From fd85c7952f7b811d4accdec9b28254c1cf1fe13a Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 27 Nov 2025 14:34:01 +0100 Subject: [PATCH] 6.6-stable patches added patches: crash-fix-crashkernel-resource-shrink.patch ftrace-fix-bpf-fexit-with-livepatch.patch hid-amd_sfh-stop-sensor-before-starting.patch kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch maple_tree-fix-tracepoint-string-pointers.patch mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch pmdomain-imx-gpc-convert-to-platform-remove-callback-returning-void.patch selftests-mptcp-join-endpoints-longer-transfer.patch smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch uio_hv_generic-set-event-for-all-channels-on-the-device.patch wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch --- ...rash-fix-crashkernel-resource-shrink.patch | 89 ++++++++ .../ftrace-fix-bpf-fexit-with-livepatch.patch | 115 ++++++++++ ...-amd_sfh-stop-sensor-before-starting.patch | 44 ++++ ...ntrusted-offset-in-ff-a-memory-share.patch | 48 +++++ ..._tree-fix-tracepoint-string-pointers.patch | 183 ++++++++++++++++ ...poisoning-order-0-pages-with-highmem.patch | 110 ++++++++++ ...ace-kmap_atomic-with-kmap_local_page.patch | 71 +++++++ ...fix-a-race-in-mptcp_pm_del_add_timer.patch | 198 ++++++++++++++++++ ...eak-on-provider-registration-failure.patch | 82 ++++++++ ...ference-count-leak-in-imx_gpc_remove.patch | 37 ++++ ...tform-remove-callback-returning-void.patch | 91 ++++++++ ...mptcp-join-endpoints-longer-transfer.patch | 78 +++++++ queue-6.6/series | 15 ++ ...ackport-in-cfids_invalidation_worker.patch | 30 +++ ...event-for-all-channels-on-the-device.patch | 74 +++++++ ...g-lock-in-cfg80211_check_and_end_cac.patch | 93 ++++++++ 16 files changed, 1358 insertions(+) create mode 100644 
queue-6.6/crash-fix-crashkernel-resource-shrink.patch create mode 100644 queue-6.6/ftrace-fix-bpf-fexit-with-livepatch.patch create mode 100644 queue-6.6/hid-amd_sfh-stop-sensor-before-starting.patch create mode 100644 queue-6.6/kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch create mode 100644 queue-6.6/maple_tree-fix-tracepoint-string-pointers.patch create mode 100644 queue-6.6/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch create mode 100644 queue-6.6/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch create mode 100644 queue-6.6/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch create mode 100644 queue-6.6/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch create mode 100644 queue-6.6/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch create mode 100644 queue-6.6/pmdomain-imx-gpc-convert-to-platform-remove-callback-returning-void.patch create mode 100644 queue-6.6/selftests-mptcp-join-endpoints-longer-transfer.patch create mode 100644 queue-6.6/smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch create mode 100644 queue-6.6/uio_hv_generic-set-event-for-all-channels-on-the-device.patch create mode 100644 queue-6.6/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch diff --git a/queue-6.6/crash-fix-crashkernel-resource-shrink.patch b/queue-6.6/crash-fix-crashkernel-resource-shrink.patch new file mode 100644 index 0000000000..2554d30d2e --- /dev/null +++ b/queue-6.6/crash-fix-crashkernel-resource-shrink.patch 
@@ -0,0 +1,89 @@ +From stable+bounces-196499-greg=kroah.com@vger.kernel.org Fri Nov 21 16:20:41 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 10:11:40 -0500 +Subject: crash: fix crashkernel resource shrink +To: stable@vger.kernel.org +Cc: Sourabh Jain , Baoquan He , Zhen Lei , Andrew Morton , Sasha Levin +Message-ID: <20251121151140.2560469-1-sashal@kernel.org> + +From: Sourabh Jain + +[ Upstream commit 00fbff75c5acb4755f06f08bd1071879c63940c5 ] + +When crashkernel is configured with a high reservation, shrinking its +value below the low crashkernel reservation causes two issues: + +1. Invalid crashkernel resource objects +2. Kernel crash if crashkernel shrinking is done twice + +For example, with crashkernel=200M,high, the kernel reserves 200MB of high +memory and some default low memory (say 256MB). The reservation appears +as: + +cat /proc/iomem | grep -i crash +af000000-beffffff : Crash kernel +433000000-43f7fffff : Crash kernel + +If crashkernel is then shrunk to 50MB (echo 52428800 > +/sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: +af000000-beffffff : Crash kernel + +Instead, it should show 50MB: +af000000-b21fffff : Crash kernel + +Further shrinking crashkernel to 40MB causes a kernel crash with the +following trace (x86): + +BUG: kernel NULL pointer dereference, address: 0000000000000038 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP NOPTI + +Call Trace: +? __die_body.cold+0x19/0x27 +? page_fault_oops+0x15a/0x2f0 +? search_module_extables+0x19/0x60 +? search_bpf_extables+0x5f/0x80 +? exc_page_fault+0x7e/0x180 +? asm_exc_page_fault+0x26/0x30 +? 
__release_resource+0xd/0xb0 +release_resource+0x26/0x40 +__crash_shrink_memory+0xe5/0x110 +crash_shrink_memory+0x12a/0x190 +kexec_crash_size_store+0x41/0x80 +kernfs_fop_write_iter+0x141/0x1f0 +vfs_write+0x294/0x460 +ksys_write+0x6d/0xf0 + + +This happens because __crash_shrink_memory()/kernel/crash_core.c +incorrectly updates the crashk_res resource object even when +crashk_low_res should be updated. + +Fix this by ensuring the correct crashkernel resource object is updated +when shrinking crashkernel memory. + +Link: https://lkml.kernel.org/r/20251101193741.289252-1-sourabhjain@linux.ibm.com +Fixes: 16c6006af4d4 ("kexec: enable kexec_crash_size to support two crash kernel regions") +Signed-off-by: Sourabh Jain +Acked-by: Baoquan He +Cc: Zhen Lei +Cc: +Signed-off-by: Andrew Morton +[ Applied fix to `kernel/kexec_core.c` instead of `kernel/crash_core.c` ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kexec_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/kexec_core.c ++++ b/kernel/kexec_core.c +@@ -1132,7 +1132,7 @@ static int __crash_shrink_memory(struct + old_res->start = 0; + old_res->end = 0; + } else { +- crashk_res.end = ram_res->start - 1; ++ old_res->end = ram_res->start - 1; + } + + crash_free_reserved_phys_range(ram_res->start, ram_res->end); diff --git a/queue-6.6/ftrace-fix-bpf-fexit-with-livepatch.patch b/queue-6.6/ftrace-fix-bpf-fexit-with-livepatch.patch new file mode 100644 index 0000000000..9c67c66dca --- /dev/null +++ b/queue-6.6/ftrace-fix-bpf-fexit-with-livepatch.patch 
@@ -0,0 +1,115 @@
+From stable+bounces-196504-greg=kroah.com@vger.kernel.org Fri Nov 21 16:28:53 2025
+From: Sasha Levin
+Date: Fri, 21 Nov 2025 10:20:00 -0500
+Subject: ftrace: Fix BPF fexit with livepatch
+To: stable@vger.kernel.org
+Cc: Song Liu , Andrey Grodzovsky , "Steven Rostedt (Google)" , "Masami Hiramatsu (Google)" , Jiri Olsa , Alexei Starovoitov , Sasha Levin
+Message-ID: <20251121152000.2567643-1-sashal@kernel.org>
+
+From: Song Liu
+
+[ Upstream commit 56b3c85e153b84f27e6cff39623ba40a1ad299d3 ]
+
+When livepatch is attached to the same function as bpf trampoline with
+a fexit program, bpf trampoline code calls register_ftrace_direct()
+twice. The first time will fail with -EAGAIN, and the second time it
+will succeed. This requires register_ftrace_direct() to unregister
+the address on the first attempt. Otherwise, the bpf trampoline cannot
+attach. Here is an easy way to reproduce this issue:
+
+ insmod samples/livepatch/livepatch-sample.ko
+ bpftrace -e 'fexit:cmdline_proc_show {}'
+ ERROR: Unable to attach probe: fexit:vmlinux:cmdline_proc_show...
+
+Fix this by cleaning up the hash when register_ftrace_function_nolock hits
+errors.
+
+Also, move the code that resets ops->func and ops->trampoline to the error
+path of register_ftrace_direct(); and add a helper function reset_direct()
+in register_ftrace_direct() and unregister_ftrace_direct().
+
+Fixes: d05cb470663a ("ftrace: Fix modification of direct_function hash while in use")
+Cc: stable@vger.kernel.org # v6.6+
+Reported-by: Andrey Grodzovsky
+Closes: https://lore.kernel.org/live-patching/c5058315a39d4615b333e485893345be@crowdstrike.com/
+Cc: Steven Rostedt (Google)
+Cc: Masami Hiramatsu (Google)
+Acked-and-tested-by: Andrey Grodzovsky
+Signed-off-by: Song Liu
+Reviewed-by: Jiri Olsa
+Link: https://lore.kernel.org/r/20251027175023.1521602-2-song@kernel.org
+Signed-off-by: Alexei Starovoitov
+Acked-by: Steven Rostedt (Google)
+[ moved cleanup to reset_direct() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/trampoline.c | 4 ----
+ kernel/trace/ftrace.c | 20 ++++++++++++++------
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -460,10 +460,6 @@ again:
+ * BPF_TRAMP_F_SHARE_IPMODIFY is set, we can generate the
+ * trampoline again, and retry register.
+ */
+- /* reset fops->func and fops->trampoline for re-register */
+- tr->fops->func = NULL;
+- tr->fops->trampoline = 0;
+-
+ /* reset im->image memory attr for arch_prepare_bpf_trampoline */
+ set_memory_nx((long)im->image, 1);
+ set_memory_rw((long)im->image, 1);
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5370,6 +5370,17 @@ static void remove_direct_functions_hash
+ }
+ }
+
++static void reset_direct(struct ftrace_ops *ops, unsigned long addr)
++{
++ struct ftrace_hash *hash = ops->func_hash->filter_hash;
++
++ remove_direct_functions_hash(hash, addr);
++
++ /* cleanup for possible another register call */
++ ops->func = NULL;
++ ops->trampoline = 0;
++}
++
+ /**
+ * register_ftrace_direct - Call a custom trampoline directly
+ * for multiple functions registered in @ops
+@@ -5465,6 +5476,8 @@ int register_ftrace_direct(struct ftrace
+ ops->direct_call = addr;
+
+ err = register_ftrace_function_nolock(ops);
++ if (err)
++ reset_direct(ops, addr);
+
+ out_unlock:
+ mutex_unlock(&direct_mutex);
+@@ -5497,7 +5510,6 @@ EXPORT_SYMBOL_GPL(register_ftrace_direct
+ int unregister_ftrace_direct(struct ftrace_ops *ops, unsigned long addr,
+ bool free_filters)
+ {
+- struct ftrace_hash *hash = ops->func_hash->filter_hash;
+ int err;
+
+ if (check_direct_multi(ops))
+@@ -5507,13 +5519,9 @@ int unregister_ftrace_direct(struct ftra
+
+ mutex_lock(&direct_mutex);
+ err = unregister_ftrace_function(ops);
+- remove_direct_functions_hash(hash, addr);
++ reset_direct(ops, addr);
+ mutex_unlock(&direct_mutex);
+
+- /* cleanup for possible another register call */
+- ops->func = NULL;
+- ops->trampoline = 0;
+-
+ if (free_filters)
+ ftrace_free_filter(ops);
+ return err;
diff --git a/queue-6.6/hid-amd_sfh-stop-sensor-before-starting.patch b/queue-6.6/hid-amd_sfh-stop-sensor-before-starting.patch
new file mode 100644
index 0000000000..79d493b9e2
--- /dev/null
+++ b/queue-6.6/hid-amd_sfh-stop-sensor-before-starting.patch
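Review bot: The new helper reset_direct() in kernel/trace/ftrace.c edits the direct-functions hash and clears `ops->func` and `ops->trampoline`, but nothing in it states or checks the locking it depends on. Both call sites in this patch appear to run with direct_mutex held (in unregister_ftrace_direct() the two field resets previously ran after the unlock and now run before it), so `lockdep_assert_held(&direct_mutex);` as the first statement, or at least a comment `/* Caller must hold direct_mutex. */`, would stop a later caller from using it unlocked. The bodies of register_ftrace_direct() and unregister_ftrace_direct() extend beyond the hunks shown, so the lock acquisition in the register path is inferred from the `out_unlock:` label.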
@@ -0,0 +1,44 @@
+From stable+bounces-196754-greg=kroah.com@vger.kernel.org Mon Nov 24 15:56:48 2025
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 09:54:31 -0500
+Subject: HID: amd_sfh: Stop sensor before starting
+To: stable@vger.kernel.org
+Cc: "Mario Limonciello (AMD)" , Titas , Jiri Kosina , Sasha Levin
+Message-ID: <20251124145431.4116539-1-sashal@kernel.org>
+
+From: "Mario Limonciello (AMD)"
+
+[ Upstream commit 4d3a13afa8b64dc49293b3eab3e7beac11072c12 ]
+
+Titas reports that the accelerometer sensor on their laptop only
+works after a warm boot or unloading/reloading the amd-sfh kernel
+module.
+
+Presumably the sensor is in a bad state on cold boot and failing to
+start, so explicitly stop it before starting.
+
+Cc: stable@vger.kernel.org
+Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality")
+Reported-by: Titas
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670
+Tested-by: Titas
+Signed-off-by: Mario Limonciello (AMD)
+Signed-off-by: Jiri Kosina
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -163,6 +163,8 @@ static int amd_sfh1_1_hid_client_init(st
+ if (rc)
+ goto cleanup;
+
++ mp2_ops->stop(privdata, cl_data->sensor_idx[i]);
++ amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR);
+ writel(0, privdata->mmio + AMD_P2C_MSG(0));
+ mp2_ops->start(privdata, info);
+ status = amd_sfh_wait_for_response
diff --git a/queue-6.6/kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch b/queue-6.6/kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch
new file mode 100644
index 0000000000..78951afb6a
--- /dev/null
+++ b/queue-6.6/kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch
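Review bot: The added stop sequence in amd_sfh1_1_hid_client_init() discards the result of `amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR)`, whereas the start path just below stores the same helper's result in `status`. If ignoring it is deliberate because the sensor may already be stopped, a comment above the stop call such as `/* Best effort: the sensor may already be stopped, so the result is ignored. */` would say so. Without that, a timeout on the disable goes unnoticed and the start is issued against a sensor in an unknown state. The function body continues outside the hunk, so the later handling of `status` is not visible here.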
@@ -0,0 +1,48 @@
+From 103e17aac09cdd358133f9e00998b75d6c1f1518 Mon Sep 17 00:00:00 2001
+From: Sebastian Ene
+Date: Fri, 17 Oct 2025 07:57:10 +0000
+Subject: KVM: arm64: Check the untrusted offset in FF-A memory share
+
+From: Sebastian Ene
+
+commit 103e17aac09cdd358133f9e00998b75d6c1f1518 upstream.
+
+Verify the offset to prevent OOB access in the hypervisor
+FF-A buffer in case an untrusted large enough value
+[U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]
+is set from the host kernel.
+
+Signed-off-by: Sebastian Ene
+Acked-by: Will Deacon
+Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/hyp/nvhe/ffa.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kvm/hyp/nvhe/ffa.c
++++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
+@@ -425,7 +425,7 @@ static void __do_ffa_mem_xfer(const u64
+ DECLARE_REG(u32, npages_mbz, ctxt, 4);
+ struct ffa_composite_mem_region *reg;
+ struct ffa_mem_region *buf;
+- u32 offset, nr_ranges;
++ u32 offset, nr_ranges, checked_offset;
+ int ret = 0;
+
+ if (addr_mbz || npages_mbz || fraglen > len ||
+@@ -460,7 +460,12 @@ static void __do_ffa_mem_xfer(const u64
+ goto out_unlock;
+ }
+
+- if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) {
++ if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) {
++ ret = FFA_RET_INVALID_PARAMETERS;
++ goto out_unlock;
++ }
++
++ if (fraglen < checked_offset) {
+ ret = FFA_RET_INVALID_PARAMETERS;
+ goto out_unlock;
+ }
diff --git a/queue-6.6/maple_tree-fix-tracepoint-string-pointers.patch b/queue-6.6/maple_tree-fix-tracepoint-string-pointers.patch
new file mode 100644
index 0000000000..b97df9174d
--- /dev/null
+++ b/queue-6.6/maple_tree-fix-tracepoint-string-pointers.patch
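Review bot: The new overflow check in __do_ffa_mem_xfer() only fires because `checked_offset` is a `u32`, and nothing in the code records that dependency. check_add_overflow() reports overflow relative to the destination type, so widening that variable later would quietly turn the first branch into dead code. A comment above the check, e.g. `/* offset is host-controlled; the sum must fit in u32, like fraglen. */`, would document it. The two error branches set the same return code and could be folded into one condition, `if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset) || fraglen < checked_offset) {`. The function body extends beyond both hunks, so later uses of `offset` are not visible here.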
@@ -0,0 +1,183 @@
+From 91a54090026f84ceffaa12ac53c99b9f162946f6 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser
+Date: Thu, 30 Oct 2025 16:55:05 +0100
+Subject: maple_tree: fix tracepoint string pointers
+
+From: Martin Kaiser
+
+commit 91a54090026f84ceffaa12ac53c99b9f162946f6 upstream.
+
+maple_tree tracepoints contain pointers to function names. Such a pointer
+is saved when a tracepoint logs an event. There's no guarantee that it's
+still valid when the event is parsed later and the pointer is dereferenced.
+
+The kernel warns about these unsafe pointers.
+
+ event 'ma_read' has unsafe pointer field 'fn'
+ WARNING: kernel/trace/trace.c:3779 at ignore_event+0x1da/0x1e4
+
+Mark the function names as tracepoint_string() to fix the events.
+
+One case that doesn't work without my patch would be trace-cmd record
+to save the binary ringbuffer and trace-cmd report to parse it in
+userspace. The address of __func__ can't be dereferenced from
+userspace but tracepoint_string will add an entry to
+/sys/kernel/tracing/printk_formats
+
+Link: https://lkml.kernel.org/r/20251030155537.87972-1-martin@kaiser.cx
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Martin Kaiser
+Acked-by: Liam R. Howlett
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/maple_tree.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -62,6 +62,8 @@
+ #define CREATE_TRACE_POINTS
+ #include
+
++#define TP_FCT tracepoint_string(__func__)
++
+ #define MA_ROOT_PARENT 1
+
+ /*
+@@ -2990,7 +2992,7 @@ static inline int mas_rebalance(struct m
+ MA_STATE(l_mas, mas->tree, mas->index, mas->last);
+ MA_STATE(r_mas, mas->tree, mas->index, mas->last);
+
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+
+ /*
+ * Rebalancing occurs if a node is insufficient. Data is rebalanced
+@@ -3365,7 +3367,7 @@ static int mas_split(struct ma_state *ma
+ MA_STATE(prev_l_mas, mas->tree, mas->index, mas->last);
+ MA_STATE(prev_r_mas, mas->tree, mas->index, mas->last);
+
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+ mas->depth = mas_mt_height(mas);
+ /* Allocation failures will happen early. */
+ mas_node_count(mas, 1 + mas->depth * 2);
+@@ -3598,7 +3600,7 @@ static bool mas_is_span_wr(struct ma_wr_
+ return false;
+ }
+
+- trace_ma_write(__func__, wr_mas->mas, wr_mas->r_max, entry);
++ trace_ma_write(TP_FCT, wr_mas->mas, wr_mas->r_max, entry);
+ return true;
+ }
+
+@@ -3845,7 +3847,7 @@ static inline int mas_wr_spanning_store(
+ * of data may happen.
+ */
+ mas = wr_mas->mas;
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+
+ if (unlikely(!mas->index && mas->last == ULONG_MAX))
+ return mas_new_root(mas, wr_mas->entry);
+@@ -3996,7 +3998,7 @@ done:
+ } else {
+ memcpy(wr_mas->node, newnode, sizeof(struct maple_node));
+ }
+- trace_ma_write(__func__, mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry);
+ mas_update_gap(mas);
+ return true;
+ }
+@@ -4042,7 +4044,7 @@ static inline bool mas_wr_slot_store(str
+ return false;
+ }
+
+- trace_ma_write(__func__, mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry);
+ /*
+ * Only update gap when the new entry is empty or there is an empty
+ * entry in the original two ranges.
+@@ -4178,7 +4180,7 @@ static inline bool mas_wr_append(struct
+ if (!wr_mas->content || !wr_mas->entry)
+ mas_update_gap(mas);
+
+- trace_ma_write(__func__, mas, new_end, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, new_end, wr_mas->entry);
+ return true;
+ }
+
+@@ -4192,7 +4194,7 @@ static void mas_wr_bnode(struct ma_wr_st
+ {
+ struct maple_big_node b_node;
+
+- trace_ma_write(__func__, wr_mas->mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, wr_mas->mas, 0, wr_mas->entry);
+ memset(&b_node, 0, sizeof(struct maple_big_node));
+ mas_store_b_node(wr_mas, &b_node, wr_mas->offset_end);
+ mas_commit_b_node(wr_mas, &b_node, wr_mas->node_end);
+@@ -5395,7 +5397,7 @@ void *mas_store(struct ma_state *mas, vo
+ {
+ MA_WR_STATE(wr_mas, mas, entry);
+
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ #ifdef CONFIG_DEBUG_MAPLE_TREE
+ if (MAS_WARN_ON(mas, mas->index > mas->last))
+ pr_err("Error %lX > %lX %p\n", mas->index, mas->last, entry);
+@@ -5433,7 +5435,7 @@ int mas_store_gfp(struct ma_state *mas,
+ MA_WR_STATE(wr_mas, mas, entry);
+
+ mas_wr_store_setup(&wr_mas);
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ retry:
+ mas_wr_store_entry(&wr_mas);
+ if (unlikely(mas_nomem(mas, gfp)))
+@@ -5457,7 +5459,7 @@ void mas_store_prealloc(struct ma_state
+ MA_WR_STATE(wr_mas, mas, entry);
+
+ mas_wr_store_setup(&wr_mas);
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ mas_wr_store_entry(&wr_mas);
+ MAS_WR_BUG_ON(&wr_mas, mas_is_err(mas));
+ mas_destroy(mas);
+@@ -6245,7 +6247,7 @@ void *mtree_load(struct maple_tree *mt,
+ MA_STATE(mas, mt, index, index);
+ void *entry;
+
+- trace_ma_read(__func__, &mas);
++ trace_ma_read(TP_FCT, &mas);
+ rcu_read_lock();
+ retry:
+ entry = mas_start(&mas);
+@@ -6288,7 +6290,7 @@ int mtree_store_range(struct maple_tree
+ MA_STATE(mas, mt, index, last);
+ MA_WR_STATE(wr_mas, &mas, entry);
+
+- trace_ma_write(__func__, &mas, 0, entry);
++ trace_ma_write(TP_FCT, &mas, 0, entry);
+ if (WARN_ON_ONCE(xa_is_advanced(entry)))
+ return -EINVAL;
+
+@@ -6470,7 +6472,7 @@ void *mtree_erase(struct maple_tree *mt,
+ void *entry = NULL;
+
+ MA_STATE(mas, mt, index, index);
+- trace_ma_op(__func__, &mas);
++ trace_ma_op(TP_FCT, &mas);
+
+ mtree_lock(mt);
+ entry = mas_erase(&mas);
+@@ -6536,7 +6538,7 @@ void *mt_find(struct maple_tree *mt, uns
+ unsigned long copy = *index;
+ #endif
+
+- trace_ma_read(__func__, &mas);
++ trace_ma_read(TP_FCT, &mas);
+
+ if ((*index) > max)
+ return NULL;
diff --git a/queue-6.6/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch b/queue-6.6/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
new file mode 100644
index 0000000000..73ffb82d44
--- /dev/null
+++ b/queue-6.6/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
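Review bot: The new `TP_FCT` macro near the top of lib/maple_tree.c has no comment, and its name gives no hint why `__func__` is no longer passed to the tracepoints directly. A line above the define, such as `/* Tracepoints store this pointer and read it later; tracepoint_string() keeps it resolvable. */`, would stop a later cleanup from reverting call sites to bare `__func__`. The commit message says that bare form triggers the "unsafe pointer field" warning. Every call-site hunk in this patch follows the same one-line pattern, so the comment is only needed once, at the definition.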
@@ -0,0 +1,110 @@
+From stable+bounces-196801-greg=kroah.com@vger.kernel.org Mon Nov 24 21:59:50 2025
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 15:59:41 -0500
+Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM
+To: stable@vger.kernel.org
+Cc: Vlastimil Babka , kernel test robot , Christoph Hellwig , Sasha Levin
+Message-ID: <20251124205941.27830-2-sashal@kernel.org>
+
+From: Vlastimil Babka
+
+[ Upstream commit ec33b59542d96830e3c89845ff833cf7b25ef172 ]
+
+The kernel test has reported:
+
+ BUG: unable to handle page fault for address: fffba000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ *pde = 03171067 *pte = 00000000
+ Oops: Oops: 0002 [#1]
+ CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
+ Tainted: [T]=RANDSTRUCT
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
+ Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
+ EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
+ ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
+ DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
+ CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
+ Call Trace:
+ poison_element (mm/mempool.c:83 mm/mempool.c:102)
+ mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
+ mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ do_one_initcall (init/main.c:1283)
+
+Christoph found out this is due to the poisoning code not dealing
+properly with CONFIG_HIGHMEM because only the first page is mapped but
+then the whole potentially high-order page is accessed.
+
+We could give up on HIGHMEM here, but it's straightforward to fix this
+with a loop that's mapping, poisoning or checking and unmapping
+individual pages.
+
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com
+Analyzed-by: Christoph Hellwig
+Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator")
+Cc: stable@vger.kernel.org
+Tested-by: kernel test robot
+Reviewed-by: Christoph Hellwig
+Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz
+Signed-off-by: Vlastimil Babka
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mempool.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -64,10 +64,20 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __check_element(pool, addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __check_element(pool, addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+
+@@ -89,10 +99,20 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __poison_element(addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __poison_element(addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
diff --git a/queue-6.6/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch b/queue-6.6/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch
new file mode 100644
index 0000000000..673d47816a
--- /dev/null
+++ b/queue-6.6/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch
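Review bot: Neither `#ifdef CONFIG_HIGHMEM` branch added to check_element() and poison_element() in mm/mempool.c carries a comment saying why the element is now walked one page at a time. The commit message says the fault came from mapping only the first page and then touching the whole high-order range, so a comment above each `#ifdef`, e.g. `/* kmap_local_page() maps a single page; handle high-order elements page by page. */`, would keep that constraint next to the code. The cast `struct page *page = (struct page *)element;` is loop-invariant and would read better next to `order`, outside the loop. The two loops differ only in the per-page call. Both function bodies start outside the hunks.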
@@ -0,0 +1,71 @@
+From stable+bounces-196800-greg=kroah.com@vger.kernel.org Mon Nov 24 21:59:49 2025
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 15:59:40 -0500
+Subject: mm/mempool: replace kmap_atomic() with kmap_local_page()
+To: stable@vger.kernel.org
+Cc: "Fabio M. De Francesco" , Ira Weiny , Andrew Morton , Sasha Levin
+Message-ID: <20251124205941.27830-1-sashal@kernel.org>
+
+From: "Fabio M. De Francesco"
+
+[ Upstream commit f2bcc99a5e901a13b754648d1dbab60f4adf9375 ]
+
+kmap_atomic() has been deprecated in favor of kmap_local_page().
+
+Therefore, replace kmap_atomic() with kmap_local_page().
+
+kmap_atomic() is implemented like a kmap_local_page() which also disables
+page-faults and preemption (the latter only in !PREEMPT_RT kernels). The
+kernel virtual addresses returned by these two API are only valid in the
+context of the callers (i.e., they cannot be handed to other threads).
+
+With kmap_local_page() the mappings are per thread and CPU local like in
+kmap_atomic(); however, they can handle page-faults and can be called from
+any context (including interrupts). The tasks that call kmap_local_page()
+can be preempted and, when they are scheduled to run again, the kernel
+virtual addresses are restored and are still valid.
+
+The code blocks between the mappings and un-mappings don't rely on the
+above-mentioned side effects of kmap_atomic(), so that mere replacements
+of the old API with the new one is all that they require (i.e., there is
+no need to explicitly call pagefault_disable() and/or preempt_disable()).
+
+Link: https://lkml.kernel.org/r/20231120142640.7077-1-fabio.maria.de.francesco@linux.intel.com
+Signed-off-by: Fabio M. De Francesco
+Cc: Ira Weiny
+Signed-off-by: Andrew Morton
+Stable-dep-of: ec33b59542d9 ("mm/mempool: fix poisoning order>0 pages with HIGHMEM")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mempool.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -64,10 +64,10 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+
+@@ -89,10 +89,10 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
diff --git a/queue-6.6/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch b/queue-6.6/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch
new file mode 100644
index 0000000000..3245033023
--- /dev/null
+++ b/queue-6.6/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch
@@ -0,0 +1,198 @@ +From stable+bounces-196831-greg=kroah.com@vger.kernel.org Tue Nov 25 01:46:41 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 19:46:33 -0500 +Subject: mptcp: fix a race in mptcp_pm_del_add_timer() +To: stable@vger.kernel.org +Cc: Eric Dumazet , syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com, Geliang Tang , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20251125004633.189471-1-sashal@kernel.org> + +From: Eric Dumazet + +[ Upstream commit 426358d9be7ce3518966422f87b96f1bad27295f ] + +mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) +while another might have free entry already, as reported by syzbot. + +Add RCU protection to fix this issue. + +Also change confusing add_timer variable with stop_timer boolean. + +syzbot report: + +BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 +Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 + +CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 +Workqueue: events mptcp_worker +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 + sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 + mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 + mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 + tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 + tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 + tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 + tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 + ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 + NF_HOOK+0x30c/0x3a0 
include/linux/netfilter.h:318 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + __netif_receive_skb_one_core net/core/dev.c:6079 [inline] + __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 + process_backlog+0x31e/0x900 net/core/dev.c:6544 + __napi_poll+0xb6/0x540 net/core/dev.c:7594 + napi_poll net/core/dev.c:7657 [inline] + net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 + handle_softirqs+0x22f/0x710 kernel/softirq.c:622 + __do_softirq kernel/softirq.c:656 [inline] + __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 + mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] + mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 + mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 + mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 + process_one_work kernel/workqueue.c:3263 [inline] + process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + +Allocated by task 44: + kasan_save_stack mm/kasan/common.c:56 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 + poison_kmalloc_redzone mm/kasan/common.c:400 [inline] + __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 + kasan_kmalloc include/linux/kasan.h:262 [inline] + __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 + kmalloc_noprof include/linux/slab.h:957 [inline] + mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 + mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 + mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] + __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 + mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 + mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 + process_one_work kernel/workqueue.c:3263 [inline] + process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 + 
kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 6630: + kasan_save_stack mm/kasan/common.c:56 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 + __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 + kasan_save_free_info mm/kasan/kasan.h:406 [inline] + poison_slab_object mm/kasan/common.c:252 [inline] + __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 + kasan_slab_free include/linux/kasan.h:234 [inline] + slab_free_hook mm/slub.c:2523 [inline] + slab_free mm/slub.c:6611 [inline] + kfree+0x197/0x950 mm/slub.c:6818 + mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 + mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] + mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] + mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 + genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x508/0x820 net/socket.c:2630 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 + __sys_sendmsg net/socket.c:2716 [inline] + __do_sys_sendmsg net/socket.c:2721 [inline] + __se_sys_sendmsg net/socket.c:2719 [inline] + __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Cc: stable@vger.kernel.org +Fixes: 00cfd77b9063 ("mptcp: 
retransmit ADD_ADDR when timeout") +Reported-by: syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com +Signed-off-by: Eric Dumazet +Cc: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -29,6 +29,7 @@ struct mptcp_pm_add_entry { + u8 retrans_times; + struct timer_list add_timer; + struct mptcp_sock *sock; ++ struct rcu_head rcu; + }; + + struct pm_nl_pernet { +@@ -344,22 +345,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock + { + struct mptcp_pm_add_entry *entry; + struct sock *sk = (struct sock *)msk; +- struct timer_list *add_timer = NULL; ++ bool stop_timer = false; ++ ++ rcu_read_lock(); + + spin_lock_bh(&msk->pm.lock); + entry = mptcp_lookup_anno_list_by_saddr(msk, addr); + if (entry && (!check_id || entry->addr.id == addr->id)) { + entry->retrans_times = ADD_ADDR_RETRANS_MAX; +- add_timer = &entry->add_timer; ++ stop_timer = true; + } + if (!check_id && entry) + list_del(&entry->list); + spin_unlock_bh(&msk->pm.lock); + +- /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */ +- if (add_timer) +- sk_stop_timer_sync(sk, add_timer); ++ /* Note: entry might have been removed by another thread. ++ * We hold rcu_read_lock() to ensure it is not freed under us. 
++ */ ++ if (stop_timer) ++ sk_stop_timer_sync(sk, &entry->add_timer); + ++ rcu_read_unlock(); + return entry; + } + +@@ -415,7 +421,7 @@ void mptcp_pm_free_anno_list(struct mptc + + list_for_each_entry_safe(entry, tmp, &free_list, list) { + sk_stop_timer_sync(sk, &entry->add_timer); +- kfree(entry); ++ kfree_rcu(entry, rcu); + } + } + +@@ -1573,7 +1579,7 @@ static bool remove_anno_list_by_saddr(st + + entry = mptcp_pm_del_add_timer(msk, addr, false); + if (entry) { +- kfree(entry); ++ kfree_rcu(entry, rcu); + return true; + } + diff --git a/queue-6.6/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch b/queue-6.6/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch new file mode 100644 index 0000000000..8e1cef6362 --- /dev/null +++ b/queue-6.6/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch 
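Review bot: mptcp_pm_del_add_timer() now calls `rcu_read_unlock()` immediately before `return entry;`, so the returned pointer is no longer covered by the read-side section that kept it alive for sk_stop_timer_sync(). When `check_id` is true the entry stays on the list and another thread may release it through `kfree_rcu()`, so callers on that path should only test the result for NULL. A comment above the return would record this, e.g. `/* entry is safe to dereference only if this call unlinked it (!check_id); otherwise use it as a boolean */`. The function's signature and its callers are outside the hunk, so how the return value is used in 6.6 still needs checking.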
@@ -0,0 +1,82 @@ +From stable+bounces-196511-greg=kroah.com@vger.kernel.org Fri Nov 21 16:43:53 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 10:43:01 -0500 +Subject: pmdomain: arm: scmi: Fix genpd leak on provider registration failure +To: stable@vger.kernel.org +Cc: Sudeep Holla , Peng Fan , Ulf Hansson , Sasha Levin +Message-ID: <20251121154301.2580293-1-sashal@kernel.org> + +From: Sudeep Holla + +[ Upstream commit 7458f72cc28f9eb0de811effcb5376d0ec19094a ] + +If of_genpd_add_provider_onecell() fails during probe, the previously +created generic power domains are not removed, leading to a memory leak +and potential kernel crash later in genpd_debug_add(). + +Add proper error handling to unwind the initialized domains before +returning from probe to ensure all resources are correctly released on +failure. + +Example crash trace observed without this fix: + + | Unable to handle kernel paging request at virtual address fffffffffffffc70 + | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT + | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform + | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + | pc : genpd_debug_add+0x2c/0x160 + | lr : genpd_debug_init+0x74/0x98 + | Call trace: + | genpd_debug_add+0x2c/0x160 (P) + | genpd_debug_init+0x74/0x98 + | do_one_initcall+0xd0/0x2d8 + | do_initcall_level+0xa0/0x140 + | do_initcalls+0x60/0xa8 + | do_basic_setup+0x28/0x40 + | kernel_init_freeable+0xe8/0x170 + | kernel_init+0x2c/0x140 + | ret_from_fork+0x10/0x20 + +Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") +Signed-off-by: Sudeep Holla +Reviewed-by: Peng Fan +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +[ drivers/pmdomain/arm/scmi_pm_domain.c -> drivers/firmware/arm_scmi/scmi_pm_domain.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_scmi/scmi_pm_domain.c | 13 +++++++++++-- + 1 file changed, 11 
insertions(+), 2 deletions(-) + +--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c ++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c +@@ -54,7 +54,7 @@ static int scmi_pd_power_off(struct gene + + static int scmi_pm_domain_probe(struct scmi_device *sdev) + { +- int num_domains, i; ++ int num_domains, i, ret; + struct device *dev = &sdev->dev; + struct device_node *np = dev->of_node; + struct scmi_pm_domain *scmi_pd; +@@ -112,9 +112,18 @@ static int scmi_pm_domain_probe(struct s + scmi_pd_data->domains = domains; + scmi_pd_data->num_domains = num_domains; + ++ ret = of_genpd_add_provider_onecell(np, scmi_pd_data); ++ if (ret) ++ goto err_rm_genpds; ++ + dev_set_drvdata(dev, scmi_pd_data); + +- return of_genpd_add_provider_onecell(np, scmi_pd_data); ++ return 0; ++err_rm_genpds: ++ for (i = num_domains - 1; i >= 0; i--) ++ pm_genpd_remove(domains[i]); ++ ++ return ret; + } + + static void scmi_pm_domain_remove(struct scmi_device *sdev) diff --git a/queue-6.6/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch b/queue-6.6/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch new file mode 100644 index 0000000000..cd923b3572 --- /dev/null +++ b/queue-6.6/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch 
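Review bot: The new `err_rm_genpds` unwind calls `pm_genpd_remove(domains[i])` for every index and ignores the result. The loop that fills `domains[]` is outside the hunk, so it is not visible whether a slot can be left unset; if it can, the unwind depends on pm_genpd_remove() rejecting a NULL pointer. An explicit `if (domains[i])` before the call would make the unwind visibly safe, and a `dev_warn()` on a non-zero return would stop a failed removal from passing silently. scmi_pm_domain_probe() begins outside the hunk.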
@@ -0,0 +1,37 @@ +From stable+bounces-196509-greg=kroah.com@vger.kernel.org Fri Nov 21 16:40:52 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 10:40:41 -0500 +Subject: pmdomain: imx: Fix reference count leak in imx_gpc_remove +To: stable@vger.kernel.org +Cc: Miaoqian Lin , Ulf Hansson , Sasha Levin +Message-ID: <20251121154041.2577393-2-sashal@kernel.org> + +From: Miaoqian Lin + +[ Upstream commit bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 ] + +of_get_child_by_name() returns a node pointer with refcount incremented, we +should use of_node_put() on it when not needed anymore. Add the missing +of_node_put() to avoid refcount leak. + +Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/imx/gpc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pmdomain/imx/gpc.c ++++ b/drivers/pmdomain/imx/gpc.c +@@ -546,6 +546,8 @@ static void imx_gpc_remove(struct platfo + return; + } + } ++ ++ of_node_put(pgc_node); + } + + static struct platform_driver imx_gpc_driver = { diff --git a/queue-6.6/pmdomain-imx-gpc-convert-to-platform-remove-callback-returning-void.patch b/queue-6.6/pmdomain-imx-gpc-convert-to-platform-remove-callback-returning-void.patch new file mode 100644 index 0000000000..3107223fa8 --- /dev/null +++ b/queue-6.6/pmdomain-imx-gpc-convert-to-platform-remove-callback-returning-void.patch 
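Review bot: The added `of_node_put(pgc_node)` sits after the closing brace of the old-binding block, so the `return;` visible just above it still exits without dropping the reference. According to the companion conversion patch in this queue, those returns are the pm_genpd_remove() failure branches. Adding `of_node_put(pgc_node);` before each of those `return;` statements, or routing them through a single exit label, would close the leak on the error paths as well. imx_gpc_remove() starts outside this hunk, so where pgc_node is obtained is taken from the commit message only.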
@@ -0,0 +1,91 @@ +From stable+bounces-196510-greg=kroah.com@vger.kernel.org Fri Nov 21 16:45:28 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 10:40:40 -0500 +Subject: pmdomain: imx-gpc: Convert to platform remove callback returning void +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "Ulf Hansson" , "Sasha Levin" +Message-ID: <20251121154041.2577393-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit da07c5871d18157608a0d0702cb093168d79080a ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is ignored (apart +from emitting a warning) and this typically results in resource leaks. + +To improve here there is a quest to make the remove callback return +void. In the first step of this quest all drivers are converted to +.remove_new(), which already returns void. Eventually after all drivers +are converted, .remove_new() will be renamed to .remove(). + +In the error path emit an error message replacing the (less useful) +message by the core. Apart from the improved error message there is no +change in behaviour. 
+ +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20231124080623.564924-3-u.kleine-koenig@pengutronix.de +Signed-off-by: Ulf Hansson +Stable-dep-of: bbde14682eba ("pmdomain: imx: Fix reference count leak in imx_gpc_remove") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/imx/gpc.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +--- a/drivers/pmdomain/imx/gpc.c ++++ b/drivers/pmdomain/imx/gpc.c +@@ -512,7 +512,7 @@ static int imx_gpc_probe(struct platform + return 0; + } + +-static int imx_gpc_remove(struct platform_device *pdev) ++static void imx_gpc_remove(struct platform_device *pdev) + { + struct device_node *pgc_node; + int ret; +@@ -522,7 +522,7 @@ static int imx_gpc_remove(struct platfor + /* bail out if DT too old and doesn't provide the necessary info */ + if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") && + !pgc_node) +- return 0; ++ return; + + /* + * If the old DT binding is used the toplevel driver needs to +@@ -532,16 +532,20 @@ static int imx_gpc_remove(struct platfor + of_genpd_del_provider(pdev->dev.of_node); + + ret = pm_genpd_remove(&imx_gpc_domains[GPC_PGC_DOMAIN_PU].base); +- if (ret) +- return ret; ++ if (ret) { ++ dev_err(&pdev->dev, "Failed to remove PU power domain (%pe)\n", ++ ERR_PTR(ret)); ++ return; ++ } + imx_pgc_put_clocks(&imx_gpc_domains[GPC_PGC_DOMAIN_PU]); + + ret = pm_genpd_remove(&imx_gpc_domains[GPC_PGC_DOMAIN_ARM].base); +- if (ret) +- return ret; ++ if (ret) { ++ dev_err(&pdev->dev, "Failed to remove ARM power domain (%pe)\n", ++ ERR_PTR(ret)); ++ return; ++ } + } +- +- return 0; + } + + static struct platform_driver imx_gpc_driver = { +@@ -550,6 +554,6 @@ static struct platform_driver imx_gpc_dr + .of_match_table = imx_gpc_dt_ids, + }, + .probe = imx_gpc_probe, +- .remove = imx_gpc_remove, ++ .remove_new = imx_gpc_remove, + }; + builtin_platform_driver(imx_gpc_driver) 
diff --git a/queue-6.6/selftests-mptcp-join-endpoints-longer-transfer.patch b/queue-6.6/selftests-mptcp-join-endpoints-longer-transfer.patch new file mode 100644 index 0000000000..8997582159 --- /dev/null +++ b/queue-6.6/selftests-mptcp-join-endpoints-longer-transfer.patch 
@@ -0,0 +1,78 @@ +From stable+bounces-196624-greg=kroah.com@vger.kernel.org Sun Nov 23 17:56:05 2025 +From: Sasha Levin +Date: Sun, 23 Nov 2025 11:55:57 -0500 +Subject: selftests: mptcp: join: endpoints: longer transfer +To: stable@vger.kernel.org +Cc: "Matthieu Baerts (NGI0)" , Geliang Tang , Jakub Kicinski , Sasha Levin +Message-ID: <20251123165557.3491636-1-sashal@kernel.org> + +From: "Matthieu Baerts (NGI0)" + +[ Upstream commit 6457595db9870298ee30b6d75287b8548e33fe19 ] + +In rare cases, when the test environment is very slow, some userspace +tests can fail because some expected events have not been seen. + +Because the tests are expecting a long on-going connection, and they are +not waiting for the end of the transfer, it is fine to make the +connection longer. This connection will be killed at the end, after the +verifications, so making it longer doesn't change anything, apart from +avoid it to end before the end of the verifications + +To play it safe, all endpoints tests not waiting for the end of the +transfer are now sharing a longer file (128KB) at slow speed. 
+ +Fixes: 69c6ce7b6eca ("selftests: mptcp: add implicit endpoint test case") +Cc: stable@vger.kernel.org +Fixes: e274f7154008 ("selftests: mptcp: add subflow limits test-cases") +Fixes: b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") +Fixes: e06959e9eebd ("selftests: mptcp: join: test for flush/re-add endpoints") +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-3-a4332c714e10@kernel.org +Signed-off-by: Jakub Kicinski +[ removed curly braces and stderr redirection ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3741,7 +3741,7 @@ endpoint_tests() + pm_nl_set_limits $ns1 2 2 + pm_nl_set_limits $ns2 2 2 + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal +- speed=slow \ ++ test_linkfail=128 speed=slow \ + run_tests $ns1 $ns2 10.0.1.1 & + local tests_pid=$! + +@@ -3768,7 +3768,7 @@ endpoint_tests() + pm_nl_set_limits $ns2 0 3 + pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow + pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow +- test_linkfail=4 speed=5 \ ++ test_linkfail=128 speed=5 \ + run_tests $ns1 $ns2 10.0.1.1 & + local tests_pid=$! + +@@ -3845,7 +3845,7 @@ endpoint_tests() + # broadcast IP: no packet for this address will be received on ns1 + pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal + pm_nl_add_endpoint $ns1 10.0.1.1 id 42 flags signal +- test_linkfail=4 speed=5 \ ++ test_linkfail=128 speed=5 \ + run_tests $ns1 $ns2 10.0.1.1 & + local tests_pid=$! 
+ +@@ -3917,7 +3917,7 @@ endpoint_tests() + # broadcast IP: no packet for this address will be received on ns1 + pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal + pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow +- test_linkfail=4 speed=20 \ ++ test_linkfail=128 speed=20 \ + run_tests $ns1 $ns2 10.0.1.1 & + local tests_pid=$! + diff --git a/queue-6.6/series b/queue-6.6/series index a167a43c33..1dfe27609e 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -69,3 +69,18 @@ f2fs-compress-fix-uaf-of-f2fs_inode_info-in-f2fs_fre.patch alsa-usb-audio-fix-uac2-clock-source-at-terminal-par.patch net-ethernet-ti-netcp-standardize-knav_dma_open_chan.patch tracing-tools-fix-incorrcet-short-option-in-usage-te.patch +smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch +kvm-arm64-check-the-untrusted-offset-in-ff-a-memory-share.patch +uio_hv_generic-set-event-for-all-channels-on-the-device.patch +maple_tree-fix-tracepoint-string-pointers.patch +wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch +crash-fix-crashkernel-resource-shrink.patch +ftrace-fix-bpf-fexit-with-livepatch.patch +pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch +pmdomain-imx-gpc-convert-to-platform-remove-callback-returning-void.patch +pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch +selftests-mptcp-join-endpoints-longer-transfer.patch +hid-amd_sfh-stop-sensor-before-starting.patch +mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch +mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch +mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch diff --git a/queue-6.6/smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch b/queue-6.6/smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch new file mode 100644 index 0000000000..fc2ac1c535 --- /dev/null +++ b/queue-6.6/smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch 
@@ -0,0 +1,30 @@ +From 38ef85145fd3655cd4ac16578871afdc0aa6636f Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Wed, 26 Nov 2025 10:55:53 -0300 +Subject: smb: client: fix incomplete backport in cfids_invalidation_worker() + +From: Henrique Carvalho + +The previous commit bdb596ceb4b7 ("smb: client: fix potential UAF in +smb2_close_cached_fid()") was an incomplete backport and missed one +kref_put() call in cfids_invalidation_worker() that should have been +converted to close_cached_dir(). + +Fixes: cb52d9c86d70 ("smb: client: fix potential UAF in smb2_close_cached_fid()")" +Signed-off-by: Henrique Carvalho +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cached_dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/cached_dir.c ++++ b/fs/smb/client/cached_dir.c +@@ -727,7 +727,7 @@ static void cfids_invalidation_worker(st + list_for_each_entry_safe(cfid, q, &entry, entry) { + list_del(&cfid->entry); + /* Drop the ref-count acquired in invalidate_all_cached_dirs */ +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } + } + diff --git a/queue-6.6/uio_hv_generic-set-event-for-all-channels-on-the-device.patch b/queue-6.6/uio_hv_generic-set-event-for-all-channels-on-the-device.patch new file mode 100644 index 0000000000..7152ae9abe --- /dev/null +++ b/queue-6.6/uio_hv_generic-set-event-for-all-channels-on-the-device.patch 
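Review bot: The changelog gives two different commit ids for the same subject: the body cites bdb596ceb4b7 and the `Fixes:` trailer cites cb52d9c86d70, and the trailer ends with a stray `"` after the closing parenthesis. Scripts that parse Fixes tags to decide which trees need a patch may mishandle this. The changelog should say which id is the 6.6 backport and which is the upstream commit, and the trailer should end at `)`. The code change itself is a one-line swap inside cfids_invalidation_worker(), whose body starts outside the hunk.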
@@ -0,0 +1,74 @@ +From d062463edf1770427dc2d637df4088df4835aa47 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Mon, 10 Mar 2025 15:12:01 -0700 +Subject: uio_hv_generic: Set event for all channels on the device + +From: Long Li + +commit d062463edf1770427dc2d637df4088df4835aa47 upstream. + +Hyper-V may offer a non latency sensitive device with subchannels without +monitor bit enabled. The decision is entirely on the Hyper-V host not +configurable within guest. + +When a device has subchannels, also signal events for the subchannel +if its monitor bit is disabled. + +This patch also removes the memory barrier when monitor bit is enabled +as it is not necessary. The memory barrier is only needed between +setting up interrupt mask and calling vmbus_set_event() when monitor +bit is disabled. + +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Reviewed-by: Saurabh Sengar +Link: https://lore.kernel.org/r/1741644721-20389-1-git-send-email-longli@linuxonhyperv.com +Fixes: b15b7d2a1b09 ("uio_hv_generic: Let userspace take care of interrupt mask") +Closes: https://bugs.debian.org/1120602 +Signed-off-by: Naman Jain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio_hv_generic.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/uio/uio_hv_generic.c ++++ b/drivers/uio/uio_hv_generic.c +@@ -80,9 +80,15 @@ hv_uio_irqcontrol(struct uio_info *info, + { + struct hv_uio_private_data *pdata = info->priv; + struct hv_device *dev = pdata->device; ++ struct vmbus_channel *primary, *sc; + +- dev->channel->inbound.ring_buffer->interrupt_mask = !irq_state; +- virt_mb(); ++ primary = dev->channel; ++ primary->inbound.ring_buffer->interrupt_mask = !irq_state; ++ ++ mutex_lock(&vmbus_connection.channel_mutex); ++ list_for_each_entry(sc, &primary->sc_list, sc_list) ++ sc->inbound.ring_buffer->interrupt_mask = !irq_state; ++ mutex_unlock(&vmbus_connection.channel_mutex); + + return 0; + } +@@ -93,11 +99,18 @@ hv_uio_irqcontrol(struct 
uio_info *info, + static void hv_uio_channel_cb(void *context) + { + struct vmbus_channel *chan = context; +- struct hv_device *hv_dev = chan->device_obj; +- struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev); ++ struct hv_device *hv_dev; ++ struct hv_uio_private_data *pdata; + + virt_mb(); + ++ /* ++ * The callback may come from a subchannel, in which case look ++ * for the hv device in the primary channel ++ */ ++ hv_dev = chan->primary_channel ? ++ chan->primary_channel->device_obj : chan->device_obj; ++ pdata = hv_get_drvdata(hv_dev); + uio_event_notify(&pdata->info); + } + diff --git a/queue-6.6/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch b/queue-6.6/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch new file mode 100644 index 0000000000..42ef1299af --- /dev/null +++ b/queue-6.6/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch 
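Review bot: In hv_uio_irqcontrol() the backported hunk drops `virt_mb()` entirely and contains no vmbus_set_event() call, yet the changelog says the barrier is still needed between setting the interrupt mask and that call when the monitor bit is disabled. The code and the description therefore do not match, and unlike other patches in this queue there is no bracketed backport note explaining the difference. A note such as `[ 6.6 has no set-event path in hv_uio_irqcontrol(); only the subchannel mask update is backported ]` (wording to be confirmed by the backporter) would show that dropping the barrier is intentional. Separately, the new loop dereferences `sc->inbound.ring_buffer` for every entry on `sc_list`; whether a subchannel can be on that list before its ring buffer exists is not visible here and is worth confirming.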
@@ -0,0 +1,93 @@ +From 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Thu, 17 Jul 2025 18:25:45 +0200 +Subject: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() + +From: Alexander Wetzel + +commit 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 upstream. + +Callers of wdev_chandef() must hold the wiphy mutex. + +But the worker cfg80211_propagate_cac_done_wk() never takes the lock. +Which triggers the warning below with the mesh_peer_connected_dfs +test from hostapd and not (yet) released mac80211 code changes: + +WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 +Modules linked in: +CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf +Workqueue: cfg80211 cfg80211_propagate_cac_done_wk +Stack: + 00000000 00000001 ffffff00 6093267c + 00000000 6002ec30 6d577c50 60037608 + 00000000 67e8d108 6063717b 00000000 +Call Trace: + [<6002ec30>] ? _printk+0x0/0x98 + [<6003c2b3>] show_stack+0x10e/0x11a + [<6002ec30>] ? _printk+0x0/0x98 + [<60037608>] dump_stack_lvl+0x71/0xb8 + [<6063717b>] ? wdev_chandef+0x60/0x165 + [<6003766d>] dump_stack+0x1e/0x20 + [<6005d1b7>] __warn+0x101/0x20f + [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d + [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec + [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 + [<600b11a2>] ? mark_held_locks+0x5a/0x6e + [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d + [<60052e53>] ? unblock_signals+0x3a/0xe7 + [<60052f2d>] ? um_set_signals+0x2d/0x43 + [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 + [<607508b2>] ? lock_is_held_type+0x207/0x21f + [<6063717b>] wdev_chandef+0x60/0x165 + [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f + [<60052f00>] ? um_set_signals+0x0/0x43 + [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a + [<6007e460>] process_scheduled_works+0x3bc/0x60e + [<6007d0ec>] ? move_linked_works+0x4d/0x81 + [<6007d120>] ? 
assign_work+0x0/0xaa + [<6007f81f>] worker_thread+0x220/0x2dc + [<600786ef>] ? set_pf_worker+0x0/0x57 + [<60087c96>] ? to_kthread+0x0/0x43 + [<6008ab3c>] kthread+0x2d3/0x2e2 + [<6007f5ff>] ? worker_thread+0x0/0x2dc + [<6006c05b>] ? calculate_sigpending+0x0/0x56 + [<6003b37d>] new_thread_handler+0x4a/0x64 +irq event stamp: 614611 +hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf +hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf +softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 +softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985 + +Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC") +Signed-off-by: Alexander Wetzel +Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de +Signed-off-by: Johannes Berg +[ The author recommends that when porting to older kernels, we should use wiphy_lock() +and wiphy_unlock() instead of guard(). ] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/reg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -4208,6 +4208,9 @@ EXPORT_SYMBOL(regulatory_pre_cac_allowed + static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev) + { + struct wireless_dev *wdev; ++ ++ wiphy_lock(&rdev->wiphy); ++ + /* If we finished CAC or received radar, we should end any + * CAC running on the same channels. + * the check !cfg80211_chandef_dfs_usable contain 2 options: +@@ -4231,6 +4234,8 @@ static void cfg80211_check_and_end_cac(s + if (!cfg80211_chandef_dfs_usable(&rdev->wiphy, chandef)) + rdev_end_cac(rdev, wdev->netdev); + } ++ ++ wiphy_unlock(&rdev->wiphy); + } + + void regulatory_propagate_dfs_state(struct wiphy *wiphy, -- 2.47.3
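Review bot: cfg80211_check_and_end_cac() now takes `wiphy_lock(&rdev->wiphy)` on the strength of the upstream statement that callers of wdev_chandef() must hold the wiphy mutex. Neither wdev_chandef() nor this function's callers are visible in the hunk. For 6.6 it should be confirmed that wdev_chandef() asserts the wiphy mutex rather than a per-wdev lock, and that no caller of this static function already holds the wiphy mutex, since that would self-deadlock. The bracketed backport note covers only the guard() to wiphy_lock()/wiphy_unlock() substitution; adding a line stating that the 6.6 locking rules were checked would make the backport easier to audit.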