From: Greg Kroah-Hartman Date: Tue, 17 Mar 2026 13:28:35 +0000 (+0100) Subject: 6.19-stable patches X-Git-Tag: v6.18.19~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad664dac2e0f8b6c71273374094ae7ebadbec079;p=thirdparty%2Fkernel%2Fstable-queue.git 6.19-stable patches added patches: btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch btrfs-add-missing-rcu-unlock-in-error-path-in-try_release_subpage_extent_buffer.patch btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch can-dev-keep-the-max-bitrate-error-at-5.patch cifs-make-default-value-of-retrans-as-zero.patch drm-amd-fix-a-few-more-null-pointer-dereference-in-device-cleanup.patch drm-amd-fix-null-pointer-dereference-in-device-cleanup.patch drm-amd-pm-remove-invalid-gpu_metrics.energy_accumulator-on-smu-v13.0.x.patch drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch drm-bridge-ti-sn65dsi83-halve-horizontal-syncs-for-dual-lvds-output.patch drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch drm-i915-psr-repeat-selective-update-area-alignment.patch drm-i915-vrr-configure-vrr-timings-after-enabling-trans_ddi_func_ctl.patch drm-msm-dpu-correct-the-sa8775p-intr_underrun-intr_underrun-index.patch drm-msm-fix-dma_free_attrs-buffer-size.patch dt-bindings-display-msm-fix-reg-ranges-and-clocks-on-glymur.patch iio-buffer-fix-wait_queue-not-being-removed.patch iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch iio-dac-ds4424-reject-128-raw-value.patch 
iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch iio-imu-adis-fix-null-pointer-dereference-in-adis_init.patch iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch iio-imu-inv_icm45600-fix-int1-drive-bit-inverted.patch iio-imu-inv_icm45600-fix-regulator-put-warning-when-probe-fails.patch iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch iio-magnetometer-tlv493d-remove-erroneous-shift-in-x-axis-data.patch iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch iio-proximity-hx9023s-fix-assignment-order-for-__counted_by.patch iio-proximity-hx9023s-protect-against-division-by-zero-in-set_samp_freq.patch io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch net-shapers-don-t-free-reply-skb-after-genlmsg_reply.patch powerpc-pseries-correct-msi-allocation-tracking.patch powerpc64-bpf-fix-kfunc-call-support.patch powerpc64-bpf-fix-the-address-returned-by-bpf_get_func_ip.patch qmi_wwan-allow-max_mtu-above-hard_mtu-to-control-rx_urb_size.patch s390-dasd-copy-detected-format-information-to-secondary-device.patch s390-dasd-move-quiesce-state-with-pprc-swap.patch s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch sched_ext-fix-enqueue_task_scx-truncation-of-upper-enqueue-flags.patch scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch smb-client-fix-atomic-open-with-o_direct-o_sync.patch smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch 
tracing-fix-enabling-multiple-events-on-the-kernel-command-line-and-bootconfig.patch tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch ublk-fix-null-pointer-dereference-in-ublk_ctrl_set_size.patch x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch xfs-fix-returned-valued-from-xfs_defer_can_append.patch xfs-fix-undersized-l_iclog_roundoff-values.patch --- diff --git a/queue-6.19/btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch b/queue-6.19/btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch new file mode 100644 index 0000000000..5509390e2c --- /dev/null +++ b/queue-6.19/btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch 
@@ -0,0 +1,36 @@
+From 0f475ee0ebce5c9492b260027cd95270191675fa Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Fri, 27 Feb 2026 00:02:33 +0000
+Subject: btrfs: abort transaction on failure to update root in the received subvol ioctl
+
+From: Filipe Manana
+
+commit 0f475ee0ebce5c9492b260027cd95270191675fa upstream.
+
+If we failed to update the root we don't abort the transaction, which is
+wrong since we already used the transaction to remove an item from the
+uuid tree.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Anand Jain
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/ioctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3987,7 +3987,8 @@ static long _btrfs_ioctl_set_received_su
+
+ ret = btrfs_update_root(trans, fs_info->tree_root,
+ &root->root_key, &root->root_item);
+- if (ret < 0) {
++ if (unlikely(ret < 0)) {
++ btrfs_abort_transaction(trans, ret);
+ btrfs_end_transaction(trans);
+ goto out;
+ }
diff --git a/queue-6.19/btrfs-add-missing-rcu-unlock-in-error-path-in-try_release_subpage_extent_buffer.patch b/queue-6.19/btrfs-add-missing-rcu-unlock-in-error-path-in-try_release_subpage_extent_buffer.patch
new file mode 100644
index 0000000000..ec12985626
--- /dev/null
+++ b/queue-6.19/btrfs-add-missing-rcu-unlock-in-error-path-in-try_release_subpage_extent_buffer.patch
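Review bot: The added `btrfs_abort_transaction(trans, ret)` in `_btrfs_ioctl_set_received_subvol()` (fs/btrfs/ioctl.c) has no comment explaining why a failed `btrfs_update_root()` must abort; the reason exists only in the commit message. A one-line comment above the call would keep it next to the code, for example `/* We already removed an item from the uuid tree in this transaction, so we must abort. */`. An abort forces the filesystem read-only, and a sibling patch in this queue notes that this ioctl needs only subvolume ownership, so it is worth confirming which errors from `btrfs_update_root()` can reach this branch. The function body starts and ends outside the hunk.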
@@ -0,0 +1,37 @@
+From b2840e33127ce0eea880504b7f133e780f567a9b Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Wed, 25 Feb 2026 11:59:58 -0800
+Subject: btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()
+
+From: Bart Van Assche
+
+commit b2840e33127ce0eea880504b7f133e780f567a9b upstream.
+
+Call rcu_read_lock() before exiting the loop in
+try_release_subpage_extent_buffer() because there is a rcu_read_unlock()
+call past the loop.
+
+This has been detected by the Clang thread-safety analyzer.
+
+Fixes: ad580dfa388f ("btrfs: fix subpage deadlock in try_release_subpage_extent_buffer()")
+CC: stable@vger.kernel.org # 6.18+
+Reviewed-by: Qu Wenruo
+Reviewed-by: Boris Burkov
+Signed-off-by: Bart Van Assche
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/extent_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4475,6 +4475,7 @@ static int try_release_subpage_extent_bu
+ */
+ if (!test_and_clear_bit(EXTENT_BUFFER_TREE_REF, &eb->bflags)) {
+ spin_unlock(&eb->refs_lock);
++ rcu_read_lock();
+ break;
+ }
+
diff --git a/queue-6.19/btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch b/queue-6.19/btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch
new file mode 100644
index 0000000000..d4f39d47a7
--- /dev/null
+++ b/queue-6.19/btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch
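Review bot: The `rcu_read_lock()` added directly before `break` in `try_release_subpage_extent_buffer()` (fs/btrfs/extent_io.c) looks like a mistake when read in isolation, and the patch subject calls it a missing unlock although the code takes the lock. According to the commit message an `rcu_read_unlock()` follows the loop, which is outside this hunk, so the lock state has to be restored on this exit path. A short comment would make that pairing explicit for the next reader, for example `/* Re-take the RCU read lock; rcu_read_unlock() is called after the loop. */`.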
@@ -0,0 +1,189 @@ +From 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 26 Feb 2026 11:05:43 +0000 +Subject: btrfs: fix transaction abort on file creation due to name hash collision + +From: Filipe Manana + +commit 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 upstream. + +If we attempt to create several files with names that result in the same +hash, we have to pack them in same dir item and that has a limit inherent +to the leaf size. However if we reach that limit, we trigger a transaction +abort and turns the filesystem into RO mode. This allows for a malicious +user to disrupt a system, without the need to have administration +privileges/capabilities. + +Reproducer: + + $ cat exploit-hash-collisions.sh + #!/bin/bash + + DEV=/dev/sdi + MNT=/mnt/sdi + + # Use smallest node size to make the test faster and require fewer file + # names that result in hash collision. + mkfs.btrfs -f --nodesize 4K $DEV + mount $DEV $MNT + + # List of names that result in the same crc32c hash for btrfs. 
+ declare -a names=( + 'foobar' + '%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC' + 'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z' + 'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4' + 'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:' + 'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO' + 'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us' + 'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY' + 'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO' + 'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU' + 'Ono7avN5GjC:_6dBJ_' + 'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am' + 'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k' + 'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2' + 'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd' + 'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm' + 'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ' + 
'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky' + 'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS' + 'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz' + 'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu' + 'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN' + 'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4=' + 'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn' + 'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C' + 'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW' + '8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc' + 'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mCaaKGxb990jzaagRktDTyp' + '9hD2ApKa_t_7x-a@GCG28kY:7$M@5udI1myQ$x5udtggvagmCQcq9QXWRC5hoB0o-_zHQUqZI5rMcz_kbMgvN5jr63LeYA4Cj-c6F5Ugmx6DgVf@2Jqm%MafecpgooqreJ53P-QTS' + ) + + # Now create files with all those names in the same parent directory. + # It should not fail since a 4K leaf has enough space for them. + for name in "${names[@]}"; do + touch $MNT/$name + done + + # Now add one more file name that causes a crc32c hash collision. + # This should fail, but it should not turn the filesystem into RO mode + # (which could be exploited by malicious users) due to a transaction + # abort. + touch $MNT/'W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt' + + # Check that we are able to create another file, with a name that does not cause + # a crc32c hash collision. 
+ echo -n "hello world" > $MNT/baz + + # Unmount and mount again, verify file baz exists and with the right content. + umount $MNT + mount $DEV $MNT + echo "File baz content: $(cat $MNT/baz)" + + umount $MNT + +When running the reproducer: + + $ ./exploit-hash-collisions.sh + (...) + touch: cannot touch '/mnt/sdi/W6tIm-VK2@BGC@IBfcgg6j_p:pxp_QUqtWpGD5Ok_GmijKOJJt': Value too large for defined data type + ./exploit-hash-collisions.sh: line 57: /mnt/sdi/baz: Read-only file system + cat: /mnt/sdi/baz: No such file or directory + File baz content: + +And the transaction abort stack trace in dmesg/syslog: + + $ dmesg + (...) + [758240.509761] ------------[ cut here ]------------ + [758240.510668] BTRFS: Transaction aborted (error -75) + [758240.511577] WARNING: fs/btrfs/inode.c:6854 at btrfs_create_new_inode+0x805/0xb50 [btrfs], CPU#6: touch/888644 + [758240.513513] Modules linked in: btrfs dm_zero (...) + [758240.523221] CPU: 6 UID: 0 PID: 888644 Comm: touch Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) + [758240.524621] Tainted: [W]=WARN + [758240.525037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [758240.526331] RIP: 0010:btrfs_create_new_inode+0x80b/0xb50 [btrfs] + [758240.527093] Code: 0f 82 cf (...) 
+ [758240.529211] RSP: 0018:ffffce64418fbb48 EFLAGS: 00010292 + [758240.529935] RAX: 00000000ffffffd3 RBX: 0000000000000000 RCX: 00000000ffffffb5 + [758240.531040] RDX: 0000000d04f33e06 RSI: 00000000ffffffb5 RDI: ffffffffc0919dd0 + [758240.531920] RBP: ffffce64418fbc10 R08: 0000000000000000 R09: 00000000ffffffb5 + [758240.532928] R10: 0000000000000000 R11: ffff8e52c0000000 R12: ffff8e53eee7d0f0 + [758240.533818] R13: ffff8e57f70932a0 R14: ffff8e5417629568 R15: 0000000000000000 + [758240.534664] FS: 00007f1959a2a740(0000) GS:ffff8e5b27cae000(0000) knlGS:0000000000000000 + [758240.535821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [758240.536644] CR2: 00007f1959b10ce0 CR3: 000000012a2cc005 CR4: 0000000000370ef0 + [758240.537517] Call Trace: + [758240.537828] + [758240.538099] btrfs_create_common+0xbf/0x140 [btrfs] + [758240.538760] path_openat+0x111a/0x15b0 + [758240.539252] do_filp_open+0xc2/0x170 + [758240.539699] ? preempt_count_add+0x47/0xa0 + [758240.540200] ? __virt_addr_valid+0xe4/0x1a0 + [758240.540800] ? __check_object_size+0x1b3/0x230 + [758240.541661] ? alloc_fd+0x118/0x180 + [758240.542315] do_sys_openat2+0x70/0xd0 + [758240.543012] __x64_sys_openat+0x50/0xa0 + [758240.543723] do_syscall_64+0x50/0xf20 + [758240.544462] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [758240.545397] RIP: 0033:0x7f1959abc687 + [758240.546019] Code: 48 89 fa (...) 
+ [758240.548522] RSP: 002b:00007ffe16ff8690 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 + [758240.566278] RAX: ffffffffffffffda RBX: 00007f1959a2a740 RCX: 00007f1959abc687 + [758240.567068] RDX: 0000000000000941 RSI: 00007ffe16ffa333 RDI: ffffffffffffff9c + [758240.567860] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + [758240.568707] R10: 00000000000001b6 R11: 0000000000000202 R12: 0000561eec7c4b90 + [758240.569712] R13: 0000561eec7c311f R14: 00007ffe16ffa333 R15: 0000000000000000 + [758240.570758] + [758240.571040] ---[ end trace 0000000000000000 ]--- + [758240.571681] BTRFS: error (device sdi state A) in btrfs_create_new_inode:6854: errno=-75 unknown + [758240.572899] BTRFS info (device sdi state EA): forced readonly + +Fix this by checking for hash collision, and if the adding a new name is +possible, early in btrfs_create_new_inode() before we do any tree updates, +so that we don't need to abort the transaction if we cannot add the new +name due to the leaf size limit. + +A test case for fstests will be sent soon. + +Fixes: caae78e03234 ("btrfs: move common inode creation code into btrfs_create_new_inode()") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Boris Burkov +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -6542,6 +6542,25 @@ int btrfs_create_new_inode(struct btrfs_ + int ret; + bool xa_reserved = false; + ++ if (!args->orphan && !args->subvol) { ++ /* ++ * Before anything else, check if we can add the name to the ++ * parent directory. We want to avoid a dir item overflow in ++ * case we have an existing dir item due to existing name ++ * hash collisions. 
We do this check here before we call ++ * btrfs_add_link() down below so that we can avoid a ++ * transaction abort (which could be exploited by malicious ++ * users). ++ * ++ * For subvolumes we already do this in btrfs_mksubvol(). ++ */ ++ ret = btrfs_check_dir_item_collision(BTRFS_I(dir)->root, ++ btrfs_ino(BTRFS_I(dir)), ++ name); ++ if (ret < 0) ++ return ret; ++ } ++ + path = btrfs_alloc_path(); + if (!path) + return -ENOMEM; diff --git a/queue-6.19/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch b/queue-6.19/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch new file mode 100644 index 0000000000..76963f5d81 --- /dev/null +++ b/queue-6.19/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch 
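Review bot: The early `btrfs_check_dir_item_collision()` call added to `btrfs_create_new_inode()` (fs/btrfs/inode.c) forms a check-then-act pair with the later `btrfs_add_link()`, and the new comment does not say what prevents the parent's dir item from growing between the two. Presumably the caller holds the parent directory's inode lock for the whole creation, but nothing in the hunk shows it. If that is the guarantee, the comment should state it, for example ` * The parent directory is locked by the caller, so no colliding name can be added before btrfs_add_link() runs.` Without such a guarantee on every caller, the transaction abort this patch removes would still be reachable through a race. The function body continues outside the hunk.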
@@ -0,0 +1,133 @@
+From 87f2c46003fce4d739138aab4af1942b1afdadac Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Thu, 26 Feb 2026 23:41:07 +0000
+Subject: btrfs: fix transaction abort on set received ioctl due to item overflow
+
+From: Filipe Manana
+
+commit 87f2c46003fce4d739138aab4af1942b1afdadac upstream.
+
+If the set received ioctl fails due to an item overflow when attempting to
+add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
+since we did some metadata updates before.
+
+This means that if a user calls this ioctl with the same received UUID
+field for a lot of subvolumes, we will hit the overflow, trigger the
+transaction abort and turn the filesystem into RO mode. A malicious user
+could exploit this, and this ioctl does not even requires that a user
+has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
+
+Fix this by doing an early check for item overflow before starting a
+transaction. This is also race safe because we are holding the subvol_sem
+semaphore in exclusive (write) mode.
+
+A test case for fstests will follow soon.
+
+Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
+CC: stable@vger.kernel.org # 3.12+
+Reviewed-by: Anand Jain
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/ioctl.c | 21 +++++++++++++++++++--
+ fs/btrfs/uuid-tree.c | 38 ++++++++++++++++++++++++++++++++++++++
+ fs/btrfs/uuid-tree.h | 2 ++
+ 3 files changed, 59 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3932,6 +3932,25 @@ static long _btrfs_ioctl_set_received_su
+ goto out;
+ }
+
++ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
++ BTRFS_UUID_SIZE);
++
++ /*
++ * Before we attempt to add the new received uuid, check if we have room
++ * for it in case there's already an item. If the size of the existing
++ * item plus this root's ID (u64) exceeds the maximum item size, we can
++ * return here without the need to abort a transaction. If we don't do
++ * this check, the btrfs_uuid_tree_add() call below would fail with
++ * -EOVERFLOW and result in a transaction abort. Malicious users could
++ * exploit this to turn the fs into RO mode.
++ */
++ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
++ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
++ BTRFS_UUID_KEY_RECEIVED_SUBVOL);
++ if (ret < 0)
++ goto out;
++ }
++
+ /*
+ * 1 - root item
+ * 2 - uuid items (received uuid + subvol uuid)
+@@ -3947,8 +3966,6 @@ static long _btrfs_ioctl_set_received_su
+ sa->rtime.sec = ct.tv_sec;
+ sa->rtime.nsec = ct.tv_nsec;
+
+- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
+- BTRFS_UUID_SIZE);
+ if (received_uuid_changed &&
+ !btrfs_is_empty_uuid(root_item->received_uuid)) {
+ ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
+--- a/fs/btrfs/uuid-tree.c
++++ b/fs/btrfs/uuid-tree.c
+@@ -199,6 +199,44 @@ int btrfs_uuid_tree_remove(struct btrfs_
+ return 0;
+ }
+
++/*
++ * Check if we can add one root ID to a UUID key.
++ * If the key does not yet exists, we can, otherwise only if extended item does
++ * not exceeds the maximum item size permitted by the leaf size.
++ *
++ * Returns 0 on success, negative value on error.
++ */
++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
++ const u8 *uuid, u8 type)
++{
++ BTRFS_PATH_AUTO_FREE(path);
++ int ret;
++ u32 item_size;
++ struct btrfs_key key;
++
++ if (WARN_ON_ONCE(!fs_info->uuid_root))
++ return -EINVAL;
++
++ path = btrfs_alloc_path();
++ if (!path)
++ return -ENOMEM;
++
++ btrfs_uuid_to_key(uuid, type, &key);
++ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
++ if (ret < 0)
++ return ret;
++ if (ret > 0)
++ return 0;
++
++ item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
++
++ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
++ BTRFS_LEAF_DATA_SIZE(fs_info))
++ return -EOVERFLOW;
++
++ return 0;
++}
++
+ static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
+ u64 subid)
+ {
+--- a/fs/btrfs/uuid-tree.h
++++ b/fs/btrfs/uuid-tree.h
+@@ -12,6 +12,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra
+ u64 subid);
+ int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, const u8 *uuid, u8 type,
+ u64 subid);
++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
++ const u8 *uuid, u8 type);
+ int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
+ int btrfs_create_uuid_tree(struct btrfs_fs_info *fs_info);
+ int btrfs_uuid_scan_kthread(void *data);
diff --git a/queue-6.19/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch b/queue-6.19/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
new file mode 100644
index 0000000000..88bbf822a7
--- /dev/null
+++ b/queue-6.19/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
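Review bot: `btrfs_uuid_tree_check_overflow()` (fs/btrfs/uuid-tree.c) only works as a guard if nothing can extend the same UUID item between this check and the later `btrfs_uuid_tree_add()`, yet neither its header comment nor the comment added in `_btrfs_ioctl_set_received_subvol()` states that precondition. The commit message says the ioctl holds `subvol_sem` in write mode; since the helper is exported through uuid-tree.h, that belongs in the header comment as a caller requirement, because a later caller without the lock would bring back the user-triggerable abort. The header comment should also list the return values visible in the body (`-EOVERFLOW` when the item cannot grow, `-ENOMEM`, `-EINVAL`, or the `btrfs_search_slot()` error) instead of "negative value on error". The size test `sizeof(struct btrfs_item) + item_size + sizeof(u64) > BTRFS_LEAF_DATA_SIZE(fs_info)` presumably mirrors the limit enforced on the add path, and a comment naming that code would keep the two from drifting apart.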
@@ -0,0 +1,169 @@ +From e1b18b959025e6b5dbad668f391f65d34b39595a Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 23 Feb 2026 16:19:31 +0000 +Subject: btrfs: fix transaction abort when snapshotting received subvolumes + +From: Filipe Manana + +commit e1b18b959025e6b5dbad668f391f65d34b39595a upstream. + +Currently a user can trigger a transaction abort by snapshotting a +previously received snapshot a bunch of times until we reach a +BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we +can store in a leaf). This is very likely not common in practice, but +if it happens, it turns the filesystem into RO mode. The snapshot, send +and set_received_subvol and subvol_setflags (used by receive) don't +require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user +could use this to turn a filesystem into RO mode and disrupt a system. + +Reproducer script: + + $ cat test.sh + #!/bin/bash + + DEV=/dev/sdi + MNT=/mnt/sdi + + # Use smallest node size to make the test faster. + mkfs.btrfs -f --nodesize 4K $DEV + mount $DEV $MNT + + # Create a subvolume and set it to RO so that it can be used for send. + btrfs subvolume create $MNT/sv + touch $MNT/sv/foo + btrfs property set $MNT/sv ro true + + # Send and receive the subvolume into snaps/sv. + mkdir $MNT/snaps + btrfs send $MNT/sv | btrfs receive $MNT/snaps + + # Now snapshot the received subvolume, which has a received_uuid, a + # lot of times to trigger the leaf overflow. + total=500 + for ((i = 1; i <= $total; i++)); do + echo -ne "\rCreating snapshot $i/$total" + btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null + done + echo + + umount $MNT + +When running the test: + + $ ./test.sh + (...) 
+ Create subvolume '/mnt/sdi/sv' + At subvol /mnt/sdi/sv + At subvol sv + Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type + Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system + +And in dmesg/syslog: + + $ dmesg + (...) + [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! + [251067.629212] ------------[ cut here ]------------ + [251067.630033] BTRFS: Transaction aborted (error -75) + [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 + [251067.632851] Modules linked in: btrfs dm_zero (...) + [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) + [251067.646165] Tainted: [W]=WARN + [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] + [251067.649984] Code: f0 48 0f (...) 
+ [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 + [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 + [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 + [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 + [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 + [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 + [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 + [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 + [251067.661972] Call Trace: + [251067.662292] + [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] + [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] + [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] + [251067.665238] ? _raw_spin_unlock+0x15/0x30 + [251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs] + [251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs] + [251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs] + [251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs] + [251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs] + [251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs] + [251067.670093] ? count_memcg_events+0x6d/0x180 + [251067.670849] ? handle_mm_fault+0x1a0/0x2a0 + [251067.671652] __x64_sys_ioctl+0x92/0xe0 + [251067.672406] do_syscall_64+0x50/0xf20 + [251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [251067.674096] RIP: 0033:0x7f2a495648db + [251067.674812] Code: 00 48 89 (...) 
+ [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db + [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004 + [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 + [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910 + [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006 + [251067.686524] + [251067.686972] ---[ end trace 0000000000000000 ]--- + [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown + [251067.689049] BTRFS info (device sdi state EA): forced readonly + [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction. + [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown + [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda + +Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the +snapshot creation code when attempting to add the +BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical +and we are still able to delete the snapshot, as snapshot/subvolume +deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see +inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do +send/receive operations since it always peeks the first root ID in the +existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all +snapshots have the same content), and even if the key is missing, it +falls back to searching by BTRFS_UUID_KEY_SUBVOL key. + +A test case for fstests will be sent soon. 
+ +Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") +CC: stable@vger.kernel.org # 3.12+ +Reviewed-by: Boris Burkov +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1904,6 +1904,22 @@ static noinline int create_pending_snaps + ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid, + BTRFS_UUID_KEY_RECEIVED_SUBVOL, + objectid); ++ /* ++ * We are creating of lot of snapshots of the same root that was ++ * received (has a received UUID) and reached a leaf's limit for ++ * an item. We can safely ignore this and avoid a transaction ++ * abort. A deletion of this snapshot will still work since we ++ * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key ++ * is missing (see btrfs_delete_subvolume()). Send/receive will ++ * work too since it peeks the first root id from the existing ++ * item (it could peek any), and in case it's missing it ++ * falls back to search by BTRFS_UUID_KEY_SUBVOL keys. ++ * Creation of a snapshot does not require CAP_SYS_ADMIN, so ++ * we don't want users triggering transaction aborts, either ++ * intentionally or not. ++ */ ++ if (ret == -EOVERFLOW) ++ ret = 0; + if (unlikely(ret && ret != -EEXIST)) { + btrfs_abort_transaction(trans, ret); + goto fail; diff --git a/queue-6.19/can-dev-keep-the-max-bitrate-error-at-5.patch b/queue-6.19/can-dev-keep-the-max-bitrate-error-at-5.patch new file mode 100644 index 0000000000..cfa596c4e3 --- /dev/null +++ b/queue-6.19/can-dev-keep-the-max-bitrate-error-at-5.patch 
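Review bot: Mapping `-EOVERFLOW` to success in `create_pending_snapshot()` (fs/btrfs/transaction.c) makes the skipped BTRFS_UUID_KEY_RECEIVED_SUBVOL entry silent at this call site, while the dmesg quoted in the commit message shows a `BTRFS warning ... insert uuid item failed -75` line printed before the abort. This hunk does not touch `btrfs_uuid_tree_add()`, so presumably that warning is still logged for every snapshot created past the limit. Snapshot creation does not require CAP_SYS_ADMIN, so it is worth confirming the message is rate limited or downgraded for this now-expected case; otherwise an unprivileged user can keep filling the kernel log. The new comment could also say that the remaining warning is the only trace of the omitted entry, so operators reading it know the filesystem is still consistent.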
@@ -0,0 +1,44 @@
+From 1eea46908c57abb7109b1fce024f366ae6c69c4f Mon Sep 17 00:00:00 2001
+From: Haibo Chen
+Date: Fri, 6 Mar 2026 17:04:48 +0800
+Subject: can: dev: keep the max bitrate error at 5%
+
+From: Haibo Chen
+
+commit 1eea46908c57abb7109b1fce024f366ae6c69c4f upstream.
+
+Commit b360a13d44db ("can: dev: print bitrate error with two decimal
+digits") changed calculation of the bit rate error from on-tenth of a
+percent to on-hundredth of a percent, but forgot to adjust the scale of the
+CAN_CALC_MAX_ERROR constant.
+
+Keeping the existing logic unchanged: Only when the bitrate error exceeds
+5% should an error be returned. Otherwise, simply output a warning log.
+
+Fixes: b360a13d44db ("can: dev: print bitrate error with two decimal digits")
+Signed-off-by: Haibo Chen
+Link: https://patch.msgid.link/20260306-can-fix-v1-1-ac526cec6777@nxp.com
+Cc: stable@kernel.org
+[mkl: improve commit message]
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/dev/calc_bittiming.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/dev/calc_bittiming.c b/drivers/net/can/dev/calc_bittiming.c
+index cc4022241553..42498e9d3f38 100644
+--- a/drivers/net/can/dev/calc_bittiming.c
++++ b/drivers/net/can/dev/calc_bittiming.c
+@@ -8,7 +8,7 @@
+ #include
+ #include
+
+-#define CAN_CALC_MAX_ERROR 50 /* in one-tenth of a percent */
++#define CAN_CALC_MAX_ERROR 500 /* max error 5% */
+
+ /* CiA recommended sample points for Non Return to Zero encoding. */
+ static int can_calc_sample_point_nrz(const struct can_bittiming *bt)
+--
+2.53.0
+
diff --git a/queue-6.19/cifs-make-default-value-of-retrans-as-zero.patch b/queue-6.19/cifs-make-default-value-of-retrans-as-zero.patch
new file mode 100644
index 0000000000..544048cf35
--- /dev/null
+++ b/queue-6.19/cifs-make-default-value-of-retrans-as-zero.patch
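Review bot: The replacement comment on `CAN_CALC_MAX_ERROR` in drivers/net/can/dev/calc_bittiming.c drops the unit, which is the very information whose mismatch caused this bug. `500 /* max error 5% */` leaves the reader to work out the scale from the calculation, which is outside the hunk. Stating the unit keeps the constant tied to that calculation: `#define CAN_CALC_MAX_ERROR 500 /* in one-hundredth of a percent, i.e. 5% */`. The unit is taken from the commit message.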
@@ -0,0 +1,34 @@
+From e3beefd3af09f8e460ddaf39063d3d7664d7ab59 Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N
+Date: Wed, 11 Mar 2026 10:48:54 +0530
+Subject: cifs: make default value of retrans as zero
+
+From: Shyam Prasad N
+
+commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59 upstream.
+
+When retrans mount option was introduced, the default value was set
+as 1. However, in the light of some bugs that this has exposed recently
+we should change it to 0 and retain the old behaviour before this option
+was introduced.
+
+Cc:
+Reviewed-by: Bharath SM
+Signed-off-by: Shyam Prasad N
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/fs_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1998,7 +1998,7 @@ int smb3_init_fs_context(struct fs_conte
+ ctx->backupuid_specified = false; /* no backup intent for a user */
+ ctx->backupgid_specified = false; /* no backup intent for a group */
+
+- ctx->retrans = 1;
++ ctx->retrans = 0;
+ ctx->reparse_type = CIFS_REPARSE_TYPE_DEFAULT;
+ ctx->symlink_type = CIFS_SYMLINK_TYPE_DEFAULT;
+ ctx->nonativesocket = 0;
diff --git a/queue-6.19/drm-amd-fix-a-few-more-null-pointer-dereference-in-device-cleanup.patch b/queue-6.19/drm-amd-fix-a-few-more-null-pointer-dereference-in-device-cleanup.patch
new file mode 100644
index 0000000000..18e736123a
--- /dev/null
+++ b/queue-6.19/drm-amd-fix-a-few-more-null-pointer-dereference-in-device-cleanup.patch
@@ -0,0 +1,54 @@
+From 72ecb1dae72775fa9fea0159d8445d620a0a2295 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Thu, 5 Mar 2026 09:06:11 -0600
+Subject: drm/amd: Fix a few more NULL pointer dereference in device cleanup
+
+From: Mario Limonciello
+
+commit 72ecb1dae72775fa9fea0159d8445d620a0a2295 upstream.
+
+I found a few more paths that cleanup fails due to a NULL version pointer
+on unsupported hardware.
+
+Add NULL checks as applicable.
+
+Fixes: 39fc2bc4da00 ("drm/amdgpu: Protect GPU register accesses in powergated state in some paths")
+Reviewed-by: Alex Deucher
+Signed-off-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+(cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3654,6 +3654,8 @@ static int amdgpu_device_ip_fini_early(s
+ int i, r;
+
+ for (i = 0; i < adev->num_ip_blocks; i++) {
++ if (!adev->ip_blocks[i].version)
++ continue;
+ if (!adev->ip_blocks[i].version->funcs->early_fini)
+ continue;
+
+@@ -3730,6 +3732,8 @@ static int amdgpu_device_ip_fini(struct
+ if (!adev->ip_blocks[i].status.sw)
+ continue;
+
++ if (!adev->ip_blocks[i].version)
++ continue;
+ if (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GMC) {
+ amdgpu_ucode_free_bo(adev);
+ amdgpu_free_static_csa(&adev->virt.csa_obj);
+@@ -3756,6 +3760,8 @@ static int amdgpu_device_ip_fini(struct
+ for (i = adev->num_ip_blocks - 1; i >= 0; i--) {
+ if (!adev->ip_blocks[i].status.late_initialized)
+ continue;
++ if (!adev->ip_blocks[i].version)
++ continue;
+ if (adev->ip_blocks[i].version->funcs->late_fini)
+ adev->ip_blocks[i].version->funcs->late_fini(&adev->ip_blocks[i]);
+ adev->ip_blocks[i].status.late_initialized = false;
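Review bot: In the third hunk of amdgpu_device.c (the reverse loop in amdgpu_device_ip_fini), the added `continue` on a NULL `version` also skips the `status.late_initialized = false` line that follows, so such a block keeps its flag set. If a block can be late-initialized with a NULL version (not visible here), folding the check into the call, `if (adev->ip_blocks[i].version && adev->ip_blocks[i].version->funcs->late_fini)`, would avoid the dereference and still clear the flag. The loops in all three hunks start or end outside the hunk, and none of the new guards covers `version->funcs`, which the following lines dereference; that looks like an existing assumption rather than something this patch changes.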
diff --git a/queue-6.19/drm-amd-fix-null-pointer-dereference-in-device-cleanup.patch b/queue-6.19/drm-amd-fix-null-pointer-dereference-in-device-cleanup.patch
new file mode 100644
index 0000000000..38fa356ccc
--- /dev/null
+++ b/queue-6.19/drm-amd-fix-null-pointer-dereference-in-device-cleanup.patch
@@ -0,0 +1,52 @@ +From 062ea905fff7756b2e87143ffccaece5cdb44267 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 4 Mar 2026 14:07:40 -0600 +Subject: drm/amd: Fix NULL pointer dereference in device cleanup + +From: Mario Limonciello + +commit 062ea905fff7756b2e87143ffccaece5cdb44267 upstream. + +When GPU initialization fails due to an unsupported HW block +IP blocks may have a NULL version pointer. During cleanup in +amdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and +amdgpu_device_set_cg_state which iterate over all IP blocks and access +adev->ip_blocks[i].version without NULL checks, leading to a kernel +NULL pointer dereference. + +Add NULL checks for adev->ip_blocks[i].version in both +amdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent +dereferencing NULL pointers during GPU teardown when initialization has +failed. + +Fixes: 39fc2bc4da00 ("drm/amdgpu: Protect GPU register accesses in powergated state in some paths") +Reviewed-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3404,6 +3404,8 @@ int amdgpu_device_set_cg_state(struct am + i = state == AMD_CG_STATE_GATE ? j : adev->num_ip_blocks - j - 1; + if (!adev->ip_blocks[i].status.late_initialized) + continue; ++ if (!adev->ip_blocks[i].version) ++ continue; + /* skip CG for GFX, SDMA on S0ix */ + if (adev->in_s0ix && + (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX || +@@ -3443,6 +3445,8 @@ int amdgpu_device_set_pg_state(struct am + i = state == AMD_PG_STATE_GATE ? 
j : adev->num_ip_blocks - j - 1; + if (!adev->ip_blocks[i].status.late_initialized) + continue; ++ if (!adev->ip_blocks[i].version) ++ continue; + /* skip PG for GFX, SDMA on S0ix */ + if (adev->in_s0ix && + (adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX || diff --git a/queue-6.19/drm-amd-pm-remove-invalid-gpu_metrics.energy_accumulator-on-smu-v13.0.x.patch b/queue-6.19/drm-amd-pm-remove-invalid-gpu_metrics.energy_accumulator-on-smu-v13.0.x.patch new file mode 100644 index 0000000000..eb0fab983e --- /dev/null +++ b/queue-6.19/drm-amd-pm-remove-invalid-gpu_metrics.energy_accumulator-on-smu-v13.0.x.patch 
@@ -0,0 +1,62 @@ +From 68785c5e79e0fc1eacf63026fbba32be3867f410 Mon Sep 17 00:00:00 2001 +From: Yang Wang +Date: Wed, 25 Feb 2026 22:51:06 -0500 +Subject: drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x + +From: Yang Wang + +commit 68785c5e79e0fc1eacf63026fbba32be3867f410 upstream. + +v1: +The metrics->EnergyAccumulator field has been deprecated on newer pmfw. + +v2: +add smu 13.0.0/13.0.7/13.0.10 support. + +Signed-off-by: Yang Wang +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 8de9edb35976fa56565dc8fbb5d1310e8e10187c) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 8 +++++++- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 ++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +@@ -2110,6 +2110,7 @@ static ssize_t smu_v13_0_0_get_gpu_metri + (struct gpu_metrics_v1_3 *)smu_table->gpu_metrics_table; + SmuMetricsExternal_t metrics_ext; + SmuMetrics_t *metrics = &metrics_ext.SmuMetrics; ++ uint32_t mp1_ver = amdgpu_ip_version(smu->adev, MP1_HWIP, 0); + int ret = 0; + + ret = smu_cmn_get_metrics_table(smu, +@@ -2134,7 +2135,12 @@ static ssize_t smu_v13_0_0_get_gpu_metri + metrics->Vcn1ActivityPercentage); + + gpu_metrics->average_socket_power = metrics->AverageSocketPower; +- gpu_metrics->energy_accumulator = metrics->EnergyAccumulator; ++ ++ if ((mp1_ver == IP_VERSION(13, 0, 0) && smu->smc_fw_version <= 0x004e1e00) || ++ (mp1_ver == IP_VERSION(13, 0, 10) && smu->smc_fw_version <= 0x00500800)) ++ gpu_metrics->energy_accumulator = metrics->EnergyAccumulator; ++ else ++ gpu_metrics->energy_accumulator = UINT_MAX; + + if (metrics->AverageGfxActivity <= SMU_13_0_0_BUSY_THRESHOLD) + gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs; +--- 
a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +@@ -2120,7 +2120,8 @@ static ssize_t smu_v13_0_7_get_gpu_metri + metrics->Vcn1ActivityPercentage); + + gpu_metrics->average_socket_power = metrics->AverageSocketPower; +- gpu_metrics->energy_accumulator = metrics->EnergyAccumulator; ++ gpu_metrics->energy_accumulator = smu->smc_fw_version <= 0x00521400 ? ++ metrics->EnergyAccumulator : UINT_MAX; + + if (metrics->AverageGfxActivity <= SMU_13_0_7_BUSY_THRESHOLD) + gpu_metrics->average_gfxclk_frequency = metrics->AverageGfxclkFrequencyPostDs; diff --git a/queue-6.19/drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch b/queue-6.19/drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch new file mode 100644 index 0000000000..388d5880b9 --- /dev/null +++ b/queue-6.19/drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch 
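Review bot: The firmware cut-offs `0x004e1e00`, `0x00500800` and `0x00521400` in smu_v13_0_0_get_gpu_metrics and smu_v13_0_7_get_gpu_metrics are bare literals, with no comment saying which PMFW release each one encodes or why the field is only valid up to it. A one-line comment such as `/* EnergyAccumulator is deprecated in newer PMFW; report it only for firmware up to these versions */` above each test would make the next version bump reviewable. Separately, if `energy_accumulator` is wider than 32 bits (its declaration is not on this page), `UINT_MAX` fills only the low half and would not match an all-ones "unsupported" value that consumers may test for; worth confirming against the struct definition. Both functions continue outside the hunks.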
@@ -0,0 +1,53 @@
+From 3646ff28780b4c52c5b5081443199e7a430110e5 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Tue, 10 Mar 2026 11:58:22 -0500
+Subject: drm/amd: Set num IP blocks to 0 if discovery fails
+
+From: Mario Limonciello
+
+commit 3646ff28780b4c52c5b5081443199e7a430110e5 upstream.
+
+If discovery has failed for any reason (such as no support for a block)
+then there is no need to unwind all the IP blocks in fini. In this
+condition there can actually be failures during the unwind too.
+
+Reset num_ip_blocks to zero during failure path and skip the unnecessary
+cleanup path.
+
+Suggested-by: Lijo Lazar
+Reviewed-by: Lijo Lazar
+Signed-off-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+(cherry picked from commit fae5984296b981c8cc3acca35b701c1f332a6cd8)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2843,8 +2843,10 @@ static int amdgpu_device_ip_early_init(s
+ break;
+ default:
+ r = amdgpu_discovery_set_ip_blocks(adev);
+- if (r)
++ if (r) {
++ adev->num_ip_blocks = 0;
+ return r;
++ }
+ break;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+@@ -83,7 +83,7 @@ void amdgpu_driver_unload_kms(struct drm
+ {
+ struct amdgpu_device *adev = drm_to_adev(dev);
+
+- if (adev == NULL)
++ if (adev == NULL || !adev->num_ip_blocks)
+ return;
+
+ amdgpu_unregister_gpu_instance(adev);
diff --git a/queue-6.19/drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch b/queue-6.19/drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch
new file mode 100644
index 0000000000..4a8e262eca
--- /dev/null
+++ b/queue-6.19/drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch
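Review bot: The new `!adev->num_ip_blocks` test in amdgpu_driver_unload_kms makes a zero block count mean "discovery failed, skip teardown", but nothing at either site says so. A comment on the early return, e.g. `/* num_ip_blocks == 0: IP discovery failed in early init, nothing to unwind */`, would document the coupling with the `adev->num_ip_blocks = 0;` added in amdgpu_device_ip_early_init. The early return also skips `amdgpu_unregister_gpu_instance(adev)` and whatever follows it outside the hunk, so it is worth confirming that none of that state is set up before discovery runs. Only the `default:` arm of the switch resets the count; the other arms are outside the hunk.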
@@ -0,0 +1,45 @@
+From 2c1030f2e84885cc58bffef6af67d5b9d2e7098f Mon Sep 17 00:00:00 2001
+From: Alysa Liu
+Date: Thu, 5 Feb 2026 11:21:45 -0500
+Subject: drm/amdgpu: Fix use-after-free race in VM acquire
+
+From: Alysa Liu
+
+commit 2c1030f2e84885cc58bffef6af67d5b9d2e7098f upstream.
+
+Replace non-atomic vm->process_info assignment with cmpxchg()
+to prevent race when parent/child processes sharing a drm_file
+both try to acquire the same VM after fork().
+
+Reviewed-by: Harish Kasiviswanathan
+Signed-off-by: Alysa Liu
+Signed-off-by: Alex Deucher
+(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1428,7 +1428,10 @@ static int init_kfd_vm(struct amdgpu_vm
+ *process_info = info;
+ }
+
+- vm->process_info = *process_info;
++ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) {
++ ret = -EINVAL;
++ goto already_acquired;
++ }
+
+ /* Validate page directory and attach eviction fence */
+ ret = amdgpu_bo_reserve(vm->root.bo, true);
+@@ -1468,6 +1471,7 @@ validate_pd_fail:
+ amdgpu_bo_unreserve(vm->root.bo);
+ reserve_pd_fail:
+ vm->process_info = NULL;
++already_acquired:
+ if (info) {
+ dma_fence_put(&info->eviction_fence->base);
+ *process_info = NULL;
diff --git a/queue-6.19/drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch b/queue-6.19/drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch
new file mode 100644
index 0000000000..c055bd80f3
--- /dev/null
+++ b/queue-6.19/drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch
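Review bot: The `already_acquired:` label in init_kfd_vm sits after `vm->process_info = NULL;` so that the loser of the cmpxchg() does not clear the pointer installed by the winner, but nothing in the code says so. Since that ordering is the core of the use-after-free fix, I would add a comment at the label, e.g. `/* lost the race: vm->process_info belongs to the other acquirer, do not clear it */`, so a later cleanup does not merge the two labels. The remaining error labels still reset the pointer with a plain store, which looks fine as long as only the winning caller can reach them; the function body continues outside both hunks.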
@@ -0,0 +1,50 @@
+From 2f22702dc0fee06a240404e0f7ead5b789b253d8 Mon Sep 17 00:00:00 2001
+From: Luca Ceresoli
+Date: Thu, 26 Feb 2026 17:16:44 +0100
+Subject: drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
+
+From: Luca Ceresoli
+
+commit 2f22702dc0fee06a240404e0f7ead5b789b253d8 upstream.
+
+The DSI frequency must be in the range:
+
+ (CHA_DSI_CLK_RANGE * 5 MHz) <= DSI freq < ((CHA_DSI_CLK_RANGE + 1) * 5 MHz)
+
+So the register value should point to the lower range value, but
+DIV_ROUND_UP() rounds the division to the higher range value, resulting in
+an excess of 1 (unless the frequency is an exact multiple of 5 MHz).
+
+For example for a 437100000 MHz clock CHA_DSI_CLK_RANGE should be 87 (0x57):
+
+ (87 * 5 = 435) <= 437.1 < (88 * 5 = 440)
+
+but current code returns 88 (0x58).
+
+Fix the computation by removing the DIV_ROUND_UP().
+
+Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Marek Vasut
+Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-1-2e15f5a9a6a0@bootlin.com
+Signed-off-by: Luca Ceresoli
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi83.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+@@ -351,9 +351,9 @@ static u8 sn65dsi83_get_dsi_range(struct
+ * DSI_CLK = mode clock * bpp / dsi_data_lanes / 2
+ * the 2 is there because the bus is DDR.
+ */
+- return DIV_ROUND_UP(clamp((unsigned int)mode->clock *
+- mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
+- ctx->dsi->lanes / 2, 40000U, 500000U), 5000U);
++ return clamp((unsigned int)mode->clock *
++ mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) /
++ ctx->dsi->lanes / 2, 40000U, 500000U) / 5000U;
+ }
+
+ static u8 sn65dsi83_get_dsi_div(struct sn65dsi83 *ctx)
diff --git a/queue-6.19/drm-bridge-ti-sn65dsi83-halve-horizontal-syncs-for-dual-lvds-output.patch b/queue-6.19/drm-bridge-ti-sn65dsi83-halve-horizontal-syncs-for-dual-lvds-output.patch
new file mode 100644
index 0000000000..ab4aa3766e
--- /dev/null
+++ b/queue-6.19/drm-bridge-ti-sn65dsi83-halve-horizontal-syncs-for-dual-lvds-output.patch
@@ -0,0 +1,68 @@ +From d0d727746944096a6681dc6adb5f123fc5aa018d Mon Sep 17 00:00:00 2001 +From: Luca Ceresoli +Date: Thu, 26 Feb 2026 17:16:45 +0100 +Subject: drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output + +From: Luca Ceresoli + +commit d0d727746944096a6681dc6adb5f123fc5aa018d upstream. + +Dual LVDS output (available on the SN65DSI84) requires HSYNC_PULSE_WIDTH +and HORIZONTAL_BACK_PORCH to be divided by two with respect to the values +used for single LVDS output. + +While not clearly stated in the datasheet, this is needed according to the +DSI Tuner [0] output. It also makes sense intuitively because in dual LVDS +output two pixels at a time are output and so the output clock is half of +the pixel clock. + +Some dual-LVDS panels refuse to show any picture without this fix. + +Divide by two HORIZONTAL_FRONT_PORCH too, even though this register is used +only for test pattern generation which is not currently implemented by this +driver. + +[0] https://www.ti.com/tool/DSI-TUNER + +Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") +Cc: stable@vger.kernel.org +Reviewed-by: Marek Vasut +Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-2-2e15f5a9a6a0@bootlin.com +Signed-off-by: Luca Ceresoli +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c +@@ -474,6 +474,7 @@ static void sn65dsi83_atomic_pre_enable( + struct drm_atomic_state *state) + { + struct sn65dsi83 *ctx = bridge_to_sn65dsi83(bridge); ++ const unsigned int dual_factor = ctx->lvds_dual_link ? 
2 : 1; + const struct drm_bridge_state *bridge_state; + const struct drm_crtc_state *crtc_state; + const struct drm_display_mode *mode; +@@ -606,18 +607,18 @@ static void sn65dsi83_atomic_pre_enable( + /* 32 + 1 pixel clock to ensure proper operation */ + le16val = cpu_to_le16(32 + 1); + regmap_bulk_write(ctx->regmap, REG_VID_CHA_SYNC_DELAY_LOW, &le16val, 2); +- le16val = cpu_to_le16(mode->hsync_end - mode->hsync_start); ++ le16val = cpu_to_le16((mode->hsync_end - mode->hsync_start) / dual_factor); + regmap_bulk_write(ctx->regmap, REG_VID_CHA_HSYNC_PULSE_WIDTH_LOW, + &le16val, 2); + le16val = cpu_to_le16(mode->vsync_end - mode->vsync_start); + regmap_bulk_write(ctx->regmap, REG_VID_CHA_VSYNC_PULSE_WIDTH_LOW, + &le16val, 2); + regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_BACK_PORCH, +- mode->htotal - mode->hsync_end); ++ (mode->htotal - mode->hsync_end) / dual_factor); + regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_BACK_PORCH, + mode->vtotal - mode->vsync_end); + regmap_write(ctx->regmap, REG_VID_CHA_HORIZONTAL_FRONT_PORCH, +- mode->hsync_start - mode->hdisplay); ++ (mode->hsync_start - mode->hdisplay) / dual_factor); + regmap_write(ctx->regmap, REG_VID_CHA_VERTICAL_FRONT_PORCH, + mode->vsync_start - mode->vdisplay); + regmap_write(ctx->regmap, REG_VID_CHA_TEST_PATTERN, 0x00); diff --git a/queue-6.19/drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch b/queue-6.19/drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch new file mode 100644 index 0000000000..33fefeb585 --- /dev/null +++ b/queue-6.19/drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch 
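Review bot: The three divisions by `dual_factor` in sn65dsi83_atomic_pre_enable truncate, so in dual-link mode an odd HSYNC width or horizontal porch silently loses a pixel clock and the halved values no longer add up to half of the original blanking. If odd horizontal timings can reach this function (mode validation is outside the hunk), either reject them there or state the rounding choice in a comment such as `/* dual link: two pixels per clock, odd values round down */`. The function starts and ends outside both hunks.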
@@ -0,0 +1,91 @@ +From 029ae067431ab9d0fca479bdabe780fa436706ea Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Tue, 24 Feb 2026 10:49:06 +0100 +Subject: drm/i915: Fix potential overflow of shmem scatterlist length + +From: Janusz Krzysztofik + +commit 029ae067431ab9d0fca479bdabe780fa436706ea upstream. + +When a scatterlists table of a GEM shmem object of size 4 GB or more is +populated with pages allocated from a folio, unsigned int .length +attribute of a scatterlist may get overflowed if total byte length of +pages allocated to that single scatterlist happens to reach or cross the +4GB limit. As a consequence, users of the object may suffer from hitting +unexpected, premature end of the object's backing pages. + +[278.780187] ------------[ cut here ]------------ +[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915] +... +[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary) +[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER +[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024 +[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915] +... +[278.780786] Call Trace: +[278.780787] +[278.780788] ? __apply_to_page_range+0x3e6/0x910 +[278.780795] ? __pfx_remap_sg+0x10/0x10 [i915] +[278.780906] apply_to_page_range+0x14/0x30 +[278.780908] remap_io_sg+0x14d/0x260 [i915] +[278.781013] vm_fault_cpu+0xd2/0x330 [i915] +[278.781137] __do_fault+0x3a/0x1b0 +[278.781140] do_fault+0x322/0x640 +[278.781143] __handle_mm_fault+0x938/0xfd0 +[278.781150] handle_mm_fault+0x12c/0x300 +[278.781152] ? lock_mm_and_find_vma+0x4b/0x760 +[278.781155] do_user_addr_fault+0x2d6/0x8e0 +[278.781160] exc_page_fault+0x96/0x2c0 +[278.781165] asm_exc_page_fault+0x27/0x30 +... 
+ +That issue was apprehended by the author of a change that introduced it, +and potential risk even annotated with a comment, but then never addressed. + +When adding folio pages to a scatterlist table, take care of byte length +of any single scatterlist not exceeding max_segment. + +Fixes: 0b62af28f249b ("i915: convert shmem_sg_free_table() to use a folio_batch") +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14809 +Cc: Matthew Wilcox (Oracle) +Cc: Andrew Morton +Cc: stable@vger.kernel.org # v6.5+ +Signed-off-by: Janusz Krzysztofik +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260224094944.2447913-2-janusz.krzysztofik@linux.intel.com +(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c +@@ -151,8 +151,12 @@ int shmem_sg_alloc_table(struct drm_i915 + } + } while (1); + +- nr_pages = min_t(unsigned long, +- folio_nr_pages(folio), page_count - i); ++ nr_pages = min_array(((unsigned long[]) { ++ folio_nr_pages(folio), ++ page_count - i, ++ max_segment / PAGE_SIZE, ++ }), 3); ++ + if (!i || + sg->length >= max_segment || + folio_pfn(folio) != next_pfn) { +@@ -162,7 +166,9 @@ int shmem_sg_alloc_table(struct drm_i915 + st->nents++; + sg_set_folio(sg, folio, nr_pages * PAGE_SIZE, 0); + } else { +- /* XXX: could overflow? */ ++ nr_pages = min_t(unsigned long, nr_pages, ++ (max_segment - sg->length) / PAGE_SIZE); ++ + sg->length += nr_pages * PAGE_SIZE; + } + next_pfn = folio_pfn(folio) + nr_pages; diff --git a/queue-6.19/drm-i915-psr-repeat-selective-update-area-alignment.patch b/queue-6.19/drm-i915-psr-repeat-selective-update-area-alignment.patch new file mode 100644 index 0000000000..e41b7dfdf0 --- /dev/null 
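Review bot: Both new clamps in shmem_sg_alloc_table can produce `nr_pages == 0`: `max_segment / PAGE_SIZE` when max_segment is below one page, and `(max_segment - sg->length) / PAGE_SIZE` when less than a page of room is left in the current entry. The code relies on max_segment and every sg->length being multiples of PAGE_SIZE, which the visible lines do not establish; with a zero count the entry gains no bytes and `next_pfn` does not advance, and what the rest of the loop (outside the hunk) does with that count needs checking. Stating the invariant early in the function, e.g. `GEM_BUG_ON(!IS_ALIGNED(max_segment, PAGE_SIZE));`, would make the overflow fix visibly complete. The literal `3` passed to min_array() also has to be kept in step with the initializer list by hand.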
+++ b/queue-6.19/drm-i915-psr-repeat-selective-update-area-alignment.patch 
@@ -0,0 +1,121 @@ +From 1be2fca84f520105413d0d89ed04bb0ff742ab16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Wed, 4 Mar 2026 13:30:08 +0200 +Subject: drm/i915/psr: Repeat Selective Update area alignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +commit 1be2fca84f520105413d0d89ed04bb0ff742ab16 upstream. + +Currently we are aligning Selective Update area to cover cursor fully if +needed only once. It may happen that cursor is in Selective Update area +after pipe alignment and after that covering cursor plane only +partially. Fix this by looping alignment as long as alignment isn't needed +anymore. + +v2: + - do not unecessarily loop if cursor was already fully covered + - rename aligned as su_area_changed + +Fixes: 1bff93b8bc27 ("drm/i915/psr: Extend SU area to cover cursor fully if needed") +Cc: # v6.9+ +Signed-off-by: Jouni Högander +Reviewed-by: Ankit Nautiyal +Link: https://patch.msgid.link/20260304113011.626542-2-jouni.hogander@intel.com +(cherry picked from commit 681e12440d8b110350a5709101169f319e10ccbb) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_psr.c | 50 +++++++++++++++++++++++-------- + 1 file changed, 38 insertions(+), 12 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -2667,11 +2667,12 @@ static void clip_area_update(struct drm_ + overlap_damage_area->y2 = damage_area->y2; + } + +-static void intel_psr2_sel_fetch_pipe_alignment(struct intel_crtc_state *crtc_state) ++static bool intel_psr2_sel_fetch_pipe_alignment(struct intel_crtc_state *crtc_state) + { + struct intel_display *display = to_intel_display(crtc_state); + const struct drm_dsc_config *vdsc_cfg = &crtc_state->dsc.config; + u16 y_alignment; ++ bool su_area_changed = false; + + /* ADLP aligns the SU region to vdsc slice height in case dsc is enabled */ + if 
(crtc_state->dsc.compression_enable && +@@ -2680,10 +2681,18 @@ static void intel_psr2_sel_fetch_pipe_al + else + y_alignment = crtc_state->su_y_granularity; + +- crtc_state->psr2_su_area.y1 -= crtc_state->psr2_su_area.y1 % y_alignment; +- if (crtc_state->psr2_su_area.y2 % y_alignment) ++ if (crtc_state->psr2_su_area.y1 % y_alignment) { ++ crtc_state->psr2_su_area.y1 -= crtc_state->psr2_su_area.y1 % y_alignment; ++ su_area_changed = true; ++ } ++ ++ if (crtc_state->psr2_su_area.y2 % y_alignment) { + crtc_state->psr2_su_area.y2 = ((crtc_state->psr2_su_area.y2 / + y_alignment) + 1) * y_alignment; ++ su_area_changed = true; ++ } ++ ++ return su_area_changed; + } + + /* +@@ -2816,7 +2825,7 @@ int intel_psr2_sel_fetch_update(struct i + struct intel_crtc_state *crtc_state = intel_atomic_get_new_crtc_state(state, crtc); + struct intel_plane_state *new_plane_state, *old_plane_state; + struct intel_plane *plane; +- bool full_update = false, cursor_in_su_area = false; ++ bool full_update = false, su_area_changed; + int i, ret; + + if (!crtc_state->enable_psr2_sel_fetch) +@@ -2923,15 +2932,32 @@ int intel_psr2_sel_fetch_update(struct i + if (ret) + return ret; + +- /* +- * Adjust su area to cover cursor fully as necessary (early +- * transport). This needs to be done after +- * drm_atomic_add_affected_planes to ensure visible cursor is added into +- * affected planes even when cursor is not updated by itself. +- */ +- intel_psr2_sel_fetch_et_alignment(state, crtc, &cursor_in_su_area); ++ do { ++ bool cursor_in_su_area; + +- intel_psr2_sel_fetch_pipe_alignment(crtc_state); ++ /* ++ * Adjust su area to cover cursor fully as necessary ++ * (early transport). This needs to be done after ++ * drm_atomic_add_affected_planes to ensure visible ++ * cursor is added into affected planes even when ++ * cursor is not updated by itself. 
++ */ ++ intel_psr2_sel_fetch_et_alignment(state, crtc, &cursor_in_su_area); ++ ++ su_area_changed = intel_psr2_sel_fetch_pipe_alignment(crtc_state); ++ ++ /* ++ * If the cursor was outside the SU area before ++ * alignment, the alignment step (which only expands ++ * SU) may pull the cursor partially inside, so we ++ * must run ET alignment again to fully cover it. But ++ * if the cursor was already fully inside before ++ * alignment, expanding the SU area won't change that, ++ * so no further work is needed. ++ */ ++ if (cursor_in_su_area) ++ break; ++ } while (su_area_changed); + + /* + * Now that we have the pipe damaged area check if it intersect with diff --git a/queue-6.19/drm-i915-vrr-configure-vrr-timings-after-enabling-trans_ddi_func_ctl.patch b/queue-6.19/drm-i915-vrr-configure-vrr-timings-after-enabling-trans_ddi_func_ctl.patch new file mode 100644 index 0000000000..01391f46d1 --- /dev/null +++ b/queue-6.19/drm-i915-vrr-configure-vrr-timings-after-enabling-trans_ddi_func_ctl.patch 
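Review bot: `cursor_in_su_area` loses its `= false` initialiser when it moves into the new do/while loop in intel_psr2_sel_fetch_update, and is then read by `if (cursor_in_su_area)` right after the call. Unless intel_psr2_sel_fetch_et_alignment() writes the flag on every path, including any early return (its body is not on this page), that read is of an indeterminate value and the loop may exit or repeat arbitrarily. Declaring it as `bool cursor_in_su_area = false;` inside the loop keeps the old behaviour at no cost. The loop also has no iteration bound; it appears to terminate because alignment only expands the area, and a short comment saying so would help.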
@@ -0,0 +1,90 @@ +From 237aab549676288d9255bb8dcc284738e56eaa31 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Tue, 3 Mar 2026 11:54:14 +0200 +Subject: drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 237aab549676288d9255bb8dcc284738e56eaa31 upstream. + +Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE +before enabling TRANS_DDI_FUNC_CTL. + +Personally I was only able to reproduce a hang (on an Dell XPS 7390 +2-in-1) with an external display connected via a dock using a dodgy +type-C cable that made the link training fail. After the failed +link training the machine would hang. TGL seemed immune to the +problem for whatever reason. + +BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL +as well. The DMC firmware also does the VRR restore in two stages: +- first stage seems to be unconditional and includes TRANS_VRR_CTL + and a few other VRR registers, among other things +- second stage is conditional on the DDI being enabled, + and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE, + among other things + +So let's reorder the steps to match to avoid the hang, and +toss in an extra WARN to make sure we don't screw this up later. 
+ +BSpec: 22243 +Cc: stable@vger.kernel.org +Cc: Ankit Nautiyal +Reported-by: Benjamin Tissoires +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15777 +Tested-by: Benjamin Tissoires +Fixes: dda7dcd9da73 ("drm/i915/vrr: Use fixed timings for platforms that support VRR") +Signed-off-by: Ville Syrjälä +Link: https://patch.msgid.link/20260303095414.4331-1-ville.syrjala@linux.intel.com +Reviewed-by: Ankit Nautiyal +(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_display.c | 1 - + drivers/gpu/drm/i915/display/intel_vrr.c | 14 ++++++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/display/intel_display.c ++++ b/drivers/gpu/drm/i915/display/intel_display.c +@@ -1614,7 +1614,6 @@ static void hsw_configure_cpu_transcoder + } + + intel_set_transcoder_timings(crtc_state); +- intel_vrr_set_transcoder_timings(crtc_state); + + if (cpu_transcoder != TRANSCODER_EDP) + intel_de_write(display, TRANS_MULT(display, cpu_transcoder), +--- a/drivers/gpu/drm/i915/display/intel_vrr.c ++++ b/drivers/gpu/drm/i915/display/intel_vrr.c +@@ -529,6 +529,18 @@ void intel_vrr_set_transcoder_timings(co + return; + + /* ++ * Bspec says: ++ * "(note: VRR needs to be programmed after ++ * TRANS_DDI_FUNC_CTL and before TRANS_CONF)." ++ * ++ * In practice it turns out that ICL can hang if ++ * TRANS_VRR_VMAX/FLIPLINE are written before ++ * enabling TRANS_DDI_FUNC_CTL. 
++ */ ++ drm_WARN_ON(display->drm, ++ !(intel_de_read(display, TRANS_DDI_FUNC_CTL(display, cpu_transcoder)) & TRANS_DDI_FUNC_ENABLE)); ++ ++ /* + * This bit seems to have two meanings depending on the platform: + * TGL: generate VRR "safe window" for DSB vblank waits + * ADL/DG2: make TRANS_SET_CONTEXT_LATENCY effective with VRR +@@ -754,6 +766,8 @@ void intel_vrr_transcoder_enable(const s + { + struct intel_display *display = to_intel_display(crtc_state); + ++ intel_vrr_set_transcoder_timings(crtc_state); ++ + if (!intel_vrr_possible(crtc_state)) + return; + diff --git a/queue-6.19/drm-msm-dpu-correct-the-sa8775p-intr_underrun-intr_underrun-index.patch b/queue-6.19/drm-msm-dpu-correct-the-sa8775p-intr_underrun-intr_underrun-index.patch new file mode 100644 index 0000000000..86b028c9cc --- /dev/null +++ b/queue-6.19/drm-msm-dpu-correct-the-sa8775p-intr_underrun-intr_underrun-index.patch 
@@ -0,0 +1,39 @@
+From 4ce71cea574658f5c5c7412b1a3cc54efe4f9b50 Mon Sep 17 00:00:00 2001
+From: Abhinav Kumar
+Date: Thu, 5 Mar 2026 18:17:07 +0800
+Subject: drm/msm/dpu: Correct the SA8775P intr_underrun/intr_underrun index
+
+From: Abhinav Kumar
+
+commit 4ce71cea574658f5c5c7412b1a3cc54efe4f9b50 upstream.
+
+The intr_underrun and intr_vsync indices have been swapped, just simply
+corrects them.
+
+Cc: stable@vger.kernel.org
+Fixes: b139c80d181c ("drm/msm/dpu: Add SA8775P support")
+Signed-off-by: Abhinav Kumar
+Signed-off-by: Yongxing Mou
+Reviewed-by: Konrad Dybcio
+Reviewed-by: Dmitry Baryshkov
+Patchwork: https://patchwork.freedesktop.org/patch/709209/
+Link: https://lore.kernel.org/r/20260305-mdss_catalog-v5-2-06678ac39ac7@oss.qualcomm.com
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_4_sa8775p.h
+@@ -366,8 +366,8 @@ static const struct dpu_intf_cfg sa8775p
+ .type = INTF_NONE,
+ .controller_id = MSM_DP_CONTROLLER_0, /* pair with intf_0 for DP MST */
+ .prog_fetch_lines_worst_case = 24,
+- .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
+- .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
++ .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
++ .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
+ }, {
+ .name = "intf_7", .id = INTF_7,
+ .base = 0x3b000, .len = 0x280,
diff --git a/queue-6.19/drm-msm-fix-dma_free_attrs-buffer-size.patch b/queue-6.19/drm-msm-fix-dma_free_attrs-buffer-size.patch
new file mode 100644
index 0000000000..8c9f85c4a1
--- /dev/null
+++ b/queue-6.19/drm-msm-fix-dma_free_attrs-buffer-size.patch
@@ -0,0 +1,38 @@
+From e4eb6e4dd6348dd00e19c2275e3fbaed304ca3bd Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Thu, 26 Feb 2026 10:57:11 +0100
+Subject: drm/msm: Fix dma_free_attrs() buffer size
+
+From: Thomas Fourier
+
+commit e4eb6e4dd6348dd00e19c2275e3fbaed304ca3bd upstream.
+
+The gpummu->table buffer is alloc'd with size TABLE_SIZE + 32 in
+a2xx_gpummu_new() but freed with size TABLE_SIZE in
+a2xx_gpummu_destroy().
+
+Change the free size to match the allocation.
+
+Fixes: c2052a4e5c99 ("drm/msm: implement a2xx mmu")
+Cc:
+Signed-off-by: Thomas Fourier
+Reviewed-by: Dmitry Baryshkov
+Patchwork: https://patchwork.freedesktop.org/patch/707340/
+Message-ID: <20260226095714.12126-2-fourier.thomas@gmail.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/adreno/a2xx_gpummu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
++++ b/drivers/gpu/drm/msm/adreno/a2xx_gpummu.c
+@@ -78,7 +78,7 @@ static void a2xx_gpummu_destroy(struct m
+ {
+ struct a2xx_gpummu *gpummu = to_a2xx_gpummu(mmu);
+
+- dma_free_attrs(mmu->dev, TABLE_SIZE, gpummu->table, gpummu->pt_base,
++ dma_free_attrs(mmu->dev, TABLE_SIZE + 32, gpummu->table, gpummu->pt_base,
+ DMA_ATTR_FORCE_CONTIGUOUS);
+
+ kfree(gpummu);
diff --git a/queue-6.19/dt-bindings-display-msm-fix-reg-ranges-and-clocks-on-glymur.patch b/queue-6.19/dt-bindings-display-msm-fix-reg-ranges-and-clocks-on-glymur.patch
new file mode 100644
index 0000000000..acb6b23249
--- /dev/null
+++ b/queue-6.19/dt-bindings-display-msm-fix-reg-ranges-and-clocks-on-glymur.patch
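Review bot: The size expression `TABLE_SIZE + 32` in the dma_free_attrs() call of a2xx_gpummu_destroy() is now a second hand-written copy of the allocation size that the commit message says is used in a2xx_gpummu_new(), which is exactly how the two drifted apart in the first place. A single named size shared by both calls would keep them in step, for example `#define TABLE_ALLOC_SIZE (TABLE_SIZE + 32)` (name is only a suggestion) with a short comment saying what the extra 32 bytes are for. The allocation site is outside this hunk, so the define would have to be applied there as well.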
@@ -0,0 +1,109 @@ +From 7403e87c138475a74e5176176778f391d847f42d Mon Sep 17 00:00:00 2001 +From: Abel Vesa +Date: Tue, 3 Mar 2026 11:03:11 +0200 +Subject: dt-bindings: display: msm: Fix reg ranges and clocks on Glymur + +From: Abel Vesa + +commit 7403e87c138475a74e5176176778f391d847f42d upstream. + +The Glymur platform has four DisplayPort controllers. The hardware +supports four streams (MST) per controller. However, on Glymur the first +three controllers only have two streams wired to the display subsystem, +while the fourth controller operates in single-stream mode. + +Add a dedicated clause for the Glymur compatible to require the register +ranges for all four stream blocks, while allowing either one pixel clock +(for the single-stream controller) or two pixel clocks (for the remaining +controllers). + +Update the Glymur MDSS schema example by adding the missing p2, p3, +mst2link and mst3link register blocks. Without these, the bindings +validation fails. Also replace the made-up register addresses with the +actual addresses from the first controller to match the SoC devicetree +description. 
+ +Cc: stable@vger.kernel.org # v6.19 +Fixes: 8f63bf908213 ("dt-bindings: display: msm: Document the Glymur DiplayPort controller") +Fixes: 1aee577bbc60 ("dt-bindings: display: msm: Document the Glymur Mobile Display SubSystem") +Signed-off-by: Abel Vesa +Reviewed-by: Krzysztof Kozlowski +Patchwork: https://patchwork.freedesktop.org/patch/708518/ +Link: https://lore.kernel.org/r/20260303-glymur-fix-dp-bindings-reg-clocks-v4-1-1ebd9c7c2cee@oss.qualcomm.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Greg Kroah-Hartman +--- + .../bindings/display/msm/dp-controller.yaml | 21 ++++++++++++++++++- + .../display/msm/qcom,glymur-mdss.yaml | 16 ++++++++------ + 2 files changed, 30 insertions(+), 7 deletions(-) + +diff --git a/Documentation/devicetree/bindings/display/msm/dp-controller.yaml b/Documentation/devicetree/bindings/display/msm/dp-controller.yaml +index ebda78db87a6..02ddfaab5f56 100644 +--- a/Documentation/devicetree/bindings/display/msm/dp-controller.yaml ++++ b/Documentation/devicetree/bindings/display/msm/dp-controller.yaml +@@ -253,7 +253,6 @@ allOf: + enum: + # these platforms support 2 streams MST on some interfaces, + # others are SST only +- - qcom,glymur-dp + - qcom,sc8280xp-dp + - qcom,x1e80100-dp + then: +@@ -310,6 +309,26 @@ allOf: + minItems: 6 + maxItems: 8 + ++ - if: ++ properties: ++ compatible: ++ contains: ++ enum: ++ # these platforms support 2 streams MST on some interfaces, ++ # others are SST only, but all controllers have 4 ports ++ - qcom,glymur-dp ++ then: ++ properties: ++ reg: ++ minItems: 9 ++ maxItems: 9 ++ clocks: ++ minItems: 5 ++ maxItems: 6 ++ clocks-names: ++ minItems: 5 ++ maxItems: 6 ++ + unevaluatedProperties: false + + examples: +diff --git a/Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml b/Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml +index 2329ed96e6cb..64dde43373ac 100644 +--- a/Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml ++++ 
b/Documentation/devicetree/bindings/display/msm/qcom,glymur-mdss.yaml +@@ -176,13 +176,17 @@ examples: + }; + }; + +- displayport-controller@ae90000 { ++ displayport-controller@af54000 { + compatible = "qcom,glymur-dp"; +- reg = <0xae90000 0x200>, +- <0xae90200 0x200>, +- <0xae90400 0x600>, +- <0xae91000 0x400>, +- <0xae91400 0x400>; ++ reg = <0xaf54000 0x200>, ++ <0xaf54200 0x200>, ++ <0xaf55000 0xc00>, ++ <0xaf56000 0x400>, ++ <0xaf57000 0x400>, ++ <0xaf58000 0x400>, ++ <0xaf59000 0x400>, ++ <0xaf5a000 0x600>, ++ <0xaf5b000 0x600>; + + interrupt-parent = <&mdss>; + interrupts = <12>; +-- +2.53.0 + diff --git a/queue-6.19/iio-buffer-fix-wait_queue-not-being-removed.patch b/queue-6.19/iio-buffer-fix-wait_queue-not-being-removed.patch new file mode 100644 index 0000000000..d81f222c9e --- /dev/null +++ b/queue-6.19/iio-buffer-fix-wait_queue-not-being-removed.patch 
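Review bot: The key `clocks-names` in the new `qcom,glymur-dp` clause of dp-controller.yaml looks like a typo for the standard `clock-names` property. As written, the 5 to 6 item bound would apply to a property that device nodes are not expected to carry, so the length of `clock-names` is probably left unconstrained for Glymur while `clocks` is bounded. If that is the case the clause should read `clock-names:` followed by the same `minItems: 5` and `maxItems: 6`. The other clauses of the schema are not visible in this hunk, so it is worth checking whether they carry the same spelling.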
@@ -0,0 +1,41 @@
+From 064234044056c93a3719d6893e6e5a26a94a61b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?=
+Date: Mon, 16 Feb 2026 13:24:27 +0000
+Subject: iio: buffer: Fix wait_queue not being removed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá
+
+commit 064234044056c93a3719d6893e6e5a26a94a61b6 upstream.
+
+In the edge case where the IIO device is unregistered while we're
+buffering, we were directly returning an error without removing the wait
+queue. Instead, set 'ret' and break out of the loop.
+
+Fixes: 9eeee3b0bf19 ("iio: Add output buffer support")
+Signed-off-by: Nuno Sá
+Reviewed-by: David Lechner
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/industrialio-buffer.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -228,8 +228,10 @@ static ssize_t iio_buffer_write(struct f
+ written = 0;
+ add_wait_queue(&rb->pollq, &wait);
+ do {
+- if (!indio_dev->info)
+- return -ENODEV;
++ if (!indio_dev->info) {
++ ret = -ENODEV;
++ break;
++ }
+
+ if (!iio_buffer_space_available(rb)) {
+ if (signal_pending(current)) {
diff --git a/queue-6.19/iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch b/queue-6.19/iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch
new file mode 100644
index 0000000000..81f41c6d68
--- /dev/null
+++ b/queue-6.19/iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch
@@ -0,0 +1,41 @@ +From f55b9510cd9437da3a0efa08b089caeb47595ff1 Mon Sep 17 00:00:00 2001 +From: Chris Spencer +Date: Thu, 5 Feb 2026 14:55:45 +0000 +Subject: iio: chemical: bme680: Fix measurement wait duration calculation + +From: Chris Spencer + +commit f55b9510cd9437da3a0efa08b089caeb47595ff1 upstream. + +This function refers to the Bosch BME680 API as the source of the +calculation, but one of the constants does not match the Bosch +implementation. This appears to be a simple transposition of two digits, +resulting in a wait time that is too short. This can cause the following +'device measurement cycle incomplete' check to occasionally fail, returning +EBUSY to user space. + +Adjust the constant to match the Bosch implementation and resolve the EBUSY +errors. + +Fixes: 4241665e6ea0 ("iio: chemical: bme680: Fix sensor data read operation") +Link: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L521 +Signed-off-by: Chris Spencer +Acked-by: Vasileios Amoiridis +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/bme680_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -613,7 +613,7 @@ static int bme680_wait_for_eoc(struct bm + * + heater duration + */ + int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press + +- data->oversampling_humid) * 1936) + (477 * 4) + ++ data->oversampling_humid) * 1963) + (477 * 4) + + (477 * 5) + 1000 + (data->heater_dur * 1000); + + fsleep(wait_eoc_us); diff --git a/queue-6.19/iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch b/queue-6.19/iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch new file mode 100644 index 0000000000..50b420693d --- /dev/null +++ b/queue-6.19/iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch 
@@ -0,0 +1,35 @@
+From 216345f98cae7fcc84f49728c67478ac00321c87 Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus
+Date: Thu, 12 Feb 2026 14:46:07 +0200
+Subject: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
+
+From: Antoniu Miclaus
+
+commit 216345f98cae7fcc84f49728c67478ac00321c87 upstream.
+
+sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead
+of the intended __be32 element size (4 bytes). Use sizeof(*meas) to
+correctly match the buffer element type.
+
+Fixes: 8f3f13085278 ("iio: sps30: separate core and interface specific code")
+Signed-off-by: Antoniu Miclaus
+Acked-by: Tomasz Duszynski
+Reviewed-by: Andy Shevchenko
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/chemical/sps30_i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/chemical/sps30_i2c.c
++++ b/drivers/iio/chemical/sps30_i2c.c
+@@ -171,7 +171,7 @@ static int sps30_i2c_read_meas(struct sp
+ if (!sps30_i2c_meas_ready(state))
+ return -ETIMEDOUT;
+
+- return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(num) * num);
++ return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(*meas) * num);
+ }
+
+ static int sps30_i2c_clean_fan(struct sps30_state *state)
diff --git a/queue-6.19/iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch b/queue-6.19/iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch
new file mode 100644
index 0000000000..0612261223
--- /dev/null
+++ b/queue-6.19/iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch
@@ -0,0 +1,36 @@
+From c3914ce1963c4db25e186112c90fa5d2361e9e0a Mon Sep 17 00:00:00 2001
+From: Antoniu Miclaus
+Date: Thu, 12 Feb 2026 14:46:08 +0200
+Subject: iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
+
+From: Antoniu Miclaus
+
+commit c3914ce1963c4db25e186112c90fa5d2361e9e0a upstream.
+
+sizeof(num) evaluates to sizeof(size_t) which is 8 bytes on 64-bit,
+but the buffer elements are only 4 bytes. The same function already
+uses sizeof(*meas) on line 312, making the mismatch evident. Use
+sizeof(*meas) consistently.
+
+Fixes: b2e171f5a5c6 ("iio: sps30: add support for serial interface")
+Signed-off-by: Antoniu Miclaus
+Acked-by: Tomasz Duszynski
+Reviewed-by: Andy Shevchenko
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/chemical/sps30_serial.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/chemical/sps30_serial.c
++++ b/drivers/iio/chemical/sps30_serial.c
+@@ -303,7 +303,7 @@ static int sps30_serial_read_meas(struct
+ if (msleep_interruptible(1000))
+ return -EINTR;
+
+- ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(num));
++ ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(*meas));
+ if (ret < 0)
+ return ret;
+ /* if measurements aren't ready sensor returns empty frame */
diff --git a/queue-6.19/iio-dac-ds4424-reject-128-raw-value.patch b/queue-6.19/iio-dac-ds4424-reject-128-raw-value.patch
new file mode 100644
index 0000000000..cc82abbb5f
--- /dev/null
+++ b/queue-6.19/iio-dac-ds4424-reject-128-raw-value.patch
@@ -0,0 +1,39 @@
+From 5187e03b817c26c1c3bcb2645a612ea935c4be89 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Wed, 4 Feb 2026 15:00:33 +0100
+Subject: iio: dac: ds4424: reject -128 RAW value
+
+From: Oleksij Rempel
+
+commit 5187e03b817c26c1c3bcb2645a612ea935c4be89 upstream.
+
+The DS442x DAC uses sign-magnitude encoding, so -128 cannot be represented
+in hardware (7-bit magnitude).
+
+Previously, passing -128 resulted in a truncated value that programmed
+0mA (magnitude 0) instead of the expected maximum negative current,
+effectively failing silently.
+
+Reject -128 to avoid producing the wrong current.
+
+Fixes: d632a2bd8ffc ("iio: dac: ds4422/ds4424 dac driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel
+Reviewed-by: Andy Shevchenko
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/dac/ds4424.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ds4424.c
++++ b/drivers/iio/dac/ds4424.c
+@@ -141,7 +141,7 @@ static int ds4424_write_raw(struct iio_d
+
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
+- if (val < S8_MIN || val > S8_MAX)
++ if (val <= S8_MIN || val > S8_MAX)
+ return -EINVAL;
+
+ if (val > 0) {
diff --git a/queue-6.19/iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch b/queue-6.19/iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch
new file mode 100644
index 0000000000..89acb2d301
--- /dev/null
+++ b/queue-6.19/iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch
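Review bot: The range check `val <= S8_MIN || val > S8_MAX` in ds4424_write_raw() is asymmetric in a way that reads like an off-by-one slip, so a later cleanup could easily "correct" it back and reintroduce the silent truncation of -128. Writing the bound as the symmetric range the hardware supports makes the intent explicit: `if (val < -S8_MAX || val > S8_MAX)`. A one-line comment above it, such as `/* sign-magnitude: 7-bit magnitude, so -128 is not representable */`, would record why. The rest of the function is outside the hunk.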
@@ -0,0 +1,39 @@
+From 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb Mon Sep 17 00:00:00 2001
+From: SeungJu Cheon
+Date: Sat, 24 Jan 2026 04:47:58 +0900
+Subject: iio: frequency: adf4377: Fix duplicated soft reset mask
+
+From: SeungJu Cheon
+
+commit 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb upstream.
+
+The regmap_read_poll_timeout() uses ADF4377_0000_SOFT_RESET_R_MSK
+twice instead of checking both SOFT_RESET_MSK (bit 0) and
+SOFT_RESET_R_MSK (bit 7). This causes an incomplete reset status check.
+
+The code first sets both SOFT_RESET and SOFT_RESET_R bits to 1 via
+regmap_update_bits(), then polls for them to be cleared. Since we set
+both bits before polling, we should be waiting for both to clear.
+
+Fix by using both masks as done in regmap_update_bits() above.
+
+Fixes: eda549e2e524 ("iio: frequency: adf4377: add support for ADF4377")
+Signed-off-by: SeungJu Cheon
+Cc: Stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/frequency/adf4377.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/frequency/adf4377.c
++++ b/drivers/iio/frequency/adf4377.c
+@@ -501,7 +501,7 @@ static int adf4377_soft_reset(struct adf
+ return ret;
+
+ return regmap_read_poll_timeout(st->regmap, 0x0, read_val,
+- !(read_val & (ADF4377_0000_SOFT_RESET_R_MSK |
++ !(read_val & (ADF4377_0000_SOFT_RESET_MSK |
+ ADF4377_0000_SOFT_RESET_R_MSK)), 200, 200 * 100);
+ }
+
diff --git a/queue-6.19/iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch b/queue-6.19/iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch
new file mode 100644
index 0000000000..e4e8241621
--- /dev/null
+++ b/queue-6.19/iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch
@@ -0,0 +1,66 @@ +From acc3949aab3e8094641a9c7c2768de1958c88378 Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Mon, 16 Feb 2026 11:57:56 +0200 +Subject: iio: gyro: mpu3050-core: fix pm_runtime error handling + +From: Antoniu Miclaus + +commit acc3949aab3e8094641a9c7c2768de1958c88378 upstream. + +The return value of pm_runtime_get_sync() is not checked, allowing +the driver to access hardware that may fail to resume. The device +usage count is also unconditionally incremented. Use +pm_runtime_resume_and_get() which propagates errors and avoids +incrementing the usage count on failure. + +In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate() +failure since postdisable does not run when preenable fails. + +Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope") +Reviewed-by: Linus Walleij +Signed-off-by: Antoniu Miclaus +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/mpu3050-core.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/iio/gyro/mpu3050-core.c ++++ b/drivers/iio/gyro/mpu3050-core.c +@@ -322,7 +322,9 @@ static int mpu3050_read_raw(struct iio_d + } + case IIO_CHAN_INFO_RAW: + /* Resume device */ +- pm_runtime_get_sync(mpu3050->dev); ++ ret = pm_runtime_resume_and_get(mpu3050->dev); ++ if (ret) ++ return ret; + mutex_lock(&mpu3050->lock); + + ret = mpu3050_set_8khz_samplerate(mpu3050); +@@ -647,14 +649,20 @@ out_trigger_unlock: + static int mpu3050_buffer_preenable(struct iio_dev *indio_dev) + { + struct mpu3050 *mpu3050 = iio_priv(indio_dev); ++ int ret; + +- pm_runtime_get_sync(mpu3050->dev); ++ ret = pm_runtime_resume_and_get(mpu3050->dev); ++ if (ret) ++ return ret; + + /* Unless we have OUR trigger active, run at full speed */ +- if (!mpu3050->hw_irq_trigger) +- return mpu3050_set_8khz_samplerate(mpu3050); ++ if (!mpu3050->hw_irq_trigger) { ++ ret = mpu3050_set_8khz_samplerate(mpu3050); ++ if (ret) ++ 
pm_runtime_put_autosuspend(mpu3050->dev); ++ } + +- return 0; ++ return ret; + } + + static int mpu3050_buffer_postdisable(struct iio_dev *indio_dev) diff --git a/queue-6.19/iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch b/queue-6.19/iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch new file mode 100644 index 0000000000..c3a4dad030 --- /dev/null +++ b/queue-6.19/iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch @@ -0,0 +1,37 @@ +From 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Mon, 16 Feb 2026 11:57:55 +0200 +Subject: iio: gyro: mpu3050-i2c: fix pm_runtime error handling + +From: Antoniu Miclaus + +commit 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb upstream. + +The return value of pm_runtime_get_sync() is not checked, and the +function always returns success. This allows I2C mux operations to +proceed even when the device fails to resume. + +Use pm_runtime_resume_and_get() and propagate its return value to +properly handle resume failures. + +Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope") +Signed-off-by: Antoniu Miclaus +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/mpu3050-i2c.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/gyro/mpu3050-i2c.c ++++ b/drivers/iio/gyro/mpu3050-i2c.c +@@ -19,8 +19,7 @@ static int mpu3050_i2c_bypass_select(str + struct mpu3050 *mpu3050 = i2c_mux_priv(mux); + + /* Just power up the device, that is all that is needed */ +- pm_runtime_get_sync(mpu3050->dev); +- return 0; ++ return pm_runtime_resume_and_get(mpu3050->dev); + } + + static int mpu3050_i2c_bypass_deselect(struct i2c_mux_core *mux, u32 chan_id) diff --git a/queue-6.19/iio-imu-adis-fix-null-pointer-dereference-in-adis_init.patch b/queue-6.19/iio-imu-adis-fix-null-pointer-dereference-in-adis_init.patch new file mode 100644 index 0000000000..50d6408555 --- /dev/null 
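Review bot: In the mpu3050-i2c patch, `return pm_runtime_resume_and_get(mpu3050->dev);` in mpu3050_i2c_bypass_select() means a failed resume now leaves the usage count unchanged, so any reference drop paired with this call has to be skipped on that path. mpu3050_i2c_bypass_deselect() is visible here only by its signature; if it puts the reference unconditionally and the mux core still calls deselect after a failed select, the count would be decremented without a matching get. That should be confirmed against the i2c-mux core before backporting. If it holds, the deselect side needs a guard, and in any case a comment at the new return such as `/* on error no PM reference is held; deselect must not put */` would document the contract.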
+++ b/queue-6.19/iio-imu-adis-fix-null-pointer-dereference-in-adis_init.patch
@@ -0,0 +1,49 @@
+From 9990cd4f8827bd1ae3fb6eb7407630d8d463c430 Mon Sep 17 00:00:00 2001
+From: Radu Sabau
+Date: Fri, 20 Feb 2026 16:16:41 +0200
+Subject: iio: imu: adis: Fix NULL pointer dereference in adis_init
+
+From: Radu Sabau
+
+commit 9990cd4f8827bd1ae3fb6eb7407630d8d463c430 upstream.
+
+The adis_init() function dereferences adis->ops to check if the
+individual function pointers (write, read, reset) are NULL, but does
+not first check if adis->ops itself is NULL.
+
+Drivers like adis16480, adis16490, adis16545 and others do not set
+custom ops and rely on adis_init() assigning the defaults. Since struct
+adis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL
+when adis_init() is called, causing a NULL pointer dereference:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ pc : adis_init+0xc0/0x118
+ Call trace:
+ adis_init+0xc0/0x118
+ adis16480_probe+0xe0/0x670
+
+Fix this by checking if adis->ops is NULL before dereferencing it,
+falling through to assign the default ops in that case.
+
+Fixes: 3b29bcee8f6f ("iio: imu: adis: Add custom ops struct")
+Signed-off-by: Radu Sabau
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Antoniu Miclaus
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/adis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis.c
++++ b/drivers/iio/imu/adis.c
+@@ -526,7 +526,7 @@ int adis_init(struct adis *adis, struct
+
+ adis->spi = spi;
+ adis->data = data;
+- if (!adis->ops->write && !adis->ops->read && !adis->ops->reset)
++ if (!adis->ops)
+ adis->ops = &adis_default_ops;
+ else if (!adis->ops->write || !adis->ops->read || !adis->ops->reset)
+ return -EINVAL;
diff --git a/queue-6.19/iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch b/queue-6.19/iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch
new file mode 100644
index 0000000000..5527c80632
--- /dev/null
+++ b/queue-6.19/iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch
@@ -0,0 +1,49 @@
+From c9f3a593137d862d424130343e77d4b5260a4f5a Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol
+Date: Fri, 30 Jan 2026 16:38:47 +0100
+Subject: iio: imu: inv_icm42600: fix odr switch to the same value
+
+From: Jean-Baptiste Maneyrol
+
+commit c9f3a593137d862d424130343e77d4b5260a4f5a upstream.
+
+ODR switch is done in 2 steps when FIFO is on : change the ODR register
+value and acknowledge change when reading the FIFO ODR change flag.
+When we are switching to the same odr value, we end up waiting for a
+FIFO ODR flag that is never happening.
+
+Fix the issue by doing nothing and exiting properly when we are
+switching to the same ODR value.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Signed-off-by: Jean-Baptiste Maneyrol
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 ++
+ drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c
+@@ -651,6 +651,8 @@ static int inv_icm42600_accel_write_odr(
+ return -EINVAL;
+
+ conf.odr = inv_icm42600_accel_odr_conv[idx / 2];
++ if (conf.odr == st->conf.accel.odr)
++ return 0;
+
+ pm_runtime_get_sync(dev);
+ mutex_lock(&st->lock);
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c
+@@ -358,6 +358,8 @@ static int inv_icm42600_gyro_write_odr(s
+ return -EINVAL;
+
+ conf.odr = inv_icm42600_gyro_odr_conv[idx / 2];
++ if (conf.odr == st->conf.gyro.odr)
++ return 0;
+
+ pm_runtime_get_sync(dev);
+ mutex_lock(&st->lock);
diff --git a/queue-6.19/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch b/queue-6.19/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
new file mode 100644
index 0000000000..01b931c4d1
--- /dev/null
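Review bot: The new early return in inv_icm42600_accel_write_odr() reads `st->conf.accel.odr` before `mutex_lock(&st->lock)`, which is taken only two lines further down. If that field is updated under the lock, as the locking in the context lines suggests, the comparison can race with a concurrent ODR write and either skip a needed update or fall through to the wait this patch is trying to avoid. The gyro hunk has the same pattern with `st->conf.gyro.odr`. Moving the check below `mutex_lock()` would close the window, but the early exit would then have to go through the function's unlock and runtime-PM put path, which lies outside both hunks. If the unlocked read is intentional, a comment such as `/* unlocked read of cached ODR: a stale value only costs a redundant write */` should say so.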
+++ b/queue-6.19/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch @@ -0,0 +1,46 @@ +From ffd32db8263d2d785a2c419486a450dc80693235 Mon Sep 17 00:00:00 2001 +From: Jean-Baptiste Maneyrol +Date: Fri, 30 Jan 2026 17:10:23 +0100 +Subject: iio: imu: inv_icm42600: fix odr switch when turning buffer off + +From: Jean-Baptiste Maneyrol + +commit ffd32db8263d2d785a2c419486a450dc80693235 upstream. + +ODR switch is done in 2 steps when FIFO is on : change the ODR register +value and acknowledge change when reading the FIFO ODR change flag. +When we are switching odr and turning buffer off just afterward, we are +losing the FIFO ODR change flag and ODR switch is blocked. + +Fix the issue by force applying any waiting ODR change when turning +buffer off. + +Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping") +Signed-off-by: Jean-Baptiste Maneyrol +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c +@@ -371,6 +371,8 @@ static int inv_icm42600_buffer_predisabl + static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev) + { + struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev); ++ struct inv_icm42600_sensor_state *sensor_st = iio_priv(indio_dev); ++ struct inv_sensors_timestamp *ts = &sensor_st->ts; + struct device *dev = regmap_get_device(st->map); + unsigned int sensor; + unsigned int *watermark; +@@ -392,6 +394,8 @@ static int inv_icm42600_buffer_postdisab + + mutex_lock(&st->lock); + ++ inv_sensors_timestamp_apply_odr(ts, 0, 0, 0); ++ + ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor); + if (ret) + goto out_unlock; 
diff --git a/queue-6.19/iio-imu-inv_icm45600-fix-int1-drive-bit-inverted.patch b/queue-6.19/iio-imu-inv_icm45600-fix-int1-drive-bit-inverted.patch
new file mode 100644
index 0000000000..ef4b3e6dbd
--- /dev/null
+++ b/queue-6.19/iio-imu-inv_icm45600-fix-int1-drive-bit-inverted.patch
@@ -0,0 +1,50 @@ +From 7ef74d961d1ad6ec72b50887ca119d7f98f07717 Mon Sep 17 00:00:00 2001 +From: Jean-Baptiste Maneyrol +Date: Thu, 5 Feb 2026 17:59:14 +0100 +Subject: iio: imu: inv_icm45600: fix INT1 drive bit inverted + +From: Jean-Baptiste Maneyrol + +commit 7ef74d961d1ad6ec72b50887ca119d7f98f07717 upstream. + +Drive bit must be set for open-drain mode and be cleared for push-pull +mode. + +Referring to datasheet DS-000576_ICM-45605.pdf section 17.23 +INT1_CONFIG2. + +Fixes: 06674a72cf7a ("iio: imu: inv_icm45600: add buffer support in iio devices") +Signed-off-by: Jean-Baptiste Maneyrol +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm45600/inv_icm45600.h | 2 +- + drivers/iio/imu/inv_icm45600/inv_icm45600_core.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/imu/inv_icm45600/inv_icm45600.h ++++ b/drivers/iio/imu/inv_icm45600/inv_icm45600.h +@@ -205,7 +205,7 @@ struct inv_icm45600_sensor_state { + #define INV_ICM45600_SPI_SLEW_RATE_38NS 0 + + #define INV_ICM45600_REG_INT1_CONFIG2 0x0018 +-#define INV_ICM45600_INT1_CONFIG2_PUSH_PULL BIT(2) ++#define INV_ICM45600_INT1_CONFIG2_OPEN_DRAIN BIT(2) + #define INV_ICM45600_INT1_CONFIG2_LATCHED BIT(1) + #define INV_ICM45600_INT1_CONFIG2_ACTIVE_HIGH BIT(0) + #define INV_ICM45600_INT1_CONFIG2_ACTIVE_LOW 0x00 +--- a/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c ++++ b/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c +@@ -637,8 +637,8 @@ static int inv_icm45600_irq_init(struct + break; + } + +- if (!open_drain) +- val |= INV_ICM45600_INT1_CONFIG2_PUSH_PULL; ++ if (open_drain) ++ val |= INV_ICM45600_INT1_CONFIG2_OPEN_DRAIN; + + ret = regmap_write(st->map, INV_ICM45600_REG_INT1_CONFIG2, val); + if (ret) 
diff --git a/queue-6.19/iio-imu-inv_icm45600-fix-regulator-put-warning-when-probe-fails.patch b/queue-6.19/iio-imu-inv_icm45600-fix-regulator-put-warning-when-probe-fails.patch
new file mode 100644
index 0000000000..003d45e296
--- /dev/null
+++ b/queue-6.19/iio-imu-inv_icm45600-fix-regulator-put-warning-when-probe-fails.patch
@@ -0,0 +1,55 @@ +From 2617595538be8a2f270ad13fccb9f56007b292d7 Mon Sep 17 00:00:00 2001 +From: Jean-Baptiste Maneyrol +Date: Tue, 17 Feb 2026 11:44:50 +0100 +Subject: iio: imu: inv_icm45600: fix regulator put warning when probe fails + +From: Jean-Baptiste Maneyrol + +commit 2617595538be8a2f270ad13fccb9f56007b292d7 upstream. + +When the driver probe fails we encounter a regulator put warning +because vddio regulator is not stopped before release. The issue +comes from pm_runtime not already setup when core probe fails and +the vddio regulator disable callback is called. + +Fix the issue by setting pm_runtime active early before vddio +regulator resource cleanup. This requires to cut pm_runtime +set_active and enable in 2 function calls. + +Fixes: 7ff021a3faca ("iio: imu: inv_icm45600: add new inv_icm45600 driver") +Signed-off-by: Jean-Baptiste Maneyrol +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm45600/inv_icm45600_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c b/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c +index e4638926a10c..d49053161a65 100644 +--- a/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c ++++ b/drivers/iio/imu/inv_icm45600/inv_icm45600_core.c +@@ -744,6 +744,11 @@ int inv_icm45600_core_probe(struct regmap *regmap, const struct inv_icm45600_chi + */ + fsleep(5 * USEC_PER_MSEC); + ++ /* set pm_runtime active early for disable vddio resource cleanup */ ++ ret = pm_runtime_set_active(dev); ++ if (ret) ++ return ret; ++ + ret = inv_icm45600_enable_regulator_vddio(st); + if (ret) + return ret; +@@ -776,7 +781,7 @@ int inv_icm45600_core_probe(struct regmap *regmap, const struct inv_icm45600_chi + if (ret) + return ret; + +- ret = devm_pm_runtime_set_active_enabled(dev); ++ ret = devm_pm_runtime_enable(dev); + if (ret) + return ret; + +-- +2.53.0 + 
diff --git a/queue-6.19/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch b/queue-6.19/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch new file mode 100644 index 0000000000..f6735e07a5 --- /dev/null +++ b/queue-6.19/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch @@ -0,0 +1,37 @@ +From dd72e6c3cdea05cad24e99710939086f7a113fb5 Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Fri, 30 Jan 2026 13:30:20 +0200 +Subject: iio: light: bh1780: fix PM runtime leak on error path + +From: Antoniu Miclaus + +commit dd72e6c3cdea05cad24e99710939086f7a113fb5 upstream. + +Move pm_runtime_put_autosuspend() before the error check to ensure +the PM runtime reference count is always decremented after +pm_runtime_get_sync(), regardless of whether the read operation +succeeds or fails. + +Fixes: 1f0477f18306 ("iio: light: new driver for the ROHM BH1780") +Signed-off-by: Antoniu Miclaus +Reviewed-by: Linus Walleij +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/bh1780.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/light/bh1780.c ++++ b/drivers/iio/light/bh1780.c +@@ -109,9 +109,9 @@ static int bh1780_read_raw(struct iio_de + case IIO_LIGHT: + pm_runtime_get_sync(&bh1780->client->dev); + value = bh1780_read_word(bh1780, BH1780_REG_DLOW); ++ pm_runtime_put_autosuspend(&bh1780->client->dev); + if (value < 0) + return value; +- pm_runtime_put_autosuspend(&bh1780->client->dev); + *val = value; + + return IIO_VAL_INT; diff --git a/queue-6.19/iio-magnetometer-tlv493d-remove-erroneous-shift-in-x-axis-data.patch b/queue-6.19/iio-magnetometer-tlv493d-remove-erroneous-shift-in-x-axis-data.patch new file mode 100644 index 0000000000..c151f434dd --- /dev/null +++ b/queue-6.19/iio-magnetometer-tlv493d-remove-erroneous-shift-in-x-axis-data.patch 
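Review bot: The context line `pm_runtime_get_sync(&bh1780->client->dev);` in bh1780_read_raw() still discards its return value, so when the resume fails bh1780_read_word() is issued against a device that may not be powered. The mpu3050 patches queued on this same page convert that pattern to pm_runtime_resume_and_get() with an error return, and the same treatment fits here: `ret = pm_runtime_resume_and_get(&bh1780->client->dev);` followed by `if (ret) return ret;`. The put added by this hunk is then reached only when a reference is actually held. The function's local declarations are outside the hunk, so a `ret` variable may need to be added.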
@@ -0,0 +1,34 @@ +From 82ee91d6b15f06b6094eea2c26afe0032fe8e177 Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Tue, 10 Feb 2026 18:49:50 +0200 +Subject: iio: magnetometer: tlv493d: remove erroneous shift in X-axis data + +From: Antoniu Miclaus + +commit 82ee91d6b15f06b6094eea2c26afe0032fe8e177 upstream. + +TLV493D_BX2_MAG_X_AXIS_LSB is defined as GENMASK(7, 4). FIELD_GET() +already right-shifts bits [7:4] to [3:0], so the additional >> 4 +discards most of the X-axis low nibble. The Y and Z axes correctly +omit this extra shift. Remove it. + +Fixes: 106511d280c7 ("iio: magnetometer: add support for Infineon TLV493D 3D Magentic sensor") +Signed-off-by: Antoniu Miclaus +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/magnetometer/tlv493d.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/magnetometer/tlv493d.c ++++ b/drivers/iio/magnetometer/tlv493d.c +@@ -171,7 +171,7 @@ static s16 tlv493d_get_channel_data(u8 * + switch (ch) { + case TLV493D_AXIS_X: + val = FIELD_GET(TLV493D_BX_MAG_X_AXIS_MSB, b[TLV493D_RD_REG_BX]) << 4 | +- FIELD_GET(TLV493D_BX2_MAG_X_AXIS_LSB, b[TLV493D_RD_REG_BX2]) >> 4; ++ FIELD_GET(TLV493D_BX2_MAG_X_AXIS_LSB, b[TLV493D_RD_REG_BX2]); + break; + case TLV493D_AXIS_Y: + val = FIELD_GET(TLV493D_BY_MAG_Y_AXIS_MSB, b[TLV493D_RD_REG_BY]) << 4 | diff --git a/queue-6.19/iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch b/queue-6.19/iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch new file mode 100644 index 0000000000..f31c92f34b --- /dev/null +++ b/queue-6.19/iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch 
@@ -0,0 +1,40 @@
+From 85e4614524dca6c0a43874f475a17de2b9725648 Mon Sep 17 00:00:00 2001
+From: Lukas Schmid
+Date: Mon, 2 Feb 2026 21:15:35 +0100
+Subject: iio: potentiometer: mcp4131: fix double application of wiper shift
+
+From: Lukas Schmid
+
+commit 85e4614524dca6c0a43874f475a17de2b9725648 upstream.
+
+The MCP4131 wiper address is shifted twice when preparing the SPI
+command in mcp4131_write_raw().
+
+The address is already shifted when assigned to the local variable
+"address", but is then shifted again when written to data->buf[0].
+This results in an incorrect command being sent to the device and
+breaks wiper writes to the second channel.
+
+Remove the second shift and use the pre-shifted address directly
+when composing the SPI transfer.
+
+Fixes: 22d199a53910 ("iio: potentiometer: add driver for Microchip MCP413X/414X/415X/416X/423X/424X/425X/426X")
+Signed-off-by: Lukas Schmid #
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/potentiometer/mcp4131.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/potentiometer/mcp4131.c
++++ b/drivers/iio/potentiometer/mcp4131.c
+@@ -221,7 +221,7 @@ static int mcp4131_write_raw(struct iio_
+
+ mutex_lock(&data->lock);
+
+- data->buf[0] = address << MCP4131_WIPER_SHIFT;
++ data->buf[0] = address;
+ data->buf[0] |= MCP4131_WRITE | (val >> 8);
+ data->buf[1] = val & 0xFF; /* 8 bits here */
+
diff --git a/queue-6.19/iio-proximity-hx9023s-fix-assignment-order-for-__counted_by.patch b/queue-6.19/iio-proximity-hx9023s-fix-assignment-order-for-__counted_by.patch
new file mode 100644
index 0000000000..b86edf39ad
--- /dev/null
+++ b/queue-6.19/iio-proximity-hx9023s-fix-assignment-order-for-__counted_by.patch
@@ -0,0 +1,36 @@
+From 585b90c0161ab77416fe3acdbdc55b978e33e16c Mon Sep 17 00:00:00 2001
+From: Yasin Lee
+Date: Fri, 13 Feb 2026 23:14:43 +0800
+Subject: iio: proximity: hx9023s: fix assignment order for __counted_by
+
+From: Yasin Lee
+
+commit 585b90c0161ab77416fe3acdbdc55b978e33e16c upstream.
+
+Initialize fw_size before copying firmware data into the flexible
+array member to match the __counted_by() annotation. This fixes the
+incorrect assignment order that triggers runtime safety checks.
+
+Fixes: e9ed97be4fcc ("iio: proximity: hx9023s: Added firmware file parsing functionality")
+Signed-off-by: Yasin Lee
+Reviewed-by: Andy Shevchenko
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/proximity/hx9023s.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/proximity/hx9023s.c
++++ b/drivers/iio/proximity/hx9023s.c
+@@ -1034,9 +1034,8 @@ static int hx9023s_send_cfg(const struct
+ if (!bin)
+ return -ENOMEM;
+
+- memcpy(bin->data, fw->data, fw->size);
+-
+ bin->fw_size = fw->size;
++ memcpy(bin->data, fw->data, bin->fw_size);
+ bin->fw_ver = bin->data[FW_VER_OFFSET];
+ bin->reg_count = get_unaligned_le16(bin->data + FW_REG_CNT_OFFSET);
+
diff --git a/queue-6.19/iio-proximity-hx9023s-protect-against-division-by-zero-in-set_samp_freq.patch b/queue-6.19/iio-proximity-hx9023s-protect-against-division-by-zero-in-set_samp_freq.patch
new file mode 100644
index 0000000000..4ef67afcf2
--- /dev/null
+++ b/queue-6.19/iio-proximity-hx9023s-protect-against-division-by-zero-in-set_samp_freq.patch
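Review bot: No visible check ensures `fw->size` covers the header fields read right after the copy, `bin->data[FW_VER_OFFSET]` and the two bytes at `bin->data + FW_REG_CNT_OFFSET`. With `fw_size` now set first, a firmware file shorter than that header would make these reads fall outside the `__counted_by()` bound. Whether the allocation above the hunk already rejects such a file cannot be seen from here. A length test ahead of the allocation would make the parser self-contained, e.g. `if (fw->size <= FW_VER_OFFSET || fw->size < FW_REG_CNT_OFFSET + 2) return -EINVAL;`.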
@@ -0,0 +1,33 @@
+From a318cfc0853706f1d6ce682dba660bc455d674ef Mon Sep 17 00:00:00 2001
+From: Yasin Lee
+Date: Fri, 13 Feb 2026 23:14:44 +0800
+Subject: iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
+
+From: Yasin Lee
+
+commit a318cfc0853706f1d6ce682dba660bc455d674ef upstream.
+
+Avoid division by zero when sampling frequency is unspecified.
+
+Fixes: 60df548277b7 ("iio: proximity: Add driver support for TYHX's HX9023S capacitive proximity sensor")
+Signed-off-by: Yasin Lee
+Reviewed-by: Andy Shevchenko
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/proximity/hx9023s.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/proximity/hx9023s.c
++++ b/drivers/iio/proximity/hx9023s.c
+@@ -719,6 +719,9 @@ static int hx9023s_set_samp_freq(struct
+ struct device *dev = regmap_get_device(data->regmap);
+ unsigned int i, period_ms;
+
++ if (!val && !val2)
++ return -EINVAL;
++
+ period_ms = div_u64(NANO, (val * MEGA + val2));
+
+ for (i = 0; i < ARRAY_SIZE(hx9023s_samp_freq_table); i++) {
diff --git a/queue-6.19/io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch b/queue-6.19/io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch
new file mode 100644
index 0000000000..91efc8b501
--- /dev/null
+++ b/queue-6.19/io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch
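Review bot: The guard `if (!val && !val2)` only rejects the all-zero request, while the divisor actually used is `val * MEGA + val2`. If val and val2 are signed (the signature is cut off in the hunk header), a negative component can still make the sum zero. div_u64() also takes a 32-bit divisor, so a large sum can truncate to zero as well. Testing the value that is divided by is more robust, e.g. `if (val < 0 || val2 < 0 || (!val && !val2)) return -EINVAL;` plus an upper bound that keeps the sum within 32 bits.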
@@ -0,0 +1,48 @@
+From c2c185be5c85d37215397c8e8781abf0a69bec1f Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 12 Mar 2026 08:59:25 -0600
+Subject: io_uring/kbuf: check if target buffer list is still legacy on recycle
+
+From: Jens Axboe
+
+commit c2c185be5c85d37215397c8e8781abf0a69bec1f upstream.
+
+There's a gap between when the buffer was grabbed and when it
+potentially gets recycled, where if the list is empty, someone could've
+upgraded it to a ring provided type. This can happen if the request
+is forced via io-wq. The legacy recycling is missing checking if the
+buffer_list still exists, and if it's of the correct type. Add those
+checks.
+
+Cc: stable@vger.kernel.org
+Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
+Reported-by: Keenan Dong
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/kbuf.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/io_uring/kbuf.c
++++ b/io_uring/kbuf.c
+@@ -111,9 +111,18 @@ bool io_kbuf_recycle_legacy(struct io_ki
+
+ buf = req->kbuf;
+ bl = io_buffer_get_list(ctx, buf->bgid);
+- list_add(&buf->list, &bl->buf_list);
+- bl->nbufs++;
++ /*
++ * If the buffer list was upgraded to a ring-based one, or removed,
++ * while the request was in-flight in io-wq, drop it.
++ */
++ if (bl && !(bl->flags & IOBL_BUF_RING)) {
++ list_add(&buf->list, &bl->buf_list);
++ bl->nbufs++;
++ } else {
++ kfree(buf);
++ }
+ req->flags &= ~REQ_F_BUFFER_SELECTED;
++ req->kbuf = NULL;
+
+ io_ring_submit_unlock(ctx, issue_flags);
+ return true;
diff --git a/queue-6.19/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch b/queue-6.19/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch
new file mode 100644
index 0000000000..0717551e85
--- /dev/null
+++ b/queue-6.19/kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch
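Review bot: The new comment in io_kbuf_recycle_legacy() says why the list may have changed, but not what keeps the `bl` test and the `list_add()` consistent with each other. Only the `io_ring_submit_unlock()` call is visible in the hunk, so the matching lock is presumably taken above it. The comment should state that, e.g. by adding `* Both the check and the list_add() run under the submit lock released below.` It is also worth noting that the function returns `true` on the `kfree(buf)` path. A caller that reads `true` as "the buffer is back on the list" would be wrong there; whether any caller does cannot be seen from this hunk.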
@@ -0,0 +1,41 @@
+From 5ef268cb7a0aac55521fd9881f1939fa94a8988e Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Fri, 13 Mar 2026 23:04:11 +0900
+Subject: kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
+
+From: Masami Hiramatsu (Google)
+
+commit 5ef268cb7a0aac55521fd9881f1939fa94a8988e upstream.
+
+Remove unneeded warnings for handled errors from __arm_kprobe_ftrace()
+because all caller handled the error correctly.
+
+Link: https://lore.kernel.org/all/177261531182.1312989.8737778408503961141.stgit@mhiramat.tok.corp.google.com/
+
+Reported-by: Zw Tang
+Closes: https://lore.kernel.org/all/CAPHJ_V+J6YDb_wX2nhXU6kh466Dt_nyDSas-1i_Y8s7tqY-Mzw@mail.gmail.com/
+Fixes: 9c89bb8e3272 ("kprobes: treewide: Cleanup the error messages for kprobes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/kprobes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1070,12 +1070,12 @@ static int __arm_kprobe_ftrace(struct kp
+ lockdep_assert_held(&kprobe_mutex);
+
+ ret = ftrace_set_filter_ip(ops, (unsigned long)p->addr, 0, 0);
+- if (WARN_ONCE(ret < 0, "Failed to arm kprobe-ftrace at %pS (error %d)\n", p->addr, ret))
++ if (ret < 0)
+ return ret;
+
+ if (*cnt == 0) {
+ ret = register_ftrace_function(ops);
+- if (WARN(ret < 0, "Failed to register kprobe-ftrace (error %d)\n", ret)) {
++ if (ret < 0) {
+ /*
+ * At this point, sinec ops is not registered, we should be sefe from
+ * registering empty filter.
diff --git a/queue-6.19/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch b/queue-6.19/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
new file mode 100644
index 0000000000..46ce281f01
--- /dev/null
+++ b/queue-6.19/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
@@ -0,0 +1,42 @@
+From 560f763baa0f2c9a44da4294c06af071405ac46f Mon Sep 17 00:00:00 2001
+From: Josh Law
+Date: Thu, 12 Mar 2026 19:11:42 +0000
+Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace()
+
+From: Josh Law
+
+commit 560f763baa0f2c9a44da4294c06af071405ac46f upstream.
+
+The bounds check for brace_index happens after the array write.
+While the current call pattern prevents an actual out-of-bounds
+access (the previous call would have returned an error), the
+write-before-check pattern is fragile and would become a real
+out-of-bounds write if the error return were ever not propagated.
+
+Move the bounds check before the array write so the function is
+self-contained and safe regardless of caller behavior.
+
+Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/
+
+Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/bootconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -532,9 +532,9 @@ static char *skip_spaces_until_newline(c
+ static int __init __xbc_open_brace(char *p)
+ {
+ /* Push the last key as open brace */
+- open_brace[brace_index++] = xbc_node_index(last_parent);
+ if (brace_index >= XBC_DEPTH_MAX)
+ return xbc_parse_error("Exceed max depth of braces", p);
++ open_brace[brace_index++] = xbc_node_index(last_parent);
+
+ return 0;
+ }
diff --git a/queue-6.19/lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch b/queue-6.19/lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch
new file mode 100644
index 0000000000..406f95c9f9
--- /dev/null
+++ b/queue-6.19/lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch
@@ -0,0 +1,43 @@
+From 39ebc8d7f561e1b64eca87353ef9b18e2825e591 Mon Sep 17 00:00:00 2001
+From: Josh Law
+Date: Thu, 12 Mar 2026 19:11:41 +0000
+Subject: lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
+
+From: Josh Law
+
+commit 39ebc8d7f561e1b64eca87353ef9b18e2825e591 upstream.
+
+__xbc_open_brace() pushes entries with post-increment
+(open_brace[brace_index++]), so brace_index always points one past
+the last valid entry. xbc_verify_tree() reads open_brace[brace_index]
+to report which brace is unclosed, but this is one past the last
+pushed entry and contains stale/zero data, causing the error message
+to reference the wrong node.
+
+Use open_brace[brace_index - 1] to correctly identify the unclosed
+brace. brace_index is known to be > 0 here since we are inside the
+if (brace_index) guard.
+
+Link: https://lore.kernel.org/all/20260312191143.28719-2-objecting@objecting.org/
+
+Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Law
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/bootconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -791,7 +791,7 @@ static int __init xbc_verify_tree(void)
+
+ /* Brace closing */
+ if (brace_index) {
+- n = &xbc_nodes[open_brace[brace_index]];
++ n = &xbc_nodes[open_brace[brace_index - 1]];
+ return xbc_parse_error("Brace is not closed",
+ xbc_node_get_data(n));
+ }
diff --git a/queue-6.19/lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch b/queue-6.19/lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch
new file mode 100644
index 0000000000..4ddd6efb08
--- /dev/null
+++ b/queue-6.19/lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch
@@ -0,0 +1,40 @@
+From 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 Mon Sep 17 00:00:00 2001
+From: Josh Law
+Date: Thu, 12 Mar 2026 19:11:43 +0000
+Subject: lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
+
+From: Josh Law
+
+commit 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 upstream.
+
+snprintf() returns the number of characters that would have been
+written excluding the NUL terminator. Output is truncated when the
+return value is >= the buffer size, not just > the buffer size.
+
+When ret == size, the current code takes the non-truncated path,
+advancing buf by ret and reducing size to 0. This is wrong because
+the output was actually truncated (the last character was replaced by
+NUL). Fix by using >= so the truncation path is taken correctly.
+
+Link: https://lore.kernel.org/all/20260312191143.28719-4-objecting@objecting.org/
+
+Fixes: 76db5a27a827 ("bootconfig: Add Extra Boot Config support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/bootconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -316,7 +316,7 @@ int __init xbc_node_compose_key_after(st
+ depth ? "." : "");
+ if (ret < 0)
+ return ret;
+- if (ret > size) {
++ if (ret >= size) {
+ size = 0;
+ } else {
+ size -= ret;
diff --git a/queue-6.19/net-shapers-don-t-free-reply-skb-after-genlmsg_reply.patch b/queue-6.19/net-shapers-don-t-free-reply-skb-after-genlmsg_reply.patch
new file mode 100644
index 0000000000..27a4f7d1de
--- /dev/null
+++ b/queue-6.19/net-shapers-don-t-free-reply-skb-after-genlmsg_reply.patch
@@ -0,0 +1,58 @@
+From 57885276cc16a2e2b76282c808a4e84cbecb3aae Mon Sep 17 00:00:00 2001
+From: Paul Moses
+Date: Mon, 9 Mar 2026 17:35:10 +0000
+Subject: net-shapers: don't free reply skb after genlmsg_reply()
+
+From: Paul Moses
+
+commit 57885276cc16a2e2b76282c808a4e84cbecb3aae upstream.
+
+genlmsg_reply() hands the reply skb to netlink, and
+netlink_unicast() consumes it on all return paths, whether the
+skb is queued successfully or freed on an error path.
+
+net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()
+currently jump to free_msg after genlmsg_reply() fails and call
+nlmsg_free(msg), which can hit the same skb twice.
+
+Return the genlmsg_reply() error directly and keep free_msg
+only for pre-reply failures.
+
+Fixes: 4b623f9f0f59 ("net-shapers: implement NL get operation")
+Fixes: 553ea9f1efd6 ("net: shaper: implement introspection support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Moses
+Link: https://patch.msgid.link/20260309173450.538026-2-p@1g4.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/shaper/shaper.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/net/shaper/shaper.c
++++ b/net/shaper/shaper.c
+@@ -759,11 +759,7 @@ int net_shaper_nl_get_doit(struct sk_buf
+ if (ret)
+ goto free_msg;
+
+- ret = genlmsg_reply(msg, info);
+- if (ret)
+- goto free_msg;
+-
+- return 0;
++ return genlmsg_reply(msg, info);
+
+ free_msg:
+ nlmsg_free(msg);
+@@ -1314,10 +1310,7 @@ int net_shaper_nl_cap_get_doit(struct sk
+ if (ret)
+ goto free_msg;
+
+- ret = genlmsg_reply(msg, info);
+- if (ret)
+- goto free_msg;
+- return 0;
++ return genlmsg_reply(msg, info);
+
+ free_msg:
+ nlmsg_free(msg);
diff --git a/queue-6.19/powerpc-pseries-correct-msi-allocation-tracking.patch b/queue-6.19/powerpc-pseries-correct-msi-allocation-tracking.patch
new file mode 100644
index 0000000000..7db0b3d94a
--- /dev/null
+++ b/queue-6.19/powerpc-pseries-correct-msi-allocation-tracking.patch
@@ -0,0 +1,38 @@
+From 35e4f2a17eb40288f9bcdb09549fa04a63a96279 Mon Sep 17 00:00:00 2001
+From: Nam Cao
+Date: Mon, 2 Mar 2026 01:39:48 +0100
+Subject: powerpc/pseries: Correct MSI allocation tracking
+
+From: Nam Cao
+
+commit 35e4f2a17eb40288f9bcdb09549fa04a63a96279 upstream.
+
+The per-device MSI allocation calculation in pseries_irq_domain_alloc()
+is clearly wrong. It can still happen to work when nr_irqs is 1.
+
+Correct it.
+
+Fixes: c0215e2d72de ("powerpc/pseries: Fix MSI-X allocation failure when quota is exceeded")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nam Cao
+Reviewed-by: Mahesh Salgaonkar
+Reviewed-by: Nilay Shroff
+[maddy: Fixed Nilay's reviewed-by tag]
+Signed-off-by: Madhavan Srinivasan
+Link: https://patch.msgid.link/20260302003948.1452016-1-namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/pseries/msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/msi.c
++++ b/arch/powerpc/platforms/pseries/msi.c
+@@ -605,7 +605,7 @@ static int pseries_irq_domain_alloc(stru
+ &pseries_msi_irq_chip, pseries_dev);
+ }
+
+- pseries_dev->msi_used++;
++ pseries_dev->msi_used += nr_irqs;
+ return 0;
+
+ out:
diff --git a/queue-6.19/powerpc64-bpf-fix-kfunc-call-support.patch b/queue-6.19/powerpc64-bpf-fix-kfunc-call-support.patch
new file mode 100644
index 0000000000..6a62bfbf5b
--- /dev/null
+++ b/queue-6.19/powerpc64-bpf-fix-kfunc-call-support.patch
@@ -0,0 +1,167 @@
+From 01b6ac72729610ae732ca2a66e3a642e23f6cd60 Mon Sep 17 00:00:00 2001
+From: Hari Bathini
+Date: Tue, 3 Mar 2026 23:40:30 +0530
+Subject: powerpc64/bpf: fix kfunc call support
+
+From: Hari Bathini
+
+commit 01b6ac72729610ae732ca2a66e3a642e23f6cd60 upstream.
+
+Commit 61688a82e047 ("powerpc/bpf: enable kfunc call") inadvertently
+enabled kfunc call support for 32-bit powerpc but that support will
+not be possible until ABI mismatch between 32-bit powerpc and eBPF is
+handled in 32-bit powerpc JIT code. Till then, advertise support only
+for 64-bit powerpc. Also, in powerpc ABI, caller needs to extend the
+arguments properly based on signedness. The JIT code is responsible
+for handling this explicitly for kfunc calls as verifier can't handle
+this for each architecture-specific ABI needs. But this was not taken
+care of while kfunc call support was enabled for powerpc. Fix it by
+handling this with bpf_jit_find_kfunc_model() and using zero_extend()
+& sign_extend() helper functions.
+
+Fixes: 61688a82e047 ("powerpc/bpf: enable kfunc call")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hari Bathini
+Signed-off-by: Madhavan Srinivasan
+Link: https://patch.msgid.link/20260303181031.390073-7-hbathini@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/net/bpf_jit_comp.c | 2
+ arch/powerpc/net/bpf_jit_comp64.c | 101 ++++++++++++++++++++++++++++++++++----
+ 2 files changed, 94 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -437,7 +437,7 @@ void bpf_jit_free(struct bpf_prog *fp)
+
+ bool bpf_jit_supports_kfunc_call(void)
+ {
+- return true;
++ return IS_ENABLED(CONFIG_PPC64);
+ }
+
+ bool bpf_jit_supports_arena(void)
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -319,6 +319,83 @@ int bpf_jit_emit_func_call_rel(u32 *imag
+ return 0;
+ }
+
++static int zero_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size)
++{
++ switch (size) {
++ case 1:
++ /* zero-extend 8 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 56));
++ return 0;
++ case 2:
++ /* zero-extend 16 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 48));
++ return 0;
++ case 4:
++ /* zero-extend 32 bits into 64 bits */
++ EMIT(PPC_RAW_RLDICL(dst_reg, src_reg, 0, 32));
++ fallthrough;
++ case 8:
++ /* Nothing to do */
++ return 0;
++ default:
++ return -1;
++ }
++}
++
++static int sign_extend(u32 *image, struct codegen_context *ctx, u32 src_reg, u32 dst_reg, u32 size)
++{
++ switch (size) {
++ case 1:
++ /* sign-extend 8 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
++ return 0;
++ case 2:
++ /* sign-extend 16 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
++ return 0;
++ case 4:
++ /* sign-extend 32 bits into 64 bits */
++ EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
++ fallthrough;
++ case 8:
++ /* Nothing to do */
++ return 0;
++ default:
++ return -1;
++ }
++}
++
++/*
++ * Handle powerpc ABI expectations from caller:
++ * - Unsigned arguments are zero-extended.
++ * - Signed arguments are sign-extended.
++ */
++static int prepare_for_kfunc_call(const struct bpf_prog *fp, u32 *image,
++ struct codegen_context *ctx,
++ const struct bpf_insn *insn)
++{
++ const struct btf_func_model *m = bpf_jit_find_kfunc_model(fp, insn);
++ int i;
++
++ if (!m)
++ return -1;
++
++ for (i = 0; i < m->nr_args; i++) {
++ /* Note that BPF ABI only allows up to 5 args for kfuncs */
++ u32 reg = bpf_to_ppc(BPF_REG_1 + i), size = m->arg_size[i];
++
++ if (!(m->arg_flags[i] & BTF_FMODEL_SIGNED_ARG)) {
++ if (zero_extend(image, ctx, reg, reg, size))
++ return -1;
++ } else {
++ if (sign_extend(image, ctx, reg, reg, size))
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
+ static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)
+ {
+ /*
+@@ -931,14 +1008,16 @@ int bpf_jit_build_body(struct bpf_prog *
+ /* special mov32 for zext */
+ EMIT(PPC_RAW_RLWINM(dst_reg, dst_reg, 0, 0, 31));
+ break;
+- } else if (off == 8) {
+- EMIT(PPC_RAW_EXTSB(dst_reg, src_reg));
+- } else if (off == 16) {
+- EMIT(PPC_RAW_EXTSH(dst_reg, src_reg));
+- } else if (off == 32) {
+- EMIT(PPC_RAW_EXTSW(dst_reg, src_reg));
+- } else if (dst_reg != src_reg)
+- EMIT(PPC_RAW_MR(dst_reg, src_reg));
++ }
++ if (off == 0) {
++ /* MOV */
++ if (dst_reg != src_reg)
++ EMIT(PPC_RAW_MR(dst_reg, src_reg));
++ } else {
++ /* MOVSX: dst = (s8,s16,s32)src (off = 8,16,32) */
++ if (sign_extend(image, ctx, src_reg, dst_reg, off / 8))
++ return -1;
++ }
+ goto bpf_alu32_trunc;
+ case BPF_ALU | BPF_MOV | BPF_K: /* (u32) dst = imm */
+ case BPF_ALU64 | BPF_MOV | BPF_K: /* dst = (s64) imm */
+@@ -1395,6 +1474,12 @@ emit_clear:
+ if (ret < 0)
+ return ret;
+
++ /* Take care of powerpc ABI requirements before kfunc call */
++ if (insn[i].src_reg == BPF_PSEUDO_KFUNC_CALL) {
++ if (prepare_for_kfunc_call(fp, image, ctx, &insn[i]))
++ return -1;
++ }
++
+ ret = bpf_jit_emit_func_call_rel(image, fimage, ctx, func_addr);
+ if (ret)
+ return ret;
diff --git a/queue-6.19/powerpc64-bpf-fix-the-address-returned-by-bpf_get_func_ip.patch b/queue-6.19/powerpc64-bpf-fix-the-address-returned-by-bpf_get_func_ip.patch
new file mode 100644
index 0000000000..d91e152c3f
--- /dev/null
+++ b/queue-6.19/powerpc64-bpf-fix-the-address-returned-by-bpf_get_func_ip.patch
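Review bot: In `zero_extend()` and `sign_extend()`, `case 8:` returns 0 without emitting anything, which is only correct when `dst_reg == src_reg`. That holds in `prepare_for_kfunc_call()`, which passes `reg, reg`. The MOVSX path in bpf_jit_build_body passes distinct `src_reg`/`dst_reg` with `off / 8`, so a size of 8 there would leave `dst_reg` unwritten and report success. This should be safe as long as `off` is limited to 8, 16 or 32, as the comment says, but nothing in the helpers enforces it. Either document the precondition on the helpers or make the case complete with `if (dst_reg != src_reg) EMIT(PPC_RAW_MR(dst_reg, src_reg));`. Separately, the argument loop indexes `BPF_REG_1 + i` up to `m->nr_args` and relies on the 5-argument limit mentioned in its comment; an explicit bound would keep the JIT from depending on a check made elsewhere.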
@@ -0,0 +1,92 @@
+From 157820264ac3dadfafffad63184b883eb28f9ae0 Mon Sep 17 00:00:00 2001
+From: Hari Bathini
+Date: Tue, 3 Mar 2026 23:40:26 +0530
+Subject: powerpc64/bpf: fix the address returned by bpf_get_func_ip
+
+From: Hari Bathini
+
+commit 157820264ac3dadfafffad63184b883eb28f9ae0 upstream.
+
+bpf_get_func_ip() helper function returns the address of the traced
+function. It relies on the IP address stored at ctx - 16 by the bpf
+trampoline. On 64-bit powerpc, this address is recovered from LR
+accounting for OOL trampoline. But the address stored here was off
+by 4-bytes. Ensure the address is the actual start of the traced
+function.
+
+Reported-by: Abhishek Dubey
+Fixes: d243b62b7bd3 ("powerpc64/bpf: Add support for bpf trampolines")
+Cc: stable@vger.kernel.org
+Tested-by: Venkat Rao Bagalkote
+Signed-off-by: Hari Bathini
+Signed-off-by: Madhavan Srinivasan
+Link: https://patch.msgid.link/20260303181031.390073-3-hbathini@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/net/bpf_jit_comp.c | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp.c
++++ b/arch/powerpc/net/bpf_jit_comp.c
+@@ -722,9 +722,9 @@ static int __arch_prepare_bpf_trampoline
+ * retval_off [ return value ]
+ * [ reg argN ]
+ * [ ... ]
+- * regs_off [ reg_arg1 ] prog ctx context
+- * nregs_off [ args count ]
+- * ip_off [ traced function ]
++ * regs_off [ reg_arg1 ] prog_ctx
++ * nregs_off [ args count ] ((u64 *)prog_ctx)[-1]
++ * ip_off [ traced function ] ((u64 *)prog_ctx)[-2]
+ * [ ... ]
+ * run_ctx_off [ bpf_tramp_run_ctx ]
+ * [ reg argN ]
+@@ -824,7 +824,7 @@ static int __arch_prepare_bpf_trampoline
+
+ bpf_trampoline_save_args(image, ctx, func_frame_offset, nr_regs, regs_off);
+
+- /* Save our return address */
++ /* Save our LR/return address */
+ EMIT(PPC_RAW_MFLR(_R3));
+ if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE))
+ EMIT(PPC_RAW_STL(_R3, _R1, alt_lr_off));
+@@ -832,24 +832,34 @@ static int __arch_prepare_bpf_trampoline
+ EMIT(PPC_RAW_STL(_R3, _R1, bpf_frame_size + PPC_LR_STKOFF));
+
+ /*
+- * Save ip address of the traced function.
+- * We could recover this from LR, but we will need to address for OOL trampoline,
+- * and optional GEP area.
++ * Derive IP address of the traced function.
++ * In case of CONFIG_PPC_FTRACE_OUT_OF_LINE or BPF program, LR points to the instruction
++ * after the 'bl' instruction in the OOL stub. Refer to ftrace_init_ool_stub() and
++ * bpf_arch_text_poke() for OOL stub of kernel functions and bpf programs respectively.
++ * Relevant stub sequence:
++ *
++ * bl
++ * LR (R3) => mtlr r0
++ * b
++ *
++ * Recover kernel function/bpf program address from the unconditional
++ * branch instruction at the end of OOL stub.
+ */
+ if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE) || flags & BPF_TRAMP_F_IP_ARG) {
+ EMIT(PPC_RAW_LWZ(_R4, _R3, 4));
+ EMIT(PPC_RAW_SLWI(_R4, _R4, 6));
+ EMIT(PPC_RAW_SRAWI(_R4, _R4, 6));
+ EMIT(PPC_RAW_ADD(_R3, _R3, _R4));
+- EMIT(PPC_RAW_ADDI(_R3, _R3, 4));
+ }
+
+ if (flags & BPF_TRAMP_F_IP_ARG)
+ EMIT(PPC_RAW_STL(_R3, _R1, ip_off));
+
+- if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE))
++ if (IS_ENABLED(CONFIG_PPC_FTRACE_OUT_OF_LINE)) {
+ /* Fake our LR for unwind */
++ EMIT(PPC_RAW_ADDI(_R3, _R3, 4));
+ EMIT(PPC_RAW_STL(_R3, _R1, bpf_frame_size + PPC_LR_STKOFF));
++ }
+
+ /* Save function arg count -- see bpf_get_func_arg_cnt() */
+ EMIT(PPC_RAW_LI(_R3, nr_regs));
diff --git a/queue-6.19/qmi_wwan-allow-max_mtu-above-hard_mtu-to-control-rx_urb_size.patch b/queue-6.19/qmi_wwan-allow-max_mtu-above-hard_mtu-to-control-rx_urb_size.patch
new file mode 100644
index 0000000000..a7fd003d91
--- /dev/null
+++ b/queue-6.19/qmi_wwan-allow-max_mtu-above-hard_mtu-to-control-rx_urb_size.patch
@@ -0,0 +1,90 @@
+From 55f854dd5bdd8e19b936a00ef1f8d776ac32c7b0 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier
+Date: Wed, 4 Mar 2026 14:43:38 +0100
+Subject: qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
+
+From: Laurent Vivier
+
+commit 55f854dd5bdd8e19b936a00ef1f8d776ac32c7b0 upstream.
+
+Commit c7159e960f14 ("usbnet: limit max_mtu based on device's hard_mtu")
+capped net->max_mtu to the device's hard_mtu in usbnet_probe(). While
+this correctly prevents oversized packets on standard USB network
+devices, it breaks the qmi_wwan driver.
+
+qmi_wwan relies on userspace (e.g. ModemManager) setting a large MTU on
+the wwan0 interface to configure rx_urb_size via usbnet_change_mtu().
+QMI modems negotiate USB transfer sizes of 16,383 or 32,767 bytes, and
+the USB receive buffers must be sized accordingly. With max_mtu capped
+to hard_mtu (~1500 bytes), userspace can no longer raise the MTU, the
+receive buffers remain small, and download speeds drop from >300 Mbps
+to ~0.8 Mbps.
+
+Introduce a FLAG_NOMAXMTU driver flag that allows individual usbnet
+drivers to opt out of the max_mtu cap. Set this flag in qmi_wwan's
+driver_info structures to restore the previous behavior for QMI devices,
+while keeping the safety fix in place for all other usbnet drivers.
+
+Fixes: c7159e960f14 ("usbnet: limit max_mtu based on device's hard_mtu")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/lkml/CAPh3n803k8JcBPV5qEzUB-oKzWkAs-D5CU7z=Vd_nLRCr5ZqQg@mail.gmail.com/
+Reported-by: Koen Vandeputte
+Tested-by: Daniele Palmas
+Signed-off-by: Laurent Vivier
+Link: https://patch.msgid.link/20260304134338.1785002-1-lvivier@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 4 ++--
+ drivers/net/usb/usbnet.c | 7 ++++---
+ include/linux/usb/usbnet.h | 1 +
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -928,7 +928,7 @@ err:
+
+ static const struct driver_info qmi_wwan_info = {
+ .description = "WWAN/QMI device",
+- .flags = FLAG_WWAN | FLAG_SEND_ZLP,
++ .flags = FLAG_WWAN | FLAG_NOMAXMTU | FLAG_SEND_ZLP,
+ .bind = qmi_wwan_bind,
+ .unbind = qmi_wwan_unbind,
+ .manage_power = qmi_wwan_manage_power,
+@@ -937,7 +937,7 @@ static const struct driver_info qmi_wwan
+
+ static const struct driver_info qmi_wwan_info_quirk_dtr = {
+ .description = "WWAN/QMI device",
+- .flags = FLAG_WWAN | FLAG_SEND_ZLP,
++ .flags = FLAG_WWAN | FLAG_NOMAXMTU | FLAG_SEND_ZLP,
+ .bind = qmi_wwan_bind,
+ .unbind = qmi_wwan_unbind,
+ .manage_power = qmi_wwan_manage_power,
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1821,11 +1821,12 @@ usbnet_probe(struct usb_interface *udev,
+ if ((dev->driver_info->flags & FLAG_NOARP) != 0)
+ net->flags |= IFF_NOARP;
+
+- if (net->max_mtu > (dev->hard_mtu - net->hard_header_len))
++ if ((dev->driver_info->flags & FLAG_NOMAXMTU) == 0 &&
++ net->max_mtu > (dev->hard_mtu - net->hard_header_len))
+ net->max_mtu = dev->hard_mtu - net->hard_header_len;
+
+- if (net->mtu > net->max_mtu)
+- net->mtu = net->max_mtu;
++ if (net->mtu > (dev->hard_mtu - net->hard_header_len))
++ net->mtu = dev->hard_mtu - net->hard_header_len;
+
+ } else if (!info->in || !info->out)
+ status = usbnet_get_endpoints(dev, udev);
+--- a/include/linux/usb/usbnet.h
++++ b/include/linux/usb/usbnet.h
+@@ -132,6 +132,7 @@ struct driver_info {
+ #define FLAG_MULTI_PACKET 0x2000
+ #define FLAG_RX_ASSEMBLE 0x4000 /* rx packets may span >1 frames */
+ #define FLAG_NOARP 0x8000 /* device can't do ARP */
++#define FLAG_NOMAXMTU 0x10000 /* allow max_mtu above hard_mtu */
+
+ /* init device ... can sleep, or cause probe() failure */
+ int (*bind)(struct usbnet *, struct usb_interface *);
diff --git a/queue-6.19/s390-dasd-copy-detected-format-information-to-secondary-device.patch b/queue-6.19/s390-dasd-copy-detected-format-information-to-secondary-device.patch
new file mode 100644
index 0000000000..2e4a087df4
--- /dev/null
+++ b/queue-6.19/s390-dasd-copy-detected-format-information-to-secondary-device.patch
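Review bot: With `FLAG_NOMAXMTU` set, nothing in the usbnet_probe() block bounds `net->max_mtu` any more. The largest MTU userspace can request, and per the commit message the `rx_urb_size` derived from it, then depends on a default that is set outside the hunk. The flag's comment, `/* allow max_mtu above hard_mtu */`, does not tell a driver author that opting in hands receive-buffer sizing to whoever can change the MTU. Something like `/* max_mtu not capped to hard_mtu; rx_urb_size then follows the MTU set from userspace */` would make that trade-off visible where the flag is chosen. The same remark applies to both `driver_info` initialisers in qmi_wwan.c that now carry the flag.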
@@ -0,0 +1,74 @@
+From 4c527c7e030672efd788d0806d7a68972a7ba3c1 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland
+Date: Tue, 10 Mar 2026 15:23:30 +0100
+Subject: s390/dasd: Copy detected format information to secondary device
+
+From: Stefan Haberland
+
+commit 4c527c7e030672efd788d0806d7a68972a7ba3c1 upstream.
+
+During online processing for a DASD device an IO operation is started to
+determine the format of the device. CDL format contains specifically
+sized blocks at the beginning of the disk.
+
+For a PPRC secondary device no real IO operation is possible therefore
+this IO request can not be started and this step is skipped for online
+processing of secondary devices. This is generally fine since the
+secondary is a copy of the primary device.
+
+In case of an additional partition detection that is run after a swap
+operation the format information is needed to properly drive partition
+detection IO.
+
+Currently the information is not passed leading to IO errors during
+partition detection and a wrongly detected partition table which in turn
+might lead to data corruption on the disk with the wrong partition table.
+
+Fix by passing the format information from primary to secondary device.
+
+Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
+Cc: stable@vger.kernel.org #6.1
+Reviewed-by: Jan Hoeppner
+Acked-by: Eduard Shishkin
+Signed-off-by: Stefan Haberland
+Link: https://patch.msgid.link/20260310142330.4080106-3-sth@linux.ibm.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/block/dasd_eckd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -6135,6 +6135,7 @@ static void copy_pair_set_active(struct
+ static int dasd_eckd_copy_pair_swap(struct dasd_device *device, char *prim_busid,
+ char *sec_busid)
+ {
++ struct dasd_eckd_private *prim_priv, *sec_priv;
+ struct dasd_device *primary, *secondary;
+ struct dasd_copy_relation *copy;
+ struct dasd_block *block;
+@@ -6155,6 +6156,9 @@ static int dasd_eckd_copy_pair_swap(stru
+ if (!secondary)
+ return DASD_COPYPAIRSWAP_SECONDARY;
+
++ prim_priv = primary->private;
++ sec_priv = secondary->private;
++
+ /*
+ * usually the device should be quiesced for swap
+ * for paranoia stop device and requeue requests again
+@@ -6187,6 +6191,13 @@ static int dasd_eckd_copy_pair_swap(stru
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE);
+ }
+
++ /*
++ * The secondary device never got through format detection, but since it
++ * is a copy of the primary device, the format is exactly the same;
++ * therefore, the detected layout can simply be copied.
++ */
++ sec_priv->uses_cdl = prim_priv->uses_cdl;
++
+ /* re-enable device */
+ dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
+ dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC);
diff --git a/queue-6.19/s390-dasd-move-quiesce-state-with-pprc-swap.patch b/queue-6.19/s390-dasd-move-quiesce-state-with-pprc-swap.patch
new file mode 100644
index 0000000000..a9394c3768
--- /dev/null
+++ b/queue-6.19/s390-dasd-move-quiesce-state-with-pprc-swap.patch
@@ -0,0 +1,46 @@ +From 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Tue, 10 Mar 2026 15:23:29 +0100 +Subject: s390/dasd: Move quiesce state with pprc swap + +From: Stefan Haberland + +commit 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b upstream. + +Quiesce and resume is a mechanism to suspend operations on DASD devices. +In the context of a controlled copy pair swap operation, the quiesce +operation is usually issued before the actual swap and a resume +afterwards. + +During the swap operation, the underlying device is exchanged. Therefore, +the quiesce flag must be moved to the secondary device to ensure a +consistent quiesce state after the swap. + +The secondary device itself cannot be suspended separately because there +is no separate block device representation for it. + +Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability") +Cc: stable@vger.kernel.org #6.1 +Reviewed-by: Jan Hoeppner +Signed-off-by: Stefan Haberland +Link: https://patch.msgid.link/20260310142330.4080106-2-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_eckd.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -6182,6 +6182,11 @@ static int dasd_eckd_copy_pair_swap(stru + dev_name(&secondary->cdev->dev), rc); + } + ++ if (primary->stopped & DASD_STOPPED_QUIESCE) { ++ dasd_device_set_stop_bits(secondary, DASD_STOPPED_QUIESCE); ++ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE); ++ } ++ + /* re-enable device */ + dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC); + dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC); diff --git a/queue-6.19/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch b/queue-6.19/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch new file mode 100644 index 0000000000..379eb033e0 --- /dev/null 
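Review bot: The new `if (primary->stopped & DASD_STOPPED_QUIESCE)` block in dasd_eckd_copy_pair_swap() has no comment, so the reason the flag moves is recorded only in the commit message. I would add `/* the underlying device is exchanged by the swap; move the quiesce state with it */` above the test. The test and the two stop-bit updates are separate steps and no lock is visible in the hunk. If a quiesce or resume request can run at the same time, the state could change between them; this is worth confirming against the callers, which are outside the hunk.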
+++ b/queue-6.19/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch 
@@ -0,0 +1,68 @@ +From 598bbefa8032cc58b564a81d1ad68bd815c8dc0f Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Fri, 27 Feb 2026 14:30:51 +0100 +Subject: s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute + +From: Harald Freudenberger + +commit 598bbefa8032cc58b564a81d1ad68bd815c8dc0f upstream. + +The serialnr sysfs attribute for CCA cards when queried always +used the default domain for sending the request down to the card. +If for any reason exactly this default domain is disabled then +the attribute code fails to retrieve the CCA info and the sysfs +entry shows an empty string. Works as designed but the serial +number is a card attribute and thus it does not matter which +domain is used for the query. So if there are other domains on +this card available, these could be used. + +So extend the code to use AUTOSEL_DOM for the domain value to +address any online domain within the card for querying the cca +info and thus show the serialnr as long as there is one domain +usable regardless of the default domain setting. 
+ +Fixes: 8f291ebf3270 ("s390/zcrypt: enable card/domain autoselect on ep11 cprbs") +Suggested-by: Ingo Franzki +Signed-off-by: Harald Freudenberger +Reviewed-by: Ingo Franzki +Cc: stable@vger.kernel.org +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/crypto/zcrypt_ccamisc.c | 12 +++++++----- + drivers/s390/crypto/zcrypt_cex4.c | 3 +-- + 2 files changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/s390/crypto/zcrypt_ccamisc.c ++++ b/drivers/s390/crypto/zcrypt_ccamisc.c +@@ -1639,11 +1639,13 @@ int cca_get_info(u16 cardnr, u16 domain, + + memset(ci, 0, sizeof(*ci)); + +- /* get first info from zcrypt device driver about this apqn */ +- rc = zcrypt_device_status_ext(cardnr, domain, &devstat); +- if (rc) +- return rc; +- ci->hwtype = devstat.hwtype; ++ /* if specific domain given, fetch status and hw info for this apqn */ ++ if (domain != AUTOSEL_DOM) { ++ rc = zcrypt_device_status_ext(cardnr, domain, &devstat); ++ if (rc) ++ return rc; ++ ci->hwtype = devstat.hwtype; ++ } + + /* + * Prep memory for rule array and var array use. +--- a/drivers/s390/crypto/zcrypt_cex4.c ++++ b/drivers/s390/crypto/zcrypt_cex4.c +@@ -84,8 +84,7 @@ static ssize_t cca_serialnr_show(struct + + memset(&ci, 0, sizeof(ci)); + +- if (ap_domain_index >= 0) +- cca_get_info(ac->id, ap_domain_index, &ci, 0); ++ cca_get_info(ac->id, AUTOSEL_DOM, &ci, 0); + + return sysfs_emit(buf, "%s\n", ci.serial); + } diff --git a/queue-6.19/sched_ext-fix-enqueue_task_scx-truncation-of-upper-enqueue-flags.patch b/queue-6.19/sched_ext-fix-enqueue_task_scx-truncation-of-upper-enqueue-flags.patch new file mode 100644 index 0000000000..acf70779ee --- /dev/null +++ b/queue-6.19/sched_ext-fix-enqueue_task_scx-truncation-of-upper-enqueue-flags.patch 
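Review bot: With `domain == AUTOSEL_DOM` the new branch in cca_get_info() skips zcrypt_device_status_ext(), so `ci->hwtype` keeps the zero from the preceding memset and `devstat` is never filled. cca_serialnr_show() only reads `ci.serial`, but another caller passing AUTOSEL_DOM would see a zero hwtype. Any later read of `devstat` in the part of the function outside the hunk would use uninitialised data. I would extend the new comment to say so, e.g. `/* with AUTOSEL_DOM no apqn status is fetched and ci->hwtype stays 0 */`, and zero-initialise `devstat` at its declaration if it is read further down.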
@@ -0,0 +1,54 @@ +From 57ccf5ccdc56954f2a91a7f66684fd31c566bde5 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Sat, 7 Mar 2026 04:53:32 -1000 +Subject: sched_ext: Fix enqueue_task_scx() truncation of upper enqueue flags + +From: Tejun Heo + +commit 57ccf5ccdc56954f2a91a7f66684fd31c566bde5 upstream. + +enqueue_task_scx() takes int enq_flags from the sched_class interface. +SCX enqueue flags starting at bit 32 (SCX_ENQ_PREEMPT and above) are +silently truncated when passed through activate_task(). extra_enq_flags +was added as a workaround - storing high bits in rq->scx.extra_enq_flags +and OR-ing them back in enqueue_task_scx(). However, the OR target is +still the int parameter, so the high bits are lost anyway. + +The current impact is limited as the only affected flag is SCX_ENQ_PREEMPT +which is informational to the BPF scheduler - its loss means the scheduler +doesn't know about preemption but doesn't cause incorrect behavior. + +Fix by renaming the int parameter to core_enq_flags and introducing a +u64 enq_flags local that merges both sources. All downstream functions +already take u64 enq_flags. 
+ +Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class") +Cc: stable@vger.kernel.org # v6.12+ +Acked-by: Andrea Righi +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -1464,16 +1464,15 @@ static void clr_task_runnable(struct tas + p->scx.flags |= SCX_TASK_RESET_RUNNABLE_AT; + } + +-static void enqueue_task_scx(struct rq *rq, struct task_struct *p, int enq_flags) ++static void enqueue_task_scx(struct rq *rq, struct task_struct *p, int core_enq_flags) + { + struct scx_sched *sch = scx_root; + int sticky_cpu = p->scx.sticky_cpu; ++ u64 enq_flags = core_enq_flags | rq->scx.extra_enq_flags; + + if (enq_flags & ENQUEUE_WAKEUP) + rq->scx.flags |= SCX_RQ_IN_WAKEUP; + +- enq_flags |= rq->scx.extra_enq_flags; +- + if (sticky_cpu >= 0) + p->scx.sticky_cpu = -1; + diff --git a/queue-6.19/scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch b/queue-6.19/scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch new file mode 100644 index 0000000000..62d792917c --- /dev/null +++ b/queue-6.19/scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch 
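Review bot: In `u64 enq_flags = core_enq_flags | rq->scx.extra_enq_flags;` the `int` operand is widened by sign extension, assuming `extra_enq_flags` is a 64-bit field as the commit message implies. A core flag value with bit 31 set would therefore turn on every upper SCX flag bit. No such flag is visible in this hunk, so this may be unreachable today, but the conversion is implicit and easy to miss. Writing `u64 enq_flags = (u32)core_enq_flags | rq->scx.extra_enq_flags;` makes the widening explicit and keeps the upper half coming only from `extra_enq_flags`. The body of enqueue_task_scx() continues outside the hunk.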
@@ -0,0 +1,41 @@ +From 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Wed, 4 Mar 2026 08:46:03 -0800 +Subject: scsi: core: Fix error handling for scsi_alloc_sdev() + +From: Junxiao Bi + +commit 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 upstream. + +After scsi_sysfs_device_initialize() was called, error paths must call +__scsi_remove_device(). + +Fixes: 1ac22c8eae81 ("scsi: core: Fix refcount leak for tagset_refcnt") +Cc: stable@vger.kernel.org +Signed-off-by: Junxiao Bi +Reviewed-by: John Garry +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260304164603.51528-1-junxiao.bi@oracle.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_scan.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -360,12 +360,8 @@ static struct scsi_device *scsi_alloc_sd + * default device queue depth to figure out sbitmap shift + * since we use this queue depth most of times. + */ +- if (scsi_realloc_sdev_budget_map(sdev, depth)) { +- kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags); +- put_device(&starget->dev); +- kfree(sdev); +- goto out; +- } ++ if (scsi_realloc_sdev_budget_map(sdev, depth)) ++ goto out_device_destroy; + + scsi_change_queue_depth(sdev, depth); + diff --git a/queue-6.19/series b/queue-6.19/series index 4bb17f1e36..884d1154d2 100644 --- a/queue-6.19/series +++ b/queue-6.19/series 
@@ -298,3 +298,67 @@ net-ncsi-fix-skb-leak-in-error-paths.patch net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch net-macb-shuffle-the-tx-ring-before-enabling-tx.patch +drm-amd-pm-remove-invalid-gpu_metrics.energy_accumulator-on-smu-v13.0.x.patch +drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch +drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch +drm-amd-fix-null-pointer-dereference-in-device-cleanup.patch +drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch +drm-bridge-ti-sn65dsi83-halve-horizontal-syncs-for-dual-lvds-output.patch +drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch +drm-i915-psr-repeat-selective-update-area-alignment.patch +drm-msm-fix-dma_free_attrs-buffer-size.patch +drm-amd-fix-a-few-more-null-pointer-dereference-in-device-cleanup.patch +drm-msm-dpu-correct-the-sa8775p-intr_underrun-intr_underrun-index.patch +drm-i915-vrr-configure-vrr-timings-after-enabling-trans_ddi_func_ctl.patch +tracing-fix-enabling-multiple-events-on-the-kernel-command-line-and-bootconfig.patch +tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch +net-shapers-don-t-free-reply-skb-after-genlmsg_reply.patch +qmi_wwan-allow-max_mtu-above-hard_mtu-to-control-rx_urb_size.patch +can-dev-keep-the-max-bitrate-error-at-5.patch +io_uring-kbuf-check-if-target-buffer-list-is-still-legacy-on-recycle.patch +cifs-make-default-value-of-retrans-as-zero.patch +xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch +xfs-fix-returned-valued-from-xfs_defer_can_append.patch +xfs-fix-undersized-l_iclog_roundoff-values.patch +xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch +sched_ext-fix-enqueue_task_scx-truncation-of-upper-enqueue-flags.patch +s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch +dt-bindings-display-msm-fix-reg-ranges-and-clocks-on-glymur.patch +ublk-fix-null-pointer-dereference-in-ublk_ctrl_set_size.patch 
+s390-dasd-move-quiesce-state-with-pprc-swap.patch +s390-dasd-copy-detected-format-information-to-secondary-device.patch +powerpc-pseries-correct-msi-allocation-tracking.patch +powerpc64-bpf-fix-kfunc-call-support.patch +powerpc64-bpf-fix-the-address-returned-by-bpf_get_func_ip.patch +lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch +scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch +x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch +kprobes-remove-unneeded-warnings-from-__arm_kprobe_ftrace.patch +lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch +lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch +smb-client-fix-atomic-open-with-o_direct-o_sync.patch +smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch +smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch +btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch +btrfs-fix-transaction-abort-on-file-creation-due-to-name-hash-collision.patch +btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch +btrfs-add-missing-rcu-unlock-in-error-path-in-try_release_subpage_extent_buffer.patch +btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch +iio-dac-ds4424-reject-128-raw-value.patch +iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch +iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch +iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch +iio-magnetometer-tlv493d-remove-erroneous-shift-in-x-axis-data.patch +iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch +iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch +iio-buffer-fix-wait_queue-not-being-removed.patch +iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch +iio-imu-adis-fix-null-pointer-dereference-in-adis_init.patch +iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch 
+iio-imu-inv_icm45600-fix-regulator-put-warning-when-probe-fails.patch +iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch +iio-imu-inv_icm45600-fix-int1-drive-bit-inverted.patch +iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch +iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch +iio-proximity-hx9023s-fix-assignment-order-for-__counted_by.patch +iio-proximity-hx9023s-protect-against-division-by-zero-in-set_samp_freq.patch diff --git a/queue-6.19/smb-client-fix-atomic-open-with-o_direct-o_sync.patch b/queue-6.19/smb-client-fix-atomic-open-with-o_direct-o_sync.patch new file mode 100644 index 0000000000..3d1a66e6e5 --- /dev/null +++ b/queue-6.19/smb-client-fix-atomic-open-with-o_direct-o_sync.patch 
@@ -0,0 +1,102 @@ +From 4a7d2729dc99437dbb880a64c47828c0d191b308 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Sat, 7 Mar 2026 18:20:16 -0300 +Subject: smb: client: fix atomic open with O_DIRECT & O_SYNC + +From: Paulo Alcantara + +commit 4a7d2729dc99437dbb880a64c47828c0d191b308 upstream. + +When user application requests O_DIRECT|O_SYNC along with O_CREAT on +open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in +CREATE request when performing an atomic open, thus leading to +potentially data integrity issues. + +Fix this by setting those missing bits in CREATE request when +O_DIRECT|O_SYNC has been specified in cifs_do_create(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Acked-by: Henrique Carvalho +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsglob.h | 11 +++++++++++ + fs/smb/client/dir.c | 1 + + fs/smb/client/file.c | 18 +++--------------- + 3 files changed, 15 insertions(+), 15 deletions(-) + +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include "cifs_fs_sb.h" + #include "cifsacl.h" + #include +@@ -2313,4 +2314,14 @@ static inline void cifs_requeue_server_r + queue_delayed_work(cifsiod_wq, &server->reconnect, delay * HZ); + } + ++static inline int cifs_open_create_options(unsigned int oflags, int opts) ++{ ++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */ ++ if (oflags & O_SYNC) ++ opts |= CREATE_WRITE_THROUGH; ++ if (oflags & O_DIRECT) ++ opts |= CREATE_NO_BUFFER; ++ return opts; ++} ++ + #endif /* _CIFS_GLOB_H */ +--- a/fs/smb/client/dir.c ++++ b/fs/smb/client/dir.c +@@ -307,6 +307,7 @@ static int cifs_do_create(struct inode * + goto out; + } + ++ create_options |= cifs_open_create_options(oflags, create_options); + /* + * if we're not 
using unix extensions, see if we need to set + * ATTR_READONLY on the create call +--- a/fs/smb/client/file.c ++++ b/fs/smb/client/file.c +@@ -585,15 +585,8 @@ static int cifs_nt_open(const char *full + *********************************************************************/ + + disposition = cifs_get_disposition(f_flags); +- + /* BB pass O_SYNC flag through on file attributes .. BB */ +- +- /* O_SYNC also has bit for O_DSYNC so following check picks up either */ +- if (f_flags & O_SYNC) +- create_options |= CREATE_WRITE_THROUGH; +- +- if (f_flags & O_DIRECT) +- create_options |= CREATE_NO_BUFFER; ++ create_options |= cifs_open_create_options(f_flags, create_options); + + retry_open: + oparms = (struct cifs_open_parms) { +@@ -1319,13 +1312,8 @@ cifs_reopen_file(struct cifsFileInfo *cf + rdwr_for_fscache = 1; + + desired_access = cifs_convert_flags(cfile->f_flags, rdwr_for_fscache); +- +- /* O_SYNC also has bit for O_DSYNC so following check picks up either */ +- if (cfile->f_flags & O_SYNC) +- create_options |= CREATE_WRITE_THROUGH; +- +- if (cfile->f_flags & O_DIRECT) +- create_options |= CREATE_NO_BUFFER; ++ create_options |= cifs_open_create_options(cfile->f_flags, ++ create_options); + + if (server->ops->get_lease_key) + server->ops->get_lease_key(inode, &cfile->fid); diff --git a/queue-6.19/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch b/queue-6.19/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch new file mode 100644 index 0000000000..15b0bc25d6 --- /dev/null +++ b/queue-6.19/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch 
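Review bot: cifs_open_create_options() already ORs the new bits into `opts` and returns the merged value, so `create_options |= cifs_open_create_options(oflags, create_options);` in cifs_do_create(), cifs_nt_open() and cifs_reopen_file() ORs the same value in twice. The result is correct, but a plain assignment, `create_options = cifs_open_create_options(oflags, create_options);`, says what actually happens. Alternatively the helper could take only `oflags` and return just the bits to add. The helper also lacks a header comment; one line stating that it maps O_SYNC/O_DSYNC to CREATE_WRITE_THROUGH and O_DIRECT to CREATE_NO_BUFFER would help future callers.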
@@ -0,0 +1,74 @@ +From d4c7210d2f3ea481a6481f03040a64d9077a6172 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Wed, 11 Mar 2026 20:17:23 -0300 +Subject: smb: client: fix iface port assignment in parse_server_interfaces + +From: Henrique Carvalho + +commit d4c7210d2f3ea481a6481f03040a64d9077a6172 upstream. + +parse_server_interfaces() initializes interface socket addresses with +CIFS_PORT. When the mount uses a non-default port this overwrites the +configured destination port. + +Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr, +causing reconnect attempts to use the wrong port after server interface +updates. + +Use the existing port from server->dstaddr instead. + +Cc: stable@vger.kernel.org +Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries") +Tested-by: Dr. Thomas Orgis +Reviewed-by: Enzo Matsumiya +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -628,6 +628,7 @@ parse_server_interfaces(struct network_i + struct smb_sockaddr_in6 *p6; + struct cifs_server_iface *info = NULL, *iface = NULL, *niface = NULL; + struct cifs_server_iface tmp_iface; ++ __be16 port; + ssize_t bytes_left; + size_t next = 0; + int nb_iface = 0; +@@ -662,6 +663,15 @@ parse_server_interfaces(struct network_i + goto out; + } + ++ spin_lock(&ses->server->srv_lock); ++ if (ses->server->dstaddr.ss_family == AF_INET) ++ port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port; ++ else if (ses->server->dstaddr.ss_family == AF_INET6) ++ port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port; ++ else ++ port = cpu_to_be16(CIFS_PORT); ++ spin_unlock(&ses->server->srv_lock); ++ + while (bytes_left >= (ssize_t)sizeof(*p)) { + memset(&tmp_iface, 0, sizeof(tmp_iface)); + /* default to 1Gbps when link speed is unset */ +@@ 
-682,7 +692,7 @@ parse_server_interfaces(struct network_i + memcpy(&addr4->sin_addr, &p4->IPv4Address, 4); + + /* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */ +- addr4->sin_port = cpu_to_be16(CIFS_PORT); ++ addr4->sin_port = port; + + cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__, + &addr4->sin_addr); +@@ -696,7 +706,7 @@ parse_server_interfaces(struct network_i + /* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */ + addr6->sin6_flowinfo = 0; + addr6->sin6_scope_id = 0; +- addr6->sin6_port = cpu_to_be16(CIFS_PORT); ++ addr6->sin6_port = port; + + cifs_dbg(FYI, "%s: ipv6 %pI6\n", __func__, + &addr6->sin6_addr); diff --git a/queue-6.19/smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch b/queue-6.19/smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch new file mode 100644 index 0000000000..cbe90386b1 --- /dev/null +++ b/queue-6.19/smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch 
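Review bot: The retained `Clients MUST ignore these` comments above `addr4->sin_port = port;` and `addr6->sin6_port = port;` in parse_server_interfaces() no longer explain where the value comes from. I would add a comment at the srv_lock block, e.g. `/* interfaces inherit the port of the current connection; fall back to CIFS_PORT for an unknown family */`. The `if`/`else if`/`else` chain on `ss_family` would also read more directly as a `switch`. The function starts and ends outside the hunks shown.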
@@ -0,0 +1,53 @@ +From d78840a6a38d312dc1a51a65317bb67e46f0b929 Mon Sep 17 00:00:00 2001 +From: Bharath SM +Date: Mon, 9 Mar 2026 16:00:49 +0530 +Subject: smb: client: fix in-place encryption corruption in SMB2_write() + +From: Bharath SM + +commit d78840a6a38d312dc1a51a65317bb67e46f0b929 upstream. + +SMB2_write() places write payload in iov[1..n] as part of rq_iov. +smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() +encrypts iov[1] in-place, replacing the original plaintext with +ciphertext. On a replayable error, the retry sends the same iov[1] +which now contains ciphertext instead of the original data, +resulting in corruption. + +The corruption is most likely to be observed when connections are +unstable, as reconnects trigger write retries that re-send the +already-encrypted data. + +This affects SFU mknod, MF symlinks, etc. On kernels before +6.10 (prior to the netfs conversion), sync writes also used +this path and were similarly affected. The async write path +wasn't unaffected as it uses rq_iter which gets deep-copied. + +Fix by moving the write payload into rq_iter via iov_iter_kvec(), +so smb3_init_transform_rq() deep-copies it before encryption. + +Cc: stable@vger.kernel.org #6.3+ +Acked-by: Henrique Carvalho +Acked-by: Shyam Prasad N +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Bharath SM +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -5237,7 +5237,10 @@ replay_again: + + memset(&rqst, 0, sizeof(struct smb_rqst)); + rqst.rq_iov = iov; +- rqst.rq_nvec = n_vec + 1; ++ /* iov[0] is the SMB header; move payload to rq_iter for encryption safety */ ++ rqst.rq_nvec = 1; ++ iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec, ++ io_parms->length); + + if (retries) + smb2_set_replay(server, &rqst); 
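Review bot: `iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec, io_parms->length);` relies on `io_parms->length` matching the summed length of `iov[1..n_vec]`, and nothing in the hunk checks that. If a caller ever passes a length that disagrees with the vectors, the iterator would describe a different byte count than the buffers hold. I would state the assumption in the new comment, e.g. `/* io_parms->length must equal the total length of iov[1..n_vec] */`, or assert it where the vectors are built. The callers and the rest of SMB2_write() are outside the hunk.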
diff --git a/queue-6.19/tracing-fix-enabling-multiple-events-on-the-kernel-command-line-and-bootconfig.patch b/queue-6.19/tracing-fix-enabling-multiple-events-on-the-kernel-command-line-and-bootconfig.patch
new file mode 100644
index 0000000000..290037c813
--- /dev/null
+++ b/queue-6.19/tracing-fix-enabling-multiple-events-on-the-kernel-command-line-and-bootconfig.patch
@@ -0,0 +1,48 @@ +From 3b1679e086bb869ca02722f6bd29b3573a6a0e7e Mon Sep 17 00:00:00 2001 +From: Andrei-Alexandru Tachici +Date: Mon, 2 Mar 2026 11:27:34 +0100 +Subject: tracing: Fix enabling multiple events on the kernel command line and bootconfig + +From: Andrei-Alexandru Tachici + +commit 3b1679e086bb869ca02722f6bd29b3573a6a0e7e upstream. + +Multiple events can be enabled on the kernel command line via a comma +separator. But if the are specified one at a time, then only the last +event is enabled. This is because the event names are saved in a temporary +buffer, and each call by the init cmdline code will reset that buffer. + +This also affects names in the boot config file, as it may call the +callback multiple times with an example of: + + kernel.trace_event = ":mod:rproc_qcom_common", ":mod:qrtr", ":mod:qcom_aoss" + +Change the cmdline callback function to append a comma and the next value +if the temporary buffer already has content. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://patch.msgid.link/20260302-trace-events-allow-multiple-modules-v1-1-ce4436e37fb8@oss.qualcomm.com +Signed-off-by: Andrei-Alexandru Tachici +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -4341,7 +4341,11 @@ static char bootup_event_buf[COMMAND_LIN + + static __init int setup_trace_event(char *str) + { +- strscpy(bootup_event_buf, str, COMMAND_LINE_SIZE); ++ if (bootup_event_buf[0] != '\0') ++ strlcat(bootup_event_buf, ",", COMMAND_LINE_SIZE); ++ ++ strlcat(bootup_event_buf, str, COMMAND_LINE_SIZE); ++ + trace_set_ring_buffer_expanded(NULL); + disable_tracing_selftest("running event tracing"); + 
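Review bot: Both strlcat() calls in setup_trace_event() ignore the return value, so once the accumulated list reaches COMMAND_LINE_SIZE the tail is cut without notice and the last event name may be stored only as a prefix. Because the buffer now grows across calls, this is easier to hit than with the single strscpy() it replaces. I would check the result, e.g. `if (strlcat(bootup_event_buf, str, COMMAND_LINE_SIZE) >= COMMAND_LINE_SIZE) pr_warn("trace_event list truncated\n");`. The rest of the function is outside the hunk.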
diff --git a/queue-6.19/tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch b/queue-6.19/tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch
new file mode 100644
index 0000000000..a81b91c03c
--- /dev/null
+++ b/queue-6.19/tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch
@@ -0,0 +1,61 @@ +From d008ba8be8984760e36d7dcd4adbd5a41a645708 Mon Sep 17 00:00:00 2001 +From: Calvin Owens +Date: Fri, 6 Mar 2026 19:19:25 -0800 +Subject: tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G + +From: Calvin Owens + +commit d008ba8be8984760e36d7dcd4adbd5a41a645708 upstream. + +Some of the sizing logic through tracer_alloc_buffers() uses int +internally, causing unexpected behavior if the user passes a value that +does not fit in an int (on my x86 machine, the result is uselessly tiny +buffers). + +Fix by plumbing the parameter's real type (unsigned long) through to the +ring buffer allocation functions, which already use unsigned long. + +It has always been possible to create larger ring buffers via the sysfs +interface: this only affects the cmdline parameter. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://patch.msgid.link/bff42a4288aada08bdf74da3f5b67a2c28b761f8.1772852067.git.calvin@wbinvd.org +Fixes: 73c5162aa362 ("tracing: keep ring buffer to minimum size till used") +Signed-off-by: Calvin Owens +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -10136,7 +10136,7 @@ static void setup_trace_scratch(struct t + } + + static int +-allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, int size) ++allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, unsigned long size) + { + enum ring_buffer_flags rb_flags; + struct trace_scratch *tscratch; +@@ -10191,7 +10191,7 @@ static void free_trace_buffer(struct arr + } + } + +-static int allocate_trace_buffers(struct trace_array *tr, int size) ++static int allocate_trace_buffers(struct trace_array *tr, unsigned long size) + { + int ret; + +@@ -11557,7 +11557,7 @@ __init static void enable_instances(void + + __init static int 
tracer_alloc_buffers(void) + { +- int ring_buf_size; ++ unsigned long ring_buf_size; + int ret = -ENOMEM; + + diff --git a/queue-6.19/ublk-fix-null-pointer-dereference-in-ublk_ctrl_set_size.patch b/queue-6.19/ublk-fix-null-pointer-dereference-in-ublk_ctrl_set_size.patch new file mode 100644 index 0000000000..bb0d66bcad --- /dev/null +++ b/queue-6.19/ublk-fix-null-pointer-dereference-in-ublk_ctrl_set_size.patch 
@@ -0,0 +1,68 @@ +From 25966fc097691e5c925ad080f64a2f19c5fd940a Mon Sep 17 00:00:00 2001 +From: Mehul Rao +Date: Thu, 5 Mar 2026 14:31:46 -0500 +Subject: ublk: fix NULL pointer dereference in ublk_ctrl_set_size() + +From: Mehul Rao + +commit 25966fc097691e5c925ad080f64a2f19c5fd940a upstream. + +ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via +set_capacity_and_notify() without checking if it is NULL. + +ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only +assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs +(ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE +handler performs no state validation, a user can trigger a NULL pointer +dereference by sending UPDATE_SIZE to a device that has been added but +not yet started, or one that has been stopped. + +Fix this by checking ub->ub_disk under ub->mutex before dereferencing +it, and returning -ENODEV if the disk is not available. + +Fixes: 98b995660bff ("ublk: Add UBLK_U_CMD_UPDATE_SIZE") +Cc: stable@vger.kernel.org +Signed-off-by: Mehul Rao +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/ublk_drv.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -3534,15 +3534,22 @@ static int ublk_ctrl_get_features(const + return 0; + } + +-static void ublk_ctrl_set_size(struct ublk_device *ub, const struct ublksrv_ctrl_cmd *header) ++static int ublk_ctrl_set_size(struct ublk_device *ub, const struct ublksrv_ctrl_cmd *header) + { + struct ublk_param_basic *p = &ub->params.basic; + u64 new_size = header->data[0]; ++ int ret = 0; + + mutex_lock(&ub->mutex); ++ if (!ub->ub_disk) { ++ ret = -ENODEV; ++ goto out; ++ } + p->dev_sectors = new_size; + set_capacity_and_notify(ub->ub_disk, p->dev_sectors); ++out: + mutex_unlock(&ub->mutex); ++ return ret; + } + + struct count_busy { +@@ -3853,8 +3860,7 @@ static int 
ublk_ctrl_uring_cmd(struct io + ret = ublk_ctrl_end_recovery(ub, &header); + break; + case UBLK_CMD_UPDATE_SIZE: +- ublk_ctrl_set_size(ub, &header); +- ret = 0; ++ ret = ublk_ctrl_set_size(ub, &header); + break; + case UBLK_CMD_QUIESCE_DEV: + ret = ublk_ctrl_quiesce_dev(ub, &header); diff --git a/queue-6.19/x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch b/queue-6.19/x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch new file mode 100644 index 0000000000..83446cad87 --- /dev/null +++ b/queue-6.19/x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch 
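Review bot: `new_size` is read from `header->data[0]`, stored in `p->dev_sectors` and passed to set_capacity_and_notify() with no range check in ublk_ctrl_set_size(), so the value from the control command becomes the disk capacity as is. The UBLK_CMD_UPDATE_SIZE case in ublk_ctrl_uring_cmd() shows no validation either, though checks earlier in that function would be outside the hunk. Now that the function returns an error code, it could reject unwanted values (zero, for example) with `-EINVAL`. Otherwise a comment such as `/* any u64 sector count is accepted on purpose */` should say so.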
@@ -0,0 +1,86 @@ +From 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 Mon Sep 17 00:00:00 2001 +From: Shashank Balaji +Date: Fri, 6 Mar 2026 14:46:28 +0900 +Subject: x86/apic: Disable x2apic on resume if the kernel expects so + +From: Shashank Balaji + +commit 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 upstream. + +When resuming from s2ram, firmware may re-enable x2apic mode, which may have +been disabled by the kernel during boot either because it doesn't support IRQ +remapping or for other reasons. This causes the kernel to continue using the +xapic interface, while the hardware is in x2apic mode, which causes hangs. +This happens on defconfig + bare metal + s2ram. + +Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be +disabled, i.e. when x2apic_mode = 0. + +The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the +pre-sleep configuration or initial boot configuration for each CPU, including +MSR state: + + When executing from the power-on reset vector as a result of waking from an + S2 or S3 sleep state, the platform firmware performs only the hardware + initialization required to restore the system to either the state the + platform was in prior to the initial operating system boot, or to the + pre-sleep configuration state. In multiprocessor systems, non-boot + processors should be placed in the same state as prior to the initial + operating system boot. + + (further ahead) + + If this is an S2 or S3 wake, then the platform runtime firmware restores + minimum context of the system before jumping to the waking vector. This + includes: + + CPU configuration. Platform runtime firmware restores the pre-sleep + configuration or initial boot configuration of each CPU (MSR, MTRR, + firmware update, SMBase, and so on). Interrupts must be disabled (for + IA-32 processors, disabled by CLI instruction). 
+ + (and other things) + +So at least as per the spec, re-enablement of x2apic by the firmware is +allowed if "x2apic on" is a part of the initial boot configuration. + + [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization + + [ bp: Massage. ] + +Fixes: 6e1cb38a2aef ("x64, x2apic/intr-remap: add x2apic support, including enabling interrupt-remapping") +Co-developed-by: Rahul Bukte +Signed-off-by: Rahul Bukte +Signed-off-by: Shashank Balaji +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Thomas Gleixner +Reviewed-by: Sohil Mehta +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260306-x2apic-fix-v2-1-bee99c12efa3@sony.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/apic/apic.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1894,6 +1894,7 @@ void __init check_x2apic(void) + + static inline void try_to_enable_x2apic(int remap_mode) { } + static inline void __x2apic_enable(void) { } ++static inline void __x2apic_disable(void) { } + #endif /* !CONFIG_X86_X2APIC */ + + void __init enable_IR_x2apic(void) +@@ -2456,6 +2457,11 @@ static void lapic_resume(void *data) + if (x2apic_mode) { + __x2apic_enable(); + } else { ++ if (x2apic_enabled()) { ++ pr_warn_once("x2apic: re-enabled by firmware during resume. Disabling\n"); ++ __x2apic_disable(); ++ } ++ + /* + * Make sure the APICBASE points to the right address + * diff --git a/queue-6.19/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch b/queue-6.19/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch new file mode 100644 index 0000000000..d299ced3a1 --- /dev/null +++ b/queue-6.19/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch 
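Review bot: The new `if (x2apic_enabled())` branch in lapic_resume() has no comment, so the reason firmware may hand the CPU back in x2apic mode is recorded only in the commit message. I would add above the test `/* firmware may restore the boot-time x2apic state on S3 wake while the kernel runs in xapic mode */`. The other hunk adds the `!CONFIG_X86_X2APIC` stub for `__x2apic_disable()`. Whether `x2apic_enabled()` is also defined in that configuration is not visible here, so a build with X2APIC disabled is worth running.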
@@ -0,0 +1,65 @@
+From 186ac39b8a7d3ec7ce9c5dd45e5c2730177f375c Mon Sep 17 00:00:00 2001
+From: Long Li
+Date: Thu, 5 Mar 2026 16:49:22 +0800
+Subject: xfs: ensure dquot item is deleted from AIL only after log shutdown
+
+From: Long Li
+
+commit 186ac39b8a7d3ec7ce9c5dd45e5c2730177f375c upstream.
+
+In xfs_qm_dqflush(), when a dquot flush fails due to corruption
+(the out_abort error path), the original code removed the dquot log
+item from the AIL before calling xfs_force_shutdown(). This ordering
+introduces a subtle race condition that can lead to data loss after
+a crash.
+
+The AIL tracks the oldest dirty metadata in the journal. The position
+of the tail item in the AIL determines the log tail LSN, which is the
+oldest LSN that must be preserved for crash recovery. When an item is
+removed from the AIL, the log tail can advance past the LSN of that item.
+
+The race window is as follows: if the dquot item happens to be at
+the tail of the log, removing it from the AIL allows the log tail
+to advance. If a concurrent log write is sampling the tail LSN at
+the same time and subsequently writes a complete checkpoint (i.e.,
+one containing a commit record) to disk before the shutdown takes
+effect, the journal will no longer protect the dquot's last
+modification. On the next mount, log recovery will not replay the
+dquot changes, even though they were never written back to disk,
+resulting in silent data loss.
+
+Fix this by calling xfs_force_shutdown() before xfs_trans_ail_delete()
+in the out_abort path. Once the log is shut down, no new log writes
+can complete with an updated tail LSN, making it safe to remove the
+dquot item from the AIL.
+
+Cc: stable@vger.kernel.org
+Fixes: b707fffda6a3 ("xfs: abort consistently on dquot flush failure")
+Signed-off-by: Long Li
+Reviewed-by: Carlos Maiolino
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_dquot.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1439,9 +1439,15 @@ xfs_qm_dqflush(
+ return 0;
+
+ out_abort:
++ /*
++ * Shut down the log before removing the dquot item from the AIL.
++ * Otherwise, the log tail may advance past this item's LSN while
++ * log writes are still in progress, making these unflushed changes
++ * unrecoverable on the next mount.
++ */
++ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ dqp->q_flags &= ~XFS_DQFLAG_DIRTY;
+ xfs_trans_ail_delete(lip, 0);
+- xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+ xfs_dqfunlock(dqp);
+ return error;
+ }
diff --git a/queue-6.19/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch b/queue-6.19/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch
new file mode 100644
index 0000000000..7574c89eb1
--- /dev/null
+++ b/queue-6.19/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch
@@ -0,0 +1,38 @@
+From 362c490980867930a098b99f421268fbd7ca05fd Mon Sep 17 00:00:00 2001
+From: Long Li
+Date: Tue, 10 Mar 2026 20:32:33 +0800
+Subject: xfs: fix integer overflow in bmap intent sort comparator
+
+From: Long Li
+
+commit 362c490980867930a098b99f421268fbd7ca05fd upstream.
+
+xfs_bmap_update_diff_items() sorts bmap intents by inode number using
+a subtraction of two xfs_ino_t (uint64_t) values, with the result
+truncated to int. This is incorrect when two inode numbers differ by
+more than INT_MAX (2^31 - 1), which is entirely possible on large XFS
+filesystems.
+
+Fix this by replacing the subtraction with cmp_int().
+
+Cc: # v4.9
+Fixes: 9f3afb57d5f1 ("xfs: implement deferred bmbt map/unmap operations")
+Signed-off-by: Long Li
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_bmap_item.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_bmap_item.c
++++ b/fs/xfs/xfs_bmap_item.c
+@@ -247,7 +247,7 @@ xfs_bmap_update_diff_items(
+ struct xfs_bmap_intent *ba = bi_entry(a);
+ struct xfs_bmap_intent *bb = bi_entry(b);
+
+- return ba->bi_owner->i_ino - bb->bi_owner->i_ino;
++ return cmp_int(ba->bi_owner->i_ino, bb->bi_owner->i_ino);
+ }
+
+ /* Log bmap updates in the intent item. */
diff --git a/queue-6.19/xfs-fix-returned-valued-from-xfs_defer_can_append.patch b/queue-6.19/xfs-fix-returned-valued-from-xfs_defer_can_append.patch
new file mode 100644
index 0000000000..1847a679dd
--- /dev/null
+++ b/queue-6.19/xfs-fix-returned-valued-from-xfs_defer_can_append.patch
@@ -0,0 +1,36 @@
+From 54fcd2f95f8d216183965a370ec69e1aab14f5da Mon Sep 17 00:00:00 2001
+From: Carlos Maiolino
+Date: Wed, 4 Mar 2026 19:54:27 +0100
+Subject: xfs: fix returned valued from xfs_defer_can_append
+
+From: Carlos Maiolino
+
+commit 54fcd2f95f8d216183965a370ec69e1aab14f5da upstream.
+
+xfs_defer_can_append returns a bool, it shouldn't be returning
+a NULL.
+
+Found by code inspection.
+
+Fixes: 4dffb2cbb483 ("xfs: allow pausing of pending deferred work items")
+Cc: # v6.8
+Signed-off-by: Carlos Maiolino
+Reviewed-by: Darrick J. Wong
+Acked-by: Souptick Joarder
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/libxfs/xfs_defer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_defer.c
++++ b/fs/xfs/libxfs/xfs_defer.c
+@@ -809,7 +809,7 @@ xfs_defer_can_append(
+
+ /* Paused items cannot absorb more work */
+ if (dfp->dfp_flags & XFS_DEFER_PAUSED)
+- return NULL;
++ return false;
+
+ /* Already full? */
+ if (ops->max_items && dfp->dfp_count >= ops->max_items)
diff --git a/queue-6.19/xfs-fix-undersized-l_iclog_roundoff-values.patch b/queue-6.19/xfs-fix-undersized-l_iclog_roundoff-values.patch
new file mode 100644
index 0000000000..a24e551683
--- /dev/null
+++ b/queue-6.19/xfs-fix-undersized-l_iclog_roundoff-values.patch
@@ -0,0 +1,66 @@
+From 52a8a1ba883defbfe3200baa22cf4cd21985d51a Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Wed, 4 Mar 2026 20:26:20 -0800
+Subject: xfs: fix undersized l_iclog_roundoff values
+
+From: Darrick J. Wong
+
+commit 52a8a1ba883defbfe3200baa22cf4cd21985d51a upstream.
+
+If the superblock doesn't list a log stripe unit, we set the incore log
+roundoff value to 512. This leads to corrupt logs and unmountable
+filesystems in generic/617 on a disk with 4k physical sectors...
+
+XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
+XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.
+XFS (sda1): failed to locate log tail
+XFS (sda1): log mount/recovery failed: error -74
+XFS (sda1): log mount failed
+XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
+XFS (sda1): Ending clean mount
+
+...on the current xfsprogs for-next which has a broken mkfs. xfs_info
+shows this...
+
+meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks
+ = sectsz=4096 attr=2, projid32bit=1
+ = crc=1 finobt=1, sparse=1, rmapbt=1
+ = reflink=1 bigtime=1 inobtcount=1 nrext64=1
+ = exchange=1 metadir=1
+data = bsize=4096 blocks=2579968, imaxpct=25
+ = sunit=0 swidth=0 blks
+naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1
+log =internal log bsize=4096 blocks=16384, version=2
+ = sectsz=4096 sunit=0 blks, lazy-count=1
+realtime =none extsz=4096 blocks=0, rtextents=0
+ = rgcount=0 rgsize=268435456 extents
+ = zoned=0 start=0 reserved=0
+
+...observe that the log section has sectsz=4096 sunit=0, which means
+that the roundoff factor is 512, not 4096 as you'd expect. We should
+fix mkfs not to generate broken filesystems, but anyone can fuzz the
+ondisk superblock so we should be more cautious. I think the inadequate
+logic predates commit a6a65fef5ef8d0, but that's clearly going to
+require a different backport.
+
+Cc: stable@vger.kernel.org # v5.14
+Fixes: a6a65fef5ef8d0 ("xfs: log stripe roundoff is a property of the log")
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1399,6 +1399,8 @@ xlog_alloc_log(
+
+ if (xfs_has_logv2(mp) && mp->m_sb.sb_logsunit > 1)
+ log->l_iclog_roundoff = mp->m_sb.sb_logsunit;
++ else if (mp->m_sb.sb_logsectsize > 0)
++ log->l_iclog_roundoff = mp->m_sb.sb_logsectsize;
+ else
+ log->l_iclog_roundoff = BBSIZE;
+
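Review bot: The new `else if` branch in `xlog_alloc_log()` takes `mp->m_sb.sb_logsectsize` from the superblock with only a `> 0` test, although the commit message itself notes that the on-disk superblock can be fuzzed. Nothing in the hunk shows that the value is a power of two, at least BBSIZE, or bounded above, and a roundoff that breaks any of those would presumably misalign iclog writes. If superblock verification already guarantees this, the branch should say so with a comment such as `/* sb_logsectsize was range- and power-of-two-checked when the superblock was verified */`; otherwise the condition could be tightened to `else if (mp->m_sb.sb_logsectsize >= BBSIZE && is_power_of_2(mp->m_sb.sb_logsectsize))`. The function begins and ends outside the hunk, so any earlier validation is not visible here.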