From c7b4238c91318e0e520a248058eba776090167df Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 3 Feb 2026 15:50:37 +0100 Subject: [PATCH] 6.6-stable patches added patches: arm64-fpsimd-signal-consistently-read-fpsimd-context.patch arm64-fpsimd-signal-fix-restoration-of-sve-context.patch arm64-fpsimd-signal-mandate-sve-payload-for-streaming-mode-state.patch drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch ksmbd-fix-race-condition-in-rpc-handle-list-access.patch ksmbd-smbd-fix-dma_unmap_sg-nents.patch mei-trace-treat-reg-parameter-as-string.patch mm-kfence-randomize-the-freelist-on-initialization.patch team-move-team-device-type-change-at-the-end-of-team_port_add.patch wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch wifi-mac80211-move-tdls-work-to-wiphy-work.patch --- ...nal-consistently-read-fpsimd-context.patch | 145 +++++++++++++++ ...ignal-fix-restoration-of-sve-context.patch | 136 ++++++++++++++ ...sve-payload-for-streaming-mode-state.patch | 87 +++++++++ ...to-avoid-priority-inversion-in-sriov.patch | 172 ++++++++++++++++++ ...e_process-in-is_signaled-no-deadlock.patch | 52 ++++++ ...op-calling-pinctrl-for-set_direction.patch | 91 +++++++++ ...-condition-in-rpc-handle-list-access.patch | 106 +++++++++++ .../ksmbd-smbd-fix-dma_unmap_sg-nents.patch | 72 ++++++++ ...-trace-treat-reg-parameter-as-string.patch | 104 +++++++++++ ...omize-the-freelist-on-initialization.patch | 85 +++++++++ queue-6.6/series | 13 ++ ...e-change-at-the-end-of-team_port_add.patch | 117 ++++++++++++ ...for-ath11k_hal_srng_-in-monitor-mode.patch | 105 +++++++++++ ...ac80211-move-tdls-work-to-wiphy-work.patch | 102 +++++++++++ 14 files changed, 1387 insertions(+) create mode 100644 queue-6.6/arm64-fpsimd-signal-consistently-read-fpsimd-context.patch create mode 100644 queue-6.6/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch create mode 100644 queue-6.6/arm64-fpsimd-signal-mandate-sve-payload-for-streaming-mode-state.patch create mode 100644 queue-6.6/drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch create mode 100644 queue-6.6/drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch create mode 100644 queue-6.6/gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch create mode 100644 queue-6.6/ksmbd-fix-race-condition-in-rpc-handle-list-access.patch create mode 100644 queue-6.6/ksmbd-smbd-fix-dma_unmap_sg-nents.patch create mode 100644 queue-6.6/mei-trace-treat-reg-parameter-as-string.patch create mode 100644 queue-6.6/mm-kfence-randomize-the-freelist-on-initialization.patch create mode 100644 queue-6.6/team-move-team-device-type-change-at-the-end-of-team_port_add.patch create mode 100644 queue-6.6/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch create mode 100644 queue-6.6/wifi-mac80211-move-tdls-work-to-wiphy-work.patch diff --git a/queue-6.6/arm64-fpsimd-signal-consistently-read-fpsimd-context.patch b/queue-6.6/arm64-fpsimd-signal-consistently-read-fpsimd-context.patch new file mode 100644 index 0000000000..68a576d8cd --- /dev/null +++ b/queue-6.6/arm64-fpsimd-signal-consistently-read-fpsimd-context.patch @@ -0,0 +1,145 @@ +From stable+bounces-212673-greg=kroah.com@vger.kernel.org Wed Jan 28 21:34:00 2026 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:33:49 -0500 +Subject: arm64/fpsimd: signal: Consistently read FPSIMD context +To: stable@vger.kernel.org +Cc: Mark Rutland , Will Deacon , Catalin Marinas , Marc Zyngier , Mark Brown , Sasha Levin +Message-ID: <20260128203350.2720303-2-sashal@kernel.org> + +From: Mark Rutland + +[ Upstream commit be625d803c3bbfa9652697eb57589fe6f2f24b89 ] + +For historical reasons, restore_sve_fpsimd_context() has an open-coded +copy of the logic from read_fpsimd_context(), which is used to either +restore an FPSIMD-only context, or to merge FPSIMD state into an +SVE state when restoring an SVE+FPSIMD context. The logic is *almost* +identical. + +Refactor the logic to avoid duplication and make this clearer. + +This comes with two functional changes that I do not believe will be +problematic in practice: + +* The user_fpsimd_state::size field will be checked in all restore paths + that consume it user_fpsimd_state. The kernel always populates this + field when delivering a signal, and so this should contain the + expected value unless it has been corrupted. + +* If a read of user_fpsimd_state fails, we will return early without + modifying TIF_SVE, the saved SVCR, or the save fp_type. This will + leave the task in a consistent state, without potentially resurrecting + stale FPSIMD state. A read of user_fpsimd_state should never fail + unless the structure has been corrupted or the stack has been + unmapped. + +Suggested-by: Will Deacon +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Link: https://lore.kernel.org/r/20250508132644.1395904-5-mark.rutland@arm.com +[will: Ensure read_fpsimd_context() returns negative error code or zero] +Signed-off-by: Will Deacon +Stable-dep-of: d2907cbe9ea0 ("arm64/fpsimd: signal: Fix restoration of SVE context") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/signal.c | 57 ++++++++++++++++++++++----------------------- + 1 file changed, 29 insertions(+), 28 deletions(-) + +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -202,29 +202,39 @@ static int preserve_fpsimd_context(struc + return err ? -EFAULT : 0; + } + +-static int restore_fpsimd_context(struct user_ctxs *user) ++static int read_fpsimd_context(struct user_fpsimd_state *fpsimd, ++ struct user_ctxs *user) + { +- struct user_fpsimd_state fpsimd; +- int err = 0; ++ int err; + + /* check the size information */ + if (user->fpsimd_size != sizeof(struct fpsimd_context)) + return -EINVAL; + + /* copy the FP and status/control registers */ +- err = __copy_from_user(fpsimd.vregs, &(user->fpsimd->vregs), +- sizeof(fpsimd.vregs)); +- __get_user_error(fpsimd.fpsr, &(user->fpsimd->fpsr), err); +- __get_user_error(fpsimd.fpcr, &(user->fpsimd->fpcr), err); ++ err = __copy_from_user(fpsimd->vregs, &(user->fpsimd->vregs), ++ sizeof(fpsimd->vregs)); ++ __get_user_error(fpsimd->fpsr, &(user->fpsimd->fpsr), err); ++ __get_user_error(fpsimd->fpcr, &(user->fpsimd->fpcr), err); ++ ++ return err ? -EFAULT : 0; ++} ++ ++static int restore_fpsimd_context(struct user_ctxs *user) ++{ ++ struct user_fpsimd_state fpsimd; ++ int err; ++ ++ err = read_fpsimd_context(&fpsimd, user); ++ if (err) ++ return err; + + clear_thread_flag(TIF_SVE); + current->thread.fp_type = FP_STATE_FPSIMD; + + /* load the hardware registers from the fpsimd_state structure */ +- if (!err) +- fpsimd_update_current_state(&fpsimd); +- +- return err ? -EFAULT : 0; ++ fpsimd_update_current_state(&fpsimd); ++ return 0; + } + + +@@ -316,12 +326,8 @@ static int restore_sve_fpsimd_context(st + * consistency and robustness, reject restoring streaming SVE state + * without an SVE payload. + */ +- if (!sm && user->sve_size == sizeof(*user->sve)) { +- clear_thread_flag(TIF_SVE); +- current->thread.svcr &= ~SVCR_SM_MASK; +- current->thread.fp_type = FP_STATE_FPSIMD; +- goto fpsimd_only; +- } ++ if (!sm && user->sve_size == sizeof(*user->sve)) ++ return restore_fpsimd_context(user); + + vq = sve_vq_from_vl(vl); + +@@ -357,19 +363,14 @@ static int restore_sve_fpsimd_context(st + set_thread_flag(TIF_SVE); + current->thread.fp_type = FP_STATE_SVE; + +-fpsimd_only: +- /* copy the FP and status/control registers */ +- /* restore_sigframe() already checked that user->fpsimd != NULL. */ +- err = __copy_from_user(fpsimd.vregs, user->fpsimd->vregs, +- sizeof(fpsimd.vregs)); +- __get_user_error(fpsimd.fpsr, &user->fpsimd->fpsr, err); +- __get_user_error(fpsimd.fpcr, &user->fpsimd->fpcr, err); ++ err = read_fpsimd_context(&fpsimd, user); ++ if (err) ++ return err; + +- /* load the hardware registers from the fpsimd_state structure */ +- if (!err) +- fpsimd_update_current_state(&fpsimd); ++ /* Merge the FPSIMD registers into the SVE state */ ++ fpsimd_update_current_state(&fpsimd); + +- return err ? -EFAULT : 0; ++ return 0; + } + + #else /* ! CONFIG_ARM64_SVE */ diff --git a/queue-6.6/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch b/queue-6.6/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch new file mode 100644 index 0000000000..de2b7ea420 --- /dev/null +++ b/queue-6.6/arm64-fpsimd-signal-fix-restoration-of-sve-context.patch @@ -0,0 +1,136 @@ +From stable+bounces-212674-greg=kroah.com@vger.kernel.org Wed Jan 28 21:35:11 2026 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:33:50 -0500 +Subject: arm64/fpsimd: signal: Fix restoration of SVE context +To: stable@vger.kernel.org +Cc: Mark Rutland , Mark Brown , Will Deacon , Catalin Marinas , Sasha Levin +Message-ID: <20260128203350.2720303-3-sashal@kernel.org> + +From: Mark Rutland + +[ Upstream commit d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 ] + +When SME is supported, Restoring SVE signal context can go wrong in a +few ways, including placing the task into an invalid state where the +kernel may read from out-of-bounds memory (and may potentially take a +fatal fault) and/or may kill the task with a SIGKILL. + +(1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into + an invalid state where SVCR.SM is set (and sve_state is non-NULL) + but TIF_SME is clear, consequently resuting in out-of-bounds memory + reads and/or killing the task with SIGKILL. + + This can only occur in unusual (but legitimate) cases where the SVE + signal context has either been modified by userspace or was saved in + the context of another task (e.g. as with CRIU), as otherwise the + presence of an SVE signal context with SVE_SIG_FLAG_SM implies that + TIF_SME is already set. + + While in this state, task_fpsimd_load() will NOT configure SMCR_ELx + (leaving some arbitrary value configured in hardware) before + restoring SVCR and attempting to restore the streaming mode SVE + registers from memory via sve_load_state(). As the value of + SMCR_ELx.LEN may be larger than the task's streaming SVE vector + length, this may read memory outside of the task's allocated + sve_state, reading unrelated data and/or triggering a fault. + + While this can result in secrets being loaded into streaming SVE + registers, these values are never exposed. As TIF_SME is clear, + fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0 + accesses to streaming mode SVE registers, so these cannot be + accessed directly at EL0. As fpsimd_save_user_state() verifies the + live vector length before saving (S)SVE state to memory, no secret + values can be saved back to memory (and hence cannot be observed via + ptrace, signals, etc). + + When the live vector length doesn't match the expected vector length + for the task, fpsimd_save_user_state() will send a fatal SIGKILL + signal to the task. Hence the task may be killed after executing + userspace for some period of time. + +(2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the + task's SVCR.SM. If SVCR.SM was set prior to restoring the context, + then the task will be left in streaming mode unexpectedly, and some + register state will be combined inconsistently, though the task will + be left in legitimate state from the kernel's PoV. + + This can only occur in unusual (but legitimate) cases where ptrace + has been used to set SVCR.SM after entry to the sigreturn syscall, + as syscall entry clears SVCR.SM. + + In these cases, the the provided SVE register data will be loaded + into the task's sve_state using the non-streaming SVE vector length + and the FPSIMD registers will be merged into this using the + streaming SVE vector length. + +Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires +ensuring that the task's sme_state has been allocated, but as this could +contain live ZA state, it should not be zeroed. Fix (2) by clearing +SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear. + +For consistency, I've pulled the manipulation of SVCR, TIF_SVE, TIF_SME, +and fp_type earlier, immediately after the allocation of +sve_state/sme_state, before the restore of the actual register state. +This makes it easier to ensure that these are always modified +consistently, even if a fault is taken while reading the register data +from the signal context. I do not expect any software to depend on the +exact state restored when a fault is taken while reading the context. + +Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling") +Signed-off-by: Mark Rutland +Cc: +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Signed-off-by: Catalin Marinas +[ preserved fpsimd_flush_task_state() call before new SME allocation logic ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/signal.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -344,12 +344,28 @@ static int restore_sve_fpsimd_context(st + fpsimd_flush_task_state(current); + /* From now, fpsimd_thread_switch() won't touch thread.sve_state */ + ++ if (sm) { ++ sme_alloc(current, false); ++ if (!current->thread.sme_state) ++ return -ENOMEM; ++ } ++ + sve_alloc(current, true); + if (!current->thread.sve_state) { + clear_thread_flag(TIF_SVE); + return -ENOMEM; + } + ++ if (sm) { ++ current->thread.svcr |= SVCR_SM_MASK; ++ set_thread_flag(TIF_SME); ++ } else { ++ current->thread.svcr &= ~SVCR_SM_MASK; ++ set_thread_flag(TIF_SVE); ++ } ++ ++ current->thread.fp_type = FP_STATE_SVE; ++ + err = __copy_from_user(current->thread.sve_state, + (char __user const *)user->sve + + SVE_SIG_REGS_OFFSET, +@@ -357,12 +373,6 @@ static int restore_sve_fpsimd_context(st + if (err) + return -EFAULT; + +- if (flags & SVE_SIG_FLAG_SM) +- current->thread.svcr |= SVCR_SM_MASK; +- else +- set_thread_flag(TIF_SVE); +- current->thread.fp_type = FP_STATE_SVE; +- + err = read_fpsimd_context(&fpsimd, user); + if (err) + return err; diff --git a/queue-6.6/arm64-fpsimd-signal-mandate-sve-payload-for-streaming-mode-state.patch b/queue-6.6/arm64-fpsimd-signal-mandate-sve-payload-for-streaming-mode-state.patch new file mode 100644 index 0000000000..49a8940ea6 --- /dev/null +++ b/queue-6.6/arm64-fpsimd-signal-mandate-sve-payload-for-streaming-mode-state.patch @@ -0,0 +1,87 @@ +From stable+bounces-212672-greg=kroah.com@vger.kernel.org Wed Jan 28 21:35:07 2026 +From: Sasha Levin +Date: Wed, 28 Jan 2026 15:33:48 -0500 +Subject: arm64/fpsimd: signal: Mandate SVE payload for streaming-mode state +To: stable@vger.kernel.org +Cc: Mark Rutland , Catalin Marinas , Marc Zyngier , Mark Brown , Will Deacon , Sasha Levin +Message-ID: <20260128203350.2720303-1-sashal@kernel.org> + +From: Mark Rutland + +[ Upstream commit b465ace42620970e840c7aeb2c44a6e3b1002fec ] + +Non-streaming SVE state may be preserved without an SVE payload, in +which case the SVE context only has a header with VL==0, and all state +can be restored from the FPSIMD context. Streaming SVE state is always +preserved with an SVE payload, where the SVE context header has VL!=0, +and the SVE_SIG_FLAG_SM flag is set. + +The kernel never preserves an SVE context where SVE_SIG_FLAG_SM is set +without an SVE payload. However, restore_sve_fpsimd_context() doesn't +forbid restoring such a context, and will handle this case by clearing +PSTATE.SM and restoring the FPSIMD context into non-streaming mode, +which isn't consistent with the SVE_SIG_FLAG_SM flag. + +Forbid this case, and mandate an SVE payload when the SVE_SIG_FLAG_SM +flag is set. This avoids an awkward ABI quirk and reduces the risk that +later rework to this code permits configuring a task with PSTATE.SM==1 +and fp_type==FP_STATE_FPSIMD. + +I've marked this as a fix given that we never intended to support this +case, and we don't want anyone to start relying upon the old behaviour +once we re-enable SME. + +Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling") +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20250508132644.1395904-4-mark.rutland@arm.com +Signed-off-by: Will Deacon +Stable-dep-of: d2907cbe9ea0 ("arm64/fpsimd: signal: Fix restoration of SVE context") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/signal.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -276,6 +276,7 @@ static int restore_sve_fpsimd_context(st + unsigned int vl, vq; + struct user_fpsimd_state fpsimd; + u16 user_vl, flags; ++ bool sm; + + if (user->sve_size < sizeof(*user->sve)) + return -EINVAL; +@@ -285,7 +286,8 @@ static int restore_sve_fpsimd_context(st + if (err) + return err; + +- if (flags & SVE_SIG_FLAG_SM) { ++ sm = flags & SVE_SIG_FLAG_SM; ++ if (sm) { + if (!system_supports_sme()) + return -EINVAL; + +@@ -305,7 +307,16 @@ static int restore_sve_fpsimd_context(st + if (user_vl != vl) + return -EINVAL; + +- if (user->sve_size == sizeof(*user->sve)) { ++ /* ++ * Non-streaming SVE state may be preserved without an SVE payload, in ++ * which case the SVE context only has a header with VL==0, and all ++ * state can be restored from the FPSIMD context. ++ * ++ * Streaming SVE state is always preserved with an SVE payload. For ++ * consistency and robustness, reject restoring streaming SVE state ++ * without an SVE payload. ++ */ ++ if (!sm && user->sve_size == sizeof(*user->sve)) { + clear_thread_flag(TIF_SVE); + current->thread.svcr &= ~SVCR_SM_MASK; + current->thread.fp_type = FP_STATE_FPSIMD; diff --git a/queue-6.6/drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch b/queue-6.6/drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch new file mode 100644 index 0000000000..7ed3546786 --- /dev/null +++ b/queue-6.6/drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch @@ -0,0 +1,172 @@ +From 1468888505@139.com Thu Jan 29 10:13:30 2026 +From: Li hongliang <1468888505@139.com> +Date: Thu, 29 Jan 2026 17:13:25 +0800 +Subject: drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, srinivasan.shanmugam@amd.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, alexander.deucher@amd.com, christian.koenig@amd.com, Xinhui.Pan@amd.com, airlied@gmail.com, daniel@ffwll.ch, sashal@kernel.org, mario.limonciello@amd.com, superm1@kernel.org, Jun.Ma2@amd.com, Zhigang.Luo@amd.com, Hawking.Zhang@amd.com, Jesse.Zhang@amd.com, victor.skvortsov@amd.com, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, lin.cao@amd.com, Jingwen.Chen2@amd.com +Message-ID: <20260129091325.3637010-1-1468888505@139.com> + +From: Srinivasan Shanmugam + +[ Upstream commit dc0297f3198bd60108ccbd167ee5d9fa4af31ed0 ] + +RLCG Register Access is a way for virtual functions to safely access GPU +registers in a virtualized environment., including TLB flushes and +register reads. When multiple threads or VFs try to access the same +registers simultaneously, it can lead to race conditions. By using the +RLCG interface, the driver can serialize access to the registers. This +means that only one thread can access the registers at a time, +preventing conflicts and ensuring that operations are performed +correctly. Additionally, when a low-priority task holds a mutex that a +high-priority task needs, ie., If a thread holding a spinlock tries to +acquire a mutex, it can lead to priority inversion. register access in +amdgpu_virt_rlcg_reg_rw especially in a fast code path is critical. + +The call stack shows that the function amdgpu_virt_rlcg_reg_rw is being +called, which attempts to acquire the mutex. This function is invoked +from amdgpu_sriov_wreg, which in turn is called from +gmc_v11_0_flush_gpu_tlb. + +The [ BUG: Invalid wait context ] indicates that a thread is trying to +acquire a mutex while it is in a context that does not allow it to sleep +(like holding a spinlock). + +Fixes the below: + +[ 253.013423] ============================= +[ 253.013434] [ BUG: Invalid wait context ] +[ 253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G U OE +[ 253.013464] ----------------------------- +[ 253.013475] kworker/0:1/10 is trying to lock: +[ 253.013487] ffff9f30542e3cf8 (&adev->virt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.013815] other info that might help us debug this: +[ 253.013827] context-{4:4} +[ 253.013835] 3 locks held by kworker/0:1/10: +[ 253.013847] #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680 +[ 253.013877] #1: ffffb789c008be40 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680 +[ 253.013905] #2: ffff9f3054281838 (&adev->gmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu] +[ 253.014154] stack backtrace: +[ 253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G U OE 6.12.0-amdstaging-drm-next-lol-050225 #14 +[ 253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +[ 253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024 +[ 253.014224] Workqueue: events work_for_cpu_fn +[ 253.014241] Call Trace: +[ 253.014250] +[ 253.014260] dump_stack_lvl+0x9b/0xf0 +[ 253.014275] dump_stack+0x10/0x20 +[ 253.014287] __lock_acquire+0xa47/0x2810 +[ 253.014303] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 253.014321] lock_acquire+0xd1/0x300 +[ 253.014333] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.014562] ? __lock_acquire+0xa6b/0x2810 +[ 253.014578] __mutex_lock+0x85/0xe20 +[ 253.014591] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.014782] ? sched_clock_noinstr+0x9/0x10 +[ 253.014795] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 253.014808] ? local_clock_noinstr+0xe/0xc0 +[ 253.014822] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.015012] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 253.015029] mutex_lock_nested+0x1b/0x30 +[ 253.015044] ? mutex_lock_nested+0x1b/0x30 +[ 253.015057] amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.015249] amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu] +[ 253.015435] gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu] +[ 253.015667] gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu] +[ 253.015901] ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu] +[ 253.016159] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 253.016173] ? smu_hw_init+0x18d/0x300 [amdgpu] +[ 253.016403] amdgpu_device_init+0x29ad/0x36a0 [amdgpu] +[ 253.016614] amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu] +[ 253.017057] amdgpu_pci_probe+0x1c2/0x660 [amdgpu] +[ 253.017493] local_pci_probe+0x4b/0xb0 +[ 253.017746] work_for_cpu_fn+0x1a/0x30 +[ 253.017995] process_one_work+0x21e/0x680 +[ 253.018248] worker_thread+0x190/0x330 +[ 253.018500] ? __pfx_worker_thread+0x10/0x10 +[ 253.018746] kthread+0xe7/0x120 +[ 253.018988] ? __pfx_kthread+0x10/0x10 +[ 253.019231] ret_from_fork+0x3c/0x60 +[ 253.019468] ? __pfx_kthread+0x10/0x10 +[ 253.019701] ret_from_fork_asm+0x1a/0x30 +[ 253.019939] + +v2: s/spin_trylock/spin_lock_irqsave to be safe (Christian). + +Fixes: e864180ee49b ("drm/amdgpu: Add lock around VF RLCG interface") +Cc: lin cao +Cc: Jingwen Chen +Cc: Victor Skvortsov +Cc: Zhigang Luo +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Suggested-by: Alex Deucher +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +[ Minor conflict resolved. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 5 +++-- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 ++- + 3 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3582,7 +3582,6 @@ int amdgpu_device_init(struct amdgpu_dev + mutex_init(&adev->grbm_idx_mutex); + mutex_init(&adev->mn_lock); + mutex_init(&adev->virt.vf_errors.lock); +- mutex_init(&adev->virt.rlcg_reg_lock); + hash_init(adev->mn_hash); + mutex_init(&adev->psp.mutex); + mutex_init(&adev->notifier_lock); +@@ -3604,6 +3603,7 @@ int amdgpu_device_init(struct amdgpu_dev + spin_lock_init(&adev->se_cac_idx_lock); + spin_lock_init(&adev->audio_endpt_idx_lock); + spin_lock_init(&adev->mm_stats.lock); ++ spin_lock_init(&adev->virt.rlcg_reg_lock); + + INIT_LIST_HEAD(&adev->shadow_list); + mutex_init(&adev->shadow_list_lock); +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +@@ -1007,6 +1007,7 @@ static u32 amdgpu_virt_rlcg_reg_rw(struc + void *scratch_reg2; + void *scratch_reg3; + void *spare_int; ++ unsigned long flags; + + if (!adev->gfx.rlc.rlcg_reg_access_supported) { + dev_err(adev->dev, +@@ -1028,7 +1029,7 @@ static u32 amdgpu_virt_rlcg_reg_rw(struc + scratch_reg2 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg2; + scratch_reg3 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg3; + +- mutex_lock(&adev->virt.rlcg_reg_lock); ++ spin_lock_irqsave(&adev->virt.rlcg_reg_lock, flags); + + if (reg_access_ctrl->spare_int) + spare_int = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->spare_int; +@@ -1086,7 +1087,7 @@ static u32 amdgpu_virt_rlcg_reg_rw(struc + + ret = readl(scratch_reg0); + +- mutex_unlock(&adev->virt.rlcg_reg_lock); ++ spin_unlock_irqrestore(&adev->virt.rlcg_reg_lock, flags); + + return ret; + } +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h +@@ -267,7 +267,8 @@ struct amdgpu_virt { + /* the ucode id to signal the autoload */ + uint32_t autoload_ucode_id; + +- struct mutex rlcg_reg_lock; ++ /* Spinlock to protect access to the RLCG register interface */ ++ spinlock_t rlcg_reg_lock; + }; + + struct amdgpu_video_codec_info; diff --git a/queue-6.6/drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch b/queue-6.6/drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch new file mode 100644 index 0000000000..163240ef0f --- /dev/null +++ b/queue-6.6/drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch @@ -0,0 +1,52 @@ +From 1468888505@139.com Mon Feb 2 08:58:36 2026 +From: Li hongliang <1468888505@139.com> +Date: Mon, 2 Feb 2026 15:58:31 +0800 +Subject: drm/radeon: delete radeon_fence_process in is_signaled, no deadlock +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, rbmccav@gmail.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, alexander.deucher@amd.com, christian.koenig@amd.com, Xinhui.Pan@amd.com, airlied@gmail.com, daniel@ffwll.ch, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org +Message-ID: <20260202075831.947537-1-1468888505@139.com> + +From: Robert McClinton + +[ Upstream commit 9eb00b5f5697bd56baa3222c7a1426fa15bacfb5 ] + +Delete the attempt to progress the queue when checking if fence is +signaled. This avoids deadlock. + +dma-fence_ops::signaled can be called with the fence lock in unknown +state. For radeon, the fence lock is also the wait queue lock. This can +cause a self deadlock when signaled() tries to make forward progress on +the wait queue. But advancing the queue is unneeded because incorrectly +returning false from signaled() is perfectly acceptable. + +Link: https://github.com/brave/brave-browser/issues/49182 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4641 +Cc: Alex Deucher +Signed-off-by: Robert McClinton +Signed-off-by: Alex Deucher +(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db) +Cc: stable@vger.kernel.org +[ Minor conflict resolved. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_fence.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_fence.c ++++ b/drivers/gpu/drm/radeon/radeon_fence.c +@@ -362,14 +362,6 @@ static bool radeon_fence_is_signaled(str + return true; + } + +- if (down_read_trylock(&rdev->exclusive_lock)) { +- radeon_fence_process(rdev, ring); +- up_read(&rdev->exclusive_lock); +- +- if (atomic64_read(&rdev->fence_drv[ring].last_seq) >= seq) { +- return true; +- } +- } + return false; + } + diff --git a/queue-6.6/gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch b/queue-6.6/gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch new file mode 100644 index 0000000000..aa9ec304a9 --- /dev/null +++ b/queue-6.6/gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch @@ -0,0 +1,91 @@ +From 7ca497be00163610afb663867db24ac408752f13 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Mon, 26 Jan 2026 12:12:26 +0000 +Subject: gpio: rockchip: Stop calling pinctrl for set_direction + +From: Robin Murphy + +commit 7ca497be00163610afb663867db24ac408752f13 upstream. + +Marking the whole controller as sleeping due to the pinctrl calls in the +.direction_{input,output} callbacks has the unfortunate side effect that +legitimate invocations of .get and .set, which cannot themselves sleep, +in atomic context now spew WARN()s from gpiolib. + +However, as Heiko points out, the driver doing this is a bit silly to +begin with, as the pinctrl .gpio_set_direction hook doesn't even care +about the direction, the hook is only used to claim the mux. And sure +enough, the .gpio_request_enable hook exists to serve this very purpose, +so switch to that and remove the problematic business entirely. + +Cc: stable@vger.kernel.org +Fixes: 20cf2aed89ac ("gpio: rockchip: mark the GPIO controller as sleeping") +Suggested-by: Heiko Stuebner +Signed-off-by: Robin Murphy +Reviewed-by: Heiko Stuebner +Link: https://lore.kernel.org/r/bddc0469f25843ca5ae0cf578ab3671435ae98a7.1769429546.git.robin.murphy@arm.com +Signed-off-by: Bartosz Golaszewski +[ Backport past pinctrl API change for the deleted calls ] +Signed-off-by: Robin Murphy +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-rockchip.c | 8 -------- + drivers/pinctrl/pinctrl-rockchip.c | 9 ++++----- + 2 files changed, 4 insertions(+), 13 deletions(-) + +--- a/drivers/gpio/gpio-rockchip.c ++++ b/drivers/gpio/gpio-rockchip.c +@@ -18,7 +18,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -157,12 +156,6 @@ static int rockchip_gpio_set_direction(s + unsigned long flags; + u32 data = input ? 0 : 1; + +- +- if (input) +- pinctrl_gpio_direction_input(bank->pin_base + offset); +- else +- pinctrl_gpio_direction_output(bank->pin_base + offset); +- + raw_spin_lock_irqsave(&bank->slock, flags); + rockchip_gpio_writel_bit(bank, offset, data, bank->gpio_regs->port_ddr); + raw_spin_unlock_irqrestore(&bank->slock, flags); +@@ -584,7 +577,6 @@ static int rockchip_gpiolib_register(str + gc->ngpio = bank->nr_pins; + gc->label = bank->name; + gc->parent = bank->dev; +- gc->can_sleep = true; + + ret = gpiochip_add_data(gc, bank); + if (ret) { +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -2749,10 +2749,9 @@ static int rockchip_pmx_set(struct pinct + return 0; + } + +-static int rockchip_pmx_gpio_set_direction(struct pinctrl_dev *pctldev, +- struct pinctrl_gpio_range *range, +- unsigned offset, +- bool input) ++static int rockchip_pmx_gpio_request_enable(struct pinctrl_dev *pctldev, ++ struct pinctrl_gpio_range *range, ++ unsigned int offset) + { + struct rockchip_pinctrl *info = pinctrl_dev_get_drvdata(pctldev); + struct rockchip_pin_bank *bank; +@@ -2766,7 +2765,7 @@ static const struct pinmux_ops rockchip_ + .get_function_name = rockchip_pmx_get_func_name, + .get_function_groups = rockchip_pmx_get_groups, + .set_mux = rockchip_pmx_set, +- .gpio_set_direction = rockchip_pmx_gpio_set_direction, ++ .gpio_request_enable = rockchip_pmx_gpio_request_enable, + }; + + /* diff --git a/queue-6.6/ksmbd-fix-race-condition-in-rpc-handle-list-access.patch b/queue-6.6/ksmbd-fix-race-condition-in-rpc-handle-list-access.patch new file mode 100644 index 0000000000..259f233b4b --- /dev/null +++ b/queue-6.6/ksmbd-fix-race-condition-in-rpc-handle-list-access.patch @@ -0,0 +1,106 @@ +From 1468888505@139.com Mon Feb 2 04:17:45 2026 +From: Li hongliang <1468888505@139.com> +Date: Mon, 2 Feb 2026 11:17:39 +0800 +Subject: ksmbd: Fix race condition in RPC handle list access +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, ysk@kzalloc.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, linkinjeon@kernel.org, sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com, akendo@akendo.eu, set_pte_at@outlook.com, linux-cifs@vger.kernel.org, stfrench@microsoft.com +Message-ID: <20260202031739.515222-1-1468888505@139.com> + +From: Yunseong Kim + +[ Upstream commit 305853cce379407090a73b38c5de5ba748893aee ] + +The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd +session. Access to this list is intended to be protected by +'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was +flawed, leading to potential race conditions. + +In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock +before calling xa_store() and xa_erase(). Since these operations modify +the XArray structure, a write lock is required to ensure exclusive access +and prevent data corruption from concurrent modifications. + +Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load() +without holding any lock at all. This could lead to reading inconsistent +data or a potential use-after-free if an entry is concurrently removed and +the pointer is dereferenced. + +Fix these issues by: +1. Using down_write() and up_write() in ksmbd_session_rpc_open() + to ensure exclusive access during XArray modification, and ensuring + the lock is correctly released on error paths. +2. Adding down_read() and up_read() in ksmbd_session_rpc_method() + to safely protect the lookup. + +Fixes: a1f46c99d9ea ("ksmbd: fix use-after-free in ksmbd_session_rpc_open") +Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray") +Cc: stable@vger.kernel.org +Signed-off-by: Yunseong Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +[ Minor conflict resolved. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -104,29 +104,32 @@ int ksmbd_session_rpc_open(struct ksmbd_ + if (!entry) + return -ENOMEM; + +- down_read(&sess->rpc_lock); + entry->method = method; + entry->id = id = ksmbd_ipc_id_alloc(); + if (id < 0) + goto free_entry; ++ ++ down_write(&sess->rpc_lock); + old = xa_store(&sess->rpc_handle_list, id, entry, GFP_KERNEL); +- if (xa_is_err(old)) ++ if (xa_is_err(old)) { ++ up_write(&sess->rpc_lock); + goto free_id; ++ } + + resp = ksmbd_rpc_open(sess, id); +- if (!resp) +- goto erase_xa; ++ if (!resp) { ++ xa_erase(&sess->rpc_handle_list, entry->id); ++ up_write(&sess->rpc_lock); ++ goto free_id; ++ } + +- up_read(&sess->rpc_lock); ++ up_write(&sess->rpc_lock); + kvfree(resp); + return id; +-erase_xa: +- xa_erase(&sess->rpc_handle_list, entry->id); + free_id: + ksmbd_rpc_id_free(entry->id); + free_entry: + kfree(entry); +- up_read(&sess->rpc_lock); + return -EINVAL; + } + +@@ -144,9 +147,14 @@ void ksmbd_session_rpc_close(struct ksmb + int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id) + { + struct ksmbd_session_rpc *entry; ++ int method; + ++ down_read(&sess->rpc_lock); + entry = xa_load(&sess->rpc_handle_list, id); +- return entry ? entry->method : 0; ++ method = entry ? entry->method : 0; ++ up_read(&sess->rpc_lock); ++ ++ return method; + } + + void ksmbd_session_destroy(struct ksmbd_session *sess) diff --git a/queue-6.6/ksmbd-smbd-fix-dma_unmap_sg-nents.patch b/queue-6.6/ksmbd-smbd-fix-dma_unmap_sg-nents.patch new file mode 100644 index 0000000000..1177e42be1 --- /dev/null +++ b/queue-6.6/ksmbd-smbd-fix-dma_unmap_sg-nents.patch @@ -0,0 +1,72 @@ +From stable+bounces-212679-greg=kroah.com@vger.kernel.org Wed Jan 28 22:36:19 2026 +From: Sasha Levin +Date: Wed, 28 Jan 2026 16:36:14 -0500 +Subject: ksmbd: smbd: fix dma_unmap_sg() nents +To: stable@vger.kernel.org +Cc: Thomas Fourier , Namjae Jeon , Steve French , Sasha Levin +Message-ID: <20260128213614.2762269-1-sashal@kernel.org> + +From: Thomas Fourier + +[ Upstream commit 98e3e2b561bc88f4dd218d1c05890672874692f6 ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Cc: +Signed-off-by: Thomas Fourier +Acked-by: Namjae Jeon +Signed-off-by: Steve French +[ Context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_rdma.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -1108,14 +1108,12 @@ static int get_sg_list(void *buf, int si + + static int get_mapped_sg_list(struct ib_device *device, void *buf, int size, + struct scatterlist *sg_list, int nentries, +- enum dma_data_direction dir) ++ enum dma_data_direction dir, int *npages) + { +- int npages; +- +- npages = get_sg_list(buf, size, sg_list, nentries); +- if (npages < 0) ++ *npages = get_sg_list(buf, size, sg_list, nentries); ++ if (*npages < 0) + return -EINVAL; +- return ib_dma_map_sg(device, sg_list, npages, dir); ++ return ib_dma_map_sg(device, sg_list, *npages, dir); + } + + static int post_sendmsg(struct smb_direct_transport *t, +@@ -1184,12 +1182,13 @@ static int smb_direct_post_send_data(str + for (i = 0; i < niov; i++) { + struct ib_sge *sge; + int sg_cnt; ++ int npages; + + sg_init_table(sg, SMB_DIRECT_MAX_SEND_SGES - 1); + sg_cnt = get_mapped_sg_list(t->cm_id->device, + iov[i].iov_base, iov[i].iov_len, + sg, SMB_DIRECT_MAX_SEND_SGES - 1, +- DMA_TO_DEVICE); ++ DMA_TO_DEVICE, &npages); + if (sg_cnt <= 0) { + pr_err("failed to map buffer\n"); + ret = -ENOMEM; +@@ -1197,7 +1196,7 @@ static int smb_direct_post_send_data(str + } else if (sg_cnt + msg->num_sge > SMB_DIRECT_MAX_SEND_SGES) { + pr_err("buffer not fitted into sges\n"); + ret = -E2BIG; +- ib_dma_unmap_sg(t->cm_id->device, sg, sg_cnt, ++ ib_dma_unmap_sg(t->cm_id->device, sg, npages, + DMA_TO_DEVICE); + goto err; + } diff --git a/queue-6.6/mei-trace-treat-reg-parameter-as-string.patch b/queue-6.6/mei-trace-treat-reg-parameter-as-string.patch new file mode 100644 index 0000000000..6510ce3b1a --- /dev/null +++ b/queue-6.6/mei-trace-treat-reg-parameter-as-string.patch @@ -0,0 +1,104 @@ +From stable+bounces-212678-greg=kroah.com@vger.kernel.org Wed Jan 28 22:36:17 2026 +From: Sasha Levin +Date: Wed, 28 Jan 2026 16:36:08 -0500 +Subject: mei: trace: treat reg parameter as string +To: stable@vger.kernel.org +Cc: Alexander Usyskin , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20260128213608.2762086-1-sashal@kernel.org> + +From: Alexander Usyskin + +[ Upstream commit 06d5a7afe1d0b47102936d8fba568572c2b4b941 ] + +The commit +afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format") +forbids to emit event with a plain char* without a wrapper. + +The reg parameter always passed as static string and wrapper +is not strictly required, contrary to dev parameter. +Use the string wrapper anyway to check sanity of the reg parameters, +store it value independently and prevent internal kernel data leaks. + +Since some code refactoring has taken place, explicit backporting may +be needed for kernels older than 6.10. + +Cc: stable@vger.kernel.org # v6.11+ +Fixes: a0a927d06d79 ("mei: me: add io register tracing") +Signed-off-by: Alexander Usyskin +Link: https://patch.msgid.link/20260111145125.1754912-1-alexander.usyskin@intel.com +Signed-off-by: Greg Kroah-Hartman +[ adapted __assign_str() calls to use two arguments ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/mei-trace.h | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/misc/mei/mei-trace.h ++++ b/drivers/misc/mei/mei-trace.h +@@ -21,18 +21,18 @@ TRACE_EVENT(mei_reg_read, + TP_ARGS(dev, reg, offs, val), + TP_STRUCT__entry( + __string(dev, dev_name(dev)) +- __field(const char *, reg) ++ __string(reg, reg) + __field(u32, offs) + __field(u32, val) + ), + TP_fast_assign( + __assign_str(dev, dev_name(dev)); +- __entry->reg = reg; ++ __assign_str(reg, reg); + __entry->offs = offs; + __entry->val = val; + ), + TP_printk("[%s] read %s:[%#x] = %#x", +- __get_str(dev), __entry->reg, __entry->offs, __entry->val) ++ __get_str(dev), __get_str(reg), __entry->offs, __entry->val) + ); + + TRACE_EVENT(mei_reg_write, +@@ -40,18 +40,18 @@ TRACE_EVENT(mei_reg_write, + TP_ARGS(dev, reg, offs, val), + TP_STRUCT__entry( + __string(dev, dev_name(dev)) +- __field(const char *, reg) ++ __string(reg, reg) + __field(u32, offs) + __field(u32, val) + ), + TP_fast_assign( + __assign_str(dev, dev_name(dev)); +- __entry->reg = reg; ++ __assign_str(reg, reg); + __entry->offs = offs; + __entry->val = val; + ), + TP_printk("[%s] write %s[%#x] = %#x", +- __get_str(dev), __entry->reg, __entry->offs, __entry->val) ++ __get_str(dev), __get_str(reg), __entry->offs, __entry->val) + ); + + TRACE_EVENT(mei_pci_cfg_read, +@@ -59,18 +59,18 @@ TRACE_EVENT(mei_pci_cfg_read, + TP_ARGS(dev, reg, offs, val), + TP_STRUCT__entry( + __string(dev, dev_name(dev)) +- __field(const char *, reg) ++ __string(reg, reg) + __field(u32, offs) + __field(u32, val) + ), + TP_fast_assign( + __assign_str(dev, dev_name(dev)); +- __entry->reg = reg; ++ __assign_str(reg, reg); + __entry->offs = offs; + __entry->val = val; + ), + TP_printk("[%s] pci cfg read %s:[%#x] = %#x", +- __get_str(dev), __entry->reg, __entry->offs, __entry->val) ++ __get_str(dev), __get_str(reg), __entry->offs, __entry->val) + ); + + #endif /* _MEI_TRACE_H_ */ diff --git a/queue-6.6/mm-kfence-randomize-the-freelist-on-initialization.patch b/queue-6.6/mm-kfence-randomize-the-freelist-on-initialization.patch new file mode 100644 index 0000000000..dd1d69ae35 --- /dev/null +++ b/queue-6.6/mm-kfence-randomize-the-freelist-on-initialization.patch @@ -0,0 +1,85 @@ +From 870ff19251bf3910dda7a7245da826924045fedd Mon Sep 17 00:00:00 2001 +From: Pimyn Girgis +Date: Tue, 20 Jan 2026 17:15:10 +0100 +Subject: mm/kfence: randomize the freelist on initialization + +From: Pimyn Girgis + +commit 870ff19251bf3910dda7a7245da826924045fedd upstream. + +Randomize the KFENCE freelist during pool initialization to make +allocation patterns less predictable. This is achieved by shuffling the +order in which metadata objects are added to the freelist using +get_random_u32_below(). + +Additionally, ensure the error path correctly calculates the address range +to be reset if initialization fails, as the address increment logic has +been moved to a separate loop. + +Link: https://lkml.kernel.org/r/20260120161510.3289089-1-pimyn@google.com +Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure") +Signed-off-by: Pimyn Girgis +Reviewed-by: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Marco Elver +Cc: Ernesto Martnez Garca +Cc: Greg KH +Cc: Kees Cook +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Pimyn Girgis +Signed-off-by: Greg Kroah-Hartman +--- + mm/kfence/core.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/mm/kfence/core.c ++++ b/mm/kfence/core.c +@@ -577,7 +577,7 @@ static unsigned long kfence_init_pool(vo + { + unsigned long addr; + struct page *pages; +- int i; ++ int i, rand; + + if (!arch_kfence_init_pool()) + return (unsigned long)__kfence_pool; +@@ -626,13 +626,27 @@ static unsigned long kfence_init_pool(vo + INIT_LIST_HEAD(&meta->list); + raw_spin_lock_init(&meta->lock); + meta->state = KFENCE_OBJECT_UNUSED; +- meta->addr = addr; /* Initialize for validation in metadata_to_pageaddr(). */ +- list_add_tail(&meta->list, &kfence_freelist); ++ /* Use addr to randomize the freelist. */ ++ meta->addr = i; + + /* Protect the right redzone. */ +- if (unlikely(!kfence_protect(addr + PAGE_SIZE))) ++ if (unlikely(!kfence_protect(addr + 2 * i * PAGE_SIZE + PAGE_SIZE))) + goto reset_slab; ++ } ++ ++ for (i = CONFIG_KFENCE_NUM_OBJECTS; i > 0; i--) { ++ rand = get_random_u32_below(i); ++ swap(kfence_metadata_init[i - 1].addr, kfence_metadata_init[rand].addr); ++ } + ++ for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) { ++ struct kfence_metadata *meta_1 = &kfence_metadata_init[i]; ++ struct kfence_metadata *meta_2 = &kfence_metadata_init[meta_1->addr]; ++ ++ list_add_tail(&meta_2->list, &kfence_freelist); ++ } ++ for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) { ++ kfence_metadata_init[i].addr = addr; + addr += 2 * PAGE_SIZE; + } + +@@ -645,6 +659,7 @@ static unsigned long kfence_init_pool(vo + return 0; + + reset_slab: ++ addr += 2 * i * PAGE_SIZE; + for (i = 0; i < KFENCE_POOL_SIZE / PAGE_SIZE; i++) { + struct slab *slab = page_slab(nth_page(pages, i)); + diff --git a/queue-6.6/series b/queue-6.6/series index d31a9860ac..87e9aac259 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -39,3 +39,16 @@ drm-imx-tve-fix-probe-device-leak.patch drm-amdgpu-soc21-fix-xclk-for-apus.patch drm-amdgpu-gfx10-fix-wptr-reset-in-kgq-init.patch drm-amdgpu-gfx11-fix-wptr-reset-in-kgq-init.patch +gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch +mm-kfence-randomize-the-freelist-on-initialization.patch +arm64-fpsimd-signal-mandate-sve-payload-for-streaming-mode-state.patch +arm64-fpsimd-signal-consistently-read-fpsimd-context.patch +arm64-fpsimd-signal-fix-restoration-of-sve-context.patch +mei-trace-treat-reg-parameter-as-string.patch +ksmbd-smbd-fix-dma_unmap_sg-nents.patch +drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch +ksmbd-fix-race-condition-in-rpc-handle-list-access.patch +wifi-mac80211-move-tdls-work-to-wiphy-work.patch +wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch +team-move-team-device-type-change-at-the-end-of-team_port_add.patch +drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch diff --git a/queue-6.6/team-move-team-device-type-change-at-the-end-of-team_port_add.patch b/queue-6.6/team-move-team-device-type-change-at-the-end-of-team_port_add.patch new file mode 100644 index 0000000000..4601f5d81e --- /dev/null +++ b/queue-6.6/team-move-team-device-type-change-at-the-end-of-team_port_add.patch @@ -0,0 +1,117 @@ +From stable+bounces-213166-greg=kroah.com@vger.kernel.org Tue Feb 3 05:47:11 2026 +From: Rahul Sharma +Date: Tue, 3 Feb 2026 12:45:57 +0800 +Subject: team: Move team device type change at the end of team_port_add +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, "Nikola Z. Ivanov" , syzbot+a2a3b519de727b0f7903@syzkaller.appspotmail.com, Jiri Pirko , Jakub Kicinski , Rahul Sharma +Message-ID: <20260203044557.440244-1-black.hawk@163.com> + +From: "Nikola Z. Ivanov" + +[ Upstream commit 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef ] + +Attempting to add a port device that is already up will expectedly fail, +but not before modifying the team device header_ops. + +In the case of the syzbot reproducer the gre0 device is +already in state UP when it attempts to add it as a +port device of team0, this fails but before that +header_ops->create of team0 is changed from eth_header to ipgre_header +in the call to team_dev_type_check_change. + +Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense +as the private data of the device still holds a struct team. + +Example sequence of iproute2 commands to reproduce the hang/BUG(): +ip link add dev team0 type team +ip link add dev gre0 type gre +ip link set dev gre0 up +ip link set dev gre0 master team0 +ip link set dev team0 up +ping -I team0 1.1.1.1 + +Move team_dev_type_check_change down where all other checks have passed +as it changes the dev type with no way to restore it in case +one of the checks that follow it fail. + +Also make sure to preserve the origial mtu assignment: + - If port_dev is not the same type as dev, dev takes mtu from port_dev + - If port_dev is the same type as dev, port_dev takes mtu from dev + +This is done by adding a conditional before the call to dev_set_mtu +to prevent it from assigning port_dev->mtu = dev->mtu and instead +letting team_dev_type_check_change assign dev->mtu = port_dev->mtu. +The conditional is needed because the patch moves the call to +team_dev_type_check_change past dev_set_mtu. + +Testing: + - team device driver in-tree selftests + - Add/remove various devices as slaves of team device + - syzbot + +Reported-by: syzbot+a2a3b519de727b0f7903@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a2a3b519de727b0f7903 +Fixes: 1d76efe1577b ("team: add support for non-ethernet devices") +Signed-off-by: Nikola Z. Ivanov +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20251122002027.695151-1-zlatistiv@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/team/team.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1184,10 +1184,6 @@ static int team_port_add(struct team *te + return -EPERM; + } + +- err = team_dev_type_check_change(dev, port_dev); +- if (err) +- return err; +- + if (port_dev->flags & IFF_UP) { + NL_SET_ERR_MSG(extack, "Device is up. Set it down before adding it as a team port"); + netdev_err(dev, "Device %s is up. Set it down before adding it as a team port\n", +@@ -1205,10 +1201,16 @@ static int team_port_add(struct team *te + INIT_LIST_HEAD(&port->qom_list); + + port->orig.mtu = port_dev->mtu; +- err = dev_set_mtu(port_dev, dev->mtu); +- if (err) { +- netdev_dbg(dev, "Error %d calling dev_set_mtu\n", err); +- goto err_set_mtu; ++ /* ++ * MTU assignment will be handled in team_dev_type_check_change ++ * if dev and port_dev are of different types ++ */ ++ if (dev->type == port_dev->type) { ++ err = dev_set_mtu(port_dev, dev->mtu); ++ if (err) { ++ netdev_dbg(dev, "Error %d calling dev_set_mtu\n", err); ++ goto err_set_mtu; ++ } + } + + memcpy(port->orig.dev_addr, port_dev->dev_addr, port_dev->addr_len); +@@ -1283,6 +1285,10 @@ static int team_port_add(struct team *te + } + } + ++ err = team_dev_type_check_change(dev, port_dev); ++ if (err) ++ goto err_set_dev_type; ++ + if (dev->flags & IFF_UP) { + netif_addr_lock_bh(dev); + dev_uc_sync_multiple(port_dev, dev); +@@ -1301,6 +1307,7 @@ static int team_port_add(struct team *te + + return 0; + ++err_set_dev_type: + err_set_slave_promisc: + __team_option_inst_del_port(team, port); + diff --git a/queue-6.6/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch b/queue-6.6/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch new file mode 100644 index 0000000000..d78b000a9d --- /dev/null +++ b/queue-6.6/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch @@ -0,0 +1,105 @@ +From stable+bounces-213159-greg=kroah.com@vger.kernel.org Tue Feb 3 04:14:07 2026 +From: Li hongliang <1468888505@139.com> +Date: Tue, 3 Feb 2026 11:13:45 +0800 +Subject: wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, quic_kangyang@quicinc.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, kvalo@kernel.org, jjohnson@kernel.org, quic_vthiagar@quicinc.com, quic_vnaralas@quicinc.com, quic_msinada@quicinc.com, gseset@codeaurora.org, linux-wireless@vger.kernel.org, ath11k@lists.infradead.org, quic_jjohnson@quicinc.com, jeff.johnson@oss.qualcomm.com +Message-ID: <20260203031345.1357063-1-1468888505@139.com> + +From: Kang Yang + +[ Upstream commit 63b7af49496d0e32f7a748b6af3361ec138b1bd3 ] + +ath11k_hal_srng_* should be used with srng->lock to protect srng data. + +For ath11k_dp_rx_mon_dest_process() and ath11k_dp_full_mon_process_rx(), +they use ath11k_hal_srng_* for many times but never call srng->lock. + +So when running (full) monitor mode, warning will occur: +RIP: 0010:ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k] +Call Trace: + ? ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k] + ath11k_dp_rx_process_mon_status+0xc45/0x1190 [ath11k] + ? idr_alloc_u32+0x97/0xd0 + ath11k_dp_rx_process_mon_rings+0x32a/0x550 [ath11k] + ath11k_dp_service_srng+0x289/0x5a0 [ath11k] + ath11k_pcic_ext_grp_napi_poll+0x30/0xd0 [ath11k] + __napi_poll+0x30/0x1f0 + net_rx_action+0x198/0x320 + __do_softirq+0xdd/0x319 + +So add srng->lock for them to avoid such warnings. + +Inorder to fetch the srng->lock, should change srng's definition from +'void' to 'struct hal_srng'. And initialize them elsewhere to prevent +one line of code from being too long. This is consistent with other ring +process functions, such as ath11k_dp_process_rx(). + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Kang Yang +Acked-by: Jeff Johnson +Link: https://patch.msgid.link/20241219110531.2096-3-quic_kangyang@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -5093,7 +5093,7 @@ static void ath11k_dp_rx_mon_dest_proces + struct ath11k_mon_data *pmon = (struct ath11k_mon_data *)&dp->mon_data; + const struct ath11k_hw_hal_params *hal_params; + void *ring_entry; +- void *mon_dst_srng; ++ struct hal_srng *mon_dst_srng; + u32 ppdu_id; + u32 rx_bufs_used; + u32 ring_id; +@@ -5117,6 +5117,7 @@ static void ath11k_dp_rx_mon_dest_proces + + spin_lock_bh(&pmon->mon_lock); + ++ spin_lock_bh(&mon_dst_srng->lock); + ath11k_hal_srng_access_begin(ar->ab, mon_dst_srng); + + ppdu_id = pmon->mon_ppdu_info.ppdu_id; +@@ -5175,6 +5176,7 @@ static void ath11k_dp_rx_mon_dest_proces + mon_dst_srng); + } + ath11k_hal_srng_access_end(ar->ab, mon_dst_srng); ++ spin_unlock_bh(&mon_dst_srng->lock); + + spin_unlock_bh(&pmon->mon_lock); + +@@ -5564,7 +5566,7 @@ static int ath11k_dp_full_mon_process_rx + struct hal_sw_mon_ring_entries *sw_mon_entries; + struct ath11k_pdev_mon_stats *rx_mon_stats; + struct sk_buff *head_msdu, *tail_msdu; +- void *mon_dst_srng = &ar->ab->hal.srng_list[dp->rxdma_mon_dst_ring.ring_id]; ++ struct hal_srng *mon_dst_srng; + void *ring_entry; + u32 rx_bufs_used = 0, mpdu_rx_bufs_used; + int quota = 0, ret; +@@ -5580,6 +5582,9 @@ static int ath11k_dp_full_mon_process_rx + goto reap_status_ring; + } + ++ mon_dst_srng = &ar->ab->hal.srng_list[dp->rxdma_mon_dst_ring.ring_id]; ++ spin_lock_bh(&mon_dst_srng->lock); ++ + ath11k_hal_srng_access_begin(ar->ab, mon_dst_srng); + while ((ring_entry = ath11k_hal_srng_dst_peek(ar->ab, mon_dst_srng))) { + head_msdu = NULL; +@@ -5623,6 +5628,7 @@ next_entry: + } + + ath11k_hal_srng_access_end(ar->ab, mon_dst_srng); ++ spin_unlock_bh(&mon_dst_srng->lock); + spin_unlock_bh(&pmon->mon_lock); + + if (rx_bufs_used) { diff --git a/queue-6.6/wifi-mac80211-move-tdls-work-to-wiphy-work.patch b/queue-6.6/wifi-mac80211-move-tdls-work-to-wiphy-work.patch new file mode 100644 index 0000000000..d254856f2a --- /dev/null +++ b/queue-6.6/wifi-mac80211-move-tdls-work-to-wiphy-work.patch @@ -0,0 +1,102 @@ +From stable+bounces-213085-greg=kroah.com@vger.kernel.org Mon Feb 2 17:51:30 2026 +From: "Hanne-Lotta Mäenpää" +Date: Mon, 2 Feb 2026 18:47:45 +0200 +Subject: wifi: mac80211: move TDLS work to wiphy work +To: stable@vger.kernel.org +Cc: johannes@sipsolutions.net, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, "Johannes Berg" , "Emmanuel Grumbach" , "Hanne-Lotta Mäenpää" +Message-ID: <20260202164745.215560-1-hannelotta@gmail.com> + +From: Johannes Berg + +[ Upstream commit 777b26002b73127e81643d9286fadf3d41e0e477 ] + +Again, to have the wiphy locked for it. + +Reviewed-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +(cherry picked from commit 777b26002b73127e81643d9286fadf3d41e0e477) +Signed-off-by: Hanne-Lotta Mäenpää +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ieee80211_i.h | 4 ++-- + net/mac80211/mlme.c | 7 ++++--- + net/mac80211/tdls.c | 11 ++++++----- + 3 files changed, 12 insertions(+), 10 deletions(-) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -530,7 +530,7 @@ struct ieee80211_if_managed { + + /* TDLS support */ + u8 tdls_peer[ETH_ALEN] __aligned(2); +- struct delayed_work tdls_peer_del_work; ++ struct wiphy_delayed_work tdls_peer_del_work; + struct sk_buff *orig_teardown_skb; /* The original teardown skb */ + struct sk_buff *teardown_skb; /* A copy to send through the AP */ + spinlock_t teardown_lock; /* To lock changing teardown_skb */ +@@ -2599,7 +2599,7 @@ int ieee80211_tdls_mgmt(struct wiphy *wi + const u8 *extra_ies, size_t extra_ies_len); + int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev, + const u8 *peer, enum nl80211_tdls_operation oper); +-void ieee80211_tdls_peer_del_work(struct work_struct *wk); ++void ieee80211_tdls_peer_del_work(struct wiphy *wiphy, struct wiphy_work *wk); + int ieee80211_tdls_channel_switch(struct wiphy *wiphy, struct net_device *dev, + const u8 *addr, u8 oper_class, + struct cfg80211_chan_def *chandef); +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -6866,8 +6866,8 @@ void ieee80211_sta_setup_sdata(struct ie + ieee80211_beacon_connection_loss_work); + wiphy_work_init(&ifmgd->csa_connection_drop_work, + ieee80211_csa_connection_drop_work); +- INIT_DELAYED_WORK(&ifmgd->tdls_peer_del_work, +- ieee80211_tdls_peer_del_work); ++ wiphy_delayed_work_init(&ifmgd->tdls_peer_del_work, ++ ieee80211_tdls_peer_del_work); + wiphy_delayed_work_init(&ifmgd->ml_reconf_work, + ieee80211_ml_reconf_work); + timer_setup(&ifmgd->timer, ieee80211_sta_timer, 0); +@@ -7881,7 +7881,8 @@ void ieee80211_mgd_stop(struct ieee80211 + &ifmgd->beacon_connection_loss_work); + wiphy_work_cancel(sdata->local->hw.wiphy, + &ifmgd->csa_connection_drop_work); +- cancel_delayed_work_sync(&ifmgd->tdls_peer_del_work); ++ wiphy_delayed_work_cancel(sdata->local->hw.wiphy, ++ &ifmgd->tdls_peer_del_work); + wiphy_delayed_work_cancel(sdata->local->hw.wiphy, + &ifmgd->ml_reconf_work); + +--- a/net/mac80211/tdls.c ++++ b/net/mac80211/tdls.c +@@ -21,7 +21,7 @@ + /* give usermode some time for retries in setting up the TDLS session */ + #define TDLS_PEER_SETUP_TIMEOUT (15 * HZ) + +-void ieee80211_tdls_peer_del_work(struct work_struct *wk) ++void ieee80211_tdls_peer_del_work(struct wiphy *wiphy, struct wiphy_work *wk) + { + struct ieee80211_sub_if_data *sdata; + struct ieee80211_local *local; +@@ -1224,9 +1224,9 @@ ieee80211_tdls_mgmt_setup(struct wiphy * + return ret; + } + +- ieee80211_queue_delayed_work(&sdata->local->hw, +- &sdata->u.mgd.tdls_peer_del_work, +- TDLS_PEER_SETUP_TIMEOUT); ++ wiphy_delayed_work_queue(sdata->local->hw.wiphy, ++ &sdata->u.mgd.tdls_peer_del_work, ++ TDLS_PEER_SETUP_TIMEOUT); + return 0; + + out_unlock: +@@ -1526,7 +1526,8 @@ int ieee80211_tdls_oper(struct wiphy *wi + } + + if (ret == 0 && ether_addr_equal(sdata->u.mgd.tdls_peer, peer)) { +- cancel_delayed_work(&sdata->u.mgd.tdls_peer_del_work); ++ wiphy_delayed_work_cancel(sdata->local->hw.wiphy, ++ &sdata->u.mgd.tdls_peer_del_work); + eth_zero_addr(sdata->u.mgd.tdls_peer); + } + -- 2.47.3