From: Greg Kroah-Hartman Date: Thu, 30 Apr 2026 13:56:40 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.12.86~88 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5211666e29682e0b35b7439382c3c066d1866b6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: spi-ch341-fix-memory-leaks-on-probe-failures.patch spi-imx-fix-use-after-free-on-unbind.patch um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch vfio-cdx-fix-null-pointer-dereference-in-interrupt-trigger-path.patch vfio-cdx-serialize-vfio_device_set_irqs-with-a-per-device-mutex.patch wifi-rtw88-check-for-pci-upstream-bridge-existence.patch zram-do-not-forget-to-endio-for-partial-discard-requests.patch --- diff --git a/queue-6.12/series b/queue-6.12/series index 339de80510..c23f863dfb 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -25,3 +25,10 @@ drm-amdgpu-use-vmemdup_array_user-in-amdgpu_bo_creat.patch drm-amdgpu-limit-bo-list-entry-count-to-prevent-reso.patch device-property-make-modifications-of-fwnode-flags-thread-safe.patch ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch +zram-do-not-forget-to-endio-for-partial-discard-requests.patch +wifi-rtw88-check-for-pci-upstream-bridge-existence.patch +vfio-cdx-serialize-vfio_device_set_irqs-with-a-per-device-mutex.patch +vfio-cdx-fix-null-pointer-dereference-in-interrupt-trigger-path.patch +um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch +spi-imx-fix-use-after-free-on-unbind.patch +spi-ch341-fix-memory-leaks-on-probe-failures.patch diff --git a/queue-6.12/spi-ch341-fix-memory-leaks-on-probe-failures.patch b/queue-6.12/spi-ch341-fix-memory-leaks-on-probe-failures.patch new file mode 100644 index 0000000000..d60be70cb8 --- /dev/null +++ b/queue-6.12/spi-ch341-fix-memory-leaks-on-probe-failures.patch 
@@ -0,0 +1,102 @@ +From b99e3ddb91b499d920e63a2daff8880be68cfe9e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 27 Mar 2026 11:43:04 +0100 +Subject: spi: ch341: fix memory leaks on probe failures + +From: Johan Hovold + +commit b99e3ddb91b499d920e63a2daff8880be68cfe9e upstream. + +Make sure to deregister the controller, disable pins, and kill and free +the RX URB on probe failures to mirror disconnect and avoid memory +leaks and use-after-free. + +Also add an explicit URB kill on disconnect for symmetry (even if that +is not strictly required as USB core would have stopped it in the +current setup). + +Fixes: 8846739f52af ("spi: add ch341a usb2spi driver") +Cc: stable@vger.kernel.org # 6.11 +Cc: Johannes Thumshirn +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260327104305.1309915-2-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-ch341.c | 36 +++++++++++++++++++++++++----------- + 1 file changed, 25 insertions(+), 11 deletions(-) + +--- a/drivers/spi/spi-ch341.c ++++ b/drivers/spi/spi-ch341.c +@@ -173,17 +173,17 @@ static int ch341_probe(struct usb_interf + + ch341->tx_buf = + devm_kzalloc(&udev->dev, CH341_PACKET_LENGTH, GFP_KERNEL); +- if (!ch341->tx_buf) +- return -ENOMEM; ++ if (!ch341->tx_buf) { ++ ret = -ENOMEM; ++ goto err_free_urb; ++ } + + usb_fill_bulk_urb(ch341->rx_urb, udev, ch341->read_pipe, ch341->rx_buf, + ch341->rx_len, ch341_recv, ch341); + + ret = usb_submit_urb(ch341->rx_urb, GFP_KERNEL); +- if (ret) { +- usb_free_urb(ch341->rx_urb); +- return -ENOMEM; +- } ++ if (ret) ++ goto err_free_urb; + + ctrl->bus_num = -1; + ctrl->mode_bits = SPI_CPHA; +@@ -195,21 +195,34 @@ static int ch341_probe(struct usb_interf + + ret = ch341_config_stream(ch341); + if (ret) +- return ret; ++ goto err_kill_urb; + + ret = ch341_enable_pins(ch341, true); + if (ret) +- return ret; ++ goto err_kill_urb; + + ret = spi_register_controller(ctrl); + if (ret) +- return ret; ++ goto 
err_disable_pins; + + ch341->spidev = spi_new_device(ctrl, &chip); +- if (!ch341->spidev) +- return -ENOMEM; ++ if (!ch341->spidev) { ++ ret = -ENOMEM; ++ goto err_unregister; ++ } + + return 0; ++ ++err_unregister: ++ spi_unregister_controller(ctrl); ++err_disable_pins: ++ ch341_enable_pins(ch341, false); ++err_kill_urb: ++ usb_kill_urb(ch341->rx_urb); ++err_free_urb: ++ usb_free_urb(ch341->rx_urb); ++ ++ return ret; + } + + static void ch341_disconnect(struct usb_interface *intf) +@@ -219,6 +232,7 @@ static void ch341_disconnect(struct usb_ + spi_unregister_device(ch341->spidev); + spi_unregister_controller(ch341->ctrl); + ch341_enable_pins(ch341, false); ++ usb_kill_urb(ch341->rx_urb); + usb_free_urb(ch341->rx_urb); + } + diff --git a/queue-6.12/spi-imx-fix-use-after-free-on-unbind.patch b/queue-6.12/spi-imx-fix-use-after-free-on-unbind.patch new file mode 100644 index 0000000000..734170e157 --- /dev/null +++ b/queue-6.12/spi-imx-fix-use-after-free-on-unbind.patch 
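Review bot: In the new `err_unregister` path and in `ch341_disconnect()`, `ch341` and `ch341->rx_urb` are still dereferenced after `spi_unregister_controller()`, which drops the SPI core's reference to the controller; if `ctrl` was obtained with plain `spi_alloc_host()` rather than `devm_spi_alloc_host()`, that unregister frees the controller and its driver data, and `ch341_enable_pins(ch341, false)` plus `usb_kill_urb(ch341->rx_urb)` become use-after-free — the same hazard the spi-imx patch in this batch closes with `spi_controller_get()`/`spi_controller_put()`. The allocation is outside the hunk; the `devm_kzalloc(&udev->dev, …)` on `tx_buf` suggests a devm-managed controller, in which case the order is fine, but it deserves a one-line comment at the label, e.g. `err_unregister: /* ctrl is devm-allocated, so ch341 outlives the unregister below */`. The opening of `ch341_probe()`, including where `rx_urb` and `ctrl` are allocated, is not visible in this hunk.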
@@ -0,0 +1,47 @@ +From 1c78c2002380a1fe31bfb01a3d5f29809e55a096 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 24 Mar 2026 09:23:22 +0100 +Subject: spi: imx: fix use-after-free on unbind + +From: Johan Hovold + +commit 1c78c2002380a1fe31bfb01a3d5f29809e55a096 upstream. + +The SPI subsystem frees the controller and any subsystem allocated +driver data as part of deregistration (unless the allocation is device +managed). + +Take another reference before deregistering the controller so that the +driver data is not freed until the driver is done with it. + +Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller") +Cc: stable@vger.kernel.org # 5.19 +Acked-by: Marc Kleine-Budde +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260324082326.901043-2-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-imx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1893,6 +1893,8 @@ static void spi_imx_remove(struct platfo + struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller); + int ret; + ++ spi_controller_get(controller); ++ + spi_unregister_controller(controller); + + ret = pm_runtime_get_sync(spi_imx->dev); +@@ -1906,6 +1908,8 @@ static void spi_imx_remove(struct platfo + pm_runtime_disable(spi_imx->dev); + + spi_imx_sdma_exit(spi_imx); ++ ++ spi_controller_put(controller); + } + + static int spi_imx_runtime_resume(struct device *dev) diff --git a/queue-6.12/um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch b/queue-6.12/um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch new file mode 100644 index 0000000000..d64b730c12 --- /dev/null +++ b/queue-6.12/um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch 
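Review bot: The added `spi_controller_get(controller)` / `spi_controller_put(controller)` pair in `spi_imx_remove()` carries no comment, and the reason for it is non-obvious: `spi_unregister_controller()` may drop the last reference and free `spi_imx`, which every later line of the function dereferences. I'd put `/* Hold our own reference: unregister may otherwise free spi_imx (controller devdata) */` above the get. The lines between the two hunks are not visible here; if any early `return` sits between `pm_runtime_get_sync()` and the final `spi_controller_put()`, the extra reference would leak, so confirm there is none or route every exit through a single path that does the put.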
@@ -0,0 +1,57 @@ +From 91e901c65b4da02a6fd543e3f0049829ae9645b7 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Wed, 8 Apr 2026 03:01:02 -0400 +Subject: um: drivers: call kernel_strrchr() explicitly in cow_user.c + +From: Michael Bommarito + +commit 91e901c65b4da02a6fd543e3f0049829ae9645b7 upstream. + +Building ARCH=um on glibc >= 2.43 fails: + + arch/um/drivers/cow_user.c: error: implicit declaration of + function 'strrchr' [-Wimplicit-function-declaration] + +glibc 2.43's C23 const-preserving strrchr() macro does not survive +UML's global -Dstrrchr=kernel_strrchr remap from arch/um/Makefile. +Call kernel_strrchr() directly in cow_user.c so the source no longer +depends on the -D rewrite. + +Fixes: 2c51a4bc0233 ("um: fix strrchr() problems") +Suggested-by: Johannes Berg +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-6 +Assisted-by: Codex:gpt-5-4 +Signed-off-by: Michael Bommarito +Link: https://patch.msgid.link/20260408070102.2325572-1-michael.bommarito@gmail.com +[remove unnecessary 'extern'] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + arch/um/drivers/cow_user.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/um/drivers/cow_user.c ++++ b/arch/um/drivers/cow_user.c +@@ -15,6 +15,12 @@ + #include "cow.h" + #include "cow_sys.h" + ++/* ++ * arch/um/Makefile remaps strrchr to kernel_strrchr; call the kernel ++ * name directly to avoid glibc >= 2.43's C23 strrchr macro. ++ */ ++char *kernel_strrchr(const char *, int); ++ + #define PATH_LEN_V1 256 + + /* unsigned time_t works until year 2106 */ +@@ -153,7 +159,7 @@ static int absolutize(char *to, int size + errno); + return -1; + } +- slash = strrchr(from, '/'); ++ slash = kernel_strrchr(from, '/'); + if (slash != NULL) { + *slash = '\0'; + if (chdir(from)) { 
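Review bot: The new prototype `char *kernel_strrchr(const char *, int);` is a private declaration in a .c file; if `kernel_strrchr` is already declared in a shared UML header, include that instead so the signature lives in one place, and if it is not, a shared header is where this declaration belongs so the next file hit by the glibc 2.43 macro does not copy it. At minimum name the parameters, `char *kernel_strrchr(const char *s, int c);`, as kernel style expects in prototypes. `absolutize()` starts and ends outside this hunk, so I cannot tell whether other `strrchr()` uses in the file need the same treatment.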
diff --git a/queue-6.12/vfio-cdx-fix-null-pointer-dereference-in-interrupt-trigger-path.patch b/queue-6.12/vfio-cdx-fix-null-pointer-dereference-in-interrupt-trigger-path.patch new file mode 100644 index 0000000000..1ebea0904f --- /dev/null +++ b/queue-6.12/vfio-cdx-fix-null-pointer-dereference-in-interrupt-trigger-path.patch 
@@ -0,0 +1,49 @@ +From 5ea5880764cbb164afb17a62e76ca75dc371409d Mon Sep 17 00:00:00 2001 +From: Prasanna Kumar T S M +Date: Fri, 17 Apr 2026 14:27:56 -0600 +Subject: vfio/cdx: Fix NULL pointer dereference in interrupt trigger path + +From: Prasanna Kumar T S M + +commit 5ea5880764cbb164afb17a62e76ca75dc371409d upstream. + +Add validation to ensure MSI is configured before accessing cdx_irqs +array in vfio_cdx_set_msi_trigger(). Without this check, userspace +can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS +with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before +ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD. + +The vfio_cdx_msi_enable() function allocates the cdx_irqs array and +sets config_msi to 1 only when called through the EVENTFD path. The +trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been +done, but there was no enforcement of this call ordering. + +This matches the protection used in the PCI VFIO driver where +vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop. + +Fixes: 848e447e000c ("vfio/cdx: add interrupt support") +Cc: stable@vger.kernel.org +Signed-off-by: Prasanna Kumar T S M +Acked-by: Nipun Gupta +Signed-off-by: Alex Williamson +Acked-by: Nikhil Agarwal +Link: https://lore.kernel.org/r/20260417202800.88287-2-alex.williamson@nvidia.com +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/cdx/intr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/vfio/cdx/intr.c ++++ b/drivers/vfio/cdx/intr.c +@@ -177,6 +177,10 @@ static int vfio_cdx_set_msi_trigger(stru + return ret; + } + ++ /* Ensure MSI is configured before accessing cdx_irqs */ ++ if (!vdev->config_msi) ++ return -EINVAL; ++ + for (i = start; i < start + count; i++) { + if (!vdev->cdx_irqs[i].trigger) + continue; 
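Review bot: The comment on the new check, `/* Ensure MSI is configured before accessing cdx_irqs */`, states the invariant but not the misuse it rejects, which is what a reader of the `-EINVAL` needs; I'd write `/* DATA_BOOL/DATA_NONE before any DATA_EVENTFD setup: cdx_irqs is still NULL */`. The read of `vdev->config_msi` is unlocked within this hunk; the serialization patch queued alongside it in this batch adds the `cdx_irqs_lock` guard earlier in the function, so nothing further is needed here provided the two land together, which the series file ensures. `vfio_cdx_set_msi_trigger()` begins outside this hunk.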
diff --git a/queue-6.12/vfio-cdx-serialize-vfio_device_set_irqs-with-a-per-device-mutex.patch b/queue-6.12/vfio-cdx-serialize-vfio_device_set_irqs-with-a-per-device-mutex.patch new file mode 100644 index 0000000000..b1cabd520f --- /dev/null +++ b/queue-6.12/vfio-cdx-serialize-vfio_device_set_irqs-with-a-per-device-mutex.patch 
@@ -0,0 +1,121 @@ +From 670e8864b1a218d72f08db40d0103adf38fa1d9b Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Fri, 17 Apr 2026 14:27:57 -0600 +Subject: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex + +From: Alex Williamson + +commit 670e8864b1a218d72f08db40d0103adf38fa1d9b upstream. + +vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the +vdev->cdx_irqs array based on its value, but provides no serialization +against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race +such that one observes config_msi as set while another clears it and +frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free +of the cdx_irqs array. + +Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in +vfio_cdx_set_msi_trigger(), which is the single chokepoint through +which all updates to config_msi, cdx_irqs, and msi_count flow, covering +both the ioctl path and the close-device cleanup path. This keeps the +test of config_msi atomic with the subsequent enable, disable, or +trigger operations. + +Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part +of this change: the optimization it provided is redundant with the +!config_msi early-return inside vfio_cdx_msi_disable(), and leaving the +test in place would be an unsynchronized read of state the new lock is +meant to protect. 
+ +Fixes: 848e447e000c ("vfio/cdx: add interrupt support") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Alex Williamson +Acked-by: Nikhil Agarwal +Link: https://lore.kernel.org/r/20260417202800.88287-3-alex.williamson@nvidia.com +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/cdx/intr.c | 9 ++------- + drivers/vfio/cdx/main.c | 19 +++++++++++++++++++ + drivers/vfio/cdx/private.h | 3 +++ + 3 files changed, 24 insertions(+), 7 deletions(-) + +--- a/drivers/vfio/cdx/intr.c ++++ b/drivers/vfio/cdx/intr.c +@@ -152,6 +152,8 @@ static int vfio_cdx_set_msi_trigger(stru + if (start + count > cdx_dev->num_msi) + return -EINVAL; + ++ guard(mutex)(&vdev->cdx_irqs_lock); ++ + if (!count && (flags & VFIO_IRQ_SET_DATA_NONE)) { + vfio_cdx_msi_disable(vdev); + return 0; +@@ -206,12 +208,5 @@ int vfio_cdx_set_irqs_ioctl(struct vfio_ + /* Free All IRQs for the given device */ + void vfio_cdx_irqs_cleanup(struct vfio_cdx_device *vdev) + { +- /* +- * Device does not support any interrupt or the interrupts +- * were not configured +- */ +- if (!vdev->cdx_irqs) +- return; +- + vfio_cdx_set_msi_trigger(vdev, 0, 0, 0, VFIO_IRQ_SET_DATA_NONE, NULL); + } +--- a/drivers/vfio/cdx/main.c ++++ b/drivers/vfio/cdx/main.c +@@ -8,6 +8,23 @@ + + #include "private.h" + ++static int vfio_cdx_init_dev(struct vfio_device *core_vdev) ++{ ++ struct vfio_cdx_device *vdev = ++ container_of(core_vdev, struct vfio_cdx_device, vdev); ++ ++ mutex_init(&vdev->cdx_irqs_lock); ++ return 0; ++} ++ ++static void vfio_cdx_release_dev(struct vfio_device *core_vdev) ++{ ++ struct vfio_cdx_device *vdev = ++ container_of(core_vdev, struct vfio_cdx_device, vdev); ++ ++ mutex_destroy(&vdev->cdx_irqs_lock); ++} ++ + static int vfio_cdx_open_device(struct vfio_device *core_vdev) + { + struct vfio_cdx_device *vdev = +@@ -281,6 +298,8 @@ static int vfio_cdx_mmap(struct vfio_dev + + static const struct vfio_device_ops vfio_cdx_ops = { + .name = 
"vfio-cdx", ++ .init = vfio_cdx_init_dev, ++ .release = vfio_cdx_release_dev, + .open_device = vfio_cdx_open_device, + .close_device = vfio_cdx_close_device, + .ioctl = vfio_cdx_ioctl, +--- a/drivers/vfio/cdx/private.h ++++ b/drivers/vfio/cdx/private.h +@@ -6,6 +6,8 @@ + #ifndef VFIO_CDX_PRIVATE_H + #define VFIO_CDX_PRIVATE_H + ++#include ++ + #define VFIO_CDX_OFFSET_SHIFT 40 + + static inline u64 vfio_cdx_index_to_offset(u32 index) +@@ -31,6 +33,7 @@ struct vfio_cdx_region { + struct vfio_cdx_device { + struct vfio_device vdev; + struct vfio_cdx_region *regions; ++ struct mutex cdx_irqs_lock; + struct vfio_cdx_irq *cdx_irqs; + u32 flags; + #define BME_SUPPORT BIT(0) diff --git a/queue-6.12/wifi-rtw88-check-for-pci-upstream-bridge-existence.patch b/queue-6.12/wifi-rtw88-check-for-pci-upstream-bridge-existence.patch new file mode 100644 index 0000000000..89db0fd1d0 --- /dev/null +++ b/queue-6.12/wifi-rtw88-check-for-pci-upstream-bridge-existence.patch 
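Review bot: The new `struct mutex cdx_irqs_lock;` field in `private.h` has no comment saying what it protects, although the changelog is precise about it; add `/* serializes config_msi, cdx_irqs and msi_count: all SET_IRQS paths and close-device cleanup */` on the field so the next reader does not have to recover that from git history. Separately, the added `#include` line in `private.h` shows no header name in this rendering — presumably `<linux/mutex.h>` — so verify the queued file actually carries it. The `guard(mutex)` in `vfio_cdx_set_msi_trigger()` sits after the `start + count > cdx_dev->num_msi` check and before the `DATA_NONE` disable path, which covers the state the lock is meant to protect; the rest of that function is outside the hunk.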
@@ -0,0 +1,44 @@ +From eb101d2abdcccb514ca4fccd3b278dd8267374f6 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Fri, 20 Feb 2026 12:47:30 +0300 +Subject: wifi: rtw88: check for PCI upstream bridge existence + +From: Fedor Pchelkin + +commit eb101d2abdcccb514ca4fccd3b278dd8267374f6 upstream. + +pci_upstream_bridge() returns NULL if the device is on a root bus. If +8821CE is installed in the system with such a PCI topology, the probing +routine will crash. This has probably been unnoticed as 8821CE is mostly +supplied in laptops where there is a PCI-to-PCI bridge located upstream +from the device. However the card might be installed on a system with +different configuration. + +Check if the bridge does exist for the specific workaround to be applied. + +Found by Linux Verification Center (linuxtesting.org) with Svace static +analysis tool. + +Fixes: 24f5e38a13b5 ("rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20260220094730.49791-1-pchelkin@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtw88/pci.c ++++ b/drivers/net/wireless/realtek/rtw88/pci.c +@@ -1767,7 +1767,8 @@ int rtw_pci_probe(struct pci_dev *pdev, + } + + /* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */ +- if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL) ++ if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && ++ bridge && bridge->vendor == PCI_VENDOR_ID_INTEL) + rtwpci->rx_no_aspm = true; + + rtw_pci_phy_cfg(rtwdev); diff --git a/queue-6.12/zram-do-not-forget-to-endio-for-partial-discard-requests.patch b/queue-6.12/zram-do-not-forget-to-endio-for-partial-discard-requests.patch new file mode 100644 index 0000000000..5800fe81d6 --- /dev/null 
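Review bot: The new `bridge &&` test has no comment explaining when `bridge` can be NULL, and that is the whole point of the fix; I'd put `/* bridge is NULL when the device sits directly on a root bus */` on the line above the `if`, next to the existing ASPM comment. `bridge` itself is assigned outside this hunk (presumably from `pci_upstream_bridge(pdev)`), and `rtw_pci_probe()` continues beyond it, so I cannot confirm there is no other unguarded use of `bridge` in the function — worth a quick grep before queuing.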
+++ b/queue-6.12/zram-do-not-forget-to-endio-for-partial-discard-requests.patch @@ -0,0 +1,59 @@ +From e3668b371329ea036ff022ce8ecc82f8befcf003 Mon Sep 17 00:00:00 2001 +From: Sergey Senozhatsky +Date: Tue, 31 Mar 2026 16:42:44 +0900 +Subject: zram: do not forget to endio for partial discard requests + +From: Sergey Senozhatsky + +commit e3668b371329ea036ff022ce8ecc82f8befcf003 upstream. + +As reported by Qu Wenruo and Avinesh Kumar, the following + + getconf PAGESIZE + 65536 + blkdiscard -p 4k /dev/zram0 + +takes literally forever to complete. zram doesn't support partial +discards and just returns immediately w/o doing any discard work in such +cases. The problem is that we forget to endio on our way out, so +blkdiscard sleeps forever in submit_bio_wait(). Fix this by jumping to +end_bio label, which does bio_endio(). + +Link: https://lore.kernel.org/20260331074255.777019-1-senozhatsky@chromium.org +Fixes: 0120dd6e4e20 ("zram: make zram_bio_discard more self-contained") +Signed-off-by: Sergey Senozhatsky +Reported-by: Qu Wenruo +Closes: https://lore.kernel.org/linux-block/92361cd3-fb8b-482e-bc89-15ff1acb9a59@suse.com +Tested-by: Qu Wenruo +Reported-by: Avinesh Kumar +Closes: https://bugzilla.suse.com/show_bug.cgi?id=1256530 +Reviewed-by: Christoph Hellwig +Cc: Brian Geffon +Cc: Jens Axboe +Cc: Minchan Kim +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/zram/zram_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -2017,7 +2017,7 @@ static void zram_bio_discard(struct zram + */ + if (offset) { + if (n <= (PAGE_SIZE - offset)) +- return; ++ goto end_bio; + + n -= (PAGE_SIZE - offset); + index++; +@@ -2032,6 +2032,7 @@ static void zram_bio_discard(struct zram + n -= PAGE_SIZE; + } + ++end_bio: + bio_endio(bio); + } +
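Review bot: The new `end_bio:` label completes the bio with success even though nothing was discarded, and neither the label nor the `goto end_bio` says so; I'd annotate it, `end_bio: /* sub-page ranges are skipped, not an error: the bio must still complete */`, since the same silent skip presumably applies to any `n < PAGE_SIZE` tail left after the loop. That is acceptable for discard, which is advisory, but it should be stated next to the code rather than only in the comment whose closing `*/` opens this hunk. `zram_bio_discard()` starts outside the hunk.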