From 32663ae021e4efe3c37195b9712285c14a65b3ba Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 17 Feb 2026 18:39:58 +0100 Subject: [PATCH] 6.6-stable patches added patches: f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch f2fs-fix-zoned-block-device-information-initialization.patch iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch --- ...-atomic-commit-and-checkpoint-writes.patch | 103 +++++++++++++ ...ng-wrong-physical-block-for-swapfile.patch | 145 ++++++++++++++++++ ...ix-to-avoid-uaf-in-f2fs_write_end_io.patch | 80 ++++++++++ ...ck-device-information-initialization.patch | 94 ++++++++++++ ...qcom-do-not-register-driver-in-probe.patch | 122 +++++++++++++++ queue-6.6/series | 5 + 6 files changed, 549 insertions(+) create mode 100644 queue-6.6/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch create mode 100644 queue-6.6/f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch create mode 100644 queue-6.6/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch create mode 100644 queue-6.6/f2fs-fix-zoned-block-device-information-initialization.patch create mode 100644 queue-6.6/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch diff --git a/queue-6.6/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch b/queue-6.6/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch new file mode 100644 index 0000000000..99758cde04 --- /dev/null +++ b/queue-6.6/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch @@ -0,0 +1,103 @@ +From stable+bounces-216853-greg=kroah.com@vger.kernel.org Tue Feb 17 16:45:31 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:45:24 -0500 +Subject: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes +To: stable@vger.kernel.org +Cc: Yongpeng Yang , stable@kernel.org, Sheng Yong , Jinbao Liu , Chao Yu , Jaegeuk Kim , Sasha Levin +Message-ID: <20260217154524.3702838-1-sashal@kernel.org> + +From: Yongpeng Yang + +[ Upstream commit 7633a7387eb4d0259d6bea945e1d3469cd135bbc ] + +During SPO tests, when mounting F2FS, an -EINVAL error was returned from +f2fs_recover_inode_page. The issue occurred under the following scenario + +Thread A Thread B +f2fs_ioc_commit_atomic_write + - f2fs_do_sync_file // atomic = true + - f2fs_fsync_node_pages + : last_folio = inode folio + : schedule before folio_lock(last_folio) f2fs_write_checkpoint + - block_operations// writeback last_folio + - schedule before f2fs_flush_nat_entries + : set_fsync_mark(last_folio, 1) + : set_dentry_mark(last_folio, 1) + : folio_mark_dirty(last_folio) + - __write_node_folio(last_folio) + : f2fs_down_read(&sbi->node_write)//block + - f2fs_flush_nat_entries + : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED) + - unblock_operations + : f2fs_up_write(&sbi->node_write) + f2fs_write_checkpoint//return + : f2fs_do_write_node_page() +f2fs_ioc_commit_atomic_write//return + SPO + +Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has +already been written once. However, the {struct nat_entry}->flag did not +have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and +write last_folio again after Thread B finishes f2fs_write_checkpoint. + +After SPO and reboot, it was detected that {struct node_info}->blk_addr +was not NULL_ADDR because Thread B successfully write the checkpoint. + +This issue only occurs in atomic write scenarios. For regular file +fsync operations, the folio must be dirty. If +block_operations->f2fs_sync_node_pages successfully submit the folio +write, this path will not be executed. Otherwise, the +f2fs_write_checkpoint will need to wait for the folio write submission +to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the +situation where f2fs_need_dentry_mark checks that the {struct +nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has +already been submitted, will not occur. + +Therefore, for atomic file fsync, sbi->node_write should be acquired +through __write_node_folio to ensure that the IS_CHECKPOINTED flag +correctly indicates that the checkpoint write has been completed. + +Fixes: 608514deba38 ("f2fs: set fsync mark only for the last dnode") +Cc: stable@kernel.org +Signed-off-by: Sheng Yong +Signed-off-by: Jinbao Liu +Signed-off-by: Yongpeng Yang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ folio => page ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1696,8 +1696,13 @@ static int __write_node_page(struct page + goto redirty_out; + } + +- if (atomic && !test_opt(sbi, NOBARRIER) && !f2fs_sb_has_blkzoned(sbi)) +- fio.op_flags |= REQ_PREFLUSH | REQ_FUA; ++ if (atomic) { ++ if (!test_opt(sbi, NOBARRIER) && !f2fs_sb_has_blkzoned(sbi)) ++ fio.op_flags |= REQ_PREFLUSH | REQ_FUA; ++ if (IS_INODE(page)) ++ set_dentry_mark(page, ++ f2fs_need_dentry_mark(sbi, ino_of_node(page))); ++ } + + /* should add to global list before clearing PAGECACHE status */ + if (f2fs_in_warm_node_list(sbi, page)) { +@@ -1852,8 +1857,9 @@ continue_unlock: + if (is_inode_flag_set(inode, + FI_DIRTY_INODE)) + f2fs_update_inode(inode, page); +- set_dentry_mark(page, +- f2fs_need_dentry_mark(sbi, ino)); ++ if (!atomic) ++ set_dentry_mark(page, ++ f2fs_need_dentry_mark(sbi, ino)); + } + /* may be written by other thread */ + if (!PageDirty(page)) diff --git a/queue-6.6/f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch b/queue-6.6/f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch new file mode 100644 index 0000000000..1500c24b3d --- /dev/null +++ b/queue-6.6/f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch @@ -0,0 +1,145 @@ +From stable+bounces-216851-greg=kroah.com@vger.kernel.org Tue Feb 17 16:20:41 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:20:32 -0500 +Subject: f2fs: fix to avoid mapping wrong physical block for swapfile +To: stable@vger.kernel.org +Cc: Chao Yu , stable@kernel.org, Daeho Jeong , Xiaolong Guo , Jaegeuk Kim , Sasha Levin +Message-ID: <20260217152032.3680679-2-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 5c145c03188bc9ba1c29e0bc4d527a5978fc47f9 ] + +Xiaolong Guo reported a f2fs bug in bugzilla [1] + +[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951 + +Quoted: + +"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, +the system experiences data corruption leading to either: +1 dm-verity corruption errors and device reboot +2 F2FS node corruption errors and boot hangs + +The issue occurs specifically when: +1 Using F2FS filesystem (ext4 is unaffected) +2 Swapfile size is less than F2FS section size (2MB) +3 Swapfile has fragmented physical layout (multiple non-contiguous extents) +4 Kernel version is 6.6+ (6.1 is unaffected) + +The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the +first extent of a small swapfile (< 2MB) is not aligned to section boundaries, +the function incorrectly treats it as the last extent, failing to map +subsequent extents. This results in incorrect swap_extent creation where only +the first extent is mapped, causing subsequent swap writes to overwrite wrong +physical locations (other files' data). + +Steps to Reproduce +1 Setup a device with F2FS-formatted userdata partition +2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng +3 Run swap stress test: (Android devices) +adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60 +--swap 0" + +Log: +1 Ftrace shows in kernel 6.6, only first extent is mapped during second +f2fs_map_blocks call in check_swap_activate(): +stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start +blkaddr=0x43143, len=0x1 +(Only 4KB mapped, not the full swapfile) +2 in kernel 6.1, both extents are correctly mapped: +stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start +blkaddr=0x13cd4, len=0x1 +stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start +blkaddr=0x60c84b, len=0xff + +The problematic code is in check_swap_activate(): +if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec || + nr_pblocks % blks_per_sec || + !f2fs_valid_pinned_area(sbi, pblock)) { + bool last_extent = false; + + not_aligned++; + + nr_pblocks = roundup(nr_pblocks, blks_per_sec); + if (cur_lblock + nr_pblocks > sis->max) + nr_pblocks -= blks_per_sec; + + /* this extent is last one */ + if (!nr_pblocks) { + nr_pblocks = last_lblock - cur_lblock; + last_extent = true; + } + + ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks); + if (ret) { + if (ret == -ENOENT) + ret = -EINVAL; + goto out; + } + + if (!last_extent) + goto retry; +} + +When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec) +exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The +code then incorrectly assumes this is the last extent, sets nr_pblocks = +last_lblock - cur_lblock (entire swapfile), and performs migration. After +migration, it doesn't retry mapping, so subsequent extents are never processed. +" + +In order to fix this issue, we need to lookup block mapping info after +we migrate all blocks in the tail of swapfile. + +Cc: stable@kernel.org +Fixes: 9703d69d9d15 ("f2fs: support file pinning for zoned devices") +Cc: Daeho Jeong +Reported-and-tested-by: Xiaolong Guo +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220951 +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ f2fs_is_sequential_zone_area() => !f2fs_valid_pinned_area() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -3940,6 +3940,7 @@ static int check_swap_activate(struct sw + + while (cur_lblock < last_lblock && cur_lblock < sis->max) { + struct f2fs_map_blocks map; ++ bool last_extent = false; + retry: + cond_resched(); + +@@ -3965,11 +3966,10 @@ retry: + pblock = map.m_pblk; + nr_pblocks = map.m_len; + +- if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec || +- nr_pblocks % blks_per_sec || +- !f2fs_valid_pinned_area(sbi, pblock)) { +- bool last_extent = false; +- ++ if (!last_extent && ++ ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec || ++ nr_pblocks % blks_per_sec || ++ !f2fs_valid_pinned_area(sbi, pblock))) { + not_aligned++; + + nr_pblocks = roundup(nr_pblocks, blks_per_sec); +@@ -3990,8 +3990,8 @@ retry: + goto out; + } + +- if (!last_extent) +- goto retry; ++ /* lookup block mapping info after block migration */ ++ goto retry; + } + + if (cur_lblock + nr_pblocks >= sis->max) diff --git a/queue-6.6/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch b/queue-6.6/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch new file mode 100644 index 0000000000..5a24357f2b --- /dev/null +++ b/queue-6.6/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch @@ -0,0 +1,80 @@ +From stable+bounces-216852-greg=kroah.com@vger.kernel.org Tue Feb 17 16:36:44 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:35:47 -0500 +Subject: f2fs: fix to avoid UAF in f2fs_write_end_io() +To: stable@vger.kernel.org +Cc: Chao Yu , stable@kernel.org, syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com, Jaegeuk Kim , Sasha Levin +Message-ID: <20260217153547.3695123-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit ce2739e482bce8d2c014d76c4531c877f382aa54 ] + +As syzbot reported an use-after-free issue in f2fs_write_end_io(). + +It is caused by below race condition: + +loop device umount +- worker_thread + - loop_process_work + - do_req_filebacked + - lo_rw_aio + - lo_rw_aio_complete + - blk_mq_end_request + - blk_update_request + - f2fs_write_end_io + - dec_page_count + - folio_end_writeback + - kill_f2fs_super + - kill_block_super + - f2fs_put_super + : free(sbi) + : get_pages(, F2FS_WB_CP_DATA) + accessed sbi which is freed + +In kill_f2fs_super(), we will drop all page caches of f2fs inodes before +call free(sbi), it guarantee that all folios should end its writeback, so +it should be safe to access sbi before last folio_end_writeback(). + +Let's relocate ckpt thread wakeup flow before folio_end_writeback() to +resolve this issue. + +Cc: stable@kernel.org +Fixes: e234088758fc ("f2fs: avoid wait if IO end up when do_checkpoint for better performance") +Reported-by: syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b4444e3c972a7a124187 +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ folio => page ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -358,14 +358,20 @@ static void f2fs_write_end_io(struct bio + page->index != nid_of_node(page)); + + dec_page_count(sbi, type); ++ ++ /* ++ * we should access sbi before end_page_writeback() to ++ * avoid racing w/ kill_f2fs_super() ++ */ ++ if (type == F2FS_WB_CP_DATA && !get_pages(sbi, type) && ++ wq_has_sleeper(&sbi->cp_wait)) ++ wake_up(&sbi->cp_wait); ++ + if (f2fs_in_warm_node_list(sbi, page)) + f2fs_del_fsync_node_entry(sbi, page); + clear_page_private_gcing(page); + end_page_writeback(page); + } +- if (!get_pages(sbi, F2FS_WB_CP_DATA) && +- wq_has_sleeper(&sbi->cp_wait)) +- wake_up(&sbi->cp_wait); + + bio_put(bio); + } diff --git a/queue-6.6/f2fs-fix-zoned-block-device-information-initialization.patch b/queue-6.6/f2fs-fix-zoned-block-device-information-initialization.patch new file mode 100644 index 0000000000..ad68f3ce35 --- /dev/null +++ b/queue-6.6/f2fs-fix-zoned-block-device-information-initialization.patch @@ -0,0 +1,94 @@ +From stable+bounces-216850-greg=kroah.com@vger.kernel.org Tue Feb 17 16:20:42 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:20:31 -0500 +Subject: f2fs: fix zoned block device information initialization +To: stable@vger.kernel.org +Cc: Wenjie Qi , Chao Yu , Daeho Jeong , Jaegeuk Kim , Sasha Levin +Message-ID: <20260217152032.3680679-1-sashal@kernel.org> + +From: Wenjie Qi + +[ Upstream commit 0f9b12142be1af8555cfe53c6fbecb8e60a40dac ] + +If the max open zones of zoned devices are less than +the active logs of F2FS, the device may error due to +insufficient zone resources when multiple active logs +are being written at the same time. + +Signed-off-by: Wenjie Qi +Signed-off-by: Chao Yu +Reviewed-by: Daeho Jeong +Signed-off-by: Jaegeuk Kim +Stable-dep-of: 5c145c03188b ("f2fs: fix to avoid mapping wrong physical block for swapfile") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 1 + + fs/f2fs/super.c | 27 +++++++++++++++++++++++++++ + 2 files changed, 28 insertions(+) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1567,6 +1567,7 @@ struct f2fs_sb_info { + + #ifdef CONFIG_BLK_DEV_ZONED + unsigned int blocks_per_blkz; /* F2FS blocks per zone */ ++ unsigned int max_open_zones; /* max open zone resources of the zoned device */ + #endif + + /* for node-related operations */ +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2359,6 +2359,17 @@ static int f2fs_remount(struct super_blo + if (err) + goto restore_opts; + ++#ifdef CONFIG_BLK_DEV_ZONED ++ if (f2fs_sb_has_blkzoned(sbi) && ++ sbi->max_open_zones < F2FS_OPTION(sbi).active_logs) { ++ f2fs_err(sbi, ++ "zoned: max open zones %u is too small, need at least %u open zones", ++ sbi->max_open_zones, F2FS_OPTION(sbi).active_logs); ++ err = -EINVAL; ++ goto restore_opts; ++ } ++#endif ++ + /* flush outstanding errors before changing fs state */ + flush_work(&sbi->s_error_work); + +@@ -3902,11 +3913,24 @@ static int init_blkz_info(struct f2fs_sb + sector_t nr_sectors = bdev_nr_sectors(bdev); + struct f2fs_report_zones_args rep_zone_arg; + u64 zone_sectors; ++ unsigned int max_open_zones; + int ret; + + if (!f2fs_sb_has_blkzoned(sbi)) + return 0; + ++ if (bdev_is_zoned(FDEV(devi).bdev)) { ++ max_open_zones = bdev_max_open_zones(bdev); ++ if (max_open_zones && (max_open_zones < sbi->max_open_zones)) ++ sbi->max_open_zones = max_open_zones; ++ if (sbi->max_open_zones < F2FS_OPTION(sbi).active_logs) { ++ f2fs_err(sbi, ++ "zoned: max open zones %u is too small, need at least %u open zones", ++ sbi->max_open_zones, F2FS_OPTION(sbi).active_logs); ++ return -EINVAL; ++ } ++ } ++ + zone_sectors = bdev_zone_sectors(bdev); + if (sbi->blocks_per_blkz && sbi->blocks_per_blkz != + SECTOR_TO_BLOCK(zone_sectors)) +@@ -4188,6 +4212,9 @@ static int f2fs_scan_devices(struct f2fs + + logical_blksize = bdev_logical_block_size(sbi->sb->s_bdev); + sbi->aligned_blksize = true; ++#ifdef CONFIG_BLK_DEV_ZONED ++ sbi->max_open_zones = UINT_MAX; ++#endif + + for (i = 0; i < max_devices; i++) { + if (i == 0) diff --git a/queue-6.6/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch b/queue-6.6/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch new file mode 100644 index 0000000000..e212712b74 --- /dev/null +++ b/queue-6.6/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch @@ -0,0 +1,122 @@ +From ed1ac3c977dd6b119405fa36dd41f7151bd5b4de Mon Sep 17 00:00:00 2001 +From: Danilo Krummrich +Date: Wed, 21 Jan 2026 15:12:01 +0100 +Subject: iommu/arm-smmu-qcom: do not register driver in probe() + +From: Danilo Krummrich + +commit ed1ac3c977dd6b119405fa36dd41f7151bd5b4de upstream. + +Commit 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in +qcom_smmu_impl_init") intended to also probe the TBU driver when +CONFIG_ARM_SMMU_QCOM_DEBUG is disabled, but also moved the corresponding +platform_driver_register() call into qcom_smmu_impl_init() which is +called from arm_smmu_device_probe(). + +However, it neither makes sense to register drivers from probe() +callbacks of other drivers, nor does the driver core allow registering +drivers with a device lock already being held. + +The latter was revealed by commit dc23806a7c47 ("driver core: enforce +device_lock for driver_match_device()") leading to a deadlock condition +described in [1]. + +Additionally, it was noted by Robin that the current approach is +potentially racy with async probe [2]. + +Hence, fix this by registering the qcom_smmu_tbu_driver from +module_init(). Unfortunately, due to the vendoring of the driver, this +requires an indirection through arm-smmu-impl.c. + +Reported-by: Mark Brown +Closes: https://lore.kernel.org/lkml/7ae38e31-ef31-43ad-9106-7c76ea0e8596@sirena.org.uk/ +Link: https://lore.kernel.org/lkml/DFU7CEPUSG9A.1KKGVW4HIPMSH@kernel.org/ [1] +Link: https://lore.kernel.org/lkml/0c0d3707-9ea5-44f9-88a1-a65c62e3df8d@arm.com/ [2] +Fixes: dc23806a7c47 ("driver core: enforce device_lock for driver_match_device()") +Fixes: 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in qcom_smmu_impl_init") +Acked-by: Robin Murphy +Tested-by: Bjorn Andersson +Reviewed-by: Bjorn Andersson +Acked-by: Konrad Dybcio +Reviewed-by: Greg Kroah-Hartman +Tested-by: Ioana Ciornei #LX2160ARDB +Tested-by: Wang Jiayue +Reviewed-by: Wang Jiayue +Tested-by: Mark Brown +Acked-by: Joerg Roedel +Link: https://patch.msgid.link/20260121141215.29658-1-dakr@kernel.org +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/arm/arm-smmu/arm-smmu-impl.c | 14 ++++++++++++++ + drivers/iommu/arm/arm-smmu/arm-smmu.c | 24 +++++++++++++++++++++++- + drivers/iommu/arm/arm-smmu/arm-smmu.h | 5 +++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c +@@ -227,3 +227,17 @@ struct arm_smmu_device *arm_smmu_impl_in + + return smmu; + } ++ ++int __init arm_smmu_impl_module_init(void) ++{ ++ if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM)) ++ return qcom_smmu_module_init(); ++ ++ return 0; ++} ++ ++void __exit arm_smmu_impl_module_exit(void) ++{ ++ if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM)) ++ qcom_smmu_module_exit(); ++} +--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c +@@ -2307,7 +2307,29 @@ static struct platform_driver arm_smmu_d + .remove_new = arm_smmu_device_remove, + .shutdown = arm_smmu_device_shutdown, + }; +-module_platform_driver(arm_smmu_driver); ++ ++static int __init arm_smmu_init(void) ++{ ++ int ret; ++ ++ ret = platform_driver_register(&arm_smmu_driver); ++ if (ret) ++ return ret; ++ ++ ret = arm_smmu_impl_module_init(); ++ if (ret) ++ platform_driver_unregister(&arm_smmu_driver); ++ ++ return ret; ++} ++module_init(arm_smmu_init); ++ ++static void __exit arm_smmu_exit(void) ++{ ++ arm_smmu_impl_module_exit(); ++ platform_driver_unregister(&arm_smmu_driver); ++} ++module_exit(arm_smmu_exit); + + MODULE_DESCRIPTION("IOMMU API for ARM architected SMMU implementations"); + MODULE_AUTHOR("Will Deacon "); +--- a/drivers/iommu/arm/arm-smmu/arm-smmu.h ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.h +@@ -528,6 +528,11 @@ struct arm_smmu_device *arm_smmu_impl_in + struct arm_smmu_device *nvidia_smmu_impl_init(struct arm_smmu_device *smmu); + struct arm_smmu_device *qcom_smmu_impl_init(struct arm_smmu_device *smmu); + ++int __init arm_smmu_impl_module_init(void); ++void __exit arm_smmu_impl_module_exit(void); ++int __init qcom_smmu_module_init(void); ++void __exit qcom_smmu_module_exit(void); ++ + void arm_smmu_write_context_bank(struct arm_smmu_device *smmu, int idx); + int arm_mmu500_reset(struct arm_smmu_device *smmu); + diff --git a/queue-6.6/series b/queue-6.6/series index cda7dee844..bc00ba60c2 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -31,3 +31,8 @@ fbdev-rivafb-fix-divide-error-in-nv3_arb.patch fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch +iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch +f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch +f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch +f2fs-fix-zoned-block-device-information-initialization.patch +f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch -- 2.47.3