From: Greg Kroah-Hartman Date: Mon, 9 Mar 2026 11:04:42 +0000 (+0100) Subject: 6.19-stable patches X-Git-Tag: v6.19.7~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c052ecba6073b5b27e71471e81bc9c15a71384d2;p=thirdparty%2Fkernel%2Fstable-queue.git 6.19-stable patches added patches: alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch bluetooth-purge-error-queues-in-socket-destructors.patch cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch drbd-fix-null-pointer-dereference-on-local-read-error.patch gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch kbuild-leave-objtool-binary-around-with-make-clean.patch kbuild-split-.modinfo-out-from-elf_details.patch ksmbd-compare-macs-in-constant-time.patch mm-thp-deny-thp-for-files-on-anonymous-inodes.patch mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch 
platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch scsi-core-fix-refcount-leak-for-tagset_refcnt.patch scsi-target-fix-recursive-locking-in-__configfs_open_file.patch scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch selftests-mptcp-join-check-removing-signal-subflow-endp.patch selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch selftests-mptcp-more-stable-simult_flows-tests.patch smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch smb-client-fix-broken-multichannel-with-krb5-signing.patch smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch squashfs-check-metadata-block-offset-is-within-range.patch tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch wifi-radiotap-reject-radiotap-with-unknown-bits.patch x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch xfs-fix-error-pointer-dereference.patch xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch --- diff --git a/queue-6.19/alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch b/queue-6.19/alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch new file mode 100644 index 0000000000..2d93e4a9da --- /dev/null +++ b/queue-6.19/alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch 
@@ -0,0 +1,35 @@ +From 93992667d0ab695ac30ceec91a516fd4bf725d75 Mon Sep 17 00:00:00 2001 +From: Rong Zhang +Date: Tue, 3 Mar 2026 01:32:59 +0800 +Subject: ALSA: doc: usb-audio: Add doc for QUIRK_FLAG_SKIP_IFACE_SETUP + +From: Rong Zhang + +commit 93992667d0ab695ac30ceec91a516fd4bf725d75 upstream. + +QUIRK_FLAG_SKIP_IFACE_SETUP was introduced into usb-audio before without +appropriate documentation, so add it. + +Fixes: 38c322068a26 ("ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP") +Cc: stable@vger.kernel.org +Signed-off-by: Rong Zhang +Link: https://patch.msgid.link/20260302173300.322673-1-i@rong.moe +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sound/alsa-configuration.rst | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/Documentation/sound/alsa-configuration.rst ++++ b/Documentation/sound/alsa-configuration.rst +@@ -2372,6 +2372,10 @@ quirk_flags + audible volume + * bit 25: ``mixer_capture_min_mute`` + Similar to bit 24 but for capture streams ++ * bit 26: ``skip_iface_setup`` ++ Skip the probe-time interface setup (usb_set_interface, ++ init_pitch, init_sample_rate); redundant with ++ snd_usb_endpoint_prepare() at stream-open time + + This module supports multiple devices, autoprobe and hotplugging. + diff --git a/queue-6.19/alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch b/queue-6.19/alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch new file mode 100644 index 0000000000..ce7afef274 --- /dev/null +++ b/queue-6.19/alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch 
@@ -0,0 +1,41 @@ +From e9fb2028f1eb563e653cff3b0d1c87c5e0203d45 Mon Sep 17 00:00:00 2001 +From: Panagiotis Foliadis +Date: Wed, 25 Feb 2026 14:53:43 +0000 +Subject: ALSA: hda/intel: increase default bdl_pos_adj for Nvidia controllers + +From: Panagiotis Foliadis + +commit e9fb2028f1eb563e653cff3b0d1c87c5e0203d45 upstream. + +The default bdl_pos_adj of 32 for Nvidia HDA controllers is +insufficient on GA102 (and likely other recent Nvidia GPUs) after S3 +suspend/resume. The controller's DMA timing degrades after resume, +causing premature IRQ detection in azx_position_ok() which results in +silent HDMI/DP audio output despite userspace reporting a valid +playback state and correct ELD data. + +Increase bdl_pos_adj to 64 for AZX_DRIVER_NVIDIA, matching the value +already used by Intel Apollo Lake for the same class of timing issue. + +Cc: stable@vger.kernel.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221069 +Suggested-by: Charalampos Mitrodimas +Signed-off-by: Panagiotis Foliadis +Link: https://patch.msgid.link/20260225-nvidia-audio-fix-v1-1-b1383c37ec49@posteo.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/controllers/intel.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/hda/controllers/intel.c ++++ b/sound/hda/controllers/intel.c +@@ -1751,6 +1751,8 @@ static int default_bdl_pos_adj(struct az + return 1; + case AZX_DRIVER_ZHAOXINHDMI: + return 128; ++ case AZX_DRIVER_NVIDIA: ++ return 64; + default: + return 32; + } diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch new file mode 100644 index 0000000000..46a9d5dd52 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch 
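Review bot: The new `case AZX_DRIVER_NVIDIA:` returns a bare 64 with no comment, so the reason for the value lives only in the commit message. The message reports the problem on GA102 after S3 resume and only assumes that other recent Nvidia GPUs behave the same, while the case appears to be keyed on the driver type rather than on a specific GPU. A one-line comment such as `/* premature IRQ after S3 resume seen on GA102; same margin as Apollo Lake */` would record both the evidence and the scope. The switch in `default_bdl_pos_adj()` starts and ends outside the hunk.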
@@ -0,0 +1,38 @@ +From cbddd303416456db5ceeedaf9e262096f079e861 Mon Sep 17 00:00:00 2001 +From: Panagiotis Foliadis +Date: Sat, 21 Feb 2026 19:40:58 +0000 +Subject: ALSA: hda/realtek: Add quirk for Acer Aspire V3-572G + +From: Panagiotis Foliadis + +commit cbddd303416456db5ceeedaf9e262096f079e861 upstream. + +The Acer Aspire V3-572G has a combo jack (ALC283) but the BIOS +sets pin 0x19 to 0x411111f0 (not connected), so the headset mic +is not detected. + +Add a quirk to override pin 0x19 as a headset mic and enable +headset mode. + +Cc: stable@vger.kernel.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221075 +Suggested-by: Charalampos Mitrodimas +Signed-off-by: Panagiotis Foliadis +Reviewed-by: Charalampos Mitrodimas +Link: https://patch.msgid.link/20260221-fix-detect-mic-v1-1-b6e427b5275d@posteo.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6591,6 +6591,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS), + SND_PCI_QUIRK(0x1025, 0x080d, "Acer Aspire V5-122P", ALC269_FIXUP_ASPIRE_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x0840, "Acer Aspire E1", ALC269VB_FIXUP_ASPIRE_E1_COEF), ++ SND_PCI_QUIRK(0x1025, 0x0943, "Acer Aspire V3-572G", ALC269_FIXUP_ASPIRE_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x100c, "Acer Aspire E5-574G", ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1025, 0x101c, "Acer Veriton N2510G", ALC269_FIXUP_LIFEBOOK), + SND_PCI_QUIRK(0x1025, 0x102b, "Acer Aspire C24-860", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE), diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch new file mode 100644 index 0000000000..fe415d1b4f --- /dev/null 
+++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch 
@@ -0,0 +1,54 @@ +From aa4876fe2d9fcbcaa0592b25f34ec6f6ea7876c1 Mon Sep 17 00:00:00 2001 +From: Zhang Heng +Date: Mon, 9 Feb 2026 21:41:49 +0800 +Subject: ALSA: hda/realtek: add quirk for Acer Nitro ANV15-51 + +From: Zhang Heng + +commit aa4876fe2d9fcbcaa0592b25f34ec6f6ea7876c1 upstream. + +fix mute/micmute LEDs and headset microphone for Acer Nitro ANV15-51. + +[ The headset microphone issue is solved by Kailang] + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220279 +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Heng +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20260209134149.3076957-1-zhangheng@kylinos.cn +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -4056,6 +4056,7 @@ enum { + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_GPIO, + ALC233_FIXUP_LENOVO_GPIO2_MIC_HOTKEY, + ALC245_FIXUP_BASS_HP_DAC, ++ ALC245_FIXUP_ACER_MICMUTE_LED, + }; + + /* A special fixup for Lenovo C940 and Yoga Duet 7; +@@ -6576,6 +6577,12 @@ static const struct hda_fixup alc269_fix + /* Borrow the DAC routing selected for those Thinkpads */ + .v.func = alc285_fixup_thinkpad_x1_gen7, + }, ++ [ALC245_FIXUP_ACER_MICMUTE_LED] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_hp_coef_micmute_led, ++ .chained = true, ++ .chain_id = ALC2XX_FIXUP_HEADSET_MIC, ++ } + }; + + static const struct hda_quirk alc269_fixup_tbl[] = { +@@ -6628,6 +6635,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1025, 0x159c, "Acer Nitro 5 AN515-58", ALC2XX_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x1597, "Acer Nitro 5 AN517-55", ALC2XX_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x169a, "Acer Swift SFG16", ALC256_FIXUP_ACER_SFG16_MICMUTE_LED), ++ SND_PCI_QUIRK(0x1025, 0x171e, "Acer Nitro ANV15-51", ALC245_FIXUP_ACER_MICMUTE_LED), + SND_PCI_QUIRK(0x1025, 0x1826, "Acer Helios ZPC", ALC287_FIXUP_PREDATOR_SPK_CS35L41_I2C_2), + 
SND_PCI_QUIRK(0x1025, 0x182c, "Acer Helios ZPD", ALC287_FIXUP_PREDATOR_SPK_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1025, 0x1844, "Acer Helios ZPS", ALC287_FIXUP_PREDATOR_SPK_CS35L41_I2C_2), diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch new file mode 100644 index 0000000000..8a28add0b6 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch 
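Review bot: The new `[ALC245_FIXUP_ACER_MICMUTE_LED]` initializer closes with `}` and no trailing comma, unlike the entry just above it, which ends in `},`. Ending it with `},` would keep the next appended fixup a one-entry diff. The entry also points `.v.func` at `alc285_fixup_hp_coef_micmute_led`, which is HP-specific judging by its name; a short comment such as `/* mic-mute LED uses the same helper as the HP entries */` would explain the reuse on an Acer machine.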
@@ -0,0 +1,33 @@ +From 068641bc9dc3d680d1ec4f6ee9199d4812041dff Mon Sep 17 00:00:00 2001 +From: Zhang Heng +Date: Fri, 27 Feb 2026 20:13:27 +0800 +Subject: ALSA: hda/realtek: Add quirk for HP Pavilion 15-eh1xxx to enable mute LED + +From: Zhang Heng + +commit 068641bc9dc3d680d1ec4f6ee9199d4812041dff upstream. + +The HP Pavilion 15-eh1xxx series uses the HP mainboard 88D1 with ALC245 +and needs the ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT quirk to make the +mute led working. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215978 +Cc: +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260227121327.3751341-1-zhangheng@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6872,6 +6872,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x8898, "HP EliteBook 845 G8 Notebook PC", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x103c, 0x88b3, "HP ENVY x360 Convertible 15-es0xxx", ALC245_FIXUP_HP_ENVY_X360_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x88d0, "HP Pavilion 15-eh1xxx (mainboard 88D0)", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x88d1, "HP Pavilion 15-eh1xxx (mainboard 88D1)", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x88dd, "HP Pavilion 15z-ec200", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x88eb, "HP Victus 16-e0xxx", ALC245_FIXUP_HP_MUTE_LED_V2_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8902, "HP OMEN 16", ALC285_FIXUP_HP_MUTE_LED), diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch new file mode 100644 index 0000000000..4ca5a97bf8 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch 
@@ -0,0 +1,31 @@ +From 9fb16a5c5ff93058851099a2b80a899b0c53fe3f Mon Sep 17 00:00:00 2001 +From: Juhyung Park +Date: Sun, 22 Feb 2026 21:26:09 +0900 +Subject: ALSA: hda/realtek: add quirk for Samsung Galaxy Book Flex (NT950QCT-A38A) + +From: Juhyung Park + +commit 9fb16a5c5ff93058851099a2b80a899b0c53fe3f upstream. + +Similar to other Samsung laptops, NT950QCT also requires the +ALC298_FIXUP_SAMSUNG_AMP quirk applied. + +Cc: +Signed-off-by: Juhyung Park +Link: https://patch.msgid.link/20260222122609.281191-2-qkrwngud825@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7313,6 +7313,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc188, "Samsung Galaxy Book Flex (NT950QCT-A38A)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Book Flex (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), diff --git a/queue-6.19/alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch b/queue-6.19/alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch new file mode 100644 index 0000000000..22f6e7845c --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch 
@@ -0,0 +1,34 @@ +From 43a44fb7f2fa163926b23149805e989ba2395db1 Mon Sep 17 00:00:00 2001 +From: Juhyung Park +Date: Sun, 22 Feb 2026 21:26:08 +0900 +Subject: ALSA: hda/realtek: fix model name typo for Samsung Galaxy Book Flex (NT950QCG-X716) + +From: Juhyung Park + +commit 43a44fb7f2fa163926b23149805e989ba2395db1 upstream. + +There's no product named "Samsung Galaxy Flex Book". +Use the correct "Samsung Galaxy Book Flex" name. + +Link: https://www.samsung.com/sec/support/model/NT950QCG-X716 +Link: https://www.samsung.com/us/computing/galaxy-books/galaxy-book-flex/galaxy-book-flex-15-6-qled-512gb-storage-s-pen-included-np950qcg-k01us +Cc: +Signed-off-by: Juhyung Park +Link: https://patch.msgid.link/20260222122609.281191-1-qkrwngud825@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7312,7 +7312,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_AMP), +- SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), ++ SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Book Flex (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a3, "Samsung Galaxy Book Pro (NP935XDB-KC1SE)", ALC298_FIXUP_SAMSUNG_AMP), + SND_PCI_QUIRK(0x144d, 0xc1a4, "Samsung Galaxy Book Pro 360 (NT935QBD)", ALC298_FIXUP_SAMSUNG_AMP), 
diff --git a/queue-6.19/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch b/queue-6.19/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
new file mode 100644
index 0000000000..5e2e168e1b
--- /dev/null
+++ b/queue-6.19/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
@@ -0,0 +1,43 @@ +From 54f9d645a5453d0bfece0c465d34aaf072ea99fa Mon Sep 17 00:00:00 2001 +From: Jun Seo +Date: Thu, 26 Feb 2026 10:08:20 +0900 +Subject: ALSA: usb-audio: Use correct version for UAC3 header validation + +From: Jun Seo + +commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream. + +The entry of the validators table for UAC3 AC header descriptor is +defined with the wrong protocol version UAC_VERSION_2, while it should +have been UAC_VERSION_3. This results in the validator never matching +for actual UAC3 devices (protocol == UAC_VERSION_3), causing their +header descriptors to bypass validation entirely. A malicious USB +device presenting a truncated UAC3 header could exploit this to cause +out-of-bounds reads when the driver later accesses unvalidated +descriptor fields. + +The bug was introduced in the same commit as the recently fixed UAC3 +feature unit sub-type typo, and appears to be from the same copy-paste +error when the UAC3 section was created from the UAC2 section. + +Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units") +Cc: +Signed-off-by: Jun Seo +Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/validate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/validate.c ++++ b/sound/usb/validate.c +@@ -281,7 +281,7 @@ static const struct usb_desc_validator a + /* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */ + + /* UAC3 */ +- FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor), ++ FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor), + FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL, + struct uac3_input_terminal_descriptor), + FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL, 
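Review bot: Nothing in the corrected row `FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor)` or in the visible table ties the protocol-version argument to the descriptor struct named beside it. That is how the old `UAC_VERSION_2` key left UAC3 header descriptors unvalidated with no build-time or runtime signal. The commit message attributes this and an earlier sub-type typo to the same copy of the UAC2 section, and most of the UAC3 rows lie outside the hunk, so they are worth auditing against their `uac3_*` structs in the same pass. A comment above the UAC3 rows, for example `/* UAC3: every row must be keyed on UAC_VERSION_3, otherwise the descriptor is never validated */`, would state the failure mode next to the data.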
diff --git a/queue-6.19/arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch b/queue-6.19/arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch
new file mode 100644
index 0000000000..25311156fe
--- /dev/null
+++ b/queue-6.19/arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch
@@ -0,0 +1,136 @@ +From 8a85b3131225a8c8143ba2ae29c0eef8c1f9117f Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Mon, 23 Feb 2026 17:45:30 +0000 +Subject: arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled + +From: Catalin Marinas + +commit 8a85b3131225a8c8143ba2ae29c0eef8c1f9117f upstream. + +When FEAT_LPA2 is enabled, bits 8-9 of the PTE replace the +shareability attribute with bits 50-51 of the output address. The +_PAGE_GCS{,_RO} definitions include the PTE_SHARED bits as 0b11 (this +matches the other _PAGE_* definitions) but using this macro directly +leads to the following panic when enabling GCS on a system/model with +LPA2: + + Unable to handle kernel paging request at virtual address fffff1ffc32d8008 + Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + Data abort info: + ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + swapper pgtable: 4k pages, 52-bit VAs, pgdp=0000000060f4d000 + [fffff1ffc32d8008] pgd=100000006184b003, p4d=0000000000000000 + Internal error: Oops: 0000000096000004 [#1] SMP + CPU: 0 UID: 0 PID: 513 Comm: gcs_write_fault Tainted: G M 7.0.0-rc1 #1 PREEMPT + Tainted: [M]=MACHINE_CHECK + Hardware name: QEMU QEMU Virtual Machine, BIOS 2025.02-8+deb13u1 11/08/2025 + pstate: 03402005 (nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) + pc : zap_huge_pmd+0x168/0x468 + lr : zap_huge_pmd+0x2c/0x468 + sp : ffff800080beb660 + x29: ffff800080beb660 x28: fff00000c2058180 x27: ffff800080beb898 + x26: fff00000c2058180 x25: ffff800080beb820 x24: 00c800010b600f41 + x23: ffffc1ffc30af1a8 x22: fff00000c2058180 x21: 0000ffff8dc00000 + x20: fff00000c2bc6370 x19: ffff800080beb898 x18: ffff800080bebb60 + x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000007 + x14: 000000000000000a x13: 0000aaaacbbbffff x12: 0000000000000000 + 
x11: 0000ffff8ddfffff x10: 00000000000001fe x9 : 0000ffff8ddfffff + x8 : 0000ffff8de00000 x7 : 0000ffff8da00000 x6 : fff00000c2bc6370 + x5 : 0000ffff8da00000 x4 : 000000010b600000 x3 : ffffc1ffc0000000 + x2 : fff00000c2058180 x1 : fffff1ffc32d8000 x0 : 000000c00010b600 + Call trace: + zap_huge_pmd+0x168/0x468 (P) + unmap_page_range+0xd70/0x1560 + unmap_single_vma+0x48/0x80 + unmap_vmas+0x90/0x180 + unmap_region+0x88/0xe4 + vms_complete_munmap_vmas+0xf8/0x1e0 + do_vmi_align_munmap+0x158/0x180 + do_vmi_munmap+0xac/0x160 + __vm_munmap+0xb0/0x138 + vm_munmap+0x14/0x20 + gcs_free+0x70/0x80 + mm_release+0x1c/0xc8 + exit_mm_release+0x28/0x38 + do_exit+0x190/0x8ec + do_group_exit+0x34/0x90 + get_signal+0x794/0x858 + arch_do_signal_or_restart+0x11c/0x3e0 + exit_to_user_mode_loop+0x10c/0x17c + el0_da+0x8c/0x9c + el0t_64_sync_handler+0xd0/0xf0 + el0t_64_sync+0x198/0x19c + Code: aa1603e2 d34cfc00 cb813001 8b011861 (f9400420) + +Similarly to how the kernel handles protection_map[], use a +gcs_page_prot variable to store the protection bits and clear PTE_SHARED +if LPA2 is enabled. + +Also remove the unused PAGE_GCS{,_RO} macros. 
+ +Signed-off-by: Catalin Marinas +Fixes: 6497b66ba694 ("arm64/mm: Map pages for guarded control stack") +Reported-by: Emanuele Rocca +Cc: stable@vger.kernel.org +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: David Hildenbrand (Arm) +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/pgtable-prot.h | 3 --- + arch/arm64/mm/mmap.c | 8 ++++++-- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -164,9 +164,6 @@ static inline bool __pure lpa2_is_enable + #define _PAGE_GCS (_PAGE_DEFAULT | PTE_NG | PTE_UXN | PTE_WRITE | PTE_USER) + #define _PAGE_GCS_RO (_PAGE_DEFAULT | PTE_NG | PTE_UXN | PTE_USER) + +-#define PAGE_GCS __pgprot(_PAGE_GCS) +-#define PAGE_GCS_RO __pgprot(_PAGE_GCS_RO) +- + #define PIE_E0 ( \ + PIRx_ELx_PERM_PREP(pte_pi_index(_PAGE_GCS), PIE_GCS) | \ + PIRx_ELx_PERM_PREP(pte_pi_index(_PAGE_GCS_RO), PIE_R) | \ +--- a/arch/arm64/mm/mmap.c ++++ b/arch/arm64/mm/mmap.c +@@ -34,6 +34,8 @@ static pgprot_t protection_map[16] __ro_ + [VM_SHARED | VM_EXEC | VM_WRITE | VM_READ] = PAGE_SHARED_EXEC + }; + ++static ptdesc_t gcs_page_prot __ro_after_init = _PAGE_GCS_RO; ++ + /* + * You really shouldn't be using read() or write() on /dev/mem. This might go + * away in the future. +@@ -73,9 +75,11 @@ static int __init adjust_protection_map( + protection_map[VM_EXEC | VM_SHARED] = PAGE_EXECONLY; + } + +- if (lpa2_is_enabled()) ++ if (lpa2_is_enabled()) { + for (int i = 0; i < ARRAY_SIZE(protection_map); i++) + pgprot_val(protection_map[i]) &= ~PTE_SHARED; ++ gcs_page_prot &= ~PTE_SHARED; ++ } + + return 0; + } +@@ -87,7 +91,7 @@ pgprot_t vm_get_page_prot(vm_flags_t vm_ + + /* Short circuit GCS to avoid bloating the table. */ + if (system_supports_gcs() && (vm_flags & VM_SHADOW_STACK)) { +- prot = _PAGE_GCS_RO; ++ prot = gcs_page_prot; + } else { + prot = pgprot_val(protection_map[vm_flags & + (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]); 
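Review bot: `_PAGE_GCS` and `_PAGE_GCS_RO` remain defined and, per the commit message, still include the PTE_SHARED bits, so later code that builds a protection value from them directly rather than from `gcs_page_prot` would bring back the LPA2 translation fault. Removing `PAGE_GCS{,_RO}` narrows that path, but nothing at the remaining definitions or at the new variable says so. I would add a comment on the variable, `/* GCS protection bits; PTE_SHARED is cleared in adjust_protection_map() when LPA2 is enabled */`, and a matching warning beside the `_PAGE_GCS*` macros. A smaller style point is that the `for` loop inside the now-braced `if (lpa2_is_enabled())` block is still unbraced. The body of `vm_get_page_prot()` continues outside the hunk.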
diff --git a/queue-6.19/bluetooth-purge-error-queues-in-socket-destructors.patch b/queue-6.19/bluetooth-purge-error-queues-in-socket-destructors.patch
new file mode 100644
index 0000000000..a5054aa9ed
--- /dev/null
+++ b/queue-6.19/bluetooth-purge-error-queues-in-socket-destructors.patch
@@ -0,0 +1,71 @@ +From 21e4271e65094172aadd5beb8caea95dd0fbf6d7 Mon Sep 17 00:00:00 2001 +From: Heitor Alves de Siqueira +Date: Wed, 11 Feb 2026 15:03:35 -0300 +Subject: Bluetooth: purge error queues in socket destructors + +From: Heitor Alves de Siqueira + +commit 21e4271e65094172aadd5beb8caea95dd0fbf6d7 upstream. + +When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued +into sk_error_queue and will stay there until consumed. If userspace never +gets to read the timestamps, or if the controller is removed unexpectedly, +these SKBs will leak. + +Fix by adding skb_queue_purge() calls for sk_error_queue in affected +bluetooth destructors. RFCOMM does not currently use sk_error_queue. + +Fixes: 134f4b39df7b ("Bluetooth: add support for skb TX SND/COMPLETION timestamping") +Reported-by: syzbot+7ff4013eabad1407b70a@syzkaller.appspotmail.com +Closes: https://syzbot.org/bug?extid=7ff4013eabad1407b70a +Cc: stable@vger.kernel.org +Signed-off-by: Heitor Alves de Siqueira +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_sock.c | 1 + + net/bluetooth/iso.c | 1 + + net/bluetooth/l2cap_sock.c | 1 + + net/bluetooth/sco.c | 1 + + 4 files changed, 4 insertions(+) + +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -2166,6 +2166,7 @@ static void hci_sock_destruct(struct soc + mgmt_cleanup(sk); + skb_queue_purge(&sk->sk_receive_queue); + skb_queue_purge(&sk->sk_write_queue); ++ skb_queue_purge(&sk->sk_error_queue); + } + + static const struct proto_ops hci_sock_ops = { +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -746,6 +746,7 @@ static void iso_sock_destruct(struct soc + + skb_queue_purge(&sk->sk_receive_queue); + skb_queue_purge(&sk->sk_write_queue); ++ skb_queue_purge(&sk->sk_error_queue); + } + + static void iso_sock_cleanup_listen(struct sock *parent) +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1806,6 +1806,7 @@ static void l2cap_sock_destruct(struct s + 
+ skb_queue_purge(&sk->sk_receive_queue); + skb_queue_purge(&sk->sk_write_queue); ++ skb_queue_purge(&sk->sk_error_queue); + } + + static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -470,6 +470,7 @@ static void sco_sock_destruct(struct soc + + skb_queue_purge(&sk->sk_receive_queue); + skb_queue_purge(&sk->sk_write_queue); ++ skb_queue_purge(&sk->sk_error_queue); + } + + static void sco_sock_cleanup_listen(struct sock *parent) diff --git a/queue-6.19/cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch b/queue-6.19/cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch new file mode 100644 index 0000000000..caf2e2b432 --- /dev/null +++ b/queue-6.19/cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch 
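Review bot: The same three `skb_queue_purge()` calls are now written out by hand in `hci_sock_destruct()`, `iso_sock_destruct()`, `l2cap_sock_destruct()` and `sco_sock_destruct()`. That duplication is presumably how `sk_error_queue` was missed in all four when TX timestamping was introduced. A small shared helper that purges the receive, write and error queues would keep the destructors from drifting apart again. The RFCOMM destructor is left unchanged because, per the commit message, RFCOMM does not currently use `sk_error_queue`. A comment there such as `/* sk_error_queue is not used by RFCOMM, so it is not purged here */` would flag the gap for whoever adds timestamping to it.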
@@ -0,0 +1,81 @@ +From 6b050482ec40569429d963ac52afa878691b04c9 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Tue, 24 Feb 2026 16:17:52 -0800 +Subject: cpufreq: intel_pstate: Fix crash during turbo disable + +From: Srinivas Pandruvada + +commit 6b050482ec40569429d963ac52afa878691b04c9 upstream. + +When the system is booted with kernel command line argument "nosmt" or +"maxcpus" to limit the number of CPUs, disabling turbo via: + + echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo + +results in a crash: + + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP PTI + ... + RIP: 0010:store_no_turbo+0x100/0x1f0 + ... + +This occurs because for_each_possible_cpu() returns CPUs even if they +are not online. For those CPUs, all_cpu_data[] will be NULL. Since +commit 973207ae3d7c ("cpufreq: intel_pstate: Rearrange max frequency +updates handling code"), all_cpu_data[] is dereferenced even for CPUs +which are not online, causing the NULL pointer dereference. + +To fix that, pass CPU number to intel_pstate_update_max_freq() and use +all_cpu_data[] for those CPUs for which there is a valid cpufreq policy. + +Fixes: 973207ae3d7c ("cpufreq: intel_pstate: Rearrange max frequency updates handling code") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221068 +Signed-off-by: Srinivas Pandruvada +Cc: 6.16+ # 6.16+ +Link: https://patch.msgid.link/20260225001752.890164-1-srinivas.pandruvada@linux.intel.com +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/intel_pstate.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -1476,13 +1476,13 @@ static void __intel_pstate_update_max_fr + refresh_frequency_limits(policy); + } + +-static bool intel_pstate_update_max_freq(struct cpudata *cpudata) ++static bool intel_pstate_update_max_freq(int cpu) + { +- struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpudata->cpu); ++ struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpu); + if (!policy) + return false; + +- __intel_pstate_update_max_freq(policy, cpudata); ++ __intel_pstate_update_max_freq(policy, all_cpu_data[cpu]); + + return true; + } +@@ -1501,7 +1501,7 @@ static void intel_pstate_update_limits_f + int cpu; + + for_each_possible_cpu(cpu) +- intel_pstate_update_max_freq(all_cpu_data[cpu]); ++ intel_pstate_update_max_freq(cpu); + + mutex_lock(&hybrid_capacity_lock); + +@@ -1908,7 +1908,7 @@ static void intel_pstate_notify_work(str + struct cpudata *cpudata = + container_of(to_delayed_work(work), struct cpudata, hwp_notify_work); + +- if (intel_pstate_update_max_freq(cpudata)) { ++ if (intel_pstate_update_max_freq(cpudata->cpu)) { + /* + * The driver will not be unregistered while this function is + * running, so update the capacity without acquiring the driver diff --git a/queue-6.19/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch b/queue-6.19/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch new file mode 100644 index 0000000000..07bb3aebec --- /dev/null +++ b/queue-6.19/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch 
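Review bot: `intel_pstate_update_max_freq()` now passes `all_cpu_data[cpu]` on without a NULL check, relying on the rule that a CPU with a valid cpufreq policy always has its entry populated. That rule is stated in the commit message but not in the code. A comment before the call, `/* a valid policy implies all_cpu_data[cpu] is set */`, or a guard such as `if (!policy || !all_cpu_data[cpu]) return false;`, would stop a later change to policy lifetime from reintroducing the NULL dereference. The loop in the second hunk still iterates `for_each_possible_cpu()`, so offline CPUs are filtered only by the `cpufreq_cpu_get()` result.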
@@ -0,0 +1,161 @@ +From ab140365fb62c0bdab22b2f516aff563b2559e3b Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Thu, 19 Feb 2026 15:20:12 +0100 +Subject: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lars Ellenberg + +commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream. + +Even though we check that we "should" be able to do lc_get_cumulative() +while holding the device->al_lock spinlock, it may still fail, +if some other code path decided to do lc_try_lock() with bad timing. + +If that happened, we logged "LOGIC BUG for enr=...", +but still did not return an error. + +The rest of the code now assumed that this request has references +for the relevant activity log extents. + +The implcations are that during an active resync, mutual exclusivity of +resync versus application IO is not guaranteed. And a potential crash +at this point may not realizs that these extents could have been target +of in-flight IO and would need to be resynced just in case. + +Also, once the request completes, it will give up activity log references it +does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put(). + +Fix: + +Do not crash the kernel for a condition that is harmless during normal +operation: also catch "e->refcnt == 0", not only "e == NULL" +when being noisy about "al_complete_io() called on inactive extent %u\n". + +And do not try to be smart and "guess" whether something will work, then +be surprised when it does not. +Deal with the fact that it may or may not work. If it does not, remember a +possible "partially in activity log" state (only possible for requests that +cross extent boundaries), and return an error code from +drbd_al_begin_io_nonblock(). + +A latter call for the same request will then resume from where we left off. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Lars Ellenberg +Signed-off-by: Christoph Böhmwalder +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_actlog.c | 53 ++++++++++++++++--------------------- + drivers/block/drbd/drbd_interval.h | 5 ++- + 2 files changed, 27 insertions(+), 31 deletions(-) + +--- a/drivers/block/drbd/drbd_actlog.c ++++ b/drivers/block/drbd/drbd_actlog.c +@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device + + int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i) + { +- struct lru_cache *al = device->act_log; + /* for bios crossing activity log extent boundaries, + * we may need to activate two extents in one go */ + unsigned first = i->sector >> (AL_EXTENT_SHIFT-9); + unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9); +- unsigned nr_al_extents; +- unsigned available_update_slots; + unsigned enr; + +- D_ASSERT(device, first <= last); +- +- nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */ +- available_update_slots = min(al->nr_elements - al->used, +- al->max_pending_changes - al->pending_changes); +- +- /* We want all necessary updates for a given request within the same transaction +- * We could first check how many updates are *actually* needed, +- * and use that instead of the worst-case nr_al_extents */ +- if (available_update_slots < nr_al_extents) { +- /* Too many activity log extents are currently "hot". +- * +- * If we have accumulated pending changes already, +- * we made progress. +- * +- * If we cannot get even a single pending change through, +- * stop the fast path until we made some progress, +- * or requests to "cold" extents could be starved. 
*/ +- if (!al->pending_changes) +- __set_bit(__LC_STARVING, &device->act_log->flags); +- return -ENOBUFS; ++ if (i->partially_in_al_next_enr) { ++ D_ASSERT(device, first < i->partially_in_al_next_enr); ++ D_ASSERT(device, last >= i->partially_in_al_next_enr); ++ first = i->partially_in_al_next_enr; + } + ++ D_ASSERT(device, first <= last); ++ + /* Is resync active in this area? */ + for (enr = first; enr <= last; enr++) { + struct lc_element *tmp; +@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb + } + } + +- /* Checkout the refcounts. +- * Given that we checked for available elements and update slots above, +- * this has to be successful. */ ++ /* Try to checkout the refcounts. */ + for (enr = first; enr <= last; enr++) { + struct lc_element *al_ext; + al_ext = lc_get_cumulative(device->act_log, enr); +- if (!al_ext) +- drbd_info(device, "LOGIC BUG for enr=%u\n", enr); ++ ++ if (!al_ext) { ++ /* Did not work. We may have exhausted the possible ++ * changes per transaction. Or raced with someone ++ * "locking" it against changes. ++ * Remember where to continue from. ++ */ ++ if (enr > first) ++ i->partially_in_al_next_enr = enr; ++ return -ENOBUFS; ++ } + } + return 0; + } +@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev + + for (enr = first; enr <= last; enr++) { + extent = lc_find(device->act_log, enr); +- if (!extent) { ++ /* Yes, this masks a bug elsewhere. However, during normal ++ * operation this is harmless, so no need to crash the kernel ++ * by the BUG_ON(refcount == 0) in lc_put(). 
++ */ ++ if (!extent || extent->refcnt == 0) { + drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr); + continue; + } +--- a/drivers/block/drbd/drbd_interval.h ++++ b/drivers/block/drbd/drbd_interval.h +@@ -8,12 +8,15 @@ + struct drbd_interval { + struct rb_node rb; + sector_t sector; /* start sector of the interval */ +- unsigned int size; /* size in bytes */ + sector_t end; /* highest interval end in subtree */ ++ unsigned int size; /* size in bytes */ + unsigned int local:1 /* local or remote request? */; + unsigned int waiting:1; /* someone is waiting for completion */ + unsigned int completed:1; /* this has been completed already; + * ignore for conflict detection */ ++ ++ /* to resume a partially successful drbd_al_begin_io_nonblock(); */ ++ unsigned int partially_in_al_next_enr; + }; + + static inline void drbd_clear_interval(struct drbd_interval *i) diff --git a/queue-6.19/drbd-fix-null-pointer-dereference-on-local-read-error.patch b/queue-6.19/drbd-fix-null-pointer-dereference-on-local-read-error.patch new file mode 100644 index 0000000000..ff7ca31a25 --- /dev/null +++ b/queue-6.19/drbd-fix-null-pointer-dereference-on-local-read-error.patch 
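Review bot: `partially_in_al_next_enr` is recorded on the `-ENOBUFS` path of `drbd_al_begin_io_nonblock()`, but nothing in these hunks resets it after a later call succeeds, and `drbd_al_complete_io()` still walks the interval's full `first..last` range. If a request can be completed or aborted while it holds references only for the extents below the recorded value, the new `extent->refcnt == 0` test skips the put only when no one else holds the extent; with other holders it would drop a reference this request never took. Whether that is reachable depends on callers and on `drbd_clear_interval()`, both outside the hunk, so it is worth confirming. The field comment in `drbd_interval.h` should also spell out the sentinel, e.g. `/* 0: nothing pending (safe: only set when enr > first); else first extent still lacking a reference */`.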
@@ -0,0 +1,47 @@
+From 0d195d3b205ca90db30d70d09d7bb6909aac178f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
+
+Date: Fri, 20 Feb 2026 12:39:37 +0100
+Subject: drbd: fix null-pointer dereference on local read error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christoph Böhmwalder
+
+commit 0d195d3b205ca90db30d70d09d7bb6909aac178f upstream.
+
+In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to
+__req_mod() with a NULL peer_device:
+
+ __req_mod(req, what, NULL, &m);
+
+The READ_COMPLETED_WITH_ERROR handler then unconditionally passes this
+NULL peer_device to drbd_set_out_of_sync(), which dereferences it,
+causing a null-pointer dereference.
+
+Fix this by obtaining the peer_device via first_peer_device(device),
+matching how drbd_req_destroy() handles the same situation.
+
+Cc: stable@vger.kernel.org
+Reported-by: Tuo Li
+Link: https://lore.kernel.org/linux-block/20260104165355.151864-1-islituo@gmail.com
+Signed-off-by: Christoph Böhmwalder
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/drbd/drbd_req.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/drbd/drbd_req.c
++++ b/drivers/block/drbd/drbd_req.c
+@@ -621,7 +621,8 @@ int __req_mod(struct drbd_request *req,
+ break;
+
+ case READ_COMPLETED_WITH_ERROR:
+- drbd_set_out_of_sync(peer_device, req->i.sector, req->i.size);
++ drbd_set_out_of_sync(first_peer_device(device),
++ req->i.sector, req->i.size);
+ drbd_report_io_error(device, req);
+ __drbd_chk_io_error(device, DRBD_READ_ERROR);
+ fallthrough;
diff --git a/queue-6.19/gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch b/queue-6.19/gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch
new file mode 100644
index 0000000000..896c6251cb
--- /dev/null
+++ b/queue-6.19/gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch
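Review bot: The return value of `first_peer_device(device)` goes straight into `drbd_set_out_of_sync()`, which per the commit message dereferences its peer_device argument, so the fix holds only if a device that reaches `READ_COMPLETED_WITH_ERROR` always has a peer device. That is not visible here (`__req_mod()` starts and ends outside the hunk); if the helper can return NULL, the same oops remains. The case now also ignores the `peer_device` argument even when a caller passes one. A one-line comment would record the intent, e.g. `/* peer_device is NULL when called from drbd_request_endio(); look it up as drbd_req_destroy() does */`.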
@@ -0,0 +1,130 @@ +From fb868db5f4bccd7a78219313ab2917429f715cea Mon Sep 17 00:00:00 2001 +From: Ankit Garg +Date: Fri, 20 Feb 2026 13:53:24 -0800 +Subject: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL + +From: Ankit Garg + +commit fb868db5f4bccd7a78219313ab2917429f715cea upstream. + +In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA +buffer cleanup path. It iterates num_bufs times and attempts to unmap +entries in the dma array. + +This leads to two issues: +1. The dma array shares storage with tx_qpl_buf_ids (union). + Interpreting buffer IDs as DMA addresses results in attempting to + unmap incorrect memory locations. +2. num_bufs in QPL mode (counting 2K chunks) can significantly exceed + the size of the dma array, causing out-of-bounds access warnings +(trace below is how we noticed this issue). + +UBSAN: array-index-out-of-bounds in +drivers/net/ethernet/drivers/net/ethernet/google/gve/gve_tx_dqo.c:178:5 index 18 is out of +range for type 'dma_addr_t[18]' (aka 'unsigned long long[18]') +Workqueue: gve gve_service_task [gve] +Call Trace: + +dump_stack_lvl+0x33/0xa0 +__ubsan_handle_out_of_bounds+0xdc/0x110 +gve_tx_stop_ring_dqo+0x182/0x200 [gve] +gve_close+0x1be/0x450 [gve] +gve_reset+0x99/0x120 [gve] +gve_service_task+0x61/0x100 [gve] +process_scheduled_works+0x1e9/0x380 + +Fix this by properly checking for QPL mode and delegating to +gve_free_tx_qpl_bufs() to reclaim the buffers. 
+ +Cc: stable@vger.kernel.org +Fixes: a6fb8d5a8b69 ("gve: Tx path for DQO-QPL") +Signed-off-by: Ankit Garg +Reviewed-by: Jordan Rhee +Reviewed-by: Harshitha Ramamurthy +Signed-off-by: Joshua Washington +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260220215324.1631350-1-joshwash@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_tx_dqo.c | 54 ++++++++++++--------------- + 1 file changed, 24 insertions(+), 30 deletions(-) + +--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c ++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +@@ -167,6 +167,25 @@ gve_free_pending_packet(struct gve_tx_ri + } + } + ++static void gve_unmap_packet(struct device *dev, ++ struct gve_tx_pending_packet_dqo *pkt) ++{ ++ int i; ++ ++ if (!pkt->num_bufs) ++ return; ++ ++ /* SKB linear portion is guaranteed to be mapped */ ++ dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]), ++ dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE); ++ for (i = 1; i < pkt->num_bufs; i++) { ++ netmem_dma_unmap_page_attrs(dev, dma_unmap_addr(pkt, dma[i]), ++ dma_unmap_len(pkt, len[i]), ++ DMA_TO_DEVICE, 0); ++ } ++ pkt->num_bufs = 0; ++} ++ + /* gve_tx_free_desc - Cleans up all pending tx requests and buffers. 
+ */ + static void gve_tx_clean_pending_packets(struct gve_tx_ring *tx) +@@ -176,21 +195,12 @@ static void gve_tx_clean_pending_packets + for (i = 0; i < tx->dqo.num_pending_packets; i++) { + struct gve_tx_pending_packet_dqo *cur_state = + &tx->dqo.pending_packets[i]; +- int j; + +- for (j = 0; j < cur_state->num_bufs; j++) { +- if (j == 0) { +- dma_unmap_single(tx->dev, +- dma_unmap_addr(cur_state, dma[j]), +- dma_unmap_len(cur_state, len[j]), +- DMA_TO_DEVICE); +- } else { +- dma_unmap_page(tx->dev, +- dma_unmap_addr(cur_state, dma[j]), +- dma_unmap_len(cur_state, len[j]), +- DMA_TO_DEVICE); +- } +- } ++ if (tx->dqo.qpl) ++ gve_free_tx_qpl_bufs(tx, cur_state); ++ else ++ gve_unmap_packet(tx->dev, cur_state); ++ + if (cur_state->skb) { + dev_consume_skb_any(cur_state->skb); + cur_state->skb = NULL; +@@ -1160,22 +1170,6 @@ static void remove_from_list(struct gve_ + } + } + +-static void gve_unmap_packet(struct device *dev, +- struct gve_tx_pending_packet_dqo *pkt) +-{ +- int i; +- +- /* SKB linear portion is guaranteed to be mapped */ +- dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]), +- dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE); +- for (i = 1; i < pkt->num_bufs; i++) { +- netmem_dma_unmap_page_attrs(dev, dma_unmap_addr(pkt, dma[i]), +- dma_unmap_len(pkt, len[i]), +- DMA_TO_DEVICE, 0); +- } +- pkt->num_bufs = 0; +-} +- + /* Completion types and expected behavior: + * No Miss compl + Packet compl = Packet completed normally. + * Miss compl + Re-inject compl = Packet completed normally. diff --git a/queue-6.19/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch b/queue-6.19/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch new file mode 100644 index 0000000000..106056565a --- /dev/null +++ b/queue-6.19/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch 
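Review bot: `gve_unmap_packet()` reads `pkt->dma[]`, which per the commit message shares storage with `tx_qpl_buf_ids`, yet nothing on the helper says it is valid in RDA mode only; now that it sits next to `gve_tx_clean_pending_packets()`, the next caller can repeat the bug being fixed. I would add a header comment such as `/* RDA only: in QPL mode dma[] aliases tx_qpl_buf_ids and num_bufs counts 2K chunks */`. The loop `for (i = 1; i < pkt->num_bufs; i++)` also still trusts `num_bufs` against the fixed-size array; a bound check against the array length (its name is not visible in the hunk) would turn a future miscount into a warning rather than an out-of-bounds unmap. The context comment above `gve_tx_clean_pending_packets()` still names `gve_tx_free_desc`.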
@@ -0,0 +1,49 @@
+From 117942ca43e2e3c3d121faae530989931b7f67e1 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Mon, 16 Feb 2026 11:02:48 -0400
+Subject: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
+
+From: Jason Gunthorpe
+
+commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream.
+
+Fix a user triggerable leak on the system call failure path.
+
+Cc: stable@vger.kernel.org
+Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation")
+Signed-off-by: Jason Gunthorpe
+Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mthca/mthca_provider.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mthca/mthca_provider.c
++++ b/drivers/infiniband/hw/mthca/mthca_provider.c
+@@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_sr
+
+ if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) {
+ mthca_free_srq(to_mdev(ibsrq->device), srq);
++ mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar,
++ context->db_tab, ucmd.db_index);
+ return -EFAULT;
+ }
+
+@@ -436,6 +438,7 @@ static int mthca_create_srq(struct ib_sr
+
+ static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata)
+ {
++ mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+ if (udata) {
+ struct mthca_ucontext *context =
+ rdma_udata_to_drv_context(
+@@ -446,8 +449,6 @@ static int mthca_destroy_s
+ mthca_unmap_user_db(to_mdev(srq->device), &context->uar,
+ context->db_tab, to_msrq(srq)->db_index);
+ }
+-
+- mthca_free_srq(to_mdev(srq->device), to_msrq(srq));
+ return 0;
+ }
+
diff --git a/queue-6.19/kbuild-leave-objtool-binary-around-with-make-clean.patch b/queue-6.19/kbuild-leave-objtool-binary-around-with-make-clean.patch
new file mode 100644
index 0000000000..fabf41e818
--- /dev/null
+++ b/queue-6.19/kbuild-leave-objtool-binary-around-with-make-clean.patch
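Review bot: In `mthca_destroy_srq()` the unmap now reads `to_msrq(srq)->db_index` after `mthca_free_srq()` has run on the same object, which is safe only if `mthca_free_srq()` leaves that field intact; its body is not visible in the hunk. The commit message covers the leak on the `ib_copy_to_udata()` failure path but not this reorder, so I would mark it at the moved call, e.g. `/* NOTE: SRQ is freed before its user doorbell is unmapped; db_index must stay readable after mthca_free_srq() */`. In `mthca_create_srq()` the added unmap dereferences `context->uar` under the existing `context &&` guard, which is correct; the function's earlier error paths lie outside the hunk and are worth checking for the same pairing.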
@@ -0,0 +1,103 @@ +From fdb12c8a24a453bdd6759979b6ef1e04ebd4beb4 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 27 Feb 2026 22:40:48 -0700 +Subject: kbuild: Leave objtool binary around with 'make clean' + +From: Nathan Chancellor + +commit fdb12c8a24a453bdd6759979b6ef1e04ebd4beb4 upstream. + +The difference between 'make clean' and 'make mrproper' is documented in +'make help' as: + + clean - Remove most generated files but keep the config and + enough build support to build external modules + mrproper - Remove all generated files + config + various backup files + +After commit 68b4fe32d737 ("kbuild: Add objtool to top-level clean +target"), running 'make clean' then attempting to build an external +module with the resulting build directory fails with + + $ make ARCH=x86_64 O=build clean + + $ make -C build M=... MO=... + ... + /bin/sh: line 1: .../build/tools/objtool/objtool: No such file or directory + +as 'make clean' removes the objtool binary. + +Split the objtool clean target into mrproper and clean like Kbuild does +and remove all generated artifacts with 'make clean' except for the +objtool binary, which is removed with 'make mrproper'. To avoid a small +race when running the objtool clean target through both objtool_mrproper +and objtool_clean when running 'make mrproper', modify objtool's clean +up find command to avoid using find's '-delete' command by piping the +files into 'xargs rm -f' like the rest of Kbuild does. 
+ +Cc: stable@vger.kernel.org +Fixes: 68b4fe32d737 ("kbuild: Add objtool to top-level clean target") +Reported-by: Michal Suchanek +Closes: https://lore.kernel.org/20260225112633.6123-1-msuchanek@suse.de/ +Reported-by: Rainer Fiebig +Closes: https://lore.kernel.org/62d12399-76e5-3d40-126a-7490b4795b17@mailbox.org/ +Acked-by: Josh Poimboeuf +Acked-by: Peter Zijlstra (Intel) +Reviewed-by: Nicolas Schier +Tested-by: Nicolas Schier +Link: https://patch.msgid.link/20260227-avoid-objtool-binary-removal-clean-v1-1-122f3e55eae9@kernel.org +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 8 ++++---- + tools/objtool/Makefile | 8 +++++--- + 2 files changed, 9 insertions(+), 7 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -1474,13 +1474,13 @@ ifneq ($(wildcard $(resolve_btfids_O)),) + $(Q)$(MAKE) -sC $(srctree)/tools/bpf/resolve_btfids O=$(resolve_btfids_O) clean + endif + +-PHONY += objtool_clean ++PHONY += objtool_clean objtool_mrproper + + objtool_O = $(abspath $(objtree))/tools/objtool + +-objtool_clean: ++objtool_clean objtool_mrproper: + ifneq ($(wildcard $(objtool_O)),) +- $(Q)$(MAKE) -sC $(abs_srctree)/tools/objtool O=$(objtool_O) srctree=$(abs_srctree) clean ++ $(Q)$(MAKE) -sC $(abs_srctree)/tools/objtool O=$(objtool_O) srctree=$(abs_srctree) $(patsubst objtool_%,%,$@) + endif + + tools/: FORCE +@@ -1657,7 +1657,7 @@ PHONY += $(mrproper-dirs) mrproper + $(mrproper-dirs): + $(Q)$(MAKE) $(clean)=$(patsubst _mrproper_%,%,$@) + +-mrproper: clean $(mrproper-dirs) ++mrproper: clean objtool_mrproper $(mrproper-dirs) + $(call cmd,rmfiles) + @find . 
$(RCS_FIND_IGNORE) \ + \( -name '*.rmeta' \) \ +--- a/tools/objtool/Makefile ++++ b/tools/objtool/Makefile +@@ -142,13 +142,15 @@ $(LIBSUBCMD)-clean: + $(Q)$(RM) -r -- $(LIBSUBCMD_OUTPUT) + + clean: $(LIBSUBCMD)-clean +- $(call QUIET_CLEAN, objtool) $(RM) $(OBJTOOL) +- $(Q)find $(OUTPUT) -name '*.o' -delete -o -name '\.*.cmd' -delete -o -name '\.*.d' -delete ++ $(Q)find $(OUTPUT) \( -name '*.o' -o -name '\.*.cmd' -o -name '\.*.d' \) -type f -print | xargs $(RM) + $(Q)$(RM) $(OUTPUT)arch/x86/lib/cpu-feature-names.c $(OUTPUT)fixdep + $(Q)$(RM) $(OUTPUT)arch/x86/lib/inat-tables.c $(OUTPUT)fixdep + $(Q)$(RM) -- $(OUTPUT)FEATURE-DUMP.objtool + $(Q)$(RM) -r -- $(OUTPUT)feature + ++mrproper: clean ++ $(call QUIET_CLEAN, objtool) $(RM) $(OBJTOOL) ++ + FORCE: + +-.PHONY: clean FORCE ++.PHONY: clean mrproper FORCE diff --git a/queue-6.19/kbuild-split-.modinfo-out-from-elf_details.patch b/queue-6.19/kbuild-split-.modinfo-out-from-elf_details.patch new file mode 100644 index 0000000000..35103a9d2e --- /dev/null +++ b/queue-6.19/kbuild-split-.modinfo-out-from-elf_details.patch 
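Review bot: The new `find ... -print | xargs $(RM)` in `tools/objtool/Makefile` splits its input on whitespace, so a path under `$(OUTPUT)` that contains a space or newline reaches `rm` as several separate arguments. Matching the rest of Kbuild is a reasonable goal, but the NUL-separated form costs nothing: `find $(OUTPUT) \( ... \) -type f -print0 | xargs -0 $(RM)`. In the top-level `Makefile`, the shared recipe depends on `$(patsubst objtool_%,%,$@)` turning the target name into the sub-make goal; a one-line comment above `objtool_clean objtool_mrproper:` saying so would help the next reader.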
@@ -0,0 +1,350 @@ +From 8678591b47469fe16357234efef9b260317b8be4 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 25 Feb 2026 15:02:51 -0700 +Subject: kbuild: Split .modinfo out from ELF_DETAILS + +From: Nathan Chancellor + +commit 8678591b47469fe16357234efef9b260317b8be4 upstream. + +Commit 3e86e4d74c04 ("kbuild: keep .modinfo section in +vmlinux.unstripped") added .modinfo to ELF_DETAILS while removing it +from COMMON_DISCARDS, as it was needed in vmlinux.unstripped and +ELF_DETAILS was present in all architecture specific vmlinux linker +scripts. While this shuffle is fine for vmlinux, ELF_DETAILS and +COMMON_DISCARDS may be used by other linker scripts, such as the s390 +and x86 compressed boot images, which may not expect to have a .modinfo +section. In certain circumstances, this could result in a bootloader +failing to load the compressed kernel [1]. + +Commit ddc6cbef3ef1 ("s390/boot/vmlinux.lds.S: Ensure bzImage ends with +SecureBoot trailer") recently addressed this for the s390 bzImage but +the same bug remains for arm, parisc, and x86. The presence of .modinfo +in the x86 bzImage was the root cause of the issue worked around with +commit d50f21091358 ("kbuild: align modinfo section for Secureboot +Authenticode EDK2 compat"). misc.c in arch/x86/boot/compressed includes +lib/decompress_unzstd.c, which in turn includes lib/xxhash.c and its +MODULE_LICENSE / MODULE_DESCRIPTION macros due to the STATIC definition. + +Split .modinfo out from ELF_DETAILS into its own macro and handle it in +all vmlinux linker scripts. Discard .modinfo in the places where it was +previously being discarded from being in COMMON_DISCARDS, as it has +never been necessary in those uses. 
+ +Cc: stable@vger.kernel.org +Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped") +Reported-by: Ed W +Closes: https://lore.kernel.org/587f25e0-a80e-46a5-9f01-87cb40cfa377@wildgooses.com/ [1] +Tested-by: Ed W # x86_64 +Link: https://patch.msgid.link/20260225-separate-modinfo-from-elf-details-v1-1-387ced6baf4b@kernel.org +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/vmlinux.lds.S | 1 + + arch/arc/kernel/vmlinux.lds.S | 1 + + arch/arm/boot/compressed/vmlinux.lds.S | 1 + + arch/arm/kernel/vmlinux-xip.lds.S | 1 + + arch/arm/kernel/vmlinux.lds.S | 1 + + arch/arm64/kernel/vmlinux.lds.S | 1 + + arch/csky/kernel/vmlinux.lds.S | 1 + + arch/hexagon/kernel/vmlinux.lds.S | 1 + + arch/loongarch/kernel/vmlinux.lds.S | 1 + + arch/m68k/kernel/vmlinux-nommu.lds | 1 + + arch/m68k/kernel/vmlinux-std.lds | 1 + + arch/m68k/kernel/vmlinux-sun3.lds | 1 + + arch/mips/kernel/vmlinux.lds.S | 1 + + arch/nios2/kernel/vmlinux.lds.S | 1 + + arch/openrisc/kernel/vmlinux.lds.S | 1 + + arch/parisc/boot/compressed/vmlinux.lds.S | 1 + + arch/parisc/kernel/vmlinux.lds.S | 1 + + arch/powerpc/kernel/vmlinux.lds.S | 1 + + arch/riscv/kernel/vmlinux.lds.S | 1 + + arch/s390/kernel/vmlinux.lds.S | 1 + + arch/sh/kernel/vmlinux.lds.S | 1 + + arch/sparc/kernel/vmlinux.lds.S | 1 + + arch/um/kernel/dyn.lds.S | 1 + + arch/um/kernel/uml.lds.S | 1 + + arch/x86/boot/compressed/vmlinux.lds.S | 2 +- + arch/x86/kernel/vmlinux.lds.S | 1 + + include/asm-generic/vmlinux.lds.h | 4 +++- + 27 files changed, 29 insertions(+), 2 deletions(-) + +--- a/arch/alpha/kernel/vmlinux.lds.S ++++ b/arch/alpha/kernel/vmlinux.lds.S +@@ -71,6 +71,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/arch/arc/kernel/vmlinux.lds.S ++++ b/arch/arc/kernel/vmlinux.lds.S +@@ -123,6 +123,7 @@ SECTIONS + _end = . 
; + + STABS_DEBUG ++ MODINFO + ELF_DETAILS + DISCARDS + +--- a/arch/arm/boot/compressed/vmlinux.lds.S ++++ b/arch/arm/boot/compressed/vmlinux.lds.S +@@ -21,6 +21,7 @@ SECTIONS + COMMON_DISCARDS + *(.ARM.exidx*) + *(.ARM.extab*) ++ *(.modinfo) + *(.note.*) + *(.rel.*) + *(.printk_index) +--- a/arch/arm/kernel/vmlinux-xip.lds.S ++++ b/arch/arm/kernel/vmlinux-xip.lds.S +@@ -154,6 +154,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ARM_DETAILS + + ARM_ASSERTS +--- a/arch/arm/kernel/vmlinux.lds.S ++++ b/arch/arm/kernel/vmlinux.lds.S +@@ -153,6 +153,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ARM_DETAILS + + ARM_ASSERTS +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -349,6 +349,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + HEAD_SYMBOLS +--- a/arch/csky/kernel/vmlinux.lds.S ++++ b/arch/csky/kernel/vmlinux.lds.S +@@ -109,6 +109,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/arch/hexagon/kernel/vmlinux.lds.S ++++ b/arch/hexagon/kernel/vmlinux.lds.S +@@ -62,6 +62,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + .hexagon.attributes 0 : { *(.hexagon.attributes) } + +--- a/arch/loongarch/kernel/vmlinux.lds.S ++++ b/arch/loongarch/kernel/vmlinux.lds.S +@@ -147,6 +147,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + #ifdef CONFIG_EFI_STUB +--- a/arch/m68k/kernel/vmlinux-nommu.lds ++++ b/arch/m68k/kernel/vmlinux-nommu.lds +@@ -85,6 +85,7 @@ SECTIONS { + _end = .; + + STABS_DEBUG ++ MODINFO + ELF_DETAILS + + /* Sections to be discarded */ +--- a/arch/m68k/kernel/vmlinux-std.lds ++++ b/arch/m68k/kernel/vmlinux-std.lds +@@ -58,6 +58,7 @@ SECTIONS + _end = . ; + + STABS_DEBUG ++ MODINFO + ELF_DETAILS + + /* Sections to be discarded */ +--- a/arch/m68k/kernel/vmlinux-sun3.lds ++++ b/arch/m68k/kernel/vmlinux-sun3.lds +@@ -51,6 +51,7 @@ __init_begin = .; + _end = . 
; + + STABS_DEBUG ++ MODINFO + ELF_DETAILS + + /* Sections to be discarded */ +--- a/arch/mips/kernel/vmlinux.lds.S ++++ b/arch/mips/kernel/vmlinux.lds.S +@@ -217,6 +217,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + /* These must appear regardless of . */ +--- a/arch/nios2/kernel/vmlinux.lds.S ++++ b/arch/nios2/kernel/vmlinux.lds.S +@@ -57,6 +57,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/arch/openrisc/kernel/vmlinux.lds.S ++++ b/arch/openrisc/kernel/vmlinux.lds.S +@@ -101,6 +101,7 @@ SECTIONS + /* Throw in the debugging sections */ + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + /* Sections to be discarded -- must be last */ +--- a/arch/parisc/boot/compressed/vmlinux.lds.S ++++ b/arch/parisc/boot/compressed/vmlinux.lds.S +@@ -90,6 +90,7 @@ SECTIONS + /* Sections to be discarded */ + DISCARDS + /DISCARD/ : { ++ *(.modinfo) + #ifdef CONFIG_64BIT + /* temporary hack until binutils is fixed to not emit these + * for static binaries +--- a/arch/parisc/kernel/vmlinux.lds.S ++++ b/arch/parisc/kernel/vmlinux.lds.S +@@ -165,6 +165,7 @@ SECTIONS + _end = . ; + + STABS_DEBUG ++ MODINFO + ELF_DETAILS + .note 0 : { *(.note) } + +--- a/arch/powerpc/kernel/vmlinux.lds.S ++++ b/arch/powerpc/kernel/vmlinux.lds.S +@@ -397,6 +397,7 @@ SECTIONS + _end = . ; + + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/arch/riscv/kernel/vmlinux.lds.S ++++ b/arch/riscv/kernel/vmlinux.lds.S +@@ -170,6 +170,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + .riscv.attributes 0 : { *(.riscv.attributes) } + +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -221,6 +221,7 @@ SECTIONS + /* Debugging sections. 
*/ + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + /* +--- a/arch/sh/kernel/vmlinux.lds.S ++++ b/arch/sh/kernel/vmlinux.lds.S +@@ -89,6 +89,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/arch/sparc/kernel/vmlinux.lds.S ++++ b/arch/sparc/kernel/vmlinux.lds.S +@@ -191,6 +191,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/arch/um/kernel/dyn.lds.S ++++ b/arch/um/kernel/dyn.lds.S +@@ -172,6 +172,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/arch/um/kernel/uml.lds.S ++++ b/arch/um/kernel/uml.lds.S +@@ -113,6 +113,7 @@ SECTIONS + + STABS_DEBUG + DWARF_DEBUG ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/arch/x86/boot/compressed/vmlinux.lds.S ++++ b/arch/x86/boot/compressed/vmlinux.lds.S +@@ -88,7 +88,7 @@ SECTIONS + /DISCARD/ : { + *(.dynamic) *(.dynsym) *(.dynstr) *(.dynbss) + *(.hash) *(.gnu.hash) +- *(.note.*) ++ *(.note.*) *(.modinfo) + } + + .got.plt (INFO) : { +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -424,6 +424,7 @@ SECTIONS + .llvm_bb_addr_map : { *(.llvm_bb_addr_map) } + #endif + ++ MODINFO + ELF_DETAILS + + DISCARDS +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -848,12 +848,14 @@ + + /* Required sections not related to debugging. */ + #define ELF_DETAILS \ +- .modinfo : { *(.modinfo) . = ALIGN(8); } \ + .comment 0 : { *(.comment) } \ + .symtab 0 : { *(.symtab) } \ + .strtab 0 : { *(.strtab) } \ + .shstrtab 0 : { *(.shstrtab) } + ++#define MODINFO \ ++ .modinfo : { *(.modinfo) . = ALIGN(8); } ++ + #ifdef CONFIG_GENERIC_BUG + #define BUG_TABLE \ + . = ALIGN(8); \ diff --git a/queue-6.19/ksmbd-compare-macs-in-constant-time.patch b/queue-6.19/ksmbd-compare-macs-in-constant-time.patch new file mode 100644 index 0000000000..1a39335f6f --- /dev/null +++ b/queue-6.19/ksmbd-compare-macs-in-constant-time.patch 
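Review bot: The new `MODINFO` macro in `include/asm-generic/vmlinux.lds.h` has no comment, although the change introduces a contract that linker-script authors need to know: `ELF_DETAILS` no longer emits `.modinfo`, so every script must either place `MODINFO` or discard `*(.modinfo)`. I would document that at the definition, e.g. `/* .modinfo is kept for vmlinux.unstripped only; boot/compressed images must discard *(.modinfo) */`. Any linker script that uses `ELF_DETAILS` and is absent from this diffstat would now leave `.modinfo` as an orphan section; the page does not show whether such a script exists in 6.19, so a grep for `ELF_DETAILS` in the stable tree is worth doing before release.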
@@ -0,0 +1,82 @@
+From c5794709bc9105935dbedef8b9cf9c06f2b559fa Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 17 Feb 2026 20:28:29 -0800
+Subject: ksmbd: Compare MACs in constant time
+
+From: Eric Biggers
+
+commit c5794709bc9105935dbedef8b9cf9c06f2b559fa upstream.
+
+To prevent timing attacks, MAC comparisons need to be constant-time.
+Replace the memcmp() with the correct function, crypto_memneq().
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/Kconfig | 1 +
+ fs/smb/server/auth.c | 4 +++-
+ fs/smb/server/smb2pdu.c | 5 +++--
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/server/Kconfig
++++ b/fs/smb/server/Kconfig
+@@ -13,6 +13,7 @@ config SMB_SERVER
+ select CRYPTO_LIB_MD5
+ select CRYPTO_LIB_SHA256
+ select CRYPTO_LIB_SHA512
++ select CRYPTO_LIB_UTILS
+ select CRYPTO_CMAC
+ select CRYPTO_AEAD2
+ select CRYPTO_CCM
+--- a/fs/smb/server/auth.c
++++ b/fs/smb/server/auth.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -165,7 +166,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
+ ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE,
+ sess->sess_key);
+
+- if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0)
++ if (crypto_memneq(ntlmv2->ntlmv2_hash, ntlmv2_rsp,
++ CIFS_HMAC_MD5_HASH_SIZE))
+ return -EINVAL;
+ return 0;
+ }
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4,6 +4,7 @@
+ * Copyright (C) 2018 Samsung Electronics Co., Ltd.
+ */
+
++#include
+ #include
+ #include
+ #include
+@@ -8879,7 +8880,7 @@ int smb2_check_sign_req(struct ksmbd_wor
+ ksmbd_sign_smb2_pdu(work->conn, work->sess->sess_key, iov, 1,
+ signature);
+
+- if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
++ if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+ pr_err("bad smb2 signature\n");
+ return 0;
+ }
+@@ -8967,7 +8968,7 @@ int smb3_check_sign_req(struct ksmbd_wor
+ if (ksmbd_sign_smb3_pdu(conn, signing_key, iov, 1, signature))
+ return 0;
+
+- if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
++ if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+ pr_err("bad smb2 signature\n");
+ return 0;
+ }
diff --git a/queue-6.19/mm-thp-deny-thp-for-files-on-anonymous-inodes.patch b/queue-6.19/mm-thp-deny-thp-for-files-on-anonymous-inodes.patch
new file mode 100644
index 0000000000..4dbbb611cd
--- /dev/null
+++ b/queue-6.19/mm-thp-deny-thp-for-files-on-anonymous-inodes.patch
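Review bot: The three `crypto_memneq()` call sites carry no comment saying why `memcmp()` is wrong here, so a later cleanup could revert them without anyone noticing. A short remark at each site would do, e.g. `/* constant-time: the peer supplies signature_req */` in `smb2_check_sign_req()` and `smb3_check_sign_req()`, and the equivalent above the `ntlmv2_hash` comparison in `ksmbd_auth_ntlmv2()`. Separately, the unchanged `pr_err("bad smb2 signature\n")` on the failure branch is reached by any client that sends a bad signature; `pr_err_ratelimited()` would keep that from flooding the log. All three functions start outside their hunks.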
@@ -0,0 +1,91 @@
+From dd085fe9a8ebfc5d10314c60452db38d2b75e609 Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey
+Date: Sat, 14 Feb 2026 05:45:35 +0530
+Subject: mm: thp: deny THP for files on anonymous inodes
+
+From: Deepanshu Kartikey
+
+commit dd085fe9a8ebfc5d10314c60452db38d2b75e609 upstream.
+
+file_thp_enabled() incorrectly allows THP for files on anonymous inodes
+(e.g. guest_memfd and secretmem). These files are created via
+alloc_file_pseudo(), which does not call get_write_access() and leaves
+inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being
+true, they appear as read-only regular files when
+CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP
+collapse.
+
+Anonymous inodes can never pass the inode_is_open_for_write() check
+since their i_writecount is never incremented through the normal VFS
+open path. The right thing to do is to exclude them from THP eligibility
+altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real
+filesystem files (e.g. shared libraries), not for pseudo-filesystem
+inodes.
+
+For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create
+large folios in the page cache via the collapse path, but the
+guest_memfd fault handler does not support large folios. This triggers
+WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().
+
+For secretmem, collapse_file() tries to copy page contents through the
+direct map, but secretmem pages are removed from the direct map. This
+can result in a kernel crash:
+
+ BUG: unable to handle page fault for address: ffff88810284d000
+ RIP: 0010:memcpy_orig+0x16/0x130
+ Call Trace:
+ collapse_file
+ hpage_collapse_scan_file
+ madvise_collapse
+
+Secretmem is not affected by the crash on upstream as the memory failure
+recovery handles the failed copy gracefully, but it still triggers
+confusing false memory failure reports:
+
+ Memory failure: 0x106d96f: recovery action for clean unevictable
+ LRU page: Recovered
+
+Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all
+anonymous inode files.
+
+Link: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44
+Link: https://lore.kernel.org/linux-mm/CAEvNRgHegcz3ro35ixkDw39ES8=U6rs6S7iP0gkR9enr7HoGtA@mail.gmail.com
+Link: https://lkml.kernel.org/r/20260214001535.435626-1-kartikey406@gmail.com
+Fixes: 7fbb5e188248 ("mm: remove VM_EXEC requirement for THP eligibility")
+Signed-off-by: Deepanshu Kartikey
+Reported-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=33a04338019ac7e43a44
+Tested-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
+Tested-by: Lance Yang
+Acked-by: David Hildenbrand (Arm)
+Reviewed-by: Barry Song
+Reviewed-by: Ackerley Tng
+Tested-by: Ackerley Tng
+Reviewed-by: Lorenzo Stoakes
+Cc: Baolin Wang
+Cc: Dev Jain
+Cc: Fangrui Song
+Cc: Liam Howlett
+Cc: Nico Pache
+Cc: Ryan Roberts
+Cc: Yang Shi
+Cc: Zi Yan
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/huge_memory.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -94,6 +94,9 @@ static inline bool file_thp_enabled(stru
+
+ inode = file_inode(vma->vm_file);
+
++ if (IS_ANON_FILE(inode))
++ return false;
++
+ return !inode_is_open_for_write(inode) && S_ISREG(inode->i_mode);
+ }
+
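Review bot: The new `if (IS_ANON_FILE(inode)) return false;` in file_thp_enabled() (mm/huge_memory.c) has no comment, and its reason is not visible from the code, because such files pass the `!inode_is_open_for_write(inode) && S_ISREG(inode->i_mode)` test on the following line. I would add above the check `/* Anonymous-inode files (e.g. guest_memfd, secretmem) look like read-only regular files here but must never be THP-collapsed. */`. Without it the early return reads as redundant and is easy to drop in a later cleanup. The function starts outside the hunk.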
diff --git a/queue-6.19/mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch b/queue-6.19/mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch
new file mode 100644
index 0000000000..0ef66e7976
--- /dev/null
+++ b/queue-6.19/mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch
@@ -0,0 +1,120 @@
+From fb8d0bccb221080630efcd9660c9f9349e53cc9e Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Tue, 3 Mar 2026 11:56:03 +0100
+Subject: mptcp: pm: avoid sending RM_ADDR over same subflow
+
+From: Matthieu Baerts (NGI0)
+
+commit fb8d0bccb221080630efcd9660c9f9349e53cc9e upstream.
+
+RM_ADDR are sent over an active subflow, the first one in the subflows
+list. There is then a high chance the initial subflow is picked. With
+the in-kernel PM, when an endpoint is removed, a RM_ADDR is sent, then
+linked subflows are closed. This is done for each active MPTCP
+connection.
+
+MPTCP endpoints are likely removed because the attached network is no
+longer available or usable. In this case, it is better to avoid sending
+this RM_ADDR over the subflow that is going to be removed, but prefer
+sending it over another active and non stale subflow, if any.
+
+This modification avoids situations where the other end is not notified
+when a subflow is no longer usable: typically when the endpoint linked
+to the initial subflow is removed, especially on the server side.
+
+Fixes: 8dd5efb1f91b ("mptcp: send ack for rm_addr")
+Cc: stable@vger.kernel.org
+Reported-by: Frank Lorenz
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/612
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-2-4b5462b6f016@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/pm.c | 55 +++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 43 insertions(+), 12 deletions(-)
+
+--- a/net/mptcp/pm.c
++++ b/net/mptcp/pm.c
+@@ -212,9 +212,24 @@ void mptcp_pm_send_ack(struct mptcp_sock
+ spin_lock_bh(&msk->pm.lock);
+ }
+
+-void mptcp_pm_addr_send_ack(struct mptcp_sock *msk)
++static bool subflow_in_rm_list(const struct mptcp_subflow_context *subflow,
++ const struct mptcp_rm_list *rm_list)
++{
++ u8 i, id = subflow_get_local_id(subflow);
++
++ for (i = 0; i < rm_list->nr; i++) {
++ if (rm_list->ids[i] == id)
++ return true;
++ }
++
++ return false;
++}
++
++static void
++mptcp_pm_addr_send_ack_avoid_list(struct mptcp_sock *msk,
++ const struct mptcp_rm_list *rm_list)
+ {
+- struct mptcp_subflow_context *subflow, *alt = NULL;
++ struct mptcp_subflow_context *subflow, *stale = NULL, *same_id = NULL;
+
+ msk_owned_by_me(msk);
+ lockdep_assert_held(&msk->pm.lock);
+@@ -224,19 +239,35 @@ void mptcp_pm_addr_send_ack(struct mptcp
+ return;
+
+ mptcp_for_each_subflow(msk, subflow) {
+- if (__mptcp_subflow_active(subflow)) {
+- if (!subflow->stale) {
+- mptcp_pm_send_ack(msk, subflow, false, false);
+- return;
+- }
++ if (!__mptcp_subflow_active(subflow))
++ continue;
+
+- if (!alt)
+- alt = subflow;
++ if (unlikely(subflow->stale)) {
++ if (!stale)
++ stale = subflow;
++ } else if (unlikely(rm_list &&
++ subflow_in_rm_list(subflow, rm_list))) {
++ if (!same_id)
++ same_id = subflow;
++ } else {
++ goto send_ack;
+ }
+ }
+
+- if (alt)
+- mptcp_pm_send_ack(msk, alt, false, false);
++ if (same_id)
++ subflow = same_id;
++ else if (stale)
++ subflow = stale;
++ else
++ return;
++
++send_ack:
++ mptcp_pm_send_ack(msk, subflow, false, false);
++}
++
++void mptcp_pm_addr_send_ack(struct mptcp_sock *msk)
++{
++ mptcp_pm_addr_send_ack_avoid_list(msk, NULL);
+ }
+
+ int mptcp_pm_mp_prio_send_ack(struct mptcp_sock *msk,
+@@ -470,7 +501,7 @@ int mptcp_pm_remove_addr(struct mptcp_so
+ msk->pm.rm_list_tx = *rm_list;
+ rm_addr |= BIT(MPTCP_RM_ADDR_SIGNAL);
+ WRITE_ONCE(msk->pm.addr_signal, rm_addr);
+- mptcp_pm_addr_send_ack(msk);
++ mptcp_pm_addr_send_ack_avoid_list(msk, rm_list);
+ return 0;
+ }
+
diff --git a/queue-6.19/mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch b/queue-6.19/mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch
new file mode 100644
index 0000000000..777920e787
--- /dev/null
+++ b/queue-6.19/mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch
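Review bot: mptcp_pm_addr_send_ack_avoid_list() in net/mptcp/pm.c chooses a subflow by an order of preference that is nowhere written down and has to be reconstructed from the loop plus the fallthrough after it: first active non-stale subflow whose local id is not in `rm_list`, else the first non-stale one that is in `rm_list`, else the first stale one. A short comment above the function stating that order would help, since the `goto send_ack` out of `mptcp_for_each_subflow()` hides it. The stale test also runs before `subflow_in_rm_list()`, so the stale fallback can be a subflow that is about to be removed even if another stale subflow outside the list exists; if that is intended, the comment should say so. A few lines of the function between the first two hunks are not shown.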
@@ -0,0 +1,120 @@ +From 579a752464a64cb5f9139102f0e6b90a1f595ceb Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 3 Mar 2026 11:56:05 +0100 +Subject: mptcp: pm: in-kernel: always mark signal+subflow endp as used + +From: Matthieu Baerts (NGI0) + +commit 579a752464a64cb5f9139102f0e6b90a1f595ceb upstream. + +Syzkaller managed to find a combination of actions that was generating +this warning: + + msk->pm.local_addr_used == 0 + WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961 + WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961 + WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961 + Modules linked in: + CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full) + Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014 + RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline] + RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline] + RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210 + Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a + RSP: 0018:ffffc90001663880 EFLAGS: 00010293 + RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff + R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640 + R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650 + FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000 + CS: 
0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0 + Call Trace: + + genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] + netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344 + netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0xc9/0xf0 net/socket.c:742 + ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592 + ___sys_sendmsg+0x2de/0x320 net/socket.c:2646 + __sys_sendmsg net/socket.c:2678 [inline] + __do_sys_sendmsg net/socket.c:2683 [inline] + __se_sys_sendmsg net/socket.c:2681 [inline] + __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f66346f826d + Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 + RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d + RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007 + RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8 + R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770 + + +The actions that caused that seem to be: + + - Set the MPTCP subflows limit to 0 + - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags + - Create a new MPTCP connection from a different address: an 
ADD_ADDR + linked to the MPTCP endpoint will be sent ('signal' flag), but no + subflows is initiated ('subflow' flag) + - Remove the MPTCP endpoint + +In this case, msk->pm.local_addr_used has been kept to 0 -- because no +subflows have been created -- but the corresponding bit in +msk->pm.id_avail_bitmap has been cleared when the ADD_ADDR has been +sent. This later causes a splat when removing the MPTCP endpoint because +msk->pm.local_addr_used has been kept to 0. + +Now, if an endpoint has both the signal and subflow flags, but it is not +possible to create subflows because of the limits or the c-flag case, +then the local endpoint counter is still incremented: the endpoint is +used at the end. This avoids issues later when removing the endpoint and +calling __mark_subflow_endp_available(), which expects +msk->pm.local_addr_used to have been previously incremented if the +endpoint was marked as used according to msk->pm.id_avail_bitmap. + +Note that signal_and_subflow variable is reset to false when the limits +and the c-flag case allows subflows creation. Also, local_addr_used is +only incremented for non ID0 subflows. + +Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/613 +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-4-4b5462b6f016@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_kernel.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/mptcp/pm_kernel.c ++++ b/net/mptcp/pm_kernel.c +@@ -418,6 +418,15 @@ subflow: + } + + exit: ++ /* If an endpoint has both the signal and subflow flags, but it is not ++ * possible to create subflows -- the 'while' loop body above never ++ * executed -- then still mark the endp as used, which is somehow the ++ * case. 
This avoids issues later when removing the endpoint and calling ++ * __mark_subflow_endp_available(), which expects the increment here. ++ */ ++ if (signal_and_subflow && local.addr.id != msk->mpc_endpoint_id) ++ msk->pm.local_addr_used++; ++ + mptcp_pm_nl_check_work_pending(msk); + } + diff --git a/queue-6.19/net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch b/queue-6.19/net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch new file mode 100644 index 0000000000..eab7e2e611 --- /dev/null +++ b/queue-6.19/net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch 
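Review bot: The comment added at the `exit:` label in net/mptcp/pm_kernel.c does not match the test it documents: it speaks of "the 'while' loop body above never executed", while the code checks `signal_and_subflow`, and "which is somehow the case" does not say what is the case. I would tie the wording to the flag, e.g. `/* signal_and_subflow is still set only when no subflow could be created for a signal+subflow endpoint; count the endpoint as used so __mark_subflow_endp_available() stays balanced. */`. The place where the flag is cleared lies outside the hunk, so that invariant should be confirmed there before the comment is reworded.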
@@ -0,0 +1,123 @@
+From c8dbdc6e380e7e96a51706db3e4b7870d8a9402d Mon Sep 17 00:00:00 2001
+From: Andrew Lunn
+Date: Sun, 22 Feb 2026 16:26:01 +0100
+Subject: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
+
+From: Andrew Lunn
+
+commit c8dbdc6e380e7e96a51706db3e4b7870d8a9402d upstream.
+
+There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and
+LED_TRIGGER_PHY are enabled:
+
+[ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock);
+[ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234
+[ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c
+[ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c
+[ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0
+[ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0
+[ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c
+[ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78
+[ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock();
+[ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0
+[ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c
+[ 1362.104022] [<80014504>] syscall_common+0x34/0x58
+
+Here LED_TRIGGER_PHY is registering LED triggers during phy_attach
+while holding RTNL and then taking triggers_list_lock.
+
+[ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock();
+[ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4
+[ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock);
+[ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c
+[ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc
+[ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c
+[ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4
+[ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c
+[ 1362.232164] [<80014504>] syscall_common+0x34/0x58
+
+Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes
+triggers_list_lock and then RTNL. A classical AB-BA deadlock.
+
+phy_led_triggers_registers() does not require the RTNL, it does not
+make any calls into the network stack which require protection. There
+is also no requirement the PHY has been attached to a MAC, the
+triggers only make use of phydev state. This allows the call to
+phy_led_triggers_registers() to be placed elsewhere. PHY probe() and
+release() don't hold RTNL, so solving the AB-BA deadlock.
+
+Reported-by: Shiji Yang
+Closes: https://lore.kernel.org/all/OS7PR01MB13602B128BA1AD3FA38B6D1FFBC69A@OS7PR01MB13602.jpnprd01.prod.outlook.com/
+Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Lunn
+Tested-by: Shiji Yang
+Link: https://patch.msgid.link/20260222152601.1978655-1-andrew@lunn.ch
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/phy_device.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1763,8 +1763,6 @@ int phy_attach_direct(struct net_device
+ goto error;
+
+ phy_resume(phydev);
+- if (!phydev->is_on_sfp_module)
+- phy_led_triggers_register(phydev);
+
+ /**
+ * If the external phy used by current mac interface is managed by
+@@ -1879,9 +1877,6 @@ void phy_detach(struct phy_device *phyde
+ phydev->phy_link_change = NULL;
+ phydev->phylink = NULL;
+
+- if (!phydev->is_on_sfp_module)
+- phy_led_triggers_unregister(phydev);
+-
+ if (phydev->mdio.dev.driver)
+ module_put(phydev->mdio.dev.driver->owner);
+
+@@ -3512,16 +3507,27 @@ static int phy_probe(struct device *dev)
+ /* Set the state to READY by default */
+ phydev->state = PHY_READY;
+
++ /* Register the PHY LED triggers */
++ if (!phydev->is_on_sfp_module)
++ phy_led_triggers_register(phydev);
++
+ /* Get the LEDs from the device tree, and instantiate standard
+ * LEDs for them.
+ */
+- if (IS_ENABLED(CONFIG_PHYLIB_LEDS) && !phy_driver_is_genphy(phydev))
++ if (IS_ENABLED(CONFIG_PHYLIB_LEDS) && !phy_driver_is_genphy(phydev)) {
+ err = of_phy_leds(phydev);
++ if (err)
++ goto out;
++ }
++
++ return 0;
+
+ out:
++ if (!phydev->is_on_sfp_module)
++ phy_led_triggers_unregister(phydev);
++
+ /* Re-assert the reset signal on error */
+- if (err)
+- phy_device_reset(phydev, 1);
++ phy_device_reset(phydev, 1);
+
+ return err;
+ }
+@@ -3535,6 +3541,9 @@ static int phy_remove(struct device *dev
+ if (IS_ENABLED(CONFIG_PHYLIB_LEDS) && !phy_driver_is_genphy(phydev))
+ phy_leds_unregister(phydev);
+
++ if (!phydev->is_on_sfp_module)
++ phy_led_triggers_unregister(phydev);
++
+ phydev->state = PHY_DOWN;
+
+ sfp_bus_del_upstream(phydev->sfp_bus);
diff --git a/queue-6.19/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch b/queue-6.19/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
new file mode 100644
index 0000000000..68a99b8a63
--- /dev/null
+++ b/queue-6.19/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
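Review bot: In phy_probe() (drivers/net/phy/phy_device.c) the `out:` label now runs `phy_led_triggers_unregister(phydev)` unconditionally, so any earlier failure path that jumps to `out` before the new `phy_led_triggers_register()` call would unregister triggers that were never registered. That is safe only if the unregister helper tolerates that state, which cannot be checked from this hunk. Either confirm it and say so in a comment at `out:`, or add an `out_unregister:` label in front of the unregister lines, use `goto out_unregister;` for the `of_phy_leds()` failure, and move `out:` down to the reset. The return value of `phy_led_triggers_register()` is also ignored at its new call site. phy_probe() starts outside the hunk.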
@@ -0,0 +1,115 @@ +From e35626f610f3d2b7953ccddf6a77453da22b3a9e Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Tue, 24 Feb 2026 21:28:32 +0100 +Subject: net/sched: ets: fix divide by zero in the offload path + +From: Davide Caratti + +commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream. + +Offloading ETS requires computing each class' WRR weight: this is done by +averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned +int, the same integer size as the individual DRR quanta, can overflow and +even cause division by zero, like it happened in the following splat: + + Oops: divide error: 0000 [#1] SMP PTI + CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full) + Tainted: [E]=UNSIGNED_MODULE + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] + Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 + RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 + RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 + RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe + R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe + R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 + FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 + Call Trace: + + ets_qdisc_change+0x870/0xf40 [sch_ets] + qdisc_create+0x12b/0x540 + tc_modify_qdisc+0x6d7/0xbd0 + rtnetlink_rcv_msg+0x168/0x6b0 + netlink_rcv_skb+0x5c/0x110 + netlink_unicast+0x1d6/0x2b0 + netlink_sendmsg+0x22e/0x470 + ____sys_sendmsg+0x38a/0x3c0 + ___sys_sendmsg+0x99/0xe0 + __sys_sendmsg+0x8a/0xf0 + do_syscall_64+0x111/0xf80 + 
entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f440b81c77e + Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa + RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e + RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003 + RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8 + R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980 + + Modules linked in: sch_ets(E) netdevsim(E) + ---[ end trace 0000000000000000 ]--- + RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] + Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 + RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 + RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 + RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe + R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe + R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 + FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 + Kernel panic - not syncing: Fatal exception + Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Fix this using 64-bit integers for 'q_sum' and 'q_psum'. 
+ +Cc: stable@vger.kernel.org +Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable") +Signed-off-by: Davide Caratti +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Petr Machata +Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd + struct ets_sched *q = qdisc_priv(sch); + struct tc_ets_qopt_offload qopt; + unsigned int w_psum_prev = 0; +- unsigned int q_psum = 0; +- unsigned int q_sum = 0; + unsigned int quantum; + unsigned int w_psum; + unsigned int weight; + unsigned int i; ++ u64 q_psum = 0; ++ u64 q_sum = 0; + + if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc) + return; +@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd + + for (i = 0; i < q->nbands; i++) { + quantum = q->classes[i].quantum; +- q_psum += quantum; +- w_psum = quantum ? q_psum * 100 / q_sum : 0; ++ if (quantum) { ++ q_psum += quantum; ++ w_psum = div64_u64(q_psum * 100, q_sum); ++ } else { ++ w_psum = 0; ++ } + weight = w_psum - w_psum_prev; + w_psum_prev = w_psum; + diff --git a/queue-6.19/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch b/queue-6.19/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch new file mode 100644 index 0000000000..0e369eaf71 --- /dev/null +++ b/queue-6.19/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch 
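Review bot: In ets_offload_change() (net/sched/sch_ets.c) the new `div64_u64(q_psum * 100, q_sum)` is guarded against a zero divisor only indirectly, through `if (quantum)`. That guard implies a non-zero `q_sum` only if `q_sum` is the sum of the same band quanta, which is presumably computed in the lines between the two hunks and is not visible here. A one-line comment would record the dependency, e.g. `/* quantum != 0 implies q_sum != 0: q_sum sums every band's quantum */`. The 64-bit quotient is stored in the `unsigned int` `w_psum`, which is fine as long as `q_psum <= q_sum` and rests on the same loop.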
@@ -0,0 +1,73 @@
+From 1cb968a2013ffa8112d52ebe605009ea1c6a582c Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Sat, 24 Jan 2026 04:18:40 +0000
+Subject: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().
+
+From: Kuniyuki Iwashima
+
+commit 1cb968a2013ffa8112d52ebe605009ea1c6a582c upstream.
+
+syzbot reported memory leak of struct cred. [0]
+
+nfsd_nl_threads_set_doit() passes get_current_cred() to
+nfsd_svc(), but put_cred() is not called after that.
+
+The cred is finally passed down to _svc_xprt_create(),
+which calls get_cred() with the cred for struct svc_xprt.
+
+The ownership of the refcount by get_current_cred() is not
+transferred to anywhere and is just leaked.
+
+nfsd_svc() is also called from write_threads(), but it does
+not bump file->f_cred there.
+
+nfsd_nl_threads_set_doit() is called from sendmsg() and
+current->cred does not go away.
+
+Let's use current_cred() in nfsd_nl_threads_set_doit().
+
+[0]:
+BUG: memory leak
+unreferenced object 0xffff888108b89480 (size 184):
+ comm "syz-executor", pid 5994, jiffies 4294943386
+ hex dump (first 32 bytes):
+ 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 369454a7):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
+ prepare_creds+0x22/0x600 kernel/cred.c:185
+ copy_creds+0x44/0x290 kernel/cred.c:286
+ copy_process+0x7a7/0x2870 kernel/fork.c:2086
+ kernel_clone+0xac/0x6e0 kernel/fork.c:2651
+ __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 924f4fb003ba ("NFSD: convert write_threads to netlink command")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+dd3b43aa0204089217ee@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69744674.a00a0220.33ccc7.0000.GAE@google.com/
+Tested-by: syzbot+dd3b43aa0204089217ee@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfsctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1642,7 +1642,7 @@ int nfsd_nl_threads_set_doit(struct sk_b
+ scope = nla_data(attr);
+ }
+
+- ret = nfsd_svc(nrpools, nthreads, net, get_current_cred(), scope);
++ ret = nfsd_svc(nrpools, nthreads, net, current_cred(), scope);
+ if (ret > 0)
+ ret = 0;
+ out_unlock:
diff --git a/queue-6.19/perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch b/queue-6.19/perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch
new file mode 100644
index 0000000000..cb8cbe4f95
--- /dev/null
+++ b/queue-6.19/perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch
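Review bot: The call `nfsd_svc(nrpools, nthreads, net, current_cred(), scope)` in nfsd_nl_threads_set_doit() (fs/nfsd/nfsctl.c) now passes a borrowed cred pointer, and nothing at the call site records that nfsd_svc() must not keep it without taking its own reference. I would add above the call `/* borrowed cred: nfsd_svc() takes its own references where it stores it */`, so the `get_current_cred()` form is not reintroduced and a future change inside nfsd_svc() is checked against this caller. nfsd_svc() is not visible here and the function starts and ends outside the hunk, so the contract should be confirmed against its definition.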
@@ -0,0 +1,81 @@
+From 6a8a48644c4b804123e59dbfc5d6cd29a0194046 Mon Sep 17 00:00:00 2001
+From: Zide Chen
+Date: Mon, 9 Feb 2026 16:52:25 -0800
+Subject: perf/x86/intel/uncore: Add per-scheduler IMC CAS count events
+
+From: Zide Chen
+
+commit 6a8a48644c4b804123e59dbfc5d6cd29a0194046 upstream.
+
+IMC on SPR and EMR does not support sub-channels. In contrast, CPUs
+that use gnr_uncores[] (e.g. Granite Rapids and Sierra Forest)
+implement two command schedulers (SCH0/SCH1) per memory channel,
+providing logically independent command and data paths.
+
+Do not reuse the spr_uncore_imc[] configuration for these CPUs.
+Instead, introduce a dedicated gnr_uncore_imc[] with per-scheduler
+events, so userspace can monitor SCH0 and SCH1 independently.
+
+On these CPUs, replace cas_count_{read,write} with
+cas_count_{read,write}_sch{0,1}. This may break existing userspace
+that relies on cas_count_{read,write}, prompting it to switch to the
+per-scheduler events, as the legacy event reports only partial
+traffic (SCH0).
+
+Fixes: 632c4bf6d007 ("perf/x86/intel/uncore: Support Granite Rapids")
+Fixes: cb4a6ccf3583 ("perf/x86/intel/uncore: Support Sierra Forest and Grand Ridge")
+Reported-by: Reinette Chatre
+Signed-off-by: Zide Chen
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Dapeng Mi
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260210005225.20311-1-zide.chen@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/events/intel/uncore_snbep.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -6610,6 +6610,32 @@ static struct intel_uncore_type gnr_unco
+ .attr_update = uncore_alias_groups,
+ };
+
++static struct uncore_event_desc gnr_uncore_imc_events[] = {
++ INTEL_UNCORE_EVENT_DESC(clockticks, "event=0x01,umask=0x00"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0, "event=0x05,umask=0xcf"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0.scale, "6.103515625e-5"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch0.unit, "MiB"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1, "event=0x06,umask=0xcf"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1.scale, "6.103515625e-5"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_read_sch1.unit, "MiB"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0, "event=0x05,umask=0xf0"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0.scale, "6.103515625e-5"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch0.unit, "MiB"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1, "event=0x06,umask=0xf0"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1.scale, "6.103515625e-5"),
++ INTEL_UNCORE_EVENT_DESC(cas_count_write_sch1.unit, "MiB"),
++ { /* end: all zeroes */ },
++};
++
++static struct intel_uncore_type gnr_uncore_imc = {
++ SPR_UNCORE_MMIO_COMMON_FORMAT(),
++ .name = "imc",
++ .fixed_ctr_bits = 48,
++ .fixed_ctr = SNR_IMC_MMIO_PMON_FIXED_CTR,
++ .fixed_ctl = SNR_IMC_MMIO_PMON_FIXED_CTL,
++ .event_descs = gnr_uncore_imc_events,
++};
++
+ static struct intel_uncore_type gnr_uncore_pciex8 = {
+ SPR_UNCORE_PCI_COMMON_FORMAT(),
+ .name = "pciex8",
+@@ -6657,7 +6683,7 @@ static struct intel_uncore_type *gnr_unc
+ NULL,
+ &spr_uncore_pcu,
+ &gnr_uncore_ubox,
+- &spr_uncore_imc,
++ &gnr_uncore_imc,
+ NULL,
+ &gnr_uncore_upi,
+ NULL,
diff --git a/queue-6.19/platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch b/queue-6.19/platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch
new file mode 100644
index 0000000000..3384be80fe
--- /dev/null
+++ b/queue-6.19/platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch
@@ -0,0 +1,37 @@
+From bd5914caeb4b2de233992c31babccda88041b035 Mon Sep 17 00:00:00 2001
+From: Kurt Borja
+Date: Thu, 29 Jan 2026 12:19:24 -0500
+Subject: platform/x86: alienware-wmi-wmax: Add G-Mode support to m18 laptops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja
+
+commit bd5914caeb4b2de233992c31babccda88041b035 upstream.
+
+Alienware m18 laptops support G-Mode. Therefore, match them with
+G-Series quirks.
+
+Cc: stable@vger.kernel.org
+Tested-by: Olexa Bilaniuk
+Signed-off-by: Kurt Borja
+Link: https://patch.msgid.link/20260129-m18-gmode-v1-1-48be521487b9@gmail.com
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/dell/alienware-wmi-wmax.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/dell/alienware-wmi-wmax.c
++++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c
+@@ -175,7 +175,7 @@ static const struct dmi_system_id awcc_d
+ DMI_MATCH(DMI_SYS_VENDOR, "Alienware"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m18"),
+ },
+- .driver_data = &generic_quirks,
++ .driver_data = &g_series_quirks,
+ },
+ {
+ .ident = "Alienware x15",
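Review bot: In the uncore patch, the scale string `"6.103515625e-5"` appears four times in the new gnr_uncore_imc_events[] table (arch/x86/events/intel/uncore_snbep.c) with no explanation. The value equals 64 / 2^20, which presumably means 64 bytes per CAS converted to the `"MiB"` unit given on the next line. A comment above the table such as `/* scale: 64 bytes per CAS, reported in MiB (64 / 2^20) */` would let a reader check the constant instead of trusting it.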
diff --git a/queue-6.19/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch b/queue-6.19/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
new file mode 100644
index 0000000000..c79bf638b3
--- /dev/null
+++ b/queue-6.19/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
@@ -0,0 +1,42 @@
+From 26a7601471f62b95d56a81c3a8ccb551b5a6630f Mon Sep 17 00:00:00 2001
+From: Kurt Borja
+Date: Sat, 7 Feb 2026 12:16:34 -0500
+Subject: platform/x86: dell-wmi: Add audio/mic mute key codes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja
+
+commit 26a7601471f62b95d56a81c3a8ccb551b5a6630f upstream.
+
+Add audio/mic mute key codes found in Alienware m18 r1 AMD.
+
+Cc: stable@vger.kernel.org
+Tested-by: Olexa Bilaniuk
+Suggested-by: Olexa Bilaniuk
+Signed-off-by: Kurt Borja
+Acked-by: Pali Rohár
+Link: https://patch.msgid.link/20260207-mute-keys-v2-1-c55e5471c9c1@gmail.com
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/dell/dell-wmi-base.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/platform/x86/dell/dell-wmi-base.c
++++ b/drivers/platform/x86/dell/dell-wmi-base.c
+@@ -80,6 +80,12 @@ static const struct dmi_system_id dell_w
+ static const struct key_entry dell_wmi_keymap_type_0000[] = {
+ { KE_IGNORE, 0x003a, { KEY_CAPSLOCK } },
+
++ /* Audio mute toggle */
++ { KE_KEY, 0x0109, { KEY_MUTE } },
++
++ /* Mic mute toggle */
++ { KE_KEY, 0x0150, { KEY_MICMUTE } },
++
+ /* Meta key lock */
+ { KE_IGNORE, 0xe000, { KEY_RIGHTMETA } },
+
diff --git a/queue-6.19/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch b/queue-6.19/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
new file mode 100644
index 0000000000..6defa6a5fb
--- /dev/null
+++ b/queue-6.19/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
@@ -0,0 +1,37 @@
+From d1a196e0a6dcddd03748468a0e9e3100790fc85c Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Tue, 3 Mar 2026 12:30:51 +0100
+Subject: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thorsten Blum
+
+commit d1a196e0a6dcddd03748468a0e9e3100790fc85c upstream.
+
+set_new_password() hex dumps the entire buffer, which contains plaintext
+password data, including current and new passwords. Remove the hex dump
+to avoid leaking credentials.
+
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum
+Link: https://patch.msgid.link/20260303113050.58127-2-thorsten.blum@linux.dev
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c
+@@ -93,7 +93,6 @@ int set_new_password(const char *passwor
+ if (ret < 0)
+ goto out;
+
+- print_hex_dump_bytes("set new password data: ", DUMP_PREFIX_NONE, buffer, buffer_size);
+ ret = call_password_interface(wmi_priv.password_attr_wdev, buffer, buffer_size);
+ /* on success copy the new password to current password */
+ if (!ret)
diff --git a/queue-6.19/rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch b/queue-6.19/rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch
new file mode 100644
index 0000000000..5f3d3a31da
--- /dev/null
+++ b/queue-6.19/rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch
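Review bot: After this change `buffer` still holds the current and new passwords in plaintext for the whole `call_password_interface()` call, and the hunk does not show how it is released. set_new_password()'s cleanup path is outside the hunk, so this is a point to confirm rather than a defect seen here: if the buffer is released with plain `kfree()`, `kfree_sensitive(buffer);` would clear the credentials before the memory is reused. A short comment at the call, e.g. `/* buffer carries plaintext passwords: never log or dump it */`, would also keep the dump from being reintroduced during debugging.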
@@ -0,0 +1,45 @@
+From faa72102b178c7ae6c6afea23879e7c84fc59b4e Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Mon, 16 Feb 2026 11:02:50 -0400
+Subject: RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
+
+From: Jason Gunthorpe
+
+commit faa72102b178c7ae6c6afea23879e7c84fc59b4e upstream.
+
+struct ionic_cq_resp resp {
+ __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below)
+ __u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask)
+ __u8 rsvd[7]; // offset 9 - NEVER SET <- LEAK
+};
+
+rsvd[7]: 7 bytes of stack memory leaked unconditionally.
+
+cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices
+where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 entries but
+udma_count could be 1, meaning cqid[1] might never be written via
+ionic_create_cq_common(). If udma_mask only has bit 0 set, cqid[1] (4
+bytes) is also leaked. So potentially 11 bytes leaked.
+
+Cc: stable@vger.kernel.org
+Fixes: e8521822c733 ("RDMA/ionic: Register device ops for control path")
+Signed-off-by: Jason Gunthorpe
+Link: https://patch.msgid.link/4-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Acked-by: Abhijit Gangurde
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/ionic/ionic_controlpath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/ionic/ionic_controlpath.c
++++ b/drivers/infiniband/hw/ionic/ionic_controlpath.c
+@@ -1218,7 +1218,7 @@ int ionic_create_cq(struct ib_cq *ibcq,
+ rdma_udata_to_drv_context(udata, struct ionic_ctx, ibctx);
+ struct ionic_vcq *vcq = to_ionic_vcq(ibcq);
+ struct ionic_tbl_buf buf = {};
+- struct ionic_cq_resp resp;
++ struct ionic_cq_resp resp = {};
+ struct ionic_cq_req req;
+ int udma_idx = 0, rc;
+
diff --git a/queue-6.19/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch b/queue-6.19/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
new file mode 100644
index 0000000000..9c1066aab2
--- /dev/null
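Review bot: Nothing in the code records why `resp` needs the `= {}` initializer in ionic_create_cq(), so a later cleanup could drop it and reopen the leak of `rsvd[]` and the unwritten `cqid[]` slot that the commit message describes. A one-line comment on the declaration, such as `/* zeroed: reserved and unwritten fields are returned to userspace too */`, would document it. The same applies to `uresp` in irdma_create_user_ah() in the next patch. The code that returns the structure is outside both hunks, so the comment wording should be checked against it.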
+++ b/queue-6.19/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
@@ -0,0 +1,39 @@
+From 74586c6da9ea222a61c98394f2fc0a604748438c Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Mon, 16 Feb 2026 11:02:49 -0400
+Subject: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
+
+From: Jason Gunthorpe
+
+commit 74586c6da9ea222a61c98394f2fc0a604748438c upstream.
+
+struct irdma_create_ah_resp { // 8 bytes, no padding
+ __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
+ __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK
+};
+
+rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().
+
+The reserved members of the structure were not zeroed.
+
+Cc: stable@vger.kernel.org
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Jason Gunthorpe
+Link: https://patch.msgid.link/3-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/irdma/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -5209,7 +5209,7 @@ static int irdma_create_user_ah(struct i
+ #define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd)
+ struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah);
+ struct irdma_device *iwdev = to_iwdev(ibah->pd->device);
+- struct irdma_create_ah_resp uresp;
++ struct irdma_create_ah_resp uresp = {};
+ struct irdma_ah *parent_ah;
+ int err;
+
diff --git a/queue-6.19/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch b/queue-6.19/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
new file mode 100644
index 0000000000..e07b6f9f52
--- /dev/null
+++ b/queue-6.19/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
@@ -0,0 +1,48 @@
+From 1ac22c8eae81366101597d48360718dff9b9d980 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi
+Date: Mon, 23 Feb 2026 15:27:28 -0800
+Subject: scsi: core: Fix refcount leak for tagset_refcnt
+
+From: Junxiao Bi
+
+commit 1ac22c8eae81366101597d48360718dff9b9d980 upstream.
+
+This leak will cause a hang when tearing down the SCSI host. For example,
+iscsid hangs with the following call trace:
+
+[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured
+
+PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid"
+ #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
+ #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
+ #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
+ #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
+ #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
+ #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
+ #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
+ #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
+ #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
+ #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef
+
+Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junxiao Bi
+Reviewed-by: Mike Christie
+Reviewed-by: Bart Van Assche
+Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/scsi_scan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -361,6 +361,7 @@ static struct scsi_device *scsi_alloc_sd
+ * since we use this queue depth most of times.
+ */
+ if (scsi_realloc_sdev_budget_map(sdev, depth)) {
++ kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
+ put_device(&starget->dev);
+ kfree(sdev);
+ goto out;
diff --git a/queue-6.19/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch b/queue-6.19/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
new file mode 100644
index 0000000000..226ce390c4
--- /dev/null
+++ b/queue-6.19/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
@@ -0,0 +1,92 @@ +From 14d4ac19d1895397532eec407433c5d74d9da53b Mon Sep 17 00:00:00 2001 +From: Prithvi Tambewagh +Date: Mon, 16 Feb 2026 11:50:02 +0530 +Subject: scsi: target: Fix recursive locking in __configfs_open_file() + +From: Prithvi Tambewagh + +commit 14d4ac19d1895397532eec407433c5d74d9da53b upstream. + +In flush_write_buffer, &p->frag_sem is acquired and then the loaded store +function is called, which, here, is target_core_item_dbroot_store(). This +function called filp_open(), following which these functions were called +(in reverse order), according to the call trace: + + down_read + __configfs_open_file + do_dentry_open + vfs_open + do_open + path_openat + do_filp_open + file_open_name + filp_open + target_core_item_dbroot_store + flush_write_buffer + configfs_write_iter + +target_core_item_dbroot_store() tries to validate the new file path by +trying to open the file path provided to it; however, in this case, the bug +report shows: + +db_root: not a directory: /sys/kernel/config/target/dbroot + +indicating that the same configfs file was tried to be opened, on which it +is currently working on. Thus, it is trying to acquire frag_sem semaphore +of the same file of which it already holds the semaphore obtained in +flush_write_buffer(), leading to acquiring the semaphore in a nested manner +and a possibility of recursive locking. + +Fix this by modifying target_core_item_dbroot_store() to use kern_path() +instead of filp_open() to avoid opening the file using filesystem-specific +function __configfs_open_file(), and further modifying it to make this fix +compatible. 
+ +Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797 +Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Prithvi Tambewagh +Reviewed-by: Dmitry Bogdanov +Link: https://patch.msgid.link/20260216062002.61937-1-activprithvi@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_configfs.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -108,8 +108,8 @@ static ssize_t target_core_item_dbroot_s + const char *page, size_t count) + { + ssize_t read_bytes; +- struct file *fp; + ssize_t r = -EINVAL; ++ struct path path = {}; + + mutex_lock(&target_devices_lock); + if (target_devices) { +@@ -131,17 +131,14 @@ static ssize_t target_core_item_dbroot_s + db_root_stage[read_bytes - 1] = '\0'; + + /* validate new db root before accepting it */ +- fp = filp_open(db_root_stage, O_RDONLY, 0); +- if (IS_ERR(fp)) { ++ r = kern_path(db_root_stage, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path); ++ if (r) { + pr_err("db_root: cannot open: %s\n", db_root_stage); ++ if (r == -ENOTDIR) ++ pr_err("db_root: not a directory: %s\n", db_root_stage); + goto unlock; + } +- if (!S_ISDIR(file_inode(fp)->i_mode)) { +- filp_close(fp, NULL); +- pr_err("db_root: not a directory: %s\n", db_root_stage); +- goto unlock; +- } +- filp_close(fp, NULL); ++ path_put(&path); + + strscpy(db_root, db_root_stage); + pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root); diff --git a/queue-6.19/scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch b/queue-6.19/scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch new file mode 100644 index 0000000000..fa04cacc4a --- /dev/null +++ b/queue-6.19/scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch 
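Review bot: On a failed lookup `r` now carries kern_path()'s error code to the `unlock` label, where before the patch it stayed at `-EINVAL` for every validation failure, so the errno seen by a writer to dbroot presumably changes (the return statement is outside the hunk). If `-EINVAL` is meant to remain the contract, reset it before the jump with `r = -EINVAL;`; otherwise the new behaviour deserves a line in the commit message. Separately, an `-ENOTDIR` result logs both "cannot open" and "not a directory" for the same path; putting the two `pr_err()` calls in an if/else would leave one message per failure.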
@@ -0,0 +1,68 @@ +From 2e6b5cd6a4b37a95b78cf8c39a979b58c915c8ed Mon Sep 17 00:00:00 2001 +From: Alexey Charkov +Date: Mon, 9 Feb 2026 19:17:34 +0400 +Subject: scsi: ufs: core: Fix RPMB region size detection for UFS 2.2 + +From: Alexey Charkov + +commit 2e6b5cd6a4b37a95b78cf8c39a979b58c915c8ed upstream. + +Older UFS spec devices (2.2 and earlier) do not expose per-region RPMB +sizes, as only one RPMB region is supported. In such cases, the size of the +single RPMB region can be deduced from the Logical Block Count and Logical +Block Size fields in the RPMB Unit Descriptor. + +Add a fallback mechanism to calculate the RPMB region size from these +fields if the device implements an older spec, so that the RPMB driver can +work with such devices - otherwise it silently skips the whole RPMB. + + Section 14.1.4.6 (RPMB Unit Descriptor) + +Link: https://www.jedec.org/system/files/docs/JESD220C-2_2.pdf +Cc: stable@vger.kernel.org +Fixes: b06b8c421485 ("scsi: ufs: core: Add OP-TEE based RPMB driver for UFS devices") +Reviewed-by: Bean Huo +Signed-off-by: Alexey Charkov +Link: https://patch.msgid.link/20260209-ufs-rpmb-v3-1-b1804e71bd38@flipper.net +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -5237,6 +5238,25 @@ static void ufshcd_lu_init(struct ufs_hb + hba->dev_info.rpmb_region_size[1] = desc_buf[RPMB_UNIT_DESC_PARAM_REGION1_SIZE]; + hba->dev_info.rpmb_region_size[2] = desc_buf[RPMB_UNIT_DESC_PARAM_REGION2_SIZE]; + hba->dev_info.rpmb_region_size[3] = desc_buf[RPMB_UNIT_DESC_PARAM_REGION3_SIZE]; ++ ++ if (hba->dev_info.wspecversion <= 0x0220) { ++ /* ++ * These older spec chips have only one RPMB region, ++ * sized between 128 kB minimum and 16 MB maximum. 
++ * No per region size fields are provided (respective ++ * REGIONX_SIZE fields always contain zeros), so get ++ * it from the logical block count and size fields for ++ * compatibility ++ * ++ * (See JESD220C-2_2 Section 14.1.4.6 ++ * RPMB Unit Descriptor,* offset 13h, 4 bytes) ++ */ ++ hba->dev_info.rpmb_region_size[0] = ++ (get_unaligned_be64(desc_buf ++ + RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_COUNT) ++ << desc_buf[RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_SIZE]) ++ / SZ_128K; ++ } + } + + diff --git a/queue-6.19/selftests-mptcp-join-check-removing-signal-subflow-endp.patch b/queue-6.19/selftests-mptcp-join-check-removing-signal-subflow-endp.patch new file mode 100644 index 0000000000..6f254ecb23 --- /dev/null +++ b/queue-6.19/selftests-mptcp-join-check-removing-signal-subflow-endp.patch 
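Review bot: The shift count `desc_buf[RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_SIZE]` and the 64-bit block count are taken from the device descriptor without any bound, so a count of 64 or more makes the `<<` undefined and a large block count overflows silently before the division by SZ_128K. Bounding both before the shift, as sketched below, keeps a malformed descriptor from producing a bogus region size; the element type of `rpmb_region_size[]` is not visible here, so truncation on the final store should be checked as well. The comment also cites "offset 13h, 4 bytes" while the code reads eight bytes with get_unaligned_be64(), and it has a stray `*` after "Descriptor,". ufshcd_lu_init() starts and ends outside the hunk.

```c
	if (hba->dev_info.wspecversion <= 0x0220) {
		u8 blk_shift = desc_buf[RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_SIZE];
		u64 blk_count = get_unaligned_be64(desc_buf +
				RPMB_UNIT_DESC_PARAM_LOGICAL_BLK_COUNT);
		u64 bytes = 0;

		/* ... unchanged: comment on single-region devices ... */

		/* Descriptor fields are device-supplied: refuse a shift that overflows. */
		if (blk_shift < 64 && blk_count <= (U64_MAX >> blk_shift))
			bytes = blk_count << blk_shift;

		hba->dev_info.rpmb_region_size[0] = bytes / SZ_128K;
	}
```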
@@ -0,0 +1,57 @@ +From 1777f349ff41b62dfe27454b69c27b0bc99ffca5 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 3 Mar 2026 11:56:06 +0100 +Subject: selftests: mptcp: join: check removing signal+subflow endp + +From: Matthieu Baerts (NGI0) + +commit 1777f349ff41b62dfe27454b69c27b0bc99ffca5 upstream. + +This validates the previous commit: endpoints with both the signal and +subflow flags should always be marked as used even if it was not +possible to create new subflows due to the MPTCP PM limits. + +For this test, an extra endpoint is created with both the signal and the +subflow flags, and limits are set not to create extra subflows. In this +case, an ADD_ADDR is sent, but no subflows are created. Still, the local +endpoint is marked as used, and no warning is fired when removing the +endpoint, after having sent a RM_ADDR. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. 
+ +Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-5-4b5462b6f016@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -2637,6 +2637,19 @@ remove_tests() + chk_rst_nr 0 0 + fi + ++ # signal+subflow with limits, remove ++ if reset "remove signal+subflow with limits"; then ++ pm_nl_set_limits $ns1 0 0 ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,subflow ++ pm_nl_set_limits $ns2 0 0 ++ addr_nr_ns1=-1 speed=slow \ ++ run_tests $ns1 $ns2 10.0.1.1 ++ chk_join_nr 0 0 0 ++ chk_add_nr 1 1 ++ chk_rm_nr 1 0 invert ++ chk_rst_nr 0 0 ++ fi ++ + # addresses remove + if reset "remove addresses"; then + pm_nl_set_limits $ns1 3 3 diff --git a/queue-6.19/selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch b/queue-6.19/selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch new file mode 100644 index 0000000000..b420070388 --- /dev/null +++ b/queue-6.19/selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch 
@@ -0,0 +1,112 @@ +From 560edd99b5f58b2d4bbe3c8e51e1eed68d887b0e Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 3 Mar 2026 11:56:04 +0100 +Subject: selftests: mptcp: join: check RM_ADDR not sent over same subflow + +From: Matthieu Baerts (NGI0) + +commit 560edd99b5f58b2d4bbe3c8e51e1eed68d887b0e upstream. + +This validates the previous commit: RM_ADDR were sent over the first +found active subflow which could be the same as the one being removed. +It is more likely to loose this notification. + +For this check, RM_ADDR are explicitly dropped when trying to send them +over the initial subflow, when removing the endpoint attached to it. If +it is dropped, the test will complain because some RM_ADDR have not been +received. + +Note that only the RM_ADDR are dropped, to allow the linked subflow to +be quickly and cleanly closed. To only drop those RM_ADDR, a cBPF byte +code is used. If the IPTables commands fail, that's OK, the tests will +continue to pass, but not validate this part. This can be ignored: +another subtest fully depends on such command, and will be marked as +skipped. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. 
+ +Fixes: 8dd5efb1f91b ("mptcp: send ack for rm_addr") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-3-4b5462b6f016@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 36 ++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -104,6 +104,24 @@ CBPF_MPTCP_SUBOPTION_ADD_ADDR="14, + 6 0 0 65535, + 6 0 0 0" + ++# IPv4: TCP hdr of 48B, a first suboption of 12B (DACK8), the RM_ADDR suboption ++# generated using "nfbpf_compile '(ip[32] & 0xf0) == 0xc0 && ip[53] == 0x0c && ++# (ip[66] & 0xf0) == 0x40'" ++CBPF_MPTCP_SUBOPTION_RM_ADDR="13, ++ 48 0 0 0, ++ 84 0 0 240, ++ 21 0 9 64, ++ 48 0 0 32, ++ 84 0 0 240, ++ 21 0 6 192, ++ 48 0 0 53, ++ 21 0 4 12, ++ 48 0 0 66, ++ 84 0 0 240, ++ 21 0 1 64, ++ 6 0 0 65535, ++ 6 0 0 0" ++ + init_partial() + { + capout=$(mktemp) +@@ -4222,6 +4240,14 @@ endpoint_tests() + chk_subflow_nr "after no reject" 3 + chk_mptcp_info subflows 2 subflows 2 + ++ # To make sure RM_ADDR are sent over a different subflow, but ++ # allow the rest to quickly and cleanly close the subflow ++ local ipt=1 ++ ip netns exec "${ns2}" ${iptables} -I OUTPUT -s "10.0.1.2" \ ++ -p tcp -m tcp --tcp-option 30 \ ++ -m bpf --bytecode \ ++ "$CBPF_MPTCP_SUBOPTION_RM_ADDR" \ ++ -j DROP || ipt=0 + local i + for i in $(seq 3); do + pm_nl_del_endpoint $ns2 1 10.0.1.2 +@@ -4234,6 +4260,7 @@ endpoint_tests() + chk_subflow_nr "after re-add id 0 ($i)" 3 + chk_mptcp_info subflows 3 subflows 3 + done ++ [ ${ipt} = 1 ] && ip netns exec "${ns2}" ${iptables} -D OUTPUT 1 + + mptcp_lib_kill_group_wait $tests_pid + +@@ -4293,11 +4320,20 @@ endpoint_tests() + chk_mptcp_info subflows 2 subflows 2 + chk_mptcp_info add_addr_signal 2 add_addr_accepted 2 + ++ # To make sure 
RM_ADDR are sent over a different subflow, but ++ # allow the rest to quickly and cleanly close the subflow ++ local ipt=1 ++ ip netns exec "${ns1}" ${iptables} -I OUTPUT -s "10.0.1.1" \ ++ -p tcp -m tcp --tcp-option 30 \ ++ -m bpf --bytecode \ ++ "$CBPF_MPTCP_SUBOPTION_RM_ADDR" \ ++ -j DROP || ipt=0 + pm_nl_del_endpoint $ns1 42 10.0.1.1 + sleep 0.5 + chk_subflow_nr "after delete ID 0" 2 + chk_mptcp_info subflows 2 subflows 2 + chk_mptcp_info add_addr_signal 2 add_addr_accepted 2 ++ [ ${ipt} = 1 ] && ip netns exec "${ns1}" ${iptables} -D OUTPUT 1 + + pm_nl_add_endpoint $ns1 10.0.1.1 id 99 flags signal + wait_mpj $ns2 diff --git a/queue-6.19/selftests-mptcp-more-stable-simult_flows-tests.patch b/queue-6.19/selftests-mptcp-more-stable-simult_flows-tests.patch new file mode 100644 index 0000000000..c7a7fcf5fa --- /dev/null +++ b/queue-6.19/selftests-mptcp-more-stable-simult_flows-tests.patch 
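Review bot: The cleanup `${iptables} -D OUTPUT 1` removes whatever rule is first in OUTPUT at that moment, so it undoes the earlier `-I OUTPUT` only if nothing else was inserted in between, and the rule is left behind if the subtest stops before reaching that line. Deleting by specification, that is repeating the insert's match arguments with `-D OUTPUT` in place of `-I OUTPUT`, would not depend on rule position. This applies to both places in endpoint_tests() where the DROP rule is added; the function starts and ends outside the hunks.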
@@ -0,0 +1,60 @@ +From 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 3 Mar 2026 11:56:02 +0100 +Subject: selftests: mptcp: more stable simult_flows tests + +From: Paolo Abeni + +commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream. + +By default, the netem qdisc can keep up to 1000 packets under its belly +to deal with the configured rate and delay. The simult flows test-case +simulates very low speed links, to avoid problems due to slow CPUs and +the TCP stack tend to transmit at a slightly higher rate than the +(virtual) link constraints. + +All the above causes a relatively large amount of packets being enqueued +in the netem qdiscs - the longer the transfer, the longer the queue - +producing increasingly high TCP RTT samples and consequently increasingly +larger receive buffer size due to DRS. + +When the receive buffer size becomes considerably larger than the needed +size, the tests results can flake, i.e. because minimal inaccuracy in the +pacing rate can lead to a single subflow usage towards the end of the +connection for a considerable amount of data. + +Address the issue explicitly setting netem limits suitable for the +configured link speeds and unflake all the affected tests. 
+ +Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/simult_flows.sh ++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh +@@ -237,10 +237,13 @@ run_test() + for dev in ns2eth1 ns2eth2; do + tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1 + done +- tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 +- tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 +- tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 +- tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 ++ ++ # keep the queued pkts number low, or the RTT estimator will see ++ # increasing latency over time. ++ tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50 ++ tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50 ++ tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50 ++ tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50 + + # time is measured in ms, account for transfer size, aggregated link speed + # and header overhead (10%) diff --git a/queue-6.19/series b/queue-6.19/series index 0982a62aa7..7cc77c55e0 100644 --- a/queue-6.19/series +++ b/queue-6.19/series 
@@ -114,3 +114,55 @@ hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch hid-pidff-fix-condition-effect-bit-clearing.patch hid-multitouch-keep-latency-normal-on-deactivate-for-reactivation-gesture.patch x86-efi-defer-freeing-of-boot-services-memory.patch +perf-x86-intel-uncore-add-per-scheduler-imc-cas-count-events.patch +x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch +x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch +x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch +platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch +platform-x86-alienware-wmi-wmax-add-g-mode-support-to-m18-laptops.patch +platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch +alsa-hda-realtek-add-quirk-for-hp-pavilion-15-eh1xxx-to-enable-mute-led.patch +alsa-doc-usb-audio-add-doc-for-quirk_flag_skip_iface_setup.patch +alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch +alsa-hda-intel-increase-default-bdl_pos_adj-for-nvidia-controllers.patch +alsa-hda-realtek-fix-model-name-typo-for-samsung-galaxy-book-flex-nt950qcg-x716.patch +alsa-hda-realtek-add-quirk-for-acer-aspire-v3-572g.patch +alsa-hda-realtek-add-quirk-for-samsung-galaxy-book-flex-nt950qct-a38a.patch +alsa-hda-realtek-add-quirk-for-acer-nitro-anv15-51.patch +wifi-radiotap-reject-radiotap-with-unknown-bits.patch +wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch +wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch +wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch +wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch +bluetooth-purge-error-queues-in-socket-destructors.patch +gve-fix-incorrect-buffer-cleanup-in-gve_tx_clean_pending_packets-for-qpl.patch +net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch +ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch +rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch 
+rdma-ionic-fix-kernel-stack-leak-in-ionic_create_cq.patch +ksmbd-compare-macs-in-constant-time.patch +cpufreq-intel_pstate-fix-crash-during-turbo-disable.patch +arm64-gcs-do-not-set-pte_shared-on-gcs-mappings-if-feat_lpa2-is-enabled.patch +net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch +nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch +tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch +scsi-target-fix-recursive-locking-in-__configfs_open_file.patch +mm-thp-deny-thp-for-files-on-anonymous-inodes.patch +squashfs-check-metadata-block-offset-is-within-range.patch +drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch +drbd-fix-null-pointer-dereference-on-local-read-error.patch +xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch +xfs-fix-error-pointer-dereference.patch +smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch +smb-client-fix-broken-multichannel-with-krb5-signing.patch +smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch +smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch +scsi-core-fix-refcount-leak-for-tagset_refcnt.patch +scsi-ufs-core-fix-rpmb-region-size-detection-for-ufs-2.2.patch +mptcp-pm-avoid-sending-rm_addr-over-same-subflow.patch +mptcp-pm-in-kernel-always-mark-signal-subflow-endp-as-used.patch +selftests-mptcp-more-stable-simult_flows-tests.patch +selftests-mptcp-join-check-rm_addr-not-sent-over-same-subflow.patch +selftests-mptcp-join-check-removing-signal-subflow-endp.patch +kbuild-split-.modinfo-out-from-elf_details.patch +kbuild-leave-objtool-binary-around-with-make-clean.patch diff --git a/queue-6.19/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch b/queue-6.19/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch new file mode 100644 index 0000000000..ea99a05c28 --- /dev/null +++ b/queue-6.19/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch 
@@ -0,0 +1,33 @@
+From 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Thu, 26 Feb 2026 22:28:45 +0100
+Subject: smb: client: Don't log plaintext credentials in cifs_set_cifscreds
+
+From: Thorsten Blum
+
+commit 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d upstream.
+
+When debug logging is enabled, cifs_set_cifscreds() logs the key
+payload and exposes the plaintext username and password. Remove the
+debug log to avoid exposing credentials.
+
+Fixes: 8a8798a5ff90 ("cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat)
+Signed-off-by: Thorsten Blum
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/connect.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -2233,7 +2233,6 @@ cifs_set_cifscreds(struct smb3_fs_contex
+ /* find first : in payload */
+ payload = upayload->data;
+ delim = strnchr(payload, upayload->datalen, ':');
+- cifs_dbg(FYI, "payload=%s\n", payload);
+ if (!delim) {
+ cifs_dbg(FYI, "Unable to find ':' in payload (datalen=%d)\n",
+ upayload->datalen);
diff --git a/queue-6.19/smb-client-fix-broken-multichannel-with-krb5-signing.patch b/queue-6.19/smb-client-fix-broken-multichannel-with-krb5-signing.patch
new file mode 100644
index 0000000000..1e2add8081
--- /dev/null
+++ b/queue-6.19/smb-client-fix-broken-multichannel-with-krb5-signing.patch
@@ -0,0 +1,76 @@ +From d9d1e319b39ea685ede59319002d567c159d23c3 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 25 Feb 2026 21:34:55 -0300 +Subject: smb: client: fix broken multichannel with krb5+signing + +From: Paulo Alcantara + +commit d9d1e319b39ea685ede59319002d567c159d23c3 upstream. + +When mounting a share with 'multichannel,max_channels=n,sec=krb5i', +the client was duplicating signing key for all secondary channels, +thus making the server fail all commands sent from secondary channels +due to bad signatures. + +Every channel has its own signing key, so when establishing a new +channel with krb5 auth, make sure to use the new session key as the +derived key to generate channel's signing key in SMB2_auth_kerberos(). + +Repro: + +$ mount.cifs //srv/share /mnt -o multichannel,max_channels=4,sec=krb5i +$ sleep 5 +$ umount /mnt +$ dmesg + ... + CIFS: VFS: sign fail cmd 0x5 message id 0x2 + CIFS: VFS: \\srv SMB signature verification returned error = -13 + CIFS: VFS: sign fail cmd 0x5 message id 0x2 + CIFS: VFS: \\srv SMB signature verification returned error = -13 + CIFS: VFS: sign fail cmd 0x4 message id 0x2 + CIFS: VFS: \\srv SMB signature verification returned error = -13 + +Reported-by: Xiaoli Feng +Reviewed-by: Enzo Matsumiya +Signed-off-by: Paulo Alcantara (Red Hat) +Cc: David Howells +Cc: linux-cifs@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -1715,19 +1715,17 @@ SMB2_auth_kerberos(struct SMB2_sess_data + is_binding = (ses->ses_status == SES_GOOD); + spin_unlock(&ses->ses_lock); + +- /* keep session key if binding */ +- if (!is_binding) { +- kfree_sensitive(ses->auth_key.response); +- ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, +- GFP_KERNEL); +- if (!ses->auth_key.response) { +- 
cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", +- msg->sesskey_len); +- rc = -ENOMEM; +- goto out_put_spnego_key; +- } +- ses->auth_key.len = msg->sesskey_len; ++ kfree_sensitive(ses->auth_key.response); ++ ses->auth_key.response = kmemdup(msg->data, ++ msg->sesskey_len, ++ GFP_KERNEL); ++ if (!ses->auth_key.response) { ++ cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n", ++ __func__, msg->sesskey_len); ++ rc = -ENOMEM; ++ goto out_put_spnego_key; + } ++ ses->auth_key.len = msg->sesskey_len; + + sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; + sess_data->iov[1].iov_len = msg->secblob_len; diff --git a/queue-6.19/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch b/queue-6.19/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch new file mode 100644 index 0000000000..9368762207 --- /dev/null +++ b/queue-6.19/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch 
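Review bot: On the binding path a failed `kmemdup()` now leaves an already established session with `ses->auth_key.response == NULL` and a stale `ses->auth_key.len`, because the old key is freed before the allocation is known to succeed; before the patch a binding session kept its key untouched. Duplicating into a local pointer first (declared with the same type as `ses->auth_key.response`) and swapping only on success, as sketched below, keeps the session state consistent on `-ENOMEM`. Whether other channels can read `ses->auth_key` while it is being replaced is not visible in the hunk and is worth confirming, since the `ses_lock` is dropped just above. SMB2_auth_kerberos() starts and ends outside the hunk.

```c
	/* Duplicate first so a failed allocation leaves the current key intact. */
	new_key = kmemdup(msg->data, msg->sesskey_len, GFP_KERNEL);
	if (!new_key) {
		cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n",
			 __func__, msg->sesskey_len);
		rc = -ENOMEM;
		goto out_put_spnego_key;
	}
	kfree_sensitive(ses->auth_key.response);
	ses->auth_key.response = new_key;
	ses->auth_key.len = msg->sesskey_len;
	/* ... unchanged: sess_data->iov[1] setup ... */
```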
@@ -0,0 +1,71 @@ +From 663c28469d3274d6456f206a6671c91493d85ff1 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Sat, 21 Feb 2026 01:59:44 -0300 +Subject: smb: client: fix cifs_pick_channel when channels are equally loaded + +From: Henrique Carvalho + +commit 663c28469d3274d6456f206a6671c91493d85ff1 upstream. + +cifs_pick_channel uses (start % chan_count) when channels are equally +loaded, but that can return a channel that failed the eligibility +checks. + +Drop the fallback and return the scan-selected channel instead. If none +is eligible, keep the existing behavior of using the primary channel. + +Signed-off-by: Henrique Carvalho +Acked-by: Paulo Alcantara (Red Hat) +Acked-by: Meetakshi Setiya +Reviewed-by: Shyam Prasad N +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/transport.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/fs/smb/client/transport.c ++++ b/fs/smb/client/transport.c +@@ -808,16 +808,21 @@ cifs_cancelled_callback(struct TCP_Serve + } + + /* +- * Return a channel (master if none) of @ses that can be used to send +- * regular requests. ++ * cifs_pick_channel - pick an eligible channel for network operations + * +- * If we are currently binding a new channel (negprot/sess.setup), +- * return the new incomplete channel. ++ * @ses: session reference ++ * ++ * Select an eligible channel (not terminating and not marked as needing ++ * reconnect), preferring the least loaded one. If no eligible channel is ++ * found, fall back to the primary channel (index 0). ++ * ++ * Return: TCP_Server_Info pointer for the chosen channel, or NULL if @ses is ++ * NULL. 
+ */ + struct TCP_Server_Info *cifs_pick_channel(struct cifs_ses *ses) + { + uint index = 0; +- unsigned int min_in_flight = UINT_MAX, max_in_flight = 0; ++ unsigned int min_in_flight = UINT_MAX; + struct TCP_Server_Info *server = NULL; + int i, start, cur; + +@@ -847,14 +852,8 @@ struct TCP_Server_Info *cifs_pick_channe + min_in_flight = server->in_flight; + index = cur; + } +- if (server->in_flight > max_in_flight) +- max_in_flight = server->in_flight; + } + +- /* if all channels are equally loaded, fall back to round-robin */ +- if (min_in_flight == max_in_flight) +- index = (uint)start % ses->chan_count; +- + server = ses->chans[index].server; + spin_unlock(&ses->chan_lock); + diff --git a/queue-6.19/smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch b/queue-6.19/smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch new file mode 100644 index 0000000000..a3db03d193 --- /dev/null +++ b/queue-6.19/smb-client-fix-oops-due-to-uninitialised-var-in-smb2_unlink.patch 
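Review bot: The new comment above cifs_pick_channel() is written in kernel-doc form (`cifs_pick_channel - ...`, `@ses:`, `Return:`) but still opens with `/*`, so kernel-doc will not pick it up; it should open with `/**`. As far as the visible lines show, the index 0 fallback is returned without the eligibility checks, and the comment should say so, e.g. `* The fallback channel may itself be terminating or need reconnect; callers must cope.` The selection loop sits between the two hunks and is not visible here.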
@@ -0,0 +1,56 @@
+From 048efe129a297256d3c2088cf8d79515ff5ec864 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Thu, 5 Mar 2026 21:57:06 -0300
+Subject: smb: client: fix oops due to uninitialised var in smb2_unlink()
+
+From: Paulo Alcantara
+
+commit 048efe129a297256d3c2088cf8d79515ff5ec864 upstream.
+
+If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the
+iovs set @rqst will be left uninitialised, hence calling
+SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will
+oops.
+
+Fix this by initialising @close_iov and @open_iov before setting them
+in @rqst.
+
+Reported-by: Thiago Becker
+Fixes: 1cf9f2a6a544 ("smb: client: handle unlink(2) of files open by different clients")
+Signed-off-by: Paulo Alcantara (Red Hat)
+Cc: David Howells
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2inode.c
++++ b/fs/smb/client/smb2inode.c
+@@ -1208,6 +1208,7 @@ again:
+ memset(resp_buftype, 0, sizeof(resp_buftype));
+ memset(rsp_iov, 0, sizeof(rsp_iov));
+
++ memset(open_iov, 0, sizeof(open_iov));
+ rqst[0].rq_iov = open_iov;
+ rqst[0].rq_nvec = ARRAY_SIZE(open_iov);
+
+@@ -1232,14 +1233,15 @@ again:
+ creq = rqst[0].rq_iov[0].iov_base;
+ creq->ShareAccess = FILE_SHARE_DELETE_LE;
+
++ memset(&close_iov, 0, sizeof(close_iov));
+ rqst[1].rq_iov = &close_iov;
+ rqst[1].rq_nvec = 1;
+
+ rc = SMB2_close_init(tcon, server, &rqst[1],
+ COMPOUND_FID, COMPOUND_FID, false);
+- smb2_set_related(&rqst[1]);
+ if (rc)
+ goto err_free;
++ smb2_set_related(&rqst[1]);
+
+ if (retries) {
+ for (int i = 0; i < ARRAY_SIZE(rqst); i++)
diff --git a/queue-6.19/squashfs-check-metadata-block-offset-is-within-range.patch b/queue-6.19/squashfs-check-metadata-block-offset-is-within-range.patch
new file mode 100644
index 0000000000..6a3511c9ad
--- /dev/null
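Review bot: Neither added memset() in smb2_unlink() says why it is needed, and the reason is not local: per the commit message, the error path calls SMB2_open_free() and SMB2_close_free() on the requests regardless of which init step failed. A comment such as `/* zero so err_free can free this request even if its init never ran */` above each would stop a later cleanup from dropping them as redundant. The err_free label and the declarations of open_iov and close_iov are outside the hunk, so this assumes the free helpers accept a zeroed iov.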
+++ b/queue-6.19/squashfs-check-metadata-block-offset-is-within-range.patch
@@ -0,0 +1,46 @@
+From fdb24a820a5832ec4532273282cbd4f22c291a0d Mon Sep 17 00:00:00 2001
+From: Phillip Lougher
+Date: Tue, 17 Feb 2026 05:09:55 +0000
+Subject: Squashfs: check metadata block offset is within range
+
+From: Phillip Lougher
+
+commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream.
+
+Syzkaller reports a "general protection fault in squashfs_copy_data"
+
+This is ultimately caused by a corrupted index look-up table, which
+produces a negative metadata block offset.
+
+This is subsequently passed to squashfs_copy_data (via
+squashfs_read_metadata) where the negative offset causes an out of bounds
+access.
+
+The fix is to check that the offset is within range in
+squashfs_read_metadata. This will trap this and other cases.
+
+Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk
+Fixes: f400e12656ab ("Squashfs: cache operations")
+Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
+Signed-off-by: Phillip Lougher
+Cc: Christian Brauner
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/cache.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/squashfs/cache.c
++++ b/fs/squashfs/cache.c
+@@ -344,6 +344,9 @@ int squashfs_read_metadata(struct super_
+ if (unlikely(length < 0))
+ return -EIO;
+
++ if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE))
++ return -EIO;
++
+ while (length) {
+ entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
+ if (entry->error) {
diff --git a/queue-6.19/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch b/queue-6.19/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
new file mode 100644
index 0000000000..b7bf4b27ee
--- /dev/null
+++ b/queue-6.19/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
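Review bot: The new range check in squashfs_read_metadata() has no comment saying that `*offset` is untrusted at this point, although the commit message traces it to a corrupted on-disk look-up table. Suggest `/* *offset is derived from on-disk tables and may be corrupt; reject anything outside one metadata block */` above it. The check runs once before the loop; whether *offset stays in range as the loop advances is not visible in this hunk.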
@@ -0,0 +1,111 @@ +From e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e Mon Sep 17 00:00:00 2001 +From: Qing Wang +Date: Fri, 27 Feb 2026 10:58:42 +0800 +Subject: tracing: Fix WARN_ON in tracing_buffers_mmap_close + +From: Qing Wang + +commit e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e upstream. + +When a process forks, the child process copies the parent's VMAs but the +user_mapped reference count is not incremented. As a result, when both the +parent and child processes exit, tracing_buffers_mmap_close() is called +twice. On the second call, user_mapped is already 0, causing the function to +return -ENODEV and triggering a WARN_ON. + +Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. +But this is only a hint, and the application can call +madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the +application does that, it can trigger this issue on fork. + +Fix it by incrementing the user_mapped reference count without re-mapping +the pages in the VMA's open callback. 
+ +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Vincent Donnefort +Cc: Lorenzo Stoakes +Link: https://patch.msgid.link/20260227025842.1085206-1-wangqing7171@gmail.com +Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-buffer") +Reported-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3b5dd2030fe08afdf65d +Tested-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com +Signed-off-by: Qing Wang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ring_buffer.h | 1 + + kernel/trace/ring_buffer.c | 21 +++++++++++++++++++++ + kernel/trace/trace.c | 13 +++++++++++++ + 3 files changed, 35 insertions(+) + +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -248,6 +248,7 @@ int trace_rb_cpu_prepare(unsigned int cp + + int ring_buffer_map(struct trace_buffer *buffer, int cpu, + struct vm_area_struct *vma); ++void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu); + int ring_buffer_unmap(struct trace_buffer *buffer, int cpu); + int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu); + #endif /* _LINUX_RING_BUFFER_H */ +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -7292,6 +7292,27 @@ int ring_buffer_map(struct trace_buffer + return err; + } + ++/* ++ * This is called when a VMA is duplicated (e.g., on fork()) to increment ++ * the user_mapped counter without remapping pages. 
++ */ ++void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu) ++{ ++ struct ring_buffer_per_cpu *cpu_buffer; ++ ++ if (WARN_ON(!cpumask_test_cpu(cpu, buffer->cpumask))) ++ return; ++ ++ cpu_buffer = buffer->buffers[cpu]; ++ ++ guard(mutex)(&cpu_buffer->mapping_lock); ++ ++ if (cpu_buffer->user_mapped) ++ __rb_inc_dec_mapped(cpu_buffer, true); ++ else ++ WARN(1, "Unexpected buffer stat, it should be mapped"); ++} ++ + int ring_buffer_unmap(struct trace_buffer *buffer, int cpu) + { + struct ring_buffer_per_cpu *cpu_buffer; +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -8999,6 +8999,18 @@ static inline int get_snapshot_map(struc + static inline void put_snapshot_map(struct trace_array *tr) { } + #endif + ++/* ++ * This is called when a VMA is duplicated (e.g., on fork()) to increment ++ * the user_mapped counter without remapping pages. ++ */ ++static void tracing_buffers_mmap_open(struct vm_area_struct *vma) ++{ ++ struct ftrace_buffer_info *info = vma->vm_file->private_data; ++ struct trace_iterator *iter = &info->iter; ++ ++ ring_buffer_map_dup(iter->array_buffer->buffer, iter->cpu_file); ++} ++ + static void tracing_buffers_mmap_close(struct vm_area_struct *vma) + { + struct ftrace_buffer_info *info = vma->vm_file->private_data; +@@ -9018,6 +9030,7 @@ static int tracing_buffers_may_split(str + } + + static const struct vm_operations_struct tracing_buffers_vmops = { ++ .open = tracing_buffers_mmap_open, + .close = tracing_buffers_mmap_close, + .may_split = tracing_buffers_may_split, + }; diff --git a/queue-6.19/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch b/queue-6.19/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch new file mode 100644 index 0000000000..b74b8afee7 --- /dev/null +++ b/queue-6.19/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch 
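Review bot: ring_buffer_map_dup() discards the result of `__rb_inc_dec_mapped(cpu_buffer, true)`. If that helper returns an error code and can refuse the increment (its definition is outside the hunk), the duplicated VMA is left uncounted and its later close would unbalance user_mapped again, which is the condition this patch is fixing. Because the vm_ops open callback returns void, the failure can at least be made visible with `WARN_ON(__rb_inc_dec_mapped(cpu_buffer, true));`. The message in the else branch also has a typo, `stat` for `state`, and lacks a trailing newline.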
@@ -0,0 +1,57 @@ +From 767d23ade706d5fa51c36168e92a9c5533c351a1 Mon Sep 17 00:00:00 2001 +From: Daniil Dulov +Date: Wed, 11 Feb 2026 11:20:24 +0300 +Subject: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() + +From: Daniil Dulov + +commit 767d23ade706d5fa51c36168e92a9c5533c351a1 upstream. + +There is a use-after-free error in cfg80211_shutdown_all_interfaces found +by syzkaller: + +BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 +Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 +CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Workqueue: events cfg80211_rfkill_block_work +Call Trace: + + dump_stack_lvl+0x116/0x1f0 + print_report+0xcd/0x630 + kasan_report+0xe0/0x110 + cfg80211_shutdown_all_interfaces+0x213/0x220 + cfg80211_rfkill_block_work+0x1e/0x30 + process_one_work+0x9cf/0x1b70 + worker_thread+0x6c8/0xf10 + kthread+0x3c5/0x780 + ret_from_fork+0x56d/0x700 + ret_from_fork_asm+0x1a/0x30 + + +The problem arises due to the rfkill_block work is not cancelled when wiphy +is being unregistered. In order to fix the issue cancel the corresponding +work in wiphy_unregister(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support") +Cc: stable@vger.kernel.org +Signed-off-by: Daniil Dulov +Link: https://patch.msgid.link/20260211082024.1967588-1-d.dulov@aladdin.ru +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -1210,6 +1210,7 @@ void wiphy_unregister(struct wiphy *wiph + /* this has nothing to do now but make sure it's gone */ + cancel_work_sync(&rdev->wiphy_work); + ++ cancel_work_sync(&rdev->rfkill_block); + cancel_work_sync(&rdev->conn_work); + flush_work(&rdev->event_work); + cancel_delayed_work_sync(&rdev->dfs_update_channels_wk); diff --git a/queue-6.19/wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch b/queue-6.19/wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch new file mode 100644 index 0000000000..9a18687747 --- /dev/null +++ b/queue-6.19/wifi-libertas-fix-use-after-free-in-lbs_free_adapter.patch 
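Review bot: The added `cancel_work_sync(&rdev->rfkill_block)` in wiphy_unregister() only closes the use-after-free if nothing can queue that work again afterwards, and the hunk does not show where rfkill is unregistered relative to this line. Please confirm the rfkill teardown precedes it and record that in a comment, e.g. `/* rfkill is already unregistered, so this cannot be requeued */`. The rest of wiphy_unregister() is outside the hunk.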
@@ -0,0 +1,54 @@ +From 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0 Mon Sep 17 00:00:00 2001 +From: Daniel Hodges +Date: Fri, 6 Feb 2026 14:53:56 -0500 +Subject: wifi: libertas: fix use-after-free in lbs_free_adapter() + +From: Daniel Hodges + +commit 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0 upstream. + +The lbs_free_adapter() function uses timer_delete() (non-synchronous) +for both command_timer and tx_lockup_timer before the structure is +freed. This is incorrect because timer_delete() does not wait for +any running timer callback to complete. + +If a timer callback is executing when lbs_free_adapter() is called, +the callback will access freed memory since lbs_cfg_free() frees the +containing structure immediately after lbs_free_adapter() returns. + +Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) +access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, +which would all be use-after-free violations. + +Use timer_delete_sync() instead to ensure any running timer callback +has completed before returning. + +This bug was introduced in commit 8f641d93c38a ("libertas: detect TX +lockups and reset hardware") where del_timer() was used instead of +del_timer_sync() in the cleanup path. The command_timer has had the +same issue since the driver was first written. 
+ +Fixes: 8f641d93c38a ("libertas: detect TX lockups and reset hardware") +Fixes: 954ee164f4f4 ("[PATCH] libertas: reorganize and simplify init sequence") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Hodges +Link: https://patch.msgid.link/20260206195356.15647-1-git@danielhodges.dev +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/libertas/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/marvell/libertas/main.c ++++ b/drivers/net/wireless/marvell/libertas/main.c +@@ -799,8 +799,8 @@ static void lbs_free_adapter(struct lbs_ + { + lbs_free_cmd_buffer(priv); + kfifo_free(&priv->event_fifo); +- timer_delete(&priv->command_timer); +- timer_delete(&priv->tx_lockup_timer); ++ timer_delete_sync(&priv->command_timer); ++ timer_delete_sync(&priv->tx_lockup_timer); + } + + static const struct net_device_ops lbs_netdev_ops = { diff --git a/queue-6.19/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch b/queue-6.19/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch new file mode 100644 index 0000000000..0305cfb64b --- /dev/null +++ b/queue-6.19/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch 
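Review bot: In lbs_free_adapter() the two timers are still stopped after `lbs_free_cmd_buffer(priv)` and `kfifo_free(&priv->event_fifo)`, so a callback already running when teardown starts may touch state that has just been released. The commit message itself lists priv->cur_cmd among the fields the handlers use. Moving both `timer_delete_sync()` calls to the top of the function closes that window. If anything can re-arm these timers during teardown (not visible here), `timer_shutdown_sync()` is the better fit, since the containing structure is freed right afterwards.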
@@ -0,0 +1,38 @@
+From 162d331d833dc73a3e905a24c44dd33732af1fc5 Mon Sep 17 00:00:00 2001
+From: Ariel Silver
+Date: Fri, 20 Feb 2026 10:11:29 +0000
+Subject: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
+
+From: Ariel Silver
+
+commit 162d331d833dc73a3e905a24c44dd33732af1fc5 upstream.
+
+link_id is taken from the ML Reconfiguration element (control & 0x000f),
+so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS
+(15) elements, so index 15 is out-of-bounds. Skip subelements with
+link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds
+write.
+
+Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element")
+Reported-by: Ariel Silver
+Signed-off-by: Ariel Silver
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260220101129.1202657-1-Ariel.Silver@cybereason.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/mlme.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -6975,6 +6975,9 @@ static void ieee80211_ml_reconfiguration
+ control = le16_to_cpu(prof->control);
+ link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID;
+
++ if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
++ continue;
++
+ removed_links |= BIT(link_id);
+
+ /* the MAC address should not be included, but handle it */
diff --git a/queue-6.19/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch b/queue-6.19/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
new file mode 100644
index 0000000000..7fdd7a01f2
--- /dev/null
+++ b/queue-6.19/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
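Review bot: The new bound check in ieee80211_ml_reconfiguration skips the subelement silently, and nothing on the line records why the mask alone is not enough. Suggest `/* link ID field is 4 bits, but only IEEE80211_MLD_MAX_NUM_LINKS links exist */` above it. It is also worth deciding whether an out-of-range link ID should cause the whole element to be treated as malformed instead of processing the remaining subelements. The loop and its exit paths are outside the hunk.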
@@ -0,0 +1,63 @@ +From 017c1792525064a723971f0216e6ef86a8c7af11 Mon Sep 17 00:00:00 2001 +From: Vahagn Vardanian +Date: Mon, 23 Feb 2026 00:00:00 +0000 +Subject: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() + +From: Vahagn Vardanian + +commit 017c1792525064a723971f0216e6ef86a8c7af11 upstream. + +In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced +at lines 1638 and 1642 without a prior NULL check: + + ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; + ... + pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value); + +The mesh_matches_local() check above only validates the Mesh ID, +Mesh Configuration, and Supported Rates IEs. It does not verify the +presence of the Mesh Channel Switch Parameters IE (element ID 118). +When a received CSA action frame omits that IE, ieee802_11_parse_elems() +leaves elems->mesh_chansw_params_ie as NULL, and the unconditional +dereference causes a kernel NULL pointer dereference. + +A remote mesh peer with an established peer link (PLINK_ESTAB) can +trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame +that includes a matching Mesh ID and Mesh Configuration IE but omits the +Mesh Channel Switch Parameters IE. No authentication beyond the default +open mesh peering is required. + +Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + Oops: Oops: 0000 [#1] SMP NOPTI + RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211] + CR2: 0000000000000000 + +Fix by adding a NULL check for mesh_chansw_params_ie after +mesh_matches_local() returns, consistent with how other optional IEs +are guarded throughout the mesh code. + +The bug has been present since v3.13 (released 2014-01-19). 
+ +Fixes: 8f2535b92d68 ("mac80211: process the CSA frame for mesh accordingly") +Cc: stable@vger.kernel.org +Signed-off-by: Vahagn Vardanian +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -1636,6 +1636,9 @@ static void mesh_rx_csa_frame(struct iee + if (!mesh_matches_local(sdata, elems)) + goto free; + ++ if (!elems->mesh_chansw_params_ie) ++ goto free; ++ + ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; + if (!--ifmsh->chsw_ttl) + fwd_csa = false; diff --git a/queue-6.19/wifi-radiotap-reject-radiotap-with-unknown-bits.patch b/queue-6.19/wifi-radiotap-reject-radiotap-with-unknown-bits.patch new file mode 100644 index 0000000000..8416e5f659 --- /dev/null +++ b/queue-6.19/wifi-radiotap-reject-radiotap-with-unknown-bits.patch 
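Review bot: Right after the new NULL check in mesh_rx_csa_frame(), `ifmsh->chsw_ttl` is loaded from the frame and pre-decremented, so a received mesh_ttl of 0 does not stop forwarding; if chsw_ttl is an unsigned 8-bit field (its declaration is not in the hunk) it wraps instead. Since the value comes from a peer, consider `if (!ifmsh->chsw_ttl || !--ifmsh->chsw_ttl)` on that line. The new check would also benefit from a comment such as `/* IE is optional in the parser; drop CSA frames without it */`.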
@@ -0,0 +1,51 @@ +From c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 17 Feb 2026 13:05:26 +0100 +Subject: wifi: radiotap: reject radiotap with unknown bits + +From: Johannes Berg + +commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream. + +The radiotap parser is currently only used with the radiotap +namespace (not with vendor namespaces), but if the undefined +field 18 is used, the alignment/size is unknown as well. In +this case, iterator->_next_ns_data isn't initialized (it's +only set for skipping vendor namespaces), and syzbot points +out that we later compare against this uninitialized value. + +Fix this by moving the rejection of unknown radiotap fields +down to after the in-namespace lookup, so it will really use +iterator->_next_ns_data only for vendor namespaces, even in +case undefined fields are present. + +Cc: stable@vger.kernel.org +Fixes: 33e5a2f776e3 ("wireless: update radiotap parser") +Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com +Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/radiotap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/wireless/radiotap.c ++++ b/net/wireless/radiotap.c +@@ -239,14 +239,14 @@ int ieee80211_radiotap_iterator_next( + default: + if (!iterator->current_namespace || + iterator->_arg_index >= iterator->current_namespace->n_bits) { +- if (iterator->current_namespace == &radiotap_ns) +- return -ENOENT; + align = 0; + } else { + align = iterator->current_namespace->align_size[iterator->_arg_index].align; + size = iterator->current_namespace->align_size[iterator->_arg_index].size; + } + if (!align) { ++ if (iterator->current_namespace == &radiotap_ns) ++ return -ENOENT; + /* skip all subsequent data */ + iterator->_arg = 
iterator->_next_ns_data; + /* give up on this namespace */ diff --git a/queue-6.19/x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch b/queue-6.19/x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch new file mode 100644 index 0000000000..93301bf1a7 --- /dev/null +++ b/queue-6.19/x86-boot-handle-relative-config_efi_sbat_file-file-paths.patch @@ -0,0 +1,41 @@ +From 3d1973a0c76a78a4728cff13648a188ed486cf44 Mon Sep 17 00:00:00 2001 +From: Jan Stancek +Date: Wed, 25 Feb 2026 20:30:23 +0100 +Subject: x86/boot: Handle relative CONFIG_EFI_SBAT_FILE file paths + +From: Jan Stancek + +commit 3d1973a0c76a78a4728cff13648a188ed486cf44 upstream. + +CONFIG_EFI_SBAT_FILE can be a relative path. When compiling using a different +output directory (O=) the build currently fails because it can't find the +filename set in CONFIG_EFI_SBAT_FILE: + + arch/x86/boot/compressed/sbat.S: Assembler messages: + arch/x86/boot/compressed/sbat.S:6: Error: file not found: kernel.sbat + +Add $(srctree) as include dir for sbat.o. + + [ bp: Massage commit message. ] + +Fixes: 61b57d35396a ("x86/efi: Implement support for embedding SBAT data for x86") +Signed-off-by: Jan Stancek +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Vitaly Kuznetsov +Cc: +Link: https://patch.msgid.link/f4eda155b0cef91d4d316b4e92f5771cb0aa7187.1772047658.git.jstancek@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -113,6 +113,7 @@ vmlinux-objs-$(CONFIG_EFI_SBAT) += $(obj + + ifdef CONFIG_EFI_SBAT + $(obj)/sbat.o: $(CONFIG_EFI_SBAT_FILE) ++AFLAGS_sbat.o += -I $(srctree) + endif + + $(obj)/vmlinux: $(vmlinux-objs-y) $(vmlinux-libs-y) FORCE 
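Review bot: In ieee80211_radiotap_iterator_next() the relocated `-ENOENT` return is now correct only because it sits inside `if (!align)`, ahead of the `_next_ns_data` use, and nothing in the code says so. Add a comment above it such as `/* unknown field in the radiotap namespace: _next_ns_data is only valid for vendor namespaces */`. `size` is still left unset on the `align = 0` branch; that is fine only if every `!align` path leaves before size is read, which cannot be confirmed from the hunk.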
diff --git a/queue-6.19/x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch b/queue-6.19/x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch new file mode 100644 index 0000000000..a218f4c0d0 --- /dev/null +++ b/queue-6.19/x86-boot-sev-move-sev-decompressor-variables-into-the-.data-section.patch 
@@ -0,0 +1,89 @@ +From 4ca191cec17a997d0e3b2cd312f3a884288acc27 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Wed, 4 Feb 2026 09:01:00 -0600 +Subject: x86/boot/sev: Move SEV decompressor variables into the .data section + +From: Tom Lendacky + +commit 4ca191cec17a997d0e3b2cd312f3a884288acc27 upstream. + +As part of the work to remove the dependency on calling into the decompressor +code (startup_64()) for a UEFI boot, a call to rmpadjust() was removed from +sev_enable() in favor of checking the value of the snp_vmpl variable. + +When booting through a non-UEFI path and calling startup_64(), the call to +sev_enable() is performed before the BSS section is zeroed. With the removal +of the rmpadjust() call and the corresponding check of the return code, the +snp_vmpl variable is checked. + +Since the kernel is running at VMPL0, the snp_vmpl variable will not have been +set and should be the default value of 0. However, since the call occurs +before the BSS is zeroed, the snp_vmpl variable may not actually be zero, +which will cause the guest boot to fail. + +Since the decompressor relocates itself, the BSS would need to be cleared both +before and after the relocation, but this would, in effect, cause all of the +changes to BSS variables before relocation to be lost after relocation. + +Instead, move the snp_vmpl variable into the .data section so that it is +initialized and the value made safe during relocation. As a pre-caution +against future changes, move other SEV-related decompressor variables into the +.data section, too. 
+ +Fixes: 68a501d7fd82 ("x86/boot: Drop redundant RMPADJUST in SEV SVSM presence check") +Signed-off-by: Tom Lendacky +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Ard Biesheuvel +Reviewed-by: Changyuan Lyu +Tested-by: Kevin Hui +Tested-by: Changyuan Lyu +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/5648b7de5b0a5d0dfef3785f9582b718678c6448.1770217260.git.thomas.lendacky@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/sev.c | 8 ++++---- + arch/x86/boot/startup/sev-shared.c | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c +index c8c1464b3a56..46b54720d91d 100644 +--- a/arch/x86/boot/compressed/sev.c ++++ b/arch/x86/boot/compressed/sev.c +@@ -28,17 +28,17 @@ + #include "sev.h" + + static struct ghcb boot_ghcb_page __aligned(PAGE_SIZE); +-struct ghcb *boot_ghcb; ++struct ghcb *boot_ghcb __section(".data"); + + #undef __init + #define __init + + #define __BOOT_COMPRESSED + +-u8 snp_vmpl; +-u16 ghcb_version; ++u8 snp_vmpl __section(".data"); ++u16 ghcb_version __section(".data"); + +-u64 boot_svsm_caa_pa; ++u64 boot_svsm_caa_pa __section(".data"); + + /* Include code for early handlers */ + #include "../../boot/startup/sev-shared.c" +diff --git a/arch/x86/boot/startup/sev-shared.c b/arch/x86/boot/startup/sev-shared.c +index a0fa8bb2b945..d9ac3a929d33 100644 +--- a/arch/x86/boot/startup/sev-shared.c ++++ b/arch/x86/boot/startup/sev-shared.c +@@ -31,7 +31,7 @@ static u32 cpuid_std_range_max __ro_after_init; + static u32 cpuid_hyp_range_max __ro_after_init; + static u32 cpuid_ext_range_max __ro_after_init; + +-bool sev_snp_needs_sfw; ++bool sev_snp_needs_sfw __section(".data"); + + void __noreturn + sev_es_terminate(unsigned int set, unsigned int reason) +-- +2.53.0 + 
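Review bot: The `__section(".data")` annotations added in arch/x86/boot/compressed/sev.c and sev-shared.c carry no comment, so the next SEV variable added beside them can land in .bss and reintroduce the boot failure the commit message describes. Put the reason next to the first one, e.g. `/* sev_enable() can run before .bss is cleared; keep these in .data */`, and repeat a short form at `sev_snp_needs_sfw`, which lives in a different file.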
diff --git a/queue-6.19/x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch b/queue-6.19/x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch new file mode 100644 index 0000000000..db5ba7d523 --- /dev/null +++ b/queue-6.19/x86-sev-allow-ibpb-on-entry-feature-for-snp-guests.patch 
@@ -0,0 +1,72 @@ +From 9073428bb204d921ae15326bb7d4558d9d269aab Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Tue, 3 Feb 2026 16:24:03 -0600 +Subject: x86/sev: Allow IBPB-on-Entry feature for SNP guests + +From: Kim Phillips + +commit 9073428bb204d921ae15326bb7d4558d9d269aab upstream. + +The SEV-SNP IBPB-on-Entry feature does not require a guest-side +implementation. It was added in Zen5 h/w, after the first SNP Zen +implementation, and thus was not accounted for when the initial set of SNP +features were added to the kernel. + +In its abundant precaution, commit + + 8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support") + +included SEV_STATUS' IBPB-on-Entry bit as a reserved bit, thereby masking +guests from using the feature. + +Allow guests to make use of IBPB-on-Entry when supported by the hypervisor, as +the bit is now architecturally defined and safe to expose. + +Fixes: 8c29f0165405 ("x86/sev: Add SEV-SNP guest feature negotiation support") +Signed-off-by: Kim Phillips +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Nikunj A Dadhania +Reviewed-by: Tom Lendacky +Cc: stable@kernel.org +Link: https://patch.msgid.link/20260203222405.4065706-2-kim.phillips@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/sev.c | 1 + + arch/x86/coco/sev/core.c | 1 + + arch/x86/include/asm/msr-index.h | 5 ++++- + 3 files changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/boot/compressed/sev.c ++++ b/arch/x86/boot/compressed/sev.c +@@ -188,6 +188,7 @@ bool sev_es_check_ghcb_fault(unsigned lo + MSR_AMD64_SNP_RESERVED_BIT13 | \ + MSR_AMD64_SNP_RESERVED_BIT15 | \ + MSR_AMD64_SNP_SECURE_AVIC | \ ++ MSR_AMD64_SNP_RESERVED_BITS19_22 | \ + MSR_AMD64_SNP_RESERVED_MASK) + + #ifdef CONFIG_AMD_SECURE_AVIC +--- a/arch/x86/coco/sev/core.c ++++ b/arch/x86/coco/sev/core.c +@@ -122,6 +122,7 @@ static const char * const sev_status_fea + [MSR_AMD64_SNP_VMSA_REG_PROT_BIT] = "VMSARegProt", + [MSR_AMD64_SNP_SMT_PROT_BIT] = "SMTProt", + 
[MSR_AMD64_SNP_SECURE_AVIC_BIT] = "SecureAVIC", ++ [MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT] = "IBPBOnEntry", + }; + + /* +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -735,7 +735,10 @@ + #define MSR_AMD64_SNP_SMT_PROT BIT_ULL(MSR_AMD64_SNP_SMT_PROT_BIT) + #define MSR_AMD64_SNP_SECURE_AVIC_BIT 18 + #define MSR_AMD64_SNP_SECURE_AVIC BIT_ULL(MSR_AMD64_SNP_SECURE_AVIC_BIT) +-#define MSR_AMD64_SNP_RESV_BIT 19 ++#define MSR_AMD64_SNP_RESERVED_BITS19_22 GENMASK_ULL(22, 19) ++#define MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT 23 ++#define MSR_AMD64_SNP_IBPB_ON_ENTRY BIT_ULL(MSR_AMD64_SNP_IBPB_ON_ENTRY_BIT) ++#define MSR_AMD64_SNP_RESV_BIT 24 + #define MSR_AMD64_SNP_RESERVED_MASK GENMASK_ULL(63, MSR_AMD64_SNP_RESV_BIT) + #define MSR_AMD64_SAVIC_CONTROL 0xc0010138 + #define MSR_AMD64_SAVIC_EN_BIT 0 diff --git a/queue-6.19/xfs-fix-error-pointer-dereference.patch b/queue-6.19/xfs-fix-error-pointer-dereference.patch new file mode 100644 index 0000000000..6b4222ef08 --- /dev/null +++ b/queue-6.19/xfs-fix-error-pointer-dereference.patch 
@@ -0,0 +1,56 @@
+From cddfa648f1ab99e30e91455be19cd5ade26338c2 Mon Sep 17 00:00:00 2001
+From: Ethan Tidmore
+Date: Thu, 19 Feb 2026 21:38:25 -0600
+Subject: xfs: Fix error pointer dereference
+
+From: Ethan Tidmore
+
+commit cddfa648f1ab99e30e91455be19cd5ade26338c2 upstream.
+
+The function try_lookup_noperm() can return an error pointer and is not
+checked for one.
+
+Add checks for error pointer in xrep_adoption_check_dcache() and
+xrep_adoption_zap_dcache().
+
+Detected by Smatch:
+fs/xfs/scrub/orphanage.c:449 xrep_adoption_check_dcache() error:
+'d_child' dereferencing possible ERR_PTR()
+
+fs/xfs/scrub/orphanage.c:485 xrep_adoption_zap_dcache() error:
+'d_child' dereferencing possible ERR_PTR()
+
+Fixes: 73597e3e42b4 ("xfs: ensure dentry consistency when the orphanage adopts a file")
+Cc: stable@vger.kernel.org # v6.16
+Signed-off-by: Ethan Tidmore
+Reviewed-by: Darrick J. Wong
+Reviewed-by: Nirjhar Roy (IBM)
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/scrub/orphanage.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/scrub/orphanage.c
++++ b/fs/xfs/scrub/orphanage.c
+@@ -442,6 +442,11 @@ xrep_adoption_check_dcache(
+ return 0;
+
+ d_child = try_lookup_noperm(&qname, d_orphanage);
++ if (IS_ERR(d_child)) {
++ dput(d_orphanage);
++ return PTR_ERR(d_child);
++ }
++
+ if (d_child) {
+ trace_xrep_adoption_check_child(sc->mp, d_child);
+
+@@ -479,7 +484,7 @@ xrep_adoption_zap_dcache(
+ return;
+
+ d_child = try_lookup_noperm(&qname, d_orphanage);
+- while (d_child != NULL) {
++ while (!IS_ERR_OR_NULL(d_child)) {
+ trace_xrep_adoption_invalidate_child(sc->mp, d_child);
+
+ ASSERT(d_is_negative(d_child));
diff --git a/queue-6.19/xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch b/queue-6.19/xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch
new file mode 100644
index 0000000000..b52a6721b9
--- /dev/null
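Review bot: In the xrep_adoption_zap_dcache() hunk, `while (!IS_ERR_OR_NULL(d_child))` makes a failed lookup end the scan exactly like "no more children", and the error is dropped because the function returns nothing (the context line is a bare `return;`). That may be fine for a best-effort dcache zap, but the code should say so, for example `/* A lookup error ends the scan like a miss; a void function has nowhere to report it. */` above the loop. The loop body and the code after it lie outside the hunk, so it cannot be confirmed from here that `d_orphanage` is still released on this exit. By contrast, the new error path in xrep_adoption_check_dcache() calls `dput(d_orphanage)` explicitly before returning.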
+++ b/queue-6.19/xfs-fix-xfs_group-release-bug-in-xfs_dax_notify_dev_failure.patch
@@ -0,0 +1,46 @@
+From eb8550fb75a875657dc29e3925a40244ec6b6bd6 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Wed, 18 Feb 2026 15:25:36 -0800
+Subject: xfs: fix xfs_group release bug in xfs_dax_notify_dev_failure
+
+From: Darrick J. Wong
+
+commit eb8550fb75a875657dc29e3925a40244ec6b6bd6 upstream.
+
+Chris Mason reports that his AI tools noticed that we were using
+xfs_perag_put and xfs_group_put to release the group reference returned
+by xfs_group_next_range. However, the iterator function returns an
+object with an active refcount, which means that we must use the correct
+function to release the active refcount, which is _rele.
+
+Cc: # v6.0
+Fixes: 6f643c57d57c56 ("xfs: implement ->notify_failure() for XFS")
+Signed-off-by: "Darrick J. Wong"
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Carlos Maiolino
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_notify_failure.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/xfs_notify_failure.c
++++ b/fs/xfs/xfs_notify_failure.c
+@@ -293,7 +293,7 @@ xfs_dax_notify_dev_failure(
+
+ error = xfs_alloc_read_agf(pag, tp, 0, &agf_bp);
+ if (error) {
+- xfs_perag_put(pag);
++ xfs_perag_rele(pag);
+ break;
+ }
+
+@@ -329,7 +329,7 @@ xfs_dax_notify_dev_failure(
+ if (rtg)
+ xfs_rtgroup_unlock(rtg, XFS_RTGLOCK_RMAP);
+ if (error) {
+- xfs_group_put(xg);
++ xfs_group_rele(xg);
+ break;
+ }
+ }
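Review bot: Both early-exit paths in xfs_dax_notify_dev_failure() now release with `_rele`, but the reason is recorded only in the commit message: the iterator hands back an active reference. A comment at the first `break` would keep the put/rele mix-up from returning, for example `/* xfs_group_next_range() returns an active ref; drop it with _rele on early exit */`. The two sites also use different helpers, `xfs_perag_rele(pag)` and `xfs_group_rele(xg)`. If `pag` is only a typed view of the same `xg`, which the hunks do not show, releasing through one helper at both sites would read more consistently. The loop header and the declarations of `pag` and `xg` are outside both hunks.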