From 152cd35f51cc29d229b2ed1cad8c5527879ef7d5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 20 Jan 2026 14:19:47 +0100 Subject: [PATCH] 6.18-stable patches added patches: alsa-hda-realtek-add-quirk-for-hp-pavilion-x360-to-enable-mute-led.patch alsa-hda-tas2781-skip-uefi-calibration-on-asus-rog-xbox-ally-x.patch alsa-pcm-improve-the-fix-for-race-of-buffer-access-at-pcm-oss-layer.patch asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch can-ctucanfd-fix-ssp_src-in-cases-when-bit-rate-is-higher-than-1-mbit.patch can-gs_usb-gs_usb_receive_bulk_callback-fix-urb-memory-leak.patch edac-i3200-fix-a-resource-leak-in-i3200_probe1.patch edac-x38-fix-a-resource-leak-in-x38_probe1.patch ext4-fix-ext4_tune_sb_params-padding.patch ext4-fix-iloc.bh-leak-in-ext4_xattr_inode_update_ref.patch ftrace-do-not-over-allocate-ftrace-memory.patch hrtimer-fix-softirq-base-check-in-update_needs_ipi.patch i2c-riic-move-suspend-handling-to-noirq-phase.patch lib-buildid-use-__kernel_read-for-sleepable-context.patch loongarch-dts-describe-pci-sideband-irq-through-interrupt-extended.patch loongarch-fix-pmu-counter-allocation-for-mixed-type-event-groups.patch mm-damon-core-remove-call_control-in-inactive-contexts.patch mm-damon-sysfs-cleanup-attrs-subdirs-on-context-dir-setup-failure.patch mm-damon-sysfs-cleanup-intervals-subdirs-on-attrs-dir-setup-failure.patch mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch mm-numa-memblock-include-asm-numa.h-for-numa_nodes_parsed.patch mm-page_alloc-make-percpu_pagelist_high_fraction-reads-lock-free.patch mm-zswap-fix-error-pointer-free-in-zswap_cpu_comp_prepare.patch net-can-j1939-j1939_xtp_rx_rts_session_active-deactivate-session-upon-receiving-the-second-rts.patch null_blk-fix-kmemleak-by-releasing-references-to-fault-configfs-items.patch nvme-fix-pcie-subsystem-reset-controller-state-transition.patch nvme-pci-disable-secondary-temp-for-wodposit-wpbsnm8.patch phy-freescale-imx8m-pcie-assert-phy-reset-during-power-on.patch phy-fsl-imx8mq-usb-fix-typec-orientation-switch-when-built-as-module.patch phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch phy-rockchip-inno-usb2-fix-communication-disruption-in-gadget-mode.patch phy-rockchip-inno-usb2-fix-disconnection-in-gadget-mode.patch phy-tegra-xusb-explicitly-configure-hs_discon_level-to-0x7.patch phy-ti-gmii-sel-fix-regmap-leak-on-probe-failure.patch scsi-core-fix-error-handler-encryption-support.patch selftests-kvm-replace-numbered-sync-points-with-actions.patch selftests-kvm-try-getting-xfd-and-xsave-state-out-of-sync.patch tcpm-allow-looking-for-role_sw-device-in-the-main-node.patch tools-testing-selftests-add-forked-un-faulted-vma-merge-tests.patch tools-testing-selftests-add-tests-for-tgt-src-mremap-merges.patch tools-testing-selftests-fix-gup_longterm-for-unknown-fs.patch usb-core-add-usb_quirk_no_bos-for-devices-that-hang-on-bos-descriptor.patch usb-dwc3-check-for-usb4-ip_name.patch usb-gadget-uvc-fix-interval_duration-calculation.patch usb-gadget-uvc-fix-req_payload_size-calculation.patch usb-host-xhci-tegra-use-platform_get_irq_optional-for-wake-irqs.patch usb-ohci-uhci-add-soft-dependencies-on-ehci_platform.patch usb-serial-ftdi_sio-add-support-for-picaxe-axe027-cable.patch usb-serial-option-add-telit-le910-mbim-composition.patch virtio-net-don-t-schedule-delayed-refill-worker.patch x86-kaslr-recognize-all-zone_device-users-as-physaddr-consumers.patch x86-resctrl-add-missing-resctrl-initialization-for-hygon.patch x86-resctrl-fix-memory-bandwidth-counter-width-for-hygon.patch xfs-fix-the-return-value-of-xfs_rtcopy_summary.patch xfs-set-max_agbno-to-allow-sparse-alloc-of-last-full-inode-chunk.patch xhci-sideband-don-t-dereference-freed-ring-when-removing-sideband-endpoint.patch --- ...-hp-pavilion-x360-to-enable-mute-led.patch | 32 ++ ...-calibration-on-asus-rog-xbox-ally-x.patch | 72 ++++ ...ce-of-buffer-access-at-pcm-oss-layer.patch | 73 ++++ ...a881x-fix-unnecessary-initialisation.patch | 65 ++++ ...-when-bit-rate-is-higher-than-1-mbit.patch | 66 ++++ ...ve_bulk_callback-fix-urb-memory-leak.patch | 43 +++ ...-fix-a-resource-leak-in-i3200_probe1.patch | 52 +++ ...38-fix-a-resource-leak-in-x38_probe1.patch | 51 +++ ...ext4-fix-ext4_tune_sb_params-padding.patch | 51 +++ ...-leak-in-ext4_xattr_inode_update_ref.patch | 34 ++ ...e-do-not-over-allocate-ftrace-memory.patch | 159 ++++++++ ...ftirq-base-check-in-update_needs_ipi.patch | 37 ++ ...move-suspend-handling-to-noirq-phase.patch | 152 ++++++++ ...-__kernel_read-for-sleepable-context.patch | 108 ++++++ ...eband-irq-through-interrupt-extended.patch | 177 +++++++++ ...location-for-mixed-type-event-groups.patch | 124 ++++++ ...ve-call_control-in-inactive-contexts.patch | 105 +++++ ...subdirs-on-context-dir-setup-failure.patch | 48 +++ ...s-subdirs-on-attrs-dir-setup-failure.patch | 79 ++++ ...-subdirs-on-scheme-dir-setup-failure.patch | 48 +++ ...-subdirs-on-scheme-dir-setup-failure.patch | 48 +++ ...ing-of-high-order-non-compound-pages.patch | 50 +++ ...ude-asm-numa.h-for-numa_nodes_parsed.patch | 38 ++ ...gelist_high_fraction-reads-lock-free.patch | 60 +++ ...inter-free-in-zswap_cpu_comp_prepare.patch | 39 ++ ...ession-upon-receiving-the-second-rts.patch | 52 +++ ...g-references-to-fault-configfs-items.patch | 85 ++++ ...em-reset-controller-state-transition.patch | 57 +++ ...-secondary-temp-for-wodposit-wpbsnm8.patch | 40 ++ ...cie-assert-phy-reset-during-power-on.patch | 46 +++ ...entation-switch-when-built-as-module.patch | 62 +++ ...e-free-bug-in-rockchip_usb2phy_probe.patch | 39 ++ ...munication-disruption-in-gadget-mode.patch | 80 ++++ ...sb2-fix-disconnection-in-gadget-mode.patch | 88 +++++ ...tly-configure-hs_discon_level-to-0x7.patch | 45 +++ ...sel-fix-regmap-leak-on-probe-failure.patch | 37 ++ ...fix-error-handler-encryption-support.patch | 105 +++++ ...ce-numbered-sync-points-with-actions.patch | 204 ++++++++++ ...ting-xfd-and-xsave-state-out-of-sync.patch | 103 +++++ queue-6.18/series | 58 +++ ...-for-role_sw-device-in-the-main-node.patch | 40 ++ ...dd-forked-un-faulted-vma-merge-tests.patch | 365 ++++++++++++++++++ ...-add-tests-for-tgt-src-mremap-merges.patch | 322 +++++++++++++++ ...ests-fix-gup_longterm-for-unknown-fs.patch | 63 +++ ...-devices-that-hang-on-bos-descriptor.patch | 65 ++++ .../usb-dwc3-check-for-usb4-ip_name.patch | 44 +++ ...vc-fix-interval_duration-calculation.patch | 66 ++++ ...uvc-fix-req_payload_size-calculation.patch | 107 +++++ ...tform_get_irq_optional-for-wake-irqs.patch | 44 +++ ...d-soft-dependencies-on-ehci_platform.patch | 89 +++++ ...-add-support-for-picaxe-axe027-cable.patch | 43 +++ ...ion-add-telit-le910-mbim-composition.patch | 62 +++ ...don-t-schedule-delayed-refill-worker.patch | 117 ++++++ ...e_device-users-as-physaddr-consumers.patch | 111 ++++++ ...ing-resctrl-initialization-for-hygon.patch | 58 +++ ...ry-bandwidth-counter-width-for-hygon.patch | 74 ++++ ...e-return-value-of-xfs_rtcopy_summary.patch | 35 ++ ...parse-alloc-of-last-full-inode-chunk.patch | 81 ++++ ...ring-when-removing-sideband-endpoint.patch | 91 +++++ 59 files changed, 4789 insertions(+) create mode 100644 queue-6.18/alsa-hda-realtek-add-quirk-for-hp-pavilion-x360-to-enable-mute-led.patch create mode 100644 queue-6.18/alsa-hda-tas2781-skip-uefi-calibration-on-asus-rog-xbox-ally-x.patch create mode 100644 queue-6.18/alsa-pcm-improve-the-fix-for-race-of-buffer-access-at-pcm-oss-layer.patch create mode 100644 queue-6.18/asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch create mode 100644 queue-6.18/can-ctucanfd-fix-ssp_src-in-cases-when-bit-rate-is-higher-than-1-mbit.patch create mode 100644 queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-urb-memory-leak.patch create mode 100644 queue-6.18/edac-i3200-fix-a-resource-leak-in-i3200_probe1.patch create mode 100644 queue-6.18/edac-x38-fix-a-resource-leak-in-x38_probe1.patch create mode 100644 queue-6.18/ext4-fix-ext4_tune_sb_params-padding.patch create mode 100644 queue-6.18/ext4-fix-iloc.bh-leak-in-ext4_xattr_inode_update_ref.patch create mode 100644 queue-6.18/ftrace-do-not-over-allocate-ftrace-memory.patch create mode 100644 queue-6.18/hrtimer-fix-softirq-base-check-in-update_needs_ipi.patch create mode 100644 queue-6.18/i2c-riic-move-suspend-handling-to-noirq-phase.patch create mode 100644 queue-6.18/lib-buildid-use-__kernel_read-for-sleepable-context.patch create mode 100644 queue-6.18/loongarch-dts-describe-pci-sideband-irq-through-interrupt-extended.patch create mode 100644 queue-6.18/loongarch-fix-pmu-counter-allocation-for-mixed-type-event-groups.patch create mode 100644 queue-6.18/mm-damon-core-remove-call_control-in-inactive-contexts.patch create mode 100644 queue-6.18/mm-damon-sysfs-cleanup-attrs-subdirs-on-context-dir-setup-failure.patch create mode 100644 queue-6.18/mm-damon-sysfs-cleanup-intervals-subdirs-on-attrs-dir-setup-failure.patch create mode 100644 queue-6.18/mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch create mode 100644 queue-6.18/mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch create mode 100644 queue-6.18/mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch create mode 100644 queue-6.18/mm-numa-memblock-include-asm-numa.h-for-numa_nodes_parsed.patch create mode 100644 queue-6.18/mm-page_alloc-make-percpu_pagelist_high_fraction-reads-lock-free.patch create mode 100644 queue-6.18/mm-zswap-fix-error-pointer-free-in-zswap_cpu_comp_prepare.patch create mode 100644 queue-6.18/net-can-j1939-j1939_xtp_rx_rts_session_active-deactivate-session-upon-receiving-the-second-rts.patch create mode 100644 queue-6.18/null_blk-fix-kmemleak-by-releasing-references-to-fault-configfs-items.patch create mode 100644 queue-6.18/nvme-fix-pcie-subsystem-reset-controller-state-transition.patch create mode 100644 queue-6.18/nvme-pci-disable-secondary-temp-for-wodposit-wpbsnm8.patch create mode 100644 queue-6.18/phy-freescale-imx8m-pcie-assert-phy-reset-during-power-on.patch create mode 100644 queue-6.18/phy-fsl-imx8mq-usb-fix-typec-orientation-switch-when-built-as-module.patch create mode 100644 queue-6.18/phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch create mode 100644 queue-6.18/phy-rockchip-inno-usb2-fix-communication-disruption-in-gadget-mode.patch create mode 100644 queue-6.18/phy-rockchip-inno-usb2-fix-disconnection-in-gadget-mode.patch create mode 100644 queue-6.18/phy-tegra-xusb-explicitly-configure-hs_discon_level-to-0x7.patch create mode 100644 queue-6.18/phy-ti-gmii-sel-fix-regmap-leak-on-probe-failure.patch create mode 100644 queue-6.18/scsi-core-fix-error-handler-encryption-support.patch create mode 100644 queue-6.18/selftests-kvm-replace-numbered-sync-points-with-actions.patch create mode 100644 queue-6.18/selftests-kvm-try-getting-xfd-and-xsave-state-out-of-sync.patch create mode 100644 queue-6.18/tcpm-allow-looking-for-role_sw-device-in-the-main-node.patch create mode 100644 queue-6.18/tools-testing-selftests-add-forked-un-faulted-vma-merge-tests.patch create mode 100644 queue-6.18/tools-testing-selftests-add-tests-for-tgt-src-mremap-merges.patch create mode 100644 queue-6.18/tools-testing-selftests-fix-gup_longterm-for-unknown-fs.patch create mode 100644 queue-6.18/usb-core-add-usb_quirk_no_bos-for-devices-that-hang-on-bos-descriptor.patch create mode 100644 queue-6.18/usb-dwc3-check-for-usb4-ip_name.patch create mode 100644 queue-6.18/usb-gadget-uvc-fix-interval_duration-calculation.patch create mode 100644 queue-6.18/usb-gadget-uvc-fix-req_payload_size-calculation.patch create mode 100644 queue-6.18/usb-host-xhci-tegra-use-platform_get_irq_optional-for-wake-irqs.patch create mode 100644 queue-6.18/usb-ohci-uhci-add-soft-dependencies-on-ehci_platform.patch create mode 100644 queue-6.18/usb-serial-ftdi_sio-add-support-for-picaxe-axe027-cable.patch create mode 100644 queue-6.18/usb-serial-option-add-telit-le910-mbim-composition.patch create mode 100644 queue-6.18/virtio-net-don-t-schedule-delayed-refill-worker.patch create mode 100644 queue-6.18/x86-kaslr-recognize-all-zone_device-users-as-physaddr-consumers.patch create mode 100644 queue-6.18/x86-resctrl-add-missing-resctrl-initialization-for-hygon.patch create mode 100644 queue-6.18/x86-resctrl-fix-memory-bandwidth-counter-width-for-hygon.patch create mode 100644 queue-6.18/xfs-fix-the-return-value-of-xfs_rtcopy_summary.patch create mode 100644 queue-6.18/xfs-set-max_agbno-to-allow-sparse-alloc-of-last-full-inode-chunk.patch create mode 100644 queue-6.18/xhci-sideband-don-t-dereference-freed-ring-when-removing-sideband-endpoint.patch diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-hp-pavilion-x360-to-enable-mute-led.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-hp-pavilion-x360-to-enable-mute-led.patch new file mode 100644 index 0000000000..e0ad029986 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-hp-pavilion-x360-to-enable-mute-led.patch @@ -0,0 +1,32 @@ +From ab2be3af8c4ea57f779474cd2a2fe8dd4ad537a6 Mon Sep 17 00:00:00 2001 +From: Zhang Heng +Date: Thu, 15 Jan 2026 09:58:44 +0800 +Subject: ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED + +From: Zhang Heng + +commit ab2be3af8c4ea57f779474cd2a2fe8dd4ad537a6 upstream. + +This quirk enables mute LED on HP Pavilion x360 2-in-1 Laptop 14-ek0xxx, +which use ALC245 codec. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220220 +Cc: +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260115015844.3129890-1-zhangheng@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6529,6 +6529,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x8a2e, "HP Envy 16", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8a30, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8a31, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8a34, "HP Pavilion x360 2-in-1 Laptop 14-ek0xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8a4f, "HP Victus 15-fa0xxx (MB 8A4F)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8a6e, "HP EDNA 360", ALC287_FIXUP_CS35L41_I2C_4), + SND_PCI_QUIRK(0x103c, 0x8a74, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-6.18/alsa-hda-tas2781-skip-uefi-calibration-on-asus-rog-xbox-ally-x.patch b/queue-6.18/alsa-hda-tas2781-skip-uefi-calibration-on-asus-rog-xbox-ally-x.patch new file mode 100644 index 0000000000..48761b479d --- /dev/null +++ b/queue-6.18/alsa-hda-tas2781-skip-uefi-calibration-on-asus-rog-xbox-ally-x.patch @@ -0,0 +1,72 @@ +From b7e26c8bdae70832d7c4b31ec2995b1812a60169 Mon Sep 17 00:00:00 2001 +From: Matthew Schwartz +Date: Thu, 8 Jan 2026 01:36:50 -0800 +Subject: ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X + +From: Matthew Schwartz + +commit b7e26c8bdae70832d7c4b31ec2995b1812a60169 upstream. + +There is currently an issue with UEFI calibration data parsing for some +TAS devices, like the ASUS ROG Xbox Ally X (RC73XA), that causes audio +quality issues such as gaps in playback. Until the issue is root caused +and fixed, add a quirk to skip using the UEFI calibration data and fall +back to using the calibration data provided by the DSP firmware, which +restores full speaker functionality on affected devices. + +Cc: stable@vger.kernel.org # 6.18 +Link: https://lore.kernel.org/all/160aef32646c4d5498cbfd624fd683cc@ti.com/ +Closes: https://lore.kernel.org/all/0ba100d0-9b6f-4a3b-bffa-61abe1b46cd5@linux.dev/ +Suggested-by: Baojun Xu +Signed-off-by: Matthew Schwartz +Reviewed-by: Antheas Kapenekakis +Link: https://patch.msgid.link/20260108093650.1142176-1-matthew.schwartz@linux.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c ++++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c +@@ -60,6 +60,7 @@ struct tas2781_hda_i2c_priv { + int (*save_calibration)(struct tas2781_hda *h); + + int hda_chip_id; ++ bool skip_calibration; + }; + + static int tas2781_get_i2c_res(struct acpi_resource *ares, void *data) +@@ -491,7 +492,8 @@ static void tasdevice_dspfw_init(void *c + /* If calibrated data occurs error, dsp will still works with default + * calibrated data inside algo. + */ +- hda_priv->save_calibration(tas_hda); ++ if (!hda_priv->skip_calibration) ++ hda_priv->save_calibration(tas_hda); + } + + static void tasdev_fw_ready(const struct firmware *fmw, void *context) +@@ -548,6 +550,7 @@ static int tas2781_hda_bind(struct devic + void *master_data) + { + struct tas2781_hda *tas_hda = dev_get_drvdata(dev); ++ struct tas2781_hda_i2c_priv *hda_priv = tas_hda->hda_priv; + struct hda_component_parent *parent = master_data; + struct hda_component *comp; + struct hda_codec *codec; +@@ -573,6 +576,14 @@ static int tas2781_hda_bind(struct devic + break; + } + ++ /* ++ * Using ASUS ROG Xbox Ally X (RC73XA) UEFI calibration data ++ * causes audio dropouts during playback, use fallback data ++ * from DSP firmware as a workaround. ++ */ ++ if (codec->core.subsystem_id == 0x10431384) ++ hda_priv->skip_calibration = true; ++ + pm_runtime_get_sync(dev); + + comp->dev = dev; diff --git a/queue-6.18/alsa-pcm-improve-the-fix-for-race-of-buffer-access-at-pcm-oss-layer.patch b/queue-6.18/alsa-pcm-improve-the-fix-for-race-of-buffer-access-at-pcm-oss-layer.patch new file mode 100644 index 0000000000..0ea95f7f24 --- /dev/null +++ b/queue-6.18/alsa-pcm-improve-the-fix-for-race-of-buffer-access-at-pcm-oss-layer.patch @@ -0,0 +1,73 @@ +From 47c27c9c9c720bc93fdc69605d0ecd9382e99047 Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Wed, 7 Jan 2026 22:36:42 +0100 +Subject: ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer + +From: Jaroslav Kysela + +commit 47c27c9c9c720bc93fdc69605d0ecd9382e99047 upstream. + +Handle the error code from snd_pcm_buffer_access_lock() in +snd_pcm_runtime_buffer_set_silence() function. + +Found by Alexandros Panagiotou + +Fixes: 93a81ca06577 ("ALSA: pcm: Fix race of buffer access at PCM OSS layer") +Cc: stable@vger.kernel.org # 6.15 +Signed-off-by: Jaroslav Kysela +Link: https://patch.msgid.link/20260107213642.332954-1-perex@perex.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/pcm.h | 2 +- + sound/core/oss/pcm_oss.c | 4 +++- + sound/core/pcm_native.c | 9 +++++++-- + 3 files changed, 11 insertions(+), 4 deletions(-) + +--- a/include/sound/pcm.h ++++ b/include/sound/pcm.h +@@ -1402,7 +1402,7 @@ int snd_pcm_lib_mmap_iomem(struct snd_pc + #define snd_pcm_lib_mmap_iomem NULL + #endif + +-void snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime); ++int snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime); + + /** + * snd_pcm_limit_isa_dma_size - Get the max size fitting with ISA DMA transfer +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1074,7 +1074,9 @@ static int snd_pcm_oss_change_params_loc + runtime->oss.params = 0; + runtime->oss.prepare = 1; + runtime->oss.buffer_used = 0; +- snd_pcm_runtime_buffer_set_silence(runtime); ++ err = snd_pcm_runtime_buffer_set_silence(runtime); ++ if (err < 0) ++ goto failure; + + runtime->oss.period_frames = snd_pcm_alsa_frames(substream, oss_period_size); + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -730,13 +730,18 @@ static void snd_pcm_buffer_access_unlock + } + + /* fill the PCM buffer with the current silence format; called from pcm_oss.c */ +-void snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime) ++int snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime) + { +- snd_pcm_buffer_access_lock(runtime); ++ int err; ++ ++ err = snd_pcm_buffer_access_lock(runtime); ++ if (err < 0) ++ return err; + if (runtime->dma_area) + snd_pcm_format_set_silence(runtime->format, runtime->dma_area, + bytes_to_samples(runtime, runtime->dma_bytes)); + snd_pcm_buffer_access_unlock(runtime); ++ return 0; + } + EXPORT_SYMBOL_GPL(snd_pcm_runtime_buffer_set_silence); + diff --git a/queue-6.18/asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch b/queue-6.18/asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch new file mode 100644 index 0000000000..1649c905c1 --- /dev/null +++ b/queue-6.18/asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch @@ -0,0 +1,65 @@ +From 29d71b8a5a40708b3eed9ba4953bfc2312c9c776 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 2 Jan 2026 12:14:11 +0100 +Subject: ASoC: codecs: wsa881x: fix unnecessary initialisation + +From: Johan Hovold + +commit 29d71b8a5a40708b3eed9ba4953bfc2312c9c776 upstream. + +The soundwire update_status() callback may be called multiple times with +the same ATTACHED status but initialisation should only be done when +transitioning from UNATTACHED to ATTACHED. + +Fixes: a0aab9e1404a ("ASoC: codecs: add wsa881x amplifier support") +Cc: stable@vger.kernel.org # 5.6 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260102111413.9605-3-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wsa881x.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/soc/codecs/wsa881x.c ++++ b/sound/soc/codecs/wsa881x.c +@@ -678,6 +678,7 @@ struct wsa881x_priv { + */ + unsigned int sd_n_val; + int active_ports; ++ bool hw_init; + bool port_prepared[WSA881X_MAX_SWR_PORTS]; + bool port_enable[WSA881X_MAX_SWR_PORTS]; + }; +@@ -687,6 +688,9 @@ static void wsa881x_init(struct wsa881x_ + struct regmap *rm = wsa881x->regmap; + unsigned int val = 0; + ++ if (wsa881x->hw_init) ++ return; ++ + regmap_register_patch(wsa881x->regmap, wsa881x_rev_2_0, + ARRAY_SIZE(wsa881x_rev_2_0)); + +@@ -724,6 +728,8 @@ static void wsa881x_init(struct wsa881x_ + regmap_update_bits(rm, WSA881X_OTP_REG_28, 0x3F, 0x3A); + regmap_update_bits(rm, WSA881X_BONGO_RESRV_REG1, 0xFF, 0xB2); + regmap_update_bits(rm, WSA881X_BONGO_RESRV_REG2, 0xFF, 0x05); ++ ++ wsa881x->hw_init = true; + } + + static int wsa881x_component_probe(struct snd_soc_component *comp) +@@ -1067,6 +1073,9 @@ static int wsa881x_update_status(struct + { + struct wsa881x_priv *wsa881x = dev_get_drvdata(&slave->dev); + ++ if (status == SDW_SLAVE_UNATTACHED) ++ wsa881x->hw_init = false; ++ + if (status == SDW_SLAVE_ATTACHED && slave->dev_num > 0) + wsa881x_init(wsa881x); + diff --git a/queue-6.18/can-ctucanfd-fix-ssp_src-in-cases-when-bit-rate-is-higher-than-1-mbit.patch b/queue-6.18/can-ctucanfd-fix-ssp_src-in-cases-when-bit-rate-is-higher-than-1-mbit.patch new file mode 100644 index 0000000000..f642ab61d9 --- /dev/null +++ b/queue-6.18/can-ctucanfd-fix-ssp_src-in-cases-when-bit-rate-is-higher-than-1-mbit.patch @@ -0,0 +1,66 @@ +From e707c591a139d1bfa4ddc83036fc820ca006a140 Mon Sep 17 00:00:00 2001 +From: Ondrej Ille +Date: Mon, 5 Jan 2026 12:16:20 +0100 +Subject: can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit. + +From: Ondrej Ille + +commit e707c591a139d1bfa4ddc83036fc820ca006a140 upstream. + +The Secondary Sample Point Source field has been +set to an incorrect value by some mistake in the +past + + 0b01 - SSP_SRC_NO_SSP - SSP is not used. + +for data bitrates above 1 MBit/s. The correct/default +value already used for lower bitrates is + + 0b00 - SSP_SRC_MEAS_N_OFFSET - SSP position = TRV_DELAY + (Measured Transmitter delay) + SSP_OFFSET. + +The related configuration register structure is described +in section 3.1.46 SSP_CFG of the CTU CAN FD +IP CORE Datasheet. + +The analysis leading to the proper configuration +is described in section 2.8.3 Secondary sampling point +of the datasheet. + +The change has been tested on AMD/Xilinx Zynq +with the next CTU CN FD IP core versions: + + - 2.6 aka master in the "integration with Zynq-7000 system" test + 6.12.43-rt12+ #1 SMP PREEMPT_RT kernel with CTU CAN FD git + driver (change already included in the driver repo) + - older 2.5 snapshot with mainline kernels with this patch + applied locally in the multiple CAN latency tester nightly runs + 6.18.0-rc4-rt3-dut #1 SMP PREEMPT_RT + 6.19.0-rc3-dut + +The logs, the datasheet and sources are available at + + https://canbus.pages.fel.cvut.cz/ + +Signed-off-by: Ondrej Ille +Signed-off-by: Pavel Pisa +Link: https://patch.msgid.link/20260105111620.16580-1-pisa@fel.cvut.cz +Fixes: 2dcb8e8782d8 ("can: ctucanfd: add support for CTU CAN FD open-source IP core - bus independent part.") +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/ctucanfd/ctucanfd_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/ctucanfd/ctucanfd_base.c ++++ b/drivers/net/can/ctucanfd/ctucanfd_base.c +@@ -310,7 +310,7 @@ static int ctucan_set_secondary_sample_p + } + + ssp_cfg = FIELD_PREP(REG_TRV_DELAY_SSP_OFFSET, ssp_offset); +- ssp_cfg |= FIELD_PREP(REG_TRV_DELAY_SSP_SRC, 0x1); ++ ssp_cfg |= FIELD_PREP(REG_TRV_DELAY_SSP_SRC, 0x0); + } + + ctucan_write32(priv, CTUCANFD_TRV_DELAY, ssp_cfg); diff --git a/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-urb-memory-leak.patch b/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..5f76040c4c --- /dev/null +++ b/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-urb-memory-leak.patch @@ -0,0 +1,43 @@ +From 7352e1d5932a0e777e39fa4b619801191f57e603 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Tue, 23 Dec 2025 21:21:39 +0100 +Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 7352e1d5932a0e777e39fa4b619801191f57e603 upstream. + +In gs_can_open(), the URBs for USB-in transfers are allocated, added to the +parent->rx_submitted anchor and submitted. In the complete callback +gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In +gs_can_close() the URBs are freed by calling +usb_kill_anchored_urbs(parent->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in gs_can_close(). + +Fix the memory leak by anchoring the URB in the +gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor. + +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260105-gs_usb-fix-memory-leak-v2-1-cc6ed6438034@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -751,6 +751,8 @@ resubmit_urb: + hf, parent->hf_size_rx, + gs_usb_receive_bulk_callback, parent); + ++ usb_anchor_urb(urb, &parent->rx_submitted); ++ + rc = usb_submit_urb(urb, GFP_ATOMIC); + + /* USB failure take down all interfaces */ diff --git a/queue-6.18/edac-i3200-fix-a-resource-leak-in-i3200_probe1.patch b/queue-6.18/edac-i3200-fix-a-resource-leak-in-i3200_probe1.patch new file mode 100644 index 0000000000..6f83d19e77 --- /dev/null +++ b/queue-6.18/edac-i3200-fix-a-resource-leak-in-i3200_probe1.patch @@ -0,0 +1,52 @@ +From d42d5715dcb559342ff356327b241c53a67584d9 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Tue, 23 Dec 2025 20:32:02 +0800 +Subject: EDAC/i3200: Fix a resource leak in i3200_probe1() + +From: Haoxiang Li + +commit d42d5715dcb559342ff356327b241c53a67584d9 upstream. + +If edac_mc_alloc() fails, also unmap the window. + + [ bp: Use separate labels, turning it into the classic unwind pattern. ] + +Fixes: dd8ef1db87a4 ("edac: i3200 memory controller driver") +Signed-off-by: Haoxiang Li +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251223123202.1492038-1-lihaoxiang@isrc.iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/i3200_edac.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/edac/i3200_edac.c ++++ b/drivers/edac/i3200_edac.c +@@ -358,10 +358,11 @@ static int i3200_probe1(struct pci_dev * + layers[1].type = EDAC_MC_LAYER_CHANNEL; + layers[1].size = nr_channels; + layers[1].is_virt_csrow = false; +- mci = edac_mc_alloc(0, ARRAY_SIZE(layers), layers, +- sizeof(struct i3200_priv)); ++ ++ rc = -ENOMEM; ++ mci = edac_mc_alloc(0, ARRAY_SIZE(layers), layers, sizeof(struct i3200_priv)); + if (!mci) +- return -ENOMEM; ++ goto unmap; + + edac_dbg(3, "MC: init mci\n"); + +@@ -421,9 +422,9 @@ static int i3200_probe1(struct pci_dev * + return 0; + + fail: ++ edac_mc_free(mci); ++unmap: + iounmap(window); +- if (mci) +- edac_mc_free(mci); + + return rc; + } diff --git a/queue-6.18/edac-x38-fix-a-resource-leak-in-x38_probe1.patch b/queue-6.18/edac-x38-fix-a-resource-leak-in-x38_probe1.patch new file mode 100644 index 0000000000..d4ee214caa --- /dev/null +++ b/queue-6.18/edac-x38-fix-a-resource-leak-in-x38_probe1.patch @@ -0,0 +1,51 @@ +From 0ff7c44106b4715fc27a2e455d9f57f1dfcfd54f Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Tue, 23 Dec 2025 20:43:50 +0800 +Subject: EDAC/x38: Fix a resource leak in x38_probe1() + +From: Haoxiang Li + +commit 0ff7c44106b4715fc27a2e455d9f57f1dfcfd54f upstream. + +If edac_mc_alloc() fails, also unmap the window. + + [ bp: Use separate labels, turning it into the classic unwind pattern. ] + +Fixes: df8bc08c192f ("edac x38: new MC driver module") +Signed-off-by: Haoxiang Li +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251223124350.1496325-1-lihaoxiang@isrc.iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/x38_edac.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/edac/x38_edac.c ++++ b/drivers/edac/x38_edac.c +@@ -341,9 +341,12 @@ static int x38_probe1(struct pci_dev *pd + layers[1].type = EDAC_MC_LAYER_CHANNEL; + layers[1].size = x38_channel_num; + layers[1].is_virt_csrow = false; ++ ++ ++ rc = -ENOMEM; + mci = edac_mc_alloc(0, ARRAY_SIZE(layers), layers, 0); + if (!mci) +- return -ENOMEM; ++ goto unmap; + + edac_dbg(3, "MC: init mci\n"); + +@@ -403,9 +406,9 @@ static int x38_probe1(struct pci_dev *pd + return 0; + + fail: ++ edac_mc_free(mci); ++unmap: + iounmap(window); +- if (mci) +- edac_mc_free(mci); + + return rc; + } diff --git a/queue-6.18/ext4-fix-ext4_tune_sb_params-padding.patch b/queue-6.18/ext4-fix-ext4_tune_sb_params-padding.patch new file mode 100644 index 0000000000..5fd5010760 --- /dev/null +++ b/queue-6.18/ext4-fix-ext4_tune_sb_params-padding.patch @@ -0,0 +1,51 @@ +From cd16edba1c6a24af138e1a5ded2711231fffa99f Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 4 Dec 2025 11:19:10 +0100 +Subject: ext4: fix ext4_tune_sb_params padding + +From: Arnd Bergmann + +commit cd16edba1c6a24af138e1a5ded2711231fffa99f upstream. + +The padding at the end of struct ext4_tune_sb_params is architecture +specific and in particular is different between x86-32 and x86-64, +since the __u64 member only enforces struct alignment on the latter. + +This shows up as a new warning when test-building the headers with +-Wpadded: + +include/linux/ext4.h:144:1: error: padding struct size to alignment boundary with 4 bytes [-Werror=padded] + +All members inside the structure are naturally aligned, so the only +difference here is the amount of padding at the end. Make the padding +explicit, to have a consistent sizeof(struct ext4_tune_sb_params) of +232 on all architectures and avoid adding compat ioctl handling for +EXT4_IOC_GET_TUNE_SB_PARAM/EXT4_IOC_SET_TUNE_SB_PARAM. + +This is an ABI break on x86-32 but hopefully this can go into 6.18.y early +enough as a fixup so no actual users will be affected. Alternatively, the +kernel could handle the ioctl commands for both sizes (232 and 228 bytes) +on all architectures. + +Fixes: 04a91570ac67 ("ext4: implemet new ioctls to set and get superblock parameters") +Signed-off-by: Arnd Bergmann +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20251204101914.1037148-1-arnd@kernel.org +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/ext4.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/uapi/linux/ext4.h ++++ b/include/uapi/linux/ext4.h +@@ -139,7 +139,7 @@ struct ext4_tune_sb_params { + __u32 clear_feature_incompat_mask; + __u32 clear_feature_ro_compat_mask; + __u8 mount_opts[64]; +- __u8 pad[64]; ++ __u8 pad[68]; + }; + + #define EXT4_TUNE_FL_ERRORS_BEHAVIOR 0x00000001 diff --git a/queue-6.18/ext4-fix-iloc.bh-leak-in-ext4_xattr_inode_update_ref.patch b/queue-6.18/ext4-fix-iloc.bh-leak-in-ext4_xattr_inode_update_ref.patch new file mode 100644 index 0000000000..08242577fc --- /dev/null +++ b/queue-6.18/ext4-fix-iloc.bh-leak-in-ext4_xattr_inode_update_ref.patch @@ -0,0 +1,34 @@ +From d250bdf531d9cd4096fedbb9f172bb2ca660c868 Mon Sep 17 00:00:00 2001 +From: Yang Erkun +Date: Sat, 13 Dec 2025 13:57:06 +0800 +Subject: ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref + +From: Yang Erkun + +commit d250bdf531d9cd4096fedbb9f172bb2ca660c868 upstream. + +The error branch for ext4_xattr_inode_update_ref forget to release the +refcount for iloc.bh. Find this when review code. + +Fixes: 57295e835408 ("ext4: guard against EA inode refcount underflow in xattr update") +Signed-off-by: Yang Erkun +Reviewed-by: Baokun Li +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20251213055706.3417529-1-yangerkun@huawei.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1037,6 +1037,7 @@ static int ext4_xattr_inode_update_ref(h + ext4_error_inode(ea_inode, __func__, __LINE__, 0, + "EA inode %lu ref wraparound: ref_count=%lld ref_change=%d", + ea_inode->i_ino, ref_count, ref_change); ++ brelse(iloc.bh); + ret = -EFSCORRUPTED; + goto out; + } diff --git a/queue-6.18/ftrace-do-not-over-allocate-ftrace-memory.patch b/queue-6.18/ftrace-do-not-over-allocate-ftrace-memory.patch new file mode 100644 index 0000000000..d182cb49ad --- /dev/null +++ b/queue-6.18/ftrace-do-not-over-allocate-ftrace-memory.patch @@ -0,0 +1,159 @@ +From be55257fab181b93af38f8c4b1b3cb453a78d742 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Tue, 13 Jan 2026 07:22:42 -0800 +Subject: ftrace: Do not over-allocate ftrace memory + +From: Guenter Roeck + +commit be55257fab181b93af38f8c4b1b3cb453a78d742 upstream. + +The pg_remaining calculation in ftrace_process_locs() assumes that +ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the +allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE +(integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g. +4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages) +have significantly more capacity than 256 * 170. This leads to pg_remaining +being underestimated, which in turn makes skip (derived from skipped - +pg_remaining) larger than expected, causing the WARN(skip != remaining) +to trigger. + +Extra allocated pages for ftrace: 2 with 654 skipped +WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0 + +A similar problem in ftrace_allocate_records() can result in allocating +too many pages. This can trigger the second warning in +ftrace_process_locs(). + +Extra allocated pages for ftrace +WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580 + +Use the actual capacity of a page group to determine the number of pages +to allocate. Have ftrace_allocate_pages() return the number of allocated +pages to avoid having to calculate it. Use the actual page group capacity +when validating the number of unused pages due to skipped entries. +Drop the definition of ENTRIES_PER_PAGE since it is no longer used. + +Cc: stable@vger.kernel.org +Fixes: 4a3efc6baff93 ("ftrace: Update the mcount_loc check of skipped entries") +Link: https://patch.msgid.link/20260113152243.3557219-1-linux@roeck-us.net +Signed-off-by: Guenter Roeck +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1122,7 +1122,6 @@ struct ftrace_page { + }; + + #define ENTRY_SIZE sizeof(struct dyn_ftrace) +-#define ENTRIES_PER_PAGE (PAGE_SIZE / ENTRY_SIZE) + + static struct ftrace_page *ftrace_pages_start; + static struct ftrace_page *ftrace_pages; +@@ -3808,7 +3807,8 @@ static int ftrace_update_code(struct mod + return 0; + } + +-static int ftrace_allocate_records(struct ftrace_page *pg, int count) ++static int ftrace_allocate_records(struct ftrace_page *pg, int count, ++ unsigned long *num_pages) + { + int order; + int pages; +@@ -3818,7 +3818,7 @@ static int ftrace_allocate_records(struc + return -EINVAL; + + /* We want to fill as much as possible, with no empty pages */ +- pages = DIV_ROUND_UP(count, ENTRIES_PER_PAGE); ++ pages = DIV_ROUND_UP(count * ENTRY_SIZE, PAGE_SIZE); + order = fls(pages) - 1; + + again: +@@ -3833,6 +3833,7 @@ static int ftrace_allocate_records(struc + } + + ftrace_number_of_pages += 1 << order; ++ *num_pages += 1 << order; + ftrace_number_of_groups++; + + cnt = (PAGE_SIZE << order) / ENTRY_SIZE; +@@ -3861,12 +3862,14 @@ static void ftrace_free_pages(struct ftr + } + + static struct ftrace_page * +-ftrace_allocate_pages(unsigned long num_to_init) ++ftrace_allocate_pages(unsigned long num_to_init, unsigned long *num_pages) + { + struct ftrace_page *start_pg; + struct ftrace_page *pg; + int cnt; + ++ *num_pages = 0; ++ + if (!num_to_init) + return NULL; + +@@ -3880,7 +3883,7 @@ ftrace_allocate_pages(unsigned long num_ + * waste as little space as possible. + */ + for (;;) { +- cnt = ftrace_allocate_records(pg, num_to_init); ++ cnt = ftrace_allocate_records(pg, num_to_init, num_pages); + if (cnt < 0) + goto free_pages; + +@@ -7148,8 +7151,6 @@ static int ftrace_process_locs(struct mo + if (!count) + return 0; + +- pages = DIV_ROUND_UP(count, ENTRIES_PER_PAGE); +- + /* + * Sorting mcount in vmlinux at build time depend on + * CONFIG_BUILDTIME_MCOUNT_SORT, while mcount loc in +@@ -7162,7 +7163,7 @@ static int ftrace_process_locs(struct mo + test_is_sorted(start, count); + } + +- start_pg = ftrace_allocate_pages(count); ++ start_pg = ftrace_allocate_pages(count, &pages); + if (!start_pg) + return -ENOMEM; + +@@ -7261,27 +7262,27 @@ static int ftrace_process_locs(struct mo + /* We should have used all pages unless we skipped some */ + if (pg_unuse) { + unsigned long pg_remaining, remaining = 0; +- unsigned long skip; ++ long skip; + + /* Count the number of entries unused and compare it to skipped. */ +- pg_remaining = (ENTRIES_PER_PAGE << pg->order) - pg->index; ++ pg_remaining = (PAGE_SIZE << pg->order) / ENTRY_SIZE - pg->index; + + if (!WARN(skipped < pg_remaining, "Extra allocated pages for ftrace")) { + + skip = skipped - pg_remaining; + +- for (pg = pg_unuse; pg; pg = pg->next) ++ for (pg = pg_unuse; pg && skip > 0; pg = pg->next) { + remaining += 1 << pg->order; ++ skip -= (PAGE_SIZE << pg->order) / ENTRY_SIZE; ++ } + + pages -= remaining; + +- skip = DIV_ROUND_UP(skip, ENTRIES_PER_PAGE); +- + /* + * Check to see if the number of pages remaining would + * just fit the number of entries skipped. + */ +- WARN(skip != remaining, "Extra allocated pages for ftrace: %lu with %lu skipped", ++ WARN(pg || skip > 0, "Extra allocated pages for ftrace: %lu with %lu skipped", + remaining, skipped); + } + /* Need to synchronize with ftrace_location_range() */ diff --git a/queue-6.18/hrtimer-fix-softirq-base-check-in-update_needs_ipi.patch b/queue-6.18/hrtimer-fix-softirq-base-check-in-update_needs_ipi.patch new file mode 100644 index 0000000000..318fe60b94 --- /dev/null +++ b/queue-6.18/hrtimer-fix-softirq-base-check-in-update_needs_ipi.patch @@ -0,0 +1,37 @@ +From 05dc4a9fc8b36d4c99d76bbc02aa9ec0132de4c2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Wed, 7 Jan 2026 11:39:24 +0100 +Subject: hrtimer: Fix softirq base check in update_needs_ipi() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 05dc4a9fc8b36d4c99d76bbc02aa9ec0132de4c2 upstream. + +The 'clockid' field is not the correct way to check for a softirq base. + +Fix the check to correctly compare the base type instead of the clockid. + +Fixes: 1e7f7fbcd40c ("hrtimer: Avoid more SMP function calls in clock_was_set()") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260107-hrtimer-clock-base-check-v1-1-afb5dbce94a1@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/hrtimer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -913,7 +913,7 @@ static bool update_needs_ipi(struct hrti + return true; + + /* Extra check for softirq clock bases */ +- if (base->clockid < HRTIMER_BASE_MONOTONIC_SOFT) ++ if (base->index < HRTIMER_BASE_MONOTONIC_SOFT) + continue; + if (cpu_base->softirq_activated) + continue; diff --git a/queue-6.18/i2c-riic-move-suspend-handling-to-noirq-phase.patch b/queue-6.18/i2c-riic-move-suspend-handling-to-noirq-phase.patch new file mode 100644 index 0000000000..342a2628ae --- /dev/null +++ b/queue-6.18/i2c-riic-move-suspend-handling-to-noirq-phase.patch @@ -0,0 +1,152 @@ +From e383f0961422f983451ac4dd6aed1a3d3311f2be Mon Sep 17 00:00:00 2001 +From: Tommaso Merciai +Date: Thu, 18 Dec 2025 16:10:21 +0100 +Subject: i2c: riic: Move suspend handling to NOIRQ phase + +From: Tommaso Merciai + +commit e383f0961422f983451ac4dd6aed1a3d3311f2be upstream. + +Commit 53326135d0e0 ("i2c: riic: Add suspend/resume support") added +suspend support for the Renesas I2C driver and following this change +on RZ/G3E the following WARNING is seen on entering suspend ... + +[ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 134.285536] ------------[ cut here ]------------ +[ 134.290298] i2c i2c-2: Transfer while suspended +[ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388 +[ 134.365507] Tainted: [W]=WARN +[ 134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT) +[ 134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214 +[ 134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214 +[ 134.391717] sp : ffff800083f23860 +[ 134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60 +[ 134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001 +[ 134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936 +[ 134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006 +[ 134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280 +[ 134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09 +[ 134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8 +[ 134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000 +[ 134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000 +[ 134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80 +[ 134.466851] Call trace: +[ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P) +[ 134.473715] i2c_smbus_xfer+0xbc/0x120 +[ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84 +[ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208] +[ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208] +[ 134.493226] __rtc_read_time+0x44/0x88 +[ 134.497012] rtc_read_time+0x3c/0x68 +[ 134.500622] rtc_suspend+0x9c/0x170 + +The warning is triggered because I2C transfers can still be attempted +while the controller is already suspended, due to inappropriate ordering +of the system sleep callbacks. + +If the controller is autosuspended, there is no way to wake it up once +runtime PM disabled (in suspend_late()). During system resume, the I2C +controller will be available only after runtime PM is re-enabled +(in resume_early()). However, this may be too late for some devices. + +Wake up the controller in the suspend() callback while runtime PM is +still enabled. The I2C controller will remain available until the +suspend_noirq() callback (pm_runtime_force_suspend()) is called. During +resume, the I2C controller can be restored by the resume_noirq() callback +(pm_runtime_force_resume()). Finally, the resume() callback re-enables +autosuspend. As a result, the I2C controller can remain available until +the system enters suspend_noirq() and from resume_noirq(). + +Cc: stable@vger.kernel.org +Fixes: 53326135d0e0 ("i2c: riic: Add suspend/resume support") +Signed-off-by: Tommaso Merciai +Reviewed-by: Biju Das +Tested-by: Biju Das +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-riic.c | 46 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 39 insertions(+), 7 deletions(-) + +--- a/drivers/i2c/busses/i2c-riic.c ++++ b/drivers/i2c/busses/i2c-riic.c +@@ -670,12 +670,39 @@ static const struct riic_of_data riic_rz + + static int riic_i2c_suspend(struct device *dev) + { +- struct riic_dev *riic = dev_get_drvdata(dev); +- int ret; ++ /* ++ * Some I2C devices may need the I2C controller to remain active ++ * during resume_noirq() or suspend_noirq(). If the controller is ++ * autosuspended, there is no way to wake it up once runtime PM is ++ * disabled (in suspend_late()). ++ * ++ * During system resume, the I2C controller will be available only ++ * after runtime PM is re-enabled (in resume_early()). However, this ++ * may be too late for some devices. ++ * ++ * Wake up the controller in the suspend() callback while runtime PM ++ * is still enabled. The I2C controller will remain available until ++ * the suspend_noirq() callback (pm_runtime_force_suspend()) is ++ * called. During resume, the I2C controller can be restored by the ++ * resume_noirq() callback (pm_runtime_force_resume()). ++ * ++ * Finally, the resume() callback re-enables autosuspend, ensuring ++ * the I2C controller remains available until the system enters ++ * suspend_noirq() and from resume_noirq(). ++ */ ++ return pm_runtime_resume_and_get(dev); ++} + +- ret = pm_runtime_resume_and_get(dev); +- if (ret) +- return ret; ++static int riic_i2c_resume(struct device *dev) ++{ ++ pm_runtime_put_autosuspend(dev); ++ ++ return 0; ++} ++ ++static int riic_i2c_suspend_noirq(struct device *dev) ++{ ++ struct riic_dev *riic = dev_get_drvdata(dev); + + i2c_mark_adapter_suspended(&riic->adapter); + +@@ -683,12 +710,12 @@ static int riic_i2c_suspend(struct devic + riic_clear_set_bit(riic, ICCR1_ICE, 0, RIIC_ICCR1); + + pm_runtime_mark_last_busy(dev); +- pm_runtime_put_sync(dev); ++ pm_runtime_force_suspend(dev); + + return reset_control_assert(riic->rstc); + } + +-static int riic_i2c_resume(struct device *dev) ++static int riic_i2c_resume_noirq(struct device *dev) + { + struct riic_dev *riic = dev_get_drvdata(dev); + int ret; +@@ -697,6 +724,10 @@ static int riic_i2c_resume(struct device + if (ret) + return ret; + ++ ret = pm_runtime_force_resume(dev); ++ if (ret) ++ return ret; ++ + ret = riic_init_hw(riic); + if (ret) { + /* +@@ -714,6 +745,7 @@ static int riic_i2c_resume(struct device + } + + static const struct dev_pm_ops riic_i2c_pm_ops = { ++ NOIRQ_SYSTEM_SLEEP_PM_OPS(riic_i2c_suspend_noirq, riic_i2c_resume_noirq) + SYSTEM_SLEEP_PM_OPS(riic_i2c_suspend, riic_i2c_resume) + }; + diff --git a/queue-6.18/lib-buildid-use-__kernel_read-for-sleepable-context.patch b/queue-6.18/lib-buildid-use-__kernel_read-for-sleepable-context.patch new file mode 100644 index 0000000000..3df57aa46d --- /dev/null +++ b/queue-6.18/lib-buildid-use-__kernel_read-for-sleepable-context.patch @@ -0,0 +1,108 @@ +From 777a8560fd29738350c5094d4166fe5499452409 Mon Sep 17 00:00:00 2001 +From: Shakeel Butt +Date: Mon, 22 Dec 2025 12:58:59 -0800 +Subject: lib/buildid: use __kernel_read() for sleepable context + +From: Shakeel Butt + +commit 777a8560fd29738350c5094d4166fe5499452409 upstream. + +Prevent a "BUG: unable to handle kernel NULL pointer dereference in +filemap_read_folio". + +For the sleepable context, convert freader to use __kernel_read() instead +of direct page cache access via read_cache_folio(). This simplifies the +faultable code path by using the standard kernel file reading interface +which handles all the complexity of reading file data. + +At the moment we are not changing the code for non-sleepable context which +uses filemap_get_folio() and only succeeds if the target folios are +already in memory and up-to-date. The reason is to keep the patch simple +and easier to backport to stable kernels. + +Syzbot repro does not crash the kernel anymore and the selftests run +successfully. + +In the follow up we will make __kernel_read() with IOCB_NOWAIT work for +non-sleepable contexts. In addition, I would like to replace the +secretmem check with a more generic approach and will add fstest for the +buildid code. + +Link: https://lkml.kernel.org/r/20251222205859.3968077-1-shakeel.butt@linux.dev +Fixes: ad41251c290d ("lib/buildid: implement sleepable build_id_parse() API") +Reported-by: syzbot+09b7d050e4806540153d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=09b7d050e4806540153d +Signed-off-by: Shakeel Butt +Reviewed-by: Christoph Hellwig +Tested-by: Jinchao Wang + Link: https://lkml.kernel.org/r/aUteBPWPYzVWIZFH@ndev +Reviewed-by: Christian Brauner +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Daniel Borkman +Cc: "Darrick J. Wong" +Cc: Matthew Wilcox (Oracle) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/buildid.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) + +--- a/lib/buildid.c ++++ b/lib/buildid.c +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + #include + + #define BUILD_ID 3 +@@ -65,20 +66,9 @@ static int freader_get_folio(struct frea + + freader_put_folio(r); + +- /* reject secretmem folios created with memfd_secret() */ +- if (secretmem_mapping(r->file->f_mapping)) +- return -EFAULT; +- ++ /* only use page cache lookup - fail if not already cached */ + r->folio = filemap_get_folio(r->file->f_mapping, file_off >> PAGE_SHIFT); + +- /* if sleeping is allowed, wait for the page, if necessary */ +- if (r->may_fault && (IS_ERR(r->folio) || !folio_test_uptodate(r->folio))) { +- filemap_invalidate_lock_shared(r->file->f_mapping); +- r->folio = read_cache_folio(r->file->f_mapping, file_off >> PAGE_SHIFT, +- NULL, r->file); +- filemap_invalidate_unlock_shared(r->file->f_mapping); +- } +- + if (IS_ERR(r->folio) || !folio_test_uptodate(r->folio)) { + if (!IS_ERR(r->folio)) + folio_put(r->folio); +@@ -116,6 +106,24 @@ static const void *freader_fetch(struct + return r->data + file_off; + } + ++ /* reject secretmem folios created with memfd_secret() */ ++ if (secretmem_mapping(r->file->f_mapping)) { ++ r->err = -EFAULT; ++ return NULL; ++ } ++ ++ /* use __kernel_read() for sleepable context */ ++ if (r->may_fault) { ++ ssize_t ret; ++ ++ ret = __kernel_read(r->file, r->buf, sz, &file_off); ++ if (ret != sz) { ++ r->err = (ret < 0) ? ret : -EIO; ++ return NULL; ++ } ++ return r->buf; ++ } ++ + /* fetch or reuse folio for given file offset */ + r->err = freader_get_folio(r, file_off); + if (r->err) diff --git a/queue-6.18/loongarch-dts-describe-pci-sideband-irq-through-interrupt-extended.patch b/queue-6.18/loongarch-dts-describe-pci-sideband-irq-through-interrupt-extended.patch new file mode 100644 index 0000000000..3a2295c683 --- /dev/null +++ b/queue-6.18/loongarch-dts-describe-pci-sideband-irq-through-interrupt-extended.patch @@ -0,0 +1,177 @@ +From 762cf75bec2ad9d17899087899a34336b1757238 Mon Sep 17 00:00:00 2001 +From: Yao Zi +Date: Sat, 17 Jan 2026 10:56:52 +0800 +Subject: LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended + +From: Yao Zi + +commit 762cf75bec2ad9d17899087899a34336b1757238 upstream. + +SoC integrated peripherals on LS2K1000 and LS2K2000 could be discovered +as PCI devices, but require sideband interrupts to function, which are +previously described by interrupts and interrupt-parent properties. + +However, pci/pci-device.yaml allows interrupts property to only specify +PCI INTx interrupts, not sideband ones. Convert these devices to use +interrupt-extended property, which describes sideband interrupts used by +PCI devices since dt-schema commit e6ea659d2baa ("schemas: pci-device: +Allow interrupts-extended for sideband interrupts"), eliminating +dtbs_check warnings. + +Cc: stable@vger.kernel.org +Fixes: 30a5532a3206 ("LoongArch: dts: DeviceTree for Loongson-2K1000") +Signed-off-by: Yao Zi +Signed-off-by: Binbin Zhou +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/boot/dts/loongson-2k1000.dtsi | 25 +++++++-------------- + arch/loongarch/boot/dts/loongson-2k2000.dtsi | 32 ++++++++++----------------- + 2 files changed, 21 insertions(+), 36 deletions(-) + +--- a/arch/loongarch/boot/dts/loongson-2k1000.dtsi ++++ b/arch/loongarch/boot/dts/loongson-2k1000.dtsi +@@ -437,54 +437,47 @@ + + gmac0: ethernet@3,0 { + reg = <0x1800 0x0 0x0 0x0 0x0>; +- interrupt-parent = <&liointc0>; +- interrupts = <12 IRQ_TYPE_LEVEL_HIGH>, +- <13 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&liointc0 12 IRQ_TYPE_LEVEL_HIGH>, ++ <&liointc0 13 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "macirq", "eth_lpi"; + status = "disabled"; + }; + + gmac1: ethernet@3,1 { + reg = <0x1900 0x0 0x0 0x0 0x0>; +- interrupt-parent = <&liointc0>; +- interrupts = <14 IRQ_TYPE_LEVEL_HIGH>, +- <15 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&liointc0 14 IRQ_TYPE_LEVEL_HIGH>, ++ <&liointc0 15 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "macirq", "eth_lpi"; + status = "disabled"; + }; + + ehci0: usb@4,1 { + reg = <0x2100 0x0 0x0 0x0 0x0>; +- interrupt-parent = <&liointc1>; +- interrupts = <18 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&liointc1 18 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + + ohci0: usb@4,2 { + reg = <0x2200 0x0 0x0 0x0 0x0>; +- interrupt-parent = <&liointc1>; +- interrupts = <19 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&liointc1 19 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + + display@6,0 { + reg = <0x3000 0x0 0x0 0x0 0x0>; +- interrupt-parent = <&liointc0>; +- interrupts = <28 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&liointc0 28 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + + hda@7,0 { + reg = <0x3800 0x0 0x0 0x0 0x0>; +- interrupt-parent = <&liointc0>; +- interrupts = <4 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&liointc0 4 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + + sata: sata@8,0 { + reg = <0x4000 0x0 0x0 0x0 0x0>; +- interrupt-parent = <&liointc0>; +- interrupts = <19 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&liointc0 19 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + +--- a/arch/loongarch/boot/dts/loongson-2k2000.dtsi ++++ b/arch/loongarch/boot/dts/loongson-2k2000.dtsi +@@ -291,65 +291,57 @@ + + gmac0: ethernet@3,0 { + reg = <0x1800 0x0 0x0 0x0 0x0>; +- interrupts = <12 IRQ_TYPE_LEVEL_HIGH>, +- <13 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&pic 12 IRQ_TYPE_LEVEL_HIGH>, ++ <&pic 13 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "macirq", "eth_lpi"; +- interrupt-parent = <&pic>; + status = "disabled"; + }; + + gmac1: ethernet@3,1 { + reg = <0x1900 0x0 0x0 0x0 0x0>; +- interrupts = <14 IRQ_TYPE_LEVEL_HIGH>, +- <15 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&pic 14 IRQ_TYPE_LEVEL_HIGH>, ++ <&pic 15 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "macirq", "eth_lpi"; +- interrupt-parent = <&pic>; + status = "disabled"; + }; + + gmac2: ethernet@3,2 { + reg = <0x1a00 0x0 0x0 0x0 0x0>; +- interrupts = <17 IRQ_TYPE_LEVEL_HIGH>, +- <18 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&pic 17 IRQ_TYPE_LEVEL_HIGH>, ++ <&pic 18 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "macirq", "eth_lpi"; +- interrupt-parent = <&pic>; + status = "disabled"; + }; + + xhci0: usb@4,0 { + reg = <0x2000 0x0 0x0 0x0 0x0>; +- interrupts = <48 IRQ_TYPE_LEVEL_HIGH>; +- interrupt-parent = <&pic>; ++ interrupts-extended = <&pic 48 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + + xhci1: usb@19,0 { + reg = <0xc800 0x0 0x0 0x0 0x0>; +- interrupts = <22 IRQ_TYPE_LEVEL_HIGH>; +- interrupt-parent = <&pic>; ++ interrupts-extended = <&pic 22 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + + display@6,1 { + reg = <0x3100 0x0 0x0 0x0 0x0>; +- interrupts = <28 IRQ_TYPE_LEVEL_HIGH>; +- interrupt-parent = <&pic>; ++ interrupts-extended = <&pic 28 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + + i2s@7,0 { + reg = <0x3800 0x0 0x0 0x0 0x0>; +- interrupts = <78 IRQ_TYPE_LEVEL_HIGH>, +- <79 IRQ_TYPE_LEVEL_HIGH>; ++ interrupts-extended = <&pic 78 IRQ_TYPE_LEVEL_HIGH>, ++ <&pic 79 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "tx", "rx"; +- interrupt-parent = <&pic>; + status = "disabled"; + }; + + sata: sata@8,0 { + reg = <0x4000 0x0 0x0 0x0 0x0>; +- interrupts = <16 IRQ_TYPE_LEVEL_HIGH>; +- interrupt-parent = <&pic>; ++ interrupts-extended = <&pic 16 IRQ_TYPE_LEVEL_HIGH>; + status = "disabled"; + }; + diff --git a/queue-6.18/loongarch-fix-pmu-counter-allocation-for-mixed-type-event-groups.patch b/queue-6.18/loongarch-fix-pmu-counter-allocation-for-mixed-type-event-groups.patch new file mode 100644 index 0000000000..0373144e76 --- /dev/null +++ b/queue-6.18/loongarch-fix-pmu-counter-allocation-for-mixed-type-event-groups.patch @@ -0,0 +1,124 @@ +From a91f86e27087f250a5d9c89bb4a427b9c30fd815 Mon Sep 17 00:00:00 2001 +From: Lisa Robinson +Date: Sat, 17 Jan 2026 10:56:43 +0800 +Subject: LoongArch: Fix PMU counter allocation for mixed-type event groups + +From: Lisa Robinson + +commit a91f86e27087f250a5d9c89bb4a427b9c30fd815 upstream. + +When validating a perf event group, validate_group() unconditionally +attempts to allocate hardware PMU counters for the leader, sibling +events and the new event being added. + +This is incorrect for mixed-type groups. If a PERF_TYPE_SOFTWARE event +is part of the group, the current code still tries to allocate a hardware +PMU counter for it, which can wrongly consume hardware PMU resources and +cause spurious allocation failures. + +Fix this by only allocating PMU counters for hardware events during group +validation, and skipping software events. + +A trimmed down reproducer is as simple as this: + + #include + #include + #include + #include + #include + #include + + int main (int argc, char *argv[]) + { + struct perf_event_attr attr = { 0 }; + int fds[5]; + + attr.disabled = 1; + attr.exclude_kernel = 1; + attr.exclude_hv = 1; + attr.read_format = PERF_FORMAT_TOTAL_TIME_ENABLED | + PERF_FORMAT_TOTAL_TIME_RUNNING | PERF_FORMAT_ID | PERF_FORMAT_GROUP; + attr.size = sizeof (attr); + + attr.type = PERF_TYPE_SOFTWARE; + attr.config = PERF_COUNT_SW_DUMMY; + fds[0] = syscall (SYS_perf_event_open, &attr, 0, -1, -1, 0); + assert (fds[0] >= 0); + + attr.type = PERF_TYPE_HARDWARE; + attr.config = PERF_COUNT_HW_CPU_CYCLES; + fds[1] = syscall (SYS_perf_event_open, &attr, 0, -1, fds[0], 0); + assert (fds[1] >= 0); + + attr.type = PERF_TYPE_HARDWARE; + attr.config = PERF_COUNT_HW_INSTRUCTIONS; + fds[2] = syscall (SYS_perf_event_open, &attr, 0, -1, fds[0], 0); + assert (fds[2] >= 0); + + attr.type = PERF_TYPE_HARDWARE; + attr.config = PERF_COUNT_HW_BRANCH_MISSES; + fds[3] = syscall (SYS_perf_event_open, &attr, 0, -1, fds[0], 0); + assert (fds[3] >= 0); + + attr.type = PERF_TYPE_HARDWARE; + attr.config = PERF_COUNT_HW_CACHE_REFERENCES; + fds[4] = syscall (SYS_perf_event_open, &attr, 0, -1, fds[0], 0); + assert (fds[4] >= 0); + + printf ("PASSED\n"); + + return 0; + } + +Cc: stable@vger.kernel.org +Fixes: b37042b2bb7c ("LoongArch: Add perf events support") +Signed-off-by: Lisa Robinson +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/perf_event.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/arch/loongarch/kernel/perf_event.c ++++ b/arch/loongarch/kernel/perf_event.c +@@ -626,6 +626,18 @@ static const struct loongarch_perf_event + return pev; + } + ++static inline bool loongarch_pmu_event_requires_counter(const struct perf_event *event) ++{ ++ switch (event->attr.type) { ++ case PERF_TYPE_HARDWARE: ++ case PERF_TYPE_HW_CACHE: ++ case PERF_TYPE_RAW: ++ return true; ++ default: ++ return false; ++ } ++} ++ + static int validate_group(struct perf_event *event) + { + struct cpu_hw_events fake_cpuc; +@@ -633,15 +645,18 @@ static int validate_group(struct perf_ev + + memset(&fake_cpuc, 0, sizeof(fake_cpuc)); + +- if (loongarch_pmu_alloc_counter(&fake_cpuc, &leader->hw) < 0) ++ if (loongarch_pmu_event_requires_counter(leader) && ++ loongarch_pmu_alloc_counter(&fake_cpuc, &leader->hw) < 0) + return -EINVAL; + + for_each_sibling_event(sibling, leader) { +- if (loongarch_pmu_alloc_counter(&fake_cpuc, &sibling->hw) < 0) ++ if (loongarch_pmu_event_requires_counter(sibling) && ++ loongarch_pmu_alloc_counter(&fake_cpuc, &sibling->hw) < 0) + return -EINVAL; + } + +- if (loongarch_pmu_alloc_counter(&fake_cpuc, &event->hw) < 0) ++ if (loongarch_pmu_event_requires_counter(event) && ++ loongarch_pmu_alloc_counter(&fake_cpuc, &event->hw) < 0) + return -EINVAL; + + return 0; diff --git a/queue-6.18/mm-damon-core-remove-call_control-in-inactive-contexts.patch b/queue-6.18/mm-damon-core-remove-call_control-in-inactive-contexts.patch new file mode 100644 index 0000000000..ba207544aa --- /dev/null +++ b/queue-6.18/mm-damon-core-remove-call_control-in-inactive-contexts.patch @@ -0,0 +1,105 @@ +From f9132fbc2e83baf2c45a77043672a63a675c9394 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Tue, 30 Dec 2025 17:23:13 -0800 +Subject: mm/damon/core: remove call_control in inactive contexts + +From: SeongJae Park + +commit f9132fbc2e83baf2c45a77043672a63a675c9394 upstream. + +If damon_call() is executed against a DAMON context that is not running, +the function returns error while keeping the damon_call_control object +linked to the context's call_controls list. Let's suppose the object is +deallocated after the damon_call(), and yet another damon_call() is +executed against the same context. The function tries to add the new +damon_call_control object to the call_controls list, which still has the +pointer to the previous damon_call_control object, which is deallocated. +As a result, use-after-free happens. + +This can actually be triggered using the DAMON sysfs interface. It is not +easily exploitable since it requires the sysfs write permission and making +a definitely weird file writes, though. Please refer to the report for +more details about the issue reproduction steps. + +Fix the issue by making two changes. Firstly, move the final +kdamond_call() for cancelling all existing damon_call() requests from +terminating DAMON context to be done before the ctx->kdamond reset. This +makes any code that sees NULL ctx->kdamond can safely assume the context +may not access damon_call() requests anymore. Secondly, let damon_call() +to cleanup the damon_call_control objects that were added to the +already-terminated DAMON context, before returning the error. + +Link: https://lkml.kernel.org/r/20251231012315.75835-1-sj@kernel.org +Fixes: 004ded6bee11 ("mm/damon: accept parallel damon_call() requests") +Signed-off-by: SeongJae Park +Reported-by: JaeJoon Jung +Closes: https://lore.kernel.org/20251224094401.20384-1-rgbi3307@gmail.com +Cc: # 6.17.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/core.c | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +--- a/mm/damon/core.c ++++ b/mm/damon/core.c +@@ -1426,6 +1426,35 @@ bool damon_is_running(struct damon_ctx * + return running; + } + ++/* ++ * damon_call_handle_inactive_ctx() - handle DAMON call request that added to ++ * an inactive context. ++ * @ctx: The inactive DAMON context. ++ * @control: Control variable of the call request. ++ * ++ * This function is called in a case that @control is added to @ctx but @ctx is ++ * not running (inactive). See if @ctx handled @control or not, and cleanup ++ * @control if it was not handled. ++ * ++ * Returns 0 if @control was handled by @ctx, negative error code otherwise. ++ */ ++static int damon_call_handle_inactive_ctx( ++ struct damon_ctx *ctx, struct damon_call_control *control) ++{ ++ struct damon_call_control *c; ++ ++ mutex_lock(&ctx->call_controls_lock); ++ list_for_each_entry(c, &ctx->call_controls, list) { ++ if (c == control) { ++ list_del(&control->list); ++ mutex_unlock(&ctx->call_controls_lock); ++ return -EINVAL; ++ } ++ } ++ mutex_unlock(&ctx->call_controls_lock); ++ return 0; ++} ++ + /** + * damon_call() - Invoke a given function on DAMON worker thread (kdamond). + * @ctx: DAMON context to call the function for. +@@ -1456,7 +1485,7 @@ int damon_call(struct damon_ctx *ctx, st + list_add_tail(&control->list, &ctx->call_controls); + mutex_unlock(&ctx->call_controls_lock); + if (!damon_is_running(ctx)) +- return -EINVAL; ++ return damon_call_handle_inactive_ctx(ctx, control); + if (control->repeat) + return 0; + wait_for_completion(&control->completion); +@@ -2704,13 +2733,13 @@ done: + if (ctx->ops.cleanup) + ctx->ops.cleanup(ctx); + kfree(ctx->regions_score_histogram); ++ kdamond_call(ctx, true); + + pr_debug("kdamond (%d) finishes\n", current->pid); + mutex_lock(&ctx->kdamond_lock); + ctx->kdamond = NULL; + mutex_unlock(&ctx->kdamond_lock); + +- kdamond_call(ctx, true); + damos_walk_cancel(ctx); + + mutex_lock(&damon_lock); diff --git a/queue-6.18/mm-damon-sysfs-cleanup-attrs-subdirs-on-context-dir-setup-failure.patch b/queue-6.18/mm-damon-sysfs-cleanup-attrs-subdirs-on-context-dir-setup-failure.patch new file mode 100644 index 0000000000..6f197573c8 --- /dev/null +++ b/queue-6.18/mm-damon-sysfs-cleanup-attrs-subdirs-on-context-dir-setup-failure.patch @@ -0,0 +1,48 @@ +From 9814cc832b88bd040fc2a1817c2b5469d0f7e862 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Wed, 24 Dec 2025 18:30:35 -0800 +Subject: mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure + +From: SeongJae Park + +commit 9814cc832b88bd040fc2a1817c2b5469d0f7e862 upstream. + +When a context DAMON sysfs directory setup is failed after setup of attrs/ +directory, subdirectories of attrs/ directory are not cleaned up. As a +result, DAMON sysfs interface is nearly broken until the system reboots, +and the memory for the unremoved directory is leaked. + +Cleanup the directories under such failures. + +Link: https://lkml.kernel.org/r/20251225023043.18579-3-sj@kernel.org +Fixes: c951cd3b8901 ("mm/damon: implement a minimal stub for sysfs-based DAMON interface") +Signed-off-by: SeongJae Park +Cc: chongjiapeng +Cc: # 5.18.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/damon/sysfs.c ++++ b/mm/damon/sysfs.c +@@ -922,7 +922,7 @@ static int damon_sysfs_context_add_dirs( + + err = damon_sysfs_context_set_targets(context); + if (err) +- goto put_attrs_out; ++ goto rmdir_put_attrs_out; + + err = damon_sysfs_context_set_schemes(context); + if (err) +@@ -932,7 +932,8 @@ static int damon_sysfs_context_add_dirs( + put_targets_attrs_out: + kobject_put(&context->targets->kobj); + context->targets = NULL; +-put_attrs_out: ++rmdir_put_attrs_out: ++ damon_sysfs_attrs_rm_dirs(context->attrs); + kobject_put(&context->attrs->kobj); + context->attrs = NULL; + return err; diff --git a/queue-6.18/mm-damon-sysfs-cleanup-intervals-subdirs-on-attrs-dir-setup-failure.patch b/queue-6.18/mm-damon-sysfs-cleanup-intervals-subdirs-on-attrs-dir-setup-failure.patch new file mode 100644 index 0000000000..fcde84fbbd --- /dev/null +++ b/queue-6.18/mm-damon-sysfs-cleanup-intervals-subdirs-on-attrs-dir-setup-failure.patch @@ -0,0 +1,79 @@ +From a24ca8ebb0cd5ea07a1462b77be0f0823c40f319 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Wed, 24 Dec 2025 18:30:34 -0800 +Subject: mm/damon/sysfs: cleanup intervals subdirs on attrs dir setup failure + +From: SeongJae Park + +commit a24ca8ebb0cd5ea07a1462b77be0f0823c40f319 upstream. + +Patch series "mm/damon/sysfs: free setup failures generated zombie sub-sub +dirs". + +Some DAMON sysfs directory setup functions generates its sub and sub-sub +directories. For example, 'monitoring_attrs/' directory setup creates +'intervals/' and 'intervals/intervals_goal/' directories under +'monitoring_attrs/' directory. When such sub-sub directories are +successfully made but followup setup is failed, the setup function should +recursively clean up the subdirectories. + +However, such setup functions are only dereferencing sub directory +reference counters. As a result, under certain setup failures, the +sub-sub directories keep having non-zero reference counters. It means the +directories cannot be removed like zombies, and the memory for the +directories cannot be freed. + +The user impact of this issue is limited due to the following reasons. + +When the issue happens, the zombie directories are still taking the path. +Hence attempts to generate the directories again will fail, without +additional memory leak. This means the upper bound memory leak is +limited. Nonetheless this also implies controlling DAMON with a feature +that requires the setup-failed sysfs files will be impossible until the +system reboots. + +Also, the setup operations are quite simple. The certain failures would +hence only rarely happen, and are difficult to artificially trigger. + + +This patch (of 4): + +When attrs/ DAMON sysfs directory setup is failed after setup of +intervals/ directory, intervals/intervals_goal/ directory is not cleaned +up. As a result, DAMON sysfs interface is nearly broken until the system +reboots, and the memory for the unremoved directory is leaked. + +Cleanup the directory under such failures. + +Link: https://lkml.kernel.org/r/20251225023043.18579-1-sj@kernel.org +Link: https://lkml.kernel.org/r/20251225023043.18579-2-sj@kernel.org +Fixes: 8fbbcbeaafeb ("mm/damon/sysfs: implement intervals tuning goal directory") +Signed-off-by: SeongJae Park +Cc: chongjiapeng +Cc: # 6.15.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/damon/sysfs.c ++++ b/mm/damon/sysfs.c +@@ -764,7 +764,7 @@ static int damon_sysfs_attrs_add_dirs(st + nr_regions_range = damon_sysfs_ul_range_alloc(10, 1000); + if (!nr_regions_range) { + err = -ENOMEM; +- goto put_intervals_out; ++ goto rmdir_put_intervals_out; + } + + err = kobject_init_and_add(&nr_regions_range->kobj, +@@ -778,6 +778,8 @@ static int damon_sysfs_attrs_add_dirs(st + put_nr_regions_intervals_out: + kobject_put(&nr_regions_range->kobj); + attrs->nr_regions_range = NULL; ++rmdir_put_intervals_out: ++ damon_sysfs_intervals_rm_dirs(intervals); + put_intervals_out: + kobject_put(&intervals->kobj); + attrs->intervals = NULL; diff --git a/queue-6.18/mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch b/queue-6.18/mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch new file mode 100644 index 0000000000..95bf4834a5 --- /dev/null +++ b/queue-6.18/mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch @@ -0,0 +1,48 @@ +From 392b3d9d595f34877dd745b470c711e8ebcd225c Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Wed, 24 Dec 2025 18:30:37 -0800 +Subject: mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure + +From: SeongJae Park + +commit 392b3d9d595f34877dd745b470c711e8ebcd225c upstream. + +When a DAMOS-scheme DAMON sysfs directory setup fails after setup of +access_pattern/ directory, subdirectories of access_pattern/ directory are +not cleaned up. As a result, DAMON sysfs interface is nearly broken until +the system reboots, and the memory for the unremoved directory is leaked. + +Cleanup the directories under such failures. + +Link: https://lkml.kernel.org/r/20251225023043.18579-5-sj@kernel.org +Fixes: 9bbb820a5bd5 ("mm/damon/sysfs: support DAMOS quotas") +Signed-off-by: SeongJae Park +Cc: chongjiapeng +Cc: # 5.18.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs-schemes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/damon/sysfs-schemes.c ++++ b/mm/damon/sysfs-schemes.c +@@ -2111,7 +2111,7 @@ static int damon_sysfs_scheme_add_dirs(s + return err; + err = damos_sysfs_set_dests(scheme); + if (err) +- goto put_access_pattern_out; ++ goto rmdir_put_access_pattern_out; + err = damon_sysfs_scheme_set_quotas(scheme); + if (err) + goto put_dests_out; +@@ -2149,7 +2149,8 @@ rmdir_put_quotas_access_pattern_out: + put_dests_out: + kobject_put(&scheme->dests->kobj); + scheme->dests = NULL; +-put_access_pattern_out: ++rmdir_put_access_pattern_out: ++ damon_sysfs_access_pattern_rm_dirs(scheme->access_pattern); + kobject_put(&scheme->access_pattern->kobj); + scheme->access_pattern = NULL; + return err; diff --git a/queue-6.18/mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch b/queue-6.18/mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch new file mode 100644 index 0000000000..e99e471d0c --- /dev/null +++ b/queue-6.18/mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch @@ -0,0 +1,48 @@ +From dc7e1d75fd8c505096d0cddeca9e2efb2b55aaf9 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Wed, 24 Dec 2025 18:30:36 -0800 +Subject: mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure + +From: SeongJae Park + +commit dc7e1d75fd8c505096d0cddeca9e2efb2b55aaf9 upstream. + +When a DAMOS-scheme DAMON sysfs directory setup fails after setup of +quotas/ directory, subdirectories of quotas/ directory are not cleaned up. +As a result, DAMON sysfs interface is nearly broken until the system +reboots, and the memory for the unremoved directory is leaked. + +Cleanup the directories under such failures. + +Link: https://lkml.kernel.org/r/20251225023043.18579-4-sj@kernel.org +Fixes: 1b32234ab087 ("mm/damon/sysfs: support DAMOS watermarks") +Signed-off-by: SeongJae Park +Cc: chongjiapeng +Cc: # 5.18.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs-schemes.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/damon/sysfs-schemes.c ++++ b/mm/damon/sysfs-schemes.c +@@ -2117,7 +2117,7 @@ static int damon_sysfs_scheme_add_dirs(s + goto put_dests_out; + err = damon_sysfs_scheme_set_watermarks(scheme); + if (err) +- goto put_quotas_access_pattern_out; ++ goto rmdir_put_quotas_access_pattern_out; + err = damos_sysfs_set_filter_dirs(scheme); + if (err) + goto put_watermarks_quotas_access_pattern_out; +@@ -2142,7 +2142,8 @@ put_filters_watermarks_quotas_access_pat + put_watermarks_quotas_access_pattern_out: + kobject_put(&scheme->watermarks->kobj); + scheme->watermarks = NULL; +-put_quotas_access_pattern_out: ++rmdir_put_quotas_access_pattern_out: ++ damon_sysfs_quotas_rm_dirs(scheme->quotas); + kobject_put(&scheme->quotas->kobj); + scheme->quotas = NULL; + put_dests_out: diff --git a/queue-6.18/mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch b/queue-6.18/mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch new file mode 100644 index 0000000000..cc7b10fdcf --- /dev/null +++ b/queue-6.18/mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch @@ -0,0 +1,50 @@ +From 4795d205d78690a46b60164f44b8bb7b3e800865 Mon Sep 17 00:00:00 2001 +From: Ryan Roberts +Date: Sun, 4 Jan 2026 13:43:47 +0000 +Subject: mm: kmsan: fix poisoning of high-order non-compound pages + +From: Ryan Roberts + +commit 4795d205d78690a46b60164f44b8bb7b3e800865 upstream. + +kmsan_free_page() is called by the page allocator's free_pages_prepare() +during page freeing. Its job is to poison all the memory covered by the +page. It can be called with an order-0 page, a compound high-order page +or a non-compound high-order page. But page_size() only works for order-0 +and compound pages. For a non-compound high-order page it will +incorrectly return PAGE_SIZE. + +The implication is that the tail pages of a high-order non-compound page +do not get poisoned at free, so any invalid access while they are free +could go unnoticed. It looks like the pages will be poisoned again at +allocation time, so that would bookend the window. + +Fix this by using the order parameter to calculate the size. + +Link: https://lkml.kernel.org/r/20260104134348.3544298-1-ryan.roberts@arm.com +Fixes: b073d7f8aee4 ("mm: kmsan: maintain KMSAN metadata for page operations") +Signed-off-by: Ryan Roberts +Reviewed-by: Alexander Potapenko +Tested-by: Alexander Potapenko +Cc: Dmitriy Vyukov +Cc: Dmitry Vyukov +Cc: Marco Elver +Cc: Ryan Roberts +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmsan/shadow.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/kmsan/shadow.c ++++ b/mm/kmsan/shadow.c +@@ -207,7 +207,7 @@ void kmsan_free_page(struct page *page, + if (!kmsan_enabled || kmsan_in_runtime()) + return; + kmsan_enter_runtime(); +- kmsan_internal_poison_memory(page_address(page), page_size(page), ++ kmsan_internal_poison_memory(page_address(page), PAGE_SIZE << order, + GFP_KERNEL & ~(__GFP_RECLAIM), + KMSAN_POISON_CHECK | KMSAN_POISON_FREE); + kmsan_leave_runtime(); diff --git a/queue-6.18/mm-numa-memblock-include-asm-numa.h-for-numa_nodes_parsed.patch b/queue-6.18/mm-numa-memblock-include-asm-numa.h-for-numa_nodes_parsed.patch new file mode 100644 index 0000000000..78c547fcdc --- /dev/null +++ b/queue-6.18/mm-numa-memblock-include-asm-numa.h-for-numa_nodes_parsed.patch @@ -0,0 +1,38 @@ +From f46c26f1bcd9164d7f3377f15ca75488a3e44362 Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Thu, 8 Jan 2026 10:15:39 +0000 +Subject: mm: numa,memblock: include for 'numa_nodes_parsed' + +From: Ben Dooks + +commit f46c26f1bcd9164d7f3377f15ca75488a3e44362 upstream. + +The 'numa_nodes_parsed' is defined in but this file +is not included in mm/numa_memblks.c (build x86_64) so add this +to the incldues to fix the following sparse warning: + +mm/numa_memblks.c:13:12: warning: symbol 'numa_nodes_parsed' was not declared. Should it be static? + +Link: https://lkml.kernel.org/r/20260108101539.229192-1-ben.dooks@codethink.co.uk +Fixes: 87482708210f ("mm: introduce numa_memblks") +Signed-off-by: Ben Dooks +Reviewed-by: Mike Rapoport (Microsoft) +Cc: Ben Dooks +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/numa_memblks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/numa_memblks.c ++++ b/mm/numa_memblks.c +@@ -7,6 +7,8 @@ + #include + #include + ++#include ++ + int numa_distance_cnt; + static u8 *numa_distance; + diff --git a/queue-6.18/mm-page_alloc-make-percpu_pagelist_high_fraction-reads-lock-free.patch b/queue-6.18/mm-page_alloc-make-percpu_pagelist_high_fraction-reads-lock-free.patch new file mode 100644 index 0000000000..60e7b3475b --- /dev/null +++ b/queue-6.18/mm-page_alloc-make-percpu_pagelist_high_fraction-reads-lock-free.patch @@ -0,0 +1,60 @@ +From b9efe36b5e3eb2e91aa3d706066428648af034fc Mon Sep 17 00:00:00 2001 +From: Aboorva Devarajan +Date: Mon, 1 Dec 2025 11:30:09 +0530 +Subject: mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free + +From: Aboorva Devarajan + +commit b9efe36b5e3eb2e91aa3d706066428648af034fc upstream. + +When page isolation loops indefinitely during memory offline, reading +/proc/sys/vm/percpu_pagelist_high_fraction blocks on pcp_batch_high_lock, +causing hung task warnings. + +Make procfs reads lock-free since percpu_pagelist_high_fraction is a +simple integer with naturally atomic reads, writers still serialize via +the mutex. + +This prevents hung task warnings when reading the procfs file during +long-running memory offline operations. + +[akpm@linux-foundation.org: add comment, per Michal] + Link: https://lkml.kernel.org/r/aS_y9AuJQFydLEXo@tiehlicka +Link: https://lkml.kernel.org/r/20251201060009.1420792-1-aboorvad@linux.ibm.com +Signed-off-by: Aboorva Devarajan +Acked-by: Michal Hocko +Cc: Brendan Jackman +Cc: Johannes Weiner +Cc: Suren Baghdasaryan +Cc: Vlastimil Babka +Cc: Zi Yan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -6611,11 +6611,19 @@ static int percpu_pagelist_high_fraction + int old_percpu_pagelist_high_fraction; + int ret; + ++ /* ++ * Avoid using pcp_batch_high_lock for reads as the value is read ++ * atomically and a race with offlining is harmless. ++ */ ++ ++ if (!write) ++ return proc_dointvec_minmax(table, write, buffer, length, ppos); ++ + mutex_lock(&pcp_batch_high_lock); + old_percpu_pagelist_high_fraction = percpu_pagelist_high_fraction; + + ret = proc_dointvec_minmax(table, write, buffer, length, ppos); +- if (!write || ret < 0) ++ if (ret < 0) + goto out; + + /* Sanity checking to avoid pcp imbalance */ diff --git a/queue-6.18/mm-zswap-fix-error-pointer-free-in-zswap_cpu_comp_prepare.patch b/queue-6.18/mm-zswap-fix-error-pointer-free-in-zswap_cpu_comp_prepare.patch new file mode 100644 index 0000000000..271db09da0 --- /dev/null +++ b/queue-6.18/mm-zswap-fix-error-pointer-free-in-zswap_cpu_comp_prepare.patch @@ -0,0 +1,39 @@ +From 590b13669b813d55844fecd9142c56abd567914d Mon Sep 17 00:00:00 2001 +From: Pavel Butsykin +Date: Wed, 31 Dec 2025 11:46:38 +0400 +Subject: mm/zswap: fix error pointer free in zswap_cpu_comp_prepare() + +From: Pavel Butsykin + +commit 590b13669b813d55844fecd9142c56abd567914d upstream. + +crypto_alloc_acomp_node() may return ERR_PTR(), but the fail path checks +only for NULL and can pass an error pointer to crypto_free_acomp(). Use +IS_ERR_OR_NULL() to only free valid acomp instances. + +Link: https://lkml.kernel.org/r/20251231074638.2564302-1-pbutsykin@cloudlinux.com +Fixes: 779b9955f643 ("mm: zswap: move allocations during CPU init outside the lock") +Signed-off-by: Pavel Butsykin +Reviewed-by: SeongJae Park +Acked-by: Yosry Ahmed +Acked-by: Nhat Pham +Cc: Johannes Weiner +Cc: Chengming Zhou +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/zswap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/zswap.c ++++ b/mm/zswap.c +@@ -787,7 +787,7 @@ static int zswap_cpu_comp_prepare(unsign + return 0; + + fail: +- if (acomp) ++ if (!IS_ERR_OR_NULL(acomp)) + crypto_free_acomp(acomp); + kfree(buffer); + return ret; diff --git a/queue-6.18/net-can-j1939-j1939_xtp_rx_rts_session_active-deactivate-session-upon-receiving-the-second-rts.patch b/queue-6.18/net-can-j1939-j1939_xtp_rx_rts_session_active-deactivate-session-upon-receiving-the-second-rts.patch new file mode 100644 index 0000000000..6c0bf1e19b --- /dev/null +++ b/queue-6.18/net-can-j1939-j1939_xtp_rx_rts_session_active-deactivate-session-upon-receiving-the-second-rts.patch @@ -0,0 +1,52 @@ +From 1809c82aa073a11b7d335ae932d81ce51a588a4a Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 14 Jan 2026 00:28:47 +0900 +Subject: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts + +From: Tetsuo Handa + +commit 1809c82aa073a11b7d335ae932d81ce51a588a4a upstream. + +Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is +called only when the timer is enabled, we need to call +j1939_session_deactivate_activate_next() if we cancelled the timer. +Otherwise, refcount for j1939_session leaks, which will later appear as + +| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. + +problem. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84 +Signed-off-by: Tetsuo Handa +Tested-by: Oleksij Rempel +Acked-by: Oleksij Rempel +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://patch.msgid.link/b1212653-8fa1-44e1-be9d-12f950fb3a07@I-love.SAKURA.ne.jp +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1695,8 +1695,16 @@ static int j1939_xtp_rx_rts_session_acti + + j1939_session_timers_cancel(session); + j1939_session_cancel(session, J1939_XTP_ABORT_BUSY); +- if (session->transmission) ++ if (session->transmission) { + j1939_session_deactivate_activate_next(session); ++ } else if (session->state == J1939_SESSION_WAITING_ABORT) { ++ /* Force deactivation for the receiver. ++ * If we rely on the timer starting in j1939_session_cancel, ++ * a second RTS call here will cancel that timer and fail ++ * to restart it because the state is already WAITING_ABORT. ++ */ ++ j1939_session_deactivate_activate_next(session); ++ } + + return -EBUSY; + } diff --git a/queue-6.18/null_blk-fix-kmemleak-by-releasing-references-to-fault-configfs-items.patch b/queue-6.18/null_blk-fix-kmemleak-by-releasing-references-to-fault-configfs-items.patch new file mode 100644 index 0000000000..656979453d --- /dev/null +++ b/queue-6.18/null_blk-fix-kmemleak-by-releasing-references-to-fault-configfs-items.patch @@ -0,0 +1,85 @@ +From 40b94ec7edbbb867c4e26a1a43d2b898f04b93c5 Mon Sep 17 00:00:00 2001 +From: Nilay Shroff +Date: Tue, 13 Jan 2026 12:27:22 +0530 +Subject: null_blk: fix kmemleak by releasing references to fault configfs items + +From: Nilay Shroff + +commit 40b94ec7edbbb867c4e26a1a43d2b898f04b93c5 upstream. + +When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk +driver sets up fault injection support by creating the timeout_inject, +requeue_inject, and init_hctx_fault_inject configfs items as children +of the top-level nullbX configfs group. + +However, when the nullbX device is removed, the references taken to +these fault-config configfs items are not released. As a result, +kmemleak reports a memory leak, for example: + +unreferenced object 0xc00000021ff25c40 (size 32): + comm "mkdir", pid 10665, jiffies 4322121578 + hex dump (first 32 bytes): + 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_ + 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject.......... + backtrace (crc 1a018c86): + __kmalloc_node_track_caller_noprof+0x494/0xbd8 + kvasprintf+0x74/0xf4 + config_item_set_name+0xf0/0x104 + config_group_init_type_name+0x48/0xfc + fault_config_init+0x48/0xf0 + 0xc0080000180559e4 + configfs_mkdir+0x304/0x814 + vfs_mkdir+0x49c/0x604 + do_mkdirat+0x314/0x3d0 + sys_mkdir+0xa0/0xd8 + system_call_exception+0x1b0/0x4f0 + system_call_vectored_common+0x15c/0x2ec + +Fix this by explicitly releasing the references to the fault-config +configfs items when dropping the reference to the top-level nullbX +configfs group. + +Cc: stable@vger.kernel.org +Reviewed-by: Chaitanya Kulkarni +Fixes: bb4c19e030f4 ("block: null_blk: make fault-injection dynamically configurable per device") +Signed-off-by: Nilay Shroff +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/null_blk/main.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -665,12 +665,22 @@ static void nullb_add_fault_config(struc + configfs_add_default_group(&dev->init_hctx_fault_config.group, &dev->group); + } + ++static void nullb_del_fault_config(struct nullb_device *dev) ++{ ++ config_item_put(&dev->init_hctx_fault_config.group.cg_item); ++ config_item_put(&dev->requeue_config.group.cg_item); ++ config_item_put(&dev->timeout_config.group.cg_item); ++} ++ + #else + + static void nullb_add_fault_config(struct nullb_device *dev) + { + } + ++static void nullb_del_fault_config(struct nullb_device *dev) ++{ ++} + #endif + + static struct +@@ -702,7 +712,7 @@ nullb_group_drop_item(struct config_grou + null_del_dev(dev->nullb); + mutex_unlock(&lock); + } +- ++ nullb_del_fault_config(dev); + config_item_put(item); + } + diff --git a/queue-6.18/nvme-fix-pcie-subsystem-reset-controller-state-transition.patch b/queue-6.18/nvme-fix-pcie-subsystem-reset-controller-state-transition.patch new file mode 100644 index 0000000000..168796df10 --- /dev/null +++ b/queue-6.18/nvme-fix-pcie-subsystem-reset-controller-state-transition.patch @@ -0,0 +1,57 @@ +From 0edb475ac0a7d153318a24d4dca175a270a5cc4f Mon Sep 17 00:00:00 2001 +From: Nilay Shroff +Date: Wed, 14 Jan 2026 12:54:13 +0530 +Subject: nvme: fix PCIe subsystem reset controller state transition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nilay Shroff + +commit 0edb475ac0a7d153318a24d4dca175a270a5cc4f upstream. + +The commit d2fe192348f9 (“nvme: only allow entering LIVE from CONNECTING +state”) disallows controller state transitions directly from RESETTING +to LIVE. However, the NVMe PCIe subsystem reset path relies on this +transition to recover the controller on PowerPC (PPC) systems. + +On PPC systems, issuing a subsystem reset causes a temporary loss of +communication with the NVMe adapter. A subsequent PCIe MMIO read then +triggers EEH recovery, which restores the PCIe link and brings the +controller back online. For EEH recovery to proceed correctly, the +controller must transition back to the LIVE state. + +Due to the changes introduced by commit d2fe192348f9 (“nvme: only allow +entering LIVE from CONNECTING state”), the controller can no longer +transition directly from RESETTING to LIVE. As a result, EEH recovery +exits prematurely, leaving the controller stuck in the RESETTING state. + +Fix this by explicitly transitioning the controller state from RESETTING +to CONNECTING and then to LIVE. This satisfies the updated state +transition rules and allows the controller to be successfully recovered +on PPC systems following a PCIe subsystem reset. + +Cc: stable@vger.kernel.org +Fixes: d2fe192348f9 ("nvme: only allow entering LIVE from CONNECTING state") +Reviewed-by: Daniel Wagner +Signed-off-by: Nilay Shroff +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1461,7 +1461,10 @@ static int nvme_pci_subsystem_reset(stru + } + + writel(NVME_SUBSYS_RESET, dev->bar + NVME_REG_NSSR); +- nvme_change_ctrl_state(ctrl, NVME_CTRL_LIVE); ++ ++ if (!nvme_change_ctrl_state(ctrl, NVME_CTRL_CONNECTING) || ++ !nvme_change_ctrl_state(ctrl, NVME_CTRL_LIVE)) ++ goto unlock; + + /* + * Read controller status to flush the previous write and trigger a diff --git a/queue-6.18/nvme-pci-disable-secondary-temp-for-wodposit-wpbsnm8.patch b/queue-6.18/nvme-pci-disable-secondary-temp-for-wodposit-wpbsnm8.patch new file mode 100644 index 0000000000..1b9ec2c1df --- /dev/null +++ b/queue-6.18/nvme-pci-disable-secondary-temp-for-wodposit-wpbsnm8.patch @@ -0,0 +1,40 @@ +From 340f4fc5508c2905a1f30de229e2a4b299d55735 Mon Sep 17 00:00:00 2001 +From: Ilikara Zheng +Date: Mon, 8 Dec 2025 21:23:40 +0800 +Subject: nvme-pci: disable secondary temp for Wodposit WPBSNM8 + +From: Ilikara Zheng + +commit 340f4fc5508c2905a1f30de229e2a4b299d55735 upstream. + +Secondary temperature thresholds (temp2_{min,max}) were not reported +properly on this NVMe SSD. This resulted in an error while attempting to +read these values with sensors(1): + + ERROR: Can't get value of subfeature temp2_min: I/O error + ERROR: Can't get value of subfeature temp2_max: I/O error + +Add the device to the nvme_id_table with the +NVME_QUIRK_NO_SECONDARY_TEMP_THRESH flag to suppress access to all non- +composite temperature thresholds. + +Cc: stable@vger.kernel.org +Tested-by: Wu Haotian +Signed-off-by: Ilikara Zheng +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3917,6 +3917,8 @@ static const struct pci_device_id nvme_i + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, + { PCI_DEVICE(0x1e49, 0x0041), /* ZHITAI TiPro7000 NVMe SSD */ + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, ++ { PCI_DEVICE(0x1fa0, 0x2283), /* Wodposit WPBSNM8-256GTP */ ++ .driver_data = NVME_QUIRK_NO_SECONDARY_TEMP_THRESH, }, + { PCI_DEVICE(0x025e, 0xf1ac), /* SOLIDIGM P44 pro SSDPFKKW020X7 */ + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, + { PCI_DEVICE(0xc0a9, 0x540a), /* Crucial P2 */ diff --git a/queue-6.18/phy-freescale-imx8m-pcie-assert-phy-reset-during-power-on.patch b/queue-6.18/phy-freescale-imx8m-pcie-assert-phy-reset-during-power-on.patch new file mode 100644 index 0000000000..84129c0b94 --- /dev/null +++ b/queue-6.18/phy-freescale-imx8m-pcie-assert-phy-reset-during-power-on.patch @@ -0,0 +1,46 @@ +From f2ec4723defbc66a50e0abafa830ae9f8bceb0d7 Mon Sep 17 00:00:00 2001 +From: Rafael Beims +Date: Tue, 23 Dec 2025 12:02:54 -0300 +Subject: phy: freescale: imx8m-pcie: assert phy reset during power on + +From: Rafael Beims + +commit f2ec4723defbc66a50e0abafa830ae9f8bceb0d7 upstream. + +After U-Boot initializes PCIe with "pcie enum", Linux fails to detect +an NVMe disk on some boot cycles with: + + phy phy-32f00000.pcie-phy.0: phy poweron failed --> -110 + +Discussion with NXP identified that the iMX8MP PCIe PHY PLL may fail to +lock when re-initialized without a reset cycle [1]. + +The issue reproduces on 7% of tested hardware platforms, with a 30-40% +failure rate per affected device across boot cycles. + +Insert a reset cycle in the power-on routine to ensure the PHY is +initialized from a known state. + +[1] https://community.nxp.com/t5/i-MX-Processors/iMX8MP-PCIe-initialization-in-U-Boot/m-p/2248437#M242401 + +Signed-off-by: Rafael Beims +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251223150254.1075221-1-rafael@beims.me +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/phy/freescale/phy-fsl-imx8m-pcie.c ++++ b/drivers/phy/freescale/phy-fsl-imx8m-pcie.c +@@ -89,7 +89,8 @@ static int imx8_pcie_phy_power_on(struct + writel(imx8_phy->tx_deemph_gen2, + imx8_phy->base + PCIE_PHY_TRSV_REG6); + break; +- case IMX8MP: /* Do nothing. */ ++ case IMX8MP: ++ reset_control_assert(imx8_phy->reset); + break; + } + diff --git a/queue-6.18/phy-fsl-imx8mq-usb-fix-typec-orientation-switch-when-built-as-module.patch b/queue-6.18/phy-fsl-imx8mq-usb-fix-typec-orientation-switch-when-built-as-module.patch new file mode 100644 index 0000000000..2b0643f736 --- /dev/null +++ b/queue-6.18/phy-fsl-imx8mq-usb-fix-typec-orientation-switch-when-built-as-module.patch @@ -0,0 +1,62 @@ +From 49ccab4bedd4779899246107dc19fb01c5b6fea3 Mon Sep 17 00:00:00 2001 +From: Franz Schnyder +Date: Wed, 26 Nov 2025 15:01:33 +0100 +Subject: phy: fsl-imx8mq-usb: fix typec orientation switch when built as module + +From: Franz Schnyder + +commit 49ccab4bedd4779899246107dc19fb01c5b6fea3 upstream. + +Currently, the PHY only registers the typec orientation switch when it +is built in. If the typec driver is built as a module, the switch +registration is skipped due to the preprocessor condition, causing +orientation detection to fail. + +With commit +45fe729be9a6 ("usb: typec: Stub out typec_switch APIs when CONFIG_TYPEC=n") +the preprocessor condition is not needed anymore and the orientation +switch is correctly registered for both built-in and module builds. + +Fixes: b58f0f86fd61 ("phy: fsl-imx8mq-usb: add tca function driver for imx95") +Cc: stable@vger.kernel.org +Suggested-by: Xu Yang +Signed-off-by: Franz Schnyder +Reviewed-by: Frank Li +Reviewed-by: Xu Yang +Link: https://patch.msgid.link/20251126140136.1202241-1-fra.schnyder@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 14 -------------- + 1 file changed, 14 deletions(-) + +--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c ++++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c +@@ -124,8 +124,6 @@ struct imx8mq_usb_phy { + static void tca_blk_orientation_set(struct tca_blk *tca, + enum typec_orientation orientation); + +-#ifdef CONFIG_TYPEC +- + static int tca_blk_typec_switch_set(struct typec_switch_dev *sw, + enum typec_orientation orientation) + { +@@ -173,18 +171,6 @@ static void tca_blk_put_typec_switch(str + typec_switch_unregister(sw); + } + +-#else +- +-static struct typec_switch_dev *tca_blk_get_typec_switch(struct platform_device *pdev, +- struct imx8mq_usb_phy *imx_phy) +-{ +- return NULL; +-} +- +-static void tca_blk_put_typec_switch(struct typec_switch_dev *sw) {} +- +-#endif /* CONFIG_TYPEC */ +- + static void tca_blk_orientation_set(struct tca_blk *tca, + enum typec_orientation orientation) + { diff --git a/queue-6.18/phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch b/queue-6.18/phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch new file mode 100644 index 0000000000..6d332fc569 --- /dev/null +++ b/queue-6.18/phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch @@ -0,0 +1,39 @@ +From e07dea3de508cd6950c937cec42de7603190e1ca Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Fri, 9 Jan 2026 15:46:26 +0000 +Subject: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() + +From: Wentao Liang + +commit e07dea3de508cd6950c937cec42de7603190e1ca upstream. + +The for_each_available_child_of_node() calls of_node_put() to +release child_np in each success loop. After breaking from the +loop with the child_np has been released, the code will jump to +the put_child label and will call the of_node_put() again if the +devm_request_threaded_irq() fails. These cause a double free bug. + +Fix by returning directly to avoid the duplicate of_node_put(). + +Fixes: ed2b5a8e6b98 ("phy: phy-rockchip-inno-usb2: support muxed interrupts") +Cc: stable@vger.kernel.org +Signed-off-by: Wentao Liang +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20260109154626.2452034-1-vulab@iscas.ac.cn +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -1493,7 +1493,7 @@ next_child: + rphy); + if (ret) { + dev_err_probe(rphy->dev, ret, "failed to request usb2phy irq handle\n"); +- goto put_child; ++ return ret; + } + } + diff --git a/queue-6.18/phy-rockchip-inno-usb2-fix-communication-disruption-in-gadget-mode.patch b/queue-6.18/phy-rockchip-inno-usb2-fix-communication-disruption-in-gadget-mode.patch new file mode 100644 index 0000000000..485c5e145b --- /dev/null +++ b/queue-6.18/phy-rockchip-inno-usb2-fix-communication-disruption-in-gadget-mode.patch @@ -0,0 +1,80 @@ +From 7d8f725b79e35fa47e42c88716aad8711e1168d8 Mon Sep 17 00:00:00 2001 +From: Luca Ceresoli +Date: Thu, 27 Nov 2025 11:26:17 +0100 +Subject: phy: rockchip: inno-usb2: fix communication disruption in gadget mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luca Ceresoli + +commit 7d8f725b79e35fa47e42c88716aad8711e1168d8 upstream. + +When the OTG USB port is used to power to SoC, configured as peripheral and +used in gadget mode, communication stops without notice about 6 seconds +after the gadget is configured and enumerated. + +The problem was observed on a Radxa Rock Pi S board, which can only be +powered by the only USB-C connector. That connector is the only one usable +in gadget mode. This implies the USB cable is connected from before boot +and never disconnects while the kernel runs. + +The related code flow in the PHY driver code can be summarized as: + + * the first time chg_detect_work starts (6 seconds after gadget is + configured and enumerated) + -> rockchip_chg_detect_work(): + if chg_state is UNDEFINED: + property_enable(base, &rphy->phy_cfg->chg_det.opmode, false); [Y] + + * rockchip_chg_detect_work() changes state and re-triggers itself a few + times until it reaches the DETECTED state: + -> rockchip_chg_detect_work(): + if chg_state is DETECTED: + property_enable(base, &rphy->phy_cfg->chg_det.opmode, true); [Z] + +At [Y] all existing communications stop. E.g. using a CDC serial gadget, +the /dev/tty* devices are still present on both host and device, but no +data is transferred anymore. The later call with a 'true' argument at [Z] +does not restore it. + +Due to the lack of documentation, what chg_det.opmode does exactly is not +clear, however by code inspection it seems reasonable that is disables +something needed to keep the communication working, and testing proves that +disabling these lines lets gadget mode keep working. So prevent changes to +chg_det.opmode when there is a cable connected (VBUS present). + +Fixes: 98898f3bc83c ("phy: rockchip-inno-usb2: support otg-port for rk3399") +Cc: stable@vger.kernel.org +Closes: https://lore.kernel.org/lkml/20250414185458.7767aabc@booty/ +Signed-off-by: Luca Ceresoli +Reviewed-by: Théo Lebrun +Link: https://patch.msgid.link/20251127-rk3308-fix-usb-gadget-phy-disconnect-v2-2-dac8a02cd2ca@bootlin.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -831,7 +831,8 @@ static void rockchip_chg_detect_work(str + if (!rport->suspended) + rockchip_usb2phy_power_off(rport->phy); + /* put the controller in non-driving mode */ +- property_enable(base, &rphy->phy_cfg->chg_det.opmode, false); ++ if (!vbus_attach) ++ property_enable(base, &rphy->phy_cfg->chg_det.opmode, false); + /* Start DCD processing stage 1 */ + rockchip_chg_enable_dcd(rphy, true); + rphy->chg_state = USB_CHG_STATE_WAIT_FOR_DCD; +@@ -894,7 +895,8 @@ static void rockchip_chg_detect_work(str + fallthrough; + case USB_CHG_STATE_DETECTED: + /* put the controller in normal mode */ +- property_enable(base, &rphy->phy_cfg->chg_det.opmode, true); ++ if (!vbus_attach) ++ property_enable(base, &rphy->phy_cfg->chg_det.opmode, true); + rockchip_usb2phy_otg_sm_work(&rport->otg_sm_work.work); + dev_dbg(&rport->phy->dev, "charger = %s\n", + chg_to_string(rphy->chg_type)); diff --git a/queue-6.18/phy-rockchip-inno-usb2-fix-disconnection-in-gadget-mode.patch b/queue-6.18/phy-rockchip-inno-usb2-fix-disconnection-in-gadget-mode.patch new file mode 100644 index 0000000000..8ce032c437 --- /dev/null +++ b/queue-6.18/phy-rockchip-inno-usb2-fix-disconnection-in-gadget-mode.patch @@ -0,0 +1,88 @@ +From 028e8ca7b20fb7324f3e5db34ba8bd366d9d3acc Mon Sep 17 00:00:00 2001 +From: Louis Chauvet +Date: Thu, 27 Nov 2025 11:26:16 +0100 +Subject: phy: rockchip: inno-usb2: fix disconnection in gadget mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Louis Chauvet + +commit 028e8ca7b20fb7324f3e5db34ba8bd366d9d3acc upstream. + +When the OTG USB port is used to power the SoC, configured as peripheral +and used in gadget mode, there is a disconnection about 6 seconds after the +gadget is configured and enumerated. + +The problem was observed on a Radxa Rock Pi S board, which can only be +powered by the only USB-C connector. That connector is the only one usable +in gadget mode. This implies the USB cable is connected from before boot +and never disconnects while the kernel runs. + +The problem happens because of the PHY driver code flow, summarized as: + + * UDC start code (triggered via configfs at any time after boot) + -> phy_init + -> rockchip_usb2phy_init + -> schedule_delayed_work(otg_sm_work [A], 6 sec) + -> phy_power_on + -> rockchip_usb2phy_power_on + -> enable clock + -> rockchip_usb2phy_reset + + * Now the gadget interface is up and running. + + * 6 seconds later otg_sm_work starts [A] + -> rockchip_usb2phy_otg_sm_work(): + if (B_IDLE state && VBUS present && ...): + schedule_delayed_work(&rport->chg_work [B], 0); + + * immediately the chg_detect_work starts [B] + -> rockchip_chg_detect_work(): + if chg_state is UNDEFINED: + if (!rport->suspended): + rockchip_usb2phy_power_off() <--- [X] + +At [X], the PHY is powered off, causing a disconnection. This quickly +triggers a new connection and following re-enumeration, but any connection +that had been established during the 6 seconds is broken. + +The code already checks for !rport->suspended (which, somewhat +counter-intuitively, means the PHY is powered on), so add a guard for VBUS +as well to avoid a disconnection when a cable is connected. + +Fixes: 98898f3bc83c ("phy: rockchip-inno-usb2: support otg-port for rk3399") +Cc: stable@vger.kernel.org +Closes: https://lore.kernel.org/lkml/20250414185458.7767aabc@booty/ +Signed-off-by: Louis Chauvet +Co-developed-by: Luca Ceresoli +Signed-off-by: Luca Ceresoli +Reviewed-by: Théo Lebrun +Link: https://patch.msgid.link/20251127-rk3308-fix-usb-gadget-phy-disconnect-v2-1-dac8a02cd2ca@bootlin.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -821,14 +821,16 @@ static void rockchip_chg_detect_work(str + container_of(work, struct rockchip_usb2phy_port, chg_work.work); + struct rockchip_usb2phy *rphy = dev_get_drvdata(rport->phy->dev.parent); + struct regmap *base = get_reg_base(rphy); +- bool is_dcd, tmout, vout; ++ bool is_dcd, tmout, vout, vbus_attach; + unsigned long delay; + ++ vbus_attach = property_enabled(rphy->grf, &rport->port_cfg->utmi_bvalid); ++ + dev_dbg(&rport->phy->dev, "chg detection work state = %d\n", + rphy->chg_state); + switch (rphy->chg_state) { + case USB_CHG_STATE_UNDEFINED: +- if (!rport->suspended) ++ if (!rport->suspended && !vbus_attach) + rockchip_usb2phy_power_off(rport->phy); + /* put the controller in non-driving mode */ + if (!vbus_attach) diff --git a/queue-6.18/phy-tegra-xusb-explicitly-configure-hs_discon_level-to-0x7.patch b/queue-6.18/phy-tegra-xusb-explicitly-configure-hs_discon_level-to-0x7.patch new file mode 100644 index 0000000000..115786f86e --- /dev/null +++ b/queue-6.18/phy-tegra-xusb-explicitly-configure-hs_discon_level-to-0x7.patch @@ -0,0 +1,45 @@ +From b246caa68037aa495390a60d080acaeb84f45fff Mon Sep 17 00:00:00 2001 +From: Wayne Chang +Date: Fri, 12 Dec 2025 11:21:16 +0800 +Subject: phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7 + +From: Wayne Chang + +commit b246caa68037aa495390a60d080acaeb84f45fff upstream. + +The USB2 Bias Pad Control register manages analog parameters for signal +detection. Previously, the HS_DISCON_LEVEL relied on hardware reset +values, which may lead to the detection failure. + +Explicitly configure HS_DISCON_LEVEL to 0x7. This ensures the disconnect +threshold is sufficient to guarantee reliable detection. + +Fixes: bbf711682cd5 ("phy: tegra: xusb: Add Tegra186 support") +Cc: stable@vger.kernel.org +Signed-off-by: Wayne Chang +Link: https://patch.msgid.link/20251212032116.768307-1-waynec@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/tegra/xusb-tegra186.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/phy/tegra/xusb-tegra186.c ++++ b/drivers/phy/tegra/xusb-tegra186.c +@@ -84,6 +84,7 @@ + #define XUSB_PADCTL_USB2_BIAS_PAD_CTL0 0x284 + #define BIAS_PAD_PD BIT(11) + #define HS_SQUELCH_LEVEL(x) (((x) & 0x7) << 0) ++#define HS_DISCON_LEVEL(x) (((x) & 0x7) << 3) + + #define XUSB_PADCTL_USB2_BIAS_PAD_CTL1 0x288 + #define USB2_TRK_START_TIMER(x) (((x) & 0x7f) << 12) +@@ -623,6 +624,8 @@ static void tegra186_utmi_bias_pad_power + value &= ~BIAS_PAD_PD; + value &= ~HS_SQUELCH_LEVEL(~0); + value |= HS_SQUELCH_LEVEL(priv->calib.hs_squelch); ++ value &= ~HS_DISCON_LEVEL(~0); ++ value |= HS_DISCON_LEVEL(0x7); + padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL0); + + udelay(1); diff --git a/queue-6.18/phy-ti-gmii-sel-fix-regmap-leak-on-probe-failure.patch b/queue-6.18/phy-ti-gmii-sel-fix-regmap-leak-on-probe-failure.patch new file mode 100644 index 0000000000..9051d1299b --- /dev/null +++ b/queue-6.18/phy-ti-gmii-sel-fix-regmap-leak-on-probe-failure.patch @@ -0,0 +1,37 @@ +From 4914d67da947031d6f645c81c74f7879e0844d5d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 27 Nov 2025 14:48:34 +0100 +Subject: phy: ti: gmii-sel: fix regmap leak on probe failure + +From: Johan Hovold + +commit 4914d67da947031d6f645c81c74f7879e0844d5d upstream. + +The mmio regmap that may be allocated during probe is never freed. + +Switch to using the device managed allocator so that the regmap is +released on probe failures (e.g. probe deferral) and on driver unbind. + +Fixes: 5ab90f40121a ("phy: ti: gmii-sel: Do not use syscon helper to build regmap") +Cc: stable@vger.kernel.org # 6.14 +Cc: Andrew Davis +Signed-off-by: Johan Hovold +Acked-by: Andrew Davis +Link: https://patch.msgid.link/20251127134834.2030-1-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/ti/phy-gmii-sel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/phy/ti/phy-gmii-sel.c ++++ b/drivers/phy/ti/phy-gmii-sel.c +@@ -512,7 +512,7 @@ static int phy_gmii_sel_probe(struct pla + return dev_err_probe(dev, PTR_ERR(base), + "failed to get base memory resource\n"); + +- priv->regmap = regmap_init_mmio(dev, base, &phy_gmii_sel_regmap_cfg); ++ priv->regmap = devm_regmap_init_mmio(dev, base, &phy_gmii_sel_regmap_cfg); + if (IS_ERR(priv->regmap)) + return dev_err_probe(dev, PTR_ERR(priv->regmap), + "Failed to get syscon\n"); diff --git a/queue-6.18/scsi-core-fix-error-handler-encryption-support.patch b/queue-6.18/scsi-core-fix-error-handler-encryption-support.patch new file mode 100644 index 0000000000..799a4096c7 --- /dev/null +++ b/queue-6.18/scsi-core-fix-error-handler-encryption-support.patch @@ -0,0 +1,105 @@ +From 9a49157deeb23581fc5c8189b486340d7343264a Mon Sep 17 00:00:00 2001 +From: Brian Kao +Date: Thu, 18 Dec 2025 03:17:23 +0000 +Subject: scsi: core: Fix error handler encryption support + +From: Brian Kao + +commit 9a49157deeb23581fc5c8189b486340d7343264a upstream. + +Some low-level drivers (LLD) access block layer crypto fields, such as +rq->crypt_keyslot and rq->crypt_ctx within `struct request`, to +configure hardware for inline encryption. However, SCSI Error Handling +(EH) commands (e.g., TEST UNIT READY, START STOP UNIT) should not +involve any encryption setup. + +To prevent drivers from erroneously applying crypto settings during EH, +this patch saves the original values of rq->crypt_keyslot and +rq->crypt_ctx before an EH command is prepared via scsi_eh_prep_cmnd(). +These fields in the 'struct request' are then set to NULL. The original +values are restored in scsi_eh_restore_cmnd() after the EH command +completes. + +This ensures that the block layer crypto context does not leak into EH +command execution. + +Signed-off-by: Brian Kao +Link: https://patch.msgid.link/20251218031726.2642834-1-powenkao@google.com +Cc: stable@vger.kernel.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_error.c | 24 ++++++++++++++++++++++++ + include/scsi/scsi_eh.h | 6 ++++++ + 2 files changed, 30 insertions(+) + +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -1060,6 +1060,9 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd + unsigned char *cmnd, int cmnd_size, unsigned sense_bytes) + { + struct scsi_device *sdev = scmd->device; ++#ifdef CONFIG_BLK_INLINE_ENCRYPTION ++ struct request *rq = scsi_cmd_to_rq(scmd); ++#endif + + /* + * We need saved copies of a number of fields - this is because +@@ -1112,6 +1115,18 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd + (sdev->lun << 5 & 0xe0); + + /* ++ * Encryption must be disabled for the commands submitted by the error handler. ++ * Hence, clear the encryption context information. ++ */ ++#ifdef CONFIG_BLK_INLINE_ENCRYPTION ++ ses->rq_crypt_keyslot = rq->crypt_keyslot; ++ ses->rq_crypt_ctx = rq->crypt_ctx; ++ ++ rq->crypt_keyslot = NULL; ++ rq->crypt_ctx = NULL; ++#endif ++ ++ /* + * Zero the sense buffer. The scsi spec mandates that any + * untransferred sense data should be interpreted as being zero. + */ +@@ -1128,6 +1143,10 @@ EXPORT_SYMBOL(scsi_eh_prep_cmnd); + */ + void scsi_eh_restore_cmnd(struct scsi_cmnd* scmd, struct scsi_eh_save *ses) + { ++#ifdef CONFIG_BLK_INLINE_ENCRYPTION ++ struct request *rq = scsi_cmd_to_rq(scmd); ++#endif ++ + /* + * Restore original data + */ +@@ -1140,6 +1159,11 @@ void scsi_eh_restore_cmnd(struct scsi_cm + scmd->underflow = ses->underflow; + scmd->prot_op = ses->prot_op; + scmd->eh_eflags = ses->eh_eflags; ++ ++#ifdef CONFIG_BLK_INLINE_ENCRYPTION ++ rq->crypt_keyslot = ses->rq_crypt_keyslot; ++ rq->crypt_ctx = ses->rq_crypt_ctx; ++#endif + } + EXPORT_SYMBOL(scsi_eh_restore_cmnd); + +--- a/include/scsi/scsi_eh.h ++++ b/include/scsi/scsi_eh.h +@@ -41,6 +41,12 @@ struct scsi_eh_save { + unsigned char cmnd[32]; + struct scsi_data_buffer sdb; + struct scatterlist sense_sgl; ++ ++ /* struct request fields */ ++#ifdef CONFIG_BLK_INLINE_ENCRYPTION ++ struct bio_crypt_ctx *rq_crypt_ctx; ++ struct blk_crypto_keyslot *rq_crypt_keyslot; ++#endif + }; + + extern void scsi_eh_prep_cmnd(struct scsi_cmnd *scmd, diff --git a/queue-6.18/selftests-kvm-replace-numbered-sync-points-with-actions.patch b/queue-6.18/selftests-kvm-replace-numbered-sync-points-with-actions.patch new file mode 100644 index 0000000000..f5dec515b5 --- /dev/null +++ b/queue-6.18/selftests-kvm-replace-numbered-sync-points-with-actions.patch @@ -0,0 +1,204 @@ +From a1025dcd377ef92d9a09af03b70ce80be281ee22 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 24 Dec 2025 00:44:49 +0100 +Subject: selftests: kvm: replace numbered sync points with actions + +From: Paolo Bonzini + +commit a1025dcd377ef92d9a09af03b70ce80be281ee22 upstream. + +Rework the guest=>host syncs in the AMX test to use named actions instead +of arbitrary, incrementing numbers. The "stage" of the test has no real +meaning, what matters is what action the test wants the host to perform. +The incrementing numbers are somewhat helpful for triaging failures, but +fully debugging failures almost always requires a much deeper dive into +the test (and KVM). + +Using named actions not only makes it easier to extend the test without +having to shift all sync point numbers, it makes the code easier to read. + +[Commit message by Sean Christopherson] + +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/kvm/x86/amx_test.c | 88 ++++++++++++++--------------- + 1 file changed, 43 insertions(+), 45 deletions(-) + +--- a/tools/testing/selftests/kvm/x86/amx_test.c ++++ b/tools/testing/selftests/kvm/x86/amx_test.c +@@ -124,6 +124,14 @@ static void set_tilecfg(struct tile_conf + } + } + ++enum { ++ /* Check TMM0 against tiledata */ ++ TEST_COMPARE_TILEDATA = 1, ++ ++ /* Full VM save/restore */ ++ TEST_SAVE_RESTORE = 2, ++}; ++ + static void __attribute__((__flatten__)) guest_code(struct tile_config *amx_cfg, + struct tile_data *tiledata, + struct xstate *xstate) +@@ -131,20 +139,20 @@ static void __attribute__((__flatten__)) + GUEST_ASSERT(this_cpu_has(X86_FEATURE_XSAVE) && + this_cpu_has(X86_FEATURE_OSXSAVE)); + check_xtile_info(); +- GUEST_SYNC(1); ++ GUEST_SYNC(TEST_SAVE_RESTORE); + + /* xfd=0, enable amx */ + wrmsr(MSR_IA32_XFD, 0); +- GUEST_SYNC(2); ++ GUEST_SYNC(TEST_SAVE_RESTORE); + GUEST_ASSERT(rdmsr(MSR_IA32_XFD) == 0); + set_tilecfg(amx_cfg); + __ldtilecfg(amx_cfg); +- GUEST_SYNC(3); ++ GUEST_SYNC(TEST_SAVE_RESTORE); + /* Check save/restore when trap to userspace */ + __tileloadd(tiledata); +- GUEST_SYNC(4); ++ GUEST_SYNC(TEST_COMPARE_TILEDATA | TEST_SAVE_RESTORE); + __tilerelease(); +- GUEST_SYNC(5); ++ GUEST_SYNC(TEST_SAVE_RESTORE); + /* + * After XSAVEC, XTILEDATA is cleared in the xstate_bv but is set in + * the xcomp_bv. +@@ -154,6 +162,8 @@ static void __attribute__((__flatten__)) + GUEST_ASSERT(!(xstate->header.xstate_bv & XFEATURE_MASK_XTILE_DATA)); + GUEST_ASSERT(xstate->header.xcomp_bv & XFEATURE_MASK_XTILE_DATA); + ++ /* #NM test */ ++ + /* xfd=0x40000, disable amx tiledata */ + wrmsr(MSR_IA32_XFD, XFEATURE_MASK_XTILE_DATA); + +@@ -166,13 +176,13 @@ static void __attribute__((__flatten__)) + GUEST_ASSERT(!(xstate->header.xstate_bv & XFEATURE_MASK_XTILE_DATA)); + GUEST_ASSERT((xstate->header.xcomp_bv & XFEATURE_MASK_XTILE_DATA)); + +- GUEST_SYNC(6); ++ GUEST_SYNC(TEST_SAVE_RESTORE); + GUEST_ASSERT(rdmsr(MSR_IA32_XFD) == XFEATURE_MASK_XTILE_DATA); + set_tilecfg(amx_cfg); + __ldtilecfg(amx_cfg); + /* Trigger #NM exception */ + __tileloadd(tiledata); +- GUEST_SYNC(10); ++ GUEST_SYNC(TEST_COMPARE_TILEDATA | TEST_SAVE_RESTORE); + + GUEST_DONE(); + } +@@ -180,18 +190,18 @@ static void __attribute__((__flatten__)) + void guest_nm_handler(struct ex_regs *regs) + { + /* Check if #NM is triggered by XFEATURE_MASK_XTILE_DATA */ +- GUEST_SYNC(7); ++ GUEST_SYNC(TEST_SAVE_RESTORE); + GUEST_ASSERT(!(get_cr0() & X86_CR0_TS)); + GUEST_ASSERT(rdmsr(MSR_IA32_XFD_ERR) == XFEATURE_MASK_XTILE_DATA); + GUEST_ASSERT(rdmsr(MSR_IA32_XFD) == XFEATURE_MASK_XTILE_DATA); +- GUEST_SYNC(8); ++ GUEST_SYNC(TEST_SAVE_RESTORE); + GUEST_ASSERT(rdmsr(MSR_IA32_XFD_ERR) == XFEATURE_MASK_XTILE_DATA); + GUEST_ASSERT(rdmsr(MSR_IA32_XFD) == XFEATURE_MASK_XTILE_DATA); + /* Clear xfd_err */ + wrmsr(MSR_IA32_XFD_ERR, 0); + /* xfd=0, enable amx */ + wrmsr(MSR_IA32_XFD, 0); +- GUEST_SYNC(9); ++ GUEST_SYNC(TEST_SAVE_RESTORE); + } + + int main(int argc, char *argv[]) +@@ -244,6 +254,7 @@ int main(int argc, char *argv[]) + memset(addr_gva2hva(vm, xstate), 0, PAGE_SIZE * DIV_ROUND_UP(XSAVE_SIZE, PAGE_SIZE)); + vcpu_args_set(vcpu, 3, amx_cfg, tiledata, xstate); + ++ int iter = 0; + for (;;) { + vcpu_run(vcpu); + TEST_ASSERT_KVM_EXIT_REASON(vcpu, KVM_EXIT_IO); +@@ -253,20 +264,9 @@ int main(int argc, char *argv[]) + REPORT_GUEST_ASSERT(uc); + /* NOT REACHED */ + case UCALL_SYNC: +- switch (uc.args[1]) { +- case 1: +- case 2: +- case 3: +- case 5: +- case 6: +- case 7: +- case 8: +- fprintf(stderr, "GUEST_SYNC(%ld)\n", uc.args[1]); +- break; +- case 4: +- case 10: +- fprintf(stderr, +- "GUEST_SYNC(%ld), check save/restore status\n", uc.args[1]); ++ ++iter; ++ if (uc.args[1] & TEST_COMPARE_TILEDATA) { ++ fprintf(stderr, "GUEST_SYNC #%d, check TMM0 contents\n", iter); + + /* Compacted mode, get amx offset by xsave area + * size subtract 8K amx size. +@@ -279,11 +279,25 @@ int main(int argc, char *argv[]) + ret = memcmp(amx_start, tiles_data, TILE_SIZE); + TEST_ASSERT(ret == 0, "memcmp failed, ret=%d", ret); + kvm_x86_state_cleanup(state); +- break; +- case 9: +- fprintf(stderr, +- "GUEST_SYNC(%ld), #NM exception and enable amx\n", uc.args[1]); +- break; ++ } ++ if (uc.args[1] & TEST_SAVE_RESTORE) { ++ fprintf(stderr, "GUEST_SYNC #%d, save/restore VM state\n", iter); ++ state = vcpu_save_state(vcpu); ++ memset(®s1, 0, sizeof(regs1)); ++ vcpu_regs_get(vcpu, ®s1); ++ ++ kvm_vm_release(vm); ++ ++ /* Restore state in a new VM. */ ++ vcpu = vm_recreate_with_one_vcpu(vm); ++ vcpu_load_state(vcpu, state); ++ kvm_x86_state_cleanup(state); ++ ++ memset(®s2, 0, sizeof(regs2)); ++ vcpu_regs_get(vcpu, ®s2); ++ TEST_ASSERT(!memcmp(®s1, ®s2, sizeof(regs2)), ++ "Unexpected register values after vcpu_load_state; rdi: %lx rsi: %lx", ++ (ulong) regs2.rdi, (ulong) regs2.rsi); + } + break; + case UCALL_DONE: +@@ -293,22 +307,6 @@ int main(int argc, char *argv[]) + TEST_FAIL("Unknown ucall %lu", uc.cmd); + } + +- state = vcpu_save_state(vcpu); +- memset(®s1, 0, sizeof(regs1)); +- vcpu_regs_get(vcpu, ®s1); +- +- kvm_vm_release(vm); +- +- /* Restore state in a new VM. */ +- vcpu = vm_recreate_with_one_vcpu(vm); +- vcpu_load_state(vcpu, state); +- kvm_x86_state_cleanup(state); +- +- memset(®s2, 0, sizeof(regs2)); +- vcpu_regs_get(vcpu, ®s2); +- TEST_ASSERT(!memcmp(®s1, ®s2, sizeof(regs2)), +- "Unexpected register values after vcpu_load_state; rdi: %lx rsi: %lx", +- (ulong) regs2.rdi, (ulong) regs2.rsi); + } + done: + kvm_vm_free(vm); diff --git a/queue-6.18/selftests-kvm-try-getting-xfd-and-xsave-state-out-of-sync.patch b/queue-6.18/selftests-kvm-try-getting-xfd-and-xsave-state-out-of-sync.patch new file mode 100644 index 0000000000..f7e4915b2f --- /dev/null +++ b/queue-6.18/selftests-kvm-try-getting-xfd-and-xsave-state-out-of-sync.patch @@ -0,0 +1,103 @@ +From 0383a8edef396cf0a6884b0be81d62bde60737b0 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 31 Dec 2025 16:47:26 +0100 +Subject: selftests: kvm: try getting XFD and XSAVE state out of sync + +From: Paolo Bonzini + +commit 0383a8edef396cf0a6884b0be81d62bde60737b0 upstream. + +The host is allowed to set FPU state that includes a disabled +xstate component. Check that this does not cause bad effects. + +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/kvm/x86/amx_test.c | 38 ++++++++++++++++++++++------- + 1 file changed, 30 insertions(+), 8 deletions(-) + +--- a/tools/testing/selftests/kvm/x86/amx_test.c ++++ b/tools/testing/selftests/kvm/x86/amx_test.c +@@ -125,11 +125,17 @@ static void set_tilecfg(struct tile_conf + } + + enum { ++ /* Retrieve TMM0 from guest, stash it for TEST_RESTORE_TILEDATA */ ++ TEST_SAVE_TILEDATA = 1, ++ + /* Check TMM0 against tiledata */ +- TEST_COMPARE_TILEDATA = 1, ++ TEST_COMPARE_TILEDATA = 2, ++ ++ /* Restore TMM0 from earlier save */ ++ TEST_RESTORE_TILEDATA = 4, + + /* Full VM save/restore */ +- TEST_SAVE_RESTORE = 2, ++ TEST_SAVE_RESTORE = 8, + }; + + static void __attribute__((__flatten__)) guest_code(struct tile_config *amx_cfg, +@@ -150,7 +156,16 @@ static void __attribute__((__flatten__)) + GUEST_SYNC(TEST_SAVE_RESTORE); + /* Check save/restore when trap to userspace */ + __tileloadd(tiledata); +- GUEST_SYNC(TEST_COMPARE_TILEDATA | TEST_SAVE_RESTORE); ++ GUEST_SYNC(TEST_SAVE_TILEDATA | TEST_COMPARE_TILEDATA | TEST_SAVE_RESTORE); ++ ++ /* xfd=0x40000, disable amx tiledata */ ++ wrmsr(MSR_IA32_XFD, XFEATURE_MASK_XTILE_DATA); ++ ++ /* host tries setting tiledata while guest XFD is set */ ++ GUEST_SYNC(TEST_RESTORE_TILEDATA); ++ GUEST_SYNC(TEST_SAVE_RESTORE); ++ ++ wrmsr(MSR_IA32_XFD, 0); + __tilerelease(); + GUEST_SYNC(TEST_SAVE_RESTORE); + /* +@@ -210,10 +225,10 @@ int main(int argc, char *argv[]) + struct kvm_vcpu *vcpu; + struct kvm_vm *vm; + struct kvm_x86_state *state; ++ struct kvm_x86_state *tile_state = NULL; + int xsave_restore_size; + vm_vaddr_t amx_cfg, tiledata, xstate; + struct ucall uc; +- u32 amx_offset; + int ret; + + /* +@@ -265,20 +280,27 @@ int main(int argc, char *argv[]) + /* NOT REACHED */ + case UCALL_SYNC: + ++iter; ++ if (uc.args[1] & TEST_SAVE_TILEDATA) { ++ fprintf(stderr, "GUEST_SYNC #%d, save tiledata\n", iter); ++ tile_state = vcpu_save_state(vcpu); ++ } + if (uc.args[1] & TEST_COMPARE_TILEDATA) { + fprintf(stderr, "GUEST_SYNC #%d, check TMM0 contents\n", iter); + + /* Compacted mode, get amx offset by xsave area + * size subtract 8K amx size. + */ +- amx_offset = xsave_restore_size - NUM_TILES*TILE_SIZE; +- state = vcpu_save_state(vcpu); +- void *amx_start = (void *)state->xsave + amx_offset; ++ u32 amx_offset = xsave_restore_size - NUM_TILES*TILE_SIZE; ++ void *amx_start = (void *)tile_state->xsave + amx_offset; + void *tiles_data = (void *)addr_gva2hva(vm, tiledata); + /* Only check TMM0 register, 1 tile */ + ret = memcmp(amx_start, tiles_data, TILE_SIZE); + TEST_ASSERT(ret == 0, "memcmp failed, ret=%d", ret); +- kvm_x86_state_cleanup(state); ++ } ++ if (uc.args[1] & TEST_RESTORE_TILEDATA) { ++ fprintf(stderr, "GUEST_SYNC #%d, before KVM_SET_XSAVE\n", iter); ++ vcpu_xsave_set(vcpu, tile_state->xsave); ++ fprintf(stderr, "GUEST_SYNC #%d, after KVM_SET_XSAVE\n", iter); + } + if (uc.args[1] & TEST_SAVE_RESTORE) { + fprintf(stderr, "GUEST_SYNC #%d, save/restore VM state\n", iter); diff --git a/queue-6.18/series b/queue-6.18/series index f8c035dfa1..f125d3ea50 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -88,3 +88,61 @@ sched-deadline-avoid-double-update_rq_clock.patch sched-deadline-has-dynamic-priority.patch hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch selftests-bpf-fix-selftest-verif_scale_strobemeta-failure-with-llvm22.patch +scsi-core-fix-error-handler-encryption-support.patch +selftests-kvm-replace-numbered-sync-points-with-actions.patch +selftests-kvm-try-getting-xfd-and-xsave-state-out-of-sync.patch +alsa-pcm-improve-the-fix-for-race-of-buffer-access-at-pcm-oss-layer.patch +alsa-hda-tas2781-skip-uefi-calibration-on-asus-rog-xbox-ally-x.patch +alsa-hda-realtek-add-quirk-for-hp-pavilion-x360-to-enable-mute-led.patch +null_blk-fix-kmemleak-by-releasing-references-to-fault-configfs-items.patch +can-gs_usb-gs_usb_receive_bulk_callback-fix-urb-memory-leak.patch +can-ctucanfd-fix-ssp_src-in-cases-when-bit-rate-is-higher-than-1-mbit.patch +net-can-j1939-j1939_xtp_rx_rts_session_active-deactivate-session-upon-receiving-the-second-rts.patch +tools-testing-selftests-add-tests-for-tgt-src-mremap-merges.patch +tools-testing-selftests-add-forked-un-faulted-vma-merge-tests.patch +tools-testing-selftests-fix-gup_longterm-for-unknown-fs.patch +ftrace-do-not-over-allocate-ftrace-memory.patch +xfs-set-max_agbno-to-allow-sparse-alloc-of-last-full-inode-chunk.patch +xfs-fix-the-return-value-of-xfs_rtcopy_summary.patch +virtio-net-don-t-schedule-delayed-refill-worker.patch +lib-buildid-use-__kernel_read-for-sleepable-context.patch +x86-kaslr-recognize-all-zone_device-users-as-physaddr-consumers.patch +phy-rockchip-inno-usb2-fix-communication-disruption-in-gadget-mode.patch +phy-ti-gmii-sel-fix-regmap-leak-on-probe-failure.patch +phy-rockchip-inno-usb2-fix-a-double-free-bug-in-rockchip_usb2phy_probe.patch +phy-freescale-imx8m-pcie-assert-phy-reset-during-power-on.patch +phy-rockchip-inno-usb2-fix-disconnection-in-gadget-mode.patch +phy-fsl-imx8mq-usb-fix-typec-orientation-switch-when-built-as-module.patch +phy-tegra-xusb-explicitly-configure-hs_discon_level-to-0x7.patch +usb-host-xhci-tegra-use-platform_get_irq_optional-for-wake-irqs.patch +xhci-sideband-don-t-dereference-freed-ring-when-removing-sideband-endpoint.patch +usb-gadget-uvc-fix-interval_duration-calculation.patch +usb-gadget-uvc-fix-req_payload_size-calculation.patch +usb-dwc3-check-for-usb4-ip_name.patch +usb-core-add-usb_quirk_no_bos-for-devices-that-hang-on-bos-descriptor.patch +usb-ohci-uhci-add-soft-dependencies-on-ehci_platform.patch +usb-serial-option-add-telit-le910-mbim-composition.patch +usb-serial-ftdi_sio-add-support-for-picaxe-axe027-cable.patch +nvme-pci-disable-secondary-temp-for-wodposit-wpbsnm8.patch +asoc-codecs-wsa881x-fix-unnecessary-initialisation.patch +ext4-fix-ext4_tune_sb_params-padding.patch +ext4-fix-iloc.bh-leak-in-ext4_xattr_inode_update_ref.patch +hrtimer-fix-softirq-base-check-in-update_needs_ipi.patch +edac-x38-fix-a-resource-leak-in-x38_probe1.patch +edac-i3200-fix-a-resource-leak-in-i3200_probe1.patch +tcpm-allow-looking-for-role_sw-device-in-the-main-node.patch +i2c-riic-move-suspend-handling-to-noirq-phase.patch +x86-resctrl-add-missing-resctrl-initialization-for-hygon.patch +x86-resctrl-fix-memory-bandwidth-counter-width-for-hygon.patch +nvme-fix-pcie-subsystem-reset-controller-state-transition.patch +mm-kmsan-fix-poisoning-of-high-order-non-compound-pages.patch +mm-numa-memblock-include-asm-numa.h-for-numa_nodes_parsed.patch +mm-zswap-fix-error-pointer-free-in-zswap_cpu_comp_prepare.patch +mm-page_alloc-make-percpu_pagelist_high_fraction-reads-lock-free.patch +mm-damon-core-remove-call_control-in-inactive-contexts.patch +mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch +mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch +mm-damon-sysfs-cleanup-intervals-subdirs-on-attrs-dir-setup-failure.patch +mm-damon-sysfs-cleanup-attrs-subdirs-on-context-dir-setup-failure.patch +loongarch-fix-pmu-counter-allocation-for-mixed-type-event-groups.patch +loongarch-dts-describe-pci-sideband-irq-through-interrupt-extended.patch diff --git a/queue-6.18/tcpm-allow-looking-for-role_sw-device-in-the-main-node.patch b/queue-6.18/tcpm-allow-looking-for-role_sw-device-in-the-main-node.patch new file mode 100644 index 0000000000..c52430a90a --- /dev/null +++ b/queue-6.18/tcpm-allow-looking-for-role_sw-device-in-the-main-node.patch @@ -0,0 +1,40 @@ +From 1366cd228b0c67b60a2c0c26ef37fe9f7cfedb7f Mon Sep 17 00:00:00 2001 +From: Arnaud Ferraris +Date: Mon, 5 Jan 2026 09:43:23 +0100 +Subject: tcpm: allow looking for role_sw device in the main node + +From: Arnaud Ferraris + +commit 1366cd228b0c67b60a2c0c26ef37fe9f7cfedb7f upstream. + +If ports are defined in the tcpc main node, fwnode_usb_role_switch_get() +returns an error, meaning usb_role_switch_get() (which would succeed) +never gets a chance to run as port->role_sw isn't NULL, causing a +regression on devices where this is the case. + +Fix this by turning the NULL check into IS_ERR_OR_NULL(), so +usb_role_switch_get() can actually run and the device get properly probed. + +Fixes: 2d8713f807a4 ("tcpm: switch check for role_sw device with fw_node") +Cc: stable +Reviewed-by: Heikki Krogerus +Reviewed-by: Dragan Simic +Signed-off-by: Arnaud Ferraris +Link: https://patch.msgid.link/20260105-fix-ppp-power-v2-1-6924f5a41224@collabora.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -7877,7 +7877,7 @@ struct tcpm_port *tcpm_register_port(str + port->partner_desc.identity = &port->partner_ident; + + port->role_sw = fwnode_usb_role_switch_get(tcpc->fwnode); +- if (!port->role_sw) ++ if (IS_ERR_OR_NULL(port->role_sw)) + port->role_sw = usb_role_switch_get(port->dev); + if (IS_ERR(port->role_sw)) { + err = PTR_ERR(port->role_sw); diff --git a/queue-6.18/tools-testing-selftests-add-forked-un-faulted-vma-merge-tests.patch b/queue-6.18/tools-testing-selftests-add-forked-un-faulted-vma-merge-tests.patch new file mode 100644 index 0000000000..9309eacf87 --- /dev/null +++ b/queue-6.18/tools-testing-selftests-add-forked-un-faulted-vma-merge-tests.patch @@ -0,0 +1,365 @@ +From fb39444732f02c32a8312c168d97e33d872c14d3 Mon Sep 17 00:00:00 2001 +From: Lorenzo Stoakes +Date: Mon, 5 Jan 2026 20:11:50 +0000 +Subject: tools/testing/selftests: add forked (un)/faulted VMA merge tests + +From: Lorenzo Stoakes + +commit fb39444732f02c32a8312c168d97e33d872c14d3 upstream. + +Now we correctly handle forked faulted/unfaulted merge on mremap(), +exhaustively assert that we handle this correctly. + +Do this in the less duplicative way by adding a new merge_with_fork +fixture and forked/unforked variants, and abstract the forking logic as +necessary to avoid code duplication with this also. + +Link: https://lkml.kernel.org/r/1daf76d89fdb9d96f38a6a0152d8f3c2e9e30ac7.1767638272.git.lorenzo.stoakes@oracle.com +Fixes: 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") +Signed-off-by: Lorenzo Stoakes +Cc: David Hildenbrand (Red Hat) +Cc: Jann Horn +Cc: Jeongjun Park +Cc: Liam Howlett +Cc: Pedro Falcato +Cc: Rik van Riel +Cc: Vlastimil Babka +Cc: Yeoreum Yun +Cc: Harry Yoo +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/merge.c | 180 ++++++++++++++++++++++------- + 1 file changed, 139 insertions(+), 41 deletions(-) + +diff --git a/tools/testing/selftests/mm/merge.c b/tools/testing/selftests/mm/merge.c +index 22be149f7109..10b686102b79 100644 +--- a/tools/testing/selftests/mm/merge.c ++++ b/tools/testing/selftests/mm/merge.c +@@ -22,12 +22,37 @@ FIXTURE(merge) + struct procmap_fd procmap; + }; + ++static char *map_carveout(unsigned int page_size) ++{ ++ return mmap(NULL, 30 * page_size, PROT_NONE, ++ MAP_ANON | MAP_PRIVATE, -1, 0); ++} ++ ++static pid_t do_fork(struct procmap_fd *procmap) ++{ ++ pid_t pid = fork(); ++ ++ if (pid == -1) ++ return -1; ++ if (pid != 0) { ++ wait(NULL); ++ return pid; ++ } ++ ++ /* Reopen for child. */ ++ if (close_procmap(procmap)) ++ return -1; ++ if (open_self_procmap(procmap)) ++ return -1; ++ ++ return 0; ++} ++ + FIXTURE_SETUP(merge) + { + self->page_size = psize(); + /* Carve out PROT_NONE region to map over. */ +- self->carveout = mmap(NULL, 30 * self->page_size, PROT_NONE, +- MAP_ANON | MAP_PRIVATE, -1, 0); ++ self->carveout = map_carveout(self->page_size); + ASSERT_NE(self->carveout, MAP_FAILED); + /* Setup PROCMAP_QUERY interface. */ + ASSERT_EQ(open_self_procmap(&self->procmap), 0); +@@ -36,7 +61,8 @@ FIXTURE_SETUP(merge) + FIXTURE_TEARDOWN(merge) + { + ASSERT_EQ(munmap(self->carveout, 30 * self->page_size), 0); +- ASSERT_EQ(close_procmap(&self->procmap), 0); ++ /* May fail for parent of forked process. */ ++ close_procmap(&self->procmap); + /* + * Clear unconditionally, as some tests set this. It is no issue if this + * fails (KSM may be disabled for instance). +@@ -44,6 +70,44 @@ FIXTURE_TEARDOWN(merge) + prctl(PR_SET_MEMORY_MERGE, 0, 0, 0, 0); + } + ++FIXTURE(merge_with_fork) ++{ ++ unsigned int page_size; ++ char *carveout; ++ struct procmap_fd procmap; ++}; ++ ++FIXTURE_VARIANT(merge_with_fork) ++{ ++ bool forked; ++}; ++ ++FIXTURE_VARIANT_ADD(merge_with_fork, forked) ++{ ++ .forked = true, ++}; ++ ++FIXTURE_VARIANT_ADD(merge_with_fork, unforked) ++{ ++ .forked = false, ++}; ++ ++FIXTURE_SETUP(merge_with_fork) ++{ ++ self->page_size = psize(); ++ self->carveout = map_carveout(self->page_size); ++ ASSERT_NE(self->carveout, MAP_FAILED); ++ ASSERT_EQ(open_self_procmap(&self->procmap), 0); ++} ++ ++FIXTURE_TEARDOWN(merge_with_fork) ++{ ++ ASSERT_EQ(munmap(self->carveout, 30 * self->page_size), 0); ++ ASSERT_EQ(close_procmap(&self->procmap), 0); ++ /* See above. */ ++ prctl(PR_SET_MEMORY_MERGE, 0, 0, 0, 0); ++} ++ + TEST_F(merge, mprotect_unfaulted_left) + { + unsigned int page_size = self->page_size; +@@ -322,8 +386,8 @@ TEST_F(merge, forked_target_vma) + unsigned int page_size = self->page_size; + char *carveout = self->carveout; + struct procmap_fd *procmap = &self->procmap; +- pid_t pid; + char *ptr, *ptr2; ++ pid_t pid; + int i; + + /* +@@ -344,19 +408,10 @@ TEST_F(merge, forked_target_vma) + */ + ptr[0] = 'x'; + +- pid = fork(); ++ pid = do_fork(&self->procmap); + ASSERT_NE(pid, -1); +- +- if (pid != 0) { +- wait(NULL); ++ if (pid != 0) + return; +- } +- +- /* Child process below: */ +- +- /* Reopen for child. */ +- ASSERT_EQ(close_procmap(&self->procmap), 0); +- ASSERT_EQ(open_self_procmap(&self->procmap), 0); + + /* unCOWing everything does not cause the AVC to go away. */ + for (i = 0; i < 5 * page_size; i += page_size) +@@ -386,8 +441,8 @@ TEST_F(merge, forked_source_vma) + unsigned int page_size = self->page_size; + char *carveout = self->carveout; + struct procmap_fd *procmap = &self->procmap; +- pid_t pid; + char *ptr, *ptr2; ++ pid_t pid; + int i; + + /* +@@ -408,19 +463,10 @@ TEST_F(merge, forked_source_vma) + */ + ptr[0] = 'x'; + +- pid = fork(); ++ pid = do_fork(&self->procmap); + ASSERT_NE(pid, -1); +- +- if (pid != 0) { +- wait(NULL); ++ if (pid != 0) + return; +- } +- +- /* Child process below: */ +- +- /* Reopen for child. */ +- ASSERT_EQ(close_procmap(&self->procmap), 0); +- ASSERT_EQ(open_self_procmap(&self->procmap), 0); + + /* unCOWing everything does not cause the AVC to go away. */ + for (i = 0; i < 5 * page_size; i += page_size) +@@ -1171,10 +1217,11 @@ TEST_F(merge, mremap_correct_placed_faulted) + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr + 15 * page_size); + } + +-TEST_F(merge, mremap_faulted_to_unfaulted_prev) ++TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev) + { + struct procmap_fd *procmap = &self->procmap; + unsigned int page_size = self->page_size; ++ unsigned long offset; + char *ptr_a, *ptr_b; + + /* +@@ -1197,6 +1244,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev) + /* Fault it in. */ + ptr_a[0] = 'x'; + ++ if (variant->forked) { ++ pid_t pid = do_fork(&self->procmap); ++ ++ ASSERT_NE(pid, -1); ++ if (pid != 0) ++ return; ++ } ++ + /* + * Now move it out of the way so we can place VMA B in position, + * unfaulted. +@@ -1220,16 +1275,19 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev) + &self->carveout[page_size + 3 * page_size]); + ASSERT_NE(ptr_a, MAP_FAILED); + +- /* The VMAs should have merged. */ ++ /* The VMAs should have merged, if not forked. */ + ASSERT_TRUE(find_vma_procmap(procmap, ptr_b)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b); +- ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size); ++ ++ offset = variant->forked ? 3 * page_size : 6 * page_size; ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + offset); + } + +-TEST_F(merge, mremap_faulted_to_unfaulted_next) ++TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_next) + { + struct procmap_fd *procmap = &self->procmap; + unsigned int page_size = self->page_size; ++ unsigned long offset; + char *ptr_a, *ptr_b; + + /* +@@ -1253,6 +1311,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_next) + /* Fault it in. */ + ptr_a[0] = 'x'; + ++ if (variant->forked) { ++ pid_t pid = do_fork(&self->procmap); ++ ++ ASSERT_NE(pid, -1); ++ if (pid != 0) ++ return; ++ } ++ + /* + * Now move it out of the way so we can place VMA B in position, + * unfaulted. +@@ -1276,16 +1342,18 @@ TEST_F(merge, mremap_faulted_to_unfaulted_next) + &self->carveout[page_size]); + ASSERT_NE(ptr_a, MAP_FAILED); + +- /* The VMAs should have merged. */ ++ /* The VMAs should have merged, if not forked. */ + ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); +- ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 6 * page_size); ++ offset = variant->forked ? 3 * page_size : 6 * page_size; ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + offset); + } + +-TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next) ++TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev_unfaulted_next) + { + struct procmap_fd *procmap = &self->procmap; + unsigned int page_size = self->page_size; ++ unsigned long offset; + char *ptr_a, *ptr_b, *ptr_c; + + /* +@@ -1307,6 +1375,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next) + /* Fault it in. */ + ptr_b[0] = 'x'; + ++ if (variant->forked) { ++ pid_t pid = do_fork(&self->procmap); ++ ++ ASSERT_NE(pid, -1); ++ if (pid != 0) ++ return; ++ } ++ + /* + * Now move it out of the way so we can place VMAs A, C in position, + * unfaulted. +@@ -1337,13 +1413,21 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next) + &self->carveout[page_size + 3 * page_size]); + ASSERT_NE(ptr_b, MAP_FAILED); + +- /* The VMAs should have merged. */ ++ /* The VMAs should have merged, if not forked. */ + ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); +- ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); ++ offset = variant->forked ? 3 * page_size : 9 * page_size; ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + offset); ++ ++ /* If forked, B and C should also not have merged. */ ++ if (variant->forked) { ++ ASSERT_TRUE(find_vma_procmap(procmap, ptr_b)); ++ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b); ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 3 * page_size); ++ } + } + +-TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next) ++TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev_faulted_next) + { + struct procmap_fd *procmap = &self->procmap; + unsigned int page_size = self->page_size; +@@ -1373,6 +1457,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next) + /* Fault it in. */ + ptr_bc[0] = 'x'; + ++ if (variant->forked) { ++ pid_t pid = do_fork(&self->procmap); ++ ++ ASSERT_NE(pid, -1); ++ if (pid != 0) ++ return; ++ } ++ + /* + * Now move VMA B out the way (splitting VMA BC) so we can place VMA A + * in position, unfaulted, and leave the remainder of the VMA we just +@@ -1397,10 +1489,16 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next) + &self->carveout[page_size + 3 * page_size]); + ASSERT_NE(ptr_b, MAP_FAILED); + +- /* The VMAs should have merged. */ +- ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); +- ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); +- ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); ++ /* The VMAs should have merged. A,B,C if unforked, B, C if forked. */ ++ if (variant->forked) { ++ ASSERT_TRUE(find_vma_procmap(procmap, ptr_b)); ++ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b); ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size); ++ } else { ++ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); ++ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); ++ } + } + + TEST_HARNESS_MAIN +-- +2.52.0 + diff --git a/queue-6.18/tools-testing-selftests-add-tests-for-tgt-src-mremap-merges.patch b/queue-6.18/tools-testing-selftests-add-tests-for-tgt-src-mremap-merges.patch new file mode 100644 index 0000000000..1a25a1104c --- /dev/null +++ b/queue-6.18/tools-testing-selftests-add-tests-for-tgt-src-mremap-merges.patch @@ -0,0 +1,322 @@ +From 0ace8f2db6b3b4b0677e559d1a7ab7fd625d61ec Mon Sep 17 00:00:00 2001 +From: Lorenzo Stoakes +Date: Mon, 5 Jan 2026 20:11:48 +0000 +Subject: tools/testing/selftests: add tests for !tgt, src mremap() merges + +From: Lorenzo Stoakes + +commit 0ace8f2db6b3b4b0677e559d1a7ab7fd625d61ec upstream. + +Test that mremap()'ing a VMA into a position such that the target VMA on +merge is unfaulted and the source faulted is correctly performed. + +We cover 4 cases: + + 1. Previous VMA unfaulted: + + copied -----| + v + |-----------|.............| + | unfaulted |(faulted VMA)| + |-----------|.............| + prev + + target = prev, expand prev to cover. + + 2. Next VMA unfaulted: + + copied -----| + v + |.............|-----------| + |(faulted VMA)| unfaulted | + |.............|-----------| + next + + target = next, expand next to cover. + + 3. Both adjacent VMAs unfaulted: + + copied -----| + v + |-----------|.............|-----------| + | unfaulted |(faulted VMA)| unfaulted | + |-----------|.............|-----------| + prev next + + target = prev, expand prev to cover. + + 4. prev unfaulted, next faulted: + + copied -----| + v + |-----------|.............|-----------| + | unfaulted |(faulted VMA)| faulted | + |-----------|.............|-----------| + prev next + + target = prev, expand prev to cover. Essentially equivalent to 3, but + with additional requirement that next's anon_vma is the same as the + copied VMA's. + +Each of these are performed with MREMAP_DONTUNMAP set, which will cause a +KASAN assert for UAF or an assert on zero refcount anon_vma if a bug +exists with correctly propagating anon_vma state in each scenario. + +Link: https://lkml.kernel.org/r/f903af2930c7c2c6e0948c886b58d0f42d8e8ba3.1767638272.git.lorenzo.stoakes@oracle.com +Fixes: 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") +Signed-off-by: Lorenzo Stoakes +Cc: David Hildenbrand (Red Hat) +Cc: Jann Horn +Cc: Jeongjun Park +Cc: Liam Howlett +Cc: Pedro Falcato +Cc: Rik van Riel +Cc: Vlastimil Babka +Cc: Yeoreum Yun +Cc: Harry Yoo +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/merge.c | 232 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 232 insertions(+) + +--- a/tools/testing/selftests/mm/merge.c ++++ b/tools/testing/selftests/mm/merge.c +@@ -1171,4 +1171,236 @@ TEST_F(merge, mremap_correct_placed_faul + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr + 15 * page_size); + } + ++TEST_F(merge, mremap_faulted_to_unfaulted_prev) ++{ ++ struct procmap_fd *procmap = &self->procmap; ++ unsigned int page_size = self->page_size; ++ char *ptr_a, *ptr_b; ++ ++ /* ++ * mremap() such that A and B merge: ++ * ++ * |------------| ++ * | \ | ++ * |-----------| | / |---------| ++ * | unfaulted | v \ | faulted | ++ * |-----------| / |---------| ++ * B \ A ++ */ ++ ++ /* Map VMA A into place. */ ++ ptr_a = mmap(&self->carveout[page_size + 3 * page_size], ++ 3 * page_size, ++ PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_a, MAP_FAILED); ++ /* Fault it in. */ ++ ptr_a[0] = 'x'; ++ ++ /* ++ * Now move it out of the way so we can place VMA B in position, ++ * unfaulted. ++ */ ++ ptr_a = mremap(ptr_a, 3 * page_size, 3 * page_size, ++ MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]); ++ ASSERT_NE(ptr_a, MAP_FAILED); ++ ++ /* Map VMA B into place. */ ++ ptr_b = mmap(&self->carveout[page_size], 3 * page_size, ++ PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_b, MAP_FAILED); ++ ++ /* ++ * Now move VMA A into position with MREMAP_DONTUNMAP to catch incorrect ++ * anon_vma propagation. ++ */ ++ ptr_a = mremap(ptr_a, 3 * page_size, 3 * page_size, ++ MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP, ++ &self->carveout[page_size + 3 * page_size]); ++ ASSERT_NE(ptr_a, MAP_FAILED); ++ ++ /* The VMAs should have merged. */ ++ ASSERT_TRUE(find_vma_procmap(procmap, ptr_b)); ++ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b); ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size); ++} ++ ++TEST_F(merge, mremap_faulted_to_unfaulted_next) ++{ ++ struct procmap_fd *procmap = &self->procmap; ++ unsigned int page_size = self->page_size; ++ char *ptr_a, *ptr_b; ++ ++ /* ++ * mremap() such that A and B merge: ++ * ++ * |---------------------------| ++ * | \ | ++ * | |-----------| / |---------| ++ * v | unfaulted | \ | faulted | ++ * |-----------| / |---------| ++ * B \ A ++ * ++ * Then unmap VMA A to trigger the bug. ++ */ ++ ++ /* Map VMA A into place. */ ++ ptr_a = mmap(&self->carveout[page_size], 3 * page_size, ++ PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_a, MAP_FAILED); ++ /* Fault it in. */ ++ ptr_a[0] = 'x'; ++ ++ /* ++ * Now move it out of the way so we can place VMA B in position, ++ * unfaulted. ++ */ ++ ptr_a = mremap(ptr_a, 3 * page_size, 3 * page_size, ++ MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]); ++ ASSERT_NE(ptr_a, MAP_FAILED); ++ ++ /* Map VMA B into place. */ ++ ptr_b = mmap(&self->carveout[page_size + 3 * page_size], 3 * page_size, ++ PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_b, MAP_FAILED); ++ ++ /* ++ * Now move VMA A into position with MREMAP_DONTUNMAP to catch incorrect ++ * anon_vma propagation. ++ */ ++ ptr_a = mremap(ptr_a, 3 * page_size, 3 * page_size, ++ MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP, ++ &self->carveout[page_size]); ++ ASSERT_NE(ptr_a, MAP_FAILED); ++ ++ /* The VMAs should have merged. */ ++ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); ++ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 6 * page_size); ++} ++ ++TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next) ++{ ++ struct procmap_fd *procmap = &self->procmap; ++ unsigned int page_size = self->page_size; ++ char *ptr_a, *ptr_b, *ptr_c; ++ ++ /* ++ * mremap() with MREMAP_DONTUNMAP such that A, B and C merge: ++ * ++ * |---------------------------| ++ * | \ | ++ * |-----------| | |-----------| / |---------| ++ * | unfaulted | v | unfaulted | \ | faulted | ++ * |-----------| |-----------| / |---------| ++ * A C \ B ++ */ ++ ++ /* Map VMA B into place. */ ++ ptr_b = mmap(&self->carveout[page_size + 3 * page_size], 3 * page_size, ++ PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_b, MAP_FAILED); ++ /* Fault it in. */ ++ ptr_b[0] = 'x'; ++ ++ /* ++ * Now move it out of the way so we can place VMAs A, C in position, ++ * unfaulted. ++ */ ++ ptr_b = mremap(ptr_b, 3 * page_size, 3 * page_size, ++ MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]); ++ ASSERT_NE(ptr_b, MAP_FAILED); ++ ++ /* Map VMA A into place. */ ++ ++ ptr_a = mmap(&self->carveout[page_size], 3 * page_size, ++ PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_a, MAP_FAILED); ++ ++ /* Map VMA C into place. */ ++ ptr_c = mmap(&self->carveout[page_size + 3 * page_size + 3 * page_size], ++ 3 * page_size, PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_c, MAP_FAILED); ++ ++ /* ++ * Now move VMA B into position with MREMAP_DONTUNMAP to catch incorrect ++ * anon_vma propagation. ++ */ ++ ptr_b = mremap(ptr_b, 3 * page_size, 3 * page_size, ++ MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP, ++ &self->carveout[page_size + 3 * page_size]); ++ ASSERT_NE(ptr_b, MAP_FAILED); ++ ++ /* The VMAs should have merged. */ ++ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); ++ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); ++} ++ ++TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next) ++{ ++ struct procmap_fd *procmap = &self->procmap; ++ unsigned int page_size = self->page_size; ++ char *ptr_a, *ptr_b, *ptr_bc; ++ ++ /* ++ * mremap() with MREMAP_DONTUNMAP such that A, B and C merge: ++ * ++ * |---------------------------| ++ * | \ | ++ * |-----------| | |-----------| / |---------| ++ * | unfaulted | v | faulted | \ | faulted | ++ * |-----------| |-----------| / |---------| ++ * A C \ B ++ */ ++ ++ /* ++ * Map VMA B and C into place. We have to map them together so their ++ * anon_vma is the same and the vma->vm_pgoff's are correctly aligned. ++ */ ++ ptr_bc = mmap(&self->carveout[page_size + 3 * page_size], ++ 3 * page_size + 3 * page_size, ++ PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_bc, MAP_FAILED); ++ ++ /* Fault it in. */ ++ ptr_bc[0] = 'x'; ++ ++ /* ++ * Now move VMA B out the way (splitting VMA BC) so we can place VMA A ++ * in position, unfaulted, and leave the remainder of the VMA we just ++ * moved in place, faulted, as VMA C. ++ */ ++ ptr_b = mremap(ptr_bc, 3 * page_size, 3 * page_size, ++ MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]); ++ ASSERT_NE(ptr_b, MAP_FAILED); ++ ++ /* Map VMA A into place. */ ++ ptr_a = mmap(&self->carveout[page_size], 3 * page_size, ++ PROT_READ | PROT_WRITE, ++ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); ++ ASSERT_NE(ptr_a, MAP_FAILED); ++ ++ /* ++ * Now move VMA B into position with MREMAP_DONTUNMAP to catch incorrect ++ * anon_vma propagation. ++ */ ++ ptr_b = mremap(ptr_b, 3 * page_size, 3 * page_size, ++ MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP, ++ &self->carveout[page_size + 3 * page_size]); ++ ASSERT_NE(ptr_b, MAP_FAILED); ++ ++ /* The VMAs should have merged. */ ++ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); ++ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); ++ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); ++} ++ + TEST_HARNESS_MAIN diff --git a/queue-6.18/tools-testing-selftests-fix-gup_longterm-for-unknown-fs.patch b/queue-6.18/tools-testing-selftests-fix-gup_longterm-for-unknown-fs.patch new file mode 100644 index 0000000000..8a2cbd13d7 --- /dev/null +++ b/queue-6.18/tools-testing-selftests-fix-gup_longterm-for-unknown-fs.patch @@ -0,0 +1,63 @@ +From 21c68ad1d9771d331198cc73cbf6e908d7915f35 Mon Sep 17 00:00:00 2001 +From: Lorenzo Stoakes +Date: Tue, 6 Jan 2026 15:45:47 +0000 +Subject: tools/testing/selftests: fix gup_longterm for unknown fs + +From: Lorenzo Stoakes + +commit 21c68ad1d9771d331198cc73cbf6e908d7915f35 upstream. + +Commit 66bce7afbaca ("selftests/mm: fix test result reporting in +gup_longterm") introduced a small bug causing unknown filesystems to +always result in a test failure. + +This is because do_test() was updated to use a common reporting path, but +this case appears to have been missed. + +This is problematic for e.g. virtme-ng which uses an overlayfs file +system, causing gup_longterm to appear to fail each time due to a test +count mismatch: + + # Planned tests != run tests (50 != 46) + # Totals: pass:24 fail:0 xfail:0 xpass:0 skip:22 error:0 + +The fix is to simply change the return into a break. + +Link: https://lkml.kernel.org/r/20260106154547.214907-1-lorenzo.stoakes@oracle.com +Fixes: 66bce7afbaca ("selftests/mm: fix test result reporting in gup_longterm") +Signed-off-by: Lorenzo Stoakes +Reviewed-by: David Hildenbrand (Red Hat) +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: Liam Howlett +Cc: "Liam R. Howlett" +Cc: Mark Brown +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Peter Xu +Cc: Shuah Khan +Cc: Suren Baghdasaryan +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/gup_longterm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/mm/gup_longterm.c b/tools/testing/selftests/mm/gup_longterm.c +index 6279893a0adc..f61150d28eb2 100644 +--- a/tools/testing/selftests/mm/gup_longterm.c ++++ b/tools/testing/selftests/mm/gup_longterm.c +@@ -179,7 +179,7 @@ static void do_test(int fd, size_t size, enum test_type type, bool shared) + if (rw && shared && fs_is_unknown(fs_type)) { + ksft_print_msg("Unknown filesystem\n"); + result = KSFT_SKIP; +- return; ++ break; + } + /* + * R/O pinning or pinning in a private mapping is always +-- +2.52.0 + diff --git a/queue-6.18/usb-core-add-usb_quirk_no_bos-for-devices-that-hang-on-bos-descriptor.patch b/queue-6.18/usb-core-add-usb_quirk_no_bos-for-devices-that-hang-on-bos-descriptor.patch new file mode 100644 index 0000000000..bac7bcfdd2 --- /dev/null +++ b/queue-6.18/usb-core-add-usb_quirk_no_bos-for-devices-that-hang-on-bos-descriptor.patch @@ -0,0 +1,65 @@ +From 2740ac33c87b3d0dfa022efd6ba04c6261b1abbd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Johannes=20Br=C3=BCderl?= +Date: Sun, 7 Dec 2025 10:02:20 +0100 +Subject: usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johannes Brüderl + +commit 2740ac33c87b3d0dfa022efd6ba04c6261b1abbd upstream. + +Add USB_QUIRK_NO_BOS quirk flag to skip requesting the BOS descriptor +for devices that cannot handle it. + +Add Elgato 4K X (0fd9:009b) to the quirk table. This device hangs when +the BOS descriptor is requested at SuperSpeed Plus (10Gbps). + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220027 +Cc: stable +Signed-off-by: Johannes Brüderl +Link: https://patch.msgid.link/20251207090220.14807-1-johannes.bruederl@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/config.c | 5 +++++ + drivers/usb/core/quirks.c | 3 +++ + include/linux/usb/quirks.h | 3 +++ + 3 files changed, 11 insertions(+) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -1040,6 +1040,11 @@ int usb_get_bos_descriptor(struct usb_de + __u8 cap_type; + int ret; + ++ if (dev->quirks & USB_QUIRK_NO_BOS) { ++ dev_dbg(ddev, "skipping BOS descriptor\n"); ++ return -ENOMSG; ++ } ++ + bos = kzalloc(sizeof(*bos), GFP_KERNEL); + if (!bos) + return -ENOMEM; +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -450,6 +450,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0c45, 0x7056), .driver_info = + USB_QUIRK_IGNORE_REMOTE_WAKEUP }, + ++ /* Elgato 4K X - BOS descriptor fetch hangs at SuperSpeed Plus */ ++ { USB_DEVICE(0x0fd9, 0x009b), .driver_info = USB_QUIRK_NO_BOS }, ++ + /* Sony Xperia XZ1 Compact (lilac) smartphone in fastboot mode */ + { USB_DEVICE(0x0fce, 0x0dde), .driver_info = USB_QUIRK_NO_LPM }, + +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -75,4 +75,7 @@ + /* short SET_ADDRESS request timeout */ + #define USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT BIT(16) + ++/* skip BOS descriptor request */ ++#define USB_QUIRK_NO_BOS BIT(17) ++ + #endif /* __LINUX_USB_QUIRKS_H */ diff --git a/queue-6.18/usb-dwc3-check-for-usb4-ip_name.patch b/queue-6.18/usb-dwc3-check-for-usb4-ip_name.patch new file mode 100644 index 0000000000..1bce02d580 --- /dev/null +++ b/queue-6.18/usb-dwc3-check-for-usb4-ip_name.patch @@ -0,0 +1,44 @@ +From 0ed91d47959cb7573c17e06487f0fb891d59dfb3 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Fri, 2 Jan 2026 21:53:46 +0000 +Subject: usb: dwc3: Check for USB4 IP_NAME + +From: Thinh Nguyen + +commit 0ed91d47959cb7573c17e06487f0fb891d59dfb3 upstream. + +Synopsys renamed DWC_usb32 IP to DWC_usb4 as of IP version 1.30. No +functional change except checking for the IP_NAME here. The driver will +treat the new IP_NAME as if it's DWC_usb32. Additional features for USB4 +will be introduced and checked separately. + +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://patch.msgid.link/e6f1827754c7a7ddc5eb7382add20bfe3a9b312f.1767390747.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 2 ++ + drivers/usb/dwc3/core.h | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -991,6 +991,8 @@ static bool dwc3_core_is_valid(struct dw + + reg = dwc3_readl(dwc->regs, DWC3_GSNPSID); + dwc->ip = DWC3_GSNPS_ID(reg); ++ if (dwc->ip == DWC4_IP) ++ dwc->ip = DWC32_IP; + + /* This should read as U3 followed by revision number */ + if (DWC3_IP_IS(DWC3)) { +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -1265,6 +1265,7 @@ struct dwc3 { + #define DWC3_IP 0x5533 + #define DWC31_IP 0x3331 + #define DWC32_IP 0x3332 ++#define DWC4_IP 0x3430 + + u32 revision; + diff --git a/queue-6.18/usb-gadget-uvc-fix-interval_duration-calculation.patch b/queue-6.18/usb-gadget-uvc-fix-interval_duration-calculation.patch new file mode 100644 index 0000000000..9318507513 --- /dev/null +++ b/queue-6.18/usb-gadget-uvc-fix-interval_duration-calculation.patch @@ -0,0 +1,66 @@ +From 010dc57cb5163e5f4a32430dd5091cc29efd0471 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Tue, 13 Jan 2026 17:53:08 +0800 +Subject: usb: gadget: uvc: fix interval_duration calculation + +From: Xu Yang + +commit 010dc57cb5163e5f4a32430dd5091cc29efd0471 upstream. + +According to USB specification: + + For full-/high-speed isochronous endpoints, the bInterval value is + used as the exponent for a 2^(bInterval-1) value. + +To correctly convert bInterval as interval_duration: + interval_duration = 2^(bInterval-1) * frame_interval + +Because the unit of video->interval is 100ns, add a comment info to +make it clear. + +Fixes: 48dbe731171e ("usb: gadget: uvc: set req_size and n_requests based on the frame interval") +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Signed-off-by: Xu Yang +Link: https://patch.msgid.link/20260113-uvc-gadget-fix-patch-v2-2-62950ef5bcb5@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/uvc.h | 2 +- + drivers/usb/gadget/function/uvc_video.c | 7 +++++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/function/uvc.h ++++ b/drivers/usb/gadget/function/uvc.h +@@ -107,7 +107,7 @@ struct uvc_video { + unsigned int width; + unsigned int height; + unsigned int imagesize; +- unsigned int interval; ++ unsigned int interval; /* in 100ns units */ + struct mutex mutex; /* protects frame parameters */ + + unsigned int uvc_num_requests; +--- a/drivers/usb/gadget/function/uvc_video.c ++++ b/drivers/usb/gadget/function/uvc_video.c +@@ -499,7 +499,7 @@ uvc_video_prep_requests(struct uvc_video + { + struct uvc_device *uvc = container_of(video, struct uvc_device, video); + struct usb_composite_dev *cdev = uvc->func.config->cdev; +- unsigned int interval_duration = video->ep->desc->bInterval * 1250; ++ unsigned int interval_duration; + unsigned int max_req_size, req_size, header_size; + unsigned int nreq; + +@@ -515,8 +515,11 @@ uvc_video_prep_requests(struct uvc_video + return; + } + ++ interval_duration = 2 << (video->ep->desc->bInterval - 1); + if (cdev->gadget->speed < USB_SPEED_HIGH) +- interval_duration = video->ep->desc->bInterval * 10000; ++ interval_duration *= 10000; ++ else ++ interval_duration *= 1250; + + nreq = DIV_ROUND_UP(video->interval, interval_duration); + diff --git a/queue-6.18/usb-gadget-uvc-fix-req_payload_size-calculation.patch b/queue-6.18/usb-gadget-uvc-fix-req_payload_size-calculation.patch new file mode 100644 index 0000000000..9de5856952 --- /dev/null +++ b/queue-6.18/usb-gadget-uvc-fix-req_payload_size-calculation.patch @@ -0,0 +1,107 @@ +From 2edc1acb1a2512843425aa19d0c6060a0a924605 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Tue, 13 Jan 2026 17:53:07 +0800 +Subject: usb: gadget: uvc: fix req_payload_size calculation + +From: Xu Yang + +commit 2edc1acb1a2512843425aa19d0c6060a0a924605 upstream. + +Current req_payload_size calculation has 2 issue: + +(1) When the first time calculate req_payload_size for all the buffers, + reqs_per_frame = 0 will be the divisor of DIV_ROUND_UP(). So + the result is undefined. + This happens because VIDIOC_STREAMON is always executed after + VIDIOC_QBUF. So video->reqs_per_frame will be 0 until VIDIOC_STREAMON + is run. + +(2) The buf->req_payload_size may be bigger than max_req_size. + + Take YUYV pixel format as example: + If bInterval = 1, video->interval = 666666, high-speed: + video->reqs_per_frame = 666666 / 1250 = 534 + 720p: buf->req_payload_size = 1843200 / 534 = 3452 + 1080p: buf->req_payload_size = 4147200 / 534 = 7766 + + Based on such req_payload_size, the controller can't run normally. + +To fix above issue, assign max_req_size to buf->req_payload_size when +video->reqs_per_frame = 0. And limit buf->req_payload_size to +video->req_size if it's large than video->req_size. Since max_req_size +is used at many place, add it to struct uvc_video and set the value once +endpoint is enabled. + +Fixes: 98ad03291560 ("usb: gadget: uvc: set req_length based on payload by nreqs instead of req_size") +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Signed-off-by: Xu Yang +Link: https://patch.msgid.link/20260113-uvc-gadget-fix-patch-v2-1-62950ef5bcb5@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_uvc.c | 4 ++++ + drivers/usb/gadget/function/uvc.h | 1 + + drivers/usb/gadget/function/uvc_queue.c | 15 +++++++++++---- + drivers/usb/gadget/function/uvc_video.c | 4 +--- + 4 files changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -362,6 +362,10 @@ uvc_function_set_alt(struct usb_function + return ret; + usb_ep_enable(uvc->video.ep); + ++ uvc->video.max_req_size = uvc->video.ep->maxpacket ++ * max_t(unsigned int, uvc->video.ep->maxburst, 1) ++ * (uvc->video.ep->mult); ++ + memset(&v4l2_event, 0, sizeof(v4l2_event)); + v4l2_event.type = UVC_EVENT_STREAMON; + v4l2_event_queue(&uvc->vdev, &v4l2_event); +--- a/drivers/usb/gadget/function/uvc.h ++++ b/drivers/usb/gadget/function/uvc.h +@@ -117,6 +117,7 @@ struct uvc_video { + /* Requests */ + bool is_enabled; /* tracks whether video stream is enabled */ + unsigned int req_size; ++ unsigned int max_req_size; + struct list_head ureqs; /* all uvc_requests allocated by uvc_video */ + + /* USB requests that the video pump thread can encode into */ +--- a/drivers/usb/gadget/function/uvc_queue.c ++++ b/drivers/usb/gadget/function/uvc_queue.c +@@ -86,10 +86,17 @@ static int uvc_buffer_prepare(struct vb2 + buf->bytesused = 0; + } else { + buf->bytesused = vb2_get_plane_payload(vb, 0); +- buf->req_payload_size = +- DIV_ROUND_UP(buf->bytesused + +- (video->reqs_per_frame * UVCG_REQUEST_HEADER_LEN), +- video->reqs_per_frame); ++ ++ if (video->reqs_per_frame != 0) { ++ buf->req_payload_size = ++ DIV_ROUND_UP(buf->bytesused + ++ (video->reqs_per_frame * UVCG_REQUEST_HEADER_LEN), ++ video->reqs_per_frame); ++ if (buf->req_payload_size > video->req_size) ++ buf->req_payload_size = video->req_size; ++ } else { ++ buf->req_payload_size = video->max_req_size; ++ } + } + + return 0; +--- a/drivers/usb/gadget/function/uvc_video.c ++++ b/drivers/usb/gadget/function/uvc_video.c +@@ -503,9 +503,7 @@ uvc_video_prep_requests(struct uvc_video + unsigned int max_req_size, req_size, header_size; + unsigned int nreq; + +- max_req_size = video->ep->maxpacket +- * max_t(unsigned int, video->ep->maxburst, 1) +- * (video->ep->mult); ++ max_req_size = video->max_req_size; + + if (!usb_endpoint_xfer_isoc(video->ep->desc)) { + video->req_size = max_req_size; diff --git a/queue-6.18/usb-host-xhci-tegra-use-platform_get_irq_optional-for-wake-irqs.patch b/queue-6.18/usb-host-xhci-tegra-use-platform_get_irq_optional-for-wake-irqs.patch new file mode 100644 index 0000000000..031813f254 --- /dev/null +++ b/queue-6.18/usb-host-xhci-tegra-use-platform_get_irq_optional-for-wake-irqs.patch @@ -0,0 +1,44 @@ +From d13b6a128a12e528bb18f971f2969feb286f45c7 Mon Sep 17 00:00:00 2001 +From: Wayne Chang +Date: Mon, 12 Jan 2026 22:56:53 +0800 +Subject: usb: host: xhci-tegra: Use platform_get_irq_optional() for wake IRQs + +From: Wayne Chang + +commit d13b6a128a12e528bb18f971f2969feb286f45c7 upstream. + +When some wake IRQs are disabled in the device tree, the corresponding +interrupt entries are removed from DT. In such cases, the driver +currently calls platform_get_irq(), which returns -ENXIO and logs +an error like: + + tegra-xusb 3610000.usb: error -ENXIO: IRQ index 2 not found + +However, not all wake IRQs are mandatory. The hardware can operate +normally even if some wake sources are not defined in DT. To avoid this +false alarm and allow missing wake IRQs gracefully, use +platform_get_irq_optional() instead of platform_get_irq(). + +Fixes: 5df186e2ef11 ("usb: xhci: tegra: Support USB wakeup function for Tegra234") +Cc: stable +Signed-off-by: Wayne Chang +Signed-off-by: Wei-Cheng Chen +Reviewed-by: Jon Hunter +Tested-by: Jon Hunter +Link: https://patch.msgid.link/20260112145653.95691-1-weichengc@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-tegra.c ++++ b/drivers/usb/host/xhci-tegra.c +@@ -1564,7 +1564,7 @@ static int tegra_xusb_setup_wakeup(struc + for (i = 0; i < tegra->soc->max_num_wakes; i++) { + struct irq_data *data; + +- tegra->wake_irqs[i] = platform_get_irq(pdev, i + WAKE_IRQ_START_INDEX); ++ tegra->wake_irqs[i] = platform_get_irq_optional(pdev, i + WAKE_IRQ_START_INDEX); + if (tegra->wake_irqs[i] < 0) + break; + diff --git a/queue-6.18/usb-ohci-uhci-add-soft-dependencies-on-ehci_platform.patch b/queue-6.18/usb-ohci-uhci-add-soft-dependencies-on-ehci_platform.patch new file mode 100644 index 0000000000..a87998998c --- /dev/null +++ b/queue-6.18/usb-ohci-uhci-add-soft-dependencies-on-ehci_platform.patch @@ -0,0 +1,89 @@ +From 01ef7f1b8713a78ab1a9512cf8096d2474c70633 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Mon, 12 Jan 2026 16:48:02 +0800 +Subject: USB: OHCI/UHCI: Add soft dependencies on ehci_platform + +From: Huacai Chen + +commit 01ef7f1b8713a78ab1a9512cf8096d2474c70633 upstream. + +Commit 9beeee6584b9aa4f ("USB: EHCI: log a warning if ehci-hcd is not +loaded first") said that ehci-hcd should be loaded before ohci-hcd and +uhci-hcd. However, commit 05c92da0c52494ca ("usb: ohci/uhci - add soft +dependencies on ehci_pci") only makes ohci-pci/uhci-pci depend on ehci- +pci, which is not enough and we may still see the warnings in boot log. + +To eliminate the warnings we should make ohci-hcd/uhci-hcd depend on +ehci-hcd. But Alan said that the warning introduced by 9beeee6584b9aa4f +is bogus, we only need the soft dependencies in the PCI level rather +than the HCD level. + +However, there is really another neccessary soft dependencies between +ohci-platform/uhci-platform and ehci-platform, which is added by this +patch. The boot logs are below. + +1. ohci-platform loaded before ehci-platform: + + ohci-platform 1f058000.usb: Generic Platform OHCI controller + ohci-platform 1f058000.usb: new USB bus registered, assigned bus number 1 + ohci-platform 1f058000.usb: irq 28, io mem 0x1f058000 + hub 1-0:1.0: USB hub found + hub 1-0:1.0: 4 ports detected + Warning! ehci_hcd should always be loaded before uhci_hcd and ohci_hcd, not after + usb 1-4: new low-speed USB device number 2 using ohci-platform + ehci-platform 1f050000.usb: EHCI Host Controller + ehci-platform 1f050000.usb: new USB bus registered, assigned bus number 2 + ehci-platform 1f050000.usb: irq 29, io mem 0x1f050000 + ehci-platform 1f050000.usb: USB 2.0 started, EHCI 1.00 + usb 1-4: device descriptor read/all, error -62 + hub 2-0:1.0: USB hub found + hub 2-0:1.0: 4 ports detected + usb 1-4: new low-speed USB device number 3 using ohci-platform + input: YSPRINGTECH USB OPTICAL MOUSE as /devices/platform/bus@10000000/1f058000.usb/usb1/1-4/1-4:1.0/0003:10C4:8105.0001/input/input0 + hid-generic 0003:10C4:8105.0001: input,hidraw0: USB HID v1.11 Mouse [YSPRINGTECH USB OPTICAL MOUSE] on usb-1f058000.usb-4/input0 + +2. ehci-platform loaded before ohci-platform: + + ehci-platform 1f050000.usb: EHCI Host Controller + ehci-platform 1f050000.usb: new USB bus registered, assigned bus number 1 + ehci-platform 1f050000.usb: irq 28, io mem 0x1f050000 + ehci-platform 1f050000.usb: USB 2.0 started, EHCI 1.00 + hub 1-0:1.0: USB hub found + hub 1-0:1.0: 4 ports detected + ohci-platform 1f058000.usb: Generic Platform OHCI controller + ohci-platform 1f058000.usb: new USB bus registered, assigned bus number 2 + ohci-platform 1f058000.usb: irq 29, io mem 0x1f058000 + hub 2-0:1.0: USB hub found + hub 2-0:1.0: 4 ports detected + usb 2-4: new low-speed USB device number 2 using ohci-platform + input: YSPRINGTECH USB OPTICAL MOUSE as /devices/platform/bus@10000000/1f058000.usb/usb2/2-4/2-4:1.0/0003:10C4:8105.0001/input/input0 + hid-generic 0003:10C4:8105.0001: input,hidraw0: USB HID v1.11 Mouse [YSPRINGTECH USB OPTICAL MOUSE] on usb-1f058000.usb-4/input0 + +In the later case, there is no re-connection for USB-1.0/1.1 devices, +which is expected. + +Cc: stable +Reported-by: Shengwen Xiao +Signed-off-by: Huacai Chen +Reviewed-by: Alan Stern +Link: https://patch.msgid.link/20260112084802.1995923-1-chenhuacai@loongson.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/ohci-platform.c | 1 + + drivers/usb/host/uhci-platform.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/usb/host/ohci-platform.c ++++ b/drivers/usb/host/ohci-platform.c +@@ -376,3 +376,4 @@ MODULE_DESCRIPTION(DRIVER_DESC); + MODULE_AUTHOR("Hauke Mehrtens"); + MODULE_AUTHOR("Alan Stern"); + MODULE_LICENSE("GPL"); ++MODULE_SOFTDEP("pre: ehci_platform"); +--- a/drivers/usb/host/uhci-platform.c ++++ b/drivers/usb/host/uhci-platform.c +@@ -191,3 +191,4 @@ static struct platform_driver uhci_platf + .of_match_table = platform_uhci_ids, + }, + }; ++MODULE_SOFTDEP("pre: ehci_platform"); diff --git a/queue-6.18/usb-serial-ftdi_sio-add-support-for-picaxe-axe027-cable.patch b/queue-6.18/usb-serial-ftdi_sio-add-support-for-picaxe-axe027-cable.patch new file mode 100644 index 0000000000..1c96f0a56b --- /dev/null +++ b/queue-6.18/usb-serial-ftdi_sio-add-support-for-picaxe-axe027-cable.patch @@ -0,0 +1,43 @@ +From c0afe95e62984ceea171c3ea319beaf84a21181c Mon Sep 17 00:00:00 2001 +From: Ethan Nelson-Moore +Date: Wed, 10 Dec 2025 18:01:17 -0800 +Subject: USB: serial: ftdi_sio: add support for PICAXE AXE027 cable + +From: Ethan Nelson-Moore + +commit c0afe95e62984ceea171c3ea319beaf84a21181c upstream. + +The vendor provides instructions to write "0403 bd90" to +/sys/bus/usb-serial/drivers/ftdi_sio/new_id; see: +https://picaxe.com/docs/picaxe_linux_instructions.pdf + +Cc: stable@vger.kernel.org +Signed-off-by: Ethan Nelson-Moore +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio_ids.h | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -850,6 +850,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID, 1) }, + { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID, 1) }, + { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID, 1) }, ++ { USB_DEVICE(FTDI_VID, FTDI_AXE027_PID) }, + { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TURTELIZER_PID, 1) }, + { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) }, + { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -96,6 +96,8 @@ + #define LMI_LM3S_EVAL_BOARD_PID 0xbcd9 + #define LMI_LM3S_ICDI_BOARD_PID 0xbcda + ++#define FTDI_AXE027_PID 0xBD90 /* PICAXE AXE027 USB download cable */ ++ + #define FTDI_TURTELIZER_PID 0xBDC8 /* JTAG/RS-232 adapter by egnite GmbH */ + + /* OpenDCC (www.opendcc.de) product id */ diff --git a/queue-6.18/usb-serial-option-add-telit-le910-mbim-composition.patch b/queue-6.18/usb-serial-option-add-telit-le910-mbim-composition.patch new file mode 100644 index 0000000000..f6cc5f36bf --- /dev/null +++ b/queue-6.18/usb-serial-option-add-telit-le910-mbim-composition.patch @@ -0,0 +1,62 @@ +From 8af4274ab5999831f4757dfd5bd11665ba3b1569 Mon Sep 17 00:00:00 2001 +From: Ulrich Mohr +Date: Tue, 9 Dec 2025 21:08:41 +0100 +Subject: USB: serial: option: add Telit LE910 MBIM composition + +From: Ulrich Mohr + +commit 8af4274ab5999831f4757dfd5bd11665ba3b1569 upstream. + +Add support for Telit LE910 module when operating in MBIM composition +with additional ttys. This USB product ID is used by the module +when AT#USBCFG is set to 7. + +0x1252: MBIM + tty(NMEA) + tty(MODEM) + tty(MODEM) + SAP + +T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1252 Rev=03.18 +S: Manufacturer=Android +S: Product=LE910C1-EU +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms + +Signed-off-by: Ulrich Mohr +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1505,6 +1505,7 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1231, 0xff), /* Telit LE910Cx (RNDIS) */ + .driver_info = NCTRL(2) | RSVD(3) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x1250, 0xff, 0x00, 0x00) }, /* Telit LE910Cx (rmnet) */ ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1252, 0xff) }, /* Telit LE910Cx (MBIM) */ + { USB_DEVICE(TELIT_VENDOR_ID, 0x1260), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE(TELIT_VENDOR_ID, 0x1261), diff --git a/queue-6.18/virtio-net-don-t-schedule-delayed-refill-worker.patch b/queue-6.18/virtio-net-don-t-schedule-delayed-refill-worker.patch new file mode 100644 index 0000000000..0aa0357e41 --- /dev/null +++ b/queue-6.18/virtio-net-don-t-schedule-delayed-refill-worker.patch @@ -0,0 +1,117 @@ +From fcdef3bcbb2c04e06ae89f8faff2cd6416b3a467 Mon Sep 17 00:00:00 2001 +From: Bui Quang Minh +Date: Tue, 6 Jan 2026 22:04:36 +0700 +Subject: virtio-net: don't schedule delayed refill worker + +From: Bui Quang Minh + +commit fcdef3bcbb2c04e06ae89f8faff2cd6416b3a467 upstream. + +When we fail to refill the receive buffers, we schedule a delayed worker +to retry later. However, this worker creates some concurrency issues. +For example, when the worker runs concurrently with virtnet_xdp_set, +both need to temporarily disable queue's NAPI before enabling again. +Without proper synchronization, a deadlock can happen when +napi_disable() is called on an already disabled NAPI. That +napi_disable() call will be stuck and so will the subsequent +napi_enable() call. + +To simplify the logic and avoid further problems, we will instead retry +refilling in the next NAPI poll. + +Fixes: 4bc12818b363 ("virtio-net: disable delayed refill when pausing rx") +Reported-by: Paolo Abeni +Closes: https://lore.kernel.org/526b5396-459d-4d02-8635-a222d07b46d7@redhat.com +Cc: stable@vger.kernel.org +Suggested-by: Xuan Zhuo +Signed-off-by: Bui Quang Minh +Acked-by: Michael S. Tsirkin +Link: https://patch.msgid.link/20260106150438.7425-2-minhquangbui99@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 47 ++++++++++++++++++++++++----------------------- + 1 file changed, 24 insertions(+), 23 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -3037,16 +3037,16 @@ static int virtnet_receive(struct receiv + else + packets = virtnet_receive_packets(vi, rq, budget, xdp_xmit, &stats); + ++ u64_stats_set(&stats.packets, packets); + if (rq->vq->num_free > min((unsigned int)budget, virtqueue_get_vring_size(rq->vq)) / 2) { +- if (!try_fill_recv(vi, rq, GFP_ATOMIC)) { +- spin_lock(&vi->refill_lock); +- if (vi->refill_enabled) +- schedule_delayed_work(&vi->refill, 0); +- spin_unlock(&vi->refill_lock); +- } ++ if (!try_fill_recv(vi, rq, GFP_ATOMIC)) ++ /* We need to retry refilling in the next NAPI poll so ++ * we must return budget to make sure the NAPI is ++ * repolled. ++ */ ++ packets = budget; + } + +- u64_stats_set(&stats.packets, packets); + u64_stats_update_begin(&rq->stats.syncp); + for (i = 0; i < ARRAY_SIZE(virtnet_rq_stats_desc); i++) { + size_t offset = virtnet_rq_stats_desc[i].offset; +@@ -3226,9 +3226,10 @@ static int virtnet_open(struct net_devic + + for (i = 0; i < vi->max_queue_pairs; i++) { + if (i < vi->curr_queue_pairs) +- /* Make sure we have some buffers: if oom use wq. */ +- if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL)) +- schedule_delayed_work(&vi->refill, 0); ++ /* Pre-fill rq agressively, to make sure we are ready to ++ * get packets immediately. ++ */ ++ try_fill_recv(vi, &vi->rq[i], GFP_KERNEL); + + err = virtnet_enable_queue_pair(vi, i); + if (err < 0) +@@ -3473,16 +3474,15 @@ static void __virtnet_rx_resume(struct v + struct receive_queue *rq, + bool refill) + { +- bool running = netif_running(vi->dev); +- bool schedule_refill = false; ++ if (netif_running(vi->dev)) { ++ /* Pre-fill rq agressively, to make sure we are ready to get ++ * packets immediately. ++ */ ++ if (refill) ++ try_fill_recv(vi, rq, GFP_KERNEL); + +- if (refill && !try_fill_recv(vi, rq, GFP_KERNEL)) +- schedule_refill = true; +- if (running) + virtnet_napi_enable(rq); +- +- if (schedule_refill) +- schedule_delayed_work(&vi->refill, 0); ++ } + } + + static void virtnet_rx_resume_all(struct virtnet_info *vi) +@@ -3827,11 +3827,12 @@ static int virtnet_set_queues(struct vir + } + succ: + vi->curr_queue_pairs = queue_pairs; +- /* virtnet_open() will refill when device is going to up. */ +- spin_lock_bh(&vi->refill_lock); +- if (dev->flags & IFF_UP && vi->refill_enabled) +- schedule_delayed_work(&vi->refill, 0); +- spin_unlock_bh(&vi->refill_lock); ++ if (dev->flags & IFF_UP) { ++ local_bh_disable(); ++ for (int i = 0; i < vi->curr_queue_pairs; ++i) ++ virtqueue_napi_schedule(&vi->rq[i].napi, vi->rq[i].vq); ++ local_bh_enable(); ++ } + + return 0; + } diff --git a/queue-6.18/x86-kaslr-recognize-all-zone_device-users-as-physaddr-consumers.patch b/queue-6.18/x86-kaslr-recognize-all-zone_device-users-as-physaddr-consumers.patch new file mode 100644 index 0000000000..e4cebe9350 --- /dev/null +++ b/queue-6.18/x86-kaslr-recognize-all-zone_device-users-as-physaddr-consumers.patch @@ -0,0 +1,111 @@ +From 269031b15c1433ff39e30fa7ea3ab8f0be9d6ae2 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 6 Nov 2025 15:13:50 -0800 +Subject: x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers + +From: Dan Williams + +commit 269031b15c1433ff39e30fa7ea3ab8f0be9d6ae2 upstream. + +Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems") +is too narrow. The effect being mitigated in that commit is caused by +ZONE_DEVICE which PCI_P2PDMA has a dependency. ZONE_DEVICE, in general, +lets any physical address be added to the direct-map. I.e. not only ACPI +hotplug ranges, CXL Memory Windows, or EFI Specific Purpose Memory, but +also any PCI MMIO range for the DEVICE_PRIVATE and PCI_P2PDMA cases. Update +the mitigation, limit KASLR entropy, to apply in all ZONE_DEVICE=y cases. + +Distro kernels typically have PCI_P2PDMA=y, so the practical exposure of +this problem is limited to the PCI_P2PDMA=n case. + +A potential path to recover entropy would be to walk ACPI and determine the +limits for hotplug and PCI MMIO before kernel_randomize_memory(). On +smaller systems that could yield some KASLR address bits. This needs +additional investigation to determine if some limited ACPI table scanning +can happen this early without an open coded solution like +arch/x86/boot/compressed/acpi.c needs to deploy. + +Cc: Ingo Molnar +Cc: Kees Cook +Cc: Bjorn Helgaas +Cc: Peter Zijlstra +Cc: Andy Lutomirski +Cc: Logan Gunthorpe +Cc: Andrew Morton +Cc: David Hildenbrand +Cc: Lorenzo Stoakes +Cc: "Liam R. Howlett" +Cc: Vlastimil Babka +Cc: Mike Rapoport +Cc: Suren Baghdasaryan +Cc: Michal Hocko +Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems") +Cc: +Signed-off-by: Dan Williams +Reviewed-by: Balbir Singh +Tested-by: Yasunori Goto +Acked-by: Dave Hansen +Link: http://patch.msgid.link/692e08b2516d4_261c1100a3@dwillia2-mobl4.notmuch +Signed-off-by: Dave Jiang +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/kaslr.c | 10 +++++----- + drivers/pci/Kconfig | 6 ------ + mm/Kconfig | 10 +++++++--- + 3 files changed, 12 insertions(+), 14 deletions(-) + +--- a/arch/x86/mm/kaslr.c ++++ b/arch/x86/mm/kaslr.c +@@ -115,12 +115,12 @@ void __init kernel_randomize_memory(void + + /* + * Adapt physical memory region size based on available memory, +- * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the +- * device BAR space assuming the direct map space is large enough +- * for creating a ZONE_DEVICE mapping in the direct map corresponding +- * to the physical BAR address. ++ * except when CONFIG_ZONE_DEVICE is enabled. ZONE_DEVICE wants to map ++ * any physical address into the direct-map. KASLR wants to reliably ++ * steal some physical address bits. Those design choices are in direct ++ * conflict. + */ +- if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb)) ++ if (!IS_ENABLED(CONFIG_ZONE_DEVICE) && (memory_tb < kaslr_regions[0].size_tb)) + kaslr_regions[0].size_tb = memory_tb; + + /* +--- a/drivers/pci/Kconfig ++++ b/drivers/pci/Kconfig +@@ -207,12 +207,6 @@ config PCI_P2PDMA + P2P DMA transactions must be between devices behind the same root + port. + +- Enabling this option will reduce the entropy of x86 KASLR memory +- regions. For example - on a 46 bit system, the entropy goes down +- from 16 bits to 15 bits. The actual reduction in entropy depends +- on the physical address bits, on processor features, kernel config +- (5 level page table) and physical memory present on the system. +- + If unsure, say N. + + config PCI_LABEL +--- a/mm/Kconfig ++++ b/mm/Kconfig +@@ -1135,10 +1135,14 @@ config ZONE_DEVICE + Device memory hotplug support allows for establishing pmem, + or other device driver discovered memory regions, in the + memmap. This allows pfn_to_page() lookups of otherwise +- "device-physical" addresses which is needed for using a DAX +- mapping in an O_DIRECT operation, among other things. ++ "device-physical" addresses which is needed for DAX, PCI_P2PDMA, and ++ DEVICE_PRIVATE features among others. + +- If FS_DAX is enabled, then say Y. ++ Enabling this option will reduce the entropy of x86 KASLR memory ++ regions. For example - on a 46 bit system, the entropy goes down ++ from 16 bits to 15 bits. The actual reduction in entropy depends ++ on the physical address bits, on processor features, kernel config ++ (5 level page table) and physical memory present on the system. + + # + # Helpers to mirror range of the CPU page tables of a process into device page diff --git a/queue-6.18/x86-resctrl-add-missing-resctrl-initialization-for-hygon.patch b/queue-6.18/x86-resctrl-add-missing-resctrl-initialization-for-hygon.patch new file mode 100644 index 0000000000..a3c7c7f0ce --- /dev/null +++ b/queue-6.18/x86-resctrl-add-missing-resctrl-initialization-for-hygon.patch @@ -0,0 +1,58 @@ +From 6ee98aabdc700b5705e4f1833e2edc82a826b53b Mon Sep 17 00:00:00 2001 +From: Xiaochen Shen +Date: Tue, 9 Dec 2025 14:26:49 +0800 +Subject: x86/resctrl: Add missing resctrl initialization for Hygon + +From: Xiaochen Shen + +commit 6ee98aabdc700b5705e4f1833e2edc82a826b53b upstream. + +Hygon CPUs supporting Platform QoS features currently undergo partial resctrl +initialization through resctrl_cpu_detect() in the Hygon BSP init helper and +AMD/Hygon common initialization code. However, several critical data +structures remain uninitialized for Hygon CPUs in the following paths: + + - get_mem_config()-> __rdt_get_mem_config_amd(): + rdt_resource::membw,alloc_capable + hw_res::num_closid + + - rdt_init_res_defs()->rdt_init_res_defs_amd(): + rdt_resource::cache + hw_res::msr_base,msr_update + +Add the missing AMD/Hygon common initialization to ensure proper Platform QoS +functionality on Hygon CPUs. + +Fixes: d8df126349da ("x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper") +Signed-off-by: Xiaochen Shen +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Reinette Chatre +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251209062650.1536952-2-shenxiaochen@open-hieco.net +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/resctrl/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/core.c ++++ b/arch/x86/kernel/cpu/resctrl/core.c +@@ -818,7 +818,8 @@ static __init bool get_mem_config(void) + + if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) + return __get_mem_config_intel(&hw_res->r_resctrl); +- else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) ++ else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || ++ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) + return __rdt_get_mem_config_amd(&hw_res->r_resctrl); + + return false; +@@ -978,7 +979,8 @@ static __init void rdt_init_res_defs(voi + { + if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) + rdt_init_res_defs_intel(); +- else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) ++ else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || ++ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) + rdt_init_res_defs_amd(); + } + diff --git a/queue-6.18/x86-resctrl-fix-memory-bandwidth-counter-width-for-hygon.patch b/queue-6.18/x86-resctrl-fix-memory-bandwidth-counter-width-for-hygon.patch new file mode 100644 index 0000000000..4713e6c6ed --- /dev/null +++ b/queue-6.18/x86-resctrl-fix-memory-bandwidth-counter-width-for-hygon.patch @@ -0,0 +1,74 @@ +From 7517e899e1b87b4c22a92c7e40d8733c48e4ec3c Mon Sep 17 00:00:00 2001 +From: Xiaochen Shen +Date: Tue, 9 Dec 2025 14:26:50 +0800 +Subject: x86/resctrl: Fix memory bandwidth counter width for Hygon + +From: Xiaochen Shen + +commit 7517e899e1b87b4c22a92c7e40d8733c48e4ec3c upstream. + +The memory bandwidth calculation relies on reading the hardware counter +and measuring the delta between samples. To ensure accurate measurement, +the software reads the counter frequently enough to prevent it from +rolling over twice between reads. + +The default Memory Bandwidth Monitoring (MBM) counter width is 24 bits. +Hygon CPUs provide a 32-bit width counter, but they do not support the +MBM capability CPUID leaf (0xF.[ECX=1]:EAX) to report the width offset +(from 24 bits). + +Consequently, the kernel falls back to the 24-bit default counter width, +which causes incorrect overflow handling on Hygon CPUs. + +Fix this by explicitly setting the counter width offset to 8 bits (resulting +in a 32-bit total counter width) for Hygon CPUs. + +Fixes: d8df126349da ("x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper") +Signed-off-by: Xiaochen Shen +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Tony Luck +Reviewed-by: Reinette Chatre +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251209062650.1536952-3-shenxiaochen@open-hieco.net +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/resctrl/core.c | 15 +++++++++++++-- + arch/x86/kernel/cpu/resctrl/internal.h | 3 +++ + 2 files changed, 16 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/core.c ++++ b/arch/x86/kernel/cpu/resctrl/core.c +@@ -1012,8 +1012,19 @@ void resctrl_cpu_detect(struct cpuinfo_x + c->x86_cache_occ_scale = ebx; + c->x86_cache_mbm_width_offset = eax & 0xff; + +- if (c->x86_vendor == X86_VENDOR_AMD && !c->x86_cache_mbm_width_offset) +- c->x86_cache_mbm_width_offset = MBM_CNTR_WIDTH_OFFSET_AMD; ++ if (!c->x86_cache_mbm_width_offset) { ++ switch (c->x86_vendor) { ++ case X86_VENDOR_AMD: ++ c->x86_cache_mbm_width_offset = MBM_CNTR_WIDTH_OFFSET_AMD; ++ break; ++ case X86_VENDOR_HYGON: ++ c->x86_cache_mbm_width_offset = MBM_CNTR_WIDTH_OFFSET_HYGON; ++ break; ++ default: ++ /* Leave c->x86_cache_mbm_width_offset as 0 */ ++ break; ++ } ++ } + } + } + +--- a/arch/x86/kernel/cpu/resctrl/internal.h ++++ b/arch/x86/kernel/cpu/resctrl/internal.h +@@ -14,6 +14,9 @@ + + #define MBM_CNTR_WIDTH_OFFSET_AMD 20 + ++/* Hygon MBM counter width as an offset from MBM_CNTR_WIDTH_BASE */ ++#define MBM_CNTR_WIDTH_OFFSET_HYGON 8 ++ + #define RMID_VAL_ERROR BIT_ULL(63) + + #define RMID_VAL_UNAVAIL BIT_ULL(62) diff --git a/queue-6.18/xfs-fix-the-return-value-of-xfs_rtcopy_summary.patch b/queue-6.18/xfs-fix-the-return-value-of-xfs_rtcopy_summary.patch new file mode 100644 index 0000000000..b68d6d4293 --- /dev/null +++ b/queue-6.18/xfs-fix-the-return-value-of-xfs_rtcopy_summary.patch @@ -0,0 +1,35 @@ +From 6b2d155366581705a848833a9b626bfea41d5a8d Mon Sep 17 00:00:00 2001 +From: "Nirjhar Roy (IBM)" +Date: Mon, 12 Jan 2026 15:35:23 +0530 +Subject: xfs: Fix the return value of xfs_rtcopy_summary() + +From: Nirjhar Roy (IBM) + +commit 6b2d155366581705a848833a9b626bfea41d5a8d upstream. + +xfs_rtcopy_summary() should return the appropriate error code +instead of always returning 0. The caller of this function which is +xfs_growfs_rt_bmblock() is already handling the error. + +Fixes: e94b53ff699c ("xfs: cache last bitmap block in realtime allocator") +Signed-off-by: Nirjhar Roy (IBM) +Reviewed-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Cc: stable@vger.kernel.org # v6.7 +Signed-off-by: Carlos Maiolino +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_rtalloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xfs/xfs_rtalloc.c ++++ b/fs/xfs/xfs_rtalloc.c +@@ -126,7 +126,7 @@ xfs_rtcopy_summary( + error = 0; + out: + xfs_rtbuf_cache_relse(oargs); +- return 0; ++ return error; + } + /* + * Mark an extent specified by start and len allocated. diff --git a/queue-6.18/xfs-set-max_agbno-to-allow-sparse-alloc-of-last-full-inode-chunk.patch b/queue-6.18/xfs-set-max_agbno-to-allow-sparse-alloc-of-last-full-inode-chunk.patch new file mode 100644 index 0000000000..2b22391d66 --- /dev/null +++ b/queue-6.18/xfs-set-max_agbno-to-allow-sparse-alloc-of-last-full-inode-chunk.patch @@ -0,0 +1,81 @@ +From c360004c0160dbe345870f59f24595519008926f Mon Sep 17 00:00:00 2001 +From: Brian Foster +Date: Fri, 9 Jan 2026 12:49:05 -0500 +Subject: xfs: set max_agbno to allow sparse alloc of last full inode chunk + +From: Brian Foster + +commit c360004c0160dbe345870f59f24595519008926f upstream. + +Sparse inode cluster allocation sets min/max agbno values to avoid +allocating an inode cluster that might map to an invalid inode +chunk. For example, we can't have an inode record mapped to agbno 0 +or that extends past the end of a runt AG of misaligned size. + +The initial calculation of max_agbno is unnecessarily conservative, +however. This has triggered a corner case allocation failure where a +small runt AG (i.e. 2063 blocks) is mostly full save for an extent +to the EOFS boundary: [2050,13]. max_agbno is set to 2048 in this +case, which happens to be the offset of the last possible valid +inode chunk in the AG. In practice, we should be able to allocate +the 4-block cluster at agbno 2052 to map to the parent inode record +at agbno 2048, but the max_agbno value precludes it. + +Note that this can result in filesystem shutdown via dirty trans +cancel on stable kernels prior to commit 9eb775968b68 ("xfs: walk +all AGs if TRYLOCK passed to xfs_alloc_vextent_iterate_ags") because +the tail AG selection by the allocator sets t_highest_agno on the +transaction. If the inode allocator spins around and finds an inode +chunk with free inodes in an earlier AG, the subsequent dir name +creation path may still fail to allocate due to the AG restriction +and cancel. + +To avoid this problem, update the max_agbno calculation to the agbno +prior to the last chunk aligned agbno in the AG. This is not +necessarily the last valid allocation target for a sparse chunk, but +since inode chunks (i.e. records) are chunk aligned and sparse +allocs are cluster sized/aligned, this allows the sb_spino_align +alignment restriction to take over and round down the max effective +agbno to within the last valid inode chunk in the AG. + +Note that even though the allocator improvements in the +aforementioned commit seem to avoid this particular dirty trans +cancel situation, the max_agbno logic improvement still applies as +we should be able to allocate from an AG that has been appropriately +selected. The more important target for this patch however are +older/stable kernels prior to this allocator rework/improvement. + +Cc: stable@vger.kernel.org # v4.2 +Fixes: 56d1115c9bc7 ("xfs: allocate sparse inode chunks on full chunk allocation failure") +Signed-off-by: Brian Foster +Reviewed-by: Darrick J. Wong +Signed-off-by: Carlos Maiolino +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/libxfs/xfs_ialloc.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/xfs/libxfs/xfs_ialloc.c ++++ b/fs/xfs/libxfs/xfs_ialloc.c +@@ -848,15 +848,16 @@ sparse_alloc: + * invalid inode records, such as records that start at agbno 0 + * or extend beyond the AG. + * +- * Set min agbno to the first aligned, non-zero agbno and max to +- * the last aligned agbno that is at least one full chunk from +- * the end of the AG. ++ * Set min agbno to the first chunk aligned, non-zero agbno and ++ * max to one less than the last chunk aligned agbno from the ++ * end of the AG. We subtract 1 from max so that the cluster ++ * allocation alignment takes over and allows allocation within ++ * the last full inode chunk in the AG. + */ + args.min_agbno = args.mp->m_sb.sb_inoalignmt; + args.max_agbno = round_down(xfs_ag_block_count(args.mp, + pag_agno(pag)), +- args.mp->m_sb.sb_inoalignmt) - +- igeo->ialloc_blks; ++ args.mp->m_sb.sb_inoalignmt) - 1; + + error = xfs_alloc_vextent_near_bno(&args, + xfs_agbno_to_fsb(pag, diff --git a/queue-6.18/xhci-sideband-don-t-dereference-freed-ring-when-removing-sideband-endpoint.patch b/queue-6.18/xhci-sideband-don-t-dereference-freed-ring-when-removing-sideband-endpoint.patch new file mode 100644 index 0000000000..858dedfb3f --- /dev/null +++ b/queue-6.18/xhci-sideband-don-t-dereference-freed-ring-when-removing-sideband-endpoint.patch @@ -0,0 +1,91 @@ +From dd83dc1249737b837ac5d57c81f2b0977c613d9f Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Fri, 16 Jan 2026 01:37:58 +0200 +Subject: xhci: sideband: don't dereference freed ring when removing sideband endpoint +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathias Nyman + +commit dd83dc1249737b837ac5d57c81f2b0977c613d9f upstream. + +xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is +running and has a valid transfer ring. + +Lianqin reported a crash during suspend/wake-up stress testing, and +found the cause to be dereferencing a non-existing transfer ring +'ep->ring' during xhci_sideband_remove_endpoint(). + +The endpoint and its ring may be in unknown state if this function +is called after xHCI was reinitialized in resume (lost power), or if +device is being re-enumerated, disconnected or endpoint already dropped. + +Fix this by both removing unnecessary ring access, and by checking +ep->ring exists before dereferencing it. Also make sure endpoint is +running before attempting to stop it. + +Remove the xhci_initialize_ring_info() call during sideband endpoint +removal as is it only initializes ring structure enqueue, dequeue and +cycle state values to their starting values without changing actual +hardware enqueue, dequeue and cycle state. Leaving them out of sync +is worse than leaving it as it is. The endpoint will get freed in after +this in most usecases. + +If the (audio) class driver want's to reuse the endpoint after offload +then it is up to the class driver to ensure endpoint is properly set up. + +Reported-by: 胡连勤 +Closes: https://lore.kernel.org/linux-usb/TYUPR06MB6217B105B059A7730C4F6EC8D2B9A@TYUPR06MB6217.apcprd06.prod.outlook.com/ +Tested-by: 胡连勤 +Fixes: de66754e9f80 ("xhci: sideband: add initial api to register a secondary interrupter entity") +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://patch.msgid.link/20260115233758.364097-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-sideband.c | 1 - + drivers/usb/host/xhci.c | 15 ++++++++++++--- + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci-sideband.c ++++ b/drivers/usb/host/xhci-sideband.c +@@ -210,7 +210,6 @@ xhci_sideband_remove_endpoint(struct xhc + return -ENODEV; + + __xhci_sideband_remove_endpoint(sb, ep); +- xhci_initialize_ring_info(ep->ring); + + return 0; + } +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -2891,16 +2891,25 @@ int xhci_stop_endpoint_sync(struct xhci_ + gfp_t gfp_flags) + { + struct xhci_command *command; ++ struct xhci_ep_ctx *ep_ctx; + unsigned long flags; +- int ret; ++ int ret = -ENODEV; + + command = xhci_alloc_command(xhci, true, gfp_flags); + if (!command) + return -ENOMEM; + + spin_lock_irqsave(&xhci->lock, flags); +- ret = xhci_queue_stop_endpoint(xhci, command, ep->vdev->slot_id, +- ep->ep_index, suspend); ++ ++ /* make sure endpoint exists and is running before stopping it */ ++ if (ep->ring) { ++ ep_ctx = xhci_get_ep_ctx(xhci, ep->vdev->out_ctx, ep->ep_index); ++ if (GET_EP_CTX_STATE(ep_ctx) == EP_STATE_RUNNING) ++ ret = xhci_queue_stop_endpoint(xhci, command, ++ ep->vdev->slot_id, ++ ep->ep_index, suspend); ++ } ++ + if (ret < 0) { + spin_unlock_irqrestore(&xhci->lock, flags); + goto out; -- 2.47.3