From: Sasha Levin Date: Mon, 15 Dec 2025 11:06:50 +0000 (-0500) Subject: Fixes for all trees X-Git-Tag: v6.12.63~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f02f7673c3093afd28e862211f52c0c26df0ddf1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch b/queue-5.10/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch new file mode 100644 index 0000000000..6d474583db --- /dev/null +++ b/queue-5.10/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch @@ -0,0 +1,133 @@ +From 2a72545fa7a789e7ebd79c817c6cf92728a69156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:54 -0700 +Subject: efi/cper: Add a new helper function to print bitmasks + +From: Mauro Carvalho Chehab + +[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ] + +Add a helper function to print a string with names associated +to each bit field. + +A typical example is: + + const char * const bits[] = { + "bit 3 name", + "bit 4 name", + "bit 5 name", + }; + char str[120]; + unsigned int bitmask = BIT(3) | BIT(5); + + #define MASK GENMASK(5,3) + + cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), + bits, ARRAY_SIZE(bits)); + +The above code fills string "str" with "bit 3 name|bit 5 name". + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++ + include/linux/cper.h | 2 ++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index 232c092c4c970..a49868d01808b 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -12,6 +12,7 @@ + * Specification version 2.4. + */ + ++#include + #include + #include + #include +@@ -105,6 +106,65 @@ void cper_print_bits(const char *pfx, unsigned int bits, + printk("%s\n", buf); + } + ++/** ++ * cper_bits_to_str - return a string for set bits ++ * @buf: buffer to store the output string ++ * @buf_size: size of the output string buffer ++ * @bits: bit mask ++ * @strs: string array, indexed by bit position ++ * @strs_size: size of the string array: @strs ++ * ++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits, ++ * add the corresponding string describing the bit in @strs to @buf. ++ * ++ * A typical example is:: ++ * ++ * const char * const bits[] = { ++ * "bit 3 name", ++ * "bit 4 name", ++ * "bit 5 name", ++ * }; ++ * char str[120]; ++ * unsigned int bitmask = BIT(3) | BIT(5); ++ * #define MASK GENMASK(5,3) ++ * ++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), ++ * bits, ARRAY_SIZE(bits)); ++ * ++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``. ++ * ++ * Return: number of bytes stored or an error code if lower than zero. ++ */ ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size) ++{ ++ int len = buf_size; ++ char *str = buf; ++ int i, size; ++ ++ *buf = '\0'; ++ ++ for_each_set_bit(i, &bits, strs_size) { ++ if (!(bits & BIT_ULL(i))) ++ continue; ++ ++ if (*buf && len > 0) { ++ *str = '|'; ++ len--; ++ str++; ++ } ++ ++ size = strscpy(str, strs[i], len); ++ if (size < 0) ++ return size; ++ ++ len -= size; ++ str += size; ++ } ++ return len - buf_size; ++} ++EXPORT_SYMBOL_GPL(cper_bits_to_str); ++ + static const char * const proc_type_strs[] = { + "IA32/X64", + "IA64", +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 6a511a1078ca0..724a5e3c122d6 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -560,6 +560,8 @@ const char *cper_severity_str(unsigned int); + const char *cper_mem_err_type_str(unsigned int); + void cper_print_bits(const char *prefix, unsigned int bits, + const char * const strs[], unsigned int strs_size); ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size); + void cper_mem_err_pack(const struct cper_sec_mem_err *, + struct cper_mem_err_compact *); + const char *cper_mem_err_unpack(struct trace_seq *, +-- +2.51.0 + diff --git a/queue-5.10/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch b/queue-5.10/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch new file mode 100644 index 0000000000..73bbb9653b --- /dev/null +++ b/queue-5.10/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch @@ -0,0 +1,50 @@ +From 37accc429f5df1ed19c24b6aa5921ba2346ff737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:53 -0700 +Subject: efi/cper: Adjust infopfx size to accept an extra space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauro Carvalho Chehab + +[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ] + +Compiling with W=1 with werror enabled produces an error: + +drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’: +drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^ +drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64 + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As the logic there adds an space at the end of infopx buffer. +Add an extra space to avoid such warning. + +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper-arm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index 36d3b8b9da47e..f4b7a48327fbb 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -241,7 +241,7 @@ void cper_print_proc_arm(const char *pfx, + int i, len, max_ctx_type; + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; +- char newpfx[64], infopfx[64]; ++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +-- +2.51.0 + diff --git a/queue-5.10/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch b/queue-5.10/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch new file mode 100644 index 0000000000..ff0105b76f --- /dev/null +++ b/queue-5.10/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch @@ -0,0 +1,230 @@ +From b957b2b8c190f3c7ec31140b8abc48fc9a90bda1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:55 -0700 +Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs + +From: Mauro Carvalho Chehab + +[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ] + +Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor +was defined simply as: + +Type at byte offset 4: + + - Cache error + - TLB Error + - Bus Error + - Micro-architectural Error + All other values are reserved + +Yet, there was no information about how this would be encoded. + +Spec 2.9A errata corrected it by defining: + + - Bit 1 - Cache Error + - Bit 2 - TLB Error + - Bit 3 - Bus Error + - Bit 4 - Micro-architectural Error + All other values are reserved + +That actually aligns with the values already defined on older +versions at N.2.4.1. Generic Processor Error Section. + +Spec 2.10 also preserve the same encoding as 2.9A. + +Adjust CPER and GHES handling code for both generic and ARM +processors to properly handle UEFI 2.9A and 2.10 encoding. + +Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 16 +++++++---- + drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++----------------- + include/linux/cper.h | 10 +++---- + 3 files changed, 39 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 250ea9ec5f0c2..bdb23ca251e23 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -500,6 +501,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + { + struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); + int flags = sync ? MF_ACTION_REQUIRED : 0; ++ char error_type[120]; + bool queued = false; + int sec_sev, i; + char *p; +@@ -513,9 +515,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + p = (char *)(err + 1); + for (i = 0; i < err->err_info_num; i++) { + struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p; +- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR); ++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR; + bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR); +- const char *error_type = "unknown error"; + + /* + * The field (err_info->error_info & BIT(26)) is fixed to set to +@@ -529,12 +530,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + continue; + } + +- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs)) +- error_type = cper_proc_error_type_strs[err_info->type]; ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); + + pr_warn_ratelimited(FW_WARN GHES_PFX +- "Unhandled processor error type: %s\n", +- error_type); ++ "Unhandled processor error type 0x%02x: %s%s\n", ++ err_info->type, error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); + p += err_info->length; + } + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index f4b7a48327fbb..ea43589944ba5 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -94,15 +94,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + bool proc_context_corrupt, corrected, precise_pc, restartable_pc; + bool time_out, access_mode; + +- /* If the type is unknown, bail. */ +- if (type > CPER_ARM_MAX_TYPE) +- return; +- + /* + * Vendor type errors have error information values that are vendor + * specific. + */ +- if (type == CPER_ARM_VENDOR_ERROR) ++ if (type & CPER_ARM_VENDOR_ERROR) + return; + + if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) { +@@ -117,43 +113,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) { + op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT) + & CPER_ARM_ERR_OPERATION_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) { + if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%scache error, operation type: %s\n", pfx, + arm_cache_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_TLB_ERROR: ++ } ++ if (type & CPER_ARM_TLB_ERROR) { + if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sTLB error, operation type: %s\n", pfx, + arm_tlb_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_BUS_ERROR: ++ } ++ if (type & CPER_ARM_BUS_ERROR) { + if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sbus error, operation type: %s\n", pfx, + arm_bus_err_op_strs[op_type]); + } +- break; + } + } + + if (error_info & CPER_ARM_ERR_VALID_LEVEL) { + level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT) + & CPER_ARM_ERR_LEVEL_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) + printk("%scache level: %d\n", pfx, level); +- break; +- case CPER_ARM_TLB_ERROR: ++ ++ if (type & CPER_ARM_TLB_ERROR) + printk("%sTLB level: %d\n", pfx, level); +- break; +- case CPER_ARM_BUS_ERROR: ++ ++ if (type & CPER_ARM_BUS_ERROR) + printk("%saffinity level at which the bus error occurred: %d\n", + pfx, level); +- break; +- } + } + + if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) { +@@ -242,6 +233,7 @@ void cper_print_proc_arm(const char *pfx, + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; + char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; ++ char error_type[120]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +@@ -290,9 +282,15 @@ void cper_print_proc_arm(const char *pfx, + newpfx); + } + +- printk("%serror_type: %d, %s\n", newpfx, err_info->type, +- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ? +- cper_proc_error_type_strs[err_info->type] : "unknown"); ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); ++ ++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type, ++ error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); ++ + if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) { + printk("%serror_info: 0x%016llx\n", newpfx, + err_info->error_info); +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 724a5e3c122d6..a31e22cc839eb 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -270,11 +270,11 @@ enum { + #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2) + #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3) + +-#define CPER_ARM_CACHE_ERROR 0 +-#define CPER_ARM_TLB_ERROR 1 +-#define CPER_ARM_BUS_ERROR 2 +-#define CPER_ARM_VENDOR_ERROR 3 +-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR ++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1) ++#define CPER_ARM_CACHE_ERROR BIT(1) ++#define CPER_ARM_TLB_ERROR BIT(2) ++#define CPER_ARM_BUS_ERROR BIT(3) ++#define CPER_ARM_VENDOR_ERROR BIT(4) + + #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0) + #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1) +-- +2.51.0 + diff --git a/queue-5.10/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch b/queue-5.10/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch new file mode 100644 index 0000000000..f00dc35b50 --- /dev/null +++ b/queue-5.10/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch @@ -0,0 +1,45 @@ +From 5415675f40754e79db72a23973787e8c3546ef7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 09:51:59 +0300 +Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left() + +From: Dmitry Antipov + +[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ] + +In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after +move, thus allowing 'ocfs2_free_path()' to free it before return. + +Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru +Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") +Signed-off-by: Dmitry Antipov +Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 +Reviewed-by: Heming Zhao +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 94c7acfebe183..9f61a6d64cbce 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -3649,7 +3649,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path, + * So we use the new rightmost path. + */ + ocfs2_mv_path(right_path, left_path); +- left_path = NULL; + } else + ocfs2_complete_edge_insert(handle, left_path, + right_path, subtree_index); +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index f286c190dc..5c53d47ff1 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -142,3 +142,7 @@ alsa-uapi-fix-typo-in-asound.h-comment.patch arm-9464-1-fix-input-only-operand-modification-in-lo.patch dm-raid-fix-possible-null-dereference-with-undefined.patch dm-log-writes-add-missing-set_freezable-for-freezabl.patch +efi-cper-add-a-new-helper-function-to-print-bitmasks.patch +efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch +efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch +ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch diff --git a/queue-5.15/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch b/queue-5.15/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch new file mode 100644 index 0000000000..54aa0e6494 --- /dev/null +++ b/queue-5.15/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch @@ -0,0 +1,133 @@ +From 433107503b64b57f27108d4ad58979294ebdf134 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:54 -0700 +Subject: efi/cper: Add a new helper function to print bitmasks + +From: Mauro Carvalho Chehab + +[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ] + +Add a helper function to print a string with names associated +to each bit field. + +A typical example is: + + const char * const bits[] = { + "bit 3 name", + "bit 4 name", + "bit 5 name", + }; + char str[120]; + unsigned int bitmask = BIT(3) | BIT(5); + + #define MASK GENMASK(5,3) + + cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), + bits, ARRAY_SIZE(bits)); + +The above code fills string "str" with "bit 3 name|bit 5 name". + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++ + include/linux/cper.h | 2 ++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index 6ec8edec63296..d0668452dca9e 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -12,6 +12,7 @@ + * Specification version 2.4. + */ + ++#include + #include + #include + #include +@@ -105,6 +106,65 @@ void cper_print_bits(const char *pfx, unsigned int bits, + printk("%s\n", buf); + } + ++/** ++ * cper_bits_to_str - return a string for set bits ++ * @buf: buffer to store the output string ++ * @buf_size: size of the output string buffer ++ * @bits: bit mask ++ * @strs: string array, indexed by bit position ++ * @strs_size: size of the string array: @strs ++ * ++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits, ++ * add the corresponding string describing the bit in @strs to @buf. ++ * ++ * A typical example is:: ++ * ++ * const char * const bits[] = { ++ * "bit 3 name", ++ * "bit 4 name", ++ * "bit 5 name", ++ * }; ++ * char str[120]; ++ * unsigned int bitmask = BIT(3) | BIT(5); ++ * #define MASK GENMASK(5,3) ++ * ++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), ++ * bits, ARRAY_SIZE(bits)); ++ * ++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``. ++ * ++ * Return: number of bytes stored or an error code if lower than zero. ++ */ ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size) ++{ ++ int len = buf_size; ++ char *str = buf; ++ int i, size; ++ ++ *buf = '\0'; ++ ++ for_each_set_bit(i, &bits, strs_size) { ++ if (!(bits & BIT_ULL(i))) ++ continue; ++ ++ if (*buf && len > 0) { ++ *str = '|'; ++ len--; ++ str++; ++ } ++ ++ size = strscpy(str, strs[i], len); ++ if (size < 0) ++ return size; ++ ++ len -= size; ++ str += size; ++ } ++ return len - buf_size; ++} ++EXPORT_SYMBOL_GPL(cper_bits_to_str); ++ + static const char * const proc_type_strs[] = { + "IA32/X64", + "IA64", +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 6a511a1078ca0..724a5e3c122d6 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -560,6 +560,8 @@ const char *cper_severity_str(unsigned int); + const char *cper_mem_err_type_str(unsigned int); + void cper_print_bits(const char *prefix, unsigned int bits, + const char * const strs[], unsigned int strs_size); ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size); + void cper_mem_err_pack(const struct cper_sec_mem_err *, + struct cper_mem_err_compact *); + const char *cper_mem_err_unpack(struct trace_seq *, +-- +2.51.0 + diff --git a/queue-5.15/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch b/queue-5.15/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch new file mode 100644 index 0000000000..bcabcd5a96 --- /dev/null +++ b/queue-5.15/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch @@ -0,0 +1,50 @@ +From 4c0140f3f7d25cccb8dd1b8b18239c56e64b4551 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:53 -0700 +Subject: efi/cper: Adjust infopfx size to accept an extra space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauro Carvalho Chehab + +[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ] + +Compiling with W=1 with werror enabled produces an error: + +drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’: +drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^ +drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64 + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As the logic there adds an space at the end of infopx buffer. +Add an extra space to avoid such warning. + +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper-arm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index 36d3b8b9da47e..f4b7a48327fbb 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -241,7 +241,7 @@ void cper_print_proc_arm(const char *pfx, + int i, len, max_ctx_type; + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; +- char newpfx[64], infopfx[64]; ++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +-- +2.51.0 + diff --git a/queue-5.15/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch b/queue-5.15/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch new file mode 100644 index 0000000000..5682154baa --- /dev/null +++ b/queue-5.15/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch @@ -0,0 +1,230 @@ +From 044ce86484d9478a7de8f6de75310ed10ad4f22f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:55 -0700 +Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs + +From: Mauro Carvalho Chehab + +[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ] + +Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor +was defined simply as: + +Type at byte offset 4: + + - Cache error + - TLB Error + - Bus Error + - Micro-architectural Error + All other values are reserved + +Yet, there was no information about how this would be encoded. + +Spec 2.9A errata corrected it by defining: + + - Bit 1 - Cache Error + - Bit 2 - TLB Error + - Bit 3 - Bus Error + - Bit 4 - Micro-architectural Error + All other values are reserved + +That actually aligns with the values already defined on older +versions at N.2.4.1. Generic Processor Error Section. + +Spec 2.10 also preserve the same encoding as 2.9A. + +Adjust CPER and GHES handling code for both generic and ARM +processors to properly handle UEFI 2.9A and 2.10 encoding. + +Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 16 +++++++---- + drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++----------------- + include/linux/cper.h | 10 +++---- + 3 files changed, 39 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 250ea9ec5f0c2..bdb23ca251e23 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -500,6 +501,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + { + struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); + int flags = sync ? MF_ACTION_REQUIRED : 0; ++ char error_type[120]; + bool queued = false; + int sec_sev, i; + char *p; +@@ -513,9 +515,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + p = (char *)(err + 1); + for (i = 0; i < err->err_info_num; i++) { + struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p; +- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR); ++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR; + bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR); +- const char *error_type = "unknown error"; + + /* + * The field (err_info->error_info & BIT(26)) is fixed to set to +@@ -529,12 +530,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + continue; + } + +- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs)) +- error_type = cper_proc_error_type_strs[err_info->type]; ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); + + pr_warn_ratelimited(FW_WARN GHES_PFX +- "Unhandled processor error type: %s\n", +- error_type); ++ "Unhandled processor error type 0x%02x: %s%s\n", ++ err_info->type, error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); + p += err_info->length; + } + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index f4b7a48327fbb..ea43589944ba5 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -94,15 +94,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + bool proc_context_corrupt, corrected, precise_pc, restartable_pc; + bool time_out, access_mode; + +- /* If the type is unknown, bail. */ +- if (type > CPER_ARM_MAX_TYPE) +- return; +- + /* + * Vendor type errors have error information values that are vendor + * specific. + */ +- if (type == CPER_ARM_VENDOR_ERROR) ++ if (type & CPER_ARM_VENDOR_ERROR) + return; + + if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) { +@@ -117,43 +113,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) { + op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT) + & CPER_ARM_ERR_OPERATION_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) { + if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%scache error, operation type: %s\n", pfx, + arm_cache_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_TLB_ERROR: ++ } ++ if (type & CPER_ARM_TLB_ERROR) { + if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sTLB error, operation type: %s\n", pfx, + arm_tlb_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_BUS_ERROR: ++ } ++ if (type & CPER_ARM_BUS_ERROR) { + if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sbus error, operation type: %s\n", pfx, + arm_bus_err_op_strs[op_type]); + } +- break; + } + } + + if (error_info & CPER_ARM_ERR_VALID_LEVEL) { + level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT) + & CPER_ARM_ERR_LEVEL_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) + printk("%scache level: %d\n", pfx, level); +- break; +- case CPER_ARM_TLB_ERROR: ++ ++ if (type & CPER_ARM_TLB_ERROR) + printk("%sTLB level: %d\n", pfx, level); +- break; +- case CPER_ARM_BUS_ERROR: ++ ++ if (type & CPER_ARM_BUS_ERROR) + printk("%saffinity level at which the bus error occurred: %d\n", + pfx, level); +- break; +- } + } + + if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) { +@@ -242,6 +233,7 @@ void cper_print_proc_arm(const char *pfx, + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; + char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; ++ char error_type[120]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +@@ -290,9 +282,15 @@ void cper_print_proc_arm(const char *pfx, + newpfx); + } + +- printk("%serror_type: %d, %s\n", newpfx, err_info->type, +- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ? +- cper_proc_error_type_strs[err_info->type] : "unknown"); ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); ++ ++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type, ++ error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); ++ + if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) { + printk("%serror_info: 0x%016llx\n", newpfx, + err_info->error_info); +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 724a5e3c122d6..a31e22cc839eb 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -270,11 +270,11 @@ enum { + #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2) + #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3) + +-#define CPER_ARM_CACHE_ERROR 0 +-#define CPER_ARM_TLB_ERROR 1 +-#define CPER_ARM_BUS_ERROR 2 +-#define CPER_ARM_VENDOR_ERROR 3 +-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR ++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1) ++#define CPER_ARM_CACHE_ERROR BIT(1) ++#define CPER_ARM_TLB_ERROR BIT(2) ++#define CPER_ARM_BUS_ERROR BIT(3) ++#define CPER_ARM_VENDOR_ERROR BIT(4) + + #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0) + #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1) +-- +2.51.0 + diff --git a/queue-5.15/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch b/queue-5.15/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch new file mode 100644 index 0000000000..91c9048b0b --- /dev/null +++ b/queue-5.15/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch @@ -0,0 +1,45 @@ +From e51a06577cad57759182511cf12e6279879e508d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 09:51:59 +0300 +Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left() + +From: Dmitry Antipov + +[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ] + +In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after +move, thus allowing 'ocfs2_free_path()' to free it before return. + +Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru +Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") +Signed-off-by: Dmitry Antipov +Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 +Reviewed-by: Heming Zhao +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 9c95d911a14b1..9589b462b5913 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -3647,7 +3647,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path, + * So we use the new rightmost path. + */ + ocfs2_mv_path(right_path, left_path); +- left_path = NULL; + } else + ocfs2_complete_edge_insert(handle, left_path, + right_path, subtree_index); +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 4449302c62..3c56cc9d5b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -192,3 +192,7 @@ alsa-uapi-fix-typo-in-asound.h-comment.patch arm-9464-1-fix-input-only-operand-modification-in-lo.patch dm-raid-fix-possible-null-dereference-with-undefined.patch dm-log-writes-add-missing-set_freezable-for-freezabl.patch +efi-cper-add-a-new-helper-function-to-print-bitmasks.patch +efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch +efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch +ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch diff --git a/queue-6.1/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch b/queue-6.1/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch new file mode 100644 index 0000000000..ef5d4904ee --- /dev/null +++ b/queue-6.1/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch @@ -0,0 +1,133 @@ +From 0b5152e45f8f73ddb04fec9dd6b3a3ff6468d07b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:54 -0700 +Subject: efi/cper: Add a new helper function to print bitmasks + +From: Mauro Carvalho Chehab + +[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ] + +Add a helper function to print a string with names associated +to each bit field. + +A typical example is: + + const char * const bits[] = { + "bit 3 name", + "bit 4 name", + "bit 5 name", + }; + char str[120]; + unsigned int bitmask = BIT(3) | BIT(5); + + #define MASK GENMASK(5,3) + + cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), + bits, ARRAY_SIZE(bits)); + +The above code fills string "str" with "bit 3 name|bit 5 name". + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++ + include/linux/cper.h | 2 ++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index e4e5ea7ce910a..eb5e67af69273 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -12,6 +12,7 @@ + * Specification version 2.4. + */ + ++#include + #include + #include + #include +@@ -105,6 +106,65 @@ void cper_print_bits(const char *pfx, unsigned int bits, + printk("%s\n", buf); + } + ++/** ++ * cper_bits_to_str - return a string for set bits ++ * @buf: buffer to store the output string ++ * @buf_size: size of the output string buffer ++ * @bits: bit mask ++ * @strs: string array, indexed by bit position ++ * @strs_size: size of the string array: @strs ++ * ++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits, ++ * add the corresponding string describing the bit in @strs to @buf. ++ * ++ * A typical example is:: ++ * ++ * const char * const bits[] = { ++ * "bit 3 name", ++ * "bit 4 name", ++ * "bit 5 name", ++ * }; ++ * char str[120]; ++ * unsigned int bitmask = BIT(3) | BIT(5); ++ * #define MASK GENMASK(5,3) ++ * ++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), ++ * bits, ARRAY_SIZE(bits)); ++ * ++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``. ++ * ++ * Return: number of bytes stored or an error code if lower than zero. ++ */ ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size) ++{ ++ int len = buf_size; ++ char *str = buf; ++ int i, size; ++ ++ *buf = '\0'; ++ ++ for_each_set_bit(i, &bits, strs_size) { ++ if (!(bits & BIT_ULL(i))) ++ continue; ++ ++ if (*buf && len > 0) { ++ *str = '|'; ++ len--; ++ str++; ++ } ++ ++ size = strscpy(str, strs[i], len); ++ if (size < 0) ++ return size; ++ ++ len -= size; ++ str += size; ++ } ++ return len - buf_size; ++} ++EXPORT_SYMBOL_GPL(cper_bits_to_str); ++ + static const char * const proc_type_strs[] = { + "IA32/X64", + "IA64", +diff --git a/include/linux/cper.h b/include/linux/cper.h +index eacb7dd7b3af3..a15b7b9740344 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -561,6 +561,8 @@ const char *cper_mem_err_type_str(unsigned int); + const char *cper_mem_err_status_str(u64 status); + void cper_print_bits(const char *prefix, unsigned int bits, + const char * const strs[], unsigned int strs_size); ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size); + void cper_mem_err_pack(const struct cper_sec_mem_err *, + struct cper_mem_err_compact *); + const char *cper_mem_err_unpack(struct trace_seq *, +-- +2.51.0 + diff --git a/queue-6.1/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch b/queue-6.1/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch new file mode 100644 index 0000000000..6d7e549133 --- /dev/null +++ b/queue-6.1/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch @@ -0,0 +1,50 @@ +From caa00aa9d967ac1c3e8b42d9115371bd6bd00ed8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:53 -0700 +Subject: efi/cper: Adjust infopfx size to accept an extra space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauro Carvalho Chehab + +[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ] + +Compiling with W=1 with werror enabled produces an error: + +drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’: +drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^ +drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64 + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As the logic there adds an space at the end of infopx buffer. +Add an extra space to avoid such warning. + +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper-arm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index 36d3b8b9da47e..f4b7a48327fbb 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -241,7 +241,7 @@ void cper_print_proc_arm(const char *pfx, + int i, len, max_ctx_type; + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; +- char newpfx[64], infopfx[64]; ++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +-- +2.51.0 + diff --git a/queue-6.1/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch b/queue-6.1/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch new file mode 100644 index 0000000000..930168ca6c --- /dev/null +++ b/queue-6.1/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch @@ -0,0 +1,230 @@ +From 8dbff6c2cb2b85edc5b673c5bbf5807e08cc97ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:55 -0700 +Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs + +From: Mauro Carvalho Chehab + +[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ] + +Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor +was defined simply as: + +Type at byte offset 4: + + - Cache error + - TLB Error + - Bus Error + - Micro-architectural Error + All other values are reserved + +Yet, there was no information about how this would be encoded. + +Spec 2.9A errata corrected it by defining: + + - Bit 1 - Cache Error + - Bit 2 - TLB Error + - Bit 3 - Bus Error + - Bit 4 - Micro-architectural Error + All other values are reserved + +That actually aligns with the values already defined on older +versions at N.2.4.1. Generic Processor Error Section. + +Spec 2.10 also preserve the same encoding as 2.9A. + +Adjust CPER and GHES handling code for both generic and ARM +processors to properly handle UEFI 2.9A and 2.10 encoding. + +Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 16 +++++++---- + drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++----------------- + include/linux/cper.h | 10 +++---- + 3 files changed, 39 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 3c862acaa28af..03344c2732220 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -500,6 +501,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + { + struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); + int flags = sync ? MF_ACTION_REQUIRED : 0; ++ char error_type[120]; + bool queued = false; + int sec_sev, i; + char *p; +@@ -513,9 +515,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + p = (char *)(err + 1); + for (i = 0; i < err->err_info_num; i++) { + struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p; +- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR); ++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR; + bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR); +- const char *error_type = "unknown error"; + + /* + * The field (err_info->error_info & BIT(26)) is fixed to set to +@@ -529,12 +530,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + continue; + } + +- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs)) +- error_type = cper_proc_error_type_strs[err_info->type]; ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); + + pr_warn_ratelimited(FW_WARN GHES_PFX +- "Unhandled processor error type: %s\n", +- error_type); ++ "Unhandled processor error type 0x%02x: %s%s\n", ++ err_info->type, error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); + p += err_info->length; + } + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index f4b7a48327fbb..ea43589944ba5 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -94,15 +94,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + bool proc_context_corrupt, corrected, precise_pc, restartable_pc; + bool time_out, access_mode; + +- /* If the type is unknown, bail. */ +- if (type > CPER_ARM_MAX_TYPE) +- return; +- + /* + * Vendor type errors have error information values that are vendor + * specific. + */ +- if (type == CPER_ARM_VENDOR_ERROR) ++ if (type & CPER_ARM_VENDOR_ERROR) + return; + + if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) { +@@ -117,43 +113,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) { + op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT) + & CPER_ARM_ERR_OPERATION_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) { + if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%scache error, operation type: %s\n", pfx, + arm_cache_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_TLB_ERROR: ++ } ++ if (type & CPER_ARM_TLB_ERROR) { + if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sTLB error, operation type: %s\n", pfx, + arm_tlb_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_BUS_ERROR: ++ } ++ if (type & CPER_ARM_BUS_ERROR) { + if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sbus error, operation type: %s\n", pfx, + arm_bus_err_op_strs[op_type]); + } +- break; + } + } + + if (error_info & CPER_ARM_ERR_VALID_LEVEL) { + level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT) + & CPER_ARM_ERR_LEVEL_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) + printk("%scache level: %d\n", pfx, level); +- break; +- case CPER_ARM_TLB_ERROR: ++ ++ if (type & CPER_ARM_TLB_ERROR) + printk("%sTLB level: %d\n", pfx, level); +- break; +- case CPER_ARM_BUS_ERROR: ++ ++ if (type & CPER_ARM_BUS_ERROR) + printk("%saffinity level at which the bus error occurred: %d\n", + pfx, level); +- break; +- } + } + + if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) { +@@ -242,6 +233,7 @@ void cper_print_proc_arm(const char *pfx, + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; + char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; ++ char error_type[120]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +@@ -290,9 +282,15 @@ void cper_print_proc_arm(const char *pfx, + newpfx); + } + +- printk("%serror_type: %d, %s\n", newpfx, err_info->type, +- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ? +- cper_proc_error_type_strs[err_info->type] : "unknown"); ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); ++ ++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type, ++ error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); ++ + if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) { + printk("%serror_info: 0x%016llx\n", newpfx, + err_info->error_info); +diff --git a/include/linux/cper.h b/include/linux/cper.h +index a15b7b9740344..ff84d72cdee82 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -270,11 +270,11 @@ enum { + #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2) + #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3) + +-#define CPER_ARM_CACHE_ERROR 0 +-#define CPER_ARM_TLB_ERROR 1 +-#define CPER_ARM_BUS_ERROR 2 +-#define CPER_ARM_VENDOR_ERROR 3 +-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR ++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1) ++#define CPER_ARM_CACHE_ERROR BIT(1) ++#define CPER_ARM_TLB_ERROR BIT(2) ++#define CPER_ARM_BUS_ERROR BIT(3) ++#define CPER_ARM_VENDOR_ERROR BIT(4) + + #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0) + #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1) +-- +2.51.0 + diff --git a/queue-6.1/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch b/queue-6.1/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch new file mode 100644 index 0000000000..3c8d591ad9 --- /dev/null +++ b/queue-6.1/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch @@ -0,0 +1,41 @@ +From dcec477b9709854b4ae121978d00d27d0e97ae91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 09:54:16 +0300 +Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() + +From: Dan Carpenter + +[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ] + +If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then +it results in an out of bounds access. + +The code checks for invalid values, but doesn't set the error code. Return +-EINVAL in that case, instead of returning success. + +Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Reviewed-by: Claudiu Beznea +Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mchp-eic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c +index c726a19837d29..7f84c736d2827 100644 +--- a/drivers/irqchip/irq-mchp-eic.c ++++ b/drivers/irqchip/irq-mchp-eic.c +@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq, + + ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type); + if (ret || hwirq >= MCHP_EIC_NIRQ) +- return ret; ++ return ret ?: -EINVAL; + + switch (type) { + case IRQ_TYPE_EDGE_RISING: +-- +2.51.0 + diff --git a/queue-6.1/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch b/queue-6.1/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch new file mode 100644 index 0000000000..60d7b2db01 --- /dev/null +++ b/queue-6.1/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch @@ -0,0 +1,45 @@ +From eb6e70e2103f0460f2950a5fe6353286248b9ca9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 09:51:59 +0300 +Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left() + +From: Dmitry Antipov + +[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ] + +In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after +move, thus allowing 'ocfs2_free_path()' to free it before return. + +Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru +Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") +Signed-off-by: Dmitry Antipov +Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 +Reviewed-by: Heming Zhao +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 7f11ffacc9150..fa5223b05fad7 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -3647,7 +3647,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path, + * So we use the new rightmost path. + */ + ocfs2_mv_path(right_path, left_path); +- left_path = NULL; + } else + ocfs2_complete_edge_insert(handle, left_path, + right_path, subtree_index); +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 607f779754..ee87f58a53 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -212,3 +212,8 @@ alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch arm-9464-1-fix-input-only-operand-modification-in-lo.patch dm-raid-fix-possible-null-dereference-with-undefined.patch dm-log-writes-add-missing-set_freezable-for-freezabl.patch +efi-cper-add-a-new-helper-function-to-print-bitmasks.patch +efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch +efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch +irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch +ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch diff --git a/queue-6.12/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch b/queue-6.12/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch new file mode 100644 index 0000000000..b43edfb98d --- /dev/null +++ b/queue-6.12/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch @@ -0,0 +1,133 @@ +From db7bd7e5e25e4839a59d0c66ce938fa5313ec037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:54 -0700 +Subject: efi/cper: Add a new helper function to print bitmasks + +From: Mauro Carvalho Chehab + +[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ] + +Add a helper function to print a string with names associated +to each bit field. + +A typical example is: + + const char * const bits[] = { + "bit 3 name", + "bit 4 name", + "bit 5 name", + }; + char str[120]; + unsigned int bitmask = BIT(3) | BIT(5); + + #define MASK GENMASK(5,3) + + cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), + bits, ARRAY_SIZE(bits)); + +The above code fills string "str" with "bit 3 name|bit 5 name". + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++ + include/linux/cper.h | 2 ++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index b69e68ef3f02b..7f89a9fb2ecad 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -12,6 +12,7 @@ + * Specification version 2.4. + */ + ++#include + #include + #include + #include +@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits, + printk("%s\n", buf); + } + ++/** ++ * cper_bits_to_str - return a string for set bits ++ * @buf: buffer to store the output string ++ * @buf_size: size of the output string buffer ++ * @bits: bit mask ++ * @strs: string array, indexed by bit position ++ * @strs_size: size of the string array: @strs ++ * ++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits, ++ * add the corresponding string describing the bit in @strs to @buf. ++ * ++ * A typical example is:: ++ * ++ * const char * const bits[] = { ++ * "bit 3 name", ++ * "bit 4 name", ++ * "bit 5 name", ++ * }; ++ * char str[120]; ++ * unsigned int bitmask = BIT(3) | BIT(5); ++ * #define MASK GENMASK(5,3) ++ * ++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), ++ * bits, ARRAY_SIZE(bits)); ++ * ++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``. ++ * ++ * Return: number of bytes stored or an error code if lower than zero. ++ */ ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size) ++{ ++ int len = buf_size; ++ char *str = buf; ++ int i, size; ++ ++ *buf = '\0'; ++ ++ for_each_set_bit(i, &bits, strs_size) { ++ if (!(bits & BIT_ULL(i))) ++ continue; ++ ++ if (*buf && len > 0) { ++ *str = '|'; ++ len--; ++ str++; ++ } ++ ++ size = strscpy(str, strs[i], len); ++ if (size < 0) ++ return size; ++ ++ len -= size; ++ str += size; ++ } ++ return len - buf_size; ++} ++EXPORT_SYMBOL_GPL(cper_bits_to_str); ++ + static const char * const proc_type_strs[] = { + "IA32/X64", + "IA64", +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 265b0f8fc0b3c..25858a7608b7d 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -584,6 +584,8 @@ const char *cper_mem_err_type_str(unsigned int); + const char *cper_mem_err_status_str(u64 status); + void cper_print_bits(const char *prefix, unsigned int bits, + const char * const strs[], unsigned int strs_size); ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size); + void cper_mem_err_pack(const struct cper_sec_mem_err *, + struct cper_mem_err_compact *); + const char *cper_mem_err_unpack(struct trace_seq *, +-- +2.51.0 + diff --git a/queue-6.12/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch b/queue-6.12/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch new file mode 100644 index 0000000000..96a71ab9b2 --- /dev/null +++ b/queue-6.12/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch @@ -0,0 +1,50 @@ +From 4fa26cb43d3407cb35dcc264edfb7a372a92fd9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:53 -0700 +Subject: efi/cper: Adjust infopfx size to accept an extra space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauro Carvalho Chehab + +[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ] + +Compiling with W=1 with werror enabled produces an error: + +drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’: +drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^ +drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64 + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As the logic there adds an space at the end of infopx buffer. +Add an extra space to avoid such warning. + +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper-arm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index fa9c1c3bf168b..eb7ee6af55f23 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx, + int i, len, max_ctx_type; + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; +- char newpfx[64], infopfx[64]; ++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +-- +2.51.0 + diff --git a/queue-6.12/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch b/queue-6.12/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch new file mode 100644 index 0000000000..9cccebf23a --- /dev/null +++ b/queue-6.12/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch @@ -0,0 +1,230 @@ +From 0ebd99d4eff5ab41fa293c2ccb79c51e26a1719c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:55 -0700 +Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs + +From: Mauro Carvalho Chehab + +[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ] + +Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor +was defined simply as: + +Type at byte offset 4: + + - Cache error + - TLB Error + - Bus Error + - Micro-architectural Error + All other values are reserved + +Yet, there was no information about how this would be encoded. + +Spec 2.9A errata corrected it by defining: + + - Bit 1 - Cache Error + - Bit 2 - TLB Error + - Bit 3 - Bus Error + - Bit 4 - Micro-architectural Error + All other values are reserved + +That actually aligns with the values already defined on older +versions at N.2.4.1. Generic Processor Error Section. + +Spec 2.10 also preserve the same encoding as 2.9A. + +Adjust CPER and GHES handling code for both generic and ARM +processors to properly handle UEFI 2.9A and 2.10 encoding. + +Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 16 +++++++---- + drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++----------------- + include/linux/cper.h | 10 +++---- + 3 files changed, 39 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 99659478e0bd0..45fa2510e4cf5 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -531,6 +532,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + { + struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); + int flags = sync ? MF_ACTION_REQUIRED : 0; ++ char error_type[120]; + bool queued = false; + int sec_sev, i; + char *p; +@@ -543,9 +545,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + p = (char *)(err + 1); + for (i = 0; i < err->err_info_num; i++) { + struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p; +- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR); ++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR; + bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR); +- const char *error_type = "unknown error"; + + /* + * The field (err_info->error_info & BIT(26)) is fixed to set to +@@ -559,12 +560,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + continue; + } + +- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs)) +- error_type = cper_proc_error_type_strs[err_info->type]; ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); + + pr_warn_ratelimited(FW_WARN GHES_PFX +- "Unhandled processor error type: %s\n", +- error_type); ++ "Unhandled processor error type 0x%02x: %s%s\n", ++ err_info->type, error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); + p += err_info->length; + } + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index eb7ee6af55f23..52d18490b59e3 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + bool proc_context_corrupt, corrected, precise_pc, restartable_pc; + bool time_out, access_mode; + +- /* If the type is unknown, bail. */ +- if (type > CPER_ARM_MAX_TYPE) +- return; +- + /* + * Vendor type errors have error information values that are vendor + * specific. + */ +- if (type == CPER_ARM_VENDOR_ERROR) ++ if (type & CPER_ARM_VENDOR_ERROR) + return; + + if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) { +@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) { + op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT) + & CPER_ARM_ERR_OPERATION_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) { + if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%scache error, operation type: %s\n", pfx, + arm_cache_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_TLB_ERROR: ++ } ++ if (type & CPER_ARM_TLB_ERROR) { + if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sTLB error, operation type: %s\n", pfx, + arm_tlb_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_BUS_ERROR: ++ } ++ if (type & CPER_ARM_BUS_ERROR) { + if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sbus error, operation type: %s\n", pfx, + arm_bus_err_op_strs[op_type]); + } +- break; + } + } + + if (error_info & CPER_ARM_ERR_VALID_LEVEL) { + level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT) + & CPER_ARM_ERR_LEVEL_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) + printk("%scache level: %d\n", pfx, level); +- break; +- case CPER_ARM_TLB_ERROR: ++ ++ if (type & CPER_ARM_TLB_ERROR) + printk("%sTLB level: %d\n", pfx, level); +- break; +- case CPER_ARM_BUS_ERROR: ++ ++ if (type & CPER_ARM_BUS_ERROR) + printk("%saffinity level at which the bus error occurred: %d\n", + pfx, level); +- break; +- } + } + + if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) { +@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx, + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; + char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; ++ char error_type[120]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx, + newpfx); + } + +- printk("%serror_type: %d, %s\n", newpfx, err_info->type, +- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ? +- cper_proc_error_type_strs[err_info->type] : "unknown"); ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); ++ ++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type, ++ error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); ++ + if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) { + printk("%serror_info: 0x%016llx\n", newpfx, + err_info->error_info); +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 25858a7608b7d..3670b866ac119 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -293,11 +293,11 @@ enum { + #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2) + #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3) + +-#define CPER_ARM_CACHE_ERROR 0 +-#define CPER_ARM_TLB_ERROR 1 +-#define CPER_ARM_BUS_ERROR 2 +-#define CPER_ARM_VENDOR_ERROR 3 +-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR ++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1) ++#define CPER_ARM_CACHE_ERROR BIT(1) ++#define CPER_ARM_TLB_ERROR BIT(2) ++#define CPER_ARM_BUS_ERROR BIT(3) ++#define CPER_ARM_VENDOR_ERROR BIT(4) + + #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0) + #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1) +-- +2.51.0 + diff --git a/queue-6.12/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch b/queue-6.12/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch new file mode 100644 index 0000000000..320f38da43 --- /dev/null +++ b/queue-6.12/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch @@ -0,0 +1,41 @@ +From 02815138f8b59806eb32e0dfe15ea0e052ed3cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 09:54:16 +0300 +Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() + +From: Dan Carpenter + +[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ] + +If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then +it results in an out of bounds access. + +The code checks for invalid values, but doesn't set the error code. Return +-EINVAL in that case, instead of returning success. + +Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Reviewed-by: Claudiu Beznea +Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mchp-eic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c +index 5dcd94c000a26..8a5baa0987a4b 100644 +--- a/drivers/irqchip/irq-mchp-eic.c ++++ b/drivers/irqchip/irq-mchp-eic.c +@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq, + + ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type); + if (ret || hwirq >= MCHP_EIC_NIRQ) +- return ret; ++ return ret ?: -EINVAL; + + switch (type) { + case IRQ_TYPE_EDGE_RISING: +-- +2.51.0 + diff --git a/queue-6.12/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch b/queue-6.12/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch new file mode 100644 index 0000000000..9483bec191 --- /dev/null +++ b/queue-6.12/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch @@ -0,0 +1,45 @@ +From bfc97e6800a613b44fb8d5e110cd3d1c1b9dc09b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 09:51:59 +0300 +Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left() + +From: Dmitry Antipov + +[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ] + +In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after +move, thus allowing 'ocfs2_free_path()' to free it before return. + +Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru +Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") +Signed-off-by: Dmitry Antipov +Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 +Reviewed-by: Heming Zhao +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 5d9388b44e5be..f8025433ce3bf 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -3654,7 +3654,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path, + * So we use the new rightmost path. + */ + ocfs2_mv_path(right_path, left_path); +- left_path = NULL; + } else + ocfs2_complete_edge_insert(handle, left_path, + right_path, subtree_index); +-- +2.51.0 + diff --git a/queue-6.12/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch b/queue-6.12/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch new file mode 100644 index 0000000000..764e5db39a --- /dev/null +++ b/queue-6.12/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch @@ -0,0 +1,56 @@ +From 9c87bb55f86293540959d60dbd1fa0520059a40a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 18:01:49 +0800 +Subject: scsi: imm: Fix use-after-free bug caused by unfinished delayed work + +From: Duoming Zhou + +[ Upstream commit ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c ] + +The delayed work item 'imm_tq' is initialized in imm_attach() and +scheduled via imm_queuecommand() for processing SCSI commands. When the +IMM parallel port SCSI host adapter is detached through imm_detach(), +the imm_struct device instance is deallocated. + +However, the delayed work might still be pending or executing +when imm_detach() is called, leading to use-after-free bugs +when the work function imm_interrupt() accesses the already +freed imm_struct memory. + +The race condition can occur as follows: + +CPU 0(detach thread) | CPU 1 + | imm_queuecommand() + | imm_queuecommand_lck() +imm_detach() | schedule_delayed_work() + kfree(dev) //FREE | imm_interrupt() + | dev = container_of(...) //USE + dev-> //USE + +Add disable_delayed_work_sync() in imm_detach() to guarantee proper +cancellation of the delayed work item before imm_struct is deallocated. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/20251028100149.40721-1-duoming@zju.edu.cn +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/imm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/imm.c b/drivers/scsi/imm.c +index 1d4c7310f1a63..d77490e2d7bc8 100644 +--- a/drivers/scsi/imm.c ++++ b/drivers/scsi/imm.c +@@ -1261,6 +1261,7 @@ static void imm_detach(struct parport *pb) + imm_struct *dev; + list_for_each_entry(dev, &imm_hosts, list) { + if (dev->dev->port == pb) { ++ disable_delayed_work_sync(&dev->imm_tq); + list_del_init(&dev->list); + scsi_remove_host(dev->host); + scsi_host_put(dev->host); +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 784774dc1c..31521f090c 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -337,3 +337,9 @@ block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch block-return-unsigned-int-from-queue_dma_alignment.patch dm-raid-fix-possible-null-dereference-with-undefined.patch dm-log-writes-add-missing-set_freezable-for-freezabl.patch +efi-cper-add-a-new-helper-function-to-print-bitmasks.patch +efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch +efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch +scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch +irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch +ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch diff --git a/queue-6.17/cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch b/queue-6.17/cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch new file mode 100644 index 0000000000..dc474bd5a7 --- /dev/null +++ b/queue-6.17/cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch @@ -0,0 +1,86 @@ +From 6d378222a4e30f6e418cc523b1110aac0d1c15b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 15:47:23 +0100 +Subject: cpu: Make atomic hotplug callbacks run with interrupts disabled on UP + +From: Sebastian Andrzej Siewior + +[ Upstream commit c94291914b200e10c72cef23c8e4c67eb4fdbcd9 ] + +On SMP systems the CPU hotplug callbacks in the "starting" range are +invoked while the CPU is brought up and interrupts are still +disabled. Callbacks which are added later are invoked via the +hotplug-thread on the target CPU and interrupts are explicitly disabled. + +In the UP case callbacks which are added later are invoked directly without +the thread indirection. This is in principle okay since there is just one +CPU but those callbacks are invoked with interrupt disabled code. That's +incorrect as those callbacks assume interrupt disabled context. + +Disable interrupts before invoking the callbacks on UP if the state is +atomic and interrupts are expected to be disabled. The "save" part is +required because this is also invoked early in the boot process while +interrupts are disabled and must not be enabled prematurely. + +Fixes: 06ddd17521bf1 ("sched/smp: Always define is_percpu_thread() and scheduler_ipi()") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Link: https://patch.msgid.link/20251127144723.ev9DuXXR@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/cpu.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/kernel/cpu.c b/kernel/cpu.c +index db9f6c539b28c..15000c7abc659 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -249,6 +249,14 @@ static int cpuhp_invoke_callback(unsigned int cpu, enum cpuhp_state state, + return ret; + } + ++/* ++ * The former STARTING/DYING states, ran with IRQs disabled and must not fail. ++ */ ++static bool cpuhp_is_atomic_state(enum cpuhp_state state) ++{ ++ return CPUHP_AP_IDLE_DEAD <= state && state < CPUHP_AP_ONLINE; ++} ++ + #ifdef CONFIG_SMP + static bool cpuhp_is_ap_state(enum cpuhp_state state) + { +@@ -271,14 +279,6 @@ static inline void complete_ap_thread(struct cpuhp_cpu_state *st, bool bringup) + complete(done); + } + +-/* +- * The former STARTING/DYING states, ran with IRQs disabled and must not fail. +- */ +-static bool cpuhp_is_atomic_state(enum cpuhp_state state) +-{ +- return CPUHP_AP_IDLE_DEAD <= state && state < CPUHP_AP_ONLINE; +-} +- + /* Synchronization state management */ + enum cpuhp_sync_state { + SYNC_STATE_DEAD, +@@ -2364,7 +2364,14 @@ static int cpuhp_issue_call(int cpu, enum cpuhp_state state, bool bringup, + else + ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL); + #else +- ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL); ++ if (cpuhp_is_atomic_state(state)) { ++ guard(irqsave)(); ++ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL); ++ /* STARTING/DYING must not fail! */ ++ WARN_ON_ONCE(ret); ++ } else { ++ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL); ++ } + #endif + BUG_ON(ret && !bringup); + return ret; +-- +2.51.0 + diff --git a/queue-6.17/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch b/queue-6.17/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch new file mode 100644 index 0000000000..8b207c41d3 --- /dev/null +++ b/queue-6.17/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch @@ -0,0 +1,133 @@ +From 614d1fad37c65e8f5c0f6eb3de6cd6fd99a9d7d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:54 -0700 +Subject: efi/cper: Add a new helper function to print bitmasks + +From: Mauro Carvalho Chehab + +[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ] + +Add a helper function to print a string with names associated +to each bit field. + +A typical example is: + + const char * const bits[] = { + "bit 3 name", + "bit 4 name", + "bit 5 name", + }; + char str[120]; + unsigned int bitmask = BIT(3) | BIT(5); + + #define MASK GENMASK(5,3) + + cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), + bits, ARRAY_SIZE(bits)); + +The above code fills string "str" with "bit 3 name|bit 5 name". + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++ + include/linux/cper.h | 2 ++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index 928409199a1a4..79ba688a64f8d 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -12,6 +12,7 @@ + * Specification version 2.4. + */ + ++#include + #include + #include + #include +@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits, + printk("%s\n", buf); + } + ++/** ++ * cper_bits_to_str - return a string for set bits ++ * @buf: buffer to store the output string ++ * @buf_size: size of the output string buffer ++ * @bits: bit mask ++ * @strs: string array, indexed by bit position ++ * @strs_size: size of the string array: @strs ++ * ++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits, ++ * add the corresponding string describing the bit in @strs to @buf. ++ * ++ * A typical example is:: ++ * ++ * const char * const bits[] = { ++ * "bit 3 name", ++ * "bit 4 name", ++ * "bit 5 name", ++ * }; ++ * char str[120]; ++ * unsigned int bitmask = BIT(3) | BIT(5); ++ * #define MASK GENMASK(5,3) ++ * ++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), ++ * bits, ARRAY_SIZE(bits)); ++ * ++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``. ++ * ++ * Return: number of bytes stored or an error code if lower than zero. ++ */ ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size) ++{ ++ int len = buf_size; ++ char *str = buf; ++ int i, size; ++ ++ *buf = '\0'; ++ ++ for_each_set_bit(i, &bits, strs_size) { ++ if (!(bits & BIT_ULL(i))) ++ continue; ++ ++ if (*buf && len > 0) { ++ *str = '|'; ++ len--; ++ str++; ++ } ++ ++ size = strscpy(str, strs[i], len); ++ if (size < 0) ++ return size; ++ ++ len -= size; ++ str += size; ++ } ++ return len - buf_size; ++} ++EXPORT_SYMBOL_GPL(cper_bits_to_str); ++ + static const char * const proc_type_strs[] = { + "IA32/X64", + "IA64", +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 0ed60a91eca9d..58f40477c824e 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -588,6 +588,8 @@ const char *cper_mem_err_type_str(unsigned int); + const char *cper_mem_err_status_str(u64 status); + void cper_print_bits(const char *prefix, unsigned int bits, + const char * const strs[], unsigned int strs_size); ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size); + void cper_mem_err_pack(const struct cper_sec_mem_err *, + struct cper_mem_err_compact *); + const char *cper_mem_err_unpack(struct trace_seq *, +-- +2.51.0 + diff --git a/queue-6.17/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch b/queue-6.17/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch new file mode 100644 index 0000000000..b4c7d10518 --- /dev/null +++ b/queue-6.17/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch @@ -0,0 +1,50 @@ +From 0f6cbe1b97074c212f8d708c4768fa26ac96c43d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:53 -0700 +Subject: efi/cper: Adjust infopfx size to accept an extra space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauro Carvalho Chehab + +[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ] + +Compiling with W=1 with werror enabled produces an error: + +drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’: +drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^ +drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64 + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As the logic there adds an space at the end of infopx buffer. +Add an extra space to avoid such warning. + +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper-arm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index f0a63d09d3c49..6ff781e47147c 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx, + int i, len, max_ctx_type; + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; +- char newpfx[64], infopfx[64]; ++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +-- +2.51.0 + diff --git a/queue-6.17/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch b/queue-6.17/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch new file mode 100644 index 0000000000..376ca0bcfb --- /dev/null +++ b/queue-6.17/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch @@ -0,0 +1,230 @@ +From dbb5570151a226b3a45331a570c5392f1b858ada Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:55 -0700 +Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs + +From: Mauro Carvalho Chehab + +[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ] + +Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor +was defined simply as: + +Type at byte offset 4: + + - Cache error + - TLB Error + - Bus Error + - Micro-architectural Error + All other values are reserved + +Yet, there was no information about how this would be encoded. + +Spec 2.9A errata corrected it by defining: + + - Bit 1 - Cache Error + - Bit 2 - TLB Error + - Bit 3 - Bus Error + - Bit 4 - Micro-architectural Error + All other values are reserved + +That actually aligns with the values already defined on older +versions at N.2.4.1. Generic Processor Error Section. + +Spec 2.10 also preserve the same encoding as 2.9A. + +Adjust CPER and GHES handling code for both generic and ARM +processors to properly handle UEFI 2.9A and 2.10 encoding. + +Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 16 +++++++---- + drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++----------------- + include/linux/cper.h | 10 +++---- + 3 files changed, 39 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 7fca0ede9ecc0..307dc7f62e525 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -556,6 +557,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + { + struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); + int flags = sync ? MF_ACTION_REQUIRED : 0; ++ char error_type[120]; + bool queued = false; + int sec_sev, i; + char *p; +@@ -568,9 +570,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + p = (char *)(err + 1); + for (i = 0; i < err->err_info_num; i++) { + struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p; +- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR); ++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR; + bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR); +- const char *error_type = "unknown error"; + + /* + * The field (err_info->error_info & BIT(26)) is fixed to set to +@@ -584,12 +585,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + continue; + } + +- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs)) +- error_type = cper_proc_error_type_strs[err_info->type]; ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); + + pr_warn_ratelimited(FW_WARN GHES_PFX +- "Unhandled processor error type: %s\n", +- error_type); ++ "Unhandled processor error type 0x%02x: %s%s\n", ++ err_info->type, error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); + p += err_info->length; + } + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index 6ff781e47147c..76542a53e2027 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + bool proc_context_corrupt, corrected, precise_pc, restartable_pc; + bool time_out, access_mode; + +- /* If the type is unknown, bail. */ +- if (type > CPER_ARM_MAX_TYPE) +- return; +- + /* + * Vendor type errors have error information values that are vendor + * specific. + */ +- if (type == CPER_ARM_VENDOR_ERROR) ++ if (type & CPER_ARM_VENDOR_ERROR) + return; + + if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) { +@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) { + op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT) + & CPER_ARM_ERR_OPERATION_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) { + if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%scache error, operation type: %s\n", pfx, + arm_cache_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_TLB_ERROR: ++ } ++ if (type & CPER_ARM_TLB_ERROR) { + if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sTLB error, operation type: %s\n", pfx, + arm_tlb_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_BUS_ERROR: ++ } ++ if (type & CPER_ARM_BUS_ERROR) { + if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sbus error, operation type: %s\n", pfx, + arm_bus_err_op_strs[op_type]); + } +- break; + } + } + + if (error_info & CPER_ARM_ERR_VALID_LEVEL) { + level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT) + & CPER_ARM_ERR_LEVEL_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) + printk("%scache level: %d\n", pfx, level); +- break; +- case CPER_ARM_TLB_ERROR: ++ ++ if (type & CPER_ARM_TLB_ERROR) + printk("%sTLB level: %d\n", pfx, level); +- break; +- case CPER_ARM_BUS_ERROR: ++ ++ if (type & CPER_ARM_BUS_ERROR) + printk("%saffinity level at which the bus error occurred: %d\n", + pfx, level); +- break; +- } + } + + if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) { +@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx, + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; + char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; ++ char error_type[120]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx, + newpfx); + } + +- printk("%serror_type: %d, %s\n", newpfx, err_info->type, +- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ? +- cper_proc_error_type_strs[err_info->type] : "unknown"); ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); ++ ++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type, ++ error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); ++ + if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) { + printk("%serror_info: 0x%016llx\n", newpfx, + err_info->error_info); +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 58f40477c824e..5b1236d8c65bb 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -297,11 +297,11 @@ enum { + #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2) + #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3) + +-#define CPER_ARM_CACHE_ERROR 0 +-#define CPER_ARM_TLB_ERROR 1 +-#define CPER_ARM_BUS_ERROR 2 +-#define CPER_ARM_VENDOR_ERROR 3 +-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR ++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1) ++#define CPER_ARM_CACHE_ERROR BIT(1) ++#define CPER_ARM_TLB_ERROR BIT(2) ++#define CPER_ARM_BUS_ERROR BIT(3) ++#define CPER_ARM_VENDOR_ERROR BIT(4) + + #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0) + #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1) +-- +2.51.0 + diff --git a/queue-6.17/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch b/queue-6.17/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch new file mode 100644 index 0000000000..c7546765b8 --- /dev/null +++ b/queue-6.17/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch @@ -0,0 +1,41 @@ +From 2df1f4da8e6dd48cafea2b30b47d3a7ac9b23f7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 09:54:16 +0300 +Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() + +From: Dan Carpenter + +[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ] + +If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then +it results in an out of bounds access. + +The code checks for invalid values, but doesn't set the error code. Return +-EINVAL in that case, instead of returning success. + +Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Reviewed-by: Claudiu Beznea +Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mchp-eic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c +index 516a3a0e359cc..c6b5529e17f1a 100644 +--- a/drivers/irqchip/irq-mchp-eic.c ++++ b/drivers/irqchip/irq-mchp-eic.c +@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq, + + ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type); + if (ret || hwirq >= MCHP_EIC_NIRQ) +- return ret; ++ return ret ?: -EINVAL; + + switch (type) { + case IRQ_TYPE_EDGE_RISING: +-- +2.51.0 + diff --git a/queue-6.17/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch b/queue-6.17/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch new file mode 100644 index 0000000000..66dbf46b16 --- /dev/null +++ b/queue-6.17/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch @@ -0,0 +1,45 @@ +From 368a7d2de28ec533753c601d0a577104de6af34f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 09:51:59 +0300 +Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left() + +From: Dmitry Antipov + +[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ] + +In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after +move, thus allowing 'ocfs2_free_path()' to free it before return. + +Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru +Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") +Signed-off-by: Dmitry Antipov +Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 +Reviewed-by: Heming Zhao +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 821cb7874685e..b23eb63dc838b 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -3654,7 +3654,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path, + * So we use the new rightmost path. + */ + ocfs2_mv_path(right_path, left_path); +- left_path = NULL; + } else + ocfs2_complete_edge_insert(handle, left_path, + right_path, subtree_index); +-- +2.51.0 + diff --git a/queue-6.17/perf-core-fix-missing-read-event-generation-on-task-.patch b/queue-6.17/perf-core-fix-missing-read-event-generation-on-task-.patch new file mode 100644 index 0000000000..4a0a17e39b --- /dev/null +++ b/queue-6.17/perf-core-fix-missing-read-event-generation-on-task-.patch @@ -0,0 +1,162 @@ +From a7dd63cda492a9fe1c90bff56e22ad4fc3ff8ddb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 12:16:00 +0800 +Subject: perf/core: Fix missing read event generation on task exit + +From: Thaumy Cheng + +[ Upstream commit c418d8b4d7a43a86b82ee39cb52ece3034383530 ] + +For events with inherit_stat enabled, a "read" event will be generated +to collect per task event counts on task exit. + +The call chain is as follows: + +do_exit + -> perf_event_exit_task + -> perf_event_exit_task_context + -> perf_event_exit_event + -> perf_remove_from_context + -> perf_child_detach + -> sync_child_event + -> perf_event_read_event + +However, the child event context detaches the task too early in +perf_event_exit_task_context, which causes sync_child_event to never +generate the read event in this case, since child_event->ctx->task is +always set to TASK_TOMBSTONE. Fix that by moving context lock section +backward to ensure ctx->task is not set to TASK_TOMBSTONE before +generating the read event. + +Because perf_event_free_task calls perf_event_exit_task_context with +exit = false to tear down all child events from the context, and the +task never lived, accessing the task PID can lead to a use-after-free. + +To fix that, let sync_child_event read task from argument and move the +call to the only place it should be triggered to avoid the effect of +setting ctx->task to TASK_TOMESTONE, and add a task parameter to +perf_event_exit_event to trigger the sync_child_event properly when +needed. + +This bug can be reproduced by running "perf record -s" and attaching to +any program that generates perf events in its child tasks. If we check +the result with "perf report -T", the last line of the report will leave +an empty table like "# PID TID", which is expected to contain the +per-task event counts by design. + +Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()") +Signed-off-by: Thaumy Cheng +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Ian Rogers +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: linux-perf-users@vger.kernel.org +Link: https://patch.msgid.link/20251209041600.963586-1-thaumy.love@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 01d080978865f..a9d7ad4301353 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -2316,8 +2316,6 @@ static void perf_group_detach(struct perf_event *event) + perf_event__header_size(leader); + } + +-static void sync_child_event(struct perf_event *child_event); +- + static void perf_child_detach(struct perf_event *event) + { + struct perf_event *parent_event = event->parent; +@@ -2336,7 +2334,6 @@ static void perf_child_detach(struct perf_event *event) + lockdep_assert_held(&parent_event->child_mutex); + */ + +- sync_child_event(event); + list_del_init(&event->child_list); + } + +@@ -4587,6 +4584,7 @@ static void perf_event_enable_on_exec(struct perf_event_context *ctx) + static void perf_remove_from_owner(struct perf_event *event); + static void perf_event_exit_event(struct perf_event *event, + struct perf_event_context *ctx, ++ struct task_struct *task, + bool revoke); + + /* +@@ -4614,7 +4612,7 @@ static void perf_event_remove_on_exec(struct perf_event_context *ctx) + + modified = true; + +- perf_event_exit_event(event, ctx, false); ++ perf_event_exit_event(event, ctx, ctx->task, false); + } + + raw_spin_lock_irqsave(&ctx->lock, flags); +@@ -12431,7 +12429,7 @@ static void __pmu_detach_event(struct pmu *pmu, struct perf_event *event, + /* + * De-schedule the event and mark it REVOKED. + */ +- perf_event_exit_event(event, ctx, true); ++ perf_event_exit_event(event, ctx, ctx->task, true); + + /* + * All _free_event() bits that rely on event->pmu: +@@ -13988,14 +13986,13 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu) + } + EXPORT_SYMBOL_GPL(perf_pmu_migrate_context); + +-static void sync_child_event(struct perf_event *child_event) ++static void sync_child_event(struct perf_event *child_event, ++ struct task_struct *task) + { + struct perf_event *parent_event = child_event->parent; + u64 child_val; + + if (child_event->attr.inherit_stat) { +- struct task_struct *task = child_event->ctx->task; +- + if (task && task != TASK_TOMBSTONE) + perf_event_read_event(child_event, task); + } +@@ -14014,7 +14011,9 @@ static void sync_child_event(struct perf_event *child_event) + + static void + perf_event_exit_event(struct perf_event *event, +- struct perf_event_context *ctx, bool revoke) ++ struct perf_event_context *ctx, ++ struct task_struct *task, ++ bool revoke) + { + struct perf_event *parent_event = event->parent; + unsigned long detach_flags = DETACH_EXIT; +@@ -14037,6 +14036,9 @@ perf_event_exit_event(struct perf_event *event, + mutex_lock(&parent_event->child_mutex); + /* PERF_ATTACH_ITRACE might be set concurrently */ + attach_state = READ_ONCE(event->attach_state); ++ ++ if (attach_state & PERF_ATTACH_CHILD) ++ sync_child_event(event, task); + } + + if (revoke) +@@ -14128,7 +14130,7 @@ static void perf_event_exit_task_context(struct task_struct *task, bool exit) + perf_event_task(task, ctx, 0); + + list_for_each_entry_safe(child_event, next, &ctx->event_list, event_entry) +- perf_event_exit_event(child_event, ctx, false); ++ perf_event_exit_event(child_event, ctx, exit ? task : NULL, false); + + mutex_unlock(&ctx->mutex); + +-- +2.51.0 + diff --git a/queue-6.17/perf-x86-intel-fix-null-event-dereference-crash-in-h.patch b/queue-6.17/perf-x86-intel-fix-null-event-dereference-crash-in-h.patch new file mode 100644 index 0000000000..220d575342 --- /dev/null +++ b/queue-6.17/perf-x86-intel-fix-null-event-dereference-crash-in-h.patch @@ -0,0 +1,61 @@ +From 4b94121077155aff60902437ba085c9542b69207 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 16:49:43 +0800 +Subject: perf/x86/intel: Fix NULL event dereference crash in + handle_pmi_common() + +From: Evan Li + +[ Upstream commit 9415f749d34b926b9e4853da1462f4d941f89a0d ] + +handle_pmi_common() may observe an active bit set in cpuc->active_mask +while the corresponding cpuc->events[] entry has already been cleared, +which leads to a NULL pointer dereference. + +This can happen when interrupt throttling stops all events in a group +while PEBS processing is still in progress. perf_event_overflow() can +trigger perf_event_throttle_group(), which stops the group and clears +the cpuc->events[] entry, but the active bit may still be set when +handle_pmi_common() iterates over the events. + +The following recent fix: + + 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss") + +moved the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del() and +relied on cpuc->active_mask/pebs_enabled checks. However, +handle_pmi_common() can still encounter a NULL cpuc->events[] entry +despite the active bit being set. + +Add an explicit NULL check on the event pointer before using it, +to cover this legitimate scenario and avoid the NULL dereference crash. + +Fixes: 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss") +Reported-by: kitta +Co-developed-by: kitta +Signed-off-by: Evan Li +Signed-off-by: Ingo Molnar +Link: https://patch.msgid.link/20251212084943.2124787-1-evan.li@linux.alibaba.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220855 +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 52270268144c2..76cd840e33e30 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3249,6 +3249,9 @@ static int handle_pmi_common(struct pt_regs *regs, u64 status) + + if (!test_bit(bit, cpuc->active_mask)) + continue; ++ /* Event may have already been cleared: */ ++ if (!event) ++ continue; + + /* + * There may be unprocessed PEBS records in the PEBS buffer, +-- +2.51.0 + diff --git a/queue-6.17/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch b/queue-6.17/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch new file mode 100644 index 0000000000..ee79823b03 --- /dev/null +++ b/queue-6.17/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch @@ -0,0 +1,56 @@ +From 6d83260eda448f97733ad4a6583c06c5f483a370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 18:01:49 +0800 +Subject: scsi: imm: Fix use-after-free bug caused by unfinished delayed work + +From: Duoming Zhou + +[ Upstream commit ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c ] + +The delayed work item 'imm_tq' is initialized in imm_attach() and +scheduled via imm_queuecommand() for processing SCSI commands. When the +IMM parallel port SCSI host adapter is detached through imm_detach(), +the imm_struct device instance is deallocated. + +However, the delayed work might still be pending or executing +when imm_detach() is called, leading to use-after-free bugs +when the work function imm_interrupt() accesses the already +freed imm_struct memory. + +The race condition can occur as follows: + +CPU 0(detach thread) | CPU 1 + | imm_queuecommand() + | imm_queuecommand_lck() +imm_detach() | schedule_delayed_work() + kfree(dev) //FREE | imm_interrupt() + | dev = container_of(...) //USE + dev-> //USE + +Add disable_delayed_work_sync() in imm_detach() to guarantee proper +cancellation of the delayed work item before imm_struct is deallocated. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/20251028100149.40721-1-duoming@zju.edu.cn +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/imm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/imm.c b/drivers/scsi/imm.c +index 0821cf994b986..8a099bc27e06c 100644 +--- a/drivers/scsi/imm.c ++++ b/drivers/scsi/imm.c +@@ -1260,6 +1260,7 @@ static void imm_detach(struct parport *pb) + imm_struct *dev; + list_for_each_entry(dev, &imm_hosts, list) { + if (dev->dev->port == pb) { ++ disable_delayed_work_sync(&dev->imm_tq); + list_del_init(&dev->list); + scsi_remove_host(dev->host); + scsi_host_put(dev->host); +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index 228ab51664..d91bd182c4 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -486,3 +486,12 @@ block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch asoc-amd-acp-update-tdm-channels-for-specific-dai.patch dm-raid-fix-possible-null-dereference-with-undefined.patch dm-log-writes-add-missing-set_freezable-for-freezabl.patch +efi-cper-add-a-new-helper-function-to-print-bitmasks.patch +efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch +efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch +scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch +perf-core-fix-missing-read-event-generation-on-task-.patch +irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch +cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch +ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch +perf-x86-intel-fix-null-event-dereference-crash-in-h.patch diff --git a/queue-6.18/cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch b/queue-6.18/cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch new file mode 100644 index 0000000000..ecbecab0fc --- /dev/null +++ b/queue-6.18/cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch @@ -0,0 +1,86 @@ +From 73698ee794ce0f31ce804713c6915ea089fdda5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 15:47:23 +0100 +Subject: cpu: Make atomic hotplug callbacks run with interrupts disabled on UP + +From: Sebastian Andrzej Siewior + +[ Upstream commit c94291914b200e10c72cef23c8e4c67eb4fdbcd9 ] + +On SMP systems the CPU hotplug callbacks in the "starting" range are +invoked while the CPU is brought up and interrupts are still +disabled. Callbacks which are added later are invoked via the +hotplug-thread on the target CPU and interrupts are explicitly disabled. + +In the UP case callbacks which are added later are invoked directly without +the thread indirection. This is in principle okay since there is just one +CPU but those callbacks are invoked with interrupt disabled code. That's +incorrect as those callbacks assume interrupt disabled context. + +Disable interrupts before invoking the callbacks on UP if the state is +atomic and interrupts are expected to be disabled. The "save" part is +required because this is also invoked early in the boot process while +interrupts are disabled and must not be enabled prematurely. + +Fixes: 06ddd17521bf1 ("sched/smp: Always define is_percpu_thread() and scheduler_ipi()") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Link: https://patch.msgid.link/20251127144723.ev9DuXXR@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/cpu.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/kernel/cpu.c b/kernel/cpu.c +index db9f6c539b28c..15000c7abc659 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -249,6 +249,14 @@ static int cpuhp_invoke_callback(unsigned int cpu, enum cpuhp_state state, + return ret; + } + ++/* ++ * The former STARTING/DYING states, ran with IRQs disabled and must not fail. ++ */ ++static bool cpuhp_is_atomic_state(enum cpuhp_state state) ++{ ++ return CPUHP_AP_IDLE_DEAD <= state && state < CPUHP_AP_ONLINE; ++} ++ + #ifdef CONFIG_SMP + static bool cpuhp_is_ap_state(enum cpuhp_state state) + { +@@ -271,14 +279,6 @@ static inline void complete_ap_thread(struct cpuhp_cpu_state *st, bool bringup) + complete(done); + } + +-/* +- * The former STARTING/DYING states, ran with IRQs disabled and must not fail. +- */ +-static bool cpuhp_is_atomic_state(enum cpuhp_state state) +-{ +- return CPUHP_AP_IDLE_DEAD <= state && state < CPUHP_AP_ONLINE; +-} +- + /* Synchronization state management */ + enum cpuhp_sync_state { + SYNC_STATE_DEAD, +@@ -2364,7 +2364,14 @@ static int cpuhp_issue_call(int cpu, enum cpuhp_state state, bool bringup, + else + ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL); + #else +- ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL); ++ if (cpuhp_is_atomic_state(state)) { ++ guard(irqsave)(); ++ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL); ++ /* STARTING/DYING must not fail! */ ++ WARN_ON_ONCE(ret); ++ } else { ++ ret = cpuhp_invoke_callback(cpu, state, bringup, node, NULL); ++ } + #endif + BUG_ON(ret && !bringup); + return ret; +-- +2.51.0 + diff --git a/queue-6.18/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch b/queue-6.18/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch new file mode 100644 index 0000000000..2f6996c91f --- /dev/null +++ b/queue-6.18/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch @@ -0,0 +1,133 @@ +From 06d39b93424e64e47244b0ccb97a3c6b2c033cfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:54 -0700 +Subject: efi/cper: Add a new helper function to print bitmasks + +From: Mauro Carvalho Chehab + +[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ] + +Add a helper function to print a string with names associated +to each bit field. + +A typical example is: + + const char * const bits[] = { + "bit 3 name", + "bit 4 name", + "bit 5 name", + }; + char str[120]; + unsigned int bitmask = BIT(3) | BIT(5); + + #define MASK GENMASK(5,3) + + cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), + bits, ARRAY_SIZE(bits)); + +The above code fills string "str" with "bit 3 name|bit 5 name". + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++ + include/linux/cper.h | 2 ++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index 928409199a1a4..79ba688a64f8d 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -12,6 +12,7 @@ + * Specification version 2.4. + */ + ++#include + #include + #include + #include +@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits, + printk("%s\n", buf); + } + ++/** ++ * cper_bits_to_str - return a string for set bits ++ * @buf: buffer to store the output string ++ * @buf_size: size of the output string buffer ++ * @bits: bit mask ++ * @strs: string array, indexed by bit position ++ * @strs_size: size of the string array: @strs ++ * ++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits, ++ * add the corresponding string describing the bit in @strs to @buf. ++ * ++ * A typical example is:: ++ * ++ * const char * const bits[] = { ++ * "bit 3 name", ++ * "bit 4 name", ++ * "bit 5 name", ++ * }; ++ * char str[120]; ++ * unsigned int bitmask = BIT(3) | BIT(5); ++ * #define MASK GENMASK(5,3) ++ * ++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), ++ * bits, ARRAY_SIZE(bits)); ++ * ++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``. ++ * ++ * Return: number of bytes stored or an error code if lower than zero. ++ */ ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size) ++{ ++ int len = buf_size; ++ char *str = buf; ++ int i, size; ++ ++ *buf = '\0'; ++ ++ for_each_set_bit(i, &bits, strs_size) { ++ if (!(bits & BIT_ULL(i))) ++ continue; ++ ++ if (*buf && len > 0) { ++ *str = '|'; ++ len--; ++ str++; ++ } ++ ++ size = strscpy(str, strs[i], len); ++ if (size < 0) ++ return size; ++ ++ len -= size; ++ str += size; ++ } ++ return len - buf_size; ++} ++EXPORT_SYMBOL_GPL(cper_bits_to_str); ++ + static const char * const proc_type_strs[] = { + "IA32/X64", + "IA64", +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 0ed60a91eca9d..58f40477c824e 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -588,6 +588,8 @@ const char *cper_mem_err_type_str(unsigned int); + const char *cper_mem_err_status_str(u64 status); + void cper_print_bits(const char *prefix, unsigned int bits, + const char * const strs[], unsigned int strs_size); ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size); + void cper_mem_err_pack(const struct cper_sec_mem_err *, + struct cper_mem_err_compact *); + const char *cper_mem_err_unpack(struct trace_seq *, +-- +2.51.0 + diff --git a/queue-6.18/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch b/queue-6.18/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch new file mode 100644 index 0000000000..8353d6cfb1 --- /dev/null +++ b/queue-6.18/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch @@ -0,0 +1,50 @@ +From 3d7673efcd982e70a20ef7e41ea394c5d120da30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:53 -0700 +Subject: efi/cper: Adjust infopfx size to accept an extra space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauro Carvalho Chehab + +[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ] + +Compiling with W=1 with werror enabled produces an error: + +drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’: +drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^ +drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64 + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As the logic there adds an space at the end of infopx buffer. +Add an extra space to avoid such warning. + +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper-arm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index f0a63d09d3c49..6ff781e47147c 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx, + int i, len, max_ctx_type; + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; +- char newpfx[64], infopfx[64]; ++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +-- +2.51.0 + diff --git a/queue-6.18/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch b/queue-6.18/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch new file mode 100644 index 0000000000..f5442c8920 --- /dev/null +++ b/queue-6.18/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch @@ -0,0 +1,230 @@ +From 30c01cc4441a729b83856c5870420e420d9f3f20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:55 -0700 +Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs + +From: Mauro Carvalho Chehab + +[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ] + +Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor +was defined simply as: + +Type at byte offset 4: + + - Cache error + - TLB Error + - Bus Error + - Micro-architectural Error + All other values are reserved + +Yet, there was no information about how this would be encoded. + +Spec 2.9A errata corrected it by defining: + + - Bit 1 - Cache Error + - Bit 2 - TLB Error + - Bit 3 - Bus Error + - Bit 4 - Micro-architectural Error + All other values are reserved + +That actually aligns with the values already defined on older +versions at N.2.4.1. Generic Processor Error Section. + +Spec 2.10 also preserve the same encoding as 2.9A. + +Adjust CPER and GHES handling code for both generic and ARM +processors to properly handle UEFI 2.9A and 2.10 encoding. + +Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 16 +++++++---- + drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++----------------- + include/linux/cper.h | 10 +++---- + 3 files changed, 39 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 7d2466b515046..56107aa002744 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -556,6 +557,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + { + struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); + int flags = sync ? MF_ACTION_REQUIRED : 0; ++ char error_type[120]; + bool queued = false; + int sec_sev, i; + char *p; +@@ -568,9 +570,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + p = (char *)(err + 1); + for (i = 0; i < err->err_info_num; i++) { + struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p; +- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR); ++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR; + bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR); +- const char *error_type = "unknown error"; + + /* + * The field (err_info->error_info & BIT(26)) is fixed to set to +@@ -584,12 +585,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + continue; + } + +- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs)) +- error_type = cper_proc_error_type_strs[err_info->type]; ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); + + pr_warn_ratelimited(FW_WARN GHES_PFX +- "Unhandled processor error type: %s\n", +- error_type); ++ "Unhandled processor error type 0x%02x: %s%s\n", ++ err_info->type, error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); + p += err_info->length; + } + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index 6ff781e47147c..76542a53e2027 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + bool proc_context_corrupt, corrected, precise_pc, restartable_pc; + bool time_out, access_mode; + +- /* If the type is unknown, bail. */ +- if (type > CPER_ARM_MAX_TYPE) +- return; +- + /* + * Vendor type errors have error information values that are vendor + * specific. + */ +- if (type == CPER_ARM_VENDOR_ERROR) ++ if (type & CPER_ARM_VENDOR_ERROR) + return; + + if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) { +@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) { + op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT) + & CPER_ARM_ERR_OPERATION_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) { + if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%scache error, operation type: %s\n", pfx, + arm_cache_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_TLB_ERROR: ++ } ++ if (type & CPER_ARM_TLB_ERROR) { + if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sTLB error, operation type: %s\n", pfx, + arm_tlb_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_BUS_ERROR: ++ } ++ if (type & CPER_ARM_BUS_ERROR) { + if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sbus error, operation type: %s\n", pfx, + arm_bus_err_op_strs[op_type]); + } +- break; + } + } + + if (error_info & CPER_ARM_ERR_VALID_LEVEL) { + level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT) + & CPER_ARM_ERR_LEVEL_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) + printk("%scache level: %d\n", pfx, level); +- break; +- case CPER_ARM_TLB_ERROR: ++ ++ if (type & CPER_ARM_TLB_ERROR) + printk("%sTLB level: %d\n", pfx, level); +- break; +- case CPER_ARM_BUS_ERROR: ++ ++ if (type & CPER_ARM_BUS_ERROR) + printk("%saffinity level at which the bus error occurred: %d\n", + pfx, level); +- break; +- } + } + + if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) { +@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx, + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; + char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; ++ char error_type[120]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx, + newpfx); + } + +- printk("%serror_type: %d, %s\n", newpfx, err_info->type, +- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ? +- cper_proc_error_type_strs[err_info->type] : "unknown"); ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); ++ ++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type, ++ error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); ++ + if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) { + printk("%serror_info: 0x%016llx\n", newpfx, + err_info->error_info); +diff --git a/include/linux/cper.h b/include/linux/cper.h +index 58f40477c824e..5b1236d8c65bb 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -297,11 +297,11 @@ enum { + #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2) + #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3) + +-#define CPER_ARM_CACHE_ERROR 0 +-#define CPER_ARM_TLB_ERROR 1 +-#define CPER_ARM_BUS_ERROR 2 +-#define CPER_ARM_VENDOR_ERROR 3 +-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR ++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1) ++#define CPER_ARM_CACHE_ERROR BIT(1) ++#define CPER_ARM_TLB_ERROR BIT(2) ++#define CPER_ARM_BUS_ERROR BIT(3) ++#define CPER_ARM_VENDOR_ERROR BIT(4) + + #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0) + #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1) +-- +2.51.0 + diff --git a/queue-6.18/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch b/queue-6.18/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch new file mode 100644 index 0000000000..2addfacea6 --- /dev/null +++ b/queue-6.18/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch @@ -0,0 +1,41 @@ +From a50e5feaa66480a00615d4cbd4d3940b83aadfb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 09:54:16 +0300 +Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() + +From: Dan Carpenter + +[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ] + +If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then +it results in an out of bounds access. + +The code checks for invalid values, but doesn't set the error code. Return +-EINVAL in that case, instead of returning success. + +Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Reviewed-by: Claudiu Beznea +Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mchp-eic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c +index b513a899c0853..979bb86929f8e 100644 +--- a/drivers/irqchip/irq-mchp-eic.c ++++ b/drivers/irqchip/irq-mchp-eic.c +@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq, + + ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type); + if (ret || hwirq >= MCHP_EIC_NIRQ) +- return ret; ++ return ret ?: -EINVAL; + + switch (type) { + case IRQ_TYPE_EDGE_RISING: +-- +2.51.0 + diff --git a/queue-6.18/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch b/queue-6.18/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch new file mode 100644 index 0000000000..51ab0b80f5 --- /dev/null +++ b/queue-6.18/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch @@ -0,0 +1,45 @@ +From 3b126a0b5f9a1b494641ecaf84555487f07f29fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 09:51:59 +0300 +Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left() + +From: Dmitry Antipov + +[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ] + +In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after +move, thus allowing 'ocfs2_free_path()' to free it before return. + +Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru +Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") +Signed-off-by: Dmitry Antipov +Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 +Reviewed-by: Heming Zhao +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 162711cc5b201..a0ced11e0c24a 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -3654,7 +3654,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path, + * So we use the new rightmost path. + */ + ocfs2_mv_path(right_path, left_path); +- left_path = NULL; + } else + ocfs2_complete_edge_insert(handle, left_path, + right_path, subtree_index); +-- +2.51.0 + diff --git a/queue-6.18/perf-core-fix-missing-read-event-generation-on-task-.patch b/queue-6.18/perf-core-fix-missing-read-event-generation-on-task-.patch new file mode 100644 index 0000000000..7731411090 --- /dev/null +++ b/queue-6.18/perf-core-fix-missing-read-event-generation-on-task-.patch @@ -0,0 +1,162 @@ +From 7e7f6f2e17ff9a64f49496f49ce41f1bccf4724c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 12:16:00 +0800 +Subject: perf/core: Fix missing read event generation on task exit + +From: Thaumy Cheng + +[ Upstream commit c418d8b4d7a43a86b82ee39cb52ece3034383530 ] + +For events with inherit_stat enabled, a "read" event will be generated +to collect per task event counts on task exit. + +The call chain is as follows: + +do_exit + -> perf_event_exit_task + -> perf_event_exit_task_context + -> perf_event_exit_event + -> perf_remove_from_context + -> perf_child_detach + -> sync_child_event + -> perf_event_read_event + +However, the child event context detaches the task too early in +perf_event_exit_task_context, which causes sync_child_event to never +generate the read event in this case, since child_event->ctx->task is +always set to TASK_TOMBSTONE. Fix that by moving context lock section +backward to ensure ctx->task is not set to TASK_TOMBSTONE before +generating the read event. + +Because perf_event_free_task calls perf_event_exit_task_context with +exit = false to tear down all child events from the context, and the +task never lived, accessing the task PID can lead to a use-after-free. + +To fix that, let sync_child_event read task from argument and move the +call to the only place it should be triggered to avoid the effect of +setting ctx->task to TASK_TOMESTONE, and add a task parameter to +perf_event_exit_event to trigger the sync_child_event properly when +needed. + +This bug can be reproduced by running "perf record -s" and attaching to +any program that generates perf events in its child tasks. If we check +the result with "perf report -T", the last line of the report will leave +an empty table like "# PID TID", which is expected to contain the +per-task event counts by design. + +Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()") +Signed-off-by: Thaumy Cheng +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Ian Rogers +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: linux-perf-users@vger.kernel.org +Link: https://patch.msgid.link/20251209041600.963586-1-thaumy.love@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 2c35acc2722b0..413b88a4e00fb 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -2316,8 +2316,6 @@ static void perf_group_detach(struct perf_event *event) + perf_event__header_size(leader); + } + +-static void sync_child_event(struct perf_event *child_event); +- + static void perf_child_detach(struct perf_event *event) + { + struct perf_event *parent_event = event->parent; +@@ -2336,7 +2334,6 @@ static void perf_child_detach(struct perf_event *event) + lockdep_assert_held(&parent_event->child_mutex); + */ + +- sync_child_event(event); + list_del_init(&event->child_list); + } + +@@ -4587,6 +4584,7 @@ static void perf_event_enable_on_exec(struct perf_event_context *ctx) + static void perf_remove_from_owner(struct perf_event *event); + static void perf_event_exit_event(struct perf_event *event, + struct perf_event_context *ctx, ++ struct task_struct *task, + bool revoke); + + /* +@@ -4614,7 +4612,7 @@ static void perf_event_remove_on_exec(struct perf_event_context *ctx) + + modified = true; + +- perf_event_exit_event(event, ctx, false); ++ perf_event_exit_event(event, ctx, ctx->task, false); + } + + raw_spin_lock_irqsave(&ctx->lock, flags); +@@ -12447,7 +12445,7 @@ static void __pmu_detach_event(struct pmu *pmu, struct perf_event *event, + /* + * De-schedule the event and mark it REVOKED. + */ +- perf_event_exit_event(event, ctx, true); ++ perf_event_exit_event(event, ctx, ctx->task, true); + + /* + * All _free_event() bits that rely on event->pmu: +@@ -14004,14 +14002,13 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu) + } + EXPORT_SYMBOL_GPL(perf_pmu_migrate_context); + +-static void sync_child_event(struct perf_event *child_event) ++static void sync_child_event(struct perf_event *child_event, ++ struct task_struct *task) + { + struct perf_event *parent_event = child_event->parent; + u64 child_val; + + if (child_event->attr.inherit_stat) { +- struct task_struct *task = child_event->ctx->task; +- + if (task && task != TASK_TOMBSTONE) + perf_event_read_event(child_event, task); + } +@@ -14030,7 +14027,9 @@ static void sync_child_event(struct perf_event *child_event) + + static void + perf_event_exit_event(struct perf_event *event, +- struct perf_event_context *ctx, bool revoke) ++ struct perf_event_context *ctx, ++ struct task_struct *task, ++ bool revoke) + { + struct perf_event *parent_event = event->parent; + unsigned long detach_flags = DETACH_EXIT; +@@ -14053,6 +14052,9 @@ perf_event_exit_event(struct perf_event *event, + mutex_lock(&parent_event->child_mutex); + /* PERF_ATTACH_ITRACE might be set concurrently */ + attach_state = READ_ONCE(event->attach_state); ++ ++ if (attach_state & PERF_ATTACH_CHILD) ++ sync_child_event(event, task); + } + + if (revoke) +@@ -14144,7 +14146,7 @@ static void perf_event_exit_task_context(struct task_struct *task, bool exit) + perf_event_task(task, ctx, 0); + + list_for_each_entry_safe(child_event, next, &ctx->event_list, event_entry) +- perf_event_exit_event(child_event, ctx, false); ++ perf_event_exit_event(child_event, ctx, exit ? task : NULL, false); + + mutex_unlock(&ctx->mutex); + +-- +2.51.0 + diff --git a/queue-6.18/perf-x86-intel-fix-null-event-dereference-crash-in-h.patch b/queue-6.18/perf-x86-intel-fix-null-event-dereference-crash-in-h.patch new file mode 100644 index 0000000000..8f8a1576ae --- /dev/null +++ b/queue-6.18/perf-x86-intel-fix-null-event-dereference-crash-in-h.patch @@ -0,0 +1,61 @@ +From b2b3d64e727ec6d64797108fe6b64cffc37bf213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 16:49:43 +0800 +Subject: perf/x86/intel: Fix NULL event dereference crash in + handle_pmi_common() + +From: Evan Li + +[ Upstream commit 9415f749d34b926b9e4853da1462f4d941f89a0d ] + +handle_pmi_common() may observe an active bit set in cpuc->active_mask +while the corresponding cpuc->events[] entry has already been cleared, +which leads to a NULL pointer dereference. + +This can happen when interrupt throttling stops all events in a group +while PEBS processing is still in progress. perf_event_overflow() can +trigger perf_event_throttle_group(), which stops the group and clears +the cpuc->events[] entry, but the active bit may still be set when +handle_pmi_common() iterates over the events. + +The following recent fix: + + 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss") + +moved the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del() and +relied on cpuc->active_mask/pebs_enabled checks. However, +handle_pmi_common() can still encounter a NULL cpuc->events[] entry +despite the active bit being set. + +Add an explicit NULL check on the event pointer before using it, +to cover this legitimate scenario and avoid the NULL dereference crash. + +Fixes: 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss") +Reported-by: kitta +Co-developed-by: kitta +Signed-off-by: Evan Li +Signed-off-by: Ingo Molnar +Link: https://patch.msgid.link/20251212084943.2124787-1-evan.li@linux.alibaba.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220855 +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 9b824ed6fc1de..32d551f2646a7 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3249,6 +3249,9 @@ static int handle_pmi_common(struct pt_regs *regs, u64 status) + + if (!test_bit(bit, cpuc->active_mask)) + continue; ++ /* Event may have already been cleared: */ ++ if (!event) ++ continue; + + /* + * There may be unprocessed PEBS records in the PEBS buffer, +-- +2.51.0 + diff --git a/queue-6.18/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch b/queue-6.18/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch new file mode 100644 index 0000000000..1b046ffb13 --- /dev/null +++ b/queue-6.18/scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch @@ -0,0 +1,56 @@ +From d0e4a1277acdb5d7bb4f60a1df9b24af251dbe7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 18:01:49 +0800 +Subject: scsi: imm: Fix use-after-free bug caused by unfinished delayed work + +From: Duoming Zhou + +[ Upstream commit ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c ] + +The delayed work item 'imm_tq' is initialized in imm_attach() and +scheduled via imm_queuecommand() for processing SCSI commands. When the +IMM parallel port SCSI host adapter is detached through imm_detach(), +the imm_struct device instance is deallocated. + +However, the delayed work might still be pending or executing +when imm_detach() is called, leading to use-after-free bugs +when the work function imm_interrupt() accesses the already +freed imm_struct memory. + +The race condition can occur as follows: + +CPU 0(detach thread) | CPU 1 + | imm_queuecommand() + | imm_queuecommand_lck() +imm_detach() | schedule_delayed_work() + kfree(dev) //FREE | imm_interrupt() + | dev = container_of(...) //USE + dev-> //USE + +Add disable_delayed_work_sync() in imm_detach() to guarantee proper +cancellation of the delayed work item before imm_struct is deallocated. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Duoming Zhou +Link: https://patch.msgid.link/20251028100149.40721-1-duoming@zju.edu.cn +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/imm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/imm.c b/drivers/scsi/imm.c +index 5c602c0577989..45b0e33293a59 100644 +--- a/drivers/scsi/imm.c ++++ b/drivers/scsi/imm.c +@@ -1260,6 +1260,7 @@ static void imm_detach(struct parport *pb) + imm_struct *dev; + list_for_each_entry(dev, &imm_hosts, list) { + if (dev->dev->port == pb) { ++ disable_delayed_work_sync(&dev->imm_tq); + list_del_init(&dev->list); + scsi_remove_host(dev->host); + scsi_host_put(dev->host); +-- +2.51.0 + diff --git a/queue-6.18/scsi-ufs-core-fix-an-error-handler-crash.patch b/queue-6.18/scsi-ufs-core-fix-an-error-handler-crash.patch new file mode 100644 index 0000000000..357b57ee30 --- /dev/null +++ b/queue-6.18/scsi-ufs-core-fix-an-error-handler-crash.patch @@ -0,0 +1,69 @@ +From 5ad46053d12de48c7637b97e0872561ed407deaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 07:04:52 -1000 +Subject: scsi: ufs: core: Fix an error handler crash + +From: Bart Van Assche + +[ Upstream commit 14be351e5cd07349377010e457a58fac99201832 ] + +The UFS error handler may be activated before SCSI scanning has started +and hence before hba->ufs_device_wlun has been set. Check the +hba->ufs_device_wlun pointer before using it. + +Cc: Peter Wang +Cc: Nitin Rawat +Fixes: e23ef4f22db3 ("scsi: ufs: core: Fix error handler host_sem issue") +Fixes: f966e02ae521 ("scsi: ufs: core: Fix runtime suspend error deadlock") +Signed-off-by: Bart Van Assche +Reviewed-by: Peter Wang +Reviewed-by: Nitin Rawat +Tested-by: Nitin Rawat #SM8750 +Link: https://patch.msgid.link/20251204170457.994851-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index 12f5a7a973128..a921a9098a291 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -6670,19 +6670,22 @@ static void ufshcd_err_handler(struct work_struct *work) + hba->saved_uic_err, hba->force_reset, + ufshcd_is_link_broken(hba) ? "; link is broken" : ""); + +- /* +- * Use ufshcd_rpm_get_noresume() here to safely perform link recovery +- * even if an error occurs during runtime suspend or runtime resume. +- * This avoids potential deadlocks that could happen if we tried to +- * resume the device while a PM operation is already in progress. +- */ +- ufshcd_rpm_get_noresume(hba); +- if (hba->pm_op_in_progress) { +- ufshcd_link_recovery(hba); ++ if (hba->ufs_device_wlun) { ++ /* ++ * Use ufshcd_rpm_get_noresume() here to safely perform link ++ * recovery even if an error occurs during runtime suspend or ++ * runtime resume. This avoids potential deadlocks that could ++ * happen if we tried to resume the device while a PM operation ++ * is already in progress. ++ */ ++ ufshcd_rpm_get_noresume(hba); ++ if (hba->pm_op_in_progress) { ++ ufshcd_link_recovery(hba); ++ ufshcd_rpm_put(hba); ++ return; ++ } + ufshcd_rpm_put(hba); +- return; + } +- ufshcd_rpm_put(hba); + + down(&hba->host_sem); + spin_lock_irqsave(hba->host->host_lock, flags); +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 89ebf84bf0..ef9192f501 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -592,3 +592,13 @@ block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch asoc-amd-acp-update-tdm-channels-for-specific-dai.patch dm-raid-fix-possible-null-dereference-with-undefined.patch dm-log-writes-add-missing-set_freezable-for-freezabl.patch +scsi-imm-fix-use-after-free-bug-caused-by-unfinished.patch +scsi-ufs-core-fix-an-error-handler-crash.patch +perf-core-fix-missing-read-event-generation-on-task-.patch +irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch +cpu-make-atomic-hotplug-callbacks-run-with-interrupt.patch +ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch +perf-x86-intel-fix-null-event-dereference-crash-in-h.patch +efi-cper-add-a-new-helper-function-to-print-bitmasks.patch +efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch +efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch diff --git a/queue-6.6/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch b/queue-6.6/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch new file mode 100644 index 0000000000..51271e7079 --- /dev/null +++ b/queue-6.6/efi-cper-add-a-new-helper-function-to-print-bitmasks.patch @@ -0,0 +1,133 @@ +From 811403030fb11b2429c2707db96ec5353e67bcd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:54 -0700 +Subject: efi/cper: Add a new helper function to print bitmasks + +From: Mauro Carvalho Chehab + +[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ] + +Add a helper function to print a string with names associated +to each bit field. + +A typical example is: + + const char * const bits[] = { + "bit 3 name", + "bit 4 name", + "bit 5 name", + }; + char str[120]; + unsigned int bitmask = BIT(3) | BIT(5); + + #define MASK GENMASK(5,3) + + cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), + bits, ARRAY_SIZE(bits)); + +The above code fills string "str" with "bit 3 name|bit 5 name". + +Reviewed-by: Jonathan Cameron +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++ + include/linux/cper.h | 2 ++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index 35c37f667781c..cd34ef9384f1e 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -12,6 +12,7 @@ + * Specification version 2.4. + */ + ++#include + #include + #include + #include +@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits, + printk("%s\n", buf); + } + ++/** ++ * cper_bits_to_str - return a string for set bits ++ * @buf: buffer to store the output string ++ * @buf_size: size of the output string buffer ++ * @bits: bit mask ++ * @strs: string array, indexed by bit position ++ * @strs_size: size of the string array: @strs ++ * ++ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits, ++ * add the corresponding string describing the bit in @strs to @buf. ++ * ++ * A typical example is:: ++ * ++ * const char * const bits[] = { ++ * "bit 3 name", ++ * "bit 4 name", ++ * "bit 5 name", ++ * }; ++ * char str[120]; ++ * unsigned int bitmask = BIT(3) | BIT(5); ++ * #define MASK GENMASK(5,3) ++ * ++ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask), ++ * bits, ARRAY_SIZE(bits)); ++ * ++ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``. ++ * ++ * Return: number of bytes stored or an error code if lower than zero. ++ */ ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size) ++{ ++ int len = buf_size; ++ char *str = buf; ++ int i, size; ++ ++ *buf = '\0'; ++ ++ for_each_set_bit(i, &bits, strs_size) { ++ if (!(bits & BIT_ULL(i))) ++ continue; ++ ++ if (*buf && len > 0) { ++ *str = '|'; ++ len--; ++ str++; ++ } ++ ++ size = strscpy(str, strs[i], len); ++ if (size < 0) ++ return size; ++ ++ len -= size; ++ str += size; ++ } ++ return len - buf_size; ++} ++EXPORT_SYMBOL_GPL(cper_bits_to_str); ++ + static const char * const proc_type_strs[] = { + "IA32/X64", + "IA64", +diff --git a/include/linux/cper.h b/include/linux/cper.h +index c1a7dc3251215..f792e4b3df907 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -561,6 +561,8 @@ const char *cper_mem_err_type_str(unsigned int); + const char *cper_mem_err_status_str(u64 status); + void cper_print_bits(const char *prefix, unsigned int bits, + const char * const strs[], unsigned int strs_size); ++int cper_bits_to_str(char *buf, int buf_size, unsigned long bits, ++ const char * const strs[], unsigned int strs_size); + void cper_mem_err_pack(const struct cper_sec_mem_err *, + struct cper_mem_err_compact *); + const char *cper_mem_err_unpack(struct trace_seq *, +-- +2.51.0 + diff --git a/queue-6.6/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch b/queue-6.6/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch new file mode 100644 index 0000000000..2477076d36 --- /dev/null +++ b/queue-6.6/efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch @@ -0,0 +1,50 @@ +From 360fa38e44f411b8133da4a1f2e9d7fd23b04e7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:53 -0700 +Subject: efi/cper: Adjust infopfx size to accept an extra space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauro Carvalho Chehab + +[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ] + +Compiling with W=1 with werror enabled produces an error: + +drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’: +drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^ +drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64 + 298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As the logic there adds an space at the end of infopx buffer. +Add an extra space to avoid such warning. + +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper-arm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index fa9c1c3bf168b..eb7ee6af55f23 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx, + int i, len, max_ctx_type; + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; +- char newpfx[64], infopfx[64]; ++ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +-- +2.51.0 + diff --git a/queue-6.6/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch b/queue-6.6/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch new file mode 100644 index 0000000000..e170974f4b --- /dev/null +++ b/queue-6.6/efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch @@ -0,0 +1,230 @@ +From a7bedbca518bf07e22b97e32a8bc0315a991d7b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:52:55 -0700 +Subject: efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs + +From: Mauro Carvalho Chehab + +[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ] + +Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor +was defined simply as: + +Type at byte offset 4: + + - Cache error + - TLB Error + - Bus Error + - Micro-architectural Error + All other values are reserved + +Yet, there was no information about how this would be encoded. + +Spec 2.9A errata corrected it by defining: + + - Bit 1 - Cache Error + - Bit 2 - TLB Error + - Bit 3 - Bus Error + - Bit 4 - Micro-architectural Error + All other values are reserved + +That actually aligns with the values already defined on older +versions at N.2.4.1. Generic Processor Error Section. + +Spec 2.10 also preserve the same encoding as 2.9A. + +Adjust CPER and GHES handling code for both generic and ARM +processors to properly handle UEFI 2.9A and 2.10 encoding. + +Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jonathan Cameron +Acked-by: Borislav Petkov (AMD) +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 16 +++++++---- + drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++----------------- + include/linux/cper.h | 10 +++---- + 3 files changed, 39 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index ec364c2541124..e768dfd345fb2 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -528,6 +529,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + { + struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); + int flags = sync ? MF_ACTION_REQUIRED : 0; ++ char error_type[120]; + bool queued = false; + int sec_sev, i; + char *p; +@@ -541,9 +543,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + p = (char *)(err + 1); + for (i = 0; i < err->err_info_num; i++) { + struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p; +- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR); ++ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR; + bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR); +- const char *error_type = "unknown error"; + + /* + * The field (err_info->error_info & BIT(26)) is fixed to set to +@@ -557,12 +558,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, + continue; + } + +- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs)) +- error_type = cper_proc_error_type_strs[err_info->type]; ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); + + pr_warn_ratelimited(FW_WARN GHES_PFX +- "Unhandled processor error type: %s\n", +- error_type); ++ "Unhandled processor error type 0x%02x: %s%s\n", ++ err_info->type, error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); + p += err_info->length; + } + +diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c +index eb7ee6af55f23..52d18490b59e3 100644 +--- a/drivers/firmware/efi/cper-arm.c ++++ b/drivers/firmware/efi/cper-arm.c +@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + bool proc_context_corrupt, corrected, precise_pc, restartable_pc; + bool time_out, access_mode; + +- /* If the type is unknown, bail. */ +- if (type > CPER_ARM_MAX_TYPE) +- return; +- + /* + * Vendor type errors have error information values that are vendor + * specific. + */ +- if (type == CPER_ARM_VENDOR_ERROR) ++ if (type & CPER_ARM_VENDOR_ERROR) + return; + + if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) { +@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type, + if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) { + op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT) + & CPER_ARM_ERR_OPERATION_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) { + if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%scache error, operation type: %s\n", pfx, + arm_cache_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_TLB_ERROR: ++ } ++ if (type & CPER_ARM_TLB_ERROR) { + if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sTLB error, operation type: %s\n", pfx, + arm_tlb_err_op_strs[op_type]); + } +- break; +- case CPER_ARM_BUS_ERROR: ++ } ++ if (type & CPER_ARM_BUS_ERROR) { + if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) { +- printk("%soperation type: %s\n", pfx, ++ printk("%sbus error, operation type: %s\n", pfx, + arm_bus_err_op_strs[op_type]); + } +- break; + } + } + + if (error_info & CPER_ARM_ERR_VALID_LEVEL) { + level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT) + & CPER_ARM_ERR_LEVEL_MASK); +- switch (type) { +- case CPER_ARM_CACHE_ERROR: ++ if (type & CPER_ARM_CACHE_ERROR) + printk("%scache level: %d\n", pfx, level); +- break; +- case CPER_ARM_TLB_ERROR: ++ ++ if (type & CPER_ARM_TLB_ERROR) + printk("%sTLB level: %d\n", pfx, level); +- break; +- case CPER_ARM_BUS_ERROR: ++ ++ if (type & CPER_ARM_BUS_ERROR) + printk("%saffinity level at which the bus error occurred: %d\n", + pfx, level); +- break; +- } + } + + if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) { +@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx, + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; + char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1]; ++ char error_type[120]; + + printk("%sMIDR: 0x%016llx\n", pfx, proc->midr); + +@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx, + newpfx); + } + +- printk("%serror_type: %d, %s\n", newpfx, err_info->type, +- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ? +- cper_proc_error_type_strs[err_info->type] : "unknown"); ++ cper_bits_to_str(error_type, sizeof(error_type), ++ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type), ++ cper_proc_error_type_strs, ++ ARRAY_SIZE(cper_proc_error_type_strs)); ++ ++ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type, ++ error_type, ++ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : ""); ++ + if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) { + printk("%serror_info: 0x%016llx\n", newpfx, + err_info->error_info); +diff --git a/include/linux/cper.h b/include/linux/cper.h +index f792e4b3df907..ad1ed24730917 100644 +--- a/include/linux/cper.h ++++ b/include/linux/cper.h +@@ -270,11 +270,11 @@ enum { + #define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2) + #define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3) + +-#define CPER_ARM_CACHE_ERROR 0 +-#define CPER_ARM_TLB_ERROR 1 +-#define CPER_ARM_BUS_ERROR 2 +-#define CPER_ARM_VENDOR_ERROR 3 +-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR ++#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1) ++#define CPER_ARM_CACHE_ERROR BIT(1) ++#define CPER_ARM_TLB_ERROR BIT(2) ++#define CPER_ARM_BUS_ERROR BIT(3) ++#define CPER_ARM_VENDOR_ERROR BIT(4) + + #define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0) + #define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1) +-- +2.51.0 + diff --git a/queue-6.6/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch b/queue-6.6/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch new file mode 100644 index 0000000000..4cb9d37b72 --- /dev/null +++ b/queue-6.6/irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch @@ -0,0 +1,41 @@ +From dccede945f43dc08eb1598cb639def281cc6ac00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 09:54:16 +0300 +Subject: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() + +From: Dan Carpenter + +[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ] + +If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then +it results in an out of bounds access. + +The code checks for invalid values, but doesn't set the error code. Return +-EINVAL in that case, instead of returning success. + +Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Reviewed-by: Claudiu Beznea +Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mchp-eic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c +index 5dcd94c000a26..8a5baa0987a4b 100644 +--- a/drivers/irqchip/irq-mchp-eic.c ++++ b/drivers/irqchip/irq-mchp-eic.c +@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq, + + ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type); + if (ret || hwirq >= MCHP_EIC_NIRQ) +- return ret; ++ return ret ?: -EINVAL; + + switch (type) { + case IRQ_TYPE_EDGE_RISING: +-- +2.51.0 + diff --git a/queue-6.6/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch b/queue-6.6/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch new file mode 100644 index 0000000000..8f13826b58 --- /dev/null +++ b/queue-6.6/ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch @@ -0,0 +1,45 @@ +From b52c4db0dbd123bb94925f38930da8f5004ef872 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 09:51:59 +0300 +Subject: ocfs2: fix memory leak in ocfs2_merge_rec_left() + +From: Dmitry Antipov + +[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ] + +In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after +move, thus allowing 'ocfs2_free_path()' to free it before return. + +Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru +Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") +Signed-off-by: Dmitry Antipov +Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 +Reviewed-by: Heming Zhao +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index e6191249169e6..af40f0da3a95c 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -3647,7 +3647,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path, + * So we use the new rightmost path. + */ + ocfs2_mv_path(right_path, left_path); +- left_path = NULL; + } else + ocfs2_complete_edge_insert(handle, left_path, + right_path, subtree_index); +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index f4db078f82..a39c911039 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -286,3 +286,8 @@ arm-9464-1-fix-input-only-operand-modification-in-lo.patch block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch dm-raid-fix-possible-null-dereference-with-undefined.patch dm-log-writes-add-missing-set_freezable-for-freezabl.patch +efi-cper-add-a-new-helper-function-to-print-bitmasks.patch +efi-cper-adjust-infopfx-size-to-accept-an-extra-spac.patch +efi-cper-align-arm-cper-type-with-uefi-2.9a-2.10-spe.patch +irqchip-mchp-eic-fix-error-code-in-mchp_eic_domain_a.patch +ocfs2-fix-memory-leak-in-ocfs2_merge_rec_left.patch