From: Greg Kroah-Hartman Date: Tue, 23 Dec 2025 16:54:35 +0000 (+0100) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de4cb4869de60ef36a8831b774f5e7c02bcf3ace;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch can-gs_usb-gs_can_open-fix-error-handling.patch dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch input-lkkbd-disable-pending-work-before-freeing-device.patch input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch input-xpad-add-support-for-crkd-guitars.patch ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch x86-bug-fix-old-gcc-compile-fails.patch x86-msi-make-irq_retrigger-functional-for-posted-msi.patch xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch --- diff --git a/queue-6.18/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch b/queue-6.18/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch new file mode 100644 index 0000000000..5bb1963718 
--- /dev/null
+++ b/queue-6.18/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
@@ -0,0 +1,40 @@
+From 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b Mon Sep 17 00:00:00 2001
+From: Pengjie Zhang
+Date: Wed, 10 Dec 2025 21:22:27 +0800
+Subject: ACPI: CPPC: Fix missing PCC check for guaranteed_perf
+
+From: Pengjie Zhang
+
+commit 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b upstream.
+
+The current implementation overlooks the 'guaranteed_perf'
+register in this check.
+
+If the Guaranteed Performance register is located in the PCC
+subspace, the function currently attempts to read it without
+acquiring the lock and without sending the CMD_READ doorbell
+to the firmware. This can result in reading stale data.
+
+Fixes: 29523f095397 ("ACPI / CPPC: Add support for guaranteed performance")
+Signed-off-by: Pengjie Zhang
+Cc: 4.20+ # 4.20+
+[ rjw: Subject and changelog edits ]
+Link: https://patch.msgid.link/20251210132227.1988380-1-zhangpengjie2@huawei.com
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/cppc_acpi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -1366,7 +1366,8 @@ int cppc_get_perf_caps(int cpunum, struc
+ /* Are any of the regs PCC ?*/
+ if (CPC_IN_PCC(highest_reg) || CPC_IN_PCC(lowest_reg) ||
+ CPC_IN_PCC(lowest_non_linear_reg) || CPC_IN_PCC(nominal_reg) ||
+- CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg)) {
++ CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg) ||
++ CPC_IN_PCC(guaranteed_reg)) {
+ if (pcc_ss_id < 0) {
+ pr_debug("Invalid pcc_ss_id\n");
+ return -ENODEV;
diff --git a/queue-6.18/acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch b/queue-6.18/acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch
new file mode 100644
index 0000000000..b8efe93524
--- /dev/null
+++ b/queue-6.18/acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch
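Review bot: The PCC test in cppc_get_perf_caps() is still a hand-written list of registers, so a register added to the function later can again be read without the lock and the CMD_READ doorbell, which is the omission this change corrects for `guaranteed_reg`. A comment above the condition would record the invariant, for example `/* Every register read below must be listed here; a PCC-resident one that is missed is read without the lock or CMD_READ. */`. The function body starts and ends outside the hunk, so whether any other register read there is missing from the list cannot be checked from this page.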
@@ -0,0 +1,40 @@
+From f103fa127c93016bcd89b05d8e11dc1a84f6990d Mon Sep 17 00:00:00 2001
+From: Pengjie Zhang
+Date: Wed, 10 Dec 2025 21:26:34 +0800
+Subject: ACPI: PCC: Fix race condition by removing static qualifier
+
+From: Pengjie Zhang
+
+commit f103fa127c93016bcd89b05d8e11dc1a84f6990d upstream.
+
+Local variable 'ret' in acpi_pcc_address_space_setup() is currently
+declared as 'static'. This can lead to race conditions in a
+multithreaded environment.
+
+Remove the 'static' qualifier to ensure that 'ret' will be allocated
+directly on the stack as a local variable.
+
+Fixes: a10b1c99e2dc ("ACPI: PCC: Setup PCC Opregion handler only if platform interrupt is available")
+Signed-off-by: Pengjie Zhang
+Reviewed-by: Sudeep Holla
+Acked-by: lihuisong@huawei.com
+Cc: 6.2+ # 6.2+
+[ rjw: Changelog edits ]
+Link: https://patch.msgid.link/20251210132634.2050033-1-zhangpengjie2@huawei.com
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpi_pcc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_pcc.c
++++ b/drivers/acpi/acpi_pcc.c
+@@ -52,7 +52,7 @@ acpi_pcc_address_space_setup(acpi_handle
+ struct pcc_data *data;
+ struct acpi_pcc_info *ctx = handler_context;
+ struct pcc_mbox_chan *pcc_chan;
+- static acpi_status ret;
++ acpi_status ret;
+
+ data = kzalloc(sizeof(*data), GFP_KERNEL);
+ if (!data)
diff --git a/queue-6.18/can-gs_usb-gs_can_open-fix-error-handling.patch b/queue-6.18/can-gs_usb-gs_can_open-fix-error-handling.patch
new file mode 100644
index 0000000000..3dc54d9b69
--- /dev/null
+++ b/queue-6.18/can-gs_usb-gs_can_open-fix-error-handling.patch
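Review bot: With `static` removed, `ret` in acpi_pcc_address_space_setup() no longer starts out zeroed, so any path that returns `ret` without assigning it first would now return an indeterminate status. The rest of the function is outside the hunk; confirm that every `return ret` is preceded by an assignment, or initialise it at the declaration as `acpi_status ret = AE_OK;` if a success path relied on the implicit zero.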
@@ -0,0 +1,43 @@
+From 3e54d3b4a8437b6783d4145c86962a2aa51022f3 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Mon, 1 Dec 2025 19:26:38 +0100
+Subject: can: gs_usb: gs_can_open(): fix error handling
+
+From: Marc Kleine-Budde
+
+commit 3e54d3b4a8437b6783d4145c86962a2aa51022f3 upstream.
+
+Commit 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling")
+added missing error handling to the gs_can_open() function.
+
+The driver uses 2 USB anchors to track the allocated URBs: the TX URBs in
+struct gs_can::tx_submitted for each netdev and the RX URBs in struct
+gs_usb::rx_submitted for the USB device. gs_can_open() allocates the RX
+URBs, while TX URBs are allocated during gs_can_start_xmit().
+
+The cleanup in gs_can_open() kills all anchored dev->tx_submitted
+URBs (which is not necessary since the netdev is not yet registered), but
+misses the parent->rx_submitted URBs.
+
+Fix the problem by killing the rx_submitted instead of the tx_submitted.
+
+Fixes: 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251210-gs_usb-fix-error-handling-v1-1-d6a5a03f10bb@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/usb/gs_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -1074,7 +1074,7 @@ out_usb_free_urb:
+ usb_free_urb(urb);
+ out_usb_kill_anchored_urbs:
+ if (!parent->active_channels) {
+- usb_kill_anchored_urbs(&dev->tx_submitted);
++ usb_kill_anchored_urbs(&parent->rx_submitted);
+
+ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP)
+ gs_usb_timestamp_stop(parent);
diff --git a/queue-6.18/dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch b/queue-6.18/dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch
new file mode 100644
index 0000000000..8b7334e6cf
--- /dev/null
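Review bot: The cleanup under `out_usb_kill_anchored_urbs` now kills `parent->rx_submitted` and leaves `dev->tx_submitted` alone, and nothing in the code says why the TX anchor is skipped. A short comment would keep a later reader from re-adding it, e.g. `/* RX URBs are anchored on the parent; TX URBs are only submitted from gs_can_start_xmit(), so there are none to kill here */`. The label sits inside gs_can_open(), whose body begins outside the hunk.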
+++ b/queue-6.18/dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch @@ -0,0 +1,31 @@ +From ed724ea1b82a800af4704311cb89e5ef1b4ea7ac Mon Sep 17 00:00:00 2001 +From: Andrew Jeffery +Date: Thu, 11 Dec 2025 17:45:48 +0900 +Subject: dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml + +From: Andrew Jeffery + +commit ed724ea1b82a800af4704311cb89e5ef1b4ea7ac upstream. + +Enable use of common SDHCI-related properties such as sdhci-caps-mask as +found in the AST2600 EVB DTS. + +Cc: stable@vger.kernel.org # v6.2+ +Signed-off-by: Andrew Jeffery +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml ++++ b/Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml +@@ -41,7 +41,7 @@ properties: + patternProperties: + "^sdhci@[0-9a-f]+$": + type: object +- $ref: mmc-controller.yaml ++ $ref: sdhci-common.yaml + unevaluatedProperties: false + + properties: diff --git a/queue-6.18/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch b/queue-6.18/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch new file mode 100644 index 0000000000..96ed8af178 --- /dev/null +++ b/queue-6.18/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch 
@@ -0,0 +1,70 @@ +From 7953794f741e94d30df9dafaaa4c031c85b891d6 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Mon, 27 Oct 2025 13:37:42 -0700 +Subject: HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen + +From: Ping Cheng + +commit 7953794f741e94d30df9dafaaa4c031c85b891d6 upstream. + +HID_GD_Z is mapped to ABS_Z for stylus and pen in hid-input.c. But HID_GD_Z +should be used to report ABS_DISTANCE for stylus and pen as described at: +Documentation/input/event-codes.rst#n226 + +* ABS_DISTANCE: + + - Used to describe the distance of a tool from an interaction surface. This + event should only be emitted while the tool is hovering, meaning in close + proximity of the device and while the value of the BTN_TOUCH code is 0. If + the input device may be used freely in three dimensions, consider ABS_Z + instead. + - BTN_TOOL_ should be set to 1 when the tool comes into detectable + proximity and set to 0 when the tool leaves detectable proximity. + BTN_TOOL_ signals the type of tool that is currently detected by the + hardware and is otherwise independent of ABS_DISTANCE and/or BTN_TOUCH. + +This patch makes the correct mapping. The ABS_DISTANCE is currently not mapped +by any HID usage in hid-generic driver. + +Signed-off-by: Ping Cheng +Cc: stable@kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-input.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -878,7 +878,7 @@ static void hidinput_configure_usage(str + + switch (usage->hid) { + /* These usage IDs map directly to the usage codes. 
*/ +- case HID_GD_X: case HID_GD_Y: case HID_GD_Z: ++ case HID_GD_X: case HID_GD_Y: + case HID_GD_RX: case HID_GD_RY: case HID_GD_RZ: + if (field->flags & HID_MAIN_ITEM_RELATIVE) + map_rel(usage->hid & 0xf); +@@ -886,6 +886,22 @@ static void hidinput_configure_usage(str + map_abs_clear(usage->hid & 0xf); + break; + ++ case HID_GD_Z: ++ /* HID_GD_Z is mapped to ABS_DISTANCE for stylus/pen */ ++ if (field->flags & HID_MAIN_ITEM_RELATIVE) { ++ map_rel(usage->hid & 0xf); ++ } else { ++ if (field->application == HID_DG_PEN || ++ field->physical == HID_DG_PEN || ++ field->logical == HID_DG_STYLUS || ++ field->physical == HID_DG_STYLUS || ++ field->application == HID_DG_DIGITIZER) ++ map_abs_clear(ABS_DISTANCE); ++ else ++ map_abs_clear(usage->hid & 0xf); ++ } ++ break; ++ + case HID_GD_WHEEL: + if (field->flags & HID_MAIN_ITEM_RELATIVE) { + set_bit(REL_WHEEL, input->relbit); diff --git a/queue-6.18/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch b/queue-6.18/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch new file mode 100644 index 0000000000..08e2531726 --- /dev/null +++ b/queue-6.18/input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch 
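Review bot: The comment on the new `case HID_GD_Z:` says the mapping is for stylus/pen, but the condition also matches any field with `field->application == HID_DG_DIGITIZER`, which is wider than the comment states. Either say so in the comment, `/* Map HID_GD_Z to ABS_DISTANCE for pen, stylus and digitizer-application fields; other absolute fields keep the direct mapping */`, or drop that clause if only pens are intended. The nested `else { if ... else ... }` could also be flattened to `} else if (...) {` so the case reads like its neighbours. hidinput_configure_usage() starts and ends outside the hunk.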
@@ -0,0 +1,61 @@ +From bf40644ef8c8a288742fa45580897ed0e0289474 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Wed, 17 Dec 2025 11:00:17 +0800 +Subject: Input: alps - fix use-after-free bugs caused by dev3_register_work + +From: Duoming Zhou + +commit bf40644ef8c8a288742fa45580897ed0e0289474 upstream. + +The dev3_register_work delayed work item is initialized within +alps_reconnect() and scheduled upon receipt of the first bare +PS/2 packet from an external PS/2 device connected to the ALPS +touchpad. During device detachment, the original implementation +calls flush_workqueue() in psmouse_disconnect() to ensure +completion of dev3_register_work. However, the flush_workqueue() +in psmouse_disconnect() only blocks and waits for work items that +were already queued to the workqueue prior to its invocation. Any +work items submitted after flush_workqueue() is called are not +included in the set of tasks that the flush operation awaits. +This means that after flush_workqueue() has finished executing, +the dev3_register_work could still be scheduled. Although the +psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), +the scheduling of dev3_register_work remains unaffected. + +The race condition can occur as follows: + +CPU 0 (cleanup path) | CPU 1 (delayed work) +psmouse_disconnect() | + psmouse_set_state() | + flush_workqueue() | alps_report_bare_ps2_packet() + alps_disconnect() | psmouse_queue_work() + kfree(priv); // FREE | alps_register_bare_ps2_mouse() + | priv = container_of(work...); // USE + | priv->dev3 // USE + +Add disable_delayed_work_sync() in alps_disconnect() to ensure +that dev3_register_work is properly canceled and prevented from +executing after the alps_data structure has been deallocated. + +This bug is identified by static analysis. 
+ +Fixes: 04aae283ba6a ("Input: ALPS - do not mix trackstick and external PS/2 mouse data") +Cc: stable@kernel.org +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/b57b0a9ccca51a3f06be141bfc02b9ffe69d1845.1765939397.git.duoming@zju.edu.cn +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/alps.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -2975,6 +2975,7 @@ static void alps_disconnect(struct psmou + + psmouse_reset(psmouse); + timer_shutdown_sync(&priv->timer); ++ disable_delayed_work_sync(&priv->dev3_register_work); + if (priv->dev2) + input_unregister_device(priv->dev2); + if (!IS_ERR_OR_NULL(priv->dev3)) diff --git a/queue-6.18/input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch b/queue-6.18/input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch new file mode 100644 index 0000000000..483041169f --- /dev/null +++ b/queue-6.18/input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch 
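Review bot: The added `disable_delayed_work_sync(&priv->dev3_register_work);` in alps_disconnect() carries no comment, although its placement before the `priv->dev3` teardown is what closes the race described in the changelog. Suggest `/* Disable, not just flush: the work can still be queued after psmouse_disconnect()'s flush_workqueue() and would touch priv after it is freed */` above the call. The call also assumes the work item has been initialised on every path that reaches alps_disconnect(); the initialisation is outside the hunk, so that is worth confirming.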
@@ -0,0 +1,48 @@
+From d579478cee228bdc0029a0c12a1f6a63ea9d1c77 Mon Sep 17 00:00:00 2001
+From: Sasha Finkelstein
+Date: Thu, 18 Dec 2025 10:15:23 -0800
+Subject: Input: apple_z2 - fix reading incorrect reports after exiting sleep
+
+From: Sasha Finkelstein
+
+commit d579478cee228bdc0029a0c12a1f6a63ea9d1c77 upstream.
+
+Under certain conditions (more prevalent after a suspend/resume cycle),
+the touchscreen controller can send the "boot complete" interrupt before
+it actually finished booting. In those cases, attempting to read touch
+data resuls in a stream of "not ready" messages being read and
+interpreted as a touch report. Check that the response is in fact a
+touch report and discard it otherwise.
+
+Reported-by: pitust
+Closes: https://oftc.catirclogs.org/asahi/2025-12-17#34878715;
+Fixes: 471a92f8a21a ("Input: apple_z2 - add a driver for Apple Z2 touchscreens")
+Signed-off-by: Sasha Finkelstein
+Link: https://patch.msgid.link/20251218-z2-init-fix-v1-1-48e3aa239caf@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/touchscreen/apple_z2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/touchscreen/apple_z2.c
++++ b/drivers/input/touchscreen/apple_z2.c
+@@ -21,6 +21,7 @@
+ #define APPLE_Z2_TOUCH_STARTED 3
+ #define APPLE_Z2_TOUCH_MOVED 4
+ #define APPLE_Z2_CMD_READ_INTERRUPT_DATA 0xEB
++#define APPLE_Z2_REPLY_INTERRUPT_DATA 0xE1
+ #define APPLE_Z2_HBPP_CMD_BLOB 0x3001
+ #define APPLE_Z2_FW_MAGIC 0x5746325A
+ #define LOAD_COMMAND_INIT_PAYLOAD 0
+@@ -142,6 +143,9 @@ static int apple_z2_read_packet(struct a
+ if (error)
+ return error;
+
++ if (z2->rx_buf[0] != APPLE_Z2_REPLY_INTERRUPT_DATA)
++ return 0;
++
+ pkt_len = (get_unaligned_le16(z2->rx_buf + 1) + 8) & 0xfffffffc;
+
+ error = spi_read(z2->spidev, z2->rx_buf, pkt_len);
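Review bot: The new check in apple_z2_read_packet() validates only the reply type byte; the length that follows is still taken from the device, `pkt_len = (get_unaligned_le16(z2->rx_buf + 1) + 8) & 0xfffffffc;`, and passed straight to `spi_read(z2->spidev, z2->rx_buf, pkt_len)`. No comparison of `pkt_len` with the size of `rx_buf` is visible in the hunk, so a reply carrying a large length field could make the read run past the buffer. If the size is not enforced elsewhere, reject the packet before the read, e.g. `if (pkt_len > RX_BUF_SIZE) return -EMSGSIZE;`, where `RX_BUF_SIZE` is a placeholder for the driver's actual allocation size. The function starts and ends outside the hunk.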
diff --git a/queue-6.18/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch b/queue-6.18/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch new file mode 100644 index 0000000000..4f1b4a4bec --- /dev/null +++ b/queue-6.18/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch @@ -0,0 +1,39 @@ +From aed3716db7fff74919cc5775ca3a80c8bb246489 Mon Sep 17 00:00:00 2001 +From: Christoffer Sandberg +Date: Mon, 24 Nov 2025 21:31:34 +0100 +Subject: Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table + +From: Christoffer Sandberg + +commit aed3716db7fff74919cc5775ca3a80c8bb246489 upstream. + +The device occasionally wakes up from suspend with missing input on the +internal keyboard and the following suspend attempt results in an instant +wake-up. The quirks fix both issues for this device. + +Signed-off-by: Christoffer Sandberg +Signed-off-by: Werner Sembach +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251124203336.64072-1-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-acpipnpio.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-acpipnpio.h ++++ b/drivers/input/serio/i8042-acpipnpio.h +@@ -1169,6 +1169,13 @@ static const struct dmi_system_id i8042_ + .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | + SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) + }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "X5KK45xS_X5SP45xS"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, + /* + * A lot of modern Clevo barebones have touchpad and/or keyboard issues + * after suspend fixable with the forcenorestore quirk. 
diff --git a/queue-6.18/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-6.18/input-lkkbd-disable-pending-work-before-freeing-device.patch new file mode 100644 index 0000000000..4237777936 --- /dev/null +++ b/queue-6.18/input-lkkbd-disable-pending-work-before-freeing-device.patch 
@@ -0,0 +1,52 @@
+From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
+From: Minseong Kim
+Date: Fri, 12 Dec 2025 00:29:23 -0800
+Subject: Input: lkkbd - disable pending work before freeing device
+
+From: Minseong Kim
+
+commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
+
+lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
+handler lkkbd_reinit() dereferences the lkkbd structure and its
+serio/input_dev fields.
+
+lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
+structure without preventing the reinit work from being queued again
+until serio_close() returns. This can allow the work handler to run
+after the structure has been freed, leading to a potential use-after-free.
+
+Use disable_work_sync() instead of cancel_work_sync() to ensure the
+reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
+and in lkkbd_connect() error paths after serio_open().
+
+Signed-off-by: Minseong Kim
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/lkkbd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/lkkbd.c
++++ b/drivers/input/keyboard/lkkbd.c
+@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s
+
+ return 0;
+
+- fail3: serio_close(serio);
++ fail3: disable_work_sync(&lk->tq);
++ serio_close(serio);
+ fail2: serio_set_drvdata(serio, NULL);
+ fail1: input_free_device(input_dev);
+ kfree(lk);
+@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri
+ {
+ struct lkkbd *lk = serio_get_drvdata(serio);
+
++ disable_work_sync(&lk->tq);
++
+ input_get_device(lk->dev);
+ input_unregister_device(lk->dev);
+ serio_close(serio);
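Review bot: Both new `disable_work_sync(&lk->tq);` calls run before `serio_close(serio)`, that is while lkkbd_interrupt() can still fire, and the code does not say that this ordering and the choice of disable over cancel are deliberate. A comment at the lkkbd_disconnect() call, such as `/* Disable rather than cancel: the interrupt handler may call schedule_work() until serio_close() returns */`, would stop a later cleanup from weakening it. Both functions extend beyond their hunks, so the final `kfree(lk)` in lkkbd_disconnect() is not visible here.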
diff --git a/queue-6.18/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch b/queue-6.18/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
new file mode 100644
index 0000000000..f93d0f4043
--- /dev/null
+++ b/queue-6.18/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
@@ -0,0 +1,38 @@
+From 248d3a73a0167dce15ba100477c3e778c4787178 Mon Sep 17 00:00:00 2001
+From: Junjie Cao
+Date: Thu, 18 Dec 2025 21:56:59 -0800
+Subject: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
+
+From: Junjie Cao
+
+commit 248d3a73a0167dce15ba100477c3e778c4787178 upstream.
+
+The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
+wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
+access when used as index in 'config_pins[wire_order[i]]'.
+
+Since config_pins has 4 elements (indices 0-3), the valid range for
+wire_order should be 0-3. Fix the off-by-one error by using >= instead
+of > in the validation check.
+
+Signed-off-by: Junjie Cao
+Link: https://patch.msgid.link/20251114062817.852698-1-junjie.cao@intel.com
+Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/ti_am335x_tsc.c
++++ b/drivers/input/touchscreen/ti_am335x_tsc.c
+@@ -85,7 +85,7 @@ static int titsc_config_wires(struct tit
+ wire_order[i] = ts_dev->config_inp[i] & 0x0F;
+ if (WARN_ON(analog_line[i] > 7))
+ return -EINVAL;
+- if (WARN_ON(wire_order[i] > ARRAY_SIZE(config_pins)))
++ if (WARN_ON(wire_order[i] >= ARRAY_SIZE(config_pins)))
+ return -EINVAL;
+ }
+
diff --git a/queue-6.18/input-xpad-add-support-for-crkd-guitars.patch b/queue-6.18/input-xpad-add-support-for-crkd-guitars.patch
new file mode 100644
index 0000000000..98394eb046
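Review bot: The corrected bound in titsc_config_wires() is still wrapped in `WARN_ON()`, although `wire_order[i]` is derived from `ts_dev->config_inp[i]`, which looks like platform-supplied configuration rather than a kernel invariant (its origin is outside the hunk). A bad value then produces a backtrace and, on systems running with panic_on_warn, a panic; for input validation a plain test with an error message is the usual form, e.g. `if (wire_order[i] >= ARRAY_SIZE(config_pins)) return -EINVAL;` preceded by a `dev_err()`. The neighbouring `analog_line[i] > 7` check has the same shape, and its literal `7` would read better as a named limit. The function begins and ends outside the hunk.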
--- /dev/null +++ b/queue-6.18/input-xpad-add-support-for-crkd-guitars.patch 
@@ -0,0 +1,55 @@ +From 806ec7b797adc1cc9b11535307638a55ddfb873c Mon Sep 17 00:00:00 2001 +From: Sanjay Govind +Date: Sat, 29 Nov 2025 20:37:11 +1300 +Subject: Input: xpad - add support for CRKD Guitars + +From: Sanjay Govind + +commit 806ec7b797adc1cc9b11535307638a55ddfb873c upstream. + +Add support for various CRKD Guitar Controllers. + +Signed-off-by: Sanjay Govind +Link: https://patch.msgid.link/20251129073720.2750-2-sanjay.govind9@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -133,6 +133,8 @@ static const struct xpad_device { + } xpad_device[] = { + /* Please keep this list sorted by vendor and product ID. */ + { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 }, ++ { 0x0351, 0x1000, "CRKD LP Blueberry Burst Pro Edition (Xbox)", 0, XTYPE_XBOX360 }, ++ { 0x0351, 0x2000, "CRKD LP Black Tribal Edition (Xbox) ", 0, XTYPE_XBOX360 }, + { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 }, + { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 }, + { 0x03f0, 0x038D, "HyperX Clutch", 0, XTYPE_XBOX360 }, /* wired */ +@@ -420,6 +422,7 @@ static const struct xpad_device { + { 0x3285, 0x0663, "Nacon Evol-X", 0, XTYPE_XBOXONE }, + { 0x3537, 0x1004, "GameSir T4 Kaleid", 0, XTYPE_XBOX360 }, + { 0x3537, 0x1010, "GameSir G7 SE", 0, XTYPE_XBOXONE }, ++ { 0x3651, 0x1000, "CRKD SG", 0, XTYPE_XBOX360 }, + { 0x366c, 0x0005, "ByoWave Proteus Controller", MAP_SHARE_BUTTON, XTYPE_XBOXONE, FLAG_DELAY_INIT }, + { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX }, + { 0x37d7, 0x2501, "Flydigi Apex 5", 0, XTYPE_XBOX360 }, +@@ -518,6 +521,7 @@ static const struct usb_device_id xpad_t + */ + { USB_INTERFACE_INFO('X', 'B', 0) }, /* Xbox USB-IF not-approved class */ + XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 controller */ ++ 
XPAD_XBOX360_VENDOR(0x0351), /* CRKD Controllers */ + XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */ + XPAD_XBOX360_VENDOR(0x03f0), /* HP HyperX Xbox 360 controllers */ + XPAD_XBOXONE_VENDOR(0x03f0), /* HP HyperX Xbox One controllers */ +@@ -578,6 +582,7 @@ static const struct usb_device_id xpad_t + XPAD_XBOXONE_VENDOR(0x3285), /* Nacon Evol-X */ + XPAD_XBOX360_VENDOR(0x3537), /* GameSir Controllers */ + XPAD_XBOXONE_VENDOR(0x3537), /* GameSir Controllers */ ++ XPAD_XBOX360_VENDOR(0x3651), /* CRKD Controllers */ + XPAD_XBOXONE_VENDOR(0x366c), /* ByoWave controllers */ + XPAD_XBOX360_VENDOR(0x37d7), /* Flydigi Controllers */ + XPAD_XBOX360_VENDOR(0x413d), /* Black Shark Green Ghost Controller */ diff --git a/queue-6.18/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch b/queue-6.18/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch new file mode 100644 index 0000000000..21568da9d2 --- /dev/null +++ b/queue-6.18/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch 
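Review bot: The name string in the new `0x0351, 0x2000` row of `xpad_device[]` ends with a stray space as shown on this page, `"CRKD LP Black Tribal Edition (Xbox) "`, and this string is presumably what is reported as the device name. Suggest `{ 0x0351, 0x2000, "CRKD LP Black Tribal Edition (Xbox)", 0, XTYPE_XBOX360 },`. The added rows otherwise keep the vendor/product ordering that the comment at the top of the table asks for.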
@@ -0,0 +1,46 @@
+From 95d7a890e4b03e198836d49d699408fd1867cb55 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Sun, 14 Dec 2025 15:06:34 +0900
+Subject: ksmbd: fix buffer validation by including null terminator size in EA length
+
+From: Namjae Jeon
+
+commit 95d7a890e4b03e198836d49d699408fd1867cb55 upstream.
+
+The smb2_set_ea function, which handles Extended Attributes (EA),
+was performing buffer validation checks that incorrectly omitted the size
+of the null terminating character (+1 byte) for EA Name.
+This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
+the null terminator is expected to be present in the buffer, ensuring
+the validation accurately reflects the total required buffer size.
+
+Cc: stable@vger.kernel.org
+Reported-by: Roger
+Reported-by: Stanislas Polu
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2373,7 +2373,7 @@ static int smb2_set_ea(struct smb2_ea_in
+ int rc = 0;
+ unsigned int next = 0;
+
+- if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
++ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
+ le16_to_cpu(eabuf->EaValueLength))
+ return -EINVAL;
+
+@@ -2450,7 +2450,7 @@ next:
+ break;
+ }
+
+- if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
++ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
+ le16_to_cpu(eabuf->EaValueLength)) {
+ rc = -EINVAL;
+ break;
diff --git a/queue-6.18/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch b/queue-6.18/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
new file mode 100644
index 0000000000..7a46838411
--- /dev/null
+++ b/queue-6.18/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
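Review bot: The `+ 1` for the name terminator is now written out twice in smb2_set_ea(), once before the loop and once after the `next:` label, as a bare literal inside a three-term sum. Because this is the bounds check on a client-supplied EA buffer, the two copies must stay identical; a comment on each, `/* + 1: NUL after the EA name, not counted in EaNameLength */`, or one small static helper called from both sites, would keep them from drifting apart. Whether `buf_len` is already known to cover `sizeof(struct smb2_ea_info)` before `eabuf->EaNameLength` is read at the first check depends on the caller, which is outside the hunk.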
@@ -0,0 +1,39 @@
+From cafb57f7bdd57abba87725eb4e82bbdca4959644 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Sun, 14 Dec 2025 15:05:56 +0900
+Subject: ksmbd: Fix refcount leak when invalid session is found on session lookup
+
+From: Namjae Jeon
+
+commit cafb57f7bdd57abba87725eb4e82bbdca4959644 upstream.
+
+When a session is found but its state is not SMB2_SESSION_VALID, It
+indicates that no valid session was found, but it is missing to decrement
+the reference count acquired by the session lookup, which results in
+a reference count leak. This patch fixes the issue by explicitly calling
+ksmbd_user_session_put to release the reference to the session.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alexandre
+Reported-by: Stanislas Polu
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/mgmt/user_session.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -325,8 +325,10 @@ struct ksmbd_session *ksmbd_session_look
+ sess = ksmbd_session_lookup(conn, id);
+ if (!sess && conn->binding)
+ sess = ksmbd_session_lookup_slowpath(id);
+- if (sess && sess->state != SMB2_SESSION_VALID)
++ if (sess && sess->state != SMB2_SESSION_VALID) {
++ ksmbd_user_session_put(sess);
+ sess = NULL;
++ }
+ return sess;
+ }
+
diff --git a/queue-6.18/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch b/queue-6.18/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
new file mode 100644
index 0000000000..8e3e0c4523
--- /dev/null
+++ b/queue-6.18/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
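Review bot: The patched lookup function (its name is truncated to `ksmbd_session_look` in the hunk header) now has two outcomes with different ownership, a session returned with a reference held or NULL with the reference already dropped, and nothing at the function states this. A header comment would help callers get the pairing right, e.g. `/* Returns a session with a reference held (release with ksmbd_user_session_put()), or NULL; a session that is not SMB2_SESSION_VALID is put here. */`. The start of the function is outside the hunk.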
@@ -0,0 +1,45 @@
+From 5d510ac31626ed157d2182149559430350cf2104 Mon Sep 17 00:00:00 2001
+From: Qianchang Zhao
+Date: Sun, 9 Nov 2025 10:00:55 +0900
+Subject: ksmbd: skip lock-range check on equal size to avoid size==0 underflow
+
+From: Qianchang Zhao
+
+commit 5d510ac31626ed157d2182149559430350cf2104 upstream.
+
+When size equals the current i_size (including 0), the code used to call
+check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`
+and can underflow for size==0. Skip the equal case.
+
+Cc: stable@vger.kernel.org
+Reported-by: Qianchang Zhao
+Reported-by: Zhitong Liu
+Signed-off-by: Qianchang Zhao
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -324,6 +324,9 @@ static int check_lock_range(struct file
+ struct file_lock_context *ctx = locks_inode_context(file_inode(filp));
+ int error = 0;
+
++ if (start == end)
++ return 0;
++
+ if (!ctx || list_empty_careful(&ctx->flc_posix))
+ return 0;
+
+@@ -828,7 +831,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work
+ if (size < inode->i_size) {
+ err = check_lock_range(filp, size,
+ inode->i_size - 1, WRITE);
+- } else {
++ } else if (size > inode->i_size) {
+ err = check_lock_range(filp, inode->i_size,
+ size - 1, WRITE);
+ }
diff --git a/queue-6.18/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch b/queue-6.18/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
new file mode 100644
index 0000000000..ab7b099990
--- /dev/null
+++ b/queue-6.18/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
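Review bot: The new `if (start == end) return 0;` in check_lock_range() does not match the case the description targets and appears to skip a real range. The callers visible in ksmbd_vfs_truncate() pass an inclusive end (`inode->i_size - 1`, `size - 1`), so `size == i_size` yields `end == start - 1`, which this guard does not catch, while `start == end` is a one-byte range that now bypasses the conflicting-lock check, for example a truncate that shrinks the file by exactly one byte. The `else if (size > inode->i_size)` change already removes the underflowing call, so the guard could be dropped, or written as `if (end < start) return 0;` if empty ranges from other callers must be tolerated (assuming the offsets are signed; the parameter types are cut off in the hunk header). The loop that walks `ctx->flc_posix` is outside the hunk, so confirm the inclusive-end reading there.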
@@ -0,0 +1,43 @@ +From d3ecb12e2e04ce53c95f933c462f2d8b150b965b Mon Sep 17 00:00:00 2001 +From: Jared Kangas +Date: Fri, 12 Dec 2025 07:03:17 -0800 +Subject: mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig + +From: Jared Kangas + +commit d3ecb12e2e04ce53c95f933c462f2d8b150b965b upstream. + +MMC_SDHCI_ESDHC_IMX requires ARCH_MXC despite also being used on +ARCH_S32, which results in unmet dependencies when compiling strictly +for ARCH_S32. Resolve this by adding ARCH_S32 as an alternative to +ARCH_MXC in the driver's dependencies. + +Fixes: 5c4f00627c9a ("mmc: sdhci-esdhc-imx: add NXP S32G2 support") +Cc: stable@bvger.kernel.org +Signed-off-by: Jared Kangas +Reviewed-by: Haibo Chen +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/Kconfig ++++ b/drivers/mmc/host/Kconfig +@@ -315,14 +315,14 @@ config MMC_SDHCI_ESDHC_MCF + + config MMC_SDHCI_ESDHC_IMX + tristate "SDHCI support for the Freescale eSDHC/uSDHC i.MX controller" +- depends on ARCH_MXC || COMPILE_TEST ++ depends on ARCH_MXC || ARCH_S32 || COMPILE_TEST + depends on MMC_SDHCI_PLTFM + depends on OF + select MMC_SDHCI_IO_ACCESSORS + select MMC_CQHCI + help + This selects the Freescale eSDHC/uSDHC controller support +- found on i.MX25, i.MX35 i.MX5x and i.MX6x. ++ found on i.MX25, i.MX35, i.MX5x, i.MX6x, and S32G. + + If you have a controller with this interface, say Y or M here. + diff --git a/queue-6.18/mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch b/queue-6.18/mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch new file mode 100644 index 0000000000..301e965d08 --- /dev/null +++ b/queue-6.18/mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch 
@@ -0,0 +1,36 @@ +From a9c4c9085ec8ce3ce01be21b75184789e74f5f19 Mon Sep 17 00:00:00 2001 +From: Sai Krishna Potthuri +Date: Fri, 12 Dec 2025 12:05:09 +0530 +Subject: mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds + +From: Sai Krishna Potthuri + +commit a9c4c9085ec8ce3ce01be21b75184789e74f5f19 upstream. + +On Xilinx/AMD platforms, the CD stable bit take slightly longer than +one second(about an additional 100ms) to assert after a host +controller reset. Although no functional failure observed with the +existing one second delay but to ensure reliable initialization, increase +the CD stable timeout to 2 seconds. + +Fixes: e251709aaddb ("mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up") +Cc: stable@vger.kernel.org +Signed-off-by: Sai Krishna Potthuri +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-arasan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-of-arasan.c ++++ b/drivers/mmc/host/sdhci-of-arasan.c +@@ -99,7 +99,7 @@ + #define HIWORD_UPDATE(val, mask, shift) \ + ((val) << (shift) | (mask) << ((shift) + 16)) + +-#define CD_STABLE_TIMEOUT_US 1000000 ++#define CD_STABLE_TIMEOUT_US 2000000 + #define CD_STABLE_MAX_SLEEP_US 10 + + /** diff --git a/queue-6.18/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch b/queue-6.18/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch new file mode 100644 index 0000000000..bc5e3c8cf4 --- /dev/null +++ b/queue-6.18/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch 
@@ -0,0 +1,85 @@ +From 188e0fa5a679570ea35474575e724d8211423d17 Mon Sep 17 00:00:00 2001 +From: Shaurya Rane +Date: Sat, 29 Nov 2025 15:07:18 +0530 +Subject: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() + +From: Shaurya Rane + +commit 188e0fa5a679570ea35474575e724d8211423d17 upstream. + +prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std +but doesn't check if the allocation failed. If __pskb_copy() returns +NULL, skb_clone() is called with a NULL pointer, causing a crash: + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] +CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 +Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c +RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 +RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 +RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 +RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee +R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 +R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 +FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 +Call Trace: + + hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] + hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 + hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 + __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 + __netif_receive_skb_one_core 
net/core/dev.c:6077 [inline] + __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 + netif_receive_skb_internal net/core/dev.c:6278 [inline] + netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 + tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 + tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 + tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x5c9/0xb30 fs/read_write.c:686 + ksys_write+0x145/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f0449f8e1ff +Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 +RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff +RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 +RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 +R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 +R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 + + +Add a NULL check immediately after __pskb_copy() to handle allocation +failures gracefully. 
+ +Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05 +Fixes: f266a683a480 ("net/hsr: Better frame dispatch") +Cc: stable@vger.kernel.org +Signed-off-by: Shaurya Rane +Reviewed-by: Felix Maurer +Tested-by: Felix Maurer +Link: https://patch.msgid.link/20251129093718.25320-1-ssrane_b23@ee.vjti.ac.in +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/hsr/hsr_forward.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -205,6 +205,8 @@ struct sk_buff *prp_get_untagged_frame(s + __pskb_copy(frame->skb_prp, + skb_headroom(frame->skb_prp), + GFP_ATOMIC); ++ if (!frame->skb_std) ++ return NULL; + } else { + /* Unexpected */ + WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n", diff --git a/queue-6.18/platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch b/queue-6.18/platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch new file mode 100644 index 0000000000..678b14fa90 --- /dev/null +++ b/queue-6.18/platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch 
@@ -0,0 +1,82 @@ +From 611cf41ef6ac8301d23daadd8e78b013db0c5071 Mon Sep 17 00:00:00 2001 +From: Yongxin Liu +Date: Fri, 28 Nov 2025 18:24:38 +0800 +Subject: platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yongxin Liu + +commit 611cf41ef6ac8301d23daadd8e78b013db0c5071 upstream. + +The intel_pmc_ipc() function uses ACPI_ALLOCATE_BUFFER to allocate memory +for the ACPI evaluation result but never frees it, causing a 192-byte +memory leak on each call. + +This leak is triggered during network interface initialization when the +stmmac driver calls intel_mac_finish() -> intel_pmc_ipc(). + + unreferenced object 0xffff96a848d6ea80 (size 192): + comm "dhcpcd", pid 541, jiffies 4294684345 + hex dump (first 32 bytes): + 04 00 00 00 05 00 00 00 98 ea d6 48 a8 96 ff ff ...........H.... + 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ + backtrace (crc b1564374): + kmemleak_alloc+0x2d/0x40 + __kmalloc_noprof+0x2fa/0x730 + acpi_ut_initialize_buffer+0x83/0xc0 + acpi_evaluate_object+0x29a/0x2f0 + intel_pmc_ipc+0xfd/0x170 + intel_mac_finish+0x168/0x230 + stmmac_mac_finish+0x3d/0x50 + phylink_major_config+0x22b/0x5b0 + phylink_mac_initial_config.constprop.0+0xf1/0x1b0 + phylink_start+0x8e/0x210 + __stmmac_open+0x12c/0x2b0 + stmmac_open+0x23c/0x380 + __dev_open+0x11d/0x2c0 + __dev_change_flags+0x1d2/0x250 + netif_change_flags+0x2b/0x70 + dev_change_flags+0x40/0xb0 + +Add __free(kfree) for ACPI object to properly release the allocated buffer. 
+ +Cc: stable@vger.kernel.org +Fixes: 7e2f7e25f6ff ("arch: x86: add IPC mailbox accessor function and add SoC register access") +Signed-off-by: Yongxin Liu +Link: https://patch.msgid.link/20251128102437.3412891-2-yongxin.liu@windriver.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/platform_data/x86/intel_pmc_ipc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/platform_data/x86/intel_pmc_ipc.h ++++ b/include/linux/platform_data/x86/intel_pmc_ipc.h +@@ -9,6 +9,7 @@ + #ifndef INTEL_PMC_IPC_H + #define INTEL_PMC_IPC_H + #include ++#include + + #define IPC_SOC_REGISTER_ACCESS 0xAA + #define IPC_SOC_SUB_CMD_READ 0x00 +@@ -48,7 +49,6 @@ static inline int intel_pmc_ipc(struct p + {.type = ACPI_TYPE_INTEGER,}, + }; + struct acpi_object_list arg_list = { PMC_IPCS_PARAM_COUNT, params }; +- union acpi_object *obj; + int status; + + if (!ipc_cmd || !rbuf) +@@ -72,7 +72,7 @@ static inline int intel_pmc_ipc(struct p + if (ACPI_FAILURE(status)) + return -ENODEV; + +- obj = buffer.pointer; ++ union acpi_object *obj __free(kfree) = buffer.pointer; + + if (obj && obj->type == ACPI_TYPE_PACKAGE && + obj->package.count == VALID_IPC_RESPONSE) { diff --git a/queue-6.18/series b/queue-6.18/series index b7fb8e0c5b..50425919e7 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
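Review bot: The `__free(kfree)` declaration of `obj` in intel_pmc_ipc() carries no comment saying where the memory comes from, and the pairing of an ACPICA-allocated buffer with kfree() is not obvious at the declaration. A one-line comment such as `/* buffer.pointer is allocated by acpi_evaluate_object() via ACPI_ALLOCATE_BUFFER; freed on every return below */` would keep a later edit from hoisting the declaration or adding a manual free. The function body continues past the end of the hunk, so the remaining return paths are not visible here.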
@@ -140,3 +140,26 @@ drm-xe-oa-always-set-oag_oaglbctxctrl_counter_resume.patch amd-iommu-preserve-domain-ids-inside-the-kdump-kerne.patch arm64-dts-mediatek-apply-mt8395-radxa-dt-overlay-at-.patch hwmon-ltc4282-fix-reset_history-file-permissions.patch +ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch +ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch +ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch +hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch +input-apple_z2-fix-reading-incorrect-reports-after-exiting-sleep.patch +input-xpad-add-support-for-crkd-guitars.patch +input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch +input-lkkbd-disable-pending-work-before-freeing-device.patch +input-alps-fix-use-after-free-bugs-caused-by-dev3_register_work.patch +input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch +xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch +can-gs_usb-gs_can_open-fix-error-handling.patch +soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch +platform-x86-intel_pmc_ipc-fix-acpi-buffer-memory-leak.patch +acpi-pcc-fix-race-condition-by-removing-static-qualifier.patch +acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch +spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch +mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch +mmc-sdhci-of-arasan-increase-cd-stable-timeout-to-2-seconds.patch +dt-bindings-mmc-sdhci-of-aspeed-switch-ref-to-sdhci-common.yaml.patch +net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch +x86-bug-fix-old-gcc-compile-fails.patch +x86-msi-make-irq_retrigger-functional-for-posted-msi.patch diff --git a/queue-6.18/soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch b/queue-6.18/soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch new file mode 100644 index 0000000000..0dfe845b29 --- /dev/null 
+++ b/queue-6.18/soc-tegra-fuse-do-not-register-soc-device-on-acpi-boot.patch @@ -0,0 +1,37 @@ +From c87f820bc4748fdd4d50969e8930cd88d1b61582 Mon Sep 17 00:00:00 2001 +From: Kartik Rajput +Date: Wed, 8 Oct 2025 16:46:18 +0530 +Subject: soc/tegra: fuse: Do not register SoC device on ACPI boot + +From: Kartik Rajput + +commit c87f820bc4748fdd4d50969e8930cd88d1b61582 upstream. + +On Tegra platforms using ACPI, the SMCCC driver already registers the +SoC device. This makes the registration performed by the Tegra fuse +driver redundant. + +When booted via ACPI, skip registering the SoC device and suppress +printing SKU information from the Tegra fuse driver, as this information +is already provided by the SMCCC driver. + +Fixes: 972167c69080 ("soc/tegra: fuse: Add ACPI support for Tegra194 and Tegra234") +Cc: stable@vger.kernel.org +Signed-off-by: Kartik Rajput +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/tegra/fuse/fuse-tegra.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/soc/tegra/fuse/fuse-tegra.c ++++ b/drivers/soc/tegra/fuse/fuse-tegra.c +@@ -182,8 +182,6 @@ static int tegra_fuse_probe(struct platf + } + + fuse->soc->init(fuse); +- tegra_fuse_print_sku_info(&tegra_sku_info); +- tegra_soc_device_register(); + + err = tegra_fuse_add_lookups(fuse); + if (err) diff --git a/queue-6.18/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch b/queue-6.18/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch new file mode 100644 index 0000000000..1975a460d1 --- /dev/null +++ b/queue-6.18/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch 
@@ -0,0 +1,46 @@ +From 1417927df8049a0194933861e9b098669a95c762 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 20 Nov 2025 09:34:49 +0100 +Subject: spi: fsl-cpm: Check length parity before switching to 16 bit mode + +From: Christophe Leroy + +commit 1417927df8049a0194933861e9b098669a95c762 upstream. + +Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers +with even size") failed to make sure that the size is really even +before switching to 16 bit mode. Until recently the problem went +unnoticed because kernfs uses a pre-allocated bounce buffer of size +PAGE_SIZE for reading EEPROM. + +But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") +introduced an additional dynamically allocated bounce buffer whose size +is exactly the size of the transfer, leading to a buffer overrun in +the fsl-cpm driver when that size is odd. + +Add the missing length parity verification and remain in 8 bit mode +when the length is not even. + +Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") +Cc: stable@vger.kernel.org +Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/ +Signed-off-by: Christophe Leroy +Reviewed-by: Sverdlin Alexander +Link: https://patch.msgid.link/3c4d81c3923c93f95ec56702a454744a4bad3cfc.1763627618.git.christophe.leroy@csgroup.eu +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-fsl-spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-fsl-spi.c ++++ b/drivers/spi/spi-fsl-spi.c +@@ -335,7 +335,7 @@ static int fsl_spi_prepare_message(struc + if (t->bits_per_word == 16 || t->bits_per_word == 32) + t->bits_per_word = 8; /* pretend its 8 bits */ + if (t->bits_per_word == 8 && t->len >= 256 && +- (mpc8xxx_spi->flags & SPI_CPM1)) ++ !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1)) + t->bits_per_word = 16; + } + } 
diff --git a/queue-6.18/x86-bug-fix-old-gcc-compile-fails.patch b/queue-6.18/x86-bug-fix-old-gcc-compile-fails.patch new file mode 100644 index 0000000000..d44e1b4103 --- /dev/null +++ b/queue-6.18/x86-bug-fix-old-gcc-compile-fails.patch @@ -0,0 +1,43 @@ +From c56a12c71ad38f381105f6e5036dede64ad2dfee Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 18 Dec 2025 11:47:38 +0100 +Subject: x86/bug: Fix old GCC compile fails + +From: Peter Zijlstra + +commit c56a12c71ad38f381105f6e5036dede64ad2dfee upstream. + +For some mysterious reasons the GCC 8 and 9 preprocessor manages to +sporadically fumble _ASM_BYTES(0x0f, 0x0b): + +$ grep ".byte[ ]*0x0f" defconfig-build/drivers/net/wireless/realtek/rtlwifi/base.s + 1: .byte0x0f,0x0b ; + 1: .byte 0x0f,0x0b ; + +which makes the assembler upset and all that. While there are more +_ASM_BYTES() users (notably the NOP instructions), those don't seem +affected. Therefore replace the offending ASM_UD2 with one using the +ud2 mnemonic. + +Reported-by: Jean Delvare +Suggested-by: Uros Bizjak +Fixes: 85a2d4a890dc ("x86,ibt: Use UDB instead of 0xEA") +Cc: stable@kernel.org +Signed-off-by: Peter Zijlstra (Intel) +Link: https://patch.msgid.link/20251218104659.GT3911114@noisy.programming.kicks-ass.net +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/bug.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/bug.h ++++ b/arch/x86/include/asm/bug.h +@@ -10,7 +10,7 @@ + /* + * Despite that some emulators terminate on UD2, we use it for WARN(). + */ +-#define ASM_UD2 _ASM_BYTES(0x0f, 0x0b) ++#define ASM_UD2 __ASM_FORM(ud2) + #define INSN_UD2 0x0b0f + #define LEN_UD2 2 + diff --git a/queue-6.18/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch b/queue-6.18/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch new file mode 100644 index 0000000000..5360f0258a --- /dev/null +++ b/queue-6.18/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch 
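Review bot: The comment above `ASM_UD2` still only explains why UD2 is used for WARN(), not why the mnemonic form was chosen over `_ASM_BYTES(0x0f, 0x0b)`. Since `INSN_UD2` and `LEN_UD2` next to it remain byte-oriented, the define now looks inconsistent and invites a well-meant revert. Adding a line such as `/* Use the mnemonic: the GCC 8/9 preprocessor sporadically mangles _ASM_BYTES(0x0f, 0x0b) */` would record the reason in the file.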
@@ -0,0 +1,155 @@ +From 0edc78b82bea85e1b2165d8e870a5c3535919695 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 25 Nov 2025 22:50:45 +0100 +Subject: x86/msi: Make irq_retrigger() functional for posted MSI + +From: Thomas Gleixner + +commit 0edc78b82bea85e1b2165d8e870a5c3535919695 upstream. + +Luigi reported that retriggering a posted MSI interrupt does not work +correctly. + +The reason is that the retrigger happens at the vector domain by sending an +IPI to the actual vector on the target CPU. That works correctly exactly +once because the posted MSI interrupt chip does not issue an EOI as that's +only required for the posted MSI notification vector itself. + +As a consequence the vector becomes stale in the ISR, which not only +affects this vector but also any lower priority vector in the affected +APIC because the ISR bit is not cleared. + +Luigi proposed to set the vector in the remap PIR bitmap and raise the +posted MSI notification vector. That works, but that still does not cure a +related problem: + + If there is ever a stray interrupt on such a vector, then the related + APIC ISR bit becomes stale due to the lack of EOI as described above. + Unlikely to happen, but if it happens it's not debuggable at all. + +So instead of playing games with the PIR, this can be actually solved +for both cases by: + + 1) Keeping track of the posted interrupt vector handler state + + 2) Implementing a posted MSI specific irq_ack() callback which checks that + state. If the posted vector handler is inactive it issues an EOI, + otherwise it delegates that to the posted handler. + +This is correct versus affinity changes and concurrent events on the posted +vector as the actual handler invocation is serialized through the interrupt +descriptor lock. 
+ +Fixes: ed1e48ea4370 ("iommu/vt-d: Enable posted mode for device MSIs") +Reported-by: Luigi Rizzo +Signed-off-by: Thomas Gleixner +Tested-by: Luigi Rizzo +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251125214631.044440658@linutronix.de +Closes: https://lore.kernel.org/lkml/20251124104836.3685533-1-lrizzo@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/irq_remapping.h | 7 +++++++ + arch/x86/kernel/irq.c | 23 +++++++++++++++++++++++ + drivers/iommu/intel/irq_remapping.c | 8 ++++---- + 3 files changed, 34 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/irq_remapping.h ++++ b/arch/x86/include/asm/irq_remapping.h +@@ -87,4 +87,11 @@ static inline void panic_if_irq_remap(co + } + + #endif /* CONFIG_IRQ_REMAP */ ++ ++#ifdef CONFIG_X86_POSTED_MSI ++void intel_ack_posted_msi_irq(struct irq_data *irqd); ++#else ++#define intel_ack_posted_msi_irq NULL ++#endif ++ + #endif /* __X86_IRQ_REMAPPING_H */ +--- a/arch/x86/kernel/irq.c ++++ b/arch/x86/kernel/irq.c +@@ -396,6 +396,7 @@ DEFINE_IDTENTRY_SYSVEC_SIMPLE(sysvec_kvm + + /* Posted Interrupt Descriptors for coalesced MSIs to be posted */ + DEFINE_PER_CPU_ALIGNED(struct pi_desc, posted_msi_pi_desc); ++static DEFINE_PER_CPU_CACHE_HOT(bool, posted_msi_handler_active); + + void intel_posted_msi_init(void) + { +@@ -413,6 +414,25 @@ void intel_posted_msi_init(void) + this_cpu_write(posted_msi_pi_desc.ndst, destination); + } + ++void intel_ack_posted_msi_irq(struct irq_data *irqd) ++{ ++ irq_move_irq(irqd); ++ ++ /* ++ * Handle the rare case that irq_retrigger() raised the actual ++ * assigned vector on the target CPU, which means that it was not ++ * invoked via the posted MSI handler below. In that case APIC EOI ++ * is required as otherwise the ISR entry becomes stale and lower ++ * priority interrupts are never going to be delivered after that. 
++ * ++ * If the posted handler invoked the device interrupt handler then ++ * the EOI would be premature because it would acknowledge the ++ * posted vector. ++ */ ++ if (unlikely(!__this_cpu_read(posted_msi_handler_active))) ++ apic_eoi(); ++} ++ + static __always_inline bool handle_pending_pir(unsigned long *pir, struct pt_regs *regs) + { + unsigned long pir_copy[NR_PIR_WORDS]; +@@ -445,6 +465,8 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_posted_msi + + pid = this_cpu_ptr(&posted_msi_pi_desc); + ++ /* Mark the handler active for intel_ack_posted_msi_irq() */ ++ __this_cpu_write(posted_msi_handler_active, true); + inc_irq_stat(posted_msi_notification_count); + irq_enter(); + +@@ -473,6 +495,7 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_posted_msi + + apic_eoi(); + irq_exit(); ++ __this_cpu_write(posted_msi_handler_active, false); + set_irq_regs(old_regs); + } + #endif /* X86_POSTED_MSI */ +--- a/drivers/iommu/intel/irq_remapping.c ++++ b/drivers/iommu/intel/irq_remapping.c +@@ -1303,17 +1303,17 @@ static struct irq_chip intel_ir_chip = { + * irq_enter(); + * handle_edge_irq() + * irq_chip_ack_parent() +- * irq_move_irq(); // No EOI ++ * intel_ack_posted_msi_irq(); // No EOI + * handle_irq_event() + * driver_handler() + * handle_edge_irq() + * irq_chip_ack_parent() +- * irq_move_irq(); // No EOI ++ * intel_ack_posted_msi_irq(); // No EOI + * handle_irq_event() + * driver_handler() + * handle_edge_irq() + * irq_chip_ack_parent() +- * irq_move_irq(); // No EOI ++ * intel_ack_posted_msi_irq(); // No EOI + * handle_irq_event() + * driver_handler() + * apic_eoi() +@@ -1322,7 +1322,7 @@ static struct irq_chip intel_ir_chip = { + */ + static struct irq_chip intel_ir_chip_post_msi = { + .name = "INTEL-IR-POST", +- .irq_ack = irq_move_irq, ++ .irq_ack = intel_ack_posted_msi_irq, + .irq_set_affinity = intel_ir_set_affinity, + .irq_compose_msi_msg = intel_ir_compose_msi_msg, + .irq_set_vcpu_affinity = intel_ir_set_vcpu_affinity, 
diff --git a/queue-6.18/xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch b/queue-6.18/xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch new file mode 100644 index 0000000000..8a0876083e --- /dev/null +++ b/queue-6.18/xfs-don-t-leak-a-locked-dquot-when-xfs_dquot_attach_buf-fails.patch @@ -0,0 +1,47 @@ +From 204c8f77e8d4a3006f8abe40331f221a597ce608 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Mon, 10 Nov 2025 14:22:53 +0100 +Subject: xfs: don't leak a locked dquot when xfs_dquot_attach_buf fails + +From: Christoph Hellwig + +commit 204c8f77e8d4a3006f8abe40331f221a597ce608 upstream. + +xfs_qm_quotacheck_dqadjust acquired the dquot through xfs_qm_dqget, +which means it owns a reference and holds q_qlock. Both need to +be dropped on an error exit. + +Cc: # v6.13 +Fixes: ca378189fdfa ("xfs: convert quotacheck to attach dquot buffers") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Carlos Maiolino +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_qm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/xfs/xfs_qm.c ++++ b/fs/xfs/xfs_qm.c +@@ -1318,7 +1318,7 @@ xfs_qm_quotacheck_dqadjust( + + error = xfs_dquot_attach_buf(NULL, dqp); + if (error) +- return error; ++ goto out_unlock; + + trace_xfs_dqadjust(dqp); + +@@ -1348,8 +1348,9 @@ xfs_qm_quotacheck_dqadjust( + } + + dqp->q_flags |= XFS_DQFLAG_DIRTY; ++out_unlock: + xfs_qm_dqput(dqp); +- return 0; ++ return error; + } + + /*
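Review bot: In the irq_remapping.h hunk the `#else` branch defines `intel_ack_posted_msi_irq` as `NULL`, so on a build without CONFIG_X86_POSTED_MSI `intel_ir_chip_post_msi.irq_ack` becomes a NULL pointer where it used to be `irq_move_irq`. Whether that chip can ever be installed in such a build is not visible in these hunks; if it can, the edge flow handler would call through the NULL callback. Keeping the previous behaviour as the fallback, `#define intel_ack_posted_msi_irq irq_move_irq`, avoids depending on that.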