518 upstream.
+
+In systemd we're trying to switch the internal credentials setup logic
+to new mount API [1], and I noticed fsconfig(FSCONFIG_CMD_RECONFIGURE)
+consistently fails on tmpfs with noswap option. This can be trivially
+reproduced with the following:
+
+```
+int fs_fd = fsopen("tmpfs", 0);
+fsconfig(fs_fd, FSCONFIG_SET_FLAG, "noswap", NULL, 0);
+fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+fsmount(fs_fd, 0, 0);
+fsconfig(fs_fd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0); <------ EINVAL
+```
+
+After some digging the culprit is shmem_reconfigure() rejecting
+!(ctx->seen & SHMEM_SEEN_NOSWAP) && sbinfo->noswap, which is bogus
+as ctx->seen serves as a mask for whether certain options are touched
+at all. On top of that, noswap option doesn't use fsparam_flag_no,
+hence it's not really possible to "reenable" swap to begin with.
+Drop the check and redundant SHMEM_SEEN_NOSWAP flag.
+
+[1] https://github.com/systemd/systemd/pull/39637
+
+Fixes: 2c6efe9cf2d7 ("shmem: add support to ignore swap")
+Signed-off-by: Mike Yuan
+Link: https://patch.msgid.link/20251108190930.440685-1-me@yhndnzj.com
+Cc: Luis Chamberlain
+Cc: Christian Brauner
+Cc: Hugh Dickins
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/shmem.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -131,8 +131,7 @@ struct shmem_options {
+ #define SHMEM_SEEN_INODES 2
+ #define SHMEM_SEEN_HUGE 4
+ #define SHMEM_SEEN_INUMS 8
+-#define SHMEM_SEEN_NOSWAP 16
+-#define SHMEM_SEEN_QUOTA 32
++#define SHMEM_SEEN_QUOTA 16
+ };
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+@@ -4744,7 +4743,6 @@ static int shmem_parse_one(struct fs_con
+ "Turning off swap in unprivileged tmpfs mounts unsupported");
+ }
+ ctx->noswap = true;
+- ctx->seen |= SHMEM_SEEN_NOSWAP;
+ break;
+ case Opt_quota:
+ if (fc->user_ns != &init_user_ns)
+@@ -4894,14 +4892,15 @@ static int shmem_reconfigure(struct fs_c
+ err = "Current inum too high to switch to 32-bit inums";
+ goto out;
+ }
+- if ((ctx->seen & SHMEM_SEEN_NOSWAP) && ctx->noswap && !sbinfo->noswap) {
++
++ /*
++ * "noswap" doesn't use fsparam_flag_no, i.e. there's no "swap"
++ * counterpart for (re-)enabling swap.
++ */
++ if (ctx->noswap && !sbinfo->noswap) {
+ err = "Cannot disable swap on remount";
+ goto out;
+ }
+- if (!(ctx->seen & SHMEM_SEEN_NOSWAP) && !ctx->noswap && sbinfo->noswap) {
+- err = "Cannot enable swap on remount if it was disabled on first mount";
+- goto out;
+- }
+
+ if (ctx->seen & SHMEM_SEEN_QUOTA &&
+ !sb_any_quota_loaded(fc->root->d_sb)) {
diff --git a/queue-6.17/smb-client-introduce-close_cached_dir_locked.patch b/queue-6.17/smb-client-introduce-close_cached_dir_locked.patch
new file mode 100644
index 0000000000..25bdaee81e
--- /dev/null
+++ b/queue-6.17/smb-client-introduce-close_cached_dir_locked.patch
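Review bot: With the second check removed from `shmem_reconfigure()`, a remount that does not mention `noswap` on a mount created with `noswap` now succeeds, and the new comment explains only why swap cannot be re-enabled, not what happens to the existing setting. The rest of the function is outside the hunk, so I cannot confirm that `sbinfo->noswap` is left untouched on that path; if it is ever assigned from `ctx->noswap`, a plain remount would silently turn swap back on for a mount whose creator asked for it to be off. I would extend the comment with `* An absent "noswap" on remount keeps the value chosen at mount time.` and verify the assignment block further down. Renumbering `SHMEM_SEEN_QUOTA` from 32 to 16 looks safe only as long as the `seen` bits never leave this file.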
@@ -0,0 +1,100 @@
+From a9d1f38df7ecd0e21233447c9cc6fa1799eddaf3 Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho
+Date: Thu, 13 Nov 2025 15:09:13 -0300
+Subject: smb: client: introduce close_cached_dir_locked()
+
+From: Henrique Carvalho
+
+commit a9d1f38df7ecd0e21233447c9cc6fa1799eddaf3 upstream.
+
+Replace close_cached_dir() calls under cfid_list_lock with a new
+close_cached_dir_locked() variant that uses kref_put() instead of
+kref_put_lock() to avoid recursive locking when dropping references.
+
+While the existing code works if the refcount >= 2 invariant holds,
+this area has proven error-prone. Make deadlocks impossible and WARN
+on invariant violations.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: David Howells
+Signed-off-by: Henrique Carvalho
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/cached_dir.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/client/cached_dir.c
++++ b/fs/smb/client/cached_dir.c
+@@ -16,6 +16,7 @@ static struct cached_fid *init_cached_di
+ static void free_cached_dir(struct cached_fid *cfid);
+ static void smb2_close_cached_fid(struct kref *ref);
+ static void cfids_laundromat_worker(struct work_struct *work);
++static void close_cached_dir_locked(struct cached_fid *cfid);
+
+ struct cached_dir_dentry {
+ struct list_head entry;
+@@ -389,7 +390,7 @@ out:
+ * lease. Release one here, and the second below.
+ */
+ cfid->has_lease = false;
+- close_cached_dir(cfid);
++ close_cached_dir_locked(cfid);
+ }
+ spin_unlock(&cfids->cfid_list_lock);
+
+@@ -476,18 +477,52 @@ void drop_cached_dir_by_name(const unsig
+ spin_lock(&cfid->cfids->cfid_list_lock);
+ if (cfid->has_lease) {
+ cfid->has_lease = false;
+- close_cached_dir(cfid);
++ close_cached_dir_locked(cfid);
+ }
+ spin_unlock(&cfid->cfids->cfid_list_lock);
+ close_cached_dir(cfid);
+ }
+
+-
++/**
++ * close_cached_dir - drop a reference of a cached dir
++ *
++ * The release function will be called with cfid_list_lock held to remove the
++ * cached dirs from the list before any other thread can take another @cfid
++ * ref. Must not be called with cfid_list_lock held; use
++ * close_cached_dir_locked() called instead.
++ *
++ * @cfid: cached dir
++ */
+ void close_cached_dir(struct cached_fid *cfid)
+ {
++ lockdep_assert_not_held(&cfid->cfids->cfid_list_lock);
+ kref_put_lock(&cfid->refcount, smb2_close_cached_fid, &cfid->cfids->cfid_list_lock);
+ }
+
++/**
++ * close_cached_dir_locked - put a reference of a cached dir with
++ * cfid_list_lock held
++ *
++ * Calling close_cached_dir() with cfid_list_lock held has the potential effect
++ * of causing a deadlock if the invariant of refcount >= 2 is false.
++ *
++ * This function is used in paths that hold cfid_list_lock and expect at least
++ * two references. If that invariant is violated, WARNs and returns without
++ * dropping a reference; the final put must still go through
++ * close_cached_dir().
++ *
++ * @cfid: cached dir
++ */
++static void close_cached_dir_locked(struct cached_fid *cfid)
++{
++ lockdep_assert_held(&cfid->cfids->cfid_list_lock);
++
++ if (WARN_ON(kref_read(&cfid->refcount) < 2))
++ return;
++
++ kref_put(&cfid->refcount, smb2_close_cached_fid);
++}
++
+ /*
+ * Called from cifs_kill_sb when we unmount a share
+ */
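Review bot: The kernel-doc added for close_cached_dir_locked() never says which two references the `refcount >= 2` invariant counts, and that is the only thing that makes the separate `kref_read()` and `kref_put()` steps safe. From the two call sites they appear to be the lease's reference (guarded by `has_lease` under cfid_list_lock) and the caller's own, which is dropped afterwards through close_cached_dir(); without the caller's own reference a concurrent put could land between the read and the put. I would add `* The two references are the lease's and the caller's own; the caller drops its own afterwards with close_cached_dir().` to the comment. The close_cached_dir() comment also reads `use close_cached_dir_locked() called instead`, which should be `use close_cached_dir_locked() instead`.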
diff --git a/queue-6.17/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch b/queue-6.17/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch
new file mode 100644
index 0000000000..4dd9164852
--- /dev/null
+++ b/queue-6.17/timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch
@@ -0,0 +1,88 @@
+From 20739af07383e6eb1ec59dcd70b72ebfa9ac362c Mon Sep 17 00:00:00 2001
+From: Yipeng Zou
+Date: Sat, 22 Nov 2025 09:39:42 +0000
+Subject: timers: Fix NULL function pointer race in timer_shutdown_sync()
+
+From: Yipeng Zou
+
+commit 20739af07383e6eb1ec59dcd70b72ebfa9ac362c upstream.
+
+There is a race condition between timer_shutdown_sync() and timer
+expiration that can lead to hitting a WARN_ON in expire_timers().
+
+The issue occurs when timer_shutdown_sync() clears the timer function
+to NULL while the timer is still running on another CPU. The race
+scenario looks like this:
+
+CPU0 CPU1
+
+ lock_timer_base()
+ expire_timers()
+ base->running_timer = timer;
+ unlock_timer_base()
+ [call_timer_fn enter]
+ mod_timer()
+ ...
+timer_shutdown_sync()
+lock_timer_base()
+// For now, will not detach the timer but only clear its function to NULL
+if (base->running_timer != timer)
+ ret = detach_if_pending(timer, base, true);
+if (shutdown)
+ timer->function = NULL;
+unlock_timer_base()
+ [call_timer_fn exit]
+ lock_timer_base()
+ base->running_timer = NULL;
+ unlock_timer_base()
+ ...
+ // Now timer is pending while its function set to NULL.
+ // next timer trigger
+
+ expire_timers()
+ WARN_ON_ONCE(!fn) // hit
+ ...
+lock_timer_base()
+// Now timer will detach
+if (base->running_timer != timer)
+ ret = detach_if_pending(timer, base, true);
+if (shutdown)
+ timer->function = NULL;
+unlock_timer_base()
+
+The problem is that timer_shutdown_sync() clears the timer function
+regardless of whether the timer is currently running. This can leave a
+pending timer with a NULL function pointer, which triggers the
+WARN_ON_ONCE(!fn) check in expire_timers().
+
+Fix this by only clearing the timer function when actually detaching the
+timer. If the timer is running, leave the function pointer intact, which is
+safe because the timer will be properly detached when it finishes running.
+
+Fixes: 0cc04e80458a ("timers: Add shutdown mechanism to the internal functions")
+Signed-off-by: Yipeng Zou
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251122093942.301559-1-zouyipeng@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/time/timer.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1458,10 +1458,11 @@ static int __try_to_del_timer_sync(struc
+
+ base = lock_timer_base(timer, &flags);
+
+- if (base->running_timer != timer)
++ if (base->running_timer != timer) {
+ ret = detach_if_pending(timer, base, true);
+- if (shutdown)
+- timer->function = NULL;
++ if (shutdown)
++ timer->function = NULL;
++ }
+
+ raw_spin_unlock_irqrestore(&base->lock, flags);
+
diff --git a/queue-6.17/vfat-fix-missing-sb_min_blocksize-return-value-checks.patch b/queue-6.17/vfat-fix-missing-sb_min_blocksize-return-value-checks.patch
new file mode 100644
index 0000000000..a8923ce59d
--- /dev/null
+++ b/queue-6.17/vfat-fix-missing-sb_min_blocksize-return-value-checks.patch
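Review bot: Nothing at the site in __try_to_del_timer_sync() explains why `timer->function = NULL` is now skipped while the timer is running, and the old unconditional form looks like the more defensive one to a later reader. A short comment above the inner `if (shutdown)` would keep the fix from being undone: `/* Clear ->function only once detached: a running callback can re-arm the timer and leave it pending with a NULL function. */`. The function starts and ends outside the hunk, so the retry that eventually detaches the timer after the callback returns is taken from the commit message rather than from visible code.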
@@ -0,0 +1,141 @@ +From 63b5aa01da0f38cdbd97d021477258e511631497 Mon Sep 17 00:00:00 2001 +From: Yongpeng Yang +Date: Tue, 4 Nov 2025 20:50:06 +0800 +Subject: vfat: fix missing sb_min_blocksize() return value checks + +From: Yongpeng Yang + +commit 63b5aa01da0f38cdbd97d021477258e511631497 upstream. + +When emulating an nvme device on qemu with both logical_block_size and +physical_block_size set to 8 KiB, but without format, a kernel panic +was triggered during the early boot stage while attempting to mount a +vfat filesystem. + +[95553.682035] EXT4-fs (nvme0n1): unable to set blocksize +[95553.684326] EXT4-fs (nvme0n1): unable to set blocksize +[95553.686501] EXT4-fs (nvme0n1): unable to set blocksize +[95553.696448] ISOFS: unsupported/invalid hardware sector size 8192 +[95553.697117] ------------[ cut here ]------------ +[95553.697567] kernel BUG at fs/buffer.c:1582! +[95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI +[95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary) +[95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0 +[95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc <0f> 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f +[95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246 +[95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001 +[95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000 +[95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000 +[95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 +[95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000 +[95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) 
knlGS:0000000000000000 +[95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0 +[95553.708439] PKRU: 55555554 +[95553.708734] Call Trace: +[95553.709015] +[95553.709266] __getblk_slow+0xd2/0x230 +[95553.709641] ? find_get_block_common+0x8b/0x530 +[95553.710084] bdev_getblk+0x77/0xa0 +[95553.710449] __bread_gfp+0x22/0x140 +[95553.710810] fat_fill_super+0x23a/0xfc0 +[95553.711216] ? __pfx_setup+0x10/0x10 +[95553.711580] ? __pfx_vfat_fill_super+0x10/0x10 +[95553.712014] vfat_fill_super+0x15/0x30 +[95553.712401] get_tree_bdev_flags+0x141/0x1e0 +[95553.712817] get_tree_bdev+0x10/0x20 +[95553.713177] vfat_get_tree+0x15/0x20 +[95553.713550] vfs_get_tree+0x2a/0x100 +[95553.713910] vfs_cmd_create+0x62/0xf0 +[95553.714273] __do_sys_fsconfig+0x4e7/0x660 +[95553.714669] __x64_sys_fsconfig+0x20/0x40 +[95553.715062] x64_sys_call+0x21ee/0x26a0 +[95553.715453] do_syscall_64+0x80/0x670 +[95553.715816] ? __fs_parse+0x65/0x1e0 +[95553.716172] ? fat_parse_param+0x103/0x4b0 +[95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0 +[95553.717034] ? __do_sys_fsconfig+0x3d9/0x660 +[95553.717548] ? __x64_sys_fsconfig+0x20/0x40 +[95553.717957] ? x64_sys_call+0x21ee/0x26a0 +[95553.718360] ? do_syscall_64+0xb8/0x670 +[95553.718734] ? __x64_sys_fsconfig+0x20/0x40 +[95553.719141] ? x64_sys_call+0x21ee/0x26a0 +[95553.719545] ? do_syscall_64+0xb8/0x670 +[95553.719922] ? x64_sys_call+0x1405/0x26a0 +[95553.720317] ? do_syscall_64+0xb8/0x670 +[95553.720702] ? __x64_sys_close+0x3e/0x90 +[95553.721080] ? x64_sys_call+0x1b5e/0x26a0 +[95553.721478] ? do_syscall_64+0xb8/0x670 +[95553.721841] ? irqentry_exit+0x43/0x50 +[95553.722211] ? 
exc_page_fault+0x90/0x1b0 +[95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[95553.723166] RIP: 0033:0x72ee774f3afe +[95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48 +[95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af +[95553.725892] RAX: ffffffffffffffda RBX: 00005dcfe53d0080 RCX: 000072ee774f3afe +[95553.726526] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003 +[95553.727176] RBP: 00007ffe97148ac0 R08: 0000000000000000 R09: 000072ee775e7ac0 +[95553.727818] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[95553.728459] R13: 00005dcfe53d04b0 R14: 000072ee77670b00 R15: 00005dcfe53d1a28 +[95553.729086] + +The panic occurs as follows: +1. logical_block_size is 8KiB, causing {struct super_block *sb}->s_blocksize +is initialized to 0. +vfat_fill_super + - fat_fill_super + - sb_min_blocksize + - sb_set_blocksize //return 0 when size is 8KiB. +2. __bread_gfp is called with size == 0, causing folio_alloc_buffers() to +compute an offset equal to folio_size(folio), which triggers a BUG_ON. +fat_fill_super + - sb_bread + - __bread_gfp // size == {struct super_block *sb}->s_blocksize == 0 + - bdev_getblk + - __getblk_slow + - grow_buffers + - grow_dev_folio + - folio_alloc_buffers // size == 0 + - folio_set_bh //offset == folio_size(folio) and panic + +To fix this issue, add proper return value checks for +sb_min_blocksize(). + +Cc: stable@vger.kernel.org # v6.15 +Fixes: a64e5a596067bd ("bdev: add back PAGE_SIZE block size validation for sb_set_blocksize()") +Reviewed-by: Matthew Wilcox +Reviewed-by: Darrick J. 
Wong +Reviewed-by: Jan Kara +Reviewed-by: OGAWA Hirofumi +Reviewed-by: Christoph Hellwig +Signed-off-by: Yongpeng Yang +Link: https://patch.msgid.link/20251104125009.2111925-2-yangyongpeng.storage@gmail.com +Acked-by: OGAWA Hirofumi +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fat/inode.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/fat/inode.c b/fs/fat/inode.c +index 9648ed097816..9cfe20a3daaf 100644 +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -1595,8 +1595,12 @@ int fat_fill_super(struct super_block *sb, struct fs_context *fc, + + setup(sb); /* flavour-specific stuff that needs options */ + ++ error = -EINVAL; ++ if (!sb_min_blocksize(sb, 512)) { ++ fat_msg(sb, KERN_ERR, "unable to set blocksize"); ++ goto out_fail; ++ } + error = -EIO; +- sb_min_blocksize(sb, 512); + bh = sb_bread(sb, 0); + if (bh == NULL) { + fat_msg(sb, KERN_ERR, "unable to read boot sector"); +-- +2.52.0 + diff --git a/queue-6.17/wifi-rtw89-hw_scan-don-t-let-the-operating-channel-be-last.patch b/queue-6.17/wifi-rtw89-hw_scan-don-t-let-the-operating-channel-be-last.patch new file mode 100644 index 0000000000..cf5e53b488 --- /dev/null +++ b/queue-6.17/wifi-rtw89-hw_scan-don-t-let-the-operating-channel-be-last.patch 
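Review bot: Neither the new test in fat_fill_super() nor the matching one in the xfs_fs_fill_super() hunk says why sb_min_blocksize() can fail, and the logged text `unable to set blocksize` carries no size. The value originates from the block device (an 8 KiB logical block size in the reported case), so it is worth a comment above the test such as `/* sb_min_blocksize() returns 0 if the device's logical block size is unsupported */`. Both functions extend beyond their hunks, so the cleanup reached through `out_fail` here and the bare `return -EINVAL` in the xfs hunk are assumed to release everything acquired up to that point.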
@@ -0,0 +1,65 @@
+From e837b9091b277ae6f309d7e9fc93cb0308cf461f Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith
+Date: Fri, 14 Nov 2025 00:54:48 +0200
+Subject: wifi: rtw89: hw_scan: Don't let the operating channel be last
+
+From: Bitterblue Smith
+
+commit e837b9091b277ae6f309d7e9fc93cb0308cf461f upstream.
+
+Scanning can be offloaded to the firmware. To that end, the driver
+prepares a list of channels to scan, including periodic visits back to
+the operating channel, and sends the list to the firmware.
+
+When the channel list is too long to fit in a single H2C message, the
+driver splits the list, sends the first part, and tells the firmware to
+scan. When the scan is complete, the driver sends the next part of the
+list and tells the firmware to scan.
+
+When the last channel that fit in the H2C message is the operating
+channel something seems to go wrong in the firmware. It will
+acknowledge receiving the list of channels but apparently it will not
+do anything more. The AP can't be pinged anymore. The driver still
+receives beacons, though.
+
+One way to avoid this is to split the list of channels before the
+operating channel.
+
+Affected devices:
+
+* RTL8851BU with firmware 0.29.41.3
+* RTL8832BU with firmware 0.29.29.8
+* RTL8852BE with firmware 0.29.29.8
+
+The commit 57a5fbe39a18 ("wifi: rtw89: refactor flow that hw scan handles channel list")
+is found by git blame, but it is actually to refine the scan flow, but not
+a culprit, so skip Fixes tag.
+
+Reported-by: Bitterblue Smith
+Closes: https://lore.kernel.org/linux-wireless/0abbda91-c5c2-4007-84c8-215679e652e1@gmail.com/
+Cc: stable@vger.kernel.org # 6.16+
+Signed-off-by: Bitterblue Smith
+Acked-by: Ping-Ke Shih
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/c1e61744-8db4-4646-867f-241b47d30386@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtw89/fw.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtw89/fw.c
++++ b/drivers/net/wireless/realtek/rtw89/fw.c
+@@ -7705,6 +7705,13 @@ int rtw89_hw_scan_add_chan_list_be(struc
+ INIT_LIST_HEAD(&list);
+
+ list_for_each_entry_safe(ch_info, tmp, &scan_info->chan_list, list) {
++ /* The operating channel (tx_null == true) should
++ * not be last in the list, to avoid breaking
++ * RTL8851BU and RTL8832BU.
++ */
++ if (list_len + 1 == RTW89_SCAN_LIST_LIMIT_AX && ch_info->tx_null)
++ break;
++
+ list_move_tail(&ch_info->list, &list);
+
+ list_len++;
diff --git a/queue-6.17/xfs-check-the-return-value-of-sb_min_blocksize-in-xfs_fs_fill_super.patch b/queue-6.17/xfs-check-the-return-value-of-sb_min_blocksize-in-xfs_fs_fill_super.patch
new file mode 100644
index 0000000000..0ba52f76a3
--- /dev/null
+++ b/queue-6.17/xfs-check-the-return-value-of-sb_min_blocksize-in-xfs_fs_fill_super.patch
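Review bot: The hunk header places this loop in rtw89_hw_scan_add_chan_list_be(), yet the added test compares against `RTW89_SCAN_LIST_LIMIT_AX`. If the AX and BE variants of the function share the same context lines, the hunk may have applied by offset to a different function than the one the upstream commit changed, and that should be checked against the upstream tree before this queue is released. If the BE function really is the target, the test should use the same limit constant as the loop's own termination check, which lies outside the hunk. The new comment also names only RTL8851BU and RTL8832BU, while the commit message lists RTL8852BE as affected too.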
@@ -0,0 +1,38 @@
+From 124af0868ec6929ba838fb76d25f00c06ba8fc0d Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang
+Date: Tue, 4 Nov 2025 20:50:09 +0800
+Subject: xfs: check the return value of sb_min_blocksize() in xfs_fs_fill_super
+
+From: Yongpeng Yang
+
+commit 124af0868ec6929ba838fb76d25f00c06ba8fc0d upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid the
+filesystem super block when sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: a64e5a596067bd ("bdev: add back PAGE_SIZE block size validation for sb_set_blocksize()")
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Yongpeng Yang
+Link: https://patch.msgid.link/20251104125009.2111925-5-yangyongpeng.storage@gmail.com
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_super.c
++++ b/fs/xfs/xfs_super.c
+@@ -1710,7 +1710,10 @@ xfs_fs_fill_super(
+ if (error)
+ return error;
+
+- sb_min_blocksize(sb, BBSIZE);
++ if (!sb_min_blocksize(sb, BBSIZE)) {
++ xfs_err(mp, "unable to set blocksize");
++ return -EINVAL;
++ }
+ sb->s_xattr = xfs_xattr_handlers;
+ sb->s_export_op = &xfs_export_operations;
+ #ifdef CONFIG_XFS_QUOTA