From: Greg Kroah-Hartman Date: Tue, 17 Mar 2026 12:11:19 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.18.19~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c34f01fdfb1e8812e94f6c538dd4735970eb1cdb;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch ice-fix-retry-for-aq-command-0x06ee.patch media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch net-mana-ring-doorbell-at-4-cq-wraparounds.patch net-ncsi-fix-skb-leak-in-error-paths.patch nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch parisc-check-kernel-mapping-earlier-at-bootup.patch parisc-fix-initial-page-table-creation-for-boot.patch parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch smb-server-fix-use-after-free-in-smb2_open.patch --- diff --git a/queue-6.1/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch b/queue-6.1/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch new file mode 100644 index 0000000000..cda6c27fff --- /dev/null +++ b/queue-6.1/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch @@ -0,0 +1,106 @@ +From cfc83a3c71517b59c1047db57da31e26a9dc2f33 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 16 Feb 2026 11:20:29 +0100 +Subject: batman-adv: Avoid double-rtnl_lock ELP metric worker +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sven Eckelmann + +commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream. + +batadv_v_elp_get_throughput() might be called when the RTNL lock is already +held. This could be problematic when the work queue item is cancelled via +cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, +an rtnl_lock() would cause a deadlock. + +To avoid this, rtnl_trylock() was used in this function to skip the +retrieval of the ethtool information in case the RTNL lock was already +held. + +But for cfg80211 interfaces, batadv_get_real_netdev() was called - which +also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must +also be used instead and the lockless version __batadv_get_real_netdev() +has to be called. + +Cc: stable@vger.kernel.org +Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker") +Reported-by: Christian Schmidbauer +Signed-off-by: Sven Eckelmann +Tested-by: Sören Skaarup +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 10 +++++++++- + net/batman-adv/hard-interface.c | 8 ++++---- + net/batman-adv/hard-interface.h | 1 + + 3 files changed, 14 insertions(+), 5 deletions(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -113,7 +113,15 @@ static bool batadv_v_elp_get_throughput( + /* unsupported WiFi driver version */ + goto default_throughput; + +- real_netdev = batadv_get_real_netdev(hard_iface->net_dev); ++ /* only use rtnl_trylock because the elp worker will be cancelled while ++ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise ++ * wait forever when the elp work_item was started and it is then also ++ * trying to rtnl_lock ++ */ ++ if (!rtnl_trylock()) ++ return false; ++ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev); ++ rtnl_unlock(); + if (!real_netdev) + goto default_throughput; + +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -202,7 +202,7 @@ static bool batadv_is_valid_iface(const + } + + /** +- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual ++ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual + * interface on top of another 'real' interface + * @netdev: the device to check + * +@@ -212,7 +212,7 @@ static bool batadv_is_valid_iface(const + * Return: the 'real' net device or the original net device and NULL in case + * of an error. + */ +-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev) ++struct net_device *__batadv_get_real_netdev(struct net_device *netdev) + { + struct batadv_hard_iface *hard_iface = NULL; + struct net_device *real_netdev = NULL; +@@ -265,7 +265,7 @@ struct net_device *batadv_get_real_netde + struct net_device *real_netdev; + + rtnl_lock(); +- real_netdev = batadv_get_real_netdevice(net_device); ++ real_netdev = __batadv_get_real_netdev(net_device); + rtnl_unlock(); + + return real_netdev; +@@ -334,7 +334,7 @@ static u32 batadv_wifi_flags_evaluate(st + if (batadv_is_cfg80211_netdev(net_device)) + wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT; + +- real_netdev = batadv_get_real_netdevice(net_device); ++ real_netdev = __batadv_get_real_netdev(net_device); + if (!real_netdev) + return wifi_flags; + +--- a/net/batman-adv/hard-interface.h ++++ b/net/batman-adv/hard-interface.h +@@ -68,6 +68,7 @@ enum batadv_hard_if_bcast { + + extern struct notifier_block batadv_hard_if_notifier; + ++struct net_device *__batadv_get_real_netdev(struct net_device *net_device); + struct net_device *batadv_get_real_netdev(struct net_device *net_device); + bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface); + bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface); diff --git a/queue-6.1/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch b/queue-6.1/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch new file mode 100644 index 0000000000..6fda278594 --- /dev/null +++ b/queue-6.1/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch @@ -0,0 +1,86 @@ +From 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Wed, 4 Mar 2026 15:51:17 -0800 +Subject: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read + +From: Sanman Pradhan + +commit 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 upstream. + +The q54sj108a2_debugfs_read function suffers from a stack buffer overflow +due to incorrect arguments passed to bin2hex(). The function currently +passes 'data' as the destination and 'data_char' as the source. + +Because bin2hex() converts each input byte into two hex characters, a +32-byte block read results in 64 bytes of output. Since 'data' is only +34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end +of the buffer onto the stack. + +Additionally, the arguments were swapped: it was reading from the +zero-initialized 'data_char' and writing to 'data', resulting in +all-zero output regardless of the actual I2C read. + +Fix this by: +1. Expanding 'data_char' to 66 bytes to safely hold the hex output. +2. Correcting the bin2hex() argument order and using the actual read count. +3. Using a pointer to select the correct output buffer for the final + simple_read_from_buffer call. + +Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/hwmon/pmbus/q54sj108a2.c ++++ b/drivers/hwmon/pmbus/q54sj108a2.c +@@ -77,7 +77,8 @@ static ssize_t q54sj108a2_debugfs_read(s + int idx = *idxp; + struct q54sj108a2_data *psu = to_psu(idxp, idx); + char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 }; +- char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 }; ++ char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 }; ++ char *out = data; + char *res; + + switch (idx) { +@@ -148,27 +149,27 @@ static ssize_t q54sj108a2_debugfs_read(s + if (rc < 0) + return rc; + +- res = bin2hex(data, data_char, 32); +- rc = res - data; +- ++ res = bin2hex(data_char, data, rc); ++ rc = res - data_char; ++ out = data_char; + break; + case Q54SJ108A2_DEBUGFS_FLASH_KEY: + rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data); + if (rc < 0) + return rc; + +- res = bin2hex(data, data_char, 4); +- rc = res - data; +- ++ res = bin2hex(data_char, data, rc); ++ rc = res - data_char; ++ out = data_char; + break; + default: + return -EINVAL; + } + +- data[rc] = '\n'; ++ out[rc] = '\n'; + rc += 2; + +- return simple_read_from_buffer(buf, count, ppos, data, rc); ++ return simple_read_from_buffer(buf, count, ppos, out, rc); + } + + static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf, diff --git a/queue-6.1/ice-fix-retry-for-aq-command-0x06ee.patch b/queue-6.1/ice-fix-retry-for-aq-command-0x06ee.patch new file mode 100644 index 0000000000..4aa4066fda --- /dev/null +++ b/queue-6.1/ice-fix-retry-for-aq-command-0x06ee.patch @@ -0,0 +1,103 @@ +From fb4903b3354aed4a2301180cf991226f896c87ed Mon Sep 17 00:00:00 2001 +From: Jakub Staniszewski +Date: Tue, 13 Jan 2026 20:38:17 +0100 +Subject: ice: fix retry for AQ command 0x06EE + +From: Jakub Staniszewski + +commit fb4903b3354aed4a2301180cf991226f896c87ed upstream. + +Executing ethtool -m can fail reporting a netlink I/O error while firmware +link management holds the i2c bus used to communicate with the module. + +According to Intel(R) Ethernet Controller E810 Datasheet Rev 2.8 [1] +Section 3.3.10.4 Read/Write SFF EEPROM (0x06EE) +request should to be retried upon receiving EBUSY from firmware. + +Commit e9c9692c8a81 ("ice: Reimplement module reads used by ethtool") +implemented it only for part of ice_get_module_eeprom(), leaving all other +calls to ice_aq_sff_eeprom() vulnerable to returning early on getting +EBUSY without retrying. + +Remove the retry loop from ice_get_module_eeprom() and add Admin Queue +(AQ) command with opcode 0x06EE to the list of commands that should be +retried on receiving EBUSY from firmware. + +Cc: stable@vger.kernel.org +Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool") +Signed-off-by: Jakub Staniszewski +Co-developed-by: Dawid Osuchowski +Signed-off-by: Dawid Osuchowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Link: https://www.intel.com/content/www/us/en/content-details/613875/intel-ethernet-controller-e810-datasheet.html [1] +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_common.c | 1 + drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++++++++++----------------- + 2 files changed, 15 insertions(+), 21 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -1570,6 +1570,7 @@ static bool ice_should_retry_sq_send_cmd + case ice_aqc_opc_lldp_stop: + case ice_aqc_opc_lldp_start: + case ice_aqc_opc_lldp_filter_ctrl: ++ case ice_aqc_opc_sff_eeprom: + return true; + } + +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -4089,7 +4089,7 @@ ice_get_module_eeprom(struct net_device + struct ice_pf *pf = vsi->back; + struct ice_hw *hw = &pf->hw; + bool is_sfp = false; +- unsigned int i, j; ++ unsigned int i; + u16 offset = 0; + u8 page = 0; + int status; +@@ -4131,26 +4131,19 @@ ice_get_module_eeprom(struct net_device + if (page == 0 || !(data[0x2] & 0x4)) { + u32 copy_len; + +- /* If i2c bus is busy due to slow page change or +- * link management access, call can fail. This is normal. +- * So we retry this a few times. +- */ +- for (j = 0; j < 4; j++) { +- status = ice_aq_sff_eeprom(hw, 0, addr, offset, page, +- !is_sfp, value, +- SFF_READ_BLOCK_SIZE, +- 0, NULL); +- netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%X)\n", +- addr, offset, page, is_sfp, +- value[0], value[1], value[2], value[3], +- value[4], value[5], value[6], value[7], +- status); +- if (status) { +- usleep_range(1500, 2500); +- memset(value, 0, SFF_READ_BLOCK_SIZE); +- continue; +- } +- break; ++ status = ice_aq_sff_eeprom(hw, 0, addr, offset, page, ++ !is_sfp, value, ++ SFF_READ_BLOCK_SIZE, ++ 0, NULL); ++ netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%pe)\n", ++ addr, offset, page, is_sfp, ++ value[0], value[1], value[2], value[3], ++ value[4], value[5], value[6], value[7], ++ ERR_PTR(status)); ++ if (status) { ++ netdev_err(netdev, "%s: error reading module EEPROM: status %pe\n", ++ __func__, ERR_PTR(status)); ++ return status; + } + + /* Make sure we have enough room for the new block */ diff --git a/queue-6.1/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch b/queue-6.1/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch new file mode 100644 index 0000000000..bcef47e83d --- /dev/null +++ b/queue-6.1/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch @@ -0,0 +1,41 @@ +From 24d87712727a5017ad142d63940589a36cd25647 Mon Sep 17 00:00:00 2001 +From: Ariel Silver +Date: Sat, 21 Feb 2026 15:26:00 +0100 +Subject: media: dvb-net: fix OOB access in ULE extension header tables + +From: Ariel Silver + +commit 24d87712727a5017ad142d63940589a36cd25647 upstream. + +The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables +in handle_one_ule_extension() are declared with 255 elements (valid +indices 0-254), but the index htype is derived from network-controlled +data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When +htype equals 255, an out-of-bounds read occurs on the function pointer +table, and the OOB value may be called as a function pointer. + +Add a bounds check on htype against the array size before either table +is accessed. Out-of-range values now cause the SNDU to be discarded. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Ariel Silver +Signed-off-by: Ariel Silver +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvb_net.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str + unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8; + unsigned char htype = p->ule_sndu_type & 0x00FF; + ++ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers)) ++ return -1; ++ + /* Discriminate mandatory and optional extension headers. */ + if (hlen == 0) { + /* Mandatory extension header */ diff --git a/queue-6.1/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch b/queue-6.1/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch new file mode 100644 index 0000000000..2db2ef3f4e --- /dev/null +++ b/queue-6.1/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch @@ -0,0 +1,53 @@ +From 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c Mon Sep 17 00:00:00 2001 +From: Fan Wu +Date: Mon, 9 Mar 2026 13:24:09 +0000 +Subject: net: ethernet: arc: emac: quiesce interrupts before requesting IRQ + +From: Fan Wu + +commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream. + +Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe +should not see interrupt delivery in the usual case. However, hardware may +still present stale or latched interrupt status left by firmware or the +bootloader. + +If probe later unwinds after devm_request_irq() has installed the handler, +such a stale interrupt can still reach arc_emac_intr() during teardown and +race with release of the associated net_device. + +Avoid that window by putting the device into a known quiescent state before +requesting the IRQ: disable all EMAC interrupt sources and clear any +pending EMAC interrupt status bits. This keeps the change hardware-focused +and minimal, while preventing spurious IRQ delivery from leftover state. + +Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver") +Cc: stable@vger.kernel.org +Signed-off-by: Fan Wu +Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/ethernet/arc/emac_main.c ++++ b/drivers/net/ethernet/arc/emac_main.c +@@ -934,6 +934,17 @@ int arc_emac_probe(struct net_device *nd + /* Set poll rate so that it polls every 1 ms */ + arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000); + ++ /* ++ * Put the device into a known quiescent state before requesting ++ * the IRQ. Clear only EMAC interrupt status bits here; leave the ++ * MDIO completion bit alone and avoid writing TXPL_MASK, which is ++ * used to force TX polling rather than acknowledge interrupts. ++ */ ++ arc_reg_set(priv, R_ENABLE, 0); ++ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK | ++ TXCH_MASK | MSER_MASK | RXCR_MASK | ++ RXFR_MASK | RXFL_MASK); ++ + ndev->irq = irq; + dev_info(dev, "IRQ is %d\n", ndev->irq); + diff --git a/queue-6.1/net-mana-ring-doorbell-at-4-cq-wraparounds.patch b/queue-6.1/net-mana-ring-doorbell-at-4-cq-wraparounds.patch new file mode 100644 index 0000000000..49d8dab3ee --- /dev/null +++ b/queue-6.1/net-mana-ring-doorbell-at-4-cq-wraparounds.patch @@ -0,0 +1,88 @@ +From dabffd08545ffa1d7183bc45e387860984025291 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Thu, 26 Feb 2026 11:28:33 -0800 +Subject: net: mana: Ring doorbell at 4 CQ wraparounds + +From: Long Li + +commit dabffd08545ffa1d7183bc45e387860984025291 upstream. + +MANA hardware requires at least one doorbell ring every 8 wraparounds +of the CQ. The driver rings the doorbell as a form of flow control to +inform hardware that CQEs have been consumed. + +The NAPI poll functions mana_poll_tx_cq() and mana_poll_rx_cq() can +poll up to CQE_POLLING_BUFFER (512) completions per call. If the CQ +has fewer than 512 entries, a single poll call can process more than +4 wraparounds without ringing the doorbell. The doorbell threshold +check also uses ">" instead of ">=", delaying the ring by one extra +CQE beyond 4 wraparounds. Combined, these issues can cause the driver +to exceed the 8-wraparound hardware limit, leading to missed +completions and stalled queues. + +Fix this by capping the number of CQEs polled per call to 4 wraparounds +of the CQ in both TX and RX paths. Also change the doorbell threshold +from ">" to ">=" so the doorbell is rung as soon as 4 wraparounds are +reached. + +Cc: stable@vger.kernel.org +Fixes: 58a63729c957 ("net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings") +Signed-off-by: Long Li +Reviewed-by: Haiyang Zhang +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260226192833.1050807-1-longli@microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -973,8 +973,14 @@ static void mana_poll_tx_cq(struct mana_ + ndev = txq->ndev; + apc = netdev_priv(ndev); + ++ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the ++ * doorbell can be rung in time for the hardware's requirement ++ * of at least one doorbell ring every 8 wraparounds. ++ */ + comp_read = mana_gd_poll_cq(cq->gdma_cq, completions, +- CQE_POLLING_BUFFER); ++ min((cq->gdma_cq->queue_size / ++ COMP_ENTRY_SIZE) * 4, ++ CQE_POLLING_BUFFER)); + + if (comp_read < 1) + return; +@@ -1288,7 +1294,14 @@ static void mana_poll_rx_cq(struct mana_ + struct mana_rxq *rxq = cq->rxq; + int comp_read, i; + +- comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, CQE_POLLING_BUFFER); ++ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the ++ * doorbell can be rung in time for the hardware's requirement ++ * of at least one doorbell ring every 8 wraparounds. ++ */ ++ comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, ++ min((cq->gdma_cq->queue_size / ++ COMP_ENTRY_SIZE) * 4, ++ CQE_POLLING_BUFFER)); + WARN_ON_ONCE(comp_read > CQE_POLLING_BUFFER); + + rxq->xdp_flush = false; +@@ -1327,11 +1340,11 @@ static int mana_cq_handler(void *context + mana_gd_ring_cq(gdma_queue, SET_ARM_BIT); + cq->work_done_since_doorbell = 0; + napi_complete_done(&cq->napi, w); +- } else if (cq->work_done_since_doorbell > +- cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) { ++ } else if (cq->work_done_since_doorbell >= ++ (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4) { + /* MANA hardware requires at least one doorbell ring every 8 + * wraparounds of CQ even if there is no need to arm the CQ. +- * This driver rings the doorbell as soon as we have exceeded ++ * This driver rings the doorbell as soon as it has processed + * 4 wraparounds. + */ + mana_gd_ring_cq(gdma_queue, 0); diff --git a/queue-6.1/net-ncsi-fix-skb-leak-in-error-paths.patch b/queue-6.1/net-ncsi-fix-skb-leak-in-error-paths.patch new file mode 100644 index 0000000000..af37831cd9 --- /dev/null +++ b/queue-6.1/net-ncsi-fix-skb-leak-in-error-paths.patch @@ -0,0 +1,85 @@ +From 5c3398a54266541610c8d0a7082e654e9ff3e259 Mon Sep 17 00:00:00 2001 +From: Jian Zhang +Date: Thu, 5 Mar 2026 14:06:55 +0800 +Subject: net: ncsi: fix skb leak in error paths + +From: Jian Zhang + +commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream. + +Early return paths in NCSI RX and AEN handlers fail to release +the received skb, resulting in a memory leak. + +Specifically, ncsi_aen_handler() returns on invalid AEN packets +without consuming the skb. Similarly, ncsi_rcv_rsp() exits early +when failing to resolve the NCSI device, response handler, or +request, leaving the skb unfreed. + +CC: stable@vger.kernel.org +Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler") +Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler") +Signed-off-by: Jian Zhang +Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/ncsi-aen.c | 3 ++- + net/ncsi/ncsi-rsp.c | 16 ++++++++++++---- + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/net/ncsi/ncsi-aen.c ++++ b/net/ncsi/ncsi-aen.c +@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri + if (!nah) { + netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n", + h->type); +- return -ENOENT; ++ ret = -ENOENT; ++ goto out; + } + + ret = ncsi_validate_aen_pkt(h, nah->payload); +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + /* Find the NCSI device */ + nd = ncsi_find_dev(orig_dev); + ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL; +- if (!ndp) +- return -ENODEV; ++ if (!ndp) { ++ ret = -ENODEV; ++ goto err_free_skb; ++ } + + /* Check if it is AEN packet */ + hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb); +@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + if (!nrh) { + netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n", + hdr->type); +- return -ENOENT; ++ ret = -ENOENT; ++ goto err_free_skb; + } + + /* Associate with the request */ +@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + nr = &ndp->requests[hdr->id]; + if (!nr->used) { + spin_unlock_irqrestore(&ndp->lock, flags); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_free_skb; + } + + nr->rsp = skb; +@@ -1261,4 +1265,8 @@ out_netlink: + out: + ncsi_free_request(nr); + return ret; ++ ++err_free_skb: ++ kfree_skb(skb); ++ return ret; + } diff --git a/queue-6.1/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch b/queue-6.1/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch new file mode 100644 index 0000000000..643fc515e5 --- /dev/null +++ b/queue-6.1/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch @@ -0,0 +1,45 @@ +From 8f3c6f08ababad2e3bdd239728cf66a9949446b4 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 24 Feb 2026 13:17:50 +1000 +Subject: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep + +From: Dave Airlie + +commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream. + +If we have runtime suspended, and userspace wants to use /dev/drm_dp_* +then just tell it the device is busy instead of crashing in the GSP +code. + +WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] +CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) +Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024 +RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] + +This is a simple fix to get backported. We should probably engineer a +proper power domain solution to wake up devices and keep them awake +while fw updates are happening. + +Cc: stable@vger.kernel.org +Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector") +Reviewed-by: Lyude Paul +Signed-off-by: Dave Airlie +Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -1210,6 +1210,9 @@ nouveau_connector_aux_xfer(struct drm_dp + u8 size = msg->size; + int ret; + ++ if (pm_runtime_suspended(nv_connector->base.dev->dev)) ++ return -EBUSY; ++ + nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP); + if (!nv_encoder || !(aux = nv_encoder->aux)) + return -ENODEV; diff --git a/queue-6.1/parisc-check-kernel-mapping-earlier-at-bootup.patch b/queue-6.1/parisc-check-kernel-mapping-earlier-at-bootup.patch new file mode 100644 index 0000000000..292af62cf6 --- /dev/null +++ b/queue-6.1/parisc-check-kernel-mapping-earlier-at-bootup.patch @@ -0,0 +1,60 @@ +From 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 3 Mar 2026 23:36:11 +0100 +Subject: parisc: Check kernel mapping earlier at bootup + +From: Helge Deller + +commit 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c upstream. + +The check if the initial mapping is sufficient needs to happen much +earlier during bootup. Move this test directly to the start_parisc() +function and use native PDC iodc functions to print the warning, because +panic() and printk() are not functional yet. + +This fixes boot when enabling various KALLSYSMS options which need +much more space. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/setup.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/arch/parisc/kernel/setup.c ++++ b/arch/parisc/kernel/setup.c +@@ -135,14 +135,6 @@ void __init setup_arch(char **cmdline_p) + #endif + printk(KERN_CONT ".\n"); + +- /* +- * Check if initial kernel page mappings are sufficient. +- * panic early if not, else we may access kernel functions +- * and variables which can't be reached. +- */ +- if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE) +- panic("KERNEL_INITIAL_ORDER too small!"); +- + #ifdef CONFIG_64BIT + if(parisc_narrow_firmware) { + printk(KERN_INFO "Kernel is using PDC in 32-bit mode.\n"); +@@ -398,6 +390,18 @@ void __init start_parisc(void) + int ret, cpunum; + struct pdc_coproc_cfg coproc_cfg; + ++ /* ++ * Check if initial kernel page mapping is sufficient. ++ * Print warning if not, because we may access kernel functions and ++ * variables which can't be reached yet through the initial mappings. ++ * Note that the panic() and printk() functions are not functional ++ * yet, so we need to use direct iodc() firmware calls instead. ++ */ ++ const char warn1[] = "CRITICAL: Kernel may crash because " ++ "KERNEL_INITIAL_ORDER is too small.\n"; ++ if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE) ++ pdc_iodc_print(warn1, sizeof(warn1) - 1); ++ + /* check QEMU/SeaBIOS marker in PAGE0 */ + running_on_qemu = (memcmp(&PAGE0->pad0, "SeaBIOS", 8) == 0); + diff --git a/queue-6.1/parisc-fix-initial-page-table-creation-for-boot.patch b/queue-6.1/parisc-fix-initial-page-table-creation-for-boot.patch new file mode 100644 index 0000000000..8a750d508e --- /dev/null +++ b/queue-6.1/parisc-fix-initial-page-table-creation-for-boot.patch @@ -0,0 +1,46 @@ +From 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 4 Mar 2026 22:24:18 +0100 +Subject: parisc: Fix initial page table creation for boot + +From: Helge Deller + +commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream. + +The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or +64 MB) of the page table during bootup. Up until now the whole area was +initialized with PTE entries, but there was no check if we filled too +many entries. Change the code to fill up with so many entries that the +"_end" symbol can be reached by the kernel, but not more entries than +actually fit into the initial PTE tables. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/head.S | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/head.S ++++ b/arch/parisc/kernel/head.S +@@ -56,6 +56,7 @@ ENTRY(parisc_kernel_start) + + .import __bss_start,data + .import __bss_stop,data ++ .import __end,data + + load32 PA(__bss_start),%r3 + load32 PA(__bss_stop),%r4 +@@ -149,7 +150,11 @@ $cpu_ok: + * everything ... it will get remapped correctly later */ + ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */ + load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */ +- load32 PA(pg0),%r1 ++ load32 PA(_end),%r1 ++ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */ ++ cmpb,<<,n %r11,%r1,1f ++ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */ ++1: load32 PA(pg0),%r1 + + $pgt_fill_loop: + STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1) diff --git a/queue-6.1/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch b/queue-6.1/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch new file mode 100644 index 0000000000..05e971b4a6 --- /dev/null +++ b/queue-6.1/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch @@ -0,0 +1,30 @@ +From 8e732934fb81282be41602550e7e07baf265e972 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 3 Mar 2026 23:36:10 +0100 +Subject: parisc: Increase initial mapping to 64 MB with KALLSYMS + +From: Helge Deller + +commit 8e732934fb81282be41602550e7e07baf265e972 upstream. + +The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS +is used. Increase the mapping to 64 MB in this case. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/pgtable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -94,7 +94,7 @@ extern void __update_cache(pte_t pte); + printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e)) + + /* This is the size of the initially mapped kernel memory */ +-#if defined(CONFIG_64BIT) ++#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS) + #define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */ + #else + #define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */ diff --git a/queue-6.1/series b/queue-6.1/series index 2675a8b9e9..9620da09d6 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -234,3 +234,15 @@ irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports ixgbevf-fix-link-setup-issue.patch staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch +media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch +net-mana-ring-doorbell-at-4-cq-wraparounds.patch +ice-fix-retry-for-aq-command-0x06ee.patch +batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch +parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch +nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch +hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch +parisc-fix-initial-page-table-creation-for-boot.patch +parisc-check-kernel-mapping-earlier-at-bootup.patch +smb-server-fix-use-after-free-in-smb2_open.patch +net-ncsi-fix-skb-leak-in-error-paths.patch +net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch diff --git a/queue-6.1/smb-server-fix-use-after-free-in-smb2_open.patch b/queue-6.1/smb-server-fix-use-after-free-in-smb2_open.patch new file mode 100644 index 0000000000..65535936a6 --- /dev/null +++ b/queue-6.1/smb-server-fix-use-after-free-in-smb2_open.patch @@ -0,0 +1,44 @@ +From 1e689a56173827669a35da7cb2a3c78ed5c53680 Mon Sep 17 00:00:00 2001 +From: Marios Makassikis +Date: Tue, 3 Mar 2026 11:14:32 +0100 +Subject: smb: server: fix use-after-free in smb2_open() + +From: Marios Makassikis + +commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream. + +The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is +dereferenced after rcu_read_unlock(), creating a use-after-free +window. + +Cc: stable@vger.kernel.org +Signed-off-by: Marios Makassikis +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3343,10 +3343,8 @@ int smb2_open(struct ksmbd_work *work) + memcpy(fp->client_guid, conn->ClientGUID, SMB2_CLIENT_GUID_SIZE); + + rsp->StructureSize = cpu_to_le16(89); +- rcu_read_lock(); +- opinfo = rcu_dereference(fp->f_opinfo); ++ opinfo = opinfo_get(fp); + rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0; +- rcu_read_unlock(); + rsp->Flags = 0; + rsp->CreateAction = cpu_to_le32(file_info); + rsp->CreationTime = cpu_to_le64(fp->create_time); +@@ -3387,6 +3385,7 @@ int smb2_open(struct ksmbd_work *work) + next_ptr = &lease_ccontext->Next; + next_off = conn->vals->create_lease_size; + } ++ opinfo_put(opinfo); + + if (maximal_access_ctxt) { + struct create_context *mxac_ccontext;