From: Sasha Levin Date: Mon, 15 Dec 2025 00:32:22 +0000 (-0500) Subject: Fixes for all trees X-Git-Tag: v6.12.63~32 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdd38f628ddfc7600719b99231ea56eb633323ff;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/alsa-uapi-fix-typo-in-asound.h-comment.patch b/queue-5.10/alsa-uapi-fix-typo-in-asound.h-comment.patch
new file mode 100644
index 0000000000..adc0f7a451
--- /dev/null
+++ b/queue-5.10/alsa-uapi-fix-typo-in-asound.h-comment.patch
@@ -0,0 +1,36 @@
+From 4d3d484842d1ae4a0a7435bdc20b59a8bfe0e52a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 10:25:01 -0600
+Subject: ALSA: uapi: Fix typo in asound.h comment
+
+From: Andres J Rosa
+
+[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ]
+
+Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment.
+
+Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames")
+Signed-off-by: Andres J Rosa
+Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ include/uapi/sound/asound.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h
+index 535a7229e1d94..eef23c761ae82 100644
+--- a/include/uapi/sound/asound.h
++++ b/include/uapi/sound/asound.h
+@@ -74,7 +74,7 @@ struct snd_cea_861_aud_if {
+ unsigned char db2_sf_ss; /* sample frequency and size */
+ unsigned char db3; /* not used, all zeros */
+ unsigned char db4_ca; /* channel allocation code */
+- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */
++ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */
+ };
+
+ /****************************************************************************
+--
+2.51.0
+
diff --git a/queue-5.10/arm-9464-1-fix-input-only-operand-modification-in-lo.patch b/queue-5.10/arm-9464-1-fix-input-only-operand-modification-in-lo.patch
new file mode 100644
index 0000000000..bddfbd7e1d
--- /dev/null
+++ b/queue-5.10/arm-9464-1-fix-input-only-operand-modification-in-lo.patch
@@ -0,0 +1,67 @@
+From 8e405350c2fe3f454ddfedb0240e92dc7f4b2bbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Dec 2025 03:19:45 +0100
+Subject: ARM: 9464/1: fix input-only operand modification in
+ load_unaligned_zeropad()
+
+From: Liyuan Pang
+
+[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ]
+
+In the inline assembly inside load_unaligned_zeropad(), the "addr" is
+constrained as input-only operand. The compiler assumes that on exit
+from the asm statement these operands contain the same values as they
+had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior.
+
+Use a temporary variable "tmp" to handle it, instead of modifying the
+input-only operand, just like what arm64's load_unaligned_zeropad()
+does.
+
+Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs")
+Co-developed-by: Xie Yuanbin
+Signed-off-by: Xie Yuanbin
+Signed-off-by: Liyuan Pang
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Sasha Levin
+---
+ arch/arm/include/asm/word-at-a-time.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h
+index 352ab213520d2..2e6d0b4349f47 100644
+--- a/arch/arm/include/asm/word-at-a-time.h
++++ b/arch/arm/include/asm/word-at-a-time.h
+@@ -66,7 +66,7 @@ static inline unsigned long find_zero(unsigned long mask)
+ */
+ static inline unsigned long load_unaligned_zeropad(const void *addr)
+ {
+- unsigned long ret, offset;
++ unsigned long ret, tmp;
+
+ /* Load word from unaligned pointer addr */
+ asm(
+@@ -74,9 +74,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr)
+ "2:\n"
+ " .pushsection .text.fixup,\"ax\"\n"
+ " .align 2\n"
+- "3: and %1, %2, #0x3\n"
+- " bic %2, %2, #0x3\n"
+- " ldr %0, [%2]\n"
++ "3: bic %1, %2, #0x3\n"
++ " ldr %0, [%1]\n"
++ " and %1, %2, #0x3\n"
+ " lsl %1, %1, #0x3\n"
+ #ifndef __ARMEB__
+ " lsr %0, %0, %1\n"
+@@ -89,7 +89,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr)
+ " .align 3\n"
+ " .long 1b, 3b\n"
+ " .popsection"
+- : "=&r" (ret), "=&r" (offset)
++ : "=&r" (ret), "=&r" (tmp)
+ : "r" (addr), "Qo" (*(unsigned long *)addr));
+
+ return ret;
+--
+2.51.0
+
diff --git a/queue-5.10/asoc-ak4458-disable-regulator-when-error-happens.patch b/queue-5.10/asoc-ak4458-disable-regulator-when-error-happens.patch
new file mode 100644
index 0000000000..c341868c8e
--- /dev/null
+++ b/queue-5.10/asoc-ak4458-disable-regulator-when-error-happens.patch
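Review bot: The fixup block at label `3:` now depends on `%2` (addr) staying untouched and on `%1` being reused, first for the aligned address and then for the shift amount, but nothing in the asm says so. A short comment above the asm statement would keep a later edit from reintroducing a write to the input operand, e.g. `/* fixup: %1 is scratch (aligned address, then bit offset); %2 (addr) is input-only and must not be written */`. The body of load_unaligned_zeropad() starts and ends outside the three hunks, so the faulting load at label 1 is not visible here.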
@@ -0,0 +1,45 @@
+From e8e7365644e1a87c7a310136ca4c7f4ad2cf97cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 18:05:28 +0800
+Subject: ASoC: ak4458: Disable regulator when error happens
+
+From: Shengjiu Wang
+
+[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ]
+
+Disable regulator in runtime resume when error happens to balance
+the reference count of regulator.
+
+Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/ak4458.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c
+index 85a1d00894a9c..af4873c97d3aa 100644
+--- a/sound/soc/codecs/ak4458.c
++++ b/sound/soc/codecs/ak4458.c
+@@ -683,7 +683,15 @@ static int __maybe_unused ak4458_runtime_resume(struct device *dev)
+ regcache_cache_only(ak4458->regmap, false);
+ regcache_mark_dirty(ak4458->regmap);
+
+- return regcache_sync(ak4458->regmap);
++ ret = regcache_sync(ak4458->regmap);
++ if (ret)
++ goto err;
++
++ return 0;
++err:
++ regcache_cache_only(ak4458->regmap, true);
++ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies);
++ return ret;
+ }
+ #endif /* CONFIG_PM */
+
+--
+2.51.0
+
diff --git a/queue-5.10/asoc-ak5558-disable-regulator-when-error-happens.patch b/queue-5.10/asoc-ak5558-disable-regulator-when-error-happens.patch
new file mode 100644
index 0000000000..e3d96955a9
--- /dev/null
+++ b/queue-5.10/asoc-ak5558-disable-regulator-when-error-happens.patch
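Review bot: The new `err:` path in ak4458_runtime_resume() reverts only the regulator enable and the cache-only state; anything else the function did before the first context line (it begins outside the hunk), such as driving reset or mute lines if it does so, is not visibly undone, so confirm the error path leaves the codec in the state runtime suspend would. `ret` is assigned here with no declaration added, so the 5.10 version of the function must already declare it. The failure is also silent; a `dev_err(dev, "regcache_sync failed: %d\n", ret);` before the cleanup would make a failed resume diagnosable. The same points apply to the identical change to ak5558_runtime_resume() in asoc-ak5558-disable-regulator-when-error-happens.patch.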
@@ -0,0 +1,45 @@
+From 0508e0be7e8c7a32d82e69cb417c8f37ee7b85e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 18:05:29 +0800
+Subject: ASoC: ak5558: Disable regulator when error happens
+
+From: Shengjiu Wang
+
+[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ]
+
+Disable regulator in runtime resume when error happens to balance
+the reference count of regulator.
+
+Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/ak5558.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c
+index adbdfdbc7a38b..60ca51845d3e5 100644
+--- a/sound/soc/codecs/ak5558.c
++++ b/sound/soc/codecs/ak5558.c
+@@ -330,7 +330,15 @@ static int __maybe_unused ak5558_runtime_resume(struct device *dev)
+ regcache_cache_only(ak5558->regmap, false);
+ regcache_mark_dirty(ak5558->regmap);
+
+- return regcache_sync(ak5558->regmap);
++ ret = regcache_sync(ak5558->regmap);
++ if (ret)
++ goto err;
++
++ return 0;
++err:
++ regcache_cache_only(ak5558->regmap, true);
++ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies);
++ return ret;
+ }
+
+ static const struct dev_pm_ops ak5558_pm = {
+--
+2.51.0
+
diff --git a/queue-5.10/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch b/queue-5.10/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch
new file mode 100644
index 0000000000..96e6cdb3b1
--- /dev/null
+++ b/queue-5.10/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch
@@ -0,0 +1,44 @@
+From e07ead38c8b3621ab2b79d8d779c20b53bebff41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 18:16:42 +0800
+Subject: ASoC: bcm: bcm63xx-pcm-whistler: Check return value of
+ of_dma_configure()
+
+From: Haotian Zhang
+
+[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ]
+
+bcm63xx_soc_pcm_new() does not check the return value of
+of_dma_configure(), which may fail with -EPROBE_DEFER or
+other errors, allowing PCM setup to continue with incomplete
+DMA configuration.
+
+Add error checking for of_dma_configure() and return on failure.
+
+Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver")
+Signed-off-by: Haotian Zhang
+Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c
+index 7ec8559d53a2f..9bca508cd844b 100644
+--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c
++++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c
+@@ -390,7 +390,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component,
+
+ i2s_priv = dev_get_drvdata(asoc_rtd_to_cpu(rtd, 0)->dev);
+
+- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
++ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
++ if (ret)
++ return ret;
+
+ ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32));
+ if (ret)
+--
+2.51.0
+
diff --git a/queue-5.10/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch b/queue-5.10/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch
new file mode 100644
index 0000000000..81a66acc88
--- /dev/null
+++ b/queue-5.10/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch
@@ -0,0 +1,73 @@
+From 341ec077ffc894d81ec5c6dc414ace697ade7b68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 11:34:21 +0800
+Subject: blk-mq: Abort suspend when wakeup events are pending
+
+From: Cong Zhang
+
+[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ]
+
+During system suspend, wakeup capable IRQs for block device can be
+delayed, which can cause blk_mq_hctx_notify_offline() to hang
+indefinitely while waiting for pending request to complete.
+Skip the request waiting loop and abort suspend when wakeup events are
+pending to prevent the deadlock.
+
+Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
+Signed-off-by: Cong Zhang
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-mq.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 21531aa163cb4..a720097460676 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -23,6 +23,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -2548,6 +2549,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+ {
+ struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node,
+ struct blk_mq_hw_ctx, cpuhp_online);
++ int ret = 0;
+
+ if (!cpumask_test_cpu(cpu, hctx->cpumask) ||
+ !blk_mq_last_cpu_in_hctx(cpu, hctx))
+@@ -2569,12 +2571,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+ * frozen and there are no requests.
+ */
+ if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) {
+- while (blk_mq_hctx_has_requests(hctx))
++ while (blk_mq_hctx_has_requests(hctx)) {
++ /*
++ * The wakeup capable IRQ handler of block device is
++ * not called during suspend. Skip the loop by checking
++ * pm_wakeup_pending to prevent the deadlock and improve
++ * suspend latency.
++ */
++ if (pm_wakeup_pending()) {
++ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state);
++ ret = -EBUSY;
++ break;
++ }
+ msleep(5);
++ }
+ percpu_ref_put(&hctx->queue->q_usage_counter);
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int blk_mq_hctx_notify_online(unsigned int cpu, struct hlist_node *node)
+--
+2.51.0
+
diff --git a/queue-5.10/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch b/queue-5.10/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch
new file mode 100644
index 0000000000..69a256ef56
--- /dev/null
+++ b/queue-5.10/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch
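Review bot: blk_mq_hctx_notify_offline() used to return 0 unconditionally and can now fail the CPU offline with `-EBUSY`, and the `clear_bit(BLK_MQ_S_INACTIVE, &hctx->state)` that goes with it has no comment saying that it reverts a marking presumably made earlier in the function, outside the hunk. Since this callback presumably runs for every CPU offline and not only during suspend, the comment should also say why `pm_wakeup_pending()` is a safe abort condition there. I would add above the clear_bit something like `/* offline is being aborted: undo the INACTIVE marking before returning -EBUSY */` and mention the new return value in the function's header comment. The added `#include` lost its header name in this rendering, so which header supplies pm_wakeup_pending() cannot be checked from the page.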
@@ -0,0 +1,44 @@
+From debfa944e0d34e8cbda2faaf153ddbe743e5c8c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 23:17:49 +0800
+Subject: block: fix comment for op_is_zone_mgmt() to include RESET_ALL
+
+From: shechenglong
+
+[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ]
+
+REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt()
+has returned true for it.
+
+Update the comment to remove the misleading exception note so
+the documentation matches the implementation.
+
+Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL")
+Signed-off-by: shechenglong
+Reviewed-by: Damien Le Moal
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ include/linux/blk_types.h | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
+index 40839ae52f61e..11c03df4709f4 100644
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -487,10 +487,7 @@ static inline bool op_is_discard(unsigned int op)
+ }
+
+ /*
+- * Check if a bio or request operation is a zone management operation, with
+- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case
+- * due to its different handling in the block layer and device response in
+- * case of command failure.
++ * Check if a bio or request operation is a zone management operation.
+ */
+ static inline bool op_is_zone_mgmt(enum req_opf op)
+ {
+--
+2.51.0
+
diff --git a/queue-5.10/dm-log-writes-add-missing-set_freezable-for-freezabl.patch b/queue-5.10/dm-log-writes-add-missing-set_freezable-for-freezabl.patch
new file mode 100644
index 0000000000..f02ec8bdf7
--- /dev/null
+++ b/queue-5.10/dm-log-writes-add-missing-set_freezable-for-freezabl.patch
@@ -0,0 +1,40 @@
+From 69eca3b8c4d71d3e6357ff9aecccaac8733a499a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 15:41:03 +0800
+Subject: dm log-writes: Add missing set_freezable() for freezable kthread
+
+From: Haotian Zhang
+
+[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ]
+
+The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(),
+rendering the freeze attempt ineffective since kernel threads are
+non-freezable by default. This prevents proper thread suspension during
+system suspend/hibernate.
+
+Add set_freezable() to explicitly mark the thread as freezable.
+
+Fixes: 0e9cebe72459 ("dm: add log writes target")
+Signed-off-by: Haotian Zhang
+Reviewed-by: Benjamin Marzinski
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-log-writes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c
+index e3d35c6c9f714..ec194ed87d624 100644
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -454,6 +454,7 @@ static int log_writes_kthread(void *arg)
+ struct log_writes_c *lc = (struct log_writes_c *)arg;
+ sector_t sector = 0;
+
++ set_freezable();
+ while (!kthread_should_stop()) {
+ bool super = false;
+ bool logging_enabled;
+--
+2.51.0
+
diff --git a/queue-5.10/dm-raid-fix-possible-null-dereference-with-undefined.patch b/queue-5.10/dm-raid-fix-possible-null-dereference-with-undefined.patch
new file mode 100644
index 0000000000..127b4bc8d0
--- /dev/null
+++ b/queue-5.10/dm-raid-fix-possible-null-dereference-with-undefined.patch
@@ -0,0 +1,42 @@
+From 94c4cfd11efc65ce9b9c38da5bee0e40ab8ce3ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 20:18:38 +0300
+Subject: dm-raid: fix possible NULL dereference with undefined raid type
+
+From: Alexey Simakov
+
+[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ]
+
+rs->raid_type is assigned from get_raid_type_by_ll(), which may return
+NULL. This NULL value could be dereferenced later in the condition
+'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'.
+
+Add a fail-fast check to return early with an error if raid_type is NULL,
+similar to other uses of this function.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping")
+Signed-off-by: Alexey Simakov
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-raid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index 3c0960f294fb5..aa70f668b5cca 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2259,6 +2259,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev)
+
+ mddev->reshape_position = le64_to_cpu(sb->reshape_position);
+ rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout);
++ if (!rs->raid_type)
++ return -EINVAL;
+ }
+
+ } else {
+--
+2.51.0
+
diff --git a/queue-5.10/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch b/queue-5.10/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch
new file mode 100644
index 0000000000..19763294c7
--- /dev/null
+++ b/queue-5.10/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch
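Review bot: The new `if (!rs->raid_type) return -EINVAL;` in super_init_validation() rejects the set without saying why, although the level and layout it failed to map appear to be taken from the on-disk superblock (`sb`) handled just above. A diagnostic naming the offending values would help tell a corrupted or crafted superblock from a driver problem, e.g. `DMERR("unknown raid type for level %d, layout %d", mddev->level, mddev->layout);` before the return. The commit message says other call sites already handle NULL; whether they log is not visible in this hunk, and the function extends beyond it on both sides.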
@@ -0,0 +1,40 @@
+From 157e76f74baa5b2e6ed3839812ec161c239d0019 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 09:28:10 -0600
+Subject: dma/pool: eliminate alloc_pages warning in atomic_pool_expand
+
+From: Dave Kleikamp
+
+[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ]
+
+atomic_pool_expand iteratively tries the allocation while decrementing
+the page order. There is no need to issue a warning if an attempted
+allocation fails.
+
+Signed-off-by: Dave Kleikamp
+Reviewed-by: Robin Murphy
+Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone")
+[mszyprow: fixed typo]
+Signed-off-by: Marek Szyprowski
+Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com
+Signed-off-by: Sasha Levin
+---
+ kernel/dma/pool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c
+index 8396a2c5fb9a5..32efef1660096 100644
+--- a/kernel/dma/pool.c
++++ b/kernel/dma/pool.c
+@@ -96,7 +96,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size,
+ page = dma_alloc_from_contiguous(NULL, 1 << order,
+ order, false);
+ if (!page)
+- page = alloc_pages(gfp, order);
++ page = alloc_pages(gfp | __GFP_NOWARN, order);
+ } while (!page && order-- > 0);
+ if (!page)
+ goto out;
+--
+2.51.0
+
diff --git a/queue-5.10/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch b/queue-5.10/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch
new file mode 100644
index 0000000000..40d58233d6
--- /dev/null
+++ b/queue-5.10/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch
@@ -0,0 +1,64 @@
+From a57cec50b442e73340372064b04edad65d9dd13c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Nov 2025 12:15:35 +0100
+Subject: fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf
+
+[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ]
+
+After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"),
+the return values of utf8_to_utf32() and utf32_to_utf8() are
+inconsistent when encountering an error: utf8_to_utf32() returns -1,
+while utf32_to_utf8() returns errno codes. Fix this inconsistency
+by modifying utf8_to_utf32() to return errno codes as well.
+
+Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion")
+Suggested-by: Andy Shevchenko
+Reviewed-by: Andy Shevchenko
+Signed-off-by: Armin Wolf
+Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Sasha Levin
+---
+ fs/nls/nls_base.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
+index 7eacded3c17d1..f072eb6b563f6 100644
+--- a/fs/nls/nls_base.c
++++ b/fs/nls/nls_base.c
+@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu)
+ l &= t->lmask;
+ if (l < t->lval || l > UNICODE_MAX ||
+ (l & SURROGATE_MASK) == SURROGATE_PAIR)
+- return -1;
++ return -EILSEQ;
++
+ *pu = (unicode_t) l;
+ return nc;
+ }
+ if (inlen <= nc)
+- return -1;
++ return -EOVERFLOW;
++
+ s++;
+ c = (*s ^ 0x80) & 0xFF;
+ if (c & 0xC0)
+- return -1;
++ return -EILSEQ;
++
+ l = (l << 6) | c;
+ }
+- return -1;
++ return -EILSEQ;
+ }
+ EXPORT_SYMBOL(utf8_to_utf32);
+
+--
+2.51.0
+
diff --git a/queue-5.10/fs-nls-fix-utf16-to-utf8-conversion.patch b/queue-5.10/fs-nls-fix-utf16-to-utf8-conversion.patch
new file mode 100644
index 0000000000..25730ccd05
--- /dev/null
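Review bot: utf8_to_utf32() now returns `-EILSEQ` or `-EOVERFLOW` where it returned `-1`, so any caller in the 5.10 tree that tests the result with `== -1` would stop recognising a failure and treat a negative value as a length; none of the callers are in this hunk, so they need a grep before this is applied. The same holds for utf32_to_utf8() in fs-nls-fix-utf16-to-utf8-conversion.patch, where only the utf16s_to_utf8s() caller is converted to `size < 0`. Neither function gets a comment documenting the new contract; something like `/* Returns the number of bytes consumed, -EILSEQ for a malformed sequence, -EOVERFLOW if the input ends mid-sequence */` above utf8_to_utf32() would do. Note that `-EOVERFLOW` here means truncated input, while in utf32_to_utf8() it means the output buffer is too small.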
+++ b/queue-5.10/fs-nls-fix-utf16-to-utf8-conversion.patch 
@@ -0,0 +1,81 @@
+From 094a5cb39d493b35738332565b2329e7693624f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Nov 2025 14:11:22 +0100
+Subject: fs/nls: Fix utf16 to utf8 conversion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf
+
+[ Upstream commit 25524b6190295577e4918c689644451365e6466d ]
+
+Currently the function responsible for converting between utf16 and
+utf8 strings will ignore any characters that cannot be converted. This
+however also includes multi-byte characters that do not fit into the
+provided string buffer.
+
+This can cause problems if such a multi-byte character is followed by
+a single-byte character. In such a case the multi-byte character might
+be ignored when the provided string buffer is too small, but the
+single-byte character might fit and is thus still copied into the
+resulting string.
+
+Fix this by stop filling the provided string buffer once a character
+does not fit. In order to be able to do this extend utf32_to_utf8()
+to return useful errno codes instead of -1.
+
+Fixes: 74675a58507e ("NLS: update handling of Unicode")
+Signed-off-by: Armin Wolf
+Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Sasha Levin
+---
+ fs/nls/nls_base.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
+index a026dbd3593f6..7eacded3c17d1 100644
+--- a/fs/nls/nls_base.c
++++ b/fs/nls/nls_base.c
+@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
+
+ l = u;
+ if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR)
+- return -1;
++ return -EILSEQ;
+
+ nc = 0;
+ for (t = utf8_table; t->cmask && maxout; t++, maxout--) {
+@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
+ return nc;
+ }
+ }
+- return -1;
++ return -EOVERFLOW;
+ }
+ EXPORT_SYMBOL(utf32_to_utf8);
+
+@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian,
+ inlen--;
+ }
+ size = utf32_to_utf8(u, op, maxout);
+- if (size == -1) {
+- /* Ignore character and move on */
++ if (size < 0) {
++ if (size == -EILSEQ) {
++ /* Ignore character and move on */
++ continue;
++ }
++ /*
++ * Stop filling the buffer with data once a character
++ * does not fit anymore.
++ */
++ break;
+ } else {
+ op += size;
+ maxout -= size;
+--
+2.51.0
+
diff --git a/queue-5.10/fs_context-drop-the-unused-lsm_flags-member.patch b/queue-5.10/fs_context-drop-the-unused-lsm_flags-member.patch
new file mode 100644
index 0000000000..e4f399b8c5
--- /dev/null
+++ b/queue-5.10/fs_context-drop-the-unused-lsm_flags-member.patch
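Review bot: In utf16s_to_utf8s() the new `break` stops the conversion when a character does not fit, but as far as this hunk shows the caller gets no signal that the output was cut short; the return statement is outside the hunk, so check whether a truncated result can be told apart from a complete one. Code that compares or looks up the converted string would otherwise operate on a prefix without knowing it. Stylistically, both paths through `if (size < 0)` leave the block via `continue` or `break`, so the following `else` is redundant and `op += size; maxout -= size;` could sit at the outer level.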
@@ -0,0 +1,79 @@
+From 1d0407ee9bb049f9a54ba287a7dc21f16bb58965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 14:07:51 +0100
+Subject: fs_context: drop the unused lsm_flags member
+
+From: Ondrej Mosnacek
+
+[ Upstream commit 4e04143c869c5b6d499fbd5083caa860d5c942c3 ]
+
+This isn't ever used by VFS now, and it couldn't even work. Any FS that
+uses the SECURITY_LSM_NATIVE_LABELS flag needs to also process the
+value returned back from the LSM, so it needs to do its
+security_sb_set_mnt_opts() call on its own anyway.
+
+Signed-off-by: Ondrej Mosnacek
+Signed-off-by: Christian Brauner (Microsoft)
+Stable-dep-of: 8675c69816e4 ("NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags")
+Signed-off-by: Sasha Levin
+---
+ Documentation/filesystems/mount_api.rst | 1 -
+ fs/nfs/super.c | 3 ---
+ include/linux/fs_context.h | 1 -
+ include/linux/security.h | 2 +-
+ 4 files changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/Documentation/filesystems/mount_api.rst b/Documentation/filesystems/mount_api.rst
+index 8fb03f57546d1..a38cc2be8d998 100644
+--- a/Documentation/filesystems/mount_api.rst
++++ b/Documentation/filesystems/mount_api.rst
+@@ -79,7 +79,6 @@ context. This is represented by the fs_context structure::
+ unsigned int sb_flags;
+ unsigned int sb_flags_mask;
+ unsigned int s_iflags;
+- unsigned int lsm_flags;
+ enum fs_context_purpose purpose:8;
+ ...
+ };
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 2d2238548a6e5..45b4240fdc081 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1259,9 +1259,6 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS)
+ fc->sb_flags |= SB_SYNCHRONOUS;
+
+- if (server->caps & NFS_CAP_SECURITY_LABEL)
+- fc->lsm_flags |= SECURITY_LSM_NATIVE_LABELS;
+-
+ /* Get a superblock - note that we may end up sharing one that already exists */
+ fc->s_fs_info = server;
+ s = sget_fc(fc, compare_super, nfs_set_super);
+diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h
+index 40dd74bdd9fbd..9229ac6a53260 100644
+--- a/include/linux/fs_context.h
++++ b/include/linux/fs_context.h
+@@ -104,7 +104,6 @@ struct fs_context {
+ unsigned int sb_flags; /* Proposed superblock flags (SB_*) */
+ unsigned int sb_flags_mask; /* Superblock flags that were changed */
+ unsigned int s_iflags; /* OR'd with sb->s_iflags */
+- unsigned int lsm_flags; /* Information flags from the fs to the LSM */
+ enum fs_context_purpose purpose:8;
+ enum fs_context_phase phase:8; /* The phase the context is in */
+ bool need_free:1; /* Need to call ops->free() */
+diff --git a/include/linux/security.h b/include/linux/security.h
+index e32e040f094c2..c75dd495be77c 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -68,7 +68,7 @@ struct watch_notification;
+ /* If capable is being called by a setid function */
+ #define CAP_OPT_INSETID BIT(2)
+
+-/* LSM Agnostic defines for fs_context::lsm_flags */
++/* LSM Agnostic defines for security_sb_set_mnt_opts() flags */
+ #define SECURITY_LSM_NATIVE_LABELS 1
+
+ struct ctl_table;
+--
+2.51.0
+
diff --git a/queue-5.10/nfs-automounted-filesystems-should-inherit-ro-noexec.patch b/queue-5.10/nfs-automounted-filesystems-should-inherit-ro-noexec.patch
new file mode 100644
index 0000000000..2fba3b80a4
--- /dev/null
+++ b/queue-5.10/nfs-automounted-filesystems-should-inherit-ro-noexec.patch
@@ -0,0 +1,65 @@
+From f66bbc265e8427973a131f422f858ada0ee3f1c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 14:22:44 -0500
+Subject: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync
+ flags
+
+From: Trond Myklebust
+
+[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ]
+
+When a filesystem is being automounted, it needs to preserve the
+user-set superblock mount options, such as the "ro" flag.
+
+Reported-by: Li Lingfeng
+Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
+Fixes: f2aedb713c28 ("NFS: Add fs_context support.")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/namespace.c | 6 ++++++
+ fs/nfs/super.c | 4 ----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
+index 1f03445b5cb43..d205598cdc457 100644
+--- a/fs/nfs/namespace.c
++++ b/fs/nfs/namespace.c
+@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
+ struct vfsmount *mnt = ERR_PTR(-ENOMEM);
+ struct nfs_server *server = NFS_SB(path->dentry->d_sb);
+ struct nfs_client *client = server->nfs_client;
++ unsigned long s_flags = path->dentry->d_sb->s_flags;
+ int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout);
+ int ret;
+
+@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path)
+ fc->net_ns = get_net(client->cl_net);
+ }
+
++ /* Inherit the flags covered by NFS_SB_MASK */
++ fc->sb_flags_mask |= NFS_SB_MASK;
++ fc->sb_flags &= ~NFS_SB_MASK;
++ fc->sb_flags |= s_flags & NFS_SB_MASK;
++
+ /* for submounts we want the same server; referrals will reassign */
+ memcpy(&ctx->nfs_server.address, &client->cl_addr, client->cl_addrlen);
+ ctx->nfs_server.addrlen = client->cl_addrlen;
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 45b4240fdc081..b99f40e6b951b 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1255,10 +1255,6 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (server->flags & NFS_MOUNT_NOAC)
+ fc->sb_flags |= SB_SYNCHRONOUS;
+
+- if (ctx->clone_data.sb)
+- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS)
+- fc->sb_flags |= SB_SYNCHRONOUS;
+-
+ /* Get a superblock - note that we may end up sharing one that already exists */
+ fc->s_fs_info = server;
+ s = sget_fc(fc, compare_super, nfs_set_super);
+--
+2.51.0
+
diff --git a/queue-5.10/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch b/queue-5.10/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch
new file mode 100644
index 0000000000..e1e623c4c7
--- /dev/null
+++ b/queue-5.10/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch
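Review bot: The super.c hunk deletes the explicit inheritance of `SB_SYNCHRONOUS` from `ctx->clone_data.sb`, so submounts keep the sync flag only if `NFS_SB_MASK` contains it; the mask's definition is not part of this diff and should be checked in the 5.10 tree, together with the ro, noexec and nodev bits the subject line promises. In nfs_d_automount() `s_flags` is sampled once at declaration with a plain load, so a remount of the parent racing with the automount can hand the child stale flags; `READ_ONCE(path->dentry->d_sb->s_flags)` would at least make the single sample explicit. The comment `/* Inherit the flags covered by NFS_SB_MASK */` would be more useful if it said that the parent's values override anything already set in `fc->sb_flags`. Both functions extend beyond the hunks shown.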
@@ -0,0 +1,97 @@ +From 4e7a3469506bb05e00920968de00c409cd90c119 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 15:28:17 -0500 +Subject: NFS: Avoid changing nlink when file removes and attribute updates + race + +From: Trond Myklebust + +[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ] + +If a file removal races with another operation that updates its +attributes, then skip the change to nlink, and just mark the attributes +as being stale. + +Reported-by: Aiden Lambert +Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 6dc3dcf23550d..847627a69a417 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1499,13 +1499,15 @@ static int nfs_dentry_delete(const struct dentry *dentry) + } + + /* Ensure that we revalidate inode->i_nlink */ +-static void nfs_drop_nlink(struct inode *inode) ++static void nfs_drop_nlink(struct inode *inode, unsigned long gencount) + { ++ struct nfs_inode *nfsi = NFS_I(inode); ++ + spin_lock(&inode->i_lock); + /* drop the inode if we're reasonably sure this is the last link */ +- if (inode->i_nlink > 0) ++ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount) + drop_nlink(inode); +- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter(); ++ nfsi->attr_gencount = nfs_inc_attr_generation_counter(); + nfs_set_cache_invalid( + inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME | + NFS_INO_INVALID_OTHER | NFS_INO_REVAL_FORCED); +@@ -1523,8 +1525,9 @@ static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode) + nfs_set_cache_invalid(inode, NFS_INO_INVALID_DATA); + + if (dentry->d_flags & DCACHE_NFSFS_RENAMED) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); + nfs_complete_unlink(dentry, inode); +- nfs_drop_nlink(inode); ++ 
nfs_drop_nlink(inode, gencount); + } + iput(inode); + } +@@ -2064,9 +2067,11 @@ static int nfs_safe_remove(struct dentry *dentry) + + trace_nfs_remove_enter(dir, dentry); + if (inode != NULL) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); ++ + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == 0) +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, gencount); + } else + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == -ENOENT) +@@ -2257,6 +2262,7 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + { + struct inode *old_inode = d_inode(old_dentry); + struct inode *new_inode = d_inode(new_dentry); ++ unsigned long new_gencount = 0; + struct dentry *dentry = NULL; + struct rpc_task *task; + bool must_unblock = false; +@@ -2314,6 +2320,7 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + } else { + new_dentry->d_fsdata = NFS_FSDATA_BLOCKED; + must_unblock = true; ++ new_gencount = NFS_I(new_inode)->attr_gencount; + spin_unlock(&new_dentry->d_lock); + } + +@@ -2350,7 +2357,7 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + new_dir, new_dentry, error); + if (!error) { + if (new_inode != NULL) +- nfs_drop_nlink(new_inode); ++ nfs_drop_nlink(new_inode, new_gencount); + /* + * The d_move() should be here instead of in an async RPC completion + * handler because we need the proper locks to move the dentry. If +-- +2.51.0 + diff --git a/queue-5.10/nfs-clean-up-function-nfs_mark_dir_for_revalidate.patch b/queue-5.10/nfs-clean-up-function-nfs_mark_dir_for_revalidate.patch new file mode 100644 index 0000000000..b3c46ab01e --- /dev/null +++ b/queue-5.10/nfs-clean-up-function-nfs_mark_dir_for_revalidate.patch 
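Review bot: In nfs_rename() the generation snapshot is a plain load, `new_gencount = NFS_I(new_inode)->attr_gencount;`, while the two other call sites added by this patch (nfs_dentry_iput() and nfs_safe_remove()) use READ_ONCE(). The load sits under new_dentry->d_lock, but nfs_drop_nlink() updates attr_gencount under inode->i_lock, so d_lock does not appear to order it. I would write `new_gencount = READ_ONCE(NFS_I(new_inode)->attr_gencount);` to match. The comment above nfs_drop_nlink() could also explain the new parameter, e.g. `/* @gencount: attr_gencount sampled before the RPC; if it has changed, attributes were updated meanwhile, so only invalidate */`. nfs_rename() starts and ends outside the hunks shown.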
@@ -0,0 +1,65 @@ +From eee1a384ca250867105e4631a4475af1e9eb3cf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 14:42:53 -0500 +Subject: NFS: Clean up function nfs_mark_dir_for_revalidate() + +From: Trond Myklebust + +[ Upstream commit fd6d3feed041e96b84680d0bfc1e7abc8f65de92 ] + +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Stable-dep-of: bd4928ec799b ("NFS: Avoid changing nlink when file removes and attribute updates race") +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 4 +--- + fs/nfs/inode.c | 2 +- + fs/nfs/internal.h | 3 ++- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 935029632d5f6..e38ebe8bfb169 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1203,10 +1203,8 @@ int nfs_lookup_verify_inode(struct inode *inode, unsigned int flags) + + static void nfs_mark_dir_for_revalidate(struct inode *inode) + { +- struct nfs_inode *nfsi = NFS_I(inode); +- + spin_lock(&inode->i_lock); +- nfsi->cache_validity |= NFS_INO_REVAL_PAGECACHE; ++ nfs_set_cache_invalid(inode, NFS_INO_REVAL_PAGECACHE); + spin_unlock(&inode->i_lock); + } + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 3e3114a9d1937..e04739bf59261 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -207,7 +207,7 @@ static bool nfs_has_xattr_cache(const struct nfs_inode *nfsi) + } + #endif + +-static void nfs_set_cache_invalid(struct inode *inode, unsigned long flags) ++void nfs_set_cache_invalid(struct inode *inode, unsigned long flags) + { + struct nfs_inode *nfsi = NFS_I(inode); + bool have_delegation = NFS_PROTO(inode)->have_delegation(inode, FMODE_READ); +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 838f3a3744851..10759e1b89fb2 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -424,7 +424,8 @@ extern int nfs_write_inode(struct inode *, struct writeback_control *); + extern int nfs_drop_inode(struct inode *); + extern void nfs_clear_inode(struct inode *); + extern void 
nfs_evict_inode(struct inode *); +-void nfs_zap_acl_cache(struct inode *inode); ++extern void nfs_zap_acl_cache(struct inode *inode); ++extern void nfs_set_cache_invalid(struct inode *inode, unsigned long flags); + extern bool nfs_check_cache_invalid(struct inode *, unsigned long); + extern int nfs_wait_bit_killable(struct wait_bit_key *key, int mode); + extern int nfs_wait_atomic_killable(atomic_t *p, unsigned int mode); +-- +2.51.0 + diff --git a/queue-5.10/nfs-don-t-unhash-dentry-during-unlink-rename.patch b/queue-5.10/nfs-don-t-unhash-dentry-during-unlink-rename.patch new file mode 100644 index 0000000000..2c83712c33 --- /dev/null +++ b/queue-5.10/nfs-don-t-unhash-dentry-during-unlink-rename.patch 
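Review bot: nfs_set_cache_invalid() becomes callable from other files here, but neither the definition in inode.c nor the new declaration in internal.h states its locking contract. The one caller touched by this patch, nfs_mark_dir_for_revalidate(), holds inode->i_lock around the call. If that lock is required (the helper's body is mostly outside the hunk), say so at the declaration: `/* Caller must hold inode->i_lock */`. A `lockdep_assert_held(&inode->i_lock);` at the top of the helper would enforce the rule for future callers.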
@@ -0,0 +1,236 @@ +From 663686afcfb80678d56c7d60e094e419fd9da606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 10:33:34 +1000 +Subject: NFS: don't unhash dentry during unlink/rename + +From: NeilBrown + +[ Upstream commit 3c59366c207e4c6c6569524af606baf017a55c61 ] + +NFS unlink() (and rename over existing target) must determine if the +file is open, and must perform a "silly rename" instead of an unlink (or +before rename) if it is. Otherwise the client might hold a file open +which has been removed on the server. + +Consequently if it determines that the file isn't open, it must block +any subsequent opens until the unlink/rename has been completed on the +server. + +This is currently achieved by unhashing the dentry. This forces any +open attempt to the slow-path for lookup which will block on i_rwsem on +the directory until the unlink/rename completes. A future patch will +change the VFS to only get a shared lock on i_rwsem for unlink, so this +will no longer work. + +Instead we introduce an explicit interlock. A special value is stored +in dentry->d_fsdata while the unlink/rename is running and +->d_revalidate blocks while that value is present. When ->d_revalidate +unblocks, the dentry will be invalid. This closes the race +without requiring exclusion on i_rwsem. + +d_fsdata is already used in two different ways. +1/ an IS_ROOT directory dentry might have a "devname" stored in + d_fsdata. Such a dentry doesn't have a name and so cannot be the + target of unlink or rename. For safety we check if an old devname + is still stored, and remove it if it is. +2/ a dentry with DCACHE_NFSFS_RENAMED set will have a 'struct + nfs_unlinkdata' stored in d_fsdata. While this is set maydelete() + will fail, so an unlink or rename will never proceed on such + a dentry. + +Neither of these can be in effect when a dentry is the target of unlink +or rename. 
So we can expect d_fsdata to be NULL, and store a special +value ((void*)1) which is given the name NFS_FSDATA_BLOCKED to indicate +that any lookup will be blocked. + +The d_count() is incremented under d_lock() when a lookup finds the +dentry, so we check d_count() is low, and set NFS_FSDATA_BLOCKED under +the same lock to avoid any races. + +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Stable-dep-of: bd4928ec799b ("NFS: Avoid changing nlink when file removes and attribute updates race") +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 72 +++++++++++++++++++++++++++++++----------- + include/linux/nfs_fs.h | 9 ++++++ + 2 files changed, 63 insertions(+), 18 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 442e9835d5a3f..6dc3dcf23550d 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1411,6 +1411,8 @@ __nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags, + int ret; + + if (flags & LOOKUP_RCU) { ++ if (dentry->d_fsdata == NFS_FSDATA_BLOCKED) ++ return -ECHILD; + parent = READ_ONCE(dentry->d_parent); + dir = d_inode_rcu(parent); + if (!dir) +@@ -1419,6 +1421,9 @@ __nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags, + if (parent != READ_ONCE(dentry->d_parent)) + return -ECHILD; + } else { ++ /* Wait for unlink to complete */ ++ wait_var_event(&dentry->d_fsdata, ++ dentry->d_fsdata != NFS_FSDATA_BLOCKED); + parent = dget_parent(dentry); + ret = reval(d_inode(parent), dentry, flags); + dput(parent); +@@ -2079,7 +2084,6 @@ static int nfs_safe_remove(struct dentry *dentry) + int nfs_unlink(struct inode *dir, struct dentry *dentry) + { + int error; +- int need_rehash = 0; + + dfprintk(VFS, "NFS: unlink(%s/%lu, %pd)\n", dir->i_sb->s_id, + dir->i_ino, dentry); +@@ -2093,15 +2097,25 @@ int nfs_unlink(struct inode *dir, struct dentry *dentry) + error = nfs_sillyrename(dir, dentry); + goto out; + } +- if (!d_unhashed(dentry)) { +- __d_drop(dentry); +- need_rehash = 1; +- } ++ /* We must prevent any concurrent open until 
the unlink ++ * completes. ->d_revalidate will wait for ->d_fsdata ++ * to clear. We set it here to ensure no lookup succeeds until ++ * the unlink is complete on the server. ++ */ ++ error = -ETXTBSY; ++ if (WARN_ON(dentry->d_flags & DCACHE_NFSFS_RENAMED) || ++ WARN_ON(dentry->d_fsdata == NFS_FSDATA_BLOCKED)) ++ goto out; ++ if (dentry->d_fsdata) ++ /* old devname */ ++ kfree(dentry->d_fsdata); ++ dentry->d_fsdata = NFS_FSDATA_BLOCKED; ++ + spin_unlock(&dentry->d_lock); + error = nfs_safe_remove(dentry); + nfs_dentry_remove_handle_error(dir, dentry, error); +- if (need_rehash) +- d_rehash(dentry); ++ dentry->d_fsdata = NULL; ++ wake_up_var(&dentry->d_fsdata); + out: + trace_nfs_unlink_exit(dir, dentry, error); + return error; +@@ -2204,6 +2218,15 @@ nfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry) + } + EXPORT_SYMBOL_GPL(nfs_link); + ++static void ++nfs_unblock_rename(struct rpc_task *task, struct nfs_renamedata *data) ++{ ++ struct dentry *new_dentry = data->new_dentry; ++ ++ new_dentry->d_fsdata = NULL; ++ wake_up_var(&new_dentry->d_fsdata); ++} ++ + /* + * RENAME + * FIXME: Some nfsds, like the Linux user space nfsd, may generate a +@@ -2234,8 +2257,9 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + { + struct inode *old_inode = d_inode(old_dentry); + struct inode *new_inode = d_inode(new_dentry); +- struct dentry *dentry = NULL, *rehash = NULL; ++ struct dentry *dentry = NULL; + struct rpc_task *task; ++ bool must_unblock = false; + int error = -EBUSY; + + if (flags) +@@ -2253,18 +2277,27 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + * the new target. + */ + if (new_inode && !S_ISDIR(new_inode->i_mode)) { +- /* +- * To prevent any new references to the target during the +- * rename, we unhash the dentry in advance. ++ /* We must prevent any concurrent open until the unlink ++ * completes. ->d_revalidate will wait for ->d_fsdata ++ * to clear. 
We set it here to ensure no lookup succeeds until ++ * the unlink is complete on the server. + */ +- if (!d_unhashed(new_dentry)) { +- d_drop(new_dentry); +- rehash = new_dentry; ++ error = -ETXTBSY; ++ if (WARN_ON(new_dentry->d_flags & DCACHE_NFSFS_RENAMED) || ++ WARN_ON(new_dentry->d_fsdata == NFS_FSDATA_BLOCKED)) ++ goto out; ++ if (new_dentry->d_fsdata) { ++ /* old devname */ ++ kfree(new_dentry->d_fsdata); ++ new_dentry->d_fsdata = NULL; + } + ++ spin_lock(&new_dentry->d_lock); + if (d_count(new_dentry) > 2) { + int err; + ++ spin_unlock(&new_dentry->d_lock); ++ + /* copy the target dentry's name */ + dentry = d_alloc(new_dentry->d_parent, + &new_dentry->d_name); +@@ -2277,14 +2310,19 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + goto out; + + new_dentry = dentry; +- rehash = NULL; + new_inode = NULL; ++ } else { ++ new_dentry->d_fsdata = NFS_FSDATA_BLOCKED; ++ must_unblock = true; ++ spin_unlock(&new_dentry->d_lock); + } ++ + } + + if (S_ISREG(old_inode->i_mode)) + nfs_sync_inode(old_inode); +- task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, NULL); ++ task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, ++ must_unblock ? nfs_unblock_rename : NULL); + if (IS_ERR(task)) { + error = PTR_ERR(task); + goto out; +@@ -2308,8 +2346,6 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + spin_unlock(&old_inode->i_lock); + } + out: +- if (rehash) +- d_rehash(rehash); + trace_nfs_rename_exit(old_dir, old_dentry, + new_dir, new_dentry, error); + if (!error) { +diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h +index 7488864589a7a..8d4f019b7af8e 100644 +--- a/include/linux/nfs_fs.h ++++ b/include/linux/nfs_fs.h +@@ -591,6 +591,15 @@ nfs_fileid_to_ino_t(u64 fileid) + + #define NFS_JUKEBOX_RETRY_TIME (5 * HZ) + ++/* We need to block new opens while a file is being unlinked. ++ * If it is opened *before* we decide to unlink, we will silly-rename ++ * instead. 
If it is opened *after*, then we need to create or will fail. ++ * If we allow the two to race, we could end up with a file that is open ++ * but deleted on the server resulting in ESTALE. ++ * So use ->d_fsdata to record when the unlink is happening ++ * and block dentry revalidation while it is set. ++ */ ++#define NFS_FSDATA_BLOCKED ((void*)1) + + # undef ifdebug + # ifdef NFS_DEBUG +-- +2.51.0 + diff --git a/queue-5.10/nfs-fix-open-coded-versions-of-nfs_set_cache_invalid.patch b/queue-5.10/nfs-fix-open-coded-versions-of-nfs_set_cache_invalid.patch new file mode 100644 index 0000000000..08cb791c27 --- /dev/null +++ b/queue-5.10/nfs-fix-open-coded-versions-of-nfs_set_cache_invalid.patch 
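Review bot: In nfs_unlink() the new `goto out` on the WARN_ON() path appears to leave dentry->d_lock held. The `spin_unlock(&dentry->d_lock)` that ends the critical section comes after this block, and the `out:` label only traces and returns, so a later lock attempt on this dentry would spin forever. The branch should release the lock first, `{ spin_unlock(&dentry->d_lock); goto out; }`; the lock acquisition itself is outside the hunk, so confirm against the full function. In nfs_rename() the equivalent d_fsdata checks and the kfree() of an old devname run before `spin_lock(&new_dentry->d_lock)`, unlike in nfs_unlink() where they sit inside the locked region, so one of the two placements is presumably unintended. Both functions start outside the hunks.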
@@ -0,0 +1,136 @@ +From fedd2ec71fa8f3e2bab445332ffb8231b7aa30bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 14:42:54 -0500 +Subject: NFS: Fix open coded versions of nfs_set_cache_invalid() + +From: Trond Myklebust + +[ Upstream commit ac46b3d768e4c2754f7b191b81e1bea582e11907 ] + +nfs_set_cache_invalid() has code to handle delegations, and other +optimisations, so let's use it when appropriate. + +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Stable-dep-of: bd4928ec799b ("NFS: Avoid changing nlink when file removes and attribute updates race") +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 20 ++++++++++---------- + fs/nfs/inode.c | 4 ++-- + fs/nfs/unlink.c | 6 +++--- + fs/nfs/write.c | 8 ++++---- + 4 files changed, 19 insertions(+), 19 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index e38ebe8bfb169..62a614f4a64b5 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -82,8 +82,9 @@ static struct nfs_open_dir_context *alloc_nfs_open_dir_context(struct inode *dir + spin_lock(&dir->i_lock); + if (list_empty(&nfsi->open_files) && + (nfsi->cache_validity & NFS_INO_DATA_INVAL_DEFER)) +- nfsi->cache_validity |= NFS_INO_INVALID_DATA | +- NFS_INO_REVAL_FORCED; ++ nfs_set_cache_invalid(dir, ++ NFS_INO_INVALID_DATA | ++ NFS_INO_REVAL_FORCED); + list_add(&ctx->list, &nfsi->open_files); + spin_unlock(&dir->i_lock); + return ctx; +@@ -1500,10 +1501,9 @@ static void nfs_drop_nlink(struct inode *inode) + if (inode->i_nlink > 0) + drop_nlink(inode); + NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter(); +- NFS_I(inode)->cache_validity |= NFS_INO_INVALID_CHANGE +- | NFS_INO_INVALID_CTIME +- | NFS_INO_INVALID_OTHER +- | NFS_INO_REVAL_FORCED; ++ nfs_set_cache_invalid( ++ inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME | ++ NFS_INO_INVALID_OTHER | NFS_INO_REVAL_FORCED); + spin_unlock(&inode->i_lock); + } + +@@ -1515,7 +1515,7 @@ static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode) + { + if 
(S_ISDIR(inode->i_mode)) + /* drop any readdir cache as it could easily be old */ +- NFS_I(inode)->cache_validity |= NFS_INO_INVALID_DATA; ++ nfs_set_cache_invalid(inode, NFS_INO_INVALID_DATA); + + if (dentry->d_flags & DCACHE_NFSFS_RENAMED) { + nfs_complete_unlink(dentry, inode); +@@ -2290,9 +2290,9 @@ int nfs_rename(struct inode *old_dir, struct dentry *old_dentry, + if (error == 0) { + spin_lock(&old_inode->i_lock); + NFS_I(old_inode)->attr_gencount = nfs_inc_attr_generation_counter(); +- NFS_I(old_inode)->cache_validity |= NFS_INO_INVALID_CHANGE +- | NFS_INO_INVALID_CTIME +- | NFS_INO_REVAL_FORCED; ++ nfs_set_cache_invalid(old_inode, NFS_INO_INVALID_CHANGE | ++ NFS_INO_INVALID_CTIME | ++ NFS_INO_REVAL_FORCED); + spin_unlock(&old_inode->i_lock); + } + out: +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index e04739bf59261..6b800df1df29e 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1065,8 +1065,8 @@ void nfs_inode_attach_open_context(struct nfs_open_context *ctx) + spin_lock(&inode->i_lock); + if (list_empty(&nfsi->open_files) && + (nfsi->cache_validity & NFS_INO_DATA_INVAL_DEFER)) +- nfsi->cache_validity |= NFS_INO_INVALID_DATA | +- NFS_INO_REVAL_FORCED; ++ nfs_set_cache_invalid(inode, NFS_INO_INVALID_DATA | ++ NFS_INO_REVAL_FORCED); + list_add_tail_rcu(&ctx->list, &nfsi->open_files); + spin_unlock(&inode->i_lock); + } +diff --git a/fs/nfs/unlink.c b/fs/nfs/unlink.c +index b27ebdccef703..5fa11e1aca4c2 100644 +--- a/fs/nfs/unlink.c ++++ b/fs/nfs/unlink.c +@@ -500,9 +500,9 @@ nfs_sillyrename(struct inode *dir, struct dentry *dentry) + nfs_set_verifier(dentry, nfs_save_change_attribute(dir)); + spin_lock(&inode->i_lock); + NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter(); +- NFS_I(inode)->cache_validity |= NFS_INO_INVALID_CHANGE +- | NFS_INO_INVALID_CTIME +- | NFS_INO_REVAL_FORCED; ++ nfs_set_cache_invalid(inode, NFS_INO_INVALID_CHANGE | ++ NFS_INO_INVALID_CTIME | ++ NFS_INO_REVAL_FORCED); + spin_unlock(&inode->i_lock); + d_move(dentry, 
sdentry); + break; +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 0b05a40a21f3d..a95a747fbc8df 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -260,9 +260,9 @@ static void nfs_set_pageerror(struct address_space *mapping) + nfs_zap_mapping(mapping->host, mapping); + /* Force file size revalidation */ + spin_lock(&inode->i_lock); +- NFS_I(inode)->cache_validity |= NFS_INO_REVAL_FORCED | +- NFS_INO_REVAL_PAGECACHE | +- NFS_INO_INVALID_SIZE; ++ nfs_set_cache_invalid(inode, NFS_INO_REVAL_FORCED | ++ NFS_INO_REVAL_PAGECACHE | ++ NFS_INO_INVALID_SIZE); + spin_unlock(&inode->i_lock); + } + +@@ -1614,7 +1614,7 @@ static int nfs_writeback_done(struct rpc_task *task, + /* Deal with the suid/sgid bit corner case */ + if (nfs_should_remove_suid(inode)) { + spin_lock(&inode->i_lock); +- NFS_I(inode)->cache_validity |= NFS_INO_INVALID_OTHER; ++ nfs_set_cache_invalid(inode, NFS_INO_INVALID_OTHER); + spin_unlock(&inode->i_lock); + } + return 0; +-- +2.51.0 + diff --git a/queue-5.10/nfs-label-the-dentry-with-a-verifier-in-nfs_rmdir-an.patch b/queue-5.10/nfs-label-the-dentry-with-a-verifier-in-nfs_rmdir-an.patch new file mode 100644 index 0000000000..71bbdb89b7 --- /dev/null +++ b/queue-5.10/nfs-label-the-dentry-with-a-verifier-in-nfs_rmdir-an.patch 
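Review bot: The conversion in nfs_dentry_iput() calls `nfs_set_cache_invalid(inode, NFS_INO_INVALID_DATA)` with no inode->i_lock taken in the lines shown, whereas every other site converted by this patch sits between spin_lock(&inode->i_lock) and spin_unlock(&inode->i_lock). The open-coded `|=` it replaces was unlocked too, so this is not a new race, but the helper does more than one store: per the commit message it also handles delegations. I would either wrap the call, `spin_lock(&inode->i_lock); nfs_set_cache_invalid(inode, NFS_INO_INVALID_DATA); spin_unlock(&inode->i_lock);`, or add a comment stating why the unlocked call is safe at this point. nfs_dentry_iput() continues outside the hunk.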
@@ -0,0 +1,71 @@ +From ccc75c11cfeca08594f5fc6637c4faeef35055a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 21:43:09 -0400 +Subject: NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink() + +From: Trond Myklebust + +[ Upstream commit 9019fb391de02cbff422090768b73afe9f6174df ] + +After the success of an operation such as rmdir() or unlink(), we expect +to add the dentry back to the dcache as an ordinary negative dentry. +However in NFS, unless it is labelled with the appropriate verifier for +the parent directory state, then nfs_lookup_revalidate will end up +discarding that dentry and forcing a new lookup. + +The fix is to ensure that we relabel the dentry appropriately on +success. + +Signed-off-by: Trond Myklebust +Stable-dep-of: bd4928ec799b ("NFS: Avoid changing nlink when file removes and attribute updates race") +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 62a614f4a64b5..442e9835d5a3f 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1995,6 +1995,18 @@ static void nfs_dentry_handle_enoent(struct dentry *dentry) + d_delete(dentry); + } + ++static void nfs_dentry_remove_handle_error(struct inode *dir, ++ struct dentry *dentry, int error) ++{ ++ switch (error) { ++ case -ENOENT: ++ d_delete(dentry); ++ fallthrough; ++ case 0: ++ nfs_set_verifier(dentry, nfs_save_change_attribute(dir)); ++ } ++} ++ + int nfs_rmdir(struct inode *dir, struct dentry *dentry) + { + int error; +@@ -2017,6 +2029,7 @@ int nfs_rmdir(struct inode *dir, struct dentry *dentry) + up_write(&NFS_I(d_inode(dentry))->rmdir_sem); + } else + error = NFS_PROTO(dir)->rmdir(dir, &dentry->d_name); ++ nfs_dentry_remove_handle_error(dir, dentry, error); + trace_nfs_rmdir_exit(dir, dentry, error); + + return error; +@@ -2086,9 +2099,8 @@ int nfs_unlink(struct inode *dir, struct dentry *dentry) + } + spin_unlock(&dentry->d_lock); + error = 
nfs_safe_remove(dentry); +- if (!error || error == -ENOENT) { +- nfs_set_verifier(dentry, nfs_save_change_attribute(dir)); +- } else if (need_rehash) ++ nfs_dentry_remove_handle_error(dir, dentry, error); ++ if (need_rehash) + d_rehash(dentry); + out: + trace_nfs_unlink_exit(dir, dentry, error); +-- +2.51.0 + diff --git a/queue-5.10/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch b/queue-5.10/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch new file mode 100644 index 0000000000..0329db8119 --- /dev/null +++ b/queue-5.10/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch 
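Review bot: nfs_dentry_remove_handle_error() calls d_delete() on -ENOENT, but nfs_unlink() reaches it after nfs_safe_remove(), and nfs_rmdir() after its own removal path. If either already handles -ENOENT through nfs_dentry_handle_enoent(), whose tail (shown as context above the new helper) ends in d_delete(), the dentry is deleted twice. Those bodies are outside the hunk, so this needs checking against the tree; if confirmed, the `case -ENOENT:` arm should only fall through to nfs_set_verifier(). The switch also has no default arm; `default: break;` would make it explicit that other errors leave the dentry untouched.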
@@ -0,0 +1,43 @@ +From 48d2ac42f63275a059465e67d9e733cde0cd2baf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 18:02:42 +0000 +Subject: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in + pnfs_mark_layout_stateid_invalid + +From: Jonathan Curley + +[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ] + +Fixes a crash when layout is null during this call stack: + +write_inode + -> nfs4_write_inode + -> pnfs_layoutcommit_inode + +pnfs_set_layoutcommit relies on the lseg refcount to keep the layout +around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt +to reference a null layout. + +Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid") +Signed-off-by: Jonathan Curley +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index e14cf7140bab4..c5dd301c43d7b 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -465,6 +465,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo, + struct pnfs_layout_segment *lseg, *next; + + set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags); ++ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags); + list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) + pnfs_clear_lseg_state(lseg, lseg_list); + pnfs_clear_layoutreturn_info(lo); +-- +2.51.0 + diff --git a/queue-5.10/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch b/queue-5.10/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch new file mode 100644 index 0000000000..e0f7d38ad6 --- /dev/null +++ b/queue-5.10/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch 
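Review bot: The added `clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);` carries no comment, and its reason is not obvious from pnfs_mark_layout_stateid_invalid() itself. Per the commit message, a later pnfs_layoutcommit_inode() would otherwise run against a null layout. I would add above it `/* segments are being dropped; a pending LAYOUTCOMMIT would find no layout */`. Clearing the bit presumably also discards a layoutcommit that was still owed to the server; whether that state is recovered elsewhere is not visible here and is worth a sentence in the comment. The function body extends outside the hunk.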
@@ -0,0 +1,78 @@ +From 89bb192b5885bb50a9121ada25601118ca89a37c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 11:13:08 +0100 +Subject: platform/x86: asus-wmi: use brightness_set_blocking() for kbd led +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anton Khirnov + +[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ] + +kbd_led_set() can sleep, and so may not be used as the brightness_set() +callback. + +Otherwise using this led with a trigger leads to system hangs +accompanied by: +BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003 +CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1 +Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024 +Call Trace: + + [...] + schedule_timeout+0xbd/0x100 + __down_common+0x175/0x290 + down_timeout+0x67/0x70 + acpi_os_wait_semaphore+0x57/0x90 + [...] + asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi] + led_trigger_event+0x3f/0x60 + [...] 
+ +Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process") +Signed-off-by: Anton Khirnov +Reviewed-by: Andy Shevchenko +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 265232d1b9a86..4f56f853b756b 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -721,14 +721,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value) + kbd_led_update(asus); + } + +-static void kbd_led_set(struct led_classdev *led_cdev, +- enum led_brightness value) ++static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value) + { + /* Prevent disabling keyboard backlight on module unregister */ + if (led_cdev->flags & LED_UNREGISTERING) +- return; ++ return 0; + + do_kbd_led_set(led_cdev, value); ++ return 0; + } + + static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value) +@@ -865,7 +865,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus) + asus->kbd_led_wk = led_val; + asus->kbd_led.name = "asus::kbd_backlight"; + asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED; +- asus->kbd_led.brightness_set = kbd_led_set; ++ asus->kbd_led.brightness_set_blocking = kbd_led_set; + asus->kbd_led.brightness_get = kbd_led_get; + asus->kbd_led.max_brightness = 3; + +-- +2.51.0 + diff --git a/queue-5.10/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch b/queue-5.10/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch new file mode 100644 index 0000000000..c75d0aba60 --- /dev/null +++ b/queue-5.10/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch 
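Review bot: kbd_led_set() now has the int return type that brightness_set_blocking expects, but both of its return statements are `return 0;`, so a failed firmware call is reported to the LED core as success. do_kbd_led_set() is void in the hunk context, so propagating an error means changing it (and presumably kbd_led_update(), not shown) to return int and ending with `return do_kbd_led_set(led_cdev, value);`. If swallowing the error is intentional, a one-line comment saying so would keep the next reader from assuming the result is meaningful.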
@@ -0,0 +1,51 @@ +From cceef88a371ef667292af0dccd6f534399e008c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 19:39:34 +0000 +Subject: regulator: fixed: Rely on the core freeing the enable GPIO + +From: Mark Brown + +[ Upstream commit 79a45ddcdbba330f5139c7c7ff7042d69cf147b2 ] + +In order to simplify ownership rules for enable GPIOs supplied by drivers +regulator_register() always takes ownership of them, even if it ends up +failing for some other reason. We therefore should not free the GPIO if +registration fails but just let the core worry about things. + +Fixes: 636f4618b1cd (regulator: fixed: fix GPIO descriptor leak on register failure) +Reported-by: Diederik de Haas +Closes: https://lore.kernel.org/r/DEPEYUF5BRGY.UKFBWRRE8HNP@cknow-tech.com +Tested-by: Diederik de Haas +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20251204-regulator-fixed-fix-gpiod-leak-v1-1-48efea5b82c2@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index 1503a5ea0cc89..acd9a75b76253 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -237,13 +237,10 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + + drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc, + &cfg); +- if (IS_ERR(drvdata->dev)) { +- ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), +- "Failed to register regulator: %ld\n", +- PTR_ERR(drvdata->dev)); +- gpiod_put(cfg.ena_gpiod); +- return ret; +- } ++ if (IS_ERR(drvdata->dev)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), ++ "Failed to register regulator: %ld\n", ++ PTR_ERR(drvdata->dev)); + + platform_set_drvdata(pdev, drvdata); + +-- +2.51.0 + 
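Review bot: With the gpiod_put() removed, nothing in the error branch records that cfg.ena_gpiod is already owned by the regulator core, which is the assumption the earlier fix got wrong. Without a comment the put is likely to be re-added and become a double release of the descriptor. I would add above the check `/* regulator_register() takes ownership of cfg.ena_gpiod even on failure; do not gpiod_put() it here */`. The message also formats PTR_ERR(drvdata->dev) with `%ld` while passing the same value as the error argument of dev_err_probe(), which as far as I know already prints the error, so the extra argument looks redundant. reg_fixed_voltage_probe() starts and ends outside the hunk.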
diff --git a/queue-5.10/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-5.10/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch new file mode 100644 index 0000000000..48b1219791 --- /dev/null +++ b/queue-5.10/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch @@ -0,0 +1,48 @@ +From a70f53a7cb1e33c613f0c1cfa08d87ef0982928c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:38 -0500 +Subject: Revert "nfs: clear SB_RDONLY before getting superblock" + +From: Trond Myklebust + +[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ] + +This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 27923c2b36f77..2d2238548a6e5 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1248,17 +1248,8 @@ int nfs_get_tree_common(struct fs_context *fc) + if (IS_ERR(server)) + return PTR_ERR(server); + +- /* +- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a +- * superblock among each filesystem that mounts sub-directories +- * belonging to a single exported root path. +- * To prevent interference between different filesystems, the +- * SB_RDONLY flag should be removed from the superblock. +- */ + if (server->flags & NFS_MOUNT_UNSHARED) + compare_super = NULL; +- else +- fc->sb_flags &= ~SB_RDONLY; + + /* -o noac implies -o sync */ + if (server->flags & NFS_MOUNT_NOAC) +-- +2.51.0 + diff --git a/queue-5.10/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch b/queue-5.10/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch new file mode 100644 index 0000000000..3d21830c2f --- /dev/null 
+++ b/queue-5.10/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch @@ -0,0 +1,39 @@ +From 798f777e39ebb349e9ad33bdc4129878140b225d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:45 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when mounting nfs" + +From: Trond Myklebust + +[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ] + +This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 10759e1b89fb2..fd15280e827a0 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -11,7 +11,7 @@ + #include + #include + +-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) ++#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) + + extern const struct export_operations nfs_export_ops; + +-- +2.51.0 + diff --git a/queue-5.10/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-5.10/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch new file mode 100644 index 0000000000..517e3004bc --- /dev/null +++ b/queue-5.10/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch 
@@ -0,0 +1,47 @@ +From 270d486aaf336ba7a4d29b6c9622966b0d6b81ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:07 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when remounting nfs" + +From: Trond Myklebust + +[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ] + +This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 7c58a1688f7f7..27923c2b36f77 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1000,16 +1000,6 @@ int nfs_reconfigure(struct fs_context *fc) + + sync_filesystem(sb); + +- /* +- * The SB_RDONLY flag has been removed from the superblock during +- * mounts to prevent interference between different filesystems. +- * Similarly, it is also necessary to ignore the SB_RDONLY flag +- * during reconfiguration; otherwise, it may also result in the +- * creation of redundant superblocks when mounting a directory with +- * different rw and ro flags multiple times. +- */ +- fc->sb_flags_mask &= ~SB_RDONLY; +- + /* + * Userspace mount programs that send binary options generally send + * them populated with default values. We have no way to know which +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 09d31314bf..f286c190dc 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -117,3 +117,28 @@ perf-tools-fix-split-kallsyms-dso-counting.patch pinctrl-single-fix-pin_config_bias_disable-handling.patch pinctrl-single-fix-incorrect-type-for-error-return-v.patch fbdev-ssd1307fb-fix-potential-page-leak-in-ssd1307fb.patch +nfs-clean-up-function-nfs_mark_dir_for_revalidate.patch +nfs-fix-open-coded-versions-of-nfs_set_cache_invalid.patch +nfs-label-the-dentry-with-a-verifier-in-nfs_rmdir-an.patch +nfs-don-t-unhash-dentry-during-unlink-rename.patch +nfs-avoid-changing-nlink-when-file-removes-and-attri.patch +fs-nls-fix-utf16-to-utf8-conversion.patch +nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch +revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch +revert-nfs-clear-sb_rdonly-before-getting-superblock.patch +revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch +fs_context-drop-the-unused-lsm_flags-member.patch +nfs-automounted-filesystems-should-inherit-ro-noexec.patch +fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch +platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch +asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch +asoc-ak4458-disable-regulator-when-error-happens.patch +asoc-ak5558-disable-regulator-when-error-happens.patch +blk-mq-abort-suspend-when-wakeup-events-are-pending.patch +block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch +regulator-fixed-rely-on-the-core-freeing-the-enable-.patch +dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch +alsa-uapi-fix-typo-in-asound.h-comment.patch +arm-9464-1-fix-input-only-operand-modification-in-lo.patch +dm-raid-fix-possible-null-dereference-with-undefined.patch +dm-log-writes-add-missing-set_freezable-for-freezabl.patch diff --git a/queue-5.15/alsa-uapi-fix-typo-in-asound.h-comment.patch b/queue-5.15/alsa-uapi-fix-typo-in-asound.h-comment.patch new file mode 100644 index 0000000000..d91798d4e0 --- /dev/null +++ b/queue-5.15/alsa-uapi-fix-typo-in-asound.h-comment.patch 
@@ -0,0 +1,36 @@ +From dab068fc75f2c1a69541151760a41d8506244531 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 10:25:01 -0600 +Subject: ALSA: uapi: Fix typo in asound.h comment + +From: Andres J Rosa + +[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ] + +Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment. + +Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames") +Signed-off-by: Andres J Rosa +Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/uapi/sound/asound.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h +index 93e40f91bd49a..6b9d4e0befa9d 100644 +--- a/include/uapi/sound/asound.h ++++ b/include/uapi/sound/asound.h +@@ -76,7 +76,7 @@ struct snd_cea_861_aud_if { + unsigned char db2_sf_ss; /* sample frequency and size */ + unsigned char db3; /* not used, all zeros */ + unsigned char db4_ca; /* channel allocation code */ +- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */ ++ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */ + }; + + /**************************************************************************** +-- +2.51.0 + diff --git a/queue-5.15/arm-9464-1-fix-input-only-operand-modification-in-lo.patch b/queue-5.15/arm-9464-1-fix-input-only-operand-modification-in-lo.patch new file mode 100644 index 0000000000..8235c643d1 --- /dev/null +++ b/queue-5.15/arm-9464-1-fix-input-only-operand-modification-in-lo.patch 
@@ -0,0 +1,67 @@ +From b4b60248b47801763ba1dca71cde34c9aaeab579 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 03:19:45 +0100 +Subject: ARM: 9464/1: fix input-only operand modification in + load_unaligned_zeropad() + +From: Liyuan Pang + +[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ] + +In the inline assembly inside load_unaligned_zeropad(), the "addr" is +constrained as input-only operand. The compiler assumes that on exit +from the asm statement these operands contain the same values as they +had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior. + +Use a temporary variable "tmp" to handle it, instead of modifying the +input-only operand, just like what arm64's load_unaligned_zeropad() +does. + +Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs") +Co-developed-by: Xie Yuanbin +Signed-off-by: Xie Yuanbin +Signed-off-by: Liyuan Pang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/word-at-a-time.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h +index 352ab213520d2..2e6d0b4349f47 100644 +--- a/arch/arm/include/asm/word-at-a-time.h ++++ b/arch/arm/include/asm/word-at-a-time.h +@@ -66,7 +66,7 @@ static inline unsigned long find_zero(unsigned long mask) + */ + static inline unsigned long load_unaligned_zeropad(const void *addr) + { +- unsigned long ret, offset; ++ unsigned long ret, tmp; + + /* Load word from unaligned pointer addr */ + asm( +@@ -74,9 +74,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + "2:\n" + " .pushsection .text.fixup,\"ax\"\n" + " .align 2\n" +- "3: and %1, %2, #0x3\n" +- " bic %2, %2, #0x3\n" +- " ldr %0, [%2]\n" ++ "3: bic %1, %2, #0x3\n" ++ " ldr %0, 
[%1]\n" ++ " and %1, %2, #0x3\n" + " lsl %1, %1, #0x3\n" + #ifndef __ARMEB__ + " lsr %0, %0, %1\n" +@@ -89,7 +89,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + " .align 3\n" + " .long 1b, 3b\n" + " .popsection" +- : "=&r" (ret), "=&r" (offset) ++ : "=&r" (ret), "=&r" (tmp) + : "r" (addr), "Qo" (*(unsigned long *)addr)); + + return ret; +-- +2.51.0 + diff --git a/queue-5.15/asoc-ak4458-disable-regulator-when-error-happens.patch b/queue-5.15/asoc-ak4458-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..299aa01a8a --- /dev/null +++ b/queue-5.15/asoc-ak4458-disable-regulator-when-error-happens.patch 
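Review bot: In load_unaligned_zeropad()'s fixup path the renamed scratch operand `tmp` now carries two different values in turn, first the word-aligned address used by the `ldr` and then the byte offset that feeds the `lsl`/`lsr`, and nothing in the code says so. A one-line comment at the declaration, e.g. `/* tmp: aligned address for the reload, then byte offset scaled to a bit shift */`, would keep a later edit from reordering the `bic`/`and` pair. It is also worth noting next to the constraint list that `addr` is an input-only operand and must not be written by the fixup code, since that is the rule the old sequence broke. The head of the function and the big-endian branch of the shift are outside the hunks shown.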
@@ -0,0 +1,45 @@ +From 93c72d09078366d760691a05e33974599fb77560 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 18:05:28 +0800 +Subject: ASoC: ak4458: Disable regulator when error happens + +From: Shengjiu Wang + +[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ] + +Disable regulator in runtime resume when error happens to balance +the reference count of regulator. + +Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak4458.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c +index 29eb78702bf35..1c179df6f0926 100644 +--- a/sound/soc/codecs/ak4458.c ++++ b/sound/soc/codecs/ak4458.c +@@ -709,7 +709,15 @@ static int __maybe_unused ak4458_runtime_resume(struct device *dev) + regcache_cache_only(ak4458->regmap, false); + regcache_mark_dirty(ak4458->regmap); + +- return regcache_sync(ak4458->regmap); ++ ret = regcache_sync(ak4458->regmap); ++ if (ret) ++ goto err; ++ ++ return 0; ++err: ++ regcache_cache_only(ak4458->regmap, true); ++ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies); ++ return ret; + } + #endif /* CONFIG_PM */ + +-- +2.51.0 + diff --git a/queue-5.15/asoc-ak5558-disable-regulator-when-error-happens.patch b/queue-5.15/asoc-ak5558-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..b6d42648df --- /dev/null +++ b/queue-5.15/asoc-ak5558-disable-regulator-when-error-happens.patch 
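Review bot: The `err:` path added to ak4458_runtime_resume() restores cache-only mode and drops the regulators, but the failure is returned silently, so a codec that fails to resync leaves no trace in the log. A `dev_err(dev, "regcache sync failed: %d\n", ret);` before the `goto err;` would make a failed resume diagnosable. The start of the function is outside the hunk; if it also releases a reset or mute line before this point, that state probably needs restoring on the error path as well. The same applies to ak5558_runtime_resume() in the next patch of this queue.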
@@ -0,0 +1,45 @@ +From e09e8613b43c6e6da1b149c7095820925e4b0268 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 18:05:29 +0800 +Subject: ASoC: ak5558: Disable regulator when error happens + +From: Shengjiu Wang + +[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ] + +Disable regulator in runtime resume when error happens to balance +the reference count of regulator. + +Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak5558.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c +index 37d4600b6f2c2..ba32cef2bf8ad 100644 +--- a/sound/soc/codecs/ak5558.c ++++ b/sound/soc/codecs/ak5558.c +@@ -372,7 +372,15 @@ static int __maybe_unused ak5558_runtime_resume(struct device *dev) + regcache_cache_only(ak5558->regmap, false); + regcache_mark_dirty(ak5558->regmap); + +- return regcache_sync(ak5558->regmap); ++ ret = regcache_sync(ak5558->regmap); ++ if (ret) ++ goto err; ++ ++ return 0; ++err: ++ regcache_cache_only(ak5558->regmap, true); ++ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies); ++ return ret; + } + + static const struct dev_pm_ops ak5558_pm = { +-- +2.51.0 + diff --git a/queue-5.15/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch b/queue-5.15/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch new file mode 100644 index 0000000000..2d31ccb925 --- /dev/null +++ b/queue-5.15/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch 
@@ -0,0 +1,44 @@ +From a54f36974641b8f05aec2be6133b12a46dec2bcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 18:16:42 +0800 +Subject: ASoC: bcm: bcm63xx-pcm-whistler: Check return value of + of_dma_configure() + +From: Haotian Zhang + +[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ] + +bcm63xx_soc_pcm_new() does not check the return value of +of_dma_configure(), which may fail with -EPROBE_DEFER or +other errors, allowing PCM setup to continue with incomplete +DMA configuration. + +Add error checking for of_dma_configure() and return on failure. + +Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c +index b5096f64c576e..456aacc59e507 100644 +--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c ++++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c +@@ -353,7 +353,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component, + + i2s_priv = dev_get_drvdata(asoc_rtd_to_cpu(rtd, 0)->dev); + +- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1); ++ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1); ++ if (ret) ++ return ret; + + ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32)); + if (ret) +-- +2.51.0 + diff --git a/queue-5.15/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch b/queue-5.15/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch new file mode 100644 index 0000000000..47f35ff0ad --- /dev/null +++ b/queue-5.15/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch 
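Review bot: In bcm63xx_soc_pcm_new() the third argument of `of_dma_configure()` is still the literal `1`, although the parameter is a `bool force_dma`. Since the line is being rewritten anyway, `ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, true);` states the intent. The early return sits after the `i2s_priv` lookup and, as far as the hunk shows, before anything is allocated, so no unwinding appears to be needed; the rest of the function is outside the hunk.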
@@ -0,0 +1,73 @@ +From ecca0e33e22ef650cbde13f95a17116ed0c546e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 11:34:21 +0800 +Subject: blk-mq: Abort suspend when wakeup events are pending + +From: Cong Zhang + +[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ] + +During system suspend, wakeup capable IRQs for block device can be +delayed, which can cause blk_mq_hctx_notify_offline() to hang +indefinitely while waiting for pending request to complete. +Skip the request waiting loop and abort suspend when wakeup events are +pending to prevent the deadlock. + +Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline") +Signed-off-by: Cong Zhang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 46cb802cfcf05..48827708200b3 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2585,6 +2586,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + { + struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node, + struct blk_mq_hw_ctx, cpuhp_online); ++ int ret = 0; + + if (!cpumask_test_cpu(cpu, hctx->cpumask) || + !blk_mq_last_cpu_in_hctx(cpu, hctx)) +@@ -2606,12 +2608,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + * frozen and there are no requests. + */ + if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) { +- while (blk_mq_hctx_has_requests(hctx)) ++ while (blk_mq_hctx_has_requests(hctx)) { ++ /* ++ * The wakeup capable IRQ handler of block device is ++ * not called during suspend. Skip the loop by checking ++ * pm_wakeup_pending to prevent the deadlock and improve ++ * suspend latency. 
++ */ ++ if (pm_wakeup_pending()) { ++ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state); ++ ret = -EBUSY; ++ break; ++ } + msleep(5); ++ } + percpu_ref_put(&hctx->queue->q_usage_counter); + } + +- return 0; ++ return ret; + } + + static int blk_mq_hctx_notify_online(unsigned int cpu, struct hlist_node *node) +-- +2.51.0 + diff --git a/queue-5.15/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch b/queue-5.15/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch new file mode 100644 index 0000000000..e6e5113f2a --- /dev/null +++ b/queue-5.15/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch 
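Review bot: The new comment in blk_mq_hctx_notify_offline() explains why the wait loop is left, but not why `BLK_MQ_S_INACTIVE` is cleared before `-EBUSY` is returned. Presumably the bit was set earlier in this function (outside the hunk) and has to be undone because the CPU stays online when the callback fails; a line such as `/* offline is being aborted: let the hctx accept requests again */` above the `clear_bit()` would record that. It is also worth confirming that `pm_wakeup_pending()` can only be true here during a suspend transition, because otherwise an ordinary CPU-offline request would start failing with `-EBUSY`.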
@@ -0,0 +1,44 @@ +From 79d9cbc6437b3e75962552e5d7e989eefa82563f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 23:17:49 +0800 +Subject: block: fix comment for op_is_zone_mgmt() to include RESET_ALL + +From: shechenglong + +[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ] + +REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt() +has returned true for it. + +Update the comment to remove the misleading exception note so +the documentation matches the implementation. + +Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL") +Signed-off-by: shechenglong +Reviewed-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/blk_types.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h +index 2d21af10a9df9..a9e554ef3c4a8 100644 +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -472,10 +472,7 @@ static inline bool op_is_discard(unsigned int op) + } + + /* +- * Check if a bio or request operation is a zone management operation, with +- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case +- * due to its different handling in the block layer and device response in +- * case of command failure. ++ * Check if a bio or request operation is a zone management operation. + */ + static inline bool op_is_zone_mgmt(enum req_opf op) + { +-- +2.51.0 + diff --git a/queue-5.15/dm-log-writes-add-missing-set_freezable-for-freezabl.patch b/queue-5.15/dm-log-writes-add-missing-set_freezable-for-freezabl.patch new file mode 100644 index 0000000000..cc33645590 --- /dev/null +++ b/queue-5.15/dm-log-writes-add-missing-set_freezable-for-freezabl.patch 
@@ -0,0 +1,40 @@ +From d41b069d26a046fa932702475672f79c3652735e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 15:41:03 +0800 +Subject: dm log-writes: Add missing set_freezable() for freezable kthread + +From: Haotian Zhang + +[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ] + +The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(), +rendering the freeze attempt ineffective since kernel threads are +non-freezable by default. This prevents proper thread suspension during +system suspend/hibernate. + +Add set_freezable() to explicitly mark the thread as freezable. + +Fixes: 0e9cebe72459 ("dm: add log writes target") +Signed-off-by: Haotian Zhang +Reviewed-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-log-writes.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c +index d93a4db235124..d9e17fd5fe764 100644 +--- a/drivers/md/dm-log-writes.c ++++ b/drivers/md/dm-log-writes.c +@@ -454,6 +454,7 @@ static int log_writes_kthread(void *arg) + struct log_writes_c *lc = (struct log_writes_c *)arg; + sector_t sector = 0; + ++ set_freezable(); + while (!kthread_should_stop()) { + bool super = false; + bool logging_enabled; +-- +2.51.0 + diff --git a/queue-5.15/dm-raid-fix-possible-null-dereference-with-undefined.patch b/queue-5.15/dm-raid-fix-possible-null-dereference-with-undefined.patch new file mode 100644 index 0000000000..e53f6348be --- /dev/null +++ b/queue-5.15/dm-raid-fix-possible-null-dereference-with-undefined.patch 
@@ -0,0 +1,42 @@ +From 52de0552fbfb19ed55fead6f16d1699c46b21a56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 20:18:38 +0300 +Subject: dm-raid: fix possible NULL dereference with undefined raid type + +From: Alexey Simakov + +[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ] + +rs->raid_type is assigned from get_raid_type_by_ll(), which may return +NULL. This NULL value could be dereferenced later in the condition +'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'. + +Add a fail-fast check to return early with an error if raid_type is NULL, +similar to other uses of this function. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping") +Signed-off-by: Alexey Simakov +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-raid.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c +index 8f02fa6d3301f..d4a44dca33fd5 100644 +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -2259,6 +2259,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev) + + mddev->reshape_position = le64_to_cpu(sb->reshape_position); + rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout); ++ if (!rs->raid_type) ++ return -EINVAL; + } + + } else { +-- +2.51.0 + diff --git a/queue-5.15/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch b/queue-5.15/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch new file mode 100644 index 0000000000..308a4910c5 --- /dev/null +++ b/queue-5.15/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch 
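Review bot: The added `if (!rs->raid_type) return -EINVAL;` in super_init_validation() rejects the array without saying why. The lookup sits directly after values taken from the on-disk superblock (`sb->reshape_position`), so this is the path a corrupted or malformed superblock takes, and an operator needs to see which check failed. If the neighbouring failure paths in this function (outside the hunk) report through `rs->ti->error` or `DMERR()`, do the same here, e.g. `rs->ti->error = "Unknown raid type in superblock";` before the return.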
@@ -0,0 +1,40 @@ +From c40adf71ce704ff87e0b95a18be34bf045d57178 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 09:28:10 -0600 +Subject: dma/pool: eliminate alloc_pages warning in atomic_pool_expand + +From: Dave Kleikamp + +[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ] + +atomic_pool_expand iteratively tries the allocation while decrementing +the page order. There is no need to issue a warning if an attempted +allocation fails. + +Signed-off-by: Dave Kleikamp +Reviewed-by: Robin Murphy +Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone") +[mszyprow: fixed typo] +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index 37d3ddd36ae5b..1e9d4cb018693 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -93,7 +93,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size, + page = dma_alloc_from_contiguous(NULL, 1 << order, + order, false); + if (!page) +- page = alloc_pages(gfp, order); ++ page = alloc_pages(gfp | __GFP_NOWARN, order); + } while (!page && order-- > 0); + if (!page) + goto out; +-- +2.51.0 + diff --git a/queue-5.15/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch b/queue-5.15/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch new file mode 100644 index 0000000000..18c9e6cbd7 --- /dev/null +++ b/queue-5.15/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch 
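Review bot: With `__GFP_NOWARN` on every `alloc_pages()` attempt in atomic_pool_expand(), the final attempt at order 0 is silenced too, so a complete failure is now only reported if the `out:` path or the caller logs it. Both are outside the hunk. If neither does, consider warning once after the loop, where `if (!page) goto out;` already detects the final failure.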
@@ -0,0 +1,64 @@ +From c0f42246ac6f15ef4d4122300f18879688560163 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 12:15:35 +0100 +Subject: fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ] + +After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"), +the return values of utf8_to_utf32() and utf32_to_utf8() are +inconsistent when encountering an error: utf8_to_utf32() returns -1, +while utf32_to_utf8() returns errno codes. Fix this inconsistency +by modifying utf8_to_utf32() to return errno codes as well. + +Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion") +Suggested-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + fs/nls/nls_base.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index 7eacded3c17d1..f072eb6b563f6 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu) + l &= t->lmask; + if (l < t->lval || l > UNICODE_MAX || + (l & SURROGATE_MASK) == SURROGATE_PAIR) +- return -1; ++ return -EILSEQ; ++ + *pu = (unicode_t) l; + return nc; + } + if (inlen <= nc) +- return -1; ++ return -EOVERFLOW; ++ + s++; + c = (*s ^ 0x80) & 0xFF; + if (c & 0xC0) +- return -1; ++ return -EILSEQ; ++ + l = (l << 6) | c; + } +- return -1; ++ return -EILSEQ; + } + EXPORT_SYMBOL(utf8_to_utf32); + +-- +2.51.0 + diff --git a/queue-5.15/fs-nls-fix-utf16-to-utf8-conversion.patch b/queue-5.15/fs-nls-fix-utf16-to-utf8-conversion.patch new file mode 100644 index 0000000000..feaf9fa8e0 --- /dev/null 
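Review bot: utf8_to_utf32() is exported, and changing its failure value from `-1` to `-EILSEQ`/`-EOVERFLOW` is only safe if every caller in this stable tree tests `< 0`. A caller that still compares against `-1` would treat the negative errno as a byte count and move its input and output pointers by it. The companion patch in this queue had to make exactly that adjustment in utf16s_to_utf8s() for utf32_to_utf8() (`size == -1` became `size < 0`), so the callers of utf8_to_utf32() in 5.15 deserve the same audit before this is applied. Separately, `-EOVERFLOW` for `inlen <= nc` describes truncated input rather than an overflow; a comment at that return, e.g. `/* sequence continues past the end of the input */`, would prevent misreading.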
+++ b/queue-5.15/fs-nls-fix-utf16-to-utf8-conversion.patch 
@@ -0,0 +1,81 @@ +From f4edb492eb92f93b2ccb186ee99796d920b43cf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 14:11:22 +0100 +Subject: fs/nls: Fix utf16 to utf8 conversion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 25524b6190295577e4918c689644451365e6466d ] + +Currently the function responsible for converting between utf16 and +utf8 strings will ignore any characters that cannot be converted. This +however also includes multi-byte characters that do not fit into the +provided string buffer. + +This can cause problems if such a multi-byte character is followed by +a single-byte character. In such a case the multi-byte character might +be ignored when the provided string buffer is too small, but the +single-byte character might fit and is thus still copied into the +resulting string. + +Fix this by stop filling the provided string buffer once a character +does not fit. In order to be able to do this extend utf32_to_utf8() +to return useful errno codes instead of -1. 
+ +Fixes: 74675a58507e ("NLS: update handling of Unicode") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + fs/nls/nls_base.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index a026dbd3593f6..7eacded3c17d1 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout) + + l = u; + if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR) +- return -1; ++ return -EILSEQ; + + nc = 0; + for (t = utf8_table; t->cmask && maxout; t++, maxout--) { +@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout) + return nc; + } + } +- return -1; ++ return -EOVERFLOW; + } + EXPORT_SYMBOL(utf32_to_utf8); + +@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian, + inlen--; + } + size = utf32_to_utf8(u, op, maxout); +- if (size == -1) { +- /* Ignore character and move on */ ++ if (size < 0) { ++ if (size == -EILSEQ) { ++ /* Ignore character and move on */ ++ continue; ++ } ++ /* ++ * Stop filling the buffer with data once a character ++ * does not fit anymore. ++ */ ++ break; + } else { + op += size; + maxout -= size; +-- +2.51.0 + diff --git a/queue-5.15/fs_context-drop-the-unused-lsm_flags-member.patch b/queue-5.15/fs_context-drop-the-unused-lsm_flags-member.patch new file mode 100644 index 0000000000..51c30d08e3 --- /dev/null +++ b/queue-5.15/fs_context-drop-the-unused-lsm_flags-member.patch 
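Review bot: In utf16s_to_utf8s() the `else` after the new `if (size < 0)` block is redundant, because both paths inside the block leave the iteration (`continue` or `break`); dropping it and un-indenting `op += size; maxout -= size;` would make the control flow plain. The `continue` replaces what used to be an empty branch, so the two are only equivalent if nothing follows the `if`/`else` inside the loop body, which ends outside the hunk. Stopping on `-EOVERFLOW` also still returns a shortened string with no indication of truncation; callers that compare or look up converted names would benefit from that being stated in the function's header comment.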
@@ -0,0 +1,79 @@ +From 03606e363b9d97034956adbbac244e2ec90523d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 14:07:51 +0100 +Subject: fs_context: drop the unused lsm_flags member + +From: Ondrej Mosnacek + +[ Upstream commit 4e04143c869c5b6d499fbd5083caa860d5c942c3 ] + +This isn't ever used by VFS now, and it couldn't even work. Any FS that +uses the SECURITY_LSM_NATIVE_LABELS flag needs to also process the +value returned back from the LSM, so it needs to do its +security_sb_set_mnt_opts() call on its own anyway. + +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Christian Brauner (Microsoft) +Stable-dep-of: 8675c69816e4 ("NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags") +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/mount_api.rst | 1 - + fs/nfs/super.c | 3 --- + include/linux/fs_context.h | 1 - + include/linux/security.h | 2 +- + 4 files changed, 1 insertion(+), 6 deletions(-) + +diff --git a/Documentation/filesystems/mount_api.rst b/Documentation/filesystems/mount_api.rst +index 12e30da6a511c..1dc90a83b5fd0 100644 +--- a/Documentation/filesystems/mount_api.rst ++++ b/Documentation/filesystems/mount_api.rst +@@ -79,7 +79,6 @@ context. This is represented by the fs_context structure:: + unsigned int sb_flags; + unsigned int sb_flags_mask; + unsigned int s_iflags; +- unsigned int lsm_flags; + enum fs_context_purpose purpose:8; + ... 
+ }; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index f91cb1267b44e..0faed67d61bde 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1280,9 +1280,6 @@ int nfs_get_tree_common(struct fs_context *fc) + if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS) + fc->sb_flags |= SB_SYNCHRONOUS; + +- if (server->caps & NFS_CAP_SECURITY_LABEL) +- fc->lsm_flags |= SECURITY_LSM_NATIVE_LABELS; +- + /* Get a superblock - note that we may end up sharing one that already exists */ + fc->s_fs_info = server; + s = sget_fc(fc, compare_super, nfs_set_super); +diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h +index c861b2c894ba3..0b386c5c03342 100644 +--- a/include/linux/fs_context.h ++++ b/include/linux/fs_context.h +@@ -104,7 +104,6 @@ struct fs_context { + unsigned int sb_flags; /* Proposed superblock flags (SB_*) */ + unsigned int sb_flags_mask; /* Superblock flags that were changed */ + unsigned int s_iflags; /* OR'd with sb->s_iflags */ +- unsigned int lsm_flags; /* Information flags from the fs to the LSM */ + enum fs_context_purpose purpose:8; + enum fs_context_phase phase:8; /* The phase the context is in */ + bool need_free:1; /* Need to call ops->free() */ +diff --git a/include/linux/security.h b/include/linux/security.h +index 946fa58eb05a4..95102b9f75c98 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -67,7 +67,7 @@ struct watch_notification; + /* If capable is being called by a setid function */ + #define CAP_OPT_INSETID BIT(2) + +-/* LSM Agnostic defines for fs_context::lsm_flags */ ++/* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ + #define SECURITY_LSM_NATIVE_LABELS 1 + + struct ctl_table; +-- +2.51.0 + diff --git a/queue-5.15/nfs-automounted-filesystems-should-inherit-ro-noexec.patch b/queue-5.15/nfs-automounted-filesystems-should-inherit-ro-noexec.patch new file mode 100644 index 0000000000..d8e8678fef --- /dev/null +++ b/queue-5.15/nfs-automounted-filesystems-should-inherit-ro-noexec.patch 
@@ -0,0 +1,65 @@
+From 535ebef50852a0f8b71d1ec5866e4bb7e19e333e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 14:22:44 -0500
+Subject: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync
+ flags
+
+From: Trond Myklebust
+
+[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ]
+
+When a filesystem is being automounted, it needs to preserve the
+user-set superblock mount options, such as the "ro" flag.
+
+Reported-by: Li Lingfeng
+Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
+Fixes: f2aedb713c28 ("NFS: Add fs_context support.")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/namespace.c | 6 ++++++
+ fs/nfs/super.c | 4 ----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
+index 565421c6682ed..8fb570fd376a1 100644
+--- a/fs/nfs/namespace.c
++++ b/fs/nfs/namespace.c
+@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
+ struct vfsmount *mnt = ERR_PTR(-ENOMEM);
+ struct nfs_server *server = NFS_SB(path->dentry->d_sb);
+ struct nfs_client *client = server->nfs_client;
++ unsigned long s_flags = path->dentry->d_sb->s_flags;
+ int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout);
+ int ret;
+
+@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path)
+ fc->net_ns = get_net(client->cl_net);
+ }
+
++ /* Inherit the flags covered by NFS_SB_MASK */
++ fc->sb_flags_mask |= NFS_SB_MASK;
++ fc->sb_flags &= ~NFS_SB_MASK;
++ fc->sb_flags |= s_flags & NFS_SB_MASK;
++
+ /* for submounts we want the same server; referrals will reassign */
+ memcpy(&ctx->nfs_server.address, &client->cl_addr, client->cl_addrlen);
+ ctx->nfs_server.addrlen = client->cl_addrlen;
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 0faed67d61bde..d9d6f055771a9 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1276,10 +1276,6 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (server->flags & NFS_MOUNT_NOAC)
+ fc->sb_flags |= SB_SYNCHRONOUS;
+
+- if (ctx->clone_data.sb)
+- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS)
+- fc->sb_flags |= SB_SYNCHRONOUS;
+-
+ /* Get a superblock - note that we may end up sharing one that already exists */
+ fc->s_fs_info = server;
+ s = sget_fc(fc, compare_super, nfs_set_super);
+--
+2.51.0
+
diff --git a/queue-5.15/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch b/queue-5.15/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch
new file mode 100644
index 0000000000..d447f77310
--- /dev/null
+++ b/queue-5.15/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch
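Review bot: The fs/nfs/super.c hunk deletes the SB_SYNCHRONOUS inheritance from `ctx->clone_data.sb` in nfs_get_tree_common() and relies on the new block in nfs_d_automount() instead, so any caller that fills clone_data.sb without passing through nfs_d_automount() would stop inheriting the flag; none is visible in this patch, but it should be checked in the 5.15 tree. In the nfs_d_automount() hunk the comment `/* Inherit the flags covered by NFS_SB_MASK */` only restates the code, and NFS_SB_MASK is defined outside the patch; something like `/* Submounts keep the parent's user-set superblock options (e.g. "ro") for the NFS_SB_MASK bits */` would record the intent. Both functions start and end outside their hunks.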
@@ -0,0 +1,97 @@
+From b4810536792ab09ab8a44735a83ff54d6be0f4a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Nov 2025 15:28:17 -0500
+Subject: NFS: Avoid changing nlink when file removes and attribute updates
+ race
+
+From: Trond Myklebust
+
+[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ]
+
+If a file removal races with another operation that updates its
+attributes, then skip the change to nlink, and just mark the attributes
+as being stale.
+
+Reported-by: Aiden Lambert
+Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/dir.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 671b427b7b97a..2a325a79327bc 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1714,13 +1714,15 @@ static int nfs_dentry_delete(const struct dentry *dentry)
+ }
+
+ /* Ensure that we revalidate inode->i_nlink */
+-static void nfs_drop_nlink(struct inode *inode)
++static void nfs_drop_nlink(struct inode *inode, unsigned long gencount)
+ {
++ struct nfs_inode *nfsi = NFS_I(inode);
++
+ spin_lock(&inode->i_lock);
+ /* drop the inode if we're reasonably sure this is the last link */
+- if (inode->i_nlink > 0)
++ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount)
+ drop_nlink(inode);
+- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter();
++ nfsi->attr_gencount = nfs_inc_attr_generation_counter();
+ nfs_set_cache_invalid(
+ inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME |
+ NFS_INO_INVALID_NLINK);
+@@ -1738,8 +1740,9 @@ static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode)
+ nfs_set_cache_invalid(inode, NFS_INO_INVALID_DATA);
+
+ if (dentry->d_flags & DCACHE_NFSFS_RENAMED) {
++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount);
+ nfs_complete_unlink(dentry, inode);
+- nfs_drop_nlink(inode);
++ nfs_drop_nlink(inode, gencount);
+ }
+ iput(inode);
+ }
+@@ -2281,9 +2284,11 @@ static int nfs_safe_remove(struct dentry *dentry)
+
+ trace_nfs_remove_enter(dir, dentry);
+ if (inode != NULL) {
++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount);
++
+ error = NFS_PROTO(dir)->remove(dir, dentry);
+ if (error == 0)
+- nfs_drop_nlink(inode);
++ nfs_drop_nlink(inode, gencount);
+ } else
+ error = NFS_PROTO(dir)->remove(dir, dentry);
+ if (error == -ENOENT)
+@@ -2475,6 +2480,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+ {
+ struct inode *old_inode = d_inode(old_dentry);
+ struct inode *new_inode = d_inode(new_dentry);
++ unsigned long new_gencount = 0;
+ struct dentry *dentry = NULL;
+ struct rpc_task *task;
+ bool must_unblock = false;
+@@ -2532,6 +2538,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+ } else {
+ new_dentry->d_fsdata = NFS_FSDATA_BLOCKED;
+ must_unblock = true;
++ new_gencount = NFS_I(new_inode)->attr_gencount;
+ spin_unlock(&new_dentry->d_lock);
+ }
+
+@@ -2568,7 +2575,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+ new_dir, new_dentry, error);
+ if (!error) {
+ if (new_inode != NULL)
+- nfs_drop_nlink(new_inode);
++ nfs_drop_nlink(new_inode, new_gencount);
+ /*
+ * The d_move() should be here instead of in an async RPC completion
+ * handler because we need the proper locks to move the dentry. If
+--
+2.51.0
+
diff --git a/queue-5.15/nfs-don-t-unhash-dentry-during-unlink-rename.patch b/queue-5.15/nfs-don-t-unhash-dentry-during-unlink-rename.patch
new file mode 100644
index 0000000000..d30ce7fdfe
--- /dev/null
+++ b/queue-5.15/nfs-don-t-unhash-dentry-during-unlink-rename.patch
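Review bot: In the nfs_rename() hunk the snapshot is taken with a plain load, `new_gencount = NFS_I(new_inode)->attr_gencount;`, while the two other callers added by this patch (nfs_dentry_iput() and nfs_safe_remove()) use `READ_ONCE()`. The field is compared and rewritten in nfs_drop_nlink() under `inode->i_lock`, whereas this read happens under `new_dentry->d_lock`, so it is just as lockless as the others and should read `new_gencount = READ_ONCE(NFS_I(new_inode)->attr_gencount);`. The comment `/* drop the inode if we're reasonably sure this is the last link */` in nfs_drop_nlink() could also say that the decrement is skipped when the generation has moved since the caller's snapshot. nfs_rename() starts and ends outside the hunk.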
@@ -0,0 +1,236 @@
+From 12da63b11cc0e5d738cf5c61ac104552e208808a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Aug 2022 10:33:34 +1000
+Subject: NFS: don't unhash dentry during unlink/rename
+
+From: NeilBrown
+
+[ Upstream commit 3c59366c207e4c6c6569524af606baf017a55c61 ]
+
+NFS unlink() (and rename over existing target) must determine if the
+file is open, and must perform a "silly rename" instead of an unlink (or
+before rename) if it is. Otherwise the client might hold a file open
+which has been removed on the server.
+
+Consequently if it determines that the file isn't open, it must block
+any subsequent opens until the unlink/rename has been completed on the
+server.
+
+This is currently achieved by unhashing the dentry. This forces any
+open attempt to the slow-path for lookup which will block on i_rwsem on
+the directory until the unlink/rename completes. A future patch will
+change the VFS to only get a shared lock on i_rwsem for unlink, so this
+will no longer work.
+
+Instead we introduce an explicit interlock. A special value is stored
+in dentry->d_fsdata while the unlink/rename is running and
+->d_revalidate blocks while that value is present. When ->d_revalidate
+unblocks, the dentry will be invalid. This closes the race
+without requiring exclusion on i_rwsem.
+
+d_fsdata is already used in two different ways.
+1/ an IS_ROOT directory dentry might have a "devname" stored in
+ d_fsdata. Such a dentry doesn't have a name and so cannot be the
+ target of unlink or rename. For safety we check if an old devname
+ is still stored, and remove it if it is.
+2/ a dentry with DCACHE_NFSFS_RENAMED set will have a 'struct
+ nfs_unlinkdata' stored in d_fsdata. While this is set maydelete()
+ will fail, so an unlink or rename will never proceed on such
+ a dentry.
+
+Neither of these can be in effect when a dentry is the target of unlink
+or rename. So we can expect d_fsdata to be NULL, and store a special
+value ((void*)1) which is given the name NFS_FSDATA_BLOCKED to indicate
+that any lookup will be blocked.
+
+The d_count() is incremented under d_lock() when a lookup finds the
+dentry, so we check d_count() is low, and set NFS_FSDATA_BLOCKED under
+the same lock to avoid any races.
+
+Signed-off-by: NeilBrown
+Signed-off-by: Trond Myklebust
+Stable-dep-of: bd4928ec799b ("NFS: Avoid changing nlink when file removes and attribute updates race")
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/dir.c | 72 +++++++++++++++++++++++++++++++-----------
+ include/linux/nfs_fs.h | 9 ++++++
+ 2 files changed, 63 insertions(+), 18 deletions(-)
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 9dceb6cb10417..671b427b7b97a 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1626,6 +1626,8 @@ __nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags,
+ int ret;
+
+ if (flags & LOOKUP_RCU) {
++ if (dentry->d_fsdata == NFS_FSDATA_BLOCKED)
++ return -ECHILD;
+ parent = READ_ONCE(dentry->d_parent);
+ dir = d_inode_rcu(parent);
+ if (!dir)
+@@ -1634,6 +1636,9 @@ __nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags,
+ if (parent != READ_ONCE(dentry->d_parent))
+ return -ECHILD;
+ } else {
++ /* Wait for unlink to complete */
++ wait_var_event(&dentry->d_fsdata,
++ dentry->d_fsdata != NFS_FSDATA_BLOCKED);
+ parent = dget_parent(dentry);
+ ret = reval(d_inode(parent), dentry, flags);
+ dput(parent);
+@@ -2296,7 +2301,6 @@ static int nfs_safe_remove(struct dentry *dentry)
+ int nfs_unlink(struct inode *dir, struct dentry *dentry)
+ {
+ int error;
+- int need_rehash = 0;
+
+ dfprintk(VFS, "NFS: unlink(%s/%lu, %pd)\n", dir->i_sb->s_id,
+ dir->i_ino, dentry);
+@@ -2310,15 +2314,25 @@ int nfs_unlink(struct inode *dir, struct dentry *dentry)
+ error = nfs_sillyrename(dir, dentry);
+ goto out;
+ }
+- if (!d_unhashed(dentry)) {
+- __d_drop(dentry);
+- need_rehash = 1;
+- }
++ /* We must prevent any concurrent open until the unlink
++ * completes. ->d_revalidate will wait for ->d_fsdata
++ * to clear. We set it here to ensure no lookup succeeds until
++ * the unlink is complete on the server.
++ */
++ error = -ETXTBSY;
++ if (WARN_ON(dentry->d_flags & DCACHE_NFSFS_RENAMED) ||
++ WARN_ON(dentry->d_fsdata == NFS_FSDATA_BLOCKED))
++ goto out;
++ if (dentry->d_fsdata)
++ /* old devname */
++ kfree(dentry->d_fsdata);
++ dentry->d_fsdata = NFS_FSDATA_BLOCKED;
++
+ spin_unlock(&dentry->d_lock);
+ error = nfs_safe_remove(dentry);
+ nfs_dentry_remove_handle_error(dir, dentry, error);
+- if (need_rehash)
+- d_rehash(dentry);
++ dentry->d_fsdata = NULL;
++ wake_up_var(&dentry->d_fsdata);
+ out:
+ trace_nfs_unlink_exit(dir, dentry, error);
+ return error;
+@@ -2422,6 +2436,15 @@ nfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry)
+ }
+ EXPORT_SYMBOL_GPL(nfs_link);
+
++static void
++nfs_unblock_rename(struct rpc_task *task, struct nfs_renamedata *data)
++{
++ struct dentry *new_dentry = data->new_dentry;
++
++ new_dentry->d_fsdata = NULL;
++ wake_up_var(&new_dentry->d_fsdata);
++}
++
+ /*
+ * RENAME
+ * FIXME: Some nfsds, like the Linux user space nfsd, may generate a
+@@ -2452,8 +2475,9 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+ {
+ struct inode *old_inode = d_inode(old_dentry);
+ struct inode *new_inode = d_inode(new_dentry);
+- struct dentry *dentry = NULL, *rehash = NULL;
++ struct dentry *dentry = NULL;
+ struct rpc_task *task;
++ bool must_unblock = false;
+ int error = -EBUSY;
+
+ if (flags)
+@@ -2471,18 +2495,27 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+ * the new target.
+ */
+ if (new_inode && !S_ISDIR(new_inode->i_mode)) {
+- /*
+- * To prevent any new references to the target during the
+- * rename, we unhash the dentry in advance.
++ /* We must prevent any concurrent open until the unlink
++ * completes. ->d_revalidate will wait for ->d_fsdata
++ * to clear. We set it here to ensure no lookup succeeds until
++ * the unlink is complete on the server.
+ */
+- if (!d_unhashed(new_dentry)) {
+- d_drop(new_dentry);
+- rehash = new_dentry;
++ error = -ETXTBSY;
++ if (WARN_ON(new_dentry->d_flags & DCACHE_NFSFS_RENAMED) ||
++ WARN_ON(new_dentry->d_fsdata == NFS_FSDATA_BLOCKED))
++ goto out;
++ if (new_dentry->d_fsdata) {
++ /* old devname */
++ kfree(new_dentry->d_fsdata);
++ new_dentry->d_fsdata = NULL;
+ }
+
++ spin_lock(&new_dentry->d_lock);
+ if (d_count(new_dentry) > 2) {
+ int err;
+
++ spin_unlock(&new_dentry->d_lock);
++
+ /* copy the target dentry's name */
+ dentry = d_alloc(new_dentry->d_parent,
+ &new_dentry->d_name);
+@@ -2495,14 +2528,19 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+ goto out;
+
+ new_dentry = dentry;
+- rehash = NULL;
+ new_inode = NULL;
++ } else {
++ new_dentry->d_fsdata = NFS_FSDATA_BLOCKED;
++ must_unblock = true;
++ spin_unlock(&new_dentry->d_lock);
+ }
++
+ }
+
+ if (S_ISREG(old_inode->i_mode))
+ nfs_sync_inode(old_inode);
+- task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, NULL);
++ task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry,
++ must_unblock ? nfs_unblock_rename : NULL);
+ if (IS_ERR(task)) {
+ error = PTR_ERR(task);
+ goto out;
+@@ -2526,8 +2564,6 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+ spin_unlock(&old_inode->i_lock);
+ }
+ out:
+- if (rehash)
+- d_rehash(rehash);
+ trace_nfs_rename_exit(old_dir, old_dentry,
+ new_dir, new_dentry, error);
+ if (!error) {
+diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
+index 218e79ba263b2..d7c23708f7da4 100644
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -673,6 +673,15 @@ static inline bool nfs_ooo_test(struct nfs_inode *nfsi)
+
+ #define NFS_JUKEBOX_RETRY_TIME (5 * HZ)
+
++/* We need to block new opens while a file is being unlinked.
++ * If it is opened *before* we decide to unlink, we will silly-rename
++ * instead. If it is opened *after*, then we need to create or will fail.
++ * If we allow the two to race, we could end up with a file that is open
++ * but deleted on the server resulting in ESTALE.
++ * So use ->d_fsdata to record when the unlink is happening
++ * and block dentry revalidation while it is set.
++ */
++#define NFS_FSDATA_BLOCKED ((void*)1)
+
+ # undef ifdebug
+ # ifdef NFS_DEBUG
+--
+2.51.0
+
diff --git a/queue-5.15/nfs-fix-the-verifier-for-case-sensitive-filesystem-i.patch b/queue-5.15/nfs-fix-the-verifier-for-case-sensitive-filesystem-i.patch
new file mode 100644
index 0000000000..49f7c04278
--- /dev/null
+++ b/queue-5.15/nfs-fix-the-verifier-for-case-sensitive-filesystem-i.patch
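Review bot: In the nfs_unlink() hunk the new `goto out` taken when either WARN_ON() fires sits above the context line `spin_unlock(&dentry->d_lock);`, and the `out:` label only traces and returns, so that path appears to return with d_lock still held (the matching spin_lock() is outside the hunk). The branch should release the lock first, e.g. `if (WARN_ON(...) || WARN_ON(...)) { spin_unlock(&dentry->d_lock); goto out; }`. In nfs_rename(), the `IS_ERR(task)` path jumps to `out` after NFS_FSDATA_BLOCKED may have been set and nothing visible clears it there, which would leave ->d_revalidate waiting in wait_var_event() indefinitely; setting `new_dentry->d_fsdata = NULL` and calling `wake_up_var(&new_dentry->d_fsdata)` before that `goto out` when `must_unblock` is set would close it. Both paths are worth comparing with the current upstream version of these functions before this lands in 5.15.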
@@ -0,0 +1,46 @@
+From 57ee5d2b359a73f415a4ccddd1354a863a2ed654 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Dec 2021 15:36:58 -0500
+Subject: NFS: Fix the verifier for case sensitive filesystem in
+ nfs_atomic_open()
+
+From: Trond Myklebust
+
+[ Upstream commit 68eaba4ca924a97a863c5c81c0b23a11dcb6db90 ]
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Stable-dep-of: 518c32a1bc4f ("NFS: Initialise verifiers for visible dentries in nfs_atomic_open()")
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/dir.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 2a325a79327bc..dc0c50b97643b 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1887,6 +1887,7 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
+ struct iattr attr = { .ia_valid = ATTR_OPEN };
+ struct inode *inode;
+ unsigned int lookup_flags = 0;
++ unsigned long dir_verifier;
+ bool switched = false;
+ int created = 0;
+ int err;
+@@ -1960,7 +1961,11 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
+ switch (err) {
+ case -ENOENT:
+ d_splice_alias(NULL, dentry);
+- nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
++ if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE))
++ dir_verifier = inode_peek_iversion_raw(dir);
++ else
++ dir_verifier = nfs_save_change_attribute(dir);
++ nfs_set_verifier(dentry, dir_verifier);
+ break;
+ case -EISDIR:
+ case -ENOTDIR:
+--
+2.51.0
+
diff --git a/queue-5.15/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch b/queue-5.15/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch
new file mode 100644
index 0000000000..37d7461fac
--- /dev/null
+++ b/queue-5.15/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch
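Review bot: This patch uses NFS_CAP_CASE_INSENSITIVE in the -ENOENT branch of nfs_atomic_open(), and within this queue the macro is only introduced by nfsv4-add-some-support-for-case-insensitive-filesyst.patch; the series file is not visible here, so confirm that patch is ordered first or the 5.15 build breaks at this step. The commit body is empty and the branch carries no comment, so nothing records why a case-insensitive server gets `inode_peek_iversion_raw(dir)` while others get `nfs_save_change_attribute(dir)`; a one-line why-comment above the `if` would help whoever touches the verifier next. nfs_atomic_open() starts and ends outside the hunk.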
@@ -0,0 +1,41 @@
+From 99a6cf22376c8b2bbe03e00f92834bc03874172b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Nov 2025 08:39:50 -0500
+Subject: NFS: Initialise verifiers for visible dentries in nfs_atomic_open()
+
+From: Trond Myklebust
+
+[ Upstream commit 518c32a1bc4f8df1a8442ee8cdfea3e2fcff20a0 ]
+
+Ensure that the verifiers are initialised before calling
+d_splice_alias() in nfs_atomic_open().
+
+Reported-by: Michael Stoler
+Fixes: 809fd143de88 ("NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index dc0c50b97643b..6dd56841feab9 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1960,12 +1960,12 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
+ d_drop(dentry);
+ switch (err) {
+ case -ENOENT:
+- d_splice_alias(NULL, dentry);
+ if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE))
+ dir_verifier = inode_peek_iversion_raw(dir);
+ else
+ dir_verifier = nfs_save_change_attribute(dir);
+ nfs_set_verifier(dentry, dir_verifier);
++ d_splice_alias(NULL, dentry);
+ break;
+ case -EISDIR:
+ case -ENOTDIR:
+--
+2.51.0
+
diff --git a/queue-5.15/nfs-label-the-dentry-with-a-verifier-in-nfs_rmdir-an.patch b/queue-5.15/nfs-label-the-dentry-with-a-verifier-in-nfs_rmdir-an.patch
new file mode 100644
index 0000000000..3128f5f427
--- /dev/null
+++ b/queue-5.15/nfs-label-the-dentry-with-a-verifier-in-nfs_rmdir-an.patch
@@ -0,0 +1,71 @@
+From 4a8ec734db66025671369782d694440cb2dd1e13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jul 2021 21:43:09 -0400
+Subject: NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink()
+
+From: Trond Myklebust
+
+[ Upstream commit 9019fb391de02cbff422090768b73afe9f6174df ]
+
+After the success of an operation such as rmdir() or unlink(), we expect
+to add the dentry back to the dcache as an ordinary negative dentry.
+However in NFS, unless it is labelled with the appropriate verifier for
+the parent directory state, then nfs_lookup_revalidate will end up
+discarding that dentry and forcing a new lookup.
+
+The fix is to ensure that we relabel the dentry appropriately on
+success.
+
+Signed-off-by: Trond Myklebust
+Stable-dep-of: bd4928ec799b ("NFS: Avoid changing nlink when file removes and attribute updates race")
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/dir.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 32c3d0c454b19..9dceb6cb10417 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -2212,6 +2212,18 @@ static void nfs_dentry_handle_enoent(struct dentry *dentry)
+ d_delete(dentry);
+ }
+
++static void nfs_dentry_remove_handle_error(struct inode *dir,
++ struct dentry *dentry, int error)
++{
++ switch (error) {
++ case -ENOENT:
++ d_delete(dentry);
++ fallthrough;
++ case 0:
++ nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
++ }
++}
++
+ int nfs_rmdir(struct inode *dir, struct dentry *dentry)
+ {
+ int error;
+@@ -2234,6 +2246,7 @@ int nfs_rmdir(struct inode *dir, struct dentry *dentry)
+ up_write(&NFS_I(d_inode(dentry))->rmdir_sem);
+ } else
+ error = NFS_PROTO(dir)->rmdir(dir, &dentry->d_name);
++ nfs_dentry_remove_handle_error(dir, dentry, error);
+ trace_nfs_rmdir_exit(dir, dentry, error);
+
+ return error;
+@@ -2303,9 +2316,8 @@ int nfs_unlink(struct inode *dir, struct dentry *dentry)
+ }
+ spin_unlock(&dentry->d_lock);
+ error = nfs_safe_remove(dentry);
+- if (!error || error == -ENOENT) {
+- nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
+- } else if (need_rehash)
++ nfs_dentry_remove_handle_error(dir, dentry, error);
++ if (need_rehash)
+ d_rehash(dentry);
+ out:
+ trace_nfs_unlink_exit(dir, dentry, error);
+--
+2.51.0
+
diff --git a/queue-5.15/nfsv4-add-some-support-for-case-insensitive-filesyst.patch b/queue-5.15/nfsv4-add-some-support-for-case-insensitive-filesyst.patch
new file mode 100644
index 0000000000..20f92f4b45
--- /dev/null
+++ b/queue-5.15/nfsv4-add-some-support-for-case-insensitive-filesyst.patch
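Review bot: nfs_dentry_remove_handle_error() calls `d_delete(dentry)` on -ENOENT, but the hunk context shows an existing nfs_dentry_handle_enoent() that also calls `d_delete(dentry)`; if nfs_rmdir() or nfs_safe_remove() already invoke that helper for -ENOENT (their bodies are outside the hunk), the dentry is deleted twice on that path. If that is the case, the new helper should keep only the verifier update for both codes, `case -ENOENT: case 0: nfs_set_verifier(dentry, nfs_save_change_attribute(dir));`. The `switch` also has no `default:`; adding `default: break;` makes it explicit that other errors leave the dentry untouched.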
@@ -0,0 +1,136 @@
+From 6a0a2bcdf62928753088248d2c1add6063bd2570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Dec 2021 15:36:54 -0500
+Subject: NFSv4: Add some support for case insensitive filesystems
+
+From: Trond Myklebust
+
+[ Upstream commit 1ab5be4ac5b1c9ce39ce1037c45b68d2ce6eede0 ]
+
+Add capabilities to allow the NFS client to recognise when it is dealing
+with case insensitive and case preserving filesystems.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Stable-dep-of: 518c32a1bc4f ("NFS: Initialise verifiers for visible dentries in nfs_atomic_open()")
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4proc.c | 8 +++++++-
+ fs/nfs/nfs4xdr.c | 40 +++++++++++++++++++++++++++++++++++++++
+ include/linux/nfs_fs_sb.h | 2 ++
+ include/linux/nfs_xdr.h | 2 ++
+ 4 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 768433688cb2f..883e4106fbcd9 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3887,7 +3887,9 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
+ FATTR4_WORD0_FH_EXPIRE_TYPE |
+ FATTR4_WORD0_LINK_SUPPORT |
+ FATTR4_WORD0_SYMLINK_SUPPORT |
+- FATTR4_WORD0_ACLSUPPORT;
++ FATTR4_WORD0_ACLSUPPORT |
++ FATTR4_WORD0_CASE_INSENSITIVE |
++ FATTR4_WORD0_CASE_PRESERVING;
+ if (minorversion)
+ bitmask[2] = FATTR4_WORD2_SUPPATTR_EXCLCREAT;
+
+@@ -3917,6 +3919,10 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
+ server->caps |= NFS_CAP_HARDLINKS;
+ if (res.has_symlinks != 0)
+ server->caps |= NFS_CAP_SYMLINKS;
++ if (res.case_insensitive)
++ server->caps |= NFS_CAP_CASE_INSENSITIVE;
++ if (res.case_preserving)
++ server->caps |= NFS_CAP_CASE_PRESERVING;
+ #ifdef CONFIG_NFS_V4_SECURITY_LABEL
+ if (res.attr_bitmask[2] & FATTR4_WORD2_SECURITY_LABEL)
+ server->caps |= NFS_CAP_SECURITY_LABEL;
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index 0ae9e06a0bba2..0b9fa58dd7cd7 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -3530,6 +3530,42 @@ static int decode_attr_aclsupport(struct xdr_stream *xdr, uint32_t *bitmap, uint
+ return 0;
+ }
+
++static int decode_attr_case_insensitive(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
++{
++ __be32 *p;
++
++ *res = 0;
++ if (unlikely(bitmap[0] & (FATTR4_WORD0_CASE_INSENSITIVE - 1U)))
++ return -EIO;
++ if (likely(bitmap[0] & FATTR4_WORD0_CASE_INSENSITIVE)) {
++ p = xdr_inline_decode(xdr, 4);
++ if (unlikely(!p))
++ return -EIO;
++ *res = be32_to_cpup(p);
++ bitmap[0] &= ~FATTR4_WORD0_CASE_INSENSITIVE;
++ }
++ dprintk("%s: case_insensitive=%s\n", __func__, *res == 0 ? "false" : "true");
++ return 0;
++}
++
++static int decode_attr_case_preserving(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
++{
++ __be32 *p;
++
++ *res = 0;
++ if (unlikely(bitmap[0] & (FATTR4_WORD0_CASE_PRESERVING - 1U)))
++ return -EIO;
++ if (likely(bitmap[0] & FATTR4_WORD0_CASE_PRESERVING)) {
++ p = xdr_inline_decode(xdr, 4);
++ if (unlikely(!p))
++ return -EIO;
++ *res = be32_to_cpup(p);
++ bitmap[0] &= ~FATTR4_WORD0_CASE_PRESERVING;
++ }
++ dprintk("%s: case_preserving=%s\n", __func__, *res == 0 ? "false" : "true");
++ return 0;
++}
++
+ static int decode_attr_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *fileid)
+ {
+ __be32 *p;
+@@ -4406,6 +4442,10 @@ static int decode_server_caps(struct xdr_stream *xdr, struct nfs4_server_caps_re
+ goto xdr_error;
+ if ((status = decode_attr_aclsupport(xdr, bitmap, &res->acl_bitmask)) != 0)
+ goto xdr_error;
++ if ((status = decode_attr_case_insensitive(xdr, bitmap, &res->case_insensitive)) != 0)
++ goto xdr_error;
++ if ((status = decode_attr_case_preserving(xdr, bitmap, &res->case_preserving)) != 0)
++ goto xdr_error;
+ if ((status = decode_attr_exclcreat_supported(xdr, bitmap,
+ res->exclcreat_bitmask)) != 0)
+ goto xdr_error;
+diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
+index 091fefc5e3615..6b770affcfb2f 100644
+--- a/include/linux/nfs_fs_sb.h
++++ b/include/linux/nfs_fs_sb.h
+@@ -273,6 +273,8 @@ struct nfs_server {
+ #define NFS_CAP_ACLS (1U << 3)
+ #define NFS_CAP_ATOMIC_OPEN (1U << 4)
+ #define NFS_CAP_LGOPEN (1U << 5)
++#define NFS_CAP_CASE_INSENSITIVE (1U << 6)
++#define NFS_CAP_CASE_PRESERVING (1U << 7)
+ #define NFS_CAP_POSIX_LOCK (1U << 14)
+ #define NFS_CAP_UIDGID_NOMAP (1U << 15)
+ #define NFS_CAP_STATEID_NFSV41 (1U << 16)
+diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
+index 7fcd56c6ded65..7321a5a95087f 100644
+--- a/include/linux/nfs_xdr.h
++++ b/include/linux/nfs_xdr.h
+@@ -1202,6 +1202,8 @@ struct nfs4_server_caps_res {
+ u32 has_links;
+ u32 has_symlinks;
+ u32 fh_expire_type;
++ u32 case_insensitive;
++ u32 case_preserving;
+ };
+
+ #define NFS4_PATHNAME_MAXCOMPONENTS 512
+--
+2.51.0
+
diff --git a/queue-5.15/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch b/queue-5.15/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch
new file mode 100644
index 0000000000..f7fd1441fc
--- /dev/null
+++ b/queue-5.15/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch
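Review bot: `_nfs4_server_capabilities()` only ever ORs NFS_CAP_CASE_INSENSITIVE and NFS_CAP_CASE_PRESERVING into `server->caps`; if the function can run again for the same nfs_server and an existing mask clears the other probed bits first (that line is outside the hunk), the two new bits belong in that mask so a changed server answer is not ignored. Both values come straight off the wire through `be32_to_cpup(p)` and any non-zero word counts as true, which is acceptable for a boolean but deserves a one-line comment in decode_attr_case_insensitive() and decode_attr_case_preserving(). The two decoders differ only in the attribute bit and the dprintk label and could share one static helper that takes the bit as a parameter.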
@@ -0,0 +1,43 @@
+From 4113662a6589cceb2c520505002cf024685d187c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Nov 2025 18:02:42 +0000
+Subject: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in
+ pnfs_mark_layout_stateid_invalid
+
+From: Jonathan Curley
+
+[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ]
+
+Fixes a crash when layout is null during this call stack:
+
+write_inode
+ -> nfs4_write_inode
+ -> pnfs_layoutcommit_inode
+
+pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
+around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
+to reference a null layout.
+
+Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid")
+Signed-off-by: Jonathan Curley
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/pnfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index ef273b71f0198..50d608f6c6906 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -465,6 +465,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
+ struct pnfs_layout_segment *lseg, *next;
+
+ set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
++ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);
+ list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list)
+ pnfs_clear_lseg_state(lseg, lseg_list);
+ pnfs_clear_layoutreturn_info(lo);
+--
+2.51.0
+
diff --git a/queue-5.15/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch b/queue-5.15/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch
new file mode 100644
index 0000000000..834967b73d
--- /dev/null
+++ b/queue-5.15/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch
@@ -0,0 +1,78 @@
+From bb48036a714f89db91ae367ddc14f1c5ea552086 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Nov 2025 11:13:08 +0100
+Subject: platform/x86: asus-wmi: use brightness_set_blocking() for kbd led
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Anton Khirnov
+
+[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ]
+
+kbd_led_set() can sleep, and so may not be used as the brightness_set()
+callback.
+
+Otherwise using this led with a trigger leads to system hangs
+accompanied by:
+BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003
+CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1
+Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024
+Call Trace:
+
+ [...]
+ schedule_timeout+0xbd/0x100
+ __down_common+0x175/0x290
+ down_timeout+0x67/0x70
+ acpi_os_wait_semaphore+0x57/0x90
+ [...]
+ asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi]
+ led_trigger_event+0x3f/0x60
+ [...]
+
+Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process")
+Signed-off-by: Anton Khirnov
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Denis Benato
+Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/asus-wmi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index d9933d3718129..7714a8327021f 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -822,14 +822,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value)
+ kbd_led_update(asus);
+ }
+
+-static void kbd_led_set(struct led_classdev *led_cdev,
+- enum led_brightness value)
++static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value)
+ {
+ /* Prevent disabling keyboard backlight on module unregister */
+ if (led_cdev->flags & LED_UNREGISTERING)
+- return;
++ return 0;
+
+ do_kbd_led_set(led_cdev, value);
++ return 0;
+ }
+
+ static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value)
+@@ -966,7 +966,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus)
+ asus->kbd_led_wk = led_val;
+ asus->kbd_led.name = "asus::kbd_backlight";
+ asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED;
+- asus->kbd_led.brightness_set = kbd_led_set;
++ asus->kbd_led.brightness_set_blocking = kbd_led_set;
+ asus->kbd_led.brightness_get = kbd_led_get;
+ asus->kbd_led.max_brightness = 3;
+
+--
+2.51.0
+
diff --git a/queue-5.15/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch b/queue-5.15/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch
new file mode 100644
index 0000000000..7ed107658d
--- /dev/null
+++ b/queue-5.15/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch
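Review bot: kbd_led_set() now has the int return type that `brightness_set_blocking` expects but returns 0 unconditionally, and do_kbd_led_set() is still `static void` (visible in the hunk header), so a failed WMI call is reported to the LED core as success. If kbd_led_update() can report an error (its definition is outside the hunk), propagating it, e.g. `return do_kbd_led_set(led_cdev, value);` after changing that helper to return int, would make the new return value meaningful. A short comment on kbd_led_set() saying that it may sleep, and is therefore registered as the blocking callback, would keep it from being moved back to `brightness_set`.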
@@ -0,0 +1,51 @@
+From e6b540855a9ecf18e0092298870256905cdbdd50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Dec 2025 19:39:34 +0000
+Subject: regulator: fixed: Rely on the core freeing the enable GPIO
+
+From: Mark Brown
+
+[ Upstream commit 79a45ddcdbba330f5139c7c7ff7042d69cf147b2 ]
+
+In order to simplify ownership rules for enable GPIOs supplied by drivers
+regulator_register() always takes ownership of them, even if it ends up
+failing for some other reason. We therefore should not free the GPIO if
+registration fails but just let the core worry about things.
+
+Fixes: 636f4618b1cd (regulator: fixed: fix GPIO descriptor leak on register failure)
+Reported-by: Diederik de Haas
+Closes: https://lore.kernel.org/r/DEPEYUF5BRGY.UKFBWRRE8HNP@cknow-tech.com
+Tested-by: Diederik de Haas
+Signed-off-by: Mark Brown
+Link: https://patch.msgid.link/20251204-regulator-fixed-fix-gpiod-leak-v1-1-48efea5b82c2@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/fixed.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c
+index adc21b1bad94b..6702fcdc8691e 100644
+--- a/drivers/regulator/fixed.c
++++ b/drivers/regulator/fixed.c
+@@ -286,13 +286,10 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev)
+
+ drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc,
+ &cfg);
+- if (IS_ERR(drvdata->dev)) {
+- ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev),
+- "Failed to register regulator: %ld\n",
+- PTR_ERR(drvdata->dev));
+- gpiod_put(cfg.ena_gpiod);
+- return ret;
+- }
++ if (IS_ERR(drvdata->dev))
++ return dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev),
++ "Failed to register regulator: %ld\n",
++ PTR_ERR(drvdata->dev));
+
+ platform_set_drvdata(pdev, drvdata);
+
+--
+2.51.0
+
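Review bot: Nothing at the error return in `reg_fixed_voltage_probe()` records why `cfg.ena_gpiod` is deliberately not released, and the commit being fixed (636f4618b1cd) shows how easily a `gpiod_put()` gets added back there, which would release a descriptor the core already owns. A one-line comment above the `IS_ERR()` check would pin the ownership rule from the commit message: `/* regulator_register() takes ownership of cfg.ena_gpiod even when it fails */`. Separately, `dev_err_probe()` already prints the error code, so the trailing `%ld` with `PTR_ERR(drvdata->dev)` repeats it and the message could be just `"Failed to register regulator\n"`. The probe function starts and ends outside the hunk.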
diff --git a/queue-5.15/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-5.15/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch
new file mode 100644
index 0000000000..7cf553b478
--- /dev/null
+++ b/queue-5.15/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch
@@ -0,0 +1,48 @@
+From 2b464b4c902af1a34f560f4f1b327ce24970e3ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 13:39:38 -0500
+Subject: Revert "nfs: clear SB_RDONLY before getting superblock"
+
+From: Trond Myklebust
+
+[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ]
+
+This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18.
+
+Silently ignoring the "ro" and "rw" mount options causes user confusion,
+and regressions.
+
+Reported-by: Alkis Georgopoulos
+Cc: Li Lingfeng
+Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/super.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index aa11a6dcf6ce7..f91cb1267b44e 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1269,17 +1269,8 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (IS_ERR(server))
+ return PTR_ERR(server);
+
+- /*
+- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
+- * superblock among each filesystem that mounts sub-directories
+- * belonging to a single exported root path.
+- * To prevent interference between different filesystems, the
+- * SB_RDONLY flag should be removed from the superblock.
+- */
+ if (server->flags & NFS_MOUNT_UNSHARED)
+ compare_super = NULL;
+- else
+- fc->sb_flags &= ~SB_RDONLY;
+
+ /* -o noac implies -o sync */
+ if (server->flags & NFS_MOUNT_NOAC)
+--
+2.51.0
+
diff --git a/queue-5.15/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch b/queue-5.15/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch
new file mode 100644
index 0000000000..0153292440
--- /dev/null
+++ b/queue-5.15/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch
@@ -0,0 +1,39 @@
+From c454883466e0677bde7fa624fd0e09f1d91f1a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 13:39:45 -0500
+Subject: Revert "nfs: ignore SB_RDONLY when mounting nfs"
+
+From: Trond Myklebust
+
+[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ]
+
+This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3.
+
+Silently ignoring the "ro" and "rw" mount options causes user confusion,
+and regressions.
+
+Reported-by: Alkis Georgopoulos
+Cc: Li Lingfeng
+Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
+index 00066057b1415..fc0a34e488617 100644
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -11,7 +11,7 @@
+ #include
+ #include
+
+-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS)
++#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS)
+
+ extern const struct export_operations nfs_export_ops;
+
+--
+2.51.0
+
diff --git a/queue-5.15/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-5.15/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch
new file mode 100644
index 0000000000..20a25f6071
--- /dev/null
+++ b/queue-5.15/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch
@@ -0,0 +1,47 @@
+From cfe7728328528bb76cd6176d597678df32167e55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 13:39:07 -0500
+Subject: Revert "nfs: ignore SB_RDONLY when remounting nfs"
+
+From: Trond Myklebust
+
+[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ]
+
+This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a.
+
+Silently ignoring the "ro" and "rw" mount options causes user confusion,
+and regressions.
+
+Reported-by: Alkis Georgopoulos
+Cc: Li Lingfeng
+Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/super.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index cc70800b9a4b2..aa11a6dcf6ce7 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1017,16 +1017,6 @@ int nfs_reconfigure(struct fs_context *fc)
+
+ sync_filesystem(sb);
+
+- /*
+- * The SB_RDONLY flag has been removed from the superblock during
+- * mounts to prevent interference between different filesystems.
+- * Similarly, it is also necessary to ignore the SB_RDONLY flag
+- * during reconfiguration; otherwise, it may also result in the
+- * creation of redundant superblocks when mounting a directory with
+- * different rw and ro flags multiple times.
+- */
+- fc->sb_flags_mask &= ~SB_RDONLY;
+-
+ /*
+ * Userspace mount programs that send binary options generally send
+ * them populated with default values. We have no way to know which
+--
+2.51.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 8fb64ae9b5..4449302c62 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -166,3 +166,29 @@ perf-tools-fix-split-kallsyms-dso-counting.patch pinctrl-single-fix-pin_config_bias_disable-handling.patch pinctrl-single-fix-incorrect-type-for-error-return-v.patch fbdev-ssd1307fb-fix-potential-page-leak-in-ssd1307fb.patch +nfs-label-the-dentry-with-a-verifier-in-nfs_rmdir-an.patch +nfs-don-t-unhash-dentry-during-unlink-rename.patch +nfs-avoid-changing-nlink-when-file-removes-and-attri.patch +fs-nls-fix-utf16-to-utf8-conversion.patch +nfsv4-add-some-support-for-case-insensitive-filesyst.patch +nfs-fix-the-verifier-for-case-sensitive-filesystem-i.patch +nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch +nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch +revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch +revert-nfs-clear-sb_rdonly-before-getting-superblock.patch +revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch +fs_context-drop-the-unused-lsm_flags-member.patch +nfs-automounted-filesystems-should-inherit-ro-noexec.patch +fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch +platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch +asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch +asoc-ak4458-disable-regulator-when-error-happens.patch +asoc-ak5558-disable-regulator-when-error-happens.patch +blk-mq-abort-suspend-when-wakeup-events-are-pending.patch +block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch +regulator-fixed-rely-on-the-core-freeing-the-enable-.patch +dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch +alsa-uapi-fix-typo-in-asound.h-comment.patch +arm-9464-1-fix-input-only-operand-modification-in-lo.patch +dm-raid-fix-possible-null-dereference-with-undefined.patch +dm-log-writes-add-missing-set_freezable-for-freezabl.patch diff --git a/queue-6.1/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch b/queue-6.1/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch new file mode 100644 index 0000000000..1cb32358a4 --- /dev/null 
+++ b/queue-6.1/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch
@@ -0,0 +1,41 @@
+From ef5ad27203c4177061142cfc19f1651c580b45a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Dec 2025 13:16:41 +0800
+Subject: ALSA: firewire-motu: add bounds check in put_user loop for DSP events
+
+From: Junrui Luo
+
+[ Upstream commit 298e753880b6ea99ac30df34959a7a03b0878eed ]
+
+In the DSP event handling code, a put_user() loop copies event data.
+When the user buffer size is not aligned to 4 bytes, it could overwrite
+beyond the buffer boundary.
+
+Fix by adding a bounds check before put_user().
+
+Suggested-by: Takashi Iwai
+Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
+Signed-off-by: Junrui Luo
+Link: https://patch.msgid.link/SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/firewire/motu/motu-hwdep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c
+index 28885c8004aea..8519a9f9ce2c0 100644
+--- a/sound/firewire/motu/motu-hwdep.c
++++ b/sound/firewire/motu/motu-hwdep.c
+@@ -75,7 +75,7 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
+ while (consumed < count &&
+ snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) {
+ ptr = (u32 __user *)(buf + consumed);
+- if (put_user(ev, ptr))
++ if (consumed + sizeof(ev) > count || put_user(ev, ptr))
+ return -EFAULT;
+ consumed += sizeof(ev);
+ }
+--
+2.51.0
+
diff --git a/queue-6.1/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch b/queue-6.1/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch
new file mode 100644
index 0000000000..d2f070eaba
--- /dev/null
+++ b/queue-6.1/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch
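Review bot: The size check sits after `snd_motu_register_dsp_message_parser_copy_event()` has already run in the loop condition, so when fewer than `sizeof(ev)` bytes remain the fetched event is thrown away (assuming that call dequeues it, which the hunk does not show) and the whole read fails with `-EFAULT`, including events copied in earlier iterations. `-EFAULT` also tells user space its pointer was bad when the buffer was merely short. Moving the bound into the loop condition avoids both, i.e. `while (consumed + sizeof(ev) <= count &&` in front of the unchanged parser call, leaving `if (put_user(ev, ptr))` as it was. `hwdep_read()` begins and ends outside the hunk.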
@@ -0,0 +1,48 @@
+From 81f80db99b334f2f3574f8f7949464449c351f5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 12:27:03 +0800
+Subject: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
+
+From: Junrui Luo
+
+[ Upstream commit 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 ]
+
+The DSP event handling code in hwdep_read() could write more bytes to
+the user buffer than requested, when a user provides a buffer smaller
+than the event header size (8 bytes).
+
+Fix by using min_t() to clamp the copy size, This ensures we never copy
+more than the user requested.
+
+Reported-by: Yuhao Jiang
+Reported-by: Junrui Luo
+Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
+Signed-off-by: Junrui Luo
+Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/firewire/motu/motu-hwdep.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c
+index a220ac0c8eb83..28885c8004aea 100644
+--- a/sound/firewire/motu/motu-hwdep.c
++++ b/sound/firewire/motu/motu-hwdep.c
+@@ -83,10 +83,11 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
+ event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE;
+ event.motu_register_dsp_change.count =
+ (consumed - sizeof(event.motu_register_dsp_change)) / 4;
+- if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change)))
++ if (copy_to_user(buf, &event,
++ min_t(long, count, sizeof(event.motu_register_dsp_change))))
+ return -EFAULT;
+
+- count = consumed;
++ count = min_t(long, count, consumed);
+ } else {
+ spin_unlock_irq(&motu->lock);
+
+--
+2.51.0
+
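Review bot: With `count` below `sizeof(event.motu_register_dsp_change)` the clamped `copy_to_user()` hands user space a truncated event header and the read still reports success, so the caller receives a record it cannot parse. Rejecting a buffer that cannot hold the header is cleaner than clamping, e.g. `if (count < sizeof(event.motu_register_dsp_change)) return -EINVAL;`; where that belongs, and whether `motu->lock` has to be dropped first, depends on code above the hunk. `min_t(long, count, ...)` also relies on `count` never being negative, which nothing in the hunk establishes. `hwdep_read()` continues on both sides of the hunk.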
diff --git a/queue-6.1/alsa-uapi-fix-typo-in-asound.h-comment.patch b/queue-6.1/alsa-uapi-fix-typo-in-asound.h-comment.patch
new file mode 100644
index 0000000000..b6f57e62c2
--- /dev/null
+++ b/queue-6.1/alsa-uapi-fix-typo-in-asound.h-comment.patch
@@ -0,0 +1,36 @@
+From 613f63bc5c6319d61ecf5218997e03f708acc200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 10:25:01 -0600
+Subject: ALSA: uapi: Fix typo in asound.h comment
+
+From: Andres J Rosa
+
+[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ]
+
+Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment.
+
+Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames")
+Signed-off-by: Andres J Rosa
+Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ include/uapi/sound/asound.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h
+index de6810e94abed..02b6f8eb0e29a 100644
+--- a/include/uapi/sound/asound.h
++++ b/include/uapi/sound/asound.h
+@@ -60,7 +60,7 @@ struct snd_cea_861_aud_if {
+ unsigned char db2_sf_ss; /* sample frequency and size */
+ unsigned char db3; /* not used, all zeros */
+ unsigned char db4_ca; /* channel allocation code */
+- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */
++ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */
+ };
+
+ /****************************************************************************
+--
+2.51.0
+
diff --git a/queue-6.1/arm-9464-1-fix-input-only-operand-modification-in-lo.patch b/queue-6.1/arm-9464-1-fix-input-only-operand-modification-in-lo.patch
new file mode 100644
index 0000000000..50c55b2bcb
--- /dev/null
+++ b/queue-6.1/arm-9464-1-fix-input-only-operand-modification-in-lo.patch
@@ -0,0 +1,67 @@ +From 85eda9b6cfaa01e2c614a1b958d9bfcc8bf2fe03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 03:19:45 +0100 +Subject: ARM: 9464/1: fix input-only operand modification in + load_unaligned_zeropad() + +From: Liyuan Pang + +[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ] + +In the inline assembly inside load_unaligned_zeropad(), the "addr" is +constrained as input-only operand. The compiler assumes that on exit +from the asm statement these operands contain the same values as they +had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior. + +Use a temporary variable "tmp" to handle it, instead of modifying the +input-only operand, just like what arm64's load_unaligned_zeropad() +does. + +Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs") +Co-developed-by: Xie Yuanbin +Signed-off-by: Xie Yuanbin +Signed-off-by: Liyuan Pang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/word-at-a-time.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h +index 352ab213520d2..2e6d0b4349f47 100644 +--- a/arch/arm/include/asm/word-at-a-time.h ++++ b/arch/arm/include/asm/word-at-a-time.h +@@ -66,7 +66,7 @@ static inline unsigned long find_zero(unsigned long mask) + */ + static inline unsigned long load_unaligned_zeropad(const void *addr) + { +- unsigned long ret, offset; ++ unsigned long ret, tmp; + + /* Load word from unaligned pointer addr */ + asm( +@@ -74,9 +74,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + "2:\n" + " .pushsection .text.fixup,\"ax\"\n" + " .align 2\n" +- "3: and %1, %2, #0x3\n" +- " bic %2, %2, #0x3\n" +- " ldr %0, [%2]\n" ++ "3: bic %1, %2, #0x3\n" ++ " ldr %0, 
[%1]\n" ++ " and %1, %2, #0x3\n" + " lsl %1, %1, #0x3\n" + #ifndef __ARMEB__ + " lsr %0, %0, %1\n" +@@ -89,7 +89,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + " .align 3\n" + " .long 1b, 3b\n" + " .popsection" +- : "=&r" (ret), "=&r" (offset) ++ : "=&r" (ret), "=&r" (tmp) + : "r" (addr), "Qo" (*(unsigned long *)addr)); + + return ret; +-- +2.51.0 + diff --git a/queue-6.1/asoc-ak4458-disable-regulator-when-error-happens.patch b/queue-6.1/asoc-ak4458-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..667c64a259 --- /dev/null +++ b/queue-6.1/asoc-ak4458-disable-regulator-when-error-happens.patch 
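Review bot: The fixup sequence in `load_unaligned_zeropad()` carries no comment saying that `%2` must stay unwritten, which is the whole reason `tmp` now serves first as the aligned address and then as the shift amount. A short comment above the `asm(` statement would keep a later edit from reintroducing the write, e.g. `/* addr (%2) is input-only: the fixup may write only ret (%0) and tmp (%1) */`.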
@@ -0,0 +1,45 @@
+From 3fc8fc653a43a73d6f23a55b3d3c6c36a18bb690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 18:05:28 +0800
+Subject: ASoC: ak4458: Disable regulator when error happens
+
+From: Shengjiu Wang
+
+[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ]
+
+Disable regulator in runtime resume when error happens to balance
+the reference count of regulator.
+
+Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/ak4458.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c
+index 1db73552c7466..fd7f2cc0abdc9 100644
+--- a/sound/soc/codecs/ak4458.c
++++ b/sound/soc/codecs/ak4458.c
+@@ -674,7 +674,15 @@ static int __maybe_unused ak4458_runtime_resume(struct device *dev)
+ regcache_cache_only(ak4458->regmap, false);
+ regcache_mark_dirty(ak4458->regmap);
+
+- return regcache_sync(ak4458->regmap);
++ ret = regcache_sync(ak4458->regmap);
++ if (ret)
++ goto err;
++
++ return 0;
++err:
++ regcache_cache_only(ak4458->regmap, true);
++ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies);
++ return ret;
+ }
+ #endif /* CONFIG_PM */
+
+--
+2.51.0
+
diff --git a/queue-6.1/asoc-ak5558-disable-regulator-when-error-happens.patch b/queue-6.1/asoc-ak5558-disable-regulator-when-error-happens.patch
new file mode 100644
index 0000000000..9159800548
--- /dev/null
+++ b/queue-6.1/asoc-ak5558-disable-regulator-when-error-happens.patch
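Review bot: The new `err:` path in `ak4458_runtime_resume()` undoes only the regcache mode and the supplies, so anything else the resume did before `regcache_sync()` (the earlier part of the function is not in the hunk) is left in its resumed state while the regulators go off. The error path should mirror the full runtime-suspend sequence rather than a subset of it, which is worth checking against the suspend callback. The label has a single user directly below `return 0;`, so the cleanup could also sit in an `if (ret) { ... }` block that falls through to one shared `return ret;`. The ak5558 patch that follows has the same shape, and the same question applies there.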
@@ -0,0 +1,45 @@
+From 54309fe884fda12afaa238dbe36d56ae755e814d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 18:05:29 +0800
+Subject: ASoC: ak5558: Disable regulator when error happens
+
+From: Shengjiu Wang
+
+[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ]
+
+Disable regulator in runtime resume when error happens to balance
+the reference count of regulator.
+
+Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/ak5558.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c
+index 60abcffe6a0ce..1b6515fba91e0 100644
+--- a/sound/soc/codecs/ak5558.c
++++ b/sound/soc/codecs/ak5558.c
+@@ -372,7 +372,15 @@ static int __maybe_unused ak5558_runtime_resume(struct device *dev)
+ regcache_cache_only(ak5558->regmap, false);
+ regcache_mark_dirty(ak5558->regmap);
+
+- return regcache_sync(ak5558->regmap);
++ ret = regcache_sync(ak5558->regmap);
++ if (ret)
++ goto err;
++
++ return 0;
++err:
++ regcache_cache_only(ak5558->regmap, true);
++ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies);
++ return ret;
+ }
+
+ static const struct dev_pm_ops ak5558_pm = {
+--
+2.51.0
+
diff --git a/queue-6.1/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch b/queue-6.1/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch
new file mode 100644
index 0000000000..48013fc2fd
--- /dev/null
+++ b/queue-6.1/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch
@@ -0,0 +1,44 @@
+From 32096a123b92e703a8cdffb233fc64e389d1335f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 18:16:42 +0800
+Subject: ASoC: bcm: bcm63xx-pcm-whistler: Check return value of
+ of_dma_configure()
+
+From: Haotian Zhang
+
+[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ]
+
+bcm63xx_soc_pcm_new() does not check the return value of
+of_dma_configure(), which may fail with -EPROBE_DEFER or
+other errors, allowing PCM setup to continue with incomplete
+DMA configuration.
+
+Add error checking for of_dma_configure() and return on failure.
+
+Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver")
+Signed-off-by: Haotian Zhang
+Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c
+index 2c600b017524f..760cb18870908 100644
+--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c
++++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c
+@@ -354,7 +354,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component,
+
+ i2s_priv = dev_get_drvdata(asoc_rtd_to_cpu(rtd, 0)->dev);
+
+- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
++ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
++ if (ret)
++ return ret;
+
+ ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32));
+ if (ret)
+--
+2.51.0
+
diff --git a/queue-6.1/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch b/queue-6.1/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch
new file mode 100644
index 0000000000..264b3f320e
--- /dev/null
+++ b/queue-6.1/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch
@@ -0,0 +1,73 @@
+From 2c50504c1c5d5d1f621ce26e18f4df0d59d19b38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 11:34:21 +0800
+Subject: blk-mq: Abort suspend when wakeup events are pending
+
+From: Cong Zhang
+
+[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ]
+
+During system suspend, wakeup capable IRQs for block device can be
+delayed, which can cause blk_mq_hctx_notify_offline() to hang
+indefinitely while waiting for pending request to complete.
+Skip the request waiting loop and abort suspend when wakeup events are
+pending to prevent the deadlock.
+
+Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
+Signed-off-by: Cong Zhang
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-mq.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 373a67a630f3b..d3ced0cff9161 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -24,6 +24,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -3510,6 +3511,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+ {
+ struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node,
+ struct blk_mq_hw_ctx, cpuhp_online);
++ int ret = 0;
+
+ if (!cpumask_test_cpu(cpu, hctx->cpumask) ||
+ !blk_mq_last_cpu_in_hctx(cpu, hctx))
+@@ -3531,12 +3533,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+ * frozen and there are no requests.
+ */
+ if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) {
+- while (blk_mq_hctx_has_requests(hctx))
++ while (blk_mq_hctx_has_requests(hctx)) {
++ /*
++ * The wakeup capable IRQ handler of block device is
++ * not called during suspend. Skip the loop by checking
++ * pm_wakeup_pending to prevent the deadlock and improve
++ * suspend latency.
++ */
++ if (pm_wakeup_pending()) {
++ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state);
++ ret = -EBUSY;
++ break;
++ }
+ msleep(5);
++ }
+ percpu_ref_put(&hctx->queue->q_usage_counter);
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int blk_mq_hctx_notify_online(unsigned int cpu, struct hlist_node *node)
+--
+2.51.0
+
diff --git a/queue-6.1/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch b/queue-6.1/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch
new file mode 100644
index 0000000000..88ae6279f8
--- /dev/null
+++ b/queue-6.1/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch
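Review bot: The `pm_wakeup_pending()` check in `blk_mq_hctx_notify_offline()` is not gated on a suspend being in progress, so it is evaluated on every offline of the last CPU of a hctx and the notifier can return `-EBUSY` for an ordinary hotplug request whenever that predicate is true. Whether the helper can report a pending state outside a suspend transition is not visible here; if it can, the condition needs an explicit suspend check alongside it. The in-code comment covers the suspend case but says neither that the return value fails the CPU offline nor why `BLK_MQ_S_INACTIVE` is cleared on the way out, so I would add `/* Mark the hctx active again and fail the offline so the hotplug core rolls back. */` above the `clear_bit()`.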
@@ -0,0 +1,44 @@
+From 2d5c624a210bcb1265e83311ef67191bc6d435e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 23:17:49 +0800
+Subject: block: fix comment for op_is_zone_mgmt() to include RESET_ALL
+
+From: shechenglong
+
+[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ]
+
+REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt()
+has returned true for it.
+
+Update the comment to remove the misleading exception note so
+the documentation matches the implementation.
+
+Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL")
+Signed-off-by: shechenglong
+Reviewed-by: Damien Le Moal
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ include/linux/blk_types.h | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
+index 83ede90bb106f..335bd6d0f6a5e 100644
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -510,10 +510,7 @@ static inline bool op_is_discard(blk_opf_t op)
+ }
+
+ /*
+- * Check if a bio or request operation is a zone management operation, with
+- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case
+- * due to its different handling in the block layer and device response in
+- * case of command failure.
++ * Check if a bio or request operation is a zone management operation.
+ */
+ static inline bool op_is_zone_mgmt(enum req_op op)
+ {
+--
+2.51.0
+
diff --git a/queue-6.1/dm-log-writes-add-missing-set_freezable-for-freezabl.patch b/queue-6.1/dm-log-writes-add-missing-set_freezable-for-freezabl.patch
new file mode 100644
index 0000000000..de8ec836ba
--- /dev/null
+++ b/queue-6.1/dm-log-writes-add-missing-set_freezable-for-freezabl.patch
@@ -0,0 +1,40 @@
+From a79a6553b165507b699647fc599c835245bd2c87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 15:41:03 +0800
+Subject: dm log-writes: Add missing set_freezable() for freezable kthread
+
+From: Haotian Zhang
+
+[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ]
+
+The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(),
+rendering the freeze attempt ineffective since kernel threads are
+non-freezable by default. This prevents proper thread suspension during
+system suspend/hibernate.
+
+Add set_freezable() to explicitly mark the thread as freezable.
+
+Fixes: 0e9cebe72459 ("dm: add log writes target")
+Signed-off-by: Haotian Zhang
+Reviewed-by: Benjamin Marzinski
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-log-writes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c
+index efdfb2e1868a4..4241f40f9ad26 100644
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -431,6 +431,7 @@ static int log_writes_kthread(void *arg)
+ struct log_writes_c *lc = (struct log_writes_c *)arg;
+ sector_t sector = 0;
+
++ set_freezable();
+ while (!kthread_should_stop()) {
+ bool super = false;
+ bool logging_enabled;
+--
+2.51.0
+
diff --git a/queue-6.1/dm-raid-fix-possible-null-dereference-with-undefined.patch b/queue-6.1/dm-raid-fix-possible-null-dereference-with-undefined.patch
new file mode 100644
index 0000000000..7267895a13
--- /dev/null
+++ b/queue-6.1/dm-raid-fix-possible-null-dereference-with-undefined.patch
@@ -0,0 +1,42 @@
+From d5a50634bf316e3aa228a2172e25b5230a042607 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 20:18:38 +0300
+Subject: dm-raid: fix possible NULL dereference with undefined raid type
+
+From: Alexey Simakov
+
+[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ]
+
+rs->raid_type is assigned from get_raid_type_by_ll(), which may return
+NULL. This NULL value could be dereferenced later in the condition
+'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'.
+
+Add a fail-fast check to return early with an error if raid_type is NULL,
+similar to other uses of this function.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping")
+Signed-off-by: Alexey Simakov
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-raid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index 21a1586c69a7f..3d9be184d4606 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2259,6 +2259,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev)
+
+ mddev->reshape_position = le64_to_cpu(sb->reshape_position);
+ rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout);
++ if (!rs->raid_type)
++ return -EINVAL;
+ }
+
+ } else {
+--
+2.51.0
+
diff --git a/queue-6.1/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch b/queue-6.1/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch
new file mode 100644
index 0000000000..fc01f3dbc0
--- /dev/null
+++ b/queue-6.1/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch
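Review bot: The new `-EINVAL` return in `super_init_validation()` is silent, although the level and layout handed to `get_raid_type_by_ll()` are presumably derived from the on-disk superblock (the neighbouring line reads `sb->reshape_position` through `le64_to_cpu()`), so whoever loads the table gets no hint which value was rejected. A message before the return would help, e.g. `DMERR("Unknown raid type for level %d, layout %d", mddev->level, mddev->layout);`. `mddev->reshape_position` has also already been assigned when the check fails, which is harmless only if the caller discards the set on error, and the hunk does not show that. The function extends beyond the hunk on both sides.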
@@ -0,0 +1,40 @@
+From 5eb8b7136e1eb69de74c2eab35927c60cfc43e3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 09:28:10 -0600
+Subject: dma/pool: eliminate alloc_pages warning in atomic_pool_expand
+
+From: Dave Kleikamp
+
+[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ]
+
+atomic_pool_expand iteratively tries the allocation while decrementing
+the page order. There is no need to issue a warning if an attempted
+allocation fails.
+
+Signed-off-by: Dave Kleikamp
+Reviewed-by: Robin Murphy
+Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone")
+[mszyprow: fixed typo]
+Signed-off-by: Marek Szyprowski
+Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com
+Signed-off-by: Sasha Levin
+---
+ kernel/dma/pool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c
+index 37d3ddd36ae5b..1e9d4cb018693 100644
+--- a/kernel/dma/pool.c
++++ b/kernel/dma/pool.c
+@@ -93,7 +93,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size,
+ page = dma_alloc_from_contiguous(NULL, 1 << order,
+ order, false);
+ if (!page)
+- page = alloc_pages(gfp, order);
++ page = alloc_pages(gfp | __GFP_NOWARN, order);
+ } while (!page && order-- > 0);
+ if (!page)
+ goto out;
+--
+2.51.0
+
diff --git a/queue-6.1/expand-the-type-of-nfs_fattr-valid.patch b/queue-6.1/expand-the-type-of-nfs_fattr-valid.patch
new file mode 100644
index 0000000000..aec6ef318e
--- /dev/null
+++ b/queue-6.1/expand-the-type-of-nfs_fattr-valid.patch
@@ -0,0 +1,127 @@ +From b15cf8ab254789d13971a55995ec80183a263b98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 06:45:45 -0400 +Subject: Expand the type of nfs_fattr->valid + +From: Trond Myklebust + +[ Upstream commit ce60ab3964782df9ba34f0a64c0bc766dd508bde ] + +We need to be able to track more than 32 attributes per inode. + +Signed-off-by: Trond Myklebust +Signed-off-by: Lance Shelton +Signed-off-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Link: https://lore.kernel.org/r/1e3405fca54efd0be7c91c1da77917b94f5dfcc4.1748515333.git.bcodding@redhat.com +Signed-off-by: Trond Myklebust +Stable-dep-of: 2b092175f5e3 ("NFS: Fix inheritance of the block sizes when automounting") +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 2 +- + include/linux/nfs_fs_sb.h | 2 +- + include/linux/nfs_xdr.h | 54 +++++++++++++++++++-------------------- + 3 files changed, 29 insertions(+), 29 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 627410be2e884..11e690942dbb3 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -2075,7 +2075,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr) + bool attr_changed = false; + bool have_delegation; + +- dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%x)\n", ++ dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%llx)\n", + __func__, inode->i_sb->s_id, inode->i_ino, + nfs_display_fhandle_hash(NFS_FH(inode)), + atomic_read(&inode->i_count), fattr->valid); +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index a9671f9300848..eb1d41d87be30 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -155,8 +155,8 @@ struct nfs_server { + #define NFS_MOUNT_WRITE_WAIT 0x02000000 + #define NFS_MOUNT_TRUNK_DISCOVERY 0x04000000 + +- unsigned int fattr_valid; /* Valid attributes */ + unsigned int caps; /* server capabilities */ ++ __u64 fattr_valid; /* Valid attributes */ + unsigned int rsize; /* read size */ + unsigned int rpages; /* 
read size (in pages) */ + unsigned int wsize; /* write size */ +diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h +index 2fd973d188c47..0a380d41e4d95 100644 +--- a/include/linux/nfs_xdr.h ++++ b/include/linux/nfs_xdr.h +@@ -45,7 +45,7 @@ struct nfs4_threshold { + }; + + struct nfs_fattr { +- unsigned int valid; /* which fields are valid */ ++ __u64 valid; /* which fields are valid */ + umode_t mode; + __u32 nlink; + kuid_t uid; +@@ -80,32 +80,32 @@ struct nfs_fattr { + struct nfs4_label *label; + }; + +-#define NFS_ATTR_FATTR_TYPE (1U << 0) +-#define NFS_ATTR_FATTR_MODE (1U << 1) +-#define NFS_ATTR_FATTR_NLINK (1U << 2) +-#define NFS_ATTR_FATTR_OWNER (1U << 3) +-#define NFS_ATTR_FATTR_GROUP (1U << 4) +-#define NFS_ATTR_FATTR_RDEV (1U << 5) +-#define NFS_ATTR_FATTR_SIZE (1U << 6) +-#define NFS_ATTR_FATTR_PRESIZE (1U << 7) +-#define NFS_ATTR_FATTR_BLOCKS_USED (1U << 8) +-#define NFS_ATTR_FATTR_SPACE_USED (1U << 9) +-#define NFS_ATTR_FATTR_FSID (1U << 10) +-#define NFS_ATTR_FATTR_FILEID (1U << 11) +-#define NFS_ATTR_FATTR_ATIME (1U << 12) +-#define NFS_ATTR_FATTR_MTIME (1U << 13) +-#define NFS_ATTR_FATTR_CTIME (1U << 14) +-#define NFS_ATTR_FATTR_PREMTIME (1U << 15) +-#define NFS_ATTR_FATTR_PRECTIME (1U << 16) +-#define NFS_ATTR_FATTR_CHANGE (1U << 17) +-#define NFS_ATTR_FATTR_PRECHANGE (1U << 18) +-#define NFS_ATTR_FATTR_V4_LOCATIONS (1U << 19) +-#define NFS_ATTR_FATTR_V4_REFERRAL (1U << 20) +-#define NFS_ATTR_FATTR_MOUNTPOINT (1U << 21) +-#define NFS_ATTR_FATTR_MOUNTED_ON_FILEID (1U << 22) +-#define NFS_ATTR_FATTR_OWNER_NAME (1U << 23) +-#define NFS_ATTR_FATTR_GROUP_NAME (1U << 24) +-#define NFS_ATTR_FATTR_V4_SECURITY_LABEL (1U << 25) ++#define NFS_ATTR_FATTR_TYPE BIT_ULL(0) ++#define NFS_ATTR_FATTR_MODE BIT_ULL(1) ++#define NFS_ATTR_FATTR_NLINK BIT_ULL(2) ++#define NFS_ATTR_FATTR_OWNER BIT_ULL(3) ++#define NFS_ATTR_FATTR_GROUP BIT_ULL(4) ++#define NFS_ATTR_FATTR_RDEV BIT_ULL(5) ++#define NFS_ATTR_FATTR_SIZE BIT_ULL(6) ++#define NFS_ATTR_FATTR_PRESIZE 
BIT_ULL(7) ++#define NFS_ATTR_FATTR_BLOCKS_USED BIT_ULL(8) ++#define NFS_ATTR_FATTR_SPACE_USED BIT_ULL(9) ++#define NFS_ATTR_FATTR_FSID BIT_ULL(10) ++#define NFS_ATTR_FATTR_FILEID BIT_ULL(11) ++#define NFS_ATTR_FATTR_ATIME BIT_ULL(12) ++#define NFS_ATTR_FATTR_MTIME BIT_ULL(13) ++#define NFS_ATTR_FATTR_CTIME BIT_ULL(14) ++#define NFS_ATTR_FATTR_PREMTIME BIT_ULL(15) ++#define NFS_ATTR_FATTR_PRECTIME BIT_ULL(16) ++#define NFS_ATTR_FATTR_CHANGE BIT_ULL(17) ++#define NFS_ATTR_FATTR_PRECHANGE BIT_ULL(18) ++#define NFS_ATTR_FATTR_V4_LOCATIONS BIT_ULL(19) ++#define NFS_ATTR_FATTR_V4_REFERRAL BIT_ULL(20) ++#define NFS_ATTR_FATTR_MOUNTPOINT BIT_ULL(21) ++#define NFS_ATTR_FATTR_MOUNTED_ON_FILEID BIT_ULL(22) ++#define NFS_ATTR_FATTR_OWNER_NAME BIT_ULL(23) ++#define NFS_ATTR_FATTR_GROUP_NAME BIT_ULL(24) ++#define NFS_ATTR_FATTR_V4_SECURITY_LABEL BIT_ULL(25) + + #define NFS_ATTR_FATTR (NFS_ATTR_FATTR_TYPE \ + | NFS_ATTR_FATTR_MODE \ +-- +2.51.0 + diff --git a/queue-6.1/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch b/queue-6.1/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch new file mode 100644 index 0000000000..134b015cec --- /dev/null +++ b/queue-6.1/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch 
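Review bot: Widening `nfs_fattr.valid` and `nfs_server.fattr_valid` to `__u64` is only safe if no user still holds these bits in a 32-bit variable, and the patch updates a single consumer, the `dfprintk()` format in nfs_update_inode. Any code in the 6.1 tree that copies `fattr->valid` or `server->fattr_valid` into an `unsigned int`, or prints it with `%x`, would truncate silently once a bit above 31 is defined. Those sites are not visible in this diff and need to be checked against the target tree rather than against upstream.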
@@ -0,0 +1,64 @@ +From 87ec5e66d52bae0ad525d20ec860cc59d2baeeae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 12:15:35 +0100 +Subject: fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ] + +After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"), +the return values of utf8_to_utf32() and utf32_to_utf8() are +inconsistent when encountering an error: utf8_to_utf32() returns -1, +while utf32_to_utf8() returns errno codes. Fix this inconsistency +by modifying utf8_to_utf32() to return errno codes as well. + +Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion") +Suggested-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + fs/nls/nls_base.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index 7eacded3c17d1..f072eb6b563f6 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu) + l &= t->lmask; + if (l < t->lval || l > UNICODE_MAX || + (l & SURROGATE_MASK) == SURROGATE_PAIR) +- return -1; ++ return -EILSEQ; ++ + *pu = (unicode_t) l; + return nc; + } + if (inlen <= nc) +- return -1; ++ return -EOVERFLOW; ++ + s++; + c = (*s ^ 0x80) & 0xFF; + if (c & 0xC0) +- return -1; ++ return -EILSEQ; ++ + l = (l << 6) | c; + } +- return -1; ++ return -EILSEQ; + } + EXPORT_SYMBOL(utf8_to_utf32); + +-- +2.51.0 + diff --git a/queue-6.1/fs-nls-fix-utf16-to-utf8-conversion.patch b/queue-6.1/fs-nls-fix-utf16-to-utf8-conversion.patch new file mode 100644 index 0000000000..6ea67bfdc7 --- /dev/null 
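Review bot: Changing utf8_to_utf32() from `-1` to `-EILSEQ`/`-EOVERFLOW` breaks any caller that tests the result with `== -1`, and this patch changes no caller. The companion patch for utf32_to_utf8() had to convert exactly such a test (`size == -1` to `size < 0` in utf16s_to_utf8s), so the same audit is needed for both functions in each stable tree this is queued for; a missed caller could treat a negative errno as a byte count. A short kernel-doc comment listing the two codes (`-EILSEQ` for malformed or out-of-range sequences, `-EOVERFLOW` when `inlen` ends inside a sequence) would make the contract explicit. The function begins outside the hunk.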
+++ b/queue-6.1/fs-nls-fix-utf16-to-utf8-conversion.patch 
@@ -0,0 +1,81 @@ +From 354f6b4770a5352e0d510ffabafcf8d91865cdd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 14:11:22 +0100 +Subject: fs/nls: Fix utf16 to utf8 conversion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 25524b6190295577e4918c689644451365e6466d ] + +Currently the function responsible for converting between utf16 and +utf8 strings will ignore any characters that cannot be converted. This +however also includes multi-byte characters that do not fit into the +provided string buffer. + +This can cause problems if such a multi-byte character is followed by +a single-byte character. In such a case the multi-byte character might +be ignored when the provided string buffer is too small, but the +single-byte character might fit and is thus still copied into the +resulting string. + +Fix this by stop filling the provided string buffer once a character +does not fit. In order to be able to do this extend utf32_to_utf8() +to return useful errno codes instead of -1. 
+ +Fixes: 74675a58507e ("NLS: update handling of Unicode") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + fs/nls/nls_base.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index a026dbd3593f6..7eacded3c17d1 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout) + + l = u; + if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR) +- return -1; ++ return -EILSEQ; + + nc = 0; + for (t = utf8_table; t->cmask && maxout; t++, maxout--) { +@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout) + return nc; + } + } +- return -1; ++ return -EOVERFLOW; + } + EXPORT_SYMBOL(utf32_to_utf8); + +@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian, + inlen--; + } + size = utf32_to_utf8(u, op, maxout); +- if (size == -1) { +- /* Ignore character and move on */ ++ if (size < 0) { ++ if (size == -EILSEQ) { ++ /* Ignore character and move on */ ++ continue; ++ } ++ /* ++ * Stop filling the buffer with data once a character ++ * does not fit anymore. ++ */ ++ break; + } else { + op += size; + maxout -= size; +-- +2.51.0 + diff --git a/queue-6.1/fs_context-drop-the-unused-lsm_flags-member.patch b/queue-6.1/fs_context-drop-the-unused-lsm_flags-member.patch new file mode 100644 index 0000000000..f197913615 --- /dev/null +++ b/queue-6.1/fs_context-drop-the-unused-lsm_flags-member.patch 
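Review bot: The new `break` on `-EOVERFLOW` in utf16s_to_utf8s stops the conversion early, but nothing visible in the hunk tells the caller that the output was cut short. If the function still returns only the number of bytes written (its end is outside the hunk), a truncated string is indistinguishable from a complete one, which matters where the input comes from a device or an on-disk structure. At minimum the function comment should state this, e.g. `/* Returns the number of bytes written; conversion stops at the first character that does not fit in maxout. */`.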
@@ -0,0 +1,79 @@ +From 01e835a5508bd3c9dd7c5949056c99d5140db01e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 14:07:51 +0100 +Subject: fs_context: drop the unused lsm_flags member + +From: Ondrej Mosnacek + +[ Upstream commit 4e04143c869c5b6d499fbd5083caa860d5c942c3 ] + +This isn't ever used by VFS now, and it couldn't even work. Any FS that +uses the SECURITY_LSM_NATIVE_LABELS flag needs to also process the +value returned back from the LSM, so it needs to do its +security_sb_set_mnt_opts() call on its own anyway. + +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Christian Brauner (Microsoft) +Stable-dep-of: 8675c69816e4 ("NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags") +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/mount_api.rst | 1 - + fs/nfs/super.c | 3 --- + include/linux/fs_context.h | 1 - + include/linux/security.h | 2 +- + 4 files changed, 1 insertion(+), 6 deletions(-) + +diff --git a/Documentation/filesystems/mount_api.rst b/Documentation/filesystems/mount_api.rst +index 253078b997990..c1c171da93885 100644 +--- a/Documentation/filesystems/mount_api.rst ++++ b/Documentation/filesystems/mount_api.rst +@@ -79,7 +79,6 @@ context. This is represented by the fs_context structure:: + unsigned int sb_flags; + unsigned int sb_flags_mask; + unsigned int s_iflags; +- unsigned int lsm_flags; + enum fs_context_purpose purpose:8; + ... 
+ }; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 3dffeb1d17b9c..cee68f34db85c 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1284,9 +1284,6 @@ int nfs_get_tree_common(struct fs_context *fc) + if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS) + fc->sb_flags |= SB_SYNCHRONOUS; + +- if (server->caps & NFS_CAP_SECURITY_LABEL) +- fc->lsm_flags |= SECURITY_LSM_NATIVE_LABELS; +- + /* Get a superblock - note that we may end up sharing one that already exists */ + fc->s_fs_info = server; + s = sget_fc(fc, compare_super, nfs_set_super); +diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h +index c861b2c894ba3..0b386c5c03342 100644 +--- a/include/linux/fs_context.h ++++ b/include/linux/fs_context.h +@@ -104,7 +104,6 @@ struct fs_context { + unsigned int sb_flags; /* Proposed superblock flags (SB_*) */ + unsigned int sb_flags_mask; /* Superblock flags that were changed */ + unsigned int s_iflags; /* OR'd with sb->s_iflags */ +- unsigned int lsm_flags; /* Information flags from the fs to the LSM */ + enum fs_context_purpose purpose:8; + enum fs_context_phase phase:8; /* The phase the context is in */ + bool need_free:1; /* Need to call ops->free() */ +diff --git a/include/linux/security.h b/include/linux/security.h +index c33c95f409eb6..600790f61f7d4 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -67,7 +67,7 @@ struct watch_notification; + /* If capable is being called by a setid function */ + #define CAP_OPT_INSETID BIT(2) + +-/* LSM Agnostic defines for fs_context::lsm_flags */ ++/* LSM Agnostic defines for security_sb_set_mnt_opts() flags */ + #define SECURITY_LSM_NATIVE_LABELS 1 + + struct ctl_table; +-- +2.51.0 + diff --git a/queue-6.1/nfs-automounted-filesystems-should-inherit-ro-noexec.patch b/queue-6.1/nfs-automounted-filesystems-should-inherit-ro-noexec.patch new file mode 100644 index 0000000000..6e7fec5abd --- /dev/null +++ b/queue-6.1/nfs-automounted-filesystems-should-inherit-ro-noexec.patch 
@@ -0,0 +1,65 @@ +From b0f87cfafec2de3d5cf1a3bc3034704159daa327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 14:22:44 -0500 +Subject: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync + flags + +From: Trond Myklebust + +[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ] + +When a filesystem is being automounted, it needs to preserve the +user-set superblock mount options, such as the "ro" flag. + +Reported-by: Li Lingfeng +Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ +Fixes: f2aedb713c28 ("NFS: Add fs_context support.") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/namespace.c | 6 ++++++ + fs/nfs/super.c | 4 ---- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index 88a23af2bd5c9..789baa1cf768c 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path) + struct vfsmount *mnt = ERR_PTR(-ENOMEM); + struct nfs_server *server = NFS_SB(path->dentry->d_sb); + struct nfs_client *client = server->nfs_client; ++ unsigned long s_flags = path->dentry->d_sb->s_flags; + int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout); + int ret; + +@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path) + fc->net_ns = get_net(client->cl_net); + } + ++ /* Inherit the flags covered by NFS_SB_MASK */ ++ fc->sb_flags_mask |= NFS_SB_MASK; ++ fc->sb_flags &= ~NFS_SB_MASK; ++ fc->sb_flags |= s_flags & NFS_SB_MASK; ++ + /* for submounts we want the same server; referrals will reassign */ + memcpy(&ctx->nfs_server._address, &client->cl_addr, client->cl_addrlen); + ctx->nfs_server.addrlen = client->cl_addrlen; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index cee68f34db85c..3a002bc75d22a 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1280,10 +1280,6 @@ int nfs_get_tree_common(struct fs_context *fc) + if (server->flags & 
NFS_MOUNT_NOAC) + fc->sb_flags |= SB_SYNCHRONOUS; + +- if (ctx->clone_data.sb) +- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS) +- fc->sb_flags |= SB_SYNCHRONOUS; +- + /* Get a superblock - note that we may end up sharing one that already exists */ + fc->s_fs_info = server; + s = sget_fc(fc, compare_super, nfs_set_super); +-- +2.51.0 + diff --git a/queue-6.1/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch b/queue-6.1/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch new file mode 100644 index 0000000000..3a02670493 --- /dev/null +++ b/queue-6.1/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch 
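Review bot: The block added to nfs_d_automount inherits whatever `NFS_SB_MASK` contains, and that macro's definition is not part of this patch, so the `ro,noexec,nodev,sync` behaviour promised in the subject depends on the definition in the tree being patched. For the 6.1 queue it is worth confirming that the mask includes `SB_RDONLY`; otherwise the submount of a read-only parent would still come up writable. The hunk in nfs_get_tree_common also removes the old `SB_SYNCHRONOUS` inheritance from `ctx->clone_data.sb`, which is safe only if every path that sets `clone_data.sb` goes through nfs_d_automount; those paths are outside the hunks.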
@@ -0,0 +1,97 @@ +From ea940b096a54df099109bd3e41ad5a4d437645db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 15:28:17 -0500 +Subject: NFS: Avoid changing nlink when file removes and attribute updates + race + +From: Trond Myklebust + +[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ] + +If a file removal races with another operation that updates its +attributes, then skip the change to nlink, and just mark the attributes +as being stale. + +Reported-by: Aiden Lambert +Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 3c98049912dfd..b54c92d8e2730 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1891,13 +1891,15 @@ static int nfs_dentry_delete(const struct dentry *dentry) + } + + /* Ensure that we revalidate inode->i_nlink */ +-static void nfs_drop_nlink(struct inode *inode) ++static void nfs_drop_nlink(struct inode *inode, unsigned long gencount) + { ++ struct nfs_inode *nfsi = NFS_I(inode); ++ + spin_lock(&inode->i_lock); + /* drop the inode if we're reasonably sure this is the last link */ +- if (inode->i_nlink > 0) ++ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount) + drop_nlink(inode); +- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter(); ++ nfsi->attr_gencount = nfs_inc_attr_generation_counter(); + nfs_set_cache_invalid( + inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME | + NFS_INO_INVALID_NLINK); +@@ -1911,8 +1913,9 @@ static void nfs_drop_nlink(struct inode *inode) + static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode) + { + if (dentry->d_flags & DCACHE_NFSFS_RENAMED) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); + nfs_complete_unlink(dentry, inode); +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, 
gencount); + } + iput(inode); + } +@@ -2465,9 +2468,11 @@ static int nfs_safe_remove(struct dentry *dentry) + + trace_nfs_remove_enter(dir, dentry); + if (inode != NULL) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); ++ + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == 0) +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, gencount); + } else + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == -ENOENT) +@@ -2672,6 +2677,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + { + struct inode *old_inode = d_inode(old_dentry); + struct inode *new_inode = d_inode(new_dentry); ++ unsigned long new_gencount = 0; + struct dentry *dentry = NULL; + struct rpc_task *task; + bool must_unblock = false; +@@ -2724,6 +2730,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + } else { + block_revalidate(new_dentry); + must_unblock = true; ++ new_gencount = NFS_I(new_inode)->attr_gencount; + spin_unlock(&new_dentry->d_lock); + } + +@@ -2763,7 +2770,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir, + new_dir, new_dentry, error); + if (!error) { + if (new_inode != NULL) +- nfs_drop_nlink(new_inode); ++ nfs_drop_nlink(new_inode, new_gencount); + /* + * The d_move() should be here instead of in an async RPC completion + * handler because we need the proper locks to move the dentry. If +-- +2.51.0 + diff --git a/queue-6.1/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch b/queue-6.1/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch new file mode 100644 index 0000000000..023c2d5107 --- /dev/null +++ b/queue-6.1/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch 
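Review bot: In nfs_rename the generation counter is sampled with a plain load, `new_gencount = NFS_I(new_inode)->attr_gencount;`, while the two other sites added by this patch (nfs_dentry_iput and nfs_safe_remove) use `READ_ONCE()`. For consistency this should read `new_gencount = READ_ONCE(NFS_I(new_inode)->attr_gencount);`. In addition, `new_gencount` starts at 0 and is assigned only in that one `else` branch, so any path that reaches `nfs_drop_nlink(new_inode, new_gencount)` without passing through it will most likely skip `drop_nlink()` and only invalidate the attributes. A comment stating that this is intended would help, since nfs_rename extends beyond the hunks.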
@@ -0,0 +1,178 @@ +From 36cadb3bc2f8c8a98a3ece2b7e0b2e80fdca74a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 16:06:41 -0500 +Subject: NFS: Fix inheritance of the block sizes when automounting + +From: Trond Myklebust + +[ Upstream commit 2b092175f5e301cdaa935093edfef2be9defb6df ] + +Only inherit the block sizes that were actually specified as mount +parameters for the parent mount. + +Fixes: 62a55d088cd8 ("NFS: Additional refactoring for fs_context conversion") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 21 +++++++++++++++++---- + fs/nfs/internal.h | 1 - + fs/nfs/namespace.c | 5 ++++- + fs/nfs/nfs4client.c | 18 ++++++++++++++---- + fs/nfs/super.c | 10 +++------- + include/linux/nfs_fs_sb.h | 5 +++++ + 6 files changed, 43 insertions(+), 17 deletions(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 2ca04dcb192aa..948bf8d7aed00 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -745,10 +745,18 @@ static int nfs_init_server(struct nfs_server *server, + server->fattr_valid = NFS_ATTR_FATTR_V4; + } + +- if (ctx->rsize) ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { + server->rsize = nfs_io_size(ctx->rsize, clp->cl_proto); +- if (ctx->wsize) ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { + server->wsize = nfs_io_size(ctx->wsize, clp->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +@@ -940,8 +948,13 @@ EXPORT_SYMBOL_GPL(nfs_probe_server); + void nfs_server_copy_userdata(struct nfs_server *target, struct nfs_server *source) + { + target->flags = source->flags; +- target->rsize = source->rsize; +- target->wsize = source->wsize; ++ target->automount_inherit = source->automount_inherit; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ 
target->bsize = source->bsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_RSIZE) ++ target->rsize = source->rsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_WSIZE) ++ target->wsize = source->wsize; + target->acregmin = source->acregmin; + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 323f50962a786..ec2e0d7ed7e36 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -145,7 +145,6 @@ struct nfs_fs_context { + struct super_block *sb; + struct dentry *dentry; + struct nfs_fattr *fattr; +- unsigned int inherited_bsize; + } clone_data; + }; + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index 789baa1cf768c..663f1a3f7cc3e 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -190,6 +190,10 @@ struct vfsmount *nfs_d_automount(struct path *path) + ctx->nfs_mod = client->cl_nfs_mod; + __module_get(ctx->nfs_mod->owner); + ++ /* Inherit block sizes if they were specified as mount parameters */ ++ if (server->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ ctx->bsize = server->bsize; ++ + ret = client->rpc_ops->submount(fc, server); + if (ret < 0) { + mnt = ERR_PTR(ret); +@@ -289,7 +293,6 @@ int nfs_do_submount(struct fs_context *fc) + return -ENOMEM; + + ctx->internal = true; +- ctx->clone_data.inherited_bsize = ctx->clone_data.sb->s_blocksize_bits; + + p = nfs_devname(dentry, buffer, 4096); + if (IS_ERR(p)) { +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 4cb405e343b83..f8a50f6453dd1 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1149,10 +1149,20 @@ static int nfs4_init_server(struct nfs_server *server, struct fs_context *fc) + if (error < 0) + return error; + +- if (ctx->rsize) +- server->rsize = nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); +- if (ctx->wsize) +- server->wsize = nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ 
server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { ++ server->rsize = ++ nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { ++ server->wsize = ++ nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 3a002bc75d22a..9a81f34362930 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1057,8 +1057,9 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) + sb->s_blocksize = 0; + sb->s_xattr = server->nfs_client->cl_nfs_mod->xattr; + sb->s_op = server->nfs_client->cl_nfs_mod->sops; +- if (ctx->bsize) +- sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits); ++ if (server->bsize) ++ sb->s_blocksize = ++ nfs_block_size(server->bsize, &sb->s_blocksize_bits); + + switch (server->nfs_client->rpc_ops->version) { + case 2: +@@ -1303,13 +1304,8 @@ int nfs_get_tree_common(struct fs_context *fc) + } + + if (!s->s_root) { +- unsigned bsize = ctx->clone_data.inherited_bsize; + /* initial superblock/root creation */ + nfs_fill_super(s, ctx); +- if (bsize) { +- s->s_blocksize_bits = bsize; +- s->s_blocksize = 1U << bsize; +- } + error = nfs_get_cache_cookie(s, ctx); + if (error < 0) + goto error_splat_super; +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index eb1d41d87be30..877d5523239cf 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -155,6 +155,11 @@ struct nfs_server { + #define NFS_MOUNT_WRITE_WAIT 0x02000000 + #define NFS_MOUNT_TRUNK_DISCOVERY 0x04000000 + ++ unsigned int automount_inherit; /* Properties inherited by automount */ ++#define NFS_AUTOMOUNT_INHERIT_BSIZE 0x0001 ++#define NFS_AUTOMOUNT_INHERIT_RSIZE 0x0002 ++#define NFS_AUTOMOUNT_INHERIT_WSIZE 0x0004 
++ + unsigned int caps; /* server capabilities */ + __u64 fattr_valid; /* Valid attributes */ + unsigned int rsize; /* read size */ +-- +2.51.0 + diff --git a/queue-6.1/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch b/queue-6.1/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch new file mode 100644 index 0000000000..6554b4a046 --- /dev/null +++ b/queue-6.1/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch @@ -0,0 +1,41 @@ +From 89259d40093faafb0555592958e43f1472ef2369 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:39:50 -0500 +Subject: NFS: Initialise verifiers for visible dentries in nfs_atomic_open() + +From: Trond Myklebust + +[ Upstream commit 518c32a1bc4f8df1a8442ee8cdfea3e2fcff20a0 ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in nfs_atomic_open(). + +Reported-by: Michael Stoler +Fixes: 809fd143de88 ("NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index c395b3ccaf6ec..a89c0528c858e 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2139,12 +2139,12 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry, + d_drop(dentry); + switch (err) { + case -ENOENT: +- d_splice_alias(NULL, dentry); + if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE)) + dir_verifier = inode_peek_iversion_raw(dir); + else + dir_verifier = nfs_save_change_attribute(dir); + nfs_set_verifier(dentry, dir_verifier); ++ d_splice_alias(NULL, dentry); + break; + case -EISDIR: + case -ENOTDIR: +-- +2.51.0 + diff --git a/queue-6.1/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch b/queue-6.1/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch new file mode 100644 index 0000000000..a785c55f59 --- /dev/null +++ b/queue-6.1/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch 
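Review bot: nfs_fill_super now reads `server->bsize` instead of `ctx->bsize`, but the nfs_fs_sb.h hunk adds only `automount_inherit` and its three flag macros. The patch therefore assumes that struct nfs_server already has a `bsize` member in the 6.1 tree and that it stays zero unless a mount parameter set it. If anything else in that tree writes `server->bsize`, the superblock block size would change for mounts that never passed a block size option. In nfs_server_copy_userdata the `rsize`/`wsize` copies are now conditional as well; if the intent is that unspecified sizes are determined afresh for the submount, a one-line comment saying so would record it.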
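Review bot: The reordering in the `-ENOENT` case of nfs_atomic_open is correct only as long as `nfs_set_verifier()` stays ahead of `d_splice_alias()`, and nothing in the code says so. A comment above the call, e.g. `/* set the verifier before d_splice_alias() makes the dentry visible */`, would keep a later cleanup from moving it back. The switch statement continues outside the hunk.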
@@ -0,0 +1,62 @@ +From e3c62ebed9500a14a9fea6d9dc84a775055f9027 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:36:16 -0500 +Subject: NFS: Initialise verifiers for visible dentries in readdir and lookup + +From: Trond Myklebust + +[ Upstream commit 9bd545539b233725a3416801f7c374bff0327d6e ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in both nfs_prime_dcache() and nfs_lookup(). + +Reported-by: Michael Stoler +Fixes: a1147b8281bd ("NFS: Fix up directory verifier races") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index b54c92d8e2730..c395b3ccaf6ec 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -788,16 +788,17 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry, + goto out; + } + ++ nfs_set_verifier(dentry, dir_verifier); + inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr); + alias = d_splice_alias(inode, dentry); + d_lookup_done(dentry); + if (alias) { + if (IS_ERR(alias)) + goto out; ++ nfs_set_verifier(alias, dir_verifier); + dput(dentry); + dentry = alias; + } +- nfs_set_verifier(dentry, dir_verifier); + trace_nfs_readdir_lookup(d_inode(parent), dentry, 0); + out: + dput(dentry); +@@ -1990,13 +1991,14 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in + nfs_lookup_advise_force_readdirplus(dir, flags); + + no_entry: ++ nfs_set_verifier(dentry, dir_verifier); + res = d_splice_alias(inode, dentry); + if (res != NULL) { + if (IS_ERR(res)) + goto out; ++ nfs_set_verifier(res, dir_verifier); + dentry = res; + } +- nfs_set_verifier(dentry, dir_verifier); + out: + trace_nfs_lookup_exit(dir, dentry, flags, PTR_ERR_OR_ZERO(res)); + nfs_free_fattr(fattr); +-- +2.51.0 + 
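Review bot: In both nfs_prime_dcache and nfs_lookup the alias returned by `d_splice_alias()` receives its verifier only afterwards (`nfs_set_verifier(alias, dir_verifier)` and `nfs_set_verifier(res, dir_verifier)`), so for the alias case the ordering described in the commit message is not achieved. If the alias is reachable by other lookups at that point, it may briefly be seen with its previous verifier; whether that matters depends on code outside these hunks. A comment on those two lines explaining why the late update is acceptable would settle the question for the next reader.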
diff --git a/queue-6.1/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch b/queue-6.1/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch new file mode 100644 index 0000000000..ee9b50bc28 --- /dev/null +++ b/queue-6.1/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch @@ -0,0 +1,43 @@ +From 48f2f07f41681e9e03d7cbe7d4f8f3985754fde2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 18:02:42 +0000 +Subject: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in + pnfs_mark_layout_stateid_invalid + +From: Jonathan Curley + +[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ] + +Fixes a crash when layout is null during this call stack: + +write_inode + -> nfs4_write_inode + -> pnfs_layoutcommit_inode + +pnfs_set_layoutcommit relies on the lseg refcount to keep the layout +around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt +to reference a null layout. + +Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid") +Signed-off-by: Jonathan Curley +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 86f008241c56b..43cd2d6a0836a 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -465,6 +465,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo, + struct pnfs_layout_segment *lseg, *next; + + set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags); ++ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags); + list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) + pnfs_clear_lseg_state(lseg, lseg_list); + pnfs_clear_layoutreturn_info(lo); +-- +2.51.0 + diff --git a/queue-6.1/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch b/queue-6.1/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch new file mode 100644 index 0000000000..738c797866 --- /dev/null +++ b/queue-6.1/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch 
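Review bot: Clearing `NFS_INO_LAYOUTCOMMIT` in pnfs_mark_layout_stateid_invalid avoids the crash only for layouts that are invalidated through this function; the NULL layout dereference that the commit message places on the pnfs_layoutcommit_inode path is not itself guarded by this patch. A defensive check in that path would make the fix independent of how the layout went away, though that function is not visible in this diff. The new line also appears to discard a pending layoutcommit, so a comment such as `/* nothing is left to commit once the layout stateid is invalid */` would document that this is deliberate.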
@@ -0,0 +1,78 @@ +From b554c361cfb7fb97230b73191caaeefa2aa2fddb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 11:13:08 +0100 +Subject: platform/x86: asus-wmi: use brightness_set_blocking() for kbd led +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anton Khirnov + +[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ] + +kbd_led_set() can sleep, and so may not be used as the brightness_set() +callback. + +Otherwise using this led with a trigger leads to system hangs +accompanied by: +BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003 +CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1 +Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024 +Call Trace: + + [...] + schedule_timeout+0xbd/0x100 + __down_common+0x175/0x290 + down_timeout+0x67/0x70 + acpi_os_wait_semaphore+0x57/0x90 + [...] + asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi] + led_trigger_event+0x3f/0x60 + [...] 
+ +Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process") +Signed-off-by: Anton Khirnov +Reviewed-by: Andy Shevchenko +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 33eacb4fc4c45..ed6ea8782558c 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1046,14 +1046,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value) + kbd_led_update(asus); + } + +-static void kbd_led_set(struct led_classdev *led_cdev, +- enum led_brightness value) ++static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value) + { + /* Prevent disabling keyboard backlight on module unregister */ + if (led_cdev->flags & LED_UNREGISTERING) +- return; ++ return 0; + + do_kbd_led_set(led_cdev, value); ++ return 0; + } + + static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value) +@@ -1206,7 +1206,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus) + asus->kbd_led_wk = led_val; + asus->kbd_led.name = "asus::kbd_backlight"; + asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED; +- asus->kbd_led.brightness_set = kbd_led_set; ++ asus->kbd_led.brightness_set_blocking = kbd_led_set; + asus->kbd_led.brightness_get = kbd_led_get; + asus->kbd_led.max_brightness = 3; + +-- +2.51.0 + diff --git a/queue-6.1/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch b/queue-6.1/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch new file mode 100644 index 0000000000..d820f0dcf5 --- /dev/null +++ b/queue-6.1/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch 
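Review bot: `kbd_led_set()` now has the `brightness_set_blocking` signature but returns 0 on every path, so the LED core is always told the update succeeded. `do_kbd_led_set()` is `void` in the context lines, so its result cannot be propagated without changing that helper, whose body lies outside the hunk. If the underlying firmware call can fail, letting the helper return `int` and ending the callback with `return do_kbd_led_set(led_cdev, value);` would make the return value meaningful. Otherwise a comment on the final `return 0;`, such as `/* errors from the update are intentionally not reported */`, would document the choice.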
@@ -0,0 +1,51 @@ +From d38f207dd2e42072d7cab3e89b0228b743123337 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 19:39:34 +0000 +Subject: regulator: fixed: Rely on the core freeing the enable GPIO + +From: Mark Brown + +[ Upstream commit 79a45ddcdbba330f5139c7c7ff7042d69cf147b2 ] + +In order to simplify ownership rules for enable GPIOs supplied by drivers +regulator_register() always takes ownership of them, even if it ends up +failing for some other reason. We therefore should not free the GPIO if +registration fails but just let the core worry about things. + +Fixes: 636f4618b1cd (regulator: fixed: fix GPIO descriptor leak on register failure) +Reported-by: Diederik de Haas +Closes: https://lore.kernel.org/r/DEPEYUF5BRGY.UKFBWRRE8HNP@cknow-tech.com +Tested-by: Diederik de Haas +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20251204-regulator-fixed-fix-gpiod-leak-v1-1-48efea5b82c2@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index e273275e60259..40d6ec16fde9d 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -283,13 +283,10 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + + drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc, + &cfg); +- if (IS_ERR(drvdata->dev)) { +- ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), +- "Failed to register regulator: %ld\n", +- PTR_ERR(drvdata->dev)); +- gpiod_put(cfg.ena_gpiod); +- return ret; +- } ++ if (IS_ERR(drvdata->dev)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), ++ "Failed to register regulator: %ld\n", ++ PTR_ERR(drvdata->dev)); + + platform_set_drvdata(pdev, drvdata); + +-- +2.51.0 + 
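Review bot: The message passed to `dev_err_probe()` still formats `PTR_ERR(drvdata->dev)` with `%ld`, although `dev_err_probe()` already prints the error it is handed, so the code shows up twice in the log line. `return dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), "Failed to register regulator\n");` says the same with less. The reason `gpiod_put()` was dropped is an ownership rule that the code itself does not show. A one-line comment above the check, such as `/* the regulator core owns cfg.ena_gpiod even when registration fails */`, would keep a later cleanup from putting the descriptor a second time. The probe function starts and ends outside the hunk.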
diff --git a/queue-6.1/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-6.1/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch new file mode 100644 index 0000000000..9045ff3725 --- /dev/null +++ b/queue-6.1/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch @@ -0,0 +1,48 @@ +From 39dddd84120f7a99dd112db3b54a5f450f4ced48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:38 -0500 +Subject: Revert "nfs: clear SB_RDONLY before getting superblock" + +From: Trond Myklebust + +[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ] + +This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index a4679cd75f70a..3dffeb1d17b9c 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1273,17 +1273,8 @@ int nfs_get_tree_common(struct fs_context *fc) + if (IS_ERR(server)) + return PTR_ERR(server); + +- /* +- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a +- * superblock among each filesystem that mounts sub-directories +- * belonging to a single exported root path. +- * To prevent interference between different filesystems, the +- * SB_RDONLY flag should be removed from the superblock. +- */ + if (server->flags & NFS_MOUNT_UNSHARED) + compare_super = NULL; +- else +- fc->sb_flags &= ~SB_RDONLY; + + /* -o noac implies -o sync */ + if (server->flags & NFS_MOUNT_NOAC) +-- +2.51.0 + diff --git a/queue-6.1/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch b/queue-6.1/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch new file mode 100644 index 0000000000..92122a04fa --- /dev/null 
+++ b/queue-6.1/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch @@ -0,0 +1,39 @@ +From a35ece0d11dfeda97808a486a04e3a7721f26683 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:45 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when mounting nfs" + +From: Trond Myklebust + +[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ] + +This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index f6ed7113092e4..323f50962a786 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -11,7 +11,7 @@ + #include + #include + +-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) ++#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) + + extern const struct export_operations nfs_export_ops; + +-- +2.51.0 + diff --git a/queue-6.1/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-6.1/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch new file mode 100644 index 0000000000..4b64568f29 --- /dev/null +++ b/queue-6.1/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch 
@@ -0,0 +1,47 @@ +From c0cb530ba4da5fb968c7b606aa572b1ce2ea51ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:07 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when remounting nfs" + +From: Trond Myklebust + +[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ] + +This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 2dca011da034e..a4679cd75f70a 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1017,16 +1017,6 @@ int nfs_reconfigure(struct fs_context *fc) + + sync_filesystem(sb); + +- /* +- * The SB_RDONLY flag has been removed from the superblock during +- * mounts to prevent interference between different filesystems. +- * Similarly, it is also necessary to ignore the SB_RDONLY flag +- * during reconfiguration; otherwise, it may also result in the +- * creation of redundant superblocks when mounting a directory with +- * different rw and ro flags multiple times. +- */ +- fc->sb_flags_mask &= ~SB_RDONLY; +- + /* + * Userspace mount programs that send binary options generally send + * them populated with default values. We have no way to know which +-- +2.51.0 + diff --git a/queue-6.1/rtc-gamecube-check-the-return-value-of-ioremap.patch b/queue-6.1/rtc-gamecube-check-the-return-value-of-ioremap.patch new file mode 100644 index 0000000000..120a9c1fa6 --- /dev/null +++ b/queue-6.1/rtc-gamecube-check-the-return-value-of-ioremap.patch 
@@ -0,0 +1,44 @@ +From 9b8a39e5402341e9a36faac8fce60202aba37b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 16:06:25 +0800 +Subject: rtc: gamecube: Check the return value of ioremap() + +From: Haotian Zhang + +[ Upstream commit d1220e47e4bd2be8b84bc158f4dea44f2f88b226 ] + +The function ioremap() in gamecube_rtc_read_offset_from_sram() can fail +and return NULL, which is dereferenced without checking, leading to a +NULL pointer dereference. + +Add a check for the return value of ioremap() and return -ENOMEM on +failure. + +Fixes: 86559400b3ef ("rtc: gamecube: Add a RTC driver for the GameCube, Wii and Wii U") +Signed-off-by: Haotian Zhang +Reviewed-by: Link Mauve +Link: https://patch.msgid.link/20251126080625.1752-1-vulab@iscas.ac.cn +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-gamecube.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/rtc/rtc-gamecube.c b/drivers/rtc/rtc-gamecube.c +index c828bc8e05b9c..045d5d45ab4b0 100644 +--- a/drivers/rtc/rtc-gamecube.c ++++ b/drivers/rtc/rtc-gamecube.c +@@ -242,6 +242,10 @@ static int gamecube_rtc_read_offset_from_sram(struct priv *d) + } + + hw_srnprot = ioremap(res.start, resource_size(&res)); ++ if (!hw_srnprot) { ++ pr_err("failed to ioremap hw_srnprot\n"); ++ return -ENOMEM; ++ } + old = ioread32be(hw_srnprot); + + /* TODO: figure out why we use this magic constant. I obtained it by +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index b4576f9145..607f779754 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -184,3 +184,31 @@ perf-tools-fix-split-kallsyms-dso-counting.patch pinctrl-single-fix-pin_config_bias_disable-handling.patch pinctrl-single-fix-incorrect-type-for-error-return-v.patch fbdev-ssd1307fb-fix-potential-page-leak-in-ssd1307fb.patch +nfs-avoid-changing-nlink-when-file-removes-and-attri.patch +fs-nls-fix-utf16-to-utf8-conversion.patch +nfs-initialise-verifiers-for-visible-dentries-in-rea.patch +nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch +nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch +revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch +revert-nfs-clear-sb_rdonly-before-getting-superblock.patch +revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch +fs_context-drop-the-unused-lsm_flags-member.patch +nfs-automounted-filesystems-should-inherit-ro-noexec.patch +expand-the-type-of-nfs_fattr-valid.patch +nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch +fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch +platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch +asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch +asoc-ak4458-disable-regulator-when-error-happens.patch +asoc-ak5558-disable-regulator-when-error-happens.patch +blk-mq-abort-suspend-when-wakeup-events-are-pending.patch +block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch +regulator-fixed-rely-on-the-core-freeing-the-enable-.patch +alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch +dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch +alsa-uapi-fix-typo-in-asound.h-comment.patch +rtc-gamecube-check-the-return-value-of-ioremap.patch +alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch +arm-9464-1-fix-input-only-operand-modification-in-lo.patch +dm-raid-fix-possible-null-dereference-with-undefined.patch +dm-log-writes-add-missing-set_freezable-for-freezabl.patch 
diff --git a/queue-6.12/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch b/queue-6.12/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch new file mode 100644 index 0000000000..3fda0370fd --- /dev/null +++ b/queue-6.12/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch @@ -0,0 +1,41 @@ +From 5083ee6d9fe0cf8d36e9d8e3dc0a937436db770d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 13:16:41 +0800 +Subject: ALSA: firewire-motu: add bounds check in put_user loop for DSP events + +From: Junrui Luo + +[ Upstream commit 298e753880b6ea99ac30df34959a7a03b0878eed ] + +In the DSP event handling code, a put_user() loop copies event data. +When the user buffer size is not aligned to 4 bytes, it could overwrite +beyond the buffer boundary. + +Fix by adding a bounds check before put_user(). + +Suggested-by: Takashi Iwai +Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 28885c8004aea..8519a9f9ce2c0 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -75,7 +75,7 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, + while (consumed < count && + snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) { + ptr = (u32 __user *)(buf + consumed); +- if (put_user(ev, ptr)) ++ if (consumed + sizeof(ev) > count || put_user(ev, ptr)) + return -EFAULT; + consumed += sizeof(ev); + } +-- +2.51.0 + 
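Review bot: The added size test in the `put_user()` loop of hwdep_read() runs only after `snd_motu_register_dsp_message_parser_copy_event()` has already handed back an event. When fewer than `sizeof(ev)` bytes remain, the read fails with -EFAULT, and the event is presumably gone from the queue; the parser is outside the hunk, so that needs confirming. A buffer whose length is not a multiple of four is not a bad address. Testing the remaining room in the loop condition, `while (consumed + sizeof(ev) <= count &&`, would stop before fetching the event and let the read return what was already copied. The comparison also mixes the signed `long count` with a `sizeof` term, so a comment stating that `count` is never negative here would help. The function body continues outside the hunk.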
diff --git a/queue-6.12/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch b/queue-6.12/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch new file mode 100644 index 0000000000..f2cd17d22a --- /dev/null +++ b/queue-6.12/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch 
@@ -0,0 +1,48 @@ +From f9a4576c672bce56e5130333ae89297fef739ae4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 12:27:03 +0800 +Subject: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events + +From: Junrui Luo + +[ Upstream commit 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 ] + +The DSP event handling code in hwdep_read() could write more bytes to +the user buffer than requested, when a user provides a buffer smaller +than the event header size (8 bytes). + +Fix by using min_t() to clamp the copy size, This ensures we never copy +more than the user requested. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index a220ac0c8eb83..28885c8004aea 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -83,10 +83,11 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, + event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE; + event.motu_register_dsp_change.count = + (consumed - sizeof(event.motu_register_dsp_change)) / 4; +- if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change))) ++ if (copy_to_user(buf, &event, ++ min_t(long, count, sizeof(event.motu_register_dsp_change)))) + return -EFAULT; + +- count = consumed; ++ count = min_t(long, count, consumed); + } else { + spin_unlock_irq(&motu->lock); + +-- +2.51.0 + 
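Review bot: With `min_t(long, count, sizeof(event.motu_register_dsp_change))`, a caller whose buffer is shorter than the event header now gets a truncated header and a successful return, which it cannot tell apart from a complete event. A comment at the `copy_to_user()` call should say the truncation is intended, for example `/* buffer may be shorter than the header: copy only what fits */`. Both `min_t(long, ...)` uses also depend on `count` never being negative, since a negative value would be converted to a very large copy length. That is presumably guaranteed by the read path outside the hunk, and the comment should say so. hwdep_read() starts and ends outside the hunk.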
diff --git a/queue-6.12/alsa-uapi-fix-typo-in-asound.h-comment.patch b/queue-6.12/alsa-uapi-fix-typo-in-asound.h-comment.patch new file mode 100644 index 0000000000..f31c0f248d --- /dev/null +++ b/queue-6.12/alsa-uapi-fix-typo-in-asound.h-comment.patch @@ -0,0 +1,36 @@ +From e1716a90ba338d35a5415b10831f81bfe4ddad14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 10:25:01 -0600 +Subject: ALSA: uapi: Fix typo in asound.h comment + +From: Andres J Rosa + +[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ] + +Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment. + +Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames") +Signed-off-by: Andres J Rosa +Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/uapi/sound/asound.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h +index 4cd513215bcd8..f35e5b0561399 100644 +--- a/include/uapi/sound/asound.h ++++ b/include/uapi/sound/asound.h +@@ -60,7 +60,7 @@ struct snd_cea_861_aud_if { + unsigned char db2_sf_ss; /* sample frequency and size */ + unsigned char db3; /* not used, all zeros */ + unsigned char db4_ca; /* channel allocation code */ +- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */ ++ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */ + }; + + /**************************************************************************** +-- +2.51.0 + diff --git a/queue-6.12/arm-9464-1-fix-input-only-operand-modification-in-lo.patch b/queue-6.12/arm-9464-1-fix-input-only-operand-modification-in-lo.patch new file mode 100644 index 0000000000..db6ad5509a --- /dev/null +++ b/queue-6.12/arm-9464-1-fix-input-only-operand-modification-in-lo.patch 
@@ -0,0 +1,67 @@ +From 59ad078f1311cf499911264c0b17c22403cb9030 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 03:19:45 +0100 +Subject: ARM: 9464/1: fix input-only operand modification in + load_unaligned_zeropad() + +From: Liyuan Pang + +[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ] + +In the inline assembly inside load_unaligned_zeropad(), the "addr" is +constrained as input-only operand. The compiler assumes that on exit +from the asm statement these operands contain the same values as they +had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior. + +Use a temporary variable "tmp" to handle it, instead of modifying the +input-only operand, just like what arm64's load_unaligned_zeropad() +does. + +Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs") +Co-developed-by: Xie Yuanbin +Signed-off-by: Xie Yuanbin +Signed-off-by: Liyuan Pang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/word-at-a-time.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h +index f9a3897b06e7f..5023f98d8293d 100644 +--- a/arch/arm/include/asm/word-at-a-time.h ++++ b/arch/arm/include/asm/word-at-a-time.h +@@ -67,7 +67,7 @@ static inline unsigned long find_zero(unsigned long mask) + */ + static inline unsigned long load_unaligned_zeropad(const void *addr) + { +- unsigned long ret, offset; ++ unsigned long ret, tmp; + + /* Load word from unaligned pointer addr */ + asm( +@@ -75,9 +75,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + "2:\n" + " .pushsection .text.fixup,\"ax\"\n" + " .align 2\n" +- "3: and %1, %2, #0x3\n" +- " bic %2, %2, #0x3\n" +- " ldr %0, [%2]\n" ++ "3: bic %1, %2, #0x3\n" ++ " ldr %0, 
[%1]\n" ++ " and %1, %2, #0x3\n" + " lsl %1, %1, #0x3\n" + #ifndef __ARMEB__ + " lsr %0, %0, %1\n" +@@ -90,7 +90,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + " .align 3\n" + " .long 1b, 3b\n" + " .popsection" +- : "=&r" (ret), "=&r" (offset) ++ : "=&r" (ret), "=&r" (tmp) + : "r" (addr), "Qo" (*(unsigned long *)addr)); + + return ret; +-- +2.51.0 + diff --git a/queue-6.12/asoc-ak4458-disable-regulator-when-error-happens.patch b/queue-6.12/asoc-ak4458-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..8c796b9aca --- /dev/null +++ b/queue-6.12/asoc-ak4458-disable-regulator-when-error-happens.patch 
@@ -0,0 +1,45 @@ +From 4251e6be4195cfead6756d1ad33aed2261310815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 18:05:28 +0800 +Subject: ASoC: ak4458: Disable regulator when error happens + +From: Shengjiu Wang + +[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ] + +Disable regulator in runtime resume when error happens to balance +the reference count of regulator. + +Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak4458.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c +index d472d99526287..fb1ab335a4c18 100644 +--- a/sound/soc/codecs/ak4458.c ++++ b/sound/soc/codecs/ak4458.c +@@ -676,7 +676,15 @@ static int __maybe_unused ak4458_runtime_resume(struct device *dev) + regcache_cache_only(ak4458->regmap, false); + regcache_mark_dirty(ak4458->regmap); + +- return regcache_sync(ak4458->regmap); ++ ret = regcache_sync(ak4458->regmap); ++ if (ret) ++ goto err; ++ ++ return 0; ++err: ++ regcache_cache_only(ak4458->regmap, true); ++ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies); ++ return ret; + } + #endif /* CONFIG_PM */ + +-- +2.51.0 + diff --git a/queue-6.12/asoc-ak5558-disable-regulator-when-error-happens.patch b/queue-6.12/asoc-ak5558-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..269ec141f7 --- /dev/null +++ b/queue-6.12/asoc-ak5558-disable-regulator-when-error-happens.patch 
@@ -0,0 +1,45 @@ +From 734ea1b00170cb36dd3b5bbcdd1bba14dea3a3cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 18:05:29 +0800 +Subject: ASoC: ak5558: Disable regulator when error happens + +From: Shengjiu Wang + +[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ] + +Disable regulator in runtime resume when error happens to balance +the reference count of regulator. + +Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak5558.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c +index 6c767609f95df..b1797319e4f57 100644 +--- a/sound/soc/codecs/ak5558.c ++++ b/sound/soc/codecs/ak5558.c +@@ -372,7 +372,15 @@ static int __maybe_unused ak5558_runtime_resume(struct device *dev) + regcache_cache_only(ak5558->regmap, false); + regcache_mark_dirty(ak5558->regmap); + +- return regcache_sync(ak5558->regmap); ++ ret = regcache_sync(ak5558->regmap); ++ if (ret) ++ goto err; ++ ++ return 0; ++err: ++ regcache_cache_only(ak5558->regmap, true); ++ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies); ++ return ret; + } + + static const struct dev_pm_ops ak5558_pm = { +-- +2.51.0 + diff --git a/queue-6.12/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch b/queue-6.12/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch new file mode 100644 index 0000000000..d982ffd6ca --- /dev/null +++ b/queue-6.12/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch 
@@ -0,0 +1,44 @@ +From 4559bbc1b840da4ca30482aef7678a797872c05c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 18:16:42 +0800 +Subject: ASoC: bcm: bcm63xx-pcm-whistler: Check return value of + of_dma_configure() + +From: Haotian Zhang + +[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ] + +bcm63xx_soc_pcm_new() does not check the return value of +of_dma_configure(), which may fail with -EPROBE_DEFER or +other errors, allowing PCM setup to continue with incomplete +DMA configuration. + +Add error checking for of_dma_configure() and return on failure. + +Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c +index 018f2372e892c..3fd7a03f1edaa 100644 +--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c ++++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c +@@ -354,7 +354,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component, + + i2s_priv = dev_get_drvdata(snd_soc_rtd_to_cpu(rtd, 0)->dev); + +- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1); ++ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1); ++ if (ret) ++ return ret; + + ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32)); + if (ret) +-- +2.51.0 + diff --git a/queue-6.12/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch b/queue-6.12/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch new file mode 100644 index 0000000000..f725c576c6 --- /dev/null +++ b/queue-6.12/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch 
@@ -0,0 +1,73 @@ +From e24bf2816719ef66211563cf4fac6e0bdfdbd777 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 11:34:21 +0800 +Subject: blk-mq: Abort suspend when wakeup events are pending + +From: Cong Zhang + +[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ] + +During system suspend, wakeup capable IRQs for block device can be +delayed, which can cause blk_mq_hctx_notify_offline() to hang +indefinitely while waiting for pending request to complete. +Skip the request waiting loop and abort suspend when wakeup events are +pending to prevent the deadlock. + +Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline") +Signed-off-by: Cong Zhang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index e1bca29dc358b..9115419d33ed9 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -3655,6 +3656,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + { + struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node, + struct blk_mq_hw_ctx, cpuhp_online); ++ int ret = 0; + + if (blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; +@@ -3675,12 +3677,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + * frozen and there are no requests. + */ + if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) { +- while (blk_mq_hctx_has_requests(hctx)) ++ while (blk_mq_hctx_has_requests(hctx)) { ++ /* ++ * The wakeup capable IRQ handler of block device is ++ * not called during suspend. Skip the loop by checking ++ * pm_wakeup_pending to prevent the deadlock and improve ++ * suspend latency. 
++ */ ++ if (pm_wakeup_pending()) { ++ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state); ++ ret = -EBUSY; ++ break; ++ } + msleep(5); ++ } + percpu_ref_put(&hctx->queue->q_usage_counter); + } + +- return 0; ++ return ret; + } + + /* +-- +2.51.0 + diff --git a/queue-6.12/block-fix-cached-zone-reports-on-devices-with-native.patch b/queue-6.12/block-fix-cached-zone-reports-on-devices-with-native.patch new file mode 100644 index 0000000000..509c8fd83b --- /dev/null +++ b/queue-6.12/block-fix-cached-zone-reports-on-devices-with-native.patch 
@@ -0,0 +1,67 @@ +From 921d4c53b5c0da92417ec6c8d7dc98ece9a01728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 03:10:37 +0100 +Subject: block: fix cached zone reports on devices with native zone append + +From: Johannes Thumshirn + +[ Upstream commit 2c38ec934ddfe2d35c813edea2674356bea0fabe ] + +When mounting a btrfs file system on virtio-blk which supports native +Zone Append there has been a WARN triggering in btrfs' space management +code. + +Further looking into btrfs' zoned statistics uncovered the filesystem +expecting the zones to be used, but the write pointers being 0: + # cat /sys/fs/btrfs/8eabd2e7-3294-4f9e-9b58-7e64135c8bf4/zoned_stats + active block-groups: 4 + reclaimable: 0 + unused: 0 + need reclaim: false + data relocation block-group: 1342177280 + active zones: + start: 1073741824, wp: 0 used: 0, reserved: 0, unusable: 0 + start: 1342177280, wp: 0 used: 0, reserved: 0, unusable: 0 + start: 1610612736, wp: 0 used: 16384, reserved: 0, unusable: 18446744073709535232 + start: 1879048192, wp: 0 used: 131072, reserved: 0, unusable: 18446744073709420544 + +Looking at the blkzone report output for the zone in question +(1610612736) the write pointer on the device moved, but the filesystem +did not see a change on the write pointer: + # blkzone report -c 1 -o 0x300000 /dev/vda + start: 0x000300000, len 0x080000, cap 0x080000, wptr 0x000040 reset:0 non-seq:0, zcond: 2(oi) [type: 2(SEQ_WRITE_REQUIRED)] + +The zone write pointer is 0, because btrfs is using the cached version +of blkdev_report_zones() and as virtio-blk is supporting native zone +append, but blkdev_revalidate_zones() does not initialize the zone write +plugs in this case. + +Not skipping the revalidate of sequential zones in +blkdev_revalidate_zones() callchain fixes this issue. 
+ +Signed-off-by: Johannes Thumshirn +Reviewed-by: Christoph Hellwig +Reviewed-by: Damien Le Moal +Fixes: a6aa36e957a1 ("block: Remove zone write plugs when handling native zone append writes") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-zoned.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-zoned.c b/block/blk-zoned.c +index f1160cc2cf85d..42b08796f6bc1 100644 +--- a/block/blk-zoned.c ++++ b/block/blk-zoned.c +@@ -1621,7 +1621,7 @@ static int blk_revalidate_seq_zone(struct blk_zone *zone, unsigned int idx, + * we have a zone write plug for such zone if the device has a zone + * write plug hash table. + */ +- if (!queue_emulates_zone_append(disk->queue) || !disk->zone_wplugs_hash) ++ if (!disk->zone_wplugs_hash) + return 0; + + disk_zone_wplug_sync_wp_offset(disk, zone); +-- +2.51.0 + diff --git a/queue-6.12/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch b/queue-6.12/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch new file mode 100644 index 0000000000..508c35e0e5 --- /dev/null +++ b/queue-6.12/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch 
@@ -0,0 +1,44 @@ +From 369097b0592232b65914f1d672b193a81e05b3a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 23:17:49 +0800 +Subject: block: fix comment for op_is_zone_mgmt() to include RESET_ALL + +From: shechenglong + +[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ] + +REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt() +has returned true for it. + +Update the comment to remove the misleading exception note so +the documentation matches the implementation. + +Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL") +Signed-off-by: shechenglong +Reviewed-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/blk_types.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h +index ce395ea451a25..f535a86aafcd6 100644 +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -464,10 +464,7 @@ static inline bool op_is_discard(blk_opf_t op) + } + + /* +- * Check if a bio or request operation is a zone management operation, with +- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case +- * due to its different handling in the block layer and device response in +- * case of command failure. ++ * Check if a bio or request operation is a zone management operation. + */ + static inline bool op_is_zone_mgmt(enum req_op op) + { +-- +2.51.0 + diff --git a/queue-6.12/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch b/queue-6.12/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch new file mode 100644 index 0000000000..c1d4b004ce --- /dev/null +++ b/queue-6.12/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch 
@@ -0,0 +1,55 @@ +From e08ffe1cd36858738feff4440b16884e9f1241ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 23:42:59 +0530 +Subject: block: fix memory leak in __blkdev_issue_zero_pages + +From: Shaurya Rane + +[ Upstream commit f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf ] + +Move the fatal signal check before bio_alloc() to prevent a memory +leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending. + +Previously, the bio was allocated before checking for a fatal signal. +If a signal was pending, the code would break out of the loop without +freeing or chaining the just-allocated bio, causing a memory leak. + +This matches the pattern already used in __blkdev_issue_write_zeroes() +where the signal check precedes the allocation. + +Fixes: bf86bcdb4012 ("blk-lib: check for kill signal in ioctl BLKZEROOUT") +Reported-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=527a7e48a3d3d315d862 +Signed-off-by: Shaurya Rane +Reviewed-by: Keith Busch +Tested-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-lib.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/block/blk-lib.c b/block/blk-lib.c +index 4c9f20a689f7b..8cb2987db786f 100644 +--- a/block/blk-lib.c ++++ b/block/blk-lib.c +@@ -200,13 +200,13 @@ static void __blkdev_issue_zero_pages(struct block_device *bdev, + unsigned int nr_vecs = __blkdev_sectors_to_bio_pages(nr_sects); + struct bio *bio; + +- bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask); +- bio->bi_iter.bi_sector = sector; +- + if ((flags & BLKDEV_ZERO_KILLABLE) && + fatal_signal_pending(current)) + break; + ++ bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask); ++ bio->bi_iter.bi_sector = sector; ++ + do { + unsigned int len, added; + +-- +2.51.0 + 
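Review bot: The relocated `bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask)` in __blkdev_issue_zero_pages() is still followed directly by `bio->bi_iter.bi_sector = sector;` with no NULL check, and `gfp_mask` comes from the caller. If any caller passes a mask that does not allow direct reclaim, the allocation can fail and the next line dereferences NULL. No caller is visible here, so this needs confirming. At minimum the requirement should be written down at the call, e.g. `/* gfp_mask must allow direct reclaim so bio_alloc() cannot return NULL */`. The loop header and the function tail lie outside the hunk, so how bios chained by earlier iterations are completed after the early `break` cannot be checked from here.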
diff --git a/queue-6.12/block-return-unsigned-int-from-queue_dma_alignment.patch b/queue-6.12/block-return-unsigned-int-from-queue_dma_alignment.patch new file mode 100644 index 0000000000..faf7761848 --- /dev/null +++ b/queue-6.12/block-return-unsigned-int-from-queue_dma_alignment.patch @@ -0,0 +1,40 @@ +From eddcf8e6e73dada1cdf8ddc38c7c361e63d5e482 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 17:09:19 +0100 +Subject: block: return unsigned int from queue_dma_alignment + +From: Christoph Hellwig + +[ Upstream commit ed5db174cf39374215934f21b04639a7a1513023 ] + +The underlying limit is defined as an unsigned int, so return that from +queue_dma_alignment as well. + +Signed-off-by: Christoph Hellwig +Reviewed-by: John Garry +Reviewed-by: Martin K. Petersen +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20241119160932.1327864-3-hch@lst.de +Signed-off-by: Jens Axboe +Stable-dep-of: 2c38ec934ddf ("block: fix cached zone reports on devices with native zone append") +Signed-off-by: Sasha Levin +--- + include/linux/blkdev.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index cd9c97f6f9484..11d0a1b8daa2c 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1450,7 +1450,7 @@ static inline bool bdev_is_zone_start(struct block_device *bdev, + int blk_zone_issue_zeroout(struct block_device *bdev, sector_t sector, + sector_t nr_sects, gfp_t gfp_mask); + +-static inline int queue_dma_alignment(const struct request_queue *q) ++static inline unsigned int queue_dma_alignment(const struct request_queue *q) + { + return q->limits.dma_alignment; + } +-- +2.51.0 + diff --git a/queue-6.12/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch b/queue-6.12/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch new file mode 100644 index 0000000000..3657312301 --- /dev/null +++ b/queue-6.12/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch 
@@ -0,0 +1,169 @@ +From 90a3007da5d8ad9ad8fc96384f1f7d99d0c7fa0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 13:17:02 -0800 +Subject: block: Use RCU in blk_mq_[un]quiesce_tagset() instead of + set->tag_list_lock + +From: Mohamed Khalfella + +[ Upstream commit 59e25ef2b413c72da6686d431e7759302cfccafa ] + +blk_mq_{add,del}_queue_tag_set() functions add and remove queues from +tagset, the functions make sure that tagset and queues are marked as +shared when two or more queues are attached to the same tagset. +Initially a tagset starts as unshared and when the number of added +queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along +with all the queues attached to it. When the number of attached queues +drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and +the remaining queues as unshared. + +Both functions need to freeze current queues in tagset before setting on +unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions +hold set->tag_list_lock mutex, which makes sense as we do not want +queues to be added or deleted in the process. This used to work fine +until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") +made the nvme driver quiesce tagset instead of quiscing individual +queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in +set->tag_list while holding set->tag_list_lock also. + +This results in deadlock between two threads with these stacktraces: + + __schedule+0x47c/0xbb0 + ? timerqueue_add+0x66/0xb0 + schedule+0x1c/0xa0 + schedule_preempt_disabled+0xa/0x10 + __mutex_lock.constprop.0+0x271/0x600 + blk_mq_quiesce_tagset+0x25/0xc0 + nvme_dev_disable+0x9c/0x250 + nvme_timeout+0x1fc/0x520 + blk_mq_handle_expired+0x5c/0x90 + bt_iter+0x7e/0x90 + blk_mq_queue_tag_busy_iter+0x27e/0x550 + ? __blk_mq_complete_request_remote+0x10/0x10 + ? __blk_mq_complete_request_remote+0x10/0x10 + ? 
__call_rcu_common.constprop.0+0x1c0/0x210 + blk_mq_timeout_work+0x12d/0x170 + process_one_work+0x12e/0x2d0 + worker_thread+0x288/0x3a0 + ? rescuer_thread+0x480/0x480 + kthread+0xb8/0xe0 + ? kthread_park+0x80/0x80 + ret_from_fork+0x2d/0x50 + ? kthread_park+0x80/0x80 + ret_from_fork_asm+0x11/0x20 + + __schedule+0x47c/0xbb0 + ? xas_find+0x161/0x1a0 + schedule+0x1c/0xa0 + blk_mq_freeze_queue_wait+0x3d/0x70 + ? destroy_sched_domains_rcu+0x30/0x30 + blk_mq_update_tag_set_shared+0x44/0x80 + blk_mq_exit_queue+0x141/0x150 + del_gendisk+0x25a/0x2d0 + nvme_ns_remove+0xc9/0x170 + nvme_remove_namespaces+0xc7/0x100 + nvme_remove+0x62/0x150 + pci_device_remove+0x23/0x60 + device_release_driver_internal+0x159/0x200 + unbind_store+0x99/0xa0 + kernfs_fop_write_iter+0x112/0x1e0 + vfs_write+0x2b1/0x3d0 + ksys_write+0x4e/0xb0 + do_syscall_64+0x5b/0x160 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +The top stacktrace is showing nvme_timeout() called to handle nvme +command timeout. timeout handler is trying to disable the controller and +as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not +to call queue callback handlers. The thread is stuck waiting for +set->tag_list_lock as it tries to walk the queues in set->tag_list. + +The lock is held by the second thread in the bottom stack which is +waiting for one of queues to be frozen. The queue usage counter will +drop to zero after nvme_timeout() finishes, and this will not happen +because the thread will wait for this mutex forever. + +Given that [un]quiescing queue is an operation that does not need to +sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking +set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU +safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list) +in blk_mq_del_queue_tag_set() because we can not re-initialize it while +the list is being traversed under RCU. 
The deleted queue will not be +added/deleted to/from a tagset and it will be freed in blk_free_queue() +after the end of RCU grace period. + +Signed-off-by: Mohamed Khalfella +Fixes: 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") +Reviewed-by: Ming Lei +Reviewed-by: Bart Van Assche +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 9115419d33ed9..db72779760d5c 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -364,12 +364,12 @@ void blk_mq_quiesce_tagset(struct blk_mq_tag_set *set) + { + struct request_queue *q; + +- mutex_lock(&set->tag_list_lock); +- list_for_each_entry(q, &set->tag_list, tag_set_list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) { + if (!blk_queue_skip_tagset_quiesce(q)) + blk_mq_quiesce_queue_nowait(q); + } +- mutex_unlock(&set->tag_list_lock); ++ rcu_read_unlock(); + + blk_mq_wait_quiesce_done(set); + } +@@ -379,12 +379,12 @@ void blk_mq_unquiesce_tagset(struct blk_mq_tag_set *set) + { + struct request_queue *q; + +- mutex_lock(&set->tag_list_lock); +- list_for_each_entry(q, &set->tag_list, tag_set_list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) { + if (!blk_queue_skip_tagset_quiesce(q)) + blk_mq_unquiesce_queue(q); + } +- mutex_unlock(&set->tag_list_lock); ++ rcu_read_unlock(); + } + EXPORT_SYMBOL_GPL(blk_mq_unquiesce_tagset); + +@@ -4255,7 +4255,7 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q) + struct blk_mq_tag_set *set = q->tag_set; + + mutex_lock(&set->tag_list_lock); +- list_del(&q->tag_set_list); ++ list_del_rcu(&q->tag_set_list); + if (list_is_singular(&set->tag_list)) { + /* just transitioned to unshared */ + set->flags &= ~BLK_MQ_F_TAG_QUEUE_SHARED; +@@ -4263,7 +4263,6 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q) + blk_mq_update_tag_set_shared(set, false); + 
} + mutex_unlock(&set->tag_list_lock); +- INIT_LIST_HEAD(&q->tag_set_list); + } + + static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set, +@@ -4282,7 +4281,7 @@ static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set, + } + if (set->flags & BLK_MQ_F_TAG_QUEUE_SHARED) + queue_set_hctx_shared(q, true); +- list_add_tail(&q->tag_set_list, &set->tag_list); ++ list_add_tail_rcu(&q->tag_set_list, &set->tag_list); + + mutex_unlock(&set->tag_list_lock); + } +-- +2.51.0 + diff --git a/queue-6.12/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch b/queue-6.12/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch new file mode 100644 index 0000000000..3a1801055b --- /dev/null +++ b/queue-6.12/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch 
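Review bot: Dropping `INIT_LIST_HEAD(&q->tag_set_list)` from blk_mq_del_queue_tag_set() leaves nothing in the code that says why the entry must stay untouched after `list_del_rcu()`. A comment at that spot would stop someone from restoring it, e.g. `/* No INIT_LIST_HEAD(): RCU readers in blk_mq_[un]quiesce_tagset() may still be walking through this entry. */`. The lockless walk is only safe if the request_queue is not freed before a grace period has passed. The commit message attributes that to blk_free_queue(), which is outside this patch, so the dependency deserves a line in the same comment. Everything called inside `rcu_read_lock()` must also be non-sleeping; the hunks show only the calls to blk_mq_quiesce_queue_nowait() and blk_mq_unquiesce_queue(), not their bodies.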
@@ -0,0 +1,57 @@ +From 1c9a7962c58ebb98bf64fba76e54bec07b269cfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 21:55:27 +0000 +Subject: cifs: Fix handling of a beyond-EOF DIO/unbuffered read over SMB2 + +From: David Howells + +[ Upstream commit 4ae4dde6f34a4124c65468ae4fa1f915fb40f900 ] + +If a DIO read or an unbuffered read request extends beyond the EOF, the +server will return a short read and a status code indicating that EOF was +hit, which gets translated to -ENODATA. Note that the client does not cap +the request at i_size, but asks for the amount requested in case there's a +race on the server with a third party. + +Now, on the client side, the request will get split into multiple +subrequests if rsize is smaller than the full request size. A subrequest +that starts before or at the EOF and returns short data up to the EOF will +be correctly handled, with the NETFS_SREQ_HIT_EOF flag being set, +indicating to netfslib that we can't read more. + +If a subrequest, however, starts after the EOF and not at it, HIT_EOF will +not be flagged, its error will be set to -ENODATA and it will be abandoned. +This will cause the request as a whole to fail with -ENODATA. + +Fix this by setting NETFS_SREQ_HIT_EOF on any subrequest that lies beyond +the EOF marker. 
+ +Fixes: 1da29f2c39b6 ("netfs, cifs: Fix handling of short DIO read") +Signed-off-by: David Howells +Reviewed-by: Paulo Alcantara (Red Hat) +cc: Shyam Prasad N +cc: linux-cifs@vger.kernel.org +cc: netfs@lists.linux.dev +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c +index 7aa87908e0ff1..b0ff9f7e8cea8 100644 +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -4634,7 +4634,7 @@ smb2_readv_callback(struct mid_q_entry *mid) + } else { + size_t trans = rdata->subreq.transferred + rdata->got_bytes; + if (trans < rdata->subreq.len && +- rdata->subreq.start + trans == ictx->remote_i_size) { ++ rdata->subreq.start + trans >= ictx->remote_i_size) { + __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags); + rdata->result = 0; + } +-- +2.51.0 + diff --git a/queue-6.12/dm-log-writes-add-missing-set_freezable-for-freezabl.patch b/queue-6.12/dm-log-writes-add-missing-set_freezable-for-freezabl.patch new file mode 100644 index 0000000000..949c8fddf1 --- /dev/null +++ b/queue-6.12/dm-log-writes-add-missing-set_freezable-for-freezabl.patch 
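Review bot: The widened test `rdata->subreq.start + trans >= ictx->remote_i_size` in smb2_readv_callback() compares against the client's cached size, and nothing at the site records why `>=` is intended. A one-line comment such as `/* Short read ending at or past the cached EOF: report EOF, not an error */` would capture it. The commit message notes that the server-side size can change through a third party. A cached `remote_i_size` that is too small would therefore turn a short read past it into a zero-result EOF. That is presumably acceptable because the request simply stops, but it should be confirmed against the netfslib side. The enclosing branch begins outside the hunk.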
@@ -0,0 +1,40 @@ +From 34907d7ccd26d1fbe00bab18441e001937eebf72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 15:41:03 +0800 +Subject: dm log-writes: Add missing set_freezable() for freezable kthread + +From: Haotian Zhang + +[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ] + +The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(), +rendering the freeze attempt ineffective since kernel threads are +non-freezable by default. This prevents proper thread suspension during +system suspend/hibernate. + +Add set_freezable() to explicitly mark the thread as freezable. + +Fixes: 0e9cebe72459 ("dm: add log writes target") +Signed-off-by: Haotian Zhang +Reviewed-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-log-writes.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c +index 8d7df8303d0a1..6272c77184200 100644 +--- a/drivers/md/dm-log-writes.c ++++ b/drivers/md/dm-log-writes.c +@@ -432,6 +432,7 @@ static int log_writes_kthread(void *arg) + struct log_writes_c *lc = arg; + sector_t sector = 0; + ++ set_freezable(); + while (!kthread_should_stop()) { + bool super = false; + bool logging_enabled; +-- +2.51.0 + diff --git a/queue-6.12/dm-raid-fix-possible-null-dereference-with-undefined.patch b/queue-6.12/dm-raid-fix-possible-null-dereference-with-undefined.patch new file mode 100644 index 0000000000..498b9973c4 --- /dev/null +++ b/queue-6.12/dm-raid-fix-possible-null-dereference-with-undefined.patch 
@@ -0,0 +1,42 @@ +From e69166a14dee101478920265ea618a96033a8cbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 20:18:38 +0300 +Subject: dm-raid: fix possible NULL dereference with undefined raid type + +From: Alexey Simakov + +[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ] + +rs->raid_type is assigned from get_raid_type_by_ll(), which may return +NULL. This NULL value could be dereferenced later in the condition +'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'. + +Add a fail-fast check to return early with an error if raid_type is NULL, +similar to other uses of this function. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping") +Signed-off-by: Alexey Simakov +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-raid.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c +index c69696d2540ab..b7f1cd81ab056 100644 +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -2291,6 +2291,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev) + + mddev->reshape_position = le64_to_cpu(sb->reshape_position); + rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout); ++ if (!rs->raid_type) ++ return -EINVAL; + } + + } else { +-- +2.51.0 + diff --git a/queue-6.12/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch b/queue-6.12/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch new file mode 100644 index 0000000000..22ffef500b --- /dev/null +++ b/queue-6.12/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch 
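Review bot: The new `if (!rs->raid_type) return -EINVAL;` in super_init_validation() fails silently, so a level/layout pair that maps to no known raid type is rejected without telling the administrator what was wrong. The adjacent line reads `sb->reshape_position` from the superblock, and the level and layout appear to come from the same stored metadata. That makes this a validation failure on on-disk input, which deserves a log line before the return, for example `DMERR("Superblock level/layout does not match a supported raid type");`. The function body starts and ends outside the hunk, so whether its other early returns log the same way should be checked for consistency.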
@@ -0,0 +1,40 @@ +From 426a0912a1e2a7769858c2b1011a4d643184b03b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 09:28:10 -0600 +Subject: dma/pool: eliminate alloc_pages warning in atomic_pool_expand + +From: Dave Kleikamp + +[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ] + +atomic_pool_expand iteratively tries the allocation while decrementing +the page order. There is no need to issue a warning if an attempted +allocation fails. + +Signed-off-by: Dave Kleikamp +Reviewed-by: Robin Murphy +Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone") +[mszyprow: fixed typo] +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index ee45dee33d491..26392badc36b0 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -93,7 +93,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size, + page = dma_alloc_from_contiguous(NULL, 1 << order, + order, false); + if (!page) +- page = alloc_pages(gfp, order); ++ page = alloc_pages(gfp | __GFP_NOWARN, order); + } while (!page && order-- > 0); + if (!page) + goto out; +-- +2.51.0 + diff --git a/queue-6.12/docs-hwmon-fix-link-to-g762-devicetree-binding.patch b/queue-6.12/docs-hwmon-fix-link-to-g762-devicetree-binding.patch new file mode 100644 index 0000000000..5e74748511 --- /dev/null +++ b/queue-6.12/docs-hwmon-fix-link-to-g762-devicetree-binding.patch 
@@ -0,0 +1,37 @@ +From bb4751b9bd5f37377e456abf35bec25d4908e08c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 21:58:35 +0000 +Subject: docs: hwmon: fix link to g762 devicetree binding + +From: Kathara Sasikumar + +[ Upstream commit 08bfcf4ff9d39228150a757803fc02dffce84ab0 ] + +The devicetree binding for g762 was converted to YAML to match vendor +prefix conventions. Update the reference accordingly. + +Signed-off-by: Kathara Sasikumar +Link: https://lore.kernel.org/r/20251205215835.783273-1-katharasasikumar007@gmail.com +Fixes: 3d8e25372417 ("dt-bindings: hwmon: g762: Convert to yaml schema") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + Documentation/hwmon/g762.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/hwmon/g762.rst b/Documentation/hwmon/g762.rst +index 0371b3365c48c..f224552a2d3cc 100644 +--- a/Documentation/hwmon/g762.rst ++++ b/Documentation/hwmon/g762.rst +@@ -17,7 +17,7 @@ done via a userland daemon like fancontrol. + Note that those entries do not provide ways to setup the specific + hardware characteristics of the system (reference clock, pulses per + fan revolution, ...); Those can be modified via devicetree bindings +-documented in Documentation/devicetree/bindings/hwmon/g762.txt or ++documented in Documentation/devicetree/bindings/hwmon/gmt,g762.yaml or + using a specific platform_data structure in board initialization + file (see include/linux/platform_data/g762.h). + +-- +2.51.0 + diff --git a/queue-6.12/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch b/queue-6.12/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch new file mode 100644 index 0000000000..99f01a7241 --- /dev/null +++ b/queue-6.12/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch 
@@ -0,0 +1,93 @@ +From 59fcb61f4e24e71ed7d0771c40917b9995b72f59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 14:12:29 -0600 +Subject: drm/amdkfd: Use huge page size to check split svm range alignment + +From: Xiaogang Chen + +[ Upstream commit bf2084a7b1d75d093b6a79df4c10142d49fbaa0e ] + +When split svm ranges that have been mapped using huge page should use huge +page size(2MB) to check split range alignment, not prange->granularity that +means migration granularity. + +Fixes: 7ef6b2d4b7e5 ("drm/amdkfd: remap unaligned svm ranges that have split") +Signed-off-by: Xiaogang Chen +Reviewed-by: Philip Yang +Signed-off-by: Alex Deucher +(cherry picked from commit 448ee45353ef9fb1a34f5f26eb3f48923c6f0898) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 46 +++++++++++++++++++--------- + 1 file changed, 32 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +index 99ce4fe5eb170..d65b0b23ec7b8 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +@@ -1143,30 +1143,48 @@ static int + svm_range_split_tail(struct svm_range *prange, uint64_t new_last, + struct list_head *insert_list, struct list_head *remap_list) + { ++ unsigned long last_align_down = ALIGN_DOWN(prange->last, 512); ++ unsigned long start_align = ALIGN(prange->start, 512); ++ bool huge_page_mapping = last_align_down > start_align; + struct svm_range *tail = NULL; +- int r = svm_range_split(prange, prange->start, new_last, &tail); ++ int r; + +- if (!r) { +- list_add(&tail->list, insert_list); +- if (!IS_ALIGNED(new_last + 1, 1UL << prange->granularity)) +- list_add(&tail->update_list, remap_list); +- } +- return r; ++ r = svm_range_split(prange, prange->start, new_last, &tail); ++ ++ if (r) ++ return r; ++ ++ list_add(&tail->list, insert_list); ++ ++ if (huge_page_mapping && tail->start > start_align && ++ tail->start < last_align_down && 
(!IS_ALIGNED(tail->start, 512))) ++ list_add(&tail->update_list, remap_list); ++ ++ return 0; + } + + static int + svm_range_split_head(struct svm_range *prange, uint64_t new_start, + struct list_head *insert_list, struct list_head *remap_list) + { ++ unsigned long last_align_down = ALIGN_DOWN(prange->last, 512); ++ unsigned long start_align = ALIGN(prange->start, 512); ++ bool huge_page_mapping = last_align_down > start_align; + struct svm_range *head = NULL; +- int r = svm_range_split(prange, new_start, prange->last, &head); ++ int r; + +- if (!r) { +- list_add(&head->list, insert_list); +- if (!IS_ALIGNED(new_start, 1UL << prange->granularity)) +- list_add(&head->update_list, remap_list); +- } +- return r; ++ r = svm_range_split(prange, new_start, prange->last, &head); ++ ++ if (r) ++ return r; ++ ++ list_add(&head->list, insert_list); ++ ++ if (huge_page_mapping && head->last + 1 > start_align && ++ head->last + 1 < last_align_down && (!IS_ALIGNED(head->last, 512))) ++ list_add(&head->update_list, remap_list); ++ ++ return 0; + } + + static void +-- +2.51.0 + diff --git a/queue-6.12/drm-nouveau-refactor-deprecated-strcpy.patch b/queue-6.12/drm-nouveau-refactor-deprecated-strcpy.patch new file mode 100644 index 0000000000..fcff317c7f --- /dev/null +++ b/queue-6.12/drm-nouveau-refactor-deprecated-strcpy.patch 
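Review bot: In svm_range_split_head() the range test uses `head->last + 1` but the alignment test uses `head->last`. svm_range_split_tail() tests `tail->start` in both places, and the removed code tested `new_start`, which is presumably `head->last + 1`. If the split boundary is what is meant, the last clause should read `(!IS_ALIGNED(head->last + 1, 512))`. As written, a boundary that is 512-aligned still queues a remap, and a `head->last` that happens to be aligned skips one. Separately, the literal 512 appears six times across the two functions; a named constant with a comment tying it to the 2MB huge page would make the base-page-size assumption explicit.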
@@ -0,0 +1,45 @@ +From 32f0db307f2cd277362ccfc765136451ad211788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 17:38:22 +0530 +Subject: drm/nouveau: refactor deprecated strcpy + +From: Madhur Kumar + +[ Upstream commit 2bdc2c0e12fac56e41ec05fb771ead986ea6dac0 ] + +strcpy() has been deprecated because it performs no bounds checking on the +destination buffer, which can lead to buffer overflows. Use the safer +strscpy() instead. + +Signed-off-by: Madhur Kumar +Reviewed-by: Lyude Paul +Fixes: 15a996bbb697 ("drm/nouveau: assign fence_chan->name correctly") +Signed-off-by: Lyude Paul +Link: https://patch.msgid.link/20251204120822.17502-1-madhurkumar004@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fence.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c +index edddfc036c6d1..65b7974defa10 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -197,11 +197,11 @@ nouveau_fence_context_new(struct nouveau_channel *chan, struct nouveau_fence_cha + fctx->context = drm->runl[chan->runlist].context_base + chan->chid; + + if (chan == drm->cechan) +- strcpy(fctx->name, "copy engine channel"); ++ strscpy(fctx->name, "copy engine channel"); + else if (chan == drm->channel) +- strcpy(fctx->name, "generic kernel channel"); ++ strscpy(fctx->name, "generic kernel channel"); + else +- strcpy(fctx->name, cli->name); ++ strscpy(fctx->name, cli->name); + + kref_init(&fctx->fence_ref); + if (!priv->uevent) +-- +2.51.0 + diff --git a/queue-6.12/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch b/queue-6.12/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch new file mode 100644 index 0000000000..a18b79a029 --- /dev/null +++ b/queue-6.12/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch 
@@ -0,0 +1,50 @@ +From df5035a528a8d3c47c34413a31c5c550b743b7a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 20:35:23 +0300 +Subject: drm/plane: Fix IS_ERR() vs NULL check in + drm_plane_create_hotspot_properties() + +From: Dan Carpenter + +[ Upstream commit 479acb9db3199cdb70e5478a6f633b5f20c7d8df ] + +The drm_property_create_signed_range() function doesn't return error +pointers it returns NULL on error. Fix the error checking to match. + +Fixes: 8f7179a1027d ("drm/atomic: Add support for mouse hotspots") +Signed-off-by: Dan Carpenter +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Zack Rusin +Link: https://patch.msgid.link/aTB023cfcIPkCsFS@stanley.mountain +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_plane.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c +index a28b22fdd7a41..4fcb5d486de67 100644 +--- a/drivers/gpu/drm/drm_plane.c ++++ b/drivers/gpu/drm/drm_plane.c +@@ -328,14 +328,14 @@ static int drm_plane_create_hotspot_properties(struct drm_plane *plane) + + prop_x = drm_property_create_signed_range(plane->dev, 0, "HOTSPOT_X", + INT_MIN, INT_MAX); +- if (IS_ERR(prop_x)) +- return PTR_ERR(prop_x); ++ if (!prop_x) ++ return -ENOMEM; + + prop_y = drm_property_create_signed_range(plane->dev, 0, "HOTSPOT_Y", + INT_MIN, INT_MAX); +- if (IS_ERR(prop_y)) { ++ if (!prop_y) { + drm_property_destroy(plane->dev, prop_x); +- return PTR_ERR(prop_y); ++ return -ENOMEM; + } + + drm_object_attach_property(&plane->base, prop_x, 0); +-- +2.51.0 + diff --git a/queue-6.12/expand-the-type-of-nfs_fattr-valid.patch b/queue-6.12/expand-the-type-of-nfs_fattr-valid.patch new file mode 100644 index 0000000000..43cb50564b --- /dev/null +++ b/queue-6.12/expand-the-type-of-nfs_fattr-valid.patch 
@@ -0,0 +1,127 @@ +From 51f8b1e92bb9ebcd24afd797362046a5717496b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 06:45:45 -0400 +Subject: Expand the type of nfs_fattr->valid + +From: Trond Myklebust + +[ Upstream commit ce60ab3964782df9ba34f0a64c0bc766dd508bde ] + +We need to be able to track more than 32 attributes per inode. + +Signed-off-by: Trond Myklebust +Signed-off-by: Lance Shelton +Signed-off-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Link: https://lore.kernel.org/r/1e3405fca54efd0be7c91c1da77917b94f5dfcc4.1748515333.git.bcodding@redhat.com +Signed-off-by: Trond Myklebust +Stable-dep-of: 2b092175f5e3 ("NFS: Fix inheritance of the block sizes when automounting") +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 2 +- + include/linux/nfs_fs_sb.h | 2 +- + include/linux/nfs_xdr.h | 54 +++++++++++++++++++-------------------- + 3 files changed, 29 insertions(+), 29 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 5bab9db5417c2..1b43331eb6ece 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -2214,7 +2214,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr) + bool attr_changed = false; + bool have_delegation; + +- dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%x)\n", ++ dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%llx)\n", + __func__, inode->i_sb->s_id, inode->i_ino, + nfs_display_fhandle_hash(NFS_FH(inode)), + atomic_read(&inode->i_count), fattr->valid); +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index 2cff5cafbaa78..97edf7b583d5e 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -169,8 +169,8 @@ struct nfs_server { + #define NFS_MOUNT_SHUTDOWN 0x08000000 + #define NFS_MOUNT_NO_ALIGNWRITE 0x10000000 + +- unsigned int fattr_valid; /* Valid attributes */ + unsigned int caps; /* server capabilities */ ++ __u64 fattr_valid; /* Valid attributes */ + unsigned int rsize; /* read size */ + unsigned int rpages; /* 
read size (in pages) */ + unsigned int wsize; /* write size */ +diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h +index b7a08c875514f..ea751edf247bf 100644 +--- a/include/linux/nfs_xdr.h ++++ b/include/linux/nfs_xdr.h +@@ -45,7 +45,7 @@ struct nfs4_threshold { + }; + + struct nfs_fattr { +- unsigned int valid; /* which fields are valid */ ++ __u64 valid; /* which fields are valid */ + umode_t mode; + __u32 nlink; + kuid_t uid; +@@ -80,32 +80,32 @@ struct nfs_fattr { + struct nfs4_label *label; + }; + +-#define NFS_ATTR_FATTR_TYPE (1U << 0) +-#define NFS_ATTR_FATTR_MODE (1U << 1) +-#define NFS_ATTR_FATTR_NLINK (1U << 2) +-#define NFS_ATTR_FATTR_OWNER (1U << 3) +-#define NFS_ATTR_FATTR_GROUP (1U << 4) +-#define NFS_ATTR_FATTR_RDEV (1U << 5) +-#define NFS_ATTR_FATTR_SIZE (1U << 6) +-#define NFS_ATTR_FATTR_PRESIZE (1U << 7) +-#define NFS_ATTR_FATTR_BLOCKS_USED (1U << 8) +-#define NFS_ATTR_FATTR_SPACE_USED (1U << 9) +-#define NFS_ATTR_FATTR_FSID (1U << 10) +-#define NFS_ATTR_FATTR_FILEID (1U << 11) +-#define NFS_ATTR_FATTR_ATIME (1U << 12) +-#define NFS_ATTR_FATTR_MTIME (1U << 13) +-#define NFS_ATTR_FATTR_CTIME (1U << 14) +-#define NFS_ATTR_FATTR_PREMTIME (1U << 15) +-#define NFS_ATTR_FATTR_PRECTIME (1U << 16) +-#define NFS_ATTR_FATTR_CHANGE (1U << 17) +-#define NFS_ATTR_FATTR_PRECHANGE (1U << 18) +-#define NFS_ATTR_FATTR_V4_LOCATIONS (1U << 19) +-#define NFS_ATTR_FATTR_V4_REFERRAL (1U << 20) +-#define NFS_ATTR_FATTR_MOUNTPOINT (1U << 21) +-#define NFS_ATTR_FATTR_MOUNTED_ON_FILEID (1U << 22) +-#define NFS_ATTR_FATTR_OWNER_NAME (1U << 23) +-#define NFS_ATTR_FATTR_GROUP_NAME (1U << 24) +-#define NFS_ATTR_FATTR_V4_SECURITY_LABEL (1U << 25) ++#define NFS_ATTR_FATTR_TYPE BIT_ULL(0) ++#define NFS_ATTR_FATTR_MODE BIT_ULL(1) ++#define NFS_ATTR_FATTR_NLINK BIT_ULL(2) ++#define NFS_ATTR_FATTR_OWNER BIT_ULL(3) ++#define NFS_ATTR_FATTR_GROUP BIT_ULL(4) ++#define NFS_ATTR_FATTR_RDEV BIT_ULL(5) ++#define NFS_ATTR_FATTR_SIZE BIT_ULL(6) ++#define NFS_ATTR_FATTR_PRESIZE 
BIT_ULL(7) ++#define NFS_ATTR_FATTR_BLOCKS_USED BIT_ULL(8) ++#define NFS_ATTR_FATTR_SPACE_USED BIT_ULL(9) ++#define NFS_ATTR_FATTR_FSID BIT_ULL(10) ++#define NFS_ATTR_FATTR_FILEID BIT_ULL(11) ++#define NFS_ATTR_FATTR_ATIME BIT_ULL(12) ++#define NFS_ATTR_FATTR_MTIME BIT_ULL(13) ++#define NFS_ATTR_FATTR_CTIME BIT_ULL(14) ++#define NFS_ATTR_FATTR_PREMTIME BIT_ULL(15) ++#define NFS_ATTR_FATTR_PRECTIME BIT_ULL(16) ++#define NFS_ATTR_FATTR_CHANGE BIT_ULL(17) ++#define NFS_ATTR_FATTR_PRECHANGE BIT_ULL(18) ++#define NFS_ATTR_FATTR_V4_LOCATIONS BIT_ULL(19) ++#define NFS_ATTR_FATTR_V4_REFERRAL BIT_ULL(20) ++#define NFS_ATTR_FATTR_MOUNTPOINT BIT_ULL(21) ++#define NFS_ATTR_FATTR_MOUNTED_ON_FILEID BIT_ULL(22) ++#define NFS_ATTR_FATTR_OWNER_NAME BIT_ULL(23) ++#define NFS_ATTR_FATTR_GROUP_NAME BIT_ULL(24) ++#define NFS_ATTR_FATTR_V4_SECURITY_LABEL BIT_ULL(25) + + #define NFS_ATTR_FATTR (NFS_ATTR_FATTR_TYPE \ + | NFS_ATTR_FATTR_MODE \ +-- +2.51.0 + diff --git a/queue-6.12/f2fs-add-a-sysfs-entry-to-reclaim-posix_fadv_noreuse.patch b/queue-6.12/f2fs-add-a-sysfs-entry-to-reclaim-posix_fadv_noreuse.patch new file mode 100644 index 0000000000..a485fbeca9 --- /dev/null +++ b/queue-6.12/f2fs-add-a-sysfs-entry-to-reclaim-posix_fadv_noreuse.patch 
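Review bot: Widening `nfs_fattr.valid` and `nfs_server.fattr_valid` to 64 bits only helps if every place that copies or masks these values is widened as well. This patch changes the two fields, the flag macros and one dfprintk() format. Any local variable or parameter elsewhere that still holds the mask in `unsigned int` would silently drop bits 32 and above once such flags exist. The flags shown here stop at bit 25, so nothing truncates yet, but the users outside this patch need an audit before a higher bit is added. On style, kernel-internal structures normally use `u64` rather than the UAPI type `__u64`.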
@@ -0,0 +1,273 @@ +From 3f75583a62c08efe2bdbea481c5348d03ac84802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 22:27:57 +0000 +Subject: f2fs: add a sysfs entry to reclaim POSIX_FADV_NOREUSE pages + +From: Jaegeuk Kim + +[ Upstream commit a907f3a68ee26ba493a08a958809208d17f3347e ] + +1. fadvise(fd1, POSIX_FADV_NOREUSE, {0,3}); +2. fadvise(fd2, POSIX_FADV_NOREUSE, {1,2}); +3. fadvise(fd3, POSIX_FADV_NOREUSE, {3,1}); +4. echo 1024 > /sys/fs/f2fs/tuning/reclaim_caches_kb + +This gives a way to reclaim file-backed pages by iterating all f2fs mounts until +reclaiming 1MB page cache ranges, registered by #1, #2, and #3. + +5. cat /sys/fs/f2fs/tuning/reclaim_caches_kb +-> gives total number of registered file ranges. + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: e462fc48ceb8 ("f2fs: maintain one time GC mode is enabled during whole zoned GC cycle") +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-fs-f2fs | 7 ++ + fs/f2fs/f2fs.h | 2 + + fs/f2fs/shrinker.c | 90 +++++++++++++++++++++++++ + fs/f2fs/sysfs.c | 63 +++++++++++++++++ + 4 files changed, 162 insertions(+) + +diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs b/Documentation/ABI/testing/sysfs-fs-f2fs +index 3e1630c70d8ae..81deae2af84d2 100644 +--- a/Documentation/ABI/testing/sysfs-fs-f2fs ++++ b/Documentation/ABI/testing/sysfs-fs-f2fs +@@ -828,3 +828,10 @@ Date: November 2024 + Contact: "Chao Yu" + Description: It controls max read extent count for per-inode, the value of threshold + is 10240 by default. ++ ++What: /sys/fs/f2fs/tuning/reclaim_caches_kb ++Date: February 2025 ++Contact: "Jaegeuk Kim" ++Description: It reclaims the given KBs of file-backed pages registered by ++ ioctl(F2FS_IOC_DONATE_RANGE). ++ For example, writing N tries to drop N KBs spaces in LRU. 
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 7ced2e2c65746..f2f3e02b6fd4c 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -4271,6 +4271,8 @@ unsigned long f2fs_shrink_count(struct shrinker *shrink, + struct shrink_control *sc); + unsigned long f2fs_shrink_scan(struct shrinker *shrink, + struct shrink_control *sc); ++unsigned int f2fs_donate_files(void); ++void f2fs_reclaim_caches(unsigned int reclaim_caches_kb); + void f2fs_join_shrinker(struct f2fs_sb_info *sbi); + void f2fs_leave_shrinker(struct f2fs_sb_info *sbi); + +diff --git a/fs/f2fs/shrinker.c b/fs/f2fs/shrinker.c +index 83d6fb97dcae0..45efff635d8e4 100644 +--- a/fs/f2fs/shrinker.c ++++ b/fs/f2fs/shrinker.c +@@ -130,6 +130,96 @@ unsigned long f2fs_shrink_scan(struct shrinker *shrink, + return freed; + } + ++unsigned int f2fs_donate_files(void) ++{ ++ struct f2fs_sb_info *sbi; ++ struct list_head *p; ++ unsigned int donate_files = 0; ++ ++ spin_lock(&f2fs_list_lock); ++ p = f2fs_list.next; ++ while (p != &f2fs_list) { ++ sbi = list_entry(p, struct f2fs_sb_info, s_list); ++ ++ /* stop f2fs_put_super */ ++ if (!mutex_trylock(&sbi->umount_mutex)) { ++ p = p->next; ++ continue; ++ } ++ spin_unlock(&f2fs_list_lock); ++ ++ donate_files += sbi->donate_files; ++ ++ spin_lock(&f2fs_list_lock); ++ p = p->next; ++ mutex_unlock(&sbi->umount_mutex); ++ } ++ spin_unlock(&f2fs_list_lock); ++ ++ return donate_files; ++} ++ ++static unsigned int do_reclaim_caches(struct f2fs_sb_info *sbi, ++ unsigned int reclaim_caches_kb) ++{ ++ struct inode *inode; ++ struct f2fs_inode_info *fi; ++ unsigned int nfiles = sbi->donate_files; ++ pgoff_t npages = reclaim_caches_kb >> (PAGE_SHIFT - 10); ++ ++ while (npages && nfiles--) { ++ pgoff_t len; ++ ++ spin_lock(&sbi->inode_lock[DONATE_INODE]); ++ if (list_empty(&sbi->inode_list[DONATE_INODE])) { ++ spin_unlock(&sbi->inode_lock[DONATE_INODE]); ++ break; ++ } ++ fi = list_first_entry(&sbi->inode_list[DONATE_INODE], ++ struct f2fs_inode_info, gdonate_list); ++ 
list_move_tail(&fi->gdonate_list, &sbi->inode_list[DONATE_INODE]); ++ inode = igrab(&fi->vfs_inode); ++ spin_unlock(&sbi->inode_lock[DONATE_INODE]); ++ ++ if (!inode) ++ continue; ++ ++ len = fi->donate_end - fi->donate_start + 1; ++ npages = npages < len ? 0 : npages - len; ++ invalidate_inode_pages2_range(inode->i_mapping, ++ fi->donate_start, fi->donate_end); ++ iput(inode); ++ cond_resched(); ++ } ++ return npages << (PAGE_SHIFT - 10); ++} ++ ++void f2fs_reclaim_caches(unsigned int reclaim_caches_kb) ++{ ++ struct f2fs_sb_info *sbi; ++ struct list_head *p; ++ ++ spin_lock(&f2fs_list_lock); ++ p = f2fs_list.next; ++ while (p != &f2fs_list && reclaim_caches_kb) { ++ sbi = list_entry(p, struct f2fs_sb_info, s_list); ++ ++ /* stop f2fs_put_super */ ++ if (!mutex_trylock(&sbi->umount_mutex)) { ++ p = p->next; ++ continue; ++ } ++ spin_unlock(&f2fs_list_lock); ++ ++ reclaim_caches_kb = do_reclaim_caches(sbi, reclaim_caches_kb); ++ ++ spin_lock(&f2fs_list_lock); ++ p = p->next; ++ mutex_unlock(&sbi->umount_mutex); ++ } ++ spin_unlock(&f2fs_list_lock); ++} ++ + void f2fs_join_shrinker(struct f2fs_sb_info *sbi) + { + spin_lock(&f2fs_list_lock); +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index b3c04ecc3a271..5c4fd0f3acab7 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -939,6 +939,39 @@ static struct f2fs_base_attr f2fs_base_attr_##_name = { \ + .show = f2fs_feature_show, \ + } + ++static ssize_t f2fs_tune_show(struct f2fs_base_attr *a, char *buf) ++{ ++ unsigned int res = 0; ++ ++ if (!strcmp(a->attr.name, "reclaim_caches_kb")) ++ res = f2fs_donate_files(); ++ ++ return sysfs_emit(buf, "%u\n", res); ++} ++ ++static ssize_t f2fs_tune_store(struct f2fs_base_attr *a, ++ const char *buf, size_t count) ++{ ++ unsigned long t; ++ int ret; ++ ++ ret = kstrtoul(skip_spaces(buf), 0, &t); ++ if (ret) ++ return ret; ++ ++ if (!strcmp(a->attr.name, "reclaim_caches_kb")) ++ f2fs_reclaim_caches(t); ++ ++ return count; ++} ++ ++#define F2FS_TUNE_RW_ATTR(_name) \ 
++static struct f2fs_base_attr f2fs_base_attr_##_name = { \ ++ .attr = {.name = __stringify(_name), .mode = 0644 }, \ ++ .show = f2fs_tune_show, \ ++ .store = f2fs_tune_store, \ ++} ++ + static ssize_t f2fs_sb_feature_show(struct f2fs_attr *a, + struct f2fs_sb_info *sbi, char *buf) + { +@@ -1389,6 +1422,14 @@ static struct attribute *f2fs_sb_feat_attrs[] = { + }; + ATTRIBUTE_GROUPS(f2fs_sb_feat); + ++F2FS_TUNE_RW_ATTR(reclaim_caches_kb); ++ ++static struct attribute *f2fs_tune_attrs[] = { ++ BASE_ATTR_LIST(reclaim_caches_kb), ++ NULL, ++}; ++ATTRIBUTE_GROUPS(f2fs_tune); ++ + static const struct sysfs_ops f2fs_attr_ops = { + .show = f2fs_attr_show, + .store = f2fs_attr_store, +@@ -1422,6 +1463,20 @@ static struct kobject f2fs_feat = { + .kset = &f2fs_kset, + }; + ++static const struct sysfs_ops f2fs_tune_attr_ops = { ++ .show = f2fs_base_attr_show, ++ .store = f2fs_base_attr_store, ++}; ++ ++static const struct kobj_type f2fs_tune_ktype = { ++ .default_groups = f2fs_tune_groups, ++ .sysfs_ops = &f2fs_tune_attr_ops, ++}; ++ ++static struct kobject f2fs_tune = { ++ .kset = &f2fs_kset, ++}; ++ + static ssize_t f2fs_stat_attr_show(struct kobject *kobj, + struct attribute *attr, char *buf) + { +@@ -1660,6 +1715,11 @@ int __init f2fs_init_sysfs(void) + if (ret) + goto put_kobject; + ++ ret = kobject_init_and_add(&f2fs_tune, &f2fs_tune_ktype, ++ NULL, "tuning"); ++ if (ret) ++ goto put_kobject; ++ + f2fs_proc_root = proc_mkdir("fs/f2fs", NULL); + if (!f2fs_proc_root) { + ret = -ENOMEM; +@@ -1667,7 +1727,9 @@ int __init f2fs_init_sysfs(void) + } + + return 0; ++ + put_kobject: ++ kobject_put(&f2fs_tune); + kobject_put(&f2fs_feat); + kset_unregister(&f2fs_kset); + return ret; +@@ -1675,6 +1737,7 @@ int __init f2fs_init_sysfs(void) + + void f2fs_exit_sysfs(void) + { ++ kobject_put(&f2fs_tune); + kobject_put(&f2fs_feat); + kset_unregister(&f2fs_kset); + remove_proc_entry("fs/f2fs", NULL); +-- +2.51.0 + 
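Review bot: In `do_reclaim_caches()` (fs/f2fs/shrinker.c) `fi->donate_start` and `fi->donate_end` are read after `inode_lock[DONATE_INODE]` has been dropped, while `f2fs_keep_noreuse_range()` in the POSIX_FADV_NOREUSE patch later on this page updates them under that lock, so the pair can be read torn. `len = fi->donate_end - fi->donate_start + 1` is unsigned `pgoff_t` arithmetic, so a mismatched pair wraps, zeroes `npages` and hands an inverted range to `invalidate_inode_pages2_range()`. Copy both fields into locals before `spin_unlock()`, e.g. `start = fi->donate_start; end = fi->donate_end;`, and use the locals for `len` and for the invalidate call. Separately, `f2fs_tune_store()` parses into `unsigned long t` and passes it to `f2fs_reclaim_caches(unsigned int)`, so on 64-bit a value above `UINT_MAX` is silently truncated; parsing with `kstrtouint()` would reject it instead.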
diff --git a/queue-6.12/f2fs-add-carve_out-sysfs-node.patch b/queue-6.12/f2fs-add-carve_out-sysfs-node.patch
new file mode 100644
index 0000000000..6bd64e4da9
--- /dev/null
+++ b/queue-6.12/f2fs-add-carve_out-sysfs-node.patch
@@ -0,0 +1,98 @@
+From 08a879ebe11b574b67b11017db8810beed9b6c3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Mar 2025 11:29:31 -0700
+Subject: f2fs: add carve_out sysfs node
+
+From: Daeho Jeong
+
+[ Upstream commit d7b549def0eb42a950eebd3bd5343f5c8088c305 ]
+
+For several zoned storage devices, vendors will provide extra space
+which was used for device level GC than specs and F2FS can use this
+space for filesystem level GC. To do that, we can reserve the space
+using reserved_blocks. However, it is not enough, since this extra
+space should not be shown to users. So, with this new sysfs node,
+we can hide the space by substracting reserved_blocks from total
+bytes.
+
+Signed-off-by: Daeho Jeong
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Stable-dep-of: e462fc48ceb8 ("f2fs: maintain one time GC mode is enabled during whole zoned GC cycle")
+Signed-off-by: Sasha Levin
+---
+ Documentation/ABI/testing/sysfs-fs-f2fs | 10 ++++++++++
+ fs/f2fs/f2fs.h | 3 +++
+ fs/f2fs/super.c | 3 ++-
+ fs/f2fs/sysfs.c | 2 ++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs b/Documentation/ABI/testing/sysfs-fs-f2fs
+index 81deae2af84d2..c7ebda8c677e5 100644
+--- a/Documentation/ABI/testing/sysfs-fs-f2fs
++++ b/Documentation/ABI/testing/sysfs-fs-f2fs
+@@ -835,3 +835,13 @@ Contact: "Jaegeuk Kim"
+ Description: It reclaims the given KBs of file-backed pages registered by
+ ioctl(F2FS_IOC_DONATE_RANGE).
+ For example, writing N tries to drop N KBs spaces in LRU.
++
++What: /sys/fs/f2fs//carve_out
++Date: March 2025
++Contact: "Daeho Jeong"
++Description: For several zoned storage devices, vendors will provide extra space which
++ was used for device level GC than specs and F2FS can use this space for
++ filesystem level GC. To do that, we can reserve the space using
++ reserved_blocks. However, it is not enough, since this extra space should
++ not be shown to users. So, with this new sysfs node, we can hide the space
++ by substracting reserved_blocks from total bytes.
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index f2f3e02b6fd4c..08bab3de5c50d 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1813,6 +1813,9 @@ struct f2fs_sb_info {
+ u64 committed_atomic_block;
+ u64 revoked_atomic_block;
+
++ /* carve out reserved_blocks from total blocks */
++ bool carve_out;
++
+ #ifdef CONFIG_F2FS_FS_COMPRESSION
+ struct kmem_cache *page_array_slab; /* page array entry */
+ unsigned int page_array_slab_size; /* default page array slab size */
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 3be4e8bcbd138..ee8352246ce47 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1839,7 +1839,8 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ buf->f_blocks = total_count - start_count;
+
+ spin_lock(&sbi->stat_lock);
+-
++ if (sbi->carve_out)
++ buf->f_blocks -= sbi->current_reserved_blocks;
+ user_block_count = sbi->user_block_count;
+ total_valid_node_count = valid_node_count(sbi);
+ avail_node_count = sbi->total_node_count - F2FS_RESERVED_NODE_NUM;
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index 5c4fd0f3acab7..9b4768b1efac5 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -1145,6 +1145,7 @@ F2FS_SBI_GENERAL_RW_ATTR(max_read_extent_count);
+ F2FS_SBI_GENERAL_RO_ATTR(unusable_blocks_per_sec);
+ F2FS_SBI_GENERAL_RW_ATTR(blkzone_alloc_policy);
+ #endif
++F2FS_SBI_GENERAL_RW_ATTR(carve_out);
+
+ /* STAT_INFO ATTR */
+ #ifdef CONFIG_F2FS_STAT_FS
+@@ -1332,6 +1333,7 @@ static struct attribute *f2fs_attrs[] = {
+ ATTR_LIST(warm_data_age_threshold),
+ ATTR_LIST(last_age_weight),
+ ATTR_LIST(max_read_extent_count),
++ ATTR_LIST(carve_out),
+ NULL,
+ };
+ ATTRIBUTE_GROUPS(f2fs);
+--
+2.51.0
+
diff --git a/queue-6.12/f2fs-add-gc_boost_gc_greedy-sysfs-node.patch b/queue-6.12/f2fs-add-gc_boost_gc_greedy-sysfs-node.patch
new file mode 100644
index 0000000000..cca7097d2a
--- /dev/null
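Review bot: `carve_out` is declared `bool` in `struct f2fs_sb_info` but is exported with `F2FS_SBI_GENERAL_RW_ATTR(carve_out)` and gets no dedicated branch in `__sbi_store()`. If it reaches the generic `*ui = (unsigned int)t;` store that the other sysfs.c hunks on this page show, a write stores four bytes through an `unsigned int *` into a one-byte field and can overwrite whatever follows it in the struct, and the show path would read the neighbouring bytes back. The macro and the rest of `__sbi_store()` are outside the hunk, so this needs confirming against the full file. Either declare the field as `unsigned int carve_out;` or add a branch that rejects `t > 1` and assigns `sbi->carve_out = t;` before the generic store.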
+++ b/queue-6.12/f2fs-add-gc_boost_gc_greedy-sysfs-node.patch
@@ -0,0 +1,107 @@
+From 191449d16854fe3538104bb552695c06e893094d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 28 Jul 2025 10:04:30 -0700
+Subject: f2fs: add gc_boost_gc_greedy sysfs node
+
+From: Daeho Jeong
+
+[ Upstream commit c8705cefce44fbe85ca3b180dee0e0b5f3d51dc5 ]
+
+Add this to control GC algorithm for boost GC.
+
+Signed-off-by: Daeho Jeong
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Stable-dep-of: e462fc48ceb8 ("f2fs: maintain one time GC mode is enabled during whole zoned GC cycle")
+Signed-off-by: Sasha Levin
+---
+ Documentation/ABI/testing/sysfs-fs-f2fs | 6 ++++++
+ fs/f2fs/gc.c | 3 ++-
+ fs/f2fs/gc.h | 1 +
+ fs/f2fs/sysfs.c | 9 +++++++++
+ 4 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs b/Documentation/ABI/testing/sysfs-fs-f2fs
+index e5ec2a7982eef..912d6e8628081 100644
+--- a/Documentation/ABI/testing/sysfs-fs-f2fs
++++ b/Documentation/ABI/testing/sysfs-fs-f2fs
+@@ -874,3 +874,9 @@ Contact: "Daeho Jeong"
+ Description: Set a multiplier for the background GC migration window when F2FS GC is
+ boosted. The range should be from 1 to the segment count in a section.
+ Default: 5
++
++What: /sys/fs/f2fs//gc_boost_gc_greedy
++Date: June 2025
++Contact: "Daeho Jeong"
++Description: Control GC algorithm for boost GC. 0: cost benefit, 1: greedy
++ Default: 1
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index 2cc7e16f76659..12737dfba5efb 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -141,7 +141,7 @@ static int gc_thread_func(void *data)
+ FOREGROUND : BACKGROUND);
+
+ sync_mode = (F2FS_OPTION(sbi).bggc_mode == BGGC_MODE_SYNC) ||
+- gc_control.one_time;
++ (gc_control.one_time && gc_th->boost_gc_greedy);
+
+ /* foreground GC was been triggered via f2fs_balance_fs() */
+ if (foreground)
+@@ -198,6 +198,7 @@ int f2fs_start_gc_thread(struct f2fs_sb_info *sbi)
+ gc_th->urgent_sleep_time = DEF_GC_THREAD_URGENT_SLEEP_TIME;
+ gc_th->valid_thresh_ratio = DEF_GC_THREAD_VALID_THRESH_RATIO;
+ gc_th->boost_gc_multiple = BOOST_GC_MULTIPLE;
++ gc_th->boost_gc_greedy = GC_GREEDY;
+
+ if (f2fs_sb_has_blkzoned(sbi)) {
+ gc_th->min_sleep_time = DEF_GC_THREAD_MIN_SLEEP_TIME_ZONED;
+diff --git a/fs/f2fs/gc.h b/fs/f2fs/gc.h
+index efa1968810a06..1a2e7a84b59f1 100644
+--- a/fs/f2fs/gc.h
++++ b/fs/f2fs/gc.h
+@@ -69,6 +69,7 @@ struct f2fs_gc_kthread {
+ unsigned int boost_zoned_gc_percent;
+ unsigned int valid_thresh_ratio;
+ unsigned int boost_gc_multiple;
++ unsigned int boost_gc_greedy;
+ };
+
+ struct gc_inode_list {
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index dce3ef405832e..0c1e9683316e6 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -861,6 +861,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
+ return count;
+ }
+
++ if (!strcmp(a->attr.name, "gc_boost_gc_greedy")) {
++ if (t > GC_GREEDY)
++ return -EINVAL;
++ sbi->gc_thread->boost_gc_greedy = (unsigned int)t;
++ return count;
++ }
++
+ *ui = (unsigned int)t;
+
+ return count;
+@@ -1088,6 +1095,7 @@ GC_THREAD_RW_ATTR(gc_no_zoned_gc_percent, no_zoned_gc_percent);
+ GC_THREAD_RW_ATTR(gc_boost_zoned_gc_percent, boost_zoned_gc_percent);
+ GC_THREAD_RW_ATTR(gc_valid_thresh_ratio, valid_thresh_ratio);
+ GC_THREAD_RW_ATTR(gc_boost_gc_multiple, boost_gc_multiple);
++GC_THREAD_RW_ATTR(gc_boost_gc_greedy, boost_gc_greedy);
+
+ /* SM_INFO ATTR */
+ SM_INFO_RW_ATTR(reclaim_segments, rec_prefree_segments);
+@@ -1257,6 +1265,7 @@ static struct attribute *f2fs_attrs[] = {
+ ATTR_LIST(gc_boost_zoned_gc_percent),
+ ATTR_LIST(gc_valid_thresh_ratio),
+ ATTR_LIST(gc_boost_gc_multiple),
++ ATTR_LIST(gc_boost_gc_greedy),
+ ATTR_LIST(gc_idle),
+ ATTR_LIST(gc_urgent),
+ ATTR_LIST(reclaim_segments),
+--
+2.51.0
+
diff --git a/queue-6.12/f2fs-add-gc_boost_gc_multiple-sysfs-node.patch b/queue-6.12/f2fs-add-gc_boost_gc_multiple-sysfs-node.patch
new file mode 100644
index 0000000000..e9c44cdd58
--- /dev/null
+++ b/queue-6.12/f2fs-add-gc_boost_gc_multiple-sysfs-node.patch
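Review bot: The new `gc_boost_gc_greedy` branch in `__sbi_store()` writes through `sbi->gc_thread->boost_gc_greedy` rather than the already-resolved `*ui`, which adds a second dereference of `sbi->gc_thread` whose non-NULL guarantee is not visible here (the function starts outside the hunk). Since the attribute is registered with `GC_THREAD_RW_ATTR`, `*ui` presumably already points at this field, so the branch can shrink to the range check `if (t > GC_GREEDY) return -EINVAL;` and fall through to `*ui = (unsigned int)t;`. The `gc_boost_gc_multiple` branch in the next patch on this page has the same shape. The check also relies on `GC_GREEDY` being the highest valid selector, which deserves a one-line comment so it stays correct if the enum grows.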
@@ -0,0 +1,109 @@
+From 73d21a781c2e89c19b4cfb832825062181280c98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 28 Jul 2025 09:45:44 -0700
+Subject: f2fs: add gc_boost_gc_multiple sysfs node
+
+From: Daeho Jeong
+
+[ Upstream commit 1d4c5dbba1a53aeaf2c6cc84e7ba94c436d18852 ]
+
+Add a sysfs knob to set a multiplier for the background GC migration
+window when F2FS Garbage Collection is boosted.
+
+Signed-off-by: Daeho Jeong
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Stable-dep-of: e462fc48ceb8 ("f2fs: maintain one time GC mode is enabled during whole zoned GC cycle")
+Signed-off-by: Sasha Levin
+---
+ Documentation/ABI/testing/sysfs-fs-f2fs | 7 +++++++
+ fs/f2fs/gc.c | 3 ++-
+ fs/f2fs/gc.h | 1 +
+ fs/f2fs/sysfs.c | 9 +++++++++
+ 4 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs b/Documentation/ABI/testing/sysfs-fs-f2fs
+index ade7da6352de6..e5ec2a7982eef 100644
+--- a/Documentation/ABI/testing/sysfs-fs-f2fs
++++ b/Documentation/ABI/testing/sysfs-fs-f2fs
+@@ -867,3 +867,10 @@ Description: This threshold is used to control triggering garbage collection whi
+ reserved section before preallocating on pinned file.
+ By default, the value is ovp_sections, especially, for zoned ufs, the
+ value is 1.
++
++What: /sys/fs/f2fs//gc_boost_gc_multiple
++Date: June 2025
++Contact: "Daeho Jeong"
++Description: Set a multiplier for the background GC migration window when F2FS GC is
++ boosted. The range should be from 1 to the segment count in a section.
++ Default: 5
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index c0e43d6056a0a..2cc7e16f76659 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -197,6 +197,7 @@ int f2fs_start_gc_thread(struct f2fs_sb_info *sbi)
+
+ gc_th->urgent_sleep_time = DEF_GC_THREAD_URGENT_SLEEP_TIME;
+ gc_th->valid_thresh_ratio = DEF_GC_THREAD_VALID_THRESH_RATIO;
++ gc_th->boost_gc_multiple = BOOST_GC_MULTIPLE;
+
+ if (f2fs_sb_has_blkzoned(sbi)) {
+ gc_th->min_sleep_time = DEF_GC_THREAD_MIN_SLEEP_TIME_ZONED;
+@@ -1757,7 +1758,7 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
+ !has_enough_free_blocks(sbi,
+ sbi->gc_thread->boost_zoned_gc_percent))
+ window_granularity *=
+- BOOST_GC_MULTIPLE;
++ sbi->gc_thread->boost_gc_multiple;
+
+ end_segno = start_segno + window_granularity;
+ }
+diff --git a/fs/f2fs/gc.h b/fs/f2fs/gc.h
+index 5c1eaf55e1277..efa1968810a06 100644
+--- a/fs/f2fs/gc.h
++++ b/fs/f2fs/gc.h
+@@ -68,6 +68,7 @@ struct f2fs_gc_kthread {
+ unsigned int no_zoned_gc_percent;
+ unsigned int boost_zoned_gc_percent;
+ unsigned int valid_thresh_ratio;
++ unsigned int boost_gc_multiple;
+ };
+
+ struct gc_inode_list {
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index 624ce79f08fd2..dce3ef405832e 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -854,6 +854,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
+ return count;
+ }
+
++ if (!strcmp(a->attr.name, "gc_boost_gc_multiple")) {
++ if (t < 1 || t > SEGS_PER_SEC(sbi))
++ return -EINVAL;
++ sbi->gc_thread->boost_gc_multiple = (unsigned int)t;
++ return count;
++ }
++
+ *ui = (unsigned int)t;
+
+ return count;
+@@ -1080,6 +1087,7 @@ GC_THREAD_RW_ATTR(gc_no_gc_sleep_time, no_gc_sleep_time);
+ GC_THREAD_RW_ATTR(gc_no_zoned_gc_percent, no_zoned_gc_percent);
+ GC_THREAD_RW_ATTR(gc_boost_zoned_gc_percent, boost_zoned_gc_percent);
+ GC_THREAD_RW_ATTR(gc_valid_thresh_ratio, valid_thresh_ratio);
++GC_THREAD_RW_ATTR(gc_boost_gc_multiple, boost_gc_multiple);
+
+ /* SM_INFO ATTR */
+ SM_INFO_RW_ATTR(reclaim_segments, rec_prefree_segments);
+@@ -1248,6 +1256,7 @@ static struct attribute *f2fs_attrs[] = {
+ ATTR_LIST(gc_no_zoned_gc_percent),
+ ATTR_LIST(gc_boost_zoned_gc_percent),
+ ATTR_LIST(gc_valid_thresh_ratio),
++ ATTR_LIST(gc_boost_gc_multiple),
+ ATTR_LIST(gc_idle),
+ ATTR_LIST(gc_urgent),
+ ATTR_LIST(reclaim_segments),
+--
+2.51.0
+
diff --git a/queue-6.12/f2fs-fix-to-avoid-running-out-of-free-segments.patch b/queue-6.12/f2fs-fix-to-avoid-running-out-of-free-segments.patch
new file mode 100644
index 0000000000..580efeb5a2
--- /dev/null
+++ b/queue-6.12/f2fs-fix-to-avoid-running-out-of-free-segments.patch
@@ -0,0 +1,64 @@
+From c76ef3e129bd8baf76f9dcf704572514cf2d1408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Mar 2025 17:01:25 +0800
+Subject: f2fs: fix to avoid running out of free segments
+
+From: Chao Yu
+
+[ Upstream commit f7f8932ca6bb22494ef6db671633ad3b4d982271 ]
+
+If checkpoint is disabled, GC can not reclaim any segments, we need
+to detect such condition and bail out from fallocate() of a pinfile,
+rather than letting allocator running out of free segment, which may
+cause f2fs to be shutdown.
+
+reproducer:
+mkfs.f2fs -f /dev/vda 16777216
+mount -o checkpoint=disable:10% /dev/vda /mnt/f2fs
+for ((i=0;i<4096;i++)) do { dd if=/dev/zero of=/mnt/f2fs/$i bs=1M count=1; } done
+sync
+for ((i=0;i<4096;i+=2)) do { rm /mnt/f2fs/$i; } done
+sync
+touch /mnt/f2fs/pinfile
+f2fs_io pinfile set /mnt/f2fs/pinfile
+f2fs_io fallocate 0 0 4201644032 /mnt/f2fs/pinfile
+
+cat /sys/kernel/debug/f2fs/status
+output:
+ - Free: 0 (0)
+
+Fixes: f5a53edcf01e ("f2fs: support aligned pinned file")
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Stable-dep-of: e462fc48ceb8 ("f2fs: maintain one time GC mode is enabled during whole zoned GC cycle")
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/file.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index b8d24c1c48bd4..be32f672497d6 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1838,6 +1838,18 @@ static int f2fs_expand_inode_data(struct inode *inode, loff_t offset,
+ next_alloc:
+ f2fs_down_write(&sbi->pin_sem);
+
++ if (unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) {
++ if (has_not_enough_free_secs(sbi, 0, 0)) {
++ f2fs_up_write(&sbi->pin_sem);
++ err = -ENOSPC;
++ f2fs_warn_ratelimited(sbi,
++ "ino:%lu, start:%lu, end:%lu, need to trigger GC to "
++ "reclaim enough free segment when checkpoint is enabled",
++ inode->i_ino, pg_start, pg_end);
++ goto out_err;
++ }
++ }
++
+ if (has_not_enough_free_secs(sbi, 0, f2fs_sb_has_blkzoned(sbi) ?
+ ZONED_PIN_SEC_REQUIRED_COUNT :
+ GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))) {
+--
+2.51.0
+
diff --git a/queue-6.12/f2fs-introduce-reserved_pin_section-sysfs-entry.patch b/queue-6.12/f2fs-introduce-reserved_pin_section-sysfs-entry.patch
new file mode 100644
index 0000000000..175ad87f25
--- /dev/null
+++ b/queue-6.12/f2fs-introduce-reserved_pin_section-sysfs-entry.patch
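Review bot: The warning text passed to `f2fs_warn_ratelimited()` is split across two source lines (`"... need to trigger GC to "` followed by `"reclaim enough free segment when checkpoint is enabled"`), so the message cannot be found with a single grep from a log line; kernel style keeps user-visible strings on one line even past the column limit. The two nested `if`s can also be one condition, `if (unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED)) && has_not_enough_free_secs(sbi, 0, 0)) {`, which removes a level of indentation. `f2fs_expand_inode_data()` starts and ends outside the hunk, so the `out_err` path, and whether it expects `pin_sem` to have been released as done here, is not visible.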
@@ -0,0 +1,126 @@
+From 6fac59a3a2b800d702df6efc62eb446dcbd1bf7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Jun 2025 13:51:09 +0800
+Subject: f2fs: introduce reserved_pin_section sysfs entry
+
+From: Chao Yu
+
+[ Upstream commit 59c1c89e9ba8cefff05aa982dd9e6719f25e8ec5 ]
+
+This patch introduces /sys/fs/f2fs//reserved_pin_section for tuning
+@needed parameter of has_not_enough_free_secs(), if we configure it w/
+zero, it can avoid f2fs_gc() as much as possible while fallocating on
+pinned file.
+
+Signed-off-by: Chao Yu
+Reviewed-by: wangzijie
+Signed-off-by: Jaegeuk Kim
+Stable-dep-of: e462fc48ceb8 ("f2fs: maintain one time GC mode is enabled during whole zoned GC cycle")
+Signed-off-by: Sasha Levin
+---
+ Documentation/ABI/testing/sysfs-fs-f2fs | 9 +++++++++
+ fs/f2fs/f2fs.h | 3 +++
+ fs/f2fs/file.c | 5 ++---
+ fs/f2fs/super.c | 4 ++++
+ fs/f2fs/sysfs.c | 9 +++++++++
+ 5 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs b/Documentation/ABI/testing/sysfs-fs-f2fs
+index 87b32ca7f3a46..ade7da6352de6 100644
+--- a/Documentation/ABI/testing/sysfs-fs-f2fs
++++ b/Documentation/ABI/testing/sysfs-fs-f2fs
+@@ -858,3 +858,12 @@ Description: This is a read-only entry to show the value of sb.s_encoding_flags,
+ SB_ENC_STRICT_MODE_FL 0x00000001
+ SB_ENC_NO_COMPAT_FALLBACK_FL 0x00000002
+ ============================ ==========
++
++What: /sys/fs/f2fs//reserved_pin_section
++Date: June 2025
++Contact: "Chao Yu"
++Description: This threshold is used to control triggering garbage collection while
++ fallocating on pinned file, so, it can guarantee there is enough free
++ reserved section before preallocating on pinned file.
++ By default, the value is ovp_sections, especially, for zoned ufs, the
++ value is 1.
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 08bab3de5c50d..695f74875b8f1 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1702,6 +1702,9 @@ struct f2fs_sb_info {
+ /* for skip statistic */
+ unsigned long long skipped_gc_rwsem; /* FG_GC only */
+
++ /* free sections reserved for pinned file */
++ unsigned int reserved_pin_section;
++
+ /* threshold for gc trials on pinned files */
+ unsigned short gc_pin_file_threshold;
+ struct f2fs_rwsem pin_sem;
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index be32f672497d6..67053bf6ca3ec 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1850,9 +1850,8 @@ static int f2fs_expand_inode_data(struct inode *inode, loff_t offset,
+ }
+ }
+
+- if (has_not_enough_free_secs(sbi, 0, f2fs_sb_has_blkzoned(sbi) ?
+- ZONED_PIN_SEC_REQUIRED_COUNT :
+- GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))) {
++ if (has_not_enough_free_secs(sbi, 0,
++ sbi->reserved_pin_section)) {
+ f2fs_down_write(&sbi->gc_lock);
+ stat_inc_gc_call_count(sbi, FOREGROUND);
+ err = f2fs_gc(sbi, &gc_control);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index ee8352246ce47..ae72639544040 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4705,6 +4705,10 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
+ /* get segno of first zoned block device */
+ sbi->first_seq_zone_segno = get_first_seq_zone_segno(sbi);
+
++ sbi->reserved_pin_section = f2fs_sb_has_blkzoned(sbi) ?
++ ZONED_PIN_SEC_REQUIRED_COUNT :
++ GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi));
++
+ /* Read accumulated write IO statistics if exists */
+ seg_i = CURSEG_I(sbi, CURSEG_HOT_NODE);
+ if (__exist_node_summaries(sbi))
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index 309b73421dd92..624ce79f08fd2 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -847,6 +847,13 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
+ return count;
+ }
+
++ if (!strcmp(a->attr.name, "reserved_pin_section")) {
++ if (t > GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))
++ return -EINVAL;
++ *ui = (unsigned int)t;
++ return count;
++ }
++
+ *ui = (unsigned int)t;
+
+ return count;
+@@ -1153,6 +1160,7 @@ F2FS_SBI_GENERAL_RO_ATTR(unusable_blocks_per_sec);
+ F2FS_SBI_GENERAL_RW_ATTR(blkzone_alloc_policy);
+ #endif
+ F2FS_SBI_GENERAL_RW_ATTR(carve_out);
++F2FS_SBI_GENERAL_RW_ATTR(reserved_pin_section);
+
+ /* STAT_INFO ATTR */
+ #ifdef CONFIG_F2FS_STAT_FS
+@@ -1343,6 +1351,7 @@ static struct attribute *f2fs_attrs[] = {
+ ATTR_LIST(last_age_weight),
+ ATTR_LIST(max_read_extent_count),
+ ATTR_LIST(carve_out),
++ ATTR_LIST(reserved_pin_section),
+ NULL,
+ };
+ ATTRIBUTE_GROUPS(f2fs);
+--
+2.51.0
+
diff --git a/queue-6.12/f2fs-keep-posix_fadv_noreuse-ranges.patch b/queue-6.12/f2fs-keep-posix_fadv_noreuse-ranges.patch
new file mode 100644
index 0000000000..c32e7392e9
--- /dev/null
+++ b/queue-6.12/f2fs-keep-posix_fadv_noreuse-ranges.patch
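Review bot: The ABI entry for `reserved_pin_section` does not state the accepted range, although the new `__sbi_store()` branch rejects anything above `GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi))` with `-EINVAL` and accepts 0. A sentence such as `Valid range: 0 to ovp_sections.` in the Description would cover it. On zoned devices the default set in `f2fs_fill_super()` is `ZONED_PIN_SEC_REQUIRED_COUNT`, not the overprovision value used as the upper bound, so if the former can exceed the latter the default could not be written back; that constant is defined outside the hunk. In the store branch the trailing `*ui = (unsigned int)t; return count;` duplicates the fall-through directly below it and can be dropped.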
@@ -0,0 +1,215 @@ +From 77a08e1aaa4cd65fd71e96e14446a86024beb413 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 22:27:56 +0000 +Subject: f2fs: keep POSIX_FADV_NOREUSE ranges + +From: Jaegeuk Kim + +[ Upstream commit ef0c333cad8d1940f132a7ce15f15920216a3bd5 ] + +This patch records POSIX_FADV_NOREUSE ranges for users to reclaim the caches +instantly off from LRU. + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: e462fc48ceb8 ("f2fs: maintain one time GC mode is enabled during whole zoned GC cycle") +Signed-off-by: Sasha Levin +--- + fs/f2fs/debug.c | 3 +++ + fs/f2fs/f2fs.h | 12 +++++++++- + fs/f2fs/file.c | 60 ++++++++++++++++++++++++++++++++++++++++++++----- + fs/f2fs/inode.c | 14 ++++++++++++ + fs/f2fs/super.c | 1 + + 5 files changed, 84 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c +index 546b8ba912613..a3f807c3b72cb 100644 +--- a/fs/f2fs/debug.c ++++ b/fs/f2fs/debug.c +@@ -100,6 +100,7 @@ static void update_general_status(struct f2fs_sb_info *sbi) + si->ndirty_imeta = get_pages(sbi, F2FS_DIRTY_IMETA); + si->ndirty_dirs = sbi->ndirty_inode[DIR_INODE]; + si->ndirty_files = sbi->ndirty_inode[FILE_INODE]; ++ si->ndonate_files = sbi->donate_files; + si->nquota_files = sbi->nquota_files; + si->ndirty_all = sbi->ndirty_inode[DIRTY_META]; + si->aw_cnt = atomic_read(&sbi->atomic_files); +@@ -435,6 +436,8 @@ static int stat_show(struct seq_file *s, void *v) + si->compr_inode, si->compr_blocks); + seq_printf(s, " - Swapfile Inode: %u\n", + si->swapfile_inode); ++ seq_printf(s, " - Donate Inode: %u\n", ++ si->ndonate_files); + seq_printf(s, " - Orphan/Append/Update Inode: %u, %u, %u\n", + si->orphans, si->append, si->update); + seq_printf(s, "\nMain area: %d segs, %d secs %d zones\n", +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 0d3ef487f72ac..7ced2e2c65746 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -849,6 +849,11 @@ struct f2fs_inode_info { + #endif + struct list_head dirty_list; /* 
dirty list for dirs and files */ + struct list_head gdirty_list; /* linked in global dirty list */ ++ ++ /* linked in global inode list for cache donation */ ++ struct list_head gdonate_list; ++ pgoff_t donate_start, donate_end; /* inclusive */ ++ + struct task_struct *atomic_write_task; /* store atomic write task */ + struct extent_tree *extent_tree[NR_EXTENT_CACHES]; + /* cached extent_tree entry */ +@@ -1274,6 +1279,7 @@ enum inode_type { + DIR_INODE, /* for dirty dir inode */ + FILE_INODE, /* for dirty regular/symlink inode */ + DIRTY_META, /* for all dirtied inode metadata */ ++ DONATE_INODE, /* for all inode to donate pages */ + NR_INODE_TYPE, + }; + +@@ -1629,6 +1635,9 @@ struct f2fs_sb_info { + unsigned int warm_data_age_threshold; + unsigned int last_age_weight; + ++ /* control donate caches */ ++ unsigned int donate_files; ++ + /* basic filesystem units */ + unsigned int log_sectors_per_block; /* log2 sectors per block */ + unsigned int log_blocksize; /* log2 block size */ +@@ -3997,7 +4006,8 @@ struct f2fs_stat_info { + unsigned long long allocated_data_blocks; + int ndirty_node, ndirty_dent, ndirty_meta, ndirty_imeta; + int ndirty_data, ndirty_qdata; +- unsigned int ndirty_dirs, ndirty_files, nquota_files, ndirty_all; ++ unsigned int ndirty_dirs, ndirty_files, ndirty_all; ++ unsigned int nquota_files, ndonate_files; + int nats, dirty_nats, sits, dirty_sits; + int free_nids, avail_nids, alloc_nids; + int total_count, utilization; +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 6317dd523ecd1..b8d24c1c48bd4 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2452,6 +2452,52 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) + return ret; + } + ++static void f2fs_keep_noreuse_range(struct inode *inode, ++ loff_t offset, loff_t len) ++{ ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode); ++ u64 max_bytes = F2FS_BLK_TO_BYTES(max_file_blocks(inode)); ++ u64 start, end; ++ ++ if (!S_ISREG(inode->i_mode)) ++ return; ++ ++ if (offset >= 
max_bytes || len > max_bytes || ++ (offset + len) > max_bytes) ++ return; ++ ++ start = offset >> PAGE_SHIFT; ++ end = DIV_ROUND_UP(offset + len, PAGE_SIZE); ++ ++ inode_lock(inode); ++ if (f2fs_is_atomic_file(inode)) { ++ inode_unlock(inode); ++ return; ++ } ++ ++ spin_lock(&sbi->inode_lock[DONATE_INODE]); ++ /* let's remove the range, if len = 0 */ ++ if (!len) { ++ if (!list_empty(&F2FS_I(inode)->gdonate_list)) { ++ list_del_init(&F2FS_I(inode)->gdonate_list); ++ sbi->donate_files--; ++ } ++ } else { ++ if (list_empty(&F2FS_I(inode)->gdonate_list)) { ++ list_add_tail(&F2FS_I(inode)->gdonate_list, ++ &sbi->inode_list[DONATE_INODE]); ++ sbi->donate_files++; ++ } else { ++ list_move_tail(&F2FS_I(inode)->gdonate_list, ++ &sbi->inode_list[DONATE_INODE]); ++ } ++ F2FS_I(inode)->donate_start = start; ++ F2FS_I(inode)->donate_end = end - 1; ++ } ++ spin_unlock(&sbi->inode_lock[DONATE_INODE]); ++ inode_unlock(inode); ++} ++ + static int f2fs_ioc_fitrim(struct file *filp, unsigned long arg) + { + struct inode *inode = file_inode(filp); +@@ -5144,12 +5190,16 @@ static int f2fs_file_fadvise(struct file *filp, loff_t offset, loff_t len, + } + + err = generic_fadvise(filp, offset, len, advice); +- if (!err && advice == POSIX_FADV_DONTNEED && +- test_opt(F2FS_I_SB(inode), COMPRESS_CACHE) && +- f2fs_compressed_file(inode)) +- f2fs_invalidate_compress_pages(F2FS_I_SB(inode), inode->i_ino); ++ if (err) ++ return err; + +- return err; ++ if (advice == POSIX_FADV_DONTNEED && ++ (test_opt(F2FS_I_SB(inode), COMPRESS_CACHE) && ++ f2fs_compressed_file(inode))) ++ f2fs_invalidate_compress_pages(F2FS_I_SB(inode), inode->i_ino); ++ else if (advice == POSIX_FADV_NOREUSE) ++ f2fs_keep_noreuse_range(inode, offset, len); ++ return 0; + } + + #ifdef CONFIG_COMPAT +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 41ead6c772e48..c77184dbc71cd 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -807,6 +807,19 @@ int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc) + 
return 0; + } + ++static void f2fs_remove_donate_inode(struct inode *inode) ++{ ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode); ++ ++ if (list_empty(&F2FS_I(inode)->gdonate_list)) ++ return; ++ ++ spin_lock(&sbi->inode_lock[DONATE_INODE]); ++ list_del_init(&F2FS_I(inode)->gdonate_list); ++ sbi->donate_files--; ++ spin_unlock(&sbi->inode_lock[DONATE_INODE]); ++} ++ + /* + * Called at the last iput() if i_nlink is zero + */ +@@ -841,6 +854,7 @@ void f2fs_evict_inode(struct inode *inode) + + f2fs_bug_on(sbi, get_dirty_pages(inode)); + f2fs_remove_dirty_inode(inode); ++ f2fs_remove_donate_inode(inode); + + f2fs_destroy_extent_tree(inode); + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 875aef2fc5205..3be4e8bcbd138 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1429,6 +1429,7 @@ static struct inode *f2fs_alloc_inode(struct super_block *sb) + spin_lock_init(&fi->i_size_lock); + INIT_LIST_HEAD(&fi->dirty_list); + INIT_LIST_HEAD(&fi->gdirty_list); ++ INIT_LIST_HEAD(&fi->gdonate_list); + init_f2fs_rwsem(&fi->i_gc_rwsem[READ]); + init_f2fs_rwsem(&fi->i_gc_rwsem[WRITE]); + init_f2fs_rwsem(&fi->i_xattr_sem); +-- +2.51.0 + diff --git a/queue-6.12/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch b/queue-6.12/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch new file mode 100644 index 0000000000..aeeca54d7d --- /dev/null +++ b/queue-6.12/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch 
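Review bot: `f2fs_keep_noreuse_range()` gives `len == 0` the meaning "forget the donated range", whereas a zero length for `posix_fadvise()` normally means "through end of file", and it keeps only one range per inode so a later call replaces the earlier one. The only documentation is the one-line `/* let's remove the range, if len = 0 */`. A function comment stating both rules, and that out-of-range, atomic-file or non-regular-file requests are ignored while `f2fs_file_fadvise()` still returns 0, would make the user-visible contract clear. In `f2fs_remove_donate_inode()` the `list_empty()` test runs before `inode_lock[DONATE_INODE]` is taken; this is presumably safe because the only caller shown is `f2fs_evict_inode()`, but a comment saying why the unlocked check is sufficient would help the next reader.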
@@ -0,0 +1,88 @@ +From f34e0d82f4602868253686a7f28e22410e6bc5e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 15:43:08 -0700 +Subject: f2fs: maintain one time GC mode is enabled during whole zoned GC + cycle + +From: Daeho Jeong + +[ Upstream commit e462fc48ceb8224811c3224650afed05cb7f0872 ] + +The current version missed setting one time GC for normal zoned GC +cycle. So, valid threshold control is not working. Need to fix it to +prevent excessive GC for zoned devices. + +Fixes: e791d00bd06c ("f2fs: add valid block ratio not to do excessive GC for one time GC") +Signed-off-by: Daeho Jeong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/gc.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 12737dfba5efb..2dda8f23c0b99 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -38,13 +38,14 @@ static int gc_thread_func(void *data) + struct f2fs_gc_control gc_control = { + .victim_segno = NULL_SEGNO, + .should_migrate_blocks = false, +- .err_gc_skipped = false }; ++ .err_gc_skipped = false, ++ .one_time = false }; + + wait_ms = gc_th->min_sleep_time; + + set_freezable(); + do { +- bool sync_mode, foreground = false; ++ bool sync_mode, foreground = false, gc_boost = false; + + wait_event_freezable_timeout(*wq, + kthread_should_stop() || +@@ -52,8 +53,12 @@ static int gc_thread_func(void *data) + gc_th->gc_wake, + msecs_to_jiffies(wait_ms)); + +- if (test_opt(sbi, GC_MERGE) && waitqueue_active(fggc_wq)) ++ if (test_opt(sbi, GC_MERGE) && waitqueue_active(fggc_wq)) { + foreground = true; ++ gc_control.one_time = false; ++ } else if (f2fs_sb_has_blkzoned(sbi)) { ++ gc_control.one_time = true; ++ } + + /* give it a try one time */ + if (gc_th->gc_wake) +@@ -81,8 +86,6 @@ static int gc_thread_func(void *data) + continue; + } + +- gc_control.one_time = false; +- + /* + * [GC triggering condition] + * 0. GC is not conducted currently. 
+@@ -132,7 +135,7 @@ static int gc_thread_func(void *data) + if (need_to_boost_gc(sbi)) { + decrease_sleep_time(gc_th, &wait_ms); + if (f2fs_sb_has_blkzoned(sbi)) +- gc_control.one_time = true; ++ gc_boost = true; + } else { + increase_sleep_time(gc_th, &wait_ms); + } +@@ -141,7 +144,7 @@ static int gc_thread_func(void *data) + FOREGROUND : BACKGROUND); + + sync_mode = (F2FS_OPTION(sbi).bggc_mode == BGGC_MODE_SYNC) || +- (gc_control.one_time && gc_th->boost_gc_greedy); ++ (gc_boost && gc_th->boost_gc_greedy); + + /* foreground GC was been triggered via f2fs_balance_fs() */ + if (foreground) +-- +2.51.0 + diff --git a/queue-6.12/f2fs-sysfs-add-encoding_flags-entry.patch b/queue-6.12/f2fs-sysfs-add-encoding_flags-entry.patch new file mode 100644 index 0000000000..f21ea32d9c --- /dev/null +++ b/queue-6.12/f2fs-sysfs-add-encoding_flags-entry.patch 
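Review bot: With the per-iteration reset `gc_control.one_time = false;` removed, the new if/else-if near the top of the loop in gc_thread_func() leaves the field untouched when neither branch is taken, so its value carries over from the previous iteration. Nothing visible in these hunks sets it to true on a non-zoned device, but an unconditional assignment would not depend on that: keep the `foreground = true;` test and follow it with `gc_control.one_time = !foreground && f2fs_sb_has_blkzoned(sbi);`. The added `.one_time = false` in the initializer is redundant, since a designated initializer already zero-fills the members it does not name. The function body extends outside the hunks shown.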
@@ -0,0 +1,100 @@ +From 6a88497baa85b33bb176a760e3174e7efa15f411 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 15:47:25 +0800 +Subject: f2fs: sysfs: add encoding_flags entry + +From: Chao Yu + +[ Upstream commit 3fea0641b06ff4e53d95d07a96764d8951d4ced6 ] + +This patch adds a new sysfs entry /sys/fs/f2fs//encoding_flags, +it is a read-only entry to show the value of sb.s_encoding_flags, the +value is hexadecimal. + +============================ ========== +Flag_Name Flag_Value +============================ ========== +SB_ENC_STRICT_MODE_FL 0x00000001 +SB_ENC_NO_COMPAT_FALLBACK_FL 0x00000002 +============================ ========== + +case#1 +mkfs.f2fs -f -O casefold -C utf8:strict /dev/vda +mount /dev/vda /mnt/f2fs +cat /sys/fs/f2fs/vda/encoding_flags +1 + +case#2 +mkfs.f2fs -f -O casefold -C utf8 /dev/vda +fsck.f2fs --nolinear-lookup=1 /dev/vda +mount /dev/vda /mnt/f2fs +cat /sys/fs/f2fs/vda/encoding_flags +2 + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: e462fc48ceb8 ("f2fs: maintain one time GC mode is enabled during whole zoned GC cycle") +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-fs-f2fs | 13 +++++++++++++ + fs/f2fs/sysfs.c | 9 +++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs b/Documentation/ABI/testing/sysfs-fs-f2fs +index c7ebda8c677e5..87b32ca7f3a46 100644 +--- a/Documentation/ABI/testing/sysfs-fs-f2fs ++++ b/Documentation/ABI/testing/sysfs-fs-f2fs +@@ -845,3 +845,16 @@ Description: For several zoned storage devices, vendors will provide extra space + reserved_blocks. However, it is not enough, since this extra space should + not be shown to users. So, with this new sysfs node, we can hide the space + by substracting reserved_blocks from total bytes. ++ ++What: /sys/fs/f2fs//encoding_flags ++Date: April 2025 ++Contact: "Chao Yu" ++Description: This is a read-only entry to show the value of sb.s_encoding_flags, the ++ value is hexadecimal. 
++ ++ ============================ ========== ++ Flag_Name Flag_Value ++ ============================ ========== ++ SB_ENC_STRICT_MODE_FL 0x00000001 ++ SB_ENC_NO_COMPAT_FALLBACK_FL 0x00000002 ++ ============================ ========== +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 9b4768b1efac5..309b73421dd92 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -274,6 +274,13 @@ static ssize_t encoding_show(struct f2fs_attr *a, + return sysfs_emit(buf, "(none)\n"); + } + ++static ssize_t encoding_flags_show(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, char *buf) ++{ ++ return sysfs_emit(buf, "%x\n", ++ le16_to_cpu(F2FS_RAW_SUPER(sbi)->s_encoding_flags)); ++} ++ + static ssize_t mounted_time_sec_show(struct f2fs_attr *a, + struct f2fs_sb_info *sbi, char *buf) + { +@@ -1181,6 +1188,7 @@ F2FS_GENERAL_RO_ATTR(features); + F2FS_GENERAL_RO_ATTR(current_reserved_blocks); + F2FS_GENERAL_RO_ATTR(unusable); + F2FS_GENERAL_RO_ATTR(encoding); ++F2FS_GENERAL_RO_ATTR(encoding_flags); + F2FS_GENERAL_RO_ATTR(mounted_time_sec); + F2FS_GENERAL_RO_ATTR(main_blkaddr); + F2FS_GENERAL_RO_ATTR(pending_discard); +@@ -1293,6 +1301,7 @@ static struct attribute *f2fs_attrs[] = { + ATTR_LIST(reserved_blocks), + ATTR_LIST(current_reserved_blocks), + ATTR_LIST(encoding), ++ ATTR_LIST(encoding_flags), + ATTR_LIST(mounted_time_sec), + #ifdef CONFIG_F2FS_STAT_FS + ATTR_LIST(cp_foreground_calls), +-- +2.51.0 + diff --git a/queue-6.12/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch b/queue-6.12/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch new file mode 100644 index 0000000000..65de8bd881 --- /dev/null +++ b/queue-6.12/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch 
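Review bot: encoding_flags_show() prints the value with `%x`, so it carries no `0x` prefix and a reader cannot tell a hexadecimal `10` from a decimal one. The ABI text says only "the value is hexadecimal" and its table lists `0x`-prefixed values, while the commit message's examples print `1` and `2`. Since this is a new user-visible node, the Description should state the exact format, for example `the value is printed in hexadecimal without a 0x prefix`. Separately, the patch is queued as Stable-dep-of the zoned GC fix but touches only sysfs.c and the ABI document, so it is worth confirming what the GC patch needs from it (not evident from these hunks) before a stable tree gains a new sysfs entry.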
@@ -0,0 +1,64 @@ +From 56ca192666a093eb2cd55224d09cb8b489018871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 12:15:35 +0100 +Subject: fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ] + +After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"), +the return values of utf8_to_utf32() and utf32_to_utf8() are +inconsistent when encountering an error: utf8_to_utf32() returns -1, +while utf32_to_utf8() returns errno codes. Fix this inconsistency +by modifying utf8_to_utf32() to return errno codes as well. + +Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion") +Suggested-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + fs/nls/nls_base.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index d434c4463a8f7..a5c3a9f1b8dc5 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu) + l &= t->lmask; + if (l < t->lval || l > UNICODE_MAX || + (l & SURROGATE_MASK) == SURROGATE_PAIR) +- return -1; ++ return -EILSEQ; ++ + *pu = (unicode_t) l; + return nc; + } + if (inlen <= nc) +- return -1; ++ return -EOVERFLOW; ++ + s++; + c = (*s ^ 0x80) & 0xFF; + if (c & 0xC0) +- return -1; ++ return -EILSEQ; ++ + l = (l << 6) | c; + } +- return -1; ++ return -EILSEQ; + } + EXPORT_SYMBOL(utf8_to_utf32); + +-- +2.51.0 + diff --git a/queue-6.12/fs-nls-fix-utf16-to-utf8-conversion.patch b/queue-6.12/fs-nls-fix-utf16-to-utf8-conversion.patch new file mode 100644 index 0000000000..cc5ec397c5 --- /dev/null 
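Review bot: utf8_to_utf32() now returns two distinct negative errno values, but nothing in the hunk documents them. A short comment above the function would fix the contract for callers, e.g. `/* Returns the number of bytes consumed, -EILSEQ for an invalid sequence, -EOVERFLOW if the sequence runs past inlen */`. Any caller that still compares the result with `-1` would silently stop detecting malformed input after this change. The callers are outside the hunk, so each needs a check that it tests `< 0`. The function itself starts before the hunk.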
+++ b/queue-6.12/fs-nls-fix-utf16-to-utf8-conversion.patch 
@@ -0,0 +1,81 @@ +From d3b13f76b9b8fe1a96253766230e7155c56e9fdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 14:11:22 +0100 +Subject: fs/nls: Fix utf16 to utf8 conversion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 25524b6190295577e4918c689644451365e6466d ] + +Currently the function responsible for converting between utf16 and +utf8 strings will ignore any characters that cannot be converted. This +however also includes multi-byte characters that do not fit into the +provided string buffer. + +This can cause problems if such a multi-byte character is followed by +a single-byte character. In such a case the multi-byte character might +be ignored when the provided string buffer is too small, but the +single-byte character might fit and is thus still copied into the +resulting string. + +Fix this by stop filling the provided string buffer once a character +does not fit. In order to be able to do this extend utf32_to_utf8() +to return useful errno codes instead of -1. 
+ +Fixes: 74675a58507e ("NLS: update handling of Unicode") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + fs/nls/nls_base.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index 18d597e49a194..d434c4463a8f7 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout) + + l = u; + if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR) +- return -1; ++ return -EILSEQ; + + nc = 0; + for (t = utf8_table; t->cmask && maxout; t++, maxout--) { +@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout) + return nc; + } + } +- return -1; ++ return -EOVERFLOW; + } + EXPORT_SYMBOL(utf32_to_utf8); + +@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian, + inlen--; + } + size = utf32_to_utf8(u, op, maxout); +- if (size == -1) { +- /* Ignore character and move on */ ++ if (size < 0) { ++ if (size == -EILSEQ) { ++ /* Ignore character and move on */ ++ continue; ++ } ++ /* ++ * Stop filling the buffer with data once a character ++ * does not fit anymore. ++ */ ++ break; + } else { + op += size; + maxout -= size; +-- +2.51.0 + diff --git a/queue-6.12/nfs-automounted-filesystems-should-inherit-ro-noexec.patch b/queue-6.12/nfs-automounted-filesystems-should-inherit-ro-noexec.patch new file mode 100644 index 0000000000..a87c19eba4 --- /dev/null +++ b/queue-6.12/nfs-automounted-filesystems-should-inherit-ro-noexec.patch 
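Review bot: In utf16s_to_utf8s() the error branch now always leaves the iteration through `continue` or `break`, so the trailing `else { op += size; maxout -= size; }` is needless nesting. `if (size == -EILSEQ) continue;` followed by `if (size < 0) break;`, with the two updates unindented after them, reads more directly. As far as the hunk shows, stopping at a character that does not fit is silent: nothing visible records that the output was cut short, so a caller using the result as a name cannot tell a complete conversion from a truncated one, which deserves a sentence in the function comment. The loop header and the return statement are outside the hunk.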
@@ -0,0 +1,65 @@ +From e9e7a613af7dbd6f2ef237ca758a803ffba89ef2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 14:22:44 -0500 +Subject: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync + flags + +From: Trond Myklebust + +[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ] + +When a filesystem is being automounted, it needs to preserve the +user-set superblock mount options, such as the "ro" flag. + +Reported-by: Li Lingfeng +Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ +Fixes: f2aedb713c28 ("NFS: Add fs_context support.") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/namespace.c | 6 ++++++ + fs/nfs/super.c | 4 ---- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index e7494cdd957e5..40d7163bca870 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path) + struct vfsmount *mnt = ERR_PTR(-ENOMEM); + struct nfs_server *server = NFS_SB(path->dentry->d_sb); + struct nfs_client *client = server->nfs_client; ++ unsigned long s_flags = path->dentry->d_sb->s_flags; + int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout); + int ret; + +@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path) + fc->net_ns = get_net(client->cl_net); + } + ++ /* Inherit the flags covered by NFS_SB_MASK */ ++ fc->sb_flags_mask |= NFS_SB_MASK; ++ fc->sb_flags &= ~NFS_SB_MASK; ++ fc->sb_flags |= s_flags & NFS_SB_MASK; ++ + /* for submounts we want the same server; referrals will reassign */ + memcpy(&ctx->nfs_server._address, &client->cl_addr, client->cl_addrlen); + ctx->nfs_server.addrlen = client->cl_addrlen; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index ae5c5e39afa03..fbd5ed4639862 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1310,10 +1310,6 @@ int nfs_get_tree_common(struct fs_context *fc) + if (server->flags & 
NFS_MOUNT_NOAC) + fc->sb_flags |= SB_SYNCHRONOUS; + +- if (ctx->clone_data.sb) +- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS) +- fc->sb_flags |= SB_SYNCHRONOUS; +- + /* Get a superblock - note that we may end up sharing one that already exists */ + fc->s_fs_info = server; + s = sget_fc(fc, compare_super, nfs_set_super); +-- +2.51.0 + diff --git a/queue-6.12/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch b/queue-6.12/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch new file mode 100644 index 0000000000..3ee2f0a120 --- /dev/null +++ b/queue-6.12/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch 
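Review bot: The new comment `/* Inherit the flags covered by NFS_SB_MASK */` in nfs_d_automount() does not say which flags those are, yet the super.c hunk deletes the explicit SB_SYNCHRONOUS inheritance from nfs_get_tree_common() on the assumption that the mask covers it. NFS_SB_MASK is defined outside these hunks, so a reader cannot confirm from here that ro, noexec, nodev and sync (the flags named in the subject) are all included. Once checked against the definition, the comment could name them, e.g. `/* Inherit ro, noexec, nodev and sync from the parent superblock (NFS_SB_MASK) */`. `s_flags` is also sampled with a plain read at function entry; `READ_ONCE()` there would make it explicit that a single snapshot of the parent's flags is intended.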
@@ -0,0 +1,97 @@ +From 0f2f03d92d288776dcf5a2c4fa617a7b2dfb50e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 15:28:17 -0500 +Subject: NFS: Avoid changing nlink when file removes and attribute updates + race + +From: Trond Myklebust + +[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ] + +If a file removal races with another operation that updates its +attributes, then skip the change to nlink, and just mark the attributes +as being stale. + +Reported-by: Aiden Lambert +Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 048ce25ebfb70..01af2bb8a7216 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1903,13 +1903,15 @@ static int nfs_dentry_delete(const struct dentry *dentry) + } + + /* Ensure that we revalidate inode->i_nlink */ +-static void nfs_drop_nlink(struct inode *inode) ++static void nfs_drop_nlink(struct inode *inode, unsigned long gencount) + { ++ struct nfs_inode *nfsi = NFS_I(inode); ++ + spin_lock(&inode->i_lock); + /* drop the inode if we're reasonably sure this is the last link */ +- if (inode->i_nlink > 0) ++ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount) + drop_nlink(inode); +- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter(); ++ nfsi->attr_gencount = nfs_inc_attr_generation_counter(); + nfs_set_cache_invalid( + inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME | + NFS_INO_INVALID_NLINK); +@@ -1923,8 +1925,9 @@ static void nfs_drop_nlink(struct inode *inode) + static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode) + { + if (dentry->d_flags & DCACHE_NFSFS_RENAMED) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); + nfs_complete_unlink(dentry, inode); +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, 
gencount); + } + iput(inode); + } +@@ -2523,9 +2526,11 @@ static int nfs_safe_remove(struct dentry *dentry) + + trace_nfs_remove_enter(dir, dentry); + if (inode != NULL) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); ++ + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == 0) +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, gencount); + } else + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == -ENOENT) +@@ -2725,6 +2730,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + { + struct inode *old_inode = d_inode(old_dentry); + struct inode *new_inode = d_inode(new_dentry); ++ unsigned long new_gencount = 0; + struct dentry *dentry = NULL; + struct rpc_task *task; + bool must_unblock = false; +@@ -2777,6 +2783,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + } else { + block_revalidate(new_dentry); + must_unblock = true; ++ new_gencount = NFS_I(new_inode)->attr_gencount; + spin_unlock(&new_dentry->d_lock); + } + +@@ -2816,7 +2823,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + new_dir, new_dentry, error); + if (!error) { + if (new_inode != NULL) +- nfs_drop_nlink(new_inode); ++ nfs_drop_nlink(new_inode, new_gencount); + /* + * The d_move() should be here instead of in an async RPC completion + * handler because we need the proper locks to move the dentry. If +-- +2.51.0 + diff --git a/queue-6.12/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch b/queue-6.12/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch new file mode 100644 index 0000000000..70afeca52d --- /dev/null +++ b/queue-6.12/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch 
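Review bot: nfs_rename() samples the counter with a plain load, `new_gencount = NFS_I(new_inode)->attr_gencount;`, while the two other sites added by this patch, nfs_dentry_iput() and nfs_safe_remove(), use `READ_ONCE()`. The value is later compared under `inode->i_lock` in nfs_drop_nlink(), so the snapshot should be taken the same way: `new_gencount = READ_ONCE(NFS_I(new_inode)->attr_gencount);`. `new_gencount` also stays 0 on every path that does not reach that else-branch, in which case the `gencount == nfsi->attr_gencount` test will presumably never match and the link count is only invalidated, not dropped. If that is intended it deserves a comment at the declaration. nfs_rename() extends well beyond the hunks shown.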
@@ -0,0 +1,178 @@ +From 359a1f94b0175d8b7c2538e88971380acb932e74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 16:06:41 -0500 +Subject: NFS: Fix inheritance of the block sizes when automounting + +From: Trond Myklebust + +[ Upstream commit 2b092175f5e301cdaa935093edfef2be9defb6df ] + +Only inherit the block sizes that were actually specified as mount +parameters for the parent mount. + +Fixes: 62a55d088cd8 ("NFS: Additional refactoring for fs_context conversion") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 21 +++++++++++++++++---- + fs/nfs/internal.h | 1 - + fs/nfs/namespace.c | 5 ++++- + fs/nfs/nfs4client.c | 18 ++++++++++++++---- + fs/nfs/super.c | 10 +++------- + include/linux/nfs_fs_sb.h | 5 +++++ + 6 files changed, 43 insertions(+), 17 deletions(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 035474f3fb8f3..5fe20936e1455 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -767,10 +767,18 @@ static int nfs_init_server(struct nfs_server *server, + server->fattr_valid = NFS_ATTR_FATTR_V4; + } + +- if (ctx->rsize) ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { + server->rsize = nfs_io_size(ctx->rsize, clp->cl_proto); +- if (ctx->wsize) ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { + server->wsize = nfs_io_size(ctx->wsize, clp->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +@@ -962,8 +970,13 @@ EXPORT_SYMBOL_GPL(nfs_probe_server); + void nfs_server_copy_userdata(struct nfs_server *target, struct nfs_server *source) + { + target->flags = source->flags; +- target->rsize = source->rsize; +- target->wsize = source->wsize; ++ target->automount_inherit = source->automount_inherit; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ 
target->bsize = source->bsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_RSIZE) ++ target->rsize = source->rsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_WSIZE) ++ target->wsize = source->wsize; + target->acregmin = source->acregmin; + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 63ee469d6c8f7..b0ab79894544f 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -152,7 +152,6 @@ struct nfs_fs_context { + struct super_block *sb; + struct dentry *dentry; + struct nfs_fattr *fattr; +- unsigned int inherited_bsize; + } clone_data; + }; + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index 40d7163bca870..923b5c1eb47e9 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -190,6 +190,10 @@ struct vfsmount *nfs_d_automount(struct path *path) + ctx->nfs_mod = client->cl_nfs_mod; + __module_get(ctx->nfs_mod->owner); + ++ /* Inherit block sizes if they were specified as mount parameters */ ++ if (server->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ ctx->bsize = server->bsize; ++ + ret = client->rpc_ops->submount(fc, server); + if (ret < 0) { + mnt = ERR_PTR(ret); +@@ -290,7 +294,6 @@ int nfs_do_submount(struct fs_context *fc) + return -ENOMEM; + + ctx->internal = true; +- ctx->clone_data.inherited_bsize = ctx->clone_data.sb->s_blocksize_bits; + + p = nfs_devname(dentry, buffer, 4096); + if (IS_ERR(p)) { +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index b14688da814d6..3f31d05e87ae1 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1176,10 +1176,20 @@ static int nfs4_init_server(struct nfs_server *server, struct fs_context *fc) + if (error < 0) + return error; + +- if (ctx->rsize) +- server->rsize = nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); +- if (ctx->wsize) +- server->wsize = nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ 
server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { ++ server->rsize = ++ nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { ++ server->wsize = ++ nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index fbd5ed4639862..079393dc10956 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1086,8 +1086,9 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) + sb->s_blocksize = 0; + sb->s_xattr = server->nfs_client->cl_nfs_mod->xattr; + sb->s_op = server->nfs_client->cl_nfs_mod->sops; +- if (ctx->bsize) +- sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits); ++ if (server->bsize) ++ sb->s_blocksize = ++ nfs_block_size(server->bsize, &sb->s_blocksize_bits); + + switch (server->nfs_client->rpc_ops->version) { + case 2: +@@ -1333,13 +1334,8 @@ int nfs_get_tree_common(struct fs_context *fc) + } + + if (!s->s_root) { +- unsigned bsize = ctx->clone_data.inherited_bsize; + /* initial superblock/root creation */ + nfs_fill_super(s, ctx); +- if (bsize) { +- s->s_blocksize_bits = bsize; +- s->s_blocksize = 1U << bsize; +- } + error = nfs_get_cache_cookie(s, ctx); + if (error < 0) + goto error_splat_super; +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index 97edf7b583d5e..9b06695c79665 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -169,6 +169,11 @@ struct nfs_server { + #define NFS_MOUNT_SHUTDOWN 0x08000000 + #define NFS_MOUNT_NO_ALIGNWRITE 0x10000000 + ++ unsigned int automount_inherit; /* Properties inherited by automount */ ++#define NFS_AUTOMOUNT_INHERIT_BSIZE 0x0001 ++#define NFS_AUTOMOUNT_INHERIT_RSIZE 0x0002 ++#define NFS_AUTOMOUNT_INHERIT_WSIZE 0x0004 ++ + 
unsigned int caps; /* server capabilities */ + __u64 fattr_valid; /* Valid attributes */ + unsigned int rsize; /* read size */ +-- +2.51.0 + diff --git a/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch b/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch new file mode 100644 index 0000000000..93064834ec --- /dev/null +++ b/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch 
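Review bot: The three-branch block that records `bsize`/`rsize`/`wsize` and sets the matching `NFS_AUTOMOUNT_INHERIT_*` bit is added to both nfs_init_server() in client.c and nfs4_init_server() in nfs4client.c, and nfs_server_copy_userdata() is a third place that has to know the same bit list. A single static helper taking the server, the context and the transport protocol, called from both init functions, would keep value and flag from drifting apart when another inheritable parameter is added. Separately, nfs_fill_super() now tests `server->bsize` instead of `ctx->bsize`. If anything other than the mount parameter can fill `server->bsize` (not visible in these hunks), the superblock block size would now follow it, which is worth confirming.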
@@ -0,0 +1,69 @@ +From 2256a9df2a58736d8d0b5390077cd1a1abc65380 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:43:21 -0500 +Subject: NFS: Initialise verifiers for visible dentries in + _nfs4_open_and_get_state + +From: Trond Myklebust + +[ Upstream commit 0f900f11002ff52391fc2aa4a75e59f26ed1c242 ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in _nfs4_open_and_get_state(). + +Reported-by: Michael Stoler +Fixes: cf5b4059ba71 ("NFSv4: Fix races between open and dentry revalidation") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 7fe71aaa18666..172ff213b50b6 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3148,18 +3148,6 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + if (opendata->o_res.rflags & NFS4_OPEN_RESULT_PRESERVE_UNLINKED) + set_bit(NFS_INO_PRESERVE_UNLINKED, &NFS_I(state->inode)->flags); + +- dentry = opendata->dentry; +- if (d_really_is_negative(dentry)) { +- struct dentry *alias; +- d_drop(dentry); +- alias = d_splice_alias(igrab(state->inode), dentry); +- /* d_splice_alias() can't fail here - it's a non-directory */ +- if (alias) { +- dput(ctx->dentry); +- ctx->dentry = dentry = alias; +- } +- } +- + switch(opendata->o_arg.claim) { + default: + break; +@@ -3170,7 +3158,20 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + break; + if (opendata->o_res.delegation.type != 0) + dir_verifier = nfs_save_change_attribute(dir); +- nfs_set_verifier(dentry, dir_verifier); ++ } ++ ++ dentry = opendata->dentry; ++ nfs_set_verifier(dentry, dir_verifier); ++ if (d_really_is_negative(dentry)) { ++ struct dentry *alias; ++ d_drop(dentry); ++ alias = d_splice_alias(igrab(state->inode), dentry); ++ /* d_splice_alias() can't fail here - it's a non-directory */ ++ if (alias) { ++ 
dput(ctx->dentry); ++ nfs_set_verifier(alias, dir_verifier); ++ ctx->dentry = dentry = alias; ++ } + } + + /* Parse layoutget results before we check for access */ +-- +2.51.0 + diff --git a/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch b/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch new file mode 100644 index 0000000000..047f61e3da --- /dev/null +++ b/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch @@ -0,0 +1,41 @@ +From 0be6a3b9b82d512cd55c1c9dfa7f76074a73eee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:39:50 -0500 +Subject: NFS: Initialise verifiers for visible dentries in nfs_atomic_open() + +From: Trond Myklebust + +[ Upstream commit 518c32a1bc4f8df1a8442ee8cdfea3e2fcff20a0 ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in nfs_atomic_open(). + +Reported-by: Michael Stoler +Fixes: 809fd143de88 ("NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 8c4fcd140fa13..1cf1b2ddbf549 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2151,12 +2151,12 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry, + d_drop(dentry); + switch (err) { + case -ENOENT: +- d_splice_alias(NULL, dentry); + if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE)) + dir_verifier = inode_peek_iversion_raw(dir); + else + dir_verifier = nfs_save_change_attribute(dir); + nfs_set_verifier(dentry, dir_verifier); ++ d_splice_alias(NULL, dentry); + break; + case -EISDIR: + case -ENOTDIR: +-- +2.51.0 + diff --git a/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch b/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch new file mode 100644 index 0000000000..f9dc120743 --- /dev/null 
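Review bot: Moving `nfs_set_verifier(dentry, dir_verifier);` out of the `switch` in _nfs4_open_and_get_state() makes it run for every claim type, including the `default:` case and the early `break` just above the delegation check, both of which previously skipped it. On those paths `dir_verifier` holds whatever it was initialised with before the hunk, which is not visible here. If stamping the dentry with that value is intended, a comment should say so, e.g. `/* set unconditionally: the dentry must carry a verifier before d_splice_alias() exposes it */`. The function starts and ends outside the hunk.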
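Review bot: The only change in nfs_atomic_open()'s `-ENOENT` case is the order of `nfs_set_verifier()` and `d_splice_alias(NULL, dentry)`, and nothing in the code says the order matters, so a later cleanup could undo the fix without anyone noticing. A one-line comment before the splice would pin it: `/* the verifier must be set before d_splice_alias() makes the dentry visible */`. The same applies to the reordered calls in nfs_prime_dcache() and nfs_lookup() in the patch that follows.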
+++ b/queue-6.12/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch @@ -0,0 +1,62 @@ +From 265eb78e453405b34d58953d45fe472cdfc95128 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:36:16 -0500 +Subject: NFS: Initialise verifiers for visible dentries in readdir and lookup + +From: Trond Myklebust + +[ Upstream commit 9bd545539b233725a3416801f7c374bff0327d6e ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in both nfs_prime_dcache() and nfs_lookup(). + +Reported-by: Michael Stoler +Fixes: a1147b8281bd ("NFS: Fix up directory verifier races") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 01af2bb8a7216..8c4fcd140fa13 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -787,16 +787,17 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry, + goto out; + } + ++ nfs_set_verifier(dentry, dir_verifier); + inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr); + alias = d_splice_alias(inode, dentry); + d_lookup_done(dentry); + if (alias) { + if (IS_ERR(alias)) + goto out; ++ nfs_set_verifier(alias, dir_verifier); + dput(dentry); + dentry = alias; + } +- nfs_set_verifier(dentry, dir_verifier); + trace_nfs_readdir_lookup(d_inode(parent), dentry, 0); + out: + dput(dentry); +@@ -2002,13 +2003,14 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in + nfs_lookup_advise_force_readdirplus(dir, flags); + + no_entry: ++ nfs_set_verifier(dentry, dir_verifier); + res = d_splice_alias(inode, dentry); + if (res != NULL) { + if (IS_ERR(res)) + goto out; ++ nfs_set_verifier(res, dir_verifier); + dentry = res; + } +- nfs_set_verifier(dentry, dir_verifier); + out: + trace_nfs_lookup_exit(dir, dentry, flags, PTR_ERR_OR_ZERO(res)); + nfs_free_fattr(fattr); +-- +2.51.0 + 
diff --git a/queue-6.12/nfs-vfs-discard-d_exact_alias.patch b/queue-6.12/nfs-vfs-discard-d_exact_alias.patch
new file mode 100644
index 0000000000..e32ce70b40
--- /dev/null
+++ b/queue-6.12/nfs-vfs-discard-d_exact_alias.patch
@@ -0,0 +1,121 @@ +From 631cefe382f9f8839bb32c1161fa88b9cbb69963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 17:18:31 +1100 +Subject: nfs/vfs: discard d_exact_alias() + +From: NeilBrown + +[ Upstream commit 3ff6c8707c9a0116d00982851ec1216a42053ace ] + +d_exact_alias() is a descendent of d_add_unique() which was introduced +20 years ago mostly likely to work around problems with NFS servers of +the time. It is now not used in several situations were it was +originally needed and there have been no reports of problems - +presumably the old NFS servers have been improved. This only place it +is now use is in NFSv4 code and the old problematic servers are thought +to have been v2/v3 only. + +There is no clear benefit in reusing a unhashed() dentry which happens +to have the same name as the dentry we are adding. + +So this patch removes d_exact_alias() and the one place that it is used. + +Cc: Trond Myklebust +Signed-off-by: NeilBrown +Link: https://lore.kernel.org/r/20250226062135.2043651-2-neilb@suse.de +Signed-off-by: Christian Brauner +Stable-dep-of: 0f900f11002f ("NFS: Initialise verifiers for visible dentries in _nfs4_open_and_get_state") +Signed-off-by: Sasha Levin +--- + fs/dcache.c | 46 ------------------------------------------ + fs/nfs/nfs4proc.c | 4 +--- + include/linux/dcache.h | 1 - + 3 files changed, 1 insertion(+), 50 deletions(-) + +diff --git a/fs/dcache.c b/fs/dcache.c +index d7814142ba7db..6b29026d25cbc 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2664,52 +2664,6 @@ void d_add(struct dentry *entry, struct inode *inode) + } + EXPORT_SYMBOL(d_add); + +-/** +- * d_exact_alias - find and hash an exact unhashed alias +- * @entry: dentry to add +- * @inode: The inode to go with this dentry +- * +- * If an unhashed dentry with the same name/parent and desired +- * inode already exists, hash and return it. Otherwise, return +- * NULL. +- * +- * Parent directory should be locked. 
+- */ +-struct dentry *d_exact_alias(struct dentry *entry, struct inode *inode) +-{ +- struct dentry *alias; +- unsigned int hash = entry->d_name.hash; +- +- spin_lock(&inode->i_lock); +- hlist_for_each_entry(alias, &inode->i_dentry, d_u.d_alias) { +- /* +- * Don't need alias->d_lock here, because aliases with +- * d_parent == entry->d_parent are not subject to name or +- * parent changes, because the parent inode i_mutex is held. +- */ +- if (alias->d_name.hash != hash) +- continue; +- if (alias->d_parent != entry->d_parent) +- continue; +- if (!d_same_name(alias, entry->d_parent, &entry->d_name)) +- continue; +- spin_lock(&alias->d_lock); +- if (!d_unhashed(alias)) { +- spin_unlock(&alias->d_lock); +- alias = NULL; +- } else { +- dget_dlock(alias); +- __d_rehash(alias); +- spin_unlock(&alias->d_lock); +- } +- spin_unlock(&inode->i_lock); +- return alias; +- } +- spin_unlock(&inode->i_lock); +- return NULL; +-} +-EXPORT_SYMBOL(d_exact_alias); +- + static void swap_names(struct dentry *dentry, struct dentry *target) + { + if (unlikely(dname_external(target))) { +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 6342d360732d2..7fe71aaa18666 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3152,9 +3152,7 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + if (d_really_is_negative(dentry)) { + struct dentry *alias; + d_drop(dentry); +- alias = d_exact_alias(dentry, state->inode); +- if (!alias) +- alias = d_splice_alias(igrab(state->inode), dentry); ++ alias = d_splice_alias(igrab(state->inode), dentry); + /* d_splice_alias() can't fail here - it's a non-directory */ + if (alias) { + dput(ctx->dentry); +diff --git a/include/linux/dcache.h b/include/linux/dcache.h +index 3d53a60145911..51cc601b863d0 100644 +--- a/include/linux/dcache.h ++++ b/include/linux/dcache.h +@@ -242,7 +242,6 @@ extern struct dentry * d_splice_alias(struct inode *, struct dentry *); + extern struct dentry * d_add_ci(struct dentry *, struct inode *, 
struct qstr *); + extern bool d_same_name(const struct dentry *dentry, const struct dentry *parent, + const struct qstr *name); +-extern struct dentry * d_exact_alias(struct dentry *, struct inode *); + extern struct dentry *d_find_any_alias(struct inode *inode); + extern struct dentry * d_obtain_alias(struct inode *); + extern struct dentry * d_obtain_root(struct inode *); +-- +2.51.0 + diff --git a/queue-6.12/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch b/queue-6.12/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch new file mode 100644 index 0000000000..2113e26b89 --- /dev/null +++ b/queue-6.12/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch 
@@ -0,0 +1,43 @@ +From c003a07b1e209ff2928032f05bc466886e537b71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 18:02:42 +0000 +Subject: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in + pnfs_mark_layout_stateid_invalid + +From: Jonathan Curley + +[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ] + +Fixes a crash when layout is null during this call stack: + +write_inode + -> nfs4_write_inode + -> pnfs_layoutcommit_inode + +pnfs_set_layoutcommit relies on the lseg refcount to keep the layout +around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt +to reference a null layout. + +Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid") +Signed-off-by: Jonathan Curley +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 89d49dd3978f9..7a742bcff687b 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -466,6 +466,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo, + struct pnfs_layout_segment *lseg, *next; + + set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags); ++ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags); + list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) + pnfs_clear_lseg_state(lseg, lseg_list); + pnfs_clear_layoutreturn_info(lo); +-- +2.51.0 + diff --git a/queue-6.12/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch b/queue-6.12/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch new file mode 100644 index 0000000000..d3a66faa19 --- /dev/null +++ b/queue-6.12/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch 
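Review bot: The added `clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);` in pnfs_mark_layout_stateid_invalid() has no comment, and the reason for it is only in the commit message: a pending layoutcommit relies on an lseg reference to keep the layout alive, and the loop that follows clears that lseg state. A short why-comment would stop the line from looking like an unrelated flag reset, for example `/* No lseg will pin the layout after this, so a pending LAYOUTCOMMIT must not run */`. The function continues past the hunk, so whether other layoutcommit bookkeeping needs the same reset cannot be judged from the visible lines.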
@@ -0,0 +1,38 @@ +From fcb99dc5f3b278c330acfcdbda23ddcf7de62b61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Nov 2025 16:46:48 +0200 +Subject: nvme-auth: use kvfree() for memory allocated with kvcalloc() + +From: Israel Rukshin + +[ Upstream commit bb9f4cca7c031de6f0e85f7ba24abf0172829f85 ] + +Memory allocated by kvcalloc() may come from vmalloc or kmalloc, +so use kvfree() instead of kfree() for proper deallocation. + +Fixes: aa36d711e945 ("nvme-auth: convert dhchap_auth_list to an array") +Signed-off-by: Israel Rukshin +Reviewed-by: Max Gurtovoy +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c +index 5ea0e21709da3..c2fb22bf6846e 100644 +--- a/drivers/nvme/host/auth.c ++++ b/drivers/nvme/host/auth.c +@@ -994,7 +994,7 @@ void nvme_auth_free(struct nvme_ctrl *ctrl) + if (ctrl->dhchap_ctxs) { + for (i = 0; i < ctrl_max_dhchaps(ctrl); i++) + nvme_auth_free_dhchap(&ctrl->dhchap_ctxs[i]); +- kfree(ctrl->dhchap_ctxs); ++ kvfree(ctrl->dhchap_ctxs); + } + if (ctrl->host_key) { + nvme_auth_free_key(ctrl->host_key); +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch b/queue-6.12/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch new file mode 100644 index 0000000000..3408b48c51 --- /dev/null +++ b/queue-6.12/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch 
@@ -0,0 +1,78 @@ +From a9f8a27aeb61b866d7e5afde0c9288b9dffff246 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 11:13:08 +0100 +Subject: platform/x86: asus-wmi: use brightness_set_blocking() for kbd led +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anton Khirnov + +[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ] + +kbd_led_set() can sleep, and so may not be used as the brightness_set() +callback. + +Otherwise using this led with a trigger leads to system hangs +accompanied by: +BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003 +CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1 +Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024 +Call Trace: + + [...] + schedule_timeout+0xbd/0x100 + __down_common+0x175/0x290 + down_timeout+0x67/0x70 + acpi_os_wait_semaphore+0x57/0x90 + [...] + asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi] + led_trigger_event+0x3f/0x60 + [...] 
+ +Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process") +Signed-off-by: Anton Khirnov +Reviewed-by: Andy Shevchenko +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 9d79c5ea8b495..92ce975d900d0 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1577,14 +1577,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value) + kbd_led_update(asus); + } + +-static void kbd_led_set(struct led_classdev *led_cdev, +- enum led_brightness value) ++static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value) + { + /* Prevent disabling keyboard backlight on module unregister */ + if (led_cdev->flags & LED_UNREGISTERING) +- return; ++ return 0; + + do_kbd_led_set(led_cdev, value); ++ return 0; + } + + static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value) +@@ -1760,7 +1760,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus) + asus->kbd_led_wk = led_val; + asus->kbd_led.name = "asus::kbd_backlight"; + asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED; +- asus->kbd_led.brightness_set = kbd_led_set; ++ asus->kbd_led.brightness_set_blocking = kbd_led_set; + asus->kbd_led.brightness_get = kbd_led_get; + asus->kbd_led.max_brightness = 3; + +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch b/queue-6.12/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch new file mode 100644 index 0000000000..a052a350ee --- /dev/null +++ b/queue-6.12/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch 
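Review bot: kbd_led_set() now has the `int` return type that brightness_set_blocking expects, but both paths `return 0`, so a failed update is still reported to the LED core as success. The hunk header shows do_kbd_led_set() is `static void`, so there is currently no error to forward. Consider having do_kbd_led_set() (and presumably kbd_led_update(), whose body is not in the hunk) return the WMI call's status, and ending kbd_led_set() with `return do_kbd_led_set(led_cdev, value);`. The early `return 0` for LED_UNREGISTERING is fine as is.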
@@ -0,0 +1,44 @@ +From d6aff0aff0abe1a590a17cd5dfcdcbb8f72f620d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 14:45:29 -0700 +Subject: platform/x86:intel/pmc: Update Arrow Lake telemetry GUID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xi Pardee + +[ Upstream commit 644ab3bc98ee386f178d5209ae8170b3fac591aa ] + +Update ARL_PMT_DMU_GUID value. Arrow Lake PMT DMU GUID has been updated +after it was add to the driver. This updates ensures that the die C6 +value is available in the debug filesystem. + +Bugzilla Link: https://bugzilla.kernel.org/show_bug.cgi?id=220421 +Fixes: 83f168a1a437 ("platform/x86/intel/pmc: Add Arrow Lake S support to intel_pmc_core driver") +Tested-by: Mark Pearson +Signed-off-by: Xi Pardee +Link: https://patch.msgid.link/20251014214548.629023-2-xi.pardee@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/pmc/core.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/pmc/core.h b/drivers/platform/x86/intel/pmc/core.h +index b9d3291d0bf2c..afc07427e39ef 100644 +--- a/drivers/platform/x86/intel/pmc/core.h ++++ b/drivers/platform/x86/intel/pmc/core.h +@@ -277,7 +277,7 @@ enum ppfear_regs { + /* Die C6 from PUNIT telemetry */ + #define MTL_PMT_DMU_DIE_C6_OFFSET 15 + #define MTL_PMT_DMU_GUID 0x1A067102 +-#define ARL_PMT_DMU_GUID 0x1A06A000 ++#define ARL_PMT_DMU_GUID 0x1A06A102 + + #define LNL_PMC_MMIO_REG_LEN 0x2708 + #define LNL_PMC_LTR_OSSE 0x1B88 +-- +2.51.0 + diff --git a/queue-6.12/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch b/queue-6.12/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch new file mode 100644 index 0000000000..26fba89264 --- /dev/null +++ b/queue-6.12/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch 
@@ -0,0 +1,51 @@ +From e770700dbfab9f50a7bc6acd5eb5437fc2415112 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 19:39:34 +0000 +Subject: regulator: fixed: Rely on the core freeing the enable GPIO + +From: Mark Brown + +[ Upstream commit 79a45ddcdbba330f5139c7c7ff7042d69cf147b2 ] + +In order to simplify ownership rules for enable GPIOs supplied by drivers +regulator_register() always takes ownership of them, even if it ends up +failing for some other reason. We therefore should not free the GPIO if +registration fails but just let the core worry about things. + +Fixes: 636f4618b1cd (regulator: fixed: fix GPIO descriptor leak on register failure) +Reported-by: Diederik de Haas +Closes: https://lore.kernel.org/r/DEPEYUF5BRGY.UKFBWRRE8HNP@cknow-tech.com +Tested-by: Diederik de Haas +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20251204-regulator-fixed-fix-gpiod-leak-v1-1-48efea5b82c2@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index a2d16e9abfb58..254c0a8a45559 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -330,13 +330,10 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + + drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc, + &cfg); +- if (IS_ERR(drvdata->dev)) { +- ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), +- "Failed to register regulator: %ld\n", +- PTR_ERR(drvdata->dev)); +- gpiod_put(cfg.ena_gpiod); +- return ret; +- } ++ if (IS_ERR(drvdata->dev)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), ++ "Failed to register regulator: %ld\n", ++ PTR_ERR(drvdata->dev)); + + platform_set_drvdata(pdev, drvdata); + +-- +2.51.0 + 
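Review bot: The error branch after devm_regulator_register() in reg_fixed_voltage_probe() no longer releases cfg.ena_gpiod, but nothing at the call site states the ownership rule that makes this correct. Since the removed `gpiod_put()` was itself added as a leak fix, a one-line comment would help keep the double release from being reintroduced: `/* regulator_register() owns cfg.ena_gpiod even on failure; do not gpiod_put() it here */`. As a smaller style point, dev_err_probe() already reports the error code, so the `%ld` / `PTR_ERR(drvdata->dev)` pair in the message duplicates it and could be dropped. The probe function starts and ends outside the hunk.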
diff --git a/queue-6.12/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-6.12/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch new file mode 100644 index 0000000000..f100f2ec20 --- /dev/null +++ b/queue-6.12/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch @@ -0,0 +1,48 @@ +From a0ffcdd94711cd0ca01e59c73a69cca0b05a948c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:38 -0500 +Subject: Revert "nfs: clear SB_RDONLY before getting superblock" + +From: Trond Myklebust + +[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ] + +This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 44e5cb00e2ccf..ae5c5e39afa03 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1303,17 +1303,8 @@ int nfs_get_tree_common(struct fs_context *fc) + if (IS_ERR(server)) + return PTR_ERR(server); + +- /* +- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a +- * superblock among each filesystem that mounts sub-directories +- * belonging to a single exported root path. +- * To prevent interference between different filesystems, the +- * SB_RDONLY flag should be removed from the superblock. +- */ + if (server->flags & NFS_MOUNT_UNSHARED) + compare_super = NULL; +- else +- fc->sb_flags &= ~SB_RDONLY; + + /* -o noac implies -o sync */ + if (server->flags & NFS_MOUNT_NOAC) +-- +2.51.0 + diff --git a/queue-6.12/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch b/queue-6.12/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch new file mode 100644 index 0000000000..9562ebf2af --- /dev/null 
+++ b/queue-6.12/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch @@ -0,0 +1,39 @@ +From 85ab891c11c04ae40e60789a703e02489bee043a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:45 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when mounting nfs" + +From: Trond Myklebust + +[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ] + +This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 456b423402814..63ee469d6c8f7 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -13,7 +13,7 @@ + #include + #include + +-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) ++#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) + + extern const struct export_operations nfs_export_ops; + +-- +2.51.0 + diff --git a/queue-6.12/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-6.12/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch new file mode 100644 index 0000000000..378aad00af --- /dev/null +++ b/queue-6.12/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch 
@@ -0,0 +1,47 @@ +From 2775f80f4ed9d69d62b610261ef13cae39e482f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:07 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when remounting nfs" + +From: Trond Myklebust + +[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ] + +This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index da5286514d8c7..44e5cb00e2ccf 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1046,16 +1046,6 @@ int nfs_reconfigure(struct fs_context *fc) + + sync_filesystem(sb); + +- /* +- * The SB_RDONLY flag has been removed from the superblock during +- * mounts to prevent interference between different filesystems. +- * Similarly, it is also necessary to ignore the SB_RDONLY flag +- * during reconfiguration; otherwise, it may also result in the +- * creation of redundant superblocks when mounting a directory with +- * different rw and ro flags multiple times. +- */ +- fc->sb_flags_mask &= ~SB_RDONLY; +- + /* + * Userspace mount programs that send binary options generally send + * them populated with default values. We have no way to know which +-- +2.51.0 + diff --git a/queue-6.12/rtc-gamecube-check-the-return-value-of-ioremap.patch b/queue-6.12/rtc-gamecube-check-the-return-value-of-ioremap.patch new file mode 100644 index 0000000000..8ca5931884 --- /dev/null +++ b/queue-6.12/rtc-gamecube-check-the-return-value-of-ioremap.patch 
@@ -0,0 +1,44 @@ +From 515915ea32a1a07070848e14a799e156064b40e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 16:06:25 +0800 +Subject: rtc: gamecube: Check the return value of ioremap() + +From: Haotian Zhang + +[ Upstream commit d1220e47e4bd2be8b84bc158f4dea44f2f88b226 ] + +The function ioremap() in gamecube_rtc_read_offset_from_sram() can fail +and return NULL, which is dereferenced without checking, leading to a +NULL pointer dereference. + +Add a check for the return value of ioremap() and return -ENOMEM on +failure. + +Fixes: 86559400b3ef ("rtc: gamecube: Add a RTC driver for the GameCube, Wii and Wii U") +Signed-off-by: Haotian Zhang +Reviewed-by: Link Mauve +Link: https://patch.msgid.link/20251126080625.1752-1-vulab@iscas.ac.cn +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-gamecube.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/rtc/rtc-gamecube.c b/drivers/rtc/rtc-gamecube.c +index c828bc8e05b9c..045d5d45ab4b0 100644 +--- a/drivers/rtc/rtc-gamecube.c ++++ b/drivers/rtc/rtc-gamecube.c +@@ -242,6 +242,10 @@ static int gamecube_rtc_read_offset_from_sram(struct priv *d) + } + + hw_srnprot = ioremap(res.start, resource_size(&res)); ++ if (!hw_srnprot) { ++ pr_err("failed to ioremap hw_srnprot\n"); ++ return -ENOMEM; ++ } + old = ioread32be(hw_srnprot); + + /* TODO: figure out why we use this magic constant. I obtained it by +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index f073a5834b..9dbc822b1a 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -289,3 +289,52 @@ pinctrl-single-fix-incorrect-type-for-error-return-v.patch fbdev-ssd1307fb-fix-potential-page-leak-in-ssd1307fb.patch 9p-fix-cache-debug-options-printing-in-v9fs_show_opt.patch sched-fair-fix-unfairness-caused-by-stalled-tg_load_.patch +platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch +f2fs-keep-posix_fadv_noreuse-ranges.patch +f2fs-add-a-sysfs-entry-to-reclaim-posix_fadv_noreuse.patch +f2fs-fix-to-avoid-running-out-of-free-segments.patch +f2fs-add-carve_out-sysfs-node.patch +f2fs-sysfs-add-encoding_flags-entry.patch +f2fs-introduce-reserved_pin_section-sysfs-entry.patch +f2fs-add-gc_boost_gc_multiple-sysfs-node.patch +f2fs-add-gc_boost_gc_greedy-sysfs-node.patch +f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch +nfs-avoid-changing-nlink-when-file-removes-and-attri.patch +fs-nls-fix-utf16-to-utf8-conversion.patch +nfs-initialise-verifiers-for-visible-dentries-in-rea.patch +nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch +nfs-vfs-discard-d_exact_alias.patch +nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch +nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch +revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch +revert-nfs-clear-sb_rdonly-before-getting-superblock.patch +revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch +nfs-automounted-filesystems-should-inherit-ro-noexec.patch +expand-the-type-of-nfs_fattr-valid.patch +nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch +fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch +platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch +asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch +asoc-ak4458-disable-regulator-when-error-happens.patch +asoc-ak5558-disable-regulator-when-error-happens.patch +blk-mq-abort-suspend-when-wakeup-events-are-pending.patch +block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch +block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch 
+nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch +drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch +regulator-fixed-rely-on-the-core-freeing-the-enable-.patch +alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch +drm-nouveau-refactor-deprecated-strcpy.patch +cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch +docs-hwmon-fix-link-to-g762-devicetree-binding.patch +dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch +alsa-uapi-fix-typo-in-asound.h-comment.patch +drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch +rtc-gamecube-check-the-return-value-of-ioremap.patch +alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch +arm-9464-1-fix-input-only-operand-modification-in-lo.patch +block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch +block-return-unsigned-int-from-queue_dma_alignment.patch +block-fix-cached-zone-reports-on-devices-with-native.patch +dm-raid-fix-possible-null-dereference-with-undefined.patch +dm-log-writes-add-missing-set_freezable-for-freezabl.patch diff --git a/queue-6.17/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch b/queue-6.17/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch new file mode 100644 index 0000000000..5972d8b24f --- /dev/null +++ b/queue-6.17/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch 
@@ -0,0 +1,41 @@ +From 529ed87ec3e3923f1ee284403f6a28b54245a4de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 13:16:41 +0800 +Subject: ALSA: firewire-motu: add bounds check in put_user loop for DSP events + +From: Junrui Luo + +[ Upstream commit 298e753880b6ea99ac30df34959a7a03b0878eed ] + +In the DSP event handling code, a put_user() loop copies event data. +When the user buffer size is not aligned to 4 bytes, it could overwrite +beyond the buffer boundary. + +Fix by adding a bounds check before put_user(). + +Suggested-by: Takashi Iwai +Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index e594765747d5b..38807dd7a766b 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -75,7 +75,7 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, + while (consumed < count && + snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) { + ptr = (u32 __user *)(buf + consumed); +- if (put_user(ev, ptr)) ++ if (consumed + sizeof(ev) > count || put_user(ev, ptr)) + return -EFAULT; + consumed += sizeof(ev); + } +-- +2.51.0 + diff --git a/queue-6.17/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch b/queue-6.17/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch new file mode 100644 index 0000000000..76b7eb59de --- /dev/null +++ b/queue-6.17/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch 
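Review bot: The new `consumed + sizeof(ev) > count` test in hwdep_read() runs inside the loop body, after snd_motu_register_dsp_message_parser_copy_event() has already produced `ev`. When the remaining user buffer is shorter than one event, the read therefore fails with -EFAULT even though earlier events were already written to the buffer. If copy_event dequeues the event (not visible in this hunk), that event is also lost. Moving the check into the loop condition ends the loop cleanly with a short read instead: `while (consumed + sizeof(ev) <= count &&` in place of `while (consumed < count &&`, leaving the body as `if (put_user(ev, ptr)) return -EFAULT;`. The rest of hwdep_read() is outside the hunk.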
@@ -0,0 +1,48 @@ +From 7c3a31115eb90f1d1ed21c68b2a53e3b9be9f49a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 12:27:03 +0800 +Subject: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events + +From: Junrui Luo + +[ Upstream commit 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 ] + +The DSP event handling code in hwdep_read() could write more bytes to +the user buffer than requested, when a user provides a buffer smaller +than the event header size (8 bytes). + +Fix by using min_t() to clamp the copy size, This ensures we never copy +more than the user requested. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index fa2685665db3a..e594765747d5b 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -83,10 +83,11 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, + event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE; + event.motu_register_dsp_change.count = + (consumed - sizeof(event.motu_register_dsp_change)) / 4; +- if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change))) ++ if (copy_to_user(buf, &event, ++ min_t(long, count, sizeof(event.motu_register_dsp_change)))) + return -EFAULT; + +- count = consumed; ++ count = min_t(long, count, consumed); + } else { + spin_unlock_irq(&motu->lock); + +-- +2.51.0 + 
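Review bot: Both clamps in hwdep_read() use `min_t(long, count, ...)` on the signed `long count` parameter, and nothing in the hunk shows that count is non-negative at this point. A negative value would pass through min_t() unchanged and be handed to copy_to_user() as a size. If the callers guarantee `count >= 0`, a short comment saying so is enough; otherwise clamp once into an unsigned local and reuse it, e.g. `size_t hdr = min_t(size_t, count, sizeof(event.motu_register_dsp_change));`. Note also that `event.motu_register_dsp_change.count` is still derived from `consumed` when the header itself is truncated, so userspace can receive a partial header; it is worth documenting whether that short read is intended. The function starts and ends outside the hunk.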
diff --git a/queue-6.17/alsa-uapi-fix-typo-in-asound.h-comment.patch b/queue-6.17/alsa-uapi-fix-typo-in-asound.h-comment.patch new file mode 100644 index 0000000000..0fa3e492d7 --- /dev/null +++ b/queue-6.17/alsa-uapi-fix-typo-in-asound.h-comment.patch @@ -0,0 +1,36 @@ +From fccf93a278b6172c40b0cb6c3ef60206619fa180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 10:25:01 -0600 +Subject: ALSA: uapi: Fix typo in asound.h comment + +From: Andres J Rosa + +[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ] + +Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment. + +Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames") +Signed-off-by: Andres J Rosa +Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/uapi/sound/asound.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h +index 5a049eeaeccea..d3ce75ba938a8 100644 +--- a/include/uapi/sound/asound.h ++++ b/include/uapi/sound/asound.h +@@ -60,7 +60,7 @@ struct snd_cea_861_aud_if { + unsigned char db2_sf_ss; /* sample frequency and size */ + unsigned char db3; /* not used, all zeros */ + unsigned char db4_ca; /* channel allocation code */ +- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */ ++ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */ + }; + + /**************************************************************************** +-- +2.51.0 + diff --git a/queue-6.17/arm-9464-1-fix-input-only-operand-modification-in-lo.patch b/queue-6.17/arm-9464-1-fix-input-only-operand-modification-in-lo.patch new file mode 100644 index 0000000000..29c0d12aa0 --- /dev/null +++ b/queue-6.17/arm-9464-1-fix-input-only-operand-modification-in-lo.patch 
@@ -0,0 +1,67 @@
+From 4d1264f1b4f7ceff49fc26f5165978fdf6431513 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Dec 2025 03:19:45 +0100
+Subject: ARM: 9464/1: fix input-only operand modification in
+ load_unaligned_zeropad()
+
+From: Liyuan Pang
+
+[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ]
+
+In the inline assembly inside load_unaligned_zeropad(), the "addr" is
+constrained as input-only operand. The compiler assumes that on exit
+from the asm statement these operands contain the same values as they
+had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior.
+
+Use a temporary variable "tmp" to handle it, instead of modifying the
+input-only operand, just like what arm64's load_unaligned_zeropad()
+does.
+
+Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs")
+Co-developed-by: Xie Yuanbin
+Signed-off-by: Xie Yuanbin
+Signed-off-by: Liyuan Pang
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Sasha Levin
+---
+ arch/arm/include/asm/word-at-a-time.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h
+index f9a3897b06e7f..5023f98d8293d 100644
+--- a/arch/arm/include/asm/word-at-a-time.h
++++ b/arch/arm/include/asm/word-at-a-time.h
+@@ -67,7 +67,7 @@ static inline unsigned long find_zero(unsigned long mask)
+ */
+ static inline unsigned long load_unaligned_zeropad(const void *addr)
+ {
+- unsigned long ret, offset;
++ unsigned long ret, tmp;
+
+ /* Load word from unaligned pointer addr */
+ asm(
+@@ -75,9 +75,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr)
+ "2:\n"
+ " .pushsection .text.fixup,\"ax\"\n"
+ " .align 2\n"
+- "3: and %1, %2, #0x3\n"
+- " bic %2, %2, #0x3\n"
+- " ldr %0, [%2]\n"
++ "3: bic %1, %2, #0x3\n"
++ " ldr %0, [%1]\n"
++ " and %1, %2, #0x3\n"
+ " lsl %1, %1, #0x3\n"
+ #ifndef __ARMEB__
+ " lsr %0, %0, %1\n"
+@@ -90,7 +90,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr)
+ " .align 3\n"
+ " .long 1b, 3b\n"
+ " .popsection"
+- : "=&r" (ret), "=&r" (offset)
++ : "=&r" (ret), "=&r" (tmp)
+ : "r" (addr), "Qo" (*(unsigned long *)addr));
+
+ return ret;
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-ak4458-disable-regulator-when-error-happens.patch b/queue-6.17/asoc-ak4458-disable-regulator-when-error-happens.patch
new file mode 100644
index 0000000000..8fef3d6b68
--- /dev/null
+++ b/queue-6.17/asoc-ak4458-disable-regulator-when-error-happens.patch
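Review bot: Nothing in the function itself records that the fixup must leave `%2` untouched, which is the whole reason for this change, so a later edit to the fixup sequence could reintroduce the write without anyone noticing. I would extend the existing comment above `asm(` to something like `/* Load word from unaligned pointer addr; addr (%2) is an input-only operand, so the fixup uses %1 (tmp) as scratch */`. The asm statement is only partly covered by the three inner hunks, so the load at label 1 and the big-endian shift are not visible here.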
@@ -0,0 +1,45 @@
+From e36b9ad2a3dad15ebc01c02ef5d675d6c9ed50de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 18:05:28 +0800
+Subject: ASoC: ak4458: Disable regulator when error happens
+
+From: Shengjiu Wang
+
+[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ]
+
+Disable regulator in runtime resume when error happens to balance
+the reference count of regulator.
+
+Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/ak4458.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c
+index 57cf601d3df35..a6c04dd3de3ed 100644
+--- a/sound/soc/codecs/ak4458.c
++++ b/sound/soc/codecs/ak4458.c
+@@ -671,7 +671,15 @@ static int ak4458_runtime_resume(struct device *dev)
+ regcache_cache_only(ak4458->regmap, false);
+ regcache_mark_dirty(ak4458->regmap);
+
+- return regcache_sync(ak4458->regmap);
++ ret = regcache_sync(ak4458->regmap);
++ if (ret)
++ goto err;
++
++ return 0;
++err:
++ regcache_cache_only(ak4458->regmap, true);
++ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies);
++ return ret;
+ }
+
+ static const struct snd_soc_component_driver soc_codec_dev_ak4458 = {
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-ak5558-disable-regulator-when-error-happens.patch b/queue-6.17/asoc-ak5558-disable-regulator-when-error-happens.patch
new file mode 100644
index 0000000000..c82d74b835
--- /dev/null
+++ b/queue-6.17/asoc-ak5558-disable-regulator-when-error-happens.patch
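Review bot: The new `err:` path unwinds without logging, so a failed `regcache_sync()` during runtime resume leaves nothing in the log to say which step failed; `dev_err(dev, "regcache_sync failed: %d\n", ret);` before the cleanup would fix that. With a single jump target the label is also more than is needed: `if (ret) { ... return ret; }` followed by `return 0;` reads more directly. The start of `ak4458_runtime_resume()` is outside the hunk, so whether anything set up earlier besides the supplies also needs undoing cannot be checked here. The same points apply to the identical change in `ak5558_runtime_resume()` in the next patch.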
@@ -0,0 +1,45 @@
+From 2cb0c17d5795c7d3af89ff770032d2317efa0f30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 18:05:29 +0800
+Subject: ASoC: ak5558: Disable regulator when error happens
+
+From: Shengjiu Wang
+
+[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ]
+
+Disable regulator in runtime resume when error happens to balance
+the reference count of regulator.
+
+Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/ak5558.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c
+index 683f3e472f500..73684fc5beb1a 100644
+--- a/sound/soc/codecs/ak5558.c
++++ b/sound/soc/codecs/ak5558.c
+@@ -372,7 +372,15 @@ static int ak5558_runtime_resume(struct device *dev)
+ regcache_cache_only(ak5558->regmap, false);
+ regcache_mark_dirty(ak5558->regmap);
+
+- return regcache_sync(ak5558->regmap);
++ ret = regcache_sync(ak5558->regmap);
++ if (ret)
++ goto err;
++
++ return 0;
++err:
++ regcache_cache_only(ak5558->regmap, true);
++ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies);
++ return ret;
+ }
+
+ static const struct dev_pm_ops ak5558_pm = {
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-amd-acp-audio-is-not-resuming-after-s0ix.patch b/queue-6.17/asoc-amd-acp-audio-is-not-resuming-after-s0ix.patch
new file mode 100644
index 0000000000..62f9d0330d
--- /dev/null
+++ b/queue-6.17/asoc-amd-acp-audio-is-not-resuming-after-s0ix.patch
@@ -0,0 +1,104 @@ +From 9f18df4af358682ba15e3a421ddac8655cf96625 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 12:16:48 +0530 +Subject: ASoC: amd: acp: Audio is not resuming after s0ix + +From: Hemalatha Pinnamreddy + +[ Upstream commit 3ee257aba1d56c3f0f1028669a8ad0f1a477f05b ] + +Audio fails to resume after system exits suspend mode +due to accessing incorrect ring buffer address during +resume. This patch resolves issue by selecting correct +address based on the ACP version. + +Fixes: f6f7d25b11033 ("ASoC: amd: acp: Add pte configuration for ACP7.0 platform") +Signed-off-by: Hemalatha Pinnamreddy +Signed-off-by: Raghavendra Prasad Mallela +Reviewed-by: Mario Limonciello (AMD) +Link: https://patch.msgid.link/20251203064650.2554625-1-raghavendraprasad.mallela@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-legacy-common.c | 30 +++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/amd/acp/acp-legacy-common.c b/sound/soc/amd/acp/acp-legacy-common.c +index 3078f459e0050..4e477c48d4bdd 100644 +--- a/sound/soc/amd/acp/acp-legacy-common.c ++++ b/sound/soc/amd/acp/acp-legacy-common.c +@@ -219,7 +219,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + SP_PB_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_I2S_TX_FIFOADDR(chip); + reg_fifo_size = ACP_I2S_TX_FIFOSIZE(chip); +- phy_addr = I2S_SP_TX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_SP_TX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_SP_TX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_I2S_TX_RINGBUFADDR(chip)); + } else { + reg_dma_size = ACP_I2S_RX_DMA_SIZE(chip); +@@ -227,7 +230,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + SP_CAPT_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_I2S_RX_FIFOADDR(chip); + reg_fifo_size = ACP_I2S_RX_FIFOSIZE(chip); +- phy_addr = 
I2S_SP_RX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_SP_RX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_SP_RX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_I2S_RX_RINGBUFADDR(chip)); + } + break; +@@ -238,7 +244,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + BT_PB_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_BT_TX_FIFOADDR(chip); + reg_fifo_size = ACP_BT_TX_FIFOSIZE(chip); +- phy_addr = I2S_BT_TX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_BT_TX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_BT_TX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_BT_TX_RINGBUFADDR(chip)); + } else { + reg_dma_size = ACP_BT_RX_DMA_SIZE(chip); +@@ -246,7 +255,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + BT_CAPT_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_BT_RX_FIFOADDR(chip); + reg_fifo_size = ACP_BT_RX_FIFOSIZE(chip); +- phy_addr = I2S_BT_TX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_BT_RX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_BT_RX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_BT_RX_RINGBUFADDR(chip)); + } + break; +@@ -257,7 +269,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + HS_PB_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_HS_TX_FIFOADDR; + reg_fifo_size = ACP_HS_TX_FIFOSIZE; +- phy_addr = I2S_HS_TX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_HS_TX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_HS_TX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_HS_TX_RINGBUFADDR); + } else { + reg_dma_size = ACP_HS_RX_DMA_SIZE; +@@ -265,7 +280,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + HS_CAPT_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_HS_RX_FIFOADDR; 
+ reg_fifo_size = ACP_HS_RX_FIFOSIZE; +- phy_addr = I2S_HS_RX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_HS_RX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_HS_RX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_HS_RX_RINGBUFADDR); + } + break; +-- +2.51.0 + diff --git a/queue-6.17/asoc-amd-acp-update-tdm-channels-for-specific-dai.patch b/queue-6.17/asoc-amd-acp-update-tdm-channels-for-specific-dai.patch new file mode 100644 index 0000000000..b3d833d256 --- /dev/null +++ b/queue-6.17/asoc-amd-acp-update-tdm-channels-for-specific-dai.patch 
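Review bot: The Bluetooth capture branch changes the legacy address as well as adding the ACP7.0 one: the removed line used `I2S_BT_TX_MEM_WINDOW_START + stream->reg_offset`, while the new `else` uses `I2S_BT_RX_MEM_WINDOW_START + stream->reg_offset`. That looks like a deliberate copy-paste fix, but it alters behaviour on pre-ACP7.0 parts and the description only talks about selecting the address by ACP version, so it should be called out or split into its own patch before it goes to stable trees. The six `if (chip->acp_rev >= ACP70_PCI_ID)` blocks are otherwise identical in shape and would be easier to audit as one small helper that takes the legacy and ACP7x base addresses. `set_acp_i2s_dma_fifo()` starts and ends outside the hunks shown.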
@@ -0,0 +1,41 @@
+From 9f8d249017342231f428ab674072d7285553e09f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 17:31:34 +0530
+Subject: ASoC: amd: acp: update tdm channels for specific DAI
+
+From: Hemalatha Pinnamreddy
+
+[ Upstream commit f34836a8ddf9216ff919927cddb705022bf30aab ]
+
+TDM channel updates were applied to all DAIs, causing configurations
+to overwrite for unrelated streams. The logic is modified to update
+channels only for targeted DAI. This prevents corruption of other DAI
+settings and resolves audio issues observed during system suspend and
+resume cycles.
+
+Fixes: 12229b7e50cf ("ASoC: amd: acp: Add TDM support for acp i2s stream")
+Signed-off-by: Hemalatha Pinnamreddy
+Signed-off-by: Raghavendra Prasad Mallela
+Link: https://patch.msgid.link/20251203120136.2591395-1-raghavendraprasad.mallela@amd.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/amd/acp/acp-i2s.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/amd/acp/acp-i2s.c b/sound/soc/amd/acp/acp-i2s.c
+index 4ba0a66981ea9..283a674c7e2c3 100644
+--- a/sound/soc/amd/acp/acp-i2s.c
++++ b/sound/soc/amd/acp/acp-i2s.c
+@@ -157,6 +157,8 @@ static int acp_i2s_set_tdm_slot(struct snd_soc_dai *dai, u32 tx_mask, u32 rx_mas
+
+ spin_lock_irq(&chip->acp_lock);
+ list_for_each_entry(stream, &chip->stream_list, list) {
++ if (dai->id != stream->dai_id)
++ continue;
+ switch (chip->acp_rev) {
+ case ACP_RN_PCI_ID:
+ case ACP_RMB_PCI_ID:
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch b/queue-6.17/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch
new file mode 100644
index 0000000000..88f2792f9e
--- /dev/null
+++ b/queue-6.17/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch
@@ -0,0 +1,44 @@
+From 57495f538ee9b0791521652527f2dc7a05fac01e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 18:16:42 +0800
+Subject: ASoC: bcm: bcm63xx-pcm-whistler: Check return value of
+ of_dma_configure()
+
+From: Haotian Zhang
+
+[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ]
+
+bcm63xx_soc_pcm_new() does not check the return value of
+of_dma_configure(), which may fail with -EPROBE_DEFER or
+other errors, allowing PCM setup to continue with incomplete
+DMA configuration.
+
+Add error checking for of_dma_configure() and return on failure.
+
+Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver")
+Signed-off-by: Haotian Zhang
+Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c
+index e3a4fcc63a56d..efeb06ddabeb3 100644
+--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c
++++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c
+@@ -358,7 +358,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component,
+
+ i2s_priv = dev_get_drvdata(snd_soc_rtd_to_cpu(rtd, 0)->dev);
+
+- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
++ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
++ if (ret)
++ return ret;
+
+ ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32));
+ if (ret)
+--
+2.51.0
+
diff --git a/queue-6.17/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch b/queue-6.17/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch
new file mode 100644
index 0000000000..c3638cc2e4
--- /dev/null
+++ b/queue-6.17/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch
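Review bot: The third argument of `of_dma_configure()` is a `bool force_dma`, so the literal `1` carried over onto the new line would read better as `true`: `ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, true);`. The description names -EPROBE_DEFER as one possible result; whether the caller of `bcm63xx_soc_pcm_new()` turns that into an actual probe deferral is not visible in the hunk and is worth confirming. The function body continues outside the hunk.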
@@ -0,0 +1,73 @@ +From 43ef9f9ba04ccc0f4e254f3027c494b988eaab55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 11:34:21 +0800 +Subject: blk-mq: Abort suspend when wakeup events are pending + +From: Cong Zhang + +[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ] + +During system suspend, wakeup capable IRQs for block device can be +delayed, which can cause blk_mq_hctx_notify_offline() to hang +indefinitely while waiting for pending request to complete. +Skip the request waiting loop and abort suspend when wakeup events are +pending to prevent the deadlock. + +Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline") +Signed-off-by: Cong Zhang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 19f62b070ca9d..3e9f82c9a89d2 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -3721,6 +3722,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + { + struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node, + struct blk_mq_hw_ctx, cpuhp_online); ++ int ret = 0; + + if (blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; +@@ -3741,12 +3743,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + * frozen and there are no requests. + */ + if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) { +- while (blk_mq_hctx_has_requests(hctx)) ++ while (blk_mq_hctx_has_requests(hctx)) { ++ /* ++ * The wakeup capable IRQ handler of block device is ++ * not called during suspend. Skip the loop by checking ++ * pm_wakeup_pending to prevent the deadlock and improve ++ * suspend latency. 
++ */ ++ if (pm_wakeup_pending()) { ++ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state); ++ ret = -EBUSY; ++ break; ++ } + msleep(5); ++ } + percpu_ref_put(&hctx->queue->q_usage_counter); + } + +- return 0; ++ return ret; + } + + /* +-- +2.51.0 + diff --git a/queue-6.17/block-fix-cached-zone-reports-on-devices-with-native.patch b/queue-6.17/block-fix-cached-zone-reports-on-devices-with-native.patch new file mode 100644 index 0000000000..fd75b80475 --- /dev/null +++ b/queue-6.17/block-fix-cached-zone-reports-on-devices-with-native.patch 
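Review bot: The new early exit in the wait loop is keyed only on `pm_wakeup_pending()`, and nothing in the hunk ties it to a suspend actually being in progress, so it is worth confirming that an ordinary CPU-offline request cannot now fail with `-EBUSY` while requests are still outstanding. The callback previously always returned 0, so the new error return deserves a line in the function's comment, e.g. `/* Returns -EBUSY if a wakeup event is pending while requests are outstanding; BLK_MQ_S_INACTIVE is cleared again in that case. */`. The code that sets `BLK_MQ_S_INACTIVE` is outside the hunk, so I cannot check whether the added `clear_bit()` needs the same memory ordering as the set.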
@@ -0,0 +1,67 @@ +From 93e4793a96e645acaffa5acba6d4a3a9a4c796e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 03:10:37 +0100 +Subject: block: fix cached zone reports on devices with native zone append + +From: Johannes Thumshirn + +[ Upstream commit 2c38ec934ddfe2d35c813edea2674356bea0fabe ] + +When mounting a btrfs file system on virtio-blk which supports native +Zone Append there has been a WARN triggering in btrfs' space management +code. + +Further looking into btrfs' zoned statistics uncovered the filesystem +expecting the zones to be used, but the write pointers being 0: + # cat /sys/fs/btrfs/8eabd2e7-3294-4f9e-9b58-7e64135c8bf4/zoned_stats + active block-groups: 4 + reclaimable: 0 + unused: 0 + need reclaim: false + data relocation block-group: 1342177280 + active zones: + start: 1073741824, wp: 0 used: 0, reserved: 0, unusable: 0 + start: 1342177280, wp: 0 used: 0, reserved: 0, unusable: 0 + start: 1610612736, wp: 0 used: 16384, reserved: 0, unusable: 18446744073709535232 + start: 1879048192, wp: 0 used: 131072, reserved: 0, unusable: 18446744073709420544 + +Looking at the blkzone report output for the zone in question +(1610612736) the write pointer on the device moved, but the filesystem +did not see a change on the write pointer: + # blkzone report -c 1 -o 0x300000 /dev/vda + start: 0x000300000, len 0x080000, cap 0x080000, wptr 0x000040 reset:0 non-seq:0, zcond: 2(oi) [type: 2(SEQ_WRITE_REQUIRED)] + +The zone write pointer is 0, because btrfs is using the cached version +of blkdev_report_zones() and as virtio-blk is supporting native zone +append, but blkdev_revalidate_zones() does not initialize the zone write +plugs in this case. + +Not skipping the revalidate of sequential zones in +blkdev_revalidate_zones() callchain fixes this issue. 
+ +Signed-off-by: Johannes Thumshirn +Reviewed-by: Christoph Hellwig +Reviewed-by: Damien Le Moal +Fixes: a6aa36e957a1 ("block: Remove zone write plugs when handling native zone append writes") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-zoned.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-zoned.c b/block/blk-zoned.c +index 5e2a5788dc3b2..1675d5d7bd9b1 100644 +--- a/block/blk-zoned.c ++++ b/block/blk-zoned.c +@@ -1629,7 +1629,7 @@ static int blk_revalidate_seq_zone(struct blk_zone *zone, unsigned int idx, + * we have a zone write plug for such zone if the device has a zone + * write plug hash table. + */ +- if (!queue_emulates_zone_append(disk->queue) || !disk->zone_wplugs_hash) ++ if (!disk->zone_wplugs_hash) + return 0; + + disk_zone_wplug_sync_wp_offset(disk, zone); +-- +2.51.0 + diff --git a/queue-6.17/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch b/queue-6.17/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch new file mode 100644 index 0000000000..da8fa3ecda --- /dev/null +++ b/queue-6.17/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch 
@@ -0,0 +1,44 @@
+From 17bde19b93ff12e5da4b9ecbd62bd7e8edc66cee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 23:17:49 +0800
+Subject: block: fix comment for op_is_zone_mgmt() to include RESET_ALL
+
+From: shechenglong
+
+[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ]
+
+REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt()
+has returned true for it.
+
+Update the comment to remove the misleading exception note so
+the documentation matches the implementation.
+
+Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL")
+Signed-off-by: shechenglong
+Reviewed-by: Damien Le Moal
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ include/linux/blk_types.h | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
+index 1d6e2df0fdd31..93d83aba236bf 100644
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -471,10 +471,7 @@ static inline bool op_is_discard(blk_opf_t op)
+ }
+
+ /*
+- * Check if a bio or request operation is a zone management operation, with
+- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case
+- * due to its different handling in the block layer and device response in
+- * case of command failure.
++ * Check if a bio or request operation is a zone management operation.
+ */
+ static inline bool op_is_zone_mgmt(enum req_op op)
+ {
+--
+2.51.0
+
diff --git a/queue-6.17/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch b/queue-6.17/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch
new file mode 100644
index 0000000000..41f23643c6
--- /dev/null
+++ b/queue-6.17/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch
@@ -0,0 +1,55 @@
+From da3bdb96057d7d8410cff825454068038d07d48d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Dec 2025 23:42:59 +0530
+Subject: block: fix memory leak in __blkdev_issue_zero_pages
+
+From: Shaurya Rane
+
+[ Upstream commit f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf ]
+
+Move the fatal signal check before bio_alloc() to prevent a memory
+leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.
+
+Previously, the bio was allocated before checking for a fatal signal.
+If a signal was pending, the code would break out of the loop without
+freeing or chaining the just-allocated bio, causing a memory leak.
+
+This matches the pattern already used in __blkdev_issue_write_zeroes()
+where the signal check precedes the allocation.
+
+Fixes: bf86bcdb4012 ("blk-lib: check for kill signal in ioctl BLKZEROOUT")
+Reported-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=527a7e48a3d3d315d862
+Signed-off-by: Shaurya Rane
+Reviewed-by: Keith Busch
+Tested-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-lib.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-lib.c b/block/blk-lib.c
+index 4c9f20a689f7b..8cb2987db786f 100644
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -200,13 +200,13 @@ static void __blkdev_issue_zero_pages(struct block_device *bdev,
+ unsigned int nr_vecs = __blkdev_sectors_to_bio_pages(nr_sects);
+ struct bio *bio;
+
+- bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask);
+- bio->bi_iter.bi_sector = sector;
+-
+ if ((flags & BLKDEV_ZERO_KILLABLE) &&
+ fatal_signal_pending(current))
+ break;
+
++ bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask);
++ bio->bi_iter.bi_sector = sector;
++
+ do {
+ unsigned int len, added;
+
+--
+2.51.0
+
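Review bot: The result of `bio_alloc()` is dereferenced on the very next line (`bio->bi_iter.bi_sector = sector;`) without a NULL check; the commit only moves these two lines, so they are still unchecked in their new position. If `gfp_mask` can ever be a non-blocking mask on this path, the allocation may return NULL, so either a check such as `if (!bio) break;` or a comment stating that callers always pass a blocking mask would settle the question. The function is `void` in the hunk header and its loop starts outside the hunk, so how an early `break` is reported to the caller is decided in code not shown here.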
diff --git a/queue-6.17/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch b/queue-6.17/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch
new file mode 100644
index 0000000000..c179f6fc89
--- /dev/null
+++ b/queue-6.17/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch
@@ -0,0 +1,169 @@ +From ca6fe3638b4cbad4d066c36a70ebb2f4e4354b12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 13:17:02 -0800 +Subject: block: Use RCU in blk_mq_[un]quiesce_tagset() instead of + set->tag_list_lock + +From: Mohamed Khalfella + +[ Upstream commit 59e25ef2b413c72da6686d431e7759302cfccafa ] + +blk_mq_{add,del}_queue_tag_set() functions add and remove queues from +tagset, the functions make sure that tagset and queues are marked as +shared when two or more queues are attached to the same tagset. +Initially a tagset starts as unshared and when the number of added +queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along +with all the queues attached to it. When the number of attached queues +drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and +the remaining queues as unshared. + +Both functions need to freeze current queues in tagset before setting on +unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions +hold set->tag_list_lock mutex, which makes sense as we do not want +queues to be added or deleted in the process. This used to work fine +until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") +made the nvme driver quiesce tagset instead of quiscing individual +queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in +set->tag_list while holding set->tag_list_lock also. + +This results in deadlock between two threads with these stacktraces: + + __schedule+0x47c/0xbb0 + ? timerqueue_add+0x66/0xb0 + schedule+0x1c/0xa0 + schedule_preempt_disabled+0xa/0x10 + __mutex_lock.constprop.0+0x271/0x600 + blk_mq_quiesce_tagset+0x25/0xc0 + nvme_dev_disable+0x9c/0x250 + nvme_timeout+0x1fc/0x520 + blk_mq_handle_expired+0x5c/0x90 + bt_iter+0x7e/0x90 + blk_mq_queue_tag_busy_iter+0x27e/0x550 + ? __blk_mq_complete_request_remote+0x10/0x10 + ? __blk_mq_complete_request_remote+0x10/0x10 + ? 
__call_rcu_common.constprop.0+0x1c0/0x210 + blk_mq_timeout_work+0x12d/0x170 + process_one_work+0x12e/0x2d0 + worker_thread+0x288/0x3a0 + ? rescuer_thread+0x480/0x480 + kthread+0xb8/0xe0 + ? kthread_park+0x80/0x80 + ret_from_fork+0x2d/0x50 + ? kthread_park+0x80/0x80 + ret_from_fork_asm+0x11/0x20 + + __schedule+0x47c/0xbb0 + ? xas_find+0x161/0x1a0 + schedule+0x1c/0xa0 + blk_mq_freeze_queue_wait+0x3d/0x70 + ? destroy_sched_domains_rcu+0x30/0x30 + blk_mq_update_tag_set_shared+0x44/0x80 + blk_mq_exit_queue+0x141/0x150 + del_gendisk+0x25a/0x2d0 + nvme_ns_remove+0xc9/0x170 + nvme_remove_namespaces+0xc7/0x100 + nvme_remove+0x62/0x150 + pci_device_remove+0x23/0x60 + device_release_driver_internal+0x159/0x200 + unbind_store+0x99/0xa0 + kernfs_fop_write_iter+0x112/0x1e0 + vfs_write+0x2b1/0x3d0 + ksys_write+0x4e/0xb0 + do_syscall_64+0x5b/0x160 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +The top stacktrace is showing nvme_timeout() called to handle nvme +command timeout. timeout handler is trying to disable the controller and +as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not +to call queue callback handlers. The thread is stuck waiting for +set->tag_list_lock as it tries to walk the queues in set->tag_list. + +The lock is held by the second thread in the bottom stack which is +waiting for one of queues to be frozen. The queue usage counter will +drop to zero after nvme_timeout() finishes, and this will not happen +because the thread will wait for this mutex forever. + +Given that [un]quiescing queue is an operation that does not need to +sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking +set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU +safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list) +in blk_mq_del_queue_tag_set() because we can not re-initialize it while +the list is being traversed under RCU. 
The deleted queue will not be +added/deleted to/from a tagset and it will be freed in blk_free_queue() +after the end of RCU grace period. + +Signed-off-by: Mohamed Khalfella +Fixes: 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") +Reviewed-by: Ming Lei +Reviewed-by: Bart Van Assche +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 3e9f82c9a89d2..77261fba50900 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -336,12 +336,12 @@ void blk_mq_quiesce_tagset(struct blk_mq_tag_set *set) + { + struct request_queue *q; + +- mutex_lock(&set->tag_list_lock); +- list_for_each_entry(q, &set->tag_list, tag_set_list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) { + if (!blk_queue_skip_tagset_quiesce(q)) + blk_mq_quiesce_queue_nowait(q); + } +- mutex_unlock(&set->tag_list_lock); ++ rcu_read_unlock(); + + blk_mq_wait_quiesce_done(set); + } +@@ -351,12 +351,12 @@ void blk_mq_unquiesce_tagset(struct blk_mq_tag_set *set) + { + struct request_queue *q; + +- mutex_lock(&set->tag_list_lock); +- list_for_each_entry(q, &set->tag_list, tag_set_list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) { + if (!blk_queue_skip_tagset_quiesce(q)) + blk_mq_unquiesce_queue(q); + } +- mutex_unlock(&set->tag_list_lock); ++ rcu_read_unlock(); + } + EXPORT_SYMBOL_GPL(blk_mq_unquiesce_tagset); + +@@ -4317,7 +4317,7 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q) + struct blk_mq_tag_set *set = q->tag_set; + + mutex_lock(&set->tag_list_lock); +- list_del(&q->tag_set_list); ++ list_del_rcu(&q->tag_set_list); + if (list_is_singular(&set->tag_list)) { + /* just transitioned to unshared */ + set->flags &= ~BLK_MQ_F_TAG_QUEUE_SHARED; +@@ -4325,7 +4325,6 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q) + blk_mq_update_tag_set_shared(set, false); + 
} + mutex_unlock(&set->tag_list_lock); +- INIT_LIST_HEAD(&q->tag_set_list); + } + + static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set, +@@ -4344,7 +4343,7 @@ static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set, + } + if (set->flags & BLK_MQ_F_TAG_QUEUE_SHARED) + queue_set_hctx_shared(q, true); +- list_add_tail(&q->tag_set_list, &set->tag_list); ++ list_add_tail_rcu(&q->tag_set_list, &set->tag_list); + + mutex_unlock(&set->tag_list_lock); + } +-- +2.51.0 + diff --git a/queue-6.17/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch b/queue-6.17/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch new file mode 100644 index 0000000000..fd6921b5f4 --- /dev/null +++ b/queue-6.17/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch 
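Review bot: Dropping `INIT_LIST_HEAD(&q->tag_set_list)` in `blk_mq_del_queue_tag_set()` is explained only in the commit message; at the call site nothing says that the entry is deliberately not re-initialised after `list_del_rcu()`. I would add a comment next to `list_del_rcu(&q->tag_set_list);`, e.g. `/* RCU readers in blk_mq_[un]quiesce_tagset() may still be on this entry: do not re-init it; q is freed after a grace period */`. The two tagset walkers now call `blk_mq_quiesce_queue_nowait()` and `blk_mq_unquiesce_queue()` inside `rcu_read_lock()`, so both must stay non-sleeping; the message asserts that, and a one-line comment above each `rcu_read_lock()` would keep it from regressing. All four functions touched start or end outside the hunks shown.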
@@ -0,0 +1,61 @@ +From 68c60c3ace4ceba2d749a48756287974124aedd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 16:24:53 +0000 +Subject: cifs: Fix handling of a beyond-EOF DIO/unbuffered read over SMB1 + +From: David Howells + +[ Upstream commit 9d85ac939d52e93d80efb01a299c6f0bedb30487 ] + +If a DIO read or an unbuffered read request extends beyond the EOF, the +server will return a short read and a status code indicating that EOF was +hit, which gets translated to -ENODATA. Note that the client does not cap +the request at i_size, but asks for the amount requested in case there's a +race on the server with a third party. + +Now, on the client side, the request will get split into multiple +subrequests if rsize is smaller than the full request size. A subrequest +that starts before or at the EOF and returns short data up to the EOF will +be correctly handled, with the NETFS_SREQ_HIT_EOF flag being set, +indicating to netfslib that we can't read more. + +If a subrequest, however, starts after the EOF and not at it, HIT_EOF will +not be flagged, its error will be set to -ENODATA and it will be abandoned. +This will cause the request as a whole to fail with -ENODATA. + +Fix this by setting NETFS_SREQ_HIT_EOF on any subrequest that lies beyond +the EOF marker. + +This can be reproduced by mounting with "cache=none,sign,vers=1.0" and +doing a read of a file that's significantly bigger than the size of the +file (e.g. attempting to read 64KiB from a 16KiB file). 
+ +Fixes: a68c74865f51 ("cifs: Fix SMB1 readv/writev callback in the same way as SMB2/3") +Signed-off-by: David Howells +Reviewed-by: Paulo Alcantara (Red Hat) +cc: Shyam Prasad N +cc: linux-cifs@vger.kernel.org +cc: netfs@lists.linux.dev +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifssmb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c +index d20766f664c49..4368771aad167 100644 +--- a/fs/smb/client/cifssmb.c ++++ b/fs/smb/client/cifssmb.c +@@ -1364,7 +1364,7 @@ cifs_readv_callback(struct mid_q_entry *mid) + } else { + size_t trans = rdata->subreq.transferred + rdata->got_bytes; + if (trans < rdata->subreq.len && +- rdata->subreq.start + trans == ictx->remote_i_size) { ++ rdata->subreq.start + trans >= ictx->remote_i_size) { + rdata->result = 0; + __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags); + } else if (rdata->got_bytes > 0) { +-- +2.51.0 + diff --git a/queue-6.17/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch-14602 b/queue-6.17/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch-14602 new file mode 100644 index 0000000000..1030db7161 --- /dev/null +++ b/queue-6.17/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch-14602 
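Review bot: Relaxing `==` to `>=` in `cifs_readv_callback()` makes any short subrequest that ends at or past `ictx->remote_i_size` report success with `NETFS_SREQ_HIT_EOF`, and that size is the client's cached view of the file. The description itself notes that the file can change on the server through a third party, so if it has grown since the size was cached, a short read past the stale value would presumably be treated as EOF rather than retried; a comment stating why the cached size is safe to trust here would help. The condition that selects this `else` branch is outside the hunk, so which `rdata->result` values can reach it cannot be checked. The same change is made in `smb2_readv_callback()` in the next patch, where the two statements in the branch appear in the opposite order; keeping the two callbacks identical would ease later backports.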
@@ -0,0 +1,57 @@ +From 4da4c91b3bc2a5cc385be301a10a7cca311d9928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 21:55:27 +0000 +Subject: cifs: Fix handling of a beyond-EOF DIO/unbuffered read over SMB2 + +From: David Howells + +[ Upstream commit 4ae4dde6f34a4124c65468ae4fa1f915fb40f900 ] + +If a DIO read or an unbuffered read request extends beyond the EOF, the +server will return a short read and a status code indicating that EOF was +hit, which gets translated to -ENODATA. Note that the client does not cap +the request at i_size, but asks for the amount requested in case there's a +race on the server with a third party. + +Now, on the client side, the request will get split into multiple +subrequests if rsize is smaller than the full request size. A subrequest +that starts before or at the EOF and returns short data up to the EOF will +be correctly handled, with the NETFS_SREQ_HIT_EOF flag being set, +indicating to netfslib that we can't read more. + +If a subrequest, however, starts after the EOF and not at it, HIT_EOF will +not be flagged, its error will be set to -ENODATA and it will be abandoned. +This will cause the request as a whole to fail with -ENODATA. + +Fix this by setting NETFS_SREQ_HIT_EOF on any subrequest that lies beyond +the EOF marker. 
+ +Fixes: 1da29f2c39b6 ("netfs, cifs: Fix handling of short DIO read") +Signed-off-by: David Howells +Reviewed-by: Paulo Alcantara (Red Hat) +cc: Shyam Prasad N +cc: linux-cifs@vger.kernel.org +cc: netfs@lists.linux.dev +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c +index f925b2da76c1d..64fe2de662ff9 100644 +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -4629,7 +4629,7 @@ smb2_readv_callback(struct mid_q_entry *mid) + } else { + size_t trans = rdata->subreq.transferred + rdata->got_bytes; + if (trans < rdata->subreq.len && +- rdata->subreq.start + trans == ictx->remote_i_size) { ++ rdata->subreq.start + trans >= ictx->remote_i_size) { + __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags); + rdata->result = 0; + } +-- +2.51.0 + diff --git a/queue-6.17/dm-log-writes-add-missing-set_freezable-for-freezabl.patch b/queue-6.17/dm-log-writes-add-missing-set_freezable-for-freezabl.patch new file mode 100644 index 0000000000..1974ca0442 --- /dev/null +++ b/queue-6.17/dm-log-writes-add-missing-set_freezable-for-freezabl.patch 
@@ -0,0 +1,40 @@ +From 24b48d157f4cc3eebf2fdb3d7460826b6d4e1ef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 15:41:03 +0800 +Subject: dm log-writes: Add missing set_freezable() for freezable kthread + +From: Haotian Zhang + +[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ] + +The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(), +rendering the freeze attempt ineffective since kernel threads are +non-freezable by default. This prevents proper thread suspension during +system suspend/hibernate. + +Add set_freezable() to explicitly mark the thread as freezable. + +Fixes: 0e9cebe72459 ("dm: add log writes target") +Signed-off-by: Haotian Zhang +Reviewed-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-log-writes.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c +index 679b07dee2294..1f8fbc27a12f8 100644 +--- a/drivers/md/dm-log-writes.c ++++ b/drivers/md/dm-log-writes.c +@@ -432,6 +432,7 @@ static int log_writes_kthread(void *arg) + struct log_writes_c *lc = arg; + sector_t sector = 0; + ++ set_freezable(); + while (!kthread_should_stop()) { + bool super = false; + bool logging_enabled; +-- +2.51.0 + diff --git a/queue-6.17/dm-raid-fix-possible-null-dereference-with-undefined.patch b/queue-6.17/dm-raid-fix-possible-null-dereference-with-undefined.patch new file mode 100644 index 0000000000..991eb82337 --- /dev/null +++ b/queue-6.17/dm-raid-fix-possible-null-dereference-with-undefined.patch 
@@ -0,0 +1,42 @@ +From bb9fd87ebe919a039e2c7255c492420852124348 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 20:18:38 +0300 +Subject: dm-raid: fix possible NULL dereference with undefined raid type + +From: Alexey Simakov + +[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ] + +rs->raid_type is assigned from get_raid_type_by_ll(), which may return +NULL. This NULL value could be dereferenced later in the condition +'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'. + +Add a fail-fast check to return early with an error if raid_type is NULL, +similar to other uses of this function. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping") +Signed-off-by: Alexey Simakov +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-raid.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c +index f4b904e243285..0d2e1c5eee92a 100644 +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -2287,6 +2287,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev) + + mddev->reshape_position = le64_to_cpu(sb->reshape_position); + rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout); ++ if (!rs->raid_type) ++ return -EINVAL; + } + + } else { +-- +2.51.0 + diff --git a/queue-6.17/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch b/queue-6.17/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch new file mode 100644 index 0000000000..3f46cee359 --- /dev/null +++ b/queue-6.17/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch 
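Review bot: The new `return -EINVAL` in super_init_validation() fails silently when get_raid_type_by_ll() finds no raid type for the level/layout pair, so a table load rejected for this reason leaves nothing in the log to say why. A NULL result means the level and layout values do not map to a known type, possibly because of a damaged superblock, although where those values are read is outside the hunk. I would log before returning, e.g. `DMERR("Unknown raid type for superblock level/layout");` inside a braced `if`, or set the target's error string if the rest of the function reports failures that way. The function's body starts and ends outside the hunk.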
@@ -0,0 +1,40 @@ +From 25ade6a92b22176b62ca9c942377f266c7408615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 09:28:10 -0600 +Subject: dma/pool: eliminate alloc_pages warning in atomic_pool_expand + +From: Dave Kleikamp + +[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ] + +atomic_pool_expand iteratively tries the allocation while decrementing +the page order. There is no need to issue a warning if an attempted +allocation fails. + +Signed-off-by: Dave Kleikamp +Reviewed-by: Robin Murphy +Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone") +[mszyprow: fixed typo] +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com +Signed-off-by: Sasha Levin +--- + kernel/dma/pool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c +index ee45dee33d491..26392badc36b0 100644 +--- a/kernel/dma/pool.c ++++ b/kernel/dma/pool.c +@@ -93,7 +93,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size, + page = dma_alloc_from_contiguous(NULL, 1 << order, + order, false); + if (!page) +- page = alloc_pages(gfp, order); ++ page = alloc_pages(gfp | __GFP_NOWARN, order); + } while (!page && order-- > 0); + if (!page) + goto out; +-- +2.51.0 + diff --git a/queue-6.17/docs-hwmon-fix-link-to-g762-devicetree-binding.patch b/queue-6.17/docs-hwmon-fix-link-to-g762-devicetree-binding.patch new file mode 100644 index 0000000000..e1cd00f663 --- /dev/null +++ b/queue-6.17/docs-hwmon-fix-link-to-g762-devicetree-binding.patch 
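Review bot: With `__GFP_NOWARN` OR-ed into every `alloc_pages()` call in the retry loop of atomic_pool_expand(), the last attempt at order 0 is silenced as well, so a complete failure to expand the pool now reaches `goto out` without any allocation warning. Whether a caller reports that failure is not visible in this hunk; if none does, a single `pr_warn()` before the `goto out` would keep the diagnostic for the one case that matters. A short comment on the changed line, `/* lower orders are retried below, so a failed attempt is not worth a warning */`, would also record why the flag is there. The function continues outside the hunk.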
@@ -0,0 +1,37 @@ +From e89c2932575f55889753dc23500ede6b17958a7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 21:58:35 +0000 +Subject: docs: hwmon: fix link to g762 devicetree binding + +From: Kathara Sasikumar + +[ Upstream commit 08bfcf4ff9d39228150a757803fc02dffce84ab0 ] + +The devicetree binding for g762 was converted to YAML to match vendor +prefix conventions. Update the reference accordingly. + +Signed-off-by: Kathara Sasikumar +Link: https://lore.kernel.org/r/20251205215835.783273-1-katharasasikumar007@gmail.com +Fixes: 3d8e25372417 ("dt-bindings: hwmon: g762: Convert to yaml schema") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + Documentation/hwmon/g762.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/hwmon/g762.rst b/Documentation/hwmon/g762.rst +index 0371b3365c48c..f224552a2d3cc 100644 +--- a/Documentation/hwmon/g762.rst ++++ b/Documentation/hwmon/g762.rst +@@ -17,7 +17,7 @@ done via a userland daemon like fancontrol. + Note that those entries do not provide ways to setup the specific + hardware characteristics of the system (reference clock, pulses per + fan revolution, ...); Those can be modified via devicetree bindings +-documented in Documentation/devicetree/bindings/hwmon/g762.txt or ++documented in Documentation/devicetree/bindings/hwmon/gmt,g762.yaml or + using a specific platform_data structure in board initialization + file (see include/linux/platform_data/g762.h). + +-- +2.51.0 + diff --git a/queue-6.17/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch b/queue-6.17/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch new file mode 100644 index 0000000000..7913775dcd --- /dev/null +++ b/queue-6.17/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch 
@@ -0,0 +1,93 @@ +From 52943989e6da46fb07060139137c0c124f34e5fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 14:12:29 -0600 +Subject: drm/amdkfd: Use huge page size to check split svm range alignment + +From: Xiaogang Chen + +[ Upstream commit bf2084a7b1d75d093b6a79df4c10142d49fbaa0e ] + +When split svm ranges that have been mapped using huge page should use huge +page size(2MB) to check split range alignment, not prange->granularity that +means migration granularity. + +Fixes: 7ef6b2d4b7e5 ("drm/amdkfd: remap unaligned svm ranges that have split") +Signed-off-by: Xiaogang Chen +Reviewed-by: Philip Yang +Signed-off-by: Alex Deucher +(cherry picked from commit 448ee45353ef9fb1a34f5f26eb3f48923c6f0898) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 46 +++++++++++++++++++--------- + 1 file changed, 32 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +index fab6e7721c803..2850356b018db 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +@@ -1144,30 +1144,48 @@ static int + svm_range_split_tail(struct svm_range *prange, uint64_t new_last, + struct list_head *insert_list, struct list_head *remap_list) + { ++ unsigned long last_align_down = ALIGN_DOWN(prange->last, 512); ++ unsigned long start_align = ALIGN(prange->start, 512); ++ bool huge_page_mapping = last_align_down > start_align; + struct svm_range *tail = NULL; +- int r = svm_range_split(prange, prange->start, new_last, &tail); ++ int r; + +- if (!r) { +- list_add(&tail->list, insert_list); +- if (!IS_ALIGNED(new_last + 1, 1UL << prange->granularity)) +- list_add(&tail->update_list, remap_list); +- } +- return r; ++ r = svm_range_split(prange, prange->start, new_last, &tail); ++ ++ if (r) ++ return r; ++ ++ list_add(&tail->list, insert_list); ++ ++ if (huge_page_mapping && tail->start > start_align && ++ tail->start < last_align_down && 
(!IS_ALIGNED(tail->start, 512))) ++ list_add(&tail->update_list, remap_list); ++ ++ return 0; + } + + static int + svm_range_split_head(struct svm_range *prange, uint64_t new_start, + struct list_head *insert_list, struct list_head *remap_list) + { ++ unsigned long last_align_down = ALIGN_DOWN(prange->last, 512); ++ unsigned long start_align = ALIGN(prange->start, 512); ++ bool huge_page_mapping = last_align_down > start_align; + struct svm_range *head = NULL; +- int r = svm_range_split(prange, new_start, prange->last, &head); ++ int r; + +- if (!r) { +- list_add(&head->list, insert_list); +- if (!IS_ALIGNED(new_start, 1UL << prange->granularity)) +- list_add(&head->update_list, remap_list); +- } +- return r; ++ r = svm_range_split(prange, new_start, prange->last, &head); ++ ++ if (r) ++ return r; ++ ++ list_add(&head->list, insert_list); ++ ++ if (huge_page_mapping && head->last + 1 > start_align && ++ head->last + 1 < last_align_down && (!IS_ALIGNED(head->last, 512))) ++ list_add(&head->update_list, remap_list); ++ ++ return 0; + } + + static void +-- +2.51.0 + diff --git a/queue-6.17/drm-i915-fbdev-hold-runtime-pm-ref-during-fbdev-bo-c.patch b/queue-6.17/drm-i915-fbdev-hold-runtime-pm-ref-during-fbdev-bo-c.patch new file mode 100644 index 0000000000..37ac97921a --- /dev/null +++ b/queue-6.17/drm-i915-fbdev-hold-runtime-pm-ref-during-fbdev-bo-c.patch 
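Review bot: In svm_range_split_head() the final test is `!IS_ALIGNED(head->last, 512)` while the two bounds checks before it compare `head->last + 1` and the removed code tested the split point `new_start`; svm_range_split_tail() consistently tests `tail->start`. If the head's split point is `head->last + 1`, as the bounds checks suggest, the alignment test looks off by one: a split exactly on a 512-page boundary would be queued for remap and a split one page after the boundary would not. I would change it to `(!IS_ALIGNED(head->last + 1, 512))`, after confirming the intent against svm_range_split(), which is not shown. Separately, the literal 512 appears six times across the two functions; a named constant for the huge-page size in pages (the commit message gives 2MB) would make the checks readable.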
@@ -0,0 +1,77 @@ +From dbaa550cb8222179c4e0c2788a40a9cf5269e3b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 19:24:03 +0530 +Subject: drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dibin Moolakadan Subrahmanian + +[ Upstream commit 460b31720369fc77c23301708641cfa1bf2fcb8f ] + +During fbdev probe, the xe driver allocates and pins a framebuffer +BO (via xe_bo_create_pin_map_novm() → xe_ggtt_insert_bo()). + +Without a runtime PM reference, xe_pm_runtime_get_noresume() warns about +missing outer PM protection as below: + + xe 0000:03:00.0: [drm] Missing outer runtime PM protection + +Acquire a runtime PM reference before framebuffer allocation to ensure +xe_ggtt_insert_bo() executes under active runtime PM context. + +Changes in v2: + - Update commit message to add Fixes tag (Jani Nikula) + +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6350 +Fixes: 44e694958b95 ("drm/xe/display: Implement display support") +Cc: Jani Nikula +Signed-off-by: Dibin Moolakadan Subrahmanian +Reviewed-by: Jouni Högander +Signed-off-by: Ankit Nautiyal +Link: https://patch.msgid.link/20251111135403.3415947-1-dibin.moolakadan.subrahmanian@intel.com +(cherry picked from commit 37fc7b7b3ab0e3bb900657199cd3770a4fda03fb) +Signed-off-by: Jani Nikula +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_fbdev.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev.c b/drivers/gpu/drm/i915/display/intel_fbdev.c +index e46c08762b847..7daf72b69bae4 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev.c +@@ -263,13 +263,18 @@ int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + drm_framebuffer_put(&fb->base); + fb = NULL; + } ++ ++ wakeref = intel_display_rpm_get(display); ++ + if (!fb || 
drm_WARN_ON(display->drm, !intel_fb_bo(&fb->base))) { + drm_dbg_kms(display->drm, + "no BIOS fb, allocating a new one\n"); + + fb = __intel_fbdev_fb_alloc(display, sizes); +- if (IS_ERR(fb)) +- return PTR_ERR(fb); ++ if (IS_ERR(fb)) { ++ ret = PTR_ERR(fb); ++ goto out_unlock; ++ } + } else { + drm_dbg_kms(display->drm, "re-using BIOS fb\n"); + prealloc = true; +@@ -277,8 +282,6 @@ int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + sizes->fb_height = fb->base.height; + } + +- wakeref = intel_display_rpm_get(display); +- + /* Pin the GGTT vma for our access via info->screen_base. + * This also validates that any existing fb inherited from the + * BIOS is suitable for own access. +-- +2.51.0 + diff --git a/queue-6.17/drm-i915-fbdev-make-intel_framebuffer_create-error-r.patch b/queue-6.17/drm-i915-fbdev-make-intel_framebuffer_create-error-r.patch new file mode 100644 index 0000000000..323a614ff7 --- /dev/null +++ b/queue-6.17/drm-i915-fbdev-make-intel_framebuffer_create-error-r.patch 
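Review bot: The allocation-failure path in intel_fbdev_driver_fbdev_probe() now does `ret = PTR_ERR(fb); goto out_unlock;` after `intel_display_rpm_get()`, so its correctness rests on `out_unlock`, which is outside the hunk, releasing the wakeref and returning `ret`. Please confirm that for each stable tree this is queued for, since a label that skips the put would leave a runtime PM reference held after every failed allocation. The moved call also deserves a comment saying why it sits before the allocation, e.g. `/* BO creation inserts into the GGTT and needs an active runtime PM reference */`. The function starts and ends outside the hunk.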
@@ -0,0 +1,50 @@ +From acd7ea9ad7e027c7d0b17a85b982c624924460e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 11:40:52 +0300 +Subject: drm/i915/fbdev: make intel_framebuffer_create() error return handling + explicit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +[ Upstream commit 6979d2c80c2a5b1f04157c4d6eb038bb32861cfa ] + +It's sketchy to pass error pointers via to_intel_framebuffer(). It +probably works as long as struct intel_framebuffer embeds struct +drm_framebuffer at offset 0, but be explicit about it. + +Reviewed-by: Ville Syrjälä +Link: https://lore.kernel.org/r/17631db227d527d6c67f5d6b67adec1ff8dc6f8d.1758184771.git.jani.nikula@intel.com +Signed-off-by: Jani Nikula +Stable-dep-of: 460b31720369 ("drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_fbdev_fb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +index 210aee9ae88b8..b9dfd00a7d05b 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +@@ -67,9 +67,16 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, + mode_cmd.pixel_format, + mode_cmd.modifier[0]), + &mode_cmd); ++ if (IS_ERR(fb)) { ++ i915_gem_object_put(obj); ++ goto err; ++ } ++ + i915_gem_object_put(obj); + + return to_intel_framebuffer(fb); ++err: ++ return ERR_CAST(fb); + } + + int intel_fbdev_fb_fill_info(struct intel_display *display, struct fb_info *info, +-- +2.51.0 + diff --git a/queue-6.17/drm-i915-xe-fbdev-deduplicate-struct-drm_mode_fb_cmd.patch b/queue-6.17/drm-i915-xe-fbdev-deduplicate-struct-drm_mode_fb_cmd.patch new file mode 100644 index 0000000000..6f7f694ec9 --- /dev/null +++ b/queue-6.17/drm-i915-xe-fbdev-deduplicate-struct-drm_mode_fb_cmd.patch 
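Review bot: In intel_fbdev_fb_alloc() the added error branch repeats `i915_gem_object_put(obj)` and then jumps to an `err:` label that only returns, so the same put now appears on both paths. Dropping the reference once before the check reads more simply: `i915_gem_object_put(obj);` followed by `if (IS_ERR(fb)) return ERR_CAST(fb);`. If the label is kept because other patches in the series hang more cleanup on it, a one-line comment at `err:` saying so would help. The function starts outside the hunk.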
@@ -0,0 +1,216 @@ +From 3ff2f253fb0a0e00ce3121a5705088d55110c6a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 11:40:54 +0300 +Subject: drm/{i915, xe}/fbdev: deduplicate struct drm_mode_fb_cmd2 init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +[ Upstream commit f9ff39f940f5ddd1d4ffcff602de7206aa1ff05d ] + +Pull struct drm_mode_fb_cmd2 initialization out of the driver dependent +code into shared display code. + +v2: Rebase on xe stride alignment change + +Reviewed-by: Ville Syrjälä +Link: https://lore.kernel.org/r/e922e47bfd39f9c5777f869ff23c23309ebbb380.1758184771.git.jani.nikula@intel.com +Signed-off-by: Jani Nikula +Stable-dep-of: 460b31720369 ("drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_fbdev.c | 32 ++++++++++++++++++- + drivers/gpu/drm/i915/display/intel_fbdev_fb.c | 25 ++++----------- + drivers/gpu/drm/i915/display/intel_fbdev_fb.h | 4 +-- + drivers/gpu/drm/xe/display/intel_fbdev_fb.c | 25 ++++----------- + 4 files changed, 45 insertions(+), 41 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev.c b/drivers/gpu/drm/i915/display/intel_fbdev.c +index 46c6de5f60888..e46c08762b847 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev.c +@@ -207,6 +207,35 @@ static const struct drm_fb_helper_funcs intel_fb_helper_funcs = { + .fb_set_suspend = intelfb_set_suspend, + }; + ++static void intel_fbdev_fill_mode_cmd(struct drm_fb_helper_surface_size *sizes, ++ struct drm_mode_fb_cmd2 *mode_cmd) ++{ ++ /* we don't do packed 24bpp */ ++ if (sizes->surface_bpp == 24) ++ sizes->surface_bpp = 32; ++ ++ mode_cmd->width = sizes->surface_width; ++ mode_cmd->height = sizes->surface_height; ++ ++ mode_cmd->pitches[0] = ALIGN(mode_cmd->width * DIV_ROUND_UP(sizes->surface_bpp, 8), 64); ++ mode_cmd->pixel_format = 
drm_mode_legacy_fb_format(sizes->surface_bpp, ++ sizes->surface_depth); ++} ++ ++static struct intel_framebuffer * ++__intel_fbdev_fb_alloc(struct intel_display *display, ++ struct drm_fb_helper_surface_size *sizes) ++{ ++ struct drm_mode_fb_cmd2 mode_cmd = {}; ++ struct intel_framebuffer *fb; ++ ++ intel_fbdev_fill_mode_cmd(sizes, &mode_cmd); ++ ++ fb = intel_fbdev_fb_alloc(display->drm, &mode_cmd); ++ ++ return fb; ++} ++ + int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + struct drm_fb_helper_surface_size *sizes) + { +@@ -237,7 +266,8 @@ int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + if (!fb || drm_WARN_ON(display->drm, !intel_fb_bo(&fb->base))) { + drm_dbg_kms(display->drm, + "no BIOS fb, allocating a new one\n"); +- fb = intel_fbdev_fb_alloc(display->drm, sizes); ++ ++ fb = __intel_fbdev_fb_alloc(display, sizes); + if (IS_ERR(fb)) + return PTR_ERR(fb); + } else { +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +index 4de13d1a4c7a7..685612e6afc53 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +@@ -3,7 +3,7 @@ + * Copyright © 2023 Intel Corporation + */ + +-#include ++#include + + #include "gem/i915_gem_lmem.h" + +@@ -14,28 +14,15 @@ + #include "intel_fbdev_fb.h" + + struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, +- struct drm_fb_helper_surface_size *sizes) ++ struct drm_mode_fb_cmd2 *mode_cmd) + { + struct intel_display *display = to_intel_display(drm); + struct drm_i915_private *dev_priv = to_i915(drm); + struct drm_framebuffer *fb; +- struct drm_mode_fb_cmd2 mode_cmd = {}; + struct drm_i915_gem_object *obj; + int size; + +- /* we don't do packed 24bpp */ +- if (sizes->surface_bpp == 24) +- sizes->surface_bpp = 32; +- +- mode_cmd.width = sizes->surface_width; +- mode_cmd.height = sizes->surface_height; +- +- mode_cmd.pitches[0] = ALIGN(mode_cmd.width * +- 
DIV_ROUND_UP(sizes->surface_bpp, 8), 64); +- mode_cmd.pixel_format = drm_mode_legacy_fb_format(sizes->surface_bpp, +- sizes->surface_depth); +- +- size = mode_cmd.pitches[0] * mode_cmd.height; ++ size = mode_cmd->pitches[0] * mode_cmd->height; + size = PAGE_ALIGN(size); + + obj = ERR_PTR(-ENODEV); +@@ -64,9 +51,9 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + + fb = intel_framebuffer_create(intel_bo_to_drm_bo(obj), + drm_get_format_info(drm, +- mode_cmd.pixel_format, +- mode_cmd.modifier[0]), +- &mode_cmd); ++ mode_cmd->pixel_format, ++ mode_cmd->modifier[0]), ++ mode_cmd); + if (IS_ERR(fb)) { + i915_gem_object_put(obj); + goto err; +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.h b/drivers/gpu/drm/i915/display/intel_fbdev_fb.h +index 668ae355f5e5b..83454ffbf79cd 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.h ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.h +@@ -7,14 +7,14 @@ + #define __INTEL_FBDEV_FB_H__ + + struct drm_device; +-struct drm_fb_helper_surface_size; + struct drm_gem_object; ++struct drm_mode_fb_cmd2; + struct fb_info; + struct i915_vma; + struct intel_display; + + struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, +- struct drm_fb_helper_surface_size *sizes); ++ struct drm_mode_fb_cmd2 *mode_cmd); + int intel_fbdev_fb_fill_info(struct intel_display *display, struct fb_info *info, + struct drm_gem_object *obj, struct i915_vma *vma); + +diff --git a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +index 4c9e4de92d3c7..96ad1c1009310 100644 +--- a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +@@ -3,7 +3,7 @@ + * Copyright © 2023 Intel Corporation + */ + +-#include ++#include + + #include "intel_display_core.h" + #include "intel_display_types.h" +@@ -16,27 +16,14 @@ + #include + + struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, +- struct drm_fb_helper_surface_size 
*sizes) ++ struct drm_mode_fb_cmd2 *mode_cmd) + { + struct drm_framebuffer *fb; + struct xe_device *xe = to_xe_device(drm); +- struct drm_mode_fb_cmd2 mode_cmd = {}; + struct xe_bo *obj; + int size; + +- /* we don't do packed 24bpp */ +- if (sizes->surface_bpp == 24) +- sizes->surface_bpp = 32; +- +- mode_cmd.width = sizes->surface_width; +- mode_cmd.height = sizes->surface_height; +- +- mode_cmd.pitches[0] = ALIGN(mode_cmd.width * +- DIV_ROUND_UP(sizes->surface_bpp, 8), 64); +- mode_cmd.pixel_format = drm_mode_legacy_fb_format(sizes->surface_bpp, +- sizes->surface_depth); +- +- size = mode_cmd.pitches[0] * mode_cmd.height; ++ size = mode_cmd->pitches[0] * mode_cmd->height; + size = PAGE_ALIGN(size); + obj = ERR_PTR(-ENODEV); + +@@ -67,9 +54,9 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + + fb = intel_framebuffer_create(&obj->ttm.base, + drm_get_format_info(drm, +- mode_cmd.pixel_format, +- mode_cmd.modifier[0]), +- &mode_cmd); ++ mode_cmd->pixel_format, ++ mode_cmd->modifier[0]), ++ mode_cmd); + if (IS_ERR(fb)) { + xe_bo_unpin_map_no_vm(obj); + goto err; +-- +2.51.0 + diff --git a/queue-6.17/drm-i915-xe-fbdev-pass-struct-drm_device-to-intel_fb.patch b/queue-6.17/drm-i915-xe-fbdev-pass-struct-drm_device-to-intel_fb.patch new file mode 100644 index 0000000000..c80da0fc6e --- /dev/null +++ b/queue-6.17/drm-i915-xe-fbdev-pass-struct-drm_device-to-intel_fb.patch 
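Review bot: `size = mode_cmd->pitches[0] * mode_cmd->height;` in both intel_fbdev_fb_alloc() variants multiplies two values supplied by the caller and stores the product in `int size` with no overflow check, and after this change the function no longer computes those values itself. The only caller visible here fills them from the fbdev surface size, so this is presumably safe today, but a guard such as `if (check_mul_overflow(mode_cmd->pitches[0], mode_cmd->height, &size)) return ERR_PTR(-EINVAL);` would keep the allocation size honest if another caller appears. In `__intel_fbdev_fb_alloc()` the local `fb` is only assigned and returned, so `return intel_fbdev_fb_alloc(display->drm, &mode_cmd);` is enough. It would also help to document on `intel_fbdev_fill_mode_cmd()` that it rewrites `sizes->surface_bpp` from 24 to 32 in the caller's structure.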
@@ -0,0 +1,127 @@ +From 306b2f1e3849e587a2064e63d11b450fdb3eace2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 11:40:53 +0300 +Subject: drm/{i915, xe}/fbdev: pass struct drm_device to + intel_fbdev_fb_alloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +[ Upstream commit 9e5cf822a207ee8c9856024c047abaccb4d185e5 ] + +The function doesn't actually need struct drm_fb_helper for anything, +just pass struct drm_device. + +Reviewed-by: Ville Syrjälä +Link: https://lore.kernel.org/r/16360584f80cdc5ee35fd94cfd92fd3955588dfd.1758184771.git.jani.nikula@intel.com +Signed-off-by: Jani Nikula +Stable-dep-of: 460b31720369 ("drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_fbdev.c | 2 +- + drivers/gpu/drm/i915/display/intel_fbdev_fb.c | 10 +++++----- + drivers/gpu/drm/i915/display/intel_fbdev_fb.h | 4 ++-- + drivers/gpu/drm/xe/display/intel_fbdev_fb.c | 7 +++---- + 4 files changed, 11 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev.c b/drivers/gpu/drm/i915/display/intel_fbdev.c +index 7c4709d58aa34..46c6de5f60888 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev.c +@@ -237,7 +237,7 @@ int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + if (!fb || drm_WARN_ON(display->drm, !intel_fb_bo(&fb->base))) { + drm_dbg_kms(display->drm, + "no BIOS fb, allocating a new one\n"); +- fb = intel_fbdev_fb_alloc(helper, sizes); ++ fb = intel_fbdev_fb_alloc(display->drm, sizes); + if (IS_ERR(fb)) + return PTR_ERR(fb); + } else { +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +index b9dfd00a7d05b..4de13d1a4c7a7 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +@@ -13,11 +13,11 @@ + #include 
"intel_fb.h" + #include "intel_fbdev_fb.h" + +-struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, ++struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + struct drm_fb_helper_surface_size *sizes) + { +- struct intel_display *display = to_intel_display(helper->dev); +- struct drm_i915_private *dev_priv = to_i915(display->drm); ++ struct intel_display *display = to_intel_display(drm); ++ struct drm_i915_private *dev_priv = to_i915(drm); + struct drm_framebuffer *fb; + struct drm_mode_fb_cmd2 mode_cmd = {}; + struct drm_i915_gem_object *obj; +@@ -58,12 +58,12 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, + } + + if (IS_ERR(obj)) { +- drm_err(display->drm, "failed to allocate framebuffer (%pe)\n", obj); ++ drm_err(drm, "failed to allocate framebuffer (%pe)\n", obj); + return ERR_PTR(-ENOMEM); + } + + fb = intel_framebuffer_create(intel_bo_to_drm_bo(obj), +- drm_get_format_info(display->drm, ++ drm_get_format_info(drm, + mode_cmd.pixel_format, + mode_cmd.modifier[0]), + &mode_cmd); +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.h b/drivers/gpu/drm/i915/display/intel_fbdev_fb.h +index cb79572727150..668ae355f5e5b 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.h ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.h +@@ -6,14 +6,14 @@ + #ifndef __INTEL_FBDEV_FB_H__ + #define __INTEL_FBDEV_FB_H__ + +-struct drm_fb_helper; ++struct drm_device; + struct drm_fb_helper_surface_size; + struct drm_gem_object; + struct fb_info; + struct i915_vma; + struct intel_display; + +-struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, ++struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + struct drm_fb_helper_surface_size *sizes); + int intel_fbdev_fb_fill_info(struct intel_display *display, struct fb_info *info, + struct drm_gem_object *obj, struct i915_vma *vma); +diff --git a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c 
b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +index 37a48c6f2d531..4c9e4de92d3c7 100644 +--- a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +@@ -15,12 +15,11 @@ + + #include + +-struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, ++struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + struct drm_fb_helper_surface_size *sizes) + { + struct drm_framebuffer *fb; +- struct drm_device *dev = helper->dev; +- struct xe_device *xe = to_xe_device(dev); ++ struct xe_device *xe = to_xe_device(drm); + struct drm_mode_fb_cmd2 mode_cmd = {}; + struct xe_bo *obj; + int size; +@@ -67,7 +66,7 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, + } + + fb = intel_framebuffer_create(&obj->ttm.base, +- drm_get_format_info(dev, ++ drm_get_format_info(drm, + mode_cmd.pixel_format, + mode_cmd.modifier[0]), + &mode_cmd); +-- +2.51.0 + diff --git a/queue-6.17/drm-nouveau-fix-circular-dep-oops-from-vendored-i2c-.patch b/queue-6.17/drm-nouveau-fix-circular-dep-oops-from-vendored-i2c-.patch new file mode 100644 index 0000000000..4905d7cca5 --- /dev/null +++ b/queue-6.17/drm-nouveau-fix-circular-dep-oops-from-vendored-i2c-.patch 
@@ -0,0 +1,159 @@ +From 8067af55fa6bb3bec3fbd2c426140584cdfa1a33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 16:49:52 +0100 +Subject: drm/nouveau: fix circular dep oops from vendored i2c encoder +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +[ Upstream commit d84e47edf156a953ed340ba6a202dcd3ea39ba0a ] + +Since commit a73583107af9 ("drm/nouveau: vendor in drm_encoder_slave API") +nouveau appears to be broken for all dispnv04 GPUs (before NV50). Depending +on the kernel version, either having no display output and hanging in +kernel for a long time, or even oopsing in the cleanup path like: + +Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac +... +nouveau 0000:0a:00.0: drm: 0x14C5: Parsing digital output script table +BUG: Unable to handle kernel data access on read at 0x00041520 +Faulting instruction address: 0xc0003d0001be0844 +Oops: Kernel access of bad area, sig: 11 [#1] +BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=8 NUMA PowerMac +Modules linked in: windfarm_cpufreq_clamp windfarm_smu_sensors windfarm_smu_controls windfarm_pm112 snd_aoa_codec_onyx snd_aoa_fabric_layout snd_aoa windfarm_pid jo + apple_mfi_fastcharge rndis_host cdc_ether usbnet mii snd_aoa_i2sbus snd_aoa_soundbus snd_pcm snd_timer snd soundcore rack_meter windfarm_smu_sat windfarm_max6690_s +m75_sensor windfarm_core gpu_sched drm_gpuvm drm_exec drm_client_lib drm_ttm_helper ttm drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks syscopyar +_sys_fops i2c_algo_bit backlight uio_pdrv_genirq uio uninorth_agp agpgart zram dm_mod dax ipv6 nfsv4 dns_resolver nfs lockd grace sunrpc offb cfbfillrect cfbimgblt +ont input_leds sr_mod cdrom sd_mod uas ata_generic hid_apple hid_generic usbhid hid usb_storage pata_macio sata_svw libata firewire_ohci scsi_mod firewire_core ohci +ehci_pci ehci_hcd tg3 ohci_hcd libphy usbcore usb_common nls_base + led_class +CPU: 0 UID: 0 PID: 245 Comm: (udev-worker) Not 
tainted 6.14.0-09584-g7d06015d936c #7 PREEMPTLAZY +Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac +NIP: c0003d0001be0844 LR: c0003d0001be0830 CTR: 0000000000000000 +REGS: c0000000053f70e0 TRAP: 0300 Not tainted (6.14.0-09584-g7d06015d936c) +MSR: 9000000000009032 CR: 24222220 XER: 00000000 +DAR: 0000000000041520 DSISR: 40000000 IRQMASK: 0 \x0aGPR00: c0003d0001be0830 c0000000053f7380 c0003d0000911900 c000000007bc6800 \x0aGPR04: 0000000000000000 0000000000000000 c000000007bc6e70 0000000000000001 \x0aGPR08: 01f3040000000000 0000000000041520 0000000000000000 c0003d0000813958 \x0aGPR12: c000000000071a48 c000000000e28000 0000000000000020 0000000000000000 \x0aGPR16: 0000000000000000 0000000000f52630 0000000000000000 0000000000000000 \x0aGPR20: 0000000000000000 0000000000000000 0000000000000001 c0003d0000928528 \x0aGPR24: c0003d0000928598 0000000000000000 c000000007025480 c000000007025480 \x0aGPR28: c0000000010b4000 0000000000000000 c000000007bc1800 c000000007bc6800 +NIP [c0003d0001be0844] nv_crtc_destroy+0x44/0xd4 [nouveau] +LR [c0003d0001be0830] nv_crtc_destroy+0x30/0xd4 [nouveau] +Call Trace: +[c0000000053f7380] [c0003d0001be0830] nv_crtc_destroy+0x30/0xd4 [nouveau] (unreliable) +[c0000000053f73c0] [c0003d00007f7bf4] drm_mode_config_cleanup+0x27c/0x30c [drm] +[c0000000053f7490] [c0003d0001bdea50] nouveau_display_create+0x1cc/0x550 [nouveau] +[c0000000053f7500] [c0003d0001bcc29c] nouveau_drm_device_init+0x1c8/0x844 [nouveau] +[c0000000053f75e0] [c0003d0001bcc9ec] nouveau_drm_probe+0xd4/0x1e0 [nouveau] +[c0000000053f7670] [c000000000557d24] local_pci_probe+0x50/0xa8 +[c0000000053f76f0] [c000000000557fa8] pci_device_probe+0x22c/0x240 +[c0000000053f7760] [c0000000005fff3c] really_probe+0x188/0x31c +[c0000000053f77e0] [c000000000600204] __driver_probe_device+0x134/0x13c +[c0000000053f7860] [c0000000006002c0] driver_probe_device+0x3c/0xb4 +[c0000000053f78a0] [c000000000600534] __driver_attach+0x118/0x128 +[c0000000053f78e0] [c0000000005fe038] bus_for_each_dev+0xa8/0xf4 
+[c0000000053f7950] [c0000000005ff460] driver_attach+0x2c/0x40 +[c0000000053f7970] [c0000000005fea68] bus_add_driver+0x130/0x278 +[c0000000053f7a00] [c00000000060117c] driver_register+0x9c/0x1a0 +[c0000000053f7a80] [c00000000055623c] __pci_register_driver+0x5c/0x70 +[c0000000053f7aa0] [c0003d0001c058a0] nouveau_drm_init+0x254/0x278 [nouveau] +[c0000000053f7b10] [c00000000000e9bc] do_one_initcall+0x84/0x268 +[c0000000053f7bf0] [c0000000001a0ba0] do_init_module+0x70/0x2d8 +[c0000000053f7c70] [c0000000001a42bc] init_module_from_file+0xb4/0x108 +[c0000000053f7d50] [c0000000001a4504] sys_finit_module+0x1ac/0x478 +[c0000000053f7e10] [c000000000023230] system_call_exception+0x1a4/0x20c +[c0000000053f7e50] [c00000000000c554] system_call_common+0xf4/0x258 + --- interrupt: c00 at 0xfd5f988 +NIP: 000000000fd5f988 LR: 000000000ff9b148 CTR: 0000000000000000 +REGS: c0000000053f7e80 TRAP: 0c00 Not tainted (6.14.0-09584-g7d06015d936c) +MSR: 100000000000d032 CR: 28222244 XER: 00000000 +IRQMASK: 0 \x0aGPR00: 0000000000000161 00000000ffcdc2d0 00000000405db160 0000000000000020 \x0aGPR04: 000000000ffa2c9c 0000000000000000 000000000000001f 0000000000000045 \x0aGPR08: 0000000011a13770 0000000000000000 0000000000000000 0000000000000000 \x0aGPR12: 0000000000000000 0000000010249d8c 0000000000000020 0000000000000000 \x0aGPR16: 0000000000000000 0000000000f52630 0000000000000000 0000000000000000 \x0aGPR20: 0000000000000000 0000000000000000 0000000000000000 0000000011a11a70 \x0aGPR24: 0000000011a13580 0000000011a11950 0000000011a11a70 0000000000020000 \x0aGPR28: 000000000ffa2c9c 0000000000000000 000000000ffafc40 0000000011a11a70 +NIP [000000000fd5f988] 0xfd5f988 +LR [000000000ff9b148] 0xff9b148 + --- interrupt: c00 +Code: f821ffc1 418200ac e93f0000 e9290038 e9291468 eba90000 48026c0d e8410018 e93f06aa 3d290001 392982a4 79291f24 <7fdd482a> 2c3e0000 41820030 7fc3f378 + ---[ end trace 0000000000000000 ]--- + +This is caused by the i2c encoder modules vendored into nouveau/ now +depending on the 
equally vendored nouveau_i2c_encoder_destroy +function. Trying to auto-load this modules hangs on nouveau +initialization until timeout, and nouveau continues without i2c video +encoders. + +Fix by avoiding nouveau dependency by __always_inlining that helper +functions into those i2c video encoder modules. + +Fixes: a73583107af9 ("drm/nouveau: vendor in drm_encoder_slave API") +Signed-off-by: René Rebe +Reviewed-by: Lyude Paul +[Lyude: fixed commit reference in description] +Signed-off-by: Lyude Paul +Link: https://patch.msgid.link/20251202.164952.2216481867721531616.rene@exactco.de +Signed-off-by: Sasha Levin +--- + .../nouveau/dispnv04/nouveau_i2c_encoder.c | 20 ------------------- + .../include/dispnv04/i2c/encoder_i2c.h | 19 +++++++++++++++++- + 2 files changed, 18 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/dispnv04/nouveau_i2c_encoder.c b/drivers/gpu/drm/nouveau/dispnv04/nouveau_i2c_encoder.c +index e2bf99c433366..a60209097a20a 100644 +--- a/drivers/gpu/drm/nouveau/dispnv04/nouveau_i2c_encoder.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/nouveau_i2c_encoder.c +@@ -94,26 +94,6 @@ int nouveau_i2c_encoder_init(struct drm_device *dev, + return err; + } + +-/** +- * nouveau_i2c_encoder_destroy - Unregister the I2C device backing an encoder +- * @drm_encoder: Encoder to be unregistered. +- * +- * This should be called from the @destroy method of an I2C slave +- * encoder driver once I2C access is no longer needed. 
+- */ +-void nouveau_i2c_encoder_destroy(struct drm_encoder *drm_encoder) +-{ +- struct nouveau_i2c_encoder *encoder = to_encoder_i2c(drm_encoder); +- struct i2c_client *client = nouveau_i2c_encoder_get_client(drm_encoder); +- struct module *module = client->dev.driver->owner; +- +- i2c_unregister_device(client); +- encoder->i2c_client = NULL; +- +- module_put(module); +-} +-EXPORT_SYMBOL(nouveau_i2c_encoder_destroy); +- + /* + * Wrapper fxns which can be plugged in to drm_encoder_helper_funcs: + */ +diff --git a/drivers/gpu/drm/nouveau/include/dispnv04/i2c/encoder_i2c.h b/drivers/gpu/drm/nouveau/include/dispnv04/i2c/encoder_i2c.h +index 31334aa90781b..869820701a56e 100644 +--- a/drivers/gpu/drm/nouveau/include/dispnv04/i2c/encoder_i2c.h ++++ b/drivers/gpu/drm/nouveau/include/dispnv04/i2c/encoder_i2c.h +@@ -202,7 +202,24 @@ static inline struct i2c_client *nouveau_i2c_encoder_get_client(struct drm_encod + return to_encoder_i2c(encoder)->i2c_client; + } + +-void nouveau_i2c_encoder_destroy(struct drm_encoder *encoder); ++/** ++ * nouveau_i2c_encoder_destroy - Unregister the I2C device backing an encoder ++ * @drm_encoder: Encoder to be unregistered. ++ * ++ * This should be called from the @destroy method of an I2C slave ++ * encoder driver once I2C access is no longer needed. ++ */ ++static __always_inline void nouveau_i2c_encoder_destroy(struct drm_encoder *drm_encoder) ++{ ++ struct nouveau_i2c_encoder *encoder = to_encoder_i2c(drm_encoder); ++ struct i2c_client *client = nouveau_i2c_encoder_get_client(drm_encoder); ++ struct module *module = client->dev.driver->owner; ++ ++ i2c_unregister_device(client); ++ encoder->i2c_client = NULL; ++ ++ module_put(module); ++} + + /* + * Wrapper fxns which can be plugged in to drm_encoder_helper_funcs: +-- +2.51.0 + diff --git a/queue-6.17/drm-nouveau-refactor-deprecated-strcpy.patch b/queue-6.17/drm-nouveau-refactor-deprecated-strcpy.patch new file mode 100644 index 0000000000..61b3238725 --- /dev/null 
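Review bot: In the inlined `nouveau_i2c_encoder_destroy()` added to encoder_i2c.h, `client->dev.driver->owner` is read before anything checks that `client` or its bound driver is non-NULL. The helper also clears `encoder->i2c_client` on exit, so a second call on the same encoder would dereference NULL. The body is carried over unchanged from the removed out-of-line version, so this is not a regression, but a guard such as `if (!client || !client->dev.driver) return;` at the top would make teardown after a failed probe safer. Whether any caller can reach the helper in that state is not visible from the hunk. Since the function now lives in a header, that header must also see the declarations of `i2c_unregister_device()` and `module_put()`, and its include list is outside the hunk.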
+++ b/queue-6.17/drm-nouveau-refactor-deprecated-strcpy.patch @@ -0,0 +1,45 @@ +From a1f0edc35adb4caaba908bfa69d13f2beeee3931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 17:38:22 +0530 +Subject: drm/nouveau: refactor deprecated strcpy + +From: Madhur Kumar + +[ Upstream commit 2bdc2c0e12fac56e41ec05fb771ead986ea6dac0 ] + +strcpy() has been deprecated because it performs no bounds checking on the +destination buffer, which can lead to buffer overflows. Use the safer +strscpy() instead. + +Signed-off-by: Madhur Kumar +Reviewed-by: Lyude Paul +Fixes: 15a996bbb697 ("drm/nouveau: assign fence_chan->name correctly") +Signed-off-by: Lyude Paul +Link: https://patch.msgid.link/20251204120822.17502-1-madhurkumar004@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fence.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c +index 869d4335c0f45..4a193b7d6d9e4 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -183,11 +183,11 @@ nouveau_fence_context_new(struct nouveau_channel *chan, struct nouveau_fence_cha + fctx->context = drm->runl[chan->runlist].context_base + chan->chid; + + if (chan == drm->cechan) +- strcpy(fctx->name, "copy engine channel"); ++ strscpy(fctx->name, "copy engine channel"); + else if (chan == drm->channel) +- strcpy(fctx->name, "generic kernel channel"); ++ strscpy(fctx->name, "generic kernel channel"); + else +- strcpy(fctx->name, cli->name); ++ strscpy(fctx->name, cli->name); + + kref_init(&fctx->fence_ref); + if (!priv->uevent) +-- +2.51.0 + diff --git a/queue-6.17/drm-panthor-prevent-potential-uaf-in-group-creation.patch b/queue-6.17/drm-panthor-prevent-potential-uaf-in-group-creation.patch new file mode 100644 index 0000000000..6f1ce641f9 --- /dev/null +++ b/queue-6.17/drm-panthor-prevent-potential-uaf-in-group-creation.patch 
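Review bot: The third replacement in nouveau_fence_context_new(), `strscpy(fctx->name, cli->name);`, is the only one with a non-literal source, and its return value is dropped, so an over-long client name is truncated silently. That is presumably acceptable for an informational channel name, but a comment such as `/* truncation is fine: name is informational only */` would make it clear the result is ignored on purpose. The two-argument form also depends on `fctx->name` being a fixed-size array so the bound can be taken from its type. Its declaration is outside the hunk, so the target tree should be checked for this.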
@@ -0,0 +1,109 @@ +From b1c80edc0298a3197c9413ace8d2f8d580e2ac67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 16:49:12 +0000 +Subject: drm/panthor: Prevent potential UAF in group creation + +From: Akash Goel + +[ Upstream commit eec7e23d848d2194dd8791fcd0f4a54d4378eecd ] + +This commit prevents the possibility of a use after free issue in the +GROUP_CREATE ioctl function, which arose as pointer to the group is +accessed in that ioctl function after storing it in the Xarray. +A malicious userspace can second guess the handle of a group and try +to call GROUP_DESTROY ioctl from another thread around the same time +as GROUP_CREATE ioctl. + +To prevent the use after free exploit, this commit uses a mark on an +entry of group pool Xarray which is added just before returning from +the GROUP_CREATE ioctl function. The mark is checked for all ioctls +that specify the group handle and so userspace won't be abe to delete +a group that isn't marked yet. + +v2: Add R-bs and fixes tags + +Fixes: de85488138247 ("drm/panthor: Add the scheduler logical block") +Co-developed-by: Boris Brezillon +Signed-off-by: Boris Brezillon +Signed-off-by: Akash Goel +Reviewed-by: Boris Brezillon +Reviewed-by: Steven Price +Reviewed-by: Chia-I Wu +Link: https://patch.msgid.link/20251127164912.3788155-1-akash.goel@arm.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panthor/panthor_sched.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c +index 35c4a86fe3052..9d58e01a88a5e 100644 +--- a/drivers/gpu/drm/panthor/panthor_sched.c ++++ b/drivers/gpu/drm/panthor/panthor_sched.c +@@ -772,6 +772,12 @@ struct panthor_job_profiling_data { + */ + #define MAX_GROUPS_PER_POOL 128 + ++/* ++ * Mark added on an entry of group pool Xarray to identify if the group has ++ * been fully initialized and can be accessed elsewhere in the driver code. 
++ */ ++#define GROUP_REGISTERED XA_MARK_1 ++ + /** + * struct panthor_group_pool - Group pool + * +@@ -2887,7 +2893,7 @@ void panthor_fdinfo_gather_group_samples(struct panthor_file *pfile) + return; + + xa_lock(&gpool->xa); +- xa_for_each(&gpool->xa, i, group) { ++ xa_for_each_marked(&gpool->xa, i, group, GROUP_REGISTERED) { + guard(spinlock)(&group->fdinfo.lock); + pfile->stats.cycles += group->fdinfo.data.cycles; + pfile->stats.time += group->fdinfo.data.time; +@@ -3561,6 +3567,8 @@ int panthor_group_create(struct panthor_file *pfile, + + group_init_task_info(group); + ++ xa_set_mark(&gpool->xa, gid, GROUP_REGISTERED); ++ + return gid; + + err_put_group: +@@ -3575,6 +3583,9 @@ int panthor_group_destroy(struct panthor_file *pfile, u32 group_handle) + struct panthor_scheduler *sched = ptdev->scheduler; + struct panthor_group *group; + ++ if (!xa_get_mark(&gpool->xa, group_handle, GROUP_REGISTERED)) ++ return -EINVAL; ++ + group = xa_erase(&gpool->xa, group_handle); + if (!group) + return -EINVAL; +@@ -3600,12 +3611,12 @@ int panthor_group_destroy(struct panthor_file *pfile, u32 group_handle) + } + + static struct panthor_group *group_from_handle(struct panthor_group_pool *pool, +- u32 group_handle) ++ unsigned long group_handle) + { + struct panthor_group *group; + + xa_lock(&pool->xa); +- group = group_get(xa_load(&pool->xa, group_handle)); ++ group = group_get(xa_find(&pool->xa, &group_handle, group_handle, GROUP_REGISTERED)); + xa_unlock(&pool->xa); + + return group; +@@ -3692,7 +3703,7 @@ panthor_fdinfo_gather_group_mem_info(struct panthor_file *pfile, + return; + + xa_lock(&gpool->xa); +- xa_for_each(&gpool->xa, i, group) { ++ xa_for_each_marked(&gpool->xa, i, group, GROUP_REGISTERED) { + stats->resident += group->fdinfo.kbo_sizes; + if (group->csg_id >= 0) + stats->active += group->fdinfo.kbo_sizes; +-- +2.51.0 + 
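Review bot: In panthor_group_destroy() the new `xa_get_mark()` test and the following `xa_erase()` are two separate operations on the xarray, so the entry that gets erased is not guaranteed to be the entry whose mark was tested. If the handle can be released and handed out again between the two calls, the erase could still remove a group that GROUP_CREATE has stored but not yet marked, which is the state this commit sets out to protect. Doing the mark test and the erase under a single `xa_lock()` section, with `__xa_erase()`, closes that window. The rest of panthor_group_destroy() lies outside the hunk.

```c
	/* test the mark and erase under one lock so both act on the same entry */
	xa_lock(&gpool->xa);
	if (!xa_get_mark(&gpool->xa, group_handle, GROUP_REGISTERED)) {
		xa_unlock(&gpool->xa);
		return -EINVAL;
	}
	group = __xa_erase(&gpool->xa, group_handle);
	xa_unlock(&gpool->xa);
	/* … unchanged: NULL check on group and the rest of the teardown … */
```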
diff --git a/queue-6.17/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch b/queue-6.17/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch new file mode 100644 index 0000000000..718ebe2484 --- /dev/null +++ b/queue-6.17/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch @@ -0,0 +1,50 @@ +From 211075e43a6c6d5e6ccd37e9c5bc5e46386cdcbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 20:35:23 +0300 +Subject: drm/plane: Fix IS_ERR() vs NULL check in + drm_plane_create_hotspot_properties() + +From: Dan Carpenter + +[ Upstream commit 479acb9db3199cdb70e5478a6f633b5f20c7d8df ] + +The drm_property_create_signed_range() function doesn't return error +pointers it returns NULL on error. Fix the error checking to match. + +Fixes: 8f7179a1027d ("drm/atomic: Add support for mouse hotspots") +Signed-off-by: Dan Carpenter +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Zack Rusin +Link: https://patch.msgid.link/aTB023cfcIPkCsFS@stanley.mountain +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_plane.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c +index a30493ed97157..4cadea997129d 100644 +--- a/drivers/gpu/drm/drm_plane.c ++++ b/drivers/gpu/drm/drm_plane.c +@@ -338,14 +338,14 @@ static int drm_plane_create_hotspot_properties(struct drm_plane *plane) + + prop_x = drm_property_create_signed_range(plane->dev, 0, "HOTSPOT_X", + INT_MIN, INT_MAX); +- if (IS_ERR(prop_x)) +- return PTR_ERR(prop_x); ++ if (!prop_x) ++ return -ENOMEM; + + prop_y = drm_property_create_signed_range(plane->dev, 0, "HOTSPOT_Y", + INT_MIN, INT_MAX); +- if (IS_ERR(prop_y)) { ++ if (!prop_y) { + drm_property_destroy(plane->dev, prop_x); +- return PTR_ERR(prop_y); ++ return -ENOMEM; + } + + drm_object_attach_property(&plane->base, prop_x, 0); +-- +2.51.0 + 
diff --git a/queue-6.17/drm-xe-fbdev-use-the-same-64-byte-stride-alignment-a.patch b/queue-6.17/drm-xe-fbdev-use-the-same-64-byte-stride-alignment-a.patch new file mode 100644 index 0000000000..4b6e0fffde --- /dev/null +++ b/queue-6.17/drm-xe-fbdev-use-the-same-64-byte-stride-alignment-a.patch 
@@ -0,0 +1,47 @@ +From 977d4acbd2bb93cd991fc56f6c143cb5472c4d94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 11:40:51 +0300 +Subject: drm/xe/fbdev: use the same 64-byte stride alignment as i915 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +[ Upstream commit 4a36b339a14ae6f2a366125e3d64f0c165193293 ] + +For reasons unknown, xe uses XE_PAGE_SIZE alignment for +stride. Presumably it's just a confusion between stride alignment and bo +allocation size alignment. Switch to 64 byte alignment to, uh, align +with i915. + +This will also be helpful in deduplicating and unifying the xe and i915 +framebuffer allocation. + +Link: https://lore.kernel.org/r/aLqsC87Ol_zCXOkN@intel.com +Suggested-by: Ville Syrjälä +Reviewed-by: Ville Syrjälä +Link: https://lore.kernel.org/r/7f4972104de8b179d5724ae83892ee294d3f3fd3.1758184771.git.jani.nikula@intel.com +Signed-off-by: Jani Nikula +Stable-dep-of: 460b31720369 ("drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/display/intel_fbdev_fb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +index fba9617a75a53..37a48c6f2d531 100644 +--- a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +@@ -33,7 +33,7 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, + mode_cmd.height = sizes->surface_height; + + mode_cmd.pitches[0] = ALIGN(mode_cmd.width * +- DIV_ROUND_UP(sizes->surface_bpp, 8), XE_PAGE_SIZE); ++ DIV_ROUND_UP(sizes->surface_bpp, 8), 64); + mode_cmd.pixel_format = drm_mode_legacy_fb_format(sizes->surface_bpp, + sizes->surface_depth); + +-- +2.51.0 + 
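Review bot: The stride alignment in intel_fbdev_fb_alloc() is now the bare literal `64`, and only the commit message explains where it comes from. A short comment above the `ALIGN()` call, for example `/* 64-byte stride alignment, kept identical to i915 */`, would stop the value from drifting when the two allocation paths are later unified. The surrounding function body starts and ends outside the hunk.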
diff --git a/queue-6.17/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch b/queue-6.17/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch new file mode 100644 index 0000000000..18f4617c19 --- /dev/null +++ b/queue-6.17/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch 
@@ -0,0 +1,88 @@ +From 4654dd851b726531bc1951ce7856445616f4fe18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 15:43:08 -0700 +Subject: f2fs: maintain one time GC mode is enabled during whole zoned GC + cycle + +From: Daeho Jeong + +[ Upstream commit e462fc48ceb8224811c3224650afed05cb7f0872 ] + +The current version missed setting one time GC for normal zoned GC +cycle. So, valid threshold control is not working. Need to fix it to +prevent excessive GC for zoned devices. + +Fixes: e791d00bd06c ("f2fs: add valid block ratio not to do excessive GC for one time GC") +Signed-off-by: Daeho Jeong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/gc.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 5734e03864685..5a300f2bc85b4 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -38,13 +38,14 @@ static int gc_thread_func(void *data) + struct f2fs_gc_control gc_control = { + .victim_segno = NULL_SEGNO, + .should_migrate_blocks = false, +- .err_gc_skipped = false }; ++ .err_gc_skipped = false, ++ .one_time = false }; + + wait_ms = gc_th->min_sleep_time; + + set_freezable(); + do { +- bool sync_mode, foreground = false; ++ bool sync_mode, foreground = false, gc_boost = false; + + wait_event_freezable_timeout(*wq, + kthread_should_stop() || +@@ -52,8 +53,12 @@ static int gc_thread_func(void *data) + gc_th->gc_wake, + msecs_to_jiffies(wait_ms)); + +- if (test_opt(sbi, GC_MERGE) && waitqueue_active(fggc_wq)) ++ if (test_opt(sbi, GC_MERGE) && waitqueue_active(fggc_wq)) { + foreground = true; ++ gc_control.one_time = false; ++ } else if (f2fs_sb_has_blkzoned(sbi)) { ++ gc_control.one_time = true; ++ } + + /* give it a try one time */ + if (gc_th->gc_wake) +@@ -81,8 +86,6 @@ static int gc_thread_func(void *data) + continue; + } + +- gc_control.one_time = false; +- + /* + * [GC triggering condition] + * 0. GC is not conducted currently. 
+@@ -132,7 +135,7 @@ static int gc_thread_func(void *data) + if (need_to_boost_gc(sbi)) { + decrease_sleep_time(gc_th, &wait_ms); + if (f2fs_sb_has_blkzoned(sbi)) +- gc_control.one_time = true; ++ gc_boost = true; + } else { + increase_sleep_time(gc_th, &wait_ms); + } +@@ -141,7 +144,7 @@ static int gc_thread_func(void *data) + FOREGROUND : BACKGROUND); + + sync_mode = (F2FS_OPTION(sbi).bggc_mode == BGGC_MODE_SYNC) || +- (gc_control.one_time && gc_th->boost_gc_greedy); ++ (gc_boost && gc_th->boost_gc_greedy); + + /* foreground GC was been triggered via f2fs_balance_fs() */ + if (foreground && !f2fs_sb_has_blkzoned(sbi)) +-- +2.51.0 + diff --git a/queue-6.17/f2fs-revert-summary-entry-count-from-2048-to-512-in-.patch b/queue-6.17/f2fs-revert-summary-entry-count-from-2048-to-512-in-.patch new file mode 100644 index 0000000000..473207f3a9 --- /dev/null +++ b/queue-6.17/f2fs-revert-summary-entry-count-from-2048-to-512-in-.patch 
@@ -0,0 +1,456 @@ +From 567a8190c74791d79e8c4acfdb55868044692c14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 09:52:46 -0800 +Subject: f2fs: revert summary entry count from 2048 to 512 in 16kb block + support + +From: Daeho Jeong + +[ Upstream commit 7ee8bc3942f20964ad730871b885688ea3a2961a ] + +The recent increase in the number of Segment Summary Area (SSA) entries +from 512 to 2048 was an unintentional change in logic of 16kb block +support. This commit corrects the issue. + +To better utilize the space available from the erroneous 2048-entry +calculation, we are implementing a solution to share the currently +unused SSA space with neighboring segments. This enhances overall +SSA utilization without impacting the established 8MB segment size. + +Fixes: d7e9a9037de2 ("f2fs: Support Block Size == Page Size") +Signed-off-by: Daeho Jeong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 + + fs/f2fs/gc.c | 117 +++++++++++++++++++++++----------------- + fs/f2fs/recovery.c | 2 +- + fs/f2fs/segment.c | 38 +++++++++---- + fs/f2fs/segment.h | 8 ++- + fs/f2fs/super.c | 14 +++++ + fs/f2fs/sysfs.c | 7 +++ + include/linux/f2fs_fs.h | 5 +- + 8 files changed, 130 insertions(+), 63 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index dac7d44885e47..ca2f640c03871 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -230,6 +230,7 @@ struct f2fs_mount_info { + #define F2FS_FEATURE_COMPRESSION 0x00002000 + #define F2FS_FEATURE_RO 0x00004000 + #define F2FS_FEATURE_DEVICE_ALIAS 0x00008000 ++#define F2FS_FEATURE_PACKED_SSA 0x00010000 + + #define __F2FS_HAS_FEATURE(raw_super, mask) \ + ((raw_super->feature & cpu_to_le32(mask)) != 0) +@@ -4648,6 +4649,7 @@ F2FS_FEATURE_FUNCS(casefold, CASEFOLD); + F2FS_FEATURE_FUNCS(compression, COMPRESSION); + F2FS_FEATURE_FUNCS(readonly, RO); + F2FS_FEATURE_FUNCS(device_alias, DEVICE_ALIAS); ++F2FS_FEATURE_FUNCS(packed_ssa, PACKED_SSA); + + #ifdef 
CONFIG_BLK_DEV_ZONED + static inline bool f2fs_zone_is_seq(struct f2fs_sb_info *sbi, int devi, +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 5a300f2bc85b4..57dd50d83cbb9 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1732,7 +1732,7 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, + unsigned char type = IS_DATASEG(get_seg_entry(sbi, segno)->type) ? + SUM_TYPE_DATA : SUM_TYPE_NODE; + unsigned char data_type = (type == SUM_TYPE_DATA) ? DATA : NODE; +- int submitted = 0; ++ int submitted = 0, sum_blk_cnt; + + if (__is_large_section(sbi)) { + sec_end_segno = rounddown(end_segno, SEGS_PER_SEC(sbi)); +@@ -1766,22 +1766,28 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, + + sanity_check_seg_type(sbi, get_seg_entry(sbi, segno)->type); + ++ segno = rounddown(segno, SUMS_PER_BLOCK); ++ sum_blk_cnt = DIV_ROUND_UP(end_segno - segno, SUMS_PER_BLOCK); + /* readahead multi ssa blocks those have contiguous address */ + if (__is_large_section(sbi)) + f2fs_ra_meta_pages(sbi, GET_SUM_BLOCK(sbi, segno), +- end_segno - segno, META_SSA, true); ++ sum_blk_cnt, META_SSA, true); + + /* reference all summary page */ + while (segno < end_segno) { +- struct folio *sum_folio = f2fs_get_sum_folio(sbi, segno++); ++ struct folio *sum_folio = f2fs_get_sum_folio(sbi, segno); ++ ++ segno += SUMS_PER_BLOCK; + if (IS_ERR(sum_folio)) { + int err = PTR_ERR(sum_folio); + +- end_segno = segno - 1; +- for (segno = start_segno; segno < end_segno; segno++) { ++ end_segno = segno - SUMS_PER_BLOCK; ++ segno = rounddown(start_segno, SUMS_PER_BLOCK); ++ while (segno < end_segno) { + sum_folio = filemap_get_folio(META_MAPPING(sbi), + GET_SUM_BLOCK(sbi, segno)); + folio_put_refs(sum_folio, 2); ++ segno += SUMS_PER_BLOCK; + } + return err; + } +@@ -1790,68 +1796,83 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, + + blk_start_plug(&plug); + +- for (segno = start_segno; segno < end_segno; segno++) { +- struct f2fs_summary_block *sum; ++ segno = start_segno; ++ while (segno < 
end_segno) { ++ unsigned int cur_segno; + + /* find segment summary of victim */ + struct folio *sum_folio = filemap_get_folio(META_MAPPING(sbi), + GET_SUM_BLOCK(sbi, segno)); ++ unsigned int block_end_segno = rounddown(segno, SUMS_PER_BLOCK) ++ + SUMS_PER_BLOCK; ++ ++ if (block_end_segno > end_segno) ++ block_end_segno = end_segno; + + if (is_cursec(sbi, GET_SEC_FROM_SEG(sbi, segno))) { + f2fs_err(sbi, "%s: segment %u is used by log", + __func__, segno); + f2fs_bug_on(sbi, 1); +- goto skip; ++ goto next_block; + } + +- if (get_valid_blocks(sbi, segno, false) == 0) +- goto freed; +- if (gc_type == BG_GC && __is_large_section(sbi) && +- migrated >= sbi->migration_granularity) +- goto skip; + if (!folio_test_uptodate(sum_folio) || + unlikely(f2fs_cp_error(sbi))) +- goto skip; ++ goto next_block; + +- sum = folio_address(sum_folio); +- if (type != GET_SUM_TYPE((&sum->footer))) { +- f2fs_err(sbi, "Inconsistent segment (%u) type [%d, %d] in SIT and SSA", +- segno, type, GET_SUM_TYPE((&sum->footer))); +- f2fs_stop_checkpoint(sbi, false, +- STOP_CP_REASON_CORRUPTED_SUMMARY); +- goto skip; +- } ++ for (cur_segno = segno; cur_segno < block_end_segno; ++ cur_segno++) { ++ struct f2fs_summary_block *sum; + +- /* +- * this is to avoid deadlock: +- * - lock_page(sum_page) - f2fs_replace_block +- * - check_valid_map() - down_write(sentry_lock) +- * - down_read(sentry_lock) - change_curseg() +- * - lock_page(sum_page) +- */ +- if (type == SUM_TYPE_NODE) +- submitted += gc_node_segment(sbi, sum->entries, segno, +- gc_type); +- else +- submitted += gc_data_segment(sbi, sum->entries, gc_list, +- segno, gc_type, +- force_migrate); ++ if (get_valid_blocks(sbi, cur_segno, false) == 0) ++ goto freed; ++ if (gc_type == BG_GC && __is_large_section(sbi) && ++ migrated >= sbi->migration_granularity) ++ continue; + +- stat_inc_gc_seg_count(sbi, data_type, gc_type); +- sbi->gc_reclaimed_segs[sbi->gc_mode]++; +- migrated++; ++ sum = SUM_BLK_PAGE_ADDR(sum_folio, cur_segno); ++ if (type != 
GET_SUM_TYPE((&sum->footer))) { ++ f2fs_err(sbi, "Inconsistent segment (%u) type " ++ "[%d, %d] in SSA and SIT", ++ cur_segno, type, ++ GET_SUM_TYPE((&sum->footer))); ++ f2fs_stop_checkpoint(sbi, false, ++ STOP_CP_REASON_CORRUPTED_SUMMARY); ++ continue; ++ } + +-freed: +- if (gc_type == FG_GC && +- get_valid_blocks(sbi, segno, false) == 0) +- seg_freed++; ++ /* ++ * this is to avoid deadlock: ++ * - lock_page(sum_page) - f2fs_replace_block ++ * - check_valid_map() - down_write(sentry_lock) ++ * - down_read(sentry_lock) - change_curseg() ++ * - lock_page(sum_page) ++ */ ++ if (type == SUM_TYPE_NODE) ++ submitted += gc_node_segment(sbi, sum->entries, ++ cur_segno, gc_type); ++ else ++ submitted += gc_data_segment(sbi, sum->entries, ++ gc_list, cur_segno, ++ gc_type, force_migrate); + +- if (__is_large_section(sbi)) +- sbi->next_victim_seg[gc_type] = +- (segno + 1 < sec_end_segno) ? +- segno + 1 : NULL_SEGNO; +-skip: ++ stat_inc_gc_seg_count(sbi, data_type, gc_type); ++ sbi->gc_reclaimed_segs[sbi->gc_mode]++; ++ migrated++; ++ ++freed: ++ if (gc_type == FG_GC && ++ get_valid_blocks(sbi, cur_segno, false) == 0) ++ seg_freed++; ++ ++ if (__is_large_section(sbi)) ++ sbi->next_victim_seg[gc_type] = ++ (cur_segno + 1 < sec_end_segno) ? 
++ cur_segno + 1 : NULL_SEGNO; ++ } ++next_block: + folio_put_refs(sum_folio, 2); ++ segno = block_end_segno; + } + + if (submitted) +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index 215e442db72c8..af72309b9bfc6 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -519,7 +519,7 @@ static int check_index_in_prev_nodes(struct f2fs_sb_info *sbi, + sum_folio = f2fs_get_sum_folio(sbi, segno); + if (IS_ERR(sum_folio)) + return PTR_ERR(sum_folio); +- sum_node = folio_address(sum_folio); ++ sum_node = SUM_BLK_PAGE_ADDR(sum_folio, segno); + sum = sum_node->entries[blkoff]; + f2fs_folio_put(sum_folio, true); + got_it: +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index cc82d42ef14c5..3ffb796d0d070 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2712,7 +2712,15 @@ struct folio *f2fs_get_sum_folio(struct f2fs_sb_info *sbi, unsigned int segno) + void f2fs_update_meta_page(struct f2fs_sb_info *sbi, + void *src, block_t blk_addr) + { +- struct folio *folio = f2fs_grab_meta_folio(sbi, blk_addr); ++ struct folio *folio; ++ ++ if (SUMS_PER_BLOCK == 1) ++ folio = f2fs_grab_meta_folio(sbi, blk_addr); ++ else ++ folio = f2fs_get_meta_folio_retry(sbi, blk_addr); ++ ++ if (IS_ERR(folio)) ++ return; + + memcpy(folio_address(folio), src, PAGE_SIZE); + folio_mark_dirty(folio); +@@ -2720,9 +2728,21 @@ void f2fs_update_meta_page(struct f2fs_sb_info *sbi, + } + + static void write_sum_page(struct f2fs_sb_info *sbi, +- struct f2fs_summary_block *sum_blk, block_t blk_addr) ++ struct f2fs_summary_block *sum_blk, unsigned int segno) + { +- f2fs_update_meta_page(sbi, (void *)sum_blk, blk_addr); ++ struct folio *folio; ++ ++ if (SUMS_PER_BLOCK == 1) ++ return f2fs_update_meta_page(sbi, (void *)sum_blk, ++ GET_SUM_BLOCK(sbi, segno)); ++ ++ folio = f2fs_get_sum_folio(sbi, segno); ++ if (IS_ERR(folio)) ++ return; ++ ++ memcpy(SUM_BLK_PAGE_ADDR(folio, segno), sum_blk, sizeof(*sum_blk)); ++ folio_mark_dirty(folio); ++ f2fs_folio_put(folio, true); + } + + static 
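Review bot: The new `if (IS_ERR(folio)) return;` in f2fs_update_meta_page() drops the metadata write without any trace. The same pattern appears in write_sum_page() in the next hunk, where a failed `f2fs_get_sum_folio()` means the in-memory summary block is never copied into the SSA. Both functions return void, so callers such as new_curseg() and change_curseg() cannot tell that the on-disk summary is now stale. At minimum the failure should be logged, for example `f2fs_err(sbi, "%s: failed to get summary folio for segno %u", __func__, segno);` before the return in write_sum_page(). Whether the error should also stop the checkpoint is a decision the hunk does not show enough context to settle.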
void write_current_sum_page(struct f2fs_sb_info *sbi, +@@ -2970,7 +2990,7 @@ static int new_curseg(struct f2fs_sb_info *sbi, int type, bool new_sec) + int ret; + + if (curseg->inited) +- write_sum_page(sbi, curseg->sum_blk, GET_SUM_BLOCK(sbi, segno)); ++ write_sum_page(sbi, curseg->sum_blk, segno); + + segno = __get_next_segno(sbi, type); + ret = get_new_segment(sbi, &segno, new_sec, pinning); +@@ -3029,7 +3049,7 @@ static int change_curseg(struct f2fs_sb_info *sbi, int type) + struct folio *sum_folio; + + if (curseg->inited) +- write_sum_page(sbi, curseg->sum_blk, GET_SUM_BLOCK(sbi, curseg->segno)); ++ write_sum_page(sbi, curseg->sum_blk, curseg->segno); + + __set_test_and_inuse(sbi, new_segno); + +@@ -3048,7 +3068,7 @@ static int change_curseg(struct f2fs_sb_info *sbi, int type) + memset(curseg->sum_blk, 0, SUM_ENTRY_SIZE); + return PTR_ERR(sum_folio); + } +- sum_node = folio_address(sum_folio); ++ sum_node = SUM_BLK_PAGE_ADDR(sum_folio, new_segno); + memcpy(curseg->sum_blk, sum_node, SUM_ENTRY_SIZE); + f2fs_folio_put(sum_folio, true); + return 0; +@@ -3137,8 +3157,7 @@ static void __f2fs_save_inmem_curseg(struct f2fs_sb_info *sbi, int type) + goto out; + + if (get_valid_blocks(sbi, curseg->segno, false)) { +- write_sum_page(sbi, curseg->sum_blk, +- GET_SUM_BLOCK(sbi, curseg->segno)); ++ write_sum_page(sbi, curseg->sum_blk, curseg->segno); + } else { + mutex_lock(&DIRTY_I(sbi)->seglist_lock); + __set_test_and_free(sbi, curseg->segno, true); +@@ -3815,8 +3834,7 @@ int f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct folio *folio, + if (segment_full) { + if (type == CURSEG_COLD_DATA_PINNED && + !((curseg->segno + 1) % sbi->segs_per_sec)) { +- write_sum_page(sbi, curseg->sum_blk, +- GET_SUM_BLOCK(sbi, curseg->segno)); ++ write_sum_page(sbi, curseg->sum_blk, curseg->segno); + reset_curseg_fields(curseg); + goto skip_new_segment; + } +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 5e2ee5c686b12..5104876696104 100644 +--- a/fs/f2fs/segment.h ++++ 
b/fs/f2fs/segment.h +@@ -85,8 +85,12 @@ static inline void sanity_check_seg_type(struct f2fs_sb_info *sbi, + #define GET_ZONE_FROM_SEG(sbi, segno) \ + GET_ZONE_FROM_SEC(sbi, GET_SEC_FROM_SEG(sbi, segno)) + +-#define GET_SUM_BLOCK(sbi, segno) \ +- ((sbi)->sm_info->ssa_blkaddr + (segno)) ++#define SUMS_PER_BLOCK (F2FS_BLKSIZE / F2FS_SUM_BLKSIZE) ++#define GET_SUM_BLOCK(sbi, segno) \ ++ (SM_I(sbi)->ssa_blkaddr + (segno / SUMS_PER_BLOCK)) ++#define GET_SUM_BLKOFF(segno) (segno % SUMS_PER_BLOCK) ++#define SUM_BLK_PAGE_ADDR(folio, segno) \ ++ (folio_address(folio) + GET_SUM_BLKOFF(segno) * F2FS_SUM_BLKSIZE) + + #define GET_SUM_TYPE(footer) ((footer)->entry_type) + #define SET_SUM_TYPE(footer, type) ((footer)->entry_type = (type)) +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 8086a3456e4d3..f47e2689d7fbf 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -3965,6 +3965,20 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, + if (sanity_check_area_boundary(sbi, folio, index)) + return -EFSCORRUPTED; + ++ /* ++ * Check for legacy summary layout on 16KB+ block devices. ++ * Modern f2fs-tools packs multiple 4KB summary areas into one block, ++ * whereas legacy versions used one block per summary, leading ++ * to a much larger SSA. ++ */ ++ if (SUMS_PER_BLOCK > 1 && ++ !(__F2FS_HAS_FEATURE(raw_super, F2FS_FEATURE_PACKED_SSA))) { ++ f2fs_info(sbi, "Error: Device formatted with a legacy version. " ++ "Please reformat with a tool supporting the packed ssa " ++ "feature for block sizes larger than 4kb."); ++ return -EOPNOTSUPP; ++ } ++ + return 0; + } + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 902ffb3faa1ff..0dee87b90e007 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -235,6 +235,9 @@ static ssize_t features_show(struct f2fs_attr *a, + if (f2fs_sb_has_compression(sbi)) + len += sysfs_emit_at(buf, len, "%s%s", + len ? ", " : "", "compression"); ++ if (f2fs_sb_has_packed_ssa(sbi)) ++ len += sysfs_emit_at(buf, len, "%s%s", ++ len ? 
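Review bot: `GET_SUM_BLOCK` and `GET_SUM_BLKOFF` now use their `segno` argument without parentheses, which the macro being replaced did have (`+ (segno)`). An argument such as `segno + 1` would expand to `segno + 1 / SUMS_PER_BLOCK` or `segno + 1 % SUMS_PER_BLOCK` and select the wrong summary block or the wrong offset inside the folio that `SUM_BLK_PAGE_ADDR` then hands to memcpy(). The bodies should be `(SM_I(sbi)->ssa_blkaddr + ((segno) / SUMS_PER_BLOCK))` and `((segno) % SUMS_PER_BLOCK)`. The call sites visible on this page pass plain identifiers, so this is latent rather than live.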
", " : "", "packed_ssa"); + len += sysfs_emit_at(buf, len, "%s%s", + len ? ", " : "", "pin_file"); + len += sysfs_emit_at(buf, len, "\n"); +@@ -1255,6 +1258,7 @@ F2FS_FEATURE_RO_ATTR(pin_file); + #ifdef CONFIG_UNICODE + F2FS_FEATURE_RO_ATTR(linear_lookup); + #endif ++F2FS_FEATURE_RO_ATTR(packed_ssa); + + #define ATTR_LIST(name) (&f2fs_attr_##name.attr) + static struct attribute *f2fs_attrs[] = { +@@ -1410,6 +1414,7 @@ static struct attribute *f2fs_feat_attrs[] = { + #ifdef CONFIG_UNICODE + BASE_ATTR_LIST(linear_lookup), + #endif ++ BASE_ATTR_LIST(packed_ssa), + NULL, + }; + ATTRIBUTE_GROUPS(f2fs_feat); +@@ -1445,6 +1450,7 @@ F2FS_SB_FEATURE_RO_ATTR(casefold, CASEFOLD); + F2FS_SB_FEATURE_RO_ATTR(compression, COMPRESSION); + F2FS_SB_FEATURE_RO_ATTR(readonly, RO); + F2FS_SB_FEATURE_RO_ATTR(device_alias, DEVICE_ALIAS); ++F2FS_SB_FEATURE_RO_ATTR(packed_ssa, PACKED_SSA); + + static struct attribute *f2fs_sb_feat_attrs[] = { + ATTR_LIST(sb_encryption), +@@ -1462,6 +1468,7 @@ static struct attribute *f2fs_sb_feat_attrs[] = { + ATTR_LIST(sb_compression), + ATTR_LIST(sb_readonly), + ATTR_LIST(sb_device_alias), ++ ATTR_LIST(sb_packed_ssa), + NULL, + }; + ATTRIBUTE_GROUPS(f2fs_sb_feat); +diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h +index 6afb4a13b81d6..a7880787cad36 100644 +--- a/include/linux/f2fs_fs.h ++++ b/include/linux/f2fs_fs.h +@@ -17,6 +17,7 @@ + #define F2FS_LOG_SECTORS_PER_BLOCK (PAGE_SHIFT - 9) /* log number for sector/blk */ + #define F2FS_BLKSIZE PAGE_SIZE /* support only block == page */ + #define F2FS_BLKSIZE_BITS PAGE_SHIFT /* bits for F2FS_BLKSIZE */ ++#define F2FS_SUM_BLKSIZE 4096 /* only support 4096 byte sum block */ + #define F2FS_MAX_EXTENSION 64 /* # of extension entries */ + #define F2FS_EXTENSION_LEN 8 /* max size of extension */ + +@@ -441,7 +442,7 @@ struct f2fs_sit_block { + * from node's page's beginning to get a data block address. 
+ * ex) data_blkaddr = (block_t)(nodepage_start_address + ofs_in_node) + */ +-#define ENTRIES_IN_SUM (F2FS_BLKSIZE / 8) ++#define ENTRIES_IN_SUM (F2FS_SUM_BLKSIZE / 8) + #define SUMMARY_SIZE (7) /* sizeof(struct f2fs_summary) */ + #define SUM_FOOTER_SIZE (5) /* sizeof(struct summary_footer) */ + #define SUM_ENTRY_SIZE (SUMMARY_SIZE * ENTRIES_IN_SUM) +@@ -467,7 +468,7 @@ struct summary_footer { + __le32 check_sum; /* summary checksum */ + } __packed; + +-#define SUM_JOURNAL_SIZE (F2FS_BLKSIZE - SUM_FOOTER_SIZE -\ ++#define SUM_JOURNAL_SIZE (F2FS_SUM_BLKSIZE - SUM_FOOTER_SIZE -\ + SUM_ENTRY_SIZE) + #define NAT_JOURNAL_ENTRIES ((SUM_JOURNAL_SIZE - 2) /\ + sizeof(struct nat_journal_entry)) +-- +2.51.0 + diff --git a/queue-6.17/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch b/queue-6.17/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch new file mode 100644 index 0000000000..a7d919af39 --- /dev/null +++ b/queue-6.17/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch 
@@ -0,0 +1,64 @@ +From aeae5731f2e508629d7c353444fc9c535b6220d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 12:15:35 +0100 +Subject: fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ] + +After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"), +the return values of utf8_to_utf32() and utf32_to_utf8() are +inconsistent when encountering an error: utf8_to_utf32() returns -1, +while utf32_to_utf8() returns errno codes. Fix this inconsistency +by modifying utf8_to_utf32() to return errno codes as well. + +Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion") +Suggested-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + fs/nls/nls_base.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index d434c4463a8f7..a5c3a9f1b8dc5 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu) + l &= t->lmask; + if (l < t->lval || l > UNICODE_MAX || + (l & SURROGATE_MASK) == SURROGATE_PAIR) +- return -1; ++ return -EILSEQ; ++ + *pu = (unicode_t) l; + return nc; + } + if (inlen <= nc) +- return -1; ++ return -EOVERFLOW; ++ + s++; + c = (*s ^ 0x80) & 0xFF; + if (c & 0xC0) +- return -1; ++ return -EILSEQ; ++ + l = (l << 6) | c; + } +- return -1; ++ return -EILSEQ; + } + EXPORT_SYMBOL(utf8_to_utf32); + +-- +2.51.0 + diff --git a/queue-6.17/fs-nls-fix-utf16-to-utf8-conversion.patch b/queue-6.17/fs-nls-fix-utf16-to-utf8-conversion.patch new file mode 100644 index 0000000000..98ef28470c --- /dev/null 
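Review bot: utf8_to_utf32() now has distinct failure returns but still no comment stating the contract, and any caller that tests the result with `== -1` would take a negative errno for a byte count. The callers are outside this hunk, so I cannot confirm that they all test `< 0`; that should be checked in every tree this is queued for. I would add a kernel-doc block above the function saying it returns `nc` on success (presumably the bytes consumed), `-EILSEQ` for a malformed, overlong, surrogate or out-of-range sequence, and `-EOVERFLOW` when `inlen` ends before the sequence does. That last case reads oddly under the name EOVERFLOW, since it is the input that is short, which is one more reason to spell it out.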
+++ b/queue-6.17/fs-nls-fix-utf16-to-utf8-conversion.patch 
@@ -0,0 +1,81 @@ +From ae0824bd2af48ed3b33c5e50aee74f66ef0a5690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 14:11:22 +0100 +Subject: fs/nls: Fix utf16 to utf8 conversion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 25524b6190295577e4918c689644451365e6466d ] + +Currently the function responsible for converting between utf16 and +utf8 strings will ignore any characters that cannot be converted. This +however also includes multi-byte characters that do not fit into the +provided string buffer. + +This can cause problems if such a multi-byte character is followed by +a single-byte character. In such a case the multi-byte character might +be ignored when the provided string buffer is too small, but the +single-byte character might fit and is thus still copied into the +resulting string. + +Fix this by stop filling the provided string buffer once a character +does not fit. In order to be able to do this extend utf32_to_utf8() +to return useful errno codes instead of -1. 
+ +Fixes: 74675a58507e ("NLS: update handling of Unicode") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + fs/nls/nls_base.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c +index 18d597e49a194..d434c4463a8f7 100644 +--- a/fs/nls/nls_base.c ++++ b/fs/nls/nls_base.c +@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout) + + l = u; + if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR) +- return -1; ++ return -EILSEQ; + + nc = 0; + for (t = utf8_table; t->cmask && maxout; t++, maxout--) { +@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout) + return nc; + } + } +- return -1; ++ return -EOVERFLOW; + } + EXPORT_SYMBOL(utf32_to_utf8); + +@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian, + inlen--; + } + size = utf32_to_utf8(u, op, maxout); +- if (size == -1) { +- /* Ignore character and move on */ ++ if (size < 0) { ++ if (size == -EILSEQ) { ++ /* Ignore character and move on */ ++ continue; ++ } ++ /* ++ * Stop filling the buffer with data once a character ++ * does not fit anymore. ++ */ ++ break; + } else { + op += size; + maxout -= size; +-- +2.51.0 + diff --git a/queue-6.17/i2c-spacemit-fix-detect-issue.patch b/queue-6.17/i2c-spacemit-fix-detect-issue.patch new file mode 100644 index 0000000000..0c50c8cc72 --- /dev/null +++ b/queue-6.17/i2c-spacemit-fix-detect-issue.patch 
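Review bot: The `break` added in utf16s_to_utf8s() ends the conversion at the first character that does not fit, but nothing in this hunk tells the caller the output was cut short. The return statement is outside the hunk; if it still returns only the bytes written, a truncated name and a complete one look the same, which matters wherever the result is compared or used for a lookup. I would say so at the break, e.g. `/* Output is truncated here; the return value does not report it. */`, or propagate the error if the callers can handle it. Minor: with `continue` and `break` both leaving the `if`, the `else` around `op += size; maxout -= size;` is no longer needed.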
@@ -0,0 +1,96 @@ +From f976eaa1ca721dd7770fd1eb004b889ffa111d17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 21:21:50 +0800 +Subject: i2c: spacemit: fix detect issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Troy Mitchell + +[ Upstream commit 25faa5364638b86ec0d0edb4486daa9d40a0be8f ] + +This commit addresses two issues causing i2c detect to fail. + +The identified issues are: + +1. Incorrect error handling for BED (Bus Error No ACK/NAK): + Before this commit, Both ALD (Arbitration Loss Detected) and + BED returned -EAGAIN. +2. Missing interrupt status clear after initialization in xfer(): + On the K1 SoC, simply fixing the first issue changed the error + from -EAGAIN to -ETIMEOUT. Through tracing, it was determined that + this is likely due to MSD (Master Stop Detected) latency issues. + + That means the MSD bit in the ISR may still be set on the next transfer. + As a result, the controller won't work — we can see from the scope that + it doesn't issue any signal. + (This only occurs during rapid consecutive I2C transfers. + That explains why the issue only shows up with i2cdetect.) + +With these two fixes, i2c device detection now functions correctly on the K1 SoC. 
+ +Fixes: 5ea558473fa31 ("i2c: spacemit: add support for SpacemiT K1 SoC") +Tested-by: Aurelien Jarno +Signed-off-by: Troy Mitchell +Reviewed-by: Aurelien Jarno +Tested-by: Michael Opdenacker +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20251113-fix-k1-detect-failure-v2-1-b02a9a74f65a@linux.spacemit.com +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-k1.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-k1.c b/drivers/i2c/busses/i2c-k1.c +index 6b918770e612e..d42c03ef5db59 100644 +--- a/drivers/i2c/busses/i2c-k1.c ++++ b/drivers/i2c/busses/i2c-k1.c +@@ -158,11 +158,16 @@ static int spacemit_i2c_handle_err(struct spacemit_i2c_dev *i2c) + { + dev_dbg(i2c->dev, "i2c error status: 0x%08x\n", i2c->status); + +- if (i2c->status & (SPACEMIT_SR_BED | SPACEMIT_SR_ALD)) { ++ /* Arbitration Loss Detected */ ++ if (i2c->status & SPACEMIT_SR_ALD) { + spacemit_i2c_reset(i2c); + return -EAGAIN; + } + ++ /* Bus Error No ACK/NAK */ ++ if (i2c->status & SPACEMIT_SR_BED) ++ spacemit_i2c_reset(i2c); ++ + return i2c->status & SPACEMIT_SR_ACKNAK ? 
-ENXIO : -EIO; + } + +@@ -224,6 +229,12 @@ static void spacemit_i2c_check_bus_release(struct spacemit_i2c_dev *i2c) + } + } + ++static inline void ++spacemit_i2c_clear_int_status(struct spacemit_i2c_dev *i2c, u32 mask) ++{ ++ writel(mask & SPACEMIT_I2C_INT_STATUS_MASK, i2c->base + SPACEMIT_ISR); ++} ++ + static void spacemit_i2c_init(struct spacemit_i2c_dev *i2c) + { + u32 val; +@@ -267,12 +278,8 @@ static void spacemit_i2c_init(struct spacemit_i2c_dev *i2c) + val = readl(i2c->base + SPACEMIT_IRCR); + val |= SPACEMIT_RCR_SDA_GLITCH_NOFIX; + writel(val, i2c->base + SPACEMIT_IRCR); +-} + +-static inline void +-spacemit_i2c_clear_int_status(struct spacemit_i2c_dev *i2c, u32 mask) +-{ +- writel(mask & SPACEMIT_I2C_INT_STATUS_MASK, i2c->base + SPACEMIT_ISR); ++ spacemit_i2c_clear_int_status(i2c, SPACEMIT_I2C_INT_STATUS_MASK); + } + + static void spacemit_i2c_start(struct spacemit_i2c_dev *i2c) +-- +2.51.0 + diff --git a/queue-6.17/kbuild-install-extmod-build-fix-when-given-dir-outsi.patch b/queue-6.17/kbuild-install-extmod-build-fix-when-given-dir-outsi.patch new file mode 100644 index 0000000000..0894f23ea6 --- /dev/null +++ b/queue-6.17/kbuild-install-extmod-build-fix-when-given-dir-outsi.patch 
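Review bot: The split of the BED and ALD handling in spacemit_i2c_handle_err() carries no comment on why a bus error must stop returning -EAGAIN, and that reason is the whole fix. -EAGAIN is the value the I2C core retries a transfer on, so a bus error on an address with no device behind it was presumably retried rather than reported. I would replace the bare label with `/* Bus error (no ACK/NAK): reset the controller but report -ENXIO/-EIO; -EAGAIN would make the core retry */`. The new `spacemit_i2c_clear_int_status()` call at the end of spacemit_i2c_init() deserves the same: a one-line comment that it clears a possibly stale MSD bit from the previous transfer would keep it from being removed as redundant.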
@@ -0,0 +1,43 @@ +From 7f92b4062c1f33dc9bb4406d042864f9b138bf56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 10:14:17 +0100 +Subject: kbuild: install-extmod-build: Fix when given dir outside the build + dir + +From: James Le Cuirot + +[ Upstream commit 5ff90d427ef841fa48608d0c19a81c48d6126d46 ] + +Commit b5e395653546 ("kbuild: install-extmod-build: Fix build when +specifying KBUILD_OUTPUT") tried to address the "build" variable +expecting a relative path by using `realpath --relative-base=.`, but +this only works when the given directory is below the current directory. +`realpath --relative-to=.` will return a relative path in all cases. + +Fixes: b5e395653546 ("kbuild: install-extmod-build: Fix build when specifying KBUILD_OUTPUT") +Signed-off-by: James Le Cuirot +Reviewed-by: Nicolas Schier +Link: https://patch.msgid.link/20251016091417.9985-1-chewi@gentoo.org +Signed-off-by: Nathan Chancellor +Stable-dep-of: 4ab2ee307983 ("kbuild: install-extmod-build: Properly fix CC expansion when ccache is used") +Signed-off-by: Sasha Levin +--- + scripts/package/install-extmod-build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/package/install-extmod-build b/scripts/package/install-extmod-build +index b96538787f3d9..054fdf45cc37a 100755 +--- a/scripts/package/install-extmod-build ++++ b/scripts/package/install-extmod-build +@@ -63,7 +63,7 @@ if [ "${CC}" != "${HOSTCC}" ]; then + # Clear VPATH and srcroot because the source files reside in the output + # directory. + # shellcheck disable=SC2016 # $(MAKE) and $(build) will be expanded by Make +- "${MAKE}" run-command KBUILD_RUN_COMMAND='+$(MAKE) HOSTCC='"${CC}"' VPATH= srcroot=. $(build)='"$(realpath --relative-base=. "${destdir}")"/scripts ++ "${MAKE}" run-command KBUILD_RUN_COMMAND='+$(MAKE) HOSTCC='"${CC}"' VPATH= srcroot=. $(build)='"$(realpath --relative-to=. "${destdir}")"/scripts + + rm -f "${destdir}/scripts/Kbuild" + fi +-- +2.51.0 + 
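Review bot: The output of `realpath --relative-to=. "${destdir}"` is pasted into `KBUILD_RUN_COMMAND`, which the shellcheck comment just above says Make expands, so the path is parsed a second time by the recipe shell. A destination directory containing whitespace or shell metacharacters would then be split or interpreted rather than passed through as one path. `HOSTCC='"${CC}"'` on the same line has the same property, and the follow-up patch on this page that wraps it in double quotes only stops word splitting. Since both values come from the packaging environment this is a robustness point, but it deserves a comment next to the command: `# destdir and CC are re-parsed by the recipe shell: no whitespace in destdir, no quotes, $ or backticks in either`.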
diff --git a/queue-6.17/kbuild-install-extmod-build-properly-fix-cc-expansio.patch b/queue-6.17/kbuild-install-extmod-build-properly-fix-cc-expansio.patch new file mode 100644 index 0000000000..216779708b --- /dev/null +++ b/queue-6.17/kbuild-install-extmod-build-properly-fix-cc-expansio.patch 
@@ -0,0 +1,51 @@ +From 52ba4e835024f52699b1c951f98b54c9567f9d82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 08:43:51 +0200 +Subject: kbuild: install-extmod-build: Properly fix CC expansion when ccache + is used + +From: Abel Vesa + +[ Upstream commit 4ab2ee307983548b29ddaab0ecaef82d526cf4c9 ] + +Currently, when cross-compiling and ccache is used, the expanding of CC +turns out to be without any quotes, leading to the following error: + +make[4]: *** No rule to make target 'aarch64-linux-gnu-gcc'. Stop. +make[3]: *** [Makefile:2164: run-command] Error 2 + +And it makes sense, because after expansion it ends up like this: + +make run-command KBUILD_RUN_COMMAND=+$(MAKE) \ +HOSTCC=ccache aarch64-linux-gnu-gcc VPATH= srcroot=. $(build)= ... + +So add another set of double quotes to surround whatever CC expands to +to make sure the aarch64-linux-gnu-gcc isn't expanded to something that +looks like an entirely separate target. + +Fixes: 140332b6ed72 ("kbuild: fix linux-headers package build when $(CC) cannot link userspace") +Signed-off-by: Abel Vesa +Reviewed-by: Nicolas Schier +Link: https://patch.msgid.link/20251111-kbuild-install-extmod-build-fix-cc-expand-third-try-v2-1-15ba1b37e71a@linaro.org +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/package/install-extmod-build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/package/install-extmod-build b/scripts/package/install-extmod-build +index 054fdf45cc37a..2576cf7902dbb 100755 +--- a/scripts/package/install-extmod-build ++++ b/scripts/package/install-extmod-build +@@ -63,7 +63,7 @@ if [ "${CC}" != "${HOSTCC}" ]; then + # Clear VPATH and srcroot because the source files reside in the output + # directory. + # shellcheck disable=SC2016 # $(MAKE) and $(build) will be expanded by Make +- "${MAKE}" run-command KBUILD_RUN_COMMAND='+$(MAKE) HOSTCC='"${CC}"' VPATH= srcroot=. $(build)='"$(realpath --relative-to=. 
"${destdir}")"/scripts ++ "${MAKE}" run-command KBUILD_RUN_COMMAND='+$(MAKE) HOSTCC="'"${CC}"'" VPATH= srcroot=. $(build)='"$(realpath --relative-to=. "${destdir}")"/scripts + + rm -f "${destdir}/scripts/Kbuild" + fi +-- +2.51.0 + diff --git a/queue-6.17/nfs-automounted-filesystems-should-inherit-ro-noexec.patch b/queue-6.17/nfs-automounted-filesystems-should-inherit-ro-noexec.patch new file mode 100644 index 0000000000..b12d8e431d --- /dev/null +++ b/queue-6.17/nfs-automounted-filesystems-should-inherit-ro-noexec.patch 
@@ -0,0 +1,65 @@ +From 02f0263464ca39d271b98a2092d1df0fac5f66c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 14:22:44 -0500 +Subject: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync + flags + +From: Trond Myklebust + +[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ] + +When a filesystem is being automounted, it needs to preserve the +user-set superblock mount options, such as the "ro" flag. + +Reported-by: Li Lingfeng +Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ +Fixes: f2aedb713c28 ("NFS: Add fs_context support.") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/namespace.c | 6 ++++++ + fs/nfs/super.c | 4 ---- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index 7f1ec9c67ff21..c74e45a895000 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path) + struct vfsmount *mnt = ERR_PTR(-ENOMEM); + struct nfs_server *server = NFS_SB(path->dentry->d_sb); + struct nfs_client *client = server->nfs_client; ++ unsigned long s_flags = path->dentry->d_sb->s_flags; + int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout); + int ret; + +@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path) + fc->net_ns = get_net(client->cl_net); + } + ++ /* Inherit the flags covered by NFS_SB_MASK */ ++ fc->sb_flags_mask |= NFS_SB_MASK; ++ fc->sb_flags &= ~NFS_SB_MASK; ++ fc->sb_flags |= s_flags & NFS_SB_MASK; ++ + /* for submounts we want the same server; referrals will reassign */ + memcpy(&ctx->nfs_server._address, &client->cl_addr, client->cl_addrlen); + ctx->nfs_server.addrlen = client->cl_addrlen; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 9b9464e70a7f0..66413133b43e3 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1315,10 +1315,6 @@ int nfs_get_tree_common(struct fs_context *fc) + if (server->flags & 
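Review bot: The inheritance added to nfs_d_automount() is only as wide as `NFS_SB_MASK`, whose definition is not part of this patch, while the subject line promises `ro`, `noexec`, `nodev` and `sync`. If the mask in a given stable tree lacks one of those bits (SB_RDONLY is the one to check), the submount silently comes up without that restriction, which is the problem being fixed. Please confirm the mask in each tree this is queued for, and name the bits in the comment, e.g. `/* Inherit the parent's NFS_SB_MASK flags (ro, noexec, nodev, sync) so a submount is never less restricted than its parent */`. `s_flags` is sampled once at function entry without a lock, so a concurrent remount of the parent may not be reflected; that is probably acceptable but worth a word.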
NFS_MOUNT_NOAC) + fc->sb_flags |= SB_SYNCHRONOUS; + +- if (ctx->clone_data.sb) +- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS) +- fc->sb_flags |= SB_SYNCHRONOUS; +- + /* Get a superblock - note that we may end up sharing one that already exists */ + fc->s_fs_info = server; + s = sget_fc(fc, compare_super, nfs_set_super); +-- +2.51.0 + diff --git a/queue-6.17/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch b/queue-6.17/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch new file mode 100644 index 0000000000..899d59ba23 --- /dev/null +++ b/queue-6.17/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch 
@@ -0,0 +1,97 @@ +From 8aac7f904782323cde4b73070490b47fb91ff43d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 15:28:17 -0500 +Subject: NFS: Avoid changing nlink when file removes and attribute updates + race + +From: Trond Myklebust + +[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ] + +If a file removal races with another operation that updates its +attributes, then skip the change to nlink, and just mark the attributes +as being stale. + +Reported-by: Aiden Lambert +Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 82ef36cc9ceec..a2ca8d53d9f59 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1894,13 +1894,15 @@ static int nfs_dentry_delete(const struct dentry *dentry) + } + + /* Ensure that we revalidate inode->i_nlink */ +-static void nfs_drop_nlink(struct inode *inode) ++static void nfs_drop_nlink(struct inode *inode, unsigned long gencount) + { ++ struct nfs_inode *nfsi = NFS_I(inode); ++ + spin_lock(&inode->i_lock); + /* drop the inode if we're reasonably sure this is the last link */ +- if (inode->i_nlink > 0) ++ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount) + drop_nlink(inode); +- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter(); ++ nfsi->attr_gencount = nfs_inc_attr_generation_counter(); + nfs_set_cache_invalid( + inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME | + NFS_INO_INVALID_NLINK); +@@ -1914,8 +1916,9 @@ static void nfs_drop_nlink(struct inode *inode) + static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode) + { + if (dentry->d_flags & DCACHE_NFSFS_RENAMED) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); + nfs_complete_unlink(dentry, inode); +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, 
gencount); + } + iput(inode); + } +@@ -2509,9 +2512,11 @@ static int nfs_safe_remove(struct dentry *dentry) + + trace_nfs_remove_enter(dir, dentry); + if (inode != NULL) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); ++ + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == 0) +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, gencount); + } else + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == -ENOENT) +@@ -2711,6 +2716,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + { + struct inode *old_inode = d_inode(old_dentry); + struct inode *new_inode = d_inode(new_dentry); ++ unsigned long new_gencount = 0; + struct dentry *dentry = NULL; + struct rpc_task *task; + bool must_unblock = false; +@@ -2763,6 +2769,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + } else { + block_revalidate(new_dentry); + must_unblock = true; ++ new_gencount = NFS_I(new_inode)->attr_gencount; + spin_unlock(&new_dentry->d_lock); + } + +@@ -2802,7 +2809,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + new_dir, new_dentry, error); + if (!error) { + if (new_inode != NULL) +- nfs_drop_nlink(new_inode); ++ nfs_drop_nlink(new_inode, new_gencount); + /* + * The d_move() should be here instead of in an async RPC completion + * handler because we need the proper locks to move the dentry. If +-- +2.51.0 + diff --git a/queue-6.17/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch b/queue-6.17/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch new file mode 100644 index 0000000000..d02a7ab024 --- /dev/null +++ b/queue-6.17/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch 
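Review bot: In nfs_rename() `new_gencount` is read with a plain load, while the two other sites this patch adds (nfs_dentry_iput() and nfs_safe_remove()) use `READ_ONCE()`. Since the field is written under `i_lock` in nfs_drop_nlink() and read here without it, the rename site should be `new_gencount = READ_ONCE(NFS_I(new_inode)->attr_gencount);`. The variable is also assigned in only one branch and otherwise stays 0. A path that reaches `nfs_drop_nlink(new_inode, new_gencount)` without that branch is then not expected to match the live counter, so the nlink drop is skipped and the attributes are only invalidated. That looks like the intended conservative fallback, but the surrounding branches are outside these hunks, and a comment at the initialiser such as `/* 0 is not expected to match: forces revalidation instead of drop_nlink() */` would make it deliberate.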
@@ -0,0 +1,178 @@ +From 1f621563ebfa8e16974277717a8e42edf55a5f45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 16:06:41 -0500 +Subject: NFS: Fix inheritance of the block sizes when automounting + +From: Trond Myklebust + +[ Upstream commit 2b092175f5e301cdaa935093edfef2be9defb6df ] + +Only inherit the block sizes that were actually specified as mount +parameters for the parent mount. + +Fixes: 62a55d088cd8 ("NFS: Additional refactoring for fs_context conversion") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 21 +++++++++++++++++---- + fs/nfs/internal.h | 1 - + fs/nfs/namespace.c | 5 ++++- + fs/nfs/nfs4client.c | 18 ++++++++++++++---- + fs/nfs/super.c | 10 +++------- + include/linux/nfs_fs_sb.h | 5 +++++ + 6 files changed, 43 insertions(+), 17 deletions(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 54699299d5b16..2aaea9c98c2cd 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -784,10 +784,18 @@ static int nfs_init_server(struct nfs_server *server, + server->fattr_valid = NFS_ATTR_FATTR_V4; + } + +- if (ctx->rsize) ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { + server->rsize = nfs_io_size(ctx->rsize, clp->cl_proto); +- if (ctx->wsize) ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { + server->wsize = nfs_io_size(ctx->wsize, clp->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +@@ -977,8 +985,13 @@ EXPORT_SYMBOL_GPL(nfs_probe_server); + void nfs_server_copy_userdata(struct nfs_server *target, struct nfs_server *source) + { + target->flags = source->flags; +- target->rsize = source->rsize; +- target->wsize = source->wsize; ++ target->automount_inherit = source->automount_inherit; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ 
target->bsize = source->bsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_RSIZE) ++ target->rsize = source->rsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_WSIZE) ++ target->wsize = source->wsize; + target->acregmin = source->acregmin; + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 5a43543c60b84..a76332820cff9 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -152,7 +152,6 @@ struct nfs_fs_context { + struct super_block *sb; + struct dentry *dentry; + struct nfs_fattr *fattr; +- unsigned int inherited_bsize; + } clone_data; + }; + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index c74e45a895000..5dd753eed6d1a 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -190,6 +190,10 @@ struct vfsmount *nfs_d_automount(struct path *path) + ctx->nfs_mod = client->cl_nfs_mod; + get_nfs_version(ctx->nfs_mod); + ++ /* Inherit block sizes if they were specified as mount parameters */ ++ if (server->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ ctx->bsize = server->bsize; ++ + ret = client->rpc_ops->submount(fc, server); + if (ret < 0) { + mnt = ERR_PTR(ret); +@@ -289,7 +293,6 @@ int nfs_do_submount(struct fs_context *fc) + return -ENOMEM; + + ctx->internal = true; +- ctx->clone_data.inherited_bsize = ctx->clone_data.sb->s_blocksize_bits; + + p = nfs_devname(dentry, buffer, 4096); + if (IS_ERR(p)) { +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 3a4baed993c96..4ff0e9dd1145e 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1174,10 +1174,20 @@ static int nfs4_init_server(struct nfs_server *server, struct fs_context *fc) + if (error < 0) + return error; + +- if (ctx->rsize) +- server->rsize = nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); +- if (ctx->wsize) +- server->wsize = nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ 
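Review bot: The comment added in nfs_d_automount(), `/* Inherit block sizes if they were specified as mount parameters */`, speaks of block sizes in the plural, but the code under it carries over only `bsize`. rsize and wsize are handled separately, by the flag checks this patch adds to nfs_server_copy_userdata() in client.c, so a reader of namespace.c alone could conclude they were forgotten. I would write `/* Inherit bsize if it was a mount parameter; rsize/wsize follow via nfs_server_copy_userdata() */`, assuming the submount path does go through that function, which these hunks do not show. Separately, the three `if (ctx->bsize)` / `rsize` / `wsize` blocks are now duplicated in nfs_init_server() and nfs4_init_server(); a shared helper would keep the inherit bits from drifting apart.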
server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { ++ server->rsize = ++ nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { ++ server->wsize = ++ nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 66413133b43e3..57d372db03b93 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1091,8 +1091,9 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) + sb->s_blocksize = 0; + sb->s_xattr = server->nfs_client->cl_nfs_mod->xattr; + sb->s_op = server->nfs_client->cl_nfs_mod->sops; +- if (ctx->bsize) +- sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits); ++ if (server->bsize) ++ sb->s_blocksize = ++ nfs_block_size(server->bsize, &sb->s_blocksize_bits); + + switch (server->nfs_client->rpc_ops->version) { + case 2: +@@ -1338,13 +1339,8 @@ int nfs_get_tree_common(struct fs_context *fc) + } + + if (!s->s_root) { +- unsigned bsize = ctx->clone_data.inherited_bsize; + /* initial superblock/root creation */ + nfs_fill_super(s, ctx); +- if (bsize) { +- s->s_blocksize_bits = bsize; +- s->s_blocksize = 1U << bsize; +- } + error = nfs_get_cache_cookie(s, ctx); + if (error < 0) + goto error_splat_super; +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index d30c0245031c0..30ac384e011a4 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -172,6 +172,11 @@ struct nfs_server { + #define NFS_MOUNT_FORCE_RDIRPLUS 0x20000000 + #define NFS_MOUNT_NETUNREACH_FATAL 0x40000000 + ++ unsigned int automount_inherit; /* Properties inherited by automount */ ++#define NFS_AUTOMOUNT_INHERIT_BSIZE 0x0001 ++#define NFS_AUTOMOUNT_INHERIT_RSIZE 0x0002 ++#define NFS_AUTOMOUNT_INHERIT_WSIZE 
0x0004 ++ + unsigned int caps; /* server capabilities */ + __u64 fattr_valid; /* Valid attributes */ + unsigned int rsize; /* read size */ +-- +2.51.0 + diff --git a/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch b/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch new file mode 100644 index 0000000000..dea71e608f --- /dev/null +++ b/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch 
@@ -0,0 +1,69 @@ +From 7d4305ee587300f5ff2a4b9410d0a839635d9e93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:43:21 -0500 +Subject: NFS: Initialise verifiers for visible dentries in + _nfs4_open_and_get_state + +From: Trond Myklebust + +[ Upstream commit 0f900f11002ff52391fc2aa4a75e59f26ed1c242 ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in _nfs4_open_and_get_state(). + +Reported-by: Michael Stoler +Fixes: cf5b4059ba71 ("NFSv4: Fix races between open and dentry revalidation") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index a1e95732fd031..106f0bf881376 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3174,18 +3174,6 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + if (opendata->o_res.rflags & NFS4_OPEN_RESULT_PRESERVE_UNLINKED) + set_bit(NFS_INO_PRESERVE_UNLINKED, &NFS_I(state->inode)->flags); + +- dentry = opendata->dentry; +- if (d_really_is_negative(dentry)) { +- struct dentry *alias; +- d_drop(dentry); +- alias = d_splice_alias(igrab(state->inode), dentry); +- /* d_splice_alias() can't fail here - it's a non-directory */ +- if (alias) { +- dput(ctx->dentry); +- ctx->dentry = dentry = alias; +- } +- } +- + switch(opendata->o_arg.claim) { + default: + break; +@@ -3196,7 +3184,20 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + break; + if (opendata->o_res.delegation.type != 0) + dir_verifier = nfs_save_change_attribute(dir); +- nfs_set_verifier(dentry, dir_verifier); ++ } ++ ++ dentry = opendata->dentry; ++ nfs_set_verifier(dentry, dir_verifier); ++ if (d_really_is_negative(dentry)) { ++ struct dentry *alias; ++ d_drop(dentry); ++ alias = d_splice_alias(igrab(state->inode), dentry); ++ /* d_splice_alias() can't fail here - it's a non-directory */ ++ if (alias) { ++ 
dput(ctx->dentry); ++ nfs_set_verifier(alias, dir_verifier); ++ ctx->dentry = dentry = alias; ++ } + } + + /* Parse layoutget results before we check for access */ +-- +2.51.0 + diff --git a/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch b/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch new file mode 100644 index 0000000000..564de29e7a --- /dev/null +++ b/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch @@ -0,0 +1,41 @@ +From cd8f1fef9fc7c1f9865df9f4393c87790c15919d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:39:50 -0500 +Subject: NFS: Initialise verifiers for visible dentries in nfs_atomic_open() + +From: Trond Myklebust + +[ Upstream commit 518c32a1bc4f8df1a8442ee8cdfea3e2fcff20a0 ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in nfs_atomic_open(). + +Reported-by: Michael Stoler +Fixes: 809fd143de88 ("NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 4f93c3059c566..c0b4d24e95bd5 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2144,12 +2144,12 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry, + d_drop(dentry); + switch (err) { + case -ENOENT: +- d_splice_alias(NULL, dentry); + if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE)) + dir_verifier = inode_peek_iversion_raw(dir); + else + dir_verifier = nfs_save_change_attribute(dir); + nfs_set_verifier(dentry, dir_verifier); ++ d_splice_alias(NULL, dentry); + break; + case -EISDIR: + case -ENOTDIR: +-- +2.51.0 + diff --git a/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch b/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch new file mode 100644 index 0000000000..8477084417 --- /dev/null 
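Review bot: In the second hunk of fs/nfs/nfs4proc.c, `nfs_set_verifier(dentry, dir_verifier)` has moved out of the `switch` and now runs for every claim type, including the `default:` arm and the early `break` inside the case body, where the old code left the verifier untouched. The commit message only talks about ordering against d_splice_alias(), so the wider scope deserves a comment at the call, for example `/* set on every path: the dentry can become visible through d_splice_alias() below */`. The change also relies on dir_verifier already holding a valid value before the switch; that assignment is outside the hunk and should be confirmed. _nfs4_open_and_get_state() starts and ends outside the hunk.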
+++ b/queue-6.17/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch @@ -0,0 +1,62 @@ +From 50294009749ee66a058cfa9a247e2cffa398dc6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:36:16 -0500 +Subject: NFS: Initialise verifiers for visible dentries in readdir and lookup + +From: Trond Myklebust + +[ Upstream commit 9bd545539b233725a3416801f7c374bff0327d6e ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in both nfs_prime_dcache() and nfs_lookup(). + +Reported-by: Michael Stoler +Fixes: a1147b8281bd ("NFS: Fix up directory verifier races") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index a2ca8d53d9f59..4f93c3059c566 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -789,16 +789,17 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry, + goto out; + } + ++ nfs_set_verifier(dentry, dir_verifier); + inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr); + alias = d_splice_alias(inode, dentry); + d_lookup_done(dentry); + if (alias) { + if (IS_ERR(alias)) + goto out; ++ nfs_set_verifier(alias, dir_verifier); + dput(dentry); + dentry = alias; + } +- nfs_set_verifier(dentry, dir_verifier); + trace_nfs_readdir_lookup(d_inode(parent), dentry, 0); + out: + dput(dentry); +@@ -1994,13 +1995,14 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in + nfs_lookup_advise_force_readdirplus(dir, flags); + + no_entry: ++ nfs_set_verifier(dentry, dir_verifier); + res = d_splice_alias(inode, dentry); + if (res != NULL) { + if (IS_ERR(res)) + goto out; ++ nfs_set_verifier(res, dir_verifier); + dentry = res; + } +- nfs_set_verifier(dentry, dir_verifier); + out: + trace_nfs_lookup_exit(dir, dentry, flags, PTR_ERR_OR_ZERO(res)); + nfs_free_fattr(fattr); +-- +2.51.0 + 
diff --git a/queue-6.17/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch b/queue-6.17/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch new file mode 100644 index 0000000000..54271f2ffd --- /dev/null +++ b/queue-6.17/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch @@ -0,0 +1,43 @@ +From 13f22d6d1ad75a16720feb8e7cca3c4fa81cd01a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 18:02:42 +0000 +Subject: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in + pnfs_mark_layout_stateid_invalid + +From: Jonathan Curley + +[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ] + +Fixes a crash when layout is null during this call stack: + +write_inode + -> nfs4_write_inode + -> pnfs_layoutcommit_inode + +pnfs_set_layoutcommit relies on the lseg refcount to keep the layout +around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt +to reference a null layout. + +Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid") +Signed-off-by: Jonathan Curley +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index a3135b5af7eec..7ce2e840217cf 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -464,6 +464,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo, + struct pnfs_layout_segment *lseg, *next; + + set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags); ++ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags); + list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) + pnfs_clear_lseg_state(lseg, lseg_list); + pnfs_clear_layoutreturn_info(lo); +-- +2.51.0 + diff --git a/queue-6.17/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch b/queue-6.17/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch new file mode 100644 index 0000000000..d65c7a8bce --- /dev/null +++ b/queue-6.17/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch 
@@ -0,0 +1,38 @@ +From 084432abef68260672e63ce402a83cd1107d2927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Nov 2025 16:46:48 +0200 +Subject: nvme-auth: use kvfree() for memory allocated with kvcalloc() + +From: Israel Rukshin + +[ Upstream commit bb9f4cca7c031de6f0e85f7ba24abf0172829f85 ] + +Memory allocated by kvcalloc() may come from vmalloc or kmalloc, +so use kvfree() instead of kfree() for proper deallocation. + +Fixes: aa36d711e945 ("nvme-auth: convert dhchap_auth_list to an array") +Signed-off-by: Israel Rukshin +Reviewed-by: Max Gurtovoy +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c +index a01178caf15bb..8f3ccb317e4de 100644 +--- a/drivers/nvme/host/auth.c ++++ b/drivers/nvme/host/auth.c +@@ -1122,7 +1122,7 @@ void nvme_auth_free(struct nvme_ctrl *ctrl) + if (ctrl->dhchap_ctxs) { + for (i = 0; i < ctrl_max_dhchaps(ctrl); i++) + nvme_auth_free_dhchap(&ctrl->dhchap_ctxs[i]); +- kfree(ctrl->dhchap_ctxs); ++ kvfree(ctrl->dhchap_ctxs); + } + if (ctrl->host_key) { + nvme_auth_free_key(ctrl->host_key); +-- +2.51.0 + diff --git a/queue-6.17/panthor-save-task-pid-and-comm-in-panthor_group.patch b/queue-6.17/panthor-save-task-pid-and-comm-in-panthor_group.patch new file mode 100644 index 0000000000..27e59b64ca --- /dev/null +++ b/queue-6.17/panthor-save-task-pid-and-comm-in-panthor_group.patch 
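Review bot: After `kvfree(ctrl->dhchap_ctxs);` in nvme_auth_free() the field still holds the freed address, so any later read of it, or a second call for the same controller, would be a use-after-free or double free. If either is possible (the callers are not visible here), clear the pointer right after the free with `ctrl->dhchap_ctxs = NULL;`. The array holds per-queue authentication contexts, which makes a stale pointer worth closing off even as a purely defensive step. The function body continues past the end of the hunk.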
@@ -0,0 +1,72 @@ +From bbec3eddb0d3aa80b796ef770c4b3cba8a26211a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 23:38:15 -0700 +Subject: panthor: save task pid and comm in panthor_group + +From: Chia-I Wu + +[ Upstream commit 33b9cb6dcda2520600ac4fec725946af32c2e586 ] + +We would like to report them on gpu errors. + +We choose to save the info on panthor_group_create rather than on +panthor_open because, when the two differ, we are more interested in the +task that created the group. + +Signed-off-by: Chia-I Wu +Reviewed-by: Steven Price +Signed-off-by: Steven Price +Link: https://lore.kernel.org/r/20250718063816.1452123-3-olvaffe@gmail.com +Stable-dep-of: eec7e23d848d ("drm/panthor: Prevent potential UAF in group creation") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panthor/panthor_sched.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c +index 99ce0948f2bae..35c4a86fe3052 100644 +--- a/drivers/gpu/drm/panthor/panthor_sched.c ++++ b/drivers/gpu/drm/panthor/panthor_sched.c +@@ -641,6 +641,15 @@ struct panthor_group { + size_t kbo_sizes; + } fdinfo; + ++ /** @task_info: Info of current->group_leader that created the group. */ ++ struct { ++ /** @task_info.pid: pid of current->group_leader */ ++ pid_t pid; ++ ++ /** @task_info.comm: comm of current->group_leader */ ++ char comm[TASK_COMM_LEN]; ++ } task_info; ++ + /** @state: Group state. 
*/ + enum panthor_group_state state; + +@@ -3391,6 +3400,14 @@ group_create_queue(struct panthor_group *group, + return ERR_PTR(ret); + } + ++static void group_init_task_info(struct panthor_group *group) ++{ ++ struct task_struct *task = current->group_leader; ++ ++ group->task_info.pid = task->pid; ++ get_task_comm(group->task_info.comm, task); ++} ++ + static void add_group_kbo_sizes(struct panthor_device *ptdev, + struct panthor_group *group) + { +@@ -3542,6 +3559,8 @@ int panthor_group_create(struct panthor_file *pfile, + add_group_kbo_sizes(group->ptdev, group); + spin_lock_init(&group->fdinfo.lock); + ++ group_init_task_info(group); ++ + return gid; + + err_put_group: +-- +2.51.0 + diff --git a/queue-6.17/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch b/queue-6.17/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch new file mode 100644 index 0000000000..4fe5f94f73 --- /dev/null +++ b/queue-6.17/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch 
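Review bot: In panthor_group_create() the new `group_init_task_info(group);` call sits directly before `return gid;`, so it appears to write to the group after the handle has been allocated. If the group is already reachable through that handle at this point (the allocation is outside the hunk), another thread of the same file could destroy it first and the write would land in freed memory. The `Stable-dep-of:` trailer naming a use-after-free fix in group creation suggests this window is real, so this patch should only be applied together with that follow-up. Filling in task_info before the group is published would avoid the dependency altogether.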
@@ -0,0 +1,78 @@ +From 14a2e83bed0e4ecdea316ccc41c272182f07e7f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 11:13:08 +0100 +Subject: platform/x86: asus-wmi: use brightness_set_blocking() for kbd led +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anton Khirnov + +[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ] + +kbd_led_set() can sleep, and so may not be used as the brightness_set() +callback. + +Otherwise using this led with a trigger leads to system hangs +accompanied by: +BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003 +CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1 +Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024 +Call Trace: + + [...] + schedule_timeout+0xbd/0x100 + __down_common+0x175/0x290 + down_timeout+0x67/0x70 + acpi_os_wait_semaphore+0x57/0x90 + [...] + asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi] + led_trigger_event+0x3f/0x60 + [...] 
+ +Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process") +Signed-off-by: Anton Khirnov +Reviewed-by: Andy Shevchenko +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index e72a2b5d158e9..8e3300f5c2943 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1619,14 +1619,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value) + kbd_led_update(asus); + } + +-static void kbd_led_set(struct led_classdev *led_cdev, +- enum led_brightness value) ++static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value) + { + /* Prevent disabling keyboard backlight on module unregister */ + if (led_cdev->flags & LED_UNREGISTERING) +- return; ++ return 0; + + do_kbd_led_set(led_cdev, value); ++ return 0; + } + + static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value) +@@ -1802,7 +1802,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus) + asus->kbd_led_wk = led_val; + asus->kbd_led.name = "asus::kbd_backlight"; + asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED; +- asus->kbd_led.brightness_set = kbd_led_set; ++ asus->kbd_led.brightness_set_blocking = kbd_led_set; + asus->kbd_led.brightness_get = kbd_led_get; + asus->kbd_led.max_brightness = 3; + +-- +2.51.0 + diff --git a/queue-6.17/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch b/queue-6.17/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch new file mode 100644 index 0000000000..ded6ee71af --- /dev/null +++ b/queue-6.17/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch 
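Review bot: kbd_led_set() now has the `int` return type that brightness_set_blocking expects, but both paths `return 0;`, so a failed firmware call is still reported to the LED core as success. do_kbd_led_set() is declared `static void` in the hunk header and ends in `kbd_led_update(asus);`, which leaves no way for an error to travel back. If kbd_led_update() can report failure (its definition is not visible here), let do_kbd_led_set() return that status and finish kbd_led_set() with `return do_kbd_led_set(led_cdev, value);`. Otherwise a short comment stating that errors are deliberately ignored would make the constant return value clear.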
@@ -0,0 +1,44 @@ +From b4d5a2a9ae4d577a6b5a62bfdfc26b49b50c68f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 14:45:29 -0700 +Subject: platform/x86:intel/pmc: Update Arrow Lake telemetry GUID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xi Pardee + +[ Upstream commit 644ab3bc98ee386f178d5209ae8170b3fac591aa ] + +Update ARL_PMT_DMU_GUID value. Arrow Lake PMT DMU GUID has been updated +after it was add to the driver. This updates ensures that the die C6 +value is available in the debug filesystem. + +Bugzilla Link: https://bugzilla.kernel.org/show_bug.cgi?id=220421 +Fixes: 83f168a1a437 ("platform/x86/intel/pmc: Add Arrow Lake S support to intel_pmc_core driver") +Tested-by: Mark Pearson +Signed-off-by: Xi Pardee +Link: https://patch.msgid.link/20251014214548.629023-2-xi.pardee@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/pmc/core.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/pmc/core.h b/drivers/platform/x86/intel/pmc/core.h +index 4a94a4ee031e6..24139617eef61 100644 +--- a/drivers/platform/x86/intel/pmc/core.h ++++ b/drivers/platform/x86/intel/pmc/core.h +@@ -282,7 +282,7 @@ enum ppfear_regs { + /* Die C6 from PUNIT telemetry */ + #define MTL_PMT_DMU_DIE_C6_OFFSET 15 + #define MTL_PMT_DMU_GUID 0x1A067102 +-#define ARL_PMT_DMU_GUID 0x1A06A000 ++#define ARL_PMT_DMU_GUID 0x1A06A102 + + #define LNL_PMC_MMIO_REG_LEN 0x2708 + #define LNL_PMC_LTR_OSSE 0x1B88 +-- +2.51.0 + diff --git a/queue-6.17/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch b/queue-6.17/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch new file mode 100644 index 0000000000..9d97c36e1b --- /dev/null +++ b/queue-6.17/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch 
@@ -0,0 +1,51 @@ +From ca24ea1d4b03daf9d38730a449bd8e5c57970268 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 19:39:34 +0000 +Subject: regulator: fixed: Rely on the core freeing the enable GPIO + +From: Mark Brown + +[ Upstream commit 79a45ddcdbba330f5139c7c7ff7042d69cf147b2 ] + +In order to simplify ownership rules for enable GPIOs supplied by drivers +regulator_register() always takes ownership of them, even if it ends up +failing for some other reason. We therefore should not free the GPIO if +registration fails but just let the core worry about things. + +Fixes: 636f4618b1cd (regulator: fixed: fix GPIO descriptor leak on register failure) +Reported-by: Diederik de Haas +Closes: https://lore.kernel.org/r/DEPEYUF5BRGY.UKFBWRRE8HNP@cknow-tech.com +Tested-by: Diederik de Haas +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20251204-regulator-fixed-fix-gpiod-leak-v1-1-48efea5b82c2@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index a2d16e9abfb58..254c0a8a45559 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -330,13 +330,10 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + + drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc, + &cfg); +- if (IS_ERR(drvdata->dev)) { +- ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), +- "Failed to register regulator: %ld\n", +- PTR_ERR(drvdata->dev)); +- gpiod_put(cfg.ena_gpiod); +- return ret; +- } ++ if (IS_ERR(drvdata->dev)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), ++ "Failed to register regulator: %ld\n", ++ PTR_ERR(drvdata->dev)); + + platform_set_drvdata(pdev, drvdata); + +-- +2.51.0 + 
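Review bot: The error path after devm_regulator_register() in reg_fixed_voltage_probe() now depends on an ownership rule that is stated only in the commit message, and the commit it fixes shows how easily a `gpiod_put()` gets added back here, releasing the descriptor twice. A comment above the `if (IS_ERR(drvdata->dev))` check would pin the rule down, for example `/* regulator_register() takes ownership of cfg.ena_gpiod even on failure; do not gpiod_put() it here */`. Separately, dev_err_probe() already prints the error code, so the `%ld` with `PTR_ERR(drvdata->dev)` in the message is redundant and could be dropped. The probe function begins before the hunk and continues after it.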
diff --git a/queue-6.17/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-6.17/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch new file mode 100644 index 0000000000..bb6869da00 --- /dev/null +++ b/queue-6.17/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch @@ -0,0 +1,48 @@ +From 7b1a8be588c51b1e37eed51bd43f987097e6c39d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:38 -0500 +Subject: Revert "nfs: clear SB_RDONLY before getting superblock" + +From: Trond Myklebust + +[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ] + +This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 527000f5d150c..9b9464e70a7f0 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1308,17 +1308,8 @@ int nfs_get_tree_common(struct fs_context *fc) + if (IS_ERR(server)) + return PTR_ERR(server); + +- /* +- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a +- * superblock among each filesystem that mounts sub-directories +- * belonging to a single exported root path. +- * To prevent interference between different filesystems, the +- * SB_RDONLY flag should be removed from the superblock. +- */ + if (server->flags & NFS_MOUNT_UNSHARED) + compare_super = NULL; +- else +- fc->sb_flags &= ~SB_RDONLY; + + /* -o noac implies -o sync */ + if (server->flags & NFS_MOUNT_NOAC) +-- +2.51.0 + diff --git a/queue-6.17/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch b/queue-6.17/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch new file mode 100644 index 0000000000..ec022e1d4c --- /dev/null 
+++ b/queue-6.17/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch @@ -0,0 +1,39 @@ +From bdabb12435ca81f5b761009c15ba4f078f1527dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:45 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when mounting nfs" + +From: Trond Myklebust + +[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ] + +This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index c0a44f389f8f4..5a43543c60b84 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -13,7 +13,7 @@ + #include + #include + +-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) ++#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) + + extern const struct export_operations nfs_export_ops; + +-- +2.51.0 + diff --git a/queue-6.17/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-6.17/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch new file mode 100644 index 0000000000..396982a1e1 --- /dev/null +++ b/queue-6.17/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch 
@@ -0,0 +1,47 @@ +From 60c9cd75dbfc8ea049ccbabf9ed95db7b39a5abe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:07 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when remounting nfs" + +From: Trond Myklebust + +[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ] + +This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 72dee6f3050e6..527000f5d150c 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1051,16 +1051,6 @@ int nfs_reconfigure(struct fs_context *fc) + + sync_filesystem(sb); + +- /* +- * The SB_RDONLY flag has been removed from the superblock during +- * mounts to prevent interference between different filesystems. +- * Similarly, it is also necessary to ignore the SB_RDONLY flag +- * during reconfiguration; otherwise, it may also result in the +- * creation of redundant superblocks when mounting a directory with +- * different rw and ro flags multiple times. +- */ +- fc->sb_flags_mask &= ~SB_RDONLY; +- + /* + * Userspace mount programs that send binary options generally send + * them populated with default values. We have no way to know which +-- +2.51.0 + diff --git a/queue-6.17/rtc-amlogic-a4-fix-double-free-caused-by-devm.patch b/queue-6.17/rtc-amlogic-a4-fix-double-free-caused-by-devm.patch new file mode 100644 index 0000000000..6e6f443472 --- /dev/null +++ b/queue-6.17/rtc-amlogic-a4-fix-double-free-caused-by-devm.patch 
@@ -0,0 +1,53 @@ +From 82291917fa80c94adda102193dd2675c97998bcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 18:35:59 +0800 +Subject: rtc: amlogic-a4: fix double free caused by devm + +From: Haotian Zhang + +[ Upstream commit 384150d7a5b60c1086790a8ee07b0629f906cca2 ] + +The clock obtained via devm_clk_get_enabled() is automatically managed +by devres and will be disabled and freed on driver detach. Manually +calling clk_disable_unprepare() in error path and remove function +causes double free. + +Remove the redundant clk_disable_unprepare() calls from the probe +error path and aml_rtc_remove(), allowing the devm framework to +automatically manage the clock lifecycle. + +Fixes: c89ac9182ee2 ("rtc: support for the Amlogic on-chip RTC") +Signed-off-by: Haotian Zhang +Reviewed-by: Xianwei Zhao +Link: https://patch.msgid.link/20251021103559.1903-1-vulab@iscas.ac.cn +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-amlogic-a4.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/rtc/rtc-amlogic-a4.c b/drivers/rtc/rtc-amlogic-a4.c +index 09d78c2cc6918..c3cac29d96f07 100644 +--- a/drivers/rtc/rtc-amlogic-a4.c ++++ b/drivers/rtc/rtc-amlogic-a4.c +@@ -390,7 +390,6 @@ static int aml_rtc_probe(struct platform_device *pdev) + + return 0; + err_clk: +- clk_disable_unprepare(rtc->sys_clk); + device_init_wakeup(dev, false); + + return ret; +@@ -423,9 +422,6 @@ static SIMPLE_DEV_PM_OPS(aml_rtc_pm_ops, + + static void aml_rtc_remove(struct platform_device *pdev) + { +- struct aml_rtc_data *rtc = dev_get_drvdata(&pdev->dev); +- +- clk_disable_unprepare(rtc->sys_clk); + device_init_wakeup(&pdev->dev, false); + } + +-- +2.51.0 + diff --git a/queue-6.17/rtc-gamecube-check-the-return-value-of-ioremap.patch b/queue-6.17/rtc-gamecube-check-the-return-value-of-ioremap.patch new file mode 100644 index 0000000000..cda4eb6339 --- /dev/null +++ b/queue-6.17/rtc-gamecube-check-the-return-value-of-ioremap.patch 
@@ -0,0 +1,44 @@ +From f0979f818ddc743a53042f769cff242fa24b657a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 16:06:25 +0800 +Subject: rtc: gamecube: Check the return value of ioremap() + +From: Haotian Zhang + +[ Upstream commit d1220e47e4bd2be8b84bc158f4dea44f2f88b226 ] + +The function ioremap() in gamecube_rtc_read_offset_from_sram() can fail +and return NULL, which is dereferenced without checking, leading to a +NULL pointer dereference. + +Add a check for the return value of ioremap() and return -ENOMEM on +failure. + +Fixes: 86559400b3ef ("rtc: gamecube: Add a RTC driver for the GameCube, Wii and Wii U") +Signed-off-by: Haotian Zhang +Reviewed-by: Link Mauve +Link: https://patch.msgid.link/20251126080625.1752-1-vulab@iscas.ac.cn +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-gamecube.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/rtc/rtc-gamecube.c b/drivers/rtc/rtc-gamecube.c +index c828bc8e05b9c..045d5d45ab4b0 100644 +--- a/drivers/rtc/rtc-gamecube.c ++++ b/drivers/rtc/rtc-gamecube.c +@@ -242,6 +242,10 @@ static int gamecube_rtc_read_offset_from_sram(struct priv *d) + } + + hw_srnprot = ioremap(res.start, resource_size(&res)); ++ if (!hw_srnprot) { ++ pr_err("failed to ioremap hw_srnprot\n"); ++ return -ENOMEM; ++ } + old = ioread32be(hw_srnprot); + + /* TODO: figure out why we use this magic constant. I obtained it by +-- +2.51.0 + diff --git a/queue-6.17/rtc-max31335-fix-ignored-return-value-in-set_alarm.patch b/queue-6.17/rtc-max31335-fix-ignored-return-value-in-set_alarm.patch new file mode 100644 index 0000000000..0ab4c9f574 --- /dev/null +++ b/queue-6.17/rtc-max31335-fix-ignored-return-value-in-set_alarm.patch 
@@ -0,0 +1,44 @@ +From 7c178be8edfe8cf14149d9a00983726fb85d40e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 16:36:38 +0000 +Subject: rtc: max31335: Fix ignored return value in set_alarm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit f07640f9fb8df2158199da1da1f8282948385a84 ] + +Return the result from regmap_update_bits() instead of ignoring it +and always returning 0. + +Fixes: dedaf03b99d6 ("rtc: max31335: add driver support") +Signed-off-by: Nuno Sá +Link: https://patch.msgid.link/20251128-max31335-handler-error-v1-1-6b6f7f78dbda@analog.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-max31335.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/rtc/rtc-max31335.c b/drivers/rtc/rtc-max31335.c +index dfb5bad3a3691..23b7bf16b4cd5 100644 +--- a/drivers/rtc/rtc-max31335.c ++++ b/drivers/rtc/rtc-max31335.c +@@ -391,10 +391,8 @@ static int max31335_set_alarm(struct device *dev, struct rtc_wkalrm *alrm) + if (ret) + return ret; + +- ret = regmap_update_bits(max31335->regmap, max31335->chip->int_status_reg, +- MAX31335_STATUS1_A1F, 0); +- +- return 0; ++ return regmap_update_bits(max31335->regmap, max31335->chip->int_status_reg, ++ MAX31335_STATUS1_A1F, 0); + } + + static int max31335_alarm_irq_enable(struct device *dev, unsigned int enabled) +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index e239a26e64..78eda13708 100644 --- a/queue-6.17/series +++ b/queue-6.17/series 
@@ -432,3 +432,58 @@ fbdev-ssd1307fb-fix-potential-page-leak-in-ssd1307fb.patch 9p-fix-cache-debug-options-printing-in-v9fs_show_opt.patch sched-fair-fix-unfairness-caused-by-stalled-tg_load_.patch sched-core-fix-psi_dequeue-for-proxy-execution.patch +platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch +f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch +rtc-amlogic-a4-fix-double-free-caused-by-devm.patch +kbuild-install-extmod-build-fix-when-given-dir-outsi.patch +kbuild-install-extmod-build-properly-fix-cc-expansio.patch +nfs-avoid-changing-nlink-when-file-removes-and-attri.patch +fs-nls-fix-utf16-to-utf8-conversion.patch +nfs-initialise-verifiers-for-visible-dentries-in-rea.patch +nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch +nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch +nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch +panthor-save-task-pid-and-comm-in-panthor_group.patch +drm-panthor-prevent-potential-uaf-in-group-creation.patch +revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch +revert-nfs-clear-sb_rdonly-before-getting-superblock.patch +revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch +nfs-automounted-filesystems-should-inherit-ro-noexec.patch +nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch +fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch +platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch +asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch +asoc-amd-acp-audio-is-not-resuming-after-s0ix.patch +asoc-ak4458-disable-regulator-when-error-happens.patch +asoc-ak5558-disable-regulator-when-error-happens.patch +f2fs-revert-summary-entry-count-from-2048-to-512-in-.patch +blk-mq-abort-suspend-when-wakeup-events-are-pending.patch +block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch +block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch +nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch +drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch 
+regulator-fixed-rely-on-the-core-freeing-the-enable-.patch +alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch +drm-nouveau-refactor-deprecated-strcpy.patch +drm-nouveau-fix-circular-dep-oops-from-vendored-i2c-.patch +cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch +cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch-14602 +docs-hwmon-fix-link-to-g762-devicetree-binding.patch +i2c-spacemit-fix-detect-issue.patch +dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch +alsa-uapi-fix-typo-in-asound.h-comment.patch +drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch +rtc-gamecube-check-the-return-value-of-ioremap.patch +rtc-max31335-fix-ignored-return-value-in-set_alarm.patch +alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch +arm-9464-1-fix-input-only-operand-modification-in-lo.patch +drm-xe-fbdev-use-the-same-64-byte-stride-alignment-a.patch +drm-i915-fbdev-make-intel_framebuffer_create-error-r.patch +drm-i915-xe-fbdev-pass-struct-drm_device-to-intel_fb.patch +drm-i915-xe-fbdev-deduplicate-struct-drm_mode_fb_cmd.patch +drm-i915-fbdev-hold-runtime-pm-ref-during-fbdev-bo-c.patch +block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch +asoc-amd-acp-update-tdm-channels-for-specific-dai.patch +block-fix-cached-zone-reports-on-devices-with-native.patch +dm-raid-fix-possible-null-dereference-with-undefined.patch +dm-log-writes-add-missing-set_freezable-for-freezabl.patch diff --git a/queue-6.18/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch b/queue-6.18/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch new file mode 100644 index 0000000000..c5d5149e76 --- /dev/null +++ b/queue-6.18/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch 
@@ -0,0 +1,41 @@ +From 8b1ed3cb3673c27be8504e195e81cba8b3fa4c96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 13:16:41 +0800 +Subject: ALSA: firewire-motu: add bounds check in put_user loop for DSP events + +From: Junrui Luo + +[ Upstream commit 298e753880b6ea99ac30df34959a7a03b0878eed ] + +In the DSP event handling code, a put_user() loop copies event data. +When the user buffer size is not aligned to 4 bytes, it could overwrite +beyond the buffer boundary. + +Fix by adding a bounds check before put_user(). + +Suggested-by: Takashi Iwai +Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 6675b23aad69e..89dc436a06529 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -75,7 +75,7 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, + while (consumed < count && + snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) { + ptr = (u32 __user *)(buf + consumed); +- if (put_user(ev, ptr)) ++ if (consumed + sizeof(ev) > count || put_user(ev, ptr)) + return -EFAULT; + consumed += sizeof(ev); + } +-- +2.51.0 + diff --git a/queue-6.18/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch b/queue-6.18/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch new file mode 100644 index 0000000000..f8664892a2 --- /dev/null +++ b/queue-6.18/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch 
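Review bot: The added `consumed + sizeof(ev) > count` test runs only after `snd_motu_register_dsp_message_parser_copy_event()` has already handed back an event, so a user buffer with a 1-3 byte tail makes the read fail with -EFAULT although nothing faulted. The event taken in that iteration is presumably lost to the caller as well; the helper's dequeue behaviour is not visible in the hunk. Checking the remaining space in the loop condition stops before an event that cannot fit is taken: `while (consumed + (long)sizeof(ev) <= count &&` in place of `while (consumed < count &&`, with `if (put_user(ev, ptr))` left as it was. The cast assumes `consumed` is a signed `long` like `count`; its declaration is outside the hunk, as are the start and end of hwdep_read().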
@@ -0,0 +1,48 @@ +From 7c1be432ce9652f568fe18815175bc723a864e29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 12:27:03 +0800 +Subject: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events + +From: Junrui Luo + +[ Upstream commit 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 ] + +The DSP event handling code in hwdep_read() could write more bytes to +the user buffer than requested, when a user provides a buffer smaller +than the event header size (8 bytes). + +Fix by using min_t() to clamp the copy size, This ensures we never copy +more than the user requested. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 981c19430cb0f..6675b23aad69e 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -83,10 +83,11 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, + event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE; + event.motu_register_dsp_change.count = + (consumed - sizeof(event.motu_register_dsp_change)) / 4; +- if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change))) ++ if (copy_to_user(buf, &event, ++ min_t(long, count, sizeof(event.motu_register_dsp_change)))) + return -EFAULT; + +- count = consumed; ++ count = min_t(long, count, consumed); + } else { + spin_unlock_irq(&motu->lock); + +-- +2.51.0 + 
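Review bot: With the `min_t(long, count, sizeof(event.motu_register_dsp_change))` clamp, a read whose buffer is shorter than the event header now succeeds and returns a truncated header, and nothing in the code says that this is the intended contract. A comment above the copy would record it, for example `/* count may be smaller than the header: copy only what was asked for, the caller then sees a short event */`. Whether a too-small buffer should instead be rejected before any event is taken is an ABI decision the commit message does not discuss. The rest of hwdep_read(), including the loop that sets `consumed`, is outside this hunk.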
diff --git a/queue-6.18/alsa-uapi-fix-typo-in-asound.h-comment.patch b/queue-6.18/alsa-uapi-fix-typo-in-asound.h-comment.patch new file mode 100644 index 0000000000..77b5d7f8d4 --- /dev/null +++ b/queue-6.18/alsa-uapi-fix-typo-in-asound.h-comment.patch @@ -0,0 +1,36 @@ +From f55b58a716da52fe0204c7d923b6149c365ead39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 10:25:01 -0600 +Subject: ALSA: uapi: Fix typo in asound.h comment + +From: Andres J Rosa + +[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ] + +Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment. + +Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames") +Signed-off-by: Andres J Rosa +Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/uapi/sound/asound.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h +index 5a049eeaeccea..d3ce75ba938a8 100644 +--- a/include/uapi/sound/asound.h ++++ b/include/uapi/sound/asound.h +@@ -60,7 +60,7 @@ struct snd_cea_861_aud_if { + unsigned char db2_sf_ss; /* sample frequency and size */ + unsigned char db3; /* not used, all zeros */ + unsigned char db4_ca; /* channel allocation code */ +- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */ ++ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */ + }; + + /**************************************************************************** +-- +2.51.0 + diff --git a/queue-6.18/arm-9464-1-fix-input-only-operand-modification-in-lo.patch b/queue-6.18/arm-9464-1-fix-input-only-operand-modification-in-lo.patch new file mode 100644 index 0000000000..d6fd5f72db --- /dev/null +++ b/queue-6.18/arm-9464-1-fix-input-only-operand-modification-in-lo.patch 
@@ -0,0 +1,67 @@ +From 371574a0f134e84f525781907ad481cdf2b75f76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 03:19:45 +0100 +Subject: ARM: 9464/1: fix input-only operand modification in + load_unaligned_zeropad() + +From: Liyuan Pang + +[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ] + +In the inline assembly inside load_unaligned_zeropad(), the "addr" is +constrained as input-only operand. The compiler assumes that on exit +from the asm statement these operands contain the same values as they +had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior. + +Use a temporary variable "tmp" to handle it, instead of modifying the +input-only operand, just like what arm64's load_unaligned_zeropad() +does. + +Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs") +Co-developed-by: Xie Yuanbin +Signed-off-by: Xie Yuanbin +Signed-off-by: Liyuan Pang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/word-at-a-time.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h +index f9a3897b06e7f..5023f98d8293d 100644 +--- a/arch/arm/include/asm/word-at-a-time.h ++++ b/arch/arm/include/asm/word-at-a-time.h +@@ -67,7 +67,7 @@ static inline unsigned long find_zero(unsigned long mask) + */ + static inline unsigned long load_unaligned_zeropad(const void *addr) + { +- unsigned long ret, offset; ++ unsigned long ret, tmp; + + /* Load word from unaligned pointer addr */ + asm( +@@ -75,9 +75,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + "2:\n" + " .pushsection .text.fixup,\"ax\"\n" + " .align 2\n" +- "3: and %1, %2, #0x3\n" +- " bic %2, %2, #0x3\n" +- " ldr %0, [%2]\n" ++ "3: bic %1, %2, #0x3\n" ++ " ldr %0, 
[%1]\n" ++ " and %1, %2, #0x3\n" + " lsl %1, %1, #0x3\n" + #ifndef __ARMEB__ + " lsr %0, %0, %1\n" +@@ -90,7 +90,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + " .align 3\n" + " .long 1b, 3b\n" + " .popsection" +- : "=&r" (ret), "=&r" (offset) ++ : "=&r" (ret), "=&r" (tmp) + : "r" (addr), "Qo" (*(unsigned long *)addr)); + + return ret; +-- +2.51.0 + diff --git a/queue-6.18/asoc-ak4458-disable-regulator-when-error-happens.patch b/queue-6.18/asoc-ak4458-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..35eb5756a8 --- /dev/null +++ b/queue-6.18/asoc-ak4458-disable-regulator-when-error-happens.patch 
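Review bot: The fixup path in load_unaligned_zeropad() now reuses `tmp` for two different things, which the code does not document. After `bic %1, %2, #0x3` it holds the aligned address, and after `and %1, %2, #0x3` / `lsl %1, %1, #0x3` it holds the bit shift. The old name `offset` described only the second role, so a one-line comment above the asm would help the next reader: `/* fixup: tmp is first the word-aligned address, then the byte offset scaled to a bit shift; addr (%2) is input-only and must not be written */`. The early-clobber `"=&r" (tmp)` constraint is what keeps `%1` from sharing a register with `%2` and is worth naming in that comment too. The function's doc comment and the big-endian branch lie partly outside the inner hunks shown.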
@@ -0,0 +1,45 @@ +From ff4e30fbc81145e8b89971bd3e94ba573cfa7a51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 18:05:28 +0800 +Subject: ASoC: ak4458: Disable regulator when error happens + +From: Shengjiu Wang + +[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ] + +Disable regulator in runtime resume when error happens to balance +the reference count of regulator. + +Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak4458.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c +index 57cf601d3df35..a6c04dd3de3ed 100644 +--- a/sound/soc/codecs/ak4458.c ++++ b/sound/soc/codecs/ak4458.c +@@ -671,7 +671,15 @@ static int ak4458_runtime_resume(struct device *dev) + regcache_cache_only(ak4458->regmap, false); + regcache_mark_dirty(ak4458->regmap); + +- return regcache_sync(ak4458->regmap); ++ ret = regcache_sync(ak4458->regmap); ++ if (ret) ++ goto err; ++ ++ return 0; ++err: ++ regcache_cache_only(ak4458->regmap, true); ++ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies); ++ return ret; + } + + static const struct snd_soc_component_driver soc_codec_dev_ak4458 = { +-- +2.51.0 + diff --git a/queue-6.18/asoc-ak5558-disable-regulator-when-error-happens.patch b/queue-6.18/asoc-ak5558-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..b9ebe69506 --- /dev/null +++ b/queue-6.18/asoc-ak5558-disable-regulator-when-error-happens.patch 
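Review bot: The new `err:` path in ak4458_runtime_resume() puts the regmap back into cache-only mode and drops the supplies, but it does not unwind anything else resume may have done earlier in the function, which starts outside the hunk. If resume also releases a reset or mute line before the sync, the failure path should mirror runtime suspend for those steps as well; this needs checking against the full function. The label has a single user, so the cleanup could sit directly in the `if (ret)` block. A short comment such as `/* sync failed: go back to the suspended state so the regulator use count stays balanced */` would state the intent. The same points apply to the identical change to ak5558_runtime_resume() in the next patch.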
@@ -0,0 +1,45 @@ +From 00b91f477451b65601d05609a2123d5206b7ed16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 18:05:29 +0800 +Subject: ASoC: ak5558: Disable regulator when error happens + +From: Shengjiu Wang + +[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ] + +Disable regulator in runtime resume when error happens to balance +the reference count of regulator. + +Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak5558.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c +index 683f3e472f500..73684fc5beb1a 100644 +--- a/sound/soc/codecs/ak5558.c ++++ b/sound/soc/codecs/ak5558.c +@@ -372,7 +372,15 @@ static int ak5558_runtime_resume(struct device *dev) + regcache_cache_only(ak5558->regmap, false); + regcache_mark_dirty(ak5558->regmap); + +- return regcache_sync(ak5558->regmap); ++ ret = regcache_sync(ak5558->regmap); ++ if (ret) ++ goto err; ++ ++ return 0; ++err: ++ regcache_cache_only(ak5558->regmap, true); ++ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies); ++ return ret; + } + + static const struct dev_pm_ops ak5558_pm = { +-- +2.51.0 + diff --git a/queue-6.18/asoc-amd-acp-audio-is-not-resuming-after-s0ix.patch b/queue-6.18/asoc-amd-acp-audio-is-not-resuming-after-s0ix.patch new file mode 100644 index 0000000000..40a8c475d2 --- /dev/null +++ b/queue-6.18/asoc-amd-acp-audio-is-not-resuming-after-s0ix.patch 
@@ -0,0 +1,104 @@ +From 91cbafae20baa83eca869f212a74473999a6f64a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 12:16:48 +0530 +Subject: ASoC: amd: acp: Audio is not resuming after s0ix + +From: Hemalatha Pinnamreddy + +[ Upstream commit 3ee257aba1d56c3f0f1028669a8ad0f1a477f05b ] + +Audio fails to resume after system exits suspend mode +due to accessing incorrect ring buffer address during +resume. This patch resolves issue by selecting correct +address based on the ACP version. + +Fixes: f6f7d25b11033 ("ASoC: amd: acp: Add pte configuration for ACP7.0 platform") +Signed-off-by: Hemalatha Pinnamreddy +Signed-off-by: Raghavendra Prasad Mallela +Reviewed-by: Mario Limonciello (AMD) +Link: https://patch.msgid.link/20251203064650.2554625-1-raghavendraprasad.mallela@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-legacy-common.c | 30 +++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/amd/acp/acp-legacy-common.c b/sound/soc/amd/acp/acp-legacy-common.c +index 3078f459e0050..4e477c48d4bdd 100644 +--- a/sound/soc/amd/acp/acp-legacy-common.c ++++ b/sound/soc/amd/acp/acp-legacy-common.c +@@ -219,7 +219,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + SP_PB_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_I2S_TX_FIFOADDR(chip); + reg_fifo_size = ACP_I2S_TX_FIFOSIZE(chip); +- phy_addr = I2S_SP_TX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_SP_TX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_SP_TX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_I2S_TX_RINGBUFADDR(chip)); + } else { + reg_dma_size = ACP_I2S_RX_DMA_SIZE(chip); +@@ -227,7 +230,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + SP_CAPT_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_I2S_RX_FIFOADDR(chip); + reg_fifo_size = ACP_I2S_RX_FIFOSIZE(chip); +- phy_addr = 
I2S_SP_RX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_SP_RX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_SP_RX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_I2S_RX_RINGBUFADDR(chip)); + } + break; +@@ -238,7 +244,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + BT_PB_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_BT_TX_FIFOADDR(chip); + reg_fifo_size = ACP_BT_TX_FIFOSIZE(chip); +- phy_addr = I2S_BT_TX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_BT_TX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_BT_TX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_BT_TX_RINGBUFADDR(chip)); + } else { + reg_dma_size = ACP_BT_RX_DMA_SIZE(chip); +@@ -246,7 +255,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + BT_CAPT_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_BT_RX_FIFOADDR(chip); + reg_fifo_size = ACP_BT_RX_FIFOSIZE(chip); +- phy_addr = I2S_BT_TX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_BT_RX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_BT_RX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_BT_RX_RINGBUFADDR(chip)); + } + break; +@@ -257,7 +269,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + HS_PB_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_HS_TX_FIFOADDR; + reg_fifo_size = ACP_HS_TX_FIFOSIZE; +- phy_addr = I2S_HS_TX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_HS_TX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_HS_TX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_HS_TX_RINGBUFADDR); + } else { + reg_dma_size = ACP_HS_RX_DMA_SIZE; +@@ -265,7 +280,10 @@ static int set_acp_i2s_dma_fifo(struct snd_pcm_substream *substream, + HS_CAPT_FIFO_ADDR_OFFSET; + reg_fifo_addr = ACP_HS_RX_FIFOADDR; 
+ reg_fifo_size = ACP_HS_RX_FIFOSIZE; +- phy_addr = I2S_HS_RX_MEM_WINDOW_START + stream->reg_offset; ++ if (chip->acp_rev >= ACP70_PCI_ID) ++ phy_addr = ACP7x_I2S_HS_RX_MEM_WINDOW_START; ++ else ++ phy_addr = I2S_HS_RX_MEM_WINDOW_START + stream->reg_offset; + writel(phy_addr, chip->base + ACP_HS_RX_RINGBUFADDR); + } + break; +-- +2.51.0 + diff --git a/queue-6.18/asoc-amd-acp-update-tdm-channels-for-specific-dai.patch b/queue-6.18/asoc-amd-acp-update-tdm-channels-for-specific-dai.patch new file mode 100644 index 0000000000..ef95233513 --- /dev/null +++ b/queue-6.18/asoc-amd-acp-update-tdm-channels-for-specific-dai.patch 
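Review bot: In the BT capture branch the legacy `else` address changes from `I2S_BT_TX_MEM_WINDOW_START` to `I2S_BT_RX_MEM_WINDOW_START`, which alters behaviour on pre-ACP7.0 parts as well. The commit message only describes selecting an address by ACP version, so that second fix deserves its own line in the description or a separate patch so it can be bisected. The ACP7x branches also drop `stream->reg_offset`, presumably on purpose, but nothing explains why. `chip->acp_rev >= ACP70_PCI_ID` relies on the revision IDs being numerically ordered, and the same four-line if/else is repeated six times; a small static helper taking the legacy and ACP7x window constants would keep the cases from drifting apart again. set_acp_i2s_dma_fifo() starts and ends outside the hunks.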
@@ -0,0 +1,41 @@ +From 4749b0cfd307a1ba5e2f87b6de14a7695571cb00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 17:31:34 +0530 +Subject: ASoC: amd: acp: update tdm channels for specific DAI + +From: Hemalatha Pinnamreddy + +[ Upstream commit f34836a8ddf9216ff919927cddb705022bf30aab ] + +TDM channel updates were applied to all DAIs, causing configurations +to overwrite for unrelated streams. The logic is modified to update +channels only for targeted DAI. This prevents corruption of other DAI +settings and resolves audio issues observed during system suspend and +resume cycles. + +Fixes: 12229b7e50cf ("ASoC: amd: acp: Add TDM support for acp i2s stream") +Signed-off-by: Hemalatha Pinnamreddy +Signed-off-by: Raghavendra Prasad Mallela +Link: https://patch.msgid.link/20251203120136.2591395-1-raghavendraprasad.mallela@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-i2s.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/amd/acp/acp-i2s.c b/sound/soc/amd/acp/acp-i2s.c +index 4ba0a66981ea9..283a674c7e2c3 100644 +--- a/sound/soc/amd/acp/acp-i2s.c ++++ b/sound/soc/amd/acp/acp-i2s.c +@@ -157,6 +157,8 @@ static int acp_i2s_set_tdm_slot(struct snd_soc_dai *dai, u32 tx_mask, u32 rx_mas + + spin_lock_irq(&chip->acp_lock); + list_for_each_entry(stream, &chip->stream_list, list) { ++ if (dai->id != stream->dai_id) ++ continue; + switch (chip->acp_rev) { + case ACP_RN_PCI_ID: + case ACP_RMB_PCI_ID: +-- +2.51.0 + diff --git a/queue-6.18/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch b/queue-6.18/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch new file mode 100644 index 0000000000..b73ed3977c --- /dev/null +++ b/queue-6.18/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch 
@@ -0,0 +1,44 @@ +From 290546f60b4b1e2d2e3f0ea0ab4232b611c435d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 18:16:42 +0800 +Subject: ASoC: bcm: bcm63xx-pcm-whistler: Check return value of + of_dma_configure() + +From: Haotian Zhang + +[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ] + +bcm63xx_soc_pcm_new() does not check the return value of +of_dma_configure(), which may fail with -EPROBE_DEFER or +other errors, allowing PCM setup to continue with incomplete +DMA configuration. + +Add error checking for of_dma_configure() and return on failure. + +Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c +index e3a4fcc63a56d..efeb06ddabeb3 100644 +--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c ++++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c +@@ -358,7 +358,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component, + + i2s_priv = dev_get_drvdata(snd_soc_rtd_to_cpu(rtd, 0)->dev); + +- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1); ++ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1); ++ if (ret) ++ return ret; + + ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32)); + if (ret) +-- +2.51.0 + diff --git a/queue-6.18/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch b/queue-6.18/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch new file mode 100644 index 0000000000..8e7e4b3a3d --- /dev/null +++ b/queue-6.18/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch 
@@ -0,0 +1,73 @@ +From 061593f925fbcfa34c3ec4b49a3f96559c2d7687 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 11:34:21 +0800 +Subject: blk-mq: Abort suspend when wakeup events are pending + +From: Cong Zhang + +[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ] + +During system suspend, wakeup capable IRQs for block device can be +delayed, which can cause blk_mq_hctx_notify_offline() to hang +indefinitely while waiting for pending request to complete. +Skip the request waiting loop and abort suspend when wakeup events are +pending to prevent the deadlock. + +Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline") +Signed-off-by: Cong Zhang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index d626d32f6e576..33a0062f9e56d 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -3707,6 +3708,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + { + struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node, + struct blk_mq_hw_ctx, cpuhp_online); ++ int ret = 0; + + if (blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; +@@ -3727,12 +3729,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + * frozen and there are no requests. + */ + if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) { +- while (blk_mq_hctx_has_requests(hctx)) ++ while (blk_mq_hctx_has_requests(hctx)) { ++ /* ++ * The wakeup capable IRQ handler of block device is ++ * not called during suspend. Skip the loop by checking ++ * pm_wakeup_pending to prevent the deadlock and improve ++ * suspend latency. 
++ */ ++ if (pm_wakeup_pending()) { ++ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state); ++ ret = -EBUSY; ++ break; ++ } + msleep(5); ++ } + percpu_ref_put(&hctx->queue->q_usage_counter); + } + +- return 0; ++ return ret; + } + + /* +-- +2.51.0 + diff --git a/queue-6.18/block-fix-cached-zone-reports-on-devices-with-native.patch b/queue-6.18/block-fix-cached-zone-reports-on-devices-with-native.patch new file mode 100644 index 0000000000..1bde35ebd5 --- /dev/null +++ b/queue-6.18/block-fix-cached-zone-reports-on-devices-with-native.patch 
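Review bot: Returning -EBUSY from blk_mq_hctx_notify_offline() fails the CPU offline for every user of this hotplug callback, so the new `pm_wakeup_pending()` test must not fire outside a suspend transition. That appears to depend on wakeup-event checking being armed only while suspending, which cannot be confirmed from this hunk. The added comment explains why the wait loop is skipped but not what the early exit does; I would extend it with `/* Clearing BLK_MQ_S_INACTIVE lets the hctx accept requests again; -EBUSY makes the hotplug core abort the offline. */`. The part of the function that sets BLK_MQ_S_INACTIVE is outside the hunks shown.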
@@ -0,0 +1,67 @@ +From 8824f5ef2b790ce17c86094cea8df1e928e419c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 03:10:37 +0100 +Subject: block: fix cached zone reports on devices with native zone append + +From: Johannes Thumshirn + +[ Upstream commit 2c38ec934ddfe2d35c813edea2674356bea0fabe ] + +When mounting a btrfs file system on virtio-blk which supports native +Zone Append there has been a WARN triggering in btrfs' space management +code. + +Further looking into btrfs' zoned statistics uncovered the filesystem +expecting the zones to be used, but the write pointers being 0: + # cat /sys/fs/btrfs/8eabd2e7-3294-4f9e-9b58-7e64135c8bf4/zoned_stats + active block-groups: 4 + reclaimable: 0 + unused: 0 + need reclaim: false + data relocation block-group: 1342177280 + active zones: + start: 1073741824, wp: 0 used: 0, reserved: 0, unusable: 0 + start: 1342177280, wp: 0 used: 0, reserved: 0, unusable: 0 + start: 1610612736, wp: 0 used: 16384, reserved: 0, unusable: 18446744073709535232 + start: 1879048192, wp: 0 used: 131072, reserved: 0, unusable: 18446744073709420544 + +Looking at the blkzone report output for the zone in question +(1610612736) the write pointer on the device moved, but the filesystem +did not see a change on the write pointer: + # blkzone report -c 1 -o 0x300000 /dev/vda + start: 0x000300000, len 0x080000, cap 0x080000, wptr 0x000040 reset:0 non-seq:0, zcond: 2(oi) [type: 2(SEQ_WRITE_REQUIRED)] + +The zone write pointer is 0, because btrfs is using the cached version +of blkdev_report_zones() and as virtio-blk is supporting native zone +append, but blkdev_revalidate_zones() does not initialize the zone write +plugs in this case. + +Not skipping the revalidate of sequential zones in +blkdev_revalidate_zones() callchain fixes this issue. 
+ +Signed-off-by: Johannes Thumshirn +Reviewed-by: Christoph Hellwig +Reviewed-by: Damien Le Moal +Fixes: a6aa36e957a1 ("block: Remove zone write plugs when handling native zone append writes") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-zoned.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-zoned.c b/block/blk-zoned.c +index 5e2a5788dc3b2..1675d5d7bd9b1 100644 +--- a/block/blk-zoned.c ++++ b/block/blk-zoned.c +@@ -1629,7 +1629,7 @@ static int blk_revalidate_seq_zone(struct blk_zone *zone, unsigned int idx, + * we have a zone write plug for such zone if the device has a zone + * write plug hash table. + */ +- if (!queue_emulates_zone_append(disk->queue) || !disk->zone_wplugs_hash) ++ if (!disk->zone_wplugs_hash) + return 0; + + disk_zone_wplug_sync_wp_offset(disk, zone); +-- +2.51.0 + diff --git a/queue-6.18/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch b/queue-6.18/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch new file mode 100644 index 0000000000..88906cc0ad --- /dev/null +++ b/queue-6.18/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch 
@@ -0,0 +1,44 @@ +From c4bc5d01544e7478cd8fed6052db63dd551517bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 23:17:49 +0800 +Subject: block: fix comment for op_is_zone_mgmt() to include RESET_ALL + +From: shechenglong + +[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ] + +REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt() +has returned true for it. + +Update the comment to remove the misleading exception note so +the documentation matches the implementation. + +Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL") +Signed-off-by: shechenglong +Reviewed-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/blk_types.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h +index 44c30183ecc34..4e2e3aed32f5f 100644 +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -469,10 +469,7 @@ static inline bool op_is_discard(blk_opf_t op) + } + + /* +- * Check if a bio or request operation is a zone management operation, with +- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case +- * due to its different handling in the block layer and device response in +- * case of command failure. ++ * Check if a bio or request operation is a zone management operation. + */ + static inline bool op_is_zone_mgmt(enum req_op op) + { +-- +2.51.0 + diff --git a/queue-6.18/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch b/queue-6.18/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch new file mode 100644 index 0000000000..b320aace36 --- /dev/null +++ b/queue-6.18/block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch 
@@ -0,0 +1,55 @@ +From 1643713cf444bb5d9ca120ee5fe576332d9d6266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 23:42:59 +0530 +Subject: block: fix memory leak in __blkdev_issue_zero_pages + +From: Shaurya Rane + +[ Upstream commit f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf ] + +Move the fatal signal check before bio_alloc() to prevent a memory +leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending. + +Previously, the bio was allocated before checking for a fatal signal. +If a signal was pending, the code would break out of the loop without +freeing or chaining the just-allocated bio, causing a memory leak. + +This matches the pattern already used in __blkdev_issue_write_zeroes() +where the signal check precedes the allocation. + +Fixes: bf86bcdb4012 ("blk-lib: check for kill signal in ioctl BLKZEROOUT") +Reported-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=527a7e48a3d3d315d862 +Signed-off-by: Shaurya Rane +Reviewed-by: Keith Busch +Tested-by: syzbot+527a7e48a3d3d315d862@syzkaller.appspotmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-lib.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/block/blk-lib.c b/block/blk-lib.c +index 3030a772d3aa0..352e3c0f8a7d7 100644 +--- a/block/blk-lib.c ++++ b/block/blk-lib.c +@@ -202,13 +202,13 @@ static void __blkdev_issue_zero_pages(struct block_device *bdev, + unsigned int nr_vecs = __blkdev_sectors_to_bio_pages(nr_sects); + struct bio *bio; + +- bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask); +- bio->bi_iter.bi_sector = sector; +- + if ((flags & BLKDEV_ZERO_KILLABLE) && + fatal_signal_pending(current)) + break; + ++ bio = bio_alloc(bdev, nr_vecs, REQ_OP_WRITE, gfp_mask); ++ bio->bi_iter.bi_sector = sector; ++ + do { + unsigned int len; + +-- +2.51.0 + 
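Review bot: The relocated `bio_alloc()` result is still dereferenced on the next line (`bio->bi_iter.bi_sector = sector;`) without a NULL check, while `gfp_mask` comes from the caller. That is safe only if every caller passes a mask that allows blocking, which is not visible in this hunk. Since the function returns void and cannot report the failure, the assumption should at least be recorded next to the allocation: `/* gfp_mask must allow direct reclaim so that bio_alloc() cannot return NULL here */`. The enclosing loop of __blkdev_issue_zero_pages() begins and ends outside the hunk.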
diff --git a/queue-6.18/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch b/queue-6.18/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch
new file mode 100644
index 0000000000..b9b9611181
--- /dev/null
+++ b/queue-6.18/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch
@@ -0,0 +1,169 @@ +From 4e6f6e0a981ed78e5a6e9402e4895bf751293422 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Dec 2025 13:17:02 -0800 +Subject: block: Use RCU in blk_mq_[un]quiesce_tagset() instead of + set->tag_list_lock + +From: Mohamed Khalfella + +[ Upstream commit 59e25ef2b413c72da6686d431e7759302cfccafa ] + +blk_mq_{add,del}_queue_tag_set() functions add and remove queues from +tagset, the functions make sure that tagset and queues are marked as +shared when two or more queues are attached to the same tagset. +Initially a tagset starts as unshared and when the number of added +queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along +with all the queues attached to it. When the number of attached queues +drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and +the remaining queues as unshared. + +Both functions need to freeze current queues in tagset before setting on +unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions +hold set->tag_list_lock mutex, which makes sense as we do not want +queues to be added or deleted in the process. This used to work fine +until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") +made the nvme driver quiesce tagset instead of quiscing individual +queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in +set->tag_list while holding set->tag_list_lock also. + +This results in deadlock between two threads with these stacktraces: + + __schedule+0x47c/0xbb0 + ? timerqueue_add+0x66/0xb0 + schedule+0x1c/0xa0 + schedule_preempt_disabled+0xa/0x10 + __mutex_lock.constprop.0+0x271/0x600 + blk_mq_quiesce_tagset+0x25/0xc0 + nvme_dev_disable+0x9c/0x250 + nvme_timeout+0x1fc/0x520 + blk_mq_handle_expired+0x5c/0x90 + bt_iter+0x7e/0x90 + blk_mq_queue_tag_busy_iter+0x27e/0x550 + ? __blk_mq_complete_request_remote+0x10/0x10 + ? __blk_mq_complete_request_remote+0x10/0x10 + ? 
__call_rcu_common.constprop.0+0x1c0/0x210 + blk_mq_timeout_work+0x12d/0x170 + process_one_work+0x12e/0x2d0 + worker_thread+0x288/0x3a0 + ? rescuer_thread+0x480/0x480 + kthread+0xb8/0xe0 + ? kthread_park+0x80/0x80 + ret_from_fork+0x2d/0x50 + ? kthread_park+0x80/0x80 + ret_from_fork_asm+0x11/0x20 + + __schedule+0x47c/0xbb0 + ? xas_find+0x161/0x1a0 + schedule+0x1c/0xa0 + blk_mq_freeze_queue_wait+0x3d/0x70 + ? destroy_sched_domains_rcu+0x30/0x30 + blk_mq_update_tag_set_shared+0x44/0x80 + blk_mq_exit_queue+0x141/0x150 + del_gendisk+0x25a/0x2d0 + nvme_ns_remove+0xc9/0x170 + nvme_remove_namespaces+0xc7/0x100 + nvme_remove+0x62/0x150 + pci_device_remove+0x23/0x60 + device_release_driver_internal+0x159/0x200 + unbind_store+0x99/0xa0 + kernfs_fop_write_iter+0x112/0x1e0 + vfs_write+0x2b1/0x3d0 + ksys_write+0x4e/0xb0 + do_syscall_64+0x5b/0x160 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +The top stacktrace is showing nvme_timeout() called to handle nvme +command timeout. timeout handler is trying to disable the controller and +as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not +to call queue callback handlers. The thread is stuck waiting for +set->tag_list_lock as it tries to walk the queues in set->tag_list. + +The lock is held by the second thread in the bottom stack which is +waiting for one of queues to be frozen. The queue usage counter will +drop to zero after nvme_timeout() finishes, and this will not happen +because the thread will wait for this mutex forever. + +Given that [un]quiescing queue is an operation that does not need to +sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking +set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU +safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list) +in blk_mq_del_queue_tag_set() because we can not re-initialize it while +the list is being traversed under RCU. 
The deleted queue will not be +added/deleted to/from a tagset and it will be freed in blk_free_queue() +after the end of RCU grace period. + +Signed-off-by: Mohamed Khalfella +Fixes: 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") +Reviewed-by: Ming Lei +Reviewed-by: Bart Van Assche +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 33a0062f9e56d..f901aeba85522 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -336,12 +336,12 @@ void blk_mq_quiesce_tagset(struct blk_mq_tag_set *set) + { + struct request_queue *q; + +- mutex_lock(&set->tag_list_lock); +- list_for_each_entry(q, &set->tag_list, tag_set_list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) { + if (!blk_queue_skip_tagset_quiesce(q)) + blk_mq_quiesce_queue_nowait(q); + } +- mutex_unlock(&set->tag_list_lock); ++ rcu_read_unlock(); + + blk_mq_wait_quiesce_done(set); + } +@@ -351,12 +351,12 @@ void blk_mq_unquiesce_tagset(struct blk_mq_tag_set *set) + { + struct request_queue *q; + +- mutex_lock(&set->tag_list_lock); +- list_for_each_entry(q, &set->tag_list, tag_set_list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) { + if (!blk_queue_skip_tagset_quiesce(q)) + blk_mq_unquiesce_queue(q); + } +- mutex_unlock(&set->tag_list_lock); ++ rcu_read_unlock(); + } + EXPORT_SYMBOL_GPL(blk_mq_unquiesce_tagset); + +@@ -4308,7 +4308,7 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q) + struct blk_mq_tag_set *set = q->tag_set; + + mutex_lock(&set->tag_list_lock); +- list_del(&q->tag_set_list); ++ list_del_rcu(&q->tag_set_list); + if (list_is_singular(&set->tag_list)) { + /* just transitioned to unshared */ + set->flags &= ~BLK_MQ_F_TAG_QUEUE_SHARED; +@@ -4316,7 +4316,6 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q) + blk_mq_update_tag_set_shared(set, false); + 
} + mutex_unlock(&set->tag_list_lock); +- INIT_LIST_HEAD(&q->tag_set_list); + } + + static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set, +@@ -4335,7 +4334,7 @@ static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set, + } + if (set->flags & BLK_MQ_F_TAG_QUEUE_SHARED) + queue_set_hctx_shared(q, true); +- list_add_tail(&q->tag_set_list, &set->tag_list); ++ list_add_tail_rcu(&q->tag_set_list, &set->tag_list); + + mutex_unlock(&set->tag_list_lock); + } +-- +2.51.0 + diff --git a/queue-6.18/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch b/queue-6.18/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch new file mode 100644 index 0000000000..d71ccbea12 --- /dev/null +++ b/queue-6.18/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch 
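Review bot: The removal of `INIT_LIST_HEAD(&q->tag_set_list)` from `blk_mq_del_queue_tag_set()` leaves nothing in the code explaining why the entry must not be reinitialised; the reason (a reader in `blk_mq_[un]quiesce_tagset()` may still be walking through this node) lives only in the commit message. A comment after `list_del_rcu()` would keep the line from being added back, for example `/* No INIT_LIST_HEAD(): RCU readers may still traverse q->tag_set_list; q is freed after a grace period. */`. The lockless walk is also only safe if the queue is freed after an RCU grace period and nothing in the two loop bodies sleeps. The commit message states both, but neither is visible in these hunks, so they should be confirmed against the tree this is backported to.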
@@ -0,0 +1,61 @@
+From 6a64d09499f601bf000103052acfbbbf35a2f1ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 16:24:53 +0000
+Subject: cifs: Fix handling of a beyond-EOF DIO/unbuffered read over SMB1
+
+From: David Howells
+
+[ Upstream commit 9d85ac939d52e93d80efb01a299c6f0bedb30487 ]
+
+If a DIO read or an unbuffered read request extends beyond the EOF, the
+server will return a short read and a status code indicating that EOF was
+hit, which gets translated to -ENODATA. Note that the client does not cap
+the request at i_size, but asks for the amount requested in case there's a
+race on the server with a third party.
+
+Now, on the client side, the request will get split into multiple
+subrequests if rsize is smaller than the full request size. A subrequest
+that starts before or at the EOF and returns short data up to the EOF will
+be correctly handled, with the NETFS_SREQ_HIT_EOF flag being set,
+indicating to netfslib that we can't read more.
+
+If a subrequest, however, starts after the EOF and not at it, HIT_EOF will
+not be flagged, its error will be set to -ENODATA and it will be abandoned.
+This will cause the request as a whole to fail with -ENODATA.
+
+Fix this by setting NETFS_SREQ_HIT_EOF on any subrequest that lies beyond
+the EOF marker.
+
+This can be reproduced by mounting with "cache=none,sign,vers=1.0" and
+doing a read of a file that's significantly bigger than the size of the
+file (e.g. attempting to read 64KiB from a 16KiB file).
+
+Fixes: a68c74865f51 ("cifs: Fix SMB1 readv/writev callback in the same way as SMB2/3")
+Signed-off-by: David Howells
+Reviewed-by: Paulo Alcantara (Red Hat)
+cc: Shyam Prasad N
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/smb/client/cifssmb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index dcc50a2bfa4b2..bfc9b1ea76fac 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -1374,7 +1374,7 @@ cifs_readv_callback(struct mid_q_entry *mid)
+ } else {
+ size_t trans = rdata->subreq.transferred + rdata->got_bytes;
+ if (trans < rdata->subreq.len &&
+- rdata->subreq.start + trans == ictx->remote_i_size) {
++ rdata->subreq.start + trans >= ictx->remote_i_size) {
+ rdata->result = 0;
+ __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
+ } else if (rdata->got_bytes > 0) {
+--
+2.51.0
+
diff --git a/queue-6.18/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch-14012 b/queue-6.18/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch-14012
new file mode 100644
index 0000000000..b61880d836
--- /dev/null
+++ b/queue-6.18/cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch-14012
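Review bot: The widened test `rdata->subreq.start + trans >= ictx->remote_i_size` now classifies every short read that ends at or past the cached remote size as EOF and clears the error, where `==` did so only at the exact boundary. `remote_i_size` is the client's view of the file size, so if it lags behind a file that has grown on the server, a short read that happened for another reason would presumably be reported as a clean EOF instead of failing; whether that can occur depends on code outside the hunk. A comment on the condition would record the assumption, for example `/* Short read at or beyond the server EOF as last seen: report EOF, not an error. */`. The same condition is changed in `smb2_readv_callback()` in the SMB2 patch that follows, where the two statements in the branch are in the opposite order; aligning them would make the two callbacks easier to compare.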
@@ -0,0 +1,57 @@
+From 5fe54a93699748efb327ee6acd49bfb35b7e181f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 21:55:27 +0000
+Subject: cifs: Fix handling of a beyond-EOF DIO/unbuffered read over SMB2
+
+From: David Howells
+
+[ Upstream commit 4ae4dde6f34a4124c65468ae4fa1f915fb40f900 ]
+
+If a DIO read or an unbuffered read request extends beyond the EOF, the
+server will return a short read and a status code indicating that EOF was
+hit, which gets translated to -ENODATA. Note that the client does not cap
+the request at i_size, but asks for the amount requested in case there's a
+race on the server with a third party.
+
+Now, on the client side, the request will get split into multiple
+subrequests if rsize is smaller than the full request size. A subrequest
+that starts before or at the EOF and returns short data up to the EOF will
+be correctly handled, with the NETFS_SREQ_HIT_EOF flag being set,
+indicating to netfslib that we can't read more.
+
+If a subrequest, however, starts after the EOF and not at it, HIT_EOF will
+not be flagged, its error will be set to -ENODATA and it will be abandoned.
+This will cause the request as a whole to fail with -ENODATA.
+
+Fix this by setting NETFS_SREQ_HIT_EOF on any subrequest that lies beyond
+the EOF marker.
+
+Fixes: 1da29f2c39b6 ("netfs, cifs: Fix handling of short DIO read")
+Signed-off-by: David Howells
+Reviewed-by: Paulo Alcantara (Red Hat)
+cc: Shyam Prasad N
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/smb/client/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index 8b4a4573e9c37..e661d40213eab 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -4629,7 +4629,7 @@ smb2_readv_callback(struct mid_q_entry *mid)
+ } else {
+ size_t trans = rdata->subreq.transferred + rdata->got_bytes;
+ if (trans < rdata->subreq.len &&
+- rdata->subreq.start + trans == ictx->remote_i_size) {
++ rdata->subreq.start + trans >= ictx->remote_i_size) {
+ __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
+ rdata->result = 0;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/dm-log-writes-add-missing-set_freezable-for-freezabl.patch b/queue-6.18/dm-log-writes-add-missing-set_freezable-for-freezabl.patch
new file mode 100644
index 0000000000..85a7599ce7
--- /dev/null
+++ b/queue-6.18/dm-log-writes-add-missing-set_freezable-for-freezabl.patch
@@ -0,0 +1,40 @@
+From f5465eb5d388ac86baf4aae9722db12ad74106f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 15:41:03 +0800
+Subject: dm log-writes: Add missing set_freezable() for freezable kthread
+
+From: Haotian Zhang
+
+[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ]
+
+The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(),
+rendering the freeze attempt ineffective since kernel threads are
+non-freezable by default. This prevents proper thread suspension during
+system suspend/hibernate.
+
+Add set_freezable() to explicitly mark the thread as freezable.
+
+Fixes: 0e9cebe72459 ("dm: add log writes target")
+Signed-off-by: Haotian Zhang
+Reviewed-by: Benjamin Marzinski
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-log-writes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c
+index 7bb7174f8f4f8..f0c84e7a5daa6 100644
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -432,6 +432,7 @@ static int log_writes_kthread(void *arg)
+ struct log_writes_c *lc = arg;
+ sector_t sector = 0;
+
++ set_freezable();
+ while (!kthread_should_stop()) {
+ bool super = false;
+ bool logging_enabled;
+--
+2.51.0
+
diff --git a/queue-6.18/dm-raid-fix-possible-null-dereference-with-undefined.patch b/queue-6.18/dm-raid-fix-possible-null-dereference-with-undefined.patch
new file mode 100644
index 0000000000..de9af83e7a
--- /dev/null
+++ b/queue-6.18/dm-raid-fix-possible-null-dereference-with-undefined.patch
@@ -0,0 +1,42 @@
+From 6b55df11838753f17961bc72be5cfc6308ec4fc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 20:18:38 +0300
+Subject: dm-raid: fix possible NULL dereference with undefined raid type
+
+From: Alexey Simakov
+
+[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ]
+
+rs->raid_type is assigned from get_raid_type_by_ll(), which may return
+NULL. This NULL value could be dereferenced later in the condition
+'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'.
+
+Add a fail-fast check to return early with an error if raid_type is NULL,
+similar to other uses of this function.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping")
+Signed-off-by: Alexey Simakov
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-raid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index c6f7129e43d34..4bacdc499984b 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2287,6 +2287,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev)
+
+ mddev->reshape_position = le64_to_cpu(sb->reshape_position);
+ rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout);
++ if (!rs->raid_type)
++ return -EINVAL;
+ }
+
+ } else {
+--
+2.51.0
+
diff --git a/queue-6.18/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch b/queue-6.18/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch
new file mode 100644
index 0000000000..3557b56a02
--- /dev/null
+++ b/queue-6.18/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch
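Review bot: The new `return -EINVAL;` after `get_raid_type_by_ll()` fails silently, so a level/layout pair that maps to no known raid type is rejected with no hint of the cause. The line above reads `sb->reshape_position` through `le64_to_cpu()`, so this code is validating stored superblock metadata, and a rejected value deserves a log line before the return, e.g. `DMERR("Unknown raid level/layout in superblock");`. Whether `mddev->level` and `mddev->layout` are themselves taken from the superblock at this point is outside the hunk.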
@@ -0,0 +1,40 @@
+From 73c7646eb7f55be587754d8b7fc37f1808bdaf70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 09:28:10 -0600
+Subject: dma/pool: eliminate alloc_pages warning in atomic_pool_expand
+
+From: Dave Kleikamp
+
+[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ]
+
+atomic_pool_expand iteratively tries the allocation while decrementing
+the page order. There is no need to issue a warning if an attempted
+allocation fails.
+
+Signed-off-by: Dave Kleikamp
+Reviewed-by: Robin Murphy
+Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone")
+[mszyprow: fixed typo]
+Signed-off-by: Marek Szyprowski
+Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com
+Signed-off-by: Sasha Levin
+---
+ kernel/dma/pool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c
+index ee45dee33d491..26392badc36b0 100644
+--- a/kernel/dma/pool.c
++++ b/kernel/dma/pool.c
+@@ -93,7 +93,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size,
+ page = dma_alloc_from_contiguous(NULL, 1 << order,
+ order, false);
+ if (!page)
+- page = alloc_pages(gfp, order);
++ page = alloc_pages(gfp | __GFP_NOWARN, order);
+ } while (!page && order-- > 0);
+ if (!page)
+ goto out;
+--
+2.51.0
+
diff --git a/queue-6.18/docs-hwmon-fix-link-to-g762-devicetree-binding.patch b/queue-6.18/docs-hwmon-fix-link-to-g762-devicetree-binding.patch
new file mode 100644
index 0000000000..4360c3c272
--- /dev/null
+++ b/queue-6.18/docs-hwmon-fix-link-to-g762-devicetree-binding.patch
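Review bot: The CMA attempt just above the changed line still passes `false` as the last argument of `dma_alloc_from_contiguous()`, which in the current API is the no-warn flag, so that path may still log a failure on each pass of the order-stepping loop while only the `alloc_pages()` fallback is silenced. If the intent is to stay quiet until the loop gives up, the two calls should agree, e.g. `order, true);` on the continuation line, provided the signature in the tree being patched matches. With both attempts quiet, the `goto out` path after the loop becomes the only place a total failure can be reported; that label is outside the hunk, so it is worth confirming that it or the callers still log it.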
@@ -0,0 +1,37 @@
+From 4e4991e0665d5b5af926cbcf32914553e3e64006 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Dec 2025 21:58:35 +0000
+Subject: docs: hwmon: fix link to g762 devicetree binding
+
+From: Kathara Sasikumar
+
+[ Upstream commit 08bfcf4ff9d39228150a757803fc02dffce84ab0 ]
+
+The devicetree binding for g762 was converted to YAML to match vendor
+prefix conventions. Update the reference accordingly.
+
+Signed-off-by: Kathara Sasikumar
+Link: https://lore.kernel.org/r/20251205215835.783273-1-katharasasikumar007@gmail.com
+Fixes: 3d8e25372417 ("dt-bindings: hwmon: g762: Convert to yaml schema")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ Documentation/hwmon/g762.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/hwmon/g762.rst b/Documentation/hwmon/g762.rst
+index 0371b3365c48c..f224552a2d3cc 100644
+--- a/Documentation/hwmon/g762.rst
++++ b/Documentation/hwmon/g762.rst
+@@ -17,7 +17,7 @@ done via a userland daemon like fancontrol.
+ Note that those entries do not provide ways to setup the specific
+ hardware characteristics of the system (reference clock, pulses per
+ fan revolution, ...); Those can be modified via devicetree bindings
+-documented in Documentation/devicetree/bindings/hwmon/g762.txt or
++documented in Documentation/devicetree/bindings/hwmon/gmt,g762.yaml or
+ using a specific platform_data structure in board initialization
+ file (see include/linux/platform_data/g762.h).
+
+--
+2.51.0
+
diff --git a/queue-6.18/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch b/queue-6.18/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch
new file mode 100644
index 0000000000..73840c9332
--- /dev/null
+++ b/queue-6.18/drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch
@@ -0,0 +1,93 @@ +From 52d1c3155e5f003a84f9825b3783c667e3b51222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 14:12:29 -0600 +Subject: drm/amdkfd: Use huge page size to check split svm range alignment + +From: Xiaogang Chen + +[ Upstream commit bf2084a7b1d75d093b6a79df4c10142d49fbaa0e ] + +When split svm ranges that have been mapped using huge page should use huge +page size(2MB) to check split range alignment, not prange->granularity that +means migration granularity. + +Fixes: 7ef6b2d4b7e5 ("drm/amdkfd: remap unaligned svm ranges that have split") +Signed-off-by: Xiaogang Chen +Reviewed-by: Philip Yang +Signed-off-by: Alex Deucher +(cherry picked from commit 448ee45353ef9fb1a34f5f26eb3f48923c6f0898) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 46 +++++++++++++++++++--------- + 1 file changed, 32 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +index 74a1d3e1d52be..49dd0a81114e4 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +@@ -1144,30 +1144,48 @@ static int + svm_range_split_tail(struct svm_range *prange, uint64_t new_last, + struct list_head *insert_list, struct list_head *remap_list) + { ++ unsigned long last_align_down = ALIGN_DOWN(prange->last, 512); ++ unsigned long start_align = ALIGN(prange->start, 512); ++ bool huge_page_mapping = last_align_down > start_align; + struct svm_range *tail = NULL; +- int r = svm_range_split(prange, prange->start, new_last, &tail); ++ int r; + +- if (!r) { +- list_add(&tail->list, insert_list); +- if (!IS_ALIGNED(new_last + 1, 1UL << prange->granularity)) +- list_add(&tail->update_list, remap_list); +- } +- return r; ++ r = svm_range_split(prange, prange->start, new_last, &tail); ++ ++ if (r) ++ return r; ++ ++ list_add(&tail->list, insert_list); ++ ++ if (huge_page_mapping && tail->start > start_align && ++ tail->start < last_align_down && 
(!IS_ALIGNED(tail->start, 512))) ++ list_add(&tail->update_list, remap_list); ++ ++ return 0; + } + + static int + svm_range_split_head(struct svm_range *prange, uint64_t new_start, + struct list_head *insert_list, struct list_head *remap_list) + { ++ unsigned long last_align_down = ALIGN_DOWN(prange->last, 512); ++ unsigned long start_align = ALIGN(prange->start, 512); ++ bool huge_page_mapping = last_align_down > start_align; + struct svm_range *head = NULL; +- int r = svm_range_split(prange, new_start, prange->last, &head); ++ int r; + +- if (!r) { +- list_add(&head->list, insert_list); +- if (!IS_ALIGNED(new_start, 1UL << prange->granularity)) +- list_add(&head->update_list, remap_list); +- } +- return r; ++ r = svm_range_split(prange, new_start, prange->last, &head); ++ ++ if (r) ++ return r; ++ ++ list_add(&head->list, insert_list); ++ ++ if (huge_page_mapping && head->last + 1 > start_align && ++ head->last + 1 < last_align_down && (!IS_ALIGNED(head->last, 512))) ++ list_add(&head->update_list, remap_list); ++ ++ return 0; + } + + static void +-- +2.51.0 + diff --git a/queue-6.18/drm-i915-fbdev-hold-runtime-pm-ref-during-fbdev-bo-c.patch b/queue-6.18/drm-i915-fbdev-hold-runtime-pm-ref-during-fbdev-bo-c.patch new file mode 100644 index 0000000000..6bafbf6fd4 --- /dev/null +++ b/queue-6.18/drm-i915-fbdev-hold-runtime-pm-ref-during-fbdev-bo-c.patch 
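Review bot: In `svm_range_split_head()` the range tests use `head->last + 1` but the alignment test is `!IS_ALIGNED(head->last, 512)`, which looks like an off-by-one: `head->last` is presumably the inclusive end of the head, so the split boundary is `head->last + 1`, the value the replaced code tested through `new_start`. As written, a split exactly on a 512-aligned boundary is queued for remap while one that is one unit past it is not, the opposite of `svm_range_split_tail()`, which tests `tail->start`. If that reading is right the line should be `head->last + 1 < last_align_down && (!IS_ALIGNED(head->last + 1, 512)))`. The literal 512 appears six times across the two functions and would be clearer as a named constant for the huge-page size in range units.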
@@ -0,0 +1,77 @@ +From 046e630c7cd13fcecbcc64d4828d2ca4751c8a37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 19:24:03 +0530 +Subject: drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dibin Moolakadan Subrahmanian + +[ Upstream commit 460b31720369fc77c23301708641cfa1bf2fcb8f ] + +During fbdev probe, the xe driver allocates and pins a framebuffer +BO (via xe_bo_create_pin_map_novm() → xe_ggtt_insert_bo()). + +Without a runtime PM reference, xe_pm_runtime_get_noresume() warns about +missing outer PM protection as below: + + xe 0000:03:00.0: [drm] Missing outer runtime PM protection + +Acquire a runtime PM reference before framebuffer allocation to ensure +xe_ggtt_insert_bo() executes under active runtime PM context. + +Changes in v2: + - Update commit message to add Fixes tag (Jani Nikula) + +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6350 +Fixes: 44e694958b95 ("drm/xe/display: Implement display support") +Cc: Jani Nikula +Signed-off-by: Dibin Moolakadan Subrahmanian +Reviewed-by: Jouni Högander +Signed-off-by: Ankit Nautiyal +Link: https://patch.msgid.link/20251111135403.3415947-1-dibin.moolakadan.subrahmanian@intel.com +(cherry picked from commit 37fc7b7b3ab0e3bb900657199cd3770a4fda03fb) +Signed-off-by: Jani Nikula +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_fbdev.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev.c b/drivers/gpu/drm/i915/display/intel_fbdev.c +index e46c08762b847..7daf72b69bae4 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev.c +@@ -263,13 +263,18 @@ int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + drm_framebuffer_put(&fb->base); + fb = NULL; + } ++ ++ wakeref = intel_display_rpm_get(display); ++ + if (!fb || 
drm_WARN_ON(display->drm, !intel_fb_bo(&fb->base))) { + drm_dbg_kms(display->drm, + "no BIOS fb, allocating a new one\n"); + + fb = __intel_fbdev_fb_alloc(display, sizes); +- if (IS_ERR(fb)) +- return PTR_ERR(fb); ++ if (IS_ERR(fb)) { ++ ret = PTR_ERR(fb); ++ goto out_unlock; ++ } + } else { + drm_dbg_kms(display->drm, "re-using BIOS fb\n"); + prealloc = true; +@@ -277,8 +282,6 @@ int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + sizes->fb_height = fb->base.height; + } + +- wakeref = intel_display_rpm_get(display); +- + /* Pin the GGTT vma for our access via info->screen_base. + * This also validates that any existing fb inherited from the + * BIOS is suitable for own access. +-- +2.51.0 + diff --git a/queue-6.18/drm-i915-fbdev-make-intel_framebuffer_create-error-r.patch b/queue-6.18/drm-i915-fbdev-make-intel_framebuffer_create-error-r.patch new file mode 100644 index 0000000000..d545180f29 --- /dev/null +++ b/queue-6.18/drm-i915-fbdev-make-intel_framebuffer_create-error-r.patch 
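Review bot: The new `goto out_unlock` on the `IS_ERR(fb)` path is only correct if that label releases `wakeref` and does not touch `fb`, which holds an error pointer at that point; the label is outside the hunk, so this needs checking in the tree being patched. Moving `intel_display_rpm_get()` up also means the reference is now held across the framebuffer allocation, and nothing in the code says why. A comment on that line would record it, e.g. `/* Hold runtime PM across fb allocation: BO creation inserts into the GGTT. */`.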
@@ -0,0 +1,50 @@
+From dfad64fe5781ba77a43c348e1275e9af210970aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Sep 2025 11:40:52 +0300
+Subject: drm/i915/fbdev: make intel_framebuffer_create() error return handling
+ explicit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula
+
+[ Upstream commit 6979d2c80c2a5b1f04157c4d6eb038bb32861cfa ]
+
+It's sketchy to pass error pointers via to_intel_framebuffer(). It
+probably works as long as struct intel_framebuffer embeds struct
+drm_framebuffer at offset 0, but be explicit about it.
+
+Reviewed-by: Ville Syrjälä
+Link: https://lore.kernel.org/r/17631db227d527d6c67f5d6b67adec1ff8dc6f8d.1758184771.git.jani.nikula@intel.com
+Signed-off-by: Jani Nikula
+Stable-dep-of: 460b31720369 ("drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/display/intel_fbdev_fb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c
+index 210aee9ae88b8..b9dfd00a7d05b 100644
+--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c
++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c
+@@ -67,9 +67,16 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper,
+ mode_cmd.pixel_format,
+ mode_cmd.modifier[0]),
+ &mode_cmd);
++ if (IS_ERR(fb)) {
++ i915_gem_object_put(obj);
++ goto err;
++ }
++
+ i915_gem_object_put(obj);
+
+ return to_intel_framebuffer(fb);
++err:
++ return ERR_CAST(fb);
+ }
+
+ int intel_fbdev_fb_fill_info(struct intel_display *display, struct fb_info *info,
+--
+2.51.0
+
diff --git a/queue-6.18/drm-i915-xe-fbdev-deduplicate-struct-drm_mode_fb_cmd.patch b/queue-6.18/drm-i915-xe-fbdev-deduplicate-struct-drm_mode_fb_cmd.patch
new file mode 100644
index 0000000000..f696c349d0
--- /dev/null
+++ b/queue-6.18/drm-i915-xe-fbdev-deduplicate-struct-drm_mode_fb_cmd.patch
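Review bot: `i915_gem_object_put(obj)` is now written on both the error and the success path of `intel_fbdev_fb_alloc()`, and the `err:` label wraps a single return. Since the reference is dropped either way, the same behaviour is available without the label: `i915_gem_object_put(obj);` followed by `if (IS_ERR(fb)) return ERR_CAST(fb);` and then the existing `return to_intel_framebuffer(fb);`. The start of the function is outside the hunk, so if other paths are meant to jump to `err`, keeping the label is reasonable.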
@@ -0,0 +1,216 @@ +From e708be76949bb621cad605caf1e22b2ab12233c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 11:40:54 +0300 +Subject: drm/{i915, xe}/fbdev: deduplicate struct drm_mode_fb_cmd2 init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +[ Upstream commit f9ff39f940f5ddd1d4ffcff602de7206aa1ff05d ] + +Pull struct drm_mode_fb_cmd2 initialization out of the driver dependent +code into shared display code. + +v2: Rebase on xe stride alignment change + +Reviewed-by: Ville Syrjälä +Link: https://lore.kernel.org/r/e922e47bfd39f9c5777f869ff23c23309ebbb380.1758184771.git.jani.nikula@intel.com +Signed-off-by: Jani Nikula +Stable-dep-of: 460b31720369 ("drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_fbdev.c | 32 ++++++++++++++++++- + drivers/gpu/drm/i915/display/intel_fbdev_fb.c | 25 ++++----------- + drivers/gpu/drm/i915/display/intel_fbdev_fb.h | 4 +-- + drivers/gpu/drm/xe/display/intel_fbdev_fb.c | 25 ++++----------- + 4 files changed, 45 insertions(+), 41 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev.c b/drivers/gpu/drm/i915/display/intel_fbdev.c +index 46c6de5f60888..e46c08762b847 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev.c +@@ -207,6 +207,35 @@ static const struct drm_fb_helper_funcs intel_fb_helper_funcs = { + .fb_set_suspend = intelfb_set_suspend, + }; + ++static void intel_fbdev_fill_mode_cmd(struct drm_fb_helper_surface_size *sizes, ++ struct drm_mode_fb_cmd2 *mode_cmd) ++{ ++ /* we don't do packed 24bpp */ ++ if (sizes->surface_bpp == 24) ++ sizes->surface_bpp = 32; ++ ++ mode_cmd->width = sizes->surface_width; ++ mode_cmd->height = sizes->surface_height; ++ ++ mode_cmd->pitches[0] = ALIGN(mode_cmd->width * DIV_ROUND_UP(sizes->surface_bpp, 8), 64); ++ mode_cmd->pixel_format = 
drm_mode_legacy_fb_format(sizes->surface_bpp, ++ sizes->surface_depth); ++} ++ ++static struct intel_framebuffer * ++__intel_fbdev_fb_alloc(struct intel_display *display, ++ struct drm_fb_helper_surface_size *sizes) ++{ ++ struct drm_mode_fb_cmd2 mode_cmd = {}; ++ struct intel_framebuffer *fb; ++ ++ intel_fbdev_fill_mode_cmd(sizes, &mode_cmd); ++ ++ fb = intel_fbdev_fb_alloc(display->drm, &mode_cmd); ++ ++ return fb; ++} ++ + int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + struct drm_fb_helper_surface_size *sizes) + { +@@ -237,7 +266,8 @@ int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + if (!fb || drm_WARN_ON(display->drm, !intel_fb_bo(&fb->base))) { + drm_dbg_kms(display->drm, + "no BIOS fb, allocating a new one\n"); +- fb = intel_fbdev_fb_alloc(display->drm, sizes); ++ ++ fb = __intel_fbdev_fb_alloc(display, sizes); + if (IS_ERR(fb)) + return PTR_ERR(fb); + } else { +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +index 4de13d1a4c7a7..685612e6afc53 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +@@ -3,7 +3,7 @@ + * Copyright © 2023 Intel Corporation + */ + +-#include ++#include + + #include "gem/i915_gem_lmem.h" + +@@ -14,28 +14,15 @@ + #include "intel_fbdev_fb.h" + + struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, +- struct drm_fb_helper_surface_size *sizes) ++ struct drm_mode_fb_cmd2 *mode_cmd) + { + struct intel_display *display = to_intel_display(drm); + struct drm_i915_private *dev_priv = to_i915(drm); + struct drm_framebuffer *fb; +- struct drm_mode_fb_cmd2 mode_cmd = {}; + struct drm_i915_gem_object *obj; + int size; + +- /* we don't do packed 24bpp */ +- if (sizes->surface_bpp == 24) +- sizes->surface_bpp = 32; +- +- mode_cmd.width = sizes->surface_width; +- mode_cmd.height = sizes->surface_height; +- +- mode_cmd.pitches[0] = ALIGN(mode_cmd.width * +- 
DIV_ROUND_UP(sizes->surface_bpp, 8), 64); +- mode_cmd.pixel_format = drm_mode_legacy_fb_format(sizes->surface_bpp, +- sizes->surface_depth); +- +- size = mode_cmd.pitches[0] * mode_cmd.height; ++ size = mode_cmd->pitches[0] * mode_cmd->height; + size = PAGE_ALIGN(size); + + obj = ERR_PTR(-ENODEV); +@@ -64,9 +51,9 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + + fb = intel_framebuffer_create(intel_bo_to_drm_bo(obj), + drm_get_format_info(drm, +- mode_cmd.pixel_format, +- mode_cmd.modifier[0]), +- &mode_cmd); ++ mode_cmd->pixel_format, ++ mode_cmd->modifier[0]), ++ mode_cmd); + if (IS_ERR(fb)) { + i915_gem_object_put(obj); + goto err; +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.h b/drivers/gpu/drm/i915/display/intel_fbdev_fb.h +index 668ae355f5e5b..83454ffbf79cd 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.h ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.h +@@ -7,14 +7,14 @@ + #define __INTEL_FBDEV_FB_H__ + + struct drm_device; +-struct drm_fb_helper_surface_size; + struct drm_gem_object; ++struct drm_mode_fb_cmd2; + struct fb_info; + struct i915_vma; + struct intel_display; + + struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, +- struct drm_fb_helper_surface_size *sizes); ++ struct drm_mode_fb_cmd2 *mode_cmd); + int intel_fbdev_fb_fill_info(struct intel_display *display, struct fb_info *info, + struct drm_gem_object *obj, struct i915_vma *vma); + +diff --git a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +index 5c0874bfa6ab1..8eaf1cc7fdf93 100644 +--- a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +@@ -3,7 +3,7 @@ + * Copyright © 2023 Intel Corporation + */ + +-#include ++#include + + #include "intel_display_core.h" + #include "intel_display_types.h" +@@ -16,27 +16,14 @@ + #include + + struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, +- struct drm_fb_helper_surface_size 
*sizes) ++ struct drm_mode_fb_cmd2 *mode_cmd) + { + struct drm_framebuffer *fb; + struct xe_device *xe = to_xe_device(drm); +- struct drm_mode_fb_cmd2 mode_cmd = {}; + struct xe_bo *obj; + int size; + +- /* we don't do packed 24bpp */ +- if (sizes->surface_bpp == 24) +- sizes->surface_bpp = 32; +- +- mode_cmd.width = sizes->surface_width; +- mode_cmd.height = sizes->surface_height; +- +- mode_cmd.pitches[0] = ALIGN(mode_cmd.width * +- DIV_ROUND_UP(sizes->surface_bpp, 8), 64); +- mode_cmd.pixel_format = drm_mode_legacy_fb_format(sizes->surface_bpp, +- sizes->surface_depth); +- +- size = mode_cmd.pitches[0] * mode_cmd.height; ++ size = mode_cmd->pitches[0] * mode_cmd->height; + size = PAGE_ALIGN(size); + obj = ERR_PTR(-ENODEV); + +@@ -67,9 +54,9 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + + fb = intel_framebuffer_create(&obj->ttm.base, + drm_get_format_info(drm, +- mode_cmd.pixel_format, +- mode_cmd.modifier[0]), +- &mode_cmd); ++ mode_cmd->pixel_format, ++ mode_cmd->modifier[0]), ++ mode_cmd); + if (IS_ERR(fb)) { + xe_bo_unpin_map_no_vm(obj); + goto err; +-- +2.51.0 + diff --git a/queue-6.18/drm-i915-xe-fbdev-pass-struct-drm_device-to-intel_fb.patch b/queue-6.18/drm-i915-xe-fbdev-pass-struct-drm_device-to-intel_fb.patch new file mode 100644 index 0000000000..5d9f708b6a --- /dev/null +++ b/queue-6.18/drm-i915-xe-fbdev-pass-struct-drm_device-to-intel_fb.patch 
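Review bot: `intel_fbdev_fb_alloc()` now takes a caller-built `mode_cmd` and still computes `size = mode_cmd->pitches[0] * mode_cmd->height;` into an `int`, in both the i915 and the xe copy. Before this change the pitch and height were derived inside the function; now it trusts whatever the caller filled in, and the product of two 32-bit fields can exceed `INT_MAX`. The only caller in this patch builds the values from the fbdev surface size, so nothing in these hunks shows the overflow being reachable. Even so, the precondition should be stated on the prototype, or the size computed in a wider type and range-checked before `PAGE_ALIGN()`. `intel_fbdev_fill_mode_cmd()` also rewrites `sizes->surface_bpp` from 24 to 32 as a side effect, which deserves a line in a comment above it; both alloc function bodies continue outside the hunks.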
@@ -0,0 +1,127 @@ +From 90d4cb346bd2ff003d622e10418426389d0eae1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 11:40:53 +0300 +Subject: drm/{i915, xe}/fbdev: pass struct drm_device to + intel_fbdev_fb_alloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +[ Upstream commit 9e5cf822a207ee8c9856024c047abaccb4d185e5 ] + +The function doesn't actually need struct drm_fb_helper for anything, +just pass struct drm_device. + +Reviewed-by: Ville Syrjälä +Link: https://lore.kernel.org/r/16360584f80cdc5ee35fd94cfd92fd3955588dfd.1758184771.git.jani.nikula@intel.com +Signed-off-by: Jani Nikula +Stable-dep-of: 460b31720369 ("drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_fbdev.c | 2 +- + drivers/gpu/drm/i915/display/intel_fbdev_fb.c | 10 +++++----- + drivers/gpu/drm/i915/display/intel_fbdev_fb.h | 4 ++-- + drivers/gpu/drm/xe/display/intel_fbdev_fb.c | 7 +++---- + 4 files changed, 11 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev.c b/drivers/gpu/drm/i915/display/intel_fbdev.c +index 7c4709d58aa34..46c6de5f60888 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev.c +@@ -237,7 +237,7 @@ int intel_fbdev_driver_fbdev_probe(struct drm_fb_helper *helper, + if (!fb || drm_WARN_ON(display->drm, !intel_fb_bo(&fb->base))) { + drm_dbg_kms(display->drm, + "no BIOS fb, allocating a new one\n"); +- fb = intel_fbdev_fb_alloc(helper, sizes); ++ fb = intel_fbdev_fb_alloc(display->drm, sizes); + if (IS_ERR(fb)) + return PTR_ERR(fb); + } else { +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +index b9dfd00a7d05b..4de13d1a4c7a7 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.c +@@ -13,11 +13,11 @@ + #include 
"intel_fb.h" + #include "intel_fbdev_fb.h" + +-struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, ++struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + struct drm_fb_helper_surface_size *sizes) + { +- struct intel_display *display = to_intel_display(helper->dev); +- struct drm_i915_private *dev_priv = to_i915(display->drm); ++ struct intel_display *display = to_intel_display(drm); ++ struct drm_i915_private *dev_priv = to_i915(drm); + struct drm_framebuffer *fb; + struct drm_mode_fb_cmd2 mode_cmd = {}; + struct drm_i915_gem_object *obj; +@@ -58,12 +58,12 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, + } + + if (IS_ERR(obj)) { +- drm_err(display->drm, "failed to allocate framebuffer (%pe)\n", obj); ++ drm_err(drm, "failed to allocate framebuffer (%pe)\n", obj); + return ERR_PTR(-ENOMEM); + } + + fb = intel_framebuffer_create(intel_bo_to_drm_bo(obj), +- drm_get_format_info(display->drm, ++ drm_get_format_info(drm, + mode_cmd.pixel_format, + mode_cmd.modifier[0]), + &mode_cmd); +diff --git a/drivers/gpu/drm/i915/display/intel_fbdev_fb.h b/drivers/gpu/drm/i915/display/intel_fbdev_fb.h +index cb79572727150..668ae355f5e5b 100644 +--- a/drivers/gpu/drm/i915/display/intel_fbdev_fb.h ++++ b/drivers/gpu/drm/i915/display/intel_fbdev_fb.h +@@ -6,14 +6,14 @@ + #ifndef __INTEL_FBDEV_FB_H__ + #define __INTEL_FBDEV_FB_H__ + +-struct drm_fb_helper; ++struct drm_device; + struct drm_fb_helper_surface_size; + struct drm_gem_object; + struct fb_info; + struct i915_vma; + struct intel_display; + +-struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, ++struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + struct drm_fb_helper_surface_size *sizes); + int intel_fbdev_fb_fill_info(struct intel_display *display, struct fb_info *info, + struct drm_gem_object *obj, struct i915_vma *vma); +diff --git a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c 
b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +index bce4cb16f6820..5c0874bfa6ab1 100644 +--- a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c ++++ b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c +@@ -15,12 +15,11 @@ + + #include + +-struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, ++struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_device *drm, + struct drm_fb_helper_surface_size *sizes) + { + struct drm_framebuffer *fb; +- struct drm_device *dev = helper->dev; +- struct xe_device *xe = to_xe_device(dev); ++ struct xe_device *xe = to_xe_device(drm); + struct drm_mode_fb_cmd2 mode_cmd = {}; + struct xe_bo *obj; + int size; +@@ -67,7 +66,7 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper, + } + + fb = intel_framebuffer_create(&obj->ttm.base, +- drm_get_format_info(dev, ++ drm_get_format_info(drm, + mode_cmd.pixel_format, + mode_cmd.modifier[0]), + &mode_cmd); +-- +2.51.0 + diff --git a/queue-6.18/drm-nouveau-fix-circular-dep-oops-from-vendored-i2c-.patch b/queue-6.18/drm-nouveau-fix-circular-dep-oops-from-vendored-i2c-.patch new file mode 100644 index 0000000000..ad811e6065 --- /dev/null +++ b/queue-6.18/drm-nouveau-fix-circular-dep-oops-from-vendored-i2c-.patch 
@@ -0,0 +1,159 @@ +From 0491ed752f4ce0652eb599ce86ce03d1600de705 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 16:49:52 +0100 +Subject: drm/nouveau: fix circular dep oops from vendored i2c encoder +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +[ Upstream commit d84e47edf156a953ed340ba6a202dcd3ea39ba0a ] + +Since commit a73583107af9 ("drm/nouveau: vendor in drm_encoder_slave API") +nouveau appears to be broken for all dispnv04 GPUs (before NV50). Depending +on the kernel version, either having no display output and hanging in +kernel for a long time, or even oopsing in the cleanup path like: + +Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac +... +nouveau 0000:0a:00.0: drm: 0x14C5: Parsing digital output script table +BUG: Unable to handle kernel data access on read at 0x00041520 +Faulting instruction address: 0xc0003d0001be0844 +Oops: Kernel access of bad area, sig: 11 [#1] +BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=8 NUMA PowerMac +Modules linked in: windfarm_cpufreq_clamp windfarm_smu_sensors windfarm_smu_controls windfarm_pm112 snd_aoa_codec_onyx snd_aoa_fabric_layout snd_aoa windfarm_pid jo + apple_mfi_fastcharge rndis_host cdc_ether usbnet mii snd_aoa_i2sbus snd_aoa_soundbus snd_pcm snd_timer snd soundcore rack_meter windfarm_smu_sat windfarm_max6690_s +m75_sensor windfarm_core gpu_sched drm_gpuvm drm_exec drm_client_lib drm_ttm_helper ttm drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks syscopyar +_sys_fops i2c_algo_bit backlight uio_pdrv_genirq uio uninorth_agp agpgart zram dm_mod dax ipv6 nfsv4 dns_resolver nfs lockd grace sunrpc offb cfbfillrect cfbimgblt +ont input_leds sr_mod cdrom sd_mod uas ata_generic hid_apple hid_generic usbhid hid usb_storage pata_macio sata_svw libata firewire_ohci scsi_mod firewire_core ohci +ehci_pci ehci_hcd tg3 ohci_hcd libphy usbcore usb_common nls_base + led_class +CPU: 0 UID: 0 PID: 245 Comm: (udev-worker) Not 
tainted 6.14.0-09584-g7d06015d936c #7 PREEMPTLAZY +Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac +NIP: c0003d0001be0844 LR: c0003d0001be0830 CTR: 0000000000000000 +REGS: c0000000053f70e0 TRAP: 0300 Not tainted (6.14.0-09584-g7d06015d936c) +MSR: 9000000000009032 CR: 24222220 XER: 00000000 +DAR: 0000000000041520 DSISR: 40000000 IRQMASK: 0 \x0aGPR00: c0003d0001be0830 c0000000053f7380 c0003d0000911900 c000000007bc6800 \x0aGPR04: 0000000000000000 0000000000000000 c000000007bc6e70 0000000000000001 \x0aGPR08: 01f3040000000000 0000000000041520 0000000000000000 c0003d0000813958 \x0aGPR12: c000000000071a48 c000000000e28000 0000000000000020 0000000000000000 \x0aGPR16: 0000000000000000 0000000000f52630 0000000000000000 0000000000000000 \x0aGPR20: 0000000000000000 0000000000000000 0000000000000001 c0003d0000928528 \x0aGPR24: c0003d0000928598 0000000000000000 c000000007025480 c000000007025480 \x0aGPR28: c0000000010b4000 0000000000000000 c000000007bc1800 c000000007bc6800 +NIP [c0003d0001be0844] nv_crtc_destroy+0x44/0xd4 [nouveau] +LR [c0003d0001be0830] nv_crtc_destroy+0x30/0xd4 [nouveau] +Call Trace: +[c0000000053f7380] [c0003d0001be0830] nv_crtc_destroy+0x30/0xd4 [nouveau] (unreliable) +[c0000000053f73c0] [c0003d00007f7bf4] drm_mode_config_cleanup+0x27c/0x30c [drm] +[c0000000053f7490] [c0003d0001bdea50] nouveau_display_create+0x1cc/0x550 [nouveau] +[c0000000053f7500] [c0003d0001bcc29c] nouveau_drm_device_init+0x1c8/0x844 [nouveau] +[c0000000053f75e0] [c0003d0001bcc9ec] nouveau_drm_probe+0xd4/0x1e0 [nouveau] +[c0000000053f7670] [c000000000557d24] local_pci_probe+0x50/0xa8 +[c0000000053f76f0] [c000000000557fa8] pci_device_probe+0x22c/0x240 +[c0000000053f7760] [c0000000005fff3c] really_probe+0x188/0x31c +[c0000000053f77e0] [c000000000600204] __driver_probe_device+0x134/0x13c +[c0000000053f7860] [c0000000006002c0] driver_probe_device+0x3c/0xb4 +[c0000000053f78a0] [c000000000600534] __driver_attach+0x118/0x128 +[c0000000053f78e0] [c0000000005fe038] bus_for_each_dev+0xa8/0xf4 
+[c0000000053f7950] [c0000000005ff460] driver_attach+0x2c/0x40 +[c0000000053f7970] [c0000000005fea68] bus_add_driver+0x130/0x278 +[c0000000053f7a00] [c00000000060117c] driver_register+0x9c/0x1a0 +[c0000000053f7a80] [c00000000055623c] __pci_register_driver+0x5c/0x70 +[c0000000053f7aa0] [c0003d0001c058a0] nouveau_drm_init+0x254/0x278 [nouveau] +[c0000000053f7b10] [c00000000000e9bc] do_one_initcall+0x84/0x268 +[c0000000053f7bf0] [c0000000001a0ba0] do_init_module+0x70/0x2d8 +[c0000000053f7c70] [c0000000001a42bc] init_module_from_file+0xb4/0x108 +[c0000000053f7d50] [c0000000001a4504] sys_finit_module+0x1ac/0x478 +[c0000000053f7e10] [c000000000023230] system_call_exception+0x1a4/0x20c +[c0000000053f7e50] [c00000000000c554] system_call_common+0xf4/0x258 + --- interrupt: c00 at 0xfd5f988 +NIP: 000000000fd5f988 LR: 000000000ff9b148 CTR: 0000000000000000 +REGS: c0000000053f7e80 TRAP: 0c00 Not tainted (6.14.0-09584-g7d06015d936c) +MSR: 100000000000d032 CR: 28222244 XER: 00000000 +IRQMASK: 0 \x0aGPR00: 0000000000000161 00000000ffcdc2d0 00000000405db160 0000000000000020 \x0aGPR04: 000000000ffa2c9c 0000000000000000 000000000000001f 0000000000000045 \x0aGPR08: 0000000011a13770 0000000000000000 0000000000000000 0000000000000000 \x0aGPR12: 0000000000000000 0000000010249d8c 0000000000000020 0000000000000000 \x0aGPR16: 0000000000000000 0000000000f52630 0000000000000000 0000000000000000 \x0aGPR20: 0000000000000000 0000000000000000 0000000000000000 0000000011a11a70 \x0aGPR24: 0000000011a13580 0000000011a11950 0000000011a11a70 0000000000020000 \x0aGPR28: 000000000ffa2c9c 0000000000000000 000000000ffafc40 0000000011a11a70 +NIP [000000000fd5f988] 0xfd5f988 +LR [000000000ff9b148] 0xff9b148 + --- interrupt: c00 +Code: f821ffc1 418200ac e93f0000 e9290038 e9291468 eba90000 48026c0d e8410018 e93f06aa 3d290001 392982a4 79291f24 <7fdd482a> 2c3e0000 41820030 7fc3f378 + ---[ end trace 0000000000000000 ]--- + +This is caused by the i2c encoder modules vendored into nouveau/ now +depending on the 
equally vendored nouveau_i2c_encoder_destroy +function. Trying to auto-load this modules hangs on nouveau +initialization until timeout, and nouveau continues without i2c video +encoders. + +Fix by avoiding nouveau dependency by __always_inlining that helper +functions into those i2c video encoder modules. + +Fixes: a73583107af9 ("drm/nouveau: vendor in drm_encoder_slave API") +Signed-off-by: René Rebe +Reviewed-by: Lyude Paul +[Lyude: fixed commit reference in description] +Signed-off-by: Lyude Paul +Link: https://patch.msgid.link/20251202.164952.2216481867721531616.rene@exactco.de +Signed-off-by: Sasha Levin +--- + .../nouveau/dispnv04/nouveau_i2c_encoder.c | 20 ------------------- + .../include/dispnv04/i2c/encoder_i2c.h | 19 +++++++++++++++++- + 2 files changed, 18 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/dispnv04/nouveau_i2c_encoder.c b/drivers/gpu/drm/nouveau/dispnv04/nouveau_i2c_encoder.c +index e2bf99c433366..a60209097a20a 100644 +--- a/drivers/gpu/drm/nouveau/dispnv04/nouveau_i2c_encoder.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/nouveau_i2c_encoder.c +@@ -94,26 +94,6 @@ int nouveau_i2c_encoder_init(struct drm_device *dev, + return err; + } + +-/** +- * nouveau_i2c_encoder_destroy - Unregister the I2C device backing an encoder +- * @drm_encoder: Encoder to be unregistered. +- * +- * This should be called from the @destroy method of an I2C slave +- * encoder driver once I2C access is no longer needed. 
+- */ +-void nouveau_i2c_encoder_destroy(struct drm_encoder *drm_encoder) +-{ +- struct nouveau_i2c_encoder *encoder = to_encoder_i2c(drm_encoder); +- struct i2c_client *client = nouveau_i2c_encoder_get_client(drm_encoder); +- struct module *module = client->dev.driver->owner; +- +- i2c_unregister_device(client); +- encoder->i2c_client = NULL; +- +- module_put(module); +-} +-EXPORT_SYMBOL(nouveau_i2c_encoder_destroy); +- + /* + * Wrapper fxns which can be plugged in to drm_encoder_helper_funcs: + */ +diff --git a/drivers/gpu/drm/nouveau/include/dispnv04/i2c/encoder_i2c.h b/drivers/gpu/drm/nouveau/include/dispnv04/i2c/encoder_i2c.h +index 31334aa90781b..869820701a56e 100644 +--- a/drivers/gpu/drm/nouveau/include/dispnv04/i2c/encoder_i2c.h ++++ b/drivers/gpu/drm/nouveau/include/dispnv04/i2c/encoder_i2c.h +@@ -202,7 +202,24 @@ static inline struct i2c_client *nouveau_i2c_encoder_get_client(struct drm_encod + return to_encoder_i2c(encoder)->i2c_client; + } + +-void nouveau_i2c_encoder_destroy(struct drm_encoder *encoder); ++/** ++ * nouveau_i2c_encoder_destroy - Unregister the I2C device backing an encoder ++ * @drm_encoder: Encoder to be unregistered. ++ * ++ * This should be called from the @destroy method of an I2C slave ++ * encoder driver once I2C access is no longer needed. ++ */ ++static __always_inline void nouveau_i2c_encoder_destroy(struct drm_encoder *drm_encoder) ++{ ++ struct nouveau_i2c_encoder *encoder = to_encoder_i2c(drm_encoder); ++ struct i2c_client *client = nouveau_i2c_encoder_get_client(drm_encoder); ++ struct module *module = client->dev.driver->owner; ++ ++ i2c_unregister_device(client); ++ encoder->i2c_client = NULL; ++ ++ module_put(module); ++} + + /* + * Wrapper fxns which can be plugged in to drm_encoder_helper_funcs: +-- +2.51.0 + diff --git a/queue-6.18/drm-nouveau-refactor-deprecated-strcpy.patch b/queue-6.18/drm-nouveau-refactor-deprecated-strcpy.patch new file mode 100644 index 0000000000..a1ab2cbae7 --- /dev/null 
+++ b/queue-6.18/drm-nouveau-refactor-deprecated-strcpy.patch
@@ -0,0 +1,45 @@
+From d24fe18d46ebb72da6b2897352173a958fd2956c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Dec 2025 17:38:22 +0530
+Subject: drm/nouveau: refactor deprecated strcpy
+
+From: Madhur Kumar
+
+[ Upstream commit 2bdc2c0e12fac56e41ec05fb771ead986ea6dac0 ]
+
+strcpy() has been deprecated because it performs no bounds checking on the
+destination buffer, which can lead to buffer overflows. Use the safer
+strscpy() instead.
+
+Signed-off-by: Madhur Kumar
+Reviewed-by: Lyude Paul
+Fixes: 15a996bbb697 ("drm/nouveau: assign fence_chan->name correctly")
+Signed-off-by: Lyude Paul
+Link: https://patch.msgid.link/20251204120822.17502-1-madhurkumar004@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/nouveau_fence.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c
+index 869d4335c0f45..4a193b7d6d9e4 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fence.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c
+@@ -183,11 +183,11 @@ nouveau_fence_context_new(struct nouveau_channel *chan, struct nouveau_fence_cha
+ fctx->context = drm->runl[chan->runlist].context_base + chan->chid;
+
+ if (chan == drm->cechan)
+- strcpy(fctx->name, "copy engine channel");
++ strscpy(fctx->name, "copy engine channel");
+ else if (chan == drm->channel)
+- strcpy(fctx->name, "generic kernel channel");
++ strscpy(fctx->name, "generic kernel channel");
+ else
+- strcpy(fctx->name, cli->name);
++ strscpy(fctx->name, cli->name);
+
+ kref_init(&fctx->fence_ref);
+ if (!priv->uevent)
+--
+2.51.0
+
diff --git a/queue-6.18/drm-panel-novatek-nt35560-avoid-on-stack-device-stru.patch b/queue-6.18/drm-panel-novatek-nt35560-avoid-on-stack-device-stru.patch
new file mode 100644
index 0000000000..fcae356ce9
--- /dev/null
+++ b/queue-6.18/drm-panel-novatek-nt35560-avoid-on-stack-device-stru.patch
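Review bot: The third call in nouveau_fence_context_new(), `strscpy(fctx->name, cli->name);`, is the only one whose source is not a literal, and its return value is dropped, so a `cli->name` longer than the destination is truncated without any trace. If truncating this name is acceptable, say so next to the call, e.g. `/* cli->name may be truncated to fit fctx->name; that is acceptable here */`; otherwise test the result for a negative value. The two-argument form also relies on `fctx->name` being a fixed-size array, which these lines do not show. The function body continues outside the hunk.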
@@ -0,0 +1,68 @@
+From 4bbb74751b8dfb35fc084cdc62c69522d620fd7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Dec 2025 10:45:45 +0100
+Subject: drm/panel: novatek-nt35560: avoid on-stack device structure
+
+From: Arnd Bergmann
+
+[ Upstream commit 1a7a7b80a22448dff55e1ad69a4681fd8b760b85 ]
+
+A cleanup patch apparently by accident used a local device structure
+instead of a pointer to one in the nt35560_read_id() function, causing
+a warning about stack usage:
+
+drivers/gpu/drm/panel/panel-novatek-nt35560.c: In function 'nt35560_read_id':
+drivers/gpu/drm/panel/panel-novatek-nt35560.c:249:1: error: the frame size of 1296 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
+
+Change this to a pointer as was liley intended here.
+
+Fixes: 5fbc0dbb92d6 ("drm/panel: novatek-nt35560: Clean up driver")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Douglas Anderson
+Signed-off-by: Douglas Anderson
+Link: https://patch.msgid.link/20251204094550.1030506-1-arnd@kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-novatek-nt35560.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-novatek-nt35560.c b/drivers/gpu/drm/panel/panel-novatek-nt35560.c
+index 561e6643dcbb6..6e5173f98a226 100644
+--- a/drivers/gpu/drm/panel/panel-novatek-nt35560.c
++++ b/drivers/gpu/drm/panel/panel-novatek-nt35560.c
+@@ -213,7 +213,7 @@ static const struct backlight_properties nt35560_bl_props = {
+
+ static void nt35560_read_id(struct mipi_dsi_multi_context *dsi_ctx)
+ {
+- struct device dev = dsi_ctx->dsi->dev;
++ struct device *dev = &dsi_ctx->dsi->dev;
+ u8 vendor, version, panel;
+ u16 val;
+
+@@ -225,7 +225,7 @@ static void nt35560_read_id(struct mipi_dsi_multi_context *dsi_ctx)
+ return;
+
+ if (vendor == 0x00) {
+- dev_err(&dev, "device vendor ID is zero\n");
++ dev_err(dev, "device vendor ID is zero\n");
+ dsi_ctx->accum_err = -ENODEV;
+ return;
+ }
+@@ -236,12 +236,12 @@ static void nt35560_read_id(struct mipi_dsi_multi_context *dsi_ctx)
+ case DISPLAY_SONY_ACX424AKP_ID2:
+ case DISPLAY_SONY_ACX424AKP_ID3:
+ case DISPLAY_SONY_ACX424AKP_ID4:
+- dev_info(&dev,
++ dev_info(dev,
+ "MTP vendor: %02x, version: %02x, panel: %02x\n",
+ vendor, version, panel);
+ break;
+ default:
+- dev_info(&dev,
++ dev_info(dev,
+ "unknown vendor: %02x, version: %02x, panel: %02x\n",
+ vendor, version, panel);
+ break;
+--
+2.51.0
+
diff --git a/queue-6.18/drm-panthor-prevent-potential-uaf-in-group-creation.patch b/queue-6.18/drm-panthor-prevent-potential-uaf-in-group-creation.patch
new file mode 100644
index 0000000000..fc833d3119
--- /dev/null
+++ b/queue-6.18/drm-panthor-prevent-potential-uaf-in-group-creation.patch
@@ -0,0 +1,109 @@
+From b74bdac3bbb0dea3cd81de42f7a7487bfb6b88cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Nov 2025 16:49:12 +0000
+Subject: drm/panthor: Prevent potential UAF in group creation
+
+From: Akash Goel
+
+[ Upstream commit eec7e23d848d2194dd8791fcd0f4a54d4378eecd ]
+
+This commit prevents the possibility of a use after free issue in the
+GROUP_CREATE ioctl function, which arose as pointer to the group is
+accessed in that ioctl function after storing it in the Xarray.
+A malicious userspace can second guess the handle of a group and try
+to call GROUP_DESTROY ioctl from another thread around the same time
+as GROUP_CREATE ioctl.
+
+To prevent the use after free exploit, this commit uses a mark on an
+entry of group pool Xarray which is added just before returning from
+the GROUP_CREATE ioctl function. The mark is checked for all ioctls
+that specify the group handle and so userspace won't be abe to delete
+a group that isn't marked yet.
+
+v2: Add R-bs and fixes tags
+
+Fixes: de85488138247 ("drm/panthor: Add the scheduler logical block")
+Co-developed-by: Boris Brezillon
+Signed-off-by: Boris Brezillon
+Signed-off-by: Akash Goel
+Reviewed-by: Boris Brezillon
+Reviewed-by: Steven Price
+Reviewed-by: Chia-I Wu
+Link: https://patch.msgid.link/20251127164912.3788155-1-akash.goel@arm.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panthor/panthor_sched.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c
+index 0279e19aadae9..881a07ffbabc8 100644
+--- a/drivers/gpu/drm/panthor/panthor_sched.c
++++ b/drivers/gpu/drm/panthor/panthor_sched.c
+@@ -772,6 +772,12 @@ struct panthor_job_profiling_data {
+ */
+ #define MAX_GROUPS_PER_POOL 128
+
++/*
++ * Mark added on an entry of group pool Xarray to identify if the group has
++ * been fully initialized and can be accessed elsewhere in the driver code.
++ */
++#define GROUP_REGISTERED XA_MARK_1
++
+ /**
+ * struct panthor_group_pool - Group pool
+ *
+@@ -2900,7 +2906,7 @@ void panthor_fdinfo_gather_group_samples(struct panthor_file *pfile)
+ return;
+
+ xa_lock(&gpool->xa);
+- xa_for_each(&gpool->xa, i, group) {
++ xa_for_each_marked(&gpool->xa, i, group, GROUP_REGISTERED) {
+ guard(spinlock)(&group->fdinfo.lock);
+ pfile->stats.cycles += group->fdinfo.data.cycles;
+ pfile->stats.time += group->fdinfo.data.time;
+@@ -3575,6 +3581,8 @@ int panthor_group_create(struct panthor_file *pfile,
+
+ group_init_task_info(group);
+
++ xa_set_mark(&gpool->xa, gid, GROUP_REGISTERED);
++
+ return gid;
+
+ err_put_group:
+@@ -3589,6 +3597,9 @@ int panthor_group_destroy(struct panthor_file *pfile, u32 group_handle)
+ struct panthor_scheduler *sched = ptdev->scheduler;
+ struct panthor_group *group;
+
++ if (!xa_get_mark(&gpool->xa, group_handle, GROUP_REGISTERED))
++ return -EINVAL;
++
+ group = xa_erase(&gpool->xa, group_handle);
+ if (!group)
+ return -EINVAL;
+@@ -3614,12 +3625,12 @@ int panthor_group_destroy(struct panthor_file *pfile, u32 group_handle)
+ }
+
+ static struct panthor_group *group_from_handle(struct panthor_group_pool *pool,
+- u32 group_handle)
++ unsigned long group_handle)
+ {
+ struct panthor_group *group;
+
+ xa_lock(&pool->xa);
+- group = group_get(xa_load(&pool->xa, group_handle));
++ group = group_get(xa_find(&pool->xa, &group_handle, group_handle, GROUP_REGISTERED));
+ xa_unlock(&pool->xa);
+
+ return group;
+@@ -3706,7 +3717,7 @@ panthor_fdinfo_gather_group_mem_info(struct panthor_file *pfile,
+ return;
+
+ xa_lock(&gpool->xa);
+- xa_for_each(&gpool->xa, i, group) {
++ xa_for_each_marked(&gpool->xa, i, group, GROUP_REGISTERED) {
+ stats->resident += group->fdinfo.kbo_sizes;
+ if (group->csg_id >= 0)
+ stats->active += group->fdinfo.kbo_sizes;
+--
+2.51.0
+
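Review bot: The `xa_set_mark(&gpool->xa, gid, GROUP_REGISTERED);` added at the end of panthor_group_create() carries an ordering rule that the code itself does not state: once the mark is set, a concurrent GROUP_DESTROY on the same handle is allowed to proceed, so nothing in the create path may touch `group` afterwards. A comment above the call would keep a later addition from reintroducing the use-after-free the commit message describes, for example `/* Must stay last: once marked, userspace can destroy the group, so do not touch it after this. */`. In panthor_group_destroy() the `xa_get_mark()` check and the `xa_erase()` are two separate steps; from the visible lines this looks safe because a NULL result from the erase is still rejected, and a short comment saying so would help. In group_from_handle(), `xa_find()` with the maximum equal to the index is used as a load restricted to marked entries, which also deserves a one-line comment. All of these function bodies extend beyond the hunks shown.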
diff --git a/queue-6.18/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch b/queue-6.18/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch
new file mode 100644
index 0000000000..2c463e34ee
--- /dev/null
+++ b/queue-6.18/drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch
@@ -0,0 +1,50 @@
+From a228dba4f1418b54e99503fc50fee2a52c118df8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 20:35:23 +0300
+Subject: drm/plane: Fix IS_ERR() vs NULL check in
+ drm_plane_create_hotspot_properties()
+
+From: Dan Carpenter
+
+[ Upstream commit 479acb9db3199cdb70e5478a6f633b5f20c7d8df ]
+
+The drm_property_create_signed_range() function doesn't return error
+pointers it returns NULL on error. Fix the error checking to match.
+
+Fixes: 8f7179a1027d ("drm/atomic: Add support for mouse hotspots")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Javier Martinez Canillas
+Reviewed-by: Zack Rusin
+Link: https://patch.msgid.link/aTB023cfcIPkCsFS@stanley.mountain
+Signed-off-by: Maxime Ripard
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_plane.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
+index a30493ed97157..4cadea997129d 100644
+--- a/drivers/gpu/drm/drm_plane.c
++++ b/drivers/gpu/drm/drm_plane.c
+@@ -338,14 +338,14 @@ static int drm_plane_create_hotspot_properties(struct drm_plane *plane)
+
+ prop_x = drm_property_create_signed_range(plane->dev, 0, "HOTSPOT_X",
+ INT_MIN, INT_MAX);
+- if (IS_ERR(prop_x))
+- return PTR_ERR(prop_x);
++ if (!prop_x)
++ return -ENOMEM;
+
+ prop_y = drm_property_create_signed_range(plane->dev, 0, "HOTSPOT_Y",
+ INT_MIN, INT_MAX);
+- if (IS_ERR(prop_y)) {
++ if (!prop_y) {
+ drm_property_destroy(plane->dev, prop_x);
+- return PTR_ERR(prop_y);
++ return -ENOMEM;
+ }
+
+ drm_object_attach_property(&plane->base, prop_x, 0);
+--
+2.51.0
+
diff --git a/queue-6.18/drm-xe-fbdev-use-the-same-64-byte-stride-alignment-a.patch b/queue-6.18/drm-xe-fbdev-use-the-same-64-byte-stride-alignment-a.patch
new file mode 100644
index 0000000000..3a9a87ba72
--- /dev/null
+++ b/queue-6.18/drm-xe-fbdev-use-the-same-64-byte-stride-alignment-a.patch
@@ -0,0 +1,47 @@
+From 4f42375528414a9889bbb412209c856af5824e69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Sep 2025 11:40:51 +0300
+Subject: drm/xe/fbdev: use the same 64-byte stride alignment as i915
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula
+
+[ Upstream commit 4a36b339a14ae6f2a366125e3d64f0c165193293 ]
+
+For reasons unknown, xe uses XE_PAGE_SIZE alignment for
+stride. Presumably it's just a confusion between stride alignment and bo
+allocation size alignment. Switch to 64 byte alignment to, uh, align
+with i915.
+
+This will also be helpful in deduplicating and unifying the xe and i915
+framebuffer allocation.
+
+Link: https://lore.kernel.org/r/aLqsC87Ol_zCXOkN@intel.com
+Suggested-by: Ville Syrjälä
+Reviewed-by: Ville Syrjälä
+Link: https://lore.kernel.org/r/7f4972104de8b179d5724ae83892ee294d3f3fd3.1758184771.git.jani.nikula@intel.com
+Signed-off-by: Jani Nikula
+Stable-dep-of: 460b31720369 ("drm/i915/fbdev: Hold runtime PM ref during fbdev BO creation")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/display/intel_fbdev_fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c
+index 8ea9a472113c4..bce4cb16f6820 100644
+--- a/drivers/gpu/drm/xe/display/intel_fbdev_fb.c
++++ b/drivers/gpu/drm/xe/display/intel_fbdev_fb.c
+@@ -33,7 +33,7 @@ struct intel_framebuffer *intel_fbdev_fb_alloc(struct drm_fb_helper *helper,
+ mode_cmd.height = sizes->surface_height;
+
+ mode_cmd.pitches[0] = ALIGN(mode_cmd.width *
+- DIV_ROUND_UP(sizes->surface_bpp, 8), XE_PAGE_SIZE);
++ DIV_ROUND_UP(sizes->surface_bpp, 8), 64);
+ mode_cmd.pixel_format = drm_mode_legacy_fb_format(sizes->surface_bpp,
+ sizes->surface_depth);
+
+--
+2.51.0
+
diff --git a/queue-6.18/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch b/queue-6.18/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch
new file mode 100644
index 0000000000..f88b27f172
--- /dev/null
+++ b/queue-6.18/f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch
@@ -0,0 +1,88 @@
+From 7b03882e4904c47cd6f97efb25e49fee1f187961 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Oct 2025 15:43:08 -0700
+Subject: f2fs: maintain one time GC mode is enabled during whole zoned GC
+ cycle
+
+From: Daeho Jeong
+
+[ Upstream commit e462fc48ceb8224811c3224650afed05cb7f0872 ]
+
+The current version missed setting one time GC for normal zoned GC
+cycle. So, valid threshold control is not working. Need to fix it to
+prevent excessive GC for zoned devices.
+
+Fixes: e791d00bd06c ("f2fs: add valid block ratio not to do excessive GC for one time GC")
+Signed-off-by: Daeho Jeong
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/gc.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index a7708cf80c04e..8abf521530ff3 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -38,13 +38,14 @@ static int gc_thread_func(void *data)
+ struct f2fs_gc_control gc_control = {
+ .victim_segno = NULL_SEGNO,
+ .should_migrate_blocks = false,
+- .err_gc_skipped = false };
++ .err_gc_skipped = false,
++ .one_time = false };
+
+ wait_ms = gc_th->min_sleep_time;
+
+ set_freezable();
+ do {
+- bool sync_mode, foreground = false;
++ bool sync_mode, foreground = false, gc_boost = false;
+
+ wait_event_freezable_timeout(*wq,
+ kthread_should_stop() ||
+@@ -52,8 +53,12 @@ static int gc_thread_func(void *data)
+ gc_th->gc_wake,
+ msecs_to_jiffies(wait_ms));
+
+- if (test_opt(sbi, GC_MERGE) && waitqueue_active(fggc_wq))
++ if (test_opt(sbi, GC_MERGE) && waitqueue_active(fggc_wq)) {
+ foreground = true;
++ gc_control.one_time = false;
++ } else if (f2fs_sb_has_blkzoned(sbi)) {
++ gc_control.one_time = true;
++ }
+
+ /* give it a try one time */
+ if (gc_th->gc_wake)
+@@ -81,8 +86,6 @@ static int gc_thread_func(void *data)
+ continue;
+ }
+
+- gc_control.one_time = false;
+-
+ /*
+ * [GC triggering condition]
+ * 0. GC is not conducted currently.
+@@ -132,7 +135,7 @@ static int gc_thread_func(void *data)
+ if (need_to_boost_gc(sbi)) {
+ decrease_sleep_time(gc_th, &wait_ms);
+ if (f2fs_sb_has_blkzoned(sbi))
+- gc_control.one_time = true;
++ gc_boost = true;
+ } else {
+ increase_sleep_time(gc_th, &wait_ms);
+ }
+@@ -141,7 +144,7 @@ static int gc_thread_func(void *data)
+ FOREGROUND : BACKGROUND);
+
+ sync_mode = (F2FS_OPTION(sbi).bggc_mode == BGGC_MODE_SYNC) ||
+- (gc_control.one_time && gc_th->boost_gc_greedy);
++ (gc_boost && gc_th->boost_gc_greedy);
+
+ /* foreground GC was been triggered via f2fs_balance_fs() */
+ if (foreground && !f2fs_sb_has_blkzoned(sbi))
+--
+2.51.0
+
diff --git a/queue-6.18/f2fs-revert-summary-entry-count-from-2048-to-512-in-.patch b/queue-6.18/f2fs-revert-summary-entry-count-from-2048-to-512-in-.patch
new file mode 100644
index 0000000000..7b5685567d
--- /dev/null
+++ b/queue-6.18/f2fs-revert-summary-entry-count-from-2048-to-512-in-.patch
@@ -0,0 +1,456 @@ +From 44d8ca7fc5213f1347dbdffd6fac7cdd8b21bdd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 09:52:46 -0800 +Subject: f2fs: revert summary entry count from 2048 to 512 in 16kb block + support + +From: Daeho Jeong + +[ Upstream commit 7ee8bc3942f20964ad730871b885688ea3a2961a ] + +The recent increase in the number of Segment Summary Area (SSA) entries +from 512 to 2048 was an unintentional change in logic of 16kb block +support. This commit corrects the issue. + +To better utilize the space available from the erroneous 2048-entry +calculation, we are implementing a solution to share the currently +unused SSA space with neighboring segments. This enhances overall +SSA utilization without impacting the established 8MB segment size. + +Fixes: d7e9a9037de2 ("f2fs: Support Block Size == Page Size") +Signed-off-by: Daeho Jeong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 + + fs/f2fs/gc.c | 117 +++++++++++++++++++++++----------------- + fs/f2fs/recovery.c | 2 +- + fs/f2fs/segment.c | 38 +++++++++---- + fs/f2fs/segment.h | 8 ++- + fs/f2fs/super.c | 14 +++++ + fs/f2fs/sysfs.c | 7 +++ + include/linux/f2fs_fs.h | 5 +- + 8 files changed, 130 insertions(+), 63 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 5b4e9548a231f..5149f351f03d2 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -245,6 +245,7 @@ struct f2fs_mount_info { + #define F2FS_FEATURE_COMPRESSION 0x00002000 + #define F2FS_FEATURE_RO 0x00004000 + #define F2FS_FEATURE_DEVICE_ALIAS 0x00008000 ++#define F2FS_FEATURE_PACKED_SSA 0x00010000 + + #define __F2FS_HAS_FEATURE(raw_super, mask) \ + ((raw_super->feature & cpu_to_le32(mask)) != 0) +@@ -4710,6 +4711,7 @@ F2FS_FEATURE_FUNCS(casefold, CASEFOLD); + F2FS_FEATURE_FUNCS(compression, COMPRESSION); + F2FS_FEATURE_FUNCS(readonly, RO); + F2FS_FEATURE_FUNCS(device_alias, DEVICE_ALIAS); ++F2FS_FEATURE_FUNCS(packed_ssa, PACKED_SSA); + + #ifdef 
CONFIG_BLK_DEV_ZONED + static inline bool f2fs_zone_is_seq(struct f2fs_sb_info *sbi, int devi, +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 8abf521530ff3..af2f4d28462c0 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1732,7 +1732,7 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, + unsigned char type = IS_DATASEG(get_seg_entry(sbi, segno)->type) ? + SUM_TYPE_DATA : SUM_TYPE_NODE; + unsigned char data_type = (type == SUM_TYPE_DATA) ? DATA : NODE; +- int submitted = 0; ++ int submitted = 0, sum_blk_cnt; + + if (__is_large_section(sbi)) { + sec_end_segno = rounddown(end_segno, SEGS_PER_SEC(sbi)); +@@ -1766,22 +1766,28 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, + + sanity_check_seg_type(sbi, get_seg_entry(sbi, segno)->type); + ++ segno = rounddown(segno, SUMS_PER_BLOCK); ++ sum_blk_cnt = DIV_ROUND_UP(end_segno - segno, SUMS_PER_BLOCK); + /* readahead multi ssa blocks those have contiguous address */ + if (__is_large_section(sbi)) + f2fs_ra_meta_pages(sbi, GET_SUM_BLOCK(sbi, segno), +- end_segno - segno, META_SSA, true); ++ sum_blk_cnt, META_SSA, true); + + /* reference all summary page */ + while (segno < end_segno) { +- struct folio *sum_folio = f2fs_get_sum_folio(sbi, segno++); ++ struct folio *sum_folio = f2fs_get_sum_folio(sbi, segno); ++ ++ segno += SUMS_PER_BLOCK; + if (IS_ERR(sum_folio)) { + int err = PTR_ERR(sum_folio); + +- end_segno = segno - 1; +- for (segno = start_segno; segno < end_segno; segno++) { ++ end_segno = segno - SUMS_PER_BLOCK; ++ segno = rounddown(start_segno, SUMS_PER_BLOCK); ++ while (segno < end_segno) { + sum_folio = filemap_get_folio(META_MAPPING(sbi), + GET_SUM_BLOCK(sbi, segno)); + folio_put_refs(sum_folio, 2); ++ segno += SUMS_PER_BLOCK; + } + return err; + } +@@ -1790,68 +1796,83 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi, + + blk_start_plug(&plug); + +- for (segno = start_segno; segno < end_segno; segno++) { +- struct f2fs_summary_block *sum; ++ segno = start_segno; ++ while (segno < 
end_segno) { ++ unsigned int cur_segno; + + /* find segment summary of victim */ + struct folio *sum_folio = filemap_get_folio(META_MAPPING(sbi), + GET_SUM_BLOCK(sbi, segno)); ++ unsigned int block_end_segno = rounddown(segno, SUMS_PER_BLOCK) ++ + SUMS_PER_BLOCK; ++ ++ if (block_end_segno > end_segno) ++ block_end_segno = end_segno; + + if (is_cursec(sbi, GET_SEC_FROM_SEG(sbi, segno))) { + f2fs_err(sbi, "%s: segment %u is used by log", + __func__, segno); + f2fs_bug_on(sbi, 1); +- goto skip; ++ goto next_block; + } + +- if (get_valid_blocks(sbi, segno, false) == 0) +- goto freed; +- if (gc_type == BG_GC && __is_large_section(sbi) && +- migrated >= sbi->migration_granularity) +- goto skip; + if (!folio_test_uptodate(sum_folio) || + unlikely(f2fs_cp_error(sbi))) +- goto skip; ++ goto next_block; + +- sum = folio_address(sum_folio); +- if (type != GET_SUM_TYPE((&sum->footer))) { +- f2fs_err(sbi, "Inconsistent segment (%u) type [%d, %d] in SIT and SSA", +- segno, type, GET_SUM_TYPE((&sum->footer))); +- f2fs_stop_checkpoint(sbi, false, +- STOP_CP_REASON_CORRUPTED_SUMMARY); +- goto skip; +- } ++ for (cur_segno = segno; cur_segno < block_end_segno; ++ cur_segno++) { ++ struct f2fs_summary_block *sum; + +- /* +- * this is to avoid deadlock: +- * - lock_page(sum_page) - f2fs_replace_block +- * - check_valid_map() - down_write(sentry_lock) +- * - down_read(sentry_lock) - change_curseg() +- * - lock_page(sum_page) +- */ +- if (type == SUM_TYPE_NODE) +- submitted += gc_node_segment(sbi, sum->entries, segno, +- gc_type); +- else +- submitted += gc_data_segment(sbi, sum->entries, gc_list, +- segno, gc_type, +- force_migrate); ++ if (get_valid_blocks(sbi, cur_segno, false) == 0) ++ goto freed; ++ if (gc_type == BG_GC && __is_large_section(sbi) && ++ migrated >= sbi->migration_granularity) ++ continue; + +- stat_inc_gc_seg_count(sbi, data_type, gc_type); +- sbi->gc_reclaimed_segs[sbi->gc_mode]++; +- migrated++; ++ sum = SUM_BLK_PAGE_ADDR(sum_folio, cur_segno); ++ if (type != 
GET_SUM_TYPE((&sum->footer))) { ++ f2fs_err(sbi, "Inconsistent segment (%u) type " ++ "[%d, %d] in SSA and SIT", ++ cur_segno, type, ++ GET_SUM_TYPE((&sum->footer))); ++ f2fs_stop_checkpoint(sbi, false, ++ STOP_CP_REASON_CORRUPTED_SUMMARY); ++ continue; ++ } + +-freed: +- if (gc_type == FG_GC && +- get_valid_blocks(sbi, segno, false) == 0) +- seg_freed++; ++ /* ++ * this is to avoid deadlock: ++ * - lock_page(sum_page) - f2fs_replace_block ++ * - check_valid_map() - down_write(sentry_lock) ++ * - down_read(sentry_lock) - change_curseg() ++ * - lock_page(sum_page) ++ */ ++ if (type == SUM_TYPE_NODE) ++ submitted += gc_node_segment(sbi, sum->entries, ++ cur_segno, gc_type); ++ else ++ submitted += gc_data_segment(sbi, sum->entries, ++ gc_list, cur_segno, ++ gc_type, force_migrate); + +- if (__is_large_section(sbi)) +- sbi->next_victim_seg[gc_type] = +- (segno + 1 < sec_end_segno) ? +- segno + 1 : NULL_SEGNO; +-skip: ++ stat_inc_gc_seg_count(sbi, data_type, gc_type); ++ sbi->gc_reclaimed_segs[sbi->gc_mode]++; ++ migrated++; ++ ++freed: ++ if (gc_type == FG_GC && ++ get_valid_blocks(sbi, cur_segno, false) == 0) ++ seg_freed++; ++ ++ if (__is_large_section(sbi)) ++ sbi->next_victim_seg[gc_type] = ++ (cur_segno + 1 < sec_end_segno) ? 
++ cur_segno + 1 : NULL_SEGNO; ++ } ++next_block: + folio_put_refs(sum_folio, 2); ++ segno = block_end_segno; + } + + if (submitted) +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index 215e442db72c8..af72309b9bfc6 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -519,7 +519,7 @@ static int check_index_in_prev_nodes(struct f2fs_sb_info *sbi, + sum_folio = f2fs_get_sum_folio(sbi, segno); + if (IS_ERR(sum_folio)) + return PTR_ERR(sum_folio); +- sum_node = folio_address(sum_folio); ++ sum_node = SUM_BLK_PAGE_ADDR(sum_folio, segno); + sum = sum_node->entries[blkoff]; + f2fs_folio_put(sum_folio, true); + got_it: +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index b45eace879d74..ac84559dc2693 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2712,7 +2712,15 @@ struct folio *f2fs_get_sum_folio(struct f2fs_sb_info *sbi, unsigned int segno) + void f2fs_update_meta_page(struct f2fs_sb_info *sbi, + void *src, block_t blk_addr) + { +- struct folio *folio = f2fs_grab_meta_folio(sbi, blk_addr); ++ struct folio *folio; ++ ++ if (SUMS_PER_BLOCK == 1) ++ folio = f2fs_grab_meta_folio(sbi, blk_addr); ++ else ++ folio = f2fs_get_meta_folio_retry(sbi, blk_addr); ++ ++ if (IS_ERR(folio)) ++ return; + + memcpy(folio_address(folio), src, PAGE_SIZE); + folio_mark_dirty(folio); +@@ -2720,9 +2728,21 @@ void f2fs_update_meta_page(struct f2fs_sb_info *sbi, + } + + static void write_sum_page(struct f2fs_sb_info *sbi, +- struct f2fs_summary_block *sum_blk, block_t blk_addr) ++ struct f2fs_summary_block *sum_blk, unsigned int segno) + { +- f2fs_update_meta_page(sbi, (void *)sum_blk, blk_addr); ++ struct folio *folio; ++ ++ if (SUMS_PER_BLOCK == 1) ++ return f2fs_update_meta_page(sbi, (void *)sum_blk, ++ GET_SUM_BLOCK(sbi, segno)); ++ ++ folio = f2fs_get_sum_folio(sbi, segno); ++ if (IS_ERR(folio)) ++ return; ++ ++ memcpy(SUM_BLK_PAGE_ADDR(folio, segno), sum_blk, sizeof(*sum_blk)); ++ folio_mark_dirty(folio); ++ f2fs_folio_put(folio, true); + } + + static 
void write_current_sum_page(struct f2fs_sb_info *sbi, +@@ -2987,7 +3007,7 @@ static int new_curseg(struct f2fs_sb_info *sbi, int type, bool new_sec) + int ret; + + if (curseg->inited) +- write_sum_page(sbi, curseg->sum_blk, GET_SUM_BLOCK(sbi, segno)); ++ write_sum_page(sbi, curseg->sum_blk, segno); + + segno = __get_next_segno(sbi, type); + ret = get_new_segment(sbi, &segno, new_sec, pinning); +@@ -3046,7 +3066,7 @@ static int change_curseg(struct f2fs_sb_info *sbi, int type) + struct folio *sum_folio; + + if (curseg->inited) +- write_sum_page(sbi, curseg->sum_blk, GET_SUM_BLOCK(sbi, curseg->segno)); ++ write_sum_page(sbi, curseg->sum_blk, curseg->segno); + + __set_test_and_inuse(sbi, new_segno); + +@@ -3065,7 +3085,7 @@ static int change_curseg(struct f2fs_sb_info *sbi, int type) + memset(curseg->sum_blk, 0, SUM_ENTRY_SIZE); + return PTR_ERR(sum_folio); + } +- sum_node = folio_address(sum_folio); ++ sum_node = SUM_BLK_PAGE_ADDR(sum_folio, new_segno); + memcpy(curseg->sum_blk, sum_node, SUM_ENTRY_SIZE); + f2fs_folio_put(sum_folio, true); + return 0; +@@ -3154,8 +3174,7 @@ static void __f2fs_save_inmem_curseg(struct f2fs_sb_info *sbi, int type) + goto out; + + if (get_valid_blocks(sbi, curseg->segno, false)) { +- write_sum_page(sbi, curseg->sum_blk, +- GET_SUM_BLOCK(sbi, curseg->segno)); ++ write_sum_page(sbi, curseg->sum_blk, curseg->segno); + } else { + mutex_lock(&DIRTY_I(sbi)->seglist_lock); + __set_test_and_free(sbi, curseg->segno, true); +@@ -3833,8 +3852,7 @@ int f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct folio *folio, + if (segment_full) { + if (type == CURSEG_COLD_DATA_PINNED && + !((curseg->segno + 1) % sbi->segs_per_sec)) { +- write_sum_page(sbi, curseg->sum_blk, +- GET_SUM_BLOCK(sbi, curseg->segno)); ++ write_sum_page(sbi, curseg->sum_blk, curseg->segno); + reset_curseg_fields(curseg); + goto skip_new_segment; + } +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 1ce2c8abaf488..e883f14c228f2 100644 +--- a/fs/f2fs/segment.h ++++ 
b/fs/f2fs/segment.h +@@ -85,8 +85,12 @@ static inline void sanity_check_seg_type(struct f2fs_sb_info *sbi, + #define GET_ZONE_FROM_SEG(sbi, segno) \ + GET_ZONE_FROM_SEC(sbi, GET_SEC_FROM_SEG(sbi, segno)) + +-#define GET_SUM_BLOCK(sbi, segno) \ +- ((sbi)->sm_info->ssa_blkaddr + (segno)) ++#define SUMS_PER_BLOCK (F2FS_BLKSIZE / F2FS_SUM_BLKSIZE) ++#define GET_SUM_BLOCK(sbi, segno) \ ++ (SM_I(sbi)->ssa_blkaddr + (segno / SUMS_PER_BLOCK)) ++#define GET_SUM_BLKOFF(segno) (segno % SUMS_PER_BLOCK) ++#define SUM_BLK_PAGE_ADDR(folio, segno) \ ++ (folio_address(folio) + GET_SUM_BLKOFF(segno) * F2FS_SUM_BLKSIZE) + + #define GET_SUM_TYPE(footer) ((footer)->entry_type) + #define SET_SUM_TYPE(footer, type) ((footer)->entry_type = (type)) +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index db7afb8064115..9085b4a511a48 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -4051,6 +4051,20 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, + if (sanity_check_area_boundary(sbi, folio, index)) + return -EFSCORRUPTED; + ++ /* ++ * Check for legacy summary layout on 16KB+ block devices. ++ * Modern f2fs-tools packs multiple 4KB summary areas into one block, ++ * whereas legacy versions used one block per summary, leading ++ * to a much larger SSA. ++ */ ++ if (SUMS_PER_BLOCK > 1 && ++ !(__F2FS_HAS_FEATURE(raw_super, F2FS_FEATURE_PACKED_SSA))) { ++ f2fs_info(sbi, "Error: Device formatted with a legacy version. " ++ "Please reformat with a tool supporting the packed ssa " ++ "feature for block sizes larger than 4kb."); ++ return -EOPNOTSUPP; ++ } ++ + return 0; + } + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 6d2a4fba68a29..5685b454bfd12 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -235,6 +235,9 @@ static ssize_t features_show(struct f2fs_attr *a, + if (f2fs_sb_has_compression(sbi)) + len += sysfs_emit_at(buf, len, "%s%s", + len ? ", " : "", "compression"); ++ if (f2fs_sb_has_packed_ssa(sbi)) ++ len += sysfs_emit_at(buf, len, "%s%s", ++ len ? 
", " : "", "packed_ssa"); + len += sysfs_emit_at(buf, len, "%s%s", + len ? ", " : "", "pin_file"); + len += sysfs_emit_at(buf, len, "\n"); +@@ -1296,6 +1299,7 @@ F2FS_FEATURE_RO_ATTR(pin_file); + #ifdef CONFIG_UNICODE + F2FS_FEATURE_RO_ATTR(linear_lookup); + #endif ++F2FS_FEATURE_RO_ATTR(packed_ssa); + + #define ATTR_LIST(name) (&f2fs_attr_##name.attr) + static struct attribute *f2fs_attrs[] = { +@@ -1455,6 +1459,7 @@ static struct attribute *f2fs_feat_attrs[] = { + #ifdef CONFIG_UNICODE + BASE_ATTR_LIST(linear_lookup), + #endif ++ BASE_ATTR_LIST(packed_ssa), + NULL, + }; + ATTRIBUTE_GROUPS(f2fs_feat); +@@ -1490,6 +1495,7 @@ F2FS_SB_FEATURE_RO_ATTR(casefold, CASEFOLD); + F2FS_SB_FEATURE_RO_ATTR(compression, COMPRESSION); + F2FS_SB_FEATURE_RO_ATTR(readonly, RO); + F2FS_SB_FEATURE_RO_ATTR(device_alias, DEVICE_ALIAS); ++F2FS_SB_FEATURE_RO_ATTR(packed_ssa, PACKED_SSA); + + static struct attribute *f2fs_sb_feat_attrs[] = { + ATTR_LIST(sb_encryption), +@@ -1507,6 +1513,7 @@ static struct attribute *f2fs_sb_feat_attrs[] = { + ATTR_LIST(sb_compression), + ATTR_LIST(sb_readonly), + ATTR_LIST(sb_device_alias), ++ ATTR_LIST(sb_packed_ssa), + NULL, + }; + ATTRIBUTE_GROUPS(f2fs_sb_feat); +diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h +index 6afb4a13b81d6..a7880787cad36 100644 +--- a/include/linux/f2fs_fs.h ++++ b/include/linux/f2fs_fs.h +@@ -17,6 +17,7 @@ + #define F2FS_LOG_SECTORS_PER_BLOCK (PAGE_SHIFT - 9) /* log number for sector/blk */ + #define F2FS_BLKSIZE PAGE_SIZE /* support only block == page */ + #define F2FS_BLKSIZE_BITS PAGE_SHIFT /* bits for F2FS_BLKSIZE */ ++#define F2FS_SUM_BLKSIZE 4096 /* only support 4096 byte sum block */ + #define F2FS_MAX_EXTENSION 64 /* # of extension entries */ + #define F2FS_EXTENSION_LEN 8 /* max size of extension */ + +@@ -441,7 +442,7 @@ struct f2fs_sit_block { + * from node's page's beginning to get a data block address. 
+ * ex) data_blkaddr = (block_t)(nodepage_start_address + ofs_in_node) + */ +-#define ENTRIES_IN_SUM (F2FS_BLKSIZE / 8) ++#define ENTRIES_IN_SUM (F2FS_SUM_BLKSIZE / 8) + #define SUMMARY_SIZE (7) /* sizeof(struct f2fs_summary) */ + #define SUM_FOOTER_SIZE (5) /* sizeof(struct summary_footer) */ + #define SUM_ENTRY_SIZE (SUMMARY_SIZE * ENTRIES_IN_SUM) +@@ -467,7 +468,7 @@ struct summary_footer { + __le32 check_sum; /* summary checksum */ + } __packed; + +-#define SUM_JOURNAL_SIZE (F2FS_BLKSIZE - SUM_FOOTER_SIZE -\ ++#define SUM_JOURNAL_SIZE (F2FS_SUM_BLKSIZE - SUM_FOOTER_SIZE -\ + SUM_ENTRY_SIZE) + #define NAT_JOURNAL_ENTRIES ((SUM_JOURNAL_SIZE - 2) /\ + sizeof(struct nat_journal_entry)) +-- +2.51.0 + diff --git a/queue-6.18/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch b/queue-6.18/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch new file mode 100644 index 0000000000..c7c7389cac --- /dev/null +++ b/queue-6.18/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch 
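Review bot: The new error paths in `f2fs_update_meta_page()` and `write_sum_page()` (fs/f2fs/segment.c) drop the summary write silently: both are `void` and do `if (IS_ERR(folio)) return;`, so when `f2fs_get_meta_folio_retry()` or `f2fs_get_sum_folio()` fails the on-disk SSA stays stale and neither a caller nor the log shows it. At minimum report it before returning, e.g. `f2fs_err(sbi, "%s: cannot get summary folio for segno %u (%ld)", __func__, segno, PTR_ERR(folio));` (with `blk_addr` in `f2fs_update_meta_page()`); whether the callers could act on an error return is not visible in these hunks. Separately, the reworked macros in fs/f2fs/segment.h lost the argument parentheses the old `GET_SUM_BLOCK` had: `(segno / SUMS_PER_BLOCK)` and `(segno % SUMS_PER_BLOCK)` should be `((segno) / SUMS_PER_BLOCK)` and `((segno) % SUMS_PER_BLOCK)` so an expression argument keeps its meaning.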
@@ -0,0 +1,64 @@
+From ff77d29735316cb5ba75d65a86a26ed03345e829 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Nov 2025 12:15:35 +0100
+Subject: fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf
+
+[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ]
+
+After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"),
+the return values of utf8_to_utf32() and utf32_to_utf8() are
+inconsistent when encountering an error: utf8_to_utf32() returns -1,
+while utf32_to_utf8() returns errno codes. Fix this inconsistency
+by modifying utf8_to_utf32() to return errno codes as well.
+
+Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion")
+Suggested-by: Andy Shevchenko
+Reviewed-by: Andy Shevchenko
+Signed-off-by: Armin Wolf
+Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Sasha Levin
+---
+ fs/nls/nls_base.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
+index d434c4463a8f7..a5c3a9f1b8dc5 100644
+--- a/fs/nls/nls_base.c
++++ b/fs/nls/nls_base.c
+@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu)
+ l &= t->lmask;
+ if (l < t->lval || l > UNICODE_MAX ||
+ (l & SURROGATE_MASK) == SURROGATE_PAIR)
+- return -1;
++ return -EILSEQ;
++
+ *pu = (unicode_t) l;
+ return nc;
+ }
+ if (inlen <= nc)
+- return -1;
++ return -EOVERFLOW;
++
+ s++;
+ c = (*s ^ 0x80) & 0xFF;
+ if (c & 0xC0)
+- return -1;
++ return -EILSEQ;
++
+ l = (l << 6) | c;
+ }
+- return -1;
++ return -EILSEQ;
+ }
+ EXPORT_SYMBOL(utf8_to_utf32);
+
+--
+2.51.0
+
diff --git a/queue-6.18/fs-nls-fix-utf16-to-utf8-conversion.patch b/queue-6.18/fs-nls-fix-utf16-to-utf8-conversion.patch
new file mode 100644
index 0000000000..1462287f58
--- /dev/null
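Review bot: The error return of `utf8_to_utf32()` changes from `-1` to `-EILSEQ`/`-EOVERFLOW`, so any caller that tests `== -1` instead of `< 0` would now take a negative errno for a byte count and advance its pointers by it; the callers are outside this hunk and need to be checked in each tree this is queued for. The new contract is also undocumented; a comment above the function along the lines of `/* Returns bytes consumed, -EILSEQ for a malformed or out-of-range sequence, -EOVERFLOW if the input ends inside a sequence */` would pin it down. The function starts before the hunk, so the exact placement is inferred.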
+++ b/queue-6.18/fs-nls-fix-utf16-to-utf8-conversion.patch 
@@ -0,0 +1,81 @@
+From e2c9c317146f15301a401e03a768ab0a2c378e46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Nov 2025 14:11:22 +0100
+Subject: fs/nls: Fix utf16 to utf8 conversion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf
+
+[ Upstream commit 25524b6190295577e4918c689644451365e6466d ]
+
+Currently the function responsible for converting between utf16 and
+utf8 strings will ignore any characters that cannot be converted. This
+however also includes multi-byte characters that do not fit into the
+provided string buffer.
+
+This can cause problems if such a multi-byte character is followed by
+a single-byte character. In such a case the multi-byte character might
+be ignored when the provided string buffer is too small, but the
+single-byte character might fit and is thus still copied into the
+resulting string.
+
+Fix this by stop filling the provided string buffer once a character
+does not fit. In order to be able to do this extend utf32_to_utf8()
+to return useful errno codes instead of -1.
+
+Fixes: 74675a58507e ("NLS: update handling of Unicode")
+Signed-off-by: Armin Wolf
+Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Sasha Levin
+---
+ fs/nls/nls_base.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
+index 18d597e49a194..d434c4463a8f7 100644
+--- a/fs/nls/nls_base.c
++++ b/fs/nls/nls_base.c
+@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
+
+ l = u;
+ if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR)
+- return -1;
++ return -EILSEQ;
+
+ nc = 0;
+ for (t = utf8_table; t->cmask && maxout; t++, maxout--) {
+@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
+ return nc;
+ }
+ }
+- return -1;
++ return -EOVERFLOW;
+ }
+ EXPORT_SYMBOL(utf32_to_utf8);
+
+@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian,
+ inlen--;
+ }
+ size = utf32_to_utf8(u, op, maxout);
+- if (size == -1) {
+- /* Ignore character and move on */
++ if (size < 0) {
++ if (size == -EILSEQ) {
++ /* Ignore character and move on */
++ continue;
++ }
++ /*
++ * Stop filling the buffer with data once a character
++ * does not fit anymore.
++ */
++ break;
+ } else {
+ op += size;
+ maxout -= size;
+--
+2.51.0
+
diff --git a/queue-6.18/gpio-tb10x-fix-of_gpio-dependency.patch b/queue-6.18/gpio-tb10x-fix-of_gpio-dependency.patch
new file mode 100644
index 0000000000..a4678d6bb4
--- /dev/null
+++ b/queue-6.18/gpio-tb10x-fix-of_gpio-dependency.patch
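Review bot: In the `utf16s_to_utf8s()` hunk the new `break` ends the conversion as soon as one character does not fit, but nothing visible here tells the caller that the output was cut short; if the function only reports the bytes written (its return is outside the hunk), a caller that treats the result as the complete string will carry on with a truncated name. That behaviour should at least be stated in the function's comment, e.g. `/* Conversion stops at the first character that does not fit in maxout; the result may be a prefix of the input. */`. As a style point, the `else` that follows is redundant now that both arms of `if (size < 0)` leave via `continue` or `break`, and the `continue` also skips any loop-tail statements after the `if`/`else`, which the hunk does not show.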
@@ -0,0 +1,47 @@
+From f94266ac487c9233e6feae0e3ba60c57e0d118be Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Dec 2025 10:54:09 +0100
+Subject: gpio: tb10x: fix OF_GPIO dependency
+
+From: Arnd Bergmann
+
+[ Upstream commit dd44d4d0c55a4ecf5eabf7856f96ed47e0684780 ]
+
+Selecting OF_GPIO is generally not allowed, it always gets enabled
+when both GPIOLIB and OF are turned on.
+
+The tb10x driver now warns about this after it was enabled for
+compile-testing:
+
+WARNING: unmet direct dependencies detected for OF_GPIO
+ Depends on [n]: GPIOLIB [=y] && OF [=n] && HAS_IOMEM [=y]
+ Selected by [y]:
+ - GPIO_TB10X [=y] && GPIOLIB [=y] && HAS_IOMEM [=y] && (ARC_PLAT_TB10X || COMPILE_TEST [=y])
+
+OF_GPIO is not required for compile-testing and is already enabled
+when the driver is usable, so just drop the 'select' line.
+
+Fixes: 682fbb18e14c ("gpio: tb10x: allow building the module with COMPILE_TEST=y")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20251205095429.1291866-1-arnd@kernel.org
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig
+index 7ee3afbc2b05d..e053524c5e35f 100644
+--- a/drivers/gpio/Kconfig
++++ b/drivers/gpio/Kconfig
+@@ -738,7 +738,6 @@ config GPIO_TB10X
+ depends on ARC_PLAT_TB10X || COMPILE_TEST
+ select GPIO_GENERIC
+ select GENERIC_IRQ_CHIP
+- select OF_GPIO
+
+ config GPIO_TEGRA
+ tristate "NVIDIA Tegra GPIO support"
+--
+2.51.0
+
diff --git a/queue-6.18/i2c-spacemit-fix-detect-issue.patch b/queue-6.18/i2c-spacemit-fix-detect-issue.patch
new file mode 100644
index 0000000000..096ee9f4c4
--- /dev/null
+++ b/queue-6.18/i2c-spacemit-fix-detect-issue.patch
@@ -0,0 +1,96 @@
+From 2d72f2292faa764e9c5e6328f7acc1e87a7d459d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Nov 2025 21:21:50 +0800
+Subject: i2c: spacemit: fix detect issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Troy Mitchell
+
+[ Upstream commit 25faa5364638b86ec0d0edb4486daa9d40a0be8f ]
+
+This commit addresses two issues causing i2c detect to fail.
+
+The identified issues are:
+
+1. Incorrect error handling for BED (Bus Error No ACK/NAK):
+ Before this commit, Both ALD (Arbitration Loss Detected) and
+ BED returned -EAGAIN.
+2. Missing interrupt status clear after initialization in xfer():
+ On the K1 SoC, simply fixing the first issue changed the error
+ from -EAGAIN to -ETIMEOUT. Through tracing, it was determined that
+ this is likely due to MSD (Master Stop Detected) latency issues.
+
+ That means the MSD bit in the ISR may still be set on the next transfer.
+ As a result, the controller won't work — we can see from the scope that
+ it doesn't issue any signal.
+ (This only occurs during rapid consecutive I2C transfers.
+ That explains why the issue only shows up with i2cdetect.)
+
+With these two fixes, i2c device detection now functions correctly on the K1 SoC.
+
+Fixes: 5ea558473fa31 ("i2c: spacemit: add support for SpacemiT K1 SoC")
+Tested-by: Aurelien Jarno
+Signed-off-by: Troy Mitchell
+Reviewed-by: Aurelien Jarno
+Tested-by: Michael Opdenacker
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20251113-fix-k1-detect-failure-v2-1-b02a9a74f65a@linux.spacemit.com
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-k1.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-k1.c b/drivers/i2c/busses/i2c-k1.c
+index 6b918770e612e..d42c03ef5db59 100644
+--- a/drivers/i2c/busses/i2c-k1.c
++++ b/drivers/i2c/busses/i2c-k1.c
+@@ -158,11 +158,16 @@ static int spacemit_i2c_handle_err(struct spacemit_i2c_dev *i2c)
+ {
+ dev_dbg(i2c->dev, "i2c error status: 0x%08x\n", i2c->status);
+
+- if (i2c->status & (SPACEMIT_SR_BED | SPACEMIT_SR_ALD)) {
++ /* Arbitration Loss Detected */
++ if (i2c->status & SPACEMIT_SR_ALD) {
+ spacemit_i2c_reset(i2c);
+ return -EAGAIN;
+ }
+
++ /* Bus Error No ACK/NAK */
++ if (i2c->status & SPACEMIT_SR_BED)
++ spacemit_i2c_reset(i2c);
++
+ return i2c->status & SPACEMIT_SR_ACKNAK ? -ENXIO : -EIO;
+ }
+
+@@ -224,6 +229,12 @@ static void spacemit_i2c_check_bus_release(struct spacemit_i2c_dev *i2c)
+ }
+ }
+
++static inline void
++spacemit_i2c_clear_int_status(struct spacemit_i2c_dev *i2c, u32 mask)
++{
++ writel(mask & SPACEMIT_I2C_INT_STATUS_MASK, i2c->base + SPACEMIT_ISR);
++}
++
+ static void spacemit_i2c_init(struct spacemit_i2c_dev *i2c)
+ {
+ u32 val;
+@@ -267,12 +278,8 @@ static void spacemit_i2c_init(struct spacemit_i2c_dev *i2c)
+ val = readl(i2c->base + SPACEMIT_IRCR);
+ val |= SPACEMIT_RCR_SDA_GLITCH_NOFIX;
+ writel(val, i2c->base + SPACEMIT_IRCR);
+-}
+
+-static inline void
+-spacemit_i2c_clear_int_status(struct spacemit_i2c_dev *i2c, u32 mask)
+-{
+- writel(mask & SPACEMIT_I2C_INT_STATUS_MASK, i2c->base + SPACEMIT_ISR);
++ spacemit_i2c_clear_int_status(i2c, SPACEMIT_I2C_INT_STATUS_MASK);
+ }
+
+ static void spacemit_i2c_start(struct spacemit_i2c_dev *i2c)
+--
+2.51.0
+
diff --git a/queue-6.18/io_uring-kbuf-use-read_once-for-userspace-mapped-mem.patch b/queue-6.18/io_uring-kbuf-use-read_once-for-userspace-mapped-mem.patch
new file mode 100644
index 0000000000..6f68736a13
--- /dev/null
+++ b/queue-6.18/io_uring-kbuf-use-read_once-for-userspace-mapped-mem.patch
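Review bot: The `spacemit_i2c_clear_int_status(i2c, SPACEMIT_I2C_INT_STATUS_MASK);` call added at the end of `spacemit_i2c_init()` carries no comment, and its reason (a stale MSD bit from the previous transfer leaving the controller silent) is recorded only in the commit message. Add `/* Clear stale status bits (e.g. a late MSD from the previous transfer) before the next transfer */` above it. In `spacemit_i2c_handle_err()` the new BED branch resets the controller and then deliberately falls through to the ACKNAK return, unlike the ALD branch above it; a one-line note such as `/* no early return: report -ENXIO/-EIO below */` would keep it from being "corrected" back to an early `-EAGAIN`.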
@@ -0,0 +1,71 @@
+From f12e64633282be53038562fee27cf1bf2f5b6cbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Dec 2025 15:43:31 -0700
+Subject: io_uring/kbuf: use READ_ONCE() for userspace-mapped memory
+
+From: Caleb Sander Mateos
+
+[ Upstream commit 78385c7299f7514697d196b3233a91bd5e485591 ]
+
+The struct io_uring_buf elements in a buffer ring are in a memory region
+accessible from userspace. A malicious/buggy userspace program could
+therefore write to them at any time, so they should be accessed with
+READ_ONCE() in the kernel. Commit 98b6fa62c84f ("io_uring/kbuf: always
+use READ_ONCE() to read ring provided buffer lengths") already switched
+the reads of the len field to READ_ONCE(). Do the same for bid and addr.
+
+Signed-off-by: Caleb Sander Mateos
+Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
+Cc: Joanne Koong
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ io_uring/kbuf.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
+index a727e020fe036..d974381d93ff7 100644
+--- a/io_uring/kbuf.c
++++ b/io_uring/kbuf.c
+@@ -44,7 +44,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
+ buf_len -= this_len;
+ /* Stop looping for invalid buffer length of 0 */
+ if (buf_len || !this_len) {
+- buf->addr += this_len;
++ buf->addr = READ_ONCE(buf->addr) + this_len;
+ buf->len = buf_len;
+ return false;
+ }
+@@ -198,9 +198,9 @@ static struct io_br_sel io_ring_buffer_select(struct io_kiocb *req, size_t *len,
+ if (*len == 0 || *len > buf_len)
+ *len = buf_len;
+ req->flags |= REQ_F_BUFFER_RING | REQ_F_BUFFERS_COMMIT;
+- req->buf_index = buf->bid;
++ req->buf_index = READ_ONCE(buf->bid);
+ sel.buf_list = bl;
+- sel.addr = u64_to_user_ptr(buf->addr);
++ sel.addr = u64_to_user_ptr(READ_ONCE(buf->addr));
+
+ if (io_should_commit(req, issue_flags)) {
+ io_kbuf_commit(req, sel.buf_list, *len, 1);
+@@ -280,7 +280,7 @@ static int io_ring_buffers_peek(struct io_kiocb *req, struct buf_sel_arg *arg,
+ if (!arg->max_len)
+ arg->max_len = INT_MAX;
+
+- req->buf_index = buf->bid;
++ req->buf_index = READ_ONCE(buf->bid);
+ do {
+ u32 len = READ_ONCE(buf->len);
+
+@@ -295,7 +295,7 @@ static int io_ring_buffers_peek(struct io_kiocb *req, struct buf_sel_arg *arg,
+ }
+ }
+
+- iov->iov_base = u64_to_user_ptr(buf->addr);
++ iov->iov_base = u64_to_user_ptr(READ_ONCE(buf->addr));
+ iov->iov_len = len;
+ iov++;
+
+--
+2.51.0
+
diff --git a/queue-6.18/kbuild-install-extmod-build-properly-fix-cc-expansio.patch b/queue-6.18/kbuild-install-extmod-build-properly-fix-cc-expansio.patch
new file mode 100644
index 0000000000..12f41dbed6
--- /dev/null
+++ b/queue-6.18/kbuild-install-extmod-build-properly-fix-cc-expansio.patch
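Review bot: In `io_kbuf_inc_commit()` the new line marks the load of `buf->addr` with `READ_ONCE()` but writes the sum back with a plain store, and the adjacent `buf->len = buf_len;` is a plain store as well; since the premise of the change is that userspace can touch this memory at any time, the stores deserve the same marking, `WRITE_ONCE(buf->addr, READ_ONCE(buf->addr) + this_len);`. The address advanced here is also re-read from the ring, so it need not be the one the finished I/O used if userspace rewrote the entry in between; whether that matters depends on code outside the hunk. A comment where `buf` is obtained, such as `/* ring entry is userspace-mapped: read each field once into a local and use only the local */`, would help keep plain accesses from creeping back in; all four functions extend beyond their hunks.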
@@ -0,0 +1,51 @@
+From 009f7eadade266c5401c04a74dee32fadcc7ca0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Nov 2025 08:43:51 +0200
+Subject: kbuild: install-extmod-build: Properly fix CC expansion when ccache
+ is used
+
+From: Abel Vesa
+
+[ Upstream commit 4ab2ee307983548b29ddaab0ecaef82d526cf4c9 ]
+
+Currently, when cross-compiling and ccache is used, the expanding of CC
+turns out to be without any quotes, leading to the following error:
+
+make[4]: *** No rule to make target 'aarch64-linux-gnu-gcc'. Stop.
+make[3]: *** [Makefile:2164: run-command] Error 2
+
+And it makes sense, because after expansion it ends up like this:
+
+make run-command KBUILD_RUN_COMMAND=+$(MAKE) \
+HOSTCC=ccache aarch64-linux-gnu-gcc VPATH= srcroot=. $(build)= ...
+
+So add another set of double quotes to surround whatever CC expands to
+to make sure the aarch64-linux-gnu-gcc isn't expanded to something that
+looks like an entirely separate target.
+
+Fixes: 140332b6ed72 ("kbuild: fix linux-headers package build when $(CC) cannot link userspace")
+Signed-off-by: Abel Vesa
+Reviewed-by: Nicolas Schier
+Link: https://patch.msgid.link/20251111-kbuild-install-extmod-build-fix-cc-expand-third-try-v2-1-15ba1b37e71a@linaro.org
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Sasha Levin
+---
+ scripts/package/install-extmod-build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/package/install-extmod-build b/scripts/package/install-extmod-build
+index 054fdf45cc37a..2576cf7902dbb 100755
+--- a/scripts/package/install-extmod-build
++++ b/scripts/package/install-extmod-build
+@@ -63,7 +63,7 @@ if [ "${CC}" != "${HOSTCC}" ]; then
+ # Clear VPATH and srcroot because the source files reside in the output
+ # directory.
+ # shellcheck disable=SC2016 # $(MAKE) and $(build) will be expanded by Make
+- "${MAKE}" run-command KBUILD_RUN_COMMAND='+$(MAKE) HOSTCC='"${CC}"' VPATH= srcroot=. $(build)='"$(realpath --relative-to=. "${destdir}")"/scripts
++ "${MAKE}" run-command KBUILD_RUN_COMMAND='+$(MAKE) HOSTCC="'"${CC}"'" VPATH= srcroot=. $(build)='"$(realpath --relative-to=. "${destdir}")"/scripts
+
+ rm -f "${destdir}/scripts/Kbuild"
+ fi
+--
+2.51.0
+
diff --git a/queue-6.18/nfs-automounted-filesystems-should-inherit-ro-noexec.patch b/queue-6.18/nfs-automounted-filesystems-should-inherit-ro-noexec.patch
new file mode 100644
index 0000000000..62febf62d2
--- /dev/null
+++ b/queue-6.18/nfs-automounted-filesystems-should-inherit-ro-noexec.patch
@@ -0,0 +1,65 @@ +From 403d572b85309320d73814a4675aa5e89ea5b9b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 14:22:44 -0500 +Subject: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync + flags + +From: Trond Myklebust + +[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ] + +When a filesystem is being automounted, it needs to preserve the +user-set superblock mount options, such as the "ro" flag. + +Reported-by: Li Lingfeng +Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ +Fixes: f2aedb713c28 ("NFS: Add fs_context support.") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/namespace.c | 6 ++++++ + fs/nfs/super.c | 4 ---- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index 5a4d193da1a98..dca055676c4f3 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path) + struct vfsmount *mnt = ERR_PTR(-ENOMEM); + struct nfs_server *server = NFS_SB(path->dentry->d_sb); + struct nfs_client *client = server->nfs_client; ++ unsigned long s_flags = path->dentry->d_sb->s_flags; + int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout); + int ret; + +@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path) + fc->net_ns = get_net(client->cl_net); + } + ++ /* Inherit the flags covered by NFS_SB_MASK */ ++ fc->sb_flags_mask |= NFS_SB_MASK; ++ fc->sb_flags &= ~NFS_SB_MASK; ++ fc->sb_flags |= s_flags & NFS_SB_MASK; ++ + /* for submounts we want the same server; referrals will reassign */ + memcpy(&ctx->nfs_server._address, &client->cl_addr, client->cl_addrlen); + ctx->nfs_server.addrlen = client->cl_addrlen; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 9b9464e70a7f0..66413133b43e3 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1315,10 +1315,6 @@ int nfs_get_tree_common(struct fs_context *fc) + if (server->flags & 
NFS_MOUNT_NOAC) + fc->sb_flags |= SB_SYNCHRONOUS; + +- if (ctx->clone_data.sb) +- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS) +- fc->sb_flags |= SB_SYNCHRONOUS; +- + /* Get a superblock - note that we may end up sharing one that already exists */ + fc->s_fs_info = server; + s = sget_fc(fc, compare_super, nfs_set_super); +-- +2.51.0 + diff --git a/queue-6.18/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch b/queue-6.18/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch new file mode 100644 index 0000000000..92ea61d3e7 --- /dev/null +++ b/queue-6.18/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch 
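Review bot: The three added `fc->sb_flags` lines in nfs_d_automount() carry restrictions from the parent superblock into the submount, but the comment only names `NFS_SB_MASK`, whose definition is outside this hunk. A reader cannot tell from here which flags are inherited or why the mask is also ORed into `fc->sb_flags_mask`. I would expand the comment to something like `/* A submount must not be less restricted than its parent: copy the NFS_SB_MASK bits of the parent's s_flags */`. `s_flags` is sampled once at function entry with a plain load, so a word on whether a concurrent remount of the parent matters would also help. The function body starts and ends outside the hunk.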
@@ -0,0 +1,97 @@ +From 978c50590892831825e75df2d86345a2d20fadd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 15:28:17 -0500 +Subject: NFS: Avoid changing nlink when file removes and attribute updates + race + +From: Trond Myklebust + +[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ] + +If a file removal races with another operation that updates its +attributes, then skip the change to nlink, and just mark the attributes +as being stale. + +Reported-by: Aiden Lambert +Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index ea9f6ca8f30fa..d557b0443e8b0 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1894,13 +1894,15 @@ static int nfs_dentry_delete(const struct dentry *dentry) + } + + /* Ensure that we revalidate inode->i_nlink */ +-static void nfs_drop_nlink(struct inode *inode) ++static void nfs_drop_nlink(struct inode *inode, unsigned long gencount) + { ++ struct nfs_inode *nfsi = NFS_I(inode); ++ + spin_lock(&inode->i_lock); + /* drop the inode if we're reasonably sure this is the last link */ +- if (inode->i_nlink > 0) ++ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount) + drop_nlink(inode); +- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter(); ++ nfsi->attr_gencount = nfs_inc_attr_generation_counter(); + nfs_set_cache_invalid( + inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME | + NFS_INO_INVALID_NLINK); +@@ -1914,8 +1916,9 @@ static void nfs_drop_nlink(struct inode *inode) + static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode) + { + if (dentry->d_flags & DCACHE_NFSFS_RENAMED) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); + nfs_complete_unlink(dentry, inode); +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, 
gencount); + } + iput(inode); + } +@@ -2507,9 +2510,11 @@ static int nfs_safe_remove(struct dentry *dentry) + + trace_nfs_remove_enter(dir, dentry); + if (inode != NULL) { ++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount); ++ + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == 0) +- nfs_drop_nlink(inode); ++ nfs_drop_nlink(inode, gencount); + } else + error = NFS_PROTO(dir)->remove(dir, dentry); + if (error == -ENOENT) +@@ -2709,6 +2714,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + { + struct inode *old_inode = d_inode(old_dentry); + struct inode *new_inode = d_inode(new_dentry); ++ unsigned long new_gencount = 0; + struct dentry *dentry = NULL; + struct rpc_task *task; + bool must_unblock = false; +@@ -2761,6 +2767,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + } else { + block_revalidate(new_dentry); + must_unblock = true; ++ new_gencount = NFS_I(new_inode)->attr_gencount; + spin_unlock(&new_dentry->d_lock); + } + +@@ -2800,7 +2807,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + new_dir, new_dentry, error); + if (!error) { + if (new_inode != NULL) +- nfs_drop_nlink(new_inode); ++ nfs_drop_nlink(new_inode, new_gencount); + /* + * The d_move() should be here instead of in an async RPC completion + * handler because we need the proper locks to move the dentry. If +-- +2.51.0 + diff --git a/queue-6.18/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch b/queue-6.18/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch new file mode 100644 index 0000000000..d8c7e6d6b3 --- /dev/null +++ b/queue-6.18/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch 
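Review bot: In nfs_rename() the snapshot is taken with a plain load, `new_gencount = NFS_I(new_inode)->attr_gencount;`, while nfs_dentry_iput() and nfs_safe_remove() in the same patch use `READ_ONCE()` for the same field. The later comparison in nfs_drop_nlink() runs under `inode->i_lock`, but this read happens under `new_dentry->d_lock` only, so the marked access would be consistent: `new_gencount = READ_ONCE(NFS_I(new_inode)->attr_gencount);`. `new_gencount` also stays 0 on every path that does not reach this else branch, so nfs_drop_nlink() would then call drop_nlink() only if the inode's counter happens to be 0. That looks intended but deserves a one-line comment at the declaration. nfs_rename() extends beyond the hunks shown.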
@@ -0,0 +1,178 @@ +From 552d8e275fecc467bd26ff857420c8c1f9b7126e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 16:06:41 -0500 +Subject: NFS: Fix inheritance of the block sizes when automounting + +From: Trond Myklebust + +[ Upstream commit 2b092175f5e301cdaa935093edfef2be9defb6df ] + +Only inherit the block sizes that were actually specified as mount +parameters for the parent mount. + +Fixes: 62a55d088cd8 ("NFS: Additional refactoring for fs_context conversion") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 21 +++++++++++++++++---- + fs/nfs/internal.h | 1 - + fs/nfs/namespace.c | 5 ++++- + fs/nfs/nfs4client.c | 18 ++++++++++++++---- + fs/nfs/super.c | 10 +++------- + include/linux/nfs_fs_sb.h | 5 +++++ + 6 files changed, 43 insertions(+), 17 deletions(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 54699299d5b16..2aaea9c98c2cd 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -784,10 +784,18 @@ static int nfs_init_server(struct nfs_server *server, + server->fattr_valid = NFS_ATTR_FATTR_V4; + } + +- if (ctx->rsize) ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { + server->rsize = nfs_io_size(ctx->rsize, clp->cl_proto); +- if (ctx->wsize) ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { + server->wsize = nfs_io_size(ctx->wsize, clp->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +@@ -977,8 +985,13 @@ EXPORT_SYMBOL_GPL(nfs_probe_server); + void nfs_server_copy_userdata(struct nfs_server *target, struct nfs_server *source) + { + target->flags = source->flags; +- target->rsize = source->rsize; +- target->wsize = source->wsize; ++ target->automount_inherit = source->automount_inherit; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ 
target->bsize = source->bsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_RSIZE) ++ target->rsize = source->rsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_WSIZE) ++ target->wsize = source->wsize; + target->acregmin = source->acregmin; + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index ffd382aa31ac0..2e596244799f3 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -152,7 +152,6 @@ struct nfs_fs_context { + struct super_block *sb; + struct dentry *dentry; + struct nfs_fattr *fattr; +- unsigned int inherited_bsize; + } clone_data; + }; + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index dca055676c4f3..9e4d94f41fc67 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -190,6 +190,10 @@ struct vfsmount *nfs_d_automount(struct path *path) + ctx->nfs_mod = client->cl_nfs_mod; + get_nfs_version(ctx->nfs_mod); + ++ /* Inherit block sizes if they were specified as mount parameters */ ++ if (server->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ ctx->bsize = server->bsize; ++ + ret = client->rpc_ops->submount(fc, server); + if (ret < 0) { + mnt = ERR_PTR(ret); +@@ -289,7 +293,6 @@ int nfs_do_submount(struct fs_context *fc) + return -ENOMEM; + + ctx->internal = true; +- ctx->clone_data.inherited_bsize = ctx->clone_data.sb->s_blocksize_bits; + + p = nfs_devname(dentry, buffer, 4096); + if (IS_ERR(p)) { +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 3a4baed993c96..4ff0e9dd1145e 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1174,10 +1174,20 @@ static int nfs4_init_server(struct nfs_server *server, struct fs_context *fc) + if (error < 0) + return error; + +- if (ctx->rsize) +- server->rsize = nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); +- if (ctx->wsize) +- server->wsize = nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ 
server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { ++ server->rsize = ++ nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { ++ server->wsize = ++ nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 66413133b43e3..57d372db03b93 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1091,8 +1091,9 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) + sb->s_blocksize = 0; + sb->s_xattr = server->nfs_client->cl_nfs_mod->xattr; + sb->s_op = server->nfs_client->cl_nfs_mod->sops; +- if (ctx->bsize) +- sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits); ++ if (server->bsize) ++ sb->s_blocksize = ++ nfs_block_size(server->bsize, &sb->s_blocksize_bits); + + switch (server->nfs_client->rpc_ops->version) { + case 2: +@@ -1338,13 +1339,8 @@ int nfs_get_tree_common(struct fs_context *fc) + } + + if (!s->s_root) { +- unsigned bsize = ctx->clone_data.inherited_bsize; + /* initial superblock/root creation */ + nfs_fill_super(s, ctx); +- if (bsize) { +- s->s_blocksize_bits = bsize; +- s->s_blocksize = 1U << bsize; +- } + error = nfs_get_cache_cookie(s, ctx); + if (error < 0) + goto error_splat_super; +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index d30c0245031c0..30ac384e011a4 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -172,6 +172,11 @@ struct nfs_server { + #define NFS_MOUNT_FORCE_RDIRPLUS 0x20000000 + #define NFS_MOUNT_NETUNREACH_FATAL 0x40000000 + ++ unsigned int automount_inherit; /* Properties inherited by automount */ ++#define NFS_AUTOMOUNT_INHERIT_BSIZE 0x0001 ++#define NFS_AUTOMOUNT_INHERIT_RSIZE 0x0002 ++#define NFS_AUTOMOUNT_INHERIT_WSIZE 
0x0004 ++ + unsigned int caps; /* server capabilities */ + __u64 fattr_valid; /* Valid attributes */ + unsigned int rsize; /* read size */ +-- +2.51.0 + diff --git a/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch b/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch new file mode 100644 index 0000000000..a4ad79e04a --- /dev/null +++ b/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch 
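Review bot: The comment on the new `automount_inherit` field in struct nfs_server, "Properties inherited by automount", does not say when a bit is set. In nfs_init_server() and nfs4_init_server() each bit is set only when the matching `ctx->bsize`, `ctx->rsize` or `ctx->wsize` is non-zero, and nfs_server_copy_userdata() copies a size only when its bit is set. I would state that at the definition, e.g. `/* sizes given explicitly as mount parameters; only these are copied to automounted children */`. The bsize/rsize/wsize blocks are also duplicated almost verbatim between nfs_init_server() and nfs4_init_server(), which invites the two drifting apart.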
@@ -0,0 +1,69 @@ +From 4465f247a0c9ba7c9b48303826fe1efefa9146ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:43:21 -0500 +Subject: NFS: Initialise verifiers for visible dentries in + _nfs4_open_and_get_state + +From: Trond Myklebust + +[ Upstream commit 0f900f11002ff52391fc2aa4a75e59f26ed1c242 ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in _nfs4_open_and_get_state(). + +Reported-by: Michael Stoler +Fixes: cf5b4059ba71 ("NFSv4: Fix races between open and dentry revalidation") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 93c6ce04332b8..6f4e14fb7b9b8 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3174,18 +3174,6 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + if (opendata->o_res.rflags & NFS4_OPEN_RESULT_PRESERVE_UNLINKED) + set_bit(NFS_INO_PRESERVE_UNLINKED, &NFS_I(state->inode)->flags); + +- dentry = opendata->dentry; +- if (d_really_is_negative(dentry)) { +- struct dentry *alias; +- d_drop(dentry); +- alias = d_splice_alias(igrab(state->inode), dentry); +- /* d_splice_alias() can't fail here - it's a non-directory */ +- if (alias) { +- dput(ctx->dentry); +- ctx->dentry = dentry = alias; +- } +- } +- + switch(opendata->o_arg.claim) { + default: + break; +@@ -3196,7 +3184,20 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata, + break; + if (opendata->o_res.delegation.type != 0) + dir_verifier = nfs_save_change_attribute(dir); +- nfs_set_verifier(dentry, dir_verifier); ++ } ++ ++ dentry = opendata->dentry; ++ nfs_set_verifier(dentry, dir_verifier); ++ if (d_really_is_negative(dentry)) { ++ struct dentry *alias; ++ d_drop(dentry); ++ alias = d_splice_alias(igrab(state->inode), dentry); ++ /* d_splice_alias() can't fail here - it's a non-directory */ ++ if (alias) { ++ 
dput(ctx->dentry); ++ nfs_set_verifier(alias, dir_verifier); ++ ctx->dentry = dentry = alias; ++ } + } + + /* Parse layoutget results before we check for access */ +-- +2.51.0 + diff --git a/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch b/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch new file mode 100644 index 0000000000..e0b09f2717 --- /dev/null +++ b/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch @@ -0,0 +1,41 @@ +From 1dbfeb2c596c336f380d4ecbcfcbfb22f6b64bbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:39:50 -0500 +Subject: NFS: Initialise verifiers for visible dentries in nfs_atomic_open() + +From: Trond Myklebust + +[ Upstream commit 518c32a1bc4f8df1a8442ee8cdfea3e2fcff20a0 ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in nfs_atomic_open(). + +Reported-by: Michael Stoler +Fixes: 809fd143de88 ("NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 2eead7e85be5b..3b8250ee01412 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2144,12 +2144,12 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry, + d_drop(dentry); + switch (err) { + case -ENOENT: +- d_splice_alias(NULL, dentry); + if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE)) + dir_verifier = inode_peek_iversion_raw(dir); + else + dir_verifier = nfs_save_change_attribute(dir); + nfs_set_verifier(dentry, dir_verifier); ++ d_splice_alias(NULL, dentry); + break; + case -EISDIR: + case -ENOTDIR: +-- +2.51.0 + diff --git a/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch b/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch new file mode 100644 index 0000000000..f0771580ab --- /dev/null 
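Review bot: In _nfs4_open_and_get_state() the call `nfs_set_verifier(dentry, dir_verifier);` has moved out of the switch, so it now runs for every claim type and also on the paths that `break` early inside the case, where the verifier was previously left untouched. The initialisation of `dir_verifier` is outside the hunk, so I cannot confirm from here that its value is meaningful on those paths. If it is, a comment such as `/* set the verifier before d_splice_alias() makes the dentry visible */` above the call would record why the order matters. The function starts and ends outside the hunk.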
+++ b/queue-6.18/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch @@ -0,0 +1,62 @@ +From a66e611ea7fe15294b840660d5f2a552df4a7f29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:36:16 -0500 +Subject: NFS: Initialise verifiers for visible dentries in readdir and lookup + +From: Trond Myklebust + +[ Upstream commit 9bd545539b233725a3416801f7c374bff0327d6e ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in both nfs_prime_dcache() and nfs_lookup(). + +Reported-by: Michael Stoler +Fixes: a1147b8281bd ("NFS: Fix up directory verifier races") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index d557b0443e8b0..2eead7e85be5b 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -789,16 +789,17 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry, + goto out; + } + ++ nfs_set_verifier(dentry, dir_verifier); + inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr); + alias = d_splice_alias(inode, dentry); + d_lookup_done(dentry); + if (alias) { + if (IS_ERR(alias)) + goto out; ++ nfs_set_verifier(alias, dir_verifier); + dput(dentry); + dentry = alias; + } +- nfs_set_verifier(dentry, dir_verifier); + trace_nfs_readdir_lookup(d_inode(parent), dentry, 0); + out: + dput(dentry); +@@ -1994,13 +1995,14 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in + nfs_lookup_advise_force_readdirplus(dir, flags); + + no_entry: ++ nfs_set_verifier(dentry, dir_verifier); + res = d_splice_alias(inode, dentry); + if (res != NULL) { + if (IS_ERR(res)) + goto out; ++ nfs_set_verifier(res, dir_verifier); + dentry = res; + } +- nfs_set_verifier(dentry, dir_verifier); + out: + trace_nfs_lookup_exit(dir, dentry, flags, PTR_ERR_OR_ZERO(res)); + nfs_free_fattr(fattr); +-- +2.51.0 + 
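Review bot: nfs_prime_dcache() and nfs_lookup() now call `nfs_set_verifier()` twice, once on `dentry` before `d_splice_alias()` and once on the returned alias, but nothing in the code says that this ordering is the fix. A later cleanup could easily merge the two calls back into one after the splice. A short comment at the first call, e.g. `/* must precede d_splice_alias(): the verifier has to be valid once the dentry is spliced in */`, would guard against that. The same applies to the reordered call in nfs_atomic_open() in the preceding patch. Both function bodies extend beyond the hunks.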
diff --git a/queue-6.18/nfs-localio-remove-61-byte-hole-from-needless-____ca.patch b/queue-6.18/nfs-localio-remove-61-byte-hole-from-needless-____ca.patch new file mode 100644 index 0000000000..d970092231 --- /dev/null +++ b/queue-6.18/nfs-localio-remove-61-byte-hole-from-needless-____ca.patch @@ -0,0 +1,39 @@ +From 433f145569de4af6d9843ba8d2cfc8a47a5b9bcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 01:01:27 -0500 +Subject: nfs/localio: remove 61 byte hole from needless ____cacheline_aligned + +From: Mike Snitzer + +[ Upstream commit 0b873de2c02f9cc655bef6bee0eb9e404126ed6c ] + +struct nfs_local_kiocb used ____cacheline_aligned on its iters[] array +and as the structure evolved it caused a 61 byte hole to form. Fix +this by removing ____cacheline_aligned and reordering iters[] before +iter_is_dio_aligned[]. + +Fixes: 6a218b9c3183 ("nfs/localio: do not issue misaligned DIO out-of-order") +Signed-off-by: Mike Snitzer +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/localio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c +index 512d9c5ff608a..b98bb292fef0c 100644 +--- a/fs/nfs/localio.c ++++ b/fs/nfs/localio.c +@@ -43,8 +43,8 @@ struct nfs_local_kiocb { + size_t end_len; + short int end_iter_index; + atomic_t n_iters; ++ struct iov_iter iters[NFSLOCAL_MAX_IOS]; + bool iter_is_dio_aligned[NFSLOCAL_MAX_IOS]; +- struct iov_iter iters[NFSLOCAL_MAX_IOS] ____cacheline_aligned; + /* End mostly DIO-specific members */ + }; + +-- +2.51.0 + diff --git a/queue-6.18/nfs-localio-remove-alignment-size-checking-in-nfs_is.patch b/queue-6.18/nfs-localio-remove-alignment-size-checking-in-nfs_is.patch new file mode 100644 index 0000000000..681dee02f2 --- /dev/null +++ b/queue-6.18/nfs-localio-remove-alignment-size-checking-in-nfs_is.patch 
@@ -0,0 +1,39 @@ +From cc2c0ff7f005d6dfdbc39e65fd740fa8abacd6b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 01:01:26 -0500 +Subject: nfs/localio: remove alignment size checking in + nfs_is_local_dio_possible + +From: Mike Snitzer + +[ Upstream commit f50d0328d02fe38ba196a73c143e5d87e341d4f7 ] + +This check to ensure dio_offset_align isn't larger than PAGE_SIZE is +no longer relevant (older iterations of NFS Direct was allocating +misaligned head and tail pages but no longer does, so this check isn't +needed). + +Fixes: c817248fc831 ("nfs/localio: add proper O_DIRECT support for READ and WRITE") +Signed-off-by: Mike Snitzer +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/localio.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c +index 656976b4f42ce..512d9c5ff608a 100644 +--- a/fs/nfs/localio.c ++++ b/fs/nfs/localio.c +@@ -339,8 +339,6 @@ nfs_is_local_dio_possible(struct nfs_local_kiocb *iocb, int rw, + + if (unlikely(!nf_dio_mem_align || !nf_dio_offset_align)) + return false; +- if (unlikely(nf_dio_offset_align > PAGE_SIZE)) +- return false; + if (unlikely(len < nf_dio_offset_align)) + return false; + +-- +2.51.0 + diff --git a/queue-6.18/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch b/queue-6.18/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch new file mode 100644 index 0000000000..4e7716c228 --- /dev/null +++ b/queue-6.18/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch 
@@ -0,0 +1,43 @@ +From 1c198ebd08468bd62a80afc0f84b049e31e0094f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 18:02:42 +0000 +Subject: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in + pnfs_mark_layout_stateid_invalid + +From: Jonathan Curley + +[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ] + +Fixes a crash when layout is null during this call stack: + +write_inode + -> nfs4_write_inode + -> pnfs_layoutcommit_inode + +pnfs_set_layoutcommit relies on the lseg refcount to keep the layout +around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt +to reference a null layout. + +Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid") +Signed-off-by: Jonathan Curley +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index a3135b5af7eec..7ce2e840217cf 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -464,6 +464,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo, + struct pnfs_layout_segment *lseg, *next; + + set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags); ++ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags); + list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) + pnfs_clear_lseg_state(lseg, lseg_list); + pnfs_clear_layoutreturn_info(lo); +-- +2.51.0 + diff --git a/queue-6.18/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch b/queue-6.18/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch new file mode 100644 index 0000000000..9674b745f5 --- /dev/null +++ b/queue-6.18/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch 
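Review bot: The added `clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);` in pnfs_mark_layout_stateid_invalid() has no comment, and the reason for it is only in the commit message. I would add `/* the segments are being torn down: drop the pending LAYOUTCOMMIT flag so write_inode does not look for a layout that no longer exists */` above it. It also seems worth confirming that discarding a pending layoutcommit at this point cannot drop an update the server still needs, since nothing in the hunk shows how that case is handled. The function continues past the hunk.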
@@ -0,0 +1,38 @@ +From 5260e6d62f4435ba47e775adf8d49bdeda79f08b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Nov 2025 16:46:48 +0200 +Subject: nvme-auth: use kvfree() for memory allocated with kvcalloc() + +From: Israel Rukshin + +[ Upstream commit bb9f4cca7c031de6f0e85f7ba24abf0172829f85 ] + +Memory allocated by kvcalloc() may come from vmalloc or kmalloc, +so use kvfree() instead of kfree() for proper deallocation. + +Fixes: aa36d711e945 ("nvme-auth: convert dhchap_auth_list to an array") +Signed-off-by: Israel Rukshin +Reviewed-by: Max Gurtovoy +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c +index a01178caf15bb..8f3ccb317e4de 100644 +--- a/drivers/nvme/host/auth.c ++++ b/drivers/nvme/host/auth.c +@@ -1122,7 +1122,7 @@ void nvme_auth_free(struct nvme_ctrl *ctrl) + if (ctrl->dhchap_ctxs) { + for (i = 0; i < ctrl_max_dhchaps(ctrl); i++) + nvme_auth_free_dhchap(&ctrl->dhchap_ctxs[i]); +- kfree(ctrl->dhchap_ctxs); ++ kvfree(ctrl->dhchap_ctxs); + } + if (ctrl->host_key) { + nvme_auth_free_key(ctrl->host_key); +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch b/queue-6.18/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch new file mode 100644 index 0000000000..d3227e3e3c --- /dev/null +++ b/queue-6.18/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch 
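Review bot: After `kvfree(ctrl->dhchap_ctxs);` in nvme_auth_free() the pointer is left set in the lines visible here, so a second call or a later reader of `ctrl->dhchap_ctxs` would see a dangling pointer. If the rest of the function, which is outside the hunk, does not already clear it, add `ctrl->dhchap_ctxs = NULL;` right after the free. The contexts hold authentication state, so it is also worth checking that nvme_auth_free_dhchap() wipes any key material before the array itself is released. That helper is not shown here.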
@@ -0,0 +1,78 @@ +From dd97ff4eeb52b821a653bc9b89b5d2e3eb824716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 11:13:08 +0100 +Subject: platform/x86: asus-wmi: use brightness_set_blocking() for kbd led +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anton Khirnov + +[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ] + +kbd_led_set() can sleep, and so may not be used as the brightness_set() +callback. + +Otherwise using this led with a trigger leads to system hangs +accompanied by: +BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003 +CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1 +Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024 +Call Trace: + + [...] + schedule_timeout+0xbd/0x100 + __down_common+0x175/0x290 + down_timeout+0x67/0x70 + acpi_os_wait_semaphore+0x57/0x90 + [...] + asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi] + led_trigger_event+0x3f/0x60 + [...] 
+ +Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process") +Signed-off-by: Anton Khirnov +Reviewed-by: Andy Shevchenko +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index e72a2b5d158e9..8e3300f5c2943 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1619,14 +1619,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value) + kbd_led_update(asus); + } + +-static void kbd_led_set(struct led_classdev *led_cdev, +- enum led_brightness value) ++static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value) + { + /* Prevent disabling keyboard backlight on module unregister */ + if (led_cdev->flags & LED_UNREGISTERING) +- return; ++ return 0; + + do_kbd_led_set(led_cdev, value); ++ return 0; + } + + static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value) +@@ -1802,7 +1802,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus) + asus->kbd_led_wk = led_val; + asus->kbd_led.name = "asus::kbd_backlight"; + asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED; +- asus->kbd_led.brightness_set = kbd_led_set; ++ asus->kbd_led.brightness_set_blocking = kbd_led_set; + asus->kbd_led.brightness_get = kbd_led_get; + asus->kbd_led.max_brightness = 3; + +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch b/queue-6.18/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch new file mode 100644 index 0000000000..d3f9a8c8b4 --- /dev/null +++ b/queue-6.18/platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch 
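Review bot: kbd_led_set() now has the `int` return type that `brightness_set_blocking` expects, but it returns 0 on every path, including after `do_kbd_led_set()`, which is still `void`. If the call behind `kbd_led_update()` can fail, that failure remains invisible to the LED core and to user space. Consider letting `do_kbd_led_set()` return the status and ending with `return do_kbd_led_set(led_cdev, value);`. The body of do_kbd_led_set() is mostly outside the hunk, so whether an error value is available there needs checking.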
@@ -0,0 +1,44 @@ +From 3c546b3f55860f6a8de50ea3a89dc1b6edcaa72e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 14:45:29 -0700 +Subject: platform/x86:intel/pmc: Update Arrow Lake telemetry GUID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xi Pardee + +[ Upstream commit 644ab3bc98ee386f178d5209ae8170b3fac591aa ] + +Update ARL_PMT_DMU_GUID value. Arrow Lake PMT DMU GUID has been updated +after it was add to the driver. This updates ensures that the die C6 +value is available in the debug filesystem. + +Bugzilla Link: https://bugzilla.kernel.org/show_bug.cgi?id=220421 +Fixes: 83f168a1a437 ("platform/x86/intel/pmc: Add Arrow Lake S support to intel_pmc_core driver") +Tested-by: Mark Pearson +Signed-off-by: Xi Pardee +Link: https://patch.msgid.link/20251014214548.629023-2-xi.pardee@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/pmc/core.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/pmc/core.h b/drivers/platform/x86/intel/pmc/core.h +index f4dadb696a314..d6818bd34768e 100644 +--- a/drivers/platform/x86/intel/pmc/core.h ++++ b/drivers/platform/x86/intel/pmc/core.h +@@ -282,7 +282,7 @@ enum ppfear_regs { + /* Die C6 from PUNIT telemetry */ + #define MTL_PMT_DMU_DIE_C6_OFFSET 15 + #define MTL_PMT_DMU_GUID 0x1A067102 +-#define ARL_PMT_DMU_GUID 0x1A06A000 ++#define ARL_PMT_DMU_GUID 0x1A06A102 + + #define LNL_PMC_MMIO_REG_LEN 0x2708 + #define LNL_PMC_LTR_OSSE 0x1B88 +-- +2.51.0 + diff --git a/queue-6.18/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch b/queue-6.18/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch new file mode 100644 index 0000000000..691e648bd0 --- /dev/null +++ b/queue-6.18/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch 
@@ -0,0 +1,51 @@ +From f756ee3ec8a626da7a4feeeb9fffe08dfeb2529b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 19:39:34 +0000 +Subject: regulator: fixed: Rely on the core freeing the enable GPIO + +From: Mark Brown + +[ Upstream commit 79a45ddcdbba330f5139c7c7ff7042d69cf147b2 ] + +In order to simplify ownership rules for enable GPIOs supplied by drivers +regulator_register() always takes ownership of them, even if it ends up +failing for some other reason. We therefore should not free the GPIO if +registration fails but just let the core worry about things. + +Fixes: 636f4618b1cd (regulator: fixed: fix GPIO descriptor leak on register failure) +Reported-by: Diederik de Haas +Closes: https://lore.kernel.org/r/DEPEYUF5BRGY.UKFBWRRE8HNP@cknow-tech.com +Tested-by: Diederik de Haas +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20251204-regulator-fixed-fix-gpiod-leak-v1-1-48efea5b82c2@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index a2d16e9abfb58..254c0a8a45559 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -330,13 +330,10 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + + drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc, + &cfg); +- if (IS_ERR(drvdata->dev)) { +- ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), +- "Failed to register regulator: %ld\n", +- PTR_ERR(drvdata->dev)); +- gpiod_put(cfg.ena_gpiod); +- return ret; +- } ++ if (IS_ERR(drvdata->dev)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), ++ "Failed to register regulator: %ld\n", ++ PTR_ERR(drvdata->dev)); + + platform_set_drvdata(pdev, drvdata); + +-- +2.51.0 + 
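Review bot: The simplified error path in reg_fixed_voltage_probe() no longer says why cfg.ena_gpiod is left alone, and the commit being fixed had added a gpiod_put() there in the belief that it plugged a leak. A short comment above the IS_ERR() check, such as `/* regulator_register() takes ownership of cfg.ena_gpiod even when it fails; do not gpiod_put() it here */`, would keep that double release from being reintroduced. Separately, dev_err_probe() already reports the error code it is given, so the trailing `%ld` with `PTR_ERR(drvdata->dev)` in the message looks redundant. The probe function starts and continues outside the hunk.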
diff --git a/queue-6.18/regulator-spacemit-align-input-supply-name-with-the-.patch b/queue-6.18/regulator-spacemit-align-input-supply-name-with-the-.patch new file mode 100644 index 0000000000..39211a3998 --- /dev/null +++ b/queue-6.18/regulator-spacemit-align-input-supply-name-with-the-.patch 
@@ -0,0 +1,72 @@ +From ffd73d4a6f57e62cd5694368fac48c9afeee4225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Dec 2025 14:38:48 +0100 +Subject: regulator: spacemit: Align input supply name with the DT binding + +From: Javier Martinez Canillas + +[ Upstream commit 99f0c3a654c4a762aca4fadc8d9f8636b36d570a ] + +The Device Tree binding schema for the SpacemiT P1 PMIC defines the main +input supply property as "vin-supply", but the driver defines the supply +name for BUCK and ALDO regulators as "vcc". + +This causes the regulator core to lookup for a non-existent "vcc-supply". +Rename the supply from "vcc" to "vin", to match the DT binding and ensure +that the regulators input supplies are correctly resolved. + +After this change, the regulators supply hierarchy is correctly reported: + + $ cat /sys/kernel/debug/regulator/regulator_summary + regulator use open bypass opmode voltage current min max + --------------------------------------------------------------------------------------- + regulator-dummy 1 0 0 unknown 0mV 0mA 0mV 0mV + dc_in_12v 2 1 0 unknown 12000mV 0mA 12000mV 12000mV + vcc_4v 7 10 0 unknown 4000mV 0mA 4000mV 4000mV + buck1 1 0 0 unknown 1050mV 0mA 500mV 3425mV + buck2 1 0 0 unknown 900mV 0mA 500mV 3425mV + buck3 1 0 0 unknown 1800mV 0mA 500mV 1800mV + buck4 1 0 0 unknown 3300mV 0mA 500mV 3300mV + buck5 3 7 0 unknown 2100mV 0mA 500mV 3425mV + dldo1 0 0 0 unknown 1200mV 0mA 500mV 3125mV + dldo2 0 0 0 unknown 500mV 0mA 500mV 3125mV + dldo3 0 0 0 unknown 500mV 0mA 500mV 3125mV + dldo4 1 0 0 unknown 1800mV 0mA 500mV 3125mV + dldo5 0 0 0 unknown 500mV 0mA 500mV 3125mV + dldo6 1 0 0 unknown 1800mV 0mA 500mV 3125mV + dldo7 0 0 0 unknown 500mV 0mA 500mV 3125mV + buck6 1 0 0 unknown 1100mV 0mA 500mV 3425mV + aldo1 0 0 0 unknown 1800mV 0mA 500mV 3125mV + aldo2 0 0 0 unknown 500mV 0mA 500mV 3125mV + aldo3 0 0 0 unknown 500mV 0mA 500mV 3125mV + aldo4 0 0 0 unknown 500mV 0mA 500mV 3125mV + +Fixes: 8b84d712ad84 ("regulator: spacemit: support SpacemiT P1 
regulators") +Signed-off-by: Javier Martinez Canillas +Link: https://patch.msgid.link/20251206133852.1739475-1-javierm@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/spacemit-p1.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/spacemit-p1.c b/drivers/regulator/spacemit-p1.c +index d437e6738ea1e..2bf9137e12b1d 100644 +--- a/drivers/regulator/spacemit-p1.c ++++ b/drivers/regulator/spacemit-p1.c +@@ -87,10 +87,10 @@ static const struct linear_range p1_ldo_ranges[] = { + } + + #define P1_BUCK_DESC(_n) \ +- P1_REG_DESC(BUCK, buck, _n, "vcc", 0x47, BUCK_MASK, 254, p1_buck_ranges) ++ P1_REG_DESC(BUCK, buck, _n, "vin", 0x47, BUCK_MASK, 254, p1_buck_ranges) + + #define P1_ALDO_DESC(_n) \ +- P1_REG_DESC(ALDO, aldo, _n, "vcc", 0x5b, LDO_MASK, 117, p1_ldo_ranges) ++ P1_REG_DESC(ALDO, aldo, _n, "vin", 0x5b, LDO_MASK, 117, p1_ldo_ranges) + + #define P1_DLDO_DESC(_n) \ + P1_REG_DESC(DLDO, dldo, _n, "buck5", 0x67, LDO_MASK, 117, p1_ldo_ranges) +-- +2.51.0 + diff --git a/queue-6.18/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-6.18/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch new file mode 100644 index 0000000000..75010726cd --- /dev/null +++ b/queue-6.18/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch 
@@ -0,0 +1,48 @@ +From ab770ef92ff7902e513c32c8d9a42d9aadaa8cae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:38 -0500 +Subject: Revert "nfs: clear SB_RDONLY before getting superblock" + +From: Trond Myklebust + +[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ] + +This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 527000f5d150c..9b9464e70a7f0 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1308,17 +1308,8 @@ int nfs_get_tree_common(struct fs_context *fc) + if (IS_ERR(server)) + return PTR_ERR(server); + +- /* +- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a +- * superblock among each filesystem that mounts sub-directories +- * belonging to a single exported root path. +- * To prevent interference between different filesystems, the +- * SB_RDONLY flag should be removed from the superblock. +- */ + if (server->flags & NFS_MOUNT_UNSHARED) + compare_super = NULL; +- else +- fc->sb_flags &= ~SB_RDONLY; + + /* -o noac implies -o sync */ + if (server->flags & NFS_MOUNT_NOAC) +-- +2.51.0 + diff --git a/queue-6.18/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch b/queue-6.18/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch new file mode 100644 index 0000000000..88c62a0a1c --- /dev/null +++ b/queue-6.18/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch 
@@ -0,0 +1,39 @@ +From d51f922c7a8b96298575b87878d99c50495f1359 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:45 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when mounting nfs" + +From: Trond Myklebust + +[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ] + +This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 2ecd38e1d17a8..ffd382aa31ac0 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -13,7 +13,7 @@ + #include + #include + +-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) ++#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) + + extern const struct export_operations nfs_export_ops; + +-- +2.51.0 + diff --git a/queue-6.18/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-6.18/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch new file mode 100644 index 0000000000..dc3caaceef --- /dev/null +++ b/queue-6.18/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch 
@@ -0,0 +1,47 @@ +From a027cef7de23a7674b557859e978fdbf2bcb4763 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 13:39:07 -0500 +Subject: Revert "nfs: ignore SB_RDONLY when remounting nfs" + +From: Trond Myklebust + +[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ] + +This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a. + +Silently ignoring the "ro" and "rw" mount options causes user confusion, +and regressions. + +Reported-by: Alkis Georgopoulos +Cc: Li Lingfeng +Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 72dee6f3050e6..527000f5d150c 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1051,16 +1051,6 @@ int nfs_reconfigure(struct fs_context *fc) + + sync_filesystem(sb); + +- /* +- * The SB_RDONLY flag has been removed from the superblock during +- * mounts to prevent interference between different filesystems. +- * Similarly, it is also necessary to ignore the SB_RDONLY flag +- * during reconfiguration; otherwise, it may also result in the +- * creation of redundant superblocks when mounting a directory with +- * different rw and ro flags multiple times. +- */ +- fc->sb_flags_mask &= ~SB_RDONLY; +- + /* + * Userspace mount programs that send binary options generally send + * them populated with default values. We have no way to know which +-- +2.51.0 + diff --git a/queue-6.18/rtc-amlogic-a4-fix-double-free-caused-by-devm.patch b/queue-6.18/rtc-amlogic-a4-fix-double-free-caused-by-devm.patch new file mode 100644 index 0000000000..2cbaa44e58 --- /dev/null +++ b/queue-6.18/rtc-amlogic-a4-fix-double-free-caused-by-devm.patch 
@@ -0,0 +1,53 @@ +From 0f061c0058e24a3f440e291cd5b8714a0cfcf795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 18:35:59 +0800 +Subject: rtc: amlogic-a4: fix double free caused by devm + +From: Haotian Zhang + +[ Upstream commit 384150d7a5b60c1086790a8ee07b0629f906cca2 ] + +The clock obtained via devm_clk_get_enabled() is automatically managed +by devres and will be disabled and freed on driver detach. Manually +calling clk_disable_unprepare() in error path and remove function +causes double free. + +Remove the redundant clk_disable_unprepare() calls from the probe +error path and aml_rtc_remove(), allowing the devm framework to +automatically manage the clock lifecycle. + +Fixes: c89ac9182ee2 ("rtc: support for the Amlogic on-chip RTC") +Signed-off-by: Haotian Zhang +Reviewed-by: Xianwei Zhao +Link: https://patch.msgid.link/20251021103559.1903-1-vulab@iscas.ac.cn +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-amlogic-a4.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/rtc/rtc-amlogic-a4.c b/drivers/rtc/rtc-amlogic-a4.c +index 1928b29c10454..a993d35e1d6b0 100644 +--- a/drivers/rtc/rtc-amlogic-a4.c ++++ b/drivers/rtc/rtc-amlogic-a4.c +@@ -390,7 +390,6 @@ static int aml_rtc_probe(struct platform_device *pdev) + + return 0; + err_clk: +- clk_disable_unprepare(rtc->sys_clk); + device_init_wakeup(dev, false); + + return ret; +@@ -423,9 +422,6 @@ static SIMPLE_DEV_PM_OPS(aml_rtc_pm_ops, + + static void aml_rtc_remove(struct platform_device *pdev) + { +- struct aml_rtc_data *rtc = dev_get_drvdata(&pdev->dev); +- +- clk_disable_unprepare(rtc->sys_clk); + device_init_wakeup(&pdev->dev, false); + } + +-- +2.51.0 + diff --git a/queue-6.18/rtc-gamecube-check-the-return-value-of-ioremap.patch b/queue-6.18/rtc-gamecube-check-the-return-value-of-ioremap.patch new file mode 100644 index 0000000000..0ce50f8ff9 --- /dev/null +++ b/queue-6.18/rtc-gamecube-check-the-return-value-of-ioremap.patch 
@@ -0,0 +1,44 @@ +From 82440bf3b79ee3f1489d70ab5556f14d356a94ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 16:06:25 +0800 +Subject: rtc: gamecube: Check the return value of ioremap() + +From: Haotian Zhang + +[ Upstream commit d1220e47e4bd2be8b84bc158f4dea44f2f88b226 ] + +The function ioremap() in gamecube_rtc_read_offset_from_sram() can fail +and return NULL, which is dereferenced without checking, leading to a +NULL pointer dereference. + +Add a check for the return value of ioremap() and return -ENOMEM on +failure. + +Fixes: 86559400b3ef ("rtc: gamecube: Add a RTC driver for the GameCube, Wii and Wii U") +Signed-off-by: Haotian Zhang +Reviewed-by: Link Mauve +Link: https://patch.msgid.link/20251126080625.1752-1-vulab@iscas.ac.cn +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-gamecube.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/rtc/rtc-gamecube.c b/drivers/rtc/rtc-gamecube.c +index c828bc8e05b9c..045d5d45ab4b0 100644 +--- a/drivers/rtc/rtc-gamecube.c ++++ b/drivers/rtc/rtc-gamecube.c +@@ -242,6 +242,10 @@ static int gamecube_rtc_read_offset_from_sram(struct priv *d) + } + + hw_srnprot = ioremap(res.start, resource_size(&res)); ++ if (!hw_srnprot) { ++ pr_err("failed to ioremap hw_srnprot\n"); ++ return -ENOMEM; ++ } + old = ioread32be(hw_srnprot); + + /* TODO: figure out why we use this magic constant. I obtained it by +-- +2.51.0 + diff --git a/queue-6.18/rtc-max31335-fix-ignored-return-value-in-set_alarm.patch b/queue-6.18/rtc-max31335-fix-ignored-return-value-in-set_alarm.patch new file mode 100644 index 0000000000..d70dd872fd --- /dev/null +++ b/queue-6.18/rtc-max31335-fix-ignored-return-value-in-set_alarm.patch 
@@ -0,0 +1,44 @@ +From 4afcf7147f92daace8ef1d5fecc10de2140cab67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 16:36:38 +0000 +Subject: rtc: max31335: Fix ignored return value in set_alarm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit f07640f9fb8df2158199da1da1f8282948385a84 ] + +Return the result from regmap_update_bits() instead of ignoring it +and always returning 0. + +Fixes: dedaf03b99d6 ("rtc: max31335: add driver support") +Signed-off-by: Nuno Sá +Link: https://patch.msgid.link/20251128-max31335-handler-error-v1-1-6b6f7f78dbda@analog.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-max31335.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/rtc/rtc-max31335.c b/drivers/rtc/rtc-max31335.c +index dfb5bad3a3691..23b7bf16b4cd5 100644 +--- a/drivers/rtc/rtc-max31335.c ++++ b/drivers/rtc/rtc-max31335.c +@@ -391,10 +391,8 @@ static int max31335_set_alarm(struct device *dev, struct rtc_wkalrm *alrm) + if (ret) + return ret; + +- ret = regmap_update_bits(max31335->regmap, max31335->chip->int_status_reg, +- MAX31335_STATUS1_A1F, 0); +- +- return 0; ++ return regmap_update_bits(max31335->regmap, max31335->chip->int_status_reg, ++ MAX31335_STATUS1_A1F, 0); + } + + static int max31335_alarm_irq_enable(struct device *dev, unsigned int enabled) +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index d5aea428cc..dd08d9b536 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
@@ -534,3 +534,62 @@ fbdev-ssd1307fb-fix-potential-page-leak-in-ssd1307fb.patch 9p-fix-cache-debug-options-printing-in-v9fs_show_opt.patch sched-fair-fix-unfairness-caused-by-stalled-tg_load_.patch sched-core-fix-psi_dequeue-for-proxy-execution.patch +platform-x86-intel-pmc-update-arrow-lake-telemetry-g.patch +f2fs-maintain-one-time-gc-mode-is-enabled-during-who.patch +rtc-amlogic-a4-fix-double-free-caused-by-devm.patch +kbuild-install-extmod-build-properly-fix-cc-expansio.patch +nfs-avoid-changing-nlink-when-file-removes-and-attri.patch +fs-nls-fix-utf16-to-utf8-conversion.patch +nfs-initialise-verifiers-for-visible-dentries-in-rea.patch +nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch +nfs-initialise-verifiers-for-visible-dentries-in-_nf.patch +nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch +drm-panthor-prevent-potential-uaf-in-group-creation.patch +revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch +revert-nfs-clear-sb_rdonly-before-getting-superblock.patch +revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch +nfs-automounted-filesystems-should-inherit-ro-noexec.patch +nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch +fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch +platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch +asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch +asoc-amd-acp-audio-is-not-resuming-after-s0ix.patch +asoc-ak4458-disable-regulator-when-error-happens.patch +asoc-ak5558-disable-regulator-when-error-happens.patch +f2fs-revert-summary-entry-count-from-2048-to-512-in-.patch +blk-mq-abort-suspend-when-wakeup-events-are-pending.patch +drm-panel-novatek-nt35560-avoid-on-stack-device-stru.patch +block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch +block-fix-memory-leak-in-__blkdev_issue_zero_pages.patch +nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch +io_uring-kbuf-use-read_once-for-userspace-mapped-mem.patch +drm-plane-fix-is_err-vs-null-check-in-drm_plane_crea.patch 
+regulator-fixed-rely-on-the-core-freeing-the-enable-.patch +alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch +drm-nouveau-refactor-deprecated-strcpy.patch +drm-nouveau-fix-circular-dep-oops-from-vendored-i2c-.patch +cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch +cifs-fix-handling-of-a-beyond-eof-dio-unbuffered-rea.patch-14012 +nfs-localio-remove-alignment-size-checking-in-nfs_is.patch +nfs-localio-remove-61-byte-hole-from-needless-____ca.patch +gpio-tb10x-fix-of_gpio-dependency.patch +docs-hwmon-fix-link-to-g762-devicetree-binding.patch +i2c-spacemit-fix-detect-issue.patch +dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch +alsa-uapi-fix-typo-in-asound.h-comment.patch +drm-amdkfd-use-huge-page-size-to-check-split-svm-ran.patch +rtc-gamecube-check-the-return-value-of-ioremap.patch +rtc-max31335-fix-ignored-return-value-in-set_alarm.patch +regulator-spacemit-align-input-supply-name-with-the-.patch +alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch +arm-9464-1-fix-input-only-operand-modification-in-lo.patch +drm-xe-fbdev-use-the-same-64-byte-stride-alignment-a.patch +drm-i915-fbdev-make-intel_framebuffer_create-error-r.patch +drm-i915-xe-fbdev-pass-struct-drm_device-to-intel_fb.patch +drm-i915-xe-fbdev-deduplicate-struct-drm_mode_fb_cmd.patch +drm-i915-fbdev-hold-runtime-pm-ref-during-fbdev-bo-c.patch +block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch +asoc-amd-acp-update-tdm-channels-for-specific-dai.patch +block-fix-cached-zone-reports-on-devices-with-native.patch +dm-raid-fix-possible-null-dereference-with-undefined.patch +dm-log-writes-add-missing-set_freezable-for-freezabl.patch diff --git a/queue-6.6/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch b/queue-6.6/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch new file mode 100644 index 0000000000..daf28e7a16 --- /dev/null +++ b/queue-6.6/alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch 
@@ -0,0 +1,41 @@ +From 168fcd6f275f679a86e8a946b31b7c78d2628e32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 13:16:41 +0800 +Subject: ALSA: firewire-motu: add bounds check in put_user loop for DSP events + +From: Junrui Luo + +[ Upstream commit 298e753880b6ea99ac30df34959a7a03b0878eed ] + +In the DSP event handling code, a put_user() loop copies event data. +When the user buffer size is not aligned to 4 bytes, it could overwrite +beyond the buffer boundary. + +Fix by adding a bounds check before put_user(). + +Suggested-by: Takashi Iwai +Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 28885c8004aea..8519a9f9ce2c0 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -75,7 +75,7 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, + while (consumed < count && + snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) { + ptr = (u32 __user *)(buf + consumed); +- if (put_user(ev, ptr)) ++ if (consumed + sizeof(ev) > count || put_user(ev, ptr)) + return -EFAULT; + consumed += sizeof(ev); + } +-- +2.51.0 + diff --git a/queue-6.6/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch b/queue-6.6/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch new file mode 100644 index 0000000000..8603e5a571 --- /dev/null +++ b/queue-6.6/alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch 
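Review bot: The new `consumed + sizeof(ev) > count` test in hwdep_read() runs after snd_motu_register_dsp_message_parser_copy_event() has already been called in the loop condition. When the remaining space is too small, the fetched event is therefore presumably lost from the parser queue, and the read fails with -EFAULT although no fault occurred. Checking the space before fetching, with `while (consumed + sizeof(ev) <= count &&` as the first half of the loop condition, would end the loop as a short read and leave the event queued. The comparison also mixes the signed `count` with the unsigned `sizeof(ev)`, so it relies on `count` never being negative. That cannot be confirmed here, because hwdep_read() begins and continues outside the hunk.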
@@ -0,0 +1,48 @@ +From c107eb08e65e87e0d93f900b7d0489718d106dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 12:27:03 +0800 +Subject: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events + +From: Junrui Luo + +[ Upstream commit 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 ] + +The DSP event handling code in hwdep_read() could write more bytes to +the user buffer than requested, when a user provides a buffer smaller +than the event header size (8 bytes). + +Fix by using min_t() to clamp the copy size, This ensures we never copy +more than the user requested. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index a220ac0c8eb83..28885c8004aea 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -83,10 +83,11 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, + event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE; + event.motu_register_dsp_change.count = + (consumed - sizeof(event.motu_register_dsp_change)) / 4; +- if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change))) ++ if (copy_to_user(buf, &event, ++ min_t(long, count, sizeof(event.motu_register_dsp_change)))) + return -EFAULT; + +- count = consumed; ++ count = min_t(long, count, consumed); + } else { + spin_unlock_irq(&motu->lock); + +-- +2.51.0 + 
diff --git a/queue-6.6/alsa-uapi-fix-typo-in-asound.h-comment.patch b/queue-6.6/alsa-uapi-fix-typo-in-asound.h-comment.patch new file mode 100644 index 0000000000..8f28bc91d5 --- /dev/null +++ b/queue-6.6/alsa-uapi-fix-typo-in-asound.h-comment.patch @@ -0,0 +1,36 @@ +From 19ee09320ba75f96e6f009dbdec3b0d020ec7290 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 10:25:01 -0600 +Subject: ALSA: uapi: Fix typo in asound.h comment + +From: Andres J Rosa + +[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ] + +Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment. + +Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames") +Signed-off-by: Andres J Rosa +Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/uapi/sound/asound.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h +index f9939da411227..10966a9250cd9 100644 +--- a/include/uapi/sound/asound.h ++++ b/include/uapi/sound/asound.h +@@ -60,7 +60,7 @@ struct snd_cea_861_aud_if { + unsigned char db2_sf_ss; /* sample frequency and size */ + unsigned char db3; /* not used, all zeros */ + unsigned char db4_ca; /* channel allocation code */ +- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */ ++ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */ + }; + + /**************************************************************************** +-- +2.51.0 + diff --git a/queue-6.6/arm-9464-1-fix-input-only-operand-modification-in-lo.patch b/queue-6.6/arm-9464-1-fix-input-only-operand-modification-in-lo.patch new file mode 100644 index 0000000000..ea1b5aab6c --- /dev/null +++ b/queue-6.6/arm-9464-1-fix-input-only-operand-modification-in-lo.patch 
@@ -0,0 +1,67 @@ +From faf3193b599e4bf27a886451d32b776637907753 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 03:19:45 +0100 +Subject: ARM: 9464/1: fix input-only operand modification in + load_unaligned_zeropad() + +From: Liyuan Pang + +[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ] + +In the inline assembly inside load_unaligned_zeropad(), the "addr" is +constrained as input-only operand. The compiler assumes that on exit +from the asm statement these operands contain the same values as they +had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior. + +Use a temporary variable "tmp" to handle it, instead of modifying the +input-only operand, just like what arm64's load_unaligned_zeropad() +does. + +Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs") +Co-developed-by: Xie Yuanbin +Signed-off-by: Xie Yuanbin +Signed-off-by: Liyuan Pang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/word-at-a-time.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h +index 352ab213520d2..2e6d0b4349f47 100644 +--- a/arch/arm/include/asm/word-at-a-time.h ++++ b/arch/arm/include/asm/word-at-a-time.h +@@ -66,7 +66,7 @@ static inline unsigned long find_zero(unsigned long mask) + */ + static inline unsigned long load_unaligned_zeropad(const void *addr) + { +- unsigned long ret, offset; ++ unsigned long ret, tmp; + + /* Load word from unaligned pointer addr */ + asm( +@@ -74,9 +74,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + "2:\n" + " .pushsection .text.fixup,\"ax\"\n" + " .align 2\n" +- "3: and %1, %2, #0x3\n" +- " bic %2, %2, #0x3\n" +- " ldr %0, [%2]\n" ++ "3: bic %1, %2, #0x3\n" ++ " ldr %0, 
[%1]\n" ++ " and %1, %2, #0x3\n" + " lsl %1, %1, #0x3\n" + #ifndef __ARMEB__ + " lsr %0, %0, %1\n" +@@ -89,7 +89,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) + " .align 3\n" + " .long 1b, 3b\n" + " .popsection" +- : "=&r" (ret), "=&r" (offset) ++ : "=&r" (ret), "=&r" (tmp) + : "r" (addr), "Qo" (*(unsigned long *)addr)); + + return ret; +-- +2.51.0 + diff --git a/queue-6.6/asoc-ak4458-disable-regulator-when-error-happens.patch b/queue-6.6/asoc-ak4458-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..0e4e4c07d0 --- /dev/null +++ b/queue-6.6/asoc-ak4458-disable-regulator-when-error-happens.patch 
@@ -0,0 +1,45 @@ +From d0ac78467124ec20f926581aa34ff53666d3857b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 18:05:28 +0800 +Subject: ASoC: ak4458: Disable regulator when error happens + +From: Shengjiu Wang + +[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ] + +Disable regulator in runtime resume when error happens to balance +the reference count of regulator. + +Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak4458.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c +index 77678f85ad946..ec8771158ab25 100644 +--- a/sound/soc/codecs/ak4458.c ++++ b/sound/soc/codecs/ak4458.c +@@ -681,7 +681,15 @@ static int __maybe_unused ak4458_runtime_resume(struct device *dev) + regcache_cache_only(ak4458->regmap, false); + regcache_mark_dirty(ak4458->regmap); + +- return regcache_sync(ak4458->regmap); ++ ret = regcache_sync(ak4458->regmap); ++ if (ret) ++ goto err; ++ ++ return 0; ++err: ++ regcache_cache_only(ak4458->regmap, true); ++ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies); ++ return ret; + } + #endif /* CONFIG_PM */ + +-- +2.51.0 + diff --git a/queue-6.6/asoc-ak5558-disable-regulator-when-error-happens.patch b/queue-6.6/asoc-ak5558-disable-regulator-when-error-happens.patch new file mode 100644 index 0000000000..0c3ddce2a9 --- /dev/null +++ b/queue-6.6/asoc-ak5558-disable-regulator-when-error-happens.patch 
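Review bot: The new `err:` path in ak4458_runtime_resume() returns the regmap to cache-only mode and disables the supplies, but it reverses nothing else that resume did before regcache_sync(). If the earlier part of the function (outside this hunk) releases a reset or mute line, that should be undone before `regulator_bulk_disable()` so the error path leaves the codec in the same state as runtime suspend. The same applies to the identical `err:` path added to ak5558_runtime_resume() in the next patch file. As a smaller style point, a label reached by a single `goto` directly above it reads more simply as an `if (ret) { ... return ret; }` block followed by `return 0;`.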
@@ -0,0 +1,45 @@ +From b228e116df5248dd1291910c6498d4d87ab0908b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 18:05:29 +0800 +Subject: ASoC: ak5558: Disable regulator when error happens + +From: Shengjiu Wang + +[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ] + +Disable regulator in runtime resume when error happens to balance +the reference count of regulator. + +Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak5558.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c +index 442e2cb42df4f..aeec8dabfe3fd 100644 +--- a/sound/soc/codecs/ak5558.c ++++ b/sound/soc/codecs/ak5558.c +@@ -372,7 +372,15 @@ static int __maybe_unused ak5558_runtime_resume(struct device *dev) + regcache_cache_only(ak5558->regmap, false); + regcache_mark_dirty(ak5558->regmap); + +- return regcache_sync(ak5558->regmap); ++ ret = regcache_sync(ak5558->regmap); ++ if (ret) ++ goto err; ++ ++ return 0; ++err: ++ regcache_cache_only(ak5558->regmap, true); ++ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies); ++ return ret; + } + + static const struct dev_pm_ops ak5558_pm = { +-- +2.51.0 + diff --git a/queue-6.6/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch b/queue-6.6/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch new file mode 100644 index 0000000000..4fbe4cba35 --- /dev/null +++ b/queue-6.6/asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch 
@@ -0,0 +1,44 @@ +From cee8aafb0b7140bf3f237df5ff9d71191e10d3df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 18:16:42 +0800 +Subject: ASoC: bcm: bcm63xx-pcm-whistler: Check return value of + of_dma_configure() + +From: Haotian Zhang + +[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ] + +bcm63xx_soc_pcm_new() does not check the return value of +of_dma_configure(), which may fail with -EPROBE_DEFER or +other errors, allowing PCM setup to continue with incomplete +DMA configuration. + +Add error checking for of_dma_configure() and return on failure. + +Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c +index 2c600b017524f..760cb18870908 100644 +--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c ++++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c +@@ -354,7 +354,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component, + + i2s_priv = dev_get_drvdata(asoc_rtd_to_cpu(rtd, 0)->dev); + +- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1); ++ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1); ++ if (ret) ++ return ret; + + ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32)); + if (ret) +-- +2.51.0 + diff --git a/queue-6.6/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch b/queue-6.6/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch new file mode 100644 index 0000000000..0ae116ea5a --- /dev/null +++ b/queue-6.6/blk-mq-abort-suspend-when-wakeup-events-are-pending.patch 
@@ -0,0 +1,73 @@
+From 201c20a3d7057b9c263897a403d4fae326de2f50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 11:34:21 +0800
+Subject: blk-mq: Abort suspend when wakeup events are pending
+
+From: Cong Zhang
+
+[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ]
+
+During system suspend, wakeup capable IRQs for block device can be
+delayed, which can cause blk_mq_hctx_notify_offline() to hang
+indefinitely while waiting for pending request to complete.
+Skip the request waiting loop and abort suspend when wakeup events are
+pending to prevent the deadlock.
+
+Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
+Signed-off-by: Cong Zhang
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-mq.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 5da948b07058b..4895c8a33d392 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -24,6 +24,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -3548,6 +3549,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+ {
+ struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node,
+ struct blk_mq_hw_ctx, cpuhp_online);
++ int ret = 0;
+
+ if (!cpumask_test_cpu(cpu, hctx->cpumask) ||
+ !blk_mq_last_cpu_in_hctx(cpu, hctx))
+@@ -3569,12 +3571,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+ * frozen and there are no requests.
+ */
+ if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) {
+- while (blk_mq_hctx_has_requests(hctx))
++ while (blk_mq_hctx_has_requests(hctx)) {
++ /*
++ * The wakeup capable IRQ handler of block device is
++ * not called during suspend. Skip the loop by checking
++ * pm_wakeup_pending to prevent the deadlock and improve
++ * suspend latency.
++ */
++ if (pm_wakeup_pending()) {
++ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state);
++ ret = -EBUSY;
++ break;
++ }
+ msleep(5);
++ }
+ percpu_ref_put(&hctx->queue->q_usage_counter);
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int blk_mq_hctx_notify_online(unsigned int cpu, struct hlist_node *node)
+--
+2.51.0
+
diff --git a/queue-6.6/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch b/queue-6.6/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch
new file mode 100644
index 0000000000..a8aaf711d6
--- /dev/null
+++ b/queue-6.6/block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch
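Review bot: The new `pm_wakeup_pending()` test inside the `while (blk_mq_hctx_has_requests(hctx))` loop is not tied to a system suspend being in progress, at least not in the lines shown, so it is worth confirming that an ordinary CPU offline cannot be refused with `-EBUSY` through this path. `blk_mq_hctx_notify_offline()` previously always returned 0; a short comment at `return ret;`, for example `/* non-zero is expected to make the hotplug core abort this CPU offline */`, would document the new contract. The `clear_bit(BLK_MQ_S_INACTIVE, &hctx->state)` on the abort path assumes the bit was set earlier in this function, which is outside the hunks and should be checked on the 6.6 tree.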
@@ -0,0 +1,44 @@
+From bfa20729344aa2573991f231abc4b9ebd7cfd68c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2025 23:17:49 +0800
+Subject: block: fix comment for op_is_zone_mgmt() to include RESET_ALL
+
+From: shechenglong
+
+[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ]
+
+REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt()
+has returned true for it.
+
+Update the comment to remove the misleading exception note so
+the documentation matches the implementation.
+
+Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL")
+Signed-off-by: shechenglong
+Reviewed-by: Damien Le Moal
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ include/linux/blk_types.h | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
+index d328b318e44b1..b8ef39ca3d74f 100644
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -508,10 +508,7 @@ static inline bool op_is_discard(blk_opf_t op)
+ }
+
+ /*
+- * Check if a bio or request operation is a zone management operation, with
+- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case
+- * due to its different handling in the block layer and device response in
+- * case of command failure.
++ * Check if a bio or request operation is a zone management operation.
+ */
+ static inline bool op_is_zone_mgmt(enum req_op op)
+ {
+--
+2.51.0
+
diff --git a/queue-6.6/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch b/queue-6.6/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch
new file mode 100644
index 0000000000..3705c88fcd
--- /dev/null
+++ b/queue-6.6/block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch
@@ -0,0 +1,169 @@
+From 905ec593ca48b589fb599e89b02702937ab391d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Dec 2025 13:17:02 -0800
+Subject: block: Use RCU in blk_mq_[un]quiesce_tagset() instead of
+ set->tag_list_lock
+
+From: Mohamed Khalfella
+
+[ Upstream commit 59e25ef2b413c72da6686d431e7759302cfccafa ]
+
+blk_mq_{add,del}_queue_tag_set() functions add and remove queues from
+tagset, the functions make sure that tagset and queues are marked as
+shared when two or more queues are attached to the same tagset.
+Initially a tagset starts as unshared and when the number of added
+queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along
+with all the queues attached to it. When the number of attached queues
+drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and
+the remaining queues as unshared.
+
+Both functions need to freeze current queues in tagset before setting on
+unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions
+hold set->tag_list_lock mutex, which makes sense as we do not want
+queues to be added or deleted in the process. This used to work fine
+until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset")
+made the nvme driver quiesce tagset instead of quiscing individual
+queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in
+set->tag_list while holding set->tag_list_lock also.
+
+This results in deadlock between two threads with these stacktraces:
+
+ __schedule+0x47c/0xbb0
+ ? timerqueue_add+0x66/0xb0
+ schedule+0x1c/0xa0
+ schedule_preempt_disabled+0xa/0x10
+ __mutex_lock.constprop.0+0x271/0x600
+ blk_mq_quiesce_tagset+0x25/0xc0
+ nvme_dev_disable+0x9c/0x250
+ nvme_timeout+0x1fc/0x520
+ blk_mq_handle_expired+0x5c/0x90
+ bt_iter+0x7e/0x90
+ blk_mq_queue_tag_busy_iter+0x27e/0x550
+ ? __blk_mq_complete_request_remote+0x10/0x10
+ ? __blk_mq_complete_request_remote+0x10/0x10
+ ? __call_rcu_common.constprop.0+0x1c0/0x210
+ blk_mq_timeout_work+0x12d/0x170
+ process_one_work+0x12e/0x2d0
+ worker_thread+0x288/0x3a0
+ ? rescuer_thread+0x480/0x480
+ kthread+0xb8/0xe0
+ ? kthread_park+0x80/0x80
+ ret_from_fork+0x2d/0x50
+ ? kthread_park+0x80/0x80
+ ret_from_fork_asm+0x11/0x20
+
+ __schedule+0x47c/0xbb0
+ ? xas_find+0x161/0x1a0
+ schedule+0x1c/0xa0
+ blk_mq_freeze_queue_wait+0x3d/0x70
+ ? destroy_sched_domains_rcu+0x30/0x30
+ blk_mq_update_tag_set_shared+0x44/0x80
+ blk_mq_exit_queue+0x141/0x150
+ del_gendisk+0x25a/0x2d0
+ nvme_ns_remove+0xc9/0x170
+ nvme_remove_namespaces+0xc7/0x100
+ nvme_remove+0x62/0x150
+ pci_device_remove+0x23/0x60
+ device_release_driver_internal+0x159/0x200
+ unbind_store+0x99/0xa0
+ kernfs_fop_write_iter+0x112/0x1e0
+ vfs_write+0x2b1/0x3d0
+ ksys_write+0x4e/0xb0
+ do_syscall_64+0x5b/0x160
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+The top stacktrace is showing nvme_timeout() called to handle nvme
+command timeout. timeout handler is trying to disable the controller and
+as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not
+to call queue callback handlers. The thread is stuck waiting for
+set->tag_list_lock as it tries to walk the queues in set->tag_list.
+
+The lock is held by the second thread in the bottom stack which is
+waiting for one of queues to be frozen. The queue usage counter will
+drop to zero after nvme_timeout() finishes, and this will not happen
+because the thread will wait for this mutex forever.
+
+Given that [un]quiescing queue is an operation that does not need to
+sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking
+set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU
+safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list)
+in blk_mq_del_queue_tag_set() because we can not re-initialize it while
+the list is being traversed under RCU. The deleted queue will not be
+added/deleted to/from a tagset and it will be freed in blk_free_queue()
+after the end of RCU grace period.
+
+Signed-off-by: Mohamed Khalfella
+Fixes: 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset")
+Reviewed-by: Ming Lei
+Reviewed-by: Bart Van Assche
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-mq.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 4895c8a33d392..01fe1e7156690 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -280,12 +280,12 @@ void blk_mq_quiesce_tagset(struct blk_mq_tag_set *set)
+ {
+ struct request_queue *q;
+
+- mutex_lock(&set->tag_list_lock);
+- list_for_each_entry(q, &set->tag_list, tag_set_list) {
++ rcu_read_lock();
++ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) {
+ if (!blk_queue_skip_tagset_quiesce(q))
+ blk_mq_quiesce_queue_nowait(q);
+ }
+- mutex_unlock(&set->tag_list_lock);
++ rcu_read_unlock();
+
+ blk_mq_wait_quiesce_done(set);
+ }
+@@ -295,12 +295,12 @@ void blk_mq_unquiesce_tagset(struct blk_mq_tag_set *set)
+ {
+ struct request_queue *q;
+
+- mutex_lock(&set->tag_list_lock);
+- list_for_each_entry(q, &set->tag_list, tag_set_list) {
++ rcu_read_lock();
++ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) {
+ if (!blk_queue_skip_tagset_quiesce(q))
+ blk_mq_unquiesce_queue(q);
+ }
+- mutex_unlock(&set->tag_list_lock);
++ rcu_read_unlock();
+ }
+ EXPORT_SYMBOL_GPL(blk_mq_unquiesce_tagset);
+
+@@ -4117,7 +4117,7 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q)
+ struct blk_mq_tag_set *set = q->tag_set;
+
+ mutex_lock(&set->tag_list_lock);
+- list_del(&q->tag_set_list);
++ list_del_rcu(&q->tag_set_list);
+ if (list_is_singular(&set->tag_list)) {
+ /* just transitioned to unshared */
+ set->flags &= ~BLK_MQ_F_TAG_QUEUE_SHARED;
+@@ -4125,7 +4125,6 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q)
+ blk_mq_update_tag_set_shared(set, false);
+ }
+ mutex_unlock(&set->tag_list_lock);
+- INIT_LIST_HEAD(&q->tag_set_list);
+ }
+
+ static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set,
+@@ -4144,7 +4143,7 @@ static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set,
+ }
+ if (set->flags & BLK_MQ_F_TAG_QUEUE_SHARED)
+ queue_set_hctx_shared(q, true);
+- list_add_tail(&q->tag_set_list, &set->tag_list);
++ list_add_tail_rcu(&q->tag_set_list, &set->tag_list);
+
+ mutex_unlock(&set->tag_list_lock);
+ }
+--
+2.51.0
+
diff --git a/queue-6.6/dm-log-writes-add-missing-set_freezable-for-freezabl.patch b/queue-6.6/dm-log-writes-add-missing-set_freezable-for-freezabl.patch
new file mode 100644
index 0000000000..725267d061
--- /dev/null
+++ b/queue-6.6/dm-log-writes-add-missing-set_freezable-for-freezabl.patch
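Review bot: With `INIT_LIST_HEAD(&q->tag_set_list)` removed from `blk_mq_del_queue_tag_set()`, the node keeps stale links after `list_del_rcu()` and the code no longer says why; a comment after `mutex_unlock(&set->tag_list_lock);` such as `/* q->tag_set_list must not be reinitialised: RCU readers in blk_mq_[un]quiesce_tagset() may still be walking it */` would keep someone from restoring the line. The safety argument in the commit message depends on the request_queue being freed only after an RCU grace period, which is outside this diff and should be confirmed for the 6.6 tree this is queued for. Any code that later tests `list_empty(&q->tag_set_list)` on a deleted queue would also need review, though none is visible here.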
@@ -0,0 +1,40 @@
+From 2015f72257937b2c921dfc013fa300edfb6a1176 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 15:41:03 +0800
+Subject: dm log-writes: Add missing set_freezable() for freezable kthread
+
+From: Haotian Zhang
+
+[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ]
+
+The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(),
+rendering the freeze attempt ineffective since kernel threads are
+non-freezable by default. This prevents proper thread suspension during
+system suspend/hibernate.
+
+Add set_freezable() to explicitly mark the thread as freezable.
+
+Fixes: 0e9cebe72459 ("dm: add log writes target")
+Signed-off-by: Haotian Zhang
+Reviewed-by: Benjamin Marzinski
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-log-writes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c
+index f17a6cf2284ec..dabfc856443a9 100644
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -432,6 +432,7 @@ static int log_writes_kthread(void *arg)
+ struct log_writes_c *lc = arg;
+ sector_t sector = 0;
+
++ set_freezable();
+ while (!kthread_should_stop()) {
+ bool super = false;
+ bool logging_enabled;
+--
+2.51.0
+
diff --git a/queue-6.6/dm-raid-fix-possible-null-dereference-with-undefined.patch b/queue-6.6/dm-raid-fix-possible-null-dereference-with-undefined.patch
new file mode 100644
index 0000000000..0ceb7fa394
--- /dev/null
+++ b/queue-6.6/dm-raid-fix-possible-null-dereference-with-undefined.patch
@@ -0,0 +1,42 @@
+From c8e035730c509d9f309e42ec1a80f2e2b5c7714a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 20:18:38 +0300
+Subject: dm-raid: fix possible NULL dereference with undefined raid type
+
+From: Alexey Simakov
+
+[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ]
+
+rs->raid_type is assigned from get_raid_type_by_ll(), which may return
+NULL. This NULL value could be dereferenced later in the condition
+'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'.
+
+Add a fail-fast check to return early with an error if raid_type is NULL,
+similar to other uses of this function.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping")
+Signed-off-by: Alexey Simakov
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-raid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index f23edd79df45e..0c4ab6865182b 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2259,6 +2259,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev)
+
+ mddev->reshape_position = le64_to_cpu(sb->reshape_position);
+ rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout);
++ if (!rs->raid_type)
++ return -EINVAL;
+ }
+
+ } else {
+--
+2.51.0
+
diff --git a/queue-6.6/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch b/queue-6.6/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch
new file mode 100644
index 0000000000..2b08b22f0a
--- /dev/null
+++ b/queue-6.6/dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch
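Review bot: The added `if (!rs->raid_type) return -EINVAL;` in `super_init_validation()` fails without saying why, while the rejected value comes from `mddev->level` and `mddev->layout`, which in this branch appear to be taken from the on-disk superblock like `sb->reshape_position` just above. A one-line diagnostic before the return, for example `DMERR("unsupported raid level %d / layout %d in superblock", mddev->level, mddev->layout);`, would let an administrator tell a corrupted or crafted superblock apart from other table-load failures. The enclosing function starts and ends outside the hunk, so the message should follow whatever error-reporting convention its other `-EINVAL` paths use.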
@@ -0,0 +1,40 @@
+From d9b482a409d420dbd955c0fffef43c39e6077c11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Dec 2025 09:28:10 -0600
+Subject: dma/pool: eliminate alloc_pages warning in atomic_pool_expand
+
+From: Dave Kleikamp
+
+[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ]
+
+atomic_pool_expand iteratively tries the allocation while decrementing
+the page order. There is no need to issue a warning if an attempted
+allocation fails.
+
+Signed-off-by: Dave Kleikamp
+Reviewed-by: Robin Murphy
+Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone")
+[mszyprow: fixed typo]
+Signed-off-by: Marek Szyprowski
+Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com
+Signed-off-by: Sasha Levin
+---
+ kernel/dma/pool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c
+index 6b0be9598a973..b3b9c7ec5fc54 100644
+--- a/kernel/dma/pool.c
++++ b/kernel/dma/pool.c
+@@ -93,7 +93,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size,
+ page = dma_alloc_from_contiguous(NULL, 1 << order,
+ order, false);
+ if (!page)
+- page = alloc_pages(gfp, order);
++ page = alloc_pages(gfp | __GFP_NOWARN, order);
+ } while (!page && order-- > 0);
+ if (!page)
+ goto out;
+--
+2.51.0
+
diff --git a/queue-6.6/expand-the-type-of-nfs_fattr-valid.patch b/queue-6.6/expand-the-type-of-nfs_fattr-valid.patch
new file mode 100644
index 0000000000..12a20e2962
--- /dev/null
+++ b/queue-6.6/expand-the-type-of-nfs_fattr-valid.patch
@@ -0,0 +1,127 @@
+From e67b91862a40577b8a070755b283fc756f3821dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 May 2025 06:45:45 -0400
+Subject: Expand the type of nfs_fattr->valid
+
+From: Trond Myklebust
+
+[ Upstream commit ce60ab3964782df9ba34f0a64c0bc766dd508bde ]
+
+We need to be able to track more than 32 attributes per inode.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Lance Shelton
+Signed-off-by: Benjamin Coddington
+Reviewed-by: Jeff Layton
+Link: https://lore.kernel.org/r/1e3405fca54efd0be7c91c1da77917b94f5dfcc4.1748515333.git.bcodding@redhat.com
+Signed-off-by: Trond Myklebust
+Stable-dep-of: 2b092175f5e3 ("NFS: Fix inheritance of the block sizes when automounting")
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/inode.c | 2 +-
+ include/linux/nfs_fs_sb.h | 2 +-
+ include/linux/nfs_xdr.h | 54 +++++++++++++++++++--------------------
+ 3 files changed, 29 insertions(+), 29 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 5cd5e4226db36..0d7facfdafb95 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -2086,7 +2086,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ bool attr_changed = false;
+ bool have_delegation;
+
+- dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%x)\n",
++ dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%llx)\n",
+ __func__, inode->i_sb->s_id, inode->i_ino,
+ nfs_display_fhandle_hash(NFS_FH(inode)),
+ atomic_read(&inode->i_count), fattr->valid);
+diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
+index 374b1b208bd89..ac2d720a164f6 100644
+--- a/include/linux/nfs_fs_sb.h
++++ b/include/linux/nfs_fs_sb.h
+@@ -157,8 +157,8 @@ struct nfs_server {
+ #define NFS_MOUNT_TRUNK_DISCOVERY 0x04000000
+ #define NFS_MOUNT_SHUTDOWN 0x08000000
+
+- unsigned int fattr_valid; /* Valid attributes */
+ unsigned int caps; /* server capabilities */
++ __u64 fattr_valid; /* Valid attributes */
+ unsigned int rsize; /* read size */
+ unsigned int rpages; /* read size (in pages) */
+ unsigned int wsize; /* write size */
+diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
+index 12bbb5c636646..e2a99bf46cdf8 100644
+--- a/include/linux/nfs_xdr.h
++++ b/include/linux/nfs_xdr.h
+@@ -45,7 +45,7 @@ struct nfs4_threshold {
+ };
+
+ struct nfs_fattr {
+- unsigned int valid; /* which fields are valid */
++ __u64 valid; /* which fields are valid */
+ umode_t mode;
+ __u32 nlink;
+ kuid_t uid;
+@@ -80,32 +80,32 @@ struct nfs_fattr {
+ struct nfs4_label *label;
+ };
+
+-#define NFS_ATTR_FATTR_TYPE (1U << 0)
+-#define NFS_ATTR_FATTR_MODE (1U << 1)
+-#define NFS_ATTR_FATTR_NLINK (1U << 2)
+-#define NFS_ATTR_FATTR_OWNER (1U << 3)
+-#define NFS_ATTR_FATTR_GROUP (1U << 4)
+-#define NFS_ATTR_FATTR_RDEV (1U << 5)
+-#define NFS_ATTR_FATTR_SIZE (1U << 6)
+-#define NFS_ATTR_FATTR_PRESIZE (1U << 7)
+-#define NFS_ATTR_FATTR_BLOCKS_USED (1U << 8)
+-#define NFS_ATTR_FATTR_SPACE_USED (1U << 9)
+-#define NFS_ATTR_FATTR_FSID (1U << 10)
+-#define NFS_ATTR_FATTR_FILEID (1U << 11)
+-#define NFS_ATTR_FATTR_ATIME (1U << 12)
+-#define NFS_ATTR_FATTR_MTIME (1U << 13)
+-#define NFS_ATTR_FATTR_CTIME (1U << 14)
+-#define NFS_ATTR_FATTR_PREMTIME (1U << 15)
+-#define NFS_ATTR_FATTR_PRECTIME (1U << 16)
+-#define NFS_ATTR_FATTR_CHANGE (1U << 17)
+-#define NFS_ATTR_FATTR_PRECHANGE (1U << 18)
+-#define NFS_ATTR_FATTR_V4_LOCATIONS (1U << 19)
+-#define NFS_ATTR_FATTR_V4_REFERRAL (1U << 20)
+-#define NFS_ATTR_FATTR_MOUNTPOINT (1U << 21)
+-#define NFS_ATTR_FATTR_MOUNTED_ON_FILEID (1U << 22)
+-#define NFS_ATTR_FATTR_OWNER_NAME (1U << 23)
+-#define NFS_ATTR_FATTR_GROUP_NAME (1U << 24)
+-#define NFS_ATTR_FATTR_V4_SECURITY_LABEL (1U << 25)
++#define NFS_ATTR_FATTR_TYPE BIT_ULL(0)
++#define NFS_ATTR_FATTR_MODE BIT_ULL(1)
++#define NFS_ATTR_FATTR_NLINK BIT_ULL(2)
++#define NFS_ATTR_FATTR_OWNER BIT_ULL(3)
++#define NFS_ATTR_FATTR_GROUP BIT_ULL(4)
++#define NFS_ATTR_FATTR_RDEV BIT_ULL(5)
++#define NFS_ATTR_FATTR_SIZE BIT_ULL(6)
++#define NFS_ATTR_FATTR_PRESIZE BIT_ULL(7)
++#define NFS_ATTR_FATTR_BLOCKS_USED BIT_ULL(8)
++#define NFS_ATTR_FATTR_SPACE_USED BIT_ULL(9)
++#define NFS_ATTR_FATTR_FSID BIT_ULL(10)
++#define NFS_ATTR_FATTR_FILEID BIT_ULL(11)
++#define NFS_ATTR_FATTR_ATIME BIT_ULL(12)
++#define NFS_ATTR_FATTR_MTIME BIT_ULL(13)
++#define NFS_ATTR_FATTR_CTIME BIT_ULL(14)
++#define NFS_ATTR_FATTR_PREMTIME BIT_ULL(15)
++#define NFS_ATTR_FATTR_PRECTIME BIT_ULL(16)
++#define NFS_ATTR_FATTR_CHANGE BIT_ULL(17)
++#define NFS_ATTR_FATTR_PRECHANGE BIT_ULL(18)
++#define NFS_ATTR_FATTR_V4_LOCATIONS BIT_ULL(19)
++#define NFS_ATTR_FATTR_V4_REFERRAL BIT_ULL(20)
++#define NFS_ATTR_FATTR_MOUNTPOINT BIT_ULL(21)
++#define NFS_ATTR_FATTR_MOUNTED_ON_FILEID BIT_ULL(22)
++#define NFS_ATTR_FATTR_OWNER_NAME BIT_ULL(23)
++#define NFS_ATTR_FATTR_GROUP_NAME BIT_ULL(24)
++#define NFS_ATTR_FATTR_V4_SECURITY_LABEL BIT_ULL(25)
+
+ #define NFS_ATTR_FATTR (NFS_ATTR_FATTR_TYPE \
+ | NFS_ATTR_FATTR_MODE \
+--
+2.51.0
+
diff --git a/queue-6.6/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch b/queue-6.6/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch
new file mode 100644
index 0000000000..6af172daf9
--- /dev/null
+++ b/queue-6.6/fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch
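Review bot: Widening `nfs_fattr.valid` and `nfs_server.fattr_valid` to `__u64` updates only the one format string in `nfs_update_inode()`; any other place that prints these fields with `%x` or copies them into an `unsigned int` local would now warn or truncate silently, and none of those users are visible in this diff. Because this is queued as a `Stable-dep-of` for 6.6, the set of users can differ from the upstream tree the patch was written against, so a search for `->valid` and `fattr_valid` under `fs/nfs` on the target branch is worth doing before release. In `struct nfs_server` the new `__u64 fattr_valid` sits between two `unsigned int` members, which may add padding; placing it next to other 64-bit fields would avoid that.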
@@ -0,0 +1,64 @@
+From 3fb2f67e2bb193d77b03735d125c9b5b39aeea88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Nov 2025 12:15:35 +0100
+Subject: fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf
+
+[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ]
+
+After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"),
+the return values of utf8_to_utf32() and utf32_to_utf8() are
+inconsistent when encountering an error: utf8_to_utf32() returns -1,
+while utf32_to_utf8() returns errno codes. Fix this inconsistency
+by modifying utf8_to_utf32() to return errno codes as well.
+
+Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion")
+Suggested-by: Andy Shevchenko
+Reviewed-by: Andy Shevchenko
+Signed-off-by: Armin Wolf
+Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Sasha Levin
+---
+ fs/nls/nls_base.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
+index 7eacded3c17d1..f072eb6b563f6 100644
+--- a/fs/nls/nls_base.c
++++ b/fs/nls/nls_base.c
+@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu)
+ l &= t->lmask;
+ if (l < t->lval || l > UNICODE_MAX ||
+ (l & SURROGATE_MASK) == SURROGATE_PAIR)
+- return -1;
++ return -EILSEQ;
++
+ *pu = (unicode_t) l;
+ return nc;
+ }
+ if (inlen <= nc)
+- return -1;
++ return -EOVERFLOW;
++
+ s++;
+ c = (*s ^ 0x80) & 0xFF;
+ if (c & 0xC0)
+- return -1;
++ return -EILSEQ;
++
+ l = (l << 6) | c;
+ }
+- return -1;
++ return -EILSEQ;
+ }
+ EXPORT_SYMBOL(utf8_to_utf32);
+
+--
+2.51.0
+
diff --git a/queue-6.6/fs-nls-fix-utf16-to-utf8-conversion.patch b/queue-6.6/fs-nls-fix-utf16-to-utf8-conversion.patch
new file mode 100644
index 0000000000..7a5efadb59
--- /dev/null
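Review bot: `utf8_to_utf32()` now returns `-EILSEQ` or `-EOVERFLOW` where it used to return `-1`, so any caller that compares the result with `-1` exactly instead of testing `< 0` would start treating an error as a byte count; the callers are outside this diff and should be checked on the 6.6 branch. `-EOVERFLOW` at `if (inlen <= nc)` signals that the input ended in the middle of a sequence, which is not obvious from the name, so a comment above the function listing the two error codes and their meaning would help. The patch's base blob `7eacded3c17d1` is the result blob of the utf16 conversion patch queued alongside it, so the series has to apply that one first.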
+++ b/queue-6.6/fs-nls-fix-utf16-to-utf8-conversion.patch 
@@ -0,0 +1,81 @@
+From df1cc644b92c888b00ae737ecfcec8aa2a58acf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Nov 2025 14:11:22 +0100
+Subject: fs/nls: Fix utf16 to utf8 conversion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf
+
+[ Upstream commit 25524b6190295577e4918c689644451365e6466d ]
+
+Currently the function responsible for converting between utf16 and
+utf8 strings will ignore any characters that cannot be converted. This
+however also includes multi-byte characters that do not fit into the
+provided string buffer.
+
+This can cause problems if such a multi-byte character is followed by
+a single-byte character. In such a case the multi-byte character might
+be ignored when the provided string buffer is too small, but the
+single-byte character might fit and is thus still copied into the
+resulting string.
+
+Fix this by stop filling the provided string buffer once a character
+does not fit. In order to be able to do this extend utf32_to_utf8()
+to return useful errno codes instead of -1.
+
+Fixes: 74675a58507e ("NLS: update handling of Unicode")
+Signed-off-by: Armin Wolf
+Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Sasha Levin
+---
+ fs/nls/nls_base.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
+index a026dbd3593f6..7eacded3c17d1 100644
+--- a/fs/nls/nls_base.c
++++ b/fs/nls/nls_base.c
+@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
+
+ l = u;
+ if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR)
+- return -1;
++ return -EILSEQ;
+
+ nc = 0;
+ for (t = utf8_table; t->cmask && maxout; t++, maxout--) {
+@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
+ return nc;
+ }
+ }
+- return -1;
++ return -EOVERFLOW;
+ }
+ EXPORT_SYMBOL(utf32_to_utf8);
+
+@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian,
+ inlen--;
+ }
+ size = utf32_to_utf8(u, op, maxout);
+- if (size == -1) {
+- /* Ignore character and move on */
++ if (size < 0) {
++ if (size == -EILSEQ) {
++ /* Ignore character and move on */
++ continue;
++ }
++ /*
++ * Stop filling the buffer with data once a character
++ * does not fit anymore.
++ */
++ break;
+ } else {
+ op += size;
+ maxout -= size;
+--
+2.51.0
+
diff --git a/queue-6.6/nfs-automounted-filesystems-should-inherit-ro-noexec.patch b/queue-6.6/nfs-automounted-filesystems-should-inherit-ro-noexec.patch
new file mode 100644
index 0000000000..372684ef73
--- /dev/null
+++ b/queue-6.6/nfs-automounted-filesystems-should-inherit-ro-noexec.patch
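Review bot: In `utf16s_to_utf8s()` the rewritten error branch leaves through `continue` or `break` on every path, so the `} else {` that follows is now redundant; closing the `if (size < 0)` block and letting `op += size; maxout -= size;` follow it unconditionally would read more simply. When the `break` is taken the output is cut short, and from the lines shown the caller gets no indication of that, so the function's comment should state that the result may be truncated at a character boundary. The function body starts and ends outside the hunk.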
@@ -0,0 +1,65 @@
+From 97aa1d1ea218f2a12ab2616ec7f6a22bd1c30ca0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 14:22:44 -0500
+Subject: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync
+ flags
+
+From: Trond Myklebust
+
+[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ]
+
+When a filesystem is being automounted, it needs to preserve the
+user-set superblock mount options, such as the "ro" flag.
+
+Reported-by: Li Lingfeng
+Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
+Fixes: f2aedb713c28 ("NFS: Add fs_context support.")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/namespace.c | 6 ++++++
+ fs/nfs/super.c | 4 ----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
+index e7494cdd957e5..40d7163bca870 100644
+--- a/fs/nfs/namespace.c
++++ b/fs/nfs/namespace.c
+@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
+ struct vfsmount *mnt = ERR_PTR(-ENOMEM);
+ struct nfs_server *server = NFS_SB(path->dentry->d_sb);
+ struct nfs_client *client = server->nfs_client;
++ unsigned long s_flags = path->dentry->d_sb->s_flags;
+ int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout);
+ int ret;
+
+@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path)
+ fc->net_ns = get_net(client->cl_net);
+ }
+
++ /* Inherit the flags covered by NFS_SB_MASK */
++ fc->sb_flags_mask |= NFS_SB_MASK;
++ fc->sb_flags &= ~NFS_SB_MASK;
++ fc->sb_flags |= s_flags & NFS_SB_MASK;
++
+ /* for submounts we want the same server; referrals will reassign */
+ memcpy(&ctx->nfs_server._address, &client->cl_addr, client->cl_addrlen);
+ ctx->nfs_server.addrlen = client->cl_addrlen;
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index e1bcad5906ae7..2115b0d8ccae7 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1284,10 +1284,6 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (server->flags & NFS_MOUNT_NOAC)
+ fc->sb_flags |= SB_SYNCHRONOUS;
+
+- if (ctx->clone_data.sb)
+- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS)
+- fc->sb_flags |= SB_SYNCHRONOUS;
+-
+ /* Get a superblock - note that we may end up sharing one that already exists */
+ fc->s_fs_info = server;
+ s = sget_fc(fc, compare_super, nfs_set_super);
+--
+2.51.0
+
diff --git a/queue-6.6/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch b/queue-6.6/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch
new file mode 100644
index 0000000000..083c2c37b5
--- /dev/null
+++ b/queue-6.6/nfs-avoid-changing-nlink-when-file-removes-and-attri.patch
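Review bot: The block added to `nfs_d_automount()` copies only the bits in `NFS_SB_MASK` from the parent superblock, and that macro is defined outside this diff, so the backport should confirm that on 6.6 it covers every flag named in the subject (`ro`, `noexec`, `nodev`, `sync`); if a bit is missing there, an automounted submount would silently come up without that restriction. The same applies to the lines removed from `nfs_get_tree_common()`: inheritance of `SB_SYNCHRONOUS` now depends entirely on the mask. `s_flags` is sampled once at the top of the function without a lock, so a remount of the parent racing with the automount may leave the child with the old flags; a comment at the declaration saying that a snapshot is intended would make that explicit.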
@@ -0,0 +1,97 @@
+From 2ce69a004c61326ea11fda7a970943d100817bdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Nov 2025 15:28:17 -0500
+Subject: NFS: Avoid changing nlink when file removes and attribute updates
+ race
+
+From: Trond Myklebust
+
+[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ]
+
+If a file removal races with another operation that updates its
+attributes, then skip the change to nlink, and just mark the attributes
+as being stale.
+
+Reported-by: Aiden Lambert
+Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/dir.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 385baf871800c..70f55df9e4f95 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1901,13 +1901,15 @@ static int nfs_dentry_delete(const struct dentry *dentry)
+ }
+
+ /* Ensure that we revalidate inode->i_nlink */
+-static void nfs_drop_nlink(struct inode *inode)
++static void nfs_drop_nlink(struct inode *inode, unsigned long gencount)
+ {
++ struct nfs_inode *nfsi = NFS_I(inode);
++
+ spin_lock(&inode->i_lock);
+ /* drop the inode if we're reasonably sure this is the last link */
+- if (inode->i_nlink > 0)
++ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount)
+ drop_nlink(inode);
+- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter();
++ nfsi->attr_gencount = nfs_inc_attr_generation_counter();
+ nfs_set_cache_invalid(
+ inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME |
+ NFS_INO_INVALID_NLINK);
+@@ -1921,8 +1923,9 @@ static void nfs_drop_nlink(struct inode *inode)
+ static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode)
+ {
+ if (dentry->d_flags & DCACHE_NFSFS_RENAMED) {
++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount);
+ nfs_complete_unlink(dentry, inode);
+- nfs_drop_nlink(inode);
++ nfs_drop_nlink(inode, gencount);
+ }
+ iput(inode);
+ }
+@@ -2475,9 +2478,11 @@ static int nfs_safe_remove(struct dentry *dentry)
+
+ trace_nfs_remove_enter(dir, dentry);
+ if (inode != NULL) {
++ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount);
++
+ error = NFS_PROTO(dir)->remove(dir, dentry);
+ if (error == 0)
+- nfs_drop_nlink(inode);
++ nfs_drop_nlink(inode, gencount);
+ } else
+ error = NFS_PROTO(dir)->remove(dir, dentry);
+ if (error == -ENOENT)
+@@ -2682,6 +2687,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
+ {
+ struct inode *old_inode = d_inode(old_dentry);
+ struct inode *new_inode = d_inode(new_dentry);
++ unsigned long new_gencount = 0;
+ struct dentry *dentry = NULL;
+ struct rpc_task *task;
+ bool must_unblock = false;
+@@ -2734,6 +2740,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
+ } else {
+ block_revalidate(new_dentry);
+ must_unblock = true;
++ new_gencount = NFS_I(new_inode)->attr_gencount;
+ spin_unlock(&new_dentry->d_lock);
+ }
+
+@@ -2773,7 +2780,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
+ new_dir, new_dentry, error);
+ if (!error) {
+ if (new_inode != NULL)
+- nfs_drop_nlink(new_inode);
++ nfs_drop_nlink(new_inode, new_gencount);
+ /*
+ * The d_move() should be here instead of in an async RPC completion
+ * handler because we need the proper locks to move the dentry. If
+--
+2.51.0
+
diff --git a/queue-6.6/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch b/queue-6.6/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch
new file mode 100644
index 0000000000..9173e881a2
--- /dev/null
+++ b/queue-6.6/nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch
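Review bot: In `nfs_rename()` the new line `new_gencount = NFS_I(new_inode)->attr_gencount;` reads the counter with a plain load, while the two other sample sites added by this patch, in `nfs_dentry_iput()` and `nfs_safe_remove()`, use `READ_ONCE()`; for consistency it should be `new_gencount = READ_ONCE(NFS_I(new_inode)->attr_gencount);`. `new_gencount` keeps its initial `0` on every path that does not reach that `else` branch, so `nfs_drop_nlink(new_inode, new_gencount)` will then skip `drop_nlink()` unless the counter happens to be zero; if that is intended, a comment at the declaration should say so. The branch containing the assignment begins outside the hunk, so whether `new_inode` is always non-NULL there cannot be confirmed from these lines.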
@@ -0,0 +1,178 @@ +From 28fd4b8ef5f81f5d159fbd59b1c7dafa41142747 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 16:06:41 -0500 +Subject: NFS: Fix inheritance of the block sizes when automounting + +From: Trond Myklebust + +[ Upstream commit 2b092175f5e301cdaa935093edfef2be9defb6df ] + +Only inherit the block sizes that were actually specified as mount +parameters for the parent mount. + +Fixes: 62a55d088cd8 ("NFS: Additional refactoring for fs_context conversion") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 21 +++++++++++++++++---- + fs/nfs/internal.h | 1 - + fs/nfs/namespace.c | 5 ++++- + fs/nfs/nfs4client.c | 18 ++++++++++++++---- + fs/nfs/super.c | 10 +++------- + include/linux/nfs_fs_sb.h | 5 +++++ + 6 files changed, 43 insertions(+), 17 deletions(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 1bcdaee7e856f..de4922ce4ac79 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -759,10 +759,18 @@ static int nfs_init_server(struct nfs_server *server, + server->fattr_valid = NFS_ATTR_FATTR_V4; + } + +- if (ctx->rsize) ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { + server->rsize = nfs_io_size(ctx->rsize, clp->cl_proto); +- if (ctx->wsize) ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { + server->wsize = nfs_io_size(ctx->wsize, clp->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +@@ -954,8 +962,13 @@ EXPORT_SYMBOL_GPL(nfs_probe_server); + void nfs_server_copy_userdata(struct nfs_server *target, struct nfs_server *source) + { + target->flags = source->flags; +- target->rsize = source->rsize; +- target->wsize = source->wsize; ++ target->automount_inherit = source->automount_inherit; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ 
target->bsize = source->bsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_RSIZE) ++ target->rsize = source->rsize; ++ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_WSIZE) ++ target->wsize = source->wsize; + target->acregmin = source->acregmin; + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 161c8fffbc1d9..3d5ae22ed3a81 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -150,7 +150,6 @@ struct nfs_fs_context { + struct super_block *sb; + struct dentry *dentry; + struct nfs_fattr *fattr; +- unsigned int inherited_bsize; + } clone_data; + }; + +diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c +index 40d7163bca870..923b5c1eb47e9 100644 +--- a/fs/nfs/namespace.c ++++ b/fs/nfs/namespace.c +@@ -190,6 +190,10 @@ struct vfsmount *nfs_d_automount(struct path *path) + ctx->nfs_mod = client->cl_nfs_mod; + __module_get(ctx->nfs_mod->owner); + ++ /* Inherit block sizes if they were specified as mount parameters */ ++ if (server->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE) ++ ctx->bsize = server->bsize; ++ + ret = client->rpc_ops->submount(fc, server); + if (ret < 0) { + mnt = ERR_PTR(ret); +@@ -290,7 +294,6 @@ int nfs_do_submount(struct fs_context *fc) + return -ENOMEM; + + ctx->internal = true; +- ctx->clone_data.inherited_bsize = ctx->clone_data.sb->s_blocksize_bits; + + p = nfs_devname(dentry, buffer, 4096); + if (IS_ERR(p)) { +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index b14688da814d6..3f31d05e87ae1 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1176,10 +1176,20 @@ static int nfs4_init_server(struct nfs_server *server, struct fs_context *fc) + if (error < 0) + return error; + +- if (ctx->rsize) +- server->rsize = nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); +- if (ctx->wsize) +- server->wsize = nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ if (ctx->bsize) { ++ server->bsize = ctx->bsize; ++ 
server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE; ++ } ++ if (ctx->rsize) { ++ server->rsize = ++ nfs_io_size(ctx->rsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE; ++ } ++ if (ctx->wsize) { ++ server->wsize = ++ nfs_io_size(ctx->wsize, server->nfs_client->cl_proto); ++ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE; ++ } + + server->acregmin = ctx->acregmin * HZ; + server->acregmax = ctx->acregmax * HZ; +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 2115b0d8ccae7..5c14c30a84c0e 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1060,8 +1060,9 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) + sb->s_blocksize = 0; + sb->s_xattr = server->nfs_client->cl_nfs_mod->xattr; + sb->s_op = server->nfs_client->cl_nfs_mod->sops; +- if (ctx->bsize) +- sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits); ++ if (server->bsize) ++ sb->s_blocksize = ++ nfs_block_size(server->bsize, &sb->s_blocksize_bits); + + switch (server->nfs_client->rpc_ops->version) { + case 2: +@@ -1307,13 +1308,8 @@ int nfs_get_tree_common(struct fs_context *fc) + } + + if (!s->s_root) { +- unsigned bsize = ctx->clone_data.inherited_bsize; + /* initial superblock/root creation */ + nfs_fill_super(s, ctx); +- if (bsize) { +- s->s_blocksize_bits = bsize; +- s->s_blocksize = 1U << bsize; +- } + error = nfs_get_cache_cookie(s, ctx); + if (error < 0) + goto error_splat_super; +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index ac2d720a164f6..4ca77c50e489d 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -157,6 +157,11 @@ struct nfs_server { + #define NFS_MOUNT_TRUNK_DISCOVERY 0x04000000 + #define NFS_MOUNT_SHUTDOWN 0x08000000 + ++ unsigned int automount_inherit; /* Properties inherited by automount */ ++#define NFS_AUTOMOUNT_INHERIT_BSIZE 0x0001 ++#define NFS_AUTOMOUNT_INHERIT_RSIZE 0x0002 ++#define NFS_AUTOMOUNT_INHERIT_WSIZE 0x0004 ++ 
+ unsigned int caps; /* server capabilities */ + __u64 fattr_valid; /* Valid attributes */ + unsigned int rsize; /* read size */ +-- +2.51.0 + diff --git a/queue-6.6/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch b/queue-6.6/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch new file mode 100644 index 0000000000..a52bb61f1e --- /dev/null +++ b/queue-6.6/nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch @@ -0,0 +1,41 @@ +From 31a78c1758dbbc97a6b24543d115c3bc7ca16f48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:39:50 -0500 +Subject: NFS: Initialise verifiers for visible dentries in nfs_atomic_open() + +From: Trond Myklebust + +[ Upstream commit 518c32a1bc4f8df1a8442ee8cdfea3e2fcff20a0 ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in nfs_atomic_open(). + +Reported-by: Michael Stoler +Fixes: 809fd143de88 ("NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index d47e908ef411c..32e922a20d0d4 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2149,12 +2149,12 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry, + d_drop(dentry); + switch (err) { + case -ENOENT: +- d_splice_alias(NULL, dentry); + if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE)) + dir_verifier = inode_peek_iversion_raw(dir); + else + dir_verifier = nfs_save_change_attribute(dir); + nfs_set_verifier(dentry, dir_verifier); ++ d_splice_alias(NULL, dentry); + break; + case -EISDIR: + case -ENOTDIR: +-- +2.51.0 + diff --git a/queue-6.6/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch b/queue-6.6/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch new file mode 100644 index 0000000000..be425ba352 --- /dev/null +++ b/queue-6.6/nfs-initialise-verifiers-for-visible-dentries-in-rea.patch 
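Review bot: In nfs_server_copy_userdata() the target's bsize, rsize and wsize are now left untouched when the matching NFS_AUTOMOUNT_INHERIT_* bit is clear, and nothing in the hunk says what value the target is expected to hold in that case. A short comment above the three tests, for example `/* Sizes not given as mount options are not copied; the target keeps its own values */`, would record that contract. The same `if (ctx->bsize) … if (ctx->rsize) … if (ctx->wsize)` sequence is also added to both nfs_init_server() and nfs4_init_server(), differing only in how the client is reached; a shared static helper would stop the two copies drifting apart, though that may be more than a stable backport wants.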
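Review bot: The -ENOENT case in nfs_atomic_open() now depends on nfs_set_verifier() running before d_splice_alias(), but no comment says that the order matters, so a later cleanup could move the call back. I would add `/* Set the verifier before d_splice_alias() makes the dentry visible */` above the nfs_set_verifier() call. The same applies to the nfs_prime_dcache() and nfs_lookup() hunks in the patch that follows, where the verifier is additionally set on the alias that d_splice_alias() returns. nfs_atomic_open() starts and ends outside the hunk.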
@@ -0,0 +1,62 @@ +From a362faf6465a2f9106d93f268fd16a20cfcf96bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 08:36:16 -0500 +Subject: NFS: Initialise verifiers for visible dentries in readdir and lookup + +From: Trond Myklebust + +[ Upstream commit 9bd545539b233725a3416801f7c374bff0327d6e ] + +Ensure that the verifiers are initialised before calling +d_splice_alias() in both nfs_prime_dcache() and nfs_lookup(). + +Reported-by: Michael Stoler +Fixes: a1147b8281bd ("NFS: Fix up directory verifier races") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 70f55df9e4f95..d47e908ef411c 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -785,16 +785,17 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry, + goto out; + } + ++ nfs_set_verifier(dentry, dir_verifier); + inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr); + alias = d_splice_alias(inode, dentry); + d_lookup_done(dentry); + if (alias) { + if (IS_ERR(alias)) + goto out; ++ nfs_set_verifier(alias, dir_verifier); + dput(dentry); + dentry = alias; + } +- nfs_set_verifier(dentry, dir_verifier); + trace_nfs_readdir_lookup(d_inode(parent), dentry, 0); + out: + dput(dentry); +@@ -2000,13 +2001,14 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in + nfs_lookup_advise_force_readdirplus(dir, flags); + + no_entry: ++ nfs_set_verifier(dentry, dir_verifier); + res = d_splice_alias(inode, dentry); + if (res != NULL) { + if (IS_ERR(res)) + goto out; ++ nfs_set_verifier(res, dir_verifier); + dentry = res; + } +- nfs_set_verifier(dentry, dir_verifier); + out: + trace_nfs_lookup_exit(dir, dentry, flags, PTR_ERR_OR_ZERO(res)); + nfs_free_fattr(fattr); +-- +2.51.0 + 
diff --git a/queue-6.6/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch b/queue-6.6/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch
new file mode 100644
index 0000000000..98025968f8
--- /dev/null
+++ b/queue-6.6/nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch
@@ -0,0 +1,43 @@
+From 0986f5969c2a962b745342018318c694e1dd596f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Nov 2025 18:02:42 +0000
+Subject: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in
+ pnfs_mark_layout_stateid_invalid
+
+From: Jonathan Curley
+
+[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ]
+
+Fixes a crash when layout is null during this call stack:
+
+write_inode
+ -> nfs4_write_inode
+ -> pnfs_layoutcommit_inode
+
+pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
+around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
+to reference a null layout.
+
+Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid")
+Signed-off-by: Jonathan Curley
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/pnfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index b40c20bd364b0..0737d9a15d862 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -465,6 +465,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
+ struct pnfs_layout_segment *lseg, *next;
+
+ set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
++ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);
+ list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list)
+ pnfs_clear_lseg_state(lseg, lseg_list);
+ pnfs_clear_layoutreturn_info(lo);
+--
+2.51.0
+
diff --git a/queue-6.6/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch b/queue-6.6/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch
new file mode 100644
index 0000000000..ee9e10aa10
--- /dev/null
+++ b/queue-6.6/nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch
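Review bot: The added `clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);` discards a pending layoutcommit, and the reason this is safe is given only in the commit message, not next to the code. I would put a comment above it along the lines of `/* The lsegs are cleared below and no longer pin the layout; drop any pending layoutcommit */`, with the wording confirmed by someone who knows the layoutcommit path. pnfs_mark_layout_stateid_invalid() starts and ends outside the hunk.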
@@ -0,0 +1,38 @@
+From b73f2856b65e7e7e3c71b993c89471e8b3945e15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 23 Nov 2025 16:46:48 +0200
+Subject: nvme-auth: use kvfree() for memory allocated with kvcalloc()
+
+From: Israel Rukshin
+
+[ Upstream commit bb9f4cca7c031de6f0e85f7ba24abf0172829f85 ]
+
+Memory allocated by kvcalloc() may come from vmalloc or kmalloc,
+so use kvfree() instead of kfree() for proper deallocation.
+
+Fixes: aa36d711e945 ("nvme-auth: convert dhchap_auth_list to an array")
+Signed-off-by: Israel Rukshin
+Reviewed-by: Max Gurtovoy
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
+index 811541ce206bf..f1b0a8e7af896 100644
+--- a/drivers/nvme/host/auth.c
++++ b/drivers/nvme/host/auth.c
+@@ -997,7 +997,7 @@ void nvme_auth_free(struct nvme_ctrl *ctrl)
+ if (ctrl->dhchap_ctxs) {
+ for (i = 0; i < ctrl_max_dhchaps(ctrl); i++)
+ nvme_auth_free_dhchap(&ctrl->dhchap_ctxs[i]);
+- kfree(ctrl->dhchap_ctxs);
++ kvfree(ctrl->dhchap_ctxs);
+ }
+ if (ctrl->host_key) {
+ nvme_auth_free_key(ctrl->host_key);
+--
+2.51.0
+
diff --git a/queue-6.6/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch b/queue-6.6/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch
new file mode 100644
index 0000000000..2877625838
--- /dev/null
+++ b/queue-6.6/platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch
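Review bot: After `kvfree(ctrl->dhchap_ctxs);` the pointer is left dangling, so a second call to nvme_auth_free() on the same controller would pass the `if (ctrl->dhchap_ctxs)` test and walk and free the array again. Adding `ctrl->dhchap_ctxs = NULL;` on the line after the kvfree() closes that off. Whether a second call can actually occur is not visible from this hunk, and nvme_auth_free() continues past it.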
@@ -0,0 +1,78 @@ +From e119b1c2bf8eade15a2e82f4069e356d0dd5ada3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Nov 2025 11:13:08 +0100 +Subject: platform/x86: asus-wmi: use brightness_set_blocking() for kbd led +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anton Khirnov + +[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ] + +kbd_led_set() can sleep, and so may not be used as the brightness_set() +callback. + +Otherwise using this led with a trigger leads to system hangs +accompanied by: +BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003 +CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1 +Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024 +Call Trace: + + [...] + schedule_timeout+0xbd/0x100 + __down_common+0x175/0x290 + down_timeout+0x67/0x70 + acpi_os_wait_semaphore+0x57/0x90 + [...] + asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi] + led_trigger_event+0x3f/0x60 + [...] 
+ +Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process") +Signed-off-by: Anton Khirnov +Reviewed-by: Andy Shevchenko +Reviewed-by: Denis Benato +Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 2c894ea8aa817..b56be64fcc631 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1405,14 +1405,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value) + kbd_led_update(asus); + } + +-static void kbd_led_set(struct led_classdev *led_cdev, +- enum led_brightness value) ++static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value) + { + /* Prevent disabling keyboard backlight on module unregister */ + if (led_cdev->flags & LED_UNREGISTERING) +- return; ++ return 0; + + do_kbd_led_set(led_cdev, value); ++ return 0; + } + + static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value) +@@ -1565,7 +1565,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus) + asus->kbd_led_wk = led_val; + asus->kbd_led.name = "asus::kbd_backlight"; + asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED; +- asus->kbd_led.brightness_set = kbd_led_set; ++ asus->kbd_led.brightness_set_blocking = kbd_led_set; + asus->kbd_led.brightness_get = kbd_led_get; + asus->kbd_led.max_brightness = 3; + +-- +2.51.0 + diff --git a/queue-6.6/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch b/queue-6.6/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch new file mode 100644 index 0000000000..d23485e1bf --- /dev/null +++ b/queue-6.6/regulator-fixed-rely-on-the-core-freeing-the-enable-.patch 
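Review bot: kbd_led_set() now has the int return type that brightness_set_blocking expects, but it returns 0 on every path, so a failed brightness update is still reported to the LED core as success. do_kbd_led_set() is declared void in the hunk's context, so the change would be to let it return the status of the update and to end kbd_led_set() with `return do_kbd_led_set(led_cdev, value);`. This assumes kbd_led_update() can report an error, which the hunk does not show.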
@@ -0,0 +1,51 @@
+From 261cf1d54dfabe6d1265c01918834f2ce480577c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Dec 2025 19:39:34 +0000
+Subject: regulator: fixed: Rely on the core freeing the enable GPIO
+
+From: Mark Brown
+
+[ Upstream commit 79a45ddcdbba330f5139c7c7ff7042d69cf147b2 ]
+
+In order to simplify ownership rules for enable GPIOs supplied by drivers
+regulator_register() always takes ownership of them, even if it ends up
+failing for some other reason. We therefore should not free the GPIO if
+registration fails but just let the core worry about things.
+
+Fixes: 636f4618b1cd (regulator: fixed: fix GPIO descriptor leak on register failure)
+Reported-by: Diederik de Haas
+Closes: https://lore.kernel.org/r/DEPEYUF5BRGY.UKFBWRRE8HNP@cknow-tech.com
+Tested-by: Diederik de Haas
+Signed-off-by: Mark Brown
+Link: https://patch.msgid.link/20251204-regulator-fixed-fix-gpiod-leak-v1-1-48efea5b82c2@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/fixed.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c
+index 4477bdeb9e60f..8981b29af3257 100644
+--- a/drivers/regulator/fixed.c
++++ b/drivers/regulator/fixed.c
+@@ -282,13 +282,10 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev)
+
+ drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc,
+ &cfg);
+- if (IS_ERR(drvdata->dev)) {
+- ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev),
+- "Failed to register regulator: %ld\n",
+- PTR_ERR(drvdata->dev));
+- gpiod_put(cfg.ena_gpiod);
+- return ret;
+- }
++ if (IS_ERR(drvdata->dev))
++ return dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev),
++ "Failed to register regulator: %ld\n",
++ PTR_ERR(drvdata->dev));
+
+ platform_set_drvdata(pdev, drvdata);
+
+--
+2.51.0
+
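Review bot: With the gpiod_put() gone, nothing at the error return says that cfg.ena_gpiod is deliberately not released here, and the commit being fixed shows how easily that gets "corrected" back into a second put. I would add `/* The regulator core owns cfg.ena_gpiod once registration is attempted, even on failure */` above the IS_ERR() test. As a smaller point, dev_err_probe() already prints the error code, so the `: %ld` in the format string and the trailing PTR_ERR() argument are redundant. reg_fixed_voltage_probe() starts and ends outside the hunk.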
diff --git a/queue-6.6/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-6.6/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch
new file mode 100644
index 0000000000..64f5705be5
--- /dev/null
+++ b/queue-6.6/revert-nfs-clear-sb_rdonly-before-getting-superblock.patch
@@ -0,0 +1,48 @@
+From fedbc61e9ec28c1482e7fc0fc523cbb7163c07d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 13:39:38 -0500
+Subject: Revert "nfs: clear SB_RDONLY before getting superblock"
+
+From: Trond Myklebust
+
+[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ]
+
+This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18.
+
+Silently ignoring the "ro" and "rw" mount options causes user confusion,
+and regressions.
+
+Reported-by: Alkis Georgopoulos
+Cc: Li Lingfeng
+Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/super.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 59bf4b2c0f86e..e1bcad5906ae7 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1277,17 +1277,8 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (IS_ERR(server))
+ return PTR_ERR(server);
+
+- /*
+- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
+- * superblock among each filesystem that mounts sub-directories
+- * belonging to a single exported root path.
+- * To prevent interference between different filesystems, the
+- * SB_RDONLY flag should be removed from the superblock.
+- */
+ if (server->flags & NFS_MOUNT_UNSHARED)
+ compare_super = NULL;
+- else
+- fc->sb_flags &= ~SB_RDONLY;
+
+ /* -o noac implies -o sync */
+ if (server->flags & NFS_MOUNT_NOAC)
+--
+2.51.0
+
diff --git a/queue-6.6/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch b/queue-6.6/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch
new file mode 100644
index 0000000000..69cb0d8474
--- /dev/null
+++ b/queue-6.6/revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch
@@ -0,0 +1,39 @@
+From 21964884dd9ae87d2d6b0d91b41791e031c0c07f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 13:39:45 -0500
+Subject: Revert "nfs: ignore SB_RDONLY when mounting nfs"
+
+From: Trond Myklebust
+
+[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ]
+
+This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3.
+
+Silently ignoring the "ro" and "rw" mount options causes user confusion,
+and regressions.
+
+Reported-by: Alkis Georgopoulos
+Cc: Li Lingfeng
+Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
+index bde81e0abf0ae..161c8fffbc1d9 100644
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -12,7 +12,7 @@
+ #include
+ #include
+
+-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS)
++#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS)
+
+ extern const struct export_operations nfs_export_ops;
+
+--
+2.51.0
+
diff --git a/queue-6.6/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-6.6/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch
new file mode 100644
index 0000000000..a591612a9b
--- /dev/null
+++ b/queue-6.6/revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch
@@ -0,0 +1,47 @@
+From 5e17c0f7f2d4323a0cf97213287753c14f2ee269 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Nov 2025 13:39:07 -0500
+Subject: Revert "nfs: ignore SB_RDONLY when remounting nfs"
+
+From: Trond Myklebust
+
+[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ]
+
+This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a.
+
+Silently ignoring the "ro" and "rw" mount options causes user confusion,
+and regressions.
+
+Reported-by: Alkis Georgopoulos
+Cc: Li Lingfeng
+Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/super.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 4e72ee57fc8fc..59bf4b2c0f86e 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1020,16 +1020,6 @@ int nfs_reconfigure(struct fs_context *fc)
+
+ sync_filesystem(sb);
+
+- /*
+- * The SB_RDONLY flag has been removed from the superblock during
+- * mounts to prevent interference between different filesystems.
+- * Similarly, it is also necessary to ignore the SB_RDONLY flag
+- * during reconfiguration; otherwise, it may also result in the
+- * creation of redundant superblocks when mounting a directory with
+- * different rw and ro flags multiple times.
+- */
+- fc->sb_flags_mask &= ~SB_RDONLY;
+-
+ /*
+ * Userspace mount programs that send binary options generally send
+ * them populated with default values. We have no way to know which
+--
+2.51.0
+
diff --git a/queue-6.6/rtc-gamecube-check-the-return-value-of-ioremap.patch b/queue-6.6/rtc-gamecube-check-the-return-value-of-ioremap.patch
new file mode 100644
index 0000000000..c72dbddce1
--- /dev/null
+++ b/queue-6.6/rtc-gamecube-check-the-return-value-of-ioremap.patch
@@ -0,0 +1,44 @@
+From ffc8c09cb6813fe221047b5cacf8a4c834d0c1f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Nov 2025 16:06:25 +0800
+Subject: rtc: gamecube: Check the return value of ioremap()
+
+From: Haotian Zhang
+
+[ Upstream commit d1220e47e4bd2be8b84bc158f4dea44f2f88b226 ]
+
+The function ioremap() in gamecube_rtc_read_offset_from_sram() can fail
+and return NULL, which is dereferenced without checking, leading to a
+NULL pointer dereference.
+
+Add a check for the return value of ioremap() and return -ENOMEM on
+failure.
+
+Fixes: 86559400b3ef ("rtc: gamecube: Add a RTC driver for the GameCube, Wii and Wii U")
+Signed-off-by: Haotian Zhang
+Reviewed-by: Link Mauve
+Link: https://patch.msgid.link/20251126080625.1752-1-vulab@iscas.ac.cn
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Sasha Levin
+---
+ drivers/rtc/rtc-gamecube.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/rtc/rtc-gamecube.c b/drivers/rtc/rtc-gamecube.c
+index c828bc8e05b9c..045d5d45ab4b0 100644
+--- a/drivers/rtc/rtc-gamecube.c
++++ b/drivers/rtc/rtc-gamecube.c
+@@ -242,6 +242,10 @@ static int gamecube_rtc_read_offset_from_sram(struct priv *d)
+ }
+
+ hw_srnprot = ioremap(res.start, resource_size(&res));
++ if (!hw_srnprot) {
++ pr_err("failed to ioremap hw_srnprot\n");
++ return -ENOMEM;
++ }
+ old = ioread32be(hw_srnprot);
+
+ /* TODO: figure out why we use this magic constant. I obtained it by
+--
+2.51.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
index 0e92919ea1..519474af90 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
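Review bot: The new failure message `pr_err("failed to ioremap hw_srnprot\n");` does not say which range could not be mapped. Since `res` is in scope at that point, `pr_err("failed to ioremap %pR\n", &res);` would put the address range in the log. gamecube_rtc_read_offset_from_sram() starts and ends outside the hunk, so whether anything acquired earlier needs releasing before this new return cannot be checked from here.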
@@ -260,3 +260,32 @@ pinctrl-single-fix-pin_config_bias_disable-handling.patch pinctrl-single-fix-incorrect-type-for-error-return-v.patch fbdev-ssd1307fb-fix-potential-page-leak-in-ssd1307fb.patch 9p-fix-cache-debug-options-printing-in-v9fs_show_opt.patch +nfs-avoid-changing-nlink-when-file-removes-and-attri.patch +fs-nls-fix-utf16-to-utf8-conversion.patch +nfs-initialise-verifiers-for-visible-dentries-in-rea.patch +nfs-initialise-verifiers-for-visible-dentries-in-nfs.patch +nfsv4-pnfs-clear-nfs_ino_layoutcommit-in-pnfs_mark_l.patch +revert-nfs-ignore-sb_rdonly-when-remounting-nfs.patch +revert-nfs-clear-sb_rdonly-before-getting-superblock.patch +revert-nfs-ignore-sb_rdonly-when-mounting-nfs.patch +nfs-automounted-filesystems-should-inherit-ro-noexec.patch +expand-the-type-of-nfs_fattr-valid.patch +nfs-fix-inheritance-of-the-block-sizes-when-automoun.patch +fs-nls-fix-inconsistency-between-utf8_to_utf32-and-u.patch +platform-x86-asus-wmi-use-brightness_set_blocking-fo.patch +asoc-bcm-bcm63xx-pcm-whistler-check-return-value-of-.patch +asoc-ak4458-disable-regulator-when-error-happens.patch +asoc-ak5558-disable-regulator-when-error-happens.patch +blk-mq-abort-suspend-when-wakeup-events-are-pending.patch +block-fix-comment-for-op_is_zone_mgmt-to-include-res.patch +nvme-auth-use-kvfree-for-memory-allocated-with-kvcal.patch +regulator-fixed-rely-on-the-core-freeing-the-enable-.patch +alsa-firewire-motu-fix-buffer-overflow-in-hwdep-read.patch +dma-pool-eliminate-alloc_pages-warning-in-atomic_poo.patch +alsa-uapi-fix-typo-in-asound.h-comment.patch +rtc-gamecube-check-the-return-value-of-ioremap.patch +alsa-firewire-motu-add-bounds-check-in-put_user-loop.patch +arm-9464-1-fix-input-only-operand-modification-in-lo.patch +block-use-rcu-in-blk_mq_-un-quiesce_tagset-instead-o.patch +dm-raid-fix-possible-null-dereference-with-undefined.patch +dm-log-writes-add-missing-set_freezable-for-freezabl.patch