From: Greg Kroah-Hartman Date: Wed, 28 Jan 2026 14:24:53 +0000 (+0100) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e28ac1f0498421d17bc88be4bfddc73048e02489;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch arm64-dts-rockchip-remove-redundant-max-link-speed-from-nanopi-r4s.patch asoc-codecs-wsa881x-drop-unused-version-readout.patch asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch bridge-mcast-fix-use-after-free-during-router-port-configuration.patch can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch dmaengine-stm32-dmamux-fix-device-leak-on-route-allocation.patch dmaengine-stm32-dmamux-fix-of-node-leak-on-route-allocation-failure.patch drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch fs-ntfs3-initialize-allocated-memory-before-use.patch iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch iio-core-add-missing-mutex_destroy-in-iio_dev_release.patch iio-core-add-separate-lockdep-class-for-info_exist_lock.patch ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch migrate-correct-lock-ordering-for-hugetlb-file-folios.patch mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch mm-page_alloc-prevent-pcp-corruption-with-smp-n.patch mm-rmap-fix-two-comments-related-to-huge_pmd_unshare.patch net-phy-allow-mdio-bus-pm-ops-to-start-stop-state-machine-for-phylink-controlled-phy.patch net-phy-fix-phy_uses_state_machine.patch net-phy-move-phy_link_change-prior-to-mdio_bus_phy_may_suspend.patch nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch nvme-fc-rename-free_ctrl-callback-to-match-name-pattern.patch nvme-fix-pcie-subsystem-reset-controller-state-transition.patch nvme-pci-do-not-directly-handle-subsys-reset-fallout.patch phy-phy-rockchip-inno-usb2-use-dev_err_probe-in-the-probe-path.patch phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch selftests-bpf-check-for-timeout-in-perf_link-test.patch usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch wifi-ath11k-fix-rcu-stall-while-reaping-monitor-destination-ring.patch x86-fpu-clear-xstate_bv-in-guest-xsave-state-whenever-xfd-1.patch --- diff --git a/queue-6.6/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch b/queue-6.6/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch new file mode 100644 index 0000000000..d59db261f1 --- /dev/null +++ b/queue-6.6/alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch @@ -0,0 +1,57 @@ +From stable+bounces-211893-greg=kroah.com@vger.kernel.org Tue Jan 27 22:08:43 2026 +From: Sasha Levin +Date: Tue, 27 Jan 2026 16:08:23 -0500 +Subject: ALSA: scarlett2: Fix buffer overflow in config retrieval +To: stable@vger.kernel.org +Cc: Samasth Norway Ananda , Takashi Iwai , Sasha Levin +Message-ID: <20260127210823.2165565-1-sashal@kernel.org> + +From: Samasth Norway Ananda + +[ Upstream commit 6f5c69f72e50d51be3a8c028ae7eda42c82902cb ] + +The scarlett2_usb_get_config() function has a logic error in the +endianness conversion code that can cause buffer overflows when +count > 1. + +The code checks `if (size == 2)` where `size` is the total buffer size in +bytes, then loops `count` times treating each element as u16 (2 bytes). +This causes the loop to access `count * 2` bytes when the buffer only +has `size` bytes allocated. + +Fix by checking the element size (config_item->size) instead of the +total buffer size. This ensures the endianness conversion matches the +actual element type. + +Fixes: ac34df733d2d ("ALSA: usb-audio: scarlett2: Update get_config to do endian conversion") +Cc: stable@vger.kernel.org +Signed-off-by: Samasth Norway Ananda +Link: https://patch.msgid.link/20260117012706.1715574-1-samasth.norway.ananda@oracle.com +Signed-off-by: Takashi Iwai +[ add 32-bit handling block ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_scarlett2.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/sound/usb/mixer_scarlett2.c ++++ b/sound/usb/mixer_scarlett2.c +@@ -1408,11 +1408,16 @@ static int scarlett2_usb_get_config( + err = scarlett2_usb_get(mixer, config_item->offset, buf, size); + if (err < 0) + return err; +- if (size == 2) { ++ if (config_item->size == 16) { + u16 *buf_16 = buf; + + for (i = 0; i < count; i++, buf_16++) + *buf_16 = le16_to_cpu(*(__le16 *)buf_16); ++ } else if (config_item->size == 32) { ++ u32 *buf_32 = (u32 *)buf; ++ ++ for (i = 0; i < count; i++, buf_32++) ++ *buf_32 = le32_to_cpu(*(__le32 *)buf_32); + } + return 0; + } diff --git a/queue-6.6/arm64-dts-rockchip-remove-redundant-max-link-speed-from-nanopi-r4s.patch b/queue-6.6/arm64-dts-rockchip-remove-redundant-max-link-speed-from-nanopi-r4s.patch new file mode 100644 index 0000000000..f6f39685bd --- /dev/null +++ b/queue-6.6/arm64-dts-rockchip-remove-redundant-max-link-speed-from-nanopi-r4s.patch @@ -0,0 +1,40 @@ +From stable+bounces-211648-greg=kroah.com@vger.kernel.org Mon Jan 26 17:17:49 2026 +From: Sasha Levin +Date: Mon, 26 Jan 2026 11:13:38 -0500 +Subject: arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s +To: stable@vger.kernel.org +Cc: Geraldo Nascimento , Dragan Simic , Shawn Lin , Heiko Stuebner , Sasha Levin +Message-ID: <20260126161339.3354675-1-sashal@kernel.org> + +From: Geraldo Nascimento + +[ Upstream commit ce652c98a7bfa0b7c675ef5cd85c44c186db96af ] + +This is already the default in rk3399-base.dtsi, remove redundant +declaration from rk3399-nanopi-r4s.dtsi. + +Fixes: db792e9adbf8 ("rockchip: rk3399: Add support for FriendlyARM NanoPi R4S") +Cc: stable@vger.kernel.org +Reported-by: Dragan Simic +Reviewed-by: Dragan Simic +Signed-off-by: Geraldo Nascimento +Acked-by: Shawn Lin +Link: https://patch.msgid.link/6694456a735844177c897581f785cc00c064c7d1.1763415706.git.geraldogabriel@gmail.com +Signed-off-by: Heiko Stuebner +[ adapted file path from rk3399-nanopi-r4s.dtsi to rk3399-nanopi-r4s.dts ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts +@@ -73,7 +73,6 @@ + }; + + &pcie0 { +- max-link-speed = <1>; + num-lanes = <1>; + vpcie3v3-supply = <&vcc3v3_sys>; + }; diff --git a/queue-6.6/asoc-codecs-wsa881x-drop-unused-version-readout.patch b/queue-6.6/asoc-codecs-wsa881x-drop-unused-version-readout.patch new file mode 100644 index 0000000000..1975a572d7 --- /dev/null +++ b/queue-6.6/asoc-codecs-wsa881x-drop-unused-version-readout.patch @@ -0,0 +1,43 @@ +From stable+bounces-210637-greg=kroah.com@vger.kernel.org Wed Jan 21 02:39:40 2026 +From: Sasha Levin +Date: Tue, 20 Jan 2026 20:39:05 -0500 +Subject: ASoC: codecs: wsa881x: Drop unused version readout +To: stable@vger.kernel.org +Cc: Krzysztof Kozlowski , Mark Brown , Sasha Levin +Message-ID: <20260121013906.1104336-1-sashal@kernel.org> + +From: Krzysztof Kozlowski + +[ Upstream commit 3d2a69eb503d15171a7ba51cf0b562728ac396b7 ] + +Driver does not use the device version after reading it from the +registers, so simplify by dropping unneeded code. + +Signed-off-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20240710-asoc-wsa88xx-version-v1-1-f1c54966ccde@linaro.org +Signed-off-by: Mark Brown +Stable-dep-of: 29d71b8a5a40 ("ASoC: codecs: wsa881x: fix unnecessary initialisation") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wsa881x.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/sound/soc/codecs/wsa881x.c ++++ b/sound/soc/codecs/wsa881x.c +@@ -680,7 +680,6 @@ struct wsa881x_priv { + * For backwards compatibility. + */ + unsigned int sd_n_val; +- int version; + int active_ports; + bool port_prepared[WSA881X_MAX_SWR_PORTS]; + bool port_enable[WSA881X_MAX_SWR_PORTS]; +@@ -691,7 +690,6 @@ static void wsa881x_init(struct wsa881x_ + struct regmap *rm = wsa881x->regmap; + unsigned int val = 0; + +- regmap_read(rm, WSA881X_CHIP_ID1, &wsa881x->version); + regmap_register_patch(wsa881x->regmap, wsa881x_rev_2_0, + ARRAY_SIZE(wsa881x_rev_2_0)); + diff --git a/queue-6.6/asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch b/queue-6.6/asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch new file mode 100644 index 0000000000..fd2be49425 --- /dev/null +++ b/queue-6.6/asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch @@ -0,0 +1,69 @@ +From stable+bounces-210638-greg=kroah.com@vger.kernel.org Wed Jan 21 02:40:14 2026 +From: Sasha Levin +Date: Tue, 20 Jan 2026 20:39:06 -0500 +Subject: ASoC: codecs: wsa881x: fix unnecessary initialisation +To: stable@vger.kernel.org +Cc: Johan Hovold , Srinivas Kandagatla , Krzysztof Kozlowski , Srinivas Kandagatla , Mark Brown , Sasha Levin +Message-ID: <20260121013906.1104336-2-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 29d71b8a5a40708b3eed9ba4953bfc2312c9c776 ] + +The soundwire update_status() callback may be called multiple times with +the same ATTACHED status but initialisation should only be done when +transitioning from UNATTACHED to ATTACHED. + +Fixes: a0aab9e1404a ("ASoC: codecs: add wsa881x amplifier support") +Cc: stable@vger.kernel.org # 5.6 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260102111413.9605-3-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wsa881x.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/soc/codecs/wsa881x.c ++++ b/sound/soc/codecs/wsa881x.c +@@ -681,6 +681,7 @@ struct wsa881x_priv { + */ + unsigned int sd_n_val; + int active_ports; ++ bool hw_init; + bool port_prepared[WSA881X_MAX_SWR_PORTS]; + bool port_enable[WSA881X_MAX_SWR_PORTS]; + }; +@@ -690,6 +691,9 @@ static void wsa881x_init(struct wsa881x_ + struct regmap *rm = wsa881x->regmap; + unsigned int val = 0; + ++ if (wsa881x->hw_init) ++ return; ++ + regmap_register_patch(wsa881x->regmap, wsa881x_rev_2_0, + ARRAY_SIZE(wsa881x_rev_2_0)); + +@@ -727,6 +731,8 @@ static void wsa881x_init(struct wsa881x_ + regmap_update_bits(rm, WSA881X_OTP_REG_28, 0x3F, 0x3A); + regmap_update_bits(rm, WSA881X_BONGO_RESRV_REG1, 0xFF, 0xB2); + regmap_update_bits(rm, WSA881X_BONGO_RESRV_REG2, 0xFF, 0x05); ++ ++ wsa881x->hw_init = true; + } + + static int wsa881x_component_probe(struct snd_soc_component *comp) +@@ -1071,6 +1077,9 @@ static int wsa881x_update_status(struct + { + struct wsa881x_priv *wsa881x = dev_get_drvdata(&slave->dev); + ++ if (status == SDW_SLAVE_UNATTACHED) ++ wsa881x->hw_init = false; ++ + if (status == SDW_SLAVE_ATTACHED && slave->dev_num > 0) + wsa881x_init(wsa881x); + diff --git a/queue-6.6/asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch b/queue-6.6/asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch new file mode 100644 index 0000000000..efae3a898a --- /dev/null +++ b/queue-6.6/asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch @@ -0,0 +1,80 @@ +From stable+bounces-210384-greg=kroah.com@vger.kernel.org Mon Jan 19 18:22:37 2026 +From: Sasha Levin +Date: Mon, 19 Jan 2026 11:58:47 -0500 +Subject: ASoC: codecs: wsa883x: fix unnecessary initialisation +To: stable@vger.kernel.org +Cc: Johan Hovold , Srinivas Kandagatla , Krzysztof Kozlowski , Srinivas Kandagatla , Mark Brown , Sasha Levin +Message-ID: <20260119165847.3262757-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 49aadf830eb048134d33ad7329d92ecff45d8dbb ] + +The soundwire update_status() callback may be called multiple times with +the same ATTACHED status but initialisation should only be done when +transitioning from UNATTACHED to ATTACHED. + +This avoids repeated initialisation of the codecs during boot of +machines like the Lenovo ThinkPad X13s: + +[ 11.614523] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.618022] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.621377] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.624065] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.631382] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.634424] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2 + +Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support") +Cc: stable@vger.kernel.org # 6.0 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260102111413.9605-2-johan@kernel.org +Signed-off-by: Mark Brown +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wsa883x.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/soc/codecs/wsa883x.c ++++ b/sound/soc/codecs/wsa883x.c +@@ -444,6 +444,7 @@ struct wsa883x_priv { + int active_ports; + int dev_mode; + int comp_offset; ++ bool hw_init; + }; + + enum { +@@ -1003,6 +1004,9 @@ static int wsa883x_init(struct wsa883x_p + struct regmap *regmap = wsa883x->regmap; + int variant, version, ret; + ++ if (wsa883x->hw_init) ++ return 0; ++ + ret = regmap_read(regmap, WSA883X_OTP_REG_0, &variant); + if (ret) + return ret; +@@ -1046,6 +1050,8 @@ static int wsa883x_init(struct wsa883x_p + wsa883x->comp_offset); + } + ++ wsa883x->hw_init = true; ++ + return 0; + } + +@@ -1054,6 +1060,9 @@ static int wsa883x_update_status(struct + { + struct wsa883x_priv *wsa883x = dev_get_drvdata(&slave->dev); + ++ if (status == SDW_SLAVE_UNATTACHED) ++ wsa883x->hw_init = false; ++ + if (status == SDW_SLAVE_ATTACHED && slave->dev_num > 0) + return wsa883x_init(wsa883x); + diff --git a/queue-6.6/bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch b/queue-6.6/bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch new file mode 100644 index 0000000000..83f7ea31db --- /dev/null +++ b/queue-6.6/bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch @@ -0,0 +1,78 @@ +From 04a899573fb87273a656f178b5f920c505f68875 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Mon, 20 Oct 2025 09:54:41 +0200 +Subject: bpf: Do not let BPF test infra emit invalid GSO types to stack + +From: Daniel Borkmann + +commit 04a899573fb87273a656f178b5f920c505f68875 upstream. + +Yinhao et al. reported that their fuzzer tool was able to trigger a +skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). +When a BPF program - triggered via BPF test infra - pushes the packet +to the loopback device via bpf_clone_redirect() then mentioned offload +warning can be seen. GSO-related features are then rightfully disabled. + +We get into this situation due to convert___skb_to_skb() setting +gso_segs and gso_size but not gso_type. Technically, it makes sense +that this warning triggers since the GSO properties are malformed due +to the gso_type. Potentially, the gso_type could be marked non-trustworthy +through setting it at least to SKB_GSO_DODGY without any other specific +assumptions, but that also feels wrong given we should not go further +into the GSO engine in the first place. + +The checks were added in 121d57af308d ("gso: validate gso_type in GSO +handlers") because there were malicious (syzbot) senders that combine +a protocol with a non-matching gso_type. If we would want to drop such +packets, gso_features_check() currently only returns feature flags via +netif_skb_features(), so one location for potentially dropping such skbs +could be validate_xmit_unreadable_skb(), but then otoh it would be +an additional check in the fast-path for a very corner case. Given +bpf_clone_redirect() is the only place where BPF test infra could emit +such packets, lets reject them right there. + +Fixes: 850a88cc4096 ("bpf: Expose __sk_buff wire_len/gso_segs to BPF_PROG_TEST_RUN") +Fixes: cf62089b0edd ("bpf: Add gso_size to __sk_buff") +Reported-by: Yinhao Hu +Reported-by: Kaiyan Mei +Reported-by: Dongliang Mu +Signed-off-by: Daniel Borkmann +Signed-off-by: Martin KaFai Lau +Link: https://patch.msgid.link/20251020075441.127980-1-daniel@iogearbox.net +Signed-off-by: Shung-Hsi Yu +Signed-off-by: Greg Kroah-Hartman +--- + net/bpf/test_run.c | 5 +++++ + net/core/filter.c | 7 +++++++ + 2 files changed, 12 insertions(+) + +--- a/net/bpf/test_run.c ++++ b/net/bpf/test_run.c +@@ -914,6 +914,11 @@ static int convert___skb_to_skb(struct s + + if (__skb->gso_segs > GSO_MAX_SEGS) + return -EINVAL; ++ ++ /* Currently GSO type is zero/unset. If this gets extended with ++ * a small list of accepted GSO types in future, the filter for ++ * an unset GSO type in bpf_clone_redirect() can be lifted. ++ */ + skb_shinfo(skb)->gso_segs = __skb->gso_segs; + skb_shinfo(skb)->gso_size = __skb->gso_size; + skb_shinfo(skb)->hwtstamps.hwtstamp = __skb->hwtstamp; +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2451,6 +2451,13 @@ BPF_CALL_3(bpf_clone_redirect, struct sk + if (unlikely(flags & (~(BPF_F_INGRESS) | BPF_F_REDIRECT_INTERNAL))) + return -EINVAL; + ++ /* BPF test infra's convert___skb_to_skb() can create type-less ++ * GSO packets. gso_features_check() will detect this as a bad ++ * offload. However, lets not leak them out in the first place. ++ */ ++ if (unlikely(skb_is_gso(skb) && !skb_shinfo(skb)->gso_type)) ++ return -EBADMSG; ++ + dev = dev_get_by_index_rcu(dev_net(skb->dev), ifindex); + if (unlikely(!dev)) + return -EINVAL; diff --git a/queue-6.6/bridge-mcast-fix-use-after-free-during-router-port-configuration.patch b/queue-6.6/bridge-mcast-fix-use-after-free-during-router-port-configuration.patch new file mode 100644 index 0000000000..29e28c9827 --- /dev/null +++ b/queue-6.6/bridge-mcast-fix-use-after-free-during-router-port-configuration.patch @@ -0,0 +1,179 @@ +From 7544f3f5b0b58c396f374d060898b5939da31709 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Thu, 19 Jun 2025 21:22:28 +0300 +Subject: bridge: mcast: Fix use-after-free during router port configuration + +From: Ido Schimmel + +commit 7544f3f5b0b58c396f374d060898b5939da31709 upstream. + +The bridge maintains a global list of ports behind which a multicast +router resides. The list is consulted during forwarding to ensure +multicast packets are forwarded to these ports even if the ports are not +member in the matching MDB entry. + +When per-VLAN multicast snooping is enabled, the per-port multicast +context is disabled on each port and the port is removed from the global +router port list: + + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 + # ip link add name dummy1 up master br1 type dummy + # ip link set dev dummy1 type bridge_slave mcast_router 2 + $ bridge -d mdb show | grep router + router ports on br1: dummy1 + # ip link set dev br1 type bridge mcast_vlan_snooping 1 + $ bridge -d mdb show | grep router + +However, the port can be re-added to the global list even when per-VLAN +multicast snooping is enabled: + + # ip link set dev dummy1 type bridge_slave mcast_router 0 + # ip link set dev dummy1 type bridge_slave mcast_router 2 + $ bridge -d mdb show | grep router + router ports on br1: dummy1 + +Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement +br_multicast_{enable, disable}_port functions"), when per-VLAN multicast +snooping is enabled, multicast disablement on a port will disable the +per-{port, VLAN} multicast contexts and not the per-port one. As a +result, a port will remain in the global router port list even after it +is deleted. This will lead to a use-after-free [1] when the list is +traversed (when adding a new port to the list, for example): + + # ip link del dev dummy1 + # ip link add name dummy2 up master br1 type dummy + # ip link set dev dummy2 type bridge_slave mcast_router 2 + +Similarly, stale entries can also be found in the per-VLAN router port +list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} +contexts are disabled on each port and the port is removed from the +per-VLAN router port list: + + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 + # ip link add name dummy1 up master br1 type dummy + # bridge vlan add vid 2 dev dummy1 + # bridge vlan global set vid 2 dev br1 mcast_snooping 1 + # bridge vlan set vid 2 dev dummy1 mcast_router 2 + $ bridge vlan global show dev br1 vid 2 | grep router + router ports: dummy1 + # ip link set dev br1 type bridge mcast_vlan_snooping 0 + $ bridge vlan global show dev br1 vid 2 | grep router + +However, the port can be re-added to the per-VLAN list even when +per-VLAN multicast snooping is disabled: + + # bridge vlan set vid 2 dev dummy1 mcast_router 0 + # bridge vlan set vid 2 dev dummy1 mcast_router 2 + $ bridge vlan global show dev br1 vid 2 | grep router + router ports: dummy1 + +When the VLAN is deleted from the port, the per-{port, VLAN} multicast +context will not be disabled since multicast snooping is not enabled +on the VLAN. As a result, the port will remain in the per-VLAN router +port list even after it is no longer member in the VLAN. This will lead +to a use-after-free [2] when the list is traversed (when adding a new +port to the list, for example): + + # ip link add name dummy2 up master br1 type dummy + # bridge vlan add vid 2 dev dummy2 + # bridge vlan del vid 2 dev dummy1 + # bridge vlan set vid 2 dev dummy2 mcast_router 2 + +Fix these issues by removing the port from the relevant (global or +per-VLAN) router port list in br_multicast_port_ctx_deinit(). The +function is invoked during port deletion with the per-port multicast +context and during VLAN deletion with the per-{port, VLAN} multicast +context. + +Note that deleting the multicast router timer is not enough as it only +takes care of the temporary multicast router states (1 or 3) and not the +permanent one (2). + +[1] +BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 +Write of size 8 at addr ffff888004a67328 by task ip/384 +[...] +Call Trace: + + dump_stack_lvl+0x6f/0xa0 + print_address_description.constprop.0+0x6f/0x350 + print_report+0x108/0x205 + kasan_report+0xdf/0x110 + br_multicast_add_router.part.0+0x3f1/0x560 + br_multicast_set_port_router+0x74e/0xac0 + br_setport+0xa55/0x1870 + br_port_slave_changelink+0x95/0x120 + __rtnl_newlink+0x5e8/0xa40 + rtnl_newlink+0x627/0xb00 + rtnetlink_rcv_msg+0x6fb/0xb70 + netlink_rcv_skb+0x11f/0x350 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + __sys_sendmsg+0x124/0x1c0 + do_syscall_64+0xbb/0x360 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] +BUG: KASAN: slab-use-after-free in br_multicast_add_router.part.0+0x378/0x560 +Read of size 8 at addr ffff888009f00840 by task bridge/391 +[...] +Call Trace: + + dump_stack_lvl+0x6f/0xa0 + print_address_description.constprop.0+0x6f/0x350 + print_report+0x108/0x205 + kasan_report+0xdf/0x110 + br_multicast_add_router.part.0+0x378/0x560 + br_multicast_set_port_router+0x6f9/0xac0 + br_vlan_process_options+0x8b6/0x1430 + br_vlan_rtm_process_one+0x605/0xa30 + br_vlan_rtm_process+0x396/0x4c0 + rtnetlink_rcv_msg+0x2f7/0xb70 + netlink_rcv_skb+0x11f/0x350 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + __sys_sendmsg+0x124/0x1c0 + do_syscall_64+0xbb/0x360 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: 2796d846d74a ("net: bridge: vlan: convert mcast router global option to per-vlan entry") +Fixes: 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions") +Reported-by: syzbot+7bfa4b72c6a5da128d32@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/684c18bd.a00a0220.279073.000b.GAE@google.com/T/ +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20250619182228.1656906-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2013,10 +2013,19 @@ void br_multicast_port_ctx_init(struct n + + void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pmctx) + { ++ struct net_bridge *br = pmctx->port->br; ++ bool del = false; ++ + #if IS_ENABLED(CONFIG_IPV6) + del_timer_sync(&pmctx->ip6_mc_router_timer); + #endif + del_timer_sync(&pmctx->ip4_mc_router_timer); ++ ++ spin_lock_bh(&br->multicast_lock); ++ del |= br_ip6_multicast_rport_del(pmctx); ++ del |= br_ip4_multicast_rport_del(pmctx); ++ br_multicast_rport_del_notify(pmctx, del); ++ spin_unlock_bh(&br->multicast_lock); + } + + int br_multicast_add_port(struct net_bridge_port *port) diff --git a/queue-6.6/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.6/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..70ec23bef6 --- /dev/null +++ b/queue-6.6/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch @@ -0,0 +1,59 @@ +From 5a4391bdc6c8357242f62f22069c865b792406b3 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 5a4391bdc6c8357242f62f22069c865b792406b3 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In esd_usb_open(), the URBs for USB-in transfers are allocated, added to +the dev->rx_submitted anchor and submitted. In the complete callback +esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In +esd_usb_close() the URBs are freed by calling +usb_kill_anchored_urbs(&dev->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in esd_usb_close(). + +Fix the memory leak by anchoring the URB in the +esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. + +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-2-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/esd_usb.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/esd_usb.c ++++ b/drivers/net/can/usb/esd_usb.c +@@ -539,13 +539,20 @@ resubmit_urb: + urb->transfer_buffer, ESD_USB_RX_BUFFER_SIZE, + esd_usb_read_bulk_callback, dev); + ++ usb_anchor_urb(urb, &dev->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); ++ + if (retval == -ENODEV) { + for (i = 0; i < dev->net_count; i++) { + if (dev->nets[i]) + netif_device_detach(dev->nets[i]->netdev); + } +- } else if (retval) { ++ } else { + dev_err(dev->udev->dev.parent, + "failed resubmitting read bulk urb: %d\n", retval); + } diff --git a/queue-6.6/dmaengine-stm32-dmamux-fix-device-leak-on-route-allocation.patch b/queue-6.6/dmaengine-stm32-dmamux-fix-device-leak-on-route-allocation.patch new file mode 100644 index 0000000000..09c3695b99 --- /dev/null +++ b/queue-6.6/dmaengine-stm32-dmamux-fix-device-leak-on-route-allocation.patch @@ -0,0 +1,91 @@ +From stable+bounces-210737-greg=kroah.com@vger.kernel.org Wed Jan 21 13:25:00 2026 +From: Sasha Levin +Date: Wed, 21 Jan 2026 07:15:50 -0500 +Subject: dmaengine: stm32: dmamux: fix device leak on route allocation +To: stable@vger.kernel.org +Cc: Johan Hovold , Pierre-Yves MORDRET , Amelie Delaunay , Vinod Koul , Sasha Levin +Message-ID: <20260121121550.1523155-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit dd6e4943889fb354efa3f700e42739da9bddb6ef ] + +Make sure to drop the reference taken when looking up the DMA mux +platform device during route allocation. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Fixes: df7e762db5f6 ("dmaengine: Add STM32 DMAMUX driver") +Cc: stable@vger.kernel.org # 4.15 +Cc: Pierre-Yves MORDRET +Signed-off-by: Johan Hovold +Reviewed-by: Amelie Delaunay +Link: https://patch.msgid.link/20251117161258.10679-11-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/stm32-dmamux.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/dma/stm32-dmamux.c ++++ b/drivers/dma/stm32-dmamux.c +@@ -90,23 +90,25 @@ static void *stm32_dmamux_route_allocate + struct stm32_dmamux_data *dmamux = platform_get_drvdata(pdev); + struct stm32_dmamux *mux; + u32 i, min, max; +- int ret; ++ int ret = -EINVAL; + unsigned long flags; + + if (dma_spec->args_count != 3) { + dev_err(&pdev->dev, "invalid number of dma mux args\n"); +- return ERR_PTR(-EINVAL); ++ goto err_put_pdev; + } + + if (dma_spec->args[0] > dmamux->dmamux_requests) { + dev_err(&pdev->dev, "invalid mux request number: %d\n", + dma_spec->args[0]); +- return ERR_PTR(-EINVAL); ++ goto err_put_pdev; + } + + mux = kzalloc(sizeof(*mux), GFP_KERNEL); +- if (!mux) +- return ERR_PTR(-ENOMEM); ++ if (!mux) { ++ ret = -ENOMEM; ++ goto err_put_pdev; ++ } + + spin_lock_irqsave(&dmamux->lock, flags); + mux->chan_id = find_first_zero_bit(dmamux->dma_inuse, +@@ -133,7 +135,6 @@ static void *stm32_dmamux_route_allocate + dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", i - 1); + if (!dma_spec->np) { + dev_err(&pdev->dev, "can't get dma master\n"); +- ret = -EINVAL; + goto error; + } + +@@ -160,6 +161,8 @@ static void *stm32_dmamux_route_allocate + dev_dbg(&pdev->dev, "Mapping DMAMUX(%u) to DMA%u(%u)\n", + mux->request, mux->master, mux->chan_id); + ++ put_device(&pdev->dev); ++ + return mux; + + error: +@@ -167,6 +170,9 @@ error: + + error_chan_id: + kfree(mux); ++err_put_pdev: ++ put_device(&pdev->dev); ++ + return ERR_PTR(ret); + } + diff --git a/queue-6.6/dmaengine-stm32-dmamux-fix-of-node-leak-on-route-allocation-failure.patch b/queue-6.6/dmaengine-stm32-dmamux-fix-of-node-leak-on-route-allocation-failure.patch new file mode 100644 index 0000000000..e6fb1bde28 --- /dev/null +++ b/queue-6.6/dmaengine-stm32-dmamux-fix-of-node-leak-on-route-allocation-failure.patch @@ -0,0 +1,48 @@ +From stable+bounces-210740-greg=kroah.com@vger.kernel.org Wed Jan 21 13:23:53 2026 +From: Sasha Levin +Date: Wed, 21 Jan 2026 07:20:47 -0500 +Subject: dmaengine: stm32: dmamux: fix OF node leak on route allocation failure +To: stable@vger.kernel.org +Cc: Johan Hovold , Pierre-Yves MORDRET , Amelie Delaunay , Vinod Koul , Sasha Levin +Message-ID: <20260121122047.1526648-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit b1b590a590af13ded598e70f0b72bc1e515787a1 ] + +Make sure to drop the reference taken to the DMA master OF node also on +late route allocation failures. + +Fixes: df7e762db5f6 ("dmaengine: Add STM32 DMAMUX driver") +Cc: stable@vger.kernel.org # 4.15 +Cc: Pierre-Yves MORDRET +Signed-off-by: Johan Hovold +Reviewed-by: Amelie Delaunay +Link: https://patch.msgid.link/20251117161258.10679-12-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/stm32-dmamux.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/dma/stm32-dmamux.c ++++ b/drivers/dma/stm32-dmamux.c +@@ -143,7 +143,7 @@ static void *stm32_dmamux_route_allocate + ret = pm_runtime_resume_and_get(&pdev->dev); + if (ret < 0) { + spin_unlock_irqrestore(&dmamux->lock, flags); +- goto error; ++ goto err_put_dma_spec_np; + } + spin_unlock_irqrestore(&dmamux->lock, flags); + +@@ -165,6 +165,8 @@ static void *stm32_dmamux_route_allocate + + return mux; + ++err_put_dma_spec_np: ++ of_node_put(dma_spec->np); + error: + clear_bit(mux->chan_id, dmamux->dma_inuse); + diff --git a/queue-6.6/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch b/queue-6.6/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch new file mode 100644 index 0000000000..b8aa73e35a --- /dev/null +++ b/queue-6.6/drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch @@ -0,0 +1,64 @@ +From stable+bounces-211919-greg=kroah.com@vger.kernel.org Wed Jan 28 04:22:57 2026 +From: Li hongliang <1468888505@139.com> +Date: Wed, 28 Jan 2026 11:22:38 +0800 +Subject: drm/amdgpu: csa unmap use uninterruptible lock +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org +Message-ID: <20260128032238.1182576-1-1468888505@139.com> + +From: Philip Yang + +[ Upstream commit a0fa7873f2f869087b1e7793f7fac3713a1e3afe ] + +After process exit to unmap csa and free GPU vm, if signal is accepted +and then waiting to take vm lock is interrupted and return, it causes +memory leaking and below warning backtrace. + +Change to use uninterruptible wait lock fix the issue. + +WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525 + amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu] + Call Trace: + + drm_file_free.part.0+0x1da/0x230 [drm] + drm_close_helper.isra.0+0x65/0x70 [drm] + drm_release+0x6a/0x120 [drm] + amdgpu_drm_release+0x51/0x60 [amdgpu] + __fput+0x9f/0x280 + ____fput+0xe/0x20 + task_work_run+0x67/0xa0 + do_exit+0x217/0x3c0 + do_group_exit+0x3b/0xb0 + get_signal+0x14a/0x8d0 + arch_do_signal_or_restart+0xde/0x100 + exit_to_user_mode_loop+0xc1/0x1a0 + exit_to_user_mode_prepare+0xf4/0x100 + syscall_exit_to_user_mode+0x17/0x40 + do_syscall_64+0x69/0xc0 + +Signed-off-by: Philip Yang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab) +Cc: stable@vger.kernel.org +[The third parameter of drm_exec_init() was introduced by commit + 05d249352f1a ("drm/exec: Pass in initial # of objects") after Linux 6.8. + This code targets linux 6.6, so the current implementation is used + and the third parameter is not needed.] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c +@@ -110,7 +110,7 @@ int amdgpu_unmap_static_csa(struct amdgp + struct drm_exec exec; + int r; + +- drm_exec_init(&exec, DRM_EXEC_INTERRUPTIBLE_WAIT); ++ drm_exec_init(&exec, 0); + drm_exec_until_all_locked(&exec) { + r = amdgpu_vm_lock_pd(vm, &exec, 0); + if (likely(!r)) diff --git a/queue-6.6/fs-ntfs3-initialize-allocated-memory-before-use.patch b/queue-6.6/fs-ntfs3-initialize-allocated-memory-before-use.patch new file mode 100644 index 0000000000..11585a868b --- /dev/null +++ b/queue-6.6/fs-ntfs3-initialize-allocated-memory-before-use.patch @@ -0,0 +1,75 @@ +From stable+bounces-211342-greg=kroah.com@vger.kernel.org Fri Jan 23 08:03:23 2026 +From: Li hongliang <1468888505@139.com> +Date: Fri, 23 Jan 2026 14:57:53 +0800 +Subject: fs/ntfs3: Initialize allocated memory before use +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, kubik.bartlomiej@gmail.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, khalid@kernel.org, almaz.alexandrovich@paragon-software.com, ntfs3@lists.linux.dev +Message-ID: <20260123065753.4067735-1-1468888505@139.com> + +From: Bartlomiej Kubik + +[ Upstream commit a8a3ca23bbd9d849308a7921a049330dc6c91398 ] + +KMSAN reports: Multiple uninitialized values detected: + +- KMSAN: uninit-value in ntfs_read_hdr (3) +- KMSAN: uninit-value in bcmp (3) + +Memory is allocated by __getname(), which is a wrapper for +kmem_cache_alloc(). This memory is used before being properly +cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to +properly allocate and clear memory before use. + +Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") +Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations") +Tested-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com +Reported-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=332bd4e9d148f11a87dc + +Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") +Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations") +Tested-by: syzbot+0399100e525dd9696764@syzkaller.appspotmail.com +Reported-by: syzbot+0399100e525dd9696764@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0399100e525dd9696764 + +Reviewed-by: Khalid Aziz +Signed-off-by: Bartlomiej Kubik +Signed-off-by: Konstantin Komarov +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/inode.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -1327,7 +1327,7 @@ struct inode *ntfs_create_inode(struct m + fa |= FILE_ATTRIBUTE_READONLY; + + /* Allocate PATH_MAX bytes. */ +- new_de = __getname(); ++ new_de = kmem_cache_zalloc(names_cachep, GFP_KERNEL); + if (!new_de) { + err = -ENOMEM; + goto out1; +@@ -1756,10 +1756,9 @@ int ntfs_link_inode(struct inode *inode, + struct NTFS_DE *de; + + /* Allocate PATH_MAX bytes. */ +- de = __getname(); ++ de = kmem_cache_zalloc(names_cachep, GFP_KERNEL); + if (!de) + return -ENOMEM; +- memset(de, 0, PATH_MAX); + + /* Mark rw ntfs as dirty. It will be cleared at umount. */ + ntfs_set_state(sbi, NTFS_DIRTY_DIRTY); +@@ -1795,7 +1794,7 @@ int ntfs_unlink_inode(struct inode *dir, + return -EINVAL; + + /* Allocate PATH_MAX bytes. */ +- de = __getname(); ++ de = kmem_cache_zalloc(names_cachep, GFP_KERNEL); + if (!de) + return -ENOMEM; + diff --git a/queue-6.6/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch b/queue-6.6/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch new file mode 100644 index 0000000000..f14c633ff9 --- /dev/null +++ b/queue-6.6/iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch @@ -0,0 +1,69 @@ +From stable+bounces-211880-greg=kroah.com@vger.kernel.org Tue Jan 27 19:26:31 2026 +From: Sasha Levin +Date: Tue, 27 Jan 2026 13:26:19 -0500 +Subject: iio: adc: exynos_adc: fix OF populate on driver rebind +To: stable@vger.kernel.org +Cc: Johan Hovold , Krzysztof Kozlowski , Jonathan Cameron , Sasha Levin +Message-ID: <20260127182619.2050612-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit ea6b4feba85e996e840e0b661bc42793df6eb701 ] + +Since commit c6e126de43e7 ("of: Keep track of populated platform +devices") child devices will not be created by of_platform_populate() +if the devices had previously been deregistered individually so that the +OF_POPULATED flag is still set in the corresponding OF nodes. + +Switch to using of_platform_depopulate() instead of open coding so that +the child devices are created if the driver is rebound. + +Fixes: c6e126de43e7 ("of: Keep track of populated platform devices") +Cc: stable@vger.kernel.org # 3.16 +Signed-off-by: Johan Hovold +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jonathan Cameron +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/exynos_adc.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +--- a/drivers/iio/adc/exynos_adc.c ++++ b/drivers/iio/adc/exynos_adc.c +@@ -721,14 +721,7 @@ static const struct iio_chan_spec exynos + ADC_CHANNEL(9, "adc9"), + }; + +-static int exynos_adc_remove_devices(struct device *dev, void *c) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- +- platform_device_unregister(pdev); + +- return 0; +-} + + static int exynos_adc_ts_open(struct input_dev *dev) + { +@@ -929,8 +922,7 @@ static int exynos_adc_probe(struct platf + return 0; + + err_of_populate: +- device_for_each_child(&indio_dev->dev, NULL, +- exynos_adc_remove_devices); ++ of_platform_depopulate(&indio_dev->dev); + if (has_ts) { + input_unregister_device(info->input); + free_irq(info->tsirq, info); +@@ -959,8 +951,7 @@ static int exynos_adc_remove(struct plat + free_irq(info->tsirq, info); + input_unregister_device(info->input); + } +- device_for_each_child(&indio_dev->dev, NULL, +- exynos_adc_remove_devices); ++ of_platform_depopulate(&indio_dev->dev); + iio_device_unregister(indio_dev); + free_irq(info->irq, info); + if (info->data->exit_hw) diff --git a/queue-6.6/iio-core-add-missing-mutex_destroy-in-iio_dev_release.patch b/queue-6.6/iio-core-add-missing-mutex_destroy-in-iio_dev_release.patch new file mode 100644 index 0000000000..94274f90ec --- /dev/null +++ b/queue-6.6/iio-core-add-missing-mutex_destroy-in-iio_dev_release.patch @@ -0,0 +1,65 @@ +From stable+bounces-211672-greg=kroah.com@vger.kernel.org Mon Jan 26 19:29:01 2026 +From: Sasha Levin +Date: Mon, 26 Jan 2026 13:28:54 -0500 +Subject: iio: core: add missing mutex_destroy in iio_dev_release() +To: stable@vger.kernel.org +Cc: "Andy Shevchenko" , "Nuno Sá" , "Jonathan Cameron" , "Sasha Levin" +Message-ID: <20260126182855.3622441-1-sashal@kernel.org> + +From: Andy Shevchenko + +[ Upstream commit f5d203467a31798191365efeb16cd619d2c8f23a ] + +Add missing mutex_destroy() call in iio_dev_release() to properly +clean up the mutex initialized in iio_device_alloc(). Ensure proper +resource cleanup and follows kernel practices. + +Found by code review. + +While at it, create a lockdep key before mutex initialisation. +This will help with converting it to the better API in the future. + +Fixes: 847ec80bbaa7 ("Staging: IIO: core support for device registration and management") +Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister under lock.") +Signed-off-by: Andy Shevchenko +Reviewed-by: Nuno Sá +Signed-off-by: Jonathan Cameron +Stable-dep-of: 9910159f0659 ("iio: core: add separate lockdep class for info_exist_lock") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -1618,6 +1618,9 @@ static void iio_dev_release(struct devic + + iio_device_detach_buffers(indio_dev); + ++ mutex_destroy(&iio_dev_opaque->info_exist_lock); ++ mutex_destroy(&iio_dev_opaque->mlock); ++ + lockdep_unregister_key(&iio_dev_opaque->mlock_key); + + ida_free(&iio_ida, iio_dev_opaque->id); +@@ -1663,8 +1666,7 @@ struct iio_dev *iio_device_alloc(struct + indio_dev->dev.type = &iio_device_type; + indio_dev->dev.bus = &iio_bus_type; + device_initialize(&indio_dev->dev); +- mutex_init(&iio_dev_opaque->mlock); +- mutex_init(&iio_dev_opaque->info_exist_lock); ++ + INIT_LIST_HEAD(&iio_dev_opaque->channel_attr_list); + + iio_dev_opaque->id = ida_alloc(&iio_ida, GFP_KERNEL); +@@ -1687,6 +1689,9 @@ struct iio_dev *iio_device_alloc(struct + lockdep_register_key(&iio_dev_opaque->mlock_key); + lockdep_set_class(&iio_dev_opaque->mlock, &iio_dev_opaque->mlock_key); + ++ mutex_init(&iio_dev_opaque->mlock); ++ mutex_init(&iio_dev_opaque->info_exist_lock); ++ + return indio_dev; + } + EXPORT_SYMBOL(iio_device_alloc); diff --git a/queue-6.6/iio-core-add-separate-lockdep-class-for-info_exist_lock.patch b/queue-6.6/iio-core-add-separate-lockdep-class-for-info_exist_lock.patch new file mode 100644 index 0000000000..d33304412d --- /dev/null +++ b/queue-6.6/iio-core-add-separate-lockdep-class-for-info_exist_lock.patch @@ -0,0 +1,114 @@ +From stable+bounces-211673-greg=kroah.com@vger.kernel.org Mon Jan 26 19:29:03 2026 +From: Sasha Levin +Date: Mon, 26 Jan 2026 13:28:55 -0500 +Subject: iio: core: add separate lockdep class for info_exist_lock +To: stable@vger.kernel.org +Cc: Rasmus Villemoes , Peter Rosin , Jonathan Cameron , Sasha Levin +Message-ID: <20260126182855.3622441-2-sashal@kernel.org> + +From: Rasmus Villemoes + +[ Upstream commit 9910159f06590c17df4fbddedaabb4c0201cc4cb ] + +When one iio device is a consumer of another, it is possible that +the ->info_exist_lock of both ends up being taken when reading the +value of the consumer device. + +Since they currently belong to the same lockdep class (being +initialized in a single location with mutex_init()), that results in a +lockdep warning + + CPU0 + ---- + lock(&iio_dev_opaque->info_exist_lock); + lock(&iio_dev_opaque->info_exist_lock); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + + 4 locks held by sensors/414: + #0: c31fd6dc (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0x44/0x4e4 + #1: c4f5a1c4 (&of->mutex){+.+.}-{3:3}, at: kernfs_seq_start+0x1c/0xac + #2: c2827548 (kn->active#34){.+.+}-{0:0}, at: kernfs_seq_start+0x30/0xac + #3: c1dd2b68 (&iio_dev_opaque->info_exist_lock){+.+.}-{3:3}, at: iio_read_channel_processed_scale+0x24/0xd8 + + stack backtrace: + CPU: 0 UID: 0 PID: 414 Comm: sensors Not tainted 6.17.11 #5 NONE + Hardware name: Generic AM33XX (Flattened Device Tree) + Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x44/0x60 + dump_stack_lvl from print_deadlock_bug+0x2b8/0x334 + print_deadlock_bug from __lock_acquire+0x13a4/0x2ab0 + __lock_acquire from lock_acquire+0xd0/0x2c0 + lock_acquire from __mutex_lock+0xa0/0xe8c + __mutex_lock from mutex_lock_nested+0x1c/0x24 + mutex_lock_nested from iio_read_channel_raw+0x20/0x6c + iio_read_channel_raw from rescale_read_raw+0x128/0x1c4 + rescale_read_raw from iio_channel_read+0xe4/0xf4 + iio_channel_read from iio_read_channel_processed_scale+0x6c/0xd8 + iio_read_channel_processed_scale from iio_hwmon_read_val+0x68/0xbc + iio_hwmon_read_val from dev_attr_show+0x18/0x48 + dev_attr_show from sysfs_kf_seq_show+0x80/0x110 + sysfs_kf_seq_show from seq_read_iter+0xdc/0x4e4 + seq_read_iter from vfs_read+0x238/0x2e4 + vfs_read from ksys_read+0x6c/0xec + ksys_read from ret_fast_syscall+0x0/0x1c + +Just as the mlock_key already has its own lockdep class, add a +lock_class_key for the info_exist mutex. + +Note that this has in theory been a problem since before IIO first +left staging, but it only occurs when a chain of consumers is in use +and that is not often done. + +Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister under lock.") +Signed-off-by: Rasmus Villemoes +Reviewed-by: Peter Rosin +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-core.c | 3 ++- + include/linux/iio/iio-opaque.h | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -1621,6 +1621,7 @@ static void iio_dev_release(struct devic + mutex_destroy(&iio_dev_opaque->info_exist_lock); + mutex_destroy(&iio_dev_opaque->mlock); + ++ lockdep_unregister_key(&iio_dev_opaque->info_exist_key); + lockdep_unregister_key(&iio_dev_opaque->mlock_key); + + ida_free(&iio_ida, iio_dev_opaque->id); +@@ -1687,7 +1688,7 @@ struct iio_dev *iio_device_alloc(struct + INIT_LIST_HEAD(&iio_dev_opaque->ioctl_handlers); + + lockdep_register_key(&iio_dev_opaque->mlock_key); +- lockdep_set_class(&iio_dev_opaque->mlock, &iio_dev_opaque->mlock_key); ++ lockdep_register_key(&iio_dev_opaque->info_exist_key); + + mutex_init(&iio_dev_opaque->mlock); + mutex_init(&iio_dev_opaque->info_exist_lock); +--- a/include/linux/iio/iio-opaque.h ++++ b/include/linux/iio/iio-opaque.h +@@ -14,6 +14,7 @@ + * @mlock: lock used to prevent simultaneous device state changes + * @mlock_key: lockdep class for iio_dev lock + * @info_exist_lock: lock to prevent use during removal ++ * @info_exist_key: lockdep class for info_exist lock + * @trig_readonly: mark the current trigger immutable + * @event_interface: event chrdevs associated with interrupt lines + * @attached_buffers: array of buffers statically attached by the driver +@@ -47,6 +48,7 @@ struct iio_dev_opaque { + struct mutex mlock; + struct lock_class_key mlock_key; + struct mutex info_exist_lock; ++ struct lock_class_key info_exist_key; + bool trig_readonly; + struct iio_event_interface *event_interface; + struct iio_buffer **attached_buffers; diff --git a/queue-6.6/ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch b/queue-6.6/ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch new file mode 100644 index 0000000000..a3205f5254 --- /dev/null +++ b/queue-6.6/ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch @@ -0,0 +1,119 @@ +From stable+bounces-211734-greg=kroah.com@vger.kernel.org Tue Jan 27 09:32:16 2026 +From: Li hongliang <1468888505@139.com> +Date: Tue, 27 Jan 2026 16:31:49 +0800 +Subject: ksmbd: fix use-after-free in ksmbd_session_rpc_open +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, linkinjeon@kernel.org +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com, sujana.subramaniam@sap.com, sashal@kernel.org, linux-cifs@vger.kernel.org, norbert@doyensec.com, stfrench@microsoft.com +Message-ID: <20260127083149.3344689-1-1468888505@139.com> + +From: Namjae Jeon + +[ Upstream commit a1f46c99d9ea411f9bf30025b912d881d36fc709 ] + +A UAF issue can occur due to a race condition between +ksmbd_session_rpc_open() and __session_rpc_close(). +Add rpc_lock to the session to protect it. + +Cc: stable@vger.kernel.org +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +[ KSMBD_DEFAULT_GFP is introduced by commit 0066f623bce8 ("ksmbd: use __GFP_RETRY_MAYFAIL") + after linux-6.13. Here we still use GFP_KERNEL. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 20 ++++++++++++++------ + fs/smb/server/mgmt/user_session.h | 1 + + 2 files changed, 15 insertions(+), 6 deletions(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -59,10 +59,12 @@ static void ksmbd_session_rpc_clear_list + struct ksmbd_session_rpc *entry; + long index; + ++ down_write(&sess->rpc_lock); + xa_for_each(&sess->rpc_handle_list, index, entry) { + xa_erase(&sess->rpc_handle_list, index); + __session_rpc_close(sess, entry); + } ++ up_write(&sess->rpc_lock); + + xa_destroy(&sess->rpc_handle_list); + } +@@ -92,7 +94,7 @@ int ksmbd_session_rpc_open(struct ksmbd_ + { + struct ksmbd_session_rpc *entry, *old; + struct ksmbd_rpc_command *resp; +- int method; ++ int method, id; + + method = __rpc_method(rpc_name); + if (!method) +@@ -102,26 +104,29 @@ int ksmbd_session_rpc_open(struct ksmbd_ + if (!entry) + return -ENOMEM; + ++ down_read(&sess->rpc_lock); + entry->method = method; +- entry->id = ksmbd_ipc_id_alloc(); +- if (entry->id < 0) ++ entry->id = id = ksmbd_ipc_id_alloc(); ++ if (id < 0) + goto free_entry; +- old = xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL); ++ old = xa_store(&sess->rpc_handle_list, id, entry, GFP_KERNEL); + if (xa_is_err(old)) + goto free_id; + +- resp = ksmbd_rpc_open(sess, entry->id); ++ resp = ksmbd_rpc_open(sess, id); + if (!resp) + goto erase_xa; + ++ up_read(&sess->rpc_lock); + kvfree(resp); +- return entry->id; ++ return id; + erase_xa: + xa_erase(&sess->rpc_handle_list, entry->id); + free_id: + ksmbd_rpc_id_free(entry->id); + free_entry: + kfree(entry); ++ up_read(&sess->rpc_lock); + return -EINVAL; + } + +@@ -129,9 +134,11 @@ void ksmbd_session_rpc_close(struct ksmb + { + struct ksmbd_session_rpc *entry; + ++ down_write(&sess->rpc_lock); + entry = xa_erase(&sess->rpc_handle_list, id); + if (entry) + __session_rpc_close(sess, entry); ++ up_write(&sess->rpc_lock); + } + + int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id) +@@ -438,6 +445,7 @@ static struct ksmbd_session *__session_c + sess->sequence_number = 1; + rwlock_init(&sess->tree_conns_lock); + atomic_set(&sess->refcnt, 2); ++ init_rwsem(&sess->rpc_lock); + + ret = __init_smb2_session(sess); + if (ret) +--- a/fs/smb/server/mgmt/user_session.h ++++ b/fs/smb/server/mgmt/user_session.h +@@ -63,6 +63,7 @@ struct ksmbd_session { + rwlock_t tree_conns_lock; + + atomic_t refcnt; ++ struct rw_semaphore rpc_lock; + }; + + static inline int test_session_flag(struct ksmbd_session *sess, int bit) diff --git a/queue-6.6/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch b/queue-6.6/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch new file mode 100644 index 0000000000..5979b7b9c2 --- /dev/null +++ b/queue-6.6/migrate-correct-lock-ordering-for-hugetlb-file-folios.patch @@ -0,0 +1,106 @@ +From b7880cb166ab62c2409046b2347261abf701530e Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Fri, 9 Jan 2026 04:13:42 +0000 +Subject: migrate: correct lock ordering for hugetlb file folios + +From: Matthew Wilcox (Oracle) + +commit b7880cb166ab62c2409046b2347261abf701530e upstream. + +Syzbot has found a deadlock (analyzed by Lance Yang): + +1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). +2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire +folio_lock. + +migrate_pages() + -> migrate_hugetlbs() + -> unmap_and_move_huge_page() <- Takes folio_lock! + -> remove_migration_ptes() + -> __rmap_walk_file() + -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)! + +hugetlbfs_fallocate() + -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! + -> hugetlbfs_zero_partial_page() + -> filemap_lock_hugetlb_folio() + -> filemap_lock_folio() + -> __filemap_get_folio <- Waits for folio_lock! + +The migration path is the one taking locks in the wrong order according to +the documentation at the top of mm/rmap.c. So expand the scope of the +existing i_mmap_lock to cover the calls to remove_migration_ptes() too. + +This is (mostly) how it used to be after commit c0d0381ade79. That was +removed by 336bf30eb765 for both file & anon hugetlb pages when it should +only have been removed for anon hugetlb pages. + +Link: https://lkml.kernel.org/r/20260109041345.3863089-2-willy@infradead.org +Signed-off-by: Matthew Wilcox (Oracle) +Fixes: 336bf30eb765 ("hugetlbfs: fix anon huge page migration race") +Reported-by: syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/68e9715a.050a0220.1186a4.000d.GAE@google.com +Debugged-by: Lance Yang +Acked-by: David Hildenbrand (Red Hat) +Acked-by: Zi Yan +Cc: Alistair Popple +Cc: Byungchul Park +Cc: Gregory Price +Cc: Jann Horn +Cc: Joshua Hahn +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Matthew Brost +Cc: Rakie Kim +Cc: Rik van Riel +Cc: Vlastimil Babka +Cc: Ying Huang +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/migrate.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -1369,6 +1369,7 @@ static int unmap_and_move_huge_page(new_ + int page_was_mapped = 0; + struct anon_vma *anon_vma = NULL; + struct address_space *mapping = NULL; ++ enum ttu_flags ttu = 0; + + if (folio_ref_count(src) == 1) { + /* page was freed from under us. So we are done. */ +@@ -1410,8 +1411,6 @@ static int unmap_and_move_huge_page(new_ + goto put_anon; + + if (folio_mapped(src)) { +- enum ttu_flags ttu = 0; +- + if (!folio_test_anon(src)) { + /* + * In shared mappings, try_to_unmap could potentially +@@ -1428,9 +1427,6 @@ static int unmap_and_move_huge_page(new_ + + try_to_migrate(src, ttu); + page_was_mapped = 1; +- +- if (ttu & TTU_RMAP_LOCKED) +- i_mmap_unlock_write(mapping); + } + + if (!folio_mapped(src)) +@@ -1438,7 +1434,11 @@ static int unmap_and_move_huge_page(new_ + + if (page_was_mapped) + remove_migration_ptes(src, +- rc == MIGRATEPAGE_SUCCESS ? dst : src, false); ++ rc == MIGRATEPAGE_SUCCESS ? dst : src, ++ ttu ? true : false); ++ ++ if (ttu & TTU_RMAP_LOCKED) ++ i_mmap_unlock_write(mapping); + + unlock_put_anon: + folio_unlock(dst); diff --git a/queue-6.6/mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch b/queue-6.6/mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch new file mode 100644 index 0000000000..5230bf079c --- /dev/null +++ b/queue-6.6/mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch @@ -0,0 +1,52 @@ +From 392b3d9d595f34877dd745b470c711e8ebcd225c Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Wed, 24 Dec 2025 18:30:37 -0800 +Subject: mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure + +From: SeongJae Park + +commit 392b3d9d595f34877dd745b470c711e8ebcd225c upstream. + +When a DAMOS-scheme DAMON sysfs directory setup fails after setup of +access_pattern/ directory, subdirectories of access_pattern/ directory are +not cleaned up. As a result, DAMON sysfs interface is nearly broken until +the system reboots, and the memory for the unremoved directory is leaked. + +Cleanup the directories under such failures. + +Link: https://lkml.kernel.org/r/20251225023043.18579-5-sj@kernel.org +Fixes: 9bbb820a5bd5 ("mm/damon/sysfs: support DAMOS quotas") +Signed-off-by: SeongJae Park +Cc: chongjiapeng +Cc: # 5.18.x +Signed-off-by: Andrew Morton +Signed-off-by: SeongJae Park +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs-schemes.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/damon/sysfs-schemes.c ++++ b/mm/damon/sysfs-schemes.c +@@ -1282,9 +1282,10 @@ static int damon_sysfs_scheme_add_dirs(s + err = damon_sysfs_scheme_set_access_pattern(scheme); + if (err) + return err; ++ + err = damon_sysfs_scheme_set_quotas(scheme); + if (err) +- goto put_access_pattern_out; ++ goto rmdir_put_access_pattern_out; + err = damon_sysfs_scheme_set_watermarks(scheme); + if (err) + goto put_quotas_access_pattern_out; +@@ -1311,7 +1312,8 @@ put_watermarks_quotas_access_pattern_out + put_quotas_access_pattern_out: + kobject_put(&scheme->quotas->kobj); + scheme->quotas = NULL; +-put_access_pattern_out: ++rmdir_put_access_pattern_out: ++ damon_sysfs_access_pattern_rm_dirs(scheme->access_pattern); + kobject_put(&scheme->access_pattern->kobj); + scheme->access_pattern = NULL; + return err; diff --git a/queue-6.6/mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch b/queue-6.6/mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch new file mode 100644 index 0000000000..690a8f9f67 --- /dev/null +++ b/queue-6.6/mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch @@ -0,0 +1,48 @@ +From dc7e1d75fd8c505096d0cddeca9e2efb2b55aaf9 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Wed, 24 Dec 2025 18:30:36 -0800 +Subject: mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure + +From: SeongJae Park + +commit dc7e1d75fd8c505096d0cddeca9e2efb2b55aaf9 upstream. + +When a DAMOS-scheme DAMON sysfs directory setup fails after setup of +quotas/ directory, subdirectories of quotas/ directory are not cleaned up. +As a result, DAMON sysfs interface is nearly broken until the system +reboots, and the memory for the unremoved directory is leaked. + +Cleanup the directories under such failures. + +Link: https://lkml.kernel.org/r/20251225023043.18579-4-sj@kernel.org +Fixes: 1b32234ab087 ("mm/damon/sysfs: support DAMOS watermarks") +Signed-off-by: SeongJae Park +Cc: chongjiapeng +Cc: # 5.18.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs-schemes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/damon/sysfs-schemes.c ++++ b/mm/damon/sysfs-schemes.c +@@ -1288,7 +1288,7 @@ static int damon_sysfs_scheme_add_dirs(s + goto rmdir_put_access_pattern_out; + err = damon_sysfs_scheme_set_watermarks(scheme); + if (err) +- goto put_quotas_access_pattern_out; ++ goto rmdir_put_quotas_access_pattern_out; + err = damon_sysfs_scheme_set_filters(scheme); + if (err) + goto put_watermarks_quotas_access_pattern_out; +@@ -1309,7 +1309,8 @@ put_filters_watermarks_quotas_access_pat + put_watermarks_quotas_access_pattern_out: + kobject_put(&scheme->watermarks->kobj); + scheme->watermarks = NULL; +-put_quotas_access_pattern_out: ++rmdir_put_quotas_access_pattern_out: ++ damon_sysfs_quotas_rm_dirs(scheme->quotas); + kobject_put(&scheme->quotas->kobj); + scheme->quotas = NULL; + rmdir_put_access_pattern_out: diff --git a/queue-6.6/mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch b/queue-6.6/mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch new file mode 100644 index 0000000000..40f91b4ae7 --- /dev/null +++ b/queue-6.6/mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch @@ -0,0 +1,55 @@ +From stable+bounces-210724-greg=kroah.com@vger.kernel.org Wed Jan 21 12:19:38 2026 +From: Sasha Levin +Date: Wed, 21 Jan 2026 05:55:42 -0500 +Subject: mm: kmsan: fix poisoning of high-order non-compound pages +To: stable@vger.kernel.org +Cc: Ryan Roberts , Alexander Potapenko , Dmitriy Vyukov , Marco Elver , Andrew Morton , Sasha Levin +Message-ID: <20260121105542.1438885-1-sashal@kernel.org> + +From: Ryan Roberts + +[ Upstream commit 4795d205d78690a46b60164f44b8bb7b3e800865 ] + +kmsan_free_page() is called by the page allocator's free_pages_prepare() +during page freeing. Its job is to poison all the memory covered by the +page. It can be called with an order-0 page, a compound high-order page +or a non-compound high-order page. But page_size() only works for order-0 +and compound pages. For a non-compound high-order page it will +incorrectly return PAGE_SIZE. + +The implication is that the tail pages of a high-order non-compound page +do not get poisoned at free, so any invalid access while they are free +could go unnoticed. It looks like the pages will be poisoned again at +allocation time, so that would bookend the window. + +Fix this by using the order parameter to calculate the size. + +Link: https://lkml.kernel.org/r/20260104134348.3544298-1-ryan.roberts@arm.com +Fixes: b073d7f8aee4 ("mm: kmsan: maintain KMSAN metadata for page operations") +Signed-off-by: Ryan Roberts +Reviewed-by: Alexander Potapenko +Tested-by: Alexander Potapenko +Cc: Dmitriy Vyukov +Cc: Dmitry Vyukov +Cc: Marco Elver +Cc: Ryan Roberts +Cc: +Signed-off-by: Andrew Morton +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmsan/shadow.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/kmsan/shadow.c ++++ b/mm/kmsan/shadow.c +@@ -210,7 +210,7 @@ void kmsan_free_page(struct page *page, + return; + kmsan_enter_runtime(); + kmsan_internal_poison_memory(page_address(page), +- page_size(page), ++ PAGE_SIZE << order, + GFP_KERNEL, + KMSAN_POISON_CHECK | KMSAN_POISON_FREE); + kmsan_leave_runtime(); diff --git a/queue-6.6/mm-page_alloc-prevent-pcp-corruption-with-smp-n.patch b/queue-6.6/mm-page_alloc-prevent-pcp-corruption-with-smp-n.patch new file mode 100644 index 0000000000..27abced238 --- /dev/null +++ b/queue-6.6/mm-page_alloc-prevent-pcp-corruption-with-smp-n.patch @@ -0,0 +1,171 @@ +From stable+bounces-210734-greg=kroah.com@vger.kernel.org Wed Jan 21 13:05:19 2026 +From: Sasha Levin +Date: Wed, 21 Jan 2026 07:03:39 -0500 +Subject: mm/page_alloc: prevent pcp corruption with SMP=n +To: stable@vger.kernel.org +Cc: Vlastimil Babka , kernel test robot , Matthew Wilcox , Mel Gorman , Brendan Jackman , Johannes Weiner , Michal Hocko , Sebastian Andrzej Siewior , Steven Rostedt , Suren Baghdasaryan , Zi Yan , Andrew Morton , Sasha Levin +Message-ID: <20260121120339.1504037-1-sashal@kernel.org> + +From: Vlastimil Babka + +[ Upstream commit 038a102535eb49e10e93eafac54352fcc5d78847 ] + +The kernel test robot has reported: + + BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 + lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 + CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470 + Call Trace: + + __dump_stack (lib/dump_stack.c:95) + dump_stack_lvl (lib/dump_stack.c:123) + dump_stack (lib/dump_stack.c:130) + spin_dump (kernel/locking/spinlock_debug.c:71) + do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?) + _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138) + __free_frozen_pages (mm/page_alloc.c:2973) + ___free_pages (mm/page_alloc.c:5295) + __free_pages (mm/page_alloc.c:5334) + tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290) + ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289) + ? rcu_core (kernel/rcu/tree.c:?) + rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861) + rcu_core_si (kernel/rcu/tree.c:2879) + handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623) + __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725) + irq_exit_rcu (kernel/softirq.c:741) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052) + + + RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) + free_pcppages_bulk (mm/page_alloc.c:1494) + drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632) + __drain_all_pages (mm/page_alloc.c:2731) + drain_all_pages (mm/page_alloc.c:2747) + kcompactd (mm/compaction.c:3115) + kthread (kernel/kthread.c:465) + ? __cfi_kcompactd (mm/compaction.c:3166) + ? __cfi_kthread (kernel/kthread.c:412) + ret_from_fork (arch/x86/kernel/process.c:164) + ? __cfi_kthread (kernel/kthread.c:412) + ret_from_fork_asm (arch/x86/entry/entry_64.S:255) + + +Matthew has analyzed the report and identified that in drain_page_zone() +we are in a section protected by spin_lock(&pcp->lock) and then get an +interrupt that attempts spin_trylock() on the same lock. The code is +designed to work this way without disabling IRQs and occasionally fail the +trylock with a fallback. However, the SMP=n spinlock implementation +assumes spin_trylock() will always succeed, and thus it's normally a +no-op. Here the enabled lock debugging catches the problem, but otherwise +it could cause a corruption of the pcp structure. + +The problem has been introduced by commit 574907741599 ("mm/page_alloc: +leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme +recognizes the need for disabling IRQs to prevent nesting spin_trylock() +sections on SMP=n, but the need to prevent the nesting in spin_lock() has +not been recognized. Fix it by introducing local wrappers that change the +spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places +that do spin_lock(&pcp->lock). + +[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven] +Link: https://lkml.kernel.org/r/20260105-fix-pcp-up-v1-1-5579662d2071@suse.cz +Fixes: 574907741599 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations") +Signed-off-by: Vlastimil Babka +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202512101320.e2f2dd6f-lkp@intel.com +Analyzed-by: Matthew Wilcox +Link: https://lore.kernel.org/all/aUW05pyc9nZkvY-1@casper.infradead.org/ +Acked-by: Mel Gorman +Cc: Brendan Jackman +Cc: Johannes Weiner +Cc: Michal Hocko +Cc: Sebastian Andrzej Siewior +Cc: Steven Rostedt +Cc: Suren Baghdasaryan +Cc: Zi Yan +Cc: +Signed-off-by: Andrew Morton +[ drop changes to decay_pcp_high() and zone_pcp_update_cacheinfo() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -160,6 +160,33 @@ static DEFINE_MUTEX(pcp_batch_high_lock) + #define pcp_spin_unlock(ptr) \ + pcpu_spin_unlock(lock, ptr) + ++/* ++ * With the UP spinlock implementation, when we spin_lock(&pcp->lock) (for i.e. ++ * a potentially remote cpu drain) and get interrupted by an operation that ++ * attempts pcp_spin_trylock(), we can't rely on the trylock failure due to UP ++ * spinlock assumptions making the trylock a no-op. So we have to turn that ++ * spin_lock() to a spin_lock_irqsave(). This works because on UP there are no ++ * remote cpu's so we can only be locking the only existing local one. ++ */ ++#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT_RT) ++static inline void __flags_noop(unsigned long *flags) { } ++#define pcp_spin_lock_maybe_irqsave(ptr, flags) \ ++({ \ ++ __flags_noop(&(flags)); \ ++ spin_lock(&(ptr)->lock); \ ++}) ++#define pcp_spin_unlock_maybe_irqrestore(ptr, flags) \ ++({ \ ++ spin_unlock(&(ptr)->lock); \ ++ __flags_noop(&(flags)); \ ++}) ++#else ++#define pcp_spin_lock_maybe_irqsave(ptr, flags) \ ++ spin_lock_irqsave(&(ptr)->lock, flags) ++#define pcp_spin_unlock_maybe_irqrestore(ptr, flags) \ ++ spin_unlock_irqrestore(&(ptr)->lock, flags) ++#endif ++ + #ifdef CONFIG_USE_PERCPU_NUMA_NODE_ID + DEFINE_PER_CPU(int, numa_node); + EXPORT_PER_CPU_SYMBOL(numa_node); +@@ -2181,14 +2208,15 @@ static int rmqueue_bulk(struct zone *zon + */ + void drain_zone_pages(struct zone *zone, struct per_cpu_pages *pcp) + { ++ unsigned long UP_flags; + int to_drain, batch; + + batch = READ_ONCE(pcp->batch); + to_drain = min(pcp->count, batch); + if (to_drain > 0) { +- spin_lock(&pcp->lock); ++ pcp_spin_lock_maybe_irqsave(pcp, UP_flags); + free_pcppages_bulk(zone, to_drain, pcp, 0); +- spin_unlock(&pcp->lock); ++ pcp_spin_unlock_maybe_irqrestore(pcp, UP_flags); + } + } + #endif +@@ -2199,10 +2227,11 @@ void drain_zone_pages(struct zone *zone, + static void drain_pages_zone(unsigned int cpu, struct zone *zone) + { + struct per_cpu_pages *pcp = per_cpu_ptr(zone->per_cpu_pageset, cpu); ++ unsigned long UP_flags; + int count; + + do { +- spin_lock(&pcp->lock); ++ pcp_spin_lock_maybe_irqsave(pcp, UP_flags); + count = pcp->count; + if (count) { + int to_drain = min(count, +@@ -2211,7 +2240,7 @@ static void drain_pages_zone(unsigned in + free_pcppages_bulk(zone, to_drain, pcp, 0); + count -= to_drain; + } +- spin_unlock(&pcp->lock); ++ pcp_spin_unlock_maybe_irqrestore(pcp, UP_flags); + } while (count); + } + diff --git a/queue-6.6/mm-rmap-fix-two-comments-related-to-huge_pmd_unshare.patch b/queue-6.6/mm-rmap-fix-two-comments-related-to-huge_pmd_unshare.patch new file mode 100644 index 0000000000..364d36d796 --- /dev/null +++ b/queue-6.6/mm-rmap-fix-two-comments-related-to-huge_pmd_unshare.patch @@ -0,0 +1,76 @@ +From stable+bounces-211669-greg=kroah.com@vger.kernel.org Mon Jan 26 18:56:02 2026 +From: Sasha Levin +Date: Mon, 26 Jan 2026 12:55:51 -0500 +Subject: mm/rmap: fix two comments related to huge_pmd_unshare() +To: stable@vger.kernel.org +Cc: "David Hildenbrand (Red Hat)" , Rik van Riel , Laurence Oberman , Lorenzo Stoakes , Oscar Salvador , Liu Shixin , Harry Yoo , Lance Yang , "Uschakow, Stanislav" , Andrew Morton , Sasha Levin +Message-ID: <20260126175552.3481327-1-sashal@kernel.org> + +From: "David Hildenbrand (Red Hat)" + +[ Upstream commit a8682d500f691b6dfaa16ae1502d990aeb86e8be ] + +PMD page table unsharing no longer touches the refcount of a PMD page +table. Also, it is not about dropping the refcount of a "PMD page" but +the "PMD page table". + +Let's just simplify by saying that the PMD page table was unmapped, +consequently also unmapping the folio that was mapped into this page. + +This code should be deduplicated in the future. + +Link: https://lkml.kernel.org/r/20251223214037.580860-4-david@kernel.org +Fixes: 59d9094df3d7 ("mm: hugetlb: independent PMD page table shared count") +Signed-off-by: David Hildenbrand (Red Hat) +Reviewed-by: Rik van Riel +Tested-by: Laurence Oberman +Reviewed-by: Lorenzo Stoakes +Acked-by: Oscar Salvador +Cc: Liu Shixin +Cc: Harry Yoo +Cc: Lance Yang +Cc: "Uschakow, Stanislav" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/rmap.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -1579,14 +1579,8 @@ static bool try_to_unmap_one(struct foli + flush_tlb_range(vma, + range.start, range.end); + /* +- * The ref count of the PMD page was +- * dropped which is part of the way map +- * counting is done for shared PMDs. +- * Return 'true' here. When there is +- * no other sharing, huge_pmd_unshare +- * returns false and we will unmap the +- * actual page and drop map count +- * to zero. ++ * The PMD table was unmapped, ++ * consequently unmapping the folio. + */ + page_vma_mapped_walk_done(&pvmw); + break; +@@ -1945,14 +1939,8 @@ static bool try_to_migrate_one(struct fo + range.start, range.end); + + /* +- * The ref count of the PMD page was +- * dropped which is part of the way map +- * counting is done for shared PMDs. +- * Return 'true' here. When there is +- * no other sharing, huge_pmd_unshare +- * returns false and we will unmap the +- * actual page and drop map count +- * to zero. ++ * The PMD table was unmapped, ++ * consequently unmapping the folio. + */ + page_vma_mapped_walk_done(&pvmw); + break; diff --git a/queue-6.6/net-phy-allow-mdio-bus-pm-ops-to-start-stop-state-machine-for-phylink-controlled-phy.patch b/queue-6.6/net-phy-allow-mdio-bus-pm-ops-to-start-stop-state-machine-for-phylink-controlled-phy.patch new file mode 100644 index 0000000000..ffc3aef110 --- /dev/null +++ b/queue-6.6/net-phy-allow-mdio-bus-pm-ops-to-start-stop-state-machine-for-phylink-controlled-phy.patch @@ -0,0 +1,162 @@ +From stable+bounces-209991-greg=kroah.com@vger.kernel.org Fri Jan 16 07:57:03 2026 +From: Rajani Kantha <681739313@139.com> +Date: Fri, 16 Jan 2026 14:53:33 +0800 +Subject: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY +To: vladimir.oltean@nxp.com, rmk+kernel@armlinux.org.uk, kuba@kernel.org, stable@vger.kernel.org +Message-ID: <20260116065334.18180-2-681739313@139.com> + +From: Vladimir Oltean + +[ Upstream commit fc75ea20ffb452652f0d4033f38fe88d7cfdae35 ] + +DSA has 2 kinds of drivers: + +1. Those who call dsa_switch_suspend() and dsa_switch_resume() from + their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz +2. Those who don't: all others. The above methods should be optional. + +For type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(), +and dsa_switch_resume() calls dsa_user_resume() -> phylink_start(). +These seem good candidates for setting mac_managed_pm = true because +that is essentially its definition [1], but that does not seem to be the +biggest problem for now, and is not what this change focuses on. + +Talking strictly about the 2nd category of DSA drivers here (which +do not have MAC managed PM, meaning that for their attached PHYs, +mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full), +I have noticed that the following warning from mdio_bus_phy_resume() is +triggered: + + WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY && + phydev->state != PHY_UP); + +because the PHY state machine is running. + +It's running as a result of a previous dsa_user_open() -> ... -> +phylink_start() -> phy_start() having been initiated by the user. + +The previous mdio_bus_phy_suspend() was supposed to have called +phy_stop_machine(), but it didn't. So this is why the PHY is in state +PHY_NOLINK by the time mdio_bus_phy_resume() runs. + +mdio_bus_phy_suspend() did not call phy_stop_machine() because for +phylink, the phydev->adjust_link function pointer is NULL. This seems a +technicality introduced by commit fddd91016d16 ("phylib: fix PAL state +machine restart on resume"). That commit was written before phylink +existed, and was intended to avoid crashing with consumer drivers which +don't use the PHY state machine - phylink always does, when using a PHY. +But phylink itself has historically not been developed with +suspend/resume in mind, and apparently not tested too much in that +scenario, allowing this bug to exist unnoticed for so long. Plus, prior +to the WARN_ON(), it would have likely been invisible. + +This issue is not in fact restricted to type 2 DSA drivers (according to +the above ad-hoc classification), but can be extrapolated to any MAC +driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where +the issue was reported. Assuming mac_managed_pm is set correctly, a +quick search indicates the following other drivers might be affected: + +$ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm +drivers/net/ethernet/atheros/ag71xx.c +drivers/net/ethernet/microchip/sparx5/sparx5_main.c +drivers/net/ethernet/microchip/lan966x/lan966x_main.c +drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c +drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c +drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +drivers/net/ethernet/freescale/ucc_geth.c +drivers/net/ethernet/freescale/enetc/enetc_pf_common.c +drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +drivers/net/ethernet/marvell/mvneta.c +drivers/net/ethernet/marvell/prestera/prestera_main.c +drivers/net/ethernet/mediatek/mtk_eth_soc.c +drivers/net/ethernet/altera/altera_tse_main.c +drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c +drivers/net/ethernet/meta/fbnic/fbnic_phylink.c +drivers/net/ethernet/tehuti/tn40_phy.c +drivers/net/ethernet/mscc/ocelot_net.c + +Make the existing conditions dependent on the PHY device having a +phydev->phy_link_change() implementation equal to the default +phy_link_change() provided by phylib. Otherwise, we implicitly know that +the phydev has the phylink-provided phylink_phy_change() callback, and +when phylink is used, the PHY state machine always needs to be stopped/ +started on the suspend/resume path. The code is structured as such that +if phydev->phy_link_change() is absent, it is a matter of time until the +kernel will crash - no need to further complicate the test. + +Thus, for the situation where the PM is not managed by the MAC, we will +make the MDIO bus PM ops treat identically the phylink-controlled PHYs +with the phylib-controlled PHYs where an adjust_link() callback is +supplied. In both cases, the MDIO bus PM ops should stop and restart the +PHY state machine. + +[1] https://lore.kernel.org/netdev/Z-1tiW9zjcoFkhwc@shell.armlinux.org.uk/ + +Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state") +Reported-by: Wei Fang +Tested-by: Wei Fang +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20250407094042.2155633-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Greg Kroah-Hartman +--- +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 31 +++++++++++++++++++++++++++++-- + 1 file changed, 29 insertions(+), 2 deletions(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -281,6 +281,33 @@ static void phy_link_change(struct phy_d + phydev->mii_ts->link_state(phydev->mii_ts, phydev); + } + ++/** ++ * phy_uses_state_machine - test whether consumer driver uses PAL state machine ++ * @phydev: the target PHY device structure ++ * ++ * Ultimately, this aims to indirectly determine whether the PHY is attached ++ * to a consumer which uses the state machine by calling phy_start() and ++ * phy_stop(). ++ * ++ * When the PHY driver consumer uses phylib, it must have previously called ++ * phy_connect_direct() or one of its derivatives, so that phy_prepare_link() ++ * has set up a hook for monitoring state changes. ++ * ++ * When the PHY driver is used by the MAC driver consumer through phylink (the ++ * only other provider of a phy_link_change() method), using the PHY state ++ * machine is not optional. ++ * ++ * Return: true if consumer calls phy_start() and phy_stop(), false otherwise. ++ */ ++static bool phy_uses_state_machine(struct phy_device *phydev) ++{ ++ if (phydev->phy_link_change == phy_link_change) ++ return phydev->attached_dev && phydev->adjust_link; ++ ++ /* phydev->phy_link_change is implicitly phylink_phy_change() */ ++ return true; ++} ++ + static bool mdio_bus_phy_may_suspend(struct phy_device *phydev) + { + struct device_driver *drv = phydev->mdio.dev.driver; +@@ -341,7 +368,7 @@ static __maybe_unused int mdio_bus_phy_s + * may call phy routines that try to grab the same lock, and that may + * lead to a deadlock. + */ +- if (phydev->attached_dev && phydev->adjust_link) ++ if (phy_uses_state_machine(phydev)) + phy_stop_machine(phydev); + + if (!mdio_bus_phy_may_suspend(phydev)) +@@ -395,7 +422,7 @@ no_resume: + } + } + +- if (phydev->attached_dev && phydev->adjust_link) ++ if (phy_uses_state_machine(phydev)) + phy_start_machine(phydev); + + return 0; diff --git a/queue-6.6/net-phy-fix-phy_uses_state_machine.patch b/queue-6.6/net-phy-fix-phy_uses_state_machine.patch new file mode 100644 index 0000000000..84125e84d8 --- /dev/null +++ b/queue-6.6/net-phy-fix-phy_uses_state_machine.patch @@ -0,0 +1,79 @@ +From stable+bounces-209990-greg=kroah.com@vger.kernel.org Fri Jan 16 07:57:03 2026 +From: Rajani Kantha <681739313@139.com> +Date: Fri, 16 Jan 2026 14:53:34 +0800 +Subject: net: phy: fix phy_uses_state_machine() +To: vladimir.oltean@nxp.com, rmk+kernel@armlinux.org.uk, kuba@kernel.org, stable@vger.kernel.org +Message-ID: <20260116065334.18180-3-681739313@139.com> + +From: "Russell King (Oracle)" + +[ Upstream commit e0d1c55501d377163eb57feed863777ed1c973ad ] + +The blamed commit changed the conditions which phylib uses to stop +and start the state machine in the suspend and resume paths, and +while improving it, has caused two issues. + +The original code used this test: + + phydev->attached_dev && phydev->adjust_link + +and if true, the paths would handle the PHY state machine. This test +evaluates true for normal drivers that are using phylib directly +while the PHY is attached to the network device, but false in all +other cases, which include the following cases: + +- when the PHY has never been attached to a network device. +- when the PHY has been detached from a network device (as phy_detach() + sets phydev->attached_dev to NULL, phy_disconnect() calls + phy_detach() and additionally sets phydev->adjust_link NULL.) +- when phylink is using the driver (as phydev->adjust_link is NULL.) + +Only the third case was incorrect, and the blamed commit attempted to +fix this by changing this test to (simplified for brevity, see +phy_uses_state_machine()): + + phydev->phy_link_change == phy_link_change ? + phydev->attached_dev && phydev->adjust_link : true + +However, this also incorrectly evaluates true in the first two cases. + +Fix the first case by ensuring that phy_uses_state_machine() returns +false when phydev->phy_link_change is NULL. + +Fix the second case by ensuring that phydev->phy_link_change is set to +NULL when phy_detach() is called. + +Reported-by: Xu Yang +Link: https://lore.kernel.org/r/20250806082931.3289134-1-xu.yang_2@nxp.com +Fixes: fc75ea20ffb4 ("net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY") +Signed-off-by: Russell King (Oracle) +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/E1uvMEz-00000003Aoe-3qWe@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -304,8 +304,7 @@ static bool phy_uses_state_machine(struc + if (phydev->phy_link_change == phy_link_change) + return phydev->attached_dev && phydev->adjust_link; + +- /* phydev->phy_link_change is implicitly phylink_phy_change() */ +- return true; ++ return !!phydev->phy_link_change; + } + + static bool mdio_bus_phy_may_suspend(struct phy_device *phydev) +@@ -1853,6 +1852,8 @@ void phy_detach(struct phy_device *phyde + phydev->attached_dev->phydev = NULL; + phydev->attached_dev = NULL; + } ++ ++ phydev->phy_link_change = NULL; + phydev->phylink = NULL; + + if (!phydev->is_on_sfp_module) diff --git a/queue-6.6/net-phy-move-phy_link_change-prior-to-mdio_bus_phy_may_suspend.patch b/queue-6.6/net-phy-move-phy_link_change-prior-to-mdio_bus_phy_may_suspend.patch new file mode 100644 index 0000000000..22e3d1f1cd --- /dev/null +++ b/queue-6.6/net-phy-move-phy_link_change-prior-to-mdio_bus_phy_may_suspend.patch @@ -0,0 +1,76 @@ +From stable+bounces-209992-greg=kroah.com@vger.kernel.org Fri Jan 16 07:57:08 2026 +From: Rajani Kantha <681739313@139.com> +Date: Fri, 16 Jan 2026 14:53:32 +0800 +Subject: net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() +To: vladimir.oltean@nxp.com, rmk+kernel@armlinux.org.uk, kuba@kernel.org, stable@vger.kernel.org +Message-ID: <20260116065334.18180-1-681739313@139.com> + +From: Vladimir Oltean + +[ Upstream commit f40a673d6b4a128fe95dd9b8c3ed02da50a6a862 ] + +In an upcoming change, mdio_bus_phy_may_suspend() will need to +distinguish a phylib-based PHY client from a phylink PHY client. +For that, it will need to compare the phydev->phy_link_change() function +pointer with the eponymous phy_link_change() provided by phylib. + +To avoid forward function declarations, the default PHY link state +change method should be moved upwards. There is no functional change +associated with this patch, it is only to reduce the noise from a real +bug fix. + +Signed-off-by: Vladimir Oltean +Reviewed-by: Russell King (Oracle) +Link: https://patch.msgid.link/20250407093900.2155112-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +[ Minor context change fixed ] +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Greg Kroah-Hartman +--- +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy_device.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -268,6 +268,19 @@ static struct phy_driver genphy_driver; + static LIST_HEAD(phy_fixup_list); + static DEFINE_MUTEX(phy_fixup_lock); + ++static void phy_link_change(struct phy_device *phydev, bool up) ++{ ++ struct net_device *netdev = phydev->attached_dev; ++ ++ if (up) ++ netif_carrier_on(netdev); ++ else ++ netif_carrier_off(netdev); ++ phydev->adjust_link(netdev); ++ if (phydev->mii_ts && phydev->mii_ts->link_state) ++ phydev->mii_ts->link_state(phydev->mii_ts, phydev); ++} ++ + static bool mdio_bus_phy_may_suspend(struct phy_device *phydev) + { + struct device_driver *drv = phydev->mdio.dev.driver; +@@ -1069,19 +1082,6 @@ struct phy_device *phy_find_first(struct + } + EXPORT_SYMBOL(phy_find_first); + +-static void phy_link_change(struct phy_device *phydev, bool up) +-{ +- struct net_device *netdev = phydev->attached_dev; +- +- if (up) +- netif_carrier_on(netdev); +- else +- netif_carrier_off(netdev); +- phydev->adjust_link(netdev); +- if (phydev->mii_ts && phydev->mii_ts->link_state) +- phydev->mii_ts->link_state(phydev->mii_ts, phydev); +-} +- + /** + * phy_prepare_link - prepares the PHY layer to monitor link status + * @phydev: target phy_device struct diff --git a/queue-6.6/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch b/queue-6.6/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch new file mode 100644 index 0000000000..f3907d1429 --- /dev/null +++ b/queue-6.6/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch @@ -0,0 +1,169 @@ +From stable+bounces-210682-greg=kroah.com@vger.kernel.org Wed Jan 21 05:17:39 2026 +From: Rahul Sharma +Date: Wed, 21 Jan 2026 12:16:18 +0800 +Subject: NFSD: fix race between nfsd registration and exports_proc +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Maninder Singh , Shubham Rana , Jeff Layton , Chuck Lever , Rahul Sharma +Message-ID: <20260121041618.3534193-1-black.hawk@163.com> + +From: Maninder Singh + +[ Upstream commit f7fb730cac9aafda8b9813b55d04e28a9664d17c ] + +As of now nfsd calls create_proc_exports_entry() at start of init_nfsd +and cleanup by remove_proc_entry() at last of exit_nfsd. + +Which causes kernel OOPs if there is race between below 2 operations: +(i) exportfs -r +(ii) mount -t nfsd none /proc/fs/nfsd + +for 5.4 kernel ARM64: + +CPU 1: +el1_irq+0xbc/0x180 +arch_counter_get_cntvct+0x14/0x18 +running_clock+0xc/0x18 +preempt_count_add+0x88/0x110 +prep_new_page+0xb0/0x220 +get_page_from_freelist+0x2d8/0x1778 +__alloc_pages_nodemask+0x15c/0xef0 +__vmalloc_node_range+0x28c/0x478 +__vmalloc_node_flags_caller+0x8c/0xb0 +kvmalloc_node+0x88/0xe0 +nfsd_init_net+0x6c/0x108 [nfsd] +ops_init+0x44/0x170 +register_pernet_operations+0x114/0x270 +register_pernet_subsys+0x34/0x50 +init_nfsd+0xa8/0x718 [nfsd] +do_one_initcall+0x54/0x2e0 + +CPU 2 : +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 + +PC is at : exports_net_open+0x50/0x68 [nfsd] + +Call trace: +exports_net_open+0x50/0x68 [nfsd] +exports_proc_open+0x2c/0x38 [nfsd] +proc_reg_open+0xb8/0x198 +do_dentry_open+0x1c4/0x418 +vfs_open+0x38/0x48 +path_openat+0x28c/0xf18 +do_filp_open+0x70/0xe8 +do_sys_open+0x154/0x248 + +Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu(). + +and same is happening on latest 6.14 kernel as well: + +[ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty +... +[ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48 +... +[ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4 +... +[ 285.469695] Call trace: +[ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P) +[ 285.470488] seq_read+0xe0/0x11c +[ 285.470675] proc_reg_read+0x9c/0xf0 +[ 285.470874] vfs_read+0xc4/0x2fc +[ 285.471057] ksys_read+0x6c/0xf4 +[ 285.471231] __arm64_sys_read+0x1c/0x28 +[ 285.471428] invoke_syscall+0x44/0x100 +[ 285.471633] el0_svc_common.constprop.0+0x40/0xe0 +[ 285.471870] do_el0_svc_compat+0x1c/0x34 +[ 285.472073] el0_svc_compat+0x2c/0x80 +[ 285.472265] el0t_32_sync_handler+0x90/0x140 +[ 285.472473] el0t_32_sync+0x19c/0x1a0 +[ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3) +[ 285.473422] ---[ end trace 0000000000000000 ]--- + +It reproduced simply with below script: +while [ 1 ] +do +/exportfs -r +done & + +while [ 1 ] +do +insmod /nfsd.ko +mount -t nfsd none /proc/fs/nfsd +umount /proc/fs/nfsd +rmmod nfsd +done & + +So exporting interfaces to user space shall be done at last and +cleanup at first place. + +With change there is no Kernel OOPs. + +Co-developed-by: Shubham Rana +Signed-off-by: Shubham Rana +Signed-off-by: Maninder Singh +Reviewed-by: Jeff Layton +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +[ The context change is due to the commit bd9d6a3efa97 +("NFSD: add rpc_status netlink support") +and the proper adoption is done. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsctl.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1582,12 +1582,9 @@ static int __init init_nfsd(void) + if (retval) + goto out_free_pnfs; + nfsd_lockd_init(); /* lockd->nfsd callbacks */ +- retval = create_proc_exports_entry(); +- if (retval) +- goto out_free_lockd; + retval = register_pernet_subsys(&nfsd_net_ops); + if (retval < 0) +- goto out_free_exports; ++ goto out_free_lockd; + retval = register_cld_notifier(); + if (retval) + goto out_free_subsys; +@@ -1596,17 +1593,19 @@ static int __init init_nfsd(void) + goto out_free_cld; + retval = register_filesystem(&nfsd_fs_type); + if (retval) ++ goto out_free_nfsd4; ++ retval = create_proc_exports_entry(); ++ if (retval) + goto out_free_all; + return 0; + out_free_all: ++ unregister_filesystem(&nfsd_fs_type); ++out_free_nfsd4: + nfsd4_destroy_laundry_wq(); + out_free_cld: + unregister_cld_notifier(); + out_free_subsys: + unregister_pernet_subsys(&nfsd_net_ops); +-out_free_exports: +- remove_proc_entry("fs/nfs/exports", NULL); +- remove_proc_entry("fs/nfs", NULL); + out_free_lockd: + nfsd_lockd_shutdown(); + nfsd_drc_slab_free(); +@@ -1619,13 +1618,13 @@ out_free_slabs: + + static void __exit exit_nfsd(void) + { ++ remove_proc_entry("fs/nfs/exports", NULL); ++ remove_proc_entry("fs/nfs", NULL); + unregister_filesystem(&nfsd_fs_type); + nfsd4_destroy_laundry_wq(); + unregister_cld_notifier(); + unregister_pernet_subsys(&nfsd_net_ops); + nfsd_drc_slab_free(); +- remove_proc_entry("fs/nfs/exports", NULL); +- remove_proc_entry("fs/nfs", NULL); + nfsd_lockd_shutdown(); + nfsd4_free_slabs(); + nfsd4_exit_pnfs(); diff --git a/queue-6.6/nvme-fc-rename-free_ctrl-callback-to-match-name-pattern.patch b/queue-6.6/nvme-fc-rename-free_ctrl-callback-to-match-name-pattern.patch new file mode 100644 index 0000000000..694ca27721 --- /dev/null +++ b/queue-6.6/nvme-fc-rename-free_ctrl-callback-to-match-name-pattern.patch @@ -0,0 +1,47 @@ +From stable+bounces-210659-greg=kroah.com@vger.kernel.org Wed Jan 21 03:55:06 2026 +From: Sasha Levin +Date: Tue, 20 Jan 2026 21:52:26 -0500 +Subject: nvme-fc: rename free_ctrl callback to match name pattern +To: stable@vger.kernel.org +Cc: Daniel Wagner , Christoph Hellwig , Sagi Grimberg , Hannes Reinecke , Keith Busch , Sasha Levin +Message-ID: <20260121025228.1153601-1-sashal@kernel.org> + +From: Daniel Wagner + +[ Upstream commit 205fb5fa6fde1b5b426015eb1ff69f2ff25ef5bb ] + +Rename nvme_fc_nvme_ctrl_freed to nvme_fc_free_ctrl to match the name +pattern for the callback. + +Reviewed-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Reviewed-by: Hannes Reinecke +Signed-off-by: Daniel Wagner +Signed-off-by: Keith Busch +Stable-dep-of: 0edb475ac0a7 ("nvme: fix PCIe subsystem reset controller state transition") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2384,7 +2384,7 @@ nvme_fc_ctrl_get(struct nvme_fc_ctrl *ct + * controller. Called after last nvme_put_ctrl() call + */ + static void +-nvme_fc_nvme_ctrl_freed(struct nvme_ctrl *nctrl) ++nvme_fc_free_ctrl(struct nvme_ctrl *nctrl) + { + struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl); + +@@ -3349,7 +3349,7 @@ static const struct nvme_ctrl_ops nvme_f + .reg_read32 = nvmf_reg_read32, + .reg_read64 = nvmf_reg_read64, + .reg_write32 = nvmf_reg_write32, +- .free_ctrl = nvme_fc_nvme_ctrl_freed, ++ .free_ctrl = nvme_fc_free_ctrl, + .submit_async_event = nvme_fc_submit_async_event, + .delete_ctrl = nvme_fc_delete_ctrl, + .get_address = nvmf_get_address, diff --git a/queue-6.6/nvme-fix-pcie-subsystem-reset-controller-state-transition.patch b/queue-6.6/nvme-fix-pcie-subsystem-reset-controller-state-transition.patch new file mode 100644 index 0000000000..c2b2cbccdb --- /dev/null +++ b/queue-6.6/nvme-fix-pcie-subsystem-reset-controller-state-transition.patch @@ -0,0 +1,58 @@ +From stable+bounces-210660-greg=kroah.com@vger.kernel.org Wed Jan 21 03:55:09 2026 +From: Sasha Levin +Date: Tue, 20 Jan 2026 21:52:28 -0500 +Subject: nvme: fix PCIe subsystem reset controller state transition +To: stable@vger.kernel.org +Cc: Nilay Shroff , Daniel Wagner , Keith Busch , Sasha Levin +Message-ID: <20260121025228.1153601-3-sashal@kernel.org> + +From: Nilay Shroff + +[ Upstream commit 0edb475ac0a7d153318a24d4dca175a270a5cc4f ] + +The commit d2fe192348f9 (“nvme: only allow entering LIVE from CONNECTING +state”) disallows controller state transitions directly from RESETTING +to LIVE. However, the NVMe PCIe subsystem reset path relies on this +transition to recover the controller on PowerPC (PPC) systems. + +On PPC systems, issuing a subsystem reset causes a temporary loss of +communication with the NVMe adapter. A subsequent PCIe MMIO read then +triggers EEH recovery, which restores the PCIe link and brings the +controller back online. For EEH recovery to proceed correctly, the +controller must transition back to the LIVE state. + +Due to the changes introduced by commit d2fe192348f9 (“nvme: only allow +entering LIVE from CONNECTING state”), the controller can no longer +transition directly from RESETTING to LIVE. As a result, EEH recovery +exits prematurely, leaving the controller stuck in the RESETTING state. + +Fix this by explicitly transitioning the controller state from RESETTING +to CONNECTING and then to LIVE. This satisfies the updated state +transition rules and allows the controller to be successfully recovered +on PPC systems following a PCIe subsystem reset. + +Cc: stable@vger.kernel.org +Fixes: d2fe192348f9 ("nvme: only allow entering LIVE from CONNECTING state") +Reviewed-by: Daniel Wagner +Signed-off-by: Nilay Shroff +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1166,7 +1166,10 @@ static int nvme_pci_subsystem_reset(stru + } + + writel(NVME_SUBSYS_RESET, dev->bar + NVME_REG_NSSR); +- nvme_change_ctrl_state(ctrl, NVME_CTRL_LIVE); ++ ++ if (!nvme_change_ctrl_state(ctrl, NVME_CTRL_CONNECTING) || ++ !nvme_change_ctrl_state(ctrl, NVME_CTRL_LIVE)) ++ goto unlock; + + /* + * Read controller status to flush the previous write and trigger a diff --git a/queue-6.6/nvme-pci-do-not-directly-handle-subsys-reset-fallout.patch b/queue-6.6/nvme-pci-do-not-directly-handle-subsys-reset-fallout.patch new file mode 100644 index 0000000000..89862655b2 --- /dev/null +++ b/queue-6.6/nvme-pci-do-not-directly-handle-subsys-reset-fallout.patch @@ -0,0 +1,205 @@ +From stable+bounces-210658-greg=kroah.com@vger.kernel.org Wed Jan 21 03:53:56 2026 +From: Sasha Levin +Date: Tue, 20 Jan 2026 21:52:27 -0500 +Subject: nvme-pci: do not directly handle subsys reset fallout +To: stable@vger.kernel.org +Cc: Keith Busch , Nilay Shroff , Christoph Hellwig , Sasha Levin +Message-ID: <20260121025228.1153601-2-sashal@kernel.org> + +From: Keith Busch + +[ Upstream commit 210b1f6576e8b367907e7ff51ef425062e1468e4 ] + +Scheduling reset_work after a nvme subsystem reset is expected to fail +on pcie, but this also prevents potential handling the platform's pcie +services may provide that might successfully recovering the link without +re-enumeration. Such examples include AER, DPC, and power's EEH. + +Provide a pci specific operation that safely initiates a subsystem +reset, and instead of scheduling reset work, read back the status +register to trigger a pcie read error. + +Since this only affects pci, the other fabrics drivers subscribe to a +generic nvmf subsystem reset that is exactly the same as before. The +loop fabric doesn't use it because nvmet doesn't support setting that +property anyway. + +And since we're using the magic NSSR value in two places now, provide a +symbolic define for it. + +Reported-by: Nilay Shroff +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Stable-dep-of: 0edb475ac0a7 ("nvme: fix PCIe subsystem reset controller state transition") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fabrics.c | 15 +++++++++++++++ + drivers/nvme/host/fabrics.h | 1 + + drivers/nvme/host/fc.c | 1 + + drivers/nvme/host/nvme.h | 14 +++----------- + drivers/nvme/host/pci.c | 36 ++++++++++++++++++++++++++++++++++++ + drivers/nvme/host/rdma.c | 1 + + drivers/nvme/host/tcp.c | 1 + + include/linux/nvme.h | 3 +++ + 8 files changed, 61 insertions(+), 11 deletions(-) + +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -279,6 +279,21 @@ int nvmf_reg_write32(struct nvme_ctrl *c + } + EXPORT_SYMBOL_GPL(nvmf_reg_write32); + ++int nvmf_subsystem_reset(struct nvme_ctrl *ctrl) ++{ ++ int ret; ++ ++ if (!nvme_wait_reset(ctrl)) ++ return -EBUSY; ++ ++ ret = ctrl->ops->reg_write32(ctrl, NVME_REG_NSSR, NVME_SUBSYS_RESET); ++ if (ret) ++ return ret; ++ ++ return nvme_try_sched_reset(ctrl); ++} ++EXPORT_SYMBOL_GPL(nvmf_subsystem_reset); ++ + /** + * nvmf_log_connect_error() - Error-parsing-diagnostic print out function for + * connect() errors. +--- a/drivers/nvme/host/fabrics.h ++++ b/drivers/nvme/host/fabrics.h +@@ -206,6 +206,7 @@ static inline unsigned int nvmf_nr_io_qu + int nvmf_reg_read32(struct nvme_ctrl *ctrl, u32 off, u32 *val); + int nvmf_reg_read64(struct nvme_ctrl *ctrl, u32 off, u64 *val); + int nvmf_reg_write32(struct nvme_ctrl *ctrl, u32 off, u32 val); ++int nvmf_subsystem_reset(struct nvme_ctrl *ctrl); + int nvmf_connect_admin_queue(struct nvme_ctrl *ctrl); + int nvmf_connect_io_queue(struct nvme_ctrl *ctrl, u16 qid); + int nvmf_register_transport(struct nvmf_transport_ops *ops); +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3349,6 +3349,7 @@ static const struct nvme_ctrl_ops nvme_f + .reg_read32 = nvmf_reg_read32, + .reg_read64 = nvmf_reg_read64, + .reg_write32 = nvmf_reg_write32, ++ .subsystem_reset = nvmf_subsystem_reset, + .free_ctrl = nvme_fc_free_ctrl, + .submit_async_event = nvme_fc_submit_async_event, + .delete_ctrl = nvme_fc_delete_ctrl, +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -562,6 +562,7 @@ struct nvme_ctrl_ops { + int (*reg_read64)(struct nvme_ctrl *ctrl, u32 off, u64 *val); + void (*free_ctrl)(struct nvme_ctrl *ctrl); + void (*submit_async_event)(struct nvme_ctrl *ctrl); ++ int (*subsystem_reset)(struct nvme_ctrl *ctrl); + void (*delete_ctrl)(struct nvme_ctrl *ctrl); + void (*stop_ctrl)(struct nvme_ctrl *ctrl); + int (*get_address)(struct nvme_ctrl *ctrl, char *buf, int size); +@@ -660,18 +661,9 @@ int nvme_try_sched_reset(struct nvme_ctr + + static inline int nvme_reset_subsystem(struct nvme_ctrl *ctrl) + { +- int ret; +- +- if (!ctrl->subsystem) ++ if (!ctrl->subsystem || !ctrl->ops->subsystem_reset) + return -ENOTTY; +- if (!nvme_wait_reset(ctrl)) +- return -EBUSY; +- +- ret = ctrl->ops->reg_write32(ctrl, NVME_REG_NSSR, 0x4E564D65); +- if (ret) +- return ret; +- +- return nvme_try_sched_reset(ctrl); ++ return ctrl->ops->subsystem_reset(ctrl); + } + + /* +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1143,6 +1143,41 @@ static void nvme_pci_submit_async_event( + spin_unlock(&nvmeq->sq_lock); + } + ++static int nvme_pci_subsystem_reset(struct nvme_ctrl *ctrl) ++{ ++ struct nvme_dev *dev = to_nvme_dev(ctrl); ++ int ret = 0; ++ ++ /* ++ * Taking the shutdown_lock ensures the BAR mapping is not being ++ * altered by reset_work. Holding this lock before the RESETTING state ++ * change, if successful, also ensures nvme_remove won't be able to ++ * proceed to iounmap until we're done. ++ */ ++ mutex_lock(&dev->shutdown_lock); ++ if (!dev->bar_mapped_size) { ++ ret = -ENODEV; ++ goto unlock; ++ } ++ ++ if (!nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING)) { ++ ret = -EBUSY; ++ goto unlock; ++ } ++ ++ writel(NVME_SUBSYS_RESET, dev->bar + NVME_REG_NSSR); ++ nvme_change_ctrl_state(ctrl, NVME_CTRL_LIVE); ++ ++ /* ++ * Read controller status to flush the previous write and trigger a ++ * pcie read error. ++ */ ++ readl(dev->bar + NVME_REG_CSTS); ++unlock: ++ mutex_unlock(&dev->shutdown_lock); ++ return ret; ++} ++ + static int adapter_delete_queue(struct nvme_dev *dev, u8 opcode, u16 id) + { + struct nvme_command c = { }; +@@ -2910,6 +2945,7 @@ static const struct nvme_ctrl_ops nvme_p + .reg_read64 = nvme_pci_reg_read64, + .free_ctrl = nvme_pci_free_ctrl, + .submit_async_event = nvme_pci_submit_async_event, ++ .subsystem_reset = nvme_pci_subsystem_reset, + .get_address = nvme_pci_get_address, + .print_device_info = nvme_pci_print_device_info, + .supports_pci_p2pdma = nvme_pci_supports_pci_p2pdma, +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -2174,6 +2174,7 @@ static const struct nvme_ctrl_ops nvme_r + .reg_read32 = nvmf_reg_read32, + .reg_read64 = nvmf_reg_read64, + .reg_write32 = nvmf_reg_write32, ++ .subsystem_reset = nvmf_subsystem_reset, + .free_ctrl = nvme_rdma_free_ctrl, + .submit_async_event = nvme_rdma_submit_async_event, + .delete_ctrl = nvme_rdma_delete_ctrl, +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2561,6 +2561,7 @@ static const struct nvme_ctrl_ops nvme_t + .reg_read32 = nvmf_reg_read32, + .reg_read64 = nvmf_reg_read64, + .reg_write32 = nvmf_reg_write32, ++ .subsystem_reset = nvmf_subsystem_reset, + .free_ctrl = nvme_tcp_free_ctrl, + .submit_async_event = nvme_tcp_submit_async_event, + .delete_ctrl = nvme_tcp_delete_ctrl, +--- a/include/linux/nvme.h ++++ b/include/linux/nvme.h +@@ -28,6 +28,9 @@ + + #define NVME_NSID_ALL 0xffffffff + ++/* Special NSSR value, 'NVMe' */ ++#define NVME_SUBSYS_RESET 0x4E564D65 ++ + enum nvme_subsys_type { + /* Referral to another discovery type target subsystem */ + NVME_NQN_DISC = 1, diff --git a/queue-6.6/phy-phy-rockchip-inno-usb2-use-dev_err_probe-in-the-probe-path.patch b/queue-6.6/phy-phy-rockchip-inno-usb2-use-dev_err_probe-in-the-probe-path.patch new file mode 100644 index 0000000000..5ef72b4966 --- /dev/null +++ b/queue-6.6/phy-phy-rockchip-inno-usb2-use-dev_err_probe-in-the-probe-path.patch @@ -0,0 +1,90 @@ +From stable+bounces-210639-greg=kroah.com@vger.kernel.org Wed Jan 21 02:50:08 2026 +From: Sasha Levin +Date: Tue, 20 Jan 2026 20:49:10 -0500 +Subject: phy: phy-rockchip-inno-usb2: Use dev_err_probe() in the probe path +To: stable@vger.kernel.org +Cc: Dragan Simic , Heiko Stuebner , Vinod Koul , Sasha Levin +Message-ID: <20260121014911.1112178-1-sashal@kernel.org> + +From: Dragan Simic + +[ Upstream commit 40452520850683f6771094ca218ff206d1fcb022 ] + +Improve error handling in the probe path by using function dev_err_probe() +instead of function dev_err(), where appropriate. + +Signed-off-by: Dragan Simic +Reviewed-by: Heiko Stuebner +Link: https://lore.kernel.org/r/d4ccd9fc278fb46ea868406bf77811ee507f0e4e.1725524803.git.dsimic@manjaro.org +Signed-off-by: Vinod Koul +Stable-dep-of: e07dea3de508 ("phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 27 +++++++++----------------- + 1 file changed, 10 insertions(+), 17 deletions(-) + +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -420,11 +420,9 @@ static int rockchip_usb2phy_extcon_regis + + if (of_property_read_bool(node, "extcon")) { + edev = extcon_get_edev_by_phandle(rphy->dev, 0); +- if (IS_ERR(edev)) { +- if (PTR_ERR(edev) != -EPROBE_DEFER) +- dev_err(rphy->dev, "Invalid or missing extcon\n"); +- return PTR_ERR(edev); +- } ++ if (IS_ERR(edev)) ++ return dev_err_probe(rphy->dev, PTR_ERR(edev), ++ "invalid or missing extcon\n"); + } else { + /* Initialize extcon device */ + edev = devm_extcon_dev_allocate(rphy->dev, +@@ -434,10 +432,9 @@ static int rockchip_usb2phy_extcon_regis + return -ENOMEM; + + ret = devm_extcon_dev_register(rphy->dev, edev); +- if (ret) { +- dev_err(rphy->dev, "failed to register extcon device\n"); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(rphy->dev, ret, ++ "failed to register extcon device\n"); + } + + rphy->edev = edev; +@@ -1396,10 +1393,8 @@ static int rockchip_usb2phy_probe(struct + } + + ret = rockchip_usb2phy_clk480m_register(rphy); +- if (ret) { +- dev_err(dev, "failed to register 480m output clock\n"); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(dev, ret, "failed to register 480m output clock\n"); + + if (rphy->phy_cfg->phy_tuning) { + ret = rphy->phy_cfg->phy_tuning(rphy); +@@ -1419,8 +1414,7 @@ static int rockchip_usb2phy_probe(struct + + phy = devm_phy_create(dev, child_np, &rockchip_usb2phy_ops); + if (IS_ERR(phy)) { +- dev_err_probe(dev, PTR_ERR(phy), "failed to create phy\n"); +- ret = PTR_ERR(phy); ++ ret = dev_err_probe(dev, PTR_ERR(phy), "failed to create phy\n"); + goto put_child; + } + +@@ -1457,8 +1451,7 @@ next_child: + "rockchip_usb2phy", + rphy); + if (ret) { +- dev_err(rphy->dev, +- "failed to request usb2phy irq handle\n"); ++ dev_err_probe(rphy->dev, ret, "failed to request usb2phy irq handle\n"); + goto put_child; + } + } diff --git a/queue-6.6/phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch b/queue-6.6/phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch new file mode 100644 index 0000000000..96c01a3acf --- /dev/null +++ b/queue-6.6/phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch @@ -0,0 +1,43 @@ +From stable+bounces-210640-greg=kroah.com@vger.kernel.org Wed Jan 21 02:50:07 2026 +From: Sasha Levin +Date: Tue, 20 Jan 2026 20:49:11 -0500 +Subject: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() +To: stable@vger.kernel.org +Cc: Wentao Liang , Neil Armstrong , Vinod Koul , Sasha Levin +Message-ID: <20260121014911.1112178-2-sashal@kernel.org> + +From: Wentao Liang + +[ Upstream commit e07dea3de508cd6950c937cec42de7603190e1ca ] + +The for_each_available_child_of_node() calls of_node_put() to +release child_np in each success loop. After breaking from the +loop with the child_np has been released, the code will jump to +the put_child label and will call the of_node_put() again if the +devm_request_threaded_irq() fails. These cause a double free bug. + +Fix by returning directly to avoid the duplicate of_node_put(). + +Fixes: ed2b5a8e6b98 ("phy: phy-rockchip-inno-usb2: support muxed interrupts") +Cc: stable@vger.kernel.org +Signed-off-by: Wentao Liang +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20260109154626.2452034-1-vulab@iscas.ac.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -1452,7 +1452,7 @@ next_child: + rphy); + if (ret) { + dev_err_probe(rphy->dev, ret, "failed to request usb2phy irq handle\n"); +- goto put_child; ++ return ret; + } + } + diff --git a/queue-6.6/selftests-bpf-check-for-timeout-in-perf_link-test.patch b/queue-6.6/selftests-bpf-check-for-timeout-in-perf_link-test.patch new file mode 100644 index 0000000000..f7d0e089e3 --- /dev/null +++ b/queue-6.6/selftests-bpf-check-for-timeout-in-perf_link-test.patch @@ -0,0 +1,72 @@ +From e6c209da7e0e9aaf955a7b59e91ed78c2b6c96fb Mon Sep 17 00:00:00 2001 +From: Ihor Solodrai +Date: Fri, 11 Oct 2024 15:31:07 +0000 +Subject: selftests/bpf: Check for timeout in perf_link test + +From: Ihor Solodrai + +commit e6c209da7e0e9aaf955a7b59e91ed78c2b6c96fb upstream. + +Recently perf_link test started unreliably failing on libbpf CI: + * https://github.com/libbpf/libbpf/actions/runs/11260672407/job/31312405473 + * https://github.com/libbpf/libbpf/actions/runs/11260992334/job/31315514626 + * https://github.com/libbpf/libbpf/actions/runs/11263162459/job/31320458251 + +Part of the test is running a dummy loop for a while and then checking +for a counter incremented by the test program. + +Instead of waiting for an arbitrary number of loop iterations once, +check for the test counter in a loop and use get_time_ns() helper to +enforce a 100ms timeout. + +v1: https://lore.kernel.org/bpf/zuRd072x9tumn2iN4wDNs5av0nu5nekMNV4PkR-YwCT10eFFTrUtZBRkLWFbrcCe7guvLStGQlhibo8qWojCO7i2-NGajes5GYIyynexD-w=@pm.me/ + +Signed-off-by: Ihor Solodrai +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241011153104.249800-1-ihor.solodrai@pm.me +Signed-off-by: Shung-Hsi Yu +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/prog_tests/perf_link.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/bpf/prog_tests/perf_link.c ++++ b/tools/testing/selftests/bpf/prog_tests/perf_link.c +@@ -4,8 +4,12 @@ + #include + #include + #include ++#include "testing_helpers.h" + #include "test_perf_link.skel.h" + ++#define BURN_TIMEOUT_MS 100 ++#define BURN_TIMEOUT_NS BURN_TIMEOUT_MS * 1000000 ++ + static void burn_cpu(void) + { + volatile int j = 0; +@@ -32,6 +36,7 @@ void serial_test_perf_link(void) + int run_cnt_before, run_cnt_after; + struct bpf_link_info info; + __u32 info_len = sizeof(info); ++ __u64 timeout_time_ns; + + /* create perf event */ + memset(&attr, 0, sizeof(attr)); +@@ -63,8 +68,14 @@ void serial_test_perf_link(void) + ASSERT_GT(info.prog_id, 0, "link_prog_id"); + + /* ensure we get at least one perf_event prog execution */ +- burn_cpu(); +- ASSERT_GT(skel->bss->run_cnt, 0, "run_cnt"); ++ timeout_time_ns = get_time_ns() + BURN_TIMEOUT_NS; ++ while (true) { ++ burn_cpu(); ++ if (skel->bss->run_cnt > 0) ++ break; ++ if (!ASSERT_LT(get_time_ns(), timeout_time_ns, "run_cnt_timeout")) ++ break; ++ } + + /* perf_event is still active, but we close link and BPF program + * shouldn't be executed anymore diff --git a/queue-6.6/series b/queue-6.6/series index d890612e85..ad749e0596 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -217,3 +217,38 @@ can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch +migrate-correct-lock-ordering-for-hugetlb-file-folios.patch +selftests-bpf-check-for-timeout-in-perf_link-test.patch +bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch +bridge-mcast-fix-use-after-free-during-router-port-configuration.patch +can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch +mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch +mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch +iio-core-add-missing-mutex_destroy-in-iio_dev_release.patch +iio-core-add-separate-lockdep-class-for-info_exist_lock.patch +mm-rmap-fix-two-comments-related-to-huge_pmd_unshare.patch +arm64-dts-rockchip-remove-redundant-max-link-speed-from-nanopi-r4s.patch +alsa-scarlett2-fix-buffer-overflow-in-config-retrieval.patch +iio-adc-exynos_adc-fix-of-populate-on-driver-rebind.patch +dmaengine-stm32-dmamux-fix-device-leak-on-route-allocation.patch +dmaengine-stm32-dmamux-fix-of-node-leak-on-route-allocation-failure.patch +mm-page_alloc-prevent-pcp-corruption-with-smp-n.patch +mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch +phy-phy-rockchip-inno-usb2-use-dev_err_probe-in-the-probe-path.patch +phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch +asoc-codecs-wsa881x-drop-unused-version-readout.patch +asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch +asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch +nvme-fc-rename-free_ctrl-callback-to-match-name-pattern.patch +nvme-pci-do-not-directly-handle-subsys-reset-fallout.patch +nvme-fix-pcie-subsystem-reset-controller-state-transition.patch +nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch +usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch +ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch +fs-ntfs3-initialize-allocated-memory-before-use.patch +drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch +wifi-ath11k-fix-rcu-stall-while-reaping-monitor-destination-ring.patch +x86-fpu-clear-xstate_bv-in-guest-xsave-state-whenever-xfd-1.patch +net-phy-move-phy_link_change-prior-to-mdio_bus_phy_may_suspend.patch +net-phy-allow-mdio-bus-pm-ops-to-start-stop-state-machine-for-phylink-controlled-phy.patch +net-phy-fix-phy_uses_state_machine.patch diff --git a/queue-6.6/usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch b/queue-6.6/usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch new file mode 100644 index 0000000000..6c3ffdc193 --- /dev/null +++ b/queue-6.6/usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch @@ -0,0 +1,78 @@ +From black.hawk@163.com Wed Jan 21 07:53:05 2026 +From: Rahul Sharma +Date: Wed, 21 Jan 2026 14:51:59 +0800 +Subject: usbnet: Fix using smp_processor_id() in preemptible code warnings +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Zqiang , Jakub Kicinski , Paolo Abeni , Rahul Sharma +Message-ID: <20260121065159.2877946-1-black.hawk@163.com> + +From: Zqiang + +[ Upstream commit 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 ] + +Syzbot reported the following warning: + +BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 +caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 +CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 + check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49 + usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 + usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708 + usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417 + __dev_set_mtu net/core/dev.c:9443 [inline] + netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496 + netif_set_mtu+0xb0/0x160 net/core/dev.c:9520 + dev_set_mtu+0xae/0x170 net/core/dev_api.c:247 + dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572 + dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821 + sock_do_ioctl+0x19d/0x280 net/socket.c:1204 + sock_ioctl+0x42f/0x6a0 net/socket.c:1311 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl fs/ioctl.c:892 [inline] + __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +For historical and portability reasons, the netif_rx() is usually +run in the softirq or interrupt context, this commit therefore add +local_bh_disable/enable() protection in the usbnet_resume_rx(). + +Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change") +Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1 +Suggested-by: Jakub Kicinski +Signed-off-by: Zqiang +Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev +Signed-off-by: Paolo Abeni +[ The context change is due to the commit 2c04d279e857 +("net: usb: Convert tasklet API to new bottom half workqueue mechanism") +in v6.17 which is irrelevant to the logic of this patch.] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -702,6 +702,7 @@ void usbnet_resume_rx(struct usbnet *dev + struct sk_buff *skb; + int num = 0; + ++ local_bh_disable(); + clear_bit(EVENT_RX_PAUSED, &dev->flags); + + while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) { +@@ -710,6 +711,7 @@ void usbnet_resume_rx(struct usbnet *dev + } + + tasklet_schedule(&dev->bh); ++ local_bh_enable(); + + netif_dbg(dev, rx_status, dev->net, + "paused rx queue disabled, %d skbs requeued\n", num); diff --git a/queue-6.6/wifi-ath11k-fix-rcu-stall-while-reaping-monitor-destination-ring.patch b/queue-6.6/wifi-ath11k-fix-rcu-stall-while-reaping-monitor-destination-ring.patch new file mode 100644 index 0000000000..f99be9c356 --- /dev/null +++ b/queue-6.6/wifi-ath11k-fix-rcu-stall-while-reaping-monitor-destination-ring.patch @@ -0,0 +1,64 @@ +From stable+bounces-211921-greg=kroah.com@vger.kernel.org Wed Jan 28 04:28:19 2026 +From: Li hongliang <1468888505@139.com> +Date: Wed, 28 Jan 2026 11:27:15 +0800 +Subject: wifi: ath11k: fix RCU stall while reaping monitor destination ring +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, quic_ppranees@quicinc.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, quic_kangyang@quicinc.com, kvalo@kernel.org, quic_jjohnson@quicinc.com, jeff.johnson@oss.qualcomm.com, jjohnson@kernel.org, quic_msinada@quicinc.com, rmanohar@codeaurora.org, julia.lawall@lip6.fr, quic_pradeepc@quicinc.com, linux-wireless@vger.kernel.org, ath11k@lists.infradead.org +Message-ID: <20260128032715.1183385-1-1468888505@139.com> + +From: P Praneesh + +[ Upstream commit 16c6c35c03ea73054a1f6d3302a4ce4a331b427d ] + +While processing the monitor destination ring, MSDUs are reaped from the +link descriptor based on the corresponding buf_id. + +However, sometimes the driver cannot obtain a valid buffer corresponding +to the buf_id received from the hardware. This causes an infinite loop +in the destination processing, resulting in a kernel crash. + +kernel log: +ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309 +ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed +ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309 +ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed + +Fix this by skipping the problematic buf_id and reaping the next entry, +replacing the break with the next MSDU processing. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: P Praneesh +Signed-off-by: Kang Yang +Acked-by: Kalle Valo +Acked-by: Jeff Johnson +Link: https://patch.msgid.link/20241219110531.2096-2-quic_kangyang@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -4728,7 +4728,7 @@ ath11k_dp_rx_mon_mpdu_pop(struct ath11k + if (!msdu) { + ath11k_dbg(ar->ab, ATH11K_DBG_DATA, + "msdu_pop: invalid buf_id %d\n", buf_id); +- break; ++ goto next_msdu; + } + rxcb = ATH11K_SKB_RXCB(msdu); + if (!rxcb->unmapped) { +@@ -5362,7 +5362,7 @@ ath11k_dp_rx_full_mon_mpdu_pop(struct at + "full mon msdu_pop: invalid buf_id %d\n", + buf_id); + spin_unlock_bh(&rx_ring->idr_lock); +- break; ++ goto next_msdu; + } + idr_remove(&rx_ring->bufs_idr, buf_id); + spin_unlock_bh(&rx_ring->idr_lock); diff --git a/queue-6.6/x86-fpu-clear-xstate_bv-in-guest-xsave-state-whenever-xfd-1.patch b/queue-6.6/x86-fpu-clear-xstate_bv-in-guest-xsave-state-whenever-xfd-1.patch new file mode 100644 index 0000000000..aa34da8744 --- /dev/null +++ b/queue-6.6/x86-fpu-clear-xstate_bv-in-guest-xsave-state-whenever-xfd-1.patch @@ -0,0 +1,177 @@ +From stable+bounces-210368-greg=kroah.com@vger.kernel.org Mon Jan 19 16:28:30 2026 +From: Sasha Levin +Date: Mon, 19 Jan 2026 10:28:25 -0500 +Subject: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 +To: stable@vger.kernel.org +Cc: Sean Christopherson , Paolo Bonzini , Binbin Wu , Sasha Levin +Message-ID: <20260119152825.3011564-1-sashal@kernel.org> + +From: Sean Christopherson + +[ Upstream commit b45f721775947a84996deb5c661602254ce25ce6 ] + +When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in +response to a guest WRMSR, clear XFD-disabled features in the saved (or to +be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for +features that are disabled via the guest's XFD. Because the kernel +executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 +will cause XRSTOR to #NM and panic the kernel. + +E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: + + ------------[ cut here ]------------ + WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848 + Modules linked in: kvm_intel kvm irqbypass + CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:exc_device_not_available+0x101/0x110 + Call Trace: + + asm_exc_device_not_available+0x1a/0x20 + RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 + switch_fpu_return+0x4a/0xb0 + kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm] + kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] + __x64_sys_ioctl+0x8f/0xd0 + do_syscall_64+0x62/0x940 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + ---[ end trace 0000000000000000 ]--- + +This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, +and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's +call to fpu_update_guest_xfd(). + +and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: + + ------------[ cut here ]------------ + WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867 + Modules linked in: kvm_intel kvm irqbypass + CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:exc_device_not_available+0x101/0x110 + Call Trace: + + asm_exc_device_not_available+0x1a/0x20 + RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 + fpu_swap_kvm_fpstate+0x6b/0x120 + kvm_load_guest_fpu+0x30/0x80 [kvm] + kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm] + kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] + __x64_sys_ioctl+0x8f/0xd0 + do_syscall_64+0x62/0x940 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + ---[ end trace 0000000000000000 ]--- + +The new behavior is consistent with the AMX architecture. Per Intel's SDM, +XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD +(and non-compacted XSAVE saves the initial configuration of the state +component): + + If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, + the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; + instead, it operates as if XINUSE[i] = 0 (and the state component was + in its initial state): it saves bit i of XSTATE_BV field of the XSAVE + header as 0; in addition, XSAVE saves the initial configuration of the + state component (the other instructions do not save state component i). + +Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using +a constant XFD based on the set of enabled features when XSAVEing for +a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled +features can only happen in the above interrupt case, or in similar +scenarios involving preemption on preemptible kernels, because +fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the +outgoing FPU state with the current XFD; and that is (on all but the +first WRMSR to XFD) the guest XFD. + +Therefore, XFD can only go out of sync with XSTATE_BV in the above +interrupt case, or in similar scenarios involving preemption on +preemptible kernels, and it we can consider it (de facto) part of KVM +ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. + +Reported-by: Paolo Bonzini +Cc: stable@vger.kernel.org +Fixes: 820a6ee944e7 ("kvm: x86: Add emulation for IA32_XFD", 2022-01-14) +Signed-off-by: Sean Christopherson +[Move clearing of XSTATE_BV from fpu_copy_uabi_to_guest_fpstate + to kvm_vcpu_ioctl_x86_set_xsave. - Paolo] +Reviewed-by: Binbin Wu +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/fpu/core.c | 32 +++++++++++++++++++++++++++++--- + arch/x86/kvm/x86.c | 9 +++++++++ + 2 files changed, 38 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -294,10 +294,29 @@ EXPORT_SYMBOL_GPL(fpu_enable_guest_xfd_f + #ifdef CONFIG_X86_64 + void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd) + { ++ struct fpstate *fpstate = guest_fpu->fpstate; ++ + fpregs_lock(); +- guest_fpu->fpstate->xfd = xfd; +- if (guest_fpu->fpstate->in_use) +- xfd_update_state(guest_fpu->fpstate); ++ ++ /* ++ * KVM's guest ABI is that setting XFD[i]=1 *can* immediately revert the ++ * save state to its initial configuration. Likewise, KVM_GET_XSAVE does ++ * the same as XSAVE and returns XSTATE_BV[i]=0 whenever XFD[i]=1. ++ * ++ * If the guest's FPU state is in hardware, just update XFD: the XSAVE ++ * in fpu_swap_kvm_fpstate will clear XSTATE_BV[i] whenever XFD[i]=1. ++ * ++ * If however the guest's FPU state is NOT resident in hardware, clear ++ * disabled components in XSTATE_BV now, or a subsequent XRSTOR will ++ * attempt to load disabled components and generate #NM _in the host_. ++ */ ++ if (xfd && test_thread_flag(TIF_NEED_FPU_LOAD)) ++ fpstate->regs.xsave.header.xfeatures &= ~xfd; ++ ++ fpstate->xfd = xfd; ++ if (fpstate->in_use) ++ xfd_update_state(fpstate); ++ + fpregs_unlock(); + } + EXPORT_SYMBOL_GPL(fpu_update_guest_xfd); +@@ -406,6 +425,13 @@ int fpu_copy_uabi_to_guest_fpstate(struc + return -EINVAL; + + /* ++ * Disabled features must be in their initial state, otherwise XRSTOR ++ * causes an exception. ++ */ ++ if (WARN_ON_ONCE(ustate->xsave.header.xfeatures & kstate->xfd)) ++ return -EINVAL; ++ ++ /* + * Nullify @vpkru to preserve its current value if PKRU's bit isn't set + * in the header. KVM's odd ABI is to leave PKRU untouched in this + * case (all other components are eventually re-initialized). +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5432,9 +5432,18 @@ static void kvm_vcpu_ioctl_x86_get_xsave + static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu, + struct kvm_xsave *guest_xsave) + { ++ union fpregs_state *xstate = (union fpregs_state *)guest_xsave->region; ++ + if (fpstate_is_confidential(&vcpu->arch.guest_fpu)) + return 0; + ++ /* ++ * For backwards compatibility, do not expect disabled features to be in ++ * their initial state. XSTATE_BV[i] must still be cleared whenever ++ * XFD[i]=1, or XRSTOR would cause a #NM. ++ */ ++ xstate->xsave.header.xfeatures &= ~vcpu->arch.guest_fpu.fpstate->xfd; ++ + return fpu_copy_uabi_to_guest_fpstate(&vcpu->arch.guest_fpu, + guest_xsave->region, + kvm_caps.supported_xcr0,