From de592d71f62b2cf2c69d1479590e6f9fecc4b499 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 8 Nov 2025 14:30:21 +0900 Subject: [PATCH] 6.12-stable patches added patches: btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch media-uvcvideo-use-heuristic-to-find-stream-entity.patch media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch net-libwx-fix-device-bus-lan-id.patch revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch --- ...s-written-back-for-an-fs-with-errors.patch | 79 +++++++++++++ ...-afbc-support-on-mediatek-drm-driver.patch | 107 ++++++++++++++++++ ...-use-heuristic-to-find-stream-entity.patch | 60 ++++++++++ ...ve_bufs-when-legacy-fileio-is-active.patch | 39 +++++++ .../net-libwx-fix-device-bus-lan-id.patch | 60 ++++++++++ ...ssary-wait-for-service-ready-message.patch | 85 ++++++++++++++ ...ap_get_reader-when-reader-catches-up.patch | 51 +++++++++ queue-6.12/series | 7 ++ 8 files changed, 488 insertions(+) create mode 100644 queue-6.12/btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch create mode 100644 queue-6.12/drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch create mode 100644 queue-6.12/media-uvcvideo-use-heuristic-to-find-stream-entity.patch create mode 100644 queue-6.12/media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch create mode 100644 queue-6.12/net-libwx-fix-device-bus-lan-id.patch create mode 100644 queue-6.12/revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch create mode 100644 queue-6.12/ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch diff --git a/queue-6.12/btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch b/queue-6.12/btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch new file mode 100644 index 0000000000..3d383dfb6a --- /dev/null +++ b/queue-6.12/btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch @@ -0,0 +1,79 @@ +From 2618849f31e7cf51fadd4a5242458501a6d5b315 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Thu, 23 Oct 2025 19:44:04 +1030 +Subject: btrfs: ensure no dirty metadata is written back for an fs with errors + +From: Qu Wenruo + +commit 2618849f31e7cf51fadd4a5242458501a6d5b315 upstream. + +[BUG] +During development of a minor feature (make sure all btrfs_bio::end_io() +is called in task context), I noticed a crash in generic/388, where +metadata writes triggered new works after btrfs_stop_all_workers(). + +It turns out that it can even happen without any code modification, just +using RAID5 for metadata and the same workload from generic/388 is going +to trigger the use-after-free. + +[CAUSE] +If btrfs hits an error, the fs is marked as error, no new +transaction is allowed thus metadata is in a frozen state. + +But there are some metadata modifications before that error, and they are +still in the btree inode page cache. + +Since there will be no real transaction commit, all those dirty folios +are just kept as is in the page cache, and they can not be invalidated +by invalidate_inode_pages2() call inside close_ctree(), because they are +dirty. + +And finally after btrfs_stop_all_workers(), we call iput() on btree +inode, which triggers writeback of those dirty metadata. + +And if the fs is using RAID56 metadata, this will trigger RMW and queue +new works into rmw_workers, which is already stopped, causing warning +from queue_work() and use-after-free. + +[FIX] +Add a special handling for write_one_eb(), that if the fs is already in +an error state, immediately mark the bbio as failure, instead of really +submitting them. + +Then during close_ctree(), iput() will just discard all those dirty +tree blocks without really writing them back, thus no more new jobs for +already stopped-and-freed workqueues. + +The extra discard in write_one_eb() also acts as an extra safenet. +E.g. the transaction abort is triggered by some extent/free space +tree corruptions, and since extent/free space tree is already corrupted +some tree blocks may be allocated where they shouldn't be (overwriting +existing tree blocks). In that case writing them back will further +corrupting the fs. + +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -1882,6 +1882,14 @@ static noinline_for_stack void write_one + folio_unlock(folio); + } + } ++ /* ++ * If the fs is already in error status, do not submit any writeback ++ * but immediately finish it. ++ */ ++ if (unlikely(BTRFS_FS_ERROR(fs_info))) { ++ btrfs_bio_end_io(bbio, errno_to_blk_status(BTRFS_FS_ERROR(fs_info))); ++ return; ++ } + btrfs_submit_bbio(bbio, 0); + } + diff --git a/queue-6.12/drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch b/queue-6.12/drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch new file mode 100644 index 0000000000..168938b5ac --- /dev/null +++ b/queue-6.12/drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch @@ -0,0 +1,107 @@ +From 9882a40640036d5bbc590426a78981526d4f2345 Mon Sep 17 00:00:00 2001 +From: Ariel D'Alessandro +Date: Fri, 24 Oct 2025 17:27:56 -0300 +Subject: drm/mediatek: Disable AFBC support on Mediatek DRM driver + +From: Ariel D'Alessandro + +commit 9882a40640036d5bbc590426a78981526d4f2345 upstream. + +Commit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM +driver") added AFBC support to Mediatek DRM and enabled the +32x8/split/sparse modifier. + +However, this is currently broken on Mediatek MT8188 (Genio 700 EVK +platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by +default since Mesa v25.0. + +Kernel trace reports vblank timeouts constantly, and the render is garbled: + +``` +[CRTC:62:crtc-0] vblank wait timed out +WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c +[...] +Hardware name: MediaTek Genio-700 EVK (DT) +Workqueue: events_unbound commit_work +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c +lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c +sp : ffff80008337bca0 +x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 +x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 +x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 +x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a +x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 +x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b +x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 +x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 +x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 +x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 +Call trace: + drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P) + drm_atomic_helper_commit_tail_rpm+0x64/0x80 + commit_tail+0xa4/0x1a4 + commit_work+0x14/0x20 + process_one_work+0x150/0x290 + worker_thread+0x2d0/0x3ec + kthread+0x12c/0x210 + ret_from_fork+0x10/0x20 +---[ end trace 0000000000000000 ]--- +``` + +Until this gets fixed upstream, disable AFBC support on this platform, as +it's currently broken with upstream Mesa. + +Fixes: c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM driver") +Cc: stable@vger.kernel.org +Signed-off-by: Ariel D'Alessandro +Reviewed-by: Daniel Stone +Reviewed-by: CK Hu +Reviewed-by: Macpaul Lin +Link: https://patchwork.kernel.org/project/dri-devel/patch/20251024202756.811425-1-ariel.dalessandro@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mediatek/mtk_plane.c | 24 +----------------------- + 1 file changed, 1 insertion(+), 23 deletions(-) + +--- a/drivers/gpu/drm/mediatek/mtk_plane.c ++++ b/drivers/gpu/drm/mediatek/mtk_plane.c +@@ -21,9 +21,6 @@ + + static const u64 modifiers[] = { + DRM_FORMAT_MOD_LINEAR, +- DRM_FORMAT_MOD_ARM_AFBC(AFBC_FORMAT_MOD_BLOCK_SIZE_32x8 | +- AFBC_FORMAT_MOD_SPLIT | +- AFBC_FORMAT_MOD_SPARSE), + DRM_FORMAT_MOD_INVALID, + }; + +@@ -71,26 +68,7 @@ static bool mtk_plane_format_mod_support + uint32_t format, + uint64_t modifier) + { +- if (modifier == DRM_FORMAT_MOD_LINEAR) +- return true; +- +- if (modifier != DRM_FORMAT_MOD_ARM_AFBC( +- AFBC_FORMAT_MOD_BLOCK_SIZE_32x8 | +- AFBC_FORMAT_MOD_SPLIT | +- AFBC_FORMAT_MOD_SPARSE)) +- return false; +- +- if (format != DRM_FORMAT_XRGB8888 && +- format != DRM_FORMAT_ARGB8888 && +- format != DRM_FORMAT_BGRX8888 && +- format != DRM_FORMAT_BGRA8888 && +- format != DRM_FORMAT_ABGR8888 && +- format != DRM_FORMAT_XBGR8888 && +- format != DRM_FORMAT_RGB888 && +- format != DRM_FORMAT_BGR888) +- return false; +- +- return true; ++ return modifier == DRM_FORMAT_MOD_LINEAR; + } + + static void mtk_plane_destroy_state(struct drm_plane *plane, diff --git a/queue-6.12/media-uvcvideo-use-heuristic-to-find-stream-entity.patch b/queue-6.12/media-uvcvideo-use-heuristic-to-find-stream-entity.patch new file mode 100644 index 0000000000..b13a3cc02e --- /dev/null +++ b/queue-6.12/media-uvcvideo-use-heuristic-to-find-stream-entity.patch @@ -0,0 +1,60 @@ +From 758dbc756aad429da11c569c0d067f7fd032bcf7 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Tue, 21 Oct 2025 10:36:17 +0000 +Subject: media: uvcvideo: Use heuristic to find stream entity + +From: Ricardo Ribalda + +commit 758dbc756aad429da11c569c0d067f7fd032bcf7 upstream. + +Some devices, like the Grandstream GUV3100 webcam, have an invalid UVC +descriptor where multiple entities share the same ID, this is invalid +and makes it impossible to make a proper entity tree without heuristics. + +We have recently introduced a change in the way that we handle invalid +entities that has caused a regression on broken devices. + +Implement a new heuristic to handle these devices properly. + +Reported-by: Angel4005 +Closes: https://lore.kernel.org/linux-media/CAOzBiVuS7ygUjjhCbyWg-KiNx+HFTYnqH5+GJhd6cYsNLT=DaA@mail.gmail.com/ +Fixes: 0e2ee70291e6 ("media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID") +Cc: stable@vger.kernel.org +Signed-off-by: Ricardo Ribalda +Reviewed-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -165,13 +165,26 @@ static struct uvc_entity *uvc_entity_by_ + + static struct uvc_streaming *uvc_stream_by_id(struct uvc_device *dev, int id) + { +- struct uvc_streaming *stream; ++ struct uvc_streaming *stream, *last_stream; ++ unsigned int count = 0; + + list_for_each_entry(stream, &dev->streams, list) { ++ count += 1; ++ last_stream = stream; + if (stream->header.bTerminalLink == id) + return stream; + } + ++ /* ++ * If the streaming entity is referenced by an invalid ID, notify the ++ * user and use heuristics to guess the correct entity. ++ */ ++ if (count == 1 && id == UVC_INVALID_ENTITY_ID) { ++ dev_warn(&dev->intf->dev, ++ "UVC non compliance: Invalid USB header. The streaming entity has an invalid ID, guessing the correct one."); ++ return last_stream; ++ } ++ + return NULL; + } + diff --git a/queue-6.12/media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch b/queue-6.12/media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch new file mode 100644 index 0000000000..722dbd162a --- /dev/null +++ b/queue-6.12/media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch @@ -0,0 +1,39 @@ +From 27afd6e066cfd80ddbe22a4a11b99174ac89cced Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 23 Oct 2025 16:26:34 +0200 +Subject: media: videobuf2: forbid remove_bufs when legacy fileio is active + +From: Marek Szyprowski + +commit 27afd6e066cfd80ddbe22a4a11b99174ac89cced upstream. + +vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, +potentially overwriting some pointers used by the legacy fileio access +mode. Forbid that ioctl when fileio is active to protect internal queue +state between subsequent read/write calls. + +CC: stable@vger.kernel.org +Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") +Reported-by: Shuangpeng Bai +Closes: https://lore.kernel.org/linux-media/5317B590-AAB4-4F17-8EA1-621965886D49@psu.edu/ +Signed-off-by: Marek Szyprowski +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/videobuf2/videobuf2-v4l2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/common/videobuf2/videobuf2-v4l2.c ++++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c +@@ -1015,6 +1015,11 @@ int vb2_ioctl_remove_bufs(struct file *f + if (vb2_queue_is_busy(vdev->queue, file)) + return -EBUSY; + ++ if (vb2_fileio_is_active(vdev->queue)) { ++ dprintk(vdev->queue, 1, "file io in progress\n"); ++ return -EBUSY; ++ } ++ + return vb2_core_remove_bufs(vdev->queue, d->index, d->count); + } + EXPORT_SYMBOL_GPL(vb2_ioctl_remove_bufs); diff --git a/queue-6.12/net-libwx-fix-device-bus-lan-id.patch b/queue-6.12/net-libwx-fix-device-bus-lan-id.patch new file mode 100644 index 0000000000..a4858cb02d --- /dev/null +++ b/queue-6.12/net-libwx-fix-device-bus-lan-id.patch @@ -0,0 +1,60 @@ +From a04ea57aae375bdda1cb57034d8bcbb351e1f973 Mon Sep 17 00:00:00 2001 +From: Jiawen Wu +Date: Tue, 4 Nov 2025 14:23:21 +0800 +Subject: net: libwx: fix device bus LAN ID + +From: Jiawen Wu + +commit a04ea57aae375bdda1cb57034d8bcbb351e1f973 upstream. + +The device bus LAN ID was obtained from PCI_FUNC(), but when a PF +port is passthrough to a virtual machine, the function number may not +match the actual port index on the device. This could cause the driver +to perform operations such as LAN reset on the wrong port. + +Fix this by reading the LAN ID from port status register. + +Fixes: a34b3e6ed8fb ("net: txgbe: Store PCI info") +Cc: stable@vger.kernel.org +Signed-off-by: Jiawen Wu +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/B60A670C1F52CB8E+20251104062321.40059-1-jiawenwu@trustnetic.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/wangxun/libwx/wx_hw.c | 3 ++- + drivers/net/ethernet/wangxun/libwx/wx_type.h | 4 ++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c +@@ -1943,7 +1943,8 @@ int wx_sw_init(struct wx *wx) + wx->oem_svid = pdev->subsystem_vendor; + wx->oem_ssid = pdev->subsystem_device; + wx->bus.device = PCI_SLOT(pdev->devfn); +- wx->bus.func = PCI_FUNC(pdev->devfn); ++ wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, ++ rd32(wx, WX_CFG_PORT_ST)); + + if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN) { + wx->subsystem_vendor_id = pdev->subsystem_vendor; +--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h ++++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h +@@ -85,6 +85,8 @@ + #define WX_CFG_PORT_CTL_DRV_LOAD BIT(3) + #define WX_CFG_PORT_CTL_QINQ BIT(2) + #define WX_CFG_PORT_CTL_D_VLAN BIT(0) /* double vlan*/ ++#define WX_CFG_PORT_ST 0x14404 ++#define WX_CFG_PORT_ST_LANID GENMASK(9, 8) + #define WX_CFG_TAG_TPID(_i) (0x14430 + ((_i) * 4)) + #define WX_CFG_PORT_CTL_NUM_VT_MASK GENMASK(13, 12) /* number of TVs */ + +@@ -451,8 +453,6 @@ enum WX_MSCA_CMD_value { + #define TXD_USE_COUNT(S) DIV_ROUND_UP((S), WX_MAX_DATA_PER_TXD) + #define DESC_NEEDED (MAX_SKB_FRAGS + 4) + +-#define WX_CFG_PORT_ST 0x14404 +- + /******************* Receive Descriptor bit definitions **********************/ + #define WX_RXD_STAT_DD BIT(0) /* Done */ + #define WX_RXD_STAT_EOP BIT(1) /* End of Packet */ diff --git a/queue-6.12/revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch b/queue-6.12/revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch new file mode 100644 index 0000000000..cbef46c275 --- /dev/null +++ b/queue-6.12/revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch @@ -0,0 +1,85 @@ +From 2469bb6a6af944755a7d7daf66be90f3b8decbf9 Mon Sep 17 00:00:00 2001 +From: Baochen Qiang +Date: Mon, 27 Oct 2025 09:49:12 +0800 +Subject: Revert "wifi: ath10k: avoid unnecessary wait for service ready message" + +From: Baochen Qiang + +commit 2469bb6a6af944755a7d7daf66be90f3b8decbf9 upstream. + +This reverts commit 51a73f1b2e56b0324b4a3bb8cebc4221b5be4c7a. + +Although this commit benefits QCA6174, it breaks QCA988x and +QCA9984 [1][2]. Since it is not likely to root cause/fix this +issue in a short time, revert it to get those chips back. + +Compile tested only. + +Fixes: 51a73f1b2e56 ("wifi: ath10k: avoid unnecessary wait for service ready message") +Link: https://lore.kernel.org/ath10k/6d41bc00602c33ffbf68781f563ff2e6c6915a3e.camel@gmail.com # [1] +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220671 # [2] +Signed-off-by: Baochen Qiang +Reviewed-by: Vasanthakumar Thiagarajan +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251027-ath10k-revert-polling-first-change-v1-1-89aaf3bcbfa1@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/wmi.c | 39 +++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 19 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -1764,32 +1764,33 @@ void ath10k_wmi_put_wmi_channel(struct a + + int ath10k_wmi_wait_for_service_ready(struct ath10k *ar) + { +- unsigned long timeout = jiffies + WMI_SERVICE_READY_TIMEOUT_HZ; + unsigned long time_left, i; + +- /* Sometimes the PCI HIF doesn't receive interrupt +- * for the service ready message even if the buffer +- * was completed. PCIe sniffer shows that it's +- * because the corresponding CE ring doesn't fires +- * it. Workaround here by polling CE rings. Since +- * the message could arrive at any time, continue +- * polling until timeout. +- */ +- do { ++ time_left = wait_for_completion_timeout(&ar->wmi.service_ready, ++ WMI_SERVICE_READY_TIMEOUT_HZ); ++ if (!time_left) { ++ /* Sometimes the PCI HIF doesn't receive interrupt ++ * for the service ready message even if the buffer ++ * was completed. PCIe sniffer shows that it's ++ * because the corresponding CE ring doesn't fires ++ * it. Workaround here by polling CE rings once. ++ */ ++ ath10k_warn(ar, "failed to receive service ready completion, polling..\n"); ++ + for (i = 0; i < CE_COUNT; i++) + ath10k_hif_send_complete_check(ar, i, 1); + +- /* The 100 ms granularity is a tradeoff considering scheduler +- * overhead and response latency +- */ + time_left = wait_for_completion_timeout(&ar->wmi.service_ready, +- msecs_to_jiffies(100)); +- if (time_left) +- return 0; +- } while (time_before(jiffies, timeout)); ++ WMI_SERVICE_READY_TIMEOUT_HZ); ++ if (!time_left) { ++ ath10k_warn(ar, "polling timed out\n"); ++ return -ETIMEDOUT; ++ } ++ ++ ath10k_warn(ar, "service ready completion received, continuing normally\n"); ++ } + +- ath10k_warn(ar, "failed to receive service ready completion\n"); +- return -ETIMEDOUT; ++ return 0; + } + + int ath10k_wmi_wait_for_unified_ready(struct ath10k *ar) diff --git a/queue-6.12/ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch b/queue-6.12/ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch new file mode 100644 index 0000000000..fed50b08ee --- /dev/null +++ b/queue-6.12/ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch @@ -0,0 +1,51 @@ +From aa997d2d2a0b2e76f4df0f1f12829f02acb4fb6b Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 16 Oct 2025 13:28:48 -0400 +Subject: ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up + +From: Steven Rostedt + +commit aa997d2d2a0b2e76f4df0f1f12829f02acb4fb6b upstream. + +The function ring_buffer_map_get_reader() is a bit more strict than the +other get reader functions, and except for certain situations the +rb_get_reader_page() should not return NULL. If it does, it triggers a +warning. + +This warning was triggering but after looking at why, it was because +another acceptable situation was happening and it wasn't checked for. + +If the reader catches up to the writer and there's still data to be read +on the reader page, then the rb_get_reader_page() will return NULL as +there's no new page to get. + +In this situation, the reader page should not be updated and no warning +should trigger. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Vincent Donnefort +Reported-by: syzbot+92a3745cea5ec6360309@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/690babec.050a0220.baf87.0064.GAE@google.com/ +Link: https://lore.kernel.org/20251016132848.1b11bb37@gandalf.local.home +Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -7223,6 +7223,10 @@ consume: + goto out; + } + ++ /* Did the reader catch up with the writer? */ ++ if (cpu_buffer->reader_page == cpu_buffer->commit_page) ++ goto out; ++ + reader = rb_get_reader_page(cpu_buffer); + if (WARN_ON(!reader)) + goto out; diff --git a/queue-6.12/series b/queue-6.12/series index e50c59bd83..3030b3b658 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -497,3 +497,10 @@ x86-use-cmov-for-user-address-masking.patch x86-runtime-const-add-the-runtime_const_ptr-assembly.patch x86-uaccess-don-t-use-runtime-const-rewriting-in-mod.patch alsa-hda-realtek-audio-disappears-on-hp-15-fc000-aft.patch +btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch +media-uvcvideo-use-heuristic-to-find-stream-entity.patch +media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch +drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch +revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch +ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch +net-libwx-fix-device-bus-lan-id.patch -- 2.47.3