From 77bb12728129fd9066eceb3a927a0fd370e6001d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 20 Jan 2026 12:07:59 +0100
Subject: [PATCH] 6.12-stable patches
added patches:
asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch
bridge-mcast-fix-use-after-free-during-router-port-configuration.patch
drm-amd-display-mark-static-functions-noinline_for_stack.patch
hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch
io_uring-move-local-task_work-in-exit-cancel-loop.patch
---
...a883x-fix-unnecessary-initialisation.patch | 77 ++++++++
...ree-during-router-port-configuration.patch | 179 ++++++++++++++++++
...-static-functions-noinline_for_stack.patch | 175 +++++++++++++++++
...aper-over-wrong-bnumdescriptor-field.patch | 55 ++++++
...-local-task_work-in-exit-cancel-loop.patch | 62 ++++++
queue-6.12/series | 5 +
6 files changed, 553 insertions(+)
create mode 100644 queue-6.12/asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch
create mode 100644 queue-6.12/bridge-mcast-fix-use-after-free-during-router-port-configuration.patch
create mode 100644 queue-6.12/drm-amd-display-mark-static-functions-noinline_for_stack.patch
create mode 100644 queue-6.12/hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch
create mode 100644 queue-6.12/io_uring-move-local-task_work-in-exit-cancel-loop.patch
diff --git a/queue-6.12/asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch b/queue-6.12/asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch
new file mode 100644
index 0000000000..54ee81191c
--- /dev/null
+++ b/queue-6.12/asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch
@@ -0,0 +1,77 @@ +From 49aadf830eb048134d33ad7329d92ecff45d8dbb Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 2 Jan 2026 12:14:10 +0100 +Subject: ASoC: codecs: wsa883x: fix unnecessary initialisation + +From: Johan Hovold + +commit 49aadf830eb048134d33ad7329d92ecff45d8dbb upstream. + +The soundwire update_status() callback may be called multiple times with +the same ATTACHED status but initialisation should only be done when +transitioning from UNATTACHED to ATTACHED. + +This avoids repeated initialisation of the codecs during boot of +machines like the Lenovo ThinkPad X13s: + +[ 11.614523] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.618022] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.621377] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.624065] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.631382] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2 +[ 11.634424] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2 + +Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support") +Cc: stable@vger.kernel.org # 6.0 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260102111413.9605-2-johan@kernel.org +Signed-off-by: Mark Brown +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wsa883x.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/soc/codecs/wsa883x.c ++++ b/sound/soc/codecs/wsa883x.c +@@ -441,6 +441,7 @@ struct wsa883x_priv { + int active_ports; + int dev_mode; + int comp_offset; ++ bool hw_init; + }; + + enum { +@@ -1002,6 +1003,9 @@ static int wsa883x_init(struct wsa883x_p + struct regmap *regmap = wsa883x->regmap; + int variant, version, ret; + ++ if 
(wsa883x->hw_init) ++ return 0; ++ + ret = regmap_read(regmap, WSA883X_OTP_REG_0, &variant); + if (ret) + return ret; +@@ -1044,6 +1048,8 @@ static int wsa883x_init(struct wsa883x_p + wsa883x->comp_offset); + } + ++ wsa883x->hw_init = true; ++ + return 0; + } + +@@ -1052,6 +1058,9 @@ static int wsa883x_update_status(struct + { + struct wsa883x_priv *wsa883x = dev_get_drvdata(&slave->dev); + ++ if (status == SDW_SLAVE_UNATTACHED) ++ wsa883x->hw_init = false; ++ + if (status == SDW_SLAVE_ATTACHED && slave->dev_num > 0) + return wsa883x_init(wsa883x); + diff --git a/queue-6.12/bridge-mcast-fix-use-after-free-during-router-port-configuration.patch b/queue-6.12/bridge-mcast-fix-use-after-free-during-router-port-configuration.patch new file mode 100644 index 0000000000..f70f36f01f --- /dev/null +++ b/queue-6.12/bridge-mcast-fix-use-after-free-during-router-port-configuration.patch 
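Review bot: The new `hw_init` field in `struct wsa883x_priv` has no comment, although its lifecycle is split across two functions: it is set at the end of `wsa883x_init()` and cleared in `wsa883x_update_status()`. I would document it at the declaration, e.g. `bool hw_init; /* set after a successful wsa883x_init(); cleared on SDW_SLAVE_UNATTACHED */`. The flag is read and written with no locking visible in these hunks, so it is worth confirming that update_status() callbacks for one slave cannot run concurrently. Both functions continue outside the hunks shown.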
@@ -0,0 +1,179 @@ +From 7544f3f5b0b58c396f374d060898b5939da31709 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Thu, 19 Jun 2025 21:22:28 +0300 +Subject: bridge: mcast: Fix use-after-free during router port configuration + +From: Ido Schimmel + +commit 7544f3f5b0b58c396f374d060898b5939da31709 upstream. + +The bridge maintains a global list of ports behind which a multicast +router resides. The list is consulted during forwarding to ensure +multicast packets are forwarded to these ports even if the ports are not +member in the matching MDB entry. + +When per-VLAN multicast snooping is enabled, the per-port multicast +context is disabled on each port and the port is removed from the global +router port list: + + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 + # ip link add name dummy1 up master br1 type dummy + # ip link set dev dummy1 type bridge_slave mcast_router 2 + $ bridge -d mdb show | grep router + router ports on br1: dummy1 + # ip link set dev br1 type bridge mcast_vlan_snooping 1 + $ bridge -d mdb show | grep router + +However, the port can be re-added to the global list even when per-VLAN +multicast snooping is enabled: + + # ip link set dev dummy1 type bridge_slave mcast_router 0 + # ip link set dev dummy1 type bridge_slave mcast_router 2 + $ bridge -d mdb show | grep router + router ports on br1: dummy1 + +Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement +br_multicast_{enable, disable}_port functions"), when per-VLAN multicast +snooping is enabled, multicast disablement on a port will disable the +per-{port, VLAN} multicast contexts and not the per-port one. As a +result, a port will remain in the global router port list even after it +is deleted. 
This will lead to a use-after-free [1] when the list is +traversed (when adding a new port to the list, for example): + + # ip link del dev dummy1 + # ip link add name dummy2 up master br1 type dummy + # ip link set dev dummy2 type bridge_slave mcast_router 2 + +Similarly, stale entries can also be found in the per-VLAN router port +list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} +contexts are disabled on each port and the port is removed from the +per-VLAN router port list: + + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 + # ip link add name dummy1 up master br1 type dummy + # bridge vlan add vid 2 dev dummy1 + # bridge vlan global set vid 2 dev br1 mcast_snooping 1 + # bridge vlan set vid 2 dev dummy1 mcast_router 2 + $ bridge vlan global show dev br1 vid 2 | grep router + router ports: dummy1 + # ip link set dev br1 type bridge mcast_vlan_snooping 0 + $ bridge vlan global show dev br1 vid 2 | grep router + +However, the port can be re-added to the per-VLAN list even when +per-VLAN multicast snooping is disabled: + + # bridge vlan set vid 2 dev dummy1 mcast_router 0 + # bridge vlan set vid 2 dev dummy1 mcast_router 2 + $ bridge vlan global show dev br1 vid 2 | grep router + router ports: dummy1 + +When the VLAN is deleted from the port, the per-{port, VLAN} multicast +context will not be disabled since multicast snooping is not enabled +on the VLAN. As a result, the port will remain in the per-VLAN router +port list even after it is no longer member in the VLAN. This will lead +to a use-after-free [2] when the list is traversed (when adding a new +port to the list, for example): + + # ip link add name dummy2 up master br1 type dummy + # bridge vlan add vid 2 dev dummy2 + # bridge vlan del vid 2 dev dummy1 + # bridge vlan set vid 2 dev dummy2 mcast_router 2 + +Fix these issues by removing the port from the relevant (global or +per-VLAN) router port list in br_multicast_port_ctx_deinit(). 
The +function is invoked during port deletion with the per-port multicast +context and during VLAN deletion with the per-{port, VLAN} multicast +context. + +Note that deleting the multicast router timer is not enough as it only +takes care of the temporary multicast router states (1 or 3) and not the +permanent one (2). + +[1] +BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 +Write of size 8 at addr ffff888004a67328 by task ip/384 +[...] +Call Trace: + + dump_stack_lvl+0x6f/0xa0 + print_address_description.constprop.0+0x6f/0x350 + print_report+0x108/0x205 + kasan_report+0xdf/0x110 + br_multicast_add_router.part.0+0x3f1/0x560 + br_multicast_set_port_router+0x74e/0xac0 + br_setport+0xa55/0x1870 + br_port_slave_changelink+0x95/0x120 + __rtnl_newlink+0x5e8/0xa40 + rtnl_newlink+0x627/0xb00 + rtnetlink_rcv_msg+0x6fb/0xb70 + netlink_rcv_skb+0x11f/0x350 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + __sys_sendmsg+0x124/0x1c0 + do_syscall_64+0xbb/0x360 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] +BUG: KASAN: slab-use-after-free in br_multicast_add_router.part.0+0x378/0x560 +Read of size 8 at addr ffff888009f00840 by task bridge/391 +[...] 
+Call Trace: + + dump_stack_lvl+0x6f/0xa0 + print_address_description.constprop.0+0x6f/0x350 + print_report+0x108/0x205 + kasan_report+0xdf/0x110 + br_multicast_add_router.part.0+0x378/0x560 + br_multicast_set_port_router+0x6f9/0xac0 + br_vlan_process_options+0x8b6/0x1430 + br_vlan_rtm_process_one+0x605/0xa30 + br_vlan_rtm_process+0x396/0x4c0 + rtnetlink_rcv_msg+0x2f7/0xb70 + netlink_rcv_skb+0x11f/0x350 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + __sys_sendmsg+0x124/0x1c0 + do_syscall_64+0xbb/0x360 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: 2796d846d74a ("net: bridge: vlan: convert mcast router global option to per-vlan entry") +Fixes: 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions") +Reported-by: syzbot+7bfa4b72c6a5da128d32@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/684c18bd.a00a0220.279073.000b.GAE@google.com/T/ +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20250619182228.1656906-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2014,10 +2014,19 @@ void br_multicast_port_ctx_init(struct n + + void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pmctx) + { ++ struct net_bridge *br = pmctx->port->br; ++ bool del = false; ++ + #if IS_ENABLED(CONFIG_IPV6) + del_timer_sync(&pmctx->ip6_mc_router_timer); + #endif + del_timer_sync(&pmctx->ip4_mc_router_timer); ++ ++ spin_lock_bh(&br->multicast_lock); ++ del |= br_ip6_multicast_rport_del(pmctx); ++ del |= br_ip4_multicast_rport_del(pmctx); ++ br_multicast_rport_del_notify(pmctx, del); ++ spin_unlock_bh(&br->multicast_lock); + } + + int br_multicast_add_port(struct net_bridge_port *port) 
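Review bot: The block added to `br_multicast_port_ctx_deinit()` has no comment saying why explicit list removal is needed on top of the timer deletion; that reasoning exists only in the commit message. A line such as `/* Timers only expire temporary router state; a permanent router port must be unlinked here or it outlives pmctx */` above `spin_lock_bh(&br->multicast_lock);` would keep the use-after-free rationale next to the code. Separately, the timers are stopped before `multicast_lock` is taken, so the fix appears to rely on callers guaranteeing that nothing can re-arm a router timer or re-add the port in that window. If that holds, stating it in the same comment would help future backports.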
diff --git a/queue-6.12/drm-amd-display-mark-static-functions-noinline_for_stack.patch b/queue-6.12/drm-amd-display-mark-static-functions-noinline_for_stack.patch
new file mode 100644
index 0000000000..97102ac699
--- /dev/null
+++ b/queue-6.12/drm-amd-display-mark-static-functions-noinline_for_stack.patch
@@ -0,0 +1,175 @@ +From a8d42cd228ec41ad99c50a270db82f0dd9127a28 Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Thu, 9 Jan 2025 05:35:04 +0000 +Subject: drm/amd/display: mark static functions noinline_for_stack + +From: Tzung-Bi Shih + +commit a8d42cd228ec41ad99c50a270db82f0dd9127a28 upstream. + +When compiling allmodconfig (CONFIG_WERROR=y) with clang-19, see the +following errors: + +.../display/dc/dml2/display_mode_core.c:6268:13: warning: stack frame size (3128) exceeds limit (3072) in 'dml_prefetch_check' [-Wframe-larger-than] +.../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:7236:13: warning: stack frame size (3256) exceeds limit (3072) in 'dml_core_mode_support' [-Wframe-larger-than] + +Mark static functions called by dml_prefetch_check() and +dml_core_mode_support() noinline_for_stack to avoid them become huge +functions and thus exceed the frame size limit. + +A way to reproduce: +$ git checkout next-20250107 +$ mkdir build_dir +$ export PATH=/tmp/llvm-19.1.6-x86_64/bin:$PATH +$ make LLVM=1 O=build_dir allmodconfig +$ make LLVM=1 O=build_dir drivers/gpu/drm/ -j + +The way how it chose static functions to mark: +[0] Unset CONFIG_WERROR in build_dir/.config. +To get display_mode_core.o without errors. + +[1] Get a function list called by dml_prefetch_check(). +$ sed -n '6268,6711p' drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c \ + | sed -n -r 's/.*\W(\w+)\(.*/\1/p' | sort -u >/tmp/syms + +[2] Get the non-inline function list. +Objdump won't show the symbols if they are inline functions. + +$ make LLVM=1 O=build_dir drivers/gpu/drm/ -j +$ objdump -d build_dir/.../display_mode_core.o | \ + ./scripts/checkstack.pl x86_64 0 | \ + grep -f /tmp/syms | cut -d' ' -f2- >/tmp/orig + +[3] Get the full function list. +Append "-fno-inline" to `CFLAGS_.../display_mode_core.o` in +drivers/gpu/drm/amd/display/dc/dml2/Makefile. 
+ +$ make LLVM=1 O=build_dir drivers/gpu/drm/ -j +$ objdump -d build_dir/.../display_mode_core.o | \ + ./scripts/checkstack.pl x86_64 0 | \ + grep -f /tmp/syms | cut -d' ' -f2- >/tmp/noinline + +[4] Get the inline function list. +If a symbol only in /tmp/noinline but not in /tmp/orig, it is a good +candidate to mark noinline. + +$ diff /tmp/orig /tmp/noinline + +Chosen functions and their stack sizes: +CalculateBandwidthAvailableForImmediateFlip [display_mode_core.o]:144 +CalculateExtraLatency [display_mode_core.o]:176 +CalculateTWait [display_mode_core.o]:64 +CalculateVActiveBandwithSupport [display_mode_core.o]:112 +set_calculate_prefetch_schedule_params [display_mode_core.o]:48 + +CheckGlobalPrefetchAdmissibility [dml2_core_dcn4_calcs.o]:544 +calculate_bandwidth_available [dml2_core_dcn4_calcs.o]:320 +calculate_vactive_det_fill_latency [dml2_core_dcn4_calcs.o]:272 +CalculateDCFCLKDeepSleep [dml2_core_dcn4_calcs.o]:208 +CalculateODMMode [dml2_core_dcn4_calcs.o]:208 +CalculateOutputLink [dml2_core_dcn4_calcs.o]:176 + +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Alex Deucher +[nathan: Fix conflicts in dml2_core_dcn4_calcs.c] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c | 12 +++++----- + drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 8 +++--- + 2 files changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c +@@ -1736,7 +1736,7 @@ static void CalculateBytePerPixelAndBloc + #endif + } // CalculateBytePerPixelAndBlockSizes + +-static dml_float_t CalculateTWait( ++static noinline_for_stack dml_float_t CalculateTWait( + dml_uint_t PrefetchMode, + enum dml_use_mall_for_pstate_change_mode UseMALLForPStateChange, + dml_bool_t SynchronizeDRRDisplaysForUCLKPStateChangeFinal, +@@ -4458,7 +4458,7 @@ static void CalculateSwathWidth( + } + } // 
CalculateSwathWidth + +-static dml_float_t CalculateExtraLatency( ++static noinline_for_stack dml_float_t CalculateExtraLatency( + dml_uint_t RoundTripPingLatencyCycles, + dml_uint_t ReorderingBytes, + dml_float_t DCFCLK, +@@ -5915,7 +5915,7 @@ static dml_uint_t DSCDelayRequirement( + return DSCDelayRequirement_val; + } + +-static dml_bool_t CalculateVActiveBandwithSupport(dml_uint_t NumberOfActiveSurfaces, ++static noinline_for_stack dml_bool_t CalculateVActiveBandwithSupport(dml_uint_t NumberOfActiveSurfaces, + dml_float_t ReturnBW, + dml_bool_t NotUrgentLatencyHiding[], + dml_float_t ReadBandwidthLuma[], +@@ -6019,7 +6019,7 @@ static void CalculatePrefetchBandwithSup + #endif + } + +-static dml_float_t CalculateBandwidthAvailableForImmediateFlip( ++static noinline_for_stack dml_float_t CalculateBandwidthAvailableForImmediateFlip( + dml_uint_t NumberOfActiveSurfaces, + dml_float_t ReturnBW, + dml_float_t ReadBandwidthLuma[], +@@ -6213,7 +6213,7 @@ static dml_uint_t CalculateMaxVStartup( + return max_vstartup_lines; + } + +-static void set_calculate_prefetch_schedule_params(struct display_mode_lib_st *mode_lib, ++static noinline_for_stack void set_calculate_prefetch_schedule_params(struct display_mode_lib_st *mode_lib, + struct CalculatePrefetchSchedule_params_st *CalculatePrefetchSchedule_params, + dml_uint_t j, + dml_uint_t k) +@@ -6265,7 +6265,7 @@ static void set_calculate_prefetch_sched + CalculatePrefetchSchedule_params->Tno_bw = &mode_lib->ms.Tno_bw[k]; + } + +-static void dml_prefetch_check(struct display_mode_lib_st *mode_lib) ++static noinline_for_stack void dml_prefetch_check(struct display_mode_lib_st *mode_lib) + { + struct dml_core_mode_support_locals_st *s = &mode_lib->scratch.dml_core_mode_support_locals; + struct CalculatePrefetchSchedule_params_st *CalculatePrefetchSchedule_params = &mode_lib->scratch.CalculatePrefetchSchedule_params; +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c ++++ 
b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c +@@ -2774,7 +2774,7 @@ static double dml_get_return_bandwidth_a + return return_bw_mbps; + } + +-static void calculate_bandwidth_available( ++static noinline_for_stack void calculate_bandwidth_available( + double avg_bandwidth_available_min[dml2_core_internal_soc_state_max], + double avg_bandwidth_available[dml2_core_internal_soc_state_max][dml2_core_internal_bw_max], + double urg_bandwidth_available_min[dml2_core_internal_soc_state_max], // min between SDP and DRAM +@@ -4066,7 +4066,7 @@ static bool ValidateODMMode(enum dml2_od + return true; + } + +-static void CalculateODMMode( ++static noinline_for_stack void CalculateODMMode( + unsigned int MaximumPixelsPerLinePerDSCUnit, + unsigned int HActive, + enum dml2_output_format_class OutFormat, +@@ -4164,7 +4164,7 @@ static void CalculateODMMode( + #endif + } + +-static void CalculateOutputLink( ++static noinline_for_stack void CalculateOutputLink( + struct dml2_core_internal_scratch *s, + double PHYCLK, + double PHYCLKD18, +@@ -6731,7 +6731,7 @@ static void calculate_bytes_to_fetch_req + } + } + +-static void calculate_vactive_det_fill_latency( ++static noinline_for_stack void calculate_vactive_det_fill_latency( + const struct dml2_display_cfg *display_cfg, + unsigned int num_active_planes, + unsigned int bytes_required_l[], diff --git a/queue-6.12/hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch b/queue-6.12/hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch new file mode 100644 index 0000000000..9668ea493c --- /dev/null +++ b/queue-6.12/hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch 
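Review bot: The functions annotated in the hunks do not match the "Chosen functions" list in the description. `dml_prefetch_check()` itself gains `noinline_for_stack` in display_mode_core.c although it is not listed, while `CheckGlobalPrefetchAdmissibility` and `CalculateDCFCLKDeepSleep` are listed for dml2_core_dcn4_calcs.c but no hunk here touches them. The `[nathan: Fix conflicts in dml2_core_dcn4_calcs.c]` tag presumably accounts for the latter, but it does not say which annotations were dropped. I would name them in that tag and confirm that the `-Wframe-larger-than` warning for `dml_core_mode_support` no longer fires on the 6.12 tree with the reduced set.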
@@ -0,0 +1,55 @@ +From f28beb69c51517aec7067dfb2074e7c751542384 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Mon, 15 Dec 2025 12:57:21 +0100 +Subject: HID: usbhid: paper over wrong bNumDescriptor field + +From: Benjamin Tissoires + +commit f28beb69c51517aec7067dfb2074e7c751542384 upstream. + +Some faulty devices (ZWO EFWmini) have a wrong optional HID class +descriptor count compared to the provided length. + +Given that we plainly ignore those optional descriptor, we can attempt +to fix the provided number so we do not lock out those devices. + +Signed-off-by: Benjamin Tissoires +Cc: Salvatore Bonaccorso +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/usbhid/hid-core.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -985,6 +985,7 @@ static int usbhid_parse(struct hid_devic + struct usb_device *dev = interface_to_usbdev (intf); + struct hid_descriptor *hdesc; + struct hid_class_descriptor *hcdesc; ++ __u8 fixed_opt_descriptors_size; + u32 quirks = 0; + unsigned int rsize = 0; + char *rdesc; +@@ -1015,7 +1016,21 @@ static int usbhid_parse(struct hid_devic + (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) { + dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n", + hdesc->bLength, hdesc->bNumDescriptors); +- return -EINVAL; ++ ++ /* ++ * Some devices may expose a wrong number of descriptors compared ++ * to the provided length. ++ * However, we ignore the optional hid class descriptors entirely ++ * so we can safely recompute the proper field. ++ */ ++ if (hdesc->bLength >= sizeof(*hdesc)) { ++ fixed_opt_descriptors_size = hdesc->bLength - sizeof(*hdesc); ++ ++ hid_warn(intf, "fixing wrong optional hid class descriptors count\n"); ++ hdesc->bNumDescriptors = fixed_opt_descriptors_size / sizeof(*hcdesc) + 1; ++ } else { ++ return -EINVAL; ++ } + } + + hid->version = le16_to_cpu(hdesc->bcdHID); 
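Review bot: In `usbhid_parse()`, the fix-up branch recomputes `hdesc->bNumDescriptors` purely from the device-supplied `hdesc->bLength` and writes it back into the descriptor. Its safety therefore depends on `bLength` already having been bounded against the bytes actually read, which is not visible in this hunk. I would extend the new comment with that precondition, e.g. `* bLength is assumed to have been validated against the extra descriptor buffer by the lookup above.`, after confirming it holds in the 6.12 tree. The `hid_warn()` also omits the values that the preceding `dbg_hid()` prints; adding the original and recomputed counts would make a malformed device easier to triage from logs. `usbhid_parse()` begins and ends outside the hunk.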
diff --git a/queue-6.12/io_uring-move-local-task_work-in-exit-cancel-loop.patch b/queue-6.12/io_uring-move-local-task_work-in-exit-cancel-loop.patch
new file mode 100644
index 0000000000..19537f6ce4
--- /dev/null
+++ b/queue-6.12/io_uring-move-local-task_work-in-exit-cancel-loop.patch
@@ -0,0 +1,62 @@ +From da579f05ef0faada3559e7faddf761c75cdf85e1 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Wed, 14 Jan 2026 16:54:05 +0800 +Subject: io_uring: move local task_work in exit cancel loop + +From: Ming Lei + +commit da579f05ef0faada3559e7faddf761c75cdf85e1 upstream. + +With IORING_SETUP_DEFER_TASKRUN, task work is queued to ctx->work_llist +(local work) rather than the fallback list. During io_ring_exit_work(), +io_move_task_work_from_local() was called once before the cancel loop, +moving work from work_llist to fallback_llist. + +However, task work can be added to work_llist during the cancel loop +itself. There are two cases: + +1) io_kill_timeouts() is called from io_uring_try_cancel_requests() to +cancel pending timeouts, and it adds task work via io_req_queue_tw_complete() +for each cancelled timeout: + +2) URING_CMD requests like ublk can be completed via +io_uring_cmd_complete_in_task() from ublk_queue_rq() during canceling, +given ublk request queue is only quiesced when canceling the 1st uring_cmd. + +Since io_allowed_defer_tw_run() returns false in io_ring_exit_work() +(kworker != submitter_task), io_run_local_work() is never invoked, +and the work_llist entries are never processed. This causes +io_uring_try_cancel_requests() to loop indefinitely, resulting in +100% CPU usage in kworker threads. + +Fix this by moving io_move_task_work_from_local() inside the cancel +loop, ensuring any work on work_llist is moved to fallback before +each cancel attempt. 
+ +Cc: stable@vger.kernel.org +Fixes: c0e0d6ba25f1 ("io_uring: add IORING_SETUP_DEFER_TASKRUN") +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2904,11 +2904,11 @@ static __cold void io_ring_exit_work(str + mutex_unlock(&ctx->uring_lock); + } + +- if (ctx->flags & IORING_SETUP_DEFER_TASKRUN) +- io_move_task_work_from_local(ctx); +- +- while (io_uring_try_cancel_requests(ctx, NULL, true)) ++ do { ++ if (ctx->flags & IORING_SETUP_DEFER_TASKRUN) ++ io_move_task_work_from_local(ctx); + cond_resched(); ++ } while (io_uring_try_cancel_requests(ctx, NULL, true)); + + if (ctx->sq_data) { + struct io_sq_data *sqd = ctx->sq_data; diff --git a/queue-6.12/series b/queue-6.12/series index b14aacc9bc..a36bb5a32d 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -56,3 +56,8 @@ phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch selftests-landlock-properly-close-a-file-descriptor.patch dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch +hid-usbhid-paper-over-wrong-bnumdescriptor-field.patch +bridge-mcast-fix-use-after-free-during-router-port-configuration.patch +asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch +drm-amd-display-mark-static-functions-noinline_for_stack.patch +io_uring-move-local-task_work-in-exit-cancel-loop.patch -- 2.47.3
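Review bot: The rewritten loop in `io_ring_exit_work()` has no comment explaining why `io_move_task_work_from_local()` must run on every pass, so a later cleanup could easily hoist it back out of the loop. I would add above `do {` something like `/* cancel can queue new local task_work (timeouts, uring_cmd); this kworker cannot run it, so move it to the fallback list on each pass */`. The loop still has no bound of its own and ends only when `io_uring_try_cancel_requests()` returns false, so the comment should say that termination relies on all pending work being reachable from the fallback list. The function continues outside the hunk.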