From: Greg Kroah-Hartman Date: Tue, 17 Mar 2026 12:11:32 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.18.19~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d164d935b4b4577056090046b083fdd5337ae1d4;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch ice-fix-retry-for-aq-command-0x06ee.patch ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch net-mana-ring-doorbell-at-4-cq-wraparounds.patch net-ncsi-fix-skb-leak-in-error-paths.patch nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch parisc-check-kernel-mapping-earlier-at-bootup.patch parisc-fix-initial-page-table-creation-for-boot.patch parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch smb-server-fix-use-after-free-in-smb2_open.patch tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch --- diff --git a/queue-6.6/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch b/queue-6.6/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch new file mode 100644 index 0000000000..a85a033e88 --- /dev/null +++ b/queue-6.6/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch @@ -0,0 +1,63 @@ +From c25c4aa3f79a488cc270507935a29c07dc6bddfc Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Fri, 27 Feb 2026 18:53:06 +0000 +Subject: arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation + +From: Catalin Marinas + +commit c25c4aa3f79a488cc270507935a29c07dc6bddfc upstream. + +Commit 143937ca51cc ("arm64, mm: avoid always making PTE dirty in +pte_mkwrite()") changed pte_mkwrite_novma() to only clear PTE_RDONLY +when PTE_DIRTY is set. This was to allow writable-clean PTEs for swap +pages that haven't actually been written. + +However, this broke kexec and hibernation for some platforms. Both go +through trans_pgd_create_copy() -> _copy_pte(), which calls +pte_mkwrite_novma() to make the temporary linear-map copy fully +writable. With the updated pte_mkwrite_novma(), read-only kernel pages +(without PTE_DIRTY) remain read-only in the temporary mapping. +While such behaviour is fine for user pages where hardware DBM or +trapping will make them writeable, subsequent in-kernel writes by the +kexec relocation code will fault. + +Add PTE_DIRTY back to all _PAGE_KERNEL* protection definitions. This was +the case prior to 5.4, commit aa57157be69f ("arm64: Ensure +VM_WRITE|VM_SHARED ptes are clean by default"). With the kernel +linear-map PTEs always having PTE_DIRTY set, pte_mkwrite_novma() +correctly clears PTE_RDONLY. + +Fixes: 143937ca51cc ("arm64, mm: avoid always making PTE dirty in pte_mkwrite()") +Signed-off-by: Catalin Marinas +Cc: stable@vger.kernel.org +Reported-by: Jianpeng Chang +Link: https://lore.kernel.org/r/20251204062722.3367201-1-jianpeng.chang.cn@windriver.com +Cc: Will Deacon +Cc: Huang, Ying +Cc: Guenter Roeck +Reviewed-by: Huang Ying +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/pgtable-prot.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -45,11 +45,11 @@ + + #define _PAGE_DEFAULT (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL)) + +-#define _PAGE_KERNEL (PROT_NORMAL) +-#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY) +-#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY) +-#define _PAGE_KERNEL_EXEC (PROT_NORMAL & ~PTE_PXN) +-#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT) ++#define _PAGE_KERNEL (PROT_NORMAL | PTE_DIRTY) ++#define _PAGE_KERNEL_RO ((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY | PTE_DIRTY) ++#define _PAGE_KERNEL_ROX ((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY | PTE_DIRTY) ++#define _PAGE_KERNEL_EXEC ((PROT_NORMAL & ~PTE_PXN) | PTE_DIRTY) ++#define _PAGE_KERNEL_EXEC_CONT ((PROT_NORMAL & ~PTE_PXN) | PTE_CONT | PTE_DIRTY) + + #define _PAGE_SHARED (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN | PTE_WRITE) + #define _PAGE_SHARED_EXEC (_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE) diff --git a/queue-6.6/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch b/queue-6.6/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch new file mode 100644 index 0000000000..820d5e7b6b --- /dev/null +++ b/queue-6.6/batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch @@ -0,0 +1,106 @@ +From cfc83a3c71517b59c1047db57da31e26a9dc2f33 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 16 Feb 2026 11:20:29 +0100 +Subject: batman-adv: Avoid double-rtnl_lock ELP metric worker +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sven Eckelmann + +commit cfc83a3c71517b59c1047db57da31e26a9dc2f33 upstream. + +batadv_v_elp_get_throughput() might be called when the RTNL lock is already +held. This could be problematic when the work queue item is cancelled via +cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, +an rtnl_lock() would cause a deadlock. + +To avoid this, rtnl_trylock() was used in this function to skip the +retrieval of the ethtool information in case the RTNL lock was already +held. + +But for cfg80211 interfaces, batadv_get_real_netdev() was called - which +also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must +also be used instead and the lockless version __batadv_get_real_netdev() +has to be called. + +Cc: stable@vger.kernel.org +Fixes: 8c8ecc98f5c6 ("batman-adv: Drop unmanaged ELP metric worker") +Reported-by: Christian Schmidbauer +Signed-off-by: Sven Eckelmann +Tested-by: Sören Skaarup +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 10 +++++++++- + net/batman-adv/hard-interface.c | 8 ++++---- + net/batman-adv/hard-interface.h | 1 + + 3 files changed, 14 insertions(+), 5 deletions(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -112,7 +112,15 @@ static bool batadv_v_elp_get_throughput( + /* unsupported WiFi driver version */ + goto default_throughput; + +- real_netdev = batadv_get_real_netdev(hard_iface->net_dev); ++ /* only use rtnl_trylock because the elp worker will be cancelled while ++ * the rntl_lock is held. the cancel_delayed_work_sync() would otherwise ++ * wait forever when the elp work_item was started and it is then also ++ * trying to rtnl_lock ++ */ ++ if (!rtnl_trylock()) ++ return false; ++ real_netdev = __batadv_get_real_netdev(hard_iface->net_dev); ++ rtnl_unlock(); + if (!real_netdev) + goto default_throughput; + +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -203,7 +203,7 @@ static bool batadv_is_valid_iface(const + } + + /** +- * batadv_get_real_netdevice() - check if the given netdev struct is a virtual ++ * __batadv_get_real_netdev() - check if the given netdev struct is a virtual + * interface on top of another 'real' interface + * @netdev: the device to check + * +@@ -213,7 +213,7 @@ static bool batadv_is_valid_iface(const + * Return: the 'real' net device or the original net device and NULL in case + * of an error. + */ +-static struct net_device *batadv_get_real_netdevice(struct net_device *netdev) ++struct net_device *__batadv_get_real_netdev(struct net_device *netdev) + { + struct batadv_hard_iface *hard_iface = NULL; + struct net_device *real_netdev = NULL; +@@ -266,7 +266,7 @@ struct net_device *batadv_get_real_netde + struct net_device *real_netdev; + + rtnl_lock(); +- real_netdev = batadv_get_real_netdevice(net_device); ++ real_netdev = __batadv_get_real_netdev(net_device); + rtnl_unlock(); + + return real_netdev; +@@ -335,7 +335,7 @@ static u32 batadv_wifi_flags_evaluate(st + if (batadv_is_cfg80211_netdev(net_device)) + wifi_flags |= BATADV_HARDIF_WIFI_CFG80211_DIRECT; + +- real_netdev = batadv_get_real_netdevice(net_device); ++ real_netdev = __batadv_get_real_netdev(net_device); + if (!real_netdev) + return wifi_flags; + +--- a/net/batman-adv/hard-interface.h ++++ b/net/batman-adv/hard-interface.h +@@ -68,6 +68,7 @@ enum batadv_hard_if_bcast { + + extern struct notifier_block batadv_hard_if_notifier; + ++struct net_device *__batadv_get_real_netdev(struct net_device *net_device); + struct net_device *batadv_get_real_netdev(struct net_device *net_device); + bool batadv_is_cfg80211_hardif(struct batadv_hard_iface *hard_iface); + bool batadv_is_wifi_hardif(struct batadv_hard_iface *hard_iface); diff --git a/queue-6.6/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch b/queue-6.6/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch new file mode 100644 index 0000000000..abca6f72fb --- /dev/null +++ b/queue-6.6/hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch @@ -0,0 +1,86 @@ +From 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Wed, 4 Mar 2026 15:51:17 -0800 +Subject: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read + +From: Sanman Pradhan + +commit 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 upstream. + +The q54sj108a2_debugfs_read function suffers from a stack buffer overflow +due to incorrect arguments passed to bin2hex(). The function currently +passes 'data' as the destination and 'data_char' as the source. + +Because bin2hex() converts each input byte into two hex characters, a +32-byte block read results in 64 bytes of output. Since 'data' is only +34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end +of the buffer onto the stack. + +Additionally, the arguments were swapped: it was reading from the +zero-initialized 'data_char' and writing to 'data', resulting in +all-zero output regardless of the actual I2C read. + +Fix this by: +1. Expanding 'data_char' to 66 bytes to safely hold the hex output. +2. Correcting the bin2hex() argument order and using the actual read count. +3. Using a pointer to select the correct output buffer for the final + simple_read_from_buffer call. + +Fixes: d014538aa385 ("hwmon: (pmbus) Driver for Delta power supplies Q54SJ108A2") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260304235116.1045-1-sanman.p211993@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/q54sj108a2.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/hwmon/pmbus/q54sj108a2.c ++++ b/drivers/hwmon/pmbus/q54sj108a2.c +@@ -78,7 +78,8 @@ static ssize_t q54sj108a2_debugfs_read(s + int idx = *idxp; + struct q54sj108a2_data *psu = to_psu(idxp, idx); + char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 }; +- char data_char[I2C_SMBUS_BLOCK_MAX + 2] = { 0 }; ++ char data_char[I2C_SMBUS_BLOCK_MAX * 2 + 2] = { 0 }; ++ char *out = data; + char *res; + + switch (idx) { +@@ -149,27 +150,27 @@ static ssize_t q54sj108a2_debugfs_read(s + if (rc < 0) + return rc; + +- res = bin2hex(data, data_char, 32); +- rc = res - data; +- ++ res = bin2hex(data_char, data, rc); ++ rc = res - data_char; ++ out = data_char; + break; + case Q54SJ108A2_DEBUGFS_FLASH_KEY: + rc = i2c_smbus_read_block_data(psu->client, PMBUS_FLASH_KEY_WRITE, data); + if (rc < 0) + return rc; + +- res = bin2hex(data, data_char, 4); +- rc = res - data; +- ++ res = bin2hex(data_char, data, rc); ++ rc = res - data_char; ++ out = data_char; + break; + default: + return -EINVAL; + } + +- data[rc] = '\n'; ++ out[rc] = '\n'; + rc += 2; + +- return simple_read_from_buffer(buf, count, ppos, data, rc); ++ return simple_read_from_buffer(buf, count, ppos, out, rc); + } + + static ssize_t q54sj108a2_debugfs_write(struct file *file, const char __user *buf, diff --git a/queue-6.6/ice-fix-retry-for-aq-command-0x06ee.patch b/queue-6.6/ice-fix-retry-for-aq-command-0x06ee.patch new file mode 100644 index 0000000000..5f0671f4f8 --- /dev/null +++ b/queue-6.6/ice-fix-retry-for-aq-command-0x06ee.patch @@ -0,0 +1,103 @@ +From fb4903b3354aed4a2301180cf991226f896c87ed Mon Sep 17 00:00:00 2001 +From: Jakub Staniszewski +Date: Tue, 13 Jan 2026 20:38:17 +0100 +Subject: ice: fix retry for AQ command 0x06EE + +From: Jakub Staniszewski + +commit fb4903b3354aed4a2301180cf991226f896c87ed upstream. + +Executing ethtool -m can fail reporting a netlink I/O error while firmware +link management holds the i2c bus used to communicate with the module. + +According to Intel(R) Ethernet Controller E810 Datasheet Rev 2.8 [1] +Section 3.3.10.4 Read/Write SFF EEPROM (0x06EE) +request should to be retried upon receiving EBUSY from firmware. + +Commit e9c9692c8a81 ("ice: Reimplement module reads used by ethtool") +implemented it only for part of ice_get_module_eeprom(), leaving all other +calls to ice_aq_sff_eeprom() vulnerable to returning early on getting +EBUSY without retrying. + +Remove the retry loop from ice_get_module_eeprom() and add Admin Queue +(AQ) command with opcode 0x06EE to the list of commands that should be +retried on receiving EBUSY from firmware. + +Cc: stable@vger.kernel.org +Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool") +Signed-off-by: Jakub Staniszewski +Co-developed-by: Dawid Osuchowski +Signed-off-by: Dawid Osuchowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Link: https://www.intel.com/content/www/us/en/content-details/613875/intel-ethernet-controller-e810-datasheet.html [1] +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_common.c | 1 + drivers/net/ethernet/intel/ice/ice_ethtool.c | 35 ++++++++++----------------- + 2 files changed, 15 insertions(+), 21 deletions(-) + +--- a/drivers/net/ethernet/intel/ice/ice_common.c ++++ b/drivers/net/ethernet/intel/ice/ice_common.c +@@ -1611,6 +1611,7 @@ static bool ice_should_retry_sq_send_cmd + case ice_aqc_opc_lldp_stop: + case ice_aqc_opc_lldp_start: + case ice_aqc_opc_lldp_filter_ctrl: ++ case ice_aqc_opc_sff_eeprom: + return true; + } + +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -4045,7 +4045,7 @@ ice_get_module_eeprom(struct net_device + struct ice_pf *pf = vsi->back; + struct ice_hw *hw = &pf->hw; + bool is_sfp = false; +- unsigned int i, j; ++ unsigned int i; + u16 offset = 0; + u8 page = 0; + int status; +@@ -4087,26 +4087,19 @@ ice_get_module_eeprom(struct net_device + if (page == 0 || !(data[0x2] & 0x4)) { + u32 copy_len; + +- /* If i2c bus is busy due to slow page change or +- * link management access, call can fail. This is normal. +- * So we retry this a few times. +- */ +- for (j = 0; j < 4; j++) { +- status = ice_aq_sff_eeprom(hw, 0, addr, offset, page, +- !is_sfp, value, +- SFF_READ_BLOCK_SIZE, +- 0, NULL); +- netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%X)\n", +- addr, offset, page, is_sfp, +- value[0], value[1], value[2], value[3], +- value[4], value[5], value[6], value[7], +- status); +- if (status) { +- usleep_range(1500, 2500); +- memset(value, 0, SFF_READ_BLOCK_SIZE); +- continue; +- } +- break; ++ status = ice_aq_sff_eeprom(hw, 0, addr, offset, page, ++ !is_sfp, value, ++ SFF_READ_BLOCK_SIZE, ++ 0, NULL); ++ netdev_dbg(netdev, "SFF %02X %02X %02X %X = %02X%02X%02X%02X.%02X%02X%02X%02X (%pe)\n", ++ addr, offset, page, is_sfp, ++ value[0], value[1], value[2], value[3], ++ value[4], value[5], value[6], value[7], ++ ERR_PTR(status)); ++ if (status) { ++ netdev_err(netdev, "%s: error reading module EEPROM: status %pe\n", ++ __func__, ERR_PTR(status)); ++ return status; + } + + /* Make sure we have enough room for the new block */ diff --git a/queue-6.6/ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch b/queue-6.6/ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch new file mode 100644 index 0000000000..ebcd97c288 --- /dev/null +++ b/queue-6.6/ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch @@ -0,0 +1,114 @@ +From 1dfd062caa165ec9d7ee0823087930f3ab8a6294 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 7 Mar 2026 11:32:31 +0900 +Subject: ksmbd: fix use-after-free by using call_rcu() for oplock_info + +From: Namjae Jeon + +commit 1dfd062caa165ec9d7ee0823087930f3ab8a6294 upstream. + +ksmbd currently frees oplock_info immediately using kfree(), even +though it is accessed under RCU read-side critical sections in places +like opinfo_get() and proc_show_files(). + +Since there is no RCU grace period delay between nullifying the pointer +and freeing the memory, a reader can still access oplock_info +structure after it has been freed. This can leads to a use-after-free +especially in opinfo_get() where atomic_inc_not_zero() is called on +already freed memory. + +Fix this by switching to deferred freeing using call_rcu(). + +Fixes: 18b4fac5ef17 ("ksmbd: fix use-after-free in smb_break_all_levII_oplock()") +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/oplock.c | 29 +++++++++++++++++++++-------- + fs/smb/server/oplock.h | 5 +++-- + 2 files changed, 24 insertions(+), 10 deletions(-) + +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -120,7 +120,7 @@ static void free_lease(struct oplock_inf + kfree(lease); + } + +-static void free_opinfo(struct oplock_info *opinfo) ++static void __free_opinfo(struct oplock_info *opinfo) + { + if (opinfo->is_lease) + free_lease(opinfo); +@@ -129,6 +129,18 @@ static void free_opinfo(struct oplock_in + kfree(opinfo); + } + ++static void free_opinfo_rcu(struct rcu_head *rcu) ++{ ++ struct oplock_info *opinfo = container_of(rcu, struct oplock_info, rcu); ++ ++ __free_opinfo(opinfo); ++} ++ ++static void free_opinfo(struct oplock_info *opinfo) ++{ ++ call_rcu(&opinfo->rcu, free_opinfo_rcu); ++} ++ + struct oplock_info *opinfo_get(struct ksmbd_file *fp) + { + struct oplock_info *opinfo; +@@ -176,9 +188,9 @@ void opinfo_put(struct oplock_info *opin + free_opinfo(opinfo); + } + +-static void opinfo_add(struct oplock_info *opinfo) ++static void opinfo_add(struct oplock_info *opinfo, struct ksmbd_file *fp) + { +- struct ksmbd_inode *ci = opinfo->o_fp->f_ci; ++ struct ksmbd_inode *ci = fp->f_ci; + + down_write(&ci->m_lock); + list_add(&opinfo->op_entry, &ci->m_op_list); +@@ -1279,20 +1291,21 @@ set_lev: + set_oplock_level(opinfo, req_op_level, lctx); + + out: +- rcu_assign_pointer(fp->f_opinfo, opinfo); +- opinfo->o_fp = fp; +- + opinfo_count_inc(fp); +- opinfo_add(opinfo); ++ opinfo_add(opinfo, fp); ++ + if (opinfo->is_lease) { + err = add_lease_global_list(opinfo); + if (err) + goto err_out; + } + ++ rcu_assign_pointer(fp->f_opinfo, opinfo); ++ opinfo->o_fp = fp; ++ + return 0; + err_out: +- free_opinfo(opinfo); ++ __free_opinfo(opinfo); + return err; + } + +--- a/fs/smb/server/oplock.h ++++ b/fs/smb/server/oplock.h +@@ -76,8 +76,9 @@ struct oplock_info { + struct lease *o_lease; + struct list_head op_entry; + struct list_head lease_entry; +- wait_queue_head_t oplock_q; /* Other server threads */ +- wait_queue_head_t oplock_brk; /* oplock breaking wait */ ++ wait_queue_head_t oplock_q; /* Other server threads */ ++ wait_queue_head_t oplock_brk; /* oplock breaking wait */ ++ struct rcu_head rcu; + }; + + struct lease_break_info { diff --git a/queue-6.6/ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch b/queue-6.6/ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch new file mode 100644 index 0000000000..a7bffdeee4 --- /dev/null +++ b/queue-6.6/ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch @@ -0,0 +1,41 @@ +From eac3361e3d5dd8067b3258c69615888eb45e9f25 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Mon, 2 Mar 2026 12:55:02 +0900 +Subject: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() + +From: Namjae Jeon + +commit eac3361e3d5dd8067b3258c69615888eb45e9f25 upstream. + +opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being +accessed after rcu_read_unlock() has been called. This creates a +race condition where the memory could be freed by a concurrent +writer between the unlock and the subsequent pointer dereferences +(opinfo->is_lease, etc.), leading to a use-after-free. + +Fixes: 5fb282ba4fef ("ksmbd: fix possible null-deref in smb_lazy_parent_lease_break_close") +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/oplock.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -1123,10 +1123,12 @@ void smb_lazy_parent_lease_break_close(s + + rcu_read_lock(); + opinfo = rcu_dereference(fp->f_opinfo); +- rcu_read_unlock(); + +- if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) ++ if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) { ++ rcu_read_unlock(); + return; ++ } ++ rcu_read_unlock(); + + p_ci = ksmbd_inode_lookup_lock(fp->filp->f_path.dentry->d_parent); + if (!p_ci) diff --git a/queue-6.6/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch b/queue-6.6/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch new file mode 100644 index 0000000000..bcef47e83d --- /dev/null +++ b/queue-6.6/media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch @@ -0,0 +1,41 @@ +From 24d87712727a5017ad142d63940589a36cd25647 Mon Sep 17 00:00:00 2001 +From: Ariel Silver +Date: Sat, 21 Feb 2026 15:26:00 +0100 +Subject: media: dvb-net: fix OOB access in ULE extension header tables + +From: Ariel Silver + +commit 24d87712727a5017ad142d63940589a36cd25647 upstream. + +The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables +in handle_one_ule_extension() are declared with 255 elements (valid +indices 0-254), but the index htype is derived from network-controlled +data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When +htype equals 255, an out-of-bounds read occurs on the function pointer +table, and the OOB value may be called as a function pointer. + +Add a bounds check on htype against the array size before either table +is accessed. Out-of-range values now cause the SNDU to be discarded. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Ariel Silver +Signed-off-by: Ariel Silver +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvb_net.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -228,6 +228,9 @@ static int handle_one_ule_extension( str + unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8; + unsigned char htype = p->ule_sndu_type & 0x00FF; + ++ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers)) ++ return -1; ++ + /* Discriminate mandatory and optional extension headers. */ + if (hlen == 0) { + /* Mandatory extension header */ diff --git a/queue-6.6/net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch b/queue-6.6/net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch new file mode 100644 index 0000000000..2014785b7e --- /dev/null +++ b/queue-6.6/net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch @@ -0,0 +1,56 @@ +From 99c8c16a4aad0b37293cae213e15957c573cf79b Mon Sep 17 00:00:00 2001 +From: "Bastien Curutchet (Schneider Electric)" +Date: Mon, 9 Mar 2026 14:15:43 +0100 +Subject: net: dsa: microchip: Fix error path in PTP IRQ setup + +From: Bastien Curutchet (Schneider Electric) + +commit 99c8c16a4aad0b37293cae213e15957c573cf79b upstream. + +If request_threaded_irq() fails during the PTP message IRQ setup, the +newly created IRQ mapping is never disposed. Indeed, the +ksz_ptp_irq_setup()'s error path only frees the mappings that were +successfully set up. + +Dispose the newly created mapping if the associated +request_threaded_irq() fails at setup. + +Cc: stable@vger.kernel.org +Fixes: d0b8fec8ae505 ("net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}()") +Signed-off-by: Bastien Curutchet (Schneider Electric) +Reviewed-by: Simon Horman +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20260309-ksz-ptp-irq-fix-v1-1-757b3b985955@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_ptp.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_ptp.c ++++ b/drivers/net/dsa/microchip/ksz_ptp.c +@@ -1101,6 +1101,7 @@ static int ksz_ptp_msg_irq_setup(struct + const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops; + struct ksz_irq *ptpirq = &port->ptpirq; + struct ksz_ptp_irq *ptpmsg_irq; ++ int ret; + + ptpmsg_irq = &port->ptpmsg_irq[n]; + ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n); +@@ -1112,9 +1113,13 @@ static int ksz_ptp_msg_irq_setup(struct + + snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]); + +- return request_threaded_irq(ptpmsg_irq->num, NULL, +- ksz_ptp_msg_thread_fn, IRQF_ONESHOT, +- ptpmsg_irq->name, ptpmsg_irq); ++ ret = request_threaded_irq(ptpmsg_irq->num, NULL, ++ ksz_ptp_msg_thread_fn, IRQF_ONESHOT, ++ ptpmsg_irq->name, ptpmsg_irq); ++ if (ret) ++ irq_dispose_mapping(ptpmsg_irq->num); ++ ++ return ret; + } + + int ksz_ptp_irq_setup(struct dsa_switch *ds, u8 p) diff --git a/queue-6.6/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch b/queue-6.6/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch new file mode 100644 index 0000000000..2db2ef3f4e --- /dev/null +++ b/queue-6.6/net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch @@ -0,0 +1,53 @@ +From 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c Mon Sep 17 00:00:00 2001 +From: Fan Wu +Date: Mon, 9 Mar 2026 13:24:09 +0000 +Subject: net: ethernet: arc: emac: quiesce interrupts before requesting IRQ + +From: Fan Wu + +commit 2503d08f8a2de618e5c3a8183b250ff4a2e2d52c upstream. + +Normal RX/TX interrupts are enabled later, in arc_emac_open(), so probe +should not see interrupt delivery in the usual case. However, hardware may +still present stale or latched interrupt status left by firmware or the +bootloader. + +If probe later unwinds after devm_request_irq() has installed the handler, +such a stale interrupt can still reach arc_emac_intr() during teardown and +race with release of the associated net_device. + +Avoid that window by putting the device into a known quiescent state before +requesting the IRQ: disable all EMAC interrupt sources and clear any +pending EMAC interrupt status bits. This keeps the change hardware-focused +and minimal, while preventing spurious IRQ delivery from leftover state. + +Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver") +Cc: stable@vger.kernel.org +Signed-off-by: Fan Wu +Link: https://patch.msgid.link/20260309132409.584966-1-fanwu01@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/arc/emac_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/ethernet/arc/emac_main.c ++++ b/drivers/net/ethernet/arc/emac_main.c +@@ -934,6 +934,17 @@ int arc_emac_probe(struct net_device *nd + /* Set poll rate so that it polls every 1 ms */ + arc_reg_set(priv, R_POLLRATE, clock_frequency / 1000000); + ++ /* ++ * Put the device into a known quiescent state before requesting ++ * the IRQ. Clear only EMAC interrupt status bits here; leave the ++ * MDIO completion bit alone and avoid writing TXPL_MASK, which is ++ * used to force TX polling rather than acknowledge interrupts. ++ */ ++ arc_reg_set(priv, R_ENABLE, 0); ++ arc_reg_set(priv, R_STATUS, RXINT_MASK | TXINT_MASK | ERR_MASK | ++ TXCH_MASK | MSER_MASK | RXCR_MASK | ++ RXFR_MASK | RXFL_MASK); ++ + ndev->irq = irq; + dev_info(dev, "IRQ is %d\n", ndev->irq); + diff --git a/queue-6.6/net-mana-ring-doorbell-at-4-cq-wraparounds.patch b/queue-6.6/net-mana-ring-doorbell-at-4-cq-wraparounds.patch new file mode 100644 index 0000000000..a72a4e5dfb --- /dev/null +++ b/queue-6.6/net-mana-ring-doorbell-at-4-cq-wraparounds.patch @@ -0,0 +1,88 @@ +From dabffd08545ffa1d7183bc45e387860984025291 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Thu, 26 Feb 2026 11:28:33 -0800 +Subject: net: mana: Ring doorbell at 4 CQ wraparounds + +From: Long Li + +commit dabffd08545ffa1d7183bc45e387860984025291 upstream. + +MANA hardware requires at least one doorbell ring every 8 wraparounds +of the CQ. The driver rings the doorbell as a form of flow control to +inform hardware that CQEs have been consumed. + +The NAPI poll functions mana_poll_tx_cq() and mana_poll_rx_cq() can +poll up to CQE_POLLING_BUFFER (512) completions per call. If the CQ +has fewer than 512 entries, a single poll call can process more than +4 wraparounds without ringing the doorbell. The doorbell threshold +check also uses ">" instead of ">=", delaying the ring by one extra +CQE beyond 4 wraparounds. Combined, these issues can cause the driver +to exceed the 8-wraparound hardware limit, leading to missed +completions and stalled queues. + +Fix this by capping the number of CQEs polled per call to 4 wraparounds +of the CQ in both TX and RX paths. Also change the doorbell threshold +from ">" to ">=" so the doorbell is rung as soon as 4 wraparounds are +reached. + +Cc: stable@vger.kernel.org +Fixes: 58a63729c957 ("net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings") +Signed-off-by: Long Li +Reviewed-by: Haiyang Zhang +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260226192833.1050807-1-longli@microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -1368,8 +1368,14 @@ static void mana_poll_tx_cq(struct mana_ + ndev = txq->ndev; + apc = netdev_priv(ndev); + ++ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the ++ * doorbell can be rung in time for the hardware's requirement ++ * of at least one doorbell ring every 8 wraparounds. ++ */ + comp_read = mana_gd_poll_cq(cq->gdma_cq, completions, +- CQE_POLLING_BUFFER); ++ min((cq->gdma_cq->queue_size / ++ COMP_ENTRY_SIZE) * 4, ++ CQE_POLLING_BUFFER)); + + if (comp_read < 1) + return; +@@ -1749,7 +1755,14 @@ static void mana_poll_rx_cq(struct mana_ + struct mana_rxq *rxq = cq->rxq; + int comp_read, i; + +- comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, CQE_POLLING_BUFFER); ++ /* Limit CQEs polled to 4 wraparounds of the CQ to ensure the ++ * doorbell can be rung in time for the hardware's requirement ++ * of at least one doorbell ring every 8 wraparounds. ++ */ ++ comp_read = mana_gd_poll_cq(cq->gdma_cq, comp, ++ min((cq->gdma_cq->queue_size / ++ COMP_ENTRY_SIZE) * 4, ++ CQE_POLLING_BUFFER)); + WARN_ON_ONCE(comp_read > CQE_POLLING_BUFFER); + + rxq->xdp_flush = false; +@@ -1794,11 +1807,11 @@ static int mana_cq_handler(void *context + mana_gd_ring_cq(gdma_queue, SET_ARM_BIT); + cq->work_done_since_doorbell = 0; + napi_complete_done(&cq->napi, w); +- } else if (cq->work_done_since_doorbell > +- cq->gdma_cq->queue_size / COMP_ENTRY_SIZE * 4) { ++ } else if (cq->work_done_since_doorbell >= ++ (cq->gdma_cq->queue_size / COMP_ENTRY_SIZE) * 4) { + /* MANA hardware requires at least one doorbell ring every 8 + * wraparounds of CQ even if there is no need to arm the CQ. +- * This driver rings the doorbell as soon as we have exceeded ++ * This driver rings the doorbell as soon as it has processed + * 4 wraparounds. + */ + mana_gd_ring_cq(gdma_queue, 0); diff --git a/queue-6.6/net-ncsi-fix-skb-leak-in-error-paths.patch b/queue-6.6/net-ncsi-fix-skb-leak-in-error-paths.patch new file mode 100644 index 0000000000..af37831cd9 --- /dev/null +++ b/queue-6.6/net-ncsi-fix-skb-leak-in-error-paths.patch @@ -0,0 +1,85 @@ +From 5c3398a54266541610c8d0a7082e654e9ff3e259 Mon Sep 17 00:00:00 2001 +From: Jian Zhang +Date: Thu, 5 Mar 2026 14:06:55 +0800 +Subject: net: ncsi: fix skb leak in error paths + +From: Jian Zhang + +commit 5c3398a54266541610c8d0a7082e654e9ff3e259 upstream. + +Early return paths in NCSI RX and AEN handlers fail to release +the received skb, resulting in a memory leak. + +Specifically, ncsi_aen_handler() returns on invalid AEN packets +without consuming the skb. Similarly, ncsi_rcv_rsp() exits early +when failing to resolve the NCSI device, response handler, or +request, leaving the skb unfreed. + +CC: stable@vger.kernel.org +Fixes: 7a82ecf4cfb8 ("net/ncsi: NCSI AEN packet handler") +Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler") +Signed-off-by: Jian Zhang +Link: https://patch.msgid.link/20260305060656.3357250-1-zhangjian.3032@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/ncsi-aen.c | 3 ++- + net/ncsi/ncsi-rsp.c | 16 ++++++++++++---- + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/net/ncsi/ncsi-aen.c ++++ b/net/ncsi/ncsi-aen.c +@@ -224,7 +224,8 @@ int ncsi_aen_handler(struct ncsi_dev_pri + if (!nah) { + netdev_warn(ndp->ndev.dev, "Invalid AEN (0x%x) received\n", + h->type); +- return -ENOENT; ++ ret = -ENOENT; ++ goto out; + } + + ret = ncsi_validate_aen_pkt(h, nah->payload); +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -1176,8 +1176,10 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + /* Find the NCSI device */ + nd = ncsi_find_dev(orig_dev); + ndp = nd ? TO_NCSI_DEV_PRIV(nd) : NULL; +- if (!ndp) +- return -ENODEV; ++ if (!ndp) { ++ ret = -ENODEV; ++ goto err_free_skb; ++ } + + /* Check if it is AEN packet */ + hdr = (struct ncsi_pkt_hdr *)skb_network_header(skb); +@@ -1199,7 +1201,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + if (!nrh) { + netdev_err(nd->dev, "Received unrecognized packet (0x%x)\n", + hdr->type); +- return -ENOENT; ++ ret = -ENOENT; ++ goto err_free_skb; + } + + /* Associate with the request */ +@@ -1207,7 +1210,8 @@ int ncsi_rcv_rsp(struct sk_buff *skb, st + nr = &ndp->requests[hdr->id]; + if (!nr->used) { + spin_unlock_irqrestore(&ndp->lock, flags); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_free_skb; + } + + nr->rsp = skb; +@@ -1261,4 +1265,8 @@ out_netlink: + out: + ncsi_free_request(nr); + return ret; ++ ++err_free_skb: ++ kfree_skb(skb); ++ return ret; + } diff --git a/queue-6.6/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch b/queue-6.6/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch new file mode 100644 index 0000000000..af787db426 --- /dev/null +++ b/queue-6.6/nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch @@ -0,0 +1,45 @@ +From 8f3c6f08ababad2e3bdd239728cf66a9949446b4 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 24 Feb 2026 13:17:50 +1000 +Subject: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep + +From: Dave Airlie + +commit 8f3c6f08ababad2e3bdd239728cf66a9949446b4 upstream. + +If we have runtime suspended, and userspace wants to use /dev/drm_dp_* +then just tell it the device is busy instead of crashing in the GSP +code. + +WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] +CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) +Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024 +RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] + +This is a simple fix to get backported. We should probably engineer a +proper power domain solution to wake up devices and keep them awake +while fw updates are happening. + +Cc: stable@vger.kernel.org +Fixes: 8894f4919bc4 ("drm/nouveau: register a drm_dp_aux channel for each dp connector") +Reviewed-by: Lyude Paul +Signed-off-by: Dave Airlie +Link: https://patch.msgid.link/20260224031750.791621-1-airlied@gmail.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c +@@ -1212,6 +1212,9 @@ nouveau_connector_aux_xfer(struct drm_dp + u8 size = msg->size; + int ret; + ++ if (pm_runtime_suspended(nv_connector->base.dev->dev)) ++ return -EBUSY; ++ + nv_encoder = find_encoder(&nv_connector->base, DCB_OUTPUT_DP); + if (!nv_encoder || !(aux = nv_encoder->aux)) + return -ENODEV; diff --git a/queue-6.6/parisc-check-kernel-mapping-earlier-at-bootup.patch b/queue-6.6/parisc-check-kernel-mapping-earlier-at-bootup.patch new file mode 100644 index 0000000000..6daf8b51dd --- /dev/null +++ b/queue-6.6/parisc-check-kernel-mapping-earlier-at-bootup.patch @@ -0,0 +1,60 @@ +From 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 3 Mar 2026 23:36:11 +0100 +Subject: parisc: Check kernel mapping earlier at bootup + +From: Helge Deller + +commit 17c144f1104bfc29a3ce3f7d0931a1bfb7a3558c upstream. + +The check if the initial mapping is sufficient needs to happen much +earlier during bootup. Move this test directly to the start_parisc() +function and use native PDC iodc functions to print the warning, because +panic() and printk() are not functional yet. + +This fixes boot when enabling various KALLSYSMS options which need +much more space. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/setup.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/arch/parisc/kernel/setup.c ++++ b/arch/parisc/kernel/setup.c +@@ -123,14 +123,6 @@ void __init setup_arch(char **cmdline_p) + #endif + printk(KERN_CONT ".\n"); + +- /* +- * Check if initial kernel page mappings are sufficient. +- * panic early if not, else we may access kernel functions +- * and variables which can't be reached. +- */ +- if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE) +- panic("KERNEL_INITIAL_ORDER too small!"); +- + #ifdef CONFIG_64BIT + if(parisc_narrow_firmware) { + printk(KERN_INFO "Kernel is using PDC in 32-bit mode.\n"); +@@ -282,6 +274,18 @@ void __init start_parisc(void) + int ret, cpunum; + struct pdc_coproc_cfg coproc_cfg; + ++ /* ++ * Check if initial kernel page mapping is sufficient. ++ * Print warning if not, because we may access kernel functions and ++ * variables which can't be reached yet through the initial mappings. ++ * Note that the panic() and printk() functions are not functional ++ * yet, so we need to use direct iodc() firmware calls instead. ++ */ ++ const char warn1[] = "CRITICAL: Kernel may crash because " ++ "KERNEL_INITIAL_ORDER is too small.\n"; ++ if (__pa((unsigned long) &_end) >= KERNEL_INITIAL_SIZE) ++ pdc_iodc_print(warn1, sizeof(warn1) - 1); ++ + /* check QEMU/SeaBIOS marker in PAGE0 */ + running_on_qemu = (memcmp(&PAGE0->pad0, "SeaBIOS", 8) == 0); + diff --git a/queue-6.6/parisc-fix-initial-page-table-creation-for-boot.patch b/queue-6.6/parisc-fix-initial-page-table-creation-for-boot.patch new file mode 100644 index 0000000000..8a750d508e --- /dev/null +++ b/queue-6.6/parisc-fix-initial-page-table-creation-for-boot.patch @@ -0,0 +1,46 @@ +From 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 4 Mar 2026 22:24:18 +0100 +Subject: parisc: Fix initial page table creation for boot + +From: Helge Deller + +commit 8475d8fe21ec9c7eb2faca555fbc5b68cf0d2597 upstream. + +The KERNEL_INITIAL_ORDER value defines the initial size (usually 32 or +64 MB) of the page table during bootup. Up until now the whole area was +initialized with PTE entries, but there was no check if we filled too +many entries. Change the code to fill up with so many entries that the +"_end" symbol can be reached by the kernel, but not more entries than +actually fit into the initial PTE tables. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/head.S | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/head.S ++++ b/arch/parisc/kernel/head.S +@@ -56,6 +56,7 @@ ENTRY(parisc_kernel_start) + + .import __bss_start,data + .import __bss_stop,data ++ .import __end,data + + load32 PA(__bss_start),%r3 + load32 PA(__bss_stop),%r4 +@@ -149,7 +150,11 @@ $cpu_ok: + * everything ... it will get remapped correctly later */ + ldo 0+_PAGE_KERNEL_RWX(%r0),%r3 /* Hardwired 0 phys addr start */ + load32 (1<<(KERNEL_INITIAL_ORDER-PAGE_SHIFT)),%r11 /* PFN count */ +- load32 PA(pg0),%r1 ++ load32 PA(_end),%r1 ++ SHRREG %r1,PAGE_SHIFT,%r1 /* %r1 is PFN count for _end symbol */ ++ cmpb,<<,n %r11,%r1,1f ++ copy %r1,%r11 /* %r1 PFN count smaller than %r11 */ ++1: load32 PA(pg0),%r1 + + $pgt_fill_loop: + STREGM %r3,ASM_PTE_ENTRY_SIZE(%r1) diff --git a/queue-6.6/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch b/queue-6.6/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch new file mode 100644 index 0000000000..67df5531c7 --- /dev/null +++ b/queue-6.6/parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch @@ -0,0 +1,30 @@ +From 8e732934fb81282be41602550e7e07baf265e972 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 3 Mar 2026 23:36:10 +0100 +Subject: parisc: Increase initial mapping to 64 MB with KALLSYMS + +From: Helge Deller + +commit 8e732934fb81282be41602550e7e07baf265e972 upstream. + +The 32MB initial kernel mapping can become too small when CONFIG_KALLSYMS +is used. Increase the mapping to 64 MB in this case. + +Signed-off-by: Helge Deller +Cc: # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/pgtable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -85,7 +85,7 @@ extern void __update_cache(pte_t pte); + printk("%s:%d: bad pgd %08lx.\n", __FILE__, __LINE__, (unsigned long)pgd_val(e)) + + /* This is the size of the initially mapped kernel memory */ +-#if defined(CONFIG_64BIT) ++#if defined(CONFIG_64BIT) || defined(CONFIG_KALLSYMS) + #define KERNEL_INITIAL_ORDER 26 /* 1<<26 = 64MB */ + #else + #define KERNEL_INITIAL_ORDER 25 /* 1<<25 = 32MB */ diff --git a/queue-6.6/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch b/queue-6.6/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch new file mode 100644 index 0000000000..e3fec4a975 --- /dev/null +++ b/queue-6.6/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch @@ -0,0 +1,55 @@ +From 550bae2c0931dbb664a61b08c21cf156f0a5362a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ma=C3=ADra=20Canal?= +Date: Thu, 12 Feb 2026 11:49:44 -0300 +Subject: pmdomain: bcm: bcm2835-power: Fix broken reset status read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +commit 550bae2c0931dbb664a61b08c21cf156f0a5362a upstream. + +bcm2835_reset_status() has a misplaced parenthesis on every PM_READ() +call. Since PM_READ(reg) expands to readl(power->base + (reg)), the +expression: + + PM_READ(PM_GRAFX & PM_V3DRSTN) + +computes the bitwise AND of the register offset PM_GRAFX with the +bitmask PM_V3DRSTN before using the result as a register offset, reading +from the wrong MMIO address instead of the intended PM_GRAFX register. +The same issue affects the PM_IMAGE cases. + +Fix by moving the closing parenthesis so PM_READ() receives only the +register offset, and the bitmask is applied to the value returned by +the read. + +Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.") +Signed-off-by: Maíra Canal +Reviewed-by: Florian Fainelli +Reviewed-by: Stefan Wahren +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/bcm/bcm2835-power.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pmdomain/bcm/bcm2835-power.c ++++ b/drivers/pmdomain/bcm/bcm2835-power.c +@@ -580,11 +580,11 @@ static int bcm2835_reset_status(struct r + + switch (id) { + case BCM2835_RESET_V3D: +- return !PM_READ(PM_GRAFX & PM_V3DRSTN); ++ return !(PM_READ(PM_GRAFX) & PM_V3DRSTN); + case BCM2835_RESET_H264: +- return !PM_READ(PM_IMAGE & PM_H264RSTN); ++ return !(PM_READ(PM_IMAGE) & PM_H264RSTN); + case BCM2835_RESET_ISP: +- return !PM_READ(PM_IMAGE & PM_ISPRSTN); ++ return !(PM_READ(PM_IMAGE) & PM_ISPRSTN); + default: + return -EINVAL; + } diff --git a/queue-6.6/series b/queue-6.6/series index 0d4351fd9b..af85f49872 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -313,3 +313,21 @@ ice-reintroduce-retry-mechanism-for-indirect-aq.patch ixgbevf-fix-link-setup-issue.patch staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch +media-dvb-net-fix-oob-access-in-ule-extension-header-tables.patch +net-mana-ring-doorbell-at-4-cq-wraparounds.patch +ice-fix-retry-for-aq-command-0x06ee.patch +tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch +batman-adv-avoid-double-rtnl_lock-elp-metric-worker.patch +parisc-increase-initial-mapping-to-64-mb-with-kallsyms.patch +nouveau-dpcd-return-ebusy-for-aux-xfer-if-the-device-is-asleep.patch +arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch +hwmon-pmbus-q54sj108a2-fix-stack-overflow-in-debugfs-read.patch +parisc-fix-initial-page-table-creation-for-boot.patch +parisc-check-kernel-mapping-earlier-at-bootup.patch +pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch +ksmbd-fix-use-after-free-in-smb_lazy_parent_lease_break_close.patch +smb-server-fix-use-after-free-in-smb2_open.patch +ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch +net-ncsi-fix-skb-leak-in-error-paths.patch +net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch +net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch diff --git a/queue-6.6/smb-server-fix-use-after-free-in-smb2_open.patch b/queue-6.6/smb-server-fix-use-after-free-in-smb2_open.patch new file mode 100644 index 0000000000..dc392e1b56 --- /dev/null +++ b/queue-6.6/smb-server-fix-use-after-free-in-smb2_open.patch @@ -0,0 +1,44 @@ +From 1e689a56173827669a35da7cb2a3c78ed5c53680 Mon Sep 17 00:00:00 2001 +From: Marios Makassikis +Date: Tue, 3 Mar 2026 11:14:32 +0100 +Subject: smb: server: fix use-after-free in smb2_open() + +From: Marios Makassikis + +commit 1e689a56173827669a35da7cb2a3c78ed5c53680 upstream. + +The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is +dereferenced after rcu_read_unlock(), creating a use-after-free +window. + +Cc: stable@vger.kernel.org +Signed-off-by: Marios Makassikis +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3593,10 +3593,8 @@ int smb2_open(struct ksmbd_work *work) + + reconnected_fp: + rsp->StructureSize = cpu_to_le16(89); +- rcu_read_lock(); +- opinfo = rcu_dereference(fp->f_opinfo); ++ opinfo = opinfo_get(fp); + rsp->OplockLevel = opinfo != NULL ? opinfo->level : 0; +- rcu_read_unlock(); + rsp->Flags = 0; + rsp->CreateAction = cpu_to_le32(file_info); + rsp->CreationTime = cpu_to_le64(fp->create_time); +@@ -3637,6 +3635,7 @@ reconnected_fp: + next_ptr = &lease_ccontext->Next; + next_off = conn->vals->create_lease_size; + } ++ opinfo_put(opinfo); + + if (maximal_access_ctxt) { + struct create_context *mxac_ccontext; diff --git a/queue-6.6/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch b/queue-6.6/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch new file mode 100644 index 0000000000..294a7d9628 --- /dev/null +++ b/queue-6.6/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch @@ -0,0 +1,119 @@ +From 0a663b764dbdf135a126284f454c9f01f95a87d4 Mon Sep 17 00:00:00 2001 +From: Huiwen He +Date: Tue, 24 Feb 2026 10:35:44 +0800 +Subject: tracing: Fix syscall events activation by ensuring refcount hits zero + +From: Huiwen He + +commit 0a663b764dbdf135a126284f454c9f01f95a87d4 upstream. + +When multiple syscall events are specified in the kernel command line +(e.g., trace_event=syscalls:sys_enter_openat,syscalls:sys_enter_close), +they are often not captured after boot, even though they appear enabled +in the tracing/set_event file. + +The issue stems from how syscall events are initialized. Syscall +tracepoints require the global reference count (sys_tracepoint_refcount) +to transition from 0 to 1 to trigger the registration of the syscall +work (TIF_SYSCALL_TRACEPOINT) for tasks, including the init process (pid 1). + +The current implementation of early_enable_events() with disable_first=true +used an interleaved sequence of "Disable A -> Enable A -> Disable B -> Enable B". +If multiple syscalls are enabled, the refcount never drops to zero, +preventing the 0->1 transition that triggers actual registration. + +Fix this by splitting early_enable_events() into two distinct phases: +1. Disable all events specified in the buffer. +2. Enable all events specified in the buffer. + +This ensures the refcount hits zero before re-enabling, allowing syscall +events to be properly activated during early boot. + +The code is also refactored to use a helper function to avoid logic +duplication between the disable and enable phases. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://patch.msgid.link/20260224023544.1250787-1-hehuiwen@kylinos.cn +Fixes: ce1039bd3a89 ("tracing: Fix enabling of syscall events on the command line") +Signed-off-by: Huiwen He +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events.c | 52 +++++++++++++++++++++++++++++++------------- + 1 file changed, 37 insertions(+), 15 deletions(-) + +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -4140,26 +4140,22 @@ static __init int event_trace_memsetup(v + return 0; + } + +-__init void +-early_enable_events(struct trace_array *tr, char *buf, bool disable_first) ++/* ++ * Helper function to enable or disable a comma-separated list of events ++ * from the bootup buffer. ++ */ ++static __init void __early_set_events(struct trace_array *tr, char *buf, bool enable) + { + char *token; +- int ret; +- +- while (true) { +- token = strsep(&buf, ","); +- +- if (!token) +- break; + ++ while ((token = strsep(&buf, ","))) { + if (*token) { +- /* Restarting syscalls requires that we stop them first */ +- if (disable_first) ++ if (enable) { ++ if (ftrace_set_clr_event(tr, token, 1)) ++ pr_warn("Failed to enable trace event: %s\n", token); ++ } else { + ftrace_set_clr_event(tr, token, 0); +- +- ret = ftrace_set_clr_event(tr, token, 1); +- if (ret) +- pr_warn("Failed to enable trace event: %s\n", token); ++ } + } + + /* Put back the comma to allow this to be called again */ +@@ -4168,6 +4164,32 @@ early_enable_events(struct trace_array * + } + } + ++/** ++ * early_enable_events - enable events from the bootup buffer ++ * @tr: The trace array to enable the events in ++ * @buf: The buffer containing the comma separated list of events ++ * @disable_first: If true, disable all events in @buf before enabling them ++ * ++ * This function enables events from the bootup buffer. If @disable_first ++ * is true, it will first disable all events in the buffer before enabling ++ * them. ++ * ++ * For syscall events, which rely on a global refcount to register the ++ * SYSCALL_WORK_SYSCALL_TRACEPOINT flag (especially for pid 1), we must ++ * ensure the refcount hits zero before re-enabling them. A simple ++ * "disable then enable" per-event is not enough if multiple syscalls are ++ * used, as the refcount will stay above zero. Thus, we need a two-phase ++ * approach: disable all, then enable all. ++ */ ++__init void ++early_enable_events(struct trace_array *tr, char *buf, bool disable_first) ++{ ++ if (disable_first) ++ __early_set_events(tr, buf, false); ++ ++ __early_set_events(tr, buf, true); ++} ++ + static __init int event_trace_enable(void) + { + struct trace_array *tr = top_trace_array();