From 82ba2110481e6a3eeacc0c94143baf4b0e67ae31 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 8 Feb 2026 08:56:11 -0500 Subject: [PATCH] Fixes for all trees Signed-off-by: Sasha Levin --- ...-add-hp-laptop-15s-eq1xxx-mute-led-q.patch | 37 ++ ...-fix-headset-mic-for-tongfang-x6ar55.patch | 39 ++ ...fix-memory-leak-in-acp3x-pdm-dma-ops.patch | 37 ++ ...-fix-reference-leak-in-davinci_evm_p.patch | 113 ++++ ...40-propagate-error-codes-during-prob.patch | 43 ++ ...ix-aux-stat-accumulation-destination.patch | 36 + ...hid_quirk_always_poll-to-edifier-qr3.patch | 56 ++ ...d-reset-enum_devices_done-before-enu.patch | 49 ++ ...dd-mt_quirk_sticky_fingers-to-mt_cls.patch | 42 ++ ...nother-chicony-hp-5mp-cameras-to-hid.patch | 51 ++ ...-mark-occ_init_attribute-as-__printf.patch | 42 ++ ...r-recovery-in-macvlan_common_newlink.patch | 99 +++ ...-off-by-one-error-in-pf-setup_nic_de.patch | 61 ++ ...-off-by-one-error-in-vf-setup_nic_de.patch | 50 ++ ...tialize-netdev-pointer-before-queue-.patch | 98 +++ ...upport-devices-with-virtual-driver-c.patch | 44 ++ ...dd-an-helper-to-free-the-cmd-buffers.patch | 110 ++++ ...unds-checks-in-nvmet_tcp_build_pdu_i.patch | 77 +++ ...map-pages-which-can-t-come-from-high.patch | 192 ++++++ ...mory-leak-when-performing-a-controll.patch | 46 ++ ...egression-in-data_digest-calculation.patch | 87 +++ ...el_telemetry-fix-pss-event-register-.patch | 48 ++ ...hiba_haps-fix-memory-leaks-in-add-re.patch | 42 ++ ...d-softlockup-in-ring_buffer_resize-d.patch | 69 ++ ...i-fix-use-after-free-in-iscsit_dec_c.patch | 51 ++ ...i-fix-use-after-free-in-iscsit_dec_s.patch | 53 ++ queue-5.10/series | 32 + ...e_sensitive-for-session-key-material.patch | 51 ++ ...x-bitrate-calculation-overflow-for-h.patch | 59 ++ ...llect-station-statistics-earlier-whe.patch | 54 ++ ...n-t-increment-crypto_tx_tailroom_nee.patch | 49 ++ ...b-skip-rx_no_sta-when-interface-is-n.patch | 44 ++ ...-ensure-skb-headroom-before-skb_push.patch | 42 ++ ...-add-hp-laptop-15s-eq1xxx-mute-led-q.patch | 37 ++ ...-fix-headset-mic-for-tongfang-x6ar55.patch | 39 ++ ...fix-memory-leak-in-acp3x-pdm-dma-ops.patch | 37 ++ ...-fix-reference-leak-in-davinci_evm_p.patch | 113 ++++ ...40-propagate-error-codes-during-prob.patch | 43 ++ ...ix-aux-stat-accumulation-destination.patch | 36 + ...-bounds-check-for-if_id-in-irq-handl.patch | 47 ++ ...vent-zero_size_ptr-dereference-when-.patch | 55 ++ ...hid_quirk_always_poll-to-edifier-qr3.patch | 56 ++ ...d-reset-enum_devices_done-before-enu.patch | 49 ++ ...dd-mt_quirk_sticky_fingers-to-mt_cls.patch | 42 ++ ...center-initial-joystick-axes-to-prev.patch | 66 ++ ...nother-chicony-hp-5mp-cameras-to-hid.patch | 51 ++ ...-mark-occ_init_attribute-as-__printf.patch | 42 ++ ...r-recovery-in-macvlan_common_newlink.patch | 99 +++ ...-off-by-one-error-in-pf-setup_nic_de.patch | 61 ++ ...-off-by-one-error-in-vf-setup_nic_de.patch | 50 ++ ...tialize-netdev-pointer-before-queue-.patch | 98 +++ ...upport-devices-with-virtual-driver-c.patch | 44 ++ ...les-fix-inverted-genmask-check-in-nf.patch | 72 ++ .../netfilter-replace-eexist-with-ebusy.patch | 84 +++ ...dd-an-helper-to-free-the-cmd-buffers.patch | 110 ++++ ...unds-checks-in-nvmet_tcp_build_pdu_i.patch | 77 +++ ...map-pages-which-can-t-come-from-high.patch | 192 ++++++ ...mory-leak-when-performing-a-controll.patch | 46 ++ ...egression-in-data_digest-calculation.patch | 87 +++ ...el_telemetry-fix-pss-event-register-.patch | 48 ++ ...hiba_haps-fix-memory-leaks-in-add-re.patch | 42 ++ ...d-softlockup-in-ring_buffer_resize-d.patch | 69 ++ ...i-fix-use-after-free-in-iscsit_dec_c.patch | 51 ++ ...i-fix-use-after-free-in-iscsit_dec_s.patch | 53 ++ queue-5.15/series | 38 ++ ...ksmbd_session_rpc_close-on-error-pat.patch | 47 ++ ...e_sensitive-for-session-key-material.patch | 51 ++ ...x-bitrate-calculation-overflow-for-h.patch | 59 ++ ...llect-station-statistics-earlier-whe.patch | 54 ++ ...n-t-increment-crypto_tx_tailroom_nee.patch | 49 ++ ...b-skip-rx_no_sta-when-interface-is-n.patch | 44 ++ ...-ensure-skb-headroom-before-skb_push.patch | 42 ++ ...-add-hp-laptop-15s-eq1xxx-mute-led-q.patch | 37 ++ ...-fix-headset-mic-for-tongfang-x6ar55.patch | 39 ++ ...fix-memory-leak-in-acp3x-pdm-dma-ops.patch | 37 ++ ...-fix-reference-leak-in-davinci_evm_p.patch | 113 ++++ ...40-propagate-error-codes-during-prob.patch | 43 ++ ...ix-aux-stat-accumulation-destination.patch | 36 + ...ation-leak-in-some-error-paths-when-.patch | 70 ++ ...-bounds-check-for-if_id-in-irq-handl.patch | 47 ++ ...vent-zero_size_ptr-dereference-when-.patch | 55 ++ ...mgag200-fix-mgag200_bmc_stop_scanout.patch | 215 ++++++ ...hid_quirk_always_poll-to-edifier-qr3.patch | 56 ++ ...potential-buffer-overflow-in-i2c_hid.patch | 46 ++ ...d-reset-enum_devices_done-before-enu.patch | 49 ++ ...d-update-ishtp-bus-match-to-support-.patch | 49 ++ ...dd-mt_quirk_sticky_fingers-to-mt_cls.patch | 42 ++ ...center-initial-joystick-axes-to-prev.patch | 66 ++ ...nother-chicony-hp-5mp-cameras-to-hid.patch | 51 ++ ...-mark-occ_init_attribute-as-__printf.patch | 42 ++ ...-exception-fixup-for-specific-ade-su.patch | 58 ++ ...rrect-protection_map-for-vm_none-vm_.patch | 51 ++ ...r-recovery-in-macvlan_common_newlink.patch | 99 +++ ...ouch-dev-stats-in-bpf-redirect-paths.patch | 69 ++ ...-off-by-one-error-in-pf-setup_nic_de.patch | 61 ++ ...-off-by-one-error-in-vf-setup_nic_de.patch | 50 ++ ...tialize-netdev-pointer-before-queue-.patch | 98 +++ ...upport-devices-with-virtual-driver-c.patch | 44 ++ ...les-fix-inverted-genmask-check-in-nf.patch | 72 ++ .../netfilter-replace-eexist-with-ebusy.patch | 84 +++ ...c-release-admin-tagset-if-init-fails.patch | 52 ++ ...el_telemetry-fix-pss-event-register-.patch | 48 ++ ...hiba_haps-fix-memory-leaks-in-add-re.patch | 42 ++ ...d-softlockup-in-ring_buffer_resize-d.patch | 69 ++ ...i-fix-use-after-free-in-iscsit_dec_c.patch | 51 ++ ...i-fix-use-after-free-in-iscsit_dec_s.patch | 53 ++ queue-6.1/series | 42 ++ ...nt-fix-memory-leak-in-smb2_open_file.patch | 72 ++ ...ksmbd_session_rpc_close-on-error-pat.patch | 47 ++ ...e_sensitive-for-session-key-material.patch | 51 ++ ...x-bitrate-calculation-overflow-for-h.patch | 59 ++ ...llect-station-statistics-earlier-whe.patch | 54 ++ ...n-t-increment-crypto_tx_tailroom_nee.patch | 49 ++ ...b-skip-rx_no_sta-when-interface-is-n.patch | 44 ++ ...-ensure-skb-headroom-before-skb_push.patch | 42 ++ ...-add-hp-laptop-15s-eq1xxx-mute-led-q.patch | 37 ++ ...ek-add-quirk-for-acer-nitro-an517-55.patch | 38 ++ ...-alc269-fixup-for-lenovo-yoga-book-9.patch | 101 +++ ...-fix-headset-mic-for-tongfang-x6ar55.patch | 39 ++ ...ix-broken-logic-in-snd_audigy2nx_led.patch | 52 ++ ...fix-memory-leak-in-acp3x-pdm-dma-ops.patch | 37 ++ ...md-yc-fix-microphone-on-asus-m6500re.patch | 41 ++ ...-fix-reference-leak-in-davinci_evm_p.patch | 113 ++++ ...-utils-check-device-node-before-over.patch | 42 ++ ...40-propagate-error-codes-during-prob.patch | 43 ++ ...ix-aux-stat-accumulation-destination.patch | 36 + ...ation-leak-in-some-error-paths-when-.patch | 68 ++ ...-transactions-if-the-fs-is-fully-rea.patch | 144 ++++ ...-bounds-check-for-if_id-in-irq-handl.patch | 47 ++ ...vent-zero_size_ptr-dereference-when-.patch | 55 ++ ...fix-wrong-color-value-mapping-on-mcm.patch | 62 ++ ...le-mmio-access-during-smu-mode-1-res.patch | 92 +++ ...mgag200-fix-mgag200_bmc_stop_scanout.patch | 216 ++++++ ...void-missing-outer-rpm-warning-on-sy.patch | 59 ++ ...e-d3cold-for-bmg-only-on-specific-pl.patch | 61 ++ ...y-fix-topology-query-pointer-advance.patch | 47 ++ ...hid_quirk_always_poll-to-edifier-qr3.patch | 56 ++ ...potential-buffer-overflow-in-i2c_hid.patch | 46 ++ ...d-reset-enum_devices_done-before-enu.patch | 49 ++ ...d-update-ishtp-bus-match-to-support-.patch | 49 ++ ...-hid-support-for-logitech-mx-anywher.patch | 38 ++ ...dd-mt_quirk_sticky_fingers-to-mt_cls.patch | 42 ++ ...center-initial-joystick-axes-to-prev.patch | 66 ++ ...nother-chicony-hp-5mp-cameras-to-hid.patch | 51 ++ ...-mark-occ_init_attribute-as-__printf.patch | 42 ++ ...bling-count-mismatch-when-clearing-r.patch | 93 +++ ...-exception-fixup-for-specific-ade-su.patch | 58 ++ ...rrect-protection_map-for-vm_none-vm_.patch | 51 ++ ...r-recovery-in-macvlan_common_newlink.patch | 99 +++ ...-while-updating-raid_disks-via-sysfs.patch | 66 ++ ...dd-skb_header_pointer_careful-helper.patch | 50 ++ ...ouch-dev-stats-in-bpf-redirect-paths.patch | 69 ++ ...-adin1110-check-return-value-of-devm.patch | 48 ++ .../net-gro-fix-outer-network-offset.patch | 52 ++ ...-off-by-one-error-in-pf-setup_nic_de.patch | 61 ++ ...-off-by-one-error-in-vf-setup_nic_de.patch | 50 ++ ...tialize-netdev-pointer-before-queue-.patch | 98 +++ .../net-phy-add-phy_interface_copy.patch | 42 ++ .../net-phy-add-phy_interface_weight.patch | 38 ++ ...s_u32-use-skb_header_pointer_careful.patch | 70 ++ ...sfp-quirks-to-modify-struct-sfp_modu.patch | 160 +++++ ...k-for-ubiquiti-u-fiber-instant-sfp-m.patch | 55 ++ ...net-sfp-pre-parse-the-module-support.patch | 225 +++++++ ...-usb-r8152-fix-resume-reset-deadlock.patch | 107 +++ ...upport-devices-with-virtual-driver-c.patch | 44 ++ ...les-fix-inverted-genmask-check-in-nf.patch | 72 ++ .../netfilter-replace-eexist-with-ebusy.patch | 84 +++ ...c-release-admin-tagset-if-init-fails.patch | 52 ++ ...-hang-in-nvmet_tcp_listen_data_ready.patch | 51 ++ ...ove-aspm-l0s-support-for-msm8996-soc.patch | 61 ++ ...p-bioscfg-skip-empty-attribute-names.patch | 46 ++ ...el-tpmi-plr-make-the-file-domain-n-s.patch | 41 ++ ...el_telemetry-fix-pss-event-register-.patch | 48 ++ ...hiba_haps-fix-memory-leaks-in-add-re.patch | 42 ++ ...-free-entry-on-mas_store_gfp-failure.patch | 51 ++ ...d-softlockup-in-ring_buffer_resize-d.patch | 69 ++ ...yscall-table-indexing-under-speculat.patch | 41 ++ ...i-fix-use-after-free-in-iscsit_dec_c.patch | 51 ++ ...i-fix-use-after-free-in-iscsit_dec_s.patch | 53 ++ queue-6.12/series | 76 +++ ...nt-fix-memory-leak-in-smb2_open_file.patch | 72 ++ ...ksmbd_session_rpc_close-on-error-pat.patch | 47 ++ ...efcount-leak-in-parse_durable_handle.patch | 36 + ...erver-fix-refcount-leak-in-smb2_open.patch | 41 ++ ...-fixed-the-wrong-debugfs-node-name-i.patch | 49 ++ ...e_sensitive-for-session-key-material.patch | 51 ++ ...x-bitrate-calculation-overflow-for-h.patch | 59 ++ ...llect-station-statistics-earlier-whe.patch | 54 ++ ...211-correctly-check-if-csa-is-active.patch | 52 ++ ...n-t-increment-crypto_tx_tailroom_nee.patch | 49 ++ ...b-skip-rx_no_sta-when-interface-is-n.patch | 44 ++ ...-ensure-skb-headroom-before-skb_push.patch | 42 ++ ...-add-hp-laptop-15s-eq1xxx-mute-led-q.patch | 37 ++ ...ek-add-quirk-for-acer-nitro-an517-55.patch | 38 ++ ...-alc269-fixup-for-lenovo-yoga-book-9.patch | 101 +++ ...-fix-headset-mic-for-tongfang-x6ar55.patch | 39 ++ ...tas2781-add-newly-released-hp-laptop.patch | 45 ++ ...dd-delay-quirk-for-moondrop-moonrive.patch | 43 ++ ...ix-broken-logic-in-snd_audigy2nx_led.patch | 52 ++ ...o-prevent-excessive-number-of-frames.patch | 55 ++ ...fix-memory-leak-in-acp3x-pdm-dma-ops.patch | 37 ++ ...md-yc-fix-microphone-on-asus-m6500re.patch | 41 ++ ...-fix-reference-leak-in-davinci_evm_p.patch | 113 ++++ ...dw-add-new-quirks-for-ptl-on-dell-wi.patch | 43 ++ ...-utils-check-device-node-before-over.patch | 42 ++ ...40-propagate-error-codes-during-prob.patch | 43 ++ ...ix-aux-stat-accumulation-destination.patch | 36 + ...e-data-reservation-in-fallback-from-.patch | 47 ++ ...ation-leak-in-some-error-paths-when-.patch | 68 ++ ...-uninitialized-warning-in-replay_one.patch | 51 ++ ...-transactions-if-the-fs-is-fully-rea.patch | 144 ++++ ...c-read-disk-super-and-set-block-size.patch | 80 +++ ...ma-fix-race-condition-in-mmp_pdma_re.patch | 85 +++ ...-bounds-check-for-if_id-in-irq-handl.patch | 47 ++ ...vent-zero_size_ptr-dereference-when-.patch | 55 ++ ...fix-wrong-color-value-mapping-on-mcm.patch | 62 ++ ...reduce-number-of-arguments-of-dcn30-.patch | 613 ++++++++++++++++++ ...le-mmio-access-during-smu-mode-1-res.patch | 92 +++ ...mgag200-fix-mgag200_bmc_stop_scanout.patch | 216 ++++++ ...-fix-cfi-violation-in-debugfs-access.patch | 82 +++ ...e-d3cold-for-bmg-only-on-specific-pl.patch | 61 ++ ...y-fix-topology-query-pointer-advance.patch | 47 ++ ...factor-out-common-debugfs-string-rea.patch | 131 ++++ ...rate-limit-log-messages-in-kunit-bui.patch | 389 +++++++++++ ...bit-fix-incorrect-null-check-after-d.patch | 37 ++ ...hid_quirk_always_poll-to-edifier-qr3.patch | 56 ++ ...dd-support-for-elecom-m-xt3drbk-018c.patch | 120 ++++ ...potential-buffer-overflow-in-i2c_hid.patch | 46 ++ ...d-reset-enum_devices_done-before-enu.patch | 49 ++ ...d-update-ishtp-bus-match-to-support-.patch | 49 ++ ...d-intel-thc-add-safety-check-for-rea.patch | 40 ++ ...-hid-support-for-logitech-mx-anywher.patch | 38 ++ ...dd-mt_quirk_sticky_fingers-to-mt_cls.patch | 42 ++ ...center-initial-joystick-axes-to-prev.patch | 66 ++ ...nother-chicony-hp-5mp-cameras-to-hid.patch | 51 ++ ..._meter-fix-deadlocks-related-to-acpi.patch | 114 ++++ ...dd-dell-g15-5510-to-fan-control-whit.patch | 49 ++ ...-mark-occ_init_attribute-as-__printf.patch | 42 ++ ...nnel_get_rx_info-call-from-i40e_open.patch | 62 ++ ...unnel_get_rx_info-call-from-ndo_open.patch | 63 ++ ...tx-timestamps-interrupts-on-e825-dev.patch | 74 +++ ...-pointer-dereference-during-vsi-rebu.patch | 152 +++++ ...-missing-timestamps-on-e825-hardware.patch | 436 +++++++++++++ ...-potentially-allocated-iovec-on-cach.patch | 68 ++ ..._nowait-for-overflow-cqes-on-legacy-.patch | 39 ++ .../io_uring-zcrx-fix-page-array-leak.patch | 35 + ...bling-count-mismatch-when-clearing-r.patch | 93 +++ ...-__dev_put-in-callers-to-prevent-uaf.patch | 142 ++++ ...-exception-fixup-for-specific-ade-su.patch | 58 ++ ...rrect-protection_map-for-vm_none-vm_.patch | 51 ++ ...r-recovery-in-macvlan_common_newlink.patch | 99 +++ ...-while-updating-raid_disks-via-sysfs.patch | 66 ++ ...per-rcu-protection-to-proc-net-ptype.patch | 194 ++++++ ...dd-skb_header_pointer_careful-helper.patch | 50 ++ ...ouch-dev-stats-in-bpf-redirect-paths.patch | 69 ++ ...t-16-bit-register-reads-to-32-bit-fo.patch | 82 +++ ...t-16-bit-register-writes-to-32-bit-f.patch | 55 ++ ...-cbdr-cacheability-axi-settings-for-.patch | 45 ++ ...-si-bdr-cacheability-axi-settings-fo.patch | 52 ++ ...-adin1110-check-return-value-of-devm.patch | 48 ++ .../net-gro-fix-outer-network-offset.patch | 52 ++ ...-off-by-one-error-in-pf-setup_nic_de.patch | 61 ++ ...-off-by-one-error-in-vf-setup_nic_de.patch | 50 ++ ...tialize-netdev-pointer-before-queue-.patch | 98 +++ ...rting-rxh_xfrm_no_change-as-input_xf.patch | 88 +++ ...s_u32-use-skb_header_pointer_careful.patch | 70 ++ ...k-for-ubiquiti-u-fiber-instant-sfp-m.patch | 55 ++ ...-usb-r8152-fix-resume-reset-deadlock.patch | 107 +++ ...upport-devices-with-virtual-driver-c.patch | 44 ++ ...les-fix-inverted-genmask-check-in-nf.patch | 72 ++ .../netfilter-replace-eexist-with-ebusy.patch | 84 +++ ...c-release-admin-tagset-if-init-fails.patch | 52 ++ ...changing-device-dma-map-requirements.patch | 107 +++ ...-hang-in-nvmet_tcp_listen_data_ready.patch | 51 ++ ...ove-aspm-l0s-support-for-msm8996-soc.patch | 61 ++ ...x86-dell-lis3lv02d-add-latitude-5400.patch | 77 +++ ...p-bioscfg-skip-empty-attribute-names.patch | 46 ++ ...el-tpmi-plr-make-the-file-domain-n-s.patch | 41 ++ ...el_telemetry-fix-pss-event-register-.patch | 48 ++ ...hiba_haps-fix-memory-leaks-in-add-re.patch | 42 ++ ...-free-entry-on-mas_store_gfp-failure.patch | 51 ++ ...isplay-pause-the-workload-setting-in.patch | 77 +++ ...d-softlockup-in-ring_buffer_resize-d.patch | 69 ++ ...yscall-table-indexing-under-speculat.patch | 41 ++ ...fix-snapshot-deadlock-with-sbi-ecall.patch | 84 +++ ...-variable-for-output-in-__get_user_a.patch | 67 ++ ...i-fix-use-after-free-in-iscsit_dec_c.patch | 51 ++ ...i-fix-use-after-free-in-iscsit_dec_s.patch | 53 ++ queue-6.18/series | 115 ++++ ...nt-fix-memory-leak-in-smb2_open_file.patch | 72 ++ ...ksmbd_session_rpc_close-on-error-pat.patch | 47 ++ ...efcount-leak-in-parse_durable_handle.patch | 36 + ...erver-fix-refcount-leak-in-smb2_open.patch | 41 ++ ...-fixed-the-wrong-debugfs-node-name-i.patch | 49 ++ ...d-support-for-nova-lake-spi-serial-f.patch | 37 ++ ...e_sensitive-for-session-key-material.patch | 51 ++ ...id-possible-signed-64-bit-truncation.patch | 47 ++ ...x-bitrate-calculation-overflow-for-h.patch | 59 ++ ...lement-settime64-as-stub-for-mvm-mld.patch | 95 +++ ...iwlwifi-mld-cancel-mlo_scan_start_wk.patch | 58 ++ ...iwlwifi-mvm-pause-tcm-on-fast-resume.patch | 59 ++ ...llect-station-statistics-earlier-whe.patch | 54 ++ ...211-correctly-check-if-csa-is-active.patch | 52 ++ ...n-t-increment-crypto_tx_tailroom_nee.patch | 49 ++ ...n-t-warn-for-connections-on-invalid-.patch | 46 ++ ...b-skip-rx_no_sta-when-interface-is-n.patch | 44 ++ ...-ensure-skb-headroom-before-skb_push.patch | 42 ++ ...6-sev-disable-gcov-on-noinstr-object.patch | 43 ++ ...-add-hp-laptop-15s-eq1xxx-mute-led-q.patch | 37 ++ ...-fix-headset-mic-for-tongfang-x6ar55.patch | 39 ++ ...fix-memory-leak-in-acp3x-pdm-dma-ops.patch | 37 ++ ...md-yc-fix-microphone-on-asus-m6500re.patch | 41 ++ ...-fix-reference-leak-in-davinci_evm_p.patch | 113 ++++ ...40-propagate-error-codes-during-prob.patch | 43 ++ ...ix-aux-stat-accumulation-destination.patch | 36 + ...ation-leak-in-some-error-paths-when-.patch | 70 ++ ...-bounds-check-for-if_id-in-irq-handl.patch | 47 ++ ...vent-zero_size_ptr-dereference-when-.patch | 55 ++ ...mgag200-fix-mgag200_bmc_stop_scanout.patch | 215 ++++++ ...hid_quirk_always_poll-to-edifier-qr3.patch | 56 ++ ...potential-buffer-overflow-in-i2c_hid.patch | 46 ++ ...d-reset-enum_devices_done-before-enu.patch | 49 ++ ...d-update-ishtp-bus-match-to-support-.patch | 49 ++ ...dd-mt_quirk_sticky_fingers-to-mt_cls.patch | 42 ++ ...center-initial-joystick-axes-to-prev.patch | 66 ++ ...nother-chicony-hp-5mp-cameras-to-hid.patch | 51 ++ ...-mark-occ_init_attribute-as-__printf.patch | 42 ++ ...bling-count-mismatch-when-clearing-r.patch | 93 +++ ...-exception-fixup-for-specific-ade-su.patch | 58 ++ ...rrect-protection_map-for-vm_none-vm_.patch | 51 ++ ...r-recovery-in-macvlan_common_newlink.patch | 99 +++ ...dd-skb_header_pointer_careful-helper.patch | 50 ++ ...ouch-dev-stats-in-bpf-redirect-paths.patch | 69 ++ ...-adin1110-check-return-value-of-devm.patch | 48 ++ .../net-gro-fix-outer-network-offset.patch | 52 ++ ...-off-by-one-error-in-pf-setup_nic_de.patch | 61 ++ ...-off-by-one-error-in-vf-setup_nic_de.patch | 50 ++ ...tialize-netdev-pointer-before-queue-.patch | 98 +++ ...s_u32-use-skb_header_pointer_careful.patch | 70 ++ ...upport-devices-with-virtual-driver-c.patch | 44 ++ ...les-fix-inverted-genmask-check-in-nf.patch | 72 ++ .../netfilter-replace-eexist-with-ebusy.patch | 84 +++ ...c-release-admin-tagset-if-init-fails.patch | 52 ++ ...-hang-in-nvmet_tcp_listen_data_ready.patch | 51 ++ ...p-bioscfg-skip-empty-attribute-names.patch | 46 ++ ...el_telemetry-fix-pss-event-register-.patch | 48 ++ ...hiba_haps-fix-memory-leaks-in-add-re.patch | 42 ++ ...-free-entry-on-mas_store_gfp-failure.patch | 51 ++ ...d-softlockup-in-ring_buffer_resize-d.patch | 69 ++ ...i-fix-use-after-free-in-iscsit_dec_c.patch | 51 ++ ...i-fix-use-after-free-in-iscsit_dec_s.patch | 53 ++ queue-6.6/series | 55 ++ ...nt-fix-memory-leak-in-smb2_open_file.patch | 72 ++ ...ksmbd_session_rpc_close-on-error-pat.patch | 47 ++ ...efcount-leak-in-parse_durable_handle.patch | 36 + ...erver-fix-refcount-leak-in-smb2_open.patch | 41 ++ ...-fixed-the-wrong-debugfs-node-name-i.patch | 49 ++ ...e_sensitive-for-session-key-material.patch | 51 ++ ...x-bitrate-calculation-overflow-for-h.patch | 59 ++ ...llect-station-statistics-earlier-whe.patch | 54 ++ ...211-correctly-check-if-csa-is-active.patch | 52 ++ ...n-t-increment-crypto_tx_tailroom_nee.patch | 49 ++ ...b-skip-rx_no_sta-when-interface-is-n.patch | 44 ++ ...-ensure-skb-headroom-before-skb_push.patch | 42 ++ 364 files changed, 23785 insertions(+) create mode 100644 queue-5.10/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch create mode 100644 queue-5.10/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch create mode 100644 queue-5.10/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch create mode 100644 queue-5.10/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch create mode 100644 queue-5.10/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch create mode 100644 queue-5.10/block-bfq-fix-aux-stat-accumulation-destination.patch create mode 100644 queue-5.10/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch create mode 100644 queue-5.10/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch create mode 100644 queue-5.10/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch create mode 100644 queue-5.10/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch create mode 100644 queue-5.10/hwmon-occ-mark-occ_init_attribute-as-__printf.patch create mode 100644 queue-5.10/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch create mode 100644 queue-5.10/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch create mode 100644 queue-5.10/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch create mode 100644 queue-5.10/net-liquidio-initialize-netdev-pointer-before-queue-.patch create mode 100644 queue-5.10/net-usb-sr9700-support-devices-with-virtual-driver-c.patch create mode 100644 queue-5.10/nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch create mode 100644 queue-5.10/nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch create mode 100644 queue-5.10/nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch create mode 100644 queue-5.10/nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch create mode 100644 queue-5.10/nvmet-tcp-fix-regression-in-data_digest-calculation.patch create mode 100644 queue-5.10/platform-x86-intel_telemetry-fix-pss-event-register-.patch create mode 100644 queue-5.10/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch create mode 100644 queue-5.10/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch create mode 100644 queue-5.10/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch create mode 100644 queue-5.10/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch create mode 100644 queue-5.10/tipc-use-kfree_sensitive-for-session-key-material.patch create mode 100644 queue-5.10/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch create mode 100644 queue-5.10/wifi-mac80211-collect-station-statistics-earlier-whe.patch create mode 100644 queue-5.10/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch create mode 100644 queue-5.10/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch create mode 100644 queue-5.10/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch create mode 100644 queue-5.15/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch create mode 100644 queue-5.15/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch create mode 100644 queue-5.15/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch create mode 100644 queue-5.15/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch create mode 100644 queue-5.15/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch create mode 100644 queue-5.15/block-bfq-fix-aux-stat-accumulation-destination.patch create mode 100644 queue-5.15/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch create mode 100644 queue-5.15/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch create mode 100644 queue-5.15/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch create mode 100644 queue-5.15/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch create mode 100644 queue-5.15/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch create mode 100644 queue-5.15/hid-playstation-center-initial-joystick-axes-to-prev.patch create mode 100644 queue-5.15/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch create mode 100644 queue-5.15/hwmon-occ-mark-occ_init_attribute-as-__printf.patch create mode 100644 queue-5.15/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch create mode 100644 queue-5.15/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch create mode 100644 queue-5.15/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch create mode 100644 queue-5.15/net-liquidio-initialize-netdev-pointer-before-queue-.patch create mode 100644 queue-5.15/net-usb-sr9700-support-devices-with-virtual-driver-c.patch create mode 100644 queue-5.15/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch create mode 100644 queue-5.15/netfilter-replace-eexist-with-ebusy.patch create mode 100644 queue-5.15/nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch create mode 100644 queue-5.15/nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch create mode 100644 queue-5.15/nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch create mode 100644 queue-5.15/nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch create mode 100644 queue-5.15/nvmet-tcp-fix-regression-in-data_digest-calculation.patch create mode 100644 queue-5.15/platform-x86-intel_telemetry-fix-pss-event-register-.patch create mode 100644 queue-5.15/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch create mode 100644 queue-5.15/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch create mode 100644 queue-5.15/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch create mode 100644 queue-5.15/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch create mode 100644 queue-5.15/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch create mode 100644 queue-5.15/tipc-use-kfree_sensitive-for-session-key-material.patch create mode 100644 queue-5.15/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch create mode 100644 queue-5.15/wifi-mac80211-collect-station-statistics-earlier-whe.patch create mode 100644 queue-5.15/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch create mode 100644 queue-5.15/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch create mode 100644 queue-5.15/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch create mode 100644 queue-6.1/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch create mode 100644 queue-6.1/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch create mode 100644 queue-6.1/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch create mode 100644 queue-6.1/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch create mode 100644 queue-6.1/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch create mode 100644 queue-6.1/block-bfq-fix-aux-stat-accumulation-destination.patch create mode 100644 queue-6.1/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch create mode 100644 queue-6.1/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch create mode 100644 queue-6.1/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch create mode 100644 queue-6.1/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch create mode 100644 queue-6.1/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch create mode 100644 queue-6.1/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch create mode 100644 queue-6.1/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch create mode 100644 queue-6.1/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch create mode 100644 queue-6.1/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch create mode 100644 queue-6.1/hid-playstation-center-initial-joystick-axes-to-prev.patch create mode 100644 queue-6.1/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch create mode 100644 queue-6.1/hwmon-occ-mark-occ_init_attribute-as-__printf.patch create mode 100644 queue-6.1/loongarch-enable-exception-fixup-for-specific-ade-su.patch create mode 100644 queue-6.1/loongarch-set-correct-protection_map-for-vm_none-vm_.patch create mode 100644 queue-6.1/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch create mode 100644 queue-6.1/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch create mode 100644 queue-6.1/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch create mode 100644 queue-6.1/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch create mode 100644 queue-6.1/net-liquidio-initialize-netdev-pointer-before-queue-.patch create mode 100644 queue-6.1/net-usb-sr9700-support-devices-with-virtual-driver-c.patch create mode 100644 queue-6.1/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch create mode 100644 queue-6.1/netfilter-replace-eexist-with-ebusy.patch create mode 100644 queue-6.1/nvme-fc-release-admin-tagset-if-init-fails.patch create mode 100644 queue-6.1/platform-x86-intel_telemetry-fix-pss-event-register-.patch create mode 100644 queue-6.1/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch create mode 100644 queue-6.1/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch create mode 100644 queue-6.1/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch create mode 100644 queue-6.1/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch create mode 100644 queue-6.1/smb-client-fix-memory-leak-in-smb2_open_file.patch create mode 100644 queue-6.1/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch create mode 100644 queue-6.1/tipc-use-kfree_sensitive-for-session-key-material.patch create mode 100644 queue-6.1/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch create mode 100644 queue-6.1/wifi-mac80211-collect-station-statistics-earlier-whe.patch create mode 100644 queue-6.1/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch create mode 100644 queue-6.1/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch create mode 100644 queue-6.1/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch create mode 100644 queue-6.12/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch create mode 100644 queue-6.12/alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch create mode 100644 queue-6.12/alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch create mode 100644 queue-6.12/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch create mode 100644 queue-6.12/alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch create mode 100644 queue-6.12/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch create mode 100644 queue-6.12/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch create mode 100644 queue-6.12/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch create mode 100644 queue-6.12/asoc-simple-card-utils-check-device-node-before-over.patch create mode 100644 queue-6.12/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch create mode 100644 queue-6.12/block-bfq-fix-aux-stat-accumulation-destination.patch create mode 100644 queue-6.12/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch create mode 100644 queue-6.12/btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch create mode 100644 queue-6.12/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch create mode 100644 queue-6.12/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch create mode 100644 queue-6.12/drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch create mode 100644 queue-6.12/drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch create mode 100644 queue-6.12/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch create mode 100644 queue-6.12/drm-xe-pm-also-avoid-missing-outer-rpm-warning-on-sy.patch create mode 100644 queue-6.12/drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch create mode 100644 queue-6.12/drm-xe-query-fix-topology-query-pointer-advance.patch create mode 100644 queue-6.12/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch create mode 100644 queue-6.12/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch create mode 100644 queue-6.12/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch create mode 100644 queue-6.12/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch create mode 100644 queue-6.12/hid-logitech-add-hid-support-for-logitech-mx-anywher.patch create mode 100644 queue-6.12/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch create mode 100644 queue-6.12/hid-playstation-center-initial-joystick-axes-to-prev.patch create mode 100644 queue-6.12/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch create mode 100644 queue-6.12/hwmon-occ-mark-occ_init_attribute-as-__printf.patch create mode 100644 queue-6.12/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch create mode 100644 queue-6.12/loongarch-enable-exception-fixup-for-specific-ade-su.patch create mode 100644 queue-6.12/loongarch-set-correct-protection_map-for-vm_none-vm_.patch create mode 100644 queue-6.12/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch create mode 100644 queue-6.12/md-suspend-array-while-updating-raid_disks-via-sysfs.patch create mode 100644 queue-6.12/net-add-skb_header_pointer_careful-helper.patch create mode 100644 queue-6.12/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch create mode 100644 queue-6.12/net-ethernet-adi-adin1110-check-return-value-of-devm.patch create mode 100644 queue-6.12/net-gro-fix-outer-network-offset.patch create mode 100644 queue-6.12/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch create mode 100644 queue-6.12/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch create mode 100644 queue-6.12/net-liquidio-initialize-netdev-pointer-before-queue-.patch create mode 100644 queue-6.12/net-phy-add-phy_interface_copy.patch create mode 100644 queue-6.12/net-phy-add-phy_interface_weight.patch create mode 100644 queue-6.12/net-sched-cls_u32-use-skb_header_pointer_careful.patch create mode 100644 queue-6.12/net-sfp-convert-sfp-quirks-to-modify-struct-sfp_modu.patch create mode 100644 queue-6.12/net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch create mode 100644 queue-6.12/net-sfp-pre-parse-the-module-support.patch create mode 100644 queue-6.12/net-usb-r8152-fix-resume-reset-deadlock.patch create mode 100644 queue-6.12/net-usb-sr9700-support-devices-with-virtual-driver-c.patch create mode 100644 queue-6.12/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch create mode 100644 queue-6.12/netfilter-replace-eexist-with-ebusy.patch create mode 100644 queue-6.12/nvme-fc-release-admin-tagset-if-init-fails.patch create mode 100644 queue-6.12/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch create mode 100644 queue-6.12/pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch create mode 100644 queue-6.12/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch create mode 100644 queue-6.12/platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch create mode 100644 queue-6.12/platform-x86-intel_telemetry-fix-pss-event-register-.patch create mode 100644 queue-6.12/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch create mode 100644 queue-6.12/regmap-maple-free-entry-on-mas_store_gfp-failure.patch create mode 100644 queue-6.12/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch create mode 100644 queue-6.12/riscv-sanitize-syscall-table-indexing-under-speculat.patch create mode 100644 queue-6.12/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch create mode 100644 queue-6.12/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch create mode 100644 queue-6.12/smb-client-fix-memory-leak-in-smb2_open_file.patch create mode 100644 queue-6.12/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch create mode 100644 queue-6.12/smb-server-fix-refcount-leak-in-parse_durable_handle.patch create mode 100644 queue-6.12/smb-server-fix-refcount-leak-in-smb2_open.patch create mode 100644 queue-6.12/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch create mode 100644 queue-6.12/tipc-use-kfree_sensitive-for-session-key-material.patch create mode 100644 queue-6.12/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch create mode 100644 queue-6.12/wifi-mac80211-collect-station-statistics-earlier-whe.patch create mode 100644 queue-6.12/wifi-mac80211-correctly-check-if-csa-is-active.patch create mode 100644 queue-6.12/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch create mode 100644 queue-6.12/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch create mode 100644 queue-6.12/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch create mode 100644 queue-6.18/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch create mode 100644 queue-6.18/alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch create mode 100644 queue-6.18/alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch create mode 100644 queue-6.18/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch create mode 100644 queue-6.18/alsa-hda-tas2781-add-newly-released-hp-laptop.patch create mode 100644 queue-6.18/alsa-usb-audio-add-delay-quirk-for-moondrop-moonrive.patch create mode 100644 queue-6.18/alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch create mode 100644 queue-6.18/alsa-usb-audio-prevent-excessive-number-of-frames.patch create mode 100644 queue-6.18/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch create mode 100644 queue-6.18/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch create mode 100644 queue-6.18/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch create mode 100644 queue-6.18/asoc-intel-sof_sdw-add-new-quirks-for-ptl-on-dell-wi.patch create mode 100644 queue-6.18/asoc-simple-card-utils-check-device-node-before-over.patch create mode 100644 queue-6.18/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch create mode 100644 queue-6.18/block-bfq-fix-aux-stat-accumulation-destination.patch create mode 100644 queue-6.18/btrfs-do-not-free-data-reservation-in-fallback-from-.patch create mode 100644 queue-6.18/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch create mode 100644 queue-6.18/btrfs-fix-wmaybe-uninitialized-warning-in-replay_one.patch create mode 100644 queue-6.18/btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch create mode 100644 queue-6.18/btrfs-sync-read-disk-super-and-set-block-size.patch create mode 100644 queue-6.18/dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_re.patch create mode 100644 queue-6.18/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch create mode 100644 queue-6.18/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch create mode 100644 queue-6.18/drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch create mode 100644 queue-6.18/drm-amd-display-reduce-number-of-arguments-of-dcn30-.patch create mode 100644 queue-6.18/drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch create mode 100644 queue-6.18/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch create mode 100644 queue-6.18/drm-xe-guc-fix-cfi-violation-in-debugfs-access.patch create mode 100644 queue-6.18/drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch create mode 100644 queue-6.18/drm-xe-query-fix-topology-query-pointer-advance.patch create mode 100644 queue-6.18/firmware-cs_dsp-factor-out-common-debugfs-string-rea.patch create mode 100644 queue-6.18/firmware-cs_dsp-rate-limit-log-messages-in-kunit-bui.patch create mode 100644 queue-6.18/gpio-loongson-64bit-fix-incorrect-null-check-after-d.patch create mode 100644 queue-6.18/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch create mode 100644 queue-6.18/hid-elecom-add-support-for-elecom-m-xt3drbk-018c.patch create mode 100644 queue-6.18/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch create mode 100644 queue-6.18/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch create mode 100644 queue-6.18/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch create mode 100644 queue-6.18/hid-intel-thc-hid-intel-thc-add-safety-check-for-rea.patch create mode 100644 queue-6.18/hid-logitech-add-hid-support-for-logitech-mx-anywher.patch create mode 100644 queue-6.18/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch create mode 100644 queue-6.18/hid-playstation-center-initial-joystick-axes-to-prev.patch create mode 100644 queue-6.18/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch create mode 100644 queue-6.18/hwmon-acpi_power_meter-fix-deadlocks-related-to-acpi.patch create mode 100644 queue-6.18/hwmon-dell-smm-add-dell-g15-5510-to-fan-control-whit.patch create mode 100644 queue-6.18/hwmon-occ-mark-occ_init_attribute-as-__printf.patch create mode 100644 queue-6.18/i40e-drop-udp_tunnel_get_rx_info-call-from-i40e_open.patch create mode 100644 queue-6.18/ice-drop-udp_tunnel_get_rx_info-call-from-ndo_open.patch create mode 100644 queue-6.18/ice-fix-missing-tx-timestamps-interrupts-on-e825-dev.patch create mode 100644 queue-6.18/ice-fix-ptp-null-pointer-dereference-during-vsi-rebu.patch create mode 100644 queue-6.18/ice-ptp-fix-missing-timestamps-on-e825-hardware.patch create mode 100644 queue-6.18/io_uring-rw-free-potentially-allocated-iovec-on-cach.patch create mode 100644 queue-6.18/io_uring-use-gfp_nowait-for-overflow-cqes-on-legacy-.patch create mode 100644 queue-6.18/io_uring-zcrx-fix-page-array-leak.patch create mode 100644 queue-6.18/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch create mode 100644 queue-6.18/linkwatch-use-__dev_put-in-callers-to-prevent-uaf.patch create mode 100644 queue-6.18/loongarch-enable-exception-fixup-for-specific-ade-su.patch create mode 100644 queue-6.18/loongarch-set-correct-protection_map-for-vm_none-vm_.patch create mode 100644 queue-6.18/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch create mode 100644 queue-6.18/md-suspend-array-while-updating-raid_disks-via-sysfs.patch create mode 100644 queue-6.18/net-add-proper-rcu-protection-to-proc-net-ptype.patch create mode 100644 queue-6.18/net-add-skb_header_pointer_careful-helper.patch create mode 100644 queue-6.18/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch create mode 100644 queue-6.18/net-enetc-convert-16-bit-register-reads-to-32-bit-fo.patch create mode 100644 queue-6.18/net-enetc-convert-16-bit-register-writes-to-32-bit-f.patch create mode 100644 queue-6.18/net-enetc-remove-cbdr-cacheability-axi-settings-for-.patch create mode 100644 queue-6.18/net-enetc-remove-si-bdr-cacheability-axi-settings-fo.patch create mode 100644 queue-6.18/net-ethernet-adi-adin1110-check-return-value-of-devm.patch create mode 100644 queue-6.18/net-gro-fix-outer-network-offset.patch create mode 100644 queue-6.18/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch create mode 100644 queue-6.18/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch create mode 100644 queue-6.18/net-liquidio-initialize-netdev-pointer-before-queue-.patch create mode 100644 queue-6.18/net-rss-fix-reporting-rxh_xfrm_no_change-as-input_xf.patch create mode 100644 queue-6.18/net-sched-cls_u32-use-skb_header_pointer_careful.patch create mode 100644 queue-6.18/net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch create mode 100644 queue-6.18/net-usb-r8152-fix-resume-reset-deadlock.patch create mode 100644 queue-6.18/net-usb-sr9700-support-devices-with-virtual-driver-c.patch create mode 100644 queue-6.18/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch create mode 100644 queue-6.18/netfilter-replace-eexist-with-ebusy.patch create mode 100644 queue-6.18/nvme-fc-release-admin-tagset-if-init-fails.patch create mode 100644 queue-6.18/nvme-pci-handle-changing-device-dma-map-requirements.patch create mode 100644 queue-6.18/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch create mode 100644 queue-6.18/pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch create mode 100644 queue-6.18/platform-x86-dell-lis3lv02d-add-latitude-5400.patch create mode 100644 queue-6.18/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch create mode 100644 queue-6.18/platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch create mode 100644 queue-6.18/platform-x86-intel_telemetry-fix-pss-event-register-.patch create mode 100644 queue-6.18/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch create mode 100644 queue-6.18/regmap-maple-free-entry-on-mas_store_gfp-failure.patch create mode 100644 queue-6.18/revert-drm-amd-display-pause-the-workload-setting-in.patch create mode 100644 queue-6.18/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch create mode 100644 queue-6.18/riscv-sanitize-syscall-table-indexing-under-speculat.patch create mode 100644 queue-6.18/riscv-trace-fix-snapshot-deadlock-with-sbi-ecall.patch create mode 100644 queue-6.18/riscv-use-64-bit-variable-for-output-in-__get_user_a.patch create mode 100644 queue-6.18/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch create mode 100644 queue-6.18/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch create mode 100644 queue-6.18/smb-client-fix-memory-leak-in-smb2_open_file.patch create mode 100644 queue-6.18/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch create mode 100644 queue-6.18/smb-server-fix-refcount-leak-in-parse_durable_handle.patch create mode 100644 queue-6.18/smb-server-fix-refcount-leak-in-smb2_open.patch create mode 100644 queue-6.18/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch create mode 100644 queue-6.18/spi-intel-pci-add-support-for-nova-lake-spi-serial-f.patch create mode 100644 queue-6.18/tipc-use-kfree_sensitive-for-session-key-material.patch create mode 100644 queue-6.18/tracing-avoid-possible-signed-64-bit-truncation.patch create mode 100644 queue-6.18/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch create mode 100644 queue-6.18/wifi-iwlwifi-implement-settime64-as-stub-for-mvm-mld.patch create mode 100644 queue-6.18/wifi-iwlwifi-mld-cancel-mlo_scan_start_wk.patch create mode 100644 queue-6.18/wifi-iwlwifi-mvm-pause-tcm-on-fast-resume.patch create mode 100644 queue-6.18/wifi-mac80211-collect-station-statistics-earlier-whe.patch create mode 100644 queue-6.18/wifi-mac80211-correctly-check-if-csa-is-active.patch create mode 100644 queue-6.18/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch create mode 100644 queue-6.18/wifi-mac80211-don-t-warn-for-connections-on-invalid-.patch create mode 100644 queue-6.18/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch create mode 100644 queue-6.18/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch create mode 100644 queue-6.18/x86-sev-disable-gcov-on-noinstr-object.patch create mode 100644 queue-6.6/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch create mode 100644 queue-6.6/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch create mode 100644 queue-6.6/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch create mode 100644 queue-6.6/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch create mode 100644 queue-6.6/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch create mode 100644 queue-6.6/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch create mode 100644 queue-6.6/block-bfq-fix-aux-stat-accumulation-destination.patch create mode 100644 queue-6.6/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch create mode 100644 queue-6.6/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch create mode 100644 queue-6.6/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch create mode 100644 queue-6.6/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch create mode 100644 queue-6.6/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch create mode 100644 queue-6.6/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch create mode 100644 queue-6.6/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch create mode 100644 queue-6.6/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch create mode 100644 queue-6.6/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch create mode 100644 queue-6.6/hid-playstation-center-initial-joystick-axes-to-prev.patch create mode 100644 queue-6.6/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch create mode 100644 queue-6.6/hwmon-occ-mark-occ_init_attribute-as-__printf.patch create mode 100644 queue-6.6/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch create mode 100644 queue-6.6/loongarch-enable-exception-fixup-for-specific-ade-su.patch create mode 100644 queue-6.6/loongarch-set-correct-protection_map-for-vm_none-vm_.patch create mode 100644 queue-6.6/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch create mode 100644 queue-6.6/net-add-skb_header_pointer_careful-helper.patch create mode 100644 queue-6.6/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch create mode 100644 queue-6.6/net-ethernet-adi-adin1110-check-return-value-of-devm.patch create mode 100644 queue-6.6/net-gro-fix-outer-network-offset.patch create mode 100644 queue-6.6/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch create mode 100644 queue-6.6/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch create mode 100644 queue-6.6/net-liquidio-initialize-netdev-pointer-before-queue-.patch create mode 100644 queue-6.6/net-sched-cls_u32-use-skb_header_pointer_careful.patch create mode 100644 queue-6.6/net-usb-sr9700-support-devices-with-virtual-driver-c.patch create mode 100644 queue-6.6/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch create mode 100644 queue-6.6/netfilter-replace-eexist-with-ebusy.patch create mode 100644 queue-6.6/nvme-fc-release-admin-tagset-if-init-fails.patch create mode 100644 queue-6.6/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch create mode 100644 queue-6.6/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch create mode 100644 queue-6.6/platform-x86-intel_telemetry-fix-pss-event-register-.patch create mode 100644 queue-6.6/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch create mode 100644 queue-6.6/regmap-maple-free-entry-on-mas_store_gfp-failure.patch create mode 100644 queue-6.6/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch create mode 100644 queue-6.6/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch create mode 100644 queue-6.6/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch create mode 100644 queue-6.6/smb-client-fix-memory-leak-in-smb2_open_file.patch create mode 100644 queue-6.6/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch create mode 100644 queue-6.6/smb-server-fix-refcount-leak-in-parse_durable_handle.patch create mode 100644 queue-6.6/smb-server-fix-refcount-leak-in-smb2_open.patch create mode 100644 queue-6.6/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch create mode 100644 queue-6.6/tipc-use-kfree_sensitive-for-session-key-material.patch create mode 100644 queue-6.6/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch create mode 100644 queue-6.6/wifi-mac80211-collect-station-statistics-earlier-whe.patch create mode 100644 queue-6.6/wifi-mac80211-correctly-check-if-csa-is-active.patch create mode 100644 queue-6.6/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch create mode 100644 queue-6.6/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch create mode 100644 queue-6.6/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch diff --git a/queue-5.10/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch b/queue-5.10/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch new file mode 100644 index 0000000000..fdda101a11 --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch @@ -0,0 +1,37 @@ +From cad280a021fc4a40b9239d76f064bd58f0e8efef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 02:53:36 +0300 +Subject: ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk + +From: Ruslan Krupitsa + +[ Upstream commit 9ed7a28225af02b74f61e7880d460db49db83758 ] + +HP Laptop 15s-eq1xxx with ALC236 codec does not enable the +mute LED automatically. This patch adds a quirk entry for +subsystem ID 0x8706 using the ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 +fixup, enabling correct mute LED behavior. + +Signed-off-by: Ruslan Krupitsa +Link: https://patch.msgid.link/AS8P194MB112895B8EC2D87D53A876085BBBAA@AS8P194MB1128.EURP194.PROD.OUTLOOK.COM +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index a9c71f38710ed..a8f530037033e 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9270,6 +9270,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x863e, "HP Spectre x360 15-df1xxx", ALC285_FIXUP_HP_SPECTRE_X360_DF1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), ++ SND_PCI_QUIRK(0x103c, 0x8706, "HP Laptop 15s-eq1xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), +-- +2.51.0 + diff --git a/queue-5.10/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch b/queue-5.10/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch new file mode 100644 index 0000000000..7b86ca40ab --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch @@ -0,0 +1,39 @@ +From 301871891511231be84cc61494b47cedea705a1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 16:15:55 +0100 +Subject: ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU + +From: Tim Guttzeit + +[ Upstream commit b48fe9af1e60360baf09ca6b7a3cd6541f16e611 ] + +Add a PCI quirk to enable microphone detection on the headphone jack of +TongFang X6AR55xU devices. + +Signed-off-by: Tim Guttzeit +Signed-off-by: Werner Sembach +Link: https://patch.msgid.link/20260119151626.35481-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index a8f530037033e..b8c7f4c8593ba 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10052,6 +10052,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x12, 0x90a60140}, + {0x19, 0x04a11030}, + {0x21, 0x04211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0274, 0x1d05, "TongFang", ALC274_FIXUP_HP_HEADSET_MIC, ++ {0x17, 0x90170110}, ++ {0x19, 0x03a11030}, ++ {0x21, 0x03211020}), + SND_HDA_PIN_QUIRK(0x10ec0282, 0x1025, "Acer", ALC282_FIXUP_ACER_DISABLE_LINEOUT, + ALC282_STANDARD_PINS, + {0x12, 0x90a609c0}, +-- +2.51.0 + diff --git a/queue-5.10/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch b/queue-5.10/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch new file mode 100644 index 0000000000..cf080690eb --- /dev/null +++ b/queue-5.10/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch @@ -0,0 +1,37 @@ +From d4079c5f8cc2a9e8de480da8a4e7ea0ed3bd0598 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 20:50:33 +0000 +Subject: ASoC: amd: fix memory leak in acp3x pdm dma ops + +From: Chris Bainbridge + +[ Upstream commit 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 ] + +Fixes: 4a767b1d039a8 ("ASoC: amd: add acp3x pdm driver dma ops") +Signed-off-by: Chris Bainbridge +Link: https://patch.msgid.link/20260202205034.7697-1-chris.bainbridge@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/renoir/acp3x-pdm-dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/amd/renoir/acp3x-pdm-dma.c b/sound/soc/amd/renoir/acp3x-pdm-dma.c +index 7dcca3674295e..ca794c2b272d6 100644 +--- a/sound/soc/amd/renoir/acp3x-pdm-dma.c ++++ b/sound/soc/amd/renoir/acp3x-pdm-dma.c +@@ -308,9 +308,11 @@ static int acp_pdm_dma_close(struct snd_soc_component *component, + struct snd_pcm_substream *substream) + { + struct pdm_dev_data *adata = dev_get_drvdata(component->dev); ++ struct pdm_stream_instance *rtd = substream->runtime->private_data; + + disable_pdm_interrupts(adata->acp_base); + adata->capture_stream = NULL; ++ kfree(rtd); + return 0; + } + +-- +2.51.0 + diff --git a/queue-5.10/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch b/queue-5.10/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch new file mode 100644 index 0000000000..b7a25b3df3 --- /dev/null +++ b/queue-5.10/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch @@ -0,0 +1,113 @@ +From 42ef91bb6608bbc644a77c9b67968d1ea298e257 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 23:48:37 +0800 +Subject: ASoC: davinci-evm: Fix reference leak in davinci_evm_probe + +From: Kery Qi + +[ Upstream commit 5b577d214fcc109707bcb77b4ae72a31cfd86798 ] + +The davinci_evm_probe() function calls of_parse_phandle() to acquire +device nodes for "ti,audio-codec" and "ti,mcasp-controller". These +functions return device nodes with incremented reference counts. + +However, in several error paths (e.g., when the second of_parse_phandle(), +snd_soc_of_parse_card_name(), or devm_snd_soc_register_card() fails), +the function returns directly without releasing the acquired nodes, +leading to reference leaks. + +This patch adds an error handling path 'err_put' to properly release +the device nodes using of_node_put() and clean up the pointers when +an error occurs. + +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260107154836.1521-2-qikeyu2017@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/davinci-evm.c | 39 ++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/ti/davinci-evm.c b/sound/soc/ti/davinci-evm.c +index 105e56ab9cdc2..745c79cf739df 100644 +--- a/sound/soc/ti/davinci-evm.c ++++ b/sound/soc/ti/davinci-evm.c +@@ -405,27 +405,32 @@ static int davinci_evm_probe(struct platform_device *pdev) + return -EINVAL; + + dai->cpus->of_node = of_parse_phandle(np, "ti,mcasp-controller", 0); +- if (!dai->cpus->of_node) +- return -EINVAL; ++ if (!dai->cpus->of_node) { ++ ret = -EINVAL; ++ goto err_put; ++ } + + dai->platforms->of_node = dai->cpus->of_node; + + evm_soc_card.dev = &pdev->dev; + ret = snd_soc_of_parse_card_name(&evm_soc_card, "ti,model"); + if (ret) +- return ret; ++ goto err_put; + + mclk = devm_clk_get(&pdev->dev, "mclk"); + if (PTR_ERR(mclk) == -EPROBE_DEFER) { +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto err_put; + } else if (IS_ERR(mclk)) { + dev_dbg(&pdev->dev, "mclk not found.\n"); + mclk = NULL; + } + + drvdata = devm_kzalloc(&pdev->dev, sizeof(*drvdata), GFP_KERNEL); +- if (!drvdata) +- return -ENOMEM; ++ if (!drvdata) { ++ ret = -ENOMEM; ++ goto err_put; ++ } + + drvdata->mclk = mclk; + +@@ -435,7 +440,8 @@ static int davinci_evm_probe(struct platform_device *pdev) + if (!drvdata->mclk) { + dev_err(&pdev->dev, + "No clock or clock rate defined.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put; + } + drvdata->sysclk = clk_get_rate(drvdata->mclk); + } else if (drvdata->mclk) { +@@ -451,8 +457,25 @@ static int davinci_evm_probe(struct platform_device *pdev) + snd_soc_card_set_drvdata(&evm_soc_card, drvdata); + ret = devm_snd_soc_register_card(&pdev->dev, &evm_soc_card); + +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "snd_soc_register_card failed (%d)\n", ret); ++ goto err_put; ++ } ++ ++ return ret; ++ ++err_put: ++ dai->platforms->of_node = NULL; ++ ++ if (dai->cpus->of_node) { ++ of_node_put(dai->cpus->of_node); ++ dai->cpus->of_node = NULL; ++ } ++ ++ if (dai->codecs->of_node) { ++ of_node_put(dai->codecs->of_node); ++ dai->codecs->of_node = NULL; ++ } + + return ret; + } +-- +2.51.0 + diff --git a/queue-5.10/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch b/queue-5.10/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch new file mode 100644 index 0000000000..ee2f9d5e3c --- /dev/null +++ b/queue-5.10/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch @@ -0,0 +1,43 @@ +From dcda3debd94f3e17ae8adce98a7c854123145bd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:46 +0100 +Subject: ASoC: tlv320adcx140: Propagate error codes during probe + +From: Dimitrios Katsaros + +[ Upstream commit d89aad92cfd15edbd704746f44c98fe687f9366f ] + +When scanning for the reset pin, we could get an -EPROBE_DEFER. +The driver would assume that no reset pin had been defined, +which would mean that the chip would never be powered. + +Now we both respect any error we get from devm_gpiod_get_optional. +We also now properly report the missing GPIO definition when +'gpio_reset' is NULL. + +Signed-off-by: Dimitrios Katsaros +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-3-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index c7a591ee25900..6e4dbf93c6996 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -1096,6 +1096,9 @@ static int adcx140_i2c_probe(struct i2c_client *i2c, + adcx140->gpio_reset = devm_gpiod_get_optional(adcx140->dev, + "reset", GPIOD_OUT_LOW); + if (IS_ERR(adcx140->gpio_reset)) ++ return dev_err_probe(&i2c->dev, PTR_ERR(adcx140->gpio_reset), ++ "Failed to get Reset GPIO\n"); ++ if (!adcx140->gpio_reset) + dev_info(&i2c->dev, "Reset GPIO not defined\n"); + + adcx140->supply_areg = devm_regulator_get_optional(adcx140->dev, +-- +2.51.0 + diff --git a/queue-5.10/block-bfq-fix-aux-stat-accumulation-destination.patch b/queue-5.10/block-bfq-fix-aux-stat-accumulation-destination.patch new file mode 100644 index 0000000000..6df5fafb5c --- /dev/null +++ b/queue-5.10/block-bfq-fix-aux-stat-accumulation-destination.patch @@ -0,0 +1,36 @@ +From 28998ce67621558a43c80721a39a3f34a667a7bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 21:04:26 +0800 +Subject: block,bfq: fix aux stat accumulation destination + +From: shechenglong + +[ Upstream commit 04bdb1a04d8a2a89df504c1e34250cd3c6e31a1c ] + +Route bfqg_stats_add_aux() time accumulation into the destination +stats object instead of the source, aligning with other stat fields. + +Reviewed-by: Yu Kuai +Signed-off-by: shechenglong +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index 1f9ccc661d574..14341376702e6 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -387,7 +387,7 @@ static void bfqg_stats_add_aux(struct bfqg_stats *to, struct bfqg_stats *from) + blkg_rwstat_add_aux(&to->merged, &from->merged); + blkg_rwstat_add_aux(&to->service_time, &from->service_time); + blkg_rwstat_add_aux(&to->wait_time, &from->wait_time); +- bfq_stat_add_aux(&from->time, &from->time); ++ bfq_stat_add_aux(&to->time, &from->time); + bfq_stat_add_aux(&to->avg_queue_size_sum, &from->avg_queue_size_sum); + bfq_stat_add_aux(&to->avg_queue_size_samples, + &from->avg_queue_size_samples); +-- +2.51.0 + diff --git a/queue-5.10/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch b/queue-5.10/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch new file mode 100644 index 0000000000..d836bec147 --- /dev/null +++ b/queue-5.10/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch @@ -0,0 +1,56 @@ +From 2b9f2338fcae39f7af9ce6b5bf37a5f849264f51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 19:03:57 -0300 +Subject: HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodrigo Lugathe da Conceição Alves + +[ Upstream commit 85a866809333cd2bf8ddac93d9a3e3ba8e4f807d ] + +The USB speaker has a bug that causes it to reboot when changing the +brightness using the physical knob. + +Add a new vendor and product ID entry in hid-ids.h, and register +the corresponding device in hid-quirks.c with the required quirk. + +Signed-off-by: Rodrigo Lugathe da Conceição Alves +Reviewed-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index a933e8a94b1e3..174090489072d 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -397,6 +397,9 @@ + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002 0xc002 + ++#define USB_VENDOR_ID_EDIFIER 0x2d99 ++#define USB_DEVICE_ID_EDIFIER_QR30 0xa101 /* EDIFIER Hal0 2.0 SE */ ++ + #define USB_VENDOR_ID_ELAN 0x04f3 + #define USB_DEVICE_ID_TOSHIBA_CLICK_L9W 0x0401 + #define USB_DEVICE_ID_HP_X2 0x074d +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index dffec116b8fad..85d81b07b6d47 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -81,6 +81,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER), HID_QUIRK_MULTI_INPUT | HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_EDIFIER, USB_DEVICE_ID_EDIFIER_QR30), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_EMS, USB_DEVICE_ID_EMS_TRIO_LINKER_PLUS_II), HID_QUIRK_MULTI_INPUT }, +-- +2.51.0 + diff --git a/queue-5.10/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch b/queue-5.10/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch new file mode 100644 index 0000000000..7e20701503 --- /dev/null +++ b/queue-5.10/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch @@ -0,0 +1,49 @@ +From 6290841b30fe90e03cda9d5b7c62ba792f7612fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 10:51:50 +0800 +Subject: HID: intel-ish-hid: Reset enum_devices_done before enumeration + +From: Zhang Lixu + +[ Upstream commit 56e230723e3a818373bd62331bccb1c6d2b3881b ] + +Some systems have enabled ISH without any sensors. In this case sending +HOSTIF_DM_ENUM_DEVICES results in 0 sensors. This triggers ISH hardware +reset on subsequent enumeration after S3/S4 resume. + +The enum_devices_done flag was not reset before sending the +HOSTIF_DM_ENUM_DEVICES command. On subsequent enumeration calls (such as +after S3/S4 resume), this flag retains its previous true value, causing the +wait loop to be skipped and returning prematurely to hid_ishtp_cl_init(). +If 0 HID devices are found, hid_ishtp_cl_init() skips getting HID device +descriptors and sets init_done to true. When the delayed enumeration +response arrives with init_done already true, the driver treats it as a bad +packet and triggers an ISH hardware reset. + +Set enum_devices_done to false before sending the enumeration command, +consistent with similar functions like ishtp_get_hid_descriptor() and +ishtp_get_report_descriptor() which reset their respective flags. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp-hid-client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +index 6ba944b40fdb4..751eec63cea42 100644 +--- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c ++++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +@@ -488,6 +488,7 @@ static int ishtp_enum_enum_devices(struct ishtp_cl *hid_ishtp_cl) + int rv; + + /* Send HOSTIF_DM_ENUM_DEVICES */ ++ client_data->enum_devices_done = false; + memset(&msg, 0, sizeof(struct hostif_msg)); + msg.hdr.command = HOSTIF_DM_ENUM_DEVICES; + rv = ishtp_cl_send(hid_ishtp_cl, (unsigned char *)&msg, +-- +2.51.0 + diff --git a/queue-5.10/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch b/queue-5.10/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch new file mode 100644 index 0000000000..c5972587ff --- /dev/null +++ b/queue-5.10/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch @@ -0,0 +1,42 @@ +From 6b4a1e096be8206feb740073f76fc9aa9250000f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Dec 2025 14:34:36 +0100 +Subject: HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL + +From: DaytonCL + +[ Upstream commit ff3f234ff1dcd6d626a989151db067a1b7f0f215 ] + +Some VTL-class touchpads (e.g. TOPS0102:00 35CC:0104) intermittently +fail to release a finger contact. A previous slot remains logically +active, accompanied by stale BTN_TOOL_DOUBLETAP state, causing +gestures to stay latched and resulting in stuck two-finger +scrolling and false right-clicks. + +Apply MT_QUIRK_STICKY_FINGERS to handle the unreleased contact correctly. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1225 +Suggested-by: Benjamin Tissoires +Tested-by: DaytonCL +Signed-off-by: DaytonCL +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 5d966acbb0fd4..1f1e4a383a85a 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -349,6 +349,7 @@ static const struct mt_class mt_classes[] = { + { .name = MT_CLS_VTL, + .quirks = MT_QUIRK_ALWAYS_VALID | + MT_QUIRK_CONTACT_CNT_ACCURATE | ++ MT_QUIRK_STICKY_FINGERS | + MT_QUIRK_FORCE_GET_FEATURE, + }, + { .name = MT_CLS_GOOGLE, +-- +2.51.0 + diff --git a/queue-5.10/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch b/queue-5.10/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch new file mode 100644 index 0000000000..f22db22b9e --- /dev/null +++ b/queue-5.10/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch @@ -0,0 +1,51 @@ +From 77f45d2d293ed9f1ad8b04ef30534ed54bd1054b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 06:56:43 +0000 +Subject: HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list + +From: Chris Chiu + +[ Upstream commit c06bc3557542307b9658fbd43cc946a14250347b ] + +Another Chicony Electronics HP 5MP Camera with USB ID 04F2:B882 +reports a HID sensor interface that is not actually implemented. + +Add the device to the HID ignore list so the bogus sensor is never +exposed to userspace. Then the system won't hang when runtime PM +tries to wake the unresponsive device. + +Signed-off-by: Chris Chiu +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 8850a5e5ae0e9..a933e8a94b1e3 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -280,6 +280,7 @@ + #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c ++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3 0xb882 + + #define USB_VENDOR_ID_CHUNGHWAT 0x2247 + #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 0d15148d52533..dffec116b8fad 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -738,6 +738,7 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) }, +-- +2.51.0 + diff --git a/queue-5.10/hwmon-occ-mark-occ_init_attribute-as-__printf.patch b/queue-5.10/hwmon-occ-mark-occ_init_attribute-as-__printf.patch new file mode 100644 index 0000000000..ccc7220983 --- /dev/null +++ b/queue-5.10/hwmon-occ-mark-occ_init_attribute-as-__printf.patch @@ -0,0 +1,42 @@ +From 1b83b7ea63b08cc4fa79d6679d5ebe0b2d284477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 17:34:36 +0100 +Subject: hwmon: (occ) Mark occ_init_attribute() as __printf + +From: Arnd Bergmann + +[ Upstream commit 831a2b27914cc880130ffe8fb8d1e65a5324d07f ] + +This is a printf-style function, which gcc -Werror=suggest-attribute=format +correctly points out: + +drivers/hwmon/occ/common.c: In function 'occ_init_attribute': +drivers/hwmon/occ/common.c:761:9: error: function 'occ_init_attribute' might be a candidate for 'gnu_printf' format attribute [-Werror=suggest-attribute=format] + +Add the attribute to avoid this warning and ensure any incorrect +format strings are detected here. + +Fixes: 744c2fe950e9 ("hwmon: (occ) Rework attribute registration for stack usage") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20260203163440.2674340-1-arnd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index 479ea4ce451a5..1a6c8ebc32e16 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -755,6 +755,7 @@ static ssize_t occ_show_extended(struct device *dev, + * are dynamically allocated, we cannot use the existing kernel macros which + * stringify the name argument. + */ ++__printf(7, 8) + static void occ_init_attribute(struct occ_attribute *attr, int mode, + ssize_t (*show)(struct device *dev, struct device_attribute *attr, char *buf), + ssize_t (*store)(struct device *dev, struct device_attribute *attr, +-- +2.51.0 + diff --git a/queue-5.10/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch b/queue-5.10/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch new file mode 100644 index 0000000000..218359bf5b --- /dev/null +++ b/queue-5.10/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch @@ -0,0 +1,99 @@ +From ddcc0c7f7d6c65e2b48f057cc55fc96479448664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:43:59 +0000 +Subject: macvlan: fix error recovery in macvlan_common_newlink() + +From: Eric Dumazet + +[ Upstream commit f8db6475a83649689c087a8f52486fcc53e627e9 ] + +valis provided a nice repro to crash the kernel: + +ip link add p1 type veth peer p2 +ip link set address 00:00:00:00:00:20 dev p1 +ip link set up dev p1 +ip link set up dev p2 + +ip link add mv0 link p2 type macvlan mode source +ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 + +ping -c1 -I p1 1.2.3.4 + +He also gave a very detailed analysis: + + + +The issue is triggered when a new macvlan link is created with +MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or +MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan +port and register_netdevice() called from macvlan_common_newlink() +fails (e.g. because of the invalid link name). + +In this case macvlan_hash_add_source is called from +macvlan_change_sources() / macvlan_common_newlink(): + +This adds a reference to vlan to the port's vlan_source_hash using +macvlan_source_entry. + +vlan is a pointer to the priv data of the link that is being created. + +When register_netdevice() fails, the error is returned from +macvlan_newlink() to rtnl_newlink_create(): + + if (ops->newlink) + err = ops->newlink(dev, ¶ms, extack); + else + err = register_netdevice(dev); + if (err < 0) { + free_netdev(dev); + goto out; + } + +and free_netdev() is called, causing a kvfree() on the struct +net_device that is still referenced in the source entry attached to +the lower device's macvlan port. + +Now all packets sent on the macvlan port with a matching source mac +address will trigger a use-after-free in macvlan_forward_source(). + + + +With all that, my fix is to make sure we call macvlan_flush_sources() +regardless of @create value whenever "goto destroy_macvlan_port;" +path is taken. + +Many thanks to valis for following up on this issue. + +Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.") +Signed-off-by: Eric Dumazet +Reported-by: valis +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Cc: Boudewijn van der Heide +Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 49f9f75f5c121..cae48b1b7020f 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1519,9 +1519,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(lowerdev)) { ++ if (macvlan_port_get_rtnl(lowerdev)) { + macvlan_flush_sources(port, vlan); +- macvlan_port_destroy(port->dev); ++ if (create) ++ macvlan_port_destroy(port->dev); + } + return err; + } +-- +2.51.0 + diff --git a/queue-5.10/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch b/queue-5.10/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch new file mode 100644 index 0000000000..e85f287b77 --- /dev/null +++ b/queue-5.10/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch @@ -0,0 +1,61 @@ +From 2ba9aa22732436aa8edf27a56d767ea58bc1a3e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:39 +0000 +Subject: net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 8558aef4e8a1a83049ab906d21d391093cfa7e7f ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Also, decrement i in the devlink_alloc failure path to point to the +last successfully allocated index. + +Compile tested only. Issue found using code review. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-3-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index 35e46245f1638..c72dbc7252f96 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3773,6 +3773,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + sizeof(struct lio_devlink_priv)); + if (!devlink) { + dev_err(&octeon_dev->pci_dev->dev, "devlink alloc failed\n"); ++ i--; + goto setup_nic_dev_free; + } + +@@ -3793,11 +3794,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-5.10/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch b/queue-5.10/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch new file mode 100644 index 0000000000..96ff9c9785 --- /dev/null +++ b/queue-5.10/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch @@ -0,0 +1,50 @@ +From a9e00b8a5af35bc5326fe95080eab98e8fb9a571 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:40 +0000 +Subject: net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 6cbba46934aefdfb5d171e0a95aec06c24f7ca30 ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Compile tested only. Issue found using code review. + +Fixes: 846b46873eeb ("liquidio CN23XX: VF offload features") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-4-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +index 226a7842d2fdb..ff4346652e0f3 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +@@ -2232,11 +2232,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-5.10/net-liquidio-initialize-netdev-pointer-before-queue-.patch b/queue-5.10/net-liquidio-initialize-netdev-pointer-before-queue-.patch new file mode 100644 index 0000000000..5cd19aac6a --- /dev/null +++ b/queue-5.10/net-liquidio-initialize-netdev-pointer-before-queue-.patch @@ -0,0 +1,98 @@ +From c4fd3a8013f451095b491188888c626d731803a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:38 +0000 +Subject: net: liquidio: Initialize netdev pointer before queue setup + +From: Zilin Guan + +[ Upstream commit 926ede0c85e1e57c97d64d9612455267d597bb2c ] + +In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq(). +However, the pointer to this structure is stored in oct->props[i].netdev +only after the calls to netif_set_real_num_rx_queues() and +netif_set_real_num_tx_queues(). + +If either of these functions fails, setup_nic_devices() returns an error +without freeing the allocated netdev. Since oct->props[i].netdev is still +NULL at this point, the cleanup function liquidio_destroy_nic_device() +will fail to find and free the netdev, resulting in a memory leak. + +Fix this by initializing oct->props[i].netdev before calling the queue +setup functions. This ensures that the netdev is properly accessible for +cleanup in case of errors. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: c33c997346c3 ("liquidio: enhanced ethtool --set-channels feature") +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-2-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/liquidio/lio_main.c | 34 +++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index eefb25bcf57ff..35e46245f1638 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3531,6 +3531,23 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + */ + netdev->netdev_ops = &lionetdevops; + ++ lio = GET_LIO(netdev); ++ ++ memset(lio, 0, sizeof(struct lio)); ++ ++ lio->ifidx = ifidx_or_pfnum; ++ ++ props = &octeon_dev->props[i]; ++ props->gmxport = resp->cfg_info.linfo.gmxport; ++ props->netdev = netdev; ++ ++ /* Point to the properties for octeon device to which this ++ * interface belongs. ++ */ ++ lio->oct_dev = octeon_dev; ++ lio->octprops = props; ++ lio->netdev = netdev; ++ + retval = netif_set_real_num_rx_queues(netdev, num_oqueues); + if (retval) { + dev_err(&octeon_dev->pci_dev->dev, +@@ -3547,16 +3564,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + goto setup_nic_dev_free; + } + +- lio = GET_LIO(netdev); +- +- memset(lio, 0, sizeof(struct lio)); +- +- lio->ifidx = ifidx_or_pfnum; +- +- props = &octeon_dev->props[i]; +- props->gmxport = resp->cfg_info.linfo.gmxport; +- props->netdev = netdev; +- + lio->linfo.num_rxpciq = num_oqueues; + lio->linfo.num_txpciq = num_iqueues; + for (j = 0; j < num_oqueues; j++) { +@@ -3622,13 +3629,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + netdev->min_mtu = LIO_MIN_MTU_SIZE; + netdev->max_mtu = LIO_MAX_MTU_SIZE; + +- /* Point to the properties for octeon device to which this +- * interface belongs. +- */ +- lio->oct_dev = octeon_dev; +- lio->octprops = props; +- lio->netdev = netdev; +- + dev_dbg(&octeon_dev->pci_dev->dev, + "if%d gmx: %d hw_addr: 0x%llx\n", i, + lio->linfo.gmxport, CVM_CAST64(lio->linfo.hw_addr)); +-- +2.51.0 + diff --git a/queue-5.10/net-usb-sr9700-support-devices-with-virtual-driver-c.patch b/queue-5.10/net-usb-sr9700-support-devices-with-virtual-driver-c.patch new file mode 100644 index 0000000000..e47c159c0b --- /dev/null +++ b/queue-5.10/net-usb-sr9700-support-devices-with-virtual-driver-c.patch @@ -0,0 +1,44 @@ +From a7a1fa4c8fb5aeb95c3e7dd2e3b0598d2508ca4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 22:24:51 -0800 +Subject: net: usb: sr9700: support devices with virtual driver CD + +From: Ethan Nelson-Moore + +[ Upstream commit bf4172bd870c3a34d3065cbb39192c22cbd7b18d ] + +Some SR9700 devices have an SPI flash chip containing a virtual driver +CD, in which case they appear as a device with two interfaces and +product ID 0x9702. Interface 0 is the driver CD and interface 1 is the +Ethernet device. + +Link: https://github.com/name-kurniawan/usb-lan +Link: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=2185 +Signed-off-by: Ethan Nelson-Moore +Link: https://patch.msgid.link/20251211062451.139036-1-enelsonmoore@gmail.com +[pabeni@redhat.com: fixes link tags] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index d4f0dfe1175ab..4d860d5bbcd73 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -538,6 +538,11 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x9700), /* SR9700 device */ + .driver_info = (unsigned long)&sr9700_driver_info, + }, ++ { ++ /* SR9700 with virtual driver CD-ROM - interface 0 is the CD-ROM device */ ++ USB_DEVICE_INTERFACE_NUMBER(0x0fe6, 0x9702, 1), ++ .driver_info = (unsigned long)&sr9700_driver_info, ++ }, + {}, /* END */ + }; + +-- +2.51.0 + diff --git a/queue-5.10/nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch b/queue-5.10/nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch new file mode 100644 index 0000000000..91afdf64f4 --- /dev/null +++ b/queue-5.10/nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch @@ -0,0 +1,110 @@ +From bf743dadacd76e3c3afa926e9f0b853c7aa66e6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 16:49:19 +0100 +Subject: nvmet-tcp: add an helper to free the cmd buffers + +From: Maurizio Lombardi + +[ Upstream commit 69b85e1f1d1d1e49601ec3e85d2031188657cca2 ] + +Makes the code easier to read and to debug. + +Sets the freed pointers to NULL, it will be useful +when destroying the queues to understand if the commands' +buffers have been released already or not. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: John Meneghini +Signed-off-by: Christoph Hellwig +Stable-dep-of: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 94ed4b5b725c7..3c0769d40edd3 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -155,6 +155,8 @@ static struct workqueue_struct *nvmet_tcp_wq; + static const struct nvmet_fabrics_ops nvmet_tcp_ops; + static void nvmet_tcp_free_cmd(struct nvmet_tcp_cmd *c); + static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd); ++static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd); ++static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd); + + static inline u16 nvmet_tcp_cmd_tag(struct nvmet_tcp_queue *queue, + struct nvmet_tcp_cmd *cmd) +@@ -286,6 +288,16 @@ static int nvmet_tcp_check_ddgst(struct nvmet_tcp_queue *queue, void *pdu) + return 0; + } + ++static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd) ++{ ++ WARN_ON(unlikely(cmd->nr_mapped > 0)); ++ ++ kfree(cmd->iov); ++ sgl_free(cmd->req.sg); ++ cmd->iov = NULL; ++ cmd->req.sg = NULL; ++} ++ + static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd) + { + struct scatterlist *sg; +@@ -295,6 +307,8 @@ static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd) + + for (i = 0; i < cmd->nr_mapped; i++) + kunmap(sg_page(&sg[i])); ++ ++ cmd->nr_mapped = 0; + } + + static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) +@@ -377,7 +391,7 @@ static int nvmet_tcp_map_data(struct nvmet_tcp_cmd *cmd) + + return 0; + err: +- sgl_free(cmd->req.sg); ++ nvmet_tcp_free_cmd_buffers(cmd); + return NVME_SC_INTERNAL; + } + +@@ -628,10 +642,8 @@ static int nvmet_try_send_data(struct nvmet_tcp_cmd *cmd, bool last_in_batch) + } + } + +- if (queue->nvme_sq.sqhd_disabled) { +- kfree(cmd->iov); +- sgl_free(cmd->req.sg); +- } ++ if (queue->nvme_sq.sqhd_disabled) ++ nvmet_tcp_free_cmd_buffers(cmd); + + return 1; + +@@ -660,8 +672,7 @@ static int nvmet_try_send_response(struct nvmet_tcp_cmd *cmd, + if (left) + return -EAGAIN; + +- kfree(cmd->iov); +- sgl_free(cmd->req.sg); ++ nvmet_tcp_free_cmd_buffers(cmd); + cmd->queue->snd_cmd = NULL; + nvmet_tcp_put_cmd(cmd); + return 1; +@@ -1422,8 +1433,7 @@ static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd) + { + nvmet_req_uninit(&cmd->req); + nvmet_tcp_unmap_pdu_iovec(cmd); +- kfree(cmd->iov); +- sgl_free(cmd->req.sg); ++ nvmet_tcp_free_cmd_buffers(cmd); + } + + static void nvmet_tcp_uninit_data_in_cmds(struct nvmet_tcp_queue *queue) +-- +2.51.0 + diff --git a/queue-5.10/nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch b/queue-5.10/nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch new file mode 100644 index 0000000000..962e982c0f --- /dev/null +++ b/queue-5.10/nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch @@ -0,0 +1,77 @@ +From 5acfe9ac667fffd495bce5431ff5a66f0d9f43c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 09:41:07 +0900 +Subject: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec + +From: YunJe Shin + +[ Upstream commit 52a0a98549344ca20ad81a4176d68d28e3c05a5c ] + +nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU +length or offset exceeds sg_cnt and then use bogus sg->length/offset +values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining +entries, and sg->length/offset before building the bvec. + +Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") +Signed-off-by: YunJe Shin +Reviewed-by: Sagi Grimberg +Reviewed-by: Joonkyo Jung +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 6fd4f74315f6c..a906507bad600 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -294,11 +294,14 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd) + cmd->req.sg = NULL; + } + ++static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue); ++ + static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) + { + struct bio_vec *iov = cmd->iov; + struct scatterlist *sg; + u32 length, offset, sg_offset; ++ unsigned int sg_remaining; + int nr_pages; + + length = cmd->pdu_len; +@@ -306,9 +309,22 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) + offset = cmd->rbytes_done; + cmd->sg_idx = offset / PAGE_SIZE; + sg_offset = offset % PAGE_SIZE; ++ if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) { ++ nvmet_tcp_fatal_error(cmd->queue); ++ return; ++ } + sg = &cmd->req.sg[cmd->sg_idx]; ++ sg_remaining = cmd->req.sg_cnt - cmd->sg_idx; + + while (length) { ++ if (!sg_remaining) { ++ nvmet_tcp_fatal_error(cmd->queue); ++ return; ++ } ++ if (!sg->length || sg->length <= sg_offset) { ++ nvmet_tcp_fatal_error(cmd->queue); ++ return; ++ } + u32 iov_len = min_t(u32, length, sg->length - sg_offset); + + iov->bv_page = sg_page(sg); +@@ -317,6 +333,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) + + length -= iov_len; + sg = sg_next(sg); ++ sg_remaining--; + iov++; + sg_offset = 0; + } +-- +2.51.0 + diff --git a/queue-5.10/nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch b/queue-5.10/nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch new file mode 100644 index 0000000000..f22aba8180 --- /dev/null +++ b/queue-5.10/nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch @@ -0,0 +1,192 @@ +From c03ec5eaa7ed78a08a748bb10dc503fe32c3808b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 00:05:33 +0200 +Subject: nvmet-tcp: don't map pages which can't come from HIGHMEM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabio M. De Francesco + +[ Upstream commit 5bfaba275ae6486700194cad962574e3eb7ae60d ] + +kmap() is being deprecated in favor of kmap_local_page().[1] + +There are two main problems with kmap(): (1) It comes with an overhead as +mapping space is restricted and protected by a global lock for +synchronization and (2) it also requires global TLB invalidation when the +kmap’s pool wraps and it might block when the mapping space is fully +utilized until a slot becomes available. + +The pages which will be mapped are allocated in nvmet_tcp_map_data(), +using the GFP_KERNEL flag. This assures that they cannot come from +HIGHMEM. This imply that a straight page_address() can replace the kmap() +of sg_page(sg) in nvmet_tcp_map_pdu_iovec(). As a side effect, we might +also delete the field "nr_mapped" from struct "nvmet_tcp_cmd" because, +after removing the kmap() calls, there would be no longer any need of it. + +In addition, there is no reason to use a kvec for the command receive +data buffers iovec, use a bio_vec instead and let iov_iter handle the +buffer mapping and data copy. + +Test with blktests on a QEMU/KVM x86_32 VM, 6GB RAM, booting a kernel with +HIGHMEM64GB enabled. + +[1] "[PATCH] checkpatch: Add kmap and kmap_atomic to the deprecated +list" https://lore.kernel.org/all/20220813220034.806698-1-ira.weiny@intel.com/ + +Cc: Chaitanya Kulkarni +Cc: Keith Busch +Suggested-by: Ira Weiny +Signed-off-by: Fabio M. De Francesco +Suggested-by: Christoph Hellwig +Suggested-by: Al Viro +[sagi: added bio_vec plus minor naming changes] +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Stable-dep-of: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 44 ++++++++++++--------------------------- + 1 file changed, 13 insertions(+), 31 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index bc0e860a2887f..6fd4f74315f6c 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -68,9 +68,8 @@ struct nvmet_tcp_cmd { + u32 pdu_len; + u32 pdu_recv; + int sg_idx; +- int nr_mapped; + struct msghdr recv_msg; +- struct kvec *iov; ++ struct bio_vec *iov; + u32 flags; + + struct list_head entry; +@@ -156,7 +155,6 @@ static const struct nvmet_fabrics_ops nvmet_tcp_ops; + static void nvmet_tcp_free_cmd(struct nvmet_tcp_cmd *c); + static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd); + static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd); +-static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd); + + static inline u16 nvmet_tcp_cmd_tag(struct nvmet_tcp_queue *queue, + struct nvmet_tcp_cmd *cmd) +@@ -290,35 +288,21 @@ static int nvmet_tcp_check_ddgst(struct nvmet_tcp_queue *queue, void *pdu) + + static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd) + { +- WARN_ON(unlikely(cmd->nr_mapped > 0)); +- + kfree(cmd->iov); + sgl_free(cmd->req.sg); + cmd->iov = NULL; + cmd->req.sg = NULL; + } + +-static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd) +-{ +- struct scatterlist *sg; +- int i; +- +- sg = &cmd->req.sg[cmd->sg_idx]; +- +- for (i = 0; i < cmd->nr_mapped; i++) +- kunmap(sg_page(&sg[i])); +- +- cmd->nr_mapped = 0; +-} +- +-static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) ++static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) + { +- struct kvec *iov = cmd->iov; ++ struct bio_vec *iov = cmd->iov; + struct scatterlist *sg; + u32 length, offset, sg_offset; ++ int nr_pages; + + length = cmd->pdu_len; +- cmd->nr_mapped = DIV_ROUND_UP(length, PAGE_SIZE); ++ nr_pages = DIV_ROUND_UP(length, PAGE_SIZE); + offset = cmd->rbytes_done; + cmd->sg_idx = offset / PAGE_SIZE; + sg_offset = offset % PAGE_SIZE; +@@ -327,8 +311,9 @@ static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) + while (length) { + u32 iov_len = min_t(u32, length, sg->length - sg_offset); + +- iov->iov_base = kmap(sg_page(sg)) + sg->offset + sg_offset; +- iov->iov_len = iov_len; ++ iov->bv_page = sg_page(sg); ++ iov->bv_len = sg->length; ++ iov->bv_offset = sg->offset + sg_offset; + + length -= iov_len; + sg = sg_next(sg); +@@ -336,8 +321,8 @@ static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) + sg_offset = 0; + } + +- iov_iter_kvec(&cmd->recv_msg.msg_iter, READ, cmd->iov, +- cmd->nr_mapped, cmd->pdu_len); ++ iov_iter_bvec(&cmd->recv_msg.msg_iter, READ, cmd->iov, ++ nr_pages, cmd->pdu_len); + } + + static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue) +@@ -913,7 +898,7 @@ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue, + } + + queue->rcv_state = NVMET_TCP_RECV_DATA; +- nvmet_tcp_map_pdu_iovec(cmd); ++ nvmet_tcp_build_pdu_iovec(cmd); + cmd->flags |= NVMET_TCP_F_INIT_FAILED; + } + +@@ -966,7 +951,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + goto err_proto; + } + cmd->pdu_recv = 0; +- nvmet_tcp_map_pdu_iovec(cmd); ++ nvmet_tcp_build_pdu_iovec(cmd); + queue->cmd = cmd; + queue->rcv_state = NVMET_TCP_RECV_DATA; + +@@ -1040,7 +1025,7 @@ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue) + if (nvmet_tcp_need_data_in(queue->cmd)) { + if (nvmet_tcp_has_inline_data(queue->cmd)) { + queue->rcv_state = NVMET_TCP_RECV_DATA; +- nvmet_tcp_map_pdu_iovec(queue->cmd); ++ nvmet_tcp_build_pdu_iovec(queue->cmd); + return 0; + } + /* send back R2T */ +@@ -1160,7 +1145,6 @@ static int nvmet_tcp_try_recv_data(struct nvmet_tcp_queue *queue) + cmd->rbytes_done += ret; + } + +- nvmet_tcp_unmap_pdu_iovec(cmd); + if (queue->data_digest) { + nvmet_tcp_prep_recv_ddgst(cmd); + return 0; +@@ -1415,7 +1399,6 @@ static void nvmet_tcp_restore_socket_callbacks(struct nvmet_tcp_queue *queue) + static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd) + { + nvmet_req_uninit(&cmd->req); +- nvmet_tcp_unmap_pdu_iovec(cmd); + nvmet_tcp_free_cmd_buffers(cmd); + } + +@@ -1428,7 +1411,6 @@ static void nvmet_tcp_uninit_data_in_cmds(struct nvmet_tcp_queue *queue) + if (nvmet_tcp_need_data_in(cmd)) + nvmet_req_uninit(&cmd->req); + +- nvmet_tcp_unmap_pdu_iovec(cmd); + nvmet_tcp_free_cmd_buffers(cmd); + } + +-- +2.51.0 + diff --git a/queue-5.10/nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch b/queue-5.10/nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch new file mode 100644 index 0000000000..2404eafc7d --- /dev/null +++ b/queue-5.10/nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch @@ -0,0 +1,46 @@ +From 63fb7d49dcafe86a9369e1cae923617fbe2f13c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 16:49:20 +0100 +Subject: nvmet-tcp: fix memory leak when performing a controller reset + +From: Maurizio Lombardi + +[ Upstream commit af21250bb503a02e705b461886321e394b300524 ] + +If a reset controller is executed while the initiator +is performing some I/O the driver may leak the memory allocated +for the commands' iovec. + +Make sure that nvmet_tcp_uninit_data_in_cmds() releases +all the memory. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: John Meneghini +Signed-off-by: Christoph Hellwig +Stable-dep-of: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 3c0769d40edd3..bf34849c15a20 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -1443,7 +1443,10 @@ static void nvmet_tcp_uninit_data_in_cmds(struct nvmet_tcp_queue *queue) + + for (i = 0; i < queue->nr_cmds; i++, cmd++) { + if (nvmet_tcp_need_data_in(cmd)) +- nvmet_tcp_finish_cmd(cmd); ++ nvmet_req_uninit(&cmd->req); ++ ++ nvmet_tcp_unmap_pdu_iovec(cmd); ++ nvmet_tcp_free_cmd_buffers(cmd); + } + + if (!queue->nr_cmds && nvmet_tcp_need_data_in(&queue->connect)) { +-- +2.51.0 + diff --git a/queue-5.10/nvmet-tcp-fix-regression-in-data_digest-calculation.patch b/queue-5.10/nvmet-tcp-fix-regression-in-data_digest-calculation.patch new file mode 100644 index 0000000000..0c6729c71f --- /dev/null +++ b/queue-5.10/nvmet-tcp-fix-regression-in-data_digest-calculation.patch @@ -0,0 +1,87 @@ +From 43d5ff8a2c2240aeaa21a023c00ffffd500859c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 00:49:53 +0300 +Subject: nvmet-tcp: fix regression in data_digest calculation + +From: Sagi Grimberg + +[ Upstream commit ed0691cf55140ce0f3fb100225645d902cce904b ] + +Data digest calculation iterates over command mapped iovec. However +since commit bac04454ef9f we unmap the iovec before we handle the data +digest, and since commit 69b85e1f1d1d we clear nr_mapped when we unmap +the iov. + +Instead of open-coding the command iov traversal, simply call +crypto_ahash_digest with the command sg that is already allocated (we +already do that for the send path). Rename nvmet_tcp_send_ddgst to +nvmet_tcp_calc_ddgst and call it from send and recv paths. + +Fixes: 69b85e1f1d1d ("nvmet-tcp: add an helper to free the cmd buffers") +Fixes: bac04454ef9f ("nvmet-tcp: fix kmap leak when data digest in use") +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Stable-dep-of: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 23 +++-------------------- + 1 file changed, 3 insertions(+), 20 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index bf34849c15a20..bc0e860a2887f 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -395,7 +395,7 @@ static int nvmet_tcp_map_data(struct nvmet_tcp_cmd *cmd) + return NVME_SC_INTERNAL; + } + +-static void nvmet_tcp_send_ddgst(struct ahash_request *hash, ++static void nvmet_tcp_calc_ddgst(struct ahash_request *hash, + struct nvmet_tcp_cmd *cmd) + { + ahash_request_set_crypt(hash, cmd->req.sg, +@@ -403,23 +403,6 @@ static void nvmet_tcp_send_ddgst(struct ahash_request *hash, + crypto_ahash_digest(hash); + } + +-static void nvmet_tcp_recv_ddgst(struct ahash_request *hash, +- struct nvmet_tcp_cmd *cmd) +-{ +- struct scatterlist sg; +- struct kvec *iov; +- int i; +- +- crypto_ahash_init(hash); +- for (i = 0, iov = cmd->iov; i < cmd->nr_mapped; i++, iov++) { +- sg_init_one(&sg, iov->iov_base, iov->iov_len); +- ahash_request_set_crypt(hash, &sg, NULL, iov->iov_len); +- crypto_ahash_update(hash); +- } +- ahash_request_set_crypt(hash, NULL, (void *)&cmd->exp_ddgst, 0); +- crypto_ahash_final(hash); +-} +- + static void nvmet_setup_c2h_data_pdu(struct nvmet_tcp_cmd *cmd) + { + struct nvme_tcp_data_pdu *pdu = cmd->data_pdu; +@@ -444,7 +427,7 @@ static void nvmet_setup_c2h_data_pdu(struct nvmet_tcp_cmd *cmd) + + if (queue->data_digest) { + pdu->hdr.flags |= NVME_TCP_F_DDGST; +- nvmet_tcp_send_ddgst(queue->snd_hash, cmd); ++ nvmet_tcp_calc_ddgst(queue->snd_hash, cmd); + } + + if (cmd->queue->hdr_digest) { +@@ -1156,7 +1139,7 @@ static void nvmet_tcp_prep_recv_ddgst(struct nvmet_tcp_cmd *cmd) + { + struct nvmet_tcp_queue *queue = cmd->queue; + +- nvmet_tcp_recv_ddgst(queue->rcv_hash, cmd); ++ nvmet_tcp_calc_ddgst(queue->rcv_hash, cmd); + queue->offset = 0; + queue->left = NVME_TCP_DIGEST_LENGTH; + queue->rcv_state = NVMET_TCP_RECV_DDGST; +-- +2.51.0 + diff --git a/queue-5.10/platform-x86-intel_telemetry-fix-pss-event-register-.patch b/queue-5.10/platform-x86-intel_telemetry-fix-pss-event-register-.patch new file mode 100644 index 0000000000..8f04530404 --- /dev/null +++ b/queue-5.10/platform-x86-intel_telemetry-fix-pss-event-register-.patch @@ -0,0 +1,48 @@ +From 666ef12aa493b541fd4f232db381c89267e5b01f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 11:41:44 +0530 +Subject: platform/x86: intel_telemetry: Fix PSS event register mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kaushlendra Kumar + +[ Upstream commit 39e9c376ac42705af4ed4ae39eec028e8bced9b4 ] + +The PSS telemetry info parsing incorrectly applies +TELEM_INFO_SRAMEVTS_MASK when extracting event register +count from firmware response. This reads bits 15-8 instead +of the correct bits 7-0, causing misdetection of hardware +capabilities. + +The IOSS path correctly uses TELEM_INFO_NENABLES_MASK for +register count. Apply the same mask to PSS parsing for +consistency. + +Fixes: 9d16b482b059 ("platform:x86: Add Intel telemetry platform driver") +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20251224061144.3925519-1-kaushlendra.kumar@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_telemetry_pltdrv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel_telemetry_pltdrv.c b/drivers/platform/x86/intel_telemetry_pltdrv.c +index 405dea87de6bf..dd1ee2730b6a6 100644 +--- a/drivers/platform/x86/intel_telemetry_pltdrv.c ++++ b/drivers/platform/x86/intel_telemetry_pltdrv.c +@@ -610,7 +610,7 @@ static int telemetry_setup(struct platform_device *pdev) + /* Get telemetry Info */ + events = (read_buf & TELEM_INFO_SRAMEVTS_MASK) >> + TELEM_INFO_SRAMEVTS_SHIFT; +- event_regs = read_buf & TELEM_INFO_SRAMEVTS_MASK; ++ event_regs = read_buf & TELEM_INFO_NENABLES_MASK; + if ((events < TELEM_MAX_EVENTS_SRAM) || + (event_regs < TELEM_MAX_EVENTS_SRAM)) { + dev_err(&pdev->dev, "PSS:Insufficient Space for SRAM Trace\n"); +-- +2.51.0 + diff --git a/queue-5.10/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch b/queue-5.10/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch new file mode 100644 index 0000000000..d38dc677d5 --- /dev/null +++ b/queue-5.10/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch @@ -0,0 +1,42 @@ +From bb7b6eff3534fb46b97f27935feb07cccc21a62e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 16:38:45 +0200 +Subject: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines + +From: Rafael J. Wysocki + +[ Upstream commit 128497456756e1b952bd5a912cd073836465109d ] + +toshiba_haps_add() leaks the haps object allocated by it if it returns +an error after allocating that object successfully. + +toshiba_haps_remove() does not free the object pointed to by +toshiba_haps before clearing that pointer, so it becomes unreachable +allocated memory. + +Address these memory leaks by using devm_kzalloc() for allocating +the memory in question. + +Fixes: 23d0ba0c908a ("platform/x86: Toshiba HDD Active Protection Sensor") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/toshiba_haps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/toshiba_haps.c b/drivers/platform/x86/toshiba_haps.c +index b237bd6b1ee54..e9ae102c0bfd7 100644 +--- a/drivers/platform/x86/toshiba_haps.c ++++ b/drivers/platform/x86/toshiba_haps.c +@@ -185,7 +185,7 @@ static int toshiba_haps_add(struct acpi_device *acpi_dev) + + pr_info("Toshiba HDD Active Protection Sensor device\n"); + +- haps = kzalloc(sizeof(struct toshiba_haps_dev), GFP_KERNEL); ++ haps = devm_kzalloc(&acpi_dev->dev, sizeof(*haps), GFP_KERNEL); + if (!haps) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-5.10/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch b/queue-5.10/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch new file mode 100644 index 0000000000..627a07d80b --- /dev/null +++ b/queue-5.10/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch @@ -0,0 +1,69 @@ +From be2f312894b4afaf089836d4212e00d08a7fff47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 14:50:07 +0800 +Subject: ring-buffer: Avoid softlockup in ring_buffer_resize() during memory + free + +From: Wupeng Ma + +[ Upstream commit 6435ffd6c7fcba330dfa91c58dc30aed2df3d0bf ] + +When user resize all trace ring buffer through file 'buffer_size_kb', +then in ring_buffer_resize(), kernel allocates buffer pages for each +cpu in a loop. + +If the kernel preemption model is PREEMPT_NONE and there are many cpus +and there are many buffer pages to be freed, it may not give up cpu +for a long time and finally cause a softlockup. + +To avoid it, call cond_resched() after each cpu buffer free as Commit +f6bd2c92488c ("ring-buffer: Avoid softlockup in ring_buffer_resize()") +does. + +Detailed call trace as follow: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 24-....: (14837 ticks this GP) idle=521c/1/0x4000000000000000 softirq=230597/230597 fqs=5329 + rcu: (t=15004 jiffies g=26003221 q=211022 ncpus=96) + CPU: 24 UID: 0 PID: 11253 Comm: bash Kdump: loaded Tainted: G EL 6.18.2+ #278 NONE + pc : arch_local_irq_restore+0x8/0x20 + arch_local_irq_restore+0x8/0x20 (P) + free_frozen_page_commit+0x28c/0x3b0 + __free_frozen_pages+0x1c0/0x678 + ___free_pages+0xc0/0xe0 + free_pages+0x3c/0x50 + ring_buffer_resize.part.0+0x6a8/0x880 + ring_buffer_resize+0x3c/0x58 + __tracing_resize_ring_buffer.part.0+0x34/0xd8 + tracing_resize_ring_buffer+0x8c/0xd0 + tracing_entries_write+0x74/0xd8 + vfs_write+0xcc/0x288 + ksys_write+0x74/0x118 + __arm64_sys_write+0x24/0x38 + +Cc: +Link: https://patch.msgid.link/20251228065008.2396573-1-mawupeng1@huawei.com +Signed-off-by: Wupeng Ma +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 225dbe4a56413..221895e036356 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2255,6 +2255,8 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, + list) { + list_del_init(&bpage->list); + free_buffer_page(bpage); ++ ++ cond_resched(); + } + } + out_err_unlock: +-- +2.51.0 + diff --git a/queue-5.10/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch b/queue-5.10/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch new file mode 100644 index 0000000000..75a99bc956 --- /dev/null +++ b/queue-5.10/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch @@ -0,0 +1,51 @@ +From 9df7224254552462ec6ff661952abfc62bf21694 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:51 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_conn_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 9411a89e9e7135cc459178fa77a3f1d6191ae903 ] + +In iscsit_dec_conn_usage_count(), the function calls complete() while +holding the conn->conn_usage_lock. As soon as complete() is invoked, the +waiter (such as iscsit_close_connection()) may wake up and proceed to free +the iscsit_conn structure. + +If the waiter frees the memory before the current thread reaches +spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function +attempts to release a lock within the already-freed connection structure. + +Fix this by releasing the spinlock before calling complete(). + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 58b3eb589bc77..29ad78fcdd5f8 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -873,8 +873,11 @@ void iscsit_dec_conn_usage_count(struct iscsi_conn *conn) + spin_lock_bh(&conn->conn_usage_lock); + conn->conn_usage_count--; + +- if (!conn->conn_usage_count && conn->conn_waiting_on_uc) ++ if (!conn->conn_usage_count && conn->conn_waiting_on_uc) { ++ spin_unlock_bh(&conn->conn_usage_lock); + complete(&conn->conn_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&conn->conn_usage_lock); + } +-- +2.51.0 + diff --git a/queue-5.10/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch b/queue-5.10/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch new file mode 100644 index 0000000000..e9deb2c03b --- /dev/null +++ b/queue-5.10/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch @@ -0,0 +1,53 @@ +From e253739af27721c2641c0ef45a152a031bce6143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:52 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_session_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 84dc6037390b8607c5551047d3970336cb51ba9a ] + +In iscsit_dec_session_usage_count(), the function calls complete() while +holding the sess->session_usage_lock. Similar to the connection usage count +logic, the waiter signaled by complete() (e.g., in the session release +path) may wake up and free the iscsit_session structure immediately. + +This creates a race condition where the current thread may attempt to +execute spin_unlock_bh() on a session structure that has already been +deallocated, resulting in a KASAN slab-use-after-free. + +To resolve this, release the session_usage_lock before calling complete() +to ensure all dereferences of the sess pointer are finished before the +waiter is allowed to proceed with deallocation. + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 45ba07c6ec270..58b3eb589bc77 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -801,8 +801,11 @@ void iscsit_dec_session_usage_count(struct iscsi_session *sess) + spin_lock_bh(&sess->session_usage_lock); + sess->session_usage_count--; + +- if (!sess->session_usage_count && sess->session_waiting_on_uc) ++ if (!sess->session_usage_count && sess->session_waiting_on_uc) { ++ spin_unlock_bh(&sess->session_usage_lock); + complete(&sess->session_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&sess->session_usage_lock); + } +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 067220b73b..3bd2db27de 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -3,3 +3,35 @@ arm-9468-1-fix-memset64-on-big-endian.patch kvm-don-t-clobber-irqfd-routing-type-when-deassigning-irqfd.patch netfilter-nft_set_pipapo-clamp-maximum-map-bucket-size-to-int_max.patch binderfs-fix-ida_alloc_max-upper-bound.patch +wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch +wifi-wlcore-ensure-skb-headroom-before-skb_push.patch +net-usb-sr9700-support-devices-with-virtual-driver-c.patch +block-bfq-fix-aux-stat-accumulation-destination.patch +hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch +hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch +alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch +hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch +hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch +ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch +wifi-mac80211-collect-station-statistics-earlier-whe.patch +asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch +asoc-tlv320adcx140-propagate-error-codes-during-prob.patch +wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch +alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch +wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch +platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch +platform-x86-intel_telemetry-fix-pss-event-register-.patch +net-liquidio-initialize-netdev-pointer-before-queue-.patch +net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch +net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch +macvlan-fix-error-recovery-in-macvlan_common_newlink.patch +tipc-use-kfree_sensitive-for-session-key-material.patch +hwmon-occ-mark-occ_init_attribute-as-__printf.patch +nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch +nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch +nvmet-tcp-fix-regression-in-data_digest-calculation.patch +nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch +nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch +asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch diff --git a/queue-5.10/tipc-use-kfree_sensitive-for-session-key-material.patch b/queue-5.10/tipc-use-kfree_sensitive-for-session-key-material.patch new file mode 100644 index 0000000000..f7fd5d6e84 --- /dev/null +++ b/queue-5.10/tipc-use-kfree_sensitive-for-session-key-material.patch @@ -0,0 +1,51 @@ +From c7c537fe667beb1bab9e8711691d64f7fdd0fd2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 10:01:14 -0800 +Subject: tipc: use kfree_sensitive() for session key material + +From: Daniel Hodges + +[ Upstream commit 74d9391e8849e70ded5309222d09b0ed0edbd039 ] + +The rx->skey field contains a struct tipc_aead_key with GCM-AES +encryption keys used for TIPC cluster communication. Using plain +kfree() leaves this sensitive key material in freed memory pages +where it could potentially be recovered. + +Switch to kfree_sensitive() to ensure the key material is zeroed +before the memory is freed. + +Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange") +Signed-off-by: Daniel Hodges +Link: https://patch.msgid.link/20260131180114.2121438-1-hodgesd@meta.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index cc409d55e1576..42e7d2bc78302 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1223,7 +1223,7 @@ void tipc_crypto_key_flush(struct tipc_crypto *c) + rx = c; + tx = tipc_net(rx->net)->crypto_tx; + if (cancel_delayed_work(&rx->work)) { +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + atomic_xchg(&rx->key_distr, 0); + tipc_node_put(rx->node); +@@ -2398,7 +2398,7 @@ static void tipc_crypto_work_rx(struct work_struct *work) + break; + default: + synchronize_rcu(); +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + break; + } +-- +2.51.0 + diff --git a/queue-5.10/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch b/queue-5.10/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch new file mode 100644 index 0000000000..5401058f50 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch @@ -0,0 +1,59 @@ +From 0cec50f1553baa95e367c948273d06aac684addf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:30:04 +0530 +Subject: wifi: cfg80211: Fix bitrate calculation overflow for HE rates + +From: Veerendranath Jakkam + +[ Upstream commit a3034bf0746d88a00cceda9541534a5721445a24 ] + +An integer overflow occurs in cfg80211_calculate_bitrate_he() when +calculating bitrates for high throughput HE configurations. +For example, with 160 MHz bandwidth, HE-MCS 13, HE-NSS 4, and HE-GI 0, +the multiplication (result * rate->nss) overflows the 32-bit 'result' +variable before division by 8, leading to significantly underestimated +bitrate values. + +The overflow occurs because the NSS multiplication operates on a 32-bit +integer that cannot accommodate intermediate values exceeding +4,294,967,295. When overflow happens, the value wraps around, producing +incorrect bitrates for high MCS and NSS combinations. + +Fix this by utilizing the 64-bit 'tmp' variable for the NSS +multiplication and subsequent divisions via do_div(). This approach +preserves full precision throughout the entire calculation, with the +final value assigned to 'result' only after completing all operations. + +Signed-off-by: Veerendranath Jakkam +Link: https://patch.msgid.link/20260109-he_bitrate_overflow-v1-1-95575e466b6e@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 37719fc39f64d..29b8233d4a9c2 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1389,12 +1389,14 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate) + tmp = result; + tmp *= SCALE; + do_div(tmp, mcs_divisors[rate->mcs]); +- result = tmp; + + /* and take NSS, DCM into account */ +- result = (result * rate->nss) / 8; ++ tmp *= rate->nss; ++ do_div(tmp, 8); + if (rate->he_dcm) +- result /= 2; ++ do_div(tmp, 2); ++ ++ result = tmp; + + return result / 10000; + } +-- +2.51.0 + diff --git a/queue-5.10/wifi-mac80211-collect-station-statistics-earlier-whe.patch b/queue-5.10/wifi-mac80211-collect-station-statistics-earlier-whe.patch new file mode 100644 index 0000000000..6902a1a20b --- /dev/null +++ b/queue-5.10/wifi-mac80211-collect-station-statistics-earlier-whe.patch @@ -0,0 +1,54 @@ +From de5041f26c357924b23a94d9517d22341a21a1a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 10:29:07 +0800 +Subject: wifi: mac80211: collect station statistics earlier when disconnect + +From: Baochen Qiang + +[ Upstream commit a203dbeeca15a9b924f0d51f510921f4bae96801 ] + +In __sta_info_destroy_part2(), station statistics are requested after the +IEEE80211_STA_NONE -> IEEE80211_STA_NOTEXIST transition. This is +problematic because the driver may be unable to handle the request due to +the STA being in the NOTEXIST state (i.e. if the driver destroys the +underlying data when transitioning to NOTEXIST). + +Move the statistics collection to before the state transition to avoid +this issue. + +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20251222-mac80211-move-station-stats-collection-earlier-v1-1-12cd4e42c633@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 3bb7a3314788e..529f8701a54f7 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1105,6 +1105,10 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + } + } + ++ sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); ++ if (sinfo) ++ sta_set_sinfo(sta, sinfo, true); ++ + if (sta->uploaded) { + ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE, + IEEE80211_STA_NOTEXIST); +@@ -1113,9 +1117,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + + sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr); + +- sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); +- if (sinfo) +- sta_set_sinfo(sta, sinfo, true); + cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL); + kfree(sinfo); + +-- +2.51.0 + diff --git a/queue-5.10/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch b/queue-5.10/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch new file mode 100644 index 0000000000..1eff3bb061 --- /dev/null +++ b/queue-5.10/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch @@ -0,0 +1,49 @@ +From e5ef99600fe999b8a0d71cb14f9e81a1d0bd098b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 09:28:29 +0200 +Subject: wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice + +From: Miri Korenblit + +[ Upstream commit 3f3d8ff31496874a69b131866f62474eb24ed20a ] + +In reconfig, in case the driver asks to disconnect during the reconfig, +all the keys of the interface are marked as tainted. +Then ieee80211_reenable_keys will loop over all the interface keys, and +for each one it will +a) increment crypto_tx_tailroom_needed_cnt +b) call ieee80211_key_enable_hw_accel, which in turn will detect that +this key is tainted, so it will mark it as "not in hardware", which is +paired with crypto_tx_tailroom_needed_cnt incrementation, so we get two +incrementations for each tainted key. +Then we get a warning in ieee80211_free_keys. + +To fix it, don't increment the count in ieee80211_reenable_keys for +tainted keys + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260118092821.4ca111fddcda.Id6e554f4b1c83760aa02d5a9e4e3080edb197aa2@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index 3df4695caef6c..d5b697701cff6 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -910,7 +910,8 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata) + + if (ieee80211_sdata_running(sdata)) { + list_for_each_entry(key, &sdata->key_list, list) { +- increment_tailroom_need_count(sdata); ++ if (!(key->flags & KEY_FLAG_TAINTED)) ++ increment_tailroom_need_count(sdata); + ieee80211_key_enable_hw_accel(key); + } + } +-- +2.51.0 + diff --git a/queue-5.10/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch b/queue-5.10/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch new file mode 100644 index 0000000000..20c82afd1d --- /dev/null +++ b/queue-5.10/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch @@ -0,0 +1,44 @@ +From a06148f128126b28af4e0d25959889cb95077b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 19:59:32 -0800 +Subject: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined + +From: Moon Hee Lee + +[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ] + +ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only +present after JOIN_OCB. + +RX may run before JOIN_OCB is executed, in which case the OCB interface +is not operational. Skip RX peer handling when the interface is not +joined to avoid warnings in the RX path. + +Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054 +Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Signed-off-by: Moon Hee Lee +Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ocb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c +index 7c1a735b9eee3..736e5c08bfd7b 100644 +--- a/net/mac80211/ocb.c ++++ b/net/mac80211/ocb.c +@@ -47,6 +47,9 @@ void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata, + struct sta_info *sta; + int band; + ++ if (!ifocb->joined) ++ return; ++ + /* XXX: Consider removing the least recently used entry and + * allow new one to be added. + */ +-- +2.51.0 + diff --git a/queue-5.10/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch b/queue-5.10/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch new file mode 100644 index 0000000000..feef235e24 --- /dev/null +++ b/queue-5.10/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch @@ -0,0 +1,42 @@ +From 3144b745326d43705e3626ccb6168655a8201966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 08:57:08 +0100 +Subject: wifi: wlcore: ensure skb headroom before skb_push +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Åstrand + +[ Upstream commit e75665dd096819b1184087ba5718bd93beafff51 ] + +This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is +less than needed (typically 110 - 94 = 16 bytes). + +Signed-off-by: Peter Astrand +Link: https://patch.msgid.link/097bd417-e1d7-acd4-be05-47b199075013@lysator.liu.se +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index e20e18cd04aed..e86cc3425e997 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -210,6 +210,11 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + total_blocks = wlcore_hw_calc_tx_blocks(wl, total_len, spare_blocks); + + if (total_blocks <= wl->tx_blocks_available) { ++ if (skb_headroom(skb) < (total_len - skb->len) && ++ pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { ++ wl1271_free_tx_id(wl, id); ++ return -EAGAIN; ++ } + desc = skb_push(skb, total_len - skb->len); + + wlcore_hw_set_tx_desc_blocks(wl, desc, total_blocks, +-- +2.51.0 + diff --git a/queue-5.15/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch b/queue-5.15/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch new file mode 100644 index 0000000000..bfabcd5cf6 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch @@ -0,0 +1,37 @@ +From 6d876f8230f07ba17e38b13835bf35dc97e319c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 02:53:36 +0300 +Subject: ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk + +From: Ruslan Krupitsa + +[ Upstream commit 9ed7a28225af02b74f61e7880d460db49db83758 ] + +HP Laptop 15s-eq1xxx with ALC236 codec does not enable the +mute LED automatically. This patch adds a quirk entry for +subsystem ID 0x8706 using the ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 +fixup, enabling correct mute LED behavior. + +Signed-off-by: Ruslan Krupitsa +Link: https://patch.msgid.link/AS8P194MB112895B8EC2D87D53A876085BBBAA@AS8P194MB1128.EURP194.PROD.OUTLOOK.COM +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 10f7f807e706e..839a7e957d42a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9333,6 +9333,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x863e, "HP Spectre x360 15-df1xxx", ALC285_FIXUP_HP_SPECTRE_X360_DF1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), ++ SND_PCI_QUIRK(0x103c, 0x8706, "HP Laptop 15s-eq1xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), +-- +2.51.0 + diff --git a/queue-5.15/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch b/queue-5.15/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch new file mode 100644 index 0000000000..acb45f957a --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch @@ -0,0 +1,39 @@ +From 31c35e204ae40a075292fbd8a65afee887924695 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 16:15:55 +0100 +Subject: ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU + +From: Tim Guttzeit + +[ Upstream commit b48fe9af1e60360baf09ca6b7a3cd6541f16e611 ] + +Add a PCI quirk to enable microphone detection on the headphone jack of +TongFang X6AR55xU devices. + +Signed-off-by: Tim Guttzeit +Signed-off-by: Werner Sembach +Link: https://patch.msgid.link/20260119151626.35481-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 839a7e957d42a..72d9ea5171bbd 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10133,6 +10133,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x12, 0x90a60140}, + {0x19, 0x04a11030}, + {0x21, 0x04211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0274, 0x1d05, "TongFang", ALC274_FIXUP_HP_HEADSET_MIC, ++ {0x17, 0x90170110}, ++ {0x19, 0x03a11030}, ++ {0x21, 0x03211020}), + SND_HDA_PIN_QUIRK(0x10ec0282, 0x1025, "Acer", ALC282_FIXUP_ACER_DISABLE_LINEOUT, + ALC282_STANDARD_PINS, + {0x12, 0x90a609c0}, +-- +2.51.0 + diff --git a/queue-5.15/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch b/queue-5.15/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch new file mode 100644 index 0000000000..01c245af23 --- /dev/null +++ b/queue-5.15/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch @@ -0,0 +1,37 @@ +From c48cf68ab5b2434501f77b0a65b2a5fa4ec38f56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 20:50:33 +0000 +Subject: ASoC: amd: fix memory leak in acp3x pdm dma ops + +From: Chris Bainbridge + +[ Upstream commit 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 ] + +Fixes: 4a767b1d039a8 ("ASoC: amd: add acp3x pdm driver dma ops") +Signed-off-by: Chris Bainbridge +Link: https://patch.msgid.link/20260202205034.7697-1-chris.bainbridge@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/renoir/acp3x-pdm-dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/amd/renoir/acp3x-pdm-dma.c b/sound/soc/amd/renoir/acp3x-pdm-dma.c +index 9dd22a2fa2e5c..6b0f90e88a926 100644 +--- a/sound/soc/amd/renoir/acp3x-pdm-dma.c ++++ b/sound/soc/amd/renoir/acp3x-pdm-dma.c +@@ -295,9 +295,11 @@ static int acp_pdm_dma_close(struct snd_soc_component *component, + struct snd_pcm_substream *substream) + { + struct pdm_dev_data *adata = dev_get_drvdata(component->dev); ++ struct pdm_stream_instance *rtd = substream->runtime->private_data; + + disable_pdm_interrupts(adata->acp_base); + adata->capture_stream = NULL; ++ kfree(rtd); + return 0; + } + +-- +2.51.0 + diff --git a/queue-5.15/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch b/queue-5.15/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch new file mode 100644 index 0000000000..7b19aff1b6 --- /dev/null +++ b/queue-5.15/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch @@ -0,0 +1,113 @@ +From 8bd0a57b35f8de51ab1081030854eb80d427e3c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 23:48:37 +0800 +Subject: ASoC: davinci-evm: Fix reference leak in davinci_evm_probe + +From: Kery Qi + +[ Upstream commit 5b577d214fcc109707bcb77b4ae72a31cfd86798 ] + +The davinci_evm_probe() function calls of_parse_phandle() to acquire +device nodes for "ti,audio-codec" and "ti,mcasp-controller". These +functions return device nodes with incremented reference counts. + +However, in several error paths (e.g., when the second of_parse_phandle(), +snd_soc_of_parse_card_name(), or devm_snd_soc_register_card() fails), +the function returns directly without releasing the acquired nodes, +leading to reference leaks. + +This patch adds an error handling path 'err_put' to properly release +the device nodes using of_node_put() and clean up the pointers when +an error occurs. + +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260107154836.1521-2-qikeyu2017@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/davinci-evm.c | 39 ++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/ti/davinci-evm.c b/sound/soc/ti/davinci-evm.c +index b043a0070d201..b554e86280ceb 100644 +--- a/sound/soc/ti/davinci-evm.c ++++ b/sound/soc/ti/davinci-evm.c +@@ -404,27 +404,32 @@ static int davinci_evm_probe(struct platform_device *pdev) + return -EINVAL; + + dai->cpus->of_node = of_parse_phandle(np, "ti,mcasp-controller", 0); +- if (!dai->cpus->of_node) +- return -EINVAL; ++ if (!dai->cpus->of_node) { ++ ret = -EINVAL; ++ goto err_put; ++ } + + dai->platforms->of_node = dai->cpus->of_node; + + evm_soc_card.dev = &pdev->dev; + ret = snd_soc_of_parse_card_name(&evm_soc_card, "ti,model"); + if (ret) +- return ret; ++ goto err_put; + + mclk = devm_clk_get(&pdev->dev, "mclk"); + if (PTR_ERR(mclk) == -EPROBE_DEFER) { +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto err_put; + } else if (IS_ERR(mclk)) { + dev_dbg(&pdev->dev, "mclk not found.\n"); + mclk = NULL; + } + + drvdata = devm_kzalloc(&pdev->dev, sizeof(*drvdata), GFP_KERNEL); +- if (!drvdata) +- return -ENOMEM; ++ if (!drvdata) { ++ ret = -ENOMEM; ++ goto err_put; ++ } + + drvdata->mclk = mclk; + +@@ -434,7 +439,8 @@ static int davinci_evm_probe(struct platform_device *pdev) + if (!drvdata->mclk) { + dev_err(&pdev->dev, + "No clock or clock rate defined.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put; + } + drvdata->sysclk = clk_get_rate(drvdata->mclk); + } else if (drvdata->mclk) { +@@ -450,8 +456,25 @@ static int davinci_evm_probe(struct platform_device *pdev) + snd_soc_card_set_drvdata(&evm_soc_card, drvdata); + ret = devm_snd_soc_register_card(&pdev->dev, &evm_soc_card); + +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "snd_soc_register_card failed (%d)\n", ret); ++ goto err_put; ++ } ++ ++ return ret; ++ ++err_put: ++ dai->platforms->of_node = NULL; ++ ++ if (dai->cpus->of_node) { ++ of_node_put(dai->cpus->of_node); ++ dai->cpus->of_node = NULL; ++ } ++ ++ if (dai->codecs->of_node) { ++ of_node_put(dai->codecs->of_node); ++ dai->codecs->of_node = NULL; ++ } + + return ret; + } +-- +2.51.0 + diff --git a/queue-5.15/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch b/queue-5.15/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch new file mode 100644 index 0000000000..02b17d080b --- /dev/null +++ b/queue-5.15/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch @@ -0,0 +1,43 @@ +From 4fcfcd25c85f82b1207bf4c88be861e4b8f2a68f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:46 +0100 +Subject: ASoC: tlv320adcx140: Propagate error codes during probe + +From: Dimitrios Katsaros + +[ Upstream commit d89aad92cfd15edbd704746f44c98fe687f9366f ] + +When scanning for the reset pin, we could get an -EPROBE_DEFER. +The driver would assume that no reset pin had been defined, +which would mean that the chip would never be powered. + +Now we both respect any error we get from devm_gpiod_get_optional. +We also now properly report the missing GPIO definition when +'gpio_reset' is NULL. + +Signed-off-by: Dimitrios Katsaros +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-3-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index f7fbe3795f98a..46560d5eb4b1d 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -1098,6 +1098,9 @@ static int adcx140_i2c_probe(struct i2c_client *i2c, + adcx140->gpio_reset = devm_gpiod_get_optional(adcx140->dev, + "reset", GPIOD_OUT_LOW); + if (IS_ERR(adcx140->gpio_reset)) ++ return dev_err_probe(&i2c->dev, PTR_ERR(adcx140->gpio_reset), ++ "Failed to get Reset GPIO\n"); ++ if (!adcx140->gpio_reset) + dev_info(&i2c->dev, "Reset GPIO not defined\n"); + + adcx140->supply_areg = devm_regulator_get_optional(adcx140->dev, +-- +2.51.0 + diff --git a/queue-5.15/block-bfq-fix-aux-stat-accumulation-destination.patch b/queue-5.15/block-bfq-fix-aux-stat-accumulation-destination.patch new file mode 100644 index 0000000000..497ce36853 --- /dev/null +++ b/queue-5.15/block-bfq-fix-aux-stat-accumulation-destination.patch @@ -0,0 +1,36 @@ +From 79fd6414966eca8c8fd57a11c610aeabc3b1bce7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 21:04:26 +0800 +Subject: block,bfq: fix aux stat accumulation destination + +From: shechenglong + +[ Upstream commit 04bdb1a04d8a2a89df504c1e34250cd3c6e31a1c ] + +Route bfqg_stats_add_aux() time accumulation into the destination +stats object instead of the source, aligning with other stat fields. + +Reviewed-by: Yu Kuai +Signed-off-by: shechenglong +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index 53e275e377a73..2d804ab595dcb 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -387,7 +387,7 @@ static void bfqg_stats_add_aux(struct bfqg_stats *to, struct bfqg_stats *from) + blkg_rwstat_add_aux(&to->merged, &from->merged); + blkg_rwstat_add_aux(&to->service_time, &from->service_time); + blkg_rwstat_add_aux(&to->wait_time, &from->wait_time); +- bfq_stat_add_aux(&from->time, &from->time); ++ bfq_stat_add_aux(&to->time, &from->time); + bfq_stat_add_aux(&to->avg_queue_size_sum, &from->avg_queue_size_sum); + bfq_stat_add_aux(&to->avg_queue_size_samples, + &from->avg_queue_size_samples); +-- +2.51.0 + diff --git a/queue-5.15/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch b/queue-5.15/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch new file mode 100644 index 0000000000..bdff389abe --- /dev/null +++ b/queue-5.15/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch @@ -0,0 +1,47 @@ +From 2320e692501ab43608be41c5de1475097d596278 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 00:55:13 +0800 +Subject: dpaa2-switch: add bounds check for if_id in IRQ handler + +From: Junrui Luo + +[ Upstream commit 31a7a0bbeb006bac2d9c81a2874825025214b6d8 ] + +The IRQ handler extracts if_id from the upper 16 bits of the hardware +status register and uses it to index into ethsw->ports[] without +validation. Since if_id can be any 16-bit value (0-65535) but the ports +array is only allocated with sw_attr.num_ifs elements, this can lead to +an out-of-bounds read potentially. + +Add a bounds check before accessing the array, consistent with the +existing validation in dpaa2_switch_rx(). + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 24ab724f8a46 ("dpaa2-switch: use the port index in the IRQ handler") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881D420AB43FF1A227B84AFAF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index dcb96c2b2820a..5c7055a4acc6f 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -1509,6 +1509,10 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg) + } + + if_id = (status & 0xFFFF0000) >> 16; ++ if (if_id >= ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id); ++ goto out; ++ } + port_priv = ethsw->ports[if_id]; + + if (status & DPSW_IRQ_EVENT_LINK_CHANGED) { +-- +2.51.0 + diff --git a/queue-5.15/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch b/queue-5.15/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch new file mode 100644 index 0000000000..ada9dd8889 --- /dev/null +++ b/queue-5.15/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch @@ -0,0 +1,55 @@ +From df3d565cde976059ff387c66a1a49911aad29dbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 16:07:34 +0800 +Subject: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero + +From: Junrui Luo + +[ Upstream commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66 ] + +The driver allocates arrays for ports, FDBs, and filter blocks using +kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the +device reports zero interfaces (either due to hardware configuration +or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) +instead of NULL. + +Later in dpaa2_switch_probe(), the NAPI initialization unconditionally +accesses ethsw->ports[0]->netdev, which attempts to dereference +ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. + +Add a check to ensure num_ifs is greater than zero after retrieving +device attributes. This prevents the zero-sized allocations and +subsequent invalid pointer dereference. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface") +Signed-off-by: Junrui Luo +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/SYBPR01MB7881BEABA8DA896947962470AF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 1e6b29c047710..dcb96c2b2820a 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2972,6 +2972,12 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev) + goto err_close; + } + ++ if (!ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "DPSW device has no interfaces\n"); ++ err = -ENODEV; ++ goto err_close; ++ } ++ + err = dpsw_get_api_version(ethsw->mc_io, 0, + ðsw->major, + ðsw->minor); +-- +2.51.0 + diff --git a/queue-5.15/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch b/queue-5.15/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch new file mode 100644 index 0000000000..c5a947fb08 --- /dev/null +++ b/queue-5.15/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch @@ -0,0 +1,56 @@ +From b721589b3f1c2a719e17eba8fd98cf10c5f4e82a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 19:03:57 -0300 +Subject: HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodrigo Lugathe da Conceição Alves + +[ Upstream commit 85a866809333cd2bf8ddac93d9a3e3ba8e4f807d ] + +The USB speaker has a bug that causes it to reboot when changing the +brightness using the physical knob. + +Add a new vendor and product ID entry in hid-ids.h, and register +the corresponding device in hid-quirks.c with the required quirk. + +Signed-off-by: Rodrigo Lugathe da Conceição Alves +Reviewed-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index de62855d89f14..1dc28cabd71d5 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -401,6 +401,9 @@ + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002 0xc002 + ++#define USB_VENDOR_ID_EDIFIER 0x2d99 ++#define USB_DEVICE_ID_EDIFIER_QR30 0xa101 /* EDIFIER Hal0 2.0 SE */ ++ + #define USB_VENDOR_ID_ELAN 0x04f3 + #define USB_DEVICE_ID_TOSHIBA_CLICK_L9W 0x0401 + #define USB_DEVICE_ID_HP_X2 0x074d +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 445132b6f8c88..b4f4f6823c5f6 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -81,6 +81,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER), HID_QUIRK_MULTI_INPUT | HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_EDIFIER, USB_DEVICE_ID_EDIFIER_QR30), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_EMS, USB_DEVICE_ID_EMS_TRIO_LINKER_PLUS_II), HID_QUIRK_MULTI_INPUT }, +-- +2.51.0 + diff --git a/queue-5.15/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch b/queue-5.15/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch new file mode 100644 index 0000000000..8d38717af9 --- /dev/null +++ b/queue-5.15/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch @@ -0,0 +1,49 @@ +From 7a6a8292f8955cad7d8e72e5c8ddb7e0f6416fde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 10:51:50 +0800 +Subject: HID: intel-ish-hid: Reset enum_devices_done before enumeration + +From: Zhang Lixu + +[ Upstream commit 56e230723e3a818373bd62331bccb1c6d2b3881b ] + +Some systems have enabled ISH without any sensors. In this case sending +HOSTIF_DM_ENUM_DEVICES results in 0 sensors. This triggers ISH hardware +reset on subsequent enumeration after S3/S4 resume. + +The enum_devices_done flag was not reset before sending the +HOSTIF_DM_ENUM_DEVICES command. On subsequent enumeration calls (such as +after S3/S4 resume), this flag retains its previous true value, causing the +wait loop to be skipped and returning prematurely to hid_ishtp_cl_init(). +If 0 HID devices are found, hid_ishtp_cl_init() skips getting HID device +descriptors and sets init_done to true. When the delayed enumeration +response arrives with init_done already true, the driver treats it as a bad +packet and triggers an ISH hardware reset. + +Set enum_devices_done to false before sending the enumeration command, +consistent with similar functions like ishtp_get_hid_descriptor() and +ishtp_get_report_descriptor() which reset their respective flags. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp-hid-client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +index 91bf4d01e91a7..34d2434504579 100644 +--- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c ++++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +@@ -493,6 +493,7 @@ static int ishtp_enum_enum_devices(struct ishtp_cl *hid_ishtp_cl) + int rv; + + /* Send HOSTIF_DM_ENUM_DEVICES */ ++ client_data->enum_devices_done = false; + memset(&msg, 0, sizeof(struct hostif_msg)); + msg.hdr.command = HOSTIF_DM_ENUM_DEVICES; + rv = ishtp_cl_send(hid_ishtp_cl, (unsigned char *)&msg, +-- +2.51.0 + diff --git a/queue-5.15/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch b/queue-5.15/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch new file mode 100644 index 0000000000..904e08e1a2 --- /dev/null +++ b/queue-5.15/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch @@ -0,0 +1,42 @@ +From 2a8eef10da53b085912461040791f7ad9a51c8f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Dec 2025 14:34:36 +0100 +Subject: HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL + +From: DaytonCL + +[ Upstream commit ff3f234ff1dcd6d626a989151db067a1b7f0f215 ] + +Some VTL-class touchpads (e.g. TOPS0102:00 35CC:0104) intermittently +fail to release a finger contact. A previous slot remains logically +active, accompanied by stale BTN_TOOL_DOUBLETAP state, causing +gestures to stay latched and resulting in stuck two-finger +scrolling and false right-clicks. + +Apply MT_QUIRK_STICKY_FINGERS to handle the unreleased contact correctly. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1225 +Suggested-by: Benjamin Tissoires +Tested-by: DaytonCL +Signed-off-by: DaytonCL +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 5dec035c5c1d3..5c40790b977ee 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -379,6 +379,7 @@ static const struct mt_class mt_classes[] = { + { .name = MT_CLS_VTL, + .quirks = MT_QUIRK_ALWAYS_VALID | + MT_QUIRK_CONTACT_CNT_ACCURATE | ++ MT_QUIRK_STICKY_FINGERS | + MT_QUIRK_FORCE_GET_FEATURE, + }, + { .name = MT_CLS_GOOGLE, +-- +2.51.0 + diff --git a/queue-5.15/hid-playstation-center-initial-joystick-axes-to-prev.patch b/queue-5.15/hid-playstation-center-initial-joystick-axes-to-prev.patch new file mode 100644 index 0000000000..653f0a1831 --- /dev/null +++ b/queue-5.15/hid-playstation-center-initial-joystick-axes-to-prev.patch @@ -0,0 +1,66 @@ +From 1a9de77791c4854e20beba1eae7722ed0d99546b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 15:45:19 -0800 +Subject: HID: playstation: Center initial joystick axes to prevent spurious + events + +From: Siarhei Vishniakou + +[ Upstream commit e9143268d259d98e111a649affa061acb8e13c5b ] + +When a new PlayStation gamepad (DualShock 4 or DualSense) is initialized, +the input subsystem sets the default value for its absolute axes (e.g., +ABS_X, ABS_Y) to 0. + +However, the hardware's actual neutral/resting state for these joysticks +is 128 (0x80). This creates a mismatch. + +When the first HID report arrives from the device, the driver sees the +resting value of 128. The kernel compares this to its initial state of 0 +and incorrectly interprets this as a delta (0 -> 128). Consequently, it +generates EV_ABS events for this initial, non-existent movement. + +This behavior can fail userspace 'sanity check' tests (e.g., in +Android CTS) that correctly assert no motion events should be generated +from a device that is already at rest. + +This patch fixes the issue by explicitly setting the initial value of the +main joystick axes (e.g., ABS_X, ABS_Y, ABS_RX, ABS_RY) to 128 (0x80) +in the common ps_gamepad_create() function. + +This aligns the kernel's initial state with the hardware's expected +neutral state, ensuring that the first report (at 128) produces no +delta and thus, no spurious event. + +Signed-off-by: Siarhei Vishniakou +Reviewed-by: Benjamin Tissoires +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-playstation.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-playstation.c b/drivers/hid/hid-playstation.c +index 944e5e5ff1348..69c16c9b8c5c9 100644 +--- a/drivers/hid/hid-playstation.c ++++ b/drivers/hid/hid-playstation.c +@@ -463,11 +463,16 @@ static struct input_dev *ps_gamepad_create(struct hid_device *hdev, + if (IS_ERR(gamepad)) + return ERR_CAST(gamepad); + ++ /* Set initial resting state for joysticks to 128 (center) */ + input_set_abs_params(gamepad, ABS_X, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_X].value = 128; + input_set_abs_params(gamepad, ABS_Y, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_Y].value = 128; + input_set_abs_params(gamepad, ABS_Z, 0, 255, 0, 0); + input_set_abs_params(gamepad, ABS_RX, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RX].value = 128; + input_set_abs_params(gamepad, ABS_RY, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RY].value = 128; + input_set_abs_params(gamepad, ABS_RZ, 0, 255, 0, 0); + + input_set_abs_params(gamepad, ABS_HAT0X, -1, 1, 0, 0); +-- +2.51.0 + diff --git a/queue-5.15/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch b/queue-5.15/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch new file mode 100644 index 0000000000..a5774dd612 --- /dev/null +++ b/queue-5.15/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch @@ -0,0 +1,51 @@ +From f930cb713512bd1bb11fb20e232287c9bc485379 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 06:56:43 +0000 +Subject: HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list + +From: Chris Chiu + +[ Upstream commit c06bc3557542307b9658fbd43cc946a14250347b ] + +Another Chicony Electronics HP 5MP Camera with USB ID 04F2:B882 +reports a HID sensor interface that is not actually implemented. + +Add the device to the HID ignore list so the bogus sensor is never +exposed to userspace. Then the system won't hang when runtime PM +tries to wake the unresponsive device. + +Signed-off-by: Chris Chiu +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index b68293a505518..de62855d89f14 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -285,6 +285,7 @@ + #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c ++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3 0xb882 + + #define USB_VENDOR_ID_CHUNGHWAT 0x2247 + #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index cc2f462fced27..445132b6f8c88 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -740,6 +740,7 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) }, +-- +2.51.0 + diff --git a/queue-5.15/hwmon-occ-mark-occ_init_attribute-as-__printf.patch b/queue-5.15/hwmon-occ-mark-occ_init_attribute-as-__printf.patch new file mode 100644 index 0000000000..97514c2ce5 --- /dev/null +++ b/queue-5.15/hwmon-occ-mark-occ_init_attribute-as-__printf.patch @@ -0,0 +1,42 @@ +From 83e6994ea586dd3d552c5314713fda3fffb88e28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 17:34:36 +0100 +Subject: hwmon: (occ) Mark occ_init_attribute() as __printf + +From: Arnd Bergmann + +[ Upstream commit 831a2b27914cc880130ffe8fb8d1e65a5324d07f ] + +This is a printf-style function, which gcc -Werror=suggest-attribute=format +correctly points out: + +drivers/hwmon/occ/common.c: In function 'occ_init_attribute': +drivers/hwmon/occ/common.c:761:9: error: function 'occ_init_attribute' might be a candidate for 'gnu_printf' format attribute [-Werror=suggest-attribute=format] + +Add the attribute to avoid this warning and ensure any incorrect +format strings are detected here. + +Fixes: 744c2fe950e9 ("hwmon: (occ) Rework attribute registration for stack usage") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20260203163440.2674340-1-arnd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index 8b8f50ef36aff..44007858c23fc 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -752,6 +752,7 @@ static ssize_t occ_show_extended(struct device *dev, + * are dynamically allocated, we cannot use the existing kernel macros which + * stringify the name argument. + */ ++__printf(7, 8) + static void occ_init_attribute(struct occ_attribute *attr, int mode, + ssize_t (*show)(struct device *dev, struct device_attribute *attr, char *buf), + ssize_t (*store)(struct device *dev, struct device_attribute *attr, +-- +2.51.0 + diff --git a/queue-5.15/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch b/queue-5.15/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch new file mode 100644 index 0000000000..0e62613b32 --- /dev/null +++ b/queue-5.15/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch @@ -0,0 +1,99 @@ +From c32f64fc6947fad467af0b12b1420cdeb86cd748 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:43:59 +0000 +Subject: macvlan: fix error recovery in macvlan_common_newlink() + +From: Eric Dumazet + +[ Upstream commit f8db6475a83649689c087a8f52486fcc53e627e9 ] + +valis provided a nice repro to crash the kernel: + +ip link add p1 type veth peer p2 +ip link set address 00:00:00:00:00:20 dev p1 +ip link set up dev p1 +ip link set up dev p2 + +ip link add mv0 link p2 type macvlan mode source +ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 + +ping -c1 -I p1 1.2.3.4 + +He also gave a very detailed analysis: + + + +The issue is triggered when a new macvlan link is created with +MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or +MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan +port and register_netdevice() called from macvlan_common_newlink() +fails (e.g. because of the invalid link name). + +In this case macvlan_hash_add_source is called from +macvlan_change_sources() / macvlan_common_newlink(): + +This adds a reference to vlan to the port's vlan_source_hash using +macvlan_source_entry. + +vlan is a pointer to the priv data of the link that is being created. + +When register_netdevice() fails, the error is returned from +macvlan_newlink() to rtnl_newlink_create(): + + if (ops->newlink) + err = ops->newlink(dev, ¶ms, extack); + else + err = register_netdevice(dev); + if (err < 0) { + free_netdev(dev); + goto out; + } + +and free_netdev() is called, causing a kvfree() on the struct +net_device that is still referenced in the source entry attached to +the lower device's macvlan port. + +Now all packets sent on the macvlan port with a matching source mac +address will trigger a use-after-free in macvlan_forward_source(). + + + +With all that, my fix is to make sure we call macvlan_flush_sources() +regardless of @create value whenever "goto destroy_macvlan_port;" +path is taken. + +Many thanks to valis for following up on this issue. + +Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.") +Signed-off-by: Eric Dumazet +Reported-by: valis +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Cc: Boudewijn van der Heide +Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 0f863e72714ca..e92d7f2f28c17 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1527,9 +1527,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(lowerdev)) { ++ if (macvlan_port_get_rtnl(lowerdev)) { + macvlan_flush_sources(port, vlan); +- macvlan_port_destroy(port->dev); ++ if (create) ++ macvlan_port_destroy(port->dev); + } + return err; + } +-- +2.51.0 + diff --git a/queue-5.15/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch b/queue-5.15/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch new file mode 100644 index 0000000000..4e553207f5 --- /dev/null +++ b/queue-5.15/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch @@ -0,0 +1,61 @@ +From 9097a4d664960c2e2ba79290a66d71e948369e12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:39 +0000 +Subject: net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 8558aef4e8a1a83049ab906d21d391093cfa7e7f ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Also, decrement i in the devlink_alloc failure path to point to the +last successfully allocated index. + +Compile tested only. Issue found using code review. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-3-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index 296e372f36f17..08326eca68bca 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3772,6 +3772,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + &octeon_dev->pci_dev->dev); + if (!devlink) { + dev_err(&octeon_dev->pci_dev->dev, "devlink alloc failed\n"); ++ i--; + goto setup_nic_dev_free; + } + +@@ -3792,11 +3793,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-5.15/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch b/queue-5.15/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch new file mode 100644 index 0000000000..ee6b3c955d --- /dev/null +++ b/queue-5.15/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch @@ -0,0 +1,50 @@ +From 78c03fa8cdfa103e5a3d0bcdb978c3870e9aad61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:40 +0000 +Subject: net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 6cbba46934aefdfb5d171e0a95aec06c24f7ca30 ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Compile tested only. Issue found using code review. + +Fixes: 846b46873eeb ("liquidio CN23XX: VF offload features") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-4-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +index 8a969a9d4b637..650845b671c60 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +@@ -2230,11 +2230,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-5.15/net-liquidio-initialize-netdev-pointer-before-queue-.patch b/queue-5.15/net-liquidio-initialize-netdev-pointer-before-queue-.patch new file mode 100644 index 0000000000..418a9c4eaf --- /dev/null +++ b/queue-5.15/net-liquidio-initialize-netdev-pointer-before-queue-.patch @@ -0,0 +1,98 @@ +From 6b441fff2b22d7b0389a59eaa265466d9798706e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:38 +0000 +Subject: net: liquidio: Initialize netdev pointer before queue setup + +From: Zilin Guan + +[ Upstream commit 926ede0c85e1e57c97d64d9612455267d597bb2c ] + +In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq(). +However, the pointer to this structure is stored in oct->props[i].netdev +only after the calls to netif_set_real_num_rx_queues() and +netif_set_real_num_tx_queues(). + +If either of these functions fails, setup_nic_devices() returns an error +without freeing the allocated netdev. Since oct->props[i].netdev is still +NULL at this point, the cleanup function liquidio_destroy_nic_device() +will fail to find and free the netdev, resulting in a memory leak. + +Fix this by initializing oct->props[i].netdev before calling the queue +setup functions. This ensures that the netdev is properly accessible for +cleanup in case of errors. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: c33c997346c3 ("liquidio: enhanced ethtool --set-channels feature") +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-2-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/liquidio/lio_main.c | 34 +++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index 443755729d793..296e372f36f17 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3529,6 +3529,23 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + */ + netdev->netdev_ops = &lionetdevops; + ++ lio = GET_LIO(netdev); ++ ++ memset(lio, 0, sizeof(struct lio)); ++ ++ lio->ifidx = ifidx_or_pfnum; ++ ++ props = &octeon_dev->props[i]; ++ props->gmxport = resp->cfg_info.linfo.gmxport; ++ props->netdev = netdev; ++ ++ /* Point to the properties for octeon device to which this ++ * interface belongs. ++ */ ++ lio->oct_dev = octeon_dev; ++ lio->octprops = props; ++ lio->netdev = netdev; ++ + retval = netif_set_real_num_rx_queues(netdev, num_oqueues); + if (retval) { + dev_err(&octeon_dev->pci_dev->dev, +@@ -3545,16 +3562,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + goto setup_nic_dev_free; + } + +- lio = GET_LIO(netdev); +- +- memset(lio, 0, sizeof(struct lio)); +- +- lio->ifidx = ifidx_or_pfnum; +- +- props = &octeon_dev->props[i]; +- props->gmxport = resp->cfg_info.linfo.gmxport; +- props->netdev = netdev; +- + lio->linfo.num_rxpciq = num_oqueues; + lio->linfo.num_txpciq = num_iqueues; + for (j = 0; j < num_oqueues; j++) { +@@ -3620,13 +3627,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + netdev->min_mtu = LIO_MIN_MTU_SIZE; + netdev->max_mtu = LIO_MAX_MTU_SIZE; + +- /* Point to the properties for octeon device to which this +- * interface belongs. +- */ +- lio->oct_dev = octeon_dev; +- lio->octprops = props; +- lio->netdev = netdev; +- + dev_dbg(&octeon_dev->pci_dev->dev, + "if%d gmx: %d hw_addr: 0x%llx\n", i, + lio->linfo.gmxport, CVM_CAST64(lio->linfo.hw_addr)); +-- +2.51.0 + diff --git a/queue-5.15/net-usb-sr9700-support-devices-with-virtual-driver-c.patch b/queue-5.15/net-usb-sr9700-support-devices-with-virtual-driver-c.patch new file mode 100644 index 0000000000..9832b2a0a1 --- /dev/null +++ b/queue-5.15/net-usb-sr9700-support-devices-with-virtual-driver-c.patch @@ -0,0 +1,44 @@ +From dde359d271b3d34070060b9e27507ed5d3a37e93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 22:24:51 -0800 +Subject: net: usb: sr9700: support devices with virtual driver CD + +From: Ethan Nelson-Moore + +[ Upstream commit bf4172bd870c3a34d3065cbb39192c22cbd7b18d ] + +Some SR9700 devices have an SPI flash chip containing a virtual driver +CD, in which case they appear as a device with two interfaces and +product ID 0x9702. Interface 0 is the driver CD and interface 1 is the +Ethernet device. + +Link: https://github.com/name-kurniawan/usb-lan +Link: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=2185 +Signed-off-by: Ethan Nelson-Moore +Link: https://patch.msgid.link/20251211062451.139036-1-enelsonmoore@gmail.com +[pabeni@redhat.com: fixes link tags] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 90aed52ce9372..86d14fad318c3 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -539,6 +539,11 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x9700), /* SR9700 device */ + .driver_info = (unsigned long)&sr9700_driver_info, + }, ++ { ++ /* SR9700 with virtual driver CD-ROM - interface 0 is the CD-ROM device */ ++ USB_DEVICE_INTERFACE_NUMBER(0x0fe6, 0x9702, 1), ++ .driver_info = (unsigned long)&sr9700_driver_info, ++ }, + {}, /* END */ + }; + +-- +2.51.0 + diff --git a/queue-5.15/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch b/queue-5.15/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch new file mode 100644 index 0000000000..1febe8d7ff --- /dev/null +++ b/queue-5.15/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch @@ -0,0 +1,72 @@ +From 4fcad26fa3796d154cb874decf374aef335b7ab2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 17:46:58 +0100 +Subject: netfilter: nf_tables: fix inverted genmask check in + nft_map_catchall_activate() + +From: Andrew Fasano + +[ Upstream commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 ] + +nft_map_catchall_activate() has an inverted element activity check +compared to its non-catchall counterpart nft_mapelem_activate() and +compared to what is logically required. + +nft_map_catchall_activate() is called from the abort path to re-activate +catchall map elements that were deactivated during a failed transaction. +It should skip elements that are already active (they don't need +re-activation) and process elements that are inactive (they need to be +restored). Instead, the current code does the opposite: it skips inactive +elements and processes active ones. + +Compare the non-catchall activate callback, which is correct: + + nft_mapelem_activate(): + if (nft_set_elem_active(ext, iter->genmask)) + return 0; /* skip active, process inactive */ + +With the buggy catchall version: + + nft_map_catchall_activate(): + if (!nft_set_elem_active(ext, genmask)) + continue; /* skip inactive, process active */ + +The consequence is that when a DELSET operation is aborted, +nft_setelem_data_activate() is never called for the catchall element. +For NFT_GOTO verdict elements, this means nft_data_hold() is never +called to restore the chain->use reference count. Each abort cycle +permanently decrements chain->use. Once chain->use reaches zero, +DELCHAIN succeeds and frees the chain while catchall verdict elements +still reference it, resulting in a use-after-free. + +This is exploitable for local privilege escalation from an unprivileged +user via user namespaces + nftables on distributions that enable +CONFIG_USER_NS and CONFIG_NF_TABLES. + +Fix by removing the negation so the check matches nft_mapelem_activate(): +skip active elements, process inactive ones. + +Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") +Signed-off-by: Andrew Fasano +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index e37d2ef9538e5..cbec5fc23719f 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5141,7 +5141,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, + + list_for_each_entry(catchall, &set->catchall_list, list) { + ext = nft_set_elem_ext(set, catchall->elem); +- if (!nft_set_elem_active(ext, genmask)) ++ if (nft_set_elem_active(ext, genmask)) + continue; + + elem.priv = catchall->elem; +-- +2.51.0 + diff --git a/queue-5.15/netfilter-replace-eexist-with-ebusy.patch b/queue-5.15/netfilter-replace-eexist-with-ebusy.patch new file mode 100644 index 0000000000..a72121d6bd --- /dev/null +++ b/queue-5.15/netfilter-replace-eexist-with-ebusy.patch @@ -0,0 +1,84 @@ +From e852076dfaf8c44106f932b11345e54fc005991b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 06:13:20 +0100 +Subject: netfilter: replace -EEXIST with -EBUSY + +From: Daniel Gomez + +[ Upstream commit 2bafeb8d2f380c3a81d98bd7b78b854b564f9cd4 ] + +The -EEXIST error code is reserved by the module loading infrastructure +to indicate that a module is already loaded. When a module's init +function returns -EEXIST, userspace tools like kmod interpret this as +"module already loaded" and treat the operation as successful, returning +0 to the user even though the module initialization actually failed. + +Replace -EEXIST with -EBUSY to ensure correct error reporting in the module +initialization path. + +Affected modules: + * ebtable_broute ebtable_filter ebtable_nat arptable_filter + * ip6table_filter ip6table_mangle ip6table_nat ip6table_raw + * ip6table_security iptable_filter iptable_mangle iptable_nat + * iptable_raw iptable_security + +Signed-off-by: Daniel Gomez +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 2 +- + net/netfilter/nf_log.c | 4 ++-- + net/netfilter/x_tables.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 2f3ea11785ad4..c74efcc2b4996 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1299,7 +1299,7 @@ int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct ne + list_for_each_entry(tmpl, &template_tables, list) { + if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) { + mutex_unlock(&ebt_mutex); +- return -EEXIST; ++ return -EBUSY; + } + } + +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index 8f5362a19b151..d15d2911a67e3 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -89,7 +89,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + if (pf == NFPROTO_UNSPEC) { + for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) { + if (rcu_access_pointer(loggers[i][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + } +@@ -97,7 +97,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + rcu_assign_pointer(loggers[i][logger->type], logger); + } else { + if (rcu_access_pointer(loggers[pf][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + rcu_assign_pointer(loggers[pf][logger->type], logger); +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 9a579217763df..6303ba7a62a2f 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1761,7 +1761,7 @@ EXPORT_SYMBOL_GPL(xt_hook_ops_alloc); + int xt_register_template(const struct xt_table *table, + int (*table_init)(struct net *net)) + { +- int ret = -EEXIST, af = table->af; ++ int ret = -EBUSY, af = table->af; + struct xt_template *t; + + mutex_lock(&xt[af].mutex); +-- +2.51.0 + diff --git a/queue-5.15/nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch b/queue-5.15/nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch new file mode 100644 index 0000000000..fc1a08e549 --- /dev/null +++ b/queue-5.15/nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch @@ -0,0 +1,110 @@ +From cd5daddd8711ea4851e7088d80f433eafb131da4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 16:49:19 +0100 +Subject: nvmet-tcp: add an helper to free the cmd buffers + +From: Maurizio Lombardi + +[ Upstream commit 69b85e1f1d1d1e49601ec3e85d2031188657cca2 ] + +Makes the code easier to read and to debug. + +Sets the freed pointers to NULL, it will be useful +when destroying the queues to understand if the commands' +buffers have been released already or not. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: John Meneghini +Signed-off-by: Christoph Hellwig +Stable-dep-of: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 051798ef7431c..7eb4d06f12294 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -167,6 +167,8 @@ static struct workqueue_struct *nvmet_tcp_wq; + static const struct nvmet_fabrics_ops nvmet_tcp_ops; + static void nvmet_tcp_free_cmd(struct nvmet_tcp_cmd *c); + static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd); ++static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd); ++static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd); + + static inline u16 nvmet_tcp_cmd_tag(struct nvmet_tcp_queue *queue, + struct nvmet_tcp_cmd *cmd) +@@ -298,6 +300,16 @@ static int nvmet_tcp_check_ddgst(struct nvmet_tcp_queue *queue, void *pdu) + return 0; + } + ++static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd) ++{ ++ WARN_ON(unlikely(cmd->nr_mapped > 0)); ++ ++ kfree(cmd->iov); ++ sgl_free(cmd->req.sg); ++ cmd->iov = NULL; ++ cmd->req.sg = NULL; ++} ++ + static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd) + { + struct scatterlist *sg; +@@ -307,6 +319,8 @@ static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd) + + for (i = 0; i < cmd->nr_mapped; i++) + kunmap(sg_page(&sg[i])); ++ ++ cmd->nr_mapped = 0; + } + + static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) +@@ -389,7 +403,7 @@ static int nvmet_tcp_map_data(struct nvmet_tcp_cmd *cmd) + + return 0; + err: +- sgl_free(cmd->req.sg); ++ nvmet_tcp_free_cmd_buffers(cmd); + return NVME_SC_INTERNAL; + } + +@@ -640,10 +654,8 @@ static int nvmet_try_send_data(struct nvmet_tcp_cmd *cmd, bool last_in_batch) + } + } + +- if (queue->nvme_sq.sqhd_disabled) { +- kfree(cmd->iov); +- sgl_free(cmd->req.sg); +- } ++ if (queue->nvme_sq.sqhd_disabled) ++ nvmet_tcp_free_cmd_buffers(cmd); + + return 1; + +@@ -672,8 +684,7 @@ static int nvmet_try_send_response(struct nvmet_tcp_cmd *cmd, + if (left) + return -EAGAIN; + +- kfree(cmd->iov); +- sgl_free(cmd->req.sg); ++ nvmet_tcp_free_cmd_buffers(cmd); + cmd->queue->snd_cmd = NULL; + nvmet_tcp_put_cmd(cmd); + return 1; +@@ -1452,8 +1463,7 @@ static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd) + { + nvmet_req_uninit(&cmd->req); + nvmet_tcp_unmap_pdu_iovec(cmd); +- kfree(cmd->iov); +- sgl_free(cmd->req.sg); ++ nvmet_tcp_free_cmd_buffers(cmd); + } + + static void nvmet_tcp_uninit_data_in_cmds(struct nvmet_tcp_queue *queue) +-- +2.51.0 + diff --git a/queue-5.15/nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch b/queue-5.15/nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch new file mode 100644 index 0000000000..de634d8999 --- /dev/null +++ b/queue-5.15/nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch @@ -0,0 +1,77 @@ +From 8f4409db311618e327dfcab4052abaf7eb371c94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 09:41:07 +0900 +Subject: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec + +From: YunJe Shin + +[ Upstream commit 52a0a98549344ca20ad81a4176d68d28e3c05a5c ] + +nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU +length or offset exceeds sg_cnt and then use bogus sg->length/offset +values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining +entries, and sg->length/offset before building the bvec. + +Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver") +Signed-off-by: YunJe Shin +Reviewed-by: Sagi Grimberg +Reviewed-by: Joonkyo Jung +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index d0fcce6aec93f..9264ce64ed834 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -306,11 +306,14 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd) + cmd->req.sg = NULL; + } + ++static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue); ++ + static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) + { + struct bio_vec *iov = cmd->iov; + struct scatterlist *sg; + u32 length, offset, sg_offset; ++ unsigned int sg_remaining; + int nr_pages; + + length = cmd->pdu_len; +@@ -318,9 +321,22 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) + offset = cmd->rbytes_done; + cmd->sg_idx = offset / PAGE_SIZE; + sg_offset = offset % PAGE_SIZE; ++ if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) { ++ nvmet_tcp_fatal_error(cmd->queue); ++ return; ++ } + sg = &cmd->req.sg[cmd->sg_idx]; ++ sg_remaining = cmd->req.sg_cnt - cmd->sg_idx; + + while (length) { ++ if (!sg_remaining) { ++ nvmet_tcp_fatal_error(cmd->queue); ++ return; ++ } ++ if (!sg->length || sg->length <= sg_offset) { ++ nvmet_tcp_fatal_error(cmd->queue); ++ return; ++ } + u32 iov_len = min_t(u32, length, sg->length - sg_offset); + + iov->bv_page = sg_page(sg); +@@ -329,6 +345,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) + + length -= iov_len; + sg = sg_next(sg); ++ sg_remaining--; + iov++; + sg_offset = 0; + } +-- +2.51.0 + diff --git a/queue-5.15/nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch b/queue-5.15/nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch new file mode 100644 index 0000000000..c27270ab26 --- /dev/null +++ b/queue-5.15/nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch @@ -0,0 +1,192 @@ +From aea557d292e8d5e78d0f7bb256d7793bc11cff72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 00:05:33 +0200 +Subject: nvmet-tcp: don't map pages which can't come from HIGHMEM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fabio M. De Francesco + +[ Upstream commit 5bfaba275ae6486700194cad962574e3eb7ae60d ] + +kmap() is being deprecated in favor of kmap_local_page().[1] + +There are two main problems with kmap(): (1) It comes with an overhead as +mapping space is restricted and protected by a global lock for +synchronization and (2) it also requires global TLB invalidation when the +kmap’s pool wraps and it might block when the mapping space is fully +utilized until a slot becomes available. + +The pages which will be mapped are allocated in nvmet_tcp_map_data(), +using the GFP_KERNEL flag. This assures that they cannot come from +HIGHMEM. This imply that a straight page_address() can replace the kmap() +of sg_page(sg) in nvmet_tcp_map_pdu_iovec(). As a side effect, we might +also delete the field "nr_mapped" from struct "nvmet_tcp_cmd" because, +after removing the kmap() calls, there would be no longer any need of it. + +In addition, there is no reason to use a kvec for the command receive +data buffers iovec, use a bio_vec instead and let iov_iter handle the +buffer mapping and data copy. + +Test with blktests on a QEMU/KVM x86_32 VM, 6GB RAM, booting a kernel with +HIGHMEM64GB enabled. + +[1] "[PATCH] checkpatch: Add kmap and kmap_atomic to the deprecated +list" https://lore.kernel.org/all/20220813220034.806698-1-ira.weiny@intel.com/ + +Cc: Chaitanya Kulkarni +Cc: Keith Busch +Suggested-by: Ira Weiny +Signed-off-by: Fabio M. De Francesco +Suggested-by: Christoph Hellwig +Suggested-by: Al Viro +[sagi: added bio_vec plus minor naming changes] +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Stable-dep-of: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 44 ++++++++++++--------------------------- + 1 file changed, 13 insertions(+), 31 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 3b32f1e9c18c6..d0fcce6aec93f 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -78,9 +78,8 @@ struct nvmet_tcp_cmd { + u32 pdu_len; + u32 pdu_recv; + int sg_idx; +- int nr_mapped; + struct msghdr recv_msg; +- struct kvec *iov; ++ struct bio_vec *iov; + u32 flags; + + struct list_head entry; +@@ -168,7 +167,6 @@ static const struct nvmet_fabrics_ops nvmet_tcp_ops; + static void nvmet_tcp_free_cmd(struct nvmet_tcp_cmd *c); + static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd); + static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd); +-static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd); + + static inline u16 nvmet_tcp_cmd_tag(struct nvmet_tcp_queue *queue, + struct nvmet_tcp_cmd *cmd) +@@ -302,35 +300,21 @@ static int nvmet_tcp_check_ddgst(struct nvmet_tcp_queue *queue, void *pdu) + + static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd) + { +- WARN_ON(unlikely(cmd->nr_mapped > 0)); +- + kfree(cmd->iov); + sgl_free(cmd->req.sg); + cmd->iov = NULL; + cmd->req.sg = NULL; + } + +-static void nvmet_tcp_unmap_pdu_iovec(struct nvmet_tcp_cmd *cmd) +-{ +- struct scatterlist *sg; +- int i; +- +- sg = &cmd->req.sg[cmd->sg_idx]; +- +- for (i = 0; i < cmd->nr_mapped; i++) +- kunmap(sg_page(&sg[i])); +- +- cmd->nr_mapped = 0; +-} +- +-static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) ++static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd) + { +- struct kvec *iov = cmd->iov; ++ struct bio_vec *iov = cmd->iov; + struct scatterlist *sg; + u32 length, offset, sg_offset; ++ int nr_pages; + + length = cmd->pdu_len; +- cmd->nr_mapped = DIV_ROUND_UP(length, PAGE_SIZE); ++ nr_pages = DIV_ROUND_UP(length, PAGE_SIZE); + offset = cmd->rbytes_done; + cmd->sg_idx = offset / PAGE_SIZE; + sg_offset = offset % PAGE_SIZE; +@@ -339,8 +323,9 @@ static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) + while (length) { + u32 iov_len = min_t(u32, length, sg->length - sg_offset); + +- iov->iov_base = kmap(sg_page(sg)) + sg->offset + sg_offset; +- iov->iov_len = iov_len; ++ iov->bv_page = sg_page(sg); ++ iov->bv_len = sg->length; ++ iov->bv_offset = sg->offset + sg_offset; + + length -= iov_len; + sg = sg_next(sg); +@@ -348,8 +333,8 @@ static void nvmet_tcp_map_pdu_iovec(struct nvmet_tcp_cmd *cmd) + sg_offset = 0; + } + +- iov_iter_kvec(&cmd->recv_msg.msg_iter, READ, cmd->iov, +- cmd->nr_mapped, cmd->pdu_len); ++ iov_iter_bvec(&cmd->recv_msg.msg_iter, READ, cmd->iov, ++ nr_pages, cmd->pdu_len); + } + + static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue) +@@ -925,7 +910,7 @@ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue, + } + + queue->rcv_state = NVMET_TCP_RECV_DATA; +- nvmet_tcp_map_pdu_iovec(cmd); ++ nvmet_tcp_build_pdu_iovec(cmd); + cmd->flags |= NVMET_TCP_F_INIT_FAILED; + } + +@@ -978,7 +963,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + goto err_proto; + } + cmd->pdu_recv = 0; +- nvmet_tcp_map_pdu_iovec(cmd); ++ nvmet_tcp_build_pdu_iovec(cmd); + queue->cmd = cmd; + queue->rcv_state = NVMET_TCP_RECV_DATA; + +@@ -1052,7 +1037,7 @@ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue) + if (nvmet_tcp_need_data_in(queue->cmd)) { + if (nvmet_tcp_has_inline_data(queue->cmd)) { + queue->rcv_state = NVMET_TCP_RECV_DATA; +- nvmet_tcp_map_pdu_iovec(queue->cmd); ++ nvmet_tcp_build_pdu_iovec(queue->cmd); + return 0; + } + /* send back R2T */ +@@ -1172,7 +1157,6 @@ static int nvmet_tcp_try_recv_data(struct nvmet_tcp_queue *queue) + cmd->rbytes_done += ret; + } + +- nvmet_tcp_unmap_pdu_iovec(cmd); + if (queue->data_digest) { + nvmet_tcp_prep_recv_ddgst(cmd); + return 0; +@@ -1445,7 +1429,6 @@ static void nvmet_tcp_restore_socket_callbacks(struct nvmet_tcp_queue *queue) + static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd) + { + nvmet_req_uninit(&cmd->req); +- nvmet_tcp_unmap_pdu_iovec(cmd); + nvmet_tcp_free_cmd_buffers(cmd); + } + +@@ -1458,7 +1441,6 @@ static void nvmet_tcp_uninit_data_in_cmds(struct nvmet_tcp_queue *queue) + if (nvmet_tcp_need_data_in(cmd)) + nvmet_req_uninit(&cmd->req); + +- nvmet_tcp_unmap_pdu_iovec(cmd); + nvmet_tcp_free_cmd_buffers(cmd); + } + +-- +2.51.0 + diff --git a/queue-5.15/nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch b/queue-5.15/nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch new file mode 100644 index 0000000000..61c1e5f064 --- /dev/null +++ b/queue-5.15/nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch @@ -0,0 +1,46 @@ +From c6c04f8685892d823d0bed8aa7be6a43d18447ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 16:49:20 +0100 +Subject: nvmet-tcp: fix memory leak when performing a controller reset + +From: Maurizio Lombardi + +[ Upstream commit af21250bb503a02e705b461886321e394b300524 ] + +If a reset controller is executed while the initiator +is performing some I/O the driver may leak the memory allocated +for the commands' iovec. + +Make sure that nvmet_tcp_uninit_data_in_cmds() releases +all the memory. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: John Meneghini +Signed-off-by: Christoph Hellwig +Stable-dep-of: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 7eb4d06f12294..bf3585652c681 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -1473,7 +1473,10 @@ static void nvmet_tcp_uninit_data_in_cmds(struct nvmet_tcp_queue *queue) + + for (i = 0; i < queue->nr_cmds; i++, cmd++) { + if (nvmet_tcp_need_data_in(cmd)) +- nvmet_tcp_finish_cmd(cmd); ++ nvmet_req_uninit(&cmd->req); ++ ++ nvmet_tcp_unmap_pdu_iovec(cmd); ++ nvmet_tcp_free_cmd_buffers(cmd); + } + + if (!queue->nr_cmds && nvmet_tcp_need_data_in(&queue->connect)) { +-- +2.51.0 + diff --git a/queue-5.15/nvmet-tcp-fix-regression-in-data_digest-calculation.patch b/queue-5.15/nvmet-tcp-fix-regression-in-data_digest-calculation.patch new file mode 100644 index 0000000000..751e1ef3e0 --- /dev/null +++ b/queue-5.15/nvmet-tcp-fix-regression-in-data_digest-calculation.patch @@ -0,0 +1,87 @@ +From b072d5b07e46e2dab5272ea37ba6b1d16d648bfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 00:49:53 +0300 +Subject: nvmet-tcp: fix regression in data_digest calculation + +From: Sagi Grimberg + +[ Upstream commit ed0691cf55140ce0f3fb100225645d902cce904b ] + +Data digest calculation iterates over command mapped iovec. However +since commit bac04454ef9f we unmap the iovec before we handle the data +digest, and since commit 69b85e1f1d1d we clear nr_mapped when we unmap +the iov. + +Instead of open-coding the command iov traversal, simply call +crypto_ahash_digest with the command sg that is already allocated (we +already do that for the send path). Rename nvmet_tcp_send_ddgst to +nvmet_tcp_calc_ddgst and call it from send and recv paths. + +Fixes: 69b85e1f1d1d ("nvmet-tcp: add an helper to free the cmd buffers") +Fixes: bac04454ef9f ("nvmet-tcp: fix kmap leak when data digest in use") +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Stable-dep-of: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 23 +++-------------------- + 1 file changed, 3 insertions(+), 20 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index bf3585652c681..3b32f1e9c18c6 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -407,7 +407,7 @@ static int nvmet_tcp_map_data(struct nvmet_tcp_cmd *cmd) + return NVME_SC_INTERNAL; + } + +-static void nvmet_tcp_send_ddgst(struct ahash_request *hash, ++static void nvmet_tcp_calc_ddgst(struct ahash_request *hash, + struct nvmet_tcp_cmd *cmd) + { + ahash_request_set_crypt(hash, cmd->req.sg, +@@ -415,23 +415,6 @@ static void nvmet_tcp_send_ddgst(struct ahash_request *hash, + crypto_ahash_digest(hash); + } + +-static void nvmet_tcp_recv_ddgst(struct ahash_request *hash, +- struct nvmet_tcp_cmd *cmd) +-{ +- struct scatterlist sg; +- struct kvec *iov; +- int i; +- +- crypto_ahash_init(hash); +- for (i = 0, iov = cmd->iov; i < cmd->nr_mapped; i++, iov++) { +- sg_init_one(&sg, iov->iov_base, iov->iov_len); +- ahash_request_set_crypt(hash, &sg, NULL, iov->iov_len); +- crypto_ahash_update(hash); +- } +- ahash_request_set_crypt(hash, NULL, (void *)&cmd->exp_ddgst, 0); +- crypto_ahash_final(hash); +-} +- + static void nvmet_setup_c2h_data_pdu(struct nvmet_tcp_cmd *cmd) + { + struct nvme_tcp_data_pdu *pdu = cmd->data_pdu; +@@ -456,7 +439,7 @@ static void nvmet_setup_c2h_data_pdu(struct nvmet_tcp_cmd *cmd) + + if (queue->data_digest) { + pdu->hdr.flags |= NVME_TCP_F_DDGST; +- nvmet_tcp_send_ddgst(queue->snd_hash, cmd); ++ nvmet_tcp_calc_ddgst(queue->snd_hash, cmd); + } + + if (cmd->queue->hdr_digest) { +@@ -1168,7 +1151,7 @@ static void nvmet_tcp_prep_recv_ddgst(struct nvmet_tcp_cmd *cmd) + { + struct nvmet_tcp_queue *queue = cmd->queue; + +- nvmet_tcp_recv_ddgst(queue->rcv_hash, cmd); ++ nvmet_tcp_calc_ddgst(queue->rcv_hash, cmd); + queue->offset = 0; + queue->left = NVME_TCP_DIGEST_LENGTH; + queue->rcv_state = NVMET_TCP_RECV_DDGST; +-- +2.51.0 + diff --git a/queue-5.15/platform-x86-intel_telemetry-fix-pss-event-register-.patch b/queue-5.15/platform-x86-intel_telemetry-fix-pss-event-register-.patch new file mode 100644 index 0000000000..631ab286df --- /dev/null +++ b/queue-5.15/platform-x86-intel_telemetry-fix-pss-event-register-.patch @@ -0,0 +1,48 @@ +From f82916a374371753c8fd2a866d52bdd909664e0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 11:41:44 +0530 +Subject: platform/x86: intel_telemetry: Fix PSS event register mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kaushlendra Kumar + +[ Upstream commit 39e9c376ac42705af4ed4ae39eec028e8bced9b4 ] + +The PSS telemetry info parsing incorrectly applies +TELEM_INFO_SRAMEVTS_MASK when extracting event register +count from firmware response. This reads bits 15-8 instead +of the correct bits 7-0, causing misdetection of hardware +capabilities. + +The IOSS path correctly uses TELEM_INFO_NENABLES_MASK for +register count. Apply the same mask to PSS parsing for +consistency. + +Fixes: 9d16b482b059 ("platform:x86: Add Intel telemetry platform driver") +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20251224061144.3925519-1-kaushlendra.kumar@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/telemetry/pltdrv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/telemetry/pltdrv.c b/drivers/platform/x86/intel/telemetry/pltdrv.c +index 405dea87de6bf..dd1ee2730b6a6 100644 +--- a/drivers/platform/x86/intel/telemetry/pltdrv.c ++++ b/drivers/platform/x86/intel/telemetry/pltdrv.c +@@ -610,7 +610,7 @@ static int telemetry_setup(struct platform_device *pdev) + /* Get telemetry Info */ + events = (read_buf & TELEM_INFO_SRAMEVTS_MASK) >> + TELEM_INFO_SRAMEVTS_SHIFT; +- event_regs = read_buf & TELEM_INFO_SRAMEVTS_MASK; ++ event_regs = read_buf & TELEM_INFO_NENABLES_MASK; + if ((events < TELEM_MAX_EVENTS_SRAM) || + (event_regs < TELEM_MAX_EVENTS_SRAM)) { + dev_err(&pdev->dev, "PSS:Insufficient Space for SRAM Trace\n"); +-- +2.51.0 + diff --git a/queue-5.15/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch b/queue-5.15/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch new file mode 100644 index 0000000000..4348f8cded --- /dev/null +++ b/queue-5.15/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch @@ -0,0 +1,42 @@ +From aedbc41de0e7a68ac4f3642ba4f1cf8c36dfa238 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 16:38:45 +0200 +Subject: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines + +From: Rafael J. Wysocki + +[ Upstream commit 128497456756e1b952bd5a912cd073836465109d ] + +toshiba_haps_add() leaks the haps object allocated by it if it returns +an error after allocating that object successfully. + +toshiba_haps_remove() does not free the object pointed to by +toshiba_haps before clearing that pointer, so it becomes unreachable +allocated memory. + +Address these memory leaks by using devm_kzalloc() for allocating +the memory in question. + +Fixes: 23d0ba0c908a ("platform/x86: Toshiba HDD Active Protection Sensor") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/toshiba_haps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/toshiba_haps.c b/drivers/platform/x86/toshiba_haps.c +index 49e84095bb010..8a53f6119fed1 100644 +--- a/drivers/platform/x86/toshiba_haps.c ++++ b/drivers/platform/x86/toshiba_haps.c +@@ -185,7 +185,7 @@ static int toshiba_haps_add(struct acpi_device *acpi_dev) + + pr_info("Toshiba HDD Active Protection Sensor device\n"); + +- haps = kzalloc(sizeof(struct toshiba_haps_dev), GFP_KERNEL); ++ haps = devm_kzalloc(&acpi_dev->dev, sizeof(*haps), GFP_KERNEL); + if (!haps) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-5.15/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch b/queue-5.15/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch new file mode 100644 index 0000000000..5554b43ca6 --- /dev/null +++ b/queue-5.15/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch @@ -0,0 +1,69 @@ +From 0272b7a05ed9c4995aac32e13bd03fa899fa5333 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 14:50:07 +0800 +Subject: ring-buffer: Avoid softlockup in ring_buffer_resize() during memory + free + +From: Wupeng Ma + +[ Upstream commit 6435ffd6c7fcba330dfa91c58dc30aed2df3d0bf ] + +When user resize all trace ring buffer through file 'buffer_size_kb', +then in ring_buffer_resize(), kernel allocates buffer pages for each +cpu in a loop. + +If the kernel preemption model is PREEMPT_NONE and there are many cpus +and there are many buffer pages to be freed, it may not give up cpu +for a long time and finally cause a softlockup. + +To avoid it, call cond_resched() after each cpu buffer free as Commit +f6bd2c92488c ("ring-buffer: Avoid softlockup in ring_buffer_resize()") +does. + +Detailed call trace as follow: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 24-....: (14837 ticks this GP) idle=521c/1/0x4000000000000000 softirq=230597/230597 fqs=5329 + rcu: (t=15004 jiffies g=26003221 q=211022 ncpus=96) + CPU: 24 UID: 0 PID: 11253 Comm: bash Kdump: loaded Tainted: G EL 6.18.2+ #278 NONE + pc : arch_local_irq_restore+0x8/0x20 + arch_local_irq_restore+0x8/0x20 (P) + free_frozen_page_commit+0x28c/0x3b0 + __free_frozen_pages+0x1c0/0x678 + ___free_pages+0xc0/0xe0 + free_pages+0x3c/0x50 + ring_buffer_resize.part.0+0x6a8/0x880 + ring_buffer_resize+0x3c/0x58 + __tracing_resize_ring_buffer.part.0+0x34/0xd8 + tracing_resize_ring_buffer+0x8c/0xd0 + tracing_entries_write+0x74/0xd8 + vfs_write+0xcc/0x288 + ksys_write+0x74/0x118 + __arm64_sys_write+0x24/0x38 + +Cc: +Link: https://patch.msgid.link/20251228065008.2396573-1-mawupeng1@huawei.com +Signed-off-by: Wupeng Ma +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 90a8dd91e2eb0..d17ebe6a4ebfd 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2322,6 +2322,8 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, + list) { + list_del_init(&bpage->list); + free_buffer_page(bpage); ++ ++ cond_resched(); + } + } + out_err_unlock: +-- +2.51.0 + diff --git a/queue-5.15/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch b/queue-5.15/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch new file mode 100644 index 0000000000..a7177035bf --- /dev/null +++ b/queue-5.15/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch @@ -0,0 +1,51 @@ +From 6fd2d51438c075f15b85899df871cfb90444775f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:51 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_conn_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 9411a89e9e7135cc459178fa77a3f1d6191ae903 ] + +In iscsit_dec_conn_usage_count(), the function calls complete() while +holding the conn->conn_usage_lock. As soon as complete() is invoked, the +waiter (such as iscsit_close_connection()) may wake up and proceed to free +the iscsit_conn structure. + +If the waiter frees the memory before the current thread reaches +spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function +attempts to release a lock within the already-freed connection structure. + +Fix this by releasing the spinlock before calling complete(). + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 78aeaf67018f7..6998c0eec3d40 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -857,8 +857,11 @@ void iscsit_dec_conn_usage_count(struct iscsi_conn *conn) + spin_lock_bh(&conn->conn_usage_lock); + conn->conn_usage_count--; + +- if (!conn->conn_usage_count && conn->conn_waiting_on_uc) ++ if (!conn->conn_usage_count && conn->conn_waiting_on_uc) { ++ spin_unlock_bh(&conn->conn_usage_lock); + complete(&conn->conn_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&conn->conn_usage_lock); + } +-- +2.51.0 + diff --git a/queue-5.15/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch b/queue-5.15/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch new file mode 100644 index 0000000000..74be01daa7 --- /dev/null +++ b/queue-5.15/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch @@ -0,0 +1,53 @@ +From 0f9d814227aff500619368f594142002820ccccc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:52 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_session_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 84dc6037390b8607c5551047d3970336cb51ba9a ] + +In iscsit_dec_session_usage_count(), the function calls complete() while +holding the sess->session_usage_lock. Similar to the connection usage count +logic, the waiter signaled by complete() (e.g., in the session release +path) may wake up and free the iscsit_session structure immediately. + +This creates a race condition where the current thread may attempt to +execute spin_unlock_bh() on a session structure that has already been +deallocated, resulting in a KASAN slab-use-after-free. + +To resolve this, release the session_usage_lock before calling complete() +to ensure all dereferences of the sess pointer are finished before the +waiter is allowed to proceed with deallocation. + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 6dd5810e2af16..78aeaf67018f7 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -785,8 +785,11 @@ void iscsit_dec_session_usage_count(struct iscsi_session *sess) + spin_lock_bh(&sess->session_usage_lock); + sess->session_usage_count--; + +- if (!sess->session_usage_count && sess->session_waiting_on_uc) ++ if (!sess->session_usage_count && sess->session_waiting_on_uc) { ++ spin_unlock_bh(&sess->session_usage_lock); + complete(&sess->session_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&sess->session_usage_lock); + } +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 4bb00ffe1d..5359d04e47 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -21,3 +21,41 @@ timers-update-the-documentation-to-reflect-on-the-new-timer_shutdown-api.patch bluetooth-hci_qca-fix-the-teardown-problem-for-real.patch timers-fix-null-function-pointer-race-in-timer_shutdown_sync.patch binderfs-fix-ida_alloc_max-upper-bound.patch +wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch +wifi-wlcore-ensure-skb-headroom-before-skb_push.patch +net-usb-sr9700-support-devices-with-virtual-driver-c.patch +block-bfq-fix-aux-stat-accumulation-destination.patch +smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch +hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch +hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch +hid-playstation-center-initial-joystick-axes-to-prev.patch +alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch +netfilter-replace-eexist-with-ebusy.patch +hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch +hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch +ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch +wifi-mac80211-collect-station-statistics-earlier-whe.patch +asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch +asoc-tlv320adcx140-propagate-error-codes-during-prob.patch +wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch +alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch +wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch +platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch +platform-x86-intel_telemetry-fix-pss-event-register-.patch +dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch +net-liquidio-initialize-netdev-pointer-before-queue-.patch +net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch +net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch +dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch +macvlan-fix-error-recovery-in-macvlan_common_newlink.patch +tipc-use-kfree_sensitive-for-session-key-material.patch +hwmon-occ-mark-occ_init_attribute-as-__printf.patch +netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch +nvmet-tcp-add-an-helper-to-free-the-cmd-buffers.patch +nvmet-tcp-fix-memory-leak-when-performing-a-controll.patch +nvmet-tcp-fix-regression-in-data_digest-calculation.patch +nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch +nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch +asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch diff --git a/queue-5.15/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch b/queue-5.15/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch new file mode 100644 index 0000000000..51124b72fb --- /dev/null +++ b/queue-5.15/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch @@ -0,0 +1,47 @@ +From 95271db2dc2b8cc61c082beac3a77fd5b609a83d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 22:51:01 +0800 +Subject: smb/server: call ksmbd_session_rpc_close() on error path in + create_smb2_pipe() + +From: ZhangGuoDong + +[ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ] + +When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). + +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/ksmbd/smb2pdu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c +index b4a1aa1bc960c..b5ff4c855f9cb 100644 +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -2263,7 +2263,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + { + struct smb2_create_rsp *rsp; + struct smb2_create_req *req; +- int id; ++ int id = -1; + int err; + char *name; + +@@ -2320,6 +2320,9 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + break; + } + ++ if (id >= 0) ++ ksmbd_session_rpc_close(work->sess, id); ++ + if (!IS_ERR(name)) + kfree(name); + +-- +2.51.0 + diff --git a/queue-5.15/tipc-use-kfree_sensitive-for-session-key-material.patch b/queue-5.15/tipc-use-kfree_sensitive-for-session-key-material.patch new file mode 100644 index 0000000000..6c16854f13 --- /dev/null +++ b/queue-5.15/tipc-use-kfree_sensitive-for-session-key-material.patch @@ -0,0 +1,51 @@ +From e9d6fc96ac41639f564df9e11e32076b2c0f8c05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 10:01:14 -0800 +Subject: tipc: use kfree_sensitive() for session key material + +From: Daniel Hodges + +[ Upstream commit 74d9391e8849e70ded5309222d09b0ed0edbd039 ] + +The rx->skey field contains a struct tipc_aead_key with GCM-AES +encryption keys used for TIPC cluster communication. Using plain +kfree() leaves this sensitive key material in freed memory pages +where it could potentially be recovered. + +Switch to kfree_sensitive() to ensure the key material is zeroed +before the memory is freed. + +Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange") +Signed-off-by: Daniel Hodges +Link: https://patch.msgid.link/20260131180114.2121438-1-hodgesd@meta.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index b525e6483881a..22c07a270ed40 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1230,7 +1230,7 @@ void tipc_crypto_key_flush(struct tipc_crypto *c) + rx = c; + tx = tipc_net(rx->net)->crypto_tx; + if (cancel_delayed_work(&rx->work)) { +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + atomic_xchg(&rx->key_distr, 0); + tipc_node_put(rx->node); +@@ -2405,7 +2405,7 @@ static void tipc_crypto_work_rx(struct work_struct *work) + break; + default: + synchronize_rcu(); +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + break; + } +-- +2.51.0 + diff --git a/queue-5.15/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch b/queue-5.15/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch new file mode 100644 index 0000000000..bbaea3d280 --- /dev/null +++ b/queue-5.15/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch @@ -0,0 +1,59 @@ +From f11e2bac11321d89fd7f4edaabd9b87ad964e84d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:30:04 +0530 +Subject: wifi: cfg80211: Fix bitrate calculation overflow for HE rates + +From: Veerendranath Jakkam + +[ Upstream commit a3034bf0746d88a00cceda9541534a5721445a24 ] + +An integer overflow occurs in cfg80211_calculate_bitrate_he() when +calculating bitrates for high throughput HE configurations. +For example, with 160 MHz bandwidth, HE-MCS 13, HE-NSS 4, and HE-GI 0, +the multiplication (result * rate->nss) overflows the 32-bit 'result' +variable before division by 8, leading to significantly underestimated +bitrate values. + +The overflow occurs because the NSS multiplication operates on a 32-bit +integer that cannot accommodate intermediate values exceeding +4,294,967,295. When overflow happens, the value wraps around, producing +incorrect bitrates for high MCS and NSS combinations. + +Fix this by utilizing the 64-bit 'tmp' variable for the NSS +multiplication and subsequent divisions via do_div(). This approach +preserves full precision throughout the entire calculation, with the +final value assigned to 'result' only after completing all operations. + +Signed-off-by: Veerendranath Jakkam +Link: https://patch.msgid.link/20260109-he_bitrate_overflow-v1-1-95575e466b6e@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 6ebc6567b2875..40548fe7e2635 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1418,12 +1418,14 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate) + tmp = result; + tmp *= SCALE; + do_div(tmp, mcs_divisors[rate->mcs]); +- result = tmp; + + /* and take NSS, DCM into account */ +- result = (result * rate->nss) / 8; ++ tmp *= rate->nss; ++ do_div(tmp, 8); + if (rate->he_dcm) +- result /= 2; ++ do_div(tmp, 2); ++ ++ result = tmp; + + return result / 10000; + } +-- +2.51.0 + diff --git a/queue-5.15/wifi-mac80211-collect-station-statistics-earlier-whe.patch b/queue-5.15/wifi-mac80211-collect-station-statistics-earlier-whe.patch new file mode 100644 index 0000000000..5cec15b804 --- /dev/null +++ b/queue-5.15/wifi-mac80211-collect-station-statistics-earlier-whe.patch @@ -0,0 +1,54 @@ +From fdeeef7489c71cf67cc80db23c45eaa01d5f7466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 10:29:07 +0800 +Subject: wifi: mac80211: collect station statistics earlier when disconnect + +From: Baochen Qiang + +[ Upstream commit a203dbeeca15a9b924f0d51f510921f4bae96801 ] + +In __sta_info_destroy_part2(), station statistics are requested after the +IEEE80211_STA_NONE -> IEEE80211_STA_NOTEXIST transition. This is +problematic because the driver may be unable to handle the request due to +the STA being in the NOTEXIST state (i.e. if the driver destroys the +underlying data when transitioning to NOTEXIST). + +Move the statistics collection to before the state transition to avoid +this issue. + +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20251222-mac80211-move-station-stats-collection-earlier-v1-1-12cd4e42c633@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index d1460b870ed5a..f9a5bda1f925d 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1101,6 +1101,10 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + } + } + ++ sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); ++ if (sinfo) ++ sta_set_sinfo(sta, sinfo, true); ++ + if (sta->uploaded) { + ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE, + IEEE80211_STA_NOTEXIST); +@@ -1109,9 +1113,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + + sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr); + +- sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); +- if (sinfo) +- sta_set_sinfo(sta, sinfo, true); + cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL); + kfree(sinfo); + +-- +2.51.0 + diff --git a/queue-5.15/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch b/queue-5.15/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch new file mode 100644 index 0000000000..b5a8d35058 --- /dev/null +++ b/queue-5.15/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch @@ -0,0 +1,49 @@ +From cf79097d15e10a942cef7080794d297aa91c5444 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 09:28:29 +0200 +Subject: wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice + +From: Miri Korenblit + +[ Upstream commit 3f3d8ff31496874a69b131866f62474eb24ed20a ] + +In reconfig, in case the driver asks to disconnect during the reconfig, +all the keys of the interface are marked as tainted. +Then ieee80211_reenable_keys will loop over all the interface keys, and +for each one it will +a) increment crypto_tx_tailroom_needed_cnt +b) call ieee80211_key_enable_hw_accel, which in turn will detect that +this key is tainted, so it will mark it as "not in hardware", which is +paired with crypto_tx_tailroom_needed_cnt incrementation, so we get two +incrementations for each tainted key. +Then we get a warning in ieee80211_free_keys. + +To fix it, don't increment the count in ieee80211_reenable_keys for +tainted keys + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260118092821.4ca111fddcda.Id6e554f4b1c83760aa02d5a9e4e3080edb197aa2@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index c755e3b332de0..88cf9e63dffe2 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -910,7 +910,8 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata) + + if (ieee80211_sdata_running(sdata)) { + list_for_each_entry(key, &sdata->key_list, list) { +- increment_tailroom_need_count(sdata); ++ if (!(key->flags & KEY_FLAG_TAINTED)) ++ increment_tailroom_need_count(sdata); + ieee80211_key_enable_hw_accel(key); + } + } +-- +2.51.0 + diff --git a/queue-5.15/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch b/queue-5.15/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch new file mode 100644 index 0000000000..3027cb7a56 --- /dev/null +++ b/queue-5.15/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch @@ -0,0 +1,44 @@ +From edf4b2575e7b45fa51ac926cc6e494e122abcaa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 19:59:32 -0800 +Subject: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined + +From: Moon Hee Lee + +[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ] + +ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only +present after JOIN_OCB. + +RX may run before JOIN_OCB is executed, in which case the OCB interface +is not operational. Skip RX peer handling when the interface is not +joined to avoid warnings in the RX path. + +Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054 +Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Signed-off-by: Moon Hee Lee +Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ocb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c +index 9713e53f11b1b..6688b1dd8aaa4 100644 +--- a/net/mac80211/ocb.c ++++ b/net/mac80211/ocb.c +@@ -47,6 +47,9 @@ void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata, + struct sta_info *sta; + int band; + ++ if (!ifocb->joined) ++ return; ++ + /* XXX: Consider removing the least recently used entry and + * allow new one to be added. + */ +-- +2.51.0 + diff --git a/queue-5.15/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch b/queue-5.15/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch new file mode 100644 index 0000000000..454351d96d --- /dev/null +++ b/queue-5.15/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch @@ -0,0 +1,42 @@ +From f6f7322dab3eec43fd5e5ef6abb453dc9b375260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 08:57:08 +0100 +Subject: wifi: wlcore: ensure skb headroom before skb_push +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Åstrand + +[ Upstream commit e75665dd096819b1184087ba5718bd93beafff51 ] + +This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is +less than needed (typically 110 - 94 = 16 bytes). + +Signed-off-by: Peter Astrand +Link: https://patch.msgid.link/097bd417-e1d7-acd4-be05-47b199075013@lysator.liu.se +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index e20e18cd04aed..e86cc3425e997 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -210,6 +210,11 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + total_blocks = wlcore_hw_calc_tx_blocks(wl, total_len, spare_blocks); + + if (total_blocks <= wl->tx_blocks_available) { ++ if (skb_headroom(skb) < (total_len - skb->len) && ++ pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { ++ wl1271_free_tx_id(wl, id); ++ return -EAGAIN; ++ } + desc = skb_push(skb, total_len - skb->len); + + wlcore_hw_set_tx_desc_blocks(wl, desc, total_blocks, +-- +2.51.0 + diff --git a/queue-6.1/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch b/queue-6.1/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch new file mode 100644 index 0000000000..d96ece2589 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch @@ -0,0 +1,37 @@ +From bb5fa54f19b4ecee2d8d327117c64398a37b746b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 02:53:36 +0300 +Subject: ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk + +From: Ruslan Krupitsa + +[ Upstream commit 9ed7a28225af02b74f61e7880d460db49db83758 ] + +HP Laptop 15s-eq1xxx with ALC236 codec does not enable the +mute LED automatically. This patch adds a quirk entry for +subsystem ID 0x8706 using the ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 +fixup, enabling correct mute LED behavior. + +Signed-off-by: Ruslan Krupitsa +Link: https://patch.msgid.link/AS8P194MB112895B8EC2D87D53A876085BBBAA@AS8P194MB1128.EURP194.PROD.OUTLOOK.COM +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index ccbdb01ab6ece..4ab3feb5e5929 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9929,6 +9929,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x863e, "HP Spectre x360 15-df1xxx", ALC285_FIXUP_HP_SPECTRE_X360_DF1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), ++ SND_PCI_QUIRK(0x103c, 0x8706, "HP Laptop 15s-eq1xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), +-- +2.51.0 + diff --git a/queue-6.1/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch b/queue-6.1/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch new file mode 100644 index 0000000000..f1757c5c6c --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch @@ -0,0 +1,39 @@ +From 9363d675c91ad68aaea9c73bafb08e410bea9e33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 16:15:55 +0100 +Subject: ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU + +From: Tim Guttzeit + +[ Upstream commit b48fe9af1e60360baf09ca6b7a3cd6541f16e611 ] + +Add a PCI quirk to enable microphone detection on the headphone jack of +TongFang X6AR55xU devices. + +Signed-off-by: Tim Guttzeit +Signed-off-by: Werner Sembach +Link: https://patch.msgid.link/20260119151626.35481-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 4ab3feb5e5929..32543db09d8b2 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10905,6 +10905,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x12, 0x90a60140}, + {0x19, 0x04a11030}, + {0x21, 0x04211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0274, 0x1d05, "TongFang", ALC274_FIXUP_HP_HEADSET_MIC, ++ {0x17, 0x90170110}, ++ {0x19, 0x03a11030}, ++ {0x21, 0x03211020}), + SND_HDA_PIN_QUIRK(0x10ec0282, 0x1025, "Acer", ALC282_FIXUP_ACER_DISABLE_LINEOUT, + ALC282_STANDARD_PINS, + {0x12, 0x90a609c0}, +-- +2.51.0 + diff --git a/queue-6.1/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch b/queue-6.1/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch new file mode 100644 index 0000000000..5169398940 --- /dev/null +++ b/queue-6.1/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch @@ -0,0 +1,37 @@ +From 4a5199c8dd3c7042b8aef4e40341ab981348fdb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 20:50:33 +0000 +Subject: ASoC: amd: fix memory leak in acp3x pdm dma ops + +From: Chris Bainbridge + +[ Upstream commit 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 ] + +Fixes: 4a767b1d039a8 ("ASoC: amd: add acp3x pdm driver dma ops") +Signed-off-by: Chris Bainbridge +Link: https://patch.msgid.link/20260202205034.7697-1-chris.bainbridge@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/renoir/acp3x-pdm-dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/amd/renoir/acp3x-pdm-dma.c b/sound/soc/amd/renoir/acp3x-pdm-dma.c +index 7203c6488df0e..643deed487ab4 100644 +--- a/sound/soc/amd/renoir/acp3x-pdm-dma.c ++++ b/sound/soc/amd/renoir/acp3x-pdm-dma.c +@@ -295,9 +295,11 @@ static int acp_pdm_dma_close(struct snd_soc_component *component, + struct snd_pcm_substream *substream) + { + struct pdm_dev_data *adata = dev_get_drvdata(component->dev); ++ struct pdm_stream_instance *rtd = substream->runtime->private_data; + + disable_pdm_interrupts(adata->acp_base); + adata->capture_stream = NULL; ++ kfree(rtd); + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.1/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch b/queue-6.1/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch new file mode 100644 index 0000000000..7816bfae4c --- /dev/null +++ b/queue-6.1/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch @@ -0,0 +1,113 @@ +From 3a744a1bcb25e692a0da79938136afff058e7860 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 23:48:37 +0800 +Subject: ASoC: davinci-evm: Fix reference leak in davinci_evm_probe + +From: Kery Qi + +[ Upstream commit 5b577d214fcc109707bcb77b4ae72a31cfd86798 ] + +The davinci_evm_probe() function calls of_parse_phandle() to acquire +device nodes for "ti,audio-codec" and "ti,mcasp-controller". These +functions return device nodes with incremented reference counts. + +However, in several error paths (e.g., when the second of_parse_phandle(), +snd_soc_of_parse_card_name(), or devm_snd_soc_register_card() fails), +the function returns directly without releasing the acquired nodes, +leading to reference leaks. + +This patch adds an error handling path 'err_put' to properly release +the device nodes using of_node_put() and clean up the pointers when +an error occurs. + +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260107154836.1521-2-qikeyu2017@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/davinci-evm.c | 39 ++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/ti/davinci-evm.c b/sound/soc/ti/davinci-evm.c +index 68d69e32681ad..c5ff68ee3e128 100644 +--- a/sound/soc/ti/davinci-evm.c ++++ b/sound/soc/ti/davinci-evm.c +@@ -404,27 +404,32 @@ static int davinci_evm_probe(struct platform_device *pdev) + return -EINVAL; + + dai->cpus->of_node = of_parse_phandle(np, "ti,mcasp-controller", 0); +- if (!dai->cpus->of_node) +- return -EINVAL; ++ if (!dai->cpus->of_node) { ++ ret = -EINVAL; ++ goto err_put; ++ } + + dai->platforms->of_node = dai->cpus->of_node; + + evm_soc_card.dev = &pdev->dev; + ret = snd_soc_of_parse_card_name(&evm_soc_card, "ti,model"); + if (ret) +- return ret; ++ goto err_put; + + mclk = devm_clk_get(&pdev->dev, "mclk"); + if (PTR_ERR(mclk) == -EPROBE_DEFER) { +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto err_put; + } else if (IS_ERR(mclk)) { + dev_dbg(&pdev->dev, "mclk not found.\n"); + mclk = NULL; + } + + drvdata = devm_kzalloc(&pdev->dev, sizeof(*drvdata), GFP_KERNEL); +- if (!drvdata) +- return -ENOMEM; ++ if (!drvdata) { ++ ret = -ENOMEM; ++ goto err_put; ++ } + + drvdata->mclk = mclk; + +@@ -434,7 +439,8 @@ static int davinci_evm_probe(struct platform_device *pdev) + if (!drvdata->mclk) { + dev_err(&pdev->dev, + "No clock or clock rate defined.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put; + } + drvdata->sysclk = clk_get_rate(drvdata->mclk); + } else if (drvdata->mclk) { +@@ -450,8 +456,25 @@ static int davinci_evm_probe(struct platform_device *pdev) + snd_soc_card_set_drvdata(&evm_soc_card, drvdata); + ret = devm_snd_soc_register_card(&pdev->dev, &evm_soc_card); + +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "snd_soc_register_card failed (%d)\n", ret); ++ goto err_put; ++ } ++ ++ return ret; ++ ++err_put: ++ dai->platforms->of_node = NULL; ++ ++ if (dai->cpus->of_node) { ++ of_node_put(dai->cpus->of_node); ++ dai->cpus->of_node = NULL; ++ } ++ ++ if (dai->codecs->of_node) { ++ of_node_put(dai->codecs->of_node); ++ dai->codecs->of_node = NULL; ++ } + + return ret; + } +-- +2.51.0 + diff --git a/queue-6.1/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch b/queue-6.1/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch new file mode 100644 index 0000000000..8850977b0d --- /dev/null +++ b/queue-6.1/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch @@ -0,0 +1,43 @@ +From 2b0ca667eaf06fbd1f8491d48aa45a7a07778a75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:46 +0100 +Subject: ASoC: tlv320adcx140: Propagate error codes during probe + +From: Dimitrios Katsaros + +[ Upstream commit d89aad92cfd15edbd704746f44c98fe687f9366f ] + +When scanning for the reset pin, we could get an -EPROBE_DEFER. +The driver would assume that no reset pin had been defined, +which would mean that the chip would never be powered. + +Now we both respect any error we get from devm_gpiod_get_optional. +We also now properly report the missing GPIO definition when +'gpio_reset' is NULL. + +Signed-off-by: Dimitrios Katsaros +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-3-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index 67eef894d0c2d..0323d6341c9ae 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -1157,6 +1157,9 @@ static int adcx140_i2c_probe(struct i2c_client *i2c) + adcx140->gpio_reset = devm_gpiod_get_optional(adcx140->dev, + "reset", GPIOD_OUT_LOW); + if (IS_ERR(adcx140->gpio_reset)) ++ return dev_err_probe(&i2c->dev, PTR_ERR(adcx140->gpio_reset), ++ "Failed to get Reset GPIO\n"); ++ if (!adcx140->gpio_reset) + dev_info(&i2c->dev, "Reset GPIO not defined\n"); + + adcx140->supply_areg = devm_regulator_get_optional(adcx140->dev, +-- +2.51.0 + diff --git a/queue-6.1/block-bfq-fix-aux-stat-accumulation-destination.patch b/queue-6.1/block-bfq-fix-aux-stat-accumulation-destination.patch new file mode 100644 index 0000000000..8743917951 --- /dev/null +++ b/queue-6.1/block-bfq-fix-aux-stat-accumulation-destination.patch @@ -0,0 +1,36 @@ +From ce4b2be15f02d7d709dcbcba8fba5dbd5122d26f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 21:04:26 +0800 +Subject: block,bfq: fix aux stat accumulation destination + +From: shechenglong + +[ Upstream commit 04bdb1a04d8a2a89df504c1e34250cd3c6e31a1c ] + +Route bfqg_stats_add_aux() time accumulation into the destination +stats object instead of the source, aligning with other stat fields. + +Reviewed-by: Yu Kuai +Signed-off-by: shechenglong +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index c202e2527d053..8e2478efd6695 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -382,7 +382,7 @@ static void bfqg_stats_add_aux(struct bfqg_stats *to, struct bfqg_stats *from) + blkg_rwstat_add_aux(&to->merged, &from->merged); + blkg_rwstat_add_aux(&to->service_time, &from->service_time); + blkg_rwstat_add_aux(&to->wait_time, &from->wait_time); +- bfq_stat_add_aux(&from->time, &from->time); ++ bfq_stat_add_aux(&to->time, &from->time); + bfq_stat_add_aux(&to->avg_queue_size_sum, &from->avg_queue_size_sum); + bfq_stat_add_aux(&to->avg_queue_size_samples, + &from->avg_queue_size_samples); +-- +2.51.0 + diff --git a/queue-6.1/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch b/queue-6.1/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch new file mode 100644 index 0000000000..9fb67b8e54 --- /dev/null +++ b/queue-6.1/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch @@ -0,0 +1,70 @@ +From fbc266b3b11d15a1cf1a122e3db00d813a87b2ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 17:18:25 +0000 +Subject: btrfs: fix reservation leak in some error paths when inserting inline + extent + +From: Filipe Manana + +[ Upstream commit c1c050f92d8f6aac4e17f7f2230160794fceef0c ] + +If we fail to allocate a path or join a transaction, we return from +__cow_file_range_inline() without freeing the reserved qgroup data, +resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data() +in such cases. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 78cd7b8ccfc85..c409fb3e55bf8 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -397,7 +397,7 @@ static noinline int cow_file_range_inline(struct btrfs_inode *inode, u64 size, + struct btrfs_drop_extents_args drop_args = { 0 }; + struct btrfs_root *root = inode->root; + struct btrfs_fs_info *fs_info = root->fs_info; +- struct btrfs_trans_handle *trans; ++ struct btrfs_trans_handle *trans = NULL; + u64 data_len = (compressed_size ?: size); + int ret; + struct btrfs_path *path; +@@ -415,13 +415,16 @@ static noinline int cow_file_range_inline(struct btrfs_inode *inode, u64 size, + return 1; + + path = btrfs_alloc_path(); +- if (!path) +- return -ENOMEM; ++ if (!path) { ++ ret = -ENOMEM; ++ goto out; ++ } + + trans = btrfs_join_transaction(root); + if (IS_ERR(trans)) { +- btrfs_free_path(path); +- return PTR_ERR(trans); ++ ret = PTR_ERR(trans); ++ trans = NULL; ++ goto out; + } + trans->block_rsv = &inode->block_rsv; + +@@ -468,7 +471,8 @@ static noinline int cow_file_range_inline(struct btrfs_inode *inode, u64 size, + */ + btrfs_qgroup_free_data(inode, NULL, 0, PAGE_SIZE, NULL); + btrfs_free_path(path); +- btrfs_end_transaction(trans); ++ if (trans) ++ btrfs_end_transaction(trans); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.1/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch b/queue-6.1/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch new file mode 100644 index 0000000000..f4551ac070 --- /dev/null +++ b/queue-6.1/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch @@ -0,0 +1,47 @@ +From 7ba2b28aea6fe3cfac24c6ff58645e43eb89e8e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 00:55:13 +0800 +Subject: dpaa2-switch: add bounds check for if_id in IRQ handler + +From: Junrui Luo + +[ Upstream commit 31a7a0bbeb006bac2d9c81a2874825025214b6d8 ] + +The IRQ handler extracts if_id from the upper 16 bits of the hardware +status register and uses it to index into ethsw->ports[] without +validation. Since if_id can be any 16-bit value (0-65535) but the ports +array is only allocated with sw_attr.num_ifs elements, this can lead to +an out-of-bounds read potentially. + +Add a bounds check before accessing the array, consistent with the +existing validation in dpaa2_switch_rx(). + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 24ab724f8a46 ("dpaa2-switch: use the port index in the IRQ handler") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881D420AB43FF1A227B84AFAF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 801956c048752..c08d8d5e47e12 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -1513,6 +1513,10 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg) + } + + if_id = (status & 0xFFFF0000) >> 16; ++ if (if_id >= ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id); ++ goto out; ++ } + port_priv = ethsw->ports[if_id]; + + if (status & DPSW_IRQ_EVENT_LINK_CHANGED) { +-- +2.51.0 + diff --git a/queue-6.1/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch b/queue-6.1/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch new file mode 100644 index 0000000000..6bff37ac46 --- /dev/null +++ b/queue-6.1/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch @@ -0,0 +1,55 @@ +From 75fa456e4d4105d727cb040e06d4d98a33584293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 16:07:34 +0800 +Subject: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero + +From: Junrui Luo + +[ Upstream commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66 ] + +The driver allocates arrays for ports, FDBs, and filter blocks using +kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the +device reports zero interfaces (either due to hardware configuration +or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) +instead of NULL. + +Later in dpaa2_switch_probe(), the NAPI initialization unconditionally +accesses ethsw->ports[0]->netdev, which attempts to dereference +ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. + +Add a check to ensure num_ifs is greater than zero after retrieving +device attributes. This prevents the zero-sized allocations and +subsequent invalid pointer dereference. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface") +Signed-off-by: Junrui Luo +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/SYBPR01MB7881BEABA8DA896947962470AF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index e928fea16e841..801956c048752 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2970,6 +2970,12 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev) + goto err_close; + } + ++ if (!ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "DPSW device has no interfaces\n"); ++ err = -ENODEV; ++ goto err_close; ++ } ++ + err = dpsw_get_api_version(ethsw->mc_io, 0, + ðsw->major, + ðsw->minor); +-- +2.51.0 + diff --git a/queue-6.1/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch b/queue-6.1/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch new file mode 100644 index 0000000000..6037466683 --- /dev/null +++ b/queue-6.1/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch @@ -0,0 +1,215 @@ +From fb43bcc3bee7f9c890022babd4b596334ef73c18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 16:16:39 -0800 +Subject: drm/mgag200: fix mgag200_bmc_stop_scanout() + +From: Jacob Keller + +[ Upstream commit 0e0c8f4d16de92520623aa1ea485cadbf64e6929 ] + +The mgag200_bmc_stop_scanout() function is called by the .atomic_disable() +handler for the MGA G200 VGA BMC encoder. This function performs a few +register writes to inform the BMC of an upcoming mode change, and then +polls to wait until the BMC actually stops. + +The polling is implemented using a busy loop with udelay() and an iteration +timeout of 300, resulting in the function blocking for 300 milliseconds. + +The function gets called ultimately by the output_poll_execute work thread +for the DRM output change polling thread of the mgag200 driver: + +kworker/0:0-mm_ 3528 [000] 4555.315364: + ffffffffaa0e25b3 delay_halt.part.0+0x33 + ffffffffc03f6188 mgag200_bmc_stop_scanout+0x178 + ffffffffc087ae7a disable_outputs+0x12a + ffffffffc087c12a drm_atomic_helper_commit_tail+0x1a + ffffffffc03fa7b6 mgag200_mode_config_helper_atomic_commit_tail+0x26 + ffffffffc087c9c1 commit_tail+0x91 + ffffffffc087d51b drm_atomic_helper_commit+0x11b + ffffffffc0509694 drm_atomic_commit+0xa4 + ffffffffc05105e8 drm_client_modeset_commit_atomic+0x1e8 + ffffffffc0510ce6 drm_client_modeset_commit_locked+0x56 + ffffffffc0510e24 drm_client_modeset_commit+0x24 + ffffffffc088a743 __drm_fb_helper_restore_fbdev_mode_unlocked+0x93 + ffffffffc088a683 drm_fb_helper_hotplug_event+0xe3 + ffffffffc050f8aa drm_client_dev_hotplug+0x9a + ffffffffc088555a output_poll_execute+0x29a + ffffffffa9b35924 process_one_work+0x194 + ffffffffa9b364ee worker_thread+0x2fe + ffffffffa9b3ecad kthread+0xdd + ffffffffa9a08549 ret_from_fork+0x29 + +On a server running ptp4l with the mgag200 driver loaded, we found that +ptp4l would sometimes get blocked from execution because of this busy +waiting loop. + +Every so often, approximately once every 20 minutes -- though with large +variance -- the output_poll_execute() thread would detect some sort of +change that required performing a hotplug event which results in attempting +to stop the BMC scanout, resulting in a 300msec delay on one CPU. + +On this system, ptp4l was pinned to a single CPU. When the +output_poll_execute() thread ran on that CPU, it blocked ptp4l from +executing for its 300 millisecond duration. + +This resulted in PTP service disruptions such as failure to send a SYNC +message on time, failure to handle ANNOUNCE messages on time, and clock +check warnings from the application. All of this despite the application +being configured with FIFO_RT and a higher priority than the background +workqueue tasks. (However, note that the kernel did not use +CONFIG_PREEMPT...) + +It is unclear if the event is due to a faulty VGA connection, another bug, +or actual events causing a change in the connection. At least on the system +under test it is not a one-time event and consistently causes disruption to +the time sensitive applications. + +The function has some helpful comments explaining what steps it is +attempting to take. In particular, step 3a and 3b are explained as such: + + 3a - The third step is to verify if there is an active scan. We are + waiting on a 0 on remhsyncsts (. + + 3b - This step occurs only if the remove is actually scanning. We are + waiting for the end of the frame which is a 1 on remvsyncsts + (). + +The actual steps 3a and 3b are implemented as while loops with a +non-sleeping udelay(). The first step iterates while the tmp value at +position 0 is *not* set. That is, it keeps iterating as long as the bit is +zero. If the bit is already 0 (because there is no active scan), it will +iterate the entire 300 attempts which wastes 300 milliseconds in total. +This is opposite of what the description claims. + +The step 3b logic only executes if we do not iterate over the entire 300 +attempts in the first loop. If it does trigger, it is trying to check and +wait for a 1 on the remvsyncsts. However, again the condition is actually +inverted and it will loop as long as the bit is 1, stopping once it hits +zero (rather than the explained attempt to wait until we see a 1). + +Worse, both loops are implemented using non-sleeping waits which spin +instead of allowing the scheduler to run other processes. If the kernel is +not configured to allow arbitrary preemption, it will waste valuable CPU +time doing nothing. + +There does not appear to be any documentation for the BMC register +interface, beyond what is in the comments here. It seems more probable that +the comment here is correct and the implementation accidentally got +inverted from the intended logic. + +Reading through other DRM driver implementations, it does not appear that +the .atomic_enable or .atomic_disable handlers need to delay instead of +sleep. For example, the ast_astdp_encoder_helper_atomic_disable() function +calls ast_dp_set_phy_sleep() which uses msleep(). The "atomic" in the name +is referring to the atomic modesetting support, which is the support to +enable atomic configuration from userspace, and not to the "atomic context" +of the kernel. There is no reason to use udelay() here if a sleep would be +sufficient. + +Replace the while loops with a read_poll_timeout() based implementation +that will sleep between iterations, and which stops polling once the +condition is met (instead of looping as long as the condition is met). This +aligns with the commented behavior and avoids blocking on the CPU while +doing nothing. + +Note the RREG_DAC is implemented using a statement expression to allow +working properly with the read_poll_timeout family of functions. The other +RREG_ macros ought to be cleaned up to have better semantics, and +several places in the mgag200 driver could make use of RREG_DAC or similar +RREG_* macros should likely be cleaned up for better semantics as well, but +that task has been left as a future cleanup for a non-bugfix. + +Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)") +Suggested-by: Thomas Zimmermann +Signed-off-by: Jacob Keller +Reviewed-by: Thomas Zimmermann +Reviewed-by: Jocelyn Falempe +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20260202-jk-mgag200-fix-bad-udelay-v2-1-ce1e9665987d@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mgag200/mgag200_bmc.c | 31 +++++++++++---------------- + drivers/gpu/drm/mgag200/mgag200_drv.h | 6 ++++++ + 2 files changed, 18 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/mgag200/mgag200_bmc.c b/drivers/gpu/drm/mgag200/mgag200_bmc.c +index 2ba2e3c5086a5..852a82f6309ba 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_bmc.c ++++ b/drivers/gpu/drm/mgag200/mgag200_bmc.c +@@ -1,13 +1,14 @@ + // SPDX-License-Identifier: GPL-2.0-only + + #include ++#include + + #include "mgag200_drv.h" + + void mgag200_bmc_disable_vidrst(struct mga_device *mdev) + { + u8 tmp; +- int iter_max; ++ int ret; + + /* + * 1 - The first step is to inform the BMC of an upcoming mode +@@ -37,30 +38,22 @@ void mgag200_bmc_disable_vidrst(struct mga_device *mdev) + + /* + * 3a- The third step is to verify if there is an active scan. +- * We are waiting for a 0 on remhsyncsts ). ++ * We are waiting for a 0 on remhsyncsts (). + */ +- iter_max = 300; +- while (!(tmp & 0x1) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } ++ ret = read_poll_timeout(RREG_DAC, tmp, !(tmp & 0x1), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); ++ if (ret == -ETIMEDOUT) ++ return; + + /* +- * 3b- This step occurs only if the remove is actually ++ * 3b- This step occurs only if the remote BMC is actually + * scanning. We are waiting for the end of the frame which is + * a 1 on remvsyncsts (XSPAREREG<1>) + */ +- if (iter_max) { +- iter_max = 300; +- while ((tmp & 0x2) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } +- } ++ (void)read_poll_timeout(RREG_DAC, tmp, (tmp & 0x2), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); + } + + void mgag200_bmc_enable_vidrst(struct mga_device *mdev) +diff --git a/drivers/gpu/drm/mgag200/mgag200_drv.h b/drivers/gpu/drm/mgag200/mgag200_drv.h +index aebd09e2d4087..c84c3d0865345 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_drv.h ++++ b/drivers/gpu/drm/mgag200/mgag200_drv.h +@@ -116,6 +116,12 @@ + #define DAC_INDEX 0x3c00 + #define DAC_DATA 0x3c0a + ++#define RREG_DAC(reg) \ ++ ({ \ ++ WREG8(DAC_INDEX, reg); \ ++ RREG8(DAC_DATA); \ ++ }) \ ++ + #define WREG_DAC(reg, v) \ + do { \ + WREG8(DAC_INDEX, reg); \ +-- +2.51.0 + diff --git a/queue-6.1/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch b/queue-6.1/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch new file mode 100644 index 0000000000..87dfaffde3 --- /dev/null +++ b/queue-6.1/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch @@ -0,0 +1,56 @@ +From 76da98d38651ec47ca2f70c41f8d0b453c280bfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 19:03:57 -0300 +Subject: HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodrigo Lugathe da Conceição Alves + +[ Upstream commit 85a866809333cd2bf8ddac93d9a3e3ba8e4f807d ] + +The USB speaker has a bug that causes it to reboot when changing the +brightness using the physical knob. + +Add a new vendor and product ID entry in hid-ids.h, and register +the corresponding device in hid-quirks.c with the required quirk. + +Signed-off-by: Rodrigo Lugathe da Conceição Alves +Reviewed-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 4b2724f9db6ca..bac298a4930a4 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -418,6 +418,9 @@ + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002 0xc002 + ++#define USB_VENDOR_ID_EDIFIER 0x2d99 ++#define USB_DEVICE_ID_EDIFIER_QR30 0xa101 /* EDIFIER Hal0 2.0 SE */ ++ + #define USB_VENDOR_ID_ELAN 0x04f3 + #define USB_DEVICE_ID_TOSHIBA_CLICK_L9W 0x0401 + #define USB_DEVICE_ID_HP_X2 0x074d +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index e7f355068d0b4..457a52cfa17c6 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -81,6 +81,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER), HID_QUIRK_MULTI_INPUT | HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_EDIFIER, USB_DEVICE_ID_EDIFIER_QR30), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_EMS, USB_DEVICE_ID_EMS_TRIO_LINKER_PLUS_II), HID_QUIRK_MULTI_INPUT }, +-- +2.51.0 + diff --git a/queue-6.1/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch b/queue-6.1/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch new file mode 100644 index 0000000000..a8ed6d867e --- /dev/null +++ b/queue-6.1/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch @@ -0,0 +1,46 @@ +From a866a645690af639a637e03ed9adce9ec066e5bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jan 2026 02:18:26 +0800 +Subject: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() + +From: Kwok Kin Ming + +[ Upstream commit 2497ff38c530b1af0df5130ca9f5ab22c5e92f29 ] + +`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data +into `ihid->rawbuf`. + +The former can come from the userspace in the hidraw driver and is only +bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set +`max_buffer_size` field of `struct hid_ll_driver` which we do not). + +The latter has size determined at runtime by the maximum size of +different report types you could receive on any particular device and +can be a much smaller value. + +Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. + +The impact is low since access to hidraw devices requires root. + +Signed-off-by: Kwok Kin Ming +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 8a7ac016b1abe..624d542df3a7d 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -257,6 +257,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid, + * In addition to report data device will supply data length + * in the first 2 bytes of the response, so adjust . + */ ++ recv_len = min(recv_len, ihid->bufsize - sizeof(__le16)); + error = i2c_hid_xfer(ihid, ihid->cmdbuf, length, + ihid->rawbuf, recv_len + sizeof(__le16)); + if (error) { +-- +2.51.0 + diff --git a/queue-6.1/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch b/queue-6.1/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch new file mode 100644 index 0000000000..bd823fcb98 --- /dev/null +++ b/queue-6.1/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch @@ -0,0 +1,49 @@ +From 39b16283fc682f5be8d35f63677a61c035df3db2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 10:51:50 +0800 +Subject: HID: intel-ish-hid: Reset enum_devices_done before enumeration + +From: Zhang Lixu + +[ Upstream commit 56e230723e3a818373bd62331bccb1c6d2b3881b ] + +Some systems have enabled ISH without any sensors. In this case sending +HOSTIF_DM_ENUM_DEVICES results in 0 sensors. This triggers ISH hardware +reset on subsequent enumeration after S3/S4 resume. + +The enum_devices_done flag was not reset before sending the +HOSTIF_DM_ENUM_DEVICES command. On subsequent enumeration calls (such as +after S3/S4 resume), this flag retains its previous true value, causing the +wait loop to be skipped and returning prematurely to hid_ishtp_cl_init(). +If 0 HID devices are found, hid_ishtp_cl_init() skips getting HID device +descriptors and sets init_done to true. When the delayed enumeration +response arrives with init_done already true, the driver treats it as a bad +packet and triggers an ISH hardware reset. + +Set enum_devices_done to false before sending the enumeration command, +consistent with similar functions like ishtp_get_hid_descriptor() and +ishtp_get_report_descriptor() which reset their respective flags. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp-hid-client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +index e3d70c5460e96..a0c1dc0941497 100644 +--- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c ++++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +@@ -496,6 +496,7 @@ static int ishtp_enum_enum_devices(struct ishtp_cl *hid_ishtp_cl) + int rv; + + /* Send HOSTIF_DM_ENUM_DEVICES */ ++ client_data->enum_devices_done = false; + memset(&msg, 0, sizeof(struct hostif_msg)); + msg.hdr.command = HOSTIF_DM_ENUM_DEVICES; + rv = ishtp_cl_send(hid_ishtp_cl, (unsigned char *)&msg, +-- +2.51.0 + diff --git a/queue-6.1/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch b/queue-6.1/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch new file mode 100644 index 0000000000..9ba1c39752 --- /dev/null +++ b/queue-6.1/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch @@ -0,0 +1,49 @@ +From 7e5bd7df15cba302bbf823978f728f3444e1e1eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 10:53:28 +0800 +Subject: HID: intel-ish-hid: Update ishtp bus match to support device ID table + +From: Zhang Lixu + +[ Upstream commit daeed86b686855adda79f13729e0c9b0530990be ] + +The ishtp_cl_bus_match() function previously only checked the first entry +in the driver's device ID table. Update it to iterate over the entire +table, allowing proper matching for drivers with multiple supported +protocol GUIDs. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/bus.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c +index d4296681cf720..67e3215a332e6 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/bus.c ++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c +@@ -240,9 +240,17 @@ static int ishtp_cl_bus_match(struct device *dev, struct device_driver *drv) + { + struct ishtp_cl_device *device = to_ishtp_cl_device(dev); + struct ishtp_cl_driver *driver = to_ishtp_cl_driver(drv); ++ struct ishtp_fw_client *client = device->fw_client; ++ const struct ishtp_device_id *id; + +- return(device->fw_client ? guid_equal(&driver->id[0].guid, +- &device->fw_client->props.protocol_name) : 0); ++ if (client) { ++ for (id = driver->id; !guid_is_null(&id->guid); id++) { ++ if (guid_equal(&id->guid, &client->props.protocol_name)) ++ return 1; ++ } ++ } ++ ++ return 0; + } + + /** +-- +2.51.0 + diff --git a/queue-6.1/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch b/queue-6.1/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch new file mode 100644 index 0000000000..ae78c0c2f5 --- /dev/null +++ b/queue-6.1/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch @@ -0,0 +1,42 @@ +From 4db652f6d94cc8397b844d9e377cbd4d9c209ce4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Dec 2025 14:34:36 +0100 +Subject: HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL + +From: DaytonCL + +[ Upstream commit ff3f234ff1dcd6d626a989151db067a1b7f0f215 ] + +Some VTL-class touchpads (e.g. TOPS0102:00 35CC:0104) intermittently +fail to release a finger contact. A previous slot remains logically +active, accompanied by stale BTN_TOOL_DOUBLETAP state, causing +gestures to stay latched and resulting in stuck two-finger +scrolling and false right-clicks. + +Apply MT_QUIRK_STICKY_FINGERS to handle the unreleased contact correctly. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1225 +Suggested-by: Benjamin Tissoires +Tested-by: DaytonCL +Signed-off-by: DaytonCL +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index b9e67b408a4b9..6d9a85c5fc409 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -379,6 +379,7 @@ static const struct mt_class mt_classes[] = { + { .name = MT_CLS_VTL, + .quirks = MT_QUIRK_ALWAYS_VALID | + MT_QUIRK_CONTACT_CNT_ACCURATE | ++ MT_QUIRK_STICKY_FINGERS | + MT_QUIRK_FORCE_GET_FEATURE, + }, + { .name = MT_CLS_GOOGLE, +-- +2.51.0 + diff --git a/queue-6.1/hid-playstation-center-initial-joystick-axes-to-prev.patch b/queue-6.1/hid-playstation-center-initial-joystick-axes-to-prev.patch new file mode 100644 index 0000000000..44f3a118bf --- /dev/null +++ b/queue-6.1/hid-playstation-center-initial-joystick-axes-to-prev.patch @@ -0,0 +1,66 @@ +From 4de427c16a4aa040914b21d87d22c59f278f7689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 15:45:19 -0800 +Subject: HID: playstation: Center initial joystick axes to prevent spurious + events + +From: Siarhei Vishniakou + +[ Upstream commit e9143268d259d98e111a649affa061acb8e13c5b ] + +When a new PlayStation gamepad (DualShock 4 or DualSense) is initialized, +the input subsystem sets the default value for its absolute axes (e.g., +ABS_X, ABS_Y) to 0. + +However, the hardware's actual neutral/resting state for these joysticks +is 128 (0x80). This creates a mismatch. + +When the first HID report arrives from the device, the driver sees the +resting value of 128. The kernel compares this to its initial state of 0 +and incorrectly interprets this as a delta (0 -> 128). Consequently, it +generates EV_ABS events for this initial, non-existent movement. + +This behavior can fail userspace 'sanity check' tests (e.g., in +Android CTS) that correctly assert no motion events should be generated +from a device that is already at rest. + +This patch fixes the issue by explicitly setting the initial value of the +main joystick axes (e.g., ABS_X, ABS_Y, ABS_RX, ABS_RY) to 128 (0x80) +in the common ps_gamepad_create() function. + +This aligns the kernel's initial state with the hardware's expected +neutral state, ensuring that the first report (at 128) produces no +delta and thus, no spurious event. + +Signed-off-by: Siarhei Vishniakou +Reviewed-by: Benjamin Tissoires +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-playstation.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-playstation.c b/drivers/hid/hid-playstation.c +index 2228f6e4ba23f..38d5171dd25b2 100644 +--- a/drivers/hid/hid-playstation.c ++++ b/drivers/hid/hid-playstation.c +@@ -487,11 +487,16 @@ static struct input_dev *ps_gamepad_create(struct hid_device *hdev, + if (IS_ERR(gamepad)) + return ERR_CAST(gamepad); + ++ /* Set initial resting state for joysticks to 128 (center) */ + input_set_abs_params(gamepad, ABS_X, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_X].value = 128; + input_set_abs_params(gamepad, ABS_Y, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_Y].value = 128; + input_set_abs_params(gamepad, ABS_Z, 0, 255, 0, 0); + input_set_abs_params(gamepad, ABS_RX, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RX].value = 128; + input_set_abs_params(gamepad, ABS_RY, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RY].value = 128; + input_set_abs_params(gamepad, ABS_RZ, 0, 255, 0, 0); + + input_set_abs_params(gamepad, ABS_HAT0X, -1, 1, 0, 0); +-- +2.51.0 + diff --git a/queue-6.1/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch b/queue-6.1/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch new file mode 100644 index 0000000000..26adab46a8 --- /dev/null +++ b/queue-6.1/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch @@ -0,0 +1,51 @@ +From c90503e9554241aff535ff7f77ce6dde4160eedc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 06:56:43 +0000 +Subject: HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list + +From: Chris Chiu + +[ Upstream commit c06bc3557542307b9658fbd43cc946a14250347b ] + +Another Chicony Electronics HP 5MP Camera with USB ID 04F2:B882 +reports a HID sensor interface that is not actually implemented. + +Add the device to the HID ignore list so the bogus sensor is never +exposed to userspace. Then the system won't hang when runtime PM +tries to wake the unresponsive device. + +Signed-off-by: Chris Chiu +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 524edddd84895..4b2724f9db6ca 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -299,6 +299,7 @@ + #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c ++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3 0xb882 + + #define USB_VENDOR_ID_CHUNGHWAT 0x2247 + #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index b6bec3614cfea..e7f355068d0b4 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -751,6 +751,7 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) }, +-- +2.51.0 + diff --git a/queue-6.1/hwmon-occ-mark-occ_init_attribute-as-__printf.patch b/queue-6.1/hwmon-occ-mark-occ_init_attribute-as-__printf.patch new file mode 100644 index 0000000000..874ebfc9bc --- /dev/null +++ b/queue-6.1/hwmon-occ-mark-occ_init_attribute-as-__printf.patch @@ -0,0 +1,42 @@ +From 6b7d2474e7d63c74c8e78fd6812e44a44654e2df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 17:34:36 +0100 +Subject: hwmon: (occ) Mark occ_init_attribute() as __printf + +From: Arnd Bergmann + +[ Upstream commit 831a2b27914cc880130ffe8fb8d1e65a5324d07f ] + +This is a printf-style function, which gcc -Werror=suggest-attribute=format +correctly points out: + +drivers/hwmon/occ/common.c: In function 'occ_init_attribute': +drivers/hwmon/occ/common.c:761:9: error: function 'occ_init_attribute' might be a candidate for 'gnu_printf' format attribute [-Werror=suggest-attribute=format] + +Add the attribute to avoid this warning and ensure any incorrect +format strings are detected here. + +Fixes: 744c2fe950e9 ("hwmon: (occ) Rework attribute registration for stack usage") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20260203163440.2674340-1-arnd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index 483f79b394298..755926fa0bf7d 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -749,6 +749,7 @@ static ssize_t occ_show_extended(struct device *dev, + * are dynamically allocated, we cannot use the existing kernel macros which + * stringify the name argument. + */ ++__printf(7, 8) + static void occ_init_attribute(struct occ_attribute *attr, int mode, + ssize_t (*show)(struct device *dev, struct device_attribute *attr, char *buf), + ssize_t (*store)(struct device *dev, struct device_attribute *attr, +-- +2.51.0 + diff --git a/queue-6.1/loongarch-enable-exception-fixup-for-specific-ade-su.patch b/queue-6.1/loongarch-enable-exception-fixup-for-specific-ade-su.patch new file mode 100644 index 0000000000..d0e697f07f --- /dev/null +++ b/queue-6.1/loongarch-enable-exception-fixup-for-specific-ade-su.patch @@ -0,0 +1,58 @@ +From 4cecac0c65c7c3c86f49d67839d7734dacadf93d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 15:19:20 +0800 +Subject: LoongArch: Enable exception fixup for specific ADE subcode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenghao Duan + +[ Upstream commit 9bdc1ab5e4ce6f066119018d8f69631a46f9c5a0 ] + +This patch allows the LoongArch BPF JIT to handle recoverable memory +access errors generated by BPF_PROBE_MEM* instructions. + +When a BPF program performs memory access operations, the instructions +it executes may trigger ADEM exceptions. The kernel’s built-in BPF +exception table mechanism (EX_TYPE_BPF) will generate corresponding +exception fixup entries in the JIT compilation phase; however, the +architecture-specific trap handling function needs to proactively call +the common fixup routine to achieve exception recovery. + +do_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs, +ensure safe execution. + +Relevant test cases: illegal address access tests in module_attach and +subprogs_extable of selftests/bpf. + +Signed-off-by: Chenghao Duan +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/traps.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/loongarch/kernel/traps.c b/arch/loongarch/kernel/traps.c +index 12c726482d151..cad1e08ca3fbb 100644 +--- a/arch/loongarch/kernel/traps.c ++++ b/arch/loongarch/kernel/traps.c +@@ -361,10 +361,15 @@ asmlinkage void noinstr do_fpe(struct pt_regs *regs, unsigned long fcsr) + asmlinkage void noinstr do_ade(struct pt_regs *regs) + { + irqentry_state_t state = irqentry_enter(regs); ++ unsigned int esubcode = FIELD_GET(CSR_ESTAT_ESUBCODE, regs->csr_estat); ++ ++ if ((esubcode == EXSUBCODE_ADEM) && fixup_exception(regs)) ++ goto out; + + die_if_kernel("Kernel ade access", regs); + force_sig_fault(SIGBUS, BUS_ADRERR, (void __user *)regs->csr_badvaddr); + ++out: + irqentry_exit(regs, state); + } + +-- +2.51.0 + diff --git a/queue-6.1/loongarch-set-correct-protection_map-for-vm_none-vm_.patch b/queue-6.1/loongarch-set-correct-protection_map-for-vm_none-vm_.patch new file mode 100644 index 0000000000..42807ceddd --- /dev/null +++ b/queue-6.1/loongarch-set-correct-protection_map-for-vm_none-vm_.patch @@ -0,0 +1,51 @@ +From 19636be8d345b670e48170ee465c401e0238521e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 15:19:10 +0800 +Subject: LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED + +From: Huacai Chen + +[ Upstream commit d5be446948b379f1d1a8e7bc6656d13f44c5c7b1 ] + +For 32BIT platform _PAGE_PROTNONE is 0, so set a VMA to be VM_NONE or +VM_SHARED will make pages non-present, then cause Oops with kernel page +fault. + +Fix it by set correct protection_map[] for VM_NONE/VM_SHARED, replacing +_PAGE_PROTNONE with _PAGE_PRESENT. + +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/mm/cache.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/loongarch/mm/cache.c b/arch/loongarch/mm/cache.c +index 72685a48eaf08..09a9209f2139c 100644 +--- a/arch/loongarch/mm/cache.c ++++ b/arch/loongarch/mm/cache.c +@@ -161,8 +161,8 @@ void cpu_cache_init(void) + + static const pgprot_t protection_map[16] = { + [VM_NONE] = __pgprot(_CACHE_CC | _PAGE_USER | +- _PAGE_PROTNONE | _PAGE_NO_EXEC | +- _PAGE_NO_READ), ++ _PAGE_NO_EXEC | _PAGE_NO_READ | ++ (_PAGE_PROTNONE ? : _PAGE_PRESENT)), + [VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT | + _PAGE_NO_EXEC), +@@ -181,8 +181,8 @@ static const pgprot_t protection_map[16] = { + [VM_EXEC | VM_WRITE | VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT), + [VM_SHARED] = __pgprot(_CACHE_CC | _PAGE_USER | +- _PAGE_PROTNONE | _PAGE_NO_EXEC | +- _PAGE_NO_READ), ++ _PAGE_NO_EXEC | _PAGE_NO_READ | ++ (_PAGE_PROTNONE ? : _PAGE_PRESENT)), + [VM_SHARED | VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT | + _PAGE_NO_EXEC), +-- +2.51.0 + diff --git a/queue-6.1/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch b/queue-6.1/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch new file mode 100644 index 0000000000..6186586278 --- /dev/null +++ b/queue-6.1/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch @@ -0,0 +1,99 @@ +From 4ed80537b7ac69a3ec3017de10840d6d0e56c934 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:43:59 +0000 +Subject: macvlan: fix error recovery in macvlan_common_newlink() + +From: Eric Dumazet + +[ Upstream commit f8db6475a83649689c087a8f52486fcc53e627e9 ] + +valis provided a nice repro to crash the kernel: + +ip link add p1 type veth peer p2 +ip link set address 00:00:00:00:00:20 dev p1 +ip link set up dev p1 +ip link set up dev p2 + +ip link add mv0 link p2 type macvlan mode source +ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 + +ping -c1 -I p1 1.2.3.4 + +He also gave a very detailed analysis: + + + +The issue is triggered when a new macvlan link is created with +MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or +MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan +port and register_netdevice() called from macvlan_common_newlink() +fails (e.g. because of the invalid link name). + +In this case macvlan_hash_add_source is called from +macvlan_change_sources() / macvlan_common_newlink(): + +This adds a reference to vlan to the port's vlan_source_hash using +macvlan_source_entry. + +vlan is a pointer to the priv data of the link that is being created. + +When register_netdevice() fails, the error is returned from +macvlan_newlink() to rtnl_newlink_create(): + + if (ops->newlink) + err = ops->newlink(dev, ¶ms, extack); + else + err = register_netdevice(dev); + if (err < 0) { + free_netdev(dev); + goto out; + } + +and free_netdev() is called, causing a kvfree() on the struct +net_device that is still referenced in the source entry attached to +the lower device's macvlan port. + +Now all packets sent on the macvlan port with a matching source mac +address will trigger a use-after-free in macvlan_forward_source(). + + + +With all that, my fix is to make sure we call macvlan_flush_sources() +regardless of @create value whenever "goto destroy_macvlan_port;" +path is taken. + +Many thanks to valis for following up on this issue. + +Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.") +Signed-off-by: Eric Dumazet +Reported-by: valis +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Cc: Boudewijn van der Heide +Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 428b139822cf6..5fb956adc4260 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1539,9 +1539,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(lowerdev)) { ++ if (macvlan_port_get_rtnl(lowerdev)) { + macvlan_flush_sources(port, vlan); +- macvlan_port_destroy(port->dev); ++ if (create) ++ macvlan_port_destroy(port->dev); + } + return err; + } +-- +2.51.0 + diff --git a/queue-6.1/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch b/queue-6.1/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch new file mode 100644 index 0000000000..34885591d7 --- /dev/null +++ b/queue-6.1/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch @@ -0,0 +1,69 @@ +From cb4b8b6ebe9a3fb0b51cc8a9835174afabf9b28b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 19:38:27 -0800 +Subject: net: don't touch dev->stats in BPF redirect paths + +From: Jakub Kicinski + +[ Upstream commit fdf3f6800be36377e045e2448087f12132b88d2f ] + +Gal reports that BPF redirect increments dev->stats.tx_errors +on failure. This is not correct, most modern drivers completely +ignore dev->stats so these drops will be invisible to the user. +Core code should use the dedicated core stats which are folded +into device stats in dev_get_stats(). + +Note that we're switching from tx_errors to tx_dropped. +Core only has tx_dropped, hence presumably users already expect +that counter to increment for "stack" Tx issues. + +Reported-by: Gal Pressman +Link: https://lore.kernel.org/c5df3b60-246a-4030-9c9a-0a35cd1ca924@nvidia.com +Fixes: b4ab31414970 ("bpf: Add redirect_neigh helper as redirect drop-in") +Acked-by: Martin KaFai Lau +Acked-by: Daniel Borkmann +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260130033827.698841-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 305c38636b32b..e19bf63ad9a44 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2274,12 +2274,12 @@ static int __bpf_redirect_neigh_v6(struct sk_buff *skb, struct net_device *dev, + + err = bpf_out_neigh_v6(net, skb, dev, nh); + if (unlikely(net_xmit_eval(err))) +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + else + ret = NET_XMIT_SUCCESS; + goto out_xmit; + out_drop: +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + kfree_skb(skb); + out_xmit: + return ret; +@@ -2382,12 +2382,12 @@ static int __bpf_redirect_neigh_v4(struct sk_buff *skb, struct net_device *dev, + + err = bpf_out_neigh_v4(net, skb, dev, nh); + if (unlikely(net_xmit_eval(err))) +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + else + ret = NET_XMIT_SUCCESS; + goto out_xmit; + out_drop: +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + kfree_skb(skb); + out_xmit: + return ret; +-- +2.51.0 + diff --git a/queue-6.1/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch b/queue-6.1/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch new file mode 100644 index 0000000000..4fc952d369 --- /dev/null +++ b/queue-6.1/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch @@ -0,0 +1,61 @@ +From 1ef742e8abc8065571d4d58eebeeb4f600de5987 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:39 +0000 +Subject: net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 8558aef4e8a1a83049ab906d21d391093cfa7e7f ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Also, decrement i in the devlink_alloc failure path to point to the +last successfully allocated index. + +Compile tested only. Issue found using code review. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-3-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index f27393c84ba48..131996fd5406f 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3770,6 +3770,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + if (!devlink) { + device_unlock(&octeon_dev->pci_dev->dev); + dev_err(&octeon_dev->pci_dev->dev, "devlink alloc failed\n"); ++ i--; + goto setup_nic_dev_free; + } + +@@ -3785,11 +3786,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-6.1/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch b/queue-6.1/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch new file mode 100644 index 0000000000..44f9c48250 --- /dev/null +++ b/queue-6.1/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch @@ -0,0 +1,50 @@ +From 910d2fc8c90018b3072586c89a54ef8f21dff953 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:40 +0000 +Subject: net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 6cbba46934aefdfb5d171e0a95aec06c24f7ca30 ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Compile tested only. Issue found using code review. + +Fixes: 846b46873eeb ("liquidio CN23XX: VF offload features") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-4-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +index ac196883f07eb..225ed333f4843 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +@@ -2227,11 +2227,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-6.1/net-liquidio-initialize-netdev-pointer-before-queue-.patch b/queue-6.1/net-liquidio-initialize-netdev-pointer-before-queue-.patch new file mode 100644 index 0000000000..29c3d7a96d --- /dev/null +++ b/queue-6.1/net-liquidio-initialize-netdev-pointer-before-queue-.patch @@ -0,0 +1,98 @@ +From 78c2256f773d928fdcd40665916c842cd46d08c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:38 +0000 +Subject: net: liquidio: Initialize netdev pointer before queue setup + +From: Zilin Guan + +[ Upstream commit 926ede0c85e1e57c97d64d9612455267d597bb2c ] + +In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq(). +However, the pointer to this structure is stored in oct->props[i].netdev +only after the calls to netif_set_real_num_rx_queues() and +netif_set_real_num_tx_queues(). + +If either of these functions fails, setup_nic_devices() returns an error +without freeing the allocated netdev. Since oct->props[i].netdev is still +NULL at this point, the cleanup function liquidio_destroy_nic_device() +will fail to find and free the netdev, resulting in a memory leak. + +Fix this by initializing oct->props[i].netdev before calling the queue +setup functions. This ensures that the netdev is properly accessible for +cleanup in case of errors. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: c33c997346c3 ("liquidio: enhanced ethtool --set-channels feature") +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-2-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/liquidio/lio_main.c | 34 +++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index fd7c80edb6e8a..f27393c84ba48 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3525,6 +3525,23 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + */ + netdev->netdev_ops = &lionetdevops; + ++ lio = GET_LIO(netdev); ++ ++ memset(lio, 0, sizeof(struct lio)); ++ ++ lio->ifidx = ifidx_or_pfnum; ++ ++ props = &octeon_dev->props[i]; ++ props->gmxport = resp->cfg_info.linfo.gmxport; ++ props->netdev = netdev; ++ ++ /* Point to the properties for octeon device to which this ++ * interface belongs. ++ */ ++ lio->oct_dev = octeon_dev; ++ lio->octprops = props; ++ lio->netdev = netdev; ++ + retval = netif_set_real_num_rx_queues(netdev, num_oqueues); + if (retval) { + dev_err(&octeon_dev->pci_dev->dev, +@@ -3541,16 +3558,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + goto setup_nic_dev_free; + } + +- lio = GET_LIO(netdev); +- +- memset(lio, 0, sizeof(struct lio)); +- +- lio->ifidx = ifidx_or_pfnum; +- +- props = &octeon_dev->props[i]; +- props->gmxport = resp->cfg_info.linfo.gmxport; +- props->netdev = netdev; +- + lio->linfo.num_rxpciq = num_oqueues; + lio->linfo.num_txpciq = num_iqueues; + for (j = 0; j < num_oqueues; j++) { +@@ -3616,13 +3623,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + netdev->min_mtu = LIO_MIN_MTU_SIZE; + netdev->max_mtu = LIO_MAX_MTU_SIZE; + +- /* Point to the properties for octeon device to which this +- * interface belongs. +- */ +- lio->oct_dev = octeon_dev; +- lio->octprops = props; +- lio->netdev = netdev; +- + dev_dbg(&octeon_dev->pci_dev->dev, + "if%d gmx: %d hw_addr: 0x%llx\n", i, + lio->linfo.gmxport, CVM_CAST64(lio->linfo.hw_addr)); +-- +2.51.0 + diff --git a/queue-6.1/net-usb-sr9700-support-devices-with-virtual-driver-c.patch b/queue-6.1/net-usb-sr9700-support-devices-with-virtual-driver-c.patch new file mode 100644 index 0000000000..41bfa7e789 --- /dev/null +++ b/queue-6.1/net-usb-sr9700-support-devices-with-virtual-driver-c.patch @@ -0,0 +1,44 @@ +From b8a2aa3d071055dc5010c327a55789250061b168 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 22:24:51 -0800 +Subject: net: usb: sr9700: support devices with virtual driver CD + +From: Ethan Nelson-Moore + +[ Upstream commit bf4172bd870c3a34d3065cbb39192c22cbd7b18d ] + +Some SR9700 devices have an SPI flash chip containing a virtual driver +CD, in which case they appear as a device with two interfaces and +product ID 0x9702. Interface 0 is the driver CD and interface 1 is the +Ethernet device. + +Link: https://github.com/name-kurniawan/usb-lan +Link: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=2185 +Signed-off-by: Ethan Nelson-Moore +Link: https://patch.msgid.link/20251211062451.139036-1-enelsonmoore@gmail.com +[pabeni@redhat.com: fixes link tags] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 9587eb98cdb3b..213b4817cfdf6 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -539,6 +539,11 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x9700), /* SR9700 device */ + .driver_info = (unsigned long)&sr9700_driver_info, + }, ++ { ++ /* SR9700 with virtual driver CD-ROM - interface 0 is the CD-ROM device */ ++ USB_DEVICE_INTERFACE_NUMBER(0x0fe6, 0x9702, 1), ++ .driver_info = (unsigned long)&sr9700_driver_info, ++ }, + {}, /* END */ + }; + +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch b/queue-6.1/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch new file mode 100644 index 0000000000..a2a777fd4d --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch @@ -0,0 +1,72 @@ +From a3b21acf3c42c84b90502086c7c4caab2e3e6421 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 17:46:58 +0100 +Subject: netfilter: nf_tables: fix inverted genmask check in + nft_map_catchall_activate() + +From: Andrew Fasano + +[ Upstream commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 ] + +nft_map_catchall_activate() has an inverted element activity check +compared to its non-catchall counterpart nft_mapelem_activate() and +compared to what is logically required. + +nft_map_catchall_activate() is called from the abort path to re-activate +catchall map elements that were deactivated during a failed transaction. +It should skip elements that are already active (they don't need +re-activation) and process elements that are inactive (they need to be +restored). Instead, the current code does the opposite: it skips inactive +elements and processes active ones. + +Compare the non-catchall activate callback, which is correct: + + nft_mapelem_activate(): + if (nft_set_elem_active(ext, iter->genmask)) + return 0; /* skip active, process inactive */ + +With the buggy catchall version: + + nft_map_catchall_activate(): + if (!nft_set_elem_active(ext, genmask)) + continue; /* skip inactive, process active */ + +The consequence is that when a DELSET operation is aborted, +nft_setelem_data_activate() is never called for the catchall element. +For NFT_GOTO verdict elements, this means nft_data_hold() is never +called to restore the chain->use reference count. Each abort cycle +permanently decrements chain->use. Once chain->use reaches zero, +DELCHAIN succeeds and frees the chain while catchall verdict elements +still reference it, resulting in a use-after-free. + +This is exploitable for local privilege escalation from an unprivileged +user via user namespaces + nftables on distributions that enable +CONFIG_USER_NS and CONFIG_NF_TABLES. + +Fix by removing the negation so the check matches nft_mapelem_activate(): +skip active elements, process inactive ones. + +Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") +Signed-off-by: Andrew Fasano +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index d154e3e0c9803..67729d7c913a4 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5211,7 +5211,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, + + list_for_each_entry(catchall, &set->catchall_list, list) { + ext = nft_set_elem_ext(set, catchall->elem); +- if (!nft_set_elem_active(ext, genmask)) ++ if (nft_set_elem_active(ext, genmask)) + continue; + + elem.priv = catchall->elem; +-- +2.51.0 + diff --git a/queue-6.1/netfilter-replace-eexist-with-ebusy.patch b/queue-6.1/netfilter-replace-eexist-with-ebusy.patch new file mode 100644 index 0000000000..f028bd1f4c --- /dev/null +++ b/queue-6.1/netfilter-replace-eexist-with-ebusy.patch @@ -0,0 +1,84 @@ +From a0856fff05b3f6f8889bea74a41971c5b019e985 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 06:13:20 +0100 +Subject: netfilter: replace -EEXIST with -EBUSY + +From: Daniel Gomez + +[ Upstream commit 2bafeb8d2f380c3a81d98bd7b78b854b564f9cd4 ] + +The -EEXIST error code is reserved by the module loading infrastructure +to indicate that a module is already loaded. When a module's init +function returns -EEXIST, userspace tools like kmod interpret this as +"module already loaded" and treat the operation as successful, returning +0 to the user even though the module initialization actually failed. + +Replace -EEXIST with -EBUSY to ensure correct error reporting in the module +initialization path. + +Affected modules: + * ebtable_broute ebtable_filter ebtable_nat arptable_filter + * ip6table_filter ip6table_mangle ip6table_nat ip6table_raw + * ip6table_security iptable_filter iptable_mangle iptable_nat + * iptable_raw iptable_security + +Signed-off-by: Daniel Gomez +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 2 +- + net/netfilter/nf_log.c | 4 ++-- + net/netfilter/x_tables.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index ed62c1026fe93..f99e348c8f37f 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1299,7 +1299,7 @@ int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct ne + list_for_each_entry(tmpl, &template_tables, list) { + if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) { + mutex_unlock(&ebt_mutex); +- return -EEXIST; ++ return -EBUSY; + } + } + +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index be93a02497d6c..016e31452cbc4 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -89,7 +89,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + if (pf == NFPROTO_UNSPEC) { + for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) { + if (rcu_access_pointer(loggers[i][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + } +@@ -97,7 +97,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + rcu_assign_pointer(loggers[i][logger->type], logger); + } else { + if (rcu_access_pointer(loggers[pf][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + rcu_assign_pointer(loggers[pf][logger->type], logger); +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index e8cc8eef0ab65..c842ec693dad4 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1761,7 +1761,7 @@ EXPORT_SYMBOL_GPL(xt_hook_ops_alloc); + int xt_register_template(const struct xt_table *table, + int (*table_init)(struct net *net)) + { +- int ret = -EEXIST, af = table->af; ++ int ret = -EBUSY, af = table->af; + struct xt_template *t; + + mutex_lock(&xt[af].mutex); +-- +2.51.0 + diff --git a/queue-6.1/nvme-fc-release-admin-tagset-if-init-fails.patch b/queue-6.1/nvme-fc-release-admin-tagset-if-init-fails.patch new file mode 100644 index 0000000000..9091d2f36d --- /dev/null +++ b/queue-6.1/nvme-fc-release-admin-tagset-if-init-fails.patch @@ -0,0 +1,52 @@ +From 6878858747235661d4a7ecda5b6eeb43a870b291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:18:42 -0800 +Subject: nvme-fc: release admin tagset if init fails + +From: Chaitanya Kulkarni + +[ Upstream commit d1877cc7270302081a315a81a0ee8331f19f95c8 ] + +nvme_fabrics creates an NVMe/FC controller in following path: + + nvmf_dev_write() + -> nvmf_create_ctrl() + -> nvme_fc_create_ctrl() + -> nvme_fc_init_ctrl() + +nvme_fc_init_ctrl() allocates the admin blk-mq resources right after +nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing +the controller state, scheduling connect work, etc.), we jump to the +fail_ctrl path, which tears down the controller references but never +frees the admin queue/tag set. The leaked blk-mq allocations match the +kmemleak report seen during blktests nvme/fc. + +Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call +nvme_remove_admin_tag_set() when it is set so that all admin queue +allocations are reclaimed whenever controller setup aborts. + +Reported-by: Yi Zhang +Reviewed-by: Justin Tee +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index dc84cade703db..63bef22095b41 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3563,6 +3563,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + ctrl->ctrl.opts = NULL; + ++ if (ctrl->ctrl.admin_tagset) ++ nvme_remove_admin_tag_set(&ctrl->ctrl); + /* initiate nvme ctrl ref counting teardown */ + nvme_uninit_ctrl(&ctrl->ctrl); + +-- +2.51.0 + diff --git a/queue-6.1/platform-x86-intel_telemetry-fix-pss-event-register-.patch b/queue-6.1/platform-x86-intel_telemetry-fix-pss-event-register-.patch new file mode 100644 index 0000000000..0b13ab4cce --- /dev/null +++ b/queue-6.1/platform-x86-intel_telemetry-fix-pss-event-register-.patch @@ -0,0 +1,48 @@ +From b30927e5edd07964ed7e8c04c6092695b471cd2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 11:41:44 +0530 +Subject: platform/x86: intel_telemetry: Fix PSS event register mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kaushlendra Kumar + +[ Upstream commit 39e9c376ac42705af4ed4ae39eec028e8bced9b4 ] + +The PSS telemetry info parsing incorrectly applies +TELEM_INFO_SRAMEVTS_MASK when extracting event register +count from firmware response. This reads bits 15-8 instead +of the correct bits 7-0, causing misdetection of hardware +capabilities. + +The IOSS path correctly uses TELEM_INFO_NENABLES_MASK for +register count. Apply the same mask to PSS parsing for +consistency. + +Fixes: 9d16b482b059 ("platform:x86: Add Intel telemetry platform driver") +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20251224061144.3925519-1-kaushlendra.kumar@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/telemetry/pltdrv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/telemetry/pltdrv.c b/drivers/platform/x86/intel/telemetry/pltdrv.c +index 405dea87de6bf..dd1ee2730b6a6 100644 +--- a/drivers/platform/x86/intel/telemetry/pltdrv.c ++++ b/drivers/platform/x86/intel/telemetry/pltdrv.c +@@ -610,7 +610,7 @@ static int telemetry_setup(struct platform_device *pdev) + /* Get telemetry Info */ + events = (read_buf & TELEM_INFO_SRAMEVTS_MASK) >> + TELEM_INFO_SRAMEVTS_SHIFT; +- event_regs = read_buf & TELEM_INFO_SRAMEVTS_MASK; ++ event_regs = read_buf & TELEM_INFO_NENABLES_MASK; + if ((events < TELEM_MAX_EVENTS_SRAM) || + (event_regs < TELEM_MAX_EVENTS_SRAM)) { + dev_err(&pdev->dev, "PSS:Insufficient Space for SRAM Trace\n"); +-- +2.51.0 + diff --git a/queue-6.1/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch b/queue-6.1/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch new file mode 100644 index 0000000000..0e391f338d --- /dev/null +++ b/queue-6.1/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch @@ -0,0 +1,42 @@ +From 291a0f91f751089751ac1008df4d9ba7d9f666b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 16:38:45 +0200 +Subject: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines + +From: Rafael J. Wysocki + +[ Upstream commit 128497456756e1b952bd5a912cd073836465109d ] + +toshiba_haps_add() leaks the haps object allocated by it if it returns +an error after allocating that object successfully. + +toshiba_haps_remove() does not free the object pointed to by +toshiba_haps before clearing that pointer, so it becomes unreachable +allocated memory. + +Address these memory leaks by using devm_kzalloc() for allocating +the memory in question. + +Fixes: 23d0ba0c908a ("platform/x86: Toshiba HDD Active Protection Sensor") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/toshiba_haps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/toshiba_haps.c b/drivers/platform/x86/toshiba_haps.c +index 49e84095bb010..8a53f6119fed1 100644 +--- a/drivers/platform/x86/toshiba_haps.c ++++ b/drivers/platform/x86/toshiba_haps.c +@@ -185,7 +185,7 @@ static int toshiba_haps_add(struct acpi_device *acpi_dev) + + pr_info("Toshiba HDD Active Protection Sensor device\n"); + +- haps = kzalloc(sizeof(struct toshiba_haps_dev), GFP_KERNEL); ++ haps = devm_kzalloc(&acpi_dev->dev, sizeof(*haps), GFP_KERNEL); + if (!haps) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.1/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch b/queue-6.1/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch new file mode 100644 index 0000000000..39e6a2031b --- /dev/null +++ b/queue-6.1/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch @@ -0,0 +1,69 @@ +From 24bb572932287366163fc9aa6321086a97ce0e67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 14:50:07 +0800 +Subject: ring-buffer: Avoid softlockup in ring_buffer_resize() during memory + free + +From: Wupeng Ma + +[ Upstream commit 6435ffd6c7fcba330dfa91c58dc30aed2df3d0bf ] + +When user resize all trace ring buffer through file 'buffer_size_kb', +then in ring_buffer_resize(), kernel allocates buffer pages for each +cpu in a loop. + +If the kernel preemption model is PREEMPT_NONE and there are many cpus +and there are many buffer pages to be freed, it may not give up cpu +for a long time and finally cause a softlockup. + +To avoid it, call cond_resched() after each cpu buffer free as Commit +f6bd2c92488c ("ring-buffer: Avoid softlockup in ring_buffer_resize()") +does. + +Detailed call trace as follow: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 24-....: (14837 ticks this GP) idle=521c/1/0x4000000000000000 softirq=230597/230597 fqs=5329 + rcu: (t=15004 jiffies g=26003221 q=211022 ncpus=96) + CPU: 24 UID: 0 PID: 11253 Comm: bash Kdump: loaded Tainted: G EL 6.18.2+ #278 NONE + pc : arch_local_irq_restore+0x8/0x20 + arch_local_irq_restore+0x8/0x20 (P) + free_frozen_page_commit+0x28c/0x3b0 + __free_frozen_pages+0x1c0/0x678 + ___free_pages+0xc0/0xe0 + free_pages+0x3c/0x50 + ring_buffer_resize.part.0+0x6a8/0x880 + ring_buffer_resize+0x3c/0x58 + __tracing_resize_ring_buffer.part.0+0x34/0xd8 + tracing_resize_ring_buffer+0x8c/0xd0 + tracing_entries_write+0x74/0xd8 + vfs_write+0xcc/0x288 + ksys_write+0x74/0x118 + __arm64_sys_write+0x24/0x38 + +Cc: +Link: https://patch.msgid.link/20251228065008.2396573-1-mawupeng1@huawei.com +Signed-off-by: Wupeng Ma +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 21b7d044797e3..b141486801b14 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2356,6 +2356,8 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, + list) { + list_del_init(&bpage->list); + free_buffer_page(bpage); ++ ++ cond_resched(); + } + } + out_err_unlock: +-- +2.51.0 + diff --git a/queue-6.1/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch b/queue-6.1/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch new file mode 100644 index 0000000000..e94ff34bdb --- /dev/null +++ b/queue-6.1/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch @@ -0,0 +1,51 @@ +From d7ab991b65341ed4b86d212191cba6db8b24d61b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:51 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_conn_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 9411a89e9e7135cc459178fa77a3f1d6191ae903 ] + +In iscsit_dec_conn_usage_count(), the function calls complete() while +holding the conn->conn_usage_lock. As soon as complete() is invoked, the +waiter (such as iscsit_close_connection()) may wake up and proceed to free +the iscsit_conn structure. + +If the waiter frees the memory before the current thread reaches +spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function +attempts to release a lock within the already-freed connection structure. + +Fix this by releasing the spinlock before calling complete(). + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 61bcdc33f1230..438f6448cd67a 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -857,8 +857,11 @@ void iscsit_dec_conn_usage_count(struct iscsit_conn *conn) + spin_lock_bh(&conn->conn_usage_lock); + conn->conn_usage_count--; + +- if (!conn->conn_usage_count && conn->conn_waiting_on_uc) ++ if (!conn->conn_usage_count && conn->conn_waiting_on_uc) { ++ spin_unlock_bh(&conn->conn_usage_lock); + complete(&conn->conn_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&conn->conn_usage_lock); + } +-- +2.51.0 + diff --git a/queue-6.1/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch b/queue-6.1/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch new file mode 100644 index 0000000000..aeabcf4dcf --- /dev/null +++ b/queue-6.1/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch @@ -0,0 +1,53 @@ +From 695a75d1419a38ef4dc0673080adbb9dc9800e0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:52 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_session_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 84dc6037390b8607c5551047d3970336cb51ba9a ] + +In iscsit_dec_session_usage_count(), the function calls complete() while +holding the sess->session_usage_lock. Similar to the connection usage count +logic, the waiter signaled by complete() (e.g., in the session release +path) may wake up and free the iscsit_session structure immediately. + +This creates a race condition where the current thread may attempt to +execute spin_unlock_bh() on a session structure that has already been +deallocated, resulting in a KASAN slab-use-after-free. + +To resolve this, release the session_usage_lock before calling complete() +to ensure all dereferences of the sess pointer are finished before the +waiter is allowed to proceed with deallocation. + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 26dc8ed3045b6..61bcdc33f1230 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -785,8 +785,11 @@ void iscsit_dec_session_usage_count(struct iscsit_session *sess) + spin_lock_bh(&sess->session_usage_lock); + sess->session_usage_count--; + +- if (!sess->session_usage_count && sess->session_waiting_on_uc) ++ if (!sess->session_usage_count && sess->session_waiting_on_uc) { ++ spin_unlock_bh(&sess->session_usage_lock); + complete(&sess->session_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&sess->session_usage_lock); + } +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 6ec363f507..10e99a3033 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -15,3 +15,45 @@ gve-fix-stats-report-corruption-on-queue-count-change.patch tracing-fix-ftrace-event-field-alignments.patch gve-correct-ethtool-rx_dropped-calculation.patch kvm-selftests-add-u_fortify_source-to-avoid-some-unpredictable-test-failures.patch +wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch +wifi-wlcore-ensure-skb-headroom-before-skb_push.patch +net-usb-sr9700-support-devices-with-virtual-driver-c.patch +block-bfq-fix-aux-stat-accumulation-destination.patch +smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch +loongarch-set-correct-protection_map-for-vm_none-vm_.patch +loongarch-enable-exception-fixup-for-specific-ade-su.patch +hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch +hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch +btrfs-fix-reservation-leak-in-some-error-paths-when-.patch +hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch +hid-playstation-center-initial-joystick-axes-to-prev.patch +alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch +netfilter-replace-eexist-with-ebusy.patch +hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch +hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch +hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch +ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch +wifi-mac80211-collect-station-statistics-earlier-whe.patch +asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch +nvme-fc-release-admin-tagset-if-init-fails.patch +asoc-tlv320adcx140-propagate-error-codes-during-prob.patch +wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch +alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch +wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch +platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch +platform-x86-intel_telemetry-fix-pss-event-register-.patch +smb-client-fix-memory-leak-in-smb2_open_file.patch +dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch +net-liquidio-initialize-netdev-pointer-before-queue-.patch +net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch +net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch +dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch +macvlan-fix-error-recovery-in-macvlan_common_newlink.patch +net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch +tipc-use-kfree_sensitive-for-session-key-material.patch +drm-mgag200-fix-mgag200_bmc_stop_scanout.patch +hwmon-occ-mark-occ_init_attribute-as-__printf.patch +netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch +asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch diff --git a/queue-6.1/smb-client-fix-memory-leak-in-smb2_open_file.patch b/queue-6.1/smb-client-fix-memory-leak-in-smb2_open_file.patch new file mode 100644 index 0000000000..33bce13850 --- /dev/null +++ b/queue-6.1/smb-client-fix-memory-leak-in-smb2_open_file.patch @@ -0,0 +1,72 @@ +From 265b655a05261070d8db47eabdeb891772cf64a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 08:24:07 +0000 +Subject: smb/client: fix memory leak in smb2_open_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: ChenXiaoSong + +[ Upstream commit e3a43633023e3cacaca60d4b8972d084a2b06236 ] + +Reproducer: + + 1. server: directories are exported read-only + 2. client: mount -t cifs //${server_ip}/export /mnt + 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct + 4. client: umount /mnt + 5. client: sleep 1 + 6. client: modprobe -r cifs + +The error message is as follows: + + ============================================================================= + BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown() + ----------------------------------------------------------------------------- + + Object 0x00000000d47521be @offset=14336 + ... + WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577 + ... + Call Trace: + + kmem_cache_destroy+0x94/0x190 + cifs_destroy_request_bufs+0x3e/0x50 [cifs] + cleanup_module+0x4e/0x540 [cifs] + __se_sys_delete_module+0x278/0x400 + __x64_sys_delete_module+0x5f/0x70 + x64_sys_call+0x2299/0x2ff0 + do_syscall_64+0x89/0x350 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + ... + kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs] + WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577 + +Link: https://lore.kernel.org/linux-cifs/9751f02d-d1df-4265-a7d6-b19761b21834@linux.dev/T/#mf14808c144448b715f711ce5f0477a071f08eaf6 +Fixes: e255612b5ed9 ("cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES") +Reported-by: Paulo Alcantara +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: ChenXiaoSong +Reviewed-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c +index afdc78e92ee9b..7fc7fcabce80c 100644 +--- a/fs/smb/client/smb2file.c ++++ b/fs/smb/client/smb2file.c +@@ -123,6 +123,7 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms, __u32 + rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, + &err_buftype); + if (rc == -EACCES && retry_without_read_attributes) { ++ free_rsp_buf(err_buftype, err_iov.iov_base); + oparms->desired_access &= ~FILE_READ_ATTRIBUTES; + rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, + &err_buftype); +-- +2.51.0 + diff --git a/queue-6.1/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch b/queue-6.1/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch new file mode 100644 index 0000000000..3c20dfa04b --- /dev/null +++ b/queue-6.1/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch @@ -0,0 +1,47 @@ +From 11bfb47450b5bd14175a3dc3747cc0cd8ca34463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 22:51:01 +0800 +Subject: smb/server: call ksmbd_session_rpc_close() on error path in + create_smb2_pipe() + +From: ZhangGuoDong + +[ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ] + +When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). + +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 100016298f87e..14d46c52ee748 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2272,7 +2272,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + { + struct smb2_create_rsp *rsp; + struct smb2_create_req *req; +- int id; ++ int id = -1; + int err; + char *name; + +@@ -2329,6 +2329,9 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + break; + } + ++ if (id >= 0) ++ ksmbd_session_rpc_close(work->sess, id); ++ + if (!IS_ERR(name)) + kfree(name); + +-- +2.51.0 + diff --git a/queue-6.1/tipc-use-kfree_sensitive-for-session-key-material.patch b/queue-6.1/tipc-use-kfree_sensitive-for-session-key-material.patch new file mode 100644 index 0000000000..28fe0a60b2 --- /dev/null +++ b/queue-6.1/tipc-use-kfree_sensitive-for-session-key-material.patch @@ -0,0 +1,51 @@ +From d3d1206fcfcbd91ad8d4e63511122997765e2678 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 10:01:14 -0800 +Subject: tipc: use kfree_sensitive() for session key material + +From: Daniel Hodges + +[ Upstream commit 74d9391e8849e70ded5309222d09b0ed0edbd039 ] + +The rx->skey field contains a struct tipc_aead_key with GCM-AES +encryption keys used for TIPC cluster communication. Using plain +kfree() leaves this sensitive key material in freed memory pages +where it could potentially be recovered. + +Switch to kfree_sensitive() to ensure the key material is zeroed +before the memory is freed. + +Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange") +Signed-off-by: Daniel Hodges +Link: https://patch.msgid.link/20260131180114.2121438-1-hodgesd@meta.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index d52829c6aa472..0e84d86f75fe4 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1219,7 +1219,7 @@ void tipc_crypto_key_flush(struct tipc_crypto *c) + rx = c; + tx = tipc_net(rx->net)->crypto_tx; + if (cancel_delayed_work(&rx->work)) { +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + atomic_xchg(&rx->key_distr, 0); + tipc_node_put(rx->node); +@@ -2394,7 +2394,7 @@ static void tipc_crypto_work_rx(struct work_struct *work) + break; + default: + synchronize_rcu(); +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + break; + } +-- +2.51.0 + diff --git a/queue-6.1/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch b/queue-6.1/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch new file mode 100644 index 0000000000..9cb9bc5988 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch @@ -0,0 +1,59 @@ +From 33ad8539d909c7334cdec633befe7351cc1ebdbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:30:04 +0530 +Subject: wifi: cfg80211: Fix bitrate calculation overflow for HE rates + +From: Veerendranath Jakkam + +[ Upstream commit a3034bf0746d88a00cceda9541534a5721445a24 ] + +An integer overflow occurs in cfg80211_calculate_bitrate_he() when +calculating bitrates for high throughput HE configurations. +For example, with 160 MHz bandwidth, HE-MCS 13, HE-NSS 4, and HE-GI 0, +the multiplication (result * rate->nss) overflows the 32-bit 'result' +variable before division by 8, leading to significantly underestimated +bitrate values. + +The overflow occurs because the NSS multiplication operates on a 32-bit +integer that cannot accommodate intermediate values exceeding +4,294,967,295. When overflow happens, the value wraps around, producing +incorrect bitrates for high MCS and NSS combinations. + +Fix this by utilizing the 64-bit 'tmp' variable for the NSS +multiplication and subsequent divisions via do_div(). This approach +preserves full precision throughout the entire calculation, with the +final value assigned to 'result' only after completing all operations. + +Signed-off-by: Veerendranath Jakkam +Link: https://patch.msgid.link/20260109-he_bitrate_overflow-v1-1-95575e466b6e@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index b513e24572a3f..f59985e80e20d 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1553,12 +1553,14 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate) + tmp = result; + tmp *= SCALE; + do_div(tmp, mcs_divisors[rate->mcs]); +- result = tmp; + + /* and take NSS, DCM into account */ +- result = (result * rate->nss) / 8; ++ tmp *= rate->nss; ++ do_div(tmp, 8); + if (rate->he_dcm) +- result /= 2; ++ do_div(tmp, 2); ++ ++ result = tmp; + + return result / 10000; + } +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-collect-station-statistics-earlier-whe.patch b/queue-6.1/wifi-mac80211-collect-station-statistics-earlier-whe.patch new file mode 100644 index 0000000000..abdf4343a1 --- /dev/null +++ b/queue-6.1/wifi-mac80211-collect-station-statistics-earlier-whe.patch @@ -0,0 +1,54 @@ +From 81847114f5b2f4d1f40c18ad045ed368f6db0774 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 10:29:07 +0800 +Subject: wifi: mac80211: collect station statistics earlier when disconnect + +From: Baochen Qiang + +[ Upstream commit a203dbeeca15a9b924f0d51f510921f4bae96801 ] + +In __sta_info_destroy_part2(), station statistics are requested after the +IEEE80211_STA_NONE -> IEEE80211_STA_NOTEXIST transition. This is +problematic because the driver may be unable to handle the request due to +the STA being in the NOTEXIST state (i.e. if the driver destroys the +underlying data when transitioning to NOTEXIST). + +Move the statistics collection to before the state transition to avoid +this issue. + +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20251222-mac80211-move-station-stats-collection-earlier-v1-1-12cd4e42c633@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index e9ae920947944..8a92077da1536 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1314,6 +1314,10 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + } + } + ++ sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); ++ if (sinfo) ++ sta_set_sinfo(sta, sinfo, true); ++ + if (sta->uploaded) { + ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE, + IEEE80211_STA_NOTEXIST); +@@ -1322,9 +1326,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta) + + sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr); + +- sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); +- if (sinfo) +- sta_set_sinfo(sta, sinfo, true); + cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL); + kfree(sinfo); + +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch b/queue-6.1/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch new file mode 100644 index 0000000000..dd97514945 --- /dev/null +++ b/queue-6.1/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch @@ -0,0 +1,49 @@ +From 98d6a1a1f7d3397c116a6396ad6fceb7b33140bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 09:28:29 +0200 +Subject: wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice + +From: Miri Korenblit + +[ Upstream commit 3f3d8ff31496874a69b131866f62474eb24ed20a ] + +In reconfig, in case the driver asks to disconnect during the reconfig, +all the keys of the interface are marked as tainted. +Then ieee80211_reenable_keys will loop over all the interface keys, and +for each one it will +a) increment crypto_tx_tailroom_needed_cnt +b) call ieee80211_key_enable_hw_accel, which in turn will detect that +this key is tainted, so it will mark it as "not in hardware", which is +paired with crypto_tx_tailroom_needed_cnt incrementation, so we get two +incrementations for each tainted key. +Then we get a warning in ieee80211_free_keys. + +To fix it, don't increment the count in ieee80211_reenable_keys for +tainted keys + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260118092821.4ca111fddcda.Id6e554f4b1c83760aa02d5a9e4e3080edb197aa2@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index 585de86fce840..eb1512f1b0071 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -968,7 +968,8 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata) + + if (ieee80211_sdata_running(sdata)) { + list_for_each_entry(key, &sdata->key_list, list) { +- increment_tailroom_need_count(sdata); ++ if (!(key->flags & KEY_FLAG_TAINTED)) ++ increment_tailroom_need_count(sdata); + ieee80211_key_enable_hw_accel(key); + } + } +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch b/queue-6.1/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch new file mode 100644 index 0000000000..03d45307de --- /dev/null +++ b/queue-6.1/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch @@ -0,0 +1,44 @@ +From e11a9da7bfc5d054dc550dc61fd18c5da8aa3609 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 19:59:32 -0800 +Subject: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined + +From: Moon Hee Lee + +[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ] + +ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only +present after JOIN_OCB. + +RX may run before JOIN_OCB is executed, in which case the OCB interface +is not operational. Skip RX peer handling when the interface is not +joined to avoid warnings in the RX path. + +Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054 +Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Signed-off-by: Moon Hee Lee +Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ocb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c +index fcc326913391d..1e1bfaf12b1aa 100644 +--- a/net/mac80211/ocb.c ++++ b/net/mac80211/ocb.c +@@ -48,6 +48,9 @@ void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata, + struct sta_info *sta; + int band; + ++ if (!ifocb->joined) ++ return; ++ + /* XXX: Consider removing the least recently used entry and + * allow new one to be added. + */ +-- +2.51.0 + diff --git a/queue-6.1/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch b/queue-6.1/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch new file mode 100644 index 0000000000..3ff613b614 --- /dev/null +++ b/queue-6.1/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch @@ -0,0 +1,42 @@ +From 379ab25785f8db2a0ab2c7fdd836a8b9998c4de9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 08:57:08 +0100 +Subject: wifi: wlcore: ensure skb headroom before skb_push +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Åstrand + +[ Upstream commit e75665dd096819b1184087ba5718bd93beafff51 ] + +This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is +less than needed (typically 110 - 94 = 16 bytes). + +Signed-off-by: Peter Astrand +Link: https://patch.msgid.link/097bd417-e1d7-acd4-be05-47b199075013@lysator.liu.se +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index 7bd3ce2f08044..75ad096676561 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -210,6 +210,11 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + total_blocks = wlcore_hw_calc_tx_blocks(wl, total_len, spare_blocks); + + if (total_blocks <= wl->tx_blocks_available) { ++ if (skb_headroom(skb) < (total_len - skb->len) && ++ pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { ++ wl1271_free_tx_id(wl, id); ++ return -EAGAIN; ++ } + desc = skb_push(skb, total_len - skb->len); + + wlcore_hw_set_tx_desc_blocks(wl, desc, total_blocks, +-- +2.51.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch b/queue-6.12/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch new file mode 100644 index 0000000000..841b36708c --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch @@ -0,0 +1,37 @@ +From 1fcb83f74b9ec2f75d125227cf67fece16a13af8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 02:53:36 +0300 +Subject: ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk + +From: Ruslan Krupitsa + +[ Upstream commit 9ed7a28225af02b74f61e7880d460db49db83758 ] + +HP Laptop 15s-eq1xxx with ALC236 codec does not enable the +mute LED automatically. This patch adds a quirk entry for +subsystem ID 0x8706 using the ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 +fixup, enabling correct mute LED behavior. + +Signed-off-by: Ruslan Krupitsa +Link: https://patch.msgid.link/AS8P194MB112895B8EC2D87D53A876085BBBAA@AS8P194MB1128.EURP194.PROD.OUTLOOK.COM +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index dab42dee93018..b99be4602ee7b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10601,6 +10601,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x863e, "HP Spectre x360 15-df1xxx", ALC285_FIXUP_HP_SPECTRE_X360_DF1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), ++ SND_PCI_QUIRK(0x103c, 0x8706, "HP Laptop 15s-eq1xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), +-- +2.51.0 + diff --git a/queue-6.12/alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch b/queue-6.12/alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch new file mode 100644 index 0000000000..228f702249 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch @@ -0,0 +1,38 @@ +From f42c29447b6ff818a514381482ba45699d1d3295 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 18:12:07 +0100 +Subject: ALSA: hda/realtek: Add quirk for Acer Nitro AN517-55 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: MatouÅ¡ Lánský + +[ Upstream commit 9be25402d8522e16e5ebe84f2b1b6c5de082a388 ] + +Add headset mic quirk for Acer Nitro AN517-55. This laptop uses +the same audio configuration as the AN515-58 model. + +Signed-off-by: MatouÅ¡ Lánský +Link: https://patch.msgid.link/20251231171207.76943-1-matouslansky@post.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 7b3658e01c95e..dab42dee93018 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10418,6 +10418,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1025, 0x1466, "Acer Aspire A515-56", ALC255_FIXUP_ACER_HEADPHONE_AND_MIC), + SND_PCI_QUIRK(0x1025, 0x1534, "Acer Predator PH315-54", ALC255_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x159c, "Acer Nitro 5 AN515-58", ALC2XX_FIXUP_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1025, 0x1597, "Acer Nitro 5 AN517-55", ALC2XX_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x169a, "Acer Swift SFG16", ALC256_FIXUP_ACER_SFG16_MICMUTE_LED), + SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z), + SND_PCI_QUIRK(0x1028, 0x053c, "Dell Latitude E5430", ALC292_FIXUP_DELL_E7X), +-- +2.51.0 + diff --git a/queue-6.12/alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch b/queue-6.12/alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch new file mode 100644 index 0000000000..1e3bf87e12 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch @@ -0,0 +1,101 @@ +From de56aa27f27b196f1b11f99c5cf26e10adbd8bf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 02:51:18 +0000 +Subject: ALSA: hda/realtek: ALC269 fixup for Lenovo Yoga Book 9i 13IRU8 audio + +From: Martin Hamilton + +[ Upstream commit 64e0924ed3b446fdd758dfab582e0e961863a116 ] + +The amp/speakers on the Lenovo Yoga Book 9i 13IRU8 laptop aren't +fully powered up, resulting in horrible tinny sound by default. + +The kernel has an existing quirk for PCI SSID 0x17aa3843 which +matches this machine and several others. The quirk applies the +ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP fixup, however the fixup does not +work on this machine. + +This patch modifies the existing quirk by adding a check for the +subsystem ID 0x17aa3881. If present, ALC287_FIXUP_TAS2781_I2C will +be applied instead of ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP. With this +change the TAS2781 amp is powered up, firmware is downloaded and +recognised by HDA/SOF - i.e. all is good, and we can boogie. + +Code is re-used from alc298_fixup_lenovo_c940_duet7(), which fixes a +similar problem with two other Lenovo laptops. + +Cross checked against ALSA cardinfo database for potential clashes. +Tested against 6.18.5 kernel built with Arch Linux default options. +Tested in HDA mode and SOF mode. + +Note: Possible further work required to address quality of life issues +caused by the firmware's agressive power saving, and to improve ALSA +control mappings. + +Signed-off-by: Martin Hamilton +Link: https://patch.msgid.link/20260122-alc269-yogabook9i-fixup-v1-1-a6883429400f@martinh.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 8077cdb2987ab..0026c19a10251 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7951,6 +7951,7 @@ enum { + ALC287_FIXUP_LEGION_15IMHG05_AUTOMUTE, + ALC287_FIXUP_YOGA7_14ITL_SPEAKERS, + ALC298_FIXUP_LENOVO_C940_DUET7, ++ ALC287_FIXUP_LENOVO_YOGA_BOOK_9I, + ALC287_FIXUP_13S_GEN2_SPEAKERS, + ALC256_FIXUP_SET_COEF_DEFAULTS, + ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE, +@@ -8023,6 +8024,23 @@ static void alc298_fixup_lenovo_c940_duet7(struct hda_codec *codec, + __snd_hda_apply_fixup(codec, id, action, 0); + } + ++/* A special fixup for Lenovo Yoga 9i and Yoga Book 9i 13IRU8 ++ * both have the very same PCI SSID and vendor ID, so we need ++ * to apply different fixups depending on the subsystem ID ++ */ ++static void alc287_fixup_lenovo_yoga_book_9i(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ int id; ++ ++ if (codec->core.subsystem_id == 0x17aa3881) ++ id = ALC287_FIXUP_TAS2781_I2C; /* Yoga Book 9i 13IRU8 */ ++ else ++ id = ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP; /* Yoga 9i */ ++ __snd_hda_apply_fixup(codec, id, action, 0); ++} ++ + static const struct hda_fixup alc269_fixups[] = { + [ALC269_FIXUP_GPIO2] = { + .type = HDA_FIXUP_FUNC, +@@ -10003,6 +10021,10 @@ static const struct hda_fixup alc269_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc298_fixup_lenovo_c940_duet7, + }, ++ [ALC287_FIXUP_LENOVO_YOGA_BOOK_9I] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc287_fixup_lenovo_yoga_book_9i, ++ }, + [ALC287_FIXUP_13S_GEN2_SPEAKERS] = { + .type = HDA_FIXUP_VERBS, + .v.verbs = (const struct hda_verb[]) { +@@ -11227,7 +11249,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3827, "Ideapad S740", ALC285_FIXUP_IDEAPAD_S740_COEF), + SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x383d, "Legion Y9000X 2019", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS), +- SND_PCI_QUIRK(0x17aa, 0x3843, "Yoga 9i", ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP), ++ SND_PCI_QUIRK(0x17aa, 0x3843, "Lenovo Yoga 9i / Yoga Book 9i", ALC287_FIXUP_LENOVO_YOGA_BOOK_9I), + SND_PCI_QUIRK(0x17aa, 0x3847, "Legion 7 16ACHG6", ALC287_FIXUP_LEGION_16ACHG6), + SND_PCI_QUIRK(0x17aa, 0x384a, "Lenovo Yoga 7 15ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3852, "Lenovo Yoga 7 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), +-- +2.51.0 + diff --git a/queue-6.12/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch b/queue-6.12/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch new file mode 100644 index 0000000000..0f2dfdaeba --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch @@ -0,0 +1,39 @@ +From f1879ff6521299114a8ac8256cdf8bae9bc96d2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 16:15:55 +0100 +Subject: ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU + +From: Tim Guttzeit + +[ Upstream commit b48fe9af1e60360baf09ca6b7a3cd6541f16e611 ] + +Add a PCI quirk to enable microphone detection on the headphone jack of +TongFang X6AR55xU devices. + +Signed-off-by: Tim Guttzeit +Signed-off-by: Werner Sembach +Link: https://patch.msgid.link/20260119151626.35481-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index b99be4602ee7b..8077cdb2987ab 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11812,6 +11812,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x12, 0x90a60140}, + {0x19, 0x04a11030}, + {0x21, 0x04211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0274, 0x1d05, "TongFang", ALC274_FIXUP_HP_HEADSET_MIC, ++ {0x17, 0x90170110}, ++ {0x19, 0x03a11030}, ++ {0x21, 0x03211020}), + SND_HDA_PIN_QUIRK(0x10ec0282, 0x1025, "Acer", ALC282_FIXUP_ACER_DISABLE_LINEOUT, + ALC282_STANDARD_PINS, + {0x12, 0x90a609c0}, +-- +2.51.0 + diff --git a/queue-6.12/alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch b/queue-6.12/alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch new file mode 100644 index 0000000000..893993bc1e --- /dev/null +++ b/queue-6.12/alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch @@ -0,0 +1,52 @@ +From fed863886b89b6fb592c59470ad0c4fd2398fbed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 19:15:57 +0300 +Subject: ALSA: usb-audio: fix broken logic in snd_audigy2nx_led_update() + +From: Sergey Shtylyov + +[ Upstream commit 124bdc6eccc8c5cba68fee00e01c084c116c4360 ] + +When the support for the Sound Blaster X-Fi Surround 5.1 Pro was added, +the existing logic for the X-Fi Surround 5.1 in snd_audigy2nx_led_put() +was broken due to missing *else* before the added *if*: snd_usb_ctl_msg() +became incorrectly called twice and an error from first snd_usb_ctl_msg() +call ignored. As the added snd_usb_ctl_msg() call was totally identical +to the existing one for the "plain" X-Fi Surround 5.1, just merge those +two *if* statements while fixing the broken logic... + +Found by Linux Verification Center (linuxtesting.org) with the Svace static +analysis tool. + +Fixes: 7cdd8d73139e ("ALSA: usb-audio - Add support for USB X-Fi S51 Pro") +Signed-off-by: Sergey Shtylyov +Link: https://patch.msgid.link/20260203161558.18680-1-s.shtylyov@auroraos.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_quirks.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index b663764644cd8..6d6308ca4fa82 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -310,13 +310,8 @@ static int snd_audigy2nx_led_update(struct usb_mixer_interface *mixer, + if (err < 0) + return err; + +- if (chip->usb_id == USB_ID(0x041e, 0x3042)) +- err = snd_usb_ctl_msg(chip->dev, +- usb_sndctrlpipe(chip->dev, 0), 0x24, +- USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER, +- !value, 0, NULL, 0); +- /* USB X-Fi S51 Pro */ +- if (chip->usb_id == USB_ID(0x041e, 0x30df)) ++ if (chip->usb_id == USB_ID(0x041e, 0x3042) || /* USB X-Fi S51 */ ++ chip->usb_id == USB_ID(0x041e, 0x30df)) /* USB X-Fi S51 Pro */ + err = snd_usb_ctl_msg(chip->dev, + usb_sndctrlpipe(chip->dev, 0), 0x24, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER, +-- +2.51.0 + diff --git a/queue-6.12/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch b/queue-6.12/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch new file mode 100644 index 0000000000..cf03cf1fd9 --- /dev/null +++ b/queue-6.12/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch @@ -0,0 +1,37 @@ +From 05f6696f90813017804cf74d038fa809d21f98fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 20:50:33 +0000 +Subject: ASoC: amd: fix memory leak in acp3x pdm dma ops + +From: Chris Bainbridge + +[ Upstream commit 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 ] + +Fixes: 4a767b1d039a8 ("ASoC: amd: add acp3x pdm driver dma ops") +Signed-off-by: Chris Bainbridge +Link: https://patch.msgid.link/20260202205034.7697-1-chris.bainbridge@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/renoir/acp3x-pdm-dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/amd/renoir/acp3x-pdm-dma.c b/sound/soc/amd/renoir/acp3x-pdm-dma.c +index 95ac8c6800375..a560d06097d5e 100644 +--- a/sound/soc/amd/renoir/acp3x-pdm-dma.c ++++ b/sound/soc/amd/renoir/acp3x-pdm-dma.c +@@ -301,9 +301,11 @@ static int acp_pdm_dma_close(struct snd_soc_component *component, + struct snd_pcm_substream *substream) + { + struct pdm_dev_data *adata = dev_get_drvdata(component->dev); ++ struct pdm_stream_instance *rtd = substream->runtime->private_data; + + disable_pdm_interrupts(adata->acp_base); + adata->capture_stream = NULL; ++ kfree(rtd); + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.12/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch b/queue-6.12/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch new file mode 100644 index 0000000000..8ba02f2ecd --- /dev/null +++ b/queue-6.12/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch @@ -0,0 +1,41 @@ +From b5d33a764281d3372ac4f6dfa240f7a0bf20a386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 21:38:14 +0100 +Subject: ASoC: amd: yc: Fix microphone on ASUS M6500RE + +From: Radhi Bajahaw + +[ Upstream commit 8e29db1b08808f709231e6fd4c79dcdee5b17a17 ] + +Add DMI match for ASUSTeK COMPUTER INC. M6500RE to enable the +internal microphone. + +Signed-off-by: Radhi Bajahaw +Link: https://patch.msgid.link/20260112203814.155-1-bajahawradhi@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 85b3310fdaaa3..346e200613031 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -409,6 +409,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "M6500RC"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "M6500RE"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.51.0 + diff --git a/queue-6.12/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch b/queue-6.12/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch new file mode 100644 index 0000000000..37ff76a8b0 --- /dev/null +++ b/queue-6.12/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch @@ -0,0 +1,113 @@ +From e0687f8364ea11b0feeb6dc122b004fbfb8ef246 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 23:48:37 +0800 +Subject: ASoC: davinci-evm: Fix reference leak in davinci_evm_probe + +From: Kery Qi + +[ Upstream commit 5b577d214fcc109707bcb77b4ae72a31cfd86798 ] + +The davinci_evm_probe() function calls of_parse_phandle() to acquire +device nodes for "ti,audio-codec" and "ti,mcasp-controller". These +functions return device nodes with incremented reference counts. + +However, in several error paths (e.g., when the second of_parse_phandle(), +snd_soc_of_parse_card_name(), or devm_snd_soc_register_card() fails), +the function returns directly without releasing the acquired nodes, +leading to reference leaks. + +This patch adds an error handling path 'err_put' to properly release +the device nodes using of_node_put() and clean up the pointers when +an error occurs. + +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260107154836.1521-2-qikeyu2017@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/davinci-evm.c | 39 ++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/ti/davinci-evm.c b/sound/soc/ti/davinci-evm.c +index 1bf333d2740d1..5b2b3a072b4a4 100644 +--- a/sound/soc/ti/davinci-evm.c ++++ b/sound/soc/ti/davinci-evm.c +@@ -193,27 +193,32 @@ static int davinci_evm_probe(struct platform_device *pdev) + return -EINVAL; + + dai->cpus->of_node = of_parse_phandle(np, "ti,mcasp-controller", 0); +- if (!dai->cpus->of_node) +- return -EINVAL; ++ if (!dai->cpus->of_node) { ++ ret = -EINVAL; ++ goto err_put; ++ } + + dai->platforms->of_node = dai->cpus->of_node; + + evm_soc_card.dev = &pdev->dev; + ret = snd_soc_of_parse_card_name(&evm_soc_card, "ti,model"); + if (ret) +- return ret; ++ goto err_put; + + mclk = devm_clk_get(&pdev->dev, "mclk"); + if (PTR_ERR(mclk) == -EPROBE_DEFER) { +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto err_put; + } else if (IS_ERR(mclk)) { + dev_dbg(&pdev->dev, "mclk not found.\n"); + mclk = NULL; + } + + drvdata = devm_kzalloc(&pdev->dev, sizeof(*drvdata), GFP_KERNEL); +- if (!drvdata) +- return -ENOMEM; ++ if (!drvdata) { ++ ret = -ENOMEM; ++ goto err_put; ++ } + + drvdata->mclk = mclk; + +@@ -223,7 +228,8 @@ static int davinci_evm_probe(struct platform_device *pdev) + if (!drvdata->mclk) { + dev_err(&pdev->dev, + "No clock or clock rate defined.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put; + } + drvdata->sysclk = clk_get_rate(drvdata->mclk); + } else if (drvdata->mclk) { +@@ -239,8 +245,25 @@ static int davinci_evm_probe(struct platform_device *pdev) + snd_soc_card_set_drvdata(&evm_soc_card, drvdata); + ret = devm_snd_soc_register_card(&pdev->dev, &evm_soc_card); + +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "snd_soc_register_card failed (%d)\n", ret); ++ goto err_put; ++ } ++ ++ return ret; ++ ++err_put: ++ dai->platforms->of_node = NULL; ++ ++ if (dai->cpus->of_node) { ++ of_node_put(dai->cpus->of_node); ++ dai->cpus->of_node = NULL; ++ } ++ ++ if (dai->codecs->of_node) { ++ of_node_put(dai->codecs->of_node); ++ dai->codecs->of_node = NULL; ++ } + + return ret; + } +-- +2.51.0 + diff --git a/queue-6.12/asoc-simple-card-utils-check-device-node-before-over.patch b/queue-6.12/asoc-simple-card-utils-check-device-node-before-over.patch new file mode 100644 index 0000000000..438dad7d07 --- /dev/null +++ b/queue-6.12/asoc-simple-card-utils-check-device-node-before-over.patch @@ -0,0 +1,42 @@ +From 11ae2e93d64acf7841c471b0ce2da164af5fe291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 17:04:32 +0800 +Subject: ASoC: simple-card-utils: Check device node before overwrite direction + +From: Shengjiu Wang + +[ Upstream commit 22a507d7680f2c3499c133f6384349f62f916176 ] + +Even the device node don't exist, the graph_util_parse_link_direction() +will overwrite the playback_only and capture_only to be zero. Which +cause the playback_only and capture_only are not correct, so check device +node exist or not before update the value. + +Signed-off-by: Shengjiu Wang +Acked-by: Kuninori Morimoto +Link: https://patch.msgid.link/20251229090432.3964848-1-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index 809dbb9ded365..47933afdb7261 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -1150,9 +1150,9 @@ void graph_util_parse_link_direction(struct device_node *np, + bool is_playback_only = of_property_read_bool(np, "playback-only"); + bool is_capture_only = of_property_read_bool(np, "capture-only"); + +- if (playback_only) ++ if (np && playback_only) + *playback_only = is_playback_only; +- if (capture_only) ++ if (np && capture_only) + *capture_only = is_capture_only; + } + EXPORT_SYMBOL_GPL(graph_util_parse_link_direction); +-- +2.51.0 + diff --git a/queue-6.12/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch b/queue-6.12/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch new file mode 100644 index 0000000000..8c6d7dbc7c --- /dev/null +++ b/queue-6.12/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch @@ -0,0 +1,43 @@ +From 8af01dbcbbd9903fdd205d4aa900411563546a06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:46 +0100 +Subject: ASoC: tlv320adcx140: Propagate error codes during probe + +From: Dimitrios Katsaros + +[ Upstream commit d89aad92cfd15edbd704746f44c98fe687f9366f ] + +When scanning for the reset pin, we could get an -EPROBE_DEFER. +The driver would assume that no reset pin had been defined, +which would mean that the chip would never be powered. + +Now we both respect any error we get from devm_gpiod_get_optional. +We also now properly report the missing GPIO definition when +'gpio_reset' is NULL. + +Signed-off-by: Dimitrios Katsaros +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-3-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index 62d936c2838c9..1565727ca2f3d 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -1156,6 +1156,9 @@ static int adcx140_i2c_probe(struct i2c_client *i2c) + adcx140->gpio_reset = devm_gpiod_get_optional(adcx140->dev, + "reset", GPIOD_OUT_LOW); + if (IS_ERR(adcx140->gpio_reset)) ++ return dev_err_probe(&i2c->dev, PTR_ERR(adcx140->gpio_reset), ++ "Failed to get Reset GPIO\n"); ++ if (!adcx140->gpio_reset) + dev_info(&i2c->dev, "Reset GPIO not defined\n"); + + adcx140->supply_areg = devm_regulator_get_optional(adcx140->dev, +-- +2.51.0 + diff --git a/queue-6.12/block-bfq-fix-aux-stat-accumulation-destination.patch b/queue-6.12/block-bfq-fix-aux-stat-accumulation-destination.patch new file mode 100644 index 0000000000..746dd0cc05 --- /dev/null +++ b/queue-6.12/block-bfq-fix-aux-stat-accumulation-destination.patch @@ -0,0 +1,36 @@ +From 3e2e9b225f32aecd92ab345c84eece6f43c8352c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 21:04:26 +0800 +Subject: block,bfq: fix aux stat accumulation destination + +From: shechenglong + +[ Upstream commit 04bdb1a04d8a2a89df504c1e34250cd3c6e31a1c ] + +Route bfqg_stats_add_aux() time accumulation into the destination +stats object instead of the source, aligning with other stat fields. + +Reviewed-by: Yu Kuai +Signed-off-by: shechenglong +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index 9fb9f35331502..6a75fe1c7a5c0 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -380,7 +380,7 @@ static void bfqg_stats_add_aux(struct bfqg_stats *to, struct bfqg_stats *from) + blkg_rwstat_add_aux(&to->merged, &from->merged); + blkg_rwstat_add_aux(&to->service_time, &from->service_time); + blkg_rwstat_add_aux(&to->wait_time, &from->wait_time); +- bfq_stat_add_aux(&from->time, &from->time); ++ bfq_stat_add_aux(&to->time, &from->time); + bfq_stat_add_aux(&to->avg_queue_size_sum, &from->avg_queue_size_sum); + bfq_stat_add_aux(&to->avg_queue_size_samples, + &from->avg_queue_size_samples); +-- +2.51.0 + diff --git a/queue-6.12/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch b/queue-6.12/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch new file mode 100644 index 0000000000..f481e3622f --- /dev/null +++ b/queue-6.12/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch @@ -0,0 +1,68 @@ +From 6ae776682b5cfd2317df9668f96c14d5f85e70ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 17:18:25 +0000 +Subject: btrfs: fix reservation leak in some error paths when inserting inline + extent + +From: Filipe Manana + +[ Upstream commit c1c050f92d8f6aac4e17f7f2230160794fceef0c ] + +If we fail to allocate a path or join a transaction, we return from +__cow_file_range_inline() without freeing the reserved qgroup data, +resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data() +in such cases. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index b1d450459f736..b1d9595762ef6 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -658,19 +658,22 @@ static noinline int __cow_file_range_inline(struct btrfs_inode *inode, u64 offse + struct btrfs_drop_extents_args drop_args = { 0 }; + struct btrfs_root *root = inode->root; + struct btrfs_fs_info *fs_info = root->fs_info; +- struct btrfs_trans_handle *trans; ++ struct btrfs_trans_handle *trans = NULL; + u64 data_len = (compressed_size ?: size); + int ret; + struct btrfs_path *path; + + path = btrfs_alloc_path(); +- if (!path) +- return -ENOMEM; ++ if (!path) { ++ ret = -ENOMEM; ++ goto out; ++ } + + trans = btrfs_join_transaction(root); + if (IS_ERR(trans)) { +- btrfs_free_path(path); +- return PTR_ERR(trans); ++ ret = PTR_ERR(trans); ++ trans = NULL; ++ goto out; + } + trans->block_rsv = &inode->block_rsv; + +@@ -717,7 +720,8 @@ static noinline int __cow_file_range_inline(struct btrfs_inode *inode, u64 offse + */ + btrfs_qgroup_free_data(inode, NULL, 0, PAGE_SIZE, NULL); + btrfs_free_path(path); +- btrfs_end_transaction(trans); ++ if (trans) ++ btrfs_end_transaction(trans); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.12/btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch b/queue-6.12/btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch new file mode 100644 index 0000000000..32d12e9786 --- /dev/null +++ b/queue-6.12/btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch @@ -0,0 +1,144 @@ +From 700529e75ae10103661caa7e7c0a6fe6607f5e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 07:28:28 +1030 +Subject: btrfs: reject new transactions if the fs is fully read-only + +From: Qu Wenruo + +[ Upstream commit 1972f44c189c8aacde308fa9284e474c1a5cbd9f ] + +[BUG] +There is a bug report where a heavily fuzzed fs is mounted with all +rescue mount options, which leads to the following warnings during +unmount: + + BTRFS: Transaction aborted (error -22) + Modules linked in: + CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted + 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline] + RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611 + Call Trace: + + btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705 + btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157 + btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517 + btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708 + btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130 + btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499 + btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628 + evict+0x5f4/0xae0 fs/inode.c:837 + __dentry_kill+0x209/0x660 fs/dcache.c:670 + finish_dput+0xc9/0x480 fs/dcache.c:879 + shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661 + generic_shutdown_super+0x67/0x2c0 fs/super.c:621 + kill_anon_super+0x3b/0x70 fs/super.c:1289 + btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127 + deactivate_locked_super+0xbc/0x130 fs/super.c:474 + cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318 + task_work_run+0x1d4/0x260 kernel/task_work.c:233 + exit_task_work include/linux/task_work.h:40 [inline] + do_exit+0x694/0x22f0 kernel/exit.c:971 + do_group_exit+0x21c/0x2d0 kernel/exit.c:1112 + __do_sys_exit_group kernel/exit.c:1123 [inline] + __se_sys_exit_group kernel/exit.c:1121 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121 + x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x44f639 + Code: Unable to access opcode bytes at 0x44f60f. + RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 + RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639 + RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 + RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0 + R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 + + +Since rescue mount options will mark the full fs read-only, there should +be no new transaction triggered. + +But during unmount we will evict all inodes, which can trigger a new +transaction, and triggers warnings on a heavily corrupted fs. + +[CAUSE] +Btrfs allows new transaction even on a read-only fs, this is to allow +log replay happen even on read-only mounts, just like what ext4/xfs do. + +However with rescue mount options, the fs is fully read-only and cannot +be remounted read-write, thus in that case we should also reject any new +transactions. + +[FIX] +If we find the fs has rescue mount options, we should treat the fs as +error, so that no new transaction can be started. + +Reported-by: Jiaming Zhang +Link: https://lore.kernel.org/linux-btrfs/CANypQFYw8Nt8stgbhoycFojOoUmt+BoZ-z8WJOZVxcogDdwm=Q@mail.gmail.com/ +Reviewed-by: Boris Burkov +Reviewed-by: Johannes Thumshirn +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 13 +++++++++++++ + fs/btrfs/fs.h | 8 ++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 93300c3fe0cab..034cd7b1d0f5f 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3202,6 +3202,15 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount) + return 0; + } + ++static bool fs_is_full_ro(const struct btrfs_fs_info *fs_info) ++{ ++ if (!sb_rdonly(fs_info->sb)) ++ return false; ++ if (unlikely(fs_info->mount_opt & BTRFS_MOUNT_FULL_RO_MASK)) ++ return true; ++ return false; ++} ++ + int __cold open_ctree(struct super_block *sb, struct btrfs_fs_devices *fs_devices) + { + u32 sectorsize; +@@ -3310,6 +3319,10 @@ int __cold open_ctree(struct super_block *sb, struct btrfs_fs_devices *fs_device + if (btrfs_super_flags(disk_super) & BTRFS_SUPER_FLAG_ERROR) + WRITE_ONCE(fs_info->fs_error, -EUCLEAN); + ++ /* If the fs has any rescue options, no transaction is allowed. */ ++ if (fs_is_full_ro(fs_info)) ++ WRITE_ONCE(fs_info->fs_error, -EROFS); ++ + /* Set up fs_info before parsing mount options */ + nodesize = btrfs_super_nodesize(disk_super); + sectorsize = btrfs_super_sectorsize(disk_super); +diff --git a/fs/btrfs/fs.h b/fs/btrfs/fs.h +index 5c8d6149e1421..93ff1db75af48 100644 +--- a/fs/btrfs/fs.h ++++ b/fs/btrfs/fs.h +@@ -230,6 +230,14 @@ enum { + BTRFS_MOUNT_IGNORESUPERFLAGS = (1ULL << 32), + }; + ++/* These mount options require a full read-only fs, no new transaction is allowed. */ ++#define BTRFS_MOUNT_FULL_RO_MASK \ ++ (BTRFS_MOUNT_NOLOGREPLAY | \ ++ BTRFS_MOUNT_IGNOREBADROOTS | \ ++ BTRFS_MOUNT_IGNOREDATACSUMS | \ ++ BTRFS_MOUNT_IGNOREMETACSUMS | \ ++ BTRFS_MOUNT_IGNORESUPERFLAGS) ++ + /* + * Compat flags that we support. If any incompat flags are set other than the + * ones specified below then we will fail to mount +-- +2.51.0 + diff --git a/queue-6.12/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch b/queue-6.12/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch new file mode 100644 index 0000000000..0892273bfb --- /dev/null +++ b/queue-6.12/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch @@ -0,0 +1,47 @@ +From 16418d0c00bb116d93961fc1e8587a111be31494 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 00:55:13 +0800 +Subject: dpaa2-switch: add bounds check for if_id in IRQ handler + +From: Junrui Luo + +[ Upstream commit 31a7a0bbeb006bac2d9c81a2874825025214b6d8 ] + +The IRQ handler extracts if_id from the upper 16 bits of the hardware +status register and uses it to index into ethsw->ports[] without +validation. Since if_id can be any 16-bit value (0-65535) but the ports +array is only allocated with sw_attr.num_ifs elements, this can lead to +an out-of-bounds read potentially. + +Add a bounds check before accessing the array, consistent with the +existing validation in dpaa2_switch_rx(). + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 24ab724f8a46 ("dpaa2-switch: use the port index in the IRQ handler") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881D420AB43FF1A227B84AFAF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 84c7079d8672d..6ea58fc22783f 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -1530,6 +1530,10 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg) + } + + if_id = (status & 0xFFFF0000) >> 16; ++ if (if_id >= ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id); ++ goto out; ++ } + port_priv = ethsw->ports[if_id]; + + if (status & DPSW_IRQ_EVENT_LINK_CHANGED) +-- +2.51.0 + diff --git a/queue-6.12/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch b/queue-6.12/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch new file mode 100644 index 0000000000..3de1e7ee39 --- /dev/null +++ b/queue-6.12/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch @@ -0,0 +1,55 @@ +From f744eac0c7b1e1e59f7bd4359f17a784b963f3e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 16:07:34 +0800 +Subject: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero + +From: Junrui Luo + +[ Upstream commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66 ] + +The driver allocates arrays for ports, FDBs, and filter blocks using +kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the +device reports zero interfaces (either due to hardware configuration +or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) +instead of NULL. + +Later in dpaa2_switch_probe(), the NAPI initialization unconditionally +accesses ethsw->ports[0]->netdev, which attempts to dereference +ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. + +Add a check to ensure num_ifs is greater than zero after retrieving +device attributes. This prevents the zero-sized allocations and +subsequent invalid pointer dereference. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface") +Signed-off-by: Junrui Luo +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/SYBPR01MB7881BEABA8DA896947962470AF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 980daecab8ea3..84c7079d8672d 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -3023,6 +3023,12 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev) + goto err_close; + } + ++ if (!ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "DPSW device has no interfaces\n"); ++ err = -ENODEV; ++ goto err_close; ++ } ++ + err = dpsw_get_api_version(ethsw->mc_io, 0, + ðsw->major, + ðsw->minor); +-- +2.51.0 + diff --git a/queue-6.12/drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch b/queue-6.12/drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch new file mode 100644 index 0000000000..a6cc5e5bc0 --- /dev/null +++ b/queue-6.12/drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch @@ -0,0 +1,62 @@ +From 2462c56a2c5a11264feabda48e57f3e6c51dc912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 12:20:29 -0300 +Subject: drm/amd/display: fix wrong color value mapping on MCM shaper LUT + +From: Melissa Wen + +[ Upstream commit 8f959d37c1f2efec6dac55915ee82302e98101fb ] + +Some shimmer/colorful points appears when using the steamOS color +pipeline for HDR on gaming with DCN32. These points look like black +values being wrongly mapped to red/blue/green values. It was caused +because the number of hw points in regular LUTs and in a shaper LUT was +treated as the same. + +DCN3+ regular LUTs have 257 bases and implicit deltas (i.e. HW +calculates them), but shaper LUT is a special case: it has 256 bases and +256 deltas, as in DCN1-2 regular LUTs, and outputs 14-bit values. + +Fix that by setting by decreasing in 1 the number of HW points computed +in the LUT segmentation so that shaper LUT (i.e. fixpoint == true) keeps +the same DCN10 CM logic and regular LUTs go with `hw_points + 1`. + +CC: Krunoslav Kovac +Fixes: 4d5fd3d08ea9 ("drm/amd/display: PQ tail accuracy") +Signed-off-by: Melissa Wen +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit 5006505b19a2119e71c008044d59f6d753c858b9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +index f31f0e3abfc0f..f299d9455f510 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +@@ -168,6 +168,11 @@ bool cm3_helper_translate_curve_to_hw_format( + hw_points += (1 << seg_distr[k]); + } + ++ // DCN3+ have 257 pts in lieu of no separate slope registers ++ // Prior HW had 256 base+slope pairs ++ // Shaper LUT (i.e. fixpoint == true) is still 256 bases and 256 deltas ++ hw_points = fixpoint ? (hw_points - 1) : hw_points; ++ + j = 0; + for (k = 0; k < (region_end - region_start); k++) { + increment = NUMBER_SW_SEGMENTS / (1 << seg_distr[k]); +@@ -228,8 +233,6 @@ bool cm3_helper_translate_curve_to_hw_format( + corner_points[1].green.slope = dc_fixpt_zero; + corner_points[1].blue.slope = dc_fixpt_zero; + +- // DCN3+ have 257 pts in lieu of no separate slope registers +- // Prior HW had 256 base+slope pairs + lut_params->hw_points_num = hw_points + 1; + + k = 0; +-- +2.51.0 + diff --git a/queue-6.12/drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch b/queue-6.12/drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch new file mode 100644 index 0000000000..efc998bc18 --- /dev/null +++ b/queue-6.12/drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch @@ -0,0 +1,92 @@ +From aaeb3434ba66576c5b4d781ce5982d6032ed0aa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 16:43:49 +0800 +Subject: drm/amd/pm: Disable MMIO access during SMU Mode 1 reset + +From: Perry Yuan + +[ Upstream commit 0de604d0357d0d22cbf03af1077d174b641707b6 ] + +During Mode 1 reset, the ASIC undergoes a reset cycle and becomes +temporarily inaccessible via PCIe. Any attempt to access MMIO registers +during this window (e.g., from interrupt handlers or other driver threads) +can result in uncompleted PCIe transactions, leading to NMI panics or +system hangs. + +To prevent this, set the `no_hw_access` flag to true immediately after +triggering the reset. This signals other driver components to skip +register accesses while the device is offline. + +A memory barrier `smp_mb()` is added to ensure the flag update is +globally visible to all cores before the driver enters the sleep/wait +state. + +Signed-off-by: Perry Yuan +Reviewed-by: Yifan Zhang +Signed-off-by: Alex Deucher +(cherry picked from commit 7edb503fe4b6d67f47d8bb0dfafb8e699bb0f8a4) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +++ + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 7 ++++++- + drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 9 +++++++-- + 3 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index fb5d2de035df0..1cf90557b310b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -5325,6 +5325,9 @@ int amdgpu_device_mode1_reset(struct amdgpu_device *adev) + if (ret) + goto mode1_reset_failed; + ++ /* enable mmio access after mode 1 reset completed */ ++ adev->no_hw_access = false; ++ + amdgpu_device_load_pci_state(adev->pdev); + ret = amdgpu_psp_wait_for_bootloader(adev); + if (ret) +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +index 5a0a10144a73f..d83f04b282534 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +@@ -2853,8 +2853,13 @@ static int smu_v13_0_0_mode1_reset(struct smu_context *smu) + break; + } + +- if (!ret) ++ if (!ret) { ++ /* disable mmio access while doing mode 1 reset*/ ++ smu->adev->no_hw_access = true; ++ /* ensure no_hw_access is globally visible before any MMIO */ ++ smp_mb(); + msleep(SMU13_MODE1_RESET_WAIT_TIME_IN_MS); ++ } + + return ret; + } +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +index f34cef26b382c..3bab8269a46aa 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +@@ -2129,10 +2129,15 @@ static int smu_v14_0_2_mode1_reset(struct smu_context *smu) + + ret = smu_cmn_send_debug_smc_msg(smu, DEBUGSMC_MSG_Mode1Reset); + if (!ret) { +- if (amdgpu_emu_mode == 1) ++ if (amdgpu_emu_mode == 1) { + msleep(50000); +- else ++ } else { ++ /* disable mmio access while doing mode 1 reset*/ ++ smu->adev->no_hw_access = true; ++ /* ensure no_hw_access is globally visible before any MMIO */ ++ smp_mb(); + msleep(1000); ++ } + } + + return ret; +-- +2.51.0 + diff --git a/queue-6.12/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch b/queue-6.12/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch new file mode 100644 index 0000000000..e9d55358f1 --- /dev/null +++ b/queue-6.12/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch @@ -0,0 +1,216 @@ +From 99a2956e2aeada9c1cc9c10c72dae84e28e6fbe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 16:16:39 -0800 +Subject: drm/mgag200: fix mgag200_bmc_stop_scanout() + +From: Jacob Keller + +[ Upstream commit 0e0c8f4d16de92520623aa1ea485cadbf64e6929 ] + +The mgag200_bmc_stop_scanout() function is called by the .atomic_disable() +handler for the MGA G200 VGA BMC encoder. This function performs a few +register writes to inform the BMC of an upcoming mode change, and then +polls to wait until the BMC actually stops. + +The polling is implemented using a busy loop with udelay() and an iteration +timeout of 300, resulting in the function blocking for 300 milliseconds. + +The function gets called ultimately by the output_poll_execute work thread +for the DRM output change polling thread of the mgag200 driver: + +kworker/0:0-mm_ 3528 [000] 4555.315364: + ffffffffaa0e25b3 delay_halt.part.0+0x33 + ffffffffc03f6188 mgag200_bmc_stop_scanout+0x178 + ffffffffc087ae7a disable_outputs+0x12a + ffffffffc087c12a drm_atomic_helper_commit_tail+0x1a + ffffffffc03fa7b6 mgag200_mode_config_helper_atomic_commit_tail+0x26 + ffffffffc087c9c1 commit_tail+0x91 + ffffffffc087d51b drm_atomic_helper_commit+0x11b + ffffffffc0509694 drm_atomic_commit+0xa4 + ffffffffc05105e8 drm_client_modeset_commit_atomic+0x1e8 + ffffffffc0510ce6 drm_client_modeset_commit_locked+0x56 + ffffffffc0510e24 drm_client_modeset_commit+0x24 + ffffffffc088a743 __drm_fb_helper_restore_fbdev_mode_unlocked+0x93 + ffffffffc088a683 drm_fb_helper_hotplug_event+0xe3 + ffffffffc050f8aa drm_client_dev_hotplug+0x9a + ffffffffc088555a output_poll_execute+0x29a + ffffffffa9b35924 process_one_work+0x194 + ffffffffa9b364ee worker_thread+0x2fe + ffffffffa9b3ecad kthread+0xdd + ffffffffa9a08549 ret_from_fork+0x29 + +On a server running ptp4l with the mgag200 driver loaded, we found that +ptp4l would sometimes get blocked from execution because of this busy +waiting loop. + +Every so often, approximately once every 20 minutes -- though with large +variance -- the output_poll_execute() thread would detect some sort of +change that required performing a hotplug event which results in attempting +to stop the BMC scanout, resulting in a 300msec delay on one CPU. + +On this system, ptp4l was pinned to a single CPU. When the +output_poll_execute() thread ran on that CPU, it blocked ptp4l from +executing for its 300 millisecond duration. + +This resulted in PTP service disruptions such as failure to send a SYNC +message on time, failure to handle ANNOUNCE messages on time, and clock +check warnings from the application. All of this despite the application +being configured with FIFO_RT and a higher priority than the background +workqueue tasks. (However, note that the kernel did not use +CONFIG_PREEMPT...) + +It is unclear if the event is due to a faulty VGA connection, another bug, +or actual events causing a change in the connection. At least on the system +under test it is not a one-time event and consistently causes disruption to +the time sensitive applications. + +The function has some helpful comments explaining what steps it is +attempting to take. In particular, step 3a and 3b are explained as such: + + 3a - The third step is to verify if there is an active scan. We are + waiting on a 0 on remhsyncsts (. + + 3b - This step occurs only if the remove is actually scanning. We are + waiting for the end of the frame which is a 1 on remvsyncsts + (). + +The actual steps 3a and 3b are implemented as while loops with a +non-sleeping udelay(). The first step iterates while the tmp value at +position 0 is *not* set. That is, it keeps iterating as long as the bit is +zero. If the bit is already 0 (because there is no active scan), it will +iterate the entire 300 attempts which wastes 300 milliseconds in total. +This is opposite of what the description claims. + +The step 3b logic only executes if we do not iterate over the entire 300 +attempts in the first loop. If it does trigger, it is trying to check and +wait for a 1 on the remvsyncsts. However, again the condition is actually +inverted and it will loop as long as the bit is 1, stopping once it hits +zero (rather than the explained attempt to wait until we see a 1). + +Worse, both loops are implemented using non-sleeping waits which spin +instead of allowing the scheduler to run other processes. If the kernel is +not configured to allow arbitrary preemption, it will waste valuable CPU +time doing nothing. + +There does not appear to be any documentation for the BMC register +interface, beyond what is in the comments here. It seems more probable that +the comment here is correct and the implementation accidentally got +inverted from the intended logic. + +Reading through other DRM driver implementations, it does not appear that +the .atomic_enable or .atomic_disable handlers need to delay instead of +sleep. For example, the ast_astdp_encoder_helper_atomic_disable() function +calls ast_dp_set_phy_sleep() which uses msleep(). The "atomic" in the name +is referring to the atomic modesetting support, which is the support to +enable atomic configuration from userspace, and not to the "atomic context" +of the kernel. There is no reason to use udelay() here if a sleep would be +sufficient. + +Replace the while loops with a read_poll_timeout() based implementation +that will sleep between iterations, and which stops polling once the +condition is met (instead of looping as long as the condition is met). This +aligns with the commented behavior and avoids blocking on the CPU while +doing nothing. + +Note the RREG_DAC is implemented using a statement expression to allow +working properly with the read_poll_timeout family of functions. The other +RREG_ macros ought to be cleaned up to have better semantics, and +several places in the mgag200 driver could make use of RREG_DAC or similar +RREG_* macros should likely be cleaned up for better semantics as well, but +that task has been left as a future cleanup for a non-bugfix. + +Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)") +Suggested-by: Thomas Zimmermann +Signed-off-by: Jacob Keller +Reviewed-by: Thomas Zimmermann +Reviewed-by: Jocelyn Falempe +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20260202-jk-mgag200-fix-bad-udelay-v2-1-ce1e9665987d@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mgag200/mgag200_bmc.c | 31 +++++++++++---------------- + drivers/gpu/drm/mgag200/mgag200_drv.h | 6 ++++++ + 2 files changed, 18 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/mgag200/mgag200_bmc.c b/drivers/gpu/drm/mgag200/mgag200_bmc.c +index a689c71ff1653..bbdeb791c5b38 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_bmc.c ++++ b/drivers/gpu/drm/mgag200/mgag200_bmc.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0-only + + #include ++#include + + #include + #include +@@ -12,7 +13,7 @@ + void mgag200_bmc_stop_scanout(struct mga_device *mdev) + { + u8 tmp; +- int iter_max; ++ int ret; + + /* + * 1 - The first step is to inform the BMC of an upcoming mode +@@ -42,30 +43,22 @@ void mgag200_bmc_stop_scanout(struct mga_device *mdev) + + /* + * 3a- The third step is to verify if there is an active scan. +- * We are waiting for a 0 on remhsyncsts ). ++ * We are waiting for a 0 on remhsyncsts (). + */ +- iter_max = 300; +- while (!(tmp & 0x1) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } ++ ret = read_poll_timeout(RREG_DAC, tmp, !(tmp & 0x1), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); ++ if (ret == -ETIMEDOUT) ++ return; + + /* +- * 3b- This step occurs only if the remove is actually ++ * 3b- This step occurs only if the remote BMC is actually + * scanning. We are waiting for the end of the frame which is + * a 1 on remvsyncsts (XSPAREREG<1>) + */ +- if (iter_max) { +- iter_max = 300; +- while ((tmp & 0x2) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } +- } ++ (void)read_poll_timeout(RREG_DAC, tmp, (tmp & 0x2), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); + } + + void mgag200_bmc_start_scanout(struct mga_device *mdev) +diff --git a/drivers/gpu/drm/mgag200/mgag200_drv.h b/drivers/gpu/drm/mgag200/mgag200_drv.h +index 988967eafbf24..c670073481428 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_drv.h ++++ b/drivers/gpu/drm/mgag200/mgag200_drv.h +@@ -112,6 +112,12 @@ + #define DAC_INDEX 0x3c00 + #define DAC_DATA 0x3c0a + ++#define RREG_DAC(reg) \ ++ ({ \ ++ WREG8(DAC_INDEX, reg); \ ++ RREG8(DAC_DATA); \ ++ }) \ ++ + #define WREG_DAC(reg, v) \ + do { \ + WREG8(DAC_INDEX, reg); \ +-- +2.51.0 + diff --git a/queue-6.12/drm-xe-pm-also-avoid-missing-outer-rpm-warning-on-sy.patch b/queue-6.12/drm-xe-pm-also-avoid-missing-outer-rpm-warning-on-sy.patch new file mode 100644 index 0000000000..b13503f2df --- /dev/null +++ b/queue-6.12/drm-xe-pm-also-avoid-missing-outer-rpm-warning-on-sy.patch @@ -0,0 +1,59 @@ +From 39fd06b4de7545aa381ff5cb2b93077640f28f6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 18:05:47 -0500 +Subject: drm/xe/pm: Also avoid missing outer rpm warning on system suspend + +From: Rodrigo Vivi + +[ Upstream commit f2eedadf19979109415928f5ea9ba9a73262aa8f ] + +Fix the false-positive "Missing outer runtime PM protection" warning +triggered by +release_async_domains() -> intel_runtime_pm_get_noresume() -> +xe_pm_runtime_get_noresume() +during system suspend. + +xe_pm_runtime_get_noresume() is supposed to warn if the device is not in +the runtime resumed state, using xe_pm_runtime_get_if_in_use() for this. +However the latter function will fail if called during runtime or system +suspend/resume, regardless of whether the device is runtime resumed or +not. + +Based on the above suppress the warning during system suspend/resume, +similarly to how this is done during runtime suspend/resume. + +Suggested-by: Imre Deak +Reviewed-by: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/20241217230547.1667561-1-rodrigo.vivi@intel.com +Signed-off-by: Rodrigo Vivi +Stable-dep-of: bb36170d959f ("drm/xe/pm: Disable D3Cold for BMG only on specific platforms") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_pm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c +index f8fad9e56805b..1012925aa4816 100644 +--- a/drivers/gpu/drm/xe/xe_pm.c ++++ b/drivers/gpu/drm/xe/xe_pm.c +@@ -6,6 +6,7 @@ + #include "xe_pm.h" + + #include ++#include + + #include + #include +@@ -622,7 +623,8 @@ static bool xe_pm_suspending_or_resuming(struct xe_device *xe) + struct device *dev = xe->drm.dev; + + return dev->power.runtime_status == RPM_SUSPENDING || +- dev->power.runtime_status == RPM_RESUMING; ++ dev->power.runtime_status == RPM_RESUMING || ++ pm_suspend_target_state != PM_SUSPEND_ON; + #else + return false; + #endif +-- +2.51.0 + diff --git a/queue-6.12/drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch b/queue-6.12/drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch new file mode 100644 index 0000000000..fe72c21ca1 --- /dev/null +++ b/queue-6.12/drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch @@ -0,0 +1,61 @@ +From f5a01cf82b0380900f05a5b5b136fe40716053f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 23:02:38 +0530 +Subject: drm/xe/pm: Disable D3Cold for BMG only on specific platforms +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Karthik Poosa + +[ Upstream commit bb36170d959fad7f663f91eb9c32a84dd86bef2b ] + +Restrict D3Cold disablement for BMG to unsupported NUC platforms, +instead of disabling it on all platforms. + +Signed-off-by: Karthik Poosa +Fixes: 3e331a6715ee ("drm/xe/pm: Temporarily disable D3Cold on BMG") +Link: https://patch.msgid.link/20260123173238.1642383-1-karthik.poosa@intel.com +Reviewed-by: Rodrigo Vivi +Signed-off-by: Rodrigo Vivi +(cherry picked from commit 39125eaf8863ab09d70c4b493f58639b08d5a897) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_pm.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c +index 1012925aa4816..cab80b947c755 100644 +--- a/drivers/gpu/drm/xe/xe_pm.c ++++ b/drivers/gpu/drm/xe/xe_pm.c +@@ -7,6 +7,7 @@ + + #include + #include ++#include + + #include + #include +@@ -270,9 +271,15 @@ int xe_pm_init_early(struct xe_device *xe) + + static u32 vram_threshold_value(struct xe_device *xe) + { +- /* FIXME: D3Cold temporarily disabled by default on BMG */ +- if (xe->info.platform == XE_BATTLEMAGE) +- return 0; ++ if (xe->info.platform == XE_BATTLEMAGE) { ++ const char *product_name; ++ ++ product_name = dmi_get_system_info(DMI_PRODUCT_NAME); ++ if (product_name && strstr(product_name, "NUC13RNG")) { ++ drm_warn(&xe->drm, "BMG + D3Cold not supported on this platform\n"); ++ return 0; ++ } ++ } + + return DEFAULT_VRAM_THRESHOLD; + } +-- +2.51.0 + diff --git a/queue-6.12/drm-xe-query-fix-topology-query-pointer-advance.patch b/queue-6.12/drm-xe-query-fix-topology-query-pointer-advance.patch new file mode 100644 index 0000000000..bec727b62f --- /dev/null +++ b/queue-6.12/drm-xe-query-fix-topology-query-pointer-advance.patch @@ -0,0 +1,47 @@ +From 5ce79d4440640fd7a407e9e58a93d933bb513d72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 04:39:08 +0000 +Subject: drm/xe/query: Fix topology query pointer advance +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuicheng Lin + +[ Upstream commit 7ee9b3e091c63da71e15c72003f1f07e467f5158 ] + +The topology query helper advanced the user pointer by the size +of the pointer, not the size of the structure. This can misalign +the output blob and corrupt the following mask. Fix the increment +to use sizeof(*topo). +There is no issue currently, as sizeof(*topo) happens to be equal +to sizeof(topo) on 64-bit systems (both evaluate to 8 bytes). + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Signed-off-by: Shuicheng Lin +Reviewed-by: Matt Roper +Link: https://patch.msgid.link/20260130043907.465128-2-shuicheng.lin@intel.com +Signed-off-by: Matt Roper +(cherry picked from commit c2a6859138e7f73ad904be17dd7d1da6cc7f06b3) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_query.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_query.c b/drivers/gpu/drm/xe/xe_query.c +index 71a5e852fbac7..46e37957fb493 100644 +--- a/drivers/gpu/drm/xe/xe_query.c ++++ b/drivers/gpu/drm/xe/xe_query.c +@@ -487,7 +487,7 @@ static int copy_mask(void __user **ptr, + + if (copy_to_user(*ptr, topo, sizeof(*topo))) + return -EFAULT; +- *ptr += sizeof(topo); ++ *ptr += sizeof(*topo); + + if (copy_to_user(*ptr, mask, mask_size)) + return -EFAULT; +-- +2.51.0 + diff --git a/queue-6.12/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch b/queue-6.12/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch new file mode 100644 index 0000000000..7d544ffe95 --- /dev/null +++ b/queue-6.12/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch @@ -0,0 +1,56 @@ +From d5520ed677c39e7fb1473af849349781e35b2f38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 19:03:57 -0300 +Subject: HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodrigo Lugathe da Conceição Alves + +[ Upstream commit 85a866809333cd2bf8ddac93d9a3e3ba8e4f807d ] + +The USB speaker has a bug that causes it to reboot when changing the +brightness using the physical knob. + +Add a new vendor and product ID entry in hid-ids.h, and register +the corresponding device in hid-quirks.c with the required quirk. + +Signed-off-by: Rodrigo Lugathe da Conceição Alves +Reviewed-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index c34d4ce211e34..9d0a97a3b06a2 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -435,6 +435,9 @@ + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002 0xc002 + ++#define USB_VENDOR_ID_EDIFIER 0x2d99 ++#define USB_DEVICE_ID_EDIFIER_QR30 0xa101 /* EDIFIER Hal0 2.0 SE */ ++ + #define USB_VENDOR_ID_ELAN 0x04f3 + #define USB_DEVICE_ID_TOSHIBA_CLICK_L9W 0x0401 + #define USB_DEVICE_ID_HP_X2 0x074d +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index b2a3ce7bfb6b6..1f531626192cd 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -81,6 +81,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER), HID_QUIRK_MULTI_INPUT | HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_EDIFIER, USB_DEVICE_ID_EDIFIER_QR30), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_EMS, USB_DEVICE_ID_EMS_TRIO_LINKER_PLUS_II), HID_QUIRK_MULTI_INPUT }, +-- +2.51.0 + diff --git a/queue-6.12/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch b/queue-6.12/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch new file mode 100644 index 0000000000..5553b76cc3 --- /dev/null +++ b/queue-6.12/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch @@ -0,0 +1,46 @@ +From 5d61c5c2e2f44174fc409300675452bf9039b79c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jan 2026 02:18:26 +0800 +Subject: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() + +From: Kwok Kin Ming + +[ Upstream commit 2497ff38c530b1af0df5130ca9f5ab22c5e92f29 ] + +`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data +into `ihid->rawbuf`. + +The former can come from the userspace in the hidraw driver and is only +bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set +`max_buffer_size` field of `struct hid_ll_driver` which we do not). + +The latter has size determined at runtime by the maximum size of +different report types you could receive on any particular device and +can be a much smaller value. + +Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. + +The impact is low since access to hidraw devices requires root. + +Signed-off-by: Kwok Kin Ming +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 276490547378d..cf8ae0df0cda9 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -280,6 +280,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid, + * In addition to report data device will supply data length + * in the first 2 bytes of the response, so adjust . + */ ++ recv_len = min(recv_len, ihid->bufsize - sizeof(__le16)); + error = i2c_hid_xfer(ihid, ihid->cmdbuf, length, + ihid->rawbuf, recv_len + sizeof(__le16)); + if (error) { +-- +2.51.0 + diff --git a/queue-6.12/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch b/queue-6.12/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch new file mode 100644 index 0000000000..e7687e8ab0 --- /dev/null +++ b/queue-6.12/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch @@ -0,0 +1,49 @@ +From 6c3267979bdb72851fd62c7f8df88aad557c63ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 10:51:50 +0800 +Subject: HID: intel-ish-hid: Reset enum_devices_done before enumeration + +From: Zhang Lixu + +[ Upstream commit 56e230723e3a818373bd62331bccb1c6d2b3881b ] + +Some systems have enabled ISH without any sensors. In this case sending +HOSTIF_DM_ENUM_DEVICES results in 0 sensors. This triggers ISH hardware +reset on subsequent enumeration after S3/S4 resume. + +The enum_devices_done flag was not reset before sending the +HOSTIF_DM_ENUM_DEVICES command. On subsequent enumeration calls (such as +after S3/S4 resume), this flag retains its previous true value, causing the +wait loop to be skipped and returning prematurely to hid_ishtp_cl_init(). +If 0 HID devices are found, hid_ishtp_cl_init() skips getting HID device +descriptors and sets init_done to true. When the delayed enumeration +response arrives with init_done already true, the driver treats it as a bad +packet and triggers an ISH hardware reset. + +Set enum_devices_done to false before sending the enumeration command, +consistent with similar functions like ishtp_get_hid_descriptor() and +ishtp_get_report_descriptor() which reset their respective flags. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp-hid-client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +index 89b954a195343..afc8d9bbd8866 100644 +--- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c ++++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +@@ -496,6 +496,7 @@ static int ishtp_enum_enum_devices(struct ishtp_cl *hid_ishtp_cl) + int rv; + + /* Send HOSTIF_DM_ENUM_DEVICES */ ++ client_data->enum_devices_done = false; + memset(&msg, 0, sizeof(struct hostif_msg)); + msg.hdr.command = HOSTIF_DM_ENUM_DEVICES; + rv = ishtp_cl_send(hid_ishtp_cl, (unsigned char *)&msg, +-- +2.51.0 + diff --git a/queue-6.12/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch b/queue-6.12/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch new file mode 100644 index 0000000000..176a99186a --- /dev/null +++ b/queue-6.12/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch @@ -0,0 +1,49 @@ +From 0fa20febd61b828342e7642ebfdcdb6fa4f166b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 10:53:28 +0800 +Subject: HID: intel-ish-hid: Update ishtp bus match to support device ID table + +From: Zhang Lixu + +[ Upstream commit daeed86b686855adda79f13729e0c9b0530990be ] + +The ishtp_cl_bus_match() function previously only checked the first entry +in the driver's device ID table. Update it to iterate over the entire +table, allowing proper matching for drivers with multiple supported +protocol GUIDs. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/bus.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c +index 1ff63fa89fd82..fddc1c4b6cedb 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/bus.c ++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c +@@ -240,9 +240,17 @@ static int ishtp_cl_bus_match(struct device *dev, const struct device_driver *dr + { + struct ishtp_cl_device *device = to_ishtp_cl_device(dev); + struct ishtp_cl_driver *driver = to_ishtp_cl_driver(drv); ++ struct ishtp_fw_client *client = device->fw_client; ++ const struct ishtp_device_id *id; + +- return(device->fw_client ? guid_equal(&driver->id[0].guid, +- &device->fw_client->props.protocol_name) : 0); ++ if (client) { ++ for (id = driver->id; !guid_is_null(&id->guid); id++) { ++ if (guid_equal(&id->guid, &client->props.protocol_name)) ++ return 1; ++ } ++ } ++ ++ return 0; + } + + /** +-- +2.51.0 + diff --git a/queue-6.12/hid-logitech-add-hid-support-for-logitech-mx-anywher.patch b/queue-6.12/hid-logitech-add-hid-support-for-logitech-mx-anywher.patch new file mode 100644 index 0000000000..2d98c514da --- /dev/null +++ b/queue-6.12/hid-logitech-add-hid-support-for-logitech-mx-anywher.patch @@ -0,0 +1,38 @@ +From 58adce37b4de4dd4d0e971c8fb1523fdfe3f0762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 13:00:51 +0000 +Subject: HID: logitech: add HID++ support for Logitech MX Anywhere 3S + +From: Dennis Marttinen + +[ Upstream commit d7f6629bffdcb962d383ef8c9a30afef81e997fe ] + +I've acquired a Logitech MX Anywhere 3S mouse, which supports HID++ over +Bluetooth. Adding its PID 0xb037 to the allowlist enables the additional +features, such as high-resolution scrolling. Tested working across multiple +machines, with a mix of Intel and Mediatek Bluetooth chips. + +[jkosina@suse.com: standardize shortlog] +Signed-off-by: Dennis Marttinen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 7d5bf5991fc6a..c470b4f0e9211 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -4689,6 +4689,8 @@ static const struct hid_device_id hidpp_devices[] = { + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb025) }, + { /* MX Master 3S mouse over Bluetooth */ + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb034) }, ++ { /* MX Anywhere 3S mouse over Bluetooth */ ++ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb037) }, + { /* MX Anywhere 3SB mouse over Bluetooth */ + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb038) }, + {} +-- +2.51.0 + diff --git a/queue-6.12/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch b/queue-6.12/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch new file mode 100644 index 0000000000..e428999adb --- /dev/null +++ b/queue-6.12/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch @@ -0,0 +1,42 @@ +From b38b0c2275cf5736f10319368e169cb8ebbbfef3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Dec 2025 14:34:36 +0100 +Subject: HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL + +From: DaytonCL + +[ Upstream commit ff3f234ff1dcd6d626a989151db067a1b7f0f215 ] + +Some VTL-class touchpads (e.g. TOPS0102:00 35CC:0104) intermittently +fail to release a finger contact. A previous slot remains logically +active, accompanied by stale BTN_TOOL_DOUBLETAP state, causing +gestures to stay latched and resulting in stuck two-finger +scrolling and false right-clicks. + +Apply MT_QUIRK_STICKY_FINGERS to handle the unreleased contact correctly. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1225 +Suggested-by: Benjamin Tissoires +Tested-by: DaytonCL +Signed-off-by: DaytonCL +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 0e4cb0e668eb5..fcfc508d1b54d 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -379,6 +379,7 @@ static const struct mt_class mt_classes[] = { + { .name = MT_CLS_VTL, + .quirks = MT_QUIRK_ALWAYS_VALID | + MT_QUIRK_CONTACT_CNT_ACCURATE | ++ MT_QUIRK_STICKY_FINGERS | + MT_QUIRK_FORCE_GET_FEATURE, + }, + { .name = MT_CLS_GOOGLE, +-- +2.51.0 + diff --git a/queue-6.12/hid-playstation-center-initial-joystick-axes-to-prev.patch b/queue-6.12/hid-playstation-center-initial-joystick-axes-to-prev.patch new file mode 100644 index 0000000000..30dc0a359c --- /dev/null +++ b/queue-6.12/hid-playstation-center-initial-joystick-axes-to-prev.patch @@ -0,0 +1,66 @@ +From 637bfabb89b1b46c8d10426c5ca07531b59a7ff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 15:45:19 -0800 +Subject: HID: playstation: Center initial joystick axes to prevent spurious + events + +From: Siarhei Vishniakou + +[ Upstream commit e9143268d259d98e111a649affa061acb8e13c5b ] + +When a new PlayStation gamepad (DualShock 4 or DualSense) is initialized, +the input subsystem sets the default value for its absolute axes (e.g., +ABS_X, ABS_Y) to 0. + +However, the hardware's actual neutral/resting state for these joysticks +is 128 (0x80). This creates a mismatch. + +When the first HID report arrives from the device, the driver sees the +resting value of 128. The kernel compares this to its initial state of 0 +and incorrectly interprets this as a delta (0 -> 128). Consequently, it +generates EV_ABS events for this initial, non-existent movement. + +This behavior can fail userspace 'sanity check' tests (e.g., in +Android CTS) that correctly assert no motion events should be generated +from a device that is already at rest. + +This patch fixes the issue by explicitly setting the initial value of the +main joystick axes (e.g., ABS_X, ABS_Y, ABS_RX, ABS_RY) to 128 (0x80) +in the common ps_gamepad_create() function. + +This aligns the kernel's initial state with the hardware's expected +neutral state, ensuring that the first report (at 128) produces no +delta and thus, no spurious event. + +Signed-off-by: Siarhei Vishniakou +Reviewed-by: Benjamin Tissoires +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-playstation.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-playstation.c b/drivers/hid/hid-playstation.c +index 657e9ae1be1ee..71a8d4ec9913b 100644 +--- a/drivers/hid/hid-playstation.c ++++ b/drivers/hid/hid-playstation.c +@@ -718,11 +718,16 @@ static struct input_dev *ps_gamepad_create(struct hid_device *hdev, + if (IS_ERR(gamepad)) + return ERR_CAST(gamepad); + ++ /* Set initial resting state for joysticks to 128 (center) */ + input_set_abs_params(gamepad, ABS_X, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_X].value = 128; + input_set_abs_params(gamepad, ABS_Y, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_Y].value = 128; + input_set_abs_params(gamepad, ABS_Z, 0, 255, 0, 0); + input_set_abs_params(gamepad, ABS_RX, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RX].value = 128; + input_set_abs_params(gamepad, ABS_RY, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RY].value = 128; + input_set_abs_params(gamepad, ABS_RZ, 0, 255, 0, 0); + + input_set_abs_params(gamepad, ABS_HAT0X, -1, 1, 0, 0); +-- +2.51.0 + diff --git a/queue-6.12/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch b/queue-6.12/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch new file mode 100644 index 0000000000..08cc54485d --- /dev/null +++ b/queue-6.12/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch @@ -0,0 +1,51 @@ +From 398f8b044e1f88bcb1df1ce29daa954065941e1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 06:56:43 +0000 +Subject: HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list + +From: Chris Chiu + +[ Upstream commit c06bc3557542307b9658fbd43cc946a14250347b ] + +Another Chicony Electronics HP 5MP Camera with USB ID 04F2:B882 +reports a HID sensor interface that is not actually implemented. + +Add the device to the HID ignore list so the bogus sensor is never +exposed to userspace. Then the system won't hang when runtime PM +tries to wake the unresponsive device. + +Signed-off-by: Chris Chiu +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index e0ac6dc07da09..c34d4ce211e34 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -313,6 +313,7 @@ + #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c ++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3 0xb882 + + #define USB_VENDOR_ID_CHUNGHWAT 0x2247 + #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 192b8f63baaab..b2a3ce7bfb6b6 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -763,6 +763,7 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) }, +-- +2.51.0 + diff --git a/queue-6.12/hwmon-occ-mark-occ_init_attribute-as-__printf.patch b/queue-6.12/hwmon-occ-mark-occ_init_attribute-as-__printf.patch new file mode 100644 index 0000000000..807f23f906 --- /dev/null +++ b/queue-6.12/hwmon-occ-mark-occ_init_attribute-as-__printf.patch @@ -0,0 +1,42 @@ +From 49b31d9b60becb6563d2e7e9776cce8e394d7284 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 17:34:36 +0100 +Subject: hwmon: (occ) Mark occ_init_attribute() as __printf + +From: Arnd Bergmann + +[ Upstream commit 831a2b27914cc880130ffe8fb8d1e65a5324d07f ] + +This is a printf-style function, which gcc -Werror=suggest-attribute=format +correctly points out: + +drivers/hwmon/occ/common.c: In function 'occ_init_attribute': +drivers/hwmon/occ/common.c:761:9: error: function 'occ_init_attribute' might be a candidate for 'gnu_printf' format attribute [-Werror=suggest-attribute=format] + +Add the attribute to avoid this warning and ensure any incorrect +format strings are detected here. + +Fixes: 744c2fe950e9 ("hwmon: (occ) Rework attribute registration for stack usage") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20260203163440.2674340-1-arnd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index b3694a4209b97..89928d38831b6 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -749,6 +749,7 @@ static ssize_t occ_show_extended(struct device *dev, + * are dynamically allocated, we cannot use the existing kernel macros which + * stringify the name argument. + */ ++__printf(7, 8) + static void occ_init_attribute(struct occ_attribute *attr, int mode, + ssize_t (*show)(struct device *dev, struct device_attribute *attr, char *buf), + ssize_t (*store)(struct device *dev, struct device_attribute *attr, +-- +2.51.0 + diff --git a/queue-6.12/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch b/queue-6.12/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch new file mode 100644 index 0000000000..d69b90784b --- /dev/null +++ b/queue-6.12/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch @@ -0,0 +1,93 @@ +From b4797ddd117cfb41ecaf2f5ae7ec70e801dc2316 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 18:58:37 +0900 +Subject: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF + +From: Shigeru Yoshida + +[ Upstream commit bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 ] + +syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 +route. [0] + +Commit f72514b3c569 ("ipv6: clear RA flags when adding a static +route") introduced logic to clear RTF_ADDRCONF from existing routes +when a static route with the same nexthop is added. However, this +causes a problem when the existing route has a gateway. + +When RTF_ADDRCONF is cleared from a route that has a gateway, that +route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns +true. The issue is that this route was never added to the +fib6_siblings list. + +This leads to a mismatch between the following counts: + +- The sibling count computed by iterating fib6_next chain, which + includes the newly ECMP-eligible route + +- The actual siblings in fib6_siblings list, which does not include + that route + +When a subsequent ECMP route is added, fib6_add_rt2node() hits +BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the +counts don't match. + +Fix this by only clearing RTF_ADDRCONF when the existing route does +not have a gateway. Routes without a gateway cannot qualify for ECMP +anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing +RTF_ADDRCONF on them is safe and matches the original intent of the +commit. + +[0]: +kernel BUG at net/ipv6/ip6_fib.c:1217! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217 +[...] +Call Trace: + + fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532 + __ip6_ins_rt net/ipv6/route.c:1351 [inline] + ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946 + ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571 + inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577 + sock_do_ioctl+0xdc/0x300 net/socket.c:1245 + sock_ioctl+0x576/0x790 net/socket.c:1366 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: f72514b3c569 ("ipv6: clear RA flags when adding a static route") +Reported-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cb809def1baaac68ab92 +Tested-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260204095837.1285552-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index ebfe2b9b11b7e..d83430f4a0eff 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1138,7 +1138,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + fib6_set_expires(iter, rt->expires); + fib6_add_gc_list(iter); + } +- if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT))) { ++ if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && ++ !iter->fib6_nh->fib_nh_gw_family) { + iter->fib6_flags &= ~RTF_ADDRCONF; + iter->fib6_flags &= ~RTF_PREFIX_RT; + } +-- +2.51.0 + diff --git a/queue-6.12/loongarch-enable-exception-fixup-for-specific-ade-su.patch b/queue-6.12/loongarch-enable-exception-fixup-for-specific-ade-su.patch new file mode 100644 index 0000000000..e2d12ce04c --- /dev/null +++ b/queue-6.12/loongarch-enable-exception-fixup-for-specific-ade-su.patch @@ -0,0 +1,58 @@ +From 0529d479bfbb2ab41265884e669c5253caf23124 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 15:19:20 +0800 +Subject: LoongArch: Enable exception fixup for specific ADE subcode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenghao Duan + +[ Upstream commit 9bdc1ab5e4ce6f066119018d8f69631a46f9c5a0 ] + +This patch allows the LoongArch BPF JIT to handle recoverable memory +access errors generated by BPF_PROBE_MEM* instructions. + +When a BPF program performs memory access operations, the instructions +it executes may trigger ADEM exceptions. The kernel’s built-in BPF +exception table mechanism (EX_TYPE_BPF) will generate corresponding +exception fixup entries in the JIT compilation phase; however, the +architecture-specific trap handling function needs to proactively call +the common fixup routine to achieve exception recovery. + +do_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs, +ensure safe execution. + +Relevant test cases: illegal address access tests in module_attach and +subprogs_extable of selftests/bpf. + +Signed-off-by: Chenghao Duan +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/traps.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/loongarch/kernel/traps.c b/arch/loongarch/kernel/traps.c +index d827ed3178b02..40c162fb645a3 100644 +--- a/arch/loongarch/kernel/traps.c ++++ b/arch/loongarch/kernel/traps.c +@@ -534,10 +534,15 @@ asmlinkage void noinstr do_fpe(struct pt_regs *regs, unsigned long fcsr) + asmlinkage void noinstr do_ade(struct pt_regs *regs) + { + irqentry_state_t state = irqentry_enter(regs); ++ unsigned int esubcode = FIELD_GET(CSR_ESTAT_ESUBCODE, regs->csr_estat); ++ ++ if ((esubcode == EXSUBCODE_ADEM) && fixup_exception(regs)) ++ goto out; + + die_if_kernel("Kernel ade access", regs); + force_sig_fault(SIGBUS, BUS_ADRERR, (void __user *)regs->csr_badvaddr); + ++out: + irqentry_exit(regs, state); + } + +-- +2.51.0 + diff --git a/queue-6.12/loongarch-set-correct-protection_map-for-vm_none-vm_.patch b/queue-6.12/loongarch-set-correct-protection_map-for-vm_none-vm_.patch new file mode 100644 index 0000000000..cc6ed8aa29 --- /dev/null +++ b/queue-6.12/loongarch-set-correct-protection_map-for-vm_none-vm_.patch @@ -0,0 +1,51 @@ +From 0e8de399f3e488111fee4e2894fc695f05caa241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 15:19:10 +0800 +Subject: LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED + +From: Huacai Chen + +[ Upstream commit d5be446948b379f1d1a8e7bc6656d13f44c5c7b1 ] + +For 32BIT platform _PAGE_PROTNONE is 0, so set a VMA to be VM_NONE or +VM_SHARED will make pages non-present, then cause Oops with kernel page +fault. + +Fix it by set correct protection_map[] for VM_NONE/VM_SHARED, replacing +_PAGE_PROTNONE with _PAGE_PRESENT. + +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/mm/cache.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/loongarch/mm/cache.c b/arch/loongarch/mm/cache.c +index 6be04d36ca076..496916845ff76 100644 +--- a/arch/loongarch/mm/cache.c ++++ b/arch/loongarch/mm/cache.c +@@ -160,8 +160,8 @@ void cpu_cache_init(void) + + static const pgprot_t protection_map[16] = { + [VM_NONE] = __pgprot(_CACHE_CC | _PAGE_USER | +- _PAGE_PROTNONE | _PAGE_NO_EXEC | +- _PAGE_NO_READ), ++ _PAGE_NO_EXEC | _PAGE_NO_READ | ++ (_PAGE_PROTNONE ? : _PAGE_PRESENT)), + [VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT | + _PAGE_NO_EXEC), +@@ -180,8 +180,8 @@ static const pgprot_t protection_map[16] = { + [VM_EXEC | VM_WRITE | VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT), + [VM_SHARED] = __pgprot(_CACHE_CC | _PAGE_USER | +- _PAGE_PROTNONE | _PAGE_NO_EXEC | +- _PAGE_NO_READ), ++ _PAGE_NO_EXEC | _PAGE_NO_READ | ++ (_PAGE_PROTNONE ? : _PAGE_PRESENT)), + [VM_SHARED | VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT | + _PAGE_NO_EXEC), +-- +2.51.0 + diff --git a/queue-6.12/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch b/queue-6.12/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch new file mode 100644 index 0000000000..4b18e75b44 --- /dev/null +++ b/queue-6.12/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch @@ -0,0 +1,99 @@ +From b7d615e363f3e0384d98940bb3ee3db220d6e7d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:43:59 +0000 +Subject: macvlan: fix error recovery in macvlan_common_newlink() + +From: Eric Dumazet + +[ Upstream commit f8db6475a83649689c087a8f52486fcc53e627e9 ] + +valis provided a nice repro to crash the kernel: + +ip link add p1 type veth peer p2 +ip link set address 00:00:00:00:00:20 dev p1 +ip link set up dev p1 +ip link set up dev p2 + +ip link add mv0 link p2 type macvlan mode source +ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 + +ping -c1 -I p1 1.2.3.4 + +He also gave a very detailed analysis: + + + +The issue is triggered when a new macvlan link is created with +MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or +MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan +port and register_netdevice() called from macvlan_common_newlink() +fails (e.g. because of the invalid link name). + +In this case macvlan_hash_add_source is called from +macvlan_change_sources() / macvlan_common_newlink(): + +This adds a reference to vlan to the port's vlan_source_hash using +macvlan_source_entry. + +vlan is a pointer to the priv data of the link that is being created. + +When register_netdevice() fails, the error is returned from +macvlan_newlink() to rtnl_newlink_create(): + + if (ops->newlink) + err = ops->newlink(dev, ¶ms, extack); + else + err = register_netdevice(dev); + if (err < 0) { + free_netdev(dev); + goto out; + } + +and free_netdev() is called, causing a kvfree() on the struct +net_device that is still referenced in the source entry attached to +the lower device's macvlan port. + +Now all packets sent on the macvlan port with a matching source mac +address will trigger a use-after-free in macvlan_forward_source(). + + + +With all that, my fix is to make sure we call macvlan_flush_sources() +regardless of @create value whenever "goto destroy_macvlan_port;" +path is taken. + +Many thanks to valis for following up on this issue. + +Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.") +Signed-off-by: Eric Dumazet +Reported-by: valis +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Cc: Boudewijn van der Heide +Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index ee59b57dfb53a..aaf7d755fc8a1 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1563,9 +1563,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(lowerdev)) { ++ if (macvlan_port_get_rtnl(lowerdev)) { + macvlan_flush_sources(port, vlan); +- macvlan_port_destroy(port->dev); ++ if (create) ++ macvlan_port_destroy(port->dev); + } + return err; + } +-- +2.51.0 + diff --git a/queue-6.12/md-suspend-array-while-updating-raid_disks-via-sysfs.patch b/queue-6.12/md-suspend-array-while-updating-raid_disks-via-sysfs.patch new file mode 100644 index 0000000000..3b184f36ed --- /dev/null +++ b/queue-6.12/md-suspend-array-while-updating-raid_disks-via-sysfs.patch @@ -0,0 +1,66 @@ +From 9bc4d052a2e9bc747a1b100e51846ff7db579b38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Dec 2025 18:18:16 +0800 +Subject: md: suspend array while updating raid_disks via sysfs + +From: FengWei Shih + +[ Upstream commit 2cc583653bbe050bacd1cadcc9776d39bf449740 ] + +In raid1_reshape(), freeze_array() is called before modifying the r1bio +memory pool (conf->r1bio_pool) and conf->raid_disks, and +unfreeze_array() is called after the update is completed. + +However, freeze_array() only waits until nr_sync_pending and +(nr_pending - nr_queued) of all buckets reaches zero. When an I/O error +occurs, nr_queued is increased and the corresponding r1bio is queued to +either retry_list or bio_end_io_list. As a result, freeze_array() may +unblock before these r1bios are released. + +This can lead to a situation where conf->raid_disks and the mempool have +already been updated while queued r1bios, allocated with the old +raid_disks value, are later released. Consequently, free_r1bio() may +access memory out of bounds in put_all_bios() and release r1bios of the +wrong size to the new mempool, potentially causing issues with the +mempool as well. + +Since only normal I/O might increase nr_queued while an I/O error occurs, +suspending the array avoids this issue. + +Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends +the array. Therefore, we suspend the array when updating raid_disks +via sysfs to avoid this issue too. + +Signed-off-by: FengWei Shih +Link: https://lore.kernel.org/linux-raid/20251226101816.4506-1-dannyshih@synology.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 26056d53f40c9..526390acd39e0 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4175,7 +4175,7 @@ raid_disks_store(struct mddev *mddev, const char *buf, size_t len) + if (err < 0) + return err; + +- err = mddev_lock(mddev); ++ err = mddev_suspend_and_lock(mddev); + if (err) + return err; + if (mddev->pers) +@@ -4200,7 +4200,7 @@ raid_disks_store(struct mddev *mddev, const char *buf, size_t len) + } else + mddev->raid_disks = n; + out_unlock: +- mddev_unlock(mddev); ++ mddev_unlock_and_resume(mddev); + return err ? err : len; + } + static struct md_sysfs_entry md_raid_disks = +-- +2.51.0 + diff --git a/queue-6.12/net-add-skb_header_pointer_careful-helper.patch b/queue-6.12/net-add-skb_header_pointer_careful-helper.patch new file mode 100644 index 0000000000..807bbafad0 --- /dev/null +++ b/queue-6.12/net-add-skb_header_pointer_careful-helper.patch @@ -0,0 +1,50 @@ +From 5e8e4c355d3006d2380d3c9a143dac99b260646b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 14:15:38 +0000 +Subject: net: add skb_header_pointer_careful() helper + +From: Eric Dumazet + +[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ] + +This variant of skb_header_pointer() should be used in contexts +where @offset argument is user-controlled and could be negative. + +Negative offsets are supported, as long as the zone starts +between skb->head and skb->data. + +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: cabd1a976375 ("net/sched: cls_u32: use skb_header_pointer_careful()") +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 1e07a54602032..2e26a054d260c 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4202,6 +4202,18 @@ skb_header_pointer(const struct sk_buff *skb, int offset, int len, void *buffer) + skb_headlen(skb), buffer); + } + ++/* Variant of skb_header_pointer() where @offset is user-controlled ++ * and potentially negative. ++ */ ++static inline void * __must_check ++skb_header_pointer_careful(const struct sk_buff *skb, int offset, ++ int len, void *buffer) ++{ ++ if (unlikely(offset < 0 && -offset > skb_headroom(skb))) ++ return NULL; ++ return skb_header_pointer(skb, offset, len, buffer); ++} ++ + static inline void * __must_check + skb_pointer_if_linear(const struct sk_buff *skb, int offset, int len) + { +-- +2.51.0 + diff --git a/queue-6.12/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch b/queue-6.12/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch new file mode 100644 index 0000000000..b4bf43fc47 --- /dev/null +++ b/queue-6.12/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch @@ -0,0 +1,69 @@ +From a86c14de3ab75c55d34c72be9423f1bba92bd60c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 19:38:27 -0800 +Subject: net: don't touch dev->stats in BPF redirect paths + +From: Jakub Kicinski + +[ Upstream commit fdf3f6800be36377e045e2448087f12132b88d2f ] + +Gal reports that BPF redirect increments dev->stats.tx_errors +on failure. This is not correct, most modern drivers completely +ignore dev->stats so these drops will be invisible to the user. +Core code should use the dedicated core stats which are folded +into device stats in dev_get_stats(). + +Note that we're switching from tx_errors to tx_dropped. +Core only has tx_dropped, hence presumably users already expect +that counter to increment for "stack" Tx issues. + +Reported-by: Gal Pressman +Link: https://lore.kernel.org/c5df3b60-246a-4030-9c9a-0a35cd1ca924@nvidia.com +Fixes: b4ab31414970 ("bpf: Add redirect_neigh helper as redirect drop-in") +Acked-by: Martin KaFai Lau +Acked-by: Daniel Borkmann +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260130033827.698841-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index bc61ad5f4e054..06e179865a21b 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2297,12 +2297,12 @@ static int __bpf_redirect_neigh_v6(struct sk_buff *skb, struct net_device *dev, + + err = bpf_out_neigh_v6(net, skb, dev, nh); + if (unlikely(net_xmit_eval(err))) +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + else + ret = NET_XMIT_SUCCESS; + goto out_xmit; + out_drop: +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + kfree_skb(skb); + out_xmit: + return ret; +@@ -2404,12 +2404,12 @@ static int __bpf_redirect_neigh_v4(struct sk_buff *skb, struct net_device *dev, + + err = bpf_out_neigh_v4(net, skb, dev, nh); + if (unlikely(net_xmit_eval(err))) +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + else + ret = NET_XMIT_SUCCESS; + goto out_xmit; + out_drop: +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + kfree_skb(skb); + out_xmit: + return ret; +-- +2.51.0 + diff --git a/queue-6.12/net-ethernet-adi-adin1110-check-return-value-of-devm.patch b/queue-6.12/net-ethernet-adi-adin1110-check-return-value-of-devm.patch new file mode 100644 index 0000000000..9d22df143c --- /dev/null +++ b/queue-6.12/net-ethernet-adi-adin1110-check-return-value-of-devm.patch @@ -0,0 +1,48 @@ +From 089b22e714be237d1f96c0cf9e523874ee943db7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 12:02:28 +0800 +Subject: net: ethernet: adi: adin1110: Check return value of + devm_gpiod_get_optional() in adin1110_check_spi() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ni + +[ Upstream commit 78211543d2e44f84093049b4ef5f5bfa535f4645 ] + +The devm_gpiod_get_optional() function may return an ERR_PTR in case of +genuine GPIO acquisition errors, not just NULL which indicates the +legitimate absence of an optional GPIO. + +Add an IS_ERR() check after the call in adin1110_check_spi(). On error, +return the error code to ensure proper failure handling rather than +proceeding with invalid pointers. + +Fixes: 36934cac7aaf ("net: ethernet: adi: adin1110: add reset GPIO") +Signed-off-by: Chen Ni +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20260202040228.4129097-1-nichen@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/adin1110.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c +index 68fad5575fd4f..4352444ec6f6f 100644 +--- a/drivers/net/ethernet/adi/adin1110.c ++++ b/drivers/net/ethernet/adi/adin1110.c +@@ -1089,6 +1089,9 @@ static int adin1110_check_spi(struct adin1110_priv *priv) + + reset_gpio = devm_gpiod_get_optional(&priv->spidev->dev, "reset", + GPIOD_OUT_LOW); ++ if (IS_ERR(reset_gpio)) ++ return dev_err_probe(&priv->spidev->dev, PTR_ERR(reset_gpio), ++ "failed to get reset gpio\n"); + if (reset_gpio) { + /* MISO pin is used for internal configuration, can't have + * anyone else disturbing the SDO line. +-- +2.51.0 + diff --git a/queue-6.12/net-gro-fix-outer-network-offset.patch b/queue-6.12/net-gro-fix-outer-network-offset.patch new file mode 100644 index 0000000000..9576bb4763 --- /dev/null +++ b/queue-6.12/net-gro-fix-outer-network-offset.patch @@ -0,0 +1,52 @@ +From be27870c0459577a5f65ce3300824d54b8a029e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 12:43:14 +0100 +Subject: net: gro: fix outer network offset + +From: Paolo Abeni + +[ Upstream commit 5c2c3c38be396257a6a2e55bd601a12bb9781507 ] + +The udp GRO complete stage assumes that all the packets inserted the RX +have the `encapsulation` flag zeroed. Such assumption is not true, as a +few H/W NICs can set such flag when H/W offloading the checksum for +an UDP encapsulated traffic, the tun driver can inject GSO packets with +UDP encapsulation and the problematic layout can also be created via +a veth based setup. + +Due to the above, in the problematic scenarios, udp4_gro_complete() uses +the wrong network offset (inner instead of outer) to compute the outer +UDP header pseudo checksum, leading to csum validation errors later on +in packet processing. + +Address the issue always clearing the encapsulation flag at GRO completion +time. Such flag will be set again as needed for encapsulated packets by +udp_gro_complete(). + +Fixes: 5ef31ea5d053 ("net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb") +Reviewed-by: Willem de Bruijn +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/562638dbebb3b15424220e26a180274b387e2a88.1770032084.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/gro.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/gro.c b/net/core/gro.c +index 0ad549b07e039..40aaac4e04f34 100644 +--- a/net/core/gro.c ++++ b/net/core/gro.c +@@ -265,6 +265,8 @@ static void napi_gro_complete(struct napi_struct *napi, struct sk_buff *skb) + goto out; + } + ++ /* NICs can feed encapsulated packets into GRO */ ++ skb->encapsulation = 0; + rcu_read_lock(); + list_for_each_entry_rcu(ptype, head, list) { + if (ptype->type != type || !ptype->callbacks.gro_complete) +-- +2.51.0 + diff --git a/queue-6.12/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch b/queue-6.12/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch new file mode 100644 index 0000000000..83526ce18a --- /dev/null +++ b/queue-6.12/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch @@ -0,0 +1,61 @@ +From fe2100297c0657bab425b93f1618d2fa6ed858a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:39 +0000 +Subject: net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 8558aef4e8a1a83049ab906d21d391093cfa7e7f ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Also, decrement i in the devlink_alloc failure path to point to the +last successfully allocated index. + +Compile tested only. Issue found using code review. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-3-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index eba0740782379..ebb82767b6e53 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3758,6 +3758,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + if (!devlink) { + device_unlock(&octeon_dev->pci_dev->dev); + dev_err(&octeon_dev->pci_dev->dev, "devlink alloc failed\n"); ++ i--; + goto setup_nic_dev_free; + } + +@@ -3773,11 +3774,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-6.12/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch b/queue-6.12/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch new file mode 100644 index 0000000000..86316a8110 --- /dev/null +++ b/queue-6.12/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch @@ -0,0 +1,50 @@ +From c248528e2504ed609ff25d5e3eb47bdcd23a4ab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:40 +0000 +Subject: net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 6cbba46934aefdfb5d171e0a95aec06c24f7ca30 ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Compile tested only. Issue found using code review. + +Fixes: 846b46873eeb ("liquidio CN23XX: VF offload features") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-4-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +index 62c2eadc33e35..15ef647e8aad3 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +@@ -2221,11 +2221,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-6.12/net-liquidio-initialize-netdev-pointer-before-queue-.patch b/queue-6.12/net-liquidio-initialize-netdev-pointer-before-queue-.patch new file mode 100644 index 0000000000..47eb07f5c9 --- /dev/null +++ b/queue-6.12/net-liquidio-initialize-netdev-pointer-before-queue-.patch @@ -0,0 +1,98 @@ +From 8087a346fa4b69614a0c406bcac203a3a8bdaacc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:38 +0000 +Subject: net: liquidio: Initialize netdev pointer before queue setup + +From: Zilin Guan + +[ Upstream commit 926ede0c85e1e57c97d64d9612455267d597bb2c ] + +In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq(). +However, the pointer to this structure is stored in oct->props[i].netdev +only after the calls to netif_set_real_num_rx_queues() and +netif_set_real_num_tx_queues(). + +If either of these functions fails, setup_nic_devices() returns an error +without freeing the allocated netdev. Since oct->props[i].netdev is still +NULL at this point, the cleanup function liquidio_destroy_nic_device() +will fail to find and free the netdev, resulting in a memory leak. + +Fix this by initializing oct->props[i].netdev before calling the queue +setup functions. This ensures that the netdev is properly accessible for +cleanup in case of errors. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: c33c997346c3 ("liquidio: enhanced ethtool --set-channels feature") +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-2-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/liquidio/lio_main.c | 34 +++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index 1d79f6eaa41f6..eba0740782379 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3513,6 +3513,23 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + */ + netdev->netdev_ops = &lionetdevops; + ++ lio = GET_LIO(netdev); ++ ++ memset(lio, 0, sizeof(struct lio)); ++ ++ lio->ifidx = ifidx_or_pfnum; ++ ++ props = &octeon_dev->props[i]; ++ props->gmxport = resp->cfg_info.linfo.gmxport; ++ props->netdev = netdev; ++ ++ /* Point to the properties for octeon device to which this ++ * interface belongs. ++ */ ++ lio->oct_dev = octeon_dev; ++ lio->octprops = props; ++ lio->netdev = netdev; ++ + retval = netif_set_real_num_rx_queues(netdev, num_oqueues); + if (retval) { + dev_err(&octeon_dev->pci_dev->dev, +@@ -3529,16 +3546,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + goto setup_nic_dev_free; + } + +- lio = GET_LIO(netdev); +- +- memset(lio, 0, sizeof(struct lio)); +- +- lio->ifidx = ifidx_or_pfnum; +- +- props = &octeon_dev->props[i]; +- props->gmxport = resp->cfg_info.linfo.gmxport; +- props->netdev = netdev; +- + lio->linfo.num_rxpciq = num_oqueues; + lio->linfo.num_txpciq = num_iqueues; + for (j = 0; j < num_oqueues; j++) { +@@ -3604,13 +3611,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + netdev->min_mtu = LIO_MIN_MTU_SIZE; + netdev->max_mtu = LIO_MAX_MTU_SIZE; + +- /* Point to the properties for octeon device to which this +- * interface belongs. +- */ +- lio->oct_dev = octeon_dev; +- lio->octprops = props; +- lio->netdev = netdev; +- + dev_dbg(&octeon_dev->pci_dev->dev, + "if%d gmx: %d hw_addr: 0x%llx\n", i, + lio->linfo.gmxport, CVM_CAST64(lio->linfo.hw_addr)); +-- +2.51.0 + diff --git a/queue-6.12/net-phy-add-phy_interface_copy.patch b/queue-6.12/net-phy-add-phy_interface_copy.patch new file mode 100644 index 0000000000..b50a7e94ed --- /dev/null +++ b/queue-6.12/net-phy-add-phy_interface_copy.patch @@ -0,0 +1,42 @@ +From 1c423af04847f1c6491352b030d8dda965b80ce0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 22:46:36 +0100 +Subject: net: phy: add phy_interface_copy() + +From: Russell King (Oracle) + +[ Upstream commit a571f08d3db215dd6ec294d8faac8cc4184bc4e4 ] + +Add a helper for copying PHY interface bitmasks. This will be used by +the SFP bus code, which will then be moved to phylink in the subsequent +patches. + +Reviewed-by: Andrew Lunn +Signed-off-by: Russell King (Oracle) +Link: https://patch.msgid.link/E1uydVU-000000061W8-2IDT@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: adcbadfd8e05 ("net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module") +Signed-off-by: Sasha Levin +--- + include/linux/phy.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/include/linux/phy.h b/include/linux/phy.h +index 6fe5d564beed4..49283facf9320 100644 +--- a/include/linux/phy.h ++++ b/include/linux/phy.h +@@ -187,6 +187,11 @@ static inline bool phy_interface_empty(const unsigned long *intf) + return bitmap_empty(intf, PHY_INTERFACE_MODE_MAX); + } + ++static inline void phy_interface_copy(unsigned long *d, const unsigned long *s) ++{ ++ bitmap_copy(d, s, PHY_INTERFACE_MODE_MAX); ++} ++ + static inline unsigned int phy_interface_weight(const unsigned long *intf) + { + return bitmap_weight(intf, PHY_INTERFACE_MODE_MAX); +-- +2.51.0 + diff --git a/queue-6.12/net-phy-add-phy_interface_weight.patch b/queue-6.12/net-phy-add-phy_interface_weight.patch new file mode 100644 index 0000000000..c7ad8723dc --- /dev/null +++ b/queue-6.12/net-phy-add-phy_interface_weight.patch @@ -0,0 +1,38 @@ +From 2de6102a0dba18efd3b0cddb02743440f9560e7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Aug 2025 18:34:33 +0100 +Subject: net: phy: add phy_interface_weight() + +From: Russell King (Oracle) + +[ Upstream commit 4beb44a2d62dddfe450f310aa1a950901731cb3a ] + +Signed-off-by: Russell King (Oracle) +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/E1uslwn-00000001SOx-0a7H@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: adcbadfd8e05 ("net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module") +Signed-off-by: Sasha Levin +--- + include/linux/phy.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/include/linux/phy.h b/include/linux/phy.h +index dfc7b97f9648d..6fe5d564beed4 100644 +--- a/include/linux/phy.h ++++ b/include/linux/phy.h +@@ -187,6 +187,11 @@ static inline bool phy_interface_empty(const unsigned long *intf) + return bitmap_empty(intf, PHY_INTERFACE_MODE_MAX); + } + ++static inline unsigned int phy_interface_weight(const unsigned long *intf) ++{ ++ return bitmap_weight(intf, PHY_INTERFACE_MODE_MAX); ++} ++ + static inline void phy_interface_and(unsigned long *dst, const unsigned long *a, + const unsigned long *b) + { +-- +2.51.0 + diff --git a/queue-6.12/net-sched-cls_u32-use-skb_header_pointer_careful.patch b/queue-6.12/net-sched-cls_u32-use-skb_header_pointer_careful.patch new file mode 100644 index 0000000000..554f4dc155 --- /dev/null +++ b/queue-6.12/net-sched-cls_u32-use-skb_header_pointer_careful.patch @@ -0,0 +1,70 @@ +From 4dee7360ce82289cb679eb2bf3a97a528bf1fc20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 14:15:39 +0000 +Subject: net/sched: cls_u32: use skb_header_pointer_careful() + +From: Eric Dumazet + +[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ] + +skb_header_pointer() does not fully validate negative @offset values. + +Use skb_header_pointer_careful() instead. + +GangMin Kim provided a report and a repro fooling u32_classify(): + +BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 +net/sched/cls_u32.c:221 + +Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely") +Reported-by: GangMin Kim +Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/ +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 2a1c00048fd6f..58e849c0acf41 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -161,10 +161,8 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + int toff = off + key->off + (off2 & key->offmask); + __be32 *data, hdata; + +- if (skb_headroom(skb) + toff > INT_MAX) +- goto out; +- +- data = skb_header_pointer(skb, toff, 4, &hdata); ++ data = skb_header_pointer_careful(skb, toff, 4, ++ &hdata); + if (!data) + goto out; + if ((*data ^ key->val) & key->mask) { +@@ -214,8 +212,9 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + if (ht->divisor) { + __be32 *data, hdata; + +- data = skb_header_pointer(skb, off + n->sel.hoff, 4, +- &hdata); ++ data = skb_header_pointer_careful(skb, ++ off + n->sel.hoff, ++ 4, &hdata); + if (!data) + goto out; + sel = ht->divisor & u32_hash_fold(*data, &n->sel, +@@ -229,7 +228,7 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + if (n->sel.flags & TC_U32_VAROFFSET) { + __be16 *data, hdata; + +- data = skb_header_pointer(skb, ++ data = skb_header_pointer_careful(skb, + off + n->sel.offoff, + 2, &hdata); + if (!data) +-- +2.51.0 + diff --git a/queue-6.12/net-sfp-convert-sfp-quirks-to-modify-struct-sfp_modu.patch b/queue-6.12/net-sfp-convert-sfp-quirks-to-modify-struct-sfp_modu.patch new file mode 100644 index 0000000000..aeaf97b989 --- /dev/null +++ b/queue-6.12/net-sfp-convert-sfp-quirks-to-modify-struct-sfp_modu.patch @@ -0,0 +1,160 @@ +From 672cd6e56f069102fc3da2572d7e72185a6ab02d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 22:46:46 +0100 +Subject: net: sfp: convert sfp quirks to modify struct sfp_module_support + +From: Russell King (Oracle) + +[ Upstream commit a7dc35a9e49b103ff2a8a96519c47e149d733ccd ] + +In order to provide extensible module support properties, arrange for +the SFP quirks to modify any member of the sfp_module_support struct, +rather than just the ethtool link modes and interfaces. + +Signed-off-by: Russell King (Oracle) +Link: https://patch.msgid.link/E1uydVe-000000061WK-3KwI@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: adcbadfd8e05 ("net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp-bus.c | 5 ++-- + drivers/net/phy/sfp.c | 49 +++++++++++++++++++-------------------- + drivers/net/phy/sfp.h | 4 ++-- + 3 files changed, 28 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/phy/sfp-bus.c b/drivers/net/phy/sfp-bus.c +index 35030c527fbed..b77190494b045 100644 +--- a/drivers/net/phy/sfp-bus.c ++++ b/drivers/net/phy/sfp-bus.c +@@ -373,9 +373,8 @@ static void sfp_init_module(struct sfp_bus *bus, + sfp_module_parse_port(bus, id); + sfp_module_parse_may_have_phy(bus, id); + +- if (quirk && quirk->modes) +- quirk->modes(id, bus->caps.link_modes, +- bus->caps.interfaces); ++ if (quirk && quirk->support) ++ quirk->support(id, &bus->caps); + } + + /** +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 90bb5559af5bf..05dd0cf093482 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -439,45 +439,44 @@ static void sfp_fixup_rollball_cc(struct sfp *sfp) + } + + static void sfp_quirk_2500basex(const struct sfp_eeprom_id *id, +- unsigned long *modes, +- unsigned long *interfaces) ++ struct sfp_module_caps *caps) + { +- linkmode_set_bit(ETHTOOL_LINK_MODE_2500baseX_Full_BIT, modes); +- __set_bit(PHY_INTERFACE_MODE_2500BASEX, interfaces); ++ linkmode_set_bit(ETHTOOL_LINK_MODE_2500baseX_Full_BIT, ++ caps->link_modes); ++ __set_bit(PHY_INTERFACE_MODE_2500BASEX, caps->interfaces); + } + + static void sfp_quirk_disable_autoneg(const struct sfp_eeprom_id *id, +- unsigned long *modes, +- unsigned long *interfaces) ++ struct sfp_module_caps *caps) + { +- linkmode_clear_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, modes); ++ linkmode_clear_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, caps->link_modes); + } + + static void sfp_quirk_oem_2_5g(const struct sfp_eeprom_id *id, +- unsigned long *modes, +- unsigned long *interfaces) ++ struct sfp_module_caps *caps) + { + /* Copper 2.5G SFP */ +- linkmode_set_bit(ETHTOOL_LINK_MODE_2500baseT_Full_BIT, modes); +- __set_bit(PHY_INTERFACE_MODE_2500BASEX, interfaces); +- sfp_quirk_disable_autoneg(id, modes, interfaces); ++ linkmode_set_bit(ETHTOOL_LINK_MODE_2500baseT_Full_BIT, ++ caps->link_modes); ++ __set_bit(PHY_INTERFACE_MODE_2500BASEX, caps->interfaces); ++ sfp_quirk_disable_autoneg(id, caps); + } + + static void sfp_quirk_ubnt_uf_instant(const struct sfp_eeprom_id *id, +- unsigned long *modes, +- unsigned long *interfaces) ++ struct sfp_module_caps *caps) + { + /* Ubiquiti U-Fiber Instant module claims that support all transceiver + * types including 10G Ethernet which is not truth. So clear all claimed + * modes and set only one mode which module supports: 1000baseX_Full. + */ +- linkmode_zero(modes); +- linkmode_set_bit(ETHTOOL_LINK_MODE_1000baseX_Full_BIT, modes); ++ linkmode_zero(caps->link_modes); ++ linkmode_set_bit(ETHTOOL_LINK_MODE_1000baseX_Full_BIT, ++ caps->link_modes); + } + +-#define SFP_QUIRK(_v, _p, _m, _f) \ +- { .vendor = _v, .part = _p, .modes = _m, .fixup = _f, } +-#define SFP_QUIRK_M(_v, _p, _m) SFP_QUIRK(_v, _p, _m, NULL) ++#define SFP_QUIRK(_v, _p, _s, _f) \ ++ { .vendor = _v, .part = _p, .support = _s, .fixup = _f, } ++#define SFP_QUIRK_S(_v, _p, _s) SFP_QUIRK(_v, _p, _s, NULL) + #define SFP_QUIRK_F(_v, _p, _f) SFP_QUIRK(_v, _p, NULL, _f) + + static const struct sfp_quirk sfp_quirks[] = { +@@ -517,7 +516,7 @@ static const struct sfp_quirk sfp_quirks[] = { + + // HG MXPD-483II-F 2.5G supports 2500Base-X, but incorrectly reports + // 2600MBd in their EERPOM +- SFP_QUIRK_M("HG GENUINE", "MXPD-483II", sfp_quirk_2500basex), ++ SFP_QUIRK_S("HG GENUINE", "MXPD-483II", sfp_quirk_2500basex), + + // Huawei MA5671A can operate at 2500base-X, but report 1.2GBd NRZ in + // their EEPROM +@@ -526,9 +525,9 @@ static const struct sfp_quirk sfp_quirks[] = { + + // Lantech 8330-262D-E can operate at 2500base-X, but incorrectly report + // 2500MBd NRZ in their EEPROM +- SFP_QUIRK_M("Lantech", "8330-262D-E", sfp_quirk_2500basex), ++ SFP_QUIRK_S("Lantech", "8330-262D-E", sfp_quirk_2500basex), + +- SFP_QUIRK_M("UBNT", "UF-INSTANT", sfp_quirk_ubnt_uf_instant), ++ SFP_QUIRK_S("UBNT", "UF-INSTANT", sfp_quirk_ubnt_uf_instant), + + // Walsun HXSX-ATR[CI]-1 don't identify as copper, and use the + // Rollball protocol to talk to the PHY. +@@ -541,9 +540,9 @@ static const struct sfp_quirk sfp_quirks[] = { + SFP_QUIRK_F("OEM", "SFP-GE-T", sfp_fixup_ignore_tx_fault), + + SFP_QUIRK_F("OEM", "SFP-10G-T", sfp_fixup_rollball_cc), +- SFP_QUIRK_M("OEM", "SFP-2.5G-T", sfp_quirk_oem_2_5g), +- SFP_QUIRK_M("OEM", "SFP-2.5G-BX10-D", sfp_quirk_2500basex), +- SFP_QUIRK_M("OEM", "SFP-2.5G-BX10-U", sfp_quirk_2500basex), ++ SFP_QUIRK_S("OEM", "SFP-2.5G-T", sfp_quirk_oem_2_5g), ++ SFP_QUIRK_S("OEM", "SFP-2.5G-BX10-D", sfp_quirk_2500basex), ++ SFP_QUIRK_S("OEM", "SFP-2.5G-BX10-U", sfp_quirk_2500basex), + SFP_QUIRK_F("OEM", "RTSFP-10", sfp_fixup_rollball_cc), + SFP_QUIRK_F("OEM", "RTSFP-10G", sfp_fixup_rollball_cc), + SFP_QUIRK_F("Turris", "RTSFP-2.5G", sfp_fixup_rollball), +diff --git a/drivers/net/phy/sfp.h b/drivers/net/phy/sfp.h +index 1fd097dccb9fc..879dff7afe6a4 100644 +--- a/drivers/net/phy/sfp.h ++++ b/drivers/net/phy/sfp.h +@@ -9,8 +9,8 @@ struct sfp; + struct sfp_quirk { + const char *vendor; + const char *part; +- void (*modes)(const struct sfp_eeprom_id *id, unsigned long *modes, +- unsigned long *interfaces); ++ void (*support)(const struct sfp_eeprom_id *id, ++ struct sfp_module_caps *caps); + void (*fixup)(struct sfp *sfp); + }; + +-- +2.51.0 + diff --git a/queue-6.12/net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch b/queue-6.12/net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch new file mode 100644 index 0000000000..e1f97fa0fd --- /dev/null +++ b/queue-6.12/net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch @@ -0,0 +1,55 @@ +From 71118fd4d9c421ca92ffa20c3dde8416c29d25a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 09:22:27 +0100 +Subject: net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit adcbadfd8e05d3558c9cfaa783f17c645181165f ] + +Commit fd580c9830316eda ("net: sfp: augment SFP parsing with +phy_interface_t bitmap") did not add augumentation for the interface +bitmap in the quirk for Ubiquiti U-Fiber Instant. + +The subsequent commit f81fa96d8a6c7a77 ("net: phylink: use +phy_interface_t bitmaps for optical modules") then changed phylink code +for selection of SFP interface: instead of using link mode bitmap, the +interface bitmap is used, and the fastest interface mode supported by +both SFP module and MAC is chosen. + +Since the interface bitmap contains also modes faster than 1000base-x, +this caused a regression wherein this module stopped working +out-of-the-box. + +Fix this. + +Fixes: fd580c9830316eda ("net: sfp: augment SFP parsing with phy_interface_t bitmap") +Signed-off-by: Marek Behún +Reviewed-by: Maxime Chevallier +Reviewed-by: Russell King (Oracle) +Link: https://patch.msgid.link/20260129082227.17443-1-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 05dd0cf093482..6153a35af1070 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -472,6 +472,8 @@ static void sfp_quirk_ubnt_uf_instant(const struct sfp_eeprom_id *id, + linkmode_zero(caps->link_modes); + linkmode_set_bit(ETHTOOL_LINK_MODE_1000baseX_Full_BIT, + caps->link_modes); ++ phy_interface_zero(caps->interfaces); ++ __set_bit(PHY_INTERFACE_MODE_1000BASEX, caps->interfaces); + } + + #define SFP_QUIRK(_v, _p, _s, _f) \ +-- +2.51.0 + diff --git a/queue-6.12/net-sfp-pre-parse-the-module-support.patch b/queue-6.12/net-sfp-pre-parse-the-module-support.patch new file mode 100644 index 0000000000..37537d3d1a --- /dev/null +++ b/queue-6.12/net-sfp-pre-parse-the-module-support.patch @@ -0,0 +1,225 @@ +From f5fd876d107bd6fc0ce9c7bf9b9e56d8151d4b2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 22:46:41 +0100 +Subject: net: sfp: pre-parse the module support + +From: Russell King (Oracle) + +[ Upstream commit ddae6127afbba46e32af3b31eb7bba939e1fad96 ] + +Pre-parse the module support on insert rather than when the upstream +requests the data. This will allow more flexible and extensible +parsing. + +Signed-off-by: Russell King (Oracle) +Link: https://patch.msgid.link/E1uydVZ-000000061WE-2pXD@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: adcbadfd8e05 ("net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp-bus.c | 80 +++++++++++++++++++++++++++------------ + include/linux/sfp.h | 22 +++++++++++ + 2 files changed, 77 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/phy/sfp-bus.c b/drivers/net/phy/sfp-bus.c +index f13c00b5b449c..35030c527fbed 100644 +--- a/drivers/net/phy/sfp-bus.c ++++ b/drivers/net/phy/sfp-bus.c +@@ -22,7 +22,6 @@ struct sfp_bus { + const struct sfp_socket_ops *socket_ops; + struct device *sfp_dev; + struct sfp *sfp; +- const struct sfp_quirk *sfp_quirk; + + const struct sfp_upstream_ops *upstream_ops; + void *upstream; +@@ -30,6 +29,8 @@ struct sfp_bus { + + bool registered; + bool started; ++ ++ struct sfp_module_caps caps; + }; + + /** +@@ -48,6 +49,13 @@ struct sfp_bus { + */ + int sfp_parse_port(struct sfp_bus *bus, const struct sfp_eeprom_id *id, + unsigned long *support) ++{ ++ return bus->caps.port; ++} ++EXPORT_SYMBOL_GPL(sfp_parse_port); ++ ++static void sfp_module_parse_port(struct sfp_bus *bus, ++ const struct sfp_eeprom_id *id) + { + int port; + +@@ -91,21 +99,18 @@ int sfp_parse_port(struct sfp_bus *bus, const struct sfp_eeprom_id *id, + break; + } + +- if (support) { +- switch (port) { +- case PORT_FIBRE: +- phylink_set(support, FIBRE); +- break; ++ switch (port) { ++ case PORT_FIBRE: ++ phylink_set(bus->caps.link_modes, FIBRE); ++ break; + +- case PORT_TP: +- phylink_set(support, TP); +- break; +- } ++ case PORT_TP: ++ phylink_set(bus->caps.link_modes, TP); ++ break; + } + +- return port; ++ bus->caps.port = port; + } +-EXPORT_SYMBOL_GPL(sfp_parse_port); + + /** + * sfp_may_have_phy() - indicate whether the module may have a PHY +@@ -117,8 +122,17 @@ EXPORT_SYMBOL_GPL(sfp_parse_port); + */ + bool sfp_may_have_phy(struct sfp_bus *bus, const struct sfp_eeprom_id *id) + { +- if (id->base.e1000_base_t) +- return true; ++ return bus->caps.may_have_phy; ++} ++EXPORT_SYMBOL_GPL(sfp_may_have_phy); ++ ++static void sfp_module_parse_may_have_phy(struct sfp_bus *bus, ++ const struct sfp_eeprom_id *id) ++{ ++ if (id->base.e1000_base_t) { ++ bus->caps.may_have_phy = true; ++ return; ++ } + + if (id->base.phys_id != SFF8024_ID_DWDM_SFP) { + switch (id->base.extended_cc) { +@@ -126,13 +140,13 @@ bool sfp_may_have_phy(struct sfp_bus *bus, const struct sfp_eeprom_id *id) + case SFF8024_ECC_10GBASE_T_SR: + case SFF8024_ECC_5GBASE_T: + case SFF8024_ECC_2_5GBASE_T: +- return true; ++ bus->caps.may_have_phy = true; ++ return; + } + } + +- return false; ++ bus->caps.may_have_phy = false; + } +-EXPORT_SYMBOL_GPL(sfp_may_have_phy); + + /** + * sfp_parse_support() - Parse the eeprom id for supported link modes +@@ -148,8 +162,17 @@ EXPORT_SYMBOL_GPL(sfp_may_have_phy); + void sfp_parse_support(struct sfp_bus *bus, const struct sfp_eeprom_id *id, + unsigned long *support, unsigned long *interfaces) + { ++ linkmode_or(support, support, bus->caps.link_modes); ++ phy_interface_copy(interfaces, bus->caps.interfaces); ++} ++EXPORT_SYMBOL_GPL(sfp_parse_support); ++ ++static void sfp_module_parse_support(struct sfp_bus *bus, ++ const struct sfp_eeprom_id *id) ++{ ++ unsigned long *interfaces = bus->caps.interfaces; ++ unsigned long *modes = bus->caps.link_modes; + unsigned int br_min, br_nom, br_max; +- __ETHTOOL_DECLARE_LINK_MODE_MASK(modes) = { 0, }; + + /* Decode the bitrate information to MBd */ + br_min = br_nom = br_max = 0; +@@ -338,13 +361,22 @@ void sfp_parse_support(struct sfp_bus *bus, const struct sfp_eeprom_id *id, + phylink_set(modes, Autoneg); + phylink_set(modes, Pause); + phylink_set(modes, Asym_Pause); ++} ++ ++static void sfp_init_module(struct sfp_bus *bus, ++ const struct sfp_eeprom_id *id, ++ const struct sfp_quirk *quirk) ++{ ++ memset(&bus->caps, 0, sizeof(bus->caps)); + +- if (bus->sfp_quirk && bus->sfp_quirk->modes) +- bus->sfp_quirk->modes(id, modes, interfaces); ++ sfp_module_parse_support(bus, id); ++ sfp_module_parse_port(bus, id); ++ sfp_module_parse_may_have_phy(bus, id); + +- linkmode_or(support, support, modes); ++ if (quirk && quirk->modes) ++ quirk->modes(id, bus->caps.link_modes, ++ bus->caps.interfaces); + } +-EXPORT_SYMBOL_GPL(sfp_parse_support); + + /** + * sfp_select_interface() - Select appropriate phy_interface_t mode +@@ -794,7 +826,7 @@ int sfp_module_insert(struct sfp_bus *bus, const struct sfp_eeprom_id *id, + const struct sfp_upstream_ops *ops = sfp_get_upstream_ops(bus); + int ret = 0; + +- bus->sfp_quirk = quirk; ++ sfp_init_module(bus, id, quirk); + + if (ops && ops->module_insert) + ret = ops->module_insert(bus->upstream, id); +@@ -809,8 +841,6 @@ void sfp_module_remove(struct sfp_bus *bus) + + if (ops && ops->module_remove) + ops->module_remove(bus->upstream); +- +- bus->sfp_quirk = NULL; + } + EXPORT_SYMBOL_GPL(sfp_module_remove); + +diff --git a/include/linux/sfp.h b/include/linux/sfp.h +index 60c65cea74f62..5fb59cf49882c 100644 +--- a/include/linux/sfp.h ++++ b/include/linux/sfp.h +@@ -521,6 +521,28 @@ struct ethtool_eeprom; + struct ethtool_modinfo; + struct sfp_bus; + ++/** ++ * struct sfp_module_caps - sfp module capabilities ++ * @interfaces: bitmap of interfaces that the module may support ++ * @link_modes: bitmap of ethtool link modes that the module may support ++ */ ++struct sfp_module_caps { ++ DECLARE_PHY_INTERFACE_MASK(interfaces); ++ __ETHTOOL_DECLARE_LINK_MODE_MASK(link_modes); ++ /** ++ * @may_have_phy: indicate whether the module may have an ethernet PHY ++ * There is no way to be sure that a module has a PHY as the EEPROM ++ * doesn't contain this information. When set, this does not mean that ++ * the module definitely has a PHY. ++ */ ++ bool may_have_phy; ++ /** ++ * @port: one of ethtool %PORT_* definitions, parsed from the module ++ * EEPROM, or %PORT_OTHER if the port type is not known. ++ */ ++ u8 port; ++}; ++ + /** + * struct sfp_upstream_ops - upstream operations structure + * @attach: called when the sfp socket driver is bound to the upstream +-- +2.51.0 + diff --git a/queue-6.12/net-usb-r8152-fix-resume-reset-deadlock.patch b/queue-6.12/net-usb-r8152-fix-resume-reset-deadlock.patch new file mode 100644 index 0000000000..510a032c71 --- /dev/null +++ b/queue-6.12/net-usb-r8152-fix-resume-reset-deadlock.patch @@ -0,0 +1,107 @@ +From 78551346a8796c681f887aeff7b0acc74bd930b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 12:10:30 +0900 +Subject: net: usb: r8152: fix resume reset deadlock + +From: Sergey Senozhatsky + +[ Upstream commit 6d06bc83a5ae8777a5f7a81c32dd75b8d9b2fe04 ] + +rtl8152 can trigger device reset during reset which +potentially can result in a deadlock: + + **** DPM device timeout after 10 seconds; 15 seconds until panic **** + Call Trace: + + schedule+0x483/0x1370 + schedule_preempt_disabled+0x15/0x30 + __mutex_lock_common+0x1fd/0x470 + __rtl8152_set_mac_address+0x80/0x1f0 + dev_set_mac_address+0x7f/0x150 + rtl8152_post_reset+0x72/0x150 + usb_reset_device+0x1d0/0x220 + rtl8152_resume+0x99/0xc0 + usb_resume_interface+0x3e/0xc0 + usb_resume_both+0x104/0x150 + usb_resume+0x22/0x110 + +The problem is that rtl8152 resume calls reset under +tp->control mutex while reset basically re-enters rtl8152 +and attempts to acquire the same tp->control lock once +again. + +Reset INACCESSIBLE device outside of tp->control mutex +scope to avoid recursive mutex_lock() deadlock. + +Fixes: 4933b066fefb ("r8152: If inaccessible at resume time, issue a reset") +Reviewed-by: Douglas Anderson +Signed-off-by: Sergey Senozhatsky +Link: https://patch.msgid.link/20260129031106.3805887-1-senozhatsky@chromium.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 3fcd2b736c5e3..d27e62939bf13 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -8565,19 +8565,6 @@ static int rtl8152_system_resume(struct r8152 *tp) + usb_submit_urb(tp->intr_urb, GFP_NOIO); + } + +- /* If the device is RTL8152_INACCESSIBLE here then we should do a +- * reset. This is important because the usb_lock_device_for_reset() +- * that happens as a result of usb_queue_reset_device() will silently +- * fail if the device was suspended or if too much time passed. +- * +- * NOTE: The device is locked here so we can directly do the reset. +- * We don't need usb_lock_device_for_reset() because that's just a +- * wrapper over device_lock() and device_resume() (which calls us) +- * does that for us. +- */ +- if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) +- usb_reset_device(tp->udev); +- + return 0; + } + +@@ -8688,19 +8675,33 @@ static int rtl8152_suspend(struct usb_interface *intf, pm_message_t message) + static int rtl8152_resume(struct usb_interface *intf) + { + struct r8152 *tp = usb_get_intfdata(intf); ++ bool runtime_resume = test_bit(SELECTIVE_SUSPEND, &tp->flags); + int ret; + + mutex_lock(&tp->control); + + rtl_reset_ocp_base(tp); + +- if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) ++ if (runtime_resume) + ret = rtl8152_runtime_resume(tp); + else + ret = rtl8152_system_resume(tp); + + mutex_unlock(&tp->control); + ++ /* If the device is RTL8152_INACCESSIBLE here then we should do a ++ * reset. This is important because the usb_lock_device_for_reset() ++ * that happens as a result of usb_queue_reset_device() will silently ++ * fail if the device was suspended or if too much time passed. ++ * ++ * NOTE: The device is locked here so we can directly do the reset. ++ * We don't need usb_lock_device_for_reset() because that's just a ++ * wrapper over device_lock() and device_resume() (which calls us) ++ * does that for us. ++ */ ++ if (!runtime_resume && test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ usb_reset_device(tp->udev); ++ + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.12/net-usb-sr9700-support-devices-with-virtual-driver-c.patch b/queue-6.12/net-usb-sr9700-support-devices-with-virtual-driver-c.patch new file mode 100644 index 0000000000..d3d16b878f --- /dev/null +++ b/queue-6.12/net-usb-sr9700-support-devices-with-virtual-driver-c.patch @@ -0,0 +1,44 @@ +From 39ce96f88a70b955403c382c3be5dc3994dc56ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 22:24:51 -0800 +Subject: net: usb: sr9700: support devices with virtual driver CD + +From: Ethan Nelson-Moore + +[ Upstream commit bf4172bd870c3a34d3065cbb39192c22cbd7b18d ] + +Some SR9700 devices have an SPI flash chip containing a virtual driver +CD, in which case they appear as a device with two interfaces and +product ID 0x9702. Interface 0 is the driver CD and interface 1 is the +Ethernet device. + +Link: https://github.com/name-kurniawan/usb-lan +Link: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=2185 +Signed-off-by: Ethan Nelson-Moore +Link: https://patch.msgid.link/20251211062451.139036-1-enelsonmoore@gmail.com +[pabeni@redhat.com: fixes link tags] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 9587eb98cdb3b..213b4817cfdf6 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -539,6 +539,11 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x9700), /* SR9700 device */ + .driver_info = (unsigned long)&sr9700_driver_info, + }, ++ { ++ /* SR9700 with virtual driver CD-ROM - interface 0 is the CD-ROM device */ ++ USB_DEVICE_INTERFACE_NUMBER(0x0fe6, 0x9702, 1), ++ .driver_info = (unsigned long)&sr9700_driver_info, ++ }, + {}, /* END */ + }; + +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch b/queue-6.12/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch new file mode 100644 index 0000000000..a65ffc5c25 --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch @@ -0,0 +1,72 @@ +From 15dd83d50c46b3bb8fe4dae4b2babb7de1b54215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 17:46:58 +0100 +Subject: netfilter: nf_tables: fix inverted genmask check in + nft_map_catchall_activate() + +From: Andrew Fasano + +[ Upstream commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 ] + +nft_map_catchall_activate() has an inverted element activity check +compared to its non-catchall counterpart nft_mapelem_activate() and +compared to what is logically required. + +nft_map_catchall_activate() is called from the abort path to re-activate +catchall map elements that were deactivated during a failed transaction. +It should skip elements that are already active (they don't need +re-activation) and process elements that are inactive (they need to be +restored). Instead, the current code does the opposite: it skips inactive +elements and processes active ones. + +Compare the non-catchall activate callback, which is correct: + + nft_mapelem_activate(): + if (nft_set_elem_active(ext, iter->genmask)) + return 0; /* skip active, process inactive */ + +With the buggy catchall version: + + nft_map_catchall_activate(): + if (!nft_set_elem_active(ext, genmask)) + continue; /* skip inactive, process active */ + +The consequence is that when a DELSET operation is aborted, +nft_setelem_data_activate() is never called for the catchall element. +For NFT_GOTO verdict elements, this means nft_data_hold() is never +called to restore the chain->use reference count. Each abort cycle +permanently decrements chain->use. Once chain->use reaches zero, +DELCHAIN succeeds and frees the chain while catchall verdict elements +still reference it, resulting in a use-after-free. + +This is exploitable for local privilege escalation from an unprivileged +user via user namespaces + nftables on distributions that enable +CONFIG_USER_NS and CONFIG_NF_TABLES. + +Fix by removing the negation so the check matches nft_mapelem_activate(): +skip active elements, process inactive ones. + +Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") +Signed-off-by: Andrew Fasano +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c3613d8e7d725..3bf88c137868a 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5700,7 +5700,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, + + list_for_each_entry(catchall, &set->catchall_list, list) { + ext = nft_set_elem_ext(set, catchall->elem); +- if (!nft_set_elem_active(ext, genmask)) ++ if (nft_set_elem_active(ext, genmask)) + continue; + + nft_clear(ctx->net, ext); +-- +2.51.0 + diff --git a/queue-6.12/netfilter-replace-eexist-with-ebusy.patch b/queue-6.12/netfilter-replace-eexist-with-ebusy.patch new file mode 100644 index 0000000000..e0c9a7394f --- /dev/null +++ b/queue-6.12/netfilter-replace-eexist-with-ebusy.patch @@ -0,0 +1,84 @@ +From d7c8d607f283b961065897b1880ee236c10c42cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 06:13:20 +0100 +Subject: netfilter: replace -EEXIST with -EBUSY + +From: Daniel Gomez + +[ Upstream commit 2bafeb8d2f380c3a81d98bd7b78b854b564f9cd4 ] + +The -EEXIST error code is reserved by the module loading infrastructure +to indicate that a module is already loaded. When a module's init +function returns -EEXIST, userspace tools like kmod interpret this as +"module already loaded" and treat the operation as successful, returning +0 to the user even though the module initialization actually failed. + +Replace -EEXIST with -EBUSY to ensure correct error reporting in the module +initialization path. + +Affected modules: + * ebtable_broute ebtable_filter ebtable_nat arptable_filter + * ip6table_filter ip6table_mangle ip6table_nat ip6table_raw + * ip6table_security iptable_filter iptable_mangle iptable_nat + * iptable_raw iptable_security + +Signed-off-by: Daniel Gomez +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 2 +- + net/netfilter/nf_log.c | 4 ++-- + net/netfilter/x_tables.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 3e67d4aff419b..a461c59ad2859 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1299,7 +1299,7 @@ int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct ne + list_for_each_entry(tmpl, &template_tables, list) { + if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) { + mutex_unlock(&ebt_mutex); +- return -EEXIST; ++ return -EBUSY; + } + } + +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index 6dd0de33eebd8..e684ab7198c72 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -89,7 +89,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + if (pf == NFPROTO_UNSPEC) { + for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) { + if (rcu_access_pointer(loggers[i][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + } +@@ -97,7 +97,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + rcu_assign_pointer(loggers[i][logger->type], logger); + } else { + if (rcu_access_pointer(loggers[pf][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + rcu_assign_pointer(loggers[pf][logger->type], logger); +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 709840612f0df..ada27e24f7021 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1762,7 +1762,7 @@ EXPORT_SYMBOL_GPL(xt_hook_ops_alloc); + int xt_register_template(const struct xt_table *table, + int (*table_init)(struct net *net)) + { +- int ret = -EEXIST, af = table->af; ++ int ret = -EBUSY, af = table->af; + struct xt_template *t; + + mutex_lock(&xt[af].mutex); +-- +2.51.0 + diff --git a/queue-6.12/nvme-fc-release-admin-tagset-if-init-fails.patch b/queue-6.12/nvme-fc-release-admin-tagset-if-init-fails.patch new file mode 100644 index 0000000000..552a4311ac --- /dev/null +++ b/queue-6.12/nvme-fc-release-admin-tagset-if-init-fails.patch @@ -0,0 +1,52 @@ +From 3a7037953f35775a028b5cee28534ec1e9ad4c62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:18:42 -0800 +Subject: nvme-fc: release admin tagset if init fails + +From: Chaitanya Kulkarni + +[ Upstream commit d1877cc7270302081a315a81a0ee8331f19f95c8 ] + +nvme_fabrics creates an NVMe/FC controller in following path: + + nvmf_dev_write() + -> nvmf_create_ctrl() + -> nvme_fc_create_ctrl() + -> nvme_fc_init_ctrl() + +nvme_fc_init_ctrl() allocates the admin blk-mq resources right after +nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing +the controller state, scheduling connect work, etc.), we jump to the +fail_ctrl path, which tears down the controller references but never +frees the admin queue/tag set. The leaked blk-mq allocations match the +kmemleak report seen during blktests nvme/fc. + +Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call +nvme_remove_admin_tag_set() when it is set so that all admin queue +allocations are reclaimed whenever controller setup aborts. + +Reported-by: Yi Zhang +Reviewed-by: Justin Tee +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 3d90ace0b537e..9e2d370b4ca81 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3578,6 +3578,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + ctrl->ctrl.opts = NULL; + ++ if (ctrl->ctrl.admin_tagset) ++ nvme_remove_admin_tag_set(&ctrl->ctrl); + /* initiate nvme ctrl ref counting teardown */ + nvme_uninit_ctrl(&ctrl->ctrl); + +-- +2.51.0 + diff --git a/queue-6.12/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch b/queue-6.12/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch new file mode 100644 index 0000000000..5ba8623c5e --- /dev/null +++ b/queue-6.12/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch @@ -0,0 +1,51 @@ +From f66afbd9e79718381eef85466e30e230b495805d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 11:32:45 +0200 +Subject: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() + +From: Hannes Reinecke + +[ Upstream commit 2fa8961d3a6a1c2395d8d560ffed2c782681bade ] + +When the socket is closed while in TCP_LISTEN a callback is run to +flush all outstanding packets, which in turns calls +nvmet_tcp_listen_data_ready() with the sk_callback_lock held. +So we need to check if we are in TCP_LISTEN before attempting +to get the sk_callback_lock() to avoid a deadlock. + +Link: https://lore.kernel.org/linux-nvme/CAHj4cs-zu7eVB78yUpFjVe2UqMWFkLk8p+DaS3qj+uiGCXBAoA@mail.gmail.com/ +Tested-by: Yi Zhang +Reviewed-by: Sagi Grimberg +Signed-off-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index c1cc8ed090bfd..0ca261cb1823c 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -2033,14 +2033,13 @@ static void nvmet_tcp_listen_data_ready(struct sock *sk) + + trace_sk_data_ready(sk); + ++ if (sk->sk_state != TCP_LISTEN) ++ return; ++ + read_lock_bh(&sk->sk_callback_lock); + port = sk->sk_user_data; +- if (!port) +- goto out; +- +- if (sk->sk_state == TCP_LISTEN) ++ if (port) + queue_work(nvmet_wq, &port->accept_work); +-out: + read_unlock_bh(&sk->sk_callback_lock); + } + +-- +2.51.0 + diff --git a/queue-6.12/pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch b/queue-6.12/pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch new file mode 100644 index 0000000000..5e9e0d2e50 --- /dev/null +++ b/queue-6.12/pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch @@ -0,0 +1,61 @@ +From 1aacbf2cdb2664533f2c2b92d0fceeddc71a1963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 13:47:18 +0530 +Subject: PCI: qcom: Remove ASPM L0s support for MSM8996 SoC + +From: Manivannan Sadhasivam + +[ Upstream commit 0cc13256b60510936c34098ee7b929098eed823b ] + +Though I couldn't confirm ASPM L0s support with the Qcom hardware team, a +bug report from Dmitry suggests that L0s is broken on this legacy SoC. +Hence, remove L0s support from the Root Port Link Capabilities in this SoC. + +Since qcom_pcie_clear_aspm_l0s() is now used by more than one SoC config, +call it from qcom_pcie_host_init() instead. + +Reported-by: Dmitry Baryshkov +Closes: https://lore.kernel.org/linux-pci/4cp5pzmlkkht2ni7us6p3edidnk25l45xrp6w3fxguqcvhq2id@wjqqrdpkypkf +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Tested-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://patch.msgid.link/20251126081718.8239-1-mani@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-qcom.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c +index 4c141e05f84e9..2fca35dd72a76 100644 +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1010,7 +1010,6 @@ static int qcom_pcie_post_init_2_7_0(struct qcom_pcie *pcie) + writel(WR_NO_SNOOP_OVERIDE_EN | RD_NO_SNOOP_OVERIDE_EN, + pcie->parf + PARF_NO_SNOOP_OVERIDE); + +- qcom_pcie_clear_aspm_l0s(pcie->pci); + qcom_pcie_clear_hpc(pcie->pci); + + return 0; +@@ -1255,6 +1254,8 @@ static int qcom_pcie_host_init(struct dw_pcie_rp *pp) + goto err_disable_phy; + } + ++ qcom_pcie_clear_aspm_l0s(pcie->pci); ++ + qcom_ep_reset_deassert(pcie); + + if (pcie->cfg->ops->config_sid) { +@@ -1393,6 +1394,7 @@ static const struct qcom_pcie_cfg cfg_2_1_0 = { + + static const struct qcom_pcie_cfg cfg_2_3_2 = { + .ops = &ops_2_3_2, ++ .no_l0s = true, + }; + + static const struct qcom_pcie_cfg cfg_2_3_3 = { +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch b/queue-6.12/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch new file mode 100644 index 0000000000..f4d89878ae --- /dev/null +++ b/queue-6.12/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch @@ -0,0 +1,46 @@ +From ab5f040404ff65d5bf72db07b5b818aec81a94b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 13:04:45 -0600 +Subject: platform/x86: hp-bioscfg: Skip empty attribute names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 6222883af286e2feb3c9ff2bf9fd8fdf4220c55a ] + +Avoid registering kobjects with empty names when a BIOS attribute +name decodes to an empty string. + +Fixes: a34fc329b1895 ("platform/x86: hp-bioscfg: bioscfg") +Reported-by: Alain Cousinie +Closes: https://lore.kernel.org/platform-driver-x86/22ed5f78-c8bf-4ab4-8c38-420cc0201e7e@laposte.net/ +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260128190501.2170068-1-mario.limonciello@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +index 405b248442ab0..3571780f5ef89 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +@@ -699,6 +699,11 @@ static int hp_init_bios_package_attribute(enum hp_wmi_data_type attr_type, + return ret; + } + ++ if (!str_value || !str_value[0]) { ++ pr_debug("Ignoring attribute with empty name\n"); ++ goto pack_attr_exit; ++ } ++ + /* All duplicate attributes found are ignored */ + duplicate = kset_find_obj(temp_kset, str_value); + if (duplicate) { +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch b/queue-6.12/platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch new file mode 100644 index 0000000000..bac5656ef9 --- /dev/null +++ b/queue-6.12/platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch @@ -0,0 +1,41 @@ +From 4e2ffd7388199ff6486cb00d999a8ac8e9f54ec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 15:45:40 -0800 +Subject: platform/x86/intel/tpmi/plr: Make the file domain/status writeable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Neri + +[ Upstream commit 008bec8ffe6e7746588d1e12c5b3865fa478fc91 ] + +The file sys/kernel/debug/tpmi-/plr/domain/status has store and show +callbacks. Make it writeable. + +Fixes: 811f67c51636d ("platform/x86/intel/tpmi: Add new auxiliary driver for performance limits") +Signed-off-by: Ricardo Neri +Link: https://patch.msgid.link/20260127-plr-debugfs-write-v1-1-1fffbc370b1e@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/intel_plr_tpmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/intel_plr_tpmi.c b/drivers/platform/x86/intel/intel_plr_tpmi.c +index 69ace6a629bc7..ffb2f7ffc7b51 100644 +--- a/drivers/platform/x86/intel/intel_plr_tpmi.c ++++ b/drivers/platform/x86/intel/intel_plr_tpmi.c +@@ -315,7 +315,7 @@ static int intel_plr_probe(struct auxiliary_device *auxdev, const struct auxilia + snprintf(name, sizeof(name), "domain%d", i); + + dentry = debugfs_create_dir(name, plr->dbgfs_dir); +- debugfs_create_file("status", 0444, dentry, &plr->die_info[i], ++ debugfs_create_file("status", 0644, dentry, &plr->die_info[i], + &plr_status_fops); + } + +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-intel_telemetry-fix-pss-event-register-.patch b/queue-6.12/platform-x86-intel_telemetry-fix-pss-event-register-.patch new file mode 100644 index 0000000000..172df082c5 --- /dev/null +++ b/queue-6.12/platform-x86-intel_telemetry-fix-pss-event-register-.patch @@ -0,0 +1,48 @@ +From ad7ab17a611263c9665e818b7a890d4a29c72bf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 11:41:44 +0530 +Subject: platform/x86: intel_telemetry: Fix PSS event register mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kaushlendra Kumar + +[ Upstream commit 39e9c376ac42705af4ed4ae39eec028e8bced9b4 ] + +The PSS telemetry info parsing incorrectly applies +TELEM_INFO_SRAMEVTS_MASK when extracting event register +count from firmware response. This reads bits 15-8 instead +of the correct bits 7-0, causing misdetection of hardware +capabilities. + +The IOSS path correctly uses TELEM_INFO_NENABLES_MASK for +register count. Apply the same mask to PSS parsing for +consistency. + +Fixes: 9d16b482b059 ("platform:x86: Add Intel telemetry platform driver") +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20251224061144.3925519-1-kaushlendra.kumar@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/telemetry/pltdrv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/telemetry/pltdrv.c b/drivers/platform/x86/intel/telemetry/pltdrv.c +index 767a0bc6c7ad5..29991bc80dada 100644 +--- a/drivers/platform/x86/intel/telemetry/pltdrv.c ++++ b/drivers/platform/x86/intel/telemetry/pltdrv.c +@@ -610,7 +610,7 @@ static int telemetry_setup(struct platform_device *pdev) + /* Get telemetry Info */ + events = (read_buf & TELEM_INFO_SRAMEVTS_MASK) >> + TELEM_INFO_SRAMEVTS_SHIFT; +- event_regs = read_buf & TELEM_INFO_SRAMEVTS_MASK; ++ event_regs = read_buf & TELEM_INFO_NENABLES_MASK; + if ((events < TELEM_MAX_EVENTS_SRAM) || + (event_regs < TELEM_MAX_EVENTS_SRAM)) { + dev_err(&pdev->dev, "PSS:Insufficient Space for SRAM Trace\n"); +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch b/queue-6.12/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch new file mode 100644 index 0000000000..24373f5274 --- /dev/null +++ b/queue-6.12/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch @@ -0,0 +1,42 @@ +From 856317fff139b763878c9a7f97efff7011d455a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 16:38:45 +0200 +Subject: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines + +From: Rafael J. Wysocki + +[ Upstream commit 128497456756e1b952bd5a912cd073836465109d ] + +toshiba_haps_add() leaks the haps object allocated by it if it returns +an error after allocating that object successfully. + +toshiba_haps_remove() does not free the object pointed to by +toshiba_haps before clearing that pointer, so it becomes unreachable +allocated memory. + +Address these memory leaks by using devm_kzalloc() for allocating +the memory in question. + +Fixes: 23d0ba0c908a ("platform/x86: Toshiba HDD Active Protection Sensor") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/toshiba_haps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/toshiba_haps.c b/drivers/platform/x86/toshiba_haps.c +index 03dfddeee0c0a..e9324bf16aea4 100644 +--- a/drivers/platform/x86/toshiba_haps.c ++++ b/drivers/platform/x86/toshiba_haps.c +@@ -183,7 +183,7 @@ static int toshiba_haps_add(struct acpi_device *acpi_dev) + + pr_info("Toshiba HDD Active Protection Sensor device\n"); + +- haps = kzalloc(sizeof(struct toshiba_haps_dev), GFP_KERNEL); ++ haps = devm_kzalloc(&acpi_dev->dev, sizeof(*haps), GFP_KERNEL); + if (!haps) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.12/regmap-maple-free-entry-on-mas_store_gfp-failure.patch b/queue-6.12/regmap-maple-free-entry-on-mas_store_gfp-failure.patch new file mode 100644 index 0000000000..d1fdd5a3e7 --- /dev/null +++ b/queue-6.12/regmap-maple-free-entry-on-mas_store_gfp-failure.patch @@ -0,0 +1,51 @@ +From 657296fa405bfd155edf6a412997167ebaa2b40c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 08:48:20 +0530 +Subject: regmap: maple: free entry on mas_store_gfp() failure + +From: Kaushlendra Kumar + +[ Upstream commit f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8 ] + +regcache_maple_write() allocates a new block ('entry') to merge +adjacent ranges and then stores it with mas_store_gfp(). +When mas_store_gfp() fails, the new 'entry' remains allocated and +is never freed, leaking memory. + +Free 'entry' on the failure path; on success continue freeing the +replaced neighbor blocks ('lower', 'upper'). + +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20260105031820.260119-1-kaushlendra.kumar@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache-maple.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/regmap/regcache-maple.c b/drivers/base/regmap/regcache-maple.c +index 23da7b31d7153..34440e188f925 100644 +--- a/drivers/base/regmap/regcache-maple.c ++++ b/drivers/base/regmap/regcache-maple.c +@@ -96,12 +96,13 @@ static int regcache_maple_write(struct regmap *map, unsigned int reg, + + mas_unlock(&mas); + +- if (ret == 0) { +- kfree(lower); +- kfree(upper); ++ if (ret) { ++ kfree(entry); ++ return ret; + } +- +- return ret; ++ kfree(lower); ++ kfree(upper); ++ return 0; + } + + static int regcache_maple_drop(struct regmap *map, unsigned int min, +-- +2.51.0 + diff --git a/queue-6.12/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch b/queue-6.12/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch new file mode 100644 index 0000000000..3aad30de38 --- /dev/null +++ b/queue-6.12/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch @@ -0,0 +1,69 @@ +From 89c3f91227bd2c5eb5636e671bc4c116feeaebe4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 14:50:07 +0800 +Subject: ring-buffer: Avoid softlockup in ring_buffer_resize() during memory + free + +From: Wupeng Ma + +[ Upstream commit 6435ffd6c7fcba330dfa91c58dc30aed2df3d0bf ] + +When user resize all trace ring buffer through file 'buffer_size_kb', +then in ring_buffer_resize(), kernel allocates buffer pages for each +cpu in a loop. + +If the kernel preemption model is PREEMPT_NONE and there are many cpus +and there are many buffer pages to be freed, it may not give up cpu +for a long time and finally cause a softlockup. + +To avoid it, call cond_resched() after each cpu buffer free as Commit +f6bd2c92488c ("ring-buffer: Avoid softlockup in ring_buffer_resize()") +does. + +Detailed call trace as follow: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 24-....: (14837 ticks this GP) idle=521c/1/0x4000000000000000 softirq=230597/230597 fqs=5329 + rcu: (t=15004 jiffies g=26003221 q=211022 ncpus=96) + CPU: 24 UID: 0 PID: 11253 Comm: bash Kdump: loaded Tainted: G EL 6.18.2+ #278 NONE + pc : arch_local_irq_restore+0x8/0x20 + arch_local_irq_restore+0x8/0x20 (P) + free_frozen_page_commit+0x28c/0x3b0 + __free_frozen_pages+0x1c0/0x678 + ___free_pages+0xc0/0xe0 + free_pages+0x3c/0x50 + ring_buffer_resize.part.0+0x6a8/0x880 + ring_buffer_resize+0x3c/0x58 + __tracing_resize_ring_buffer.part.0+0x34/0xd8 + tracing_resize_ring_buffer+0x8c/0xd0 + tracing_entries_write+0x74/0xd8 + vfs_write+0xcc/0x288 + ksys_write+0x74/0x118 + __arm64_sys_write+0x24/0x38 + +Cc: +Link: https://patch.msgid.link/20251228065008.2396573-1-mawupeng1@huawei.com +Signed-off-by: Wupeng Ma +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index a785cc3839338..2c42e26ced6b6 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2974,6 +2974,8 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, + list) { + list_del_init(&bpage->list); + free_buffer_page(bpage); ++ ++ cond_resched(); + } + } + out_err_unlock: +-- +2.51.0 + diff --git a/queue-6.12/riscv-sanitize-syscall-table-indexing-under-speculat.patch b/queue-6.12/riscv-sanitize-syscall-table-indexing-under-speculat.patch new file mode 100644 index 0000000000..faa0cbff96 --- /dev/null +++ b/queue-6.12/riscv-sanitize-syscall-table-indexing-under-speculat.patch @@ -0,0 +1,41 @@ +From ed298b7f3e2d7098b0ba73e3ce03f1bfcbaa1570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 20:13:32 +0100 +Subject: riscv: Sanitize syscall table indexing under speculation + +From: Lukas Gerlach + +[ Upstream commit 25fd7ee7bf58ac3ec7be3c9f82ceff153451946c ] + +The syscall number is a user-controlled value used to index into the +syscall table. Use array_index_nospec() to clamp this value after the +bounds check to prevent speculative out-of-bounds access and subsequent +data leakage via cache side channels. + +Signed-off-by: Lukas Gerlach +Link: https://patch.msgid.link/20251218191332.35849-3-lukas.gerlach@cispa.de +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/traps.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c +index 80230de167def..47afea4ff1a8d 100644 +--- a/arch/riscv/kernel/traps.c ++++ b/arch/riscv/kernel/traps.c +@@ -339,8 +339,10 @@ void do_trap_ecall_u(struct pt_regs *regs) + + add_random_kstack_offset(); + +- if (syscall >= 0 && syscall < NR_syscalls) ++ if (syscall >= 0 && syscall < NR_syscalls) { ++ syscall = array_index_nospec(syscall, NR_syscalls); + syscall_handler(regs, syscall); ++ } + + /* + * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), +-- +2.51.0 + diff --git a/queue-6.12/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch b/queue-6.12/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch new file mode 100644 index 0000000000..c0e1128599 --- /dev/null +++ b/queue-6.12/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch @@ -0,0 +1,51 @@ +From 50617558a9379f67062186f61f5bc1a7885890d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:51 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_conn_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 9411a89e9e7135cc459178fa77a3f1d6191ae903 ] + +In iscsit_dec_conn_usage_count(), the function calls complete() while +holding the conn->conn_usage_lock. As soon as complete() is invoked, the +waiter (such as iscsit_close_connection()) may wake up and proceed to free +the iscsit_conn structure. + +If the waiter frees the memory before the current thread reaches +spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function +attempts to release a lock within the already-freed connection structure. + +Fix this by releasing the spinlock before calling complete(). + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index ee0cf2c74952a..b7fa8eed213bb 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -857,8 +857,11 @@ void iscsit_dec_conn_usage_count(struct iscsit_conn *conn) + spin_lock_bh(&conn->conn_usage_lock); + conn->conn_usage_count--; + +- if (!conn->conn_usage_count && conn->conn_waiting_on_uc) ++ if (!conn->conn_usage_count && conn->conn_waiting_on_uc) { ++ spin_unlock_bh(&conn->conn_usage_lock); + complete(&conn->conn_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&conn->conn_usage_lock); + } +-- +2.51.0 + diff --git a/queue-6.12/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch b/queue-6.12/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch new file mode 100644 index 0000000000..0200f4ae21 --- /dev/null +++ b/queue-6.12/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch @@ -0,0 +1,53 @@ +From f25f3f89a10873ff26c4ffb5e979cd11b3dd1433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:52 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_session_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 84dc6037390b8607c5551047d3970336cb51ba9a ] + +In iscsit_dec_session_usage_count(), the function calls complete() while +holding the sess->session_usage_lock. Similar to the connection usage count +logic, the waiter signaled by complete() (e.g., in the session release +path) may wake up and free the iscsit_session structure immediately. + +This creates a race condition where the current thread may attempt to +execute spin_unlock_bh() on a session structure that has already been +deallocated, resulting in a KASAN slab-use-after-free. + +To resolve this, release the session_usage_lock before calling complete() +to ensure all dereferences of the sess pointer are finished before the +waiter is allowed to proceed with deallocation. + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 91a75a4a7cc1a..ee0cf2c74952a 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -785,8 +785,11 @@ void iscsit_dec_session_usage_count(struct iscsit_session *sess) + spin_lock_bh(&sess->session_usage_lock); + sess->session_usage_count--; + +- if (!sess->session_usage_count && sess->session_waiting_on_uc) ++ if (!sess->session_usage_count && sess->session_waiting_on_uc) { ++ spin_unlock_bh(&sess->session_usage_lock); + complete(&sess->session_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&sess->session_usage_lock); + } +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 6a9ad840b7..db789e72f9 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -27,3 +27,79 @@ binderfs-fix-ida_alloc_max-upper-bound.patch kvm-selftests-add-u_fortify_source-to-avoid-some-unpredictable-test-failures.patch procfs-avoid-fetching-build-id-while-holding-vma-lock.patch tracing-fix-ftrace-event-field-alignments.patch +wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch +wifi-wlcore-ensure-skb-headroom-before-skb_push.patch +net-usb-sr9700-support-devices-with-virtual-driver-c.patch +block-bfq-fix-aux-stat-accumulation-destination.patch +smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch +loongarch-set-correct-protection_map-for-vm_none-vm_.patch +md-suspend-array-while-updating-raid_disks-via-sysfs.patch +smb-server-fix-refcount-leak-in-smb2_open.patch +loongarch-enable-exception-fixup-for-specific-ade-su.patch +smb-server-fix-refcount-leak-in-parse_durable_handle.patch +hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch +hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch +btrfs-fix-reservation-leak-in-some-error-paths-when-.patch +riscv-sanitize-syscall-table-indexing-under-speculat.patch +hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch +hid-playstation-center-initial-joystick-axes-to-prev.patch +alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch +alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch +pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch +netfilter-replace-eexist-with-ebusy.patch +hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch +hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch +hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch +drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch +ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch +hid-logitech-add-hid-support-for-logitech-mx-anywher.patch +wifi-mac80211-collect-station-statistics-earlier-whe.patch +asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch +asoc-simple-card-utils-check-device-node-before-over.patch +nvme-fc-release-admin-tagset-if-init-fails.patch +nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch +asoc-amd-yc-fix-microphone-on-asus-m6500re.patch +asoc-tlv320adcx140-propagate-error-codes-during-prob.patch +spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch +regmap-maple-free-entry-on-mas_store_gfp-failure.patch +wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch +alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch +wifi-mac80211-correctly-check-if-csa-is-active.patch +wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch +btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch +alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch +platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch +platform-x86-intel_telemetry-fix-pss-event-register-.patch +platform-x86-hp-bioscfg-skip-empty-attribute-names.patch +platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch +smb-client-fix-memory-leak-in-smb2_open_file.patch +net-add-skb_header_pointer_careful-helper.patch +net-sched-cls_u32-use-skb_header_pointer_careful.patch +dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch +net-liquidio-initialize-netdev-pointer-before-queue-.patch +net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch +net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch +dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch +net-phy-add-phy_interface_weight.patch +net-phy-add-phy_interface_copy.patch +net-sfp-pre-parse-the-module-support.patch +net-sfp-convert-sfp-quirks-to-modify-struct-sfp_modu.patch +net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch +macvlan-fix-error-recovery-in-macvlan_common_newlink.patch +net-usb-r8152-fix-resume-reset-deadlock.patch +net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch +tipc-use-kfree_sensitive-for-session-key-material.patch +drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch +net-ethernet-adi-adin1110-check-return-value-of-devm.patch +net-gro-fix-outer-network-offset.patch +drm-mgag200-fix-mgag200_bmc_stop_scanout.patch +drm-xe-query-fix-topology-query-pointer-advance.patch +drm-xe-pm-also-avoid-missing-outer-rpm-warning-on-sy.patch +drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch +hwmon-occ-mark-occ_init_attribute-as-__printf.patch +netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch +ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch +alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch +asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch diff --git a/queue-6.12/smb-client-fix-memory-leak-in-smb2_open_file.patch b/queue-6.12/smb-client-fix-memory-leak-in-smb2_open_file.patch new file mode 100644 index 0000000000..910715bf8f --- /dev/null +++ b/queue-6.12/smb-client-fix-memory-leak-in-smb2_open_file.patch @@ -0,0 +1,72 @@ +From e601c4b91dc99d318d9f1121e72154d8e9f9b48e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 08:24:07 +0000 +Subject: smb/client: fix memory leak in smb2_open_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: ChenXiaoSong + +[ Upstream commit e3a43633023e3cacaca60d4b8972d084a2b06236 ] + +Reproducer: + + 1. server: directories are exported read-only + 2. client: mount -t cifs //${server_ip}/export /mnt + 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct + 4. client: umount /mnt + 5. client: sleep 1 + 6. client: modprobe -r cifs + +The error message is as follows: + + ============================================================================= + BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown() + ----------------------------------------------------------------------------- + + Object 0x00000000d47521be @offset=14336 + ... + WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577 + ... + Call Trace: + + kmem_cache_destroy+0x94/0x190 + cifs_destroy_request_bufs+0x3e/0x50 [cifs] + cleanup_module+0x4e/0x540 [cifs] + __se_sys_delete_module+0x278/0x400 + __x64_sys_delete_module+0x5f/0x70 + x64_sys_call+0x2299/0x2ff0 + do_syscall_64+0x89/0x350 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + ... + kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs] + WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577 + +Link: https://lore.kernel.org/linux-cifs/9751f02d-d1df-4265-a7d6-b19761b21834@linux.dev/T/#mf14808c144448b715f711ce5f0477a071f08eaf6 +Fixes: e255612b5ed9 ("cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES") +Reported-by: Paulo Alcantara +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: ChenXiaoSong +Reviewed-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c +index b313c128ffbab..414242a33d61a 100644 +--- a/fs/smb/client/smb2file.c ++++ b/fs/smb/client/smb2file.c +@@ -122,6 +122,7 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms, __u32 + rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, + &err_buftype); + if (rc == -EACCES && retry_without_read_attributes) { ++ free_rsp_buf(err_buftype, err_iov.iov_base); + oparms->desired_access &= ~FILE_READ_ATTRIBUTES; + rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, + &err_buftype); +-- +2.51.0 + diff --git a/queue-6.12/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch b/queue-6.12/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch new file mode 100644 index 0000000000..9be17d9663 --- /dev/null +++ b/queue-6.12/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch @@ -0,0 +1,47 @@ +From fdc130edf3e2a5f1bc69e0b0eff1ebe6c6022ebb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 22:51:01 +0800 +Subject: smb/server: call ksmbd_session_rpc_close() on error path in + create_smb2_pipe() + +From: ZhangGuoDong + +[ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ] + +When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). + +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index e2cde9723001e..a3c0754e3822b 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2281,7 +2281,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + { + struct smb2_create_rsp *rsp; + struct smb2_create_req *req; +- int id; ++ int id = -1; + int err; + char *name; + +@@ -2338,6 +2338,9 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + break; + } + ++ if (id >= 0) ++ ksmbd_session_rpc_close(work->sess, id); ++ + if (!IS_ERR(name)) + kfree(name); + +-- +2.51.0 + diff --git a/queue-6.12/smb-server-fix-refcount-leak-in-parse_durable_handle.patch b/queue-6.12/smb-server-fix-refcount-leak-in-parse_durable_handle.patch new file mode 100644 index 0000000000..a95d920d78 --- /dev/null +++ b/queue-6.12/smb-server-fix-refcount-leak-in-parse_durable_handle.patch @@ -0,0 +1,36 @@ +From 50fc92f784bba86f56eab91461b7b4c324e484b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 10:13:29 +0800 +Subject: smb/server: fix refcount leak in parse_durable_handle_context() + +From: ZhangGuoDong + +[ Upstream commit 3296c3012a9d9a27e81e34910384e55a6ff3cff0 ] + +When the command is a replay operation and -ENOEXEC is returned, +the refcount of ksmbd_file must be released. + +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 5641faa1f8952..ac8248479cba2 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2812,6 +2812,7 @@ static int parse_durable_handle_context(struct ksmbd_work *work, + SMB2_CLIENT_GUID_SIZE)) { + if (!(req->hdr.Flags & SMB2_FLAGS_REPLAY_OPERATION)) { + err = -ENOEXEC; ++ ksmbd_put_durable_fd(dh_info->fp); + goto out; + } + +-- +2.51.0 + diff --git a/queue-6.12/smb-server-fix-refcount-leak-in-smb2_open.patch b/queue-6.12/smb-server-fix-refcount-leak-in-smb2_open.patch new file mode 100644 index 0000000000..fb77164177 --- /dev/null +++ b/queue-6.12/smb-server-fix-refcount-leak-in-smb2_open.patch @@ -0,0 +1,41 @@ +From 7e4b9d0faa1fc3639bc43e2f27c81c2c54b420db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 11:15:18 +0800 +Subject: smb/server: fix refcount leak in smb2_open() + +From: ZhangGuoDong + +[ Upstream commit f416c556997aa56ec4384c6b6efd6a0e6ac70aa7 ] + +When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file +must be released. + +Suggested-by: Namjae Jeon +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index a3c0754e3822b..5641faa1f8952 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3006,10 +3006,10 @@ int smb2_open(struct ksmbd_work *work) + file_info = FILE_OPENED; + + rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat); ++ ksmbd_put_durable_fd(fp); + if (rc) + goto err_out2; + +- ksmbd_put_durable_fd(fp); + goto reconnected_fp; + } + } else if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) +-- +2.51.0 + diff --git a/queue-6.12/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch b/queue-6.12/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch new file mode 100644 index 0000000000..ad54f08bfb --- /dev/null +++ b/queue-6.12/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch @@ -0,0 +1,49 @@ +From af0b13d684a9473987f14bf2809edaa8b0d5c3c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 15:53:23 +0800 +Subject: spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi + debugfs initialization + +From: Devyn Liu + +[ Upstream commit b062a899c997df7b9ce29c62164888baa7a85833 ] + +In hisi_spi_debugfs_init, spi controller pointer is calculated +by container_of macro, and the member is hs->dev. But the host +cannot be calculated offset directly by this. (hs->dev) points +to (pdev->dev), and it is the (host->dev.parent) rather than +(host->dev) points to the (pdev->dev), which is set in +__spi_alloc_controller. + +In this patch, this issues is fixed by getting the spi_controller +data from pdev->dev by dev_get_drvdata() directly. (dev->driver_data) +points to the spi controller data in the probe stage. + +Signed-off-by: Devyn Liu +Reviewed-by: Yang Shen +Link: https://patch.msgid.link/20260108075323.3831574-1-liudingyuan@h-partners.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-hisi-kunpeng.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-hisi-kunpeng.c b/drivers/spi/spi-hisi-kunpeng.c +index 16054695bdb04..f0a50f40a3ba1 100644 +--- a/drivers/spi/spi-hisi-kunpeng.c ++++ b/drivers/spi/spi-hisi-kunpeng.c +@@ -161,10 +161,8 @@ static const struct debugfs_reg32 hisi_spi_regs[] = { + static int hisi_spi_debugfs_init(struct hisi_spi *hs) + { + char name[32]; ++ struct spi_controller *host = dev_get_drvdata(hs->dev); + +- struct spi_controller *host; +- +- host = container_of(hs->dev, struct spi_controller, dev); + snprintf(name, 32, "hisi_spi%d", host->bus_num); + hs->debugfs = debugfs_create_dir(name, NULL); + if (IS_ERR(hs->debugfs)) +-- +2.51.0 + diff --git a/queue-6.12/tipc-use-kfree_sensitive-for-session-key-material.patch b/queue-6.12/tipc-use-kfree_sensitive-for-session-key-material.patch new file mode 100644 index 0000000000..055caee2b7 --- /dev/null +++ b/queue-6.12/tipc-use-kfree_sensitive-for-session-key-material.patch @@ -0,0 +1,51 @@ +From d29516c7818bbb7ec8349106a9e793e1b76a7777 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 10:01:14 -0800 +Subject: tipc: use kfree_sensitive() for session key material + +From: Daniel Hodges + +[ Upstream commit 74d9391e8849e70ded5309222d09b0ed0edbd039 ] + +The rx->skey field contains a struct tipc_aead_key with GCM-AES +encryption keys used for TIPC cluster communication. Using plain +kfree() leaves this sensitive key material in freed memory pages +where it could potentially be recovered. + +Switch to kfree_sensitive() to ensure the key material is zeroed +before the memory is freed. + +Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange") +Signed-off-by: Daniel Hodges +Link: https://patch.msgid.link/20260131180114.2121438-1-hodgesd@meta.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index ea5bb131ebd06..2721baf9fd2b3 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1219,7 +1219,7 @@ void tipc_crypto_key_flush(struct tipc_crypto *c) + rx = c; + tx = tipc_net(rx->net)->crypto_tx; + if (cancel_delayed_work(&rx->work)) { +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + atomic_xchg(&rx->key_distr, 0); + tipc_node_put(rx->node); +@@ -2394,7 +2394,7 @@ static void tipc_crypto_work_rx(struct work_struct *work) + break; + default: + synchronize_rcu(); +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + break; + } +-- +2.51.0 + diff --git a/queue-6.12/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch b/queue-6.12/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch new file mode 100644 index 0000000000..9206930305 --- /dev/null +++ b/queue-6.12/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch @@ -0,0 +1,59 @@ +From 1c1705a76776b1245bf51f6c717758ec65f5233e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:30:04 +0530 +Subject: wifi: cfg80211: Fix bitrate calculation overflow for HE rates + +From: Veerendranath Jakkam + +[ Upstream commit a3034bf0746d88a00cceda9541534a5721445a24 ] + +An integer overflow occurs in cfg80211_calculate_bitrate_he() when +calculating bitrates for high throughput HE configurations. +For example, with 160 MHz bandwidth, HE-MCS 13, HE-NSS 4, and HE-GI 0, +the multiplication (result * rate->nss) overflows the 32-bit 'result' +variable before division by 8, leading to significantly underestimated +bitrate values. + +The overflow occurs because the NSS multiplication operates on a 32-bit +integer that cannot accommodate intermediate values exceeding +4,294,967,295. When overflow happens, the value wraps around, producing +incorrect bitrates for high MCS and NSS combinations. + +Fix this by utilizing the 64-bit 'tmp' variable for the NSS +multiplication and subsequent divisions via do_div(). This approach +preserves full precision throughout the entire calculation, with the +final value assigned to 'result' only after completing all operations. + +Signed-off-by: Veerendranath Jakkam +Link: https://patch.msgid.link/20260109-he_bitrate_overflow-v1-1-95575e466b6e@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 6aff651a9b68d..5be4ccb871411 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1588,12 +1588,14 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate) + tmp = result; + tmp *= SCALE; + do_div(tmp, mcs_divisors[rate->mcs]); +- result = tmp; + + /* and take NSS, DCM into account */ +- result = (result * rate->nss) / 8; ++ tmp *= rate->nss; ++ do_div(tmp, 8); + if (rate->he_dcm) +- result /= 2; ++ do_div(tmp, 2); ++ ++ result = tmp; + + return result / 10000; + } +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-collect-station-statistics-earlier-whe.patch b/queue-6.12/wifi-mac80211-collect-station-statistics-earlier-whe.patch new file mode 100644 index 0000000000..647fed18f5 --- /dev/null +++ b/queue-6.12/wifi-mac80211-collect-station-statistics-earlier-whe.patch @@ -0,0 +1,54 @@ +From 0ef74b7a750316429a2cc78ed504031a20e58d53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 10:29:07 +0800 +Subject: wifi: mac80211: collect station statistics earlier when disconnect + +From: Baochen Qiang + +[ Upstream commit a203dbeeca15a9b924f0d51f510921f4bae96801 ] + +In __sta_info_destroy_part2(), station statistics are requested after the +IEEE80211_STA_NONE -> IEEE80211_STA_NOTEXIST transition. This is +problematic because the driver may be unable to handle the request due to +the STA being in the NOTEXIST state (i.e. if the driver destroys the +underlying data when transitioning to NOTEXIST). + +Move the statistics collection to before the state transition to avoid +this issue. + +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20251222-mac80211-move-station-stats-collection-earlier-v1-1-12cd4e42c633@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 4eb45e08b97e7..637756516cf56 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1466,6 +1466,10 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc) + } + } + ++ sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); ++ if (sinfo) ++ sta_set_sinfo(sta, sinfo, true); ++ + if (sta->uploaded) { + ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE, + IEEE80211_STA_NOTEXIST); +@@ -1474,9 +1478,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc) + + sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr); + +- sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); +- if (sinfo) +- sta_set_sinfo(sta, sinfo, true); + cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL); + kfree(sinfo); + +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-correctly-check-if-csa-is-active.patch b/queue-6.12/wifi-mac80211-correctly-check-if-csa-is-active.patch new file mode 100644 index 0000000000..1d26f765f7 --- /dev/null +++ b/queue-6.12/wifi-mac80211-correctly-check-if-csa-is-active.patch @@ -0,0 +1,52 @@ +From 836148b008f96e046f829b64f18bc683f848da2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Jan 2026 19:19:30 +0200 +Subject: wifi: mac80211: correctly check if CSA is active + +From: Miri Korenblit + +[ Upstream commit db1d0b6ab11f612ea8a327663a578c8946efeee9 ] + +We are not adding an interface if an existing one is doing CSA. +But the check won't work for MLO station interfaces, since for those, +vif->bss_conf is zeroed out. +Fix this by checking if any link of the vif has an active CSA. + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260111191912.7ceff62fc561.Ia38d27f42684d1cfd82d930d232bd5dea6ab9282@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/iface.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 50108fdb9361d..7e1b6a9d9f3ad 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -354,6 +354,8 @@ static int ieee80211_check_concurrent_iface(struct ieee80211_sub_if_data *sdata, + /* we hold the RTNL here so can safely walk the list */ + list_for_each_entry(nsdata, &local->interfaces, list) { + if (nsdata != sdata && ieee80211_sdata_running(nsdata)) { ++ struct ieee80211_link_data *link; ++ + /* + * Only OCB and monitor mode may coexist + */ +@@ -380,8 +382,10 @@ static int ieee80211_check_concurrent_iface(struct ieee80211_sub_if_data *sdata, + * will not add another interface while any channel + * switch is active. + */ +- if (nsdata->vif.bss_conf.csa_active) +- return -EBUSY; ++ for_each_link_data(nsdata, link) { ++ if (link->conf->csa_active) ++ return -EBUSY; ++ } + + /* + * The remaining checks are only performed for interfaces +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch b/queue-6.12/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch new file mode 100644 index 0000000000..d882d008e1 --- /dev/null +++ b/queue-6.12/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch @@ -0,0 +1,49 @@ +From 17d07630b6896f80fca1a709161a397a692734d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 09:28:29 +0200 +Subject: wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice + +From: Miri Korenblit + +[ Upstream commit 3f3d8ff31496874a69b131866f62474eb24ed20a ] + +In reconfig, in case the driver asks to disconnect during the reconfig, +all the keys of the interface are marked as tainted. +Then ieee80211_reenable_keys will loop over all the interface keys, and +for each one it will +a) increment crypto_tx_tailroom_needed_cnt +b) call ieee80211_key_enable_hw_accel, which in turn will detect that +this key is tainted, so it will mark it as "not in hardware", which is +paired with crypto_tx_tailroom_needed_cnt incrementation, so we get two +incrementations for each tainted key. +Then we get a warning in ieee80211_free_keys. + +To fix it, don't increment the count in ieee80211_reenable_keys for +tainted keys + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260118092821.4ca111fddcda.Id6e554f4b1c83760aa02d5a9e4e3080edb197aa2@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index b679ef23d28fd..66fff8e19ca24 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -987,7 +987,8 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata) + + if (ieee80211_sdata_running(sdata)) { + list_for_each_entry(key, &sdata->key_list, list) { +- increment_tailroom_need_count(sdata); ++ if (!(key->flags & KEY_FLAG_TAINTED)) ++ increment_tailroom_need_count(sdata); + ieee80211_key_enable_hw_accel(key); + } + } +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch b/queue-6.12/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch new file mode 100644 index 0000000000..056baf6fb5 --- /dev/null +++ b/queue-6.12/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch @@ -0,0 +1,44 @@ +From 025d31a98358683b053b36d520c2b15ffe6022f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 19:59:32 -0800 +Subject: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined + +From: Moon Hee Lee + +[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ] + +ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only +present after JOIN_OCB. + +RX may run before JOIN_OCB is executed, in which case the OCB interface +is not operational. Skip RX peer handling when the interface is not +joined to avoid warnings in the RX path. + +Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054 +Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Signed-off-by: Moon Hee Lee +Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ocb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c +index f4c51e4a1e29a..b76792a7b3272 100644 +--- a/net/mac80211/ocb.c ++++ b/net/mac80211/ocb.c +@@ -47,6 +47,9 @@ void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata, + struct sta_info *sta; + int band; + ++ if (!ifocb->joined) ++ return; ++ + /* XXX: Consider removing the least recently used entry and + * allow new one to be added. + */ +-- +2.51.0 + diff --git a/queue-6.12/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch b/queue-6.12/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch new file mode 100644 index 0000000000..8709f567af --- /dev/null +++ b/queue-6.12/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch @@ -0,0 +1,42 @@ +From c66e9aceb69fcc0cdfb50142ccfadc00e9649593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 08:57:08 +0100 +Subject: wifi: wlcore: ensure skb headroom before skb_push +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Åstrand + +[ Upstream commit e75665dd096819b1184087ba5718bd93beafff51 ] + +This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is +less than needed (typically 110 - 94 = 16 bytes). + +Signed-off-by: Peter Astrand +Link: https://patch.msgid.link/097bd417-e1d7-acd4-be05-47b199075013@lysator.liu.se +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index 464587d16ab20..f251627c24c6e 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -207,6 +207,11 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + total_blocks = wlcore_hw_calc_tx_blocks(wl, total_len, spare_blocks); + + if (total_blocks <= wl->tx_blocks_available) { ++ if (skb_headroom(skb) < (total_len - skb->len) && ++ pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { ++ wl1271_free_tx_id(wl, id); ++ return -EAGAIN; ++ } + desc = skb_push(skb, total_len - skb->len); + + wlcore_hw_set_tx_desc_blocks(wl, desc, total_blocks, +-- +2.51.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch b/queue-6.18/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch new file mode 100644 index 0000000000..80008405e6 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch @@ -0,0 +1,37 @@ +From d1d136c6a89c65a9e6310786257c1d7d834e7aed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 02:53:36 +0300 +Subject: ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk + +From: Ruslan Krupitsa + +[ Upstream commit 9ed7a28225af02b74f61e7880d460db49db83758 ] + +HP Laptop 15s-eq1xxx with ALC236 codec does not enable the +mute LED automatically. This patch adds a quirk entry for +subsystem ID 0x8706 using the ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 +fixup, enabling correct mute LED behavior. + +Signed-off-by: Ruslan Krupitsa +Link: https://patch.msgid.link/AS8P194MB112895B8EC2D87D53A876085BBBAA@AS8P194MB1128.EURP194.PROD.OUTLOOK.COM +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 28a390f8636dc..dc2e3ede7a23b 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6427,6 +6427,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x863e, "HP Spectre x360 15-df1xxx", ALC285_FIXUP_HP_SPECTRE_X360_DF1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), ++ SND_PCI_QUIRK(0x103c, 0x8706, "HP Laptop 15s-eq1xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), +-- +2.51.0 + diff --git a/queue-6.18/alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch b/queue-6.18/alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch new file mode 100644 index 0000000000..bda0a8babd --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch @@ -0,0 +1,38 @@ +From a178132585879aea767031d45554c1883d9743ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 18:12:07 +0100 +Subject: ALSA: hda/realtek: Add quirk for Acer Nitro AN517-55 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: MatouÅ¡ Lánský + +[ Upstream commit 9be25402d8522e16e5ebe84f2b1b6c5de082a388 ] + +Add headset mic quirk for Acer Nitro AN517-55. This laptop uses +the same audio configuration as the AN515-58 model. + +Signed-off-by: MatouÅ¡ Lánský +Link: https://patch.msgid.link/20251231171207.76943-1-matouslansky@post.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 9097de7d2e3d7..28a390f8636dc 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6239,6 +6239,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1025, 0x1466, "Acer Aspire A515-56", ALC255_FIXUP_ACER_HEADPHONE_AND_MIC), + SND_PCI_QUIRK(0x1025, 0x1534, "Acer Predator PH315-54", ALC255_FIXUP_ACER_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x159c, "Acer Nitro 5 AN515-58", ALC2XX_FIXUP_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1025, 0x1597, "Acer Nitro 5 AN517-55", ALC2XX_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x169a, "Acer Swift SFG16", ALC256_FIXUP_ACER_SFG16_MICMUTE_LED), + SND_PCI_QUIRK(0x1025, 0x1826, "Acer Helios ZPC", ALC287_FIXUP_PREDATOR_SPK_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1025, 0x182c, "Acer Helios ZPD", ALC287_FIXUP_PREDATOR_SPK_CS35L41_I2C_2), +-- +2.51.0 + diff --git a/queue-6.18/alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch b/queue-6.18/alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch new file mode 100644 index 0000000000..a41ce93a39 --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch @@ -0,0 +1,101 @@ +From b818e052608ba257868094e1f6ee371eb622d718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 02:51:18 +0000 +Subject: ALSA: hda/realtek: ALC269 fixup for Lenovo Yoga Book 9i 13IRU8 audio + +From: Martin Hamilton + +[ Upstream commit 64e0924ed3b446fdd758dfab582e0e961863a116 ] + +The amp/speakers on the Lenovo Yoga Book 9i 13IRU8 laptop aren't +fully powered up, resulting in horrible tinny sound by default. + +The kernel has an existing quirk for PCI SSID 0x17aa3843 which +matches this machine and several others. The quirk applies the +ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP fixup, however the fixup does not +work on this machine. + +This patch modifies the existing quirk by adding a check for the +subsystem ID 0x17aa3881. If present, ALC287_FIXUP_TAS2781_I2C will +be applied instead of ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP. With this +change the TAS2781 amp is powered up, firmware is downloaded and +recognised by HDA/SOF - i.e. all is good, and we can boogie. + +Code is re-used from alc298_fixup_lenovo_c940_duet7(), which fixes a +similar problem with two other Lenovo laptops. + +Cross checked against ALSA cardinfo database for potential clashes. +Tested against 6.18.5 kernel built with Arch Linux default options. +Tested in HDA mode and SOF mode. + +Note: Possible further work required to address quality of life issues +caused by the firmware's agressive power saving, and to improve ALSA +control mappings. + +Signed-off-by: Martin Hamilton +Link: https://patch.msgid.link/20260122-alc269-yogabook9i-fixup-v1-1-a6883429400f@martinh.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index e9022f751c959..ddfad56b30af5 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -3674,6 +3674,7 @@ enum { + ALC287_FIXUP_LEGION_15IMHG05_AUTOMUTE, + ALC287_FIXUP_YOGA7_14ITL_SPEAKERS, + ALC298_FIXUP_LENOVO_C940_DUET7, ++ ALC287_FIXUP_LENOVO_YOGA_BOOK_9I, + ALC287_FIXUP_13S_GEN2_SPEAKERS, + ALC256_FIXUP_SET_COEF_DEFAULTS, + ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE, +@@ -3757,6 +3758,23 @@ static void alc298_fixup_lenovo_c940_duet7(struct hda_codec *codec, + __snd_hda_apply_fixup(codec, id, action, 0); + } + ++/* A special fixup for Lenovo Yoga 9i and Yoga Book 9i 13IRU8 ++ * both have the very same PCI SSID and vendor ID, so we need ++ * to apply different fixups depending on the subsystem ID ++ */ ++static void alc287_fixup_lenovo_yoga_book_9i(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ int id; ++ ++ if (codec->core.subsystem_id == 0x17aa3881) ++ id = ALC287_FIXUP_TAS2781_I2C; /* Yoga Book 9i 13IRU8 */ ++ else ++ id = ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP; /* Yoga 9i */ ++ __snd_hda_apply_fixup(codec, id, action, 0); ++} ++ + static const struct hda_fixup alc269_fixups[] = { + [ALC269_FIXUP_GPIO2] = { + .type = HDA_FIXUP_FUNC, +@@ -5764,6 +5782,10 @@ static const struct hda_fixup alc269_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc298_fixup_lenovo_c940_duet7, + }, ++ [ALC287_FIXUP_LENOVO_YOGA_BOOK_9I] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc287_fixup_lenovo_yoga_book_9i, ++ }, + [ALC287_FIXUP_13S_GEN2_SPEAKERS] = { + .type = HDA_FIXUP_VERBS, + .v.verbs = (const struct hda_verb[]) { +@@ -7088,7 +7110,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3827, "Ideapad S740", ALC285_FIXUP_IDEAPAD_S740_COEF), + SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x383d, "Legion Y9000X 2019", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS), +- SND_PCI_QUIRK(0x17aa, 0x3843, "Yoga 9i", ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP), ++ SND_PCI_QUIRK(0x17aa, 0x3843, "Lenovo Yoga 9i / Yoga Book 9i", ALC287_FIXUP_LENOVO_YOGA_BOOK_9I), + SND_PCI_QUIRK(0x17aa, 0x3847, "Legion 7 16ACHG6", ALC287_FIXUP_LEGION_16ACHG6), + SND_PCI_QUIRK(0x17aa, 0x384a, "Lenovo Yoga 7 15ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), + SND_PCI_QUIRK(0x17aa, 0x3852, "Lenovo Yoga 7 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS), +-- +2.51.0 + diff --git a/queue-6.18/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch b/queue-6.18/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch new file mode 100644 index 0000000000..1b6fa343ea --- /dev/null +++ b/queue-6.18/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch @@ -0,0 +1,39 @@ +From dd0e9f3bb4e612ddb20ef764d5621dbf30d081d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 16:15:55 +0100 +Subject: ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU + +From: Tim Guttzeit + +[ Upstream commit b48fe9af1e60360baf09ca6b7a3cd6541f16e611 ] + +Add a PCI quirk to enable microphone detection on the headphone jack of +TongFang X6AR55xU devices. + +Signed-off-by: Tim Guttzeit +Signed-off-by: Werner Sembach +Link: https://patch.msgid.link/20260119151626.35481-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index dc2e3ede7a23b..e9022f751c959 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7679,6 +7679,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x12, 0x90a60140}, + {0x19, 0x04a11030}, + {0x21, 0x04211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0274, 0x1d05, "TongFang", ALC274_FIXUP_HP_HEADSET_MIC, ++ {0x17, 0x90170110}, ++ {0x19, 0x03a11030}, ++ {0x21, 0x03211020}), + SND_HDA_PIN_QUIRK(0x10ec0282, 0x1025, "Acer", ALC282_FIXUP_ACER_DISABLE_LINEOUT, + ALC282_STANDARD_PINS, + {0x12, 0x90a609c0}, +-- +2.51.0 + diff --git a/queue-6.18/alsa-hda-tas2781-add-newly-released-hp-laptop.patch b/queue-6.18/alsa-hda-tas2781-add-newly-released-hp-laptop.patch new file mode 100644 index 0000000000..2ea2b05364 --- /dev/null +++ b/queue-6.18/alsa-hda-tas2781-add-newly-released-hp-laptop.patch @@ -0,0 +1,45 @@ +From 9529df8e7e46163a7c40e10c71030cfbc516644a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 20:49:06 +0800 +Subject: ALSA: hda/tas2781: Add newly-released HP laptop + +From: Shenghao Ding + +[ Upstream commit 46b8d0888f01f250fbd24d00ff80b755c3c42cd4 ] + +HP released the new laptop with the subid 0x103C. + +Signed-off-by: Shenghao Ding +Link: https://patch.msgid.link/20260115124907.629-1-shenghao-ding@ti.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c +index 0e4bda3a544ea..624a822341bb7 100644 +--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c ++++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c +@@ -2,7 +2,7 @@ + // + // TAS2781 HDA I2C driver + // +-// Copyright 2023 - 2025 Texas Instruments, Inc. ++// Copyright 2023 - 2026 Texas Instruments, Inc. + // + // Author: Shenghao Ding + // Current maintainer: Baojun Xu +@@ -571,6 +571,9 @@ static int tas2781_hda_bind(struct device *dev, struct device *master, + case 0x1028: + tas_hda->catlog_id = DELL; + break; ++ case 0x103C: ++ tas_hda->catlog_id = HP; ++ break; + default: + tas_hda->catlog_id = LENOVO; + break; +-- +2.51.0 + diff --git a/queue-6.18/alsa-usb-audio-add-delay-quirk-for-moondrop-moonrive.patch b/queue-6.18/alsa-usb-audio-add-delay-quirk-for-moondrop-moonrive.patch new file mode 100644 index 0000000000..cac5619a28 --- /dev/null +++ b/queue-6.18/alsa-usb-audio-add-delay-quirk-for-moondrop-moonrive.patch @@ -0,0 +1,43 @@ +From fa6fd6d44114484fb4ff2db115d3b36325670731 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 06:33:03 +0000 +Subject: ALSA: usb-audio: Add delay quirk for MOONDROP Moonriver2 Ti + +From: Lianqin Hu + +[ Upstream commit 49985bc466b51af88d534485631c8cd8c9c65f43 ] + +Audio control requests that sets sampling frequency sometimes fail on +this card. Adding delay between control messages eliminates that problem. + +usb 1-1: New USB device found, idVendor=2fc6, idProduct=f06b +usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +usb 1-1: Product: MOONDROP Moonriver2 Ti +usb 1-1: Manufacturer: MOONDROP +usb 1-1: SerialNumber: MOONDROP Moonriver2 Ti + +Signed-off-by: Lianqin Hu +Reviewed-by: Cryolitia PukNgae +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/TYUPR06MB6217911EFC7E9224935FA507D28DA@TYUPR06MB6217.apcprd06.prod.outlook.com +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 94a8fdc9c6d3c..8a646891ebb44 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2390,6 +2390,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_CTL_MSG_DELAY_1M), + DEVICE_FLG(0x2d99, 0x0026, /* HECATE G2 GAMING HEADSET */ + QUIRK_FLAG_MIXER_PLAYBACK_MIN_MUTE), ++ DEVICE_FLG(0x2fc6, 0xf06b, /* MOONDROP Moonriver2 Ti */ ++ QUIRK_FLAG_CTL_MSG_DELAY), + DEVICE_FLG(0x2fc6, 0xf0b7, /* iBasso DC07 Pro */ + QUIRK_FLAG_CTL_MSG_DELAY_1M), + DEVICE_FLG(0x30be, 0x0101, /* Schiit Hel */ +-- +2.51.0 + diff --git a/queue-6.18/alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch b/queue-6.18/alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch new file mode 100644 index 0000000000..8caf42ba41 --- /dev/null +++ b/queue-6.18/alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch @@ -0,0 +1,52 @@ +From d1387852ebe8ca73f69ab4025ce6daef7b9dbad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 19:15:57 +0300 +Subject: ALSA: usb-audio: fix broken logic in snd_audigy2nx_led_update() + +From: Sergey Shtylyov + +[ Upstream commit 124bdc6eccc8c5cba68fee00e01c084c116c4360 ] + +When the support for the Sound Blaster X-Fi Surround 5.1 Pro was added, +the existing logic for the X-Fi Surround 5.1 in snd_audigy2nx_led_put() +was broken due to missing *else* before the added *if*: snd_usb_ctl_msg() +became incorrectly called twice and an error from first snd_usb_ctl_msg() +call ignored. As the added snd_usb_ctl_msg() call was totally identical +to the existing one for the "plain" X-Fi Surround 5.1, just merge those +two *if* statements while fixing the broken logic... + +Found by Linux Verification Center (linuxtesting.org) with the Svace static +analysis tool. + +Fixes: 7cdd8d73139e ("ALSA: usb-audio - Add support for USB X-Fi S51 Pro") +Signed-off-by: Sergey Shtylyov +Link: https://patch.msgid.link/20260203161558.18680-1-s.shtylyov@auroraos.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_quirks.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index 828af3095b86e..4873b5e748016 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -311,13 +311,8 @@ static int snd_audigy2nx_led_update(struct usb_mixer_interface *mixer, + if (pm.err < 0) + return pm.err; + +- if (chip->usb_id == USB_ID(0x041e, 0x3042)) +- err = snd_usb_ctl_msg(chip->dev, +- usb_sndctrlpipe(chip->dev, 0), 0x24, +- USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER, +- !value, 0, NULL, 0); +- /* USB X-Fi S51 Pro */ +- if (chip->usb_id == USB_ID(0x041e, 0x30df)) ++ if (chip->usb_id == USB_ID(0x041e, 0x3042) || /* USB X-Fi S51 */ ++ chip->usb_id == USB_ID(0x041e, 0x30df)) /* USB X-Fi S51 Pro */ + err = snd_usb_ctl_msg(chip->dev, + usb_sndctrlpipe(chip->dev, 0), 0x24, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER, +-- +2.51.0 + diff --git a/queue-6.18/alsa-usb-audio-prevent-excessive-number-of-frames.patch b/queue-6.18/alsa-usb-audio-prevent-excessive-number-of-frames.patch new file mode 100644 index 0000000000..70b1db8bc8 --- /dev/null +++ b/queue-6.18/alsa-usb-audio-prevent-excessive-number-of-frames.patch @@ -0,0 +1,55 @@ +From 93aa2d37078cf798f224f7c73b4ab3cb50ddeee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 16:29:23 +0800 +Subject: ALSA: usb-audio: Prevent excessive number of frames + +From: Edward Adam Davis + +[ Upstream commit ef5749ef8b307bf8717945701b1b79d036af0a15 ] + +In this case, the user constructed the parameters with maxpacksize 40 +for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer +size for each data URB is maxpacksize * packets, which in this example +is 40 * 6 = 240; When the user performs a write operation to send audio +data into the ALSA PCM playback stream, the calculated number of frames +is packsize[0] * packets = 264, which exceeds the allocated URB buffer +size, triggering the out-of-bounds (OOB) issue reported by syzbot [1]. + +Added a check for the number of single data URB frames when calculating +the number of frames to prevent [1]. + +[1] +BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 +Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506 +Call Trace: + copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 + prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611 + prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333 + +Reported-by: syzbot+6db0415d6d5c635f72cb@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6db0415d6d5c635f72cb +Tested-by: syzbot+6db0415d6d5c635f72cb@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Link: https://patch.msgid.link/tencent_9AECE6CD2C7A826D902D696C289724E8120A@qq.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index 54d01dfd820fa..263abb36bb2d1 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1553,7 +1553,7 @@ static int prepare_playback_urb(struct snd_usb_substream *subs, + + for (i = 0; i < ctx->packets; i++) { + counts = snd_usb_endpoint_next_packet_size(ep, ctx, i, avail); +- if (counts < 0) ++ if (counts < 0 || frames + counts >= ep->max_urb_frames) + break; + /* set up descriptor */ + urb->iso_frame_desc[i].offset = frames * stride; +-- +2.51.0 + diff --git a/queue-6.18/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch b/queue-6.18/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch new file mode 100644 index 0000000000..b861823ba1 --- /dev/null +++ b/queue-6.18/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch @@ -0,0 +1,37 @@ +From 0dac35ed6a172d2171fce2f7d65d5c3dc7744c6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 20:50:33 +0000 +Subject: ASoC: amd: fix memory leak in acp3x pdm dma ops + +From: Chris Bainbridge + +[ Upstream commit 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 ] + +Fixes: 4a767b1d039a8 ("ASoC: amd: add acp3x pdm driver dma ops") +Signed-off-by: Chris Bainbridge +Link: https://patch.msgid.link/20260202205034.7697-1-chris.bainbridge@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/renoir/acp3x-pdm-dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/amd/renoir/acp3x-pdm-dma.c b/sound/soc/amd/renoir/acp3x-pdm-dma.c +index 95ac8c6800375..a560d06097d5e 100644 +--- a/sound/soc/amd/renoir/acp3x-pdm-dma.c ++++ b/sound/soc/amd/renoir/acp3x-pdm-dma.c +@@ -301,9 +301,11 @@ static int acp_pdm_dma_close(struct snd_soc_component *component, + struct snd_pcm_substream *substream) + { + struct pdm_dev_data *adata = dev_get_drvdata(component->dev); ++ struct pdm_stream_instance *rtd = substream->runtime->private_data; + + disable_pdm_interrupts(adata->acp_base); + adata->capture_stream = NULL; ++ kfree(rtd); + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.18/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch b/queue-6.18/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch new file mode 100644 index 0000000000..c87ca24a4d --- /dev/null +++ b/queue-6.18/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch @@ -0,0 +1,41 @@ +From de8d70f844a01601cdc1e5c81925d43ae4b21fc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 21:38:14 +0100 +Subject: ASoC: amd: yc: Fix microphone on ASUS M6500RE + +From: Radhi Bajahaw + +[ Upstream commit 8e29db1b08808f709231e6fd4c79dcdee5b17a17 ] + +Add DMI match for ASUSTeK COMPUTER INC. M6500RE to enable the +internal microphone. + +Signed-off-by: Radhi Bajahaw +Link: https://patch.msgid.link/20260112203814.155-1-bajahawradhi@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index c0a8afb42e165..c4a4a06528b45 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -416,6 +416,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "M6500RC"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "M6500RE"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.51.0 + diff --git a/queue-6.18/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch b/queue-6.18/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch new file mode 100644 index 0000000000..b1e487ddc6 --- /dev/null +++ b/queue-6.18/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch @@ -0,0 +1,113 @@ +From 4ba71b4eca55be62be0ce4ca3fe3b8ac5ccd297e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 23:48:37 +0800 +Subject: ASoC: davinci-evm: Fix reference leak in davinci_evm_probe + +From: Kery Qi + +[ Upstream commit 5b577d214fcc109707bcb77b4ae72a31cfd86798 ] + +The davinci_evm_probe() function calls of_parse_phandle() to acquire +device nodes for "ti,audio-codec" and "ti,mcasp-controller". These +functions return device nodes with incremented reference counts. + +However, in several error paths (e.g., when the second of_parse_phandle(), +snd_soc_of_parse_card_name(), or devm_snd_soc_register_card() fails), +the function returns directly without releasing the acquired nodes, +leading to reference leaks. + +This patch adds an error handling path 'err_put' to properly release +the device nodes using of_node_put() and clean up the pointers when +an error occurs. + +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260107154836.1521-2-qikeyu2017@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/davinci-evm.c | 39 ++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/ti/davinci-evm.c b/sound/soc/ti/davinci-evm.c +index 2a2f5bc95576e..a55a369ce71c2 100644 +--- a/sound/soc/ti/davinci-evm.c ++++ b/sound/soc/ti/davinci-evm.c +@@ -193,27 +193,32 @@ static int davinci_evm_probe(struct platform_device *pdev) + return -EINVAL; + + dai->cpus->of_node = of_parse_phandle(np, "ti,mcasp-controller", 0); +- if (!dai->cpus->of_node) +- return -EINVAL; ++ if (!dai->cpus->of_node) { ++ ret = -EINVAL; ++ goto err_put; ++ } + + dai->platforms->of_node = dai->cpus->of_node; + + evm_soc_card.dev = &pdev->dev; + ret = snd_soc_of_parse_card_name(&evm_soc_card, "ti,model"); + if (ret) +- return ret; ++ goto err_put; + + mclk = devm_clk_get(&pdev->dev, "mclk"); + if (PTR_ERR(mclk) == -EPROBE_DEFER) { +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto err_put; + } else if (IS_ERR(mclk)) { + dev_dbg(&pdev->dev, "mclk not found.\n"); + mclk = NULL; + } + + drvdata = devm_kzalloc(&pdev->dev, sizeof(*drvdata), GFP_KERNEL); +- if (!drvdata) +- return -ENOMEM; ++ if (!drvdata) { ++ ret = -ENOMEM; ++ goto err_put; ++ } + + drvdata->mclk = mclk; + +@@ -223,7 +228,8 @@ static int davinci_evm_probe(struct platform_device *pdev) + if (!drvdata->mclk) { + dev_err(&pdev->dev, + "No clock or clock rate defined.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put; + } + drvdata->sysclk = clk_get_rate(drvdata->mclk); + } else if (drvdata->mclk) { +@@ -239,8 +245,25 @@ static int davinci_evm_probe(struct platform_device *pdev) + snd_soc_card_set_drvdata(&evm_soc_card, drvdata); + ret = devm_snd_soc_register_card(&pdev->dev, &evm_soc_card); + +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "snd_soc_register_card failed (%d)\n", ret); ++ goto err_put; ++ } ++ ++ return ret; ++ ++err_put: ++ dai->platforms->of_node = NULL; ++ ++ if (dai->cpus->of_node) { ++ of_node_put(dai->cpus->of_node); ++ dai->cpus->of_node = NULL; ++ } ++ ++ if (dai->codecs->of_node) { ++ of_node_put(dai->codecs->of_node); ++ dai->codecs->of_node = NULL; ++ } + + return ret; + } +-- +2.51.0 + diff --git a/queue-6.18/asoc-intel-sof_sdw-add-new-quirks-for-ptl-on-dell-wi.patch b/queue-6.18/asoc-intel-sof_sdw-add-new-quirks-for-ptl-on-dell-wi.patch new file mode 100644 index 0000000000..305401fcbd --- /dev/null +++ b/queue-6.18/asoc-intel-sof_sdw-add-new-quirks-for-ptl-on-dell-wi.patch @@ -0,0 +1,43 @@ +From 318f63c3c48a4a38d47daaf3d798ea435ccc5dcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 15:21:24 +0000 +Subject: ASoC: Intel: sof_sdw: Add new quirks for PTL on Dell with CS42L43 + +From: Deep Harsora + +[ Upstream commit 12cacdfb023d1b2f6c4e5af471f2d5b6f0cbf909 ] + +Add missing quirks for some new Dell laptops using cs42l43's speaker +outputs. + +Signed-off-by: Deep Harsora +Signed-off-by: Maciej Strozek +Link: https://patch.msgid.link/20260102152132.3053106-1-mstrozek@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_sdw.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c +index c013e31d098e7..92fac7ed782f7 100644 +--- a/sound/soc/intel/boards/sof_sdw.c ++++ b/sound/soc/intel/boards/sof_sdw.c +@@ -750,6 +750,14 @@ static const struct dmi_system_id sof_sdw_quirk_table[] = { + .driver_data = (void *)(SOC_SDW_CODEC_SPKR), + }, + /* Pantherlake devices*/ ++ { ++ .callback = sof_sdw_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "0DD6") ++ }, ++ .driver_data = (void *)(SOC_SDW_SIDECAR_AMPS), ++ }, + { + .callback = sof_sdw_quirk_cb, + .matches = { +-- +2.51.0 + diff --git a/queue-6.18/asoc-simple-card-utils-check-device-node-before-over.patch b/queue-6.18/asoc-simple-card-utils-check-device-node-before-over.patch new file mode 100644 index 0000000000..6aad46e4bf --- /dev/null +++ b/queue-6.18/asoc-simple-card-utils-check-device-node-before-over.patch @@ -0,0 +1,42 @@ +From c65b1afe28f4ad96a9bc491d1b6f465577dc85ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 17:04:32 +0800 +Subject: ASoC: simple-card-utils: Check device node before overwrite direction + +From: Shengjiu Wang + +[ Upstream commit 22a507d7680f2c3499c133f6384349f62f916176 ] + +Even the device node don't exist, the graph_util_parse_link_direction() +will overwrite the playback_only and capture_only to be zero. Which +cause the playback_only and capture_only are not correct, so check device +node exist or not before update the value. + +Signed-off-by: Shengjiu Wang +Acked-by: Kuninori Morimoto +Link: https://patch.msgid.link/20251229090432.3964848-1-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index 355f7ec8943c2..bdc02e85b089f 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -1179,9 +1179,9 @@ void graph_util_parse_link_direction(struct device_node *np, + bool is_playback_only = of_property_read_bool(np, "playback-only"); + bool is_capture_only = of_property_read_bool(np, "capture-only"); + +- if (playback_only) ++ if (np && playback_only) + *playback_only = is_playback_only; +- if (capture_only) ++ if (np && capture_only) + *capture_only = is_capture_only; + } + EXPORT_SYMBOL_GPL(graph_util_parse_link_direction); +-- +2.51.0 + diff --git a/queue-6.18/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch b/queue-6.18/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch new file mode 100644 index 0000000000..1402a38936 --- /dev/null +++ b/queue-6.18/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch @@ -0,0 +1,43 @@ +From 77b1d3cc7c8f566ede82ee4f508421d461352db9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:46 +0100 +Subject: ASoC: tlv320adcx140: Propagate error codes during probe + +From: Dimitrios Katsaros + +[ Upstream commit d89aad92cfd15edbd704746f44c98fe687f9366f ] + +When scanning for the reset pin, we could get an -EPROBE_DEFER. +The driver would assume that no reset pin had been defined, +which would mean that the chip would never be powered. + +Now we both respect any error we get from devm_gpiod_get_optional. +We also now properly report the missing GPIO definition when +'gpio_reset' is NULL. + +Signed-off-by: Dimitrios Katsaros +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-3-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index 62d936c2838c9..1565727ca2f3d 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -1156,6 +1156,9 @@ static int adcx140_i2c_probe(struct i2c_client *i2c) + adcx140->gpio_reset = devm_gpiod_get_optional(adcx140->dev, + "reset", GPIOD_OUT_LOW); + if (IS_ERR(adcx140->gpio_reset)) ++ return dev_err_probe(&i2c->dev, PTR_ERR(adcx140->gpio_reset), ++ "Failed to get Reset GPIO\n"); ++ if (!adcx140->gpio_reset) + dev_info(&i2c->dev, "Reset GPIO not defined\n"); + + adcx140->supply_areg = devm_regulator_get_optional(adcx140->dev, +-- +2.51.0 + diff --git a/queue-6.18/block-bfq-fix-aux-stat-accumulation-destination.patch b/queue-6.18/block-bfq-fix-aux-stat-accumulation-destination.patch new file mode 100644 index 0000000000..c57ba25a28 --- /dev/null +++ b/queue-6.18/block-bfq-fix-aux-stat-accumulation-destination.patch @@ -0,0 +1,36 @@ +From 08643a9ccde8e3c2082a37524590833ab34ddd55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 21:04:26 +0800 +Subject: block,bfq: fix aux stat accumulation destination + +From: shechenglong + +[ Upstream commit 04bdb1a04d8a2a89df504c1e34250cd3c6e31a1c ] + +Route bfqg_stats_add_aux() time accumulation into the destination +stats object instead of the source, aligning with other stat fields. + +Reviewed-by: Yu Kuai +Signed-off-by: shechenglong +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index 9fb9f35331502..6a75fe1c7a5c0 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -380,7 +380,7 @@ static void bfqg_stats_add_aux(struct bfqg_stats *to, struct bfqg_stats *from) + blkg_rwstat_add_aux(&to->merged, &from->merged); + blkg_rwstat_add_aux(&to->service_time, &from->service_time); + blkg_rwstat_add_aux(&to->wait_time, &from->wait_time); +- bfq_stat_add_aux(&from->time, &from->time); ++ bfq_stat_add_aux(&to->time, &from->time); + bfq_stat_add_aux(&to->avg_queue_size_sum, &from->avg_queue_size_sum); + bfq_stat_add_aux(&to->avg_queue_size_samples, + &from->avg_queue_size_samples); +-- +2.51.0 + diff --git a/queue-6.18/btrfs-do-not-free-data-reservation-in-fallback-from-.patch b/queue-6.18/btrfs-do-not-free-data-reservation-in-fallback-from-.patch new file mode 100644 index 0000000000..220cdd5e4c --- /dev/null +++ b/queue-6.18/btrfs-do-not-free-data-reservation-in-fallback-from-.patch @@ -0,0 +1,47 @@ +From b64b71c4beb36953a72e6073693874e4ca809c7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 17:10:10 +0000 +Subject: btrfs: do not free data reservation in fallback from inline due to + -ENOSPC + +From: Filipe Manana + +[ Upstream commit f8da41de0bff9eb1d774a7253da0c9f637c4470a ] + +If we fail to create an inline extent due to -ENOSPC, we will attempt to +go through the normal COW path, reserve an extent, create an ordered +extent, etc. However we were always freeing the reserved qgroup data, +which is wrong since we will use data. Fix this by freeing the reserved +qgroup data in __cow_file_range_inline() only if we are not doing the +fallback (ret is <= 0). + +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 1af9b05328ce8..e72c69f77ce4b 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -670,8 +670,12 @@ static noinline int __cow_file_range_inline(struct btrfs_inode *inode, + * it won't count as data extent, free them directly here. + * And at reserve time, it's always aligned to page size, so + * just free one page here. ++ * ++ * If we fallback to non-inline (ret == 1) due to -ENOSPC, then we need ++ * to keep the data reservation. + */ +- btrfs_qgroup_free_data(inode, NULL, 0, fs_info->sectorsize, NULL); ++ if (ret <= 0) ++ btrfs_qgroup_free_data(inode, NULL, 0, fs_info->sectorsize, NULL); + btrfs_free_path(path); + btrfs_end_transaction(trans); + return ret; +-- +2.51.0 + diff --git a/queue-6.18/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch b/queue-6.18/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch new file mode 100644 index 0000000000..49b734aa08 --- /dev/null +++ b/queue-6.18/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch @@ -0,0 +1,68 @@ +From 9416e0539fd624c24e804e3870a27081aae137c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 17:18:25 +0000 +Subject: btrfs: fix reservation leak in some error paths when inserting inline + extent + +From: Filipe Manana + +[ Upstream commit c1c050f92d8f6aac4e17f7f2230160794fceef0c ] + +If we fail to allocate a path or join a transaction, we return from +__cow_file_range_inline() without freeing the reserved qgroup data, +resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data() +in such cases. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index e72c69f77ce4b..76a66c74249a2 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -614,19 +614,22 @@ static noinline int __cow_file_range_inline(struct btrfs_inode *inode, + struct btrfs_drop_extents_args drop_args = { 0 }; + struct btrfs_root *root = inode->root; + struct btrfs_fs_info *fs_info = root->fs_info; +- struct btrfs_trans_handle *trans; ++ struct btrfs_trans_handle *trans = NULL; + u64 data_len = (compressed_size ?: size); + int ret; + struct btrfs_path *path; + + path = btrfs_alloc_path(); +- if (!path) +- return -ENOMEM; ++ if (!path) { ++ ret = -ENOMEM; ++ goto out; ++ } + + trans = btrfs_join_transaction(root); + if (IS_ERR(trans)) { +- btrfs_free_path(path); +- return PTR_ERR(trans); ++ ret = PTR_ERR(trans); ++ trans = NULL; ++ goto out; + } + trans->block_rsv = &inode->block_rsv; + +@@ -677,7 +680,8 @@ static noinline int __cow_file_range_inline(struct btrfs_inode *inode, + if (ret <= 0) + btrfs_qgroup_free_data(inode, NULL, 0, fs_info->sectorsize, NULL); + btrfs_free_path(path); +- btrfs_end_transaction(trans); ++ if (trans) ++ btrfs_end_transaction(trans); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.18/btrfs-fix-wmaybe-uninitialized-warning-in-replay_one.patch b/queue-6.18/btrfs-fix-wmaybe-uninitialized-warning-in-replay_one.patch new file mode 100644 index 0000000000..3b97145e1a --- /dev/null +++ b/queue-6.18/btrfs-fix-wmaybe-uninitialized-warning-in-replay_one.patch @@ -0,0 +1,51 @@ +From 92d0a071339f14f3d8b4483f695ca285bc8c8562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 16:16:18 +0800 +Subject: btrfs: fix Wmaybe-uninitialized warning in replay_one_buffer() + +From: Qiang Ma + +[ Upstream commit 9c7e71c97c8cd086b148d0d3d1cd84a1deab023c ] + +Warning was found when compiling using loongarch64-gcc 12.3.1: + + $ make CFLAGS_tree-log.o=-Wmaybe-uninitialized + + In file included from fs/btrfs/ctree.h:21, + from fs/btrfs/tree-log.c:12: + fs/btrfs/accessors.h: In function 'replay_one_buffer': + fs/btrfs/accessors.h:66:16: warning: 'inode_item' may be used uninitialized [-Wmaybe-uninitialized] + 66 | return btrfs_get_##bits(eb, s, offsetof(type, member)); \ + | ^~~~~~~~~~ + fs/btrfs/tree-log.c:2803:42: note: 'inode_item' declared here + 2803 | struct btrfs_inode_item *inode_item; + | ^~~~~~~~~~ + +Initialize the inode_item to NULL, the compiler does not seem to see the +relation between the first 'wc->log_key.type == BTRFS_INODE_ITEM_KEY' +check and the other one that also checks the replay phase. + +Signed-off-by: Qiang Ma +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 1444857de9fe8..ae2e035d013e2 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2800,7 +2800,7 @@ static int replay_one_buffer(struct extent_buffer *eb, + + nritems = btrfs_header_nritems(eb); + for (wc->log_slot = 0; wc->log_slot < nritems; wc->log_slot++) { +- struct btrfs_inode_item *inode_item; ++ struct btrfs_inode_item *inode_item = NULL; + + btrfs_item_key_to_cpu(eb, &wc->log_key, wc->log_slot); + +-- +2.51.0 + diff --git a/queue-6.18/btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch b/queue-6.18/btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch new file mode 100644 index 0000000000..53bebac932 --- /dev/null +++ b/queue-6.18/btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch @@ -0,0 +1,144 @@ +From 7f92ee36a5fdce1d206302a141c4c34e2891c0d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 07:28:28 +1030 +Subject: btrfs: reject new transactions if the fs is fully read-only + +From: Qu Wenruo + +[ Upstream commit 1972f44c189c8aacde308fa9284e474c1a5cbd9f ] + +[BUG] +There is a bug report where a heavily fuzzed fs is mounted with all +rescue mount options, which leads to the following warnings during +unmount: + + BTRFS: Transaction aborted (error -22) + Modules linked in: + CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted + 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline] + RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611 + Call Trace: + + btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705 + btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157 + btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517 + btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708 + btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130 + btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499 + btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628 + evict+0x5f4/0xae0 fs/inode.c:837 + __dentry_kill+0x209/0x660 fs/dcache.c:670 + finish_dput+0xc9/0x480 fs/dcache.c:879 + shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661 + generic_shutdown_super+0x67/0x2c0 fs/super.c:621 + kill_anon_super+0x3b/0x70 fs/super.c:1289 + btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127 + deactivate_locked_super+0xbc/0x130 fs/super.c:474 + cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318 + task_work_run+0x1d4/0x260 kernel/task_work.c:233 + exit_task_work include/linux/task_work.h:40 [inline] + do_exit+0x694/0x22f0 kernel/exit.c:971 + do_group_exit+0x21c/0x2d0 kernel/exit.c:1112 + __do_sys_exit_group kernel/exit.c:1123 [inline] + __se_sys_exit_group kernel/exit.c:1121 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121 + x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x44f639 + Code: Unable to access opcode bytes at 0x44f60f. + RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 + RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639 + RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 + RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0 + R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 + + +Since rescue mount options will mark the full fs read-only, there should +be no new transaction triggered. + +But during unmount we will evict all inodes, which can trigger a new +transaction, and triggers warnings on a heavily corrupted fs. + +[CAUSE] +Btrfs allows new transaction even on a read-only fs, this is to allow +log replay happen even on read-only mounts, just like what ext4/xfs do. + +However with rescue mount options, the fs is fully read-only and cannot +be remounted read-write, thus in that case we should also reject any new +transactions. + +[FIX] +If we find the fs has rescue mount options, we should treat the fs as +error, so that no new transaction can be started. + +Reported-by: Jiaming Zhang +Link: https://lore.kernel.org/linux-btrfs/CANypQFYw8Nt8stgbhoycFojOoUmt+BoZ-z8WJOZVxcogDdwm=Q@mail.gmail.com/ +Reviewed-by: Boris Burkov +Reviewed-by: Johannes Thumshirn +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 13 +++++++++++++ + fs/btrfs/fs.h | 8 ++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 19d8c8fc45951..745ae698bbc8a 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3248,6 +3248,15 @@ int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount) + return 0; + } + ++static bool fs_is_full_ro(const struct btrfs_fs_info *fs_info) ++{ ++ if (!sb_rdonly(fs_info->sb)) ++ return false; ++ if (unlikely(fs_info->mount_opt & BTRFS_MOUNT_FULL_RO_MASK)) ++ return true; ++ return false; ++} ++ + int __cold open_ctree(struct super_block *sb, struct btrfs_fs_devices *fs_devices) + { + u32 sectorsize; +@@ -3356,6 +3365,10 @@ int __cold open_ctree(struct super_block *sb, struct btrfs_fs_devices *fs_device + if (btrfs_super_flags(disk_super) & BTRFS_SUPER_FLAG_ERROR) + WRITE_ONCE(fs_info->fs_error, -EUCLEAN); + ++ /* If the fs has any rescue options, no transaction is allowed. */ ++ if (fs_is_full_ro(fs_info)) ++ WRITE_ONCE(fs_info->fs_error, -EROFS); ++ + /* Set up fs_info before parsing mount options */ + nodesize = btrfs_super_nodesize(disk_super); + sectorsize = btrfs_super_sectorsize(disk_super); +diff --git a/fs/btrfs/fs.h b/fs/btrfs/fs.h +index 814bbc9417d2a..37aa8d141a83d 100644 +--- a/fs/btrfs/fs.h ++++ b/fs/btrfs/fs.h +@@ -250,6 +250,14 @@ enum { + BTRFS_MOUNT_REF_TRACKER = (1ULL << 33), + }; + ++/* These mount options require a full read-only fs, no new transaction is allowed. */ ++#define BTRFS_MOUNT_FULL_RO_MASK \ ++ (BTRFS_MOUNT_NOLOGREPLAY | \ ++ BTRFS_MOUNT_IGNOREBADROOTS | \ ++ BTRFS_MOUNT_IGNOREDATACSUMS | \ ++ BTRFS_MOUNT_IGNOREMETACSUMS | \ ++ BTRFS_MOUNT_IGNORESUPERFLAGS) ++ + /* + * Compat flags that we support. If any incompat flags are set other than the + * ones specified below then we will fail to mount +-- +2.51.0 + diff --git a/queue-6.18/btrfs-sync-read-disk-super-and-set-block-size.patch b/queue-6.18/btrfs-sync-read-disk-super-and-set-block-size.patch new file mode 100644 index 0000000000..7bd68a2623 --- /dev/null +++ b/queue-6.18/btrfs-sync-read-disk-super-and-set-block-size.patch @@ -0,0 +1,80 @@ +From c1aeaa025ea549b807fddca943e36334ab3de54e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 21:02:02 +0800 +Subject: btrfs: sync read disk super and set block size + +From: Edward Adam Davis + +[ Upstream commit 3f29d661e5686f3aa14e6f11537ff5c49846f2e2 ] + +When the user performs a btrfs mount, the block device is not set +correctly. The user sets the block size of the block device to 0x4000 +by executing the BLKBSZSET command. +Since the block size change also changes the mapping->flags value, this +further affects the result of the mapping_min_folio_order() calculation. + +Let's analyze the following two scenarios: + +Scenario 1: Without executing the BLKBSZSET command, the block size is +0x1000, and mapping_min_folio_order() returns 0; + +Scenario 2: After executing the BLKBSZSET command, the block size is +0x4000, and mapping_min_folio_order() returns 2. + +do_read_cache_folio() allocates a folio before the BLKBSZSET command +is executed. This results in the allocated folio having an order value +of 0. Later, after BLKBSZSET is executed, the block size increases to +0x4000, and the mapping_min_folio_order() calculation result becomes 2. + +This leads to two undesirable consequences: + +1. filemap_add_folio() triggers a VM_BUG_ON_FOLIO(folio_order(folio) < +mapping_min_folio_order(mapping)) assertion. + +2. The syzbot report [1] shows a null pointer dereference in +create_empty_buffers() due to a buffer head allocation failure. + +Synchronization should be established based on the inode between the +BLKBSZSET command and read cache page to prevent inconsistencies in +block size or mapping flags before and after folio allocation. + +[1] +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +RIP: 0010:create_empty_buffers+0x4d/0x480 fs/buffer.c:1694 +Call Trace: + folio_create_buffers+0x109/0x150 fs/buffer.c:1802 + block_read_full_folio+0x14c/0x850 fs/buffer.c:2403 + filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496 + do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096 + do_read_cache_page mm/filemap.c:4162 [inline] + read_cache_page_gfp+0x29/0x120 mm/filemap.c:4195 + btrfs_read_disk_super+0x192/0x500 fs/btrfs/volumes.c:1367 + +Reported-by: syzbot+b4a2af3000eaa84d95d5@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b4a2af3000eaa84d95d5 +Signed-off-by: Edward Adam Davis +Reviewed-by: Filipe Manana +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 48e717c105c35..8e7dcb12af4c4 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1365,7 +1365,9 @@ struct btrfs_super_block *btrfs_read_disk_super(struct block_device *bdev, + (bytenr + BTRFS_SUPER_INFO_SIZE) >> PAGE_SHIFT); + } + ++ filemap_invalidate_lock(mapping); + page = read_cache_page_gfp(mapping, bytenr >> PAGE_SHIFT, GFP_NOFS); ++ filemap_invalidate_unlock(mapping); + if (IS_ERR(page)) + return ERR_CAST(page); + +-- +2.51.0 + diff --git a/queue-6.18/dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_re.patch b/queue-6.18/dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_re.patch new file mode 100644 index 0000000000..9d532ac644 --- /dev/null +++ b/queue-6.18/dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_re.patch @@ -0,0 +1,85 @@ +From a6bd938e1a8243e091f84b9ec5a3d44c8c09e477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 22:10:06 +0800 +Subject: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() + +From: Guodong Xu + +[ Upstream commit a143545855bc2c6e1330f6f57ae375ac44af00a7 ] + +Add proper locking in mmp_pdma_residue() to prevent use-after-free when +accessing descriptor list and descriptor contents. + +The race occurs when multiple threads call tx_status() while the tasklet +on another CPU is freeing completed descriptors: + +CPU 0 CPU 1 +----- ----- +mmp_pdma_tx_status() +mmp_pdma_residue() + -> NO LOCK held + list_for_each_entry(sw, ..) + DMA interrupt + dma_do_tasklet() + -> spin_lock(&desc_lock) + list_move(sw->node, ...) + spin_unlock(&desc_lock) + | dma_pool_free(sw) <- FREED! + -> access sw->desc <- UAF! + +This issue can be reproduced when running dmatest on the same channel with +multiple threads (threads_per_chan > 1). + +Fix by protecting the chain_running list iteration and descriptor access +with the chan->desc_lock spinlock. + +Signed-off-by: Juan Li +Signed-off-by: Guodong Xu +Link: https://patch.msgid.link/20251216-mmp-pdma-race-v1-1-976a224bb622@riscstar.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_pdma.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c +index 86661eb3cde1f..d12e729ee12c5 100644 +--- a/drivers/dma/mmp_pdma.c ++++ b/drivers/dma/mmp_pdma.c +@@ -928,6 +928,7 @@ static unsigned int mmp_pdma_residue(struct mmp_pdma_chan *chan, + { + struct mmp_pdma_desc_sw *sw; + struct mmp_pdma_device *pdev = to_mmp_pdma_dev(chan->chan.device); ++ unsigned long flags; + u64 curr; + u32 residue = 0; + bool passed = false; +@@ -945,6 +946,8 @@ static unsigned int mmp_pdma_residue(struct mmp_pdma_chan *chan, + else + curr = pdev->ops->read_src_addr(chan->phy); + ++ spin_lock_irqsave(&chan->desc_lock, flags); ++ + list_for_each_entry(sw, &chan->chain_running, node) { + u64 start, end; + u32 len; +@@ -989,6 +992,7 @@ static unsigned int mmp_pdma_residue(struct mmp_pdma_chan *chan, + continue; + + if (sw->async_tx.cookie == cookie) { ++ spin_unlock_irqrestore(&chan->desc_lock, flags); + return residue; + } else { + residue = 0; +@@ -996,6 +1000,8 @@ static unsigned int mmp_pdma_residue(struct mmp_pdma_chan *chan, + } + } + ++ spin_unlock_irqrestore(&chan->desc_lock, flags); ++ + /* We should only get here in case of cyclic transactions */ + return residue; + } +-- +2.51.0 + diff --git a/queue-6.18/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch b/queue-6.18/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch new file mode 100644 index 0000000000..39b6925c83 --- /dev/null +++ b/queue-6.18/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch @@ -0,0 +1,47 @@ +From 4cbe65bd7ab7475c734949eb3b27e5fb7699233f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 00:55:13 +0800 +Subject: dpaa2-switch: add bounds check for if_id in IRQ handler + +From: Junrui Luo + +[ Upstream commit 31a7a0bbeb006bac2d9c81a2874825025214b6d8 ] + +The IRQ handler extracts if_id from the upper 16 bits of the hardware +status register and uses it to index into ethsw->ports[] without +validation. Since if_id can be any 16-bit value (0-65535) but the ports +array is only allocated with sw_attr.num_ifs elements, this can lead to +an out-of-bounds read potentially. + +Add a bounds check before accessing the array, consistent with the +existing validation in dpaa2_switch_rx(). + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 24ab724f8a46 ("dpaa2-switch: use the port index in the IRQ handler") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881D420AB43FF1A227B84AFAF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 0ff234f6a3ed9..66240c340492c 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -1531,6 +1531,10 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg) + } + + if_id = (status & 0xFFFF0000) >> 16; ++ if (if_id >= ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id); ++ goto out; ++ } + port_priv = ethsw->ports[if_id]; + + if (status & DPSW_IRQ_EVENT_LINK_CHANGED) +-- +2.51.0 + diff --git a/queue-6.18/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch b/queue-6.18/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch new file mode 100644 index 0000000000..f5903a217d --- /dev/null +++ b/queue-6.18/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch @@ -0,0 +1,55 @@ +From 44890fd63561007abeaf54fbb7a17a34e1a0b6a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 16:07:34 +0800 +Subject: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero + +From: Junrui Luo + +[ Upstream commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66 ] + +The driver allocates arrays for ports, FDBs, and filter blocks using +kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the +device reports zero interfaces (either due to hardware configuration +or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) +instead of NULL. + +Later in dpaa2_switch_probe(), the NAPI initialization unconditionally +accesses ethsw->ports[0]->netdev, which attempts to dereference +ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. + +Add a check to ensure num_ifs is greater than zero after retrieving +device attributes. This prevents the zero-sized allocations and +subsequent invalid pointer dereference. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface") +Signed-off-by: Junrui Luo +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/SYBPR01MB7881BEABA8DA896947962470AF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index b1e1ad9e4b48e..0ff234f6a3ed9 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -3024,6 +3024,12 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev) + goto err_close; + } + ++ if (!ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "DPSW device has no interfaces\n"); ++ err = -ENODEV; ++ goto err_close; ++ } ++ + err = dpsw_get_api_version(ethsw->mc_io, 0, + ðsw->major, + ðsw->minor); +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch b/queue-6.18/drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch new file mode 100644 index 0000000000..7655c6b082 --- /dev/null +++ b/queue-6.18/drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch @@ -0,0 +1,62 @@ +From 3ca5c99cc670962d26ec7b548911847d168e8129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 12:20:29 -0300 +Subject: drm/amd/display: fix wrong color value mapping on MCM shaper LUT + +From: Melissa Wen + +[ Upstream commit 8f959d37c1f2efec6dac55915ee82302e98101fb ] + +Some shimmer/colorful points appears when using the steamOS color +pipeline for HDR on gaming with DCN32. These points look like black +values being wrongly mapped to red/blue/green values. It was caused +because the number of hw points in regular LUTs and in a shaper LUT was +treated as the same. + +DCN3+ regular LUTs have 257 bases and implicit deltas (i.e. HW +calculates them), but shaper LUT is a special case: it has 256 bases and +256 deltas, as in DCN1-2 regular LUTs, and outputs 14-bit values. + +Fix that by setting by decreasing in 1 the number of HW points computed +in the LUT segmentation so that shaper LUT (i.e. fixpoint == true) keeps +the same DCN10 CM logic and regular LUTs go with `hw_points + 1`. + +CC: Krunoslav Kovac +Fixes: 4d5fd3d08ea9 ("drm/amd/display: PQ tail accuracy") +Signed-off-by: Melissa Wen +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit 5006505b19a2119e71c008044d59f6d753c858b9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +index 0690c346f2c52..a4f14b16564c2 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c +@@ -163,6 +163,11 @@ bool cm3_helper_translate_curve_to_hw_format( + hw_points += (1 << seg_distr[k]); + } + ++ // DCN3+ have 257 pts in lieu of no separate slope registers ++ // Prior HW had 256 base+slope pairs ++ // Shaper LUT (i.e. fixpoint == true) is still 256 bases and 256 deltas ++ hw_points = fixpoint ? (hw_points - 1) : hw_points; ++ + j = 0; + for (k = 0; k < (region_end - region_start); k++) { + increment = NUMBER_SW_SEGMENTS / (1 << seg_distr[k]); +@@ -223,8 +228,6 @@ bool cm3_helper_translate_curve_to_hw_format( + corner_points[1].green.slope = dc_fixpt_zero; + corner_points[1].blue.slope = dc_fixpt_zero; + +- // DCN3+ have 257 pts in lieu of no separate slope registers +- // Prior HW had 256 base+slope pairs + lut_params->hw_points_num = hw_points + 1; + + k = 0; +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-display-reduce-number-of-arguments-of-dcn30-.patch b/queue-6.18/drm-amd-display-reduce-number-of-arguments-of-dcn30-.patch new file mode 100644 index 0000000000..72719d049e --- /dev/null +++ b/queue-6.18/drm-amd-display-reduce-number-of-arguments-of-dcn30-.patch @@ -0,0 +1,613 @@ +From 4130649a9e49c438c5d4a7f8f2f8c50025385d93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Dec 2025 19:58:10 +0900 +Subject: drm/amd/display: Reduce number of arguments of dcn30's + CalculatePrefetchSchedule() + +From: Nathan Chancellor + +[ Upstream commit f54a91f5337cd918eb86cf600320d25b6cfd8209 ] + +After an innocuous optimization change in clang-22, +dml30_ModeSupportAndSystemConfigurationFull() is over the 2048 byte +stack limit for display_mode_vba_30.c. + + drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn30/display_mode_vba_30.c:3529:6: warning: stack frame size (2096) exceeds limit (2048) in 'dml30_ModeSupportAndSystemConfigurationFull' [-Wframe-larger-than] + 3529 | void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) + | ^ + +With clang-21, this function was already close to the limit: + + drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn30/display_mode_vba_30.c:3529:6: warning: stack frame size (1912) exceeds limit (1586) in 'dml30_ModeSupportAndSystemConfigurationFull' [-Wframe-larger-than] + 3529 | void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) + | ^ + +CalculatePrefetchSchedule() has a large number of parameters, which must +be passed on the stack. Most of the parameters between the two callsites +are the same, so they can be accessed through the existing mode_lib +pointer, instead of being passed as explicit arguments. Doing this +reduces the stack size of dml30_ModeSupportAndSystemConfigurationFull() +from 2096 bytes to 1912 bytes with clang-22. + +Closes: https://github.com/ClangBuiltLinux/linux/issues/2117 +Signed-off-by: Nathan Chancellor +Signed-off-by: Alex Deucher +(cherry picked from commit b20b3fc4210f83089f835cdb91deec4b0778761a) +Signed-off-by: Sasha Levin +--- + .../dc/dml/dcn30/display_mode_vba_30.c | 258 +++++------------- + 1 file changed, 73 insertions(+), 185 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +index 8d24763938ea6..2d19bb8de59c8 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +@@ -77,32 +77,14 @@ static unsigned int dscceComputeDelay( + static unsigned int dscComputeDelay( + enum output_format_class pixelFormat, + enum output_encoder_class Output); +-// Super monster function with some 45 argument + static bool CalculatePrefetchSchedule( + struct display_mode_lib *mode_lib, +- double PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyPixelMixedWithVMData, +- double PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyVMDataOnly, ++ unsigned int k, + Pipe *myPipe, + unsigned int DSCDelay, +- double DPPCLKDelaySubtotalPlusCNVCFormater, +- double DPPCLKDelaySCL, +- double DPPCLKDelaySCLLBOnly, +- double DPPCLKDelayCNVCCursor, +- double DISPCLKDelaySubtotal, + unsigned int DPP_RECOUT_WIDTH, +- enum output_format_class OutputFormat, +- unsigned int MaxInterDCNTileRepeaters, + unsigned int VStartup, + unsigned int MaxVStartup, +- unsigned int GPUVMPageTableLevels, +- bool GPUVMEnable, +- bool HostVMEnable, +- unsigned int HostVMMaxNonCachedPageTableLevels, +- double HostVMMinPageSize, +- bool DynamicMetadataEnable, +- bool DynamicMetadataVMEnabled, +- int DynamicMetadataLinesBeforeActiveRequired, +- unsigned int DynamicMetadataTransmittedBytes, + double UrgentLatency, + double UrgentExtraLatency, + double TCalc, +@@ -116,7 +98,6 @@ static bool CalculatePrefetchSchedule( + unsigned int MaxNumSwathY, + double PrefetchSourceLinesC, + unsigned int SwathWidthC, +- int BytePerPixelC, + double VInitPreFillC, + unsigned int MaxNumSwathC, + long swath_width_luma_ub, +@@ -124,9 +105,6 @@ static bool CalculatePrefetchSchedule( + unsigned int SwathHeightY, + unsigned int SwathHeightC, + double TWait, +- bool ProgressiveToInterlaceUnitInOPP, +- double *DSTXAfterScaler, +- double *DSTYAfterScaler, + double *DestinationLinesForPrefetch, + double *PrefetchBandwidth, + double *DestinationLinesToRequestVMInVBlank, +@@ -135,14 +113,7 @@ static bool CalculatePrefetchSchedule( + double *VRatioPrefetchC, + double *RequiredPrefetchPixDataBWLuma, + double *RequiredPrefetchPixDataBWChroma, +- bool *NotEnoughTimeForDynamicMetadata, +- double *Tno_bw, +- double *prefetch_vmrow_bw, +- double *Tdmdl_vm, +- double *Tdmdl, +- unsigned int *VUpdateOffsetPix, +- double *VUpdateWidthPix, +- double *VReadyOffsetPix); ++ bool *NotEnoughTimeForDynamicMetadata); + static double RoundToDFSGranularityUp(double Clock, double VCOSpeed); + static double RoundToDFSGranularityDown(double Clock, double VCOSpeed); + static void CalculateDCCConfiguration( +@@ -810,29 +781,12 @@ static unsigned int dscComputeDelay(enum output_format_class pixelFormat, enum o + + static bool CalculatePrefetchSchedule( + struct display_mode_lib *mode_lib, +- double PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyPixelMixedWithVMData, +- double PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyVMDataOnly, ++ unsigned int k, + Pipe *myPipe, + unsigned int DSCDelay, +- double DPPCLKDelaySubtotalPlusCNVCFormater, +- double DPPCLKDelaySCL, +- double DPPCLKDelaySCLLBOnly, +- double DPPCLKDelayCNVCCursor, +- double DISPCLKDelaySubtotal, + unsigned int DPP_RECOUT_WIDTH, +- enum output_format_class OutputFormat, +- unsigned int MaxInterDCNTileRepeaters, + unsigned int VStartup, + unsigned int MaxVStartup, +- unsigned int GPUVMPageTableLevels, +- bool GPUVMEnable, +- bool HostVMEnable, +- unsigned int HostVMMaxNonCachedPageTableLevels, +- double HostVMMinPageSize, +- bool DynamicMetadataEnable, +- bool DynamicMetadataVMEnabled, +- int DynamicMetadataLinesBeforeActiveRequired, +- unsigned int DynamicMetadataTransmittedBytes, + double UrgentLatency, + double UrgentExtraLatency, + double TCalc, +@@ -846,7 +800,6 @@ static bool CalculatePrefetchSchedule( + unsigned int MaxNumSwathY, + double PrefetchSourceLinesC, + unsigned int SwathWidthC, +- int BytePerPixelC, + double VInitPreFillC, + unsigned int MaxNumSwathC, + long swath_width_luma_ub, +@@ -854,9 +807,6 @@ static bool CalculatePrefetchSchedule( + unsigned int SwathHeightY, + unsigned int SwathHeightC, + double TWait, +- bool ProgressiveToInterlaceUnitInOPP, +- double *DSTXAfterScaler, +- double *DSTYAfterScaler, + double *DestinationLinesForPrefetch, + double *PrefetchBandwidth, + double *DestinationLinesToRequestVMInVBlank, +@@ -865,15 +815,10 @@ static bool CalculatePrefetchSchedule( + double *VRatioPrefetchC, + double *RequiredPrefetchPixDataBWLuma, + double *RequiredPrefetchPixDataBWChroma, +- bool *NotEnoughTimeForDynamicMetadata, +- double *Tno_bw, +- double *prefetch_vmrow_bw, +- double *Tdmdl_vm, +- double *Tdmdl, +- unsigned int *VUpdateOffsetPix, +- double *VUpdateWidthPix, +- double *VReadyOffsetPix) ++ bool *NotEnoughTimeForDynamicMetadata) + { ++ struct vba_vars_st *v = &mode_lib->vba; ++ double DPPCLKDelaySubtotalPlusCNVCFormater = v->DPPCLKDelaySubtotal + v->DPPCLKDelayCNVCFormater; + bool MyError = false; + unsigned int DPPCycles = 0, DISPCLKCycles = 0; + double DSTTotalPixelsAfterScaler = 0; +@@ -905,26 +850,26 @@ static bool CalculatePrefetchSchedule( + double Tdmec = 0; + double Tdmsks = 0; + +- if (GPUVMEnable == true && HostVMEnable == true) { +- HostVMInefficiencyFactor = PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyPixelMixedWithVMData / PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyVMDataOnly; +- HostVMDynamicLevelsTrips = HostVMMaxNonCachedPageTableLevels; ++ if (v->GPUVMEnable == true && v->HostVMEnable == true) { ++ HostVMInefficiencyFactor = v->PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyPixelMixedWithVMData / v->PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyVMDataOnly; ++ HostVMDynamicLevelsTrips = v->HostVMMaxNonCachedPageTableLevels; + } else { + HostVMInefficiencyFactor = 1; + HostVMDynamicLevelsTrips = 0; + } + + CalculateDynamicMetadataParameters( +- MaxInterDCNTileRepeaters, ++ v->MaxInterDCNTileRepeaters, + myPipe->DPPCLK, + myPipe->DISPCLK, + myPipe->DCFCLKDeepSleep, + myPipe->PixelClock, + myPipe->HTotal, + myPipe->VBlank, +- DynamicMetadataTransmittedBytes, +- DynamicMetadataLinesBeforeActiveRequired, ++ v->DynamicMetadataTransmittedBytes[k], ++ v->DynamicMetadataLinesBeforeActiveRequired[k], + myPipe->InterlaceEnable, +- ProgressiveToInterlaceUnitInOPP, ++ v->ProgressiveToInterlaceUnitInOPP, + &Tsetup, + &Tdmbf, + &Tdmec, +@@ -932,16 +877,16 @@ static bool CalculatePrefetchSchedule( + + LineTime = myPipe->HTotal / myPipe->PixelClock; + trip_to_mem = UrgentLatency; +- Tvm_trips = UrgentExtraLatency + trip_to_mem * (GPUVMPageTableLevels * (HostVMDynamicLevelsTrips + 1) - 1); ++ Tvm_trips = UrgentExtraLatency + trip_to_mem * (v->GPUVMMaxPageTableLevels * (HostVMDynamicLevelsTrips + 1) - 1); + +- if (DynamicMetadataVMEnabled == true && GPUVMEnable == true) { +- *Tdmdl = TWait + Tvm_trips + trip_to_mem; ++ if (v->DynamicMetadataVMEnabled == true && v->GPUVMEnable == true) { ++ v->Tdmdl[k] = TWait + Tvm_trips + trip_to_mem; + } else { +- *Tdmdl = TWait + UrgentExtraLatency; ++ v->Tdmdl[k] = TWait + UrgentExtraLatency; + } + +- if (DynamicMetadataEnable == true) { +- if (VStartup * LineTime < Tsetup + *Tdmdl + Tdmbf + Tdmec + Tdmsks) { ++ if (v->DynamicMetadataEnable[k] == true) { ++ if (VStartup * LineTime < Tsetup + v->Tdmdl[k] + Tdmbf + Tdmec + Tdmsks) { + *NotEnoughTimeForDynamicMetadata = true; + } else { + *NotEnoughTimeForDynamicMetadata = false; +@@ -949,39 +894,39 @@ static bool CalculatePrefetchSchedule( + dml_print("DML: Tdmbf: %fus - time for dmd transfer from dchub to dio output buffer\n", Tdmbf); + dml_print("DML: Tdmec: %fus - time dio takes to transfer dmd\n", Tdmec); + dml_print("DML: Tdmsks: %fus - time before active dmd must complete transmission at dio\n", Tdmsks); +- dml_print("DML: Tdmdl: %fus - time for fabric to become ready and fetch dmd \n", *Tdmdl); ++ dml_print("DML: Tdmdl: %fus - time for fabric to become ready and fetch dmd \n", v->Tdmdl[k]); + } + } else { + *NotEnoughTimeForDynamicMetadata = false; + } + +- *Tdmdl_vm = (DynamicMetadataEnable == true && DynamicMetadataVMEnabled == true && GPUVMEnable == true ? TWait + Tvm_trips : 0); ++ v->Tdmdl_vm[k] = (v->DynamicMetadataEnable[k] == true && v->DynamicMetadataVMEnabled == true && v->GPUVMEnable == true ? TWait + Tvm_trips : 0); + + if (myPipe->ScalerEnabled) +- DPPCycles = DPPCLKDelaySubtotalPlusCNVCFormater + DPPCLKDelaySCL; ++ DPPCycles = DPPCLKDelaySubtotalPlusCNVCFormater + v->DPPCLKDelaySCL; + else +- DPPCycles = DPPCLKDelaySubtotalPlusCNVCFormater + DPPCLKDelaySCLLBOnly; ++ DPPCycles = DPPCLKDelaySubtotalPlusCNVCFormater + v->DPPCLKDelaySCLLBOnly; + +- DPPCycles = DPPCycles + myPipe->NumberOfCursors * DPPCLKDelayCNVCCursor; ++ DPPCycles = DPPCycles + myPipe->NumberOfCursors * v->DPPCLKDelayCNVCCursor; + +- DISPCLKCycles = DISPCLKDelaySubtotal; ++ DISPCLKCycles = v->DISPCLKDelaySubtotal; + + if (myPipe->DPPCLK == 0.0 || myPipe->DISPCLK == 0.0) + return true; + +- *DSTXAfterScaler = DPPCycles * myPipe->PixelClock / myPipe->DPPCLK + DISPCLKCycles * myPipe->PixelClock / myPipe->DISPCLK ++ v->DSTXAfterScaler[k] = DPPCycles * myPipe->PixelClock / myPipe->DPPCLK + DISPCLKCycles * myPipe->PixelClock / myPipe->DISPCLK + + DSCDelay; + +- *DSTXAfterScaler = *DSTXAfterScaler + ((myPipe->ODMCombineEnabled)?18:0) + (myPipe->DPPPerPlane - 1) * DPP_RECOUT_WIDTH; ++ v->DSTXAfterScaler[k] = v->DSTXAfterScaler[k] + ((myPipe->ODMCombineEnabled)?18:0) + (myPipe->DPPPerPlane - 1) * DPP_RECOUT_WIDTH; + +- if (OutputFormat == dm_420 || (myPipe->InterlaceEnable && ProgressiveToInterlaceUnitInOPP)) +- *DSTYAfterScaler = 1; ++ if (v->OutputFormat[k] == dm_420 || (myPipe->InterlaceEnable && v->ProgressiveToInterlaceUnitInOPP)) ++ v->DSTYAfterScaler[k] = 1; + else +- *DSTYAfterScaler = 0; ++ v->DSTYAfterScaler[k] = 0; + +- DSTTotalPixelsAfterScaler = *DSTYAfterScaler * myPipe->HTotal + *DSTXAfterScaler; +- *DSTYAfterScaler = dml_floor(DSTTotalPixelsAfterScaler / myPipe->HTotal, 1); +- *DSTXAfterScaler = DSTTotalPixelsAfterScaler - ((double) (*DSTYAfterScaler * myPipe->HTotal)); ++ DSTTotalPixelsAfterScaler = v->DSTYAfterScaler[k] * myPipe->HTotal + v->DSTXAfterScaler[k]; ++ v->DSTYAfterScaler[k] = dml_floor(DSTTotalPixelsAfterScaler / myPipe->HTotal, 1); ++ v->DSTXAfterScaler[k] = DSTTotalPixelsAfterScaler - ((double) (v->DSTYAfterScaler[k] * myPipe->HTotal)); + + MyError = false; + +@@ -990,33 +935,33 @@ static bool CalculatePrefetchSchedule( + Tvm_trips_rounded = dml_ceil(4.0 * Tvm_trips / LineTime, 1) / 4 * LineTime; + Tr0_trips_rounded = dml_ceil(4.0 * Tr0_trips / LineTime, 1) / 4 * LineTime; + +- if (GPUVMEnable) { +- if (GPUVMPageTableLevels >= 3) { +- *Tno_bw = UrgentExtraLatency + trip_to_mem * ((GPUVMPageTableLevels - 2) - 1); ++ if (v->GPUVMEnable) { ++ if (v->GPUVMMaxPageTableLevels >= 3) { ++ v->Tno_bw[k] = UrgentExtraLatency + trip_to_mem * ((v->GPUVMMaxPageTableLevels - 2) - 1); + } else +- *Tno_bw = 0; ++ v->Tno_bw[k] = 0; + } else if (!myPipe->DCCEnable) +- *Tno_bw = LineTime; ++ v->Tno_bw[k] = LineTime; + else +- *Tno_bw = LineTime / 4; ++ v->Tno_bw[k] = LineTime / 4; + +- dst_y_prefetch_equ = VStartup - (Tsetup + dml_max(TWait + TCalc, *Tdmdl)) / LineTime +- - (*DSTYAfterScaler + *DSTXAfterScaler / myPipe->HTotal); ++ dst_y_prefetch_equ = VStartup - (Tsetup + dml_max(TWait + TCalc, v->Tdmdl[k])) / LineTime ++ - (v->DSTYAfterScaler[k] + v->DSTXAfterScaler[k] / myPipe->HTotal); + dst_y_prefetch_equ = dml_min(dst_y_prefetch_equ, 63.75); // limit to the reg limit of U6.2 for DST_Y_PREFETCH + + Lsw_oto = dml_max(PrefetchSourceLinesY, PrefetchSourceLinesC); + Tsw_oto = Lsw_oto * LineTime; + +- prefetch_bw_oto = (PrefetchSourceLinesY * swath_width_luma_ub * BytePerPixelY + PrefetchSourceLinesC * swath_width_chroma_ub * BytePerPixelC) / Tsw_oto; ++ prefetch_bw_oto = (PrefetchSourceLinesY * swath_width_luma_ub * BytePerPixelY + PrefetchSourceLinesC * swath_width_chroma_ub * v->BytePerPixelC[k]) / Tsw_oto; + +- if (GPUVMEnable == true) { +- Tvm_oto = dml_max3(*Tno_bw + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / prefetch_bw_oto, ++ if (v->GPUVMEnable == true) { ++ Tvm_oto = dml_max3(v->Tno_bw[k] + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / prefetch_bw_oto, + Tvm_trips, + LineTime / 4.0); + } else + Tvm_oto = LineTime / 4.0; + +- if ((GPUVMEnable == true || myPipe->DCCEnable == true)) { ++ if ((v->GPUVMEnable == true || myPipe->DCCEnable == true)) { + Tr0_oto = dml_max3( + (MetaRowByte + PixelPTEBytesPerRow * HostVMInefficiencyFactor) / prefetch_bw_oto, + LineTime - Tvm_oto, LineTime / 4); +@@ -1042,10 +987,10 @@ static bool CalculatePrefetchSchedule( + dml_print("DML: Tdmbf: %fus - time for dmd transfer from dchub to dio output buffer\n", Tdmbf); + dml_print("DML: Tdmec: %fus - time dio takes to transfer dmd\n", Tdmec); + dml_print("DML: Tdmsks: %fus - time before active dmd must complete transmission at dio\n", Tdmsks); +- dml_print("DML: Tdmdl_vm: %fus - time for vm stages of dmd \n", *Tdmdl_vm); +- dml_print("DML: Tdmdl: %fus - time for fabric to become ready and fetch dmd \n", *Tdmdl); +- dml_print("DML: dst_x_after_scl: %f pixels - number of pixel clocks pipeline and buffer delay after scaler \n", *DSTXAfterScaler); +- dml_print("DML: dst_y_after_scl: %d lines - number of lines of pipeline and buffer delay after scaler \n", (int)*DSTYAfterScaler); ++ dml_print("DML: Tdmdl_vm: %fus - time for vm stages of dmd \n", v->Tdmdl_vm[k]); ++ dml_print("DML: Tdmdl: %fus - time for fabric to become ready and fetch dmd \n", v->Tdmdl[k]); ++ dml_print("DML: dst_x_after_scl: %f pixels - number of pixel clocks pipeline and buffer delay after scaler \n", v->DSTXAfterScaler[k]); ++ dml_print("DML: dst_y_after_scl: %d lines - number of lines of pipeline and buffer delay after scaler \n", (int)v->DSTYAfterScaler[k]); + + *PrefetchBandwidth = 0; + *DestinationLinesToRequestVMInVBlank = 0; +@@ -1059,26 +1004,26 @@ static bool CalculatePrefetchSchedule( + double PrefetchBandwidth3 = 0; + double PrefetchBandwidth4 = 0; + +- if (Tpre_rounded - *Tno_bw > 0) ++ if (Tpre_rounded - v->Tno_bw[k] > 0) + PrefetchBandwidth1 = (PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor + 2 * MetaRowByte + + 2 * PixelPTEBytesPerRow * HostVMInefficiencyFactor + + PrefetchSourceLinesY * swath_width_luma_ub * BytePerPixelY +- + PrefetchSourceLinesC * swath_width_chroma_ub * BytePerPixelC) +- / (Tpre_rounded - *Tno_bw); ++ + PrefetchSourceLinesC * swath_width_chroma_ub * v->BytePerPixelC[k]) ++ / (Tpre_rounded - v->Tno_bw[k]); + else + PrefetchBandwidth1 = 0; + +- if (VStartup == MaxVStartup && (PrefetchBandwidth1 > 4 * prefetch_bw_oto) && (Tpre_rounded - Tsw_oto / 4 - 0.75 * LineTime - *Tno_bw) > 0) { +- PrefetchBandwidth1 = (PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor + 2 * MetaRowByte + 2 * PixelPTEBytesPerRow * HostVMInefficiencyFactor) / (Tpre_rounded - Tsw_oto / 4 - 0.75 * LineTime - *Tno_bw); ++ if (VStartup == MaxVStartup && (PrefetchBandwidth1 > 4 * prefetch_bw_oto) && (Tpre_rounded - Tsw_oto / 4 - 0.75 * LineTime - v->Tno_bw[k]) > 0) { ++ PrefetchBandwidth1 = (PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor + 2 * MetaRowByte + 2 * PixelPTEBytesPerRow * HostVMInefficiencyFactor) / (Tpre_rounded - Tsw_oto / 4 - 0.75 * LineTime - v->Tno_bw[k]); + } + +- if (Tpre_rounded - *Tno_bw - 2 * Tr0_trips_rounded > 0) ++ if (Tpre_rounded - v->Tno_bw[k] - 2 * Tr0_trips_rounded > 0) + PrefetchBandwidth2 = (PDEAndMetaPTEBytesFrame * + HostVMInefficiencyFactor + PrefetchSourceLinesY * + swath_width_luma_ub * BytePerPixelY + + PrefetchSourceLinesC * swath_width_chroma_ub * +- BytePerPixelC) / +- (Tpre_rounded - *Tno_bw - 2 * Tr0_trips_rounded); ++ v->BytePerPixelC[k]) / ++ (Tpre_rounded - v->Tno_bw[k] - 2 * Tr0_trips_rounded); + else + PrefetchBandwidth2 = 0; + +@@ -1086,7 +1031,7 @@ static bool CalculatePrefetchSchedule( + PrefetchBandwidth3 = (2 * MetaRowByte + 2 * PixelPTEBytesPerRow * + HostVMInefficiencyFactor + PrefetchSourceLinesY * + swath_width_luma_ub * BytePerPixelY + PrefetchSourceLinesC * +- swath_width_chroma_ub * BytePerPixelC) / (Tpre_rounded - ++ swath_width_chroma_ub * v->BytePerPixelC[k]) / (Tpre_rounded - + Tvm_trips_rounded); + else + PrefetchBandwidth3 = 0; +@@ -1096,7 +1041,7 @@ static bool CalculatePrefetchSchedule( + } + + if (Tpre_rounded - Tvm_trips_rounded - 2 * Tr0_trips_rounded > 0) +- PrefetchBandwidth4 = (PrefetchSourceLinesY * swath_width_luma_ub * BytePerPixelY + PrefetchSourceLinesC * swath_width_chroma_ub * BytePerPixelC) ++ PrefetchBandwidth4 = (PrefetchSourceLinesY * swath_width_luma_ub * BytePerPixelY + PrefetchSourceLinesC * swath_width_chroma_ub * v->BytePerPixelC[k]) + / (Tpre_rounded - Tvm_trips_rounded - 2 * Tr0_trips_rounded); + else + PrefetchBandwidth4 = 0; +@@ -1107,7 +1052,7 @@ static bool CalculatePrefetchSchedule( + bool Case3OK; + + if (PrefetchBandwidth1 > 0) { +- if (*Tno_bw + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / PrefetchBandwidth1 ++ if (v->Tno_bw[k] + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / PrefetchBandwidth1 + >= Tvm_trips_rounded && (MetaRowByte + PixelPTEBytesPerRow * HostVMInefficiencyFactor) / PrefetchBandwidth1 >= Tr0_trips_rounded) { + Case1OK = true; + } else { +@@ -1118,7 +1063,7 @@ static bool CalculatePrefetchSchedule( + } + + if (PrefetchBandwidth2 > 0) { +- if (*Tno_bw + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / PrefetchBandwidth2 ++ if (v->Tno_bw[k] + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / PrefetchBandwidth2 + >= Tvm_trips_rounded && (MetaRowByte + PixelPTEBytesPerRow * HostVMInefficiencyFactor) / PrefetchBandwidth2 < Tr0_trips_rounded) { + Case2OK = true; + } else { +@@ -1129,7 +1074,7 @@ static bool CalculatePrefetchSchedule( + } + + if (PrefetchBandwidth3 > 0) { +- if (*Tno_bw + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / PrefetchBandwidth3 ++ if (v->Tno_bw[k] + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / PrefetchBandwidth3 + < Tvm_trips_rounded && (MetaRowByte + PixelPTEBytesPerRow * HostVMInefficiencyFactor) / PrefetchBandwidth3 >= Tr0_trips_rounded) { + Case3OK = true; + } else { +@@ -1152,13 +1097,13 @@ static bool CalculatePrefetchSchedule( + dml_print("DML: prefetch_bw_equ: %f\n", prefetch_bw_equ); + + if (prefetch_bw_equ > 0) { +- if (GPUVMEnable) { +- Tvm_equ = dml_max3(*Tno_bw + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / prefetch_bw_equ, Tvm_trips, LineTime / 4); ++ if (v->GPUVMEnable) { ++ Tvm_equ = dml_max3(v->Tno_bw[k] + PDEAndMetaPTEBytesFrame * HostVMInefficiencyFactor / prefetch_bw_equ, Tvm_trips, LineTime / 4); + } else { + Tvm_equ = LineTime / 4; + } + +- if ((GPUVMEnable || myPipe->DCCEnable)) { ++ if ((v->GPUVMEnable || myPipe->DCCEnable)) { + Tr0_equ = dml_max4( + (MetaRowByte + PixelPTEBytesPerRow * HostVMInefficiencyFactor) / prefetch_bw_equ, + Tr0_trips, +@@ -1227,7 +1172,7 @@ static bool CalculatePrefetchSchedule( + } + + *RequiredPrefetchPixDataBWLuma = (double) PrefetchSourceLinesY / LinesToRequestPrefetchPixelData * BytePerPixelY * swath_width_luma_ub / LineTime; +- *RequiredPrefetchPixDataBWChroma = (double) PrefetchSourceLinesC / LinesToRequestPrefetchPixelData * BytePerPixelC * swath_width_chroma_ub / LineTime; ++ *RequiredPrefetchPixDataBWChroma = (double) PrefetchSourceLinesC / LinesToRequestPrefetchPixelData * v->BytePerPixelC[k] * swath_width_chroma_ub / LineTime; + } else { + MyError = true; + dml_print("DML: MyErr set %s:%d\n", __FILE__, __LINE__); +@@ -1243,9 +1188,9 @@ static bool CalculatePrefetchSchedule( + dml_print("DML: Tr0: %fus - time to fetch first row of data pagetables and first row of meta data (done in parallel)\n", TimeForFetchingRowInVBlank); + dml_print("DML: Tr1: %fus - time to fetch second row of data pagetables and second row of meta data (done in parallel)\n", TimeForFetchingRowInVBlank); + dml_print("DML: Tsw: %fus = time to fetch enough pixel data and cursor data to feed the scalers init position and detile\n", (double)LinesToRequestPrefetchPixelData * LineTime); +- dml_print("DML: To: %fus - time for propagation from scaler to optc\n", (*DSTYAfterScaler + ((*DSTXAfterScaler) / (double) myPipe->HTotal)) * LineTime); ++ dml_print("DML: To: %fus - time for propagation from scaler to optc\n", (v->DSTYAfterScaler[k] + ((v->DSTXAfterScaler[k]) / (double) myPipe->HTotal)) * LineTime); + dml_print("DML: Tvstartup - Tsetup - Tcalc - Twait - Tpre - To > 0\n"); +- dml_print("DML: Tslack(pre): %fus - time left over in schedule\n", VStartup * LineTime - TimeForFetchingMetaPTE - 2 * TimeForFetchingRowInVBlank - (*DSTYAfterScaler + ((*DSTXAfterScaler) / (double) myPipe->HTotal)) * LineTime - TWait - TCalc - Tsetup); ++ dml_print("DML: Tslack(pre): %fus - time left over in schedule\n", VStartup * LineTime - TimeForFetchingMetaPTE - 2 * TimeForFetchingRowInVBlank - (v->DSTYAfterScaler[k] + ((v->DSTXAfterScaler[k]) / (double) myPipe->HTotal)) * LineTime - TWait - TCalc - Tsetup); + dml_print("DML: row_bytes = dpte_row_bytes (per_pipe) = PixelPTEBytesPerRow = : %d\n", PixelPTEBytesPerRow); + + } else { +@@ -1276,7 +1221,7 @@ static bool CalculatePrefetchSchedule( + dml_print("DML: MyErr set %s:%d\n", __FILE__, __LINE__); + } + +- *prefetch_vmrow_bw = dml_max(prefetch_vm_bw, prefetch_row_bw); ++ v->prefetch_vmrow_bw[k] = dml_max(prefetch_vm_bw, prefetch_row_bw); + } + + if (MyError) { +@@ -2437,30 +2382,12 @@ static void DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPerforman + + v->ErrorResult[k] = CalculatePrefetchSchedule( + mode_lib, +- v->PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyPixelMixedWithVMData, +- v->PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyVMDataOnly, ++ k, + &myPipe, + v->DSCDelay[k], +- v->DPPCLKDelaySubtotal +- + v->DPPCLKDelayCNVCFormater, +- v->DPPCLKDelaySCL, +- v->DPPCLKDelaySCLLBOnly, +- v->DPPCLKDelayCNVCCursor, +- v->DISPCLKDelaySubtotal, + (unsigned int) (v->SwathWidthY[k] / v->HRatio[k]), +- v->OutputFormat[k], +- v->MaxInterDCNTileRepeaters, + dml_min(v->VStartupLines, v->MaxVStartupLines[k]), + v->MaxVStartupLines[k], +- v->GPUVMMaxPageTableLevels, +- v->GPUVMEnable, +- v->HostVMEnable, +- v->HostVMMaxNonCachedPageTableLevels, +- v->HostVMMinPageSize, +- v->DynamicMetadataEnable[k], +- v->DynamicMetadataVMEnabled, +- v->DynamicMetadataLinesBeforeActiveRequired[k], +- v->DynamicMetadataTransmittedBytes[k], + v->UrgentLatency, + v->UrgentExtraLatency, + v->TCalc, +@@ -2474,7 +2401,6 @@ static void DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPerforman + v->MaxNumSwathY[k], + v->PrefetchSourceLinesC[k], + v->SwathWidthC[k], +- v->BytePerPixelC[k], + v->VInitPreFillC[k], + v->MaxNumSwathC[k], + v->swath_width_luma_ub[k], +@@ -2482,9 +2408,6 @@ static void DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPerforman + v->SwathHeightY[k], + v->SwathHeightC[k], + TWait, +- v->ProgressiveToInterlaceUnitInOPP, +- &v->DSTXAfterScaler[k], +- &v->DSTYAfterScaler[k], + &v->DestinationLinesForPrefetch[k], + &v->PrefetchBandwidth[k], + &v->DestinationLinesToRequestVMInVBlank[k], +@@ -2493,14 +2416,7 @@ static void DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPerforman + &v->VRatioPrefetchC[k], + &v->RequiredPrefetchPixDataBWLuma[k], + &v->RequiredPrefetchPixDataBWChroma[k], +- &v->NotEnoughTimeForDynamicMetadata[k], +- &v->Tno_bw[k], +- &v->prefetch_vmrow_bw[k], +- &v->Tdmdl_vm[k], +- &v->Tdmdl[k], +- &v->VUpdateOffsetPix[k], +- &v->VUpdateWidthPix[k], +- &v->VReadyOffsetPix[k]); ++ &v->NotEnoughTimeForDynamicMetadata[k]); + if (v->BlendingAndTiming[k] == k) { + double TotalRepeaterDelayTime = v->MaxInterDCNTileRepeaters * (2 / v->DPPCLK[k] + 3 / v->DISPCLK); + v->VUpdateWidthPix[k] = (14 / v->DCFCLKDeepSleep + 12 / v->DPPCLK[k] + TotalRepeaterDelayTime) * v->PixelClock[k]; +@@ -4770,29 +4686,12 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + + v->NoTimeForPrefetch[i][j][k] = CalculatePrefetchSchedule( + mode_lib, +- v->PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyPixelMixedWithVMData, +- v->PercentOfIdealDRAMFabricAndSDPPortBWReceivedAfterUrgLatencyVMDataOnly, ++ k, + &myPipe, + v->DSCDelayPerState[i][k], +- v->DPPCLKDelaySubtotal + v->DPPCLKDelayCNVCFormater, +- v->DPPCLKDelaySCL, +- v->DPPCLKDelaySCLLBOnly, +- v->DPPCLKDelayCNVCCursor, +- v->DISPCLKDelaySubtotal, + v->SwathWidthYThisState[k] / v->HRatio[k], +- v->OutputFormat[k], +- v->MaxInterDCNTileRepeaters, + dml_min(v->MaxVStartup, v->MaximumVStartup[i][j][k]), + v->MaximumVStartup[i][j][k], +- v->GPUVMMaxPageTableLevels, +- v->GPUVMEnable, +- v->HostVMEnable, +- v->HostVMMaxNonCachedPageTableLevels, +- v->HostVMMinPageSize, +- v->DynamicMetadataEnable[k], +- v->DynamicMetadataVMEnabled, +- v->DynamicMetadataLinesBeforeActiveRequired[k], +- v->DynamicMetadataTransmittedBytes[k], + v->UrgLatency[i], + v->ExtraLatency, + v->TimeCalc, +@@ -4806,7 +4705,6 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + v->MaxNumSwY[k], + v->PrefetchLinesC[i][j][k], + v->SwathWidthCThisState[k], +- v->BytePerPixelC[k], + v->PrefillC[k], + v->MaxNumSwC[k], + v->swath_width_luma_ub_this_state[k], +@@ -4814,9 +4712,6 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + v->SwathHeightYThisState[k], + v->SwathHeightCThisState[k], + v->TWait, +- v->ProgressiveToInterlaceUnitInOPP, +- &v->DSTXAfterScaler[k], +- &v->DSTYAfterScaler[k], + &v->LineTimesForPrefetch[k], + &v->PrefetchBW[k], + &v->LinesForMetaPTE[k], +@@ -4825,14 +4720,7 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + &v->VRatioPreC[i][j][k], + &v->RequiredPrefetchPixelDataBWLuma[i][j][k], + &v->RequiredPrefetchPixelDataBWChroma[i][j][k], +- &v->NoTimeForDynamicMetadata[i][j][k], +- &v->Tno_bw[k], +- &v->prefetch_vmrow_bw[k], +- &v->Tdmdl_vm[k], +- &v->Tdmdl[k], +- &v->VUpdateOffsetPix[k], +- &v->VUpdateWidthPix[k], +- &v->VReadyOffsetPix[k]); ++ &v->NoTimeForDynamicMetadata[i][j][k]); + } + + for (k = 0; k <= v->NumberOfActivePlanes - 1; k++) { +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch b/queue-6.18/drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch new file mode 100644 index 0000000000..3713f6010f --- /dev/null +++ b/queue-6.18/drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch @@ -0,0 +1,92 @@ +From 289c2ac42060bbd82ba999b9955f3d62b8a82aba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 16:43:49 +0800 +Subject: drm/amd/pm: Disable MMIO access during SMU Mode 1 reset + +From: Perry Yuan + +[ Upstream commit 0de604d0357d0d22cbf03af1077d174b641707b6 ] + +During Mode 1 reset, the ASIC undergoes a reset cycle and becomes +temporarily inaccessible via PCIe. Any attempt to access MMIO registers +during this window (e.g., from interrupt handlers or other driver threads) +can result in uncompleted PCIe transactions, leading to NMI panics or +system hangs. + +To prevent this, set the `no_hw_access` flag to true immediately after +triggering the reset. This signals other driver components to skip +register accesses while the device is offline. + +A memory barrier `smp_mb()` is added to ensure the flag update is +globally visible to all cores before the driver enters the sleep/wait +state. + +Signed-off-by: Perry Yuan +Reviewed-by: Yifan Zhang +Signed-off-by: Alex Deucher +(cherry picked from commit 7edb503fe4b6d67f47d8bb0dfafb8e699bb0f8a4) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +++ + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 7 ++++++- + drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 9 +++++++-- + 3 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 49107475af619..53b33a636971a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -5739,6 +5739,9 @@ int amdgpu_device_mode1_reset(struct amdgpu_device *adev) + if (ret) + goto mode1_reset_failed; + ++ /* enable mmio access after mode 1 reset completed */ ++ adev->no_hw_access = false; ++ + amdgpu_device_load_pci_state(adev->pdev); + ret = amdgpu_psp_wait_for_bootloader(adev); + if (ret) +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +index c1062e5f03936..8d070a9ea2c10 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +@@ -2922,8 +2922,13 @@ static int smu_v13_0_0_mode1_reset(struct smu_context *smu) + break; + } + +- if (!ret) ++ if (!ret) { ++ /* disable mmio access while doing mode 1 reset*/ ++ smu->adev->no_hw_access = true; ++ /* ensure no_hw_access is globally visible before any MMIO */ ++ smp_mb(); + msleep(SMU13_MODE1_RESET_WAIT_TIME_IN_MS); ++ } + + return ret; + } +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +index e735da7ab6126..bad8dd786bff2 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +@@ -2143,10 +2143,15 @@ static int smu_v14_0_2_mode1_reset(struct smu_context *smu) + + ret = smu_cmn_send_debug_smc_msg(smu, DEBUGSMC_MSG_Mode1Reset); + if (!ret) { +- if (amdgpu_emu_mode == 1) ++ if (amdgpu_emu_mode == 1) { + msleep(50000); +- else ++ } else { ++ /* disable mmio access while doing mode 1 reset*/ ++ smu->adev->no_hw_access = true; ++ /* ensure no_hw_access is globally visible before any MMIO */ ++ smp_mb(); + msleep(1000); ++ } + } + + return ret; +-- +2.51.0 + diff --git a/queue-6.18/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch b/queue-6.18/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch new file mode 100644 index 0000000000..73a9a5ab18 --- /dev/null +++ b/queue-6.18/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch @@ -0,0 +1,216 @@ +From 82652412aaf319faa1db4a00f82880d2e2b7fb6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 16:16:39 -0800 +Subject: drm/mgag200: fix mgag200_bmc_stop_scanout() + +From: Jacob Keller + +[ Upstream commit 0e0c8f4d16de92520623aa1ea485cadbf64e6929 ] + +The mgag200_bmc_stop_scanout() function is called by the .atomic_disable() +handler for the MGA G200 VGA BMC encoder. This function performs a few +register writes to inform the BMC of an upcoming mode change, and then +polls to wait until the BMC actually stops. + +The polling is implemented using a busy loop with udelay() and an iteration +timeout of 300, resulting in the function blocking for 300 milliseconds. + +The function gets called ultimately by the output_poll_execute work thread +for the DRM output change polling thread of the mgag200 driver: + +kworker/0:0-mm_ 3528 [000] 4555.315364: + ffffffffaa0e25b3 delay_halt.part.0+0x33 + ffffffffc03f6188 mgag200_bmc_stop_scanout+0x178 + ffffffffc087ae7a disable_outputs+0x12a + ffffffffc087c12a drm_atomic_helper_commit_tail+0x1a + ffffffffc03fa7b6 mgag200_mode_config_helper_atomic_commit_tail+0x26 + ffffffffc087c9c1 commit_tail+0x91 + ffffffffc087d51b drm_atomic_helper_commit+0x11b + ffffffffc0509694 drm_atomic_commit+0xa4 + ffffffffc05105e8 drm_client_modeset_commit_atomic+0x1e8 + ffffffffc0510ce6 drm_client_modeset_commit_locked+0x56 + ffffffffc0510e24 drm_client_modeset_commit+0x24 + ffffffffc088a743 __drm_fb_helper_restore_fbdev_mode_unlocked+0x93 + ffffffffc088a683 drm_fb_helper_hotplug_event+0xe3 + ffffffffc050f8aa drm_client_dev_hotplug+0x9a + ffffffffc088555a output_poll_execute+0x29a + ffffffffa9b35924 process_one_work+0x194 + ffffffffa9b364ee worker_thread+0x2fe + ffffffffa9b3ecad kthread+0xdd + ffffffffa9a08549 ret_from_fork+0x29 + +On a server running ptp4l with the mgag200 driver loaded, we found that +ptp4l would sometimes get blocked from execution because of this busy +waiting loop. + +Every so often, approximately once every 20 minutes -- though with large +variance -- the output_poll_execute() thread would detect some sort of +change that required performing a hotplug event which results in attempting +to stop the BMC scanout, resulting in a 300msec delay on one CPU. + +On this system, ptp4l was pinned to a single CPU. When the +output_poll_execute() thread ran on that CPU, it blocked ptp4l from +executing for its 300 millisecond duration. + +This resulted in PTP service disruptions such as failure to send a SYNC +message on time, failure to handle ANNOUNCE messages on time, and clock +check warnings from the application. All of this despite the application +being configured with FIFO_RT and a higher priority than the background +workqueue tasks. (However, note that the kernel did not use +CONFIG_PREEMPT...) + +It is unclear if the event is due to a faulty VGA connection, another bug, +or actual events causing a change in the connection. At least on the system +under test it is not a one-time event and consistently causes disruption to +the time sensitive applications. + +The function has some helpful comments explaining what steps it is +attempting to take. In particular, step 3a and 3b are explained as such: + + 3a - The third step is to verify if there is an active scan. We are + waiting on a 0 on remhsyncsts (. + + 3b - This step occurs only if the remove is actually scanning. We are + waiting for the end of the frame which is a 1 on remvsyncsts + (). + +The actual steps 3a and 3b are implemented as while loops with a +non-sleeping udelay(). The first step iterates while the tmp value at +position 0 is *not* set. That is, it keeps iterating as long as the bit is +zero. If the bit is already 0 (because there is no active scan), it will +iterate the entire 300 attempts which wastes 300 milliseconds in total. +This is opposite of what the description claims. + +The step 3b logic only executes if we do not iterate over the entire 300 +attempts in the first loop. If it does trigger, it is trying to check and +wait for a 1 on the remvsyncsts. However, again the condition is actually +inverted and it will loop as long as the bit is 1, stopping once it hits +zero (rather than the explained attempt to wait until we see a 1). + +Worse, both loops are implemented using non-sleeping waits which spin +instead of allowing the scheduler to run other processes. If the kernel is +not configured to allow arbitrary preemption, it will waste valuable CPU +time doing nothing. + +There does not appear to be any documentation for the BMC register +interface, beyond what is in the comments here. It seems more probable that +the comment here is correct and the implementation accidentally got +inverted from the intended logic. + +Reading through other DRM driver implementations, it does not appear that +the .atomic_enable or .atomic_disable handlers need to delay instead of +sleep. For example, the ast_astdp_encoder_helper_atomic_disable() function +calls ast_dp_set_phy_sleep() which uses msleep(). The "atomic" in the name +is referring to the atomic modesetting support, which is the support to +enable atomic configuration from userspace, and not to the "atomic context" +of the kernel. There is no reason to use udelay() here if a sleep would be +sufficient. + +Replace the while loops with a read_poll_timeout() based implementation +that will sleep between iterations, and which stops polling once the +condition is met (instead of looping as long as the condition is met). This +aligns with the commented behavior and avoids blocking on the CPU while +doing nothing. + +Note the RREG_DAC is implemented using a statement expression to allow +working properly with the read_poll_timeout family of functions. The other +RREG_ macros ought to be cleaned up to have better semantics, and +several places in the mgag200 driver could make use of RREG_DAC or similar +RREG_* macros should likely be cleaned up for better semantics as well, but +that task has been left as a future cleanup for a non-bugfix. + +Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)") +Suggested-by: Thomas Zimmermann +Signed-off-by: Jacob Keller +Reviewed-by: Thomas Zimmermann +Reviewed-by: Jocelyn Falempe +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20260202-jk-mgag200-fix-bad-udelay-v2-1-ce1e9665987d@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mgag200/mgag200_bmc.c | 31 +++++++++++---------------- + drivers/gpu/drm/mgag200/mgag200_drv.h | 6 ++++++ + 2 files changed, 18 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/mgag200/mgag200_bmc.c b/drivers/gpu/drm/mgag200/mgag200_bmc.c +index a689c71ff1653..bbdeb791c5b38 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_bmc.c ++++ b/drivers/gpu/drm/mgag200/mgag200_bmc.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0-only + + #include ++#include + + #include + #include +@@ -12,7 +13,7 @@ + void mgag200_bmc_stop_scanout(struct mga_device *mdev) + { + u8 tmp; +- int iter_max; ++ int ret; + + /* + * 1 - The first step is to inform the BMC of an upcoming mode +@@ -42,30 +43,22 @@ void mgag200_bmc_stop_scanout(struct mga_device *mdev) + + /* + * 3a- The third step is to verify if there is an active scan. +- * We are waiting for a 0 on remhsyncsts ). ++ * We are waiting for a 0 on remhsyncsts (). + */ +- iter_max = 300; +- while (!(tmp & 0x1) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } ++ ret = read_poll_timeout(RREG_DAC, tmp, !(tmp & 0x1), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); ++ if (ret == -ETIMEDOUT) ++ return; + + /* +- * 3b- This step occurs only if the remove is actually ++ * 3b- This step occurs only if the remote BMC is actually + * scanning. We are waiting for the end of the frame which is + * a 1 on remvsyncsts (XSPAREREG<1>) + */ +- if (iter_max) { +- iter_max = 300; +- while ((tmp & 0x2) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } +- } ++ (void)read_poll_timeout(RREG_DAC, tmp, (tmp & 0x2), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); + } + + void mgag200_bmc_start_scanout(struct mga_device *mdev) +diff --git a/drivers/gpu/drm/mgag200/mgag200_drv.h b/drivers/gpu/drm/mgag200/mgag200_drv.h +index f4bf40cd7c88a..a875c4bf8cbe4 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_drv.h ++++ b/drivers/gpu/drm/mgag200/mgag200_drv.h +@@ -111,6 +111,12 @@ + #define DAC_INDEX 0x3c00 + #define DAC_DATA 0x3c0a + ++#define RREG_DAC(reg) \ ++ ({ \ ++ WREG8(DAC_INDEX, reg); \ ++ RREG8(DAC_DATA); \ ++ }) \ ++ + #define WREG_DAC(reg, v) \ + do { \ + WREG8(DAC_INDEX, reg); \ +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-guc-fix-cfi-violation-in-debugfs-access.patch b/queue-6.18/drm-xe-guc-fix-cfi-violation-in-debugfs-access.patch new file mode 100644 index 0000000000..8abe4a5c1b --- /dev/null +++ b/queue-6.18/drm-xe-guc-fix-cfi-violation-in-debugfs-access.patch @@ -0,0 +1,82 @@ +From 36b4a9417299d65be0eac145432a23869536dfc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 10:25:48 -0800 +Subject: drm/xe/guc: Fix CFI violation in debugfs access. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniele Ceraolo Spurio + +[ Upstream commit 4cb1b327135dddf3d0ec2544ea36ed05ba2252bc ] + +xe_guc_print_info is void-returning, but the function pointer it is +assigned to expects an int-returning function, leading to the following +CFI error: + +[ 206.873690] CFI failure at guc_debugfs_show+0xa1/0xf0 [xe] +(target: xe_guc_print_info+0x0/0x370 [xe]; expected type: 0xbe3bc66a) + +Fix this by updating xe_guc_print_info to return an integer. + +Fixes: e15826bb3c2c ("drm/xe/guc: Refactor GuC debugfs initialization") +Signed-off-by: Daniele Ceraolo Spurio +Cc: Michal Wajdeczko +Cc: George D Sworo +Reviewed-by: Michal Wajdeczko +Link: https://patch.msgid.link/20260129182547.32899-2-daniele.ceraolospurio@intel.com +(cherry picked from commit dd8ea2f2ab71b98887fdc426b0651dbb1d1ea760) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_guc.c | 6 ++++-- + drivers/gpu/drm/xe/xe_guc.h | 2 +- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_guc.c b/drivers/gpu/drm/xe/xe_guc.c +index 00789844ea4d0..ae0c88da422b2 100644 +--- a/drivers/gpu/drm/xe/xe_guc.c ++++ b/drivers/gpu/drm/xe/xe_guc.c +@@ -1632,7 +1632,7 @@ int xe_guc_start(struct xe_guc *guc) + return xe_guc_submit_start(guc); + } + +-void xe_guc_print_info(struct xe_guc *guc, struct drm_printer *p) ++int xe_guc_print_info(struct xe_guc *guc, struct drm_printer *p) + { + struct xe_gt *gt = guc_to_gt(guc); + unsigned int fw_ref; +@@ -1644,7 +1644,7 @@ void xe_guc_print_info(struct xe_guc *guc, struct drm_printer *p) + if (!IS_SRIOV_VF(gt_to_xe(gt))) { + fw_ref = xe_force_wake_get(gt_to_fw(gt), XE_FW_GT); + if (!fw_ref) +- return; ++ return -EIO; + + status = xe_mmio_read32(>->mmio, GUC_STATUS); + +@@ -1672,6 +1672,8 @@ void xe_guc_print_info(struct xe_guc *guc, struct drm_printer *p) + + drm_puts(p, "\n"); + xe_guc_submit_print(guc, p); ++ ++ return 0; + } + + /** +diff --git a/drivers/gpu/drm/xe/xe_guc.h b/drivers/gpu/drm/xe/xe_guc.h +index 1cca05967e621..3b858933749bd 100644 +--- a/drivers/gpu/drm/xe/xe_guc.h ++++ b/drivers/gpu/drm/xe/xe_guc.h +@@ -45,7 +45,7 @@ int xe_guc_self_cfg32(struct xe_guc *guc, u16 key, u32 val); + int xe_guc_self_cfg64(struct xe_guc *guc, u16 key, u64 val); + void xe_guc_irq_handler(struct xe_guc *guc, const u16 iir); + void xe_guc_sanitize(struct xe_guc *guc); +-void xe_guc_print_info(struct xe_guc *guc, struct drm_printer *p); ++int xe_guc_print_info(struct xe_guc *guc, struct drm_printer *p); + int xe_guc_reset_prepare(struct xe_guc *guc); + void xe_guc_reset_wait(struct xe_guc *guc); + void xe_guc_stop_prepare(struct xe_guc *guc); +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch b/queue-6.18/drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch new file mode 100644 index 0000000000..11f98abb98 --- /dev/null +++ b/queue-6.18/drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch @@ -0,0 +1,61 @@ +From 02b95eaaa6534f44ab58056943344efd56019077 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 23:02:38 +0530 +Subject: drm/xe/pm: Disable D3Cold for BMG only on specific platforms +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Karthik Poosa + +[ Upstream commit bb36170d959fad7f663f91eb9c32a84dd86bef2b ] + +Restrict D3Cold disablement for BMG to unsupported NUC platforms, +instead of disabling it on all platforms. + +Signed-off-by: Karthik Poosa +Fixes: 3e331a6715ee ("drm/xe/pm: Temporarily disable D3Cold on BMG") +Link: https://patch.msgid.link/20260123173238.1642383-1-karthik.poosa@intel.com +Reviewed-by: Rodrigo Vivi +Signed-off-by: Rodrigo Vivi +(cherry picked from commit 39125eaf8863ab09d70c4b493f58639b08d5a897) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_pm.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c +index a58bf004aee73..a74e800846ffa 100644 +--- a/drivers/gpu/drm/xe/xe_pm.c ++++ b/drivers/gpu/drm/xe/xe_pm.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -300,9 +301,15 @@ ALLOW_ERROR_INJECTION(xe_pm_init_early, ERRNO); /* See xe_pci_probe() */ + + static u32 vram_threshold_value(struct xe_device *xe) + { +- /* FIXME: D3Cold temporarily disabled by default on BMG */ +- if (xe->info.platform == XE_BATTLEMAGE) +- return 0; ++ if (xe->info.platform == XE_BATTLEMAGE) { ++ const char *product_name; ++ ++ product_name = dmi_get_system_info(DMI_PRODUCT_NAME); ++ if (product_name && strstr(product_name, "NUC13RNG")) { ++ drm_warn(&xe->drm, "BMG + D3Cold not supported on this platform\n"); ++ return 0; ++ } ++ } + + return DEFAULT_VRAM_THRESHOLD; + } +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-query-fix-topology-query-pointer-advance.patch b/queue-6.18/drm-xe-query-fix-topology-query-pointer-advance.patch new file mode 100644 index 0000000000..25d58b37b5 --- /dev/null +++ b/queue-6.18/drm-xe-query-fix-topology-query-pointer-advance.patch @@ -0,0 +1,47 @@ +From 9d2cf2c5d04ace01ed262260dd9481f46caaef91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 04:39:08 +0000 +Subject: drm/xe/query: Fix topology query pointer advance +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuicheng Lin + +[ Upstream commit 7ee9b3e091c63da71e15c72003f1f07e467f5158 ] + +The topology query helper advanced the user pointer by the size +of the pointer, not the size of the structure. This can misalign +the output blob and corrupt the following mask. Fix the increment +to use sizeof(*topo). +There is no issue currently, as sizeof(*topo) happens to be equal +to sizeof(topo) on 64-bit systems (both evaluate to 8 bytes). + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Signed-off-by: Shuicheng Lin +Reviewed-by: Matt Roper +Link: https://patch.msgid.link/20260130043907.465128-2-shuicheng.lin@intel.com +Signed-off-by: Matt Roper +(cherry picked from commit c2a6859138e7f73ad904be17dd7d1da6cc7f06b3) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_query.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_query.c b/drivers/gpu/drm/xe/xe_query.c +index 2e9ff33ed2fe2..856089f64c341 100644 +--- a/drivers/gpu/drm/xe/xe_query.c ++++ b/drivers/gpu/drm/xe/xe_query.c +@@ -491,7 +491,7 @@ static int copy_mask(void __user **ptr, + + if (copy_to_user(*ptr, topo, sizeof(*topo))) + return -EFAULT; +- *ptr += sizeof(topo); ++ *ptr += sizeof(*topo); + + if (copy_to_user(*ptr, mask, mask_size)) + return -EFAULT; +-- +2.51.0 + diff --git a/queue-6.18/firmware-cs_dsp-factor-out-common-debugfs-string-rea.patch b/queue-6.18/firmware-cs_dsp-factor-out-common-debugfs-string-rea.patch new file mode 100644 index 0000000000..e76115141d --- /dev/null +++ b/queue-6.18/firmware-cs_dsp-factor-out-common-debugfs-string-rea.patch @@ -0,0 +1,131 @@ +From e036fd15a4cc4a98e8d5a46c7867bd2808f4a588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 13:06:39 +0000 +Subject: firmware: cs_dsp: Factor out common debugfs string read + +From: Richard Fitzgerald + +[ Upstream commit 78cfd833bc04c0398ca4cfc64704350aebe4d4c2 ] + +cs_dsp_debugfs_wmfw_read() and cs_dsp_debugfs_bin_read() were identical +except for which struct member they printed. Move all this duplicated +code into a common function cs_dsp_debugfs_string_read(). + +The check for dsp->booted has been removed because this is redundant. +The two strings are set when the DSP is booted and cleared when the +DSP is powered-down. + +Access to the string char * must be protected by the pwr_lock mutex. The +string is passed into cs_dsp_debugfs_string_read() as a pointer to the +char * so that the mutex lock can also be factored out into +cs_dsp_debugfs_string_read(). + +wmfw_file_name and bin_file_name members of struct cs_dsp have been +changed to const char *. It makes for a better API to pass a const +pointer into cs_dsp_debugfs_string_read(). + +Signed-off-by: Richard Fitzgerald +Link: https://patch.msgid.link/20251120130640.1169780-2-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Stable-dep-of: 10db9f6899dd ("firmware: cs_dsp: rate-limit log messages in KUnit builds") +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 45 ++++++++++++-------------- + include/linux/firmware/cirrus/cs_dsp.h | 4 +-- + 2 files changed, 23 insertions(+), 26 deletions(-) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index f51047d8ea64f..58e41751dbc19 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -9,6 +9,7 @@ + * Cirrus Logic International Semiconductor Ltd. + */ + ++#include + #include + #include + #include +@@ -410,24 +411,30 @@ static void cs_dsp_debugfs_clear(struct cs_dsp *dsp) + dsp->bin_file_name = NULL; + } + ++static ssize_t cs_dsp_debugfs_string_read(struct cs_dsp *dsp, ++ char __user *user_buf, ++ size_t count, loff_t *ppos, ++ const char **pstr) ++{ ++ const char *str; ++ ++ scoped_guard(mutex, &dsp->pwr_lock) { ++ str = *pstr; ++ if (!str) ++ return 0; ++ ++ return simple_read_from_buffer(user_buf, count, ppos, str, strlen(str)); ++ } ++} ++ + static ssize_t cs_dsp_debugfs_wmfw_read(struct file *file, + char __user *user_buf, + size_t count, loff_t *ppos) + { + struct cs_dsp *dsp = file->private_data; +- ssize_t ret; + +- mutex_lock(&dsp->pwr_lock); +- +- if (!dsp->wmfw_file_name || !dsp->booted) +- ret = 0; +- else +- ret = simple_read_from_buffer(user_buf, count, ppos, +- dsp->wmfw_file_name, +- strlen(dsp->wmfw_file_name)); +- +- mutex_unlock(&dsp->pwr_lock); +- return ret; ++ return cs_dsp_debugfs_string_read(dsp, user_buf, count, ppos, ++ &dsp->wmfw_file_name); + } + + static ssize_t cs_dsp_debugfs_bin_read(struct file *file, +@@ -435,19 +442,9 @@ static ssize_t cs_dsp_debugfs_bin_read(struct file *file, + size_t count, loff_t *ppos) + { + struct cs_dsp *dsp = file->private_data; +- ssize_t ret; +- +- mutex_lock(&dsp->pwr_lock); + +- if (!dsp->bin_file_name || !dsp->booted) +- ret = 0; +- else +- ret = simple_read_from_buffer(user_buf, count, ppos, +- dsp->bin_file_name, +- strlen(dsp->bin_file_name)); +- +- mutex_unlock(&dsp->pwr_lock); +- return ret; ++ return cs_dsp_debugfs_string_read(dsp, user_buf, count, ppos, ++ &dsp->bin_file_name); + } + + static const struct { +diff --git a/include/linux/firmware/cirrus/cs_dsp.h b/include/linux/firmware/cirrus/cs_dsp.h +index a66eb7624730c..69959032f8f51 100644 +--- a/include/linux/firmware/cirrus/cs_dsp.h ++++ b/include/linux/firmware/cirrus/cs_dsp.h +@@ -188,8 +188,8 @@ struct cs_dsp { + + #ifdef CONFIG_DEBUG_FS + struct dentry *debugfs_root; +- char *wmfw_file_name; +- char *bin_file_name; ++ const char *wmfw_file_name; ++ const char *bin_file_name; + #endif + }; + +-- +2.51.0 + diff --git a/queue-6.18/firmware-cs_dsp-rate-limit-log-messages-in-kunit-bui.patch b/queue-6.18/firmware-cs_dsp-rate-limit-log-messages-in-kunit-bui.patch new file mode 100644 index 0000000000..1d3f1b766f --- /dev/null +++ b/queue-6.18/firmware-cs_dsp-rate-limit-log-messages-in-kunit-bui.patch @@ -0,0 +1,389 @@ +From 95012cf69d5610c8d8346155919525245d3e52ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 17:12:56 +0000 +Subject: firmware: cs_dsp: rate-limit log messages in KUnit builds + +From: Richard Fitzgerald + +[ Upstream commit 10db9f6899dd3a2dfd26efd40afd308891dc44a8 ] + +Use the dev_*_ratelimit() macros if the cs_dsp KUnit tests are enabled +in the build, and allow the KUnit tests to disable message output. + +Some of the KUnit tests cause a very large number of log messages from +cs_dsp, because the tests perform many different test cases. This could +cause some lines to be dropped from the kernel log. Dropped lines can +prevent the KUnit wrappers from parsing the ktap output in the dmesg log. + +The KUnit builds of cs_dsp export three bools that the KUnit tests can +use to entirely disable log output of err, warn and info messages. Some +tests have been updated to use this, replacing the previous fudge of a +usleep() in the exit handler of each test. We don't necessarily want to +disable all log messages if they aren't expected to be excessive, +so the rate-limiting allows leaving some logging enabled. + +The rate-limited macros are not used in normal builds because it is not +appropriate to rate-limit every message. That could cause important +messages to be dropped, and there wouldn't be such a high rate of +messages in normal operation. + +Signed-off-by: Richard Fitzgerald +Reported-by: Mark Brown +Closes: https://lore.kernel.org/linux-sound/af393f08-facb-4c44-a054-1f61254803ec@opensource.cirrus.com/T/#t +Fixes: cd8c058499b6 ("firmware: cs_dsp: Add KUnit testing of bin error cases") +Link: https://patch.msgid.link/20260130171256.863152-1-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 37 +++++++++++++++++++ + drivers/firmware/cirrus/cs_dsp.h | 18 +++++++++ + .../firmware/cirrus/test/cs_dsp_test_bin.c | 22 ++++++++++- + .../cirrus/test/cs_dsp_test_bin_error.c | 24 +++++++++--- + .../firmware/cirrus/test/cs_dsp_test_wmfw.c | 26 ++++++++++++- + .../cirrus/test/cs_dsp_test_wmfw_error.c | 24 +++++++++--- + drivers/firmware/cirrus/test/cs_dsp_tests.c | 1 + + 7 files changed, 138 insertions(+), 14 deletions(-) + create mode 100644 drivers/firmware/cirrus/cs_dsp.h + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index 58e41751dbc19..7ca56777a1da5 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -9,6 +9,7 @@ + * Cirrus Logic International Semiconductor Ltd. + */ + ++#include + #include + #include + #include +@@ -23,6 +24,41 @@ + #include + #include + ++#include "cs_dsp.h" ++ ++/* ++ * When the KUnit test is running the error-case tests will cause a lot ++ * of messages. Rate-limit to prevent overflowing the kernel log buffer ++ * during KUnit test runs. ++ */ ++#if IS_ENABLED(CONFIG_FW_CS_DSP_KUNIT_TEST) ++bool cs_dsp_suppress_err_messages; ++EXPORT_SYMBOL_IF_KUNIT(cs_dsp_suppress_err_messages); ++ ++bool cs_dsp_suppress_warn_messages; ++EXPORT_SYMBOL_IF_KUNIT(cs_dsp_suppress_warn_messages); ++ ++bool cs_dsp_suppress_info_messages; ++EXPORT_SYMBOL_IF_KUNIT(cs_dsp_suppress_info_messages); ++ ++#define cs_dsp_err(_dsp, fmt, ...) \ ++ do { \ ++ if (!cs_dsp_suppress_err_messages) \ ++ dev_err_ratelimited(_dsp->dev, "%s: " fmt, _dsp->name, ##__VA_ARGS__); \ ++ } while (false) ++#define cs_dsp_warn(_dsp, fmt, ...) \ ++ do { \ ++ if (!cs_dsp_suppress_warn_messages) \ ++ dev_warn_ratelimited(_dsp->dev, "%s: " fmt, _dsp->name, ##__VA_ARGS__); \ ++ } while (false) ++#define cs_dsp_info(_dsp, fmt, ...) \ ++ do { \ ++ if (!cs_dsp_suppress_info_messages) \ ++ dev_info_ratelimited(_dsp->dev, "%s: " fmt, _dsp->name, ##__VA_ARGS__); \ ++ } while (false) ++#define cs_dsp_dbg(_dsp, fmt, ...) \ ++ dev_dbg_ratelimited(_dsp->dev, "%s: " fmt, _dsp->name, ##__VA_ARGS__) ++#else + #define cs_dsp_err(_dsp, fmt, ...) \ + dev_err(_dsp->dev, "%s: " fmt, _dsp->name, ##__VA_ARGS__) + #define cs_dsp_warn(_dsp, fmt, ...) \ +@@ -31,6 +67,7 @@ + dev_info(_dsp->dev, "%s: " fmt, _dsp->name, ##__VA_ARGS__) + #define cs_dsp_dbg(_dsp, fmt, ...) \ + dev_dbg(_dsp->dev, "%s: " fmt, _dsp->name, ##__VA_ARGS__) ++#endif + + #define ADSP1_CONTROL_1 0x00 + #define ADSP1_CONTROL_2 0x02 +diff --git a/drivers/firmware/cirrus/cs_dsp.h b/drivers/firmware/cirrus/cs_dsp.h +new file mode 100644 +index 0000000000000..adf543004aea3 +--- /dev/null ++++ b/drivers/firmware/cirrus/cs_dsp.h +@@ -0,0 +1,18 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * cs_dsp.h -- Private header for cs_dsp driver. ++ * ++ * Copyright (C) 2026 Cirrus Logic, Inc. and ++ * Cirrus Logic International Semiconductor Ltd. ++ */ ++ ++#ifndef FW_CS_DSP_H ++#define FW_CS_DSP_H ++ ++#if IS_ENABLED(CONFIG_KUNIT) ++extern bool cs_dsp_suppress_err_messages; ++extern bool cs_dsp_suppress_warn_messages; ++extern bool cs_dsp_suppress_info_messages; ++#endif ++ ++#endif /* ifndef FW_CS_DSP_H */ +diff --git a/drivers/firmware/cirrus/test/cs_dsp_test_bin.c b/drivers/firmware/cirrus/test/cs_dsp_test_bin.c +index 163b7faecff46..2c6486fa95758 100644 +--- a/drivers/firmware/cirrus/test/cs_dsp_test_bin.c ++++ b/drivers/firmware/cirrus/test/cs_dsp_test_bin.c +@@ -17,6 +17,8 @@ + #include + #include + ++#include "../cs_dsp.h" ++ + /* + * Test method is: + * +@@ -2224,7 +2226,22 @@ static int cs_dsp_bin_test_common_init(struct kunit *test, struct cs_dsp *dsp) + return ret; + + /* Automatically call cs_dsp_remove() when test case ends */ +- return kunit_add_action_or_reset(priv->test, _cs_dsp_remove_wrapper, dsp); ++ ret = kunit_add_action_or_reset(priv->test, _cs_dsp_remove_wrapper, dsp); ++ if (ret) ++ return ret; ++ ++ /* ++ * The large number of test cases will cause an unusually large amount ++ * of dev_info() messages from cs_dsp, so suppress these. ++ */ ++ cs_dsp_suppress_info_messages = true; ++ ++ return 0; ++} ++ ++static void cs_dsp_bin_test_exit(struct kunit *test) ++{ ++ cs_dsp_suppress_info_messages = false; + } + + static int cs_dsp_bin_test_halo_init(struct kunit *test) +@@ -2536,18 +2553,21 @@ static struct kunit_case cs_dsp_bin_test_cases_adsp2[] = { + static struct kunit_suite cs_dsp_bin_test_halo = { + .name = "cs_dsp_bin_halo", + .init = cs_dsp_bin_test_halo_init, ++ .exit = cs_dsp_bin_test_exit, + .test_cases = cs_dsp_bin_test_cases_halo, + }; + + static struct kunit_suite cs_dsp_bin_test_adsp2_32bit = { + .name = "cs_dsp_bin_adsp2_32bit", + .init = cs_dsp_bin_test_adsp2_32bit_init, ++ .exit = cs_dsp_bin_test_exit, + .test_cases = cs_dsp_bin_test_cases_adsp2, + }; + + static struct kunit_suite cs_dsp_bin_test_adsp2_16bit = { + .name = "cs_dsp_bin_adsp2_16bit", + .init = cs_dsp_bin_test_adsp2_16bit_init, ++ .exit = cs_dsp_bin_test_exit, + .test_cases = cs_dsp_bin_test_cases_adsp2, + }; + +diff --git a/drivers/firmware/cirrus/test/cs_dsp_test_bin_error.c b/drivers/firmware/cirrus/test/cs_dsp_test_bin_error.c +index a7ec956d27249..631b9cb9eb250 100644 +--- a/drivers/firmware/cirrus/test/cs_dsp_test_bin_error.c ++++ b/drivers/firmware/cirrus/test/cs_dsp_test_bin_error.c +@@ -18,6 +18,8 @@ + #include + #include + ++#include "../cs_dsp.h" ++ + KUNIT_DEFINE_ACTION_WRAPPER(_put_device_wrapper, put_device, struct device *); + KUNIT_DEFINE_ACTION_WRAPPER(_cs_dsp_remove_wrapper, cs_dsp_remove, struct cs_dsp *); + +@@ -380,11 +382,9 @@ static void bin_block_payload_len_garbage(struct kunit *test) + + static void cs_dsp_bin_err_test_exit(struct kunit *test) + { +- /* +- * Testing error conditions can produce a lot of log output +- * from cs_dsp error messages, so rate limit the test cases. +- */ +- usleep_range(200, 500); ++ cs_dsp_suppress_err_messages = false; ++ cs_dsp_suppress_warn_messages = false; ++ cs_dsp_suppress_info_messages = false; + } + + static int cs_dsp_bin_err_test_common_init(struct kunit *test, struct cs_dsp *dsp, +@@ -474,7 +474,19 @@ static int cs_dsp_bin_err_test_common_init(struct kunit *test, struct cs_dsp *ds + return ret; + + /* Automatically call cs_dsp_remove() when test case ends */ +- return kunit_add_action_or_reset(priv->test, _cs_dsp_remove_wrapper, dsp); ++ ret = kunit_add_action_or_reset(priv->test, _cs_dsp_remove_wrapper, dsp); ++ if (ret) ++ return ret; ++ ++ /* ++ * Testing error conditions can produce a lot of log output ++ * from cs_dsp error messages, so suppress messages. ++ */ ++ cs_dsp_suppress_err_messages = true; ++ cs_dsp_suppress_warn_messages = true; ++ cs_dsp_suppress_info_messages = true; ++ ++ return 0; + } + + static int cs_dsp_bin_err_test_halo_init(struct kunit *test) +diff --git a/drivers/firmware/cirrus/test/cs_dsp_test_wmfw.c b/drivers/firmware/cirrus/test/cs_dsp_test_wmfw.c +index 9e997c4ee2d67..f02cb6cf76386 100644 +--- a/drivers/firmware/cirrus/test/cs_dsp_test_wmfw.c ++++ b/drivers/firmware/cirrus/test/cs_dsp_test_wmfw.c +@@ -18,6 +18,8 @@ + #include + #include + ++#include "../cs_dsp.h" ++ + /* + * Test method is: + * +@@ -1853,7 +1855,22 @@ static int cs_dsp_wmfw_test_common_init(struct kunit *test, struct cs_dsp *dsp, + return ret; + + /* Automatically call cs_dsp_remove() when test case ends */ +- return kunit_add_action_or_reset(priv->test, _cs_dsp_remove_wrapper, dsp); ++ ret = kunit_add_action_or_reset(priv->test, _cs_dsp_remove_wrapper, dsp); ++ if (ret) ++ return ret; ++ ++ /* ++ * The large number of test cases will cause an unusually large amount ++ * of dev_info() messages from cs_dsp, so suppress these. ++ */ ++ cs_dsp_suppress_info_messages = true; ++ ++ return 0; ++} ++ ++static void cs_dsp_wmfw_test_exit(struct kunit *test) ++{ ++ cs_dsp_suppress_info_messages = false; + } + + static int cs_dsp_wmfw_test_halo_init(struct kunit *test) +@@ -2163,42 +2180,49 @@ static struct kunit_case cs_dsp_wmfw_test_cases_adsp2[] = { + static struct kunit_suite cs_dsp_wmfw_test_halo = { + .name = "cs_dsp_wmfwV3_halo", + .init = cs_dsp_wmfw_test_halo_init, ++ .exit = cs_dsp_wmfw_test_exit, + .test_cases = cs_dsp_wmfw_test_cases_halo, + }; + + static struct kunit_suite cs_dsp_wmfw_test_adsp2_32bit_wmfw0 = { + .name = "cs_dsp_wmfwV0_adsp2_32bit", + .init = cs_dsp_wmfw_test_adsp2_32bit_wmfw0_init, ++ .exit = cs_dsp_wmfw_test_exit, + .test_cases = cs_dsp_wmfw_test_cases_adsp2, + }; + + static struct kunit_suite cs_dsp_wmfw_test_adsp2_32bit_wmfw1 = { + .name = "cs_dsp_wmfwV1_adsp2_32bit", + .init = cs_dsp_wmfw_test_adsp2_32bit_wmfw1_init, ++ .exit = cs_dsp_wmfw_test_exit, + .test_cases = cs_dsp_wmfw_test_cases_adsp2, + }; + + static struct kunit_suite cs_dsp_wmfw_test_adsp2_32bit_wmfw2 = { + .name = "cs_dsp_wmfwV2_adsp2_32bit", + .init = cs_dsp_wmfw_test_adsp2_32bit_wmfw2_init, ++ .exit = cs_dsp_wmfw_test_exit, + .test_cases = cs_dsp_wmfw_test_cases_adsp2, + }; + + static struct kunit_suite cs_dsp_wmfw_test_adsp2_16bit_wmfw0 = { + .name = "cs_dsp_wmfwV0_adsp2_16bit", + .init = cs_dsp_wmfw_test_adsp2_16bit_wmfw0_init, ++ .exit = cs_dsp_wmfw_test_exit, + .test_cases = cs_dsp_wmfw_test_cases_adsp2, + }; + + static struct kunit_suite cs_dsp_wmfw_test_adsp2_16bit_wmfw1 = { + .name = "cs_dsp_wmfwV1_adsp2_16bit", + .init = cs_dsp_wmfw_test_adsp2_16bit_wmfw1_init, ++ .exit = cs_dsp_wmfw_test_exit, + .test_cases = cs_dsp_wmfw_test_cases_adsp2, + }; + + static struct kunit_suite cs_dsp_wmfw_test_adsp2_16bit_wmfw2 = { + .name = "cs_dsp_wmfwV2_adsp2_16bit", + .init = cs_dsp_wmfw_test_adsp2_16bit_wmfw2_init, ++ .exit = cs_dsp_wmfw_test_exit, + .test_cases = cs_dsp_wmfw_test_cases_adsp2, + }; + +diff --git a/drivers/firmware/cirrus/test/cs_dsp_test_wmfw_error.c b/drivers/firmware/cirrus/test/cs_dsp_test_wmfw_error.c +index c309843261d72..37162d12e2fa7 100644 +--- a/drivers/firmware/cirrus/test/cs_dsp_test_wmfw_error.c ++++ b/drivers/firmware/cirrus/test/cs_dsp_test_wmfw_error.c +@@ -18,6 +18,8 @@ + #include + #include + ++#include "../cs_dsp.h" ++ + KUNIT_DEFINE_ACTION_WRAPPER(_put_device_wrapper, put_device, struct device *); + KUNIT_DEFINE_ACTION_WRAPPER(_cs_dsp_remove_wrapper, cs_dsp_remove, struct cs_dsp *); + +@@ -989,11 +991,9 @@ static void wmfw_v2_coeff_description_exceeds_block(struct kunit *test) + + static void cs_dsp_wmfw_err_test_exit(struct kunit *test) + { +- /* +- * Testing error conditions can produce a lot of log output +- * from cs_dsp error messages, so rate limit the test cases. +- */ +- usleep_range(200, 500); ++ cs_dsp_suppress_err_messages = false; ++ cs_dsp_suppress_warn_messages = false; ++ cs_dsp_suppress_info_messages = false; + } + + static int cs_dsp_wmfw_err_test_common_init(struct kunit *test, struct cs_dsp *dsp, +@@ -1072,7 +1072,19 @@ static int cs_dsp_wmfw_err_test_common_init(struct kunit *test, struct cs_dsp *d + return ret; + + /* Automatically call cs_dsp_remove() when test case ends */ +- return kunit_add_action_or_reset(priv->test, _cs_dsp_remove_wrapper, dsp); ++ ret = kunit_add_action_or_reset(priv->test, _cs_dsp_remove_wrapper, dsp); ++ if (ret) ++ return ret; ++ ++ /* ++ * Testing error conditions can produce a lot of log output ++ * from cs_dsp error messages, so suppress messages. ++ */ ++ cs_dsp_suppress_err_messages = true; ++ cs_dsp_suppress_warn_messages = true; ++ cs_dsp_suppress_info_messages = true; ++ ++ return 0; + } + + static int cs_dsp_wmfw_err_test_halo_init(struct kunit *test) +diff --git a/drivers/firmware/cirrus/test/cs_dsp_tests.c b/drivers/firmware/cirrus/test/cs_dsp_tests.c +index 7b829a03ca529..288675fdbdc53 100644 +--- a/drivers/firmware/cirrus/test/cs_dsp_tests.c ++++ b/drivers/firmware/cirrus/test/cs_dsp_tests.c +@@ -12,3 +12,4 @@ MODULE_AUTHOR("Richard Fitzgerald "); + MODULE_LICENSE("GPL"); + MODULE_IMPORT_NS("FW_CS_DSP"); + MODULE_IMPORT_NS("FW_CS_DSP_KUNIT_TEST_UTILS"); ++MODULE_IMPORT_NS("EXPORTED_FOR_KUNIT_TESTING"); +-- +2.51.0 + diff --git a/queue-6.18/gpio-loongson-64bit-fix-incorrect-null-check-after-d.patch b/queue-6.18/gpio-loongson-64bit-fix-incorrect-null-check-after-d.patch new file mode 100644 index 0000000000..9e465a736a --- /dev/null +++ b/queue-6.18/gpio-loongson-64bit-fix-incorrect-null-check-after-d.patch @@ -0,0 +1,37 @@ +From 20d1cf7a2ebce92948412b5f0fc2db9e2f5a1453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Feb 2026 15:26:49 +0800 +Subject: gpio: loongson-64bit: Fix incorrect NULL check after devm_kcalloc() + +From: Chen Ni + +[ Upstream commit e34f77b09080c86c929153e2a72da26b4f8947ff ] + +Fix incorrect NULL check in loongson_gpio_init_irqchip(). +The function checks chip->parent instead of chip->irq.parents. + +Fixes: 03c146cb6cd1 ("gpio: loongson-64bit: Add support for Loongson-2K0300 SoC") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260205072649.3271158-1-nichen@iscas.ac.cn +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-loongson-64bit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-loongson-64bit.c b/drivers/gpio/gpio-loongson-64bit.c +index 82d4c3aa4d2fc..d5573fb0616ce 100644 +--- a/drivers/gpio/gpio-loongson-64bit.c ++++ b/drivers/gpio/gpio-loongson-64bit.c +@@ -263,7 +263,7 @@ static int loongson_gpio_init_irqchip(struct platform_device *pdev, + chip->irq.num_parents = data->intr_num; + chip->irq.parents = devm_kcalloc(&pdev->dev, data->intr_num, + sizeof(*chip->irq.parents), GFP_KERNEL); +- if (!chip->parent) ++ if (!chip->irq.parents) + return -ENOMEM; + + for (i = 0; i < data->intr_num; i++) { +-- +2.51.0 + diff --git a/queue-6.18/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch b/queue-6.18/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch new file mode 100644 index 0000000000..475ee08cb0 --- /dev/null +++ b/queue-6.18/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch @@ -0,0 +1,56 @@ +From ce2c9e9cd78d74e4ab5baab5ef91ad806c185b3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 19:03:57 -0300 +Subject: HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodrigo Lugathe da Conceição Alves + +[ Upstream commit 85a866809333cd2bf8ddac93d9a3e3ba8e4f807d ] + +The USB speaker has a bug that causes it to reboot when changing the +brightness using the physical knob. + +Add a new vendor and product ID entry in hid-ids.h, and register +the corresponding device in hid-quirks.c with the required quirk. + +Signed-off-by: Rodrigo Lugathe da Conceição Alves +Reviewed-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 3a22129fb7075..bec913a005a5d 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -439,6 +439,9 @@ + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002 0xc002 + ++#define USB_VENDOR_ID_EDIFIER 0x2d99 ++#define USB_DEVICE_ID_EDIFIER_QR30 0xa101 /* EDIFIER Hal0 2.0 SE */ ++ + #define USB_VENDOR_ID_ELAN 0x04f3 + #define USB_DEVICE_ID_TOSHIBA_CLICK_L9W 0x0401 + #define USB_DEVICE_ID_HP_X2 0x074d +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 1d5537c0f40d8..31b2a5d1cd98f 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -81,6 +81,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER), HID_QUIRK_MULTI_INPUT | HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_EDIFIER, USB_DEVICE_ID_EDIFIER_QR30), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_EMS, USB_DEVICE_ID_EMS_TRIO_LINKER_PLUS_II), HID_QUIRK_MULTI_INPUT }, +-- +2.51.0 + diff --git a/queue-6.18/hid-elecom-add-support-for-elecom-m-xt3drbk-018c.patch b/queue-6.18/hid-elecom-add-support-for-elecom-m-xt3drbk-018c.patch new file mode 100644 index 0000000000..65761bc07f --- /dev/null +++ b/queue-6.18/hid-elecom-add-support-for-elecom-m-xt3drbk-018c.patch @@ -0,0 +1,120 @@ +From b8907b383c7788981aaccb93b325e7d44e5b6f95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Dec 2025 03:43:19 +0100 +Subject: HID: Elecom: Add support for ELECOM M-XT3DRBK (018C) + +From: Arnoud Willemsen + +[ Upstream commit 12adb969658ec39265eb8c7ea9e1856867fb9ceb ] + +Wireless/new version of the Elecom trackball mouse M-XT3DRBK has a +product id that differs from the existing M-XT3DRBK. +The report descriptor format also seems to have changed and matches +other (newer?) models instead (except for six buttons instead of eight). +This patch follows the same format as the patch for the M-XT3URBK (018F) +by Naoki Ueki (Nov 3rd 2025) to enable the sixth mouse button. + +dmesg output: +[ 292.074664] usb 1-2: new full-speed USB device number 7 using xhci_hcd +[ 292.218667] usb 1-2: New USB device found, idVendor=056e, idProduct=018c, bcdDevice= 1.00 +[ 292.218676] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 +[ 292.218679] usb 1-2: Product: ELECOM TrackBall Mouse +[ 292.218681] usb 1-2: Manufacturer: ELECOM + +usbhid-dump output: +001:006:000:DESCRIPTOR 1765072638.050578 + 05 01 09 02 A1 01 09 01 A1 00 85 01 05 09 19 01 + 29 05 15 00 25 01 95 08 75 01 81 02 95 01 75 00 + 81 01 05 01 09 30 09 31 16 00 80 26 FF 7F 75 10 + 95 02 81 06 C0 A1 00 05 01 09 38 15 81 25 7F 75 + 08 95 01 81 06 C0 A1 00 05 0C 0A 38 02 95 01 75 + 08 15 81 25 7F 81 06 C0 C0 06 01 FF 09 00 A1 01 + 85 02 09 00 15 00 26 FF 00 75 08 95 07 81 02 C0 + 05 0C 09 01 A1 01 85 05 15 00 26 3C 02 19 00 2A + 3C 02 75 10 95 01 81 00 C0 05 01 09 80 A1 01 85 + 03 19 81 29 83 15 00 25 01 95 03 75 01 81 02 95 + 01 75 05 81 01 C0 06 BC FF 09 88 A1 01 85 04 95 + 01 75 08 15 00 26 FF 00 19 00 2A FF 00 81 00 C0 + 06 02 FF 09 02 A1 01 85 06 09 02 15 00 26 FF 00 + 75 08 95 07 B1 02 C0 + +Signed-off-by: Arnoud Willemsen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-elecom.c | 15 +++++++++++++-- + drivers/hid/hid-ids.h | 3 ++- + drivers/hid/hid-quirks.c | 3 ++- + 3 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-elecom.c b/drivers/hid/hid-elecom.c +index 981d1b6e96589..2003d2dcda7cc 100644 +--- a/drivers/hid/hid-elecom.c ++++ b/drivers/hid/hid-elecom.c +@@ -77,7 +77,7 @@ static const __u8 *elecom_report_fixup(struct hid_device *hdev, __u8 *rdesc, + break; + case USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB: + case USB_DEVICE_ID_ELECOM_M_XT3URBK_018F: +- case USB_DEVICE_ID_ELECOM_M_XT3DRBK: ++ case USB_DEVICE_ID_ELECOM_M_XT3DRBK_00FC: + case USB_DEVICE_ID_ELECOM_M_XT4DRBK: + /* + * Report descriptor format: +@@ -102,6 +102,16 @@ static const __u8 *elecom_report_fixup(struct hid_device *hdev, __u8 *rdesc, + */ + mouse_button_fixup(hdev, rdesc, *rsize, 12, 30, 14, 20, 8); + break; ++ case USB_DEVICE_ID_ELECOM_M_XT3DRBK_018C: ++ /* ++ * Report descriptor format: ++ * 22: button bit count ++ * 30: padding bit count ++ * 24: button report size ++ * 16: button usage maximum ++ */ ++ mouse_button_fixup(hdev, rdesc, *rsize, 22, 30, 24, 16, 6); ++ break; + case USB_DEVICE_ID_ELECOM_M_DT2DRBK: + case USB_DEVICE_ID_ELECOM_M_HT1DRBK_011C: + /* +@@ -122,7 +132,8 @@ static const struct hid_device_id elecom_devices[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XGL20DLBK) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_018F) }, +- { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK_00FC) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK_018C) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT4DRBK) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_DT1URBK) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_DT1DRBK) }, +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index bec913a005a5d..b75d9d2f4dc73 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -455,7 +455,8 @@ + #define USB_DEVICE_ID_ELECOM_M_XGL20DLBK 0x00e6 + #define USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB 0x00fb + #define USB_DEVICE_ID_ELECOM_M_XT3URBK_018F 0x018f +-#define USB_DEVICE_ID_ELECOM_M_XT3DRBK 0x00fc ++#define USB_DEVICE_ID_ELECOM_M_XT3DRBK_00FC 0x00fc ++#define USB_DEVICE_ID_ELECOM_M_XT3DRBK_018C 0x018c + #define USB_DEVICE_ID_ELECOM_M_XT4DRBK 0x00fd + #define USB_DEVICE_ID_ELECOM_M_DT1URBK 0x00fe + #define USB_DEVICE_ID_ELECOM_M_DT1DRBK 0x00ff +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 31b2a5d1cd98f..11438039cdb7f 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -422,7 +422,8 @@ static const struct hid_device_id hid_have_special_driver[] = { + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XGL20DLBK) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_018F) }, +- { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK_00FC) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK_018C) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT4DRBK) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_DT1URBK) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_DT1DRBK) }, +-- +2.51.0 + diff --git a/queue-6.18/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch b/queue-6.18/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch new file mode 100644 index 0000000000..f6ee785812 --- /dev/null +++ b/queue-6.18/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch @@ -0,0 +1,46 @@ +From b35a30935d6ffbe5ac5a3d864ce940ac75840781 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jan 2026 02:18:26 +0800 +Subject: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() + +From: Kwok Kin Ming + +[ Upstream commit 2497ff38c530b1af0df5130ca9f5ab22c5e92f29 ] + +`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data +into `ihid->rawbuf`. + +The former can come from the userspace in the hidraw driver and is only +bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set +`max_buffer_size` field of `struct hid_ll_driver` which we do not). + +The latter has size determined at runtime by the maximum size of +different report types you could receive on any particular device and +can be a much smaller value. + +Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. + +The impact is low since access to hidraw devices requires root. + +Signed-off-by: Kwok Kin Ming +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 63f46a2e57882..5a183af3d5c6a 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -286,6 +286,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid, + * In addition to report data device will supply data length + * in the first 2 bytes of the response, so adjust . + */ ++ recv_len = min(recv_len, ihid->bufsize - sizeof(__le16)); + error = i2c_hid_xfer(ihid, ihid->cmdbuf, length, + ihid->rawbuf, recv_len + sizeof(__le16)); + if (error) { +-- +2.51.0 + diff --git a/queue-6.18/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch b/queue-6.18/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch new file mode 100644 index 0000000000..3f3dec2651 --- /dev/null +++ b/queue-6.18/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch @@ -0,0 +1,49 @@ +From 15c4dd82d7078a3922cfbd5bf2887efaba3e7699 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 10:51:50 +0800 +Subject: HID: intel-ish-hid: Reset enum_devices_done before enumeration + +From: Zhang Lixu + +[ Upstream commit 56e230723e3a818373bd62331bccb1c6d2b3881b ] + +Some systems have enabled ISH without any sensors. In this case sending +HOSTIF_DM_ENUM_DEVICES results in 0 sensors. This triggers ISH hardware +reset on subsequent enumeration after S3/S4 resume. + +The enum_devices_done flag was not reset before sending the +HOSTIF_DM_ENUM_DEVICES command. On subsequent enumeration calls (such as +after S3/S4 resume), this flag retains its previous true value, causing the +wait loop to be skipped and returning prematurely to hid_ishtp_cl_init(). +If 0 HID devices are found, hid_ishtp_cl_init() skips getting HID device +descriptors and sets init_done to true. When the delayed enumeration +response arrives with init_done already true, the driver treats it as a bad +packet and triggers an ISH hardware reset. + +Set enum_devices_done to false before sending the enumeration command, +consistent with similar functions like ishtp_get_hid_descriptor() and +ishtp_get_report_descriptor() which reset their respective flags. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp-hid-client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +index f61add862b6b3..12a43c64e8156 100644 +--- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c ++++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +@@ -495,6 +495,7 @@ static int ishtp_enum_enum_devices(struct ishtp_cl *hid_ishtp_cl) + int rv; + + /* Send HOSTIF_DM_ENUM_DEVICES */ ++ client_data->enum_devices_done = false; + memset(&msg, 0, sizeof(struct hostif_msg)); + msg.hdr.command = HOSTIF_DM_ENUM_DEVICES; + rv = ishtp_cl_send(hid_ishtp_cl, (unsigned char *)&msg, +-- +2.51.0 + diff --git a/queue-6.18/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch b/queue-6.18/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch new file mode 100644 index 0000000000..471da63afb --- /dev/null +++ b/queue-6.18/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch @@ -0,0 +1,49 @@ +From dde61fedc1b4fbac3175575a129219cfd5562697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 10:53:28 +0800 +Subject: HID: intel-ish-hid: Update ishtp bus match to support device ID table + +From: Zhang Lixu + +[ Upstream commit daeed86b686855adda79f13729e0c9b0530990be ] + +The ishtp_cl_bus_match() function previously only checked the first entry +in the driver's device ID table. Update it to iterate over the entire +table, allowing proper matching for drivers with multiple supported +protocol GUIDs. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/bus.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c +index c6ce37244e497..c3915f3a060ea 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/bus.c ++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c +@@ -240,9 +240,17 @@ static int ishtp_cl_bus_match(struct device *dev, const struct device_driver *dr + { + struct ishtp_cl_device *device = to_ishtp_cl_device(dev); + struct ishtp_cl_driver *driver = to_ishtp_cl_driver(drv); ++ struct ishtp_fw_client *client = device->fw_client; ++ const struct ishtp_device_id *id; + +- return(device->fw_client ? guid_equal(&driver->id[0].guid, +- &device->fw_client->props.protocol_name) : 0); ++ if (client) { ++ for (id = driver->id; !guid_is_null(&id->guid); id++) { ++ if (guid_equal(&id->guid, &client->props.protocol_name)) ++ return 1; ++ } ++ } ++ ++ return 0; + } + + /** +-- +2.51.0 + diff --git a/queue-6.18/hid-intel-thc-hid-intel-thc-add-safety-check-for-rea.patch b/queue-6.18/hid-intel-thc-hid-intel-thc-add-safety-check-for-rea.patch new file mode 100644 index 0000000000..584fbd1b14 --- /dev/null +++ b/queue-6.18/hid-intel-thc-hid-intel-thc-add-safety-check-for-rea.patch @@ -0,0 +1,40 @@ +From 6a669e57292f41cd7ccece0225ac6e79c8a2081b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Dec 2025 11:39:53 +0800 +Subject: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA + buffer + +From: Even Xu + +[ Upstream commit a9a917998d172ec117f9e9de1919174153c0ace4 ] + +Add DMA buffer readiness check before reading DMA buffer to avoid +unexpected NULL pointer accessing. + +Signed-off-by: Even Xu +Tested-by: Rui Zhang +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c +index a0c368aa7979c..6ee675e0a7384 100644 +--- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c ++++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c +@@ -575,6 +575,11 @@ static int read_dma_buffer(struct thc_device *dev, + return -EINVAL; + } + ++ if (!read_config->prd_tbls || !read_config->sgls[prd_table_index]) { ++ dev_err_once(dev->dev, "PRD tables are not ready yet\n"); ++ return -EINVAL; ++ } ++ + prd_tbl = &read_config->prd_tbls[prd_table_index]; + mes_len = calc_message_len(prd_tbl, &nent); + if (mes_len > read_config->max_packet_size) { +-- +2.51.0 + diff --git a/queue-6.18/hid-logitech-add-hid-support-for-logitech-mx-anywher.patch b/queue-6.18/hid-logitech-add-hid-support-for-logitech-mx-anywher.patch new file mode 100644 index 0000000000..8cae37d634 --- /dev/null +++ b/queue-6.18/hid-logitech-add-hid-support-for-logitech-mx-anywher.patch @@ -0,0 +1,38 @@ +From cc9f3f190dd1ce23fb7a8998f30fbace1ac041c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 13:00:51 +0000 +Subject: HID: logitech: add HID++ support for Logitech MX Anywhere 3S + +From: Dennis Marttinen + +[ Upstream commit d7f6629bffdcb962d383ef8c9a30afef81e997fe ] + +I've acquired a Logitech MX Anywhere 3S mouse, which supports HID++ over +Bluetooth. Adding its PID 0xb037 to the allowlist enables the additional +features, such as high-resolution scrolling. Tested working across multiple +machines, with a mix of Intel and Mediatek Bluetooth chips. + +[jkosina@suse.com: standardize shortlog] +Signed-off-by: Dennis Marttinen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index a88f2e5f791c6..9b612f62d0fba 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -4661,6 +4661,8 @@ static const struct hid_device_id hidpp_devices[] = { + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb025) }, + { /* MX Master 3S mouse over Bluetooth */ + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb034) }, ++ { /* MX Anywhere 3S mouse over Bluetooth */ ++ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb037) }, + { /* MX Anywhere 3SB mouse over Bluetooth */ + HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb038) }, + {} +-- +2.51.0 + diff --git a/queue-6.18/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch b/queue-6.18/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch new file mode 100644 index 0000000000..17f3a148d4 --- /dev/null +++ b/queue-6.18/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch @@ -0,0 +1,42 @@ +From 2d933fe399e0907dc8ad9a6e572023b15899e837 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Dec 2025 14:34:36 +0100 +Subject: HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL + +From: DaytonCL + +[ Upstream commit ff3f234ff1dcd6d626a989151db067a1b7f0f215 ] + +Some VTL-class touchpads (e.g. TOPS0102:00 35CC:0104) intermittently +fail to release a finger contact. A previous slot remains logically +active, accompanied by stale BTN_TOOL_DOUBLETAP state, causing +gestures to stay latched and resulting in stuck two-finger +scrolling and false right-clicks. + +Apply MT_QUIRK_STICKY_FINGERS to handle the unreleased contact correctly. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1225 +Suggested-by: Benjamin Tissoires +Tested-by: DaytonCL +Signed-off-by: DaytonCL +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 179dc316b4b51..a0c1ad5acb670 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -393,6 +393,7 @@ static const struct mt_class mt_classes[] = { + { .name = MT_CLS_VTL, + .quirks = MT_QUIRK_ALWAYS_VALID | + MT_QUIRK_CONTACT_CNT_ACCURATE | ++ MT_QUIRK_STICKY_FINGERS | + MT_QUIRK_FORCE_GET_FEATURE, + }, + { .name = MT_CLS_GOOGLE, +-- +2.51.0 + diff --git a/queue-6.18/hid-playstation-center-initial-joystick-axes-to-prev.patch b/queue-6.18/hid-playstation-center-initial-joystick-axes-to-prev.patch new file mode 100644 index 0000000000..d1da2e05db --- /dev/null +++ b/queue-6.18/hid-playstation-center-initial-joystick-axes-to-prev.patch @@ -0,0 +1,66 @@ +From b1b4b2255c7723cb8c69052c49418d5359acdd4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 15:45:19 -0800 +Subject: HID: playstation: Center initial joystick axes to prevent spurious + events + +From: Siarhei Vishniakou + +[ Upstream commit e9143268d259d98e111a649affa061acb8e13c5b ] + +When a new PlayStation gamepad (DualShock 4 or DualSense) is initialized, +the input subsystem sets the default value for its absolute axes (e.g., +ABS_X, ABS_Y) to 0. + +However, the hardware's actual neutral/resting state for these joysticks +is 128 (0x80). This creates a mismatch. + +When the first HID report arrives from the device, the driver sees the +resting value of 128. The kernel compares this to its initial state of 0 +and incorrectly interprets this as a delta (0 -> 128). Consequently, it +generates EV_ABS events for this initial, non-existent movement. + +This behavior can fail userspace 'sanity check' tests (e.g., in +Android CTS) that correctly assert no motion events should be generated +from a device that is already at rest. + +This patch fixes the issue by explicitly setting the initial value of the +main joystick axes (e.g., ABS_X, ABS_Y, ABS_RX, ABS_RY) to 128 (0x80) +in the common ps_gamepad_create() function. + +This aligns the kernel's initial state with the hardware's expected +neutral state, ensuring that the first report (at 128) produces no +delta and thus, no spurious event. + +Signed-off-by: Siarhei Vishniakou +Reviewed-by: Benjamin Tissoires +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-playstation.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-playstation.c b/drivers/hid/hid-playstation.c +index 128aa6abd10be..e4dfcf26b04e7 100644 +--- a/drivers/hid/hid-playstation.c ++++ b/drivers/hid/hid-playstation.c +@@ -753,11 +753,16 @@ ps_gamepad_create(struct hid_device *hdev, + if (IS_ERR(gamepad)) + return ERR_CAST(gamepad); + ++ /* Set initial resting state for joysticks to 128 (center) */ + input_set_abs_params(gamepad, ABS_X, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_X].value = 128; + input_set_abs_params(gamepad, ABS_Y, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_Y].value = 128; + input_set_abs_params(gamepad, ABS_Z, 0, 255, 0, 0); + input_set_abs_params(gamepad, ABS_RX, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RX].value = 128; + input_set_abs_params(gamepad, ABS_RY, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RY].value = 128; + input_set_abs_params(gamepad, ABS_RZ, 0, 255, 0, 0); + + input_set_abs_params(gamepad, ABS_HAT0X, -1, 1, 0, 0); +-- +2.51.0 + diff --git a/queue-6.18/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch b/queue-6.18/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch new file mode 100644 index 0000000000..6b97dc7747 --- /dev/null +++ b/queue-6.18/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch @@ -0,0 +1,51 @@ +From c91ec69428c2443ae8c742ed5228f29a750da86f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 06:56:43 +0000 +Subject: HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list + +From: Chris Chiu + +[ Upstream commit c06bc3557542307b9658fbd43cc946a14250347b ] + +Another Chicony Electronics HP 5MP Camera with USB ID 04F2:B882 +reports a HID sensor interface that is not actually implemented. + +Add the device to the HID ignore list so the bogus sensor is never +exposed to userspace. Then the system won't hang when runtime PM +tries to wake the unresponsive device. + +Signed-off-by: Chris Chiu +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index c4589075a5ed6..3a22129fb7075 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -317,6 +317,7 @@ + #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c ++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3 0xb882 + + #define USB_VENDOR_ID_CHUNGHWAT 0x2247 + #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 6a8a7ca3d8047..1d5537c0f40d8 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -778,6 +778,7 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) }, +-- +2.51.0 + diff --git a/queue-6.18/hwmon-acpi_power_meter-fix-deadlocks-related-to-acpi.patch b/queue-6.18/hwmon-acpi_power_meter-fix-deadlocks-related-to-acpi.patch new file mode 100644 index 0000000000..708b69c96b --- /dev/null +++ b/queue-6.18/hwmon-acpi_power_meter-fix-deadlocks-related-to-acpi.patch @@ -0,0 +1,114 @@ +From da347349de88af12d7a08a112f58d702e52ae280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 07:23:28 -0800 +Subject: hwmon: (acpi_power_meter) Fix deadlocks related to + acpi_power_meter_notify() + +From: Rafael J. Wysocki + +[ Upstream commit 615901b57b7ef8eb655f71358f7e956e42bcd16b ] + +The acpi_power_meter driver's .notify() callback function, +acpi_power_meter_notify(), calls hwmon_device_unregister() under a lock +that is also acquired by callbacks in sysfs attributes of the device +being unregistered which is prone to deadlocks between sysfs access and +device removal. + +Address this by moving the hwmon device removal in +acpi_power_meter_notify() outside the lock in question, but notice +that doing it alone is not sufficient because two concurrent +METER_NOTIFY_CONFIG notifications may be attempting to remove the +same device at the same time. To prevent that from happening, add a +new lock serializing the execution of the switch () statement in +acpi_power_meter_notify(). For simplicity, it is a static mutex +which should not be a problem from the performance perspective. + +The new lock also allows the hwmon_device_register_with_info() +in acpi_power_meter_notify() to be called outside the inner lock +because it prevents the other notifications handled by that function +from manipulating the "resource" object while the hwmon device based +on it is being registered. The sending of ACPI netlink messages from +acpi_power_meter_notify() is serialized by the new lock too which +generally helps to ensure that the order of handling firmware +notifications is the same as the order of sending netlink messages +related to them. + +In addition, notice that hwmon_device_register_with_info() may fail +in which case resource->hwmon_dev will become an error pointer, +so add checks to avoid attempting to unregister the hwmon device +pointer to by it in that case to acpi_power_meter_notify() and +acpi_power_meter_remove(). + +Fixes: 16746ce8adfe ("hwmon: (acpi_power_meter) Replace the deprecated hwmon_device_register") +Closes: https://lore.kernel.org/linux-hwmon/CAK8fFZ58fidGUCHi5WFX0uoTPzveUUDzT=k=AAm4yWo3bAuCFg@mail.gmail.com/ +Reported-by: Jaroslav Pulchart +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/acpi_power_meter.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/acpi_power_meter.c b/drivers/hwmon/acpi_power_meter.c +index 29ccdc2fb7ff8..de408df0c4d78 100644 +--- a/drivers/hwmon/acpi_power_meter.c ++++ b/drivers/hwmon/acpi_power_meter.c +@@ -47,6 +47,8 @@ + static int cap_in_hardware; + static bool force_cap_on; + ++static DEFINE_MUTEX(acpi_notify_lock); ++ + static int can_cap_in_hardware(void) + { + return force_cap_on || cap_in_hardware; +@@ -823,18 +825,26 @@ static void acpi_power_meter_notify(struct acpi_device *device, u32 event) + + resource = acpi_driver_data(device); + ++ guard(mutex)(&acpi_notify_lock); ++ + switch (event) { + case METER_NOTIFY_CONFIG: ++ if (!IS_ERR(resource->hwmon_dev)) ++ hwmon_device_unregister(resource->hwmon_dev); ++ + mutex_lock(&resource->lock); ++ + free_capabilities(resource); + remove_domain_devices(resource); +- hwmon_device_unregister(resource->hwmon_dev); + res = read_capabilities(resource); + if (res) + dev_err_once(&device->dev, "read capabilities failed.\n"); + res = read_domain_devices(resource); + if (res && res != -ENODEV) + dev_err_once(&device->dev, "read domain devices failed.\n"); ++ ++ mutex_unlock(&resource->lock); ++ + resource->hwmon_dev = + hwmon_device_register_with_info(&device->dev, + ACPI_POWER_METER_NAME, +@@ -843,7 +853,7 @@ static void acpi_power_meter_notify(struct acpi_device *device, u32 event) + power_extra_groups); + if (IS_ERR(resource->hwmon_dev)) + dev_err_once(&device->dev, "register hwmon device failed.\n"); +- mutex_unlock(&resource->lock); ++ + break; + case METER_NOTIFY_TRIP: + sysfs_notify(&device->dev.kobj, NULL, POWER_AVERAGE_NAME); +@@ -953,7 +963,8 @@ static void acpi_power_meter_remove(struct acpi_device *device) + return; + + resource = acpi_driver_data(device); +- hwmon_device_unregister(resource->hwmon_dev); ++ if (!IS_ERR(resource->hwmon_dev)) ++ hwmon_device_unregister(resource->hwmon_dev); + + remove_domain_devices(resource); + free_capabilities(resource); +-- +2.51.0 + diff --git a/queue-6.18/hwmon-dell-smm-add-dell-g15-5510-to-fan-control-whit.patch b/queue-6.18/hwmon-dell-smm-add-dell-g15-5510-to-fan-control-whit.patch new file mode 100644 index 0000000000..6ce7080fa8 --- /dev/null +++ b/queue-6.18/hwmon-dell-smm-add-dell-g15-5510-to-fan-control-whit.patch @@ -0,0 +1,49 @@ +From 69bac6041bd4b252c92b1e9099e717f5fad942d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 20:53:15 -0500 +Subject: hwmon: (dell-smm) Add Dell G15 5510 to fan control whitelist + +From: leobannocloutier@gmail.com + +[ Upstream commit 830e0bef79aaaea8b1ef426b8032e70c63a58653 ] + +On the Dell G15 5510, fans spin at maximum speed when AC power is +connected. This behavior has been observed as a regression in recent +kernels (v6.18+). + +Add the Dell G15 5510 to the fan control whitelist to enable manual fan +control and resolve the issue. This model requires the same fan control +configuration as the Dell G15 5511. + +Fixes: 1c1658058c99 ("hwmon: (dell-smm) Add support for automatic fan mode") +Signed-off-by: Leo Banno-Cloutier +Link: https://lore.kernel.org/r/20260117015315.214569-2-leobannocloutier@gmail.com +[groeck: Updated patch description to follow guidance] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/dell-smm-hwmon.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c +index 8cf12b9bae2a7..f3d484a9f708b 100644 +--- a/drivers/hwmon/dell-smm-hwmon.c ++++ b/drivers/hwmon/dell-smm-hwmon.c +@@ -1630,6 +1630,14 @@ static const struct dmi_system_id i8k_whitelist_fan_control[] __initconst = { + }, + .driver_data = (void *)&i8k_fan_control_data[I8K_FAN_30A3_31A3], + }, ++ { ++ .ident = "Dell G15 5510", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Dell G15 5510"), ++ }, ++ .driver_data = (void *)&i8k_fan_control_data[I8K_FAN_30A3_31A3], ++ }, + { + .ident = "Dell G15 5511", + .matches = { +-- +2.51.0 + diff --git a/queue-6.18/hwmon-occ-mark-occ_init_attribute-as-__printf.patch b/queue-6.18/hwmon-occ-mark-occ_init_attribute-as-__printf.patch new file mode 100644 index 0000000000..3b45253601 --- /dev/null +++ b/queue-6.18/hwmon-occ-mark-occ_init_attribute-as-__printf.patch @@ -0,0 +1,42 @@ +From af990784525573eee287882c0628f80119ad8941 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 17:34:36 +0100 +Subject: hwmon: (occ) Mark occ_init_attribute() as __printf + +From: Arnd Bergmann + +[ Upstream commit 831a2b27914cc880130ffe8fb8d1e65a5324d07f ] + +This is a printf-style function, which gcc -Werror=suggest-attribute=format +correctly points out: + +drivers/hwmon/occ/common.c: In function 'occ_init_attribute': +drivers/hwmon/occ/common.c:761:9: error: function 'occ_init_attribute' might be a candidate for 'gnu_printf' format attribute [-Werror=suggest-attribute=format] + +Add the attribute to avoid this warning and ensure any incorrect +format strings are detected here. + +Fixes: 744c2fe950e9 ("hwmon: (occ) Rework attribute registration for stack usage") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20260203163440.2674340-1-arnd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index b3694a4209b97..89928d38831b6 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -749,6 +749,7 @@ static ssize_t occ_show_extended(struct device *dev, + * are dynamically allocated, we cannot use the existing kernel macros which + * stringify the name argument. + */ ++__printf(7, 8) + static void occ_init_attribute(struct occ_attribute *attr, int mode, + ssize_t (*show)(struct device *dev, struct device_attribute *attr, char *buf), + ssize_t (*store)(struct device *dev, struct device_attribute *attr, +-- +2.51.0 + diff --git a/queue-6.18/i40e-drop-udp_tunnel_get_rx_info-call-from-i40e_open.patch b/queue-6.18/i40e-drop-udp_tunnel_get_rx_info-call-from-i40e_open.patch new file mode 100644 index 0000000000..a4be54b85c --- /dev/null +++ b/queue-6.18/i40e-drop-udp_tunnel_get_rx_info-call-from-i40e_open.patch @@ -0,0 +1,62 @@ +From 26d931006357c2b27640f9b1de0b481b235187c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 21:40:20 +0200 +Subject: i40e: drop udp_tunnel_get_rx_info() call from i40e_open() + +From: Mohammad Heib + +[ Upstream commit 40857194956dcaf3d2b66d6bd113d844c93bef54 ] + +The i40e driver calls udp_tunnel_get_rx_info() during i40e_open(). +This is redundant because UDP tunnel RX offload state is preserved +across device down/up cycles. The udp_tunnel core handles +synchronization automatically when required. + +Furthermore, recent changes in the udp_tunnel infrastructure require +querying RX info while holding the udp_tunnel lock. Calling it +directly from the ndo_open path violates this requirement, +triggering the following lockdep warning: + + Call Trace: + + ? __udp_tunnel_nic_assert_locked+0x39/0x40 [udp_tunnel] + i40e_open+0x135/0x14f [i40e] + __dev_open+0x121/0x2e0 + __dev_change_flags+0x227/0x270 + dev_change_flags+0x3d/0xb0 + devinet_ioctl+0x56f/0x860 + sock_do_ioctl+0x7b/0x130 + __x64_sys_ioctl+0x91/0xd0 + do_syscall_64+0x90/0x170 + ... + + +Remove the redundant and unsafe call to udp_tunnel_get_rx_info() from +i40e_open() resolve the locking violation. + +Fixes: 1ead7501094c ("udp_tunnel: remove rtnl_lock dependency") +Signed-off-by: Mohammad Heib +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 0b1cc0481027a..d3bc3207054f9 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -9030,7 +9030,6 @@ int i40e_open(struct net_device *netdev) + TCP_FLAG_FIN | + TCP_FLAG_CWR) >> 16); + wr32(&pf->hw, I40E_GLLAN_TSOMSK_L, be32_to_cpu(TCP_FLAG_CWR) >> 16); +- udp_tunnel_get_rx_info(netdev); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.18/ice-drop-udp_tunnel_get_rx_info-call-from-ndo_open.patch b/queue-6.18/ice-drop-udp_tunnel_get_rx_info-call-from-ndo_open.patch new file mode 100644 index 0000000000..171727bd9e --- /dev/null +++ b/queue-6.18/ice-drop-udp_tunnel_get_rx_info-call-from-ndo_open.patch @@ -0,0 +1,63 @@ +From 868dd895641aafd5be1abe5793d38f591aa6f768 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 21:40:21 +0200 +Subject: ice: drop udp_tunnel_get_rx_info() call from ndo_open() + +From: Mohammad Heib + +[ Upstream commit 234e615bfece9e3e91c50fe49ab9e68ee37c791a ] + +The ice driver calls udp_tunnel_get_rx_info() during ice_open_internal(). +This is redundant because UDP tunnel RX offload state is preserved +across device down/up cycles. The udp_tunnel core handles +synchronization automatically when required. + +Furthermore, recent changes in the udp_tunnel infrastructure require +querying RX info while holding the udp_tunnel lock. Calling it +directly from the ndo_open path violates this requirement, +triggering the following lockdep warning: + +Call Trace: + + ice_open_internal+0x253/0x350 [ice] + __udp_tunnel_nic_assert_locked+0x86/0xb0 [udp_tunnel] + __dev_open+0x2f5/0x880 + __dev_change_flags+0x44c/0x660 + netif_change_flags+0x80/0x160 + devinet_ioctl+0xd21/0x15f0 + inet_ioctl+0x311/0x350 + sock_ioctl+0x114/0x220 + __x64_sys_ioctl+0x131/0x1a0 + ... + + +Remove the redundant and unsafe call to udp_tunnel_get_rx_info() from +ice_open_internal() to resolve the locking violation + +Fixes: 1ead7501094c ("udp_tunnel: remove rtnl_lock dependency") +Signed-off-by: Mohammad Heib +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index d34a32a09bf87..f2b91f7f87861 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -9678,9 +9678,6 @@ int ice_open_internal(struct net_device *netdev) + netdev_err(netdev, "Failed to open VSI 0x%04X on switch 0x%04X\n", + vsi->vsi_num, vsi->vsw->sw_id); + +- /* Update existing tunnels information */ +- udp_tunnel_get_rx_info(netdev); +- + return err; + } + +-- +2.51.0 + diff --git a/queue-6.18/ice-fix-missing-tx-timestamps-interrupts-on-e825-dev.patch b/queue-6.18/ice-fix-missing-tx-timestamps-interrupts-on-e825-dev.patch new file mode 100644 index 0000000000..4a73da2f0c --- /dev/null +++ b/queue-6.18/ice-fix-missing-tx-timestamps-interrupts-on-e825-dev.patch @@ -0,0 +1,74 @@ +From 874ba3473246c2b2b938b4246bce3b05417114ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 10:25:58 +0100 +Subject: ice: fix missing TX timestamps interrupts on E825 devices + +From: Grzegorz Nitka + +[ Upstream commit 99854c167cfc113ad863832b1601c4ca1a639cfe ] + +Modify PTP (Precision Time Protocol) configuration on link down flow. +Previously, PHY_REG_TX_OFFSET_READY register was cleared in such case. +This register is used to determine if the timestamp is valid or not on +the hardware side. +However, there is a possibility that there is still the packet in the +HW queue which originally was supposed to be timestamped but the link +is already down and given register is cleared. +This potentially might lead to the situation in which that 'delayed' +packet's timestamp is treated as invalid one when the link is up +again. +This in turn leads to the situation in which the driver is not able to +effectively clean timestamp memory and interrupt configuration. +From the hardware perspective, that 'old' interrupt was not handled +properly and even if new timestamp packets are processed, no new +interrupts is generated. As a result, providing timestamps to the user +applications (like ptp4l) is not possible. +The solution for this problem is implemented at the driver level rather +than the firmware, and maintains the tx_ready bit high, even during +link down events. This avoids entering a potential inconsistent state +between the driver and the timestamp hardware. + +Testing hints: +- run PTP traffic at higher rate (like 16 PTP messages per second) +- observe ptp4l behaviour at the client side in the following + conditions: + a) trigger link toggle events. It needs to be physiscal + link down/up events + b) link speed change +In all above cases, PTP processing at ptp4l application should resume +always. In failure case, the following permanent error message in ptp4l +log was observed: +controller-0 ptp4l: err [6175.116] ptp4l-legacy timed out while polling + for tx timestamp + +Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products") +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Grzegorz Nitka +Tested-by: Sunitha Mekala (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index 8ec0f7d0fcebd..4aa88bac759f8 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -1338,9 +1338,12 @@ void ice_ptp_link_change(struct ice_pf *pf, bool linkup) + /* Do not reconfigure E810 or E830 PHY */ + return; + case ICE_MAC_GENERIC: +- case ICE_MAC_GENERIC_3K_E825: + ice_ptp_port_phy_restart(ptp_port); + return; ++ case ICE_MAC_GENERIC_3K_E825: ++ if (linkup) ++ ice_ptp_port_phy_restart(ptp_port); ++ return; + default: + dev_warn(ice_pf_to_dev(pf), "%s: Unknown PHY type\n", __func__); + } +-- +2.51.0 + diff --git a/queue-6.18/ice-fix-ptp-null-pointer-dereference-during-vsi-rebu.patch b/queue-6.18/ice-fix-ptp-null-pointer-dereference-during-vsi-rebu.patch new file mode 100644 index 0000000000..e71c40cea6 --- /dev/null +++ b/queue-6.18/ice-fix-ptp-null-pointer-dereference-during-vsi-rebu.patch @@ -0,0 +1,152 @@ +From 17499d5a7fd125b8c3877a2fd9cfd3e4937d9712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 15:51:06 +0800 +Subject: ice: Fix PTP NULL pointer dereference during VSI rebuild + +From: Aaron Ma + +[ Upstream commit fc6f36eaaedcf4b81af6fe1a568f018ffd530660 ] + +Fix race condition where PTP periodic work runs while VSI is being +rebuilt, accessing NULL vsi->rx_rings. + +The sequence was: +1. ice_ptp_prepare_for_reset() cancels PTP work +2. ice_ptp_rebuild() immediately queues PTP work +3. VSI rebuild happens AFTER ice_ptp_rebuild() +4. PTP work runs and accesses NULL vsi->rx_rings + +Fix: Keep PTP work cancelled during rebuild, only queue it after +VSI rebuild completes in ice_rebuild(). + +Added ice_ptp_queue_work() helper function to encapsulate the logic +for queuing PTP work, ensuring it's only queued when PTP is supported +and the state is ICE_PTP_READY. + +Error log: +[ 121.392544] ice 0000:60:00.1: PTP reset successful +[ 121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 121.392712] #PF: supervisor read access in kernel mode +[ 121.392720] #PF: error_code(0x0000) - not-present page +[ 121.392727] PGD 0 +[ 121.392734] Oops: Oops: 0000 [#1] SMP NOPTI +[ 121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S 6.19.0-rc6+ #4 PREEMPT(voluntary) +[ 121.392761] Tainted: [S]=CPU_OUT_OF_SPEC +[ 121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice] +[ 121.393042] Call Trace: +[ 121.393047] +[ 121.393055] ice_ptp_periodic_work+0x69/0x180 [ice] +[ 121.393202] kthread_worker_fn+0xa2/0x260 +[ 121.393216] ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice] +[ 121.393359] ? __pfx_kthread_worker_fn+0x10/0x10 +[ 121.393371] kthread+0x10d/0x230 +[ 121.393382] ? __pfx_kthread+0x10/0x10 +[ 121.393393] ret_from_fork+0x273/0x2b0 +[ 121.393407] ? __pfx_kthread+0x10/0x10 +[ 121.393417] ret_from_fork_asm+0x1a/0x30 +[ 121.393432] + +Fixes: 803bef817807d ("ice: factor out ice_ptp_rebuild_owner()") +Signed-off-by: Aaron Ma +Tested-by: Sunitha Mekala (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 3 +++ + drivers/net/ethernet/intel/ice/ice_ptp.c | 26 ++++++++++++++++++----- + drivers/net/ethernet/intel/ice/ice_ptp.h | 5 +++++ + 3 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 7a59c9dd07cb1..d34a32a09bf87 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -7815,6 +7815,9 @@ static void ice_rebuild(struct ice_pf *pf, enum ice_reset_req reset_type) + + /* Restore timestamp mode settings after VSI rebuild */ + ice_ptp_restore_timestamp_mode(pf); ++ ++ /* Start PTP periodic work after VSI is fully rebuilt */ ++ ice_ptp_queue_work(pf); + return; + + err_vsi_rebuild: +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index 44c1ca58b8806..df38345b12d72 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -2832,6 +2832,20 @@ static void ice_ptp_periodic_work(struct kthread_work *work) + msecs_to_jiffies(err ? 10 : 500)); + } + ++/** ++ * ice_ptp_queue_work - Queue PTP periodic work for a PF ++ * @pf: Board private structure ++ * ++ * Helper function to queue PTP periodic work after VSI rebuild completes. ++ * This ensures that PTP work only runs when VSI structures are ready. ++ */ ++void ice_ptp_queue_work(struct ice_pf *pf) ++{ ++ if (test_bit(ICE_FLAG_PTP_SUPPORTED, pf->flags) && ++ pf->ptp.state == ICE_PTP_READY) ++ kthread_queue_delayed_work(pf->ptp.kworker, &pf->ptp.work, 0); ++} ++ + /** + * ice_ptp_prepare_rebuild_sec - Prepare second NAC for PTP reset or rebuild + * @pf: Board private structure +@@ -2850,10 +2864,15 @@ static void ice_ptp_prepare_rebuild_sec(struct ice_pf *pf, bool rebuild, + struct ice_pf *peer_pf = ptp_port_to_pf(port); + + if (!ice_is_primary(&peer_pf->hw)) { +- if (rebuild) ++ if (rebuild) { ++ /* TODO: When implementing rebuild=true: ++ * 1. Ensure secondary PFs' VSIs are rebuilt ++ * 2. Call ice_ptp_queue_work(peer_pf) after VSI rebuild ++ */ + ice_ptp_rebuild(peer_pf, reset_type); +- else ++ } else { + ice_ptp_prepare_for_reset(peer_pf, reset_type); ++ } + } + } + } +@@ -2999,9 +3018,6 @@ void ice_ptp_rebuild(struct ice_pf *pf, enum ice_reset_req reset_type) + + ptp->state = ICE_PTP_READY; + +- /* Start periodic work going */ +- kthread_queue_delayed_work(ptp->kworker, &ptp->work, 0); +- + dev_info(ice_pf_to_dev(pf), "PTP reset successful\n"); + return; + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.h b/drivers/net/ethernet/intel/ice/ice_ptp.h +index 46005642ef419..4e02f922c1ff8 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.h ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.h +@@ -316,6 +316,7 @@ void ice_ptp_prepare_for_reset(struct ice_pf *pf, + void ice_ptp_init(struct ice_pf *pf); + void ice_ptp_release(struct ice_pf *pf); + void ice_ptp_link_change(struct ice_pf *pf, bool linkup); ++void ice_ptp_queue_work(struct ice_pf *pf); + #else /* IS_ENABLED(CONFIG_PTP_1588_CLOCK) */ + + static inline int ice_ptp_hwtstamp_get(struct net_device *netdev, +@@ -384,6 +385,10 @@ static inline void ice_ptp_link_change(struct ice_pf *pf, bool linkup) + { + } + ++static inline void ice_ptp_queue_work(struct ice_pf *pf) ++{ ++} ++ + static inline int ice_ptp_clock_index(struct ice_pf *pf) + { + return -1; +-- +2.51.0 + diff --git a/queue-6.18/ice-ptp-fix-missing-timestamps-on-e825-hardware.patch b/queue-6.18/ice-ptp-fix-missing-timestamps-on-e825-hardware.patch new file mode 100644 index 0000000000..63dc9c4746 --- /dev/null +++ b/queue-6.18/ice-ptp-fix-missing-timestamps-on-e825-hardware.patch @@ -0,0 +1,436 @@ +From 34cde76ebdf5e33d7fcbdcd022044969bcb3d91c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:44:19 -0800 +Subject: ice: PTP: fix missing timestamps on E825 hardware +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jacob Keller + +[ Upstream commit 88b68f35eb43ad5ac77ac1107059040b04e6f477 ] + +The E825 hardware currently has each PF handle the PFINT_TSYN_TX cause of +the miscellaneous OICR interrupt vector. The actual interrupt cause +underlying this is shared by all ports on the same quad: + + ┌─────────────────────────────────┐ + │ │ + │ ┌────┐ ┌────┐ ┌────┐ ┌────┐ │ + │ │PF 0│ │PF 1│ │PF 2│ │PF 3│ │ + │ └────┘ └────┘ └────┘ └────┘ │ + │ │ + └────────────────▲────────────────┘ + │ + │ + ┌────────────────┼────────────────┐ + │ PHY QUAD │ + └───▲────────▲────────▲────────▲──┘ + │ │ │ │ + ┌───┼──┐ ┌───┴──┐ ┌───┼──┐ ┌───┼──┐ + │Port 0│ │Port 1│ │Port 2│ │Port 3│ + └──────┘ └──────┘ └──────┘ └──────┘ + +If multiple PFs issue Tx timestamp requests near simultaneously, it is +possible that the correct PF will not be interrupted and will miss its +timestamp. Understanding why is somewhat complex. + +Consider the following sequence of events: + + CPU 0: + Send Tx packet on PF 0 + ... + PF 0 enqueues packet with Tx request CPU 1, PF1: + ... Send Tx packet on PF1 + ... PF 1 enqueues packet with Tx request + + HW: + PHY Port 0 sends packet + PHY raises Tx timestamp event interrupt + MAC raises each PF interrupt + + CPU 0, PF0: CPU 1, PF1: + ice_misc_intr() checks for Tx timestamps ice_misc_intr() checks for Tx timestamp + Sees packet ready bit set Sees nothing available + ... Exits + ... + ... + HW: + PHY port 1 sends packet + PHY interrupt ignored because not all packet timestamps read yet. + ... + Read timestamp, report to stack + +Because the interrupt event is shared for all ports on the same quad, the +PHY will not raise a new interrupt for any PF until all timestamps are +read. + +In the example above, the second timestamp comes in for port 1 before the +timestamp from port 0 is read. At this point, there is no longer an +interrupt thread running that will read the timestamps, because each PF has +checked and found that there was no work to do. Applications such as ptp4l +will timeout after waiting a few milliseconds. Eventually, the watchdog +service task will re-check for all quads and notice that there are +outstanding timestamps, and issue a software interrupt to recover. However, +by this point it is far too late, and applications have already failed. + +All of this occurs because of the underlying hardware behavior. The PHY +cannot raise a new interrupt signal until all outstanding timestamps have +been read. + +As a first step to fix this, switch the E825C hardware to the +ICE_PTP_TX_INTERRUPT_ALL mode. In this mode, only the clock owner PF will +respond to the PFINT_TSYN_TX cause. Other PFs disable this cause and will +not wake. In this mode, the clock owner will iterate over all ports and +handle timestamps for each connected port. + +This matches the E822 behavior, and is a necessary but insufficient step to +resolve the missing timestamps. + +Even with use of the ICE_PTP_TX_INTERRUPT_ALL mode, we still sometimes miss +a timestamp event. The ice_ptp_tx_tstamp_owner() does re-check the ready +bitmap, but does so before re-enabling the OICR interrupt vector. It also +only checks the ready bitmap, but not the software Tx timestamp tracker. + +To avoid risk of losing a timestamp, refactor the logic to check both the +software Tx timestamp tracker bitmap *and* the hardware ready bitmap. +Additionally, do this outside of ice_ptp_process_ts() after we have already +re-enabled the OICR interrupt. + +Remove the checks from the ice_ptp_tx_tstamp(), ice_ptp_tx_tstamp_owner(), +and the ice_ptp_process_ts() functions. This results in ice_ptp_tx_tstamp() +being nothing more than a wrapper around ice_ptp_process_tx_tstamp() so we +can remove it. + +Add the ice_ptp_tx_tstamps_pending() function which returns a boolean +indicating if there are any pending Tx timestamps. First, check the +software timestamp tracker bitmap. In ICE_PTP_TX_INTERRUPT_ALL mode, check +*all* ports software trackers. If a tracker has outstanding timestamp +requests, return true. Additionally, check the PHY ready bitmap to confirm +if the PHY indicates any outstanding timestamps. + +In the ice_misc_thread_fn(), call ice_ptp_tx_tstamps_pending() just before +returning from the IRQ thread handler. If it returns true, write to +PFINT_OICR to trigger a PFINT_OICR_TSYN_TX_M software interrupt. This will +force the handler to interrupt again and complete the work even if the PHY +hardware did not interrupt for any reason. + +This results in the following new flow for handling Tx timestamps: + +1) send Tx packet +2) PHY captures timestamp +3) PHY triggers MAC interrupt +4) clock owner executes ice_misc_intr() with PFINT_OICR_TSYN_TX flag set +5) ice_ptp_ts_irq() returns IRQ_WAKE_THREAD +7) The interrupt thread wakes up and kernel calls ice_misc_intr_thread_fn() +8) ice_ptp_process_ts() is called to handle any outstanding timestamps +9) ice_irq_dynamic_ena() is called to re-enable the OICR hardware interrupt + cause +10) ice_ptp_tx_tstamps_pending() is called to check if we missed any more + outstanding timestamps, checking both software and hardware indicators. + +With this change, it should no longer be possible for new timestamps to +come in such a way that we lose an interrupt. If a timestamp comes in +before the ice_ptp_tx_tstamps_pending() call, it will be noticed by at +least one of the software bitmap check or the hardware bitmap check. If the +timestamp comes in *after* this check, it should cause a timestamp +interrupt as we have already read all timestamps from the PHY and the OICR +vector has been re-enabled. + +Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products") +Signed-off-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemyslaw Korba +Tested-by: Vitaly Grinberg +Tested-by: Sunitha Mekala (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 20 +-- + drivers/net/ethernet/intel/ice/ice_ptp.c | 148 ++++++++++++---------- + drivers/net/ethernet/intel/ice/ice_ptp.h | 13 +- + 3 files changed, 103 insertions(+), 78 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index c52324d999eb4..7a59c9dd07cb1 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3323,18 +3323,20 @@ static irqreturn_t ice_misc_intr_thread_fn(int __always_unused irq, void *data) + if (ice_is_reset_in_progress(pf->state)) + goto skip_irq; + +- if (test_and_clear_bit(ICE_MISC_THREAD_TX_TSTAMP, pf->misc_thread)) { +- /* Process outstanding Tx timestamps. If there is more work, +- * re-arm the interrupt to trigger again. +- */ +- if (ice_ptp_process_ts(pf) == ICE_TX_TSTAMP_WORK_PENDING) { +- wr32(hw, PFINT_OICR, PFINT_OICR_TSYN_TX_M); +- ice_flush(hw); +- } +- } ++ if (test_and_clear_bit(ICE_MISC_THREAD_TX_TSTAMP, pf->misc_thread)) ++ ice_ptp_process_ts(pf); + + skip_irq: + ice_irq_dynamic_ena(hw, NULL, NULL); ++ ice_flush(hw); ++ ++ if (ice_ptp_tx_tstamps_pending(pf)) { ++ /* If any new Tx timestamps happened while in interrupt, ++ * re-arm the interrupt to trigger it again. ++ */ ++ wr32(hw, PFINT_OICR, PFINT_OICR_TSYN_TX_M); ++ ice_flush(hw); ++ } + + return IRQ_HANDLED; + } +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index 4aa88bac759f8..44c1ca58b8806 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -569,6 +569,9 @@ static void ice_ptp_process_tx_tstamp(struct ice_ptp_tx *tx) + pf = ptp_port_to_pf(ptp_port); + hw = &pf->hw; + ++ if (!tx->init) ++ return; ++ + /* Read the Tx ready status first */ + if (tx->has_ready_bitmap) { + err = ice_get_phy_tx_tstamp_ready(hw, tx->block, &tstamp_ready); +@@ -665,14 +668,9 @@ static void ice_ptp_process_tx_tstamp(struct ice_ptp_tx *tx) + } + } + +-/** +- * ice_ptp_tx_tstamp_owner - Process Tx timestamps for all ports on the device +- * @pf: Board private structure +- */ +-static enum ice_tx_tstamp_work ice_ptp_tx_tstamp_owner(struct ice_pf *pf) ++static void ice_ptp_tx_tstamp_owner(struct ice_pf *pf) + { + struct ice_ptp_port *port; +- unsigned int i; + + mutex_lock(&pf->adapter->ports.lock); + list_for_each_entry(port, &pf->adapter->ports.ports, list_node) { +@@ -684,49 +682,6 @@ static enum ice_tx_tstamp_work ice_ptp_tx_tstamp_owner(struct ice_pf *pf) + ice_ptp_process_tx_tstamp(tx); + } + mutex_unlock(&pf->adapter->ports.lock); +- +- for (i = 0; i < ICE_GET_QUAD_NUM(pf->hw.ptp.num_lports); i++) { +- u64 tstamp_ready; +- int err; +- +- /* Read the Tx ready status first */ +- err = ice_get_phy_tx_tstamp_ready(&pf->hw, i, &tstamp_ready); +- if (err) +- break; +- else if (tstamp_ready) +- return ICE_TX_TSTAMP_WORK_PENDING; +- } +- +- return ICE_TX_TSTAMP_WORK_DONE; +-} +- +-/** +- * ice_ptp_tx_tstamp - Process Tx timestamps for this function. +- * @tx: Tx tracking structure to initialize +- * +- * Returns: ICE_TX_TSTAMP_WORK_PENDING if there are any outstanding incomplete +- * Tx timestamps, or ICE_TX_TSTAMP_WORK_DONE otherwise. +- */ +-static enum ice_tx_tstamp_work ice_ptp_tx_tstamp(struct ice_ptp_tx *tx) +-{ +- bool more_timestamps; +- unsigned long flags; +- +- if (!tx->init) +- return ICE_TX_TSTAMP_WORK_DONE; +- +- /* Process the Tx timestamp tracker */ +- ice_ptp_process_tx_tstamp(tx); +- +- /* Check if there are outstanding Tx timestamps */ +- spin_lock_irqsave(&tx->lock, flags); +- more_timestamps = tx->init && !bitmap_empty(tx->in_use, tx->len); +- spin_unlock_irqrestore(&tx->lock, flags); +- +- if (more_timestamps) +- return ICE_TX_TSTAMP_WORK_PENDING; +- +- return ICE_TX_TSTAMP_WORK_DONE; + } + + /** +@@ -2659,30 +2614,92 @@ s8 ice_ptp_request_ts(struct ice_ptp_tx *tx, struct sk_buff *skb) + return idx + tx->offset; + } + +-/** +- * ice_ptp_process_ts - Process the PTP Tx timestamps +- * @pf: Board private structure +- * +- * Returns: ICE_TX_TSTAMP_WORK_PENDING if there are any outstanding Tx +- * timestamps that need processing, and ICE_TX_TSTAMP_WORK_DONE otherwise. +- */ +-enum ice_tx_tstamp_work ice_ptp_process_ts(struct ice_pf *pf) ++void ice_ptp_process_ts(struct ice_pf *pf) + { + switch (pf->ptp.tx_interrupt_mode) { + case ICE_PTP_TX_INTERRUPT_NONE: + /* This device has the clock owner handle timestamps for it */ +- return ICE_TX_TSTAMP_WORK_DONE; ++ return; + case ICE_PTP_TX_INTERRUPT_SELF: + /* This device handles its own timestamps */ +- return ice_ptp_tx_tstamp(&pf->ptp.port.tx); ++ ice_ptp_process_tx_tstamp(&pf->ptp.port.tx); ++ return; + case ICE_PTP_TX_INTERRUPT_ALL: + /* This device handles timestamps for all ports */ +- return ice_ptp_tx_tstamp_owner(pf); ++ ice_ptp_tx_tstamp_owner(pf); ++ return; ++ default: ++ WARN_ONCE(1, "Unexpected Tx timestamp interrupt mode %u\n", ++ pf->ptp.tx_interrupt_mode); ++ return; ++ } ++} ++ ++static bool ice_port_has_timestamps(struct ice_ptp_tx *tx) ++{ ++ bool more_timestamps; ++ ++ scoped_guard(spinlock_irqsave, &tx->lock) { ++ if (!tx->init) ++ return false; ++ ++ more_timestamps = !bitmap_empty(tx->in_use, tx->len); ++ } ++ ++ return more_timestamps; ++} ++ ++static bool ice_any_port_has_timestamps(struct ice_pf *pf) ++{ ++ struct ice_ptp_port *port; ++ ++ scoped_guard(mutex, &pf->adapter->ports.lock) { ++ list_for_each_entry(port, &pf->adapter->ports.ports, ++ list_node) { ++ struct ice_ptp_tx *tx = &port->tx; ++ ++ if (ice_port_has_timestamps(tx)) ++ return true; ++ } ++ } ++ ++ return false; ++} ++ ++bool ice_ptp_tx_tstamps_pending(struct ice_pf *pf) ++{ ++ struct ice_hw *hw = &pf->hw; ++ unsigned int i; ++ ++ /* Check software indicator */ ++ switch (pf->ptp.tx_interrupt_mode) { ++ case ICE_PTP_TX_INTERRUPT_NONE: ++ return false; ++ case ICE_PTP_TX_INTERRUPT_SELF: ++ if (ice_port_has_timestamps(&pf->ptp.port.tx)) ++ return true; ++ break; ++ case ICE_PTP_TX_INTERRUPT_ALL: ++ if (ice_any_port_has_timestamps(pf)) ++ return true; ++ break; + default: + WARN_ONCE(1, "Unexpected Tx timestamp interrupt mode %u\n", + pf->ptp.tx_interrupt_mode); +- return ICE_TX_TSTAMP_WORK_DONE; ++ break; ++ } ++ ++ /* Check hardware indicator */ ++ for (i = 0; i < ICE_GET_QUAD_NUM(hw->ptp.num_lports); i++) { ++ u64 tstamp_ready = 0; ++ int err; ++ ++ err = ice_get_phy_tx_tstamp_ready(&pf->hw, i, &tstamp_ready); ++ if (err || tstamp_ready) ++ return true; + } ++ ++ return false; + } + + /** +@@ -2734,7 +2751,9 @@ irqreturn_t ice_ptp_ts_irq(struct ice_pf *pf) + return IRQ_WAKE_THREAD; + case ICE_MAC_E830: + /* E830 can read timestamps in the top half using rd32() */ +- if (ice_ptp_process_ts(pf) == ICE_TX_TSTAMP_WORK_PENDING) { ++ ice_ptp_process_ts(pf); ++ ++ if (ice_ptp_tx_tstamps_pending(pf)) { + /* Process outstanding Tx timestamps. If there + * is more work, re-arm the interrupt to trigger again. + */ +@@ -3187,8 +3206,9 @@ static void ice_ptp_init_tx_interrupt_mode(struct ice_pf *pf) + { + switch (pf->hw.mac_type) { + case ICE_MAC_GENERIC: +- /* E822 based PHY has the clock owner process the interrupt +- * for all ports. ++ case ICE_MAC_GENERIC_3K_E825: ++ /* E82x hardware has the clock owner process timestamps for ++ * all ports. + */ + if (ice_pf_src_tmr_owned(pf)) + pf->ptp.tx_interrupt_mode = ICE_PTP_TX_INTERRUPT_ALL; +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.h b/drivers/net/ethernet/intel/ice/ice_ptp.h +index 137f2070a2d99..46005642ef419 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.h ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.h +@@ -302,8 +302,9 @@ void ice_ptp_extts_event(struct ice_pf *pf); + s8 ice_ptp_request_ts(struct ice_ptp_tx *tx, struct sk_buff *skb); + void ice_ptp_req_tx_single_tstamp(struct ice_ptp_tx *tx, u8 idx); + void ice_ptp_complete_tx_single_tstamp(struct ice_ptp_tx *tx); +-enum ice_tx_tstamp_work ice_ptp_process_ts(struct ice_pf *pf); ++void ice_ptp_process_ts(struct ice_pf *pf); + irqreturn_t ice_ptp_ts_irq(struct ice_pf *pf); ++bool ice_ptp_tx_tstamps_pending(struct ice_pf *pf); + u64 ice_ptp_read_src_clk_reg(struct ice_pf *pf, + struct ptp_system_timestamp *sts); + +@@ -343,16 +344,18 @@ static inline void ice_ptp_req_tx_single_tstamp(struct ice_ptp_tx *tx, u8 idx) + + static inline void ice_ptp_complete_tx_single_tstamp(struct ice_ptp_tx *tx) { } + +-static inline bool ice_ptp_process_ts(struct ice_pf *pf) +-{ +- return true; +-} ++static inline void ice_ptp_process_ts(struct ice_pf *pf) { } + + static inline irqreturn_t ice_ptp_ts_irq(struct ice_pf *pf) + { + return IRQ_HANDLED; + } + ++static inline bool ice_ptp_tx_tstamps_pending(struct ice_pf *pf) ++{ ++ return false; ++} ++ + static inline u64 ice_ptp_read_src_clk_reg(struct ice_pf *pf, + struct ptp_system_timestamp *sts) + { +-- +2.51.0 + diff --git a/queue-6.18/io_uring-rw-free-potentially-allocated-iovec-on-cach.patch b/queue-6.18/io_uring-rw-free-potentially-allocated-iovec-on-cach.patch new file mode 100644 index 0000000000..7e738b7a84 --- /dev/null +++ b/queue-6.18/io_uring-rw-free-potentially-allocated-iovec-on-cach.patch @@ -0,0 +1,68 @@ +From 248dbb4eff9dce3914313d8146e8f15631744f35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 19:48:01 -0700 +Subject: io_uring/rw: free potentially allocated iovec on cache put failure + +From: Jens Axboe + +[ Upstream commit 4b9748055457ac3a0710bf210c229d01ea1b01b9 ] + +If a read/write request goes through io_req_rw_cleanup() and has an +allocated iovec attached and fails to put to the rw_cache, then it may +end up with an unaccounted iovec pointer. Have io_rw_recycle() return +whether it recycled the request or not, and use that to gauge whether to +free a potential iovec or not. + +Reviewed-by: Nitesh Shetty +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/rw.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/io_uring/rw.c b/io_uring/rw.c +index abe68ba9c9dc8..d7388a4a3ea5e 100644 +--- a/io_uring/rw.c ++++ b/io_uring/rw.c +@@ -144,19 +144,22 @@ static inline int io_import_rw_buffer(int rw, struct io_kiocb *req, + return 0; + } + +-static void io_rw_recycle(struct io_kiocb *req, unsigned int issue_flags) ++static bool io_rw_recycle(struct io_kiocb *req, unsigned int issue_flags) + { + struct io_async_rw *rw = req->async_data; + + if (unlikely(issue_flags & IO_URING_F_UNLOCKED)) +- return; ++ return false; + + io_alloc_cache_vec_kasan(&rw->vec); + if (rw->vec.nr > IO_VEC_CACHE_SOFT_CAP) + io_vec_free(&rw->vec); + +- if (io_alloc_cache_put(&req->ctx->rw_cache, rw)) ++ if (io_alloc_cache_put(&req->ctx->rw_cache, rw)) { + io_req_async_data_clear(req, 0); ++ return true; ++ } ++ return false; + } + + static void io_req_rw_cleanup(struct io_kiocb *req, unsigned int issue_flags) +@@ -190,7 +193,11 @@ static void io_req_rw_cleanup(struct io_kiocb *req, unsigned int issue_flags) + */ + if (!(req->flags & (REQ_F_REISSUE | REQ_F_REFCOUNT))) { + req->flags &= ~REQ_F_NEED_CLEANUP; +- io_rw_recycle(req, issue_flags); ++ if (!io_rw_recycle(req, issue_flags)) { ++ struct io_async_rw *rw = req->async_data; ++ ++ io_vec_free(&rw->vec); ++ } + } + } + +-- +2.51.0 + diff --git a/queue-6.18/io_uring-use-gfp_nowait-for-overflow-cqes-on-legacy-.patch b/queue-6.18/io_uring-use-gfp_nowait-for-overflow-cqes-on-legacy-.patch new file mode 100644 index 0000000000..f22ee3aeae --- /dev/null +++ b/queue-6.18/io_uring-use-gfp_nowait-for-overflow-cqes-on-legacy-.patch @@ -0,0 +1,39 @@ +From b74dc485d2490fe129bc6c99b2f26241a6547d67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 19:57:28 +0100 +Subject: io_uring: use GFP_NOWAIT for overflow CQEs on legacy rings + +From: Alexandre Negrel + +[ Upstream commit fc5ff2500976cd2710a7acecffd12d95ee4f98fc ] + +Allocate the overflowing CQE with GFP_NOWAIT instead of GFP_ATOMIC. This +changes causes allocations to fail earlier in out-of-memory situations, +rather than being deferred. Using GFP_ATOMIC allows a process to exceed +memory limits. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220794 +Signed-off-by: Alexandre Negrel +Link: https://lore.kernel.org/io-uring/20251229201933.515797-1-alexandre@negrel.dev/ +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index e97c495c18065..104192bcc8e4b 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -897,7 +897,7 @@ static __cold bool io_cqe_overflow_locked(struct io_ring_ctx *ctx, + { + struct io_overflow_cqe *ocqe; + +- ocqe = io_alloc_ocqe(ctx, cqe, big_cqe, GFP_ATOMIC); ++ ocqe = io_alloc_ocqe(ctx, cqe, big_cqe, GFP_NOWAIT); + return io_cqring_add_overflow(ctx, ocqe); + } + +-- +2.51.0 + diff --git a/queue-6.18/io_uring-zcrx-fix-page-array-leak.patch b/queue-6.18/io_uring-zcrx-fix-page-array-leak.patch new file mode 100644 index 0000000000..d9c37d1448 --- /dev/null +++ b/queue-6.18/io_uring-zcrx-fix-page-array-leak.patch @@ -0,0 +1,35 @@ +From 78416a14566260ce306a6cb5b6b80eb70e934787 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Feb 2026 21:18:53 +0000 +Subject: io_uring/zcrx: fix page array leak + +From: Pavel Begunkov + +[ Upstream commit 0ae91d8ab70922fb74c22c20bedcb69459579b1c ] + +d9f595b9a65e ("io_uring/zcrx: fix leaking pages on sg init fail") fixed +a page leakage but didn't free the page array, release it as well. + +Fixes: b84621d96ee02 ("io_uring/zcrx: allocate sgtable for umem areas") +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/zcrx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c +index 875ad40cf6591..03396769c775d 100644 +--- a/io_uring/zcrx.c ++++ b/io_uring/zcrx.c +@@ -196,6 +196,7 @@ static int io_import_umem(struct io_zcrx_ifq *ifq, + GFP_KERNEL_ACCOUNT); + if (ret) { + unpin_user_pages(pages, nr_pages); ++ kvfree(pages); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.18/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch b/queue-6.18/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch new file mode 100644 index 0000000000..07e30d840a --- /dev/null +++ b/queue-6.18/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch @@ -0,0 +1,93 @@ +From 0eec15de89ebcaef68581c1061226765190ed577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 18:58:37 +0900 +Subject: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF + +From: Shigeru Yoshida + +[ Upstream commit bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 ] + +syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 +route. [0] + +Commit f72514b3c569 ("ipv6: clear RA flags when adding a static +route") introduced logic to clear RTF_ADDRCONF from existing routes +when a static route with the same nexthop is added. However, this +causes a problem when the existing route has a gateway. + +When RTF_ADDRCONF is cleared from a route that has a gateway, that +route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns +true. The issue is that this route was never added to the +fib6_siblings list. + +This leads to a mismatch between the following counts: + +- The sibling count computed by iterating fib6_next chain, which + includes the newly ECMP-eligible route + +- The actual siblings in fib6_siblings list, which does not include + that route + +When a subsequent ECMP route is added, fib6_add_rt2node() hits +BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the +counts don't match. + +Fix this by only clearing RTF_ADDRCONF when the existing route does +not have a gateway. Routes without a gateway cannot qualify for ECMP +anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing +RTF_ADDRCONF on them is safe and matches the original intent of the +commit. + +[0]: +kernel BUG at net/ipv6/ip6_fib.c:1217! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217 +[...] +Call Trace: + + fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532 + __ip6_ins_rt net/ipv6/route.c:1351 [inline] + ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946 + ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571 + inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577 + sock_do_ioctl+0xdc/0x300 net/socket.c:1245 + sock_ioctl+0x576/0x790 net/socket.c:1366 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: f72514b3c569 ("ipv6: clear RA flags when adding a static route") +Reported-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cb809def1baaac68ab92 +Tested-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260204095837.1285552-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index 2111af022d946..c6439e30e892a 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1138,7 +1138,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + fib6_set_expires(iter, rt->expires); + fib6_add_gc_list(iter); + } +- if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT))) { ++ if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && ++ !iter->fib6_nh->fib_nh_gw_family) { + iter->fib6_flags &= ~RTF_ADDRCONF; + iter->fib6_flags &= ~RTF_PREFIX_RT; + } +-- +2.51.0 + diff --git a/queue-6.18/linkwatch-use-__dev_put-in-callers-to-prevent-uaf.patch b/queue-6.18/linkwatch-use-__dev_put-in-callers-to-prevent-uaf.patch new file mode 100644 index 0000000000..6a105c05a0 --- /dev/null +++ b/queue-6.18/linkwatch-use-__dev_put-in-callers-to-prevent-uaf.patch @@ -0,0 +1,142 @@ +From 37f37c3d39f1571ae749b0a28bcd2fd5e3703806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Feb 2026 21:59:10 +0800 +Subject: linkwatch: use __dev_put() in callers to prevent UAF + +From: Jiayuan Chen + +[ Upstream commit 83b67cc9be9223183caf91826d9c194d7fb128fa ] + +After linkwatch_do_dev() calls __dev_put() to release the linkwatch +reference, the device refcount may drop to 1. At this point, +netdev_run_todo() can proceed (since linkwatch_sync_dev() sees an +empty list and returns without blocking), wait for the refcount to +become 1 via netdev_wait_allrefs_any(), and then free the device +via kobject_put(). + +This creates a use-after-free when __linkwatch_run_queue() tries to +call netdev_unlock_ops() on the already-freed device. + +Note that adding netdev_lock_ops()/netdev_unlock_ops() pair in +netdev_run_todo() before kobject_put() would not work, because +netdev_lock_ops() is conditional - it only locks when +netdev_need_ops_lock() returns true. If the device doesn't require +ops_lock, linkwatch won't hold any lock, and netdev_run_todo() +acquiring the lock won't provide synchronization. + +Fix this by moving __dev_put() from linkwatch_do_dev() to its +callers. The device reference logically pairs with de-listing the +device, so it's reasonable for the caller that did the de-listing +to release it. This allows placing __dev_put() after all device +accesses are complete, preventing UAF. + +The bug can be reproduced by adding mdelay(2000) after +linkwatch_do_dev() in __linkwatch_run_queue(), then running: + + ip tuntap add mode tun name tun_test + ip link set tun_test up + ip link set tun_test carrier off + ip link set tun_test carrier on + sleep 0.5 + ip tuntap del mode tun name tun_test + +KASAN report: + + ================================================================== + BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:33 [inline] + BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline] + BUG: KASAN: use-after-free in __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245 + Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123 + + CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + Workqueue: events_unbound linkwatch_event + Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x156/0x4c9 mm/kasan/report.c:482 + kasan_report+0xdf/0x1a0 mm/kasan/report.c:595 + netdev_need_ops_lock include/net/netdev_lock.h:33 [inline] + netdev_unlock_ops include/net/netdev_lock.h:47 [inline] + __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245 + linkwatch_event+0x8f/0xc0 net/core/link_watch.c:304 + process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x5da/0xe40 kernel/workqueue.c:3421 + kthread+0x3b3/0x730 kernel/kthread.c:463 + ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + + ================================================================== + +Fixes: 04efcee6ef8d ("net: hold instance lock during NETDEV_CHANGE") +Reported-by: syzbot+1ec2f6a450f0b54af8c8@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/6824d064.a70a0220.3e9d8.001a.GAE@google.com/T/ +Signed-off-by: Jiayuan Chen +Signed-off-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260201135915.393451-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/link_watch.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/net/core/link_watch.c b/net/core/link_watch.c +index 212cde35affa7..25c455c10a01c 100644 +--- a/net/core/link_watch.c ++++ b/net/core/link_watch.c +@@ -185,10 +185,6 @@ static void linkwatch_do_dev(struct net_device *dev) + + netif_state_change(dev); + } +- /* Note: our callers are responsible for calling netdev_tracker_free(). +- * This is the reason we use __dev_put() instead of dev_put(). +- */ +- __dev_put(dev); + } + + static void __linkwatch_run_queue(int urgent_only) +@@ -243,6 +239,11 @@ static void __linkwatch_run_queue(int urgent_only) + netdev_lock_ops(dev); + linkwatch_do_dev(dev); + netdev_unlock_ops(dev); ++ /* Use __dev_put() because netdev_tracker_free() was already ++ * called above. Must be after netdev_unlock_ops() to prevent ++ * netdev_run_todo() from freeing the device while still in use. ++ */ ++ __dev_put(dev); + do_dev--; + spin_lock_irq(&lweventlist_lock); + } +@@ -278,8 +279,13 @@ void __linkwatch_sync_dev(struct net_device *dev) + { + netdev_ops_assert_locked(dev); + +- if (linkwatch_clean_dev(dev)) ++ if (linkwatch_clean_dev(dev)) { + linkwatch_do_dev(dev); ++ /* Use __dev_put() because netdev_tracker_free() was already ++ * called inside linkwatch_clean_dev(). ++ */ ++ __dev_put(dev); ++ } + } + + void linkwatch_sync_dev(struct net_device *dev) +@@ -288,6 +294,10 @@ void linkwatch_sync_dev(struct net_device *dev) + netdev_lock_ops(dev); + linkwatch_do_dev(dev); + netdev_unlock_ops(dev); ++ /* Use __dev_put() because netdev_tracker_free() was already ++ * called inside linkwatch_clean_dev(). ++ */ ++ __dev_put(dev); + } + } + +-- +2.51.0 + diff --git a/queue-6.18/loongarch-enable-exception-fixup-for-specific-ade-su.patch b/queue-6.18/loongarch-enable-exception-fixup-for-specific-ade-su.patch new file mode 100644 index 0000000000..9b3c3ff3de --- /dev/null +++ b/queue-6.18/loongarch-enable-exception-fixup-for-specific-ade-su.patch @@ -0,0 +1,58 @@ +From 10b03f53b03e20a602053242c21b5aa293f99cc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 15:19:20 +0800 +Subject: LoongArch: Enable exception fixup for specific ADE subcode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenghao Duan + +[ Upstream commit 9bdc1ab5e4ce6f066119018d8f69631a46f9c5a0 ] + +This patch allows the LoongArch BPF JIT to handle recoverable memory +access errors generated by BPF_PROBE_MEM* instructions. + +When a BPF program performs memory access operations, the instructions +it executes may trigger ADEM exceptions. The kernel’s built-in BPF +exception table mechanism (EX_TYPE_BPF) will generate corresponding +exception fixup entries in the JIT compilation phase; however, the +architecture-specific trap handling function needs to proactively call +the common fixup routine to achieve exception recovery. + +do_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs, +ensure safe execution. + +Relevant test cases: illegal address access tests in module_attach and +subprogs_extable of selftests/bpf. + +Signed-off-by: Chenghao Duan +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/traps.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/loongarch/kernel/traps.c b/arch/loongarch/kernel/traps.c +index da5926fead4af..8e51ce004572c 100644 +--- a/arch/loongarch/kernel/traps.c ++++ b/arch/loongarch/kernel/traps.c +@@ -535,10 +535,15 @@ asmlinkage void noinstr do_fpe(struct pt_regs *regs, unsigned long fcsr) + asmlinkage void noinstr do_ade(struct pt_regs *regs) + { + irqentry_state_t state = irqentry_enter(regs); ++ unsigned int esubcode = FIELD_GET(CSR_ESTAT_ESUBCODE, regs->csr_estat); ++ ++ if ((esubcode == EXSUBCODE_ADEM) && fixup_exception(regs)) ++ goto out; + + die_if_kernel("Kernel ade access", regs); + force_sig_fault(SIGBUS, BUS_ADRERR, (void __user *)regs->csr_badvaddr); + ++out: + irqentry_exit(regs, state); + } + +-- +2.51.0 + diff --git a/queue-6.18/loongarch-set-correct-protection_map-for-vm_none-vm_.patch b/queue-6.18/loongarch-set-correct-protection_map-for-vm_none-vm_.patch new file mode 100644 index 0000000000..26fd19d1bf --- /dev/null +++ b/queue-6.18/loongarch-set-correct-protection_map-for-vm_none-vm_.patch @@ -0,0 +1,51 @@ +From 1b47cf8556b15cef87d1008d96119ae9371fc8fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 15:19:10 +0800 +Subject: LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED + +From: Huacai Chen + +[ Upstream commit d5be446948b379f1d1a8e7bc6656d13f44c5c7b1 ] + +For 32BIT platform _PAGE_PROTNONE is 0, so set a VMA to be VM_NONE or +VM_SHARED will make pages non-present, then cause Oops with kernel page +fault. + +Fix it by set correct protection_map[] for VM_NONE/VM_SHARED, replacing +_PAGE_PROTNONE with _PAGE_PRESENT. + +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/mm/cache.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/loongarch/mm/cache.c b/arch/loongarch/mm/cache.c +index 6be04d36ca076..496916845ff76 100644 +--- a/arch/loongarch/mm/cache.c ++++ b/arch/loongarch/mm/cache.c +@@ -160,8 +160,8 @@ void cpu_cache_init(void) + + static const pgprot_t protection_map[16] = { + [VM_NONE] = __pgprot(_CACHE_CC | _PAGE_USER | +- _PAGE_PROTNONE | _PAGE_NO_EXEC | +- _PAGE_NO_READ), ++ _PAGE_NO_EXEC | _PAGE_NO_READ | ++ (_PAGE_PROTNONE ? : _PAGE_PRESENT)), + [VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT | + _PAGE_NO_EXEC), +@@ -180,8 +180,8 @@ static const pgprot_t protection_map[16] = { + [VM_EXEC | VM_WRITE | VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT), + [VM_SHARED] = __pgprot(_CACHE_CC | _PAGE_USER | +- _PAGE_PROTNONE | _PAGE_NO_EXEC | +- _PAGE_NO_READ), ++ _PAGE_NO_EXEC | _PAGE_NO_READ | ++ (_PAGE_PROTNONE ? : _PAGE_PRESENT)), + [VM_SHARED | VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT | + _PAGE_NO_EXEC), +-- +2.51.0 + diff --git a/queue-6.18/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch b/queue-6.18/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch new file mode 100644 index 0000000000..3028b21229 --- /dev/null +++ b/queue-6.18/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch @@ -0,0 +1,99 @@ +From f3c684d7812ddf7a2417cc7ec6ed96ad52da5d9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:43:59 +0000 +Subject: macvlan: fix error recovery in macvlan_common_newlink() + +From: Eric Dumazet + +[ Upstream commit f8db6475a83649689c087a8f52486fcc53e627e9 ] + +valis provided a nice repro to crash the kernel: + +ip link add p1 type veth peer p2 +ip link set address 00:00:00:00:00:20 dev p1 +ip link set up dev p1 +ip link set up dev p2 + +ip link add mv0 link p2 type macvlan mode source +ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 + +ping -c1 -I p1 1.2.3.4 + +He also gave a very detailed analysis: + + + +The issue is triggered when a new macvlan link is created with +MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or +MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan +port and register_netdevice() called from macvlan_common_newlink() +fails (e.g. because of the invalid link name). + +In this case macvlan_hash_add_source is called from +macvlan_change_sources() / macvlan_common_newlink(): + +This adds a reference to vlan to the port's vlan_source_hash using +macvlan_source_entry. + +vlan is a pointer to the priv data of the link that is being created. + +When register_netdevice() fails, the error is returned from +macvlan_newlink() to rtnl_newlink_create(): + + if (ops->newlink) + err = ops->newlink(dev, ¶ms, extack); + else + err = register_netdevice(dev); + if (err < 0) { + free_netdev(dev); + goto out; + } + +and free_netdev() is called, causing a kvfree() on the struct +net_device that is still referenced in the source entry attached to +the lower device's macvlan port. + +Now all packets sent on the macvlan port with a matching source mac +address will trigger a use-after-free in macvlan_forward_source(). + + + +With all that, my fix is to make sure we call macvlan_flush_sources() +regardless of @create value whenever "goto destroy_macvlan_port;" +path is taken. + +Many thanks to valis for following up on this issue. + +Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.") +Signed-off-by: Eric Dumazet +Reported-by: valis +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Cc: Boudewijn van der Heide +Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index b4df7e184791d..c509228be84d1 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1567,9 +1567,10 @@ int macvlan_common_newlink(struct net_device *dev, + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(lowerdev)) { ++ if (macvlan_port_get_rtnl(lowerdev)) { + macvlan_flush_sources(port, vlan); +- macvlan_port_destroy(port->dev); ++ if (create) ++ macvlan_port_destroy(port->dev); + } + return err; + } +-- +2.51.0 + diff --git a/queue-6.18/md-suspend-array-while-updating-raid_disks-via-sysfs.patch b/queue-6.18/md-suspend-array-while-updating-raid_disks-via-sysfs.patch new file mode 100644 index 0000000000..e1c06a1bc9 --- /dev/null +++ b/queue-6.18/md-suspend-array-while-updating-raid_disks-via-sysfs.patch @@ -0,0 +1,66 @@ +From c1c9b04901b0dd7afcbd066389a2201c126a486a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Dec 2025 18:18:16 +0800 +Subject: md: suspend array while updating raid_disks via sysfs + +From: FengWei Shih + +[ Upstream commit 2cc583653bbe050bacd1cadcc9776d39bf449740 ] + +In raid1_reshape(), freeze_array() is called before modifying the r1bio +memory pool (conf->r1bio_pool) and conf->raid_disks, and +unfreeze_array() is called after the update is completed. + +However, freeze_array() only waits until nr_sync_pending and +(nr_pending - nr_queued) of all buckets reaches zero. When an I/O error +occurs, nr_queued is increased and the corresponding r1bio is queued to +either retry_list or bio_end_io_list. As a result, freeze_array() may +unblock before these r1bios are released. + +This can lead to a situation where conf->raid_disks and the mempool have +already been updated while queued r1bios, allocated with the old +raid_disks value, are later released. Consequently, free_r1bio() may +access memory out of bounds in put_all_bios() and release r1bios of the +wrong size to the new mempool, potentially causing issues with the +mempool as well. + +Since only normal I/O might increase nr_queued while an I/O error occurs, +suspending the array avoids this issue. + +Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends +the array. Therefore, we suspend the array when updating raid_disks +via sysfs to avoid this issue too. + +Signed-off-by: FengWei Shih +Link: https://lore.kernel.org/linux-raid/20251226101816.4506-1-dannyshih@synology.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 7b1365143f58d..e04ddcb03981c 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4396,7 +4396,7 @@ raid_disks_store(struct mddev *mddev, const char *buf, size_t len) + if (err < 0) + return err; + +- err = mddev_lock(mddev); ++ err = mddev_suspend_and_lock(mddev); + if (err) + return err; + if (mddev->pers) +@@ -4421,7 +4421,7 @@ raid_disks_store(struct mddev *mddev, const char *buf, size_t len) + } else + mddev->raid_disks = n; + out_unlock: +- mddev_unlock(mddev); ++ mddev_unlock_and_resume(mddev); + return err ? err : len; + } + static struct md_sysfs_entry md_raid_disks = +-- +2.51.0 + diff --git a/queue-6.18/net-add-proper-rcu-protection-to-proc-net-ptype.patch b/queue-6.18/net-add-proper-rcu-protection-to-proc-net-ptype.patch new file mode 100644 index 0000000000..3e8b21b00e --- /dev/null +++ b/queue-6.18/net-add-proper-rcu-protection-to-proc-net-ptype.patch @@ -0,0 +1,194 @@ +From 37b29f44feb38ae53283c06882602dbd7013752b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 20:52:17 +0000 +Subject: net: add proper RCU protection to /proc/net/ptype + +From: Eric Dumazet + +[ Upstream commit f613e8b4afea0cd17c7168e8b00e25bc8d33175d ] + +Yin Fengwei reported an RCU stall in ptype_seq_show() and provided +a patch. + +Real issue is that ptype_seq_next() and ptype_seq_show() violate +RCU rules. + +ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev +to get device name without any barrier. + +At the same time, concurrent writers can remove a packet_type structure +(which is correctly freed after an RCU grace period) and clear pt->dev +without an RCU grace period. + +Define ptype_iter_state to carry a dev pointer along seq_net_private: + +struct ptype_iter_state { + struct seq_net_private p; + struct net_device *dev; // added in this patch +}; + +We need to record the device pointer in ptype_get_idx() and +ptype_seq_next() so that ptype_seq_show() is safe against +concurrent pt->dev changes. + +We also need to add full RCU protection in ptype_seq_next(). +(Missing READ_ONCE() when reading list.next values) + +Many thanks to Dong Chenchen for providing a repro. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: 1d10f8a1f40b ("net-procfs: show net devices bound packet types") +Fixes: c353e8983e0d ("net: introduce per netns packet chains") +Reported-by: Yin Fengwei +Reported-by: Dong Chenchen +Closes: https://lore.kernel.org/netdev/CANn89iKRRKPnWjJmb-_3a=sq+9h6DvTQM4DBZHT5ZRGPMzQaiA@mail.gmail.com/T/#m7b80b9fc9b9267f90e0b7aad557595f686f9c50d + +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Tested-by: Yin Fengwei +Link: https://patch.msgid.link/20260202205217.2881198-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/net-procfs.c | 50 +++++++++++++++++++++++++++++-------------- + 1 file changed, 34 insertions(+), 16 deletions(-) + +diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c +index 70e0e9a3b650c..7dbfa6109f0b8 100644 +--- a/net/core/net-procfs.c ++++ b/net/core/net-procfs.c +@@ -170,8 +170,14 @@ static const struct seq_operations softnet_seq_ops = { + .show = softnet_seq_show, + }; + ++struct ptype_iter_state { ++ struct seq_net_private p; ++ struct net_device *dev; ++}; ++ + static void *ptype_get_idx(struct seq_file *seq, loff_t pos) + { ++ struct ptype_iter_state *iter = seq->private; + struct list_head *ptype_list = NULL; + struct packet_type *pt = NULL; + struct net_device *dev; +@@ -181,12 +187,16 @@ static void *ptype_get_idx(struct seq_file *seq, loff_t pos) + for_each_netdev_rcu(seq_file_net(seq), dev) { + ptype_list = &dev->ptype_all; + list_for_each_entry_rcu(pt, ptype_list, list) { +- if (i == pos) ++ if (i == pos) { ++ iter->dev = dev; + return pt; ++ } + ++i; + } + } + ++ iter->dev = NULL; ++ + list_for_each_entry_rcu(pt, &seq_file_net(seq)->ptype_all, list) { + if (i == pos) + return pt; +@@ -218,6 +228,7 @@ static void *ptype_seq_start(struct seq_file *seq, loff_t *pos) + + static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { ++ struct ptype_iter_state *iter = seq->private; + struct net *net = seq_file_net(seq); + struct net_device *dev; + struct packet_type *pt; +@@ -229,19 +240,21 @@ static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos) + return ptype_get_idx(seq, 0); + + pt = v; +- nxt = pt->list.next; +- if (pt->dev) { +- if (nxt != &pt->dev->ptype_all) ++ nxt = READ_ONCE(pt->list.next); ++ dev = iter->dev; ++ if (dev) { ++ if (nxt != &dev->ptype_all) + goto found; + +- dev = pt->dev; + for_each_netdev_continue_rcu(seq_file_net(seq), dev) { +- if (!list_empty(&dev->ptype_all)) { +- nxt = dev->ptype_all.next; ++ nxt = READ_ONCE(dev->ptype_all.next); ++ if (nxt != &dev->ptype_all) { ++ iter->dev = dev; + goto found; + } + } +- nxt = net->ptype_all.next; ++ iter->dev = NULL; ++ nxt = READ_ONCE(net->ptype_all.next); + goto net_ptype_all; + } + +@@ -252,20 +265,20 @@ static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos) + + if (nxt == &net->ptype_all) { + /* continue with ->ptype_specific if it's not empty */ +- nxt = net->ptype_specific.next; ++ nxt = READ_ONCE(net->ptype_specific.next); + if (nxt != &net->ptype_specific) + goto found; + } + + hash = 0; +- nxt = ptype_base[0].next; ++ nxt = READ_ONCE(ptype_base[0].next); + } else + hash = ntohs(pt->type) & PTYPE_HASH_MASK; + + while (nxt == &ptype_base[hash]) { + if (++hash >= PTYPE_HASH_SIZE) + return NULL; +- nxt = ptype_base[hash].next; ++ nxt = READ_ONCE(ptype_base[hash].next); + } + found: + return list_entry(nxt, struct packet_type, list); +@@ -279,19 +292,24 @@ static void ptype_seq_stop(struct seq_file *seq, void *v) + + static int ptype_seq_show(struct seq_file *seq, void *v) + { ++ struct ptype_iter_state *iter = seq->private; + struct packet_type *pt = v; ++ struct net_device *dev; + +- if (v == SEQ_START_TOKEN) ++ if (v == SEQ_START_TOKEN) { + seq_puts(seq, "Type Device Function\n"); +- else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) && +- (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) { ++ return 0; ++ } ++ dev = iter->dev; ++ if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) && ++ (!dev || net_eq(dev_net(dev), seq_file_net(seq)))) { + if (pt->type == htons(ETH_P_ALL)) + seq_puts(seq, "ALL "); + else + seq_printf(seq, "%04x", ntohs(pt->type)); + + seq_printf(seq, " %-8s %ps\n", +- pt->dev ? pt->dev->name : "", pt->func); ++ dev ? dev->name : "", pt->func); + } + + return 0; +@@ -315,7 +333,7 @@ static int __net_init dev_proc_net_init(struct net *net) + &softnet_seq_ops)) + goto out_dev; + if (!proc_create_net("ptype", 0444, net->proc_net, &ptype_seq_ops, +- sizeof(struct seq_net_private))) ++ sizeof(struct ptype_iter_state))) + goto out_softnet; + + if (wext_proc_init(net)) +-- +2.51.0 + diff --git a/queue-6.18/net-add-skb_header_pointer_careful-helper.patch b/queue-6.18/net-add-skb_header_pointer_careful-helper.patch new file mode 100644 index 0000000000..5a0a4ff808 --- /dev/null +++ b/queue-6.18/net-add-skb_header_pointer_careful-helper.patch @@ -0,0 +1,50 @@ +From a057619e00f7d9841ccb7ccb388cb67a28b94b00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 14:15:38 +0000 +Subject: net: add skb_header_pointer_careful() helper + +From: Eric Dumazet + +[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ] + +This variant of skb_header_pointer() should be used in contexts +where @offset argument is user-controlled and could be negative. + +Negative offsets are supported, as long as the zone starts +between skb->head and skb->data. + +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: cabd1a976375 ("net/sched: cls_u32: use skb_header_pointer_careful()") +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index a7cc3d1f4fd11..50f127451dc65 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4301,6 +4301,18 @@ skb_header_pointer(const struct sk_buff *skb, int offset, int len, void *buffer) + skb_headlen(skb), buffer); + } + ++/* Variant of skb_header_pointer() where @offset is user-controlled ++ * and potentially negative. ++ */ ++static inline void * __must_check ++skb_header_pointer_careful(const struct sk_buff *skb, int offset, ++ int len, void *buffer) ++{ ++ if (unlikely(offset < 0 && -offset > skb_headroom(skb))) ++ return NULL; ++ return skb_header_pointer(skb, offset, len, buffer); ++} ++ + static inline void * __must_check + skb_pointer_if_linear(const struct sk_buff *skb, int offset, int len) + { +-- +2.51.0 + diff --git a/queue-6.18/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch b/queue-6.18/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch new file mode 100644 index 0000000000..a763f441ca --- /dev/null +++ b/queue-6.18/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch @@ -0,0 +1,69 @@ +From c8c7038d02dfdeddafcb4882071b3c4bdaa4cd47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 19:38:27 -0800 +Subject: net: don't touch dev->stats in BPF redirect paths + +From: Jakub Kicinski + +[ Upstream commit fdf3f6800be36377e045e2448087f12132b88d2f ] + +Gal reports that BPF redirect increments dev->stats.tx_errors +on failure. This is not correct, most modern drivers completely +ignore dev->stats so these drops will be invisible to the user. +Core code should use the dedicated core stats which are folded +into device stats in dev_get_stats(). + +Note that we're switching from tx_errors to tx_dropped. +Core only has tx_dropped, hence presumably users already expect +that counter to increment for "stack" Tx issues. + +Reported-by: Gal Pressman +Link: https://lore.kernel.org/c5df3b60-246a-4030-9c9a-0a35cd1ca924@nvidia.com +Fixes: b4ab31414970 ("bpf: Add redirect_neigh helper as redirect drop-in") +Acked-by: Martin KaFai Lau +Acked-by: Daniel Borkmann +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260130033827.698841-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 6431ef3e9f7dd..88b265f6ccf89 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2289,12 +2289,12 @@ static int __bpf_redirect_neigh_v6(struct sk_buff *skb, struct net_device *dev, + + err = bpf_out_neigh_v6(net, skb, dev, nh); + if (unlikely(net_xmit_eval(err))) +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + else + ret = NET_XMIT_SUCCESS; + goto out_xmit; + out_drop: +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + kfree_skb(skb); + out_xmit: + return ret; +@@ -2396,12 +2396,12 @@ static int __bpf_redirect_neigh_v4(struct sk_buff *skb, struct net_device *dev, + + err = bpf_out_neigh_v4(net, skb, dev, nh); + if (unlikely(net_xmit_eval(err))) +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + else + ret = NET_XMIT_SUCCESS; + goto out_xmit; + out_drop: +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + kfree_skb(skb); + out_xmit: + return ret; +-- +2.51.0 + diff --git a/queue-6.18/net-enetc-convert-16-bit-register-reads-to-32-bit-fo.patch b/queue-6.18/net-enetc-convert-16-bit-register-reads-to-32-bit-fo.patch new file mode 100644 index 0000000000..cf93f1499c --- /dev/null +++ b/queue-6.18/net-enetc-convert-16-bit-register-reads-to-32-bit-fo.patch @@ -0,0 +1,82 @@ +From 37dd2cde116521dceb611b18190d64b37d86a1db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 16:10:35 +0200 +Subject: net: enetc: Convert 16-bit register reads to 32-bit for ENETC v4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Claudiu Manoil + +[ Upstream commit c28d765ec5da160d3a48d0928528084cef97bf19 ] + +It is not recommended to access the 32‑bit registers of this hardware IP +using lower‑width accessors (i.e. 16‑bit), and the only exception to +this rule was introduced in the initial ENETC v1 driver for the PMAR1 +register, which holds the lower 16 bits of the primary MAC address of +an SI. Meanwhile, this exception has been replicated in the v4 driver +code as well. + +Since LS1028 (the only SoC with ENETC v1) is not affected by this issue, +the current patch converts the 16‑bit reads from PMAR1 starting with +ENETC v4. + +Fixes: 99100d0d9922 ("net: enetc: add preliminary support for i.MX95 ENETC PF") +Signed-off-by: Claudiu Manoil +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20260130141035.272471-5-claudiu.manoil@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/freescale/enetc/enetc4_pf.c | 2 +- + drivers/net/ethernet/freescale/enetc/enetc_hw.h | 17 ++++++++++++++--- + 2 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc4_pf.c b/drivers/net/ethernet/freescale/enetc/enetc4_pf.c +index b270a01f5b718..7dbfbc6fbdcb0 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc4_pf.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc4_pf.c +@@ -63,7 +63,7 @@ static void enetc4_pf_get_si_primary_mac(struct enetc_hw *hw, int si, + u16 lower; + + upper = __raw_readl(hw->port + ENETC4_PSIPMAR0(si)); +- lower = __raw_readw(hw->port + ENETC4_PSIPMAR1(si)); ++ lower = __raw_readl(hw->port + ENETC4_PSIPMAR1(si)); + + put_unaligned_le32(upper, addr); + put_unaligned_le16(lower, addr + 4); +diff --git a/drivers/net/ethernet/freescale/enetc/enetc_hw.h b/drivers/net/ethernet/freescale/enetc/enetc_hw.h +index 377c963258147..d382220ef2f0d 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc_hw.h ++++ b/drivers/net/ethernet/freescale/enetc/enetc_hw.h +@@ -707,13 +707,24 @@ struct enetc_cmd_rfse { + #define ENETC_RFSE_EN BIT(15) + #define ENETC_RFSE_MODE_BD 2 + ++static inline void enetc_get_primary_mac_addr(struct enetc_hw *hw, u8 *addr) ++{ ++ u32 upper; ++ u16 lower; ++ ++ upper = __raw_readl(hw->reg + ENETC_SIPMAR0); ++ lower = __raw_readl(hw->reg + ENETC_SIPMAR1); ++ ++ put_unaligned_le32(upper, addr); ++ put_unaligned_le16(lower, addr + 4); ++} ++ + static inline void enetc_load_primary_mac_addr(struct enetc_hw *hw, + struct net_device *ndev) + { +- u8 addr[ETH_ALEN] __aligned(4); ++ u8 addr[ETH_ALEN]; + +- *(u32 *)addr = __raw_readl(hw->reg + ENETC_SIPMAR0); +- *(u16 *)(addr + 4) = __raw_readw(hw->reg + ENETC_SIPMAR1); ++ enetc_get_primary_mac_addr(hw, addr); + eth_hw_addr_set(ndev, addr); + } + +-- +2.51.0 + diff --git a/queue-6.18/net-enetc-convert-16-bit-register-writes-to-32-bit-f.patch b/queue-6.18/net-enetc-convert-16-bit-register-writes-to-32-bit-f.patch new file mode 100644 index 0000000000..ac273c943c --- /dev/null +++ b/queue-6.18/net-enetc-convert-16-bit-register-writes-to-32-bit-f.patch @@ -0,0 +1,55 @@ +From b9b912c0d4775965ec272db727bcc3d6f3234435 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 16:10:34 +0200 +Subject: net: enetc: Convert 16-bit register writes to 32-bit for ENETC v4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Claudiu Manoil + +[ Upstream commit 21d0fc95b5920ae8e69a2c0394bef82b8392bcc9 ] + +For ENETC v4, which is integrated into more complex SoCs (compared to v1), +16‑bit register writes are blocked in the SoC interconnect on some chips. + +To be fair, it is not recommended to access 32‑bit registers of this IP +using lower‑width accessors (i.e. 16‑bit), and the only exception to +this rule was introduced by me in the initial ENETC v1 driver for the +PMAR1 register, which holds the lower 16 bits of the primary MAC address +of an SI. Meanwhile, this exception has been replicated for v4 as well. + +Since LS1028 (the only SoC with ENETC v1) is not affected by this issue, +the current patch fixes the 16‑bit writes to PMAR1 starting with ENETC +v4. + +Fixes: 99100d0d9922 ("net: enetc: add preliminary support for i.MX95 ENETC PF") +Signed-off-by: Claudiu Manoil +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20260130141035.272471-4-claudiu.manoil@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc4_pf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc4_pf.c b/drivers/net/ethernet/freescale/enetc/enetc4_pf.c +index 82c443b28b154..b270a01f5b718 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc4_pf.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc4_pf.c +@@ -49,10 +49,10 @@ static void enetc4_pf_set_si_primary_mac(struct enetc_hw *hw, int si, + + if (si != 0) { + __raw_writel(upper, hw->port + ENETC4_PSIPMAR0(si)); +- __raw_writew(lower, hw->port + ENETC4_PSIPMAR1(si)); ++ __raw_writel(lower, hw->port + ENETC4_PSIPMAR1(si)); + } else { + __raw_writel(upper, hw->port + ENETC4_PMAR0); +- __raw_writew(lower, hw->port + ENETC4_PMAR1); ++ __raw_writel(lower, hw->port + ENETC4_PMAR1); + } + } + +-- +2.51.0 + diff --git a/queue-6.18/net-enetc-remove-cbdr-cacheability-axi-settings-for-.patch b/queue-6.18/net-enetc-remove-cbdr-cacheability-axi-settings-for-.patch new file mode 100644 index 0000000000..c5d5814e18 --- /dev/null +++ b/queue-6.18/net-enetc-remove-cbdr-cacheability-axi-settings-for-.patch @@ -0,0 +1,45 @@ +From 7a9dd34ca45e4031f2ff9788d7e18dff9f485039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 16:10:33 +0200 +Subject: net: enetc: Remove CBDR cacheability AXI settings for ENETC v4 + +From: Claudiu Manoil + +[ Upstream commit 9ae13b2e64fcd2ca00a76b7d60fc4641a6b9209d ] + +For ENETC v4 these settings are controlled by the global ENETC +command cache attribute registers (EnCAR), from the IERB register +block. + +The hardcoded CDBR cacheability settings were inherited from LS1028A, +and should be removed from the ENETC v4 driver as they conflict +with the global IERB settings. + +Fixes: e3f4a0a8ddb4 ("net: enetc: add command BD ring support for i.MX95 ENETC") +Signed-off-by: Claudiu Manoil +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20260130141035.272471-3-claudiu.manoil@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc_cbdr.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc_cbdr.c b/drivers/net/ethernet/freescale/enetc/enetc_cbdr.c +index 3d5f31879d5c6..a635bfdc30afc 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc_cbdr.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_cbdr.c +@@ -74,10 +74,6 @@ int enetc4_setup_cbdr(struct enetc_si *si) + if (!user->ring) + return -ENOMEM; + +- /* set CBDR cache attributes */ +- enetc_wr(hw, ENETC_SICAR2, +- ENETC_SICAR_RD_COHERENT | ENETC_SICAR_WR_COHERENT); +- + regs.pir = hw->reg + ENETC_SICBDRPIR; + regs.cir = hw->reg + ENETC_SICBDRCIR; + regs.mr = hw->reg + ENETC_SICBDRMR; +-- +2.51.0 + diff --git a/queue-6.18/net-enetc-remove-si-bdr-cacheability-axi-settings-fo.patch b/queue-6.18/net-enetc-remove-si-bdr-cacheability-axi-settings-fo.patch new file mode 100644 index 0000000000..2f7ff9c996 --- /dev/null +++ b/queue-6.18/net-enetc-remove-si-bdr-cacheability-axi-settings-fo.patch @@ -0,0 +1,52 @@ +From 3db5796380457a47c59d917ccdc92bf7b03deec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 16:10:32 +0200 +Subject: net: enetc: Remove SI/BDR cacheability AXI settings for ENETC v4 + +From: Claudiu Manoil + +[ Upstream commit a69c17230cab07bd156f894fdc82bd78b43ea72f ] + +For ENETC v4 these settings are controlled by the global ENETC +message and buffer cache attribute registers (EnBCAR and EnMCAR), +from the IERB register block. + +The hardcoded cacheability settings were inherited from LS1028A, +and should be removed from the ENETC v4 driver as they conflict +with the global IERB settings. + +Fixes: 99100d0d9922 ("net: enetc: add preliminary support for i.MX95 ENETC PF") +Signed-off-by: Claudiu Manoil +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20260130141035.272471-2-claudiu.manoil@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/enetc.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c +index f410c245ea918..b6e3fb0401619 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc.c +@@ -2503,10 +2503,13 @@ int enetc_configure_si(struct enetc_ndev_priv *priv) + struct enetc_hw *hw = &si->hw; + int err; + +- /* set SI cache attributes */ +- enetc_wr(hw, ENETC_SICAR0, +- ENETC_SICAR_RD_COHERENT | ENETC_SICAR_WR_COHERENT); +- enetc_wr(hw, ENETC_SICAR1, ENETC_SICAR_MSI); ++ if (is_enetc_rev1(si)) { ++ /* set SI cache attributes */ ++ enetc_wr(hw, ENETC_SICAR0, ++ ENETC_SICAR_RD_COHERENT | ENETC_SICAR_WR_COHERENT); ++ enetc_wr(hw, ENETC_SICAR1, ENETC_SICAR_MSI); ++ } ++ + /* enable SI */ + enetc_wr(hw, ENETC_SIMR, ENETC_SIMR_EN); + +-- +2.51.0 + diff --git a/queue-6.18/net-ethernet-adi-adin1110-check-return-value-of-devm.patch b/queue-6.18/net-ethernet-adi-adin1110-check-return-value-of-devm.patch new file mode 100644 index 0000000000..6c5581a20b --- /dev/null +++ b/queue-6.18/net-ethernet-adi-adin1110-check-return-value-of-devm.patch @@ -0,0 +1,48 @@ +From da99ba3c423a36d039d37a627df62f8844021ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 12:02:28 +0800 +Subject: net: ethernet: adi: adin1110: Check return value of + devm_gpiod_get_optional() in adin1110_check_spi() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ni + +[ Upstream commit 78211543d2e44f84093049b4ef5f5bfa535f4645 ] + +The devm_gpiod_get_optional() function may return an ERR_PTR in case of +genuine GPIO acquisition errors, not just NULL which indicates the +legitimate absence of an optional GPIO. + +Add an IS_ERR() check after the call in adin1110_check_spi(). On error, +return the error code to ensure proper failure handling rather than +proceeding with invalid pointers. + +Fixes: 36934cac7aaf ("net: ethernet: adi: adin1110: add reset GPIO") +Signed-off-by: Chen Ni +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20260202040228.4129097-1-nichen@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/adin1110.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c +index 30f9d271e5953..71a2397edf2bb 100644 +--- a/drivers/net/ethernet/adi/adin1110.c ++++ b/drivers/net/ethernet/adi/adin1110.c +@@ -1089,6 +1089,9 @@ static int adin1110_check_spi(struct adin1110_priv *priv) + + reset_gpio = devm_gpiod_get_optional(&priv->spidev->dev, "reset", + GPIOD_OUT_LOW); ++ if (IS_ERR(reset_gpio)) ++ return dev_err_probe(&priv->spidev->dev, PTR_ERR(reset_gpio), ++ "failed to get reset gpio\n"); + if (reset_gpio) { + /* MISO pin is used for internal configuration, can't have + * anyone else disturbing the SDO line. +-- +2.51.0 + diff --git a/queue-6.18/net-gro-fix-outer-network-offset.patch b/queue-6.18/net-gro-fix-outer-network-offset.patch new file mode 100644 index 0000000000..d4dce1610c --- /dev/null +++ b/queue-6.18/net-gro-fix-outer-network-offset.patch @@ -0,0 +1,52 @@ +From 8addeeaf22d2aa092864a5f412dfdee07db55c2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 12:43:14 +0100 +Subject: net: gro: fix outer network offset + +From: Paolo Abeni + +[ Upstream commit 5c2c3c38be396257a6a2e55bd601a12bb9781507 ] + +The udp GRO complete stage assumes that all the packets inserted the RX +have the `encapsulation` flag zeroed. Such assumption is not true, as a +few H/W NICs can set such flag when H/W offloading the checksum for +an UDP encapsulated traffic, the tun driver can inject GSO packets with +UDP encapsulation and the problematic layout can also be created via +a veth based setup. + +Due to the above, in the problematic scenarios, udp4_gro_complete() uses +the wrong network offset (inner instead of outer) to compute the outer +UDP header pseudo checksum, leading to csum validation errors later on +in packet processing. + +Address the issue always clearing the encapsulation flag at GRO completion +time. Such flag will be set again as needed for encapsulated packets by +udp_gro_complete(). + +Fixes: 5ef31ea5d053 ("net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb") +Reviewed-by: Willem de Bruijn +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/562638dbebb3b15424220e26a180274b387e2a88.1770032084.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/gro.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/gro.c b/net/core/gro.c +index 76f9c37124221..482fa7d7f5981 100644 +--- a/net/core/gro.c ++++ b/net/core/gro.c +@@ -265,6 +265,8 @@ static void gro_complete(struct gro_node *gro, struct sk_buff *skb) + goto out; + } + ++ /* NICs can feed encapsulated packets into GRO */ ++ skb->encapsulation = 0; + rcu_read_lock(); + list_for_each_entry_rcu(ptype, head, list) { + if (ptype->type != type || !ptype->callbacks.gro_complete) +-- +2.51.0 + diff --git a/queue-6.18/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch b/queue-6.18/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch new file mode 100644 index 0000000000..e1a0ef3637 --- /dev/null +++ b/queue-6.18/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch @@ -0,0 +1,61 @@ +From 3f15707ad2f0d4941251fa7d89abca95da3c423b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:39 +0000 +Subject: net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 8558aef4e8a1a83049ab906d21d391093cfa7e7f ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Also, decrement i in the devlink_alloc failure path to point to the +last successfully allocated index. + +Compile tested only. Issue found using code review. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-3-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index 925512c077a0c..eb620e8544cf1 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3760,6 +3760,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + if (!devlink) { + device_unlock(&octeon_dev->pci_dev->dev); + dev_err(&octeon_dev->pci_dev->dev, "devlink alloc failed\n"); ++ i--; + goto setup_nic_dev_free; + } + +@@ -3775,11 +3776,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-6.18/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch b/queue-6.18/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch new file mode 100644 index 0000000000..c2f02ab18c --- /dev/null +++ b/queue-6.18/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch @@ -0,0 +1,50 @@ +From 81af510a17e03cd73e3a6bc91418b63ed4b3b2c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:40 +0000 +Subject: net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 6cbba46934aefdfb5d171e0a95aec06c24f7ca30 ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Compile tested only. Issue found using code review. + +Fixes: 846b46873eeb ("liquidio CN23XX: VF offload features") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-4-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +index 3230dff5ba056..5c177146b35b1 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +@@ -2222,11 +2222,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-6.18/net-liquidio-initialize-netdev-pointer-before-queue-.patch b/queue-6.18/net-liquidio-initialize-netdev-pointer-before-queue-.patch new file mode 100644 index 0000000000..aecd0bb524 --- /dev/null +++ b/queue-6.18/net-liquidio-initialize-netdev-pointer-before-queue-.patch @@ -0,0 +1,98 @@ +From becc3ffbdbbb53da6b7e00dd9a20a141f14d7b30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:38 +0000 +Subject: net: liquidio: Initialize netdev pointer before queue setup + +From: Zilin Guan + +[ Upstream commit 926ede0c85e1e57c97d64d9612455267d597bb2c ] + +In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq(). +However, the pointer to this structure is stored in oct->props[i].netdev +only after the calls to netif_set_real_num_rx_queues() and +netif_set_real_num_tx_queues(). + +If either of these functions fails, setup_nic_devices() returns an error +without freeing the allocated netdev. Since oct->props[i].netdev is still +NULL at this point, the cleanup function liquidio_destroy_nic_device() +will fail to find and free the netdev, resulting in a memory leak. + +Fix this by initializing oct->props[i].netdev before calling the queue +setup functions. This ensures that the netdev is properly accessible for +cleanup in case of errors. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: c33c997346c3 ("liquidio: enhanced ethtool --set-channels feature") +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-2-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/liquidio/lio_main.c | 34 +++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index 8e2fcec26ea13..925512c077a0c 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3515,6 +3515,23 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + */ + netdev->netdev_ops = &lionetdevops; + ++ lio = GET_LIO(netdev); ++ ++ memset(lio, 0, sizeof(struct lio)); ++ ++ lio->ifidx = ifidx_or_pfnum; ++ ++ props = &octeon_dev->props[i]; ++ props->gmxport = resp->cfg_info.linfo.gmxport; ++ props->netdev = netdev; ++ ++ /* Point to the properties for octeon device to which this ++ * interface belongs. ++ */ ++ lio->oct_dev = octeon_dev; ++ lio->octprops = props; ++ lio->netdev = netdev; ++ + retval = netif_set_real_num_rx_queues(netdev, num_oqueues); + if (retval) { + dev_err(&octeon_dev->pci_dev->dev, +@@ -3531,16 +3548,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + goto setup_nic_dev_free; + } + +- lio = GET_LIO(netdev); +- +- memset(lio, 0, sizeof(struct lio)); +- +- lio->ifidx = ifidx_or_pfnum; +- +- props = &octeon_dev->props[i]; +- props->gmxport = resp->cfg_info.linfo.gmxport; +- props->netdev = netdev; +- + lio->linfo.num_rxpciq = num_oqueues; + lio->linfo.num_txpciq = num_iqueues; + for (j = 0; j < num_oqueues; j++) { +@@ -3606,13 +3613,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + netdev->min_mtu = LIO_MIN_MTU_SIZE; + netdev->max_mtu = LIO_MAX_MTU_SIZE; + +- /* Point to the properties for octeon device to which this +- * interface belongs. +- */ +- lio->oct_dev = octeon_dev; +- lio->octprops = props; +- lio->netdev = netdev; +- + dev_dbg(&octeon_dev->pci_dev->dev, + "if%d gmx: %d hw_addr: 0x%llx\n", i, + lio->linfo.gmxport, CVM_CAST64(lio->linfo.hw_addr)); +-- +2.51.0 + diff --git a/queue-6.18/net-rss-fix-reporting-rxh_xfrm_no_change-as-input_xf.patch b/queue-6.18/net-rss-fix-reporting-rxh_xfrm_no_change-as-input_xf.patch new file mode 100644 index 0000000000..25e9850770 --- /dev/null +++ b/queue-6.18/net-rss-fix-reporting-rxh_xfrm_no_change-as-input_xf.patch @@ -0,0 +1,88 @@ +From 6b17be6cb3e094cc50e1242c0379595ce8b2e278 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jan 2026 11:03:11 -0800 +Subject: net: rss: fix reporting RXH_XFRM_NO_CHANGE as input_xfrm for contexts + +From: Jakub Kicinski + +[ Upstream commit 1c172febdf065375359b2b95156e476bfee30b60 ] + +Initializing input_xfrm to RXH_XFRM_NO_CHANGE in RSS contexts is +problematic. I think I did this to make it clear that the context +does not have its own settings applied. But unlike ETH_RSS_HASH_NO_CHANGE +which is zero, RXH_XFRM_NO_CHANGE is 0xff. We need to be careful +when reading the value back, and remember to treat 0xff as 0. + +Remove the initialization and switch to storing 0. This lets us +also remove the workaround in ethnl_rss_set(). Get side does not +need any adjustments and context get no longer reports: + + RSS input transformation: + symmetric-xor: on + symmetric-or-xor: on + Unknown bits in RSS input transformation: 0xfc + +for NICs which don't support input_xfrm. + +Remove the init of hfunc to ETH_RSS_HASH_NO_CHANGE while at it. +As already mentioned this is a noop since ETH_RSS_HASH_NO_CHANGE +is 0 and struct is zalloc'd. But as this fix exemplifies storing +NO_CHANGE as state is fragile. + +This issue is implicitly caught by running our selftests because +YNL in selftests errors out on unknown bits. + +Fixes: d3e2c7bab124 ("ethtool: rss: support setting input-xfrm via Netlink") +Link: https://patch.msgid.link/20260130190311.811129-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ethtool/common.c | 3 --- + net/ethtool/rss.c | 9 ++------- + 2 files changed, 2 insertions(+), 10 deletions(-) + +diff --git a/net/ethtool/common.c b/net/ethtool/common.c +index 55223ebc2a7e6..146c7eaedc5ac 100644 +--- a/net/ethtool/common.c ++++ b/net/ethtool/common.c +@@ -854,9 +854,6 @@ ethtool_rxfh_ctx_alloc(const struct ethtool_ops *ops, + ctx->key_off = key_off; + ctx->priv_size = ops->rxfh_priv_size; + +- ctx->hfunc = ETH_RSS_HASH_NO_CHANGE; +- ctx->input_xfrm = RXH_XFRM_NO_CHANGE; +- + return ctx; + } + +diff --git a/net/ethtool/rss.c b/net/ethtool/rss.c +index 4dced53be4b3b..da5934cceb075 100644 +--- a/net/ethtool/rss.c ++++ b/net/ethtool/rss.c +@@ -824,8 +824,8 @@ rss_set_ctx_update(struct ethtool_rxfh_context *ctx, struct nlattr **tb, + static int + ethnl_rss_set(struct ethnl_req_info *req_info, struct genl_info *info) + { +- bool indir_reset = false, indir_mod, xfrm_sym = false; + struct rss_req_info *request = RSS_REQINFO(req_info); ++ bool indir_reset = false, indir_mod, xfrm_sym; + struct ethtool_rxfh_context *ctx = NULL; + struct net_device *dev = req_info->dev; + bool mod = false, fields_mod = false; +@@ -860,12 +860,7 @@ ethnl_rss_set(struct ethnl_req_info *req_info, struct genl_info *info) + + rxfh.input_xfrm = data.input_xfrm; + ethnl_update_u8(&rxfh.input_xfrm, tb[ETHTOOL_A_RSS_INPUT_XFRM], &mod); +- /* For drivers which don't support input_xfrm it will be set to 0xff +- * in the RSS context info. In all other case input_xfrm != 0 means +- * symmetric hashing is requested. +- */ +- if (!request->rss_context || ops->rxfh_per_ctx_key) +- xfrm_sym = rxfh.input_xfrm || data.input_xfrm; ++ xfrm_sym = rxfh.input_xfrm || data.input_xfrm; + if (rxfh.input_xfrm == data.input_xfrm) + rxfh.input_xfrm = RXH_XFRM_NO_CHANGE; + +-- +2.51.0 + diff --git a/queue-6.18/net-sched-cls_u32-use-skb_header_pointer_careful.patch b/queue-6.18/net-sched-cls_u32-use-skb_header_pointer_careful.patch new file mode 100644 index 0000000000..1d7bb290c4 --- /dev/null +++ b/queue-6.18/net-sched-cls_u32-use-skb_header_pointer_careful.patch @@ -0,0 +1,70 @@ +From 31c98b49e9a21bcafe1820bfbb29148e3960317c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 14:15:39 +0000 +Subject: net/sched: cls_u32: use skb_header_pointer_careful() + +From: Eric Dumazet + +[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ] + +skb_header_pointer() does not fully validate negative @offset values. + +Use skb_header_pointer_careful() instead. + +GangMin Kim provided a report and a repro fooling u32_classify(): + +BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 +net/sched/cls_u32.c:221 + +Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely") +Reported-by: GangMin Kim +Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/ +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 2a1c00048fd6f..58e849c0acf41 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -161,10 +161,8 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + int toff = off + key->off + (off2 & key->offmask); + __be32 *data, hdata; + +- if (skb_headroom(skb) + toff > INT_MAX) +- goto out; +- +- data = skb_header_pointer(skb, toff, 4, &hdata); ++ data = skb_header_pointer_careful(skb, toff, 4, ++ &hdata); + if (!data) + goto out; + if ((*data ^ key->val) & key->mask) { +@@ -214,8 +212,9 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + if (ht->divisor) { + __be32 *data, hdata; + +- data = skb_header_pointer(skb, off + n->sel.hoff, 4, +- &hdata); ++ data = skb_header_pointer_careful(skb, ++ off + n->sel.hoff, ++ 4, &hdata); + if (!data) + goto out; + sel = ht->divisor & u32_hash_fold(*data, &n->sel, +@@ -229,7 +228,7 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + if (n->sel.flags & TC_U32_VAROFFSET) { + __be16 *data, hdata; + +- data = skb_header_pointer(skb, ++ data = skb_header_pointer_careful(skb, + off + n->sel.offoff, + 2, &hdata); + if (!data) +-- +2.51.0 + diff --git a/queue-6.18/net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch b/queue-6.18/net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch new file mode 100644 index 0000000000..2736a6255e --- /dev/null +++ b/queue-6.18/net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch @@ -0,0 +1,55 @@ +From e59317325022c409075448f9f76c8e82875dd6ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 09:22:27 +0100 +Subject: net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit adcbadfd8e05d3558c9cfaa783f17c645181165f ] + +Commit fd580c9830316eda ("net: sfp: augment SFP parsing with +phy_interface_t bitmap") did not add augumentation for the interface +bitmap in the quirk for Ubiquiti U-Fiber Instant. + +The subsequent commit f81fa96d8a6c7a77 ("net: phylink: use +phy_interface_t bitmaps for optical modules") then changed phylink code +for selection of SFP interface: instead of using link mode bitmap, the +interface bitmap is used, and the fastest interface mode supported by +both SFP module and MAC is chosen. + +Since the interface bitmap contains also modes faster than 1000base-x, +this caused a regression wherein this module stopped working +out-of-the-box. + +Fix this. + +Fixes: fd580c9830316eda ("net: sfp: augment SFP parsing with phy_interface_t bitmap") +Signed-off-by: Marek Behún +Reviewed-by: Maxime Chevallier +Reviewed-by: Russell King (Oracle) +Link: https://patch.msgid.link/20260129082227.17443-1-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 47f095bd91cea..3e023723887c4 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -479,6 +479,8 @@ static void sfp_quirk_ubnt_uf_instant(const struct sfp_eeprom_id *id, + linkmode_zero(caps->link_modes); + linkmode_set_bit(ETHTOOL_LINK_MODE_1000baseX_Full_BIT, + caps->link_modes); ++ phy_interface_zero(caps->interfaces); ++ __set_bit(PHY_INTERFACE_MODE_1000BASEX, caps->interfaces); + } + + #define SFP_QUIRK(_v, _p, _s, _f) \ +-- +2.51.0 + diff --git a/queue-6.18/net-usb-r8152-fix-resume-reset-deadlock.patch b/queue-6.18/net-usb-r8152-fix-resume-reset-deadlock.patch new file mode 100644 index 0000000000..bd6fbaa8c6 --- /dev/null +++ b/queue-6.18/net-usb-r8152-fix-resume-reset-deadlock.patch @@ -0,0 +1,107 @@ +From 6b9a9e79add76c44532a1e5005a450efe964a73a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 12:10:30 +0900 +Subject: net: usb: r8152: fix resume reset deadlock + +From: Sergey Senozhatsky + +[ Upstream commit 6d06bc83a5ae8777a5f7a81c32dd75b8d9b2fe04 ] + +rtl8152 can trigger device reset during reset which +potentially can result in a deadlock: + + **** DPM device timeout after 10 seconds; 15 seconds until panic **** + Call Trace: + + schedule+0x483/0x1370 + schedule_preempt_disabled+0x15/0x30 + __mutex_lock_common+0x1fd/0x470 + __rtl8152_set_mac_address+0x80/0x1f0 + dev_set_mac_address+0x7f/0x150 + rtl8152_post_reset+0x72/0x150 + usb_reset_device+0x1d0/0x220 + rtl8152_resume+0x99/0xc0 + usb_resume_interface+0x3e/0xc0 + usb_resume_both+0x104/0x150 + usb_resume+0x22/0x110 + +The problem is that rtl8152 resume calls reset under +tp->control mutex while reset basically re-enters rtl8152 +and attempts to acquire the same tp->control lock once +again. + +Reset INACCESSIBLE device outside of tp->control mutex +scope to avoid recursive mutex_lock() deadlock. + +Fixes: 4933b066fefb ("r8152: If inaccessible at resume time, issue a reset") +Reviewed-by: Douglas Anderson +Signed-off-by: Sergey Senozhatsky +Link: https://patch.msgid.link/20260129031106.3805887-1-senozhatsky@chromium.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index a22d4bb2cf3b5..6a43054d5171f 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -8535,19 +8535,6 @@ static int rtl8152_system_resume(struct r8152 *tp) + usb_submit_urb(tp->intr_urb, GFP_NOIO); + } + +- /* If the device is RTL8152_INACCESSIBLE here then we should do a +- * reset. This is important because the usb_lock_device_for_reset() +- * that happens as a result of usb_queue_reset_device() will silently +- * fail if the device was suspended or if too much time passed. +- * +- * NOTE: The device is locked here so we can directly do the reset. +- * We don't need usb_lock_device_for_reset() because that's just a +- * wrapper over device_lock() and device_resume() (which calls us) +- * does that for us. +- */ +- if (test_bit(RTL8152_INACCESSIBLE, &tp->flags)) +- usb_reset_device(tp->udev); +- + return 0; + } + +@@ -8658,19 +8645,33 @@ static int rtl8152_suspend(struct usb_interface *intf, pm_message_t message) + static int rtl8152_resume(struct usb_interface *intf) + { + struct r8152 *tp = usb_get_intfdata(intf); ++ bool runtime_resume = test_bit(SELECTIVE_SUSPEND, &tp->flags); + int ret; + + mutex_lock(&tp->control); + + rtl_reset_ocp_base(tp); + +- if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) ++ if (runtime_resume) + ret = rtl8152_runtime_resume(tp); + else + ret = rtl8152_system_resume(tp); + + mutex_unlock(&tp->control); + ++ /* If the device is RTL8152_INACCESSIBLE here then we should do a ++ * reset. This is important because the usb_lock_device_for_reset() ++ * that happens as a result of usb_queue_reset_device() will silently ++ * fail if the device was suspended or if too much time passed. ++ * ++ * NOTE: The device is locked here so we can directly do the reset. ++ * We don't need usb_lock_device_for_reset() because that's just a ++ * wrapper over device_lock() and device_resume() (which calls us) ++ * does that for us. ++ */ ++ if (!runtime_resume && test_bit(RTL8152_INACCESSIBLE, &tp->flags)) ++ usb_reset_device(tp->udev); ++ + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.18/net-usb-sr9700-support-devices-with-virtual-driver-c.patch b/queue-6.18/net-usb-sr9700-support-devices-with-virtual-driver-c.patch new file mode 100644 index 0000000000..4b1d3d500b --- /dev/null +++ b/queue-6.18/net-usb-sr9700-support-devices-with-virtual-driver-c.patch @@ -0,0 +1,44 @@ +From 2b46f8df55ef2966368db96749d64b46707fb489 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 22:24:51 -0800 +Subject: net: usb: sr9700: support devices with virtual driver CD + +From: Ethan Nelson-Moore + +[ Upstream commit bf4172bd870c3a34d3065cbb39192c22cbd7b18d ] + +Some SR9700 devices have an SPI flash chip containing a virtual driver +CD, in which case they appear as a device with two interfaces and +product ID 0x9702. Interface 0 is the driver CD and interface 1 is the +Ethernet device. + +Link: https://github.com/name-kurniawan/usb-lan +Link: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=2185 +Signed-off-by: Ethan Nelson-Moore +Link: https://patch.msgid.link/20251211062451.139036-1-enelsonmoore@gmail.com +[pabeni@redhat.com: fixes link tags] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 5d97e95a17b0d..820c4c5069792 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -539,6 +539,11 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x9700), /* SR9700 device */ + .driver_info = (unsigned long)&sr9700_driver_info, + }, ++ { ++ /* SR9700 with virtual driver CD-ROM - interface 0 is the CD-ROM device */ ++ USB_DEVICE_INTERFACE_NUMBER(0x0fe6, 0x9702, 1), ++ .driver_info = (unsigned long)&sr9700_driver_info, ++ }, + {}, /* END */ + }; + +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch b/queue-6.18/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch new file mode 100644 index 0000000000..ae54fe032c --- /dev/null +++ b/queue-6.18/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch @@ -0,0 +1,72 @@ +From 16f19389de5e2dfbae803afac953b5e100f600cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 17:46:58 +0100 +Subject: netfilter: nf_tables: fix inverted genmask check in + nft_map_catchall_activate() + +From: Andrew Fasano + +[ Upstream commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 ] + +nft_map_catchall_activate() has an inverted element activity check +compared to its non-catchall counterpart nft_mapelem_activate() and +compared to what is logically required. + +nft_map_catchall_activate() is called from the abort path to re-activate +catchall map elements that were deactivated during a failed transaction. +It should skip elements that are already active (they don't need +re-activation) and process elements that are inactive (they need to be +restored). Instead, the current code does the opposite: it skips inactive +elements and processes active ones. + +Compare the non-catchall activate callback, which is correct: + + nft_mapelem_activate(): + if (nft_set_elem_active(ext, iter->genmask)) + return 0; /* skip active, process inactive */ + +With the buggy catchall version: + + nft_map_catchall_activate(): + if (!nft_set_elem_active(ext, genmask)) + continue; /* skip inactive, process active */ + +The consequence is that when a DELSET operation is aborted, +nft_setelem_data_activate() is never called for the catchall element. +For NFT_GOTO verdict elements, this means nft_data_hold() is never +called to restore the chain->use reference count. Each abort cycle +permanently decrements chain->use. Once chain->use reaches zero, +DELCHAIN succeeds and frees the chain while catchall verdict elements +still reference it, resulting in a use-after-free. + +This is exploitable for local privilege escalation from an unprivileged +user via user namespaces + nftables on distributions that enable +CONFIG_USER_NS and CONFIG_NF_TABLES. + +Fix by removing the negation so the check matches nft_mapelem_activate(): +skip active elements, process inactive ones. + +Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") +Signed-off-by: Andrew Fasano +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 3cbf2573b9e90..6059a299004d4 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5917,7 +5917,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, + + list_for_each_entry(catchall, &set->catchall_list, list) { + ext = nft_set_elem_ext(set, catchall->elem); +- if (!nft_set_elem_active(ext, genmask)) ++ if (nft_set_elem_active(ext, genmask)) + continue; + + nft_clear(ctx->net, ext); +-- +2.51.0 + diff --git a/queue-6.18/netfilter-replace-eexist-with-ebusy.patch b/queue-6.18/netfilter-replace-eexist-with-ebusy.patch new file mode 100644 index 0000000000..55cecda53f --- /dev/null +++ b/queue-6.18/netfilter-replace-eexist-with-ebusy.patch @@ -0,0 +1,84 @@ +From 77b51c2bd94aab1806c6a8b0ea1e5164ea6575c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 06:13:20 +0100 +Subject: netfilter: replace -EEXIST with -EBUSY + +From: Daniel Gomez + +[ Upstream commit 2bafeb8d2f380c3a81d98bd7b78b854b564f9cd4 ] + +The -EEXIST error code is reserved by the module loading infrastructure +to indicate that a module is already loaded. When a module's init +function returns -EEXIST, userspace tools like kmod interpret this as +"module already loaded" and treat the operation as successful, returning +0 to the user even though the module initialization actually failed. + +Replace -EEXIST with -EBUSY to ensure correct error reporting in the module +initialization path. + +Affected modules: + * ebtable_broute ebtable_filter ebtable_nat arptable_filter + * ip6table_filter ip6table_mangle ip6table_nat ip6table_raw + * ip6table_security iptable_filter iptable_mangle iptable_nat + * iptable_raw iptable_security + +Signed-off-by: Daniel Gomez +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 2 +- + net/netfilter/nf_log.c | 4 ++-- + net/netfilter/x_tables.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 5697e3949a365..a04fc17575289 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1299,7 +1299,7 @@ int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct ne + list_for_each_entry(tmpl, &template_tables, list) { + if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) { + mutex_unlock(&ebt_mutex); +- return -EEXIST; ++ return -EBUSY; + } + } + +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index 74cef8bf554c5..62cf6a30875e3 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -89,7 +89,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + if (pf == NFPROTO_UNSPEC) { + for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) { + if (rcu_access_pointer(loggers[i][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + } +@@ -97,7 +97,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + rcu_assign_pointer(loggers[i][logger->type], logger); + } else { + if (rcu_access_pointer(loggers[pf][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + rcu_assign_pointer(loggers[pf][logger->type], logger); +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 90b7630421c44..48105ea3df152 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1764,7 +1764,7 @@ EXPORT_SYMBOL_GPL(xt_hook_ops_alloc); + int xt_register_template(const struct xt_table *table, + int (*table_init)(struct net *net)) + { +- int ret = -EEXIST, af = table->af; ++ int ret = -EBUSY, af = table->af; + struct xt_template *t; + + mutex_lock(&xt[af].mutex); +-- +2.51.0 + diff --git a/queue-6.18/nvme-fc-release-admin-tagset-if-init-fails.patch b/queue-6.18/nvme-fc-release-admin-tagset-if-init-fails.patch new file mode 100644 index 0000000000..303fac8e35 --- /dev/null +++ b/queue-6.18/nvme-fc-release-admin-tagset-if-init-fails.patch @@ -0,0 +1,52 @@ +From 04ee627c5b8f43704e15f710a09f3c2340a0629f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:18:42 -0800 +Subject: nvme-fc: release admin tagset if init fails + +From: Chaitanya Kulkarni + +[ Upstream commit d1877cc7270302081a315a81a0ee8331f19f95c8 ] + +nvme_fabrics creates an NVMe/FC controller in following path: + + nvmf_dev_write() + -> nvmf_create_ctrl() + -> nvme_fc_create_ctrl() + -> nvme_fc_init_ctrl() + +nvme_fc_init_ctrl() allocates the admin blk-mq resources right after +nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing +the controller state, scheduling connect work, etc.), we jump to the +fail_ctrl path, which tears down the controller references but never +frees the admin queue/tag set. The leaked blk-mq allocations match the +kmemleak report seen during blktests nvme/fc. + +Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call +nvme_remove_admin_tag_set() when it is set so that all admin queue +allocations are reclaimed whenever controller setup aborts. + +Reported-by: Yi Zhang +Reviewed-by: Justin Tee +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 8324230c53719..bf78faf1a4ffa 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3584,6 +3584,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + ctrl->ctrl.opts = NULL; + ++ if (ctrl->ctrl.admin_tagset) ++ nvme_remove_admin_tag_set(&ctrl->ctrl); + /* initiate nvme ctrl ref counting teardown */ + nvme_uninit_ctrl(&ctrl->ctrl); + +-- +2.51.0 + diff --git a/queue-6.18/nvme-pci-handle-changing-device-dma-map-requirements.patch b/queue-6.18/nvme-pci-handle-changing-device-dma-map-requirements.patch new file mode 100644 index 0000000000..be3735b42b --- /dev/null +++ b/queue-6.18/nvme-pci-handle-changing-device-dma-map-requirements.patch @@ -0,0 +1,107 @@ +From c9903e2486adee934f6c903a6ba327b46bfc91d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 06:29:11 -0800 +Subject: nvme-pci: handle changing device dma map requirements + +From: Keith Busch + +[ Upstream commit 071be3b0b6575d45be9df9c5b612f5882bfc5e88 ] + +The initial state of dma_needs_unmap may be false, but change to true +while mapping the data iterator. Enabling swiotlb is one such case that +can change the result. The nvme driver needs to save the mapped dma +vectors to be unmapped later, so allocate as needed during iteration +rather than assume it was always allocated at the beginning. This fixes +a NULL dereference from accessing an uninitialized dma_vecs when the +device dma unmapping requirements change mid-iteration. + +Fixes: b8b7570a7ec8 ("nvme-pci: fix dma unmapping when using PRPs and not using the IOVA mapping") +Link: https://lore.kernel.org/linux-nvme/20260202125738.1194899-1-pradeep.pragallapati@oss.qualcomm.com/ +Reported-by: Pradeep P V K +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 45 +++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 15 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 28f638413e122..391c854428d3e 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -771,6 +771,32 @@ static void nvme_unmap_data(struct request *req) + nvme_free_descriptors(req); + } + ++static bool nvme_pci_prp_save_mapping(struct request *req, ++ struct device *dma_dev, ++ struct blk_dma_iter *iter) ++{ ++ struct nvme_iod *iod = blk_mq_rq_to_pdu(req); ++ ++ if (dma_use_iova(&iod->dma_state) || !dma_need_unmap(dma_dev)) ++ return true; ++ ++ if (!iod->nr_dma_vecs) { ++ struct nvme_queue *nvmeq = req->mq_hctx->driver_data; ++ ++ iod->dma_vecs = mempool_alloc(nvmeq->dev->dmavec_mempool, ++ GFP_ATOMIC); ++ if (!iod->dma_vecs) { ++ iter->status = BLK_STS_RESOURCE; ++ return false; ++ } ++ } ++ ++ iod->dma_vecs[iod->nr_dma_vecs].addr = iter->addr; ++ iod->dma_vecs[iod->nr_dma_vecs].len = iter->len; ++ iod->nr_dma_vecs++; ++ return true; ++} ++ + static bool nvme_pci_prp_iter_next(struct request *req, struct device *dma_dev, + struct blk_dma_iter *iter) + { +@@ -780,12 +806,7 @@ static bool nvme_pci_prp_iter_next(struct request *req, struct device *dma_dev, + return true; + if (!blk_rq_dma_map_iter_next(req, dma_dev, &iod->dma_state, iter)) + return false; +- if (!dma_use_iova(&iod->dma_state) && dma_need_unmap(dma_dev)) { +- iod->dma_vecs[iod->nr_dma_vecs].addr = iter->addr; +- iod->dma_vecs[iod->nr_dma_vecs].len = iter->len; +- iod->nr_dma_vecs++; +- } +- return true; ++ return nvme_pci_prp_save_mapping(req, dma_dev, iter); + } + + static blk_status_t nvme_pci_setup_data_prp(struct request *req, +@@ -798,15 +819,8 @@ static blk_status_t nvme_pci_setup_data_prp(struct request *req, + unsigned int prp_len, i; + __le64 *prp_list; + +- if (!dma_use_iova(&iod->dma_state) && dma_need_unmap(nvmeq->dev->dev)) { +- iod->dma_vecs = mempool_alloc(nvmeq->dev->dmavec_mempool, +- GFP_ATOMIC); +- if (!iod->dma_vecs) +- return BLK_STS_RESOURCE; +- iod->dma_vecs[0].addr = iter->addr; +- iod->dma_vecs[0].len = iter->len; +- iod->nr_dma_vecs = 1; +- } ++ if (!nvme_pci_prp_save_mapping(req, nvmeq->dev->dev, iter)) ++ return iter->status; + + /* + * PRP1 always points to the start of the DMA transfers. +@@ -1148,6 +1162,7 @@ static blk_status_t nvme_prep_rq(struct request *req) + iod->nr_descriptors = 0; + iod->total_len = 0; + iod->meta_total_len = 0; ++ iod->nr_dma_vecs = 0; + + ret = nvme_setup_cmd(req->q->queuedata, req); + if (ret) +-- +2.51.0 + diff --git a/queue-6.18/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch b/queue-6.18/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch new file mode 100644 index 0000000000..4d65ca8408 --- /dev/null +++ b/queue-6.18/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch @@ -0,0 +1,51 @@ +From cf9e162201dc18c8c51f48dc1d78ed9ad49aa305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 11:32:45 +0200 +Subject: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() + +From: Hannes Reinecke + +[ Upstream commit 2fa8961d3a6a1c2395d8d560ffed2c782681bade ] + +When the socket is closed while in TCP_LISTEN a callback is run to +flush all outstanding packets, which in turns calls +nvmet_tcp_listen_data_ready() with the sk_callback_lock held. +So we need to check if we are in TCP_LISTEN before attempting +to get the sk_callback_lock() to avoid a deadlock. + +Link: https://lore.kernel.org/linux-nvme/CAHj4cs-zu7eVB78yUpFjVe2UqMWFkLk8p+DaS3qj+uiGCXBAoA@mail.gmail.com/ +Tested-by: Yi Zhang +Reviewed-by: Sagi Grimberg +Signed-off-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index f0572fc0b6598..5c8d17bcc49bd 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -2021,14 +2021,13 @@ static void nvmet_tcp_listen_data_ready(struct sock *sk) + + trace_sk_data_ready(sk); + ++ if (sk->sk_state != TCP_LISTEN) ++ return; ++ + read_lock_bh(&sk->sk_callback_lock); + port = sk->sk_user_data; +- if (!port) +- goto out; +- +- if (sk->sk_state == TCP_LISTEN) ++ if (port) + queue_work(nvmet_wq, &port->accept_work); +-out: + read_unlock_bh(&sk->sk_callback_lock); + } + +-- +2.51.0 + diff --git a/queue-6.18/pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch b/queue-6.18/pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch new file mode 100644 index 0000000000..392cdace10 --- /dev/null +++ b/queue-6.18/pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch @@ -0,0 +1,61 @@ +From 213dd15b8d8ccb86f0112ca75ee52b6d35d1d393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 13:47:18 +0530 +Subject: PCI: qcom: Remove ASPM L0s support for MSM8996 SoC + +From: Manivannan Sadhasivam + +[ Upstream commit 0cc13256b60510936c34098ee7b929098eed823b ] + +Though I couldn't confirm ASPM L0s support with the Qcom hardware team, a +bug report from Dmitry suggests that L0s is broken on this legacy SoC. +Hence, remove L0s support from the Root Port Link Capabilities in this SoC. + +Since qcom_pcie_clear_aspm_l0s() is now used by more than one SoC config, +call it from qcom_pcie_host_init() instead. + +Reported-by: Dmitry Baryshkov +Closes: https://lore.kernel.org/linux-pci/4cp5pzmlkkht2ni7us6p3edidnk25l45xrp6w3fxguqcvhq2id@wjqqrdpkypkf +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Tested-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://patch.msgid.link/20251126081718.8239-1-mani@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-qcom.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c +index c48a20602d7fa..6e820595ba32a 100644 +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1033,7 +1033,6 @@ static int qcom_pcie_post_init_2_7_0(struct qcom_pcie *pcie) + writel(WR_NO_SNOOP_OVERRIDE_EN | RD_NO_SNOOP_OVERRIDE_EN, + pcie->parf + PARF_NO_SNOOP_OVERRIDE); + +- qcom_pcie_clear_aspm_l0s(pcie->pci); + qcom_pcie_clear_hpc(pcie->pci); + + return 0; +@@ -1302,6 +1301,8 @@ static int qcom_pcie_host_init(struct dw_pcie_rp *pp) + goto err_disable_phy; + } + ++ qcom_pcie_clear_aspm_l0s(pcie->pci); ++ + qcom_ep_reset_deassert(pcie); + + if (pcie->cfg->ops->config_sid) { +@@ -1450,6 +1451,7 @@ static const struct qcom_pcie_cfg cfg_2_1_0 = { + + static const struct qcom_pcie_cfg cfg_2_3_2 = { + .ops = &ops_2_3_2, ++ .no_l0s = true, + }; + + static const struct qcom_pcie_cfg cfg_2_3_3 = { +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-dell-lis3lv02d-add-latitude-5400.patch b/queue-6.18/platform-x86-dell-lis3lv02d-add-latitude-5400.patch new file mode 100644 index 0000000000..7250b1722d --- /dev/null +++ b/queue-6.18/platform-x86-dell-lis3lv02d-add-latitude-5400.patch @@ -0,0 +1,77 @@ +From dde0f2b610dadfd54fcaeda3b5f4ce73cd905640 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Nov 2025 18:15:23 +0200 +Subject: platform/x86: dell-lis3lv02d: Add Latitude 5400 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmytro Bagrii + +[ Upstream commit a5b9fdd33c59a964a26d12c39b636ef85a25b074 ] + +Add accelerometer address 0x29 for Dell Latitude 5400. + +The address is verified as below: + + $ cat /sys/class/dmi/id/product_name + Latitude 5400 + + $ grep -H '' /sys/bus/pci/drivers/i801_smbus/0000\:00*/i2c-*/name + /sys/bus/pci/drivers/i801_smbus/0000:00:1f.4/i2c-10/name:SMBus I801 adapter at 0000:00:1f.4 + + $ i2cdetect 10 + WARNING! This program can confuse your I2C bus, cause data loss and worse! + I will probe file /dev/i2c-10. + I will probe address range 0x08-0x77. + Continue? [Y/n] Y + 0 1 2 3 4 5 6 7 8 9 a b c d e f + 00: 08 -- -- -- -- -- -- -- + 10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + 20: -- -- -- -- -- -- -- -- -- UU -- -- -- -- -- -- + 30: 30 -- -- -- -- 35 UU UU -- -- -- -- -- -- -- -- + 40: -- -- -- -- 44 -- -- -- -- -- -- -- -- -- -- -- + 50: UU -- 52 -- -- -- -- -- -- -- -- -- -- -- -- -- + 60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + 70: -- -- -- -- -- -- -- -- + + $ xargs -n1 -a /proc/cmdline | grep ^dell_lis3lv02d + dell_lis3lv02d.probe_i2c_addr=1 + + $ dmesg | grep lis3lv02d + ... + [ 206.012411] i2c i2c-10: Probing for lis3lv02d on address 0x29 + [ 206.013727] i2c i2c-10: Detected lis3lv02d on address 0x29, please report this upstream to platform-driver-x86@vger.kernel.org so that a quirk can be added + [ 206.240841] lis3lv02d_i2c 10-0029: supply Vdd not found, using dummy regulator + [ 206.240868] lis3lv02d_i2c 10-0029: supply Vdd_IO not found, using dummy regulator + [ 206.261258] lis3lv02d: 8 bits 3DC sensor found + [ 206.346722] input: ST LIS3LV02DL Accelerometer as /devices/faux/lis3lv02d/input/input17 + + $ cat /sys/class/input/input17/name + ST LIS3LV02DL Accelerometer + +Signed-off-by: Dmytro Bagrii +Reviewed-by: Hans de Goede +Link: https://patch.msgid.link/20251128161523.6224-1-dimich.dmb@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell-lis3lv02d.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/dell/dell-lis3lv02d.c b/drivers/platform/x86/dell/dell-lis3lv02d.c +index 77905a9ddde9d..fe52bcd896f78 100644 +--- a/drivers/platform/x86/dell/dell-lis3lv02d.c ++++ b/drivers/platform/x86/dell/dell-lis3lv02d.c +@@ -44,6 +44,7 @@ static const struct dmi_system_id lis3lv02d_devices[] __initconst = { + /* + * Additional individual entries were added after verification. + */ ++ DELL_LIS3LV02D_DMI_ENTRY("Latitude 5400", 0x29), + DELL_LIS3LV02D_DMI_ENTRY("Latitude 5480", 0x29), + DELL_LIS3LV02D_DMI_ENTRY("Latitude 5500", 0x29), + DELL_LIS3LV02D_DMI_ENTRY("Latitude E6330", 0x29), +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch b/queue-6.18/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch new file mode 100644 index 0000000000..fa28e273d3 --- /dev/null +++ b/queue-6.18/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch @@ -0,0 +1,46 @@ +From bb2b4c286258f1b8207bf761ec923626b28a6524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 13:04:45 -0600 +Subject: platform/x86: hp-bioscfg: Skip empty attribute names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 6222883af286e2feb3c9ff2bf9fd8fdf4220c55a ] + +Avoid registering kobjects with empty names when a BIOS attribute +name decodes to an empty string. + +Fixes: a34fc329b1895 ("platform/x86: hp-bioscfg: bioscfg") +Reported-by: Alain Cousinie +Closes: https://lore.kernel.org/platform-driver-x86/22ed5f78-c8bf-4ab4-8c38-420cc0201e7e@laposte.net/ +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260128190501.2170068-1-mario.limonciello@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +index dbe096eefa758..51e8977d3eb4a 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +@@ -696,6 +696,11 @@ static int hp_init_bios_package_attribute(enum hp_wmi_data_type attr_type, + return ret; + } + ++ if (!str_value || !str_value[0]) { ++ pr_debug("Ignoring attribute with empty name\n"); ++ goto pack_attr_exit; ++ } ++ + /* All duplicate attributes found are ignored */ + duplicate = kset_find_obj(temp_kset, str_value); + if (duplicate) { +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch b/queue-6.18/platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch new file mode 100644 index 0000000000..6a8eed23bd --- /dev/null +++ b/queue-6.18/platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch @@ -0,0 +1,41 @@ +From 35cc1cfc1f235118ea729771cb5e86fe8bff121c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 15:45:40 -0800 +Subject: platform/x86/intel/tpmi/plr: Make the file domain/status writeable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Neri + +[ Upstream commit 008bec8ffe6e7746588d1e12c5b3865fa478fc91 ] + +The file sys/kernel/debug/tpmi-/plr/domain/status has store and show +callbacks. Make it writeable. + +Fixes: 811f67c51636d ("platform/x86/intel/tpmi: Add new auxiliary driver for performance limits") +Signed-off-by: Ricardo Neri +Link: https://patch.msgid.link/20260127-plr-debugfs-write-v1-1-1fffbc370b1e@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/plr_tpmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/plr_tpmi.c b/drivers/platform/x86/intel/plr_tpmi.c +index 58132da477457..05727169f49c1 100644 +--- a/drivers/platform/x86/intel/plr_tpmi.c ++++ b/drivers/platform/x86/intel/plr_tpmi.c +@@ -316,7 +316,7 @@ static int intel_plr_probe(struct auxiliary_device *auxdev, const struct auxilia + snprintf(name, sizeof(name), "domain%d", i); + + dentry = debugfs_create_dir(name, plr->dbgfs_dir); +- debugfs_create_file("status", 0444, dentry, &plr->die_info[i], ++ debugfs_create_file("status", 0644, dentry, &plr->die_info[i], + &plr_status_fops); + } + +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-intel_telemetry-fix-pss-event-register-.patch b/queue-6.18/platform-x86-intel_telemetry-fix-pss-event-register-.patch new file mode 100644 index 0000000000..c5b8c231a1 --- /dev/null +++ b/queue-6.18/platform-x86-intel_telemetry-fix-pss-event-register-.patch @@ -0,0 +1,48 @@ +From 06dac647ec6d051755728ff2d417b7fffb5e4e30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 11:41:44 +0530 +Subject: platform/x86: intel_telemetry: Fix PSS event register mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kaushlendra Kumar + +[ Upstream commit 39e9c376ac42705af4ed4ae39eec028e8bced9b4 ] + +The PSS telemetry info parsing incorrectly applies +TELEM_INFO_SRAMEVTS_MASK when extracting event register +count from firmware response. This reads bits 15-8 instead +of the correct bits 7-0, causing misdetection of hardware +capabilities. + +The IOSS path correctly uses TELEM_INFO_NENABLES_MASK for +register count. Apply the same mask to PSS parsing for +consistency. + +Fixes: 9d16b482b059 ("platform:x86: Add Intel telemetry platform driver") +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20251224061144.3925519-1-kaushlendra.kumar@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/telemetry/pltdrv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/telemetry/pltdrv.c b/drivers/platform/x86/intel/telemetry/pltdrv.c +index f23c170a55dc6..d9aa349f81e41 100644 +--- a/drivers/platform/x86/intel/telemetry/pltdrv.c ++++ b/drivers/platform/x86/intel/telemetry/pltdrv.c +@@ -610,7 +610,7 @@ static int telemetry_setup(struct platform_device *pdev) + /* Get telemetry Info */ + events = (read_buf & TELEM_INFO_SRAMEVTS_MASK) >> + TELEM_INFO_SRAMEVTS_SHIFT; +- event_regs = read_buf & TELEM_INFO_SRAMEVTS_MASK; ++ event_regs = read_buf & TELEM_INFO_NENABLES_MASK; + if ((events < TELEM_MAX_EVENTS_SRAM) || + (event_regs < TELEM_MAX_EVENTS_SRAM)) { + dev_err(&pdev->dev, "PSS:Insufficient Space for SRAM Trace\n"); +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch b/queue-6.18/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch new file mode 100644 index 0000000000..b41265e9df --- /dev/null +++ b/queue-6.18/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch @@ -0,0 +1,42 @@ +From 28c98a584238b30f0b8bbc5526148d6f9f24d5d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 16:38:45 +0200 +Subject: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines + +From: Rafael J. Wysocki + +[ Upstream commit 128497456756e1b952bd5a912cd073836465109d ] + +toshiba_haps_add() leaks the haps object allocated by it if it returns +an error after allocating that object successfully. + +toshiba_haps_remove() does not free the object pointed to by +toshiba_haps before clearing that pointer, so it becomes unreachable +allocated memory. + +Address these memory leaks by using devm_kzalloc() for allocating +the memory in question. + +Fixes: 23d0ba0c908a ("platform/x86: Toshiba HDD Active Protection Sensor") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/toshiba_haps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/toshiba_haps.c b/drivers/platform/x86/toshiba_haps.c +index 03dfddeee0c0a..e9324bf16aea4 100644 +--- a/drivers/platform/x86/toshiba_haps.c ++++ b/drivers/platform/x86/toshiba_haps.c +@@ -183,7 +183,7 @@ static int toshiba_haps_add(struct acpi_device *acpi_dev) + + pr_info("Toshiba HDD Active Protection Sensor device\n"); + +- haps = kzalloc(sizeof(struct toshiba_haps_dev), GFP_KERNEL); ++ haps = devm_kzalloc(&acpi_dev->dev, sizeof(*haps), GFP_KERNEL); + if (!haps) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.18/regmap-maple-free-entry-on-mas_store_gfp-failure.patch b/queue-6.18/regmap-maple-free-entry-on-mas_store_gfp-failure.patch new file mode 100644 index 0000000000..486d3d9ee6 --- /dev/null +++ b/queue-6.18/regmap-maple-free-entry-on-mas_store_gfp-failure.patch @@ -0,0 +1,51 @@ +From 58308c3501cb77c7f4f0cd719d49915d2b5ea6d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 08:48:20 +0530 +Subject: regmap: maple: free entry on mas_store_gfp() failure + +From: Kaushlendra Kumar + +[ Upstream commit f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8 ] + +regcache_maple_write() allocates a new block ('entry') to merge +adjacent ranges and then stores it with mas_store_gfp(). +When mas_store_gfp() fails, the new 'entry' remains allocated and +is never freed, leaking memory. + +Free 'entry' on the failure path; on success continue freeing the +replaced neighbor blocks ('lower', 'upper'). + +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20260105031820.260119-1-kaushlendra.kumar@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache-maple.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/regmap/regcache-maple.c b/drivers/base/regmap/regcache-maple.c +index 2319c30283a6d..9cf0384ce7b95 100644 +--- a/drivers/base/regmap/regcache-maple.c ++++ b/drivers/base/regmap/regcache-maple.c +@@ -95,12 +95,13 @@ static int regcache_maple_write(struct regmap *map, unsigned int reg, + + mas_unlock(&mas); + +- if (ret == 0) { +- kfree(lower); +- kfree(upper); ++ if (ret) { ++ kfree(entry); ++ return ret; + } +- +- return ret; ++ kfree(lower); ++ kfree(upper); ++ return 0; + } + + static int regcache_maple_drop(struct regmap *map, unsigned int min, +-- +2.51.0 + diff --git a/queue-6.18/revert-drm-amd-display-pause-the-workload-setting-in.patch b/queue-6.18/revert-drm-amd-display-pause-the-workload-setting-in.patch new file mode 100644 index 0000000000..f6a2675698 --- /dev/null +++ b/queue-6.18/revert-drm-amd-display-pause-the-workload-setting-in.patch @@ -0,0 +1,77 @@ +From 625d55256ae6934b3e5593bc2555bccc8eda891d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 18:10:04 -0500 +Subject: Revert "drm/amd/display: pause the workload setting in dm" + +From: Alex Deucher + +[ Upstream commit f377ea0561c9576cdb7e3890bcf6b8168d455464 ] + +This reverts commit bc6d54ac7e7436721a19443265f971f890c13cc5. + +The workload profile needs to be in the default state when +the dc idle optimizaion state is entered. However, when +jobs come in for video or GFX or compute, the profile may +be set to a non-default profile resulting in the dc idle +optimizations not taking affect and resulting in higher +power usage. As such we need to pause the workload profile +changes during this transition. When this patch was originally +committed, it caused a regression with a Dell U3224KB display, +but no other problems were reported at the time. When it +was reapplied (this patch) to address increased power usage, it +seems to have caused additional regressions. This change seems +to have a number of side affects (audio issues, stuttering, +etc.). I suspect the pause should only happen when all displays +are off or in static screen mode, but I think this call site +gets called more often than that which results in idle state +entry more often than intended. For now revert. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4894 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4717 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4725 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4517 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4806 +Cc: Yang Wang +Cc: Kenneth Feng +Cc: Roman Li +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +(cherry picked from commit 1412482b714358ffa30d38fd3dd0b05795163648) +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +index 38f9ea313dcbb..2e7ee77c010e1 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +@@ -248,8 +248,6 @@ static void amdgpu_dm_crtc_vblank_control_worker(struct work_struct *work) + struct vblank_control_work *vblank_work = + container_of(work, struct vblank_control_work, work); + struct amdgpu_display_manager *dm = vblank_work->dm; +- struct amdgpu_device *adev = drm_to_adev(dm->ddev); +- int r; + + mutex_lock(&dm->dc_lock); + +@@ -279,16 +277,7 @@ static void amdgpu_dm_crtc_vblank_control_worker(struct work_struct *work) + + if (dm->active_vblank_irq_count == 0) { + dc_post_update_surfaces_to_stream(dm->dc); +- +- r = amdgpu_dpm_pause_power_profile(adev, true); +- if (r) +- dev_warn(adev->dev, "failed to set default power profile mode\n"); +- + dc_allow_idle_optimizations(dm->dc, true); +- +- r = amdgpu_dpm_pause_power_profile(adev, false); +- if (r) +- dev_warn(adev->dev, "failed to restore the power profile mode\n"); + } + + mutex_unlock(&dm->dc_lock); +-- +2.51.0 + diff --git a/queue-6.18/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch b/queue-6.18/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch new file mode 100644 index 0000000000..10c5db2b16 --- /dev/null +++ b/queue-6.18/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch @@ -0,0 +1,69 @@ +From 2e97bbc965acd5a140b9a501fe8d65f7198bc719 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 14:50:07 +0800 +Subject: ring-buffer: Avoid softlockup in ring_buffer_resize() during memory + free + +From: Wupeng Ma + +[ Upstream commit 6435ffd6c7fcba330dfa91c58dc30aed2df3d0bf ] + +When user resize all trace ring buffer through file 'buffer_size_kb', +then in ring_buffer_resize(), kernel allocates buffer pages for each +cpu in a loop. + +If the kernel preemption model is PREEMPT_NONE and there are many cpus +and there are many buffer pages to be freed, it may not give up cpu +for a long time and finally cause a softlockup. + +To avoid it, call cond_resched() after each cpu buffer free as Commit +f6bd2c92488c ("ring-buffer: Avoid softlockup in ring_buffer_resize()") +does. + +Detailed call trace as follow: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 24-....: (14837 ticks this GP) idle=521c/1/0x4000000000000000 softirq=230597/230597 fqs=5329 + rcu: (t=15004 jiffies g=26003221 q=211022 ncpus=96) + CPU: 24 UID: 0 PID: 11253 Comm: bash Kdump: loaded Tainted: G EL 6.18.2+ #278 NONE + pc : arch_local_irq_restore+0x8/0x20 + arch_local_irq_restore+0x8/0x20 (P) + free_frozen_page_commit+0x28c/0x3b0 + __free_frozen_pages+0x1c0/0x678 + ___free_pages+0xc0/0xe0 + free_pages+0x3c/0x50 + ring_buffer_resize.part.0+0x6a8/0x880 + ring_buffer_resize+0x3c/0x58 + __tracing_resize_ring_buffer.part.0+0x34/0xd8 + tracing_resize_ring_buffer+0x8c/0xd0 + tracing_entries_write+0x74/0xd8 + vfs_write+0xcc/0x288 + ksys_write+0x74/0x118 + __arm64_sys_write+0x24/0x38 + +Cc: +Link: https://patch.msgid.link/20251228065008.2396573-1-mawupeng1@huawei.com +Signed-off-by: Wupeng Ma +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index afcd3747264d2..3ba08fc1b7d05 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -3121,6 +3121,8 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, + list) { + list_del_init(&bpage->list); + free_buffer_page(bpage); ++ ++ cond_resched(); + } + } + out_err_unlock: +-- +2.51.0 + diff --git a/queue-6.18/riscv-sanitize-syscall-table-indexing-under-speculat.patch b/queue-6.18/riscv-sanitize-syscall-table-indexing-under-speculat.patch new file mode 100644 index 0000000000..3e4d417a9c --- /dev/null +++ b/queue-6.18/riscv-sanitize-syscall-table-indexing-under-speculat.patch @@ -0,0 +1,41 @@ +From 7c1fe32ae7d03f4c4349dd7a6287d187d85c2da8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 20:13:32 +0100 +Subject: riscv: Sanitize syscall table indexing under speculation + +From: Lukas Gerlach + +[ Upstream commit 25fd7ee7bf58ac3ec7be3c9f82ceff153451946c ] + +The syscall number is a user-controlled value used to index into the +syscall table. Use array_index_nospec() to clamp this value after the +bounds check to prevent speculative out-of-bounds access and subsequent +data leakage via cache side channels. + +Signed-off-by: Lukas Gerlach +Link: https://patch.msgid.link/20251218191332.35849-3-lukas.gerlach@cispa.de +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/traps.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c +index 80230de167def..47afea4ff1a8d 100644 +--- a/arch/riscv/kernel/traps.c ++++ b/arch/riscv/kernel/traps.c +@@ -339,8 +339,10 @@ void do_trap_ecall_u(struct pt_regs *regs) + + add_random_kstack_offset(); + +- if (syscall >= 0 && syscall < NR_syscalls) ++ if (syscall >= 0 && syscall < NR_syscalls) { ++ syscall = array_index_nospec(syscall, NR_syscalls); + syscall_handler(regs, syscall); ++ } + + /* + * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), +-- +2.51.0 + diff --git a/queue-6.18/riscv-trace-fix-snapshot-deadlock-with-sbi-ecall.patch b/queue-6.18/riscv-trace-fix-snapshot-deadlock-with-sbi-ecall.patch new file mode 100644 index 0000000000..25e69276a8 --- /dev/null +++ b/queue-6.18/riscv-trace-fix-snapshot-deadlock-with-sbi-ecall.patch @@ -0,0 +1,84 @@ +From 02de498325d091d16da84e4933557eb51a138bc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 14:50:06 +0100 +Subject: riscv: trace: fix snapshot deadlock with sbi ecall + +From: Martin Kaiser + +[ Upstream commit b0d7f5f0c9f05f1b6d4ee7110f15bef9c11f9df0 ] + +If sbi_ecall.c's functions are traceable, + +echo "__sbi_ecall:snapshot" > /sys/kernel/tracing/set_ftrace_filter + +may get the kernel into a deadlock. + +(Functions in sbi_ecall.c are excluded from tracing if +CONFIG_RISCV_ALTERNATIVE_EARLY is set.) + +__sbi_ecall triggers a snapshot of the ringbuffer. The snapshot code +raises an IPI interrupt, which results in another call to __sbi_ecall +and another snapshot... + +All it takes to get into this endless loop is one initial __sbi_ecall. +On RISC-V systems without SSTC extension, the clock events in +timer-riscv.c issue periodic sbi ecalls, making the problem easy to +trigger. + +Always exclude the sbi_ecall.c functions from tracing to fix the +potential deadlock. + +sbi ecalls can easiliy be logged via trace events, excluding ecall +functions from function tracing is not a big limitation. + +Signed-off-by: Martin Kaiser +Link: https://patch.msgid.link/20251223135043.1336524-1-martin@kaiser.cx +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/Makefile | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile +index f60fce69b7259..a01f6439d62b1 100644 +--- a/arch/riscv/kernel/Makefile ++++ b/arch/riscv/kernel/Makefile +@@ -3,12 +3,6 @@ + # Makefile for the RISC-V Linux kernel + # + +-ifdef CONFIG_FTRACE +-CFLAGS_REMOVE_ftrace.o = $(CC_FLAGS_FTRACE) +-CFLAGS_REMOVE_patch.o = $(CC_FLAGS_FTRACE) +-CFLAGS_REMOVE_sbi.o = $(CC_FLAGS_FTRACE) +-CFLAGS_REMOVE_return_address.o = $(CC_FLAGS_FTRACE) +-endif + CFLAGS_syscall_table.o += $(call cc-disable-warning, override-init) + CFLAGS_compat_syscall_table.o += $(call cc-disable-warning, override-init) + +@@ -24,7 +18,6 @@ CFLAGS_sbi_ecall.o := -mcmodel=medany + ifdef CONFIG_FTRACE + CFLAGS_REMOVE_alternative.o = $(CC_FLAGS_FTRACE) + CFLAGS_REMOVE_cpufeature.o = $(CC_FLAGS_FTRACE) +-CFLAGS_REMOVE_sbi_ecall.o = $(CC_FLAGS_FTRACE) + endif + ifdef CONFIG_RELOCATABLE + CFLAGS_alternative.o += -fno-pie +@@ -43,6 +36,14 @@ CFLAGS_sbi_ecall.o += -D__NO_FORTIFY + endif + endif + ++ifdef CONFIG_FTRACE ++CFLAGS_REMOVE_ftrace.o = $(CC_FLAGS_FTRACE) ++CFLAGS_REMOVE_patch.o = $(CC_FLAGS_FTRACE) ++CFLAGS_REMOVE_sbi.o = $(CC_FLAGS_FTRACE) ++CFLAGS_REMOVE_return_address.o = $(CC_FLAGS_FTRACE) ++CFLAGS_REMOVE_sbi_ecall.o = $(CC_FLAGS_FTRACE) ++endif ++ + always-$(KBUILD_BUILTIN) += vmlinux.lds + + obj-y += head.o +-- +2.51.0 + diff --git a/queue-6.18/riscv-use-64-bit-variable-for-output-in-__get_user_a.patch b/queue-6.18/riscv-use-64-bit-variable-for-output-in-__get_user_a.patch new file mode 100644 index 0000000000..128b7731fb --- /dev/null +++ b/queue-6.18/riscv-use-64-bit-variable-for-output-in-__get_user_a.patch @@ -0,0 +1,67 @@ +From af0622cb361edbcd3c09c63bdcb8e1bc2edf7de0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 15:44:34 -0700 +Subject: riscv: Use 64-bit variable for output in __get_user_asm + +From: Nathan Chancellor + +[ Upstream commit bdce162f2e57a969803e5e9375999a3e0546905f ] + +After commit f6bff7827a48 ("riscv: uaccess: use 'asm_goto_output' for +get_user()"), which was the first commit that started using asm goto +with outputs on RISC-V, builds of clang built with assertions enabled +start crashing in certain files that use get_user() with: + + clang: llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:12743: Register FollowCopyChain(MachineRegisterInfo &, Register): Assertion `MI->getOpcode() == TargetOpcode::COPY && "start of copy chain MUST be COPY"' failed. + +Internally, LLVM generates an addiw instruction when the output of the +inline asm (which may be any scalar type) needs to be sign extended for +ABI reasons, such as a later function call, so that basic block does not +have to do it. + +Use a temporary 64-bit variable as the output of the inline assembly in +__get_user_asm() and explicitly cast it to truncate it if necessary, +avoiding the addiw that triggers the assertion. + +Link: https://github.com/ClangBuiltLinux/linux/issues/2092 +Signed-off-by: Nathan Chancellor +Link: https://patch.msgid.link/20260116-riscv-wa-llvm-asm-goto-outputs-assertion-failure-v3-1-55b5775f989b@kernel.org +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/uaccess.h | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h +index f5f4f7f85543f..1029c31026dcf 100644 +--- a/arch/riscv/include/asm/uaccess.h ++++ b/arch/riscv/include/asm/uaccess.h +@@ -97,13 +97,23 @@ static inline unsigned long __untagged_addr_remote(struct mm_struct *mm, unsigne + */ + + #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT ++/* ++ * Use a temporary variable for the output of the asm goto to avoid a ++ * triggering an LLVM assertion due to sign extending the output when ++ * it is used in later function calls: ++ * https://github.com/llvm/llvm-project/issues/143795 ++ */ + #define __get_user_asm(insn, x, ptr, label) \ ++do { \ ++ u64 __tmp; \ + asm_goto_output( \ + "1:\n" \ + " " insn " %0, %1\n" \ + _ASM_EXTABLE_UACCESS_ERR(1b, %l2, %0) \ +- : "=&r" (x) \ +- : "m" (*(ptr)) : : label) ++ : "=&r" (__tmp) \ ++ : "m" (*(ptr)) : : label); \ ++ (x) = (__typeof__(x))__tmp; \ ++} while (0) + #else /* !CONFIG_CC_HAS_ASM_GOTO_OUTPUT */ + #define __get_user_asm(insn, x, ptr, label) \ + do { \ +-- +2.51.0 + diff --git a/queue-6.18/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch b/queue-6.18/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch new file mode 100644 index 0000000000..258e6f0c6f --- /dev/null +++ b/queue-6.18/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch @@ -0,0 +1,51 @@ +From 5c75c861c4e23f0393845c33bf2882594bf43e85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:51 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_conn_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 9411a89e9e7135cc459178fa77a3f1d6191ae903 ] + +In iscsit_dec_conn_usage_count(), the function calls complete() while +holding the conn->conn_usage_lock. As soon as complete() is invoked, the +waiter (such as iscsit_close_connection()) may wake up and proceed to free +the iscsit_conn structure. + +If the waiter frees the memory before the current thread reaches +spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function +attempts to release a lock within the already-freed connection structure. + +Fix this by releasing the spinlock before calling complete(). + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 262a3e76b4b1c..c1888c42afdd5 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -813,8 +813,11 @@ void iscsit_dec_conn_usage_count(struct iscsit_conn *conn) + spin_lock_bh(&conn->conn_usage_lock); + conn->conn_usage_count--; + +- if (!conn->conn_usage_count && conn->conn_waiting_on_uc) ++ if (!conn->conn_usage_count && conn->conn_waiting_on_uc) { ++ spin_unlock_bh(&conn->conn_usage_lock); + complete(&conn->conn_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&conn->conn_usage_lock); + } +-- +2.51.0 + diff --git a/queue-6.18/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch b/queue-6.18/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch new file mode 100644 index 0000000000..65f3cf17d2 --- /dev/null +++ b/queue-6.18/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch @@ -0,0 +1,53 @@ +From e7f0890d09318899d85739f5660b6edf169820c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:52 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_session_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 84dc6037390b8607c5551047d3970336cb51ba9a ] + +In iscsit_dec_session_usage_count(), the function calls complete() while +holding the sess->session_usage_lock. Similar to the connection usage count +logic, the waiter signaled by complete() (e.g., in the session release +path) may wake up and free the iscsit_session structure immediately. + +This creates a race condition where the current thread may attempt to +execute spin_unlock_bh() on a session structure that has already been +deallocated, resulting in a KASAN slab-use-after-free. + +To resolve this, release the session_usage_lock before calling complete() +to ensure all dereferences of the sess pointer are finished before the +waiter is allowed to proceed with deallocation. + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 5e6cf34929b55..262a3e76b4b1c 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -741,8 +741,11 @@ void iscsit_dec_session_usage_count(struct iscsit_session *sess) + spin_lock_bh(&sess->session_usage_lock); + sess->session_usage_count--; + +- if (!sess->session_usage_count && sess->session_waiting_on_uc) ++ if (!sess->session_usage_count && sess->session_waiting_on_uc) { ++ spin_unlock_bh(&sess->session_usage_lock); + complete(&sess->session_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&sess->session_usage_lock); + } +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 351406aaaa..2f973d848f 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -45,3 +45,118 @@ binder-fix-uaf-in-binder_netlink_report.patch binder-fix-br_frozen_reply-error-log.patch binderfs-fix-ida_alloc_max-upper-bound.patch tracing-fix-ftrace-event-field-alignments.patch +wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch +wifi-wlcore-ensure-skb-headroom-before-skb_push.patch +wifi-mac80211-don-t-warn-for-connections-on-invalid-.patch +net-usb-sr9700-support-devices-with-virtual-driver-c.patch +wifi-iwlwifi-implement-settime64-as-stub-for-mvm-mld.patch +platform-x86-dell-lis3lv02d-add-latitude-5400.patch +block-bfq-fix-aux-stat-accumulation-destination.patch +smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch +loongarch-set-correct-protection_map-for-vm_none-vm_.patch +md-suspend-array-while-updating-raid_disks-via-sysfs.patch +smb-server-fix-refcount-leak-in-smb2_open.patch +io_uring-use-gfp_nowait-for-overflow-cqes-on-legacy-.patch +loongarch-enable-exception-fixup-for-specific-ade-su.patch +smb-server-fix-refcount-leak-in-parse_durable_handle.patch +btrfs-do-not-free-data-reservation-in-fallback-from-.patch +hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch +hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch +btrfs-fix-reservation-leak-in-some-error-paths-when-.patch +riscv-sanitize-syscall-table-indexing-under-speculat.patch +hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch +hid-playstation-center-initial-joystick-axes-to-prev.patch +alsa-hda-realtek-add-quirk-for-acer-nitro-an517-55.patch +x86-sev-disable-gcov-on-noinstr-object.patch +alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch +pci-qcom-remove-aspm-l0s-support-for-msm8996-soc.patch +netfilter-replace-eexist-with-ebusy.patch +drm-amd-display-reduce-number-of-arguments-of-dcn30-.patch +hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch +hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch +hid-intel-thc-hid-intel-thc-add-safety-check-for-rea.patch +hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch +drm-amd-pm-disable-mmio-access-during-smu-mode-1-res.patch +ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch +riscv-trace-fix-snapshot-deadlock-with-sbi-ecall.patch +hid-logitech-add-hid-support-for-logitech-mx-anywher.patch +hid-elecom-add-support-for-elecom-m-xt3drbk-018c.patch +wifi-mac80211-collect-station-statistics-earlier-whe.patch +asoc-intel-sof_sdw-add-new-quirks-for-ptl-on-dell-wi.patch +dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_re.patch +asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch +asoc-simple-card-utils-check-device-node-before-over.patch +nvme-fc-release-admin-tagset-if-init-fails.patch +alsa-usb-audio-prevent-excessive-number-of-frames.patch +nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch +asoc-amd-yc-fix-microphone-on-asus-m6500re.patch +asoc-tlv320adcx140-propagate-error-codes-during-prob.patch +alsa-hda-tas2781-add-newly-released-hp-laptop.patch +spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch +regmap-maple-free-entry-on-mas_store_gfp-failure.patch +alsa-usb-audio-add-delay-quirk-for-moondrop-moonrive.patch +spi-intel-pci-add-support-for-nova-lake-spi-serial-f.patch +wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch +riscv-use-64-bit-variable-for-output-in-__get_user_a.patch +io_uring-rw-free-potentially-allocated-iovec-on-cach.patch +alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch +btrfs-fix-wmaybe-uninitialized-warning-in-replay_one.patch +wifi-mac80211-correctly-check-if-csa-is-active.patch +btrfs-sync-read-disk-super-and-set-block-size.patch +wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch +btrfs-reject-new-transactions-if-the-fs-is-fully-rea.patch +alsa-hda-realtek-alc269-fixup-for-lenovo-yoga-book-9.patch +tracing-avoid-possible-signed-64-bit-truncation.patch +revert-drm-amd-display-pause-the-workload-setting-in.patch +platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch +platform-x86-intel_telemetry-fix-pss-event-register-.patch +platform-x86-hp-bioscfg-skip-empty-attribute-names.patch +platform-x86-intel-tpmi-plr-make-the-file-domain-n-s.patch +smb-client-fix-memory-leak-in-smb2_open_file.patch +hwmon-dell-smm-add-dell-g15-5510-to-fan-control-whit.patch +net-add-skb_header_pointer_careful-helper.patch +net-sched-cls_u32-use-skb_header_pointer_careful.patch +dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch +net-liquidio-initialize-netdev-pointer-before-queue-.patch +net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch +net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch +dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch +ice-fix-missing-tx-timestamps-interrupts-on-e825-dev.patch +ice-ptp-fix-missing-timestamps-on-e825-hardware.patch +ice-fix-ptp-null-pointer-dereference-during-vsi-rebu.patch +ice-drop-udp_tunnel_get_rx_info-call-from-ndo_open.patch +i40e-drop-udp_tunnel_get_rx_info-call-from-i40e_open.patch +net-sfp-fix-quirk-for-ubiquiti-u-fiber-instant-sfp-m.patch +macvlan-fix-error-recovery-in-macvlan_common_newlink.patch +net-usb-r8152-fix-resume-reset-deadlock.patch +hwmon-acpi_power_meter-fix-deadlocks-related-to-acpi.patch +net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch +io_uring-zcrx-fix-page-array-leak.patch +linkwatch-use-__dev_put-in-callers-to-prevent-uaf.patch +net-rss-fix-reporting-rxh_xfrm_no_change-as-input_xf.patch +tipc-use-kfree_sensitive-for-session-key-material.patch +net-enetc-remove-si-bdr-cacheability-axi-settings-fo.patch +net-enetc-remove-cbdr-cacheability-axi-settings-for-.patch +net-enetc-convert-16-bit-register-writes-to-32-bit-f.patch +net-enetc-convert-16-bit-register-reads-to-32-bit-fo.patch +wifi-iwlwifi-mld-cancel-mlo_scan_start_wk.patch +wifi-iwlwifi-mvm-pause-tcm-on-fast-resume.patch +drm-amd-display-fix-wrong-color-value-mapping-on-mcm.patch +net-ethernet-adi-adin1110-check-return-value-of-devm.patch +net-add-proper-rcu-protection-to-proc-net-ptype.patch +net-gro-fix-outer-network-offset.patch +drm-mgag200-fix-mgag200_bmc_stop_scanout.patch +drm-xe-query-fix-topology-query-pointer-advance.patch +drm-xe-pm-disable-d3cold-for-bmg-only-on-specific-pl.patch +hwmon-occ-mark-occ_init_attribute-as-__printf.patch +netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch +drm-xe-guc-fix-cfi-violation-in-debugfs-access.patch +nvme-pci-handle-changing-device-dma-map-requirements.patch +ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch +firmware-cs_dsp-factor-out-common-debugfs-string-rea.patch +firmware-cs_dsp-rate-limit-log-messages-in-kunit-bui.patch +alsa-usb-audio-fix-broken-logic-in-snd_audigy2nx_led.patch +asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch +gpio-loongson-64bit-fix-incorrect-null-check-after-d.patch diff --git a/queue-6.18/smb-client-fix-memory-leak-in-smb2_open_file.patch b/queue-6.18/smb-client-fix-memory-leak-in-smb2_open_file.patch new file mode 100644 index 0000000000..e121097b5f --- /dev/null +++ b/queue-6.18/smb-client-fix-memory-leak-in-smb2_open_file.patch @@ -0,0 +1,72 @@ +From ea14cf483fd414af9fb895e93a0bb1d5785774e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 08:24:07 +0000 +Subject: smb/client: fix memory leak in smb2_open_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: ChenXiaoSong + +[ Upstream commit e3a43633023e3cacaca60d4b8972d084a2b06236 ] + +Reproducer: + + 1. server: directories are exported read-only + 2. client: mount -t cifs //${server_ip}/export /mnt + 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct + 4. client: umount /mnt + 5. client: sleep 1 + 6. client: modprobe -r cifs + +The error message is as follows: + + ============================================================================= + BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown() + ----------------------------------------------------------------------------- + + Object 0x00000000d47521be @offset=14336 + ... + WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577 + ... + Call Trace: + + kmem_cache_destroy+0x94/0x190 + cifs_destroy_request_bufs+0x3e/0x50 [cifs] + cleanup_module+0x4e/0x540 [cifs] + __se_sys_delete_module+0x278/0x400 + __x64_sys_delete_module+0x5f/0x70 + x64_sys_call+0x2299/0x2ff0 + do_syscall_64+0x89/0x350 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + ... + kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs] + WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577 + +Link: https://lore.kernel.org/linux-cifs/9751f02d-d1df-4265-a7d6-b19761b21834@linux.dev/T/#mf14808c144448b715f711ce5f0477a071f08eaf6 +Fixes: e255612b5ed9 ("cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES") +Reported-by: Paulo Alcantara +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: ChenXiaoSong +Reviewed-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c +index a7f6292388306..03f90553d8319 100644 +--- a/fs/smb/client/smb2file.c ++++ b/fs/smb/client/smb2file.c +@@ -177,6 +177,7 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms, __u32 + rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, + &err_buftype); + if (rc == -EACCES && retry_without_read_attributes) { ++ free_rsp_buf(err_buftype, err_iov.iov_base); + oparms->desired_access &= ~FILE_READ_ATTRIBUTES; + rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, + &err_buftype); +-- +2.51.0 + diff --git a/queue-6.18/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch b/queue-6.18/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch new file mode 100644 index 0000000000..aac7a6aa87 --- /dev/null +++ b/queue-6.18/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch @@ -0,0 +1,47 @@ +From fdd43da93db71602b3f2a6568557d054c286f208 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 22:51:01 +0800 +Subject: smb/server: call ksmbd_session_rpc_close() on error path in + create_smb2_pipe() + +From: ZhangGuoDong + +[ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ] + +When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). + +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 2b59c282cda59..10d58e3094423 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2291,7 +2291,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + { + struct smb2_create_rsp *rsp; + struct smb2_create_req *req; +- int id; ++ int id = -1; + int err; + char *name; + +@@ -2348,6 +2348,9 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + break; + } + ++ if (id >= 0) ++ ksmbd_session_rpc_close(work->sess, id); ++ + if (!IS_ERR(name)) + kfree(name); + +-- +2.51.0 + diff --git a/queue-6.18/smb-server-fix-refcount-leak-in-parse_durable_handle.patch b/queue-6.18/smb-server-fix-refcount-leak-in-parse_durable_handle.patch new file mode 100644 index 0000000000..6484ab2f9f --- /dev/null +++ b/queue-6.18/smb-server-fix-refcount-leak-in-parse_durable_handle.patch @@ -0,0 +1,36 @@ +From 84b938fcd241952706ca29363fbc6414a645833e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 10:13:29 +0800 +Subject: smb/server: fix refcount leak in parse_durable_handle_context() + +From: ZhangGuoDong + +[ Upstream commit 3296c3012a9d9a27e81e34910384e55a6ff3cff0 ] + +When the command is a replay operation and -ENOEXEC is returned, +the refcount of ksmbd_file must be released. + +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 244a5665f26df..470b274f4cc98 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2822,6 +2822,7 @@ static int parse_durable_handle_context(struct ksmbd_work *work, + SMB2_CLIENT_GUID_SIZE)) { + if (!(req->hdr.Flags & SMB2_FLAGS_REPLAY_OPERATION)) { + err = -ENOEXEC; ++ ksmbd_put_durable_fd(dh_info->fp); + goto out; + } + +-- +2.51.0 + diff --git a/queue-6.18/smb-server-fix-refcount-leak-in-smb2_open.patch b/queue-6.18/smb-server-fix-refcount-leak-in-smb2_open.patch new file mode 100644 index 0000000000..e7eaca466c --- /dev/null +++ b/queue-6.18/smb-server-fix-refcount-leak-in-smb2_open.patch @@ -0,0 +1,41 @@ +From 2f2f2639252ad7897f6bcaf6a588a54c8736fc4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 11:15:18 +0800 +Subject: smb/server: fix refcount leak in smb2_open() + +From: ZhangGuoDong + +[ Upstream commit f416c556997aa56ec4384c6b6efd6a0e6ac70aa7 ] + +When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file +must be released. + +Suggested-by: Namjae Jeon +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 10d58e3094423..244a5665f26df 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3019,10 +3019,10 @@ int smb2_open(struct ksmbd_work *work) + file_info = FILE_OPENED; + + rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat); ++ ksmbd_put_durable_fd(fp); + if (rc) + goto err_out2; + +- ksmbd_put_durable_fd(fp); + goto reconnected_fp; + } + } else if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) +-- +2.51.0 + diff --git a/queue-6.18/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch b/queue-6.18/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch new file mode 100644 index 0000000000..1c0d8af257 --- /dev/null +++ b/queue-6.18/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch @@ -0,0 +1,49 @@ +From b9a60a9d377ca8ebad428e771fbea8b9bf2ec62b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 15:53:23 +0800 +Subject: spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi + debugfs initialization + +From: Devyn Liu + +[ Upstream commit b062a899c997df7b9ce29c62164888baa7a85833 ] + +In hisi_spi_debugfs_init, spi controller pointer is calculated +by container_of macro, and the member is hs->dev. But the host +cannot be calculated offset directly by this. (hs->dev) points +to (pdev->dev), and it is the (host->dev.parent) rather than +(host->dev) points to the (pdev->dev), which is set in +__spi_alloc_controller. + +In this patch, this issues is fixed by getting the spi_controller +data from pdev->dev by dev_get_drvdata() directly. (dev->driver_data) +points to the spi controller data in the probe stage. + +Signed-off-by: Devyn Liu +Reviewed-by: Yang Shen +Link: https://patch.msgid.link/20260108075323.3831574-1-liudingyuan@h-partners.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-hisi-kunpeng.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-hisi-kunpeng.c b/drivers/spi/spi-hisi-kunpeng.c +index dadf558dd9c0c..80a1a15de0bc3 100644 +--- a/drivers/spi/spi-hisi-kunpeng.c ++++ b/drivers/spi/spi-hisi-kunpeng.c +@@ -161,10 +161,8 @@ static const struct debugfs_reg32 hisi_spi_regs[] = { + static int hisi_spi_debugfs_init(struct hisi_spi *hs) + { + char name[32]; ++ struct spi_controller *host = dev_get_drvdata(hs->dev); + +- struct spi_controller *host; +- +- host = container_of(hs->dev, struct spi_controller, dev); + snprintf(name, 32, "hisi_spi%d", host->bus_num); + hs->debugfs = debugfs_create_dir(name, NULL); + if (IS_ERR(hs->debugfs)) +-- +2.51.0 + diff --git a/queue-6.18/spi-intel-pci-add-support-for-nova-lake-spi-serial-f.patch b/queue-6.18/spi-intel-pci-add-support-for-nova-lake-spi-serial-f.patch new file mode 100644 index 0000000000..ff02817790 --- /dev/null +++ b/queue-6.18/spi-intel-pci-add-support-for-nova-lake-spi-serial-f.patch @@ -0,0 +1,37 @@ +From 849697db6caea194d61029a09a8e65b5763ff8bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 13:03:05 +0100 +Subject: spi: intel-pci: Add support for Nova Lake SPI serial flash + +From: Alan Borzeszkowski + +[ Upstream commit caa329649259d0f90c0056c9860ca659d4ba3211 ] + +Add Intel Nova Lake PCH-S SPI serial flash PCI ID to the list of +supported devices. This is the same controller found in previous +generations. + +Signed-off-by: Alan Borzeszkowski +Acked-by: Mika Westerberg +Link: https://patch.msgid.link/20260115120305.10080-1-alan.borzeszkowski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-intel-pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-intel-pci.c b/drivers/spi/spi-intel-pci.c +index b8c572394aac2..bce3d149bea18 100644 +--- a/drivers/spi/spi-intel-pci.c ++++ b/drivers/spi/spi-intel-pci.c +@@ -81,6 +81,7 @@ static const struct pci_device_id intel_spi_pci_ids[] = { + { PCI_VDEVICE(INTEL, 0x54a4), (unsigned long)&cnl_info }, + { PCI_VDEVICE(INTEL, 0x5794), (unsigned long)&cnl_info }, + { PCI_VDEVICE(INTEL, 0x5825), (unsigned long)&cnl_info }, ++ { PCI_VDEVICE(INTEL, 0x6e24), (unsigned long)&cnl_info }, + { PCI_VDEVICE(INTEL, 0x7723), (unsigned long)&cnl_info }, + { PCI_VDEVICE(INTEL, 0x7a24), (unsigned long)&cnl_info }, + { PCI_VDEVICE(INTEL, 0x7aa4), (unsigned long)&cnl_info }, +-- +2.51.0 + diff --git a/queue-6.18/tipc-use-kfree_sensitive-for-session-key-material.patch b/queue-6.18/tipc-use-kfree_sensitive-for-session-key-material.patch new file mode 100644 index 0000000000..b0339e4949 --- /dev/null +++ b/queue-6.18/tipc-use-kfree_sensitive-for-session-key-material.patch @@ -0,0 +1,51 @@ +From 803c71cbed71464215f0cedd7d5e0247d30a3aa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 10:01:14 -0800 +Subject: tipc: use kfree_sensitive() for session key material + +From: Daniel Hodges + +[ Upstream commit 74d9391e8849e70ded5309222d09b0ed0edbd039 ] + +The rx->skey field contains a struct tipc_aead_key with GCM-AES +encryption keys used for TIPC cluster communication. Using plain +kfree() leaves this sensitive key material in freed memory pages +where it could potentially be recovered. + +Switch to kfree_sensitive() to ensure the key material is zeroed +before the memory is freed. + +Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange") +Signed-off-by: Daniel Hodges +Link: https://patch.msgid.link/20260131180114.2121438-1-hodgesd@meta.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 751904f10aab0..970db62bd029b 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1219,7 +1219,7 @@ void tipc_crypto_key_flush(struct tipc_crypto *c) + rx = c; + tx = tipc_net(rx->net)->crypto_tx; + if (cancel_delayed_work(&rx->work)) { +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + atomic_xchg(&rx->key_distr, 0); + tipc_node_put(rx->node); +@@ -2394,7 +2394,7 @@ static void tipc_crypto_work_rx(struct work_struct *work) + break; + default: + synchronize_rcu(); +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + break; + } +-- +2.51.0 + diff --git a/queue-6.18/tracing-avoid-possible-signed-64-bit-truncation.patch b/queue-6.18/tracing-avoid-possible-signed-64-bit-truncation.patch new file mode 100644 index 0000000000..9ceeaebfac --- /dev/null +++ b/queue-6.18/tracing-avoid-possible-signed-64-bit-truncation.patch @@ -0,0 +1,47 @@ +From f949ee4e2d7dcc18f408f5eaf81952e796e17511 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 16:26:25 -0800 +Subject: tracing: Avoid possible signed 64-bit truncation + +From: Ian Rogers + +[ Upstream commit 00f13e28a9c3acd40f0551cde7e9d2d1a41585bf ] + +64-bit truncation to 32-bit can result in the sign of the truncated +value changing. The cmp_mod_entry is used in bsearch and so the +truncation could result in an invalid search order. This would only +happen were the addresses more than 2GB apart and so unlikely, but +let's fix the potentially broken compare anyway. + +Cc: Mathieu Desnoyers +Link: https://patch.msgid.link/20260108002625.333331-1-irogers@google.com +Signed-off-by: Ian Rogers +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 142e3b737f0bc..907923d5f8bbb 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6061,10 +6061,10 @@ static int cmp_mod_entry(const void *key, const void *pivot) + unsigned long addr = (unsigned long)key; + const struct trace_mod_entry *ent = pivot; + +- if (addr >= ent[0].mod_addr && addr < ent[1].mod_addr) +- return 0; +- else +- return addr - ent->mod_addr; ++ if (addr < ent[0].mod_addr) ++ return -1; ++ ++ return addr >= ent[1].mod_addr; + } + + /** +-- +2.51.0 + diff --git a/queue-6.18/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch b/queue-6.18/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch new file mode 100644 index 0000000000..4693c1cd44 --- /dev/null +++ b/queue-6.18/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch @@ -0,0 +1,59 @@ +From dc25be2ee68d571c91bd4dcbcea519c5a31f16f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:30:04 +0530 +Subject: wifi: cfg80211: Fix bitrate calculation overflow for HE rates + +From: Veerendranath Jakkam + +[ Upstream commit a3034bf0746d88a00cceda9541534a5721445a24 ] + +An integer overflow occurs in cfg80211_calculate_bitrate_he() when +calculating bitrates for high throughput HE configurations. +For example, with 160 MHz bandwidth, HE-MCS 13, HE-NSS 4, and HE-GI 0, +the multiplication (result * rate->nss) overflows the 32-bit 'result' +variable before division by 8, leading to significantly underestimated +bitrate values. + +The overflow occurs because the NSS multiplication operates on a 32-bit +integer that cannot accommodate intermediate values exceeding +4,294,967,295. When overflow happens, the value wraps around, producing +incorrect bitrates for high MCS and NSS combinations. + +Fix this by utilizing the 64-bit 'tmp' variable for the NSS +multiplication and subsequent divisions via do_div(). This approach +preserves full precision throughout the entire calculation, with the +final value assigned to 'result' only after completing all operations. + +Signed-off-by: Veerendranath Jakkam +Link: https://patch.msgid.link/20260109-he_bitrate_overflow-v1-1-95575e466b6e@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 4eb028ad16836..81d6d27d273cc 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1561,12 +1561,14 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate) + tmp = result; + tmp *= SCALE; + do_div(tmp, mcs_divisors[rate->mcs]); +- result = tmp; + + /* and take NSS, DCM into account */ +- result = (result * rate->nss) / 8; ++ tmp *= rate->nss; ++ do_div(tmp, 8); + if (rate->he_dcm) +- result /= 2; ++ do_div(tmp, 2); ++ ++ result = tmp; + + return result / 10000; + } +-- +2.51.0 + diff --git a/queue-6.18/wifi-iwlwifi-implement-settime64-as-stub-for-mvm-mld.patch b/queue-6.18/wifi-iwlwifi-implement-settime64-as-stub-for-mvm-mld.patch new file mode 100644 index 0000000000..444dcbbc70 --- /dev/null +++ b/queue-6.18/wifi-iwlwifi-implement-settime64-as-stub-for-mvm-mld.patch @@ -0,0 +1,95 @@ +From cea8b4c5f6cd4a2eb62fdad8cd138df7737e9649 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 12:32:04 +0000 +Subject: wifi: iwlwifi: Implement settime64 as stub for MVM/MLD PTP + +From: Yao Zi + +[ Upstream commit 81d90d93d22ca4f61833cba921dce9a0bd82218f ] + +Since commit dfb073d32cac ("ptp: Return -EINVAL on ptp_clock_register if +required ops are NULL"), PTP clock registered through ptp_clock_register +is required to have ptp_clock_info.settime64 set, however, neither MVM +nor MLD's PTP clock implementation sets it, resulting in warnings when +the interface starts up, like + +WARNING: drivers/ptp/ptp_clock.c:325 at ptp_clock_register+0x2c8/0x6b8, CPU#1: wpa_supplicant/469 +CPU: 1 UID: 0 PID: 469 Comm: wpa_supplicant Not tainted 6.18.0+ #101 PREEMPT(full) +ra: ffff800002732cd4 iwl_mvm_ptp_init+0x114/0x188 [iwlmvm] +ERA: 9000000002fdc468 ptp_clock_register+0x2c8/0x6b8 +iwlwifi 0000:01:00.0: Failed to register PHC clock (-22) + +I don't find an appropriate firmware interface to implement settime64() +for iwlwifi MLD/MVM, thus instead create a stub that returns +-EOPTNOTSUPP only, suppressing the warning and allowing the PTP clock to +be registered. + +Reported-by: Nathan Chancellor +Closes: https://lore.kernel.org/all/20251108044822.GA3262936@ax162/ +Signed-off-by: Yao Zi +Tested-by: Nathan Chancellor +Reviewed-by: Simon Horman +tested-by: damian Tometzki damian@riscv-rocks.de +Tested-by: Oliver Hartkopp +Acked-by: Miri Korenblit +Link: https://patch.msgid.link/20251204123204.9316-1-ziyao@disroot.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 7 +++++++ + drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c +index ffeb37a7f830e..231920425c066 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c ++++ b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c +@@ -121,6 +121,12 @@ static int iwl_mld_ptp_gettime(struct ptp_clock_info *ptp, + return 0; + } + ++static int iwl_mld_ptp_settime(struct ptp_clock_info *ptp, ++ const struct timespec64 *ts) ++{ ++ return -EOPNOTSUPP; ++} ++ + static int iwl_mld_ptp_adjtime(struct ptp_clock_info *ptp, s64 delta) + { + struct iwl_mld *mld = container_of(ptp, struct iwl_mld, +@@ -279,6 +285,7 @@ void iwl_mld_ptp_init(struct iwl_mld *mld) + + mld->ptp_data.ptp_clock_info.owner = THIS_MODULE; + mld->ptp_data.ptp_clock_info.gettime64 = iwl_mld_ptp_gettime; ++ mld->ptp_data.ptp_clock_info.settime64 = iwl_mld_ptp_settime; + mld->ptp_data.ptp_clock_info.max_adj = 0x7fffffff; + mld->ptp_data.ptp_clock_info.adjtime = iwl_mld_ptp_adjtime; + mld->ptp_data.ptp_clock_info.adjfine = iwl_mld_ptp_adjfine; +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c +index 06a4c9f74797a..ad156b82eaa94 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c +@@ -220,6 +220,12 @@ static int iwl_mvm_ptp_gettime(struct ptp_clock_info *ptp, + return 0; + } + ++static int iwl_mvm_ptp_settime(struct ptp_clock_info *ptp, ++ const struct timespec64 *ts) ++{ ++ return -EOPNOTSUPP; ++} ++ + static int iwl_mvm_ptp_adjtime(struct ptp_clock_info *ptp, s64 delta) + { + struct iwl_mvm *mvm = container_of(ptp, struct iwl_mvm, +@@ -281,6 +287,7 @@ void iwl_mvm_ptp_init(struct iwl_mvm *mvm) + mvm->ptp_data.ptp_clock_info.adjfine = iwl_mvm_ptp_adjfine; + mvm->ptp_data.ptp_clock_info.adjtime = iwl_mvm_ptp_adjtime; + mvm->ptp_data.ptp_clock_info.gettime64 = iwl_mvm_ptp_gettime; ++ mvm->ptp_data.ptp_clock_info.settime64 = iwl_mvm_ptp_settime; + mvm->ptp_data.scaled_freq = SCALE_FACTOR; + + /* Give a short 'friendly name' to identify the PHC clock */ +-- +2.51.0 + diff --git a/queue-6.18/wifi-iwlwifi-mld-cancel-mlo_scan_start_wk.patch b/queue-6.18/wifi-iwlwifi-mld-cancel-mlo_scan_start_wk.patch new file mode 100644 index 0000000000..0a1dda3c75 --- /dev/null +++ b/queue-6.18/wifi-iwlwifi-mld-cancel-mlo_scan_start_wk.patch @@ -0,0 +1,58 @@ +From b4cf59d45e1dc3341b61c1861595b7318e12a80d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 21:27:09 +0200 +Subject: wifi: iwlwifi: mld: cancel mlo_scan_start_wk + +From: Miri Korenblit + +[ Upstream commit 5ff641011ab7fb63ea101251087745d9826e8ef5 ] + +mlo_scan_start_wk is not canceled on disconnection. In fact, it is not +canceled anywhere except in the restart cleanup, where we don't really +have to. + +This can cause an init-after-queue issue: if, for example, the work was +queued and then drv_change_interface got executed. + +This can also cause use-after-free: if the work is executed after the +vif is freed. + +Fixes: 9748ad82a9d9 ("wifi: iwlwifi: defer MLO scan after link activation") +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260129212650.a36482a60719.I5bf64a108ca39dacb5ca0dcd8b7258a3ce8db74c@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mld/iface.c | 2 -- + drivers/net/wireless/intel/iwlwifi/mld/mac80211.c | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mld/iface.c b/drivers/net/wireless/intel/iwlwifi/mld/iface.c +index ed379825a9236..240ce19996b34 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mld/iface.c ++++ b/drivers/net/wireless/intel/iwlwifi/mld/iface.c +@@ -55,8 +55,6 @@ void iwl_mld_cleanup_vif(void *data, u8 *mac, struct ieee80211_vif *vif) + + ieee80211_iter_keys(mld->hw, vif, iwl_mld_cleanup_keys_iter, NULL); + +- wiphy_delayed_work_cancel(mld->wiphy, &mld_vif->mlo_scan_start_wk); +- + CLEANUP_STRUCT(mld_vif); + } + +diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c +index 5725104a53bf0..2a7e7417d7d84 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c +@@ -1755,6 +1755,8 @@ static int iwl_mld_move_sta_state_down(struct iwl_mld *mld, + wiphy_work_cancel(mld->wiphy, &mld_vif->emlsr.unblock_tpt_wk); + wiphy_delayed_work_cancel(mld->wiphy, + &mld_vif->emlsr.check_tpt_wk); ++ wiphy_delayed_work_cancel(mld->wiphy, ++ &mld_vif->mlo_scan_start_wk); + + iwl_mld_reset_cca_40mhz_workaround(mld, vif); + iwl_mld_smps_workaround(mld, vif, true); +-- +2.51.0 + diff --git a/queue-6.18/wifi-iwlwifi-mvm-pause-tcm-on-fast-resume.patch b/queue-6.18/wifi-iwlwifi-mvm-pause-tcm-on-fast-resume.patch new file mode 100644 index 0000000000..cd7e943805 --- /dev/null +++ b/queue-6.18/wifi-iwlwifi-mvm-pause-tcm-on-fast-resume.patch @@ -0,0 +1,59 @@ +From fea1476a7d73d493a7b8d507a734ba89dec72a7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 21:27:10 +0200 +Subject: wifi: iwlwifi: mvm: pause TCM on fast resume + +From: Miri Korenblit + +[ Upstream commit fb7f54aa2a99b07945911152c5d3d4a6eb39f797 ] + +Not pausing it means that we can have the TCM work queued into a +non-freezable workqueue, which, in resume, is re-activated before the +driver's resume is called. +The TCM work might send commands to the FW before we resumed the device, +leading to an assert. + +Closes: https://lore.kernel.org/linux-wireless/aTDoDiD55qlUZ0pn@debian.local/ +Tested-by: Chris Bainbridge +Fixes: e8bb19c1d590 ("wifi: iwlwifi: support fast resume") +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260129212650.05621f3faedb.I44df9cf9183b5143df8078131e0d87c0fd7e1763@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +index 07f1a84c274ef..af1a45845999b 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause + /* +- * Copyright (C) 2012-2014, 2018-2025 Intel Corporation ++ * Copyright (C) 2012-2014, 2018-2026 Intel Corporation + * Copyright (C) 2013-2015 Intel Mobile Communications GmbH + * Copyright (C) 2016-2017 Intel Deutschland GmbH + */ +@@ -3239,6 +3239,8 @@ void iwl_mvm_fast_suspend(struct iwl_mvm *mvm) + + IWL_DEBUG_WOWLAN(mvm, "Starting fast suspend flow\n"); + ++ iwl_mvm_pause_tcm(mvm, true); ++ + mvm->fast_resume = true; + set_bit(IWL_MVM_STATUS_IN_D3, &mvm->status); + +@@ -3295,6 +3297,8 @@ int iwl_mvm_fast_resume(struct iwl_mvm *mvm) + mvm->trans->state = IWL_TRANS_NO_FW; + } + ++ iwl_mvm_resume_tcm(mvm); ++ + out: + clear_bit(IWL_MVM_STATUS_IN_D3, &mvm->status); + mvm->fast_resume = false; +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-collect-station-statistics-earlier-whe.patch b/queue-6.18/wifi-mac80211-collect-station-statistics-earlier-whe.patch new file mode 100644 index 0000000000..e51c9a77da --- /dev/null +++ b/queue-6.18/wifi-mac80211-collect-station-statistics-earlier-whe.patch @@ -0,0 +1,54 @@ +From d7a902406e6861fc724990b01a23f864dad920f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 10:29:07 +0800 +Subject: wifi: mac80211: collect station statistics earlier when disconnect + +From: Baochen Qiang + +[ Upstream commit a203dbeeca15a9b924f0d51f510921f4bae96801 ] + +In __sta_info_destroy_part2(), station statistics are requested after the +IEEE80211_STA_NONE -> IEEE80211_STA_NOTEXIST transition. This is +problematic because the driver may be unable to handle the request due to +the STA being in the NOTEXIST state (i.e. if the driver destroys the +underlying data when transitioning to NOTEXIST). + +Move the statistics collection to before the state transition to avoid +this issue. + +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20251222-mac80211-move-station-stats-collection-earlier-v1-1-12cd4e42c633@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index f4d3b67fda062..1a995bc301b19 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1533,6 +1533,10 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc) + } + } + ++ sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); ++ if (sinfo) ++ sta_set_sinfo(sta, sinfo, true); ++ + if (sta->uploaded) { + ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE, + IEEE80211_STA_NOTEXIST); +@@ -1541,9 +1545,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc) + + sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr); + +- sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); +- if (sinfo) +- sta_set_sinfo(sta, sinfo, true); + cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL); + kfree(sinfo); + +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-correctly-check-if-csa-is-active.patch b/queue-6.18/wifi-mac80211-correctly-check-if-csa-is-active.patch new file mode 100644 index 0000000000..2f56032bd9 --- /dev/null +++ b/queue-6.18/wifi-mac80211-correctly-check-if-csa-is-active.patch @@ -0,0 +1,52 @@ +From 987c6289db9a35326ffa420b8ca35a39ef9496de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Jan 2026 19:19:30 +0200 +Subject: wifi: mac80211: correctly check if CSA is active + +From: Miri Korenblit + +[ Upstream commit db1d0b6ab11f612ea8a327663a578c8946efeee9 ] + +We are not adding an interface if an existing one is doing CSA. +But the check won't work for MLO station interfaces, since for those, +vif->bss_conf is zeroed out. +Fix this by checking if any link of the vif has an active CSA. + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260111191912.7ceff62fc561.Ia38d27f42684d1cfd82d930d232bd5dea6ab9282@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/iface.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 0ca55b9655a7f..72c129478da08 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -350,6 +350,8 @@ static int ieee80211_check_concurrent_iface(struct ieee80211_sub_if_data *sdata, + /* we hold the RTNL here so can safely walk the list */ + list_for_each_entry(nsdata, &local->interfaces, list) { + if (nsdata != sdata && ieee80211_sdata_running(nsdata)) { ++ struct ieee80211_link_data *link; ++ + /* + * Only OCB and monitor mode may coexist + */ +@@ -376,8 +378,10 @@ static int ieee80211_check_concurrent_iface(struct ieee80211_sub_if_data *sdata, + * will not add another interface while any channel + * switch is active. + */ +- if (nsdata->vif.bss_conf.csa_active) +- return -EBUSY; ++ for_each_link_data(nsdata, link) { ++ if (link->conf->csa_active) ++ return -EBUSY; ++ } + + /* + * The remaining checks are only performed for interfaces +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch b/queue-6.18/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch new file mode 100644 index 0000000000..50015a44fd --- /dev/null +++ b/queue-6.18/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch @@ -0,0 +1,49 @@ +From 7630b9132a4a332504a2e786d6435221908ab381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 09:28:29 +0200 +Subject: wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice + +From: Miri Korenblit + +[ Upstream commit 3f3d8ff31496874a69b131866f62474eb24ed20a ] + +In reconfig, in case the driver asks to disconnect during the reconfig, +all the keys of the interface are marked as tainted. +Then ieee80211_reenable_keys will loop over all the interface keys, and +for each one it will +a) increment crypto_tx_tailroom_needed_cnt +b) call ieee80211_key_enable_hw_accel, which in turn will detect that +this key is tainted, so it will mark it as "not in hardware", which is +paired with crypto_tx_tailroom_needed_cnt incrementation, so we get two +incrementations for each tainted key. +Then we get a warning in ieee80211_free_keys. + +To fix it, don't increment the count in ieee80211_reenable_keys for +tainted keys + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260118092821.4ca111fddcda.Id6e554f4b1c83760aa02d5a9e4e3080edb197aa2@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index d5da7ccea66e0..04c8809173d7f 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -987,7 +987,8 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata) + + if (ieee80211_sdata_running(sdata)) { + list_for_each_entry(key, &sdata->key_list, list) { +- increment_tailroom_need_count(sdata); ++ if (!(key->flags & KEY_FLAG_TAINTED)) ++ increment_tailroom_need_count(sdata); + ieee80211_key_enable_hw_accel(key); + } + } +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-don-t-warn-for-connections-on-invalid-.patch b/queue-6.18/wifi-mac80211-don-t-warn-for-connections-on-invalid-.patch new file mode 100644 index 0000000000..ac5e28288a --- /dev/null +++ b/queue-6.18/wifi-mac80211-don-t-warn-for-connections-on-invalid-.patch @@ -0,0 +1,46 @@ +From ce839958a646ce3b15b22b50cd9dd0688aab63c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 10:25:11 +0100 +Subject: wifi: mac80211: don't WARN for connections on invalid channels + +From: Johannes Berg + +[ Upstream commit 99067b58a408a384d2a45c105eb3dce980a862ce ] + +It's not clear (to me) how exactly syzbot managed to hit this, +but it seems conceivable that e.g. regulatory changed and has +disabled a channel between scanning (channel is checked to be +usable by cfg80211_get_ies_channel_number) and connecting on +the channel later. + +With one scenario that isn't covered elsewhere described above, +the warning isn't good, replace it with a (more informative) +error message. + +Reported-by: syzbot+639af5aa411f2581ad38@syzkaller.appspotmail.com +Link: https://patch.msgid.link/20251202102511.5a8fb5184fa3.I961ee41b8f10538a54b8565dbf03ec1696e80e03@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index dca47a533392a..8ba199cd38c0f 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1126,7 +1126,10 @@ ieee80211_determine_chan_mode(struct ieee80211_sub_if_data *sdata, + + while (!ieee80211_chandef_usable(sdata, &chanreq->oper, + IEEE80211_CHAN_DISABLED)) { +- if (WARN_ON(chanreq->oper.width == NL80211_CHAN_WIDTH_20_NOHT)) { ++ if (chanreq->oper.width == NL80211_CHAN_WIDTH_20_NOHT) { ++ link_id_info(sdata, link_id, ++ "unusable channel (%d MHz) for connection\n", ++ chanreq->oper.chan->center_freq); + ret = -EINVAL; + goto free; + } +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch b/queue-6.18/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch new file mode 100644 index 0000000000..7f5c866dea --- /dev/null +++ b/queue-6.18/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch @@ -0,0 +1,44 @@ +From f509205c2a8510e388ef1fb22087cebe4526839a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 19:59:32 -0800 +Subject: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined + +From: Moon Hee Lee + +[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ] + +ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only +present after JOIN_OCB. + +RX may run before JOIN_OCB is executed, in which case the OCB interface +is not operational. Skip RX peer handling when the interface is not +joined to avoid warnings in the RX path. + +Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054 +Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Signed-off-by: Moon Hee Lee +Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ocb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c +index a5d4358f122ae..ebb4f4d88c237 100644 +--- a/net/mac80211/ocb.c ++++ b/net/mac80211/ocb.c +@@ -47,6 +47,9 @@ void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata, + struct sta_info *sta; + int band; + ++ if (!ifocb->joined) ++ return; ++ + /* XXX: Consider removing the least recently used entry and + * allow new one to be added. + */ +-- +2.51.0 + diff --git a/queue-6.18/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch b/queue-6.18/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch new file mode 100644 index 0000000000..3243cdd0d1 --- /dev/null +++ b/queue-6.18/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch @@ -0,0 +1,42 @@ +From 3a22545190c9b13eabca3d216e8f4c31e5e43cf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 08:57:08 +0100 +Subject: wifi: wlcore: ensure skb headroom before skb_push +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Åstrand + +[ Upstream commit e75665dd096819b1184087ba5718bd93beafff51 ] + +This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is +less than needed (typically 110 - 94 = 16 bytes). + +Signed-off-by: Peter Astrand +Link: https://patch.msgid.link/097bd417-e1d7-acd4-be05-47b199075013@lysator.liu.se +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index 464587d16ab20..f251627c24c6e 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -207,6 +207,11 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + total_blocks = wlcore_hw_calc_tx_blocks(wl, total_len, spare_blocks); + + if (total_blocks <= wl->tx_blocks_available) { ++ if (skb_headroom(skb) < (total_len - skb->len) && ++ pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { ++ wl1271_free_tx_id(wl, id); ++ return -EAGAIN; ++ } + desc = skb_push(skb, total_len - skb->len); + + wlcore_hw_set_tx_desc_blocks(wl, desc, total_blocks, +-- +2.51.0 + diff --git a/queue-6.18/x86-sev-disable-gcov-on-noinstr-object.patch b/queue-6.18/x86-sev-disable-gcov-on-noinstr-object.patch new file mode 100644 index 0000000000..a1047599fd --- /dev/null +++ b/queue-6.18/x86-sev-disable-gcov-on-noinstr-object.patch @@ -0,0 +1,43 @@ +From fe48b30709acd5893f203f0f1d7a110ae146e4f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 10:16:36 +0000 +Subject: x86/sev: Disable GCOV on noinstr object + +From: Brendan Jackman + +[ Upstream commit 9efb74f84ba82a9de81fc921baf3c5e2decf8256 ] + +With Debian clang version 19.1.7 (3+build5) there are calls to +kasan_check_write() from __sev_es_nmi_complete(), which violates noinstr. Fix +it by disabling GCOV for the noinstr object, as has been done for previous +such instrumentation issues. + +Note that this file already disables __SANITIZE_ADDRESS__ and +__SANITIZE_THREAD__, thus calls like kasan_check_write() ought to be nops +regardless of GCOV. This has been fixed in other patches. However, to avoid +any other accidental instrumentation showing up, (and since, in principle GCOV +is instrumentation and hence should be disabled for noinstr code anyway), +disable GCOV overall as well. + +Signed-off-by: Brendan Jackman +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Marco Elver +Link: https://patch.msgid.link/20251216-gcov-inline-noinstr-v3-3-10244d154451@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/coco/sev/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/coco/sev/Makefile b/arch/x86/coco/sev/Makefile +index 3b8ae214a6a64..b2e9ec2f69014 100644 +--- a/arch/x86/coco/sev/Makefile ++++ b/arch/x86/coco/sev/Makefile +@@ -8,3 +8,5 @@ UBSAN_SANITIZE_noinstr.o := n + # GCC may fail to respect __no_sanitize_address or __no_kcsan when inlining + KASAN_SANITIZE_noinstr.o := n + KCSAN_SANITIZE_noinstr.o := n ++ ++GCOV_PROFILE_noinstr.o := n +-- +2.51.0 + diff --git a/queue-6.6/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch b/queue-6.6/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch new file mode 100644 index 0000000000..6cc9d53552 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch @@ -0,0 +1,37 @@ +From 01aec0212db606f1372d78e31de80dc7cc4cc489 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 02:53:36 +0300 +Subject: ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk + +From: Ruslan Krupitsa + +[ Upstream commit 9ed7a28225af02b74f61e7880d460db49db83758 ] + +HP Laptop 15s-eq1xxx with ALC236 codec does not enable the +mute LED automatically. This patch adds a quirk entry for +subsystem ID 0x8706 using the ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 +fixup, enabling correct mute LED behavior. + +Signed-off-by: Ruslan Krupitsa +Link: https://patch.msgid.link/AS8P194MB112895B8EC2D87D53A876085BBBAA@AS8P194MB1128.EURP194.PROD.OUTLOOK.COM +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 65c9d47f03af5..e7f6bba3e02b3 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10085,6 +10085,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x863e, "HP Spectre x360 15-df1xxx", ALC285_FIXUP_HP_SPECTRE_X360_DF1), + SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1), + SND_PCI_QUIRK(0x103c, 0x86f9, "HP Spectre x360 13-aw0xxx", ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED), ++ SND_PCI_QUIRK(0x103c, 0x8706, "HP Laptop 15s-eq1xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), +-- +2.51.0 + diff --git a/queue-6.6/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch b/queue-6.6/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch new file mode 100644 index 0000000000..4bb39527a7 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch @@ -0,0 +1,39 @@ +From d368f19de4c3edb69d9dde2a77a274b275645ea3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 16:15:55 +0100 +Subject: ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU + +From: Tim Guttzeit + +[ Upstream commit b48fe9af1e60360baf09ca6b7a3cd6541f16e611 ] + +Add a PCI quirk to enable microphone detection on the headphone jack of +TongFang X6AR55xU devices. + +Signed-off-by: Tim Guttzeit +Signed-off-by: Werner Sembach +Link: https://patch.msgid.link/20260119151626.35481-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index e7f6bba3e02b3..908672bab29e3 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11101,6 +11101,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x12, 0x90a60140}, + {0x19, 0x04a11030}, + {0x21, 0x04211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0274, 0x1d05, "TongFang", ALC274_FIXUP_HP_HEADSET_MIC, ++ {0x17, 0x90170110}, ++ {0x19, 0x03a11030}, ++ {0x21, 0x03211020}), + SND_HDA_PIN_QUIRK(0x10ec0282, 0x1025, "Acer", ALC282_FIXUP_ACER_DISABLE_LINEOUT, + ALC282_STANDARD_PINS, + {0x12, 0x90a609c0}, +-- +2.51.0 + diff --git a/queue-6.6/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch b/queue-6.6/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch new file mode 100644 index 0000000000..a64046190b --- /dev/null +++ b/queue-6.6/asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch @@ -0,0 +1,37 @@ +From a4e23874a78dcfb9fa50e9756bb2be867665ee1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 20:50:33 +0000 +Subject: ASoC: amd: fix memory leak in acp3x pdm dma ops + +From: Chris Bainbridge + +[ Upstream commit 7f67ba5413f98d93116a756e7f17cd2c1d6c2bd6 ] + +Fixes: 4a767b1d039a8 ("ASoC: amd: add acp3x pdm driver dma ops") +Signed-off-by: Chris Bainbridge +Link: https://patch.msgid.link/20260202205034.7697-1-chris.bainbridge@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/renoir/acp3x-pdm-dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/amd/renoir/acp3x-pdm-dma.c b/sound/soc/amd/renoir/acp3x-pdm-dma.c +index c3b47e9bd2392..39223ff37b14e 100644 +--- a/sound/soc/amd/renoir/acp3x-pdm-dma.c ++++ b/sound/soc/amd/renoir/acp3x-pdm-dma.c +@@ -301,9 +301,11 @@ static int acp_pdm_dma_close(struct snd_soc_component *component, + struct snd_pcm_substream *substream) + { + struct pdm_dev_data *adata = dev_get_drvdata(component->dev); ++ struct pdm_stream_instance *rtd = substream->runtime->private_data; + + disable_pdm_interrupts(adata->acp_base); + adata->capture_stream = NULL; ++ kfree(rtd); + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.6/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch b/queue-6.6/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch new file mode 100644 index 0000000000..71a4379f18 --- /dev/null +++ b/queue-6.6/asoc-amd-yc-fix-microphone-on-asus-m6500re.patch @@ -0,0 +1,41 @@ +From 5443eb566219d28e8257163c37bbbc8a13b8506b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 21:38:14 +0100 +Subject: ASoC: amd: yc: Fix microphone on ASUS M6500RE + +From: Radhi Bajahaw + +[ Upstream commit 8e29db1b08808f709231e6fd4c79dcdee5b17a17 ] + +Add DMI match for ASUSTeK COMPUTER INC. M6500RE to enable the +internal microphone. + +Signed-off-by: Radhi Bajahaw +Link: https://patch.msgid.link/20260112203814.155-1-bajahawradhi@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 00e4ffeb6fb00..b0456be5d921a 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -409,6 +409,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "M6500RC"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "M6500RE"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.51.0 + diff --git a/queue-6.6/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch b/queue-6.6/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch new file mode 100644 index 0000000000..b528e48483 --- /dev/null +++ b/queue-6.6/asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch @@ -0,0 +1,113 @@ +From c2db87b739e37a285c3c64e33607f1de22d79af9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 23:48:37 +0800 +Subject: ASoC: davinci-evm: Fix reference leak in davinci_evm_probe + +From: Kery Qi + +[ Upstream commit 5b577d214fcc109707bcb77b4ae72a31cfd86798 ] + +The davinci_evm_probe() function calls of_parse_phandle() to acquire +device nodes for "ti,audio-codec" and "ti,mcasp-controller". These +functions return device nodes with incremented reference counts. + +However, in several error paths (e.g., when the second of_parse_phandle(), +snd_soc_of_parse_card_name(), or devm_snd_soc_register_card() fails), +the function returns directly without releasing the acquired nodes, +leading to reference leaks. + +This patch adds an error handling path 'err_put' to properly release +the device nodes using of_node_put() and clean up the pointers when +an error occurs. + +Signed-off-by: Kery Qi +Link: https://patch.msgid.link/20260107154836.1521-2-qikeyu2017@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/davinci-evm.c | 39 ++++++++++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/ti/davinci-evm.c b/sound/soc/ti/davinci-evm.c +index 544cb3da50eb0..7cf900289dc79 100644 +--- a/sound/soc/ti/davinci-evm.c ++++ b/sound/soc/ti/davinci-evm.c +@@ -196,27 +196,32 @@ static int davinci_evm_probe(struct platform_device *pdev) + return -EINVAL; + + dai->cpus->of_node = of_parse_phandle(np, "ti,mcasp-controller", 0); +- if (!dai->cpus->of_node) +- return -EINVAL; ++ if (!dai->cpus->of_node) { ++ ret = -EINVAL; ++ goto err_put; ++ } + + dai->platforms->of_node = dai->cpus->of_node; + + evm_soc_card.dev = &pdev->dev; + ret = snd_soc_of_parse_card_name(&evm_soc_card, "ti,model"); + if (ret) +- return ret; ++ goto err_put; + + mclk = devm_clk_get(&pdev->dev, "mclk"); + if (PTR_ERR(mclk) == -EPROBE_DEFER) { +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto err_put; + } else if (IS_ERR(mclk)) { + dev_dbg(&pdev->dev, "mclk not found.\n"); + mclk = NULL; + } + + drvdata = devm_kzalloc(&pdev->dev, sizeof(*drvdata), GFP_KERNEL); +- if (!drvdata) +- return -ENOMEM; ++ if (!drvdata) { ++ ret = -ENOMEM; ++ goto err_put; ++ } + + drvdata->mclk = mclk; + +@@ -226,7 +231,8 @@ static int davinci_evm_probe(struct platform_device *pdev) + if (!drvdata->mclk) { + dev_err(&pdev->dev, + "No clock or clock rate defined.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put; + } + drvdata->sysclk = clk_get_rate(drvdata->mclk); + } else if (drvdata->mclk) { +@@ -242,8 +248,25 @@ static int davinci_evm_probe(struct platform_device *pdev) + snd_soc_card_set_drvdata(&evm_soc_card, drvdata); + ret = devm_snd_soc_register_card(&pdev->dev, &evm_soc_card); + +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "snd_soc_register_card failed (%d)\n", ret); ++ goto err_put; ++ } ++ ++ return ret; ++ ++err_put: ++ dai->platforms->of_node = NULL; ++ ++ if (dai->cpus->of_node) { ++ of_node_put(dai->cpus->of_node); ++ dai->cpus->of_node = NULL; ++ } ++ ++ if (dai->codecs->of_node) { ++ of_node_put(dai->codecs->of_node); ++ dai->codecs->of_node = NULL; ++ } + + return ret; + } +-- +2.51.0 + diff --git a/queue-6.6/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch b/queue-6.6/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch new file mode 100644 index 0000000000..e3cb2d1fc7 --- /dev/null +++ b/queue-6.6/asoc-tlv320adcx140-propagate-error-codes-during-prob.patch @@ -0,0 +1,43 @@ +From 24087fb267b0299c1a2ef92d281ccb2a28b36c63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:46 +0100 +Subject: ASoC: tlv320adcx140: Propagate error codes during probe + +From: Dimitrios Katsaros + +[ Upstream commit d89aad92cfd15edbd704746f44c98fe687f9366f ] + +When scanning for the reset pin, we could get an -EPROBE_DEFER. +The driver would assume that no reset pin had been defined, +which would mean that the chip would never be powered. + +Now we both respect any error we get from devm_gpiod_get_optional. +We also now properly report the missing GPIO definition when +'gpio_reset' is NULL. + +Signed-off-by: Dimitrios Katsaros +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-3-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index 78d95b8be2f29..c4ffbc573412e 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -1157,6 +1157,9 @@ static int adcx140_i2c_probe(struct i2c_client *i2c) + adcx140->gpio_reset = devm_gpiod_get_optional(adcx140->dev, + "reset", GPIOD_OUT_LOW); + if (IS_ERR(adcx140->gpio_reset)) ++ return dev_err_probe(&i2c->dev, PTR_ERR(adcx140->gpio_reset), ++ "Failed to get Reset GPIO\n"); ++ if (!adcx140->gpio_reset) + dev_info(&i2c->dev, "Reset GPIO not defined\n"); + + adcx140->supply_areg = devm_regulator_get_optional(adcx140->dev, +-- +2.51.0 + diff --git a/queue-6.6/block-bfq-fix-aux-stat-accumulation-destination.patch b/queue-6.6/block-bfq-fix-aux-stat-accumulation-destination.patch new file mode 100644 index 0000000000..ded40e4559 --- /dev/null +++ b/queue-6.6/block-bfq-fix-aux-stat-accumulation-destination.patch @@ -0,0 +1,36 @@ +From 8ace708be57e90f6882e911b35da4f007a6dfbd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 21:04:26 +0800 +Subject: block,bfq: fix aux stat accumulation destination + +From: shechenglong + +[ Upstream commit 04bdb1a04d8a2a89df504c1e34250cd3c6e31a1c ] + +Route bfqg_stats_add_aux() time accumulation into the destination +stats object instead of the source, aligning with other stat fields. + +Reviewed-by: Yu Kuai +Signed-off-by: shechenglong +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index 2c90e5de0acd9..cb2a381193d13 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -380,7 +380,7 @@ static void bfqg_stats_add_aux(struct bfqg_stats *to, struct bfqg_stats *from) + blkg_rwstat_add_aux(&to->merged, &from->merged); + blkg_rwstat_add_aux(&to->service_time, &from->service_time); + blkg_rwstat_add_aux(&to->wait_time, &from->wait_time); +- bfq_stat_add_aux(&from->time, &from->time); ++ bfq_stat_add_aux(&to->time, &from->time); + bfq_stat_add_aux(&to->avg_queue_size_sum, &from->avg_queue_size_sum); + bfq_stat_add_aux(&to->avg_queue_size_samples, + &from->avg_queue_size_samples); +-- +2.51.0 + diff --git a/queue-6.6/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch b/queue-6.6/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch new file mode 100644 index 0000000000..4c4c08a4ab --- /dev/null +++ b/queue-6.6/btrfs-fix-reservation-leak-in-some-error-paths-when-.patch @@ -0,0 +1,70 @@ +From 831699198570d57164185f33d46732884a0a5d29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 17:18:25 +0000 +Subject: btrfs: fix reservation leak in some error paths when inserting inline + extent + +From: Filipe Manana + +[ Upstream commit c1c050f92d8f6aac4e17f7f2230160794fceef0c ] + +If we fail to allocate a path or join a transaction, we return from +__cow_file_range_inline() without freeing the reserved qgroup data, +resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data() +in such cases. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 68bb5079aef74..96edac307408c 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -619,7 +619,7 @@ static noinline int cow_file_range_inline(struct btrfs_inode *inode, u64 size, + struct btrfs_drop_extents_args drop_args = { 0 }; + struct btrfs_root *root = inode->root; + struct btrfs_fs_info *fs_info = root->fs_info; +- struct btrfs_trans_handle *trans; ++ struct btrfs_trans_handle *trans = NULL; + u64 data_len = (compressed_size ?: size); + int ret; + struct btrfs_path *path; +@@ -637,13 +637,16 @@ static noinline int cow_file_range_inline(struct btrfs_inode *inode, u64 size, + return 1; + + path = btrfs_alloc_path(); +- if (!path) +- return -ENOMEM; ++ if (!path) { ++ ret = -ENOMEM; ++ goto out; ++ } + + trans = btrfs_join_transaction(root); + if (IS_ERR(trans)) { +- btrfs_free_path(path); +- return PTR_ERR(trans); ++ ret = PTR_ERR(trans); ++ trans = NULL; ++ goto out; + } + trans->block_rsv = &inode->block_rsv; + +@@ -690,7 +693,8 @@ static noinline int cow_file_range_inline(struct btrfs_inode *inode, u64 size, + */ + btrfs_qgroup_free_data(inode, NULL, 0, PAGE_SIZE, NULL); + btrfs_free_path(path); +- btrfs_end_transaction(trans); ++ if (trans) ++ btrfs_end_transaction(trans); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.6/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch b/queue-6.6/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch new file mode 100644 index 0000000000..caef309c85 --- /dev/null +++ b/queue-6.6/dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch @@ -0,0 +1,47 @@ +From d43c50e73be0cc7b3c429e25fd2920f374a02f6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 00:55:13 +0800 +Subject: dpaa2-switch: add bounds check for if_id in IRQ handler + +From: Junrui Luo + +[ Upstream commit 31a7a0bbeb006bac2d9c81a2874825025214b6d8 ] + +The IRQ handler extracts if_id from the upper 16 bits of the hardware +status register and uses it to index into ethsw->ports[] without +validation. Since if_id can be any 16-bit value (0-65535) but the ports +array is only allocated with sw_attr.num_ifs elements, this can lead to +an out-of-bounds read potentially. + +Add a bounds check before accessing the array, consistent with the +existing validation in dpaa2_switch_rx(). + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 24ab724f8a46 ("dpaa2-switch: use the port index in the IRQ handler") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881D420AB43FF1A227B84AFAF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 6e3f65e3e8821..37e3224262ed4 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -1530,6 +1530,10 @@ static irqreturn_t dpaa2_switch_irq0_handler_thread(int irq_num, void *arg) + } + + if_id = (status & 0xFFFF0000) >> 16; ++ if (if_id >= ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "Invalid if_id %d in IRQ status\n", if_id); ++ goto out; ++ } + port_priv = ethsw->ports[if_id]; + + if (status & DPSW_IRQ_EVENT_LINK_CHANGED) { +-- +2.51.0 + diff --git a/queue-6.6/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch b/queue-6.6/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch new file mode 100644 index 0000000000..b9dc396d3c --- /dev/null +++ b/queue-6.6/dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch @@ -0,0 +1,55 @@ +From 2833263ed34c581c6e373d1fd2cc9b4dd07084a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 16:07:34 +0800 +Subject: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero + +From: Junrui Luo + +[ Upstream commit ed48a84a72fefb20a82dd90a7caa7807e90c6f66 ] + +The driver allocates arrays for ports, FDBs, and filter blocks using +kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the +device reports zero interfaces (either due to hardware configuration +or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) +instead of NULL. + +Later in dpaa2_switch_probe(), the NAPI initialization unconditionally +accesses ethsw->ports[0]->netdev, which attempts to dereference +ZERO_SIZE_PTR (address 0x10), resulting in a kernel panic. + +Add a check to ensure num_ifs is greater than zero after retrieving +device attributes. This prevents the zero-sized allocations and +subsequent invalid pointer dereference. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface") +Signed-off-by: Junrui Luo +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/SYBPR01MB7881BEABA8DA896947962470AF91A@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index cdab37e9634d4..6e3f65e3e8821 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2988,6 +2988,12 @@ static int dpaa2_switch_init(struct fsl_mc_device *sw_dev) + goto err_close; + } + ++ if (!ethsw->sw_attr.num_ifs) { ++ dev_err(dev, "DPSW device has no interfaces\n"); ++ err = -ENODEV; ++ goto err_close; ++ } ++ + err = dpsw_get_api_version(ethsw->mc_io, 0, + ðsw->major, + ðsw->minor); +-- +2.51.0 + diff --git a/queue-6.6/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch b/queue-6.6/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch new file mode 100644 index 0000000000..3467eb9600 --- /dev/null +++ b/queue-6.6/drm-mgag200-fix-mgag200_bmc_stop_scanout.patch @@ -0,0 +1,215 @@ +From 9294bcf9d09f1f02e406d16dd5fe8b965954863e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 16:16:39 -0800 +Subject: drm/mgag200: fix mgag200_bmc_stop_scanout() + +From: Jacob Keller + +[ Upstream commit 0e0c8f4d16de92520623aa1ea485cadbf64e6929 ] + +The mgag200_bmc_stop_scanout() function is called by the .atomic_disable() +handler for the MGA G200 VGA BMC encoder. This function performs a few +register writes to inform the BMC of an upcoming mode change, and then +polls to wait until the BMC actually stops. + +The polling is implemented using a busy loop with udelay() and an iteration +timeout of 300, resulting in the function blocking for 300 milliseconds. + +The function gets called ultimately by the output_poll_execute work thread +for the DRM output change polling thread of the mgag200 driver: + +kworker/0:0-mm_ 3528 [000] 4555.315364: + ffffffffaa0e25b3 delay_halt.part.0+0x33 + ffffffffc03f6188 mgag200_bmc_stop_scanout+0x178 + ffffffffc087ae7a disable_outputs+0x12a + ffffffffc087c12a drm_atomic_helper_commit_tail+0x1a + ffffffffc03fa7b6 mgag200_mode_config_helper_atomic_commit_tail+0x26 + ffffffffc087c9c1 commit_tail+0x91 + ffffffffc087d51b drm_atomic_helper_commit+0x11b + ffffffffc0509694 drm_atomic_commit+0xa4 + ffffffffc05105e8 drm_client_modeset_commit_atomic+0x1e8 + ffffffffc0510ce6 drm_client_modeset_commit_locked+0x56 + ffffffffc0510e24 drm_client_modeset_commit+0x24 + ffffffffc088a743 __drm_fb_helper_restore_fbdev_mode_unlocked+0x93 + ffffffffc088a683 drm_fb_helper_hotplug_event+0xe3 + ffffffffc050f8aa drm_client_dev_hotplug+0x9a + ffffffffc088555a output_poll_execute+0x29a + ffffffffa9b35924 process_one_work+0x194 + ffffffffa9b364ee worker_thread+0x2fe + ffffffffa9b3ecad kthread+0xdd + ffffffffa9a08549 ret_from_fork+0x29 + +On a server running ptp4l with the mgag200 driver loaded, we found that +ptp4l would sometimes get blocked from execution because of this busy +waiting loop. + +Every so often, approximately once every 20 minutes -- though with large +variance -- the output_poll_execute() thread would detect some sort of +change that required performing a hotplug event which results in attempting +to stop the BMC scanout, resulting in a 300msec delay on one CPU. + +On this system, ptp4l was pinned to a single CPU. When the +output_poll_execute() thread ran on that CPU, it blocked ptp4l from +executing for its 300 millisecond duration. + +This resulted in PTP service disruptions such as failure to send a SYNC +message on time, failure to handle ANNOUNCE messages on time, and clock +check warnings from the application. All of this despite the application +being configured with FIFO_RT and a higher priority than the background +workqueue tasks. (However, note that the kernel did not use +CONFIG_PREEMPT...) + +It is unclear if the event is due to a faulty VGA connection, another bug, +or actual events causing a change in the connection. At least on the system +under test it is not a one-time event and consistently causes disruption to +the time sensitive applications. + +The function has some helpful comments explaining what steps it is +attempting to take. In particular, step 3a and 3b are explained as such: + + 3a - The third step is to verify if there is an active scan. We are + waiting on a 0 on remhsyncsts (. + + 3b - This step occurs only if the remove is actually scanning. We are + waiting for the end of the frame which is a 1 on remvsyncsts + (). + +The actual steps 3a and 3b are implemented as while loops with a +non-sleeping udelay(). The first step iterates while the tmp value at +position 0 is *not* set. That is, it keeps iterating as long as the bit is +zero. If the bit is already 0 (because there is no active scan), it will +iterate the entire 300 attempts which wastes 300 milliseconds in total. +This is opposite of what the description claims. + +The step 3b logic only executes if we do not iterate over the entire 300 +attempts in the first loop. If it does trigger, it is trying to check and +wait for a 1 on the remvsyncsts. However, again the condition is actually +inverted and it will loop as long as the bit is 1, stopping once it hits +zero (rather than the explained attempt to wait until we see a 1). + +Worse, both loops are implemented using non-sleeping waits which spin +instead of allowing the scheduler to run other processes. If the kernel is +not configured to allow arbitrary preemption, it will waste valuable CPU +time doing nothing. + +There does not appear to be any documentation for the BMC register +interface, beyond what is in the comments here. It seems more probable that +the comment here is correct and the implementation accidentally got +inverted from the intended logic. + +Reading through other DRM driver implementations, it does not appear that +the .atomic_enable or .atomic_disable handlers need to delay instead of +sleep. For example, the ast_astdp_encoder_helper_atomic_disable() function +calls ast_dp_set_phy_sleep() which uses msleep(). The "atomic" in the name +is referring to the atomic modesetting support, which is the support to +enable atomic configuration from userspace, and not to the "atomic context" +of the kernel. There is no reason to use udelay() here if a sleep would be +sufficient. + +Replace the while loops with a read_poll_timeout() based implementation +that will sleep between iterations, and which stops polling once the +condition is met (instead of looping as long as the condition is met). This +aligns with the commented behavior and avoids blocking on the CPU while +doing nothing. + +Note the RREG_DAC is implemented using a statement expression to allow +working properly with the read_poll_timeout family of functions. The other +RREG_ macros ought to be cleaned up to have better semantics, and +several places in the mgag200 driver could make use of RREG_DAC or similar +RREG_* macros should likely be cleaned up for better semantics as well, but +that task has been left as a future cleanup for a non-bugfix. + +Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)") +Suggested-by: Thomas Zimmermann +Signed-off-by: Jacob Keller +Reviewed-by: Thomas Zimmermann +Reviewed-by: Jocelyn Falempe +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20260202-jk-mgag200-fix-bad-udelay-v2-1-ce1e9665987d@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mgag200/mgag200_bmc.c | 31 +++++++++++---------------- + drivers/gpu/drm/mgag200/mgag200_drv.h | 6 ++++++ + 2 files changed, 18 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/mgag200/mgag200_bmc.c b/drivers/gpu/drm/mgag200/mgag200_bmc.c +index 2ba2e3c5086a5..852a82f6309ba 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_bmc.c ++++ b/drivers/gpu/drm/mgag200/mgag200_bmc.c +@@ -1,13 +1,14 @@ + // SPDX-License-Identifier: GPL-2.0-only + + #include ++#include + + #include "mgag200_drv.h" + + void mgag200_bmc_disable_vidrst(struct mga_device *mdev) + { + u8 tmp; +- int iter_max; ++ int ret; + + /* + * 1 - The first step is to inform the BMC of an upcoming mode +@@ -37,30 +38,22 @@ void mgag200_bmc_disable_vidrst(struct mga_device *mdev) + + /* + * 3a- The third step is to verify if there is an active scan. +- * We are waiting for a 0 on remhsyncsts ). ++ * We are waiting for a 0 on remhsyncsts (). + */ +- iter_max = 300; +- while (!(tmp & 0x1) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } ++ ret = read_poll_timeout(RREG_DAC, tmp, !(tmp & 0x1), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); ++ if (ret == -ETIMEDOUT) ++ return; + + /* +- * 3b- This step occurs only if the remove is actually ++ * 3b- This step occurs only if the remote BMC is actually + * scanning. We are waiting for the end of the frame which is + * a 1 on remvsyncsts (XSPAREREG<1>) + */ +- if (iter_max) { +- iter_max = 300; +- while ((tmp & 0x2) && iter_max) { +- WREG8(DAC_INDEX, MGA1064_SPAREREG); +- tmp = RREG8(DAC_DATA); +- udelay(1000); +- iter_max--; +- } +- } ++ (void)read_poll_timeout(RREG_DAC, tmp, (tmp & 0x2), ++ 1000, 300000, false, ++ MGA1064_SPAREREG); + } + + void mgag200_bmc_enable_vidrst(struct mga_device *mdev) +diff --git a/drivers/gpu/drm/mgag200/mgag200_drv.h b/drivers/gpu/drm/mgag200/mgag200_drv.h +index 765e49fd89111..44281713db462 100644 +--- a/drivers/gpu/drm/mgag200/mgag200_drv.h ++++ b/drivers/gpu/drm/mgag200/mgag200_drv.h +@@ -115,6 +115,12 @@ + #define DAC_INDEX 0x3c00 + #define DAC_DATA 0x3c0a + ++#define RREG_DAC(reg) \ ++ ({ \ ++ WREG8(DAC_INDEX, reg); \ ++ RREG8(DAC_DATA); \ ++ }) \ ++ + #define WREG_DAC(reg, v) \ + do { \ + WREG8(DAC_INDEX, reg); \ +-- +2.51.0 + diff --git a/queue-6.6/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch b/queue-6.6/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch new file mode 100644 index 0000000000..6310b3cfd0 --- /dev/null +++ b/queue-6.6/hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch @@ -0,0 +1,56 @@ +From 377a680c521bd60e1dd4a0add2f487454d1bbeac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 19:03:57 -0300 +Subject: HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodrigo Lugathe da Conceição Alves + +[ Upstream commit 85a866809333cd2bf8ddac93d9a3e3ba8e4f807d ] + +The USB speaker has a bug that causes it to reboot when changing the +brightness using the physical knob. + +Add a new vendor and product ID entry in hid-ids.h, and register +the corresponding device in hid-quirks.c with the required quirk. + +Signed-off-by: Rodrigo Lugathe da Conceição Alves +Reviewed-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index fbbd1dc5582eb..931746cf36302 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -429,6 +429,9 @@ + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001 + #define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_C002 0xc002 + ++#define USB_VENDOR_ID_EDIFIER 0x2d99 ++#define USB_DEVICE_ID_EDIFIER_QR30 0xa101 /* EDIFIER Hal0 2.0 SE */ ++ + #define USB_VENDOR_ID_ELAN 0x04f3 + #define USB_DEVICE_ID_TOSHIBA_CLICK_L9W 0x0401 + #define USB_DEVICE_ID_HP_X2 0x074d +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index b2a3ce7bfb6b6..1f531626192cd 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -81,6 +81,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_DWAV, USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER), HID_QUIRK_MULTI_INPUT | HID_QUIRK_NOGET }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_EDIFIER, USB_DEVICE_ID_EDIFIER_QR30), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_EMS, USB_DEVICE_ID_EMS_TRIO_LINKER_PLUS_II), HID_QUIRK_MULTI_INPUT }, +-- +2.51.0 + diff --git a/queue-6.6/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch b/queue-6.6/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch new file mode 100644 index 0000000000..6f461654a4 --- /dev/null +++ b/queue-6.6/hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch @@ -0,0 +1,46 @@ +From 0a473e061e4ba468ef50e2361827cd13499f36ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jan 2026 02:18:26 +0800 +Subject: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() + +From: Kwok Kin Ming + +[ Upstream commit 2497ff38c530b1af0df5130ca9f5ab22c5e92f29 ] + +`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data +into `ihid->rawbuf`. + +The former can come from the userspace in the hidraw driver and is only +bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set +`max_buffer_size` field of `struct hid_ll_driver` which we do not). + +The latter has size determined at runtime by the maximum size of +different report types you could receive on any particular device and +can be a much smaller value. + +Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. + +The impact is low since access to hidraw devices requires root. + +Signed-off-by: Kwok Kin Ming +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 172b783274201..0a350780407ec 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -254,6 +254,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid, + * In addition to report data device will supply data length + * in the first 2 bytes of the response, so adjust . + */ ++ recv_len = min(recv_len, ihid->bufsize - sizeof(__le16)); + error = i2c_hid_xfer(ihid, ihid->cmdbuf, length, + ihid->rawbuf, recv_len + sizeof(__le16)); + if (error) { +-- +2.51.0 + diff --git a/queue-6.6/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch b/queue-6.6/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch new file mode 100644 index 0000000000..966f3a6bba --- /dev/null +++ b/queue-6.6/hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch @@ -0,0 +1,49 @@ +From f7cbfa17130bfbc7dfda5cf69d91c6672915c4fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 10:51:50 +0800 +Subject: HID: intel-ish-hid: Reset enum_devices_done before enumeration + +From: Zhang Lixu + +[ Upstream commit 56e230723e3a818373bd62331bccb1c6d2b3881b ] + +Some systems have enabled ISH without any sensors. In this case sending +HOSTIF_DM_ENUM_DEVICES results in 0 sensors. This triggers ISH hardware +reset on subsequent enumeration after S3/S4 resume. + +The enum_devices_done flag was not reset before sending the +HOSTIF_DM_ENUM_DEVICES command. On subsequent enumeration calls (such as +after S3/S4 resume), this flag retains its previous true value, causing the +wait loop to be skipped and returning prematurely to hid_ishtp_cl_init(). +If 0 HID devices are found, hid_ishtp_cl_init() skips getting HID device +descriptors and sets init_done to true. When the delayed enumeration +response arrives with init_done already true, the driver treats it as a bad +packet and triggers an ISH hardware reset. + +Set enum_devices_done to false before sending the enumeration command, +consistent with similar functions like ishtp_get_hid_descriptor() and +ishtp_get_report_descriptor() which reset their respective flags. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp-hid-client.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +index e3d70c5460e96..a0c1dc0941497 100644 +--- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c ++++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c +@@ -496,6 +496,7 @@ static int ishtp_enum_enum_devices(struct ishtp_cl *hid_ishtp_cl) + int rv; + + /* Send HOSTIF_DM_ENUM_DEVICES */ ++ client_data->enum_devices_done = false; + memset(&msg, 0, sizeof(struct hostif_msg)); + msg.hdr.command = HOSTIF_DM_ENUM_DEVICES; + rv = ishtp_cl_send(hid_ishtp_cl, (unsigned char *)&msg, +-- +2.51.0 + diff --git a/queue-6.6/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch b/queue-6.6/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch new file mode 100644 index 0000000000..66be1b1ce7 --- /dev/null +++ b/queue-6.6/hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch @@ -0,0 +1,49 @@ +From a2fdd4411871f74de279e89dee8f62b949372092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 10:53:28 +0800 +Subject: HID: intel-ish-hid: Update ishtp bus match to support device ID table + +From: Zhang Lixu + +[ Upstream commit daeed86b686855adda79f13729e0c9b0530990be ] + +The ishtp_cl_bus_match() function previously only checked the first entry +in the driver's device ID table. Update it to iterate over the entire +table, allowing proper matching for drivers with multiple supported +protocol GUIDs. + +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/bus.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c +index 7fc738a223755..4d97d043aae4b 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/bus.c ++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c +@@ -240,9 +240,17 @@ static int ishtp_cl_bus_match(struct device *dev, struct device_driver *drv) + { + struct ishtp_cl_device *device = to_ishtp_cl_device(dev); + struct ishtp_cl_driver *driver = to_ishtp_cl_driver(drv); ++ struct ishtp_fw_client *client = device->fw_client; ++ const struct ishtp_device_id *id; + +- return(device->fw_client ? guid_equal(&driver->id[0].guid, +- &device->fw_client->props.protocol_name) : 0); ++ if (client) { ++ for (id = driver->id; !guid_is_null(&id->guid); id++) { ++ if (guid_equal(&id->guid, &client->props.protocol_name)) ++ return 1; ++ } ++ } ++ ++ return 0; + } + + /** +-- +2.51.0 + diff --git a/queue-6.6/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch b/queue-6.6/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch new file mode 100644 index 0000000000..e390adc1fc --- /dev/null +++ b/queue-6.6/hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch @@ -0,0 +1,42 @@ +From d069e2a0d3a5a6649912092b1541cef39ecc0e73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Dec 2025 14:34:36 +0100 +Subject: HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL + +From: DaytonCL + +[ Upstream commit ff3f234ff1dcd6d626a989151db067a1b7f0f215 ] + +Some VTL-class touchpads (e.g. TOPS0102:00 35CC:0104) intermittently +fail to release a finger contact. A previous slot remains logically +active, accompanied by stale BTN_TOOL_DOUBLETAP state, causing +gestures to stay latched and resulting in stuck two-finger +scrolling and false right-clicks. + +Apply MT_QUIRK_STICKY_FINGERS to handle the unreleased contact correctly. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1225 +Suggested-by: Benjamin Tissoires +Tested-by: DaytonCL +Signed-off-by: DaytonCL +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index b9e67b408a4b9..6d9a85c5fc409 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -379,6 +379,7 @@ static const struct mt_class mt_classes[] = { + { .name = MT_CLS_VTL, + .quirks = MT_QUIRK_ALWAYS_VALID | + MT_QUIRK_CONTACT_CNT_ACCURATE | ++ MT_QUIRK_STICKY_FINGERS | + MT_QUIRK_FORCE_GET_FEATURE, + }, + { .name = MT_CLS_GOOGLE, +-- +2.51.0 + diff --git a/queue-6.6/hid-playstation-center-initial-joystick-axes-to-prev.patch b/queue-6.6/hid-playstation-center-initial-joystick-axes-to-prev.patch new file mode 100644 index 0000000000..c1d8cd39b1 --- /dev/null +++ b/queue-6.6/hid-playstation-center-initial-joystick-axes-to-prev.patch @@ -0,0 +1,66 @@ +From eb50ed53ecc9aeb1a6ce8ef60b8e6489ccb9c39d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 15:45:19 -0800 +Subject: HID: playstation: Center initial joystick axes to prevent spurious + events + +From: Siarhei Vishniakou + +[ Upstream commit e9143268d259d98e111a649affa061acb8e13c5b ] + +When a new PlayStation gamepad (DualShock 4 or DualSense) is initialized, +the input subsystem sets the default value for its absolute axes (e.g., +ABS_X, ABS_Y) to 0. + +However, the hardware's actual neutral/resting state for these joysticks +is 128 (0x80). This creates a mismatch. + +When the first HID report arrives from the device, the driver sees the +resting value of 128. The kernel compares this to its initial state of 0 +and incorrectly interprets this as a delta (0 -> 128). Consequently, it +generates EV_ABS events for this initial, non-existent movement. + +This behavior can fail userspace 'sanity check' tests (e.g., in +Android CTS) that correctly assert no motion events should be generated +from a device that is already at rest. + +This patch fixes the issue by explicitly setting the initial value of the +main joystick axes (e.g., ABS_X, ABS_Y, ABS_RX, ABS_RY) to 128 (0x80) +in the common ps_gamepad_create() function. + +This aligns the kernel's initial state with the hardware's expected +neutral state, ensuring that the first report (at 128) produces no +delta and thus, no spurious event. + +Signed-off-by: Siarhei Vishniakou +Reviewed-by: Benjamin Tissoires +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-playstation.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-playstation.c b/drivers/hid/hid-playstation.c +index 8ac8f7b8e3173..32f65c45fdc8a 100644 +--- a/drivers/hid/hid-playstation.c ++++ b/drivers/hid/hid-playstation.c +@@ -711,11 +711,16 @@ static struct input_dev *ps_gamepad_create(struct hid_device *hdev, + if (IS_ERR(gamepad)) + return ERR_CAST(gamepad); + ++ /* Set initial resting state for joysticks to 128 (center) */ + input_set_abs_params(gamepad, ABS_X, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_X].value = 128; + input_set_abs_params(gamepad, ABS_Y, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_Y].value = 128; + input_set_abs_params(gamepad, ABS_Z, 0, 255, 0, 0); + input_set_abs_params(gamepad, ABS_RX, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RX].value = 128; + input_set_abs_params(gamepad, ABS_RY, 0, 255, 0, 0); ++ gamepad->absinfo[ABS_RY].value = 128; + input_set_abs_params(gamepad, ABS_RZ, 0, 255, 0, 0); + + input_set_abs_params(gamepad, ABS_HAT0X, -1, 1, 0, 0); +-- +2.51.0 + diff --git a/queue-6.6/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch b/queue-6.6/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch new file mode 100644 index 0000000000..7b51f887c3 --- /dev/null +++ b/queue-6.6/hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch @@ -0,0 +1,51 @@ +From c934fd515240ed79265fb3befad71eef4c1c5b2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jan 2026 06:56:43 +0000 +Subject: HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list + +From: Chris Chiu + +[ Upstream commit c06bc3557542307b9658fbd43cc946a14250347b ] + +Another Chicony Electronics HP 5MP Camera with USB ID 04F2:B882 +reports a HID sensor interface that is not actually implemented. + +Add the device to the HID ignore list so the bogus sensor is never +exposed to userspace. Then the system won't hang when runtime PM +tries to wake the unresponsive device. + +Signed-off-by: Chris Chiu +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index ca9c70c8f3cf1..fbbd1dc5582eb 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -307,6 +307,7 @@ + #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824 + #define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c ++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3 0xb882 + + #define USB_VENDOR_ID_CHUNGHWAT 0x2247 + #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 192b8f63baaab..b2a3ce7bfb6b6 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -763,6 +763,7 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA3) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) }, +-- +2.51.0 + diff --git a/queue-6.6/hwmon-occ-mark-occ_init_attribute-as-__printf.patch b/queue-6.6/hwmon-occ-mark-occ_init_attribute-as-__printf.patch new file mode 100644 index 0000000000..81066fff27 --- /dev/null +++ b/queue-6.6/hwmon-occ-mark-occ_init_attribute-as-__printf.patch @@ -0,0 +1,42 @@ +From 0807680b7d4b1a8bfcb4072b3358ba9a5091bd97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 17:34:36 +0100 +Subject: hwmon: (occ) Mark occ_init_attribute() as __printf + +From: Arnd Bergmann + +[ Upstream commit 831a2b27914cc880130ffe8fb8d1e65a5324d07f ] + +This is a printf-style function, which gcc -Werror=suggest-attribute=format +correctly points out: + +drivers/hwmon/occ/common.c: In function 'occ_init_attribute': +drivers/hwmon/occ/common.c:761:9: error: function 'occ_init_attribute' might be a candidate for 'gnu_printf' format attribute [-Werror=suggest-attribute=format] + +Add the attribute to avoid this warning and ensure any incorrect +format strings are detected here. + +Fixes: 744c2fe950e9 ("hwmon: (occ) Rework attribute registration for stack usage") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20260203163440.2674340-1-arnd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c +index 483f79b394298..755926fa0bf7d 100644 +--- a/drivers/hwmon/occ/common.c ++++ b/drivers/hwmon/occ/common.c +@@ -749,6 +749,7 @@ static ssize_t occ_show_extended(struct device *dev, + * are dynamically allocated, we cannot use the existing kernel macros which + * stringify the name argument. + */ ++__printf(7, 8) + static void occ_init_attribute(struct occ_attribute *attr, int mode, + ssize_t (*show)(struct device *dev, struct device_attribute *attr, char *buf), + ssize_t (*store)(struct device *dev, struct device_attribute *attr, +-- +2.51.0 + diff --git a/queue-6.6/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch b/queue-6.6/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch new file mode 100644 index 0000000000..a5bbebdbc6 --- /dev/null +++ b/queue-6.6/ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch @@ -0,0 +1,93 @@ +From 89f7649ec001d30d5da0fcdac93d346790a8b80d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 18:58:37 +0900 +Subject: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF + +From: Shigeru Yoshida + +[ Upstream commit bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 ] + +syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 +route. [0] + +Commit f72514b3c569 ("ipv6: clear RA flags when adding a static +route") introduced logic to clear RTF_ADDRCONF from existing routes +when a static route with the same nexthop is added. However, this +causes a problem when the existing route has a gateway. + +When RTF_ADDRCONF is cleared from a route that has a gateway, that +route becomes eligible for ECMP, i.e. rt6_qualify_for_ecmp() returns +true. The issue is that this route was never added to the +fib6_siblings list. + +This leads to a mismatch between the following counts: + +- The sibling count computed by iterating fib6_next chain, which + includes the newly ECMP-eligible route + +- The actual siblings in fib6_siblings list, which does not include + that route + +When a subsequent ECMP route is added, fib6_add_rt2node() hits +BUG_ON(sibling->fib6_nsiblings != rt->fib6_nsiblings) because the +counts don't match. + +Fix this by only clearing RTF_ADDRCONF when the existing route does +not have a gateway. Routes without a gateway cannot qualify for ECMP +anyway (rt6_qualify_for_ecmp() requires fib_nh_gw_family), so clearing +RTF_ADDRCONF on them is safe and matches the original intent of the +commit. + +[0]: +kernel BUG at net/ipv6/ip6_fib.c:1217! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217 +[...] +Call Trace: + + fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1532 + __ip6_ins_rt net/ipv6/route.c:1351 [inline] + ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3946 + ipv6_route_ioctl+0x35c/0x480 net/ipv6/route.c:4571 + inet6_ioctl+0x219/0x280 net/ipv6/af_inet6.c:577 + sock_do_ioctl+0xdc/0x300 net/socket.c:1245 + sock_ioctl+0x576/0x790 net/socket.c:1366 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: f72514b3c569 ("ipv6: clear RA flags when adding a static route") +Reported-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cb809def1baaac68ab92 +Tested-by: syzbot+cb809def1baaac68ab92@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Reviewed-by: Fernando Fernandez Mancera +Link: https://patch.msgid.link/20260204095837.1285552-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_fib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index 646ff1276aff2..fe57884ca7238 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -1136,7 +1136,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, + fib6_set_expires(iter, rt->expires); + fib6_add_gc_list(iter); + } +- if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT))) { ++ if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT)) && ++ !iter->fib6_nh->fib_nh_gw_family) { + iter->fib6_flags &= ~RTF_ADDRCONF; + iter->fib6_flags &= ~RTF_PREFIX_RT; + } +-- +2.51.0 + diff --git a/queue-6.6/loongarch-enable-exception-fixup-for-specific-ade-su.patch b/queue-6.6/loongarch-enable-exception-fixup-for-specific-ade-su.patch new file mode 100644 index 0000000000..845c03b177 --- /dev/null +++ b/queue-6.6/loongarch-enable-exception-fixup-for-specific-ade-su.patch @@ -0,0 +1,58 @@ +From f71ab4842094df3774d96d69f15683e56165533a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 15:19:20 +0800 +Subject: LoongArch: Enable exception fixup for specific ADE subcode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenghao Duan + +[ Upstream commit 9bdc1ab5e4ce6f066119018d8f69631a46f9c5a0 ] + +This patch allows the LoongArch BPF JIT to handle recoverable memory +access errors generated by BPF_PROBE_MEM* instructions. + +When a BPF program performs memory access operations, the instructions +it executes may trigger ADEM exceptions. The kernel’s built-in BPF +exception table mechanism (EX_TYPE_BPF) will generate corresponding +exception fixup entries in the JIT compilation phase; however, the +architecture-specific trap handling function needs to proactively call +the common fixup routine to achieve exception recovery. + +do_ade(): fix EX_TYPE_BPF memory access exceptions for BPF programs, +ensure safe execution. + +Relevant test cases: illegal address access tests in module_attach and +subprogs_extable of selftests/bpf. + +Signed-off-by: Chenghao Duan +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/traps.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/loongarch/kernel/traps.c b/arch/loongarch/kernel/traps.c +index d7291b8ea65aa..0529bd32c1f17 100644 +--- a/arch/loongarch/kernel/traps.c ++++ b/arch/loongarch/kernel/traps.c +@@ -508,10 +508,15 @@ asmlinkage void noinstr do_fpe(struct pt_regs *regs, unsigned long fcsr) + asmlinkage void noinstr do_ade(struct pt_regs *regs) + { + irqentry_state_t state = irqentry_enter(regs); ++ unsigned int esubcode = FIELD_GET(CSR_ESTAT_ESUBCODE, regs->csr_estat); ++ ++ if ((esubcode == EXSUBCODE_ADEM) && fixup_exception(regs)) ++ goto out; + + die_if_kernel("Kernel ade access", regs); + force_sig_fault(SIGBUS, BUS_ADRERR, (void __user *)regs->csr_badvaddr); + ++out: + irqentry_exit(regs, state); + } + +-- +2.51.0 + diff --git a/queue-6.6/loongarch-set-correct-protection_map-for-vm_none-vm_.patch b/queue-6.6/loongarch-set-correct-protection_map-for-vm_none-vm_.patch new file mode 100644 index 0000000000..8b55a4d588 --- /dev/null +++ b/queue-6.6/loongarch-set-correct-protection_map-for-vm_none-vm_.patch @@ -0,0 +1,51 @@ +From 7ca287b64aa348be504022e8aad5c5f9ed158bfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 15:19:10 +0800 +Subject: LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED + +From: Huacai Chen + +[ Upstream commit d5be446948b379f1d1a8e7bc6656d13f44c5c7b1 ] + +For 32BIT platform _PAGE_PROTNONE is 0, so set a VMA to be VM_NONE or +VM_SHARED will make pages non-present, then cause Oops with kernel page +fault. + +Fix it by set correct protection_map[] for VM_NONE/VM_SHARED, replacing +_PAGE_PROTNONE with _PAGE_PRESENT. + +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/mm/cache.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/loongarch/mm/cache.c b/arch/loongarch/mm/cache.c +index 6be04d36ca076..496916845ff76 100644 +--- a/arch/loongarch/mm/cache.c ++++ b/arch/loongarch/mm/cache.c +@@ -160,8 +160,8 @@ void cpu_cache_init(void) + + static const pgprot_t protection_map[16] = { + [VM_NONE] = __pgprot(_CACHE_CC | _PAGE_USER | +- _PAGE_PROTNONE | _PAGE_NO_EXEC | +- _PAGE_NO_READ), ++ _PAGE_NO_EXEC | _PAGE_NO_READ | ++ (_PAGE_PROTNONE ? : _PAGE_PRESENT)), + [VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT | + _PAGE_NO_EXEC), +@@ -180,8 +180,8 @@ static const pgprot_t protection_map[16] = { + [VM_EXEC | VM_WRITE | VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT), + [VM_SHARED] = __pgprot(_CACHE_CC | _PAGE_USER | +- _PAGE_PROTNONE | _PAGE_NO_EXEC | +- _PAGE_NO_READ), ++ _PAGE_NO_EXEC | _PAGE_NO_READ | ++ (_PAGE_PROTNONE ? : _PAGE_PRESENT)), + [VM_SHARED | VM_READ] = __pgprot(_CACHE_CC | _PAGE_VALID | + _PAGE_USER | _PAGE_PRESENT | + _PAGE_NO_EXEC), +-- +2.51.0 + diff --git a/queue-6.6/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch b/queue-6.6/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch new file mode 100644 index 0000000000..400dbea3d7 --- /dev/null +++ b/queue-6.6/macvlan-fix-error-recovery-in-macvlan_common_newlink.patch @@ -0,0 +1,99 @@ +From 7ea5b45ff6745cd43f1007bb9d257562e2dddf99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 20:43:59 +0000 +Subject: macvlan: fix error recovery in macvlan_common_newlink() + +From: Eric Dumazet + +[ Upstream commit f8db6475a83649689c087a8f52486fcc53e627e9 ] + +valis provided a nice repro to crash the kernel: + +ip link add p1 type veth peer p2 +ip link set address 00:00:00:00:00:20 dev p1 +ip link set up dev p1 +ip link set up dev p2 + +ip link add mv0 link p2 type macvlan mode source +ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 + +ping -c1 -I p1 1.2.3.4 + +He also gave a very detailed analysis: + + + +The issue is triggered when a new macvlan link is created with +MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or +MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan +port and register_netdevice() called from macvlan_common_newlink() +fails (e.g. because of the invalid link name). + +In this case macvlan_hash_add_source is called from +macvlan_change_sources() / macvlan_common_newlink(): + +This adds a reference to vlan to the port's vlan_source_hash using +macvlan_source_entry. + +vlan is a pointer to the priv data of the link that is being created. + +When register_netdevice() fails, the error is returned from +macvlan_newlink() to rtnl_newlink_create(): + + if (ops->newlink) + err = ops->newlink(dev, ¶ms, extack); + else + err = register_netdevice(dev); + if (err < 0) { + free_netdev(dev); + goto out; + } + +and free_netdev() is called, causing a kvfree() on the struct +net_device that is still referenced in the source entry attached to +the lower device's macvlan port. + +Now all packets sent on the macvlan port with a matching source mac +address will trigger a use-after-free in macvlan_forward_source(). + + + +With all that, my fix is to make sure we call macvlan_flush_sources() +regardless of @create value whenever "goto destroy_macvlan_port;" +path is taken. + +Many thanks to valis for following up on this issue. + +Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.") +Signed-off-by: Eric Dumazet +Reported-by: valis +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +Closes: https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Cc: Boudewijn van der Heide +Link: https://patch.msgid.link/20260129204359.632556-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 09db43ce31767..fea7352e2a470 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1572,9 +1572,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(lowerdev)) { ++ if (macvlan_port_get_rtnl(lowerdev)) { + macvlan_flush_sources(port, vlan); +- macvlan_port_destroy(port->dev); ++ if (create) ++ macvlan_port_destroy(port->dev); + } + return err; + } +-- +2.51.0 + diff --git a/queue-6.6/net-add-skb_header_pointer_careful-helper.patch b/queue-6.6/net-add-skb_header_pointer_careful-helper.patch new file mode 100644 index 0000000000..64cfe9f0f2 --- /dev/null +++ b/queue-6.6/net-add-skb_header_pointer_careful-helper.patch @@ -0,0 +1,50 @@ +From c25d9cda289b73ff2fed7e30eecd4722f5ad6a56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 14:15:38 +0000 +Subject: net: add skb_header_pointer_careful() helper + +From: Eric Dumazet + +[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ] + +This variant of skb_header_pointer() should be used in contexts +where @offset argument is user-controlled and could be negative. + +Negative offsets are supported, as long as the zone starts +between skb->head and skb->data. + +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: cabd1a976375 ("net/sched: cls_u32: use skb_header_pointer_careful()") +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 3a558a3c2cca8..69b392dc10aa3 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4114,6 +4114,18 @@ skb_header_pointer(const struct sk_buff *skb, int offset, int len, void *buffer) + skb_headlen(skb), buffer); + } + ++/* Variant of skb_header_pointer() where @offset is user-controlled ++ * and potentially negative. ++ */ ++static inline void * __must_check ++skb_header_pointer_careful(const struct sk_buff *skb, int offset, ++ int len, void *buffer) ++{ ++ if (unlikely(offset < 0 && -offset > skb_headroom(skb))) ++ return NULL; ++ return skb_header_pointer(skb, offset, len, buffer); ++} ++ + static inline void * __must_check + skb_pointer_if_linear(const struct sk_buff *skb, int offset, int len) + { +-- +2.51.0 + diff --git a/queue-6.6/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch b/queue-6.6/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch new file mode 100644 index 0000000000..9e0dcf2a83 --- /dev/null +++ b/queue-6.6/net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch @@ -0,0 +1,69 @@ +From ebfb456592ba9efff606060e116952c1d90ed188 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 19:38:27 -0800 +Subject: net: don't touch dev->stats in BPF redirect paths + +From: Jakub Kicinski + +[ Upstream commit fdf3f6800be36377e045e2448087f12132b88d2f ] + +Gal reports that BPF redirect increments dev->stats.tx_errors +on failure. This is not correct, most modern drivers completely +ignore dev->stats so these drops will be invisible to the user. +Core code should use the dedicated core stats which are folded +into device stats in dev_get_stats(). + +Note that we're switching from tx_errors to tx_dropped. +Core only has tx_dropped, hence presumably users already expect +that counter to increment for "stack" Tx issues. + +Reported-by: Gal Pressman +Link: https://lore.kernel.org/c5df3b60-246a-4030-9c9a-0a35cd1ca924@nvidia.com +Fixes: b4ab31414970 ("bpf: Add redirect_neigh helper as redirect drop-in") +Acked-by: Martin KaFai Lau +Acked-by: Daniel Borkmann +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260130033827.698841-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 99e931bc9e9aa..ddb6d3dd34deb 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2281,12 +2281,12 @@ static int __bpf_redirect_neigh_v6(struct sk_buff *skb, struct net_device *dev, + + err = bpf_out_neigh_v6(net, skb, dev, nh); + if (unlikely(net_xmit_eval(err))) +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + else + ret = NET_XMIT_SUCCESS; + goto out_xmit; + out_drop: +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + kfree_skb(skb); + out_xmit: + return ret; +@@ -2389,12 +2389,12 @@ static int __bpf_redirect_neigh_v4(struct sk_buff *skb, struct net_device *dev, + + err = bpf_out_neigh_v4(net, skb, dev, nh); + if (unlikely(net_xmit_eval(err))) +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + else + ret = NET_XMIT_SUCCESS; + goto out_xmit; + out_drop: +- DEV_STATS_INC(dev, tx_errors); ++ dev_core_stats_tx_dropped_inc(dev); + kfree_skb(skb); + out_xmit: + return ret; +-- +2.51.0 + diff --git a/queue-6.6/net-ethernet-adi-adin1110-check-return-value-of-devm.patch b/queue-6.6/net-ethernet-adi-adin1110-check-return-value-of-devm.patch new file mode 100644 index 0000000000..cceeec25a1 --- /dev/null +++ b/queue-6.6/net-ethernet-adi-adin1110-check-return-value-of-devm.patch @@ -0,0 +1,48 @@ +From cf1ceaf4a0dd061f7b112c5ea4fe4f02bd98118c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 12:02:28 +0800 +Subject: net: ethernet: adi: adin1110: Check return value of + devm_gpiod_get_optional() in adin1110_check_spi() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ni + +[ Upstream commit 78211543d2e44f84093049b4ef5f5bfa535f4645 ] + +The devm_gpiod_get_optional() function may return an ERR_PTR in case of +genuine GPIO acquisition errors, not just NULL which indicates the +legitimate absence of an optional GPIO. + +Add an IS_ERR() check after the call in adin1110_check_spi(). On error, +return the error code to ensure proper failure handling rather than +proceeding with invalid pointers. + +Fixes: 36934cac7aaf ("net: ethernet: adi: adin1110: add reset GPIO") +Signed-off-by: Chen Ni +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20260202040228.4129097-1-nichen@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/adi/adin1110.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c +index 3c26176316a38..2bf5c81195360 100644 +--- a/drivers/net/ethernet/adi/adin1110.c ++++ b/drivers/net/ethernet/adi/adin1110.c +@@ -1087,6 +1087,9 @@ static int adin1110_check_spi(struct adin1110_priv *priv) + + reset_gpio = devm_gpiod_get_optional(&priv->spidev->dev, "reset", + GPIOD_OUT_LOW); ++ if (IS_ERR(reset_gpio)) ++ return dev_err_probe(&priv->spidev->dev, PTR_ERR(reset_gpio), ++ "failed to get reset gpio\n"); + if (reset_gpio) { + /* MISO pin is used for internal configuration, can't have + * anyone else disturbing the SDO line. +-- +2.51.0 + diff --git a/queue-6.6/net-gro-fix-outer-network-offset.patch b/queue-6.6/net-gro-fix-outer-network-offset.patch new file mode 100644 index 0000000000..cf0b0ef6e3 --- /dev/null +++ b/queue-6.6/net-gro-fix-outer-network-offset.patch @@ -0,0 +1,52 @@ +From 530032a04cd53203714c1097c032e4503d8d32d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 12:43:14 +0100 +Subject: net: gro: fix outer network offset + +From: Paolo Abeni + +[ Upstream commit 5c2c3c38be396257a6a2e55bd601a12bb9781507 ] + +The udp GRO complete stage assumes that all the packets inserted the RX +have the `encapsulation` flag zeroed. Such assumption is not true, as a +few H/W NICs can set such flag when H/W offloading the checksum for +an UDP encapsulated traffic, the tun driver can inject GSO packets with +UDP encapsulation and the problematic layout can also be created via +a veth based setup. + +Due to the above, in the problematic scenarios, udp4_gro_complete() uses +the wrong network offset (inner instead of outer) to compute the outer +UDP header pseudo checksum, leading to csum validation errors later on +in packet processing. + +Address the issue always clearing the encapsulation flag at GRO completion +time. Such flag will be set again as needed for encapsulated packets by +udp_gro_complete(). + +Fixes: 5ef31ea5d053 ("net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb") +Reviewed-by: Willem de Bruijn +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/562638dbebb3b15424220e26a180274b387e2a88.1770032084.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/gro.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/gro.c b/net/core/gro.c +index b8cc44406e69b..87889cb75d219 100644 +--- a/net/core/gro.c ++++ b/net/core/gro.c +@@ -240,6 +240,8 @@ static void napi_gro_complete(struct napi_struct *napi, struct sk_buff *skb) + goto out; + } + ++ /* NICs can feed encapsulated packets into GRO */ ++ skb->encapsulation = 0; + rcu_read_lock(); + list_for_each_entry_rcu(ptype, head, list) { + if (ptype->type != type || !ptype->callbacks.gro_complete) +-- +2.51.0 + diff --git a/queue-6.6/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch b/queue-6.6/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch new file mode 100644 index 0000000000..e8b96736e8 --- /dev/null +++ b/queue-6.6/net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch @@ -0,0 +1,61 @@ +From 236a7fb11399f8639efedff094354c48be2a330c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:39 +0000 +Subject: net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 8558aef4e8a1a83049ab906d21d391093cfa7e7f ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Also, decrement i in the devlink_alloc failure path to point to the +last successfully allocated index. + +Compile tested only. Issue found using code review. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-3-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index a1c50cbc44beb..8e4e49d24dad8 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3764,6 +3764,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + if (!devlink) { + device_unlock(&octeon_dev->pci_dev->dev); + dev_err(&octeon_dev->pci_dev->dev, "devlink alloc failed\n"); ++ i--; + goto setup_nic_dev_free; + } + +@@ -3779,11 +3780,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-6.6/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch b/queue-6.6/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch new file mode 100644 index 0000000000..e1d3017477 --- /dev/null +++ b/queue-6.6/net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch @@ -0,0 +1,50 @@ +From 4015c3c81115898dec7dba344fc2cf3dde3c1090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:40 +0000 +Subject: net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup + +From: Zilin Guan + +[ Upstream commit 6cbba46934aefdfb5d171e0a95aec06c24f7ca30 ] + +In setup_nic_devices(), the initialization loop jumps to the label +setup_nic_dev_free on failure. The current cleanup loop while(i--) +skip the failing index i, causing a memory leak. + +Fix this by changing the loop to iterate from the current index i +down to 0. + +Compile tested only. Issue found using code review. + +Fixes: 846b46873eeb ("liquidio CN23XX: VF offload features") +Suggested-by: Simon Horman +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-4-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +index 62c2eadc33e35..15ef647e8aad3 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +@@ -2221,11 +2221,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + setup_nic_dev_free: + +- while (i--) { ++ do { + dev_err(&octeon_dev->pci_dev->dev, + "NIC ifidx:%d Setup failed\n", i); + liquidio_destroy_nic_device(octeon_dev, i); +- } ++ } while (i--); + + setup_nic_dev_done: + +-- +2.51.0 + diff --git a/queue-6.6/net-liquidio-initialize-netdev-pointer-before-queue-.patch b/queue-6.6/net-liquidio-initialize-netdev-pointer-before-queue-.patch new file mode 100644 index 0000000000..c8ed0a0e73 --- /dev/null +++ b/queue-6.6/net-liquidio-initialize-netdev-pointer-before-queue-.patch @@ -0,0 +1,98 @@ +From 6955c2604020a19f45d10cd3c44b7101af14fdbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:44:38 +0000 +Subject: net: liquidio: Initialize netdev pointer before queue setup + +From: Zilin Guan + +[ Upstream commit 926ede0c85e1e57c97d64d9612455267d597bb2c ] + +In setup_nic_devices(), the netdev is allocated using alloc_etherdev_mq(). +However, the pointer to this structure is stored in oct->props[i].netdev +only after the calls to netif_set_real_num_rx_queues() and +netif_set_real_num_tx_queues(). + +If either of these functions fails, setup_nic_devices() returns an error +without freeing the allocated netdev. Since oct->props[i].netdev is still +NULL at this point, the cleanup function liquidio_destroy_nic_device() +will fail to find and free the netdev, resulting in a memory leak. + +Fix this by initializing oct->props[i].netdev before calling the queue +setup functions. This ensures that the netdev is properly accessible for +cleanup in case of errors. + +Compile tested only. Issue found using a prototype static analysis tool +and code review. + +Fixes: c33c997346c3 ("liquidio: enhanced ethtool --set-channels feature") +Signed-off-by: Zilin Guan +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20260128154440.278369-2-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/cavium/liquidio/lio_main.c | 34 +++++++++---------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index 100daadbea2a6..a1c50cbc44beb 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3519,6 +3519,23 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + */ + netdev->netdev_ops = &lionetdevops; + ++ lio = GET_LIO(netdev); ++ ++ memset(lio, 0, sizeof(struct lio)); ++ ++ lio->ifidx = ifidx_or_pfnum; ++ ++ props = &octeon_dev->props[i]; ++ props->gmxport = resp->cfg_info.linfo.gmxport; ++ props->netdev = netdev; ++ ++ /* Point to the properties for octeon device to which this ++ * interface belongs. ++ */ ++ lio->oct_dev = octeon_dev; ++ lio->octprops = props; ++ lio->netdev = netdev; ++ + retval = netif_set_real_num_rx_queues(netdev, num_oqueues); + if (retval) { + dev_err(&octeon_dev->pci_dev->dev, +@@ -3535,16 +3552,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + goto setup_nic_dev_free; + } + +- lio = GET_LIO(netdev); +- +- memset(lio, 0, sizeof(struct lio)); +- +- lio->ifidx = ifidx_or_pfnum; +- +- props = &octeon_dev->props[i]; +- props->gmxport = resp->cfg_info.linfo.gmxport; +- props->netdev = netdev; +- + lio->linfo.num_rxpciq = num_oqueues; + lio->linfo.num_txpciq = num_iqueues; + for (j = 0; j < num_oqueues; j++) { +@@ -3610,13 +3617,6 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + netdev->min_mtu = LIO_MIN_MTU_SIZE; + netdev->max_mtu = LIO_MAX_MTU_SIZE; + +- /* Point to the properties for octeon device to which this +- * interface belongs. +- */ +- lio->oct_dev = octeon_dev; +- lio->octprops = props; +- lio->netdev = netdev; +- + dev_dbg(&octeon_dev->pci_dev->dev, + "if%d gmx: %d hw_addr: 0x%llx\n", i, + lio->linfo.gmxport, CVM_CAST64(lio->linfo.hw_addr)); +-- +2.51.0 + diff --git a/queue-6.6/net-sched-cls_u32-use-skb_header_pointer_careful.patch b/queue-6.6/net-sched-cls_u32-use-skb_header_pointer_careful.patch new file mode 100644 index 0000000000..c200a896be --- /dev/null +++ b/queue-6.6/net-sched-cls_u32-use-skb_header_pointer_careful.patch @@ -0,0 +1,70 @@ +From 45894fc2e6f862c24aeaa63315807f6105142c1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 14:15:39 +0000 +Subject: net/sched: cls_u32: use skb_header_pointer_careful() + +From: Eric Dumazet + +[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ] + +skb_header_pointer() does not fully validate negative @offset values. + +Use skb_header_pointer_careful() instead. + +GangMin Kim provided a report and a repro fooling u32_classify(): + +BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 +net/sched/cls_u32.c:221 + +Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely") +Reported-by: GangMin Kim +Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/ +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 67f27be138487..1338d9b4c03a4 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -161,10 +161,8 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + int toff = off + key->off + (off2 & key->offmask); + __be32 *data, hdata; + +- if (skb_headroom(skb) + toff > INT_MAX) +- goto out; +- +- data = skb_header_pointer(skb, toff, 4, &hdata); ++ data = skb_header_pointer_careful(skb, toff, 4, ++ &hdata); + if (!data) + goto out; + if ((*data ^ key->val) & key->mask) { +@@ -214,8 +212,9 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + if (ht->divisor) { + __be32 *data, hdata; + +- data = skb_header_pointer(skb, off + n->sel.hoff, 4, +- &hdata); ++ data = skb_header_pointer_careful(skb, ++ off + n->sel.hoff, ++ 4, &hdata); + if (!data) + goto out; + sel = ht->divisor & u32_hash_fold(*data, &n->sel, +@@ -229,7 +228,7 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb, + if (n->sel.flags & TC_U32_VAROFFSET) { + __be16 *data, hdata; + +- data = skb_header_pointer(skb, ++ data = skb_header_pointer_careful(skb, + off + n->sel.offoff, + 2, &hdata); + if (!data) +-- +2.51.0 + diff --git a/queue-6.6/net-usb-sr9700-support-devices-with-virtual-driver-c.patch b/queue-6.6/net-usb-sr9700-support-devices-with-virtual-driver-c.patch new file mode 100644 index 0000000000..6f9cc0f4c0 --- /dev/null +++ b/queue-6.6/net-usb-sr9700-support-devices-with-virtual-driver-c.patch @@ -0,0 +1,44 @@ +From f33af56c31706166c75e2b7ca40e198651320f4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 22:24:51 -0800 +Subject: net: usb: sr9700: support devices with virtual driver CD + +From: Ethan Nelson-Moore + +[ Upstream commit bf4172bd870c3a34d3065cbb39192c22cbd7b18d ] + +Some SR9700 devices have an SPI flash chip containing a virtual driver +CD, in which case they appear as a device with two interfaces and +product ID 0x9702. Interface 0 is the driver CD and interface 1 is the +Ethernet device. + +Link: https://github.com/name-kurniawan/usb-lan +Link: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=2185 +Signed-off-by: Ethan Nelson-Moore +Link: https://patch.msgid.link/20251211062451.139036-1-enelsonmoore@gmail.com +[pabeni@redhat.com: fixes link tags] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index 9587eb98cdb3b..213b4817cfdf6 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -539,6 +539,11 @@ static const struct usb_device_id products[] = { + USB_DEVICE(0x0fe6, 0x9700), /* SR9700 device */ + .driver_info = (unsigned long)&sr9700_driver_info, + }, ++ { ++ /* SR9700 with virtual driver CD-ROM - interface 0 is the CD-ROM device */ ++ USB_DEVICE_INTERFACE_NUMBER(0x0fe6, 0x9702, 1), ++ .driver_info = (unsigned long)&sr9700_driver_info, ++ }, + {}, /* END */ + }; + +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch b/queue-6.6/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch new file mode 100644 index 0000000000..163a89bdda --- /dev/null +++ b/queue-6.6/netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch @@ -0,0 +1,72 @@ +From a04b9ba9b0b7e1d1c474084c4ebe722179087205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Feb 2026 17:46:58 +0100 +Subject: netfilter: nf_tables: fix inverted genmask check in + nft_map_catchall_activate() + +From: Andrew Fasano + +[ Upstream commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 ] + +nft_map_catchall_activate() has an inverted element activity check +compared to its non-catchall counterpart nft_mapelem_activate() and +compared to what is logically required. + +nft_map_catchall_activate() is called from the abort path to re-activate +catchall map elements that were deactivated during a failed transaction. +It should skip elements that are already active (they don't need +re-activation) and process elements that are inactive (they need to be +restored). Instead, the current code does the opposite: it skips inactive +elements and processes active ones. + +Compare the non-catchall activate callback, which is correct: + + nft_mapelem_activate(): + if (nft_set_elem_active(ext, iter->genmask)) + return 0; /* skip active, process inactive */ + +With the buggy catchall version: + + nft_map_catchall_activate(): + if (!nft_set_elem_active(ext, genmask)) + continue; /* skip inactive, process active */ + +The consequence is that when a DELSET operation is aborted, +nft_setelem_data_activate() is never called for the catchall element. +For NFT_GOTO verdict elements, this means nft_data_hold() is never +called to restore the chain->use reference count. Each abort cycle +permanently decrements chain->use. Once chain->use reaches zero, +DELCHAIN succeeds and frees the chain while catchall verdict elements +still reference it, resulting in a use-after-free. + +This is exploitable for local privilege escalation from an unprivileged +user via user namespaces + nftables on distributions that enable +CONFIG_USER_NS and CONFIG_NF_TABLES. + +Fix by removing the negation so the check matches nft_mapelem_activate(): +skip active elements, process inactive ones. + +Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") +Signed-off-by: Andrew Fasano +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c00dd7dae5cb9..120d9bd53321c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5608,7 +5608,7 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, + + list_for_each_entry(catchall, &set->catchall_list, list) { + ext = nft_set_elem_ext(set, catchall->elem); +- if (!nft_set_elem_active(ext, genmask)) ++ if (nft_set_elem_active(ext, genmask)) + continue; + + nft_clear(ctx->net, ext); +-- +2.51.0 + diff --git a/queue-6.6/netfilter-replace-eexist-with-ebusy.patch b/queue-6.6/netfilter-replace-eexist-with-ebusy.patch new file mode 100644 index 0000000000..79010fc8ae --- /dev/null +++ b/queue-6.6/netfilter-replace-eexist-with-ebusy.patch @@ -0,0 +1,84 @@ +From e8d4f5adda0b3d3a127ee3096590933b810e1070 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 06:13:20 +0100 +Subject: netfilter: replace -EEXIST with -EBUSY + +From: Daniel Gomez + +[ Upstream commit 2bafeb8d2f380c3a81d98bd7b78b854b564f9cd4 ] + +The -EEXIST error code is reserved by the module loading infrastructure +to indicate that a module is already loaded. When a module's init +function returns -EEXIST, userspace tools like kmod interpret this as +"module already loaded" and treat the operation as successful, returning +0 to the user even though the module initialization actually failed. + +Replace -EEXIST with -EBUSY to ensure correct error reporting in the module +initialization path. + +Affected modules: + * ebtable_broute ebtable_filter ebtable_nat arptable_filter + * ip6table_filter ip6table_mangle ip6table_nat ip6table_raw + * ip6table_security iptable_filter iptable_mangle iptable_nat + * iptable_raw iptable_security + +Signed-off-by: Daniel Gomez +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 2 +- + net/netfilter/nf_log.c | 4 ++-- + net/netfilter/x_tables.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index ed62c1026fe93..f99e348c8f37f 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1299,7 +1299,7 @@ int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct ne + list_for_each_entry(tmpl, &template_tables, list) { + if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) { + mutex_unlock(&ebt_mutex); +- return -EEXIST; ++ return -EBUSY; + } + } + +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index e16f158388bbe..75c812f157e20 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -89,7 +89,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + if (pf == NFPROTO_UNSPEC) { + for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) { + if (rcu_access_pointer(loggers[i][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + } +@@ -97,7 +97,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) + rcu_assign_pointer(loggers[i][logger->type], logger); + } else { + if (rcu_access_pointer(loggers[pf][logger->type])) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto unlock; + } + rcu_assign_pointer(loggers[pf][logger->type], logger); +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index e50c23b9c9c41..d892afc9a1acc 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1761,7 +1761,7 @@ EXPORT_SYMBOL_GPL(xt_hook_ops_alloc); + int xt_register_template(const struct xt_table *table, + int (*table_init)(struct net *net)) + { +- int ret = -EEXIST, af = table->af; ++ int ret = -EBUSY, af = table->af; + struct xt_template *t; + + mutex_lock(&xt[af].mutex); +-- +2.51.0 + diff --git a/queue-6.6/nvme-fc-release-admin-tagset-if-init-fails.patch b/queue-6.6/nvme-fc-release-admin-tagset-if-init-fails.patch new file mode 100644 index 0000000000..5270c011bb --- /dev/null +++ b/queue-6.6/nvme-fc-release-admin-tagset-if-init-fails.patch @@ -0,0 +1,52 @@ +From 2732d6c0c02c50bd9093c86d31d61b7d70c2e769 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:18:42 -0800 +Subject: nvme-fc: release admin tagset if init fails + +From: Chaitanya Kulkarni + +[ Upstream commit d1877cc7270302081a315a81a0ee8331f19f95c8 ] + +nvme_fabrics creates an NVMe/FC controller in following path: + + nvmf_dev_write() + -> nvmf_create_ctrl() + -> nvme_fc_create_ctrl() + -> nvme_fc_init_ctrl() + +nvme_fc_init_ctrl() allocates the admin blk-mq resources right after +nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing +the controller state, scheduling connect work, etc.), we jump to the +fail_ctrl path, which tears down the controller references but never +frees the admin queue/tag set. The leaked blk-mq allocations match the +kmemleak report seen during blktests nvme/fc. + +Check ctrl->ctrl.admin_tagset in the fail_ctrl path and call +nvme_remove_admin_tag_set() when it is set so that all admin queue +allocations are reclaimed whenever controller setup aborts. + +Reported-by: Yi Zhang +Reviewed-by: Justin Tee +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 4fdb62ae996bf..44de1bcd0c657 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3550,6 +3550,8 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + ctrl->ctrl.opts = NULL; + ++ if (ctrl->ctrl.admin_tagset) ++ nvme_remove_admin_tag_set(&ctrl->ctrl); + /* initiate nvme ctrl ref counting teardown */ + nvme_uninit_ctrl(&ctrl->ctrl); + +-- +2.51.0 + diff --git a/queue-6.6/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch b/queue-6.6/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch new file mode 100644 index 0000000000..2732c26caf --- /dev/null +++ b/queue-6.6/nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch @@ -0,0 +1,51 @@ +From 5002d5b618ef051e4008fe780770a091cf474d8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 11:32:45 +0200 +Subject: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() + +From: Hannes Reinecke + +[ Upstream commit 2fa8961d3a6a1c2395d8d560ffed2c782681bade ] + +When the socket is closed while in TCP_LISTEN a callback is run to +flush all outstanding packets, which in turns calls +nvmet_tcp_listen_data_ready() with the sk_callback_lock held. +So we need to check if we are in TCP_LISTEN before attempting +to get the sk_callback_lock() to avoid a deadlock. + +Link: https://lore.kernel.org/linux-nvme/CAHj4cs-zu7eVB78yUpFjVe2UqMWFkLk8p+DaS3qj+uiGCXBAoA@mail.gmail.com/ +Tested-by: Yi Zhang +Reviewed-by: Sagi Grimberg +Signed-off-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index ee19eeb47dd2f..4d1f260ae60ab 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -1757,14 +1757,13 @@ static void nvmet_tcp_listen_data_ready(struct sock *sk) + + trace_sk_data_ready(sk); + ++ if (sk->sk_state != TCP_LISTEN) ++ return; ++ + read_lock_bh(&sk->sk_callback_lock); + port = sk->sk_user_data; +- if (!port) +- goto out; +- +- if (sk->sk_state == TCP_LISTEN) ++ if (port) + queue_work(nvmet_wq, &port->accept_work); +-out: + read_unlock_bh(&sk->sk_callback_lock); + } + +-- +2.51.0 + diff --git a/queue-6.6/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch b/queue-6.6/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch new file mode 100644 index 0000000000..0acbc0b227 --- /dev/null +++ b/queue-6.6/platform-x86-hp-bioscfg-skip-empty-attribute-names.patch @@ -0,0 +1,46 @@ +From 1c2fd3e7b143be25ad03ca351c191031256237fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jan 2026 13:04:45 -0600 +Subject: platform/x86: hp-bioscfg: Skip empty attribute names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 6222883af286e2feb3c9ff2bf9fd8fdf4220c55a ] + +Avoid registering kobjects with empty names when a BIOS attribute +name decodes to an empty string. + +Fixes: a34fc329b1895 ("platform/x86: hp-bioscfg: bioscfg") +Reported-by: Alain Cousinie +Closes: https://lore.kernel.org/platform-driver-x86/22ed5f78-c8bf-4ab4-8c38-420cc0201e7e@laposte.net/ +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260128190501.2170068-1-mario.limonciello@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +index e9bade74997bf..ec7a74bee803a 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +@@ -701,6 +701,11 @@ static int hp_init_bios_package_attribute(enum hp_wmi_data_type attr_type, + return ret; + } + ++ if (!str_value || !str_value[0]) { ++ pr_debug("Ignoring attribute with empty name\n"); ++ goto pack_attr_exit; ++ } ++ + /* All duplicate attributes found are ignored */ + duplicate = kset_find_obj(temp_kset, str_value); + if (duplicate) { +-- +2.51.0 + diff --git a/queue-6.6/platform-x86-intel_telemetry-fix-pss-event-register-.patch b/queue-6.6/platform-x86-intel_telemetry-fix-pss-event-register-.patch new file mode 100644 index 0000000000..63b064babc --- /dev/null +++ b/queue-6.6/platform-x86-intel_telemetry-fix-pss-event-register-.patch @@ -0,0 +1,48 @@ +From 04371ca149444504d1f2654007a1b59acbc79bf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 11:41:44 +0530 +Subject: platform/x86: intel_telemetry: Fix PSS event register mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kaushlendra Kumar + +[ Upstream commit 39e9c376ac42705af4ed4ae39eec028e8bced9b4 ] + +The PSS telemetry info parsing incorrectly applies +TELEM_INFO_SRAMEVTS_MASK when extracting event register +count from firmware response. This reads bits 15-8 instead +of the correct bits 7-0, causing misdetection of hardware +capabilities. + +The IOSS path correctly uses TELEM_INFO_NENABLES_MASK for +register count. Apply the same mask to PSS parsing for +consistency. + +Fixes: 9d16b482b059 ("platform:x86: Add Intel telemetry platform driver") +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20251224061144.3925519-1-kaushlendra.kumar@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/telemetry/pltdrv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/telemetry/pltdrv.c b/drivers/platform/x86/intel/telemetry/pltdrv.c +index 06311d0e94518..a574615c6faa6 100644 +--- a/drivers/platform/x86/intel/telemetry/pltdrv.c ++++ b/drivers/platform/x86/intel/telemetry/pltdrv.c +@@ -610,7 +610,7 @@ static int telemetry_setup(struct platform_device *pdev) + /* Get telemetry Info */ + events = (read_buf & TELEM_INFO_SRAMEVTS_MASK) >> + TELEM_INFO_SRAMEVTS_SHIFT; +- event_regs = read_buf & TELEM_INFO_SRAMEVTS_MASK; ++ event_regs = read_buf & TELEM_INFO_NENABLES_MASK; + if ((events < TELEM_MAX_EVENTS_SRAM) || + (event_regs < TELEM_MAX_EVENTS_SRAM)) { + dev_err(&pdev->dev, "PSS:Insufficient Space for SRAM Trace\n"); +-- +2.51.0 + diff --git a/queue-6.6/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch b/queue-6.6/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch new file mode 100644 index 0000000000..76a3f86507 --- /dev/null +++ b/queue-6.6/platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch @@ -0,0 +1,42 @@ +From 311ed685e88915f6dbefb91c3d82e2c49ae0313a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jan 2026 16:38:45 +0200 +Subject: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines + +From: Rafael J. Wysocki + +[ Upstream commit 128497456756e1b952bd5a912cd073836465109d ] + +toshiba_haps_add() leaks the haps object allocated by it if it returns +an error after allocating that object successfully. + +toshiba_haps_remove() does not free the object pointed to by +toshiba_haps before clearing that pointer, so it becomes unreachable +allocated memory. + +Address these memory leaks by using devm_kzalloc() for allocating +the memory in question. + +Fixes: 23d0ba0c908a ("platform/x86: Toshiba HDD Active Protection Sensor") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/toshiba_haps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/toshiba_haps.c b/drivers/platform/x86/toshiba_haps.c +index 8c9f76286b080..f2292d2412fd1 100644 +--- a/drivers/platform/x86/toshiba_haps.c ++++ b/drivers/platform/x86/toshiba_haps.c +@@ -183,7 +183,7 @@ static int toshiba_haps_add(struct acpi_device *acpi_dev) + + pr_info("Toshiba HDD Active Protection Sensor device\n"); + +- haps = kzalloc(sizeof(struct toshiba_haps_dev), GFP_KERNEL); ++ haps = devm_kzalloc(&acpi_dev->dev, sizeof(*haps), GFP_KERNEL); + if (!haps) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.6/regmap-maple-free-entry-on-mas_store_gfp-failure.patch b/queue-6.6/regmap-maple-free-entry-on-mas_store_gfp-failure.patch new file mode 100644 index 0000000000..d1deef1040 --- /dev/null +++ b/queue-6.6/regmap-maple-free-entry-on-mas_store_gfp-failure.patch @@ -0,0 +1,51 @@ +From 7a9213cbd0c7f72313a229972ffbacae7f1fb936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jan 2026 08:48:20 +0530 +Subject: regmap: maple: free entry on mas_store_gfp() failure + +From: Kaushlendra Kumar + +[ Upstream commit f3f380ce6b3d5c9805c7e0b3d5bc28d9ec41e2e8 ] + +regcache_maple_write() allocates a new block ('entry') to merge +adjacent ranges and then stores it with mas_store_gfp(). +When mas_store_gfp() fails, the new 'entry' remains allocated and +is never freed, leaking memory. + +Free 'entry' on the failure path; on success continue freeing the +replaced neighbor blocks ('lower', 'upper'). + +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20260105031820.260119-1-kaushlendra.kumar@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regcache-maple.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/base/regmap/regcache-maple.c b/drivers/base/regmap/regcache-maple.c +index fb5761a5ef6ee..86de71ce2c191 100644 +--- a/drivers/base/regmap/regcache-maple.c ++++ b/drivers/base/regmap/regcache-maple.c +@@ -96,12 +96,13 @@ static int regcache_maple_write(struct regmap *map, unsigned int reg, + + mas_unlock(&mas); + +- if (ret == 0) { +- kfree(lower); +- kfree(upper); ++ if (ret) { ++ kfree(entry); ++ return ret; + } +- +- return ret; ++ kfree(lower); ++ kfree(upper); ++ return 0; + } + + static int regcache_maple_drop(struct regmap *map, unsigned int min, +-- +2.51.0 + diff --git a/queue-6.6/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch b/queue-6.6/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch new file mode 100644 index 0000000000..dd1c6f2c3c --- /dev/null +++ b/queue-6.6/ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch @@ -0,0 +1,69 @@ +From 3f22a2ecf6a487e87f60189a38781255aff8dc5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 14:50:07 +0800 +Subject: ring-buffer: Avoid softlockup in ring_buffer_resize() during memory + free + +From: Wupeng Ma + +[ Upstream commit 6435ffd6c7fcba330dfa91c58dc30aed2df3d0bf ] + +When user resize all trace ring buffer through file 'buffer_size_kb', +then in ring_buffer_resize(), kernel allocates buffer pages for each +cpu in a loop. + +If the kernel preemption model is PREEMPT_NONE and there are many cpus +and there are many buffer pages to be freed, it may not give up cpu +for a long time and finally cause a softlockup. + +To avoid it, call cond_resched() after each cpu buffer free as Commit +f6bd2c92488c ("ring-buffer: Avoid softlockup in ring_buffer_resize()") +does. + +Detailed call trace as follow: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 24-....: (14837 ticks this GP) idle=521c/1/0x4000000000000000 softirq=230597/230597 fqs=5329 + rcu: (t=15004 jiffies g=26003221 q=211022 ncpus=96) + CPU: 24 UID: 0 PID: 11253 Comm: bash Kdump: loaded Tainted: G EL 6.18.2+ #278 NONE + pc : arch_local_irq_restore+0x8/0x20 + arch_local_irq_restore+0x8/0x20 (P) + free_frozen_page_commit+0x28c/0x3b0 + __free_frozen_pages+0x1c0/0x678 + ___free_pages+0xc0/0xe0 + free_pages+0x3c/0x50 + ring_buffer_resize.part.0+0x6a8/0x880 + ring_buffer_resize+0x3c/0x58 + __tracing_resize_ring_buffer.part.0+0x34/0xd8 + tracing_resize_ring_buffer+0x8c/0xd0 + tracing_entries_write+0x74/0xd8 + vfs_write+0xcc/0x288 + ksys_write+0x74/0x118 + __arm64_sys_write+0x24/0x38 + +Cc: +Link: https://patch.msgid.link/20251228065008.2396573-1-mawupeng1@huawei.com +Signed-off-by: Wupeng Ma +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 62d93db72b0a9..a305d1488387c 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2364,6 +2364,8 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, + list) { + list_del_init(&bpage->list); + free_buffer_page(bpage); ++ ++ cond_resched(); + } + } + out_err_unlock: +-- +2.51.0 + diff --git a/queue-6.6/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch b/queue-6.6/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch new file mode 100644 index 0000000000..fca9e15c66 --- /dev/null +++ b/queue-6.6/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch @@ -0,0 +1,51 @@ +From 38be3477761f3087ba717032d0c1863065258df4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:51 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_conn_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 9411a89e9e7135cc459178fa77a3f1d6191ae903 ] + +In iscsit_dec_conn_usage_count(), the function calls complete() while +holding the conn->conn_usage_lock. As soon as complete() is invoked, the +waiter (such as iscsit_close_connection()) may wake up and proceed to free +the iscsit_conn structure. + +If the waiter frees the memory before the current thread reaches +spin_unlock_bh(), it results in a KASAN slab-use-after-free as the function +attempts to release a lock within the already-freed connection structure. + +Fix this by releasing the spinlock before calling complete(). + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-2-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index ee0cf2c74952a..b7fa8eed213bb 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -857,8 +857,11 @@ void iscsit_dec_conn_usage_count(struct iscsit_conn *conn) + spin_lock_bh(&conn->conn_usage_lock); + conn->conn_usage_count--; + +- if (!conn->conn_usage_count && conn->conn_waiting_on_uc) ++ if (!conn->conn_usage_count && conn->conn_waiting_on_uc) { ++ spin_unlock_bh(&conn->conn_usage_lock); + complete(&conn->conn_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&conn->conn_usage_lock); + } +-- +2.51.0 + diff --git a/queue-6.6/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch b/queue-6.6/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch new file mode 100644 index 0000000000..dbcf6ab786 --- /dev/null +++ b/queue-6.6/scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch @@ -0,0 +1,53 @@ +From 0b345e14bc8d4d825d7e7f44a9c335a769892541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:53:52 +0100 +Subject: scsi: target: iscsi: Fix use-after-free in + iscsit_dec_session_usage_count() + +From: Maurizio Lombardi + +[ Upstream commit 84dc6037390b8607c5551047d3970336cb51ba9a ] + +In iscsit_dec_session_usage_count(), the function calls complete() while +holding the sess->session_usage_lock. Similar to the connection usage count +logic, the waiter signaled by complete() (e.g., in the session release +path) may wake up and free the iscsit_session structure immediately. + +This creates a race condition where the current thread may attempt to +execute spin_unlock_bh() on a session structure that has already been +deallocated, resulting in a KASAN slab-use-after-free. + +To resolve this, release the session_usage_lock before calling complete() +to ensure all dereferences of the sess pointer are finished before the +waiter is allowed to proceed with deallocation. + +Signed-off-by: Maurizio Lombardi +Reported-by: Zhaojuan Guo +Reviewed-by: Mike Christie +Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c +index 91a75a4a7cc1a..ee0cf2c74952a 100644 +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -785,8 +785,11 @@ void iscsit_dec_session_usage_count(struct iscsit_session *sess) + spin_lock_bh(&sess->session_usage_lock); + sess->session_usage_count--; + +- if (!sess->session_usage_count && sess->session_waiting_on_uc) ++ if (!sess->session_usage_count && sess->session_waiting_on_uc) { ++ spin_unlock_bh(&sess->session_usage_lock); + complete(&sess->session_waiting_on_uc_comp); ++ return; ++ } + + spin_unlock_bh(&sess->session_usage_lock); + } +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index d62c5e16fd..d82dd5502f 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -19,3 +19,58 @@ binderfs-fix-ida_alloc_max-upper-bound.patch kvm-selftests-add-u_fortify_source-to-avoid-some-unpredictable-test-failures.patch gve-fix-stats-report-corruption-on-queue-count-change.patch tracing-fix-ftrace-event-field-alignments.patch +wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch +wifi-wlcore-ensure-skb-headroom-before-skb_push.patch +net-usb-sr9700-support-devices-with-virtual-driver-c.patch +block-bfq-fix-aux-stat-accumulation-destination.patch +smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch +loongarch-set-correct-protection_map-for-vm_none-vm_.patch +smb-server-fix-refcount-leak-in-smb2_open.patch +loongarch-enable-exception-fixup-for-specific-ade-su.patch +smb-server-fix-refcount-leak-in-parse_durable_handle.patch +hid-intel-ish-hid-update-ishtp-bus-match-to-support-.patch +hid-multitouch-add-mt_quirk_sticky_fingers-to-mt_cls.patch +btrfs-fix-reservation-leak-in-some-error-paths-when-.patch +hid-intel-ish-hid-reset-enum_devices_done-before-enu.patch +hid-playstation-center-initial-joystick-axes-to-prev.patch +alsa-hda-realtek-add-hp-laptop-15s-eq1xxx-mute-led-q.patch +netfilter-replace-eexist-with-ebusy.patch +hid-quirks-add-another-chicony-hp-5mp-cameras-to-hid.patch +hid-i2c-hid-fix-potential-buffer-overflow-in-i2c_hid.patch +hid-apply-quirk-hid_quirk_always_poll-to-edifier-qr3.patch +ring-buffer-avoid-softlockup-in-ring_buffer_resize-d.patch +wifi-mac80211-collect-station-statistics-earlier-whe.patch +asoc-davinci-evm-fix-reference-leak-in-davinci_evm_p.patch +nvme-fc-release-admin-tagset-if-init-fails.patch +nvmet-tcp-fixup-hang-in-nvmet_tcp_listen_data_ready.patch +asoc-amd-yc-fix-microphone-on-asus-m6500re.patch +asoc-tlv320adcx140-propagate-error-codes-during-prob.patch +spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch +regmap-maple-free-entry-on-mas_store_gfp-failure.patch +wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_s.patch +alsa-hda-realtek-fix-headset-mic-for-tongfang-x6ar55.patch +scsi-target-iscsi-fix-use-after-free-in-iscsit_dec_c.patch +wifi-mac80211-correctly-check-if-csa-is-active.patch +wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch +platform-x86-toshiba_haps-fix-memory-leaks-in-add-re.patch +platform-x86-intel_telemetry-fix-pss-event-register-.patch +platform-x86-hp-bioscfg-skip-empty-attribute-names.patch +smb-client-fix-memory-leak-in-smb2_open_file.patch +net-add-skb_header_pointer_careful-helper.patch +net-sched-cls_u32-use-skb_header_pointer_careful.patch +dpaa2-switch-prevent-zero_size_ptr-dereference-when-.patch +net-liquidio-initialize-netdev-pointer-before-queue-.patch +net-liquidio-fix-off-by-one-error-in-pf-setup_nic_de.patch +net-liquidio-fix-off-by-one-error-in-vf-setup_nic_de.patch +dpaa2-switch-add-bounds-check-for-if_id-in-irq-handl.patch +macvlan-fix-error-recovery-in-macvlan_common_newlink.patch +net-don-t-touch-dev-stats-in-bpf-redirect-paths.patch +tipc-use-kfree_sensitive-for-session-key-material.patch +net-ethernet-adi-adin1110-check-return-value-of-devm.patch +net-gro-fix-outer-network-offset.patch +drm-mgag200-fix-mgag200_bmc_stop_scanout.patch +hwmon-occ-mark-occ_init_attribute-as-__printf.patch +netfilter-nf_tables-fix-inverted-genmask-check-in-nf.patch +ipv6-fix-ecmp-sibling-count-mismatch-when-clearing-r.patch +asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch diff --git a/queue-6.6/smb-client-fix-memory-leak-in-smb2_open_file.patch b/queue-6.6/smb-client-fix-memory-leak-in-smb2_open_file.patch new file mode 100644 index 0000000000..2cd1d5e4ec --- /dev/null +++ b/queue-6.6/smb-client-fix-memory-leak-in-smb2_open_file.patch @@ -0,0 +1,72 @@ +From a569b39dc3eb2a06a8f8c15d37c49377a22d1e3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Feb 2026 08:24:07 +0000 +Subject: smb/client: fix memory leak in smb2_open_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: ChenXiaoSong + +[ Upstream commit e3a43633023e3cacaca60d4b8972d084a2b06236 ] + +Reproducer: + + 1. server: directories are exported read-only + 2. client: mount -t cifs //${server_ip}/export /mnt + 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct + 4. client: umount /mnt + 5. client: sleep 1 + 6. client: modprobe -r cifs + +The error message is as follows: + + ============================================================================= + BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown() + ----------------------------------------------------------------------------- + + Object 0x00000000d47521be @offset=14336 + ... + WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577 + ... + Call Trace: + + kmem_cache_destroy+0x94/0x190 + cifs_destroy_request_bufs+0x3e/0x50 [cifs] + cleanup_module+0x4e/0x540 [cifs] + __se_sys_delete_module+0x278/0x400 + __x64_sys_delete_module+0x5f/0x70 + x64_sys_call+0x2299/0x2ff0 + do_syscall_64+0x89/0x350 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + ... + kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs] + WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577 + +Link: https://lore.kernel.org/linux-cifs/9751f02d-d1df-4265-a7d6-b19761b21834@linux.dev/T/#mf14808c144448b715f711ce5f0477a071f08eaf6 +Fixes: e255612b5ed9 ("cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES") +Reported-by: Paulo Alcantara +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: ChenXiaoSong +Reviewed-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c +index d7f2835e0b1cc..d436057ed77e3 100644 +--- a/fs/smb/client/smb2file.c ++++ b/fs/smb/client/smb2file.c +@@ -122,6 +122,7 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms, __u32 + rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, + &err_buftype); + if (rc == -EACCES && retry_without_read_attributes) { ++ free_rsp_buf(err_buftype, err_iov.iov_base); + oparms->desired_access &= ~FILE_READ_ATTRIBUTES; + rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, + &err_buftype); +-- +2.51.0 + diff --git a/queue-6.6/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch b/queue-6.6/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch new file mode 100644 index 0000000000..4d35b84841 --- /dev/null +++ b/queue-6.6/smb-server-call-ksmbd_session_rpc_close-on-error-pat.patch @@ -0,0 +1,47 @@ +From 8ed4b9b78ffd4213cbf536f8a7e4ce77118b3249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Dec 2025 22:51:01 +0800 +Subject: smb/server: call ksmbd_session_rpc_close() on error path in + create_smb2_pipe() + +From: ZhangGuoDong + +[ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ] + +When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). + +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index eacfb241d3d49..19436ce8a4958 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2274,7 +2274,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + { + struct smb2_create_rsp *rsp; + struct smb2_create_req *req; +- int id; ++ int id = -1; + int err; + char *name; + +@@ -2331,6 +2331,9 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) + break; + } + ++ if (id >= 0) ++ ksmbd_session_rpc_close(work->sess, id); ++ + if (!IS_ERR(name)) + kfree(name); + +-- +2.51.0 + diff --git a/queue-6.6/smb-server-fix-refcount-leak-in-parse_durable_handle.patch b/queue-6.6/smb-server-fix-refcount-leak-in-parse_durable_handle.patch new file mode 100644 index 0000000000..05374e8905 --- /dev/null +++ b/queue-6.6/smb-server-fix-refcount-leak-in-parse_durable_handle.patch @@ -0,0 +1,36 @@ +From c4c78b4b8b75cd439755a6037a9b78e7a67b310a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 10:13:29 +0800 +Subject: smb/server: fix refcount leak in parse_durable_handle_context() + +From: ZhangGuoDong + +[ Upstream commit 3296c3012a9d9a27e81e34910384e55a6ff3cff0 ] + +When the command is a replay operation and -ENOEXEC is returned, +the refcount of ksmbd_file must be released. + +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 5cbe84938a729..da4d914c87ad2 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2805,6 +2805,7 @@ static int parse_durable_handle_context(struct ksmbd_work *work, + SMB2_CLIENT_GUID_SIZE)) { + if (!(req->hdr.Flags & SMB2_FLAGS_REPLAY_OPERATION)) { + err = -ENOEXEC; ++ ksmbd_put_durable_fd(dh_info->fp); + goto out; + } + +-- +2.51.0 + diff --git a/queue-6.6/smb-server-fix-refcount-leak-in-smb2_open.patch b/queue-6.6/smb-server-fix-refcount-leak-in-smb2_open.patch new file mode 100644 index 0000000000..fc6c90829c --- /dev/null +++ b/queue-6.6/smb-server-fix-refcount-leak-in-smb2_open.patch @@ -0,0 +1,41 @@ +From 940a4db49b2773f2408758aefdd078fee5459c94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 11:15:18 +0800 +Subject: smb/server: fix refcount leak in smb2_open() + +From: ZhangGuoDong + +[ Upstream commit f416c556997aa56ec4384c6b6efd6a0e6ac70aa7 ] + +When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file +must be released. + +Suggested-by: Namjae Jeon +Signed-off-by: ZhangGuoDong +Signed-off-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 19436ce8a4958..5cbe84938a729 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2999,10 +2999,10 @@ int smb2_open(struct ksmbd_work *work) + file_info = FILE_OPENED; + + rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat); ++ ksmbd_put_durable_fd(fp); + if (rc) + goto err_out2; + +- ksmbd_put_durable_fd(fp); + goto reconnected_fp; + } + } else if (req_op_level == SMB2_OPLOCK_LEVEL_LEASE) +-- +2.51.0 + diff --git a/queue-6.6/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch b/queue-6.6/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch new file mode 100644 index 0000000000..34dd6d30ad --- /dev/null +++ b/queue-6.6/spi-hisi-kunpeng-fixed-the-wrong-debugfs-node-name-i.patch @@ -0,0 +1,49 @@ +From 4cb3395bfc99238644203f32ab4afcd17b94ece7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 15:53:23 +0800 +Subject: spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi + debugfs initialization + +From: Devyn Liu + +[ Upstream commit b062a899c997df7b9ce29c62164888baa7a85833 ] + +In hisi_spi_debugfs_init, spi controller pointer is calculated +by container_of macro, and the member is hs->dev. But the host +cannot be calculated offset directly by this. (hs->dev) points +to (pdev->dev), and it is the (host->dev.parent) rather than +(host->dev) points to the (pdev->dev), which is set in +__spi_alloc_controller. + +In this patch, this issues is fixed by getting the spi_controller +data from pdev->dev by dev_get_drvdata() directly. (dev->driver_data) +points to the spi controller data in the probe stage. + +Signed-off-by: Devyn Liu +Reviewed-by: Yang Shen +Link: https://patch.msgid.link/20260108075323.3831574-1-liudingyuan@h-partners.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-hisi-kunpeng.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-hisi-kunpeng.c b/drivers/spi/spi-hisi-kunpeng.c +index 16054695bdb04..f0a50f40a3ba1 100644 +--- a/drivers/spi/spi-hisi-kunpeng.c ++++ b/drivers/spi/spi-hisi-kunpeng.c +@@ -161,10 +161,8 @@ static const struct debugfs_reg32 hisi_spi_regs[] = { + static int hisi_spi_debugfs_init(struct hisi_spi *hs) + { + char name[32]; ++ struct spi_controller *host = dev_get_drvdata(hs->dev); + +- struct spi_controller *host; +- +- host = container_of(hs->dev, struct spi_controller, dev); + snprintf(name, 32, "hisi_spi%d", host->bus_num); + hs->debugfs = debugfs_create_dir(name, NULL); + if (IS_ERR(hs->debugfs)) +-- +2.51.0 + diff --git a/queue-6.6/tipc-use-kfree_sensitive-for-session-key-material.patch b/queue-6.6/tipc-use-kfree_sensitive-for-session-key-material.patch new file mode 100644 index 0000000000..1cc259d8d4 --- /dev/null +++ b/queue-6.6/tipc-use-kfree_sensitive-for-session-key-material.patch @@ -0,0 +1,51 @@ +From 375568de8b4efbd1642dccde40e51332e1df139d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jan 2026 10:01:14 -0800 +Subject: tipc: use kfree_sensitive() for session key material + +From: Daniel Hodges + +[ Upstream commit 74d9391e8849e70ded5309222d09b0ed0edbd039 ] + +The rx->skey field contains a struct tipc_aead_key with GCM-AES +encryption keys used for TIPC cluster communication. Using plain +kfree() leaves this sensitive key material in freed memory pages +where it could potentially be recovered. + +Switch to kfree_sensitive() to ensure the key material is zeroed +before the memory is freed. + +Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange") +Signed-off-by: Daniel Hodges +Link: https://patch.msgid.link/20260131180114.2121438-1-hodgesd@meta.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index ea5bb131ebd06..2721baf9fd2b3 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -1219,7 +1219,7 @@ void tipc_crypto_key_flush(struct tipc_crypto *c) + rx = c; + tx = tipc_net(rx->net)->crypto_tx; + if (cancel_delayed_work(&rx->work)) { +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + atomic_xchg(&rx->key_distr, 0); + tipc_node_put(rx->node); +@@ -2394,7 +2394,7 @@ static void tipc_crypto_work_rx(struct work_struct *work) + break; + default: + synchronize_rcu(); +- kfree(rx->skey); ++ kfree_sensitive(rx->skey); + rx->skey = NULL; + break; + } +-- +2.51.0 + diff --git a/queue-6.6/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch b/queue-6.6/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch new file mode 100644 index 0000000000..7a9d0067e4 --- /dev/null +++ b/queue-6.6/wifi-cfg80211-fix-bitrate-calculation-overflow-for-h.patch @@ -0,0 +1,59 @@ +From 0b11171ebedb850c718dc214ba3e4da4fd8e66ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:30:04 +0530 +Subject: wifi: cfg80211: Fix bitrate calculation overflow for HE rates + +From: Veerendranath Jakkam + +[ Upstream commit a3034bf0746d88a00cceda9541534a5721445a24 ] + +An integer overflow occurs in cfg80211_calculate_bitrate_he() when +calculating bitrates for high throughput HE configurations. +For example, with 160 MHz bandwidth, HE-MCS 13, HE-NSS 4, and HE-GI 0, +the multiplication (result * rate->nss) overflows the 32-bit 'result' +variable before division by 8, leading to significantly underestimated +bitrate values. + +The overflow occurs because the NSS multiplication operates on a 32-bit +integer that cannot accommodate intermediate values exceeding +4,294,967,295. When overflow happens, the value wraps around, producing +incorrect bitrates for high MCS and NSS combinations. + +Fix this by utilizing the 64-bit 'tmp' variable for the NSS +multiplication and subsequent divisions via do_div(). This approach +preserves full precision throughout the entire calculation, with the +final value assigned to 'result' only after completing all operations. + +Signed-off-by: Veerendranath Jakkam +Link: https://patch.msgid.link/20260109-he_bitrate_overflow-v1-1-95575e466b6e@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 24e5af65da58e..640ec502e82d2 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1563,12 +1563,14 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate) + tmp = result; + tmp *= SCALE; + do_div(tmp, mcs_divisors[rate->mcs]); +- result = tmp; + + /* and take NSS, DCM into account */ +- result = (result * rate->nss) / 8; ++ tmp *= rate->nss; ++ do_div(tmp, 8); + if (rate->he_dcm) +- result /= 2; ++ do_div(tmp, 2); ++ ++ result = tmp; + + return result / 10000; + } +-- +2.51.0 + diff --git a/queue-6.6/wifi-mac80211-collect-station-statistics-earlier-whe.patch b/queue-6.6/wifi-mac80211-collect-station-statistics-earlier-whe.patch new file mode 100644 index 0000000000..05cccb22a6 --- /dev/null +++ b/queue-6.6/wifi-mac80211-collect-station-statistics-earlier-whe.patch @@ -0,0 +1,54 @@ +From 4c076c9d81b6a3ca9610e8d714eb0cd0f993282d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 10:29:07 +0800 +Subject: wifi: mac80211: collect station statistics earlier when disconnect + +From: Baochen Qiang + +[ Upstream commit a203dbeeca15a9b924f0d51f510921f4bae96801 ] + +In __sta_info_destroy_part2(), station statistics are requested after the +IEEE80211_STA_NONE -> IEEE80211_STA_NOTEXIST transition. This is +problematic because the driver may be unable to handle the request due to +the STA being in the NOTEXIST state (i.e. if the driver destroys the +underlying data when transitioning to NOTEXIST). + +Move the statistics collection to before the state transition to avoid +this issue. + +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20251222-mac80211-move-station-stats-collection-earlier-v1-1-12cd4e42c633@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 64cf5589989bb..9d7d7ee9d7ce2 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1477,6 +1477,10 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc) + } + } + ++ sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); ++ if (sinfo) ++ sta_set_sinfo(sta, sinfo, true); ++ + if (sta->uploaded) { + ret = drv_sta_state(local, sdata, sta, IEEE80211_STA_NONE, + IEEE80211_STA_NOTEXIST); +@@ -1485,9 +1489,6 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc) + + sta_dbg(sdata, "Removed STA %pM\n", sta->sta.addr); + +- sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL); +- if (sinfo) +- sta_set_sinfo(sta, sinfo, true); + cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL); + kfree(sinfo); + +-- +2.51.0 + diff --git a/queue-6.6/wifi-mac80211-correctly-check-if-csa-is-active.patch b/queue-6.6/wifi-mac80211-correctly-check-if-csa-is-active.patch new file mode 100644 index 0000000000..b143108ef0 --- /dev/null +++ b/queue-6.6/wifi-mac80211-correctly-check-if-csa-is-active.patch @@ -0,0 +1,52 @@ +From be5dddd9358d3267bfefe534df4e0e356c2e9e72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Jan 2026 19:19:30 +0200 +Subject: wifi: mac80211: correctly check if CSA is active + +From: Miri Korenblit + +[ Upstream commit db1d0b6ab11f612ea8a327663a578c8946efeee9 ] + +We are not adding an interface if an existing one is doing CSA. +But the check won't work for MLO station interfaces, since for those, +vif->bss_conf is zeroed out. +Fix this by checking if any link of the vif has an active CSA. + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260111191912.7ceff62fc561.Ia38d27f42684d1cfd82d930d232bd5dea6ab9282@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/iface.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index a531fb2b14dee..c8c53f4d1bdbf 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -347,6 +347,8 @@ static int ieee80211_check_concurrent_iface(struct ieee80211_sub_if_data *sdata, + /* we hold the RTNL here so can safely walk the list */ + list_for_each_entry(nsdata, &local->interfaces, list) { + if (nsdata != sdata && ieee80211_sdata_running(nsdata)) { ++ struct ieee80211_link_data *link; ++ + /* + * Only OCB and monitor mode may coexist + */ +@@ -373,8 +375,10 @@ static int ieee80211_check_concurrent_iface(struct ieee80211_sub_if_data *sdata, + * will not add another interface while any channel + * switch is active. + */ +- if (nsdata->vif.bss_conf.csa_active) +- return -EBUSY; ++ for_each_link_data(nsdata, link) { ++ if (link->conf->csa_active) ++ return -EBUSY; ++ } + + /* + * The remaining checks are only performed for interfaces +-- +2.51.0 + diff --git a/queue-6.6/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch b/queue-6.6/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch new file mode 100644 index 0000000000..114abd4c0b --- /dev/null +++ b/queue-6.6/wifi-mac80211-don-t-increment-crypto_tx_tailroom_nee.patch @@ -0,0 +1,49 @@ +From 39da002690b11361fa113ab51d667aeba5817a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 09:28:29 +0200 +Subject: wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice + +From: Miri Korenblit + +[ Upstream commit 3f3d8ff31496874a69b131866f62474eb24ed20a ] + +In reconfig, in case the driver asks to disconnect during the reconfig, +all the keys of the interface are marked as tainted. +Then ieee80211_reenable_keys will loop over all the interface keys, and +for each one it will +a) increment crypto_tx_tailroom_needed_cnt +b) call ieee80211_key_enable_hw_accel, which in turn will detect that +this key is tainted, so it will mark it as "not in hardware", which is +paired with crypto_tx_tailroom_needed_cnt incrementation, so we get two +incrementations for each tainted key. +Then we get a warning in ieee80211_free_keys. + +To fix it, don't increment the count in ieee80211_reenable_keys for +tainted keys + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20260118092821.4ca111fddcda.Id6e554f4b1c83760aa02d5a9e4e3080edb197aa2@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/key.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index f5f1eb87797a4..327ae73434517 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -981,7 +981,8 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata) + + if (ieee80211_sdata_running(sdata)) { + list_for_each_entry(key, &sdata->key_list, list) { +- increment_tailroom_need_count(sdata); ++ if (!(key->flags & KEY_FLAG_TAINTED)) ++ increment_tailroom_need_count(sdata); + ieee80211_key_enable_hw_accel(key); + } + } +-- +2.51.0 + diff --git a/queue-6.6/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch b/queue-6.6/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch new file mode 100644 index 0000000000..177641107a --- /dev/null +++ b/queue-6.6/wifi-mac80211-ocb-skip-rx_no_sta-when-interface-is-n.patch @@ -0,0 +1,44 @@ +From d4ceaf1a0747cba92df59646f1b08e7622da9ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 19:59:32 -0800 +Subject: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined + +From: Moon Hee Lee + +[ Upstream commit ff4071c60018a668249dc6a2df7d16330543540e ] + +ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only +present after JOIN_OCB. + +RX may run before JOIN_OCB is executed, in which case the OCB interface +is not operational. Skip RX peer handling when the interface is not +joined to avoid warnings in the RX path. + +Reported-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b364457b2d1d4e4a3054 +Tested-by: syzbot+b364457b2d1d4e4a3054@syzkaller.appspotmail.com +Signed-off-by: Moon Hee Lee +Link: https://patch.msgid.link/20251216035932.18332-1-moonhee.lee.ca@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ocb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c +index b44896e145224..1800d59d8b152 100644 +--- a/net/mac80211/ocb.c ++++ b/net/mac80211/ocb.c +@@ -48,6 +48,9 @@ void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata, + struct sta_info *sta; + int band; + ++ if (!ifocb->joined) ++ return; ++ + /* XXX: Consider removing the least recently used entry and + * allow new one to be added. + */ +-- +2.51.0 + diff --git a/queue-6.6/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch b/queue-6.6/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch new file mode 100644 index 0000000000..e777e7758c --- /dev/null +++ b/queue-6.6/wifi-wlcore-ensure-skb-headroom-before-skb_push.patch @@ -0,0 +1,42 @@ +From 2136766bda122b6a2cbadb70caed823f526b7f4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 08:57:08 +0100 +Subject: wifi: wlcore: ensure skb headroom before skb_push +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Åstrand + +[ Upstream commit e75665dd096819b1184087ba5718bd93beafff51 ] + +This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is +less than needed (typically 110 - 94 = 16 bytes). + +Signed-off-by: Peter Astrand +Link: https://patch.msgid.link/097bd417-e1d7-acd4-be05-47b199075013@lysator.liu.se +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/tx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index 7bd3ce2f08044..75ad096676561 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -210,6 +210,11 @@ static int wl1271_tx_allocate(struct wl1271 *wl, struct wl12xx_vif *wlvif, + total_blocks = wlcore_hw_calc_tx_blocks(wl, total_len, spare_blocks); + + if (total_blocks <= wl->tx_blocks_available) { ++ if (skb_headroom(skb) < (total_len - skb->len) && ++ pskb_expand_head(skb, (total_len - skb->len), 0, GFP_ATOMIC)) { ++ wl1271_free_tx_id(wl, id); ++ return -EAGAIN; ++ } + desc = skb_push(skb, total_len - skb->len); + + wlcore_hw_set_tx_desc_blocks(wl, desc, total_blocks, +-- +2.51.0 + -- 2.47.3