From: Greg Kroah-Hartman Date: Sun, 29 Mar 2026 07:59:17 +0000 (+0200) Subject: 6.19-stable patches X-Git-Tag: v6.6.131~57 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=32a698fd82b8b1675636eca269b38d3028ba1bc7;p=thirdparty%2Fkernel%2Fstable-queue.git 6.19-stable patches added patches: accel-ivpu-add-disable-clock-relinquish-workaround-for-nvl-a0.patch alsa-firewire-lib-fix-uninitialized-local-variable.patch alsa-hda-realtek-add-quirk-for-asus-strix-g16-g615jmr.patch asoc-codecs-wcd934x-fix-typo-in-dt-parsing.patch asoc-sma1307-fix-double-free-of-devm_kzalloc-memory.patch asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch can-netlink-can_changelink-add-missing-error-handling-to-call-can_ctrlmode_changelink.patch cpufreq-conservative-reset-requested_freq-on-limits-change.patch cpufreq-don-t-skip-cpufreq_frequency_table_cpuinfo.patch drm-xe-always-keep-track-of-remap-prev-next.patch kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch ksmbd-do-not-expire-session-on-binding-failure.patch ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch mm-damon-stat-monitor-all-system-ram-resources.patch revert-alsa-hda-intel-add-msi-x870e-tomahawk-to-denylist.patch s390-barrier-make-array_index_mask_nospec-__always_inline.patch s390-entry-scrub-r12-register-on-kernel-entry.patch s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch tracing-drain-deferred-trigger-frees-if-kthread-creation-fails.patch tracing-fix-potential-deadlock-in-cpu-hotplug-with-osnoise.patch --- diff --git a/queue-6.19/accel-ivpu-add-disable-clock-relinquish-workaround-for-nvl-a0.patch b/queue-6.19/accel-ivpu-add-disable-clock-relinquish-workaround-for-nvl-a0.patch new file mode 100644 index 0000000000..d602b3a0ba --- /dev/null +++ b/queue-6.19/accel-ivpu-add-disable-clock-relinquish-workaround-for-nvl-a0.patch @@ -0,0 +1,57 @@ +From e8ab57b56402697a9bef50b71aecc613f0d61846 Mon Sep 17 00:00:00 2001 +From: Karol Wachowski +Date: Mon, 23 Mar 2026 10:50:29 +0100 +Subject: accel/ivpu: Add disable clock relinquish workaround for NVL-A0 + +From: Karol Wachowski + +commit e8ab57b56402697a9bef50b71aecc613f0d61846 upstream. + +Turn on disable clock relinquish workaround for Nova Lake A0. +Without this workaround NPU may not power off correctly after +inference, leading to unexpected system behavior. + +Fixes: 550f4dd2cedd ("accel/ivpu: Add support for Nova Lake's NPU") +Cc: # v6.19+ + +Reviewed-by: Lizhi.hou +Signed-off-by: Karol Wachowski +Link: https://patch.msgid.link/20260323095029.64613-1-karol.wachowski@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_drv.h | 1 + + drivers/accel/ivpu/ivpu_hw.c | 6 ++++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/accel/ivpu/ivpu_drv.h b/drivers/accel/ivpu/ivpu_drv.h +index 5b34b6f50e69..f1b6155065ff 100644 +--- a/drivers/accel/ivpu/ivpu_drv.h ++++ b/drivers/accel/ivpu/ivpu_drv.h +@@ -35,6 +35,7 @@ + #define IVPU_HW_IP_60XX 60 + + #define IVPU_HW_IP_REV_LNL_B0 4 ++#define IVPU_HW_IP_REV_NVL_A0 0 + + #define IVPU_HW_BTRS_MTL 1 + #define IVPU_HW_BTRS_LNL 2 +diff --git a/drivers/accel/ivpu/ivpu_hw.c b/drivers/accel/ivpu/ivpu_hw.c +index d69cd0d93569..d4a9bcda4100 100644 +--- a/drivers/accel/ivpu/ivpu_hw.c ++++ b/drivers/accel/ivpu/ivpu_hw.c +@@ -70,8 +70,10 @@ static void wa_init(struct ivpu_device *vdev) + if (ivpu_hw_btrs_gen(vdev) == IVPU_HW_BTRS_MTL) + vdev->wa.interrupt_clear_with_0 = ivpu_hw_btrs_irqs_clear_with_0_mtl(vdev); + +- if (ivpu_device_id(vdev) == PCI_DEVICE_ID_LNL && +- ivpu_revision(vdev) < IVPU_HW_IP_REV_LNL_B0) ++ if ((ivpu_device_id(vdev) == PCI_DEVICE_ID_LNL && ++ ivpu_revision(vdev) < IVPU_HW_IP_REV_LNL_B0) || ++ (ivpu_device_id(vdev) == PCI_DEVICE_ID_NVL && ++ ivpu_revision(vdev) == IVPU_HW_IP_REV_NVL_A0)) + vdev->wa.disable_clock_relinquish = true; + + if (ivpu_test_mode & IVPU_TEST_MODE_CLK_RELINQ_ENABLE) +-- +2.53.0 + diff --git a/queue-6.19/alsa-firewire-lib-fix-uninitialized-local-variable.patch b/queue-6.19/alsa-firewire-lib-fix-uninitialized-local-variable.patch new file mode 100644 index 0000000000..ba143a1f2a --- /dev/null +++ b/queue-6.19/alsa-firewire-lib-fix-uninitialized-local-variable.patch @@ -0,0 +1,41 @@ +From bb120ad57def62e3f23e3d999c5fbed11f610993 Mon Sep 17 00:00:00 2001 +From: Alexey Nepomnyashih +Date: Mon, 16 Mar 2026 19:18:22 +0000 +Subject: ALSA: firewire-lib: fix uninitialized local variable + +From: Alexey Nepomnyashih + +commit bb120ad57def62e3f23e3d999c5fbed11f610993 upstream. + +Similar to commit d8dc8720468a ("ALSA: firewire-lib: fix uninitialized +local variable"), the local variable `curr_cycle_time` in +process_rx_packets() is declared without initialization. + +When the tracepoint event is not probed, the variable may appear to be +used without being initialized. In practice the value is only relevant +when the tracepoint is enabled, however initializing it avoids potential +use of an uninitialized value and improves code safety. + +Initialize `curr_cycle_time` to zero. + +Fixes: fef4e61b0b76 ("ALSA: firewire-lib: extend tracepoints event including CYCLE_TIME of 1394 OHCI") +Cc: stable@vger.kernel.org +Signed-off-by: Alexey Nepomnyashih +Link: https://patch.msgid.link/20260316191824.83249-1-sdl@nppct.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/amdtp-stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -1179,7 +1179,7 @@ static void process_rx_packets(struct fw + struct pkt_desc *desc = s->packet_descs_cursor; + unsigned int pkt_header_length; + unsigned int packets; +- u32 curr_cycle_time; ++ u32 curr_cycle_time = 0; + bool need_hw_irq; + int i; + diff --git a/queue-6.19/alsa-hda-realtek-add-quirk-for-asus-strix-g16-g615jmr.patch b/queue-6.19/alsa-hda-realtek-add-quirk-for-asus-strix-g16-g615jmr.patch new file mode 100644 index 0000000000..4ef82cf5c7 --- /dev/null +++ b/queue-6.19/alsa-hda-realtek-add-quirk-for-asus-strix-g16-g615jmr.patch @@ -0,0 +1,34 @@ +From 0bdf27abaf8940592207be939142451436afe39f Mon Sep 17 00:00:00 2001 +From: Zhang Heng +Date: Mon, 16 Mar 2026 10:28:43 +0800 +Subject: ALSA: hda/realtek: add quirk for ASUS Strix G16 G615JMR + +From: Zhang Heng + +commit 0bdf27abaf8940592207be939142451436afe39f upstream. + +The machine is equipped with ALC294 and requires the +ALC287_FIXUP_TXNW2781_I2C_ASUS quirk for the amplifier to work properly. +Since the machine's PCI SSID is also 1043:1204, HDA_CODEC_QUIRK is +used to retain the previous quirk. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221173 +Cc: +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260316022843.2809968-1-zhangheng@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7203,6 +7203,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1043, 0x1194, "ASUS UM3406KA", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), ++ HDA_CODEC_QUIRK(0x1043, 0x1204, "ASUS Strix G16 G615JMR", ALC287_FIXUP_TXNW2781_I2C_ASUS), + SND_PCI_QUIRK(0x1043, 0x1204, "ASUS Strix G615JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x1214, "ASUS Strix G615LH_LM_LP", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), diff --git a/queue-6.19/asoc-codecs-wcd934x-fix-typo-in-dt-parsing.patch b/queue-6.19/asoc-codecs-wcd934x-fix-typo-in-dt-parsing.patch new file mode 100644 index 0000000000..7daaef0c77 --- /dev/null +++ b/queue-6.19/asoc-codecs-wcd934x-fix-typo-in-dt-parsing.patch @@ -0,0 +1,41 @@ +From cfb385a8dc88d86a805a5682eaa68f59fa5c0ec3 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Mon, 23 Mar 2026 23:17:48 +0000 +Subject: ASoC: codecs: wcd934x: fix typo in dt parsing + +From: Srinivas Kandagatla + +commit cfb385a8dc88d86a805a5682eaa68f59fa5c0ec3 upstream. + +Looks like we ended up with a typo during device tree data parsing +as part of 4f16b6351bbff ("ASoC: codecs: wcd: add common helper for wcd +codecs") patch. + This will result in not parsing the device tree data and results in +zero mic bias values. + +Fix this by calling wcd_dt_parse_micbias_info instead of +wcd_dt_parse_mbhc_data. + +Fixes: 4f16b6351bbff ("ASoC: codecs: wcd: add common helper for wcd codecs") +Cc: Stable@vger.kernel.org +Reported-by: Joel Selvaraj +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Konrad Dybcio +Link: https://patch.msgid.link/20260323231748.2217967-1-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -2172,7 +2172,7 @@ static int wcd934x_init_dmic(struct snd_ + u32 def_dmic_rate, dmic_clk_drv; + int ret; + +- ret = wcd_dt_parse_mbhc_data(comp->dev, &wcd->mbhc_cfg); ++ ret = wcd_dt_parse_micbias_info(&wcd->common); + if (ret) + return ret; + diff --git a/queue-6.19/asoc-sma1307-fix-double-free-of-devm_kzalloc-memory.patch b/queue-6.19/asoc-sma1307-fix-double-free-of-devm_kzalloc-memory.patch new file mode 100644 index 0000000000..c21a79ac18 --- /dev/null +++ b/queue-6.19/asoc-sma1307-fix-double-free-of-devm_kzalloc-memory.patch @@ -0,0 +1,44 @@ +From fe757092d2329c397ecb32f2bf68a5b1c4bd9193 Mon Sep 17 00:00:00 2001 +From: Guangshuo Li +Date: Fri, 13 Mar 2026 12:06:11 +0800 +Subject: ASoC: sma1307: fix double free of devm_kzalloc() memory + +From: Guangshuo Li + +commit fe757092d2329c397ecb32f2bf68a5b1c4bd9193 upstream. + +A previous change added NULL checks and cleanup for allocation +failures in sma1307_setting_loaded(). + +However, the cleanup for mode_set entries is wrong. Those entries are +allocated with devm_kzalloc(), so they are device-managed resources and +must not be freed with kfree(). Manually freeing them in the error path +can lead to a double free when devres later releases the same memory. + +Drop the manual kfree() loop and let devres handle the cleanup. + +Fixes: 0ec6bd16705fe ("ASoC: sma1307: Add NULL check in sma1307_setting_loaded()") +Cc: stable@vger.kernel.org +Signed-off-by: Guangshuo Li +Link: https://patch.msgid.link/20260313040611.391479-1-lgs201920130244@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/sma1307.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/sma1307.c ++++ b/sound/soc/codecs/sma1307.c +@@ -1759,8 +1759,10 @@ static void sma1307_setting_loaded(struc + sma1307->set.mode_size * 2 * sizeof(int), + GFP_KERNEL); + if (!sma1307->set.mode_set[i]) { +- for (int j = 0; j < i; j++) +- kfree(sma1307->set.mode_set[j]); ++ for (int j = 0; j < i; j++) { ++ devm_kfree(sma1307->dev, sma1307->set.mode_set[j]); ++ sma1307->set.mode_set[j] = NULL; ++ } + sma1307->set.status = false; + return; + } diff --git a/queue-6.19/asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch b/queue-6.19/asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch new file mode 100644 index 0000000000..0a10466b11 --- /dev/null +++ b/queue-6.19/asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch @@ -0,0 +1,40 @@ +From d40a198e2b7821197c5c77b89d0130cc90f400f5 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Thu, 26 Mar 2026 09:56:18 +0200 +Subject: ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload + +From: Peter Ujfalusi + +commit d40a198e2b7821197c5c77b89d0130cc90f400f5 upstream. + +It is unexpected, but allowed to have no initial payload for a bytes +control and the code is prepared to handle this case, but the size check +missed this corner case. + +Update the check for minimal size to allow the initial size to be 0. + +Cc: stable@vger.kernel.org +Fixes: a653820700b8 ("ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Bard Liao +Reviewed-by: Liam Girdwood +Reviewed-by: Seppo Ingalsuo +Reviewed-by: Kai Vehmanen +Link: https://patch.msgid.link/20260326075618.1603-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/ipc4-topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/sof/ipc4-topology.c ++++ b/sound/soc/sof/ipc4-topology.c +@@ -2889,7 +2889,7 @@ static int sof_ipc4_control_load_bytes(s + return -EINVAL; + } + +- if (scontrol->priv_size < sizeof(struct sof_abi_hdr)) { ++ if (scontrol->priv_size && scontrol->priv_size < sizeof(struct sof_abi_hdr)) { + dev_err(sdev->dev, + "bytes control %s initial data size %zu is insufficient.\n", + scontrol->name, scontrol->priv_size); diff --git a/queue-6.19/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch b/queue-6.19/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch new file mode 100644 index 0000000000..26e5d773af --- /dev/null +++ b/queue-6.19/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch @@ -0,0 +1,77 @@ +From b9c310d72783cc2f30d103eed83920a5a29c671a Mon Sep 17 00:00:00 2001 +From: Ali Norouzi +Date: Thu, 19 Mar 2026 16:47:44 +0100 +Subject: can: gw: fix OOB heap access in cgw_csum_crc8_rel() + +From: Ali Norouzi + +commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream. + +cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx(): + + int from = calc_idx(crc8->from_idx, cf->len); + int to = calc_idx(crc8->to_idx, cf->len); + int res = calc_idx(crc8->result_idx, cf->len); + + if (from < 0 || to < 0 || res < 0) + return; + +However, the loop and the result write then use the raw s8 fields directly +instead of the computed variables: + + for (i = crc8->from_idx; ...) /* BUG: raw negative index */ + cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */ + +With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, +calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with +i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. +This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the +start of the canfd_frame on the heap. + +The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` +correctly throughout; fix cgw_csum_crc8_rel() to match. + +Confirmed with KASAN on linux-7.0-rc2: + BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 + Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62 + +To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed. + +Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames") +Cc: stable@vger.kernel.org +Reported-by: Ali Norouzi +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Signed-off-by: Ali Norouzi +Signed-off-by: Oliver Hartkopp +Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/gw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/can/gw.c ++++ b/net/can/gw.c +@@ -374,10 +374,10 @@ static void cgw_csum_crc8_rel(struct can + return; + + if (from <= to) { +- for (i = crc8->from_idx; i <= crc8->to_idx; i++) ++ for (i = from; i <= to; i++) + crc = crc8->crctab[crc ^ cf->data[i]]; + } else { +- for (i = crc8->from_idx; i >= crc8->to_idx; i--) ++ for (i = from; i >= to; i--) + crc = crc8->crctab[crc ^ cf->data[i]]; + } + +@@ -396,7 +396,7 @@ static void cgw_csum_crc8_rel(struct can + break; + } + +- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val; ++ cf->data[res] = crc ^ crc8->final_xor_val; + } + + static void cgw_csum_crc8_pos(struct canfd_frame *cf, diff --git a/queue-6.19/can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch b/queue-6.19/can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch new file mode 100644 index 0000000000..c8d73f65bb --- /dev/null +++ b/queue-6.19/can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch @@ -0,0 +1,83 @@ +From 424e95d62110cdbc8fd12b40918f37e408e35a92 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Thu, 19 Mar 2026 16:47:45 +0100 +Subject: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() + +From: Oliver Hartkopp + +commit 424e95d62110cdbc8fd12b40918f37e408e35a92 upstream. + +isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access +to so->tx.buf. isotp_release() waits for ISOTP_IDLE via +wait_event_interruptible() and then calls kfree(so->tx.buf). + +If a signal interrupts the wait_event_interruptible() inside close() +while tx.state is ISOTP_SENDING, the loop exits early and release +proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) +while sendmsg may still be reading so->tx.buf for the final CAN frame +in isotp_fill_dataframe(). + +The so->tx.buf can be allocated once when the standard tx.buf length needs +to be extended. Move the kfree() of this potentially extended tx.buf to +sk_destruct time when either isotp_sendmsg() and isotp_release() are done. + +Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size") +Cc: stable@vger.kernel.org +Reported-by: Ali Norouzi +Co-developed-by: Ali Norouzi +Signed-off-by: Ali Norouzi +Signed-off-by: Oliver Hartkopp +Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1230,12 +1230,6 @@ static int isotp_release(struct socket * + so->ifindex = 0; + so->bound = 0; + +- if (so->rx.buf != so->rx.sbuf) +- kfree(so->rx.buf); +- +- if (so->tx.buf != so->tx.sbuf) +- kfree(so->tx.buf); +- + sock_orphan(sk); + sock->sk = NULL; + +@@ -1604,6 +1598,21 @@ static int isotp_notifier(struct notifie + return NOTIFY_DONE; + } + ++static void isotp_sock_destruct(struct sock *sk) ++{ ++ struct isotp_sock *so = isotp_sk(sk); ++ ++ /* do the standard CAN sock destruct work */ ++ can_sock_destruct(sk); ++ ++ /* free potential extended PDU buffers */ ++ if (so->rx.buf != so->rx.sbuf) ++ kfree(so->rx.buf); ++ ++ if (so->tx.buf != so->tx.sbuf) ++ kfree(so->tx.buf); ++} ++ + static int isotp_init(struct sock *sk) + { + struct isotp_sock *so = isotp_sk(sk); +@@ -1648,6 +1657,9 @@ static int isotp_init(struct sock *sk) + list_add_tail(&so->notifier, &isotp_notifier_list); + spin_unlock(&isotp_notifier_lock); + ++ /* re-assign default can_sock_destruct() reference */ ++ sk->sk_destruct = isotp_sock_destruct; ++ + return 0; + } + diff --git a/queue-6.19/can-netlink-can_changelink-add-missing-error-handling-to-call-can_ctrlmode_changelink.patch b/queue-6.19/can-netlink-can_changelink-add-missing-error-handling-to-call-can_ctrlmode_changelink.patch new file mode 100644 index 0000000000..66b1000c8c --- /dev/null +++ b/queue-6.19/can-netlink-can_changelink-add-missing-error-handling-to-call-can_ctrlmode_changelink.patch @@ -0,0 +1,39 @@ +From cadf6019231b614ebbd9ec2a16e5997ecbd8d016 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Tue, 10 Mar 2026 13:48:03 +0100 +Subject: can: netlink: can_changelink(): add missing error handling to call can_ctrlmode_changelink() + +From: Marc Kleine-Budde + +commit cadf6019231b614ebbd9ec2a16e5997ecbd8d016 upstream. + +In commit e1a5cd9d6665 ("can: netlink: add can_ctrlmode_changelink()") the +CAN Control Mode (IFLA_CAN_CTRLMODE) handling was factored out into the +can_ctrlmode_changelink() function. But the call to +can_ctrlmode_changelink() is missing the error handling. + +Add the missing error handling and propagation to the call +can_ctrlmode_changelink(). + +Cc: stable@vger.kernel.org +Fixes: e1a5cd9d6665 ("can: netlink: add can_ctrlmode_changelink()") +Link: https://patch.msgid.link/20260310-can_ctrlmode_changelink-add-error-handling-v1-1-0daf63d85922@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/dev/netlink.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/dev/netlink.c ++++ b/drivers/net/can/dev/netlink.c +@@ -601,7 +601,9 @@ static int can_changelink(struct net_dev + /* We need synchronization with dev->stop() */ + ASSERT_RTNL(); + +- can_ctrlmode_changelink(dev, data, extack); ++ err = can_ctrlmode_changelink(dev, data, extack); ++ if (err) ++ return err; + + if (data[IFLA_CAN_BITTIMING]) { + struct can_bittiming bt; diff --git a/queue-6.19/cpufreq-conservative-reset-requested_freq-on-limits-change.patch b/queue-6.19/cpufreq-conservative-reset-requested_freq-on-limits-change.patch new file mode 100644 index 0000000000..7c7cc2f6a6 --- /dev/null +++ b/queue-6.19/cpufreq-conservative-reset-requested_freq-on-limits-change.patch @@ -0,0 +1,95 @@ +From 6a28fb8cb28b9eb39a392e531d938a889eacafc5 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Fri, 20 Mar 2026 15:08:14 +0530 +Subject: cpufreq: conservative: Reset requested_freq on limits change + +From: Viresh Kumar + +commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream. + +A recently reported issue highlighted that the cached requested_freq +is not guaranteed to stay in sync with policy->cur. If the platform +changes the actual CPU frequency after the governor sets one (e.g. +due to platform-specific frequency scaling) and a re-sync occurs +later, policy->cur may diverge from requested_freq. + +This can lead to incorrect behavior in the conservative governor. +For example, the governor may assume the CPU is already running at +the maximum frequency and skip further increases even though there +is still headroom. + +Avoid this by resetting the cached requested_freq to policy->cur on +detecting a change in policy limits. + +Reported-by: Lifeng Zheng +Tested-by: Lifeng Zheng +Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/ +Signed-off-by: Viresh Kumar +Reviewed-by: Zhongqiu Han +Cc: All applicable +Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++ + drivers/cpufreq/cpufreq_governor.c | 3 +++ + drivers/cpufreq/cpufreq_governor.h | 1 + + 3 files changed, 16 insertions(+) + +--- a/drivers/cpufreq/cpufreq_conservative.c ++++ b/drivers/cpufreq/cpufreq_conservative.c +@@ -313,6 +313,17 @@ static void cs_start(struct cpufreq_poli + dbs_info->requested_freq = policy->cur; + } + ++static void cs_limits(struct cpufreq_policy *policy) ++{ ++ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data); ++ ++ /* ++ * The limits have changed, so may have the current frequency. Reset ++ * requested_freq to avoid any unintended outcomes due to the mismatch. ++ */ ++ dbs_info->requested_freq = policy->cur; ++} ++ + static struct dbs_governor cs_governor = { + .gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"), + .kobj_type = { .default_groups = cs_groups }, +@@ -322,6 +333,7 @@ static struct dbs_governor cs_governor = + .init = cs_init, + .exit = cs_exit, + .start = cs_start, ++ .limits = cs_limits, + }; + + #define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov) +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -563,6 +563,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s + + void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy) + { ++ struct dbs_governor *gov = dbs_governor_of(policy); + struct policy_dbs_info *policy_dbs; + + /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */ +@@ -574,6 +575,8 @@ void cpufreq_dbs_governor_limits(struct + mutex_lock(&policy_dbs->update_mutex); + cpufreq_policy_apply_limits(policy); + gov_update_sample_delay(policy_dbs, 0); ++ if (gov->limits) ++ gov->limits(policy); + mutex_unlock(&policy_dbs->update_mutex); + + out: +--- a/drivers/cpufreq/cpufreq_governor.h ++++ b/drivers/cpufreq/cpufreq_governor.h +@@ -138,6 +138,7 @@ struct dbs_governor { + int (*init)(struct dbs_data *dbs_data); + void (*exit)(struct dbs_data *dbs_data); + void (*start)(struct cpufreq_policy *policy); ++ void (*limits)(struct cpufreq_policy *policy); + }; + + static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy) diff --git a/queue-6.19/cpufreq-don-t-skip-cpufreq_frequency_table_cpuinfo.patch b/queue-6.19/cpufreq-don-t-skip-cpufreq_frequency_table_cpuinfo.patch new file mode 100644 index 0000000000..12517c2a02 --- /dev/null +++ b/queue-6.19/cpufreq-don-t-skip-cpufreq_frequency_table_cpuinfo.patch @@ -0,0 +1,62 @@ +From 8f13c0c6cb75cc4421d5a60fc060e9e6fd9d1097 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Fri, 20 Mar 2026 14:54:06 +0530 +Subject: cpufreq: Don't skip cpufreq_frequency_table_cpuinfo() + +From: Viresh Kumar + +commit 8f13c0c6cb75cc4421d5a60fc060e9e6fd9d1097 upstream. + +The commit 6db0f533d320 ("cpufreq: preserve freq_table_sorted +across suspend/hibernate") unintentionally made a change where +cpufreq_frequency_table_cpuinfo() isn't getting called anymore +for old policies getting re-initialized. + +This leads to potentially invalid values of policy->max and +policy->cpuinfo_max_freq. + +Fix the issue by reverting the original commit and adding the condition +for just the sorting function. + +Fixes: 6db0f533d320 ("cpufreq: preserve freq_table_sorted across suspend/hibernate") +Signed-off-by: Viresh Kumar +Cc: 6.19+ # 6.19+ +Link: https://patch.msgid.link/65ba5c45749267c82e8a87af3dc788b37a0b3f48.1773998611.git.viresh.kumar@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq.c | 9 +++------ + drivers/cpufreq/freq_table.c | 4 ++++ + 2 files changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1421,12 +1421,9 @@ static int cpufreq_policy_online(struct + * If there is a problem with its frequency table, take it + * offline and drop it. + */ +- if (policy->freq_table_sorted != CPUFREQ_TABLE_SORTED_ASCENDING && +- policy->freq_table_sorted != CPUFREQ_TABLE_SORTED_DESCENDING) { +- ret = cpufreq_table_validate_and_sort(policy); +- if (ret) +- goto out_offline_policy; +- } ++ ret = cpufreq_table_validate_and_sort(policy); ++ if (ret) ++ goto out_offline_policy; + + /* related_cpus should at least include policy->cpus. */ + cpumask_copy(policy->related_cpus, policy->cpus); +--- a/drivers/cpufreq/freq_table.c ++++ b/drivers/cpufreq/freq_table.c +@@ -360,6 +360,10 @@ int cpufreq_table_validate_and_sort(stru + if (policy_has_boost_freq(policy)) + policy->boost_supported = true; + ++ if (policy->freq_table_sorted == CPUFREQ_TABLE_SORTED_ASCENDING || ++ policy->freq_table_sorted == CPUFREQ_TABLE_SORTED_DESCENDING) ++ return 0; ++ + return set_freq_table_sorted(policy); + } + diff --git a/queue-6.19/drm-xe-always-keep-track-of-remap-prev-next.patch b/queue-6.19/drm-xe-always-keep-track-of-remap-prev-next.patch new file mode 100644 index 0000000000..f9b86f5cd3 --- /dev/null +++ b/queue-6.19/drm-xe-always-keep-track-of-remap-prev-next.patch @@ -0,0 +1,197 @@ +From bfe9e314d7574d1c5c851972e7aee342733819d2 Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Wed, 18 Mar 2026 10:02:09 +0000 +Subject: drm/xe: always keep track of remap prev/next + +From: Matthew Auld + +commit bfe9e314d7574d1c5c851972e7aee342733819d2 upstream. + +During 3D workload, user is reporting hitting: + +[ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925 +[ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy) +[ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe] +[ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282 +[ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000 +[ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000 +[ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380 +[ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380 +[ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000 +[ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 +[ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0 +[ 413.362088] PKRU: 55555554 +[ 413.362089] Call Trace: +[ 413.362092] +[ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe] + +Which seems to hint that the vma we are re-inserting for the ops unwind +is either invalid or overlapping with something already inserted in the +vm. It shouldn't be invalid since this is a re-insertion, so must have +worked before. Leaving the likely culprit as something already placed +where we want to insert the vma. + +Following from that, for the case where we do something like a rebind in +the middle of a vma, and one or both mapped ends are already compatible, +we skip doing the rebind of those vma and set next/prev to NULL. As well +as then adjust the original unmap va range, to avoid unmapping the ends. +However, if we trigger the unwind path, we end up with three va, with +the two ends never being removed and the original va range in the middle +still being the shrunken size. + +If this occurs, one failure mode is when another unwind op needs to +interact with that range, which can happen with a vector of binds. For +example, if we need to re-insert something in place of the original va. +In this case the va is still the shrunken version, so when removing it +and then doing a re-insert it can overlap with the ends, which were +never removed, triggering a warning like above, plus leaving the vm in a +bad state. + +With that, we need two things here: + + 1) Stop nuking the prev/next tracking for the skip cases. Instead + relying on checking for skip prev/next, where needed. That way on the + unwind path, we now correctly remove both ends. + + 2) Undo the unmap va shrinkage, on the unwind path. With the two ends + now removed the unmap va should expand back to the original size again, + before re-insertion. + +v2: + - Update the explanation in the commit message, based on an actual IGT of + triggering this issue, rather than conjecture. + - Also undo the unmap shrinkage, for the skip case. With the two ends + now removed, the original unmap va range should expand back to the + original range. +v3: + - Track the old start/range separately. vma_size/start() uses the va + info directly. + +Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7602 +Fixes: 8f33b4f054fc ("drm/xe: Avoid doing rebinds") +Signed-off-by: Matthew Auld +Cc: Matthew Brost +Cc: # v6.8+ +Reviewed-by: Matthew Brost +Link: https://patch.msgid.link/20260318100208.78097-2-matthew.auld@intel.com +(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_pt.c | 12 ++++++------ + drivers/gpu/drm/xe/xe_vm.c | 22 ++++++++++++++++++---- + drivers/gpu/drm/xe/xe_vm_types.h | 4 ++++ + 3 files changed, 28 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_pt.c ++++ b/drivers/gpu/drm/xe/xe_pt.c +@@ -1442,9 +1442,9 @@ static int op_check_svm_userptr(struct x + err = vma_check_userptr(vm, op->map.vma, pt_update); + break; + case DRM_GPUVA_OP_REMAP: +- if (op->remap.prev) ++ if (op->remap.prev && !op->remap.skip_prev) + err = vma_check_userptr(vm, op->remap.prev, pt_update); +- if (!err && op->remap.next) ++ if (!err && op->remap.next && !op->remap.skip_next) + err = vma_check_userptr(vm, op->remap.next, pt_update); + break; + case DRM_GPUVA_OP_UNMAP: +@@ -2029,12 +2029,12 @@ static int op_prepare(struct xe_vm *vm, + + err = unbind_op_prepare(tile, pt_update_ops, old); + +- if (!err && op->remap.prev) { ++ if (!err && op->remap.prev && !op->remap.skip_prev) { + err = bind_op_prepare(vm, tile, pt_update_ops, + op->remap.prev, false); + pt_update_ops->wait_vm_bookkeep = true; + } +- if (!err && op->remap.next) { ++ if (!err && op->remap.next && !op->remap.skip_next) { + err = bind_op_prepare(vm, tile, pt_update_ops, + op->remap.next, false); + pt_update_ops->wait_vm_bookkeep = true; +@@ -2258,10 +2258,10 @@ static void op_commit(struct xe_vm *vm, + + unbind_op_commit(vm, tile, pt_update_ops, old, fence, fence2); + +- if (op->remap.prev) ++ if (op->remap.prev && !op->remap.skip_prev) + bind_op_commit(vm, tile, pt_update_ops, op->remap.prev, + fence, fence2, false); +- if (op->remap.next) ++ if (op->remap.next && !op->remap.skip_next) + bind_op_commit(vm, tile, pt_update_ops, op->remap.next, + fence, fence2, false); + break; +--- a/drivers/gpu/drm/xe/xe_vm.c ++++ b/drivers/gpu/drm/xe/xe_vm.c +@@ -2532,7 +2532,6 @@ static int xe_vma_op_commit(struct xe_vm + if (!err && op->remap.skip_prev) { + op->remap.prev->tile_present = + tile_present; +- op->remap.prev = NULL; + } + } + if (op->remap.next) { +@@ -2542,11 +2541,13 @@ static int xe_vma_op_commit(struct xe_vm + if (!err && op->remap.skip_next) { + op->remap.next->tile_present = + tile_present; +- op->remap.next = NULL; + } + } + +- /* Adjust for partial unbind after removing VMA from VM */ ++ /* ++ * Adjust for partial unbind after removing VMA from VM. In case ++ * of unwind we might need to undo this later. ++ */ + if (!err) { + op->base.remap.unmap->va->va.addr = op->remap.start; + op->base.remap.unmap->va->va.range = op->remap.range; +@@ -2665,6 +2666,8 @@ static int vm_bind_ioctl_ops_parse(struc + + op->remap.start = xe_vma_start(old); + op->remap.range = xe_vma_size(old); ++ op->remap.old_start = op->remap.start; ++ op->remap.old_range = op->remap.range; + + flags |= op->base.remap.unmap->va->flags & XE_VMA_CREATE_MASK; + if (op->base.remap.prev) { +@@ -2812,8 +2815,19 @@ static void xe_vma_op_unwind(struct xe_v + xe_svm_notifier_lock(vm); + vma->gpuva.flags &= ~XE_VMA_DESTROYED; + xe_svm_notifier_unlock(vm); +- if (post_commit) ++ if (post_commit) { ++ /* ++ * Restore the old va range, in case of the ++ * prev/next skip optimisation. Otherwise what ++ * we re-insert here could be smaller than the ++ * original range. ++ */ ++ op->base.remap.unmap->va->va.addr = ++ op->remap.old_start; ++ op->base.remap.unmap->va->va.range = ++ op->remap.old_range; + xe_vm_insert_vma(vm, vma); ++ } + } + break; + } +--- a/drivers/gpu/drm/xe/xe_vm_types.h ++++ b/drivers/gpu/drm/xe/xe_vm_types.h +@@ -360,6 +360,10 @@ struct xe_vma_op_remap { + u64 start; + /** @range: range of the VMA unmap */ + u64 range; ++ /** @old_start: Original start of the VMA we unmap */ ++ u64 old_start; ++ /** @old_range: Original range of the VMA we unmap */ ++ u64 old_range; + /** @skip_prev: skip prev rebind */ + bool skip_prev; + /** @skip_next: skip next rebind */ diff --git a/queue-6.19/kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch b/queue-6.19/kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch new file mode 100644 index 0000000000..6c583ee57e --- /dev/null +++ b/queue-6.19/kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch @@ -0,0 +1,35 @@ +From a76e30c2479ce6ffa2aa6c8a8462897afc82bc90 Mon Sep 17 00:00:00 2001 +From: Charles Mirabile +Date: Sat, 7 Mar 2026 23:43:30 -0500 +Subject: kbuild: Delete .builtin-dtbs.S when running make clean + +From: Charles Mirabile + +commit a76e30c2479ce6ffa2aa6c8a8462897afc82bc90 upstream. + +The makefile tries to delete a file named ".builtin-dtb.S" but the file +created by scripts/Makefile.vmlinux is actually called ".builtin-dtbs.S". + +Fixes: 654102df2ac2a ("kbuild: add generic support for built-in boot DTBs") +Cc: stable@vger.kernel.org +Signed-off-by: Charles Mirabile +Reviewed-by: Nicolas Schier +Link: https://patch.msgid.link/20260308044338.181403-1-cmirabil@redhat.com +[nathan: Small commit message adjustments] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Makefile ++++ b/Makefile +@@ -1622,7 +1622,7 @@ CLEAN_FILES += vmlinux.symvers modules-o + modules.builtin.ranges vmlinux.o.map vmlinux.unstripped \ + compile_commands.json rust/test \ + rust-project.json .vmlinux.objs .vmlinux.export.c \ +- .builtin-dtbs-list .builtin-dtb.S ++ .builtin-dtbs-list .builtin-dtbs.S + + # Directories & files removed with 'make mrproper' + MRPROPER_FILES += include/config include/generated \ diff --git a/queue-6.19/ksmbd-do-not-expire-session-on-binding-failure.patch b/queue-6.19/ksmbd-do-not-expire-session-on-binding-failure.patch new file mode 100644 index 0000000000..bf2933fa3b --- /dev/null +++ b/queue-6.19/ksmbd-do-not-expire-session-on-binding-failure.patch @@ -0,0 +1,49 @@ +From 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Tue, 17 Mar 2026 08:52:01 +0900 +Subject: ksmbd: do not expire session on binding failure + +From: Hyunwoo Kim + +commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream. + +When a multichannel session binding request fails (e.g. wrong password), +the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. +However, during binding, sess points to the target session looked up via +ksmbd_session_lookup_slowpath() -- which belongs to another connection's +user. This allows a remote attacker to invalidate any active session by +simply sending a binding request with a wrong password (DoS). + +Fix this by skipping session expiration when the failed request was +a binding attempt, since the session does not belong to the current +connection. The reference taken by ksmbd_session_lookup_slowpath() is +still correctly released via ksmbd_user_session_put(). + +Cc: stable@vger.kernel.org +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1938,8 +1938,14 @@ out_err: + if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION) + try_delay = true; + +- sess->last_active = jiffies; +- sess->state = SMB2_SESSION_EXPIRED; ++ /* ++ * For binding requests, session belongs to another ++ * connection. Do not expire it. ++ */ ++ if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { ++ sess->last_active = jiffies; ++ sess->state = SMB2_SESSION_EXPIRED; ++ } + ksmbd_user_session_put(sess); + work->sess = NULL; + if (try_delay) { diff --git a/queue-6.19/ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch b/queue-6.19/ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch new file mode 100644 index 0000000000..4d669f5d55 --- /dev/null +++ b/queue-6.19/ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch @@ -0,0 +1,114 @@ +From 309b44ed684496ed3f9c5715d10b899338623512 Mon Sep 17 00:00:00 2001 +From: Werner Kasselman +Date: Tue, 17 Mar 2026 07:55:37 +0000 +Subject: ksmbd: fix memory leaks and NULL deref in smb2_lock() + +From: Werner Kasselman + +commit 309b44ed684496ed3f9c5715d10b899338623512 upstream. + +smb2_lock() has three error handling issues after list_del() detaches +smb_lock from lock_list at no_check_cl: + +1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK + path, goto out leaks smb_lock and its flock because the out: + handler only iterates lock_list and rollback_list, neither of + which contains the detached smb_lock. + +2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out + leaks smb_lock and flock for the same reason. The error code + returned to the dispatcher is also stale. + +3) In the rollback path, smb_flock_init() can return NULL on + allocation failure. The result is dereferenced unconditionally, + causing a kernel NULL pointer dereference. Add a NULL check to + prevent the crash and clean up the bookkeeping; the VFS lock + itself cannot be rolled back without the allocation and will be + released at file or connection teardown. + +Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before +the if(!rc) check in the UNLOCK branch so all exit paths share one +free site, and by freeing smb_lock and flock before goto out in the +non-UNLOCK branch. Propagate the correct error code in both cases. +Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding +a NULL check for locks_free_lock(rlock) in the shared cleanup. + +Found via call-graph analysis using sqry. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Suggested-by: ChenXiaoSong +Signed-off-by: Werner Kasselman +Reviewed-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -7600,14 +7600,15 @@ retry: + rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL); + skip: + if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) { ++ locks_free_lock(flock); ++ kfree(smb_lock); + if (!rc) { + ksmbd_debug(SMB, "File unlocked\n"); + } else if (rc == -ENOENT) { + rsp->hdr.Status = STATUS_NOT_LOCKED; ++ err = rc; + goto out; + } +- locks_free_lock(flock); +- kfree(smb_lock); + } else { + if (rc == FILE_LOCK_DEFERRED) { + void **argv; +@@ -7676,6 +7677,9 @@ skip: + spin_unlock(&work->conn->llist_lock); + ksmbd_debug(SMB, "successful in taking lock\n"); + } else { ++ locks_free_lock(flock); ++ kfree(smb_lock); ++ err = rc; + goto out; + } + } +@@ -7706,13 +7710,17 @@ out: + struct file_lock *rlock = NULL; + + rlock = smb_flock_init(filp); +- rlock->c.flc_type = F_UNLCK; +- rlock->fl_start = smb_lock->start; +- rlock->fl_end = smb_lock->end; +- +- rc = vfs_lock_file(filp, F_SETLK, rlock, NULL); +- if (rc) +- pr_err("rollback unlock fail : %d\n", rc); ++ if (rlock) { ++ rlock->c.flc_type = F_UNLCK; ++ rlock->fl_start = smb_lock->start; ++ rlock->fl_end = smb_lock->end; ++ ++ rc = vfs_lock_file(filp, F_SETLK, rlock, NULL); ++ if (rc) ++ pr_err("rollback unlock fail : %d\n", rc); ++ } else { ++ pr_err("rollback unlock alloc failed\n"); ++ } + + list_del(&smb_lock->llist); + spin_lock(&work->conn->llist_lock); +@@ -7722,7 +7730,8 @@ out: + spin_unlock(&work->conn->llist_lock); + + locks_free_lock(smb_lock->fl); +- locks_free_lock(rlock); ++ if (rlock) ++ locks_free_lock(rlock); + kfree(smb_lock); + } + out2: diff --git a/queue-6.19/ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch b/queue-6.19/ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch new file mode 100644 index 0000000000..4fef894078 --- /dev/null +++ b/queue-6.19/ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch @@ -0,0 +1,72 @@ +From beef2634f81f1c086208191f7228bce1d366493d Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 19 Mar 2026 21:00:02 +0900 +Subject: ksmbd: fix potencial OOB in get_file_all_info() for compound requests + +From: Namjae Jeon + +commit beef2634f81f1c086208191f7228bce1d366493d upstream. + +When a compound request consists of QUERY_DIRECTORY + QUERY_INFO +(FILE_ALL_INFORMATION) and the first command consumes nearly the entire +max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() +with PATH_MAX, causing out-of-bounds write beyond the response buffer. +In get_file_all_info(), there was a missing validation check for +the client-provided OutputBufferLength before copying the filename into +FileName field of the smb2_file_all_info structure. +If the filename length exceeds the available buffer space, it could lead to +potential buffer overflows or memory corruption during smbConvertToUTF16 +conversion. This calculating the actual free buffer size using +smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is +insufficient and updating smbConvertToUTF16 to use the actual filename +length (clamped by PATH_MAX) to ensure a safe copy operation. + +Cc: stable@vger.kernel.org +Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") +Reported-by: Asim Viladi Oglu Manizada +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4933,7 +4933,8 @@ static int get_file_all_info(struct ksmb + int conv_len; + char *filename; + u64 time; +- int ret; ++ int ret, buf_free_len, filename_len; ++ struct smb2_query_info_req *req = ksmbd_req_buf_next(work); + + if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) { + ksmbd_debug(SMB, "no right to read the attributes : 0x%x\n", +@@ -4945,6 +4946,16 @@ static int get_file_all_info(struct ksmb + if (IS_ERR(filename)) + return PTR_ERR(filename); + ++ filename_len = strlen(filename); ++ buf_free_len = smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_info_rsp, Buffer) + ++ offsetof(struct smb2_file_all_info, FileName), ++ le32_to_cpu(req->OutputBufferLength)); ++ if (buf_free_len < (filename_len + 1) * 2) { ++ kfree(filename); ++ return -EINVAL; ++ } ++ + ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS, + AT_STATX_SYNC_AS_STAT); + if (ret) { +@@ -4988,7 +4999,8 @@ static int get_file_all_info(struct ksmb + file_info->Mode = fp->coption; + file_info->AlignmentRequirement = 0; + conv_len = smbConvertToUTF16((__le16 *)file_info->FileName, filename, +- PATH_MAX, conn->local_nls, 0); ++ min(filename_len, PATH_MAX), ++ conn->local_nls, 0); + conv_len *= 2; + file_info->FileNameLength = cpu_to_le32(conv_len); + rsp->OutputBufferLength = diff --git a/queue-6.19/ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch b/queue-6.19/ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch new file mode 100644 index 0000000000..13bd37612c --- /dev/null +++ b/queue-6.19/ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch @@ -0,0 +1,75 @@ +From 0e55f63dd08f09651d39e1b709a91705a8a0ddcb Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 13 Mar 2026 14:45:58 +0900 +Subject: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() + +From: Namjae Jeon + +commit 0e55f63dd08f09651d39e1b709a91705a8a0ddcb upstream. + +After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), +response buffer management was changed to use dynamic iov array. +In the new design, smb2_calc_max_out_buf_len() expects the second +argument (hdr2_len) to be the offset of ->Buffer field in the +response structure, not a hardcoded magic number. +Fix the remaining call sites to use the correct offsetof() value. + +Cc: stable@vger.kernel.org +Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4445,8 +4445,9 @@ int smb2_query_dir(struct ksmbd_work *wo + d_info.wptr = (char *)rsp->Buffer; + d_info.rptr = (char *)rsp->Buffer; + d_info.out_buf_len = +- smb2_calc_max_out_buf_len(work, 8, +- le32_to_cpu(req->OutputBufferLength)); ++ smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_directory_rsp, Buffer), ++ le32_to_cpu(req->OutputBufferLength)); + if (d_info.out_buf_len < 0) { + rc = -EINVAL; + goto err_out; +@@ -4713,8 +4714,9 @@ static int smb2_get_ea(struct ksmbd_work + } + + buf_free_len = +- smb2_calc_max_out_buf_len(work, 8, +- le32_to_cpu(req->OutputBufferLength)); ++ smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_info_rsp, Buffer), ++ le32_to_cpu(req->OutputBufferLength)); + if (buf_free_len < 0) + return -EINVAL; + +@@ -5040,8 +5042,9 @@ static int get_file_stream_info(struct k + file_info = (struct smb2_file_stream_info *)rsp->Buffer; + + buf_free_len = +- smb2_calc_max_out_buf_len(work, 8, +- le32_to_cpu(req->OutputBufferLength)); ++ smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_info_rsp, Buffer), ++ le32_to_cpu(req->OutputBufferLength)); + if (buf_free_len < 0) + goto out; + +@@ -8190,8 +8193,9 @@ int smb2_ioctl(struct ksmbd_work *work) + buffer = (char *)req + le32_to_cpu(req->InputOffset); + + cnt_code = le32_to_cpu(req->CtlCode); +- ret = smb2_calc_max_out_buf_len(work, 48, +- le32_to_cpu(req->MaxOutputResponse)); ++ ret = smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_ioctl_rsp, Buffer), ++ le32_to_cpu(req->MaxOutputResponse)); + if (ret < 0) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + goto out; diff --git a/queue-6.19/mm-damon-stat-monitor-all-system-ram-resources.patch b/queue-6.19/mm-damon-stat-monitor-all-system-ram-resources.patch new file mode 100644 index 0000000000..0977b67654 --- /dev/null +++ b/queue-6.19/mm-damon-stat-monitor-all-system-ram-resources.patch @@ -0,0 +1,108 @@ +From 84481e705ab07ed46e56587fe846af194acacafe Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 16 Mar 2026 16:51:17 -0700 +Subject: mm/damon/stat: monitor all System RAM resources + +From: SeongJae Park + +commit 84481e705ab07ed46e56587fe846af194acacafe upstream. + +DAMON_STAT usage document (Documentation/admin-guide/mm/damon/stat.rst) +says it monitors the system's entire physical memory. But, it is +monitoring only the biggest System RAM resource of the system. When there +are multiple System RAM resources, this results in monitoring only an +unexpectedly small fraction of the physical memory. For example, suppose +the system has a 500 GiB System RAM, 10 MiB non-System RAM, and 500 GiB +System RAM resources in order on the physical address space. DAMON_STAT +will monitor only the first 500 GiB System RAM. This situation is +particularly common on NUMA systems. + +Select a physical address range that covers all System RAM areas of the +system, to fix this issue and make it work as documented. + +[sj@kernel.org: return error if monitoring target region is invalid] + Link: https://lkml.kernel.org/r/20260317053631.87907-1-sj@kernel.org +Link: https://lkml.kernel.org/r/20260316235118.873-1-sj@kernel.org +Fixes: 369c415e6073 ("mm/damon: introduce DAMON_STAT module") +Signed-off-by: SeongJae Park +Cc: [6.17+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/stat.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 50 insertions(+), 3 deletions(-) + +--- a/mm/damon/stat.c ++++ b/mm/damon/stat.c +@@ -145,12 +145,59 @@ static int damon_stat_damon_call_fn(void + return 0; + } + ++struct damon_stat_system_ram_range_walk_arg { ++ bool walked; ++ struct resource res; ++}; ++ ++static int damon_stat_system_ram_walk_fn(struct resource *res, void *arg) ++{ ++ struct damon_stat_system_ram_range_walk_arg *a = arg; ++ ++ if (!a->walked) { ++ a->walked = true; ++ a->res.start = res->start; ++ } ++ a->res.end = res->end; ++ return 0; ++} ++ ++static unsigned long damon_stat_res_to_core_addr(resource_size_t ra, ++ unsigned long addr_unit) ++{ ++ /* ++ * Use div_u64() for avoiding linking errors related with __udivdi3, ++ * __aeabi_uldivmod, or similar problems. This should also improve the ++ * performance optimization (read div_u64() comment for the detail). ++ */ ++ if (sizeof(ra) == 8 && sizeof(addr_unit) == 4) ++ return div_u64(ra, addr_unit); ++ return ra / addr_unit; ++} ++ ++static int damon_stat_set_monitoring_region(struct damon_target *t, ++ unsigned long addr_unit, unsigned long min_region_sz) ++{ ++ struct damon_addr_range addr_range; ++ struct damon_stat_system_ram_range_walk_arg arg = {}; ++ ++ walk_system_ram_res(0, -1, &arg, damon_stat_system_ram_walk_fn); ++ if (!arg.walked) ++ return -EINVAL; ++ addr_range.start = damon_stat_res_to_core_addr( ++ arg.res.start, addr_unit); ++ addr_range.end = damon_stat_res_to_core_addr( ++ arg.res.end + 1, addr_unit); ++ if (addr_range.end <= addr_range.start) ++ return -EINVAL; ++ return damon_set_regions(t, &addr_range, 1, min_region_sz); ++} ++ + static struct damon_ctx *damon_stat_build_ctx(void) + { + struct damon_ctx *ctx; + struct damon_attrs attrs; + struct damon_target *target; +- unsigned long start = 0, end = 0; + + ctx = damon_new_ctx(); + if (!ctx) +@@ -188,8 +235,8 @@ static struct damon_ctx *damon_stat_buil + if (!target) + goto free_out; + damon_add_target(ctx, target); +- if (damon_set_region_biggest_system_ram_default(target, &start, &end, +- ctx->min_region_sz)) ++ if (damon_stat_set_monitoring_region(target, ctx->addr_unit, ++ ctx->min_region_sz)) + goto free_out; + return ctx; + free_out: diff --git a/queue-6.19/revert-alsa-hda-intel-add-msi-x870e-tomahawk-to-denylist.patch b/queue-6.19/revert-alsa-hda-intel-add-msi-x870e-tomahawk-to-denylist.patch new file mode 100644 index 0000000000..9e25335fc3 --- /dev/null +++ b/queue-6.19/revert-alsa-hda-intel-add-msi-x870e-tomahawk-to-denylist.patch @@ -0,0 +1,40 @@ +From ed4da361bf943b9041fc63e5cb6af01b3c0de978 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 26 Mar 2026 14:05:38 -0500 +Subject: Revert "ALSA: hda/intel: Add MSI X870E Tomahawk to denylist" + +From: Mario Limonciello + +commit ed4da361bf943b9041fc63e5cb6af01b3c0de978 upstream. + +commit 30b3211aa2416 ("ALSA: hda/intel: Add MSI X870E Tomahawk +to denylist") was added to silence a warning, but this effectively +reintroduced commit df42ee7e22f03 ("ALSA: hda: Add ASRock +X670E Taichi to denylist") which was already reported to cause +problems and reverted in commit ee8f1613596ad ("Revert "ALSA: hda: +Add ASRock X670E Taichi to denylist"") + +Revert it yet again. + +Cc: stable@vger.kernel.org +Reported-by: Juhyun Song +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221274 +Cc: Stuart Hayhurst +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20260326190542.524515-1-mario.limonciello@amd.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/controllers/intel.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/sound/hda/controllers/intel.c ++++ b/sound/hda/controllers/intel.c +@@ -2077,7 +2077,6 @@ static const struct pci_device_id driver + { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1043, 0x874f) }, /* ASUS ROG Zenith II / Strix */ + { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1462, 0xcb59) }, /* MSI TRX40 Creator */ + { PCI_DEVICE_SUB(0x1022, 0x1487, 0x1462, 0xcb60) }, /* MSI TRX40 */ +- { PCI_DEVICE_SUB(0x1022, 0x15e3, 0x1462, 0xee59) }, /* MSI X870E Tomahawk WiFi */ + {} + }; + diff --git a/queue-6.19/s390-barrier-make-array_index_mask_nospec-__always_inline.patch b/queue-6.19/s390-barrier-make-array_index_mask_nospec-__always_inline.patch new file mode 100644 index 0000000000..5865dbbc0f --- /dev/null +++ b/queue-6.19/s390-barrier-make-array_index_mask_nospec-__always_inline.patch @@ -0,0 +1,34 @@ +From c5c0a268b38adffbb2e70e6957017537ff54c157 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Thu, 26 Mar 2026 14:38:44 +0100 +Subject: s390/barrier: Make array_index_mask_nospec() __always_inline + +From: Vasily Gorbik + +commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream. + +Mark array_index_mask_nospec() as __always_inline to guarantee the +mitigation is emitted inline regardless of compiler inlining decisions. + +Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec") +Cc: stable@kernel.org +Reviewed-by: Ilya Leoshkevich +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/barrier.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/include/asm/barrier.h ++++ b/arch/s390/include/asm/barrier.h +@@ -62,8 +62,8 @@ do { \ + * @size: number of elements in array + */ + #define array_index_mask_nospec array_index_mask_nospec +-static inline unsigned long array_index_mask_nospec(unsigned long index, +- unsigned long size) ++static __always_inline unsigned long array_index_mask_nospec(unsigned long index, ++ unsigned long size) + { + unsigned long mask; + diff --git a/queue-6.19/s390-entry-scrub-r12-register-on-kernel-entry.patch b/queue-6.19/s390-entry-scrub-r12-register-on-kernel-entry.patch new file mode 100644 index 0000000000..e913085f49 --- /dev/null +++ b/queue-6.19/s390-entry-scrub-r12-register-on-kernel-entry.patch @@ -0,0 +1,54 @@ +From 0738d395aab8fae3b5a3ad3fc640630c91693c27 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Thu, 26 Mar 2026 19:50:14 +0100 +Subject: s390/entry: Scrub r12 register on kernel entry + +From: Vasily Gorbik + +commit 0738d395aab8fae3b5a3ad3fc640630c91693c27 upstream. + +Before commit f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP"), +all entry handlers loaded r12 with the current task pointer +(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. That +commit removed TIF_ISOLATE_BP, dropping both the branch prediction +macros and the r12 load, but did not add r12 to the register clearing +sequence. + +Add the missing xgr %r12,%r12 to make the register scrub consistent +across all entry points. + +Fixes: f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP") +Cc: stable@kernel.org +Reviewed-by: Ilya Leoshkevich +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/entry.S | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -260,6 +260,7 @@ SYM_CODE_START(system_call) + xgr %r9,%r9 + xgr %r10,%r10 + xgr %r11,%r11 ++ xgr %r12,%r12 + la %r2,STACK_FRAME_OVERHEAD(%r15) # pointer to pt_regs + mvc __PT_R8(64,%r2),__LC_SAVE_AREA(%r13) + MBEAR %r2,%r13 +@@ -396,6 +397,7 @@ SYM_CODE_START(\name) + xgr %r6,%r6 + xgr %r7,%r7 + xgr %r10,%r10 ++ xgr %r12,%r12 + xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11) + mvc __PT_R8(64,%r11),__LC_SAVE_AREA(%r13) + MBEAR %r11,%r13 +@@ -485,6 +487,7 @@ SYM_CODE_START(mcck_int_handler) + xgr %r6,%r6 + xgr %r7,%r7 + xgr %r10,%r10 ++ xgr %r12,%r12 + stmg %r8,%r9,__PT_PSW(%r11) + xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11) + xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15) diff --git a/queue-6.19/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch b/queue-6.19/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch new file mode 100644 index 0000000000..61b2e6902b --- /dev/null +++ b/queue-6.19/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch @@ -0,0 +1,53 @@ +From 48b8814e25d073dd84daf990a879a820bad2bcbd Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 24 Mar 2026 17:34:05 +0100 +Subject: s390/syscalls: Add spectre boundary for syscall dispatch table + +From: Greg Kroah-Hartman + +commit 48b8814e25d073dd84daf990a879a820bad2bcbd upstream. + +The s390 syscall number is directly controlled by userspace, but does +not have an array_index_nospec() boundary to prevent access past the +syscall function pointer tables. + +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Alexander Gordeev +Cc: Christian Borntraeger +Cc: Sven Schnelle +Cc: Arnd Bergmann +Fixes: 56e62a737028 ("s390: convert to generic entry") +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Vasily Gorbik +Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/syscall.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/s390/kernel/syscall.c ++++ b/arch/s390/kernel/syscall.c +@@ -13,6 +13,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -131,8 +132,10 @@ void noinstr __do_syscall(struct pt_regs + if (unlikely(test_and_clear_pt_regs_flag(regs, PIF_SYSCALL_RET_SET))) + goto out; + regs->gprs[2] = -ENOSYS; +- if (likely(nr < NR_syscalls)) ++ if (likely(nr < NR_syscalls)) { ++ nr = array_index_nospec(nr, NR_syscalls); + regs->gprs[2] = sys_call_table[nr](regs); ++ } + out: + syscall_exit_to_user_mode(regs); + } diff --git a/queue-6.19/series b/queue-6.19/series index 59faf0078f..54cbdd2c0f 100644 --- a/queue-6.19/series +++ b/queue-6.19/series @@ -192,3 +192,27 @@ spi-spi-fsl-lpspi-fix-teardown-order-issue-uaf.patch io_uring-fdinfo-fix-sqe_mixed-sqe-displaying.patch io_uring-fdinfo-fix-oob-read-in-sqe_mixed-wrap-check.patch alsa-usb-audio-exclude-scarlett-2i4-1st-gen-from-ski.patch +s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch +s390-barrier-make-array_index_mask_nospec-__always_inline.patch +s390-entry-scrub-r12-register-on-kernel-entry.patch +tracing-drain-deferred-trigger-frees-if-kthread-creation-fails.patch +tracing-fix-potential-deadlock-in-cpu-hotplug-with-osnoise.patch +drm-xe-always-keep-track-of-remap-prev-next.patch +ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch +ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch +ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch +ksmbd-do-not-expire-session-on-binding-failure.patch +revert-alsa-hda-intel-add-msi-x870e-tomahawk-to-denylist.patch +alsa-hda-realtek-add-quirk-for-asus-strix-g16-g615jmr.patch +alsa-firewire-lib-fix-uninitialized-local-variable.patch +accel-ivpu-add-disable-clock-relinquish-workaround-for-nvl-a0.patch +asoc-codecs-wcd934x-fix-typo-in-dt-parsing.patch +asoc-sma1307-fix-double-free-of-devm_kzalloc-memory.patch +asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch +can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch +can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch +can-netlink-can_changelink-add-missing-error-handling-to-call-can_ctrlmode_changelink.patch +cpufreq-don-t-skip-cpufreq_frequency_table_cpuinfo.patch +cpufreq-conservative-reset-requested_freq-on-limits-change.patch +kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch +mm-damon-stat-monitor-all-system-ram-resources.patch diff --git a/queue-6.19/tracing-drain-deferred-trigger-frees-if-kthread-creation-fails.patch b/queue-6.19/tracing-drain-deferred-trigger-frees-if-kthread-creation-fails.patch new file mode 100644 index 0000000000..93c8c65f9e --- /dev/null +++ b/queue-6.19/tracing-drain-deferred-trigger-frees-if-kthread-creation-fails.patch @@ -0,0 +1,146 @@ +From 250ab25391edeeab8462b68be42e4904506c409c Mon Sep 17 00:00:00 2001 +From: Wesley Atwell +Date: Tue, 24 Mar 2026 16:13:26 -0600 +Subject: tracing: Drain deferred trigger frees if kthread creation fails + +From: Wesley Atwell + +commit 250ab25391edeeab8462b68be42e4904506c409c upstream. + +Boot-time trigger registration can fail before the trigger-data cleanup +kthread exists. Deferring those frees until late init is fine, but the +post-boot fallback must still drain the deferred list if kthread +creation never succeeds. + +Otherwise, boot-deferred nodes can accumulate on +trigger_data_free_list, later frees fall back to synchronously freeing +only the current object, and the older queued entries are leaked +forever. + +To trigger this, add the following to the kernel command line: + + trace_event=sched_switch trace_trigger=sched_switch.traceon,sched_switch.traceon + +The second traceon trigger will fail and be freed. This triggers a NULL +pointer dereference and crashes the kernel. + +Keep the deferred boot-time behavior, but when kthread creation fails, +drain the whole queued list synchronously. Do the same in the late-init +drain path so queued entries are not stranded there either. + +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260324221326.1395799-3-atwellwea@gmail.com +Fixes: 61d445af0a7c ("tracing: Add bulk garbage collection of freeing event_trigger_data") +Signed-off-by: Wesley Atwell +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_trigger.c | 79 ++++++++++++++++++++++++++++++------ + 1 file changed, 66 insertions(+), 13 deletions(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -22,6 +22,39 @@ static struct task_struct *trigger_kthre + static struct llist_head trigger_data_free_list; + static DEFINE_MUTEX(trigger_data_kthread_mutex); + ++static int trigger_kthread_fn(void *ignore); ++ ++static void trigger_create_kthread_locked(void) ++{ ++ lockdep_assert_held(&trigger_data_kthread_mutex); ++ ++ if (!trigger_kthread) { ++ struct task_struct *kthread; ++ ++ kthread = kthread_create(trigger_kthread_fn, NULL, ++ "trigger_data_free"); ++ if (!IS_ERR(kthread)) ++ WRITE_ONCE(trigger_kthread, kthread); ++ } ++} ++ ++static void trigger_data_free_queued_locked(void) ++{ ++ struct event_trigger_data *data, *tmp; ++ struct llist_node *llnodes; ++ ++ lockdep_assert_held(&trigger_data_kthread_mutex); ++ ++ llnodes = llist_del_all(&trigger_data_free_list); ++ if (!llnodes) ++ return; ++ ++ tracepoint_synchronize_unregister(); ++ ++ llist_for_each_entry_safe(data, tmp, llnodes, llist) ++ kfree(data); ++} ++ + /* Bulk garbage collection of event_trigger_data elements */ + static int trigger_kthread_fn(void *ignore) + { +@@ -56,30 +89,50 @@ void trigger_data_free(struct event_trig + if (data->cmd_ops->set_filter) + data->cmd_ops->set_filter(NULL, data, NULL); + ++ /* ++ * Boot-time trigger registration can fail before kthread creation ++ * works. Keep the deferred-free semantics during boot and let late ++ * init start the kthread to drain the list. ++ */ ++ if (system_state == SYSTEM_BOOTING && !trigger_kthread) { ++ llist_add(&data->llist, &trigger_data_free_list); ++ return; ++ } ++ + if (unlikely(!trigger_kthread)) { + guard(mutex)(&trigger_data_kthread_mutex); ++ ++ trigger_create_kthread_locked(); + /* Check again after taking mutex */ + if (!trigger_kthread) { +- struct task_struct *kthread; +- +- kthread = kthread_create(trigger_kthread_fn, NULL, +- "trigger_data_free"); +- if (!IS_ERR(kthread)) +- WRITE_ONCE(trigger_kthread, kthread); ++ llist_add(&data->llist, &trigger_data_free_list); ++ /* Drain the queued frees synchronously if creation failed. */ ++ trigger_data_free_queued_locked(); ++ return; + } + } + +- if (!trigger_kthread) { +- /* Do it the slow way */ +- tracepoint_synchronize_unregister(); +- kfree(data); +- return; +- } +- + llist_add(&data->llist, &trigger_data_free_list); + wake_up_process(trigger_kthread); + } + ++static int __init trigger_data_free_init(void) ++{ ++ guard(mutex)(&trigger_data_kthread_mutex); ++ ++ if (llist_empty(&trigger_data_free_list)) ++ return 0; ++ ++ trigger_create_kthread_locked(); ++ if (trigger_kthread) ++ wake_up_process(trigger_kthread); ++ else ++ trigger_data_free_queued_locked(); ++ ++ return 0; ++} ++late_initcall(trigger_data_free_init); ++ + static inline void data_ops_trigger(struct event_trigger_data *data, + struct trace_buffer *buffer, void *rec, + struct ring_buffer_event *event) diff --git a/queue-6.19/tracing-fix-potential-deadlock-in-cpu-hotplug-with-osnoise.patch b/queue-6.19/tracing-fix-potential-deadlock-in-cpu-hotplug-with-osnoise.patch new file mode 100644 index 0000000000..ed89657cf7 --- /dev/null +++ b/queue-6.19/tracing-fix-potential-deadlock-in-cpu-hotplug-with-osnoise.patch @@ -0,0 +1,101 @@ +From 1f9885732248d22f788e4992c739a98c88ab8a55 Mon Sep 17 00:00:00 2001 +From: Luo Haiyang +Date: Thu, 26 Mar 2026 14:19:53 +0800 +Subject: tracing: Fix potential deadlock in cpu hotplug with osnoise + +From: Luo Haiyang + +commit 1f9885732248d22f788e4992c739a98c88ab8a55 upstream. + +The following sequence may leads deadlock in cpu hotplug: + + task1 task2 task3 + ----- ----- ----- + + mutex_lock(&interface_lock) + + [CPU GOING OFFLINE] + + cpus_write_lock(); + osnoise_cpu_die(); + kthread_stop(task3); + wait_for_completion(); + + osnoise_sleep(); + mutex_lock(&interface_lock); + + cpus_read_lock(); + + [DEAD LOCK] + +Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock). + +Cc: stable@vger.kernel.org +Cc: +Cc: +Cc: +Cc: +Fixes: bce29ac9ce0bb ("trace: Add osnoise tracer") +Link: https://patch.msgid.link/20260326141953414bVSj33dAYktqp9Oiyizq8@zte.com.cn +Reviewed-by: Masami Hiramatsu (Google) +Signed-off-by: Luo Haiyang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_osnoise.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/kernel/trace/trace_osnoise.c ++++ b/kernel/trace/trace_osnoise.c +@@ -2073,8 +2073,8 @@ static void osnoise_hotplug_workfn(struc + if (!osnoise_has_registered_instances()) + return; + +- guard(mutex)(&interface_lock); + guard(cpus_read_lock)(); ++ guard(mutex)(&interface_lock); + + if (!cpu_online(cpu)) + return; +@@ -2237,11 +2237,11 @@ static ssize_t osnoise_options_write(str + if (running) + stop_per_cpu_kthreads(); + +- mutex_lock(&interface_lock); + /* + * avoid CPU hotplug operations that might read options. + */ + cpus_read_lock(); ++ mutex_lock(&interface_lock); + + retval = cnt; + +@@ -2257,8 +2257,8 @@ static ssize_t osnoise_options_write(str + clear_bit(option, &osnoise_options); + } + +- cpus_read_unlock(); + mutex_unlock(&interface_lock); ++ cpus_read_unlock(); + + if (running) + start_per_cpu_kthreads(); +@@ -2345,16 +2345,16 @@ osnoise_cpus_write(struct file *filp, co + if (running) + stop_per_cpu_kthreads(); + +- mutex_lock(&interface_lock); + /* + * osnoise_cpumask is read by CPU hotplug operations. + */ + cpus_read_lock(); ++ mutex_lock(&interface_lock); + + cpumask_copy(&osnoise_cpumask, osnoise_cpumask_new); + +- cpus_read_unlock(); + mutex_unlock(&interface_lock); ++ cpus_read_unlock(); + + if (running) + start_per_cpu_kthreads();