From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 14:17:29 +0000 (+0100) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8149ad457ccb0843a5ddcb1e4a5ed7b8e8de9ae;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch cpuidle-governors-teo-drop-misguided-target-residency-check.patch dt-bindings-slimbus-fix-warning-from-example.patch f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch f2fs-fix-to-avoid-potential-deadlock.patch f2fs-fix-to-avoid-updating-compression-context-during-writeback.patch f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch f2fs-fix-to-detect-recoverable-inode-during-dryrun-of-find_fsync_dnodes.patch f2fs-fix-to-not-account-invalid-blocks-in-get_left_section_blocks.patch f2fs-fix-to-propagate-error-from-f2fs_enable_checkpoint.patch f2fs-fix-uninitialized-one_time_gc-in-victim_sel_policy.patch f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch f2fs-use-global-inline_xattr_slab-instead-of-per-sb-slab-cache.patch intel_th-fix-error-handling-in-intel_th_output_open.patch media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch mei-fix-error-handling-in-mei_register.patch mei-gsc-add-dependency-on-xe-driver.patch nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch scsi-mpi3mr-read-missing-iocfacts-flag-for-reply-queue-full-overflow.patch scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch scsi-target-reset-t_task_cdb-pointer-in-error-case.patch scsi-ufs-core-add-ufshcd_update_evt_hist-for-ufs-suspend-error.patch serial-core-fix-serial-device-initialization.patch serial-core-restore-sysfs-fwnode-information.patch serial-sh-sci-check-that-the-dma-cookie-is-valid.patch serial-xilinx_uartps-fix-rs485-delay_rts_after_send.patch usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch usb-lpc32xx_udc-fix-error-handling-in-probe.patch usb-ohci-nxp-fix-device-leak-on-probe-failure.patch usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch usb-typec-altmodes-displayport-drop-the-device-reference-in-dp_altmode_probe.patch usb-typec-ucsi-huawei-gaokin-add-drm-dependency.patch usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch xhci-dbgtty-fix-device-unregister-fixup.patch --- diff --git a/queue-6.18/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch b/queue-6.18/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch new file mode 100644 index 0000000000..b065a40cdc --- /dev/null +++ b/queue-6.18/char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch @@ -0,0 +1,46 @@ +From 82d12088c297fa1cef670e1718b3d24f414c23f7 Mon Sep 17 00:00:00 2001 +From: Tianchu Chen +Date: Fri, 28 Nov 2025 15:53:23 +0800 +Subject: char: applicom: fix NULL pointer dereference in ac_ioctl + +From: Tianchu Chen + +commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream. + +Discovered by Atuin - Automated Vulnerability Discovery Engine. + +In ac_ioctl, the validation of IndexCard and the check for a valid +RamIO pointer are skipped when cmd is 6. However, the function +unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the +end. + +If cmd is 6, IndexCard may reference a board that does not exist +(where RamIO is NULL), leading to a NULL pointer dereference. + +Fix this by skipping the readb access when cmd is 6, as this +command is a global information query and does not target a specific +board context. + +Signed-off-by: Tianchu Chen +Acked-by: Arnd Bergmann +Cc: stable +Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/applicom.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/char/applicom.c ++++ b/drivers/char/applicom.c +@@ -835,7 +835,10 @@ static long ac_ioctl(struct file *file, + ret = -ENOTTY; + break; + } +- Dummy = readb(apbs[IndexCard].RamIO + VERS); ++ ++ if (cmd != 6) ++ Dummy = readb(apbs[IndexCard].RamIO + VERS); ++ + kfree(adgl); + mutex_unlock(&ac_mutex); + return ret; diff --git a/queue-6.18/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch b/queue-6.18/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch new file mode 100644 index 0000000000..836b416c11 --- /dev/null +++ b/queue-6.18/cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch @@ -0,0 +1,55 @@ +From 9600156bb99852c216a2128cdf9f114eb67c350f Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 23:04:45 +0800 +Subject: cpufreq: nforce2: fix reference count leak in nforce2 + +From: Miaoqian Lin + +commit 9600156bb99852c216a2128cdf9f114eb67c350f upstream. + +There are two reference count leaks in this driver: + +1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count + of the PCI device, but pci_dev_put() is never called to release it, + thus leaking the reference. + +2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the + nforce2_dev which is stored in a global variable, but the reference + is never released when the module is unloaded. + +Fix both by: +- Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading + the configuration. +- Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the + global device reference. + +Found via static analysis. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq-nforce2.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/cpufreq/cpufreq-nforce2.c ++++ b/drivers/cpufreq/cpufreq-nforce2.c +@@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int + pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb); + fsb /= 1000000; + ++ pci_dev_put(nforce2_sub5); ++ + /* Check if PLL register is already set */ + pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp); + +@@ -426,6 +428,7 @@ static int __init nforce2_init(void) + static void __exit nforce2_exit(void) + { + cpufreq_unregister_driver(&nforce2_driver); ++ pci_dev_put(nforce2_dev); + } + + module_init(nforce2_init); diff --git a/queue-6.18/cpuidle-governors-teo-drop-misguided-target-residency-check.patch b/queue-6.18/cpuidle-governors-teo-drop-misguided-target-residency-check.patch new file mode 100644 index 0000000000..258eeaadcf --- /dev/null +++ b/queue-6.18/cpuidle-governors-teo-drop-misguided-target-residency-check.patch @@ -0,0 +1,55 @@ +From a03b2011808ab02ccb7ab6b573b013b77fbb5921 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 13 Nov 2025 14:24:31 +0100 +Subject: cpuidle: governors: teo: Drop misguided target residency check + +From: Rafael J. Wysocki + +commit a03b2011808ab02ccb7ab6b573b013b77fbb5921 upstream. + +When the target residency of the current candidate idle state is +greater than the expected time till the closest timer (the sleep +length), it does not matter whether or not the tick has already been +stopped or if it is going to be stopped. The closest timer will +trigger anyway at its due time, so if an idle state with target +residency above the sleep length is selected, energy will be wasted +and there may be excess latency. + +Of course, if the closest timer were canceled before it could trigger, +a deeper idle state would be more suitable, but this is not expected +to happen (generally speaking, hrtimers are not expected to be +canceled as a rule). + +Accordingly, the teo_state_ok() check done in that case causes energy to +be wasted more often than it allows any energy to be saved (if it allows +any energy to be saved at all), so drop it and let the governor use the +teo_find_shallower_state() return value as the new candidate idle state +index. + +Fixes: 21d28cd2fa5f ("cpuidle: teo: Do not call tick_nohz_get_sleep_length() upfront") +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Tested-by: Christian Loehle +Link: https://patch.msgid.link/5955081.DvuYhMxLoT@rafael.j.wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/governors/teo.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/cpuidle/governors/teo.c ++++ b/drivers/cpuidle/governors/teo.c +@@ -458,11 +458,8 @@ static int teo_select(struct cpuidle_dri + * If the closest expected timer is before the target residency of the + * candidate state, a shallower one needs to be found. + */ +- if (drv->states[idx].target_residency_ns > duration_ns) { +- i = teo_find_shallower_state(drv, dev, idx, duration_ns, false); +- if (teo_state_ok(i, drv)) +- idx = i; +- } ++ if (drv->states[idx].target_residency_ns > duration_ns) ++ idx = teo_find_shallower_state(drv, dev, idx, duration_ns, false); + + /* + * If the selected state's target residency is below the tick length diff --git a/queue-6.18/dt-bindings-slimbus-fix-warning-from-example.patch b/queue-6.18/dt-bindings-slimbus-fix-warning-from-example.patch new file mode 100644 index 0000000000..3df832cf0f --- /dev/null +++ b/queue-6.18/dt-bindings-slimbus-fix-warning-from-example.patch @@ -0,0 +1,78 @@ +From 4d4e746aa9f0f07261dcb41e4f51edb98723dcaa Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 14 Nov 2025 11:05:05 +0000 +Subject: dt-bindings: slimbus: fix warning from example + +From: Srinivas Kandagatla + +commit 4d4e746aa9f0f07261dcb41e4f51edb98723dcaa upstream. + +Fix below warnings generated dt_bindings_check for examples in the +bindings. + +Documentation/devicetree/bindings/slimbus/slimbus.example.dtb: +slim@28080000 (qcom,slim-ngd-v1.5.0): 'audio-codec@1,0' does not match +any of the regexes: '^pinctrl-[0-9]+$', '^slim@[0-9a-f]+$' + from schema $id: +http://devicetree.org/schemas/slimbus/qcom,slim-ngd.yaml# +Documentation/devicetree/bindings/slimbus/slimbus.example.dtb: +slim@28080000 (qcom,slim-ngd-v1.5.0): #address-cells: 1 was expected + from schema $id: +http://devicetree.org/schemas/slimbus/qcom,slim-ngd.yaml# +Documentation/devicetree/bindings/slimbus/slimbus.example.dtb: +slim@28080000 (qcom,slim-ngd-v1.5.0): 'dmas' is a required property + from schema $id: +http://devicetree.org/schemas/slimbus/qcom,slim-ngd.yaml# +Documentation/devicetree/bindings/slimbus/slimbus.example.dtb: +slim@28080000 (qcom,slim-ngd-v1.5.0): 'dma-names' is a required +property + from schema $id: +http://devicetree.org/schemas/slimbus/qcom,slim-ngd.yaml# + +Fixes: 7cbba32a2d62 ("slimbus: qcom: remove unused qcom controller driver") +Cc: stable +Reported-by: Rob Herring +Signed-off-by: Srinivas Kandagatla +Acked-by: Rob Herring (Arm) +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20251114110505.143105-1-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + .../devicetree/bindings/slimbus/slimbus.yaml | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/Documentation/devicetree/bindings/slimbus/slimbus.yaml b/Documentation/devicetree/bindings/slimbus/slimbus.yaml +index 89017d9cda10..5a941610ce4e 100644 +--- a/Documentation/devicetree/bindings/slimbus/slimbus.yaml ++++ b/Documentation/devicetree/bindings/slimbus/slimbus.yaml +@@ -75,16 +75,22 @@ examples: + #size-cells = <1>; + ranges; + +- slim@28080000 { ++ controller@28080000 { + compatible = "qcom,slim-ngd-v1.5.0"; + reg = <0x091c0000 0x2c000>; + interrupts = ; +- #address-cells = <2>; ++ dmas = <&slimbam 3>, <&slimbam 4>; ++ dma-names = "rx", "tx"; ++ #address-cells = <1>; + #size-cells = <0>; +- +- audio-codec@1,0 { ++ slim@1 { ++ reg = <1>; ++ #address-cells = <2>; ++ #size-cells = <0>; ++ codec@1,0 { + compatible = "slim217,1a0"; + reg = <1 0>; ++ }; + }; ++ }; + }; +- }; +-- +2.52.0 + diff --git a/queue-6.18/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch b/queue-6.18/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch new file mode 100644 index 0000000000..b8e908f7c2 --- /dev/null +++ b/queue-6.18/f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch @@ -0,0 +1,80 @@ +From 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 Mon Sep 17 00:00:00 2001 +From: Jan Prusakowski +Date: Mon, 6 Oct 2025 10:46:15 +0200 +Subject: f2fs: ensure node page reads complete before f2fs_put_super() finishes + +From: Jan Prusakowski + +commit 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 upstream. + +Xfstests generic/335, generic/336 sometimes crash with the following message: + +F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 +------------[ cut here ]------------ +kernel BUG at fs/f2fs/super.c:1939! +Oops: invalid opcode: 0000 [#1] SMP NOPTI +CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) +Tainted: [W]=WARN +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:f2fs_put_super+0x3b3/0x3c0 +Call Trace: + + generic_shutdown_super+0x7e/0x190 + kill_block_super+0x1a/0x40 + kill_f2fs_super+0x9d/0x190 + deactivate_locked_super+0x30/0xb0 + cleanup_mnt+0xba/0x150 + task_work_run+0x5c/0xa0 + exit_to_user_mode_loop+0xb7/0xc0 + do_syscall_64+0x1ae/0x1c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +---[ end trace 0000000000000000 ]--- + +It appears that sometimes it is possible that f2fs_put_super() is called before +all node page reads are completed. +Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem. + +Cc: stable@kernel.org +Fixes: 20872584b8c0b ("f2fs: fix to drop all dirty meta/node pages during umount()") +Signed-off-by: Jan Prusakowski +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1988,14 +1988,6 @@ static void f2fs_put_super(struct super_ + truncate_inode_pages_final(META_MAPPING(sbi)); + } + +- for (i = 0; i < NR_COUNT_TYPE; i++) { +- if (!get_pages(sbi, i)) +- continue; +- f2fs_err(sbi, "detect filesystem reference count leak during " +- "umount, type: %d, count: %lld", i, get_pages(sbi, i)); +- f2fs_bug_on(sbi, 1); +- } +- + f2fs_bug_on(sbi, sbi->fsync_node_num); + + f2fs_destroy_compress_inode(sbi); +@@ -2006,6 +1998,15 @@ static void f2fs_put_super(struct super_ + iput(sbi->meta_inode); + sbi->meta_inode = NULL; + ++ /* Should check the page counts after dropping all node/meta pages */ ++ for (i = 0; i < NR_COUNT_TYPE; i++) { ++ if (!get_pages(sbi, i)) ++ continue; ++ f2fs_err(sbi, "detect filesystem reference count leak during " ++ "umount, type: %d, count: %lld", i, get_pages(sbi, i)); ++ f2fs_bug_on(sbi, 1); ++ } ++ + /* + * iput() can update stat information, if f2fs_write_checkpoint() + * above failed with error. diff --git a/queue-6.18/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch b/queue-6.18/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch new file mode 100644 index 0000000000..536853db5b --- /dev/null +++ b/queue-6.18/f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch @@ -0,0 +1,143 @@ +From 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 Mon Sep 17 00:00:00 2001 +From: Xiaole He +Date: Mon, 27 Oct 2025 17:23:41 +0800 +Subject: f2fs: fix age extent cache insertion skip on counter overflow + +From: Xiaole He + +commit 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 upstream. + +The age extent cache uses last_blocks (derived from +allocated_data_blocks) to determine data age. However, there's a +conflict between the deletion +marker (last_blocks=0) and legitimate last_blocks=0 cases when +allocated_data_blocks overflows to 0 after reaching ULLONG_MAX. + +In this case, valid extents are incorrectly skipped due to the +"if (!tei->last_blocks)" check in __update_extent_tree_range(). + +This patch fixes the issue by: +1. Reserving ULLONG_MAX as an invalid/deletion marker +2. Limiting allocated_data_blocks to range [0, ULLONG_MAX-1] +3. Using F2FS_EXTENT_AGE_INVALID for deletion scenarios +4. Adjusting overflow age calculation from ULLONG_MAX to (ULLONG_MAX-1) + +Reproducer (using a patched kernel with allocated_data_blocks +initialized to ULLONG_MAX - 3 for quick testing): + +Step 1: Mount and check initial state + # dd if=/dev/zero of=/tmp/test.img bs=1M count=100 + # mkfs.f2fs -f /tmp/test.img + # mkdir -p /mnt/f2fs_test + # mount -t f2fs -o loop,age_extent_cache /tmp/test.img /mnt/f2fs_test + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 18446744073709551612 # ULLONG_MAX - 3 + Inner Struct Count: tree: 1(0), node: 0 + +Step 2: Create files and write data to trigger overflow + # touch /mnt/f2fs_test/{1,2,3,4}.txt; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 18446744073709551613 # ULLONG_MAX - 2 + Inner Struct Count: tree: 5(0), node: 1 + + # dd if=/dev/urandom of=/mnt/f2fs_test/1.txt bs=4K count=1; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 18446744073709551614 # ULLONG_MAX - 1 + Inner Struct Count: tree: 5(0), node: 2 + + # dd if=/dev/urandom of=/mnt/f2fs_test/2.txt bs=4K count=1; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 18446744073709551615 # ULLONG_MAX + Inner Struct Count: tree: 5(0), node: 3 + + # dd if=/dev/urandom of=/mnt/f2fs_test/3.txt bs=4K count=1; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 0 # Counter overflowed! + Inner Struct Count: tree: 5(0), node: 4 + +Step 3: Trigger the bug - next write should create node but gets skipped + # dd if=/dev/urandom of=/mnt/f2fs_test/4.txt bs=4K count=1; sync + # cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age" + Allocated Data Blocks: 1 + Inner Struct Count: tree: 5(0), node: 4 + + Expected: node: 5 (new extent node for 4.txt) + Actual: node: 4 (extent insertion was incorrectly skipped due to + last_blocks = allocated_data_blocks = 0 in __get_new_block_age) + +After this fix, the extent node is correctly inserted and node count +becomes 5 as expected. + +Fixes: 71644dff4811 ("f2fs: add block_age-based extent cache") +Cc: stable@kernel.org +Signed-off-by: Xiaole He +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/extent_cache.c | 5 +++-- + fs/f2fs/f2fs.h | 6 ++++++ + fs/f2fs/segment.c | 9 +++++++-- + 3 files changed, 16 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -808,7 +808,7 @@ static void __update_extent_tree_range(s + } + goto out_read_extent_cache; + update_age_extent_cache: +- if (!tei->last_blocks) ++ if (tei->last_blocks == F2FS_EXTENT_AGE_INVALID) + goto out_read_extent_cache; + + __set_extent_info(&ei, fofs, len, 0, false, +@@ -912,7 +912,7 @@ static int __get_new_block_age(struct in + cur_age = cur_blocks - tei.last_blocks; + else + /* allocated_data_blocks overflow */ +- cur_age = ULLONG_MAX - tei.last_blocks + cur_blocks; ++ cur_age = (ULLONG_MAX - 1) - tei.last_blocks + cur_blocks; + + if (tei.age) + ei->age = __calculate_block_age(sbi, cur_age, tei.age); +@@ -1114,6 +1114,7 @@ void f2fs_update_age_extent_cache_range( + struct extent_info ei = { + .fofs = fofs, + .len = len, ++ .last_blocks = F2FS_EXTENT_AGE_INVALID, + }; + + if (!__may_extent_tree(dn->inode, EX_BLOCK_AGE)) +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -708,6 +708,12 @@ enum extent_type { + NR_EXTENT_CACHES, + }; + ++/* ++ * Reserved value to mark invalid age extents, hence valid block range ++ * from 0 to ULLONG_MAX-1 ++ */ ++#define F2FS_EXTENT_AGE_INVALID ULLONG_MAX ++ + struct extent_info { + unsigned int fofs; /* start offset in a file */ + unsigned int len; /* length of the extent */ +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -3881,8 +3881,13 @@ skip_new_segment: + locate_dirty_segment(sbi, GET_SEGNO(sbi, old_blkaddr)); + locate_dirty_segment(sbi, GET_SEGNO(sbi, *new_blkaddr)); + +- if (IS_DATASEG(curseg->seg_type)) +- atomic64_inc(&sbi->allocated_data_blocks); ++ if (IS_DATASEG(curseg->seg_type)) { ++ unsigned long long new_val; ++ ++ new_val = atomic64_inc_return(&sbi->allocated_data_blocks); ++ if (unlikely(new_val == ULLONG_MAX)) ++ atomic64_set(&sbi->allocated_data_blocks, 0); ++ } + + up_write(&sit_i->sentry_lock); + diff --git a/queue-6.18/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch b/queue-6.18/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch new file mode 100644 index 0000000000..e197869133 --- /dev/null +++ b/queue-6.18/f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch @@ -0,0 +1,80 @@ +From 01fba45deaddcce0d0b01c411435d1acf6feab7b Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 5 Nov 2025 14:50:22 +0800 +Subject: f2fs: fix return value of f2fs_recover_fsync_data() + +From: Chao Yu + +commit 01fba45deaddcce0d0b01c411435d1acf6feab7b upstream. + +With below scripts, it will trigger panic in f2fs: + +mkfs.f2fs -f /dev/vdd +mount /dev/vdd /mnt/f2fs +touch /mnt/f2fs/foo +sync +echo 111 >> /mnt/f2fs/foo +f2fs_io fsync /mnt/f2fs/foo +f2fs_io shutdown 2 /mnt/f2fs +umount /mnt/f2fs +mount -o ro,norecovery /dev/vdd /mnt/f2fs +or +mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs + +F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 +F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f +F2FS-fs (vdd): Stopped filesystem due to reason: 0 +F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 +Filesystem f2fs get_tree() didn't set fc->root, returned 1 +------------[ cut here ]------------ +kernel BUG at fs/super.c:1761! +Oops: invalid opcode: 0000 [#1] SMP PTI +CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:vfs_get_tree.cold+0x18/0x1a +Call Trace: + + fc_mount+0x13/0xa0 + path_mount+0x34e/0xc50 + __x64_sys_mount+0x121/0x150 + do_syscall_64+0x84/0x800 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x7fa6cc126cfe + +The root cause is we missed to handle error number returned from +f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or +ro,disable_roll_forward mount option, result in returning a positive +error number to vfs_get_tree(), fix it. + +Cc: stable@kernel.org +Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -5203,11 +5203,15 @@ try_onemore: + } + } else { + err = f2fs_recover_fsync_data(sbi, true); +- +- if (!f2fs_readonly(sb) && err > 0) { +- err = -EINVAL; +- f2fs_err(sbi, "Need to recover fsync data"); +- goto free_meta; ++ if (err > 0) { ++ if (!f2fs_readonly(sb)) { ++ f2fs_err(sbi, "Need to recover fsync data"); ++ err = -EINVAL; ++ goto free_meta; ++ } else { ++ f2fs_info(sbi, "drop all fsynced data"); ++ err = 0; ++ } + } + } + diff --git a/queue-6.18/f2fs-fix-to-avoid-potential-deadlock.patch b/queue-6.18/f2fs-fix-to-avoid-potential-deadlock.patch new file mode 100644 index 0000000000..3824687676 --- /dev/null +++ b/queue-6.18/f2fs-fix-to-avoid-potential-deadlock.patch @@ -0,0 +1,217 @@ +From ca8b201f28547e28343a6f00a6e91fa8c09572fe Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 14 Oct 2025 19:47:35 +0800 +Subject: f2fs: fix to avoid potential deadlock + +From: Chao Yu + +commit ca8b201f28547e28343a6f00a6e91fa8c09572fe upstream. + +As Jiaming Zhang and syzbot reported, there is potential deadlock in +f2fs as below: + +Chain exists of: + &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + rlock(sb_internal#2); + lock(fs_reclaim); + lock(sb_internal#2); + rlock(&sbi->cp_rwsem); + + *** DEADLOCK *** + +3 locks held by kswapd0/73: + #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline] + #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389 + #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline] + #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197 + #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890 + +stack backtrace: +CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043 + check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175 + check_prev_add kernel/locking/lockdep.c:3165 [inline] + check_prevs_add kernel/locking/lockdep.c:3284 [inline] + validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908 + __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237 + lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 + down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537 + f2fs_down_read fs/f2fs/f2fs.h:2278 [inline] + f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline] + f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791 + f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867 + f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925 + f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897 + evict+0x504/0x9c0 fs/inode.c:810 + f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853 + evict+0x504/0x9c0 fs/inode.c:810 + dispose_list fs/inode.c:852 [inline] + prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000 + super_cache_scan+0x39b/0x4b0 fs/super.c:224 + do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437 + shrink_slab_memcg mm/shrinker.c:550 [inline] + shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628 + shrink_one+0x28a/0x7c0 mm/vmscan.c:4955 + shrink_many mm/vmscan.c:5016 [inline] + lru_gen_shrink_node mm/vmscan.c:5094 [inline] + shrink_node+0x315d/0x3780 mm/vmscan.c:6081 + kswapd_shrink_node mm/vmscan.c:6941 [inline] + balance_pgdat mm/vmscan.c:7124 [inline] + kswapd+0x147c/0x2800 mm/vmscan.c:7389 + kthread+0x70e/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + +The root cause is deadlock among four locks as below: + +kswapd +- fs_reclaim --- Lock A + - shrink_one + - evict + - f2fs_evict_inode + - sb_start_intwrite --- Lock B + +- iput + - evict + - f2fs_evict_inode + - sb_start_intwrite --- Lock B + - f2fs_truncate + - f2fs_truncate_blocks + - f2fs_do_truncate_blocks + - f2fs_lock_op --- Lock C + +ioctl +- f2fs_ioc_commit_atomic_write + - f2fs_lock_op --- Lock C + - __f2fs_commit_atomic_write + - __replace_atomic_write_block + - f2fs_get_dnode_of_data + - __get_node_folio + - f2fs_check_nid_range + - f2fs_handle_error + - f2fs_record_errors + - f2fs_down_write --- Lock D + +open +- do_open + - do_truncate + - security_inode_need_killpriv + - f2fs_getxattr + - lookup_all_xattrs + - f2fs_handle_error + - f2fs_record_errors + - f2fs_down_write --- Lock D + - f2fs_commit_super + - read_mapping_folio + - filemap_alloc_folio_noprof + - prepare_alloc_pages + - fs_reclaim_acquire --- Lock A + +In order to avoid such deadlock, we need to avoid grabbing sb_lock in +f2fs_handle_error(), so, let's use asynchronous method instead: +- remove f2fs_handle_error() implementation +- rename f2fs_handle_error_async() to f2fs_handle_error() +- spread f2fs_handle_error() + +Fixes: 95fa90c9e5a7 ("f2fs: support recording errors into superblock") +Cc: stable@kernel.org +Reported-by: syzbot+14b90e1156b9f6fc1266@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/68eae49b.050a0220.ac43.0001.GAE@google.com +Reported-by: Jiaming Zhang +Closes: https://lore.kernel.org/lkml/CANypQFa-Gy9sD-N35o3PC+FystOWkNuN8pv6S75HLT0ga-Tzgw@mail.gmail.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/compress.c | 5 +---- + fs/f2fs/f2fs.h | 1 - + fs/f2fs/super.c | 41 ----------------------------------------- + 3 files changed, 1 insertion(+), 46 deletions(-) + +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -759,10 +759,7 @@ void f2fs_decompress_cluster(struct deco + ret = -EFSCORRUPTED; + + /* Avoid f2fs_commit_super in irq context */ +- if (!in_task) +- f2fs_handle_error_async(sbi, ERROR_FAIL_DECOMPRESSION); +- else +- f2fs_handle_error(sbi, ERROR_FAIL_DECOMPRESSION); ++ f2fs_handle_error(sbi, ERROR_FAIL_DECOMPRESSION); + goto out_release; + } + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3812,7 +3812,6 @@ void f2fs_quota_off_umount(struct super_ + void f2fs_save_errors(struct f2fs_sb_info *sbi, unsigned char flag); + void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason); + void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error); +-void f2fs_handle_error_async(struct f2fs_sb_info *sbi, unsigned char error); + int f2fs_commit_super(struct f2fs_sb_info *sbi, bool recover); + int f2fs_sync_fs(struct super_block *sb, int sync); + int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi); +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -4560,50 +4560,9 @@ void f2fs_save_errors(struct f2fs_sb_inf + spin_unlock_irqrestore(&sbi->error_lock, flags); + } + +-static bool f2fs_update_errors(struct f2fs_sb_info *sbi) +-{ +- unsigned long flags; +- bool need_update = false; +- +- spin_lock_irqsave(&sbi->error_lock, flags); +- if (sbi->error_dirty) { +- memcpy(F2FS_RAW_SUPER(sbi)->s_errors, sbi->errors, +- MAX_F2FS_ERRORS); +- sbi->error_dirty = false; +- need_update = true; +- } +- spin_unlock_irqrestore(&sbi->error_lock, flags); +- +- return need_update; +-} +- +-static void f2fs_record_errors(struct f2fs_sb_info *sbi, unsigned char error) +-{ +- int err; +- +- f2fs_down_write(&sbi->sb_lock); +- +- if (!f2fs_update_errors(sbi)) +- goto out_unlock; +- +- err = f2fs_commit_super(sbi, false); +- if (err) +- f2fs_err_ratelimited(sbi, +- "f2fs_commit_super fails to record errors:%u, err:%d", +- error, err); +-out_unlock: +- f2fs_up_write(&sbi->sb_lock); +-} +- + void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error) + { + f2fs_save_errors(sbi, error); +- f2fs_record_errors(sbi, error); +-} +- +-void f2fs_handle_error_async(struct f2fs_sb_info *sbi, unsigned char error) +-{ +- f2fs_save_errors(sbi, error); + + if (!sbi->error_dirty) + return; diff --git a/queue-6.18/f2fs-fix-to-avoid-updating-compression-context-during-writeback.patch b/queue-6.18/f2fs-fix-to-avoid-updating-compression-context-during-writeback.patch new file mode 100644 index 0000000000..25fc6eaa75 --- /dev/null +++ b/queue-6.18/f2fs-fix-to-avoid-updating-compression-context-during-writeback.patch @@ -0,0 +1,159 @@ +From 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 22 Oct 2025 11:06:36 +0800 +Subject: f2fs: fix to avoid updating compression context during writeback + +From: Chao Yu + +commit 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 upstream. + +Bai, Shuangpeng reported a bug as below: + +Oops: divide error: 0000 [#1] SMP KASAN PTI +CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857 +Call Trace: + + f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline] + __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline] + f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317 + do_writepages+0x38e/0x640 mm/page-writeback.c:2634 + filemap_fdatawrite_wbc mm/filemap.c:386 [inline] + __filemap_fdatawrite_range mm/filemap.c:419 [inline] + file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794 + f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294 + generic_write_sync include/linux/fs.h:3043 [inline] + f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x7e9/0xe00 fs/read_write.c:686 + ksys_write+0x19d/0x2d0 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The bug was triggered w/ below race condition: + +fsync setattr ioctl +- f2fs_do_sync_file + - file_write_and_wait_range + - f2fs_write_cache_pages + : inode is non-compressed + : cc.cluster_size = + F2FS_I(inode)->i_cluster_size = 0 + - tag_pages_for_writeback + - f2fs_setattr + - truncate_setsize + - f2fs_truncate + - f2fs_fileattr_set + - f2fs_setflags_common + - set_compress_context + : F2FS_I(inode)->i_cluster_size = 4 + : set_inode_flag(inode, FI_COMPRESSED_FILE) + - f2fs_compressed_file + : return true + - f2fs_all_cluster_page_ready + : "pgidx % cc->cluster_size" trigger dividing 0 issue + +Let's change as below to fix this issue: +- introduce a new atomic type variable .writeback in structure f2fs_inode_info +to track the number of threads which calling f2fs_write_cache_pages(). +- use .i_sem lock to protect .writeback update. +- check .writeback before update compression context in f2fs_setflags_common() +to avoid race w/ ->writepages. + +Fixes: 4c8ff7095bef ("f2fs: support data compression") +Cc: stable@kernel.org +Reported-by: Bai, Shuangpeng +Tested-by: Bai, Shuangpeng +Closes: https://lore.kernel.org/lkml/44D8F7B3-68AD-425F-9915-65D27591F93F@psu.edu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 17 +++++++++++++++++ + fs/f2fs/f2fs.h | 3 ++- + fs/f2fs/file.c | 5 +++-- + fs/f2fs/super.c | 1 + + 4 files changed, 23 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -3224,6 +3224,19 @@ static inline bool __should_serialize_io + return false; + } + ++static inline void account_writeback(struct inode *inode, bool inc) ++{ ++ if (!f2fs_sb_has_compression(F2FS_I_SB(inode))) ++ return; ++ ++ f2fs_down_read(&F2FS_I(inode)->i_sem); ++ if (inc) ++ atomic_inc(&F2FS_I(inode)->writeback); ++ else ++ atomic_dec(&F2FS_I(inode)->writeback); ++ f2fs_up_read(&F2FS_I(inode)->i_sem); ++} ++ + static int __f2fs_write_data_pages(struct address_space *mapping, + struct writeback_control *wbc, + enum iostat_type io_type) +@@ -3269,10 +3282,14 @@ static int __f2fs_write_data_pages(struc + locked = true; + } + ++ account_writeback(inode, true); ++ + blk_start_plug(&plug); + ret = f2fs_write_cache_pages(mapping, wbc, io_type); + blk_finish_plug(&plug); + ++ account_writeback(inode, false); ++ + if (locked) + mutex_unlock(&sbi->writepages); + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -948,6 +948,7 @@ struct f2fs_inode_info { + unsigned char i_compress_level; /* compress level (lz4hc,zstd) */ + unsigned char i_compress_flag; /* compress flag */ + unsigned int i_cluster_size; /* cluster size */ ++ atomic_t writeback; /* count # of writeback thread */ + + unsigned int atomic_write_cnt; + loff_t original_i_size; /* original i_size before atomic write */ +@@ -4675,7 +4676,7 @@ static inline bool f2fs_disable_compress + f2fs_up_write(&fi->i_sem); + return true; + } +- if (f2fs_is_mmap_file(inode) || ++ if (f2fs_is_mmap_file(inode) || atomic_read(&fi->writeback) || + (S_ISREG(inode->i_mode) && F2FS_HAS_BLOCKS(inode))) { + f2fs_up_write(&fi->i_sem); + return false; +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2125,8 +2125,9 @@ static int f2fs_setflags_common(struct i + + f2fs_down_write(&fi->i_sem); + if (!f2fs_may_compress(inode) || +- (S_ISREG(inode->i_mode) && +- F2FS_HAS_BLOCKS(inode))) { ++ atomic_read(&fi->writeback) || ++ (S_ISREG(inode->i_mode) && ++ F2FS_HAS_BLOCKS(inode))) { + f2fs_up_write(&fi->i_sem); + return -EINVAL; + } +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1759,6 +1759,7 @@ static struct inode *f2fs_alloc_inode(st + atomic_set(&fi->dirty_pages, 0); + atomic_set(&fi->i_compr_blocks, 0); + atomic_set(&fi->open_count, 0); ++ atomic_set(&fi->writeback, 0); + init_f2fs_rwsem(&fi->i_sem); + spin_lock_init(&fi->i_size_lock); + INIT_LIST_HEAD(&fi->dirty_list); diff --git a/queue-6.18/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch b/queue-6.18/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch new file mode 100644 index 0000000000..97ff4b9776 --- /dev/null +++ b/queue-6.18/f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch @@ -0,0 +1,65 @@ +From 7c37c79510329cd951a4dedf3f7bf7e2b18dccec Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 20 Oct 2025 10:42:12 +0800 +Subject: f2fs: fix to avoid updating zero-sized extent in extent cache + +From: Chao Yu + +commit 7c37c79510329cd951a4dedf3f7bf7e2b18dccec upstream. + +As syzbot reported: + +F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] +------------[ cut here ]------------ +kernel BUG at fs/f2fs/extent_cache.c:678! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678 +Call Trace: + + f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085 + f2fs_do_zero_range fs/f2fs/file.c:1657 [inline] + f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737 + f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030 + vfs_fallocate+0x669/0x7e0 fs/open.c:342 + ioctl_preallocate fs/ioctl.c:289 [inline] + file_ioctl+0x611/0x780 fs/ioctl.c:-1 + do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576 + __do_sys_ioctl fs/ioctl.c:595 [inline] + __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f07bc58eec9 + +In error path of f2fs_zero_range(), it may add a zero-sized extent +into extent cache, it should be avoided. + +Fixes: 6e9619499f53 ("f2fs: support in batch fzero in dnode page") +Cc: stable@kernel.org +Reported-by: syzbot+24124df3170c3638b35f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/68e5d698.050a0220.256323.0032.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1654,8 +1654,11 @@ static int f2fs_do_zero_range(struct dno + f2fs_set_data_blkaddr(dn, NEW_ADDR); + } + +- f2fs_update_read_extent_cache_range(dn, start, 0, index - start); +- f2fs_update_age_extent_cache_range(dn, start, index - start); ++ if (index > start) { ++ f2fs_update_read_extent_cache_range(dn, start, 0, ++ index - start); ++ f2fs_update_age_extent_cache_range(dn, start, index - start); ++ } + + return ret; + } diff --git a/queue-6.18/f2fs-fix-to-detect-recoverable-inode-during-dryrun-of-find_fsync_dnodes.patch b/queue-6.18/f2fs-fix-to-detect-recoverable-inode-during-dryrun-of-find_fsync_dnodes.patch new file mode 100644 index 0000000000..82172a8b88 --- /dev/null +++ b/queue-6.18/f2fs-fix-to-detect-recoverable-inode-during-dryrun-of-find_fsync_dnodes.patch @@ -0,0 +1,104 @@ +From 68d05693f8c031257a0822464366e1c2a239a512 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 5 Nov 2025 14:50:23 +0800 +Subject: f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() + +From: Chao Yu + +commit 68d05693f8c031257a0822464366e1c2a239a512 upstream. + +mkfs.f2fs -f /dev/vdd +mount /dev/vdd /mnt/f2fs +touch /mnt/f2fs/foo +sync # avoid CP_UMOUNT_FLAG in last f2fs_checkpoint.ckpt_flags +touch /mnt/f2fs/bar +f2fs_io fsync /mnt/f2fs/bar +f2fs_io shutdown 2 /mnt/f2fs +umount /mnt/f2fs +blockdev --setro /dev/vdd +mount /dev/vdd /mnt/f2fs +mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only. + +For the case if we create and fsync a new inode before sudden power-cut, +without norecovery or disable_roll_forward mount option, the following +mount will succeed w/o recovering last fsynced inode. + +The problem here is that we only check inode_list list after +find_fsync_dnodes() in f2fs_recover_fsync_data() to find out whether +there is recoverable data in the iamge, but there is a missed case, if +last fsynced inode is not existing in last checkpoint, then, we will +fail to get its inode due to nat of inode node is not existing in last +checkpoint, so the inode won't be linked in inode_list. + +Let's detect such case in dyrun mode to fix this issue. + +After this change, mount will fail as expected below: +mount: /mnt/f2fs: cannot mount /dev/vdd read-only. + dmesg(1) may have more information after failed mount system call. +demsg: +F2FS-fs (vdd): Need to recover fsync data, but write access unavailable, please try mount w/ disable_roll_forward or norecovery + +Cc: stable@kernel.org +Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/recovery.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -399,7 +399,7 @@ static int sanity_check_node_chain(struc + } + + static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head, +- bool check_only) ++ bool check_only, bool *new_inode) + { + struct curseg_info *curseg; + block_t blkaddr, blkaddr_fast; +@@ -447,16 +447,19 @@ static int find_fsync_dnodes(struct f2fs + quota_inode = true; + } + +- /* +- * CP | dnode(F) | inode(DF) +- * For this case, we should not give up now. +- */ + entry = add_fsync_inode(sbi, head, ino_of_node(folio), + quota_inode); + if (IS_ERR(entry)) { + err = PTR_ERR(entry); +- if (err == -ENOENT) ++ /* ++ * CP | dnode(F) | inode(DF) ++ * For this case, we should not give up now. ++ */ ++ if (err == -ENOENT) { ++ if (check_only) ++ *new_inode = true; + goto next; ++ } + f2fs_folio_put(folio, true); + break; + } +@@ -875,6 +878,7 @@ int f2fs_recover_fsync_data(struct f2fs_ + int ret = 0; + unsigned long s_flags = sbi->sb->s_flags; + bool need_writecp = false; ++ bool new_inode = false; + + f2fs_notice(sbi, "f2fs_recover_fsync_data: recovery fsync data, " + "check_only: %d", check_only); +@@ -890,8 +894,8 @@ int f2fs_recover_fsync_data(struct f2fs_ + f2fs_down_write(&sbi->cp_global_sem); + + /* step #1: find fsynced inode numbers */ +- err = find_fsync_dnodes(sbi, &inode_list, check_only); +- if (err || list_empty(&inode_list)) ++ err = find_fsync_dnodes(sbi, &inode_list, check_only, &new_inode); ++ if (err < 0 || (list_empty(&inode_list) && (!check_only || !new_inode))) + goto skip; + + if (check_only) { diff --git a/queue-6.18/f2fs-fix-to-not-account-invalid-blocks-in-get_left_section_blocks.patch b/queue-6.18/f2fs-fix-to-not-account-invalid-blocks-in-get_left_section_blocks.patch new file mode 100644 index 0000000000..ebe742addf --- /dev/null +++ b/queue-6.18/f2fs-fix-to-not-account-invalid-blocks-in-get_left_section_blocks.patch @@ -0,0 +1,42 @@ +From 37345eae9deaa2e4f372eeb98f6594cd0ee0916e Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Fri, 28 Nov 2025 17:25:07 +0800 +Subject: f2fs: fix to not account invalid blocks in get_left_section_blocks() + +From: Chao Yu + +commit 37345eae9deaa2e4f372eeb98f6594cd0ee0916e upstream. + +w/ LFS mode, in get_left_section_blocks(), we should not account the +blocks which were used before and now are invalided, otherwise those +blocks will be counted as freed one in has_curseg_enough_space(), result +in missing to trigger GC in time. + +Cc: stable@kernel.org +Fixes: 249ad438e1d9 ("f2fs: add a method for calculating the remaining blocks in the current segment in LFS mode.") +Fixes: bf34c93d2645 ("f2fs: check curseg space before foreground GC") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/segment.h | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -607,10 +607,12 @@ static inline int reserved_sections(stru + static inline unsigned int get_left_section_blocks(struct f2fs_sb_info *sbi, + enum log_type type, unsigned int segno) + { +- if (f2fs_lfs_mode(sbi) && __is_large_section(sbi)) +- return CAP_BLKS_PER_SEC(sbi) - SEGS_TO_BLKS(sbi, +- (segno - GET_START_SEG_FROM_SEC(sbi, segno))) - ++ if (f2fs_lfs_mode(sbi)) { ++ unsigned int used_blocks = __is_large_section(sbi) ? SEGS_TO_BLKS(sbi, ++ (segno - GET_START_SEG_FROM_SEC(sbi, segno))) : 0; ++ return CAP_BLKS_PER_SEC(sbi) - used_blocks - + CURSEG_I(sbi, type)->next_blkoff; ++ } + return CAP_BLKS_PER_SEC(sbi) - get_ckpt_valid_blocks(sbi, segno, true); + } + diff --git a/queue-6.18/f2fs-fix-to-propagate-error-from-f2fs_enable_checkpoint.patch b/queue-6.18/f2fs-fix-to-propagate-error-from-f2fs_enable_checkpoint.patch new file mode 100644 index 0000000000..3953949376 --- /dev/null +++ b/queue-6.18/f2fs-fix-to-propagate-error-from-f2fs_enable_checkpoint.patch @@ -0,0 +1,95 @@ +From be112e7449a6e1b54aa9feac618825d154b3a5c7 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 27 Oct 2025 14:35:33 +0800 +Subject: f2fs: fix to propagate error from f2fs_enable_checkpoint() + +From: Chao Yu + +commit be112e7449a6e1b54aa9feac618825d154b3a5c7 upstream. + +In order to let userspace detect such error rather than suffering +silent failure. + +Fixes: 4354994f097d ("f2fs: checkpoint disabling") +Cc: stable@kernel.org +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2634,10 +2634,11 @@ restore_flag: + return err; + } + +-static void f2fs_enable_checkpoint(struct f2fs_sb_info *sbi) ++static int f2fs_enable_checkpoint(struct f2fs_sb_info *sbi) + { + unsigned int nr_pages = get_pages(sbi, F2FS_DIRTY_DATA) / 16; + long long start, writeback, end; ++ int ret; + + f2fs_info(sbi, "f2fs_enable_checkpoint() starts, meta: %lld, node: %lld, data: %lld", + get_pages(sbi, F2FS_DIRTY_META), +@@ -2671,7 +2672,9 @@ static void f2fs_enable_checkpoint(struc + set_sbi_flag(sbi, SBI_IS_DIRTY); + f2fs_up_write(&sbi->gc_lock); + +- f2fs_sync_fs(sbi->sb, 1); ++ ret = f2fs_sync_fs(sbi->sb, 1); ++ if (ret) ++ f2fs_err(sbi, "%s sync_fs failed, ret: %d", __func__, ret); + + /* Let's ensure there's no pending checkpoint anymore */ + f2fs_flush_ckpt_thread(sbi); +@@ -2681,6 +2684,7 @@ static void f2fs_enable_checkpoint(struc + f2fs_info(sbi, "f2fs_enable_checkpoint() finishes, writeback:%llu, sync:%llu", + ktime_ms_delta(writeback, start), + ktime_ms_delta(end, writeback)); ++ return ret; + } + + static int __f2fs_remount(struct fs_context *fc, struct super_block *sb) +@@ -2894,7 +2898,9 @@ static int __f2fs_remount(struct fs_cont + goto restore_discard; + need_enable_checkpoint = true; + } else { +- f2fs_enable_checkpoint(sbi); ++ err = f2fs_enable_checkpoint(sbi); ++ if (err) ++ goto restore_discard; + need_disable_checkpoint = true; + } + } +@@ -2937,7 +2943,8 @@ skip: + return 0; + restore_checkpoint: + if (need_enable_checkpoint) { +- f2fs_enable_checkpoint(sbi); ++ if (f2fs_enable_checkpoint(sbi)) ++ f2fs_warn(sbi, "checkpoint has not been enabled"); + } else if (need_disable_checkpoint) { + if (f2fs_disable_checkpoint(sbi)) + f2fs_warn(sbi, "checkpoint has not been disabled"); +@@ -5232,13 +5239,12 @@ reset_checkpoint: + if (err) + goto sync_free_meta; + +- if (test_opt(sbi, DISABLE_CHECKPOINT)) { ++ if (test_opt(sbi, DISABLE_CHECKPOINT)) + err = f2fs_disable_checkpoint(sbi); +- if (err) +- goto sync_free_meta; +- } else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)) { +- f2fs_enable_checkpoint(sbi); +- } ++ else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)) ++ err = f2fs_enable_checkpoint(sbi); ++ if (err) ++ goto sync_free_meta; + + /* + * If filesystem is not mounted as read-only then diff --git a/queue-6.18/f2fs-fix-uninitialized-one_time_gc-in-victim_sel_policy.patch b/queue-6.18/f2fs-fix-uninitialized-one_time_gc-in-victim_sel_policy.patch new file mode 100644 index 0000000000..f282ce3421 --- /dev/null +++ b/queue-6.18/f2fs-fix-uninitialized-one_time_gc-in-victim_sel_policy.patch @@ -0,0 +1,106 @@ +From 392711ef18bff524a873b9c239a73148c5432262 Mon Sep 17 00:00:00 2001 +From: Xiaole He +Date: Wed, 29 Oct 2025 13:18:07 +0800 +Subject: f2fs: fix uninitialized one_time_gc in victim_sel_policy + +From: Xiaole He + +commit 392711ef18bff524a873b9c239a73148c5432262 upstream. + +The one_time_gc field in struct victim_sel_policy is conditionally +initialized but unconditionally read, leading to undefined behavior +that triggers UBSAN warnings. + +In f2fs_get_victim() at fs/f2fs/gc.c:774, the victim_sel_policy +structure is declared without initialization: + + struct victim_sel_policy p; + +The field p.one_time_gc is only assigned when the 'one_time' parameter +is true (line 789): + + if (one_time) { + p.one_time_gc = one_time; + ... + } + +However, this field is unconditionally read in subsequent get_gc_cost() +at line 395: + + if (p->one_time_gc && (valid_thresh_ratio < 100) && ...) + +When one_time is false, p.one_time_gc contains uninitialized stack +memory. Hence p.one_time_gc is an invalid bool value. + +UBSAN detects this invalid bool value: + + UBSAN: invalid-load in fs/f2fs/gc.c:395:7 + load of value 77 is not a valid value for type '_Bool' + CPU: 3 UID: 0 PID: 1297 Comm: f2fs_gc-252:16 Not tainted 6.18.0-rc3 + #5 PREEMPT(voluntary) + Hardware name: OpenStack Foundation OpenStack Nova, + BIOS 1.13.0-1ubuntu1.1 04/01/2014 + Call Trace: + + dump_stack_lvl+0x70/0x90 + dump_stack+0x14/0x20 + __ubsan_handle_load_invalid_value+0xb3/0xf0 + ? dl_server_update+0x2e/0x40 + ? update_curr+0x147/0x170 + f2fs_get_victim.cold+0x66/0x134 [f2fs] + ? sched_balance_newidle+0x2ca/0x470 + ? finish_task_switch.isra.0+0x8d/0x2a0 + f2fs_gc+0x2ba/0x8e0 [f2fs] + ? _raw_spin_unlock_irqrestore+0x12/0x40 + ? __timer_delete_sync+0x80/0xe0 + ? timer_delete_sync+0x14/0x20 + ? schedule_timeout+0x82/0x100 + gc_thread_func+0x38b/0x860 [f2fs] + ? gc_thread_func+0x38b/0x860 [f2fs] + ? __pfx_autoremove_wake_function+0x10/0x10 + kthread+0x10b/0x220 + ? __pfx_gc_thread_func+0x10/0x10 [f2fs] + ? _raw_spin_unlock_irq+0x12/0x40 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x11a/0x160 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + + +This issue is reliably reproducible with the following steps on a +100GB SSD /dev/vdb: + + mkfs.f2fs -f /dev/vdb + mount /dev/vdb /mnt/f2fs_test + fio --name=gc --directory=/mnt/f2fs_test --rw=randwrite \ + --bs=4k --size=8G --numjobs=12 --fsync=4 --runtime=10 \ + --time_based + echo 1 > /sys/fs/f2fs/vdb/gc_urgent + +The uninitialized value causes incorrect GC victim selection, leading +to unpredictable garbage collection behavior. + +Fix by zero-initializing the entire victim_sel_policy structure to +ensure all fields have defined values. + +Fixes: e791d00bd06c ("f2fs: add valid block ratio not to do excessive GC for one time GC") +Cc: stable@kernel.org +Signed-off-by: Xiaole He +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -774,7 +774,7 @@ int f2fs_get_victim(struct f2fs_sb_info + { + struct dirty_seglist_info *dirty_i = DIRTY_I(sbi); + struct sit_info *sm = SIT_I(sbi); +- struct victim_sel_policy p; ++ struct victim_sel_policy p = {0}; + unsigned int secno, last_victim; + unsigned int last_segment; + unsigned int nsearched; diff --git a/queue-6.18/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch b/queue-6.18/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch new file mode 100644 index 0000000000..d39e0b45cd --- /dev/null +++ b/queue-6.18/f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch @@ -0,0 +1,91 @@ +From d33f89b34aa313f50f9a512d58dd288999f246b0 Mon Sep 17 00:00:00 2001 +From: Deepanshu Kartikey +Date: Mon, 27 Oct 2025 18:36:34 +0530 +Subject: f2fs: invalidate dentry cache on failed whiteout creation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Deepanshu Kartikey + +commit d33f89b34aa313f50f9a512d58dd288999f246b0 upstream. + +F2FS can mount filesystems with corrupted directory depth values that +get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT +operations are performed on such directories, f2fs_rename performs +directory modifications (updating target entry and deleting source +entry) before attempting to add the whiteout entry via f2fs_add_link. + +If f2fs_add_link fails due to the corrupted directory structure, the +function returns an error to VFS, but the partial directory +modifications have already been committed to disk. VFS assumes the +entire rename operation failed and does not update the dentry cache, +leaving stale mappings. + +In the error path, VFS does not call d_move() to update the dentry +cache. This results in new_dentry still pointing to the old inode +(new_inode) which has already had its i_nlink decremented to zero. +The stale cache causes subsequent operations to incorrectly reference +the freed inode. + +This causes subsequent operations to use cached dentry information that +no longer matches the on-disk state. When a second rename targets the +same entry, VFS attempts to decrement i_nlink on the stale inode, which +may already have i_nlink=0, triggering a WARNING in drop_nlink(). + +Example sequence: +1. First rename (RENAME_WHITEOUT): file2 → file1 + - f2fs updates file1 entry on disk (points to inode 8) + - f2fs deletes file2 entry on disk + - f2fs_add_link(whiteout) fails (corrupted directory) + - Returns error to VFS + - VFS does not call d_move() due to error + - VFS cache still has: file1 → inode 7 (stale!) + - inode 7 has i_nlink=0 (already decremented) + +2. Second rename: file3 → file1 + - VFS uses stale cache: file1 → inode 7 + - Tries to drop_nlink on inode 7 (i_nlink already 0) + - WARNING in drop_nlink() + +Fix this by explicitly invalidating old_dentry and new_dentry when +f2fs_add_link fails during whiteout creation. This forces VFS to +refresh from disk on subsequent operations, ensuring cache consistency +even when the rename partially succeeds. + +Reproducer: +1. Mount F2FS image with corrupted i_current_depth +2. renameat2(file2, file1, RENAME_WHITEOUT) +3. renameat2(file3, file1, 0) +4. System triggers WARNING in drop_nlink() + +Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT") +Reported-by: syzbot+632cf32276a9a564188d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d +Suggested-by: Chao Yu +Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1] +Cc: stable@vger.kernel.org +Signed-off-by: Deepanshu Kartikey +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/namei.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -1053,9 +1053,11 @@ static int f2fs_rename(struct mnt_idmap + if (whiteout) { + set_inode_flag(whiteout, FI_INC_LINK); + err = f2fs_add_link(old_dentry, whiteout); +- if (err) ++ if (err) { ++ d_invalidate(old_dentry); ++ d_invalidate(new_dentry); + goto put_out_dir; +- ++ } + spin_lock(&whiteout->i_lock); + whiteout->i_state &= ~I_LINKABLE; + spin_unlock(&whiteout->i_lock); diff --git a/queue-6.18/f2fs-use-global-inline_xattr_slab-instead-of-per-sb-slab-cache.patch b/queue-6.18/f2fs-use-global-inline_xattr_slab-instead-of-per-sb-slab-cache.patch new file mode 100644 index 0000000000..5a906752e4 --- /dev/null +++ b/queue-6.18/f2fs-use-global-inline_xattr_slab-instead-of-per-sb-slab-cache.patch @@ -0,0 +1,239 @@ +From 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 21 Oct 2025 11:48:56 +0800 +Subject: f2fs: use global inline_xattr_slab instead of per-sb slab cache +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chao Yu + +commit 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 upstream. + +As Hong Yun reported in mailing list: + +loop7: detected capacity change from 0 to 131072 +------------[ cut here ]------------ +kmem_cache of name 'f2fs_xattr_entry-7:7' already exists +WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] +WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 +CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] +RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 +Call Trace: + __kmem_cache_create include/linux/slab.h:353 [inline] + f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline] + f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843 + f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918 + get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692 + vfs_get_tree+0x43/0x140 fs/super.c:1815 + do_new_mount+0x201/0x550 fs/namespace.c:3808 + do_mount fs/namespace.c:4136 [inline] + __do_sys_mount fs/namespace.c:4347 [inline] + __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The bug can be reproduced w/ below scripts: +- mount /dev/vdb /mnt1 +- mount /dev/vdc /mnt2 +- umount /mnt1 +- mounnt /dev/vdb /mnt1 + +The reason is if we created two slab caches, named f2fs_xattr_entry-7:3 +and f2fs_xattr_entry-7:7, and they have the same slab size. Actually, +slab system will only create one slab cache core structure which has +slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same +structure and cache address. + +So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will +decrease reference count of slab cache, rather than release slab cache +entirely, since there is one more user has referenced the cache. + +Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again, +slab system will find that there is existed cache which has the same name +and trigger the warning. + +Let's changes to use global inline_xattr_slab instead of per-sb slab cache +for fixing. + +Fixes: a999150f4fe3 ("f2fs: use kmem_cache pool during inline xattr lookups") +Cc: stable@kernel.org +Reported-by: Hong Yun +Tested-by: Hong Yun +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 3 --- + fs/f2fs/super.c | 17 ++++++++--------- + fs/f2fs/xattr.c | 32 +++++++++++--------------------- + fs/f2fs/xattr.h | 10 ++++++---- + 4 files changed, 25 insertions(+), 37 deletions(-) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1886,9 +1886,6 @@ struct f2fs_sb_info { + spinlock_t error_lock; /* protect errors/stop_reason array */ + bool error_dirty; /* errors of sb is dirty */ + +- struct kmem_cache *inline_xattr_slab; /* inline xattr entry */ +- unsigned int inline_xattr_slab_size; /* default inline xattr slab size */ +- + /* For reclaimed segs statistics per each GC mode */ + unsigned int gc_segment_mode; /* GC state for reclaimed segments */ + unsigned int gc_reclaimed_segs[MAX_GC_MODE]; /* Reclaimed segs for each mode */ +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2028,7 +2028,6 @@ static void f2fs_put_super(struct super_ + kfree(sbi->raw_super); + + f2fs_destroy_page_array_cache(sbi); +- f2fs_destroy_xattr_caches(sbi); + #ifdef CONFIG_QUOTA + for (i = 0; i < MAXQUOTAS; i++) + kfree(F2FS_OPTION(sbi).s_qf_names[i]); +@@ -4997,13 +4996,9 @@ try_onemore: + if (err) + goto free_iostat; + +- /* init per sbi slab cache */ +- err = f2fs_init_xattr_caches(sbi); +- if (err) +- goto free_percpu; + err = f2fs_init_page_array_cache(sbi); + if (err) +- goto free_xattr_cache; ++ goto free_percpu; + + /* get an inode for meta space */ + sbi->meta_inode = f2fs_iget(sb, F2FS_META_INO(sbi)); +@@ -5331,8 +5326,6 @@ free_meta_inode: + sbi->meta_inode = NULL; + free_page_array_cache: + f2fs_destroy_page_array_cache(sbi); +-free_xattr_cache: +- f2fs_destroy_xattr_caches(sbi); + free_percpu: + destroy_percpu_info(sbi); + free_iostat: +@@ -5535,10 +5528,15 @@ static int __init init_f2fs_fs(void) + err = f2fs_create_casefold_cache(); + if (err) + goto free_compress_cache; +- err = register_filesystem(&f2fs_fs_type); ++ err = f2fs_init_xattr_cache(); + if (err) + goto free_casefold_cache; ++ err = register_filesystem(&f2fs_fs_type); ++ if (err) ++ goto free_xattr_cache; + return 0; ++free_xattr_cache: ++ f2fs_destroy_xattr_cache(); + free_casefold_cache: + f2fs_destroy_casefold_cache(); + free_compress_cache: +@@ -5579,6 +5577,7 @@ fail: + static void __exit exit_f2fs_fs(void) + { + unregister_filesystem(&f2fs_fs_type); ++ f2fs_destroy_xattr_cache(); + f2fs_destroy_casefold_cache(); + f2fs_destroy_compress_cache(); + f2fs_destroy_compress_mempool(); +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -23,11 +23,12 @@ + #include "xattr.h" + #include "segment.h" + ++static struct kmem_cache *inline_xattr_slab; + static void *xattr_alloc(struct f2fs_sb_info *sbi, int size, bool *is_inline) + { +- if (likely(size == sbi->inline_xattr_slab_size)) { ++ if (likely(size == DEFAULT_XATTR_SLAB_SIZE)) { + *is_inline = true; +- return f2fs_kmem_cache_alloc(sbi->inline_xattr_slab, ++ return f2fs_kmem_cache_alloc(inline_xattr_slab, + GFP_F2FS_ZERO, false, sbi); + } + *is_inline = false; +@@ -38,7 +39,7 @@ static void xattr_free(struct f2fs_sb_in + bool is_inline) + { + if (is_inline) +- kmem_cache_free(sbi->inline_xattr_slab, xattr_addr); ++ kmem_cache_free(inline_xattr_slab, xattr_addr); + else + kfree(xattr_addr); + } +@@ -830,25 +831,14 @@ int f2fs_setxattr(struct inode *inode, i + return err; + } + +-int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi) ++int __init f2fs_init_xattr_cache(void) + { +- dev_t dev = sbi->sb->s_bdev->bd_dev; +- char slab_name[32]; +- +- sprintf(slab_name, "f2fs_xattr_entry-%u:%u", MAJOR(dev), MINOR(dev)); +- +- sbi->inline_xattr_slab_size = F2FS_OPTION(sbi).inline_xattr_size * +- sizeof(__le32) + XATTR_PADDING_SIZE; +- +- sbi->inline_xattr_slab = f2fs_kmem_cache_create(slab_name, +- sbi->inline_xattr_slab_size); +- if (!sbi->inline_xattr_slab) +- return -ENOMEM; +- +- return 0; ++ inline_xattr_slab = f2fs_kmem_cache_create("f2fs_xattr_entry", ++ DEFAULT_XATTR_SLAB_SIZE); ++ return inline_xattr_slab ? 0 : -ENOMEM; + } + +-void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi) ++void f2fs_destroy_xattr_cache(void) + { +- kmem_cache_destroy(sbi->inline_xattr_slab); +-} ++ kmem_cache_destroy(inline_xattr_slab); ++} +\ No newline at end of file +--- a/fs/f2fs/xattr.h ++++ b/fs/f2fs/xattr.h +@@ -89,6 +89,8 @@ struct f2fs_xattr_entry { + F2FS_TOTAL_EXTRA_ATTR_SIZE / sizeof(__le32) - \ + DEF_INLINE_RESERVED_SIZE - \ + MIN_INLINE_DENTRY_SIZE / sizeof(__le32)) ++#define DEFAULT_XATTR_SLAB_SIZE (DEFAULT_INLINE_XATTR_ADDRS * \ ++ sizeof(__le32) + XATTR_PADDING_SIZE) + + /* + * On-disk structure of f2fs_xattr +@@ -132,8 +134,8 @@ int f2fs_setxattr(struct inode *, int, c + int f2fs_getxattr(struct inode *, int, const char *, void *, + size_t, struct folio *); + ssize_t f2fs_listxattr(struct dentry *, char *, size_t); +-int f2fs_init_xattr_caches(struct f2fs_sb_info *); +-void f2fs_destroy_xattr_caches(struct f2fs_sb_info *); ++int __init f2fs_init_xattr_cache(void); ++void f2fs_destroy_xattr_cache(void); + #else + + #define f2fs_xattr_handlers NULL +@@ -150,8 +152,8 @@ static inline int f2fs_getxattr(struct i + { + return -EOPNOTSUPP; + } +-static inline int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi) { return 0; } +-static inline void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi) { } ++static inline int __init f2fs_init_xattr_cache(void) { return 0; } ++static inline void f2fs_destroy_xattr_cache(void) { } + #endif + + #ifdef CONFIG_F2FS_FS_SECURITY diff --git a/queue-6.18/intel_th-fix-error-handling-in-intel_th_output_open.patch b/queue-6.18/intel_th-fix-error-handling-in-intel_th_output_open.patch new file mode 100644 index 0000000000..69401b0e8c --- /dev/null +++ b/queue-6.18/intel_th-fix-error-handling-in-intel_th_output_open.patch @@ -0,0 +1,71 @@ +From 6d5925b667e4ed9e77c8278cc215191d29454a3f Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 12 Nov 2025 17:17:23 +0800 +Subject: intel_th: Fix error handling in intel_th_output_open + +From: Ma Ke + +commit 6d5925b667e4ed9e77c8278cc215191d29454a3f upstream. + +intel_th_output_open() calls bus_find_device_by_devt() which +internally increments the device reference count via get_device(), but +this reference is not properly released in several error paths. When +device driver is unavailable, file operations cannot be obtained, or +the driver's open method fails, the function returns without calling +put_device(), leading to a permanent device reference count leak. This +prevents the device from being properly released and could cause +resource exhaustion over time. + +Found by code review. + +Cc: stable +Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20251112091723.35963-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/core.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -810,13 +810,17 @@ static int intel_th_output_open(struct i + int err; + + dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev); +- if (!dev || !dev->driver) +- return -ENODEV; ++ if (!dev || !dev->driver) { ++ err = -ENODEV; ++ goto out_no_device; ++ } + + thdrv = to_intel_th_driver(dev->driver); + fops = fops_get(thdrv->fops); +- if (!fops) +- return -ENODEV; ++ if (!fops) { ++ err = -ENODEV; ++ goto out_put_device; ++ } + + replace_fops(file, fops); + +@@ -824,10 +828,16 @@ static int intel_th_output_open(struct i + + if (file->f_op->open) { + err = file->f_op->open(inode, file); +- return err; ++ if (err) ++ goto out_put_device; + } + + return 0; ++ ++out_put_device: ++ put_device(dev); ++out_no_device: ++ return err; + } + + static const struct file_operations intel_th_output_fops = { diff --git a/queue-6.18/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch b/queue-6.18/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch new file mode 100644 index 0000000000..22be61baf6 --- /dev/null +++ b/queue-6.18/media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch @@ -0,0 +1,38 @@ +From b91e6aafe8d356086cc621bc03e35ba2299e4788 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 21 Apr 2025 21:52:44 +0900 +Subject: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() + +From: Jeongjun Park + +commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream. + +rlen value is a user-controlled value, but dtv5100_i2c_msg() does not +check the size of the rlen value. Therefore, if it is set to a value +larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. + +Therefore, we need to add proper range checking to prevent this vuln. + +Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353") +Cc: stable@vger.kernel.org +Signed-off-by: Jeongjun Park +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/dvb-usb/dtv5100.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/usb/dvb-usb/dtv5100.c ++++ b/drivers/media/usb/dvb-usb/dtv5100.c +@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_us + } + index = (addr << 8) + wbuf[0]; + ++ if (rlen > sizeof(st->data)) { ++ warn("rlen = %x is too big!\n", rlen); ++ return -EINVAL; ++ } ++ + memcpy(st->data, rbuf, rlen); + msleep(1); /* avoid I2C errors */ + return usb_control_msg(d->udev, pipe, request, diff --git a/queue-6.18/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch b/queue-6.18/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch new file mode 100644 index 0000000000..28369e1fe6 --- /dev/null +++ b/queue-6.18/media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch @@ -0,0 +1,34 @@ +From be440980eace19c035a0745fd6b6e42707bc4f49 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Wed, 3 Sep 2025 09:44:16 +0100 +Subject: media: pvrusb2: Fix incorrect variable used in trace message + +From: Colin Ian King + +commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream. + +The pvr2_trace message is reporting an error about control read +transfers, however it is using the incorrect variable write_len +instead of read_lean. Fix this by using the correct variable +read_len. + +Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18") +Cc: stable@vger.kernel.org +Signed-off-by: Colin Ian King +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -3622,7 +3622,7 @@ static int pvr2_send_request_ex(struct p + pvr2_trace( + PVR2_TRACE_ERROR_LEGS, + "Attempted to execute %d byte control-read transfer (limit=%d)", +- write_len,PVR2_CTL_BUFFSIZE); ++ read_len, PVR2_CTL_BUFFSIZE); + return -EINVAL; + } + if ((!write_len) && (!read_len)) { diff --git a/queue-6.18/mei-fix-error-handling-in-mei_register.patch b/queue-6.18/mei-fix-error-handling-in-mei_register.patch new file mode 100644 index 0000000000..6567337f90 --- /dev/null +++ b/queue-6.18/mei-fix-error-handling-in-mei_register.patch @@ -0,0 +1,45 @@ +From a6dab2f61d23c1eb32f1d08fa7b4919a2478950b Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 4 Nov 2025 10:01:33 +0800 +Subject: mei: Fix error handling in mei_register + +From: Ma Ke + +commit a6dab2f61d23c1eb32f1d08fa7b4919a2478950b upstream. + +mei_register() fails to release the device reference in error paths +after device_initialize(). During normal device registration, the +reference is properly handled through mei_deregister() which calls +device_destroy(). However, in error handling paths (such as cdev_alloc +failure, cdev_add failure, etc.), missing put_device() calls cause +reference count leaks, preventing the device's release function +(mei_device_release) from being called and resulting in memory leaks +of mei_device. + +Found by code review. + +Cc: stable +Fixes: 7704e6be4ed2 ("mei: hook mei_device on class device") +Signed-off-by: Ma Ke +Acked-by: Alexander Usyskin +Link: https://patch.msgid.link/20251104020133.5017-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c +index 86a73684a373..6f26d5160788 100644 +--- a/drivers/misc/mei/main.c ++++ b/drivers/misc/mei/main.c +@@ -1307,6 +1307,7 @@ int mei_register(struct mei_device *dev, struct device *parent) + err_del_cdev: + cdev_del(dev->cdev); + err: ++ put_device(&dev->dev); + mei_minor_free(minor); + return ret; + } +-- +2.52.0 + diff --git a/queue-6.18/mei-gsc-add-dependency-on-xe-driver.patch b/queue-6.18/mei-gsc-add-dependency-on-xe-driver.patch new file mode 100644 index 0000000000..8a8b7d2d63 --- /dev/null +++ b/queue-6.18/mei-gsc-add-dependency-on-xe-driver.patch @@ -0,0 +1,34 @@ +From 5d92c3b41f0bddfa416130c6e1b424414f3d2acf Mon Sep 17 00:00:00 2001 +From: Junxiao Chang +Date: Sun, 9 Nov 2025 17:35:33 +0200 +Subject: mei: gsc: add dependency on Xe driver + +From: Junxiao Chang + +commit 5d92c3b41f0bddfa416130c6e1b424414f3d2acf upstream. + +INTEL_MEI_GSC depends on either i915 or Xe +and can be present when either of above is present. + +Cc: stable +Fixes: 87a4c85d3a3e ("drm/xe/gsc: add gsc device support") +Tested-by: Baoli Zhang +Signed-off-by: Junxiao Chang +Signed-off-by: Alexander Usyskin +Link: https://patch.msgid.link/20251109153533.3179787-1-alexander.usyskin@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/mei/Kconfig ++++ b/drivers/misc/mei/Kconfig +@@ -49,7 +49,7 @@ config INTEL_MEI_TXE + config INTEL_MEI_GSC + tristate "Intel MEI GSC embedded device" + depends on INTEL_MEI_ME +- depends on DRM_I915 ++ depends on DRM_I915 || DRM_XE + help + Intel auxiliary driver for GSC devices embedded in Intel graphics devices. + diff --git a/queue-6.18/nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch b/queue-6.18/nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch new file mode 100644 index 0000000000..4c7f63b9c4 --- /dev/null +++ b/queue-6.18/nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch @@ -0,0 +1,34 @@ +From 6f52063db9aabdaabea929b1e998af98c2e8d917 Mon Sep 17 00:00:00 2001 +From: Dai Ngo +Date: Wed, 5 Nov 2025 12:45:54 -0800 +Subject: NFSD: use correct reservation type in nfsd4_scsi_fence_client + +From: Dai Ngo + +commit 6f52063db9aabdaabea929b1e998af98c2e8d917 upstream. + +The reservation type argument for the pr_preempt call should match the +one used in nfsd4_block_get_device_info_scsi. + +Fixes: f99d4fbdae67 ("nfsd: add SCSI layout support") +Cc: stable@vger.kernel.org +Signed-off-by: Dai Ngo +Reviewed-by: Christoph Hellwig +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/blocklayout.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/blocklayout.c ++++ b/fs/nfsd/blocklayout.c +@@ -344,7 +344,8 @@ nfsd4_scsi_fence_client(struct nfs4_layo + struct block_device *bdev = file->nf_file->f_path.mnt->mnt_sb->s_bdev; + + bdev->bd_disk->fops->pr_ops->pr_preempt(bdev, NFSD_MDS_PR_KEY, +- nfsd4_scsi_pr_key(clp), 0, true); ++ nfsd4_scsi_pr_key(clp), ++ PR_EXCLUSIVE_ACCESS_REG_ONLY, true); + } + + const struct nfsd4_layout_ops scsi_layout_ops = { diff --git a/queue-6.18/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch b/queue-6.18/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch new file mode 100644 index 0000000000..37856b9970 --- /dev/null +++ b/queue-6.18/phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch @@ -0,0 +1,57 @@ +From 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Oct 2025 07:45:37 +0200 +Subject: phy: broadcom: bcm63xx-usbh: fix section mismatches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johan Hovold + +commit 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 upstream. + +Platform drivers can be probed after their init sections have been +discarded (e.g. on probe deferral or manual rebind through sysfs) so the +probe function and match table must not live in init. + +Fixes: 783f6d3dcf35 ("phy: bcm63xx-usbh: Add BCM63xx USBH driver") +Cc: stable@vger.kernel.org # 5.9 +Cc: Álvaro Fernández Rojas +Signed-off-by: Johan Hovold +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20251017054537.6884-1-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/phy/broadcom/phy-bcm63xx-usbh.c ++++ b/drivers/phy/broadcom/phy-bcm63xx-usbh.c +@@ -375,7 +375,7 @@ static struct phy *bcm63xx_usbh_phy_xlat + return of_phy_simple_xlate(dev, args); + } + +-static int __init bcm63xx_usbh_phy_probe(struct platform_device *pdev) ++static int bcm63xx_usbh_phy_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct bcm63xx_usbh_phy *usbh; +@@ -432,7 +432,7 @@ static int __init bcm63xx_usbh_phy_probe + return 0; + } + +-static const struct of_device_id bcm63xx_usbh_phy_ids[] __initconst = { ++static const struct of_device_id bcm63xx_usbh_phy_ids[] = { + { .compatible = "brcm,bcm6318-usbh-phy", .data = &usbh_bcm6318 }, + { .compatible = "brcm,bcm6328-usbh-phy", .data = &usbh_bcm6328 }, + { .compatible = "brcm,bcm6358-usbh-phy", .data = &usbh_bcm6358 }, +@@ -443,7 +443,7 @@ static const struct of_device_id bcm63xx + }; + MODULE_DEVICE_TABLE(of, bcm63xx_usbh_phy_ids); + +-static struct platform_driver bcm63xx_usbh_phy_driver __refdata = { ++static struct platform_driver bcm63xx_usbh_phy_driver = { + .driver = { + .name = "bcm63xx-usbh-phy", + .of_match_table = bcm63xx_usbh_phy_ids, diff --git a/queue-6.18/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch b/queue-6.18/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch new file mode 100644 index 0000000000..77af2a8bcb --- /dev/null +++ b/queue-6.18/scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch @@ -0,0 +1,43 @@ +From f6ab594672d4cba08540919a4e6be2e202b60007 Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Wed, 29 Oct 2025 00:29:04 +0800 +Subject: scsi: aic94xx: fix use-after-free in device removal path + +From: Junrui Luo + +commit f6ab594672d4cba08540919a4e6be2e202b60007 upstream. + +The asd_pci_remove() function fails to synchronize with pending tasklets +before freeing the asd_ha structure, leading to a potential +use-after-free vulnerability. + +When a device removal is triggered (via hot-unplug or module unload), +race condition can occur. + +The fix adds tasklet_kill() before freeing the asd_ha structure, +ensuring all scheduled tasklets complete before cleanup proceeds. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Cc: stable@vger.kernel.org +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aic94xx/aic94xx_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/aic94xx/aic94xx_init.c ++++ b/drivers/scsi/aic94xx/aic94xx_init.c +@@ -882,6 +882,9 @@ static void asd_pci_remove(struct pci_de + + asd_disable_ints(asd_ha); + ++ /* Ensure all scheduled tasklets complete before freeing resources */ ++ tasklet_kill(&asd_ha->seq.dl_tasklet); ++ + asd_remove_dev_attrs(asd_ha); + + /* XXX more here as needed */ diff --git a/queue-6.18/scsi-mpi3mr-read-missing-iocfacts-flag-for-reply-queue-full-overflow.patch b/queue-6.18/scsi-mpi3mr-read-missing-iocfacts-flag-for-reply-queue-full-overflow.patch new file mode 100644 index 0000000000..bd6445c746 --- /dev/null +++ b/queue-6.18/scsi-mpi3mr-read-missing-iocfacts-flag-for-reply-queue-full-overflow.patch @@ -0,0 +1,46 @@ +From d373163194982f43b92c552c138c29d9f0b79553 Mon Sep 17 00:00:00 2001 +From: Chandrakanth Patil +Date: Thu, 11 Dec 2025 05:59:29 +0530 +Subject: scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow + +From: Chandrakanth Patil + +commit d373163194982f43b92c552c138c29d9f0b79553 upstream. + +The driver was not reading the MAX_REQ_PER_REPLY_QUEUE_LIMIT IOCFacts +flag, so the reply-queue-full handling was never enabled, even on +firmware that supports it. Reading this flag enables the feature and +prevents reply queue overflow. + +Fixes: f08b24d82749 ("scsi: mpi3mr: Avoid reply queue full condition") +Cc: stable@vger.kernel.org +Signed-off-by: Chandrakanth Patil +Link: https://patch.msgid.link/20251211002929.22071-1-chandrakanth.patil@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpi3mr/mpi/mpi30_ioc.h | 1 + + drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/scsi/mpi3mr/mpi/mpi30_ioc.h ++++ b/drivers/scsi/mpi3mr/mpi/mpi30_ioc.h +@@ -166,6 +166,7 @@ struct mpi3_ioc_facts_data { + #define MPI3_IOCFACTS_FLAGS_SIGNED_NVDATA_REQUIRED (0x00010000) + #define MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_MASK (0x0000ff00) + #define MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_SHIFT (8) ++#define MPI3_IOCFACTS_FLAGS_MAX_REQ_PER_REPLY_QUEUE_LIMIT (0x00000040) + #define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_MASK (0x00000030) + #define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_SHIFT (4) + #define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_NOT_STARTED (0x00000000) +--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c +@@ -3158,6 +3158,8 @@ static void mpi3mr_process_factsdata(str + mrioc->facts.dma_mask = (facts_flags & + MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_MASK) >> + MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_SHIFT; ++ mrioc->facts.max_req_limit = (facts_flags & ++ MPI3_IOCFACTS_FLAGS_MAX_REQ_PER_REPLY_QUEUE_LIMIT); + mrioc->facts.protocol_flags = facts_data->protocol_flags; + mrioc->facts.mpi_version = le32_to_cpu(facts_data->mpi_version.word); + mrioc->facts.max_reqs = le16_to_cpu(facts_data->max_outstanding_requests); diff --git a/queue-6.18/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch b/queue-6.18/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch new file mode 100644 index 0000000000..b9c9892130 --- /dev/null +++ b/queue-6.18/scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch @@ -0,0 +1,92 @@ +From b57fbc88715b6d18f379463f48a15b560b087ffe Mon Sep 17 00:00:00 2001 +From: Tony Battersby +Date: Mon, 10 Nov 2025 10:47:35 -0500 +Subject: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" + +From: Tony Battersby + +commit b57fbc88715b6d18f379463f48a15b560b087ffe upstream. + +This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. + +The commit being reverted added code to __qla2x00_abort_all_cmds() to +call sp->done() without holding a spinlock. But unlike the older code +below it, this new code failed to check sp->cmd_type and just assumed +TYPE_SRB, which results in a jump to an invalid pointer in target-mode +with TYPE_TGT_CMD: + +qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success + 0000000009f7a79b +qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h + mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. +qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer +qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event + 0x8002 occurred +qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - + ha=0000000058183fda. +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PF: supervisor instruction fetch in kernel mode +PF: error_code(0x0010) - not-present page +PGD 0 P4D 0 +Oops: 0010 [#1] SMP +CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 +Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 +RIP: 0010:0x0 +Code: Unable to access opcode bytes at 0xffffffffffffffd6. +RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 +RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 +RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 +RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 +R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 +R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 +FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? __die+0x4d/0x8b + ? page_fault_oops+0x91/0x180 + ? trace_buffer_unlock_commit_regs+0x38/0x1a0 + ? exc_page_fault+0x391/0x5e0 + ? asm_exc_page_fault+0x22/0x30 + __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] + qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] + qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] + qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] + qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] + kthread+0xa8/0xd0 + + +Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within +lock") added the spinlock back, because not having the lock caused a +race and a crash. But qla2x00_abort_srb() in the switch below already +checks for qla2x00_chip_is_down() and handles it the same way, so the +code above the switch is now redundant and still buggy in target-mode. +Remove it. + +Cc: stable@vger.kernel.org +Signed-off-by: Tony Battersby +Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1862,12 +1862,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai + for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) { + sp = req->outstanding_cmds[cnt]; + if (sp) { +- if (qla2x00_chip_is_down(vha)) { +- req->outstanding_cmds[cnt] = NULL; +- sp->done(sp, res); +- continue; +- } +- + switch (sp->cmd_type) { + case TYPE_SRB: + qla2x00_abort_srb(qp, sp, res, &flags); diff --git a/queue-6.18/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch b/queue-6.18/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch new file mode 100644 index 0000000000..91f3f0fda7 --- /dev/null +++ b/queue-6.18/scsi-target-reset-t_task_cdb-pointer-in-error-case.patch @@ -0,0 +1,38 @@ +From 5053eab38a4c4543522d0c320c639c56a8b59908 Mon Sep 17 00:00:00 2001 +From: Andrey Vatoropin +Date: Tue, 18 Nov 2025 08:42:31 +0000 +Subject: scsi: target: Reset t_task_cdb pointer in error case + +From: Andrey Vatoropin + +commit 5053eab38a4c4543522d0c320c639c56a8b59908 upstream. + +If allocation of cmd->t_task_cdb fails, it remains NULL but is later +dereferenced in the 'err' path. + +In case of error, reset NULL t_task_cdb value to point at the default +fixed-size buffer. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference") +Cc: stable@vger.kernel.org +Signed-off-by: Andrey Vatoropin +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_transport.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1524,6 +1524,7 @@ target_cmd_init_cdb(struct se_cmd *cmd, + if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) { + cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp); + if (!cmd->t_task_cdb) { ++ cmd->t_task_cdb = &cmd->__t_task_cdb[0]; + pr_err("Unable to allocate cmd->t_task_cdb" + " %u > sizeof(cmd->__t_task_cdb): %lu ops\n", + scsi_command_size(cdb), diff --git a/queue-6.18/scsi-ufs-core-add-ufshcd_update_evt_hist-for-ufs-suspend-error.patch b/queue-6.18/scsi-ufs-core-add-ufshcd_update_evt_hist-for-ufs-suspend-error.patch new file mode 100644 index 0000000000..46c45c954d --- /dev/null +++ b/queue-6.18/scsi-ufs-core-add-ufshcd_update_evt_hist-for-ufs-suspend-error.patch @@ -0,0 +1,45 @@ +From c9f36f04a8a2725172cdf2b5e32363e4addcb14c Mon Sep 17 00:00:00 2001 +From: Seunghwan Baek +Date: Wed, 10 Dec 2025 15:38:54 +0900 +Subject: scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error + +From: Seunghwan Baek + +commit c9f36f04a8a2725172cdf2b5e32363e4addcb14c upstream. + +If UFS resume fails, the event history is updated in ufshcd_resume(), but +there is no code anywhere to record UFS suspend. Therefore, add code to +record UFS suspend error event history. + +Fixes: dd11376b9f1b ("scsi: ufs: Split the drivers/scsi/ufs directory") +Cc: stable@vger.kernel.org +Signed-off-by: Seunghwan Baek +Reviewed-by: Peter Wang +Link: https://patch.msgid.link/20251210063854.1483899-2-sh8267.baek@samsung.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -10223,7 +10223,7 @@ static int ufshcd_suspend(struct ufs_hba + ret = ufshcd_setup_clocks(hba, false); + if (ret) { + ufshcd_enable_irq(hba); +- return ret; ++ goto out; + } + if (ufshcd_is_clkgating_allowed(hba)) { + hba->clk_gating.state = CLKS_OFF; +@@ -10235,6 +10235,9 @@ static int ufshcd_suspend(struct ufs_hba + /* Put the host controller in low power mode if possible */ + ufshcd_hba_vreg_set_lpm(hba); + ufshcd_pm_qos_update(hba, false); ++out: ++ if (ret) ++ ufshcd_update_evt_hist(hba, UFS_EVT_SUSPEND_ERR, (u32)ret); + return ret; + } + diff --git a/queue-6.18/serial-core-fix-serial-device-initialization.patch b/queue-6.18/serial-core-fix-serial-device-initialization.patch new file mode 100644 index 0000000000..ee7028e25e --- /dev/null +++ b/queue-6.18/serial-core-fix-serial-device-initialization.patch @@ -0,0 +1,36 @@ +From f54151148b969fb4b62bec8093d255306d20df30 Mon Sep 17 00:00:00 2001 +From: Alexander Stein +Date: Fri, 19 Dec 2025 16:28:12 +0100 +Subject: serial: core: Fix serial device initialization + +From: Alexander Stein + +commit f54151148b969fb4b62bec8093d255306d20df30 upstream. + +During restoring sysfs fwnode information the information of_node_reused +was dropped. This was previously set by device_set_of_node_from_dev(). +Add it back manually + +Fixes: 24ec03cc5512 ("serial: core: Restore sysfs fwnode information") +Cc: stable +Suggested-by: Cosmin Tanislav +Signed-off-by: Alexander Stein +Tested-by: Michael Walle +Tested-by: Marek Szyprowski +Tested-by: Cosmin Tanislav +Link: https://patch.msgid.link/20251219152813.1893982-1-alexander.stein@ew.tq-group.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_base_bus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/serial_base_bus.c ++++ b/drivers/tty/serial/serial_base_bus.c +@@ -74,6 +74,7 @@ static int serial_base_device_init(struc + dev->parent = parent_dev; + dev->bus = &serial_base_bus_type; + dev->release = release; ++ dev->of_node_reused = true; + + device_set_node(dev, fwnode_handle_get(dev_fwnode(parent_dev))); + diff --git a/queue-6.18/serial-core-restore-sysfs-fwnode-information.patch b/queue-6.18/serial-core-restore-sysfs-fwnode-information.patch new file mode 100644 index 0000000000..61d211daf3 --- /dev/null +++ b/queue-6.18/serial-core-restore-sysfs-fwnode-information.patch @@ -0,0 +1,68 @@ +From 24ec03cc55126b7b3adf102f4b3d9f716532b329 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Thu, 27 Nov 2025 17:36:50 +0100 +Subject: serial: core: Restore sysfs fwnode information + +From: Andy Shevchenko + +commit 24ec03cc55126b7b3adf102f4b3d9f716532b329 upstream. + +The change that restores sysfs fwnode information does it only for OF cases. +Update the fix to cover all possible types of fwnodes. + +Fixes: d36f0e9a0002 ("serial: core: restore of_node information in sysfs") +Cc: stable +Signed-off-by: Andy Shevchenko +Link: https://patch.msgid.link/20251127163650.2942075-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_base_bus.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/serial_base_bus.c ++++ b/drivers/tty/serial/serial_base_bus.c +@@ -13,7 +13,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -60,6 +60,7 @@ void serial_base_driver_unregister(struc + driver_unregister(driver); + } + ++/* On failure the caller must put device @dev with put_device() */ + static int serial_base_device_init(struct uart_port *port, + struct device *dev, + struct device *parent_dev, +@@ -73,7 +74,8 @@ static int serial_base_device_init(struc + dev->parent = parent_dev; + dev->bus = &serial_base_bus_type; + dev->release = release; +- device_set_of_node_from_dev(dev, parent_dev); ++ ++ device_set_node(dev, fwnode_handle_get(dev_fwnode(parent_dev))); + + if (!serial_base_initialized) { + dev_dbg(port->dev, "uart_add_one_port() called before arch_initcall()?\n"); +@@ -94,7 +96,7 @@ static void serial_base_ctrl_release(str + { + struct serial_ctrl_device *ctrl_dev = to_serial_base_ctrl_device(dev); + +- of_node_put(dev->of_node); ++ fwnode_handle_put(dev_fwnode(dev)); + kfree(ctrl_dev); + } + +@@ -142,7 +144,7 @@ static void serial_base_port_release(str + { + struct serial_port_device *port_dev = to_serial_base_port_device(dev); + +- of_node_put(dev->of_node); ++ fwnode_handle_put(dev_fwnode(dev)); + kfree(port_dev); + } + diff --git a/queue-6.18/serial-sh-sci-check-that-the-dma-cookie-is-valid.patch b/queue-6.18/serial-sh-sci-check-that-the-dma-cookie-is-valid.patch new file mode 100644 index 0000000000..43048c3c1a --- /dev/null +++ b/queue-6.18/serial-sh-sci-check-that-the-dma-cookie-is-valid.patch @@ -0,0 +1,44 @@ +From c3ca8a0aac832fe8047608bb2ae2cca314c6d717 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Wed, 17 Dec 2025 15:57:59 +0200 +Subject: serial: sh-sci: Check that the DMA cookie is valid + +From: Claudiu Beznea + +commit c3ca8a0aac832fe8047608bb2ae2cca314c6d717 upstream. + +The driver updates struct sci_port::tx_cookie to zero right before the TX +work is scheduled, or to -EINVAL when DMA is disabled. +dma_async_is_complete(), called through dma_cookie_status() (and possibly +through dmaengine_tx_status()), considers cookies valid only if they have +values greater than or equal to 1. + +Passing zero or -EINVAL to dmaengine_tx_status() before any TX DMA +transfer has started leads to an incorrect TX status being reported, as the +cookie is invalid for the DMA subsystem. This may cause long wait times +when the serial device is opened for configuration before any TX activity +has occurred. + +Check that the TX cookie is valid before passing it to +dmaengine_tx_status(). + +Fixes: 7cc0e0a43a91 ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") +Cc: stable +Signed-off-by: Claudiu Beznea +Link: https://patch.msgid.link/20251217135759.402015-1-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1740,7 +1740,7 @@ static void sci_dma_check_tx_occurred(st + struct dma_tx_state state; + enum dma_status status; + +- if (!s->chan_tx) ++ if (!s->chan_tx || s->cookie_tx <= 0) + return; + + status = dmaengine_tx_status(s->chan_tx, s->cookie_tx, &state); diff --git a/queue-6.18/serial-xilinx_uartps-fix-rs485-delay_rts_after_send.patch b/queue-6.18/serial-xilinx_uartps-fix-rs485-delay_rts_after_send.patch new file mode 100644 index 0000000000..e2a53a0bd5 --- /dev/null +++ b/queue-6.18/serial-xilinx_uartps-fix-rs485-delay_rts_after_send.patch @@ -0,0 +1,63 @@ +From 267ee93c417e685d9f8e079e41c70ba6ee4df5a5 Mon Sep 17 00:00:00 2001 +From: "j.turek" +Date: Sun, 21 Dec 2025 11:32:21 +0100 +Subject: serial: xilinx_uartps: fix rs485 delay_rts_after_send + +From: j.turek + +commit 267ee93c417e685d9f8e079e41c70ba6ee4df5a5 upstream. + +RTS line control with delay should be triggered when there is no more +bytes in kfifo and hardware buffer is empty. Without this patch RTS +control is scheduled right after feeding hardware buffer and this is too +early. + +RTS line may change state before hardware buffer is empty. + +With this patch delayed RTS state change is triggered when function +cdns_uart_handle_tx is called from cdns_uart_isr on +CDNS_UART_IXR_TXEMPTY exactly when hardware completed transmission + +Fixes: fccc9d9233f9 ("tty: serial: uartps: Add rs485 support to uartps driver") +Cc: stable +Link: https://patch.msgid.link/20251221103221.1971125-1-jakub.turek@elsta.tech +Signed-off-by: Jakub Turek +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/xilinx_uartps.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -430,10 +430,17 @@ static void cdns_uart_handle_tx(void *de + struct tty_port *tport = &port->state->port; + unsigned int numbytes; + unsigned char ch; ++ ktime_t rts_delay; + + if (kfifo_is_empty(&tport->xmit_fifo) || uart_tx_stopped(port)) { + /* Disable the TX Empty interrupt */ + writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_IDR); ++ /* Set RTS line after delay */ ++ if (cdns_uart->port->rs485.flags & SER_RS485_ENABLED) { ++ cdns_uart->tx_timer.function = &cdns_rs485_rx_callback; ++ rts_delay = ns_to_ktime(cdns_calc_after_tx_delay(cdns_uart)); ++ hrtimer_start(&cdns_uart->tx_timer, rts_delay, HRTIMER_MODE_REL); ++ } + return; + } + +@@ -450,13 +457,6 @@ static void cdns_uart_handle_tx(void *de + + /* Enable the TX Empty interrupt */ + writel(CDNS_UART_IXR_TXEMPTY, cdns_uart->port->membase + CDNS_UART_IER); +- +- if (cdns_uart->port->rs485.flags & SER_RS485_ENABLED && +- (kfifo_is_empty(&tport->xmit_fifo) || uart_tx_stopped(port))) { +- hrtimer_update_function(&cdns_uart->tx_timer, cdns_rs485_rx_callback); +- hrtimer_start(&cdns_uart->tx_timer, +- ns_to_ktime(cdns_calc_after_tx_delay(cdns_uart)), HRTIMER_MODE_REL); +- } + } + + /** diff --git a/queue-6.18/series b/queue-6.18/series index 0186ad59e5..e2f0ea6f6c 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -277,3 +277,47 @@ mptcp-pm-ignore-unknown-endpoint-flags.patch selftests-mptcp-pm-ensure-unknown-flags-are-ignored.patch mptcp-schedule-rtx-timer-only-after-pushing-data.patch mptcp-avoid-deadlock-on-fallback-while-reinjecting.patch +usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch +media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch +media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch +phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch +usb-ohci-nxp-fix-device-leak-on-probe-failure.patch +usb-typec-ucsi-huawei-gaokin-add-drm-dependency.patch +usb-typec-altmodes-displayport-drop-the-device-reference-in-dp_altmode_probe.patch +usb-lpc32xx_udc-fix-error-handling-in-probe.patch +usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch +usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch +usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch +usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch +usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch +usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch +xhci-dbgtty-fix-device-unregister-fixup.patch +char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch +dt-bindings-slimbus-fix-warning-from-example.patch +intel_th-fix-error-handling-in-intel_th_output_open.patch +mei-fix-error-handling-in-mei_register.patch +mei-gsc-add-dependency-on-xe-driver.patch +serial-core-restore-sysfs-fwnode-information.patch +serial-core-fix-serial-device-initialization.patch +serial-xilinx_uartps-fix-rs485-delay_rts_after_send.patch +serial-sh-sci-check-that-the-dma-cookie-is-valid.patch +cpuidle-governors-teo-drop-misguided-target-residency-check.patch +cpufreq-nforce2-fix-reference-count-leak-in-nforce2.patch +scsi-revert-scsi-qla2xxx-perform-lockless-command-completion-in-abort-path.patch +scsi-aic94xx-fix-use-after-free-in-device-removal-path.patch +nfsd-use-correct-reservation-type-in-nfsd4_scsi_fence_client.patch +scsi-target-reset-t_task_cdb-pointer-in-error-case.patch +scsi-mpi3mr-read-missing-iocfacts-flag-for-reply-queue-full-overflow.patch +scsi-ufs-core-add-ufshcd_update_evt_hist-for-ufs-suspend-error.patch +f2fs-ensure-node-page-reads-complete-before-f2fs_put_super-finishes.patch +f2fs-fix-to-avoid-updating-compression-context-during-writeback.patch +f2fs-fix-to-avoid-potential-deadlock.patch +f2fs-fix-to-propagate-error-from-f2fs_enable_checkpoint.patch +f2fs-fix-to-avoid-updating-zero-sized-extent-in-extent-cache.patch +f2fs-invalidate-dentry-cache-on-failed-whiteout-creation.patch +f2fs-use-global-inline_xattr_slab-instead-of-per-sb-slab-cache.patch +f2fs-fix-age-extent-cache-insertion-skip-on-counter-overflow.patch +f2fs-fix-uninitialized-one_time_gc-in-victim_sel_policy.patch +f2fs-fix-to-detect-recoverable-inode-during-dryrun-of-find_fsync_dnodes.patch +f2fs-fix-to-not-account-invalid-blocks-in-get_left_section_blocks.patch +f2fs-fix-return-value-of-f2fs_recover_fsync_data.patch diff --git a/queue-6.18/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch b/queue-6.18/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch new file mode 100644 index 0000000000..b855fb90db --- /dev/null +++ b/queue-6.18/usb-dwc3-keep-susphy-enabled-during-exit-to-avoid-controller-faults.patch @@ -0,0 +1,53 @@ +From e1003aa7ec9eccdde4c926bd64ef42816ad55f25 Mon Sep 17 00:00:00 2001 +From: Udipto Goswami +Date: Wed, 26 Nov 2025 11:12:21 +0530 +Subject: usb: dwc3: keep susphy enabled during exit to avoid controller faults + +From: Udipto Goswami + +commit e1003aa7ec9eccdde4c926bd64ef42816ad55f25 upstream. + +On some platforms, switching USB roles from host to device can trigger +controller faults due to premature PHY power-down. This occurs when the +PHY is disabled too early during teardown, causing synchronization +issues between the PHY and controller. + +Keep susphy enabled during dwc3_host_exit() and dwc3_gadget_exit() +ensures the PHY remains in a low-power state capable of handling +required commands during role switch. + +Cc: stable +Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") +Suggested-by: Thinh Nguyen +Signed-off-by: Udipto Goswami +Acked-by: Thinh Nguyen +Link: https://patch.msgid.link/20251126054221.120638-1-udipto.goswami@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 2 +- + drivers/usb/dwc3/host.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -4825,7 +4825,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc) + if (!dwc->gadget) + return; + +- dwc3_enable_susphy(dwc, false); ++ dwc3_enable_susphy(dwc, true); + usb_del_gadget(dwc->gadget); + dwc3_gadget_free_endpoints(dwc); + usb_put_gadget(dwc->gadget); +--- a/drivers/usb/dwc3/host.c ++++ b/drivers/usb/dwc3/host.c +@@ -226,7 +226,7 @@ void dwc3_host_exit(struct dwc3 *dwc) + if (dwc->sys_wakeup) + device_init_wakeup(&dwc->xhci->dev, false); + +- dwc3_enable_susphy(dwc, false); ++ dwc3_enable_susphy(dwc, true); + platform_device_unregister(dwc->xhci); + dwc->xhci = NULL; + } diff --git a/queue-6.18/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch b/queue-6.18/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch new file mode 100644 index 0000000000..b858928acf --- /dev/null +++ b/queue-6.18/usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch @@ -0,0 +1,56 @@ +From 3b4961313d31e200c9e974bb1536cdea217f78b5 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 11 Dec 2025 10:49:36 +0400 +Subject: usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe + +From: Miaoqian Lin + +commit 3b4961313d31e200c9e974bb1536cdea217f78b5 upstream. + +When clk_bulk_prepare_enable() fails, the error path jumps to +err_resetc_assert, skipping clk_bulk_put_all() and leaking the +clock references acquired by clk_bulk_get_all(). + +Add err_clk_put_all label to properly release clock resources +in all error paths. + +Found via static analysis and code review. + +Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API") +Cc: stable +Signed-off-by: Miaoqian Lin +Acked-by: Thinh Nguyen +Link: https://patch.msgid.link/20251211064937.2360510-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-of-simple.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-of-simple.c ++++ b/drivers/usb/dwc3/dwc3-of-simple.c +@@ -70,11 +70,11 @@ static int dwc3_of_simple_probe(struct p + simple->num_clocks = ret; + ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks); + if (ret) +- goto err_resetc_assert; ++ goto err_clk_put_all; + + ret = of_platform_populate(np, NULL, NULL, dev); + if (ret) +- goto err_clk_put; ++ goto err_clk_disable; + + pm_runtime_set_active(dev); + pm_runtime_enable(dev); +@@ -82,8 +82,9 @@ static int dwc3_of_simple_probe(struct p + + return 0; + +-err_clk_put: ++err_clk_disable: + clk_bulk_disable_unprepare(simple->num_clocks, simple->clks); ++err_clk_put_all: + clk_bulk_put_all(simple->num_clocks, simple->clks); + + err_resetc_assert: diff --git a/queue-6.18/usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch b/queue-6.18/usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch new file mode 100644 index 0000000000..9b4fd01adb --- /dev/null +++ b/queue-6.18/usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch @@ -0,0 +1,102 @@ +From 782be79e4551550d7a82b1957fc0f7347e6d461f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 18 Dec 2025 16:35:15 +0100 +Subject: usb: gadget: lpc32xx_udc: fix clock imbalance in error path + +From: Johan Hovold + +commit 782be79e4551550d7a82b1957fc0f7347e6d461f upstream. + +A recent change fixing a device reference leak introduced a clock +imbalance by reusing an error path so that the clock may be disabled +before having been enabled. + +Note that the clock framework allows for passing in NULL clocks so there +is no risk for a NULL pointer dereference. + +Also drop the bogus I2C client NULL check added by the offending commit +as the pointer has already been verified to be non-NULL. + +Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe") +Cc: stable@vger.kernel.org +Cc: Ma Ke +Signed-off-by: Johan Hovold +Reviewed-by: Vladimir Zapolskiy +Link: https://patch.msgid.link/20251218153519.19453-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/lpc32xx_udc.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/usb/gadget/udc/lpc32xx_udc.c ++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c +@@ -3020,7 +3020,7 @@ static int lpc32xx_udc_probe(struct plat + pdev->dev.dma_mask = &lpc32xx_usbd_dmamask; + retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); + if (retval) +- goto i2c_fail; ++ goto err_put_client; + + udc->board = &lpc32xx_usbddata; + +@@ -3040,7 +3040,7 @@ static int lpc32xx_udc_probe(struct plat + udc->udp_irq[i] = platform_get_irq(pdev, i); + if (udc->udp_irq[i] < 0) { + retval = udc->udp_irq[i]; +- goto i2c_fail; ++ goto err_put_client; + } + } + +@@ -3048,7 +3048,7 @@ static int lpc32xx_udc_probe(struct plat + if (IS_ERR(udc->udp_baseaddr)) { + dev_err(udc->dev, "IO map failure\n"); + retval = PTR_ERR(udc->udp_baseaddr); +- goto i2c_fail; ++ goto err_put_client; + } + + /* Get USB device clock */ +@@ -3056,14 +3056,14 @@ static int lpc32xx_udc_probe(struct plat + if (IS_ERR(udc->usb_slv_clk)) { + dev_err(udc->dev, "failed to acquire USB device clock\n"); + retval = PTR_ERR(udc->usb_slv_clk); +- goto i2c_fail; ++ goto err_put_client; + } + + /* Enable USB device clock */ + retval = clk_prepare_enable(udc->usb_slv_clk); + if (retval < 0) { + dev_err(udc->dev, "failed to start USB device clock\n"); +- goto i2c_fail; ++ goto err_put_client; + } + + /* Setup deferred workqueue data */ +@@ -3165,9 +3165,10 @@ dma_alloc_fail: + dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, + udc->udca_v_base, udc->udca_p_base); + i2c_fail: +- if (udc->isp1301_i2c_client) +- put_device(&udc->isp1301_i2c_client->dev); + clk_disable_unprepare(udc->usb_slv_clk); ++err_put_client: ++ put_device(&udc->isp1301_i2c_client->dev); ++ + dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval); + + return retval; +@@ -3195,10 +3196,9 @@ static void lpc32xx_udc_remove(struct pl + dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, + udc->udca_v_base, udc->udca_p_base); + +- if (udc->isp1301_i2c_client) +- put_device(&udc->isp1301_i2c_client->dev); +- + clk_disable_unprepare(udc->usb_slv_clk); ++ ++ put_device(&udc->isp1301_i2c_client->dev); + } + + #ifdef CONFIG_PM diff --git a/queue-6.18/usb-lpc32xx_udc-fix-error-handling-in-probe.patch b/queue-6.18/usb-lpc32xx_udc-fix-error-handling-in-probe.patch new file mode 100644 index 0000000000..c20bafe44f --- /dev/null +++ b/queue-6.18/usb-lpc32xx_udc-fix-error-handling-in-probe.patch @@ -0,0 +1,100 @@ +From c84117912bddd9e5d87e68daf182410c98181407 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Mon, 15 Dec 2025 10:09:31 +0800 +Subject: USB: lpc32xx_udc: Fix error handling in probe + +From: Ma Ke + +commit c84117912bddd9e5d87e68daf182410c98181407 upstream. + +lpc32xx_udc_probe() acquires an i2c_client reference through +isp1301_get_client() but fails to release it in both error handling +paths and the normal removal path. This could result in a reference +count leak for the I2C device, preventing proper cleanup and potentially +leading to resource exhaustion. Add put_device() to release the +reference in the probe failure path and in the remove function. + +Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() -> +i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode() +says, 'The user must call put_device(&client->dev) once done with the +i2c client.' + +Found by code review. + +Cc: stable +Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/drivers/usb/gadget/udc/lpc32xx_udc.c ++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c +@@ -3020,7 +3020,7 @@ static int lpc32xx_udc_probe(struct plat + pdev->dev.dma_mask = &lpc32xx_usbd_dmamask; + retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); + if (retval) +- return retval; ++ goto i2c_fail; + + udc->board = &lpc32xx_usbddata; + +@@ -3038,28 +3038,32 @@ static int lpc32xx_udc_probe(struct plat + /* Get IRQs */ + for (i = 0; i < 4; i++) { + udc->udp_irq[i] = platform_get_irq(pdev, i); +- if (udc->udp_irq[i] < 0) +- return udc->udp_irq[i]; ++ if (udc->udp_irq[i] < 0) { ++ retval = udc->udp_irq[i]; ++ goto i2c_fail; ++ } + } + + udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(udc->udp_baseaddr)) { + dev_err(udc->dev, "IO map failure\n"); +- return PTR_ERR(udc->udp_baseaddr); ++ retval = PTR_ERR(udc->udp_baseaddr); ++ goto i2c_fail; + } + + /* Get USB device clock */ + udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(udc->usb_slv_clk)) { + dev_err(udc->dev, "failed to acquire USB device clock\n"); +- return PTR_ERR(udc->usb_slv_clk); ++ retval = PTR_ERR(udc->usb_slv_clk); ++ goto i2c_fail; + } + + /* Enable USB device clock */ + retval = clk_prepare_enable(udc->usb_slv_clk); + if (retval < 0) { + dev_err(udc->dev, "failed to start USB device clock\n"); +- return retval; ++ goto i2c_fail; + } + + /* Setup deferred workqueue data */ +@@ -3161,6 +3165,8 @@ dma_alloc_fail: + dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, + udc->udca_v_base, udc->udca_p_base); + i2c_fail: ++ if (udc->isp1301_i2c_client) ++ put_device(&udc->isp1301_i2c_client->dev); + clk_disable_unprepare(udc->usb_slv_clk); + dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval); + +@@ -3189,6 +3195,9 @@ static void lpc32xx_udc_remove(struct pl + dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, + udc->udca_v_base, udc->udca_p_base); + ++ if (udc->isp1301_i2c_client) ++ put_device(&udc->isp1301_i2c_client->dev); ++ + clk_disable_unprepare(udc->usb_slv_clk); + } + diff --git a/queue-6.18/usb-ohci-nxp-fix-device-leak-on-probe-failure.patch b/queue-6.18/usb-ohci-nxp-fix-device-leak-on-probe-failure.patch new file mode 100644 index 0000000000..f803064f54 --- /dev/null +++ b/queue-6.18/usb-ohci-nxp-fix-device-leak-on-probe-failure.patch @@ -0,0 +1,44 @@ +From b4c61e542faf8c9131d69ecfc3ad6de96d1b2ab8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 18 Dec 2025 16:35:17 +0100 +Subject: usb: ohci-nxp: fix device leak on probe failure + +From: Johan Hovold + +commit b4c61e542faf8c9131d69ecfc3ad6de96d1b2ab8 upstream. + +Make sure to drop the reference taken when looking up the PHY I2C device +during probe on probe failure (e.g. probe deferral) and on driver +unbind. + +Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver") +Cc: stable@vger.kernel.org # 3.5 +Reported-by: Ma Ke +Link: https://lore.kernel.org/lkml/20251117013428.21840-1-make24@iscas.ac.cn/ +Signed-off-by: Johan Hovold +Acked-by: Alan Stern +Reviewed-by: Vladimir Zapolskiy +Link: https://patch.msgid.link/20251218153519.19453-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/ohci-nxp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/ohci-nxp.c ++++ b/drivers/usb/host/ohci-nxp.c +@@ -223,6 +223,7 @@ static int ohci_hcd_nxp_probe(struct pla + fail_resource: + usb_put_hcd(hcd); + fail_disable: ++ put_device(&isp1301_i2c_client->dev); + isp1301_i2c_client = NULL; + return ret; + } +@@ -234,6 +235,7 @@ static void ohci_hcd_nxp_remove(struct p + usb_remove_hcd(hcd); + ohci_nxp_stop_hc(); + usb_put_hcd(hcd); ++ put_device(&isp1301_i2c_client->dev); + isp1301_i2c_client = NULL; + } + diff --git a/queue-6.18/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch b/queue-6.18/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch new file mode 100644 index 0000000000..c222e2a45b --- /dev/null +++ b/queue-6.18/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch @@ -0,0 +1,52 @@ +From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Fri, 5 Dec 2025 11:48:31 +0800 +Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal + +From: Duoming Zhou + +commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream. + +The delayed work item otg_event is initialized in fsl_otg_conf() and +scheduled under two conditions: +1. When a host controller binds to the OTG controller. +2. When the USB ID pin state changes (cable insertion/removal). + +A race condition occurs when the device is removed via fsl_otg_remove(): +the fsl_otg instance may be freed while the delayed work is still pending +or executing. This leads to use-after-free when the work function +fsl_otg_event() accesses the already freed memory. + +The problematic scenario: + +(detach thread) | (delayed work) +fsl_otg_remove() | + kfree(fsl_otg_dev) //FREE| fsl_otg_event() + | og = container_of(...) //USE + | og-> //USE + +Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() +before deallocating the fsl_otg structure. This ensures the delayed work +is properly canceled and completes execution prior to memory deallocation. + +This bug was identified through static analysis. + +Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver") +Cc: stable +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-fsl-usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/phy/phy-fsl-usb.c ++++ b/drivers/usb/phy/phy-fsl-usb.c +@@ -988,6 +988,7 @@ static void fsl_otg_remove(struct platfo + { + struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev); + ++ disable_delayed_work_sync(&fsl_otg_dev->otg_event); + usb_remove_phy(&fsl_otg_dev->phy); + free_irq(fsl_otg_dev->irq, fsl_otg_dev); + diff --git a/queue-6.18/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch b/queue-6.18/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch new file mode 100644 index 0000000000..396937f352 --- /dev/null +++ b/queue-6.18/usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch @@ -0,0 +1,48 @@ +From b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 18 Dec 2025 16:35:16 +0100 +Subject: usb: phy: isp1301: fix non-OF device reference imbalance + +From: Johan Hovold + +commit b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 upstream. + +A recent change fixing a device reference leak in a UDC driver +introduced a potential use-after-free in the non-OF case as the +isp1301_get_client() helper only increases the reference count for the +returned I2C device in the OF case. + +Increment the reference count also for non-OF so that the caller can +decrement it unconditionally. + +Note that this is inherently racy just as using the returned I2C device +is since nothing is preventing the PHY driver from being unbound while +in use. + +Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe") +Cc: stable@vger.kernel.org +Cc: Ma Ke +Signed-off-by: Johan Hovold +Reviewed-by: Vladimir Zapolskiy +Link: https://patch.msgid.link/20251218153519.19453-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-isp1301.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/phy/phy-isp1301.c ++++ b/drivers/usb/phy/phy-isp1301.c +@@ -149,7 +149,12 @@ struct i2c_client *isp1301_get_client(st + return client; + + /* non-DT: only one ISP1301 chip supported */ +- return isp1301_i2c_client; ++ if (isp1301_i2c_client) { ++ get_device(&isp1301_i2c_client->dev); ++ return isp1301_i2c_client; ++ } ++ ++ return NULL; + } + EXPORT_SYMBOL_GPL(isp1301_get_client); + diff --git a/queue-6.18/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch b/queue-6.18/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch new file mode 100644 index 0000000000..3166d37602 --- /dev/null +++ b/queue-6.18/usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch @@ -0,0 +1,38 @@ +From 36cc7e09df9e43db21b46519b740145410dd9f4a Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 4 Dec 2025 21:21:29 +0800 +Subject: usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() + +From: Haoxiang Li + +commit 36cc7e09df9e43db21b46519b740145410dd9f4a upstream. + +usbhsp_get_pipe() set pipe's flags to IS_USED. In error paths, +usbhsp_put_pipe() is required to clear pipe's flags to prevent +pipe exhaustion. + +Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code") +Cc: stable +Signed-off-by: Haoxiang Li +Link: https://patch.msgid.link/20251204132129.109234-1-haoxiang_li2024@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/renesas_usbhs/pipe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/renesas_usbhs/pipe.c ++++ b/drivers/usb/renesas_usbhs/pipe.c +@@ -713,11 +713,13 @@ struct usbhs_pipe *usbhs_pipe_malloc(str + /* make sure pipe is not busy */ + ret = usbhsp_pipe_barrier(pipe); + if (ret < 0) { ++ usbhsp_put_pipe(pipe); + dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe)); + return NULL; + } + + if (usbhsp_setup_pipecfg(pipe, is_host, dir_in, &pipecfg)) { ++ usbhsp_put_pipe(pipe); + dev_err(dev, "can't setup pipe\n"); + return NULL; + } diff --git a/queue-6.18/usb-typec-altmodes-displayport-drop-the-device-reference-in-dp_altmode_probe.patch b/queue-6.18/usb-typec-altmodes-displayport-drop-the-device-reference-in-dp_altmode_probe.patch new file mode 100644 index 0000000000..6b5868185d --- /dev/null +++ b/queue-6.18/usb-typec-altmodes-displayport-drop-the-device-reference-in-dp_altmode_probe.patch @@ -0,0 +1,43 @@ +From 128bb7fab342546352603bde8b49ff54e3af0529 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Sat, 6 Dec 2025 15:04:45 +0800 +Subject: usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe() + +From: Haoxiang Li + +commit 128bb7fab342546352603bde8b49ff54e3af0529 upstream. + +In error paths, call typec_altmode_put_plug() to drop the device reference +obtained by typec_altmode_get_plug(). + +Fixes: 71ba4fe56656 ("usb: typec: altmodes/displayport: add SOP' support") +Cc: stable +Signed-off-by: Haoxiang Li +Reviewed-by: Heikki Krogerus +Link: https://patch.msgid.link/20251206070445.190770-1-lihaoxiang@isrc.iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/altmodes/displayport.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/typec/altmodes/displayport.c ++++ b/drivers/usb/typec/altmodes/displayport.c +@@ -764,12 +764,16 @@ int dp_altmode_probe(struct typec_altmod + if (!(DP_CAP_PIN_ASSIGN_DFP_D(port->vdo) & + DP_CAP_PIN_ASSIGN_UFP_D(alt->vdo)) && + !(DP_CAP_PIN_ASSIGN_UFP_D(port->vdo) & +- DP_CAP_PIN_ASSIGN_DFP_D(alt->vdo))) ++ DP_CAP_PIN_ASSIGN_DFP_D(alt->vdo))) { ++ typec_altmode_put_plug(plug); + return -ENODEV; ++ } + + dp = devm_kzalloc(&alt->dev, sizeof(*dp), GFP_KERNEL); +- if (!dp) ++ if (!dp) { ++ typec_altmode_put_plug(plug); + return -ENOMEM; ++ } + + INIT_WORK(&dp->work, dp_altmode_work); + mutex_init(&dp->lock); diff --git a/queue-6.18/usb-typec-ucsi-huawei-gaokin-add-drm-dependency.patch b/queue-6.18/usb-typec-ucsi-huawei-gaokin-add-drm-dependency.patch new file mode 100644 index 0000000000..dea2f217b5 --- /dev/null +++ b/queue-6.18/usb-typec-ucsi-huawei-gaokin-add-drm-dependency.patch @@ -0,0 +1,39 @@ +From d14cd998e67ba8f1cca52a260a1ce1a60954fd8b Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 4 Dec 2025 11:11:07 +0100 +Subject: usb: typec: ucsi: huawei-gaokin: add DRM dependency + +From: Arnd Bergmann + +commit d14cd998e67ba8f1cca52a260a1ce1a60954fd8b upstream. + +Selecting DRM_AUX_HPD_BRIDGE is not possible from a built-in driver when +CONFIG_DRM=m: + +WARNING: unmet direct dependencies detected for DRM_AUX_HPD_BRIDGE + Depends on [m]: HAS_IOMEM [=y] && DRM [=m] && DRM_BRIDGE [=y] && OF [=y] + Selected by [y]: + - UCSI_HUAWEI_GAOKUN [=y] && USB_SUPPORT [=y] && TYPEC [=y] && TYPEC_UCSI [=y] && EC_HUAWEI_GAOKUN [=y] && DRM_BRIDGE [=y] && OF [=y] + +Add the same dependency we have in similar drivers to work around this. + +Fixes: 00327d7f2c8c ("usb: typec: ucsi: add Huawei Matebook E Go ucsi driver") +Cc: stable +Signed-off-by: Arnd Bergmann +Reviewed-by: Heikki Krogerus +Link: https://patch.msgid.link/20251204101111.1035975-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/typec/ucsi/Kconfig ++++ b/drivers/usb/typec/ucsi/Kconfig +@@ -96,6 +96,7 @@ config UCSI_LENOVO_YOGA_C630 + config UCSI_HUAWEI_GAOKUN + tristate "UCSI Interface Driver for Huawei Matebook E Go" + depends on EC_HUAWEI_GAOKUN ++ depends on DRM || !DRM + select DRM_AUX_HPD_BRIDGE if DRM_BRIDGE && OF + help + This driver enables UCSI support on the Huawei Matebook E Go tablet, diff --git a/queue-6.18/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch b/queue-6.18/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch new file mode 100644 index 0000000000..80306115b2 --- /dev/null +++ b/queue-6.18/usb-usb-storage-maintain-minimal-modifications-to-the-bcddevice-range.patch @@ -0,0 +1,31 @@ +From 0831269b5f71594882accfceb02638124f88955d Mon Sep 17 00:00:00 2001 +From: Chen Changcheng +Date: Thu, 18 Dec 2025 09:23:18 +0800 +Subject: usb: usb-storage: Maintain minimal modifications to the bcdDevice range. + +From: Chen Changcheng + +commit 0831269b5f71594882accfceb02638124f88955d upstream. + +We cannot determine which models require the NO_ATA_1X and +IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device. + +Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.") +Signed-off-by: Chen Changcheng +Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_uas.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x01 + US_FL_NO_ATA_1X), + + /* Reported-by: Benjamin Tissoires */ +-UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309, ++UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x0309, + "Initio Corporation", + "INIC-3069", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, diff --git a/queue-6.18/xhci-dbgtty-fix-device-unregister-fixup.patch b/queue-6.18/xhci-dbgtty-fix-device-unregister-fixup.patch new file mode 100644 index 0000000000..96faf3765a --- /dev/null +++ b/queue-6.18/xhci-dbgtty-fix-device-unregister-fixup.patch @@ -0,0 +1,38 @@ +From 74098cc06e753d3ffd8398b040a3a1dfb65260c0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Bartosik?= +Date: Thu, 27 Nov 2025 11:16:44 +0000 +Subject: xhci: dbgtty: fix device unregister: fixup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Bartosik + +commit 74098cc06e753d3ffd8398b040a3a1dfb65260c0 upstream. + +This fixup replaces tty_vhangup() call with call to +tty_port_tty_vhangup(). Both calls hangup tty device +synchronously however tty_port_tty_vhangup() increases +reference count during the hangup operation using +scoped_guard(tty_port_tty). + +Cc: stable +Fixes: 1f73b8b56cf3 ("xhci: dbgtty: fix device unregister") +Signed-off-by: Łukasz Bartosik +Link: https://patch.msgid.link/20251127111644.3161386-1-ukaszb@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-dbgtty.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -554,7 +554,7 @@ static void xhci_dbc_tty_unregister_devi + * Hang up the TTY. This wakes up any blocked + * writers and causes subsequent writes to fail. + */ +- tty_vhangup(port->port.tty); ++ tty_port_tty_vhangup(&port->port); + + tty_unregister_device(dbc_tty_driver, port->minor); + xhci_dbc_tty_exit_port(port);