From: Greg Kroah-Hartman Date: Fri, 20 Mar 2026 17:40:09 +0000 (+0100) Subject: 6.18-stable patches X-Git-Tag: v6.1.167~79 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=260c2cbe467b4917154d74e48b93680e6f87cdfd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: ata-libata-core-disable-lpm-on-adata-su680-ssd.patch ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch io_uring-kbuf-fix-missing-buf_more-for-incremental-buffers-at-eof.patch io_uring-kbuf-propagate-buf_more-through-early-buffer-commit-path.patch io_uring-poll-fix-multishot-recv-missing-eof-on-wakeup-race.patch iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch iommu-vt-d-only-handle-iopf-for-sva-when-pri-is-supported.patch mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch spi-fix-statistics-allocation.patch spi-fix-use-after-free-on-controller-registration-failure.patch --- diff --git a/queue-6.18/ata-libata-core-disable-lpm-on-adata-su680-ssd.patch b/queue-6.18/ata-libata-core-disable-lpm-on-adata-su680-ssd.patch new file mode 100644 index 0000000000..e5a0d133db --- /dev/null +++ b/queue-6.18/ata-libata-core-disable-lpm-on-adata-su680-ssd.patch @@ -0,0 +1,38 @@ +From ce5ae93d1a216680460040c7c0465a6e3b629dec Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Sun, 15 Mar 2026 07:24:15 +0900 +Subject: ata: libata-core: disable LPM on ADATA SU680 SSD + +From: Damien Le Moal + +commit ce5ae93d1a216680460040c7c0465a6e3b629dec upstream. + +ADATA SU680 SSDs suffer from NCQ read and write commands timeouts or bus +errors when link power management (LPM) is enabled. Flag these devices +with the ATA_QUIRK_NOLPM quirk to prevent the use of LPM and avoid these +command failures. + +Reported-by: Mohammad Khaled Bayan +Closes: https://bugs.launchpad.net/ubuntu/+source/linux-hwe-6.17/+bug/2144060 +Cc: stable@vger.kernel.org +Tested-by: Mohammad-Khaled Bayan +Signed-off-by: Damien Le Moal +Reviewed-by: Martin K. Petersen +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4156,6 +4156,9 @@ static const struct ata_dev_quirks_entry + { "ST3320[68]13AS", "SD1[5-9]", ATA_QUIRK_NONCQ | + ATA_QUIRK_FIRMWARE_WARN }, + ++ /* ADATA devices with LPM issues. */ ++ { "ADATA SU680", NULL, ATA_QUIRK_NOLPM }, ++ + /* Seagate disks with LPM issues */ + { "ST1000DM010-2EP102", NULL, ATA_QUIRK_NOLPM }, + { "ST2000DM008-2FR102", NULL, ATA_QUIRK_NOLPM }, diff --git a/queue-6.18/ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch b/queue-6.18/ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch new file mode 100644 index 0000000000..8befa13ce0 --- /dev/null +++ b/queue-6.18/ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch @@ -0,0 +1,37 @@ +From e6d7eba23b666d85cacee0643be280d6ce1ebffc Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Fri, 20 Mar 2026 12:48:01 +0900 +Subject: ata: libata-scsi: report correct sense field pointer in ata_scsiop_maint_in() + +From: Damien Le Moal + +commit e6d7eba23b666d85cacee0643be280d6ce1ebffc upstream. + +Commit 4ab7bb976343 ("ata: libata-scsi: Refactor ata_scsiop_maint_in()") +modified ata_scsiop_maint_in() to directly call +ata_scsi_set_invalid_field() to set the field pointer of the sense data +of a failed MAINTENANCE IN command. However, in the case of an invalid +command format, the sense data field incorrectly indicates byte 1 of +the CDB. Fix this to indicate byte 2 of the command. + +Reported-by: Guenter Roeck +Fixes: 4ab7bb976343 ("ata: libata-scsi: Refactor ata_scsiop_maint_in()") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3599,7 +3599,7 @@ static unsigned int ata_scsiop_maint_in( + + if (cdb[2] != 1 && cdb[2] != 3) { + ata_dev_warn(dev, "invalid command format %d\n", cdb[2]); +- ata_scsi_set_invalid_field(dev, cmd, 1, 0xff); ++ ata_scsi_set_invalid_field(dev, cmd, 2, 0xff); + return 0; + } + diff --git a/queue-6.18/io_uring-kbuf-fix-missing-buf_more-for-incremental-buffers-at-eof.patch b/queue-6.18/io_uring-kbuf-fix-missing-buf_more-for-incremental-buffers-at-eof.patch new file mode 100644 index 0000000000..c2d0d6f111 --- /dev/null +++ b/queue-6.18/io_uring-kbuf-fix-missing-buf_more-for-incremental-buffers-at-eof.patch @@ -0,0 +1,38 @@ +From 3ecd3e03144b38a21a3b70254f1b9d2e16629b09 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 19 Mar 2026 14:29:09 -0600 +Subject: io_uring/kbuf: fix missing BUF_MORE for incremental buffers at EOF + +From: Jens Axboe + +commit 3ecd3e03144b38a21a3b70254f1b9d2e16629b09 upstream. + +For a zero length transfer, io_kbuf_inc_commit() is called with !len. +Since we never enter the while loop to consume the buffers, +io_kbuf_inc_commit() ends up returning true, consuming the buffer. But +if no data was consumed, by definition it cannot have consumed the +buffer. Return false for that case. + +Reported-by: Martin Michaelis +Cc: stable@vger.kernel.org +Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption") +Link: https://github.com/axboe/liburing/issues/1553 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/kbuf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/io_uring/kbuf.c ++++ b/io_uring/kbuf.c +@@ -34,6 +34,10 @@ struct io_provide_buf { + + static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len) + { ++ /* No data consumed, return false early to avoid consuming the buffer */ ++ if (!len) ++ return false; ++ + while (len) { + struct io_uring_buf *buf; + u32 buf_len, this_len; diff --git a/queue-6.18/io_uring-kbuf-propagate-buf_more-through-early-buffer-commit-path.patch b/queue-6.18/io_uring-kbuf-propagate-buf_more-through-early-buffer-commit-path.patch new file mode 100644 index 0000000000..764caa8fa9 --- /dev/null +++ b/queue-6.18/io_uring-kbuf-propagate-buf_more-through-early-buffer-commit-path.patch @@ -0,0 +1,88 @@ +From 418eab7a6f3c002d8e64d6e95ec27118017019af Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 19 Mar 2026 14:29:20 -0600 +Subject: io_uring/kbuf: propagate BUF_MORE through early buffer commit path + +From: Jens Axboe + +commit 418eab7a6f3c002d8e64d6e95ec27118017019af upstream. + +When io_should_commit() returns true (eg for non-pollable files), buffer +commit happens at buffer selection time and sel->buf_list is set to +NULL. When __io_put_kbufs() generates CQE flags at completion time, it +calls __io_put_kbuf_ring() which finds a NULL buffer_list and hence +cannot determine whether the buffer was consumed or not. This means that +IORING_CQE_F_BUF_MORE is never set for non-pollable input with +incrementally consumed buffers. + +Likewise for io_buffers_select(), which always commits upfront and +discards the return value of io_kbuf_commit(). + +Add REQ_F_BUF_MORE to store the result of io_kbuf_commit() during early +commit. Then __io_put_kbuf_ring() can check this flag and set +IORING_F_BUF_MORE accordingy. + +Reported-by: Martin Michaelis +Cc: stable@vger.kernel.org +Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption") +Link: https://github.com/axboe/liburing/issues/1553 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/io_uring_types.h | 3 +++ + io_uring/kbuf.c | 10 +++++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/include/linux/io_uring_types.h ++++ b/include/linux/io_uring_types.h +@@ -518,6 +518,7 @@ enum { + REQ_F_BL_NO_RECYCLE_BIT, + REQ_F_BUFFERS_COMMIT_BIT, + REQ_F_BUF_NODE_BIT, ++ REQ_F_BUF_MORE_BIT, + REQ_F_HAS_METADATA_BIT, + REQ_F_IMPORT_BUFFER_BIT, + REQ_F_SQE_COPIED_BIT, +@@ -603,6 +604,8 @@ enum { + REQ_F_BUFFERS_COMMIT = IO_REQ_FLAG(REQ_F_BUFFERS_COMMIT_BIT), + /* buf node is valid */ + REQ_F_BUF_NODE = IO_REQ_FLAG(REQ_F_BUF_NODE_BIT), ++ /* incremental buffer consumption, more space available */ ++ REQ_F_BUF_MORE = IO_REQ_FLAG(REQ_F_BUF_MORE_BIT), + /* request has read/write metadata assigned */ + REQ_F_HAS_METADATA = IO_REQ_FLAG(REQ_F_HAS_METADATA_BIT), + /* +--- a/io_uring/kbuf.c ++++ b/io_uring/kbuf.c +@@ -216,7 +216,8 @@ static struct io_br_sel io_ring_buffer_s + sel.addr = u64_to_user_ptr(READ_ONCE(buf->addr)); + + if (io_should_commit(req, issue_flags)) { +- io_kbuf_commit(req, sel.buf_list, *len, 1); ++ if (!io_kbuf_commit(req, sel.buf_list, *len, 1)) ++ req->flags |= REQ_F_BUF_MORE; + sel.buf_list = NULL; + } + return sel; +@@ -349,7 +350,8 @@ int io_buffers_select(struct io_kiocb *r + */ + if (ret > 0) { + req->flags |= REQ_F_BUFFERS_COMMIT | REQ_F_BL_NO_RECYCLE; +- io_kbuf_commit(req, sel->buf_list, arg->out_len, ret); ++ if (!io_kbuf_commit(req, sel->buf_list, arg->out_len, ret)) ++ req->flags |= REQ_F_BUF_MORE; + } + } else { + ret = io_provided_buffers_select(req, &arg->out_len, sel->buf_list, arg->iovs); +@@ -395,8 +397,10 @@ static inline bool __io_put_kbuf_ring(st + + if (bl) + ret = io_kbuf_commit(req, bl, len, nr); ++ if (ret && (req->flags & REQ_F_BUF_MORE)) ++ ret = false; + +- req->flags &= ~REQ_F_BUFFER_RING; ++ req->flags &= ~(REQ_F_BUFFER_RING | REQ_F_BUF_MORE); + return ret; + } + diff --git a/queue-6.18/io_uring-poll-fix-multishot-recv-missing-eof-on-wakeup-race.patch b/queue-6.18/io_uring-poll-fix-multishot-recv-missing-eof-on-wakeup-race.patch new file mode 100644 index 0000000000..961364dbbf --- /dev/null +++ b/queue-6.18/io_uring-poll-fix-multishot-recv-missing-eof-on-wakeup-race.patch @@ -0,0 +1,66 @@ +From a68ed2df72131447d131531a08fe4dfcf4fa4653 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sun, 15 Mar 2026 09:03:03 -0600 +Subject: io_uring/poll: fix multishot recv missing EOF on wakeup race + +From: Jens Axboe + +commit a68ed2df72131447d131531a08fe4dfcf4fa4653 upstream. + +When a socket send and shutdown() happen back-to-back, both fire +wake-ups before the receiver's task_work has a chance to run. The first +wake gets poll ownership (poll_refs=1), and the second bumps it to 2. +When io_poll_check_events() runs, it calls io_poll_issue() which does a +recv that reads the data and returns IOU_RETRY. The loop then drains all +accumulated refs (atomic_sub_return(2) -> 0) and exits, even though only +the first event was consumed. Since the shutdown is a persistent state +change, no further wakeups will happen, and the multishot recv can hang +forever. + +Check specifically for HUP in the poll loop, and ensure that another +loop is done to check for status if more than a single poll activation +is pending. This ensures we don't lose the shutdown event. + +Cc: stable@vger.kernel.org +Fixes: dbc2564cfe0f ("io_uring: let fast poll support multishot") +Reported-by: Francis Brosseau +Link: https://github.com/axboe/liburing/issues/1549 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/poll.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -254,6 +254,7 @@ static int io_poll_check_events(struct i + atomic_andnot(IO_POLL_RETRY_FLAG, &req->poll_refs); + v &= ~IO_POLL_RETRY_FLAG; + } ++ v &= IO_POLL_REF_MASK; + } + + /* the mask was stashed in __io_poll_execute */ +@@ -286,8 +287,13 @@ static int io_poll_check_events(struct i + return IOU_POLL_REMOVE_POLL_USE_RES; + } + } else { +- int ret = io_poll_issue(req, tw); ++ int ret; + ++ /* multiple refs and HUP, ensure we loop once more */ ++ if ((req->cqe.res & (POLLHUP | POLLRDHUP)) && v != 1) ++ v--; ++ ++ ret = io_poll_issue(req, tw); + if (ret == IOU_COMPLETE) + return IOU_POLL_REMOVE_POLL_USE_RES; + else if (ret == IOU_REQUEUE) +@@ -303,7 +309,6 @@ static int io_poll_check_events(struct i + * Release all references, retry if someone tried to restart + * task_work while we were executing it. + */ +- v &= IO_POLL_REF_MASK; + } while (atomic_sub_return(v, &req->poll_refs) & IO_POLL_REF_MASK); + + io_napi_add(req); diff --git a/queue-6.18/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch b/queue-6.18/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch new file mode 100644 index 0000000000..543d9405ea --- /dev/null +++ b/queue-6.18/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch @@ -0,0 +1,54 @@ +From fe89277c9ceb0d6af0aa665bcf24a41d8b1b79cd Mon Sep 17 00:00:00 2001 +From: Guanghui Feng +Date: Mon, 16 Mar 2026 15:16:39 +0800 +Subject: iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry + +From: Guanghui Feng + +commit fe89277c9ceb0d6af0aa665bcf24a41d8b1b79cd upstream. + +During the qi_check_fault process after an IOMMU ITE event, requests at +odd-numbered positions in the queue are set to QI_ABORT, only satisfying +single-request submissions. However, qi_submit_sync now supports multiple +simultaneous submissions, and can't guarantee that the wait_desc will be +at an odd-numbered position. Therefore, if an item times out, IOMMU can't +re-initiate the request, resulting in an infinite polling wait. + +This modifies the process by setting the status of all requests already +fetched by IOMMU and recorded as QI_IN_USE status (including wait_desc +requests) to QI_ABORT, thus enabling multiple requests to be resubmitted. + +Fixes: 8a1d82462540 ("iommu/vt-d: Multiple descriptors per qi_submit_sync()") +Cc: stable@vger.kernel.org +Signed-off-by: Guanghui Feng +Tested-by: Shuai Xue +Reviewed-by: Shuai Xue +Reviewed-by: Samiullah Khawaja +Link: https://lore.kernel.org/r/20260306101516.3885775-1-guanghuifeng@linux.alibaba.com +Signed-off-by: Lu Baolu +Fixes: 8a1d82462540 ("iommu/vt-d: Multiple descriptors per qi_submit_sync()") +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel/dmar.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iommu/intel/dmar.c ++++ b/drivers/iommu/intel/dmar.c +@@ -1314,7 +1314,6 @@ static int qi_check_fault(struct intel_i + if (fault & DMA_FSTS_ITE) { + head = readl(iommu->reg + DMAR_IQH_REG); + head = ((head >> shift) - 1 + QI_LENGTH) % QI_LENGTH; +- head |= 1; + tail = readl(iommu->reg + DMAR_IQT_REG); + tail = ((tail >> shift) - 1 + QI_LENGTH) % QI_LENGTH; + +@@ -1331,7 +1330,7 @@ static int qi_check_fault(struct intel_i + do { + if (qi->desc_status[head] == QI_IN_USE) + qi->desc_status[head] = QI_ABORT; +- head = (head - 2 + QI_LENGTH) % QI_LENGTH; ++ head = (head - 1 + QI_LENGTH) % QI_LENGTH; + } while (head != tail); + + /* diff --git a/queue-6.18/iommu-vt-d-only-handle-iopf-for-sva-when-pri-is-supported.patch b/queue-6.18/iommu-vt-d-only-handle-iopf-for-sva-when-pri-is-supported.patch new file mode 100644 index 0000000000..d5dc90e20f --- /dev/null +++ b/queue-6.18/iommu-vt-d-only-handle-iopf-for-sva-when-pri-is-supported.patch @@ -0,0 +1,61 @@ +From 39c20c4e83b9f78988541d829aa34668904e54a0 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Mon, 16 Mar 2026 15:16:40 +0800 +Subject: iommu/vt-d: Only handle IOPF for SVA when PRI is supported + +From: Lu Baolu + +commit 39c20c4e83b9f78988541d829aa34668904e54a0 upstream. + +In intel_svm_set_dev_pasid(), the driver unconditionally manages the IOPF +handling during a domain transition. However, commit a86fb7717320 +("iommu/vt-d: Allow SVA with device-specific IOPF") introduced support for +SVA on devices that handle page faults internally without utilizing the +PCI PRI. On such devices, the IOMMU-side IOPF infrastructure is not +required. Calling iopf_for_domain_replace() on these devices is incorrect +and can lead to unexpected failures during PASID attachment or unwinding. + +Add a check for info->pri_supported to ensure that the IOPF queue logic +is only invoked for devices that actually rely on the IOMMU's PRI-based +fault handling. + +Fixes: 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach path") +Cc: stable@vger.kernel.org +Suggested-by: Kevin Tian +Reviewed-by: Kevin Tian +Signed-off-by: Lu Baolu +Link: https://lore.kernel.org/r/20260310075520.295104-1-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel/svm.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/iommu/intel/svm.c ++++ b/drivers/iommu/intel/svm.c +@@ -164,9 +164,12 @@ static int intel_svm_set_dev_pasid(struc + if (IS_ERR(dev_pasid)) + return PTR_ERR(dev_pasid); + +- ret = iopf_for_domain_replace(domain, old, dev); +- if (ret) +- goto out_remove_dev_pasid; ++ /* SVA with non-IOMMU/PRI IOPF handling is allowed. */ ++ if (info->pri_supported) { ++ ret = iopf_for_domain_replace(domain, old, dev); ++ if (ret) ++ goto out_remove_dev_pasid; ++ } + + /* Setup the pasid table: */ + sflags = cpu_feature_enabled(X86_FEATURE_LA57) ? PASID_FLAG_FL5LP : 0; +@@ -180,7 +183,8 @@ static int intel_svm_set_dev_pasid(struc + + return 0; + out_unwind_iopf: +- iopf_for_domain_replace(old, domain, dev); ++ if (info->pri_supported) ++ iopf_for_domain_replace(old, domain, dev); + out_remove_dev_pasid: + domain_remove_dev_pasid(domain, dev, pasid); + return ret; diff --git a/queue-6.18/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch b/queue-6.18/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch new file mode 100644 index 0000000000..4cdef52087 --- /dev/null +++ b/queue-6.18/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch @@ -0,0 +1,47 @@ +From 5e3486e64094c28a526543f1e8aa0d5964b7f02d Mon Sep 17 00:00:00 2001 +From: Luke Wang +Date: Wed, 11 Mar 2026 17:50:06 +0800 +Subject: mmc: sdhci: fix timing selection for 1-bit bus width + +From: Luke Wang + +commit 5e3486e64094c28a526543f1e8aa0d5964b7f02d upstream. + +When 1-bit bus width is used with HS200/HS400 capabilities set, +mmc_select_hs200() returns 0 without actually switching. This +causes mmc_select_timing() to skip mmc_select_hs(), leaving eMMC +in legacy mode (26MHz) instead of High Speed SDR (52MHz). + +Per JEDEC eMMC spec section 5.3.2, 1-bit mode supports High Speed +SDR. Drop incompatible HS200/HS400/UHS/DDR caps early so timing +selection falls through to mmc_select_hs() correctly. + +Fixes: f2119df6b764 ("mmc: sd: add support for signal voltage switch procedure") +Signed-off-by: Luke Wang +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -4532,8 +4532,15 @@ int sdhci_setup_host(struct sdhci_host * + * their platform code before calling sdhci_add_host(), and we + * won't assume 8-bit width for hosts without that CAP. + */ +- if (!(host->quirks & SDHCI_QUIRK_FORCE_1_BIT_DATA)) ++ if (host->quirks & SDHCI_QUIRK_FORCE_1_BIT_DATA) { ++ host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50); ++ if (host->quirks2 & SDHCI_QUIRK2_CAPS_BIT63_FOR_HS400) ++ host->caps1 &= ~SDHCI_SUPPORT_HS400; ++ mmc->caps2 &= ~(MMC_CAP2_HS200 | MMC_CAP2_HS400 | MMC_CAP2_HS400_ES); ++ mmc->caps &= ~(MMC_CAP_DDR | MMC_CAP_UHS); ++ } else { + mmc->caps |= MMC_CAP_4_BIT_DATA; ++ } + + if (host->quirks2 & SDHCI_QUIRK2_HOST_NO_CMD23) + mmc->caps &= ~MMC_CAP_CMD23; diff --git a/queue-6.18/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch b/queue-6.18/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch new file mode 100644 index 0000000000..328c429831 --- /dev/null +++ b/queue-6.18/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch @@ -0,0 +1,60 @@ +From 2b76e0cc7803e5ab561c875edaba7f6bbd87fbb0 Mon Sep 17 00:00:00 2001 +From: Matthew Schwartz +Date: Mon, 2 Mar 2026 13:07:17 -0800 +Subject: mmc: sdhci-pci-gli: fix GL9750 DMA write corruption + +From: Matthew Schwartz + +commit 2b76e0cc7803e5ab561c875edaba7f6bbd87fbb0 upstream. + +The GL9750 SD host controller has intermittent data corruption during +DMA write operations. The GM_BURST register's R_OSRC_Lmt field +(bits 17:16), which limits outstanding DMA read requests from system +memory, is not being cleared during initialization. The Windows driver +sets R_OSRC_Lmt to zero, limiting requests to the smallest unit. + +Clear R_OSRC_Lmt to match the Windows driver behavior. This eliminates +write corruption verified with f3write/f3read tests while maintaining +DMA performance. + +Cc: stable@vger.kernel.org +Fixes: e51df6ce668a ("mmc: host: sdhci-pci: Add Genesys Logic GL975x support") +Closes: https://lore.kernel.org/linux-mmc/33d12807-5c72-41ce-8679-57aa11831fad@linux.dev/ +Acked-by: Adrian Hunter +Signed-off-by: Matthew Schwartz +Reviewed-by: Ben Chuang +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-gli.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-gli.c ++++ b/drivers/mmc/host/sdhci-pci-gli.c +@@ -68,6 +68,9 @@ + #define GLI_9750_MISC_TX1_DLY_VALUE 0x5 + #define SDHCI_GLI_9750_MISC_SSC_OFF BIT(26) + ++#define SDHCI_GLI_9750_GM_BURST_SIZE 0x510 ++#define SDHCI_GLI_9750_GM_BURST_SIZE_R_OSRC_LMT GENMASK(17, 16) ++ + #define SDHCI_GLI_9750_TUNING_CONTROL 0x540 + #define SDHCI_GLI_9750_TUNING_CONTROL_EN BIT(4) + #define GLI_9750_TUNING_CONTROL_EN_ON 0x1 +@@ -345,10 +348,16 @@ static void gli_set_9750(struct sdhci_ho + u32 misc_value; + u32 parameter_value; + u32 control_value; ++ u32 burst_value; + u16 ctrl2; + + gl9750_wt_on(host); + ++ /* clear R_OSRC_Lmt to avoid DMA write corruption */ ++ burst_value = sdhci_readl(host, SDHCI_GLI_9750_GM_BURST_SIZE); ++ burst_value &= ~SDHCI_GLI_9750_GM_BURST_SIZE_R_OSRC_LMT; ++ sdhci_writel(host, burst_value, SDHCI_GLI_9750_GM_BURST_SIZE); ++ + driving_value = sdhci_readl(host, SDHCI_GLI_9750_DRIVING); + pll_value = sdhci_readl(host, SDHCI_GLI_9750_PLL); + sw_ctrl_value = sdhci_readl(host, SDHCI_GLI_9750_SW_CTRL); diff --git a/queue-6.18/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch b/queue-6.18/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch new file mode 100644 index 0000000000..ce5e52f0fc --- /dev/null +++ b/queue-6.18/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch @@ -0,0 +1,56 @@ +From 8e2f8020270af7777d49c2e7132260983e4fc566 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Mon, 16 Feb 2026 18:01:30 +1100 +Subject: mtd: Avoid boot crash in RedBoot partition table parser + +From: Finn Thain + +commit 8e2f8020270af7777d49c2e7132260983e4fc566 upstream. + +Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, +commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when +available") produces the warning below and an oops. + + Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 + ------------[ cut here ]------------ + WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 + memcmp: detected buffer overflow: 15 byte read of buffer size 14 + Modules linked in: + CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE + +As Kees said, "'names' is pointing to the final 'namelen' many bytes +of the allocation ... 'namelen' could be basically any length at all. +This fortify warning looks legit to me -- this code used to be reading +beyond the end of the allocation." + +Since the size of the dynamic allocation is calculated with strlen() +we can use strcmp() instead of memcmp() and remain within bounds. + +Cc: Kees Cook +Cc: stable@vger.kernel.org +Cc: linux-hardening@vger.kernel.org +Link: https://lore.kernel.org/all/202602151911.AD092DFFCD@keescook/ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Suggested-by: Kees Cook +Signed-off-by: Finn Thain +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/parsers/redboot.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/parsers/redboot.c ++++ b/drivers/mtd/parsers/redboot.c +@@ -270,9 +270,9 @@ nogood: + + strcpy(names, fl->img->name); + #ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY +- if (!memcmp(names, "RedBoot", 8) || +- !memcmp(names, "RedBoot config", 15) || +- !memcmp(names, "FIS directory", 14)) { ++ if (!strcmp(names, "RedBoot") || ++ !strcmp(names, "RedBoot config") || ++ !strcmp(names, "FIS directory")) { + parts[i].mask_flags = MTD_WRITEABLE; + } + #endif diff --git a/queue-6.18/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch b/queue-6.18/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch new file mode 100644 index 0000000000..c30e086ac6 --- /dev/null +++ b/queue-6.18/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch @@ -0,0 +1,34 @@ +From 0410e1a4c545c769c59c6eda897ad5d574d0c865 Mon Sep 17 00:00:00 2001 +From: Chen Ni +Date: Mon, 9 Feb 2026 15:56:18 +0800 +Subject: mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() + +From: Chen Ni + +commit 0410e1a4c545c769c59c6eda897ad5d574d0c865 upstream. + +Fix wrong variable used for error checking after dma_alloc_coherent() +call. The function checks cdns_ctrl->dma_cdma_desc instead of +cdns_ctrl->cdma_desc, which could lead to incorrect error handling. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Chen Ni +Reviewed-by: Alok Tiwari +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -2878,7 +2878,7 @@ static int cadence_nand_init(struct cdns + sizeof(*cdns_ctrl->cdma_desc), + &cdns_ctrl->dma_cdma_desc, + GFP_KERNEL); +- if (!cdns_ctrl->dma_cdma_desc) ++ if (!cdns_ctrl->cdma_desc) + return -ENOMEM; + + cdns_ctrl->buf_size = SZ_16K; diff --git a/queue-6.18/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch b/queue-6.18/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch new file mode 100644 index 0000000000..b36b09f519 --- /dev/null +++ b/queue-6.18/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch @@ -0,0 +1,41 @@ +From b9465b04de4b90228de03db9a1e0d56b00814366 Mon Sep 17 00:00:00 2001 +From: Olivier Sobrie +Date: Tue, 17 Mar 2026 18:18:07 +0100 +Subject: mtd: rawnand: pl353: make sure optimal timings are applied + +From: Olivier Sobrie + +commit b9465b04de4b90228de03db9a1e0d56b00814366 upstream. + +Timings of the nand are adjusted by pl35x_nfc_setup_interface() but +actually applied by the pl35x_nand_select_target() function. +If there is only one nand chip, the pl35x_nand_select_target() will only +apply the timings once since the test at its beginning will always be true +after the first call to this function. As a result, the hardware will +keep using the default timings set at boot to detect the nand chip, not +the optimal ones. + +With this patch, we program directly the new timings when +pl35x_nfc_setup_interface() is called. + +Fixes: 08d8c62164a3 ("mtd: rawnand: pl353: Add support for the ARM PL353 SMC NAND controller") +Signed-off-by: Olivier Sobrie +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/pl35x-nand-controller.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mtd/nand/raw/pl35x-nand-controller.c ++++ b/drivers/mtd/nand/raw/pl35x-nand-controller.c +@@ -862,6 +862,9 @@ static int pl35x_nfc_setup_interface(str + PL35X_SMC_NAND_TAR_CYCLES(tmgs.t_ar) | + PL35X_SMC_NAND_TRR_CYCLES(tmgs.t_rr); + ++ writel(plnand->timings, nfc->conf_regs + PL35X_SMC_CYCLES); ++ pl35x_smc_update_regs(nfc); ++ + return 0; + } + diff --git a/queue-6.18/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch b/queue-6.18/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch new file mode 100644 index 0000000000..39aed68a72 --- /dev/null +++ b/queue-6.18/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch @@ -0,0 +1,76 @@ +From b826d2c0b0ecb844c84431ba6b502e744f5d919a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ma=C3=ADra=20Canal?= +Date: Tue, 17 Mar 2026 19:41:49 -0300 +Subject: pmdomain: bcm: bcm2835-power: Increase ASB control timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +commit b826d2c0b0ecb844c84431ba6b502e744f5d919a upstream. + +The bcm2835_asb_control() function uses a tight polling loop to wait +for the ASB bridge to acknowledge a request. During intensive workloads, +this handshake intermittently fails for V3D's master ASB on BCM2711, +resulting in "Failed to disable ASB master for v3d" errors during +runtime PM suspend. As a consequence, the failed power-off leaves V3D in +a broken state, leading to bus faults or system hangs on later accesses. + +As the timeout is insufficient in some scenarios, increase the polling +timeout from 1us to 5us, which is still negligible in the context of a +power domain transition. Also, replace the open-coded ktime_get_ns()/ +cpu_relax() polling loop with readl_poll_timeout_atomic(). + +Cc: stable@vger.kernel.org +Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.") +Signed-off-by: Maíra Canal +Reviewed-by: Stefan Wahren +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/bcm/bcm2835-power.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/drivers/pmdomain/bcm/bcm2835-power.c ++++ b/drivers/pmdomain/bcm/bcm2835-power.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -152,7 +153,6 @@ struct bcm2835_power { + static int bcm2835_asb_control(struct bcm2835_power *power, u32 reg, bool enable) + { + void __iomem *base = power->asb; +- u64 start; + u32 val; + + switch (reg) { +@@ -165,8 +165,6 @@ static int bcm2835_asb_control(struct bc + break; + } + +- start = ktime_get_ns(); +- + /* Enable the module's async AXI bridges. */ + if (enable) { + val = readl(base + reg) & ~ASB_REQ_STOP; +@@ -175,11 +173,9 @@ static int bcm2835_asb_control(struct bc + } + writel(PM_PASSWORD | val, base + reg); + +- while (!!(readl(base + reg) & ASB_ACK) == enable) { +- cpu_relax(); +- if (ktime_get_ns() - start >= 1000) +- return -ETIMEDOUT; +- } ++ if (readl_poll_timeout_atomic(base + reg, val, ++ !!(val & ASB_ACK) != enable, 0, 5)) ++ return -ETIMEDOUT; + + return 0; + } diff --git a/queue-6.18/series b/queue-6.18/series index 79e2ef6154..0f2b50e07f 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -48,3 +48,18 @@ sched_ext-disable-preemption-between-scx_claim_exit-and-kicking-helper-work.patc ipmi-consolidate-the-run-to-completion-checking-for-xmit-msgs-lock.patch ipmi-msghandler-handle-error-returns-from-the-smi-sender.patch mm-huge_memory-fix-a-folio_split-race-condition-with-folio_try_get.patch +ata-libata-core-disable-lpm-on-adata-su680-ssd.patch +ata-libata-scsi-report-correct-sense-field-pointer-in-ata_scsiop_maint_in.patch +mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch +mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch +pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch +spi-fix-use-after-free-on-controller-registration-failure.patch +spi-fix-statistics-allocation.patch +mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch +mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch +mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch +iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch +iommu-vt-d-only-handle-iopf-for-sva-when-pri-is-supported.patch +io_uring-poll-fix-multishot-recv-missing-eof-on-wakeup-race.patch +io_uring-kbuf-fix-missing-buf_more-for-incremental-buffers-at-eof.patch +io_uring-kbuf-propagate-buf_more-through-early-buffer-commit-path.patch diff --git a/queue-6.18/spi-fix-statistics-allocation.patch b/queue-6.18/spi-fix-statistics-allocation.patch new file mode 100644 index 0000000000..db2f68b253 --- /dev/null +++ b/queue-6.18/spi-fix-statistics-allocation.patch @@ -0,0 +1,76 @@ +From dee0774bbb2abb172e9069ce5ffef579b12b3ae9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Mar 2026 16:18:14 +0100 +Subject: spi: fix statistics allocation + +From: Johan Hovold + +commit dee0774bbb2abb172e9069ce5ffef579b12b3ae9 upstream. + +The controller per-cpu statistics is not allocated until after the +controller has been registered with driver core, which leaves a window +where accessing the sysfs attributes can trigger a NULL-pointer +dereference. + +Fix this by moving the statistics allocation to controller allocation +while tying its lifetime to that of the controller (rather than using +implicit devres). + +Fixes: 6598b91b5ac3 ("spi: spi.c: Convert statistics to per-cpu u64_stats_t") +Cc: stable@vger.kernel.org # 6.0 +Cc: David Jander +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260312151817.32100-3-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -2914,6 +2914,8 @@ static void spi_controller_release(struc + struct spi_controller *ctlr; + + ctlr = container_of(dev, struct spi_controller, dev); ++ ++ free_percpu(ctlr->pcpu_statistics); + kfree(ctlr); + } + +@@ -3057,6 +3059,12 @@ struct spi_controller *__spi_alloc_contr + if (!ctlr) + return NULL; + ++ ctlr->pcpu_statistics = spi_alloc_pcpu_stats(NULL); ++ if (!ctlr->pcpu_statistics) { ++ kfree(ctlr); ++ return NULL; ++ } ++ + device_initialize(&ctlr->dev); + INIT_LIST_HEAD(&ctlr->queue); + spin_lock_init(&ctlr->queue_lock); +@@ -3347,13 +3355,6 @@ int spi_register_controller(struct spi_c + if (status) + goto del_ctrl; + } +- /* Add statistics */ +- ctlr->pcpu_statistics = spi_alloc_pcpu_stats(dev); +- if (!ctlr->pcpu_statistics) { +- dev_err(dev, "Error allocating per-cpu statistics\n"); +- status = -ENOMEM; +- goto destroy_queue; +- } + + mutex_lock(&board_lock); + list_add_tail(&ctlr->list, &spi_controller_list); +@@ -3366,8 +3367,6 @@ int spi_register_controller(struct spi_c + acpi_register_spi_devices(ctlr); + return status; + +-destroy_queue: +- spi_destroy_queue(ctlr); + del_ctrl: + device_del(&ctlr->dev); + free_bus_id: diff --git a/queue-6.18/spi-fix-use-after-free-on-controller-registration-failure.patch b/queue-6.18/spi-fix-use-after-free-on-controller-registration-failure.patch new file mode 100644 index 0000000000..dc075eeabe --- /dev/null +++ b/queue-6.18/spi-fix-use-after-free-on-controller-registration-failure.patch @@ -0,0 +1,49 @@ +From 8634e05b08ead636e926022f4a98416e13440df9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Mar 2026 16:18:13 +0100 +Subject: spi: fix use-after-free on controller registration failure + +From: Johan Hovold + +commit 8634e05b08ead636e926022f4a98416e13440df9 upstream. + +Make sure to deregister from driver core also in the unlikely event that +per-cpu statistics allocation fails during controller registration to +avoid use-after-free (of driver resources) and unclocked register +accesses. + +Fixes: 6598b91b5ac3 ("spi: spi.c: Convert statistics to per-cpu u64_stats_t") +Cc: stable@vger.kernel.org # 6.0 +Cc: David Jander +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260312151817.32100-2-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -3344,10 +3344,8 @@ int spi_register_controller(struct spi_c + dev_info(dev, "controller is unqueued, this is deprecated\n"); + } else if (ctlr->transfer_one || ctlr->transfer_one_message) { + status = spi_controller_initialize_queue(ctlr); +- if (status) { +- device_del(&ctlr->dev); +- goto free_bus_id; +- } ++ if (status) ++ goto del_ctrl; + } + /* Add statistics */ + ctlr->pcpu_statistics = spi_alloc_pcpu_stats(dev); +@@ -3370,6 +3368,8 @@ int spi_register_controller(struct spi_c + + destroy_queue: + spi_destroy_queue(ctlr); ++del_ctrl: ++ device_del(&ctlr->dev); + free_bus_id: + mutex_lock(&board_lock); + idr_remove(&spi_controller_idr, ctlr->bus_num);