From: Sasha Levin Date: Mon, 2 Feb 2026 15:11:26 +0000 (-0500) Subject: Fixes for all trees X-Git-Tag: v5.10.249~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3be441ae71cc84ca626051053bb1939fecd5757;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/dma-pool-distinguish-between-missing-and-exhausted-a.patch b/queue-5.10/dma-pool-distinguish-between-missing-and-exhausted-a.patch new file mode 100644 index 0000000000..c6d965b320 --- /dev/null +++ b/queue-5.10/dma-pool-distinguish-between-missing-and-exhausted-a.patch @@ -0,0 +1,68 @@ +From 0f97a11d4ab8b3ae1d198102c1a67b480be7f356 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 19:05:54 +0530 +Subject: dma/pool: distinguish between missing and exhausted atomic pools + +From: Sai Sree Kartheek Adivi + +[ Upstream commit 56c430c7f06d838fe3b2077dbbc4cc0bf992312b ] + +Currently, dma_alloc_from_pool() unconditionally warns and dumps a stack +trace when an allocation fails, with the message "Failed to get suitable +pool". + +This conflates two distinct failure modes: +1. Configuration error: No atomic pool is available for the requested + DMA mask (a fundamental system setup issue) +2. Resource Exhaustion: A suitable pool exists but is currently full (a + recoverable runtime state) + +This lack of distinction prevents drivers from using __GFP_NOWARN to +suppress error messages during temporary pressure spikes, such as when +awaiting synchronous reclaim of descriptors. + +Refactor the error handling to distinguish these cases: +- If no suitable pool is found, keep the unconditional WARN regarding + the missing pool. +- If a pool was found but is exhausted, respect __GFP_NOWARN and update + the warning message to explicitly state "DMA pool exhausted". + +Fixes: 9420139f516d ("dma-pool: fix coherent pool allocations for IOMMU mappings") +Signed-off-by: Sai Sree Kartheek Adivi +Reviewed-by: Robin Murphy +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20260128133554.3056582-1-s-adivi@ti.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index 32efef1660096..484050de72fd4 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -271,15 +271,20 @@ struct page *dma_alloc_from_pool(struct device *dev, size_t size, + { + struct gen_pool *pool = NULL; + struct page *page; ++ bool pool_found = false; + + while ((pool = dma_guess_pool(pool, gfp))) { ++ pool_found = true; + page = __dma_alloc_from_pool(dev, size, pool, cpu_addr, + phys_addr_ok); + if (page) + return page; + } + +- WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); ++ if (pool_found) ++ WARN(!(gfp & __GFP_NOWARN), "DMA pool exhausted for %s\n", dev_name(dev)); ++ else ++ WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); + return NULL; + } + +-- +2.51.0 + diff --git a/queue-5.10/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch b/queue-5.10/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch new file mode 100644 index 0000000000..3038db32b2 --- /dev/null +++ b/queue-5.10/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch @@ -0,0 +1,56 @@ +From e053c544b4797559585e7aafc8fc0d5f095af324 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 19:45:15 +0800 +Subject: scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() + +From: Kery Qi + +[ Upstream commit b2d6b1d443009ed4da2d69f5423ab38e5780505a ] + +The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of +"tpg->tport_tpgt" is u16. This causes a type truncation issue. + +When a user creates a TPG via configfs mkdir, for example: + + mkdir /sys/kernel/config/target/sbp//tpgt_70000 + +The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less +than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt, +the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the +value the user specified to differ from what is actually stored, leading to +confusion and potential unexpected behavior. + +Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which +will properly reject values outside the u16 range. + +Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/sbp/sbp_target.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c +index e4a9b9fe3dfb0..9445bf3409fd1 100644 +--- a/drivers/target/sbp/sbp_target.c ++++ b/drivers/target/sbp/sbp_target.c +@@ -1989,12 +1989,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn, + container_of(wwn, struct sbp_tport, tport_wwn); + + struct sbp_tpg *tpg; +- unsigned long tpgt; ++ u16 tpgt; + int ret; + + if (strstr(name, "tpgt_") != name) + return ERR_PTR(-EINVAL); +- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) ++ if (kstrtou16(name + 5, 10, &tpgt)) + return ERR_PTR(-EINVAL); + + if (tport->tpg) { +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index ede948d733..3343f40960 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -130,3 +130,5 @@ net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch net-bridge-fix-static-key-check.patch +scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch +dma-pool-distinguish-between-missing-and-exhausted-a.patch diff --git a/queue-5.15/dma-pool-distinguish-between-missing-and-exhausted-a.patch b/queue-5.15/dma-pool-distinguish-between-missing-and-exhausted-a.patch new file mode 100644 index 0000000000..b434670597 --- /dev/null +++ b/queue-5.15/dma-pool-distinguish-between-missing-and-exhausted-a.patch @@ -0,0 +1,68 @@ +From b9a100f357306f379d838973c4948210cfd32543 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 19:05:54 +0530 +Subject: dma/pool: distinguish between missing and exhausted atomic pools + +From: Sai Sree Kartheek Adivi + +[ Upstream commit 56c430c7f06d838fe3b2077dbbc4cc0bf992312b ] + +Currently, dma_alloc_from_pool() unconditionally warns and dumps a stack +trace when an allocation fails, with the message "Failed to get suitable +pool". + +This conflates two distinct failure modes: +1. Configuration error: No atomic pool is available for the requested + DMA mask (a fundamental system setup issue) +2. Resource Exhaustion: A suitable pool exists but is currently full (a + recoverable runtime state) + +This lack of distinction prevents drivers from using __GFP_NOWARN to +suppress error messages during temporary pressure spikes, such as when +awaiting synchronous reclaim of descriptors. + +Refactor the error handling to distinguish these cases: +- If no suitable pool is found, keep the unconditional WARN regarding + the missing pool. +- If a pool was found but is exhausted, respect __GFP_NOWARN and update + the warning message to explicitly state "DMA pool exhausted". + +Fixes: 9420139f516d ("dma-pool: fix coherent pool allocations for IOMMU mappings") +Signed-off-by: Sai Sree Kartheek Adivi +Reviewed-by: Robin Murphy +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20260128133554.3056582-1-s-adivi@ti.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index 1e9d4cb018693..8fc6e3b8f8372 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -268,15 +268,20 @@ struct page *dma_alloc_from_pool(struct device *dev, size_t size, + { + struct gen_pool *pool = NULL; + struct page *page; ++ bool pool_found = false; + + while ((pool = dma_guess_pool(pool, gfp))) { ++ pool_found = true; + page = __dma_alloc_from_pool(dev, size, pool, cpu_addr, + phys_addr_ok); + if (page) + return page; + } + +- WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); ++ if (pool_found) ++ WARN(!(gfp & __GFP_NOWARN), "DMA pool exhausted for %s\n", dev_name(dev)); ++ else ++ WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); + return NULL; + } + +-- +2.51.0 + diff --git a/queue-5.15/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch b/queue-5.15/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch new file mode 100644 index 0000000000..c7c92e5f4a --- /dev/null +++ b/queue-5.15/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch @@ -0,0 +1,45 @@ +From 903479dae41c31ff60ab5cc0f207ef89dd5b2d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 06:59:14 +0300 +Subject: gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler + +From: Denis Sergeev + +[ Upstream commit c0ae43d303e45764918fa8c1dc13d6a5db59c479 ] + +The BIT() macro uses unsigned long, which is 32 bits on 32-bit +architectures. When iterating over GPIO pins with index >= 32, +the expression (*value & BIT(i)) causes undefined behavior due +to shifting by a value >= type width. + +Since 'value' is a pointer to u64, use BIT_ULL() to ensure correct +64-bit mask on all architectures. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 2c4d00cb8fc5 ("gpiolib: acpi: Use BIT() macro to increase readability") +Signed-off-by: Denis Sergeev +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20260126035914.16586-1-denserg.edu@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index 27e3fb9938049..3e4fd028a82da 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1173,7 +1173,7 @@ acpi_gpio_adr_space_handler(u32 function, acpi_physical_address address, + mutex_unlock(&achip->conn_lock); + + if (function == ACPI_WRITE) +- gpiod_set_raw_value_cansleep(desc, !!(*value & BIT(i))); ++ gpiod_set_raw_value_cansleep(desc, !!(*value & BIT_ULL(i))); + else + *value |= (u64)gpiod_get_raw_value_cansleep(desc) << i; + } +-- +2.51.0 + diff --git a/queue-5.15/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch b/queue-5.15/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch new file mode 100644 index 0000000000..12c0c33187 --- /dev/null +++ b/queue-5.15/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch @@ -0,0 +1,56 @@ +From ea8cd367c464f9fc2add575bfd111763ff2488ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 19:45:15 +0800 +Subject: scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() + +From: Kery Qi + +[ Upstream commit b2d6b1d443009ed4da2d69f5423ab38e5780505a ] + +The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of +"tpg->tport_tpgt" is u16. This causes a type truncation issue. + +When a user creates a TPG via configfs mkdir, for example: + + mkdir /sys/kernel/config/target/sbp//tpgt_70000 + +The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less +than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt, +the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the +value the user specified to differ from what is actually stored, leading to +confusion and potential unexpected behavior. + +Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which +will properly reject values outside the u16 range. + +Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/sbp/sbp_target.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c +index b9f9fb5d7e63e..7e7d32669dfbc 100644 +--- a/drivers/target/sbp/sbp_target.c ++++ b/drivers/target/sbp/sbp_target.c +@@ -1986,12 +1986,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn, + container_of(wwn, struct sbp_tport, tport_wwn); + + struct sbp_tpg *tpg; +- unsigned long tpgt; ++ u16 tpgt; + int ret; + + if (strstr(name, "tpgt_") != name) + return ERR_PTR(-EINVAL); +- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) ++ if (kstrtou16(name + 5, 10, &tpgt)) + return ERR_PTR(-EINVAL); + + if (tport->tpg) { +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 4d5974b92b..638567924a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -145,3 +145,6 @@ net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch net-bridge-fix-static-key-check.patch +scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch +gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch +dma-pool-distinguish-between-missing-and-exhausted-a.patch diff --git a/queue-6.1/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch b/queue-6.1/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch new file mode 100644 index 0000000000..afac542bb5 --- /dev/null +++ b/queue-6.1/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch @@ -0,0 +1,43 @@ +From 0f2c3f6450c41e3f11b05cea959ca8e43505dda6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 18:24:35 +0300 +Subject: ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion + +From: Tagir Garaev + +[ Upstream commit 213c4e51267fd825cd21a08a055450cac7e0b7fb ] + +The headphone GPIO should be set to the inverse of speaker_en. +When speakers are enabled, headphones should be disabled and vice versa. + +Currently both GPIOs are set to the same value (speaker_en), causing +audio to play through both speakers and headphones simultaneously +when headphones are plugged in. + +Tested on Huawei Matebook (BOD-WXX9) with ES8336 codec. + +Fixes: 6e1ff1459e00 ("ASoC: Intel: sof_es8336: support a separate gpio to control headphone") +Signed-off-by: Tagir Garaev +Link: https://patch.msgid.link/20260121152435.101698-1-tgaraev653@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_es8336.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/sof_es8336.c b/sound/soc/intel/boards/sof_es8336.c +index e22d767b6e97a..41dab5dcf79a3 100644 +--- a/sound/soc/intel/boards/sof_es8336.c ++++ b/sound/soc/intel/boards/sof_es8336.c +@@ -120,7 +120,7 @@ static void pcm_pop_work_events(struct work_struct *work) + gpiod_set_value_cansleep(priv->gpio_speakers, priv->speaker_en); + + if (quirk & SOF_ES8336_HEADPHONE_GPIO) +- gpiod_set_value_cansleep(priv->gpio_headphone, priv->speaker_en); ++ gpiod_set_value_cansleep(priv->gpio_headphone, !priv->speaker_en); + + } + +-- +2.51.0 + diff --git a/queue-6.1/dma-pool-distinguish-between-missing-and-exhausted-a.patch b/queue-6.1/dma-pool-distinguish-between-missing-and-exhausted-a.patch new file mode 100644 index 0000000000..2c75c3645d --- /dev/null +++ b/queue-6.1/dma-pool-distinguish-between-missing-and-exhausted-a.patch @@ -0,0 +1,68 @@ +From 04bce4fe7028c9d68754dc2122fb8f6897112335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 19:05:54 +0530 +Subject: dma/pool: distinguish between missing and exhausted atomic pools + +From: Sai Sree Kartheek Adivi + +[ Upstream commit 56c430c7f06d838fe3b2077dbbc4cc0bf992312b ] + +Currently, dma_alloc_from_pool() unconditionally warns and dumps a stack +trace when an allocation fails, with the message "Failed to get suitable +pool". + +This conflates two distinct failure modes: +1. Configuration error: No atomic pool is available for the requested + DMA mask (a fundamental system setup issue) +2. Resource Exhaustion: A suitable pool exists but is currently full (a + recoverable runtime state) + +This lack of distinction prevents drivers from using __GFP_NOWARN to +suppress error messages during temporary pressure spikes, such as when +awaiting synchronous reclaim of descriptors. + +Refactor the error handling to distinguish these cases: +- If no suitable pool is found, keep the unconditional WARN regarding + the missing pool. +- If a pool was found but is exhausted, respect __GFP_NOWARN and update + the warning message to explicitly state "DMA pool exhausted". + +Fixes: 9420139f516d ("dma-pool: fix coherent pool allocations for IOMMU mappings") +Signed-off-by: Sai Sree Kartheek Adivi +Reviewed-by: Robin Murphy +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20260128133554.3056582-1-s-adivi@ti.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index 1e9d4cb018693..8fc6e3b8f8372 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -268,15 +268,20 @@ struct page *dma_alloc_from_pool(struct device *dev, size_t size, + { + struct gen_pool *pool = NULL; + struct page *page; ++ bool pool_found = false; + + while ((pool = dma_guess_pool(pool, gfp))) { ++ pool_found = true; + page = __dma_alloc_from_pool(dev, size, pool, cpu_addr, + phys_addr_ok); + if (page) + return page; + } + +- WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); ++ if (pool_found) ++ WARN(!(gfp & __GFP_NOWARN), "DMA pool exhausted for %s\n", dev_name(dev)); ++ else ++ WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); + return NULL; + } + +-- +2.51.0 + diff --git a/queue-6.1/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch b/queue-6.1/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch new file mode 100644 index 0000000000..7688b76ae4 --- /dev/null +++ b/queue-6.1/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch @@ -0,0 +1,45 @@ +From aada42a7589ed7c487055bc54309d5f64f386352 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 06:59:14 +0300 +Subject: gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler + +From: Denis Sergeev + +[ Upstream commit c0ae43d303e45764918fa8c1dc13d6a5db59c479 ] + +The BIT() macro uses unsigned long, which is 32 bits on 32-bit +architectures. When iterating over GPIO pins with index >= 32, +the expression (*value & BIT(i)) causes undefined behavior due +to shifting by a value >= type width. + +Since 'value' is a pointer to u64, use BIT_ULL() to ensure correct +64-bit mask on all architectures. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 2c4d00cb8fc5 ("gpiolib: acpi: Use BIT() macro to increase readability") +Signed-off-by: Denis Sergeev +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20260126035914.16586-1-denserg.edu@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index baa77a8e83652..11338f47d884d 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1184,7 +1184,7 @@ acpi_gpio_adr_space_handler(u32 function, acpi_physical_address address, + mutex_unlock(&achip->conn_lock); + + if (function == ACPI_WRITE) +- gpiod_set_raw_value_cansleep(desc, !!(*value & BIT(i))); ++ gpiod_set_raw_value_cansleep(desc, !!(*value & BIT_ULL(i))); + else + *value |= (u64)gpiod_get_raw_value_cansleep(desc) << i; + } +-- +2.51.0 + diff --git a/queue-6.1/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch b/queue-6.1/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch new file mode 100644 index 0000000000..9a0780966a --- /dev/null +++ b/queue-6.1/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch @@ -0,0 +1,56 @@ +From 21ac29a37cfe84fe76887fabd033428ed1863aab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 19:45:15 +0800 +Subject: scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() + +From: Kery Qi + +[ Upstream commit b2d6b1d443009ed4da2d69f5423ab38e5780505a ] + +The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of +"tpg->tport_tpgt" is u16. This causes a type truncation issue. + +When a user creates a TPG via configfs mkdir, for example: + + mkdir /sys/kernel/config/target/sbp//tpgt_70000 + +The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less +than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt, +the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the +value the user specified to differ from what is actually stored, leading to +confusion and potential unexpected behavior. + +Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which +will properly reject values outside the u16 range. + +Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/sbp/sbp_target.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c +index 504670994fb46..97a5565fb14e9 100644 +--- a/drivers/target/sbp/sbp_target.c ++++ b/drivers/target/sbp/sbp_target.c +@@ -1986,12 +1986,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn, + container_of(wwn, struct sbp_tport, tport_wwn); + + struct sbp_tpg *tpg; +- unsigned long tpgt; ++ u16 tpgt; + int ret; + + if (strstr(name, "tpgt_") != name) + return ERR_PTR(-EINVAL); +- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) ++ if (kstrtou16(name + 5, 10, &tpgt)) + return ERR_PTR(-EINVAL); + + if (tport->tpg) { +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 8b7b518602..833797dc31 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -199,3 +199,7 @@ net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch net-bridge-fix-static-key-check.patch +scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch +asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch +gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch +dma-pool-distinguish-between-missing-and-exhausted-a.patch diff --git a/queue-6.12/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch b/queue-6.12/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch new file mode 100644 index 0000000000..29b207b918 --- /dev/null +++ b/queue-6.12/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch @@ -0,0 +1,43 @@ +From 777fe9cc59c974f4e06f25a113403e9d99386403 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 18:24:35 +0300 +Subject: ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion + +From: Tagir Garaev + +[ Upstream commit 213c4e51267fd825cd21a08a055450cac7e0b7fb ] + +The headphone GPIO should be set to the inverse of speaker_en. +When speakers are enabled, headphones should be disabled and vice versa. + +Currently both GPIOs are set to the same value (speaker_en), causing +audio to play through both speakers and headphones simultaneously +when headphones are plugged in. + +Tested on Huawei Matebook (BOD-WXX9) with ES8336 codec. + +Fixes: 6e1ff1459e00 ("ASoC: Intel: sof_es8336: support a separate gpio to control headphone") +Signed-off-by: Tagir Garaev +Link: https://patch.msgid.link/20260121152435.101698-1-tgaraev653@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_es8336.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/sof_es8336.c b/sound/soc/intel/boards/sof_es8336.c +index fc998fe4b1960..bc27229be7c24 100644 +--- a/sound/soc/intel/boards/sof_es8336.c ++++ b/sound/soc/intel/boards/sof_es8336.c +@@ -120,7 +120,7 @@ static void pcm_pop_work_events(struct work_struct *work) + gpiod_set_value_cansleep(priv->gpio_speakers, priv->speaker_en); + + if (quirk & SOF_ES8336_HEADPHONE_GPIO) +- gpiod_set_value_cansleep(priv->gpio_headphone, priv->speaker_en); ++ gpiod_set_value_cansleep(priv->gpio_headphone, !priv->speaker_en); + + } + +-- +2.51.0 + diff --git a/queue-6.12/bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch b/queue-6.12/bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch new file mode 100644 index 0000000000..ef96ba63d7 --- /dev/null +++ b/queue-6.12/bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch @@ -0,0 +1,39 @@ +From c0678590c84de16a52bce6696282ed9987ab12c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 16:21:12 +0800 +Subject: bcache: fix I/O accounting leak in detached_dev_do_request + +From: Shida Zhang + +[ Upstream commit 4da7c5c3ec34d839bba6e035c3d05c447a2f9d4f ] + +When a bcache device is detached, discard requests are completed +immediately. However, the I/O accounting started in +cached_dev_make_request() is not ended, leading to 100% disk +utilization reports in iostat. Add the missing bio_end_io_acct() call. + +Fixes: cafe56359144 ("bcache: A block layer cache") +Signed-off-by: Shida Zhang +Acked-by: Coly Li +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/request.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index a02aecac05cdf..6cba1180be8aa 100644 +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -1107,6 +1107,7 @@ static void detached_dev_do_request(struct bcache_device *d, + + if (bio_op(orig_bio) == REQ_OP_DISCARD && + !bdev_max_discard_sectors(dc->bdev)) { ++ bio_end_io_acct(orig_bio, start_time); + bio_endio(orig_bio); + return; + } +-- +2.51.0 + diff --git a/queue-6.12/bcache-fix-improper-use-of-bi_end_io.patch b/queue-6.12/bcache-fix-improper-use-of-bi_end_io.patch new file mode 100644 index 0000000000..66635447bf --- /dev/null +++ b/queue-6.12/bcache-fix-improper-use-of-bi_end_io.patch @@ -0,0 +1,56 @@ +From 17add4550ceaa87d7495fcf63fd2527c1626da05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 17:01:56 +0800 +Subject: bcache: fix improper use of bi_end_io + +From: Shida Zhang + +[ Upstream commit 53280e398471f0bddbb17b798a63d41264651325 ] + +Don't call bio->bi_end_io() directly. Use the bio_endio() helper +function instead, which handles completion more safely and uniformly. + +Suggested-by: Christoph Hellwig +Reviewed-by: Christoph Hellwig +Signed-off-by: Shida Zhang +Signed-off-by: Jens Axboe +Stable-dep-of: 4da7c5c3ec34 ("bcache: fix I/O accounting leak in detached_dev_do_request") +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/request.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index af345dc6fde14..82fdea7dea7aa 100644 +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -1104,7 +1104,7 @@ static void detached_dev_end_io(struct bio *bio) + } + + kfree(ddip); +- bio->bi_end_io(bio); ++ bio_endio(bio); + } + + static void detached_dev_do_request(struct bcache_device *d, struct bio *bio, +@@ -1121,7 +1121,7 @@ static void detached_dev_do_request(struct bcache_device *d, struct bio *bio, + ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO); + if (!ddip) { + bio->bi_status = BLK_STS_RESOURCE; +- bio->bi_end_io(bio); ++ bio_endio(bio); + return; + } + +@@ -1136,7 +1136,7 @@ static void detached_dev_do_request(struct bcache_device *d, struct bio *bio, + + if ((bio_op(bio) == REQ_OP_DISCARD) && + !bdev_max_discard_sectors(dc->bdev)) +- bio->bi_end_io(bio); ++ detached_dev_end_io(bio); + else + submit_bio_noacct(bio); + } +-- +2.51.0 + diff --git a/queue-6.12/bcache-use-bio-cloning-for-detached-device-requests.patch b/queue-6.12/bcache-use-bio-cloning-for-detached-device-requests.patch new file mode 100644 index 0000000000..dd18ee4daf --- /dev/null +++ b/queue-6.12/bcache-use-bio-cloning-for-detached-device-requests.patch @@ -0,0 +1,234 @@ +From 6eda74680fb97cab757aa9d95761e5c798e740c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 14:13:21 +0800 +Subject: bcache: use bio cloning for detached device requests + +From: Shida Zhang + +[ Upstream commit 3ef825dfd4e487d6f92b23ee2df2455814583ef4 ] + +Previously, bcache hijacked the bi_end_io and bi_private fields of +the incoming bio when the backing device was in a detached state. +This is fragile and breaks if the bio is needed to be processed by +other layers. + +This patch transitions to using a cloned bio embedded within a private +structure. This ensures the original bio's metadata remains untouched. + +Fixes: 53280e398471 ("bcache: fix improper use of bi_end_io") +Co-developed-by: Christoph Hellwig +Signed-off-by: Christoph Hellwig +Signed-off-by: Shida Zhang +Acked-by: Coly Li +Signed-off-by: Jens Axboe +Stable-dep-of: 4da7c5c3ec34 ("bcache: fix I/O accounting leak in detached_dev_do_request") +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/bcache.h | 9 +++++ + drivers/md/bcache/request.c | 79 ++++++++++++++++--------------------- + drivers/md/bcache/super.c | 12 +++++- + 3 files changed, 54 insertions(+), 46 deletions(-) + +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 1d33e40d26ea5..cca5756030d71 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -273,6 +273,8 @@ struct bcache_device { + + struct bio_set bio_split; + ++ struct bio_set bio_detached; ++ + unsigned int data_csum:1; + + int (*cache_miss)(struct btree *b, struct search *s, +@@ -755,6 +757,13 @@ struct bbio { + struct bio bio; + }; + ++struct detached_dev_io_private { ++ struct bcache_device *d; ++ unsigned long start_time; ++ struct bio *orig_bio; ++ struct bio bio; ++}; ++ + #define BTREE_PRIO USHRT_MAX + #define INITIAL_PRIO 32768U + +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index 82fdea7dea7aa..a02aecac05cdf 100644 +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -1077,68 +1077,58 @@ static CLOSURE_CALLBACK(cached_dev_nodata) + continue_at(cl, cached_dev_bio_complete, NULL); + } + +-struct detached_dev_io_private { +- struct bcache_device *d; +- unsigned long start_time; +- bio_end_io_t *bi_end_io; +- void *bi_private; +- struct block_device *orig_bdev; +-}; +- + static void detached_dev_end_io(struct bio *bio) + { +- struct detached_dev_io_private *ddip; +- +- ddip = bio->bi_private; +- bio->bi_end_io = ddip->bi_end_io; +- bio->bi_private = ddip->bi_private; ++ struct detached_dev_io_private *ddip = ++ container_of(bio, struct detached_dev_io_private, bio); ++ struct bio *orig_bio = ddip->orig_bio; + + /* Count on the bcache device */ +- bio_end_io_acct_remapped(bio, ddip->start_time, ddip->orig_bdev); ++ bio_end_io_acct(orig_bio, ddip->start_time); + + if (bio->bi_status) { +- struct cached_dev *dc = container_of(ddip->d, +- struct cached_dev, disk); ++ struct cached_dev *dc = bio->bi_private; ++ + /* should count I/O error for backing device here */ + bch_count_backing_io_errors(dc, bio); ++ orig_bio->bi_status = bio->bi_status; + } + +- kfree(ddip); +- bio_endio(bio); ++ bio_put(bio); ++ bio_endio(orig_bio); + } + +-static void detached_dev_do_request(struct bcache_device *d, struct bio *bio, +- struct block_device *orig_bdev, unsigned long start_time) ++static void detached_dev_do_request(struct bcache_device *d, ++ struct bio *orig_bio, unsigned long start_time) + { + struct detached_dev_io_private *ddip; + struct cached_dev *dc = container_of(d, struct cached_dev, disk); ++ struct bio *clone_bio; + +- /* +- * no need to call closure_get(&dc->disk.cl), +- * because upper layer had already opened bcache device, +- * which would call closure_get(&dc->disk.cl) +- */ +- ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO); +- if (!ddip) { +- bio->bi_status = BLK_STS_RESOURCE; +- bio_endio(bio); ++ if (bio_op(orig_bio) == REQ_OP_DISCARD && ++ !bdev_max_discard_sectors(dc->bdev)) { ++ bio_endio(orig_bio); + return; + } + +- ddip->d = d; ++ clone_bio = bio_alloc_clone(dc->bdev, orig_bio, GFP_NOIO, ++ &d->bio_detached); ++ if (!clone_bio) { ++ orig_bio->bi_status = BLK_STS_RESOURCE; ++ bio_endio(orig_bio); ++ return; ++ } ++ ++ ddip = container_of(clone_bio, struct detached_dev_io_private, bio); + /* Count on the bcache device */ +- ddip->orig_bdev = orig_bdev; ++ ddip->d = d; + ddip->start_time = start_time; +- ddip->bi_end_io = bio->bi_end_io; +- ddip->bi_private = bio->bi_private; +- bio->bi_end_io = detached_dev_end_io; +- bio->bi_private = ddip; +- +- if ((bio_op(bio) == REQ_OP_DISCARD) && +- !bdev_max_discard_sectors(dc->bdev)) +- detached_dev_end_io(bio); +- else +- submit_bio_noacct(bio); ++ ddip->orig_bio = orig_bio; ++ ++ clone_bio->bi_end_io = detached_dev_end_io; ++ clone_bio->bi_private = dc; ++ ++ submit_bio_noacct(clone_bio); + } + + static void quit_max_writeback_rate(struct cache_set *c, +@@ -1214,10 +1204,10 @@ void cached_dev_submit_bio(struct bio *bio) + + start_time = bio_start_io_acct(bio); + +- bio_set_dev(bio, dc->bdev); + bio->bi_iter.bi_sector += dc->sb.data_offset; + + if (cached_dev_get(dc)) { ++ bio_set_dev(bio, dc->bdev); + s = search_alloc(bio, d, orig_bdev, start_time); + trace_bcache_request_start(s->d, bio); + +@@ -1237,9 +1227,10 @@ void cached_dev_submit_bio(struct bio *bio) + else + cached_dev_read(dc, s); + } +- } else ++ } else { + /* I/O request sent to backing device */ +- detached_dev_do_request(d, bio, orig_bdev, start_time); ++ detached_dev_do_request(d, bio, start_time); ++ } + } + + static int cached_dev_ioctl(struct bcache_device *d, blk_mode_t mode, +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 1084b3f0dfe71..017a1ef42f1b0 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -887,6 +887,7 @@ static void bcache_device_free(struct bcache_device *d) + } + + bioset_exit(&d->bio_split); ++ bioset_exit(&d->bio_detached); + kvfree(d->full_dirty_stripes); + kvfree(d->stripe_sectors_dirty); + +@@ -949,6 +950,11 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size, + BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER)) + goto out_ida_remove; + ++ if (bioset_init(&d->bio_detached, 4, ++ offsetof(struct detached_dev_io_private, bio), ++ BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER)) ++ goto out_bioset_split_exit; ++ + if (lim.logical_block_size > PAGE_SIZE && cached_bdev) { + /* + * This should only happen with BCACHE_SB_VERSION_BDEV. +@@ -964,7 +970,7 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size, + + d->disk = blk_alloc_disk(&lim, NUMA_NO_NODE); + if (IS_ERR(d->disk)) +- goto out_bioset_exit; ++ goto out_bioset_detach_exit; + + set_capacity(d->disk, sectors); + snprintf(d->disk->disk_name, DISK_NAME_LEN, "bcache%i", idx); +@@ -976,7 +982,9 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size, + d->disk->private_data = d; + return 0; + +-out_bioset_exit: ++out_bioset_detach_exit: ++ bioset_exit(&d->bio_detached); ++out_bioset_split_exit: + bioset_exit(&d->bio_split); + out_ida_remove: + ida_free(&bcache_device_idx, idx); +-- +2.51.0 + diff --git a/queue-6.12/dma-pool-distinguish-between-missing-and-exhausted-a.patch b/queue-6.12/dma-pool-distinguish-between-missing-and-exhausted-a.patch new file mode 100644 index 0000000000..e44f8d5852 --- /dev/null +++ b/queue-6.12/dma-pool-distinguish-between-missing-and-exhausted-a.patch @@ -0,0 +1,68 @@ +From ec62bfb818d35bb3a9d983a0a1673641e04e67ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 19:05:54 +0530 +Subject: dma/pool: distinguish between missing and exhausted atomic pools + +From: Sai Sree Kartheek Adivi + +[ Upstream commit 56c430c7f06d838fe3b2077dbbc4cc0bf992312b ] + +Currently, dma_alloc_from_pool() unconditionally warns and dumps a stack +trace when an allocation fails, with the message "Failed to get suitable +pool". + +This conflates two distinct failure modes: +1. Configuration error: No atomic pool is available for the requested + DMA mask (a fundamental system setup issue) +2. Resource Exhaustion: A suitable pool exists but is currently full (a + recoverable runtime state) + +This lack of distinction prevents drivers from using __GFP_NOWARN to +suppress error messages during temporary pressure spikes, such as when +awaiting synchronous reclaim of descriptors. + +Refactor the error handling to distinguish these cases: +- If no suitable pool is found, keep the unconditional WARN regarding + the missing pool. +- If a pool was found but is exhausted, respect __GFP_NOWARN and update + the warning message to explicitly state "DMA pool exhausted". + +Fixes: 9420139f516d ("dma-pool: fix coherent pool allocations for IOMMU mappings") +Signed-off-by: Sai Sree Kartheek Adivi +Reviewed-by: Robin Murphy +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20260128133554.3056582-1-s-adivi@ti.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index 26392badc36b0..985d6aa102b67 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -268,15 +268,20 @@ struct page *dma_alloc_from_pool(struct device *dev, size_t size, + { + struct gen_pool *pool = NULL; + struct page *page; ++ bool pool_found = false; + + while ((pool = dma_guess_pool(pool, gfp))) { ++ pool_found = true; + page = __dma_alloc_from_pool(dev, size, pool, cpu_addr, + phys_addr_ok); + if (page) + return page; + } + +- WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); ++ if (pool_found) ++ WARN(!(gfp & __GFP_NOWARN), "DMA pool exhausted for %s\n", dev_name(dev)); ++ else ++ WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); + return NULL; + } + +-- +2.51.0 + diff --git a/queue-6.12/gpio-virtuser-fix-uaf-in-configfs-release-path.patch b/queue-6.12/gpio-virtuser-fix-uaf-in-configfs-release-path.patch new file mode 100644 index 0000000000..924f0215e3 --- /dev/null +++ b/queue-6.12/gpio-virtuser-fix-uaf-in-configfs-release-path.patch @@ -0,0 +1,53 @@ +From 1e47e969ee089cfcf4d60a90317e070f04ebfdea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 12:03:48 +0800 +Subject: gpio: virtuser: fix UAF in configfs release path + +From: Yuhao Huang + +[ Upstream commit 53ad4a948a4586359b841d607c08fb16c5503230 ] + +The gpio-virtuser configfs release path uses guard(mutex) to protect +the device structure. However, the device is freed before the guard +cleanup runs, causing mutex_unlock() to operate on freed memory. + +Specifically, gpio_virtuser_device_config_group_release() destroys +the mutex and frees the device while still inside the guard(mutex) +scope. When the function returns, the guard cleanup invokes +mutex_unlock(&dev->lock), resulting in a slab use-after-free. + +Limit the mutex lifetime by using a scoped_guard() only around the +activation check, so that the lock is released before mutex_destroy() +and kfree() are called. + +Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API") +Signed-off-by: Yuhao Huang +Link: https://lore.kernel.org/r/20260126040348.11167-1-yuhaohuang@YuhaodeMacBook-Pro.local +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-virtuser.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpio/gpio-virtuser.c b/drivers/gpio/gpio-virtuser.c +index dcecb7a259117..8a313dd624c26 100644 +--- a/drivers/gpio/gpio-virtuser.c ++++ b/drivers/gpio/gpio-virtuser.c +@@ -1738,10 +1738,10 @@ static void gpio_virtuser_device_config_group_release(struct config_item *item) + { + struct gpio_virtuser_device *dev = to_gpio_virtuser_device(item); + +- guard(mutex)(&dev->lock); +- +- if (gpio_virtuser_device_is_live(dev)) +- gpio_virtuser_device_deactivate(dev); ++ scoped_guard(mutex, &dev->lock) { ++ if (gpio_virtuser_device_is_live(dev)) ++ gpio_virtuser_device_deactivate(dev); ++ } + + mutex_destroy(&dev->lock); + ida_free(&gpio_virtuser_ida, dev->id); +-- +2.51.0 + diff --git a/queue-6.12/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch b/queue-6.12/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch new file mode 100644 index 0000000000..3abeff68e2 --- /dev/null +++ b/queue-6.12/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch @@ -0,0 +1,45 @@ +From 2aecf441a6624cbfbc11339cb94ffa3e64f3c19d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 06:59:14 +0300 +Subject: gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler + +From: Denis Sergeev + +[ Upstream commit c0ae43d303e45764918fa8c1dc13d6a5db59c479 ] + +The BIT() macro uses unsigned long, which is 32 bits on 32-bit +architectures. When iterating over GPIO pins with index >= 32, +the expression (*value & BIT(i)) causes undefined behavior due +to shifting by a value >= type width. + +Since 'value' is a pointer to u64, use BIT_ULL() to ensure correct +64-bit mask on all architectures. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 2c4d00cb8fc5 ("gpiolib: acpi: Use BIT() macro to increase readability") +Signed-off-by: Denis Sergeev +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20260126035914.16586-1-denserg.edu@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c +index 97862185318ed..f7d2cb7ff4ee8 100644 +--- a/drivers/gpio/gpiolib-acpi-core.c ++++ b/drivers/gpio/gpiolib-acpi-core.c +@@ -1149,7 +1149,7 @@ acpi_gpio_adr_space_handler(u32 function, acpi_physical_address address, + mutex_unlock(&achip->conn_lock); + + if (function == ACPI_WRITE) +- gpiod_set_raw_value_cansleep(desc, !!(*value & BIT(i))); ++ gpiod_set_raw_value_cansleep(desc, !!(*value & BIT_ULL(i))); + else + *value |= (u64)gpiod_get_raw_value_cansleep(desc) << i; + } +-- +2.51.0 + diff --git a/queue-6.12/sched-deadline-document-dl_server.patch b/queue-6.12/sched-deadline-document-dl_server.patch new file mode 100644 index 0000000000..93573815dd --- /dev/null +++ b/queue-6.12/sched-deadline-document-dl_server.patch @@ -0,0 +1,227 @@ +From 36fa32fa8a7f7f4479e45c5ca3334073c471a3a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 11:25:52 +0100 +Subject: sched/deadline: Document dl_server + +From: Peter Zijlstra + +[ Upstream commit 2614069c5912e9d6f1f57c262face1b368fb8c93 ] + +Place the notes that resulted from going through the dl_server code in a +comment. + +Signed-off-by: Peter Zijlstra (Intel) +Stable-dep-of: 115135422562 ("sched/deadline: Fix 'stuck' dl_server") +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 194 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 194 insertions(+) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index abd0fb2d839c1..a860d77062395 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1624,6 +1624,200 @@ void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec) + update_curr_dl_se(dl_se->rq, dl_se, delta_exec); + } + ++/* ++ * dl_server && dl_defer: ++ * ++ * 6 ++ * +--------------------+ ++ * v | ++ * +-------------+ 4 +-----------+ 5 +------------------+ ++ * +-> | A:init | <--- | D:running | -----> | E:replenish-wait | ++ * | +-------------+ +-----------+ +------------------+ ++ * | | | 1 ^ ^ | ++ * | | 1 +----------+ | 3 | ++ * | v | | ++ * | +--------------------------------+ 2 | ++ * | | | ----+ | ++ * | 8 | B:zero_laxity-wait | | | ++ * | | | <---+ | ++ * | +--------------------------------+ | ++ * | | ^ ^ 2 | ++ * | | 7 | 2 +--------------------+ ++ * | v | ++ * | +-------------+ | ++ * +-- | C:idle-wait | -+ ++ * +-------------+ ++ * ^ 7 | ++ * +---------+ ++ * ++ * ++ * [A] - init ++ * dl_server_active = 0 ++ * dl_throttled = 0 ++ * dl_defer_armed = 0 ++ * dl_defer_running = 0/1 ++ * dl_defer_idle = 0 ++ * ++ * [B] - zero_laxity-wait ++ * dl_server_active = 1 ++ * dl_throttled = 1 ++ * dl_defer_armed = 1 ++ * dl_defer_running = 0 ++ * dl_defer_idle = 0 ++ * ++ * [C] - idle-wait ++ * dl_server_active = 1 ++ * dl_throttled = 1 ++ * dl_defer_armed = 1 ++ * dl_defer_running = 0 ++ * dl_defer_idle = 1 ++ * ++ * [D] - running ++ * dl_server_active = 1 ++ * dl_throttled = 0 ++ * dl_defer_armed = 0 ++ * dl_defer_running = 1 ++ * dl_defer_idle = 0 ++ * ++ * [E] - replenish-wait ++ * dl_server_active = 1 ++ * dl_throttled = 1 ++ * dl_defer_armed = 0 ++ * dl_defer_running = 1 ++ * dl_defer_idle = 0 ++ * ++ * ++ * [1] A->B, A->D ++ * dl_server_start() ++ * dl_server_active = 1; ++ * enqueue_dl_entity() ++ * update_dl_entity(WAKEUP) ++ * if (!dl_defer_running) ++ * dl_defer_armed = 1; ++ * dl_throttled = 1; ++ * if (dl_throttled && start_dl_timer()) ++ * return; // [B] ++ * __enqueue_dl_entity(); ++ * // [D] ++ * ++ * // deplete server runtime from client-class ++ * [2] B->B, C->B, E->B ++ * dl_server_update() ++ * update_curr_dl_se() // idle = false ++ * if (dl_defer_idle) ++ * dl_defer_idle = 0; ++ * if (dl_defer && dl_throttled && dl_runtime_exceeded()) ++ * dl_defer_running = 0; ++ * hrtimer_try_to_cancel(); // stop timer ++ * replenish_dl_new_period() ++ * // fwd period ++ * dl_throttled = 1; ++ * dl_defer_armed = 1; ++ * start_dl_timer(); // restart timer ++ * // [B] ++ * ++ * // timer actually fires means we have runtime ++ * [3] B->D ++ * dl_server_timer() ++ * if (dl_defer_armed) ++ * dl_defer_running = 1; ++ * enqueue_dl_entity(REPLENISH) ++ * replenish_dl_entity() ++ * // fwd period ++ * if (dl_throttled) ++ * dl_throttled = 0; ++ * if (dl_defer_armed) ++ * dl_defer_armed = 0; ++ * __enqueue_dl_entity(); ++ * // [D] ++ * ++ * // schedule server ++ * [4] D->A ++ * pick_task_dl() ++ * p = server_pick_task(); ++ * if (!p) ++ * dl_server_stop() ++ * dequeue_dl_entity(); ++ * hrtimer_try_to_cancel(); ++ * dl_defer_armed = 0; ++ * dl_throttled = 0; ++ * dl_server_active = 0; ++ * // [A] ++ * return p; ++ * ++ * // server running ++ * [5] D->E ++ * update_curr_dl_se() ++ * if (dl_runtime_exceeded()) ++ * dl_throttled = 1; ++ * dequeue_dl_entity(); ++ * start_dl_timer(); ++ * // [E] ++ * ++ * // server replenished ++ * [6] E->D ++ * dl_server_timer() ++ * enqueue_dl_entity(REPLENISH) ++ * replenish_dl_entity() ++ * fwd-period ++ * if (dl_throttled) ++ * dl_throttled = 0; ++ * __enqueue_dl_entity(); ++ * // [D] ++ * ++ * // deplete server runtime from idle ++ * [7] B->C, C->C ++ * dl_server_update_idle() ++ * update_curr_dl_se() // idle = true ++ * if (dl_defer && dl_throttled && dl_runtime_exceeded()) ++ * if (dl_defer_idle) ++ * return; ++ * dl_defer_running = 0; ++ * hrtimer_try_to_cancel(); ++ * replenish_dl_new_period() ++ * // fwd period ++ * dl_throttled = 1; ++ * dl_defer_armed = 1; ++ * dl_defer_idle = 1; ++ * start_dl_timer(); // restart timer ++ * // [C] ++ * ++ * // stop idle server ++ * [8] C->A ++ * dl_server_timer() ++ * if (dl_defer_idle) ++ * dl_server_stop(); ++ * // [A] ++ * ++ * ++ * digraph dl_server { ++ * "A:init" -> "B:zero_laxity-wait" [label="1:dl_server_start"] ++ * "A:init" -> "D:running" [label="1:dl_server_start"] ++ * "B:zero_laxity-wait" -> "B:zero_laxity-wait" [label="2:dl_server_update"] ++ * "B:zero_laxity-wait" -> "C:idle-wait" [label="7:dl_server_update_idle"] ++ * "B:zero_laxity-wait" -> "D:running" [label="3:dl_server_timer"] ++ * "C:idle-wait" -> "A:init" [label="8:dl_server_timer"] ++ * "C:idle-wait" -> "B:zero_laxity-wait" [label="2:dl_server_update"] ++ * "C:idle-wait" -> "C:idle-wait" [label="7:dl_server_update_idle"] ++ * "D:running" -> "A:init" [label="4:pick_task_dl"] ++ * "D:running" -> "E:replenish-wait" [label="5:update_curr_dl_se"] ++ * "E:replenish-wait" -> "B:zero_laxity-wait" [label="2:dl_server_update"] ++ * "E:replenish-wait" -> "D:running" [label="6:dl_server_timer"] ++ * } ++ * ++ * ++ * Notes: ++ * ++ * - When there are fair tasks running the most likely loop is [2]->[2]. ++ * the dl_server never actually runs, the timer never fires. ++ * ++ * - When there is actual fair starvation; the timer fires and starts the ++ * dl_server. This will then throttle and replenish like a normal DL ++ * task. Notably it will not 'defer' again. ++ * ++ * - When idle it will push the actication forward once, and then wait ++ * for the timer to hit or a non-idle update to restart things. ++ */ + void dl_server_start(struct sched_dl_entity *dl_se) + { + struct rq *rq = dl_se->rq; +-- +2.51.0 + diff --git a/queue-6.12/sched-deadline-fix-stuck-dl_server.patch b/queue-6.12/sched-deadline-fix-stuck-dl_server.patch new file mode 100644 index 0000000000..89ea691d6c --- /dev/null +++ b/queue-6.12/sched-deadline-fix-stuck-dl_server.patch @@ -0,0 +1,67 @@ +From 73c0ba9006119a5de9a590a534df79d32e391197 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 13:41:00 +0100 +Subject: sched/deadline: Fix 'stuck' dl_server + +From: Peter Zijlstra + +[ Upstream commit 115135422562e2f791e98a6f55ec57b2da3b3a95 ] + +Andrea reported the dl_server getting stuck for him. He tracked it +down to a state where dl_server_start() saw dl_defer_running==1, but +the dl_server's job is no longer valid at the time of +dl_server_start(). + +In the state diagram this corresponds to [4] D->A (or dl_server_stop() +due to no more runnable tasks) followed by [1], which in case of a +lapsed deadline must then be A->B. + +Now our A has dl_defer_running==1, while B demands +dl_defer_running==0, therefore it must get cleared when the CBS wakeup +rules demand a replenish. + +Fixes: a110a81c52a9 ("sched/deadline: Deferrable dl server") +Reported-by: Andrea Righi arighi@nvidia.com +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Juri Lelli +Tested-by: Andrea Righi arighi@nvidia.com +Link: https://lkml.kernel.org/r/20260123161645.2181752-1-arighi@nvidia.com +Link: https://patch.msgid.link/20260130124100.GC1079264@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index a860d77062395..1689d190dea8f 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1086,6 +1086,12 @@ static void update_dl_entity(struct sched_dl_entity *dl_se) + return; + } + ++ /* ++ * When [4] D->A is followed by [1] A->B, dl_defer_running ++ * needs to be cleared, otherwise it will fail to properly ++ * start the zero-laxity timer. ++ */ ++ dl_se->dl_defer_running = 0; + replenish_dl_new_period(dl_se, rq); + } else if (dl_server(dl_se) && dl_se->dl_defer) { + /* +@@ -1692,6 +1698,12 @@ void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec) + * dl_server_active = 1; + * enqueue_dl_entity() + * update_dl_entity(WAKEUP) ++ * if (dl_time_before() || dl_entity_overflow()) ++ * dl_defer_running = 0; ++ * replenish_dl_new_period(); ++ * // fwd period ++ * dl_throttled = 1; ++ * dl_defer_armed = 1; + * if (!dl_defer_running) + * dl_defer_armed = 1; + * dl_throttled = 1; +-- +2.51.0 + diff --git a/queue-6.12/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch b/queue-6.12/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch new file mode 100644 index 0000000000..7fd141f3c7 --- /dev/null +++ b/queue-6.12/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch @@ -0,0 +1,56 @@ +From 64ed1486c984a035475f7515c6a2243761e1657e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 19:45:15 +0800 +Subject: scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() + +From: Kery Qi + +[ Upstream commit b2d6b1d443009ed4da2d69f5423ab38e5780505a ] + +The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of +"tpg->tport_tpgt" is u16. This causes a type truncation issue. + +When a user creates a TPG via configfs mkdir, for example: + + mkdir /sys/kernel/config/target/sbp//tpgt_70000 + +The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less +than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt, +the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the +value the user specified to differ from what is actually stored, leading to +confusion and potential unexpected behavior. + +Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which +will properly reject values outside the u16 range. + +Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/sbp/sbp_target.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c +index 3b89b5a70331f..ad03bf7929f8b 100644 +--- a/drivers/target/sbp/sbp_target.c ++++ b/drivers/target/sbp/sbp_target.c +@@ -1961,12 +1961,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn, + container_of(wwn, struct sbp_tport, tport_wwn); + + struct sbp_tpg *tpg; +- unsigned long tpgt; ++ u16 tpgt; + int ret; + + if (strstr(name, "tpgt_") != name) + return ERR_PTR(-EINVAL); +- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) ++ if (kstrtou16(name + 5, 10, &tpgt)) + return ERR_PTR(-EINVAL); + + if (tport->tpg) { +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 3e110dbae8..5118e063b4 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -21,3 +21,13 @@ net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch net-mlx5-initialize-events-outside-devlink-lock.patch net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch +scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch +asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch +gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch +gpio-virtuser-fix-uaf-in-configfs-release-path.patch +bcache-fix-improper-use-of-bi_end_io.patch +bcache-use-bio-cloning-for-detached-device-requests.patch +bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch +dma-pool-distinguish-between-missing-and-exhausted-a.patch +sched-deadline-document-dl_server.patch +sched-deadline-fix-stuck-dl_server.patch diff --git a/queue-6.18/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch b/queue-6.18/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch new file mode 100644 index 0000000000..2e4a709c9b --- /dev/null +++ b/queue-6.18/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch @@ -0,0 +1,43 @@ +From 29a3842b2d5d72276ab45958c6ab81fdc426e3a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 18:24:35 +0300 +Subject: ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion + +From: Tagir Garaev + +[ Upstream commit 213c4e51267fd825cd21a08a055450cac7e0b7fb ] + +The headphone GPIO should be set to the inverse of speaker_en. +When speakers are enabled, headphones should be disabled and vice versa. + +Currently both GPIOs are set to the same value (speaker_en), causing +audio to play through both speakers and headphones simultaneously +when headphones are plugged in. + +Tested on Huawei Matebook (BOD-WXX9) with ES8336 codec. + +Fixes: 6e1ff1459e00 ("ASoC: Intel: sof_es8336: support a separate gpio to control headphone") +Signed-off-by: Tagir Garaev +Link: https://patch.msgid.link/20260121152435.101698-1-tgaraev653@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_es8336.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/sof_es8336.c b/sound/soc/intel/boards/sof_es8336.c +index 10b189ea88dba..09acd80d23e0f 100644 +--- a/sound/soc/intel/boards/sof_es8336.c ++++ b/sound/soc/intel/boards/sof_es8336.c +@@ -120,7 +120,7 @@ static void pcm_pop_work_events(struct work_struct *work) + gpiod_set_value_cansleep(priv->gpio_speakers, priv->speaker_en); + + if (quirk & SOF_ES8336_HEADPHONE_GPIO) +- gpiod_set_value_cansleep(priv->gpio_headphone, priv->speaker_en); ++ gpiod_set_value_cansleep(priv->gpio_headphone, !priv->speaker_en); + + } + +-- +2.51.0 + diff --git a/queue-6.18/asoc-soc-acpi-intel-ptl-match-fix-name_prefix-of-rt1.patch b/queue-6.18/asoc-soc-acpi-intel-ptl-match-fix-name_prefix-of-rt1.patch new file mode 100644 index 0000000000..46429f3d02 --- /dev/null +++ b/queue-6.18/asoc-soc-acpi-intel-ptl-match-fix-name_prefix-of-rt1.patch @@ -0,0 +1,41 @@ +From c7eebe69d315bf76caf4d473f751c702121271f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 19:38:09 +0800 +Subject: ASoC: soc-acpi-intel-ptl-match: fix name_prefix of rt1320-2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bard Liao + +[ Upstream commit 403a0591be681eebc0c4825f8b42afe7fd13ee7f ] + +rt1320_2_group2_adr works with rt1320_1_group2_adr and the name_prefix +should be rt1320-2. + +Fixes: ffe450cb6bce ("ASoC: Intel: soc-acpi-intel-ptl-match: add rt713_vb_l3_rt1320_l12 support") +Signed-off-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Link: https://patch.msgid.link/20260123113809.2238766-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/common/soc-acpi-intel-ptl-match.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/common/soc-acpi-intel-ptl-match.c b/sound/soc/intel/common/soc-acpi-intel-ptl-match.c +index 4853f4f31786f..55505625b3609 100644 +--- a/sound/soc/intel/common/soc-acpi-intel-ptl-match.c ++++ b/sound/soc/intel/common/soc-acpi-intel-ptl-match.c +@@ -418,7 +418,7 @@ static const struct snd_soc_acpi_adr_device rt1320_2_group2_adr[] = { + .adr = 0x000230025D132001ull, + .num_endpoints = 1, + .endpoints = &spk_r_endpoint, +- .name_prefix = "rt1320-1" ++ .name_prefix = "rt1320-2" + } + }; + +-- +2.51.0 + diff --git a/queue-6.18/bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch b/queue-6.18/bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch new file mode 100644 index 0000000000..7a0e6db8b2 --- /dev/null +++ b/queue-6.18/bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch @@ -0,0 +1,39 @@ +From 82e4bdde38a36d05c54ae5442446ea3e6909efcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 16:21:12 +0800 +Subject: bcache: fix I/O accounting leak in detached_dev_do_request + +From: Shida Zhang + +[ Upstream commit 4da7c5c3ec34d839bba6e035c3d05c447a2f9d4f ] + +When a bcache device is detached, discard requests are completed +immediately. However, the I/O accounting started in +cached_dev_make_request() is not ended, leading to 100% disk +utilization reports in iostat. Add the missing bio_end_io_acct() call. + +Fixes: cafe56359144 ("bcache: A block layer cache") +Signed-off-by: Shida Zhang +Acked-by: Coly Li +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/request.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index a02aecac05cdf..6cba1180be8aa 100644 +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -1107,6 +1107,7 @@ static void detached_dev_do_request(struct bcache_device *d, + + if (bio_op(orig_bio) == REQ_OP_DISCARD && + !bdev_max_discard_sectors(dc->bdev)) { ++ bio_end_io_acct(orig_bio, start_time); + bio_endio(orig_bio); + return; + } +-- +2.51.0 + diff --git a/queue-6.18/bcache-fix-improper-use-of-bi_end_io.patch b/queue-6.18/bcache-fix-improper-use-of-bi_end_io.patch new file mode 100644 index 0000000000..802e5f99f0 --- /dev/null +++ b/queue-6.18/bcache-fix-improper-use-of-bi_end_io.patch @@ -0,0 +1,56 @@ +From 9c9c2dd8f41341cfc06d9ed40c40acea7132a228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 17:01:56 +0800 +Subject: bcache: fix improper use of bi_end_io + +From: Shida Zhang + +[ Upstream commit 53280e398471f0bddbb17b798a63d41264651325 ] + +Don't call bio->bi_end_io() directly. Use the bio_endio() helper +function instead, which handles completion more safely and uniformly. + +Suggested-by: Christoph Hellwig +Reviewed-by: Christoph Hellwig +Signed-off-by: Shida Zhang +Signed-off-by: Jens Axboe +Stable-dep-of: 4da7c5c3ec34 ("bcache: fix I/O accounting leak in detached_dev_do_request") +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/request.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index af345dc6fde14..82fdea7dea7aa 100644 +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -1104,7 +1104,7 @@ static void detached_dev_end_io(struct bio *bio) + } + + kfree(ddip); +- bio->bi_end_io(bio); ++ bio_endio(bio); + } + + static void detached_dev_do_request(struct bcache_device *d, struct bio *bio, +@@ -1121,7 +1121,7 @@ static void detached_dev_do_request(struct bcache_device *d, struct bio *bio, + ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO); + if (!ddip) { + bio->bi_status = BLK_STS_RESOURCE; +- bio->bi_end_io(bio); ++ bio_endio(bio); + return; + } + +@@ -1136,7 +1136,7 @@ static void detached_dev_do_request(struct bcache_device *d, struct bio *bio, + + if ((bio_op(bio) == REQ_OP_DISCARD) && + !bdev_max_discard_sectors(dc->bdev)) +- bio->bi_end_io(bio); ++ detached_dev_end_io(bio); + else + submit_bio_noacct(bio); + } +-- +2.51.0 + diff --git a/queue-6.18/bcache-use-bio-cloning-for-detached-device-requests.patch b/queue-6.18/bcache-use-bio-cloning-for-detached-device-requests.patch new file mode 100644 index 0000000000..881fa3561a --- /dev/null +++ b/queue-6.18/bcache-use-bio-cloning-for-detached-device-requests.patch @@ -0,0 +1,234 @@ +From 0423f790a0e78f840ebb5279b531d5a66e7fa99a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 14:13:21 +0800 +Subject: bcache: use bio cloning for detached device requests + +From: Shida Zhang + +[ Upstream commit 3ef825dfd4e487d6f92b23ee2df2455814583ef4 ] + +Previously, bcache hijacked the bi_end_io and bi_private fields of +the incoming bio when the backing device was in a detached state. +This is fragile and breaks if the bio is needed to be processed by +other layers. + +This patch transitions to using a cloned bio embedded within a private +structure. This ensures the original bio's metadata remains untouched. + +Fixes: 53280e398471 ("bcache: fix improper use of bi_end_io") +Co-developed-by: Christoph Hellwig +Signed-off-by: Christoph Hellwig +Signed-off-by: Shida Zhang +Acked-by: Coly Li +Signed-off-by: Jens Axboe +Stable-dep-of: 4da7c5c3ec34 ("bcache: fix I/O accounting leak in detached_dev_do_request") +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/bcache.h | 9 +++++ + drivers/md/bcache/request.c | 79 ++++++++++++++++--------------------- + drivers/md/bcache/super.c | 12 +++++- + 3 files changed, 54 insertions(+), 46 deletions(-) + +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 1d33e40d26ea5..cca5756030d71 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -273,6 +273,8 @@ struct bcache_device { + + struct bio_set bio_split; + ++ struct bio_set bio_detached; ++ + unsigned int data_csum:1; + + int (*cache_miss)(struct btree *b, struct search *s, +@@ -755,6 +757,13 @@ struct bbio { + struct bio bio; + }; + ++struct detached_dev_io_private { ++ struct bcache_device *d; ++ unsigned long start_time; ++ struct bio *orig_bio; ++ struct bio bio; ++}; ++ + #define BTREE_PRIO USHRT_MAX + #define INITIAL_PRIO 32768U + +diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c +index 82fdea7dea7aa..a02aecac05cdf 100644 +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -1077,68 +1077,58 @@ static CLOSURE_CALLBACK(cached_dev_nodata) + continue_at(cl, cached_dev_bio_complete, NULL); + } + +-struct detached_dev_io_private { +- struct bcache_device *d; +- unsigned long start_time; +- bio_end_io_t *bi_end_io; +- void *bi_private; +- struct block_device *orig_bdev; +-}; +- + static void detached_dev_end_io(struct bio *bio) + { +- struct detached_dev_io_private *ddip; +- +- ddip = bio->bi_private; +- bio->bi_end_io = ddip->bi_end_io; +- bio->bi_private = ddip->bi_private; ++ struct detached_dev_io_private *ddip = ++ container_of(bio, struct detached_dev_io_private, bio); ++ struct bio *orig_bio = ddip->orig_bio; + + /* Count on the bcache device */ +- bio_end_io_acct_remapped(bio, ddip->start_time, ddip->orig_bdev); ++ bio_end_io_acct(orig_bio, ddip->start_time); + + if (bio->bi_status) { +- struct cached_dev *dc = container_of(ddip->d, +- struct cached_dev, disk); ++ struct cached_dev *dc = bio->bi_private; ++ + /* should count I/O error for backing device here */ + bch_count_backing_io_errors(dc, bio); ++ orig_bio->bi_status = bio->bi_status; + } + +- kfree(ddip); +- bio_endio(bio); ++ bio_put(bio); ++ bio_endio(orig_bio); + } + +-static void detached_dev_do_request(struct bcache_device *d, struct bio *bio, +- struct block_device *orig_bdev, unsigned long start_time) ++static void detached_dev_do_request(struct bcache_device *d, ++ struct bio *orig_bio, unsigned long start_time) + { + struct detached_dev_io_private *ddip; + struct cached_dev *dc = container_of(d, struct cached_dev, disk); ++ struct bio *clone_bio; + +- /* +- * no need to call closure_get(&dc->disk.cl), +- * because upper layer had already opened bcache device, +- * which would call closure_get(&dc->disk.cl) +- */ +- ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO); +- if (!ddip) { +- bio->bi_status = BLK_STS_RESOURCE; +- bio_endio(bio); ++ if (bio_op(orig_bio) == REQ_OP_DISCARD && ++ !bdev_max_discard_sectors(dc->bdev)) { ++ bio_endio(orig_bio); + return; + } + +- ddip->d = d; ++ clone_bio = bio_alloc_clone(dc->bdev, orig_bio, GFP_NOIO, ++ &d->bio_detached); ++ if (!clone_bio) { ++ orig_bio->bi_status = BLK_STS_RESOURCE; ++ bio_endio(orig_bio); ++ return; ++ } ++ ++ ddip = container_of(clone_bio, struct detached_dev_io_private, bio); + /* Count on the bcache device */ +- ddip->orig_bdev = orig_bdev; ++ ddip->d = d; + ddip->start_time = start_time; +- ddip->bi_end_io = bio->bi_end_io; +- ddip->bi_private = bio->bi_private; +- bio->bi_end_io = detached_dev_end_io; +- bio->bi_private = ddip; +- +- if ((bio_op(bio) == REQ_OP_DISCARD) && +- !bdev_max_discard_sectors(dc->bdev)) +- detached_dev_end_io(bio); +- else +- submit_bio_noacct(bio); ++ ddip->orig_bio = orig_bio; ++ ++ clone_bio->bi_end_io = detached_dev_end_io; ++ clone_bio->bi_private = dc; ++ ++ submit_bio_noacct(clone_bio); + } + + static void quit_max_writeback_rate(struct cache_set *c, +@@ -1214,10 +1204,10 @@ void cached_dev_submit_bio(struct bio *bio) + + start_time = bio_start_io_acct(bio); + +- bio_set_dev(bio, dc->bdev); + bio->bi_iter.bi_sector += dc->sb.data_offset; + + if (cached_dev_get(dc)) { ++ bio_set_dev(bio, dc->bdev); + s = search_alloc(bio, d, orig_bdev, start_time); + trace_bcache_request_start(s->d, bio); + +@@ -1237,9 +1227,10 @@ void cached_dev_submit_bio(struct bio *bio) + else + cached_dev_read(dc, s); + } +- } else ++ } else { + /* I/O request sent to backing device */ +- detached_dev_do_request(d, bio, orig_bdev, start_time); ++ detached_dev_do_request(d, bio, start_time); ++ } + } + + static int cached_dev_ioctl(struct bcache_device *d, blk_mode_t mode, +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 6d250e366412c..9218b9dbd4af2 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -887,6 +887,7 @@ static void bcache_device_free(struct bcache_device *d) + } + + bioset_exit(&d->bio_split); ++ bioset_exit(&d->bio_detached); + kvfree(d->full_dirty_stripes); + kvfree(d->stripe_sectors_dirty); + +@@ -949,6 +950,11 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size, + BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER)) + goto out_ida_remove; + ++ if (bioset_init(&d->bio_detached, 4, ++ offsetof(struct detached_dev_io_private, bio), ++ BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER)) ++ goto out_bioset_split_exit; ++ + if (lim.logical_block_size > PAGE_SIZE && cached_bdev) { + /* + * This should only happen with BCACHE_SB_VERSION_BDEV. +@@ -964,7 +970,7 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size, + + d->disk = blk_alloc_disk(&lim, NUMA_NO_NODE); + if (IS_ERR(d->disk)) +- goto out_bioset_exit; ++ goto out_bioset_detach_exit; + + set_capacity(d->disk, sectors); + snprintf(d->disk->disk_name, DISK_NAME_LEN, "bcache%i", idx); +@@ -976,7 +982,9 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size, + d->disk->private_data = d; + return 0; + +-out_bioset_exit: ++out_bioset_detach_exit: ++ bioset_exit(&d->bio_detached); ++out_bioset_split_exit: + bioset_exit(&d->bio_split); + out_ida_remove: + ida_free(&bcache_device_idx, idx); +-- +2.51.0 + diff --git a/queue-6.18/dma-pool-distinguish-between-missing-and-exhausted-a.patch b/queue-6.18/dma-pool-distinguish-between-missing-and-exhausted-a.patch new file mode 100644 index 0000000000..ebc65e2808 --- /dev/null +++ b/queue-6.18/dma-pool-distinguish-between-missing-and-exhausted-a.patch @@ -0,0 +1,68 @@ +From f5b9b4bae6f3c83daadb12be34d80f707e3d84ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 19:05:54 +0530 +Subject: dma/pool: distinguish between missing and exhausted atomic pools + +From: Sai Sree Kartheek Adivi + +[ Upstream commit 56c430c7f06d838fe3b2077dbbc4cc0bf992312b ] + +Currently, dma_alloc_from_pool() unconditionally warns and dumps a stack +trace when an allocation fails, with the message "Failed to get suitable +pool". + +This conflates two distinct failure modes: +1. Configuration error: No atomic pool is available for the requested + DMA mask (a fundamental system setup issue) +2. Resource Exhaustion: A suitable pool exists but is currently full (a + recoverable runtime state) + +This lack of distinction prevents drivers from using __GFP_NOWARN to +suppress error messages during temporary pressure spikes, such as when +awaiting synchronous reclaim of descriptors. + +Refactor the error handling to distinguish these cases: +- If no suitable pool is found, keep the unconditional WARN regarding + the missing pool. +- If a pool was found but is exhausted, respect __GFP_NOWARN and update + the warning message to explicitly state "DMA pool exhausted". + +Fixes: 9420139f516d ("dma-pool: fix coherent pool allocations for IOMMU mappings") +Signed-off-by: Sai Sree Kartheek Adivi +Reviewed-by: Robin Murphy +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20260128133554.3056582-1-s-adivi@ti.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index 26392badc36b0..985d6aa102b67 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -268,15 +268,20 @@ struct page *dma_alloc_from_pool(struct device *dev, size_t size, + { + struct gen_pool *pool = NULL; + struct page *page; ++ bool pool_found = false; + + while ((pool = dma_guess_pool(pool, gfp))) { ++ pool_found = true; + page = __dma_alloc_from_pool(dev, size, pool, cpu_addr, + phys_addr_ok); + if (page) + return page; + } + +- WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); ++ if (pool_found) ++ WARN(!(gfp & __GFP_NOWARN), "DMA pool exhausted for %s\n", dev_name(dev)); ++ else ++ WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); + return NULL; + } + +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-pm-fix-race-in-power-state-check-before-mute.patch b/queue-6.18/drm-amd-pm-fix-race-in-power-state-check-before-mute.patch new file mode 100644 index 0000000000..3e3ddaaa21 --- /dev/null +++ b/queue-6.18/drm-amd-pm-fix-race-in-power-state-check-before-mute.patch @@ -0,0 +1,62 @@ +From 9baee00e4c6ee2095dada24604853fa615ee8da9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 11:07:07 +0800 +Subject: drm/amd/pm: fix race in power state check before mutex lock + +From: Yang Wang + +[ Upstream commit ee8d07cd5730038e33bf5e551448190bbd480eb8 ] + +The power state check in amdgpu_dpm_set_powergating_by_smu() is done +before acquiring the pm mutex, leading to a race condition where: +1. Thread A checks state and thinks no change is needed +2. Thread B acquires mutex and modifies the state +3. Thread A returns without updating state, causing inconsistency + +Fix this by moving the mutex lock before the power state check, +ensuring atomicity of the state check and modification. + +Fixes: 6ee27ee27ba8 ("drm/amd/pm: avoid duplicate powergate/ungate setting") +Signed-off-by: Yang Wang +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +(cherry picked from commit 7a3fbdfd19ec5992c0fc2d0bd83888644f5f2f38) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/amdgpu_dpm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/amdgpu_dpm.c b/drivers/gpu/drm/amd/pm/amdgpu_dpm.c +index bc29a923fa6e5..8253d2977408d 100644 +--- a/drivers/gpu/drm/amd/pm/amdgpu_dpm.c ++++ b/drivers/gpu/drm/amd/pm/amdgpu_dpm.c +@@ -80,15 +80,15 @@ int amdgpu_dpm_set_powergating_by_smu(struct amdgpu_device *adev, + enum ip_power_state pwr_state = gate ? POWER_STATE_OFF : POWER_STATE_ON; + bool is_vcn = block_type == AMD_IP_BLOCK_TYPE_VCN; + ++ mutex_lock(&adev->pm.mutex); ++ + if (atomic_read(&adev->pm.pwr_state[block_type]) == pwr_state && + (!is_vcn || adev->vcn.num_vcn_inst == 1)) { + dev_dbg(adev->dev, "IP block%d already in the target %s state!", + block_type, gate ? "gate" : "ungate"); +- return 0; ++ goto out_unlock; + } + +- mutex_lock(&adev->pm.mutex); +- + switch (block_type) { + case AMD_IP_BLOCK_TYPE_UVD: + case AMD_IP_BLOCK_TYPE_VCE: +@@ -115,6 +115,7 @@ int amdgpu_dpm_set_powergating_by_smu(struct amdgpu_device *adev, + if (!ret) + atomic_set(&adev->pm.pwr_state[block_type], pwr_state); + ++out_unlock: + mutex_unlock(&adev->pm.mutex); + + return ret; +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-configfs-fix-is_bound-pci_dev-lifetime.patch b/queue-6.18/drm-xe-configfs-fix-is_bound-pci_dev-lifetime.patch new file mode 100644 index 0000000000..dc5f33e1fb --- /dev/null +++ b/queue-6.18/drm-xe-configfs-fix-is_bound-pci_dev-lifetime.patch @@ -0,0 +1,47 @@ +From 05c7a191f2cc28869d3cc453c73866786deb9bcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 17:37:51 +0000 +Subject: drm/xe/configfs: Fix is_bound() pci_dev lifetime +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuicheng Lin + +[ Upstream commit c1ed856c09d0d730c2f63bbb757cb6011db148f9 ] + +Move pci_dev_put() after pci_dbg() to avoid using pdev after dropping its +reference. + +Fixes: 2674f1ef29f46 ("drm/xe/configfs: Block runtime attribute changes") +Signed-off-by: Shuicheng Lin +Reviewed-by: Ashutosh Dixit +Signed-off-by: Ashutosh Dixit +Link: https://patch.msgid.link/20260121173750.3090907-2-shuicheng.lin@intel.com +(cherry picked from commit 63b33604365bdca43dee41bab809da2230491036) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_configfs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_configfs.c b/drivers/gpu/drm/xe/xe_configfs.c +index 1396634231857..6688b2954d20b 100644 +--- a/drivers/gpu/drm/xe/xe_configfs.c ++++ b/drivers/gpu/drm/xe/xe_configfs.c +@@ -258,11 +258,10 @@ static bool is_bound(struct xe_config_group_device *dev) + return false; + + ret = pci_get_drvdata(pdev); +- pci_dev_put(pdev); +- + if (ret) + pci_dbg(pdev, "Already bound to driver\n"); + ++ pci_dev_put(pdev); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-nvm-fix-double-free-on-aux-add-failure.patch b/queue-6.18/drm-xe-nvm-fix-double-free-on-aux-add-failure.patch new file mode 100644 index 0000000000..b1c751e0a2 --- /dev/null +++ b/queue-6.18/drm-xe-nvm-fix-double-free-on-aux-add-failure.patch @@ -0,0 +1,88 @@ +From 744fc470c709cdf96588d19c5c1aacb5ecc30f2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 18:32:42 +0000 +Subject: drm/xe/nvm: Fix double-free on aux add failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuicheng Lin + +[ Upstream commit 8a44241b0b83a6047c5448da1fff03fcc29496b5 ] + +After a successful auxiliary_device_init(), aux_dev->dev.release +(xe_nvm_release_dev()) is responsible for the kfree(nvm). When +there is failure with auxiliary_device_add(), driver will call +auxiliary_device_uninit(), which call put_device(). So that the +.release callback will be triggered to free the memory associated +with the auxiliary_device. + +Move the kfree(nvm) into the auxiliary_device_init() failure path +and remove the err goto path to fix below error. + +" +[ 13.232905] ================================================================== +[ 13.232911] BUG: KASAN: double-free in xe_nvm_init+0x751/0xf10 [xe] +[ 13.233112] Free of addr ffff888120635000 by task systemd-udevd/273 + +[ 13.233120] CPU: 8 UID: 0 PID: 273 Comm: systemd-udevd Not tainted 6.19.0-rc2-lgci-xe-kernel+ #225 PREEMPT(voluntary) +... +[ 13.233125] Call Trace: +[ 13.233126] +[ 13.233127] dump_stack_lvl+0x7f/0xc0 +[ 13.233132] print_report+0xce/0x610 +[ 13.233136] ? kasan_complete_mode_report_info+0x5d/0x1e0 +[ 13.233139] ? xe_nvm_init+0x751/0xf10 [xe] +... +" + +v2: drop err goto path. (Alexander) + +Fixes: 7926ba2143d8 ("drm/xe: defer free of NVM auxiliary container to device release callback") +Reviewed-by: Nitin Gote +Reviewed-by: Brian Nguyen +Cc: Alexander Usyskin +Cc: Rodrigo Vivi +Suggested-by: Brian Nguyen +Signed-off-by: Shuicheng Lin +Signed-off-by: Ashutosh Dixit +Link: https://patch.msgid.link/20260120183239.2966782-7-shuicheng.lin@intel.com +(cherry picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_nvm.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_nvm.c b/drivers/gpu/drm/xe/xe_nvm.c +index 1fff24dbc7cd4..6da42b2b5e467 100644 +--- a/drivers/gpu/drm/xe/xe_nvm.c ++++ b/drivers/gpu/drm/xe/xe_nvm.c +@@ -153,19 +153,17 @@ int xe_nvm_init(struct xe_device *xe) + ret = auxiliary_device_init(aux_dev); + if (ret) { + drm_err(&xe->drm, "xe-nvm aux init failed %d\n", ret); +- goto err; ++ kfree(nvm); ++ xe->nvm = NULL; ++ return ret; + } + + ret = auxiliary_device_add(aux_dev); + if (ret) { + drm_err(&xe->drm, "xe-nvm aux add failed %d\n", ret); + auxiliary_device_uninit(aux_dev); +- goto err; ++ xe->nvm = NULL; ++ return ret; + } + return devm_add_action_or_reset(xe->drm.dev, xe_nvm_fini, xe); +- +-err: +- kfree(nvm); +- xe->nvm = NULL; +- return ret; + } +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-nvm-manage-nvm-aux-cleanup-with-devres.patch b/queue-6.18/drm-xe-nvm-manage-nvm-aux-cleanup-with-devres.patch new file mode 100644 index 0000000000..592e557023 --- /dev/null +++ b/queue-6.18/drm-xe-nvm-manage-nvm-aux-cleanup-with-devres.patch @@ -0,0 +1,176 @@ +From 6a005f9b91c0c51ff205b5aafce3edc75ce6d7c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 18:32:41 +0000 +Subject: drm/xe/nvm: Manage nvm aux cleanup with devres +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuicheng Lin + +[ Upstream commit 2da8fbb8f1c17129a08c1e0e42c71eabdca76062 ] + +Move nvm teardown to a devm-managed action registered from xe_nvm_init(). +This ensures the auxiliary NVM device is deleted on probe failure and +device detach without requiring explicit calls from remove paths. + +As part of this, drop xe_nvm_fini() from xe_device_remove() and from the +survivability sysfs teardown, and remove the public xe_nvm_fini() API from +the header. + +This is to fix below warn message when there is probe failure after +xe_nvm_init(), then xe_device_probe() is called again: +" +[ 207.318152] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:01.0/0000:01:00.0/0000:02:01.0/0000:03:00.0/xe.nvm.768' +[ 207.318157] CPU: 5 UID: 0 PID: 10261 Comm: modprobe Tainted: G B W 6.19.0-rc2-lgci-xe-kernel+ #223 PREEMPT(voluntary) +[ 207.318160] Tainted: [B]=BAD_PAGE, [W]=WARN +[ 207.318161] Hardware name: ASUS System Product Name/PRIME Z790-P WIFI, BIOS 0812 02/24/2023 +[ 207.318163] Call Trace: +[ 207.318163] +[ 207.318165] dump_stack_lvl+0xa0/0xc0 +[ 207.318170] dump_stack+0x10/0x20 +[ 207.318171] sysfs_warn_dup+0xd5/0x110 +[ 207.318175] sysfs_create_dir_ns+0x1f6/0x280 +[ 207.318177] ? __pfx_sysfs_create_dir_ns+0x10/0x10 +[ 207.318179] ? lock_acquire+0x1a4/0x2e0 +[ 207.318182] ? __kasan_check_read+0x11/0x20 +[ 207.318185] ? do_raw_spin_unlock+0x5c/0x240 +[ 207.318187] kobject_add_internal+0x28d/0x8e0 +[ 207.318189] kobject_add+0x11f/0x1f0 +[ 207.318191] ? __pfx_kobject_add+0x10/0x10 +[ 207.318193] ? lockdep_init_map_type+0x4b/0x230 +[ 207.318195] ? get_device_parent.isra.0+0x43/0x4c0 +[ 207.318197] ? kobject_get+0x55/0xf0 +[ 207.318199] device_add+0x2d7/0x1500 +[ 207.318201] ? __pfx_device_add+0x10/0x10 +[ 207.318203] ? lockdep_init_map_type+0x4b/0x230 +[ 207.318205] __auxiliary_device_add+0x99/0x140 +[ 207.318208] xe_nvm_init+0x7a2/0xef0 [xe] +[ 207.318333] ? xe_devcoredump_init+0x80/0x110 [xe] +[ 207.318452] ? __devm_add_action+0x82/0xc0 +[ 207.318454] ? fs_reclaim_release+0xc0/0x110 +[ 207.318457] xe_device_probe+0x17dd/0x2c40 [xe] +[ 207.318574] ? __pfx___drm_dev_dbg+0x10/0x10 +[ 207.318576] ? add_dr+0x180/0x220 +[ 207.318579] ? __pfx___drmm_mutex_release+0x10/0x10 +[ 207.318582] ? __pfx_xe_device_probe+0x10/0x10 [xe] +[ 207.318697] ? xe_pm_init_early+0x33a/0x410 [xe] +[ 207.318850] xe_pci_probe+0x936/0x1250 [xe] +[ 207.318999] ? lock_acquire+0x1a4/0x2e0 +[ 207.319003] ? __pfx_xe_pci_probe+0x10/0x10 [xe] +[ 207.319151] local_pci_probe+0xe6/0x1a0 +[ 207.319154] pci_device_probe+0x523/0x840 +[ 207.319157] ? __pfx_pci_device_probe+0x10/0x10 +[ 207.319159] ? sysfs_do_create_link_sd.isra.0+0x8c/0x110 +[ 207.319162] ? sysfs_create_link+0x48/0xc0 +... +" + +Fixes: c28bfb107dac ("drm/xe/nvm: add on-die non-volatile memory device") +Reviewed-by: Alexander Usyskin +Reviewed-by: Brian Nguyen +Cc: Rodrigo Vivi +Cc: Riana Tauro +Signed-off-by: Shuicheng Lin +Signed-off-by: Ashutosh Dixit +Link: https://patch.msgid.link/20260120183239.2966782-6-shuicheng.lin@intel.com +(cherry picked from commit 11035eab1b7d88daa7904440046e64d3810b1ca1) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_device.c | 2 -- + drivers/gpu/drm/xe/xe_nvm.c | 43 +++++++++++++++++----------------- + drivers/gpu/drm/xe/xe_nvm.h | 2 -- + 3 files changed, 22 insertions(+), 25 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c +index 5f757790d6f53..fe5aadb27b779 100644 +--- a/drivers/gpu/drm/xe/xe_device.c ++++ b/drivers/gpu/drm/xe/xe_device.c +@@ -974,8 +974,6 @@ void xe_device_remove(struct xe_device *xe) + { + xe_display_unregister(xe); + +- xe_nvm_fini(xe); +- + drm_dev_unplug(&xe->drm); + + xe_bo_pci_dev_remove_all(xe); +diff --git a/drivers/gpu/drm/xe/xe_nvm.c b/drivers/gpu/drm/xe/xe_nvm.c +index 33f4ac82fc80a..1fff24dbc7cd4 100644 +--- a/drivers/gpu/drm/xe/xe_nvm.c ++++ b/drivers/gpu/drm/xe/xe_nvm.c +@@ -83,6 +83,27 @@ static bool xe_nvm_writable_override(struct xe_device *xe) + return writable_override; + } + ++static void xe_nvm_fini(void *arg) ++{ ++ struct xe_device *xe = arg; ++ struct intel_dg_nvm_dev *nvm = xe->nvm; ++ ++ if (!xe->info.has_gsc_nvm) ++ return; ++ ++ /* No access to internal NVM from VFs */ ++ if (IS_SRIOV_VF(xe)) ++ return; ++ ++ /* Nvm pointer should not be NULL here */ ++ if (WARN_ON(!nvm)) ++ return; ++ ++ auxiliary_device_delete(&nvm->aux_dev); ++ auxiliary_device_uninit(&nvm->aux_dev); ++ xe->nvm = NULL; ++} ++ + int xe_nvm_init(struct xe_device *xe) + { + struct pci_dev *pdev = to_pci_dev(xe->drm.dev); +@@ -141,30 +162,10 @@ int xe_nvm_init(struct xe_device *xe) + auxiliary_device_uninit(aux_dev); + goto err; + } +- return 0; ++ return devm_add_action_or_reset(xe->drm.dev, xe_nvm_fini, xe); + + err: + kfree(nvm); + xe->nvm = NULL; + return ret; + } +- +-void xe_nvm_fini(struct xe_device *xe) +-{ +- struct intel_dg_nvm_dev *nvm = xe->nvm; +- +- if (!xe->info.has_gsc_nvm) +- return; +- +- /* No access to internal NVM from VFs */ +- if (IS_SRIOV_VF(xe)) +- return; +- +- /* Nvm pointer should not be NULL here */ +- if (WARN_ON(!nvm)) +- return; +- +- auxiliary_device_delete(&nvm->aux_dev); +- auxiliary_device_uninit(&nvm->aux_dev); +- xe->nvm = NULL; +-} +diff --git a/drivers/gpu/drm/xe/xe_nvm.h b/drivers/gpu/drm/xe/xe_nvm.h +index 7f3d5f57bed08..fd3467ad35a4d 100644 +--- a/drivers/gpu/drm/xe/xe_nvm.h ++++ b/drivers/gpu/drm/xe/xe_nvm.h +@@ -10,6 +10,4 @@ struct xe_device; + + int xe_nvm_init(struct xe_device *xe); + +-void xe_nvm_fini(struct xe_device *xe); +- + #endif +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-skip-address-copy-for-sync-only-execs.patch b/queue-6.18/drm-xe-skip-address-copy-for-sync-only-execs.patch new file mode 100644 index 0000000000..07d1c1662c --- /dev/null +++ b/queue-6.18/drm-xe-skip-address-copy-for-sync-only-execs.patch @@ -0,0 +1,62 @@ +From c27451ca92388ec2f28fa3f7a93883bb40f22ed9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 21:40:54 +0000 +Subject: drm/xe: Skip address copy for sync-only execs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuicheng Lin + +[ Upstream commit c73a8917b31e8ddbd53cc248e17410cec27f8f58 ] + +For parallel exec queues, xe_exec_ioctl() copied the batch buffer address +array from userspace without checking num_batch_buffer. +If user creates a sync-only exec that doesn't use the address field, the +exec will fail with -EFAULT. +Add num_batch_buffer check to skip the copy, and the exec could be executed +successfully. + +Here is the sync-only exec: +struct drm_xe_exec exec = { + .extensions = 0, + .exec_queue_id = qid, + .num_syncs = 1, + .syncs = (uintptr_t)&sync, + .address = 0, /* ignored for sync-only */ + .num_batch_buffer = 0, /* sync-only */ +}; + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Cc: Matthew Brost +Signed-off-by: Shuicheng Lin +Reviewed-by: Matthew Brost +Signed-off-by: Matthew Brost +Link: https://patch.msgid.link/20260122214053.3189366-2-shuicheng.lin@intel.com +(cherry picked from commit 4761791c1e736273d612ff564f318bfbbb04fa4e) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_exec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_exec.c b/drivers/gpu/drm/xe/xe_exec.c +index ca85f7c15fabe..87a32b61bece6 100644 +--- a/drivers/gpu/drm/xe/xe_exec.c ++++ b/drivers/gpu/drm/xe/xe_exec.c +@@ -182,9 +182,9 @@ int xe_exec_ioctl(struct drm_device *dev, void *data, struct drm_file *file) + goto err_syncs; + } + +- if (xe_exec_queue_is_parallel(q)) { +- err = copy_from_user(addresses, addresses_user, sizeof(u64) * +- q->width); ++ if (args->num_batch_buffer && xe_exec_queue_is_parallel(q)) { ++ err = copy_from_user(addresses, addresses_user, ++ sizeof(u64) * q->width); + if (err) { + err = -EFAULT; + goto err_syncs; +-- +2.51.0 + diff --git a/queue-6.18/gpio-brcmstb-correct-hwirq-to-bank-map.patch b/queue-6.18/gpio-brcmstb-correct-hwirq-to-bank-map.patch new file mode 100644 index 0000000000..a35c924447 --- /dev/null +++ b/queue-6.18/gpio-brcmstb-correct-hwirq-to-bank-map.patch @@ -0,0 +1,52 @@ +From ab7ae1f7b368afec91fb4a29bf3accca6971d75e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 13:46:54 -0800 +Subject: gpio: brcmstb: correct hwirq to bank map + +From: Doug Berger + +[ Upstream commit b2cf569ed81e7574d4287eaf3b2c38690a934d34 ] + +The brcmstb_gpio_hwirq_to_bank() function was designed to +accommodate the downward numbering of dynamic GPIOs by +traversing the bank list in the reverse order. However, the +dynamic numbering has changed to increment upward which can +produce an incorrect mapping. + +The function is modified to no longer assume an ordering of +the list to accommodate either option. + +Fixes: 7b61212f2a07 ("gpiolib: Get rid of ARCH_NR_GPIOS") +Signed-off-by: Doug Berger +Signed-off-by: Florian Fainelli +Reviewed-by: Linus Walleij +Link: https://patch.msgid.link/20260127214656.447333-2-florian.fainelli@broadcom.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-brcmstb.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpio/gpio-brcmstb.c b/drivers/gpio/gpio-brcmstb.c +index f40c9472588bc..f0cb1991b326c 100644 +--- a/drivers/gpio/gpio-brcmstb.c ++++ b/drivers/gpio/gpio-brcmstb.c +@@ -301,12 +301,10 @@ static struct brcmstb_gpio_bank *brcmstb_gpio_hwirq_to_bank( + struct brcmstb_gpio_priv *priv, irq_hw_number_t hwirq) + { + struct brcmstb_gpio_bank *bank; +- int i = 0; + +- /* banks are in descending order */ +- list_for_each_entry_reverse(bank, &priv->bank_list, node) { +- i += bank->chip.gc.ngpio; +- if (hwirq < i) ++ list_for_each_entry(bank, &priv->bank_list, node) { ++ if (hwirq >= bank->chip.gc.offset && ++ hwirq < (bank->chip.gc.offset + bank->chip.gc.ngpio)) + return bank; + } + return NULL; +-- +2.51.0 + diff --git a/queue-6.18/gpio-virtuser-fix-uaf-in-configfs-release-path.patch b/queue-6.18/gpio-virtuser-fix-uaf-in-configfs-release-path.patch new file mode 100644 index 0000000000..b9711dab16 --- /dev/null +++ b/queue-6.18/gpio-virtuser-fix-uaf-in-configfs-release-path.patch @@ -0,0 +1,53 @@ +From c3a81e960fb9a0f3d90475b0299db05ce18699b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 12:03:48 +0800 +Subject: gpio: virtuser: fix UAF in configfs release path + +From: Yuhao Huang + +[ Upstream commit 53ad4a948a4586359b841d607c08fb16c5503230 ] + +The gpio-virtuser configfs release path uses guard(mutex) to protect +the device structure. However, the device is freed before the guard +cleanup runs, causing mutex_unlock() to operate on freed memory. + +Specifically, gpio_virtuser_device_config_group_release() destroys +the mutex and frees the device while still inside the guard(mutex) +scope. When the function returns, the guard cleanup invokes +mutex_unlock(&dev->lock), resulting in a slab use-after-free. + +Limit the mutex lifetime by using a scoped_guard() only around the +activation check, so that the lock is released before mutex_destroy() +and kfree() are called. + +Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API") +Signed-off-by: Yuhao Huang +Link: https://lore.kernel.org/r/20260126040348.11167-1-yuhaohuang@YuhaodeMacBook-Pro.local +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-virtuser.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpio/gpio-virtuser.c b/drivers/gpio/gpio-virtuser.c +index a10eab7d2617e..252fec5ea3835 100644 +--- a/drivers/gpio/gpio-virtuser.c ++++ b/drivers/gpio/gpio-virtuser.c +@@ -1684,10 +1684,10 @@ static void gpio_virtuser_device_config_group_release(struct config_item *item) + { + struct gpio_virtuser_device *dev = to_gpio_virtuser_device(item); + +- guard(mutex)(&dev->lock); +- +- if (gpio_virtuser_device_is_live(dev)) +- gpio_virtuser_device_deactivate(dev); ++ scoped_guard(mutex, &dev->lock) { ++ if (gpio_virtuser_device_is_live(dev)) ++ gpio_virtuser_device_deactivate(dev); ++ } + + mutex_destroy(&dev->lock); + ida_free(&gpio_virtuser_ida, dev->id); +-- +2.51.0 + diff --git a/queue-6.18/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch b/queue-6.18/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch new file mode 100644 index 0000000000..033513b872 --- /dev/null +++ b/queue-6.18/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch @@ -0,0 +1,45 @@ +From 9bba43b4194124fd89332c8a21a060fd6743bb2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 06:59:14 +0300 +Subject: gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler + +From: Denis Sergeev + +[ Upstream commit c0ae43d303e45764918fa8c1dc13d6a5db59c479 ] + +The BIT() macro uses unsigned long, which is 32 bits on 32-bit +architectures. When iterating over GPIO pins with index >= 32, +the expression (*value & BIT(i)) causes undefined behavior due +to shifting by a value >= type width. + +Since 'value' is a pointer to u64, use BIT_ULL() to ensure correct +64-bit mask on all architectures. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 2c4d00cb8fc5 ("gpiolib: acpi: Use BIT() macro to increase readability") +Signed-off-by: Denis Sergeev +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20260126035914.16586-1-denserg.edu@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c +index d441c1236d8ca..2ac6c708d927a 100644 +--- a/drivers/gpio/gpiolib-acpi-core.c ++++ b/drivers/gpio/gpiolib-acpi-core.c +@@ -1159,7 +1159,7 @@ acpi_gpio_adr_space_handler(u32 function, acpi_physical_address address, + mutex_unlock(&achip->conn_lock); + + if (function == ACPI_WRITE) +- gpiod_set_raw_value_cansleep(desc, !!(*value & BIT(i))); ++ gpiod_set_raw_value_cansleep(desc, !!(*value & BIT_ULL(i))); + else + *value |= (u64)gpiod_get_raw_value_cansleep(desc) << i; + } +-- +2.51.0 + diff --git a/queue-6.18/kbuild-fix-permissions-of-modules.builtin.modinfo.patch b/queue-6.18/kbuild-fix-permissions-of-modules.builtin.modinfo.patch new file mode 100644 index 0000000000..934706cdd2 --- /dev/null +++ b/queue-6.18/kbuild-fix-permissions-of-modules.builtin.modinfo.patch @@ -0,0 +1,47 @@ +From 2d134a494f01460a4753bf6d13ede01195fabe4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 14:37:51 +0800 +Subject: kbuild: Fix permissions of modules.builtin.modinfo + +From: Ethan Zuo + +[ Upstream commit 6d60354ea2f90352b22039ed8371c4f4321df90e ] + +Currently, modules.builtin.modinfo is created with executable permissions +(0755). This is because after commit 39cfd5b12160 ("kbuild: extract +modules.builtin.modinfo from vmlinux.unstripped"), modules.builtin.modinfo +is extracted from vmlinux.unstripped using objcopy. When extracting +sections, objcopy inherits attributes from the source ELF file. + +Since modules.builtin.modinfo is a data file and not an executable, +it should have regular file permissions (0644). The executable bit +can trigger warnings in Debian's Lintian tool. + +Explicitly remove the executable bit after generation. + +Fixes: 39cfd5b12160 ("kbuild: extract modules.builtin.modinfo from vmlinux.unstripped") +Signed-off-by: Ethan Zuo +Link: https://patch.msgid.link/SY0P300MB0609F6916B24ADF65502940B9C91A@SY0P300MB0609.AUSP300.PROD.OUTLOOK.COM +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/Makefile.vmlinux | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux +index cd788cac9d91d..276c3134a563a 100644 +--- a/scripts/Makefile.vmlinux ++++ b/scripts/Makefile.vmlinux +@@ -113,7 +113,8 @@ vmlinux: vmlinux.unstripped FORCE + # what kmod expects to parse. + quiet_cmd_modules_builtin_modinfo = GEN $@ + cmd_modules_builtin_modinfo = $(cmd_objcopy); \ +- sed -i 's/\x00\+$$/\x00/g' $@ ++ sed -i 's/\x00\+$$/\x00/g' $@; \ ++ chmod -x $@ + + OBJCOPYFLAGS_modules.builtin.modinfo := -j .modinfo -O binary + +-- +2.51.0 + diff --git a/queue-6.18/kbuild-rpm-pkg-generate-debuginfo-package-manually.patch b/queue-6.18/kbuild-rpm-pkg-generate-debuginfo-package-manually.patch new file mode 100644 index 0000000000..7cf0687c67 --- /dev/null +++ b/queue-6.18/kbuild-rpm-pkg-generate-debuginfo-package-manually.patch @@ -0,0 +1,146 @@ +From 2a38046e39228c26dbf8b36bab7f4ca9d50cca2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 15:29:15 -0700 +Subject: kbuild: rpm-pkg: Generate debuginfo package manually + +From: Nathan Chancellor + +[ Upstream commit 62089b804895e845f82e132ea9d46a1fc53ed5a7 ] + +Commit a7c699d090a1 ("kbuild: rpm-pkg: build a debuginfo RPM") adjusted +the __spec_install_post macro to include __os_install_post, which runs +brp-strip. This ends up stripping module signatures, breaking loading +modules with lockdown enabled. + +Undo most of the changes of the aforementioned debuginfo patch and +mirror commit 16c36f8864e3 ("kbuild: deb-pkg: use build ID instead of +debug link for dbg package") in kernel.spec to generate a functionally +equivalent debuginfo package while avoiding touching the modules after +they have already been signed during modules_install. + +Fixes: a7c699d090a1 ("kbuild: rpm-pkg: build a debuginfo RPM") +Reported-by: Holger Kiehl +Closes: https://lore.kernel.org/68c375f6-e07e-fec-434d-6a45a4f1390@praktifix.dwd.de/ +Tested-by: Holger Kiehl +Signed-off-by: Nathan Chancellor +Link: https://patch.msgid.link/20260121-fix-module-signing-binrpm-pkg-v1-1-8fc5832b6cbc@kernel.org +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/package/kernel.spec | 65 +++++++++++++++++-------------------- + 1 file changed, 30 insertions(+), 35 deletions(-) + +diff --git a/scripts/package/kernel.spec b/scripts/package/kernel.spec +index 98f206cb7c607..0f1c8de1bd95f 100644 +--- a/scripts/package/kernel.spec ++++ b/scripts/package/kernel.spec +@@ -2,6 +2,8 @@ + %{!?_arch: %define _arch dummy} + %{!?make: %define make make} + %define makeflags %{?_smp_mflags} ARCH=%{ARCH} ++%define __spec_install_post /usr/lib/rpm/brp-compress || : ++%define debug_package %{nil} + + Name: kernel + Summary: The Linux Kernel +@@ -46,34 +48,12 @@ against the %{version} kernel package. + %endif + + %if %{with_debuginfo} +-# list of debuginfo-related options taken from distribution kernel.spec +-# files +-%undefine _include_minidebuginfo +-%undefine _find_debuginfo_dwz_opts +-%undefine _unique_build_ids +-%undefine _unique_debug_names +-%undefine _unique_debug_srcs +-%undefine _debugsource_packages +-%undefine _debuginfo_subpackages +-%global _find_debuginfo_opts -r +-%global _missing_build_ids_terminate_build 1 +-%global _no_recompute_build_ids 1 +-%{debug_package} ++%package debuginfo ++Summary: Debug information package for the Linux kernel ++%description debuginfo ++This package provides debug information for the kernel image and modules from the ++%{version} package. + %endif +-# some (but not all) versions of rpmbuild emit %%debug_package with +-# %%install. since we've already emitted it manually, that would cause +-# a package redefinition error. ensure that doesn't happen +-%define debug_package %{nil} +- +-# later, we make all modules executable so that find-debuginfo.sh strips +-# them up. but they don't actually need to be executable, so remove the +-# executable bit, taking care to do it _after_ find-debuginfo.sh has run +-%define __spec_install_post \ +- %{?__debug_package:%{__debug_install_post}} \ +- %{__arch_install_post} \ +- %{__os_install_post} \ +- find %{buildroot}/lib/modules/%{KERNELRELEASE} -name "*.ko" -type f \\\ +- | xargs --no-run-if-empty chmod u-x + + %prep + %setup -q -n linux +@@ -87,7 +67,7 @@ patch -p1 < %{SOURCE2} + mkdir -p %{buildroot}/lib/modules/%{KERNELRELEASE} + cp $(%{make} %{makeflags} -s image_name) %{buildroot}/lib/modules/%{KERNELRELEASE}/vmlinuz + # DEPMOD=true makes depmod no-op. We do not package depmod-generated files. +-%{make} %{makeflags} INSTALL_MOD_PATH=%{buildroot} DEPMOD=true modules_install ++%{make} %{makeflags} INSTALL_MOD_PATH=%{buildroot} INSTALL_MOD_STRIP=1 DEPMOD=true modules_install + %{make} %{makeflags} INSTALL_HDR_PATH=%{buildroot}/usr headers_install + cp System.map %{buildroot}/lib/modules/%{KERNELRELEASE} + cp .config %{buildroot}/lib/modules/%{KERNELRELEASE}/config +@@ -118,22 +98,31 @@ ln -fns /usr/src/kernels/%{KERNELRELEASE} %{buildroot}/lib/modules/%{KERNELRELEA + echo "%exclude /lib/modules/%{KERNELRELEASE}/build" + } > %{buildroot}/kernel.list + +-# make modules executable so that find-debuginfo.sh strips them. this +-# will be undone later in %%__spec_install_post +-find %{buildroot}/lib/modules/%{KERNELRELEASE} -name "*.ko" -type f \ +- | xargs --no-run-if-empty chmod u+x +- + %if %{with_debuginfo} + # copying vmlinux directly to the debug directory means it will not get + # stripped (but its source paths will still be collected + fixed up) + mkdir -p %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE} + cp vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE} ++ ++echo /usr/lib/debug/lib/modules/%{KERNELRELEASE}/vmlinux > %{buildroot}/debuginfo.list ++ ++while read -r mod; do ++ mod="${mod%.o}.ko" ++ dbg="%{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE}/kernel/${mod}" ++ buildid=$("${READELF}" -n "${mod}" | sed -n 's@^.*Build ID: \(..\)\(.*\)@\1/\2@p') ++ link="%{buildroot}/usr/lib/debug/.build-id/${buildid}.debug" ++ ++ mkdir -p "${dbg%/*}" "${link%/*}" ++ "${OBJCOPY}" --only-keep-debug "${mod}" "${dbg}" ++ ln -sf --relative "${dbg}" "${link}" ++ ++ echo "${dbg#%{buildroot}}" >> %{buildroot}/debuginfo.list ++ echo "${link#%{buildroot}}" >> %{buildroot}/debuginfo.list ++done < modules.order + %endif + + %clean + rm -rf %{buildroot} +-rm -f debugfiles.list debuglinks.list debugsourcefiles.list debugsources.list \ +- elfbins.list + + %post + if [ -x /usr/bin/kernel-install ]; then +@@ -172,3 +161,9 @@ fi + /usr/src/kernels/%{KERNELRELEASE} + /lib/modules/%{KERNELRELEASE}/build + %endif ++ ++%if %{with_debuginfo} ++%files -f %{buildroot}/debuginfo.list debuginfo ++%defattr (-, root, root) ++%exclude /debuginfo.list ++%endif +-- +2.51.0 + diff --git a/queue-6.18/of-reserved_mem-allow-reserved_mem-framework-detect-.patch b/queue-6.18/of-reserved_mem-allow-reserved_mem-framework-detect-.patch new file mode 100644 index 0000000000..1fc11fdbb6 --- /dev/null +++ b/queue-6.18/of-reserved_mem-allow-reserved_mem-framework-detect-.patch @@ -0,0 +1,150 @@ +From a01b3303c2096e1199e623b506e073db207aed52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 18:13:27 +0100 +Subject: of: reserved_mem: Allow reserved_mem framework detect "cma=" kernel + param + +From: Oreoluwa Babatunde + +[ Upstream commit 0fd17e5983337231dc655e9ca0095d2ca3f47405 ] + +When initializing the default cma region, the "cma=" kernel parameter +takes priority over a DT defined linux,cma-default region. Hence, give +the reserved_mem framework the ability to detect this so that the DT +defined cma region can skip initialization accordingly. + +Signed-off-by: Oreoluwa Babatunde +Tested-by: Joy Zou +Acked-by: Rob Herring (Arm) +Fixes: 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved memory regions are processed") +Fixes: 2c223f7239f3 ("of: reserved_mem: Restructure call site for dma_contiguous_early_fixup()") +Link: https://lore.kernel.org/r/20251210002027.1171519-1-oreoluwa.babatunde@oss.qualcomm.com +[mszyprow: rebased onto v6.19-rc1, added fixes tags, added a stub for + cma_skip_dt_default_reserved_mem() if no CONFIG_DMA_CMA is set] +Signed-off-by: Marek Szyprowski +Signed-off-by: Sasha Levin +--- + drivers/of/of_reserved_mem.c | 19 +++++++++++++++++-- + include/linux/cma.h | 9 +++++++++ + kernel/dma/contiguous.c | 16 ++++++++++------ + 3 files changed, 36 insertions(+), 8 deletions(-) + +diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c +index e5ea4f1e5eff7..fe111d1ea7397 100644 +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -158,7 +158,7 @@ static int __init __reserved_mem_reserve_reg(unsigned long node, + phys_addr_t base, size; + int len; + const __be32 *prop; +- bool nomap; ++ bool nomap, default_cma; + + prop = of_get_flat_dt_prop(node, "reg", &len); + if (!prop) +@@ -171,6 +171,12 @@ static int __init __reserved_mem_reserve_reg(unsigned long node, + } + + nomap = of_get_flat_dt_prop(node, "no-map", NULL) != NULL; ++ default_cma = of_get_flat_dt_prop(node, "linux,cma-default", NULL); ++ ++ if (default_cma && cma_skip_dt_default_reserved_mem()) { ++ pr_err("Skipping dt linux,cma-default for \"cma=\" kernel param.\n"); ++ return -EINVAL; ++ } + + while (len >= t_len) { + base = dt_mem_next_cell(dt_root_addr_cells, &prop); +@@ -253,10 +259,13 @@ void __init fdt_scan_reserved_mem_reg_nodes(void) + + fdt_for_each_subnode(child, fdt, node) { + const char *uname; ++ bool default_cma = of_get_flat_dt_prop(child, "linux,cma-default", NULL); + u64 b, s; + + if (!of_fdt_device_is_available(fdt, child)) + continue; ++ if (default_cma && cma_skip_dt_default_reserved_mem()) ++ continue; + + if (!of_flat_dt_get_addr_size(child, "reg", &b, &s)) + continue; +@@ -395,7 +404,7 @@ static int __init __reserved_mem_alloc_size(unsigned long node, const char *unam + phys_addr_t base = 0, align = 0, size; + int len; + const __be32 *prop; +- bool nomap; ++ bool nomap, default_cma; + int ret; + + prop = of_get_flat_dt_prop(node, "size", &len); +@@ -419,6 +428,12 @@ static int __init __reserved_mem_alloc_size(unsigned long node, const char *unam + } + + nomap = of_get_flat_dt_prop(node, "no-map", NULL) != NULL; ++ default_cma = of_get_flat_dt_prop(node, "linux,cma-default", NULL); ++ ++ if (default_cma && cma_skip_dt_default_reserved_mem()) { ++ pr_err("Skipping dt linux,cma-default for \"cma=\" kernel param.\n"); ++ return -EINVAL; ++ } + + /* Need adjust the alignment to satisfy the CMA requirement */ + if (IS_ENABLED(CONFIG_CMA) +diff --git a/include/linux/cma.h b/include/linux/cma.h +index 62d9c1cf63265..2e6931735880b 100644 +--- a/include/linux/cma.h ++++ b/include/linux/cma.h +@@ -57,6 +57,15 @@ extern bool cma_intersects(struct cma *cma, unsigned long start, unsigned long e + + extern void cma_reserve_pages_on_error(struct cma *cma); + ++#ifdef CONFIG_DMA_CMA ++extern bool cma_skip_dt_default_reserved_mem(void); ++#else ++static inline bool cma_skip_dt_default_reserved_mem(void) ++{ ++ return false; ++} ++#endif ++ + #ifdef CONFIG_CMA + struct folio *cma_alloc_folio(struct cma *cma, int order, gfp_t gfp); + bool cma_free_folio(struct cma *cma, const struct folio *folio); +diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c +index d9b9dcba6ff7c..9071c08650e3a 100644 +--- a/kernel/dma/contiguous.c ++++ b/kernel/dma/contiguous.c +@@ -90,6 +90,16 @@ static int __init early_cma(char *p) + } + early_param("cma", early_cma); + ++/* ++ * cma_skip_dt_default_reserved_mem - This is called from the ++ * reserved_mem framework to detect if the default cma region is being ++ * set by the "cma=" kernel parameter. ++ */ ++bool __init cma_skip_dt_default_reserved_mem(void) ++{ ++ return size_cmdline != -1; ++} ++ + #ifdef CONFIG_DMA_NUMA_CMA + + static struct cma *dma_contiguous_numa_area[MAX_NUMNODES]; +@@ -463,12 +473,6 @@ static int __init rmem_cma_setup(struct reserved_mem *rmem) + struct cma *cma; + int err; + +- if (size_cmdline != -1 && default_cma) { +- pr_info("Reserved memory: bypass %s node, using cmdline CMA params instead\n", +- rmem->name); +- return -EBUSY; +- } +- + if (!of_get_flat_dt_prop(node, "reusable", NULL) || + of_get_flat_dt_prop(node, "no-map", NULL)) + return -EINVAL; +-- +2.51.0 + diff --git a/queue-6.18/of-reserved_mem-simplify-the-logic-of-fdt_scan_reser.patch b/queue-6.18/of-reserved_mem-simplify-the-logic-of-fdt_scan_reser.patch new file mode 100644 index 0000000000..f6f3800aff --- /dev/null +++ b/queue-6.18/of-reserved_mem-simplify-the-logic-of-fdt_scan_reser.patch @@ -0,0 +1,79 @@ +From be6e231368e9f01cff816eb1fcd65e4825e02124 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Nov 2025 21:47:52 +0800 +Subject: of/reserved_mem: Simplify the logic of + fdt_scan_reserved_mem_reg_nodes() + +From: Yuntao Wang + +[ Upstream commit 85a8a30c5b8e0ffaaf9f4dc51550dc71a1100df4 ] + +Use the existing helper functions to simplify the logic of +fdt_scan_reserved_mem_reg_nodes() + +Signed-off-by: Yuntao Wang +Link: https://patch.msgid.link/20251115134753.179931-8-yuntao.wang@linux.dev +Signed-off-by: Rob Herring (Arm) +Stable-dep-of: 0fd17e598333 ("of: reserved_mem: Allow reserved_mem framework detect "cma=" kernel param") +Signed-off-by: Sasha Levin +--- + drivers/of/of_reserved_mem.c | 25 +++++++------------------ + 1 file changed, 7 insertions(+), 18 deletions(-) + +diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c +index 2e9ea751ed2df..e5ea4f1e5eff7 100644 +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -230,12 +230,9 @@ static void __init __rmem_check_for_overlap(void); + */ + void __init fdt_scan_reserved_mem_reg_nodes(void) + { +- int t_len = (dt_root_addr_cells + dt_root_size_cells) * sizeof(__be32); + const void *fdt = initial_boot_params; + phys_addr_t base, size; +- const __be32 *prop; + int node, child; +- int len; + + if (!fdt) + return; +@@ -256,29 +253,21 @@ void __init fdt_scan_reserved_mem_reg_nodes(void) + + fdt_for_each_subnode(child, fdt, node) { + const char *uname; ++ u64 b, s; + +- prop = of_get_flat_dt_prop(child, "reg", &len); +- if (!prop) +- continue; + if (!of_fdt_device_is_available(fdt, child)) + continue; + +- uname = fdt_get_name(fdt, child, NULL); +- if (len && len % t_len != 0) { +- pr_err("Reserved memory: invalid reg property in '%s', skipping node.\n", +- uname); ++ if (!of_flat_dt_get_addr_size(child, "reg", &b, &s)) + continue; +- } + +- if (len > t_len) +- pr_warn("%s() ignores %d regions in node '%s'\n", +- __func__, len / t_len - 1, uname); ++ base = b; ++ size = s; + +- base = dt_mem_next_cell(dt_root_addr_cells, &prop); +- size = dt_mem_next_cell(dt_root_size_cells, &prop); +- +- if (size) ++ if (size) { ++ uname = fdt_get_name(fdt, child, NULL); + fdt_reserved_mem_save_node(child, uname, base, size); ++ } + } + + /* check for overlapping reserved regions */ +-- +2.51.0 + diff --git a/queue-6.18/sched-deadline-document-dl_server.patch b/queue-6.18/sched-deadline-document-dl_server.patch new file mode 100644 index 0000000000..d473e9da67 --- /dev/null +++ b/queue-6.18/sched-deadline-document-dl_server.patch @@ -0,0 +1,227 @@ +From 0d7b847c8f1c6e61ca187a1f425993fc6d05892d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 11:25:52 +0100 +Subject: sched/deadline: Document dl_server + +From: Peter Zijlstra + +[ Upstream commit 2614069c5912e9d6f1f57c262face1b368fb8c93 ] + +Place the notes that resulted from going through the dl_server code in a +comment. + +Signed-off-by: Peter Zijlstra (Intel) +Stable-dep-of: 115135422562 ("sched/deadline: Fix 'stuck' dl_server") +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 194 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 194 insertions(+) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 465592fa530ef..6bfffb244162f 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1573,6 +1573,200 @@ void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec) + update_curr_dl_se(dl_se->rq, dl_se, delta_exec); + } + ++/* ++ * dl_server && dl_defer: ++ * ++ * 6 ++ * +--------------------+ ++ * v | ++ * +-------------+ 4 +-----------+ 5 +------------------+ ++ * +-> | A:init | <--- | D:running | -----> | E:replenish-wait | ++ * | +-------------+ +-----------+ +------------------+ ++ * | | | 1 ^ ^ | ++ * | | 1 +----------+ | 3 | ++ * | v | | ++ * | +--------------------------------+ 2 | ++ * | | | ----+ | ++ * | 8 | B:zero_laxity-wait | | | ++ * | | | <---+ | ++ * | +--------------------------------+ | ++ * | | ^ ^ 2 | ++ * | | 7 | 2 +--------------------+ ++ * | v | ++ * | +-------------+ | ++ * +-- | C:idle-wait | -+ ++ * +-------------+ ++ * ^ 7 | ++ * +---------+ ++ * ++ * ++ * [A] - init ++ * dl_server_active = 0 ++ * dl_throttled = 0 ++ * dl_defer_armed = 0 ++ * dl_defer_running = 0/1 ++ * dl_defer_idle = 0 ++ * ++ * [B] - zero_laxity-wait ++ * dl_server_active = 1 ++ * dl_throttled = 1 ++ * dl_defer_armed = 1 ++ * dl_defer_running = 0 ++ * dl_defer_idle = 0 ++ * ++ * [C] - idle-wait ++ * dl_server_active = 1 ++ * dl_throttled = 1 ++ * dl_defer_armed = 1 ++ * dl_defer_running = 0 ++ * dl_defer_idle = 1 ++ * ++ * [D] - running ++ * dl_server_active = 1 ++ * dl_throttled = 0 ++ * dl_defer_armed = 0 ++ * dl_defer_running = 1 ++ * dl_defer_idle = 0 ++ * ++ * [E] - replenish-wait ++ * dl_server_active = 1 ++ * dl_throttled = 1 ++ * dl_defer_armed = 0 ++ * dl_defer_running = 1 ++ * dl_defer_idle = 0 ++ * ++ * ++ * [1] A->B, A->D ++ * dl_server_start() ++ * dl_server_active = 1; ++ * enqueue_dl_entity() ++ * update_dl_entity(WAKEUP) ++ * if (!dl_defer_running) ++ * dl_defer_armed = 1; ++ * dl_throttled = 1; ++ * if (dl_throttled && start_dl_timer()) ++ * return; // [B] ++ * __enqueue_dl_entity(); ++ * // [D] ++ * ++ * // deplete server runtime from client-class ++ * [2] B->B, C->B, E->B ++ * dl_server_update() ++ * update_curr_dl_se() // idle = false ++ * if (dl_defer_idle) ++ * dl_defer_idle = 0; ++ * if (dl_defer && dl_throttled && dl_runtime_exceeded()) ++ * dl_defer_running = 0; ++ * hrtimer_try_to_cancel(); // stop timer ++ * replenish_dl_new_period() ++ * // fwd period ++ * dl_throttled = 1; ++ * dl_defer_armed = 1; ++ * start_dl_timer(); // restart timer ++ * // [B] ++ * ++ * // timer actually fires means we have runtime ++ * [3] B->D ++ * dl_server_timer() ++ * if (dl_defer_armed) ++ * dl_defer_running = 1; ++ * enqueue_dl_entity(REPLENISH) ++ * replenish_dl_entity() ++ * // fwd period ++ * if (dl_throttled) ++ * dl_throttled = 0; ++ * if (dl_defer_armed) ++ * dl_defer_armed = 0; ++ * __enqueue_dl_entity(); ++ * // [D] ++ * ++ * // schedule server ++ * [4] D->A ++ * pick_task_dl() ++ * p = server_pick_task(); ++ * if (!p) ++ * dl_server_stop() ++ * dequeue_dl_entity(); ++ * hrtimer_try_to_cancel(); ++ * dl_defer_armed = 0; ++ * dl_throttled = 0; ++ * dl_server_active = 0; ++ * // [A] ++ * return p; ++ * ++ * // server running ++ * [5] D->E ++ * update_curr_dl_se() ++ * if (dl_runtime_exceeded()) ++ * dl_throttled = 1; ++ * dequeue_dl_entity(); ++ * start_dl_timer(); ++ * // [E] ++ * ++ * // server replenished ++ * [6] E->D ++ * dl_server_timer() ++ * enqueue_dl_entity(REPLENISH) ++ * replenish_dl_entity() ++ * fwd-period ++ * if (dl_throttled) ++ * dl_throttled = 0; ++ * __enqueue_dl_entity(); ++ * // [D] ++ * ++ * // deplete server runtime from idle ++ * [7] B->C, C->C ++ * dl_server_update_idle() ++ * update_curr_dl_se() // idle = true ++ * if (dl_defer && dl_throttled && dl_runtime_exceeded()) ++ * if (dl_defer_idle) ++ * return; ++ * dl_defer_running = 0; ++ * hrtimer_try_to_cancel(); ++ * replenish_dl_new_period() ++ * // fwd period ++ * dl_throttled = 1; ++ * dl_defer_armed = 1; ++ * dl_defer_idle = 1; ++ * start_dl_timer(); // restart timer ++ * // [C] ++ * ++ * // stop idle server ++ * [8] C->A ++ * dl_server_timer() ++ * if (dl_defer_idle) ++ * dl_server_stop(); ++ * // [A] ++ * ++ * ++ * digraph dl_server { ++ * "A:init" -> "B:zero_laxity-wait" [label="1:dl_server_start"] ++ * "A:init" -> "D:running" [label="1:dl_server_start"] ++ * "B:zero_laxity-wait" -> "B:zero_laxity-wait" [label="2:dl_server_update"] ++ * "B:zero_laxity-wait" -> "C:idle-wait" [label="7:dl_server_update_idle"] ++ * "B:zero_laxity-wait" -> "D:running" [label="3:dl_server_timer"] ++ * "C:idle-wait" -> "A:init" [label="8:dl_server_timer"] ++ * "C:idle-wait" -> "B:zero_laxity-wait" [label="2:dl_server_update"] ++ * "C:idle-wait" -> "C:idle-wait" [label="7:dl_server_update_idle"] ++ * "D:running" -> "A:init" [label="4:pick_task_dl"] ++ * "D:running" -> "E:replenish-wait" [label="5:update_curr_dl_se"] ++ * "E:replenish-wait" -> "B:zero_laxity-wait" [label="2:dl_server_update"] ++ * "E:replenish-wait" -> "D:running" [label="6:dl_server_timer"] ++ * } ++ * ++ * ++ * Notes: ++ * ++ * - When there are fair tasks running the most likely loop is [2]->[2]. ++ * the dl_server never actually runs, the timer never fires. ++ * ++ * - When there is actual fair starvation; the timer fires and starts the ++ * dl_server. This will then throttle and replenish like a normal DL ++ * task. Notably it will not 'defer' again. ++ * ++ * - When idle it will push the actication forward once, and then wait ++ * for the timer to hit or a non-idle update to restart things. ++ */ + void dl_server_start(struct sched_dl_entity *dl_se) + { + struct rq *rq = dl_se->rq; +-- +2.51.0 + diff --git a/queue-6.18/sched-deadline-fix-stuck-dl_server.patch b/queue-6.18/sched-deadline-fix-stuck-dl_server.patch new file mode 100644 index 0000000000..4266ca3563 --- /dev/null +++ b/queue-6.18/sched-deadline-fix-stuck-dl_server.patch @@ -0,0 +1,67 @@ +From facd9c47144e4b88e943519741143f93a4439d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 13:41:00 +0100 +Subject: sched/deadline: Fix 'stuck' dl_server + +From: Peter Zijlstra + +[ Upstream commit 115135422562e2f791e98a6f55ec57b2da3b3a95 ] + +Andrea reported the dl_server getting stuck for him. He tracked it +down to a state where dl_server_start() saw dl_defer_running==1, but +the dl_server's job is no longer valid at the time of +dl_server_start(). + +In the state diagram this corresponds to [4] D->A (or dl_server_stop() +due to no more runnable tasks) followed by [1], which in case of a +lapsed deadline must then be A->B. + +Now our A has dl_defer_running==1, while B demands +dl_defer_running==0, therefore it must get cleared when the CBS wakeup +rules demand a replenish. + +Fixes: a110a81c52a9 ("sched/deadline: Deferrable dl server") +Reported-by: Andrea Righi arighi@nvidia.com +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Juri Lelli +Tested-by: Andrea Righi arighi@nvidia.com +Link: https://lkml.kernel.org/r/20260123161645.2181752-1-arighi@nvidia.com +Link: https://patch.msgid.link/20260130124100.GC1079264@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 6bfffb244162f..c7a8717e837dd 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1043,6 +1043,12 @@ static void update_dl_entity(struct sched_dl_entity *dl_se) + return; + } + ++ /* ++ * When [4] D->A is followed by [1] A->B, dl_defer_running ++ * needs to be cleared, otherwise it will fail to properly ++ * start the zero-laxity timer. ++ */ ++ dl_se->dl_defer_running = 0; + replenish_dl_new_period(dl_se, rq); + } else if (dl_server(dl_se) && dl_se->dl_defer) { + /* +@@ -1641,6 +1647,12 @@ void dl_server_update(struct sched_dl_entity *dl_se, s64 delta_exec) + * dl_server_active = 1; + * enqueue_dl_entity() + * update_dl_entity(WAKEUP) ++ * if (dl_time_before() || dl_entity_overflow()) ++ * dl_defer_running = 0; ++ * replenish_dl_new_period(); ++ * // fwd period ++ * dl_throttled = 1; ++ * dl_defer_armed = 1; + * if (!dl_defer_running) + * dl_defer_armed = 1; + * dl_throttled = 1; +-- +2.51.0 + diff --git a/queue-6.18/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch b/queue-6.18/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch new file mode 100644 index 0000000000..37fcf62086 --- /dev/null +++ b/queue-6.18/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch @@ -0,0 +1,56 @@ +From f87bc23a3c03705a3dceade9fbe25ccd0288abc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 19:45:15 +0800 +Subject: scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() + +From: Kery Qi + +[ Upstream commit b2d6b1d443009ed4da2d69f5423ab38e5780505a ] + +The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of +"tpg->tport_tpgt" is u16. This causes a type truncation issue. + +When a user creates a TPG via configfs mkdir, for example: + + mkdir /sys/kernel/config/target/sbp//tpgt_70000 + +The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less +than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt, +the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the +value the user specified to differ from what is actually stored, leading to +confusion and potential unexpected behavior. + +Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which +will properly reject values outside the u16 range. + +Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/sbp/sbp_target.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c +index 3b89b5a70331f..ad03bf7929f8b 100644 +--- a/drivers/target/sbp/sbp_target.c ++++ b/drivers/target/sbp/sbp_target.c +@@ -1961,12 +1961,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn, + container_of(wwn, struct sbp_tport, tport_wwn); + + struct sbp_tpg *tpg; +- unsigned long tpgt; ++ u16 tpgt; + int ret; + + if (strstr(name, "tpgt_") != name) + return ERR_PTR(-EINVAL); +- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) ++ if (kstrtou16(name + 5, 10, &tpgt)) + return ERR_PTR(-EINVAL); + + if (tport->tpg) { +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index f7c3bc0cf3..309e51ccfd 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -35,3 +35,24 @@ net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch wifi-mac80211-parse-all-ttlm-entries.patch wifi-mac80211-apply-advertised-ttlm-from-association.patch wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch +scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch +asoc-soc-acpi-intel-ptl-match-fix-name_prefix-of-rt1.patch +drm-xe-skip-address-copy-for-sync-only-execs.patch +asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch +gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch +gpio-virtuser-fix-uaf-in-configfs-release-path.patch +drm-amd-pm-fix-race-in-power-state-check-before-mute.patch +gpio-brcmstb-correct-hwirq-to-bank-map.patch +kbuild-rpm-pkg-generate-debuginfo-package-manually.patch +kbuild-fix-permissions-of-modules.builtin.modinfo.patch +of-reserved_mem-simplify-the-logic-of-fdt_scan_reser.patch +of-reserved_mem-allow-reserved_mem-framework-detect-.patch +bcache-fix-improper-use-of-bi_end_io.patch +bcache-use-bio-cloning-for-detached-device-requests.patch +bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch +dma-pool-distinguish-between-missing-and-exhausted-a.patch +drm-xe-configfs-fix-is_bound-pci_dev-lifetime.patch +drm-xe-nvm-manage-nvm-aux-cleanup-with-devres.patch +drm-xe-nvm-fix-double-free-on-aux-add-failure.patch +sched-deadline-document-dl_server.patch +sched-deadline-fix-stuck-dl_server.patch diff --git a/queue-6.6/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch b/queue-6.6/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch new file mode 100644 index 0000000000..fe2bb21cdf --- /dev/null +++ b/queue-6.6/asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch @@ -0,0 +1,43 @@ +From e035ec94bb0d12f1379188b4683cbcc2bcdf081c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 18:24:35 +0300 +Subject: ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion + +From: Tagir Garaev + +[ Upstream commit 213c4e51267fd825cd21a08a055450cac7e0b7fb ] + +The headphone GPIO should be set to the inverse of speaker_en. +When speakers are enabled, headphones should be disabled and vice versa. + +Currently both GPIOs are set to the same value (speaker_en), causing +audio to play through both speakers and headphones simultaneously +when headphones are plugged in. + +Tested on Huawei Matebook (BOD-WXX9) with ES8336 codec. + +Fixes: 6e1ff1459e00 ("ASoC: Intel: sof_es8336: support a separate gpio to control headphone") +Signed-off-by: Tagir Garaev +Link: https://patch.msgid.link/20260121152435.101698-1-tgaraev653@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_es8336.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/sof_es8336.c b/sound/soc/intel/boards/sof_es8336.c +index 9904a9e33cccb..c9d9381c76796 100644 +--- a/sound/soc/intel/boards/sof_es8336.c ++++ b/sound/soc/intel/boards/sof_es8336.c +@@ -120,7 +120,7 @@ static void pcm_pop_work_events(struct work_struct *work) + gpiod_set_value_cansleep(priv->gpio_speakers, priv->speaker_en); + + if (quirk & SOF_ES8336_HEADPHONE_GPIO) +- gpiod_set_value_cansleep(priv->gpio_headphone, priv->speaker_en); ++ gpiod_set_value_cansleep(priv->gpio_headphone, !priv->speaker_en); + + } + +-- +2.51.0 + diff --git a/queue-6.6/dma-pool-distinguish-between-missing-and-exhausted-a.patch b/queue-6.6/dma-pool-distinguish-between-missing-and-exhausted-a.patch new file mode 100644 index 0000000000..3cd902219f --- /dev/null +++ b/queue-6.6/dma-pool-distinguish-between-missing-and-exhausted-a.patch @@ -0,0 +1,68 @@ +From 05844f97ca3f29aa3ab774efacc3c3b801ca245e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 19:05:54 +0530 +Subject: dma/pool: distinguish between missing and exhausted atomic pools + +From: Sai Sree Kartheek Adivi + +[ Upstream commit 56c430c7f06d838fe3b2077dbbc4cc0bf992312b ] + +Currently, dma_alloc_from_pool() unconditionally warns and dumps a stack +trace when an allocation fails, with the message "Failed to get suitable +pool". + +This conflates two distinct failure modes: +1. Configuration error: No atomic pool is available for the requested + DMA mask (a fundamental system setup issue) +2. Resource Exhaustion: A suitable pool exists but is currently full (a + recoverable runtime state) + +This lack of distinction prevents drivers from using __GFP_NOWARN to +suppress error messages during temporary pressure spikes, such as when +awaiting synchronous reclaim of descriptors. + +Refactor the error handling to distinguish these cases: +- If no suitable pool is found, keep the unconditional WARN regarding + the missing pool. +- If a pool was found but is exhausted, respect __GFP_NOWARN and update + the warning message to explicitly state "DMA pool exhausted". + +Fixes: 9420139f516d ("dma-pool: fix coherent pool allocations for IOMMU mappings") +Signed-off-by: Sai Sree Kartheek Adivi +Reviewed-by: Robin Murphy +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20260128133554.3056582-1-s-adivi@ti.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index b3b9c7ec5fc54..8a15b5008b20c 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -268,15 +268,20 @@ struct page *dma_alloc_from_pool(struct device *dev, size_t size, + { + struct gen_pool *pool = NULL; + struct page *page; ++ bool pool_found = false; + + while ((pool = dma_guess_pool(pool, gfp))) { ++ pool_found = true; + page = __dma_alloc_from_pool(dev, size, pool, cpu_addr, + phys_addr_ok); + if (page) + return page; + } + +- WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); ++ if (pool_found) ++ WARN(!(gfp & __GFP_NOWARN), "DMA pool exhausted for %s\n", dev_name(dev)); ++ else ++ WARN(1, "Failed to get suitable pool for %s\n", dev_name(dev)); + return NULL; + } + +-- +2.51.0 + diff --git a/queue-6.6/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch b/queue-6.6/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch new file mode 100644 index 0000000000..9f6dd1b68d --- /dev/null +++ b/queue-6.6/gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch @@ -0,0 +1,45 @@ +From a496ab14f032a99408732ee36abc0b7f937946d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 06:59:14 +0300 +Subject: gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler + +From: Denis Sergeev + +[ Upstream commit c0ae43d303e45764918fa8c1dc13d6a5db59c479 ] + +The BIT() macro uses unsigned long, which is 32 bits on 32-bit +architectures. When iterating over GPIO pins with index >= 32, +the expression (*value & BIT(i)) causes undefined behavior due +to shifting by a value >= type width. + +Since 'value' is a pointer to u64, use BIT_ULL() to ensure correct +64-bit mask on all architectures. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 2c4d00cb8fc5 ("gpiolib: acpi: Use BIT() macro to increase readability") +Signed-off-by: Denis Sergeev +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20260126035914.16586-1-denserg.edu@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index 86de8740c0d46..69d4297ae5754 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1228,7 +1228,7 @@ acpi_gpio_adr_space_handler(u32 function, acpi_physical_address address, + mutex_unlock(&achip->conn_lock); + + if (function == ACPI_WRITE) +- gpiod_set_raw_value_cansleep(desc, !!(*value & BIT(i))); ++ gpiod_set_raw_value_cansleep(desc, !!(*value & BIT_ULL(i))); + else + *value |= (u64)gpiod_get_raw_value_cansleep(desc) << i; + } +-- +2.51.0 + diff --git a/queue-6.6/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch b/queue-6.6/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch new file mode 100644 index 0000000000..15205f3e0a --- /dev/null +++ b/queue-6.6/scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch @@ -0,0 +1,56 @@ +From b2afbc2feb9b44c782c3f14771e3418b750b8870 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 19:45:15 +0800 +Subject: scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() + +From: Kery Qi + +[ Upstream commit b2d6b1d443009ed4da2d69f5423ab38e5780505a ] + +The code in sbp_make_tpg() limits "tpgt" to UINT_MAX but the data type of +"tpg->tport_tpgt" is u16. This causes a type truncation issue. + +When a user creates a TPG via configfs mkdir, for example: + + mkdir /sys/kernel/config/target/sbp//tpgt_70000 + +The value 70000 passes the "tpgt > UINT_MAX" check since 70000 is far less +than 4294967295. However, when assigned to the u16 field tpg->tport_tpgt, +the value is silently truncated to 4464 (70000 & 0xFFFF). This causes the +value the user specified to differ from what is actually stored, leading to +confusion and potential unexpected behavior. + +Fix this by changing the type of "tpgt" to u16 and using kstrtou16() which +will properly reject values outside the u16 range. + +Fixes: a511ce339780 ("sbp-target: Initial merge of firewire/ieee-1394 target mode support") +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260121114515.1829-2-qikeyu2017@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/sbp/sbp_target.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c +index 2a761bc091938..ac20c3cd71061 100644 +--- a/drivers/target/sbp/sbp_target.c ++++ b/drivers/target/sbp/sbp_target.c +@@ -1961,12 +1961,12 @@ static struct se_portal_group *sbp_make_tpg(struct se_wwn *wwn, + container_of(wwn, struct sbp_tport, tport_wwn); + + struct sbp_tpg *tpg; +- unsigned long tpgt; ++ u16 tpgt; + int ret; + + if (strstr(name, "tpgt_") != name) + return ERR_PTR(-EINVAL); +- if (kstrtoul(name + 5, 10, &tpgt) || tpgt > UINT_MAX) ++ if (kstrtou16(name + 5, 10, &tpgt)) + return ERR_PTR(-EINVAL); + + if (tport->tpg) { +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index b2f6f6ea3f..b849f50873 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -16,3 +16,7 @@ net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch net-bridge-fix-static-key-check.patch net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch +scsi-firewire-sbp-target-fix-overflow-in-sbp_make_tp.patch +asoc-intel-sof_es8336-fix-headphone-gpio-logic-inver.patch +gpiolib-acpi-use-bit_ull-for-u64-mask-in-address-spa.patch +dma-pool-distinguish-between-missing-and-exhausted-a.patch