From: Greg Kroah-Hartman
Date: Tue, 17 Mar 2026 13:27:32 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v6.18.19~38
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=556aacfaa28ef8f8f0e0952b6e4ec52dd39351d5;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch
cifs-make-default-value-of-retrans-as-zero.patch
drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch
drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch
drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch
drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch
iio-buffer-fix-wait_queue-not-being-removed.patch
iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch
iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch
iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch
iio-dac-ds4424-reject-128-raw-value.patch
iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch
iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch
iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch
iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch
iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch
lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch
lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch
lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch
s390-dasd-copy-detected-format-information-to-secondary-device.patch
s390-dasd-move-quiesce-state-with-pprc-swap.patch
scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch
smb-client-fix-atomic-open-with-o_direct-o_sync.patch
smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch
tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch
x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch xfs-fix-undersized-l_iclog_roundoff-values.patch --- diff --git a/queue-6.6/btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch b/queue-6.6/btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch new file mode 100644 index 0000000000..de841ae57e --- /dev/null +++ b/queue-6.6/btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch @@ -0,0 +1,36 @@ +From 0f475ee0ebce5c9492b260027cd95270191675fa Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 27 Feb 2026 00:02:33 +0000 +Subject: btrfs: abort transaction on failure to update root in the received subvol ioctl + +From: Filipe Manana + +commit 0f475ee0ebce5c9492b260027cd95270191675fa upstream. + +If we failed to update the root we don't abort the transaction, which is +wrong since we already used the transaction to remove an item from the +uuid tree. + +Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") +CC: stable@vger.kernel.org # 3.12+ +Reviewed-by: Anand Jain +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -4037,7 +4037,8 @@ static long _btrfs_ioctl_set_received_su + + ret = btrfs_update_root(trans, fs_info->tree_root, + &root->root_key, &root->root_item); +- if (ret < 0) { ++ if (unlikely(ret < 0)) { ++ btrfs_abort_transaction(trans, ret); + btrfs_end_transaction(trans); + goto out; + } diff --git a/queue-6.6/cifs-make-default-value-of-retrans-as-zero.patch b/queue-6.6/cifs-make-default-value-of-retrans-as-zero.patch new file mode 100644 index 0000000000..8bdff69c27 --- /dev/null +++ b/queue-6.6/cifs-make-default-value-of-retrans-as-zero.patch 
@@ -0,0 +1,34 @@ +From e3beefd3af09f8e460ddaf39063d3d7664d7ab59 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N +Date: Wed, 11 Mar 2026 10:48:54 +0530 +Subject: cifs: make default value of retrans as zero + +From: Shyam Prasad N + +commit e3beefd3af09f8e460ddaf39063d3d7664d7ab59 upstream. + +When retrans mount option was introduced, the default value was set +as 1. However, in the light of some bugs that this has exposed recently +we should change it to 0 and retain the old behaviour before this option +was introduced. + +Cc: +Reviewed-by: Bharath SM +Signed-off-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/fs_context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -1809,7 +1809,7 @@ int smb3_init_fs_context(struct fs_conte + ctx->backupuid_specified = false; /* no backup intent for a user */ + ctx->backupgid_specified = false; /* no backup intent for a group */ + +- ctx->retrans = 1; ++ ctx->retrans = 0; + ctx->reparse_type = CIFS_REPARSE_TYPE_DEFAULT; + + /* diff --git a/queue-6.6/drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch b/queue-6.6/drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch new file mode 100644 index 0000000000..71e43ec430 --- /dev/null +++ b/queue-6.6/drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch 
@@ -0,0 +1,53 @@ +From 3646ff28780b4c52c5b5081443199e7a430110e5 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Tue, 10 Mar 2026 11:58:22 -0500 +Subject: drm/amd: Set num IP blocks to 0 if discovery fails + +From: Mario Limonciello + +commit 3646ff28780b4c52c5b5081443199e7a430110e5 upstream. + +If discovery has failed for any reason (such as no support for a block) +then there is no need to unwind all the IP blocks in fini. In this +condition there can actually be failures during the unwind too. + +Reset num_ip_blocks to zero during failure path and skip the unnecessary +cleanup path. + +Suggested-by: Lijo Lazar +Reviewed-by: Lijo Lazar +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit fae5984296b981c8cc3acca35b701c1f332a6cd8) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +++- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2096,8 +2096,10 @@ static int amdgpu_device_ip_early_init(s + break; + default: + r = amdgpu_discovery_set_ip_blocks(adev); +- if (r) ++ if (r) { ++ adev->num_ip_blocks = 0; + return r; ++ } + break; + } + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -82,7 +82,7 @@ void amdgpu_driver_unload_kms(struct drm + { + struct amdgpu_device *adev = drm_to_adev(dev); + +- if (adev == NULL) ++ if (adev == NULL || !adev->num_ip_blocks) + return; + + amdgpu_unregister_gpu_instance(adev); diff --git a/queue-6.6/drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch b/queue-6.6/drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch new file mode 100644 index 0000000000..ed9e78f922 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch 
@@ -0,0 +1,45 @@ +From 2c1030f2e84885cc58bffef6af67d5b9d2e7098f Mon Sep 17 00:00:00 2001 +From: Alysa Liu +Date: Thu, 5 Feb 2026 11:21:45 -0500 +Subject: drm/amdgpu: Fix use-after-free race in VM acquire + +From: Alysa Liu + +commit 2c1030f2e84885cc58bffef6af67d5b9d2e7098f upstream. + +Replace non-atomic vm->process_info assignment with cmpxchg() +to prevent race when parent/child processes sharing a drm_file +both try to acquire the same VM after fork(). + +Reviewed-by: Harish Kasiviswanathan +Signed-off-by: Alysa Liu +Signed-off-by: Alex Deucher +(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -1351,7 +1351,10 @@ static int init_kfd_vm(struct amdgpu_vm + *ef = dma_fence_get(&info->eviction_fence->base); + } + +- vm->process_info = *process_info; ++ if (cmpxchg(&vm->process_info, NULL, *process_info) != NULL) { ++ ret = -EINVAL; ++ goto already_acquired; ++ } + + /* Validate page directory and attach eviction fence */ + ret = amdgpu_bo_reserve(vm->root.bo, true); +@@ -1389,6 +1392,7 @@ validate_pd_fail: + amdgpu_bo_unreserve(vm->root.bo); + reserve_pd_fail: + vm->process_info = NULL; ++already_acquired: + if (info) { + /* Two fence references: one in info and one in *ef */ + dma_fence_put(&info->eviction_fence->base); diff --git a/queue-6.6/drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch b/queue-6.6/drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch new file mode 100644 index 0000000000..73d9641a93 --- /dev/null +++ b/queue-6.6/drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch 
@@ -0,0 +1,50 @@ +From 2f22702dc0fee06a240404e0f7ead5b789b253d8 Mon Sep 17 00:00:00 2001 +From: Luca Ceresoli +Date: Thu, 26 Feb 2026 17:16:44 +0100 +Subject: drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding + +From: Luca Ceresoli + +commit 2f22702dc0fee06a240404e0f7ead5b789b253d8 upstream. + +The DSI frequency must be in the range: + + (CHA_DSI_CLK_RANGE * 5 MHz) <= DSI freq < ((CHA_DSI_CLK_RANGE + 1) * 5 MHz) + +So the register value should point to the lower range value, but +DIV_ROUND_UP() rounds the division to the higher range value, resulting in +an excess of 1 (unless the frequency is an exact multiple of 5 MHz). + +For example for a 437100000 MHz clock CHA_DSI_CLK_RANGE should be 87 (0x57): + + (87 * 5 = 435) <= 437.1 < (88 * 5 = 440) + +but current code returns 88 (0x58). + +Fix the computation by removing the DIV_ROUND_UP(). + +Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") +Cc: stable@vger.kernel.org +Reviewed-by: Marek Vasut +Link: https://patch.msgid.link/20260226-ti-sn65dsi83-dual-lvds-fixes-and-test-pattern-v1-1-2e15f5a9a6a0@bootlin.com +Signed-off-by: Luca Ceresoli +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/ti-sn65dsi83.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c +@@ -303,9 +303,9 @@ static u8 sn65dsi83_get_dsi_range(struct + * DSI_CLK = mode clock * bpp / dsi_data_lanes / 2 + * the 2 is there because the bus is DDR. + */ +- return DIV_ROUND_UP(clamp((unsigned int)mode->clock * +- mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) / +- ctx->dsi->lanes / 2, 40000U, 500000U), 5000U); ++ return clamp((unsigned int)mode->clock * ++ mipi_dsi_pixel_format_to_bpp(ctx->dsi->format) / ++ ctx->dsi->lanes / 2, 40000U, 500000U) / 5000U; + } + + static u8 sn65dsi83_get_dsi_div(struct sn65dsi83 *ctx) 
diff --git a/queue-6.6/drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch b/queue-6.6/drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch new file mode 100644 index 0000000000..33fefeb585 --- /dev/null +++ b/queue-6.6/drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch 
@@ -0,0 +1,91 @@ +From 029ae067431ab9d0fca479bdabe780fa436706ea Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Tue, 24 Feb 2026 10:49:06 +0100 +Subject: drm/i915: Fix potential overflow of shmem scatterlist length + +From: Janusz Krzysztofik + +commit 029ae067431ab9d0fca479bdabe780fa436706ea upstream. + +When a scatterlists table of a GEM shmem object of size 4 GB or more is +populated with pages allocated from a folio, unsigned int .length +attribute of a scatterlist may get overflowed if total byte length of +pages allocated to that single scatterlist happens to reach or cross the +4GB limit. As a consequence, users of the object may suffer from hitting +unexpected, premature end of the object's backing pages. + +[278.780187] ------------[ cut here ]------------ +[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915] +... +[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary) +[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER +[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024 +[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915] +... +[278.780786] Call Trace: +[278.780787] +[278.780788] ? __apply_to_page_range+0x3e6/0x910 +[278.780795] ? __pfx_remap_sg+0x10/0x10 [i915] +[278.780906] apply_to_page_range+0x14/0x30 +[278.780908] remap_io_sg+0x14d/0x260 [i915] +[278.781013] vm_fault_cpu+0xd2/0x330 [i915] +[278.781137] __do_fault+0x3a/0x1b0 +[278.781140] do_fault+0x322/0x640 +[278.781143] __handle_mm_fault+0x938/0xfd0 +[278.781150] handle_mm_fault+0x12c/0x300 +[278.781152] ? lock_mm_and_find_vma+0x4b/0x760 +[278.781155] do_user_addr_fault+0x2d6/0x8e0 +[278.781160] exc_page_fault+0x96/0x2c0 +[278.781165] asm_exc_page_fault+0x27/0x30 +... 
+ +That issue was apprehended by the author of a change that introduced it, +and potential risk even annotated with a comment, but then never addressed. + +When adding folio pages to a scatterlist table, take care of byte length +of any single scatterlist not exceeding max_segment. + +Fixes: 0b62af28f249b ("i915: convert shmem_sg_free_table() to use a folio_batch") +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14809 +Cc: Matthew Wilcox (Oracle) +Cc: Andrew Morton +Cc: stable@vger.kernel.org # v6.5+ +Signed-off-by: Janusz Krzysztofik +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260224094944.2447913-2-janusz.krzysztofik@linux.intel.com +(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c +@@ -151,8 +151,12 @@ int shmem_sg_alloc_table(struct drm_i915 + } + } while (1); + +- nr_pages = min_t(unsigned long, +- folio_nr_pages(folio), page_count - i); ++ nr_pages = min_array(((unsigned long[]) { ++ folio_nr_pages(folio), ++ page_count - i, ++ max_segment / PAGE_SIZE, ++ }), 3); ++ + if (!i || + sg->length >= max_segment || + folio_pfn(folio) != next_pfn) { +@@ -162,7 +166,9 @@ int shmem_sg_alloc_table(struct drm_i915 + st->nents++; + sg_set_folio(sg, folio, nr_pages * PAGE_SIZE, 0); + } else { +- /* XXX: could overflow? */ ++ nr_pages = min_t(unsigned long, nr_pages, ++ (max_segment - sg->length) / PAGE_SIZE); ++ + sg->length += nr_pages * PAGE_SIZE; + } + next_pfn = folio_pfn(folio) + nr_pages; diff --git a/queue-6.6/iio-buffer-fix-wait_queue-not-being-removed.patch b/queue-6.6/iio-buffer-fix-wait_queue-not-being-removed.patch new file mode 100644 index 0000000000..aa2d564cf1 --- /dev/null 
+++ b/queue-6.6/iio-buffer-fix-wait_queue-not-being-removed.patch @@ -0,0 +1,41 @@ +From 064234044056c93a3719d6893e6e5a26a94a61b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Mon, 16 Feb 2026 13:24:27 +0000 +Subject: iio: buffer: Fix wait_queue not being removed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 064234044056c93a3719d6893e6e5a26a94a61b6 upstream. + +In the edge case where the IIO device is unregistered while we're +buffering, we were directly returning an error without removing the wait +queue. Instead, set 'ret' and break out of the loop. + +Fixes: 9eeee3b0bf19 ("iio: Add output buffer support") +Signed-off-by: Nuno Sá +Reviewed-by: David Lechner +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-buffer.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -194,8 +194,10 @@ static ssize_t iio_buffer_write(struct f + written = 0; + add_wait_queue(&rb->pollq, &wait); + do { +- if (!indio_dev->info) +- return -ENODEV; ++ if (!indio_dev->info) { ++ ret = -ENODEV; ++ break; ++ } + + if (!iio_buffer_space_available(rb)) { + if (signal_pending(current)) { diff --git a/queue-6.6/iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch b/queue-6.6/iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch new file mode 100644 index 0000000000..5f25ed484b --- /dev/null +++ b/queue-6.6/iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch 
@@ -0,0 +1,41 @@ +From f55b9510cd9437da3a0efa08b089caeb47595ff1 Mon Sep 17 00:00:00 2001 +From: Chris Spencer +Date: Thu, 5 Feb 2026 14:55:45 +0000 +Subject: iio: chemical: bme680: Fix measurement wait duration calculation + +From: Chris Spencer + +commit f55b9510cd9437da3a0efa08b089caeb47595ff1 upstream. + +This function refers to the Bosch BME680 API as the source of the +calculation, but one of the constants does not match the Bosch +implementation. This appears to be a simple transposition of two digits, +resulting in a wait time that is too short. This can cause the following +'device measurement cycle incomplete' check to occasionally fail, returning +EBUSY to user space. + +Adjust the constant to match the Bosch implementation and resolve the EBUSY +errors. + +Fixes: 4241665e6ea0 ("iio: chemical: bme680: Fix sensor data read operation") +Link: https://github.com/boschsensortec/BME68x_SensorAPI/blob/v4.4.8/bme68x.c#L521 +Signed-off-by: Chris Spencer +Acked-by: Vasileios Amoiridis +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/bme680_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -550,7 +550,7 @@ static int bme680_wait_for_eoc(struct bm + * + heater duration + */ + int wait_eoc_us = ((data->oversampling_temp + data->oversampling_press + +- data->oversampling_humid) * 1936) + (477 * 4) + ++ data->oversampling_humid) * 1963) + (477 * 4) + + (477 * 5) + 1000 + (data->heater_dur * 1000); + + usleep_range(wait_eoc_us, wait_eoc_us + 100); diff --git a/queue-6.6/iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch b/queue-6.6/iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch new file mode 100644 index 0000000000..50b420693d --- /dev/null +++ b/queue-6.6/iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch 
@@ -0,0 +1,35 @@ +From 216345f98cae7fcc84f49728c67478ac00321c87 Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Thu, 12 Feb 2026 14:46:07 +0200 +Subject: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() + +From: Antoniu Miclaus + +commit 216345f98cae7fcc84f49728c67478ac00321c87 upstream. + +sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead +of the intended __be32 element size (4 bytes). Use sizeof(*meas) to +correctly match the buffer element type. + +Fixes: 8f3f13085278 ("iio: sps30: separate core and interface specific code") +Signed-off-by: Antoniu Miclaus +Acked-by: Tomasz Duszynski +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/sps30_i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/chemical/sps30_i2c.c ++++ b/drivers/iio/chemical/sps30_i2c.c +@@ -171,7 +171,7 @@ static int sps30_i2c_read_meas(struct sp + if (!sps30_i2c_meas_ready(state)) + return -ETIMEDOUT; + +- return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(num) * num); ++ return sps30_i2c_command(state, SPS30_I2C_READ_MEAS, NULL, 0, meas, sizeof(*meas) * num); + } + + static int sps30_i2c_clean_fan(struct sps30_state *state) diff --git a/queue-6.6/iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch b/queue-6.6/iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch new file mode 100644 index 0000000000..0612261223 --- /dev/null +++ b/queue-6.6/iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch 
@@ -0,0 +1,36 @@ +From c3914ce1963c4db25e186112c90fa5d2361e9e0a Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Thu, 12 Feb 2026 14:46:08 +0200 +Subject: iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas() + +From: Antoniu Miclaus + +commit c3914ce1963c4db25e186112c90fa5d2361e9e0a upstream. + +sizeof(num) evaluates to sizeof(size_t) which is 8 bytes on 64-bit, +but the buffer elements are only 4 bytes. The same function already +uses sizeof(*meas) on line 312, making the mismatch evident. Use +sizeof(*meas) consistently. + +Fixes: b2e171f5a5c6 ("iio: sps30: add support for serial interface") +Signed-off-by: Antoniu Miclaus +Acked-by: Tomasz Duszynski +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/sps30_serial.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/chemical/sps30_serial.c ++++ b/drivers/iio/chemical/sps30_serial.c +@@ -303,7 +303,7 @@ static int sps30_serial_read_meas(struct + if (msleep_interruptible(1000)) + return -EINTR; + +- ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(num)); ++ ret = sps30_serial_command(state, SPS30_SERIAL_READ_MEAS, NULL, 0, meas, num * sizeof(*meas)); + if (ret < 0) + return ret; + /* if measurements aren't ready sensor returns empty frame */ diff --git a/queue-6.6/iio-dac-ds4424-reject-128-raw-value.patch b/queue-6.6/iio-dac-ds4424-reject-128-raw-value.patch new file mode 100644 index 0000000000..cc82abbb5f --- /dev/null +++ b/queue-6.6/iio-dac-ds4424-reject-128-raw-value.patch 
@@ -0,0 +1,39 @@ +From 5187e03b817c26c1c3bcb2645a612ea935c4be89 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Wed, 4 Feb 2026 15:00:33 +0100 +Subject: iio: dac: ds4424: reject -128 RAW value + +From: Oleksij Rempel + +commit 5187e03b817c26c1c3bcb2645a612ea935c4be89 upstream. + +The DS442x DAC uses sign-magnitude encoding, so -128 cannot be represented +in hardware (7-bit magnitude). + +Previously, passing -128 resulted in a truncated value that programmed +0mA (magnitude 0) instead of the expected maximum negative current, +effectively failing silently. + +Reject -128 to avoid producing the wrong current. + +Fixes: d632a2bd8ffc ("iio: dac: ds4422/ds4424 dac driver") +Cc: stable@vger.kernel.org +Signed-off-by: Oleksij Rempel +Reviewed-by: Andy Shevchenko +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ds4424.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/dac/ds4424.c ++++ b/drivers/iio/dac/ds4424.c +@@ -141,7 +141,7 @@ static int ds4424_write_raw(struct iio_d + + switch (mask) { + case IIO_CHAN_INFO_RAW: +- if (val < S8_MIN || val > S8_MAX) ++ if (val <= S8_MIN || val > S8_MAX) + return -EINVAL; + + if (val > 0) { diff --git a/queue-6.6/iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch b/queue-6.6/iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch new file mode 100644 index 0000000000..4b7ab9a94a --- /dev/null +++ b/queue-6.6/iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch 
@@ -0,0 +1,39 @@ +From 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb Mon Sep 17 00:00:00 2001 +From: SeungJu Cheon +Date: Sat, 24 Jan 2026 04:47:58 +0900 +Subject: iio: frequency: adf4377: Fix duplicated soft reset mask + +From: SeungJu Cheon + +commit 6c8bf4b604a8a6346ca71f1c027fa01c2c2e04cb upstream. + +The regmap_read_poll_timeout() uses ADF4377_0000_SOFT_RESET_R_MSK +twice instead of checking both SOFT_RESET_MSK (bit 0) and +SOFT_RESET_R_MSK (bit 7). This causes an incomplete reset status check. + +The code first sets both SOFT_RESET and SOFT_RESET_R bits to 1 via +regmap_update_bits(), then polls for them to be cleared. Since we set +both bits before polling, we should be waiting for both to clear. + +Fix by using both masks as done in regmap_update_bits() above. + +Fixes: eda549e2e524 ("iio: frequency: adf4377: add support for ADF4377") +Signed-off-by: SeungJu Cheon +Cc: Stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/frequency/adf4377.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/frequency/adf4377.c ++++ b/drivers/iio/frequency/adf4377.c +@@ -495,7 +495,7 @@ static int adf4377_soft_reset(struct adf + return ret; + + return regmap_read_poll_timeout(st->regmap, 0x0, read_val, +- !(read_val & (ADF4377_0000_SOFT_RESET_R_MSK | ++ !(read_val & (ADF4377_0000_SOFT_RESET_MSK | + ADF4377_0000_SOFT_RESET_R_MSK)), 200, 200 * 100); + } + diff --git a/queue-6.6/iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch b/queue-6.6/iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch new file mode 100644 index 0000000000..c2ca5e39ee --- /dev/null +++ b/queue-6.6/iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch 
@@ -0,0 +1,66 @@ +From acc3949aab3e8094641a9c7c2768de1958c88378 Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Mon, 16 Feb 2026 11:57:56 +0200 +Subject: iio: gyro: mpu3050-core: fix pm_runtime error handling + +From: Antoniu Miclaus + +commit acc3949aab3e8094641a9c7c2768de1958c88378 upstream. + +The return value of pm_runtime_get_sync() is not checked, allowing +the driver to access hardware that may fail to resume. The device +usage count is also unconditionally incremented. Use +pm_runtime_resume_and_get() which propagates errors and avoids +incrementing the usage count on failure. + +In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate() +failure since postdisable does not run when preenable fails. + +Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope") +Reviewed-by: Linus Walleij +Signed-off-by: Antoniu Miclaus +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/mpu3050-core.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/iio/gyro/mpu3050-core.c ++++ b/drivers/iio/gyro/mpu3050-core.c +@@ -322,7 +322,9 @@ static int mpu3050_read_raw(struct iio_d + } + case IIO_CHAN_INFO_RAW: + /* Resume device */ +- pm_runtime_get_sync(mpu3050->dev); ++ ret = pm_runtime_resume_and_get(mpu3050->dev); ++ if (ret) ++ return ret; + mutex_lock(&mpu3050->lock); + + ret = mpu3050_set_8khz_samplerate(mpu3050); +@@ -651,14 +653,20 @@ out_trigger_unlock: + static int mpu3050_buffer_preenable(struct iio_dev *indio_dev) + { + struct mpu3050 *mpu3050 = iio_priv(indio_dev); ++ int ret; + +- pm_runtime_get_sync(mpu3050->dev); ++ ret = pm_runtime_resume_and_get(mpu3050->dev); ++ if (ret) ++ return ret; + + /* Unless we have OUR trigger active, run at full speed */ +- if (!mpu3050->hw_irq_trigger) +- return mpu3050_set_8khz_samplerate(mpu3050); ++ if (!mpu3050->hw_irq_trigger) { ++ ret = mpu3050_set_8khz_samplerate(mpu3050); ++ if (ret) ++ 
pm_runtime_put_autosuspend(mpu3050->dev); ++ } + +- return 0; ++ return ret; + } + + static int mpu3050_buffer_postdisable(struct iio_dev *indio_dev) diff --git a/queue-6.6/iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch b/queue-6.6/iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch new file mode 100644 index 0000000000..c3a4dad030 --- /dev/null +++ b/queue-6.6/iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch @@ -0,0 +1,37 @@ +From 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Mon, 16 Feb 2026 11:57:55 +0200 +Subject: iio: gyro: mpu3050-i2c: fix pm_runtime error handling + +From: Antoniu Miclaus + +commit 91f950b4cbb1aa9ea4eb3999f1463e8044b717fb upstream. + +The return value of pm_runtime_get_sync() is not checked, and the +function always returns success. This allows I2C mux operations to +proceed even when the device fails to resume. + +Use pm_runtime_resume_and_get() and propagate its return value to +properly handle resume failures. + +Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope") +Signed-off-by: Antoniu Miclaus +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/mpu3050-i2c.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/gyro/mpu3050-i2c.c ++++ b/drivers/iio/gyro/mpu3050-i2c.c +@@ -19,8 +19,7 @@ static int mpu3050_i2c_bypass_select(str + struct mpu3050 *mpu3050 = i2c_mux_priv(mux); + + /* Just power up the device, that is all that is needed */ +- pm_runtime_get_sync(mpu3050->dev); +- return 0; ++ return pm_runtime_resume_and_get(mpu3050->dev); + } + + static int mpu3050_i2c_bypass_deselect(struct i2c_mux_core *mux, u32 chan_id) diff --git a/queue-6.6/iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch b/queue-6.6/iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch new file mode 100644 index 0000000000..8c1e8e5393 --- /dev/null 
+++ b/queue-6.6/iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch @@ -0,0 +1,49 @@ +From c9f3a593137d862d424130343e77d4b5260a4f5a Mon Sep 17 00:00:00 2001 +From: Jean-Baptiste Maneyrol +Date: Fri, 30 Jan 2026 16:38:47 +0100 +Subject: iio: imu: inv_icm42600: fix odr switch to the same value + +From: Jean-Baptiste Maneyrol + +commit c9f3a593137d862d424130343e77d4b5260a4f5a upstream. + +ODR switch is done in 2 steps when FIFO is on : change the ODR register +value and acknowledge change when reading the FIFO ODR change flag. +When we are switching to the same odr value, we end up waiting for a +FIFO ODR flag that is never happening. + +Fix the issue by doing nothing and exiting properly when we are +switching to the same ODR value. + +Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping") +Signed-off-by: Jean-Baptiste Maneyrol +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 2 ++ + drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c +@@ -321,6 +321,8 @@ static int inv_icm42600_accel_write_odr( + return -EINVAL; + + conf.odr = inv_icm42600_accel_odr_conv[idx / 2]; ++ if (conf.odr == st->conf.accel.odr) ++ return 0; + + pm_runtime_get_sync(dev); + mutex_lock(&st->lock); +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c +@@ -333,6 +333,8 @@ static int inv_icm42600_gyro_write_odr(s + return -EINVAL; + + conf.odr = inv_icm42600_gyro_odr_conv[idx / 2]; ++ if (conf.odr == st->conf.gyro.odr) ++ return 0; + + pm_runtime_get_sync(dev); + mutex_lock(&st->lock); 
diff --git a/queue-6.6/iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch b/queue-6.6/iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch new file mode 100644 index 0000000000..8fd5d29095 --- /dev/null +++ b/queue-6.6/iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch @@ -0,0 +1,40 @@ +From 85e4614524dca6c0a43874f475a17de2b9725648 Mon Sep 17 00:00:00 2001 +From: Lukas Schmid +Date: Mon, 2 Feb 2026 21:15:35 +0100 +Subject: iio: potentiometer: mcp4131: fix double application of wiper shift + +From: Lukas Schmid + +commit 85e4614524dca6c0a43874f475a17de2b9725648 upstream. + +The MCP4131 wiper address is shifted twice when preparing the SPI +command in mcp4131_write_raw(). + +The address is already shifted when assigned to the local variable +"address", but is then shifted again when written to data->buf[0]. +This results in an incorrect command being sent to the device and +breaks wiper writes to the second channel. + +Remove the second shift and use the pre-shifted address directly +when composing the SPI transfer. + +Fixes: 22d199a53910 ("iio: potentiometer: add driver for Microchip MCP413X/414X/415X/416X/423X/424X/425X/426X") +Signed-off-by: Lukas Schmid # +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/potentiometer/mcp4131.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/potentiometer/mcp4131.c ++++ b/drivers/iio/potentiometer/mcp4131.c +@@ -222,7 +222,7 @@ static int mcp4131_write_raw(struct iio_ + + mutex_lock(&data->lock); + +- data->buf[0] = address << MCP4131_WIPER_SHIFT; ++ data->buf[0] = address; + data->buf[0] |= MCP4131_WRITE | (val >> 8); + data->buf[1] = val & 0xFF; /* 8 bits here */ + diff --git a/queue-6.6/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch b/queue-6.6/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch new file mode 100644 index 0000000000..ee807847cf --- /dev/null 
+++ b/queue-6.6/lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch @@ -0,0 +1,42 @@ +From 560f763baa0f2c9a44da4294c06af071405ac46f Mon Sep 17 00:00:00 2001 +From: Josh Law +Date: Thu, 12 Mar 2026 19:11:42 +0000 +Subject: lib/bootconfig: check bounds before writing in __xbc_open_brace() + +From: Josh Law + +commit 560f763baa0f2c9a44da4294c06af071405ac46f upstream. + +The bounds check for brace_index happens after the array write. +While the current call pattern prevents an actual out-of-bounds +access (the previous call would have returned an error), the +write-before-check pattern is fragile and would become a real +out-of-bounds write if the error return were ever not propagated. + +Move the bounds check before the array write so the function is +self-contained and safe regardless of caller behavior. + +Link: https://lore.kernel.org/all/20260312191143.28719-3-objecting@objecting.org/ + +Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes") +Cc: stable@vger.kernel.org +Signed-off-by: Josh Law +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + lib/bootconfig.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/bootconfig.c ++++ b/lib/bootconfig.c +@@ -534,9 +534,9 @@ static char *skip_spaces_until_newline(c + static int __init __xbc_open_brace(char *p) + { + /* Push the last key as open brace */ +- open_brace[brace_index++] = xbc_node_index(last_parent); + if (brace_index >= XBC_DEPTH_MAX) + return xbc_parse_error("Exceed max depth of braces", p); ++ open_brace[brace_index++] = xbc_node_index(last_parent); + + return 0; + } diff --git a/queue-6.6/lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch b/queue-6.6/lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch new file mode 100644 index 0000000000..5d60f65b58 --- /dev/null +++ b/queue-6.6/lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch 
@@ -0,0 +1,43 @@ +From 39ebc8d7f561e1b64eca87353ef9b18e2825e591 Mon Sep 17 00:00:00 2001 +From: Josh Law +Date: Thu, 12 Mar 2026 19:11:41 +0000 +Subject: lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error + +From: Josh Law + +commit 39ebc8d7f561e1b64eca87353ef9b18e2825e591 upstream. + +__xbc_open_brace() pushes entries with post-increment +(open_brace[brace_index++]), so brace_index always points one past +the last valid entry. xbc_verify_tree() reads open_brace[brace_index] +to report which brace is unclosed, but this is one past the last +pushed entry and contains stale/zero data, causing the error message +to reference the wrong node. + +Use open_brace[brace_index - 1] to correctly identify the unclosed +brace. brace_index is known to be > 0 here since we are inside the +if (brace_index) guard. + +Link: https://lore.kernel.org/all/20260312191143.28719-2-objecting@objecting.org/ + +Fixes: ead1e19ad905 ("lib/bootconfig: Fix a bug of breaking existing tree nodes") +Cc: stable@vger.kernel.org +Signed-off-by: Josh Law +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + lib/bootconfig.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/bootconfig.c ++++ b/lib/bootconfig.c +@@ -793,7 +793,7 @@ static int __init xbc_verify_tree(void) + + /* Brace closing */ + if (brace_index) { +- n = &xbc_nodes[open_brace[brace_index]]; ++ n = &xbc_nodes[open_brace[brace_index - 1]]; + return xbc_parse_error("Brace is not closed", + xbc_node_get_data(n)); + } diff --git a/queue-6.6/lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch b/queue-6.6/lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch new file mode 100644 index 0000000000..c298538198 --- /dev/null +++ b/queue-6.6/lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch 
@@ -0,0 +1,40 @@ +From 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 Mon Sep 17 00:00:00 2001 +From: Josh Law +Date: Thu, 12 Mar 2026 19:11:43 +0000 +Subject: lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after() + +From: Josh Law + +commit 1120a36bb1e9b9e22de75ecb4ef0b998f73a97f1 upstream. + +snprintf() returns the number of characters that would have been +written excluding the NUL terminator. Output is truncated when the +return value is >= the buffer size, not just > the buffer size. + +When ret == size, the current code takes the non-truncated path, +advancing buf by ret and reducing size to 0. This is wrong because +the output was actually truncated (the last character was replaced by +NUL). Fix by using >= so the truncation path is taken correctly. + +Link: https://lore.kernel.org/all/20260312191143.28719-4-objecting@objecting.org/ + +Fixes: 76db5a27a827 ("bootconfig: Add Extra Boot Config support") +Cc: stable@vger.kernel.org +Signed-off-by: Josh Law +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + lib/bootconfig.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/bootconfig.c ++++ b/lib/bootconfig.c +@@ -318,7 +318,7 @@ int __init xbc_node_compose_key_after(st + depth ? "." : ""); + if (ret < 0) + return ret; +- if (ret > size) { ++ if (ret >= size) { + size = 0; + } else { + size -= ret; diff --git a/queue-6.6/s390-dasd-copy-detected-format-information-to-secondary-device.patch b/queue-6.6/s390-dasd-copy-detected-format-information-to-secondary-device.patch new file mode 100644 index 0000000000..02d34631ed --- /dev/null +++ b/queue-6.6/s390-dasd-copy-detected-format-information-to-secondary-device.patch 
@@ -0,0 +1,74 @@ +From 4c527c7e030672efd788d0806d7a68972a7ba3c1 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Tue, 10 Mar 2026 15:23:30 +0100 +Subject: s390/dasd: Copy detected format information to secondary device + +From: Stefan Haberland + +commit 4c527c7e030672efd788d0806d7a68972a7ba3c1 upstream. + +During online processing for a DASD device an IO operation is started to +determine the format of the device. CDL format contains specifically +sized blocks at the beginning of the disk. + +For a PPRC secondary device no real IO operation is possible therefore +this IO request can not be started and this step is skipped for online +processing of secondary devices. This is generally fine since the +secondary is a copy of the primary device. + +In case of an additional partition detection that is run after a swap +operation the format information is needed to properly drive partition +detection IO. + +Currently the information is not passed leading to IO errors during +partition detection and a wrongly detected partition table which in turn +might lead to data corruption on the disk with the wrong partition table. + +Fix by passing the format information from primary to secondary device. 
+ +Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability") +Cc: stable@vger.kernel.org #6.1 +Reviewed-by: Jan Hoeppner +Acked-by: Eduard Shishkin +Signed-off-by: Stefan Haberland +Link: https://patch.msgid.link/20260310142330.4080106-3-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_eckd.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -6185,6 +6185,7 @@ static void copy_pair_set_active(struct + static int dasd_eckd_copy_pair_swap(struct dasd_device *device, char *prim_busid, + char *sec_busid) + { ++ struct dasd_eckd_private *prim_priv, *sec_priv; + struct dasd_device *primary, *secondary; + struct dasd_copy_relation *copy; + struct dasd_block *block; +@@ -6205,6 +6206,9 @@ static int dasd_eckd_copy_pair_swap(stru + if (!secondary) + return DASD_COPYPAIRSWAP_SECONDARY; + ++ prim_priv = primary->private; ++ sec_priv = secondary->private; ++ + /* + * usually the device should be quiesced for swap + * for paranoia stop device and requeue requests again +@@ -6237,6 +6241,13 @@ static int dasd_eckd_copy_pair_swap(stru + dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE); + } + ++ /* ++ * The secondary device never got through format detection, but since it ++ * is a copy of the primary device, the format is exactly the same; ++ * therefore, the detected layout can simply be copied. ++ */ ++ sec_priv->uses_cdl = prim_priv->uses_cdl; ++ + /* re-enable device */ + dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC); + dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC); diff --git a/queue-6.6/s390-dasd-move-quiesce-state-with-pprc-swap.patch b/queue-6.6/s390-dasd-move-quiesce-state-with-pprc-swap.patch new file mode 100644 index 0000000000..7c0f9eaf72 --- /dev/null +++ b/queue-6.6/s390-dasd-move-quiesce-state-with-pprc-swap.patch 
@@ -0,0 +1,46 @@ +From 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Tue, 10 Mar 2026 15:23:29 +0100 +Subject: s390/dasd: Move quiesce state with pprc swap + +From: Stefan Haberland + +commit 40e9cd4ae8ec43b107ed2bff422a8fa39dcf4e4b upstream. + +Quiesce and resume is a mechanism to suspend operations on DASD devices. +In the context of a controlled copy pair swap operation, the quiesce +operation is usually issued before the actual swap and a resume +afterwards. + +During the swap operation, the underlying device is exchanged. Therefore, +the quiesce flag must be moved to the secondary device to ensure a +consistent quiesce state after the swap. + +The secondary device itself cannot be suspended separately because there +is no separate block device representation for it. + +Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability") +Cc: stable@vger.kernel.org #6.1 +Reviewed-by: Jan Hoeppner +Signed-off-by: Stefan Haberland +Link: https://patch.msgid.link/20260310142330.4080106-2-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_eckd.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -6232,6 +6232,11 @@ static int dasd_eckd_copy_pair_swap(stru + dev_name(&secondary->cdev->dev), rc); + } + ++ if (primary->stopped & DASD_STOPPED_QUIESCE) { ++ dasd_device_set_stop_bits(secondary, DASD_STOPPED_QUIESCE); ++ dasd_device_remove_stop_bits(primary, DASD_STOPPED_QUIESCE); ++ } ++ + /* re-enable device */ + dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC); + dasd_device_remove_stop_bits(secondary, DASD_STOPPED_PPRC); diff --git a/queue-6.6/scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch b/queue-6.6/scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch new file mode 100644 index 0000000000..349887f3d1 --- /dev/null 
+++ b/queue-6.6/scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch @@ -0,0 +1,41 @@ +From 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Wed, 4 Mar 2026 08:46:03 -0800 +Subject: scsi: core: Fix error handling for scsi_alloc_sdev() + +From: Junxiao Bi + +commit 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325 upstream. + +After scsi_sysfs_device_initialize() was called, error paths must call +__scsi_remove_device(). + +Fixes: 1ac22c8eae81 ("scsi: core: Fix refcount leak for tagset_refcnt") +Cc: stable@vger.kernel.org +Signed-off-by: Junxiao Bi +Reviewed-by: John Garry +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260304164603.51528-1-junxiao.bi@oracle.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_scan.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -353,12 +353,8 @@ static struct scsi_device *scsi_alloc_sd + * default device queue depth to figure out sbitmap shift + * since we use this queue depth most of times. + */ +- if (scsi_realloc_sdev_budget_map(sdev, depth)) { +- kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags); +- put_device(&starget->dev); +- kfree(sdev); +- goto out; +- } ++ if (scsi_realloc_sdev_budget_map(sdev, depth)) ++ goto out_device_destroy; + + scsi_change_queue_depth(sdev, depth); + diff --git a/queue-6.6/series b/queue-6.6/series index af85f49872..5e8a605632 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
@@ -331,3 +331,31 @@ ksmbd-fix-use-after-free-by-using-call_rcu-for-oplock_info.patch net-ncsi-fix-skb-leak-in-error-paths.patch net-ethernet-arc-emac-quiesce-interrupts-before-requesting-irq.patch net-dsa-microchip-fix-error-path-in-ptp-irq-setup.patch +drm-amdgpu-fix-use-after-free-race-in-vm-acquire.patch +drm-amd-set-num-ip-blocks-to-0-if-discovery-fails.patch +drm-bridge-ti-sn65dsi83-fix-cha_dsi_clk_range-rounding.patch +drm-i915-fix-potential-overflow-of-shmem-scatterlist-length.patch +tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch +cifs-make-default-value-of-retrans-as-zero.patch +xfs-fix-undersized-l_iclog_roundoff-values.patch +s390-dasd-move-quiesce-state-with-pprc-swap.patch +s390-dasd-copy-detected-format-information-to-secondary-device.patch +lib-bootconfig-fix-off-by-one-in-xbc_verify_tree-unclosed-brace-error.patch +scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch +x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch +lib-bootconfig-fix-snprintf-truncation-check-in-xbc_node_compose_key_after.patch +lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch +smb-client-fix-atomic-open-with-o_direct-o_sync.patch +smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch +smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch +btrfs-abort-transaction-on-failure-to-update-root-in-the-received-subvol-ioctl.patch +iio-dac-ds4424-reject-128-raw-value.patch +iio-frequency-adf4377-fix-duplicated-soft-reset-mask.patch +iio-chemical-sps30_serial-fix-buffer-size-in-sps30_serial_read_meas.patch +iio-chemical-sps30_i2c-fix-buffer-size-in-sps30_i2c_read_meas.patch +iio-potentiometer-mcp4131-fix-double-application-of-wiper-shift.patch +iio-chemical-bme680-fix-measurement-wait-duration-calculation.patch +iio-buffer-fix-wait_queue-not-being-removed.patch +iio-gyro-mpu3050-core-fix-pm_runtime-error-handling.patch +iio-gyro-mpu3050-i2c-fix-pm_runtime-error-handling.patch 
+iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch diff --git a/queue-6.6/smb-client-fix-atomic-open-with-o_direct-o_sync.patch b/queue-6.6/smb-client-fix-atomic-open-with-o_direct-o_sync.patch new file mode 100644 index 0000000000..6584436a75 --- /dev/null +++ b/queue-6.6/smb-client-fix-atomic-open-with-o_direct-o_sync.patch 
@@ -0,0 +1,102 @@ +From 4a7d2729dc99437dbb880a64c47828c0d191b308 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Sat, 7 Mar 2026 18:20:16 -0300 +Subject: smb: client: fix atomic open with O_DIRECT & O_SYNC + +From: Paulo Alcantara + +commit 4a7d2729dc99437dbb880a64c47828c0d191b308 upstream. + +When user application requests O_DIRECT|O_SYNC along with O_CREAT on +open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in +CREATE request when performing an atomic open, thus leading to +potentially data integrity issues. + +Fix this by setting those missing bits in CREATE request when +O_DIRECT|O_SYNC has been specified in cifs_do_create(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Acked-by: Henrique Carvalho +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsglob.h | 11 +++++++++++ + fs/smb/client/dir.c | 1 + + fs/smb/client/file.c | 18 +++--------------- + 3 files changed, 15 insertions(+), 15 deletions(-) + +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include "cifs_fs_sb.h" + #include "cifsacl.h" + #include +@@ -2354,4 +2355,14 @@ static inline bool cifs_ses_exiting(stru + return ret; + } + ++static inline int cifs_open_create_options(unsigned int oflags, int opts) ++{ ++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */ ++ if (oflags & O_SYNC) ++ opts |= CREATE_WRITE_THROUGH; ++ if (oflags & O_DIRECT) ++ opts |= CREATE_NO_BUFFER; ++ return opts; ++} ++ + #endif /* _CIFS_GLOB_H */ +--- a/fs/smb/client/dir.c ++++ b/fs/smb/client/dir.c +@@ -304,6 +304,7 @@ static int cifs_do_create(struct inode * + goto out; + } + ++ create_options |= cifs_open_create_options(oflags, create_options); + /* + * if we're not using unix extensions, see if we need to set + * 
ATTR_READONLY on the create call +--- a/fs/smb/client/file.c ++++ b/fs/smb/client/file.c +@@ -459,15 +459,8 @@ static int cifs_nt_open(const char *full + *********************************************************************/ + + disposition = cifs_get_disposition(f_flags); +- + /* BB pass O_SYNC flag through on file attributes .. BB */ +- +- /* O_SYNC also has bit for O_DSYNC so following check picks up either */ +- if (f_flags & O_SYNC) +- create_options |= CREATE_WRITE_THROUGH; +- +- if (f_flags & O_DIRECT) +- create_options |= CREATE_NO_BUFFER; ++ create_options |= cifs_open_create_options(f_flags, create_options); + + retry_open: + oparms = (struct cifs_open_parms) { +@@ -1117,13 +1110,8 @@ cifs_reopen_file(struct cifsFileInfo *cf + rdwr_for_fscache = 1; + + desired_access = cifs_convert_flags(cfile->f_flags, rdwr_for_fscache); +- +- /* O_SYNC also has bit for O_DSYNC so following check picks up either */ +- if (cfile->f_flags & O_SYNC) +- create_options |= CREATE_WRITE_THROUGH; +- +- if (cfile->f_flags & O_DIRECT) +- create_options |= CREATE_NO_BUFFER; ++ create_options |= cifs_open_create_options(cfile->f_flags, ++ create_options); + + if (server->ops->get_lease_key) + server->ops->get_lease_key(inode, &cfile->fid); diff --git a/queue-6.6/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch b/queue-6.6/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch new file mode 100644 index 0000000000..b3e887371e --- /dev/null +++ b/queue-6.6/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch 
@@ -0,0 +1,74 @@ +From d4c7210d2f3ea481a6481f03040a64d9077a6172 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Wed, 11 Mar 2026 20:17:23 -0300 +Subject: smb: client: fix iface port assignment in parse_server_interfaces + +From: Henrique Carvalho + +commit d4c7210d2f3ea481a6481f03040a64d9077a6172 upstream. + +parse_server_interfaces() initializes interface socket addresses with +CIFS_PORT. When the mount uses a non-default port this overwrites the +configured destination port. + +Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr, +causing reconnect attempts to use the wrong port after server interface +updates. + +Use the existing port from server->dstaddr instead. + +Cc: stable@vger.kernel.org +Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries") +Tested-by: Dr. Thomas Orgis +Reviewed-by: Enzo Matsumiya +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -586,6 +586,7 @@ parse_server_interfaces(struct network_i + struct iface_info_ipv6 *p6; + struct cifs_server_iface *info = NULL, *iface = NULL, *niface = NULL; + struct cifs_server_iface tmp_iface; ++ __be16 port; + ssize_t bytes_left; + size_t next = 0; + int nb_iface = 0; +@@ -620,6 +621,15 @@ parse_server_interfaces(struct network_i + goto out; + } + ++ spin_lock(&ses->server->srv_lock); ++ if (ses->server->dstaddr.ss_family == AF_INET) ++ port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port; ++ else if (ses->server->dstaddr.ss_family == AF_INET6) ++ port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port; ++ else ++ port = cpu_to_be16(CIFS_PORT); ++ spin_unlock(&ses->server->srv_lock); ++ + while (bytes_left >= (ssize_t)sizeof(*p)) { + memset(&tmp_iface, 0, sizeof(tmp_iface)); + /* default to 1Gbps when link speed is unset */ +@@ 
-640,7 +650,7 @@ parse_server_interfaces(struct network_i + memcpy(&addr4->sin_addr, &p4->IPv4Address, 4); + + /* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */ +- addr4->sin_port = cpu_to_be16(CIFS_PORT); ++ addr4->sin_port = port; + + cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__, + &addr4->sin_addr); +@@ -654,7 +664,7 @@ parse_server_interfaces(struct network_i + /* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */ + addr6->sin6_flowinfo = 0; + addr6->sin6_scope_id = 0; +- addr6->sin6_port = cpu_to_be16(CIFS_PORT); ++ addr6->sin6_port = port; + + cifs_dbg(FYI, "%s: ipv6 %pI6\n", __func__, + &addr6->sin6_addr); diff --git a/queue-6.6/smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch b/queue-6.6/smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch new file mode 100644 index 0000000000..0e2b903c45 --- /dev/null +++ b/queue-6.6/smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch 
@@ -0,0 +1,53 @@ +From d78840a6a38d312dc1a51a65317bb67e46f0b929 Mon Sep 17 00:00:00 2001 +From: Bharath SM +Date: Mon, 9 Mar 2026 16:00:49 +0530 +Subject: smb: client: fix in-place encryption corruption in SMB2_write() + +From: Bharath SM + +commit d78840a6a38d312dc1a51a65317bb67e46f0b929 upstream. + +SMB2_write() places write payload in iov[1..n] as part of rq_iov. +smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() +encrypts iov[1] in-place, replacing the original plaintext with +ciphertext. On a replayable error, the retry sends the same iov[1] +which now contains ciphertext instead of the original data, +resulting in corruption. + +The corruption is most likely to be observed when connections are +unstable, as reconnects trigger write retries that re-send the +already-encrypted data. + +This affects SFU mknod, MF symlinks, etc. On kernels before +6.10 (prior to the netfs conversion), sync writes also used +this path and were similarly affected. The async write path +wasn't unaffected as it uses rq_iter which gets deep-copied. + +Fix by moving the write payload into rq_iter via iov_iter_kvec(), +so smb3_init_transform_rq() deep-copies it before encryption. + +Cc: stable@vger.kernel.org #6.3+ +Acked-by: Henrique Carvalho +Acked-by: Shyam Prasad N +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Bharath SM +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -5073,7 +5073,10 @@ replay_again: + + memset(&rqst, 0, sizeof(struct smb_rqst)); + rqst.rq_iov = iov; +- rqst.rq_nvec = n_vec + 1; ++ /* iov[0] is the SMB header; move payload to rq_iter for encryption safety */ ++ rqst.rq_nvec = 1; ++ iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec, ++ io_parms->length); + + if (retries) + smb2_set_replay(server, &rqst); 
diff --git a/queue-6.6/tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch b/queue-6.6/tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch new file mode 100644 index 0000000000..3b5ffa542d --- /dev/null +++ b/queue-6.6/tracing-fix-trace_buf_size-cmdline-parameter-with-sizes-2g.patch 
@@ -0,0 +1,61 @@ +From d008ba8be8984760e36d7dcd4adbd5a41a645708 Mon Sep 17 00:00:00 2001 +From: Calvin Owens +Date: Fri, 6 Mar 2026 19:19:25 -0800 +Subject: tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G + +From: Calvin Owens + +commit d008ba8be8984760e36d7dcd4adbd5a41a645708 upstream. + +Some of the sizing logic through tracer_alloc_buffers() uses int +internally, causing unexpected behavior if the user passes a value that +does not fit in an int (on my x86 machine, the result is uselessly tiny +buffers). + +Fix by plumbing the parameter's real type (unsigned long) through to the +ring buffer allocation functions, which already use unsigned long. + +It has always been possible to create larger ring buffers via the sysfs +interface: this only affects the cmdline parameter. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://patch.msgid.link/bff42a4288aada08bdf74da3f5b67a2c28b761f8.1772852067.git.calvin@wbinvd.org +Fixes: 73c5162aa362 ("tracing: keep ring buffer to minimum size till used") +Signed-off-by: Calvin Owens +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -9271,7 +9271,7 @@ static void + init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer); + + static int +-allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, int size) ++allocate_trace_buffer(struct trace_array *tr, struct array_buffer *buf, unsigned long size) + { + enum ring_buffer_flags rb_flags; + +@@ -9307,7 +9307,7 @@ static void free_trace_buffer(struct arr + } + } + +-static int allocate_trace_buffers(struct trace_array *tr, int size) ++static int allocate_trace_buffers(struct trace_array *tr, unsigned long size) + { + int ret; + +@@ -10330,7 +10330,7 @@ __init static void enable_instances(void + + __init static int 
tracer_alloc_buffers(void) + { +- int ring_buf_size; ++ unsigned long ring_buf_size; + int ret = -ENOMEM; + + diff --git a/queue-6.6/x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch b/queue-6.6/x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch new file mode 100644 index 0000000000..31944928b9 --- /dev/null +++ b/queue-6.6/x86-apic-disable-x2apic-on-resume-if-the-kernel-expects-so.patch 
@@ -0,0 +1,86 @@ +From 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 Mon Sep 17 00:00:00 2001 +From: Shashank Balaji +Date: Fri, 6 Mar 2026 14:46:28 +0900 +Subject: x86/apic: Disable x2apic on resume if the kernel expects so + +From: Shashank Balaji + +commit 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 upstream. + +When resuming from s2ram, firmware may re-enable x2apic mode, which may have +been disabled by the kernel during boot either because it doesn't support IRQ +remapping or for other reasons. This causes the kernel to continue using the +xapic interface, while the hardware is in x2apic mode, which causes hangs. +This happens on defconfig + bare metal + s2ram. + +Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be +disabled, i.e. when x2apic_mode = 0. + +The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the +pre-sleep configuration or initial boot configuration for each CPU, including +MSR state: + + When executing from the power-on reset vector as a result of waking from an + S2 or S3 sleep state, the platform firmware performs only the hardware + initialization required to restore the system to either the state the + platform was in prior to the initial operating system boot, or to the + pre-sleep configuration state. In multiprocessor systems, non-boot + processors should be placed in the same state as prior to the initial + operating system boot. + + (further ahead) + + If this is an S2 or S3 wake, then the platform runtime firmware restores + minimum context of the system before jumping to the waking vector. This + includes: + + CPU configuration. Platform runtime firmware restores the pre-sleep + configuration or initial boot configuration of each CPU (MSR, MTRR, + firmware update, SMBase, and so on). Interrupts must be disabled (for + IA-32 processors, disabled by CLI instruction). 
+ + (and other things) + +So at least as per the spec, re-enablement of x2apic by the firmware is +allowed if "x2apic on" is a part of the initial boot configuration. + + [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization + + [ bp: Massage. ] + +Fixes: 6e1cb38a2aef ("x64, x2apic/intr-remap: add x2apic support, including enabling interrupt-remapping") +Co-developed-by: Rahul Bukte +Signed-off-by: Rahul Bukte +Signed-off-by: Shashank Balaji +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Thomas Gleixner +Reviewed-by: Sohil Mehta +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260306-x2apic-fix-v2-1-bee99c12efa3@sony.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/apic/apic.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1931,6 +1931,7 @@ void __init check_x2apic(void) + + static inline void try_to_enable_x2apic(int remap_mode) { } + static inline void __x2apic_enable(void) { } ++static inline void __x2apic_disable(void) { } + #endif /* !CONFIG_X86_X2APIC */ + + void __init enable_IR_x2apic(void) +@@ -2652,6 +2653,11 @@ static void lapic_resume(void) + if (x2apic_mode) { + __x2apic_enable(); + } else { ++ if (x2apic_enabled()) { ++ pr_warn_once("x2apic: re-enabled by firmware during resume. Disabling\n"); ++ __x2apic_disable(); ++ } ++ + /* + * Make sure the APICBASE points to the right address + * diff --git a/queue-6.6/xfs-fix-undersized-l_iclog_roundoff-values.patch b/queue-6.6/xfs-fix-undersized-l_iclog_roundoff-values.patch new file mode 100644 index 0000000000..bb57f68c0e --- /dev/null +++ b/queue-6.6/xfs-fix-undersized-l_iclog_roundoff-values.patch 
@@ -0,0 +1,66 @@ +From 52a8a1ba883defbfe3200baa22cf4cd21985d51a Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Wed, 4 Mar 2026 20:26:20 -0800 +Subject: xfs: fix undersized l_iclog_roundoff values + +From: Darrick J. Wong + +commit 52a8a1ba883defbfe3200baa22cf4cd21985d51a upstream. + +If the superblock doesn't list a log stripe unit, we set the incore log +roundoff value to 512. This leads to corrupt logs and unmountable +filesystems in generic/617 on a disk with 4k physical sectors... + +XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c +XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. +XFS (sda1): failed to locate log tail +XFS (sda1): log mount/recovery failed: error -74 +XFS (sda1): log mount failed +XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c +XFS (sda1): Ending clean mount + +...on the current xfsprogs for-next which has a broken mkfs. xfs_info +shows this... + +meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks + = sectsz=4096 attr=2, projid32bit=1 + = crc=1 finobt=1, sparse=1, rmapbt=1 + = reflink=1 bigtime=1 inobtcount=1 nrext64=1 + = exchange=1 metadir=1 +data = bsize=4096 blocks=2579968, imaxpct=25 + = sunit=0 swidth=0 blks +naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1 +log =internal log bsize=4096 blocks=16384, version=2 + = sectsz=4096 sunit=0 blks, lazy-count=1 +realtime =none extsz=4096 blocks=0, rtextents=0 + = rgcount=0 rgsize=268435456 extents + = zoned=0 start=0 reserved=0 + +...observe that the log section has sectsz=4096 sunit=0, which means +that the roundoff factor is 512, not 4096 as you'd expect. We should +fix mkfs not to generate broken filesystems, but anyone can fuzz the +ondisk superblock so we should be more cautious. I think the inadequate +logic predates commit a6a65fef5ef8d0, but that's clearly going to +require a different backport. 
+ +Cc: stable@vger.kernel.org # v5.14 +Fixes: a6a65fef5ef8d0 ("xfs: log stripe roundoff is a property of the log") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Carlos Maiolino +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_log.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/xfs/xfs_log.c ++++ b/fs/xfs/xfs_log.c +@@ -1552,6 +1552,8 @@ xlog_alloc_log( + + if (xfs_has_logv2(mp) && mp->m_sb.sb_logsunit > 1) + log->l_iclog_roundoff = mp->m_sb.sb_logsunit; ++ else if (mp->m_sb.sb_logsectsize > 0) ++ log->l_iclog_roundoff = mp->m_sb.sb_logsectsize; + else + log->l_iclog_roundoff = BBSIZE; +
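Review bot: In iio-imu-inv_icm42600-fix-odr-switch-to-the-same-value.patch, both new early returns read st->conf.accel.odr / st->conf.gyro.odr before mutex_lock(&st->lock) is taken two lines below. If st->lock is what serialises updates to st->conf, the comparison can race with a concurrent ODR write and either skip a needed change or fall through to the wait the patch is meant to avoid. Consider doing the comparison after mutex_lock(&st->lock) and leaving through the existing unlock path, or add a comment saying why the unlocked read is safe here.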
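Review bot: In lib-bootconfig-check-bounds-before-writing-in-__xbc_open_brace.patch, moving the check above the push also changes the accepted nesting depth, which the commit message does not mention. With the old order a call entered with brace_index == XBC_DEPTH_MAX - 1 wrote the slot, incremented, and then returned "Exceed max depth of braces"; with the new order the same call succeeds and leaves brace_index == XBC_DEPTH_MAX. That is in bounds only if open_brace[] has XBC_DEPTH_MAX entries, and the declaration is not in the hunk. Please state the one-level change in the changelog and confirm the array size, since xbc_verify_tree() in the companion patch now reads open_brace[brace_index - 1].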
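Review bot: In scsi-core-fix-error-handling-for-scsi_alloc_sdev.patch, the out_device_destroy label that replaces the inline cleanup is not part of the hunk, so the diff alone does not show that the three releases being removed (kref_put() on tagset_refcnt, put_device(&starget->dev), kfree(sdev)) are each still performed exactly once on the new path. A sentence in the changelog saying which of them __scsi_remove_device() covers would make the refcount balance reviewable from this patch.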
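Review bot: In smb-client-fix-atomic-open-with-o_direct-o_sync.patch, every call site is written as create_options |= cifs_open_create_options(flags, create_options), but the helper already starts from opts and returns it with the extra bits ORed in, so the |= is redundant with the second argument. Either assign the result (create_options = cifs_open_create_options(oflags, create_options)) or drop the opts parameter and have the helper return only the bits derived from the open flags. As written the result is correct, but the double accumulation reads as if the helper returned a delta.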
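Review bot: In smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch, the retained comments "[MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these" now sit directly above addr4->sin_port = port and addr6->sin6_port = port, with nothing saying where port comes from. Add a short comment at the srv_lock block stating that the port is taken from server->dstaddr so a non-default mount port survives interface updates, and that CIFS_PORT is used only when ss_family is neither AF_INET nor AF_INET6.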
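Review bot: In smb-client-fix-in-place-encryption-corruption-in-smb2_write.patch, iov_iter_kvec() is given n_vec segments starting at &iov[1] but takes its byte count from io_parms->length, and nothing in the hunk ties the two together. If the summed iov_len of iov[1..n_vec] ever differs from io_parms->length, the iterator describes a different payload than the one that was previously sent via rq_nvec = n_vec + 1. A comment stating that invariant, or a check against the summed segment lengths, would make the switch to rq_iter safer to maintain.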
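Review bot: In xfs-fix-undersized-l_iclog_roundoff-values.patch, the new else-if branch accepts any mp->m_sb.sb_logsectsize > 0 as l_iclog_roundoff, while the changelog itself argues that the on-disk superblock can be fuzzed. The hunk shows no check that the value is at least BBSIZE or a power of two, so a crafted sb_logsectsize could still produce a roundoff smaller than the final BBSIZE fallback. If the superblock verifier already constrains sb_logsectsize, say so in a comment here; otherwise consider taking the larger of sb_logsectsize and BBSIZE.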