From: Greg Kroah-Hartman Date: Fri, 1 May 2026 12:32:03 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.12.86~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b20cac226ba025a481fd89c6ce689e266fce7279;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: arm64-dts-marvell-udpu-add-ethernet-aliases.patch drm-arcpgu-fix-device-node-leak.patch extract-cert-wrap-key_pass-with-ifdef-use_pkcs11_engine.patch ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch loongarch-show-cpu-vulnerabilites-correctly.patch net-ks8851-avoid-excess-softirq-scheduling.patch net-ks8851-reinstate-disabling-of-bhs-around-irq-handler.patch net-qrtr-ns-free-the-node-during-ctrl_cmd_bye.patch net-rds-fix-mr-cleanup-on-copy-error.patch net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch net-txgbe-fix-firmware-version-check.patch netconsole-avoid-out-of-bounds-access-on-empty-string-in-trim_newline.patch power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch rxrpc-fix-re-decryption-of-response-packets.patch rxrpc-fix-rxkad-crypto-unalignment-handling.patch tools-accounting-handle-truncated-taskstats-netlink-messages.patch tpm-avoid-wunused-but-set-variable.patch --- diff --git a/queue-6.12/arm64-dts-marvell-udpu-add-ethernet-aliases.patch b/queue-6.12/arm64-dts-marvell-udpu-add-ethernet-aliases.patch new file mode 100644 index 0000000000..e2bd95efd7 --- /dev/null +++ b/queue-6.12/arm64-dts-marvell-udpu-add-ethernet-aliases.patch @@ -0,0 +1,39 @@ +From 38f09c97340cd23f976242e6cb1e7aa4c8ed28d0 Mon Sep 17 00:00:00 2001 +From: Robert Marko +Date: Tue, 27 Jan 2026 13:32:15 +0100 +Subject: arm64: dts: marvell: uDPU: add ethernet aliases + +From: Robert Marko + +commit 38f09c97340cd23f976242e6cb1e7aa4c8ed28d0 upstream. + +On eDPU plus, which is an updated revision of eDPU which uses an external +MV88E6361 switch we are relying on U-Boot to detect the board, and then +enable and disable the required nodes for that revision. + +However, it seems that I missed adding the required aliases for ethernet +controllers, and this worked as in OpenWrt we had added those locally. + +Cc: stable@vger.kernel.org +Fixes: 660b8b2f3944 ("arm64: dts: marvell: eDPU: add support for version with external switch") +Signed-off-by: Robert Marko +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi +@@ -15,6 +15,11 @@ + #include "armada-372x.dtsi" + + / { ++ aliases { ++ ethernet0 = ð0; ++ ethernet1 = ð1; ++ }; ++ + chosen { + stdout-path = "serial0:115200n8"; + }; diff --git a/queue-6.12/drm-arcpgu-fix-device-node-leak.patch b/queue-6.12/drm-arcpgu-fix-device-node-leak.patch new file mode 100644 index 0000000000..f8470f5284 --- /dev/null +++ b/queue-6.12/drm-arcpgu-fix-device-node-leak.patch @@ -0,0 +1,39 @@ +From ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c Mon Sep 17 00:00:00 2001 +From: Luca Ceresoli +Date: Thu, 2 Apr 2026 18:42:20 +0200 +Subject: drm/arcpgu: fix device node leak + +From: Luca Ceresoli + +commit ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c upstream. + +This function gets a device_node reference via +of_graph_get_remote_port_parent() and stores it in encoder_node, but never +puts that reference. Add it. + +There used to be a of_node_put(encoder_node) but it has been removed by +mistake during a rework in commit 3ea66a794fdc ("drm/arc: Inline +arcpgu_drm_hdmi_init"). + +Fixes: 3ea66a794fdc ("drm/arc: Inline arcpgu_drm_hdmi_init") +Cc: stable@vger.kernel.org +Reviewed-by: Louis Chauvet +Link: https://patch.msgid.link/20260402-drm-arcgpu-fix-device-node-leak-v2-1-d773cf754ae5@bootlin.com +Signed-off-by: Luca Ceresoli +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/tiny/arcpgu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/tiny/arcpgu.c ++++ b/drivers/gpu/drm/tiny/arcpgu.c +@@ -248,7 +248,8 @@ DEFINE_DRM_GEM_DMA_FOPS(arcpgu_drm_ops); + static int arcpgu_load(struct arcpgu_drm_private *arcpgu) + { + struct platform_device *pdev = to_platform_device(arcpgu->drm.dev); +- struct device_node *encoder_node = NULL, *endpoint_node = NULL; ++ struct device_node *encoder_node __free(device_node) = NULL; ++ struct device_node *endpoint_node = NULL; + struct drm_connector *connector = NULL; + struct drm_device *drm = &arcpgu->drm; + struct resource *res; diff --git a/queue-6.12/extract-cert-wrap-key_pass-with-ifdef-use_pkcs11_engine.patch b/queue-6.12/extract-cert-wrap-key_pass-with-ifdef-use_pkcs11_engine.patch new file mode 100644 index 0000000000..33bd510c6c --- /dev/null +++ b/queue-6.12/extract-cert-wrap-key_pass-with-ifdef-use_pkcs11_engine.patch @@ -0,0 +1,61 @@ +From 4f96b7c68a9904e01049ef610d701b382dca9574 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 25 Mar 2026 18:19:15 -0700 +Subject: extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE' + +From: Nathan Chancellor + +commit 4f96b7c68a9904e01049ef610d701b382dca9574 upstream. + +A recent strengthening of -Wunused-but-set-variable (enabled with -Wall) +in clang under a new subwarning, -Wunused-but-set-global, points out an +unused static global variable in certs/extract-cert.c: + + certs/extract-cert.c:46:20: error: variable 'key_pass' set but not used [-Werror,-Wunused-but-set-global] + 46 | static const char *key_pass; + | ^ + +After commit 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider +for OPENSSL MAJOR >= 3"), key_pass is only used with the OpenSSL engine +API, not the new provider API. Wrap key_pass's declaration and +assignment with '#ifdef USE_PKCS11_ENGINE' so that it is only included +with its use to clear up the warning. While this is a little uglier than +just marking key_pass with the unused attribute, this will make it +easier to clean up all code associated with the use of the engine API if +it were ever removed in the future. While in the area, use a tab for +the key_pass assignment line to match the rest of the file. + +Cc: stable@vger.kernel.org +Fixes: 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3") +Reviewed-by: Nick Desaulniers +Tested-by: Nick Desaulniers +Link: https://patch.msgid.link/20260325-certs-extract-cert-key_pass-unused-but-set-global-v1-1-ecf94326d532@kernel.org +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + certs/extract-cert.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/certs/extract-cert.c ++++ b/certs/extract-cert.c +@@ -43,7 +43,9 @@ void format(void) + exit(2); + } + ++#ifdef USE_PKCS11_ENGINE + static const char *key_pass; ++#endif + static BIO *wb; + static char *cert_dst; + static bool verbose; +@@ -135,7 +137,9 @@ int main(int argc, char **argv) + if (verbose_env && strchr(verbose_env, '1')) + verbose = true; + +- key_pass = getenv("KBUILD_SIGN_PIN"); ++#ifdef USE_PKCS11_ENGINE ++ key_pass = getenv("KBUILD_SIGN_PIN"); ++#endif + + if (argc != 3) + format(); diff --git a/queue-6.12/ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch b/queue-6.12/ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch new file mode 100644 index 0000000000..e311529d19 --- /dev/null +++ b/queue-6.12/ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch @@ -0,0 +1,54 @@ +From 67bf002a2d7387a6312138210d0bd06e3cf4879b Mon Sep 17 00:00:00 2001 +From: Ruide Cao +Date: Tue, 21 Apr 2026 12:16:31 +0800 +Subject: ipv4: icmp: validate reply type before using icmp_pointers + +From: Ruide Cao + +commit 67bf002a2d7387a6312138210d0bd06e3cf4879b upstream. + +Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. +That value is outside the range covered by icmp_pointers[], which only +describes the traditional ICMP types up to NR_ICMP_TYPES. + +Avoid consulting icmp_pointers[] for reply types outside that range, and +use array_index_nospec() for the remaining in-range lookup. Normal ICMP +replies keep their existing behavior unchanged. + +Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/0dace90c01a5978e829ca741ef684dbd7304ce62.1776628519.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/icmp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -64,6 +64,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -361,7 +362,9 @@ static int icmp_glue_bits(void *from, ch + to, len); + + skb->csum = csum_block_add(skb->csum, csum, odd); +- if (icmp_pointers[icmp_param->data.icmph.type].error) ++ if (icmp_param->data.icmph.type <= NR_ICMP_TYPES && ++ icmp_pointers[array_index_nospec(icmp_param->data.icmph.type, ++ NR_ICMP_TYPES + 1)].error) + nf_ct_attach(skb, icmp_param->skb); + return 0; + } diff --git a/queue-6.12/libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch b/queue-6.12/libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch new file mode 100644 index 0000000000..4478ef4b51 --- /dev/null +++ b/queue-6.12/libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch @@ -0,0 +1,42 @@ +From 5199c125d25aeae8615c4fc31652cc0fe624338e Mon Sep 17 00:00:00 2001 +From: Raphael Zimmer +Date: Wed, 18 Mar 2026 18:09:03 +0100 +Subject: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() + +From: Raphael Zimmer + +commit 5199c125d25aeae8615c4fc31652cc0fe624338e upstream. + +If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both +protocol and result, this is currently not treated as an error. In case +of ac->negotiating == true and ac->protocol > 0, this leads to setting +ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for +ac->protocol != protocol returns false, and init_protocol() is not +called. Subsequently, ac->ops->handle_reply() is called, which leads to +a null pointer dereference, because ac->ops is still NULL. + +This patch changes the check for ac->protocol != protocol to +!ac->protocol, as this also includes the case when the protocol was set +to zero in the message. This causes the message to be treated as +containing a bad auth protocol. + +Cc: stable@vger.kernel.org +Signed-off-by: Raphael Zimmer +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ceph/auth.c ++++ b/net/ceph/auth.c +@@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_a + ac->protocol = 0; + ac->ops = NULL; + } +- if (ac->protocol != protocol) { ++ if (!ac->protocol) { + ret = init_protocol(ac, protocol); + if (ret) { + pr_err("auth protocol '%s' init failed: %d\n", diff --git a/queue-6.12/loongarch-show-cpu-vulnerabilites-correctly.patch b/queue-6.12/loongarch-show-cpu-vulnerabilites-correctly.patch new file mode 100644 index 0000000000..3bfb98c224 --- /dev/null +++ b/queue-6.12/loongarch-show-cpu-vulnerabilites-correctly.patch @@ -0,0 +1,45 @@ +From 37e57e8ad96cdec4a57b55fd10bef50f7370a954 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 22 Apr 2026 15:45:12 +0800 +Subject: LoongArch: Show CPU vulnerabilites correctly + +From: Huacai Chen + +commit 37e57e8ad96cdec4a57b55fd10bef50f7370a954 upstream. + +Most LoongArch processors are vulnerable to Spectre-V1 Proof-of-Concept +(PoC). And the generic mechanism, __user pointer sanitization, can be +used as a mitigation. This means to use array_index_nospec() to prevent +out of boundry access in syscall and other critical paths. + +Implement the arch-specific cpu_show_spectre_v1() to show CPU Spectre-V1 +vulnerabilites correctly. + +Cc: stable@vger.kernel.org +Link: https://cc-sw.com/chinese-loongarch-architecture-evaluation-part-3-of-3/ +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/cpu-probe.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/loongarch/kernel/cpu-probe.c ++++ b/arch/loongarch/kernel/cpu-probe.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -352,3 +353,9 @@ void cpu_probe(void) + + cpu_report(); + } ++ ++ssize_t cpu_show_spectre_v1(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sysfs_emit(buf, "Mitigation: __user pointer sanitization\n"); ++} diff --git a/queue-6.12/net-ks8851-avoid-excess-softirq-scheduling.patch b/queue-6.12/net-ks8851-avoid-excess-softirq-scheduling.patch new file mode 100644 index 0000000000..8a95f3eba1 --- /dev/null +++ b/queue-6.12/net-ks8851-avoid-excess-softirq-scheduling.patch @@ -0,0 +1,41 @@ +From 22230e68b2cf1ab6b027be8cf1198164a949c4fa Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Thu, 16 Apr 2026 01:09:45 +0200 +Subject: net: ks8851: Avoid excess softirq scheduling + +From: Marek Vasut + +commit 22230e68b2cf1ab6b027be8cf1198164a949c4fa upstream. + +The code injects a packet into netif_rx() repeatedly, which will add +it to its internal NAPI and schedule a softirq, and process it. It is +more efficient to queue multiple packets and process them all at the +local_bh_enable() time. + +Reviewed-by: Sebastian Andrzej Siewior +Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs") +Cc: stable@vger.kernel.org +Signed-off-by: Marek Vasut +Link: https://patch.msgid.link/20260415231020.455298-2-marex@nabladev.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/micrel/ks8851_common.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/micrel/ks8851_common.c ++++ b/drivers/net/ethernet/micrel/ks8851_common.c +@@ -389,9 +389,12 @@ static irqreturn_t ks8851_irq(int irq, v + if (status & IRQ_LCI) + mii_check_link(&ks->mii); + +- if (status & IRQ_RXI) ++ if (status & IRQ_RXI) { ++ local_bh_disable(); + while ((skb = __skb_dequeue(&rxq))) + netif_rx(skb); ++ local_bh_enable(); ++ } + + return IRQ_HANDLED; + } diff --git a/queue-6.12/net-ks8851-reinstate-disabling-of-bhs-around-irq-handler.patch b/queue-6.12/net-ks8851-reinstate-disabling-of-bhs-around-irq-handler.patch new file mode 100644 index 0000000000..ef5f2d248e --- /dev/null +++ b/queue-6.12/net-ks8851-reinstate-disabling-of-bhs-around-irq-handler.patch @@ -0,0 +1,469 @@ +From 5c9fcac3c872224316714d0d8914d9af16c76a6d Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Thu, 16 Apr 2026 01:09:44 +0200 +Subject: net: ks8851: Reinstate disabling of BHs around IRQ handler + +From: Marek Vasut + +commit 5c9fcac3c872224316714d0d8914d9af16c76a6d upstream. + +If the driver executes ks8851_irq() AND a TX packet has been sent, then +the driver enables TX queue via netif_wake_queue() which schedules TX +softirq to queue packets for this device. + +If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by +the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to +allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() +is called with BH enabled, then local_bh_enable() at the end of +netdev_alloc_skb_ip_align() will trigger the pending softirq processing, +which may ultimately call the .xmit callback ks8851_start_xmit_par(). +The ks8851_start_xmit_par() will try to lock struct ks8851_net_par +.lock spinlock, which is already locked by ks8851_irq() from which +ks8851_start_xmit_par() was called. This leads to a deadlock, which +is reported by the kernel, including a trace listed below. + +If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 +("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock +can also be triggered without received packet in the RX FIFO. The +pending softirqs will be processed on return from +spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the +deadlock as well. + +Fix the problem by disabling BH around critical sections, including the +IRQ handler, thus preventing the net_tx_action() softirq from triggering +during these critical sections. The net_tx_action() softirq is triggered +once BH are re-enabled and at the end of the IRQ handler, once all the +other IRQ handler actions have been completed. + + __schedule from schedule_rtlock+0x1c/0x34 + schedule_rtlock from rtlock_slowlock_locked+0x548/0x904 + rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c + rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8 + ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44 + netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188 + dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c + sch_direct_xmit from __qdisc_run+0x1f8/0x4ec + __qdisc_run from qdisc_run+0x1c/0x28 + qdisc_run from net_tx_action+0x1f0/0x268 + net_tx_action from handle_softirqs+0x1a4/0x270 + handle_softirqs from __local_bh_enable_ip+0xcc/0xe0 + __local_bh_enable_ip from __alloc_skb+0xd8/0x128 + __alloc_skb from __netdev_alloc_skb+0x3c/0x19c + __netdev_alloc_skb from ks8851_irq+0x388/0x4d4 + ks8851_irq from irq_thread_fn+0x24/0x64 + irq_thread_fn from irq_thread+0x178/0x28c + irq_thread from kthread+0x12c/0x138 + kthread from ret_from_fork+0x14/0x28 + +Reviewed-by: Sebastian Andrzej Siewior +Fixes: e0863634bf9f ("net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs") +Cc: stable@vger.kernel.org +Signed-off-by: Marek Vasut +Link: https://patch.msgid.link/20260415231020.455298-1-marex@nabladev.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/micrel/ks8851.h | 6 -- + drivers/net/ethernet/micrel/ks8851_common.c | 64 +++++++++++----------------- + drivers/net/ethernet/micrel/ks8851_par.c | 15 ++---- + drivers/net/ethernet/micrel/ks8851_spi.c | 11 +--- + 4 files changed, 38 insertions(+), 58 deletions(-) + +--- a/drivers/net/ethernet/micrel/ks8851.h ++++ b/drivers/net/ethernet/micrel/ks8851.h +@@ -408,10 +408,8 @@ struct ks8851_net { + struct gpio_desc *gpio; + struct mii_bus *mii_bus; + +- void (*lock)(struct ks8851_net *ks, +- unsigned long *flags); +- void (*unlock)(struct ks8851_net *ks, +- unsigned long *flags); ++ void (*lock)(struct ks8851_net *ks); ++ void (*unlock)(struct ks8851_net *ks); + unsigned int (*rdreg16)(struct ks8851_net *ks, + unsigned int reg); + void (*wrreg16)(struct ks8851_net *ks, +--- a/drivers/net/ethernet/micrel/ks8851_common.c ++++ b/drivers/net/ethernet/micrel/ks8851_common.c +@@ -28,25 +28,23 @@ + /** + * ks8851_lock - register access lock + * @ks: The chip state +- * @flags: Spinlock flags + * + * Claim chip register access lock + */ +-static void ks8851_lock(struct ks8851_net *ks, unsigned long *flags) ++static void ks8851_lock(struct ks8851_net *ks) + { +- ks->lock(ks, flags); ++ ks->lock(ks); + } + + /** + * ks8851_unlock - register access unlock + * @ks: The chip state +- * @flags: Spinlock flags + * + * Release chip register access lock + */ +-static void ks8851_unlock(struct ks8851_net *ks, unsigned long *flags) ++static void ks8851_unlock(struct ks8851_net *ks) + { +- ks->unlock(ks, flags); ++ ks->unlock(ks); + } + + /** +@@ -129,11 +127,10 @@ static void ks8851_set_powermode(struct + static int ks8851_write_mac_addr(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); +- unsigned long flags; + u16 val; + int i; + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + + /* + * Wake up chip in case it was powered off when stopped; otherwise, +@@ -149,7 +146,7 @@ static int ks8851_write_mac_addr(struct + if (!netif_running(dev)) + ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN); + +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + + return 0; + } +@@ -163,12 +160,11 @@ static int ks8851_write_mac_addr(struct + static void ks8851_read_mac_addr(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); +- unsigned long flags; + u8 addr[ETH_ALEN]; + u16 reg; + int i; + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + + for (i = 0; i < ETH_ALEN; i += 2) { + reg = ks8851_rdreg16(ks, KS_MAR(i)); +@@ -177,7 +173,7 @@ static void ks8851_read_mac_addr(struct + } + eth_hw_addr_set(dev, addr); + +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + } + + /** +@@ -328,11 +324,10 @@ static irqreturn_t ks8851_irq(int irq, v + { + struct ks8851_net *ks = _ks; + struct sk_buff_head rxq; +- unsigned long flags; + unsigned int status; + struct sk_buff *skb; + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + + status = ks8851_rdreg16(ks, KS_ISR); + ks8851_wrreg16(ks, KS_ISR, status); +@@ -389,7 +384,7 @@ static irqreturn_t ks8851_irq(int irq, v + ks8851_wrreg16(ks, KS_RXCR1, rxc->rxcr1); + } + +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + + if (status & IRQ_LCI) + mii_check_link(&ks->mii); +@@ -421,7 +416,6 @@ static void ks8851_flush_tx_work(struct + static int ks8851_net_open(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); +- unsigned long flags; + int ret; + + ret = request_threaded_irq(dev->irq, NULL, ks8851_irq, +@@ -434,7 +428,7 @@ static int ks8851_net_open(struct net_de + + /* lock the card, even if we may not actually be doing anything + * else at the moment */ +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + + netif_dbg(ks, ifup, ks->netdev, "opening\n"); + +@@ -487,7 +481,7 @@ static int ks8851_net_open(struct net_de + + netif_dbg(ks, ifup, ks->netdev, "network device up\n"); + +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + mii_check_link(&ks->mii); + return 0; + } +@@ -503,23 +497,22 @@ static int ks8851_net_open(struct net_de + static int ks8851_net_stop(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); +- unsigned long flags; + + netif_info(ks, ifdown, dev, "shutting down\n"); + + netif_stop_queue(dev); + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + /* turn off the IRQs and ack any outstanding */ + ks8851_wrreg16(ks, KS_IER, 0x0000); + ks8851_wrreg16(ks, KS_ISR, 0xffff); +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + + /* stop any outstanding work */ + ks8851_flush_tx_work(ks); + flush_work(&ks->rxctrl_work); + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + /* shutdown RX process */ + ks8851_wrreg16(ks, KS_RXCR1, 0x0000); + +@@ -528,7 +521,7 @@ static int ks8851_net_stop(struct net_de + + /* set powermode to soft power down to save power */ + ks8851_set_powermode(ks, PMECR_PM_SOFTDOWN); +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + + /* ensure any queued tx buffers are dumped */ + while (!skb_queue_empty(&ks->txq)) { +@@ -582,14 +575,13 @@ static netdev_tx_t ks8851_start_xmit(str + static void ks8851_rxctrl_work(struct work_struct *work) + { + struct ks8851_net *ks = container_of(work, struct ks8851_net, rxctrl_work); +- unsigned long flags; + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + + /* need to shutdown RXQ before modifying filter parameters */ + ks8851_wrreg16(ks, KS_RXCR1, 0x00); + +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + } + + static void ks8851_set_rx_mode(struct net_device *dev) +@@ -796,7 +788,6 @@ static int ks8851_set_eeprom(struct net_ + { + struct ks8851_net *ks = netdev_priv(dev); + int offset = ee->offset; +- unsigned long flags; + int len = ee->len; + u16 tmp; + +@@ -810,7 +801,7 @@ static int ks8851_set_eeprom(struct net_ + if (!(ks->rc_ccr & CCR_EEPROM)) + return -ENOENT; + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + + ks8851_eeprom_claim(ks); + +@@ -833,7 +824,7 @@ static int ks8851_set_eeprom(struct net_ + eeprom_93cx6_wren(&ks->eeprom, false); + + ks8851_eeprom_release(ks); +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + + return 0; + } +@@ -843,7 +834,6 @@ static int ks8851_get_eeprom(struct net_ + { + struct ks8851_net *ks = netdev_priv(dev); + int offset = ee->offset; +- unsigned long flags; + int len = ee->len; + + /* must be 2 byte aligned */ +@@ -853,7 +843,7 @@ static int ks8851_get_eeprom(struct net_ + if (!(ks->rc_ccr & CCR_EEPROM)) + return -ENOENT; + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + + ks8851_eeprom_claim(ks); + +@@ -861,7 +851,7 @@ static int ks8851_get_eeprom(struct net_ + + eeprom_93cx6_multiread(&ks->eeprom, offset/2, (__le16 *)data, len/2); + ks8851_eeprom_release(ks); +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + + return 0; + } +@@ -920,7 +910,6 @@ static int ks8851_phy_reg(int reg) + static int ks8851_phy_read_common(struct net_device *dev, int phy_addr, int reg) + { + struct ks8851_net *ks = netdev_priv(dev); +- unsigned long flags; + int result; + int ksreg; + +@@ -928,9 +917,9 @@ static int ks8851_phy_read_common(struct + if (ksreg < 0) + return ksreg; + +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + result = ks8851_rdreg16(ks, ksreg); +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + + return result; + } +@@ -965,14 +954,13 @@ static void ks8851_phy_write(struct net_ + int phy, int reg, int value) + { + struct ks8851_net *ks = netdev_priv(dev); +- unsigned long flags; + int ksreg; + + ksreg = ks8851_phy_reg(reg); + if (ksreg >= 0) { +- ks8851_lock(ks, &flags); ++ ks8851_lock(ks); + ks8851_wrreg16(ks, ksreg, value); +- ks8851_unlock(ks, &flags); ++ ks8851_unlock(ks); + } + } + +--- a/drivers/net/ethernet/micrel/ks8851_par.c ++++ b/drivers/net/ethernet/micrel/ks8851_par.c +@@ -55,29 +55,27 @@ struct ks8851_net_par { + /** + * ks8851_lock_par - register access lock + * @ks: The chip state +- * @flags: Spinlock flags + * + * Claim chip register access lock + */ +-static void ks8851_lock_par(struct ks8851_net *ks, unsigned long *flags) ++static void ks8851_lock_par(struct ks8851_net *ks) + { + struct ks8851_net_par *ksp = to_ks8851_par(ks); + +- spin_lock_irqsave(&ksp->lock, *flags); ++ spin_lock_bh(&ksp->lock); + } + + /** + * ks8851_unlock_par - register access unlock + * @ks: The chip state +- * @flags: Spinlock flags + * + * Release chip register access lock + */ +-static void ks8851_unlock_par(struct ks8851_net *ks, unsigned long *flags) ++static void ks8851_unlock_par(struct ks8851_net *ks) + { + struct ks8851_net_par *ksp = to_ks8851_par(ks); + +- spin_unlock_irqrestore(&ksp->lock, *flags); ++ spin_unlock_bh(&ksp->lock); + } + + /** +@@ -233,7 +231,6 @@ static netdev_tx_t ks8851_start_xmit_par + { + struct ks8851_net *ks = netdev_priv(dev); + netdev_tx_t ret = NETDEV_TX_OK; +- unsigned long flags; + unsigned int txqcr; + u16 txmir; + int err; +@@ -241,7 +238,7 @@ static netdev_tx_t ks8851_start_xmit_par + netif_dbg(ks, tx_queued, ks->netdev, + "%s: skb %p, %d@%p\n", __func__, skb, skb->len, skb->data); + +- ks8851_lock_par(ks, &flags); ++ ks8851_lock_par(ks); + + txmir = ks8851_rdreg16_par(ks, KS_TXMIR) & 0x1fff; + +@@ -262,7 +259,7 @@ static netdev_tx_t ks8851_start_xmit_par + ret = NETDEV_TX_BUSY; + } + +- ks8851_unlock_par(ks, &flags); ++ ks8851_unlock_par(ks); + + return ret; + } +--- a/drivers/net/ethernet/micrel/ks8851_spi.c ++++ b/drivers/net/ethernet/micrel/ks8851_spi.c +@@ -73,11 +73,10 @@ struct ks8851_net_spi { + /** + * ks8851_lock_spi - register access lock + * @ks: The chip state +- * @flags: Spinlock flags + * + * Claim chip register access lock + */ +-static void ks8851_lock_spi(struct ks8851_net *ks, unsigned long *flags) ++static void ks8851_lock_spi(struct ks8851_net *ks) + { + struct ks8851_net_spi *kss = to_ks8851_spi(ks); + +@@ -87,11 +86,10 @@ static void ks8851_lock_spi(struct ks885 + /** + * ks8851_unlock_spi - register access unlock + * @ks: The chip state +- * @flags: Spinlock flags + * + * Release chip register access lock + */ +-static void ks8851_unlock_spi(struct ks8851_net *ks, unsigned long *flags) ++static void ks8851_unlock_spi(struct ks8851_net *ks) + { + struct ks8851_net_spi *kss = to_ks8851_spi(ks); + +@@ -311,7 +309,6 @@ static void ks8851_tx_work(struct work_s + struct ks8851_net_spi *kss; + unsigned short tx_space; + struct ks8851_net *ks; +- unsigned long flags; + struct sk_buff *txb; + bool last; + +@@ -319,7 +316,7 @@ static void ks8851_tx_work(struct work_s + ks = &kss->ks8851; + last = skb_queue_empty(&ks->txq); + +- ks8851_lock_spi(ks, &flags); ++ ks8851_lock_spi(ks); + + while (!last) { + txb = skb_dequeue(&ks->txq); +@@ -345,7 +342,7 @@ static void ks8851_tx_work(struct work_s + ks->tx_space = tx_space; + spin_unlock_bh(&ks->statelock); + +- ks8851_unlock_spi(ks, &flags); ++ ks8851_unlock_spi(ks); + } + + /** diff --git a/queue-6.12/net-qrtr-ns-free-the-node-during-ctrl_cmd_bye.patch b/queue-6.12/net-qrtr-ns-free-the-node-during-ctrl_cmd_bye.patch new file mode 100644 index 0000000000..74f4cdbda8 --- /dev/null +++ b/queue-6.12/net-qrtr-ns-free-the-node-during-ctrl_cmd_bye.patch @@ -0,0 +1,73 @@ +From 68efba36446a7774ea5b971257ade049272a07ac Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 9 Apr 2026 23:04:14 +0530 +Subject: net: qrtr: ns: Free the node during ctrl_cmd_bye() + +From: Manivannan Sadhasivam + +commit 68efba36446a7774ea5b971257ade049272a07ac upstream. + +A node sends the BYE packet when it is about to go down. So the nameserver +should advertise the removal of the node to all remote and local observers +and free the node finally. But currently, the nameserver doesn't free the +node memory even after processing the BYE packet. This causes the node +memory to leak. + +Hence, remove the node from Xarray list and free the node memory during +both success and failure case of ctrl_cmd_bye(). + +Cc: stable@vger.kernel.org +Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") +Signed-off-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20260409-qrtr-fix-v3-3-00a8a5ff2b51@oss.qualcomm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/ns.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/net/qrtr/ns.c ++++ b/net/qrtr/ns.c +@@ -342,7 +342,7 @@ static int ctrl_cmd_bye(struct sockaddr_ + struct qrtr_node *node; + unsigned long index; + struct kvec iv; +- int ret; ++ int ret = 0; + + iv.iov_base = &pkt; + iv.iov_len = sizeof(pkt); +@@ -357,8 +357,10 @@ static int ctrl_cmd_bye(struct sockaddr_ + + /* Advertise the removal of this client to all local servers */ + local_node = node_get(qrtr_ns.local_node); +- if (!local_node) +- return 0; ++ if (!local_node) { ++ ret = 0; ++ goto delete_node; ++ } + + memset(&pkt, 0, sizeof(pkt)); + pkt.cmd = cpu_to_le32(QRTR_TYPE_BYE); +@@ -375,10 +377,18 @@ static int ctrl_cmd_bye(struct sockaddr_ + ret = kernel_sendmsg(qrtr_ns.sock, &msg, &iv, 1, sizeof(pkt)); + if (ret < 0 && ret != -ENODEV) { + pr_err("failed to send bye cmd\n"); +- return ret; ++ goto delete_node; + } + } +- return 0; ++ ++ /* Ignore -ENODEV */ ++ ret = 0; ++ ++delete_node: ++ xa_erase(&nodes, from->sq_node); ++ kfree(node); ++ ++ return ret; + } + + static int ctrl_cmd_del_client(struct sockaddr_qrtr *from, diff --git a/queue-6.12/net-rds-fix-mr-cleanup-on-copy-error.patch b/queue-6.12/net-rds-fix-mr-cleanup-on-copy-error.patch new file mode 100644 index 0000000000..e582b58ea9 --- /dev/null +++ b/queue-6.12/net-rds-fix-mr-cleanup-on-copy-error.patch @@ -0,0 +1,47 @@ +From 8141a2dc70080eda1aedc0389ed2db2b292af5bd Mon Sep 17 00:00:00 2001 +From: Ao Zhou +Date: Wed, 22 Apr 2026 22:52:07 +0800 +Subject: net: rds: fix MR cleanup on copy error + +From: Ao Zhou + +commit 8141a2dc70080eda1aedc0389ed2db2b292af5bd upstream. + +__rds_rdma_map() hands sg/pages ownership to the transport after +get_mr() succeeds. If copying the generated cookie back to user space +fails after that point, the error path must not free those resources +again before dropping the MR reference. + +Remove the duplicate unpin/free from the put_user() failure branch so +that MR teardown is handled only through the existing final cleanup +path. + +Fixes: 0d4597c8c5ab ("net/rds: Track user mapped pages through special API") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ao Zhou +Signed-off-by: Ren Wei +Reviewed-by: Allison Henderson +Link: https://patch.msgid.link/79c8ef73ec8e5844d71038983940cc2943099baf.1776764247.git.draw51280@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/rdma.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -326,10 +326,6 @@ static int __rds_rdma_map(struct rds_soc + + if (args->cookie_addr && + put_user(cookie, (u64 __user *)(unsigned long)args->cookie_addr)) { +- if (!need_odp) { +- unpin_user_pages(pages, nr_pages); +- kfree(sg); +- } + ret = -EFAULT; + goto out; + } diff --git a/queue-6.12/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch b/queue-6.12/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch new file mode 100644 index 0000000000..61c66e986c --- /dev/null +++ b/queue-6.12/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch @@ -0,0 +1,49 @@ +From 5a8db80f721deee8e916c2cfdee78decda02ce4f Mon Sep 17 00:00:00 2001 +From: Ruijie Li +Date: Wed, 22 Apr 2026 23:40:18 +0800 +Subject: net/smc: avoid early lgr access in smc_clc_wait_msg + +From: Ruijie Li + +commit 5a8db80f721deee8e916c2cfdee78decda02ce4f upstream. + +A CLC decline can be received while the handshake is still in an early +stage, before the connection has been associated with a link group. + +The decline handling in smc_clc_wait_msg() updates link-group level sync +state for first-contact declines, but that state only exists after link +group setup has completed. Guard the link-group update accordingly and +keep the per-socket peer diagnosis handling unchanged. + +This preserves the existing sync_err handling for established link-group +contexts and avoids touching link-group state before it is available. + +Fixes: 0cfdd8f92cac ("smc: connection and link group creation") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ruijie Li +Signed-off-by: Ren Wei +Reviewed-by: Dust Li +Link: https://patch.msgid.link/08c68a5c817acf198cce63d22517e232e8d60718.1776850759.git.ruijieli51@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_clc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -785,8 +785,8 @@ int smc_clc_wait_msg(struct smc_sock *sm + dclc = (struct smc_clc_msg_decline *)clcm; + reason_code = SMC_CLC_DECL_PEERDECL; + smc->peer_diagnosis = ntohl(dclc->peer_diagnosis); +- if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & +- SMC_FIRST_CONTACT_MASK) { ++ if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && ++ smc->conn.lgr) { + smc->conn.lgr->sync_err = 1; + smc_lgr_terminate_sched(smc->conn.lgr); + } diff --git a/queue-6.12/net-txgbe-fix-firmware-version-check.patch b/queue-6.12/net-txgbe-fix-firmware-version-check.patch new file mode 100644 index 0000000000..0dbb53e5de --- /dev/null +++ b/queue-6.12/net-txgbe-fix-firmware-version-check.patch @@ -0,0 +1,48 @@ +From c263f644add3d6ad81f9d62a99284fde408f0caa Mon Sep 17 00:00:00 2001 +From: Jiawen Wu +Date: Wed, 22 Apr 2026 15:18:37 +0800 +Subject: net: txgbe: fix firmware version check + +From: Jiawen Wu + +commit c263f644add3d6ad81f9d62a99284fde408f0caa upstream. + +For the device SP, the firmware version is a 32-bit value where the +lower 20 bits represent the base version number. And the customized +firmware version populates the upper 12 bits with a specific +identification number. + +For other devices AML 25G and 40G, the upper 12 bits of the firmware +version is always non-zero, and they have other naming conventions. + +Only SP devices need to check this to tell if XPCS will work properly. +So the judgement of MAC type is added here. + +And the original logic compared the entire 32-bit value against 0x20010, +which caused the outdated base firmwares bypass the version check +without a warning. Apply a mask 0xfffff to isolate the lower 20 bits for +an accurate base version comparison. + +Fixes: ab928c24e6cd ("net: txgbe: add FW version warning") +Cc: stable@vger.kernel.org +Signed-off-by: Jiawen Wu +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/C787AA5C07598B13+20260422071837.372731-1-jiawenwu@trustnetic.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c ++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c +@@ -668,7 +668,8 @@ static int txgbe_probe(struct pci_dev *p + "0x%08x", etrack_id); + } + +- if (etrack_id < 0x20010) ++ if (wx->mac.type == wx_mac_sp && ++ ((etrack_id & 0xfffff) < 0x20010)) + dev_warn(&pdev->dev, "Please upgrade the firmware to 0x20010 or above.\n"); + + txgbe = devm_kzalloc(&pdev->dev, sizeof(*txgbe), GFP_KERNEL); diff --git a/queue-6.12/netconsole-avoid-out-of-bounds-access-on-empty-string-in-trim_newline.patch b/queue-6.12/netconsole-avoid-out-of-bounds-access-on-empty-string-in-trim_newline.patch new file mode 100644 index 0000000000..ecfccc6543 --- /dev/null +++ b/queue-6.12/netconsole-avoid-out-of-bounds-access-on-empty-string-in-trim_newline.patch @@ -0,0 +1,52 @@ +From 7079c8c13f2d33992bc846240517d88f4ab07781 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Mon, 20 Apr 2026 03:18:36 -0700 +Subject: netconsole: avoid out-of-bounds access on empty string in trim_newline() + +From: Breno Leitao + +commit 7079c8c13f2d33992bc846240517d88f4ab07781 upstream. + +trim_newline() unconditionally dereferences s[len - 1] after computing +len = strnlen(s, maxlen). When the string is empty, len is 0 and the +expression underflows to s[(size_t)-1], reading (and potentially +writing) one byte before the buffer. + +The two callers feed trim_newline() with the result of strscpy() from +configfs store callbacks (dev_name_store, userdatum_value_store). +configfs guarantees count >= 1 reaches the callback, but the byte +itself can be NUL: a userspace write(fd, "\0", 1) leaves the +destination empty after strscpy() and triggers the underflow. The OOB +write only fires if the adjacent byte happens to be '\n', so this is +not a security issue, but the access is undefined behaviour either way. + +This pattern is commonly flagged by LLM-based code reviewers. While it +is not a security fix, the underlying access is undefined behaviour and +the change is small and self-contained, so it is a reasonable candidate +for the stable trees. + +Guard the dereference on a non-zero length. + +Fixes: ae001dc67907 ("net: netconsole: move newline trimming to function") +Cc: stable@vger.kernel.org +Signed-off-by: Breno Leitao +Reviewed-by: Gustavo Luiz Duarte +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260420-netcons_trim_newline-v1-1-dc35889aeedf@debian.org +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/netconsole.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/netconsole.c ++++ b/drivers/net/netconsole.c +@@ -300,6 +300,8 @@ static void trim_newline(char *s, size_t + size_t len; + + len = strnlen(s, maxlen); ++ if (!len) ++ return; + if (s[len - 1] == '\n') + s[len - 1] = '\0'; + } diff --git a/queue-6.12/power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch b/queue-6.12/power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch new file mode 100644 index 0000000000..2bb94da16f --- /dev/null +++ b/queue-6.12/power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch @@ -0,0 +1,83 @@ +From 658342fd75b582cbb06544d513171c3d645faead Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 20 Feb 2026 18:49:39 +0100 +Subject: power: supply: axp288_charger: Do not cancel work before initializing it + +From: Krzysztof Kozlowski + +commit 658342fd75b582cbb06544d513171c3d645faead upstream. + +Driver registered devm handler to cancel_work_sync() before even the +work was initialized, thus leading to possible warning from +kernel/workqueue.c on (!work->func) check, if the error path was hit +before the initialization happened. + +Use devm_work_autocancel() on each work item independently, which +handles the initialization and handler to cancel work. + +Fixes: 165c2357744e ("power: supply: axp288_charger: Properly stop work on probe-error / remove") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Hans de Goede +Reviewed-by: Chen-Yu Tsai +Link: https://patch.msgid.link/20260220174938.672883-5-krzysztof.kozlowski@oss.qualcomm.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/axp288_charger.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -821,14 +822,6 @@ static int charger_init_hw_regs(struct a + return 0; + } + +-static void axp288_charger_cancel_work(void *data) +-{ +- struct axp288_chrg_info *info = data; +- +- cancel_work_sync(&info->otg.work); +- cancel_work_sync(&info->cable.work); +-} +- + static int axp288_charger_probe(struct platform_device *pdev) + { + int ret, i, pirq; +@@ -911,12 +904,12 @@ static int axp288_charger_probe(struct p + } + + /* Cancel our work on cleanup, register this before the notifiers */ +- ret = devm_add_action(dev, axp288_charger_cancel_work, info); ++ ret = devm_work_autocancel(dev, &info->cable.work, ++ axp288_charger_extcon_evt_worker); + if (ret) + return ret; + + /* Register for extcon notification */ +- INIT_WORK(&info->cable.work, axp288_charger_extcon_evt_worker); + info->cable.nb.notifier_call = axp288_charger_handle_cable_evt; + ret = devm_extcon_register_notifier_all(dev, info->cable.edev, + &info->cable.nb); +@@ -926,8 +919,12 @@ static int axp288_charger_probe(struct p + } + schedule_work(&info->cable.work); + ++ ret = devm_work_autocancel(dev, &info->otg.work, ++ axp288_charger_otg_evt_worker); ++ if (ret) ++ return ret; ++ + /* Register for OTG notification */ +- INIT_WORK(&info->otg.work, axp288_charger_otg_evt_worker); + info->otg.id_nb.notifier_call = axp288_charger_handle_otg_evt; + if (info->otg.cable) { + ret = devm_extcon_register_notifier(dev, info->otg.cable, diff --git a/queue-6.12/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch b/queue-6.12/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch new file mode 100644 index 0000000000..0326c627ed --- /dev/null +++ b/queue-6.12/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch @@ -0,0 +1,51 @@ +From 7244491dab347f648e661da96dc0febadd9daec3 Mon Sep 17 00:00:00 2001 +From: hkbinbin +Date: Wed, 1 Apr 2026 12:19:07 +0000 +Subject: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv + +From: hkbinbin + +commit 7244491dab347f648e661da96dc0febadd9daec3 upstream. + +rxe_rcv() currently checks only that the incoming packet is at least +header_size(pkt) bytes long before payload_size() is used. + +However, payload_size() subtracts both the attacker-controlled BTH pad +field and RXE_ICRC_SIZE from pkt->paylen: + + payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) + - RXE_ICRC_SIZE + +This means a short packet can still make payload_size() underflow even +if it includes enough bytes for the fixed headers. Simply requiring +header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a +packet with a forged non-zero BTH pad can still leave payload_size() +negative and pass an underflowed value to later receive-path users. + +Fix this by validating pkt->paylen against the full minimum length +required by payload_size(): header_size(pkt) + bth_pad(pkt) + +RXE_ICRC_SIZE. + +Cc: stable@vger.kernel.org +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com +Signed-off-by: hkbinbin +Reviewed-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -330,7 +330,8 @@ void rxe_rcv(struct sk_buff *skb) + pkt->qp = NULL; + pkt->mask |= rxe_opcode[pkt->opcode].mask; + +- if (unlikely(skb->len < header_size(pkt))) ++ if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) + ++ RXE_ICRC_SIZE)) + goto drop; + + err = hdr_check(pkt); diff --git a/queue-6.12/rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch b/queue-6.12/rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch new file mode 100644 index 0000000000..77bc262ffc --- /dev/null +++ b/queue-6.12/rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch @@ -0,0 +1,231 @@ +From 34f61a07e0cdefaecd3ec03bb5fb22215643678f Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 22 Apr 2026 17:14:30 +0100 +Subject: rxrpc: Fix memory leaks in rxkad_verify_response() + +From: David Howells + +commit 34f61a07e0cdefaecd3ec03bb5fb22215643678f upstream. + +Fix rxkad_verify_response() to free the ticket and the server key under all +circumstances by initialising the ticket pointer to NULL and then making +all paths through the function after the first allocation has been done go +through a single common epilogue that just releases everything - where all +the releases skip on a NULL pointer. + +Fixes: 57af281e5389 ("rxrpc: Tidy up abort generation infrastructure") +Fixes: ec832bd06d6f ("rxrpc: Don't retain the server key in the connection") +Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260422161438.2593376-2-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/rxkad.c | 103 ++++++++++++++++++++++-------------------------------- + 1 file changed, 42 insertions(+), 61 deletions(-) + +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -1048,7 +1048,7 @@ static int rxkad_verify_response(struct + struct rxrpc_crypt session_key; + struct key *server_key; + time64_t expiry; +- void *ticket; ++ void *ticket = NULL; + u32 version, kvno, ticket_len, level; + __be32 csum; + int ret, i; +@@ -1074,13 +1074,13 @@ static int rxkad_verify_response(struct + ret = -ENOMEM; + response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); + if (!response) +- goto temporary_error; ++ goto error; + + if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), + response, sizeof(*response)) < 0) { +- rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, +- rxkad_abort_resp_short); +- goto protocol_error; ++ ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, ++ rxkad_abort_resp_short); ++ goto error; + } + + version = ntohl(response->version); +@@ -1090,62 +1090,62 @@ static int rxkad_verify_response(struct + trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len); + + if (version != RXKAD_VERSION) { +- rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, +- rxkad_abort_resp_version); +- goto protocol_error; ++ ret = rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO, ++ rxkad_abort_resp_version); ++ goto error; + } + + if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN) { +- rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO, +- rxkad_abort_resp_tkt_len); +- goto protocol_error; ++ ret = rxrpc_abort_conn(conn, skb, RXKADTICKETLEN, -EPROTO, ++ rxkad_abort_resp_tkt_len); ++ goto error; + } + + if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5) { +- rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO, +- rxkad_abort_resp_unknown_tkt); +- goto protocol_error; ++ ret = rxrpc_abort_conn(conn, skb, RXKADUNKNOWNKEY, -EPROTO, ++ rxkad_abort_resp_unknown_tkt); ++ goto error; + } + + /* extract the kerberos ticket and decrypt and decode it */ + ret = -ENOMEM; + ticket = kmalloc(ticket_len, GFP_NOFS); + if (!ticket) +- goto temporary_error_free_resp; ++ goto error; + + if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response), + ticket, ticket_len) < 0) { +- rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, +- rxkad_abort_resp_short_tkt); +- goto protocol_error; ++ ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO, ++ rxkad_abort_resp_short_tkt); ++ goto error; + } + + ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len, + &session_key, &expiry); + if (ret < 0) +- goto temporary_error_free_ticket; ++ goto error; + + /* use the session key from inside the ticket to decrypt the + * response */ + ret = rxkad_decrypt_response(conn, response, &session_key); + if (ret < 0) +- goto temporary_error_free_ticket; ++ goto error; + + if (ntohl(response->encrypted.epoch) != conn->proto.epoch || + ntohl(response->encrypted.cid) != conn->proto.cid || + ntohl(response->encrypted.securityIndex) != conn->security_ix) { +- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, +- rxkad_abort_resp_bad_param); +- goto protocol_error_free; ++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, ++ rxkad_abort_resp_bad_param); ++ goto error; + } + + csum = response->encrypted.checksum; + response->encrypted.checksum = 0; + rxkad_calc_response_checksum(response); + if (response->encrypted.checksum != csum) { +- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, +- rxkad_abort_resp_bad_checksum); +- goto protocol_error_free; ++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, ++ rxkad_abort_resp_bad_checksum); ++ goto error; + } + + for (i = 0; i < RXRPC_MAXCALLS; i++) { +@@ -1153,38 +1153,38 @@ static int rxkad_verify_response(struct + u32 counter = READ_ONCE(conn->channels[i].call_counter); + + if (call_id > INT_MAX) { +- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, +- rxkad_abort_resp_bad_callid); +- goto protocol_error_free; ++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, ++ rxkad_abort_resp_bad_callid); ++ goto error; + } + + if (call_id < counter) { +- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, +- rxkad_abort_resp_call_ctr); +- goto protocol_error_free; ++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, ++ rxkad_abort_resp_call_ctr); ++ goto error; + } + + if (call_id > counter) { + if (conn->channels[i].call) { +- rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, ++ ret = rxrpc_abort_conn(conn, skb, RXKADSEALEDINCON, -EPROTO, + rxkad_abort_resp_call_state); +- goto protocol_error_free; ++ goto error; + } + conn->channels[i].call_counter = call_id; + } + } + + if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1) { +- rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO, +- rxkad_abort_resp_ooseq); +- goto protocol_error_free; ++ ret = rxrpc_abort_conn(conn, skb, RXKADOUTOFSEQUENCE, -EPROTO, ++ rxkad_abort_resp_ooseq); ++ goto error; + } + + level = ntohl(response->encrypted.level); + if (level > RXRPC_SECURITY_ENCRYPT) { +- rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO, +- rxkad_abort_resp_level); +- goto protocol_error_free; ++ ret = rxrpc_abort_conn(conn, skb, RXKADLEVELFAIL, -EPROTO, ++ rxkad_abort_resp_level); ++ goto error; + } + conn->security_level = level; + +@@ -1192,31 +1192,12 @@ static int rxkad_verify_response(struct + * this the connection security can be handled in exactly the same way + * as for a client connection */ + ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); +- if (ret < 0) +- goto temporary_error_free_ticket; +- +- kfree(ticket); +- kfree(response); +- _leave(" = 0"); +- return 0; +- +-protocol_error_free: +- kfree(ticket); +-protocol_error: +- kfree(response); +- key_put(server_key); +- return -EPROTO; + +-temporary_error_free_ticket: ++error: + kfree(ticket); +-temporary_error_free_resp: + kfree(response); +-temporary_error: +- /* Ignore the response packet if we got a temporary error such as +- * ENOMEM. We just want to send the challenge again. Note that we +- * also come out this way if the ticket decryption fails. +- */ + key_put(server_key); ++ _leave(" = %d", ret); + return ret; + } + diff --git a/queue-6.12/rxrpc-fix-re-decryption-of-response-packets.patch b/queue-6.12/rxrpc-fix-re-decryption-of-response-packets.patch new file mode 100644 index 0000000000..439188c594 --- /dev/null +++ b/queue-6.12/rxrpc-fix-re-decryption-of-response-packets.patch @@ -0,0 +1,73 @@ +From 0422e7a4883f25101903f3e8105c0808aa5f4ce9 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 23 Apr 2026 21:09:07 +0100 +Subject: rxrpc: Fix re-decryption of RESPONSE packets + +From: David Howells + +commit 0422e7a4883f25101903f3e8105c0808aa5f4ce9 upstream. + +If a RESPONSE packet gets a temporary failure during processing, it may end +up in a partially decrypted state - and then get requeued for a retry. + +Fix this by just discarding the packet; we will send another CHALLENGE +packet and thereby elicit a further response. Similarly, discard an +incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; +the server will send another CHALLENGE. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Closes: https://sashiko.dev/#/patchset/20260422161438.2593376-4-dhowells@redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260423200909.3049438-3-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 1 - + net/rxrpc/conn_event.c | 14 ++------------ + 2 files changed, 2 insertions(+), 13 deletions(-) + +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -236,7 +236,6 @@ + EM(rxrpc_conn_put_unidle, "PUT unidle ") \ + EM(rxrpc_conn_put_work, "PUT work ") \ + EM(rxrpc_conn_queue_challenge, "QUE chall ") \ +- EM(rxrpc_conn_queue_retry_work, "QUE retry-wk") \ + EM(rxrpc_conn_queue_rx_work, "QUE rx-work ") \ + EM(rxrpc_conn_see_new_service_conn, "SEE new-svc ") \ + EM(rxrpc_conn_see_reap_service, "SEE reap-svc") \ +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -344,7 +344,6 @@ again: + static void rxrpc_do_process_connection(struct rxrpc_connection *conn) + { + struct sk_buff *skb; +- int ret; + + if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events)) + rxrpc_secure_connection(conn); +@@ -353,17 +352,8 @@ static void rxrpc_do_process_connection( + * connection that each one has when we've finished with it */ + while ((skb = skb_dequeue(&conn->rx_queue))) { + rxrpc_see_skb(skb, rxrpc_skb_see_conn_work); +- ret = rxrpc_process_event(conn, skb); +- switch (ret) { +- case -ENOMEM: +- case -EAGAIN: +- skb_queue_head(&conn->rx_queue, skb); +- rxrpc_queue_conn(conn, rxrpc_conn_queue_retry_work); +- break; +- default: +- rxrpc_free_skb(skb, rxrpc_skb_put_conn_work); +- break; +- } ++ rxrpc_process_event(conn, skb); ++ rxrpc_free_skb(skb, rxrpc_skb_put_conn_work); + } + } + diff --git a/queue-6.12/rxrpc-fix-rxkad-crypto-unalignment-handling.patch b/queue-6.12/rxrpc-fix-rxkad-crypto-unalignment-handling.patch new file mode 100644 index 0000000000..5cf8b5f684 --- /dev/null +++ b/queue-6.12/rxrpc-fix-rxkad-crypto-unalignment-handling.patch @@ -0,0 +1,65 @@ +From def304aae2edf321d2671fd6ca766a93c21f877e Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 22 Apr 2026 17:14:31 +0100 +Subject: rxrpc: Fix rxkad crypto unalignment handling + +From: David Howells + +commit def304aae2edf321d2671fd6ca766a93c21f877e upstream. + +Fix handling of a packet with a misaligned crypto length. Also handle +non-ENOMEM errors from decryption by aborting. Further, remove the +WARN_ON_ONCE() so that it can't be remotely triggered (a trace line can +still be emitted). + +Fixes: f93af41b9f5f ("rxrpc: Fix missing error checks for rxkad encryption/decryption failure") +Closes: https://sashiko.dev/#/patchset/20260408121252.2249051-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260422161438.2593376-3-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 1 + + net/rxrpc/rxkad.c | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -36,6 +36,7 @@ + EM(rxkad_abort_1_short_encdata, "rxkad1-short-encdata") \ + EM(rxkad_abort_1_short_header, "rxkad1-short-hdr") \ + EM(rxkad_abort_2_short_check, "rxkad2-short-check") \ ++ EM(rxkad_abort_2_crypto_unaligned, "rxkad2-crypto-unaligned") \ + EM(rxkad_abort_2_short_data, "rxkad2-short-data") \ + EM(rxkad_abort_2_short_header, "rxkad2-short-hdr") \ + EM(rxkad_abort_2_short_len, "rxkad2-short-len") \ +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -494,6 +494,9 @@ static int rxkad_verify_packet_2(struct + return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, + rxkad_abort_2_short_header); + ++ /* Don't let the crypto algo see a misaligned length. */ ++ sp->len = round_down(sp->len, 8); ++ + /* Decrypt the skbuff in-place. TODO: We really want to decrypt + * directly into the target buffer. + */ +@@ -527,8 +530,10 @@ static int rxkad_verify_packet_2(struct + if (sg != _sg) + kfree(sg); + if (ret < 0) { +- WARN_ON_ONCE(ret != -ENOMEM); +- return ret; ++ if (ret == -ENOMEM) ++ return ret; ++ return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON, ++ rxkad_abort_2_crypto_unaligned); + } + + /* Extract the decrypted packet length */ diff --git a/queue-6.12/series b/queue-6.12/series index addf2e9274..3e678a9dc1 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -78,3 +78,23 @@ alsa-6fire-fix-input-volume-change-detection.patch alsa-pcmtest-fix-reference-leak-on-failed-device-registration.patch alsa-pcmtest-fix-resource-leaks-in-module-init-error-paths.patch iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch +rxrpc-fix-memory-leaks-in-rxkad_verify_response.patch +rxrpc-fix-rxkad-crypto-unalignment-handling.patch +rxrpc-fix-re-decryption-of-response-packets.patch +tools-accounting-handle-truncated-taskstats-netlink-messages.patch +arm64-dts-marvell-udpu-add-ethernet-aliases.patch +net-qrtr-ns-free-the-node-during-ctrl_cmd_bye.patch +net-rds-fix-mr-cleanup-on-copy-error.patch +net-txgbe-fix-firmware-version-check.patch +net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch +net-ks8851-reinstate-disabling-of-bhs-around-irq-handler.patch +netconsole-avoid-out-of-bounds-access-on-empty-string-in-trim_newline.patch +net-ks8851-avoid-excess-softirq-scheduling.patch +drm-arcpgu-fix-device-node-leak.patch +rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch +ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch +libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch +extract-cert-wrap-key_pass-with-ifdef-use_pkcs11_engine.patch +tpm-avoid-wunused-but-set-variable.patch +loongarch-show-cpu-vulnerabilites-correctly.patch +power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch diff --git a/queue-6.12/tools-accounting-handle-truncated-taskstats-netlink-messages.patch b/queue-6.12/tools-accounting-handle-truncated-taskstats-netlink-messages.patch new file mode 100644 index 0000000000..914eca7b52 --- /dev/null +++ b/queue-6.12/tools-accounting-handle-truncated-taskstats-netlink-messages.patch @@ -0,0 +1,181 @@ +From cc82b3dcc6a8fa259fbda12ab00d6fc00908a49e Mon Sep 17 00:00:00 2001 +From: Yiyang Chen +Date: Mon, 30 Mar 2026 03:00:41 +0800 +Subject: tools/accounting: handle truncated taskstats netlink messages + +From: Yiyang Chen + +commit cc82b3dcc6a8fa259fbda12ab00d6fc00908a49e upstream. + +procacct and getdelays use a fixed receive buffer for taskstats generic +netlink messages. A multi-threaded process exit can emit a single +PID+TGID notification large enough to exceed that buffer on newer kernels. + +Switch to recvmsg() so MSG_TRUNC is detected explicitly, increase the +message buffer size, and report truncated datagrams clearly instead of +misparsing them as fatal netlink errors. + +Also print the taskstats version in debug output to make version +mismatches easier to diagnose while inspecting taskstats traffic. + +Link: https://lkml.kernel.org/r/520308bb4cbbaf8dc2c7296b5f60f11e12fb30a5.1774810498.git.cyyzero16@gmail.com +Signed-off-by: Yiyang Chen +Cc: Balbir Singh +Cc: Dr. Thomas Orgis +Cc: Fan Yu +Cc: Wang Yaxin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/accounting/getdelays.c | 41 +++++++++++++++++++++++++++++++++++++---- + tools/accounting/procacct.c | 40 ++++++++++++++++++++++++++++++++++++---- + 2 files changed, 73 insertions(+), 8 deletions(-) + +--- a/tools/accounting/getdelays.c ++++ b/tools/accounting/getdelays.c +@@ -59,7 +59,7 @@ int print_task_context_switch_counts; + } + + /* Maximum size of response requested or message sent */ +-#define MAX_MSG_SIZE 1024 ++#define MAX_MSG_SIZE 2048 + /* Maximum number of cpus expected to be specified in a cpumask */ + #define MAX_CPUS 32 + +@@ -114,6 +114,32 @@ error: + return -1; + } + ++static int recv_taskstats_msg(int sd, struct msgtemplate *msg) ++{ ++ struct sockaddr_nl nladdr; ++ struct iovec iov = { ++ .iov_base = msg, ++ .iov_len = sizeof(*msg), ++ }; ++ struct msghdr hdr = { ++ .msg_name = &nladdr, ++ .msg_namelen = sizeof(nladdr), ++ .msg_iov = &iov, ++ .msg_iovlen = 1, ++ }; ++ int ret; ++ ++ ret = recvmsg(sd, &hdr, 0); ++ if (ret < 0) ++ return -1; ++ if (hdr.msg_flags & MSG_TRUNC) { ++ errno = EMSGSIZE; ++ return -1; ++ } ++ ++ return ret; ++} ++ + + static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid, + __u8 genl_cmd, __u16 nla_type, +@@ -465,12 +491,16 @@ int main(int argc, char *argv[]) + } + + do { +- rep_len = recv(nl_sd, &msg, sizeof(msg), 0); ++ rep_len = recv_taskstats_msg(nl_sd, &msg); + PRINTF("received %d bytes\n", rep_len); + + if (rep_len < 0) { +- fprintf(stderr, "nonfatal reply error: errno %d\n", +- errno); ++ if (errno == EMSGSIZE) ++ fprintf(stderr, ++ "dropped truncated taskstats netlink message, please increase MAX_MSG_SIZE\n"); ++ else ++ fprintf(stderr, "nonfatal reply error: errno %d\n", ++ errno); + continue; + } + if (msg.n.nlmsg_type == NLMSG_ERROR || +@@ -512,6 +542,9 @@ int main(int argc, char *argv[]) + printf("TGID\t%d\n", rtid); + break; + case TASKSTATS_TYPE_STATS: ++ PRINTF("version %u\n", ++ ((struct taskstats *) ++ NLA_DATA(na))->version); + if (print_delays) + print_delayacct((struct taskstats *) NLA_DATA(na)); + if (print_io_accounting) +--- a/tools/accounting/procacct.c ++++ b/tools/accounting/procacct.c +@@ -71,7 +71,7 @@ int print_task_context_switch_counts; + } + + /* Maximum size of response requested or message sent */ +-#define MAX_MSG_SIZE 1024 ++#define MAX_MSG_SIZE 2048 + /* Maximum number of cpus expected to be specified in a cpumask */ + #define MAX_CPUS 32 + +@@ -121,6 +121,32 @@ error: + return -1; + } + ++static int recv_taskstats_msg(int sd, struct msgtemplate *msg) ++{ ++ struct sockaddr_nl nladdr; ++ struct iovec iov = { ++ .iov_base = msg, ++ .iov_len = sizeof(*msg), ++ }; ++ struct msghdr hdr = { ++ .msg_name = &nladdr, ++ .msg_namelen = sizeof(nladdr), ++ .msg_iov = &iov, ++ .msg_iovlen = 1, ++ }; ++ int ret; ++ ++ ret = recvmsg(sd, &hdr, 0); ++ if (ret < 0) ++ return -1; ++ if (hdr.msg_flags & MSG_TRUNC) { ++ errno = EMSGSIZE; ++ return -1; ++ } ++ ++ return ret; ++} ++ + + static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid, + __u8 genl_cmd, __u16 nla_type, +@@ -239,6 +265,8 @@ void handle_aggr(int mother, struct nlat + PRINTF("TGID\t%d\n", rtid); + break; + case TASKSTATS_TYPE_STATS: ++ PRINTF("version %u\n", ++ ((struct taskstats *)NLA_DATA(na))->version); + if (mother == TASKSTATS_TYPE_AGGR_PID) + print_procacct((struct taskstats *) NLA_DATA(na)); + if (fd) { +@@ -348,12 +376,16 @@ int main(int argc, char *argv[]) + } + + do { +- rep_len = recv(nl_sd, &msg, sizeof(msg), 0); ++ rep_len = recv_taskstats_msg(nl_sd, &msg); + PRINTF("received %d bytes\n", rep_len); + + if (rep_len < 0) { +- fprintf(stderr, "nonfatal reply error: errno %d\n", +- errno); ++ if (errno == EMSGSIZE) ++ fprintf(stderr, ++ "dropped truncated taskstats netlink message, please increase MAX_MSG_SIZE\n"); ++ else ++ fprintf(stderr, "nonfatal reply error: errno %d\n", ++ errno); + continue; + } + if (msg.n.nlmsg_type == NLMSG_ERROR || diff --git a/queue-6.12/tpm-avoid-wunused-but-set-variable.patch b/queue-6.12/tpm-avoid-wunused-but-set-variable.patch new file mode 100644 index 0000000000..253987a829 --- /dev/null +++ b/queue-6.12/tpm-avoid-wunused-but-set-variable.patch @@ -0,0 +1,52 @@ +From 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Mar 2024 14:22:48 +0100 +Subject: tpm: avoid -Wunused-but-set-variable + +From: Arnd Bergmann + +commit 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 upstream. + +Outside of the EFI tpm code, the TPM_MEMREMAP()/TPM_MEMUNMAP functions are +defined as trivial macros, leading to the mapping_size variable ending +up unused: + +In file included from drivers/char/tpm/tpm-sysfs.c:16: +In file included from drivers/char/tpm/tpm.h:28: +include/linux/tpm_eventlog.h:167:6: error: variable 'mapping_size' set but not used [-Werror,-Wunused-but-set-variable] + 167 | int mapping_size; + +Turn the stubs into inline functions to avoid this warning. + +Cc: stable@vger.kernel.org # v5.3+ +Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") +Signed-off-by: Arnd Bergmann +Reviewed-by: Thorsten Blum +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/tpm_eventlog.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -131,11 +131,16 @@ struct tcg_algorithm_info { + }; + + #ifndef TPM_MEMREMAP +-#define TPM_MEMREMAP(start, size) NULL ++static inline void *TPM_MEMREMAP(unsigned long start, size_t size) ++{ ++ return NULL; ++} + #endif + + #ifndef TPM_MEMUNMAP +-#define TPM_MEMUNMAP(start, size) do{} while(0) ++static inline void TPM_MEMUNMAP(void *mapping, size_t size) ++{ ++} + #endif + + /**