From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 15:00:10 +0000 (+0200) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9e555aeb0a34b471b7a3f33acb562db4340cedca;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: fuse-reject-fuse_notify-pagecache-ops-on-directories.patch i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch i2c-tegra-fix-noirq-suspend-resume.patch input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch net-mv643xx-fix-of-node-refcount.patch net-rds-clear-i_sends-on-setup-unwind.patch nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch
---
diff --git a/queue-6.6/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch b/queue-6.6/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch
new file mode 100644
index 0000000000..ef4d72d0c3
--- /dev/null
+++ b/queue-6.6/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch
@@ -0,0 +1,56 @@
+From 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Tue, 19 May 2026 16:29:38 +0200
+Subject: fuse: reject fuse_notify() pagecache ops on directories
+
+From: Jann Horn
+
+commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream.
+
+The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the
+FUSE daemon to actively write/read pagecache contents.
+
+For directories with FOPEN_CACHE_DIR, the pagecache is used as
+kernel-internal cache storage, and userspace is not supposed to have
+direct access to this cache - in particular, fuse_parse_cache() will hit
+WARN_ON() if the cache contains bogus data.
+
+Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than
+regular files with -EINVAL.
+
+Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn
+Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com
+Acked-by: Miklos Szeredi
+Signed-off-by: Christian Brauner (Amutable)
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1597,6 +1597,10 @@ static int fuse_notify_store(struct fuse
+ inode = fuse_ilookup(fc, nodeid, NULL);
+ if (!inode)
+ goto out_up_killsb;
++ if (!S_ISREG(inode->i_mode)) {
++ err = -EINVAL;
++ goto out_iput;
++ }
+ 
+ mapping = inode->i_mapping;
+ index = outarg.offset >> PAGE_SHIFT;
+@@ -1768,7 +1772,10 @@ static int fuse_notify_retrieve(struct f
+ 
+ inode = fuse_ilookup(fc, nodeid, &fm);
+ if (inode) {
+- err = fuse_retrieve(fm, inode, &outarg);
++ if (!S_ISREG(inode->i_mode))
++ err = -EINVAL;
++ else
++ err = fuse_retrieve(fm, inode, &outarg);
+ iput(inode);
+ }
+ up_read(&fc->killsb);
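Review bot: The new `S_ISREG()` rejections in fuse_notify_store() and fuse_notify_retrieve() carry no comment, so a reader of dev.c has to dig out this commit to learn why the daemon is refused access to non-regular pagecache; I would put `/* Directory pagecache is the kernel-internal readdir cache (FOPEN_CACHE_DIR), not daemon-visible data; only regular files may be STOREd/RETRIEVEd. */` above the first check. The check also rejects symlinks and special files, not only directories, which is stricter than the Fixes: subject suggests; if that is deliberate, the FUSE_NOTIFY_STORE/RETRIEVE description in the uapi header should mention the new -EINVAL so daemon authors are not surprised. Both enclosing functions begin and end outside the hunk.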
diff --git a/queue-6.6/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch b/queue-6.6/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
new file mode 100644
index 0000000000..db77dcfec5
--- /dev/null
+++ b/queue-6.6/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
@@ -0,0 +1,55 @@
+From 729ac5a4b966aac42e08a94dea966f4429008548 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy
+Date: Sat, 16 May 2026 02:41:18 +0300
+Subject: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
+
+From: Vladimir Zapolskiy
+
+commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream.
+
+On all modern platforms Qualcomm CCI controller provides two I2C masters,
+and on particular boards only one I2C master may be initialized, and in
+such cases the device unbinding or driver removal causes a NULL pointer
+dereference, because cci_halt() is called for all two I2C masters, but
+a completion is initialized only for the single enabled master:
+
+ % rmmod i2c-qcom-cci
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+
+ Call trace:
+ __wait_for_common+0x194/0x1a8 (P)
+ wait_for_completion_timeout+0x20/0x2c
+ cci_remove+0xc4/0x138 [i2c_qcom_cci]
+ platform_remove+0x20/0x30
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1c8/0x224
+ driver_detach+0x50/0x98
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ platform_driver_unregister+0x14/0x20
+ qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
+ ....
+
+Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
+Signed-off-by: Vladimir Zapolskiy
+Cc: # v5.8+
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-qcom-cci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-cci.c
++++ b/drivers/i2c/busses/i2c-qcom-cci.c
+@@ -683,8 +683,8 @@ static void cci_remove(struct platform_d
+ if (cci->master[i].cci) {
+ i2c_del_adapter(&cci->master[i].adap);
+ of_node_put(cci->master[i].adap.dev.of_node);
++ cci_halt(cci, i);
+ }
+- cci_halt(cci, i);
+ }
+ 
+ disable_irq(cci->irq);
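Review bot: The relocated `cci_halt(cci, i)` is now guarded by `cci->master[i].cci`, but nothing at the call site records that this pointer is what marks a master as initialised and that cci_halt() waits on a completion only such masters have; a one-line comment, `/* only halt masters that were probed: cci_halt() waits on a completion disabled masters never initialise */`, would keep the guard from being "simplified" away again. If cci_probe()'s error unwind also loops over both masters and halts them regardless of state (not visible here), it needs the same guard. cci_remove() begins above and continues below the hunk.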
diff --git a/queue-6.6/i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch b/queue-6.6/i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch
new file mode 100644
index 0000000000..9ad3d4bf68
--- /dev/null
+++ b/queue-6.6/i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch
@@ -0,0 +1,59 @@ +From a124579c0763da7bc408f4cd7e8f606cadc94855 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guillermo=20Rodr=C3=ADguez?= +Date: Tue, 26 May 2026 11:12:09 +0200 +Subject: i2c: stm32f7: fix timing computation ignoring i2c-analog-filter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guillermo Rodríguez + +commit a124579c0763da7bc408f4cd7e8f606cadc94855 upstream. + +stm32f7_i2c_compute_timing() uses i2c_dev->analog_filter to pick +the analog filter delay, but i2c_dev->analog_filter is parsed from +the "i2c-analog-filter" DT property only after the compute_timing +loop in stm32f7_i2c_setup_timing(), so in practice the timing +calculations always ignore the analog filter. On an STM32MP1 board +with clock-frequency = <400000> and i2c-analog-filter set, measured +SCL frequency was ~382 kHz. + +This also affects (widens) the computed SDADEL range. At high bus +clock speeds, this can select an SDADEL value that violates tVD;DAT +(data valid time). + +Fix by parsing "i2c-analog-filter" before the compute_timing loop. 
+ +Fixes: 83c3408f7b9c ("i2c: stm32f7: support DT binding i2c-analog-filter") +Signed-off-by: Guillermo Rodríguez +Cc: # v5.13+ +Acked-by: Alain Volmat +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260526091210.20383-1-guille.rodriguez@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-stm32f7.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -680,6 +680,9 @@ static int stm32f7_i2c_setup_timing(stru + if (!of_property_read_bool(i2c_dev->dev->of_node, "i2c-digital-filter")) + i2c_dev->dnf_dt = STM32F7_I2C_DNF_DEFAULT; + ++ i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node, ++ "i2c-analog-filter"); ++ + do { + ret = stm32f7_i2c_compute_timing(i2c_dev, setup, + &i2c_dev->timing); +@@ -701,9 +704,6 @@ static int stm32f7_i2c_setup_timing(stru + return ret; + } + +- i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node, +- "i2c-analog-filter"); +- + dev_dbg(i2c_dev->dev, "I2C Speed(%i), Clk Source(%i)\n", + setup->speed_freq, setup->clock_src); + dev_dbg(i2c_dev->dev, "I2C Rise(%i) and Fall(%i) Time\n", diff --git a/queue-6.6/i2c-tegra-fix-noirq-suspend-resume.patch b/queue-6.6/i2c-tegra-fix-noirq-suspend-resume.patch new file mode 100644 index 0000000000..c37e631b94 --- /dev/null +++ b/queue-6.6/i2c-tegra-fix-noirq-suspend-resume.patch 
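Review bot: The relocated `i2c_dev->analog_filter` read now sits beside the digital-filter read, but nothing says its position matters, and the Fixes: history shows it once drifted to after the loop unnoticed; I would add `/* Must be parsed before the compute_timing loop: the analog filter delay feeds the SDADEL/SCLDEL computation. */` directly above it. The property is an ordinary `of_property_read_bool()` so the move is otherwise safe, but if stm32f7_i2c_setup_timing() can be re-entered on a bus-speed change (outside this hunk) the value is re-read from DT each time, which is harmless but worth a word. stm32f7_i2c_setup_timing() continues past the hunk on both sides.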
@@ -0,0 +1,121 @@ +From 656646b3847ac6a21b074a813223feef2aadd6e2 Mon Sep 17 00:00:00 2001 +From: Akhil R +Date: Mon, 18 May 2026 17:10:13 +0530 +Subject: i2c: tegra: Fix NOIRQ suspend/resume + +From: Akhil R + +commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream. + +The Tegra I2C driver relies on runtime PM to wake up the controller before +each transfer. However, runtime PM is disabled between the system suspend +and NOIRQ suspend. If an I2C device initiates a transfer during this +window, the I2C controller fails to wake up and the transfer fails. To +handle this, the controller must be kept available for this period to +allow transfers. + +Rework the I2C controller's system PM callbacks such that the controller +is resumed from runtime suspend during system suspend and it stays +RPM_ACTIVE throughout the suspend-resume cycle until it is runtime +suspended back in the system resume. The clocks are disabled in NOIRQ +suspend and enabled back in NOIRQ resume by calling the controller's +runtime PM functions directly. + +Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase") +Assisted-by: Cursor:claude-4.6-opus +Signed-off-by: Akhil R +Cc: # v5.4+ +Reviewed-by: Jon Hunter +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-tegra.c | 53 +++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 23 deletions(-) + +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -1889,28 +1889,37 @@ static int __maybe_unused tegra_i2c_runt + + static int __maybe_unused tegra_i2c_suspend(struct device *dev) + { ++ /* ++ * Bring the controller up and hold a usage count so it stays ++ * available until the noirq phase. 
++ */ ++ return pm_runtime_resume_and_get(dev); ++} ++ ++static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev) ++{ + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); +- int err; + + i2c_mark_adapter_suspended(&i2c_dev->adapter); + +- if (!pm_runtime_status_suspended(dev)) { +- err = tegra_i2c_runtime_suspend(dev); +- if (err) +- return err; +- } +- +- return 0; ++ /* ++ * Runtime PM is already disabled at this point, so invoke the ++ * runtime_suspend callback directly to put the controller down. ++ */ ++ return tegra_i2c_runtime_suspend(dev); + } + +-static int __maybe_unused tegra_i2c_resume(struct device *dev) ++static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev) + { + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); + int err; + + /* +- * We need to ensure that clocks are enabled so that registers can be +- * restored in tegra_i2c_init(). ++ * Runtime PM is still disabled at this point, so invoke the ++ * runtime_resume callback directly to bring the controller back up ++ * before re-initializing the hardware. The adapter is then marked ++ * resumed so that consumers can issue transfers from their own ++ * resume_noirq() handlers and onwards. + */ + err = tegra_i2c_runtime_resume(dev); + if (err) +@@ -1920,24 +1929,22 @@ static int __maybe_unused tegra_i2c_resu + if (err) + return err; + +- /* +- * In case we are runtime suspended, disable clocks again so that we +- * don't unbalance the clock reference counts during the next runtime +- * resume transition. 
+- */ +- if (pm_runtime_status_suspended(dev)) { +- err = tegra_i2c_runtime_suspend(dev); +- if (err) +- return err; +- } +- + i2c_mark_adapter_resumed(&i2c_dev->adapter); + + return 0; + } + ++static int __maybe_unused tegra_i2c_resume(struct device *dev) ++{ ++ pm_runtime_put(dev); ++ ++ return 0; ++} ++ + static const struct dev_pm_ops tegra_i2c_pm = { +- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume) ++ SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume) ++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq, ++ tegra_i2c_resume_noirq) + SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume, + NULL) + }; diff --git a/queue-6.6/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch b/queue-6.6/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch new file mode 100644 index 0000000000..a3b6e45a65 --- /dev/null +++ b/queue-6.6/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch 
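Review bot: In tegra_i2c_suspend_noirq() the adapter is marked suspended before `tegra_i2c_runtime_suspend(dev)` is called, and a failure returns with the adapter still marked suspended, so an aborted system suspend leaves the I2C core refusing every later transfer; the old code had the same shape, but since the path is being rewritten it is worth closing: `err = tegra_i2c_runtime_suspend(dev); if (err) i2c_mark_adapter_resumed(&i2c_dev->adapter); return err;`. The unconditional `pm_runtime_put(dev)` in tegra_i2c_resume() is correct only because, as far as I recall, the PM core does not run the resume phases for a device whose suspend callback failed; a comment such as `/* pairs with pm_runtime_resume_and_get() in tegra_i2c_suspend() */` would make the pairing explicit for the next reader. tegra_i2c_runtime_suspend() and tegra_i2c_init() are outside the hunk.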
@@ -0,0 +1,52 @@
+From ad0979fe053e9f2db82da82188256ef6eb41095a Mon Sep 17 00:00:00 2001
+From: Zeyu WANG
+Date: Wed, 3 Jun 2026 01:09:09 +0800
+Subject: Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
+
+From: Zeyu WANG
+
+commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream.
+
+The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive
+after the standard atkbd init sequence. Controlled testing on the
+actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate)
+command specifically corrupts the EC state, causing zero IRQ1
+interrupts after init.
+
+Skipping only the deactivate command (while keeping F4 ENABLE)
+resolves the issue completely: both keystroke input and CapsLock
+LED toggle work correctly. The reverse test - skipping only F4
+while keeping F5 - makes the problem worse (zero keystroke
+interrupts), confirming F5 is the sole culprit.
+
+Add a DMI quirk entry for LENOVO/83QK using the existing
+atkbd_deactivate_fixup callback, consistent with the existing
+entries for LG Electronics and HONOR FMB-P that address the
+same EC F5 deactivate issue.
+
+Signed-off-by: Zeyu WANG
+Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/atkbd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1944,6 +1944,14 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ /* Lenovo Yoga Air 14 (83QK) */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83QK"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+ 
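Review bot: `DMI_MATCH(DMI_PRODUCT_NAME, "83QK")` is a substring match, so this quirk also fires for any LENOVO product name that merely contains "83QK"; Lenovo firmware normally reports the bare machine-type code as the product name, so this is probably harmless, but `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "83QK")` states the intent at no cost. The model comment on the entry is good practice for a table of opaque DMI strings and the other entries in this file should follow it. The table continues above the hunk.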
diff --git a/queue-6.6/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch b/queue-6.6/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
new file mode 100644
index 0000000000..72b9b82b59
--- /dev/null
+++ b/queue-6.6/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
@@ -0,0 +1,45 @@
+From fb402386af4cdce108ff991a796386de55439735 Mon Sep 17 00:00:00 2001
+From: Cryolitia PukNgae
+Date: Fri, 5 Jun 2026 15:27:21 +0800
+Subject: Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
+
+From: Cryolitia PukNgae
+
+commit fb402386af4cdce108ff991a796386de55439735 upstream.
+
+After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd -
+do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR
+BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops
+working. Adding the atkbd_deactivate_fixup quirk fixes it.
+
+DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026
+
+Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID")
+Reported-by: Hongfei Ren
+Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891
+Tested-by: Hongfei Ren
+Cc: stable@kernel.org
+Signed-off-by: Cryolitia PukNgae
+Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/atkbd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -1952,6 +1952,13 @@ static const struct dmi_system_id atkbd_
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HONOR"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"),
++ },
++ .callback = atkbd_deactivate_fixup,
++ },
+ { }
+ };
+ 
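Review bot: The new entry has no comment identifying the machine, whereas the Lenovo entry added by the preceding patch in this series carries one, so "BCC-N" is opaque to anyone reading the table; add `/* HONOR MagicBook 14 2026 (BCC-N) */` above `.matches`, taken from the commit message. As elsewhere in this table, `DMI_MATCH` is a substring match, so `"BCC-N"` would also match a future product name such as "BCC-N2"; `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "BCC-N")` avoids that if the line gains variants whose EC does not need the fixup. The table continues above the hunk.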
diff --git a/queue-6.6/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch b/queue-6.6/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
new file mode 100644
index 0000000000..4120729bff
--- /dev/null
+++ b/queue-6.6/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
@@ -0,0 +1,68 @@ +From 2e5c6f4fd4001562781e99bbfc7f1f0127187542 Mon Sep 17 00:00:00 2001 +From: Yilin Zhu +Date: Thu, 30 Apr 2026 13:21:34 +0800 +Subject: ipc/shm: serialize orphan cleanup with shm_nattch updates + +From: Yilin Zhu + +commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream. + +shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that +does not serialize all fields tested by shm_may_destroy(). In particular, +shm_nattch is updated while holding shm_perm.lock, and attach paths can do +that without holding the rwsem. + +Do not decide that an orphaned segment is unused before taking the object +lock. Move the shm_may_destroy() check under shm_perm.lock, matching the +other destroy paths, and unlock the segment when it no longer qualifies +for removal. + +Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com +Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting") +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Yilin Zhu +Signed-off-by: Ren Wei +Cc: Christian Brauner +Cc: Jeongjun Park +Cc: Kees Cook +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Serge Hallyn +Cc: Vasiliy Kulikov +Cc: Davidlohr Bueso +Cc: Oleg Nesterov +Cc: Serge Hallyn +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + ipc/shm.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -415,15 +415,17 @@ static int shm_try_destroy_orphaned(int + * We want to destroy segments without users and with already + * exit'ed originating process. + * +- * As shp->* are changed under rwsem, it's safe to skip shp locking. ++ * shm_nattch can be changed under shm_perm.lock without holding the ++ * rwsem, so take the object lock before checking shm_may_destroy(). 
+ */ + if (!list_empty(&shp->shm_clist)) + return 0; + +- if (shm_may_destroy(shp)) { +- shm_lock_by_ptr(shp); ++ shm_lock_by_ptr(shp); ++ if (shm_may_destroy(shp)) + shm_destroy(ns, shp); +- } ++ else ++ shm_unlock(shp); + return 0; + } + diff --git a/queue-6.6/misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch b/queue-6.6/misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch new file mode 100644 index 0000000000..5d23871be9 --- /dev/null +++ b/queue-6.6/misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch 
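Review bot: `list_empty(&shp->shm_clist)` is still evaluated before `shm_lock_by_ptr(shp)`, so the rewritten comment's reasoning — fields tested here can change under shm_perm.lock without the rwsem — applies to it as well if shm_clist is unlinked under the object lock (exit_shm() is outside this hunk, so I cannot confirm which lock protects it). Folding that test under the lock costs one extra lock acquisition per orphan-candidate and removes the question; the rewritten tail of shm_try_destroy_orphaned() is below. If the unlocked early-out is intentionally kept as a fast path, the comment should say so, because as written it implies every tested field is now read under shm_perm.lock. shm_try_destroy_orphaned() begins above the hunk.
```c
	/* … unchanged: comment block … */
	shm_lock_by_ptr(shp);
	if (!list_empty(&shp->shm_clist) || !shm_may_destroy(shp)) {
		shm_unlock(shp);
		return 0;
	}
	shm_destroy(ns, shp);
	return 0;
```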
@@ -0,0 +1,40 @@ +From 464c6ad2aa16e1e1df9d559289199356493d1e00 Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Sat, 30 May 2026 21:45:26 +0100 +Subject: misc: fastrpc: fix DMA address corruption due to find_vma misuse + +From: Junrui Luo + +commit 464c6ad2aa16e1e1df9d559289199356493d1e00 upstream. + +fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided +pointer and compute a DMA address offset. When the address falls in a gap +before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows, +corrupting the DMA address sent to the DSP. + +Replace find_vma() with vma_lookup(), which returns NULL when the address +is not contained within any VMA. + +Cc: stable@vger.kernel.org +Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP") +Reported-by: Yuhao Jiang +Signed-off-by: Junrui Luo +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1057,7 +1057,7 @@ static int fastrpc_get_args(u32 kernel, + pages[i].addr = ctx->maps[i]->phys; + + mmap_read_lock(current->mm); +- vma = find_vma(current->mm, ctx->args[i].ptr); ++ vma = vma_lookup(current->mm, ctx->args[i].ptr); + if (vma) + pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) - + vma->vm_start; diff --git a/queue-6.6/misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch b/queue-6.6/misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch new file mode 100644 index 0000000000..4a72ed7a27 --- /dev/null +++ b/queue-6.6/misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch 
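Review bot: When `vma_lookup()` returns NULL the code still falls through and sends `pages[i].addr` with no offset applied, so a user pointer that maps to nothing now silently yields the map's base physical address instead of the underflowed one; if such a pointer is never legitimate the call should fail (set an error and bail after `mmap_read_unlock()`, which is outside the hunk) rather than hand the DSP an address the caller did not ask for. If skipping is deliberate — for instance for argument kinds that carry no user mapping, which I cannot tell from here — a comment above `if (vma)` should say so, since the NULL case is now a deliberate outcome rather than an accident of find_vma(). fastrpc_get_args() begins and ends outside the hunk.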
@@ -0,0 +1,79 @@ +From 5401fb4fe10fac6134c308495df18ed74aebb9c4 Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Sat, 30 May 2026 21:45:27 +0100 +Subject: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback + +From: Mukesh Ojha + +commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 upstream. + +A NULL pointer dereference was observed on Hawi at boot when the DSP +sends a glink message before fastrpc_rpmsg_probe() has completed +initialization: + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 + pc : _raw_spin_lock_irqsave+0x34/0x8c + lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] + ... + Call trace: + _raw_spin_lock_irqsave+0x34/0x8c (P) + fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] + qcom_glink_native_rx+0x538/0x6a4 + qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] + +The faulting address 0x178 corresponds to the lock variable inside +struct fastrpc_channel_ctx, confirming that cctx is NULL when +fastrpc_rpmsg_callback() attempts to take the spinlock. + +There are two issues here. First, dev_set_drvdata() is called before +spin_lock_init() and idr_init(), leaving a window where the callback +can retrieve a valid cctx pointer but operate on an uninitialized +spinlock. Second, the rpmsg channel becomes live as soon as the driver +is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() +is called at all, resulting in dev_get_drvdata() returning NULL. + +Fix both issues by moving all cctx initialization ahead of +dev_set_drvdata() so the structure is fully initialized before it +becomes visible to the callback, and add a NULL check in +fastrpc_rpmsg_callback() as a guard against any remaining window. 
+ +Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") +Cc: stable@vger.kernel.org +Signed-off-by: Mukesh Ojha +Reviewed-by: Bjorn Andersson +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -2392,7 +2392,6 @@ static int fastrpc_rpmsg_probe(struct rp + + kref_init(&data->refcount); + +- dev_set_drvdata(&rpdev->dev, data); + rdev->dma_mask = &data->dma_mask; + dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32)); + INIT_LIST_HEAD(&data->users); +@@ -2401,6 +2400,7 @@ static int fastrpc_rpmsg_probe(struct rp + idr_init(&data->ctx_idr); + data->domain_id = domain_id; + data->rpdev = rpdev; ++ dev_set_drvdata(&rpdev->dev, data); + + err = of_platform_populate(rdev->of_node, NULL, NULL, rdev); + if (err) +@@ -2474,6 +2474,9 @@ static int fastrpc_rpmsg_callback(struct + if (len < sizeof(*rsp)) + return -EINVAL; + ++ if (!cctx) ++ return -ENODEV; ++ + ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4); + + spin_lock_irqsave(&cctx->lock, flags); diff --git a/queue-6.6/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch b/queue-6.6/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch new file mode 100644 index 0000000000..ba2eb4c5a7 --- /dev/null +++ b/queue-6.6/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch 
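Review bot: Moving `dev_set_drvdata()` after the initialisation is the right order, but it is a plain store: nothing in this hunk orders `spin_lock_init()`/`idr_init()` before the pointer becomes visible to fastrpc_rpmsg_callback() running on another CPU, so the window is narrowed rather than closed unless the rpmsg core serialises probe against callbacks (not visible here). Either add `smp_wmb();` before `dev_set_drvdata(&rpdev->dev, data);` (the callback's dereference of `cctx` gives the read side an address dependency) or put a comment above it naming the rpmsg-core guarantee being relied on. The new `if (!cctx) return -ENODEV;` also deserves a one-line comment such as `/* rpmsg channel is live before probe has published cctx */`, otherwise it reads as dead defensiveness. fastrpc_rpmsg_probe() and fastrpc_rpmsg_callback() both continue outside the hunk.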
@@ -0,0 +1,207 @@ +From e85eb5feca8e254905ffa6c57a3c99c89a674a0f Mon Sep 17 00:00:00 2001 +From: Anandu Krishnan E +Date: Sat, 30 May 2026 21:45:25 +0100 +Subject: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anandu Krishnan E + +commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream. + +There is a race between fastrpc_device_release() and the workqueue +that processes DSP responses. When the user closes the file descriptor, +fastrpc_device_release() frees the fastrpc_user structure. Concurrently, +an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() +schedules context cleanup via schedule_work(&ctx->put_work). If the +workqueue runs fastrpc_context_free() in parallel with or after +fastrpc_device_release() has freed the user structure, it dereferences +the freed fastrpc_user. Depending on the state of the context at the +time of the race, any one of the following accesses can be hit: + + 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) + to strip the SID bits from the stored IOVA before passing the + physical address to dma_free_coherent(). + + 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to + reconstruct the source permission bitmask needed for the + qcom_scm_assign_mem() call that returns memory from the DSP VM + back to HLOS. + + 3. fastrpc_free_map() acquires map->fl->lock to safely remove the + map node from the fl->maps list. + +The resulting use-after-free manifests as: + + pc : fastrpc_buf_free+0x38/0x80 [fastrpc] + lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] + fastrpc_context_free+0xa8/0x1b0 [fastrpc] + fastrpc_context_put_wq+0x78/0xa0 [fastrpc] + process_one_work+0x180/0x450 + worker_thread+0x26c/0x388 + +Add kref-based reference counting to fastrpc_user. Have each invoke +context take a reference on the user at allocation time and release it +when the context is freed. 
Release the initial reference in +fastrpc_device_release() at file close. Move the teardown of the user +structure — freeing pending contexts, maps, mmaps, and the channel +context reference — into the kref release callback fastrpc_user_free(), +so that it runs only when the last reference is dropped, regardless of +whether that happens at device close or after the final in-flight +context completes. + +Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter") +Cc: stable@kernel.org +Signed-off-by: Anandu Krishnan E +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++++++---------------- + 1 file changed, 52 insertions(+), 23 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -305,6 +305,8 @@ struct fastrpc_user { + spinlock_t lock; + /* lock for allocations */ + struct mutex mutex; ++ /* Reference count */ ++ struct kref refcount; + }; + + static void fastrpc_free_map(struct kref *ref) +@@ -473,15 +475,57 @@ static void fastrpc_channel_ctx_put(stru + kref_put(&cctx->refcount, fastrpc_channel_ctx_free); + } + ++static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx); ++ ++static void fastrpc_user_free(struct kref *ref) ++{ ++ struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount); ++ struct fastrpc_invoke_ctx *ctx, *n; ++ struct fastrpc_map *map, *m; ++ struct fastrpc_buf *buf, *b; ++ ++ if (fl->init_mem) ++ fastrpc_buf_free(fl->init_mem); ++ ++ list_for_each_entry_safe(ctx, n, &fl->pending, node) { ++ list_del(&ctx->node); ++ fastrpc_context_put(ctx); ++ } ++ ++ list_for_each_entry_safe(map, m, &fl->maps, node) ++ fastrpc_map_put(map); ++ ++ list_for_each_entry_safe(buf, b, &fl->mmaps, node) { ++ list_del(&buf->node); ++ fastrpc_buf_free(buf); ++ } ++ ++ fastrpc_channel_ctx_put(fl->cctx); ++ mutex_destroy(&fl->mutex); ++ kfree(fl); ++} ++ 
++static void fastrpc_user_get(struct fastrpc_user *fl) ++{ ++ kref_get(&fl->refcount); ++} ++ ++static void fastrpc_user_put(struct fastrpc_user *fl) ++{ ++ kref_put(&fl->refcount, fastrpc_user_free); ++} ++ + static void fastrpc_context_free(struct kref *ref) + { + struct fastrpc_invoke_ctx *ctx; + struct fastrpc_channel_ctx *cctx; ++ struct fastrpc_user *fl; + unsigned long flags; + int i; + + ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount); + cctx = ctx->cctx; ++ fl = ctx->fl; + + for (i = 0; i < ctx->nbufs; i++) + fastrpc_map_put(ctx->maps[i]); +@@ -497,6 +541,8 @@ static void fastrpc_context_free(struct + kfree(ctx->olaps); + kfree(ctx); + ++ /* Release the reference taken in fastrpc_context_alloc() */ ++ fastrpc_user_put(fl); + fastrpc_channel_ctx_put(cctx); + } + +@@ -606,6 +652,8 @@ static struct fastrpc_invoke_ctx *fastrp + + /* Released in fastrpc_context_put() */ + fastrpc_channel_ctx_get(cctx); ++ /* Take a reference to user, released in fastrpc_context_free() */ ++ fastrpc_user_get(user); + + ctx->sc = sc; + ctx->retval = -1; +@@ -636,6 +684,7 @@ err_idr: + spin_lock(&user->lock); + list_del(&ctx->node); + spin_unlock(&user->lock); ++ fastrpc_user_put(user); + fastrpc_channel_ctx_put(cctx); + kfree(ctx->maps); + kfree(ctx->olaps); +@@ -1549,9 +1598,6 @@ static int fastrpc_device_release(struct + { + struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data; + struct fastrpc_channel_ctx *cctx = fl->cctx; +- struct fastrpc_invoke_ctx *ctx, *n; +- struct fastrpc_map *map, *m; +- struct fastrpc_buf *buf, *b; + unsigned long flags; + + fastrpc_release_current_dsp_process(fl); +@@ -1560,28 +1606,10 @@ static int fastrpc_device_release(struct + list_del(&fl->user); + spin_unlock_irqrestore(&cctx->lock, flags); + +- if (fl->init_mem) +- fastrpc_buf_free(fl->init_mem); +- +- list_for_each_entry_safe(ctx, n, &fl->pending, node) { +- list_del(&ctx->node); +- fastrpc_context_put(ctx); +- } +- +- list_for_each_entry_safe(map, m, &fl->maps, 
node) +- fastrpc_map_put(map); +- +- list_for_each_entry_safe(buf, b, &fl->mmaps, node) { +- list_del(&buf->node); +- fastrpc_buf_free(buf); +- } +- + fastrpc_session_free(cctx, fl->sctx); +- fastrpc_channel_ctx_put(cctx); +- +- mutex_destroy(&fl->mutex); +- kfree(fl); + file->private_data = NULL; ++ /* Release the reference taken in fastrpc_device_open */ ++ fastrpc_user_put(fl); + + return 0; + } +@@ -1626,6 +1654,7 @@ static int fastrpc_device_open(struct in + spin_lock_irqsave(&cctx->lock, flags); + list_add_tail(&fl->user, &cctx->users); + spin_unlock_irqrestore(&cctx->lock, flags); ++ kref_init(&fl->refcount); + + return 0; + } diff --git a/queue-6.6/misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch b/queue-6.6/misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch new file mode 100644 index 0000000000..535fb78f0c --- /dev/null +++ b/queue-6.6/misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch 
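Review bot: The pending-context sweep moved into fastrpc_user_free() looks unreachable: every context on `fl->pending` now holds a user reference (taken in fastrpc_context_alloc(), dropped only in fastrpc_context_free()), so fastrpc_user_free() cannot run while any such context exists, and a context the invoke path leaves on the list (the timeout/-ERESTARTSYS case, outside this hunk) is never put — it pins `fl`, and `fl` pins `cctx` via fastrpc_channel_ctx_put(), for good if the DSP never answers. The forced sweep belongs back in fastrpc_device_release() before the final `fastrpc_user_put(fl)`, so that the only remaining references are those of in-flight contexts the workqueue will eventually drop; the rewritten tail is below. Separately, `kref_init(&fl->refcount)` in fastrpc_device_open() runs after `fl` has been published on `cctx->users` under `cctx->lock`; move it above the `spin_lock_irqsave()` so nothing can observe an uninitialised refcount. fastrpc_device_release() and fastrpc_device_open() both start outside the hunk.
```c
static int fastrpc_device_release(struct inode *inode, struct file *file)
{
	struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
	struct fastrpc_channel_ctx *cctx = fl->cctx;
	struct fastrpc_invoke_ctx *ctx, *n;
	unsigned long flags;

	/* … unchanged: fastrpc_release_current_dsp_process(), list_del(&fl->user) under cctx->lock … */

	/*
	 * Contexts still on fl->pending were abandoned by the invoke path
	 * (timeout or signal). Each holds a reference on fl, so they must
	 * be dropped here; fastrpc_user_free() can never see them.
	 */
	list_for_each_entry_safe(ctx, n, &fl->pending, node) {
		list_del(&ctx->node);
		fastrpc_context_put(ctx);
	}

	fastrpc_session_free(cctx, fl->sctx);
	file->private_data = NULL;
	/* Release the reference taken in fastrpc_device_open */
	fastrpc_user_put(fl);

	return 0;
}
```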
@@ -0,0 +1,85 @@
+From 07ebe87915d8accdaba20c4f88c5ae430fe62fbb Mon Sep 17 00:00:00 2001
+From: Zhenghang Xiao
+Date: Sat, 30 May 2026 21:45:28 +0100
+Subject: misc: fastrpc: fix use-after-free race in fastrpc_map_create
+
+From: Zhenghang Xiao
+
+commit 07ebe87915d8accdaba20c4f88c5ae430fe62fbb upstream.
+
+fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The
+caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero)
+on this unprotected pointer. A concurrent MEM_UNMAP can free the map
+between the lock release and the kref operation, resulting in a
+use-after-free on the freed slab object.
+
+Restore the take_ref parameter to fastrpc_map_lookup so the reference
+is acquired atomically under fl->lock before the pointer is exposed to
+the caller.
+
+Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhenghang Xiao
+Signed-off-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20260530204528.116920-5-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 25 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -364,7 +364,7 @@ static int fastrpc_map_get(struct fastrp
+ 
+ 
+ static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd,
+- struct fastrpc_map **ppmap)
++ struct fastrpc_map **ppmap, bool take_ref)
+ {
+ struct fastrpc_map *map = NULL;
+ struct dma_buf *buf;
+@@ -379,6 +379,12 @@ static int fastrpc_map_lookup(struct fas
+ if (map->fd != fd || map->buf != buf)
+ continue;
+ 
++ if (take_ref) {
++ ret = fastrpc_map_get(map);
++ if (ret)
++ break;
++ }
++
+ *ppmap = map;
+ ret = 0;
+ break;
+@@ -893,19 +899,10 @@ get_err:
+ static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
+ u64 len, u32 attr, struct fastrpc_map **ppmap)
+ {
+- struct fastrpc_session_ctx *sess = fl->sctx;
+- int err = 0;
++ if (!fastrpc_map_lookup(fl, fd, ppmap, true))
++ return 0;
+ 
+- if (!fastrpc_map_lookup(fl, fd, ppmap)) {
+- if (!fastrpc_map_get(*ppmap))
+- return 0;
+- dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n",
+- __func__, fd);
+- }
+-
+- err = fastrpc_map_attach(fl, fd, len, attr, ppmap);
+-
+- return err;
++ return fastrpc_map_attach(fl, fd, len, attr, ppmap);
+ }
+ 
+ /*
+@@ -1172,7 +1169,7 @@ cleanup_fdlist:
+ for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
+ if (!fdlist[i])
+ break;
+- if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap))
++ if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false))
+ fastrpc_map_put(mmap);
+ }
+ 
diff --git a/queue-6.6/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch b/queue-6.6/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
new file mode 100644
index 0000000000..2ef328d105
--- /dev/null
+++ b/queue-6.6/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
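Review bot: The new `take_ref` parameter changes who owns the pointer fastrpc_map_lookup() returns, but the prototype at the top of the hunk carries no comment saying so, and the `false` caller in the cleanup_fdlist loop still receives a raw pointer after fl->lock is dropped and then calls fastrpc_map_put() on it, which is only safe if that caller already holds its own reference to the map (not visible in the hunk). I would document the contract above the function with a comment along the lines of `/* take_ref: acquire a reference under fl->lock before returning *ppmap; callers passing false must already hold a reference, since the pointer is handed back after the lock is released. */`. The `ret` returned when fastrpc_map_get() fails is initialised outside the hunk; confirm it is an error value, since fastrpc_map_create() now falls straight through to fastrpc_map_attach() without the dropped dev_dbg(). Both fastrpc_map_lookup() and the cleanup_fdlist loop extend outside the hunk.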
@@ -0,0 +1,57 @@
+From a764b0e8317a863006e05732e1aefe821b9d8c2d Mon Sep 17 00:00:00 2001
+From: ZhaoJinming
+Date: Mon, 1 Jun 2026 16:56:49 +0800
+Subject: net: bonding: fix NULL pointer dereference in bond_do_ioctl()
+
+From: ZhaoJinming
+
+commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream.
+
+In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
+can return NULL if the requested interface name does not exist. However,
+the subsequent slave_dbg() call is placed before the NULL check:
+
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
+ if (!slave_dev)
+ return -ENODEV;
+
+The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
+(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
+before the NULL check is performed. This results in a NULL pointer
+dereference kernel oops when a user calls bonding ioctl (e.g.
+SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
+interface name.
+
+This is reachable from userspace via the bonding ioctl interface with
+CAP_NET_ADMIN capability, making it a potential local denial-of-service
+vector.
+
+Fix by moving the slave_dbg() call after the NULL check.
+
+Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: ZhaoJinming
+Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4640,11 +4640,11 @@ static int bond_do_ioctl(struct net_devi
+ 
+ slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
+ 
+- slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+-
+ if (!slave_dev)
+ return -ENODEV;
+ 
++ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
++
+ switch (cmd) {
+ case SIOCBONDENSLAVE:
+ res = bond_enslave(bond_dev, slave_dev, NULL);
diff --git a/queue-6.6/net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch b/queue-6.6/net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch
new file mode 100644
index 0000000000..e7e105c606
--- /dev/null
+++ b/queue-6.6/net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch
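Review bot: The relocated slave_dbg() line is now safe, but its `%p` argument adds nothing once the NULL case returns early: the slave_dbg() prefix already prints the slave's name, and `%p` is rendered hashed, so the message only ever says "a slave exists". A more useful debug line would record the request being handled, e.g. `slave_dbg(bond_dev, slave_dev, "ioctl cmd=0x%x\n", cmd);`, since `cmd` is what the switch below dispatches on. Minor; bond_do_ioctl() continues outside the hunk.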
@@ -0,0 +1,64 @@
+From 02896a7fa4cd3ec61d60ba30136841e4f04bdeac Mon Sep 17 00:00:00 2001
+From: Nikolay Kuratov
+Date: Tue, 26 May 2026 19:29:32 +0300
+Subject: net/mlx5: Reorder completion before putting command entry in cmd_work_handler
+
+From: Nikolay Kuratov
+
+commit 02896a7fa4cd3ec61d60ba30136841e4f04bdeac upstream.
+
+Assuming callback != NULL && !page_queue, cmd_work_handler takes
+command entry with refcnt == 1 from mlx5_cmd_invoke.
+If either semaphore timeout or index allocation error happens,
+it does final cmd_ent_put(ent). To avoid access to freed memory,
+notify slotted completion before cmd_ent_put.
+
+This is theoretical issue found by Svace static analyser.
+
+Cc: stable@vger.kernel.org
+Fixes: 485d65e135712 ("net/mlx5: Add a timeout to acquire the command queue semaphore")
+Fixes: 0e2909c6bec90 ("net/mlx5: Fix variable not being completed when function returns")
+Signed-off-by: Nikolay Kuratov
+Reviewed-by: Md Haris Iqbal
+Reviewed-by: Moshe Shemesh
+Acked-by: Tariq Toukan
+Link: https://patch.msgid.link/20260526162932.501584-1-kniv@yandex-team.ru
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -989,12 +989,13 @@ static void cmd_work_handler(struct work
+ ent->callback(-EBUSY, ent->context);
+ mlx5_free_cmd_msg(dev, ent->out);
+ free_msg(dev, ent->in);
++ complete(&ent->slotted);
+ cmd_ent_put(ent);
+ } else {
+ ent->ret = -EBUSY;
+ complete(&ent->done);
++ complete(&ent->slotted);
+ }
+- complete(&ent->slotted);
+ return;
+ }
+ alloc_ret = cmd_alloc_index(cmd, ent);
+@@ -1004,13 +1005,14 @@ static void cmd_work_handler(struct work
+ ent->callback(-EAGAIN, ent->context);
+ mlx5_free_cmd_msg(dev, ent->out);
+ free_msg(dev, ent->in);
++ complete(&ent->slotted);
+ cmd_ent_put(ent);
+ } else {
+ ent->ret = -EAGAIN;
+ complete(&ent->done);
++ complete(&ent->slotted);
+ }
+ up(&cmd->vars.sem);
+- complete(&ent->slotted);
+ return;
+ }
+ } else {
diff --git a/queue-6.6/net-mv643xx-fix-of-node-refcount.patch b/queue-6.6/net-mv643xx-fix-of-node-refcount.patch
new file mode 100644
index 0000000000..9ceebced59
--- /dev/null
+++ b/queue-6.6/net-mv643xx-fix-of-node-refcount.patch
@@ -0,0 +1,38 @@
+From 4aacf509e537a711fa71bca9f234e5eb6968850e Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 2 Jun 2026 09:34:14 +0200
+Subject: net: mv643xx: fix OF node refcount
+
+From: Bartosz Golaszewski
+
+commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream.
+
+Platform devices created with platform_device_alloc() call
+platform_device_release() when the last reference to the device's
+kobject is dropped. This function calls of_node_put() unconditionally.
+This works fine for devices created with platform_device_register_full()
+but users of the split approach (platform_device_alloc() +
+platform_device_add()) must bump the reference of the of_node they
+assign manually. Add the missing call to of_node_get().
+
+Cc: stable@vger.kernel.org
+Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support")
+Signed-off-by: Bartosz Golaszewski
+Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2784,7 +2784,7 @@ static int mv643xx_eth_shared_of_add_por
+ goto put_err;
+ }
+ ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
+- ppdev->dev.of_node = pnp;
++ ppdev->dev.of_node = of_node_get(pnp);
+ 
+ ret = platform_device_add_resources(ppdev, &res, 1);
+ if (ret)
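Review bot: The ordering the two hunks establish, complete(&ent->slotted) strictly before cmd_ent_put(ent) in the callback branches, is the whole fix, but nothing in the code records why, so a later cleanup that hoists the duplicated complete() back out below the if/else would silently reintroduce the use-after-free the commit describes. A comment on the first moved completion in the -EBUSY branch, `/* Must precede cmd_ent_put(): this may be the final reference to ent */`, with the same note at the -EAGAIN branch in the second hunk, would pin the invariant. Whether the waiter woken through ent->slotted still holds a reference of its own in the non-callback branch is decided in mlx5_cmd_invoke, which is outside the hunk; cmd_work_handler() continues outside both hunks.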
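Review bot: The added of_node_get() is balanced only if every failure after the assignment releases ppdev through platform_device_put(), whose release callback the commit says performs the of_node_put(); the `goto put_err` visible just above the change suggests such a path exists, but the later error exits of mv643xx_eth_shared_of_add_port() are outside the hunk and worth confirming, since a direct kfree() or an early return there would leak the node reference. A short comment on the changed line would record the ownership hand-off: `/* reference dropped by platform_device_release() */`.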
diff --git a/queue-6.6/net-rds-clear-i_sends-on-setup-unwind.patch b/queue-6.6/net-rds-clear-i_sends-on-setup-unwind.patch
new file mode 100644
index 0000000000..49d696afd8
--- /dev/null
+++ b/queue-6.6/net-rds-clear-i_sends-on-setup-unwind.patch
@@ -0,0 +1,47 @@
+From 20cf0fb715c41111469577e85e35d15f099473e0 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu
+Date: Fri, 29 May 2026 21:01:44 +0800
+Subject: net: rds: clear i_sends on setup unwind
+
+From: Yuqi Xu
+
+commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream.
+
+The RDS IB connection teardown path is written so it can run during
+partial startup and on repeated shutdown attempts. It uses NULL
+pointers to distinguish resources that are still owned from resources
+that have already been released.
+
+When rds_ib_setup_qp() fails after allocating i_sends but before
+allocating i_recvs, the sends_out path frees i_sends without clearing
+the pointer. A later shutdown pass can still treat that stale pointer
+as a live send ring allocation.
+
+Clear i_sends after vfree() in the error unwind path so the existing
+shutdown logic continues to use the correct ownership state.
+
+Fixes: 3b12f73a5c29 ("rds: ib: add error handle")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan
+Reported-by: Zhengchuan Liang
+Reported-by: Xin Liu
+Signed-off-by: Yuqi Xu
+Signed-off-by: Ren Wei
+Reviewed-by: Allison Henderson
+Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/ib_cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -656,6 +656,7 @@ static int rds_ib_setup_qp(struct rds_co
+ 
+ sends_out:
+ vfree(ic->i_sends);
++ ic->i_sends = NULL;
+ 
+ ack_dma_out:
+ rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma,
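Review bot: The added `ic->i_sends = NULL;` clears the one stale pointer the commit describes, but the neighbouring label in the same unwind shows the same free-without-clear shape as far as the hunk goes: `ack_dma_out:` passes ic->i_ack to rds_dma_hdr_free() and the visible lines do not reset it, and whether that helper or the shutdown path accounts for it is outside the hunk. Since the commit message says teardown relies on NULL to mean "already released", each label of the unwind (the rest of rds_ib_setup_qp() is outside the hunk) is worth checking for the same double-release exposure. A comment at `sends_out:`, `/* cleared so a later shutdown does not free the ring twice */`, would make the ownership convention explicit at the point it matters.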
diff --git a/queue-6.6/nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch b/queue-6.6/nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch
new file mode 100644
index 0000000000..3bcc2dc0bf
--- /dev/null
+++ b/queue-6.6/nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch
@@ -0,0 +1,46 @@
+From ea41020b9018e31c2ea7e9d89021e3e6d7470883 Mon Sep 17 00:00:00 2001
+From: Andre Heider
+Date: Sat, 30 May 2026 21:43:39 +0100
+Subject: nvmem: layouts: onie-tlv: fix hang on unknown types
+
+From: Andre Heider
+
+commit ea41020b9018e31c2ea7e9d89021e3e6d7470883 upstream.
+
+The EEPROM on my board has a vendor specific entry of type 0x41. When
+stumbling upon that, this driver hangs in an endless loop.
+
+Fix it by keep incrementing the offset on unknown entries, so the loop
+will eventually stop.
+
+Fixes: d3c0d12f6474 ("nvmem: layouts: onie-tlv: Add new layout driver")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Andre Heider
+Reviewed-by: Miquel Raynal
+Signed-off-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20260530204340.116743-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/layouts/onie-tlv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvmem/layouts/onie-tlv.c
++++ b/drivers/nvmem/layouts/onie-tlv.c
+@@ -119,7 +119,7 @@ static int onie_tlv_add_cells(struct dev
+ 
+ cell.name = onie_tlv_cell_name(tlv.type);
+ if (!cell.name)
+- continue;
++ goto next;
+ 
+ cell.offset = hdr_len + offset + sizeof(tlv.type) + sizeof(tlv.len);
+ cell.bytes = tlv.len;
+@@ -132,6 +132,7 @@ static int onie_tlv_add_cells(struct dev
+ return ret;
+ }
+ 
++next:
+ offset += sizeof(tlv) + tlv.len;
+ }
+ 
diff --git a/queue-6.6/octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch b/queue-6.6/octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch
new file mode 100644
index 0000000000..6e238e581a
--- /dev/null
+++ b/queue-6.6/octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch
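Review bot: The new `next:` label restores forward progress for unknown TLV types, but the advance `offset += sizeof(tlv) + tlv.len;` is driven by `tlv.len`, a length read from the EEPROM, and the check that bounds it against the remaining header data before the next entry is parsed is not visible in the hunk; the loop header and the read of `tlv` are outside it and worth confirming, since an unvalidated length would let a malformed entry push `offset` past the buffer rather than merely loop. The invariant that made the original `continue` wrong deserves a comment at the label so it is not reintroduced: `next: /* always advance past the entry, even for unknown types, or the loop never terminates */`. onie_tlv_add_cells() continues outside both hunks.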
@@ -0,0 +1,49 @@
+From 09a5bf856aa759513afc4afd233d15bcc711b84e Mon Sep 17 00:00:00 2001
+From: Dawei Feng
+Date: Thu, 4 Jun 2026 22:37:56 +0800
+Subject: octeontx2-af: fix memory leak in rvu_setup_hw_resources()
+
+From: Dawei Feng
+
+commit 09a5bf856aa759513afc4afd233d15bcc711b84e upstream.
+
+If rvu_npc_exact_init() fails in rvu_setup_hw_resources(), the function
+returns directly instead of jumping to the error handling path. This
+causes a resource leak for the previously initialized CGX, NPC, fwdata,
+and MSI-X states.
+
+Fix this by replacing the direct return with goto cgx_err to ensure
+proper cleanup.
+
+The bug was first flagged by an experimental analysis tool we are
+developing for kernel memory-management bugs while analyzing
+v6.13-rc1. The tool is still under development and is not yet publicly
+available. Manual inspection confirms that the bug is still present in
+v7.1-rc6.
+
+An x86_64 allyesconfig build showed no new warnings. As we do not have
+access to Marvell OcteonTX2 RVU AF hardware to test with, no runtime
+testing was able to be performed.
+
+Fixes: 3571fe07a090 ("octeontx2-af: Drop rules for NPC MCAM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dawei Feng
+Signed-off-by: Zilin Guan
+Link: https://patch.msgid.link/20260604143756.1524482-1-dawei.feng@seu.edu.cn
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+@@ -1130,7 +1130,7 @@ cpt:
+ err = rvu_npc_exact_init(rvu);
+ if (err) {
+ dev_err(rvu->dev, "failed to initialize exact match table\n");
+- return err;
++ goto cgx_err;
+ }
+ 
+ /* Assign MACs for CGX mapped functions */
diff --git a/queue-6.6/series b/queue-6.6/series
index a0472459ff..71971e2a81 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
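Review bot: The `goto cgx_err` assumes the cgx_err unwind releases everything set up before rvu_npc_exact_init() and nothing that a partially failed exact-match init left behind, but the label's body is outside the hunk, so whether a half-initialised exact-match table needs its own teardown on this path cannot be confirmed from here. The `cpt:` label in the hunk header indicates this function has several staged error exits; the other `return err` sites in rvu_setup_hw_resources(), also outside the hunk, should be checked for the same direct-return pattern. A comment on the changed line naming what cgx_err unwinds, as the commit message does for CGX, NPC, fwdata and MSI-X, would make the cleanup expectation explicit at each exit.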
@@ -323,3 +323,20 @@ bnxt_en-fix-null-pointer-dereference.patch
 ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
 inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch
 pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
+fuse-reject-fuse_notify-pagecache-ops-on-directories.patch
+i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
+i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch
+i2c-tegra-fix-noirq-suspend-resume.patch
+input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch
+input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
+ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
+misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch
+misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch
+misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch
+misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch
+net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch
+net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
+net-mv643xx-fix-of-node-refcount.patch
+net-rds-clear-i_sends-on-setup-unwind.patch
+nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch
+octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch