From: Sasha Levin Date: Mon, 23 Mar 2026 11:42:54 +0000 (-0400) Subject: Fixes for all trees X-Git-Tag: v6.1.167~19^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6e6dddfb56bc1c16af41712366eaa20a26669287;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/mtd-rawnand-brcmnand-move-to-polling-in-pio-mode-on-.patch b/queue-5.10/mtd-rawnand-brcmnand-move-to-polling-in-pio-mode-on-.patch new file mode 100644 index 0000000000..580e636590 --- /dev/null +++ b/queue-5.10/mtd-rawnand-brcmnand-move-to-polling-in-pio-mode-on-.patch 
@@ -0,0 +1,39 @@ +From 272d14adc95d5a71746e067efde0bcd328f9adf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 12:09:09 -0500 +Subject: mtd: rawnand: brcmnand: move to polling in pio mode on oops write + +From: Kamal Dasu + +[ Upstream commit 22ca05b82d3e3abc2b116a11ee41b6b692b95530 ] + +This change makes sure that Broadcom NAND driver moves to interrupt +polling on the first brcmnand_write() call. + +Signed-off-by: Kamal Dasu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210311170909.9031-2-kdasu.kdev@gmail.com +Stable-dep-of: da9ba4dcc01e ("mtd: rawnand: brcmnand: skip DMA during panic write") +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +index a101df3b19f70..669c332d37ee8 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -2399,6 +2399,10 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip, + for (i = 0; i < ctrl->max_oob; i += 4) + oob_reg_write(ctrl, i, 0xffffffff); + ++ if (mtd->oops_panic_write) ++ /* switch to interrupt polling and PIO mode */ ++ disable_ctrl_irqs(ctrl); ++ + if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) { + if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize, + CMD_PROGRAM_PAGE)) +-- +2.51.0 + diff --git a/queue-5.10/mtd-rawnand-brcmnand-read-write-oob-during-edu-trans.patch b/queue-5.10/mtd-rawnand-brcmnand-read-write-oob-during-edu-trans.patch new file mode 100644 index 0000000000..99bde87518 --- /dev/null +++ b/queue-5.10/mtd-rawnand-brcmnand-read-write-oob-during-edu-trans.patch 
@@ -0,0 +1,165 @@ +From 3e84025178a3d614b5390d5e4f0d5647048e5087 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Mar 2021 12:09:08 -0500 +Subject: mtd: rawnand: brcmnand: read/write oob during EDU transfer + +From: Kamal Dasu + +[ Upstream commit a071912636cc3420f54e2a6312c1625ac763cf03 ] + +Added support to read/write oob during EDU transfers. + +Signed-off-by: Kamal Dasu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210311170909.9031-1-kdasu.kdev@gmail.com +Stable-dep-of: da9ba4dcc01e ("mtd: rawnand: brcmnand: skip DMA during panic write") +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 59 +++++++++++++++++++++--- + 1 file changed, 52 insertions(+), 7 deletions(-) + +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +index cb35090510470..a101df3b19f70 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -245,6 +245,9 @@ struct brcmnand_controller { + u32 edu_ext_addr; + u32 edu_cmd; + u32 edu_config; ++ int sas; /* spare area size, per flash cache */ ++ int sector_size_1k; ++ u8 *oob; + + /* flash_dma reg */ + const u16 *flash_dma_offsets; +@@ -252,7 +255,7 @@ struct brcmnand_controller { + dma_addr_t dma_pa; + + int (*dma_trans)(struct brcmnand_host *host, u64 addr, u32 *buf, +- u32 len, u8 dma_cmd); ++ u8 *oob, u32 len, u8 dma_cmd); + + /* in-memory cache of the FLASH_CACHE, used only for some commands */ + u8 flash_cache[FC_BYTES]; +@@ -1527,6 +1530,23 @@ static irqreturn_t brcmnand_edu_irq(int irq, void *data) + edu_writel(ctrl, EDU_EXT_ADDR, ctrl->edu_ext_addr); + edu_readl(ctrl, EDU_EXT_ADDR); + ++ if (ctrl->oob) { ++ if (ctrl->edu_cmd == EDU_CMD_READ) { ++ ctrl->oob += read_oob_from_regs(ctrl, ++ ctrl->edu_count + 1, ++ ctrl->oob, ctrl->sas, ++ ctrl->sector_size_1k); ++ } else { ++ brcmnand_write_reg(ctrl, BRCMNAND_CMD_ADDRESS, ++ ctrl->edu_ext_addr); ++ brcmnand_read_reg(ctrl, 
BRCMNAND_CMD_ADDRESS); ++ ctrl->oob += write_oob_to_regs(ctrl, ++ ctrl->edu_count, ++ ctrl->oob, ctrl->sas, ++ ctrl->sector_size_1k); ++ } ++ } ++ + mb(); /* flush previous writes */ + edu_writel(ctrl, EDU_CMD, ctrl->edu_cmd); + edu_readl(ctrl, EDU_CMD); +@@ -1908,9 +1928,10 @@ static void brcmnand_write_buf(struct nand_chip *chip, const uint8_t *buf, + * Kick EDU engine + */ + static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf, +- u32 len, u8 cmd) ++ u8 *oob, u32 len, u8 cmd) + { + struct brcmnand_controller *ctrl = host->ctrl; ++ struct brcmnand_cfg *cfg = &host->hwcfg; + unsigned long timeo = msecs_to_jiffies(200); + int ret = 0; + int dir = (cmd == CMD_PAGE_READ ? DMA_FROM_DEVICE : DMA_TO_DEVICE); +@@ -1918,6 +1939,9 @@ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf, + unsigned int trans = len >> FC_SHIFT; + dma_addr_t pa; + ++ dev_dbg(ctrl->dev, "EDU %s %p:%p\n", ((edu_cmd == EDU_CMD_READ) ? ++ "read" : "write"), buf, oob); ++ + pa = dma_map_single(ctrl->dev, buf, len, dir); + if (dma_mapping_error(ctrl->dev, pa)) { + dev_err(ctrl->dev, "unable to map buffer for EDU DMA\n"); +@@ -1929,6 +1953,8 @@ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf, + ctrl->edu_ext_addr = addr; + ctrl->edu_cmd = edu_cmd; + ctrl->edu_count = trans; ++ ctrl->sas = cfg->spare_area_size; ++ ctrl->oob = oob; + + edu_writel(ctrl, EDU_DRAM_ADDR, (u32)ctrl->edu_dram_addr); + edu_readl(ctrl, EDU_DRAM_ADDR); +@@ -1937,6 +1963,16 @@ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf, + edu_writel(ctrl, EDU_LENGTH, FC_BYTES); + edu_readl(ctrl, EDU_LENGTH); + ++ if (ctrl->oob && (ctrl->edu_cmd == EDU_CMD_WRITE)) { ++ brcmnand_write_reg(ctrl, BRCMNAND_CMD_ADDRESS, ++ ctrl->edu_ext_addr); ++ brcmnand_read_reg(ctrl, BRCMNAND_CMD_ADDRESS); ++ ctrl->oob += write_oob_to_regs(ctrl, ++ 1, ++ ctrl->oob, ctrl->sas, ++ ctrl->sector_size_1k); ++ } ++ + /* Start edu engine */ + mb(); /* flush 
previous writes */ + edu_writel(ctrl, EDU_CMD, ctrl->edu_cmd); +@@ -1951,6 +1987,14 @@ static int brcmnand_edu_trans(struct brcmnand_host *host, u64 addr, u32 *buf, + + dma_unmap_single(ctrl->dev, pa, len, dir); + ++ /* read last subpage oob */ ++ if (ctrl->oob && (ctrl->edu_cmd == EDU_CMD_READ)) { ++ ctrl->oob += read_oob_from_regs(ctrl, ++ 1, ++ ctrl->oob, ctrl->sas, ++ ctrl->sector_size_1k); ++ } ++ + /* for program page check NAND status */ + if (((brcmnand_read_reg(ctrl, BRCMNAND_INTFC_STATUS) & + INTFC_FLASH_STATUS) & NAND_STATUS_FAIL) && +@@ -2060,7 +2104,7 @@ static void brcmnand_dma_run(struct brcmnand_host *host, dma_addr_t desc) + } + + static int brcmnand_dma_trans(struct brcmnand_host *host, u64 addr, u32 *buf, +- u32 len, u8 dma_cmd) ++ u8 *oob, u32 len, u8 dma_cmd) + { + struct brcmnand_controller *ctrl = host->ctrl; + dma_addr_t buf_pa; +@@ -2205,8 +2249,9 @@ static int brcmnand_read(struct mtd_info *mtd, struct nand_chip *chip, + try_dmaread: + brcmnand_clear_ecc_addr(ctrl); + +- if (ctrl->dma_trans && !oob && flash_dma_buf_ok(buf)) { +- err = ctrl->dma_trans(host, addr, buf, ++ if (ctrl->dma_trans && (has_edu(ctrl) || !oob) && ++ flash_dma_buf_ok(buf)) { ++ err = ctrl->dma_trans(host, addr, buf, oob, + trans * FC_BYTES, + CMD_PAGE_READ); + +@@ -2354,8 +2399,8 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip, + for (i = 0; i < ctrl->max_oob; i += 4) + oob_reg_write(ctrl, i, 0xffffffff); + +- if (use_dma(ctrl) && !oob && flash_dma_buf_ok(buf)) { +- if (ctrl->dma_trans(host, addr, (u32 *)buf, mtd->writesize, ++ if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) { ++ if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize, + CMD_PROGRAM_PAGE)) + + ret = -EIO; +-- +2.51.0 + diff --git a/queue-5.10/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-5.10/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch new file mode 100644 index 0000000000..ed939211fc --- /dev/null 
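Review bot: `sector_size_1k` is added to `struct brcmnand_controller` and read in `brcmnand_edu_irq` and twice in `brcmnand_edu_trans` (passed to `read_oob_from_regs`/`write_oob_to_regs`), but the patch assigns only `ctrl->sas` and `ctrl->oob` and never `ctrl->sector_size_1k`; unless it is set somewhere outside these hunks it stays at its zeroed value and the OOB register walk would be computed as if no chip used 1k sectors. If that is the case the fix is one line next to the existing assignments: `ctrl->sector_size_1k = cfg->sector_size_1k;`. A second, inferred point: `ctrl->oob` is never reset after the transfer finishes, so if a late EDU interrupt can arrive outside an active transfer the handler would still write through the stale pointer into the previous caller's buffer; clearing it after the final `read_oob_from_regs` call would close that window. All inner hunks cut through the middle of their functions (`brcmnand_edu_irq`, `brcmnand_edu_trans`, `brcmnand_read`, `brcmnand_write`).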
+++ b/queue-5.10/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch @@ -0,0 +1,49 @@ +From 18179d4aeb3e163135d070deacbfaaa96e374d44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 15:21:57 -0500 +Subject: mtd: rawnand: brcmnand: skip DMA during panic write + +From: Kamal Dasu + +[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ] + +When oops_panic_write is set, the driver disables interrupts and +switches to PIO polling mode but still falls through into the DMA +path. DMA cannot be used reliably in panic context, so make the +DMA path an else branch to ensure only PIO is used during panic +writes. + +Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Reviewed-by: Florian Fainelli +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +index 669c332d37ee8..e4739d843f7b8 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -2399,14 +2399,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip, + for (i = 0; i < ctrl->max_oob; i += 4) + oob_reg_write(ctrl, i, 0xffffffff); + +- if (mtd->oops_panic_write) ++ if (mtd->oops_panic_write) { + /* switch to interrupt polling and PIO mode */ + disable_ctrl_irqs(ctrl); +- +- if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) { ++ } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) { + if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize, + CMD_PROGRAM_PAGE)) +- + ret = -EIO; + + goto out; +-- +2.51.0 + 
diff --git a/queue-5.10/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-5.10/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch new file mode 100644 index 0000000000..3987e9955e --- /dev/null +++ b/queue-5.10/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch 
@@ -0,0 +1,70 @@ +From 2d188a53a84e73a9858998c95523afd3c64dcc66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:49:06 -0500 +Subject: mtd: rawnand: serialize lock/unlock against other NAND operations + +From: Kamal Dasu + +[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ] + +nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area +without holding the NAND device lock. On controllers that implement +SET_FEATURES via multiple low-level PIO commands, these can race with +concurrent UBI/UBIFS background erase/write operations that hold the +device lock, resulting in cmd_pending conflicts on the NAND controller. + +Add nand_get_device()/nand_release_device() around the lock/unlock +operations to serialize them against all other NAND controller access. + +Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c +index 308fcbe394a5e..b40dc3ac8615a 100644 +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -4383,11 +4383,16 @@ static void nand_shutdown(struct mtd_info *mtd) + static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int ret; + + if (!chip->ops.lock_area) + return -ENOTSUPP; + +- return chip->ops.lock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.lock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /** +@@ -4399,11 +4404,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int 
ret; + + if (!chip->ops.unlock_area) + return -ENOTSUPP; + +- return chip->ops.unlock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.unlock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /* Set default functions */ +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index f67044d115..bf20a5bc34 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -229,3 +229,8 @@ net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch hwmon-pmbus-isl68137-fix-unchecked-return-value-and-use-sysfs_emit.patch i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch +mtd-rawnand-serialize-lock-unlock-against-other-nand.patch +mtd-rawnand-brcmnand-read-write-oob-during-edu-trans.patch +mtd-rawnand-brcmnand-move-to-polling-in-pio-mode-on-.patch +mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch +tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch diff --git a/queue-5.10/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-5.10/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch new file mode 100644 index 0000000000..3dba64bccd --- /dev/null +++ b/queue-5.10/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch 
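Review bot: The new `nand_get_device()`/`nand_release_device()` pair changes the locking contract of `nand_lock()` and `nand_unlock()`, but the kernel-doc block that begins right after `nand_lock()` (its body is cut by the hunk) is not updated; add a line such as `* The device is held via nand_get_device() for the whole call, so lock_area/unlock_area implementations must not take it themselves.` to both function comments so future controller callbacks do not deadlock by re-acquiring it. The same applies to the 5.15 copy of this patch later in this commit (queue-5.15/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch). Whether any existing `lock_area` implementation already takes the device lock cannot be seen from here and is worth checking before merging.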
@@ -0,0 +1,44 @@ +From b7dd2a052a3a55a07760fbdde45f6e30e530ad5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 08:43:06 +0900 +Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure + +From: Josh Law + +[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ] + +If fstat() fails after open() succeeds, the function returns without +closing the file descriptor. Also preserve errno across close(), since +close() may overwrite it before the error is returned. + +Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/ + +Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command") +Signed-off-by: Josh Law +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + tools/bootconfig/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c +index 365c022fb7cdd..387cb91862dfc 100644 +--- a/tools/bootconfig/main.c ++++ b/tools/bootconfig/main.c +@@ -138,8 +138,11 @@ static int load_xbc_file(const char *path, char **buf) + if (fd < 0) + return -errno; + ret = fstat(fd, &stat); +- if (ret < 0) +- return -errno; ++ if (ret < 0) { ++ ret = -errno; ++ close(fd); ++ return ret; ++ } + + ret = load_xbc_fd(fd, buf, stat.st_size); + +-- +2.51.0 + diff --git a/queue-5.15/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-5.15/drm-i915-gt-check-set_default_submission-before-defe.patch new file mode 100644 index 0000000000..cec5edb5f3 --- /dev/null +++ b/queue-5.15/drm-i915-gt-check-set_default_submission-before-defe.patch 
@@ -0,0 +1,105 @@ +From 06243fd24be03b31abe9b223fad82e058faacaeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 10:18:39 +0530 +Subject: drm/i915/gt: Check set_default_submission() before deferencing + +From: Rahul Bukte + +[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ] + +When the i915 driver firmware binaries are not present, the +set_default_submission pointer is not set. This pointer is +dereferenced during suspend anyways. + +Add a check to make sure it is set before dereferencing. + +[ 23.289926] PM: suspend entry (deep) +[ 23.293558] Filesystems sync: 0.000 seconds +[ 23.298010] Freezing user space processes +[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds) +[ 23.309766] OOM killer disabled. +[ 23.313027] Freezing remaining freezable tasks +[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 23.342038] serial 00:05: disabled +[ 23.345719] serial 00:02: disabled +[ 23.349342] serial 00:01: disabled +[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache +[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache +[ 23.361635] ata1.00: Entering standby power mode +[ 23.368863] ata2.00: Entering standby power mode +[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 23.452194] #PF: supervisor instruction fetch in kernel mode +[ 23.457896] #PF: error_code(0x0010) - not-present page +[ 23.463065] PGD 0 P4D 0 +[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI +[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary) +[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN +[ 23.496511] Workqueue: async async_run_entry_fn +[ 23.501087] RIP: 0010:0x0 +[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
+[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246 +[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f +[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000 +[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff +[ 23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8 +[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68 +[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000 +[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0 +[ 23.572539] PKRU: 55555554 +[ 23.575281] Call Trace: +[ 23.577770] +[ 23.579905] intel_engines_reset_default_submission+0x42/0x60 +[ 23.585695] __intel_gt_unset_wedged+0x191/0x200 +[ 23.590360] intel_gt_unset_wedged+0x20/0x40 +[ 23.594675] gt_sanitize+0x15e/0x170 +[ 23.598290] i915_gem_suspend_late+0x6b/0x180 +[ 23.602692] i915_drm_suspend_late+0x35/0xf0 +[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10 +[ 23.611843] dpm_run_callback+0x78/0x1c0 +[ 23.615817] device_suspend_late+0xde/0x2e0 +[ 23.620037] async_suspend_late+0x18/0x30 +[ 23.624082] async_run_entry_fn+0x25/0xa0 +[ 23.628129] process_one_work+0x15b/0x380 +[ 23.632182] worker_thread+0x2a5/0x3c0 +[ 23.635973] ? __pfx_worker_thread+0x10/0x10 +[ 23.640279] kthread+0xf6/0x1f0 +[ 23.643464] ? __pfx_kthread+0x10/0x10 +[ 23.647263] ? __pfx_kthread+0x10/0x10 +[ 23.651045] ret_from_fork+0x131/0x190 +[ 23.654837] ? 
__pfx_kthread+0x10/0x10 +[ 23.658634] ret_from_fork_asm+0x1a/0x30 +[ 23.662597] +[ 23.664826] Modules linked in: +[ 23.667914] CR2: 0000000000000000 +[ 23.671271] ------------[ cut here ]------------ + +Signed-off-by: Rahul Bukte +Reviewed-by: Suraj Kandpal +Signed-off-by: Suraj Kandpal +Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com +(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad) +Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc") +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +index 42cb3ad04d89a..e8e495694c182 100644 +--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +@@ -1363,7 +1363,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt) + if (engine->sanitize) + engine->sanitize(engine); + +- engine->set_default_submission(engine); ++ if (engine->set_default_submission) ++ engine->set_default_submission(engine); + } + } + +-- +2.51.0 + diff --git a/queue-5.15/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-5.15/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch new file mode 100644 index 0000000000..4339c8cca9 --- /dev/null +++ b/queue-5.15/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch 
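Review bot: The added NULL test guards the call but does not record why `engine->set_default_submission` can be unset, so a reader of `intel_engines_reset_default_submission()` has no hint that this is the firmware-missing case described in the commit message; a one-line comment above the check, `/* Unset when the submission backend was never initialised (e.g. missing firmware) */`, would stop the next maintainer from removing the guard as redundant. The form matches the existing `if (engine->sanitize)` guard two lines above, so the style is consistent. Silently skipping the reset also leaves the engine without a submission path; if that is acceptable only because the GT is being suspended, saying so in the comment would help. The loop and function body extend beyond the hunk.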
@@ -0,0 +1,135 @@ +From e171be33d60797625053568d12b85ad27a21140d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:17:02 +0900 +Subject: ksmbd: fix use-after-free of share_conf in compound request + +From: Hyunwoo Kim + +[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ] + +smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without +validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == +TREE_CONNECTED on the initial lookup path, but the compound reuse path +bypasses this check entirely. + +If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state +to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), +subsequent commands dereference the freed share_conf through +work->tcon->share_conf. + +KASAN report: + +[ 4.144653] ================================================================== +[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 +[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 +[ 4.145772] +[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY +[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work +[ 4.145888] Call Trace: +[ 4.145892] +[ 4.145894] dump_stack_lvl+0x64/0x80 +[ 4.145910] print_report+0xce/0x660 +[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 4.145928] ? smb2_write+0xc74/0xe70 +[ 4.145931] kasan_report+0xce/0x100 +[ 4.145934] ? smb2_write+0xc74/0xe70 +[ 4.145937] smb2_write+0xc74/0xe70 +[ 4.145939] ? __pfx_smb2_write+0x10/0x10 +[ 4.145942] ? _raw_spin_unlock+0xe/0x30 +[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480 +[ 4.145951] handle_ksmbd_work+0x40f/0x1080 +[ 4.145953] process_one_work+0x5fa/0xef0 +[ 4.145962] ? assign_work+0x122/0x3e0 +[ 4.145964] worker_thread+0x54b/0xf70 +[ 4.145967] ? 
__pfx_worker_thread+0x10/0x10 +[ 4.145970] kthread+0x346/0x470 +[ 4.145976] ? recalc_sigpending+0x19b/0x230 +[ 4.145980] ? __pfx_kthread+0x10/0x10 +[ 4.145984] ret_from_fork+0x4fb/0x6c0 +[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10 +[ 4.145995] ? __switch_to+0x36c/0xbe0 +[ 4.145999] ? __pfx_kthread+0x10/0x10 +[ 4.146003] ret_from_fork_asm+0x1a/0x30 +[ 4.146013] +[ 4.146014] +[ 4.149858] Allocated by task 44: +[ 4.149953] kasan_save_stack+0x33/0x60 +[ 4.150061] kasan_save_track+0x14/0x30 +[ 4.150169] __kasan_kmalloc+0x8f/0xa0 +[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0 +[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600 +[ 4.150529] smb2_tree_connect+0x2e6/0x1000 +[ 4.150645] handle_ksmbd_work+0x40f/0x1080 +[ 4.150761] process_one_work+0x5fa/0xef0 +[ 4.150873] worker_thread+0x54b/0xf70 +[ 4.150978] kthread+0x346/0x470 +[ 4.151071] ret_from_fork+0x4fb/0x6c0 +[ 4.151176] ret_from_fork_asm+0x1a/0x30 +[ 4.151286] +[ 4.151332] Freed by task 44: +[ 4.151418] kasan_save_stack+0x33/0x60 +[ 4.151526] kasan_save_track+0x14/0x30 +[ 4.151634] kasan_save_free_info+0x3b/0x60 +[ 4.151751] __kasan_slab_free+0x43/0x70 +[ 4.151861] kfree+0x1ca/0x430 +[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190 +[ 4.152088] smb2_tree_disconnect+0x1cd/0x480 +[ 4.152211] handle_ksmbd_work+0x40f/0x1080 +[ 4.152326] process_one_work+0x5fa/0xef0 +[ 4.152438] worker_thread+0x54b/0xf70 +[ 4.152545] kthread+0x346/0x470 +[ 4.152638] ret_from_fork+0x4fb/0x6c0 +[ 4.152743] ret_from_fork_asm+0x1a/0x30 +[ 4.152853] +[ 4.152900] The buggy address belongs to the object at ffff88810430c180 +[ 4.152900] which belongs to the cache kmalloc-96 of size 96 +[ 4.153226] The buggy address is located 20 bytes inside of +[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0) +[ 4.153549] +[ 4.153596] The buggy address belongs to the physical page: +[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c +[ 4.154000] flags: 
0x100000000000200(workingset|node=0|zone=2) +[ 4.154160] page_type: f5(slab) +[ 4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110 +[ 4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000 +[ 4.154668] page dumped because: kasan: bad access detected +[ 4.154820] +[ 4.154866] Memory state around the buggy address: +[ 4.155002] ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155196] ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 4.155587] ^ +[ 4.155693] ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155891] ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.156087] ================================================================== + +Add the same t_state validation to the compound reuse path, consistent +with ksmbd_tree_conn_lookup(). + +Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/ksmbd/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c +index 222d3a31f5106..1210a3231d1c4 100644 +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -116,6 +116,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) + pr_err("The first operation in the compound does not have tcon\n"); + return -EINVAL; + } ++ if (work->tcon->t_state != TREE_CONNECTED) ++ return -ENOENT; + if (tree_id != UINT_MAX && work->tcon->id != tree_id) { + pr_err("tree id(%u) is different with id(%u) in first operation\n", + tree_id, work->tcon->id); +-- +2.51.0 + diff --git a/queue-5.15/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-5.15/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch new file mode 100644 index 0000000000..6321e06cb5 
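Review bot: The new `t_state` check returns `-ENOENT` silently, while the two neighbouring checks in `smb2_get_ksmbd_tcon()` log with `pr_err()` before returning; since this path is reached by a crafted compound from a client, a debug-level message such as `ksmbd_debug(SMB, "tcon %u is not connected\n", work->tcon->id);` would leave operators a trace of the attempt without the log flooding an unconditional `pr_err()` invites. The new lines also depend on `tcon->t_state` and `TREE_CONNECTED`, which come from a separate upstream change; the hunk context does not show them, so confirm the 5.15 tree this is queued for already carries that change. The function body continues outside the hunk.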
--- /dev/null +++ b/queue-5.15/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch @@ -0,0 +1,49 @@ +From 265ffb9fa784e266ec6ad3177f64523d99ac43ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 08:43:05 +0900 +Subject: lib/bootconfig: check xbc_init_node() return in override path + +From: Josh Law + +[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ] + +The ':=' override path in xbc_parse_kv() calls xbc_init_node() to +re-initialize an existing value node but does not check the return +value. If xbc_init_node() fails (data offset out of range), parsing +silently continues with stale node data. + +Add the missing error check to match the xbc_add_node() call path +which already checks for failure. + +In practice, a bootconfig using ':=' to override a value near the +32KB data limit could silently retain the old value, meaning a +security-relevant boot parameter override (e.g., a trace filter or +debug setting) would not take effect as intended. + +Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/ + +Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key") +Signed-off-by: Josh Law +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + lib/bootconfig.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/bootconfig.c b/lib/bootconfig.c +index 0579a93cb163e..9873c6372adca 100644 +--- a/lib/bootconfig.c ++++ b/lib/bootconfig.c +@@ -646,7 +646,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op) + if (op == ':') { + unsigned short nidx = child->next; + +- xbc_init_node(child, v, XBC_VALUE); ++ if (xbc_init_node(child, v, XBC_VALUE) < 0) ++ return xbc_parse_error("Failed to override value", v); + child->next = nidx; /* keep subkeys */ + goto array; + } +-- +2.51.0 + 
diff --git a/queue-5.15/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-5.15/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch new file mode 100644 index 0000000000..823c52e97a --- /dev/null +++ b/queue-5.15/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch 
@@ -0,0 +1,49 @@ +From 91451bd7fc77de0a67fdd91a20fc36a125d22dab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 15:21:57 -0500 +Subject: mtd: rawnand: brcmnand: skip DMA during panic write + +From: Kamal Dasu + +[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ] + +When oops_panic_write is set, the driver disables interrupts and +switches to PIO polling mode but still falls through into the DMA +path. DMA cannot be used reliably in panic context, so make the +DMA path an else branch to ensure only PIO is used during panic +writes. + +Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Reviewed-by: Florian Fainelli +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +index aa89fcfd71ea0..4bf91b00a2183 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -2399,14 +2399,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip, + for (i = 0; i < ctrl->max_oob; i += 4) + oob_reg_write(ctrl, i, 0xffffffff); + +- if (mtd->oops_panic_write) ++ if (mtd->oops_panic_write) { + /* switch to interrupt polling and PIO mode */ + disable_ctrl_irqs(ctrl); +- +- if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) { ++ } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) { + if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize, + CMD_PROGRAM_PAGE)) +- + ret = -EIO; + + goto out; +-- +2.51.0 + diff --git a/queue-5.15/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-5.15/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch new file mode 100644 index 0000000000..90671cadf3 --- /dev/null 
+++ b/queue-5.15/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch 
@@ -0,0 +1,70 @@ +From 56ec78c888b96df00644ec1045ea0b1f8aeeb09f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:49:06 -0500 +Subject: mtd: rawnand: serialize lock/unlock against other NAND operations + +From: Kamal Dasu + +[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ] + +nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area +without holding the NAND device lock. On controllers that implement +SET_FEATURES via multiple low-level PIO commands, these can race with +concurrent UBI/UBIFS background erase/write operations that hold the +device lock, resulting in cmd_pending conflicts on the NAND controller. + +Add nand_get_device()/nand_release_device() around the lock/unlock +operations to serialize them against all other NAND controller access. + +Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c +index ee8f47feeaf43..60ad72392b9f8 100644 +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -4680,11 +4680,16 @@ static void nand_shutdown(struct mtd_info *mtd) + static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int ret; + + if (!chip->ops.lock_area) + return -ENOTSUPP; + +- return chip->ops.lock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.lock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /** +@@ -4696,11 +4701,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int 
ret; + + if (!chip->ops.unlock_area) + return -ENOTSUPP; + +- return chip->ops.unlock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.unlock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /* Set default functions */ +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index a2eccccd16..df22ded1a0 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -283,3 +283,9 @@ net-dsa-bcm_sf2-fix-missing-clk_disable_unprepare-in.patch icmp-fix-null-pointer-dereference-in-icmp_tag_valida.patch hwmon-pmbus-isl68137-fix-unchecked-return-value-and-use-sysfs_emit.patch i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch +mtd-rawnand-serialize-lock-unlock-against-other-nand.patch +mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch +ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch +drm-i915-gt-check-set_default_submission-before-defe.patch +lib-bootconfig-check-xbc_init_node-return-in-overrid.patch +tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch diff --git a/queue-5.15/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-5.15/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch new file mode 100644 index 0000000000..11d47f17c6 --- /dev/null +++ b/queue-5.15/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch 
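Review bot: nand_lock() and nand_unlock() now take the chip via nand_get_device() on every call, and the kernel-doc block between them (its `/**` opener is visible in the hunk) does not say so; a caller that already holds the device — presumably a plain mutex, to be confirmed against nand_get_device() — would block on the re-entrant acquire. Suggest adding to both doc comments `* Takes the NAND device lock for the duration of the call and must not be called with it already held.` Both functions are complete within the hunk, so the bracketing is visibly balanced on every path after the `-ENOTSUPP` early return. The queue-6.1 copy (`queue-6.1/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch`) has the same point.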
@@ -0,0 +1,44 @@
+From 442be123ad7a3e7f0051ea31666c1614e128d531 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index fc922cfdadaa6..78b252ac3817e 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -156,8 +156,11 @@ static int load_xbc_file(const char *path, char **buf)
+ if (fd < 0)
+ return -errno;
+ ret = fstat(fd, &stat);
+- if (ret < 0)
+- return -errno;
++ if (ret < 0) {
++ ret = -errno;
++ close(fd);
++ return ret;
++ }
+ 
+ ret = load_xbc_fd(fd, buf, stat.st_size);
+ 
+-- 
+2.51.0
+
diff --git a/queue-6.1/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.1/drm-i915-gt-check-set_default_submission-before-defe.patch
new file mode 100644
index 0000000000..e391d7301d
--- /dev/null
+++ b/queue-6.1/drm-i915-gt-check-set_default_submission-before-defe.patch
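Review bot: `ret = -errno;` placed ahead of `close(fd);` is the whole fix, but nothing at the site says the order matters; a comment such as `/* close() may clobber errno; capture it first */` above the assignment would stop the two statements from being reordered in a later tidy-up. The return value of close() is dropped on this error path, which is acceptable since the fstat() failure is what gets reported. load_xbc_file() continues outside the hunk, so whether the success path's close() preserves the load_xbc_fd() result cannot be checked here. The queue-6.1 copy (`queue-6.1/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch`) has the same point.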
@@ -0,0 +1,105 @@ +From 061cd4ae0c1edadbe76ba416a84909c17977f4cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 10:18:39 +0530 +Subject: drm/i915/gt: Check set_default_submission() before deferencing + +From: Rahul Bukte + +[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ] + +When the i915 driver firmware binaries are not present, the +set_default_submission pointer is not set. This pointer is +dereferenced during suspend anyways. + +Add a check to make sure it is set before dereferencing. + +[ 23.289926] PM: suspend entry (deep) +[ 23.293558] Filesystems sync: 0.000 seconds +[ 23.298010] Freezing user space processes +[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds) +[ 23.309766] OOM killer disabled. +[ 23.313027] Freezing remaining freezable tasks +[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 23.342038] serial 00:05: disabled +[ 23.345719] serial 00:02: disabled +[ 23.349342] serial 00:01: disabled +[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache +[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache +[ 23.361635] ata1.00: Entering standby power mode +[ 23.368863] ata2.00: Entering standby power mode +[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 23.452194] #PF: supervisor instruction fetch in kernel mode +[ 23.457896] #PF: error_code(0x0010) - not-present page +[ 23.463065] PGD 0 P4D 0 +[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI +[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary) +[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN +[ 23.496511] Workqueue: async async_run_entry_fn +[ 23.501087] RIP: 0010:0x0 +[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
+[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246 +[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f +[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000 +[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff +[ 23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8 +[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68 +[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000 +[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0 +[ 23.572539] PKRU: 55555554 +[ 23.575281] Call Trace: +[ 23.577770] +[ 23.579905] intel_engines_reset_default_submission+0x42/0x60 +[ 23.585695] __intel_gt_unset_wedged+0x191/0x200 +[ 23.590360] intel_gt_unset_wedged+0x20/0x40 +[ 23.594675] gt_sanitize+0x15e/0x170 +[ 23.598290] i915_gem_suspend_late+0x6b/0x180 +[ 23.602692] i915_drm_suspend_late+0x35/0xf0 +[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10 +[ 23.611843] dpm_run_callback+0x78/0x1c0 +[ 23.615817] device_suspend_late+0xde/0x2e0 +[ 23.620037] async_suspend_late+0x18/0x30 +[ 23.624082] async_run_entry_fn+0x25/0xa0 +[ 23.628129] process_one_work+0x15b/0x380 +[ 23.632182] worker_thread+0x2a5/0x3c0 +[ 23.635973] ? __pfx_worker_thread+0x10/0x10 +[ 23.640279] kthread+0xf6/0x1f0 +[ 23.643464] ? __pfx_kthread+0x10/0x10 +[ 23.647263] ? __pfx_kthread+0x10/0x10 +[ 23.651045] ret_from_fork+0x131/0x190 +[ 23.654837] ? 
__pfx_kthread+0x10/0x10 +[ 23.658634] ret_from_fork_asm+0x1a/0x30 +[ 23.662597] +[ 23.664826] Modules linked in: +[ 23.667914] CR2: 0000000000000000 +[ 23.671271] ------------[ cut here ]------------ + +Signed-off-by: Rahul Bukte +Reviewed-by: Suraj Kandpal +Signed-off-by: Suraj Kandpal +Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com +(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad) +Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc") +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +index 07967adce16aa..20d4b9f4a4959 100644 +--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +@@ -1798,7 +1798,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt) + if (engine->sanitize) + engine->sanitize(engine); + +- engine->set_default_submission(engine); ++ if (engine->set_default_submission) ++ engine->set_default_submission(engine); + } + } + +-- +2.51.0 + diff --git a/queue-6.1/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.1/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch new file mode 100644 index 0000000000..5e3666cac0 --- /dev/null +++ b/queue-6.1/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch 
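Review bot: The new NULL test silently skips any engine whose submission hook was never installed, and nothing at the site records when that happens; suggest `/* Left unset when the firmware never loaded, so there is nothing to reset */` above `if (engine->set_default_submission)`. The guard mirrors the existing `if (engine->sanitize)` two lines earlier, so the style is consistent with the loop body. intel_engines_reset_default_submission() starts outside the hunk. The queue-6.12 copy (`queue-6.12/drm-i915-gt-check-set_default_submission-before-defe.patch`) has the same point.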
@@ -0,0 +1,135 @@ +From ce54d625345f22b9775fa514f94bbbd805c1873d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:17:02 +0900 +Subject: ksmbd: fix use-after-free of share_conf in compound request + +From: Hyunwoo Kim + +[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ] + +smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without +validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == +TREE_CONNECTED on the initial lookup path, but the compound reuse path +bypasses this check entirely. + +If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state +to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), +subsequent commands dereference the freed share_conf through +work->tcon->share_conf. + +KASAN report: + +[ 4.144653] ================================================================== +[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 +[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 +[ 4.145772] +[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY +[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work +[ 4.145888] Call Trace: +[ 4.145892] +[ 4.145894] dump_stack_lvl+0x64/0x80 +[ 4.145910] print_report+0xce/0x660 +[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 4.145928] ? smb2_write+0xc74/0xe70 +[ 4.145931] kasan_report+0xce/0x100 +[ 4.145934] ? smb2_write+0xc74/0xe70 +[ 4.145937] smb2_write+0xc74/0xe70 +[ 4.145939] ? __pfx_smb2_write+0x10/0x10 +[ 4.145942] ? _raw_spin_unlock+0xe/0x30 +[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480 +[ 4.145951] handle_ksmbd_work+0x40f/0x1080 +[ 4.145953] process_one_work+0x5fa/0xef0 +[ 4.145962] ? assign_work+0x122/0x3e0 +[ 4.145964] worker_thread+0x54b/0xf70 +[ 4.145967] ? 
__pfx_worker_thread+0x10/0x10 +[ 4.145970] kthread+0x346/0x470 +[ 4.145976] ? recalc_sigpending+0x19b/0x230 +[ 4.145980] ? __pfx_kthread+0x10/0x10 +[ 4.145984] ret_from_fork+0x4fb/0x6c0 +[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10 +[ 4.145995] ? __switch_to+0x36c/0xbe0 +[ 4.145999] ? __pfx_kthread+0x10/0x10 +[ 4.146003] ret_from_fork_asm+0x1a/0x30 +[ 4.146013] +[ 4.146014] +[ 4.149858] Allocated by task 44: +[ 4.149953] kasan_save_stack+0x33/0x60 +[ 4.150061] kasan_save_track+0x14/0x30 +[ 4.150169] __kasan_kmalloc+0x8f/0xa0 +[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0 +[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600 +[ 4.150529] smb2_tree_connect+0x2e6/0x1000 +[ 4.150645] handle_ksmbd_work+0x40f/0x1080 +[ 4.150761] process_one_work+0x5fa/0xef0 +[ 4.150873] worker_thread+0x54b/0xf70 +[ 4.150978] kthread+0x346/0x470 +[ 4.151071] ret_from_fork+0x4fb/0x6c0 +[ 4.151176] ret_from_fork_asm+0x1a/0x30 +[ 4.151286] +[ 4.151332] Freed by task 44: +[ 4.151418] kasan_save_stack+0x33/0x60 +[ 4.151526] kasan_save_track+0x14/0x30 +[ 4.151634] kasan_save_free_info+0x3b/0x60 +[ 4.151751] __kasan_slab_free+0x43/0x70 +[ 4.151861] kfree+0x1ca/0x430 +[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190 +[ 4.152088] smb2_tree_disconnect+0x1cd/0x480 +[ 4.152211] handle_ksmbd_work+0x40f/0x1080 +[ 4.152326] process_one_work+0x5fa/0xef0 +[ 4.152438] worker_thread+0x54b/0xf70 +[ 4.152545] kthread+0x346/0x470 +[ 4.152638] ret_from_fork+0x4fb/0x6c0 +[ 4.152743] ret_from_fork_asm+0x1a/0x30 +[ 4.152853] +[ 4.152900] The buggy address belongs to the object at ffff88810430c180 +[ 4.152900] which belongs to the cache kmalloc-96 of size 96 +[ 4.153226] The buggy address is located 20 bytes inside of +[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0) +[ 4.153549] +[ 4.153596] The buggy address belongs to the physical page: +[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c +[ 4.154000] flags: 
0x100000000000200(workingset|node=0|zone=2) +[ 4.154160] page_type: f5(slab) +[ 4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110 +[ 4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000 +[ 4.154668] page dumped because: kasan: bad access detected +[ 4.154820] +[ 4.154866] Memory state around the buggy address: +[ 4.155002] ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155196] ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 4.155587] ^ +[ 4.155693] ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155891] ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.156087] ================================================================== + +Add the same t_state validation to the compound reuse path, consistent +with ksmbd_tree_conn_lookup(). + +Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index fb756953fec3a..65b55e824aa8b 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -117,6 +117,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) + pr_err("The first operation in the compound does not have tcon\n"); + return -EINVAL; + } ++ if (work->tcon->t_state != TREE_CONNECTED) ++ return -ENOENT; + if (tree_id != UINT_MAX && work->tcon->id != tree_id) { + pr_err("tree id(%u) is different with id(%u) in first operation\n", + tree_id, work->tcon->id); +-- +2.51.0 + 
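Review bot: The added `t_state` check returns -ENOENT with no log line, while the two neighbouring checks in smb2_get_ksmbd_tcon() report via pr_err() and return -EINVAL; a comment should say why this case is both silent and a different code, e.g. `/* An earlier TREE_DISCONNECT in this compound may already have torn the tcon down and dropped share_conf */`. The read of `work->tcon->t_state` here is lockless; if ksmbd_tree_conn_lookup() reads the same field under the session's tree-connection lock, the reason this path can skip it (presumably the work's own reference on the tcon) is worth a sentence in that comment. The function starts and ends outside the hunk.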
diff --git a/queue-6.1/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.1/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch new file mode 100644 index 0000000000..0c7b8904a2 --- /dev/null +++ b/queue-6.1/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch 
@@ -0,0 +1,49 @@
+From bc0838e2a5d81a3afd90e0b2f1eef5c38d461169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 82f21a9b0aaba..675f34cf32f0d 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -714,7 +714,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+ if (op == ':') {
+ unsigned short nidx = child->next;
+ 
+- xbc_init_node(child, v, XBC_VALUE);
++ if (xbc_init_node(child, v, XBC_VALUE) < 0)
++ return xbc_parse_error("Failed to override value", v);
+ child->next = nidx; /* keep subkeys */
+ goto array;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.1/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.1/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644
index 0000000000..d2bffe4867
--- /dev/null
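Review bot: The new early return leaves `child` in whatever state xbc_init_node() reached before failing, and `child->next` is not restored from `nidx`; that is only safe if the error from xbc_parse_error() abandons the whole parse, which the hunk does not show. If it does, say so at the check with `/* parse is abandoned on failure, so the partially reset node is never used */`; if it does not, restore `child->next = nidx;` before the `return`. xbc_parse_kv() starts and ends outside the hunk.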
+++ b/queue-6.1/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
@@ -0,0 +1,49 @@
+From 9289ab73f43575165ac78fc1283ecc7814e3cdf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu
+Reviewed-by: William Zhang
+Reviewed-by: Florian Fainelli
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 20c6aeef107c8..99e0d7aa2f4bd 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2410,14 +2410,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+ for (i = 0; i < ctrl->max_oob; i += 4)
+ oob_reg_write(ctrl, i, 0xffffffff);
+ 
+- if (mtd->oops_panic_write)
++ if (mtd->oops_panic_write) {
+ /* switch to interrupt polling and PIO mode */
+ disable_ctrl_irqs(ctrl);
+-
+- if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++ } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+ if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+ CMD_PROGRAM_PAGE))
+-
+ ret = -EIO;
+ 
+ goto out;
+-- 
+2.51.0
+
diff --git a/queue-6.1/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.1/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch new file mode 100644 index 0000000000..ebded1e3ec --- /dev/null +++ b/queue-6.1/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch 
@@ -0,0 +1,70 @@ +From c00f5d0ebce0f75e3f4a3af90a491210daf6c260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:49:06 -0500 +Subject: mtd: rawnand: serialize lock/unlock against other NAND operations + +From: Kamal Dasu + +[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ] + +nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area +without holding the NAND device lock. On controllers that implement +SET_FEATURES via multiple low-level PIO commands, these can race with +concurrent UBI/UBIFS background erase/write operations that hold the +device lock, resulting in cmd_pending conflicts on the NAND controller. + +Add nand_get_device()/nand_release_device() around the lock/unlock +operations to serialize them against all other NAND controller access. + +Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c +index ea7e37a6e4c07..a545df56a30e7 100644 +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -4692,11 +4692,16 @@ static void nand_shutdown(struct mtd_info *mtd) + static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int ret; + + if (!chip->ops.lock_area) + return -ENOTSUPP; + +- return chip->ops.lock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.lock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /** +@@ -4708,11 +4713,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int 
ret; + + if (!chip->ops.unlock_area) + return -ENOTSUPP; + +- return chip->ops.unlock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.unlock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /* Set default functions */ +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index c69fd54af6..e8d5bce9a6 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -445,3 +445,9 @@ mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch sched-fair-fix-pelt-clock-sync-when-entering-idle.patch usb-serial-f81232-fix-incomplete-serial-port-generation.patch i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch +mtd-rawnand-serialize-lock-unlock-against-other-nand.patch +mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch +ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch +drm-i915-gt-check-set_default_submission-before-defe.patch +lib-bootconfig-check-xbc_init_node-return-in-overrid.patch +tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch diff --git a/queue-6.1/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.1/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch new file mode 100644 index 0000000000..7ce230d73a --- /dev/null +++ b/queue-6.1/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch 
@@ -0,0 +1,44 @@
+From f8c37d4990fedbff3dfbbab7876db9db836c78b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 8a48cc2536f56..32cf48f2da9a1 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -157,8 +157,11 @@ static int load_xbc_file(const char *path, char **buf)
+ if (fd < 0)
+ return -errno;
+ ret = fstat(fd, &stat);
+- if (ret < 0)
+- return -errno;
++ if (ret < 0) {
++ ret = -errno;
++ close(fd);
++ return ret;
++ }
+ 
+ ret = load_xbc_fd(fd, buf, stat.st_size);
+ 
+-- 
+2.51.0
+
diff --git a/queue-6.12/drm-amd-display-fix-displayid-not-found-handling-in-.patch b/queue-6.12/drm-amd-display-fix-displayid-not-found-handling-in-.patch
new file mode 100644
index 0000000000..9444b8d355
--- /dev/null
+++ b/queue-6.12/drm-amd-display-fix-displayid-not-found-handling-in-.patch
@@ -0,0 +1,72 @@ +From f169ca2b0f469e8c3b6b4b79079d8973d40d5ab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 18:30:26 +0530 +Subject: drm/amd/display: Fix DisplayID not-found handling in + parse_edid_displayid_vrr() + +From: Srinivasan Shanmugam + +[ Upstream commit 2323b019651ad81c20a0f7f817c63392b3110652 ] + +parse_edid_displayid_vrr() searches the EDID extension blocks for a +DisplayID extension before parsing the dynamic video timing range. + +The code previously checked whether edid_ext was NULL after the search +loop. However, edid_ext is assigned during each iteration of the loop, +so it will never be NULL once the loop has executed. If no DisplayID +extension is found, edid_ext ends up pointing to the last extension +block, and the NULL check does not correctly detect the failure case. + +Instead, check whether the loop completed without finding a matching +DisplayID block by testing "i == edid->extensions". This ensures the +function exits early when no DisplayID extension is present and avoids +parsing an unrelated EDID extension block. + +Also simplify the EDID validation check using "!edid || +!edid->extensions". 
+ +Fixes the below: +drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:13079 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 13075) + +Fixes: a638b837d0e6 ("drm/amd/display: Fix refresh rate range for some panel") +Cc: Roman Li +Cc: Alex Hung +Cc: Jerry Zuo +Cc: Sun peng Li +Cc: Tom Chung +Cc: Dan Carpenter +Cc: Aurabindo Pillai +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +(cherry picked from commit 91c7e6342e98c846b259c57273436fdea4c043f2) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 4d508129a5e65..e092d2372a4e6 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -12318,7 +12318,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector, + u16 min_vfreq; + u16 max_vfreq; + +- if (edid == NULL || edid->extensions == 0) ++ if (!edid || !edid->extensions) + return; + + /* Find DisplayID extension */ +@@ -12328,7 +12328,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector, + break; + } + +- if (edid_ext == NULL) ++ if (i == edid->extensions) + return; + + while (j < EDID_LENGTH) { +-- +2.51.0 + diff --git a/queue-6.12/drm-amd-fix-dcn-2.01-check.patch b/queue-6.12/drm-amd-fix-dcn-2.01-check.patch new file mode 100644 index 0000000000..9fe2db038c --- /dev/null +++ b/queue-6.12/drm-amd-fix-dcn-2.01-check.patch 
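Review bot: The new `if (i == edid->extensions)` test depends on the search loop above it running to completion with `i` left at the bound, and that loop header lies outside the hunk; a comment at the check, `/* loop exhausted: no DisplayID extension block present */`, would tie the two together for the next reader. After this early return `edid_ext` is no longer consulted, which is precisely what keeps the later `while (j < EDID_LENGTH)` parse from reading an unrelated extension block. parse_edid_displayid_vrr() starts and ends outside the hunk.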
@@ -0,0 +1,49 @@
+From 59510fc38cb721f2ec8b19c26bd3ede5268fbf6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 15 Mar 2026 17:51:47 +0100
+Subject: drm/amd: fix dcn 2.01 check
+
+From: Andy Nguyen
+
+[ Upstream commit 39f44f54afa58661ecae9c27e15f5dbce2372892 ]
+
+The ASICREV_IS_BEIGE_GOBY_P check always took precedence, because it includes all chip revisions upto NV_UNKNOWN.
+
+Fixes: 54b822b3eac3 ("drm/amd/display: Use dce_version instead of chip_id")
+Signed-off-by: Andy Nguyen
+Signed-off-by: Alex Deucher
+(cherry picked from commit 9c7be0efa6f0daa949a5f3e3fdf9ea090b0713cb)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+index a0c1072c59a23..7de77358e1c08 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+@@ -255,6 +255,10 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
++ if (ctx->dce_version == DCN_VERSION_2_01) {
++ dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
++ return &clk_mgr->base;
++ }
+ if (ASICREV_IS_SIENNA_CICHLID_P(asic_id.hw_internal_rev)) {
+ dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+ return &clk_mgr->base;
+@@ -267,10 +271,6 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+ dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+ return &clk_mgr->base;
+ }
+- if (ctx->dce_version == DCN_VERSION_2_01) {
+- dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+- return &clk_mgr->base;
+- }
+ dcn20_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+ return &clk_mgr->base;
+ }
+-- 
+2.51.0
+
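Review bot: The fix is purely an ordering change, and nothing in the code says the `DCN_VERSION_2_01` test must stay ahead of the `ASICREV_IS_*` range checks; add `/* Must precede the ASICREV_* checks: ASICREV_IS_BEIGE_GOBY_P() matches every revision up to NV_UNKNOWN */` above the moved block so a later reshuffle does not reintroduce the bug. Testing `ctx->dce_version` first is also the direction the Fixes: commit was heading, so the remaining revision-range checks in dc_clk_mgr_create() may warrant the same treatment; that cannot be confirmed from this hunk. dc_clk_mgr_create() starts and ends outside the hunk.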
diff --git a/queue-6.12/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.12/drm-i915-gt-check-set_default_submission-before-defe.patch new file mode 100644 index 0000000000..ca94118c00 --- /dev/null +++ b/queue-6.12/drm-i915-gt-check-set_default_submission-before-defe.patch 
@@ -0,0 +1,105 @@ +From c21ad2bad024bc44d1ebd5a6696f77489aeb0376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 10:18:39 +0530 +Subject: drm/i915/gt: Check set_default_submission() before deferencing + +From: Rahul Bukte + +[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ] + +When the i915 driver firmware binaries are not present, the +set_default_submission pointer is not set. This pointer is +dereferenced during suspend anyways. + +Add a check to make sure it is set before dereferencing. + +[ 23.289926] PM: suspend entry (deep) +[ 23.293558] Filesystems sync: 0.000 seconds +[ 23.298010] Freezing user space processes +[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds) +[ 23.309766] OOM killer disabled. +[ 23.313027] Freezing remaining freezable tasks +[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 23.342038] serial 00:05: disabled +[ 23.345719] serial 00:02: disabled +[ 23.349342] serial 00:01: disabled +[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache +[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache +[ 23.361635] ata1.00: Entering standby power mode +[ 23.368863] ata2.00: Entering standby power mode +[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 23.452194] #PF: supervisor instruction fetch in kernel mode +[ 23.457896] #PF: error_code(0x0010) - not-present page +[ 23.463065] PGD 0 P4D 0 +[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI +[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary) +[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN +[ 23.496511] Workqueue: async async_run_entry_fn +[ 23.501087] RIP: 0010:0x0 +[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
+[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246 +[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f +[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000 +[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff +[ 23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8 +[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68 +[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000 +[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0 +[ 23.572539] PKRU: 55555554 +[ 23.575281] Call Trace: +[ 23.577770] +[ 23.579905] intel_engines_reset_default_submission+0x42/0x60 +[ 23.585695] __intel_gt_unset_wedged+0x191/0x200 +[ 23.590360] intel_gt_unset_wedged+0x20/0x40 +[ 23.594675] gt_sanitize+0x15e/0x170 +[ 23.598290] i915_gem_suspend_late+0x6b/0x180 +[ 23.602692] i915_drm_suspend_late+0x35/0xf0 +[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10 +[ 23.611843] dpm_run_callback+0x78/0x1c0 +[ 23.615817] device_suspend_late+0xde/0x2e0 +[ 23.620037] async_suspend_late+0x18/0x30 +[ 23.624082] async_run_entry_fn+0x25/0xa0 +[ 23.628129] process_one_work+0x15b/0x380 +[ 23.632182] worker_thread+0x2a5/0x3c0 +[ 23.635973] ? __pfx_worker_thread+0x10/0x10 +[ 23.640279] kthread+0xf6/0x1f0 +[ 23.643464] ? __pfx_kthread+0x10/0x10 +[ 23.647263] ? __pfx_kthread+0x10/0x10 +[ 23.651045] ret_from_fork+0x131/0x190 +[ 23.654837] ? 
__pfx_kthread+0x10/0x10 +[ 23.658634] ret_from_fork_asm+0x1a/0x30 +[ 23.662597] +[ 23.664826] Modules linked in: +[ 23.667914] CR2: 0000000000000000 +[ 23.671271] ------------[ cut here ]------------ + +Signed-off-by: Rahul Bukte +Reviewed-by: Suraj Kandpal +Signed-off-by: Suraj Kandpal +Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com +(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad) +Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc") +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +index 4d30a86016f24..d84b6c2af8607 100644 +--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +@@ -1970,7 +1970,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt) + if (engine->sanitize) + engine->sanitize(engine); + +- engine->set_default_submission(engine); ++ if (engine->set_default_submission) ++ engine->set_default_submission(engine); + } + } + +-- +2.51.0 + diff --git a/queue-6.12/fs-tests-exec-remove-bad-test-vector.patch b/queue-6.12/fs-tests-exec-remove-bad-test-vector.patch new file mode 100644 index 0000000000..557ca2a8fe --- /dev/null +++ b/queue-6.12/fs-tests-exec-remove-bad-test-vector.patch 
@@ -0,0 +1,37 @@
+From 4d699c48e4f2ed2576a6c41a93afd8c20a897e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 Mar 2026 11:36:29 -0700
+Subject: fs/tests: exec: Remove bad test vector
+
+From: Kees Cook
+
+[ Upstream commit c4192754e836e0ffed95833509b6ada975b74418 ]
+
+Drop an unusable test in the bprm stack limits.
+
+Reported-by: Guenter Roeck
+Closes: https://lore.kernel.org/all/a3e9b1c2-40c1-45df-9fa2-14ee6a7b3fe2@roeck-us.net
+Fixes: 60371f43e56b ("exec: Add KUnit test for bprm_stack_limits()")
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/tests/exec_kunit.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/tests/exec_kunit.c b/fs/tests/exec_kunit.c
+index f412d1a0f6bba..1c32cac098cf5 100644
+--- a/fs/tests/exec_kunit.c
++++ b/fs/tests/exec_kunit.c
+@@ -94,9 +94,6 @@ static const struct bprm_stack_limits_result bprm_stack_limits_results[] = {
+ { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * 3 + sizeof(void *)),
+ .argc = 0, .envc = 0 },
+ .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+- { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * + sizeof(void *)),
+- .argc = 0, .envc = 0 },
+- .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+ { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * _STK_LIM,
+ .argc = 0, .envc = 0 },
+ .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) },
+--
+2.51.0
+
diff --git a/queue-6.12/hwmon-max6639-fix-pulses-per-revolution-implementati.patch b/queue-6.12/hwmon-max6639-fix-pulses-per-revolution-implementati.patch
new file mode 100644
index 0000000000..dbd63d5cb1
--- /dev/null
+++ b/queue-6.12/hwmon-max6639-fix-pulses-per-revolution-implementati.patch
@@ -0,0 +1,66 @@ +From 727b3648e4aba40ffc35f4c7f18a7fed0ef1dcd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:31:22 -0700 +Subject: hwmon: (max6639) Fix pulses-per-revolution implementation + +From: Guenter Roeck + +[ Upstream commit e7bae9a7a5e1251ab414291f4e9304d702bb9221 ] + +The valid range for the pulses-per-revolution devicetree property is +1..4. The current code checks for a range of 1..5. Fix it. + +Declare the variable used to retrieve pulses per revolution from +devicetree as u32 (unsigned) to match the of_property_read_u32() API. + +The current code uses a postfix decrement when writing the pulses per +resolution into the chip. This has no effect since the value is evaluated +before it is decremented. Fix it by decrementing before evaluating the +value. + +Fixes: 7506ebcd662b ("hwmon: (max6639) : Configure based on DT property") +Cc: Naresh Solanki +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max6639.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hwmon/max6639.c b/drivers/hwmon/max6639.c +index 0b0a9f4c2307f..154250099adf1 100644 +--- a/drivers/hwmon/max6639.c ++++ b/drivers/hwmon/max6639.c +@@ -234,7 +234,7 @@ static int max6639_read_fan(struct device *dev, u32 attr, int channel, + static int max6639_set_ppr(struct max6639_data *data, int channel, u8 ppr) + { + /* Decrement the PPR value and shift left by 6 to match the register format */ +- return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), ppr-- << 6); ++ return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), --ppr << 6); + } + + static int max6639_write_fan(struct device *dev, u32 attr, int channel, +@@ -536,8 +536,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client, + + { + struct device *dev = &client->dev; +- u32 i; +- int err, val; ++ u32 i, val; ++ int err; + + err = of_property_read_u32(child, "reg", &i); + if (err) { +@@ -552,8 +552,8 @@ static int 
max6639_probe_child_from_dt(struct i2c_client *client, + + err = of_property_read_u32(child, "pulses-per-revolution", &val); + if (!err) { +- if (val < 1 || val > 5) { +- dev_err(dev, "invalid pulses-per-revolution %d of %pOFn\n", val, child); ++ if (val < 1 || val > 4) { ++ dev_err(dev, "invalid pulses-per-revolution %u of %pOFn\n", val, child); + return -EINVAL; + } + data->ppr[i] = val; +-- +2.51.0 + diff --git a/queue-6.12/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch b/queue-6.12/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch new file mode 100644 index 0000000000..cbdb581dcf --- /dev/null +++ b/queue-6.12/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch 
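Review bot: `--ppr << 6` in max6639_set_ppr() still has no range check of its own: ppr is a u8, so a caller passing 0 wraps to 255 before the shift and the written value no longer fits the 0..3 encoding that the 1..4 range decrements into. The devicetree path now validates 1..4, but every other caller — max6639_write_fan() directly below presumably reaches this too, its body is outside the hunk — has to repeat that check. Making the contract local costs two lines at the top of the function: `if (!ppr || ppr > 4)` / `return -EINVAL;`. max6639_probe_child_from_dt() starts and ends outside the hunk.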
@@ -0,0 +1,128 @@ +From 876a1e98f103fb6b19335d0059bef431e8cf5ac7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:15:51 +0900 +Subject: ksmbd: fix use-after-free in durable v2 replay of active file handles + +From: Hyunwoo Kim + +[ Upstream commit b425e4d0eb321a1116ddbf39636333181675d8f4 ] + +parse_durable_handle_context() unconditionally assigns dh_info->fp->conn +to the current connection when handling a DURABLE_REQ_V2 context with +SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by +fp->conn, so it returns file handles that are already actively connected. +The unconditional overwrite replaces fp->conn, and when the overwriting +connection is subsequently freed, __ksmbd_close_fd() dereferences the +stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a +use-after-free. + +KASAN report: + +[ 7.349357] ================================================================== +[ 7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0 +[ 7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108 +[ 7.350010] +[ 7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY +[ 7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 7.350070] Workqueue: ksmbd-io handle_ksmbd_work +[ 7.350083] Call Trace: +[ 7.350087] +[ 7.350087] dump_stack_lvl+0x64/0x80 +[ 7.350094] print_report+0xce/0x660 +[ 7.350100] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 7.350101] ? __pfx___mod_timer+0x10/0x10 +[ 7.350106] ? _raw_spin_lock+0x75/0xe0 +[ 7.350108] kasan_report+0xce/0x100 +[ 7.350109] ? _raw_spin_lock+0x75/0xe0 +[ 7.350114] kasan_check_range+0x105/0x1b0 +[ 7.350116] _raw_spin_lock+0x75/0xe0 +[ 7.350118] ? __pfx__raw_spin_lock+0x10/0x10 +[ 7.350119] ? __call_rcu_common.constprop.0+0x25e/0x780 +[ 7.350125] ? 
close_id_del_oplock+0x2cc/0x4e0 +[ 7.350128] __ksmbd_close_fd+0x27f/0xaf0 +[ 7.350131] ksmbd_close_fd+0x135/0x1b0 +[ 7.350133] smb2_close+0xb19/0x15b0 +[ 7.350142] ? __pfx_smb2_close+0x10/0x10 +[ 7.350143] ? xas_load+0x18/0x270 +[ 7.350146] ? _raw_spin_lock+0x84/0xe0 +[ 7.350148] ? __pfx__raw_spin_lock+0x10/0x10 +[ 7.350150] ? _raw_spin_unlock+0xe/0x30 +[ 7.350151] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 7.350153] ? ksmbd_tree_conn_lookup+0xcd/0xf0 +[ 7.350154] handle_ksmbd_work+0x40f/0x1080 +[ 7.350156] process_one_work+0x5fa/0xef0 +[ 7.350162] ? assign_work+0x122/0x3e0 +[ 7.350163] worker_thread+0x54b/0xf70 +[ 7.350165] ? __pfx_worker_thread+0x10/0x10 +[ 7.350166] kthread+0x346/0x470 +[ 7.350170] ? recalc_sigpending+0x19b/0x230 +[ 7.350176] ? __pfx_kthread+0x10/0x10 +[ 7.350178] ret_from_fork+0x4fb/0x6c0 +[ 7.350183] ? __pfx_ret_from_fork+0x10/0x10 +[ 7.350185] ? __switch_to+0x36c/0xbe0 +[ 7.350188] ? __pfx_kthread+0x10/0x10 +[ 7.350190] ret_from_fork_asm+0x1a/0x30 +[ 7.350197] +[ 7.350197] +[ 7.355160] Allocated by task 123: +[ 7.355261] kasan_save_stack+0x33/0x60 +[ 7.355373] kasan_save_track+0x14/0x30 +[ 7.355484] __kasan_kmalloc+0x8f/0xa0 +[ 7.355593] ksmbd_conn_alloc+0x44/0x6d0 +[ 7.355711] ksmbd_kthread_fn+0x243/0xd70 +[ 7.355839] kthread+0x346/0x470 +[ 7.355942] ret_from_fork+0x4fb/0x6c0 +[ 7.356051] ret_from_fork_asm+0x1a/0x30 +[ 7.356164] +[ 7.356214] Freed by task 134: +[ 7.356305] kasan_save_stack+0x33/0x60 +[ 7.356416] kasan_save_track+0x14/0x30 +[ 7.356527] kasan_save_free_info+0x3b/0x60 +[ 7.356646] __kasan_slab_free+0x43/0x70 +[ 7.356761] kfree+0x1ca/0x430 +[ 7.356862] ksmbd_tcp_disconnect+0x59/0xe0 +[ 7.356993] ksmbd_conn_handler_loop+0x77e/0xd40 +[ 7.357138] kthread+0x346/0x470 +[ 7.357240] ret_from_fork+0x4fb/0x6c0 +[ 7.357350] ret_from_fork_asm+0x1a/0x30 +[ 7.357463] +[ 7.357513] The buggy address belongs to the object at ffff8881056ac000 +[ 7.357513] which belongs to the cache kmalloc-1k of size 1024 +[ 7.357857] The buggy address is 
located 396 bytes inside of +[ 7.357857] freed 1024-byte region [ffff8881056ac000, ffff8881056ac400) + +Fix by removing the unconditional fp->conn assignment and rejecting the +replay when fp->conn is non-NULL. This is consistent with +ksmbd_lookup_durable_fd(), which also rejects file handles with a +non-NULL fp->conn. For disconnected file handles (fp->conn == NULL), +ksmbd_reopen_durable_fd() handles setting fp->conn. + +Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 9902f77d10483..63c092328752e 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2835,7 +2835,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work, + goto out; + } + +- dh_info->fp->conn = conn; ++ if (dh_info->fp->conn) { ++ ksmbd_put_durable_fd(dh_info->fp); ++ err = -EBADF; ++ goto out; ++ } + dh_info->reconnected = true; + goto out; + } +-- +2.51.0 + diff --git a/queue-6.12/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.12/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch new file mode 100644 index 0000000000..14e962b0f4 --- /dev/null +++ b/queue-6.12/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch 
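Review bot: The new `if (dh_info->fp->conn)` test is a plain read with no locking visible in the hunk, so two replay requests arriving on different connections for the same disconnected handle could both observe NULL and both continue towards the reopen path; whether ksmbd_lookup_fd_cguid() or ksmbd_reopen_durable_fd() serialize that is outside this hunk and worth confirming. The reason for the rejection is also not stated at the point of check, and a one-line comment would save the next reader a trip to the commit message: `/* fp is still attached to a live connection: a replay must not steal it (same rule as ksmbd_lookup_durable_fd()) */`. parse_durable_handle_context() starts and ends outside the hunk.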
@@ -0,0 +1,135 @@ +From dbaad32d2f0fd10e038a02d0f7bdaccea393cc20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:17:02 +0900 +Subject: ksmbd: fix use-after-free of share_conf in compound request + +From: Hyunwoo Kim + +[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ] + +smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without +validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == +TREE_CONNECTED on the initial lookup path, but the compound reuse path +bypasses this check entirely. + +If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state +to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), +subsequent commands dereference the freed share_conf through +work->tcon->share_conf. + +KASAN report: + +[ 4.144653] ================================================================== +[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 +[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 +[ 4.145772] +[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY +[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work +[ 4.145888] Call Trace: +[ 4.145892] +[ 4.145894] dump_stack_lvl+0x64/0x80 +[ 4.145910] print_report+0xce/0x660 +[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 4.145928] ? smb2_write+0xc74/0xe70 +[ 4.145931] kasan_report+0xce/0x100 +[ 4.145934] ? smb2_write+0xc74/0xe70 +[ 4.145937] smb2_write+0xc74/0xe70 +[ 4.145939] ? __pfx_smb2_write+0x10/0x10 +[ 4.145942] ? _raw_spin_unlock+0xe/0x30 +[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480 +[ 4.145951] handle_ksmbd_work+0x40f/0x1080 +[ 4.145953] process_one_work+0x5fa/0xef0 +[ 4.145962] ? assign_work+0x122/0x3e0 +[ 4.145964] worker_thread+0x54b/0xf70 +[ 4.145967] ? 
__pfx_worker_thread+0x10/0x10 +[ 4.145970] kthread+0x346/0x470 +[ 4.145976] ? recalc_sigpending+0x19b/0x230 +[ 4.145980] ? __pfx_kthread+0x10/0x10 +[ 4.145984] ret_from_fork+0x4fb/0x6c0 +[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10 +[ 4.145995] ? __switch_to+0x36c/0xbe0 +[ 4.145999] ? __pfx_kthread+0x10/0x10 +[ 4.146003] ret_from_fork_asm+0x1a/0x30 +[ 4.146013] +[ 4.146014] +[ 4.149858] Allocated by task 44: +[ 4.149953] kasan_save_stack+0x33/0x60 +[ 4.150061] kasan_save_track+0x14/0x30 +[ 4.150169] __kasan_kmalloc+0x8f/0xa0 +[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0 +[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600 +[ 4.150529] smb2_tree_connect+0x2e6/0x1000 +[ 4.150645] handle_ksmbd_work+0x40f/0x1080 +[ 4.150761] process_one_work+0x5fa/0xef0 +[ 4.150873] worker_thread+0x54b/0xf70 +[ 4.150978] kthread+0x346/0x470 +[ 4.151071] ret_from_fork+0x4fb/0x6c0 +[ 4.151176] ret_from_fork_asm+0x1a/0x30 +[ 4.151286] +[ 4.151332] Freed by task 44: +[ 4.151418] kasan_save_stack+0x33/0x60 +[ 4.151526] kasan_save_track+0x14/0x30 +[ 4.151634] kasan_save_free_info+0x3b/0x60 +[ 4.151751] __kasan_slab_free+0x43/0x70 +[ 4.151861] kfree+0x1ca/0x430 +[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190 +[ 4.152088] smb2_tree_disconnect+0x1cd/0x480 +[ 4.152211] handle_ksmbd_work+0x40f/0x1080 +[ 4.152326] process_one_work+0x5fa/0xef0 +[ 4.152438] worker_thread+0x54b/0xf70 +[ 4.152545] kthread+0x346/0x470 +[ 4.152638] ret_from_fork+0x4fb/0x6c0 +[ 4.152743] ret_from_fork_asm+0x1a/0x30 +[ 4.152853] +[ 4.152900] The buggy address belongs to the object at ffff88810430c180 +[ 4.152900] which belongs to the cache kmalloc-96 of size 96 +[ 4.153226] The buggy address is located 20 bytes inside of +[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0) +[ 4.153549] +[ 4.153596] The buggy address belongs to the physical page: +[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c +[ 4.154000] flags: 
0x100000000000200(workingset|node=0|zone=2) +[ 4.154160] page_type: f5(slab) +[ 4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110 +[ 4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000 +[ 4.154668] page dumped because: kasan: bad access detected +[ 4.154820] +[ 4.154866] Memory state around the buggy address: +[ 4.155002] ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155196] ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 4.155587] ^ +[ 4.155693] ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155891] ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.156087] ================================================================== + +Add the same t_state validation to the compound reuse path, consistent +with ksmbd_tree_conn_lookup(). + +Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 8574a518014f4..9902f77d10483 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -124,6 +124,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) + pr_err("The first operation in the compound does not have tcon\n"); + return -EINVAL; + } ++ if (work->tcon->t_state != TREE_CONNECTED) ++ return -ENOENT; + if (tree_id != UINT_MAX && work->tcon->id != tree_id) { + pr_err("tree id(%u) is different with id(%u) in first operation\n", + tree_id, work->tcon->id); +-- +2.51.0 + 
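Review bot: The added `work->tcon->t_state != TREE_CONNECTED` check reads t_state without any synchronization visible in the hunk; it closes the in-compound TREE_DISCONNECT ordering described in the log, but a tree disconnect running concurrently on another work could still flip the state after the check, so it is worth confirming that the reference taken on the initial ksmbd_tree_conn_lookup() path keeps share_conf alive for the rest of the compound. The new branch also returns silently where the neighbouring checks log via pr_err(); if the silence is deliberate because the state can change legitimately, a short comment such as `/* a prior command in this compound may have disconnected the tree */` would make that explicit. smb2_get_ksmbd_tcon() starts and ends outside the hunk.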
diff --git a/queue-6.12/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.12/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
new file mode 100644
index 0000000000..5d831d833a
--- /dev/null
+++ b/queue-6.12/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
@@ -0,0 +1,49 @@
+From 9e2b5f1ae4912caabd880a8458612815e683e600 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 0728c4a95249b..5d3802eba52a3 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+ if (op == ':') {
+ unsigned short nidx = child->next;
+
+- xbc_init_node(child, v, XBC_VALUE);
++ if (xbc_init_node(child, v, XBC_VALUE) < 0)
++ return xbc_parse_error("Failed to override value", v);
+ child->next = nidx; /* keep subkeys */
+ goto array;
+ }
+--
+2.51.0
+
diff --git a/queue-6.12/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.12/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644
index 0000000000..fd90dbcf0c
--- /dev/null
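Review bot: On the new failure path the saved `nidx` is never written back, so `child` may be left partially re-initialized with its `next` link to the subkeys dropped; that is harmless only because xbc_parse_error() abandons the whole parse, and that assumption deserves a comment next to the return: `/* no need to restore child->next: the parse is abandoned here */`. It is also worth confirming, outside this hunk, that no caller retries or continues after xbc_parse_error(), since the node is no longer in a consistent state at that point. xbc_parse_kv() starts and ends outside the hunk.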
+++ b/queue-6.12/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
@@ -0,0 +1,49 @@
+From ed2730e68ab91f5e34cd21f7f49f403934f38a0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu
+Reviewed-by: William Zhang
+Reviewed-by: Florian Fainelli
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 2eb44c1428fbc..bbba3cf477e98 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2303,14 +2303,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+ for (i = 0; i < ctrl->max_oob; i += 4)
+ oob_reg_write(ctrl, i, 0xffffffff);
+
+- if (mtd->oops_panic_write)
++ if (mtd->oops_panic_write) {
+ /* switch to interrupt polling and PIO mode */
+ disable_ctrl_irqs(ctrl);
+-
+- if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++ } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+ if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+ CMD_PROGRAM_PAGE))
+-
+ ret = -EIO;
+
+ goto out;
+--
+2.51.0
+
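Review bot: The new `if (mtd->oops_panic_write) { ... } else if (use_dma(...)) {` shape makes the PIO fallback implicit: a reader of the panic branch sees only disable_ctrl_irqs() and has to work out that not entering the DMA branch is what reaches the PIO code further down. A closing comment on the panic branch would make that explicit: `/* fall through to the PIO path below: DMA is not usable in panic context */`. The inner `if (ctrl->dma_trans(...))` keeps its brace-less single statement while the outer if gained braces in the same hunk, which reads inconsistently. brcmnand_write() and the PIO path it falls into start and end outside the hunk.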
diff --git a/queue-6.12/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.12/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644
index 0000000000..8ce52c8176
--- /dev/null
+++ b/queue-6.12/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
@@ -0,0 +1,70 @@ +From a02285aad16b2e7dd3b9f6f18e7025ed75f129d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:49:06 -0500 +Subject: mtd: rawnand: serialize lock/unlock against other NAND operations + +From: Kamal Dasu + +[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ] + +nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area +without holding the NAND device lock. On controllers that implement +SET_FEATURES via multiple low-level PIO commands, these can race with +concurrent UBI/UBIFS background erase/write operations that hold the +device lock, resulting in cmd_pending conflicts on the NAND controller. + +Add nand_get_device()/nand_release_device() around the lock/unlock +operations to serialize them against all other NAND controller access. + +Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c +index 3e1844bfb8089..d654e5f52ee09 100644 +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -4868,11 +4868,16 @@ static void nand_shutdown(struct mtd_info *mtd) + static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int ret; + + if (!chip->ops.lock_area) + return -ENOTSUPP; + +- return chip->ops.lock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.lock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /** +@@ -4884,11 +4889,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int 
ret; + + if (!chip->ops.unlock_area) + return -ENOTSUPP; + +- return chip->ops.unlock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.unlock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /* Set default functions */ +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index ca345ae0fc..ecb5f48789 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -446,3 +446,14 @@ mm-shmem-fix-potential-data-corruption-during-shmem-swapin.patch mm-shmem-avoid-unpaired-folio_unlock-in-shmem_swapin_folio.patch mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hang.patch mm-shmem-swap-avoid-redundant-xarray-lookup-during-swapin.patch +mtd-rawnand-serialize-lock-unlock-against-other-nand.patch +mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch +drm-amd-display-fix-displayid-not-found-handling-in-.patch +drm-amd-fix-dcn-2.01-check.patch +ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch +ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch +drm-i915-gt-check-set_default_submission-before-defe.patch +fs-tests-exec-remove-bad-test-vector.patch +lib-bootconfig-check-xbc_init_node-return-in-overrid.patch +tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch +hwmon-max6639-fix-pulses-per-revolution-implementati.patch diff --git a/queue-6.12/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.12/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch new file mode 100644 index 0000000000..532b7e506c --- /dev/null +++ b/queue-6.12/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch 
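Review bot: nand_lock() and nand_unlock() now call chip->ops.lock_area/unlock_area with the device held through nand_get_device(); if any manufacturer implementation of those callbacks re-enters an mtd/nand operation that itself acquires the device — nand_get_device() is not in the hunk, so whether it tolerates recursion cannot be told from here — the previous race becomes a self-deadlock, which is worth checking across the implementations before this lands. The two functions are now byte-for-byte parallel apart from the callback name; a small static helper taking the callback would remove the duplication, and the kernel-doc above each should state that the callback runs with the device lock held. Both hunks (`@@ -4868` and `@@ -4884`) have the same shape, so this note applies to both.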
@@ -0,0 +1,44 @@
+From d6d96ea1e824a5872b72994a77faec558ebb97fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 8a48cc2536f56..32cf48f2da9a1 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -157,8 +157,11 @@ static int load_xbc_file(const char *path, char **buf)
+ if (fd < 0)
+ return -errno;
+ ret = fstat(fd, &stat);
+- if (ret < 0)
+- return -errno;
++ if (ret < 0) {
++ ret = -errno;
++ close(fd);
++ return ret;
++ }
+
+ ret = load_xbc_fd(fd, buf, stat.st_size);
+
+--
+2.51.0
+
diff --git a/queue-6.18/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch b/queue-6.18/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch
new file mode 100644
index 0000000000..6cc2f7c84f
--- /dev/null
+++ b/queue-6.18/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch
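Review bot: The new fstat() error path closes fd and preserves errno, but the hunk ends right after `ret = load_xbc_fd(fd, buf, stat.st_size);` and whether fd is closed when that call fails, and on the success path, is outside the hunk — worth confirming, since the same leak pattern would otherwise survive one line further down. With two early exits now owning the descriptor, a single `close(fd)` behind a cleanup label would be the more robust shape; as a minimal fix the current form is fine. load_xbc_file() starts and ends outside the hunk.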
@@ -0,0 +1,64 @@ +From e9a29904002374f7c061fb04a0a497ef8d1b2c67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 16:19:01 +0000 +Subject: arm64: realm: Fix PTE_NS_SHARED for 52bit PA support + +From: Suzuki K Poulose + +[ Upstream commit 8c6e9b60f5c7985a9fe41320556a92d7a33451df ] + +With LPA/LPA2, the top bits of the PFN (Bits[51:48]) end up in the lower bits +of the PTE. So, simply creating a mask of the "top IPA bit" doesn't work well +for these configurations to set the "top" bit at the output of Stage1 +translation. + +Fix this by using the __phys_to_pte_val() to do the right thing for all +configurations. + +Tested using, kvmtool, placing the memory at a higher address (-m @). + + e.g: + # lkvm run --realm -c 4 -m 512M@@128T -k Image --console serial + + sh-5.0# dmesg | grep "LPA2\|RSI" +[ 0.000000] RME: Using RSI version 1.0 +[ 0.000000] CPU features: detected: 52-bit Virtual Addressing (LPA2) +[ 0.777354] CPU features: detected: 52-bit Virtual Addressing for KVM (LPA2) + +Fixes: 399306954996 ("arm64: realm: Query IPA size from the RMM") +Cc: Catalin Marinas +Cc: Steven Price +Cc: Will Deacon +Signed-off-by: Suzuki K Poulose +Reviewed-by: Steven Price +Reviewed-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/rsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/rsi.c b/arch/arm64/kernel/rsi.c +index c64a06f58c0bc..9e846ce4ef9ca 100644 +--- a/arch/arm64/kernel/rsi.c ++++ b/arch/arm64/kernel/rsi.c +@@ -12,6 +12,7 @@ + + #include + #include ++#include + #include + + static struct realm_config config; +@@ -146,7 +147,7 @@ void __init arm64_rsi_init(void) + return; + if (WARN_ON(rsi_get_realm_config(&config))) + return; +- prot_ns_shared = BIT(config.ipa_bits - 1); ++ prot_ns_shared = __phys_to_pte_val(BIT(config.ipa_bits - 1)); + + if (arm64_ioremap_prot_hook_register(realm_ioremap_hook)) + return; +-- +2.51.0 + 
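Review bot: `BIT(config.ipa_bits - 1)` is still computed from an unvalidated value: rsi_get_realm_config() is only checked for failure, so an ipa_bits of 0 or above 64 reported by the RMM would turn into an undefined shift before __phys_to_pte_val() is applied. The RMM is trusted in the realm model, but the bound check is two lines and keeps a malformed config from producing a silently wrong shared-bit mask: `if (WARN_ON(!config.ipa_bits || config.ipa_bits > 64))` / `return;`. arm64_rsi_init() starts and ends outside the hunk.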
diff --git a/queue-6.18/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch b/queue-6.18/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch
new file mode 100644
index 0000000000..872cf97465
--- /dev/null
+++ b/queue-6.18/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch
@@ -0,0 +1,74 @@ +From 2ad2e3bfef0fff666e8bf9f177fa299df3ee9397 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Feb 2026 18:01:05 +0000 +Subject: binfmt_elf_fdpic: fix AUXV size calculation for ELF_HWCAP3 and + ELF_HWCAP4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrei Vagin + +[ Upstream commit 4ced4cf5c9d172d91f181df3accdf949d3761aab ] + +Commit 4e6e8c2b757f ("binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4") added +support for AT_HWCAP3 and AT_HWCAP4, but it missed updating the AUX +vector size calculation in create_elf_fdpic_tables() and +AT_VECTOR_SIZE_BASE in include/linux/auxvec.h. + +Similar to the fix for AT_HWCAP2 in commit c6a09e342f8e ("binfmt_elf_fdpic: +fix AUXV size calculation when ELF_HWCAP2 is defined"), this omission +leads to a mismatch between the reserved space and the actual number of +AUX entries, eventually triggering a kernel BUG_ON(csp != sp). + +Fix this by incrementing nitems when ELF_HWCAP3 or ELF_HWCAP4 are +defined and updating AT_VECTOR_SIZE_BASE. 
+ +Cc: Mark Brown +Cc: Max Filippov +Reviewed-by: Michal Koutný +Reviewed-by: Mark Brown +Reviewed-by: Cyrill Gorcunov +Reviewed-by: Alexander Mikhalitsyn +Fixes: 4e6e8c2b757f ("binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4") +Signed-off-by: Andrei Vagin +Link: https://patch.msgid.link/20260217180108.1420024-2-avagin@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf_fdpic.c | 6 ++++++ + include/linux/auxvec.h | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index 48fd2de3bca05..a3d4e6973b299 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -595,6 +595,12 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, + #ifdef ELF_HWCAP2 + nitems++; + #endif ++#ifdef ELF_HWCAP3 ++ nitems++; ++#endif ++#ifdef ELF_HWCAP4 ++ nitems++; ++#endif + + csp = sp; + sp -= nitems * 2 * sizeof(unsigned long); +diff --git a/include/linux/auxvec.h b/include/linux/auxvec.h +index 407f7005e6d60..8bcb9b7262628 100644 +--- a/include/linux/auxvec.h ++++ b/include/linux/auxvec.h +@@ -4,6 +4,6 @@ + + #include + +-#define AT_VECTOR_SIZE_BASE 22 /* NEW_AUX_ENT entries in auxiliary table */ ++#define AT_VECTOR_SIZE_BASE 24 /* NEW_AUX_ENT entries in auxiliary table */ + /* number of "#define AT_.*" above, minus {AT_NULL, AT_IGNORE, AT_NOTELF} */ + #endif /* _LINUX_AUXVEC_H */ +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-display-fix-displayid-not-found-handling-in-.patch b/queue-6.18/drm-amd-display-fix-displayid-not-found-handling-in-.patch new file mode 100644 index 0000000000..a51030e59d --- /dev/null +++ b/queue-6.18/drm-amd-display-fix-displayid-not-found-handling-in-.patch 
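Review bot: The `nitems` count in create_elf_fdpic_tables() and `AT_VECTOR_SIZE_BASE` in auxvec.h remain two hand-maintained mirrors of the same number, which is exactly how this bug and the earlier HWCAP2 one the log cites slipped in; the hunk corrects the values but leaves nothing in the code tying them together, so the BUG_ON(csp != sp) stays the only detector. At minimum the `#ifdef ELF_HWCAP2`…`#ifdef ELF_HWCAP4` run deserves a comment, `/* keep in sync with AT_VECTOR_SIZE_BASE in include/linux/auxvec.h */`, and the define a reverse pointer to this function. create_elf_fdpic_tables() starts and ends outside the hunk.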
@@ -0,0 +1,72 @@ +From ada2cbb3b7b5f1d9d1cfe71d20941e8a540433bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 18:30:26 +0530 +Subject: drm/amd/display: Fix DisplayID not-found handling in + parse_edid_displayid_vrr() + +From: Srinivasan Shanmugam + +[ Upstream commit 2323b019651ad81c20a0f7f817c63392b3110652 ] + +parse_edid_displayid_vrr() searches the EDID extension blocks for a +DisplayID extension before parsing the dynamic video timing range. + +The code previously checked whether edid_ext was NULL after the search +loop. However, edid_ext is assigned during each iteration of the loop, +so it will never be NULL once the loop has executed. If no DisplayID +extension is found, edid_ext ends up pointing to the last extension +block, and the NULL check does not correctly detect the failure case. + +Instead, check whether the loop completed without finding a matching +DisplayID block by testing "i == edid->extensions". This ensures the +function exits early when no DisplayID extension is present and avoids +parsing an unrelated EDID extension block. + +Also simplify the EDID validation check using "!edid || +!edid->extensions". 
+ +Fixes the below: +drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:13079 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 13075) + +Fixes: a638b837d0e6 ("drm/amd/display: Fix refresh rate range for some panel") +Cc: Roman Li +Cc: Alex Hung +Cc: Jerry Zuo +Cc: Sun peng Li +Cc: Tom Chung +Cc: Dan Carpenter +Cc: Aurabindo Pillai +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +(cherry picked from commit 91c7e6342e98c846b259c57273436fdea4c043f2) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 7db2d1a3784bd..77840b6cb2065 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -12864,7 +12864,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector, + u16 min_vfreq; + u16 max_vfreq; + +- if (edid == NULL || edid->extensions == 0) ++ if (!edid || !edid->extensions) + return; + + /* Find DisplayID extension */ +@@ -12874,7 +12874,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector, + break; + } + +- if (edid_ext == NULL) ++ if (i == edid->extensions) + return; + + while (j < EDID_LENGTH) { +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-fix-dcn-2.01-check.patch b/queue-6.18/drm-amd-fix-dcn-2.01-check.patch new file mode 100644 index 0000000000..725206c4d4 --- /dev/null +++ b/queue-6.18/drm-amd-fix-dcn-2.01-check.patch 
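Review bot: `if (i == edid->extensions)` ties the not-found test to the loop counter rather than to a result, so it breaks silently if the search loop is later rewritten or `i` is reused before the check; keeping the matched block in a separate pointer that is only assigned on a hit would let a plain NULL test stand on its own, independent of how the loop terminated. If the loop shape stays, a comment on the new check would help: `/* the loop ran to the end: no DisplayID extension block present */`. The search loop and parse_edid_displayid_vrr() itself start and end outside the hunk.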
@@ -0,0 +1,49 @@ +From 96e9f991180a3a8def2551045941544e1530a806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 17:51:47 +0100 +Subject: drm/amd: fix dcn 2.01 check + +From: Andy Nguyen + +[ Upstream commit 39f44f54afa58661ecae9c27e15f5dbce2372892 ] + +The ASICREV_IS_BEIGE_GOBY_P check always took precedence, because it includes all chip revisions upto NV_UNKNOWN. + +Fixes: 54b822b3eac3 ("drm/amd/display: Use dce_version instead of chip_id") +Signed-off-by: Andy Nguyen +Signed-off-by: Alex Deucher +(cherry picked from commit 9c7be0efa6f0daa949a5f3e3fdf9ea090b0713cb) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c +index 15cf13ec53026..c450feae5fa5b 100644 +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c +@@ -255,6 +255,10 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p + BREAK_TO_DEBUGGER(); + return NULL; + } ++ if (ctx->dce_version == DCN_VERSION_2_01) { ++ dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg); ++ return &clk_mgr->base; ++ } + if (ASICREV_IS_SIENNA_CICHLID_P(asic_id.hw_internal_rev)) { + dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg); + return &clk_mgr->base; +@@ -267,10 +271,6 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p + dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg); + return &clk_mgr->base; + } +- if (ctx->dce_version == DCN_VERSION_2_01) { +- dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg); +- return &clk_mgr->base; +- } + dcn20_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg); + return &clk_mgr->base; + } +-- +2.51.0 + 
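Review bot: The DCN_VERSION_2_01 check is now correct only because it sits ahead of the ASICREV_IS_*_P tests, and nothing in the code records that; the commit message says ASICREV_IS_BEIGE_GOBY_P matches every revision up to NV_UNKNOWN, so a future reordering silently reintroduces the wrong construct call. Suggest `/* must stay ahead of the ASICREV_IS_*_P checks: those revision ranges also match DCN 2.01 */` above the moved block. dc_clk_mgr_create begins before the hunk and the remaining construct calls follow it.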
diff --git a/queue-6.18/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch b/queue-6.18/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch new file mode 100644 index 0000000000..ca96daaf2f --- /dev/null +++ b/queue-6.18/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch 
@@ -0,0 +1,44 @@
+From 6d07d494302b5d80707da7e84f9faf64017610e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 28 Feb 2026 11:28:22 +0000
+Subject: drm/bridge: dw-hdmi-qp: fix multi-channel audio output
+
+From: Jonas Karlman
+
+[ Upstream commit cffcb42c57686e9a801dfcf37a3d0c62e51c1c3e ]
+
+Channel Allocation (PB4) and Level Shift Information (PB5) are
+configured with values from PB1 and PB2 due to the wrong offset
+being used. This results in missing audio channels or incorrect
+speaker placement when playing multi-channel audio.
+
+Use the correct offset to fix multi-channel audio output.
+
+Fixes: fd0141d1a8a2 ("drm/bridge: synopsys: Add audio support for dw-hdmi-qp")
+Reported-by: Christian Hewitt
+Signed-off-by: Jonas Karlman
+Signed-off-by: Christian Hewitt
+Reviewed-by: Cristian Ciocaltea
+Link: https://patch.msgid.link/20260228112822.4056354-1-christianshewitt@gmail.com
+Signed-off-by: Luca Ceresoli
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+index c85eb340e5a35..d302455875167 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+@@ -818,7 +818,7 @@ static int dw_hdmi_qp_config_audio_infoframe(struct dw_hdmi_qp *hdmi,
+
+ regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS0, &header_bytes, 1);
+ regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS1, &buffer[3], 1);
+- regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS2, &buffer[4], 1);
++ regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS2, &buffer[7], 1);
+
+ /* Enable ACR, AUDI, AMD */
+ dw_hdmi_qp_mod(hdmi,
+--
+2.51.0
+
diff --git a/queue-6.18/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.18/drm-i915-gt-check-set_default_submission-before-defe.patch
new file mode 100644
index 0000000000..956254ae68
--- /dev/null
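Review bot: `&buffer[3]` and `&buffer[7]` are bare offsets into the packed audio infoframe, and the commit message is the only place that says CONTENTS2 is meant to carry PB4/PB5 rather than PB1/PB2; that mapping belongs next to the writes. Suggest a comment above the three regmap_bulk_write calls along the lines of `/* CONTENTS1 <- buffer[3..], CONTENTS2 <- buffer[7..] (PB4/PB5) */`, adjusted to the real packed layout. I cannot confirm from the hunk how many payload bytes each register word holds, so the comment should be checked against the packing code above it, which is outside the hunk.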
+++ b/queue-6.18/drm-i915-gt-check-set_default_submission-before-defe.patch 
@@ -0,0 +1,105 @@ +From 004d56004ce89fa734477ed11e20caa1000a216a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 10:18:39 +0530 +Subject: drm/i915/gt: Check set_default_submission() before deferencing + +From: Rahul Bukte + +[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ] + +When the i915 driver firmware binaries are not present, the +set_default_submission pointer is not set. This pointer is +dereferenced during suspend anyways. + +Add a check to make sure it is set before dereferencing. + +[ 23.289926] PM: suspend entry (deep) +[ 23.293558] Filesystems sync: 0.000 seconds +[ 23.298010] Freezing user space processes +[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds) +[ 23.309766] OOM killer disabled. +[ 23.313027] Freezing remaining freezable tasks +[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 23.342038] serial 00:05: disabled +[ 23.345719] serial 00:02: disabled +[ 23.349342] serial 00:01: disabled +[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache +[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache +[ 23.361635] ata1.00: Entering standby power mode +[ 23.368863] ata2.00: Entering standby power mode +[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 23.452194] #PF: supervisor instruction fetch in kernel mode +[ 23.457896] #PF: error_code(0x0010) - not-present page +[ 23.463065] PGD 0 P4D 0 +[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI +[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary) +[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN +[ 23.496511] Workqueue: async async_run_entry_fn +[ 23.501087] RIP: 0010:0x0 +[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
+[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246 +[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f +[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000 +[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff +[ 23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8 +[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68 +[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000 +[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0 +[ 23.572539] PKRU: 55555554 +[ 23.575281] Call Trace: +[ 23.577770] +[ 23.579905] intel_engines_reset_default_submission+0x42/0x60 +[ 23.585695] __intel_gt_unset_wedged+0x191/0x200 +[ 23.590360] intel_gt_unset_wedged+0x20/0x40 +[ 23.594675] gt_sanitize+0x15e/0x170 +[ 23.598290] i915_gem_suspend_late+0x6b/0x180 +[ 23.602692] i915_drm_suspend_late+0x35/0xf0 +[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10 +[ 23.611843] dpm_run_callback+0x78/0x1c0 +[ 23.615817] device_suspend_late+0xde/0x2e0 +[ 23.620037] async_suspend_late+0x18/0x30 +[ 23.624082] async_run_entry_fn+0x25/0xa0 +[ 23.628129] process_one_work+0x15b/0x380 +[ 23.632182] worker_thread+0x2a5/0x3c0 +[ 23.635973] ? __pfx_worker_thread+0x10/0x10 +[ 23.640279] kthread+0xf6/0x1f0 +[ 23.643464] ? __pfx_kthread+0x10/0x10 +[ 23.647263] ? __pfx_kthread+0x10/0x10 +[ 23.651045] ret_from_fork+0x131/0x190 +[ 23.654837] ? 
__pfx_kthread+0x10/0x10 +[ 23.658634] ret_from_fork_asm+0x1a/0x30 +[ 23.662597] +[ 23.664826] Modules linked in: +[ 23.667914] CR2: 0000000000000000 +[ 23.671271] ------------[ cut here ]------------ + +Signed-off-by: Rahul Bukte +Reviewed-by: Suraj Kandpal +Signed-off-by: Suraj Kandpal +Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com +(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad) +Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc") +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +index b721bbd233567..ce8cdd517daa1 100644 +--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +@@ -1969,7 +1969,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt) + if (engine->sanitize) + engine->sanitize(engine); + +- engine->set_default_submission(engine); ++ if (engine->set_default_submission) ++ engine->set_default_submission(engine); + } + } + +-- +2.51.0 + diff --git a/queue-6.18/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch b/queue-6.18/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch new file mode 100644 index 0000000000..067abe124c --- /dev/null +++ b/queue-6.18/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch 
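Review bot: The new NULL guard is silent, so an engine whose set_default_submission was never installed is skipped without a trace, and the hunk gives no hint why the vfunc can be NULL; the commit message attributes it to missing firmware binaries. Suggest `/* left unset when the firmware this backend needs is absent */` above the check, mirroring the `engine->sanitize` guard two lines up. If a skipped engine is an unexpected state rather than a supported one, a one-time warning (`WARN_ON_ONCE`-style) would make the condition observable instead of merely survivable; I cannot tell from the hunk which it is. intel_engines_reset_default_submission starts before the hunk.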
@@ -0,0 +1,43 @@
+From cb2af25f9f4e9b6c5980c51f8feef5684f1e5649 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 Mar 2026 14:03:30 -0600
+Subject: drm/vmwgfx: Don't overwrite KMS surface dirty tracker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ian Forbes
+
+[ Upstream commit c6cb77c474a32265e21c4871c7992468bf5e7638 ]
+
+We were overwriting the surface's dirty tracker here causing a memory leak.
+
+Reported-by: Mika Penttilä
+Closes: https://lore.kernel.org/dri-devel/8c53f3c6-c6de-46fe-a8ca-d98dd52b3abe@redhat.com/
+Fixes: 965544150d1c ("drm/vmwgfx: Refactor cursor handling")
+Signed-off-by: Ian Forbes
+Reviewed-by: Maaz Mombasawala
+Signed-off-by: Zack Rusin
+Link: https://patch.msgid.link/20260302200330.66763-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index 535d844191e7a..3e8a2f4a907da 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -768,7 +768,8 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev,
+ ret = vmw_bo_dirty_add(bo);
+ if (!ret && surface && surface->res.func->dirty_alloc) {
+ surface->res.coherent = true;
+- ret = surface->res.func->dirty_alloc(&surface->res);
++ if (surface->res.dirty == NULL)
++ ret = surface->res.func->dirty_alloc(&surface->res);
+ }
+ ttm_bo_unreserve(&bo->tbo);
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/fs-tests-exec-remove-bad-test-vector.patch b/queue-6.18/fs-tests-exec-remove-bad-test-vector.patch
new file mode 100644
index 0000000000..5bcb0c6ef2
--- /dev/null
+++ b/queue-6.18/fs-tests-exec-remove-bad-test-vector.patch
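Review bot: `surface->res.dirty == NULL` is not the tree's idiom; checkpatch-style would be `if (!surface->res.dirty)`. More importantly the reason for the check lives only in the commit message — a surface can reach vmw_kms_fb_create with a dirty tracker already allocated, and re-running dirty_alloc overwrote and leaked it — so a comment such as `/* an earlier fb on this surface may already own a dirty tracker; never replace it */` should accompany the condition. When the allocation is skipped, `ret` keeps the value from vmw_bo_dirty_add(), which is 0 here because of the `!ret` test on the line above, so the skip path reports success as intended. vmw_kms_fb_create begins before the hunk.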
@@ -0,0 +1,37 @@ +From 51253da732bb3e63b00ca205d01c80cec63fb5b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 11:36:29 -0700 +Subject: fs/tests: exec: Remove bad test vector + +From: Kees Cook + +[ Upstream commit c4192754e836e0ffed95833509b6ada975b74418 ] + +Drop an unusable test in the bprm stack limits. + +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/a3e9b1c2-40c1-45df-9fa2-14ee6a7b3fe2@roeck-us.net +Fixes: 60371f43e56b ("exec: Add KUnit test for bprm_stack_limits()") +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/tests/exec_kunit.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/tests/exec_kunit.c b/fs/tests/exec_kunit.c +index f412d1a0f6bba..1c32cac098cf5 100644 +--- a/fs/tests/exec_kunit.c ++++ b/fs/tests/exec_kunit.c +@@ -94,9 +94,6 @@ static const struct bprm_stack_limits_result bprm_stack_limits_results[] = { + { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * 3 + sizeof(void *)), + .argc = 0, .envc = 0 }, + .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) }, +- { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * + sizeof(void *)), +- .argc = 0, .envc = 0 }, +- .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) }, + { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * _STK_LIM, + .argc = 0, .envc = 0 }, + .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) }, +-- +2.51.0 + diff --git a/queue-6.18/hwmon-max6639-fix-pulses-per-revolution-implementati.patch b/queue-6.18/hwmon-max6639-fix-pulses-per-revolution-implementati.patch new file mode 100644 index 0000000000..b00bf3ff0c --- /dev/null +++ b/queue-6.18/hwmon-max6639-fix-pulses-per-revolution-implementati.patch 
@@ -0,0 +1,66 @@ +From 3e33c7b1d2f26f7fe04ec8a6423c8129e7748483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:31:22 -0700 +Subject: hwmon: (max6639) Fix pulses-per-revolution implementation + +From: Guenter Roeck + +[ Upstream commit e7bae9a7a5e1251ab414291f4e9304d702bb9221 ] + +The valid range for the pulses-per-revolution devicetree property is +1..4. The current code checks for a range of 1..5. Fix it. + +Declare the variable used to retrieve pulses per revolution from +devicetree as u32 (unsigned) to match the of_property_read_u32() API. + +The current code uses a postfix decrement when writing the pulses per +resolution into the chip. This has no effect since the value is evaluated +before it is decremented. Fix it by decrementing before evaluating the +value. + +Fixes: 7506ebcd662b ("hwmon: (max6639) : Configure based on DT property") +Cc: Naresh Solanki +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max6639.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hwmon/max6639.c b/drivers/hwmon/max6639.c +index 1fc12e1463b58..447e8cdbc74c6 100644 +--- a/drivers/hwmon/max6639.c ++++ b/drivers/hwmon/max6639.c +@@ -235,7 +235,7 @@ static int max6639_read_fan(struct device *dev, u32 attr, int channel, + static int max6639_set_ppr(struct max6639_data *data, int channel, u8 ppr) + { + /* Decrement the PPR value and shift left by 6 to match the register format */ +- return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), ppr-- << 6); ++ return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), --ppr << 6); + } + + static int max6639_write_fan(struct device *dev, u32 attr, int channel, +@@ -537,8 +537,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client, + + { + struct device *dev = &client->dev; +- u32 i; +- int err, val; ++ u32 i, val; ++ int err; + + err = of_property_read_u32(child, "reg", &i); + if (err) { +@@ -553,8 +553,8 @@ static int 
max6639_probe_child_from_dt(struct i2c_client *client, + + err = of_property_read_u32(child, "pulses-per-revolution", &val); + if (!err) { +- if (val < 1 || val > 5) { +- dev_err(dev, "invalid pulses-per-revolution %d of %pOFn\n", val, child); ++ if (val < 1 || val > 4) { ++ dev_err(dev, "invalid pulses-per-revolution %u of %pOFn\n", val, child); + return -EINVAL; + } + data->ppr[i] = val; +-- +2.51.0 + diff --git a/queue-6.18/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch b/queue-6.18/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch new file mode 100644 index 0000000000..a2c9ae61b5 --- /dev/null +++ b/queue-6.18/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch 
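Review bot: `--ppr << 6` in max6639_set_ppr decrements a u8 with no range check, so a caller passing 0 wraps to 255 and the register write carries 255 << 6, a value far outside what is presumably a two-bit field at bits 7:6 (the register width is not visible here). The devicetree path in the second hunk validates 1..4 before storing `data->ppr[i]`, but max6639_set_ppr is a general helper and any other caller (max6639_write_fan follows it immediately, though its body is outside the hunk) would need the same validation; a guard at the top of set_ppr, `if (ppr < 1 || ppr > 4) return -EINVAL;`, makes the register write safe regardless of caller. The `%u` format fix matches the new `u32 val` and is correct.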
@@ -0,0 +1,59 @@
+From 923bd4fd6c00dc4814809c88cbf06c63543daf63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Mar 2026 22:18:42 -0800
+Subject: iommu/sva: Fix crash in iommu_sva_unbind_device()
+
+From: Lizhi Hou
+
+[ Upstream commit 06e14c36e20b48171df13d51b89fe67c594ed07a ]
+
+domain->mm->iommu_mm can be freed by iommu_domain_free():
+ iommu_domain_free()
+ mmdrop()
+ __mmdrop()
+ mm_pasid_drop()
+After iommu_domain_free() returns, accessing domain->mm->iommu_mm may
+dereference a freed mm structure, leading to a crash.
+
+Fix this by moving the code that accesses domain->mm->iommu_mm to before
+the call to iommu_domain_free().
+
+Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
+Signed-off-by: Lizhi Hou
+Reviewed-by: Jason Gunthorpe
+Reviewed-by: Yi Liu
+Reviewed-by: Vasant Hegde
+Reviewed-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/iommu-sva.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c
+index e1e63c2be82b2..fd735aaae9e3f 100644
+--- a/drivers/iommu/iommu-sva.c
++++ b/drivers/iommu/iommu-sva.c
+@@ -182,13 +182,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle)
+ iommu_detach_device_pasid(domain, dev, iommu_mm->pasid);
+ if (--domain->users == 0) {
+ list_del(&domain->next);
+- iommu_domain_free(domain);
+- }
++ if (list_empty(&iommu_mm->sva_domains)) {
++ list_del(&iommu_mm->mm_list_elm);
++ if (list_empty(&iommu_sva_mms))
++ iommu_sva_present = false;
++ }
+
+- if (list_empty(&iommu_mm->sva_domains)) {
+- list_del(&iommu_mm->mm_list_elm);
+- if (list_empty(&iommu_sva_mms))
+- iommu_sva_present = false;
++ iommu_domain_free(domain);
+ }
+
+ mutex_unlock(&iommu_sva_lock);
+--
+2.51.0
+
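Review bot: The order of the two blocks is now load-bearing — the iommu_mm accesses must precede iommu_domain_free() because, per the commit message, freeing the domain can drop the last mm reference and free iommu_mm — yet nothing in the code says so and the next cleanup could swap them back. Suggest `/* iommu_mm may be freed by iommu_domain_free() (mmdrop -> mm_pasid_drop); touch it first */` above the `list_empty(&iommu_mm->sva_domains)` check. Moving that check inside `if (--domain->users == 0)` is equivalent to the old unconditional placement only because sva_domains can become empty solely through the `list_del(&domain->next)` on the line above; stating that in the same comment spares the reader the derivation. iommu_sva_unbind_device begins before the hunk.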
diff --git a/queue-6.18/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch b/queue-6.18/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch new file mode 100644 index 0000000000..2c762a24a0 --- /dev/null +++ b/queue-6.18/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch 
@@ -0,0 +1,128 @@ +From ef8f7911fb145e754311e395bb2eadec47d40466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:15:51 +0900 +Subject: ksmbd: fix use-after-free in durable v2 replay of active file handles + +From: Hyunwoo Kim + +[ Upstream commit b425e4d0eb321a1116ddbf39636333181675d8f4 ] + +parse_durable_handle_context() unconditionally assigns dh_info->fp->conn +to the current connection when handling a DURABLE_REQ_V2 context with +SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by +fp->conn, so it returns file handles that are already actively connected. +The unconditional overwrite replaces fp->conn, and when the overwriting +connection is subsequently freed, __ksmbd_close_fd() dereferences the +stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a +use-after-free. + +KASAN report: + +[ 7.349357] ================================================================== +[ 7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0 +[ 7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108 +[ 7.350010] +[ 7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY +[ 7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 7.350070] Workqueue: ksmbd-io handle_ksmbd_work +[ 7.350083] Call Trace: +[ 7.350087] +[ 7.350087] dump_stack_lvl+0x64/0x80 +[ 7.350094] print_report+0xce/0x660 +[ 7.350100] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 7.350101] ? __pfx___mod_timer+0x10/0x10 +[ 7.350106] ? _raw_spin_lock+0x75/0xe0 +[ 7.350108] kasan_report+0xce/0x100 +[ 7.350109] ? _raw_spin_lock+0x75/0xe0 +[ 7.350114] kasan_check_range+0x105/0x1b0 +[ 7.350116] _raw_spin_lock+0x75/0xe0 +[ 7.350118] ? __pfx__raw_spin_lock+0x10/0x10 +[ 7.350119] ? __call_rcu_common.constprop.0+0x25e/0x780 +[ 7.350125] ? 
close_id_del_oplock+0x2cc/0x4e0 +[ 7.350128] __ksmbd_close_fd+0x27f/0xaf0 +[ 7.350131] ksmbd_close_fd+0x135/0x1b0 +[ 7.350133] smb2_close+0xb19/0x15b0 +[ 7.350142] ? __pfx_smb2_close+0x10/0x10 +[ 7.350143] ? xas_load+0x18/0x270 +[ 7.350146] ? _raw_spin_lock+0x84/0xe0 +[ 7.350148] ? __pfx__raw_spin_lock+0x10/0x10 +[ 7.350150] ? _raw_spin_unlock+0xe/0x30 +[ 7.350151] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 7.350153] ? ksmbd_tree_conn_lookup+0xcd/0xf0 +[ 7.350154] handle_ksmbd_work+0x40f/0x1080 +[ 7.350156] process_one_work+0x5fa/0xef0 +[ 7.350162] ? assign_work+0x122/0x3e0 +[ 7.350163] worker_thread+0x54b/0xf70 +[ 7.350165] ? __pfx_worker_thread+0x10/0x10 +[ 7.350166] kthread+0x346/0x470 +[ 7.350170] ? recalc_sigpending+0x19b/0x230 +[ 7.350176] ? __pfx_kthread+0x10/0x10 +[ 7.350178] ret_from_fork+0x4fb/0x6c0 +[ 7.350183] ? __pfx_ret_from_fork+0x10/0x10 +[ 7.350185] ? __switch_to+0x36c/0xbe0 +[ 7.350188] ? __pfx_kthread+0x10/0x10 +[ 7.350190] ret_from_fork_asm+0x1a/0x30 +[ 7.350197] +[ 7.350197] +[ 7.355160] Allocated by task 123: +[ 7.355261] kasan_save_stack+0x33/0x60 +[ 7.355373] kasan_save_track+0x14/0x30 +[ 7.355484] __kasan_kmalloc+0x8f/0xa0 +[ 7.355593] ksmbd_conn_alloc+0x44/0x6d0 +[ 7.355711] ksmbd_kthread_fn+0x243/0xd70 +[ 7.355839] kthread+0x346/0x470 +[ 7.355942] ret_from_fork+0x4fb/0x6c0 +[ 7.356051] ret_from_fork_asm+0x1a/0x30 +[ 7.356164] +[ 7.356214] Freed by task 134: +[ 7.356305] kasan_save_stack+0x33/0x60 +[ 7.356416] kasan_save_track+0x14/0x30 +[ 7.356527] kasan_save_free_info+0x3b/0x60 +[ 7.356646] __kasan_slab_free+0x43/0x70 +[ 7.356761] kfree+0x1ca/0x430 +[ 7.356862] ksmbd_tcp_disconnect+0x59/0xe0 +[ 7.356993] ksmbd_conn_handler_loop+0x77e/0xd40 +[ 7.357138] kthread+0x346/0x470 +[ 7.357240] ret_from_fork+0x4fb/0x6c0 +[ 7.357350] ret_from_fork_asm+0x1a/0x30 +[ 7.357463] +[ 7.357513] The buggy address belongs to the object at ffff8881056ac000 +[ 7.357513] which belongs to the cache kmalloc-1k of size 1024 +[ 7.357857] The buggy address is 
located 396 bytes inside of +[ 7.357857] freed 1024-byte region [ffff8881056ac000, ffff8881056ac400) + +Fix by removing the unconditional fp->conn assignment and rejecting the +replay when fp->conn is non-NULL. This is consistent with +ksmbd_lookup_durable_fd(), which also rejects file handles with a +non-NULL fp->conn. For disconnected file handles (fp->conn == NULL), +ksmbd_reopen_durable_fd() handles setting fp->conn. + +Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 6796bc919d580..60a8f53443082 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2840,7 +2840,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work, + goto out; + } + +- dh_info->fp->conn = conn; ++ if (dh_info->fp->conn) { ++ ksmbd_put_durable_fd(dh_info->fp); ++ err = -EBADF; ++ goto out; ++ } + dh_info->reconnected = true; + goto out; + } +-- +2.51.0 + diff --git a/queue-6.18/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.18/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch new file mode 100644 index 0000000000..f09e214353 --- /dev/null +++ b/queue-6.18/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch 
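Review bot: The reject path reads `dh_info->fp->conn` without any visible synchronization, and the KASAN trace in the message shows the connection being freed from a different kthread (ksmbd_tcp_disconnect), so unless ksmbd_lookup_fd_cguid() returns fp under a lock that also covers connection teardown the check can observe a pointer that is about to be cleared or freed; the hunk does not show the locking, so this is worth confirming against the disconnect path rather than assuming. A comment on the new branch would also help: `/* handle still owned by a live connection; replay may only adopt a disconnected handle (fp->conn == NULL) */`. -EBADF is consistent with rejecting a handle, but whether the client-visible status this maps to is the intended one cannot be judged from the hunk. parse_durable_handle_context begins before the hunk.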
@@ -0,0 +1,135 @@ +From 1b640ea0a58f902a71d6e104be9cf73972afdac4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:17:02 +0900 +Subject: ksmbd: fix use-after-free of share_conf in compound request + +From: Hyunwoo Kim + +[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ] + +smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without +validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == +TREE_CONNECTED on the initial lookup path, but the compound reuse path +bypasses this check entirely. + +If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state +to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), +subsequent commands dereference the freed share_conf through +work->tcon->share_conf. + +KASAN report: + +[ 4.144653] ================================================================== +[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 +[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 +[ 4.145772] +[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY +[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work +[ 4.145888] Call Trace: +[ 4.145892] +[ 4.145894] dump_stack_lvl+0x64/0x80 +[ 4.145910] print_report+0xce/0x660 +[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 4.145928] ? smb2_write+0xc74/0xe70 +[ 4.145931] kasan_report+0xce/0x100 +[ 4.145934] ? smb2_write+0xc74/0xe70 +[ 4.145937] smb2_write+0xc74/0xe70 +[ 4.145939] ? __pfx_smb2_write+0x10/0x10 +[ 4.145942] ? _raw_spin_unlock+0xe/0x30 +[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480 +[ 4.145951] handle_ksmbd_work+0x40f/0x1080 +[ 4.145953] process_one_work+0x5fa/0xef0 +[ 4.145962] ? assign_work+0x122/0x3e0 +[ 4.145964] worker_thread+0x54b/0xf70 +[ 4.145967] ? 
__pfx_worker_thread+0x10/0x10 +[ 4.145970] kthread+0x346/0x470 +[ 4.145976] ? recalc_sigpending+0x19b/0x230 +[ 4.145980] ? __pfx_kthread+0x10/0x10 +[ 4.145984] ret_from_fork+0x4fb/0x6c0 +[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10 +[ 4.145995] ? __switch_to+0x36c/0xbe0 +[ 4.145999] ? __pfx_kthread+0x10/0x10 +[ 4.146003] ret_from_fork_asm+0x1a/0x30 +[ 4.146013] +[ 4.146014] +[ 4.149858] Allocated by task 44: +[ 4.149953] kasan_save_stack+0x33/0x60 +[ 4.150061] kasan_save_track+0x14/0x30 +[ 4.150169] __kasan_kmalloc+0x8f/0xa0 +[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0 +[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600 +[ 4.150529] smb2_tree_connect+0x2e6/0x1000 +[ 4.150645] handle_ksmbd_work+0x40f/0x1080 +[ 4.150761] process_one_work+0x5fa/0xef0 +[ 4.150873] worker_thread+0x54b/0xf70 +[ 4.150978] kthread+0x346/0x470 +[ 4.151071] ret_from_fork+0x4fb/0x6c0 +[ 4.151176] ret_from_fork_asm+0x1a/0x30 +[ 4.151286] +[ 4.151332] Freed by task 44: +[ 4.151418] kasan_save_stack+0x33/0x60 +[ 4.151526] kasan_save_track+0x14/0x30 +[ 4.151634] kasan_save_free_info+0x3b/0x60 +[ 4.151751] __kasan_slab_free+0x43/0x70 +[ 4.151861] kfree+0x1ca/0x430 +[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190 +[ 4.152088] smb2_tree_disconnect+0x1cd/0x480 +[ 4.152211] handle_ksmbd_work+0x40f/0x1080 +[ 4.152326] process_one_work+0x5fa/0xef0 +[ 4.152438] worker_thread+0x54b/0xf70 +[ 4.152545] kthread+0x346/0x470 +[ 4.152638] ret_from_fork+0x4fb/0x6c0 +[ 4.152743] ret_from_fork_asm+0x1a/0x30 +[ 4.152853] +[ 4.152900] The buggy address belongs to the object at ffff88810430c180 +[ 4.152900] which belongs to the cache kmalloc-96 of size 96 +[ 4.153226] The buggy address is located 20 bytes inside of +[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0) +[ 4.153549] +[ 4.153596] The buggy address belongs to the physical page: +[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c +[ 4.154000] flags: 
0x100000000000200(workingset|node=0|zone=2) +[ 4.154160] page_type: f5(slab) +[ 4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110 +[ 4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000 +[ 4.154668] page dumped because: kasan: bad access detected +[ 4.154820] +[ 4.154866] Memory state around the buggy address: +[ 4.155002] ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155196] ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 4.155587] ^ +[ 4.155693] ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155891] ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.156087] ================================================================== + +Add the same t_state validation to the compound reuse path, consistent +with ksmbd_tree_conn_lookup(). + +Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 1f04b761a8cf8..6796bc919d580 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -125,6 +125,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) + pr_err("The first operation in the compound does not have tcon\n"); + return -EINVAL; + } ++ if (work->tcon->t_state != TREE_CONNECTED) ++ return -ENOENT; + if (tree_id != UINT_MAX && work->tcon->id != tree_id) { + pr_err("tree id(%u) is different with id(%u) in first operation\n", + tree_id, work->tcon->id); +-- +2.51.0 + 
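Review bot: The new `t_state != TREE_CONNECTED` check returns -ENOENT silently while the neighbouring checks log with pr_err and return -EINVAL; since a compound containing a TREE_DISCONNECT followed by further operations is entirely client-controlled, staying quiet is the right choice against log flooding, but the asymmetry should be explained. Suggest `/* tcon may have been disconnected by an earlier op in this compound; fail quietly, this is client-triggerable */`. Per the message the same t_state guard is what ksmbd_tree_conn_lookup() applies on the initial lookup path; naming it in the comment keeps the two checks from drifting apart. smb2_get_ksmbd_tcon begins before the hunk.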
diff --git a/queue-6.18/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.18/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch new file mode 100644 index 0000000000..da5af20e96 --- /dev/null +++ b/queue-6.18/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch 
@@ -0,0 +1,49 @@
+From a785fa6f20d4688dcf6a9ca7979a50952e86515d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 0728c4a95249b..5d3802eba52a3 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+ if (op == ':') {
+ unsigned short nidx = child->next;
+
+- xbc_init_node(child, v, XBC_VALUE);
++ if (xbc_init_node(child, v, XBC_VALUE) < 0)
++ return xbc_parse_error("Failed to override value", v);
+ child->next = nidx; /* keep subkeys */
+ goto array;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.18/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644
index 0000000000..6aed9eb78e
--- /dev/null
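Review bot: On the new failure path `child->next = nidx` is never restored, so if xbc_init_node() can modify the node before returning an error the subkey chain is left detached; because xbc_parse_error() aborts the parse this only matters if a caller keeps using the partially built tree, which the hunk does not show — worth confirming rather than assuming. A short comment on the branch, `/* re-initialise the existing value node in place; bail out if the data offset no longer fits */`, would record why the return value matters here (the "data offset out of range" case the message describes). xbc_parse_kv starts before the hunk.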
+++ b/queue-6.18/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
@@ -0,0 +1,49 @@
+From 6aae98dd67c24d75444b64fb3d87ea1f0a015543 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu
+Reviewed-by: William Zhang
+Reviewed-by: Florian Fainelli
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 835653bdd5abc..8f4d001377a1c 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2350,14 +2350,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+ for (i = 0; i < ctrl->max_oob; i += 4)
+ oob_reg_write(ctrl, i, 0xffffffff);
+
+- if (mtd->oops_panic_write)
++ if (mtd->oops_panic_write) {
+ /* switch to interrupt polling and PIO mode */
+ disable_ctrl_irqs(ctrl);
+-
+- if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++ } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+ if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+ CMD_PROGRAM_PAGE))
+-
+ ret = -EIO;
+
+ goto out;
+--
+2.51.0
+
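Review bot: After this change the panic branch does nothing but disable_ctrl_irqs() and relies on control falling through to the PIO path below the hunk, which the `if/else if` shape alone does not make obvious; suggest extending the existing comment to `/* panic context: switch to interrupt polling and PIO mode, never DMA (falls through to the PIO write below) */`. disable_ctrl_irqs() now runs on every panic write; whether it is safe to call repeatedly cannot be seen here. brcmnand_write starts before the hunk and the PIO path the panic case now reaches is after it.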
diff --git a/queue-6.18/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.18/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch new file mode 100644 index 0000000000..31f185c7cd --- /dev/null +++ b/queue-6.18/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch 
@@ -0,0 +1,70 @@ +From 5c51306805fcd1e24c60069db4f80e4d01178e09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:49:06 -0500 +Subject: mtd: rawnand: serialize lock/unlock against other NAND operations + +From: Kamal Dasu + +[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ] + +nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area +without holding the NAND device lock. On controllers that implement +SET_FEATURES via multiple low-level PIO commands, these can race with +concurrent UBI/UBIFS background erase/write operations that hold the +device lock, resulting in cmd_pending conflicts on the NAND controller. + +Add nand_get_device()/nand_release_device() around the lock/unlock +operations to serialize them against all other NAND controller access. + +Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c +index ad6d66309597b..b4bd73d7cd05c 100644 +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -4737,11 +4737,16 @@ static void nand_shutdown(struct mtd_info *mtd) + static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int ret; + + if (!chip->ops.lock_area) + return -ENOTSUPP; + +- return chip->ops.lock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.lock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /** +@@ -4753,11 +4758,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int 
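Review bot: `nand_get_device(chip)` is now held around `chip->ops.lock_area()`, but nothing here establishes that the manufacturer callbacks never take the device lock themselves; if any lock_area implementation (or the SET_FEATURES path the commit message mentions) already calls nand_get_device(), the fix trades a race for a self-deadlock, so every in-tree implementer should be checked before this is backported. The `-ENOTSUPP` early return correctly stays outside the locked region. I would record the new contract at the call site, e.g. `/* Serialize against erase/write; lock_area must not take the device lock itself */`, and ideally at the ops declaration, which is outside this patch.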
ret; + + if (!chip->ops.unlock_area) + return -ENOTSUPP; + +- return chip->ops.unlock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.unlock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /* Set default functions */ +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 20493634eb..7cb164d9e9 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -191,3 +191,21 @@ perf-x86-move-event-pointer-setup-earlier-in-x86_pmu_enable.patch ring-buffer-fix-to-update-per-subbuf-entries-of-persistent-ring-buffer.patch tracing-fix-failure-to-read-user-space-from-system-call-trace-events.patch x86-platform-uv-handle-deconfigured-sockets.patch +binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch +mtd-rawnand-serialize-lock-unlock-against-other-nand.patch +mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch +spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch +spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch +drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch +iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch +drm-amd-display-fix-displayid-not-found-handling-in-.patch +drm-amd-fix-dcn-2.01-check.patch +drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch +ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch +ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch +drm-i915-gt-check-set_default_submission-before-defe.patch +fs-tests-exec-remove-bad-test-vector.patch +lib-bootconfig-check-xbc_init_node-return-in-overrid.patch +tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch +arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch +hwmon-max6639-fix-pulses-per-revolution-implementati.patch diff --git a/queue-6.18/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch b/queue-6.18/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch new file mode 100644 index 0000000000..17358fca99 --- /dev/null 
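Review bot: nand_unlock() now repeats the get-device / callback / release-device sequence of nand_lock() line for line, so any later change (for example checking a return from nand_get_device() if it ever becomes interruptible) has to be made twice. A small static helper such as `static int nand_locked_area_op(struct nand_chip *chip, int (*op)(struct nand_chip *, loff_t, uint64_t), loff_t ofs, uint64_t len)` that does the `-ENOTSUPP` check, the locking and the call would keep the two entry points in step. Purely a style point; the locking itself mirrors the nand_lock() hunk.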
+++ b/queue-6.18/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch 
@@ -0,0 +1,115 @@ +From b07c96cb011f602ea19b9de0df10d01c13c34ddd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 21:34:55 +0800 +Subject: spi: amlogic: spifc-a4: Remove redundant clock cleanup + +From: Felix Gu + +[ Upstream commit a00da54d06f435dbbeacb84f9121dbbe6d6eda74 ] + +The driver uses devm_clk_get_enabled() which enables the clock and +registers a callback to automatically disable it when the device +is unbound. + +Remove the redundant aml_sfc_disable_clk() call in the error paths +and remove callback. + +Fixes: 4670db6f32e9 ("spi: amlogic: add driver for Amlogic SPI Flash Controller") +Signed-off-by: Felix Gu +Link: https://patch.msgid.link/20260308-spifc-a4-1-v1-1-77e286c26832@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-amlogic-spifc-a4.c | 46 +++++------------------------- + 1 file changed, 7 insertions(+), 39 deletions(-) + +diff --git a/drivers/spi/spi-amlogic-spifc-a4.c b/drivers/spi/spi-amlogic-spifc-a4.c +index f324aa39a8976..b2589fe2425cc 100644 +--- a/drivers/spi/spi-amlogic-spifc-a4.c ++++ b/drivers/spi/spi-amlogic-spifc-a4.c +@@ -1083,14 +1083,6 @@ static int aml_sfc_clk_init(struct aml_sfc *sfc) + return clk_set_rate(sfc->core_clk, SFC_BUS_DEFAULT_CLK); + } + +-static int aml_sfc_disable_clk(struct aml_sfc *sfc) +-{ +- clk_disable_unprepare(sfc->core_clk); +- clk_disable_unprepare(sfc->gate_clk); +- +- return 0; +-} +- + static int aml_sfc_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; +@@ -1141,16 +1133,12 @@ static int aml_sfc_probe(struct platform_device *pdev) + + /* Enable Amlogic flash controller spi mode */ + ret = regmap_write(sfc->regmap_base, SFC_SPI_CFG, SPI_MODE_EN); +- if (ret) { +- dev_err(dev, "failed to enable SPI mode\n"); +- goto err_out; +- } ++ if (ret) ++ return dev_err_probe(dev, ret, "failed to enable SPI mode\n"); + + ret = dma_set_mask(sfc->dev, DMA_BIT_MASK(32)); +- if (ret) { +- dev_err(sfc->dev, "failed to set dma 
mask\n"); +- goto err_out; +- } ++ if (ret) ++ return dev_err_probe(sfc->dev, ret, "failed to set dma mask\n"); + + sfc->ecc_eng.dev = &pdev->dev; + sfc->ecc_eng.integration = NAND_ECC_ENGINE_INTEGRATION_PIPELINED; +@@ -1158,10 +1146,8 @@ static int aml_sfc_probe(struct platform_device *pdev) + sfc->ecc_eng.priv = sfc; + + ret = nand_ecc_register_on_host_hw_engine(&sfc->ecc_eng); +- if (ret) { +- dev_err(&pdev->dev, "failed to register Aml host ecc engine.\n"); +- goto err_out; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "failed to register Aml host ecc engine.\n"); + + ret = of_property_read_u32(np, "amlogic,rx-adj", &val); + if (!ret) +@@ -1177,24 +1163,7 @@ static int aml_sfc_probe(struct platform_device *pdev) + ctrl->min_speed_hz = SFC_MIN_FREQUENCY; + ctrl->num_chipselect = SFC_MAX_CS_NUM; + +- ret = devm_spi_register_controller(dev, ctrl); +- if (ret) +- goto err_out; +- +- return 0; +- +-err_out: +- aml_sfc_disable_clk(sfc); +- +- return ret; +-} +- +-static void aml_sfc_remove(struct platform_device *pdev) +-{ +- struct spi_controller *ctlr = platform_get_drvdata(pdev); +- struct aml_sfc *sfc = spi_controller_get_devdata(ctlr); +- +- aml_sfc_disable_clk(sfc); ++ return devm_spi_register_controller(dev, ctrl); + } + + static const struct of_device_id aml_sfc_of_match[] = { +@@ -1212,7 +1181,6 @@ static struct platform_driver aml_sfc_driver = { + .of_match_table = aml_sfc_of_match, + }, + .probe = aml_sfc_probe, +- .remove = aml_sfc_remove, + }; + module_platform_driver(aml_sfc_driver); + +-- +2.51.0 + diff --git a/queue-6.18/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch b/queue-6.18/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch new file mode 100644 index 0000000000..e6e35b8d06 --- /dev/null +++ b/queue-6.18/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch 
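Review bot: With `aml_sfc_remove()` deleted the driver has no unbind path at all, yet `nand_ecc_register_on_host_hw_engine(&sfc->ecc_eng)` earlier in probe is not devm-managed; the old remove() did not unregister it either, so this is not a regression, but the hunk makes the omission permanent and the matching unregister helper (via a devm action, or a restored remove()) deserves a follow-up. `return devm_spi_register_controller(dev, ctrl);` also relies on devres running in reverse order so the controller is torn down before devm_clk_get_enabled() gates the clocks; a one-line comment would make that ordering dependency explicit. aml_sfc_probe() starts outside the hunk.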
@@ -0,0 +1,68 @@ +From f308c6ffdbb1f1b0c00e20e689d43f573ad05162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:49:21 +0800 +Subject: spi: amlogic-spisg: Fix memory leak in aml_spisg_probe() + +From: Felix Gu + +[ Upstream commit b8db9552997924b750e727a625a30eaa4603bbb9 ] + +In aml_spisg_probe(), ctlr is allocated by +spi_alloc_target()/spi_alloc_host(), but fails to call +spi_controller_put() in several error paths. This leads +to a memory leak whenever the driver fails to probe after +the initial allocation. + +Convert to use devm_spi_alloc_host()/devm_spi_alloc_target() +to fix the memory leak. + +Fixes: cef9991e04ae ("spi: Add Amlogic SPISG driver") +Signed-off-by: Felix Gu +Link: https://patch.msgid.link/20260308-spisg-v1-1-2cace5cafc24@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-amlogic-spisg.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-amlogic-spisg.c b/drivers/spi/spi-amlogic-spisg.c +index bcd7ec291ad07..6045c89c37c83 100644 +--- a/drivers/spi/spi-amlogic-spisg.c ++++ b/drivers/spi/spi-amlogic-spisg.c +@@ -729,9 +729,9 @@ static int aml_spisg_probe(struct platform_device *pdev) + }; + + if (of_property_read_bool(dev->of_node, "spi-slave")) +- ctlr = spi_alloc_target(dev, sizeof(*spisg)); ++ ctlr = devm_spi_alloc_target(dev, sizeof(*spisg)); + else +- ctlr = spi_alloc_host(dev, sizeof(*spisg)); ++ ctlr = devm_spi_alloc_host(dev, sizeof(*spisg)); + if (!ctlr) + return -ENOMEM; + +@@ -750,10 +750,8 @@ static int aml_spisg_probe(struct platform_device *pdev) + return dev_err_probe(dev, PTR_ERR(spisg->map), "regmap init failed\n"); + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) { +- ret = irq; +- goto out_controller; +- } ++ if (irq < 0) ++ return irq; + + ret = device_reset_optional(dev); + if (ret) +@@ -818,8 +816,6 @@ static int aml_spisg_probe(struct platform_device *pdev) + if (spisg->core) + clk_disable_unprepare(spisg->core); + 
clk_disable_unprepare(spisg->pclk); +-out_controller: +- spi_controller_put(ctlr); + + return ret; + } +-- +2.51.0 + diff --git a/queue-6.18/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.18/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch new file mode 100644 index 0000000000..f9de653537 --- /dev/null +++ b/queue-6.18/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch @@ -0,0 +1,44 @@ +From 9a140ef58d6c35b6ebbf568d3c5667f1c5cb55a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 08:43:06 +0900 +Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure + +From: Josh Law + +[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ] + +If fstat() fails after open() succeeds, the function returns without +closing the file descriptor. Also preserve errno across close(), since +close() may overwrite it before the error is returned. + +Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/ + +Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command") +Signed-off-by: Josh Law +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + tools/bootconfig/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c +index 55d59ed507d54..643f707b8f1da 100644 +--- a/tools/bootconfig/main.c ++++ b/tools/bootconfig/main.c +@@ -162,8 +162,11 @@ static int load_xbc_file(const char *path, char **buf) + if (fd < 0) + return -errno; + ret = fstat(fd, &stat); +- if (ret < 0) +- return -errno; ++ if (ret < 0) { ++ ret = -errno; ++ close(fd); ++ return ret; ++ } + + ret = load_xbc_fd(fd, buf, stat.st_size); + +-- +2.51.0 + diff --git a/queue-6.19/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch b/queue-6.19/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch new file mode 100644 index 0000000000..2dcf9e00b0 --- /dev/null 
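Review bot: Dropping `spi_controller_put(ctlr)` from the error path is correct only if no other path still puts the now devm-owned controller; if aml_spisg_remove() (outside this patch) calls spi_controller_put() after spi_unregister_controller(), that becomes a double put, so please confirm it does not. The remaining tail still disables `spisg->core` and `spisg->pclk` by hand; converting those to devm_clk_get_enabled() would let the label collapse to `return ret;`, though that is a separate cleanup. aml_spisg_probe() starts outside the hunk.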
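Review bot: The fstat() failure path now closes fd and preserves errno, but the success path still hands `stat.st_size` straight to `load_xbc_fd()` with no check that the path is a regular file; for a FIFO, device or directory st_size is 0 or meaningless, so I would add `if (!S_ISREG(stat.st_mode)) { ret = -EINVAL; close(fd); return ret; }` before the call. Whether fd is closed after load_xbc_fd() on the success path is not visible here; load_xbc_file() continues outside the hunk.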
+++ b/queue-6.19/arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch 
@@ -0,0 +1,64 @@ +From 74855fa8456fe725760ca0afb1ebaf888e7d4b66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2026 16:19:01 +0000 +Subject: arm64: realm: Fix PTE_NS_SHARED for 52bit PA support + +From: Suzuki K Poulose + +[ Upstream commit 8c6e9b60f5c7985a9fe41320556a92d7a33451df ] + +With LPA/LPA2, the top bits of the PFN (Bits[51:48]) end up in the lower bits +of the PTE. So, simply creating a mask of the "top IPA bit" doesn't work well +for these configurations to set the "top" bit at the output of Stage1 +translation. + +Fix this by using the __phys_to_pte_val() to do the right thing for all +configurations. + +Tested using, kvmtool, placing the memory at a higher address (-m @). + + e.g: + # lkvm run --realm -c 4 -m 512M@@128T -k Image --console serial + + sh-5.0# dmesg | grep "LPA2\|RSI" +[ 0.000000] RME: Using RSI version 1.0 +[ 0.000000] CPU features: detected: 52-bit Virtual Addressing (LPA2) +[ 0.777354] CPU features: detected: 52-bit Virtual Addressing for KVM (LPA2) + +Fixes: 399306954996 ("arm64: realm: Query IPA size from the RMM") +Cc: Catalin Marinas +Cc: Steven Price +Cc: Will Deacon +Signed-off-by: Suzuki K Poulose +Reviewed-by: Steven Price +Reviewed-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/rsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/rsi.c b/arch/arm64/kernel/rsi.c +index c64a06f58c0bc..9e846ce4ef9ca 100644 +--- a/arch/arm64/kernel/rsi.c ++++ b/arch/arm64/kernel/rsi.c +@@ -12,6 +12,7 @@ + + #include + #include ++#include + #include + + static struct realm_config config; +@@ -146,7 +147,7 @@ void __init arm64_rsi_init(void) + return; + if (WARN_ON(rsi_get_realm_config(&config))) + return; +- prot_ns_shared = BIT(config.ipa_bits - 1); ++ prot_ns_shared = __phys_to_pte_val(BIT(config.ipa_bits - 1)); + + if (arm64_ioremap_prot_hook_register(realm_ioremap_hook)) + return; +-- +2.51.0 + 
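Review bot: `prot_ns_shared = __phys_to_pte_val(BIT(config.ipa_bits - 1));` encodes a layout fact that the commit message explains but the code does not; I would add `/* Top IPA bit marks NS-shared; with LPA/LPA2 PA[51:48] live in the low PTE bits, so encode it via __phys_to_pte_val() */` above it. `config.ipa_bits` comes back from the RMM through rsi_get_realm_config() and is used unchecked: a zero value makes `BIT(-1)` an undefined shift and a value above the supported PA width sets a bit that cannot be a PA bit, so a sanity check alongside the existing WARN_ON (e.g. `WARN_ON(!config.ipa_bits || config.ipa_bits > 52)`) is cheap insurance even though the RMM is trusted. arm64_rsi_init() starts outside the hunk.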
diff --git a/queue-6.19/arm_mpam-fix-null-pointer-dereference-when-restoring.patch b/queue-6.19/arm_mpam-fix-null-pointer-dereference-when-restoring.patch new file mode 100644 index 0000000000..a17f4dd83c --- /dev/null +++ b/queue-6.19/arm_mpam-fix-null-pointer-dereference-when-restoring.patch 
@@ -0,0 +1,62 @@ +From f8f314840b1c3ff9ab8aac2fc1e86b240a196b9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 18:27:16 +0000 +Subject: arm_mpam: Fix null pointer dereference when restoring bandwidth + counters + +From: Ben Horgan + +[ Upstream commit 4ad79c874e53ebb7fe3b8ae7ac6c858a2121f415 ] + +When an MSC supporting memory bandwidth monitoring is brought offline and +then online, mpam_restore_mbwu_state() calls __ris_msmon_read() via ipi to +restore the configuration of the bandwidth counters. It doesn't care about +the value read, mbwu_arg.val, and doesn't set it leading to a null pointer +dereference when __ris_msmon_read() adds to it. This results in a kernel +oops with a call trace such as: + +Call trace: +__ris_msmon_read+0x19c/0x64c (P) +mpam_restore_mbwu_state+0xa0/0xe8 +smp_call_on_cpu_callback+0x1c/0x38 +process_one_work+0x154/0x4b4 +worker_thread+0x188/0x310 +kthread+0x11c/0x130 +ret_from_fork+0x10/0x20 + +Provide a local variable for val to avoid __ris_msmon_read() dereferencing +a null pointer when adding to val. 
+ +Fixes: 41e8a14950e1 ("arm_mpam: Track bandwidth counter state for power management") +Signed-off-by: Ben Horgan +Reviewed-by: James Morse +Signed-off-by: James Morse +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/resctrl/mpam_devices.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/resctrl/mpam_devices.c b/drivers/resctrl/mpam_devices.c +index b495d52918681..41fe421171813 100644 +--- a/drivers/resctrl/mpam_devices.c ++++ b/drivers/resctrl/mpam_devices.c +@@ -1428,6 +1428,7 @@ static void mpam_reprogram_ris_partid(struct mpam_msc_ris *ris, u16 partid, + static int mpam_restore_mbwu_state(void *_ris) + { + int i; ++ u64 val; + struct mon_read mwbu_arg; + struct mpam_msc_ris *ris = _ris; + struct mpam_class *class = ris->vmsc->comp->class; +@@ -1437,6 +1438,7 @@ static int mpam_restore_mbwu_state(void *_ris) + mwbu_arg.ris = ris; + mwbu_arg.ctx = &ris->mbwu_state[i].cfg; + mwbu_arg.type = mpam_msmon_choose_counter(class); ++ mwbu_arg.val = &val; + + __ris_msmon_read(&mwbu_arg); + } +-- +2.51.0 + diff --git a/queue-6.19/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch b/queue-6.19/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch new file mode 100644 index 0000000000..131c564e43 --- /dev/null +++ b/queue-6.19/binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch 
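Review bot: `u64 val;` is never initialized, and the commit message says `__ris_msmon_read()` adds to `*mwbu_arg.val`, so the callee reads an indeterminate value on every loop iteration; the result is discarded, but it is still an uninitialized read that KMSAN-style tooling will flag, and `u64 val = 0;` (or declaring it inside the loop so each counter starts from zero) costs nothing. The pre-existing `mwbu_arg` spelling, versus the `mbwu_state` naming on the neighbouring line, could be fixed while these lines are being touched. mpam_restore_mbwu_state() continues outside the hunk.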
@@ -0,0 +1,74 @@ +From d4331a69a085d8d86422618bc7017933dcbde408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Feb 2026 18:01:05 +0000 +Subject: binfmt_elf_fdpic: fix AUXV size calculation for ELF_HWCAP3 and + ELF_HWCAP4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrei Vagin + +[ Upstream commit 4ced4cf5c9d172d91f181df3accdf949d3761aab ] + +Commit 4e6e8c2b757f ("binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4") added +support for AT_HWCAP3 and AT_HWCAP4, but it missed updating the AUX +vector size calculation in create_elf_fdpic_tables() and +AT_VECTOR_SIZE_BASE in include/linux/auxvec.h. + +Similar to the fix for AT_HWCAP2 in commit c6a09e342f8e ("binfmt_elf_fdpic: +fix AUXV size calculation when ELF_HWCAP2 is defined"), this omission +leads to a mismatch between the reserved space and the actual number of +AUX entries, eventually triggering a kernel BUG_ON(csp != sp). + +Fix this by incrementing nitems when ELF_HWCAP3 or ELF_HWCAP4 are +defined and updating AT_VECTOR_SIZE_BASE. 
+ +Cc: Mark Brown +Cc: Max Filippov +Reviewed-by: Michal Koutný +Reviewed-by: Mark Brown +Reviewed-by: Cyrill Gorcunov +Reviewed-by: Alexander Mikhalitsyn +Fixes: 4e6e8c2b757f ("binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4") +Signed-off-by: Andrei Vagin +Link: https://patch.msgid.link/20260217180108.1420024-2-avagin@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf_fdpic.c | 6 ++++++ + include/linux/auxvec.h | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index 48fd2de3bca05..a3d4e6973b299 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -595,6 +595,12 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, + #ifdef ELF_HWCAP2 + nitems++; + #endif ++#ifdef ELF_HWCAP3 ++ nitems++; ++#endif ++#ifdef ELF_HWCAP4 ++ nitems++; ++#endif + + csp = sp; + sp -= nitems * 2 * sizeof(unsigned long); +diff --git a/include/linux/auxvec.h b/include/linux/auxvec.h +index 407f7005e6d60..8bcb9b7262628 100644 +--- a/include/linux/auxvec.h ++++ b/include/linux/auxvec.h +@@ -4,6 +4,6 @@ + + #include + +-#define AT_VECTOR_SIZE_BASE 22 /* NEW_AUX_ENT entries in auxiliary table */ ++#define AT_VECTOR_SIZE_BASE 24 /* NEW_AUX_ENT entries in auxiliary table */ + /* number of "#define AT_.*" above, minus {AT_NULL, AT_IGNORE, AT_NOTELF} */ + #endif /* _LINUX_AUXVEC_H */ +-- +2.51.0 + diff --git a/queue-6.19/drm-amd-display-fix-displayid-not-found-handling-in-.patch b/queue-6.19/drm-amd-display-fix-displayid-not-found-handling-in-.patch new file mode 100644 index 0000000000..9ee638dc59 --- /dev/null +++ b/queue-6.19/drm-amd-display-fix-displayid-not-found-handling-in-.patch 
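Review bot: The new `#ifdef ELF_HWCAP3` / `#ifdef ELF_HWCAP4` increments keep `nitems` and AT_VECTOR_SIZE_BASE in agreement only by hand, and the BUG_ON(csp != sp) this fixes is exactly what happens when the two drift; a comment at the top of this `#ifdef` run, `/* Keep in sync with AT_VECTOR_SIZE_BASE in include/linux/auxvec.h */`, would at least point whoever adds AT_HWCAP5 at both places. The header bump presumably also resizes the auxv storage used by the non-FDPIC loader, so the change is not FDPIC-only; that use is outside this patch. create_elf_fdpic_tables() continues outside the hunk.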
@@ -0,0 +1,72 @@ +From 53e0b514c630223428882eb17623a989fd2734a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 18:30:26 +0530 +Subject: drm/amd/display: Fix DisplayID not-found handling in + parse_edid_displayid_vrr() + +From: Srinivasan Shanmugam + +[ Upstream commit 2323b019651ad81c20a0f7f817c63392b3110652 ] + +parse_edid_displayid_vrr() searches the EDID extension blocks for a +DisplayID extension before parsing the dynamic video timing range. + +The code previously checked whether edid_ext was NULL after the search +loop. However, edid_ext is assigned during each iteration of the loop, +so it will never be NULL once the loop has executed. If no DisplayID +extension is found, edid_ext ends up pointing to the last extension +block, and the NULL check does not correctly detect the failure case. + +Instead, check whether the loop completed without finding a matching +DisplayID block by testing "i == edid->extensions". This ensures the +function exits early when no DisplayID extension is present and avoids +parsing an unrelated EDID extension block. + +Also simplify the EDID validation check using "!edid || +!edid->extensions". 
+ +Fixes the below: +drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:13079 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 13075) + +Fixes: a638b837d0e6 ("drm/amd/display: Fix refresh rate range for some panel") +Cc: Roman Li +Cc: Alex Hung +Cc: Jerry Zuo +Cc: Sun peng Li +Cc: Tom Chung +Cc: Dan Carpenter +Cc: Aurabindo Pillai +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +(cherry picked from commit 91c7e6342e98c846b259c57273436fdea4c043f2) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index e84ec4365ca6b..5a54d3f4a3de5 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -13101,7 +13101,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector, + u16 min_vfreq; + u16 max_vfreq; + +- if (edid == NULL || edid->extensions == 0) ++ if (!edid || !edid->extensions) + return; + + /* Find DisplayID extension */ +@@ -13111,7 +13111,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector, + break; + } + +- if (edid_ext == NULL) ++ if (i == edid->extensions) + return; + + while (j < EDID_LENGTH) { +-- +2.51.0 + diff --git a/queue-6.19/drm-amd-fix-dcn-2.01-check.patch b/queue-6.19/drm-amd-fix-dcn-2.01-check.patch new file mode 100644 index 0000000000..52ed4d1cb9 --- /dev/null +++ b/queue-6.19/drm-amd-fix-dcn-2.01-check.patch 
@@ -0,0 +1,49 @@
+From 92a6aecaafec7cef360a3f1442fc1b46daa415b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 15 Mar 2026 17:51:47 +0100
+Subject: drm/amd: fix dcn 2.01 check
+
+From: Andy Nguyen
+
+[ Upstream commit 39f44f54afa58661ecae9c27e15f5dbce2372892 ]
+
+The ASICREV_IS_BEIGE_GOBY_P check always took precedence, because it includes all chip revisions upto NV_UNKNOWN.
+
+Fixes: 54b822b3eac3 ("drm/amd/display: Use dce_version instead of chip_id")
+Signed-off-by: Andy Nguyen
+Signed-off-by: Alex Deucher
+(cherry picked from commit 9c7be0efa6f0daa949a5f3e3fdf9ea090b0713cb)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+index 15cf13ec53026..c450feae5fa5b 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+@@ -255,6 +255,10 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
++ if (ctx->dce_version == DCN_VERSION_2_01) {
++ dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
++ return &clk_mgr->base;
++ }
+ if (ASICREV_IS_SIENNA_CICHLID_P(asic_id.hw_internal_rev)) {
+ dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+ return &clk_mgr->base;
+@@ -267,10 +271,6 @@ struct clk_mgr *dc_clk_mgr_create(struct dc_context *ctx, struct pp_smu_funcs *p
+ dcn3_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+ return &clk_mgr->base;
+ }
+- if (ctx->dce_version == DCN_VERSION_2_01) {
+- dcn201_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+- return &clk_mgr->base;
+- }
+ dcn20_clk_mgr_construct(ctx, clk_mgr, pp_smu, dccg);
+ return &clk_mgr->base;
+ }
+--
+2.51.0
+
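Review bot: The relocated `if (ctx->dce_version == DCN_VERSION_2_01)` block is correct only because it now precedes the ASICREV_IS_*() tests, and nothing in the code records that; the commit message's explanation belongs next to the code, e.g. `/* Test dce_version first: ASICREV_IS_BEIGE_GOBY_P() matches every revision up to NV_UNKNOWN, DCN 2.01 parts included */`. An if-chain that mixes dce_version and hw_internal_rev tests is order-dependent by construction, so converting the remaining ASICREV checks to dce_version tests (what Fixes: 54b822b3eac3 set out to do) would remove the hazard entirely. dc_clk_mgr_create() starts and ends outside the hunks.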
diff --git a/queue-6.19/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch b/queue-6.19/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch new file mode 100644 index 0000000000..8e1d32bb3d --- /dev/null +++ b/queue-6.19/drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch 
@@ -0,0 +1,44 @@ +From 47200bccfc571ccf9c6bc349a4337234eb0386c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 11:28:22 +0000 +Subject: drm/bridge: dw-hdmi-qp: fix multi-channel audio output + +From: Jonas Karlman + +[ Upstream commit cffcb42c57686e9a801dfcf37a3d0c62e51c1c3e ] + +Channel Allocation (PB4) and Level Shift Information (PB5) are +configured with values from PB1 and PB2 due to the wrong offset +being used. This results in missing audio channels or incorrect +speaker placement when playing multi-channel audio. + +Use the correct offset to fix multi-channel audio output. + +Fixes: fd0141d1a8a2 ("drm/bridge: synopsys: Add audio support for dw-hdmi-qp") +Reported-by: Christian Hewitt +Signed-off-by: Jonas Karlman +Signed-off-by: Christian Hewitt +Reviewed-by: Cristian Ciocaltea +Link: https://patch.msgid.link/20260228112822.4056354-1-christianshewitt@gmail.com +Signed-off-by: Luca Ceresoli +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c +index 60166919c5b54..ace9d8bcdd197 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c +@@ -838,7 +838,7 @@ static int dw_hdmi_qp_config_audio_infoframe(struct dw_hdmi_qp *hdmi, + + regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS0, &header_bytes, 1); + regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS1, &buffer[3], 1); +- regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS2, &buffer[4], 1); ++ regmap_bulk_write(hdmi->regm, PKT_AUDI_CONTENTS2, &buffer[7], 1); + + /* Enable ACR, AUDI, AMD */ + dw_hdmi_qp_mod(hdmi, +-- +2.51.0 + diff --git a/queue-6.19/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.19/drm-i915-gt-check-set_default_submission-before-defe.patch new file mode 100644 index 0000000000..b14ba55160 --- /dev/null 
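Review bot: `&buffer[3]` and the corrected `&buffer[7]` feed regmap_bulk_write() for 32-bit registers from odd byte offsets; if the regmap core dereferences the value array as u32 rather than assembling bytes, that is a misaligned access, tolerated by arm64 on normal memory but undefined in C and fragile. Assembling each word explicitly, e.g. `regmap_write(hdmi->regm, PKT_AUDI_CONTENTS2, get_unaligned_le32(&buffer[7]))` if the register takes the bytes little-endian, would remove the alignment question along with the bare 3/4/7 indexes that caused this bug; named offsets for the header/checksum and payload boundaries would document the packed layout. dw_hdmi_qp_config_audio_infoframe() continues outside the hunk.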
+++ b/queue-6.19/drm-i915-gt-check-set_default_submission-before-defe.patch 
@@ -0,0 +1,105 @@ +From 3b7db3385309b10341747b8f95dd46504b6aa1ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 10:18:39 +0530 +Subject: drm/i915/gt: Check set_default_submission() before deferencing + +From: Rahul Bukte + +[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ] + +When the i915 driver firmware binaries are not present, the +set_default_submission pointer is not set. This pointer is +dereferenced during suspend anyways. + +Add a check to make sure it is set before dereferencing. + +[ 23.289926] PM: suspend entry (deep) +[ 23.293558] Filesystems sync: 0.000 seconds +[ 23.298010] Freezing user space processes +[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds) +[ 23.309766] OOM killer disabled. +[ 23.313027] Freezing remaining freezable tasks +[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 23.342038] serial 00:05: disabled +[ 23.345719] serial 00:02: disabled +[ 23.349342] serial 00:01: disabled +[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache +[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache +[ 23.361635] ata1.00: Entering standby power mode +[ 23.368863] ata2.00: Entering standby power mode +[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 23.452194] #PF: supervisor instruction fetch in kernel mode +[ 23.457896] #PF: error_code(0x0010) - not-present page +[ 23.463065] PGD 0 P4D 0 +[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI +[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary) +[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN +[ 23.496511] Workqueue: async async_run_entry_fn +[ 23.501087] RIP: 0010:0x0 +[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
+[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246 +[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f +[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000 +[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff +[ 23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8 +[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68 +[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000 +[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0 +[ 23.572539] PKRU: 55555554 +[ 23.575281] Call Trace: +[ 23.577770] +[ 23.579905] intel_engines_reset_default_submission+0x42/0x60 +[ 23.585695] __intel_gt_unset_wedged+0x191/0x200 +[ 23.590360] intel_gt_unset_wedged+0x20/0x40 +[ 23.594675] gt_sanitize+0x15e/0x170 +[ 23.598290] i915_gem_suspend_late+0x6b/0x180 +[ 23.602692] i915_drm_suspend_late+0x35/0xf0 +[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10 +[ 23.611843] dpm_run_callback+0x78/0x1c0 +[ 23.615817] device_suspend_late+0xde/0x2e0 +[ 23.620037] async_suspend_late+0x18/0x30 +[ 23.624082] async_run_entry_fn+0x25/0xa0 +[ 23.628129] process_one_work+0x15b/0x380 +[ 23.632182] worker_thread+0x2a5/0x3c0 +[ 23.635973] ? __pfx_worker_thread+0x10/0x10 +[ 23.640279] kthread+0xf6/0x1f0 +[ 23.643464] ? __pfx_kthread+0x10/0x10 +[ 23.647263] ? __pfx_kthread+0x10/0x10 +[ 23.651045] ret_from_fork+0x131/0x190 +[ 23.654837] ? 
__pfx_kthread+0x10/0x10 +[ 23.658634] ret_from_fork_asm+0x1a/0x30 +[ 23.662597] +[ 23.664826] Modules linked in: +[ 23.667914] CR2: 0000000000000000 +[ 23.671271] ------------[ cut here ]------------ + +Signed-off-by: Rahul Bukte +Reviewed-by: Suraj Kandpal +Signed-off-by: Suraj Kandpal +Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com +(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad) +Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc") +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +index b721bbd233567..ce8cdd517daa1 100644 +--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +@@ -1969,7 +1969,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt) + if (engine->sanitize) + engine->sanitize(engine); + +- engine->set_default_submission(engine); ++ if (engine->set_default_submission) ++ engine->set_default_submission(engine); + } + } + +-- +2.51.0 + diff --git a/queue-6.19/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch b/queue-6.19/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch new file mode 100644 index 0000000000..853dc8e6fe --- /dev/null +++ b/queue-6.19/drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch 
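Review bot: The new guard `if (engine->set_default_submission)` silently skips engines whose submission backend was never installed, and the code gives no hint why that pointer can be NULL; a short comment drawn from the commit message, `/* NULL when GuC firmware was unavailable and submission setup never ran */`, would save the next person a bisect. Skipping is the right thing for the suspend path, but if the NULL state is unexpected elsewhere, a one-time warning (e.g. `GEM_WARN_ON`-style) would surface the missing-firmware condition instead of papering over it. intel_engines_reset_default_submission() starts outside the hunk.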
@@ -0,0 +1,43 @@
+From 89642906a7c32b501907e491aef809bff002c00d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 Mar 2026 14:03:30 -0600
+Subject: drm/vmwgfx: Don't overwrite KMS surface dirty tracker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ian Forbes
+
+[ Upstream commit c6cb77c474a32265e21c4871c7992468bf5e7638 ]
+
+We were overwriting the surface's dirty tracker here causing a memory leak.
+
+Reported-by: Mika Penttilä
+Closes: https://lore.kernel.org/dri-devel/8c53f3c6-c6de-46fe-a8ca-d98dd52b3abe@redhat.com/
+Fixes: 965544150d1c ("drm/vmwgfx: Refactor cursor handling")
+Signed-off-by: Ian Forbes
+Reviewed-by: Maaz Mombasawala
+Signed-off-by: Zack Rusin
+Link: https://patch.msgid.link/20260302200330.66763-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index bc51b5d55e38a..35c7277521a90 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -771,7 +771,8 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev,
+ ret = vmw_bo_dirty_add(bo);
+ if (!ret && surface && surface->res.func->dirty_alloc) {
+ surface->res.coherent = true;
+- ret = surface->res.func->dirty_alloc(&surface->res);
++ if (surface->res.dirty == NULL)
++ ret = surface->res.func->dirty_alloc(&surface->res);
+ }
+ ttm_bo_unreserve(&bo->tbo);
+ }
+--
+2.51.0
+
diff --git a/queue-6.19/drm-xe-guc-fail-immediately-on-guc-load-error.patch b/queue-6.19/drm-xe-guc-fail-immediately-on-guc-load-error.patch
new file mode 100644
index 0000000000..99e2e1828d
--- /dev/null
+++ b/queue-6.19/drm-xe-guc-fail-immediately-on-guc-load-error.patch
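Review bot: `if (surface->res.dirty == NULL)` should be written `if (!surface->res.dirty)`; checkpatch flags explicit NULL comparisons and the enclosing condition `if (!ret && surface && ...)` already uses the implicit form. The guard stops the leak but leaves no trace of why a tracker can already exist here (presumably the same surface being wrapped in a second framebuffer); a comment such as `/* A surface may back several framebuffers; keep the tracker allocated by the first */` would preserve that. Note that `ret` now keeps the vmw_bo_dirty_add() result when the tracker already exists, which is the intended success value. vmw_kms_fb_create() continues outside the hunk.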
@@ -0,0 +1,65 @@ +From e56811bd2fe3f0c14845d7137b0dd4313b33eec0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Mar 2026 16:17:33 -0800 +Subject: drm/xe/guc: Fail immediately on GuC load error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniele Ceraolo Spurio + +[ Upstream commit 9b72283ec9b8685acdb3467de8fbc3352fdb70bb ] + +By using the same variable for both the return of poll_timeout_us and +the return of the polled function guc_wait_ucode, the return value of +the latter is overwritten and lost after exiting the polling loop. Since +guc_wait_ucode returns -1 on GuC load failure, we lose that information +and always continue as if the GuC had been loaded correctly. + +This is fixed by simply using 2 separate variables. + +Fixes: a4916b4da448 ("drm/xe/guc: Refactor GuC load to use poll_timeout_us()") +Signed-off-by: Daniele Ceraolo Spurio +Reviewed-by: Matthew Brost +Signed-off-by: Vinay Belgaumkar +Link: https://patch.msgid.link/20260303001732.2540493-2-daniele.ceraolospurio@intel.com +(cherry picked from commit c85ec5c5753a46b5c2aea1292536487be9470ffe) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_guc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_guc.c b/drivers/gpu/drm/xe/xe_guc.c +index edb939f262685..2eaa009ba2d8d 100644 +--- a/drivers/gpu/drm/xe/xe_guc.c ++++ b/drivers/gpu/drm/xe/xe_guc.c +@@ -1121,14 +1121,14 @@ static int guc_wait_ucode(struct xe_guc *guc) + struct xe_guc_pc *guc_pc = >->uc.guc.pc; + u32 before_freq, act_freq, cur_freq; + u32 status = 0, tries = 0; ++ int load_result, ret; + ktime_t before; + u64 delta_ms; +- int ret; + + before_freq = xe_guc_pc_get_act_freq(guc_pc); + before = ktime_get(); + +- ret = poll_timeout_us(ret = guc_load_done(gt, &status, &tries), ret, ++ ret = poll_timeout_us(load_result = guc_load_done(gt, &status, &tries), load_result, + 10 * USEC_PER_MSEC, + 
GUC_LOAD_TIMEOUT_SEC * USEC_PER_SEC, false); + +@@ -1136,7 +1136,7 @@ static int guc_wait_ucode(struct xe_guc *guc) + act_freq = xe_guc_pc_get_act_freq(guc_pc); + cur_freq = xe_guc_pc_get_cur_freq_fw(guc_pc); + +- if (ret) { ++ if (ret || load_result <= 0) { + xe_gt_err(gt, "load failed: status = 0x%08X, time = %lldms, freq = %dMHz (req %dMHz)\n", + status, delta_ms, xe_guc_pc_get_act_freq(guc_pc), + xe_guc_pc_get_cur_freq_fw(guc_pc)); +-- +2.51.0 + diff --git a/queue-6.19/fs-tests-exec-remove-bad-test-vector.patch b/queue-6.19/fs-tests-exec-remove-bad-test-vector.patch new file mode 100644 index 0000000000..7325639a3a --- /dev/null +++ b/queue-6.19/fs-tests-exec-remove-bad-test-vector.patch 
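Review bot: With the separate `load_result`, a poll timeout (`ret` non-zero) and an explicit GuC load failure (`load_result <= 0`) now share the single "load failed" message, so the log no longer says which of the two happened. Consider folding the cause into the existing xe_gt_err(), e.g. `xe_gt_err(gt, "load failed (%s): status = 0x%08X, ...", ret ? "timeout" : "error", status, ...)`. What the function returns after this branch lies outside the hunk, so it is worth confirming that the `load_result <= 0` case now yields a negative return as the description intends. guc_wait_ucode() starts before and ends after the visible lines.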
@@ -0,0 +1,37 @@ +From bf475bcc9705d0f7a7f2f2b9869ea6fd40e99af8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2026 11:36:29 -0700 +Subject: fs/tests: exec: Remove bad test vector + +From: Kees Cook + +[ Upstream commit c4192754e836e0ffed95833509b6ada975b74418 ] + +Drop an unusable test in the bprm stack limits. + +Reported-by: Guenter Roeck +Closes: https://lore.kernel.org/all/a3e9b1c2-40c1-45df-9fa2-14ee6a7b3fe2@roeck-us.net +Fixes: 60371f43e56b ("exec: Add KUnit test for bprm_stack_limits()") +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/tests/exec_kunit.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/tests/exec_kunit.c b/fs/tests/exec_kunit.c +index f412d1a0f6bba..1c32cac098cf5 100644 +--- a/fs/tests/exec_kunit.c ++++ b/fs/tests/exec_kunit.c +@@ -94,9 +94,6 @@ static const struct bprm_stack_limits_result bprm_stack_limits_results[] = { + { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * 3 + sizeof(void *)), + .argc = 0, .envc = 0 }, + .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) }, +- { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * (_STK_LIM / 4 * + sizeof(void *)), +- .argc = 0, .envc = 0 }, +- .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) }, + { { .p = ULONG_MAX, .rlim_stack.rlim_cur = 4 * _STK_LIM, + .argc = 0, .envc = 0 }, + .expected_argmin = ULONG_MAX - (_STK_LIM / 4 * 3) + sizeof(void *) }, +-- +2.51.0 + diff --git a/queue-6.19/hwmon-max6639-fix-pulses-per-revolution-implementati.patch b/queue-6.19/hwmon-max6639-fix-pulses-per-revolution-implementati.patch new file mode 100644 index 0000000000..8160432549 --- /dev/null +++ b/queue-6.19/hwmon-max6639-fix-pulses-per-revolution-implementati.patch 
@@ -0,0 +1,66 @@ +From 1fd0f7327b6c2ee0e46454b19739cb580fb67cf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 21:31:22 -0700 +Subject: hwmon: (max6639) Fix pulses-per-revolution implementation + +From: Guenter Roeck + +[ Upstream commit e7bae9a7a5e1251ab414291f4e9304d702bb9221 ] + +The valid range for the pulses-per-revolution devicetree property is +1..4. The current code checks for a range of 1..5. Fix it. + +Declare the variable used to retrieve pulses per revolution from +devicetree as u32 (unsigned) to match the of_property_read_u32() API. + +The current code uses a postfix decrement when writing the pulses per +resolution into the chip. This has no effect since the value is evaluated +before it is decremented. Fix it by decrementing before evaluating the +value. + +Fixes: 7506ebcd662b ("hwmon: (max6639) : Configure based on DT property") +Cc: Naresh Solanki +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max6639.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hwmon/max6639.c b/drivers/hwmon/max6639.c +index 48fde4f1a1561..b6b32286d967a 100644 +--- a/drivers/hwmon/max6639.c ++++ b/drivers/hwmon/max6639.c +@@ -232,7 +232,7 @@ static int max6639_read_fan(struct device *dev, u32 attr, int channel, + static int max6639_set_ppr(struct max6639_data *data, int channel, u8 ppr) + { + /* Decrement the PPR value and shift left by 6 to match the register format */ +- return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), ppr-- << 6); ++ return regmap_write(data->regmap, MAX6639_REG_FAN_PPR(channel), --ppr << 6); + } + + static int max6639_write_fan(struct device *dev, u32 attr, int channel, +@@ -524,8 +524,8 @@ static int max6639_probe_child_from_dt(struct i2c_client *client, + + { + struct device *dev = &client->dev; +- u32 i; +- int err, val; ++ u32 i, val; ++ int err; + + err = of_property_read_u32(child, "reg", &i); + if (err) { +@@ -540,8 +540,8 @@ static int 
max6639_probe_child_from_dt(struct i2c_client *client, + + err = of_property_read_u32(child, "pulses-per-revolution", &val); + if (!err) { +- if (val < 1 || val > 5) { +- dev_err(dev, "invalid pulses-per-revolution %d of %pOFn\n", val, child); ++ if (val < 1 || val > 4) { ++ dev_err(dev, "invalid pulses-per-revolution %u of %pOFn\n", val, child); + return -EINVAL; + } + data->ppr[i] = val; +-- +2.51.0 + diff --git a/queue-6.19/iommu-amd-block-identity-domain-when-snp-enabled.patch b/queue-6.19/iommu-amd-block-identity-domain-when-snp-enabled.patch new file mode 100644 index 0000000000..6bb729464e --- /dev/null +++ b/queue-6.19/iommu-amd-block-identity-domain-when-snp-enabled.patch 
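Review bot: `--ppr << 6` in max6639_set_ppr() wraps when `ppr` is 0 (the u8 becomes 255 and the shifted value is 0x3fc0), so the helper still depends on every caller having validated the 1..4 range; the devicetree path now does, but the sysfs path through max6639_write_fan() is not visible here. A guard at the top of max6639_set_ppr(), `if (ppr < 1 || ppr > 4) return -EINVAL;`, would make the helper safe regardless of caller. The `%u` change in the second hunk correctly matches the new `u32 val`. max6639_probe_child_from_dt() continues beyond the hunk.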
@@ -0,0 +1,89 @@ +From 5e6153083a47cc52ca5b8bec42d37c2daa1b920c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 16:52:33 -0700 +Subject: iommu/amd: Block identity domain when SNP enabled + +From: Joe Damato + +[ Upstream commit ba17de98545d07285d15ce4fe2afe98283338fb0 ] + +Previously, commit 8388f7df936b ("iommu/amd: Do not support +IOMMU_DOMAIN_IDENTITY after SNP is enabled") prevented users from +changing the IOMMU domain to identity if SNP was enabled. + +This resulted in an error when writing to sysfs: + + # echo "identity" > /sys/kernel/iommu_groups/50/type + -bash: echo: write error: Cannot allocate memory + +However, commit 4402f2627d30 ("iommu/amd: Implement global identity +domain") changed the flow of the code, skipping the SNP guard and +allowing users to change the IOMMU domain to identity after a machine +has booted. + +Once the user does that, they will probably try to bind and the +device/driver will start to do DMA which will trigger errors: + + iommu ivhd3: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:43:00.0 pasid=0x00000 address=0x3737b01000 flags=0x0020] + iommu ivhd3: AMD-Vi: Control Reg : 0xc22000142148d + AMD-Vi: DTE[0]: 6000000000000003 + AMD-Vi: DTE[1]: 0000000000000001 + AMD-Vi: DTE[2]: 2000003088b3e013 + AMD-Vi: DTE[3]: 0000000000000000 + bnxt_en 0000:43:00.0 (unnamed net_device) (uninitialized): Error (timeout: 500015) msg {0x0 0x0} len:0 + iommu ivhd3: AMD-Vi: Event logged [ILLEGAL_DEV_TABLE_ENTRY device=0000:43:00.0 pasid=0x00000 address=0x3737b01000 flags=0x0020] + iommu ivhd3: AMD-Vi: Control Reg : 0xc22000142148d + AMD-Vi: DTE[0]: 6000000000000003 + AMD-Vi: DTE[1]: 0000000000000001 + AMD-Vi: DTE[2]: 2000003088b3e013 + AMD-Vi: DTE[3]: 0000000000000000 + bnxt_en 0000:43:00.0: probe with driver bnxt_en failed with error -16 + +To prevent this from happening, create an attach wrapper for +identity_domain_ops which returns EINVAL if amd_iommu_snp_en is true. 
+ +With this commit applied: + + # echo "identity" > /sys/kernel/iommu_groups/62/type + -bash: echo: write error: Invalid argument + +Fixes: 4402f2627d30 ("iommu/amd: Implement global identity domain") +Signed-off-by: Joe Damato +Reviewed-by: Vasant Hegde +Reviewed-by: Jason Gunthorpe +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index e216b5a13d49d..cdcce33336826 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -2854,8 +2854,21 @@ static struct iommu_domain blocked_domain = { + + static struct protection_domain identity_domain; + ++static int amd_iommu_identity_attach(struct iommu_domain *dom, struct device *dev, ++ struct iommu_domain *old) ++{ ++ /* ++ * Don't allow attaching a device to the identity domain if SNP is ++ * enabled. ++ */ ++ if (amd_iommu_snp_en) ++ return -EINVAL; ++ ++ return amd_iommu_attach_device(dom, dev, old); ++} ++ + static const struct iommu_domain_ops identity_domain_ops = { +- .attach_dev = amd_iommu_attach_device, ++ .attach_dev = amd_iommu_identity_attach, + }; + + void amd_iommu_init_identity_domain(void) +-- +2.51.0 + diff --git a/queue-6.19/iommu-fix-mapping-check-for-0x0-to-avoid-re-mapping-.patch b/queue-6.19/iommu-fix-mapping-check-for-0x0-to-avoid-re-mapping-.patch new file mode 100644 index 0000000000..c7932b4d12 --- /dev/null +++ b/queue-6.19/iommu-fix-mapping-check-for-0x0-to-avoid-re-mapping-.patch 
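Review bot: The comment above the new `if (amd_iommu_snp_en)` check restates the code rather than the reason; the description explains that once SNP is enabled an identity attach leaves the device unable to DMA, as the ILLEGAL_DEV_TABLE_ENTRY events show. Suggest `/* With SNP enabled an identity mapping yields a device table entry the IOMMU rejects and the device cannot DMA; refuse the attach so a sysfs type change cannot break it. */`. The refusal is silent, so a one-time `dev_info()` naming SNP as the reason would turn the sysfs "Invalid argument" into something a user can act on — optional. Whether boot-time default-domain selection can still pick the identity domain under SNP is outside the hunk and worth confirming.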
@@ -0,0 +1,74 @@ +From 7caafd76c5f43cff4878625a0d2dcea3448eaee1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 09:06:37 +0100 +Subject: iommu: Fix mapping check for 0x0 to avoid re-mapping it + +From: Antheas Kapenekakis + +[ Upstream commit 0a4d00e2e99a39a5698e4b63c394415dcbb39d90 ] + +Commit 789a5913b29c ("iommu/amd: Use the generic iommu page table") +introduces the shared iommu page table for AMD IOMMU. Some bioses +contain an identity mapping for address 0x0, which is not parsed +properly (e.g., certain Strix Halo devices). This causes the DMA +components of the device to fail to initialize (e.g., the NVMe SSD +controller), leading to a failed post. + +Specifically, on the GPD Win 5, the NVME and SSD GPU fail to mount, +making collecting errors difficult. While debugging, it was found that +a -EADDRINUSE error was emitted and its source was traced to +iommu_iova_to_phys(). After adding some debug prints, it was found that +phys_addr becomes 0, which causes the code to try to re-map the 0 +address and fail, causing a cascade leading to a failed post. This is +because the GPD Win 5 contains a 0x0-0x1 identity mapping for DMA +devices, causing it to be repeated for each device. + +The cause of this failure is the following check in +iommu_create_device_direct_mappings(), where address aliasing is handled +via the following check: + +``` +phys_addr = iommu_iova_to_phys(domain, addr); +if (!phys_addr) { + map_size += pg_size; + continue; +} +```` + +Obviously, the iommu_iova_to_phys() signature is faulty and aliases +unmapped and 0 together, causing the allocation code to try to +re-allocate the 0 address per device. However, it has too many +instantiations to fix. Therefore, use a ternary so that when addr +is 0, the check is done for address 1 instead. 
+ +Suggested-by: Robin Murphy +Fixes: 789a5913b29c ("iommu/amd: Use the generic iommu page table") +Signed-off-by: Antheas Kapenekakis +Reviewed-by: Vasant Hegde +Reviewed-by: Jason Gunthorpe +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index 2ca990dfbb884..3a0c0e4b42fff 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -1207,7 +1207,11 @@ static int iommu_create_device_direct_mappings(struct iommu_domain *domain, + if (addr == end) + goto map_end; + +- phys_addr = iommu_iova_to_phys(domain, addr); ++ /* ++ * Return address by iommu_iova_to_phys for 0 is ++ * ambiguous. Offset to address 1 if addr is 0. ++ */ ++ phys_addr = iommu_iova_to_phys(domain, addr ? addr : 1); + if (!phys_addr) { + map_size += pg_size; + continue; +-- +2.51.0 + diff --git a/queue-6.19/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch b/queue-6.19/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch new file mode 100644 index 0000000000..774ce56bf2 --- /dev/null +++ b/queue-6.19/iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch 
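Review bot: `addr ? addr : 1` relies on IOVA 1 lying in the same page as IOVA 0 so that the lookup answers for the same mapping; that holds for any page size but is not stated, and the comment's first sentence reads awkwardly. Suggest `/* iommu_iova_to_phys() returns 0 both for "unmapped" and for "mapped to physical 0", so probe IOVA 1 (same page) when addr is 0. */`. The workaround only covers IOVA 0; a direct mapping whose physical address is 0 at a non-zero IOVA would still be mistaken for unmapped, which presumably cannot occur for identity-style direct mappings but may merit a sentence. iommu_create_device_direct_mappings() starts and ends outside the hunk.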
@@ -0,0 +1,59 @@ +From 789ac296d4f06c76213eeeec2a80a7f53a56590d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 22:18:42 -0800 +Subject: iommu/sva: Fix crash in iommu_sva_unbind_device() + +From: Lizhi Hou + +[ Upstream commit 06e14c36e20b48171df13d51b89fe67c594ed07a ] + +domain->mm->iommu_mm can be freed by iommu_domain_free(): + iommu_domain_free() + mmdrop() + __mmdrop() + mm_pasid_drop() +After iommu_domain_free() returns, accessing domain->mm->iommu_mm may +dereference a freed mm structure, leading to a crash. + +Fix this by moving the code that accesses domain->mm->iommu_mm to before +the call to iommu_domain_free(). + +Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space") +Signed-off-by: Lizhi Hou +Reviewed-by: Jason Gunthorpe +Reviewed-by: Yi Liu +Reviewed-by: Vasant Hegde +Reviewed-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu-sva.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c +index e1e63c2be82b2..fd735aaae9e3f 100644 +--- a/drivers/iommu/iommu-sva.c ++++ b/drivers/iommu/iommu-sva.c +@@ -182,13 +182,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle) + iommu_detach_device_pasid(domain, dev, iommu_mm->pasid); + if (--domain->users == 0) { + list_del(&domain->next); +- iommu_domain_free(domain); +- } ++ if (list_empty(&iommu_mm->sva_domains)) { ++ list_del(&iommu_mm->mm_list_elm); ++ if (list_empty(&iommu_sva_mms)) ++ iommu_sva_present = false; ++ } + +- if (list_empty(&iommu_mm->sva_domains)) { +- list_del(&iommu_mm->mm_list_elm); +- if (list_empty(&iommu_sva_mms)) +- iommu_sva_present = false; ++ iommu_domain_free(domain); + } + + mutex_unlock(&iommu_sva_lock); +-- +2.51.0 + 
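Review bot: The reordering is correct only because the `iommu_mm` bookkeeping now runs solely when `--domain->users == 0`; that is equivalent to the old unconditional check since a domain still in use is still on `iommu_mm->sva_domains` and the list cannot be empty, but nothing in the code says so. A comment on the moved call would guard against a future re-split: `/* Must be last: iommu_domain_free() drops the mm and may free iommu_mm. */`. `iommu_mm` is still dereferenced by the list_empty()/list_del() pair before the free, which is the point of the change. iommu_sva_unbind_device() starts before the hunk.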
diff --git a/queue-6.19/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch b/queue-6.19/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch new file mode 100644 index 0000000000..10ec79d4da --- /dev/null +++ b/queue-6.19/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch 
@@ -0,0 +1,128 @@ +From b191aa1613499dc7b2a7a1c5b6b5c7ffcfd5d911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:15:51 +0900 +Subject: ksmbd: fix use-after-free in durable v2 replay of active file handles + +From: Hyunwoo Kim + +[ Upstream commit b425e4d0eb321a1116ddbf39636333181675d8f4 ] + +parse_durable_handle_context() unconditionally assigns dh_info->fp->conn +to the current connection when handling a DURABLE_REQ_V2 context with +SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by +fp->conn, so it returns file handles that are already actively connected. +The unconditional overwrite replaces fp->conn, and when the overwriting +connection is subsequently freed, __ksmbd_close_fd() dereferences the +stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a +use-after-free. + +KASAN report: + +[ 7.349357] ================================================================== +[ 7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0 +[ 7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108 +[ 7.350010] +[ 7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY +[ 7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 7.350070] Workqueue: ksmbd-io handle_ksmbd_work +[ 7.350083] Call Trace: +[ 7.350087] +[ 7.350087] dump_stack_lvl+0x64/0x80 +[ 7.350094] print_report+0xce/0x660 +[ 7.350100] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 7.350101] ? __pfx___mod_timer+0x10/0x10 +[ 7.350106] ? _raw_spin_lock+0x75/0xe0 +[ 7.350108] kasan_report+0xce/0x100 +[ 7.350109] ? _raw_spin_lock+0x75/0xe0 +[ 7.350114] kasan_check_range+0x105/0x1b0 +[ 7.350116] _raw_spin_lock+0x75/0xe0 +[ 7.350118] ? __pfx__raw_spin_lock+0x10/0x10 +[ 7.350119] ? __call_rcu_common.constprop.0+0x25e/0x780 +[ 7.350125] ? 
close_id_del_oplock+0x2cc/0x4e0 +[ 7.350128] __ksmbd_close_fd+0x27f/0xaf0 +[ 7.350131] ksmbd_close_fd+0x135/0x1b0 +[ 7.350133] smb2_close+0xb19/0x15b0 +[ 7.350142] ? __pfx_smb2_close+0x10/0x10 +[ 7.350143] ? xas_load+0x18/0x270 +[ 7.350146] ? _raw_spin_lock+0x84/0xe0 +[ 7.350148] ? __pfx__raw_spin_lock+0x10/0x10 +[ 7.350150] ? _raw_spin_unlock+0xe/0x30 +[ 7.350151] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 7.350153] ? ksmbd_tree_conn_lookup+0xcd/0xf0 +[ 7.350154] handle_ksmbd_work+0x40f/0x1080 +[ 7.350156] process_one_work+0x5fa/0xef0 +[ 7.350162] ? assign_work+0x122/0x3e0 +[ 7.350163] worker_thread+0x54b/0xf70 +[ 7.350165] ? __pfx_worker_thread+0x10/0x10 +[ 7.350166] kthread+0x346/0x470 +[ 7.350170] ? recalc_sigpending+0x19b/0x230 +[ 7.350176] ? __pfx_kthread+0x10/0x10 +[ 7.350178] ret_from_fork+0x4fb/0x6c0 +[ 7.350183] ? __pfx_ret_from_fork+0x10/0x10 +[ 7.350185] ? __switch_to+0x36c/0xbe0 +[ 7.350188] ? __pfx_kthread+0x10/0x10 +[ 7.350190] ret_from_fork_asm+0x1a/0x30 +[ 7.350197] +[ 7.350197] +[ 7.355160] Allocated by task 123: +[ 7.355261] kasan_save_stack+0x33/0x60 +[ 7.355373] kasan_save_track+0x14/0x30 +[ 7.355484] __kasan_kmalloc+0x8f/0xa0 +[ 7.355593] ksmbd_conn_alloc+0x44/0x6d0 +[ 7.355711] ksmbd_kthread_fn+0x243/0xd70 +[ 7.355839] kthread+0x346/0x470 +[ 7.355942] ret_from_fork+0x4fb/0x6c0 +[ 7.356051] ret_from_fork_asm+0x1a/0x30 +[ 7.356164] +[ 7.356214] Freed by task 134: +[ 7.356305] kasan_save_stack+0x33/0x60 +[ 7.356416] kasan_save_track+0x14/0x30 +[ 7.356527] kasan_save_free_info+0x3b/0x60 +[ 7.356646] __kasan_slab_free+0x43/0x70 +[ 7.356761] kfree+0x1ca/0x430 +[ 7.356862] ksmbd_tcp_disconnect+0x59/0xe0 +[ 7.356993] ksmbd_conn_handler_loop+0x77e/0xd40 +[ 7.357138] kthread+0x346/0x470 +[ 7.357240] ret_from_fork+0x4fb/0x6c0 +[ 7.357350] ret_from_fork_asm+0x1a/0x30 +[ 7.357463] +[ 7.357513] The buggy address belongs to the object at ffff8881056ac000 +[ 7.357513] which belongs to the cache kmalloc-1k of size 1024 +[ 7.357857] The buggy address is 
located 396 bytes inside of +[ 7.357857] freed 1024-byte region [ffff8881056ac000, ffff8881056ac400) + +Fix by removing the unconditional fp->conn assignment and rejecting the +replay when fp->conn is non-NULL. This is consistent with +ksmbd_lookup_durable_fd(), which also rejects file handles with a +non-NULL fp->conn. For disconnected file handles (fp->conn == NULL), +ksmbd_reopen_durable_fd() handles setting fp->conn. + +Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 80ca55e28a972..8d18a97eed275 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2830,7 +2830,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work, + goto out; + } + +- dh_info->fp->conn = conn; ++ if (dh_info->fp->conn) { ++ ksmbd_put_durable_fd(dh_info->fp); ++ err = -EBADF; ++ goto out; ++ } + dh_info->reconnected = true; + goto out; + } +-- +2.51.0 + diff --git a/queue-6.19/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.19/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch new file mode 100644 index 0000000000..f3554429f6 --- /dev/null +++ b/queue-6.19/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch 
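Review bot: The new `if (dh_info->fp->conn)` check reads `fp->conn` with no lock visible in the hunk; if a disconnect can clear `conn` concurrently with a replay, this check and the later assignment in ksmbd_reopen_durable_fd() mentioned in the description could race, so it is worth confirming what ksmbd_lookup_fd_cguid() holds across the call. The release via `ksmbd_put_durable_fd()` before the `goto out` looks right given the lookup took a reference. A comment would record the contract the description states: `/* Only a disconnected handle (conn == NULL) may be replayed; an active one is rejected — same rule as ksmbd_lookup_durable_fd(). */`. parse_durable_handle_context() extends beyond the hunk.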
@@ -0,0 +1,135 @@ +From 9683fa581bcf82dd2666bf25e7e14dbc46deed06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:17:02 +0900 +Subject: ksmbd: fix use-after-free of share_conf in compound request + +From: Hyunwoo Kim + +[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ] + +smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without +validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == +TREE_CONNECTED on the initial lookup path, but the compound reuse path +bypasses this check entirely. + +If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state +to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), +subsequent commands dereference the freed share_conf through +work->tcon->share_conf. + +KASAN report: + +[ 4.144653] ================================================================== +[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70 +[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44 +[ 4.145772] +[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY +[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work +[ 4.145888] Call Trace: +[ 4.145892] +[ 4.145894] dump_stack_lvl+0x64/0x80 +[ 4.145910] print_report+0xce/0x660 +[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 4.145928] ? smb2_write+0xc74/0xe70 +[ 4.145931] kasan_report+0xce/0x100 +[ 4.145934] ? smb2_write+0xc74/0xe70 +[ 4.145937] smb2_write+0xc74/0xe70 +[ 4.145939] ? __pfx_smb2_write+0x10/0x10 +[ 4.145942] ? _raw_spin_unlock+0xe/0x30 +[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480 +[ 4.145951] handle_ksmbd_work+0x40f/0x1080 +[ 4.145953] process_one_work+0x5fa/0xef0 +[ 4.145962] ? assign_work+0x122/0x3e0 +[ 4.145964] worker_thread+0x54b/0xf70 +[ 4.145967] ? 
__pfx_worker_thread+0x10/0x10 +[ 4.145970] kthread+0x346/0x470 +[ 4.145976] ? recalc_sigpending+0x19b/0x230 +[ 4.145980] ? __pfx_kthread+0x10/0x10 +[ 4.145984] ret_from_fork+0x4fb/0x6c0 +[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10 +[ 4.145995] ? __switch_to+0x36c/0xbe0 +[ 4.145999] ? __pfx_kthread+0x10/0x10 +[ 4.146003] ret_from_fork_asm+0x1a/0x30 +[ 4.146013] +[ 4.146014] +[ 4.149858] Allocated by task 44: +[ 4.149953] kasan_save_stack+0x33/0x60 +[ 4.150061] kasan_save_track+0x14/0x30 +[ 4.150169] __kasan_kmalloc+0x8f/0xa0 +[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0 +[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600 +[ 4.150529] smb2_tree_connect+0x2e6/0x1000 +[ 4.150645] handle_ksmbd_work+0x40f/0x1080 +[ 4.150761] process_one_work+0x5fa/0xef0 +[ 4.150873] worker_thread+0x54b/0xf70 +[ 4.150978] kthread+0x346/0x470 +[ 4.151071] ret_from_fork+0x4fb/0x6c0 +[ 4.151176] ret_from_fork_asm+0x1a/0x30 +[ 4.151286] +[ 4.151332] Freed by task 44: +[ 4.151418] kasan_save_stack+0x33/0x60 +[ 4.151526] kasan_save_track+0x14/0x30 +[ 4.151634] kasan_save_free_info+0x3b/0x60 +[ 4.151751] __kasan_slab_free+0x43/0x70 +[ 4.151861] kfree+0x1ca/0x430 +[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190 +[ 4.152088] smb2_tree_disconnect+0x1cd/0x480 +[ 4.152211] handle_ksmbd_work+0x40f/0x1080 +[ 4.152326] process_one_work+0x5fa/0xef0 +[ 4.152438] worker_thread+0x54b/0xf70 +[ 4.152545] kthread+0x346/0x470 +[ 4.152638] ret_from_fork+0x4fb/0x6c0 +[ 4.152743] ret_from_fork_asm+0x1a/0x30 +[ 4.152853] +[ 4.152900] The buggy address belongs to the object at ffff88810430c180 +[ 4.152900] which belongs to the cache kmalloc-96 of size 96 +[ 4.153226] The buggy address is located 20 bytes inside of +[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0) +[ 4.153549] +[ 4.153596] The buggy address belongs to the physical page: +[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c +[ 4.154000] flags: 
0x100000000000200(workingset|node=0|zone=2) +[ 4.154160] page_type: f5(slab) +[ 4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110 +[ 4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000 +[ 4.154668] page dumped because: kasan: bad access detected +[ 4.154820] +[ 4.154866] Memory state around the buggy address: +[ 4.155002] ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155196] ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 4.155587] ^ +[ 4.155693] ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.155891] ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 4.156087] ================================================================== + +Add the same t_state validation to the compound reuse path, consistent +with ksmbd_tree_conn_lookup(). + +Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 1ec9060ffe912..80ca55e28a972 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -125,6 +125,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work) + pr_err("The first operation in the compound does not have tcon\n"); + return -EINVAL; + } ++ if (work->tcon->t_state != TREE_CONNECTED) ++ return -ENOENT; + if (tree_id != UINT_MAX && work->tcon->id != tree_id) { + pr_err("tree id(%u) is different with id(%u) in first operation\n", + tree_id, work->tcon->id); +-- +2.51.0 + 
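Review bot: The new `t_state != TREE_CONNECTED` check reads the state without any locking visible here; within a single compound processed by one worker that is presumably fine, but a comment should say why the check is needed, e.g. `/* a prior TREE_DISCONNECT in this compound may have freed tcon->share_conf */`. It is also worth confirming that the caller maps `-ENOENT` to the same SMB2 status the initial ksmbd_tree_conn_lookup() failure yields, so clients see consistent behaviour. Unlike the neighbouring error paths this one does not pr_err(), which seems deliberate to avoid log noise. smb2_get_ksmbd_tcon() starts before the hunk.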
diff --git a/queue-6.19/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.19/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch new file mode 100644 index 0000000000..fa1f1e9f45 --- /dev/null +++ b/queue-6.19/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch 
@@ -0,0 +1,49 @@
+From 97d0b91f0412645e31409254fd5f76a8f10c3571 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 0728c4a95249b..5d3802eba52a3 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -712,7 +712,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+ if (op == ':') {
+ unsigned short nidx = child->next;
+
+- xbc_init_node(child, v, XBC_VALUE);
++ if (xbc_init_node(child, v, XBC_VALUE) < 0)
++ return xbc_parse_error("Failed to override value", v);
+ child->next = nidx; /* keep subkeys */
+ goto array;
+ }
+--
+2.51.0
+
diff --git a/queue-6.19/mshv-fix-use-after-free-in-mshv_map_user_memory-erro.patch b/queue-6.19/mshv-fix-use-after-free-in-mshv_map_user_memory-erro.patch
new file mode 100644
index 0000000000..18542266f8
--- /dev/null
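Review bot: On the new error return `child->next = nidx` is skipped, so if xbc_init_node() modified the node before failing the subkey link is left stale; that is harmless only because xbc_parse_error() aborts the whole parse, and a short comment would make that explicit, e.g. `/* parse aborts here; child->next need not be restored */`. The check now matches the xbc_add_node() path the description cites. xbc_parse_kv() starts before the hunk.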
+++ b/queue-6.19/mshv-fix-use-after-free-in-mshv_map_user_memory-erro.patch
@@ -0,0 +1,41 @@
+From 0b2e7c2e72664e8c0623eb9bd483260483c414a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 16:02:53 +0000
+Subject: mshv: Fix use-after-free in mshv_map_user_memory error path
+
+From: Stanislav Kinsburskii
+
+[ Upstream commit 6922db250422a0dfee34de322f86b7a73d713d33 ]
+
+In the error path of mshv_map_user_memory(), calling vfree() directly on
+the region leaves the MMU notifier registered. When userspace later unmaps
+the memory, the notifier fires and accesses the freed region, causing a
+use-after-free and potential kernel panic.
+
+Replace vfree() with mshv_partition_put() to properly unregister
+the MMU notifier before freeing the region.
+
+Fixes: b9a66cd5ccbb9 ("mshv: Add support for movable memory regions")
+Signed-off-by: Stanislav Kinsburskii
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/mshv_root_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
+index d3e8a66443ad6..45cf086ad430d 100644
+--- a/drivers/hv/mshv_root_main.c
++++ b/drivers/hv/mshv_root_main.c
+@@ -1334,7 +1334,7 @@ mshv_map_user_memory(struct mshv_partition *partition,
+ return 0;
+
+ errout:
+- vfree(region);
++ mshv_region_put(region);
+ return ret;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.19/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.19/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644
index 0000000000..509df1d217
--- /dev/null
+++ b/queue-6.19/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
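Review bot: The description says the fix replaces vfree() with mshv_partition_put(), but the new line calls `mshv_region_put(region)`; the code is what ships, so the description should be corrected before this lands in the stable queue. The `errout` label is reached from error paths outside the hunk, so it is worth confirming that every `goto errout` happens after the region's reference count and notifier registration are initialised — otherwise mshv_region_put() would operate on a partially set-up region where the old vfree() did not care. mshv_map_user_memory() starts before the hunk.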
@@ -0,0 +1,49 @@ +From b6e9c7f58f55554607e871c48ac7b77fd7797e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 15:21:57 -0500 +Subject: mtd: rawnand: brcmnand: skip DMA during panic write + +From: Kamal Dasu + +[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ] + +When oops_panic_write is set, the driver disables interrupts and +switches to PIO polling mode but still falls through into the DMA +path. DMA cannot be used reliably in panic context, so make the +DMA path an else branch to ensure only PIO is used during panic +writes. + +Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Reviewed-by: Florian Fainelli +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +index 835653bdd5abc..8f4d001377a1c 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -2350,14 +2350,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip, + for (i = 0; i < ctrl->max_oob; i += 4) + oob_reg_write(ctrl, i, 0xffffffff); + +- if (mtd->oops_panic_write) ++ if (mtd->oops_panic_write) { + /* switch to interrupt polling and PIO mode */ + disable_ctrl_irqs(ctrl); +- +- if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) { ++ } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) { + if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize, + CMD_PROGRAM_PAGE)) +- + ret = -EIO; + + goto out; +-- +2.51.0 + diff --git a/queue-6.19/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.19/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch new file mode 100644 index 0000000000..1240f2a23e --- /dev/null 
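Review bot: The comment inside the new `if (mtd->oops_panic_write) {` block still only says `/* switch to interrupt polling and PIO mode */`, which no longer explains why the DMA branch became an `else if`; a later cleanup could split it back into two independent ifs and reintroduce the bug. Suggest `/* panic context: polling + PIO only; the DMA branch below must stay mutually exclusive with this one */`. The PIO fall-through path that both branches rely on and the `out:` label are outside the hunk, and brcmnand_write() starts before it.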
+++ b/queue-6.19/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch 
@@ -0,0 +1,70 @@ +From e39c1dd107b67fcf2b22304d4e56ecade8f05f2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:49:06 -0500 +Subject: mtd: rawnand: serialize lock/unlock against other NAND operations + +From: Kamal Dasu + +[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ] + +nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area +without holding the NAND device lock. On controllers that implement +SET_FEATURES via multiple low-level PIO commands, these can race with +concurrent UBI/UBIFS background erase/write operations that hold the +device lock, resulting in cmd_pending conflicts on the NAND controller. + +Add nand_get_device()/nand_release_device() around the lock/unlock +operations to serialize them against all other NAND controller access. + +Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation") +Signed-off-by: Kamal Dasu +Reviewed-by: William Zhang +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c +index f2322de93ab41..19e3bbf42931d 100644 +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -4737,11 +4737,16 @@ static void nand_shutdown(struct mtd_info *mtd) + static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int ret; + + if (!chip->ops.lock_area) + return -ENOTSUPP; + +- return chip->ops.lock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.lock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /** +@@ -4753,11 +4758,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) + { + struct nand_chip *chip = mtd_to_nand(mtd); ++ int 
ret; + + if (!chip->ops.unlock_area) + return -ENOTSUPP; + +- return chip->ops.unlock_area(chip, ofs, len); ++ nand_get_device(chip); ++ ret = chip->ops.unlock_area(chip, ofs, len); ++ nand_release_device(chip); ++ ++ return ret; + } + + /* Set default functions */ +-- +2.51.0 + diff --git a/queue-6.19/series b/queue-6.19/series index d29df7608c..5330771db9 100644 --- a/queue-6.19/series +++ b/queue-6.19/series 
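Review bot: nand_lock() and nand_unlock() now invoke `chip->ops.lock_area()` / `chip->ops.unlock_area()` with the device held via nand_get_device(), but neither kerneldoc (the `/** ... */` block between them is only partly visible) records that, so a controller implementation that itself takes the device would presumably deadlock with no hint in the documentation. Suggest adding to both kerneldocs: ` * The chip's lock_area/unlock_area callback runs with the NAND device held.` The two functions now have an identical get/call/release shape; a small static helper taking the callback would avoid the duplication, though that is a style choice.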
@@ -194,3 +194,27 @@ tracing-fix-failure-to-read-user-space-from-system-call-trace-events.patch tracing-fix-trace_marker-copy-link-list-updates.patch x86-mce-amd-check-smca-feature-bit-before-accessing-smca-msrs.patch x86-platform-uv-handle-deconfigured-sockets.patch +binfmt_elf_fdpic-fix-auxv-size-calculation-for-elf_h.patch +mtd-rawnand-serialize-lock-unlock-against-other-nand.patch +mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch +x86-hyperv-use-__naked-attribute-to-fix-stackless-c-.patch +arm_mpam-fix-null-pointer-dereference-when-restoring.patch +mshv-fix-use-after-free-in-mshv_map_user_memory-erro.patch +spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch +spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch +drm-vmwgfx-don-t-overwrite-kms-surface-dirty-tracker.patch +iommu-fix-mapping-check-for-0x0-to-avoid-re-mapping-.patch +iommu-sva-fix-crash-in-iommu_sva_unbind_device.patch +iommu-amd-block-identity-domain-when-snp-enabled.patch +drm-amd-display-fix-displayid-not-found-handling-in-.patch +drm-amd-fix-dcn-2.01-check.patch +drm-bridge-dw-hdmi-qp-fix-multi-channel-audio-output.patch +ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch +ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch +drm-i915-gt-check-set_default_submission-before-defe.patch +fs-tests-exec-remove-bad-test-vector.patch +lib-bootconfig-check-xbc_init_node-return-in-overrid.patch +tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch +arm64-realm-fix-pte_ns_shared-for-52bit-pa-support.patch +drm-xe-guc-fail-immediately-on-guc-load-error.patch +hwmon-max6639-fix-pulses-per-revolution-implementati.patch diff --git a/queue-6.19/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch b/queue-6.19/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch new file mode 100644 index 0000000000..4eec33a122 --- /dev/null +++ b/queue-6.19/spi-amlogic-spifc-a4-remove-redundant-clock-cleanup.patch 
@@ -0,0 +1,115 @@ +From 4d4af37097631fd3c22de7505bf20a064c48f588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 21:34:55 +0800 +Subject: spi: amlogic: spifc-a4: Remove redundant clock cleanup + +From: Felix Gu + +[ Upstream commit a00da54d06f435dbbeacb84f9121dbbe6d6eda74 ] + +The driver uses devm_clk_get_enabled() which enables the clock and +registers a callback to automatically disable it when the device +is unbound. + +Remove the redundant aml_sfc_disable_clk() call in the error paths +and remove callback. + +Fixes: 4670db6f32e9 ("spi: amlogic: add driver for Amlogic SPI Flash Controller") +Signed-off-by: Felix Gu +Link: https://patch.msgid.link/20260308-spifc-a4-1-v1-1-77e286c26832@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-amlogic-spifc-a4.c | 46 +++++------------------------- + 1 file changed, 7 insertions(+), 39 deletions(-) + +diff --git a/drivers/spi/spi-amlogic-spifc-a4.c b/drivers/spi/spi-amlogic-spifc-a4.c +index f324aa39a8976..b2589fe2425cc 100644 +--- a/drivers/spi/spi-amlogic-spifc-a4.c ++++ b/drivers/spi/spi-amlogic-spifc-a4.c +@@ -1083,14 +1083,6 @@ static int aml_sfc_clk_init(struct aml_sfc *sfc) + return clk_set_rate(sfc->core_clk, SFC_BUS_DEFAULT_CLK); + } + +-static int aml_sfc_disable_clk(struct aml_sfc *sfc) +-{ +- clk_disable_unprepare(sfc->core_clk); +- clk_disable_unprepare(sfc->gate_clk); +- +- return 0; +-} +- + static int aml_sfc_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; +@@ -1141,16 +1133,12 @@ static int aml_sfc_probe(struct platform_device *pdev) + + /* Enable Amlogic flash controller spi mode */ + ret = regmap_write(sfc->regmap_base, SFC_SPI_CFG, SPI_MODE_EN); +- if (ret) { +- dev_err(dev, "failed to enable SPI mode\n"); +- goto err_out; +- } ++ if (ret) ++ return dev_err_probe(dev, ret, "failed to enable SPI mode\n"); + + ret = dma_set_mask(sfc->dev, DMA_BIT_MASK(32)); +- if (ret) { +- dev_err(sfc->dev, "failed to set dma 
mask\n"); +- goto err_out; +- } ++ if (ret) ++ return dev_err_probe(sfc->dev, ret, "failed to set dma mask\n"); + + sfc->ecc_eng.dev = &pdev->dev; + sfc->ecc_eng.integration = NAND_ECC_ENGINE_INTEGRATION_PIPELINED; +@@ -1158,10 +1146,8 @@ static int aml_sfc_probe(struct platform_device *pdev) + sfc->ecc_eng.priv = sfc; + + ret = nand_ecc_register_on_host_hw_engine(&sfc->ecc_eng); +- if (ret) { +- dev_err(&pdev->dev, "failed to register Aml host ecc engine.\n"); +- goto err_out; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "failed to register Aml host ecc engine.\n"); + + ret = of_property_read_u32(np, "amlogic,rx-adj", &val); + if (!ret) +@@ -1177,24 +1163,7 @@ static int aml_sfc_probe(struct platform_device *pdev) + ctrl->min_speed_hz = SFC_MIN_FREQUENCY; + ctrl->num_chipselect = SFC_MAX_CS_NUM; + +- ret = devm_spi_register_controller(dev, ctrl); +- if (ret) +- goto err_out; +- +- return 0; +- +-err_out: +- aml_sfc_disable_clk(sfc); +- +- return ret; +-} +- +-static void aml_sfc_remove(struct platform_device *pdev) +-{ +- struct spi_controller *ctlr = platform_get_drvdata(pdev); +- struct aml_sfc *sfc = spi_controller_get_devdata(ctlr); +- +- aml_sfc_disable_clk(sfc); ++ return devm_spi_register_controller(dev, ctrl); + } + + static const struct of_device_id aml_sfc_of_match[] = { +@@ -1212,7 +1181,6 @@ static struct platform_driver aml_sfc_driver = { + .of_match_table = aml_sfc_of_match, + }, + .probe = aml_sfc_probe, +- .remove = aml_sfc_remove, + }; + module_platform_driver(aml_sfc_driver); + +-- +2.51.0 + diff --git a/queue-6.19/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch b/queue-6.19/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch new file mode 100644 index 0000000000..4cad5a922d --- /dev/null +++ b/queue-6.19/spi-amlogic-spisg-fix-memory-leak-in-aml_spisg_probe.patch 
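Review bot: The removed aml_sfc_disable_clk() released two clocks, `core_clk` and `gate_clk`, but the hunk shows only the tail of aml_sfc_clk_init(), so the claim that both are acquired with devm_clk_get_enabled() cannot be checked here; if either is still obtained with a plain devm_clk_get() plus clk_prepare_enable(), dropping the remove callback leaves an enabled clock behind on unbind. That is worth confirming against the full aml_sfc_clk_init(). Separately, a failure of devm_spi_register_controller() now returns without undoing nand_ecc_register_on_host_hw_engine(), exactly as the old err_out path also did not, so it is pre-existing rather than introduced here; provided the devm claim holds, a comment such as `/* all resources are devm-managed; no manual unwinding on failure */` above the final return would document the intent.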
@@ -0,0 +1,68 @@ +From 481c88ef698a3bd724f6f72b1e85d46ee75b578d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:49:21 +0800 +Subject: spi: amlogic-spisg: Fix memory leak in aml_spisg_probe() + +From: Felix Gu + +[ Upstream commit b8db9552997924b750e727a625a30eaa4603bbb9 ] + +In aml_spisg_probe(), ctlr is allocated by +spi_alloc_target()/spi_alloc_host(), but fails to call +spi_controller_put() in several error paths. This leads +to a memory leak whenever the driver fails to probe after +the initial allocation. + +Convert to use devm_spi_alloc_host()/devm_spi_alloc_target() +to fix the memory leak. + +Fixes: cef9991e04ae ("spi: Add Amlogic SPISG driver") +Signed-off-by: Felix Gu +Link: https://patch.msgid.link/20260308-spisg-v1-1-2cace5cafc24@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-amlogic-spisg.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-amlogic-spisg.c b/drivers/spi/spi-amlogic-spisg.c +index bcd7ec291ad07..6045c89c37c83 100644 +--- a/drivers/spi/spi-amlogic-spisg.c ++++ b/drivers/spi/spi-amlogic-spisg.c +@@ -729,9 +729,9 @@ static int aml_spisg_probe(struct platform_device *pdev) + }; + + if (of_property_read_bool(dev->of_node, "spi-slave")) +- ctlr = spi_alloc_target(dev, sizeof(*spisg)); ++ ctlr = devm_spi_alloc_target(dev, sizeof(*spisg)); + else +- ctlr = spi_alloc_host(dev, sizeof(*spisg)); ++ ctlr = devm_spi_alloc_host(dev, sizeof(*spisg)); + if (!ctlr) + return -ENOMEM; + +@@ -750,10 +750,8 @@ static int aml_spisg_probe(struct platform_device *pdev) + return dev_err_probe(dev, PTR_ERR(spisg->map), "regmap init failed\n"); + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) { +- ret = irq; +- goto out_controller; +- } ++ if (irq < 0) ++ return irq; + + ret = device_reset_optional(dev); + if (ret) +@@ -818,8 +816,6 @@ static int aml_spisg_probe(struct platform_device *pdev) + if (spisg->core) + clk_disable_unprepare(spisg->core); + 
clk_disable_unprepare(spisg->pclk); +-out_controller: +- spi_controller_put(ctlr); + + return ret; + } +-- +2.51.0 + diff --git a/queue-6.19/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.19/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch new file mode 100644 index 0000000000..d861ef12a1 --- /dev/null +++ b/queue-6.19/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch @@ -0,0 +1,44 @@ +From 5b83f955ede737447d552aa9afa1e9b1cd433cae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2026 08:43:06 +0900 +Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure + +From: Josh Law + +[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ] + +If fstat() fails after open() succeeds, the function returns without +closing the file descriptor. Also preserve errno across close(), since +close() may overwrite it before the error is returned. + +Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/ + +Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command") +Signed-off-by: Josh Law +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + tools/bootconfig/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c +index 55d59ed507d54..643f707b8f1da 100644 +--- a/tools/bootconfig/main.c ++++ b/tools/bootconfig/main.c +@@ -162,8 +162,11 @@ static int load_xbc_file(const char *path, char **buf) + if (fd < 0) + return -errno; + ret = fstat(fd, &stat); +- if (ret < 0) +- return -errno; ++ if (ret < 0) { ++ ret = -errno; ++ close(fd); ++ return ret; ++ } + + ret = load_xbc_fd(fd, buf, stat.st_size); + +-- +2.51.0 + diff --git a/queue-6.19/x86-hyperv-use-__naked-attribute-to-fix-stackless-c-.patch b/queue-6.19/x86-hyperv-use-__naked-attribute-to-fix-stackless-c-.patch new file mode 100644 index 0000000000..02f48c61fc --- /dev/null 
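Review bot: With the controller now allocated by devm_spi_alloc_host()/devm_spi_alloc_target(), the devm release already drops the reference, so any spi_controller_put(ctlr) that remains elsewhere in the driver would now be a double put; the diffstat's 4 insertions / 8 deletions match only the visible hunks, so this is presumably already clean, but it is worth confirming. The surviving clock-unwind block at the end of the hunk (`clk_disable_unprepare(spisg->core)` / `clk_disable_unprepare(spisg->pclk)`) is still manual, which is fine, but a short comment such as `/* controller is devm-managed; only the clocks need manual unwinding */` above it would explain why the out_controller label disappeared. aml_spisg_probe() starts before the first hunk.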
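Review bot: The new block in load_xbc_file() saves `-errno` into ret before calling close(fd), which is correct but reads like an arbitrary reorder without a comment; suggest `ret = -errno; /* close() may clobber errno */` on that line. The same concern applies to whatever happens after `load_xbc_fd(fd, buf, stat.st_size)` fails, which is outside the hunk: if that path also closes fd, it should preserve errno the same way. The enclosing function continues past the hunk.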
+++ b/queue-6.19/x86-hyperv-use-__naked-attribute-to-fix-stackless-c-.patch 
@@ -0,0 +1,159 @@ +From b85df51191992e1116c46a50ca12dd35d3c57738 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Mar 2026 17:45:31 +0100 +Subject: x86/hyperv: Use __naked attribute to fix stackless C function + +From: Ard Biesheuvel + +[ Upstream commit 3fde5281b805370a6c3bd2ef462ebff70a0ea2c6 ] + +hv_crash_c_entry() is a C function that is entered without a stack, +and this is only allowed for functions that have the __naked attribute, +which informs the compiler that it must not emit the usual prologue and +epilogue or emit any other kind of instrumentation that relies on a +stack frame. + +So split up the function, and set the __naked attribute on the initial +part that sets up the stack, GDT, IDT and other pieces that are needed +for ordinary C execution. Given that function calls are not permitted +either, use the existing long return coded in an asm() block to call the +second part of the function, which is an ordinary function that is +permitted to call other functions as usual. 
+ +Reviewed-by: Andrew Cooper # asm parts, not hv parts +Reviewed-by: Mukesh Rathor +Acked-by: Uros Bizjak +Cc: Wei Liu +Cc: linux-hyperv@vger.kernel.org +Fixes: 94212d34618c ("x86/hyperv: Implement hypervisor RAM collection into vmcore") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + arch/x86/hyperv/hv_crash.c | 82 ++++++++++++++++++++------------------ + 1 file changed, 43 insertions(+), 39 deletions(-) + +diff --git a/arch/x86/hyperv/hv_crash.c b/arch/x86/hyperv/hv_crash.c +index a78e4fed57203..1d91051daa3de 100644 +--- a/arch/x86/hyperv/hv_crash.c ++++ b/arch/x86/hyperv/hv_crash.c +@@ -107,14 +107,12 @@ static void __noreturn hv_panic_timeout_reboot(void) + cpu_relax(); + } + +-/* This cannot be inlined as it needs stack */ +-static noinline __noclone void hv_crash_restore_tss(void) ++static void hv_crash_restore_tss(void) + { + load_TR_desc(); + } + +-/* This cannot be inlined as it needs stack */ +-static noinline void hv_crash_clear_kernpt(void) ++static void hv_crash_clear_kernpt(void) + { + pgd_t *pgd; + p4d_t *p4d; +@@ -125,6 +123,25 @@ static noinline void hv_crash_clear_kernpt(void) + native_p4d_clear(p4d); + } + ++ ++static void __noreturn hv_crash_handle(void) ++{ ++ hv_crash_restore_tss(); ++ hv_crash_clear_kernpt(); ++ ++ /* we are now fully in devirtualized normal kernel mode */ ++ __crash_kexec(NULL); ++ ++ hv_panic_timeout_reboot(); ++} ++ ++/* ++ * __naked functions do not permit function calls, not even to __always_inline ++ * functions that only contain asm() blocks themselves. So use a macro instead. ++ */ ++#define hv_wrmsr(msr, val) \ ++ asm volatile("wrmsr" :: "c"(msr), "a"((u32)val), "d"((u32)(val >> 32)) : "memory") ++ + /* + * This is the C entry point from the asm glue code after the disable hypercall. + * We enter here in IA32-e long mode, ie, full 64bit mode running on kernel +@@ -133,51 +150,38 @@ static noinline void hv_crash_clear_kernpt(void) + * available. 
We restore kernel GDT, and rest of the context, and continue + * to kexec. + */ +-static asmlinkage void __noreturn hv_crash_c_entry(void) ++static void __naked hv_crash_c_entry(void) + { +- struct hv_crash_ctxt *ctxt = &hv_crash_ctxt; +- + /* first thing, restore kernel gdt */ +- native_load_gdt(&ctxt->gdtr); ++ asm volatile("lgdt %0" : : "m" (hv_crash_ctxt.gdtr)); + +- asm volatile("movw %%ax, %%ss" : : "a"(ctxt->ss)); +- asm volatile("movq %0, %%rsp" : : "m"(ctxt->rsp)); ++ asm volatile("movw %0, %%ss\n\t" ++ "movq %1, %%rsp" ++ :: "m"(hv_crash_ctxt.ss), "m"(hv_crash_ctxt.rsp)); + +- asm volatile("movw %%ax, %%ds" : : "a"(ctxt->ds)); +- asm volatile("movw %%ax, %%es" : : "a"(ctxt->es)); +- asm volatile("movw %%ax, %%fs" : : "a"(ctxt->fs)); +- asm volatile("movw %%ax, %%gs" : : "a"(ctxt->gs)); ++ asm volatile("movw %0, %%ds" : : "m"(hv_crash_ctxt.ds)); ++ asm volatile("movw %0, %%es" : : "m"(hv_crash_ctxt.es)); ++ asm volatile("movw %0, %%fs" : : "m"(hv_crash_ctxt.fs)); ++ asm volatile("movw %0, %%gs" : : "m"(hv_crash_ctxt.gs)); + +- native_wrmsrq(MSR_IA32_CR_PAT, ctxt->pat); +- asm volatile("movq %0, %%cr0" : : "r"(ctxt->cr0)); ++ hv_wrmsr(MSR_IA32_CR_PAT, hv_crash_ctxt.pat); ++ asm volatile("movq %0, %%cr0" : : "r"(hv_crash_ctxt.cr0)); + +- asm volatile("movq %0, %%cr8" : : "r"(ctxt->cr8)); +- asm volatile("movq %0, %%cr4" : : "r"(ctxt->cr4)); +- asm volatile("movq %0, %%cr2" : : "r"(ctxt->cr4)); ++ asm volatile("movq %0, %%cr8" : : "r"(hv_crash_ctxt.cr8)); ++ asm volatile("movq %0, %%cr4" : : "r"(hv_crash_ctxt.cr4)); ++ asm volatile("movq %0, %%cr2" : : "r"(hv_crash_ctxt.cr2)); + +- native_load_idt(&ctxt->idtr); +- native_wrmsrq(MSR_GS_BASE, ctxt->gsbase); +- native_wrmsrq(MSR_EFER, ctxt->efer); ++ asm volatile("lidt %0" : : "m" (hv_crash_ctxt.idtr)); ++ hv_wrmsr(MSR_GS_BASE, hv_crash_ctxt.gsbase); ++ hv_wrmsr(MSR_EFER, hv_crash_ctxt.efer); + + /* restore the original kernel CS now via far return */ +- asm volatile("movzwq %0, %%rax\n\t" +- "pushq %%rax\n\t" 
+- "pushq $1f\n\t" +- "lretq\n\t" +- "1:nop\n\t" : : "m"(ctxt->cs) : "rax"); +- +- /* We are in asmlinkage without stack frame, hence make C function +- * calls which will buy stack frames. +- */ +- hv_crash_restore_tss(); +- hv_crash_clear_kernpt(); +- +- /* we are now fully in devirtualized normal kernel mode */ +- __crash_kexec(NULL); +- +- hv_panic_timeout_reboot(); ++ asm volatile("pushq %q0\n\t" ++ "pushq %q1\n\t" ++ "lretq" ++ :: "r"(hv_crash_ctxt.cs), "r"(hv_crash_handle)); + } +-/* Tell gcc we are using lretq long jump in the above function intentionally */ ++/* Tell objtool we are using lretq long jump in the above function intentionally */ + STACK_FRAME_NON_STANDARD(hv_crash_c_entry); + + static void hv_mark_tss_not_busy(void) +-- +2.51.0 + diff --git a/queue-6.6/drm-amd-display-fix-displayid-not-found-handling-in-.patch b/queue-6.6/drm-amd-display-fix-displayid-not-found-handling-in-.patch new file mode 100644 index 0000000000..23f9bd0422 --- /dev/null +++ b/queue-6.6/drm-amd-display-fix-displayid-not-found-handling-in-.patch 
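Review bot: The new `hv_wrmsr(msr, val)` macro expands `val` unparenthesised in `"a"((u32)val)` and `"d"((u32)(val >> 32))`, so a call with a compound expression would cast only its first operand; the two call sites here pass plain struct fields, but a hygienic macro is cheap: `"a"((u32)(val)), "d"((u32)((val) >> 32))`. The added blank line before `static void __noreturn hv_crash_handle(void)` produces two consecutive empty lines, which checkpatch flags. The rewritten `movq %0, %%cr2` line now reads `hv_crash_ctxt.cr2`, silently fixing the old code's loading of cr4 into %cr2; that is a real behaviour change that deserves a sentence in the commit message, since stable reviewers compare a backport against its stated scope.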
@@ -0,0 +1,72 @@ +From a05fcfa5110f0d50d1bbbe41f6b1f82612ac4afd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 18:30:26 +0530 +Subject: drm/amd/display: Fix DisplayID not-found handling in + parse_edid_displayid_vrr() + +From: Srinivasan Shanmugam + +[ Upstream commit 2323b019651ad81c20a0f7f817c63392b3110652 ] + +parse_edid_displayid_vrr() searches the EDID extension blocks for a +DisplayID extension before parsing the dynamic video timing range. + +The code previously checked whether edid_ext was NULL after the search +loop. However, edid_ext is assigned during each iteration of the loop, +so it will never be NULL once the loop has executed. If no DisplayID +extension is found, edid_ext ends up pointing to the last extension +block, and the NULL check does not correctly detect the failure case. + +Instead, check whether the loop completed without finding a matching +DisplayID block by testing "i == edid->extensions". This ensures the +function exits early when no DisplayID extension is present and avoids +parsing an unrelated EDID extension block. + +Also simplify the EDID validation check using "!edid || +!edid->extensions". 
+ +Fixes the below: +drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:13079 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 13075) + +Fixes: a638b837d0e6 ("drm/amd/display: Fix refresh rate range for some panel") +Cc: Roman Li +Cc: Alex Hung +Cc: Jerry Zuo +Cc: Sun peng Li +Cc: Tom Chung +Cc: Dan Carpenter +Cc: Aurabindo Pillai +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +(cherry picked from commit 91c7e6342e98c846b259c57273436fdea4c043f2) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 26047109726eb..f51c3921cbc26 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -10695,7 +10695,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector, + u16 min_vfreq; + u16 max_vfreq; + +- if (edid == NULL || edid->extensions == 0) ++ if (!edid || !edid->extensions) + return; + + /* Find DisplayID extension */ +@@ -10705,7 +10705,7 @@ static void parse_edid_displayid_vrr(struct drm_connector *connector, + break; + } + +- if (edid_ext == NULL) ++ if (i == edid->extensions) + return; + + while (j < EDID_LENGTH) { +-- +2.51.0 + diff --git a/queue-6.6/drm-i915-gt-check-set_default_submission-before-defe.patch b/queue-6.6/drm-i915-gt-check-set_default_submission-before-defe.patch new file mode 100644 index 0000000000..5d5b2a592e --- /dev/null +++ b/queue-6.6/drm-i915-gt-check-set_default_submission-before-defe.patch 
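Review bot: The new `if (i == edid->extensions) return;` is only correct if the search loop's exit condition is exactly `i < edid->extensions` and `i` is not modified after the `break`; the loop header is outside the hunk, so that should be confirmed rather than assumed. A comment would save the next reader the same check: `/* loop ran to completion without a break: no DisplayID extension block */`. The `!edid || !edid->extensions` rewrite is purely stylistic and fine. parse_edid_displayid_vrr() starts before the first hunk and continues past the second.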
@@ -0,0 +1,105 @@ +From 8c5ff58ff19e3aa43a17d201ea3b56301db77ffe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Feb 2026 10:18:39 +0530 +Subject: drm/i915/gt: Check set_default_submission() before deferencing + +From: Rahul Bukte + +[ Upstream commit 0162ab3220bac870e43e229e6e3024d1a21c3f26 ] + +When the i915 driver firmware binaries are not present, the +set_default_submission pointer is not set. This pointer is +dereferenced during suspend anyways. + +Add a check to make sure it is set before dereferencing. + +[ 23.289926] PM: suspend entry (deep) +[ 23.293558] Filesystems sync: 0.000 seconds +[ 23.298010] Freezing user space processes +[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds) +[ 23.309766] OOM killer disabled. +[ 23.313027] Freezing remaining freezable tasks +[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 23.342038] serial 00:05: disabled +[ 23.345719] serial 00:02: disabled +[ 23.349342] serial 00:01: disabled +[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache +[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache +[ 23.361635] ata1.00: Entering standby power mode +[ 23.368863] ata2.00: Entering standby power mode +[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 23.452194] #PF: supervisor instruction fetch in kernel mode +[ 23.457896] #PF: error_code(0x0010) - not-present page +[ 23.463065] PGD 0 P4D 0 +[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI +[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary) +[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN +[ 23.496511] Workqueue: async async_run_entry_fn +[ 23.501087] RIP: 0010:0x0 +[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6. 
+[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246 +[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f +[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000 +[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff +[ 23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8 +[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68 +[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000 +[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0 +[ 23.572539] PKRU: 55555554 +[ 23.575281] Call Trace: +[ 23.577770] +[ 23.579905] intel_engines_reset_default_submission+0x42/0x60 +[ 23.585695] __intel_gt_unset_wedged+0x191/0x200 +[ 23.590360] intel_gt_unset_wedged+0x20/0x40 +[ 23.594675] gt_sanitize+0x15e/0x170 +[ 23.598290] i915_gem_suspend_late+0x6b/0x180 +[ 23.602692] i915_drm_suspend_late+0x35/0xf0 +[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10 +[ 23.611843] dpm_run_callback+0x78/0x1c0 +[ 23.615817] device_suspend_late+0xde/0x2e0 +[ 23.620037] async_suspend_late+0x18/0x30 +[ 23.624082] async_run_entry_fn+0x25/0xa0 +[ 23.628129] process_one_work+0x15b/0x380 +[ 23.632182] worker_thread+0x2a5/0x3c0 +[ 23.635973] ? __pfx_worker_thread+0x10/0x10 +[ 23.640279] kthread+0xf6/0x1f0 +[ 23.643464] ? __pfx_kthread+0x10/0x10 +[ 23.647263] ? __pfx_kthread+0x10/0x10 +[ 23.651045] ret_from_fork+0x131/0x190 +[ 23.654837] ? 
__pfx_kthread+0x10/0x10 +[ 23.658634] ret_from_fork_asm+0x1a/0x30 +[ 23.662597] +[ 23.664826] Modules linked in: +[ 23.667914] CR2: 0000000000000000 +[ 23.671271] ------------[ cut here ]------------ + +Signed-off-by: Rahul Bukte +Reviewed-by: Suraj Kandpal +Signed-off-by: Suraj Kandpal +Link: https://patch.msgid.link/20260203044839.1555147-1-suraj.kandpal@intel.com +(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad) +Fixes: ff44ad51ebf8 ("drm/i915: Move engine->submit_request selection to a vfunc") +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +index 0729ab5955171..6ea2c14f78160 100644 +--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c ++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c +@@ -1973,7 +1973,8 @@ void intel_engines_reset_default_submission(struct intel_gt *gt) + if (engine->sanitize) + engine->sanitize(engine); + +- engine->set_default_submission(engine); ++ if (engine->set_default_submission) ++ engine->set_default_submission(engine); + } + } + +-- +2.51.0 + diff --git a/queue-6.6/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch b/queue-6.6/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch new file mode 100644 index 0000000000..6cf10ac461 --- /dev/null +++ b/queue-6.6/ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch 
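Review bot: The new NULL check around `engine->set_default_submission(engine)` avoids the crash but gives no hint why the vfunc can be unset, so the next reader cannot distinguish the missing-firmware case from a genuine init bug; add a comment above it, e.g. `/* left NULL when the firmware is absent and no submission backend was selected */`, taken from the commit description. It would also be worth stating whether silently skipping the call leaves the engine consistent for the following suspend, or whether a warn-once is wanted so the condition shows up in logs. The `if (engine->sanitize)` check just above uses the same pattern, so the style is consistent. intel_engines_reset_default_submission() starts before the hunk.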
@@ -0,0 +1,128 @@ +From 5b0173d6e769ac4fd0bd53621683e3ac707d828f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 17:15:51 +0900 +Subject: ksmbd: fix use-after-free in durable v2 replay of active file handles + +From: Hyunwoo Kim + +[ Upstream commit b425e4d0eb321a1116ddbf39636333181675d8f4 ] + +parse_durable_handle_context() unconditionally assigns dh_info->fp->conn +to the current connection when handling a DURABLE_REQ_V2 context with +SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by +fp->conn, so it returns file handles that are already actively connected. +The unconditional overwrite replaces fp->conn, and when the overwriting +connection is subsequently freed, __ksmbd_close_fd() dereferences the +stale fp->conn via spin_lock(&fp->conn->llist_lock), causing a +use-after-free. + +KASAN report: + +[ 7.349357] ================================================================== +[ 7.349607] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x75/0xe0 +[ 7.349811] Write of size 4 at addr ffff8881056ac18c by task kworker/1:2/108 +[ 7.350010] +[ 7.350064] CPU: 1 UID: 0 PID: 108 Comm: kworker/1:2 Not tainted 7.0.0-rc3+ #58 PREEMPTLAZY +[ 7.350068] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 7.350070] Workqueue: ksmbd-io handle_ksmbd_work +[ 7.350083] Call Trace: +[ 7.350087] +[ 7.350087] dump_stack_lvl+0x64/0x80 +[ 7.350094] print_report+0xce/0x660 +[ 7.350100] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 7.350101] ? __pfx___mod_timer+0x10/0x10 +[ 7.350106] ? _raw_spin_lock+0x75/0xe0 +[ 7.350108] kasan_report+0xce/0x100 +[ 7.350109] ? _raw_spin_lock+0x75/0xe0 +[ 7.350114] kasan_check_range+0x105/0x1b0 +[ 7.350116] _raw_spin_lock+0x75/0xe0 +[ 7.350118] ? __pfx__raw_spin_lock+0x10/0x10 +[ 7.350119] ? __call_rcu_common.constprop.0+0x25e/0x780 +[ 7.350125] ? 
close_id_del_oplock+0x2cc/0x4e0 +[ 7.350128] __ksmbd_close_fd+0x27f/0xaf0 +[ 7.350131] ksmbd_close_fd+0x135/0x1b0 +[ 7.350133] smb2_close+0xb19/0x15b0 +[ 7.350142] ? __pfx_smb2_close+0x10/0x10 +[ 7.350143] ? xas_load+0x18/0x270 +[ 7.350146] ? _raw_spin_lock+0x84/0xe0 +[ 7.350148] ? __pfx__raw_spin_lock+0x10/0x10 +[ 7.350150] ? _raw_spin_unlock+0xe/0x30 +[ 7.350151] ? ksmbd_smb2_check_message+0xeb2/0x24c0 +[ 7.350153] ? ksmbd_tree_conn_lookup+0xcd/0xf0 +[ 7.350154] handle_ksmbd_work+0x40f/0x1080 +[ 7.350156] process_one_work+0x5fa/0xef0 +[ 7.350162] ? assign_work+0x122/0x3e0 +[ 7.350163] worker_thread+0x54b/0xf70 +[ 7.350165] ? __pfx_worker_thread+0x10/0x10 +[ 7.350166] kthread+0x346/0x470 +[ 7.350170] ? recalc_sigpending+0x19b/0x230 +[ 7.350176] ? __pfx_kthread+0x10/0x10 +[ 7.350178] ret_from_fork+0x4fb/0x6c0 +[ 7.350183] ? __pfx_ret_from_fork+0x10/0x10 +[ 7.350185] ? __switch_to+0x36c/0xbe0 +[ 7.350188] ? __pfx_kthread+0x10/0x10 +[ 7.350190] ret_from_fork_asm+0x1a/0x30 +[ 7.350197] +[ 7.350197] +[ 7.355160] Allocated by task 123: +[ 7.355261] kasan_save_stack+0x33/0x60 +[ 7.355373] kasan_save_track+0x14/0x30 +[ 7.355484] __kasan_kmalloc+0x8f/0xa0 +[ 7.355593] ksmbd_conn_alloc+0x44/0x6d0 +[ 7.355711] ksmbd_kthread_fn+0x243/0xd70 +[ 7.355839] kthread+0x346/0x470 +[ 7.355942] ret_from_fork+0x4fb/0x6c0 +[ 7.356051] ret_from_fork_asm+0x1a/0x30 +[ 7.356164] +[ 7.356214] Freed by task 134: +[ 7.356305] kasan_save_stack+0x33/0x60 +[ 7.356416] kasan_save_track+0x14/0x30 +[ 7.356527] kasan_save_free_info+0x3b/0x60 +[ 7.356646] __kasan_slab_free+0x43/0x70 +[ 7.356761] kfree+0x1ca/0x430 +[ 7.356862] ksmbd_tcp_disconnect+0x59/0xe0 +[ 7.356993] ksmbd_conn_handler_loop+0x77e/0xd40 +[ 7.357138] kthread+0x346/0x470 +[ 7.357240] ret_from_fork+0x4fb/0x6c0 +[ 7.357350] ret_from_fork_asm+0x1a/0x30 +[ 7.357463] +[ 7.357513] The buggy address belongs to the object at ffff8881056ac000 +[ 7.357513] which belongs to the cache kmalloc-1k of size 1024 +[ 7.357857] The buggy address is 
located 396 bytes inside of +[ 7.357857] freed 1024-byte region [ffff8881056ac000, ffff8881056ac400) + +Fix by removing the unconditional fp->conn assignment and rejecting the +replay when fp->conn is non-NULL. This is consistent with +ksmbd_lookup_durable_fd(), which also rejects file handles with a +non-NULL fp->conn. For disconnected file handles (fp->conn == NULL), +ksmbd_reopen_durable_fd() handles setting fp->conn. + +Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index a647662ca7681..bdd2214c79f98 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2813,7 +2813,11 @@ static int parse_durable_handle_context(struct ksmbd_work *work, + goto out; + } + +- dh_info->fp->conn = conn; ++ if (dh_info->fp->conn) { ++ ksmbd_put_durable_fd(dh_info->fp); ++ err = -EBADF; ++ goto out; ++ } + dh_info->reconnected = true; + goto out; + } +-- +2.51.0 + diff --git a/queue-6.6/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch b/queue-6.6/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch new file mode 100644 index 0000000000..721cbe97b6 --- /dev/null +++ b/queue-6.6/ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch 
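Review bot: The new rejection in parse_durable_handle_context() tests `dh_info->fp->conn` as a plain read, and nothing in the hunk shows what serialises it against a concurrent disconnect clearing fp->conn or a concurrent reopen setting it; if ksmbd_lookup_durable_fd() performs the same check under a lock, this path should match it. A comment would also help: `/* fp still belongs to a live connection: refuse replay, only disconnected handles may be reattached */`. Dropping the reference with ksmbd_put_durable_fd() before `goto out` on the new error path looks right, assuming `out:` does not put it again when err < 0; that label is outside the hunk. The enclosing function starts before the hunk.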
@@ -0,0 +1,135 @@
+From eb6982af20dc17bac222ab048c718600bcb9d577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Mar 2026 17:17:02 +0900
+Subject: ksmbd: fix use-after-free of share_conf in compound request
+
+From: Hyunwoo Kim
+
+[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ]
+
+smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
+validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
+TREE_CONNECTED on the initial lookup path, but the compound reuse path
+bypasses this check entirely.
+
+If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
+to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
+subsequent commands dereference the freed share_conf through
+work->tcon->share_conf.
+
+KASAN report:
+
+[ 4.144653] ==================================================================
+[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
+[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
+[ 4.145772]
+[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
+[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work
+[ 4.145888] Call Trace:
+[ 4.145892]
+[ 4.145894] dump_stack_lvl+0x64/0x80
+[ 4.145910] print_report+0xce/0x660
+[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[ 4.145928] ? smb2_write+0xc74/0xe70
+[ 4.145931] kasan_report+0xce/0x100
+[ 4.145934] ? smb2_write+0xc74/0xe70
+[ 4.145937] smb2_write+0xc74/0xe70
+[ 4.145939] ? __pfx_smb2_write+0x10/0x10
+[ 4.145942] ? _raw_spin_unlock+0xe/0x30
+[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0
+[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480
+[ 4.145951] handle_ksmbd_work+0x40f/0x1080
+[ 4.145953] process_one_work+0x5fa/0xef0
+[ 4.145962] ? assign_work+0x122/0x3e0
+[ 4.145964] worker_thread+0x54b/0xf70
+[ 4.145967] ? __pfx_worker_thread+0x10/0x10
+[ 4.145970] kthread+0x346/0x470
+[ 4.145976] ? recalc_sigpending+0x19b/0x230
+[ 4.145980] ? __pfx_kthread+0x10/0x10
+[ 4.145984] ret_from_fork+0x4fb/0x6c0
+[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10
+[ 4.145995] ? __switch_to+0x36c/0xbe0
+[ 4.145999] ? __pfx_kthread+0x10/0x10
+[ 4.146003] ret_from_fork_asm+0x1a/0x30
+[ 4.146013]
+[ 4.146014]
+[ 4.149858] Allocated by task 44:
+[ 4.149953] kasan_save_stack+0x33/0x60
+[ 4.150061] kasan_save_track+0x14/0x30
+[ 4.150169] __kasan_kmalloc+0x8f/0xa0
+[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0
+[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600
+[ 4.150529] smb2_tree_connect+0x2e6/0x1000
+[ 4.150645] handle_ksmbd_work+0x40f/0x1080
+[ 4.150761] process_one_work+0x5fa/0xef0
+[ 4.150873] worker_thread+0x54b/0xf70
+[ 4.150978] kthread+0x346/0x470
+[ 4.151071] ret_from_fork+0x4fb/0x6c0
+[ 4.151176] ret_from_fork_asm+0x1a/0x30
+[ 4.151286]
+[ 4.151332] Freed by task 44:
+[ 4.151418] kasan_save_stack+0x33/0x60
+[ 4.151526] kasan_save_track+0x14/0x30
+[ 4.151634] kasan_save_free_info+0x3b/0x60
+[ 4.151751] __kasan_slab_free+0x43/0x70
+[ 4.151861] kfree+0x1ca/0x430
+[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190
+[ 4.152088] smb2_tree_disconnect+0x1cd/0x480
+[ 4.152211] handle_ksmbd_work+0x40f/0x1080
+[ 4.152326] process_one_work+0x5fa/0xef0
+[ 4.152438] worker_thread+0x54b/0xf70
+[ 4.152545] kthread+0x346/0x470
+[ 4.152638] ret_from_fork+0x4fb/0x6c0
+[ 4.152743] ret_from_fork_asm+0x1a/0x30
+[ 4.152853]
+[ 4.152900] The buggy address belongs to the object at ffff88810430c180
+[ 4.152900] which belongs to the cache kmalloc-96 of size 96
+[ 4.153226] The buggy address is located 20 bytes inside of
+[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
+[ 4.153549]
+[ 4.153596] The buggy address belongs to the physical page:
+[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
+[ 4.154000] flags: 0x100000000000200(workingset|node=0|zone=2)
+[ 4.154160] page_type: f5(slab)
+[ 4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110
+[ 4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000
+[ 4.154668] page dumped because: kasan: bad access detected
+[ 4.154820]
+[ 4.154866] Memory state around the buggy address:
+[ 4.155002] ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 4.155196] ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[ 4.155587] ^
+[ 4.155693] ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 4.155891] ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 4.156087] ==================================================================
+
+Add the same t_state validation to the compound reuse path, consistent
+with ksmbd_tree_conn_lookup().
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Signed-off-by: Hyunwoo Kim
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/smb/server/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index e52a05ea25ccc..a647662ca7681 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -118,6 +118,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
+ pr_err("The first operation in the compound does not have tcon\n");
+ return -EINVAL;
+ }
++ if (work->tcon->t_state != TREE_CONNECTED)
++ return -ENOENT;
+ if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
+ pr_err("tree id(%u) is different with id(%u) in first operation\n",
+ tree_id, work->tcon->id);
+--
+2.51.0
+
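Review bot: The added `if (work->tcon->t_state != TREE_CONNECTED) return -ENOENT;` rejects silently, while the two neighbouring rejections in the same function log via pr_err() first; since this condition is reachable by any authenticated client that sends a TREE_DISCONNECT followed by another command in one compound, a pr_err() would be client-triggerable log noise, so a rate-limited or debug-level message (ksmbd's `ksmbd_debug(SMB, "tcon %u is not connected in compound\n", work->tcon->id);`) or a comment explaining the deliberate silence is the better fit. The read of t_state is unlocked here, whereas ksmbd_tree_conn_lookup() presumably checks it under the session's tree-connection lock — benign for a TREE_DISCONNECT earlier in the same compound, which runs on the same worker, but worth a one-line comment on that ordering assumption if a concurrent disconnect on the same session is possible. smb2_get_ksmbd_tcon() begins before the hunk and continues after it.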
diff --git a/queue-6.6/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch b/queue-6.6/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
new file mode 100644
index 0000000000..73e2cbe583
--- /dev/null
+++ b/queue-6.6/lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
@@ -0,0 +1,49 @@
+From f2b4bfb2d52199d11ab31fa9a51c81324020c4b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:05 +0900
+Subject: lib/bootconfig: check xbc_init_node() return in override path
+
+From: Josh Law
+
+[ Upstream commit bb288d7d869e86d382f35a0e26242c5ccb05ca82 ]
+
+The ':=' override path in xbc_parse_kv() calls xbc_init_node() to
+re-initialize an existing value node but does not check the return
+value. If xbc_init_node() fails (data offset out of range), parsing
+silently continues with stale node data.
+
+Add the missing error check to match the xbc_add_node() call path
+which already checks for failure.
+
+In practice, a bootconfig using ':=' to override a value near the
+32KB data limit could silently retain the old value, meaning a
+security-relevant boot parameter override (e.g., a trace filter or
+debug setting) would not take effect as intended.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-2-objecting@objecting.org/
+
+Fixes: e5efaeb8a8f5 ("bootconfig: Support mixing a value and subkeys under a key")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ lib/bootconfig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/bootconfig.c b/lib/bootconfig.c
+index 82f21a9b0aaba..675f34cf32f0d 100644
+--- a/lib/bootconfig.c
++++ b/lib/bootconfig.c
+@@ -714,7 +714,8 @@ static int __init xbc_parse_kv(char **k, char *v, int op)
+ if (op == ':') {
+ unsigned short nidx = child->next;
+
+- xbc_init_node(child, v, XBC_VALUE);
++ if (xbc_init_node(child, v, XBC_VALUE) < 0)
++ return xbc_parse_error("Failed to override value", v);
+ child->next = nidx; /* keep subkeys */
+ goto array;
+ }
+--
+2.51.0
+
diff --git a/queue-6.6/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch b/queue-6.6/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
new file mode 100644
index 0000000000..cec54e5690
--- /dev/null
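Review bot: The new failure branch in the `:=` override path carries no comment on why xbc_init_node() can fail, and the failing condition is defined outside the hunk, so a reader of this block has to dig for it; suggest `/* fails when the value offset lies outside the bootconfig data area; stop rather than keep the stale value */` above the check, with the wording confirmed against xbc_init_node() itself. Whether a failed xbc_init_node() leaves `child->next` intact is not visible here; that only does not matter because xbc_parse_error() ends the parse, which the comment could state so a future non-fatal variant does not silently drop the subkey chain. xbc_parse_kv() starts before the hunk and continues after `goto array`.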
+++ b/queue-6.6/mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
@@ -0,0 +1,49 @@
+From 1c1f332294aa53707a2c0066d25e07651eb991e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 15:21:57 -0500
+Subject: mtd: rawnand: brcmnand: skip DMA during panic write
+
+From: Kamal Dasu
+
+[ Upstream commit da9ba4dcc01e7cf52b7676f0ee9607b8358c2171 ]
+
+When oops_panic_write is set, the driver disables interrupts and
+switches to PIO polling mode but still falls through into the DMA
+path. DMA cannot be used reliably in panic context, so make the
+DMA path an else branch to ensure only PIO is used during panic
+writes.
+
+Fixes: c1ac2dc34b51 ("mtd: rawnand: brcmnand: When oops in progress use pio and interrupt polling")
+Signed-off-by: Kamal Dasu
+Reviewed-by: William Zhang
+Reviewed-by: Florian Fainelli
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+index 03d7e26d49537..ece399705bd73 100644
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2411,14 +2411,12 @@ static int brcmnand_write(struct mtd_info *mtd, struct nand_chip *chip,
+ for (i = 0; i < ctrl->max_oob; i += 4)
+ oob_reg_write(ctrl, i, 0xffffffff);
+
+- if (mtd->oops_panic_write)
++ if (mtd->oops_panic_write) {
+ /* switch to interrupt polling and PIO mode */
+ disable_ctrl_irqs(ctrl);
+-
+- if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
++ } else if (use_dma(ctrl) && (has_edu(ctrl) || !oob) && flash_dma_buf_ok(buf)) {
+ if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize,
+ CMD_PROGRAM_PAGE))
+-
+ ret = -EIO;
+
+ goto out;
+--
+2.51.0
+
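Review bot: The DMA branch now sits inside an `else if`, but its body still relies on an unbraced two-line `if (ctrl->dma_trans(...)) ret = -EIO;` immediately followed by `goto out;`, which is easy to misread as part of the conditional; bracing it — `if (ctrl->dma_trans(host, addr, (u32 *)buf, oob, mtd->writesize, CMD_PROGRAM_PAGE)) {` / `ret = -EIO;` / `}` — makes the control flow explicit. The panic branch should also say what happens next, e.g. `/* panic context: skip DMA entirely and fall through to the PIO path */`, since the PIO code it now depends on is below the hunk and presumably polls once disable_ctrl_irqs() has run, which is worth confirming. brcmnand_write() begins before the hunk, and the DMA branch's closing brace and the PIO path come after it.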
diff --git a/queue-6.6/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch b/queue-6.6/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
new file mode 100644
index 0000000000..3252e53394
--- /dev/null
+++ b/queue-6.6/mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
@@ -0,0 +1,70 @@
+From 5574356a21c48989303fdda53f372cd1322e4820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Mar 2026 14:49:06 -0500
+Subject: mtd: rawnand: serialize lock/unlock against other NAND operations
+
+From: Kamal Dasu
+
+[ Upstream commit bab2bc6e850a697a23b9e5f0e21bb8c187615e95 ]
+
+nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area
+without holding the NAND device lock. On controllers that implement
+SET_FEATURES via multiple low-level PIO commands, these can race with
+concurrent UBI/UBIFS background erase/write operations that hold the
+device lock, resulting in cmd_pending conflicts on the NAND controller.
+
+Add nand_get_device()/nand_release_device() around the lock/unlock
+operations to serialize them against all other NAND controller access.
+
+Fixes: 92270086b7e5 ("mtd: rawnand: Add support for manufacturer specific lock/unlock operation")
+Signed-off-by: Kamal Dasu
+Reviewed-by: William Zhang
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/raw/nand_base.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
+index fe0b298f8425e..896a7d819e3c7 100644
+--- a/drivers/mtd/nand/raw/nand_base.c
++++ b/drivers/mtd/nand/raw/nand_base.c
+@@ -4849,11 +4849,16 @@ static void nand_shutdown(struct mtd_info *mtd)
+ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+ struct nand_chip *chip = mtd_to_nand(mtd);
++ int ret;
+
+ if (!chip->ops.lock_area)
+ return -ENOTSUPP;
+
+- return chip->ops.lock_area(chip, ofs, len);
++ nand_get_device(chip);
++ ret = chip->ops.lock_area(chip, ofs, len);
++ nand_release_device(chip);
++
++ return ret;
+ }
+
+ /**
+@@ -4865,11 +4870,16 @@ static int nand_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ static int nand_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+ {
+ struct nand_chip *chip = mtd_to_nand(mtd);
++ int ret;
+
+ if (!chip->ops.unlock_area)
+ return -ENOTSUPP;
+
+- return chip->ops.unlock_area(chip, ofs, len);
++ nand_get_device(chip);
++ ret = chip->ops.unlock_area(chip, ofs, len);
++ nand_release_device(chip);
++
++ return ret;
+ }
+
+ /* Set default functions */
+--
+2.51.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
index a4574dbffd..bbcba619d5 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -554,3 +554,11 @@ usb-serial-f81232-fix-incomplete-serial-port-generation.patch
 i2c-fsi-fix-a-potential-leak-in-fsi_i2c_probe.patch
 i2c-pxa-defer-reset-on-armada-3700-when-recovery-is-used.patch
 x86-platform-uv-handle-deconfigured-sockets.patch
+mtd-rawnand-serialize-lock-unlock-against-other-nand.patch
+mtd-rawnand-brcmnand-skip-dma-during-panic-write.patch
+drm-amd-display-fix-displayid-not-found-handling-in-.patch
+ksmbd-fix-use-after-free-of-share_conf-in-compound-r.patch
+ksmbd-fix-use-after-free-in-durable-v2-replay-of-act.patch
+drm-i915-gt-check-set_default_submission-before-defe.patch
+lib-bootconfig-check-xbc_init_node-return-in-overrid.patch
+tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
diff --git a/queue-6.6/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch b/queue-6.6/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
new file mode 100644
index 0000000000..43216c2d4d
--- /dev/null
+++ b/queue-6.6/tools-bootconfig-fix-fd-leak-in-load_xbc_file-on-fst.patch
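Review bot: nand_lock() and nand_unlock() now take the NAND device via nand_get_device() internally, but neither kerneldoc says so (the `/**` block for nand_unlock() is visible as context; nand_lock()'s is above the hunk); add `* Takes the NAND device lock itself, so it must not be called with the device already held.` to both, since a caller that already holds the device would presumably block here. The same change appears in the nand_unlock() hunk, so this note covers both. Whether nand_get_device() can fail in this tree (for instance while the chip is suspended) is not visible in the hunk — if it returns a status, both call sites ignore it and that should be checked against its definition.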
@@ -0,0 +1,44 @@
+From d7adb2d28fe3a723e8e27245a6354d7edf57fa45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 08:43:06 +0900
+Subject: tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+
+From: Josh Law
+
+[ Upstream commit 3b2c2ab4ceb82af484310c3087541eab00ea288b ]
+
+If fstat() fails after open() succeeds, the function returns without
+closing the file descriptor. Also preserve errno across close(), since
+close() may overwrite it before the error is returned.
+
+Link: https://lore.kernel.org/all/20260318155847.78065-3-objecting@objecting.org/
+
+Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
+Signed-off-by: Josh Law
+Signed-off-by: Masami Hiramatsu (Google)
+Signed-off-by: Sasha Levin
+---
+ tools/bootconfig/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 8a48cc2536f56..32cf48f2da9a1 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -157,8 +157,11 @@ static int load_xbc_file(const char *path, char **buf)
+ if (fd < 0)
+ return -errno;
+ ret = fstat(fd, &stat);
+- if (ret < 0)
+- return -errno;
++ if (ret < 0) {
++ ret = -errno;
++ close(fd);
++ return ret;
++ }
+
+ ret = load_xbc_fd(fd, buf, stat.st_size);
+
+--
+2.51.0
+
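Review bot: The new fstat() failure branch is correct, but the success path `ret = load_xbc_fd(fd, buf, stat.st_size);` shows no close(fd) inside the hunk, so unless load_xbc_fd() takes ownership of the descriptor — not visible here — the same leak remains on the common path; confirm against the rest of load_xbc_file(), which continues after the hunk. With `stat` now filled in before the read, an `if (!S_ISREG(stat.st_mode)) { close(fd); return -EINVAL; }` next to the new branch would keep a device or FIFO path from handing an arbitrary st_size to load_xbc_fd(); whether that helper bounds the size itself is also outside the hunk.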